Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

On Windows platforms, the BcryptGenRandomBCryptGenRandom() function can be used to generate cryptographically strong random numbers. The Microsoft Developer Network BCryptGenRandom() reference [MSDN] states:

The default random number provider implements an algorithm for generating random numbers that complies with the NIST SP800-90 standard, specifically the CTR_DRBG portion of that standard.

Code Block
bgColor#ccccff
langc
#include <Windows.h>
#include <bcrypt.h>
#include <stdio.h>

#pragma comment(lib, "Bcrypt")

void func(void) {
  BCRYPT_ALG_HANDLE Prov;
  int Buffer;
  if (!BCRYPT_SUCCESS(
          BCryptOpenAlgorithmProvider(&Prov, BCRYPT_RNG_ALGORITHM,
                                      NULL, 0))) {
    /* handle error */
  }
  if (!BCRYPT_SUCCESS(BCryptGenRandom(Prov, (PUCHAR) (&Buffer),
                                      sizeof(Buffer), 0))) {
    /* handle error */
  }
  printf("Random number: %d\n", Buffer);
  BCryptCloseAlgorithmProvider(Prov, 0);
}

Risk Assessment

The use of the rand() function can result in predictable random numbers.

...

Supported, but no explicit checkerUsing a cryptographically weak PRQA QA-CFully implemented

Tool

Version

Checker

Description

Astrée
Include Page
Astrée_V
Astrée_V
stdlib-use-randFully checked
Axivion Bauhaus Suite

Include Page
Axivion Bauhaus Suite_V
Axivion Bauhaus Suite_V

CertC-MSC30
Clang
Include Page
Clang_40_V
Clang_40_V
cert-msc30-cChecked by clang-tidy
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V
BADFUNC.RANDOM.RANDUse of rand
Compass/ROSE




Coverity
Include Page
Coverity_V
Coverity_V

DONTCALL

Implemented - weak support
Cppcheck Premium

Include Page
Cppcheck Premium_V
Cppcheck Premium_V

premium-cert-msc30-cFully implemented

ECLAIR

Include Page
ECLAIR_V
ECLAIR_V

CC2.MSC30

Fully implemented

Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C5022

C++5029


Klocwork
Include Page
Klocwork_V
Klocwork_V

CERT.MSC.STD_RAND_CALL


LDRA tool suite
Include Page
LDRA_V
LDRA_V
44 SEnhanced enforcement
Parasoft C/C++test
Include Page
Parasoft_V
Parasoft_V

CERT_C-MSC30-a

Do not use the rand() function for generating pseudorandom numbers
PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

586

Fully supported

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

Vulnerable pseudo-random number generatorCERT C: Rule MSC30-CChecks for vulnerable pseudo-random number generator (rule fully covered)


RuleChecker

Include Page

PRQA QA-C_v

RuleChecker_V
RuleChecker_V

stdlib-use-randFully checkedPRQA QA-C_v5022

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

...

  • Invocation of other dangerous functions, besides rand().


Bibliography


...