Add infrastructure for managing third-party test vectors #2811
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #2811 +/- ##
==========================================
- Coverage 78.24% 78.24% -0.01%
==========================================
Files 683 683
Lines 117187 117187
Branches 16476 16476
==========================================
- Hits 91694 91693 -1
- Misses 24609 24611 +2
+ Partials 884 883 -1 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
### Description of changes: I discovered this edge case when working with an older Ruby version. This discrepancy only exists in older versions since Ruby openssl migrated from using the `HMAC_CTX` APIs to use the `EVP` layer in 3.1: ruby/ruby@b91f62f. [`test_reset_keep_key`](https://github.com/ruby/ruby/blame/cf4a034d59913fb71a7dd1b052164984be4a3d14/test/openssl/test_hmac.rb#L37-L43) was failing since we were MACing the data twice. It turns out the call to `h1.reset` wasn't working properly and this was due to our implementation of `HMAC_Init_ex` not reinitializing the data input when only `HMAC_Update` had been called. According to the original function contract, `HMAC_Init_ex` should reinitialize the inputted data, but the computed key should still be preserved. This is a minor edge case due to how older versions of Ruby were consuming `HMAC_CTX`. [Their call](https://github.com/ruby/ruby/blob/ruby_2_7/ext/openssl/ossl_hmac.c#L167-L174) to `HMAC_Final` was called upon a copy of the original `HMAC_CTX`. The original `HMAC_CTX` was always within a `HMAC_Update` state and AWS-LC was not properly reinitializing these cases. ### Call-outs: N/A ### Testing: New tests By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
### Description of changes: Prepare release v1.64.0. ### What's Changed * Update max polyz value by @jakemas in aws#2787 * ECR Repositories for Android and Formal Verification Images by @skmcgrail in aws#2794 * Support more "openssl rsa" options by @justsmth in aws#2777 * Remove python codebuild patches by @WillChilds-Klein in aws#2793 * Additional options for "openssl c_client" by @justsmth in aws#2791 * GitHub-based Formal Verification Image Build by @skmcgrail in aws#2796 * Use C++11 atomics to update session stats by @justsmth in aws#2786 * Support "openssl dhparam" by @justsmth in aws#2790 * Add scrutinice pull permissions for aws-lc/amazonlinux repository by @skmcgrail in aws#2799 * Use GitHub-based Verification Images by @skmcgrail in aws#2798 * Remove dead code by @torben-hansen in aws#2797 * Rename snapsafe to VM UBE by @torben-hansen in aws#2800 * Bump MySQL version tag to 9.5.0 by @samuel40791765 in aws#2768 * Migrate to macos-15-intel by @samuel40791765 in aws#2802 * Use right compiler with ruby CI by @samuel40791765 in aws#2801 * Migrate analytics job to be GitHub triggered by @skmcgrail in aws#2779 * Support NetBSD by @justsmth in aws#2754 * Make poly_chknorm constant flow by @jakemas in aws#2788 * Rename fork to fork UBE by @torben-hansen in aws#2803 * Extend grv asan timeout for Golang to allow completion by @torben-hansen in aws#2805 By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
Contributor
Author
|
@torben-hansen thanks for the patient review, resolving now. |
torben-hansen
previously approved these changes
Nov 13, 2025
skmcgrail
reviewed
Nov 13, 2025
skmcgrail
approved these changes
Nov 14, 2025
torben-hansen
approved these changes
Nov 14, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issues:
N/A -- AWS-LC does not have a systematic way to track and sync cryptographic test vectors from external sources like Wycheproof.
Description of changes:
This PR adds
third_party/vectors/with:sync.py- python script to sync existing vectors and add new onessources.toml- straightforward config of upstream sourcesvectorslib/- utility functions (will host upcoming conversion logic)upstream/- unmodified upstream test vectors (always checked in for transparency)upstream/wycheproof/- initial import from Wycheproof includingLICENSEandaes_gcm_test.jsonCall-outs:
convert_sources()is a placeholder - will be implemented in the next PR--checkmode is documented but not yet implementedTesting:
Manually tested:
./sync.py --new wycheproof/testvectors_v1/aes_gcm_test.jsonsuccessfully adds new file./sync.pyverifies existing files are in sync with upstreamBy submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.