The kernel RPC cannot process non-application data records when
using TLS. It must to an upcall to a userspace daemon that will
call SSL_read() to process them.

This patch adds a new flag called MSG_TLSAPPDATA that the kernel
RPC can use to tell sorecieve() to return ENXIO instead of a non-application
data record, when that is what is at the top of the receive queue.

The code could use any error return that is not normally returned by
soreceive(). If some other errno is preferred, that can easily be changed.

I also put the code in #ifdef KERN_TLS/#endif, although it will build without
that, so that it is recognized as only useful when KERN_TLS is enabled.

The alternative to doing this is to have the kernel RPC re-queue the
non-application data message after receiving it, but that seems more
complicated and might introduce message ordering issues when there
are multiple non-application data records one after another.

I do not know what, if any, changes will be required to support TLS1.3.

Has been tested using the nfs-over-tls implementation in
head/projects/nfs-over-tls. (Really RPC-over-TLS, but since
NFS is the only anticipated consumer, I called it nfs-over-tls.)