feat: Improvements to the message decryption process (2.x) (#343)

See GHSA-x5h4-9gqw-942j
aws · May 27, 2021 · 863b04d · 863b04d
1 parent c42c483
commit 863b04d
Show file tree

Hide file tree

Showing 44 changed files with 669 additions and 327 deletions.
diff --git a/.gitmodules b/.gitmodules
@@ -1,3 +1,3 @@
 [submodule "test_vector_handlers/test/aws-crypto-tools-test-vector-framework"]
 	path = test_vector_handlers/test/aws-crypto-tools-test-vector-framework
-	url = https://github.com/awslabs/aws-crypto-tools-test-vector-framework.git
+	url = https://github.com/awslabs/private-aws-crypto-tools-test-vector-framework-staging.git
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -2,6 +2,15 @@
 Changelog
 *********
 
+2.2.0 -- 2021-05-27
+===================
+
+Features
+--------
+* Improvements to the message decryption process
+
+  See https://github.com/aws/aws-encryption-sdk-python/security/advisories/GHSA-x5h4-9gqw-942j.
+
 2.1.0 -- 2020-04-20
 ===================
 

diff --git a/buildspec.yml b/buildspec.yml
@@ -7,67 +7,42 @@ batch:
       buildspec: codebuild/py27/integ.yml
     - identifier: py27_examples
       buildspec: codebuild/py27/examples.yml
-    - identifier: py27_awses_1_7_1
-      buildspec: codebuild/py27/awses_1.7.1.yml
-    - identifier: py27_awses_2_0_0
-      buildspec: codebuild/py27/awses_2.0.0.yml
-    - identifier: py27_awses_latest
-      buildspec: codebuild/py27/awses_latest.yml
+    - identifier: py27_awses_local
+      buildspec: codebuild/py27/awses_local.yml
 
     - identifier: py35_integ
       buildspec: codebuild/py35/integ.yml
     - identifier: py35_examples
       buildspec: codebuild/py35/examples.yml
-    - identifier: py35_awses_1_7_1
-      buildspec: codebuild/py35/awses_1.7.1.yml
-    - identifier: py35_awses_2_0_0
-      buildspec: codebuild/py35/awses_2.0.0.yml
-    - identifier: py35_awses_latest
-      buildspec: codebuild/py35/awses_latest.yml
+    - identifier: py35_awses_local
+      buildspec: codebuild/py35/awses_local.yml
 
     - identifier: py36_integ
       buildspec: codebuild/py36/integ.yml
     - identifier: py36_examples
       buildspec: codebuild/py36/examples.yml
-    - identifier: py36_awses_1_7_1
-      buildspec: codebuild/py36/awses_1.7.1.yml
-    - identifier: py36_awses_2_0_0
-      buildspec: codebuild/py36/awses_2.0.0.yml
-    - identifier: py36_awses_latest
-      buildspec: codebuild/py36/awses_latest.yml
+    - identifier: py36_awses_local
+      buildspec: codebuild/py36/awses_local.yml
 
     - identifier: py37_integ
       buildspec: codebuild/py37/integ.yml
     - identifier: py37_examples
       buildspec: codebuild/py37/examples.yml
-    - identifier: py37_awses_1_7_1
-      buildspec: codebuild/py37/awses_1.7.1.yml
-    - identifier: py37_awses_2_0_0
-      buildspec: codebuild/py37/awses_2.0.0.yml
-    - identifier: py37_awses_latest
-      buildspec: codebuild/py37/awses_latest.yml
+    - identifier: py37_awses_local
+      buildspec: codebuild/py37/awses_local.yml
 
     - identifier: py38_integ
       buildspec: codebuild/py38/integ.yml
     - identifier: py38_examples
       buildspec: codebuild/py38/examples.yml
-    - identifier: py38_awses_1_7_1
-      buildspec: codebuild/py38/awses_1.7.1.yml
-    - identifier: py38_awses_2_0_0
-      buildspec: codebuild/py38/awses_2.0.0.yml
-    - identifier: py38_awses_latest
-      buildspec: codebuild/py38/awses_latest.yml
+    - identifier: py38_awses_local
+      buildspec: codebuild/py38/awses_local.yml
 
     - identifier: py39_integ
       buildspec: codebuild/py39/integ.yml
     - identifier: py39_examples
       buildspec: codebuild/py39/examples.yml
-    - identifier: py39_awses_1_7_1
-      buildspec: codebuild/py39/awses_1.7.1.yml
-    - identifier: py39_awses_2_0_0
-      buildspec: codebuild/py39/awses_2.0.0.yml
     - identifier: py39_awses_latest
-      buildspec: codebuild/py39/awses_latest.yml
 
