Blob Blame History Raw
From 2f61f102169e4d6652c9b82246353cd276366809 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Mon, 27 Jun 2022 11:14:50 +0900
Subject: [PATCH] cipher: limit plaintext length supplied to AES-GCM

According to SP800-38D 5.2.1.1, input data length of AES-GCM
encryption function must be less than or equal to 2^39-256 bits.

Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
 NEWS                                         |  3 +
 lib/accelerated/aarch64/aes-aarch64.h        | 15 ++++
 lib/accelerated/aarch64/aes-gcm-aarch64.c    |  9 +++
 lib/accelerated/x86/aes-gcm-padlock.c        | 29 ++++---
 lib/accelerated/x86/aes-gcm-x86-aesni.c      | 30 +++++---
 lib/accelerated/x86/aes-gcm-x86-pclmul-avx.c |  9 +++
 lib/accelerated/x86/aes-gcm-x86-pclmul.c     |  9 +++
 lib/accelerated/x86/aes-gcm-x86-ssse3.c      | 30 +++++---
 lib/accelerated/x86/aes-x86.h                | 15 ++++
 lib/nettle/cipher.c                          | 41 ++++++++++
 tests/slow/cipher-api-test.c                 | 79 ++++++++++++++++++++
 11 files changed, 240 insertions(+), 29 deletions(-)

diff --git a/lib/accelerated/aarch64/aes-aarch64.h b/lib/accelerated/aarch64/aes-aarch64.h
index 692d8620d7..0e64f4ed8d 100644
--- a/lib/accelerated/aarch64/aes-aarch64.h
+++ b/lib/accelerated/aarch64/aes-aarch64.h
@@ -20,6 +20,21 @@ typedef struct {
 	if (s != 16 && s != 24 && s != 32) \
 		return GNUTLS_E_INVALID_REQUEST
 
+#include <intprops.h>
+#define AES_GCM_ENCRYPT_MAX_BYTES ((1ULL << 36) - 32)
+static inline int
+record_aes_gcm_encrypt_size(size_t *counter, size_t size) {
+	size_t sum;
+
+	if (!INT_ADD_OK(*counter, size, &sum) ||
+	    sum > AES_GCM_ENCRYPT_MAX_BYTES) {
+		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+	}
+	*counter = sum;
+
+	return 0;
+}
+
 int aes_v8_set_encrypt_key(const unsigned char *userKey, int bits, AES_KEY *key);  
 int aes_v8_set_decrypt_key(const unsigned char *userKey, int bits, AES_KEY *key);
 void aes_v8_cbc_encrypt(const unsigned char *in, unsigned char *out,
diff --git a/lib/accelerated/aarch64/aes-gcm-aarch64.c b/lib/accelerated/aarch64/aes-gcm-aarch64.c
index 901bd9f60f..be1e69c784 100644
--- a/lib/accelerated/aarch64/aes-gcm-aarch64.c
+++ b/lib/accelerated/aarch64/aes-gcm-aarch64.c
@@ -62,6 +62,7 @@ struct aes_gcm_ctx {
 	struct gcm128_context gcm;
 	unsigned finished;
 	unsigned auth_finished;
+	size_t rekey_counter;
 };
 
 void gcm_init_v8(u128 Htable[16], const uint64_t Xi[2]);
@@ -116,6 +117,7 @@ aes_gcm_cipher_setkey(void *_ctx, const void *userkey, size_t keysize)
 	ctx->gcm.H.u[1] = bswap_64(ctx->gcm.H.u[1]);
 
 	gcm_init_v8(ctx->gcm.Htable, ctx->gcm.H.u);
+	ctx->rekey_counter = 0;
 
 	return 0;
 }
@@ -141,6 +143,7 @@ static int aes_gcm_setiv(void *_ctx, const void *iv, size_t iv_size)
 	ctx->gcm.Yi.c[GCM_BLOCK_SIZE - 1] = 2;
 	ctx->finished = 0;
 	ctx->auth_finished = 0;
+	ctx->rekey_counter = 0;
 	return 0;
 }
 
