Merge branch 'main' into cwe-134

.github/workflows/build-ripunzip.yml

@@ -6,18 +6,18 @@ on:
       ripunzip-version:
         description: "what reference to checktout from google/runzip"
         required: false
-        default: v1.2.1
+        default: v2.0.2
       openssl-version:
         description: "what reference to checkout from openssl/openssl for Linux"
         required: false
-        default: openssl-3.3.0
+        default: openssl-3.5.0
 
 jobs:
   build:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-22.04, macos-13, windows-2019]
+        os: [ubuntu-22.04, macos-13, windows-2022]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4

.github/workflows/csharp-qltest.yml

@@ -36,7 +36,7 @@ jobs:
   unit-tests:
     strategy:
       matrix:
-        os: [ubuntu-latest, windows-2019]
+        os: [ubuntu-latest, windows-latest]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
@@ -66,6 +66,6 @@ jobs:
           # Update existing stubs in the repo with the freshly generated ones
           mv "$STUBS_PATH/output/stubs/_frameworks" ql/test/resources/stubs/
           git status
-          codeql test run --threads=0 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
+          codeql test run --threads=0 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
         env:
           GITHUB_TOKEN: ${{ github.token }}

.github/workflows/go-tests-other-os.yml

@@ -26,9 +26,8 @@ jobs:
         uses: ./go/actions/test
 
   test-win:
-    if: github.repository_owner == 'github'
     name: Test Windows
-    runs-on: windows-latest-xl
+    runs-on: windows-latest
     steps:
       - name: Check out code
         uses: actions/checkout@v4

.github/workflows/ruby-qltest-rtjo.yml

@@ -35,6 +35,6 @@ jobs:
           key: ruby-qltest
       - name: Run QL tests
         run: |
-          codeql test run --dynamic-join-order-mode=all --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+          codeql test run --dynamic-join-order-mode=all --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
         env:
           GITHUB_TOKEN: ${{ github.token }}

.github/workflows/ruby-qltest.yml

@@ -68,6 +68,6 @@ jobs:
           key: ruby-qltest
       - name: Run QL tests
         run: |
-          codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+          codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
         env:
           GITHUB_TOKEN: ${{ github.token }}

.github/workflows/swift.yml

@@ -32,7 +32,7 @@ jobs:
     if: github.repository_owner == 'github'
     strategy:
       matrix:
-        runner: [ubuntu-latest, macos-13-xlarge]
+        runner: [ubuntu-latest, macos-15-xlarge]
       fail-fast: false
     runs-on: ${{ matrix.runner }}
     steps:

.gitignore

@@ -62,6 +62,7 @@ node_modules/
 
 # Temporary folders for working with generated models
 .model-temp
+/mad-generation-build
 
 # bazel-built in-tree extractor packs
 /*/extractor-pack
@@ -71,3 +72,7 @@ node_modules/
 
 # cargo build directory
 /target
+
+# some upgrade/downgrade checks create these files
+**/upgrades/*/*.dbscheme.stats
+**/downgrades/*/*.dbscheme.stats

CODEOWNERS

@@ -16,7 +16,7 @@
 /java/ql/test-kotlin2/ @github/codeql-kotlin
 
 # Experimental CodeQL cryptography
-**/experimental/quantum/ @github/ps-codeql
+**/experimental/**/quantum/ @github/ps-codeql
 /shared/quantum/ @github/ps-codeql
 
 # CodeQL tools and associated docs

Cargo.lock

@@ -242,6 +242,8 @@ version = "1.2.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a012a0df96dd6d06ba9a1b29d6402d1a5d77c6befd2566afdc26e10603dc93d7"
 dependencies = [
+ "jobserver",
+ "libc",
  "shlex",
 ]
 
@@ -390,6 +392,7 @@ dependencies = [
  "tree-sitter",
  "tree-sitter-json",
  "tree-sitter-ql",
+ "zstd",
 ]
 
 [[package]]
@@ -983,6 +986,15 @@ version = "1.0.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4a5f13b858c8d314ee3e8f639011f7ccefe71f97f96e50151fb991f267928e2c"
 
+[[package]]
+name = "jobserver"
+version = "0.1.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "48d1dbcbbeb6a7fec7e059840aa538bd62aaccf972c7346c4d9d2059312853d0"
+dependencies = [
+ "libc",
+]
+
 [[package]]
 name = "jod-thread"
 version = "0.1.2"
@@ -1334,6 +1346,12 @@ version = "0.2.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3b3cff922bd51709b605d9ead9aa71031d81447142d828eb4a6eba76fe619f9b"
 
+[[package]]
+name = "pkg-config"
+version = "0.3.32"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7edddbd0b52d732b21ad9a5fab5c704c14cd949e5e9a1ec5929a24fded1b904c"
+
 [[package]]
 name = "portable-atomic"
 version = "1.11.0"
@@ -3027,3 +3045,31 @@ dependencies = [
  "quote",
  "syn",
 ]
+
+[[package]]
+name = "zstd"
+version = "0.13.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e91ee311a569c327171651566e07972200e76fcfe2242a4fa446149a3881c08a"
+dependencies = [
+ "zstd-safe",
+]
+
+[[package]]
+name = "zstd-safe"
+version = "7.2.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8f49c4d5f0abb602a93fb8736af2a4f4dd9512e36f7f570d66e65ff867ed3b9d"
+dependencies = [
+ "zstd-sys",
+]
+
+[[package]]
+name = "zstd-sys"
+version = "2.0.15+zstd.1.5.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "eb81183ddd97d0c74cedf1d50d85c8d08c1b8b68ee863bdee9e706eedba1a237"
+dependencies = [
+ "cc",
+ "pkg-config",
+]

Cargo.toml

@@ -10,6 +10,7 @@ members = [
     "rust/ast-generator",
     "rust/autobuild",
 ]
+exclude = ["mad-generation-build"]
 
 [patch.crates-io]
 # patch for build script bug preventing bazel build

MODULE.bazel

@@ -124,6 +124,7 @@ use_repo(
     "vendor_ts__tree-sitter-ruby-0.23.1",
     "vendor_ts__triomphe-0.1.14",
     "vendor_ts__ungrammar-1.16.1",
+    "vendor_ts__zstd-0.13.3",
 )
 
 http_archive = use_repo_rule("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
@@ -238,24 +239,24 @@ go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
 go_deps.from_file(go_mod = "//go/extractor:go.mod")
 use_repo(go_deps, "org_golang_x_mod", "org_golang_x_tools")
 
-lfs_files = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_files")
+lfs_archive = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_archive")
 
-lfs_files(
+lfs_archive(
     name = "ripunzip-linux",
-    srcs = ["//misc/ripunzip:ripunzip-linux"],
-    executable = True,
+    src = "//misc/ripunzip:ripunzip-Linux.zip",
+    build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
 )
 
-lfs_files(
+lfs_archive(
     name = "ripunzip-windows",
-    srcs = ["//misc/ripunzip:ripunzip-windows.exe"],
-    executable = True,
+    src = "//misc/ripunzip:ripunzip-Windows.zip",
+    build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
 )
 
-lfs_files(
+lfs_archive(
     name = "ripunzip-macos",
-    srcs = ["//misc/ripunzip:ripunzip-macos"],
-    executable = True,
+    src = "//misc/ripunzip:ripunzip-macOS.zip",
+    build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
 )
 
 register_toolchains(

actions/ql/lib/codeql/actions/Ast.qll

@@ -50,8 +50,8 @@ class Expression extends AstNode instanceof ExpressionImpl {
   string getNormalizedExpression() { result = normalizeExpr(expression) }
 }
 
-/** A common class for `env` in workflow, job or step. */
-abstract class Env extends AstNode instanceof EnvImpl {
+/** An `env` in workflow, job or step. */
+class Env extends AstNode instanceof EnvImpl {
   /** Gets an environment variable value given its name. */
   ScalarValueImpl getEnvVarValue(string name) { result = super.getEnvVarValue(name) }
 

actions/ql/lib/ext/config/actions_permissions.yml

@@ -22,16 +22,21 @@ extensions:
       - ["actions/stale", "pull-requests: write"]
       - ["actions/attest-build-provenance", "id-token: write"]
       - ["actions/attest-build-provenance", "attestations: write"]
+      - ["actions/deploy-pages", "pages: write"]
+      - ["actions/deploy-pages", "id-token: write"]
+      - ["actions/delete-package-versions", "packages: write"]
       - ["actions/jekyll-build-pages", "contents: read"]
       - ["actions/jekyll-build-pages", "pages: write"]
       - ["actions/jekyll-build-pages", "id-token: write"]
       - ["actions/publish-action", "contents: write"]
-      - ["actions/versions-package-tools", "contents: read"]      
+      - ["actions/versions-package-tools", "contents: read"]
       - ["actions/versions-package-tools", "actions: read"]
-      - ["actions/reusable-workflows", "contents: read"]      
+      - ["actions/reusable-workflows", "contents: read"]
       - ["actions/reusable-workflows", "actions: read"]
+      - ["actions/ai-inference", "contents: read"]
+      - ["actions/ai-inference", "models: read"]
       # TODO: Add permissions for actions/download-artifact
       # TODO: Add permissions for actions/upload-artifact
+      # No permissions needed for actions/upload-pages-artifact
       # TODO: Add permissions for actions/cache
-
-      
+      # No permissions needed for actions/configure-pages

actions/ql/src/change-notes/2025-05-14-minimal-permission-for-add-to-project.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The query `actions/missing-workflow-permissions` is now aware of the minimal permissions needed for the actions `deploy-pages`, `delete-package-versions`, `ai-inference`. This should lead to better alert messages and better fix suggestions.

actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms10.yml

@@ -0,0 +1,10 @@
+on:
+  workflow_call:
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/ai-inference

actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms8.yml

@@ -0,0 +1,10 @@
+on:
+  workflow_call:
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/deploy-pages

actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms9.yml

@@ -0,0 +1,10 @@
+on:
+  workflow_call:
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/delete-package-versions

actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected

@@ -3,3 +3,6 @@
 | .github/workflows/perms5.yml:7:5:10:32 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read} |
 | .github/workflows/perms6.yml:7:5:11:39 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read, id-token: write, pages: write} |
 | .github/workflows/perms7.yml:7:5:10:38 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {} |
+| .github/workflows/perms8.yml:7:5:10:33 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {id-token: write, pages: write} |
+| .github/workflows/perms9.yml:7:5:10:44 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {packages: write} |
+| .github/workflows/perms10.yml:7:5:10:33 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read, models: read} |

cpp/downgrades/59cb96ca699929b63941e81905f9b8de7eed59a6/preprocdirects.ql

@@ -11,7 +11,7 @@ int getKind(int kind) {
   if kind = 14
   then result = 6 // Represent MSFT #import as #include
   else
-    if kind = 15 or kind = 6
+    if kind = 15 or kind = 16
     then result = 3 // Represent #elifdef and #elifndef as #elif
     else result = kind
 }

cpp/misc/bulk_generation_targets.json

@@ -0,0 +1,9 @@
+{
+  "strategy": "dca",
+  "language": "cpp",
+  "targets": [
+      { "name": "openssl", "with-sources": false, "with-sinks": false },
+      { "name": "sqlite", "with-sources": false, "with-sinks": false }
+  ],
+  "destination": "cpp/ql/lib/ext/generated"
+}

cpp/ql/lib/change-notes/2025-05-23-windows-sources.md

@@ -0,0 +1,6 @@
+---
+category: feature
+---
+* Added the `pCmdLine` arguments of `WinMain` and `wWinMain` as local flow sources.
+* Added source models for `GetCommandLineA`, `GetCommandLineW`, `GetEnvironmentStringsA`, `GetEnvironmentStringsW`, `GetEnvironmentVariableA`, and `GetEnvironmentVariableW`.
+* Added summary models for `CommandLineToArgvA` and `CommandLineToArgvW`.

cpp/ql/lib/change-notes/2025-05-27-windows-sources-2.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added local flow source models for `ReadFile`, `ReadFileEx`, `MapViewOfFile`, `MapViewOfFile2`, `MapViewOfFile3`, `MapViewOfFile3FromApp`, `MapViewOfFileEx`, `MapViewOfFileFromApp`, `MapViewOfFileNuma2`, and `NtReadFile`.

cpp/ql/lib/change-notes/2025-05-28-using-template.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added a predicate `getReferencedMember` to `UsingDeclarationEntry`, which yields a member depending on a type template parameter.

cpp/ql/lib/experimental/quantum/Language.qll

@@ -1,6 +1,7 @@
 private import cpp as Language
-import semmle.code.cpp.dataflow.new.DataFlow
+import semmle.code.cpp.dataflow.new.TaintTracking
 import codeql.quantum.experimental.Model
+private import OpenSSL.GenericSourceCandidateLiteral
 
 module CryptoInput implements InputSig<Language::Location> {
   class DataFlowNode = DataFlow::Node;
@@ -86,6 +87,21 @@ module GenericDataSourceFlowConfig implements DataFlow::ConfigSig {
   }
 }
 
+module GenericDataSourceFlow = TaintTracking::Global<GenericDataSourceFlowConfig>;
+
+private class ConstantDataSource extends Crypto::GenericConstantSourceInstance instanceof Literal {
+  ConstantDataSource() { this instanceof OpenSSLGenericSourceCandidateLiteral }
+
+  override DataFlow::Node getOutputNode() { result.asExpr() = this }
+
+  override predicate flowsTo(Crypto::FlowAwareElement other) {
+    // TODO: separate config to avoid blowing up data-flow analysis
+    GenericDataSourceFlow::flow(this.getOutputNode(), other.getInputNode())
+  }
+
+  override string getAdditionalDescription() { result = this.toString() }
+}
+
 module ArtifactUniversalFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
     source = any(Crypto::ArtifactInstance artifact).getOutputNode()

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll

@@ -1,7 +1,9 @@
 import cpp
-import semmle.code.cpp.dataflow.new.DataFlow
-import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+private import experimental.quantum.Language
+private import semmle.code.cpp.dataflow.new.DataFlow
+private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+private import PaddingAlgorithmInstance
 
 /**
  * Traces 'known algorithms' to AVCs, specifically
@@ -18,6 +20,9 @@ module KnownOpenSSLAlgorithmToAlgorithmValueConsumerConfig implements DataFlow::
   predicate isSink(DataFlow::Node sink) {
     exists(OpenSSLAlgorithmValueConsumer c |
       c.getInputNode() = sink and
+      // exclude padding algorithm consumers, since
+      // these consumers take in different constant values
+      // not in the typical "known algorithm" set
       not c instanceof PaddingAlgorithmValueConsumer
     )
   }
@@ -42,9 +47,7 @@ module KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow =
   DataFlow::Global<KnownOpenSSLAlgorithmToAlgorithmValueConsumerConfig>;
 
 module RSAPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) {
-    source.asExpr() instanceof KnownOpenSSLAlgorithmConstant
-  }
+  predicate isSource(DataFlow::Node source) { source.asExpr() instanceof OpenSSLPaddingLiteral }
 
   predicate isSink(DataFlow::Node sink) {
     exists(PaddingAlgorithmValueConsumer c | c.getInputNode() = sink)

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/BlockAlgorithmInstance.qll

@@ -1,13 +1,14 @@
 import cpp
-import experimental.quantum.Language
-import OpenSSLAlgorithmInstanceBase
-import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
-import AlgToAVCFlow
+private import experimental.quantum.Language
+private import OpenSSLAlgorithmInstanceBase
+private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import AlgToAVCFlow
 
 /**
  * Given a `KnownOpenSSLBlockModeAlgorithmConstant`, converts this to a block family type.
- * Does not bind if there is know mapping (no mapping to 'unknown' or 'other').
+ * Does not bind if there is no mapping (no mapping to 'unknown' or 'other').
  */
 predicate knownOpenSSLConstantToBlockModeFamilyType(
   KnownOpenSSLBlockModeAlgorithmConstant e, Crypto::TBlockCipherModeOfOperationType type
@@ -70,7 +71,11 @@ class KnownOpenSSLBlockModeConstantAlgorithmInstance extends OpenSSLAlgorithmIns
 
   // NOTE: I'm not going to attempt to parse out the mode specific part, so returning
   // the same as the raw name for now.
-  override string getRawModeAlgorithmName() { result = this.(Literal).getValue().toString() }
+  override string getRawModeAlgorithmName() {
+    result = this.(Literal).getValue().toString()
+    or
+    result = this.(Call).getTarget().getName()
+  }
 
   override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
 }

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll

@@ -1,16 +1,17 @@
 import cpp
-import experimental.quantum.Language
-import KnownAlgorithmConstants
-import Crypto::KeyOpAlg as KeyOpAlg
-import OpenSSLAlgorithmInstanceBase
-import PaddingAlgorithmInstance
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
-import AlgToAVCFlow
-import BlockAlgorithmInstance
+private import experimental.quantum.Language
+private import KnownAlgorithmConstants
+private import Crypto::KeyOpAlg as KeyOpAlg
+private import OpenSSLAlgorithmInstanceBase
+private import PaddingAlgorithmInstance
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
+private import AlgToAVCFlow
+private import BlockAlgorithmInstance
 
 /**
  * Given a `KnownOpenSSLCipherAlgorithmConstant`, converts this to a cipher family type.
- * Does not bind if there is know mapping (no mapping to 'unknown' or 'other').
+ * Does not bind if there is no mapping (no mapping to 'unknown' or 'other').
  */
 predicate knownOpenSSLConstantToCipherFamilyType(
   KnownOpenSSLCipherAlgorithmConstant e, Crypto::KeyOpAlg::TAlgorithm type
@@ -101,13 +102,14 @@ class KnownOpenSSLCipherConstantAlgorithmInstance extends OpenSSLAlgorithmInstan
     // TODO or trace through getter ctx to set padding
   }
 
-  override string getRawAlgorithmName() { result = this.(Literal).getValue().toString() }
+  override string getRawAlgorithmName() {
+    result = this.(Literal).getValue().toString()
+    or
+    result = this.(Call).getTarget().getName()
+  }
 
-  override string getKeySizeFixed() {
-    exists(int keySize |
-      this.(KnownOpenSSLCipherAlgorithmConstant).getExplicitKeySize() = keySize and
-      result = keySize.toString()
-    )
+  override int getKeySizeFixed() {
+    this.(KnownOpenSSLCipherAlgorithmConstant).getExplicitKeySize() = result
   }
 
   override Crypto::KeyOpAlg::Algorithm getAlgorithmType() {

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll

@@ -0,0 +1,53 @@
+import cpp
+private import experimental.quantum.Language
+private import KnownAlgorithmConstants
+private import OpenSSLAlgorithmInstanceBase
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
+private import AlgToAVCFlow
+
+class KnownOpenSSLEllipticCurveConstantAlgorithmInstance extends OpenSSLAlgorithmInstance,
+  Crypto::EllipticCurveInstance instanceof KnownOpenSSLEllipticCurveAlgorithmConstant
+{
+  OpenSSLAlgorithmValueConsumer getterCall;
+
+  KnownOpenSSLEllipticCurveConstantAlgorithmInstance() {
+    // Two possibilities:
+    // 1) The source is a literal and flows to a getter, then we know we have an instance
+    // 2) The source is a KnownOpenSSLAlgorithm is call, and we know we have an instance immediately from that
+    // Possibility 1:
+    this instanceof Literal and
+    exists(DataFlow::Node src, DataFlow::Node sink |
+      // Sink is an argument to a CipherGetterCall
+      sink = getterCall.getInputNode() and
+      // Source is `this`
+      src.asExpr() = this and
+      // This traces to a getter
+      KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink)
+    )
+    or
+    // Possibility 2:
+    this instanceof DirectAlgorithmValueConsumer and getterCall = this
+  }
+
+  override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
+
+  override string getRawEllipticCurveName() {
+    result = this.(Literal).getValue().toString()
+    or
+    result = this.(Call).getTarget().getName()
+  }
+
+  override Crypto::TEllipticCurveType getEllipticCurveType() {
+    Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.getParsedEllipticCurveName(), _, result)
+  }
+
+  override string getParsedEllipticCurveName() {
+    result = this.(KnownOpenSSLEllipticCurveAlgorithmConstant).getNormalizedName()
+  }
+
+  override int getKeySize() {
+    Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.(KnownOpenSSLEllipticCurveAlgorithmConstant)
+          .getNormalizedName(), result, _)
+  }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/HashAlgorithmInstance.qll

