[webcrypto] Implement AES-CTR using BoringSSL.

BUG=399084

Review URL: https://codereview.chromium.org/491763002

Cr-Commit-Position: refs/heads/master@{#292053}

content/child/webcrypto/algorithm_registry.cc

@@ -21,6 +21,7 @@ class AlgorithmRegistry {
       : sha_(CreatePlatformShaImplementation()),
         aes_gcm_(CreatePlatformAesGcmImplementation()),
         aes_cbc_(CreatePlatformAesCbcImplementation()),
+        aes_ctr_(CreatePlatformAesCtrImplementation()),
         aes_kw_(CreatePlatformAesKwImplementation()),
         hmac_(CreatePlatformHmacImplementation()),
         rsa_ssa_(CreatePlatformRsaSsaImplementation()),
@@ -40,6 +41,8 @@ class AlgorithmRegistry {
         return aes_gcm_.get();
       case blink::WebCryptoAlgorithmIdAesCbc:
         return aes_cbc_.get();
+      case blink::WebCryptoAlgorithmIdAesCtr:
+        return aes_ctr_.get();
       case blink::WebCryptoAlgorithmIdAesKw:
         return aes_kw_.get();
       case blink::WebCryptoAlgorithmIdHmac:
@@ -57,6 +60,7 @@ class AlgorithmRegistry {
   scoped_ptr<AlgorithmImplementation> sha_;
   scoped_ptr<AlgorithmImplementation> aes_gcm_;
   scoped_ptr<AlgorithmImplementation> aes_cbc_;
+  scoped_ptr<AlgorithmImplementation> aes_ctr_;
   scoped_ptr<AlgorithmImplementation> aes_kw_;
   scoped_ptr<AlgorithmImplementation> hmac_;
   scoped_ptr<AlgorithmImplementation> rsa_ssa_;

content/child/webcrypto/nss/util_nss.cc

@@ -6,6 +6,7 @@
 
 #include "base/lazy_instance.h"
 #include "content/child/webcrypto/crypto_data.h"
+#include "content/child/webcrypto/platform_crypto.h"
 #include "crypto/nss_util.h"
 #include "crypto/scoped_nss_types.h"
 
@@ -79,6 +80,11 @@ void PlatformInit() {
   crypto::EnsureNSSInit();
 }
 
+AlgorithmImplementation* CreatePlatformAesCtrImplementation() {
+  // TODO(eroman): http://crbug.com/399084
+  return NULL;
+}
+
 }  // namespace webcrypto
 
 }  // namespace content

content/child/webcrypto/openssl/aes_cbc_openssl.cc

@@ -11,6 +11,7 @@
 #include "content/child/webcrypto/crypto_data.h"
 #include "content/child/webcrypto/openssl/aes_key_openssl.h"
 #include "content/child/webcrypto/openssl/key_openssl.h"
+#include "content/child/webcrypto/openssl/util_openssl.h"
 #include "content/child/webcrypto/status.h"
 #include "content/child/webcrypto/webcrypto_util.h"
 #include "crypto/openssl_util.h"
@@ -35,10 +36,7 @@ const EVP_CIPHER* GetAESCipherByKeyLength(unsigned int key_length_bytes) {
   }
 }
 
-// OpenSSL constants for EVP_CipherInit_ex(), do not change
-enum CipherOperation { kDoDecrypt = 0, kDoEncrypt = 1 };
-
-Status AesCbcEncryptDecrypt(CipherOperation cipher_operation,
+Status AesCbcEncryptDecrypt(EncryptOrDecrypt cipher_operation,
                             const blink::WebCryptoAlgorithm& algorithm,
                             const blink::WebCryptoKey& key,
                             const CryptoData& data,
@@ -119,14 +117,14 @@ class AesCbcImplementation : public AesAlgorithm {
                          const blink::WebCryptoKey& key,
                          const CryptoData& data,
                          std::vector<uint8_t>* buffer) const OVERRIDE {
-    return AesCbcEncryptDecrypt(kDoEncrypt, algorithm, key, data, buffer);
+    return AesCbcEncryptDecrypt(ENCRYPT, algorithm, key, data, buffer);
   }
 