@@ -229,6 +232,7 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size,
 	int exp_blocks = blocks * GCM_BLOCK_SIZE;
 	int rest = src_size - (exp_blocks);
 	uint32_t counter;
+	int ret;
 
 	if (unlikely(ctx->finished))
 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
@@ -236,6 +240,11 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size,
 	if (unlikely(length < src_size))
 		return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
 
+	ret = record_aes_gcm_encrypt_size(&ctx->rekey_counter, src_size);
+	if (ret < 0) {
+		return gnutls_assert_val(ret);
+	}
+
 	if (blocks > 0) {
 		ctr32_encrypt_blocks(src, dst,
 				     blocks,
diff --git a/lib/accelerated/x86/aes-gcm-padlock.c b/lib/accelerated/x86/aes-gcm-padlock.c
index a9c7441d65..739883ab1b 100644
--- a/lib/accelerated/x86/aes-gcm-padlock.c
+++ b/lib/accelerated/x86/aes-gcm-padlock.c
@@ -43,7 +43,10 @@
  * Actually padlock doesn't include GCM mode. We just use
  * the ECB part of padlock and nettle for everything else.
  */
-struct gcm_padlock_aes_ctx GCM_CTX(struct padlock_ctx);
+struct gcm_padlock_aes_ctx {
+	struct GCM_CTX(struct padlock_ctx) inner;
+	size_t rekey_counter;
+};
 
 static void padlock_aes_encrypt(const void *_ctx,
 				size_t length, uint8_t * dst,
@@ -78,7 +81,7 @@ static void padlock_aes256_set_encrypt_key(struct padlock_ctx *_ctx,
 
 static void aes_gcm_deinit(void *_ctx)
 {
-	struct padlock_ctx *ctx = _ctx;
+	struct gcm_padlock_aes_ctx *ctx = _ctx;
 
 	zeroize_temp_key(ctx, sizeof(*ctx));
 	gnutls_free(ctx);
@@ -108,14 +111,15 @@ aes_gcm_cipher_setkey(void *_ctx, const void *key, size_t keysize)
 	struct gcm_padlock_aes_ctx *ctx = _ctx;
 
 	if (keysize == 16) {
-		GCM_SET_KEY(ctx, padlock_aes128_set_encrypt_key, padlock_aes_encrypt,
+		GCM_SET_KEY(&ctx->inner, padlock_aes128_set_encrypt_key, padlock_aes_encrypt,
 			    key);
 	} else if (keysize == 32) {
-		GCM_SET_KEY(ctx, padlock_aes256_set_encrypt_key, padlock_aes_encrypt,
+		GCM_SET_KEY(&ctx->inner, padlock_aes256_set_encrypt_key, padlock_aes_encrypt,
 			    key);
 	} else
 		return GNUTLS_E_INVALID_REQUEST;
 
+	ctx->rekey_counter = 0;
 	return 0;
 }
 
@@ -126,8 +130,9 @@ static int aes_gcm_setiv(void *_ctx, const void *iv, size_t iv_size)
 	if (iv_size != GCM_BLOCK_SIZE - 4)
 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 
-	GCM_SET_IV(ctx, iv_size, iv);
+	GCM_SET_IV(&ctx->inner, iv_size, iv);
 
+	ctx->rekey_counter = 0;
 	return 0;
 }
 
@@ -136,11 +141,17 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size,
 		void *dst, size_t length)
 {
 	struct gcm_padlock_aes_ctx *ctx = _ctx;
+	int ret;
 
 	if (unlikely(length < src_size))
 		return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
 
