Conversation

@dertin

@dertin dertin commented Jan 10, 2026

Does your PR solve an issue?

fixes #4081
#4082

Is this a breaking change?

Potentially. Public APIs are unchanged, but mysql no longer pulls RSA by default.
Non-TLS MySQL auth that relies on RSA now requires the mysql-rsa feature.
CI/scripts that connect with ssl-mode=disabled must enable mysql-rsa.

Summary

  • Split RSA auth behind mysql-rsa to avoid unused RSA deps and audit noise when TLS is enabled.
  • Adjust CI/workflows to include mysql-rsa where non-TLS MySQL is used, and add a minimal TLS+mysql-rsa check.
  • Update local tooling/docs (x.py --clippy, MySQL 5.7 RSA certs) to reflect the new matrix.

@dertin dertin marked this pull request as draft January 10, 2026 09:17
@dertin dertin marked this pull request as ready for review January 10, 2026 09:32
@dertin dertin changed the title feat(mysql): add aws-lc-rs FIPS RSA auth and rustls features feat(mysql): add aws-lc-rs backend for RSA auth and FIPS TLS support Jan 10, 2026
@dertin
Author

dertin commented Jan 10, 2026

Hi @abonander

This PR adds two MySQL RSA auth backend features:

  • mysql-auth-rsa-aws-lc-rs (non-FIPS, replaces rsa for caching_sha2_password/sha256_password when TLS is off)
  • mysql-auth-rsa-aws-lc-rs-fips (FIPS module, requires Go/CMake on supported targets)

On the TLS side, this PR adds tls-rustls-aws-lc-rs-fips to expose the FIPS rustls provider.
The FIPS and non-FIPS (tls-rustls-aws-lc-rs) variants are mutually exclusive.

If you'd prefer a different feature layout or naming, I'm happy to adjust.

@abonander
Collaborator

I don't want to add a bunch more TLS features going forward. It just doesn't scale. We can have a couple of TLS features targeted for convenience, and then anything else, especially with RusTLS, should just require a custom CryptoProvider to be installed (and potentially a pre-built rustls::ClientConfig to be passed).

We've also learned the hard way that mutually exclusive features are a bad idea. The runtime-* features used to be mutually exclusive, but we did a bunch of refactoring so that they didn't have to be anymore.

The thing about this refactor is, if you or your organization cares enough about security to be using a FIPS certified module, your configuration probably doesn't allow for falling back to RSA here anyway. This is because RSA is only used to encrypt the password when sending it over a non-TLS connection, otherwise it's sent without any encapsulation (as it's encrypted by TLS anyway).

I think the only thing that really needs to be done here is allowing the rsa feature to be optional. It also doesn't make sense to make it a default feature of sqlx-mysql, because then it'll be near-impossible to turn off--unless we set default-features = false in sqlx which makes the whole exercise pointless anyway.

Also, I don't know if you noticed this, but there's several other RustCrypto crates being used there: sha1, sha2, hkdf, hmac, md-5 (though we don't use the last 3, at least not in sqlx-mysql, so they should really just be deleted). I'm not sure how that factors in to your FIPS compliance.

@dertin dertin changed the title feat(mysql): add aws-lc-rs backend for RSA auth and FIPS TLS support feat(mysql): add aws-lc-rs backend for RSA auth and ~~FIPS TLS support~~ Jan 18, 2026
@dertin dertin changed the title feat(mysql): add aws-lc-rs backend for RSA auth and ~~FIPS TLS support~~ feat(mysql): add mysql-rsa feature for non-TLS RSA auth Jan 18, 2026
@dertin dertin force-pushed the mysql-aws-lc-rs-fips branch from 2783ae1 to a82e420 Compare January 18, 2026 05:21
@dertin
Author

dertin commented Jan 18, 2026

Hi @abonander,

Thanks for the detailed feedback. I’ve reworked the PR accordingly:

  • Dropped the additional rustls/TLS feature variants (including the mutually-exclusive FIPS TLS feature).
  • Made MySQL RSA support optional: RSA is no longer pulled in by default for sqlx-mysql; enabling non-TLS auth paths that require RSA is now gated behind an explicit mysql-rsa feature.
  • Updated CI/docs/tooling to reflect the new feature matrix and to only enable RSA where it’s actually needed (e.g. non-TLS tests).
  • Removed the unused deps (e.g. hkdf, hmac, md-5) where applicable.

Could you take another look and let me know whether this aligns with what you had in mind, or if you’d prefer any further changes before we merge?

Development

Successfully merging this pull request may close these issues.

Features to opt-in/opt-out of mysql_native_password

2 participants