   virtual Status Decrypt(const blink::WebCryptoAlgorithm& algorithm,
                          const blink::WebCryptoKey& key,
                          const CryptoData& data,
                          std::vector<uint8_t>* buffer) const OVERRIDE {
-    return AesCbcEncryptDecrypt(kDoDecrypt, algorithm, key, data, buffer);
+    return AesCbcEncryptDecrypt(DECRYPT, algorithm, key, data, buffer);
   }
 };
 

content/child/webcrypto/openssl/aes_ctr_openssl.cc

+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <openssl/aes.h>
+#include <openssl/evp.h>
+
+#include "base/logging.h"
+#include "base/macros.h"
+#include "base/numerics/safe_math.h"
+#include "base/stl_util.h"
+#include "content/child/webcrypto/crypto_data.h"
+#include "content/child/webcrypto/openssl/aes_key_openssl.h"
+#include "content/child/webcrypto/openssl/key_openssl.h"
+#include "content/child/webcrypto/openssl/util_openssl.h"
+#include "content/child/webcrypto/status.h"
+#include "content/child/webcrypto/webcrypto_util.h"
+#include "crypto/openssl_util.h"
+#include "crypto/scoped_openssl_types.h"
+#include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h"
+
+namespace content {
+
+namespace webcrypto {
+
+namespace {
+
+const EVP_CIPHER* GetAESCipherByKeyLength(unsigned int key_length_bytes) {
+  // BoringSSL does not support 192-bit AES keys.
+  switch (key_length_bytes) {
+    case 16:
+      return EVP_aes_128_ctr();
+    case 32:
+      return EVP_aes_256_ctr();
+    default:
+      return NULL;
+  }
+}
+
+// Encrypts/decrypts given a 128-bit counter.
+//
+// |output| must be a pointer to a buffer which has a length of at least
+// |input.byte_length()|.
+Status AesCtrEncrypt128BitCounter(const EVP_CIPHER* cipher,
+                                  const CryptoData& raw_key,
+                                  const CryptoData& input,
+                                  const CryptoData& counter,
+                                  uint8_t* output) {
+  DCHECK(cipher);
+  DCHECK_EQ(16u, counter.byte_length());
+
+  crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE);
+  crypto::ScopedOpenSSL<EVP_CIPHER_CTX, EVP_CIPHER_CTX_free>::Type context(
+      EVP_CIPHER_CTX_new());
+
+  if (!context.get())
+    return Status::OperationError();
+
+  if (!EVP_CipherInit_ex(context.get(),
+                         cipher,
+                         NULL,
+                         raw_key.bytes(),
+                         counter.bytes(),
+                         ENCRYPT)) {
+    return Status::OperationError();
+  }
+
+  int output_len = 0;
+  if (!EVP_CipherUpdate(context.get(),
+                        output,
+                        &output_len,
+                        input.bytes(),
+                        input.byte_length())) {
+    return Status::OperationError();
+  }
+  int final_output_chunk_len = 0;
+  if (!EVP_CipherFinal_ex(
+          context.get(), output + output_len, &final_output_chunk_len)) {
+    return Status::OperationError();
+  }
+
+  output_len += final_output_chunk_len;
+  if (static_cast<unsigned int>(output_len) != input.byte_length())
+    return Status::ErrorUnexpected();
+
+  return Status::Success();
+}
+
+// Returns ceil(a/b), where a and b are integers.
+template <typename T>
+T CeilDiv(T a, T b) {
+  return a == 0 ? 0 : 1 + (a - 1) / b;
+}
+
+// Extracts the counter as a BIGNUM. The counter is the rightmost
+// "counter_length_bits" of the block, interpreted as a big-endian number.
+crypto::ScopedBIGNUM GetCounter(const CryptoData& counter_block,
+                                unsigned int counter_length_bits) {
+  unsigned int counter_length_remainder_bits = (counter_length_bits % 8);
+
+  // If the counter is a multiple of 8 bits then can call BN_bin2bn() directly.
+  if (counter_length_remainder_bits == 0) {
+    unsigned int byte_length = counter_length_bits / 8;
+    return crypto::ScopedBIGNUM(BN_bin2bn(
+        counter_block.bytes() + counter_block.byte_length() - byte_length,
+        byte_length,
+        NULL));
+  }
+
+  // Otherwise make a copy of the counter and zero out the topmost bits so
+  // BN_bin2bn() can be called with a byte stream.
+  unsigned int byte_length = CeilDiv(counter_length_bits, 8u);
+  std::vector<uint8_t> counter(
+      counter_block.bytes() + counter_block.byte_length() - byte_length,
+      counter_block.bytes() + counter_block.byte_length());
+  counter[0] &= ~(0xFF << counter_length_remainder_bits);
+
+  return crypto::ScopedBIGNUM(
+      BN_bin2bn(&counter.front(), counter.size(), NULL));
+}
+
+// Returns a counter block with the counter bits all set all zero.
+std::vector<uint8_t> BlockWithZeroedCounter(const CryptoData& counter_block,
+                                            unsigned int counter_length_bits) {
+  unsigned int counter_length_bytes = counter_length_bits / 8;
+  unsigned int counter_length_bits_remainder = counter_length_bits % 8;
+
+  std::vector<uint8_t> new_counter_block(
+      counter_block.bytes(),
+      counter_block.bytes() + counter_block.byte_length());
+
+  unsigned int index = new_counter_block.size() - counter_length_bytes;
+  memset(&new_counter_block.front() + index, 0, counter_length_bytes);
+
+  if (counter_length_bits_remainder) {
+    new_counter_block[index - 1] &= 0xFF << counter_length_bits_remainder;
+  }
+
+  return new_counter_block;
+}
+
+// This function does encryption/decryption for AES-CTR (encryption and
+// decryption are the same).
+//
+// BoringSSL's interface for AES-CTR differs from that of WebCrypto. In
+// WebCrypto the caller specifies a 16-byte counter block and designates how
+// many of the right-most X bits to use as a big-endian counter. Whereas in
+// BoringSSL the entire counter block is interpreted as a 128-bit counter.
+//
