Adding historic version of SSSS -- v0.5.

Author: MrJoy

HISTORY

@@ -0,0 +1,18 @@
+v0.5: (January 2006)
+  - introduction of memory locking and tty echo suppression
+  - a buffer overflow was fixed. It seems to be exploitable.
+
+v0.4: (October 2005)
+  - the security level now can be chosen freely in the range
+      8..1024 bits in steps of 8.
+
+v0.3: (July 2005) 
+  - separation of ssss into ssss-split and ssss-combine
+  - introduction of a man page
+
+v0.2: (June 2005) 
+  - introduction of the diffusion layer
+
+v0.1: (May 2005) 
+  - initial release
+

THANKS

@@ -0,0 +1,6 @@
+I would like to thank the following people for comments and code:
+
+  Tam�s Tevesz (documentation)
+  Stefan Schlesinger, Daniel Bielefeldt (error reporting)
+  Olaf Mersmann (memory locking, echo suppression)
+  Alex Popov (windows port)

doc.html

@@ -0,0 +1,176 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html>
+  <head>
+    <title>ssss: Shamir's Secret Sharing Scheme</title>
+  </head>
+  
+  <body>
+    <small>The following text is licensed under the 
+      <a href="http://www.gnu.org/licenses/gpl.html">
+	GNU General Public License</a>. Copyright 2005, 2006 by
+      B. Poettering.</small> 
+    <hr noshade="noshade"/>
+    
+    <h4>What is "Secret Sharing"?</h4>
+    
+    Citing from the <a href="http://en.wikipedia.org/">Wikipedia</a>
+    article about <a
+      href="http://en.wikipedia.org/wiki/Secret_sharing">Secret
+      Sharing</a>:
+    <blockquote>
+      <p>
+	In <a
+	  href="http://en.wikipedia.org/wiki/Cryptography">cryptography</a>, a
+	<b>secret sharing scheme</b> is a method for distributing a <a
+	  href="http://en.wikipedia.org/wiki/Secrecy"><i>secret</i></a> amongst
+	a group of participants, each of which is allocated a <i>share</i> of
+	the secret. The secret can only be reconstructed when the shares are
+	combined together; individual shares are of no use on their own.
+      </p>
+      <p>
+	More formally, in a secret sharing scheme there is one <i>dealer</i>
+	and <i>n</i> <i>players</i>. The dealer gives a secret to the players,
+	but only when specific conditions are fulfilled. The dealer
+	accomplishes this by giving each player a share in such a way that any
+	group of <i>t</i> (for <i>threshold</i>) or more players can together
+	reconstruct the secret but no group of less than <i>t</i> players
+	can. Such a system is called a <i>(t,n)</i>-threshold scheme.
+      </p>
+    </blockquote>
+    <p>
+        A popular technique to implement threshold schemes uses <a
+	href="http://en.wikipedia.org/wiki/Polynomial_interpolation">
+	polynomial interpolation</a> ("Lagrange interpolation"). This
+        method was invented by <a
+   	href="http://en.wikipedia.org/wiki/Adi_Shamir"> Adi Shamir</a> in
+        1979. You can play around with a threshold scheme on the <a
+        href="http://point-at-infinity.org/ssss/demo.html">demo page</a>.
+	</p>
+    <p>
+    Note that Shamir's scheme is provable secure, that means: in a
+    <i>(t,n)</i> scheme one can prove that it makes no difference
+    whether an attacker has <i>t-1</i> valid shares at his disposal or
+    none at all; as long as he has less than
+    <i>t</i> shares, there is no better option than guessing to find
+    out the secret.
+    </p>
+      <h4>Where is "Secret Sharing" used?</h4> Some popular examples are:
+      <ul>
+      <li>
+	Good passwords are hard to memorize. A clever user could use a
+	secret sharing scheme to generate a set of shares for a given
+	password and store one share in his address book, one in his
+	bank deposit safe, leave one share with a friend, etc. If one day he
+	forgets his password, he can reconstruct it easily. Of
+	course, writing passwords directly into the address book would
+	pose a security risk, as it could be stolen by an "enemy". If
+	a secret sharing scheme is used, the attacker has to steal
+	many shares from different places.
+      </li>
+      <li>
+	"A dealer could send <i>t</i> shares, all of which are
+	necessary to recover the original secret, to a single
+	recipient, using <i>t</i> different channels. An attacker
+	would have to intercept all <i>t</i> shares to recover the
+	secret, a task which may be more difficult than intercepting a
+	single message" (<a
+	  href="http://en.wikipedia.org/wiki/Secret_sharing">Wikipedia</a>).
