Skip to content

Migrate Wycheproof test vectors for HMAC, HKDF, AEAD, and AES#2998

Draft
sgmenda wants to merge 13 commits intoaws:mainfrom
sgmenda:even-more-wycheproof
Draft

Migrate Wycheproof test vectors for HMAC, HKDF, AEAD, and AES#2998
sgmenda wants to merge 13 commits intoaws:mainfrom
sgmenda:even-more-wycheproof

Conversation

@sgmenda
Copy link
Contributor

@sgmenda sgmenda commented Feb 16, 2026

Issues:

Migrating more Wycheproof test vectors to the new third_party/vectors/ system (#2811, #2839), enabling systematic tracking and traceability.

Description of changes:

Migrates 23 test vector files to the new vector system:

  • 11 HMAC test files (SHA1, SHA224, SHA256, SHA384, SHA512, SHA512-224, SHA512-256, SHA3-224, SHA3-256, SHA3-384, SHA3-512)
  • 4 HKDF test files (SHA1, SHA256, SHA384, SHA512)
  • 3 AEAD test files (ChaCha20-Poly1305, XChaCha20-Poly1305, AES-GCM-SIV)
  • 5 AES Cipher test files (AES-CBC-PKCS5, AES-CCM, AES-WRAP, AES-KWP, AES-CMAC)

Each migration adds upstream JSON vectors and converted txt files to third_party/vectors/, updates test files with new paths and duvet annotations for traceability, and removes old files from third_party/wycheproof_testvectors/.

Call-outs:

Testing:

All migrated tests pass and duvet verification succeeds:

cd build && ./crypto/crypto_test
cd third_party/vectors && python3 sync.py

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

The update_sources() function was validating new files but never copying
them to the upstream directory. This meant --new would succeed but the
file wouldn't be added, causing subsequent operations to fail.

Added the missing shutil.copy2() call after validation to copy new files
from the cloned source repo to third_party/vectors/upstream/.

Tested with: ./sync.py --clone-dir .tmpdir --new wycheproof/testvectors_v1/hmac_sha1_test.json
Migrates all 11 HMAC test vectors from third_party/wycheproof_testvectors/
to the new third_party/vectors/ system with duvet traceability.

Changes:
- Added 11 HMAC vectors (SHA1, SHA224, SHA256, SHA384, SHA512, SHA512-224,
  SHA512-256, SHA3-224, SHA3-256, SHA3-384, SHA3-512) via sync.py
- Updated paths in crypto/hmac_extra/hmac_test.cc to point to new location
- Added duvet annotations to all 11 HMAC tests for traceability
- Updated sources.cmake to embed new test vector files
- Updated duvet snapshot and vectors_spec.md

All tests pass locally.
Deletes the 22 old HMAC test vector files (11 JSON + 11 TXT) from
third_party/wycheproof_testvectors/ now that they've been migrated
to the new third_party/vectors/ system.
Migrates all 4 HKDF test vectors from third_party/wycheproof_testvectors/
to the new third_party/vectors/ system with duvet traceability.

Changes:
- Added 4 HKDF vectors (SHA1, SHA256, SHA384, SHA512) via sync.py
- Updated paths in crypto/fipsmodule/hkdf/hkdf_test.cc to point to new location
- Added duvet annotations to all 4 HKDF tests for traceability
- Updated sources.cmake to embed new test vector files
- Updated duvet snapshot and vectors_spec.md
- Removed old HKDF vectors from wycheproof_testvectors

All tests pass locally.
Signed-off-by: sanketh <sgmenda@amazon.com>
@sgmenda sgmenda self-assigned this Feb 16, 2026
@sgmenda sgmenda requested a review from a team as a code owner February 16, 2026 21:13
@sgmenda sgmenda marked this pull request as draft February 16, 2026 21:14
@sgmenda
Copy link
Contributor Author

sgmenda commented Feb 16, 2026

imma leave this as a draft till #2997 lands

@codecov-commenter
Copy link

Codecov Report

❌ Patch coverage is 88.00000% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 78.31%. Comparing base (07818a9) to head (5f57ac1).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
crypto/evp_extra/p_pqdsa_test.cc 76.92% 3 Missing and 3 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2998      +/-   ##
==========================================
+ Coverage   78.30%   78.31%   +0.01%     
==========================================
  Files         689      689              
  Lines      120975   120985      +10     
  Branches    16965    16971       +6     
==========================================
+ Hits        94727    94752      +25     
+ Misses      25351    25336      -15     
  Partials      897      897              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants