feat: Improvements to the message decryption process (#708)

See GHSA-r8cc-xhh9-rg65.

Author: alex-chew

CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## 2.2.0 -- 2021-05-27
+
+* Improvements to the message decryption process.
+
+  See <https://github.com/aws/aws-encryption-sdk-c/security/advisories/GHSA-r8cc-xhh9-rg65>
+
 ## 2.0.0 -- 2020-09-24
 
 * Updates to the AWS Encryption SDK. c43d706

CMakeLists.txt

@@ -50,7 +50,7 @@ set(PROJECT_NAME aws-encryption-sdk)
 
 # Version number of the SDK to be consumed by C code and Doxygen
 set(MAJOR 2)
-set(MINOR 0)
+set(MINOR 2)
 set(PATCH 0)
 
 # Compiler feature tests and feature flags

aws-encryption-sdk-cpp/CMakeLists.txt

@@ -84,6 +84,16 @@ if (AWS_ENC_SDK_END_TO_END_TESTS)
         )
     set_target_properties(t_commitment_known_answer PROPERTIES CXX_STANDARD 11 C_STANDARD 99)
     aws_add_test(commitment_known_answer ${VALGRIND} ${CMAKE_CURRENT_BINARY_DIR}/t_commitment_known_answer ${TEST_DATA}/commitment_known_answer_tests.json)
+
+    add_executable(t_max_encrypted_data_keys tests/integration/t_max_encrypted_data_keys.cpp)
+    target_link_libraries(t_max_encrypted_data_keys testlibcpp)
+    target_include_directories(t_max_encrypted_data_keys PUBLIC ${PROJECT_SOURCE_DIR}/tests/lib
+        ${PROJECT_SOURCE_DIR}/tests/unit
+        ${PROJECT_SOURCE_DIR}/tests/integration
+        $<INSTALL_INTERFACE:include>
+        )
+    set_target_properties(t_max_encrypted_data_keys PROPERTIES CXX_STANDARD 11 C_STANDARD 99)
+    aws_add_test(integration_max_edks ${VALGRIND} ${CMAKE_CURRENT_BINARY_DIR}/t_max_encrypted_data_keys)
 else()
     message(STATUS "End to end tests off")
 endif()

aws-encryption-sdk-cpp/tests/integration/t_commitment_known_answer.cpp

@@ -32,6 +32,7 @@
 #include <aws/cryptosdk/raw_aes_keyring.h>
 
 #include "edks_utils.h"
+#include "logutils.h"
 #include "test_crypto.h"
 #include "testutil.h"
 
@@ -49,67 +50,6 @@ const char *CLASS_CTAG = "Test KMS";
 const char *KEY_ARN_STR1        = "arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f";
 const char *KEY_ARN_STR1_REGION = Aws::Region::US_WEST_2;
 
-/*
- * These RAII-style logging classes will buffer log entries until .clear() is called on the LoggingRAII object.
- * If a test fails, RUN_TEST will return from main without calling clear, and the destructor on LoggingRAII will dump
- * the buffered log entries for the specific failed test to stderr before exiting.
- */
-namespace {
-class BufferedLogSystem : public Aws::Utils::Logging::FormattedLogSystem {
-   private:
-    std::mutex logMutex;
-    std::vector<Aws::String> buffer;
-
-   public:
-    void clear() {
-        std::lock_guard<std::mutex> guard(logMutex);
-
-        buffer.clear();
-    }
-
-    void dump() {
-        std::lock_guard<std::mutex> guard(logMutex);
-
-        for (auto &str : buffer) {
-            std::cerr << str;
-        }
-    }
-
-    void Flush() {}
-
-    BufferedLogSystem(Aws::Utils::Logging::LogLevel logLevel) : FormattedLogSystem(logLevel) {}
-
-   protected:
-    // Overrides FormattedLogSystem pure virtual function
-    virtual void ProcessFormattedStatement(Aws::String &&statement) {
-        std::lock_guard<std::mutex> guard(logMutex);
-
-        buffer.push_back(std::move(statement));
-    }
-};
-
-class LoggingRAII {
-    std::shared_ptr<BufferedLogSystem> logSystem;
-
-   public:
-    LoggingRAII() {
-        logSystem = Aws::MakeShared<BufferedLogSystem>("LoggingRAII", Aws::Utils::Logging::LogLevel::Info);
-
-        Aws::Utils::Logging::InitializeAWSLogging(logSystem);
-    }
-
-    void clear() {
-        logSystem->clear();
-    }
-
-    ~LoggingRAII() {
-        Aws::Utils::Logging::ShutdownAWSLogging();
-
-        logSystem->dump();
-    }
-};
-}  // namespace
-
 Aws::String run_single_test(aws_cryptosdk_keyring *kr, const JsonView &test) {
     auto pt_frames_obj  = test.GetObject("plaintext-frames");
     bool have_pt_frames = pt_frames_obj.IsListType();
@@ -228,7 +168,7 @@ AWS_STRING_FROM_LITERAL(PROVIDER_NAME, "ProviderName");
 AWS_STRING_FROM_LITERAL(KEY_ID, "KeyId");
 static uint8_t ZERO_KEY[32] = { 0 };
 
