Skip to content

Add SHA-384/SHA-512 support to Pkcs5HashPassword (PBKDF2)#266

Draft
Flickdm with Copilot wants to merge 2 commits into
mainfrom
copilot/pkcs5hashpassword-use-pbkdf2-sha512
Draft

Add SHA-384/SHA-512 support to Pkcs5HashPassword (PBKDF2)#266
Flickdm with Copilot wants to merge 2 commits into
mainfrom
copilot/pkcs5hashpassword-use-pbkdf2-sha512

Conversation

Copilot AI commented Jul 9, 2026

Copy link
Copy Markdown

Description

Pkcs5HashPassword (PBKDF2) only mapped SHA1_DIGEST_SIZE and SHA256_DIGEST_SIZE, so platforms could not select SHA-384/SHA-512 for password hashing. This blocks CNSA 2.0–aligned configurations. This change extends the digest-size switch in both BaseCryptLib backends to cover SHA-384 and SHA-512; iteration count is already a caller-supplied parameter.

  • OpensslPkg (CryptPkcs5Pbkdf2.c): map SHA384_DIGEST_SIZE → EVP_sha384(), SHA512_DIGEST_SIZE → EVP_sha512().
  • MbedTlsPkg (CryptPkcs5Pbkdf2.c): map SHA384_DIGEST_SIZE → MBEDTLS_MD_SHA384, SHA512_DIGEST_SIZE → MBEDTLS_MD_SHA512 (config already enables MBEDTLS_SHA384_C/MBEDTLS_SHA512_C).
  • Doc comments updated in both implementations and their *Null.c variants to list the newly supported digest sizes.
  switch (DigestSize) {
    case SHA1_DIGEST_SIZE:
      HashAlg = EVP_sha1 ();
      break;
    case SHA256_DIGEST_SIZE:
      HashAlg = EVP_sha256 ();
      break;
    case SHA384_DIGEST_SIZE:      // new
      HashAlg = EVP_sha384 ();
      break;
    case SHA512_DIGEST_SIZE:      // new
      HashAlg = EVP_sha512 ();
      break;
    default:
      return FALSE;
  }
  • Impacts functionality?
  • Impacts security?
  • Breaking change?
  • Includes tests?
  • Includes documentation?

How This Was Tested

CodeQL security scan and code review pass with no findings. No host-based unit test infrastructure exists for Pkcs5HashPassword in this repo, so no automated tests were added. Existing callers using SHA-1/SHA-256 are unaffected (additive switch cases only).

Integration Instructions

Callers wishing to use stronger hashes pass SHA384_DIGEST_SIZE or SHA512_DIGEST_SIZE as DigestSize with an appropriate IterationCount. Backwards compatibility (stored-hash migration) and any OS-facing capability reporting (e.g., ECIT) are platform responsibilities and out of scope here.

Copilot AI changed the title [WIP] Add PBKDF2-SHA512 support for password hashing Add SHA-384/SHA-512 support to Pkcs5HashPassword (PBKDF2) Jul 9, 2026
Copilot AI requested a review from Flickdm July 9, 2026 21:44
@mu-automation mu-automation Bot added impact:security Has a security impact type:documentation Improvements or additions to documentation labels Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

impact:security Has a security impact type:documentation Improvements or additions to documentation

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Pkcs5HashPassword ]: Use PBKDF2-SHA512 for password hashing

2 participants