...
This compliant solution requires the user to supply the authentication code, and securely erases it when done, using the memset_s(), an optional function , provided by C11's Annex K.
| Code Block | ||||
|---|---|---|---|---|
| ||||
/* Returns nonzero if authenticated */
int authenticate(const char* code);
int main() {
#define CODE_LEN 50
char code[CODE_LEN];
printf("Please enter your authentication code:\n");
fgets(code, sizeof(code), stdin);
int flag = authenticate(code);
memset_s(code, sizeof(code), 0, sizeof(code));
if (!flag) {
printf("Access denied\n");
return -1;
}
printf("Access granted\n");
// ...Work with system...
return 0;
}
|
...
| Tool | Version | Checker | Description | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Astrée |
| Supported | ||||||||||
| CodeSonar |
| HARDCODED.AUTH HARDCODED.DNS HARDCODED.KEY HARDCODED.SALT HARDCODED.SEED | Hardcoded Authentication Hardcoded DNS Name Hardcoded Crypto Key Hardcoded Crypto Salt Hardcoded Seed in PRNG | |||||||||
| Helix QAC |
| C3122 C++3842 | ||||||||||
| Klocwork |
| HCC | ||||||||||
| Parasoft C/C++test |
| CERT_C-MSC41-a | Do not hard code string literals | |||||||||
| PC-lint Plus |
| 2460 | Assistance provided: reports when a literal is provided as an argument to a function parameter with the ‘noliteral’ argument Semantic; several Windows API functions are marked as such and the ‘-sem’ option can apply it to other functions as appropriate | |||||||||
| Polyspace Bug Finder |
| CERT C: Rule MSC41-C | Checks for hard coded sensitive data (rule partially covered) | |||||||||
| RuleChecker |
| Helix QAC
| Helix QAC
| Supported |
Related Guidelines
| java | MSC03-J. Never hard code sensitive information |
Hard-coded Password [XYP] | |
CWE-259, Use of Hard-Coded Password |
...
MSC40-C. Do not violate constraints Rule 48. Miscellaneous (MSC) Rule 50. POSIX (POS)