Ruby: Compile for overlay mode.

.github/workflows/build-ripunzip.yml

@@ -6,18 +6,18 @@ on:
       ripunzip-version:
         description: "what reference to checktout from google/runzip"
         required: false
-        default: v2.0.2
+        default: v1.2.1
       openssl-version:
         description: "what reference to checkout from openssl/openssl for Linux"
         required: false
-        default: openssl-3.5.0
+        default: openssl-3.3.0
 
 jobs:
   build:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-22.04, macos-13, windows-2022]
+        os: [ubuntu-22.04, macos-13, windows-2019]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4

.github/workflows/codegen.yml

@@ -1,11 +1,10 @@
-name: Python tooling
+name: Codegen
 
 on:
   pull_request:
     paths:
       - "misc/bazel/**"
       - "misc/codegen/**"
-      - "misc/scripts/models-as-data/bulk_generate_mad.py"
       - "*.bazel*"
       - .github/workflows/codegen.yml
       - .pre-commit-config.yaml
@@ -18,17 +17,17 @@ permissions:
   contents: read
 
 jobs:
-  check-python-tooling:
+  codegen:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v4
         with:
-          python-version: '3.12'
+          python-version-file: 'misc/codegen/.python-version'
       - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
         name: Check that python code is properly formatted
         with:
-          extra_args: black --all-files
+          extra_args: autopep8 --all-files
       - name: Run codegen tests
         shell: bash
         run: |

.github/workflows/csharp-qltest.yml

@@ -36,7 +36,7 @@ jobs:
   unit-tests:
     strategy:
       matrix:
-        os: [ubuntu-latest, windows-latest]
+        os: [ubuntu-latest, windows-2019]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
@@ -66,6 +66,6 @@ jobs:
           # Update existing stubs in the repo with the freshly generated ones
           mv "$STUBS_PATH/output/stubs/_frameworks" ql/test/resources/stubs/
           git status
-          codeql test run --threads=0 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
+          codeql test run --threads=0 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
         env:
           GITHUB_TOKEN: ${{ github.token }}

.github/workflows/go-tests-other-os.yml

@@ -26,8 +26,9 @@ jobs:
         uses: ./go/actions/test
 
   test-win:
+    if: github.repository_owner == 'github'
     name: Test Windows
-    runs-on: windows-latest
+    runs-on: windows-latest-xl
     steps:
       - name: Check out code
         uses: actions/checkout@v4

.github/workflows/ruby-qltest-rtjo.yml

@@ -35,6 +35,6 @@ jobs:
           key: ruby-qltest
       - name: Run QL tests
         run: |
-          codeql test run --dynamic-join-order-mode=all --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+          codeql test run --dynamic-join-order-mode=all --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
         env:
           GITHUB_TOKEN: ${{ github.token }}

.github/workflows/ruby-qltest.yml

@@ -68,6 +68,6 @@ jobs:
           key: ruby-qltest
       - name: Run QL tests
         run: |
-          codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+          codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
         env:
           GITHUB_TOKEN: ${{ github.token }}

.github/workflows/swift.yml

@@ -32,7 +32,7 @@ jobs:
     if: github.repository_owner == 'github'
     strategy:
       matrix:
-        runner: [ubuntu-latest, macos-15-xlarge]
+        runner: [ubuntu-latest, macos-13-xlarge]
       fail-fast: false
     runs-on: ${{ matrix.runner }}
     steps:

.github/workflows/validate-change-notes.yml

@@ -31,4 +31,4 @@ jobs:
       - name: Fail if there are any errors with existing change notes
 
         run: |
-          codeql pack release --groups actions,cpp,csharp,go,java,javascript,python,ruby,shared,swift -examples,-test,-experimental
+          codeql pack release --groups cpp,csharp,java,javascript,python,ruby,-examples,-test,-experimental

.gitignore

@@ -62,7 +62,6 @@ node_modules/
 
 # Temporary folders for working with generated models
 .model-temp
-/mad-generation-build
 
 # bazel-built in-tree extractor packs
 /*/extractor-pack
@@ -72,7 +71,3 @@ node_modules/
 
 # cargo build directory
 /target
-
-# some upgrade/downgrade checks create these files
-**/upgrades/*/*.dbscheme.stats
-**/downgrades/*/*.dbscheme.stats

.pre-commit-config.yaml

@@ -1,7 +1,5 @@
 # See https://pre-commit.com for more information
 # See https://pre-commit.com/hooks.html for more hooks
-default_language_version:
-  python: python3.12
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v3.2.0
@@ -16,11 +14,11 @@ repos:
     hooks:
       - id: clang-format
 
-  - repo: https://github.com/psf/black
-    rev: 25.1.0
+  - repo: https://github.com/pre-commit/mirrors-autopep8
+    rev: v2.0.4
     hooks:
-      - id: black
-        files: ^(misc/codegen/.*|misc/scripts/models-as-data/bulk_generate_mad)\.py$
+      - id: autopep8
+        files: ^misc/codegen/.*\.py
 
   - repo: local
     hooks:

CODEOWNERS

@@ -16,7 +16,7 @@
 /java/ql/test-kotlin2/ @github/codeql-kotlin
 
 # Experimental CodeQL cryptography
-**/experimental/**/quantum/ @github/ps-codeql
+**/experimental/quantum/ @github/ps-codeql
 /shared/quantum/ @github/ps-codeql
 
 # CodeQL tools and associated docs

Cargo.lock

@@ -242,8 +242,6 @@ version = "1.2.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a012a0df96dd6d06ba9a1b29d6402d1a5d77c6befd2566afdc26e10603dc93d7"
 dependencies = [
- "jobserver",
- "libc",
  "shlex",
 ]
 
@@ -392,7 +390,6 @@ dependencies = [
  "tree-sitter",
  "tree-sitter-json",
  "tree-sitter-ql",
- "zstd",
 ]
 
 [[package]]
@@ -426,7 +423,6 @@ dependencies = [
  "figment",
  "glob",
  "itertools 0.14.0",
- "mustache",
  "num-traits",
  "ra_ap_base_db",
  "ra_ap_cfg",
@@ -987,15 +983,6 @@ version = "1.0.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4a5f13b858c8d314ee3e8f639011f7ccefe71f97f96e50151fb991f267928e2c"
 
-[[package]]
-name = "jobserver"
-version = "0.1.32"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "48d1dbcbbeb6a7fec7e059840aa538bd62aaccf972c7346c4d9d2059312853d0"
-dependencies = [
- "libc",
-]
-
 [[package]]
 name = "jod-thread"
 version = "0.1.2"
@@ -1347,12 +1334,6 @@ version = "0.2.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3b3cff922bd51709b605d9ead9aa71031d81447142d828eb4a6eba76fe619f9b"
 
-[[package]]
-name = "pkg-config"
-version = "0.3.32"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7edddbd0b52d732b21ad9a5fab5c704c14cd949e5e9a1ec5929a24fded1b904c"
-
 [[package]]
 name = "portable-atomic"
 version = "1.11.0"
@@ -3046,31 +3027,3 @@ dependencies = [
  "quote",
  "syn",
 ]
-
-[[package]]
-name = "zstd"
-version = "0.13.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e91ee311a569c327171651566e07972200e76fcfe2242a4fa446149a3881c08a"
-dependencies = [
- "zstd-safe",
-]
-
-[[package]]
-name = "zstd-safe"
-version = "7.2.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8f49c4d5f0abb602a93fb8736af2a4f4dd9512e36f7f570d66e65ff867ed3b9d"
-dependencies = [
- "zstd-sys",
-]
-
-[[package]]
-name = "zstd-sys"
-version = "2.0.15+zstd.1.5.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "eb81183ddd97d0c74cedf1d50d85c8d08c1b8b68ee863bdee9e706eedba1a237"
-dependencies = [
- "cc",
- "pkg-config",
-]

Cargo.toml

@@ -10,7 +10,6 @@ members = [
     "rust/ast-generator",
     "rust/autobuild",
 ]
-exclude = ["mad-generation-build"]
 
 [patch.crates-io]
 # patch for build script bug preventing bazel build

MODULE.bazel

@@ -124,7 +124,6 @@ use_repo(
     "vendor_ts__tree-sitter-ruby-0.23.1",
     "vendor_ts__triomphe-0.1.14",
     "vendor_ts__ungrammar-1.16.1",
-    "vendor_ts__zstd-0.13.3",
 )
 
 http_archive = use_repo_rule("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
@@ -239,24 +238,24 @@ go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
 go_deps.from_file(go_mod = "//go/extractor:go.mod")
 use_repo(go_deps, "org_golang_x_mod", "org_golang_x_tools")
 
-lfs_archive = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_archive")
+lfs_files = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_files")
 
-lfs_archive(
+lfs_files(
     name = "ripunzip-linux",
-    src = "//misc/ripunzip:ripunzip-Linux.zip",
-    build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
+    srcs = ["//misc/ripunzip:ripunzip-linux"],
+    executable = True,
 )
 
-lfs_archive(
+lfs_files(
     name = "ripunzip-windows",
-    src = "//misc/ripunzip:ripunzip-Windows.zip",
-    build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
+    srcs = ["//misc/ripunzip:ripunzip-windows.exe"],
+    executable = True,
 )
 
-lfs_archive(
+lfs_files(
     name = "ripunzip-macos",
-    src = "//misc/ripunzip:ripunzip-macOS.zip",
-    build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
+    srcs = ["//misc/ripunzip:ripunzip-macos"],
+    executable = True,
 )
 
 register_toolchains(

actions/ql/lib/CHANGELOG.md

@@ -1,11 +1,3 @@
-## 0.4.11
-
-No user-facing changes.
-
-## 0.4.10
-
-No user-facing changes.
-
 ## 0.4.9
 
 No user-facing changes.

actions/ql/lib/change-notes/2025-06-09-bash-parsing-performance.md

@@ -1,6 +0,0 @@
----
-category: minorAnalysis
----
-* Fixed performance issues in the parsing of Bash scripts in workflow files,
-  which led to out-of-disk errors when analysing certain workflow files with
-  complex interpolations of shell commands or quoted strings.

actions/ql/lib/change-notes/released/0.4.10.md

@@ -1,3 +0,0 @@
-## 0.4.10
-
-No user-facing changes.

actions/ql/lib/change-notes/released/0.4.11.md

@@ -1,3 +0,0 @@
-## 0.4.11
-
-No user-facing changes.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.11
+lastReleaseVersion: 0.4.9

actions/ql/lib/codeql/actions/Ast.qll

@@ -50,8 +50,8 @@ class Expression extends AstNode instanceof ExpressionImpl {
   string getNormalizedExpression() { result = normalizeExpr(expression) }
 }
 
-/** An `env` in workflow, job or step. */
-class Env extends AstNode instanceof EnvImpl {
+/** A common class for `env` in workflow, job or step. */
+abstract class Env extends AstNode instanceof EnvImpl {
   /** Gets an environment variable value given its name. */
   ScalarValueImpl getEnvVarValue(string name) { result = super.getEnvVarValue(name) }
 

actions/ql/lib/codeql/actions/Bash.qll

@@ -8,64 +8,35 @@ class BashShellScript extends ShellScript {
     )
   }
 
-  /**
-   * Gets the line at 0-based index `lineIndex` within this shell script,
-   * assuming newlines as separators.
-   */
-  private string lineProducer(int lineIndex) {
-    result = this.getRawScript().regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n", lineIndex)
+  private string lineProducer(int i) {
+    result = this.getRawScript().regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n", i)
   }
 
-  private predicate cmdSubstitutionReplacement(string command, string id, int lineIndex) {
-    this.commandInSubstitution(lineIndex, command, id)
-    or
-    this.commandInBackticks(lineIndex, command, id)
-  }
-
-  /**
-   * Holds if there is a command substitution `$(command)` in
-   * the line at `lineIndex` in the shell script,
-   * and `id` is a unique identifier for this command.
-   */
-  private predicate commandInSubstitution(int lineIndex, string command, string id) {
-    exists(int occurrenceIndex, int occurrenceOffset |
-      command =
-        // Look for the command inside a $(...) command substitution
-        this.lineProducer(lineIndex)
-            .regexpFind("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", occurrenceIndex,
-              occurrenceOffset)
-            // trim starting $( - TODO do this in first regex
-            .regexpReplaceAll("^\\$\\(", "")
-            // trim ending ) - TODO do this in first regex
-            .regexpReplaceAll("\\)$", "") and
-      id = "cmdsubs:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset
+  private predicate cmdSubstitutionReplacement(string cmdSubs, string id, int k) {
+    exists(string line | line = this.lineProducer(k) |
+      exists(int i, int j |
+        cmdSubs =
+          // $() cmd substitution
+          line.regexpFind("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", i, j)
+              .regexpReplaceAll("^\\$\\(", "")
+              .regexpReplaceAll("\\)$", "") and
+        id = "cmdsubs:" + k + ":" + i + ":" + j
+      )
+      or
+      exists(int i, int j |
+        // `...` cmd substitution
+        cmdSubs =
+          line.regexpFind("\\`[^\\`]+\\`", i, j)
+              .regexpReplaceAll("^\\`", "")
+              .regexpReplaceAll("\\`$", "") and
+        id = "cmd:" + k + ":" + i + ":" + j
+      )
     )
   }
 
-  /**
-   * Holds if `command` is a command in backticks `` `...` `` in
-   * the line at `lineIndex` in the shell script,
-   * and `id` is a unique identifier for this command.
-   */
-  private predicate commandInBackticks(int lineIndex, string command, string id) {
-    exists(int occurrenceIndex, int occurrenceOffset |
-      command =
-        this.lineProducer(lineIndex)
-            .regexpFind("\\`[^\\`]+\\`", occurrenceIndex, occurrenceOffset)
-            // trim leading backtick - TODO do this in first regex
-            .regexpReplaceAll("^\\`", "")
-            // trim trailing backtick - TODO do this in first regex
-            .regexpReplaceAll("\\`$", "") and
-      id = "cmd:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset
-    )
-  }
-
-  private predicate rankedCmdSubstitutionReplacements(int i, string command, string commandId) {
-    // rank commands by their unique IDs
-    commandId = rank[i](string c, string id | this.cmdSubstitutionReplacement(c, id, _) | id) and
-    // since we cannot output (command, ID) tuples from the rank operation,
-    // we need to work out the specific command associated with the resulting ID
-    this.cmdSubstitutionReplacement(command, commandId, _)
+  private predicate rankedCmdSubstitutionReplacements(int i, string old, string new) {
+    old = rank[i](string old2 | this.cmdSubstitutionReplacement(old2, _, _) | old2) and
+    this.cmdSubstitutionReplacement(old, new, _)
   }
 
   private predicate doReplaceCmdSubstitutions(int line, int round, string old, string new) {
@@ -93,56 +64,31 @@ class BashShellScript extends ShellScript {
     this.cmdSubstitutionReplacement(result, _, i)
   }
 
