Make the Nigori user salt key 128-bits to be FIPS compliant.

BUG=none
TEST=NigoriTest.*

Review URL: http://codereview.chromium.org/1697010

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@45816 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 4 insertions, 1 deletions

diff --git a/base/crypto/symmetric_key_mac.cc b/base/crypto/symmetric_key_mac.cc
index ba033a7..19c330d 100644
--- a/base/crypto/symmetric_key_mac.cc
+++ b/base/crypto/symmetric_key_mac.cc
@@ -23,8 +23,11 @@ CSSM_KEY_TYPE CheckKeyParams(base::SymmetricKey::Algorithm algorithm,
         << "Invalid key size " << key_size_in_bits << " bits";
     return CSSM_ALGID_AES;
   } else {
+    // FIPS 198 Section 3 requires a HMAC-SHA-1 derived keys to be at least
+    // (HMAC-SHA-1 output size / 2) to be compliant. Since the ouput size of
+    // HMAC-SHA-1 is 160 bits, we require at least 80 bits here.
     CHECK(algorithm == base::SymmetricKey::HMAC_SHA1);
-    CHECK(key_size_in_bits >= 64 && (key_size_in_bits % 8) == 0)
+    CHECK(key_size_in_bits >= 80 && (key_size_in_bits % 8) == 0)
         << "Invalid key size " << key_size_in_bits << " bits";
     return CSSM_ALGID_SHA1HMAC_LEGACY;
   }