Merge pull request #20887 from github/copilot/add-ecb-cbc-test-cases

Add ECB and CBC block mode test cases for BrokenCryptoAlgorithm query
2025-12-16 16:53:25 +01:00 · 2025-12-11 16:22:27 +00:00
parent 1af1d2d3d5 fa02842d30
commit 5db6b92411
3 changed files with 41 additions and 0 deletions
--- a/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm/Cargo.lock
+++ b/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm/Cargo.lock
@@ -76,6 +76,15 @@ dependencies = [
 "cipher",
 ]
 [[package]]
 name = "ecb"
 version = "0.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1a8bfa975b1aec2145850fcaa1c6fe269a16578c44705a532ae3edc92b8881c7"
 dependencies = [
 "cipher",
 ]
 [[package]]
 name = "generic-array"
 version = "0.14.7"
@@ -146,6 +155,7 @@ dependencies = [
 "cbc",
 "cipher",
 "des",
 "ecb",
 "rabbit",
 "rc2",
 "rc4",
--- a/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm/options.yml
+++ b/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm/options.yml
@@ -8,3 +8,4 @@ qltest_dependencies:
    - rc2 = { version = "0.8.1" }
    - rc5 = { version = "0.0.1" }
    - cbc = { version = "0.1.2" }
    - ecb = { version = "0.1.2" }
--- a/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm/test_cipher.rs
+++ b/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm/test_cipher.rs
@@ -145,3 +145,33 @@ fn test_cbc(
    let des_cipher4 = cbc::Encryptor::<des::Des>::new(key.into(), iv.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
    _ = des_cipher4.encrypt_padded_b2b_mut::<des::cipher::block_padding::Pkcs7>(input, data).unwrap();
 }
 type MyAesEcbEncryptor = ecb::Encryptor<aes::Aes128>;
 fn test_ecb(
    key: &[u8], key128: &[u8;16],
    input: &[u8], data: &mut [u8]
 ) {
    let data_len = data.len();
    // aes with ECB (weak block mode)
    let aes_cipher1 = ecb::Encryptor::<aes::Aes128>::new(key128.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
    _ = aes_cipher1.encrypt_padded_mut::<aes::cipher::block_padding::Pkcs7>(data, data_len).unwrap();
    let aes_cipher2 = MyAesEcbEncryptor::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
    _ = aes_cipher2.encrypt_padded_mut::<aes::cipher::block_padding::Pkcs7>(data, data_len).unwrap();
    let aes_cipher3 = ecb::Encryptor::<aes::Aes128>::new_from_slice(&key).unwrap(); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
    _ = aes_cipher3.encrypt_padded_mut::<aes::cipher::block_padding::Pkcs7>(data, data_len).unwrap();
    let aes_cipher4 = ecb::Encryptor::<aes::Aes128>::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
    _ = aes_cipher4.encrypt_padded_b2b_mut::<aes::cipher::block_padding::Pkcs7>(input, data).unwrap();
    // des with ECB (broken cipher + weak block mode)
    let des_cipher1 = ecb::Encryptor::<des::Des>::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
    _ = des_cipher1.encrypt_padded_mut::<des::cipher::block_padding::Pkcs7>(data, data_len).unwrap();
    // rc2 with ECB (broken cipher + weak block mode)
    let rc2_cipher1 = ecb::Encryptor::<rc2::Rc2>::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
    _ = rc2_cipher1.encrypt_padded_mut::<rc2::cipher::block_padding::Pkcs7>(data, data_len).unwrap();
 }