Allow finding and linking system deps

[tranzystorekk]

Addresses #190

Adds necessary changes to optionally detect the system liboqs version and link to it.

To consider:

• Should there be a vendor feature, or can we defer to pkg-config crate's env var configuration (e.g. "LIBOQS_NO_PKG_CONFIG")
• Is targeting the minor version (>= 0.8.0 && < 0.9.0) enough?

Tested this manually with a system-installed build of liboqs 0.8.0-rc1. Not sure how best to test this in CI yet.

[tranzystorekk]

Oops, meant for this to be a draft for now.

[tranzystorekk]

Ping @wucke13 for discussion

[thomwiggers]

Overall this looks pretty reasonable, but I have a few questions/suggestions

[tranzystorekk]

Added requested changes, split the code into some more includedir related functions to allow early return if vendored is enabled.

[thomwiggers]

I have a minor gripe with the lower bound computation, and it would be great if you could document the vendored feature in the README.

[tranzystorekk]

Added the suggested change and README docs. I was split between processing the patch version as an interger or as a str, but the latter seems more reliable, especially against versions like 0.8.001

[thomwiggers]

Unfortunately, Cargo won't allow 001 and will simplify that to 1; otherwise I would have released version 000. But this seems good enough.

[thomwiggers]

Shoot, I hadn't thought about this but 001 being not allowed also means that #192 is again unsolved.

[thomwiggers]

And that is a problem for releasing updates :(

[tranzystorekk]

I guess I also forgot something - an env var like LIBOQS_NO_VENDOR that would make it easier for distributions to ensure we're only built if system package is available.

Such a thing makes it easier for distros to manage a central liboqs package with e.g. sexurity vulnerabilities patched, as with SSL libraries.

[thomwiggers]

Sounds like a good addition