Data were encrypted using AES-CFB, with a properly randomized IV,
but without any authenticators. This allows the data to be tampered
with, without being noticed by the application.
This diff slightly changes the encryption/decryption functions in
sql_store.go to add a HMAC-SHA256 authenticator to encrypted messages.
Two keys are derived from AtRestEncryptKey: the first half of
SHA512(AtRestEncryptKey) for the block cipher and the second half for
the MAC. This can be changed to a KDF if needed.
The decryption function also checks that base64 decoding actually
worked, and that the ciphertext is long enough to include the IV and
the MAC.
Unfortunately, it breaks backward compatibility. But if such a change
has to be made, it has to be made early.
