Index: libgcrypt-1.9.4/src/fips.c =================================================================== --- libgcrypt-1.9.4.orig/src/fips.c +++ libgcrypt-1.9.4/src/fips.c @@ -475,10 +475,15 @@ int _gcry_fips_indicator_kdf (va_list arg_ptr) { enum gcry_kdf_algos alg = va_arg (arg_ptr, enum gcry_kdf_algos); + unsigned int keylen = 0; switch (alg) { case GCRY_KDF_PBKDF2: + keylen = va_arg (arg_ptr, unsigned int); + if (keylen < 112) { + return GPG_ERR_NOT_SUPPORTED; + } return GPG_ERR_NO_ERROR; default: return GPG_ERR_NOT_SUPPORTED; Index: libgcrypt-1.9.4/doc/gcrypt.texi =================================================================== --- libgcrypt-1.9.4.orig/doc/gcrypt.texi +++ libgcrypt-1.9.4/doc/gcrypt.texi @@ -983,10 +983,12 @@ algorithm supports different key sizes). this function returns @code{GPS_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned. -@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos +@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos [, unsigned int] Check if the given KDF is approved under the current FIPS 140-3 -certification. If the KDF is approved, this function returns @code{GPG_ERR_NO_ERROR}. +certification. The second parameter provides the keylength in bits. +Keylength values of less that 112 bits are considered non-approved. +If the KDF is approved, this function returns @code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned. @item GCRYCTL_FIPS_SERVICE_INDICATOR_PK; Arguments: enum gcry_pk_algos