+// In AES-CTR, the counter block MUST be unique across all messages that are
+// encrypted/decrypted. WebCrypto expects that the counter can start at any
+// value, and is therefore permitted to wrap around to zero on overflow.
+//
+// Some care is taken to fail if the counter wraps back to an earlier value.
+// However this protection is only enforced during a *single* call to
+// encrypt/decrypt.
+Status AesCtrEncryptDecrypt(const blink::WebCryptoAlgorithm& algorithm,
+                            const blink::WebCryptoKey& key,
+                            const CryptoData& data,
+                            std::vector<uint8_t>* buffer) {
+  const blink::WebCryptoAesCtrParams* params = algorithm.aesCtrParams();
+  const std::vector<uint8_t>& raw_key =
+      SymKeyOpenSsl::Cast(key)->raw_key_data();
+
+  if (params->counter().size() != 16)
+    return Status::ErrorIncorrectSizeAesCtrCounter();
+
+  unsigned int counter_length_bits = params->lengthBits();
+  if (counter_length_bits < 1 || counter_length_bits > 128)
+    return Status::ErrorInvalidAesCtrCounterLength();
+
+  // The output of AES-CTR is the same size as the input. However BoringSSL
+  // expects buffer sizes as an "int".
+  base::CheckedNumeric<int> output_max_len = data.byte_length();
+  if (!output_max_len.IsValid())
+    return Status::ErrorDataTooLarge();
+
+  const EVP_CIPHER* const cipher = GetAESCipherByKeyLength(raw_key.size());
+  if (!cipher)
+    return Status::ErrorUnexpected();
+
+  const CryptoData counter_block(params->counter());
+  buffer->resize(output_max_len.ValueOrDie());
+
+  // The total number of possible counter values is pow(2, counter_length_bits)
+  crypto::ScopedBIGNUM num_counter_values(BN_new());
+  if (!BN_lshift(num_counter_values.get(), BN_value_one(), counter_length_bits))
+    return Status::ErrorUnexpected();
+
+  crypto::ScopedBIGNUM current_counter =
+      GetCounter(counter_block, counter_length_bits);
+
+  // The number of AES blocks needed for encryption/decryption. The counter is
+  // incremented this many times.
+  crypto::ScopedBIGNUM num_output_blocks(BN_new());
+  if (!BN_set_word(
+          num_output_blocks.get(),
+          CeilDiv(buffer->size(), static_cast<size_t>(AES_BLOCK_SIZE)))) {
+    return Status::ErrorUnexpected();
+  }
+
+  // If the counter is going to be incremented more times than there are counter
+  // values, fail. (Repeating values of the counter block is bad).
+  if (BN_cmp(num_output_blocks.get(), num_counter_values.get()) > 0)
+    return Status::ErrorAesCtrInputTooLongCounterRepeated();
+
+  // This is the number of blocks that can be successfully encrypted without
+  // overflowing the counter. Encrypting the subsequent block will need to
+  // reset the counter to zero.
+  crypto::ScopedBIGNUM num_blocks_until_reset(BN_new());
+
+  if (!BN_sub(num_blocks_until_reset.get(),
+              num_counter_values.get(),
+              current_counter.get())) {
+    return Status::ErrorUnexpected();
+  }
+
+  // If the counter can be incremented for the entire input without
+  // wrapping-around, do it as a single call into BoringSSL.
+  if (BN_cmp(num_blocks_until_reset.get(), num_output_blocks.get()) >= 0) {
+    return AesCtrEncrypt128BitCounter(cipher,
+                                      CryptoData(raw_key),
+                                      data,
+                                      counter_block,
+                                      vector_as_array(buffer));
+  }
+
+  // Otherwise the encryption needs to be done in 2 parts. The first part using
+  // the current counter_block, and the next part resetting the counter portion
+  // of the block to zero.
+
+  // This is guaranteed to fit in an "unsigned int" because input size in bytes
+  // fits in an "unsigned int".
+  BN_ULONG num_blocks_part1 = BN_get_word(num_blocks_until_reset.get());
+  BN_ULONG input_size_part1 = num_blocks_part1 * AES_BLOCK_SIZE;
+  DCHECK_LT(input_size_part1, data.byte_length());
+
+  // Encrypt the first part (before wrap-around).
+  Status status =
+      AesCtrEncrypt128BitCounter(cipher,
+                                 CryptoData(raw_key),
+                                 CryptoData(data.bytes(), input_size_part1),
+                                 counter_block,
+                                 vector_as_array(buffer));
+  if (status.IsError())
+    return status;
+
+  // Encrypt the second part (after wrap-around).
+  std::vector<uint8_t> counter_block_part2 =
+      BlockWithZeroedCounter(counter_block, counter_length_bits);
+
+  return AesCtrEncrypt128BitCounter(
+      cipher,
+      CryptoData(raw_key),
+      CryptoData(data.bytes() + input_size_part1,
+                 data.byte_length() - input_size_part1),
+      CryptoData(counter_block_part2),
+      vector_as_array(buffer) + input_size_part1);
+}
+
+class AesCtrImplementation : public AesAlgorithm {
+ public:
+  AesCtrImplementation() : AesAlgorithm("CTR") {}
+
+  virtual Status Encrypt(const blink::WebCryptoAlgorithm& algorithm,
+                         const blink::WebCryptoKey& key,
+                         const CryptoData& data,
+                         std::vector<uint8_t>* buffer) const OVERRIDE {
+    return AesCtrEncryptDecrypt(algorithm, key, data, buffer);
+  }
+
+  virtual Status Decrypt(const blink::WebCryptoAlgorithm& algorithm,
+                         const blink::WebCryptoKey& key,
+                         const CryptoData& data,
+                         std::vector<uint8_t>* buffer) const OVERRIDE {
+    return AesCtrEncryptDecrypt(algorithm, key, data, buffer);
+  }
+};
+
+}  // namespace
+
+AlgorithmImplementation* CreatePlatformAesCtrImplementation() {
+  return new AesCtrImplementation;
+}
+
+}  // namespace webcrypto
+
+}  // namespace content

