SEI CERT C++ Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 19

changes.mady.by.user Roberto Bagnara

Saved on

compared with

New Version 20

changes.mady.by.user Roberto Bagnara

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 4.0

...

Compliant Solution (Windows)

Wiki MarkupIn the compliant solution, on Windows platforms, the [{{CryptGenRandom()}}|http://msdn2.microsoft.com/en-us/library/aa379942.aspx] function can be used to generate cryptographically strong random numbers. It is important to note that the exact details of the implementation are unknown, and it is unknown what source of entropy the {{CryptGenRandom()}} uses. The Microsoft Developer Network {{CryptGenRandom()}} reference \ [[MSDN 2010|AA. Bibliography#MSDN 10] \] says,

...

If an application has access to a good random source, it can fill the {{pbBuffer}} buffer with some random data before calling {{CryptGenRandom()}}. The CSP \ [cryptographic service provider\] then uses this data to further randomize its internal seed. It is acceptable to omit the step of initializing the {{pbBuffer}} buffer before calling {{CryptGenRandom()}}.

Code Block
bgColor#ccccff
langcpp
#include<Wincrypt.h>

HCRYPTPROV hCryptProv;
union {
    BYTE bs[sizeof(long int)];
    long int li;
} rand_buf;

if (!CryptGenRandom(hCryptProv, sizeof(rand_buf), &rand_buf) {
    /* Handle error */
} else {
    printf("Random number: %ld\n", rand_buf.li);
}

...

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

MSC30-CPP

medium

unlikely

low

P6

L2

Automated Detection

Tool

Version

Checker

Description

Section

LDRA tool suite

7.6.0

 

 

Section

Fortify SCA

Section

V. 5.0

 

Section

Can detect violations of this rule with CERT C Rule Pack.

Section

Compass/ROSE

 

 

 

Section

ECLAIR

Include Page
cplusplus:ECLAIR_Vcplusplus:
ECLAIR_V
Section

stlibuse

Section

Fully Implemented

...

This rule appears in the Java Secure Coding Standard as MSC02-J. Generate strong random numbers.

Bibliography

...

\[[ISO/IEC 9899:1999|AA. Bibliography#ISO/IEC 9899-1999] \] Section 7.20.2.1, "The rand function" \
[[MITRE 2007|AA. Bibliography#MITRE 07]\] [CWE ID 327 |http://cwe.mitre.org/data/definitions/ 327 .html], "Use of a Broken or Risky Cryptographic Algorithm," [CWE ID 330|http://cwe.mitre.org/data/definitions/330.html], "Use of Insufficiently Random Values" \[
[MSDN 2010|AA. Bibliography#MSDN 10]\] "[CryptGenRandom Function|http://msdn.microsoft.com/en-us/library/aa379942.aspx]."

...

CON04-CPP. Ensure objects are fully initialized before allowing access      49. Miscellaneous (MSC)      MSC31-CPP. Ensure that return values are compared against the proper type