Add rs_packet_add_avp() and use it.

Add rs_packet_add_avp() and use it.

rs_packet_create_authn_request() now uses rs_packet_add_avp() instead
of rs_packet_append_avp() which makes it possible to create a
authentication packet without knowing the shared secret.

Calling rs_packet_add_avp() on a packet is incompatible with using
rs_packet_append_avp() on the same packet but since
rs_packet_create_authn_request() adds attribute-value pairs for user
name and password only if those arguments are supplied, code that
doesn't use user name and password (i.e. mech_eap) should still be
fine.