...
| Code Block | ||||
|---|---|---|---|---|
| ||||
enum {len = 12};
char id[len]; /* id will hold the ID, starting with
* the characters "ID" followed by a
* random integer */
int r;
int num;
/* ... */
r = rand(); /* generateGenerate a random integer */
num = snprintf(id, len, "ID%-d", r); /* generateGenerate the ID */
/* ... */
|
Compliant Solution (POSIX)
...
| Code Block | ||||
|---|---|---|---|---|
| ||||
enum {len = 12};
char id[len]; /* id will hold the ID, starting with
* the characters "ID" followed by a
* random integer */
int r;
int num;
/* ... */
time_t now = time(NULL);
if (now == (time_t) -1) {
/* handle error */
}
srandom(now); /* seedSeed the PRNG with the current time */
/* ... */
r = random(); /* generateGenerate a random integer */
num = snprintf(id, len, "ID%-d", r); /* generateGenerate the ID */
/* ... */
|
The rand48 family of functions provides another alternative for pseudorandom numbers.
...
To achieve the best random numbers possible, an implementation-specific function must be used. When unpredictability really matters and speed is not an issue, as in the creation of strong cryptographic keys, use a true entropy source, such as /dev/random, or a hardware device capable of generating random numbers. Note that the /dev/random device can block for a long time if there are not enough events going on to generate sufficient entropy.
...
Tool | Version | Checker | Description | LDRA tool suite|||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
Compass/ROSE |
|
|
| |||||||||
| LDRA
| LDRA
| stlibuse | Fully implemented | ||||||||
| V. | 5.0 |
|
| |||||||||
Compass/ROSE |
|
|
| |||||||||
| stlibuse | Fully implemented. | ||||||||||
| PRQA QA-C |
| Warncall -wc rand | Fully implemented |
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
...
...
...
...
...
...
| Use of a broken or risky cryptographic algorithm |
...
...
...
| Use of insufficiently random values |
...
...
Bibliography
...