-	GCM_ENCRYPT(ctx, padlock_aes_encrypt, src_size, dst, src);
+	ret = record_aes_gcm_encrypt_size(&ctx->rekey_counter, src_size);
+	if (ret < 0) {
+		return gnutls_assert_val(ret);
+	}
+
+	GCM_ENCRYPT(&ctx->inner, padlock_aes_encrypt, src_size, dst, src);
 
 	return 0;
 }
@@ -154,7 +165,7 @@ aes_gcm_decrypt(void *_ctx, const void *src, size_t src_size,
 	if (unlikely(dst_size < src_size))
 		return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
 
-	GCM_DECRYPT(ctx, padlock_aes_encrypt, src_size, dst, src);
+	GCM_DECRYPT(&ctx->inner, padlock_aes_encrypt, src_size, dst, src);
 	return 0;
 }
 
@@ -162,7 +173,7 @@ static int aes_gcm_auth(void *_ctx, const void *src, size_t src_size)
 {
 	struct gcm_padlock_aes_ctx *ctx = _ctx;
 
-	GCM_UPDATE(ctx, src_size, src);
+	GCM_UPDATE(&ctx->inner, src_size, src);
 
 	return 0;
 }
@@ -171,7 +182,7 @@ static void aes_gcm_tag(void *_ctx, void *tag, size_t tagsize)
 {
 	struct gcm_padlock_aes_ctx *ctx = _ctx;
 
-	GCM_DIGEST(ctx, padlock_aes_encrypt, tagsize, tag);
+	GCM_DIGEST(&ctx->inner, padlock_aes_encrypt, tagsize, tag);
 }
 
 #include "aes-gcm-aead.h"
diff --git a/lib/accelerated/x86/aes-gcm-x86-aesni.c b/lib/accelerated/x86/aes-gcm-x86-aesni.c
index b0edaebfba..3be63ddd97 100644
--- a/lib/accelerated/x86/aes-gcm-x86-aesni.c
+++ b/lib/accelerated/x86/aes-gcm-x86-aesni.c
@@ -36,12 +36,14 @@
 #include <x86-common.h>
 #include <byteswap.h>
 #include <nettle/gcm.h>
-#include <aes-x86.h>
 
 /* GCM mode 
  * It is used when the CPU doesn't include the PCLMUL instructions.
  */
-struct gcm_x86_aes_ctx GCM_CTX(AES_KEY);
+struct gcm_x86_aes_ctx {
+	struct GCM_CTX(AES_KEY) inner;
+	size_t rekey_counter;
+};
 
 static void x86_aes_encrypt(const void *_ctx,
 				size_t length, uint8_t * dst,
@@ -101,17 +103,18 @@ aes_gcm_cipher_setkey(void *_ctx, const void *key, size_t length)
 	struct gcm_x86_aes_ctx *ctx = _ctx;
 
 	if (length == 16) {
-		GCM_SET_KEY(ctx, x86_aes128_set_encrypt_key, x86_aes_encrypt,
+		GCM_SET_KEY(&ctx->inner, x86_aes128_set_encrypt_key, x86_aes_encrypt,
 			    key);
 	} else if (length == 24) {
-		GCM_SET_KEY(ctx, x86_aes192_set_encrypt_key, x86_aes_encrypt,
+		GCM_SET_KEY(&ctx->inner, x86_aes192_set_encrypt_key, x86_aes_encrypt,
 			    key);
 	} else if (length == 32) {
-		GCM_SET_KEY(ctx, x86_aes256_set_encrypt_key, x86_aes_encrypt,
+		GCM_SET_KEY(&ctx->inner, x86_aes256_set_encrypt_key, x86_aes_encrypt,
 			    key);
 	} else
 		return GNUTLS_E_INVALID_REQUEST;
 
+	ctx->rekey_counter = 0;
 	return 0;
 }
 
@@ -122,8 +125,9 @@ static int aes_gcm_setiv(void *_ctx, const void *iv, size_t iv_size)
 	if (iv_size != GCM_BLOCK_SIZE - 4)
 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 
-	GCM_SET_IV(ctx, iv_size, iv);
+	GCM_SET_IV(&ctx->inner, iv_size, iv);
 
