Index: libgcrypt-1.10.0/src/fips.c
===================================================================
--- libgcrypt-1.10.0.orig/src/fips.c
+++ libgcrypt-1.10.0/src/fips.c
@@ -379,10 +379,15 @@ int
 _gcry_fips_indicator_kdf (va_list arg_ptr)
 {
   enum gcry_kdf_algos alg = va_arg (arg_ptr, enum gcry_kdf_algos);
+  unsigned int keylen = 0;
 
   switch (alg)
     {
     case GCRY_KDF_PBKDF2:
+      keylen = va_arg (arg_ptr, unsigned int);
+      if (keylen < 112) {
+        return GPG_ERR_NOT_SUPPORTED;
+      }
       return GPG_ERR_NO_ERROR;
     default:
       return GPG_ERR_NOT_SUPPORTED;
Index: libgcrypt-1.10.0/doc/gcrypt.texi
===================================================================
--- libgcrypt-1.10.0.orig/doc/gcrypt.texi
+++ libgcrypt-1.10.0/doc/gcrypt.texi
@@ -995,10 +995,12 @@ algorithm supports different key sizes).
 this function returns @code{GPS_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
 is returned.
 
-@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos
+@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos [, unsigned int]
 
 Check if the given KDF is approved under the current FIPS 140-3
-certification. If the KDF is approved, this function returns @code{GPG_ERR_NO_ERROR}.
+certification. The second parameter provides the keylength in bits.
+Keylength values of less that 112 bits are considered non-approved.
+If the KDF is approved, this function returns @code{GPG_ERR_NO_ERROR}.
 Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
 
 @item GCRYCTL_FIPS_SERVICE_INDICATOR_PK; Arguments: enum gcry_pk_algos