psa_cipher_decrypt with CCM* rejects very short messages

[gilles-peskine-arm]

psa_cipher_decrypt takes an input which is the IV concatenated with the ciphertext proper. It validates that the input is at least as large as the IV. This validation is wrong for PSA_ALG_CCM_STAR_NO_TAG: the length enforcement is for 16 bytes but the IV length is actually 13. As a consequence, psa_cipher_decrypt incorrectly returns PSA_ERROR_INVALID_ARGUMENT when the message is 3 bytes or less.

Workaround: the multipart interface works fine.

Found by Cryptofuzz.