[DRAFT] Fix Windows ARM64 FIPS build; add Clang support for Windows FIPS #3013

Draft

justsmth wants to merge 1 commit into aws:main from justsmth:fix-ci-windows-arm-fips

@justsmth justsmth commented Feb 19, 2026

Issues:

Addresses: #2981
Related PR: #2982

Description of changes:

The Windows FIPS shared library build previously used a two-DLL approach: build precrypto.dll with a placeholder hash, run it to capture the real hash, then rebuild a separate crypto.dll with the correct hash embedded. This fails on ARM64 Windows (mandatory ASLR causes the linker to produce different ADRP immediates between the two DLLs) and with Clang's lld-link linker.

This PR replaces the two-DLL approach with a single-DLL capture-and-patch strategy for all Windows FIPS builds:

  1. Build crypto.dll once with a placeholder hash
  2. Run fips_empty_main.exe (linked against it) — the integrity check fails and prints the correct hash
  3. Binary-patch the 32-byte placeholder directly in crypto.dll

This eliminates the precrypto/generated_fipsmodule/generated_fips_shared_support.c machinery entirely.

Additionally, this PR adds Clang compiler support for the Windows FIPS build:

  • Widens _MSC_VER preprocessor guards to _MSC_VER || (__clang__ && _WIN32) for FIPS section pragmas, CRT constructors/destructors, __declspec(noreturn), and binary-mode I/O
  • Adds explicit #pragma section + __declspec(allocate()) for FIPS rodata markers (needed by clang-cl on ARM64)
  • Adds #pragma const_seg() reset in fips_shared_support.c to keep the hash outside the FIPS integrity boundary
  • Adds llvm-lib support in fipsmodule/CMakeLists.txt for building bcm.lib with plain Clang

Call-outs:

  • The single-DLL approach requires executing fips_empty_main.exe at build time, so FIPS cross-compilation (e.g., building ARM64 on x64) is not supported. This is the same limitation the previous capture_hash approach had.
  • The capture_hash.go output parser was made more robust (content-based search instead of strict line numbers) to tolerate additional diagnostic output.
  • MinGW GCC does not support the MSVC-specific pragmas (code_seg, const_seg, etc.) required for FIPS section placement, so FIPS remains unsupported with MinGW.

Testing:

  • CI: windows-alt.yml updated with FIPS=1 build matrix variants for clang, clang-cl-msbuild (x64), clang-cl-ninja (x64), and msys2 (clang64 only).
  • Existing actions-ci.yml and windows-omnibus.yml jobs cover MSVC x64 and ARM64 FIPS builds.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
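
The capture-and-patch steps listed in the description above, as an added Go example (not code from this PR or from capture_hash.go). It assumes the digest is printed as one line of 64 hex digits; `extractHash`, `patchPlaceholder`, the placeholder bytes and the sample output are constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/hex"
	"fmt"
	"regexp"
)

// Assumed output format: the digest appears as one line of 64 hex digits.
var hashLine = regexp.MustCompile(`(?m)^([0-9a-fA-F]{64})[ \t\r]*$`)

// extractHash searches the whole output by content, so extra diagnostic
// lines before or after the digest do not break parsing.
func extractHash(output []byte) ([]byte, error) {
	m := hashLine.FindAllSubmatch(output, -1)
	if len(m) != 1 {
		return nil, fmt.Errorf("want exactly 1 digest line, found %d", len(m))
	}
	return hex.DecodeString(string(m[0][1]))
}

// patchPlaceholder swaps the placeholder for the digest in a copy of image.
// Both are 32 bytes, so file size and every offset stay unchanged.
func patchPlaceholder(image, placeholder, digest []byte) ([]byte, error) {
	if len(placeholder) != 32 || len(digest) != 32 {
		return nil, fmt.Errorf("placeholder and digest must be 32 bytes")
	}
	// Zero matches means the wrong file; more than one makes the patch ambiguous.
	if n := bytes.Count(image, placeholder); n != 1 {
		return nil, fmt.Errorf("placeholder found %d times, want 1", n)
	}
	return bytes.Replace(image, placeholder, digest, 1), nil
}

func main() {
	// Constructed sample data, not real build output or a real DLL.
	placeholder := bytes.Repeat([]byte{0xA5}, 32)
	image := append(append([]byte("MZ-header.."), placeholder...), []byte("..code")...)
	output := []byte("some diagnostic\r\n" + hex.EncodeToString(bytes.Repeat([]byte{0x0f}, 32)) + "\r\n")
	digest, err := extractHash(output)
	if err != nil {
		panic(err)
	}
	patched, err := patchPlaceholder(image, placeholder, digest)
	if err != nil {
		panic(err)
	}
	fmt.Printf("patched %d bytes, size unchanged: %v\n", len(digest), len(patched) == len(image))
}
```

Refusing to patch unless the placeholder occurs exactly once keeps a stale or already-patched DLL from being silently accepted.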

@github-actions github-actions bot left a comment

clang-tidy made some suggestions

@@ -54,4 +68,3 @@ const uint8_t BORINGSSL_bcm_rodata_end[16] =
#error "This file should be compiled only as part of the Shared FIPS build on macOS/iOS/Windows."
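
Review bot: the #error on the last line of this hunk is the same line clang-tidy reports as clang-diagnostic-error, which suggests the tidy run analyses this file in a configuration other than the Shared FIPS build it is guarded for. Consider either excluding this file from that tidy pass or running tidy with the shared FIPS definitions set, so the diagnostic is not raised on every PR and the file is checked in the configuration it is meant for.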

warning: "This file should be compiled only as part of the Shared FIPS build on macOS/iOS/Windows." [clang-diagnostic-error]

#error "This file should be compiled only as part of the Shared FIPS build on macOS/iOS/Windows."
 ^

codecov-commenter commented Feb 19, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.35%. Comparing base (167015c) to head (77103f0).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3013      +/-   ##
==========================================
+ Coverage   78.32%   78.35%   +0.02%     
==========================================
  Files         689      689              
  Lines      121007   121010       +3     
  Branches    16994    16991       -3     
==========================================
+ Hits        94783    94820      +37     
+ Misses      25330    25296      -34     
  Partials      894      894              

@justsmth justsmth force-pushed the fix-ci-windows-arm-fips branch from 69f7463 to 77103f0 Compare February 20, 2026 20:41
@justsmth justsmth changed the title [DRAFT] Fix Windows/ARM FIPS build [DRAFT] Fix Windows ARM64 FIPS build and add Clang support for Windows FIPS Feb 20, 2026
@justsmth justsmth changed the title [DRAFT] Fix Windows ARM64 FIPS build and add Clang support for Windows FIPS [DRAFT] Fix Windows ARM64 FIPS build; add Clang support for Windows FIPS Feb 20, 2026
@justsmth justsmth force-pushed the fix-ci-windows-arm-fips branch from 7e5a8e8 to 93ef530 Compare February 20, 2026 21:32
@justsmth justsmth force-pushed the fix-ci-windows-arm-fips branch from 93ef530 to 77103f0 Compare February 20, 2026 22:06