+	ctx->rekey_counter = 0;
 	return 0;
 }
 
@@ -132,11 +136,17 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size,
 		void *dst, size_t length)
 {
 	struct gcm_x86_aes_ctx *ctx = _ctx;
+	int ret;
 
 	if (unlikely(length < src_size))
 		return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
 
-	GCM_ENCRYPT(ctx, x86_aes_encrypt, src_size, dst, src);
+	ret = record_aes_gcm_encrypt_size(&ctx->rekey_counter, src_size);
+	if (ret < 0) {
+		return gnutls_assert_val(ret);
+	}
+
+	GCM_ENCRYPT(&ctx->inner, x86_aes_encrypt, src_size, dst, src);
 
 	return 0;
 }
@@ -150,7 +160,7 @@ aes_gcm_decrypt(void *_ctx, const void *src, size_t src_size,
 	if (unlikely(dst_size < src_size))
 		return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
 
-	GCM_DECRYPT(ctx, x86_aes_encrypt, src_size, dst, src);
+	GCM_DECRYPT(&ctx->inner, x86_aes_encrypt, src_size, dst, src);
 	return 0;
 }
 
@@ -158,7 +168,7 @@ static int aes_gcm_auth(void *_ctx, const void *src, size_t src_size)
 {
 	struct gcm_x86_aes_ctx *ctx = _ctx;
 
-	GCM_UPDATE(ctx, src_size, src);
+	GCM_UPDATE(&ctx->inner, src_size, src);
 
 	return 0;
 }
@@ -167,7 +177,7 @@ static void aes_gcm_tag(void *_ctx, void *tag, size_t tagsize)
 {
 	struct gcm_x86_aes_ctx *ctx = _ctx;
 
-	GCM_DIGEST(ctx, x86_aes_encrypt, tagsize, tag);
+	GCM_DIGEST(&ctx->inner, x86_aes_encrypt, tagsize, tag);
 }
 
 static void aes_gcm_deinit(void *_ctx)
diff --git a/lib/accelerated/x86/aes-gcm-x86-pclmul-avx.c b/lib/accelerated/x86/aes-gcm-x86-pclmul-avx.c
index 21aef94440..fbefe432f4 100644
--- a/lib/accelerated/x86/aes-gcm-x86-pclmul-avx.c
+++ b/lib/accelerated/x86/aes-gcm-x86-pclmul-avx.c
@@ -61,6 +61,7 @@ struct aes_gcm_ctx {
 	struct gcm128_context gcm;
 	unsigned finished;
 	unsigned auth_finished;
+	size_t rekey_counter;
 };
 
 void gcm_init_avx(u128 Htable[16], const uint64_t Xi[2]);
@@ -116,6 +117,7 @@ aes_gcm_cipher_setkey(void *_ctx, const void *userkey, size_t keysize)
 
 	gcm_init_avx(ctx->gcm.Htable, ctx->gcm.H.u);
 
+	ctx->rekey_counter = 0;
 	return 0;
 }
 
@@ -140,6 +142,7 @@ static int aes_gcm_setiv(void *_ctx, const void *iv, size_t iv_size)
 	ctx->gcm.Yi.c[GCM_BLOCK_SIZE - 1] = 2;
 	ctx->finished = 0;
 	ctx->auth_finished = 0;
+	ctx->rekey_counter = 0;
 	return 0;
 }
 
@@ -184,6 +187,7 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size,
 	int exp_blocks = blocks * GCM_BLOCK_SIZE;
 	int rest = src_size - (exp_blocks);
 	uint32_t counter;
+	int ret;
 
 	if (unlikely(ctx->finished))
 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
@@ -191,6 +195,11 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size,
 	if (unlikely(length < src_size))
 		return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
 
