
Conversation


@dertin dertin commented Jan 10, 2026

Does your PR solve an issue?

fixes #4082

Is this a breaking change?

Potentially. Public APIs are unchanged and defaults remain the same, but --all-features no longer works for sqlx-mysql because mutually exclusive RSA backend features were added. Build/CI scripts that relied on --all-features must select a backend explicitly.

Summary

Add aws-lc-rs RSA auth backend for MySQL/MariaDB with a FIPS option, plus a rustls FIPS TLS feature.
Refactor MySQL RSA auth backends to prefer aws-lc-rs when selected, and expose new facade features.
Update docs, changelog, and CI/test tooling to cover the new feature matrix and FIPS prerequisites.

Testing

- cargo check -p sqlx-mysql --no-default-features --features rsa-aws-lc-rs
- cargo check -p sqlx-mysql --no-default-features --features rsa-aws-lc-rs-fips
- cargo test -p sqlx-mysql --no-default-features --features rsa-aws-lc-rs --lib
- cargo test -p sqlx-mysql --no-default-features --features rsa-aws-lc-rs --doc --features sqlx/mysql-auth-rsa-aws-lc-rs
- cargo check -p sqlx --no-default-features --features mysql-auth-rsa-aws-lc-rs,runtime-tokio,tls-native-tls
- cargo check -p sqlx --no-default-features --features mysql-auth-rsa-aws-lc-rs-fips,runtime-tokio,tls-rustls-aws-lc-rs-fips
- cargo test -p sqlx-core --no-default-features --features _tls-rustls-aws-lc-rs
- cargo test -p sqlx-core --no-default-features --features _tls-rustls-aws-lc-rs-fips
- cargo test -p sqlx-core --no-default-features --features _tls-rustls-ring-webpki
- python tests/x.py --fips

@dertin dertin marked this pull request as draft January 10, 2026 09:17
@dertin dertin marked this pull request as ready for review January 10, 2026 09:32
@dertin dertin changed the title from "feat(mysql): add aws-lc-rs FIPS RSA auth and rustls features" to "feat(mysql): add aws-lc-rs backend for RSA auth and FIPS TLS support" Jan 10, 2026
Author

dertin commented Jan 10, 2026

Hi @abonander

This PR adds two MySQL RSA auth backend features:

- mysql-auth-rsa-aws-lc-rs (non-FIPS, replaces rsa for caching_sha2_password/sha256_password when TLS is off)
- mysql-auth-rsa-aws-lc-rs-fips (FIPS module, requires Go/CMake on supported targets)

On the TLS side, this PR adds tls-rustls-aws-lc-rs-fips to expose the FIPS rustls provider.
The FIPS and non-FIPS (tls-rustls-aws-lc-rs) variants are mutually exclusive.

If you'd prefer a different feature layout or naming, I'm happy to adjust.
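As an added example (not code from the PR or from the sqlx project), the following Cargo.toml fragment shows how a build that previously relied on --all-features would instead select one RSA auth backend explicitly, using the facade feature names this PR introduces and mirroring the two "cargo check -p sqlx" combinations listed under Testing. The version string is a placeholder, and the exact feature set needed alongside the auth feature is an assumption taken from those Testing lines rather than from a published release.

```toml
# Added example, not from the PR or sqlx. Selects exactly one MySQL RSA auth
# backend so that the mutually exclusive backend features never collide.
# "<version-with-this-pr>" is a placeholder for whatever release carries this PR.

[dependencies]
# Option A: non-FIPS aws-lc-rs RSA backend with TLS via native-tls
# (mirrors: --features mysql-auth-rsa-aws-lc-rs,runtime-tokio,tls-native-tls).
sqlx = { version = "<version-with-this-pr>", default-features = false, features = [
    "runtime-tokio",
    "tls-native-tls",
    "mysql-auth-rsa-aws-lc-rs",
] }

# Option B: FIPS aws-lc-rs RSA backend with the FIPS rustls provider
# (mirrors: --features mysql-auth-rsa-aws-lc-rs-fips,runtime-tokio,tls-rustls-aws-lc-rs-fips).
# Enable only one of mysql-auth-rsa-aws-lc-rs / mysql-auth-rsa-aws-lc-rs-fips and
# only one of tls-rustls-aws-lc-rs / tls-rustls-aws-lc-rs-fips, as the PR describes
# each pair as mutually exclusive. The FIPS build needs Go and CMake on the host.
# sqlx = { version = "<version-with-this-pr>", default-features = false, features = [
#     "runtime-tokio",
#     "tls-rustls-aws-lc-rs-fips",
#     "mysql-auth-rsa-aws-lc-rs-fips",
# ] }
```

Because the RSA path is only exercised when the password is sent over a non-TLS connection (as the comment below from the maintainer also notes), the practical check before choosing a backend is whether any connection string in the deployment actually permits plaintext transport; if none does, the choice of RSA backend affects only a code path that should never run.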

@abonander
Collaborator

I don't want to add a bunch more TLS features going forward. It just doesn't scale. We can have a couple of TLS features targeted for convenience, and then anything else, especially with rustls, should just require a custom CryptoProvider to be installed (and potentially a pre-built rustls::ClientConfig to be passed).

We've also learned the hard way that mutually exclusive features are a bad idea. The runtime-* features used to be mutually exclusive, but we did a bunch of refactoring so that they didn't have to be anymore.

The thing about this refactor is, if you or your organization cares enough about security to be using a FIPS certified module, your configuration probably doesn't allow for falling back to RSA here anyway. This is because RSA is only used to encrypt the password when sending it over a non-TLS connection, otherwise it's sent without any encapsulation (as it's encrypted by TLS anyway).

I think the only thing that really needs to be done here is allowing the rsa feature to be optional. It also doesn't make sense to make it a default feature of sqlx-mysql, because then it'll be near-impossible to turn off, unless we set default-features = false in sqlx, which makes the whole exercise pointless anyway.

Also, I don't know if you noticed this, but there are several other RustCrypto crates being used there: sha1, sha2, hkdf, hmac, md-5 (though we don't use the last 3, at least not in sqlx-mysql, so they should really just be deleted). I'm not sure how that factors into your FIPS compliance.


Development

Successfully merging this pull request may close these issues.

Support aws-lc-rs instead of rsa
