FIPS140: mark HKDF and AES-GCM as approved when used in TLS
As suggested in !1465 (merged), HKDF and AES-GCM are approved in FIPS when used in TLS, while currently they are marked as non-approved for all uses.
We could relax the check a little maybe using a temporary FIPS context, or adding internal API for HKDF and AES-GCM that leaves state change to the caller.