+	ret = record_aes_gcm_encrypt_size(&ctx->rekey_counter, src_size);
+	if (ret < 0) {
+		return gnutls_assert_val(ret);
+	}
+
 	if (blocks > 0) {
 		aesni_ctr32_encrypt_blocks(src, dst,
 					   blocks,
diff --git a/lib/accelerated/x86/aes-gcm-x86-pclmul.c b/lib/accelerated/x86/aes-gcm-x86-pclmul.c
index e6b4990cbf..5385acbb6b 100644
--- a/lib/accelerated/x86/aes-gcm-x86-pclmul.c
+++ b/lib/accelerated/x86/aes-gcm-x86-pclmul.c
@@ -60,6 +60,7 @@ struct aes_gcm_ctx {
 	struct gcm128_context gcm;
 	unsigned finished;
 	unsigned auth_finished;
+	size_t rekey_counter;
 };
 
 void gcm_init_clmul(u128 Htable[16], const uint64_t Xi[2]);
@@ -116,6 +117,7 @@ aes_gcm_cipher_setkey(void *_ctx, const void *userkey, size_t keysize)
 
 	gcm_init_clmul(ctx->gcm.Htable, ctx->gcm.H.u);
 
+	ctx->rekey_counter = 0;
 	return 0;
 }
 
@@ -140,6 +142,7 @@ static int aes_gcm_setiv(void *_ctx, const void *iv, size_t iv_size)
 	ctx->gcm.Yi.c[GCM_BLOCK_SIZE - 1] = 2;
 	ctx->finished = 0;
 	ctx->auth_finished = 0;
+	ctx->rekey_counter = 0;
 	return 0;
 }
 
@@ -184,6 +187,7 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size,
 	int exp_blocks = blocks * GCM_BLOCK_SIZE;
 	int rest = src_size - (exp_blocks);
 	uint32_t counter;
+	int ret;
 
 	if (unlikely(ctx->finished))
 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
@@ -191,6 +195,11 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size,
 	if (unlikely(length < src_size))
 		return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
 
+	ret = record_aes_gcm_encrypt_size(&ctx->rekey_counter, src_size);
+	if (ret < 0) {
+		return gnutls_assert_val(ret);
+	}
+
 	if (blocks > 0) {
 		aesni_ctr32_encrypt_blocks(src, dst,
 					   blocks,
diff --git a/lib/accelerated/x86/aes-gcm-x86-ssse3.c b/lib/accelerated/x86/aes-gcm-x86-ssse3.c
index 7a2ac50869..f074cb1096 100644
--- a/lib/accelerated/x86/aes-gcm-x86-ssse3.c
+++ b/lib/accelerated/x86/aes-gcm-x86-ssse3.c
@@ -36,13 +36,15 @@
 #include <x86-common.h>
 #include <byteswap.h>
 #include <nettle/gcm.h>
-#include <aes-x86.h>
 #include <assert.h>
 
 /* GCM mode 
  * It is used when the CPU doesn't include the PCLMUL instructions.
  */
-struct gcm_x86_aes_ctx GCM_CTX(AES_KEY);
+struct gcm_x86_aes_ctx {
+	struct GCM_CTX(AES_KEY) inner;
+	size_t rekey_counter;
+};
 
 static void x86_aes_encrypt(const void *_ctx,
 				size_t length, uint8_t * dst,
@@ -110,17 +112,18 @@ aes_gcm_cipher_setkey(void *_ctx, const void *key, size_t keysize)
 	struct gcm_x86_aes_ctx *ctx = _ctx;
 
 	if (keysize == 16) {
-		GCM_SET_KEY(ctx, x86_aes_128_set_encrypt_key, x86_aes_encrypt,
+		GCM_SET_KEY(&ctx->inner, x86_aes_128_set_encrypt_key, x86_aes_encrypt,
 			    key);
 	} else if (keysize == 24) {
-		GCM_SET_KEY(ctx, x86_aes_192_set_encrypt_key, x86_aes_encrypt,
+		GCM_SET_KEY(&ctx->inner, x86_aes_192_set_encrypt_key, x86_aes_encrypt,
 			    key);
 	} else if (keysize == 32) {
-		GCM_SET_KEY(ctx, x86_aes_256_set_encrypt_key, x86_aes_encrypt,
+		GCM_SET_KEY(&ctx->inner, x86_aes_256_set_encrypt_key, x86_aes_encrypt,
 			    key);
 	} else
 		return GNUTLS_E_INVALID_REQUEST;
 