content/child/webcrypto/openssl/util_openssl.h

@@ -19,7 +19,9 @@ namespace webcrypto {
 class CryptoData;
 class Status;
 
-enum EncryptOrDecrypt { ENCRYPT, DECRYPT };
+// The values of these constants correspond with the "enc" parameter of
+// EVP_CipherInit_ex(), do not change.
+enum EncryptOrDecrypt { DECRYPT=0, ENCRYPT=1 };
 
 const EVP_MD* GetDigest(blink::WebCryptoAlgorithmId id);
 

content/child/webcrypto/platform_crypto.h

@@ -25,6 +25,7 @@ scoped_ptr<blink::WebCryptoDigestor> CreatePlatformDigestor(
 
 AlgorithmImplementation* CreatePlatformShaImplementation();
 AlgorithmImplementation* CreatePlatformAesCbcImplementation();
+AlgorithmImplementation* CreatePlatformAesCtrImplementation();
 AlgorithmImplementation* CreatePlatformAesGcmImplementation();
 AlgorithmImplementation* CreatePlatformAesKwImplementation();
 AlgorithmImplementation* CreatePlatformHmacImplementation();

content/child/webcrypto/status.cc

@@ -150,6 +150,21 @@ Status Status::ErrorIncorrectSizeAesCbcIv() {
                 "The \"iv\" has an unexpected length -- must be 16 bytes");
 }
 
