From c0e2cdd3ce25dc17c899b0f5f7444ffc1c4fdf02 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Thu, 20 Oct 2022 16:55:18 +0200
Subject: [PATCH] Handle key length limits also in the md API in FIPS Mode
Resolves: rhbz#2130275
---
libgcrypt-1.10.0-allow-short-salt.patch | 26 +++++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/libgcrypt-1.10.0-allow-short-salt.patch b/libgcrypt-1.10.0-allow-short-salt.patch
index 46054cf..6800cf6 100644
--- a/libgcrypt-1.10.0-allow-short-salt.patch
+++ b/libgcrypt-1.10.0-allow-short-salt.patch
@@ -48,4 +48,30 @@ index c98247d8..aee5bffb 100644 -- 2.37.1
+commit 02718ade6ab5eee38169c2102097166770a2456d
+Author: Jakub Jelen
+Date: Thu Oct 20 16:33:11 2022 +0200
+ visiblity: Check the HMAC key length in FIPS mode
+
+ ---
+ * src/visibility.c (gcry_md_setkey): Check the HMAC key length in FIPS
+ mode also in the md_ API.
+
+ Signed-off-by: Jakub Jelen
+
+diff --git a/src/visibility.c b/src/visibility.c
+index 150b197d..73db3dea 100644
+--- a/src/visibility.c
++++ b/src/visibility.c
+@@ -1357,6 +1357,10 @@ gcry_md_setkey (gcry_md_hd_t hd, const void *key, size_t keylen)
+ {
+ if (!fips_is_operational ())
+ return gpg_error (fips_not_operational ());
++
++ if (fips_mode () && keylen < 14)
++ return GPG_ERR_INV_VALUE;
++
+ return gpg_error (_gcry_md_setkey (hd, key, keylen));
+ }
+
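Review bot: The new early return in gcry_md_setkey hands back a bare `GPG_ERR_INV_VALUE`, while both neighbouring returns in the same function go through `gpg_error (...)`; to keep the returned error value consistent it should read `return gpg_error (GPG_ERR_INV_VALUE);`. The literal `14` also needs a comment or a named constant, for example `/* FIPS mode: reject HMAC keys shorter than 112 bits (14 bytes). */`, so the limit can be audited against the policy it enforces. The check runs for every handle passed to this function, so if gcry_md_setkey also serves keyed digests that are not HMAC (not visible in this hunk), confirm the limit is meant to apply to them as well.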