+      </li>
+      <li>
+	The director of a bank could generate shares for the bank's
+	vault unlocking code and hand them out to his employees. Even
+	if the director is not available, the vault can be opened, but only,
+	when a certain number of employees do it together. Here secret
+	sharing schemes allow the employment of not fully trusted
+	people.
+      </li>
+    </ul>
+    
+    <h4>What is "ssss"? Where can I download "ssss"?</h4>
+    <p>
+      <b>ssss</b> is an implementation of Shamir's secret sharing
+      scheme for UNIX systems, especially developed for linux
+      machines. The code is licensed under the <a
+      href="http://www.gnu.org/licenses/gpl.html">GNU GPL</a>.
+      <b>ssss</b> does both: the generation of shares for a known
+      secret and the reconstruction of a secret using user provided
+      shares.  The software was written in 2006 by B. Poettering, it
+      links against the <a href="http://swox.com/gmp/">GNU libgmp</a>
+      multiprecision library (version 4.1.4 works well) and requires
+      the <tt>/dev/random</tt> entropy source. Please send bug reports
+      to <b><tt>ssss AT point-at-infinity.org</tt></b>.
+    </p>
+    <p>There is a <a
+    href="http://freshmeat.net/projects/ssss/">freshmeat page</a> for
+    <b>ssss</b>. A <a
+    href="http://packages.debian.org/unstable/utils/ssss">debian
+    package</a> is also available. If you are the lucky owner of a
+    debian system just run <tt>apt-get update &amp;&amp; apt-get
+    install ssss</tt> to install <b>ssss</b>. Someone even ported (an
+    outdated version of) <b>ssss</b> to <a
+    href="http://www.seidlitz.ca/ssss/">Windows</a> (but with a
+    lightly too sloppy random number generation, in my opinion).
+    </p>
+    <p>
+      Download on the <a href="http://point-at-infinity.org/ssss">ssss homepage</a>.
+    </p>
+
+    <h4>How is "ssss" used? Is there an online demonstration?</h4> 
+    <p>The generation of shares given a
+      known secret is shown first.  A (3,5)-threshold scheme is used, that is:
+      5 shares are generated, the secret can be reconstructed by any
+      subset of size 3.
+    </p>
+    <pre>
+      % ssss-split -t 3 -n 5
+      Generating shares using a (3,5) scheme with dynamic security level.
+      Enter the secret, at most 128 ASCII characters: my secret root password
+      Using a 184 bit security level.
+      1-1c41ef496eccfbeba439714085df8437236298da8dd824
+      2-fbc74a03a50e14ab406c225afb5f45c40ae11976d2b665
+      3-fa1c3a9c6df8af0779c36de6c33f6e36e989d0e0b91309
+      4-468de7d6eb36674c9cf008c8e8fc8c566537ad6301eb9e
+      5-4756974923c0dce0a55f4774d09ca7a4865f64f56a4ee0
+    </pre>
+    These shares can be combined to recreate the secret:
+    <pre>
+      % ssss-combine -t 3
+      Enter 3 shares separated by newlines:
+      Share [1/3]: 3-fa1c3a9c6df8af0779c36de6c33f6e36e989d0e0b91309
+      Share [2/3]: 5-4756974923c0dce0a55f4774d09ca7a4865f64f56a4ee0
+      Share [3/3]: 2-fbc74a03a50e14ab406c225afb5f45c40ae11976d2b665
+      Resulting secret: my secret root password
+    </pre>
+    You can try it out on the
+    <a href="http://point-at-infinity.org/ssss/demo.html">demo page</a>.
+
+    <p>
+    If larger secrets are to be shared a hybrid technique has to be
+    applied: encrypt the secret with a block cipher (using openssl,
+    gpg, etc) and apply secret sharing to just the key. See the man
+    page for more information about this topic.
+    </p>
+
+
+    <h4>Where is the manpage?</h4>
+   Read it as <a href="http://point-at-infinity.org/ssss/ssss.1.html">html</a> or 
+    <a href="http://point-at-infinity.org/ssss/ssss.1">*roff</a>! 
+
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input name="cmd" value="_xclick" type="hidden">
+<input name="business" value="[email protected]" type="hidden">
+<input name="no_note" value="1" type="hidden">
+<input name="currency_code" value="EUR" type="hidden">
+   <p>
+If you like this software, think about donating some money via
+   <input src="https://www.paypal.com/en_US/i/btn/x-click-but7.gif" name="submit" alt="PayPal" type="image">.
+</p>
+</form>
+    <hr>
+    <small>
+      <!-- hhmts start -->
+Last modified: Sun Jan 15 12:08:48 CET 2006
+<!-- hhmts end -->
+    </small>
+  </body>
+</html>

