RTEMS | cpukit/libcrypt: Add SHA3-512 Keccak Implementation and cpukit/telnetd/pty.c: Update comments for grammar and clarity. (!687)

Wayne Thornton (@wmthornton-dev) gitlab at rtems.org
Fri Aug 22 20:28:17 UTC 2025



Wayne Thornton created a merge request: https://gitlab.rtems.org/rtems/rtos/rtems/-/merge_requests/687

Project:Branches: wmthornton-dev/rtems:libcrypt-sha3-512 to rtems/rtos/rtems:main
Author:   Wayne Thornton




## Summary

cpukit/libcrypt: Add SHA3-512 Keccak Implementation

        - This commit introduces a full implementation of the SHA3-512 (Keccak) crypt-style password hashing function to the RTEMS libcrypt module.
        - The new function follows the established crypt API and output format, allowing users to select SHA3-512 for password hashing via the
          $SHA3$512$ salt prefix.
        - SHA3-512 is based on the Keccak sponge construction, which operates by absorbing input data into a large internal state and then squeezing out
          the hash output. The Keccak-f[1600] permutation is applied repeatedly to mix the state, providing strong diffusion and resistance to
          cryptanalysis. Unlike the Merkle-Damgård construction used in SHA-2, Keccak’s sponge design is more flexible and robust against certain
          classes of attacks, such as length extension and collision attacks.
        - The implementation parses the salt and optional rounds parameter, mixes the password and salt into the Keccak state, and performs additional
          rounds to increase computational cost. The final digest is encoded in a base64 variant for compatibility with Unix password files.
        - SHA3-512 is a newer standard, designed to address theoretical weaknesses in SHA-2 and provide a fundamentally different cryptographic structure.
        - The sponge construction is resistant to length extension attacks, which can affect Merkle-Damgård hashes like SHA-512.
        - SHA3-512 has a higher security margin and is less susceptible to certain future cryptanalytic advances.
        - The Keccak algorithm was selected as the winner of the NIST SHA-3 competition and has undergone extensive public review.

        Note: This change does not remove or alter existing SHA-256 or SHA-512 support, but adds SHA3-512 as an additional, more robust option for
              password hashing in RTEMS.

cpukit/libcrypt: Added compiler flags to detect C compiler version

        - Introduced compiler flags to detect which C standard is being used
          and use the appropriate secure memory clearing function.
        - Added memset_s_rtems function to crypt.h in order to restore the
          memset_s function to the C11 compiler, which is currently missing
          from the RTEMS tooling. This function is written in such a way that
          it cannot be optimized away by the compiler, even in build environments
          where aggressive compiler optimizations are present that might otherwise
          skip such operations.
        - Removed __FBSDID as it is not used in RTEMS.

cpukit/telnetd/pty.c: Updated comments for grammar and clarity. (Previous MR contained this change, but that MR is closed)


-- 
View it on GitLab: https://gitlab.rtems.org/rtems/rtos/rtems/-/merge_requests/687
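
A sketch of how a clear with C11 Annex K `memset_s` semantics can be written so that it is not removed as a dead store, added here as an example; it is not the `memset_s_rtems` code from the merge request. The names `secure_clear_example` and `wipe_demo`, the `EXAMPLE_RSIZE_MAX` bound and the sample password are assumptions made for the illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed bound standing in for Annex K's RSIZE_MAX. */
#define EXAMPLE_RSIZE_MAX (SIZE_MAX >> 1)

/*
 * Hypothetical helper with memset_s-style semantics. Every byte is written
 * through a volatile-qualified pointer, which compilers treat as an
 * observable side effect, so the fill is not elided as a dead store.
 */
int secure_clear_example(void *s, size_t smax, int c, size_t n)
{
    volatile unsigned char *p = (volatile unsigned char *)s;
    int rc = 0;

    if (s == NULL || smax > EXAMPLE_RSIZE_MAX)
        return EINVAL;            /* nothing can be cleared safely */
    if (n > EXAMPLE_RSIZE_MAX || n > smax) {
        n = smax;                 /* constraint violated: fill the whole object */
        rc = EINVAL;              /* and still report the error */
    }
    while (n-- > 0)
        *p++ = (unsigned char)c;
    return rc;
}

/* Copies a constructed sample secret, wipes it, returns bytes left non-zero. */
size_t wipe_demo(void)
{
    char secret[32];
    size_t i, left = 0;

    strcpy(secret, "constructed-sample-password");
    secure_clear_example(secret, sizeof secret, 0, sizeof secret);
    for (i = 0; i < sizeof secret; i++)
        left += (secret[i] != 0);
    return left;
}

int main(void)
{
    printf("non-zero bytes after wipe: %zu\n", wipe_demo());
    return 0;
}
```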