C++: add sample code for InsufficientKeySize.qhelp

rdmarsh2 · rdmarsh2 · commit d3665f935e66 · 2022-02-16T12:30:41.000-05:00
diff --git a/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.c b/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.c
@@ -0,0 +1,8 @@
+void encrypt_with_openssl(EVP_PKEY_CTX *ctx) {
+
+  // BAD: only 1024 bits for an RSA key
+  EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 1024);
+
+  // GOOD: 2048 bits for an RSA key
+  EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, 2048);
+}
diff --git a/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.qhelp b/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.qhelp
@@ -17,7 +17,11 @@ encrypted data.</p>
 </recommendation>
 <example>
 
+<p>The following code shows an example of using the <code>openssl</code> library to generate an RSA key.
+When creating a key, you must specify which key size to use. The first example uses 1024 bits, which is not
+considered sufficient. The second example uses 2048 bits, which is currently considered sufficient.</p>
 
+<sample src="InsufficientKeySize.c" />
 
 </example>
 <references>
@@ -27,8 +31,6 @@ Approved Security Functions</a>.</li>
 <li>NIST, SP 800-131A: <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf">
 Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths</a>.</li>
 
-
-
 <!--  LocalWords:  CWE
  -->
 