+	ctx->rekey_counter = 0;
 	return 0;
 }
 
@@ -131,8 +134,9 @@ static int aes_gcm_setiv(void *_ctx, const void *iv, size_t iv_size)
 	if (iv_size != GCM_BLOCK_SIZE - 4)
 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 
-	GCM_SET_IV(ctx, iv_size, iv);
+	GCM_SET_IV(&ctx->inner, iv_size, iv);
 
+	ctx->rekey_counter = 0;
 	return 0;
 }
 
@@ -141,11 +145,17 @@ aes_gcm_encrypt(void *_ctx, const void *src, size_t src_size,
 		void *dst, size_t length)
 {
 	struct gcm_x86_aes_ctx *ctx = _ctx;
+	int ret;
 
 	if (unlikely(length < src_size))
 		return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
 
-	GCM_ENCRYPT(ctx, x86_aes_encrypt, src_size, dst, src);
+	ret = record_aes_gcm_encrypt_size(&ctx->rekey_counter, src_size);
+	if (ret < 0) {
+		return gnutls_assert_val(ret);
+	}
+
+	GCM_ENCRYPT(&ctx->inner, x86_aes_encrypt, src_size, dst, src);
 
 	return 0;
 }
@@ -159,7 +169,7 @@ aes_gcm_decrypt(void *_ctx, const void *src, size_t src_size,
 	if (unlikely(dst_size < src_size))
 		return gnutls_assert_val(GNUTLS_E_SHORT_MEMORY_BUFFER);
 
-	GCM_DECRYPT(ctx, x86_aes_encrypt, src_size, dst, src);
+	GCM_DECRYPT(&ctx->inner, x86_aes_encrypt, src_size, dst, src);
 	return 0;
 }
 
@@ -167,7 +177,7 @@ static int aes_gcm_auth(void *_ctx, const void *src, size_t src_size)
 {
 	struct gcm_x86_aes_ctx *ctx = _ctx;
 
-	GCM_UPDATE(ctx, src_size, src);
+	GCM_UPDATE(&ctx->inner, src_size, src);
 
 	return 0;
 }
@@ -176,7 +186,7 @@ static void aes_gcm_tag(void *_ctx, void *tag, size_t tagsize)
 {
 	struct gcm_x86_aes_ctx *ctx = _ctx;
 
-	GCM_DIGEST(ctx, x86_aes_encrypt, tagsize, tag);
+	GCM_DIGEST(&ctx->inner, x86_aes_encrypt, tagsize, tag);
 }
 
 static void aes_gcm_deinit(void *_ctx)
diff --git a/lib/accelerated/x86/aes-x86.h b/lib/accelerated/x86/aes-x86.h
index 023b5f7be6..349d3d5d9c 100644
--- a/lib/accelerated/x86/aes-x86.h
+++ b/lib/accelerated/x86/aes-x86.h
@@ -22,6 +22,21 @@ typedef struct {
 	if (s != 16 && s != 24 && s != 32) \
 		return GNUTLS_E_INVALID_REQUEST
 
+#include <intprops.h>
+#define AES_GCM_ENCRYPT_MAX_BYTES ((1ULL << 36) - 32)
+static inline int
+record_aes_gcm_encrypt_size(size_t *counter, size_t size) {
+	size_t sum;
+
+	if (!INT_ADD_OK(*counter, size, &sum) ||
+	    sum > AES_GCM_ENCRYPT_MAX_BYTES) {
+		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+	}
+	*counter = sum;
+
+	return 0;
+}
+
 void aesni_ecb_encrypt(const unsigned char *in, unsigned char *out,
 		       size_t len, const AES_KEY * key, int enc);
 
diff --git a/lib/nettle/cipher.c b/lib/nettle/cipher.c
index ab4c46d2d0..b41862d1ea 100644
--- a/lib/nettle/cipher.c
+++ b/lib/nettle/cipher.c
@@ -63,6 +63,7 @@
 #include <nettle/xts.h>
 #include <nettle/siv-cmac.h>
 #include <fips.h>
+#include <intprops.h>
 
 struct nettle_cipher_ctx;
 
