kdf:pkdf2: Require longer input when FIPS mode.

* cipher/kdf.c (_gcry_kdf_pkdf2): Add length check. -- GnuPG-bug-id: 6039 Fixes-commit: 58c92098d053aae7c78cc42bdd7c80c13efc89bb Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
author: NIIBE Yutaka <gniibe@fsij.org> 2022-09-27 13:26:16 +0900
committer: NIIBE Yutaka <gniibe@fsij.org> 2022-09-27 13:26:16 +0900
commit: 857e6f467d0fc9fd858a73d84122695425970075 (patch)
tree: d9f45e764799a20db34d8e293ea3d98c2bb03919 /cipher/kdf.c
parent: c20022ffd4ad2cea51928a109dfa102d711d30ac (diff)
download: libgcrypt-857e6f467d0fc9fd858a73d84122695425970075.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/cipher/kdf.c b/cipher/kdf.c
index 3e51e115..81523320 100644
--- a/cipher/kdf.c
+++ b/cipher/kdf.c
@@ -160,6 +160,9 @@ _gcry_kdf_pkdf2 (const void *passphrase, size_t passphraselen,
     return GPG_ERR_INV_VALUE;
 #endif
 
+  /* HMAC requires longer input for approved use case.  */
+  if (fips_mode () && passphraselen < 14)
+    return GPG_ERR_INV_VALUE;
 
   /* Step 2 */
   l = ((dklen - 1)/ hlen) + 1;
author	NIIBE Yutaka <gniibe@fsij.org>	2022-09-27 13:26:16 +0900
committer	NIIBE Yutaka <gniibe@fsij.org>	2022-09-27 13:26:16 +0900
commit	857e6f467d0fc9fd858a73d84122695425970075 (patch)
tree	d9f45e764799a20db34d8e293ea3d98c2bb03919 /cipher/kdf.c
parent	c20022ffd4ad2cea51928a109dfa102d711d30ac (diff)
download	libgcrypt-857e6f467d0fc9fd858a73d84122695425970075.tar.gz