@@ -1,8 +1,9 @@
 import cpp
-import experimental.quantum.Language
-import KnownAlgorithmConstants
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
-import AlgToAVCFlow
+private import experimental.quantum.Language
+private import KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
+private import AlgToAVCFlow
 
 predicate knownOpenSSLConstantToHashFamilyType(
   KnownOpenSSLHashAlgorithmConstant e, Crypto::THashType type
@@ -75,7 +76,11 @@ class KnownOpenSSLHashConstantAlgorithmInstance extends OpenSSLAlgorithmInstance
     not knownOpenSSLConstantToHashFamilyType(this, _) and result = Crypto::OtherHashType()
   }
 
-  override string getRawHashAlgorithmName() { result = this.(Literal).getValue().toString() }
+  override string getRawHashAlgorithmName() {
+    result = this.(Literal).getValue().toString()
+    or
+    result = this.(Call).getTarget().getName()
+  }
 
   override int getFixedDigestLength() {
     this.(KnownOpenSSLHashAlgorithmConstant).getExplicitDigestLength() = result

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KeyAgreementAlgorithmInstance.qll

@@ -0,0 +1,63 @@
+import cpp
+private import experimental.quantum.Language
+private import KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
+private import AlgToAVCFlow
+
+predicate knownOpenSSLConstantToKeyAgreementFamilyType(
+  KnownOpenSSLKeyAgreementAlgorithmConstant e, Crypto::TKeyAgreementType type
+) {
+  exists(string name |
+    name = e.getNormalizedName() and
+    (
+      name = "ECDH" and type = Crypto::ECDH()
+      or
+      name = "DH" and type = Crypto::DH()
+      or
+      name = "EDH" and type = Crypto::EDH()
+      or
+      name = "ESDH" and type = Crypto::EDH()
+    )
+  )
+}
+
+class KnownOpenSSLHashConstantAlgorithmInstance extends OpenSSLAlgorithmInstance,
+  Crypto::KeyAgreementAlgorithmInstance instanceof KnownOpenSSLKeyAgreementAlgorithmConstant
+{
+  OpenSSLAlgorithmValueConsumer getterCall;
+
+  KnownOpenSSLHashConstantAlgorithmInstance() {
+    // Two possibilities:
+    // 1) The source is a literal and flows to a getter, then we know we have an instance
+    // 2) The source is a KnownOpenSSLAlgorithm is call, and we know we have an instance immediately from that
+    // Possibility 1:
+    this instanceof Literal and
+    exists(DataFlow::Node src, DataFlow::Node sink |
+      // Sink is an argument to a CipherGetterCall
+      sink = getterCall.getInputNode() and
+      // Source is `this`
+      src.asExpr() = this and
+      // This traces to a getter
+      KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink)
+    )
+    or
+    // Possibility 2:
+    this instanceof DirectAlgorithmValueConsumer and getterCall = this
+  }
+
+  override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
+
+  override Crypto::TKeyAgreementType getKeyAgreementType() {
+    knownOpenSSLConstantToKeyAgreementFamilyType(this, result)
+    or
+    not knownOpenSSLConstantToKeyAgreementFamilyType(this, _) and
+    result = Crypto::OtherKeyAgreementType()
+  }
+
+  override string getRawKeyAgreementAlgorithmName() {
+    result = this.(Literal).getValue().toString()
+    or
+    result = this.(Call).getTarget().getName()
+  }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll

@@ -1,5 +1,5 @@
 import cpp
-import experimental.quantum.OpenSSL.LibraryDetector
+import experimental.quantum.OpenSSL.GenericSourceCandidateLiteral
 
 predicate resolveAlgorithmFromExpr(Expr e, string normalizedName, string algType) {
   resolveAlgorithmFromCall(e, normalizedName, algType)
@@ -20,7 +20,7 @@ class KnownOpenSSLCipherAlgorithmConstant extends KnownOpenSSLAlgorithmConstant
 
   KnownOpenSSLCipherAlgorithmConstant() {
     resolveAlgorithmFromExpr(this, _, algType) and
-    algType.toLowerCase().matches("%encryption")
+    algType.matches("%ENCRYPTION")
   }
 
   int getExplicitKeySize() {
@@ -33,30 +33,20 @@ class KnownOpenSSLCipherAlgorithmConstant extends KnownOpenSSLAlgorithmConstant
 }
 
 class KnownOpenSSLPaddingAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
-  string algType;
-
   KnownOpenSSLPaddingAlgorithmConstant() {
-    resolveAlgorithmFromExpr(this, _, algType) and
-    algType.toLowerCase().matches("%padding")
+    exists(string algType |
+      resolveAlgorithmFromExpr(this, _, algType) and
+      algType.matches("%PADDING")
+    )
   }
 }
 
 class KnownOpenSSLBlockModeAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
-  string algType;
-
-  KnownOpenSSLBlockModeAlgorithmConstant() {
-    resolveAlgorithmFromExpr(this, _, algType) and
-    algType.toLowerCase().matches("%block_mode")
-  }
+  KnownOpenSSLBlockModeAlgorithmConstant() { resolveAlgorithmFromExpr(this, _, "BLOCK_MODE") }
 }
 
 class KnownOpenSSLHashAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
-  string algType;
-
-  KnownOpenSSLHashAlgorithmConstant() {
-    resolveAlgorithmFromExpr(this, _, algType) and
-    algType.toLowerCase().matches("%hash")
-  }
+  KnownOpenSSLHashAlgorithmConstant() { resolveAlgorithmFromExpr(this, _, "HASH") }
 
   int getExplicitDigestLength() {
     exists(string name |
@@ -67,6 +57,20 @@ class KnownOpenSSLHashAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
   }
 }
 
+class KnownOpenSSLEllipticCurveAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
+  KnownOpenSSLEllipticCurveAlgorithmConstant() {
+    resolveAlgorithmFromExpr(this, _, "ELLIPTIC_CURVE")
+  }
+}
+
+class KnownOpenSSLSignatureAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
+  KnownOpenSSLSignatureAlgorithmConstant() { resolveAlgorithmFromExpr(this, _, "SIGNATURE") }
+}
+
+class KnownOpenSSLKeyAgreementAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
+  KnownOpenSSLKeyAgreementAlgorithmConstant() { resolveAlgorithmFromExpr(this, _, "KEY_AGREEMENT") }
+}
+
 /**
  * Resolves a call to a 'direct algorithm getter', e.g., EVP_MD5()
  * This approach to fetching algorithms was used in OpenSSL 1.0.2.
@@ -80,7 +84,6 @@ class KnownOpenSSLHashAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
  *  alias = "dss1" and target = "dsaWithSHA1"
  */
 predicate resolveAlgorithmFromCall(Call c, string normalized, string algType) {
-  isPossibleOpenSSLFunction(c.getTarget()) and
   exists(string name, string parsedTargetName |
     parsedTargetName =
       c.getTarget().getName().replaceAll("EVP_", "").toLowerCase().replaceAll("_", "-") and
@@ -94,10 +97,10 @@ predicate resolveAlgorithmFromCall(Call c, string normalized, string algType) {
  * if `e` resolves to a known algorithm.
  * If this predicate does not hold, then `e` can be interpreted as being of `UNKNOWN` type.
  */
-predicate resolveAlgorithmFromLiteral(Literal e, string normalized, string algType) {
-  exists(int nid |
-    nid = getPossibleNidFromLiteral(e) and knownOpenSSLAlgorithmLiteral(_, nid, normalized, algType)
-  )
+predicate resolveAlgorithmFromLiteral(
+  OpenSSLGenericSourceCandidateLiteral e, string normalized, string algType
+) {
+  knownOpenSSLAlgorithmLiteral(_, e.getValue().toInt(), normalized, algType)
   or
   exists(string name |
     name = resolveAlgorithmAlias(e.getValue()) and
@@ -116,30 +119,6 @@ string resolveAlgorithmAlias(string name) {
   )
 }
 
-private int getPossibleNidFromLiteral(Literal e) {
-  result = e.getValue().toInt() and
-  not e instanceof CharLiteral and
-  not e instanceof StringLiteral and
-  // ASSUMPTION, no negative numbers are allowed
-  // RATIONALE: this is a performance improvement to avoid having to trace every number
-  not exists(UnaryMinusExpr u | u.getOperand() = e) and
-  //  OPENSSL has a special macro for getting every line, ignore it
-  not exists(MacroInvocation mi | mi.getExpr() = e and mi.getMacroName() = "OPENSSL_LINE") and
-  // Filter out cases where an int is assigned into a pointer, e.g., char* x = NULL;
-  not exists(Assignment a |
-    a.getRValue() = e and a.getLValue().getType().getUnspecifiedType() instanceof PointerType
-  ) and
-  not exists(Initializer i |
-    i.getExpr() = e and
-    i.getDeclaration().getADeclarationEntry().getUnspecifiedType() instanceof PointerType
-  ) and
-  // Filter out cases where an int is returned into a pointer, e.g., return NULL;
-  not exists(ReturnStmt r |
-    r.getExpr() = e and
-    r.getEnclosingFunction().getType().getUnspecifiedType() instanceof PointerType
-  )
-}
-
 string getAlgorithmAlias(string alias) {
   customAliases(result, alias)
   or
@@ -166,6 +145,14 @@ predicate customAliases(string target, string alias) {
  * The `target` and `alias` are converted to lowercase to be of a standard form.
  */
 predicate defaultAliases(string target, string alias) {
+  // "DH" and "DHX" are not aliases in the traditional sense,
+  // i.e., they are not registered as aliases explicitly,
+  // rather they appear in common usage, and experiments reveal their
+  // NID matches those of the `dhKeyAgreement` and `x9.42 dh` algorithms respectively.
+  alias = "dh" and target = "dhKeyAgreement"
+  or
+  alias = "dhx" and target = "x9.42 dh"
+  or
   alias = "aes128" and target = "aes-128-cbc"
   or
   alias = "aes192" and target = "aes-192-cbc"
@@ -253,11 +240,6 @@ predicate defaultAliases(string target, string alias) {
   alias = "ssl3-sha1" and target = "sha1"
 }
 
-predicate tbd(string normalized, string algType) {
-  knownOpenSSLAlgorithmLiteral(_, _, normalized, algType) and
-  algType = "HASH"
-}
-
 /**
  * Enumeration of all known crypto algorithms for openSSL
  * `name` is all lower case (caller's must ensure they pass in lower case)
@@ -266,6 +248,10 @@ predicate tbd(string normalized, string algType) {
  * `algType` is the type of algorithm (e.g., "SYMMETRIC_ENCRYPTION")
  */
 predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized, string algType) {
+  name = "dhKeyAgreement" and nid = 28 and normalized = "DH" and algType = "KEY_AGREEMENT"
+  or
+  name = "x9.42 dh" and nid = 29 and normalized = "DH" and algType = "KEY_AGREEMENT"
+  or
   name = "rsa" and nid = 19 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION"
   or
   name = "prime192v1" and nid = 409 and normalized = "PRIME192V1" and algType = "ELLIPTIC_CURVE"
@@ -284,8 +270,12 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   or
   name = "ed25519" and nid = 1087 and normalized = "ED25519" and algType = "ELLIPTIC_CURVE"
   or
+  name = "ed25519" and nid = 1087 and normalized = "ED25519" and algType = "SIGNATURE"
+  or
   name = "ed448" and nid = 1088 and normalized = "ED448" and algType = "ELLIPTIC_CURVE"
   or
+  name = "ed448" and nid = 1088 and normalized = "ED448" and algType = "SIGNATURE"
+  or
   name = "md2" and nid = 3 and normalized = "MD2" and algType = "HASH"
   or
   name = "sha" and nid = 41 and normalized = "SHA" and algType = "HASH"
@@ -894,6 +884,8 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   or
   name = "id-alg-dh-sig-hmac-sha1" and nid = 325 and normalized = "SHA1" and algType = "HASH"
   or
+  name = "id-alg-dh-sig-hmac-sha1" and nid = 325 and normalized = "DH" and algType = "KEY_AGREEMENT"
+  or
   name = "aes-128-ofb" and nid = 420 and normalized = "AES-128" and algType = "SYMMETRIC_ENCRYPTION"
   or
   name = "aes-128-ofb" and nid = 420 and normalized = "OFB" and algType = "BLOCK_MODE"
@@ -1395,9 +1387,9 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   or
   name = "kx-rsa" and nid = 1037 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION"
   or
-  name = "kx-ecdhe" and nid = 1038 and normalized = "ECDH" and algType = "KEY_EXCHANGE"
+  name = "kx-ecdhe" and nid = 1038 and normalized = "ECDH" and algType = "KEY_AGREEMENT"
   or
-  name = "kx-ecdhe-psk" and nid = 1040 and normalized = "ECDH" and algType = "KEY_EXCHANGE"
+  name = "kx-ecdhe-psk" and nid = 1040 and normalized = "ECDH" and algType = "KEY_AGREEMENT"
   or
   name = "kx-rsa-psk" and nid = 1042 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION"
   or
@@ -1705,8 +1697,12 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   or
   name = "x448" and nid = 1035 and normalized = "X448" and algType = "ELLIPTIC_CURVE"
   or
+  name = "x448" and nid = 1035 and normalized = "X448" and algType = "KEY_AGREEMENT"
+  or
   name = "x25519" and nid = 1034 and normalized = "X25519" and algType = "ELLIPTIC_CURVE"
   or
+  name = "x25519" and nid = 1034 and normalized = "X25519" and algType = "KEY_AGREEMENT"
+  or
   name = "authecdsa" and nid = 1047 and normalized = "ECDSA" and algType = "SIGNATURE"
   or
   name = "authgost01" and nid = 1050 and normalized = "GOST" and algType = "SYMMETRIC_ENCRYPTION"
@@ -1805,51 +1801,101 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   normalized = "SHA1" and
   algType = "HASH"
   or
+  name = "dhsinglepass-cofactordh-sha1kdf-scheme" and
+  nid = 941 and
+  normalized = "DH" and
+  algType = "KEY_AGREEMENT"
+  or
   name = "dhsinglepass-cofactordh-sha224kdf-scheme" and
   nid = 942 and
   normalized = "SHA-224" and
   algType = "HASH"
   or
+  name = "dhsinglepass-cofactordh-sha224kdf-scheme" and
+  nid = 942 and
+  normalized = "DH" and
+  algType = "KEY_AGREEMENT"
+  or
   name = "dhsinglepass-cofactordh-sha256kdf-scheme" and
   nid = 943 and
   normalized = "SHA-256" and
   algType = "HASH"
   or
+  name = "dhsinglepass-cofactordh-sha256kdf-scheme" and
+  nid = 943 and
+  normalized = "DH" and
+  algType = "KEY_AGREEMENT"
+  or
   name = "dhsinglepass-cofactordh-sha384kdf-scheme" and
   nid = 944 and
   normalized = "SHA-384" and
   algType = "HASH"
   or
+  name = "dhsinglepass-cofactordh-sha384kdf-scheme" and
+  nid = 944 and
+  normalized = "DH" and
+  algType = "KEY_AGREEMENT"
+  or
   name = "dhsinglepass-cofactordh-sha512kdf-scheme" and
   nid = 945 and
   normalized = "SHA-512" and
   algType = "HASH"
   or
+  name = "dhsinglepass-cofactordh-sha512kdf-scheme" and
+  nid = 945 and
+  normalized = "DH" and
+  algType = "KEY_AGREEMENT"
+  or
   name = "dhsinglepass-stddh-sha1kdf-scheme" and
   nid = 936 and
   normalized = "SHA1" and
   algType = "HASH"
   or
+  name = "dhsinglepass-stddh-sha1kdf-scheme" and
+  nid = 936 and
+  normalized = "DH" and
+  algType = "KEY_AGREEMENT"
+  or
   name = "dhsinglepass-stddh-sha224kdf-scheme" and
   nid = 937 and
   normalized = "SHA-224" and
   algType = "HASH"
   or
+  name = "dhsinglepass-stddh-sha224kdf-scheme" and
+  nid = 937 and
+  normalized = "DH" and
+  algType = "KEY_AGREEMENT"
+  or
   name = "dhsinglepass-stddh-sha256kdf-scheme" and
   nid = 938 and
   normalized = "SHA-256" and
   algType = "HASH"
   or
+  name = "dhsinglepass-stddh-sha256kdf-scheme" and
+  nid = 938 and
+  normalized = "DH" and
+  algType = "KEY_AGREEMENT"
+  or
   name = "dhsinglepass-stddh-sha384kdf-scheme" and
   nid = 939 and
   normalized = "SHA-384" and
   algType = "HASH"
   or
+  name = "dhsinglepass-stddh-sha384kdf-scheme" and
+  nid = 939 and
+  normalized = "DH" and
+  algType = "KEY_AGREEMENT"
+  or
   name = "dhsinglepass-stddh-sha512kdf-scheme" and
   nid = 940 and
   normalized = "SHA-512" and
   algType = "HASH"
   or
+  name = "dhsinglepass-stddh-sha512kdf-scheme" and
+  nid = 940 and
+  normalized = "DH" and
+  algType = "KEY_AGREEMENT"
+  or
   name = "dsa-old" and nid = 67 and normalized = "DSA" and algType = "SIGNATURE"
   or
   name = "dsa-sha" and nid = 66 and normalized = "DSA" and algType = "SIGNATURE"
@@ -2009,7 +2055,7 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   normalized = "GOST" and
   algType = "SYMMETRIC_ENCRYPTION"
   or
-  name = "gost r 34.10-2001 dh" and
+  name = "gost r 34.10-2001 dh" and // TODO: review this algorithm
   nid = 817 and
   normalized = "GOST" and
   algType = "SYMMETRIC_ENCRYPTION"
@@ -2079,7 +2125,7 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   normalized = "GOST" and
   algType = "SYMMETRIC_ENCRYPTION"
   or
-  name = "gost r 34.10-94 dh" and
+  name = "gost r 34.10-94 dh" and // TODO: review this algorithm
   nid = 818 and
   normalized = "GOST" and
   algType = "SYMMETRIC_ENCRYPTION"
@@ -2294,7 +2340,7 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   normalized = "GOSTR34102001" and
   algType = "SYMMETRIC_ENCRYPTION"
   or
-  name = "id-gostr3410-2001dh" and
+  name = "id-gostr3410-2001dh" and // TODO: review this algorithm
   nid = 817 and
   normalized = "GOSTR34102001" and
   algType = "SYMMETRIC_ENCRYPTION"
@@ -2359,7 +2405,7 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   normalized = "GOSTR341094" and
   algType = "SYMMETRIC_ENCRYPTION"
   or
-  name = "id-gostr3410-94dh" and
+  name = "id-gostr3410-94dh" and // TODO: review this algorithm
   nid = 818 and
   normalized = "GOSTR341094" and
   algType = "SYMMETRIC_ENCRYPTION"
@@ -2443,16 +2489,31 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   normalized = "3DES" and
   algType = "SYMMETRIC_ENCRYPTION"
   or
+  name = "id-smime-alg-esdhwith3des" and
+  nid = 241 and
+  normalized = "ESDH" and
+  algType = "KEY_AGREEMENT"
+  or
   name = "id-smime-alg-esdhwithrc2" and
   nid = 242 and
   normalized = "RC2" and
   algType = "SYMMETRIC_ENCRYPTION"
   or
+  name = "id-smime-alg-esdhwithrc2" and
+  nid = 242 and
+  normalized = "ESDH" and
+  algType = "KEY_AGREEMENT"
+  or
   name = "id-smime-alg-rc2wrap" and
   nid = 244 and
   normalized = "RC2" and
   algType = "SYMMETRIC_ENCRYPTION"
   or
+  name = "id_smime_alg_esdh" and
+  nid = 245 and
+  normalized = "ESDH" and
+  algType = "KEY_AGREEMENT"
+  or
   name = "id-tc26-gost-28147-param-z" and
   nid = 1003 and
   normalized = "GOST28147" and
@@ -2498,9 +2559,9 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   normalized = "GOST34102012" and
   algType = "SYMMETRIC_ENCRYPTION"
   or
-  name = "kxecdhe" and nid = 1038 and normalized = "ECDH" and algType = "KEY_EXCHANGE"
+  name = "kxecdhe" and nid = 1038 and normalized = "ECDH" and algType = "KEY_AGREEMENT"
   or
-  name = "kxecdhe-psk" and nid = 1040 and normalized = "ECDH" and algType = "KEY_EXCHANGE"
+  name = "kxecdhe-psk" and nid = 1040 and normalized = "ECDH" and algType = "KEY_AGREEMENT"
   or
   name = "kxgost" and nid = 1045 and normalized = "GOST" and algType = "SYMMETRIC_ENCRYPTION"
   or

