Add infrastructure for managing third-party test vectors #2811

Merged: sgmenda merged 25 commits into aws:main from sgmenda:sync-vectors-script on Nov 14, 2025

sgmenda commented Nov 11, 2025

Issues:

N/A -- AWS-LC does not have a systematic way to track and sync cryptographic test vectors from external sources like Wycheproof.

Description of changes:

This PR adds third_party/vectors/ with:

  • sync.py - Python script to sync existing vectors and add new ones
  • sources.toml - straightforward config of upstream sources
  • vectorslib/ - utility functions (will host upcoming conversion logic)
  • upstream/ - unmodified upstream test vectors (always checked in for transparency)
    • upstream/wycheproof/ - initial import from Wycheproof including LICENSE and aes_gcm_test.json

Call-outs:

  • conversion hasn't yet been implemented, convert_sources() is a placeholder - will be implemented in the next PR
  • --check mode is documented but not yet implemented

Testing:

Manually tested:

  • ./sync.py --new wycheproof/testvectors_v1/aes_gcm_test.json successfully adds new file
  • ./sync.py verifies existing files are in sync with upstream
  • successfully handles error cases: invalid source names, missing files, and duplicate files

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

@sgmenda sgmenda requested a review from a team as a code owner November 11, 2025 01:24
codecov-commenter commented Nov 11, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.24%. Comparing base (c366f68) to head (cfab3ad).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2811      +/-   ##
==========================================
- Coverage   78.24%   78.24%   -0.01%     
==========================================
  Files         683      683              
  Lines      117187   117187              
  Branches    16476    16476              
==========================================
- Hits        91694    91693       -1     
- Misses      24609    24611       +2     
+ Partials      884      883       -1     


samuel40791765 and others added 4 commits November 11, 2025 12:45
### Description of changes: 
I discovered this edge case when working with an older Ruby version.
This discrepancy only exists in older versions since Ruby openssl
migrated from using the `HMAC_CTX` APIs to use the `EVP` layer in 3.1:
ruby/ruby@b91f62f.


[`test_reset_keep_key`](https://github.com/ruby/ruby/blame/cf4a034d59913fb71a7dd1b052164984be4a3d14/test/openssl/test_hmac.rb#L37-L43)
was failing since we were MACing the data twice. It turns out the call
to `h1.reset` wasn't working properly and this was due to our
implementation of `HMAC_Init_ex` not reinitializing the data input when
only `HMAC_Update` had been called. According to the original function
contract, `HMAC_Init_ex` should reinitialize the inputted data, but the
computed key should still be preserved.

This is a minor edge case due to how older versions of Ruby were
consuming `HMAC_CTX`. [Their
call](https://github.com/ruby/ruby/blob/ruby_2_7/ext/openssl/ossl_hmac.c#L167-L174)
to `HMAC_Final` was called upon a copy of the original `HMAC_CTX`. The
original `HMAC_CTX` was always within a `HMAC_Update` state and AWS-LC
was not properly reinitializing these cases.

### Call-outs:
N/A

### Testing:
New tests

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
### Description of changes: 
Prepare release v1.64.0.


### What's Changed
* Update max polyz value by @jakemas in
aws#2787
* ECR Repositories for Android and Formal Verification Images by
@skmcgrail in aws#2794
* Support more "openssl rsa" options by @justsmth in
aws#2777
* Remove python codebuild patches by @WillChilds-Klein in
aws#2793
* Additional options for "openssl c_client" by @justsmth in
aws#2791
* GitHub-based Formal Verification Image Build by @skmcgrail in
aws#2796
* Use C++11 atomics to update session stats by @justsmth in
aws#2786
* Support "openssl dhparam" by @justsmth in
aws#2790
* Add scrutinice pull permissions for aws-lc/amazonlinux repository by
@skmcgrail in aws#2799
* Use GitHub-based Verification Images by @skmcgrail in
aws#2798
* Remove dead code by @torben-hansen in
aws#2797
* Rename snapsafe to VM UBE by @torben-hansen in
aws#2800
* Bump MySQL version tag to 9.5.0 by @samuel40791765 in
aws#2768
* Migrate to macos-15-intel by @samuel40791765 in
aws#2802
* Use right compiler with ruby CI by @samuel40791765 in
aws#2801
* Migrate analytics job to be GitHub triggered by @skmcgrail in
aws#2779
* Support NetBSD by @justsmth in aws#2754
* Make poly_chknorm constant flow by @jakemas in
aws#2788
* Rename fork to fork UBE by @torben-hansen in
aws#2803
* Extend grv asan timeout for Golang to allow completion by
@torben-hansen in aws#2805

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
@sgmenda sgmenda self-assigned this Nov 12, 2025

sgmenda commented Nov 12, 2025

@torben-hansen thanks for the patient review, resolving now.

torben-hansen previously approved these changes Nov 13, 2025
@sgmenda sgmenda requested a review from skmcgrail November 13, 2025 21:37
@sgmenda sgmenda enabled auto-merge (squash) November 14, 2025 19:16
@sgmenda sgmenda merged commit 1820fee into aws:main Nov 14, 2025
388 of 390 checks passed
sgmenda added a commit that referenced this pull request Nov 21, 2025
### Issues:

Addresses the need to convert third-party test vectors to AWS-LC's
file_test.h format and track which vectors are tested. Currently, test
vectors are manually converted and there's no systematic way to verify
that all vectors in `third_party/` are actually used in tests.

### Description of changes:

Extends the test vector infrastructure from #2811 with two new phases
(each can be skipped independently):

- **Convert**: Transforms Wycheproof JSON test vectors to file_test.h
format via `convert_vector.py` (inspired by the existing Go converter)
- **Spec**: Generates `vectors_spec.md` with MUST requirements and uses
duvet to verify that test files contain corresponding annotations

Converts and integrates `aes_gcm_test` from the latest upstream
Wycheproof as a proof of concept; the test and duvet verification pass.

### Call-outs:

- Conversion is Python-based (not Go) to keep tooling unified within the
vectors system
- The existing Go converter at `util/convert_wycheproof/` will be
removed once all test vectors are migrated to the new system
- Also removes now-outdated `aes_gcm_test` vector in
`third_party/wycheproof_testvectors/`
- Duvet verifies annotation presence but doesn't verify test coverage

### Testing:

- Unit tests in `convert_vector.py` verify JSON to file_test.h
conversion
- Tested full sync workflow and various skip flag combinations
- Verified error handling (invalid sources, missing files)
- Confirmed duvet correctly tracks annotation in
`crypto/cipher_extra/aead_test.cc`

Run the full workflow with `cd third_party/vectors && ./sync.py`.

Run the migrated test with `cd build && ./crypto/crypto_test
--gtest_filter="AEADTest.WycheproofAESGCM"`

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
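
The Convert phase described in the commit message above, sketched as an added example; this is not code from the PR or from AWS-LC's `convert_vector.py`. It turns a Wycheproof AEAD JSON document into `key = value` text and refuses to emit output if the number of converted vectors differs from the upstream `numberOfTests`. The output layout (bracketed group attributes, `#` comments), the function names and the sample document with its made-up hex values are assumptions.

```python
import json
import string

# Constructed sample in the Wycheproof AEAD JSON layout; hex values are made up.
SAMPLE_JSON = """{"algorithm": "AES-GCM", "numberOfTests": 2, "testGroups": [
 {"ivSize": 96, "keySize": 128, "tagSize": 128, "type": "AeadTest", "tests": [
  {"tcId": 1, "comment": "", "flags": [], "result": "valid",
   "key": "000102030405060708090a0b0c0d0e0f", "iv": "000102030405060708090a0b",
   "aad": "", "msg": "aabb", "ct": "ccdd", "tag": "00112233445566778899aabbccddeeff"},
  {"tcId": 2, "comment": "constructed: tag altered", "flags": ["ModifiedTag"],
   "result": "invalid",
   "key": "000102030405060708090a0b0c0d0e0f", "iv": "000102030405060708090a0b",
   "aad": "", "msg": "aabb", "ct": "ccdd", "tag": "ff112233445566778899aabbccddeeff"}]}]}"""

HEX_FIELDS = ("key", "iv", "aad", "msg", "ct", "tag")
RESULTS = {"valid", "invalid", "acceptable"}

def sample():
    return json.loads(SAMPLE_JSON)  # fresh copy of the constructed document

def is_hex(value):
    return len(value) % 2 == 0 and all(c in string.hexdigits for c in value)

def convert(doc):
    """Render a Wycheproof AEAD document as key = value text (assumed layout)."""
    lines = [f"# Algorithm: {doc['algorithm']}"]
    seen = set()
    for group in doc["testGroups"]:
        lines.append("")
        lines += [f"[{a} = {group[a]}]" for a in ("ivSize", "keySize", "tagSize")]
        for test in group["tests"]:
            tc = test["tcId"]
            seen.add(tc)
            if test["result"] not in RESULTS:
                raise ValueError(f"tcId {tc}: unknown result {test['result']!r}")
            lines += ["", f"# tcId = {tc}"]
            if test["comment"]:
                lines.append(f"# {test['comment']}")
            for name in HEX_FIELDS:
                if not is_hex(test[name]):
                    raise ValueError(f"tcId {tc}: {name} is not valid hex")
                lines.append(f"{name} = {test[name]}")
            lines.append(f"result = {test['result']}")
            if test["flags"]:
                lines.append("flags = " + ",".join(test["flags"]))
    # Fail closed: a dropped, added or duplicated tcId changes the unique count.
    if len(seen) != doc["numberOfTests"]:
        raise ValueError(f"expected {doc['numberOfTests']} tests, got {len(seen)}")
    return "\n".join(lines) + "\n"
```

Calling `convert(sample())` returns the converted text; the count check is what keeps a converter bug from silently shrinking the set of negative vectors that the tests exercise.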
sgmenda added a commit that referenced this pull request Jan 7, 2026
…2887)

### Issues:

Migrating Wycheproof test vectors to the new `third_party/vectors/`
system introduced in #2811 and extended in #2839, enabling systematic
tracking and traceability.

### Description of changes: 

Migrates 30 test vector files to the new vector system:
- 10 ECDSA test files (secp224r1, secp256r1, secp384r1, secp521r1,
secp256k1 with SHA-224, SHA-256, SHA-384, SHA-512)
- 4 DSA test files (2048-bit and 3072-bit keys with SHA-224, SHA-256)
- 1 EdDSA test file (Ed25519)
- 12 RSA PKCS#1 signature verification test files (2048, 3072, 4096,
8192-bit keys with SHA-224, SHA-256, SHA-384, SHA-512)
- 5 RSA PKCS#1 signature generation test files (1024, 1536, 2048, 3072,
4096-bit keys including weak key sizes)
- 3 RSA PKCS#1 v1.5 decryption test files (2048, 3072, 4096-bit keys)

Each migration adds upstream JSON vectors and converted txt files to
`third_party/vectors/`, updates test files with new paths and duvet
annotations for traceability, and removes old files from
`third_party/wycheproof_testvectors/`.

### Call-outs:

- Previous `rsa_signature_test.txt` superseded by
`rsa_signature_*_sha*_test.txt` files with explicit key sizes
- Previous `rsa_sig_gen_misc_test.txt` superseded by
`rsa_pkcs1_*_sig_gen_test.txt` files with explicit key sizes
- Remaining test vectors will be migrated in follow-up PRs

### Testing:

All migrated tests pass and duvet verification succeeds:
```bash
cd build && ./crypto/crypto_test
cd third_party/vectors && python3 sync.py
```

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.