@@ -120,8 +121,23 @@ struct nettle_cipher_ctx {
 	unsigned iv_size;
 
 	bool enc;
+	size_t rekey_counter;
 };
 
+#define AES_GCM_ENCRYPT_MAX_BYTES ((1ULL << 36) - 32)
+static inline int
+record_aes_gcm_encrypt_size(size_t *counter, size_t size) {
+	size_t sum;
+
+	if (!INT_ADD_OK(*counter, size, &sum) ||
+	    sum > AES_GCM_ENCRYPT_MAX_BYTES) {
+		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+	}
+	*counter = sum;
+
+	return 0;
+}
+
 static void
 _stream_encrypt(struct nettle_cipher_ctx *ctx, size_t length, uint8_t * dst,
 		const uint8_t * src)
@@ -1133,6 +1149,16 @@ wrap_nettle_cipher_setkey(void *_ctx, const void *key, size_t keysize)
 	else
 		ctx->cipher->set_decrypt_key(ctx->ctx_ptr, key);
 
+	switch (ctx->cipher->algo) {
+	case GNUTLS_CIPHER_AES_128_GCM:
+	case GNUTLS_CIPHER_AES_192_GCM:
+	case GNUTLS_CIPHER_AES_256_GCM:
+		ctx->rekey_counter = 0;
+		break;
+	default:
+		break;
+	}
+
 	return 0;
 }
 
@@ -1147,6 +1173,7 @@ wrap_nettle_cipher_setiv(void *_ctx, const void *iv, size_t iv_size)
 	case GNUTLS_CIPHER_AES_192_GCM:
 	case GNUTLS_CIPHER_AES_256_GCM:
 		FIPS_RULE(iv_size < GCM_IV_SIZE, GNUTLS_E_INVALID_REQUEST, "access to short GCM nonce size\n");
+		ctx->rekey_counter = 0;
 		break;
 	case GNUTLS_CIPHER_SALSA20_256:
 	case GNUTLS_CIPHER_ESTREAM_SALSA20_256:
@@ -1207,10 +1234,24 @@ wrap_nettle_cipher_encrypt(void *_ctx, const void *plain, size_t plain_size,
 			   void *encr, size_t encr_size)
 {
 	struct nettle_cipher_ctx *ctx = _ctx;
+	int ret;
 
 	if (unlikely(ctx->cipher->encrypt == NULL))
 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
 
+	switch (ctx->cipher->algo) {
+	case GNUTLS_CIPHER_AES_128_GCM:
+	case GNUTLS_CIPHER_AES_192_GCM:
+	case GNUTLS_CIPHER_AES_256_GCM:
+		ret = record_aes_gcm_encrypt_size(&ctx->rekey_counter, plain_size);
+		if (ret < 0) {
+			return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+		}
+		break;
+	default:
+		break;
+	}
+
 	ctx->cipher->encrypt(ctx, plain_size, encr, plain);
 
 	return 0;
diff --git a/tests/slow/cipher-api-test.c b/tests/slow/cipher-api-test.c
index fc880bcc9f..1d267ce312 100644
--- a/tests/slow/cipher-api-test.c
+++ b/tests/slow/cipher-api-test.c
@@ -21,6 +21,7 @@
  */
 
 #include <config.h>
+#include <limits.h>
 #include <stdint.h>
 #include <stdio.h>
 #include <string.h>
@@ -48,6 +49,11 @@ int main(int argc, char **argv)
 #include <assert.h>
 #include <utils.h>
 
