Index: libgcrypt-1.10.2/src/fips.c
===================================================================
--- libgcrypt-1.10.2.orig/src/fips.c
+++ libgcrypt-1.10.2/src/fips.c
@@ -520,10 +520,15 @@ int
 _gcry_fips_indicator_kdf (va_list arg_ptr)
 {
   enum gcry_kdf_algos alg = va_arg (arg_ptr, enum gcry_kdf_algos);
+  unsigned int keylen = 0;
 
   switch (alg)
     {
     case GCRY_KDF_PBKDF2:
+      keylen = va_arg (arg_ptr, unsigned int);
+      if (keylen < 112) {
+        return GPG_ERR_NOT_SUPPORTED;
+      }
       return GPG_ERR_NO_ERROR;
     default:
       return GPG_ERR_NOT_SUPPORTED;
Index: libgcrypt-1.10.2/doc/gcrypt.texi
===================================================================
--- libgcrypt-1.10.2.orig/doc/gcrypt.texi
+++ libgcrypt-1.10.2/doc/gcrypt.texi
@@ -970,12 +970,13 @@ is approved under the current FIPS 140-3
 combination is approved, this function returns @code{GPG_ERR_NO_ERROR}.
 Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
 
-@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos [, unsigned int]
 
 Check if the given KDF is approved under the current FIPS 140-3
-certification. If the KDF is approved, this function returns
-@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
-is returned.
+certification. The second parameter provides the keylength in bits.
+Keylength values of less that 112 bits are considered non-approved.
+If the KDF is approved, this function returns @code{GPG_ERR_NO_ERROR}.
+Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
 
 @item GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION; Arguments: const char *