Use OpenSSL native OCB-AES implementation

OpenSSL 3.0 deprecated many of the functions that ocb.cc used to
implement OCB-AES, causing a build failure when -Wdeprecated collided
with -Werror. Debian temporarily fixed this by suppressing the error
in #1191.

Since mosh 1.4 will be the next stable release of mosh, it should not
depend on deprecated functions in OpenSSL. Since version 1.1.0,
OpenSSL natively supports OCB-AES through the EVP_CIPHER API. @cgull
started early support for this in #924.

This change extends upon the previous work by @cgull in a few ways

 * EVP_CipherInit_ex is called in ae_init to set up the
   EVP_CIPHER_CTX. It is later called in ae_encrypt and ae_decrypt
   just to load nonce (IV in OpenSSL EVP parlance), which reduces the
   amount of initialization done per-packet. However, due to OpenSSL
   API limitations, two copies of the EVP_CIPHER_CTX are kept: one for
   encryption, and one for decryption.

 * Adds missing support for an external tag, rather than just one
   appended to the ciphertext

 * Support for non-default-sized tags

as well as some improved error handling.

Note that this change raises the minimum OpenSSL version for Mosh to
1.1.0. OpenSSL does not provide security support for versions prior to
1.1 at this time, so this is in principle reasonable dependency. If we
want to continue to support distributions (such as RHEL7) which
continue to be supported by their vendor but use an unsupported
OpenSSL, then some future work will have to restore the ocb.cc
implementation that uses the deprecated functions.

Bugs: #1174