From 2c22f948523949c3d07f2a1daabedd3d4af497ad Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 21 Nov 2025 18:10:43 +0000
Subject: [PATCH 1/3] Initial plan
From 9b65a33b4ac254b130cb8c131a4a336e256b88ab Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 21 Nov 2025 18:32:39 +0000
Subject: [PATCH 2/3] Add ECB and CBC block mode test cases
Co-authored-by: geoffw0 <40627776+geoffw0@users.noreply.github.com>
---
 .../CWE-327/BrokenCryptoAlgorithm/Cargo.lock | 10 +++++++
 .../CWE-327/BrokenCryptoAlgorithm/options.yml | 1 +
 .../BrokenCryptoAlgorithm/test_cipher.rs | 30 +++++++++++++++++++
 3 files changed, 41 insertions(+)
diff --git a/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm/Cargo.lock b/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm/Cargo.lock
index 708b79ed46d5..a47021d54b46 100644
--- a/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm/Cargo.lock
+++ b/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm/Cargo.lock
@@ -76,6 +76,15 @@ dependencies = [ "cipher", ] +[[package]] +name = "ecb" +version = "0.1.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1a8bfa975b1aec2145850fcaa1c6fe269a16578c44705a532ae3edc92b8881c7" +dependencies = [ + "cipher", +] + [[package]] name = "generic-array" version = "0.14.7"
@@ -146,6 +155,7 @@ dependencies = [ "cbc", "cipher", "des", + "ecb", "rabbit", "rc2", "rc4",
diff --git a/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm/options.yml b/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm/options.yml
index 5a3cf0cab12e..139cb084be20 100644
--- a/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm/options.yml
+++ b/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm/options.yml
@@ -8,3 +8,4 @@ qltest_dependencies:
 - rc2 = { version = "0.8.1" }
 - rc5 = { version = "0.0.1" }
 - cbc = { version = "0.1.2" }
+ - ecb = { version = "0.1.2" }
diff --git a/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm/test_cipher.rs b/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm/test_cipher.rs
index 61471ac99ecf..ca25a9e28e08 100644
--- a/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm/test_cipher.rs
+++ b/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm/test_cipher.rs
@@ -145,3 +145,33 @@ fn test_cbc(
 let des_cipher4 = cbc::Encryptor::::new(key.into(), iv.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
 _ = des_cipher4.encrypt_padded_b2b_mut::(input, data).unwrap();
 }
+
+type MyDesEcbEncryptor = ecb::Encryptor;
+
+fn test_ecb(
+ key: &[u8], key128: &[u8;16],
+ input: &[u8], data: &mut [u8]
+) {
+ let data_len = data.len();
+
+ // aes with ECB (weak block mode)
+ let aes_cipher1 = ecb::Encryptor::::new(key128.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
+ _ = aes_cipher1.encrypt_padded_mut::(data, data_len).unwrap();
+
+ // des with ECB (broken cipher + weak block mode)
+ let des_cipher1 = ecb::Encryptor::::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
+ _ = des_cipher1.encrypt_padded_mut::(data, data_len).unwrap();
+
+ let des_cipher2 = MyDesEcbEncryptor::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
+ _ = des_cipher2.encrypt_padded_mut::(data, data_len).unwrap();
+
+ let des_cipher3 = ecb::Encryptor::::new_from_slice(&key).unwrap(); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
+ _ = des_cipher3.encrypt_padded_mut::(data, data_len).unwrap();
+
+ let des_cipher4 = ecb::Encryptor::::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
+ _ = des_cipher4.encrypt_padded_b2b_mut::(input, data).unwrap();
+
+ // rc2 with ECB (broken cipher + weak block mode)
+ let rc2_cipher1 = ecb::Encryptor::::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
+ _ = rc2_cipher1.encrypt_padded_mut::(data, data_len).unwrap();
+}
From 5893dc699d33bed003292bc2658c5ea059ad63c6 Mon Sep 17 00:00:00 2001
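Review bot: Every case in the new `test_ecb` constructs `ecb::Encryptor` and none constructs `ecb::Decryptor`, so once the query models ECB these expectations would still pass if it recognised only the encrypting side. I would add one decrypting case next to `aes_cipher1`, along the lines of `let aes_cipher_dec = ecb::Decryptor::<…>::new(key128.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]`, using the same cipher type argument as `aes_cipher1` (the type arguments are not visible in this rendering of the patch). The `// aes with ECB (weak block mode)` comment could also state the reason, for example `// aes with ECB (weak block mode: equal plaintext blocks give equal ciphertext blocks)`, so it is clear the expected finding is about the mode and not about AES.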
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Mon, 24 Nov 2025 16:16:20 +0000
Subject: [PATCH 3/3] Rust: Change the majority of variant tests to be on AES not DES, since the focus of these new tests should be the block mode not the encryption algorithm.
---
 .../BrokenCryptoAlgorithm/test_cipher.rs | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm/test_cipher.rs b/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm/test_cipher.rs
index ca25a9e28e08..17db0f9ceb19 100644
--- a/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm/test_cipher.rs
+++ b/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm/test_cipher.rs
@@ -146,7 +146,7 @@ fn test_cbc(
 _ = des_cipher4.encrypt_padded_b2b_mut::(input, data).unwrap();
 }

-type MyDesEcbEncryptor = ecb::Encryptor;
+type MyAesEcbEncryptor = ecb::Encryptor;

 fn test_ecb(
 key: &[u8], key128: &[u8;16],
@@ -158,18 +158,18 @@ fn test_ecb(
 let aes_cipher1 = ecb::Encryptor::::new(key128.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
 _ = aes_cipher1.encrypt_padded_mut::(data, data_len).unwrap();

- // des with ECB (broken cipher + weak block mode)
- let des_cipher1 = ecb::Encryptor::::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
- _ = des_cipher1.encrypt_padded_mut::(data, data_len).unwrap();
+ let aes_cipher2 = MyAesEcbEncryptor::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
+ _ = aes_cipher2.encrypt_padded_mut::(data, data_len).unwrap();

- let des_cipher2 = MyDesEcbEncryptor::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
- _ = des_cipher2.encrypt_padded_mut::(data, data_len).unwrap();
+ let aes_cipher3 = ecb::Encryptor::::new_from_slice(&key).unwrap(); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
+ _ = aes_cipher3.encrypt_padded_mut::(data, data_len).unwrap();

- let des_cipher3 = ecb::Encryptor::::new_from_slice(&key).unwrap(); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
- _ = des_cipher3.encrypt_padded_mut::(data, data_len).unwrap();
+ let aes_cipher4 = ecb::Encryptor::::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
+ _ = aes_cipher4.encrypt_padded_b2b_mut::(input, data).unwrap();

- let des_cipher4 = ecb::Encryptor::::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
- _ = des_cipher4.encrypt_padded_b2b_mut::(input, data).unwrap();
+ // des with ECB (broken cipher + weak block mode)
+ let des_cipher1 = ecb::Encryptor::::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
+ _ = des_cipher1.encrypt_padded_mut::(data, data_len).unwrap();

 // rc2 with ECB (broken cipher + weak block mode)
 let rc2_cipher1 = ecb::Encryptor::::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
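Review bot: The converted cases `aes_cipher2`, `aes_cipher3` and `aes_cipher4` still take their key from `key`, the `&[u8]` that `des_cipher1` and `rc2_cipher1` also use, while `aes_cipher1` uses the dedicated `key128: &[u8;16]`. These ciphers do not share a key length, and the slice-to-key conversion behind `.into()` is, as far as I know, length-checked at run time, so a single slice could not be valid for all of them if this body were ever executed. Passing `key128` would keep the AES cases consistent with `aes_cipher1`, e.g. `let aes_cipher2 = MyAesEcbEncryptor::new(key128.into());`, with `new_from_slice(key128)` for `aes_cipher3` and `new(key128.into())` for `aes_cipher4`. This assumes the converted cases use a 128-bit AES key like `aes_cipher1`; the cipher type arguments are not visible in this rendering. `test_ecb` begins before this hunk and continues past its last line.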