<crypto/chacha20_poly1305>: Fix operations with 8 byte nonce.

In head, the inline ChaCha20+Poly1305 API is implemented using the
software implementation backing OCF, but that requires API changes
that can't be MFC'd. As a result, this API in stable/13 uses
libsodium directly.

However, libsodium's version of ChaCha20+Poly1305 with an 8 byte nonce
uses a different construction for the Poly1305 hash than is used for
the standard IETF AEAD cipher used for TLS and IPsec. WireGuard's use
of an 8 byte nonce also uses the more standard construction.

Since the verison in stable/13 was using libsodium directly for the 8
byte nonce case, it was generating incorrect MACs for if_wg(4). As a
workaround, change the direct API to always use the IETF API from
libsodium which uses 12 byte nonces. This can be done by
zero-extending the provided 8 byte nonce to 12 bytes so long as the
passed in buffers are sufficiently small to not overflow a 4 byte
counter.

This fixes key negotiation for if_wg(4) on stable/13. This is also
a direct commit to stable/13.

Reported by: Marek Zarychta <mzar@bpine64.dom.potoki.eu>