Home GnuPG

kdf:pkdf2: Require longer input when FIPS mode.

Description

kdf:pkdf2: Require longer input when FIPS mode.

* cipher/kdf.c (_gcry_kdf_pkdf2): Add length check.

Event Timeline

This causes ACVP tests to fail, so apparently the assumption that passphrases must be at least 14 bytes was incorrect. ACVP testing tests values larger than 8 bytes. I'll try to clarify whether that's a limit we need to enforce, or just what NIST wants to test. In any case, we will probably have to revert this.