-  /**
-   * Holds if `quotedStr` is a string in double quotes in
-   * the line at `lineIndex` in the shell script,
-   * and `id` is a unique identifier for this quoted string.
-   */
-  private predicate doubleQuotedString(int lineIndex, string quotedStr, string id) {
-    exists(int occurrenceIndex, int occurrenceOffset |
-      // double quoted string
-      quotedStr =
-        this.cmdSubstitutedLineProducer(lineIndex)
-            .regexpFind("\"((?:[^\"\\\\]|\\\\.)*)\"", occurrenceIndex, occurrenceOffset) and
-      id =
-        "qstr:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset + ":" +
-          quotedStr.length() + ":" + quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
-    )
-  }
-
-  /**
-   * Holds if `quotedStr` is a string in single quotes in
-   * the line at `lineIndex` in the shell script,
-   * and `id` is a unique identifier for this quoted string.
-   */
-  private predicate singleQuotedString(int lineIndex, string quotedStr, string id) {
-    exists(int occurrenceIndex, int occurrenceOffset |
-      // single quoted string
-      quotedStr =
-        this.cmdSubstitutedLineProducer(lineIndex)
-            .regexpFind("'((?:\\\\.|[^'\\\\])*)'", occurrenceIndex, occurrenceOffset) and
-      id =
-        "qstr:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset + ":" +
-          quotedStr.length() + ":" + quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
-    )
-  }
-
   private predicate quotedStringReplacement(string quotedStr, string id) {
-    exists(int lineIndex |
-      this.doubleQuotedString(lineIndex, quotedStr, id)
+    exists(string line, int k | line = this.cmdSubstitutedLineProducer(k) |
+      exists(int i, int j |
+        // double quoted string
+        quotedStr = line.regexpFind("\"((?:[^\"\\\\]|\\\\.)*)\"", i, j) and
+        id =
+          "qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" +
+            quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
+      )
       or
-      this.singleQuotedString(lineIndex, quotedStr, id)
+      exists(int i, int j |
+        // single quoted string
+        quotedStr = line.regexpFind("'((?:\\\\.|[^'\\\\])*)'", i, j) and
+        id =
+          "qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" +
+            quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
+      )
     ) and
     // Only do this for strings that might otherwise disrupt subsequent parsing
     quotedStr.regexpMatch("[\"'].*[$\n\r'\"" + Bash::separator() + "].*[\"']")
   }
 
-  private predicate rankedQuotedStringReplacements(int i, string quotedString, string quotedStringId) {
-    // rank quoted strings by their nearly-unique IDs
-    quotedStringId = rank[i](string s, string id | this.quotedStringReplacement(s, id) | id) and
-    // since we cannot output (string, ID) tuples from the rank operation,
-    // we need to work out the specific string associated with the resulting ID
-    this.quotedStringReplacement(quotedString, quotedStringId)
+  private predicate rankedQuotedStringReplacements(int i, string old, string new) {
+    old = rank[i](string old2 | this.quotedStringReplacement(old2, _) | old2) and
+    this.quotedStringReplacement(old, new)
   }
 
   private predicate doReplaceQuotedStrings(int line, int round, string old, string new) {

actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll

@@ -214,8 +214,6 @@ private module OutputClobberingConfig implements DataFlow::ConfigSig {
       )
     )
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */

actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll

@@ -16,8 +16,6 @@ private module RequestForgeryConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */

actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll

@@ -15,8 +15,6 @@ private module SecretExfiltrationConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof SecretExfiltrationSink }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 /** Tracks flow of unsafe user input that is used in a context where it may lead to a secret exfiltration. */

actions/ql/lib/ext/config/actions_permissions.yml

@@ -22,21 +22,16 @@ extensions:
       - ["actions/stale", "pull-requests: write"]
       - ["actions/attest-build-provenance", "id-token: write"]
       - ["actions/attest-build-provenance", "attestations: write"]
-      - ["actions/deploy-pages", "pages: write"]
-      - ["actions/deploy-pages", "id-token: write"]
-      - ["actions/delete-package-versions", "packages: write"]
       - ["actions/jekyll-build-pages", "contents: read"]
       - ["actions/jekyll-build-pages", "pages: write"]
       - ["actions/jekyll-build-pages", "id-token: write"]
       - ["actions/publish-action", "contents: write"]
-      - ["actions/versions-package-tools", "contents: read"]
+      - ["actions/versions-package-tools", "contents: read"]      
       - ["actions/versions-package-tools", "actions: read"]
-      - ["actions/reusable-workflows", "contents: read"]
+      - ["actions/reusable-workflows", "contents: read"]      
       - ["actions/reusable-workflows", "actions: read"]
-      - ["actions/ai-inference", "contents: read"]
-      - ["actions/ai-inference", "models: read"]
       # TODO: Add permissions for actions/download-artifact
       # TODO: Add permissions for actions/upload-artifact
-      # No permissions needed for actions/upload-pages-artifact
       # TODO: Add permissions for actions/cache
-      # No permissions needed for actions/configure-pages
+
+      

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.12-dev
+version: 0.4.10-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,13 +1,3 @@
-## 0.6.3
-
-No user-facing changes.
-
-## 0.6.2
-
-### Minor Analysis Improvements
-
-* The query `actions/missing-workflow-permissions` is now aware of the minimal permissions needed for the actions `deploy-pages`, `delete-package-versions`, `ai-inference`. This should lead to better alert messages and better fix suggestions.
-
 ## 0.6.1
 
 No user-facing changes.

actions/ql/src/Models/CompositeActionsSinks.ql

@@ -24,8 +24,6 @@ private module MyConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     sink instanceof CodeInjectionSink and not madSink(sink, "code-injection")
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/Models/CompositeActionsSources.ql

@@ -34,8 +34,6 @@ private module MyConfig implements DataFlow::ConfigSig {
     isSink(node) and
     set instanceof DataFlow::FieldContent
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/Models/CompositeActionsSummaries.ql

@@ -25,8 +25,6 @@ private module MyConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     exists(CompositeAction c | c.getAnOutputExpr() = sink.asExpr())
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/Models/ReusableWorkflowsSinks.ql

@@ -24,8 +24,6 @@ private module MyConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     sink instanceof CodeInjectionSink and not madSink(sink, "code-injection")
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/Models/ReusableWorkflowsSources.ql

@@ -34,8 +34,6 @@ private module MyConfig implements DataFlow::ConfigSig {
     isSink(node) and
     set instanceof DataFlow::FieldContent
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/Models/ReusableWorkflowsSummaries.ql

@@ -25,8 +25,6 @@ private module MyConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     exists(ReusableWorkflow w | w.getAnOutputExpr() = sink.asExpr())
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/change-notes/released/0.6.2.md

@@ -1,5 +0,0 @@
-## 0.6.2
-
-### Minor Analysis Improvements
-
-* The query `actions/missing-workflow-permissions` is now aware of the minimal permissions needed for the actions `deploy-pages`, `delete-package-versions`, `ai-inference`. This should lead to better alert messages and better fix suggestions.

actions/ql/src/change-notes/released/0.6.3.md

@@ -1,3 +0,0 @@
-## 0.6.3
-
-No user-facing changes.

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.3
+lastReleaseVersion: 0.6.1

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.4-dev
+version: 0.6.2-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/interpolation.yml

@@ -1,81 +0,0 @@
-name: Workflow with complex interpolation
-on: 
-  workflow_dispatch:
-    inputs:
-      choice-a:
-        required: true
-        type: choice
-        description: choice-a
-        default: a1
-        options: 
-        - a1
-        - a2
-        - a3
-      string-b:
-        required: false
-        type: string
-        description: string-b
-      string-c:
-        required: false
-        type: string
-        description: string-c
-      list-d:
-        required: true
-        type: string
-        default: d1 d2
-        description: list-d whitespace separated
-      list-e:
-        required: false
-        type: string
-        description: list-e whitespace separated
-      choice-f:
-        required: true
-        type: choice
-        description: choice-f
-        options: 
-        - false
-        - true
-          
-env:
-  DRY_TEST: false
-  B: ${{ github.event.inputs.string-b }}
-
-jobs:
-  job:
-    runs-on: ubuntu-latest
-    steps:
-    - name: Produce values
-      id: produce-values
-      run: |
-        echo "region=region" >> $GITHUB_OUTPUT
-        echo "zone=zone" >> $GITHUB_OUTPUT
-
-    - name: Step with complex interpolation
-      id: complex
-      env:
-        CHOICE_A: ${{ github.event.inputs.choice-a }}
-        STRING_B: ${{ github.event.inputs.string-b }}
-        STRING_C: ${{ github.event.inputs.string-c }}
-        LIST_D: ${{ github.event.inputs.list-d }}
-        LIST_E: ${{ github.event.inputs.list-e }}
-        CHOICE_F: ${{ github.event.inputs.choice-f }}
-        REGION: ${{ steps.produce-values.outputs.region }}
-        ZONE: ${{ steps.produce-values.outputs.zone }}
-        DRY_TEST_JSON: ${{ fromJSON(env.DRY_TEST) }}
-        FUNCTION_NAME: my-function
-        USER_EMAIL: 'example@example.com'
-        TYPE: type
-        RANGE: '0-100'
-
-      run: |
-        comma_separated_list_d=$(echo "${LIST_D}" | sed "s/ /\",\"/g")
-        comma_separated_list_e=$(echo "${LIST_E}" | sed "s/ /\",\"/g")
-        c1=$(echo "${STRING_C}" | cut -d "-" -f 1)
-        c2=$(echo "${STRING_C}" | cut -d "-" -f 2)
-        # Similar commands that use JSON payloads with string interpolation.
-        response=$(aws lambda invoke --invocation-type RequestResponse --function-name "${FUNCTION_NAME}" --region "${REGION}" --cli-read-timeout 0 --cli-binary-format raw-in-base64-out --payload '{"appName":"my-app","chA":"'"${CHOICE_A}"'","c1":"'"${c1}"'","c2":"'"${c2}"'","a":"${CHOICE_A}","bValue":"${B}","zone":"${ZONE}","userEmail":"'"${USER_EMAIL}"'","region":"${REGION}","range":"${RANGE}","type":"${TYPE}","b":"${STRING_B}","listD":"","listE":"","dryTest":'"${DRY_TEST_JSON}"',"f":"${CHOICE_F}"}' ./config.json --log-type Tail)
-        response=$(aws lambda invoke --invocation-type RequestResponse --function-name "${FUNCTION_NAME}" --region "${REGION}" --cli-read-timeout 0 --cli-binary-format raw-in-base64-out --payload '{"appName":"my-app","chA":"'"${CHOICE_A}"'","c1":"'"${c1}"'","c2":"'"${c2}"'","a":"${CHOICE_A}","bValue":"${B}","zone":"${ZONE}","userEmail":"'"${USER_EMAIL}"'","region":"${REGION}","range":"${RANGE}","type":"${TYPE}","b":"${STRING_B}","listD":["'"${comma_separated_list_d}"'"],"listE":"","dryTest":'"${DRY_TEST_JSON}"',"f":"${CHOICE_F}"}' ./config.json --log-type Tail)
-        response=$(aws lambda invoke --invocation-type RequestResponse --function-name "${FUNCTION_NAME}" --region "${REGION}" --cli-read-timeout 0 --cli-binary-format raw-in-base64-out --payload '{"appName":"my-app","chA":"'"${CHOICE_A}"'","c1":"'"${c1}"'","c2":"'"${c2}"'","a":"${CHOICE_A}","bValue":"${B}","zone":"${ZONE}","userEmail":"'"${USER_EMAIL}"'","region":"${REGION}","range":"${RANGE}","type":"${TYPE}","b":"${STRING_B}","listD":["'"${comma_separated_list_d}"'"],"listE":"","dryTest":'"${DRY_TEST_JSON}"',"f":"${CHOICE_F}"}' ./config.json --log-type Tail)
-        response=$(aws lambda invoke --invocation-type RequestResponse --function-name "${FUNCTION_NAME}" --region "${REGION}" --cli-read-timeout 0 --cli-binary-format raw-in-base64-out --payload '{"appName":"my-app","chA":"'"${CHOICE_A}"'","c1":"'"${c1}"'","c2":"'"${c2}"'","a":"${CHOICE_A}","bValue":"${B}","zone":"${ZONE}","userEmail":"'"${USER_EMAIL}"'","region":"${REGION}","range":"${RANGE}","type":"${TYPE}","b":"${STRING_B}","listD":["'"${comma_separated_list_d}"'"],"listE":"","dryTest":'"${DRY_TEST_JSON}"',"f":"${CHOICE_F}"}' ./config.json --log-type Tail)
-        response=$(aws lambda invoke --invocation-type RequestResponse --function-name "${FUNCTION_NAME}" --region "${REGION}" --cli-read-timeout 0 --cli-binary-format raw-in-base64-out --payload '{"appName":"my-app","chA":"'"${CHOICE_A}"'","c1":"'"${c1}"'","c2":"'"${c2}"'","a":"${CHOICE_A}","bValue":"${B}","zone":"${ZONE}","userEmail":"'"${USER_EMAIL}"'","region":"${REGION}","range":"${RANGE}","type":"${TYPE}","b":"${STRING_B}","listD":"","listE":["'"${comma_separated_list_e}"'"],"dryTest":'"${DRY_TEST_JSON}"',"f":"${CHOICE_F}"}' ./config.json --log-type Tail)
-      shell: bash

actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms10.yml

@@ -1,10 +0,0 @@
-on:
-  workflow_call:
-  workflow_dispatch:
-
-jobs:
-  build:
-    name: Build and test
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/ai-inference

actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms8.yml

@@ -1,10 +0,0 @@
-on:
-  workflow_call:
-  workflow_dispatch:
-
-jobs:
-  build:
-    name: Build and test
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/deploy-pages

actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms9.yml

@@ -1,10 +0,0 @@
-on:
-  workflow_call:
-  workflow_dispatch:
-
-jobs:
-  build:
-    name: Build and test
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/delete-package-versions

actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected

@@ -3,6 +3,3 @@
 | .github/workflows/perms5.yml:7:5:10:32 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read} |
 | .github/workflows/perms6.yml:7:5:11:39 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read, id-token: write, pages: write} |
 | .github/workflows/perms7.yml:7:5:10:38 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {} |
-| .github/workflows/perms8.yml:7:5:10:33 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {id-token: write, pages: write} |
-| .github/workflows/perms9.yml:7:5:10:44 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {packages: write} |
-| .github/workflows/perms10.yml:7:5:10:33 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read, models: read} |

cpp/bulk_generation_targets.yml

@@ -1,31 +0,0 @@
-language: cpp
-strategy: dca
-destination: cpp/ql/lib/ext/generated
-targets:
-- name: zlib
-  with-sinks: false
-  with-sources: false
-- name: brotli
-  with-sinks: false
-  with-sources: false
-- name: libidn2
-  with-sinks: false
-  with-sources: false
-- name: libssh2
-  with-sinks: false
-  with-sources: false
-- name: sqlite
-  with-sinks: false
-  with-sources: false
-- name: openssl
-  with-sinks: false
-  with-sources: false
-- name: nghttp2
-  with-sinks: false
-  with-sources: false
-- name: libuv
-  with-sinks: false
-  with-sources: false
-- name: curl
-  with-sinks: false
-  with-sources: false

