Usage of insufficient random number generators
Description
The detected function is not sufficient for generating security-related random numbers, such as those used in key and nonce creation. Consider using the libsodium library's `randombytes_random` function instead. More information on libsodium's random number generators can be found here: https://libsodium.gitbook.io/doc/generating_random_data. If FIPS validation is required, consider using OpenSSL's `RAND_bytes` family of functions after enabling FIPS mode with `FIPS_mode_set`. For more information on OpenSSL random numbers, see: https://wiki.openssl.org/index.php/Random_Numbers
Examples
Insecure Code
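```c
#include <stdlib.h>
#include <time.h>
srand(time(NULL));          /* seed is the current time in seconds, which is guessable */
int random_number = rand(); /* output is fully determined by that seed */
```
Secure Code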
```c
#include <sodium.h>
/* sodium_init() must have returned successfully before this call */
unsigned char random_bytes[16];
randombytes_buf(random_bytes, sizeof random_bytes);
```
Remediation
Replace the insufficient random number generator with a secure alternative, such as libsodium's `randombytes_random` or OpenSSL's `RAND_bytes`.
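The following added example, which is not part of the original rule documentation, shows why the detected pattern is weak: a token built from `rand()` is fully determined by its seed, so two processes that seed with the same `time(NULL)` value produce the same token. The function names are hypothetical, and reading `/dev/urandom` is an assumed stand-in for `randombytes_buf` or `RAND_bytes` so that the example builds without extra libraries.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#define TOKEN_LEN 16

/* Insecure pattern flagged by the rule: the whole token is a function of the seed. */
void weak_token(unsigned int seed, unsigned char out[TOKEN_LEN])
{
    srand(seed);
    for (size_t i = 0; i < TOKEN_LEN; i++)
        out[i] = (unsigned char)(rand() & 0xff);
}

/* Assumed stand-in for a CSPRNG call. Returns 0 on success, -1 on failure (do not use out). */
int strong_token(unsigned char out[TOKEN_LEN])
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t got = fread(out, 1, TOKEN_LEN, f);
    fclose(f);
    return got == TOKEN_LEN ? 0 : -1;
}

/* Returns 1 when two generators seeded with the same value emit the same token. */
int weak_tokens_collide(unsigned int seed)
{
    unsigned char a[TOKEN_LEN], b[TOKEN_LEN];
    weak_token(seed, a);
    weak_token(seed, b);
    return memcmp(a, b, TOKEN_LEN) == 0;
}

/* Returns 1 when two tokens from the kernel source differ, 0 if equal, -1 on error. */
int strong_tokens_differ(void)
{
    unsigned char a[TOKEN_LEN], b[TOKEN_LEN];
    if (strong_token(a) != 0 || strong_token(b) != 0) return -1;
    return memcmp(a, b, TOKEN_LEN) != 0;
}

int main(void)
{
    unsigned int now = (unsigned int)time(NULL); /* same value for every caller in this second */
    printf("same-second rand() tokens identical: %d\n", weak_tokens_collide(now));
    printf("kernel CSPRNG tokens differ: %d\n", strong_tokens_differ());
    return 0;
}
```

Note that `strong_token` reports failure to its caller instead of returning a partially filled buffer; the same check applies to the return value of `RAND_bytes`.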
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0611 |
| Category | Crypto |
| Severity | MEDIUM |
| CWE | CWE-327 |
| Confidence | HIGH |
| Impact | MEDIUM |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | random number generator, security |
| OWASP | A3:2017-Sensitive Data Exposure, A02:2021-Cryptographic Failures |