Make TlsConnector wrap TCP connections, not create its own

eta requested to merge eta/arti:tlsconnector-wrapping into main

tor-rtcompat's TlsConnector trait previously included a method to create a TLS-over-TCP connection, which implied creating a TCP stream inside that method. This commit changes that, and makes the function wrap a TCP stream, as returned from the runtime's TcpProvider trait implementation, instead.

This means you can actually override TcpProvider and have it apply to all connections Arti makes, which is useful for issues like #235 (closed) and other cases where you want to have a custom TCP stream implementation.

This required updating the mock TCP/TLS types in tor-rtmock slightly; due to the change in API, we now store whether a LocalStream should actually be a TLS stream inside the stream itself, and check this property on reads/writes in order to detect misuse. The fake TLS wrapper checks this property and removes it in order to "wrap" the stream, making reads and writes work again.
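A simplified, synchronous sketch of the design described above, added here as an example and not taken from the Arti code base. `MockStream`, `MockNet`, `FakeTls`, `open`, the `tls_required` field and the `negotiate` method are hypothetical names, and rejecting a stream that does not expect TLS is an assumption about what "checks this property" means.

```rust
use std::io::{self, Error, ErrorKind, Read, Write};

// Hypothetical stand-ins for illustration; not the tor-rtcompat / tor-rtmock types.
pub struct MockStream { buf: Vec<u8>, tls_required: bool }

pub trait TcpProvider { fn connect(&self, addr: &str) -> io::Result<MockStream>; }
// The connector is handed an already-open stream; it never dials on its own.
pub trait TlsConnector { fn negotiate(&self, s: MockStream) -> io::Result<MockStream>; }

impl MockStream {
    // Misuse check: plaintext I/O on a stream that still expects TLS fails.
    fn check(&self) -> io::Result<()> {
        if !self.tls_required { return Ok(()); }
        Err(Error::new(ErrorKind::Other, "TLS stream used without wrapping"))
    }
}
impl Write for MockStream {
    fn write(&mut self, d: &[u8]) -> io::Result<usize> {
        self.check()?;
        self.buf.extend_from_slice(d);
        Ok(d.len())
    }
    fn flush(&mut self) -> io::Result<()> { self.check() }
}
impl Read for MockStream {
    fn read(&mut self, out: &mut [u8]) -> io::Result<usize> {
        self.check()?;
        let n = out.len().min(self.buf.len());
        out[..n].copy_from_slice(&self.buf[..n]); // loop back what was written
        self.buf.drain(..n);
        Ok(n)
    }
}

pub struct MockNet; // constructed provider: every stream it returns expects TLS
impl TcpProvider for MockNet {
    fn connect(&self, _addr: &str) -> io::Result<MockStream> {
        Ok(MockStream { buf: Vec::new(), tls_required: true })
    }
}
pub struct FakeTls;
impl TlsConnector for FakeTls {
    fn negotiate(&self, mut s: MockStream) -> io::Result<MockStream> {
        if !s.tls_required {
            return Err(Error::new(ErrorKind::InvalidInput, "stream does not expect TLS"));
        }
        s.tls_required = false; // "wrap": clearing the flag re-enables I/O
        Ok(s)
    }
}
// Every connection is opened by the provider first, so overriding it covers TLS too.
pub fn open<P: TcpProvider, T: TlsConnector>(p: &P, t: &T, addr: &str) -> io::Result<MockStream> {
    t.negotiate(p.connect(addr)?)
}
```

Because `open` is generic over the provider, swapping `MockNet` for another `TcpProvider` changes the transport under every TLS connection without touching the connector.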