cpp/downgrades/3c45f8b9e71ec723bf50c40581e1f18f4f25e290/lambdas.ql

@@ -1,7 +0,0 @@
-class LambdaExpr extends @lambdaexpr {
-  string toString() { none() }
-}
-
-from LambdaExpr lambda, string default_capture, boolean has_explicit_return_type
-where lambdas(lambda, default_capture, has_explicit_return_type, _)
-select lambda, default_capture, has_explicit_return_type

cpp/downgrades/3c45f8b9e71ec723bf50c40581e1f18f4f25e290/upgrade.properties

@@ -1,3 +0,0 @@
-description: capture whether a lambda has an explicitly specified parameter list.
-compatibility: full
-lambdas.rel: run lambdas.qlo

cpp/downgrades/59cb96ca699929b63941e81905f9b8de7eed59a6/preprocdirects.ql

@@ -11,7 +11,7 @@ int getKind(int kind) {
   if kind = 14
   then result = 6 // Represent MSFT #import as #include
   else
-    if kind = 15 or kind = 16
+    if kind = 15 or kind = 6
     then result = 3 // Represent #elifdef and #elifndef as #elif
     else result = kind
 }

cpp/downgrades/9baef67d1ffc1551429dbe1c1130815693e28218/upgrade.properties

@@ -1,3 +0,0 @@
-description: Add a predicate `getAnAttribute` to `Namespace`
-compatibility: full
-namespaceattributes.rel: delete

cpp/downgrades/a8c2176e9a5cf9be8d17053a4c8e7e56b5aced6d/stmts.ql

@@ -1,13 +0,0 @@
-class Stmt extends @stmt {
-  string toString() { none() }
-}
-
-class Location extends @location_stmt {
-  string toString() { none() }
-}
-
-from Stmt id, int kind, Location loc, int new_kind
-where
-  stmts(id, kind, loc) and
-  if kind = 40 then new_kind = 4 else new_kind = kind
-select id, new_kind, loc

cpp/downgrades/a8c2176e9a5cf9be8d17053a4c8e7e56b5aced6d/upgrade.properties

@@ -1,3 +0,0 @@
-description: Support `__leave` statement
-compatibility: full
-stmts.rel: run stmts.qlo

cpp/downgrades/af887e83a815a9cefe774ffa80e2493a1365b9e2/builtintypes.ql

@@ -1,9 +0,0 @@
-class BuiltinType extends @builtintype {
-  string toString() { none() }
-}
-
-from BuiltinType id, string name, int kind, int new_kind, int size, int sign, int alignment
-where
-  builtintypes(id, name, kind, size, sign, alignment) and
-  if kind = 62 then new_kind = 1 else new_kind = kind
-select id, name, new_kind, size, sign, alignment

cpp/downgrades/af887e83a815a9cefe774ffa80e2493a1365b9e2/upgrade.properties

@@ -1,3 +0,0 @@
-description: Support __mfp8 type
-compatibility: backwards
-builtintypes.rel: run builtintypes.qlo

cpp/ql/lib/CHANGELOG.md

@@ -1,33 +1,3 @@
-## 5.1.0
-
-### New Features
-
-* Added a predicate `getReferencedMember` to `UsingDeclarationEntry`, which yields a member depending on a type template parameter.
-
-## 5.0.0
-
-### Breaking Changes
-
-* Deleted the deprecated `userInputArgument` predicate and its convenience accessor from the `Security.qll`.
-* Deleted the deprecated `userInputReturned` predicate and its convenience accessor from the `Security.qll`.
-* Deleted the deprecated `userInputReturn` predicate from the `Security.qll`.
-* Deleted the deprecated `isUserInput` predicate and its convenience accessor from the `Security.qll`.
-* Deleted the deprecated `userInputArgument` predicate from the `SecurityOptions.qll`.
-* Deleted the deprecated `userInputReturned` predicate from the `SecurityOptions.qll`.
-
-### New Features
-
-* Added local flow source models for `ReadFile`, `ReadFileEx`, `MapViewOfFile`, `MapViewOfFile2`, `MapViewOfFile3`, `MapViewOfFile3FromApp`, `MapViewOfFileEx`, `MapViewOfFileFromApp`, `MapViewOfFileNuma2`, and `NtReadFile`.
-* Added the `pCmdLine` arguments of `WinMain` and `wWinMain` as local flow sources.
-* Added source models for `GetCommandLineA`, `GetCommandLineW`, `GetEnvironmentStringsA`, `GetEnvironmentStringsW`, `GetEnvironmentVariableA`, and `GetEnvironmentVariableW`.
-* Added summary models for `CommandLineToArgvA` and `CommandLineToArgvW`.
-* Added support for `wmain` as part of the ArgvSource model.
-
-### Bug Fixes
-
-* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ArrayAggregateLiteral`s.
-* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ClassAggregateLiteral`s.
-
 ## 4.3.1
 
 ### Bug Fixes

cpp/ql/lib/change-notes/2014-12-13-deprecate-throwing.md

@@ -1,4 +0,0 @@
----
-category: deprecated
----
-* The `ThrowingFunction` class (`semmle.code.cpp.models.interfaces.Throwing`) has been deprecated. Please use the `AlwaysSehThrowingFunction` class instead.

cpp/ql/lib/change-notes/2025-06-06-lambda-parameters.md

@@ -1,4 +0,0 @@
----
-category: feature
----
-* Added a predicate `hasParameterList` to `LambdaExpression` to capture whether a lambda has an explicitly specified parameter list.

cpp/ql/lib/change-notes/2025-06-11-leave-stmt.md

@@ -1,5 +0,0 @@
----
-category: feature
----
-* The Microsoft-specific `__leave` statement is now supported.
-* A new class `LeaveStmt` extending `JumpStmt` was added to represent `__leave` statements.

cpp/ql/lib/change-notes/2025-06-16-namespace-attributes.md

@@ -1,4 +0,0 @@
----
-category: feature
----
-* Added a predicate `getAnAttribute` to `Namespace` to retrieve a namespace attribute.

cpp/ql/lib/change-notes/2025-06-17-arraytype-typedefs.md

@@ -1,4 +0,0 @@
----
-category: fix
----
-* `resolveTypedefs` now properly resolves typedefs for `ArrayType`s.

cpp/ql/lib/change-notes/released/5.0.0.md

@@ -1,23 +0,0 @@
-## 5.0.0
-
-### Breaking Changes
-
-* Deleted the deprecated `userInputArgument` predicate and its convenience accessor from the `Security.qll`.
-* Deleted the deprecated `userInputReturned` predicate and its convenience accessor from the `Security.qll`.
-* Deleted the deprecated `userInputReturn` predicate from the `Security.qll`.
-* Deleted the deprecated `isUserInput` predicate and its convenience accessor from the `Security.qll`.
-* Deleted the deprecated `userInputArgument` predicate from the `SecurityOptions.qll`.
-* Deleted the deprecated `userInputReturned` predicate from the `SecurityOptions.qll`.
-
-### New Features
-
-* Added local flow source models for `ReadFile`, `ReadFileEx`, `MapViewOfFile`, `MapViewOfFile2`, `MapViewOfFile3`, `MapViewOfFile3FromApp`, `MapViewOfFileEx`, `MapViewOfFileFromApp`, `MapViewOfFileNuma2`, and `NtReadFile`.
-* Added the `pCmdLine` arguments of `WinMain` and `wWinMain` as local flow sources.
-* Added source models for `GetCommandLineA`, `GetCommandLineW`, `GetEnvironmentStringsA`, `GetEnvironmentStringsW`, `GetEnvironmentVariableA`, and `GetEnvironmentVariableW`.
-* Added summary models for `CommandLineToArgvA` and `CommandLineToArgvW`.
-* Added support for `wmain` as part of the ArgvSource model.
-
-### Bug Fixes
-
-* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ArrayAggregateLiteral`s.
-* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ClassAggregateLiteral`s.

cpp/ql/lib/change-notes/released/5.1.0.md

@@ -1,5 +0,0 @@
-## 5.1.0
-
-### New Features
-
-* Added a predicate `getReferencedMember` to `UsingDeclarationEntry`, which yields a member depending on a type template parameter.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.1.0
+lastReleaseVersion: 4.3.1

cpp/ql/lib/experimental/quantum/Language.qll

@@ -1,7 +1,6 @@
 private import cpp as Language
-import semmle.code.cpp.dataflow.new.TaintTracking
+import semmle.code.cpp.dataflow.new.DataFlow
 import codeql.quantum.experimental.Model
-private import OpenSSL.GenericSourceCandidateLiteral
 
 module CryptoInput implements InputSig<Language::Location> {
   class DataFlowNode = DataFlow::Node;
@@ -87,21 +86,6 @@ module GenericDataSourceFlowConfig implements DataFlow::ConfigSig {
   }
 }
 
-module GenericDataSourceFlow = TaintTracking::Global<GenericDataSourceFlowConfig>;
-
-private class ConstantDataSource extends Crypto::GenericConstantSourceInstance instanceof Literal {
-  ConstantDataSource() { this instanceof OpenSSLGenericSourceCandidateLiteral }
-
-  override DataFlow::Node getOutputNode() { result.asExpr() = this }
-
-  override predicate flowsTo(Crypto::FlowAwareElement other) {
-    // TODO: separate config to avoid blowing up data-flow analysis
-    GenericDataSourceFlow::flow(this.getOutputNode(), other.getInputNode())
-  }
-
-  override string getAdditionalDescription() { result = this.toString() }
-}
-
 module ArtifactUniversalFlowConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
     source = any(Crypto::ArtifactInstance artifact).getOutputNode()

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll

@@ -1,9 +1,7 @@
 import cpp
-private import experimental.quantum.Language
-private import semmle.code.cpp.dataflow.new.DataFlow
-private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
-private import PaddingAlgorithmInstance
+import semmle.code.cpp.dataflow.new.DataFlow
+import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
 
 /**
  * Traces 'known algorithms' to AVCs, specifically
@@ -20,9 +18,6 @@ module KnownOpenSSLAlgorithmToAlgorithmValueConsumerConfig implements DataFlow::
   predicate isSink(DataFlow::Node sink) {
     exists(OpenSSLAlgorithmValueConsumer c |
       c.getInputNode() = sink and
-      // exclude padding algorithm consumers, since
-      // these consumers take in different constant values
-      // not in the typical "known algorithm" set
       not c instanceof PaddingAlgorithmValueConsumer
     )
   }
@@ -47,7 +42,9 @@ module KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow =
   DataFlow::Global<KnownOpenSSLAlgorithmToAlgorithmValueConsumerConfig>;
 
 module RSAPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source.asExpr() instanceof OpenSSLPaddingLiteral }
+  predicate isSource(DataFlow::Node source) {
+    source.asExpr() instanceof KnownOpenSSLAlgorithmConstant
+  }
 
   predicate isSink(DataFlow::Node sink) {
     exists(PaddingAlgorithmValueConsumer c | c.getInputNode() = sink)

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/BlockAlgorithmInstance.qll

@@ -1,14 +1,13 @@
 import cpp
-private import experimental.quantum.Language
-private import OpenSSLAlgorithmInstanceBase
-private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
-private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
-private import AlgToAVCFlow
+import experimental.quantum.Language
+import OpenSSLAlgorithmInstanceBase
+import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
+import AlgToAVCFlow
 
 /**
  * Given a `KnownOpenSSLBlockModeAlgorithmConstant`, converts this to a block family type.
- * Does not bind if there is no mapping (no mapping to 'unknown' or 'other').
+ * Does not bind if there is know mapping (no mapping to 'unknown' or 'other').
  */
 predicate knownOpenSSLConstantToBlockModeFamilyType(
   KnownOpenSSLBlockModeAlgorithmConstant e, Crypto::TBlockCipherModeOfOperationType type
@@ -71,11 +70,7 @@ class KnownOpenSSLBlockModeConstantAlgorithmInstance extends OpenSSLAlgorithmIns
 
   // NOTE: I'm not going to attempt to parse out the mode specific part, so returning
   // the same as the raw name for now.
-  override string getRawModeAlgorithmName() {
-    result = this.(Literal).getValue().toString()
-    or
-    result = this.(Call).getTarget().getName()
-  }
+  override string getRawModeAlgorithmName() { result = this.(Literal).getValue().toString() }
 
   override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
 }

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll

@@ -1,17 +1,16 @@
 import cpp
-private import experimental.quantum.Language
-private import KnownAlgorithmConstants
-private import Crypto::KeyOpAlg as KeyOpAlg
-private import OpenSSLAlgorithmInstanceBase
-private import PaddingAlgorithmInstance
-private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
-private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
-private import AlgToAVCFlow
-private import BlockAlgorithmInstance
+import experimental.quantum.Language
+import KnownAlgorithmConstants
+import Crypto::KeyOpAlg as KeyOpAlg
+import OpenSSLAlgorithmInstanceBase
+import PaddingAlgorithmInstance
+import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+import AlgToAVCFlow
+import BlockAlgorithmInstance
 
 /**
  * Given a `KnownOpenSSLCipherAlgorithmConstant`, converts this to a cipher family type.
- * Does not bind if there is no mapping (no mapping to 'unknown' or 'other').
+ * Does not bind if there is know mapping (no mapping to 'unknown' or 'other').
  */
 predicate knownOpenSSLConstantToCipherFamilyType(
   KnownOpenSSLCipherAlgorithmConstant e, Crypto::KeyOpAlg::TAlgorithm type
@@ -102,14 +101,13 @@ class KnownOpenSSLCipherConstantAlgorithmInstance extends OpenSSLAlgorithmInstan
     // TODO or trace through getter ctx to set padding
   }
 
-  override string getRawAlgorithmName() {
-    result = this.(Literal).getValue().toString()
-    or
-    result = this.(Call).getTarget().getName()
-  }
+  override string getRawAlgorithmName() { result = this.(Literal).getValue().toString() }
 