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstanceBase.qll

@@ -1,5 +1,5 @@
-import experimental.quantum.Language
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
 
 abstract class OpenSSLAlgorithmInstance extends Crypto::AlgorithmInstance {
   abstract OpenSSLAlgorithmValueConsumer getAVC();

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstances.qll

@@ -3,3 +3,4 @@ import CipherAlgorithmInstance
 import PaddingAlgorithmInstance
 import BlockAlgorithmInstance
 import HashAlgorithmInstance
+import EllipticCurveAlgorithmInstance

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/PaddingAlgorithmInstance.qll

@@ -1,13 +1,31 @@
 import cpp
-import experimental.quantum.Language
-import OpenSSLAlgorithmInstanceBase
-import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-import AlgToAVCFlow
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
+private import experimental.quantum.Language
+private import OpenSSLAlgorithmInstanceBase
+private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+private import AlgToAVCFlow
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+
+/**
+ * A class to define padding specific integer values.
+ * from rsa.h in openssl:
+ *     # define RSA_PKCS1_PADDING          1
+ *     # define RSA_NO_PADDING             3
+ *     # define RSA_PKCS1_OAEP_PADDING     4
+ *     # define RSA_X931_PADDING           5
+ *     # define RSA_PKCS1_PSS_PADDING      6
+ *     # define RSA_PKCS1_WITH_TLS_PADDING 7
+ *     # define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8
+ */
+class OpenSSLPaddingLiteral extends Literal {
+  // TODO: we can be more specific about where the literal is in a larger expression
+  // to avoid literals that are clealy not representing an algorithm, e.g., array indices.
+  OpenSSLPaddingLiteral() { this.getValue().toInt() in [0, 1, 3, 4, 5, 6, 7, 8] }
+}
 
 /**
  * Given a `KnownOpenSSLPaddingAlgorithmConstant`, converts this to a padding family type.
- * Does not bind if there is know mapping (no mapping to 'unknown' or 'other').
+ * Does not bind if there is no mapping (no mapping to 'unknown' or 'other').
  */
 predicate knownOpenSSLConstantToPaddingFamilyType(
   KnownOpenSSLPaddingAlgorithmConstant e, Crypto::TPaddingType type
@@ -59,19 +77,8 @@ class KnownOpenSSLPaddingConstantAlgorithmInstance extends OpenSSLAlgorithmInsta
     this instanceof KnownOpenSSLPaddingAlgorithmConstant and
     isPaddingSpecificConsumer = false
     or
-    // Possibility 3:
-    // from rsa.h in openssl:
-    // # define RSA_PKCS1_PADDING          1
-    // # define RSA_NO_PADDING             3
-    // # define RSA_PKCS1_OAEP_PADDING     4
-    // # define RSA_X931_PADDING           5
-    // /* EVP_PKEY_ only */
-    // # define RSA_PKCS1_PSS_PADDING      6
-    // # define RSA_PKCS1_WITH_TLS_PADDING 7
-    // /* internal RSA_ only */
-    // # define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8
-    this instanceof Literal and
-    this.getValue().toInt() in [0, 1, 3, 4, 5, 6, 7, 8] and
+    // Possibility 3: padding-specific literal
+    this instanceof OpenSSLPaddingLiteral and
     exists(DataFlow::Node src, DataFlow::Node sink |
       // Sink is an argument to a CipherGetterCall
       sink = getterCall.(OpenSSLAlgorithmValueConsumer).getInputNode() and
@@ -83,28 +90,32 @@ class KnownOpenSSLPaddingConstantAlgorithmInstance extends OpenSSLAlgorithmInsta
     isPaddingSpecificConsumer = true
   }
 
-  override string getRawPaddingAlgorithmName() { result = this.(Literal).getValue().toString() }
+  override string getRawPaddingAlgorithmName() {
+    result = this.(Literal).getValue().toString()
+    or
+    result = this.(Call).getTarget().getName()
+  }
 
   override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
 
+  Crypto::TPaddingType getKnownPaddingType() {
+    this.(Literal).getValue().toInt() in [1, 7, 8] and result = Crypto::PKCS1_v1_5()
+    or
+    this.(Literal).getValue().toInt() = 3 and result = Crypto::NoPadding()
+    or
+    this.(Literal).getValue().toInt() = 4 and result = Crypto::OAEP()
+    or
+    this.(Literal).getValue().toInt() = 5 and result = Crypto::ANSI_X9_23()
+    or
+    this.(Literal).getValue().toInt() = 6 and result = Crypto::PSS()
+  }
+
   override Crypto::TPaddingType getPaddingType() {
     isPaddingSpecificConsumer = true and
     (
-      if this.(Literal).getValue().toInt() in [1, 7, 8]
-      then result = Crypto::PKCS1_v1_5()
-      else
-        if this.(Literal).getValue().toInt() = 3
-        then result = Crypto::NoPadding()
-        else
-          if this.(Literal).getValue().toInt() = 4
-          then result = Crypto::OAEP()
-          else
-            if this.(Literal).getValue().toInt() = 5
-            then result = Crypto::ANSI_X9_23()
-            else
-              if this.(Literal).getValue().toInt() = 6
-              then result = Crypto::PSS()
-              else result = Crypto::OtherPadding()
+      result = this.getKnownPaddingType()
+      or
+      not exists(this.getKnownPaddingType()) and result = Crypto::OtherPadding()
     )
     or
     isPaddingSpecificConsumer = false and

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/CipherAlgorithmValueConsumer.qll

@@ -1,9 +1,8 @@
 import cpp
-import experimental.quantum.Language
-import experimental.quantum.OpenSSL.LibraryDetector
-import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
-import OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
+private import OpenSSLAlgorithmValueConsumerBase
 
 abstract class CipherAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
 
@@ -14,7 +13,6 @@ class EVPCipherAlgorithmValueConsumer extends CipherAlgorithmValueConsumer {
 
   EVPCipherAlgorithmValueConsumer() {
     resultNode.asExpr() = this and
-    isPossibleOpenSSLFunction(this.(Call).getTarget()) and
     (
       this.(Call).getTarget().getName() in [
           "EVP_get_cipherbyname", "EVP_get_cipherbyobj", "EVP_get_cipherbynid"

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/DirectAlgorithmValueConsumer.qll

@@ -1,9 +1,8 @@
 import cpp
-import experimental.quantum.Language
-import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
 
-// TODO: can self referential to itself, which is also an algorithm (Known algorithm)
 /**
  * Cases like EVP_MD5(),
  * there is no input, rather it directly gets an algorithm

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/EllipticCurveAlgorithmValueConsumer.qll

@@ -0,0 +1,34 @@
+import cpp
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
+
+abstract class EllipticCurveValueConsumer extends OpenSSLAlgorithmValueConsumer { }
+
+//https://docs.openssl.org/3.0/man3/EC_KEY_new/#name
+class EVPEllipticCurveAlgorithmConsumer extends EllipticCurveValueConsumer {
+  DataFlow::Node valueArgNode;
+  DataFlow::Node resultNode;
+
+  EVPEllipticCurveAlgorithmConsumer() {
+    resultNode.asExpr() = this.(Call) and // in all cases the result is the return
+    (
+      this.(Call).getTarget().getName() in ["EVP_EC_gen", "EC_KEY_new_by_curve_name"] and
+      valueArgNode.asExpr() = this.(Call).getArgument(0)
+      or
+      this.(Call).getTarget().getName() in [
+          "EC_KEY_new_by_curve_name_ex", "EVP_PKEY_CTX_set_ec_paramgen_curve_nid"
+        ] and
+      valueArgNode.asExpr() = this.(Call).getArgument(2)
+    )
+  }
+
+  override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
+    exists(OpenSSLAlgorithmInstance i | i.getAVC() = this and result = i)
+  }
+
+  override DataFlow::Node getResultNode() { result = resultNode }
+
+  override Crypto::ConsumerInputDataFlowNode getInputNode() { result = valueArgNode }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/HashAlgorithmValueConsumer.qll

@@ -1,23 +1,16 @@
-// import EVPHashInitializer
-// import EVPHashOperation
-// import EVPHashAlgorithmSource
 import cpp
-import experimental.quantum.Language
-import semmle.code.cpp.dataflow.new.DataFlow
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
-import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
-import experimental.quantum.OpenSSL.LibraryDetector
+private import experimental.quantum.Language
+private import semmle.code.cpp.dataflow.new.DataFlow
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
 
 abstract class HashAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
 
 /**
  * EVP_Q_Digest directly consumes algorithm constant values
  */
-class EVP_Q_Digest_Algorithm_Consumer extends OpenSSLAlgorithmValueConsumer {
-  EVP_Q_Digest_Algorithm_Consumer() {
-    isPossibleOpenSSLFunction(this.(Call).getTarget()) and
-    this.(Call).getTarget().getName() = "EVP_Q_digest"
-  }
+class EVP_Q_Digest_Algorithm_Consumer extends HashAlgorithmValueConsumer {
+  EVP_Q_Digest_Algorithm_Consumer() { this.(Call).getTarget().getName() = "EVP_Q_digest" }
 
   override Crypto::ConsumerInputDataFlowNode getInputNode() {
     result.asExpr() = this.(Call).getArgument(1)
@@ -33,3 +26,33 @@ class EVP_Q_Digest_Algorithm_Consumer extends OpenSSLAlgorithmValueConsumer {
     none()
   }
 }
+
+/**
+ * The EVP digest algorithm getters
+ * https://docs.openssl.org/3.0/man3/EVP_DigestInit/#synopsis
+ */
+class EVPDigestAlgorithmValueConsumer extends HashAlgorithmValueConsumer {
+  DataFlow::Node valueArgNode;
+  DataFlow::Node resultNode;
+
+  EVPDigestAlgorithmValueConsumer() {
+    resultNode.asExpr() = this and
+    (
+      this.(Call).getTarget().getName() in [
+          "EVP_get_digestbyname", "EVP_get_digestbynid", "EVP_get_digestbyobj"
+        ] and
+      valueArgNode.asExpr() = this.(Call).getArgument(0)
+      or
+      this.(Call).getTarget().getName() = "EVP_MD_fetch" and
+      valueArgNode.asExpr() = this.(Call).getArgument(1)
+    )
+  }
+
+  override DataFlow::Node getResultNode() { result = resultNode }
+
+  override Crypto::ConsumerInputDataFlowNode getInputNode() { result = valueArgNode }
+
+  override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
+    exists(OpenSSLAlgorithmInstance i | i.getAVC() = this and result = i)
+  }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/KEMAlgorithmValueConsumer.qll

@@ -0,0 +1,28 @@
+import cpp
+private import experimental.quantum.Language
+private import semmle.code.cpp.dataflow.new.DataFlow
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
+
+abstract class KEMAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
+
+class EVPKEMAlgorithmValueConsumer extends KEMAlgorithmValueConsumer {
+  DataFlow::Node valueArgNode;
+  DataFlow::Node resultNode;
+
+  EVPKEMAlgorithmValueConsumer() {
+    resultNode.asExpr() = this and
+    (
+      this.(Call).getTarget().getName() = "EVP_KEM_fetch" and
+      valueArgNode.asExpr() = this.(Call).getArgument(1)
+    )
+  }
+
+  override DataFlow::Node getResultNode() { result = resultNode }
+
+  override Crypto::ConsumerInputDataFlowNode getInputNode() { result = valueArgNode }
+
+  override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
+    exists(OpenSSLAlgorithmInstance i | i.getAVC() = this and result = i)
+  }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/KeyExchangeAlgorithmValueConsumer.qll

@@ -0,0 +1,28 @@
+import cpp
+private import experimental.quantum.Language
+private import semmle.code.cpp.dataflow.new.DataFlow
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
+
+abstract class KeyExchangeAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
+
+class EVPKeyExchangeAlgorithmValueConsumer extends KeyExchangeAlgorithmValueConsumer {
+  DataFlow::Node valueArgNode;
+  DataFlow::Node resultNode;
+
+  EVPKeyExchangeAlgorithmValueConsumer() {
+    resultNode.asExpr() = this and
+    (
+      this.(Call).getTarget().getName() = "EVP_KEYEXCH_fetch" and
+      valueArgNode.asExpr() = this.(Call).getArgument(1)
+    )
+  }
+
+  override DataFlow::Node getResultNode() { result = resultNode }
+
+  override Crypto::ConsumerInputDataFlowNode getInputNode() { result = valueArgNode }
+
+  override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
+    exists(OpenSSLAlgorithmInstance i | i.getAVC() = this and result = i)
+  }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumerBase.qll

@@ -1,5 +1,4 @@
-import experimental.quantum.Language
-import semmle.code.cpp.dataflow.new.DataFlow
+private import experimental.quantum.Language
 
 abstract class OpenSSLAlgorithmValueConsumer extends Crypto::AlgorithmValueConsumer instanceof Call {
   /**

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumers.qll

@@ -3,3 +3,5 @@ import CipherAlgorithmValueConsumer
 import DirectAlgorithmValueConsumer
 import PaddingAlgorithmValueConsumer
 import HashAlgorithmValueConsumer
+import EllipticCurveAlgorithmValueConsumer
+import PKeyAlgorithmValueConsumer

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/PKeyAlgorithmValueConsumer.qll

@@ -0,0 +1,55 @@
+import cpp
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
+
+abstract class PKeyValueConsumer extends OpenSSLAlgorithmValueConsumer { }
+
+class EVPPKeyAlgorithmConsumer extends PKeyValueConsumer {
+  DataFlow::Node valueArgNode;
+  DataFlow::Node resultNode;
+
+  EVPPKeyAlgorithmConsumer() {
+    resultNode.asExpr() = this.(Call) and // in all cases the result is the return
+    (
+      // NOTE: some of these consumers are themselves key gen operations,
+      // in these cases, the operation will be created separately for the same function.
+      this.(Call).getTarget().getName() in [
+          "EVP_PKEY_CTX_new_id", "EVP_PKEY_new_raw_private_key", "EVP_PKEY_new_raw_public_key",
+          "EVP_PKEY_new_mac_key"
+        ] and
+      valueArgNode.asExpr() = this.(Call).getArgument(0)
+      or
+      this.(Call).getTarget().getName() in [
+          "EVP_PKEY_CTX_new_from_name", "EVP_PKEY_new_raw_private_key_ex",
+          "EVP_PKEY_new_raw_public_key_ex", "EVP_PKEY_CTX_ctrl", "EVP_PKEY_CTX_set_group_name"
+        ] and
+      valueArgNode.asExpr() = this.(Call).getArgument(1)
+      or
+      // argInd 2 is 'type' which can be RSA, or EC
+      // if RSA argInd 3 is the key size, else if EC argInd 3 is the curve name
+      // In all other cases there is no argInd 3, and argInd 2 is the algorithm.
+      // Since this is a key gen operation, handling the key size should be handled
+      // when the operation is again modeled as a key gen operation.
+      this.(Call).getTarget().getName() = "EVP_PKEY_Q_keygen" and
+      (
+        // Elliptic curve case
+        // If the argInd 3 is a derived type (pointer or array) then assume it is a curve name
+        if this.(Call).getArgument(3).getType().getUnderlyingType() instanceof DerivedType
+        then valueArgNode.asExpr() = this.(Call).getArgument(3)
+        else
+          // All other cases
+          valueArgNode.asExpr() = this.(Call).getArgument(2)
+      )
+    )
+  }
+
+  override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
+    exists(OpenSSLAlgorithmInstance i | i.getAVC() = this and result = i)
+  }
+
+  override DataFlow::Node getResultNode() { result = resultNode }
+
+  override Crypto::ConsumerInputDataFlowNode getInputNode() { result = valueArgNode }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/PaddingAlgorithmValueConsumer.qll

@@ -1,9 +1,8 @@
 import cpp
-import experimental.quantum.Language
-import experimental.quantum.OpenSSL.LibraryDetector
-import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
-import OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
+private import OpenSSLAlgorithmValueConsumerBase
 
 abstract class PaddingAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
 
@@ -16,11 +15,8 @@ class EVP_PKEY_CTX_set_rsa_padding_AlgorithmValueConsumer extends PaddingAlgorit
 
   EVP_PKEY_CTX_set_rsa_padding_AlgorithmValueConsumer() {
     resultNode.asExpr() = this and
-    isPossibleOpenSSLFunction(this.(Call).getTarget()) and
-    (
-      this.(Call).getTarget().getName() in ["EVP_PKEY_CTX_set_rsa_padding"] and
-      valueArgNode.asExpr() = this.(Call).getArgument(1)
-    )
+    this.(Call).getTarget().getName() = "EVP_PKEY_CTX_set_rsa_padding" and
+    valueArgNode.asExpr() = this.(Call).getArgument(1)
   }
 
   override DataFlow::Node getResultNode() { result = resultNode }

cpp/ql/lib/experimental/quantum/OpenSSL/CtxFlow.qll

@@ -20,79 +20,119 @@
 
 import semmle.code.cpp.dataflow.new.DataFlow
 
-class CTXType extends Type {
-  CTXType() {
-    // TODO: should we limit this to an openssl path?
+/**
+ * An openSSL CTX type, which is type for which the stripped underlying type
+ * matches the pattern 'evp_%ctx_%st'.
+ * This includes types like:
+ * - EVP_CIPHER_CTX
+ * - EVP_MD_CTX
+ * - EVP_PKEY_CTX
+ */
+private class CtxType extends Type {
+  CtxType() {
+    // It is possible for users to use the underlying type of the CTX variables
+    // these have a name matching 'evp_%ctx_%st
     this.getUnspecifiedType().stripType().getName().matches("evp_%ctx_%st")
+    or
+    // In principal the above check should be sufficient, but in case of build mode none issues
+    // i.e., if a typedef cannot be resolved,
+    // or issues with properly stubbing test cases, we also explicitly check for the wrapping type defs
+    // i.e., patterns matching 'EVP_%_CTX'
+    exists(Type base | base = this or base = this.(DerivedType).getBaseType() |
+      base.getName().matches("EVP_%_CTX")
+    )
   }
 }
 
-class CTXPointerExpr extends Expr {
-  CTXPointerExpr() {
-    this.getType() instanceof CTXType and
+/**
+ * A pointer to a CtxType
+ */
+private class CtxPointerExpr extends Expr {
+  CtxPointerExpr() {
+    this.getType() instanceof CtxType and
     this.getType() instanceof PointerType
   }
 }
 
-class CTXPointerArgument extends CTXPointerExpr {
-  CTXPointerArgument() { exists(Call c | c.getAnArgument() = this) }
+/**
+ * A call argument of type CtxPointerExpr.
+ */
+private class CtxPointerArgument extends CtxPointerExpr {
+  CtxPointerArgument() { exists(Call c | c.getAnArgument() = this) }
 
   Call getCall() { result.getAnArgument() = this }
 }
 
-class CTXClearCall extends Call {
-  CTXClearCall() {
+/**
+ * A call whose target contains 'free' or 'reset' and has an argument of type
+ * CtxPointerArgument.
+ */
+private class CtxClearCall extends Call {
+  CtxClearCall() {
     this.getTarget().getName().toLowerCase().matches(["%free%", "%reset%"]) and
-    this.getAnArgument() instanceof CTXPointerArgument
+    this.getAnArgument() instanceof CtxPointerArgument
   }
 }
 
-class CTXCopyOutArgCall extends Call {
-  CTXCopyOutArgCall() {
-    this.getTarget().getName().toLowerCase().matches(["%copy%"]) and
-    this.getAnArgument() instanceof CTXPointerArgument
+/**
+ * A call whose target contains 'copy' and has an argument of type
+ * CtxPointerArgument.
+ */
+private class CtxCopyOutArgCall extends Call {
+  CtxCopyOutArgCall() {
+    this.getTarget().getName().toLowerCase().matches("%copy%") and
+    this.getAnArgument() instanceof CtxPointerArgument
   }
 }
 
