Move NIST_KW to PSA API

[gilles-peskine-arm]

Migrate the NIST KW/KWP interface (nist_kw.h) to rely on the PSA API instead of cipher.h.

Justification: KW/KWP are an encrypted authentication modes built on a block cipher (currently only AES). They doesn't fit the PSA crypto API well (no nonce, no AEAD, awkward to make multipart), so at least for the time being we aren't exposing it through a PSA API. The implementation relies on the block cipher in ECB mode. Currently, nist_kw.c relies on mbedtls_cipher_xxx functions for AES-ECB. The goal of this task is to make the implementation rely on psa_cipher_encrypt/psa_cipher_decrypt instead.

New prototypes:

psa_status_t mbedtls_nist_kw_wrap(mbedtls_svc_key_id_t key,
                                  mbedtls_nist_kw_mode_t mode,
                                  const unsigned char *input, size_t input_length,
                                  unsigned char *output, size_t output_size, size_t *output_length);
psa_status_t mbedtls_nist_kw_unwrap(mbedtls_svc_key_id_t key,
                                    mbedtls_nist_kw_mode_t mode,
                                    const unsigned char *input, size_t input_length,
                                    unsigned char *output, size_t output_size, size_t *output_length);

The changes are:

• Use a PSA key instead of a context. There is no more context type and context management functions.
• Use the same parameter order as PSA APIs (output buffer size before output length).

Validation: check that the key type is PSA_KEY_TYPE_AES. This isn't really necessary, but expanding support to other 128-bit block ciphers is out of scope, even if all it would take is to add test cases.

Implementation: use the psa_cipher_xxx multipart API. Return PSA error codes instead of legacy error codes.