-  override int getKeySizeFixed() {
-    this.(KnownOpenSSLCipherAlgorithmConstant).getExplicitKeySize() = result
+  override string getKeySizeFixed() {
+    exists(int keySize |
+      this.(KnownOpenSSLCipherAlgorithmConstant).getExplicitKeySize() = keySize and
+      result = keySize.toString()
+    )
   }
 
   override Crypto::KeyOpAlg::Algorithm getAlgorithmType() {

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll

@@ -1,53 +0,0 @@
-import cpp
-private import experimental.quantum.Language
-private import KnownAlgorithmConstants
-private import OpenSSLAlgorithmInstanceBase
-private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
-private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
-private import AlgToAVCFlow
-
-class KnownOpenSSLEllipticCurveConstantAlgorithmInstance extends OpenSSLAlgorithmInstance,
-  Crypto::EllipticCurveInstance instanceof KnownOpenSSLEllipticCurveAlgorithmConstant
-{
-  OpenSSLAlgorithmValueConsumer getterCall;
-
-  KnownOpenSSLEllipticCurveConstantAlgorithmInstance() {
-    // Two possibilities:
-    // 1) The source is a literal and flows to a getter, then we know we have an instance
-    // 2) The source is a KnownOpenSSLAlgorithm is call, and we know we have an instance immediately from that
-    // Possibility 1:
-    this instanceof Literal and
-    exists(DataFlow::Node src, DataFlow::Node sink |
-      // Sink is an argument to a CipherGetterCall
-      sink = getterCall.getInputNode() and
-      // Source is `this`
-      src.asExpr() = this and
-      // This traces to a getter
-      KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink)
-    )
-    or
-    // Possibility 2:
-    this instanceof DirectAlgorithmValueConsumer and getterCall = this
-  }
-
-  override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
-
-  override string getRawEllipticCurveName() {
-    result = this.(Literal).getValue().toString()
-    or
-    result = this.(Call).getTarget().getName()
-  }
-
-  override Crypto::TEllipticCurveType getEllipticCurveType() {
-    Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.getParsedEllipticCurveName(), _, result)
-  }
-
-  override string getParsedEllipticCurveName() {
-    result = this.(KnownOpenSSLEllipticCurveAlgorithmConstant).getNormalizedName()
-  }
-
-  override int getKeySize() {
-    Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.(KnownOpenSSLEllipticCurveAlgorithmConstant)
-          .getNormalizedName(), result, _)
-  }
-}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/HashAlgorithmInstance.qll

@@ -1,9 +1,8 @@
 import cpp
-private import experimental.quantum.Language
-private import KnownAlgorithmConstants
-private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
-private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
-private import AlgToAVCFlow
+import experimental.quantum.Language
+import KnownAlgorithmConstants
+import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+import AlgToAVCFlow
 
 predicate knownOpenSSLConstantToHashFamilyType(
   KnownOpenSSLHashAlgorithmConstant e, Crypto::THashType type
@@ -76,11 +75,7 @@ class KnownOpenSSLHashConstantAlgorithmInstance extends OpenSSLAlgorithmInstance
     not knownOpenSSLConstantToHashFamilyType(this, _) and result = Crypto::OtherHashType()
   }
 
-  override string getRawHashAlgorithmName() {
-    result = this.(Literal).getValue().toString()
-    or
-    result = this.(Call).getTarget().getName()
-  }
+  override string getRawHashAlgorithmName() { result = this.(Literal).getValue().toString() }
 
   override int getFixedDigestLength() {
     this.(KnownOpenSSLHashAlgorithmConstant).getExplicitDigestLength() = result

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KeyAgreementAlgorithmInstance.qll

@@ -1,63 +0,0 @@
-import cpp
-private import experimental.quantum.Language
-private import KnownAlgorithmConstants
-private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
-private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
-private import AlgToAVCFlow
-
-predicate knownOpenSSLConstantToKeyAgreementFamilyType(
-  KnownOpenSSLKeyAgreementAlgorithmConstant e, Crypto::TKeyAgreementType type
-) {
-  exists(string name |
-    name = e.getNormalizedName() and
-    (
-      name = "ECDH" and type = Crypto::ECDH()
-      or
-      name = "DH" and type = Crypto::DH()
-      or
-      name = "EDH" and type = Crypto::EDH()
-      or
-      name = "ESDH" and type = Crypto::EDH()
-    )
-  )
-}
-
-class KnownOpenSSLHashConstantAlgorithmInstance extends OpenSSLAlgorithmInstance,
-  Crypto::KeyAgreementAlgorithmInstance instanceof KnownOpenSSLKeyAgreementAlgorithmConstant
-{
-  OpenSSLAlgorithmValueConsumer getterCall;
-
-  KnownOpenSSLHashConstantAlgorithmInstance() {
-    // Two possibilities:
-    // 1) The source is a literal and flows to a getter, then we know we have an instance
-    // 2) The source is a KnownOpenSSLAlgorithm is call, and we know we have an instance immediately from that
-    // Possibility 1:
-    this instanceof Literal and
-    exists(DataFlow::Node src, DataFlow::Node sink |
-      // Sink is an argument to a CipherGetterCall
-      sink = getterCall.getInputNode() and
-      // Source is `this`
-      src.asExpr() = this and
-      // This traces to a getter
-      KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink)
-    )
-    or
-    // Possibility 2:
-    this instanceof DirectAlgorithmValueConsumer and getterCall = this
-  }
-
-  override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
-
-  override Crypto::TKeyAgreementType getKeyAgreementType() {
-    knownOpenSSLConstantToKeyAgreementFamilyType(this, result)
-    or
-    not knownOpenSSLConstantToKeyAgreementFamilyType(this, _) and
-    result = Crypto::OtherKeyAgreementType()
-  }
-
-  override string getRawKeyAgreementAlgorithmName() {
-    result = this.(Literal).getValue().toString()
-    or
-    result = this.(Call).getTarget().getName()
-  }
-}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll

@@ -1,5 +1,5 @@
 import cpp
-import experimental.quantum.OpenSSL.GenericSourceCandidateLiteral
+import experimental.quantum.OpenSSL.LibraryDetector
 
 predicate resolveAlgorithmFromExpr(Expr e, string normalizedName, string algType) {
   resolveAlgorithmFromCall(e, normalizedName, algType)
@@ -20,7 +20,7 @@ class KnownOpenSSLCipherAlgorithmConstant extends KnownOpenSSLAlgorithmConstant
 
   KnownOpenSSLCipherAlgorithmConstant() {
     resolveAlgorithmFromExpr(this, _, algType) and
-    algType.matches("%ENCRYPTION")
+    algType.toLowerCase().matches("%encryption")
   }
 
   int getExplicitKeySize() {
@@ -33,20 +33,30 @@ class KnownOpenSSLCipherAlgorithmConstant extends KnownOpenSSLAlgorithmConstant
 }
 
 class KnownOpenSSLPaddingAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
+  string algType;
+
   KnownOpenSSLPaddingAlgorithmConstant() {
-    exists(string algType |
-      resolveAlgorithmFromExpr(this, _, algType) and
-      algType.matches("%PADDING")
-    )
+    resolveAlgorithmFromExpr(this, _, algType) and
+    algType.toLowerCase().matches("%padding")
   }
 }
 
 class KnownOpenSSLBlockModeAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
-  KnownOpenSSLBlockModeAlgorithmConstant() { resolveAlgorithmFromExpr(this, _, "BLOCK_MODE") }
+  string algType;
+
+  KnownOpenSSLBlockModeAlgorithmConstant() {
+    resolveAlgorithmFromExpr(this, _, algType) and
+    algType.toLowerCase().matches("%block_mode")
+  }
 }
 
 class KnownOpenSSLHashAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
-  KnownOpenSSLHashAlgorithmConstant() { resolveAlgorithmFromExpr(this, _, "HASH") }
+  string algType;
+
+  KnownOpenSSLHashAlgorithmConstant() {
+    resolveAlgorithmFromExpr(this, _, algType) and
+    algType.toLowerCase().matches("%hash")
+  }
 
   int getExplicitDigestLength() {
     exists(string name |
@@ -57,20 +67,6 @@ class KnownOpenSSLHashAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
   }
 }
 
-class KnownOpenSSLEllipticCurveAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
-  KnownOpenSSLEllipticCurveAlgorithmConstant() {
-    resolveAlgorithmFromExpr(this, _, "ELLIPTIC_CURVE")
-  }
-}
-
-class KnownOpenSSLSignatureAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
-  KnownOpenSSLSignatureAlgorithmConstant() { resolveAlgorithmFromExpr(this, _, "SIGNATURE") }
-}
-
-class KnownOpenSSLKeyAgreementAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
-  KnownOpenSSLKeyAgreementAlgorithmConstant() { resolveAlgorithmFromExpr(this, _, "KEY_AGREEMENT") }
-}
-
 /**
  * Resolves a call to a 'direct algorithm getter', e.g., EVP_MD5()
  * This approach to fetching algorithms was used in OpenSSL 1.0.2.
@@ -84,6 +80,7 @@ class KnownOpenSSLKeyAgreementAlgorithmConstant extends KnownOpenSSLAlgorithmCon
  *  alias = "dss1" and target = "dsaWithSHA1"
  */
 predicate resolveAlgorithmFromCall(Call c, string normalized, string algType) {
+  isPossibleOpenSSLFunction(c.getTarget()) and
   exists(string name, string parsedTargetName |
     parsedTargetName =
       c.getTarget().getName().replaceAll("EVP_", "").toLowerCase().replaceAll("_", "-") and
@@ -97,10 +94,10 @@ predicate resolveAlgorithmFromCall(Call c, string normalized, string algType) {
  * if `e` resolves to a known algorithm.
  * If this predicate does not hold, then `e` can be interpreted as being of `UNKNOWN` type.
  */
-predicate resolveAlgorithmFromLiteral(
-  OpenSSLGenericSourceCandidateLiteral e, string normalized, string algType
-) {
-  knownOpenSSLAlgorithmLiteral(_, e.getValue().toInt(), normalized, algType)
+predicate resolveAlgorithmFromLiteral(Literal e, string normalized, string algType) {
+  exists(int nid |
+    nid = getPossibleNidFromLiteral(e) and knownOpenSSLAlgorithmLiteral(_, nid, normalized, algType)
+  )
   or
   exists(string name |
     name = resolveAlgorithmAlias(e.getValue()) and
@@ -119,6 +116,30 @@ string resolveAlgorithmAlias(string name) {
   )
 }
 
+private int getPossibleNidFromLiteral(Literal e) {
+  result = e.getValue().toInt() and
+  not e instanceof CharLiteral and
+  not e instanceof StringLiteral and
+  // ASSUMPTION, no negative numbers are allowed
+  // RATIONALE: this is a performance improvement to avoid having to trace every number
+  not exists(UnaryMinusExpr u | u.getOperand() = e) and
+  //  OPENSSL has a special macro for getting every line, ignore it
+  not exists(MacroInvocation mi | mi.getExpr() = e and mi.getMacroName() = "OPENSSL_LINE") and
+  // Filter out cases where an int is assigned into a pointer, e.g., char* x = NULL;
+  not exists(Assignment a |
+    a.getRValue() = e and a.getLValue().getType().getUnspecifiedType() instanceof PointerType
+  ) and
+  not exists(Initializer i |
+    i.getExpr() = e and
+    i.getDeclaration().getADeclarationEntry().getUnspecifiedType() instanceof PointerType
+  ) and
+  // Filter out cases where an int is returned into a pointer, e.g., return NULL;
+  not exists(ReturnStmt r |
+    r.getExpr() = e and
+    r.getEnclosingFunction().getType().getUnspecifiedType() instanceof PointerType
+  )
+}
+
 string getAlgorithmAlias(string alias) {
   customAliases(result, alias)
   or
@@ -145,14 +166,6 @@ predicate customAliases(string target, string alias) {
  * The `target` and `alias` are converted to lowercase to be of a standard form.
  */
 predicate defaultAliases(string target, string alias) {
-  // "DH" and "DHX" are not aliases in the traditional sense,
-  // i.e., they are not registered as aliases explicitly,
-  // rather they appear in common usage, and experiments reveal their
-  // NID matches those of the `dhKeyAgreement` and `x9.42 dh` algorithms respectively.
-  alias = "dh" and target = "dhKeyAgreement"
-  or
-  alias = "dhx" and target = "x9.42 dh"
-  or
   alias = "aes128" and target = "aes-128-cbc"
   or
   alias = "aes192" and target = "aes-192-cbc"
@@ -240,6 +253,11 @@ predicate defaultAliases(string target, string alias) {
   alias = "ssl3-sha1" and target = "sha1"
 }
 