-class CTXCopyReturnCall extends Call {
-  CTXCopyReturnCall() {
-    this.getTarget().getName().toLowerCase().matches(["%dup%"]) and
-    this.getAnArgument() instanceof CTXPointerArgument and
-    this instanceof CTXPointerExpr
+/**
+ * A call whose target contains 'dup' and has an argument of type
+ * CtxPointerArgument.
+ */
+private class CtxCopyReturnCall extends Call, CtxPointerExpr {
+  CtxCopyReturnCall() {
+    this.getTarget().getName().toLowerCase().matches("%dup%") and
+    this.getAnArgument() instanceof CtxPointerArgument
   }
 }
 
-module OpenSSLCTXArgumentFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source.asExpr() instanceof CTXPointerArgument }
+/**
+ * Flow from any CtxPointerArgument to any other CtxPointerArgument
+ */
+module OpenSSLCtxArgumentFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source.asExpr() instanceof CtxPointerArgument }
 
-  predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof CTXPointerArgument }
+  predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof CtxPointerArgument }
 
   predicate isBarrier(DataFlow::Node node) {
-    exists(CTXClearCall c | c.getAnArgument() = node.asExpr())
+    exists(CtxClearCall c | c.getAnArgument() = node.asExpr())
   }
 
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    exists(CTXCopyOutArgCall c |
+    exists(CtxCopyOutArgCall c |
       c.getAnArgument() = node1.asExpr() and
       c.getAnArgument() = node2.asExpr() and
       node1.asExpr() != node2.asExpr() and
-      node2.asExpr().getType() instanceof CTXType
+      node2.asExpr().getType() instanceof CtxType
     )
     or
-    exists(CTXCopyReturnCall c |
+    exists(CtxCopyReturnCall c |
       c.getAnArgument() = node1.asExpr() and
       c = node2.asExpr() and
       node1.asExpr() != node2.asExpr() and
-      node2.asExpr().getType() instanceof CTXType
+      node2.asExpr().getType() instanceof CtxType
     )
   }
 }
 
-module OpenSSLCTXArgumentFlow = DataFlow::Global<OpenSSLCTXArgumentFlowConfig>;
+module OpenSSLCtxArgumentFlow = DataFlow::Global<OpenSSLCtxArgumentFlowConfig>;
 
-predicate ctxArgFlowsToCtxArg(CTXPointerArgument source, CTXPointerArgument sink) {
+/**
+ * Holds if there is a context flow from the source to the sink.
+ */
+predicate ctxArgFlowsToCtxArg(CtxPointerArgument source, CtxPointerArgument sink) {
   exists(DataFlow::Node a, DataFlow::Node b |
-    OpenSSLCTXArgumentFlow::flow(a, b) and
+    OpenSSLCtxArgumentFlow::flow(a, b) and
     a.asExpr() = source and
     b.asExpr() = sink
   )

cpp/ql/lib/experimental/quantum/OpenSSL/GenericSourceCandidateLiteral.qll

@@ -0,0 +1,122 @@
+import cpp
+private import semmle.code.cpp.models.Models
+private import semmle.code.cpp.models.interfaces.FormattingFunction
+
+private class IntLiteral extends Literal {
+  IntLiteral() {
+    //Heuristics for distinguishing int literals from other literals
+    exists(this.getValue().toInt()) and
+    not this instanceof CharLiteral and
+    not this instanceof StringLiteral
+  }
+}
+
+/**
+ * Holds if a StringLiteral could conceivably be used in some way for cryptography.
+ * Note: this predicate should only consider restrictions with respect to strings only.
+ * General restrictions are in the OpenSSLGenericSourceCandidateLiteral class.
+ */
+private predicate isOpenSSLStringLiteralGenericSourceCandidate(StringLiteral s) {
+  // 'EC' is a constant that may be used where typical algorithms are specified,
+  // but EC specifically means set up a default curve container, that will later be
+  //specified explicitly (or if not a default) curve is used.
+  s.getValue() != "EC" and
+  // Ignore empty strings
+  s.getValue() != "" and
+  // Filter out strings with "%", to filter out format strings
+  not s.getValue().matches("%\\%%") and
+  // Filter out strings in brackets or braces (commonly seen strings not relevant for crypto)
+  not s.getValue().matches(["[%]", "(%)"]) and
+  // Filter out all strings of length 1, since these are not algorithm names
+  // NOTE/ASSUMPTION: If a user legitimately passes a string of length 1 to some configuration
+  // we will assume this is generally unknown. We may need to reassess this in the future.
+  s.getValue().length() > 1 and
+  // Ignore all strings that are in format string calls outputing to a stream (e.g., stdout)
+  not exists(FormattingFunctionCall f |
+    exists(f.getOutputArgument(true)) and s = f.(Call).getAnArgument()
+  ) and
+  // Ignore all format string calls where there is no known out param (resulting string)
+  // i.e., ignore printf, since it will just output a string and not produce a new string
+  not exists(FormattingFunctionCall f |
+    // Note: using two ways of determining if there is an out param, since I'm not sure
+    // which way is canonical
+    not exists(f.getOutputArgument(false)) and
+    not f.getTarget().hasTaintFlow(_, _) and
+    f.(Call).getAnArgument() = s
+  )
+}
+
+/**
+ * Holds if a StringLiteral could conceivably be used in some way for cryptography.
+ * Note: this predicate should only consider restrictions with respect to integers only.
+ * General restrictions are in the OpenSSLGenericSourceCandidateLiteral class.
+ */
+private predicate isOpenSSLIntLiteralGenericSourceCandidate(IntLiteral l) {
+  // Ignore integer values of 0, commonly referring to NULL only (no known algorithm 0)
+  l.getValue().toInt() != 0 and
+  // ASSUMPTION, no negative numbers are allowed
+  // RATIONALE: this is a performance improvement to avoid having to trace every number
+  not exists(UnaryMinusExpr u | u.getOperand() = l) and
+  //  OPENSSL has a special macro for getting every line, ignore it
+  not exists(MacroInvocation mi | mi.getExpr() = l and mi.getMacroName() = "OPENSSL_LINE") and
+  // Filter out cases where an int is returned into a pointer, e.g., return NULL;
+  not exists(ReturnStmt r |
+    r.getExpr() = l and
+    r.getEnclosingFunction().getType().getUnspecifiedType() instanceof DerivedType
+  ) and
+  // A literal as an array index should not be relevant for crypo
+  not exists(ArrayExpr op | op.getArrayOffset() = l) and
+  // A literal used in a bitwise should not be relevant for crypto
+  not exists(BinaryBitwiseOperation op | op.getAnOperand() = l) and
+  not exists(AssignBitwiseOperation op | op.getAnOperand() = l) and
+  //Filter out cases where an int is assigned or initialized into a pointer, e.g., char* x = NULL;
+  not exists(Assignment a |
+    a.getRValue() = l and
+    a.getLValue().getType().getUnspecifiedType() instanceof DerivedType
+  ) and
+  not exists(Initializer i |
+    i.getExpr() = l and
+    i.getDeclaration().getADeclarationEntry().getUnspecifiedType() instanceof DerivedType
+  ) and
+  // Filter out cases where the literal is used in any kind of arithmetic operation
+  not exists(BinaryArithmeticOperation op | op.getAnOperand() = l) and
+  not exists(UnaryArithmeticOperation op | op.getOperand() = l) and
+  not exists(AssignArithmeticOperation op | op.getAnOperand() = l) and
+  // If a literal has no parent ignore it, this is a workaround for the current inability
+  // to find a literal in an array declaration: int x[100];
+  // NOTE/ASSUMPTION: this value might actually be relevant for finding hard coded sizes
+  // consider size as inferred through the allocation of a buffer.
+  // In these cases, we advise that the source is not generic and must be traced explicitly.
+  exists(l.getParent())
+}
+
+/**
+ * Any literal that may be conceivably be used in some way for cryptography.
+ * The set of all literals is restricted by this class to cases where there is higher
+ * plausibility that the literal could be used as a source of configuration.
+ * Literals are filtered, for example, if they are used in a way no indicative of an algorithm use
+ * such as in an array index, bitwise operation, or logical operation.
+ * Note a case like this:
+ *      if(algVal == "AES")
+ *
+ * "AES" may be a legitimate algorithm literal, but the literal will not be used for an operation directly
+ * since it is in a equality comparison, hence this case would also be filtered.
+ */
+class OpenSSLGenericSourceCandidateLiteral extends Literal {
+  OpenSSLGenericSourceCandidateLiteral() {
+    (
+      isOpenSSLIntLiteralGenericSourceCandidate(this) or
+      isOpenSSLStringLiteralGenericSourceCandidate(this)
+    ) and
+    // ********* General filters beyond what is filtered for strings and ints *********
+    // An algorithm literal in a switch case will not be directly applied to an operation.
+    not exists(SwitchCase sc | sc.getExpr() = this) and
+    // A literal in a logical operation may be an algorithm, but not a candidate
+    // for the purposes of finding applied algorithms
+    not exists(BinaryLogicalOperation op | op.getAnOperand() = this) and
+    not exists(UnaryLogicalOperation op | op.getOperand() = this) and
+    // A literal in a comparison operation may be an algorithm, but not a candidate
+    // for the purposes of finding applied algorithms
+    not exists(ComparisonOperation op | op.getAnOperand() = this)
+  }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/OpenSSL.qll

@@ -1,9 +1,7 @@
-import cpp
-import semmle.code.cpp.dataflow.new.DataFlow
-
 module OpenSSLModel {
-  import experimental.quantum.Language
-  import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
-  import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
-  import experimental.quantum.OpenSSL.Operations.OpenSSLOperations
+  import AlgorithmInstances.OpenSSLAlgorithmInstances
+  import AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+  import Operations.OpenSSLOperations
+  import Random
+  import GenericSourceCandidateLiteral
 }

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/ECKeyGenOperation.qll

@@ -0,0 +1,34 @@
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
+private import OpenSSLOperationBase
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+private import semmle.code.cpp.dataflow.new.DataFlow
+
+class ECKeyGenOperation extends OpenSSLOperation, Crypto::KeyGenerationOperationInstance {
+  ECKeyGenOperation() { this.(Call).getTarget().getName() = "EC_KEY_generate_key" }
+
+  override Expr getAlgorithmArg() { result = this.(Call).getArgument(0) }
+
+  override Crypto::KeyArtifactType getOutputKeyType() { result = Crypto::TAsymmetricKeyType() }
+
+  override Crypto::ArtifactOutputDataFlowNode getOutputKeyArtifact() {
+    result.asExpr() = this.(Call).getArgument(0)
+  }
+
+  override Crypto::ConsumerInputDataFlowNode getKeySizeConsumer() {
+    none() // no explicit key size, inferred from algorithm
+  }
+
+  override int getKeySizeFixed() {
+    none()
+    // TODO: marked as none as the operation itself has no key size, it
+    // comes from the algorithm source, but note we could grab the
+    // algorithm source and get the key size (see below).
+    // We may need to reconsider what is the best approach here.
+    // result =
+    //   this.getAnAlgorithmValueConsumer()
+    //       .getAKnownAlgorithmSource()
+    //       .(Crypto::EllipticCurveInstance)
+    //       .getKeySize()
+  }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherInitializer.qll

@@ -3,8 +3,9 @@
  * Models cipher initialization for EVP cipher operations.
  */
 
-import experimental.quantum.Language
-import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
+private import OpenSSLOperationBase
 
 module EncValToInitEncArgConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source.asExpr().getValue().toInt() in [0, 1] }
@@ -34,19 +35,12 @@ Crypto::KeyOperationSubtype intToCipherOperationSubtype(int i) {
 }
 
 // TODO: need to add key consumer
-abstract class EVP_Cipher_Initializer extends Call {
-  Expr getContextArg() { result = this.(Call).getArgument(0) }
+abstract class EVP_Cipher_Initializer extends EVPInitialize {
+  override Expr getAlgorithmArg() { result = this.(Call).getArgument(1) }
 
-  Expr getAlgorithmArg() { result = this.(Call).getArgument(1) }
-
-  abstract Expr getKeyArg();
-
-  abstract Expr getIVArg();
-
-  //   abstract Crypto::CipherOperationSubtype getCipherOperationSubtype();
   abstract Expr getOperationSubtypeArg();
 
-  Crypto::KeyOperationSubtype getCipherOperationSubtype() {
+  override Crypto::KeyOperationSubtype getKeyOperationSubtype() {
     if this.(Call).getTarget().getName().toLowerCase().matches("%encrypt%")
     then result instanceof Crypto::TEncryptMode
     else

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherOperation.qll

@@ -1,37 +1,26 @@
-import experimental.quantum.Language
-import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
-import EVPCipherInitializer
-import OpenSSLOperationBase
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
+private import EVPCipherInitializer
+private import OpenSSLOperationBase
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
 
-private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) {
-    exists(OpenSSLAlgorithmValueConsumer c | c.getResultNode() = source)
+class EVP_Cipher_Update_Call extends EVPUpdate {
+  EVP_Cipher_Update_Call() {
+    this.(Call).getTarget().getName() in [
+        "EVP_EncryptUpdate", "EVP_DecryptUpdate", "EVP_CipherUpdate"
+      ]
   }
 
-  predicate isSink(DataFlow::Node sink) {
-    exists(EVP_Cipher_Operation c | c.getInitCall().getAlgorithmArg() = sink.asExpr())
-  }
+  override Expr getInputArg() { result = this.(Call).getArgument(3) }
+
+  override Expr getOutputArg() { result = this.(Call).getArgument(1) }
 }
 
-private module AlgGetterToAlgConsumerFlow = DataFlow::Global<AlgGetterToAlgConsumerConfig>;
-
-// import experimental.quantum.OpenSSL.AlgorithmValueConsumers.AlgorithmValueConsumers
-// import OpenSSLOperation
-// class EVPCipherOutput extends CipherOutputArtifact {
-//   EVPCipherOutput() { exists(EVP_Cipher_Operation op | op.getOutputArg() = this) }
-//   override DataFlow::Node getOutputNode() { result.asDefiningArgument() = this }
-// }
-//
 /**
  * see: https://docs.openssl.org/master/man3/EVP_EncryptInit/#synopsis
  * Base configuration for all EVP cipher operations.
- * NOTE: cannot extend instance of OpenSSLOperation, as we need to override
- * elements of OpenSSLOperation (i.e., we are creating an instance)
  */
-abstract class EVP_Cipher_Operation extends OpenSSLOperation, Crypto::KeyOperationInstance {
-  Expr getContextArg() { result = this.(Call).getArgument(0) }
-
+abstract class EVP_Cipher_Operation extends EVPOperation, Crypto::KeyOperationInstance {
   override Expr getOutputArg() { result = this.(Call).getArgument(1) }
 
   override Crypto::KeyOperationSubtype getKeyOperationSubtype() {
@@ -41,81 +30,48 @@ abstract class EVP_Cipher_Operation extends OpenSSLOperation, Crypto::KeyOperati
     result instanceof Crypto::TDecryptMode and
     this.(Call).getTarget().getName().toLowerCase().matches("%decrypt%")
     or
-    result = this.getInitCall().getCipherOperationSubtype() and
+    result = this.getInitCall().getKeyOperationSubtype() and
     this.(Call).getTarget().getName().toLowerCase().matches("%cipher%")
   }
 
-  EVP_Cipher_Initializer getInitCall() {
-    CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())
-  }
-
   override Crypto::ConsumerInputDataFlowNode getNonceConsumer() {
     this.getInitCall().getIVArg() = result.asExpr()
   }
 
-  override Crypto::ConsumerInputDataFlowNode getInputConsumer() { result = this.getInputNode() }
-
   override Crypto::ConsumerInputDataFlowNode getKeyConsumer() {
     this.getInitCall().getKeyArg() = result.asExpr()
+    // todo: or track to the EVP_PKEY_CTX_new
   }
 
-  override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() { result = this.getOutputNode() }
+  override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() {
+    result = EVPOperation.super.getOutputArtifact()
+  }
 
-  override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
-    AlgGetterToAlgConsumerFlow::flow(result.(OpenSSLAlgorithmValueConsumer).getResultNode(),
-      DataFlow::exprNode(this.getInitCall().getAlgorithmArg()))
+  override Crypto::ConsumerInputDataFlowNode getInputConsumer() {
+    result = EVPOperation.super.getInputConsumer()
   }
 }
 
-class EVP_Cipher_Call extends EVP_Cipher_Operation {
+class EVP_Cipher_Call extends EVPOperation, EVP_Cipher_Operation {
   EVP_Cipher_Call() { this.(Call).getTarget().getName() = "EVP_Cipher" }
 
   override Expr getInputArg() { result = this.(Call).getArgument(2) }
 }
 
-// NOTE: not modeled as cipher operations, these are intermediate calls
-class EVP_Update_Call extends Call {
-  EVP_Update_Call() {
-    this.(Call).getTarget().getName() in [
-        "EVP_EncryptUpdate", "EVP_DecryptUpdate", "EVP_CipherUpdate"
-      ]
-  }
-
-  Expr getInputArg() { result = this.(Call).getArgument(3) }
-
-  DataFlow::Node getInputNode() { result.asExpr() = this.getInputArg() }
-
-  Expr getContextArg() { result = this.(Call).getArgument(0) }
-}
-
-class EVP_Final_Call extends EVP_Cipher_Operation {
-  EVP_Final_Call() {
+class EVP_Cipher_Final_Call extends EVPFinal, EVP_Cipher_Operation {
+  EVP_Cipher_Final_Call() {
     this.(Call).getTarget().getName() in [
         "EVP_EncryptFinal_ex", "EVP_DecryptFinal_ex", "EVP_CipherFinal_ex", "EVP_EncryptFinal",
         "EVP_DecryptFinal", "EVP_CipherFinal"
       ]
   }
 
-  EVP_Update_Call getUpdateCalls() {
-    CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())
+  /**
+   * Output is both from update calls and from the final call.
+   */
+  override Expr getOutputArg() {
+    result = EVPFinal.super.getOutputArg()
+    or
+    result = EVP_Cipher_Operation.super.getOutputArg()
   }
-
-  override Expr getInputArg() { result = this.getUpdateCalls().getInputArg() }
-
-  override Crypto::ConsumerInputDataFlowNode getInputConsumer() { result = this.getInputNode() }
-}
-
-class EVP_PKEY_Operation extends EVP_Cipher_Operation {
-  EVP_PKEY_Operation() {
-    this.(Call).getTarget().getName() in ["EVP_PKEY_decrypt", "EVP_PKEY_encrypt"]
-  }
-
-  override Expr getInputArg() { result = this.(Call).getArgument(3) }
-  // TODO: how PKEY is initialized is different that symmetric cipher
-  // Consider making an entirely new class for this and specializing
-  // the get init call
-}
-
-class EVPCipherInputArgument extends Expr {
-  EVPCipherInputArgument() { exists(EVP_Cipher_Operation op | op.getInputArg() = this) }
 }

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPHashInitializer.qll

@@ -1,10 +1,7 @@
 import cpp
+private import OpenSSLOperationBase
 
-abstract class EVP_Hash_Initializer extends Call {
-  Expr getContextArg() { result = this.(Call).getArgument(0) }
-
-  abstract Expr getAlgorithmArg();
-}
+abstract class EVP_Hash_Initializer extends EVPInitialize { }
 
 class EVP_DigestInit_Variant_Calls extends EVP_Hash_Initializer {
   EVP_DigestInit_Variant_Calls() {

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPHashOperation.qll

@@ -2,77 +2,50 @@
  * https://docs.openssl.org/3.0/man3/EVP_DigestInit/#synopsis
  */
 
-import experimental.quantum.Language
-import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
-import experimental.quantum.OpenSSL.LibraryDetector
-import OpenSSLOperationBase
-import EVPHashInitializer
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
+private import OpenSSLOperationBase
+private import EVPHashInitializer
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
 
-// import EVPHashConsumers
-abstract class EVP_Hash_Operation extends OpenSSLOperation, Crypto::HashOperationInstance {
-  Expr getContextArg() { result = this.(Call).getArgument(0) }
+class EVP_Digest_Update_Call extends EVPUpdate {
+  EVP_Digest_Update_Call() { this.(Call).getTarget().getName() = "EVP_DigestUpdate" }
 
-  EVP_Hash_Initializer getInitCall() {
-    CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())
-  }
+  override Expr getInputArg() { result = this.(Call).getArgument(1) }
 }
 