+Status Status::ErrorIncorrectSizeAesCtrCounter() {
+  return Status(blink::WebCryptoErrorTypeData,
+                "The \"counter\" has an unexpected length -- must be 16 bytes");
+}
+
+Status Status::ErrorInvalidAesCtrCounterLength() {
+  return Status(blink::WebCryptoErrorTypeData,
+                "The \"length\" property must be >= 1 and <= 128");
+}
+
+Status Status::ErrorAesCtrInputTooLongCounterRepeated() {
+  return Status(blink::WebCryptoErrorTypeData,
+                "The input is too large for the counter length.");
+}
+
 Status Status::ErrorDataTooLarge() {
   return Status(blink::WebCryptoErrorTypeData,
                 "The provided data is too large");

content/child/webcrypto/status.h

@@ -144,6 +144,18 @@ class CONTENT_EXPORT Status {
   // bytes.
   static Status ErrorIncorrectSizeAesCbcIv();
 
+  // When doing AES-CTR encryption/decryption, the "counter" parameter was not
+  // 16 bytes.
+  static Status ErrorIncorrectSizeAesCtrCounter();
+
+  // When doing AES-CTR encryption/decryption, the "length" parameter for the
+  // counter was out of range.
+  static Status ErrorInvalidAesCtrCounterLength();
+
+  // The input to encrypt/decrypt was too large. Based on the counter size, it
+  // would cause the counter to wraparound and repeat earlier values.
+  static Status ErrorAesCtrInputTooLongCounterRepeated();
+
   // The data provided to an encrypt/decrypt/sign/verify operation was too
   // large. This can either represent an internal limitation (for instance
   // representing buffer lengths as uints).

