diff --git a/cpp/ql/lib/experimental/cryptography/Concepts.qll b/cpp/ql/lib/experimental/cryptography/Concepts.qll new file mode 100644 index 00000000000..de29125614a --- /dev/null +++ b/cpp/ql/lib/experimental/cryptography/Concepts.qll @@ -0,0 +1,3 @@ +import experimental.cryptography.CryptoArtifact +import experimental.cryptography.CryptoAlgorithmNames +import experimental.cryptography.modules.OpenSSL as OpenSSL diff --git a/cpp/ql/lib/experimental/cryptography/CryptoAlgorithmNames.qll b/cpp/ql/lib/experimental/cryptography/CryptoAlgorithmNames.qll new file mode 100644 index 00000000000..5f29320ff14 --- /dev/null +++ b/cpp/ql/lib/experimental/cryptography/CryptoAlgorithmNames.qll @@ -0,0 +1,239 @@ +/** + * Names of known cryptographic algorithms. + * The names are standardized into upper-case, no spaces, dashes or underscores. + */ + +/** + * Returns a string to represent generally unknown algorithms. + * Predicate is to be used to get a consistent string representation + * for unknown algorithms. + */ +string unknownAlgorithm() { result = "UNKNOWN" } + +string getHashType() { result = "HASH" } + +string getSymmetricEncryptionType() { result = "SYMMETRIC_ENCRYPTION" } + +string getAsymmetricEncryptionType() { result = "ASYMMETRIC_ENCRYPTION" } + +string getKeyDerivationType() { result = "KEY_DERIVATION" } + +string getCipherBlockModeType() { result = "BLOCK_MODE" } + +string getSymmetricPaddingType() { result = "SYMMETRIC_PADDING" } + +string getAsymmetricPaddingType() { result = "ASYMMETRIC_PADDING" } + +string getEllipticCurveType() { result = "ELLIPTIC_CURVE" } + +string getSignatureType() { result = "SIGNATURE" } + +string getKeyExchangeType() { result = "KEY_EXCHANGE" } + +string getAsymmetricType() { + result in [ + getAsymmetricEncryptionType(), getSignatureType(), getKeyExchangeType(), + getEllipticCurveType() + ] +} + +predicate isKnownType(string algType) { + algType in [ + getHashType(), getSymmetricEncryptionType(), getAsymmetricEncryptionType(), + getKeyDerivationType(), getCipherBlockModeType(), getSymmetricPaddingType(), + getAsymmetricPaddingType(), getEllipticCurveType(), getSignatureType(), getKeyExchangeType() + ] +} + +predicate isKnownAlgorithm(string name) { isKnownAlgorithm(name, _) } + +predicate isKnownAlgorithm(string name, string algType) { + isHashingAlgorithm(name) and algType = "HASH" + or + isEncryptionAlgorithm(name, algType) and + algType in ["SYMMETRIC_ENCRYPTION", "ASYMMETRIC_ENCRYPTION"] + or + isKeyDerivationAlgorithm(name) and algType = "KEY_DERIVATION" + or + isCipherBlockModeAlgorithm(name) and algType = "BLOCK_MODE" + or + isPaddingAlgorithm(name, algType) and algType in ["SYMMETRIC_PADDING", "ASYMMETRIC_PADDING"] + or + isEllipticCurveAlgorithm(name) and algType = "ELLIPTIC_CURVE" + or + isSignatureAlgorithm(name) and algType = "SIGNATURE" + or + isKeyExchangeAlgorithm(name) and algType = "KEY_EXCHANGE" +} + +/** + * Holds if `name` is a known hashing algorithm in the model/library. + */ +predicate isHashingAlgorithm(string name) { + name = + [ + "BLAKE2", "BLAKE2B", "BLAKE2S", "SHA2", "SHA224", "SHA256", "SHA384", "SHA512", "SHA512224", + "SHA512256", "SHA3", "SHA3224", "SHA3256", "SHA3384", "SHA3512", "SHAKE128", "SHAKE256", + "SM3", "WHIRLPOOL", "POLY1305", "HAVEL128", "MD2", "MD4", "MD5", "PANAMA", "RIPEMD", + "RIPEMD128", "RIPEMD256", "RIPEMD160", "RIPEMD320", "SHA0", "SHA1", "SHA", "MGF1", "MGF1SHA1", + "MDC2", "SIPHASH" + ] +} + +predicate isEncryptionAlgorithm(string name, string algType) { + isAsymmetricEncryptionAlgorithm(name) and algType = "ASYMMETRIC_ENCRYPTION" + or + isSymmetricEncryptionAlgorithm(name) and algType = "SYMMETRIC_ENCRYPTION" +} + +predicate isEncryptionAlgorithm(string name) { isEncryptionAlgorithm(name, _) } + +/** + * Holds if `name` corresponds to a known symmetric encryption algorithm. + */ +predicate isSymmetricEncryptionAlgorithm(string name) { + // NOTE: AES is meant to caputure all possible key lengths + name = + [ + "AES", "AES128", "AES192", "AES256", "ARIA", "BLOWFISH", "BF", "ECIES", "CAST", "CAST5", + "CAMELLIA", "CAMELLIA128", "CAMELLIA192", "CAMELLIA256", "CHACHA", "CHACHA20", + "CHACHA20POLY1305", "GOST", "GOSTR34102001", "GOSTR341094", "GOSTR341194", "GOST2814789", + "GOSTR341194", "GOST2814789", "GOST28147", "GOSTR341094", "GOST89", "GOST94", "GOST34102012", + "GOST34112012", "IDEA", "RABBIT", "SEED", "SM4", "DES", "DESX", "3DES", "TDES", "2DES", + "DES3", "TRIPLEDES", "TDEA", "TRIPLEDEA", "ARC2", "RC2", "ARC4", "RC4", "ARCFOUR", "ARC5", + "RC5", "MAGMA", "KUZNYECHIK" + ] +} + +/** + * Holds if `name` corresponds to a known key derivation algorithm. + */ +predicate isKeyDerivationAlgorithm(string name) { + name = + [ + "ARGON2", "CONCATKDF", "CONCATKDFHASH", "CONCATKDFHMAC", "KBKDFCMAC", "BCRYPT", "HKDF", + "HKDFEXPAND", "KBKDF", "KBKDFHMAC", "PBKDF1", "PBKDF2", "PBKDF2HMAC", "PKCS5", "SCRYPT", + "X963KDF", "EVPKDF" + ] +} + +/** + * Holds if `name` corresponds to a known cipher block mode + */ +predicate isCipherBlockModeAlgorithm(string name) { + name = ["CBC", "GCM", "CCM", "CFB", "OFB", "CFB8", "CTR", "OPENPGP", "XTS", "EAX", "SIV", "ECB"] +} + +/** + * Holds if `name` corresponds to a known padding algorithm + */ +predicate isPaddingAlgorithm(string name, string algType) { + isSymmetricPaddingAlgorithm(name) and algType = "SYMMETRIC_PADDING" + or + isAsymmetricPaddingAlgorithm(name) and algType = "ASYMMETRIC_PADDING" +} + +/** + * holds if `name` corresponds to a known symmetric padding algorithm + */ +predicate isSymmetricPaddingAlgorithm(string name) { name = ["PKCS7", "ANSIX923"] } + +/** + * Holds if `name` corresponds to a known asymmetric padding algorithm + */ +predicate isAsymmetricPaddingAlgorithm(string name) { name = ["OAEP", "PKCS1V15", "PSS", "KEM"] } + +predicate isBrainpoolCurve(string curveName, int keySize) { + // ALL BRAINPOOL CURVES + keySize in [160, 192, 224, 256, 320, 384, 512] and + ( + curveName = "BRAINPOOLP" + keySize.toString() + "R1" + or + curveName = "BRAINPOOLP" + keySize.toString() + "T1" + ) +} + +predicate isSecCurve(string curveName, int keySize) { + // ALL SEC CURVES + keySize in [112, 113, 128, 131, 160, 163, 192, 193, 224, 233, 239, 256, 283, 384, 409, 521, 571] and + exists(string suff | suff in ["R1", "R2", "K1"] | + curveName = "SECT" + keySize.toString() + suff or + curveName = "SECP" + keySize.toString() + suff + ) +} + +predicate isC2Curve(string curveName, int keySize) { + // ALL C2 CURVES + keySize in [163, 176, 191, 208, 239, 272, 304, 359, 368, 431] and + exists(string pre, string suff | + pre in ["PNB", "ONB", "TNB"] and suff in ["V1", "V2", "V3", "V4", "V5", "W1", "R1"] + | + curveName = "C2" + pre + keySize.toString() + suff + ) +} + +predicate isPrimeCurve(string curveName, int keySize) { + // ALL PRIME CURVES + keySize in [192, 239, 256] and + exists(string suff | suff in ["V1", "V2", "V3"] | curveName = "PRIME" + keySize.toString() + suff) +} + +predicate isEllipticCurveAlgorithm(string curveName) { isEllipticCurveAlgorithm(curveName, _) } + +/** + * Holds if `name` corresponds to a known elliptic curve. + */ +predicate isEllipticCurveAlgorithm(string curveName, int keySize) { + isSecCurve(curveName, keySize) + or + isBrainpoolCurve(curveName, keySize) + or + isC2Curve(curveName, keySize) + or + isPrimeCurve(curveName, keySize) + or + curveName = "ES256" and keySize = 256 + or + curveName = "CURVE25519" and keySize = 255 + or + curveName = "X25519" and keySize = 255 + or + curveName = "ED25519" and keySize = 255 + or + curveName = "CURVE448" and keySize = 448 // TODO: need to check the key size + or + curveName = "ED448" and keySize = 448 + or + curveName = "X448" and keySize = 448 + or + curveName = "NUMSP256T1" and keySize = 256 + or + curveName = "NUMSP384T1" and keySize = 384 + or + curveName = "NUMSP512T1" and keySize = 512 + or + curveName = "SM2" and keySize in [256, 512] +} + +/** + * Holds if `name` corresponds to a known signature algorithm. + */ +predicate isSignatureAlgorithm(string name) { + name = + [ + "DSA", "ECDSA", "EDDSA", "ES256", "ES256K", "ES384", "ES512", "ED25519", "ED448", "ECDSA256", + "ECDSA384", "ECDSA512" + ] +} + +/** + * Holds if `name` is a key exchange algorithm. + */ +predicate isKeyExchangeAlgorithm(string name) { + name = ["ECDH", "DH", "DIFFIEHELLMAN", "X25519", "X448"] +} + +/** + * Holds if `name` corresponds to a known asymmetric encryption. + */ +predicate isAsymmetricEncryptionAlgorithm(string name) { name = ["RSA"] } diff --git a/cpp/ql/lib/experimental/cryptography/CryptoArtifact.qll b/cpp/ql/lib/experimental/cryptography/CryptoArtifact.qll new file mode 100644 index 00000000000..0bb22d688ed --- /dev/null +++ b/cpp/ql/lib/experimental/cryptography/CryptoArtifact.qll @@ -0,0 +1,316 @@ +import cpp +private import experimental.cryptography.CryptoAlgorithmNames +import semmle.code.cpp.ir.dataflow.TaintTracking + +/* + * A cryptographic artifact is a DataFlow::Node associated with some + * operation, algorithm, or any other aspect of cryptography. + */ + +abstract class CryptographicArtifact extends Expr { } + +// /** +// * Associates a symmetric encryption algorithm with a block mode. +// * The DataFlow::Node representing this association should be the +// * point where the algorithm and block mode are combined. +// * This may be at the call to encryption or in the construction +// * of an object prior to encryption. +// */ +// abstract class SymmetricCipher extends CryptographicArtifact{ +// abstract SymmetricEncryptionAlgorithm getEncryptionAlgorithm(); +// abstract BlockMode getBlockMode(); +// final predicate hasBlockMode(){ +// exists(this.getBlockMode()) +// } +// } +// /** +// * A cryptographic operation is a method call that invokes a cryptographic +// * algorithm (encrypt/decrypt) or a function in support of a cryptographic algorithm +// * (key generation). +// * +// * Since operations are related to or in support of algorithms, operations must +// * provide a reference to their associated algorithm. Often operataions themselves +// * encapsulate algorithms, so operations can also extend CryptographicAlgorithm +// * and refer to themselves as the target algorithm. +// */ +// abstract class CryptographicOperation extends CryptographicArtifact, Call{ +// // bindingset[paramName, ind] +// // final DataFlow::Node getParameterSource(int ind, string paramName){ +// // result = Utils::getUltimateSrcFromApiNode(this.(API::CallNode).getParameter(ind, paramName)) +// // } +// final string getAlgorithmName(){ +// if exists(this.getAlgorithm().getName()) +// then result = this.getAlgorithm().getName() +// else result = unknownAlgorithm() +// } +// final predicate hasAlgorithm(){ +// exists(this.getAlgorithm()) +// } +// final predicate isUnknownAlgorithm(){ +// this.getAlgorithmName() = unknownAlgorithm() +// or +// not this.hasAlgorithm() +// } +// // TODO: this might have to be parameterized by a configuration source for +// // situations where an operation is passed an algorithm +// abstract CryptographicAlgorithm getAlgorithm(); +// } +// /** A key generation operation for asymmetric keys */ +// abstract class KeyGen extends CryptographicOperation{ +// int getAKeySizeInBits(){ +// result = getKeySizeInBits(_) +// } +// final predicate hasKeySize(Expr configSrc){ +// exists(this.getKeySizeInBits(configSrc)) +// } +// final predicate hasKeySize(){ +// exists(this.getAKeySizeInBits()) +// } +// abstract Expr getKeyConfigSrc(); +// abstract int getKeySizeInBits(Expr configSrc); +// } +abstract class CryptographicOperation extends CryptographicArtifact, Call { } + +abstract class KeyGeneration extends CryptographicOperation { + // TODO: what if the algorithm is UNKNOWN? + abstract Expr getKeyConfigurationSource(CryptographicAlgorithm alg); + + abstract CryptographicAlgorithm getAlgorithm(); + + int getKeySizeInBits(CryptographicAlgorithm alg) { + result = this.getKeyConfigurationSource(alg).(Literal).getValue().toInt() + } + + predicate hasConstantKeySize(CryptographicAlgorithm alg) { exists(this.getKeySizeInBits(alg)) } + + predicate hasKeyConfigurationSource(CryptographicAlgorithm alg) { + exists(this.getKeyConfigurationSource(alg)) + } + + Expr getAKeyConfigurationSource() { result = this.getKeyConfigurationSource(_) } +} + +abstract class AsymmetricKeyGeneration extends KeyGeneration { } + +abstract class SymmetricKeyGeneration extends KeyGeneration { } + +/** + * A cryptographic algorithm is a `CryptographicArtifact` + * representing a cryptographic algorithm (see `CryptoAlgorithmNames.qll`). + * Cryptographic algorithms can be functions referencing common crypto algorithms (e.g., hashlib.md5) + * or strings that are used in cryptographic operation configurations (e.g., hashlib.new("md5")). + * Cryptogrpahic algorithms may also be operations that wrap or abstract one or + * more algorithms (e.g., cyrptography.fernet.Fernet and AES, CBC and PKCS7). + * + * In principle, this class should model the location where an algorithm enters the program, not + * necessarily where it is used. + */ +abstract class CryptographicAlgorithm extends CryptographicArtifact { + abstract string getName(); + + abstract string getAlgType(); + + // string getAlgType(){ + // if this instanceof HashAlgorithm then result = getHashType() + // else if this instanceof KeyDerivationAlgorithm then result = getKeyDerivationType() + // else if this instanceof SymmetricEncryptionAlgorithm then result = getSymmetricEncryptionType() + // else if this instanceof AsymmetricEncryptionAlgorithm then result = getAsymmetricEncryptionType() + // else if this instanceof SymmetricEncryptionAlgorithm then result = getSymmetricPaddingType() + // else if this instanceof AsymmetricEncryptionAlgorithm then result = getAsymmetricPaddingType() + // else if this instanceof EllipticCurveAlgorithm then result = getEllipticCurveType() + // else if this instanceof BlockMode then result = getCipherBlockModeType() + // else if this instanceof KeyExchangeAlgorithm then result = getKeyExchangeType() + // else if this instanceof SigningAlgorithm then result = getSignatureType() + // else result = unknownAlgorithm() + // } + // TODO: handle case where name isn't known, not just unknown? + /** + * Normalizes a raw name into a normalized name as found in `CryptoAlgorithmNames.qll`. + * Subclassess should override for more api-specific normalization. + * By deafult, converts a raw name to upper-case with no hyphen, underscore, hash, or space. + */ + bindingset[s] + string normalizeName(string s) { + exists(string normStr | normStr = s.toUpperCase().regexpReplaceAll("[-_ ]|/", "") | + result = normStr and isKnownAlgorithm(result) + or + result = unknownAlgorithm() and not isKnownAlgorithm(normStr) + ) + } + + abstract Expr configurationSink(); + + predicate hasConfigurationSink() { exists(this.configurationSink()) } +} + +abstract class HashAlgorithm extends CryptographicAlgorithm { + final string getHashName() { + if exists(string n | n = this.getName() and isHashingAlgorithm(n)) + then isHashingAlgorithm(result) and result = this.getName() + else result = unknownAlgorithm() + } + + override string getAlgType() { result = getHashType() } +} + +abstract class KeyDerivationAlgorithm extends CryptographicAlgorithm { + final string getKDFName() { + if exists(string n | n = this.getName() and isKeyDerivationAlgorithm(n)) + then isKeyDerivationAlgorithm(result) and result = this.getName() + else result = unknownAlgorithm() + } + + override string getAlgType() { result = getKeyDerivationType() } +} + +// abstract class KeyDerivationOperation extends CryptographicOperation{ +// DataFlow::Node getIterationSizeSrc(){ +// none() +// } +// DataFlow::Node getSaltConfigSrc(){ +// none() +// } +// DataFlow::Node getHashConfigSrc(){ +// none() +// } +// // TODO: get encryption algorithm for CBC-based KDF? +// DataFlow::Node getDerivedKeySizeSrc(){ +// none() +// } +// DataFlow::Node getModeSrc(){ +// none() +// } +// // TODO: add more to cover all the parameters of most KDF operations? Perhaps subclass for each type? +// abstract predicate requiresIteration(); +// abstract predicate requiresSalt(); +// abstract predicate requiresHash(); +// //abstract predicate requiresKeySize(); // Going to assume all requires a size +// abstract predicate requiresMode(); +// } +abstract class EncryptionAlgorithm extends CryptographicAlgorithm { + final predicate isAsymmetric() { this instanceof AsymmetricEncryptionAlgorithm } + + final predicate isSymmetric() { not this.isAsymmetric() } + // NOTE: DO_NOT add getEncryptionName here, we rely on the fact the parent + // class does not have this common predicate. +} + +/** + * A parent class to represent any algorithm for which + * asymmetric cryptography is involved. + * Intended to be distinct from AsymmetricEncryptionAlgorithm + * which is intended only for asymmetric algorithms that specifically encrypt. + */ +abstract class AsymmetricAlgorithm extends CryptographicAlgorithm { } + +/** + * Algorithms directly or indirectly related to asymmetric encryption, + * e.g., RSA, DSA, but also RSA padding algorithms + */ +abstract class AsymmetricEncryptionAlgorithm extends AsymmetricAlgorithm, EncryptionAlgorithm { + final string getEncryptionName() { + if exists(string n | n = this.getName() and isAsymmetricEncryptionAlgorithm(n)) + then isAsymmetricEncryptionAlgorithm(result) and result = this.getName() + else result = unknownAlgorithm() + } + + override string getAlgType() { result = getAsymmetricEncryptionType() } +} + +/** + * Algorithms directly or indirectly related to symmetric encryption, + * e.g., AES, DES, but also block modes and padding + */ +abstract class SymmetricEncryptionAlgorithm extends EncryptionAlgorithm { + final string getEncryptionName() { + if exists(string n | n = this.getName() and isSymmetricEncryptionAlgorithm(n)) + then isSymmetricEncryptionAlgorithm(result) and result = this.getName() + else result = unknownAlgorithm() + } + + // TODO: add a stream cipher predicate? + override string getAlgType() { result = getSymmetricEncryptionType() } +} + +// Used only to categorize all padding into a single object, +// DO_NOT add predicates here. Only for categorization purposes. +abstract class PaddingAlgorithm extends CryptographicAlgorithm { } + +abstract class SymmetricPadding extends PaddingAlgorithm { + final string getPaddingName() { + if exists(string n | n = this.getName() and isSymmetricPaddingAlgorithm(n)) + then isSymmetricPaddingAlgorithm(result) and result = this.getName() + else result = unknownAlgorithm() + } + + override string getAlgType() { result = getSymmetricPaddingType() } +} + +abstract class AsymmetricPadding extends PaddingAlgorithm { + final string getPaddingName() { + if exists(string n | n = this.getName() and isAsymmetricPaddingAlgorithm(n)) + then isAsymmetricPaddingAlgorithm(result) and result = this.getName() + else result = unknownAlgorithm() + } + + override string getAlgType() { result = getAsymmetricPaddingType() } +} + +abstract class EllipticCurveAlgorithm extends AsymmetricAlgorithm { + final string getCurveName() { + if exists(string n | n = this.getName() and isEllipticCurveAlgorithm(n)) + then isEllipticCurveAlgorithm(result) and result = this.getName() + else result = unknownAlgorithm() + } + + final int getCurveBitSize() { isEllipticCurveAlgorithm(this.getCurveName(), result) } + + override string getAlgType() { result = getEllipticCurveType() } +} + +abstract class BlockModeAlgorithm extends CryptographicAlgorithm { + final string getBlockModeName() { + if exists(string n | n = this.getName() and isCipherBlockModeAlgorithm(n)) + then isCipherBlockModeAlgorithm(result) and result = this.getName() + else result = unknownAlgorithm() + } + + /** + * Gets the source of the IV configuration. + */ + abstract Expr getIVorNonce(); + + final predicate hasIVorNonce() { exists(this.getIVorNonce()) } + + override string getAlgType() { result = getCipherBlockModeType() } +} + +// abstract class KeyWrapOperation extends CryptographicOperation{ +// } +abstract class AuthenticatedEncryptionAlgorithm extends SymmetricEncryptionAlgorithm { + final string getAuthticatedEncryptionName() { + if exists(string n | n = this.getName() and isSymmetricEncryptionAlgorithm(n)) + then isSymmetricEncryptionAlgorithm(result) and result = this.getName() + else result = unknownAlgorithm() + } +} + +abstract class KeyExchangeAlgorithm extends AsymmetricAlgorithm { + final string getKeyExchangeName() { + if exists(string n | n = this.getName() and isKeyExchangeAlgorithm(n)) + then isKeyExchangeAlgorithm(result) and result = this.getName() + else result = unknownAlgorithm() + } + + override string getAlgType() { result = getKeyExchangeType() } +} + +abstract class SigningAlgorithm extends AsymmetricAlgorithm { + final string getSigningName() { + if exists(string n | n = this.getName() and isSignatureAlgorithm(n)) + then isSignatureAlgorithm(result) and result = this.getName() + else result = unknownAlgorithm() + } + + override string getAlgType() { result = getSignatureType() } +} diff --git a/cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll b/cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll new file mode 100644 index 00000000000..c98967ed635 --- /dev/null +++ b/cpp/ql/lib/experimental/cryptography/modules/OpenSSL.qll @@ -0,0 +1,718 @@ +import cpp +import experimental.cryptography.CryptoAlgorithmNames +import experimental.cryptography.CryptoArtifact +import experimental.cryptography.utils.OpenSSL.CryptoFunction +import experimental.cryptography.utils.OpenSSL.AlgorithmSink +import experimental.cryptography.utils.OpenSSL.PassthroughFunction +import experimental.cryptography.utils.OpenSSL.CryptoAlgorithm +import experimental.cryptography.CryptoArtifact +// import semmle.code.cpp.ir.dataflow.TaintTracking +import semmle.code.cpp.ir.dataflow.DataFlow + +/** + * Problematic case in OpenSSL speed.c + * static const char *names[ALGOR_NUM] = { + * "md2", "mdc2", "md4", "md5", "sha1", "rmd160", + * "sha256", "sha512", "whirlpool", "hmac(md5)", + * "des-cbc", "des-ede3", "rc4", "idea-cbc", "seed-cbc", + * "rc2-cbc", "rc5-cbc", "blowfish", "cast-cbc", + * "aes-128-cbc", "aes-192-cbc", "aes-256-cbc", + * "camellia-128-cbc", "camellia-192-cbc", "camellia-256-cbc", + * "evp", "ghash", "rand", "cmac" + * }; + * + * Every entry is considered a block mode, hash, and symmetric encryption algorithm + * getEncryptionName for example, will return unknown + */ +predicate nodeToExpr(DataFlow::Node node, Expr e) { + e = node.asExpr() or e = node.asIndirectArgument() +} + +Expr getExprFromNode(DataFlow::Node node) { nodeToExpr(node, result) } + +DataFlow::Node getNodeFromExpr(Expr e) { nodeToExpr(result, e) } + +predicate isEVP_PKEY_CTX(Type t) { t.getUnderlyingType().stripType().getName() = "evp_pkey_ctx_st" } + +/** + * An expression representing an EVP_PKEY_CTX* at the location of a + * known AlgorithmSinkArgument. + * The EVP_PKEY_CTX* represents the location where the CTX is tied to the algorithm, + * and can be used as a source for tracing EVP_PKEY_CTX to other operations. + */ +class Known_EVP_PKEY_CTX_Ptr_Source extends Expr { + Known_EVP_PKEY_CTX_Ptr_Source() { + isEVP_PKEY_CTX(this.getUnderlyingType()) and + this.getUnderlyingType() instanceof PointerType and + exists(AlgorithmSinkArgument arg, Call sinkCall | + arg.getSinkCall() = sinkCall and + sinkCall.getAnArgument() = this + or + this = sinkCall + ) + } +} + +// module CTXFlow implements DataFlow::ConfigSig{ +// predicate isSource(DataFlow::Node source) { +// // ASSUMPTION: at a sink, an algorithm is converted into a CTX through a return of the call only +// // and is the primary source of interest for CTX tracing +// source.asExpr() instanceof AlgorithmSinkArgument +// } +// predicate isSink(DataFlow::Node sink){ +// sink.asExpr() instanceof CTXSink +// } +// predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { +// // cls.getName() = "asn1_object_st" flow out on any EVP_PKEY_CTX which is "evp_pkey_ctx_st" +// exists(Call c | +// isEVP_PKEY_CTX(c.getUnderlyingType()) and +// node1.asExpr() = c.getAnArgument() and c = node2.asExpr()) +// } +// } +// module CTXFlowConfig = DataFlow::Global; +// TODO: currently only handles tracing from literals to sinks +module LiteralAlgorithmTracerConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { + source.asExpr() instanceof Literal and + // Optimization to reduce literal tracing on integers to only those that are known/relevant NIDs. + ( + exists(source.asExpr().getValue().toInt()) + implies + source.asExpr().getValue().toInt() < getNIDMax() + ) and + // False positives observed inside OBJ_nid2* and OBJ_sn2* functions where NULL is a possible assignment. + // While this is a concern, it only occurs if the object being referenced is NULL to begin with + // Perhaps a different query should be used to find these caes if they represent a threat. + // Filter out any open ssl function source in a function namae Obj_* + // False positives in OpenSSL also observed for CRYPTO_strndup (filtering any CRYPTO_* function) + // due to setting a null byte in the string + ( + isPossibleOpenSSLFunction(source.getEnclosingCallable()) + implies + ( + not source.getEnclosingCallable().getName().matches("OBJ_%") and + not source.getEnclosingCallable().getName().matches("CRYPTO_%") + ) + ) + } + + predicate isSink(DataFlow::Node sink) { + // A sink is a call to a function that takes an algorithm as an argument + // must include checks for asIndirectArgument since the input may be a pointer to an object + // and the member of the object holds the algorithm on the trace. + getExprFromNode(sink) instanceof AlgorithmSinkArgument + } + + predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { + knownPassThroughStep(node1, node2) + } + + predicate isBarrier(DataFlow::Node node) { + // If the node is the 'next' argument of a isCallPassThrough, it is only allowed if it is an out parameter + // i.e., a defining argument. This barrier says that if the node is an expression not an out parameter, it is filtered. + // Out arguments will not be filtered. + exists(Call c | knownPassthoughCall(c, _, node.asExpr()) and c.getAnArgument() = node.asExpr()) + or + // False positive reducer, don't flow out through argv + node.asVariable().hasName("argv") + or + node.asIndirectVariable().hasName("argv") + } + + predicate allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c) { + // Assume a read on crypto identifying field for any object of type asn1_object_st (i.e., ASN1_OBJECT) + exists(Class cls | cls.getName() = "asn1_object_st" | + node.getType().getUnspecifiedType().stripType() = cls and + c.(DataFlow::FieldContent).getField() = cls.getAMember() and + c.(DataFlow::FieldContent).getField().getName() in ["nid", "sn", "ln"] + ) + } +} + +module LiteralAlgorithmTracer = DataFlow::Global; + +/** + * `source` is an expression that is a source of an algorithm of type `algType`. + * `algType` may be `UNKONWN`. + * See CryptoAlgorithmNames for other possible values of `algType`. + */ +bindingset[sinkAlgType] +predicate hasLiteralPathToAlgSink(DataFlow::Node source, DataFlow::Node sink, string sinkAlgType) { + LiteralAlgorithmTracer::flow(source, sink) and + getExprFromNode(sink).(AlgorithmSinkArgument).algType() = sinkAlgType +} + +private predicate knownTracedAlgorithm(Literal e, string srcSinkType) { + knownTracedAlgorithm(e, srcSinkType, srcSinkType) +} + +private predicate knownTracedAlgorithm(Literal e, string srcType, string sinkType) { + resolveAlgorithmFromLiteral(e, _, srcType) and + hasLiteralPathToAlgSink(DataFlow::exprNode(e), _, sinkType) and + isKnownType(sinkType) and + isKnownType(srcType) +} + +private predicate unknownTracedLiteralAlgorithm(Literal e, string srcSinkType) { + // Asymmetric special case: + // Since asymmetric algorithm sinks are used for various categories of asymmetric algorithms + // an asymmetric algorithm is only unknown if there is no trace from any asymmetric type to the given srcSinkType sink + if getAsymmetricType() = srcSinkType + then forall(string t | t = getAsymmetricType() | unknownTracedLiteralAlgorithm(e, t, srcSinkType)) + else unknownTracedLiteralAlgorithm(e, srcSinkType, srcSinkType) +} + +private predicate unknownTracedLiteralAlgorithm(Literal e, string srcType, string sinkType) { + // the literal resolves to an algorithm, but not to the sinktype + // or generally doesn't resolve to any algorithm type + // this case covers 'nonsense' cases e.g., use RSA for symmetric encryption + not resolveAlgorithmFromLiteral(e, _, srcType) and + isValidAlgorithmLiteral(e) and + hasLiteralPathToAlgSink(DataFlow::exprNode(e), _, sinkType) and + isKnownType(sinkType) and + isKnownType(srcType) +} + +private predicate unknownTracedNonLiteralAlgorithm(AlgorithmSinkArgument e, string srcSinkType) { + // Asymmetric special case: + // Since asymmetric algorithm sinks are used for various categories of asymmetric algorithms + // an asymmetric algorithm is only unknown if there is no trace from any asymmetric type to the given srcSinkType sink + if getAsymmetricType() = srcSinkType + then + forall(string t | t = getAsymmetricType() | unknownTracedNonLiteralAlgorithm(e, t, srcSinkType)) + else unknownTracedNonLiteralAlgorithm(e, srcSinkType, srcSinkType) +} + +private predicate unknownTracedNonLiteralAlgorithm( + AlgorithmSinkArgument e, string srcType, string sinkType +) { + not hasLiteralPathToAlgSink(_, getNodeFromExpr(e), srcType) and + LiteralAlgorithmTracerConfig::isSink(getNodeFromExpr(e)) and + e.algType() = sinkType and + isKnownType(srcType) and + isKnownType(sinkType) +} + +private predicate functionAlgorithm(Call c, string algType) { + isOpenSSLCryptoFunctionCall(c, _, algType) +} + +abstract class OpenSSLTracedAlgorithm extends CryptographicAlgorithm { + override string getName() { resolveAlgorithmFromLiteral(this, result, this.getAlgType()) } + + override Expr configurationSink() { + exists(DataFlow::Node sink | + hasLiteralPathToAlgSink(DataFlow::exprNode(this), sink, this.getAlgType()) + | + result = getExprFromNode(sink) + ) + } +} + +abstract class OpenSSLFunctionAlgorithm extends CryptographicAlgorithm { + override string getName() { isOpenSSLCryptoFunctionCall(this, result, this.getAlgType()) } + + override Expr configurationSink() { result = this } +} + +abstract class OpenSSLUnknownTracedLiteralAlgorithm extends CryptographicAlgorithm { + override string getName() { result = unknownAlgorithm() } + + override Expr configurationSink() { + exists(DataFlow::Node sink | + hasLiteralPathToAlgSink(DataFlow::exprNode(this), sink, this.getAlgType()) + | + result = getExprFromNode(sink) + ) + } +} + +abstract class OpenSSLUnknownTracedNonLiteralAlgorithm extends CryptographicAlgorithm { + override string getName() { result = unknownAlgorithm() } + + override Expr configurationSink() { result = this } +} + +module SymmetricEncryption { + abstract class OpenSSLSymmetricEncryptionAlgorithm extends SymmetricEncryptionAlgorithm { } + + class OpenSSLSymmetricEncryptionTracedAlgorithm extends OpenSSLTracedAlgorithm, + OpenSSLSymmetricEncryptionAlgorithm + { + OpenSSLSymmetricEncryptionTracedAlgorithm() { + knownTracedAlgorithm(this, getSymmetricEncryptionType()) + } + } + + class OpenSSLSymmetricEncryptionFunctionAlgorithm extends OpenSSLFunctionAlgorithm, + OpenSSLSymmetricEncryptionAlgorithm + { + OpenSSLSymmetricEncryptionFunctionAlgorithm() { + functionAlgorithm(this, getSymmetricEncryptionType()) + } + } + + class OpenSSLSymmetricEncryptionTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm, + OpenSSLSymmetricEncryptionAlgorithm + { + OpenSSLSymmetricEncryptionTracedUnknownLiteralAlgorithm() { + unknownTracedLiteralAlgorithm(this, getSymmetricEncryptionType()) + } + } + + class OpenSSLSymmetricEncryptionUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm, + OpenSSLSymmetricEncryptionAlgorithm + { + OpenSSLSymmetricEncryptionUnknownNonLiteralTracedAlgorithm() { + unknownTracedNonLiteralAlgorithm(this, getSymmetricEncryptionType()) + } + } +} + +module BlockModes { + /** + * In OpenSSL, block modes are associated directly with symmetric encryption algorithms. + * As such, OpenSSLBLockModes are modeled as extensions of any openssl symmetric encryption algorithm + */ + class OpenSSLBlockModeAlgorithm extends BlockModeAlgorithm, Expr instanceof SymmetricEncryption::OpenSSLSymmetricEncryptionAlgorithm + { + OpenSSLBlockModeAlgorithm() { + //two cases, either the block mode is a literal or it is a function call + resolveAlgorithmFromLiteral(this, _, "BLOCK_MODE") + or + isOpenSSLCryptoFunctionCall(this, _, "BLOCK_MODE") + } + + override string getName() { + resolveAlgorithmFromLiteral(this, result, "BLOCK_MODE") + or + isOpenSSLCryptoFunctionCall(this, result, "BLOCK_MODE") + } + + override Expr configurationSink() { + result = this.