-private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) {
-    exists(OpenSSLAlgorithmValueConsumer c | c.getResultNode() = source)
-  }
-
-  predicate isSink(DataFlow::Node sink) {
-    exists(EVP_Hash_Operation c | c.getInitCall().getAlgorithmArg() = sink.asExpr())
-  }
-}
-
-private module AlgGetterToAlgConsumerFlow = DataFlow::Global<AlgGetterToAlgConsumerConfig>;
-
 //https://docs.openssl.org/3.0/man3/EVP_DigestInit/#synopsis
-class EVP_Q_Digest_Operation extends EVP_Hash_Operation {
-  EVP_Q_Digest_Operation() {
-    this.(Call).getTarget().getName() = "EVP_Q_digest" and
-    isPossibleOpenSSLFunction(this.(Call).getTarget())
-  }
+class EVP_Q_Digest_Operation extends EVPOperation, Crypto::HashOperationInstance {
+  EVP_Q_Digest_Operation() { this.(Call).getTarget().getName() = "EVP_Q_digest" }
+
+  override Expr getAlgorithmArg() { result = this.(Call).getArgument(1) }
 
-  //override Crypto::AlgorithmConsumer getAlgorithmConsumer() {  }
   override EVP_Hash_Initializer getInitCall() {
     // This variant of digest does not use an init
     // and even if it were used, the init would be ignored/undefined
     none()
   }
 
-  override Expr getOutputArg() { result = this.(Call).getArgument(5) }
-
   override Expr getInputArg() { result = this.(Call).getArgument(3) }
 
-  override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() { result = this.getOutputNode() }
+  override Expr getOutputArg() { result = this.(Call).getArgument(5) }
 
-  override Crypto::ConsumerInputDataFlowNode getInputConsumer() { result = this.getInputNode() }
+  override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() {
+    result = EVPOperation.super.getOutputArtifact()
+  }
 
-  override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
-    // The operation is a direct algorithm consumer
-    // NOTE: the operation itself is already modeld as a value consumer, so we can
-    // simply return 'this', see modeled hash algorithm consuers for EVP_Q_Digest
-    this = result
+  override Crypto::ConsumerInputDataFlowNode getInputConsumer() {
+    result = EVPOperation.super.getInputConsumer()
   }
 }
 
-class EVP_Digest_Operation extends EVP_Hash_Operation {
-  EVP_Digest_Operation() {
-    this.(Call).getTarget().getName() = "EVP_Digest" and
-    isPossibleOpenSSLFunction(this.(Call).getTarget())
-  }
+class EVP_Digest_Operation extends EVPOperation, Crypto::HashOperationInstance {
+  EVP_Digest_Operation() { this.(Call).getTarget().getName() = "EVP_Digest" }
 
   // There is no context argument for this function
   override Expr getContextArg() { none() }
 
-  override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
-    AlgGetterToAlgConsumerFlow::flow(result.(OpenSSLAlgorithmValueConsumer).getResultNode(),
-      DataFlow::exprNode(this.(Call).getArgument(4)))
-  }
+  override Expr getAlgorithmArg() { result = this.(Call).getArgument(4) }
 
   override EVP_Hash_Initializer getInitCall() {
     // This variant of digest does not use an init
@@ -80,38 +53,33 @@ class EVP_Digest_Operation extends EVP_Hash_Operation {
     none()
   }
 
-  override Expr getOutputArg() { result = this.(Call).getArgument(2) }
-
   override Expr getInputArg() { result = this.(Call).getArgument(0) }
 
-  override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() { result = this.getOutputNode() }
+  override Expr getOutputArg() { result = this.(Call).getArgument(2) }
 
-  override Crypto::ConsumerInputDataFlowNode getInputConsumer() { result = this.getInputNode() }
+  override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() {
+    result = EVPOperation.super.getOutputArtifact()
+  }
+
+  override Crypto::ConsumerInputDataFlowNode getInputConsumer() {
+    result = EVPOperation.super.getInputConsumer()
+  }
+}
+
+class EVP_Digest_Final_Call extends EVPFinal, Crypto::HashOperationInstance {
+  EVP_Digest_Final_Call() {
+    this.(Call).getTarget().getName() in [
+        "EVP_DigestFinal", "EVP_DigestFinal_ex", "EVP_DigestFinalXOF"
+      ]
+  }
+
+  override Expr getOutputArg() { result = this.(Call).getArgument(1) }
+
+  override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() {
+    result = EVPFinal.super.getOutputArtifact()
+  }
+
+  override Crypto::ConsumerInputDataFlowNode getInputConsumer() {
+    result = EVPFinal.super.getInputConsumer()
+  }
 }
-// // override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
-// //   AlgGetterToAlgConsumerFlow::flow(result.(OpenSSLAlgorithmValueConsumer).getResultNode(),
-// //     DataFlow::exprNode(this.getInitCall().getAlgorithmArg()))
-// // }
-// // ***** TODO *** complete modelinlg for hash operations, but have consideration for terminal and non-terminal (non intermedaite) steps
-// // see the JCA. May need to update the cipher operations similarly
-// // ALSO SEE cipher for how we currently model initialization of the algorithm through an init call
-// class EVP_DigestUpdate_Operation extends EVP_Hash_Operation {
-//   EVP_DigestUpdate_Operation() {
-//     this.(Call).getTarget().getName() = "EVP_DigestUpdate" and
-//     isPossibleOpenSSLFunction(this.(Call).getTarget())
-//   }
-//   override Crypto::AlgorithmConsumer getAlgorithmConsumer() {
-//     this.getInitCall().getAlgorithmArg() = result
-//   }
-// }
-// class EVP_DigestFinal_Variants_Operation extends EVP_Hash_Operation {
-//   EVP_DigestFinal_Variants_Operation() {
-//     this.(Call).getTarget().getName() in [
-//         "EVP_DigestFinal", "EVP_DigestFinal_ex", "EVP_DigestFinalXOF"
-//       ] and
-//     isPossibleOpenSSLFunction(this.(Call).getTarget())
-//   }
-//   override Crypto::AlgorithmConsumer getAlgorithmConsumer() {
-//     this.getInitCall().getAlgorithmArg() = result
-//   }
-// }

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll

@@ -1,21 +1,162 @@
-import experimental.quantum.Language
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
 
+/**
+ * A class for all OpenSSL operations.
+ */
 abstract class OpenSSLOperation extends Crypto::OperationInstance instanceof Call {
+  /**
+   * Expression that specifies the algorithm for the operation.
+   * Will be an argument of the operation in the simplest case.
+   */
+  abstract Expr getAlgorithmArg();
+
+  /**
+   * Algorithm is specified in initialization call or is implicitly established by the key.
+   */
+  override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
+    AlgGetterToAlgConsumerFlow::flow(result.(OpenSSLAlgorithmValueConsumer).getResultNode(),
+      DataFlow::exprNode(this.getAlgorithmArg()))
+  }
+}
+
+/**
+ * A Call to initialization functions from the EVP API.
+ * These are not operations in the sense of Crypto::OperationInstance,
+ * but they are used to initialize the context for the operation.
+ */
+abstract class EVPInitialize extends Call {
+  /**
+   * Gets the context argument that ties together initialization, updates and/or final calls.
+   */
+  Expr getContextArg() { result = this.(Call).getArgument(0) }
+
+  /**
+   * Gets the type of key operation, none if not applicable.
+   */
+  Crypto::KeyOperationSubtype getKeyOperationSubtype() { none() }
+
+  /**
+   * Explicitly specified algorithm or none if implicit (e.g., established by the key).
+   * None if not applicable.
+   */
+  Expr getAlgorithmArg() { none() }
+
+  /**
+   * Gets the key for the operation, none if not applicable.
+   */
+  Expr getKeyArg() { none() }
+
+  /**
+   * Gets the IV/nonce, none if not applicable.
+   */
+  Expr getIVArg() { none() }
+}
+
+/**
+ * A Call to update functions from the EVP API.
+ * These are not operations in the sense of Crypto::OperationInstance,
+ * but they are used to update the context for the operation.
+ */
+abstract class EVPUpdate extends Call {
+  /**
+   * Gets the context argument that ties together initialization, updates and/or final calls.
+   */
+  Expr getContextArg() { result = this.(Call).getArgument(0) }
+
+  /**
+   * Update calls always have some input data like plaintext or message digest.
+   */
   abstract Expr getInputArg();
 
   /**
-   * Can be an argument of a call or a return value of a function.
+   * Update calls sometimes have some output data like a plaintext.
+   */
+  Expr getOutputArg() { none() }
+}
+
+/**
+ * Flows from algorithm values to operations, specific to OpenSSL
+ */
+private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    exists(OpenSSLAlgorithmValueConsumer c | c.getResultNode() = source)
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(EVPOperation c | c.getAlgorithmArg() = sink.asExpr())
+  }
+}
+
+private module AlgGetterToAlgConsumerFlow = DataFlow::Global<AlgGetterToAlgConsumerConfig>;
+
+/**
+ * The base class for all operations of the EVP API.
+ * This captures one-shot APIs (with and without an initilizer call) and final calls.
+ * Provides some default methods for Crypto::KeyOperationInstance class
+ */
+abstract class EVPOperation extends OpenSSLOperation {
+  /**
+   * Gets the context argument that ties together initialization, updates and/or final calls.
+   */
+  Expr getContextArg() { result = this.(Call).getArgument(0) }
+
+  /**
+   * Some input data like plaintext or message digest.
+   * Either argument provided direcly in the call or all arguments that were provided in update calls.
+   */
+  abstract Expr getInputArg();
+
+  /**
+   * Some output data like ciphertext or signature.
    */
   abstract Expr getOutputArg();
 
-  DataFlow::Node getInputNode() {
-    // Assumed to be default to asExpr
-    result.asExpr() = this.getInputArg()
+  /**
+   * Overwrite with an explicitly specified algorithm or leave base implementation to find it in the initialization call.
+   */
+  override Expr getAlgorithmArg() { result = this.getInitCall().getAlgorithmArg() }
+
+  /**
+   * Finds the initialization call, may be none.
+   */
+  EVPInitialize getInitCall() {
+    CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())
   }
 
-  DataFlow::Node getOutputNode() {
-    if exists(Call c | c.getAnArgument() = this)
-    then result.asDefiningArgument() = this
-    else result.asExpr() = this
+  Crypto::ArtifactOutputDataFlowNode getOutputArtifact() {
+    result = DataFlow::exprNode(this.getOutputArg())
+  }
+
+  /**
+   * Input consumer is the input argument of the call.
+   */
+  Crypto::ConsumerInputDataFlowNode getInputConsumer() {
+    result = DataFlow::exprNode(this.getInputArg())
   }
 }
+
+/**
+ * The final calls of the EVP API.
+ */
+abstract class EVPFinal extends EVPOperation {
+  /**
+   * All update calls that were executed before this final call.
+   */
+  EVPUpdate getUpdateCalls() {
+    CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())
+  }
+
+  /**
+   * Gets the input data provided to all update calls.
+   * If more input data was provided in the final call, override the method.
+   */
+  override Expr getInputArg() { result = this.getUpdateCalls().getInputArg() }
+
+  /**
+   * Gets the output data provided to all update calls.
+   * If more output data was provided in the final call, override the method.
+   */
+  override Expr getOutputArg() { result = this.getUpdateCalls().getOutputArg() }
+}

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperations.qll

@@ -1,3 +1,4 @@
 import OpenSSLOperationBase
 import EVPCipherOperation
 import EVPHashOperation
+import ECKeyGenOperation

cpp/ql/lib/ext/Boost.Asio.model.yml

@@ -1,4 +1,4 @@
-  # partial model of the Boost::Asio network library
+# partial model of the Boost::Asio network library
 extensions:
   - addsTo:
       pack: codeql/cpp-all

cpp/ql/lib/ext/Windows.model.yml

@@ -0,0 +1,35 @@
+# partial model of windows system calls
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: sourceModel
+    data: # namespace, type, subtypes, name, signature, ext, output, kind, provenance
+      # processenv.h
+      - ["", "", False, "GetCommandLineA", "", "", "ReturnValue[*]", "local", "manual"]
+      - ["", "", False, "GetCommandLineW", "", "", "ReturnValue[*]", "local", "manual"]
+      - ["", "", False, "GetEnvironmentStringsA", "", "", "ReturnValue[*]", "local", "manual"]
+      - ["", "", False, "GetEnvironmentStringsW", "", "", "ReturnValue[*]", "local", "manual"]
+      - ["", "", False, "GetEnvironmentVariableA", "", "", "Argument[*1]", "local", "manual"]
+      - ["", "", False, "GetEnvironmentVariableW", "", "", "Argument[*1]", "local", "manual"]
+      # fileapi.h
+      - ["", "", False, "ReadFile", "", "", "Argument[*1]", "local", "manual"]
+      - ["", "", False, "ReadFileEx", "", "", "Argument[*1]", "local", "manual"]
+      # memoryapi.h
+      - ["", "", False, "MapViewOfFile", "", "", "ReturnValue[*]", "local", "manual"]
+      - ["", "", False, "MapViewOfFile2", "", "", "ReturnValue[*]", "local", "manual"]
+      - ["", "", False, "MapViewOfFile3", "", "", "ReturnValue[*]", "local", "manual"]
+      - ["", "", False, "MapViewOfFile3FromApp", "", "", "ReturnValue[*]", "local", "manual"]
+      - ["", "", False, "MapViewOfFileEx", "", "", "ReturnValue[*]", "local", "manual"]
+      - ["", "", False, "MapViewOfFileFromApp", "", "", "ReturnValue[*]", "local", "manual"]
+      - ["", "", False, "MapViewOfFileNuma2", "", "", "ReturnValue[*]", "local", "manual"]
+      # ntifs.h
+      - ["", "", False, "NtReadFile", "", "", "Argument[*5]", "local", "manual"]
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      # shellapi.h
+      - ["", "", False, "CommandLineToArgvA", "", "", "Argument[*0]", "ReturnValue[**]", "taint", "manual"]
+      - ["", "", False, "CommandLineToArgvW", "", "", "Argument[*0]", "ReturnValue[**]", "taint", "manual"]
+      # fileapi.h
+      - ["", "", False, "ReadFileEx", "", "", "Argument[*3].Field[@hEvent]", "Argument[4].Parameter[*2].Field[@hEvent]", "value", "manual"]

cpp/ql/lib/qlpack.yml

@@ -17,7 +17,7 @@ dependencies:
   codeql/xml: ${workspace}
 dataExtensions:
   - ext/*.model.yml
-  - ext/generated/*.model.yml
+  - ext/generated/**/*.model.yml
   - ext/deallocation/*.model.yml
   - ext/allocation/*.model.yml
 warnOnImplicitThis: true

cpp/ql/lib/semmle/code/cpp/Namespace.qll

@@ -174,7 +174,27 @@ class UsingDeclarationEntry extends UsingEntry {
    */
   Declaration getDeclaration() { usings(underlyingElement(this), unresolveElement(result), _, _) }
 
-  override string toString() { result = "using " + this.getDeclaration().getDescription() }
+  /**
+   * Gets the member that is referenced by this using declaration, where the member depends on a
+   * type template parameter.
+   *
+   * For example:
+   * ```
+   * template <typename T>
+   * class A {
+   *   using T::m;
+   * };
+   * ```
+   * Here, `getReferencedMember()` yields the member `m` of `T`. Observe that,
+   * as `T` is not instantiated, `m` is represented by a `Literal` and not
+   * a `Declaration`.
+   */
+  Literal getReferencedMember() { usings(underlyingElement(this), unresolveElement(result), _, _) }
+
+  override string toString() {
+    result = "using " + this.getDeclaration().getDescription() or
+    result = "using " + this.getReferencedMember()
+  }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll

@@ -22,7 +22,11 @@ module Input implements InputSig<Location, DataFlowImplSpecific::CppDataFlow> {
 
   ArgumentPosition callbackSelfParameterPosition() { result = TDirectPosition(-1) }
 
-  ReturnKind getStandardReturnValueKind() { result.(NormalReturnKind).getIndirectionIndex() = 0 }
+  ReturnKind getStandardReturnValueKind() { result = getReturnValueKind("") }
+
+  ReturnKind getReturnValueKind(string arg) {
+    arg = repeatStars(result.(NormalReturnKind).getIndirectionIndex())
+  }
 
   string encodeParameterPosition(ParameterPosition pos) { result = pos.toString() }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -1903,6 +1903,10 @@ module IteratorFlow {
     predicate allowFlowIntoUncertainDef(IteratorSsa::UncertainWriteDefinition def) { any() }
 
     class Guard extends Void {
+      predicate hasBranchEdge(SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, boolean branch) {
+        none()
+      }
+
       predicate controlsBranchEdge(
         SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, boolean branch
       ) {

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll

@@ -991,13 +991,17 @@ private module DataFlowIntegrationInput implements SsaImpl::DataFlowIntegrationI
   class Guard instanceof IRGuards::IRGuardCondition {
     string toString() { result = super.toString() }
 
-    predicate controlsBranchEdge(SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, boolean branch) {
+    predicate hasBranchEdge(SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, boolean branch) {
       exists(EdgeKind kind |
         super.getBlock() = bb1 and
         kind = getConditionalEdge(branch) and
         bb1.getSuccessor(kind) = bb2
       )
     }
+
+    predicate controlsBranchEdge(SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, boolean branch) {
+      this.hasBranchEdge(bb1, bb2, branch)
+    }
   }
 
   predicate guardDirectlyControlsBlock(Guard guard, SsaInput::BasicBlock bb, boolean branch) {

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticCFG.qll

@@ -10,7 +10,7 @@ private import SemanticExprSpecific::SemanticExprConfig as Specific
  */
 class SemBasicBlock extends Specific::BasicBlock {
   /** Holds if this block (transitively) dominates `otherblock`. */
-  final predicate bbDominates(SemBasicBlock otherBlock) { Specific::bbDominates(this, otherBlock) }
+  final predicate dominates(SemBasicBlock otherBlock) { Specific::bbDominates(this, otherBlock) }
 
   /** Gets an expression that is evaluated in this basic block. */
   final SemExpr getAnExpr() { result.getBasicBlock() = this }

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticExprSpecific.qll

@@ -264,10 +264,6 @@ module SemanticExprConfig {
 
   Guard comparisonGuard(Expr e) { getSemanticExpr(result) = e }
 
-  predicate implies_v2(Guard g1, boolean b1, Guard g2, boolean b2) {
-    none() // TODO
-  }
-
   /** Gets the expression associated with `instr`. */
   SemExpr getSemanticExpr(IR::Instruction instr) { result = instr }
 }

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticGuard.qll

@@ -18,11 +18,11 @@ class SemGuard instanceof Specific::Guard {
     Specific::equalityGuard(this, e1, e2, polarity)
   }
 
-  final predicate directlyControls(SemBasicBlock controlled, boolean branch) {
+  final predicate controls(SemBasicBlock controlled, boolean branch) {
     Specific::guardDirectlyControlsBlock(this, controlled, branch)
   }
 
-  final predicate hasBranchEdge(SemBasicBlock bb1, SemBasicBlock bb2, boolean branch) {
+  final predicate controlsBranchEdge(SemBasicBlock bb1, SemBasicBlock bb2, boolean branch) {
     Specific::guardHasBranchEdge(this, bb1, bb2, branch)
   }
 
@@ -31,8 +31,4 @@ class SemGuard instanceof Specific::Guard {
   final SemExpr asExpr() { result = Specific::getGuardAsExpr(this) }
 }
 
-predicate semImplies_v2(SemGuard g1, boolean b1, SemGuard g2, boolean b2) {
-  Specific::implies_v2(g1, b1, g2, b2)
-}
-
 SemGuard semGetComparisonGuard(SemRelationalExpr e) { result = Specific::comparisonGuard(e) }

cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisImpl.qll

@@ -77,8 +77,6 @@ module Sem implements Semantic<SemLocation> {
 
   class Guard = SemGuard;
 
-  predicate implies_v2 = semImplies_v2/4;
-
   class Type = SemType;
 
   class IntegerType = SemIntegerType;

cpp/ql/lib/semmle/code/cpp/security/FlowSources.qll

@@ -55,7 +55,7 @@ private class LocalModelSource extends LocalFlowSource {
 }
 
 /**
- * A local data flow source that the `argv` parameter to `main` or `wmain`.
+ * A local data flow source that is the `argv` parameter to `main` or `wmain`.
  */
 private class ArgvSource extends LocalFlowSource {
   ArgvSource() {
@@ -69,6 +69,21 @@ private class ArgvSource extends LocalFlowSource {
   override string getSourceType() { result = "a command-line argument" }
 }
 