-bool known_answer_tests(LoggingRAII &logging, const char *filename) {
+bool known_answer_tests(Aws::Cryptosdk::Testing::LoggingRAII &logging, const char *filename) {
     std::fstream file(filename);
     JsonValue test_dataset(file);
     JsonView dataset_view = test_dataset.View();
@@ -276,7 +216,7 @@ int main(int argc, char **argv) {
     aws_common_library_init(aws_default_allocator());
     aws_cryptosdk_load_error_strings();
 
-    LoggingRAII logging;
+    Aws::Cryptosdk::Testing::LoggingRAII logging;
 
     SDKOptions options;
     Aws::InitAPI(options);

aws-encryption-sdk-cpp/tests/integration/t_integration_kms_keyring.cpp

@@ -21,6 +21,7 @@
 #include <aws/cryptosdk/enc_ctx.h>
 
 #include "edks_utils.h"
+#include "logutils.h"
 #include "test_crypto.h"
 #include "testutil.h"
 
@@ -603,71 +604,10 @@ int dataKeyDecrypt_discoveryFilterPartitionMismatch_returnErr() {
 
 // todo add more tests for grantTokens
 
-/*
- * These RAII-style logging classes will buffer log entries until .clear() is called on the LoggingRAII object.
- * If a test fails, RUN_TEST will return from main without calling clear, and the destructor on LoggingRAII will dump
- * the buffered log entries for the specific failed test to stderr before exiting.
- */
-namespace {
-class BufferedLogSystem : public Aws::Utils::Logging::FormattedLogSystem {
-   private:
-    std::mutex logMutex;
-    std::vector<Aws::String> buffer;
-
-   public:
-    void clear() {
-        std::lock_guard<std::mutex> guard(logMutex);
-
-        buffer.clear();
-    }
-
-    void dump() {
-        std::lock_guard<std::mutex> guard(logMutex);
-
-        for (auto &str : buffer) {
-            std::cerr << str;
-        }
-    }
-
-    void Flush() {}
-
-    BufferedLogSystem(Aws::Utils::Logging::LogLevel logLevel) : FormattedLogSystem(logLevel) {}
-
-   protected:
-    // Overrides FormattedLogSystem pure virtual function
-    virtual void ProcessFormattedStatement(Aws::String &&statement) {
-        std::lock_guard<std::mutex> guard(logMutex);
-
-        buffer.push_back(std::move(statement));
-    }
-};
-
-class LoggingRAII {
-    std::shared_ptr<BufferedLogSystem> logSystem;
-
-   public:
-    LoggingRAII() {
-        logSystem = Aws::MakeShared<BufferedLogSystem>("LoggingRAII", Aws::Utils::Logging::LogLevel::Trace);
-
-        Aws::Utils::Logging::InitializeAWSLogging(logSystem);
-    }
-
-    void clear() {
-        logSystem->clear();
-    }
-
-    ~LoggingRAII() {
-        Aws::Utils::Logging::ShutdownAWSLogging();
-
-        logSystem->dump();
-    }
-};
-}  // namespace
-
 int main() {
     aws_cryptosdk_load_error_strings();
 
-    LoggingRAII logging;
+    Aws::Cryptosdk::Testing::LoggingRAII logging;
 
     SDKOptions options;
     Aws::InitAPI(options);