[DO NOT MERGE] 25.3.8-fips: compression: use fips-compliant non-siv version of codec

[mkmkme]

Changelog category (leave one):

• Not for changelog (changelog entry is not required)

CI/CD Options

Exclude tests:

• Fast test
• Integration Tests
• Stateless tests
• Stateful tests
• Performance tests
• All with ASAN
• All with TSAN
• All with MSAN
• All with UBSAN
• All with Coverage
• All with Aarch64
• All Regression
• Disable CI Cache

Regression jobs to run:

• Fast suites (mostly <1h)
• Aggregate Functions (2h)
• Alter (1.5h)
• Benchmark (30m)
• ClickHouse Keeper (1h)
• Iceberg (2h)
• LDAP (1h)
• Parquet (1.5h)
• RBAC (1.5h)
• SSL Server (1h)
• S3 (2h)
• Tiered Storage (2h)

[mkmkme]

Context for the change: the test test_codec_encrypted/test.py::test_different_keys is failing in the CI for the FIPS build. The reason for that is that in CompressionCodecEncrypted.cpp there are AES-{128,256}-GCM-SIV algos which are not FIPS approved and therefore any attempt to get those ciphers returns nullptr and causes a fail.

There are, however, AES-{128,256}-GCM (note the lack of -SIV in the name) that are FIPS-approved. This is just a small PoC that replaces -SIV versions with non--SIV ones for the case when openssl is boringssl (although we probably should make it FIPS_CLICKHOUSE instead in this particular case).

Here's the test that fails: https://github.com/Altinity/ClickHouse/blob/releases/25.3.8-fips/tests/integration/test_codec_encrypted/test.py#L52-L70

The problem is that CompressionCodecEncrypted exposes only -SIV variants.

There's three ways to resolve this, and I'm not sure I'm fond of any of them:

1. Silently pick AES-{128,256}-GCM when AES-{128,256}-GCM-SIV is chosen (this is what this PR implements at this point)
2. Rename the enums as well so that they don't have -SIV in their names
3. Explicitly forbid -SIV ciphers whilst not providing non--SIV ones, which is effectively disabling that codec entirely.