Document failure conditions for SHAKE API #2250

@hanno-becker

Problem:

The SHA3/SHAKE API in crypto/fipsmodule/sha/internal.h does not document its failure conditions.

This is an issue for call-sites which do not handle errors, such as the ML-KEM reference code.

At present, the ML-KEM reference code refers to implementation internals of the SHAKE implementation to argue why no error condition can occur (example here). This reasoning should be made part of the internal API crypto/fipsmodule/sha/internal.h, so it is less likely that the SHAKE implementation would be changed without noticing that changes in its call-sites may need to be made.

The issue persists with mlkem-native, which equally does not expect errors from the underlying FIPS202 module, and hence needs to reason why it upholds the success conditions.