+predicate tbd(string normalized, string algType) {
+  knownOpenSSLAlgorithmLiteral(_, _, normalized, algType) and
+  algType = "HASH"
+}
+
 /**
  * Enumeration of all known crypto algorithms for openSSL
  * `name` is all lower case (caller's must ensure they pass in lower case)
@@ -248,10 +266,6 @@ predicate defaultAliases(string target, string alias) {
  * `algType` is the type of algorithm (e.g., "SYMMETRIC_ENCRYPTION")
  */
 predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized, string algType) {
-  name = "dhKeyAgreement" and nid = 28 and normalized = "DH" and algType = "KEY_AGREEMENT"
-  or
-  name = "x9.42 dh" and nid = 29 and normalized = "DH" and algType = "KEY_AGREEMENT"
-  or
   name = "rsa" and nid = 19 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION"
   or
   name = "prime192v1" and nid = 409 and normalized = "PRIME192V1" and algType = "ELLIPTIC_CURVE"
@@ -270,12 +284,8 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   or
   name = "ed25519" and nid = 1087 and normalized = "ED25519" and algType = "ELLIPTIC_CURVE"
   or
-  name = "ed25519" and nid = 1087 and normalized = "ED25519" and algType = "SIGNATURE"
-  or
   name = "ed448" and nid = 1088 and normalized = "ED448" and algType = "ELLIPTIC_CURVE"
   or
-  name = "ed448" and nid = 1088 and normalized = "ED448" and algType = "SIGNATURE"
-  or
   name = "md2" and nid = 3 and normalized = "MD2" and algType = "HASH"
   or
   name = "sha" and nid = 41 and normalized = "SHA" and algType = "HASH"
@@ -884,8 +894,6 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   or
   name = "id-alg-dh-sig-hmac-sha1" and nid = 325 and normalized = "SHA1" and algType = "HASH"
   or
-  name = "id-alg-dh-sig-hmac-sha1" and nid = 325 and normalized = "DH" and algType = "KEY_AGREEMENT"
-  or
   name = "aes-128-ofb" and nid = 420 and normalized = "AES-128" and algType = "SYMMETRIC_ENCRYPTION"
   or
   name = "aes-128-ofb" and nid = 420 and normalized = "OFB" and algType = "BLOCK_MODE"
@@ -1387,9 +1395,9 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   or
   name = "kx-rsa" and nid = 1037 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION"
   or
-  name = "kx-ecdhe" and nid = 1038 and normalized = "ECDH" and algType = "KEY_AGREEMENT"
+  name = "kx-ecdhe" and nid = 1038 and normalized = "ECDH" and algType = "KEY_EXCHANGE"
   or
-  name = "kx-ecdhe-psk" and nid = 1040 and normalized = "ECDH" and algType = "KEY_AGREEMENT"
+  name = "kx-ecdhe-psk" and nid = 1040 and normalized = "ECDH" and algType = "KEY_EXCHANGE"
   or
   name = "kx-rsa-psk" and nid = 1042 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION"
   or
@@ -1697,12 +1705,8 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   or
   name = "x448" and nid = 1035 and normalized = "X448" and algType = "ELLIPTIC_CURVE"
   or
-  name = "x448" and nid = 1035 and normalized = "X448" and algType = "KEY_AGREEMENT"
-  or
   name = "x25519" and nid = 1034 and normalized = "X25519" and algType = "ELLIPTIC_CURVE"
   or
-  name = "x25519" and nid = 1034 and normalized = "X25519" and algType = "KEY_AGREEMENT"
-  or
   name = "authecdsa" and nid = 1047 and normalized = "ECDSA" and algType = "SIGNATURE"
   or
   name = "authgost01" and nid = 1050 and normalized = "GOST" and algType = "SYMMETRIC_ENCRYPTION"
@@ -1801,101 +1805,51 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   normalized = "SHA1" and
   algType = "HASH"
   or
-  name = "dhsinglepass-cofactordh-sha1kdf-scheme" and
-  nid = 941 and
-  normalized = "DH" and
-  algType = "KEY_AGREEMENT"
-  or
   name = "dhsinglepass-cofactordh-sha224kdf-scheme" and
   nid = 942 and
   normalized = "SHA-224" and
   algType = "HASH"
   or
-  name = "dhsinglepass-cofactordh-sha224kdf-scheme" and
-  nid = 942 and
-  normalized = "DH" and
-  algType = "KEY_AGREEMENT"
-  or
   name = "dhsinglepass-cofactordh-sha256kdf-scheme" and
   nid = 943 and
   normalized = "SHA-256" and
   algType = "HASH"
   or
-  name = "dhsinglepass-cofactordh-sha256kdf-scheme" and
-  nid = 943 and
-  normalized = "DH" and
-  algType = "KEY_AGREEMENT"
-  or
   name = "dhsinglepass-cofactordh-sha384kdf-scheme" and
   nid = 944 and
   normalized = "SHA-384" and
   algType = "HASH"
   or
-  name = "dhsinglepass-cofactordh-sha384kdf-scheme" and
-  nid = 944 and
-  normalized = "DH" and
-  algType = "KEY_AGREEMENT"
-  or
   name = "dhsinglepass-cofactordh-sha512kdf-scheme" and
   nid = 945 and
   normalized = "SHA-512" and
   algType = "HASH"
   or
-  name = "dhsinglepass-cofactordh-sha512kdf-scheme" and
-  nid = 945 and
-  normalized = "DH" and
-  algType = "KEY_AGREEMENT"
-  or
   name = "dhsinglepass-stddh-sha1kdf-scheme" and
   nid = 936 and
   normalized = "SHA1" and
   algType = "HASH"
   or
-  name = "dhsinglepass-stddh-sha1kdf-scheme" and
-  nid = 936 and
-  normalized = "DH" and
-  algType = "KEY_AGREEMENT"
-  or
   name = "dhsinglepass-stddh-sha224kdf-scheme" and
   nid = 937 and
   normalized = "SHA-224" and
   algType = "HASH"
   or
-  name = "dhsinglepass-stddh-sha224kdf-scheme" and
-  nid = 937 and
-  normalized = "DH" and
-  algType = "KEY_AGREEMENT"
-  or
   name = "dhsinglepass-stddh-sha256kdf-scheme" and
   nid = 938 and
   normalized = "SHA-256" and
   algType = "HASH"
   or
-  name = "dhsinglepass-stddh-sha256kdf-scheme" and
-  nid = 938 and
-  normalized = "DH" and
-  algType = "KEY_AGREEMENT"
-  or
   name = "dhsinglepass-stddh-sha384kdf-scheme" and
   nid = 939 and
   normalized = "SHA-384" and
   algType = "HASH"
   or
-  name = "dhsinglepass-stddh-sha384kdf-scheme" and
-  nid = 939 and
-  normalized = "DH" and
-  algType = "KEY_AGREEMENT"
-  or
   name = "dhsinglepass-stddh-sha512kdf-scheme" and
   nid = 940 and
   normalized = "SHA-512" and
   algType = "HASH"
   or
-  name = "dhsinglepass-stddh-sha512kdf-scheme" and
-  nid = 940 and
-  normalized = "DH" and
-  algType = "KEY_AGREEMENT"
-  or
   name = "dsa-old" and nid = 67 and normalized = "DSA" and algType = "SIGNATURE"
   or
   name = "dsa-sha" and nid = 66 and normalized = "DSA" and algType = "SIGNATURE"
@@ -2055,7 +2009,7 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   normalized = "GOST" and
   algType = "SYMMETRIC_ENCRYPTION"
   or
-  name = "gost r 34.10-2001 dh" and // TODO: review this algorithm
+  name = "gost r 34.10-2001 dh" and
   nid = 817 and
   normalized = "GOST" and
   algType = "SYMMETRIC_ENCRYPTION"
@@ -2125,7 +2079,7 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   normalized = "GOST" and
   algType = "SYMMETRIC_ENCRYPTION"
   or
-  name = "gost r 34.10-94 dh" and // TODO: review this algorithm
+  name = "gost r 34.10-94 dh" and
   nid = 818 and
   normalized = "GOST" and
   algType = "SYMMETRIC_ENCRYPTION"
@@ -2340,7 +2294,7 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   normalized = "GOSTR34102001" and
   algType = "SYMMETRIC_ENCRYPTION"
   or
-  name = "id-gostr3410-2001dh" and // TODO: review this algorithm
+  name = "id-gostr3410-2001dh" and
   nid = 817 and
   normalized = "GOSTR34102001" and
   algType = "SYMMETRIC_ENCRYPTION"
@@ -2405,7 +2359,7 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   normalized = "GOSTR341094" and
   algType = "SYMMETRIC_ENCRYPTION"
   or
-  name = "id-gostr3410-94dh" and // TODO: review this algorithm
+  name = "id-gostr3410-94dh" and
   nid = 818 and
   normalized = "GOSTR341094" and
   algType = "SYMMETRIC_ENCRYPTION"
@@ -2489,31 +2443,16 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   normalized = "3DES" and
   algType = "SYMMETRIC_ENCRYPTION"
   or
-  name = "id-smime-alg-esdhwith3des" and
-  nid = 241 and
-  normalized = "ESDH" and
-  algType = "KEY_AGREEMENT"
-  or
   name = "id-smime-alg-esdhwithrc2" and
   nid = 242 and
   normalized = "RC2" and
   algType = "SYMMETRIC_ENCRYPTION"
   or
-  name = "id-smime-alg-esdhwithrc2" and
-  nid = 242 and
-  normalized = "ESDH" and
-  algType = "KEY_AGREEMENT"
-  or
   name = "id-smime-alg-rc2wrap" and
   nid = 244 and
   normalized = "RC2" and
   algType = "SYMMETRIC_ENCRYPTION"
   or
-  name = "id_smime_alg_esdh" and
-  nid = 245 and
-  normalized = "ESDH" and
-  algType = "KEY_AGREEMENT"
-  or
   name = "id-tc26-gost-28147-param-z" and
   nid = 1003 and
   normalized = "GOST28147" and
@@ -2559,9 +2498,9 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   normalized = "GOST34102012" and
   algType = "SYMMETRIC_ENCRYPTION"
   or
-  name = "kxecdhe" and nid = 1038 and normalized = "ECDH" and algType = "KEY_AGREEMENT"
+  name = "kxecdhe" and nid = 1038 and normalized = "ECDH" and algType = "KEY_EXCHANGE"
   or
-  name = "kxecdhe-psk" and nid = 1040 and normalized = "ECDH" and algType = "KEY_AGREEMENT"
+  name = "kxecdhe-psk" and nid = 1040 and normalized = "ECDH" and algType = "KEY_EXCHANGE"
   or
   name = "kxgost" and nid = 1045 and normalized = "GOST" and algType = "SYMMETRIC_ENCRYPTION"
   or

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstanceBase.qll

@@ -1,5 +1,5 @@
-private import experimental.quantum.Language
-private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+import experimental.quantum.Language
+import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
 
 abstract class OpenSSLAlgorithmInstance extends Crypto::AlgorithmInstance {
   abstract OpenSSLAlgorithmValueConsumer getAVC();

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstances.qll

@@ -3,4 +3,3 @@ import CipherAlgorithmInstance
 import PaddingAlgorithmInstance
 import BlockAlgorithmInstance
 import HashAlgorithmInstance
-import EllipticCurveAlgorithmInstance

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/PaddingAlgorithmInstance.qll

@@ -1,31 +1,13 @@
 import cpp
-private import experimental.quantum.Language
-private import OpenSSLAlgorithmInstanceBase
-private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-private import AlgToAVCFlow
-private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
-private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
-
-/**
- * A class to define padding specific integer values.
- * from rsa.h in openssl:
- *     # define RSA_PKCS1_PADDING          1
- *     # define RSA_NO_PADDING             3
- *     # define RSA_PKCS1_OAEP_PADDING     4
- *     # define RSA_X931_PADDING           5
- *     # define RSA_PKCS1_PSS_PADDING      6
- *     # define RSA_PKCS1_WITH_TLS_PADDING 7
- *     # define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8
- */
-class OpenSSLPaddingLiteral extends Literal {
-  // TODO: we can be more specific about where the literal is in a larger expression
-  // to avoid literals that are clealy not representing an algorithm, e.g., array indices.
-  OpenSSLPaddingLiteral() { this.getValue().toInt() in [0, 1, 3, 4, 5, 6, 7, 8] }
-}
+import experimental.quantum.Language
+import OpenSSLAlgorithmInstanceBase
+import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+import AlgToAVCFlow
+import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
 
 /**
  * Given a `KnownOpenSSLPaddingAlgorithmConstant`, converts this to a padding family type.
- * Does not bind if there is no mapping (no mapping to 'unknown' or 'other').
+ * Does not bind if there is know mapping (no mapping to 'unknown' or 'other').
  */
 predicate knownOpenSSLConstantToPaddingFamilyType(
   KnownOpenSSLPaddingAlgorithmConstant e, Crypto::TPaddingType type
@@ -77,8 +59,19 @@ class KnownOpenSSLPaddingConstantAlgorithmInstance extends OpenSSLAlgorithmInsta
     this instanceof KnownOpenSSLPaddingAlgorithmConstant and
     isPaddingSpecificConsumer = false
     or
-    // Possibility 3: padding-specific literal
-    this instanceof OpenSSLPaddingLiteral and
+    // Possibility 3:
+    // from rsa.h in openssl:
+    // # define RSA_PKCS1_PADDING          1
+    // # define RSA_NO_PADDING             3
+    // # define RSA_PKCS1_OAEP_PADDING     4
+    // # define RSA_X931_PADDING           5
+    // /* EVP_PKEY_ only */
+    // # define RSA_PKCS1_PSS_PADDING      6
+    // # define RSA_PKCS1_WITH_TLS_PADDING 7
+    // /* internal RSA_ only */
+    // # define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8
+    this instanceof Literal and
+    this.getValue().toInt() in [0, 1, 3, 4, 5, 6, 7, 8] and
     exists(DataFlow::Node src, DataFlow::Node sink |
       // Sink is an argument to a CipherGetterCall
       sink = getterCall.(OpenSSLAlgorithmValueConsumer).getInputNode() and
@@ -90,32 +83,28 @@ class KnownOpenSSLPaddingConstantAlgorithmInstance extends OpenSSLAlgorithmInsta
     isPaddingSpecificConsumer = true
   }
 
-  override string getRawPaddingAlgorithmName() {
-    result = this.(Literal).getValue().toString()
-    or
-    result = this.(Call).getTarget().getName()
-  }
+  override string getRawPaddingAlgorithmName() { result = this.(Literal).getValue().toString() }
 
   override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
 
-  Crypto::TPaddingType getKnownPaddingType() {
-    this.(Literal).getValue().toInt() in [1, 7, 8] and result = Crypto::PKCS1_v1_5()
-    or
-    this.(Literal).getValue().toInt() = 3 and result = Crypto::NoPadding()
-    or
-    this.(Literal).getValue().toInt() = 4 and result = Crypto::OAEP()
-    or
-    this.(Literal).getValue().toInt() = 5 and result = Crypto::ANSI_X9_23()
-    or
-    this.(Literal).getValue().toInt() = 6 and result = Crypto::PSS()
-  }
-
   override Crypto::TPaddingType getPaddingType() {
     isPaddingSpecificConsumer = true and
     (
-      result = this.getKnownPaddingType()
-      or
-      not exists(this.getKnownPaddingType()) and result = Crypto::OtherPadding()
+      if this.(Literal).getValue().toInt() in [1, 7, 8]
+      then result = Crypto::PKCS1_v1_5()
+      else
+        if this.(Literal).getValue().toInt() = 3
+        then result = Crypto::NoPadding()
+        else
+          if this.(Literal).getValue().toInt() = 4
+          then result = Crypto::OAEP()
+          else
+            if this.(Literal).getValue().toInt() = 5
+            then result = Crypto::ANSI_X9_23()
+            else
+              if this.(Literal).getValue().toInt() = 6
+              then result = Crypto::PSS()
+              else result = Crypto::OtherPadding()
     )
     or
     isPaddingSpecificConsumer = false and

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/CipherAlgorithmValueConsumer.qll

@@ -1,8 +1,9 @@
 import cpp
-private import experimental.quantum.Language
-private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
-private import OpenSSLAlgorithmValueConsumerBase
+import experimental.quantum.Language
+import experimental.quantum.OpenSSL.LibraryDetector
+import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
+import OpenSSLAlgorithmValueConsumerBase
 
 abstract class CipherAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
 
@@ -13,6 +14,7 @@ class EVPCipherAlgorithmValueConsumer extends CipherAlgorithmValueConsumer {
 
   EVPCipherAlgorithmValueConsumer() {
     resultNode.asExpr() = this and
+    isPossibleOpenSSLFunction(this.(Call).getTarget()) and
     (
       this.(Call).getTarget().getName() in [
           "EVP_get_cipherbyname", "EVP_get_cipherbyobj", "EVP_get_cipherbynid"

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/DirectAlgorithmValueConsumer.qll

@@ -1,8 +1,9 @@
 import cpp
-private import experimental.quantum.Language
-private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+import experimental.quantum.Language
+import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
 
+// TODO: can self referential to itself, which is also an algorithm (Known algorithm)
 /**
  * Cases like EVP_MD5(),
  * there is no input, rather it directly gets an algorithm

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/EllipticCurveAlgorithmValueConsumer.qll

@@ -1,34 +0,0 @@
-import cpp
-private import experimental.quantum.Language
-private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
-private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
-
-abstract class EllipticCurveValueConsumer extends OpenSSLAlgorithmValueConsumer { }
-
-//https://docs.openssl.org/3.0/man3/EC_KEY_new/#name
-class EVPEllipticCurveAlgorithmConsumer extends EllipticCurveValueConsumer {
-  DataFlow::Node valueArgNode;
-  DataFlow::Node resultNode;
-
-  EVPEllipticCurveAlgorithmConsumer() {
-    resultNode.asExpr() = this.(Call) and // in all cases the result is the return
-    (
-      this.(Call).getTarget().getName() in ["EVP_EC_gen", "EC_KEY_new_by_curve_name"] and
-      valueArgNode.asExpr() = this.(Call).getArgument(0)
-      or
-      this.(Call).getTarget().getName() in [
-          "EC_KEY_new_by_curve_name_ex", "EVP_PKEY_CTX_set_ec_paramgen_curve_nid"
-        ] and
-      valueArgNode.asExpr() = this.(Call).getArgument(2)
-    )
-  }
-
-  override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
-    exists(OpenSSLAlgorithmInstance i | i.getAVC() = this and result = i)
-  }
-
-  override DataFlow::Node getResultNode() { result = resultNode }
-
-  override Crypto::ConsumerInputDataFlowNode getInputNode() { result = valueArgNode }
-}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/HashAlgorithmValueConsumer.qll

