...
This compliant solution requires the user to supply the authentication code, and securely erases it when done, using the memset_s()
, an optional function , provided by C11's Annex K.
Code Block | ||||
---|---|---|---|---|
| ||||
/* Returns nonzero if authenticated */ int authenticate(const char* code); int main() { #define CODE_LEN 50 char code[CODE_LEN]; printf("Please enter your authentication code:\n"); fgets(code, sizeof(code), stdin); int flag = authenticate(code); memset_s(code, sizeof(code), 0, sizeof(code)); if (!flag) { printf("Access denied\n"); return -1; } printf("Access granted\n"); // ...Work with system... return 0; } |
...
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
Astrée |
| Supported | |||||||
CodeSonar |
| HARDCODED.AUTH HARDCODED.DNS HARDCODED.KEY HARDCODED.SALT HARDCODED.SEED | Hardcoded Authentication Hardcoded DNS Name Hardcoded Crypto Key Hardcoded Crypto Salt Hardcoded Seed in PRNG | ||||||
Helix QAC |
| C3122 C++3842 | |||||||
Klocwork |
| HCC | |||||||
Parasoft C/C++test |
| CERT_C-MSC41-a | Do not hard code string literals | ||||||
PC-lint Plus |
| 2460 | Assistance provided: reports when a literal is provided as an argument to a function parameter with the ‘noliteral’ argument Semantic; several Windows API functions are marked as such and the ‘-sem’ option can apply it to other functions as appropriate | ||||||
Polyspace Bug Finder |
| CERT C: Rule MSC41-C | Checks for hard coded sensitive data (rule partially covered) | ||||||
RuleChecker |
| Supported |
Related Guidelines
java | MSC03-J. Never hard code sensitive information |
Hard-coded Password [XYP] | |
CWE-259, Use of Hard-Coded Password |
...
Section 11.2, "Outbound Passwords: Keep Passwords out of Source Code" | |
"Unsafe Mobile Code: Database Access" |
...
...
MSC40-C. Do not violate constraints Rule 48. Miscellaneous (MSC) Rule 50. POSIX (POS)