Merge to fips-20250107: Update PQ ACVP to reflect NIST's breaking changes.

NIST have updated the ACVP protocol for SLH-DSA and ML-DSA in several
breaking ways. This change updates acvptool to reflect this.

(cherry picked from commit 298ac78507)
Change-Id: Iddd2d1db2241a83119c7b671c225bb709d01c70c
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/77267
Auto-Submit: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: Bob Beck <bbe@google.com>

util/fipstools/acvp/acvptool/subprocess/mldsa.go

@@ -92,12 +92,12 @@ type mldsaSigVerTestGroup struct {
 	ID           uint64            `json:"tgId"`
 	TestType     string            `json:"testType"`
 	ParameterSet string            `json:"parameterSet"`
-	PublicKey    string            `json:"pk"`
 	Tests        []mldsaSigVerTest `json:"tests"`
 }
 
 type mldsaSigVerTest struct {
 	ID        uint64 `json:"tcId"`
+	PublicKey string `json:"pk"`
 	Message   string `json:"message"`
 	Signature string `json:"signature"`
 }
@@ -254,13 +254,13 @@ func (m *mldsa) processSigVer(vectorSet []byte, t Transactable) (any, error) {
 		}
 		cmdName := group.ParameterSet + "/sigVer"
 
-		pk, err := hex.DecodeString(group.PublicKey)
-		if err != nil {
-			return nil, fmt.Errorf("failed to decode public key in group %d: %s",
-				group.ID, err)
-		}
-
 		for _, test := range group.Tests {
+			pk, err := hex.DecodeString(test.PublicKey)
+			if err != nil || len(pk) == 0 {
+				return nil, fmt.Errorf("failed to decode public key in test case %d/%d: %s",
+					group.ID, test.ID, err)
+			}
+
 			msg, err := hex.DecodeString(test.Message)
 			if err != nil {
 				return nil, fmt.Errorf("failed to decode message in test case %d/%d: %s",

util/fipstools/acvp/modulewrapper/modulewrapper.cc

@@ -958,30 +958,42 @@ static bool GetConfig(const Span<const uint8_t> args[],
         "algorithm": "ML-DSA",
         "mode": "sigGen",
         "revision": "FIPS204",
-        "parameterSets": [
-          "ML-DSA-65",
-          "ML-DSA-87"
-        ],
+        "signatureInterfaces": ["internal"],
         "deterministic": [
           true,
           false
         ],
-        "messageLength": [
-          {
+        "externalMu": [
+          false
+        ],
+        "capabilities": [{
+          "parameterSets": [
+            "ML-DSA-65",
+            "ML-DSA-87"
+          ],
+          "messageLength": [{
             "min": 8,
             "max": 65536,
             "increment": 8
-          }
-        ]
+          }]
+        }]
       },
       {
         "algorithm": "ML-DSA",
         "mode": "sigVer",
         "revision": "FIPS204",
-        "parameterSets": [
-          "ML-DSA-65",
-          "ML-DSA-87"
-        ]
+        "signatureInterfaces": ["internal"],
+        "capabilities": [{
+          "messageLength": [{
+            "min": 8,
+            "max": 65536,
+            "increment": 8
+          }],
+          "parameterSets": [
+            "ML-DSA-65",
+            "ML-DSA-87"
+          ]
+        }]
       },
       {
         "algorithm": "ML-KEM",
@@ -1021,6 +1033,7 @@ static bool GetConfig(const Span<const uint8_t> args[],
           true,
           false
         ],
+        "signatureInterfaces": [ "internal" ],
         "capabilities": [
           {
             "parameterSets": [
@@ -1040,6 +1053,7 @@ static bool GetConfig(const Span<const uint8_t> args[],
         "algorithm": "SLH-DSA",
         "mode": "sigVer",
         "revision": "FIPS205",
+        "signatureInterfaces": [ "internal" ],
         "deterministic": [
           true,
           false