+#define AES_GCM_ENCRYPT_PLAINTEXT_MAX ((1ULL << 36) - 32)
+#if SIZE_MAX >= AES_GCM_ENCRYPT_PLAINTEXT_MAX
+#define TEST_AES_GCM_ENCRYPT_PLAINTEXT_SIZE 1
+#endif
+
 static void tls_log_func(int level, const char *str)
 {
 	fprintf(stderr, "<%d>| %s", level, str);
@@ -401,6 +407,74 @@ static void test_aead_invalid_short_decrypt(int algo)
 	return;
 }
 
+#ifdef TEST_AES_GCM_ENCRYPT_PLAINTEXT_SIZE
+/* Test whether an invalid call to gnutls_cipher_encrypt() with too
+ * long message is caught */
+static void test_aead_invalid_too_long_encrypt(int algo)
+{
+	int ret;
+	gnutls_cipher_hd_t ch;
+	uint8_t key16[64];
+	uint8_t iv16[32];
+	uint8_t data[128];
+	gnutls_datum_t key, iv;
+
+	if (algo != GNUTLS_CIPHER_AES_128_GCM &&
+	    algo != GNUTLS_CIPHER_AES_192_GCM &&
+	    algo != GNUTLS_CIPHER_AES_256_GCM) {
+		return;
+	}
+
+	key.data = key16;
+	key.size = gnutls_cipher_get_key_size(algo);
+	assert(key.size <= sizeof(key16));
+
+	iv.data = iv16;
+	iv.size = gnutls_cipher_get_iv_size(algo);
+	assert(iv.size <= sizeof(iv16));
+
+	memset(iv.data, 0xff, iv.size);
+	memset(key.data, 0xfe, key.size);
+	memset(data, 0xfa, sizeof(data));
+
+	gnutls_global_set_log_function(tls_log_func);
+	if (debug)
+		gnutls_global_set_log_level(4711);
+
+	ret = global_init();
+	if (ret < 0) {
+		fail("Cannot initialize library\n"); /*errcode 1 */
+	}
+
+	ret = gnutls_cipher_init(&ch, algo, &key, &iv);
+	if (ret < 0)
+		fail("gnutls_cipher_init failed\n"); /*errcode 1 */
+
+	/* Test exceeding AES-GCM plaintext limit */
+	ret = gnutls_cipher_encrypt(ch, data, sizeof(data));
+	if (ret < 0)
+		fail("could not encrypt data\n");
+
+	/* A few blocks larger than AES_GCM_ENCRYPT_PLAINTEXT_MAX combined with
+	 * the previous call.  Use NULL for PLAINTEXT so the access to the first
+	 * block always results in page fault (in case the limit is not
+	 * enforced).
+	 */
+	ret = gnutls_cipher_encrypt(ch, NULL, AES_GCM_ENCRYPT_PLAINTEXT_MAX);
+	if (ret >= 0)
+		fail("succeeded in encrypting too long data\n");
+	if (ret != GNUTLS_E_INVALID_REQUEST)
+		fail("wrong kind of error on encrypting too long data,"
+		     "%s instead of GNUTLS_E_INVALID_REQUEST\n",
+		     gnutls_strerror_name(ret));
+
+	gnutls_cipher_deinit(ch);
+
+	gnutls_global_deinit();
+	return;
+}
+#endif
+
 static void check_status(int status)
 {
 	if (WEXITSTATUS(status) != 0 ||
@@ -464,6 +538,11 @@ void start(const char *name, int algo, unsigned aead)
 
 		success("trying %s: test_aead_invalid_short_decrypt\n", name);
 		fork_subtest(test_aead_invalid_short_decrypt, algo);
+
+#if TEST_AES_GCM_ENCRYPT_PLAINTEXT_SIZE
+		success("trying %s: test_aead_invalid_too_long_encrypt\n", name);
+		fork_subtest(test_aead_invalid_too_long_encrypt, algo);
+#endif
 	}
 }
 
-- 
2.37.1