Avoid usage of invalid arguments size for PBKDF2

Related: rhbz#2137577

libgcrypt-1.10.0-fips-kdf.patch

@@ -85,3 +85,45 @@ index c0192d7b..716fb53e 100644
 -- 
 2.37.3
 
+From f4a861f3e5ae82f278284061e4829c03edf9c3a7 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Fri, 18 Nov 2022 09:49:50 +0900
+Subject: [PATCH] pkdf2: Add checks for FIPS.
+
+* cipher/kdf.c (_gcry_kdf_pkdf2): Require 8 chars passphrase for FIPS.
+Set bounds for salt length and iteration count in FIPS mode.
+
+--
+
+GnuPG-bug-id: 6039
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+ cipher/kdf.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/cipher/kdf.c b/cipher/kdf.c
+index d22584da..823c744e 100644
+--- a/cipher/kdf.c
++++ b/cipher/kdf.c
+@@ -160,6 +160,18 @@ _gcry_kdf_pkdf2 (const void *passphrase, size_t passphraselen,
+     return GPG_ERR_INV_VALUE;
+ #endif
+ 
++  /* FIPS requires minimum passphrase length, see FIPS 140-3 IG D.N */
++  if (fips_mode () && passphraselen < 8)
++    return GPG_ERR_INV_VALUE;
++
++  /* FIPS requires minimum salt length of 128 b (SP 800-132 sec. 5.1, p.6) */
++  if (fips_mode () && saltlen < 16)
++    return GPG_ERR_INV_VALUE;
++
++  /* FIPS requires minimum iterations bound (SP 800-132 sec 5.2, p.6) */
++  if (fips_mode () && iterations < 1000)
++    return GPG_ERR_INV_VALUE;
++
+   /* Check minimum key size */
+   if (fips_mode () && dklen < 14)
+     return GPG_ERR_INV_VALUE;
+-- 
+2.39.0
+

libgcrypt.spec

@@ -34,6 +34,7 @@ Patch9: libgcrypt-1.10.0-sha3-large.patch
 # https://dev.gnupg.org/T5919
 Patch10: libgcrypt-1.10.0-fips-keygen.patch
 # https://dev.gnupg.org/T6219
+# f4a861f3e5ae82f278284061e4829c03edf9c3a7
 Patch11: libgcrypt-1.10.0-fips-kdf.patch
 # c34c9e70055ee43e5ef257384fa15941f064e5a4
 # https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/merge_requests/13