acvp: don't include CMAC-AES in regcap dump. CMAC-AES isn't inside our FIPS module, it's only included in modulewrapper in order to test acvptool. Mark it with a special tag to avoid it appearing when dumping regcap JSON because NIST paperwork is such that it's better not to ACVP test such code. Change-Id: I0c6d3a38bce9bf5766b889677eb3f7de94262c24 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/45465 Reviewed-by: David Benjamin <davidben@google.com>
diff --git a/util/fipstools/acvp/acvptool/acvp.go b/util/fipstools/acvp/acvptool/acvp.go
index df627cc..87c2f87 100644
--- a/util/fipstools/acvp/acvptool/acvp.go
+++ b/util/fipstools/acvp/acvptool/acvp.go
@@ -279,9 +279,23 @@
 	}
 	if *dumpRegcap {
+		nonTestAlgos := make([]map[string]interface{}, 0, len(supportedAlgos))
+		for _, algo := range supportedAlgos {
+			if value, ok := algo["acvptoolTestOnly"]; ok {
+				testOnly, ok := value.(bool)
+				if !ok {
+					log.Fatalf("modulewrapper config contains acvptoolTestOnly field with non-boolean value %#v", value)
+				}
+				if testOnly {
+					continue
+				}
+			}
+			nonTestAlgos = append(nonTestAlgos, algo)
+		}
+
 		regcap := []map[string]interface{}{
 			map[string]interface{}{"acvVersion": "1.0"},
-			map[string]interface{}{"algorithms": supportedAlgos},
+			map[string]interface{}{"algorithms": nonTestAlgos},
 		}
 		regcapBytes, err := json.MarshalIndent(regcap, "", "    ")
 		if err != nil {
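Review bot: An algorithm entry that carries `"acvptoolTestOnly": false` is kept by the new loop but still has the private tag in its map, so the non-standard key is emitted into the registration JSON that is sent to the ACVP server; the loop only skips entries where the value is true. The tag should be dropped from every entry that is kept, e.g. `delete(algo, "acvptoolTestOnly")` just before `nonTestAlgos = append(nonTestAlgos, algo)` (mutating the map is fine here since it is only read again for the dump). It is also worth noting that the boolean-type check on the tag only runs under `-dump-regcap`, so a malformed value is not reported on ordinary test runs; if that is intended, a short comment above the loop saying the tag is a modulewrapper-only convention that never reaches NIST would help the next reader. The enclosing function starts and ends outside this hunk.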
diff --git a/util/fipstools/acvp/modulewrapper/modulewrapper.cc b/util/fipstools/acvp/modulewrapper/modulewrapper.cc
index b354280..a08e670 100644
--- a/util/fipstools/acvp/modulewrapper/modulewrapper.cc
+++ b/util/fipstools/acvp/modulewrapper/modulewrapper.cc
@@ -676,6 +676,7 @@
     },
     {
       "algorithm": "CMAC-AES",
+      "acvptoolTestOnly": true,
       "revision": "1.0",
       "capabilities": [{
         "direction": ["gen", "ver"],
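Review bot: The new `"acvptoolTestOnly": true` key is a private acvptool convention that is not part of the ACVP capability schema, and nothing in this file says so; a reader of the config alone cannot tell that it controls whether the entry is omitted from the regcap dump. Since the entry sits inside a JSON raw string, the explanation belongs in a C++ comment above the config definition (which starts outside this hunk), e.g. `// "acvptoolTestOnly": true marks algorithms that are outside the FIPS module and exist only to exercise acvptool; acvptool omits them from the regcap dump.`.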