Expose ECJPAKE through the PSA Crypto API

[yanesca]

Make the ECJPAKE functionality available through the PSA Crypto API defined in #4000 .

[yanesca]

(Estimating it for Medium instead of small, because the PSA API probably won't be well aligned with the current public API, thus the task won't be trivial.)

[superna9999]

I have a question about implementation.

The MbedTLS ecjpake API write the while output data at once ((ec point + key) x 2).
What's the best way to implement the PSA API:

• generate the whole output in a buffer in operation and serve the bits depending on the step
• directly access the MbedTLS context and write data on demand.

Second seems simpler, but for the input part, it would be much harder to implement and simpler to cat data in a buffer and run mbedtls_ecjpake_read_round_one.

[gilles-peskine-arm]

I would say whatever is most convenient to implement, and we can revise it later.

But I'm not familiar with ecjpake. Maybe @mpg has some advice?

[mpg]

Hmm, I think both approaches are reasonable* and I don't see a strong reason to prefer one over the other, so I'd also say whatever you find most convenient to implement.

Note that I don't think you even need to use the same approach for inputs and outputs, so you could for example directly output from the Mbed TLS context, but cat input data in a buffer until you have enough to call mbedtls_ecjpake_read_round_xxx() if that's the most convenient.

*We only support P-256 with SHA-256, so all sizes are static. Looking at test data, round one in 330 bytes and round two is 168 bytes, so that's an OK size for an internal buffer.