feat: bypass SSL AEAD wrapper in RecordProtection

Replace `SSLExp_AeadEncrypt`/`Decrypt` with direct `PK11_AEADOp` calls,
removing the `ssl_AeadInner` overhead (`sslBuffer` allocation,
`tls13_WriteNonce`) that fired on every QUIC packet.

Key derivation is replicated using `SSL_HkdfExpandLabelWithMech`
(already bound in `hp.rs`).

Also extract `xor_nonce` as a shared free function, eliminating the
duplicate nonce-XOR logic between `RecordProtection` and `Aead`.

Author: larseggert