+/**
+ * A local data flow source that is the `pCmdLine` parameter to `WinMain` or `wWinMain`.
+ */
+private class CmdLineSource extends LocalFlowSource {
+  CmdLineSource() {
+    exists(Function main, Parameter pCmdLine |
+      main.hasGlobalName(["WinMain", "wWinMain"]) and
+      main.getParameter(2) = pCmdLine and
+      this.asParameter(1) = pCmdLine
+    )
+  }
+
+  override string getSourceType() { result = "a command-line" }
+}
+
 /**
  * A remote data flow source that is defined through 'models as data'.
  */

cpp/ql/test/examples/expressions/PrintAST.expected

@@ -324,7 +324,7 @@ Conversion3.cpp:
 #    2|               getExpr(): [CStyleCast] (int)...
 #    2|                   Conversion = [IntegralConversion] integral conversion
 #    2|                   Type = [IntType] int
-#    2|                   Value = [CStyleCast] 1
+#    2|                   Value = [CStyleCast] 5
 #    2|                   ValueCategory = prvalue
 #    2|           getRightOperand().getFullyConverted(): [ParenthesisExpr] (...)
 #    2|               Type = [IntType] int

cpp/ql/test/experimental/library-tests/quantum/openssl/cipher_key_sources.expected

@@ -0,0 +1,2 @@
+| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:31:49:31:51 | Key | openssl_basic.c:179:43:179:76 | Constant |
+| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:77:45:77:47 | Key | openssl_basic.c:179:43:179:76 | Constant |

cpp/ql/test/experimental/library-tests/quantum/openssl/cipher_key_sources.ql

@@ -0,0 +1,6 @@
+import cpp
+import experimental.quantum.Language
+
+from Crypto::CipherOperationNode op, Crypto::KeyArtifactNode k
+where op.getAKey() = k
+select op, k, k.getSourceNode()

cpp/ql/test/experimental/library-tests/quantum/openssl/cipher_nonce_sources.expected

@@ -0,0 +1,2 @@
+| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:31:54:31:55 | Nonce | openssl_basic.c:180:42:180:59 | Constant |
+| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:77:50:77:51 | Nonce | openssl_basic.c:180:42:180:59 | Constant |

cpp/ql/test/experimental/library-tests/quantum/openssl/cipher_nonce_sources.ql

@@ -0,0 +1,6 @@
+import cpp
+import experimental.quantum.Language
+
+from Crypto::CipherOperationNode op, Crypto::NonceArtifactNode n
+where op.getANonce() = n
+select op, n, n.getSourceNode()

cpp/ql/test/experimental/library-tests/quantum/openssl/cipher_operations.expected

@@ -0,0 +1,16 @@
+| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:35:36:35:45 | KeyOperationOutput | openssl_basic.c:23:62:23:65 | Key | openssl_basic.c:23:68:23:71 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
+| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:35:36:35:45 | KeyOperationOutput | openssl_basic.c:23:62:23:65 | Key | openssl_basic.c:31:54:31:55 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
+| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:35:36:35:45 | KeyOperationOutput | openssl_basic.c:31:49:31:51 | Key | openssl_basic.c:23:68:23:71 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
+| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:35:36:35:45 | KeyOperationOutput | openssl_basic.c:31:49:31:51 | Key | openssl_basic.c:31:54:31:55 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
+| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:40:38:40:53 | KeyOperationOutput | openssl_basic.c:23:62:23:65 | Key | openssl_basic.c:23:68:23:71 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
+| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:40:38:40:53 | KeyOperationOutput | openssl_basic.c:23:62:23:65 | Key | openssl_basic.c:31:54:31:55 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
+| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:40:38:40:53 | KeyOperationOutput | openssl_basic.c:31:49:31:51 | Key | openssl_basic.c:23:68:23:71 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
+| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:40:38:40:53 | KeyOperationOutput | openssl_basic.c:31:49:31:51 | Key | openssl_basic.c:31:54:31:55 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
+| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:81:32:81:40 | KeyOperationOutput | openssl_basic.c:69:58:69:61 | Key | openssl_basic.c:69:64:69:67 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
+| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:81:32:81:40 | KeyOperationOutput | openssl_basic.c:69:58:69:61 | Key | openssl_basic.c:77:50:77:51 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
+| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:81:32:81:40 | KeyOperationOutput | openssl_basic.c:77:45:77:47 | Key | openssl_basic.c:69:64:69:67 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
+| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:81:32:81:40 | KeyOperationOutput | openssl_basic.c:77:45:77:47 | Key | openssl_basic.c:77:50:77:51 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
+| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:90:36:90:50 | KeyOperationOutput | openssl_basic.c:69:58:69:61 | Key | openssl_basic.c:69:64:69:67 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
+| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:90:36:90:50 | KeyOperationOutput | openssl_basic.c:69:58:69:61 | Key | openssl_basic.c:77:50:77:51 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
+| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:90:36:90:50 | KeyOperationOutput | openssl_basic.c:77:45:77:47 | Key | openssl_basic.c:69:64:69:67 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
+| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:90:36:90:50 | KeyOperationOutput | openssl_basic.c:77:45:77:47 | Key | openssl_basic.c:77:50:77:51 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |

cpp/ql/test/experimental/library-tests/quantum/openssl/cipher_operations.ql

@@ -0,0 +1,6 @@
+import cpp
+import experimental.quantum.Language
+
+from Crypto::CipherOperationNode n
+select n, n.getAnInputArtifact(), n.getAnOutputArtifact(), n.getAKey(), n.getANonce(),
+  n.getAnAlgorithmOrGenericSource(), n.getKeyOperationSubtype()

cpp/ql/test/experimental/library-tests/quantum/openssl/cipher_plaintext_sources.expected

@@ -0,0 +1 @@
+| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:181:49:181:87 | Constant |

cpp/ql/test/experimental/library-tests/quantum/openssl/cipher_plaintext_sources.ql

@@ -0,0 +1,6 @@
+import cpp
+import experimental.quantum.Language
+
+from Crypto::CipherOperationNode n, Crypto::MessageArtifactNode m
+where n.getAnInputArtifact() = m
+select n, m, m.getSourceNode()

cpp/ql/test/experimental/library-tests/quantum/openssl/hash_input_sources.expected

@@ -0,0 +1,2 @@
+| openssl_basic.c:124:13:124:30 | HashOperation | openssl_basic.c:120:37:120:43 | Message | openssl_basic.c:181:49:181:87 | Constant |
+| openssl_basic.c:144:13:144:22 | HashOperation | openssl_basic.c:144:24:144:30 | Message | openssl_basic.c:181:49:181:87 | Constant |

cpp/ql/test/experimental/library-tests/quantum/openssl/hash_input_sources.ql

@@ -0,0 +1,6 @@
+import cpp
+import experimental.quantum.Language
+
+from Crypto::HashOperationNode n, Crypto::MessageArtifactNode m
+where n.getInputArtifact() = m
+select n, m, m.getSourceNode()

cpp/ql/test/experimental/library-tests/quantum/openssl/hash_operations.expected

@@ -0,0 +1,2 @@
+| openssl_basic.c:124:13:124:30 | HashOperation | openssl_basic.c:124:39:124:44 | Digest | openssl_basic.c:116:38:116:47 | HashAlgorithm | openssl_basic.c:120:37:120:43 | Message |
+| openssl_basic.c:144:13:144:22 | HashOperation | openssl_basic.c:144:46:144:51 | Digest | openssl_basic.c:144:67:144:73 | HashAlgorithm | openssl_basic.c:144:24:144:30 | Message |

cpp/ql/test/experimental/library-tests/quantum/openssl/hash_operations.ql

@@ -0,0 +1,5 @@
+import cpp
+import experimental.quantum.Language
+
+from Crypto::HashOperationNode n
+select n, n.getDigest(), n.getAnAlgorithmOrGenericSource(), n.getInputArtifact()

cpp/ql/test/experimental/library-tests/quantum/openssl/openssl_basic.c

@@ -0,0 +1,221 @@
+#include "openssl/evp_stubs.h"
+#include "openssl/alg_macro_stubs.h"
+#include "openssl/rand_stubs.h"
+
+size_t strlen(const char* str);
+
+// Sample OpenSSL code that demonstrates various cryptographic operations
+// that can be detected by the quantum model
+
+// Function to perform AES-256-GCM encryption
+int encrypt_aes_gcm(const unsigned char *plaintext, int plaintext_len,
+                   const unsigned char *key, const unsigned char *iv, int iv_len,
+                   unsigned char *ciphertext, unsigned char *tag) {
+    EVP_CIPHER_CTX *ctx;
+    int len;
+    int ciphertext_len;
+
+    // Create and initialize the context
+    if(!(ctx = EVP_CIPHER_CTX_new()))
+        return -1;
+
+    // Initialize the encryption operation
+    if(1 != EVP_EncryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL))
+        return -1;
+
+    // Set IV length (for GCM mode)
+    if(1 != EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, iv_len, NULL))
+        return -1;
+
+    // Initialize key and IV
+    if(1 != EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv))
+        return -1;
+
+    // Provide the plaintext to be encrypted
+    if(1 != EVP_EncryptUpdate(ctx, ciphertext, &len, plaintext, plaintext_len))
+        return -1;
+    ciphertext_len = len;
+
+    // Finalize the encryption
+    if(1 != EVP_EncryptFinal_ex(ctx, ciphertext + len, &len))
+        return -1;
+    ciphertext_len += len;
+
+    // Get the tag
+    if(1 != EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16, tag))
+        return -1;
+
+    // Clean up
+    EVP_CIPHER_CTX_free(ctx);
+
+    return ciphertext_len;
+}
+
+// Function to perform AES-256-GCM decryption
+int decrypt_aes_gcm(const unsigned char *ciphertext, int ciphertext_len,
+                   const unsigned char *tag, const unsigned char *key,
+                   const unsigned char *iv, int iv_len, 
+                   unsigned char *plaintext) {
+    EVP_CIPHER_CTX *ctx;
+    int len;
+    int plaintext_len;
+    int ret;
+
+    // Create and initialize the context
+    if(!(ctx = EVP_CIPHER_CTX_new()))
+        return -1;
+
+    // Initialize the decryption operation
+    if(!EVP_DecryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL))
+        return -1;
+
+    // Set IV length
+    if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, iv_len, NULL))
+        return -1;
+
+    // Initialize key and IV
+    if(!EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv))
+        return -1;
+
+    // Provide the ciphertext to be decrypted
+    if(!EVP_DecryptUpdate(ctx, plaintext, &len, ciphertext, ciphertext_len))
+        return -1;
+    plaintext_len = len;
+
+    // Set expected tag value
+    if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, (void*)tag))
+        return -1;
+
+    // Finalize the decryption
+    ret = EVP_DecryptFinal_ex(ctx, plaintext + len, &len);
+
+    // Clean up
+    EVP_CIPHER_CTX_free(ctx);
+
+    if(ret > 0) {
+        // Success
+        plaintext_len += len;
+        return plaintext_len;
+    } else {
+        // Verification failed
+        return -1;
+    }
+}
+
+// Function to calculate SHA-256 hash
+int calculate_sha256(const unsigned char *message, size_t message_len,
+                    unsigned char *digest) {
+    EVP_MD_CTX *mdctx;
+    unsigned int digest_len;
+
+    // Create and initialize the context
+    if(!(mdctx = EVP_MD_CTX_new()))
+        return 0;
+
+    // Initialize the hash operation
+    if(1 != EVP_DigestInit_ex(mdctx, EVP_sha256(), NULL))
+        return 0;
+
+    // Provide the message to be hashed
+    if(1 != EVP_DigestUpdate(mdctx, message, message_len))
+        return 0;
+
+    // Finalize the hash
+    if(1 != EVP_DigestFinal_ex(mdctx, digest, &digest_len))
+        return 0;
+
+    // Clean up
+    EVP_MD_CTX_free(mdctx);
+
+    return 1;
+}
+
+// Function to generate random bytes
+int generate_random_bytes(unsigned char *buffer, size_t length) {
+    return RAND_bytes(buffer, length);
+}
+
+// Function using direct EVP_Digest function (one-shot hash)
+int calculate_md5_oneshot(const unsigned char *message, size_t message_len,
+                         unsigned char *digest) {
+    unsigned int digest_len;
+    
+    // Calculate MD5 in a single call
+    if(1 != EVP_Digest(message, message_len, digest, &digest_len, EVP_md5(), NULL))
+        return 0;
+        
+    return 1;
+}
+
+// Function using HMAC
+int calculate_hmac_sha256(const unsigned char *key, size_t key_len,
+                         const unsigned char *message, size_t message_len,
+                         unsigned char *mac) {
+    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+    EVP_PKEY *pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, key, key_len);
+    
+    if (!ctx || !pkey)
+        return 0;
+        
+    if (EVP_DigestSignInit(ctx, NULL, EVP_sha256(), NULL, pkey) != 1)
+        return 0;
+        
+    if (EVP_DigestSignUpdate(ctx, message, message_len) != 1)
+        return 0;
+        
+    size_t mac_len = 32; // SHA-256 output size
+    if (EVP_DigestSignFinal(ctx, mac, &mac_len) != 1)
+        return 0;
+        
+    EVP_MD_CTX_free(ctx);
+    EVP_PKEY_free(pkey);
+    
+    return 1;
+}
+
+// Test function
+int test_main() {
+    // Test encryption and decryption
+    unsigned char *key = (unsigned char *)"01234567890123456789012345678901"; // 32 bytes
+    unsigned char *iv = (unsigned char *)"0123456789012345"; // 16 bytes
+    unsigned char *plaintext = (unsigned char *)"This is a test message for encryption";
+    unsigned char ciphertext[1024];
+    unsigned char tag[16];
+    unsigned char decrypted[1024];
+    int plaintext_len = strlen((char *)plaintext);
+    int ciphertext_len;
+    int decrypted_len;
+    
+    // Test SHA-256 hash
+    unsigned char hash[32];
+    
+    // Test random generation
+    unsigned char random_bytes[32];
+    
+    // // Initialize OpenSSL
+    // ERR_load_crypto_strings();
+    
+    // Encrypt data
+    ciphertext_len = encrypt_aes_gcm(plaintext, plaintext_len, key, iv, 16, ciphertext, tag);
+    
+    // Decrypt data
+    decrypted_len = decrypt_aes_gcm(ciphertext, ciphertext_len, tag, key, iv, 16, decrypted);
+
+    //printf("decrypted: %s\n", decrypted);
+    
+    // Calculate hash
+    calculate_sha256(plaintext, plaintext_len, hash);
+    
+    // Generate random bytes
+    generate_random_bytes(random_bytes, 32);
+    
+    // Calculate one-shot MD5
+    unsigned char md5_hash[16];
+    calculate_md5_oneshot(plaintext, plaintext_len, md5_hash);
+    
+    // Calculate HMAC
+    unsigned char hmac[32];
+    calculate_hmac_sha256(key, 32, plaintext, plaintext_len, hmac);
+    
+    return 0;
+} 

cpp/ql/test/experimental/library-tests/quantum/openssl/options

@@ -0,0 +1 @@
+semmle-extractor-options: -I ../../../stubs

cpp/ql/test/experimental/stubs/README.md

@@ -0,0 +1,4 @@
+The stubs in this directory are derived from various open-source projects, and
+used to test that the relevant APIs are correctly modelled. Where a disclaimer
+or third-party-notice is required, this is included in the top-level directory
+for each particular library.

cpp/ql/test/experimental/stubs/openssl/license.txt

@@ -0,0 +1,177 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        https://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS

cpp/ql/test/experimental/stubs/openssl/rand_stubs.h

@@ -0,0 +1,3 @@
+int RAND_bytes(unsigned char *buf, int num);
+
+int RAND_pseudo_bytes(unsigned char *buf, int num);

cpp/ql/test/library-tests/comments/binding/commentBinding.expected

@@ -9,3 +9,6 @@
 | multi.c:5:27:5:36 | // Multi 3 | declaration of multi3 |
 | templates.cpp:3:3:3:8 | // Foo | declaration of foo |
 | templates.cpp:7:3:7:8 | // Bar | definition of bar |
+| templates.cpp:16:3:16:20 | // using T::member | using member |
+| templates.cpp:19:3:19:28 | // using T::nested::member | using member |
+| templates.cpp:25:3:25:20 | // using T::member | using member |

cpp/ql/test/library-tests/comments/binding/templates.cpp

@@ -10,3 +10,18 @@ class Cl {
   }
 };
 
+
+template <typename T>
+class Derived : public T {
+  // using T::member
+  using T::member;
+
+  // using T::nested::member
+  using T::nested::member;
+};
+
+template <typename T>
+class Base {
+  // using T::member
+  using T::member;
+};

cpp/ql/test/library-tests/dataflow/dataflow-tests/TestBase.qll

@@ -124,7 +124,11 @@ module IRTest {
 
   /** Common data flow configuration to be used by tests. */
   module IRTestAllocationConfig implements DataFlow::ConfigSig {
+    private import semmle.code.cpp.security.FlowSources
+
     predicate isSource(DataFlow::Node source) {
+      source instanceof FlowSource
+      or
       source.asExpr().(FunctionCall).getTarget().getName() = "source"
       or
       source.asIndirectExpr(1).(FunctionCall).getTarget().getName() = "indirect_source"

cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected

@@ -337,3 +337,4 @@ irFlow
 | true_upon_entry.cpp:70:11:70:16 | call to source | true_upon_entry.cpp:78:8:78:8 | x |
 | true_upon_entry.cpp:83:11:83:16 | call to source | true_upon_entry.cpp:86:8:86:8 | x |
 | true_upon_entry.cpp:98:11:98:16 | call to source | true_upon_entry.cpp:105:8:105:8 | x |
+| winmain.cpp:4:57:4:64 | *pCmdLine | winmain.cpp:6:8:6:16 | * ... |

cpp/ql/test/library-tests/dataflow/dataflow-tests/winmain.cpp

@@ -0,0 +1,9 @@
+void sink(char);
+void sink(char*);
+
+int WinMain(void *hInstance, void *hPrevInstance, char *pCmdLine, int nCmdShow) { // $ ast-def=hInstance ast-def=hPrevInstance ast-def=pCmdLine ir-def=*hInstance ir-def=*hPrevInstance ir-def=*pCmdLine 
+  sink(pCmdLine);
+  sink(*pCmdLine); // $ ir
+
+  return 0;
+}

