[webcrypto] Add decrypt() for AES-CBC.

content/renderer/webcrypto/webcrypto_impl_nss.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/renderer/webcrypto/webcrypto_impl.h"
 
 #include <cryptohi.h>
 #include <pk11pub.h>
 #include <sechash.h>
 
@@ skipping 66 matching lines @@
   if (new_size == buffer->byteLength())
     return;
 
   WebKit::WebArrayBuffer new_buffer =
       WebKit::WebArrayBuffer::create(new_size, 1);
   DCHECK(!new_buffer.isNull());
   memcpy(new_buffer.data(), buffer->data(), new_size);
   *buffer = new_buffer;
 }
 
-}  // namespace
-
-void WebCryptoImpl::Init() {
-  crypto::EnsureNSSInit();
-}
-
-bool WebCryptoImpl::EncryptInternal(
+bool AesCbcEncryptDecrypt(
+    CK_ATTRIBUTE_TYPE operation,
     const WebKit::WebCryptoAlgorithm& algorithm,
     const WebKit::WebCryptoKey& key,
     const unsigned char* data,
     unsigned data_size,
     WebKit::WebArrayBuffer* buffer) {
-  if (algorithm.id() != WebKit::WebCryptoAlgorithmIdAesCbc)
-    return false;
-
+  DCHECK_EQ(WebKit::WebCryptoAlgorithmIdAesCbc, algorithm.id());
   DCHECK_EQ(algorithm.id(), key.algorithm().id());
   DCHECK_EQ(WebKit::WebCryptoKeyTypeSecret, key.type());
+  DCHECK(operation == CKA_ENCRYPT || operation == CKA_DECRYPT);
 
   SymKeyHandle* sym_key = reinterpret_cast<SymKeyHandle*>(key.handle());
 
   const WebKit::WebCryptoAesCbcParams* params = algorithm.aesCbcParams();
   if (params->iv().size() != AES_BLOCK_SIZE)
     return false;
 
   SECItem iv_item;
   iv_item.type = siBuffer;
   iv_item.data = const_cast<unsigned char*>(params->iv().data());
   iv_item.len = params->iv().size();
 
   crypto::ScopedSECItem param(PK11_ParamFromIV(CKM_AES_CBC_PAD, &iv_item));
   if (!param)
     return false;
 
   crypto::ScopedPK11Context context(PK11_CreateContextBySymKey(
-      CKM_AES_CBC_PAD, CKA_ENCRYPT, sym_key->key(), param.get()));
+      CKM_AES_CBC_PAD, operation, sym_key->key(), param.get()));
 
   if (!context.get())
     return false;
 
   // Oddly PK11_CipherOp takes input and output lenths as "int" rather than
   // "unsigned". Do some checks now to avoid integer overflowing.
   if (data_size >= INT_MAX - AES_BLOCK_SIZE) {
     // TODO(eroman): Handle this by chunking the input fed into NSS. Right now
     // it doesn't make much difference since the one-shot API would end up
     // blowing out the memory and crashing anyway. However a newer version of
     // the spec allows for a sequence<CryptoData> so this will be relevant.
     return false;
   }
 
+  // PK11_CipherOp does an invalid memory access when given empty decryption
+  // input, or input which is not a multiple of the block size. See also
+  // https://bugzilla.mozilla.com/show_bug.cgi?id=921687.
+  if (operation == CKA_DECRYPT &&
+      (data_size == 0 || (data_size % AES_BLOCK_SIZE != 0))) {
+    return false;
+  }
+
+  // TODO(eroman): Refine the output buffer size. It can be computed exactly for
+  //               encryption, and can be smaller for decryption.
   unsigned output_max_len = data_size + AES_BLOCK_SIZE;
   CHECK_GT(output_max_len, data_size);
 
   *buffer = WebKit::WebArrayBuffer::create(output_max_len, 1);
 
   unsigned char* buffer_data = reinterpret_cast<unsigned char*>(buffer->data());
 
   int output_len;
   if (SECSuccess != PK11_CipherOp(context.get(),
                                   buffer_data,
                                   &output_len,
                                   buffer->byteLength(),
                                   data,
                                   data_size)) {
     return false;
   }
 
   unsigned int final_output_chunk_len;
   if (SECSuccess != PK11_DigestFinal(context.get(),
                                      buffer_data + output_len,
                                      &final_output_chunk_len,
                                      output_max_len - output_len)) {
     return false;
   }
 
   ShrinkBuffer(buffer, final_output_chunk_len + output_len);
   return true;
 }
 
+}  // namespace
+
+void WebCryptoImpl::Init() {
+  crypto::EnsureNSSInit();
+}
+
+bool WebCryptoImpl::EncryptInternal(
+    const WebKit::WebCryptoAlgorithm& algorithm,
+    const WebKit::WebCryptoKey& key,
+    const unsigned char* data,
+    unsigned data_size,
+    WebKit::WebArrayBuffer* buffer) {
+  if (algorithm.id() == WebKit::WebCryptoAlgorithmIdAesCbc) {
+    return AesCbcEncryptDecrypt(
+        CKA_ENCRYPT, algorithm, key, data, data_size, buffer);
+  }
+
+  return false;
+}
+
+bool WebCryptoImpl::DecryptInternal(
+    const WebKit::WebCryptoAlgorithm& algorithm,
+    const WebKit::WebCryptoKey& key,
+    const unsigned char* data,
+    unsigned data_size,
+    WebKit::WebArrayBuffer* buffer) {
+  if (algorithm.id() == WebKit::WebCryptoAlgorithmIdAesCbc) {
+    return AesCbcEncryptDecrypt(
+        CKA_DECRYPT, algorithm, key, data, data_size, buffer);
+  }
+
+  return false;
+}
+
 bool WebCryptoImpl::DigestInternal(
     const WebKit::WebCryptoAlgorithm& algorithm,
     const unsigned char* data,
     unsigned data_size,
     WebKit::WebArrayBuffer* buffer) {
   HASH_HashType hash_type = WebCryptoAlgorithmToNSSHashType(algorithm);
   if (hash_type == HASH_AlgNULL) {
     return false;
   }
 
@@ skipping 196 matching lines @@
       break;
     }
     default:
       return false;
   }
 
   return true;
 }
 
 }  // namespace content