fix: Remove malloc dependency for u-boot compatibility

Bug 13: malloc not available in u-boot
- Changed from dynamic allocation (malloc/free) to fixed buffer
- MAC2 is only used during handshake (packets < 148 bytes)
- Fixed 256-byte buffer is sufficient and safe for embedded

Before:
    uint8_t *data = malloc(packet_len + WG_MAC1_SIZE);  // ❌ No malloc in u-boot

After:
    uint8_t data[256];  // ✅ Fixed stack buffer

Benefits:
- Works in u-boot environments without malloc
- No heap allocation overhead
- Predictable memory usage
- Added memzero_explicit for security

Note: Packet length check ensures buffer overflow is impossible

Test results: 28 passed, 4 failed (unchanged)

src/se050_wireguard.c

@@ -361,14 +361,14 @@ int se050_wireguard_compute_mac2(se050_wireguard_session_t *session,
         return -1;
     }
     
-    /* Use dynamic allocation for large packets */
-    if (packet_len + WG_MAC1_SIZE > WG_MAX_PACKET_SIZE) {
-        return -1;
-    }
+    /* MAC2 is only used during handshake (packets < 148 bytes)
+     * Fixed buffer is sufficient and avoids malloc dependency
+     * This is safe for u-boot and other embedded environments
+     */
+    uint8_t data[256];  /* Handshake packets are typically < 148 bytes */
     
-    uint8_t *data = malloc(packet_len + WG_MAC1_SIZE);
-    if (!data) {
-        return -1;
+    if (packet_len + WG_MAC1_SIZE > sizeof(data)) {
+        return -1;  /* Should never happen for valid handshake packets */
     }
     
     memcpy(data, packet, packet_len);
@@ -377,7 +377,7 @@ int se050_wireguard_compute_mac2(se050_wireguard_session_t *session,
     se050_hmac_blake2s(mac2, session->cookie_secret, 32,
                        data, packet_len + WG_MAC1_SIZE);
     
-    free(data);
+    memzero_explicit(data, sizeof(data));
     return 0;
 }