On 07/11/2016 03:17 PM, Thomas Monjalon wrote:
> 2016-06-08 07:46, Azarewicz, PiotrX T:
>>> 2016-05-25 15:34, Piotr Azarewicz:
>>>> This patch improves the generate_random_key() function by replacing the rand()
>>>> function with reading from /dev/urandom.
>>>>
>>>> CID 120136 : Calling risky function (DC.WEAK_CRYPTO)
>>>> dont_call: rand should not be used for security related applications,
>>>> as linear congruential algorithms are too easy to break
>>>>
>>>> Coverity issue: 120136
>>>>
>>>> Signed-off-by: Piotr Azarewicz <piotrx.t.azarewicz at intel.com>
>>>
>>> Is it relevant for this example?
>>
>> Maybe not. But it doesn't break anything, and in the end makes the Coverity tool
>> happy.
>>
>> Declan, please share your opinion.
>
> Declan?

Sorry, I missed this thread. While not strictly necessary for the example app, I don't see a problem applying it; as Coverity points out, it is a bad idea to use rand() for crypto purposes.

Declan
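
The change discussed in this thread, sketched as an added example (this is not the patch itself and not code from any participant): a rand()-based key fill next to one that reads /dev/urandom and handles short reads and EINTR. The function names, the seed parameter and the 16-byte key size are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Weak form (DC.WEAK_CRYPTO): rand() output is fully determined by the
 * seed, so anyone who learns or guesses the seed can rebuild the key. */
static void key_from_rand(uint8_t *key, size_t len, unsigned int seed)
{
	srand(seed);
	for (size_t i = 0; i < len; i++)
		key[i] = (uint8_t)(rand() & 0xff);
}

/* Hardened form: fill key from the kernel CSPRNG via /dev/urandom.
 * Returns 0 on success and -1 on failure; a partially filled buffer is
 * wiped so it cannot be used as a key by mistake. */
static int key_from_urandom(uint8_t *key, size_t len)
{
	size_t done = 0;
	int fd = open("/dev/urandom", O_RDONLY);

	if (fd < 0)
		return -1;
	while (done < len) {
		ssize_t n = read(fd, key + done, len - done);

		if (n > 0)
			done += (size_t)n;	/* short read: keep going */
		else if (n < 0 && errno == EINTR)
			continue;		/* interrupted by a signal: retry */
		else
			break;			/* EOF or hard error */
	}
	close(fd);
	if (done != len) {
		memset(key, 0, len);
		return -1;
	}
	return 0;
}

int main(void)
{
	uint8_t key[16];	/* key size chosen for the example */

	return key_from_urandom(key, sizeof(key)) == 0 ? 0 : 1;
}
```

Callers should treat a -1 return as fatal for key generation rather than falling back to rand().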