Skip to content

Migrate Wycheproof test vectors for HMAC, HKDF, AEAD, and AES#2998

Draft
sgmenda wants to merge 13 commits intoaws:mainfrom
sgmenda:even-more-wycheproof
Draft

Migrate Wycheproof test vectors for HMAC, HKDF, AEAD, and AES#2998
sgmenda wants to merge 13 commits intoaws:mainfrom
sgmenda:even-more-wycheproof

Conversation

@sgmenda
Copy link
Contributor

@sgmenda sgmenda commented Feb 16, 2026

Issues:

Migrating more Wycheproof test vectors to the new third_party/vectors/ system (#2811, #2839), enabling systematic tracking and traceability.

Description of changes:

Migrates 23 test vector files to the new vector system:

  • 11 HMAC test files (SHA1, SHA224, SHA256, SHA384, SHA512, SHA512-224, SHA512-256, SHA3-224, SHA3-256, SHA3-384, SHA3-512)
  • 4 HKDF test files (SHA1, SHA256, SHA384, SHA512)
  • 3 AEAD test files (ChaCha20-Poly1305, XChaCha20-Poly1305, AES-GCM-SIV)
  • 5 AES Cipher test files (AES-CBC-PKCS5, AES-CCM, AES-WRAP, AES-KWP, AES-CMAC)

Each migration adds upstream JSON vectors and converted txt files to third_party/vectors/, updates test files with new paths and duvet annotations for traceability, and removes old files from third_party/wycheproof_testvectors/.

Call-outs:

Testing:

All migrated tests pass and duvet verification succeeds:

cd build && ./crypto/crypto_test
cd third_party/vectors && python3 sync.py

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

sgmenda added 12 commits February 13, 2026 10:29
@sgmenda
Add migration plan and clarify duvet annotation usage
5e5cd3c
@sgmenda
Update ML-DSA Wycheproof vectors and add mu verification
2063664
@sgmenda
Merge branch 'main' into more-wycheproof
033cb62
@sgmenda
update generated-src
6feeecc
@sgmenda
Add Wycheproof vectors migration plan
63a1617
@sgmenda
Fix sync.py --new flag to actually copy new files to upstream
beaae8b 
The update_sources() function was validating new files but never copying
them to the upstream directory. This meant --new would succeed but the
file wouldn't be added, causing subsequent operations to fail.

Added the missing shutil.copy2() call after validation to copy new files
from the cloned source repo to third_party/vectors/upstream/.

Tested with: ./sync.py --clone-dir .tmpdir --new wycheproof/testvectors_v1/hmac_sha1_test.json
@sgmenda
Migrate HMAC Wycheproof vectors to new system
1f1ca20 
Migrates all 11 HMAC test vectors from third_party/wycheproof_testvectors/
to the new third_party/vectors/ system with duvet traceability.

Changes:
- Added 11 HMAC vectors (SHA1, SHA224, SHA256, SHA384, SHA512, SHA512-224,
  SHA512-256, SHA3-224, SHA3-256, SHA3-384, SHA3-512) via sync.py
- Updated paths in crypto/hmac_extra/hmac_test.cc to point to new location
- Added duvet annotations to all 11 HMAC tests for traceability
- Updated sources.cmake to embed new test vector files
- Updated duvet snapshot and vectors_spec.md

All tests pass locally.
@sgmenda
Remove old HMAC vectors from wycheproof_testvectors
5059362 
Deletes the 22 old HMAC test vector files (11 JSON + 11 TXT) from
third_party/wycheproof_testvectors/ now that they've been migrated
to the new third_party/vectors/ system.
@sgmenda
Migrate HKDF Wycheproof vectors to new system
3f16fd3 
Migrates all 4 HKDF test vectors from third_party/wycheproof_testvectors/
to the new third_party/vectors/ system with duvet traceability.

Changes:
- Added 4 HKDF vectors (SHA1, SHA256, SHA384, SHA512) via sync.py
- Updated paths in crypto/fipsmodule/hkdf/hkdf_test.cc to point to new location
- Added duvet annotations to all 4 HKDF tests for traceability
- Updated sources.cmake to embed new test vector files
- Updated duvet snapshot and vectors_spec.md
- Removed old HKDF vectors from wycheproof_testvectors

All tests pass locally.
@sgmenda
Migrate HMAC, HKDF, AEAD, and AES Cipher Wycheproof test vectors to t…
4899c8c 
…hird_party/vectors/
@sgmenda
remove plan doc
3cae10a 
Signed-off-by: sanketh <sgmenda@amazon.com>
@sgmenda
Merge branch 'main' into even-more-wycheproof
3b38351
@sgmenda sgmenda self-assigned this Feb 16, 2026
@sgmenda sgmenda requested a review from a team as a code owner February 16, 2026 21:13
@sgmenda sgmenda marked this pull request as draft February 16, 2026 21:14
@sgmenda
Copy link
Contributor Author

sgmenda commented Feb 16, 2026

imma leave this as a draft till #2997 lands

@codecov-commenter
Copy link

codecov-commenter commented Feb 16, 2026

Codecov Report

❌ Patch coverage is 88.00000% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 78.31%. Comparing base (07818a9) to head (5f57ac1).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
crypto/evp_extra/p_pqdsa_test.cc 76.92% 3 Missing and 3 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2998      +/-   ##
==========================================
+ Coverage   78.30%   78.31%   +0.01%     
==========================================
  Files         689      689              
  Lines      120975   120985      +10     
  Branches    16965    16971       +6     
==========================================
+ Hits        94727    94752      +25     
+ Misses      25351    25336      -15     
  Partials      897      897

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@sgmenda sgmenda

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sgmenda @codecov-commenter