    [wip] Switch AES encryption to authenticated AES-GCM.

    Review Request #15123 — Created June 16, 2026

    Information

    Djblets
    master

    Reviewers

    The AES-CFB8 cipher is unauthenticated, and susceptible to
    bit-flipping attacks. As a result, the cryptography library is going
    to be moving this into the decrepit namespace in an upcoming version.

    This change updates aes_encrypt() to produce authenticated output
    using AES-GCM instead of AES-CFB8. The output carries a 2-byte
    magic prefix so aes_decrypt() can tell new GCM data from legacy CFB8
    data and decrypt either. Tampered or incorrect-key data now raises an
    InvalidTag exception instead of silently returning garbage.

    Legacy CFB8 data (including data at rest from older installs and the
    PyCrypto-era format) still decrypts. The streaming aes_encrypt_iter()
    and aes_decrypt_iter() remain on CFB8, since GCM cannot stream safely
    (its tag is only verified at the end). For those, callers must
    authenticate the full payload independently before acting on streamed
    plaintext.

    The cache test helper now mirrors the cache's streaming CFB8 encryption
    rather than single-shot encryption, so its generated chunk data matches
    what the cache stores.

    • Ran unit tests.
    • Verified that existing encrypted data decrypted properly as a
      fallback.
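    The envelope described above, written out as an added example. This is
    not Djblets' aes_encrypt()/aes_decrypt() and not code from the review;
    it is an illustration of the same approach built on the cryptography
    library. The magic value (0xAE 0x01), the 12-byte nonce, the use of the
    magic bytes as associated data, and the legacy layout (IV followed by
    CFB8 ciphertext) are assumptions for this example. It shows the two
    behaviours the description contrasts: a one-bit change to CFB8 output
    decrypts cleanly to attacker-chosen plaintext, while the same change
    to GCM output raises InvalidTag.

```python
"""Versioned AES-GCM envelope with a CFB8 fallback (constructed example).

Illustrates the approach described in the review request; it is not
Djblets' aes_encrypt()/aes_decrypt(). The magic value, nonce length and
the legacy layout (iv || ciphertext) are assumptions for this example.
"""
import os
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

GCM_MAGIC = b"\xae\x01"   # assumed 2-byte prefix marking the authenticated format
GCM_NONCE_LEN = 12        # 96-bit nonce, the size GCM is designed around
GCM_TAG_LEN = 16
CFB8_IV_LEN = 16          # AES block size; assumed legacy layout is iv || ct


def aes_encrypt(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Return magic || nonce || ciphertext || tag (AES-GCM).

    The magic bytes are passed as associated data, so stripping or
    rewriting the prefix is itself detected as tampering. A nonce may be
    supplied for reproducible tests; in production it must be random and
    never reused with the same key.
    """
    nonce = os.urandom(GCM_NONCE_LEN) if nonce is None else nonce
    sealed = AESGCM(key).encrypt(nonce, plaintext, GCM_MAGIC)
    return GCM_MAGIC + nonce + sealed


def aes_encrypt_cfb8_legacy(key: bytes, plaintext: bytes, iv: Optional[bytes] = None) -> bytes:
    """Produce data in the assumed legacy (unauthenticated) CFB8 layout."""
    iv = os.urandom(CFB8_IV_LEN) if iv is None else iv
    enc = Cipher(algorithms.AES(key), modes.CFB8(iv)).encryptor()
    return iv + enc.update(plaintext) + enc.finalize()


def aes_decrypt(key: bytes, data: bytes) -> bytes:
    """Decrypt either format; GCM data that fails verification raises InvalidTag."""
    if data.startswith(GCM_MAGIC):
        header = len(GCM_MAGIC) + GCM_NONCE_LEN
        if len(data) < header + GCM_TAG_LEN:
            raise ValueError("truncated AES-GCM payload")
        nonce = data[len(GCM_MAGIC):header]
        return AESGCM(key).decrypt(nonce, data[header:], GCM_MAGIC)
    # Legacy fallback: no integrity check, so a wrong key or a flipped bit
    # comes back as wrong plaintext rather than as an error.
    iv, ciphertext = data[:CFB8_IV_LEN], data[CFB8_IV_LEN:]
    dec = Cipher(algorithms.AES(key), modes.CFB8(iv)).decryptor()
    return dec.update(ciphertext) + dec.finalize()


def flip_last_bit(blob: bytes) -> bytes:
    """Simulate an attacker flipping one bit of the final ciphertext byte.

    In CFB8 the last byte's keystream depends only on earlier ciphertext,
    so this flips exactly one plaintext bit with no other corruption.
    """
    return blob[:-1] + bytes([blob[-1] ^ 0x01])


def tamper_detected(key: bytes, blob: bytes) -> bool:
    """True if decrypting the tampered blob raises InvalidTag."""
    try:
        aes_decrypt(key, flip_last_bit(blob))
    except InvalidTag:
        return True
    return False


if __name__ == "__main__":
    key = os.urandom(32)
    msg = b"is_admin=0"
    sealed = aes_encrypt(key, msg)
    legacy = aes_encrypt_cfb8_legacy(key, msg)
    print("GCM tamper detected:", tamper_detected(key, sealed))                 # True
    print("CFB8 tamper detected:", tamper_detected(key, legacy))                # False
    print("CFB8 tampered plaintext:", aes_decrypt(key, flip_last_bit(legacy)))  # b'is_admin=1'
```

    Two caveats a practitioner would check before shipping this shape. A
    2-byte prefix means a legacy CFB8 blob whose random IV happens to start
    with the magic bytes (about 1 in 65536) is routed to the GCM path and
    fails with InvalidTag; that is a reason to scan existing data at
    migration time, not a reason to fall back to CFB8 on InvalidTag, since
    such a fallback would let an attacker route tampered data around the
    tag check. For the streaming CFB8 functions the description leaves in
    place, the independent authentication it asks for would be a MAC over
    the entire ciphertext, verified before any streamed plaintext is used.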
