From owner-doc-jp@jp.freebsd.org  Wed Jun 21 08:13:56 2000
Message-Id: <200006202313.IAA34389@castle.jp.freebsd.org>
Date: Wed, 21 Jun 2000 08:16:22 +0900
From: Satoshi Hasebe <hasebe@telecom0.eng.niigata-u.ac.jp>
To: doc-jp@jp.freebsd.org
In-Reply-To: <20000620192506.1645.qmail@smtp.246.ne.jp>
References: <20000612215144.D1A3B37BBF7@hub.freebsd.org>
	<20000620192506.1645.qmail@smtp.246.ne.jp>
X-Mailer: Datula version 1.22.06 for Windows
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-2022-jp
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+000315
X-Sequence: doc-jp 7471
Subject: [doc-jp 7471] Re: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-00:25.alpha-dev-random
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: hasebe@telecom0.eng.niigata-u.ac.jp

This is Hasebe.

Koga Youichirou$B$5$s$N(B<20000620192506.1645.qmail@smtp.246.ne.jp>$B$+$i(B

>II.  $BLdBj$N>\:Y(B - Problem Description
>
>The FreeBSD port to the Alpha platform did not provide the /dev/random
>or /dev/urandom devices - this was an oversight during the development
>process which was not corrected before the Alpha port "became
>mainstream". FreeBSD/i386 is not affected.
>

>$B$h$S(B /dev/urandom $B$rDs6!$7$F$$$^$;$s$G$7$?(B. $B$3$l$O(B, Alpha $B$X$N0\?"$N(B
>$B!V%a%$%s%9%H%j!<%`2=!W0JA0$K=$@5$5$l$J$+$C$?$H$$$&(B, $B3+H/%W%m%;%9Cf$N(B
>$B%_%9$G$9(B. 

$B$3$l$O(B Alpha $B%]!<%H$,!V%a%$%s%9%H%j!<%`2=!W$9$k$^$G=$@5$5$l$J$+$C$?3+(B
$BH/2aDx$K$*$1$k8+Mn$H$7$G$7$?!#(BFreeBSD/i386 $B$O1F6A$r<u$1$^$;$s!#(B

>As a consequence, there is no way for Alpha systems prior to the
>correction date to obtain cryptographic-strength random numbers,
>unless an application "rolls its own" entropy gathering
>mechanism. This in itself is not a vulnerability, although it is an
>omission and a departure from the expected behaviour of a FreeBSD
>system.
>
>As a result, on Alpha systems prior to the correction date, there is no
>means of obtaining cryptographic-strength random numbers "if an
>application does not have" a mechanism of "its own" for gathering entropy.

As a result, on Alpha systems prior to the correction date, there is no
means of obtaining cryptographic-strength random numbers unless an
application "has its own" entropy-gathering mechanism.

>The actual vulnerability is that some applications fail to correctly
>check for a working /dev/random and do not exit with an error if it is
>not available, so this weakness goes undetected. OpenSSL 0.9.4, and
>utilities based on it, including OpenSSH (both of which are included
>in the base FreeBSD 4.0 system) are affected in this manner (this bug
>was corrected in OpenSSL 0.9.5)
>
>The real weakness is that there are applications that cannot correctly
>check whether /dev/random works and do not exit with an error even when
>/dev/random is unavailable, and so do not notice this weakness.

The actual weakness is that some applications cannot correctly check that
/dev/random is working and, when no corresponding error is provided, do not
exit with an error, so this weakness goes undetected.
-- 
$B!\(B                                           $B!\(B
    $BD9C+ItAo!J?73cBg3XBg3X1!<+A32J3X8&5f2J!K(B
  mailto:hasebe@telecom0.eng.niigata-u.ac.jp
  http://telecom0.eng.niigata-u.ac.jp/~hasebe
$B!\(B                                           $B!\(B