content/child/webcrypto/test/aes_ctr_unittest.cc

+// Copyright 2014 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "base/stl_util.h"
+#include "content/child/webcrypto/algorithm_dispatch.h"
+#include "content/child/webcrypto/crypto_data.h"
+#include "content/child/webcrypto/status.h"
+#include "content/child/webcrypto/test/test_helpers.h"
+#include "content/child/webcrypto/webcrypto_util.h"
+#include "third_party/WebKit/public/platform/WebCryptoAlgorithmParams.h"
+#include "third_party/WebKit/public/platform/WebCryptoKeyAlgorithm.h"
+
+namespace content {
+
+namespace webcrypto {
+
+namespace {
+
+bool SupportsAesCtr() {
+#if defined(USE_OPENSSL)
+  return true;
+#else
+  return false;
+#endif
+}
+
+// Creates an AES-CTR algorithm for encryption/decryption.
+blink::WebCryptoAlgorithm CreateAesCtrAlgorithm(
+    const std::vector<uint8_t>& counter,
+    uint8_t length_bits) {
+  return blink::WebCryptoAlgorithm::adoptParamsAndCreate(
+      blink::WebCryptoAlgorithmIdAesCtr,
+      new blink::WebCryptoAesCtrParams(
+          length_bits, vector_as_array(&counter), counter.size()));
+}
+
+TEST(WebCryptoAesCtrTest, EncryptDecryptKnownAnswer) {
+  if (!SupportsAesCtr()) {
+    LOG(WARNING) << "Skipping test because AES-CTR is not supported";
+    return;
+  }
+
+  scoped_ptr<base::ListValue> tests;
+  ASSERT_TRUE(ReadJsonTestFileToList("aes_ctr.json", &tests));
+
+  for (size_t test_index = 0; test_index < tests->GetSize(); ++test_index) {
+    SCOPED_TRACE(test_index);
+    base::DictionaryValue* test;
+    ASSERT_TRUE(tests->GetDictionary(test_index, &test));
+
+    std::vector<uint8_t> test_key = GetBytesFromHexString(test, "key");
+    std::vector<uint8_t> test_counter = GetBytesFromHexString(test, "counter");
+    int counter_length_bits = 0;
+    ASSERT_TRUE(test->GetInteger("length", &counter_length_bits));
+
+    std::vector<uint8_t> test_plain_text =
+        GetBytesFromHexString(test, "plain_text");
+    std::vector<uint8_t> test_cipher_text =
+        GetBytesFromHexString(test, "cipher_text");
+
+    blink::WebCryptoKey key = ImportSecretKeyFromRaw(
+        test_key,
+        CreateAlgorithm(blink::WebCryptoAlgorithmIdAesCtr),
+        blink::WebCryptoKeyUsageEncrypt | blink::WebCryptoKeyUsageDecrypt);
+
+    EXPECT_EQ(test_key.size() * 8, key.algorithm().aesParams()->lengthBits());
+
+    std::vector<uint8_t> output;
+
+    // Test encryption.
+    EXPECT_EQ(Status::Success(),
+              Encrypt(CreateAesCtrAlgorithm(test_counter, counter_length_bits),
+                      key,
+                      CryptoData(test_plain_text),
+                      &output));
+    EXPECT_BYTES_EQ(test_cipher_text, output);
+
+    // Test decryption.
+    EXPECT_EQ(Status::Success(),
+              Decrypt(CreateAesCtrAlgorithm(test_counter, counter_length_bits),
+                      key,
+                      CryptoData(test_cipher_text),
+                      &output));
+    EXPECT_BYTES_EQ(test_plain_text, output);
+  }
+}
+
+// The counter block must be exactly 16 bytes.
+TEST(WebCryptoAesCtrTest, InvalidCounterBlockLength) {
+  if (!SupportsAesCtr()) {
+    LOG(WARNING) << "Skipping test because AES-CTR is not supported";
+    return;
+  }
+
+  const unsigned int kBadCounterBlockLengthBytes[] = {0, 15, 17};
+
+  blink::WebCryptoKey key = ImportSecretKeyFromRaw(
+      std::vector<uint8>(16),  // 128-bit key of all zeros.
+      CreateAlgorithm(blink::WebCryptoAlgorithmIdAesCtr),
+      blink::WebCryptoKeyUsageEncrypt | blink::WebCryptoKeyUsageDecrypt);
+
+  std::vector<uint8_t> input(32);
+  std::vector<uint8_t> output;
+
+  for (size_t i = 0; i < arraysize(kBadCounterBlockLengthBytes); ++i) {
+    std::vector<uint8_t> bad_counter(kBadCounterBlockLengthBytes[i]);
+
+    EXPECT_EQ(Status::ErrorIncorrectSizeAesCtrCounter(),