@@ -1,16 +1,23 @@
+// import EVPHashInitializer
+// import EVPHashOperation
+// import EVPHashAlgorithmSource
 import cpp
-private import experimental.quantum.Language
-private import semmle.code.cpp.dataflow.new.DataFlow
-private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
-private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
+import experimental.quantum.Language
+import semmle.code.cpp.dataflow.new.DataFlow
+import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
+import experimental.quantum.OpenSSL.LibraryDetector
 
 abstract class HashAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
 
 /**
  * EVP_Q_Digest directly consumes algorithm constant values
  */
-class EVP_Q_Digest_Algorithm_Consumer extends HashAlgorithmValueConsumer {
-  EVP_Q_Digest_Algorithm_Consumer() { this.(Call).getTarget().getName() = "EVP_Q_digest" }
+class EVP_Q_Digest_Algorithm_Consumer extends OpenSSLAlgorithmValueConsumer {
+  EVP_Q_Digest_Algorithm_Consumer() {
+    isPossibleOpenSSLFunction(this.(Call).getTarget()) and
+    this.(Call).getTarget().getName() = "EVP_Q_digest"
+  }
 
   override Crypto::ConsumerInputDataFlowNode getInputNode() {
     result.asExpr() = this.(Call).getArgument(1)
@@ -26,33 +33,3 @@ class EVP_Q_Digest_Algorithm_Consumer extends HashAlgorithmValueConsumer {
     none()
   }
 }
-
-/**
- * The EVP digest algorithm getters
- * https://docs.openssl.org/3.0/man3/EVP_DigestInit/#synopsis
- */
-class EVPDigestAlgorithmValueConsumer extends HashAlgorithmValueConsumer {
-  DataFlow::Node valueArgNode;
-  DataFlow::Node resultNode;
-
-  EVPDigestAlgorithmValueConsumer() {
-    resultNode.asExpr() = this and
-    (
-      this.(Call).getTarget().getName() in [
-          "EVP_get_digestbyname", "EVP_get_digestbynid", "EVP_get_digestbyobj"
-        ] and
-      valueArgNode.asExpr() = this.(Call).getArgument(0)
-      or
-      this.(Call).getTarget().getName() = "EVP_MD_fetch" and
-      valueArgNode.asExpr() = this.(Call).getArgument(1)
-    )
-  }
-
-  override DataFlow::Node getResultNode() { result = resultNode }
-
-  override Crypto::ConsumerInputDataFlowNode getInputNode() { result = valueArgNode }
-
-  override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
-    exists(OpenSSLAlgorithmInstance i | i.getAVC() = this and result = i)
-  }
-}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/KEMAlgorithmValueConsumer.qll

@@ -1,28 +0,0 @@
-import cpp
-private import experimental.quantum.Language
-private import semmle.code.cpp.dataflow.new.DataFlow
-private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
-private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
-
-abstract class KEMAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
-
-class EVPKEMAlgorithmValueConsumer extends KEMAlgorithmValueConsumer {
-  DataFlow::Node valueArgNode;
-  DataFlow::Node resultNode;
-
-  EVPKEMAlgorithmValueConsumer() {
-    resultNode.asExpr() = this and
-    (
-      this.(Call).getTarget().getName() = "EVP_KEM_fetch" and
-      valueArgNode.asExpr() = this.(Call).getArgument(1)
-    )
-  }
-
-  override DataFlow::Node getResultNode() { result = resultNode }
-
-  override Crypto::ConsumerInputDataFlowNode getInputNode() { result = valueArgNode }
-
-  override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
-    exists(OpenSSLAlgorithmInstance i | i.getAVC() = this and result = i)
-  }
-}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/KeyExchangeAlgorithmValueConsumer.qll

@@ -1,28 +0,0 @@
-import cpp
-private import experimental.quantum.Language
-private import semmle.code.cpp.dataflow.new.DataFlow
-private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
-private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
-
-abstract class KeyExchangeAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
-
-class EVPKeyExchangeAlgorithmValueConsumer extends KeyExchangeAlgorithmValueConsumer {
-  DataFlow::Node valueArgNode;
-  DataFlow::Node resultNode;
-
-  EVPKeyExchangeAlgorithmValueConsumer() {
-    resultNode.asExpr() = this and
-    (
-      this.(Call).getTarget().getName() = "EVP_KEYEXCH_fetch" and
-      valueArgNode.asExpr() = this.(Call).getArgument(1)
-    )
-  }
-
-  override DataFlow::Node getResultNode() { result = resultNode }
-
-  override Crypto::ConsumerInputDataFlowNode getInputNode() { result = valueArgNode }
-
-  override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
-    exists(OpenSSLAlgorithmInstance i | i.getAVC() = this and result = i)
-  }
-}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumerBase.qll

@@ -1,4 +1,5 @@
-private import experimental.quantum.Language
+import experimental.quantum.Language
+import semmle.code.cpp.dataflow.new.DataFlow
 
 abstract class OpenSSLAlgorithmValueConsumer extends Crypto::AlgorithmValueConsumer instanceof Call {
   /**

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumers.qll

@@ -3,5 +3,3 @@ import CipherAlgorithmValueConsumer
 import DirectAlgorithmValueConsumer
 import PaddingAlgorithmValueConsumer
 import HashAlgorithmValueConsumer
-import EllipticCurveAlgorithmValueConsumer
-import PKeyAlgorithmValueConsumer

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/PKeyAlgorithmValueConsumer.qll

@@ -1,55 +0,0 @@
-import cpp
-private import experimental.quantum.Language
-private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
-private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
-
-abstract class PKeyValueConsumer extends OpenSSLAlgorithmValueConsumer { }
-
-class EVPPKeyAlgorithmConsumer extends PKeyValueConsumer {
-  DataFlow::Node valueArgNode;
-  DataFlow::Node resultNode;
-
-  EVPPKeyAlgorithmConsumer() {
-    resultNode.asExpr() = this.(Call) and // in all cases the result is the return
-    (
-      // NOTE: some of these consumers are themselves key gen operations,
-      // in these cases, the operation will be created separately for the same function.
-      this.(Call).getTarget().getName() in [
-          "EVP_PKEY_CTX_new_id", "EVP_PKEY_new_raw_private_key", "EVP_PKEY_new_raw_public_key",
-          "EVP_PKEY_new_mac_key"
-        ] and
-      valueArgNode.asExpr() = this.(Call).getArgument(0)
-      or
-      this.(Call).getTarget().getName() in [
-          "EVP_PKEY_CTX_new_from_name", "EVP_PKEY_new_raw_private_key_ex",
-          "EVP_PKEY_new_raw_public_key_ex", "EVP_PKEY_CTX_ctrl", "EVP_PKEY_CTX_set_group_name"
-        ] and
-      valueArgNode.asExpr() = this.(Call).getArgument(1)
-      or
-      // argInd 2 is 'type' which can be RSA, or EC
-      // if RSA argInd 3 is the key size, else if EC argInd 3 is the curve name
-      // In all other cases there is no argInd 3, and argInd 2 is the algorithm.
-      // Since this is a key gen operation, handling the key size should be handled
-      // when the operation is again modeled as a key gen operation.
-      this.(Call).getTarget().getName() = "EVP_PKEY_Q_keygen" and
-      (
-        // Elliptic curve case
-        // If the argInd 3 is a derived type (pointer or array) then assume it is a curve name
-        if this.(Call).getArgument(3).getType().getUnderlyingType() instanceof DerivedType
-        then valueArgNode.asExpr() = this.(Call).getArgument(3)
-        else
-          // All other cases
-          valueArgNode.asExpr() = this.(Call).getArgument(2)
-      )
-    )
-  }
-
-  override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
-    exists(OpenSSLAlgorithmInstance i | i.getAVC() = this and result = i)
-  }
-
-  override DataFlow::Node getResultNode() { result = resultNode }
-
-  override Crypto::ConsumerInputDataFlowNode getInputNode() { result = valueArgNode }
-}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/PaddingAlgorithmValueConsumer.qll

@@ -1,8 +1,9 @@
 import cpp
-private import experimental.quantum.Language
-private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
-private import OpenSSLAlgorithmValueConsumerBase
+import experimental.quantum.Language
+import experimental.quantum.OpenSSL.LibraryDetector
+import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
+import OpenSSLAlgorithmValueConsumerBase
 
 abstract class PaddingAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
 
@@ -15,8 +16,11 @@ class EVP_PKEY_CTX_set_rsa_padding_AlgorithmValueConsumer extends PaddingAlgorit
 
   EVP_PKEY_CTX_set_rsa_padding_AlgorithmValueConsumer() {
     resultNode.asExpr() = this and
-    this.(Call).getTarget().getName() = "EVP_PKEY_CTX_set_rsa_padding" and
-    valueArgNode.asExpr() = this.(Call).getArgument(1)
+    isPossibleOpenSSLFunction(this.(Call).getTarget()) and
+    (
+      this.(Call).getTarget().getName() in ["EVP_PKEY_CTX_set_rsa_padding"] and
+      valueArgNode.asExpr() = this.(Call).getArgument(1)
+    )
   }
 
   override DataFlow::Node getResultNode() { result = resultNode }

cpp/ql/lib/experimental/quantum/OpenSSL/CtxFlow.qll

@@ -20,119 +20,79 @@
 
 import semmle.code.cpp.dataflow.new.DataFlow
 
-/**
- * An openSSL CTX type, which is type for which the stripped underlying type
- * matches the pattern 'evp_%ctx_%st'.
- * This includes types like:
- * - EVP_CIPHER_CTX
- * - EVP_MD_CTX
- * - EVP_PKEY_CTX
- */
-private class CtxType extends Type {
-  CtxType() {
-    // It is possible for users to use the underlying type of the CTX variables
-    // these have a name matching 'evp_%ctx_%st
+class CTXType extends Type {
+  CTXType() {
+    // TODO: should we limit this to an openssl path?
     this.getUnspecifiedType().stripType().getName().matches("evp_%ctx_%st")
-    or
-    // In principal the above check should be sufficient, but in case of build mode none issues
-    // i.e., if a typedef cannot be resolved,
-    // or issues with properly stubbing test cases, we also explicitly check for the wrapping type defs
-    // i.e., patterns matching 'EVP_%_CTX'
-    exists(Type base | base = this or base = this.(DerivedType).getBaseType() |
-      base.getName().matches("EVP_%_CTX")
-    )
   }
 }
 
-/**
- * A pointer to a CtxType
- */
-private class CtxPointerExpr extends Expr {
-  CtxPointerExpr() {
-    this.getType() instanceof CtxType and
+class CTXPointerExpr extends Expr {
+  CTXPointerExpr() {
+    this.getType() instanceof CTXType and
     this.getType() instanceof PointerType
   }
 }
 
-/**
- * A call argument of type CtxPointerExpr.
- */
-private class CtxPointerArgument extends CtxPointerExpr {
-  CtxPointerArgument() { exists(Call c | c.getAnArgument() = this) }
+class CTXPointerArgument extends CTXPointerExpr {
+  CTXPointerArgument() { exists(Call c | c.getAnArgument() = this) }
 
   Call getCall() { result.getAnArgument() = this }
 }
 
-/**
- * A call whose target contains 'free' or 'reset' and has an argument of type
- * CtxPointerArgument.
- */
-private class CtxClearCall extends Call {
-  CtxClearCall() {
+class CTXClearCall extends Call {
+  CTXClearCall() {
     this.getTarget().getName().toLowerCase().matches(["%free%", "%reset%"]) and
-    this.getAnArgument() instanceof CtxPointerArgument
+    this.getAnArgument() instanceof CTXPointerArgument
   }
 }
 
-/**
- * A call whose target contains 'copy' and has an argument of type
- * CtxPointerArgument.
- */
-private class CtxCopyOutArgCall extends Call {
-  CtxCopyOutArgCall() {
-    this.getTarget().getName().toLowerCase().matches("%copy%") and
-    this.getAnArgument() instanceof CtxPointerArgument
+class CTXCopyOutArgCall extends Call {
+  CTXCopyOutArgCall() {
+    this.getTarget().getName().toLowerCase().matches(["%copy%"]) and
+    this.getAnArgument() instanceof CTXPointerArgument
   }
 }
 
-/**
- * A call whose target contains 'dup' and has an argument of type
- * CtxPointerArgument.
- */
-private class CtxCopyReturnCall extends Call, CtxPointerExpr {
-  CtxCopyReturnCall() {
-    this.getTarget().getName().toLowerCase().matches("%dup%") and
-    this.getAnArgument() instanceof CtxPointerArgument
+class CTXCopyReturnCall extends Call {
+  CTXCopyReturnCall() {
+    this.getTarget().getName().toLowerCase().matches(["%dup%"]) and
+    this.getAnArgument() instanceof CTXPointerArgument and
+    this instanceof CTXPointerExpr
   }
 }
 
-/**
- * Flow from any CtxPointerArgument to any other CtxPointerArgument
- */
-module OpenSSLCtxArgumentFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source.asExpr() instanceof CtxPointerArgument }
+module OpenSSLCTXArgumentFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source.asExpr() instanceof CTXPointerArgument }
 
-  predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof CtxPointerArgument }
+  predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof CTXPointerArgument }
 
   predicate isBarrier(DataFlow::Node node) {
-    exists(CtxClearCall c | c.getAnArgument() = node.asExpr())
+    exists(CTXClearCall c | c.getAnArgument() = node.asExpr())
   }
 
   predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    exists(CtxCopyOutArgCall c |
+    exists(CTXCopyOutArgCall c |
       c.getAnArgument() = node1.asExpr() and
       c.getAnArgument() = node2.asExpr() and
       node1.asExpr() != node2.asExpr() and
-      node2.asExpr().getType() instanceof CtxType
+      node2.asExpr().getType() instanceof CTXType
     )
     or
-    exists(CtxCopyReturnCall c |
+    exists(CTXCopyReturnCall c |
       c.getAnArgument() = node1.asExpr() and
       c = node2.asExpr() and
       node1.asExpr() != node2.asExpr() and
-      node2.asExpr().getType() instanceof CtxType
+      node2.asExpr().getType() instanceof CTXType
     )
   }
 }
 
-module OpenSSLCtxArgumentFlow = DataFlow::Global<OpenSSLCtxArgumentFlowConfig>;
+module OpenSSLCTXArgumentFlow = DataFlow::Global<OpenSSLCTXArgumentFlowConfig>;
 
