Test ForceZero of secrets in free and DH KEX

- Add retain-on-free and size-tracking capture allocators to inspect
  freed buffers post-free.
- Verify SshResourceFree zeroes ssh->k, ssh->keys, and ssh->peerKeys
  before wolfSSH_free releases the struct.
- Verify KeyAgreeDh_client wipes ssh->handshake->x even when wc_DhAgree
  fails (ForceZero is unconditional).
- Verify KeyAgreeDh_server zeroes the MAX_KEX_KEY_SZ y_ptr allocation
  under WOLFSSH_SMALL_STACK via 0xCC poisoning.
- Expose KeyAgreeDh_client / KeyAgreeDh_server via wolfSSH_Test* hooks
  under WOLFSSH_TEST_INTERNAL.

Issues: F-2488, F-2492, F-2493, F-2875

Author: ejohnstown

src/internal.c

@@ -18118,6 +18118,22 @@ int wolfSSH_TestHighwaterCheck(WOLFSSH* ssh, byte side)
     return HighwaterCheck(ssh, side);
 }
 
+#ifndef WOLFSSH_NO_DH
+
+int wolfSSH_TestKeyAgreeDh_client(WOLFSSH* ssh, byte hashId,
+        const byte* f, word32 fSz)
+{
+    return KeyAgreeDh_client(ssh, hashId, f, fSz);
+}
+
+int wolfSSH_TestKeyAgreeDh_server(WOLFSSH* ssh, byte hashId,
+        byte* f, word32* fSz)
+{
+    return KeyAgreeDh_server(ssh, hashId, f, fSz);
+}
+
+#endif /* !WOLFSSH_NO_DH */
+
 #ifndef WOLFSSH_NO_DH_GEX_SHA256
 
 int wolfSSH_TestDoKexDhGexRequest(WOLFSSH* ssh, byte* buf, word32 len,