+              Encrypt(CreateAesCtrAlgorithm(bad_counter, 128),
+                      key,
+                      CryptoData(input),
+                      &output));
+
+    EXPECT_EQ(Status::ErrorIncorrectSizeAesCtrCounter(),
+              Decrypt(CreateAesCtrAlgorithm(bad_counter, 128),
+                      key,
+                      CryptoData(input),
+                      &output));
+  }
+}
+
+// The counter length cannot be less than 1 or greater than 128.
+TEST(WebCryptoAesCtrTest, InvalidCounterLength) {
+  if (!SupportsAesCtr()) {
+    LOG(WARNING) << "Skipping test because AES-CTR is not supported";
+    return;
+  }
+
+  const uint8_t kBadCounterLengthBits[] = {0, 129};
+
+  blink::WebCryptoKey key = ImportSecretKeyFromRaw(
+      std::vector<uint8>(16),  // 128-bit key of all zeros.
+      CreateAlgorithm(blink::WebCryptoAlgorithmIdAesCtr),
+      blink::WebCryptoKeyUsageEncrypt | blink::WebCryptoKeyUsageDecrypt);
+
+  std::vector<uint8_t> counter(16);
+  std::vector<uint8_t> input(32);
+  std::vector<uint8_t> output;
+
+  for (size_t i = 0; i < arraysize(kBadCounterLengthBits); ++i) {
+    uint8_t bad_counter_length_bits = kBadCounterLengthBits[i];
+
+    EXPECT_EQ(Status::ErrorInvalidAesCtrCounterLength(),
+              Encrypt(CreateAesCtrAlgorithm(counter, bad_counter_length_bits),
+                      key,
+                      CryptoData(input),
+                      &output));
+
+    EXPECT_EQ(Status::ErrorInvalidAesCtrCounterLength(),
+              Decrypt(CreateAesCtrAlgorithm(counter, bad_counter_length_bits),
+                      key,
+                      CryptoData(input),
+                      &output));
+  }
+}
+
+// Tests wrap-around using a 4-bit counter.
+//
+// Wrap-around is allowed, however if the counter repeats itself an error should
+// be thrown.
+//
+// Using a 4-bit counter it is possible to encrypt 16 blocks. However the 17th
+// block would end up wrapping back to the starting value.
+TEST(WebCryptoAesCtrTest, OverflowAndRepeatCounter) {
+  if (!SupportsAesCtr()) {
+    LOG(WARNING) << "Skipping test because AES-CTR is not supported";
+    return;
+  }
+
+  const uint8_t kCounterLengthBits = 4;
+  const uint8_t kStartCounter[] = {0, 1, 15};
+
+  blink::WebCryptoKey key = ImportSecretKeyFromRaw(
+      std::vector<uint8>(16),  // 128-bit key of all zeros.
+      CreateAlgorithm(blink::WebCryptoAlgorithmIdAesCtr),
+      blink::WebCryptoKeyUsageEncrypt | blink::WebCryptoKeyUsageDecrypt);
+
+  std::vector<uint8_t> buffer(272);
+
+  // 16 and 17 AES blocks worth of data respectively (AES blocks are 16 bytes
+  // long).
+  CryptoData input_16(vector_as_array(&buffer), 256);
+  CryptoData input_17(vector_as_array(&buffer), 272);
+
+  std::vector<uint8_t> output;
+
+  for (size_t i = 0; i < arraysize(kStartCounter); ++i) {
+    std::vector<uint8_t> counter(16);
+    counter[15] = kStartCounter[i];
+
+    // Baseline test: Encrypting 16 blocks should work (don't bother to check
+    // output, the known answer tests already do that).
+    EXPECT_EQ(Status::Success(),
+              Encrypt(CreateAesCtrAlgorithm(counter, kCounterLengthBits),
+                      key,
+                      input_16,
+                      &output));
+
+    // Encrypting/Decrypting 17 however should fail.
+    EXPECT_EQ(Status::ErrorAesCtrInputTooLongCounterRepeated(),
+              Encrypt(CreateAesCtrAlgorithm(counter, kCounterLengthBits),
+                      key,
+                      input_17,
+                      &output));
+    EXPECT_EQ(Status::ErrorAesCtrInputTooLongCounterRepeated(),
+              Decrypt(CreateAesCtrAlgorithm(counter, kCounterLengthBits),
+                      key,
+                      input_17,
+                      &output));
+  }
+}
+
+}  // namespace
+
+}  // namespace webcrypto
+
+}  // namespace content

