author | NIIBE Yutaka <gniibe@fsij.org> | 2022-09-27 13:26:16 +0900 |
---|---|---|
committer | NIIBE Yutaka <gniibe@fsij.org> | 2022-09-27 13:26:16 +0900 |
commit | 857e6f467d0fc9fd858a73d84122695425970075 (patch) | |
tree | d9f45e764799a20db34d8e293ea3d98c2bb03919 /cipher/kdf.c | |
parent | c20022ffd4ad2cea51928a109dfa102d711d30ac (diff) | |
download | libgcrypt-857e6f467d0fc9fd858a73d84122695425970075.tar.gz |
kdf:pkdf2: Require longer input when FIPS mode.
* cipher/kdf.c (_gcry_kdf_pkdf2): Add length check.
--
GnuPG-bug-id: 6039
Fixes-commit: 58c92098d053aae7c78cc42bdd7c80c13efc89bb
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Diffstat (limited to 'cipher/kdf.c')
-rw-r--r-- | cipher/kdf.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/cipher/kdf.c b/cipher/kdf.c index 3e51e115..81523320 100644 --- a/cipher/kdf.c +++ b/cipher/kdf.c @@ -160,6 +160,9 @@ _gcry_kdf_pkdf2 (const void *passphrase, size_t passphraselen, return GPG_ERR_INV_VALUE; #endif + /* HMAC requires longer input for approved use case. */ + if (fips_mode () && passphraselen < 14) + return GPG_ERR_INV_VALUE; /* Step 2 */ l = ((dklen - 1)/ hlen) + 1; |
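Review bot: The literal 14 in the added `passphraselen < 14` check is a magic number, and the comment above it ("HMAC requires longer input for approved use case") does not say where the threshold comes from or that it is counted in bytes (14 bytes is 112 bits). A named constant plus a comment naming the requirement being enforced would make the limit auditable later. The new check also returns GPG_ERR_INV_VALUE, the same code returned just before the `#endif` above it, so a caller cannot distinguish a too-short passphrase in FIPS mode from any other invalid argument. Since callers that pass short passphrases will now fail only when `fips_mode ()` is true, the restriction should be stated in the function's documentation, and a test covering both the 13-byte and 14-byte cases in FIPS mode would pin the boundary.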