-/**
- * Holds if there is a context flow from the source to the sink.
- */
-predicate ctxArgFlowsToCtxArg(CtxPointerArgument source, CtxPointerArgument sink) {
+predicate ctxArgFlowsToCtxArg(CTXPointerArgument source, CTXPointerArgument sink) {
   exists(DataFlow::Node a, DataFlow::Node b |
-    OpenSSLCtxArgumentFlow::flow(a, b) and
+    OpenSSLCTXArgumentFlow::flow(a, b) and
     a.asExpr() = source and
     b.asExpr() = sink
   )

cpp/ql/lib/experimental/quantum/OpenSSL/GenericSourceCandidateLiteral.qll

@@ -1,122 +0,0 @@
-import cpp
-private import semmle.code.cpp.models.Models
-private import semmle.code.cpp.models.interfaces.FormattingFunction
-
-private class IntLiteral extends Literal {
-  IntLiteral() {
-    //Heuristics for distinguishing int literals from other literals
-    exists(this.getValue().toInt()) and
-    not this instanceof CharLiteral and
-    not this instanceof StringLiteral
-  }
-}
-
-/**
- * Holds if a StringLiteral could conceivably be used in some way for cryptography.
- * Note: this predicate should only consider restrictions with respect to strings only.
- * General restrictions are in the OpenSSLGenericSourceCandidateLiteral class.
- */
-private predicate isOpenSSLStringLiteralGenericSourceCandidate(StringLiteral s) {
-  // 'EC' is a constant that may be used where typical algorithms are specified,
-  // but EC specifically means set up a default curve container, that will later be
-  //specified explicitly (or if not a default) curve is used.
-  s.getValue() != "EC" and
-  // Ignore empty strings
-  s.getValue() != "" and
-  // Filter out strings with "%", to filter out format strings
-  not s.getValue().matches("%\\%%") and
-  // Filter out strings in brackets or braces (commonly seen strings not relevant for crypto)
-  not s.getValue().matches(["[%]", "(%)"]) and
-  // Filter out all strings of length 1, since these are not algorithm names
-  // NOTE/ASSUMPTION: If a user legitimately passes a string of length 1 to some configuration
-  // we will assume this is generally unknown. We may need to reassess this in the future.
-  s.getValue().length() > 1 and
-  // Ignore all strings that are in format string calls outputing to a stream (e.g., stdout)
-  not exists(FormattingFunctionCall f |
-    exists(f.getOutputArgument(true)) and s = f.(Call).getAnArgument()
-  ) and
-  // Ignore all format string calls where there is no known out param (resulting string)
-  // i.e., ignore printf, since it will just output a string and not produce a new string
-  not exists(FormattingFunctionCall f |
-    // Note: using two ways of determining if there is an out param, since I'm not sure
-    // which way is canonical
-    not exists(f.getOutputArgument(false)) and
-    not f.getTarget().hasTaintFlow(_, _) and
-    f.(Call).getAnArgument() = s
-  )
-}
-
-/**
- * Holds if a StringLiteral could conceivably be used in some way for cryptography.
- * Note: this predicate should only consider restrictions with respect to integers only.
- * General restrictions are in the OpenSSLGenericSourceCandidateLiteral class.
- */
-private predicate isOpenSSLIntLiteralGenericSourceCandidate(IntLiteral l) {
-  // Ignore integer values of 0, commonly referring to NULL only (no known algorithm 0)
-  l.getValue().toInt() != 0 and
-  // ASSUMPTION, no negative numbers are allowed
-  // RATIONALE: this is a performance improvement to avoid having to trace every number
-  not exists(UnaryMinusExpr u | u.getOperand() = l) and
-  //  OPENSSL has a special macro for getting every line, ignore it
-  not exists(MacroInvocation mi | mi.getExpr() = l and mi.getMacroName() = "OPENSSL_LINE") and
-  // Filter out cases where an int is returned into a pointer, e.g., return NULL;
-  not exists(ReturnStmt r |
-    r.getExpr() = l and
-    r.getEnclosingFunction().getType().getUnspecifiedType() instanceof DerivedType
-  ) and
-  // A literal as an array index should not be relevant for crypo
-  not exists(ArrayExpr op | op.getArrayOffset() = l) and
-  // A literal used in a bitwise should not be relevant for crypto
-  not exists(BinaryBitwiseOperation op | op.getAnOperand() = l) and
-  not exists(AssignBitwiseOperation op | op.getAnOperand() = l) and
-  //Filter out cases where an int is assigned or initialized into a pointer, e.g., char* x = NULL;
-  not exists(Assignment a |
-    a.getRValue() = l and
-    a.getLValue().getType().getUnspecifiedType() instanceof DerivedType
-  ) and
-  not exists(Initializer i |
-    i.getExpr() = l and
-    i.getDeclaration().getADeclarationEntry().getUnspecifiedType() instanceof DerivedType
-  ) and
-  // Filter out cases where the literal is used in any kind of arithmetic operation
-  not exists(BinaryArithmeticOperation op | op.getAnOperand() = l) and
-  not exists(UnaryArithmeticOperation op | op.getOperand() = l) and
-  not exists(AssignArithmeticOperation op | op.getAnOperand() = l) and
-  // If a literal has no parent ignore it, this is a workaround for the current inability
-  // to find a literal in an array declaration: int x[100];
-  // NOTE/ASSUMPTION: this value might actually be relevant for finding hard coded sizes
-  // consider size as inferred through the allocation of a buffer.
-  // In these cases, we advise that the source is not generic and must be traced explicitly.
-  exists(l.getParent())
-}
-
-/**
- * Any literal that may be conceivably be used in some way for cryptography.
- * The set of all literals is restricted by this class to cases where there is higher
- * plausibility that the literal could be used as a source of configuration.
- * Literals are filtered, for example, if they are used in a way no indicative of an algorithm use
- * such as in an array index, bitwise operation, or logical operation.
- * Note a case like this:
- *      if(algVal == "AES")
- *
- * "AES" may be a legitimate algorithm literal, but the literal will not be used for an operation directly
- * since it is in a equality comparison, hence this case would also be filtered.
- */
-class OpenSSLGenericSourceCandidateLiteral extends Literal {
-  OpenSSLGenericSourceCandidateLiteral() {
-    (
-      isOpenSSLIntLiteralGenericSourceCandidate(this) or
-      isOpenSSLStringLiteralGenericSourceCandidate(this)
-    ) and
-    // ********* General filters beyond what is filtered for strings and ints *********
-    // An algorithm literal in a switch case will not be directly applied to an operation.
-    not exists(SwitchCase sc | sc.getExpr() = this) and
-    // A literal in a logical operation may be an algorithm, but not a candidate
-    // for the purposes of finding applied algorithms
-    not exists(BinaryLogicalOperation op | op.getAnOperand() = this) and
-    not exists(UnaryLogicalOperation op | op.getOperand() = this) and
-    // A literal in a comparison operation may be an algorithm, but not a candidate
-    // for the purposes of finding applied algorithms
-    not exists(ComparisonOperation op | op.getAnOperand() = this)
-  }
-}

cpp/ql/lib/experimental/quantum/OpenSSL/OpenSSL.qll

@@ -1,7 +1,9 @@
+import cpp
+import semmle.code.cpp.dataflow.new.DataFlow
+
 module OpenSSLModel {
-  import AlgorithmInstances.OpenSSLAlgorithmInstances
-  import AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
-  import Operations.OpenSSLOperations
-  import Random
-  import GenericSourceCandidateLiteral
+  import experimental.quantum.Language
+  import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
+  import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+  import experimental.quantum.OpenSSL.Operations.OpenSSLOperations
 }

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/ECKeyGenOperation.qll

@@ -1,34 +0,0 @@
-private import experimental.quantum.Language
-private import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
-private import OpenSSLOperationBase
-private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
-private import semmle.code.cpp.dataflow.new.DataFlow
-
-class ECKeyGenOperation extends OpenSSLOperation, Crypto::KeyGenerationOperationInstance {
-  ECKeyGenOperation() { this.(Call).getTarget().getName() = "EC_KEY_generate_key" }
-
-  override Expr getAlgorithmArg() { result = this.(Call).getArgument(0) }
-
-  override Crypto::KeyArtifactType getOutputKeyType() { result = Crypto::TAsymmetricKeyType() }
-
-  override Crypto::ArtifactOutputDataFlowNode getOutputKeyArtifact() {
-    result.asExpr() = this.(Call).getArgument(0)
-  }
-
-  override Crypto::ConsumerInputDataFlowNode getKeySizeConsumer() {
-    none() // no explicit key size, inferred from algorithm
-  }
-
-  override int getKeySizeFixed() {
-    none()
-    // TODO: marked as none as the operation itself has no key size, it
-    // comes from the algorithm source, but note we could grab the
-    // algorithm source and get the key size (see below).
-    // We may need to reconsider what is the best approach here.
-    // result =
-    //   this.getAnAlgorithmValueConsumer()
-    //       .getAKnownAlgorithmSource()
-    //       .(Crypto::EllipticCurveInstance)
-    //       .getKeySize()
-  }
-}

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherInitializer.qll

@@ -3,9 +3,8 @@
  * Models cipher initialization for EVP cipher operations.
  */
 
-private import experimental.quantum.Language
-private import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
-private import OpenSSLOperationBase
+import experimental.quantum.Language
+import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
 
 module EncValToInitEncArgConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source.asExpr().getValue().toInt() in [0, 1] }
@@ -35,12 +34,19 @@ Crypto::KeyOperationSubtype intToCipherOperationSubtype(int i) {
 }
 
 // TODO: need to add key consumer
-abstract class EVP_Cipher_Initializer extends EVPInitialize {
-  override Expr getAlgorithmArg() { result = this.(Call).getArgument(1) }
+abstract class EVP_Cipher_Initializer extends Call {
+  Expr getContextArg() { result = this.(Call).getArgument(0) }
 
+  Expr getAlgorithmArg() { result = this.(Call).getArgument(1) }
+
+  abstract Expr getKeyArg();
+
+  abstract Expr getIVArg();
+
+  //   abstract Crypto::CipherOperationSubtype getCipherOperationSubtype();
   abstract Expr getOperationSubtypeArg();
 
-  override Crypto::KeyOperationSubtype getKeyOperationSubtype() {
+  Crypto::KeyOperationSubtype getCipherOperationSubtype() {
     if this.(Call).getTarget().getName().toLowerCase().matches("%encrypt%")
     then result instanceof Crypto::TEncryptMode
     else

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherOperation.qll

@@ -1,26 +1,37 @@
-private import experimental.quantum.Language
-private import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
-private import EVPCipherInitializer
-private import OpenSSLOperationBase
-private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+import experimental.quantum.Language
+import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
+import EVPCipherInitializer
+import OpenSSLOperationBase
+import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
 
-class EVP_Cipher_Update_Call extends EVPUpdate {
-  EVP_Cipher_Update_Call() {
-    this.(Call).getTarget().getName() in [
-        "EVP_EncryptUpdate", "EVP_DecryptUpdate", "EVP_CipherUpdate"
-      ]
+private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    exists(OpenSSLAlgorithmValueConsumer c | c.getResultNode() = source)
   }
 
-  override Expr getInputArg() { result = this.(Call).getArgument(3) }
-
-  override Expr getOutputArg() { result = this.(Call).getArgument(1) }
+  predicate isSink(DataFlow::Node sink) {
+    exists(EVP_Cipher_Operation c | c.getInitCall().getAlgorithmArg() = sink.asExpr())
+  }
 }
 
+private module AlgGetterToAlgConsumerFlow = DataFlow::Global<AlgGetterToAlgConsumerConfig>;
+
+// import experimental.quantum.OpenSSL.AlgorithmValueConsumers.AlgorithmValueConsumers
+// import OpenSSLOperation
+// class EVPCipherOutput extends CipherOutputArtifact {
+//   EVPCipherOutput() { exists(EVP_Cipher_Operation op | op.getOutputArg() = this) }
+//   override DataFlow::Node getOutputNode() { result.asDefiningArgument() = this }
+// }
+//
 /**
  * see: https://docs.openssl.org/master/man3/EVP_EncryptInit/#synopsis
  * Base configuration for all EVP cipher operations.
+ * NOTE: cannot extend instance of OpenSSLOperation, as we need to override
+ * elements of OpenSSLOperation (i.e., we are creating an instance)
  */
-abstract class EVP_Cipher_Operation extends EVPOperation, Crypto::KeyOperationInstance {
+abstract class EVP_Cipher_Operation extends OpenSSLOperation, Crypto::KeyOperationInstance {
+  Expr getContextArg() { result = this.(Call).getArgument(0) }
+
   override Expr getOutputArg() { result = this.(Call).getArgument(1) }
 
   override Crypto::KeyOperationSubtype getKeyOperationSubtype() {
@@ -30,48 +41,76 @@ abstract class EVP_Cipher_Operation extends EVPOperation, Crypto::KeyOperationIn
     result instanceof Crypto::TDecryptMode and
     this.(Call).getTarget().getName().toLowerCase().matches("%decrypt%")
     or
-    result = this.getInitCall().getKeyOperationSubtype() and
+    result = this.getInitCall().getCipherOperationSubtype() and
     this.(Call).getTarget().getName().toLowerCase().matches("%cipher%")
   }
 
+  EVP_Cipher_Initializer getInitCall() {
+    CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())
+  }
+
   override Crypto::ConsumerInputDataFlowNode getNonceConsumer() {
     this.getInitCall().getIVArg() = result.asExpr()
   }
 
+  override Crypto::ConsumerInputDataFlowNode getInputConsumer() { result = this.getInputNode() }
+
   override Crypto::ConsumerInputDataFlowNode getKeyConsumer() {
     this.getInitCall().getKeyArg() = result.asExpr()
-    // todo: or track to the EVP_PKEY_CTX_new
   }
 
-  override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() {
-    result = EVPOperation.super.getOutputArtifact()
-  }
+  override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() { result = this.getOutputNode() }
 
-  override Crypto::ConsumerInputDataFlowNode getInputConsumer() {
-    result = EVPOperation.super.getInputConsumer()
+  override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
+    AlgGetterToAlgConsumerFlow::flow(result.(OpenSSLAlgorithmValueConsumer).getResultNode(),
+      DataFlow::exprNode(this.getInitCall().getAlgorithmArg()))
   }
 }
 
