Switch QE to CBC for user data


    • Type: Task
    • Resolution: Fixed
    • Priority: Major - P3
    • 1.8.0, 1.8.0-alpha0
    • Affects Version/s: None
    • Component/s: None

      Change from CTR cipher mode to CBC cipher mode for encrypting the user data. The final cipher in use will be AES-256-CBC with AEAD provided by HMAC-SHA-256. This is not the same as the FLE 1 algorithm, which took half of SHA-512 for AEAD.

      This impacts kFLE2EqualityIndexedValueV2 and kFLE2RangeIndexedValueV2. Also, a new unindexed encrypted value type will be needed that uses CBC.

      In the server code, only the QE code that calls _mongocrypt_fle2aead_do_encryption is affected by this change.
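
Added example, not from the ticket or from libmongocrypt's code: the encrypt-then-MAC layer around a CBC ciphertext, showing the full HMAC-SHA-256 tag beside a "half of SHA-512" tag and the checks made before any CBC decryption. Assumptions: the frame layout `IV || ciphertext || tag`, the MAC input `AD || IV || ciphertext` (simplified to the same bytes for both tags), PKCS#7 padding, and all function names and sample bytes, which are constructed; the AES-256-CBC step itself is outside this block and the ciphertext is treated as opaque.

```python
import hashlib
import hmac

BLOCK = 16    # AES block size, also the CBC IV length
TAG_LEN = 32  # both tag constructions yield 32 bytes

def tag_hmac_sha256(mac_key, ad, iv, ct):
    """Full HMAC-SHA-256 output (the construction named in the ticket)."""
    return hmac.new(mac_key, ad + iv + ct, hashlib.sha256).digest()

def tag_half_sha512(mac_key, ad, iv, ct):
    """HMAC-SHA-512 truncated to its first half, for comparison only."""
    return hmac.new(mac_key, ad + iv + ct, hashlib.sha512).digest()[:TAG_LEN]

def cbc_ciphertext_len(plaintext_len):
    """CBC with PKCS#7 (assumed) always pads; CTR would keep the length."""
    return (plaintext_len // BLOCK + 1) * BLOCK

def seal(mac_key, ad, iv, ct):
    """Append the tag to an already CBC-encrypted body."""
    return iv + ct + tag_hmac_sha256(mac_key, ad, iv, ct)

def open_frame(mac_key, ad, frame):
    """Return (iv, ct) only if the frame is well-formed and authentic.

    The tag is verified before the ciphertext would reach AES-CBC, so a
    modified frame is rejected without exercising the padding check.
    """
    if len(frame) < BLOCK + BLOCK + TAG_LEN:
        raise ValueError("frame too short")
    iv, ct, tag = frame[:BLOCK], frame[BLOCK:-TAG_LEN], frame[-TAG_LEN:]
    if len(ct) % BLOCK != 0:
        raise ValueError("CBC ciphertext must be a whole number of blocks")
    if not hmac.compare_digest(tag, tag_hmac_sha256(mac_key, ad, iv, ct)):
        raise ValueError("authentication failed")
    return iv, ct

# Constructed sample values (not real keys or data).
MAC_KEY = bytes(range(32))
AD = b"constructed-associated-data"
IV = bytes(range(100, 116))
CT = bytes(range(200, 232))  # stands in for two CBC blocks

if __name__ == "__main__":
    frame = seal(MAC_KEY, AD, IV, CT)
    print(len(frame), open_frame(MAC_KEY, AD, frame) == (IV, CT))
```
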

            Assignee:
            Sara Golemon (Inactive)
            Reporter:
            Mark Benvenuto
            Votes:
            0
            Watchers:
            2