(SymmetricEncryption::OpenSSLSymmetricEncryptionAlgorithm).configurationSink() + } + + override Expr getIVorNonce() { + // TODO + none() + } + } + + class UnknownOpenSSLBlockModeAlgorithm extends BlockModeAlgorithm, Expr instanceof SymmetricEncryption::OpenSSLSymmetricEncryptionAlgorithm + { + UnknownOpenSSLBlockModeAlgorithm() { + //two cases, either the block mode is a literal or it is a function call + not resolveAlgorithmFromLiteral(this, _, "BLOCK_MODE") and + not isOpenSSLCryptoFunctionCall(this, _, "BLOCK_MODE") + } + + override string getName() { result = unknownAlgorithm() } + + override Expr configurationSink() { + result = this.(SymmetricEncryption::OpenSSLSymmetricEncryptionAlgorithm).configurationSink() + } + + override Expr getIVorNonce() { none() } + } +} + +module Hashes { + abstract class OpenSSLHashAlgorithm extends HashAlgorithm { } + + class OpenSSLHashTracedAlgorithm extends OpenSSLTracedAlgorithm, OpenSSLHashAlgorithm { + OpenSSLHashTracedAlgorithm() { knownTracedAlgorithm(this, getHashType()) } + } + + class OpenSSLHashFunctionAlgorithm extends OpenSSLFunctionAlgorithm, OpenSSLHashAlgorithm { + OpenSSLHashFunctionAlgorithm() { functionAlgorithm(this, getHashType()) } + } + + class OpenSSLHashTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm, + OpenSSLHashAlgorithm + { + OpenSSLHashTracedUnknownLiteralAlgorithm() { + unknownTracedLiteralAlgorithm(this, getHashType()) + } + } + + class OpenSSLHashUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm, + OpenSSLHashAlgorithm + { + OpenSSLHashUnknownNonLiteralTracedAlgorithm() { + unknownTracedNonLiteralAlgorithm(this, getHashType()) + } + } + + class OpenSSLNullHash extends HashAlgorithm { + OpenSSLNullHash() { + exists(Call c | + this = c and + isPossibleOpenSSLFunction(c.getTarget()) and + c.getTarget().getName() in ["EVP_md_null"] + ) + } + + override string getName() { result = unknownAlgorithm() } + + override Expr configurationSink() { result = this } + } +} + +module EllipticCurves { + // TODO: need to address EVP_PKEY_Q_keygen where the type is "EC" but the curve is UNKNOWN? + class OpenSSLEllipticCurveTracedAlgorithm extends OpenSSLTracedAlgorithm, EllipticCurveAlgorithm { + OpenSSLEllipticCurveTracedAlgorithm() { knownTracedAlgorithm(this, getEllipticCurveType()) } + } + + class OpenSSLEllipticCurveFunctionAlgorithm extends OpenSSLFunctionAlgorithm, + EllipticCurveAlgorithm + { + OpenSSLEllipticCurveFunctionAlgorithm() { functionAlgorithm(this, getEllipticCurveType()) } + } + + class OpenSSLEllipticCurveTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm, + EllipticCurveAlgorithm + { + OpenSSLEllipticCurveTracedUnknownLiteralAlgorithm() { + unknownTracedLiteralAlgorithm(this, getEllipticCurveType()) + } + } + + class OpenSSLEllipticCurvehUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm, + EllipticCurveAlgorithm + { + OpenSSLEllipticCurvehUnknownNonLiteralTracedAlgorithm() { + unknownTracedNonLiteralAlgorithm(this, getEllipticCurveType()) + } + } + + // https://www.openssl.org/docs/manmaster/man3/EC_KEY_new_ex.html + class OpenSSLNullEllipticCurve extends EllipticCurveAlgorithm { + OpenSSLNullEllipticCurve() { + exists(Call c | + this = c and + isPossibleOpenSSLFunction(c.getTarget()) and + c.getTarget().getName() in ["EC_KEY_new", "EC_KEY_new_ex"] + ) + } + + override string getName() { result = unknownAlgorithm() } + + override Expr configurationSink() { result = this } + } +} + +module AsymmetricEncryption { + class OpenSSLAsymmetricEncryptionTracedAlgorithm extends OpenSSLTracedAlgorithm, + AsymmetricEncryptionAlgorithm + { + OpenSSLAsymmetricEncryptionTracedAlgorithm() { + knownTracedAlgorithm(this, getAsymmetricEncryptionType()) + } + } + + class OpenSSLAsymmetricEncryptionFunctionAlgorithm extends OpenSSLFunctionAlgorithm, + AsymmetricEncryptionAlgorithm + { + OpenSSLAsymmetricEncryptionFunctionAlgorithm() { + functionAlgorithm(this, getAsymmetricEncryptionType()) + } + } + + class OpenSSLAsymmetricEncryptionTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm, + AsymmetricEncryptionAlgorithm + { + OpenSSLAsymmetricEncryptionTracedUnknownLiteralAlgorithm() { + unknownTracedLiteralAlgorithm(this, getAsymmetricEncryptionType()) + } + } + + class OpenSSLAsymmetricEncryptionUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm, + AsymmetricEncryptionAlgorithm + { + OpenSSLAsymmetricEncryptionUnknownNonLiteralTracedAlgorithm() { + unknownTracedNonLiteralAlgorithm(this, getAsymmetricEncryptionType()) + } + } +} + +module SigningAlgorithms { + class OpenSSLSignatureTracedAlgorithm extends OpenSSLTracedAlgorithm, SigningAlgorithm { + OpenSSLSignatureTracedAlgorithm() { knownTracedAlgorithm(this, getSignatureType()) } + } + + class OpenSSLSignatureFunctionAlgorithm extends OpenSSLFunctionAlgorithm, SigningAlgorithm { + OpenSSLSignatureFunctionAlgorithm() { functionAlgorithm(this, getSignatureType()) } + } + + class OpenSSLSignatureTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm, + SigningAlgorithm + { + OpenSSLSignatureTracedUnknownLiteralAlgorithm() { + unknownTracedLiteralAlgorithm(this, getSignatureType()) + } + } + + class OpenSSLSignatureUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm, + SigningAlgorithm + { + OpenSSLSignatureUnknownNonLiteralTracedAlgorithm() { + unknownTracedNonLiteralAlgorithm(this, getSignatureType()) + } + } +} + +module KeyExchange { + class OpenSSLKeyExchangeTracedAlgorithm extends OpenSSLTracedAlgorithm, KeyExchangeAlgorithm { + OpenSSLKeyExchangeTracedAlgorithm() { knownTracedAlgorithm(this, getKeyExchangeType()) } + } + + class OpenSSLKeyExchangeFunctionAlgorithm extends OpenSSLFunctionAlgorithm, KeyExchangeAlgorithm { + OpenSSLKeyExchangeFunctionAlgorithm() { functionAlgorithm(this, getKeyExchangeType()) } + } + + class OpenSSLKeyExchangeTracedUnknownLiteralAlgorithm extends OpenSSLUnknownTracedLiteralAlgorithm, + KeyExchangeAlgorithm + { + OpenSSLKeyExchangeTracedUnknownLiteralAlgorithm() { + unknownTracedLiteralAlgorithm(this, getKeyExchangeType()) + } + } + + class OpenSSLKeyExchangeUnknownNonLiteralTracedAlgorithm extends OpenSSLUnknownTracedNonLiteralAlgorithm, + KeyExchangeAlgorithm + { + OpenSSLKeyExchangeUnknownNonLiteralTracedAlgorithm() { + unknownTracedNonLiteralAlgorithm(this, getKeyExchangeType()) + } + } +} + +module KeyGeneration { + /** + * Functions that explicitly set key generation parameters. + * `sizeInd` is the parameter specifying the size of the key. + * `outInd` is the parameter or return value that the key is written to. + * `outInd` is -1 if the key is written to the return value. + */ + predicate isAsymmetricKeyGenExplicitAlgorithm(Function func, int sizeInd, int outInd) { + isPossibleOpenSSLFunction(func) and + exists(string name | func.hasGlobalName(name) | + name in [ + "EVP_PKEY_CTX_set_dsa_paramgen_bits", "DSA_generate_parameters_ex", + "EVP_PKEY_CTX_set_rsa_keygen_bits", "RSA_generate_key_ex", "RSA_generate_key_fips", + "EVP_PKEY_CTX_set_dh_paramgen_prime_len", "DH_generate_parameters_ex" + ] and + sizeInd = 1 and + outInd = 0 + or + name in ["DSA_generate_parameters", "RSA_generate_key", "DH_generate_parameters"] and + sizeInd = 0 and + outInd = -1 + ) and + exists(Type t | + ( + if sizeInd = -1 + then t = func.getType().getUnderlyingType() + else t = func.getParameter(sizeInd).getUnderlyingType() + ) and + t instanceof IntegralType and + not t instanceof CharType + ) + } + + module AsymExplicitAlgKeyLengthFlowConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node node) { + // Optimizations to avoid tracing all integers + node.asExpr().(Literal).getValue().toInt() > 0 and // exclude sentinel values + node.asExpr().(Literal).getValue().toInt() < 8500 + } + + predicate isSink(DataFlow::Node node) { + exists(FunctionCall c, int sizeInd | + isAsymmetricKeyGenExplicitAlgorithm(c.getTarget(), sizeInd, _) and + c.getArgument(sizeInd) = node.asExpr() + ) + } + } + + module AsymExplicitAlgKeyLengthFlow = DataFlow::Global; + + class OpenSSLAsymmetricKeyGenTiedToAlgorithm extends AsymmetricKeyGeneration { + OpenSSLAsymmetricKeyGenTiedToAlgorithm() { + exists(Call c | + this = c and + isPossibleOpenSSLFunction(c.getTarget()) and + isAsymmetricKeyGenExplicitAlgorithm(c.getTarget(), _, _) + ) + } + + override CryptographicAlgorithm getAlgorithm() { result = this } + + override Expr getKeyConfigurationSource(CryptographicAlgorithm alg) { + alg = this and + exists(int sizeInd | + isAsymmetricKeyGenExplicitAlgorithm(this.getTarget(), sizeInd, _) and + AsymExplicitAlgKeyLengthFlow::flow(DataFlow::exprNode(result), + DataFlow::exprNode(this.getArgument(sizeInd))) + ) + } + } + + module Length_to_RSA_EVP_PKEY_Q_keygen_Config implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node node) { + // Optimizations to avoid tracing all integers + node.asExpr().(Literal).getValue().toInt() > 0 and // exclude sentinel values + node.asExpr().(Literal).getValue().toInt() < 5000 + } + + predicate isSink(DataFlow::Node node) { + exists(FunctionCall c | + c.getTarget().getName() = "EVP_PKEY_Q_keygen" and + isPossibleOpenSSLFunction(c.getTarget()) and + c.getArgument(3) = node.asExpr() + ) + } + } + + module Length_to_RSA_EVP_PKEY_Q_keygen_Flow = + DataFlow::Global; + + class OpenSSL_RSA_EVP_PKEY_Q_keygen extends AsymmetricKeyGeneration { + OpenSSL_RSA_EVP_PKEY_Q_keygen() { + exists(Call c | + this = c and + isPossibleOpenSSLFunction(c.getTarget()) and + this.getTarget().getName() = "EVP_PKEY_Q_keygen" and + this.getArgument(3).getUnderlyingType() instanceof IntegralType + ) + } + + override CryptographicAlgorithm getAlgorithm() { + result.configurationSink().(AlgorithmSinkArgument).getSinkCall() = this + } + + override Expr getKeyConfigurationSource(CryptographicAlgorithm alg) { + alg = this.getAlgorithm() and + Length_to_RSA_EVP_PKEY_Q_keygen_Flow::flow(DataFlow::exprNode(result), + DataFlow::exprNode(this.getArgument(3))) + } + } + + predicate isKeyGenOperationWithNoSize(Function func) { + isPossibleOpenSSLFunction(func) and + exists(string name | func.hasGlobalName(name) | + name in ["EVP_PKEY_keygen", "DSA_generate_key", "DH_generate_key", "EVP_PKEY_generate"] + ) + } + + module KeyGenKeySizeInitToKeyGenConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node node) { + exists(Call c, Function func, int outInd | + isAsymmetricKeyGenExplicitAlgorithm(func, _, outInd) and + c.getTarget() = func + | + if outInd = -1 then node.asExpr() = c else node.asExpr() = c.getArgument(outInd) + ) + } + + predicate isSink(DataFlow::Node node) { + exists(Call c | + isKeyGenOperationWithNoSize(c.getTarget()) and c.getAnArgument() = node.asExpr() + ) + } + } + + module KeyGenKeySizeInitToKeyGenFlow = DataFlow::Global; + + predicate isEVP_PKEY_CTX_Source(DataFlow::Node node, CryptographicAlgorithm alg) { + exists(Call c | + alg.configurationSink().(AlgorithmSinkArgument).getSinkCall() = c and + ( + node.asExpr() = c + or + node.asExpr() = c.getAnArgument() + or + node.asDefiningArgument() = c.getAnArgument() + ) + ) and + ( + node.asExpr() instanceof Known_EVP_PKEY_CTX_Ptr_Source + or + node.asDefiningArgument() instanceof Known_EVP_PKEY_CTX_Ptr_Source + ) + } + + predicate isKeyGen_EVP_PKEY_CTX_Sink(DataFlow::Node node, Call c) { + isKeyGenOperationWithNoSize(c.getTarget()) and nodeToExpr(node, c.getAnArgument()) + } + + /** + * Trace from EVP_PKEY_CTX* at algorithm sink to keygen, + * users can then extrapolatae the matching algorithm from the alg sink to the keygen + */ + module EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSize implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { isEVP_PKEY_CTX_Source(source, _) } + + predicate isSink(DataFlow::Node sink) { isKeyGen_EVP_PKEY_CTX_Sink(sink, _) } + } + + module EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSize_Flow = + DataFlow::Global; + + /** + * UNKNOWN key sizes to general purpose key generation functions (i.e., that take in no key size and assume + * is it set on context prior to the call). No path from a key configuration to these operations + * means the key size is UNKNOWN, or more precisely the key size is DEFAULT but + * the defaults can change with each version of OpenSSL, we simply assume the size is generally UNKNOWN. + * ASSUMPTION/TODO: we currently model all known locations where a key size is set explicitly. + * When a key is set implicitly, this usually means a key generation operation + * is called where the operation takes in no key size, and no flow to this operation + * initializes the context with a key size. + * Currently, without a definitive source (set of sources) to start tracing from, we cannot determine + * determine if a single path exists that initializes the context with a key size and another that doesn't. + * Rather than attempt to model all possible sources, we assume that if no path + * from a key config location reaches a generic key generation operation, then the key size is not set. + * NOTE: while this is true, it is possible a key size is set in one path, but not in another + * meaning this approach (and other similar approaches used in this model for UNKNOWN) + * can produce false negatives. + */ + class OpenSSLDefaultKeyGeneration extends AsymmetricKeyGeneration { + OpenSSLDefaultKeyGeneration() { + // this is a call to a function matching isKeyGenOperationWithNoSize + // and there is no flow from a key configuration source to this call + exists(Call c | + this = c and + isKeyGenOperationWithNoSize(this.getTarget()) and + not