-class EVP_Cipher_Call extends EVPOperation, EVP_Cipher_Operation {
+// abstract class EVP_Update_Call extends EVP_Cipher_Operation { }
+abstract class EVP_Final_Call extends EVP_Cipher_Operation {
+  override Expr getInputArg() { none() }
+}
+
+// TODO: only model Final (model final as operation and model update but not as an operation)
+// Updates are multiple input consumers (most important)
+// TODO: assuming update doesn't ouput, otherwise it outputs artifacts, but is not an operation
+class EVP_Cipher_Call extends EVP_Cipher_Operation {
   EVP_Cipher_Call() { this.(Call).getTarget().getName() = "EVP_Cipher" }
 
   override Expr getInputArg() { result = this.(Call).getArgument(2) }
 }
 
-class EVP_Cipher_Final_Call extends EVPFinal, EVP_Cipher_Operation {
-  EVP_Cipher_Final_Call() {
+// ******* TODO: model UPDATE but not as the core operation, rather a step towards final
+// see the JCA
+// class EVP_Encrypt_Decrypt_or_Cipher_Update_Call extends EVP_Update_Call {
+//   EVP_Encrypt_Decrypt_or_Cipher_Update_Call() {
+//     this.(Call).getTarget().getName() in [
+//         "EVP_EncryptUpdate", "EVP_DecryptUpdate", "EVP_CipherUpdate"
+//       ]
+//   }
+//   override Expr getInputArg() { result = this.(Call).getArgument(3) }
+// }
+class EVP_Encrypt_Decrypt_or_Cipher_Final_Call extends EVP_Final_Call {
+  EVP_Encrypt_Decrypt_or_Cipher_Final_Call() {
     this.(Call).getTarget().getName() in [
         "EVP_EncryptFinal_ex", "EVP_DecryptFinal_ex", "EVP_CipherFinal_ex", "EVP_EncryptFinal",
         "EVP_DecryptFinal", "EVP_CipherFinal"
       ]
   }
-
-  /**
-   * Output is both from update calls and from the final call.
-   */
-  override Expr getOutputArg() {
-    result = EVPFinal.super.getOutputArg()
-    or
-    result = EVP_Cipher_Operation.super.getOutputArg()
-  }
+}
+
+class EVP_PKEY_Operation extends EVP_Cipher_Operation {
+  EVP_PKEY_Operation() {
+    this.(Call).getTarget().getName() in ["EVP_PKEY_decrypt", "EVP_PKEY_encrypt"]
+  }
+
+  override Expr getInputArg() { result = this.(Call).getArgument(3) }
+  // TODO: how PKEY is initialized is different that symmetric cipher
+  // Consider making an entirely new class for this and specializing
+  // the get init call
+}
+
+class EVPCipherInputArgument extends Expr {
+  EVPCipherInputArgument() { exists(EVP_Cipher_Operation op | op.getInputArg() = this) }
 }

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPHashInitializer.qll

@@ -1,7 +1,10 @@
 import cpp
-private import OpenSSLOperationBase
 
-abstract class EVP_Hash_Initializer extends EVPInitialize { }
+abstract class EVP_Hash_Initializer extends Call {
+  Expr getContextArg() { result = this.(Call).getArgument(0) }
+
+  abstract Expr getAlgorithmArg();
+}
 
 class EVP_DigestInit_Variant_Calls extends EVP_Hash_Initializer {
   EVP_DigestInit_Variant_Calls() {

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPHashOperation.qll

@@ -2,50 +2,77 @@
  * https://docs.openssl.org/3.0/man3/EVP_DigestInit/#synopsis
  */
 
-private import experimental.quantum.Language
-private import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
-private import OpenSSLOperationBase
-private import EVPHashInitializer
-private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+import experimental.quantum.Language
+import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
+import experimental.quantum.OpenSSL.LibraryDetector
+import OpenSSLOperationBase
+import EVPHashInitializer
+import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
 
-class EVP_Digest_Update_Call extends EVPUpdate {
-  EVP_Digest_Update_Call() { this.(Call).getTarget().getName() = "EVP_DigestUpdate" }
+// import EVPHashConsumers
+abstract class EVP_Hash_Operation extends OpenSSLOperation, Crypto::HashOperationInstance {
+  Expr getContextArg() { result = this.(Call).getArgument(0) }
 
-  override Expr getInputArg() { result = this.(Call).getArgument(1) }
+  EVP_Hash_Initializer getInitCall() {
+    CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())
+  }
 }
 
+private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    exists(OpenSSLAlgorithmValueConsumer c | c.getResultNode() = source)
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(EVP_Hash_Operation c | c.getInitCall().getAlgorithmArg() = sink.asExpr())
+  }
+}
+
+private module AlgGetterToAlgConsumerFlow = DataFlow::Global<AlgGetterToAlgConsumerConfig>;
+
 //https://docs.openssl.org/3.0/man3/EVP_DigestInit/#synopsis
-class EVP_Q_Digest_Operation extends EVPOperation, Crypto::HashOperationInstance {
-  EVP_Q_Digest_Operation() { this.(Call).getTarget().getName() = "EVP_Q_digest" }
-
-  override Expr getAlgorithmArg() { result = this.(Call).getArgument(1) }
+class EVP_Q_Digest_Operation extends EVP_Hash_Operation {
+  EVP_Q_Digest_Operation() {
+    this.(Call).getTarget().getName() = "EVP_Q_digest" and
+    isPossibleOpenSSLFunction(this.(Call).getTarget())
+  }
 
+  //override Crypto::AlgorithmConsumer getAlgorithmConsumer() {  }
   override EVP_Hash_Initializer getInitCall() {
     // This variant of digest does not use an init
     // and even if it were used, the init would be ignored/undefined
     none()
   }
 
-  override Expr getInputArg() { result = this.(Call).getArgument(3) }
-
   override Expr getOutputArg() { result = this.(Call).getArgument(5) }
 
-  override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() {
-    result = EVPOperation.super.getOutputArtifact()
-  }
+  override Expr getInputArg() { result = this.(Call).getArgument(3) }
 
-  override Crypto::ConsumerInputDataFlowNode getInputConsumer() {
-    result = EVPOperation.super.getInputConsumer()
+  override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() { result = this.getOutputNode() }
+
+  override Crypto::ConsumerInputDataFlowNode getInputConsumer() { result = this.getInputNode() }
+
+  override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
+    // The operation is a direct algorithm consumer
+    // NOTE: the operation itself is already modeld as a value consumer, so we can
+    // simply return 'this', see modeled hash algorithm consuers for EVP_Q_Digest
+    this = result
   }
 }
 
-class EVP_Digest_Operation extends EVPOperation, Crypto::HashOperationInstance {
-  EVP_Digest_Operation() { this.(Call).getTarget().getName() = "EVP_Digest" }
+class EVP_Digest_Operation extends EVP_Hash_Operation {
+  EVP_Digest_Operation() {
+    this.(Call).getTarget().getName() = "EVP_Digest" and
+    isPossibleOpenSSLFunction(this.(Call).getTarget())
+  }
 
   // There is no context argument for this function
   override Expr getContextArg() { none() }
 
-  override Expr getAlgorithmArg() { result = this.(Call).getArgument(4) }
+  override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
+    AlgGetterToAlgConsumerFlow::flow(result.(OpenSSLAlgorithmValueConsumer).getResultNode(),
+      DataFlow::exprNode(this.(Call).getArgument(4)))
+  }
 
   override EVP_Hash_Initializer getInitCall() {
     // This variant of digest does not use an init
@@ -53,33 +80,38 @@ class EVP_Digest_Operation extends EVPOperation, Crypto::HashOperationInstance {
     none()
   }
 
-  override Expr getInputArg() { result = this.(Call).getArgument(0) }
-
   override Expr getOutputArg() { result = this.(Call).getArgument(2) }
 
-  override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() {
-    result = EVPOperation.super.getOutputArtifact()
-  }
+  override Expr getInputArg() { result = this.(Call).getArgument(0) }
 
-  override Crypto::ConsumerInputDataFlowNode getInputConsumer() {
-    result = EVPOperation.super.getInputConsumer()
-  }
-}
-
-class EVP_Digest_Final_Call extends EVPFinal, Crypto::HashOperationInstance {
-  EVP_Digest_Final_Call() {
-    this.(Call).getTarget().getName() in [
-        "EVP_DigestFinal", "EVP_DigestFinal_ex", "EVP_DigestFinalXOF"
-      ]
-  }
-
-  override Expr getOutputArg() { result = this.(Call).getArgument(1) }
-
-  override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() {
-    result = EVPFinal.super.getOutputArtifact()
-  }
-
-  override Crypto::ConsumerInputDataFlowNode getInputConsumer() {
-    result = EVPFinal.super.getInputConsumer()
-  }
+  override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() { result = this.getOutputNode() }
+
+  override Crypto::ConsumerInputDataFlowNode getInputConsumer() { result = this.getInputNode() }
 }
+// // override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
+// //   AlgGetterToAlgConsumerFlow::flow(result.(OpenSSLAlgorithmValueConsumer).getResultNode(),
+// //     DataFlow::exprNode(this.getInitCall().getAlgorithmArg()))
+// // }
+// // ***** TODO *** complete modelinlg for hash operations, but have consideration for terminal and non-terminal (non intermedaite) steps
+// // see the JCA. May need to update the cipher operations similarly
+// // ALSO SEE cipher for how we currently model initialization of the algorithm through an init call
+// class EVP_DigestUpdate_Operation extends EVP_Hash_Operation {
+//   EVP_DigestUpdate_Operation() {
+//     this.(Call).getTarget().getName() = "EVP_DigestUpdate" and
+//     isPossibleOpenSSLFunction(this.(Call).getTarget())
+//   }
+//   override Crypto::AlgorithmConsumer getAlgorithmConsumer() {
+//     this.getInitCall().getAlgorithmArg() = result
+//   }
+// }
+// class EVP_DigestFinal_Variants_Operation extends EVP_Hash_Operation {
+//   EVP_DigestFinal_Variants_Operation() {
+//     this.(Call).getTarget().getName() in [
+//         "EVP_DigestFinal", "EVP_DigestFinal_ex", "EVP_DigestFinalXOF"
+//       ] and
+//     isPossibleOpenSSLFunction(this.(Call).getTarget())
+//   }
+//   override Crypto::AlgorithmConsumer getAlgorithmConsumer() {
+//     this.getInitCall().getAlgorithmArg() = result
+//   }
+// }

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll

@@ -1,162 +1,21 @@
-private import experimental.quantum.Language
-private import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
-private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+import experimental.quantum.Language
 
-/**
- * A class for all OpenSSL operations.
- */
 abstract class OpenSSLOperation extends Crypto::OperationInstance instanceof Call {
-  /**
-   * Expression that specifies the algorithm for the operation.
-   * Will be an argument of the operation in the simplest case.
-   */
-  abstract Expr getAlgorithmArg();
-
-  /**
-   * Algorithm is specified in initialization call or is implicitly established by the key.
-   */
-  override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
-    AlgGetterToAlgConsumerFlow::flow(result.(OpenSSLAlgorithmValueConsumer).getResultNode(),
-      DataFlow::exprNode(this.getAlgorithmArg()))
-  }
-}
-
-/**
- * A Call to initialization functions from the EVP API.
- * These are not operations in the sense of Crypto::OperationInstance,
- * but they are used to initialize the context for the operation.
- */
-abstract class EVPInitialize extends Call {
-  /**
-   * Gets the context argument that ties together initialization, updates and/or final calls.
-   */
-  Expr getContextArg() { result = this.(Call).getArgument(0) }
-
-  /**
-   * Gets the type of key operation, none if not applicable.
-   */
-  Crypto::KeyOperationSubtype getKeyOperationSubtype() { none() }
-
-  /**
-   * Explicitly specified algorithm or none if implicit (e.g., established by the key).
-   * None if not applicable.
-   */
-  Expr getAlgorithmArg() { none() }
-
-  /**
-   * Gets the key for the operation, none if not applicable.
-   */
-  Expr getKeyArg() { none() }
-
-  /**
-   * Gets the IV/nonce, none if not applicable.
-   */
-  Expr getIVArg() { none() }
-}
-
-/**
- * A Call to update functions from the EVP API.
- * These are not operations in the sense of Crypto::OperationInstance,
- * but they are used to update the context for the operation.
- */
-abstract class EVPUpdate extends Call {
-  /**
-   * Gets the context argument that ties together initialization, updates and/or final calls.
-   */
-  Expr getContextArg() { result = this.(Call).getArgument(0) }
-
-  /**
-   * Update calls always have some input data like plaintext or message digest.
-   */
   abstract Expr getInputArg();
 
   /**
-   * Update calls sometimes have some output data like a plaintext.
-   */
-  Expr getOutputArg() { none() }
-}
-
-/**
- * Flows from algorithm values to operations, specific to OpenSSL
- */
-private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) {
-    exists(OpenSSLAlgorithmValueConsumer c | c.getResultNode() = source)
-  }
-
-  predicate isSink(DataFlow::Node sink) {
-    exists(EVPOperation c | c.getAlgorithmArg() = sink.asExpr())
-  }
-}
-
-private module AlgGetterToAlgConsumerFlow = DataFlow::Global<AlgGetterToAlgConsumerConfig>;
-
-/**
- * The base class for all operations of the EVP API.
- * This captures one-shot APIs (with and without an initilizer call) and final calls.
- * Provides some default methods for Crypto::KeyOperationInstance class
- */
-abstract class EVPOperation extends OpenSSLOperation {
-  /**
-   * Gets the context argument that ties together initialization, updates and/or final calls.
-   */
-  Expr getContextArg() { result = this.(Call).getArgument(0) }
-
-  /**
-   * Some input data like plaintext or message digest.
-   * Either argument provided direcly in the call or all arguments that were provided in update calls.
-   */
-  abstract Expr getInputArg();
-
-  /**
-   * Some output data like ciphertext or signature.
+   * Can be an argument of a call or a return value of a function.
    */
   abstract Expr getOutputArg();
 
-  /**
-   * Overwrite with an explicitly specified algorithm or leave base implementation to find it in the initialization call.
-   */
-  override Expr getAlgorithmArg() { result = this.getInitCall().getAlgorithmArg() }
-
-  /**
-   * Finds the initialization call, may be none.
-   */
-  EVPInitialize getInitCall() {
-    CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())
+  DataFlow::Node getInputNode() {
+    // Assumed to be default to asExpr
+    result.asExpr() = this.getInputArg()
   }
 
-  Crypto::ArtifactOutputDataFlowNode getOutputArtifact() {
-    result = DataFlow::exprNode(this.getOutputArg())
-  }
-
-  /**
-   * Input consumer is the input argument of the call.
-   */
-  Crypto::ConsumerInputDataFlowNode getInputConsumer() {
-    result = DataFlow::exprNode(this.getInputArg())
+  DataFlow::Node getOutputNode() {
+    if exists(Call c | c.getAnArgument() = this)
+    then result.asDefiningArgument() = this
+    else result.asExpr() = this
   }
 }
-
-/**
- * The final calls of the EVP API.
- */
-abstract class EVPFinal extends EVPOperation {
-  /**
-   * All update calls that were executed before this final call.
-   */
-  EVPUpdate getUpdateCalls() {
-    CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())
-  }
-
-  /**
-   * Gets the input data provided to all update calls.
-   * If more input data was provided in the final call, override the method.
-   */
-  override Expr getInputArg() { result = this.getUpdateCalls().getInputArg() }
-
-  /**
-   * Gets the output data provided to all update calls.
-   * If more output data was provided in the final call, override the method.
-   */
-  override Expr getOutputArg() { result = this.getUpdateCalls().getOutputArg() }
-}

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperations.qll

@@ -1,4 +1,3 @@
 import OpenSSLOperationBase
 import EVPCipherOperation
 import EVPHashOperation
-import ECKeyGenOperation

cpp/ql/lib/experimental/semmle/code/cpp/security/PrivateCleartextWrite.qll

@@ -42,8 +42,6 @@ module PrivateCleartextWrite {
     predicate isSink(DataFlow::Node sink) { sink instanceof Sink }
 
     predicate isBarrier(DataFlow::Node node) { node instanceof Sanitizer }
-
-    predicate observeDiffInformedIncrementalMode() { any() }
   }
 
   module WriteFlow = TaintTracking::Global<WriteConfig>;