cpp/ql/test/library-tests/dataflow/external-models/flow.expected

@@ -10,33 +10,95 @@ edges
 | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:103:29:103:39 | *send_buffer | provenance | Sink:MaD:6 |
 | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | provenance |  |
 | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:10 |
-| test.cpp:4:5:4:17 | [summary param] 0 in ymlStepManual | test.cpp:4:5:4:17 | [summary] to write: ReturnValue in ymlStepManual | provenance | MaD:23489 |
-| test.cpp:5:5:5:20 | [summary param] 0 in ymlStepGenerated | test.cpp:5:5:5:20 | [summary] to write: ReturnValue in ymlStepGenerated | provenance | MaD:23490 |
-| test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | test.cpp:6:5:6:27 | [summary] to write: ReturnValue in ymlStepManual_with_body | provenance | MaD:23491 |
+| test.cpp:4:5:4:17 | [summary param] 0 in ymlStepManual | test.cpp:4:5:4:17 | [summary] to write: ReturnValue in ymlStepManual | provenance | MaD:23508 |
+| test.cpp:5:5:5:20 | [summary param] 0 in ymlStepGenerated | test.cpp:5:5:5:20 | [summary] to write: ReturnValue in ymlStepGenerated | provenance | MaD:23509 |
+| test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | test.cpp:6:5:6:27 | [summary] to write: ReturnValue in ymlStepManual_with_body | provenance | MaD:23510 |
 | test.cpp:7:47:7:52 | value2 | test.cpp:7:64:7:69 | value2 | provenance |  |
 | test.cpp:7:64:7:69 | value2 | test.cpp:7:5:7:30 | *ymlStepGenerated_with_body | provenance |  |
-| test.cpp:10:10:10:18 | call to ymlSource | test.cpp:10:10:10:18 | call to ymlSource | provenance | Src:MaD:23487  |
-| test.cpp:10:10:10:18 | call to ymlSource | test.cpp:14:10:14:10 | x | provenance | Sink:MaD:23488 |
+| test.cpp:10:10:10:18 | call to ymlSource | test.cpp:10:10:10:18 | call to ymlSource | provenance | Src:MaD:23506  |
+| test.cpp:10:10:10:18 | call to ymlSource | test.cpp:14:10:14:10 | x | provenance | Sink:MaD:23507 |
 | test.cpp:10:10:10:18 | call to ymlSource | test.cpp:17:24:17:24 | x | provenance |  |
 | test.cpp:10:10:10:18 | call to ymlSource | test.cpp:21:27:21:27 | x | provenance |  |
 | test.cpp:10:10:10:18 | call to ymlSource | test.cpp:25:35:25:35 | x | provenance |  |
 | test.cpp:10:10:10:18 | call to ymlSource | test.cpp:32:41:32:41 | x | provenance |  |
 | test.cpp:17:10:17:22 | call to ymlStepManual | test.cpp:17:10:17:22 | call to ymlStepManual | provenance |  |
-| test.cpp:17:10:17:22 | call to ymlStepManual | test.cpp:18:10:18:10 | y | provenance | Sink:MaD:23488 |
+| test.cpp:17:10:17:22 | call to ymlStepManual | test.cpp:18:10:18:10 | y | provenance | Sink:MaD:23507 |
 | test.cpp:17:24:17:24 | x | test.cpp:4:5:4:17 | [summary param] 0 in ymlStepManual | provenance |  |
-| test.cpp:17:24:17:24 | x | test.cpp:17:10:17:22 | call to ymlStepManual | provenance | MaD:23489 |
+| test.cpp:17:24:17:24 | x | test.cpp:17:10:17:22 | call to ymlStepManual | provenance | MaD:23508 |
 | test.cpp:21:10:21:25 | call to ymlStepGenerated | test.cpp:21:10:21:25 | call to ymlStepGenerated | provenance |  |
-| test.cpp:21:10:21:25 | call to ymlStepGenerated | test.cpp:22:10:22:10 | z | provenance | Sink:MaD:23488 |
+| test.cpp:21:10:21:25 | call to ymlStepGenerated | test.cpp:22:10:22:10 | z | provenance | Sink:MaD:23507 |
 | test.cpp:21:27:21:27 | x | test.cpp:5:5:5:20 | [summary param] 0 in ymlStepGenerated | provenance |  |
-| test.cpp:21:27:21:27 | x | test.cpp:21:10:21:25 | call to ymlStepGenerated | provenance | MaD:23490 |
+| test.cpp:21:27:21:27 | x | test.cpp:21:10:21:25 | call to ymlStepGenerated | provenance | MaD:23509 |
 | test.cpp:25:11:25:33 | call to ymlStepManual_with_body | test.cpp:25:11:25:33 | call to ymlStepManual_with_body | provenance |  |
-| test.cpp:25:11:25:33 | call to ymlStepManual_with_body | test.cpp:26:10:26:11 | y2 | provenance | Sink:MaD:23488 |
+| test.cpp:25:11:25:33 | call to ymlStepManual_with_body | test.cpp:26:10:26:11 | y2 | provenance | Sink:MaD:23507 |
 | test.cpp:25:35:25:35 | x | test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | provenance |  |
-| test.cpp:25:35:25:35 | x | test.cpp:25:11:25:33 | call to ymlStepManual_with_body | provenance | MaD:23491 |
+| test.cpp:25:35:25:35 | x | test.cpp:25:11:25:33 | call to ymlStepManual_with_body | provenance | MaD:23510 |
 | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | provenance |  |
-| test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | test.cpp:33:10:33:11 | z2 | provenance | Sink:MaD:23488 |
+| test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | test.cpp:33:10:33:11 | z2 | provenance | Sink:MaD:23507 |
 | test.cpp:32:41:32:41 | x | test.cpp:7:47:7:52 | value2 | provenance |  |
 | test.cpp:32:41:32:41 | x | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | provenance |  |
+| windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | provenance | MaD:341 |
+| windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:22:15:22:29 | *call to GetCommandLineA | provenance | Src:MaD:325  |
+| windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:24:8:24:11 | * ... | provenance |  |
+| windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:27:36:27:38 | *cmd | provenance |  |
+| windows.cpp:27:17:27:34 | **call to CommandLineToArgvA | windows.cpp:27:17:27:34 | **call to CommandLineToArgvA | provenance |  |
+| windows.cpp:27:17:27:34 | **call to CommandLineToArgvA | windows.cpp:30:8:30:15 | * ... | provenance |  |
+| windows.cpp:27:36:27:38 | *cmd | windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | provenance |  |
+| windows.cpp:27:36:27:38 | *cmd | windows.cpp:27:17:27:34 | **call to CommandLineToArgvA | provenance | MaD:341 |
+| windows.cpp:34:17:34:38 | *call to GetEnvironmentStringsA | windows.cpp:34:17:34:38 | *call to GetEnvironmentStringsA | provenance | Src:MaD:327  |
+| windows.cpp:34:17:34:38 | *call to GetEnvironmentStringsA | windows.cpp:36:10:36:13 | * ... | provenance |  |
+| windows.cpp:39:36:39:38 | GetEnvironmentVariableA output argument | windows.cpp:41:10:41:13 | * ... | provenance | Src:MaD:329  |
+| windows.cpp:90:6:90:15 | [summary param] *3 in ReadFileEx [*hEvent] | windows.cpp:90:6:90:15 | [summary] read: Argument[*3].Field[*hEvent] in ReadFileEx | provenance |  |
+| windows.cpp:90:6:90:15 | [summary param] *3 in ReadFileEx [hEvent] | windows.cpp:90:6:90:15 | [summary] read: Argument[*3].Field[hEvent] in ReadFileEx | provenance |  |
+| windows.cpp:90:6:90:15 | [summary] read: Argument[*3].Field[*hEvent] in ReadFileEx | windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2].Field[*hEvent] in ReadFileEx | provenance | MaD:343 |
+| windows.cpp:90:6:90:15 | [summary] read: Argument[*3].Field[hEvent] in ReadFileEx | windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2].Field[hEvent] in ReadFileEx | provenance | MaD:343 |
+| windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2] in ReadFileEx [*hEvent] | windows.cpp:147:16:147:27 | *lpOverlapped [*hEvent] | provenance |  |
+| windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2] in ReadFileEx [hEvent] | windows.cpp:157:16:157:27 | *lpOverlapped [hEvent] | provenance |  |
+| windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2].Field[*hEvent] in ReadFileEx | windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2] in ReadFileEx [*hEvent] | provenance |  |
+| windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2].Field[hEvent] in ReadFileEx | windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2] in ReadFileEx [hEvent] | provenance |  |
+| windows.cpp:147:16:147:27 | *lpOverlapped [*hEvent] | windows.cpp:149:42:149:53 | *lpOverlapped [*hEvent] | provenance |  |
+| windows.cpp:149:18:149:62 | *hEvent | windows.cpp:149:18:149:62 | *hEvent | provenance |  |
+| windows.cpp:149:18:149:62 | *hEvent | windows.cpp:151:8:151:14 | * ... | provenance |  |
+| windows.cpp:149:42:149:53 | *lpOverlapped [*hEvent] | windows.cpp:149:18:149:62 | *hEvent | provenance |  |
+| windows.cpp:149:42:149:53 | *lpOverlapped [*hEvent] | windows.cpp:149:56:149:61 | *hEvent | provenance |  |
+| windows.cpp:149:56:149:61 | *hEvent | windows.cpp:149:18:149:62 | *hEvent | provenance |  |
+| windows.cpp:157:16:157:27 | *lpOverlapped [hEvent] | windows.cpp:159:35:159:46 | *lpOverlapped [hEvent] | provenance |  |
+| windows.cpp:159:12:159:55 | hEvent | windows.cpp:159:12:159:55 | hEvent | provenance |  |
+| windows.cpp:159:12:159:55 | hEvent | windows.cpp:160:8:160:8 | c | provenance |  |
+| windows.cpp:159:35:159:46 | *lpOverlapped [hEvent] | windows.cpp:159:12:159:55 | hEvent | provenance |  |
+| windows.cpp:159:35:159:46 | *lpOverlapped [hEvent] | windows.cpp:159:12:159:55 | hEvent | provenance |  |
+| windows.cpp:168:35:168:40 | ReadFile output argument | windows.cpp:170:10:170:16 | * ... | provenance | Src:MaD:331  |
+| windows.cpp:177:23:177:28 | ReadFileEx output argument | windows.cpp:179:10:179:16 | * ... | provenance | Src:MaD:332  |
+| windows.cpp:189:21:189:26 | ReadFile output argument | windows.cpp:190:5:190:56 | *... = ... | provenance | Src:MaD:331  |
+| windows.cpp:190:5:190:14 | *overlapped [post update] [*hEvent] | windows.cpp:192:53:192:63 | *& ... [*hEvent] | provenance |  |
+| windows.cpp:190:5:190:56 | *... = ... | windows.cpp:190:5:190:14 | *overlapped [post update] [*hEvent] | provenance |  |
+| windows.cpp:192:53:192:63 | *& ... [*hEvent] | windows.cpp:90:6:90:15 | [summary param] *3 in ReadFileEx [*hEvent] | provenance |  |
+| windows.cpp:198:21:198:26 | ReadFile output argument | windows.cpp:199:5:199:57 | ... = ... | provenance | Src:MaD:331  |
+| windows.cpp:199:5:199:14 | *overlapped [post update] [hEvent] | windows.cpp:201:53:201:63 | *& ... [hEvent] | provenance |  |
+| windows.cpp:199:5:199:57 | ... = ... | windows.cpp:199:5:199:14 | *overlapped [post update] [hEvent] | provenance |  |
+| windows.cpp:201:53:201:63 | *& ... [hEvent] | windows.cpp:90:6:90:15 | [summary param] *3 in ReadFileEx [hEvent] | provenance |  |
+| windows.cpp:209:84:209:89 | NtReadFile output argument | windows.cpp:211:10:211:16 | * ... | provenance | Src:MaD:340  |
+| windows.cpp:286:23:286:35 | *call to MapViewOfFile | windows.cpp:286:23:286:35 | *call to MapViewOfFile | provenance | Src:MaD:333  |
+| windows.cpp:286:23:286:35 | *call to MapViewOfFile | windows.cpp:287:20:287:52 | *pMapView | provenance |  |
+| windows.cpp:287:20:287:52 | *pMapView | windows.cpp:289:10:289:16 | * ... | provenance |  |
+| windows.cpp:293:23:293:36 | *call to MapViewOfFile2 | windows.cpp:293:23:293:36 | *call to MapViewOfFile2 | provenance | Src:MaD:334  |
+| windows.cpp:293:23:293:36 | *call to MapViewOfFile2 | windows.cpp:294:20:294:52 | *pMapView | provenance |  |
+| windows.cpp:294:20:294:52 | *pMapView | windows.cpp:296:10:296:16 | * ... | provenance |  |
+| windows.cpp:302:23:302:36 | *call to MapViewOfFile3 | windows.cpp:302:23:302:36 | *call to MapViewOfFile3 | provenance | Src:MaD:335  |
+| windows.cpp:302:23:302:36 | *call to MapViewOfFile3 | windows.cpp:303:20:303:52 | *pMapView | provenance |  |
+| windows.cpp:303:20:303:52 | *pMapView | windows.cpp:305:10:305:16 | * ... | provenance |  |
+| windows.cpp:311:23:311:43 | *call to MapViewOfFile3FromApp | windows.cpp:311:23:311:43 | *call to MapViewOfFile3FromApp | provenance | Src:MaD:336  |
+| windows.cpp:311:23:311:43 | *call to MapViewOfFile3FromApp | windows.cpp:312:20:312:52 | *pMapView | provenance |  |
+| windows.cpp:312:20:312:52 | *pMapView | windows.cpp:314:10:314:16 | * ... | provenance |  |
+| windows.cpp:318:23:318:37 | *call to MapViewOfFileEx | windows.cpp:318:23:318:37 | *call to MapViewOfFileEx | provenance | Src:MaD:337  |
+| windows.cpp:318:23:318:37 | *call to MapViewOfFileEx | windows.cpp:319:20:319:52 | *pMapView | provenance |  |
+| windows.cpp:319:20:319:52 | *pMapView | windows.cpp:321:10:321:16 | * ... | provenance |  |
+| windows.cpp:325:23:325:42 | *call to MapViewOfFileFromApp | windows.cpp:325:23:325:42 | *call to MapViewOfFileFromApp | provenance | Src:MaD:338  |
+| windows.cpp:325:23:325:42 | *call to MapViewOfFileFromApp | windows.cpp:326:20:326:52 | *pMapView | provenance |  |
+| windows.cpp:326:20:326:52 | *pMapView | windows.cpp:328:10:328:16 | * ... | provenance |  |
+| windows.cpp:332:23:332:40 | *call to MapViewOfFileNuma2 | windows.cpp:332:23:332:40 | *call to MapViewOfFileNuma2 | provenance | Src:MaD:339  |
+| windows.cpp:332:23:332:40 | *call to MapViewOfFileNuma2 | windows.cpp:333:20:333:52 | *pMapView | provenance |  |
+| windows.cpp:333:20:333:52 | *pMapView | windows.cpp:335:10:335:16 | * ... | provenance |  |
 nodes
 | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | semmle.label | [summary param] *0 in buffer |
 | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | semmle.label | [summary] to write: ReturnValue in buffer |
@@ -78,9 +140,85 @@ nodes
 | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body | semmle.label | call to ymlStepGenerated_with_body |
 | test.cpp:32:41:32:41 | x | semmle.label | x |
 | test.cpp:33:10:33:11 | z2 | semmle.label | z2 |
+| windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | semmle.label | [summary param] *0 in CommandLineToArgvA |
+| windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | semmle.label | [summary] to write: ReturnValue[**] in CommandLineToArgvA |
+| windows.cpp:22:15:22:29 | *call to GetCommandLineA | semmle.label | *call to GetCommandLineA |
+| windows.cpp:22:15:22:29 | *call to GetCommandLineA | semmle.label | *call to GetCommandLineA |
+| windows.cpp:24:8:24:11 | * ... | semmle.label | * ... |
+| windows.cpp:27:17:27:34 | **call to CommandLineToArgvA | semmle.label | **call to CommandLineToArgvA |
+| windows.cpp:27:17:27:34 | **call to CommandLineToArgvA | semmle.label | **call to CommandLineToArgvA |
+| windows.cpp:27:36:27:38 | *cmd | semmle.label | *cmd |
+| windows.cpp:30:8:30:15 | * ... | semmle.label | * ... |
+| windows.cpp:34:17:34:38 | *call to GetEnvironmentStringsA | semmle.label | *call to GetEnvironmentStringsA |
+| windows.cpp:34:17:34:38 | *call to GetEnvironmentStringsA | semmle.label | *call to GetEnvironmentStringsA |
+| windows.cpp:36:10:36:13 | * ... | semmle.label | * ... |
+| windows.cpp:39:36:39:38 | GetEnvironmentVariableA output argument | semmle.label | GetEnvironmentVariableA output argument |
+| windows.cpp:41:10:41:13 | * ... | semmle.label | * ... |
+| windows.cpp:90:6:90:15 | [summary param] *3 in ReadFileEx [*hEvent] | semmle.label | [summary param] *3 in ReadFileEx [*hEvent] |
+| windows.cpp:90:6:90:15 | [summary param] *3 in ReadFileEx [hEvent] | semmle.label | [summary param] *3 in ReadFileEx [hEvent] |
+| windows.cpp:90:6:90:15 | [summary] read: Argument[*3].Field[*hEvent] in ReadFileEx | semmle.label | [summary] read: Argument[*3].Field[*hEvent] in ReadFileEx |
+| windows.cpp:90:6:90:15 | [summary] read: Argument[*3].Field[hEvent] in ReadFileEx | semmle.label | [summary] read: Argument[*3].Field[hEvent] in ReadFileEx |
+| windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2] in ReadFileEx [*hEvent] | semmle.label | [summary] to write: Argument[4].Parameter[*2] in ReadFileEx [*hEvent] |
+| windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2] in ReadFileEx [hEvent] | semmle.label | [summary] to write: Argument[4].Parameter[*2] in ReadFileEx [hEvent] |
+| windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2].Field[*hEvent] in ReadFileEx | semmle.label | [summary] to write: Argument[4].Parameter[*2].Field[*hEvent] in ReadFileEx |
+| windows.cpp:90:6:90:15 | [summary] to write: Argument[4].Parameter[*2].Field[hEvent] in ReadFileEx | semmle.label | [summary] to write: Argument[4].Parameter[*2].Field[hEvent] in ReadFileEx |
+| windows.cpp:147:16:147:27 | *lpOverlapped [*hEvent] | semmle.label | *lpOverlapped [*hEvent] |
+| windows.cpp:149:18:149:62 | *hEvent | semmle.label | *hEvent |
+| windows.cpp:149:18:149:62 | *hEvent | semmle.label | *hEvent |
+| windows.cpp:149:42:149:53 | *lpOverlapped [*hEvent] | semmle.label | *lpOverlapped [*hEvent] |
+| windows.cpp:149:56:149:61 | *hEvent | semmle.label | *hEvent |
+| windows.cpp:151:8:151:14 | * ... | semmle.label | * ... |
+| windows.cpp:157:16:157:27 | *lpOverlapped [hEvent] | semmle.label | *lpOverlapped [hEvent] |
+| windows.cpp:159:12:159:55 | hEvent | semmle.label | hEvent |
+| windows.cpp:159:12:159:55 | hEvent | semmle.label | hEvent |
+| windows.cpp:159:35:159:46 | *lpOverlapped [hEvent] | semmle.label | *lpOverlapped [hEvent] |
+| windows.cpp:160:8:160:8 | c | semmle.label | c |
+| windows.cpp:168:35:168:40 | ReadFile output argument | semmle.label | ReadFile output argument |
+| windows.cpp:170:10:170:16 | * ... | semmle.label | * ... |
+| windows.cpp:177:23:177:28 | ReadFileEx output argument | semmle.label | ReadFileEx output argument |
+| windows.cpp:179:10:179:16 | * ... | semmle.label | * ... |
+| windows.cpp:189:21:189:26 | ReadFile output argument | semmle.label | ReadFile output argument |
+| windows.cpp:190:5:190:14 | *overlapped [post update] [*hEvent] | semmle.label | *overlapped [post update] [*hEvent] |
+| windows.cpp:190:5:190:56 | *... = ... | semmle.label | *... = ... |
+| windows.cpp:192:53:192:63 | *& ... [*hEvent] | semmle.label | *& ... [*hEvent] |
+| windows.cpp:198:21:198:26 | ReadFile output argument | semmle.label | ReadFile output argument |
+| windows.cpp:199:5:199:14 | *overlapped [post update] [hEvent] | semmle.label | *overlapped [post update] [hEvent] |
+| windows.cpp:199:5:199:57 | ... = ... | semmle.label | ... = ... |
+| windows.cpp:201:53:201:63 | *& ... [hEvent] | semmle.label | *& ... [hEvent] |
+| windows.cpp:209:84:209:89 | NtReadFile output argument | semmle.label | NtReadFile output argument |
+| windows.cpp:211:10:211:16 | * ... | semmle.label | * ... |
+| windows.cpp:286:23:286:35 | *call to MapViewOfFile | semmle.label | *call to MapViewOfFile |
+| windows.cpp:286:23:286:35 | *call to MapViewOfFile | semmle.label | *call to MapViewOfFile |
+| windows.cpp:287:20:287:52 | *pMapView | semmle.label | *pMapView |
+| windows.cpp:289:10:289:16 | * ... | semmle.label | * ... |
+| windows.cpp:293:23:293:36 | *call to MapViewOfFile2 | semmle.label | *call to MapViewOfFile2 |
+| windows.cpp:293:23:293:36 | *call to MapViewOfFile2 | semmle.label | *call to MapViewOfFile2 |
+| windows.cpp:294:20:294:52 | *pMapView | semmle.label | *pMapView |
+| windows.cpp:296:10:296:16 | * ... | semmle.label | * ... |
+| windows.cpp:302:23:302:36 | *call to MapViewOfFile3 | semmle.label | *call to MapViewOfFile3 |
+| windows.cpp:302:23:302:36 | *call to MapViewOfFile3 | semmle.label | *call to MapViewOfFile3 |
+| windows.cpp:303:20:303:52 | *pMapView | semmle.label | *pMapView |
+| windows.cpp:305:10:305:16 | * ... | semmle.label | * ... |
+| windows.cpp:311:23:311:43 | *call to MapViewOfFile3FromApp | semmle.label | *call to MapViewOfFile3FromApp |
+| windows.cpp:311:23:311:43 | *call to MapViewOfFile3FromApp | semmle.label | *call to MapViewOfFile3FromApp |
+| windows.cpp:312:20:312:52 | *pMapView | semmle.label | *pMapView |
+| windows.cpp:314:10:314:16 | * ... | semmle.label | * ... |
+| windows.cpp:318:23:318:37 | *call to MapViewOfFileEx | semmle.label | *call to MapViewOfFileEx |
+| windows.cpp:318:23:318:37 | *call to MapViewOfFileEx | semmle.label | *call to MapViewOfFileEx |
+| windows.cpp:319:20:319:52 | *pMapView | semmle.label | *pMapView |
+| windows.cpp:321:10:321:16 | * ... | semmle.label | * ... |
+| windows.cpp:325:23:325:42 | *call to MapViewOfFileFromApp | semmle.label | *call to MapViewOfFileFromApp |
+| windows.cpp:325:23:325:42 | *call to MapViewOfFileFromApp | semmle.label | *call to MapViewOfFileFromApp |
+| windows.cpp:326:20:326:52 | *pMapView | semmle.label | *pMapView |
+| windows.cpp:328:10:328:16 | * ... | semmle.label | * ... |
+| windows.cpp:332:23:332:40 | *call to MapViewOfFileNuma2 | semmle.label | *call to MapViewOfFileNuma2 |
+| windows.cpp:332:23:332:40 | *call to MapViewOfFileNuma2 | semmle.label | *call to MapViewOfFileNuma2 |
+| windows.cpp:333:20:333:52 | *pMapView | semmle.label | *pMapView |
+| windows.cpp:335:10:335:16 | * ... | semmle.label | * ... |
 subpaths
 | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | asio_streams.cpp:100:44:100:62 | call to buffer |
 | test.cpp:17:24:17:24 | x | test.cpp:4:5:4:17 | [summary param] 0 in ymlStepManual | test.cpp:4:5:4:17 | [summary] to write: ReturnValue in ymlStepManual | test.cpp:17:10:17:22 | call to ymlStepManual |
 | test.cpp:21:27:21:27 | x | test.cpp:5:5:5:20 | [summary param] 0 in ymlStepGenerated | test.cpp:5:5:5:20 | [summary] to write: ReturnValue in ymlStepGenerated | test.cpp:21:10:21:25 | call to ymlStepGenerated |
 | test.cpp:25:35:25:35 | x | test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | test.cpp:6:5:6:27 | [summary] to write: ReturnValue in ymlStepManual_with_body | test.cpp:25:11:25:33 | call to ymlStepManual_with_body |
 | test.cpp:32:41:32:41 | x | test.cpp:7:47:7:52 | value2 | test.cpp:7:5:7:30 | *ymlStepGenerated_with_body | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body |
+| windows.cpp:27:36:27:38 | *cmd | windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | windows.cpp:27:17:27:34 | **call to CommandLineToArgvA |