exists(DataFlow::Node src, DataFlow::Node sink | + KeyGenKeySizeInitToKeyGenFlow::flow(src, sink) and + nodeToExpr(sink, this.getAnArgument()) + ) + ) + } + + override CryptographicAlgorithm getAlgorithm() { + if this.getTarget().getName() in ["DSA_generate_key", "DH_generate_key"] + then result = this + else + // NOTE/ASSUMPTION: EVP_PKEY_keygen, EVP_PKEY_generate assume only other possibilities, + // each take in a CTX as the first arg, need to trace from an alg sink from this CTX param + // get every alg sink, get the corresponding call, trace out on any CTX type variable + // to the key gen + // NOTE: looking for any cryptographic algorithm tracing to the keygen to handle + // any odd cases we aren't awaare of where keygen can be used for other algorithm types + exists(DataFlow::Node src, DataFlow::Node sink | + EVP_PKEY_CTX_Ptr_Source_to_KeyGenOperationWithNoSize_Flow::flow(src, sink) and + isEVP_PKEY_CTX_Source(src, result) and + isKeyGen_EVP_PKEY_CTX_Sink(sink, this) + // TODO: what if there is no CTX source? then the keygen becomes an UNKNOWN sink + ) + } + + /** + * For this class, there is no known configuration source for any algorithm + */ + override Expr getKeyConfigurationSource(CryptographicAlgorithm alg) { none() } + } +} diff --git a/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/AlgorithmSink.qll b/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/AlgorithmSink.qll new file mode 100644 index 00000000000..050dad29598 --- /dev/null +++ b/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/AlgorithmSink.qll @@ -0,0 +1,296 @@ +/** + * Predicates/classes for identifying algorithm sinks. + * An Algorithm Sink is a function that takes an algorithm as an argument. + * In particular, any function that takes in an algorithm that until the call + * the algorithm is not definitely known to be an algorithm (e.g., an integer used as an identifier to fetch an algorithm) + */ + +//TODO: enforce a hierarchy of AlgorithmSinkArgument, e.g., so I can get all Asymmetric SinkArguments that includes all the strictly RSA etc. +import cpp +import experimental.cryptography.utils.OpenSSL.LibraryFunction +import experimental.cryptography.CryptoAlgorithmNames + +predicate isAlgorithmSink(AlgorithmSinkArgument arg, string algType) { arg.algType() = algType } + +abstract class AlgorithmSinkArgument extends Expr { + AlgorithmSinkArgument() { + exists(Call c | c.getAnArgument() = this and openSSLLibraryFunc(c.getTarget())) + } + + /** + * Gets the function call in which the argument exists + */ + Call getSinkCall() { result.getAnArgument() = this } + + abstract string algType(); +} + +// https://www.openssl.org/docs/manmaster/man3/EVP_CIPHER_fetch.html +predicate cipherAlgorithmSink(string funcName, int argInd) { + funcName in ["EVP_get_cipherbyname", "EVP_get_cipherbynid", "EVP_get_cipherbyobj"] and argInd = 0 + or + funcName = "EVP_CIPHER_fetch" and argInd = 1 +} + +class CipherAlgorithmSink extends AlgorithmSinkArgument { + CipherAlgorithmSink() { + exists(Call c, string funcName, int argInd | + funcName = c.getTarget().getName() and this = c.getArgument(argInd) + | + cipherAlgorithmSink(funcName, argInd) + ) + } + + override string algType() { result = getSymmetricEncryptionType() } +} + +// https://www.openssl.org/docs/manmaster/man3/EVP_MAC_fetch +predicate macAlgorithmSink(string funcName, int argInd) { + (funcName = "EVP_MAC_fetch" and argInd = 1) +} + +class MACAlgorithmSink extends AlgorithmSinkArgument { + MACAlgorithmSink() { + exists(Call c, string funcName, int argInd | + funcName = c.getTarget().getName() and this = c.getArgument(argInd) + | + macAlgorithmSink(funcName, argInd) + ) + } + + override string algType() { result = "TBD" } +} + +// https://www.openssl.org/docs/manmaster/man3/EVP_MD_fetch +predicate messageDigestAlgorithmSink(string funcName, int argInd) { + funcName in ["EVP_get_digestbyname", "EVP_get_digestbynid", "EVP_get_digestbyobj"] and argInd = 0 + or + funcName = "EVP_MD_fetch" and argInd = 1 +} + +class MessageDigestAlgorithmSink extends AlgorithmSinkArgument { + MessageDigestAlgorithmSink() { + exists(Call c, string funcName, int argInd | + funcName = c.getTarget().getName() and this = c.getArgument(argInd) + | + messageDigestAlgorithmSink(funcName, argInd) + ) + } + + override string algType() { result = getHashType() } +} + +// https://www.openssl.org/docs/manmaster/man3/EVP_KEYEXCH_fetch +// https://www.openssl.org/docs/manmaster/man3/EVP_KEM_fetch +predicate keyExchangeAlgorithmSink(string funcName, int argInd) { + funcName = "EVP_KEYEXCH_fetch" and argInd = 1 + or + funcName = "EVP_KEM_fetch" and argInd = 1 +} + +class KeyExchangeAlgorithmSink extends AlgorithmSinkArgument { + KeyExchangeAlgorithmSink() { + exists(Call c, string funcName, int argInd | + funcName = c.getTarget().getName() and this = c.getArgument(argInd) + | + keyExchangeAlgorithmSink(funcName, argInd) + ) + } + + override string algType() { result = getKeyExchangeType() } +} + +// https://www.openssl.org/docs/manmaster/man3/EVP_KEYMGMT_fetch +predicate keyManagementAlgorithmSink(string funcName, int argInd) { + funcName = "EVP_KEYMGMT_fetch" and argInd = 1 +} + +class KeyManagementAlgorithmSink extends AlgorithmSinkArgument { + KeyManagementAlgorithmSink() { + exists(Call c, string funcName, int argInd | + funcName = c.getTarget().getName() and this = c.getArgument(argInd) + | + keyManagementAlgorithmSink(funcName, argInd) + ) + } + + override string algType() { result = "TBD" } +} + +// https://www.openssl.org/docs/manmaster/man3/EVP_KDF +predicate keyDerivationAlgorithmSink(string funcName, int argInd) { + funcName = "EVP_KDF_fetch" and argInd = 1 +} + +class KeyDerivationAlgorithmSink extends AlgorithmSinkArgument { + KeyDerivationAlgorithmSink() { + exists(Call c, string funcName, int argInd | + funcName = c.getTarget().getName() and this = c.getArgument(argInd) + | + keyDerivationAlgorithmSink(funcName, argInd) + ) + } + + override string algType() { result = getKeyDerivationType() } +} + +// https://www.openssl.org/docs/manmaster/man3/EVP_ASYM_CIPHER_fetch +// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_new_id +// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_new_CMAC_key.html +predicate asymmetricCipherAlgorithmSink(string funcName, int argInd) { + funcName = "EVP_ASYM_CIPHER_fetch" and argInd = 1 + or + funcName = "EVP_PKEY_new_CMAC_key" and argInd = 3 + // NOTE: other cases are handled by AsymmetricAlgorithmSink +} + +class AsymmetricCipherAlgorithmSink extends AlgorithmSinkArgument { + AsymmetricCipherAlgorithmSink() { + exists(Call c, string funcName, int argInd | + funcName = c.getTarget().getName() and this = c.getArgument(argInd) + | + asymmetricCipherAlgorithmSink(funcName, argInd) + ) + } + + override string algType() { result = "ASYMMETRIC_ENCRYPTION" } +} + +class AsymmetricCipherAlgorithmSink_EVP_PKEY_Q_keygen extends AlgorithmSinkArgument { + AsymmetricCipherAlgorithmSink_EVP_PKEY_Q_keygen() { + exists(Call c, string funcName | + funcName = c.getTarget().getName() and + this = c.getArgument(3) + | + funcName = "EVP_PKEY_Q_keygen" and + c.getArgument(3).getType().getUnderlyingType() instanceof IntegralType + ) + } + + override string algType() { result = "ASYMMETRIC_ENCRYPTION" } +} + +// https://www.openssl.org/docs/manmaster/man3/EVP_RAND_fetch +predicate randomAlgorithmSink(string funcName, int argInd) { + funcName = "EVP_RAND_fetch" and argInd = 1 +} + +class RandomAlgorithmSink extends AlgorithmSinkArgument { + RandomAlgorithmSink() { + exists(Call c, string funcName, int argInd | + funcName = c.getTarget().getName() and this = c.getArgument(argInd) + | + randomAlgorithmSink(funcName, argInd) + ) + } + + override string algType() { result = "TBD" } +} + +// https://www.openssl.org/docs/manmaster/man3/EVP_SIGNATURE_fetch +predicate signatureAlgorithmSink(string funcName, int argInd) { + funcName = "EVP_SIGNATURE_fetch" and argInd = 1 +} + +class SignatureAlgorithmSink extends AlgorithmSinkArgument { + SignatureAlgorithmSink() { + exists(Call c, string funcName, int argInd | + funcName = c.getTarget().getName() and this = c.getArgument(argInd) + | + signatureAlgorithmSink(funcName, argInd) + ) + } + + override string algType() { result = getSignatureType() } +} + +// https://www.openssl.org/docs/manmaster/man3/EC_KEY_new_by_curve_name.html +// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_set_ec_paramgen_curve_nid.html +predicate ellipticCurveAlgorithmSink(string funcName, int argInd) { + funcName in ["EC_KEY_new_by_curve_name", "EVP_EC_gen"] and argInd = 0 + or + funcName = "EC_KEY_new_by_curve_name_ex" and argInd = 2 + or + funcName in ["EVP_PKEY_CTX_set_ec_paramgen_curve_nid"] and argInd = 1 +} + +class EllipticCurveAlgorithmSink extends AlgorithmSinkArgument { + EllipticCurveAlgorithmSink() { + exists(Call c, string funcName, int argInd | + funcName = c.getTarget().getName() and this = c.getArgument(argInd) + | + ellipticCurveAlgorithmSink(funcName, argInd) + ) + } + + override string algType() { result = getEllipticCurveType() } +} + +/** + * Special cased to address the fact that arg index 3 (zero offset based) is the curve name. + * ASSUMPTION: if the arg ind 3 is a char* assume it is an elliptic curve + */ +class EllipticCurveAlgorithmSink_EVP_PKEY_Q_keygen extends AlgorithmSinkArgument { + EllipticCurveAlgorithmSink_EVP_PKEY_Q_keygen() { + exists(Call c, string funcName | + funcName = c.getTarget().getName() and + this = c.getArgument(3) + | + funcName = "EVP_PKEY_Q_keygen" and + c.getArgument(3).getType().getUnderlyingType() instanceof PointerType and + c.getArgument(3).getType().getUnderlyingType().stripType() instanceof CharType + ) + } + + override string algType() { result = getEllipticCurveType() } +} + +// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_new_id.html +// https://www.openssl.org/docs/man1.1.1/man3/EVP_PKEY_new_raw_private_key.html +// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_new.html +// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_ctrl.html +// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_Q_keygen.html +// https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_ctrl.html +predicate asymmetricAlgorithmSink(string funcName, int argInd) { + funcName = "EVP_PKEY_CTX_new_id" and argInd = 0 + or + funcName = "EVP_PKEY_CTX_new_from_name" and argInd = 1 + or + funcName in [ + "EVP_PKEY_new_raw_private_key", "EVP_PKEY_new_raw_public_key", "EVP_PKEY_new_mac_key" + ] and + argInd = 0 + or + funcName in ["EVP_PKEY_new_raw_private_key_ex", "EVP_PKEY_new_raw_public_key_ex"] and argInd = 1 + or + // special casing this as arg index 3 must be specified depending on if RSA or ECC, and otherwise not specified for other algs + // funcName = "EVP_PKEY_Q_keygen" and argInd = 2 + funcName in ["EVP_PKEY_CTX_ctrl", "EVP_PKEY_CTX_set_group_name"] and argInd = 1 + // TODO consider void cases EVP_PKEY_new +} + +class AsymmetricAlgorithmSink extends AlgorithmSinkArgument { + AsymmetricAlgorithmSink() { + exists(Call c, string funcName, int argInd | + funcName = c.getTarget().getName() and this = c.getArgument(argInd) + | + asymmetricAlgorithmSink(funcName, argInd) + ) + } + + override string algType() { result = getAsymmetricType() } +} + +class AsymmetricAlgorithmSink_EVP_PKEY_Q_keygen extends AlgorithmSinkArgument { + AsymmetricAlgorithmSink_EVP_PKEY_Q_keygen() { + exists(Call c, string funcName | + funcName = c.getTarget().getName() and + this = c.getArgument(2) + | + funcName = "EVP_PKEY_Q_keygen" and + not exists(c.getArgument(3)) + ) + } + + override string algType() { result = getAsymmetricType() } +} diff --git a/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/CryptoAlgorithm.qll b/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/CryptoAlgorithm.qll new file mode 100644 index 00000000000..a744efa4bee --- /dev/null +++ b/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/CryptoAlgorithm.qll @@ -0,0 +1,2764 @@ +import cpp +import experimental.cryptography.CryptoAlgorithmNames + +predicate isValidAlgorithmLiteral(Literal e) { + exists(getPossibleNidFromLiteral(e)) or e instanceof StringLiteral +} + +int getNIDMax() { + result = 2000 + // result = max(int nid | knownOpenSSLAlgorithm(_, nid, _, _)) +} + +/** + * Resolves literal `e` to a known algorithm name, nid, normalized name, and algType + * if `e` resolves to a known algorithm. + * If this predicate does not hold, then `e` can be interpreted as being of `UNKNOWN` type. + */ +predicate resolveAlgorithmFromLiteral(Literal e, string normalized, string algType) { + exists(int nid | + nid = getPossibleNidFromLiteral(e) and knownOpenSSLAlgorithm(_, nid, normalized, algType) + ) + or + exists(string name | + name = resolveAlgorithmAlias(e) and knownOpenSSLAlgorithm(name, _, normalized, algType) + ) + or + // if the algorithm name directly matches a known normalized algorithm name, assume it is an algorithm + exists(string name | + name = e.getValue().toUpperCase() and isKnownAlgorithm(name, algType) and normalized = name + ) +} + +string resolveAlgorithmAlias(StringLiteral name) { + exists(string lower | lower = name.getValue().toLowerCase() | + // The result is an alias algorithm name if known + result = getAlgorithmAlias(lower) + or + // or the name is itself a known algorithm + knownOpenSSLAlgorithm(lower, _, _, _) and result = lower + ) +} + +private int getPossibleNidFromLiteral(Literal e) { + result = e.getValue().toInt() and + not e instanceof CharLiteral and + not e instanceof StringLiteral and + // ASSUMPTION, no negative numbers are allowed + // RATIONALE: this is a performance improvement to avoid having to trace every number + not exists(UnaryMinusExpr u | u.getOperand() = e) and + // OPENSSL has a special macro for getting every line, ignore it + not exists(MacroInvocation mi | mi.getExpr() = e and mi.getMacroName() = "OPENSSL_LINE") and + // Filter out cases where an int is assigned into a pointer, e.g., char* x = NULL; + not exists(Assignment a | + a.getRValue() = e and a.getLValue().getType().getUnspecifiedType() instanceof PointerType + ) and + not exists(Initializer i | + i.getExpr() = e and + i.getDeclaration().getADeclarationEntry().getUnspecifiedType() instanceof PointerType + ) and + // Filter out cases where an int is returned into a pointer, e.g., return NULL; + not exists(ReturnStmt r | + r.getExpr() = e and + r.getEnclosingFunction().getType().getUnspecifiedType() instanceof PointerType + ) +} + +string getAlgorithmAlias(string alias) { + customAliases(result, alias) + or + defaultAliases(result, alias) +} + +/** + * Finds aliases of known alagorithms defined by users (through obj_name_add and various macros pointing to this function) + * + * The `target` and `alias` are converted to lowercase to be of a standard form. + */ +predicate customAliases(string target, string alias) { + exists(Call c | c.getTarget().getName().toLowerCase() = "obj_name_add" | + target = c.getArgument(2).getValue().toLowerCase() and + alias = c.getArgument(0).getValue().toLowerCase() + ) +} + +/** + * A hard-coded mapping of known algorithm aliases in OpenSSL. + * This was derived by applying the same kind of logic foun din `customAliases` to the + * OpenSSL code base directly. + * + * The `target` and `alias` are converted to lowercase to be of a standard form. + */ +predicate defaultAliases(string target, string alias) { + alias = "aes128" and target = "aes-128-cbc" + or + alias = "aes192" and target = "aes-192-cbc" + or + alias = "aes256" and target = "aes-256-cbc" + or + alias = "aes128-wrap" and target = "id-aes128-wrap" + or + alias = "aes192-wrap" and target = "id-aes192-wrap" + or + alias = "aes256-wrap" and target = "id-aes256-wrap" + or + alias = "aes128-wrap-pad" and target = "id-aes128-wrap-pad" + or + alias = "aes192-wrap-pad" and target = "id-aes192-wrap-pad" + or + alias = "aes256-wrap-pad" and target = "id-aes256-wrap-pad" + or + alias = "aes-128-wrap" and target = "id-aes128-wrap" + or + alias = "aes-192-wrap" and target = "id-aes192-wrap" + or + alias = "aes-256-wrap" and target = "id-aes256-wrap" + or + alias = "aria128" and target = "aria-128-cbc" + or + alias = "aria192" and target = "aria-192-cbc" + or + alias = "aria256" and target = "aria-256-cbc" + or + alias = "aes128" and target = "aes-128-cbc" + or + alias = "bf" and target = "bf-cbc" + or + alias = "blowfish" and target = "bf-cbc" + or + alias = "camellia128" and target = "camellia-128-cbc" + or + alias = "camellia192" and target = "camellia-192-cbc" + or + alias = "camellia256" and target = "camellia-256-cbc" + or + alias = "cast" and target = "cast5-cbc" + or + alias = "cast-cbc" and target = "cast5-cbc" + or + alias = "des" and target = "des-cbc" + or + alias = "des-ede-ecb" and target = "des-ede" + or + alias = "des-ede3-ecb" and target = "des-ede3" + or + alias = "des3" and target = "des-ede3-cbc" + or + alias = "des3-wrap" and target = "id-smime-alg-cms3deswrap" + or + alias = "desx" and target = "desx-cbc" + or + alias = "idea" and target = "idea-cbc" + or + alias = "rc2" and target = "rc2-cbc" + or + alias = "rc2-128" and target = "rc2-cbc" + or + alias = "rc2-40" and target = "rc2-40-cbc" + or + alias = "rc2-64" and target = "rc2-64-cbc" + or + alias = "ripemd" and target = "ripemd160" + or + alias = "rmd160" and target = "ripemd160" + or + alias = "rsa-sha1-2" and target = "rsa-sha1" + or + alias = "seed" and target = "seed-cbc" + or + alias = "sm4" and target = "sm4-cbc" + or + alias = "ssl3-md5" and target = "md5" + or + alias = "ssl3-sha1" and target = "sha1" +} + +/** + * Enumeration of all known crypto algorithms for openSSL + * `name` is all lower case (caller's must ensure they pass in lower case) + * `nid` is the numeric id of the algorithm, + * `normalized` is the normalized name of the algorithm (e.g., "AES128" for "aes-128-cbc") + * `algType` is the type of algorithm (e.g., "SYMMETRIC_ENCRYPTION") + */ +predicate knownOpenSSLAlgorithm(string name, int nid, string normalized, string algType) { + name = "rsa" and nid = 19 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION" + or + name = "prime192v1" and nid = 409 and normalized = "PRIME192V1" and algType = "ELLIPTIC_CURVE" + or + name = "prime256v1" and nid = 415 and normalized = "PRIME256V1" and algType = "ELLIPTIC_CURVE" + or + name = "pbkdf2" and nid = 69 and normalized = "PBKDF2" and algType = "KEY_DERIVATION" + or + name = "dsa" and nid = 116 and normalized = "DSA" and algType = "SIGNATURE" + or + name = "gost2001" and nid = 811 and normalized = "GOST" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost2012_256" and nid = 979 and normalized = "GOST" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost2012_512" and nid = 980 and normalized = "GOST" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "ed25519" and nid = 1087 and normalized = "ED25519" and algType = "ELLIPTIC_CURVE" + or + name = "ed448" and nid = 1088 and normalized = "ED448" and algType = "ELLIPTIC_CURVE" + or + name = "md2" and nid = 3 and normalized = "MD2" and algType = "HASH" + or + name = "sha" and nid = 41 and normalized = "SHA" and algType = "HASH" + or + name = "sha1" and nid = 64 and normalized = "SHA1" and algType = "HASH" + or + name = "scrypt" and nid = 973 and normalized = "SCRYPT" and algType = "KEY_DERIVATION" + or + name = "pkcs7" and nid = 20 and normalized = "PKCS7" and algType = "SYMMETRIC_PADDING" + or + name = "md4" and nid = 257 and normalized = "MD4" and algType = "HASH" + or + name = "md5" and nid = 4 and normalized = "MD5" and algType = "HASH" + or + name = "sha224" and nid = 675 and normalized = "SHA224" and algType = "HASH" + or + name = "sha256" and nid = 672 and normalized = "SHA256" and algType = "HASH" + or + name = "sha384" and nid = 673 and normalized = "SHA384" and algType = "HASH" + or + name = "sha512" and nid = 674 and normalized = "SHA512" and algType = "HASH" + or + name = "sha512-224" and nid = 1094 and normalized = "SHA512224" and algType = "HASH" + or + name = "sha512-256" and nid = 1095 and normalized = "SHA512256" and algType = "HASH" + or + name = "sha3-224" and nid = 1096 and normalized = "SHA3224" and algType = "HASH" + or + name = "sha3-256" and nid = 1097 and normalized = "SHA3256" and algType = "HASH" + or + name = "sha3-384" and nid = 1098 and normalized = "SHA3384" and algType = "HASH" + or + name = "sha3-512" and nid = 1099 and normalized = "SHA3512" and algType = "HASH" + or + name = "shake128" and nid = 1100 and normalized = "SHAKE128" and algType = "HASH" + or + name = "shake256" and nid = 1101 and normalized = "SHAKE256" and algType = "HASH" + or + name = "mdc2" and nid = 95 and normalized = "MDC2" and algType = "HASH" + or + name = "blake2b512" and nid = 1056 and normalized = "BLAKE2B" and algType = "HASH" + or + name = "blake2s256" and nid = 1057 and normalized = "BLAKE2S" and algType = "HASH" + or + name = "sm3" and nid = 1143 and normalized = "SM3" and algType = "HASH" + or + name = "aes-128-cbc" and nid = 419 and normalized = "AES128" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-128-cbc" and nid = 419 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "aes-128-ecb" and nid = 418 and normalized = "AES128" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-128-ecb" and nid = 418 and normalized = "ECB" and algType = "BLOCK_MODE" + or + name = "aes-192-cbc" and nid = 423 and normalized = "AES192" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-192-cbc" and nid = 423 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "aes-192-ecb" and nid = 422 and normalized = "AES192" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-192-ecb" and nid = 422 and normalized = "ECB" and algType = "BLOCK_MODE" + or + name = "aes-256-cbc" and nid = 427 and normalized = "AES256" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-256-cbc" and nid = 427 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "aes-256-ecb" and nid = 426 and normalized = "AES256" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-256-ecb" and nid = 426 and normalized = "ECB" and algType = "BLOCK_MODE" + or + name = "aria-128-cbc" and nid = 1066 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "aria-128-cbc" and nid = 1066 and normalized = "ARIA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aria-128-cfb" and nid = 1067 and normalized = "CFB" and algType = "BLOCK_MODE" + or + name = "aria-128-cfb" and nid = 1067 and normalized = "ARIA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aria-128-ctr" and nid = 1069 and normalized = "CTR" and algType = "BLOCK_MODE" + or + name = "aria-128-ctr" and nid = 1069 and normalized = "ARIA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aria-128-ecb" and nid = 1065 and normalized = "ECB" and algType = "BLOCK_MODE" + or + name = "aria-128-ecb" and nid = 1065 and normalized = "ARIA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aria-128-ofb" and nid = 1068 and normalized = "OFB" and algType = "BLOCK_MODE" + or + name = "aria-128-ofb" and nid = 1068 and normalized = "ARIA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aria-128-cfb1" and nid = 1080 and normalized = "CFB" and algType = "BLOCK_MODE" + or + name = "aria-128-cfb1" and nid = 1080 and normalized = "ARIA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aria-128-cfb8" and nid = 1083 and normalized = "ARIA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aria-128-cfb8" and nid = 1083 and normalized = "CFB8" and algType = "BLOCK_MODE" + or + name = "aria-192-cbc" and nid = 1071 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "aria-192-cbc" and nid = 1071 and normalized = "ARIA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aria-192-cfb" and nid = 1072 and normalized = "CFB" and algType = "BLOCK_MODE" + or + name = "aria-192-cfb" and nid = 1072 and normalized = "ARIA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aria-192-ctr" and nid = 1074 and normalized = "CTR" and algType = "BLOCK_MODE" + or + name = "aria-192-ctr" and nid = 1074 and normalized = "ARIA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aria-192-ecb" and nid = 1070 and normalized = "ECB" and algType = "BLOCK_MODE" + or + name = "aria-192-ecb" and nid = 1070 and normalized = "ARIA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aria-192-ofb" and nid = 1073 and normalized = "OFB" and algType = "BLOCK_MODE" + or + name = "aria-192-ofb" and nid = 1073 and normalized = "ARIA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aria-192-cfb1" and nid = 1081 and normalized = "CFB" and algType = "BLOCK_MODE" + or + name = "aria-192-cfb1" and nid = 1081 and normalized = "ARIA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aria-192-cfb8" and nid = 1084 and normalized = "ARIA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aria-192-cfb8" and nid = 1084 and normalized = "CFB8" and algType = "BLOCK_MODE" + or + name = "aria-256-cbc" and nid = 1076 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "aria-256-cbc" and nid = 1076 and normalized = "ARIA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aria-256-cfb" and nid = 1077 and normalized = "CFB" and algType = "BLOCK_MODE" + or + name = "aria-256-cfb" and nid = 1077 and normalized = "ARIA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aria-256-ctr" and nid = 1079 and normalized = "CTR" and algType = "BLOCK_MODE" + or + name = "aria-256-ctr" and nid = 1079 and normalized = "ARIA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aria-256-ecb" and nid = 1075 and normalized = "ECB" and algType = "BLOCK_MODE" + or + name = "aria-256-ecb" and nid = 1075 and normalized = "ARIA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aria-256-ofb" and nid = 1078 and normalized = "OFB" and algType = "BLOCK_MODE" + or + name = "aria-256-ofb" and nid = 1078 and normalized = "ARIA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aria-256-cfb1" and nid = 1082 and normalized = "CFB" and algType = "BLOCK_MODE" + or + name = "aria-256-cfb1" and nid = 1082 and normalized = "ARIA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aria-256-cfb8" and nid = 1085 and normalized = "ARIA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aria-256-cfb8" and nid = 1085 and normalized = "CFB8" and algType = "BLOCK_MODE" + or + name = "camellia-128-cbc" and + nid = 751 and + normalized = "CAMELLIA128" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "camellia-128-cbc" and nid = 751 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "camellia-128-ecb" and + nid = 754 and + normalized = "CAMELLIA128" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "camellia-128-ecb" and nid = 754 and normalized = "ECB" and algType = "BLOCK_MODE" + or + name = "camellia-192-cbc" and + nid = 752 and + normalized = "CAMELLIA192" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "camellia-192-cbc" and nid = 752 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "camellia-192-ecb" and + nid = 755 and + normalized = "CAMELLIA192" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "camellia-192-ecb" and nid = 755 and normalized = "ECB" and algType = "BLOCK_MODE" + or + name = "camellia-256-cbc" and + nid = 753 and + normalized = "CAMELLIA256" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "camellia-256-cbc" and nid = 753 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "camellia-256-ecb" and + nid = 756 and + normalized = "CAMELLIA256" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "camellia-256-ecb" and nid = 756 and normalized = "ECB" and algType = "BLOCK_MODE" + or + name = "rc4" and nid = 5 and normalized = "RC4" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "rc4-40" and nid = 97 and normalized = "RC4" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "des-ecb" and nid = 29 and normalized = "DES" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "des-ecb" and nid = 29 and normalized = "ECB" and algType = "BLOCK_MODE" + or + name = "des-ede" and nid = 32 and normalized = "DES" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "des-ede3" and nid = 33 and normalized = "DES" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "des-ede3" and nid = 33 and normalized = "ECB" and algType = "BLOCK_MODE" + or + name = "des-cbc" and nid = 31 and normalized = "DES" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "des-cbc" and nid = 31 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "des-ede-cbc" and nid = 43 and normalized = "DES" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "des-ede-cbc" and nid = 43 and normalized = "ECB" and algType = "BLOCK_MODE" + or + name = "des-ede-cbc" and nid = 43 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "des-ede3-cbc" and nid = 44 and normalized = "DES" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "des-ede3-cbc" and nid = 44 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "des-cfb" and nid = 30 and normalized = "DES" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "des-cfb" and nid = 30 and normalized = "CFB" and algType = "BLOCK_MODE" + or + name = "des-ede-cfb" and nid = 60 and normalized = "DES" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "des-ede-cfb" and nid = 60 and normalized = "CFB" and algType = "BLOCK_MODE" + or + name = "des-ede3-cfb" and nid = 61 and normalized = "DES" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "des-ede3-cfb" and nid = 61 and normalized = "CFB" and algType = "BLOCK_MODE" + or + name = "des-ofb" and nid = 45 and normalized = "DES" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "des-ofb" and nid = 45 and normalized = "OFB" and algType = "BLOCK_MODE" + or + name = "des-ede-ofb" and nid = 62 and normalized = "DES" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "des-ede-ofb" and nid = 62 and normalized = "OFB" and algType = "BLOCK_MODE" + or + name = "des-ede3-ofb" and nid = 63 and normalized = "DES" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "des-ede3-ofb" and nid = 63 and normalized = "OFB" and algType = "BLOCK_MODE" + or + name = "idea-cbc" and nid = 34 and normalized = "IDEA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "idea-cbc" and nid = 34 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "idea-ecb" and nid = 36 and normalized = "IDEA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "idea-ecb" and nid = 36 and normalized = "ECB" and algType = "BLOCK_MODE" + or + name = "idea-cfb" and nid = 35 and normalized = "IDEA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "idea-cfb" and nid = 35 and normalized = "CFB" and algType = "BLOCK_MODE" + or + name = "idea-ofb" and nid = 46 and normalized = "IDEA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "idea-ofb" and nid = 46 and normalized = "OFB" and algType = "BLOCK_MODE" + or + name = "seed-cbc" and nid = 777 and normalized = "SEED" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "seed-cbc" and nid = 777 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "seed-ecb" and nid = 776 and