Implement psa_generate_key_custom

Implement `psa_generate_key_custom()` and
`psa_key_derivation_output_key_custom()`. These functions replace
`psa_generate_key_ext()` and `psa_key_derivation_output_key_ext()`.
They have the same functionality, but a slightly different interface:
the `ext` functions use a structure with a flexible array member to pass
variable-length data, while the `custom` functions use a separate parameter.

Keep the `ext` functions for backward compatibility with Mbed TLS 3.6.0.
But make them a thin wrapper around the new `custom` functions.

Duplicate the test code and data. The test cases have to be duplicated
anyway, and the test functions are individually more readable this way.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

include/psa/crypto_struct.h

@@ -223,9 +223,28 @@ static inline struct psa_key_derivation_s psa_key_derivation_operation_init(
     return v;
 }
 
-struct psa_key_production_parameters_s {
+struct psa_custom_key_parameters_s {
     /* Future versions may add other fields in this structure. */
     uint32_t flags;
+};
+
+/** The default production parameters for key generation or key derivation.
+ *
+ * Calling psa_generate_key_custom() or psa_key_derivation_output_key_custom()
+ * with `custom=PSA_CUSTOM_KEY_PARAMETERS_INIT` and `custom_data_length=0` is
+ * equivalent to calling psa_generate_key() or psa_key_derivation_output_key()
+ * respectively.
+ */
+#define PSA_CUSTOM_KEY_PARAMETERS_INIT { 0 }
+
+/* This is a deprecated variant of `struct psa_custom_key_parameters_s`.
+ * It has exactly the same layout, plus an extra field which is a flexible
+ * array members. Thus a `const struct psa_key_production_parameters_s*`
+ * can be passed to any function that reads a
+ * `const struct psa_custom_key_parameters_s*`.
+ */
+struct psa_key_production_parameters_s {
+    uint32_t flags;
     uint8_t data[];
 };