Remove FIPS guards in GetASN_BitString length check

[embhorn]

Description

Remove FIPS guards in GetASN_BitString length check

Fixes zd21394

Testing

Build test

Checklist

• added tests
• updated/added doxygen
• updated appropriate READMEs
• Updated manual and documentation

[Copilot]

Pull request overview

Removes conditional compilation guards so GetASN_BitString always rejects zero-length BIT STRING content, aligning behavior across FIPS/non-FIPS builds.

Changes:

• Removed #if/#endif gating around the length == 0 validation in GetASN_BitString.
• Ensured the “one or more octets” check runs in all build configurations.

Comments suppressed due to low confidence (2)

wolfcrypt/src/asn.c:1

• length is an int, but the new guard only rejects length == 0. If length can ever be negative (e.g., propagated from a decode error), this check won’t trigger and the function will continue and potentially read input[idx] despite an invalid length. Consider changing the condition to reject all non-positive lengths (e.g., length <= 0) so invalid/underflowed lengths fail fast as well.
  wolfcrypt/src/asn.c:1
• Removing the HAVE_SELFTEST/HAVE_FIPS guards changes behavior specifically for those build modes (previously, length == 0 would not return ASN_PARSE_E in those configurations). If consumers rely on the prior behavior in FIPS/selftest builds, this is a behavioral breaking change; consider documenting it (release notes / migration note) or clarifying in the PR description why this is safe/required for those configurations.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[kaleb-himes]

This was only compiled out for ctaocrypt (cert 2425) but we're no longer actively supporting that very old FIPS module at this point so this is a fine change from my perspective.

I'll ask @cconlon to also review for the self-test use-case. Good from my side though.