     - identifier: code_coverage
       buildspec: codebuild/coverage/coverage.yml
diff --git a/codebuild/py27/awses_latest.yml b/codebuild/py27/awses_latest.yml
diff --git a/codebuild/py27/awses_1.7.1.yml → codebuild/py27/awses_local.yml b/codebuild/py27/awses_1.7.1.yml → codebuild/py27/awses_local.yml
@@ -2,7 +2,7 @@ version: 0.2
 
 env:
   variables:
-    TOXENV: "py27-awses_1.7.1"
+    TOXENV: "py27-awses_local"
     AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
       arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
     AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-

diff --git a/codebuild/py35/awses_1.7.1.yml b/codebuild/py35/awses_1.7.1.yml
diff --git a/codebuild/py35/awses_latest.yml b/codebuild/py35/awses_latest.yml
diff --git a/codebuild/py35/awses_2.0.0.yml → codebuild/py35/awses_local.yml b/codebuild/py35/awses_2.0.0.yml → codebuild/py35/awses_local.yml
@@ -2,7 +2,7 @@ version: 0.2
 
 env:
   variables:
-    TOXENV: "py35-awses_2.0.0"
+    TOXENV: "py35-awses_local"
     AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
       arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
     AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-

diff --git a/codebuild/py36/awses_1.7.1.yml b/codebuild/py36/awses_1.7.1.yml
diff --git a/codebuild/py36/awses_latest.yml b/codebuild/py36/awses_latest.yml
diff --git a/codebuild/py27/awses_2.0.0.yml → codebuild/py36/awses_local.yml b/codebuild/py27/awses_2.0.0.yml → codebuild/py36/awses_local.yml
@@ -2,7 +2,7 @@ version: 0.2
 
 env:
   variables:
-    TOXENV: "py27-awses_2.0.0"
+    TOXENV: "py36-awses_local"
     AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
       arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
     AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-

diff --git a/codebuild/py37/awses_1.7.1.yml b/codebuild/py37/awses_1.7.1.yml
diff --git a/codebuild/py37/awses_latest.yml b/codebuild/py37/awses_latest.yml
diff --git a/codebuild/py37/awses_2.0.0.yml → codebuild/py37/awses_local.yml b/codebuild/py37/awses_2.0.0.yml → codebuild/py37/awses_local.yml
@@ -2,7 +2,7 @@ version: 0.2
 
 env:
   variables:
-    TOXENV: "py37-awses_2.0.0"
+    TOXENV: "py37-awses_local"
     AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
       arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
     AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-

diff --git a/codebuild/py38/awses_1.7.1.yml b/codebuild/py38/awses_1.7.1.yml
diff --git a/codebuild/py38/awses_2.0.0.yml b/codebuild/py38/awses_2.0.0.yml
diff --git a/codebuild/py38/awses_latest.yml b/codebuild/py38/awses_latest.yml
diff --git a/codebuild/py36/awses_2.0.0.yml → codebuild/py38/awses_local.yml b/codebuild/py36/awses_2.0.0.yml → codebuild/py38/awses_local.yml
@@ -2,7 +2,7 @@ version: 0.2
 
 env:
   variables:
-    TOXENV: "py36-awses_2.0.0"
+    TOXENV: "py38-awses_local"
     AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID: >-
       arn:aws:kms:us-west-2:658956600833:key/b3537ef1-d8dc-4780-9f5a-55776cbb2f7f
     AWS_ENCRYPTION_SDK_PYTHON_INTEGRATION_TEST_AWS_KMS_KEY_ID_2: >-

diff --git a/examples/src/basic_file_encryption_with_multiple_providers.py b/examples/src/basic_file_encryption_with_multiple_providers.py
@@ -103,18 +103,18 @@ def cycle_file(key_arn, source_plaintext_filename, botocore_session=None):
                 ciphertext.write(chunk)
 
     # Decrypt the ciphertext with only the AWS KMS master key
+    # Buffer the data in memory before writing to disk to ensure the signature is verified first.
     with open(ciphertext_filename, "rb") as ciphertext, open(cycled_kms_plaintext_filename, "wb") as plaintext:
         with client.stream(
             source=ciphertext, mode="d", key_provider=aws_encryption_sdk.StrictAwsKmsMasterKeyProvider(**kms_kwargs)
         ) as kms_decryptor:
-            for chunk in kms_decryptor:
-                plaintext.write(chunk)
+            plaintext.write(kms_decryptor.read())
 
     # Decrypt the ciphertext with only the static master key
+    # Buffer the data in memory before writing to disk to ensure the signature is verified first.
     with open(ciphertext_filename, "rb") as ciphertext, open(cycled_static_plaintext_filename, "wb") as plaintext:
         with client.stream(source=ciphertext, mode="d", key_provider=static_master_key_provider) as static_decryptor:
-            for chunk in static_decryptor:
-                plaintext.write(chunk)
+            plaintext.write(static_decryptor.read())
 
     # Verify that the "cycled" (encrypted, then decrypted) plaintext is identical to the source plaintext
     assert filecmp.cmp(source_plaintext_filename, cycled_kms_plaintext_filename)