cpp/ql/test/library-tests/dataflow/external-models/sources.expected

@@ -1,2 +1,19 @@
 | asio_streams.cpp:87:34:87:44 | read_until output argument | remote |
 | test.cpp:10:10:10:18 | call to ymlSource | local |
+| windows.cpp:22:15:22:29 | *call to GetCommandLineA | local |
+| windows.cpp:34:17:34:38 | *call to GetEnvironmentStringsA | local |
+| windows.cpp:39:36:39:38 | GetEnvironmentVariableA output argument | local |
+| windows.cpp:168:35:168:40 | ReadFile output argument | local |
+| windows.cpp:177:23:177:28 | ReadFileEx output argument | local |
+| windows.cpp:189:21:189:26 | ReadFile output argument | local |
+| windows.cpp:192:23:192:29 | ReadFileEx output argument | local |
+| windows.cpp:198:21:198:26 | ReadFile output argument | local |
+| windows.cpp:201:23:201:29 | ReadFileEx output argument | local |
+| windows.cpp:209:84:209:89 | NtReadFile output argument | local |
+| windows.cpp:286:23:286:35 | *call to MapViewOfFile | local |
+| windows.cpp:293:23:293:36 | *call to MapViewOfFile2 | local |
+| windows.cpp:302:23:302:36 | *call to MapViewOfFile3 | local |
+| windows.cpp:311:23:311:43 | *call to MapViewOfFile3FromApp | local |
+| windows.cpp:318:23:318:37 | *call to MapViewOfFileEx | local |
+| windows.cpp:325:23:325:42 | *call to MapViewOfFileFromApp | local |
+| windows.cpp:332:23:332:40 | *call to MapViewOfFileNuma2 | local |

cpp/ql/test/library-tests/dataflow/external-models/steps.expected

@@ -5,3 +5,4 @@
 | test.cpp:28:35:28:35 | 0 | test.cpp:28:11:28:33 | call to ymlStepManual_with_body |
 | test.cpp:32:38:32:38 | 0 | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body |
 | test.cpp:35:38:35:38 | x | test.cpp:35:11:35:36 | call to ymlStepGenerated_with_body |
+| windows.cpp:27:36:27:38 | *cmd | windows.cpp:27:17:27:34 | **call to CommandLineToArgvA |

cpp/ql/test/library-tests/dataflow/external-models/validatemodels.expected

@@ -3771,3 +3771,7 @@
 | Dubious signature "(wchar_t *)" in summary model. |
 | Dubious signature "(wchar_t, const CStringT &)" in summary model. |
 | Dubious signature "(wchar_t,const CStringT &)" in summary model. |
+| Unrecognized input specification "Field[****hEvent]" in summary model. |
+| Unrecognized input specification "Field[***hEvent]" in summary model. |
+| Unrecognized output specification "Field[****hEvent]" in summary model. |
+| Unrecognized output specification "Field[***hEvent]" in summary model. |

cpp/ql/test/library-tests/dataflow/external-models/windows.cpp

@@ -0,0 +1,337 @@
+void sink(char);
+void sink(char*);
+void sink(char**);
+
+using HANDLE = void*;
+using DWORD = unsigned long;
+using LPCH = char*;
+using LPSTR = char*;
+using LPCSTR = const char*;
+using LPVOID = void*;
+using LPDWORD = unsigned long*;
+using PVOID = void*;
+using ULONG_PTR = unsigned long*;
+using SIZE_T = decltype(sizeof(0));
+
+LPSTR GetCommandLineA();
+LPSTR* CommandLineToArgvA(LPSTR, int*);
+LPCH GetEnvironmentStringsA();
+DWORD GetEnvironmentVariableA(LPCSTR, LPSTR, DWORD);
+
+void getCommandLine() {
+  char* cmd = GetCommandLineA();
+  sink(cmd);
+  sink(*cmd); // $ ir
+
+  int argc;
+  char** argv = CommandLineToArgvA(cmd, &argc);
+  sink(argv);
+  sink(argv[1]);
+  sink(*argv[1]); // $ ir
+}
+
+void getEnvironment() {
+    char* env = GetEnvironmentStringsA();
+    sink(env);
+    sink(*env); // $ ir
+
+    char buf[1024];
+    GetEnvironmentVariableA("FOO", buf, sizeof(buf));
+    sink(buf);
+    sink(*buf); // $ ir
+}
+
+typedef struct _OVERLAPPED {
+  ULONG_PTR Internal;
+  ULONG_PTR InternalHigh;
+  union {
+    struct {
+      DWORD Offset;
+      DWORD OffsetHigh;
+    } DUMMYSTRUCTNAME;
+    PVOID Pointer;
+  } DUMMYUNIONNAME;
+  HANDLE    hEvent;
+} OVERLAPPED, *LPOVERLAPPED;
+
+using BOOL = int;
+#define FILE_MAP_READ 0x0004
+
+using ULONG64 = unsigned long long;
+using ULONG = unsigned long;
+
+using DWORD64 = unsigned long long;
+#define MEM_EXTENDED_PARAMETER_TYPE_BITS 8
+
+typedef struct MEM_EXTENDED_PARAMETER {
+  struct {
+    DWORD64 Type : MEM_EXTENDED_PARAMETER_TYPE_BITS;
+    DWORD64 Reserved : 64 - MEM_EXTENDED_PARAMETER_TYPE_BITS;
+  } DUMMYSTRUCTNAME;
+  union {
+    DWORD64 ULong64;
+    PVOID   Pointer;
+    SIZE_T  Size;
+    HANDLE  Handle;
+    DWORD   ULong;
+  } DUMMYUNIONNAME;
+} MEM_EXTENDED_PARAMETER, *PMEM_EXTENDED_PARAMETER;
+
+BOOL ReadFile(
+  HANDLE       hFile,
+  LPVOID       lpBuffer,
+  DWORD        nNumberOfBytesToRead,
+  LPDWORD      lpNumberOfBytesRead,
+  LPOVERLAPPED lpOverlapped
+);
+
+using LPOVERLAPPED_COMPLETION_ROUTINE = void (*)(DWORD, DWORD, LPOVERLAPPED);
+
+BOOL ReadFileEx(
+  HANDLE                          hFile,
+  LPVOID                          lpBuffer,
+  DWORD                           nNumberOfBytesToRead,
+  LPOVERLAPPED                    lpOverlapped,
+  LPOVERLAPPED_COMPLETION_ROUTINE lpCompletionRoutine
+);
+
+using NTSTATUS = long;
+using PIO_APC_ROUTINE = void (*)(struct _DEVICE_OBJECT*, struct _IRP*, PVOID);
+typedef struct _IO_STATUS_BLOCK {
+  union {
+    NTSTATUS Status;
+    PVOID    Pointer;
+  } DUMMYUNIONNAME;
+  ULONG_PTR Information;
+} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK;
+using LONGLONG = long long;
+using LONG = long;
+typedef struct _LARGE_INTEGER {
+  union {
+    struct {
+      ULONG LowPart;
+      LONG  HighPart;
+    } DUMMYSTRUCTNAME;
+    LONGLONG QuadPart;
+  } DUMMYUNIONNAME;
+} LARGE_INTEGER, *PLARGE_INTEGER;
+
+using PULONG = unsigned long*;
+
+NTSTATUS NtReadFile(
+  HANDLE           FileHandle,
+  HANDLE           Event,
+  PIO_APC_ROUTINE  ApcRoutine,
+  PVOID            ApcContext,
+  PIO_STATUS_BLOCK IoStatusBlock,
+  PVOID            Buffer,
+  ULONG            Length,
+  PLARGE_INTEGER   ByteOffset,
+  PULONG           Key
+);
+
+
+void FileIOCompletionRoutine(
+  DWORD dwErrorCode,
+  DWORD dwNumberOfBytesTransfered,
+  LPOVERLAPPED lpOverlapped
+) {
+  char* buffer = reinterpret_cast<char*>(lpOverlapped->hEvent);
+  sink(buffer);
+  sink(*buffer); // $ MISSING: ir
+}
+
+void FileIOCompletionRoutine2(
+  DWORD dwErrorCode,
+  DWORD dwNumberOfBytesTransfered,
+  LPOVERLAPPED lpOverlapped
+) {
+  char* buffer = reinterpret_cast<char*>(lpOverlapped->hEvent);
+  sink(buffer);
+  sink(*buffer); // $ ir
+}
+
+void FileIOCompletionRoutine3(
+  DWORD dwErrorCode,
+  DWORD dwNumberOfBytesTransfered,
+  LPOVERLAPPED lpOverlapped
+) {
+  char c = reinterpret_cast<char>(lpOverlapped->hEvent);
+  sink(c); // $ ir
+}
+
+void readFile(HANDLE hFile) {
+  {
+    char buffer[1024];
+    DWORD bytesRead;
+    OVERLAPPED overlapped;
+    BOOL result = ReadFile(hFile, buffer, sizeof(buffer), &bytesRead, &overlapped);
+    sink(buffer);
+    sink(*buffer); // $ ir
+  }
+
+  {
+    char buffer[1024];
+    OVERLAPPED overlapped;
+    overlapped.hEvent = reinterpret_cast<HANDLE>(buffer);
+    ReadFileEx(hFile, buffer, sizeof(buffer) - 1, &overlapped, FileIOCompletionRoutine);
+    sink(buffer);
+    sink(*buffer); // $ ir
+
+    char* p = reinterpret_cast<char*>(overlapped.hEvent);
+    sink(p);
+    sink(*p); // $ MISSING: ir
+  }
+  
+  {
+    char buffer[1024];
+    OVERLAPPED overlapped;
+    ReadFile(hFile, buffer, sizeof(buffer), nullptr, nullptr);
+    overlapped.hEvent = reinterpret_cast<HANDLE>(buffer);
+    char buffer2[1024];
+    ReadFileEx(hFile, buffer2, sizeof(buffer2) - 1, &overlapped, FileIOCompletionRoutine2);
+  }
+
+  {
+    char buffer[1024];
+    OVERLAPPED overlapped;
+    ReadFile(hFile, buffer, sizeof(buffer), nullptr, nullptr);
+    overlapped.hEvent = reinterpret_cast<HANDLE>(*buffer);
+    char buffer2[1024];
+    ReadFileEx(hFile, buffer2, sizeof(buffer2) - 1, &overlapped, FileIOCompletionRoutine3);
+  }
+
+  {
+    char buffer[1024];
+    IO_STATUS_BLOCK ioStatusBlock;
+    LARGE_INTEGER byteOffset;
+    ULONG key;
+    NTSTATUS status = NtReadFile(hFile, nullptr, nullptr, nullptr, &ioStatusBlock, buffer, sizeof(buffer), &byteOffset, &key);
+    sink(buffer);
+    sink(*buffer); // $ ir
+  }
+}
+
+LPVOID MapViewOfFile(
+  HANDLE hFileMappingObject,
+  DWORD  dwDesiredAccess,
+  DWORD  dwFileOffsetHigh,
+  DWORD  dwFileOffsetLow,
+  SIZE_T dwNumberOfBytesToMap
+);
+
+PVOID MapViewOfFile2(
+  HANDLE  FileMappingHandle,
+  HANDLE  ProcessHandle,
+  ULONG64 Offset,
+  PVOID   BaseAddress,
+  SIZE_T  ViewSize,
+  ULONG   AllocationType,
+  ULONG   PageProtection
+);
+
+PVOID MapViewOfFile3(
+  HANDLE                 FileMapping,
+  HANDLE                 Process,
+  PVOID                  BaseAddress,
+  ULONG64                Offset,
+  SIZE_T                 ViewSize,
+  ULONG                  AllocationType,
+  ULONG                  PageProtection,
+  MEM_EXTENDED_PARAMETER *ExtendedParameters,
+  ULONG                  ParameterCount
+);
+
+PVOID MapViewOfFile3FromApp(
+  HANDLE                 FileMapping,
+  HANDLE                 Process,
+  PVOID                  BaseAddress,
+  ULONG64                Offset,
+  SIZE_T                 ViewSize,
+  ULONG                  AllocationType,
+  ULONG                  PageProtection,
+  MEM_EXTENDED_PARAMETER *ExtendedParameters,
+  ULONG                  ParameterCount
+);
+
+LPVOID MapViewOfFileEx(
+  HANDLE hFileMappingObject,
+  DWORD  dwDesiredAccess,
+  DWORD  dwFileOffsetHigh,
+  DWORD  dwFileOffsetLow,
+  SIZE_T dwNumberOfBytesToMap,
+  LPVOID lpBaseAddress
+);
+
+PVOID MapViewOfFileFromApp(
+  HANDLE  hFileMappingObject,
+  ULONG   DesiredAccess,
+  ULONG64 FileOffset,
+  SIZE_T  NumberOfBytesToMap
+);
+
+PVOID MapViewOfFileNuma2(
+  HANDLE  FileMappingHandle,
+  HANDLE  ProcessHandle,
+  ULONG64 Offset,
+  PVOID   BaseAddress,
+  SIZE_T  ViewSize,
+  ULONG   AllocationType,
+  ULONG   PageProtection,
+  ULONG   PreferredNode
+);
+
+void mapViewOfFile(HANDLE hMapFile) {
+  {
+    LPVOID pMapView = MapViewOfFile(hMapFile, FILE_MAP_READ, 0, 0, 0);
+    char* buffer = reinterpret_cast<char*>(pMapView);
+    sink(buffer);
+    sink(*buffer); // $ ir
+  }
+
+  {
+    LPVOID pMapView = MapViewOfFile2(hMapFile, nullptr, 0, nullptr, 0, 0, 0);
+    char* buffer = reinterpret_cast<char*>(pMapView);
+    sink(buffer);
+    sink(*buffer); // $ ir
+  }
+
+  {
+    MEM_EXTENDED_PARAMETER extendedParams;
+
+    LPVOID pMapView = MapViewOfFile3(hMapFile, nullptr, 0, 0, 0, 0, 0, &extendedParams, 1);
+    char* buffer = reinterpret_cast<char*>(pMapView);
+    sink(buffer);
+    sink(*buffer); // $ ir
+  }
+
+  {
+    MEM_EXTENDED_PARAMETER extendedParams;
+
+    LPVOID pMapView = MapViewOfFile3FromApp(hMapFile, nullptr, 0, 0, 0, 0, 0, &extendedParams, 1);
+    char* buffer = reinterpret_cast<char*>(pMapView);
+    sink(buffer);
+    sink(*buffer); // $ ir
+  }
+
+  {
+    LPVOID pMapView = MapViewOfFileEx(hMapFile, FILE_MAP_READ, 0, 0, 0, nullptr);
+    char* buffer = reinterpret_cast<char*>(pMapView);
+    sink(buffer);
+    sink(*buffer); // $ ir
+  }
+
+  {
+    LPVOID pMapView = MapViewOfFileFromApp(hMapFile, FILE_MAP_READ, 0, 0);
+    char* buffer = reinterpret_cast<char*>(pMapView);
+    sink(buffer);
+    sink(*buffer); // $ ir
+  }
+
+  {
+    LPVOID pMapView = MapViewOfFileNuma2(hMapFile, nullptr, 0, nullptr, 0, 0, 0, 0);
+    char* buffer = reinterpret_cast<char*>(pMapView);
+    sink(buffer);
+    sink(*buffer); // $ ir
+  }
+}

cpp/ql/test/library-tests/dataflow/models-as-data/tests.cpp

@@ -56,9 +56,9 @@ void test_sources() {
 	sink(v_direct); // $ ir
 
 	sink(remoteMadSourceIndirect());
-	sink(*remoteMadSourceIndirect()); // $ MISSING: ir
+	sink(*remoteMadSourceIndirect()); // $ ir
 	sink(*remoteMadSourceDoubleIndirect());
-	sink(**remoteMadSourceDoubleIndirect()); // $ MISSING: ir
+	sink(**remoteMadSourceDoubleIndirect()); // $ ir
 
 	int a, b, c, d;
 
@@ -124,7 +124,7 @@ void test_sinks() {
 	// test sources + sinks together
 
 	madSinkArg0(localMadSource()); // $ ir
-	madSinkIndirectArg0(remoteMadSourceIndirect()); // $ MISSING: ir
+	madSinkIndirectArg0(remoteMadSourceIndirect()); // $ ir
 	madSinkVar = remoteMadSourceVar; // $ ir
 	*madSinkVarIndirect = remoteMadSourceVar; // $ MISSING: ir
 }

cpp/ql/test/library-tests/exprs/min_max/expr.expected

@@ -1,6 +1,6 @@
-| test.cpp:3:13:3:13 | i |
-| test.cpp:3:13:3:18 | ... <? ... |
-| test.cpp:3:18:3:18 | j |
 | test.cpp:4:13:4:13 | i |
-| test.cpp:4:13:4:18 | ... >? ... |
+| test.cpp:4:13:4:18 | ... <? ... |
 | test.cpp:4:18:4:18 | j |
+| test.cpp:5:13:5:13 | i |
+| test.cpp:5:13:5:18 | ... >? ... |
+| test.cpp:5:18:5:18 | j |