acvp: check that the payloadLen of cipher tests is correct.

NIST currently seems to have a bug where they don't respect the regcap
for AES-CTR and return fractional-byte tests when not allowed.
Previously we didn't notice that the specified payload length didn't
match the actual value.

Change-Id: I0e48d5246f7250e6047d983cd016b0de290d0f70
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/45205
Reviewed-by: David Benjamin <davidben@google.com>

util/fipstools/acvp/acvptool/subprocess/block.go

@@ -250,11 +250,12 @@ type blockCipherTestGroup struct {
 	Direction string `json:"direction"`
 	KeyBits   int    `json:"keylen"`
 	Tests     []struct {
-		ID            uint64 `json:"tcId"`
-		PlaintextHex  string `json:"pt"`
-		CiphertextHex string `json:"ct"`
-		IVHex         string `json:"iv"`
-		KeyHex        string `json:"key"`
+		ID            uint64  `json:"tcId"`
+		InputBits     *uint64 `json:"payloadLen"`
+		PlaintextHex  string  `json:"pt"`
+		CiphertextHex string  `json:"ct"`
+		IVHex         string  `json:"iv"`
+		KeyHex        string  `json:"key"`
 
 		// 3DES tests serialise the key differently.
 		Key1Hex string `json:"key1"`
@@ -366,6 +367,15 @@ func (b *blockCipher) Process(vectorSet []byte, m Transactable) (interface{}, er
 				inputHex = test.CiphertextHex
 			}
 
+			if test.InputBits != nil {
+				if *test.InputBits%8 != 0 {
+					return nil, fmt.Errorf("input to test case %d/%d is not a whole number of bytes", group.ID, test.ID)
+				}
+				if inputBits := 4 * uint64(len(inputHex)); *test.InputBits != inputBits {
+					return nil, fmt.Errorf("input to test case %d/%d is %q (%d bits), but %d bits is specified", group.ID, test.ID, inputHex, inputBits, *test.InputBits)
+				}
+			}
+
 			input, err := hex.DecodeString(inputHex)
 			if err != nil {
 				return nil, fmt.Errorf("failed to decode hex in test case %d/%d: %s", group.ID, test.ID, err)