Verify size of mlen in ML-DSA external mu mode (#2841)

### Issues:
Resolves #N/A

### Description of changes: 
When signing/verifying in ML-DSA the caller provides `mlen` the the
length of the message `m` that is being signed/verified. Currently, we
do no validation on the size of `mlen` when in pre-hash mode (called
"external mu" in ML-DSA). Since the pre-hash is the output of a SHAKE256
hash function, it is of fixed size `ML_DSA_CRHBYTES`. This adds
validation to check that, returning `-1` if not true to match the case
where the context `ctx` has length too large.

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.

Author: jakemas

crypto/fipsmodule/ml_dsa/ml_dsa_ref/sign.c

@@ -161,7 +161,7 @@ int ml_dsa_keypair(ml_dsa_params *params, uint8_t *pk, uint8_t *sk, uint8_t *see
 *              - uint8_t *sk:     pointer to bit-packed secret key
 *              - int external_mu: indicates input message m is to be processed as mu
 *
-* Returns 0 (success) or -1 (context string too long)
+* Returns 0 (success) or -1 (context string too long or incorrect mlen in external mu)
 **************************************************/
 int ml_dsa_sign_internal(ml_dsa_params *params,
                          uint8_t *sig,
@@ -184,6 +184,10 @@ int ml_dsa_sign_internal(ml_dsa_params *params,
   ml_dsa_poly cp;
   KECCAK1600_CTX state;
 
+  if (external_mu && mlen != ML_DSA_CRHBYTES) {
+    return -1;
+  }
+
   rho = seedbuf;
   tr = rho + ML_DSA_SEEDBYTES;
   key = tr + ML_DSA_TRBYTES;
@@ -346,12 +350,12 @@ int ml_dsa_sign(ml_dsa_params *params,
   if (!RAND_bytes(rnd, ML_DSA_RNDBYTES)) {
     return -1;
   }
-  ml_dsa_sign_internal(params, sig, siglen, m, mlen, pre, 2 + ctxlen, rnd, sk, 0);
+  int ret = ml_dsa_sign_internal(params, sig, siglen, m, mlen, pre, 2 + ctxlen, rnd, sk, 0);
 
   /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */
   OPENSSL_cleanse(pre, sizeof(pre));
   OPENSSL_cleanse(rnd, sizeof(rnd));
-  return 0;
+  return ret;
 }
 
 /*************************************************
@@ -380,11 +384,11 @@ int ml_dsa_extmu_sign(ml_dsa_params *params,
   if (!RAND_bytes(rnd, ML_DSA_RNDBYTES)) {
     return -1;
   }
-  ml_dsa_sign_internal(params, sig, siglen, mu, mulen, NULL, 0, rnd, sk, 1);
+  int ret = ml_dsa_sign_internal(params, sig, siglen, mu, mulen, NULL, 0, rnd, sk, 1);
 
   /* FIPS 204. Section 3.6.3 Destruction of intermediate values. */
   OPENSSL_cleanse(rnd, sizeof(rnd));
-  return 0;
+  return ret;
 }
 
 /*************************************************
@@ -469,6 +473,11 @@ int ml_dsa_verify_internal(ml_dsa_params *params,
   if(siglen != params->bytes) {
     return -1;
   }
+
+  if (external_mu && mlen != ML_DSA_CRHBYTES) {
+    return -1;
+  }
+
   /* FIPS 204: line 1 */
   ml_dsa_unpack_pk(params, rho, &t1, pk);
   /* FIPS 204: line 2 */