ssss.c

@@ -1,5 +1,5 @@
 /*
- *  ssss version 0.4  -  Copyright 2005 B. Poettering
+ *  ssss version 0.5  -  Copyright 2005,2006 B. Poettering
  * 
  *  This program is free software; you can redistribute it and/or
  *  modify it under the terms of the GNU General Public License as
@@ -31,21 +31,26 @@
  * Compile with 
  * "gcc -O2 -lgmp -o ssss-split ssss.c && ln ssss-split ssss-combine"
  *
+ * Compile with -DNOMLOCK to obtain a version without memory locking.
+ *
  * Report bugs to: ssss AT point-at-infinity.org
  *  
  */
 
 #include <stdlib.h>
 #include <string.h>
+#include <errno.h>
 #include <fcntl.h>
 #include <unistd.h>
 #include <stdio.h>
 #include <stdint.h>
 #include <assert.h>
+#include <termios.h>
+#include <sys/mman.h>
 
 #include <gmp.h>
 
-#define VERSION "0.4"
+#define VERSION "0.5"
 #define RANDOM_SOURCE "/dev/random"
 #define MAXDEGREE 1024
 #define MAXTOKENLEN 128
@@ -77,25 +82,27 @@ int opt_threshold = -1;
 int opt_number = -1;
 char *opt_token = NULL;
 
-int ttyoutput;
-
 unsigned int degree;
 mpz_t poly;
 int cprng;
+struct termios echo_orig, echo_off;
 
 #define mpz_lshift(A, B, l) mpz_mul_2exp(A, B, l)
 #define mpz_sizeinbits(A) (mpz_cmp_ui(A, 0) ? mpz_sizeinbase(A, 2) : 0)
 
+/* emergency abort and warning functions */
+
 void fatal(char *msg)
 {
-  fprintf(stderr, "%sFATAL: %s.\n", ttyoutput ? "\a" : "", msg);
+  tcsetattr(0, TCSANOW, &echo_orig);
+  fprintf(stderr, "%sFATAL: %s.\n", isatty(2) ? "\a" : "", msg);
   exit(1);
 }
 
 void warning(char *msg)
 {
   if (! opt_QUIET)
-    fprintf(stderr, "%sWARNING: %s.\n", ttyoutput ? "\a" : "", msg);
+    fprintf(stderr, "%sWARNING: %s.\n", isatty(2) ? "\a" : "", msg);
 }
 
