Usage of insufficient random number generator

ID

c.cryptography.insecure_random

Severity

low

Resource

Cryptography

Language

C / C++

Description

The $FUNC function is not cryptographically secure for generating random numbers used in keys, nonces, or other security-sensitive contexts. Use libsodium’s randombytes_random, or OpenSSL’s RAND_bytes family with FIPS mode if required.

Rationale

The following code illustrates a vulnerable pattern detected by this rule:

// Feature-test macro so <stdlib.h> declares the rand48 family
#define _XOPEN_SOURCE 600
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

// VULNERABLE: Usage of insufficient random number generator
unsigned short * seed48(unsigned short seed16v[3]);
// VULNERABLE: Usage of insufficient random number generator
void lcong48(unsigned short param[7]);

int main(void)
{
    // State buffer: 3 elements are used by erand48/jrand48/nrand48, 7 by lcong48
    unsigned short example[7] = {1, 2, 3, 4, 5, 6, 7};
    char * str = (char * ) malloc(sizeof(char) * 11);
    char * ptr;

    // VULNERABLE: Usage of insufficient random number generator
    double a = drand48();
    // VULNERABLE: Usage of insufficient random number generator
    double b = erand48(example);
    // VULNERABLE: Usage of insufficient random number generator
    long c = jrand48(example);
    // VULNERABLE: Usage of insufficient random number generator
    lcong48(example);
    // VULNERABLE: Usage of insufficient random number generator
    long d = lrand48();
    // VULNERABLE: Usage of insufficient random number generator
    long z = mrand48();
    // VULNERABLE: Usage of insufficient random number generator
    long t = nrand48(example);

    // VULNERABLE: Usage of insufficient random number generator
    srand(time(0));
    for (int i = 0; i < 2; i++) {
        printf("%d\n", rand()); // values follow deterministically from the time-based seed
    }

    free(str);
    return 0;
}

Remediation

Follow secure coding practices and review the references below for detailed remediation guidance.
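
One way to apply this remediation, shown as an added example that is not part of the rule's own documentation: the flagged seed-then-`rand()` pattern next to a replacement that fills the buffer from the operating system's CSPRNG. It assumes Linux with glibc's `getrandom()` so that it builds without third-party libraries; with the libraries named in the description, the fill call would be libsodium's `randombytes_buf()` or OpenSSL's `RAND_bytes()`. `TOKEN_LEN`, the function names and the seed value are constructed for illustration.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/random.h> /* getrandom(): Linux, glibc >= 2.25 (assumed platform) */
#define TOKEN_LEN 32    /* hypothetical token size in bytes */

/* BEFORE (pattern this rule flags): output is a pure function of the seed. */
void weak_token(unsigned int seed, unsigned char out[TOKEN_LEN])
{
    srand(seed);
    for (size_t i = 0; i < TOKEN_LEN; i++)
        out[i] = (unsigned char)(rand() & 0xff);
}

/* AFTER: fill from the kernel CSPRNG. Returns 0 on success, -1 on failure. */
int secure_token(unsigned char out[TOKEN_LEN])
{
    size_t done = 0;
    while (done < TOKEN_LEN) {
        ssize_t n = getrandom(out + done, TOKEN_LEN - done, 0);
        if (n < 0) {
            if (errno == EINTR)
                continue; /* interrupted by a signal: retry */
            return -1;    /* fail closed; never fall back to rand() */
        }
        done += (size_t)n;
    }
    return 0;
}

/* Returns 1 when the same seed reproduces the same weak token. */
int weak_token_repeats(unsigned int seed)
{
    unsigned char a[TOKEN_LEN], b[TOKEN_LEN];
    weak_token(seed, a);
    weak_token(seed, b);
    return memcmp(a, b, TOKEN_LEN) == 0;
}

/* Returns 1 when two secure tokens were produced and differ. */
int secure_tokens_differ(void)
{
    unsigned char a[TOKEN_LEN], b[TOKEN_LEN];
    if (secure_token(a) != 0 || secure_token(b) != 0)
        return 0;
    return memcmp(a, b, TOKEN_LEN) != 0;
}

int main(void) { return (weak_token_repeats(1700000000u) && secure_tokens_differ()) ? 0 : 1; }
```

Because the weak token depends only on the seed, a seed taken from `time(0)` limits the possible tokens to the number of plausible timestamps, while the secure variant returns an error instead of degrading when the kernel call fails.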

Configuration

This detector does not need any configuration.