content/content_child.gypi

@@ -268,6 +268,7 @@
     ],
     'webcrypto_openssl_sources': [
       'child/webcrypto/openssl/aes_cbc_openssl.cc',
+      'child/webcrypto/openssl/aes_ctr_openssl.cc',
       'child/webcrypto/openssl/aes_gcm_openssl.cc',
       'child/webcrypto/openssl/aes_key_openssl.cc',
       'child/webcrypto/openssl/aes_key_openssl.h',

content/content_tests.gypi

@@ -642,9 +642,10 @@
         'child/touch_fling_gesture_curve_unittest.cc',
         'child/web_url_loader_impl_unittest.cc',
         'child/webcrypto/test/aes_cbc_unittest.cc',
+        'child/webcrypto/test/aes_ctr_unittest.cc',
         'child/webcrypto/test/aes_gcm_unittest.cc',
-        'child/webcrypto/test/status_unittest.cc',
         'child/webcrypto/test/aes_kw_unittest.cc',
+        'child/webcrypto/test/status_unittest.cc',
         'child/webcrypto/test/hmac_unittest.cc',
         'child/webcrypto/test/rsa_oaep_unittest.cc',
         'child/webcrypto/test/rsa_ssa_unittest.cc',

content/test/data/webcrypto/aes_ctr.json

+[
+  // From https://www.rfc-editor.org/rfc/rfc3686.txt
+  // Test Vector #3: Encrypting 36 octets using AES-CTR with 128-bit key
+  {
+    "key": "7691BE035E5020A8AC6E618529F9A0DC",
+    "plain_text": "000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F20212223",
+    "counter": "00E0017B27777F3F4A1786F000000001",
+    "length": 32,
+    "cipher_text": "C1CF48A89F2FFDD9CF4652E9EFDB72D74540A42BDE6D7836D59A5CEAAEF3105325B2072F"
+  },
+
+  // From https://www.rfc-editor.org/rfc/rfc3686.txt
+  // Test Vector #8: Encrypting 32 octets using AES-CTR with 256-bit key
+  {
+    "key": "F6D66D6BD52D59BB0796365879EFF886C66DD51A5B6A99744B50590C87A23884",
+    "plain_text": "000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F",
+    "counter": "00FAAC24C1585EF15A43D87500000001",
+    "length": 32,
+    "cipher_text": "F05E231B3894612C49EE000B804EB2A9B8306B508F839D6A5530831D9344AF1C"
+  },
+
+  // Empty plaintext, using a 256-bit key.
+  {
+    "key": "F6D66D6BD52D59BB0796365879EFF886C66DD51A5B6A99744B50590C87A23884",
+    "plain_text": "",
+    "counter": "00FAAC24C1585EF15A43D87500000001",
+    "length": 32,
+    "cipher_text": ""
+  },
+
+  // 32-bit counter wrap-around (manually constructed).
+  //
+  // Starts a 32-bit counter at 0xFFFFFFFF and encrypts 3 blocks worth of data.
+  // The counter will wrap around and take on values of 0 and 1.
+  {
+    "key": "F6D66D6BD52D59BB0796365879EFF886C66DD51A5B6A99744B50590C87A23884",
+    "plain_text": "F05E231B3894612C49EE000B804EB2A9B8306B508F839D6A5530831D9344AF1CC1CF48A89F2FFDD9CF4652E9EFDB72D7",
+    "counter": "00FAAC24C1585EF15A43D875FFFFFFFF",
+    "length": 32,
+    "cipher_text": "2E32E02FF9E69A1D6B78AC4308A67592C5DD5505589B79183D4189619A1467E4319069B0A3BE9AF28EA158E96398CE71"
+  },
+
+  // 1-bit counter wrap-around (manually constructed).
+  //
+  // Starts a 1-bit counter at 1 and encrypts 2 blocks worth of data.
+  {
+    "key": "7691BE035E5020A8AC6E618529F9A0DC",
+    "plain_text": "C05E231B3894612C49EE000B804EB2A6B8306B508F839D6A5530831D9344AF1C",
+    "counter": "00FAAC24C1585EF15A43D875000000FF",
+    "length": 1,
+    "cipher_text": "52334727723A84F4278FB319386CD7B5587DD8B2D9AA394D83EF8A826C4761AA"
+  },
+
+  // 4-bit counter wrap-around (manually constructed).
+  //
+  // Starts a 4-bit counter at 14 and encrypts 3 blocks worth of data.
+  {
+    "key": "7691BE035E5020A8AC6E618529F9A0DC",
+    "plain_text": "C05E231B3894612C49EE000B804EB2A6B8306B508F839D6A5530831D9344AF1C1415161718191A1B1C1D1E1F20212223",
+    "counter": "00FAAC24C1585EF15A43D8750000111E",
+    "length": 4,
+    "cipher_text": "5573894046DEF46162ED54966A22D8F0517B61A0CE7E657A5A5124A7F62AAE149A3C7856711C59D67F34F31374CF7A72"
+  },
+
+  // Same test as above, however the plaintext/ciphertext is not a multiple of block size.
+  {
+    "key": "7691BE035E5020A8AC6E618529F9A0DC",
+    "plain_text": "C05E231B3894612C49EE000B804EB2A6B8306B508F839D6A5530831D9344AF1C1415161718191A1B1C1D1E1F20",
+    "counter": "00FAAC24C1585EF15A43D8750000111E",
+    "length": 4,
+    "cipher_text": "5573894046DEF46162ED54966A22D8F0517B61A0CE7E657A5A5124A7F62AAE149A3C7856711C59D67F34F31374"
+  },
+
+  // 128-bit counter wrap-around (manually constructed).
+  {
+    "key": "7691BE035E5020A8AC6E618529F9A0DC",
+    "plain_text": "C05E231B3894612C49EE000B804EB2A6B8306B508F839D6A5530831D9344AF1C1415161718191A1B1C1D1E1F20212223",
+    "counter": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE",
+    "length": 128,
+    "cipher_text": "D2C49B275BC73814DC90ECE98959041C9A3481F2247E08B0AF5D8DE3F521C9DAF535B0A8156DF9D2370EE7328103C8AD"
+  }
+]