Document masking of Montgomery private keys in psa_export_key

Follow the PSA Crypto specification which was updated between 1.0 beta3
and 1.0.0.
Add corresponding test cases.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>

include/psa/crypto.h

@@ -738,8 +738,9 @@ psa_status_t psa_import_key(const psa_key_attributes_t *attributes,
  *   `PSA_ECC_CURVE_CURVEXXX`), and in big-endian order for Weierstrass
  *   curves (curve types `PSA_ECC_CURVE_SECTXXX`, `PSA_ECC_CURVE_SECPXXX`
  *   and `PSA_ECC_CURVE_BRAINPOOL_PXXX`).
- *   This is the content of the `privateKey` field of the `ECPrivateKey`
- *   format defined by RFC 5915.
+ *   For Weierstrass curves, this is the content of the `privateKey` field of
+ *   the `ECPrivateKey` format defined by RFC 5915.  For Montgomery curves,
+ *   the format is defined by RFC 7748, and output is masked according to §5.
  * - For Diffie-Hellman key exchange key pairs (key types for which
  *   #PSA_KEY_TYPE_IS_DH_KEY_PAIR is true), the
  *   format is the representation of the private key `x` as a big-endian byte