 /* field arithmetic routines */
@@ -110,6 +117,7 @@ int field_size_valid(int deg)
 
 void field_init(int deg)
 {
+  assert(field_size_valid(deg));
   mpz_init_set_ui(poly, 0);
   mpz_setbit(poly, deg);
   mpz_setbit(poly, irred_coeff[3 * (deg / 8 - 1) + 0]);
@@ -385,7 +393,7 @@ void split(void)
   unsigned int fmt_len;
   mpz_t x, y, coeff[opt_threshold];
   char buf[MAXLINELEN];
-  int i;
+  int deg, i;
   for(fmt_len = 1, i = opt_number; i >= 10; i /= 10, fmt_len++);
   if (! opt_quiet) {
     printf("Generating shares using a (%d,%d) scheme with ", 
@@ -396,23 +404,27 @@ void split(void)
       printf("dynamic");
     printf(" security level.\n");
 
-    int deg = opt_security ? opt_security : MAXDEGREE;
+    deg = opt_security ? opt_security : MAXDEGREE;
     fprintf(stderr, "Enter the secret, ");
     if (opt_hex)
       fprintf(stderr, "as most %d hex digits: ", deg / 4);
     else 
       fprintf(stderr, "at most %d ASCII characters: ", deg / 8);
   }
+  tcsetattr(0, TCSANOW, &echo_off);
   if (! fgets(buf, sizeof(buf), stdin))
     fatal("I/O error while reading secret");
+  tcsetattr(0, TCSANOW, &echo_orig);
   buf[strcspn(buf, "\r\n")] = '\0';
 
   if (! opt_security) {
     opt_security = opt_hex ? 4 * ((strlen(buf) + 1) & ~1): 8 * strlen(buf);
-
+    if (! field_size_valid(opt_security))
+      fatal("security level invalid (secret too long?)");
     if (! opt_quiet)
       fprintf(stderr, "Using a %d bit security level.\n", opt_security);
   }
+
   field_init(opt_security);
 
   mpz_init(coeff[0]);
@@ -528,9 +540,31 @@ int main(int argc, char *argv[])
 {
   char *name;
   int i;
-  if ((i = fileno(stderr)) < 0)
-    fatal("couldn't determine fileno of stderr");
-  ttyoutput = isatty(i);
+
+#if ! NOMLOCK
+  if (mlockall(MCL_CURRENT | MCL_FUTURE) < 0)
+    switch(errno) {
+    case ENOMEM:
+      warning("couldn't get memory lock (ENOMEM, try to adjust RLIMIT_MEMLOCK!)");
+      break;
+    case EPERM:
+      warning("couldn't get memory lock (EPERM, try UID 0!)");
+      break;
+    case ENOSYS:
+      warning("couldn't get memory lock (ENOSYS, kernel doesn't allow page locking)");
+      break;
+    default:
+      warning("couldn't get memory lock");
+      break;
+    }
+#endif
+
+  if (getuid() != geteuid())
+    seteuid(getuid());
+
+  tcgetattr(0, &echo_orig);
+  echo_off = echo_orig;
+  echo_off.c_lflag &= ~ECHO;
 
   opt_help = argc == 1;
   while((i = getopt(argc, argv, "vDhqQxs:t:n:w:")) != -1)

ssss.manpage.xml

@@ -136,8 +136,19 @@ gpg -c < file.plain > file.encrypted
 
 </section>
 
+<section name="Security">
+<p>
+<opt>ssss</opt> tries to lock its virtual address space into RAM for
+privacy reasons. But this may fail for two reasons: either the current uid
+doesn't permit page locking, or the RLIMIT_MEMLOCK is set too
+low. After printing a warning message <opt>ssss</opt> will run even without
+obtaining the desired mlock.
+</p>
+
+</section>
+
 <section name="Author">
-        This software (v0.4) was written in 2005 by B. Poettering
+        This software (v0.5) was written in 2006 by B. Poettering
         (ssss AT point-at-infinity.org). Find the newest version of
         ssss on the project's homepage: <url
         href="http://point-at-infinity.org/ssss/"/>.