Phase 3: SHA512 integrity check and closing the final FIPS requirements gaps#10281

Open
kaleb-himes wants to merge 1 commit intowolfSSL:masterfrom
kaleb-himes:PQ-FS-2026-Part3-SecurityReview

Conversation

@kaleb-himes
Contributor

Description

Please describe the scope of the fix or feature addition.

Fixes zd#

Testing

How did you test?

Checklist

  • added tests
  • updated/added doxygen
  • updated appropriate READMEs
  • Updated manual and documentation

@kaleb-himes kaleb-himes force-pushed the PQ-FS-2026-Part3-SecurityReview branch 3 times, most recently from 8923ea5 to 9af5352 Compare April 22, 2026 22:51
@github-actions

github-actions Bot commented Apr 22, 2026

MemBrowse Memory Report

No memory changes detected for:

@kaleb-himes kaleb-himes changed the title Pq fs 2026 part3 security review Phase 3: SHA512 integrity check and closing the final FIPS requirements gaps Apr 23, 2026
@kaleb-himes kaleb-himes force-pushed the PQ-FS-2026-Part3-SecurityReview branch 2 times, most recently from 6c4cd17 to a43af0f Compare April 28, 2026 21:58
…egrity, PCT, zeroize, CMAC/SHAKE/AES-KW CASTs, DH PCT + configurable DRBG_SHA512_SEED_LEN

Seven findings from the v7.0.0 security review, squashed into one
commit per the Part3 branch invariant.

FND 40.2 (in-core integrity HMAC upgraded to SHA-512)
  - wolfssl/wolfcrypt/fips_test.h: add v7+ branch that selects SHA-512 /
    64-byte digest / 512-bit key / 64-byte verify-size.  Older versions
    (v5.3, v6.x) keep HMAC-SHA-256.
  - fips-hash.sh: drop the hardcoded cut -c1-64 so the script works for
    both the 32-byte (v5.3 / v6.x) and 64-byte (v7+) digests.

FND 36.1 (SLH-DSA PCT per FIPS 140-3 IG 10.3.B)
  wolfcrypt/src/wc_slhdsa.c wc_SlhDsaKey_MakeKey: after key generation
  performs a sign+verify pairwise consistency test on a fixed prehashed
  message, returning SLH_DSA_PCT_E on failure.  Companion fips.c
  DEGRADE_STATE entry is in the kh-fork-fips commit.

FND 6.4 (AES-GCM zeroization on the assembly fast path)
  wolfcrypt/src/aes.c AES_GCM_decrypt_C: zero the partial block before
  the early return when the auth-tag check fails, not after.

FND 10.1 (AES-CMAC dedicated CAST: companion error code)
  wolfssl/wolfcrypt/error-crypt.h: add CMAC_KAT_FIPS_E = -1020 with a
  comment citing the IG 10.3.A authenticated-mode allowance and the
  vendor-elected enhancement rationale.
  wolfcrypt/src/error.c: description string for CMAC_KAT_FIPS_E.

FND 15.1 (SHAKE dedicated CAST: companion error code)
  wolfssl/wolfcrypt/error-crypt.h: add SHAKE_KAT_FIPS_E = -1021 with
  the IG 10.3.B comment.
  wolfcrypt/src/error.c: description string for SHAKE_KAT_FIPS_E.

FND 26.7 (DH KeyGen PCT per SP 800-56A r3 sec 5.6.2.1.4)
  wolfcrypt/src/dh.c wc_DhGenerateKeyPair: under HAVE_FIPS, after the
  underlying make-key returns the function regenerates the public key
  from the private key via the math primitives and ConstantCompare's
  it against the supplied public, returning DH_PCT_E on mismatch.
  wolfssl/wolfcrypt/error-crypt.h: add DH_PCT_E = -1022 with comment
  citing SP 800-56A r3 sec 5.6.2.1.4 / FIPS 140-3 IG 10.3.B.
  wolfcrypt/src/error.c: description string for DH_PCT_E.

FND 11.3 (AES-KW dedicated CAST per SP 800-38F sec 6.2 / RFC 3394)
  wolfssl/wolfcrypt/fips_test.h: add FIPS_CAST_AES_KW = 28 and bump
  FIPS_CAST_COUNT to 29.
  wolfssl/wolfcrypt/error-crypt.h: add AES_KW_KAT_FIPS_E = -1023 with
  comment citing SP 800-38F sec 6.2 / RFC 3394 (vendor-elected
  enhancement).  WC_SPAN2_LAST_E / WC_LAST_E updated.
  wolfcrypt/src/error.c: description string for AES_KW_KAT_FIPS_E.
  Companion changes (kh-fork-fips):
   - fips_test.c: AesKw_KnownAnswerTest helper; new DoCAST case
     FIPS_CAST_AES_KW with RFC 3394 sec 4.6 (AES-256 KEK / 256-bit
     plaintext) vector exercising the full SP 800-38F sec 6.2 wrap
     composition (6n=24 iteration counter, semiblock concatenation,
     0xA6A6A6A6A6A6A6A6 IV check).
   - fips.c: wc_AesKeyWrap_fips/_ex_fips/_UnWrap_fips/_UnWrap_ex_fips
     refactored to gate on FIPS_CAST_AES_KW; CastIdToStr entry;
     DEGRADE_STATE on AES_KW_KAT_FIPS_E (only the KW CAST is degraded
     - underlying AES CASTs remain independent); explicit AES-KW entry
     in wc_RunAllCast_fips alongside AES-CBC/GCM/ECB.
  AES-KWP (SP 800-38F sec 6.3 internal padding) is intentionally out
  of scope - the module does not implement padding for any AES mode
  and requires inputs to be 8-byte aligned at the boundary.  This is
  a voluntary enhancement exceeding the IG 10.3.A minimum.

Companion paperwork updates (tracked changes) live in
Final_Submission_Paperwork/PL-R34-...-Security-Policy.docx and
PL-R36-...-Compliance-Summary.docx (CAST count 28 -> 29, AES-KW
coverage paragraph, no-padding policy clarification).

DRBG_SHA512_SEED_LEN configurability (carried forward from the prior
Part3 commit): wolfssl/wolfcrypt/random.h exposes the seed-length
constant as a configurable macro for OE-specific entropy claims.

Verified:
  POST passes, make check passes (5 pass, 3 skip, 0 fail) with the
  default --enable-fips=v7 configure, AND with the CI-representative
  configure (9 pass, 3 skip, 0 fail).
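The FND 40.2 change above (HMAC-SHA-512 in-core integrity for v7+, and dropping the hard-coded `cut -c1-64` in fips-hash.sh) can be illustrated with the following added example. This is editor-written code, not wolfSSL's; the version table, HMAC key and module image are constructed stand-ins.

```python
"""Added example (not wolfSSL's code): per-version in-core integrity HMAC as
described under FND 40.2, plus the fips-hash.sh truncation pitfall it fixes.
The key, module image and version table are constructed stand-ins."""
import hmac

# Constructed table mirroring the commit message: v5.3 / v6.x keep HMAC-SHA-256
# (32-byte digest), v7+ selects HMAC-SHA-512 (64-byte digest, 512-bit key).
# Tuple fields: (hash name, digest length in bytes, key length in bytes)
INTEGRITY_PARAMS = {
    "v5.3": ("sha256", 32, 32),
    "v6":   ("sha256", 32, 32),
    "v7":   ("sha512", 64, 64),
}

def integrity_key(version: str) -> bytes:
    """Constructed stand-in for the module's embedded HMAC key (NOT a real key)."""
    _, _, key_len = INTEGRITY_PARAMS[version]
    return bytes(range(key_len))

def compute_integrity_hex(image: bytes, version: str) -> str:
    """What a build-time hash script emits for the given module version."""
    algo, _, _ = INTEGRITY_PARAMS[version]
    return hmac.new(integrity_key(version), image, algo).hexdigest()

def old_fips_hash_script(image: bytes, version: str) -> str:
    """Simulates the pre-fix fips-hash.sh: 'cut -c1-64' keeps 64 hex chars, which
    is the whole SHA-256 digest but only the first half of a SHA-512 digest."""
    return compute_integrity_hex(image, version)[:64]

def verify_integrity(image: bytes, version: str, embedded_hex: str) -> bool:
    """Runtime POST-style check: recompute the HMAC and compare in constant time.
    A stored value of the wrong length (e.g. a truncated digest) is rejected."""
    algo, digest_len, _ = INTEGRITY_PARAMS[version]
    if len(embedded_hex) != 2 * digest_len:
        return False
    computed = hmac.new(integrity_key(version), image, algo).digest()
    return hmac.compare_digest(computed, bytes.fromhex(embedded_hex))

MODULE_IMAGE = b"constructed stand-in for the module's text+rodata bytes"

if __name__ == "__main__":
    good = compute_integrity_hex(MODULE_IMAGE, "v7")
    print(verify_integrity(MODULE_IMAGE, "v7", good))                                  # True
    print(verify_integrity(MODULE_IMAGE, "v7", old_fips_hash_script(MODULE_IMAGE, "v7")))      # False
    print(verify_integrity(MODULE_IMAGE, "v5.3", old_fips_hash_script(MODULE_IMAGE, "v5.3")))  # True
```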
@kaleb-himes kaleb-himes force-pushed the PQ-FS-2026-Part3-SecurityReview branch from a43af0f to 7c0c87a Compare April 29, 2026 14:06
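The DH key-generation pairwise consistency test from FND 26.7 (regenerate the public key from the private key and constant-time compare it, returning DH_PCT_E on mismatch) as a second added example. This is editor-written code, not wolfSSL's wc_DhGenerateKeyPair; the group parameters are a constructed toy safe prime, far too small for real use.

```python
"""Added example (not wolfSSL's code): DH key-generation PCT per SP 800-56A r3
sec 5.6.2.1.4, as described under FND 26.7.  Group values are constructed toys."""
import hmac
import secrets

P = 2027   # constructed toy safe prime: p = 2q + 1 with q = 1013 (NOT for real use)
Q = 1013
G = 4      # quadratic residue, so it generates the order-q subgroup of Z_p*
DH_PCT_E = -1022  # error code named in the commit message

def make_key(priv=None):
    """Underlying make-key: private x in [1, q-1], public y = g^x mod p."""
    if priv is None:
        priv = secrets.randbelow(Q - 1) + 1
    return priv, pow(G, priv, P)

def pairwise_consistency_test(priv: int, pub: int) -> bool:
    """Recompute y from x with the math primitive and compare in constant time
    (fixed-width encoding so the comparison length does not leak anything)."""
    size = (P.bit_length() + 7) // 8
    regenerated = pow(G, priv, P).to_bytes(size, "big")
    return hmac.compare_digest(regenerated, pub.to_bytes(size, "big"))

def generate_key_pair(priv=None, corrupt_pub=False):
    """Key generation with the PCT gated after make-key, returning DH_PCT_E on
    mismatch.  corrupt_pub injects a fault to exercise the error path."""
    x, y = make_key(priv)
    if corrupt_pub:
        y = (y + 1) % P
    if not pairwise_consistency_test(x, y):
        return DH_PCT_E
    return x, y

if __name__ == "__main__":
    print(generate_key_pair(7))                    # (7, 4^7 mod 2027)
    print(generate_key_pair(7, corrupt_pub=True))  # -1022
```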