diff options
| -rw-r--r-- | cipher/kdf.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/cipher/kdf.c b/cipher/kdf.c index ff13e6e8..b13574f8 100644 --- a/cipher/kdf.c +++ b/cipher/kdf.c @@ -160,6 +160,18 @@ _gcry_kdf_pkdf2 (const void *passphrase, size_t passphraselen, return GPG_ERR_INV_VALUE; #endif + /* FIPS requires minimum passphrase length, see FIPS 140-3 IG D.N */ + if (fips_mode () && passphraselen < 8) + return GPG_ERR_INV_VALUE; + + /* FIPS requires minimum salt length of 128 b (SP 800-132 sec. 5.1, p.6) */ + if (fips_mode () && saltlen < 16) + return GPG_ERR_INV_VALUE; + + /* FIPS requires minimum iterations bound (SP 800-132 sec 5.2, p.6) */ + if (fips_mode () && iterations < 1000) + return GPG_ERR_INV_VALUE; + /* Check minimum key size */ if (fips_mode () && dklen < 14) return GPG_ERR_INV_VALUE; |