author | NIIBE Yutaka <gniibe@fsij.org> | 2022-09-27 13:26:16 +0900 |
---|---|---|
committer | NIIBE Yutaka <gniibe@fsij.org> | 2022-10-04 14:04:56 +0900 |
commit | d09d3d33c79daa2f8d385dfedf3f20ad205b0fba (patch) | |
tree | 3161f773b87079dee00ac6a447e499209ed60f93 | |
parent | 44812a1d96fc003e6e0d01270c514b91e295d300 (diff) | |
download | libgcrypt-d09d3d33c79daa2f8d385dfedf3f20ad205b0fba.tar.gz |
kdf:pkdf2: Require longer input when FIPS mode.
* cipher/kdf.c (_gcry_kdf_pkdf2): Add length check.
--
Cherry-pick master commit of:
857e6f467d0fc9fd858a73d84122695425970075
GnuPG-bug-id: 6039
Fixes-commit: ab5aef9b7b6ef757eff7bea4a17ade0ce3d3191b
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
-rw-r--r-- | cipher/kdf.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/cipher/kdf.c b/cipher/kdf.c index 377ea7b7..3e4ebea0 100644 --- a/cipher/kdf.c +++ b/cipher/kdf.c @@ -160,6 +160,9 @@ _gcry_kdf_pkdf2 (const void *passphrase, size_t passphraselen, return GPG_ERR_INV_VALUE; #endif + /* HMAC requires longer input for approved use case. */ + if (fips_mode () && passphraselen < 14) + return GPG_ERR_INV_VALUE; /* Step 2 */ l = ((dklen - 1)/ hlen) + 1; |
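Review bot: The literal 14 in `if (fips_mode () && passphraselen < 14)` is a magic number, and the comment above it gives neither the unit nor the origin of the bound. passphraselen is a size_t byte count, so 14 bytes is 112 bits; saying so in the comment (for example "HMAC key must be at least 112 bits (14 bytes) in FIPS mode") or using a named constant would make the check auditable. The new return also reuses GPG_ERR_INV_VALUE, the same code returned just before the `#endif`, so a caller cannot distinguish a too-short passphrase from the other rejected parameters. The FIPS-only restriction should be stated in the function's documentation so callers know short passphrases fail only in that mode.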