normalized = "SEED" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "seed-ecb" and nid = 776 and normalized = "ECB" and algType = "BLOCK_MODE" + or + name = "seed-cfb" and nid = 779 and normalized = "SEED" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "seed-cfb" and nid = 779 and normalized = "CFB" and algType = "BLOCK_MODE" + or + name = "seed-ofb" and nid = 778 and normalized = "SEED" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "seed-ofb" and nid = 778 and normalized = "OFB" and algType = "BLOCK_MODE" + or + name = "rc2-cbc" and nid = 37 and normalized = "RC2" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "rc2-cbc" and nid = 37 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "rc2-ecb" and nid = 38 and normalized = "RC2" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "rc2-ecb" and nid = 38 and normalized = "ECB" and algType = "BLOCK_MODE" + or + name = "rc2-cfb" and nid = 39 and normalized = "RC2" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "rc2-cfb" and nid = 39 and normalized = "CFB" and algType = "BLOCK_MODE" + or + name = "rc2-ofb" and nid = 40 and normalized = "RC2" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "rc2-ofb" and nid = 40 and normalized = "OFB" and algType = "BLOCK_MODE" + or + name = "rc2-64-cbc" and nid = 166 and normalized = "RC2" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "rc2-64-cbc" and nid = 166 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "rc2-40-cbc" and nid = 98 and normalized = "RC2" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "rc2-40-cbc" and nid = 98 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "bf-cbc" and nid = 91 and normalized = "BF" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "bf-cbc" and nid = 91 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "bf-ecb" and nid = 92 and normalized = "BF" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "bf-ecb" and nid = 92 and normalized = "ECB" and algType = "BLOCK_MODE" + or + name = "bf-cfb" and nid = 93 and normalized = "BF" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "bf-cfb" and nid = 93 and normalized = "CFB" and algType = "BLOCK_MODE" + or + name = "bf-ofb" and nid = 94 and normalized = "BF" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "bf-ofb" and nid = 94 and normalized = "OFB" and algType = "BLOCK_MODE" + or + name = "cast5-cbc" and nid = 108 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "cast5-cbc" and nid = 108 and normalized = "CAST5" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "cast5-ecb" and nid = 109 and normalized = "ECB" and algType = "BLOCK_MODE" + or + name = "cast5-ecb" and nid = 109 and normalized = "CAST5" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "cast5-cfb" and nid = 110 and normalized = "CFB" and algType = "BLOCK_MODE" + or + name = "cast5-cfb" and nid = 110 and normalized = "CAST5" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "cast5-ofb" and nid = 111 and normalized = "OFB" and algType = "BLOCK_MODE" + or + name = "cast5-ofb" and nid = 111 and normalized = "CAST5" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "sm4-cbc" and nid = 1134 and normalized = "SM4" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "sm4-cbc" and nid = 1134 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "sm4-ecb" and nid = 1133 and normalized = "SM4" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "sm4-ecb" and nid = 1133 and normalized = "ECB" and algType = "BLOCK_MODE" + or + name = "sm4-cfb" and nid = 1137 and normalized = "SM4" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "sm4-cfb" and nid = 1137 and normalized = "CFB" and algType = "BLOCK_MODE" + or + name = "sm4-ofb" and nid = 1135 and normalized = "SM4" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "sm4-ofb" and nid = 1135 and normalized = "OFB" and algType = "BLOCK_MODE" + or + name = "sm4-ctr" and nid = 1139 and normalized = "SM4" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "sm4-ctr" and nid = 1139 and normalized = "CTR" and algType = "BLOCK_MODE" + or + name = "aes-128-gcm" and nid = 895 and normalized = "AES128" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-128-gcm" and nid = 895 and normalized = "GCM" and algType = "BLOCK_MODE" + or + name = "secp160r1" and nid = 709 and normalized = "SECP160R1" and algType = "ELLIPTIC_CURVE" + or + name = "ripemd160" and nid = 117 and normalized = "RIPEMD160" and algType = "HASH" + or + name = "whirlpool" and nid = 804 and normalized = "WHIRLPOOL" and algType = "HASH" + or + name = "rc5-cbc" and nid = 120 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "rc5-cbc" and nid = 120 and normalized = "RC5" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "pss" and nid = 435 and normalized = "PSS" and algType = "ASYMMETRIC_PADDING" + or + name = "id-aes128-wrap" and + nid = 788 and + normalized = "AES128" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-aes192-wrap" and + nid = 789 and + normalized = "AES192" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-aes256-wrap" and + nid = 790 and + normalized = "AES256" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-aes128-wrap-pad" and + nid = 897 and + normalized = "AES128" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-aes192-wrap-pad" and + nid = 900 and + normalized = "AES192" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-aes256-wrap-pad" and + nid = 903 and + normalized = "AES256" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "chacha20" and nid = 1019 and normalized = "CHACHA20" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "secp112r1" and nid = 704 and normalized = "SECP112R1" and algType = "ELLIPTIC_CURVE" + or + name = "secp112r2" and nid = 705 and normalized = "SECP112R2" and algType = "ELLIPTIC_CURVE" + or + name = "secp128r1" and nid = 706 and normalized = "SECP128R1" and algType = "ELLIPTIC_CURVE" + or + name = "secp128r2" and nid = 707 and normalized = "SECP128R2" and algType = "ELLIPTIC_CURVE" + or + name = "secp160k1" and nid = 708 and normalized = "SECP160K1" and algType = "ELLIPTIC_CURVE" + or + name = "secp160r2" and nid = 710 and normalized = "SECP160R2" and algType = "ELLIPTIC_CURVE" + or + name = "secp192k1" and nid = 711 and normalized = "SECP192K1" and algType = "ELLIPTIC_CURVE" + or + name = "secp224k1" and nid = 712 and normalized = "SECP224K1" and algType = "ELLIPTIC_CURVE" + or + name = "secp224r1" and nid = 713 and normalized = "SECP224R1" and algType = "ELLIPTIC_CURVE" + or + name = "secp256k1" and nid = 714 and normalized = "SECP256K1" and algType = "ELLIPTIC_CURVE" + or + name = "secp384r1" and nid = 715 and normalized = "SECP384R1" and algType = "ELLIPTIC_CURVE" + or + name = "secp521r1" and nid = 716 and normalized = "SECP521R1" and algType = "ELLIPTIC_CURVE" + or + name = "prime192v2" and nid = 410 and normalized = "PRIME192V2" and algType = "ELLIPTIC_CURVE" + or + name = "prime192v3" and nid = 411 and normalized = "PRIME192V3" and algType = "ELLIPTIC_CURVE" + or + name = "prime239v1" and nid = 412 and normalized = "PRIME239V1" and algType = "ELLIPTIC_CURVE" + or + name = "prime239v2" and nid = 413 and normalized = "PRIME239V2" and algType = "ELLIPTIC_CURVE" + or + name = "prime239v3" and nid = 414 and normalized = "PRIME239V3" and algType = "ELLIPTIC_CURVE" + or + name = "sect113r1" and nid = 717 and normalized = "SECT113R1" and algType = "ELLIPTIC_CURVE" + or + name = "sect113r2" and nid = 718 and normalized = "SECT113R2" and algType = "ELLIPTIC_CURVE" + or + name = "sect131r1" and nid = 719 and normalized = "SECT131R1" and algType = "ELLIPTIC_CURVE" + or + name = "sect131r2" and nid = 720 and normalized = "SECT131R2" and algType = "ELLIPTIC_CURVE" + or + name = "sect163k1" and nid = 721 and normalized = "SECT163K1" and algType = "ELLIPTIC_CURVE" + or + name = "sect163r1" and nid = 722 and normalized = "SECT163R1" and algType = "ELLIPTIC_CURVE" + or + name = "sect163r2" and nid = 723 and normalized = "SECT163R2" and algType = "ELLIPTIC_CURVE" + or + name = "sect193r1" and nid = 724 and normalized = "SECT193R1" and algType = "ELLIPTIC_CURVE" + or + name = "sect193r2" and nid = 725 and normalized = "SECT193R2" and algType = "ELLIPTIC_CURVE" + or + name = "sect233k1" and nid = 726 and normalized = "SECT233K1" and algType = "ELLIPTIC_CURVE" + or + name = "sect233r1" and nid = 727 and normalized = "SECT233R1" and algType = "ELLIPTIC_CURVE" + or + name = "sect239k1" and nid = 728 and normalized = "SECT239K1" and algType = "ELLIPTIC_CURVE" + or + name = "sect283k1" and nid = 729 and normalized = "SECT283K1" and algType = "ELLIPTIC_CURVE" + or + name = "sect283r1" and nid = 730 and normalized = "SECT283R1" and algType = "ELLIPTIC_CURVE" + or + name = "sect409k1" and nid = 731 and normalized = "SECT409K1" and algType = "ELLIPTIC_CURVE" + or + name = "sect409r1" and nid = 732 and normalized = "SECT409R1" and algType = "ELLIPTIC_CURVE" + or + name = "sect571k1" and nid = 733 and normalized = "SECT571K1" and algType = "ELLIPTIC_CURVE" + or + name = "sect571r1" and nid = 734 and normalized = "SECT571R1" and algType = "ELLIPTIC_CURVE" + or + name = "c2pnb163v1" and nid = 684 and normalized = "C2PNB163V1" and algType = "ELLIPTIC_CURVE" + or + name = "c2pnb163v2" and nid = 685 and normalized = "C2PNB163V2" and algType = "ELLIPTIC_CURVE" + or + name = "c2pnb163v3" and nid = 686 and normalized = "C2PNB163V3" and algType = "ELLIPTIC_CURVE" + or + name = "c2pnb176v1" and nid = 687 and normalized = "C2PNB176V1" and algType = "ELLIPTIC_CURVE" + or + name = "c2tnb191v1" and nid = 688 and normalized = "C2TNB191V1" and algType = "ELLIPTIC_CURVE" + or + name = "c2tnb191v2" and nid = 689 and normalized = "C2TNB191V2" and algType = "ELLIPTIC_CURVE" + or + name = "c2tnb191v3" and nid = 690 and normalized = "C2TNB191V3" and algType = "ELLIPTIC_CURVE" + or + name = "c2pnb208w1" and nid = 693 and normalized = "C2PNB208W1" and algType = "ELLIPTIC_CURVE" + or + name = "c2tnb239v1" and nid = 694 and normalized = "C2TNB239V1" and algType = "ELLIPTIC_CURVE" + or + name = "c2tnb239v2" and nid = 695 and normalized = "C2TNB239V2" and algType = "ELLIPTIC_CURVE" + or + name = "c2tnb239v3" and nid = 696 and normalized = "C2TNB239V3" and algType = "ELLIPTIC_CURVE" + or + name = "c2pnb272w1" and nid = 699 and normalized = "C2PNB272W1" and algType = "ELLIPTIC_CURVE" + or + name = "c2pnb304w1" and nid = 700 and normalized = "C2PNB304W1" and algType = "ELLIPTIC_CURVE" + or + name = "c2tnb359v1" and nid = 701 and normalized = "C2TNB359V1" and algType = "ELLIPTIC_CURVE" + or + name = "c2pnb368w1" and nid = 702 and normalized = "C2PNB368W1" and algType = "ELLIPTIC_CURVE" + or + name = "c2tnb431r1" and nid = 703 and normalized = "C2TNB431R1" and algType = "ELLIPTIC_CURVE" + or + name = "pkcs5" and nid = 187 and normalized = "PKCS5" and algType = "KEY_DERIVATION" + or + name = "aes-256-gcm" and nid = 901 and normalized = "AES256" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-256-gcm" and nid = 901 and normalized = "GCM" and algType = "BLOCK_MODE" + or + name = "chacha20-poly1305" and nid = 1018 and normalized = "POLY1305" and algType = "HASH" + or + name = "chacha20-poly1305" and + nid = 1018 and + normalized = "CHACHA20POLY1305" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "rsadsi" and nid = 1 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION" + or + name = "pkcs7-data" and nid = 21 and normalized = "PKCS7" and algType = "SYMMETRIC_PADDING" + or + name = "desx-cbc" and nid = 80 and normalized = "DESX" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "desx-cbc" and nid = 80 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "md5-sha1" and nid = 114 and normalized = "SHA1" and algType = "HASH" + or + name = "rc5-ecb" and nid = 121 and normalized = "ECB" and algType = "BLOCK_MODE" + or + name = "rc5-ecb" and nid = 121 and normalized = "RC5" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "rc5-cfb" and nid = 122 and normalized = "CFB" and algType = "BLOCK_MODE" + or + name = "rc5-cfb" and nid = 122 and normalized = "RC5" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "rc5-ofb" and nid = 123 and normalized = "OFB" and algType = "BLOCK_MODE" + or + name = "rc5-ofb" and nid = 123 and normalized = "RC5" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-alg-des40" and nid = 323 and normalized = "DES" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-alg-dh-sig-hmac-sha1" and nid = 325 and normalized = "SHA1" and algType = "HASH" + or + name = "aes-128-ofb" and nid = 420 and normalized = "AES128" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-128-ofb" and nid = 420 and normalized = "OFB" and algType = "BLOCK_MODE" + or + name = "aes-128-cfb" and nid = 421 and normalized = "AES128" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-128-cfb" and nid = 421 and normalized = "CFB" and algType = "BLOCK_MODE" + or + name = "aes-192-ofb" and nid = 424 and normalized = "AES192" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-192-ofb" and nid = 424 and normalized = "OFB" and algType = "BLOCK_MODE" + or + name = "aes-192-cfb" and nid = 425 and normalized = "AES192" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-192-cfb" and nid = 425 and normalized = "CFB" and algType = "BLOCK_MODE" + or + name = "aes-256-ofb" and nid = 428 and normalized = "AES256" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-256-ofb" and nid = 428 and normalized = "OFB" and algType = "BLOCK_MODE" + or + name = "aes-256-cfb" and nid = 429 and normalized = "AES256" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-256-cfb" and nid = 429 and normalized = "CFB" and algType = "BLOCK_MODE" + or + name = "des-cdmf" and nid = 643 and normalized = "DES" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-128-cfb1" and nid = 650 and normalized = "AES128" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-128-cfb1" and nid = 650 and normalized = "CFB" and algType = "BLOCK_MODE" + or + name = "aes-192-cfb1" and nid = 651 and normalized = "AES192" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-192-cfb1" and nid = 651 and normalized = "CFB" and algType = "BLOCK_MODE" + or + name = "aes-256-cfb1" and nid = 652 and normalized = "AES256" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-256-cfb1" and nid = 652 and normalized = "CFB" and algType = "BLOCK_MODE" + or + name = "aes-128-cfb8" and nid = 653 and normalized = "AES128" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-128-cfb8" and nid = 653 and normalized = "CFB8" and algType = "BLOCK_MODE" + or + name = "aes-192-cfb8" and nid = 654 and normalized = "AES192" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-192-cfb8" and nid = 654 and normalized = "CFB8" and algType = "BLOCK_MODE" + or + name = "aes-256-cfb8" and nid = 655 and normalized = "AES256" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-256-cfb8" and nid = 655 and normalized = "CFB8" and algType = "BLOCK_MODE" + or + name = "des-cfb1" and nid = 656 and normalized = "DES" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "des-cfb1" and nid = 656 and normalized = "CFB" and algType = "BLOCK_MODE" + or + name = "des-cfb8" and nid = 657 and normalized = "DES" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "des-cfb8" and nid = 657 and normalized = "CFB8" and algType = "BLOCK_MODE" + or + name = "des-ede3-cfb1" and nid = 658 and normalized = "DES" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "des-ede3-cfb1" and nid = 658 and normalized = "CFB" and algType = "BLOCK_MODE" + or + name = "des-ede3-cfb8" and nid = 659 and normalized = "DES" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "des-ede3-cfb8" and nid = 659 and normalized = "CFB8" and algType = "BLOCK_MODE" + or + name = "c2onb191v4" and nid = 691 and normalized = "C2ONB191V4" and algType = "ELLIPTIC_CURVE" + or + name = "c2onb191v5" and nid = 692 and normalized = "C2ONB191V5" and algType = "ELLIPTIC_CURVE" + or + name = "c2onb239v4" and nid = 697 and normalized = "C2ONB239V4" and algType = "ELLIPTIC_CURVE" + or + name = "c2onb239v5" and nid = 698 and normalized = "C2ONB239V5" and algType = "ELLIPTIC_CURVE" + or + name = "camellia-128-cfb" and + nid = 757 and + normalized = "CAMELLIA128" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "camellia-128-cfb" and nid = 757 and normalized = "CFB" and algType = "BLOCK_MODE" + or + name = "camellia-192-cfb" and + nid = 758 and + normalized = "CAMELLIA192" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "camellia-192-cfb" and nid = 758 and normalized = "CFB" and algType = "BLOCK_MODE" + or + name = "camellia-256-cfb" and + nid = 759 and + normalized = "CAMELLIA256" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "camellia-256-cfb" and nid = 759 and normalized = "CFB" and algType = "BLOCK_MODE" + or + name = "camellia-128-cfb1" and + nid = 760 and + normalized = "CAMELLIA128" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "camellia-128-cfb1" and nid = 760 and normalized = "CFB" and algType = "BLOCK_MODE" + or + name = "camellia-192-cfb1" and + nid = 761 and + normalized = "CAMELLIA192" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "camellia-192-cfb1" and nid = 761 and normalized = "CFB" and algType = "BLOCK_MODE" + or + name = "camellia-256-cfb1" and + nid = 762 and + normalized = "CAMELLIA256" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "camellia-256-cfb1" and nid = 762 and normalized = "CFB" and algType = "BLOCK_MODE" + or + name = "camellia-128-cfb8" and + nid = 763 and + normalized = "CAMELLIA128" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "camellia-128-cfb8" and nid = 763 and normalized = "CFB8" and algType = "BLOCK_MODE" + or + name = "camellia-192-cfb8" and + nid = 764 and + normalized = "CAMELLIA192" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "camellia-192-cfb8" and nid = 764 and normalized = "CFB8" and algType = "BLOCK_MODE" + or + name = "camellia-256-cfb8" and + nid = 765 and + normalized = "CAMELLIA256" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "camellia-256-cfb8" and nid = 765 and normalized = "CFB8" and algType = "BLOCK_MODE" + or + name = "camellia-128-ofb" and + nid = 766 and + normalized = "CAMELLIA128" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "camellia-128-ofb" and nid = 766 and normalized = "OFB" and algType = "BLOCK_MODE" + or + name = "camellia-192-ofb" and + nid = 767 and + normalized = "CAMELLIA192" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "camellia-192-ofb" and nid = 767 and normalized = "OFB" and algType = "BLOCK_MODE" + or + name = "camellia-256-ofb" and + nid = 768 and + normalized = "CAMELLIA256" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "camellia-256-ofb" and nid = 768 and normalized = "OFB" and algType = "BLOCK_MODE" + or + name = "hmac-md5" and nid = 780 and normalized = "MD5" and algType = "HASH" + or + name = "hmac-sha1" and nid = 781 and normalized = "SHA1" and algType = "HASH" + or + name = "md_gost94" and nid = 809 and normalized = "GOST94" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost94" and nid = 812 and normalized = "GOST94" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost89" and nid = 813 and normalized = "GOST89" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost89-cnt" and nid = 814 and normalized = "GOST89" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost-mac" and nid = 815 and normalized = "GOST" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "prf-gostr3411-94" and + nid = 816 and + normalized = "GOSTR341194" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost94cc" and nid = 850 and normalized = "GOST94" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost2001cc" and nid = 851 and normalized = "GOST" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-128-ccm" and nid = 896 and normalized = "AES128" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-128-ccm" and nid = 896 and normalized = "CCM" and algType = "BLOCK_MODE" + or + name = "aes-192-gcm" and nid = 898 and normalized = "AES192" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-192-gcm" and nid = 898 and normalized = "GCM" and algType = "BLOCK_MODE" + or + name = "aes-192-ccm" and nid = 899 and normalized = "AES192" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-192-ccm" and nid = 899 and normalized = "CCM" and algType = "BLOCK_MODE" + or + name = "aes-256-ccm" and nid = 902 and normalized = "AES256" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-256-ccm" and nid = 902 and normalized = "CCM" and algType = "BLOCK_MODE" + or + name = "aes-128-ctr" and nid = 904 and normalized = "AES128" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-128-ctr" and nid = 904 and normalized = "CTR" and algType = "BLOCK_MODE" + or + name = "aes-192-ctr" and nid = 905 and normalized = "AES192" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-192-ctr" and nid = 905 and normalized = "CTR" and algType = "BLOCK_MODE" + or + name = "aes-256-ctr" and nid = 906 and normalized = "AES256" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-256-ctr" and nid = 906 and normalized = "CTR" and algType = "BLOCK_MODE" + or + name = "id-camellia128-wrap" and + nid = 907 and + normalized = "CAMELLIA128" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-camellia192-wrap" and + nid = 908 and + normalized = "CAMELLIA192" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-camellia256-wrap" and + nid = 909 and + normalized = "CAMELLIA256" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "mgf1" and nid = 911 and normalized = "MGF1" and algType = "HASH" + or + name = "aes-128-xts" and nid = 913 and normalized = "AES128" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-128-xts" and nid = 913 and normalized = "XTS" and algType = "BLOCK_MODE" + or + name = "aes-256-xts" and nid = 914 and normalized = "AES256" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-256-xts" and nid = 914 and normalized = "XTS" and algType = "BLOCK_MODE" + or + name = "rc4-hmac-md5" and nid = 915 and normalized = "MD5" and algType = "HASH" + or + name = "rc4-hmac-md5" and nid = 915 and normalized = "RC4" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-128-cbc-hmac-sha1" and nid = 916 and normalized = "SHA1" and algType = "HASH" + or + name = "aes-128-cbc-hmac-sha1" and + nid = 916 and + normalized = "AES128" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-128-cbc-hmac-sha1" and nid = 916 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "aes-192-cbc-hmac-sha1" and nid = 917 and normalized = "SHA1" and algType = "HASH" + or + name = "aes-192-cbc-hmac-sha1" and + nid = 917 and + normalized = "AES192" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-192-cbc-hmac-sha1" and nid = 917 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "aes-256-cbc-hmac-sha1" and + nid = 918 and + normalized = "AES256" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-256-cbc-hmac-sha1" and nid = 918 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "aes-128-cbc-hmac-sha256" and nid = 948 and normalized = "SHA256" and algType = "HASH" + or + name = "aes-128-cbc-hmac-sha256" and + nid = 948 and + normalized = "AES128" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-128-cbc-hmac-sha256" and nid = 948 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "aes-192-cbc-hmac-sha256" and nid = 949 and normalized = "SHA256" and algType = "HASH" + or + name = "aes-192-cbc-hmac-sha256" and + nid = 949 and + normalized = "AES192" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-192-cbc-hmac-sha256" and nid = 949 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "aes-256-cbc-hmac-sha256" and nid = 950 and normalized = "SHA256" and algType = "HASH" + or + name = "aes-256-cbc-hmac-sha256" and + nid = 950 and + normalized = "AES256" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-256-cbc-hmac-sha256" and nid = 950 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "aes-128-ocb" and nid = 958 and normalized = "AES128" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-192-ocb" and nid = 959 and normalized = "AES192" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-256-ocb" and nid = 960 and normalized = "AES256" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "camellia-128-gcm" and + nid = 961 and + normalized = "CAMELLIA128" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "camellia-128-gcm" and nid = 961 and normalized = "GCM" and algType = "BLOCK_MODE" + or + name = "camellia-128-ccm" and + nid = 962 and + normalized = "CAMELLIA128" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "camellia-128-ccm" and nid = 962 and normalized = "CCM" and algType = "BLOCK_MODE" + or + name = "camellia-128-ctr" and + nid = 963 and + normalized = "CAMELLIA128" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "camellia-128-ctr" and nid = 963 and normalized = "CTR" and algType = "BLOCK_MODE" + or + name = "camellia-128-cmac" and + nid = 964 and + normalized = "CAMELLIA128" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "camellia-192-gcm" and + nid = 965 and + normalized = "CAMELLIA192" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "camellia-192-gcm" and nid = 965 and normalized = "GCM" and algType = "BLOCK_MODE" + or + name = "camellia-192-ccm" and + nid = 966 and + normalized = "CAMELLIA192" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "camellia-192-ccm" and nid = 966 and normalized = "CCM" and algType = "BLOCK_MODE" + or + name = "camellia-192-ctr" and + nid = 967 and + normalized = "CAMELLIA192" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "camellia-192-ctr" and nid = 967 and normalized = "CTR" and algType = "BLOCK_MODE" + or + name = "camellia-192-cmac" and + nid = 968 and + normalized = "CAMELLIA192" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "camellia-256-gcm" and + nid = 969 and + normalized = "CAMELLIA256" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "camellia-256-gcm" and nid = 969 and normalized = "GCM" and algType = "BLOCK_MODE" + or + name = "camellia-256-ccm" and + nid = 970 and + normalized = "CAMELLIA256" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "camellia-256-ccm" and nid = 970 and normalized = "CCM" and algType = "BLOCK_MODE" + or + name = "camellia-256-ctr" and + nid = 971 and + normalized = "CAMELLIA256" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "camellia-256-ctr" and nid = 971 and normalized = "CTR" and algType = "BLOCK_MODE" + or + name = "camellia-256-cmac" and + nid = 972 and + normalized = "CAMELLIA256" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-scrypt" and nid = 973 and normalized = "SCRYPT" and algType = "KEY_DERIVATION" + or + name = "gost89-cnt-12" and + nid = 975 and + normalized = "GOST89" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost-mac-12" and nid = 976 and normalized = "GOST" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "md_gost12_256" and nid = 982 and normalized = "GOST" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "md_gost12_512" and nid = 983 and normalized = "GOST" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-tc26-signwithdigest-gost3410-2012-256" and + nid = 985 and + normalized = "GOST34102012" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-tc26-signwithdigest-gost3410-2012-512" and + nid = 986 and + normalized = "GOST34102012" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-tc26-hmac-gost-3411-2012-256" and + nid = 988 and + normalized = "GOST34112012" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-tc26-hmac-gost-3411-2012-512" and + nid = 989 and + normalized = "GOST34112012" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-tc26-agreement-gost-3410-2012-256" and + nid = 992 and + normalized = "GOST34102012" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-tc26-agreement-gost-3410-2012-512" and + nid = 993 and + normalized = "GOST34102012" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-tc26-gost-3410-2012-512-constants" and + nid = 996 and + normalized = "GOST34102012" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-tc26-gost-28147-constants" and + nid = 1002 and + normalized = "GOST28147" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost89-cbc" and nid = 1009 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "gost89-cbc" and nid = 1009 and normalized = "GOST89" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost89-ecb" and nid = 1010 and normalized = "ECB" and algType = "BLOCK_MODE" + or + name = "gost89-ecb" and nid = 1010 and normalized = "GOST89" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost89-ctr" and nid = 1011 and normalized = "CTR" and algType = "BLOCK_MODE" + or + name = "gost89-ctr" and nid = 1011 and normalized = "GOST89" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "kuznyechik-ecb" and nid = 1012 and normalized = "ECB" and algType = "BLOCK_MODE" + or + name = "kuznyechik-ecb" and + nid = 1012 and + normalized = "KUZNYECHIK" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "kuznyechik-ctr" and nid = 1013 and normalized = "CTR" and algType = "BLOCK_MODE" + or + name = "kuznyechik-ctr" and + nid = 1013 and + normalized = "KUZNYECHIK" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "kuznyechik-ofb" and nid = 1014 and normalized = "OFB" and algType = "BLOCK_MODE" + or + name = "kuznyechik-ofb" and + nid = 1014 and + normalized = "KUZNYECHIK" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "kuznyechik-cbc" and nid = 1015 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "kuznyechik-cbc" and + nid = 1015 and + normalized = "KUZNYECHIK" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "kuznyechik-cfb" and nid = 1016 and normalized = "CFB" and algType = "BLOCK_MODE" + or + name = "kuznyechik-cfb" and + nid = 1016 and + normalized = "KUZNYECHIK" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "kuznyechik-mac" and + nid = 1017 and + normalized = "KUZNYECHIK" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "hkdf" and nid = 1036 and normalized = "HKDF" and algType = "KEY_DERIVATION" + or + name = "kx-rsa" and nid = 1037 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION" + or + name = "kx-ecdhe" and nid = 1038 and normalized = "ECDH" and algType = "KEY_EXCHANGE" + or + name = "kx-ecdhe-psk" and nid = 1040 and normalized = "ECDH" and algType = "KEY_EXCHANGE" + or + name = "kx-rsa-psk" and nid = 1042 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION" + or + name = "kx-gost" and nid = 1045 and normalized = "GOST" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "auth-rsa" and nid = 1046 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION" + or + name = "auth-ecdsa" and nid = 1047 and normalized = "ECDSA" and algType = "SIGNATURE" + or + name = "auth-gost01" and nid = 1050 and normalized = "GOST" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "auth-gost12" and nid = 1051 and normalized = "GOST" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "poly1305" and nid = 1061 and normalized = "POLY1305" and algType = "HASH" + or + name = "hmac-sha3-224" and nid = 1102 and normalized = "SHA3224" and algType = "HASH" + or + name = "hmac-sha3-256" and nid = 1103 and normalized = "SHA3256" and algType = "HASH" + or + name = "hmac-sha3-384" and nid = 1104 and normalized = "SHA3384" and algType = "HASH" + or + name = "hmac-sha3-512" and nid = 1105 and normalized = "SHA3512" and algType = "HASH" + or + name = "id-dsa-with-sha384" and nid = 1106 and normalized = "DSA" and algType = "SIGNATURE" + or + name = "id-dsa-with-sha384" and nid = 1106 and normalized = "SHA384" and algType = "HASH" + or + name = "id-dsa-with-sha512" and nid = 1107 and normalized = "DSA" and algType = "SIGNATURE" + or + name = "id-dsa-with-sha512" and nid = 1107 and normalized = "SHA512" and algType = "HASH" + or + name = "id-dsa-with-sha3-224" and nid = 1108 and normalized = "DSA" and algType = "SIGNATURE" + or + name = "id-dsa-with-sha3-224" and nid = 1108 and normalized = "SHA3224" and algType = "HASH" + or + name = "id-dsa-with-sha3-256" and nid = 1109 and normalized = "DSA" and algType = "SIGNATURE" + or + name = "id-dsa-with-sha3-256" and nid = 1109 and normalized = "SHA3256" and algType = "HASH" + or + name = "id-dsa-with-sha3-384" and nid = 1110 and normalized = "DSA" and algType = "SIGNATURE" + or + name = "id-dsa-with-sha3-384" and nid = 1110 and normalized = "SHA3384" and algType = "HASH" + or + name = "id-dsa-with-sha3-512" and nid = 1111 and normalized = "DSA" and algType = "SIGNATURE" + or + name = "id-dsa-with-sha3-512" and nid = 1111 and normalized = "SHA3512" and algType = "HASH" + or + name = "id-ecdsa-with-sha3-224" and nid = 1112 and normalized = "ECDSA" and algType = "SIGNATURE" + or + name = "id-ecdsa-with-sha3-224" and nid = 1112 and normalized = "SHA3224" and algType = "HASH" + or + name = "id-ecdsa-with-sha3-256" and nid = 1113 and normalized = "ECDSA" and algType = "SIGNATURE" + or + name = "id-ecdsa-with-sha3-256" and nid = 1113 and normalized = "SHA3256" and algType = "HASH" + or + name = "id-ecdsa-with-sha3-384" and nid = 1114 and normalized = "ECDSA" and algType = "SIGNATURE" + or + name = "id-ecdsa-with-sha3-384" and nid = 1114 and normalized = "SHA3384" and algType = "HASH" + or + name = "id-ecdsa-with-sha3-512" and nid = 1115 and normalized = "ECDSA" and algType = "SIGNATURE" + or + name = "id-ecdsa-with-sha3-512" and nid = 1115 and normalized = "SHA3512" and algType = "HASH" + or + name = "id-rsassa-pkcs1-v1_5-with-sha3-224" and + nid = 1116 and + normalized = "RSA" and + algType = "ASYMMETRIC_ENCRYPTION" + or + name = "id-rsassa-pkcs1-v1_5-with-sha3-224" and + nid = 1116 and + normalized = "PKCS1V15" and + algType = "ASYMMETRIC_PADDING" + or + name = "id-rsassa-pkcs1-v1_5-with-sha3-224" and + nid = 1116 and + normalized = "SHA3224" and + algType = "HASH" + or + name = "id-rsassa-pkcs1-v1_5-with-sha3-256" and + nid = 1117 and + normalized = "RSA" and + algType = "ASYMMETRIC_ENCRYPTION" + or + name = "id-rsassa-pkcs1-v1_5-with-sha3-256" and + nid = 1117 and + normalized = "PKCS1V15" and + algType = "ASYMMETRIC_PADDING" + or + name = "id-rsassa-pkcs1-v1_5-with-sha3-256" and + nid = 1117 and + normalized = "SHA3256" and + algType = "HASH" + or + name = "id-rsassa-pkcs1-v1_5-with-sha3-384" and + nid = 1118 and + normalized = "RSA" and + algType = "ASYMMETRIC_ENCRYPTION" + or + name = "id-rsassa-pkcs1-v1_5-with-sha3-384" and + nid = 1118 and + normalized = "PKCS1V15" and + algType = "ASYMMETRIC_PADDING" + or + name = "id-rsassa-pkcs1-v1_5-with-sha3-384" and + nid = 1118 and + normalized = "SHA3384" and + algType = "HASH" + or + name = "id-rsassa-pkcs1-v1_5-with-sha3-512" and + nid = 1119 and + normalized = "RSA" and + algType = "ASYMMETRIC_ENCRYPTION" + or + name = "id-rsassa-pkcs1-v1_5-with-sha3-512" and + nid = 1119 and + normalized = "PKCS1V15" and + algType = "ASYMMETRIC_PADDING" + or + name = "id-rsassa-pkcs1-v1_5-with-sha3-512" and + nid = 1119 and + normalized = "SHA3512" and + algType = "HASH" + or + name = "aria-128-ccm" and nid = 1120 and normalized = "CCM" and algType = "BLOCK_MODE" + or + name = "aria-128-ccm" and nid = 1120 and normalized = "ARIA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aria-192-ccm" and nid = 1121 and normalized = "CCM" and algType = "BLOCK_MODE" + or + name = "aria-192-ccm" and nid = 1121 and normalized = "ARIA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aria-256-ccm" and nid = 1122 and normalized = "CCM" and algType = "BLOCK_MODE" + or + name = "aria-256-ccm" and nid = 1122 and normalized = "ARIA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aria-128-gcm" and nid = 1123 and normalized = "GCM" and algType = "BLOCK_MODE" + or + name = "aria-128-gcm" and nid = 1123 and normalized = "ARIA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aria-192-gcm" and nid = 1124 and normalized = "GCM" and algType = "BLOCK_MODE" + or + name = "aria-192-gcm" and nid = 1124 and normalized = "ARIA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aria-256-gcm" and nid = 1125 and normalized = "GCM" and algType = "BLOCK_MODE" + or + name = "aria-256-gcm" and nid = 1125 and normalized = "ARIA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "sm4-cfb1" and nid = 1136 and normalized = "SM4" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "sm4-cfb1" and nid = 1136 and normalized = "CFB" and algType = "BLOCK_MODE" + or + name = "sm4-cfb8" and nid = 1138 and normalized = "SM4" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "sm4-cfb8" and nid = 1138 and normalized = "CFB8" and algType = "BLOCK_MODE" + or + name = "id-tc26-gost-3410-2012-256-constants" and + nid = 1147 and + normalized = "GOST34102012" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "dstu28147-ofb" and nid = 1153 and normalized = "OFB" and algType = "BLOCK_MODE" + or + name = "dstu28147-cfb" and nid = 1154 and normalized = "CFB" and algType = "BLOCK_MODE" + or + name = "id-tc26-cipher-gostr3412-2015-magma" and + nid = 1173 and + normalized = "MAGMA" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "magma-ctr-acpkm" and nid = 1174 and normalized = "CTR" and algType = "BLOCK_MODE" + or + name = "magma-ctr-acpkm" and + nid = 1174 and + normalized = "MAGMA" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "magma-ctr-acpkm-omac" and nid = 1175 and normalized = "CTR" and algType = "BLOCK_MODE" + or + name = "magma-ctr-acpkm-omac" and + nid = 1175 and + normalized = "MAGMA" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-tc26-cipher-gostr3412-2015-kuznyechik" and + nid = 1176 and + normalized = "KUZNYECHIK" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "kuznyechik-ctr-acpkm" and nid = 1177 and normalized = "CTR" and algType = "BLOCK_MODE" + or + name = "kuznyechik-ctr-acpkm" and + nid = 1177 and + normalized = "KUZNYECHIK" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "kuznyechik-ctr-acpkm-omac" and + nid = 1178 and + normalized = "CTR" and + algType = "BLOCK_MODE" + or + name = "kuznyechik-ctr-acpkm-omac" and + nid = 1178 and + normalized = "KUZNYECHIK" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-tc26-wrap-gostr3412-2015-magma" and + nid = 1180 and + normalized = "MAGMA" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "magma-kexp15" and nid = 1181 and normalized = "MAGMA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-tc26-wrap-gostr3412-2015-kuznyechik" and + nid = 1182 and + normalized = "KUZNYECHIK" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "kuznyechik-kexp15" and + nid = 1183 and + normalized = "KUZNYECHIK" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "magma-ecb" and nid = 1187 and normalized = "ECB" and algType = "BLOCK_MODE" + or + name = "magma-ecb" and nid = 1187 and normalized = "MAGMA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "magma-ctr" and nid = 1188 and normalized = "CTR" and algType = "BLOCK_MODE" + or + name = "magma-ctr" and nid = 1188 and normalized = "MAGMA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "magma-ofb" and nid = 1189 and normalized = "OFB" and algType = "BLOCK_MODE" + or + name = "magma-ofb" and nid = 1189 and normalized = "MAGMA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "magma-cbc" and nid = 1190 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "magma-cbc" and nid = 1190 and normalized = "MAGMA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "magma-cfb" and nid = 1191 and normalized = "CFB" and algType = "BLOCK_MODE" + or + name = "magma-cfb" and nid = 1191 and normalized = "MAGMA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "magma-mac" and nid = 1192 and normalized = "MAGMA" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-128-siv" and nid = 1198 and normalized = "AES128" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-128-siv" and nid = 1198 and normalized = "SIV" and algType = "BLOCK_MODE" + or + name = "aes-192-siv" and nid = 1199 and normalized = "AES192" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-192-siv" and nid = 1199 and normalized = "SIV" and algType = "BLOCK_MODE" + or + name = "aes-256-siv" and nid = 1200 and normalized = "AES256" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "aes-256-siv" and nid = 1200 and normalized = "SIV" and algType = "BLOCK_MODE" + or + name = "blake2bmac" and nid = 1201 and normalized = "BLAKE2B" and algType = "HASH" + or + name = "blake2smac" and nid = 1202 and normalized = "BLAKE2S" and algType = "HASH" + or + name = "sshkdf" and nid = 1203 and normalized = "HKDF" and algType = "KEY_DERIVATION" + or + name = "x963kdf" and nid = 1206 and normalized = "X963KDF" and algType = "KEY_DERIVATION" + or + name = "kx-gost18" and nid = 1218 and normalized = "GOST" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "sm4-gcm" and nid = 1248 and normalized = "SM4" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "sm4-gcm" and nid = 1248 and normalized = "GCM" and algType = "BLOCK_MODE" + or + name = "sm4-ccm" and nid = 1249 and normalized = "SM4" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "sm4-ccm" and nid = 1249 and normalized = "CCM" and algType = "BLOCK_MODE" + or + name = "sm4-xts" and nid = 1290 and normalized = "SM4" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "sm4-xts" and nid = 1290 and normalized = "XTS" and algType = "BLOCK_MODE" + or + name = "x448" and nid = 1035 and normalized = "X448" and algType = "ELLIPTIC_CURVE" + or + name = "x25519" and nid = 1034 and normalized = "X25519" and algType = "ELLIPTIC_CURVE" + or + name = "authecdsa" and nid = 1047 and normalized = "ECDSA" and algType = "SIGNATURE" + or + name = "authgost01" and nid = 1050 and normalized = "GOST" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "authgost12" and nid = 1051 and normalized = "GOST" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "authrsa" and nid = 1046 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION" + or + name = "brainpoolp160r1" and + nid = 921 and + normalized = "BRAINPOOLP160R1" and + algType = "ELLIPTIC_CURVE" + or + name = "brainpoolp160t1" and + nid = 922 and + normalized = "BRAINPOOLP160T1" and + algType = "ELLIPTIC_CURVE" + or + name = "brainpoolp192r1" and + nid = 923 and + normalized = "BRAINPOOLP192R1" and + algType = "ELLIPTIC_CURVE" + or + name = "brainpoolp192t1" and + nid = 924 and + normalized = "BRAINPOOLP192T1" and + algType = "ELLIPTIC_CURVE" + or + name = "brainpoolp224r1" and + nid = 925 and + normalized = "BRAINPOOLP224R1" and + algType = "ELLIPTIC_CURVE" + or + name = "brainpoolp224t1" and + nid = 926 and + normalized = "BRAINPOOLP224T1" and + algType = "ELLIPTIC_CURVE" + or + name = "brainpoolp256r1" and + nid = 927 and + normalized = "BRAINPOOLP256R1" and + algType = "ELLIPTIC_CURVE" + or + name = "brainpoolp256r1tls13" and + nid = 1285 and + normalized = "BRAINPOOLP256R1" and + algType = "ELLIPTIC_CURVE" + or + name = "brainpoolp256t1" and + nid = 928 and + normalized = "BRAINPOOLP256T1" and + algType = "ELLIPTIC_CURVE" + or + name = "brainpoolp320r1" and + nid = 929 and + normalized = "BRAINPOOLP320R1" and + algType = "ELLIPTIC_CURVE" + or + name = "brainpoolp320t1" and + nid = 930 and + normalized = "BRAINPOOLP320T1" and + algType = "ELLIPTIC_CURVE" + or + name = "brainpoolp384r1" and + nid = 931 and + normalized = "BRAINPOOLP384R1" and + algType = "ELLIPTIC_CURVE" + or + name = "brainpoolp384r1tls13" and + nid = 1286 and + normalized = "BRAINPOOLP384R1" and + algType = "ELLIPTIC_CURVE" + or + name = "brainpoolp384t1" and + nid = 932 and + normalized = "BRAINPOOLP384T1" and + algType = "ELLIPTIC_CURVE" + or + name = "brainpoolp512r1" and + nid = 933 and + normalized = "BRAINPOOLP512R1" and + algType = "ELLIPTIC_CURVE" + or + name = "brainpoolp512r1tls13" and + nid = 1287 and + normalized = "BRAINPOOLP512R1" and + algType = "ELLIPTIC_CURVE" + or + name = "brainpoolp512t1" and + nid = 934 and + normalized = "BRAINPOOLP512T1" and + algType = "ELLIPTIC_CURVE" + or + name = "dhsinglepass-cofactordh-sha1kdf-scheme" and + nid = 941 and + normalized = "SHA1" and + algType = "HASH" + or + name = "dhsinglepass-cofactordh-sha224kdf-scheme" and + nid = 942 and + normalized = "SHA224" and + algType = "HASH" + or + name = "dhsinglepass-cofactordh-sha256kdf-scheme" and + nid = 943 and + normalized = "SHA256" and + algType = "HASH" + or + name = "dhsinglepass-cofactordh-sha384kdf-scheme" and + nid = 944 and + normalized = "SHA384" and + algType = "HASH" + or + name = "dhsinglepass-cofactordh-sha512kdf-scheme" and + nid = 945 and + normalized = "SHA512" and + algType = "HASH" + or + name = "dhsinglepass-stddh-sha1kdf-scheme" and + nid = 936 and + normalized = "SHA1" and + algType = "HASH" + or + name = "dhsinglepass-stddh-sha224kdf-scheme" and + nid = 937 and + normalized = "SHA224" and + algType = "HASH" + or + name = "dhsinglepass-stddh-sha256kdf-scheme" and + nid = 938 and + normalized = "SHA256" and + algType = "HASH" + or + name = "dhsinglepass-stddh-sha384kdf-scheme" and + nid = 939 and + normalized = "SHA384" and + algType = "HASH" + or + name = "dhsinglepass-stddh-sha512kdf-scheme" and + nid = 940 and + normalized = "SHA512" and + algType = "HASH" + or + name = "dsa-old" and nid = 67 and normalized = "DSA" and algType = "SIGNATURE" + or + name = "dsa-sha" and nid = 66 and normalized = "DSA" and algType = "SIGNATURE" + or + name = "dsa-sha" and nid = 66 and normalized = "SHA" and algType = "HASH" + or + name = "dsa-sha1" and nid = 113 and normalized = "DSA" and algType = "SIGNATURE" + or + name = "dsa-sha1" and nid = 113 and normalized = "SHA1" and algType = "HASH" + or + name = "dsa-sha1-old" and nid = 70 and normalized = "DSA" and algType = "SIGNATURE" + or + name = "dsa-sha1-old" and nid = 70 and normalized = "SHA1" and algType = "HASH" + or + name = "dsa_with_sha224" and nid = 802 and normalized = "DSA" and algType = "SIGNATURE" + or + name = "dsa_with_sha224" and nid = 802 and normalized = "SHA224" and algType = "HASH" + or + name = "dsa_with_sha256" and nid = 803 and normalized = "SHA256" and algType = "HASH" + or + name = "dsa_with_sha256" and nid = 803 and normalized = "DSA" and algType = "SIGNATURE" + or + name = "dsa_with_sha3-224" and nid = 1108 and normalized = "DSA" and algType = "SIGNATURE" + or + name = "dsa_with_sha3-224" and nid = 1108 and normalized = "SHA3224" and algType = "HASH" + or + name = "dsa_with_sha3-256" and nid = 1109 and normalized = "DSA" and algType = "SIGNATURE" + or + name = "dsa_with_sha3-256" and nid = 1109 and normalized = "SHA3256" and algType = "HASH" + or + name = "dsa_with_sha3-384" and nid = 1110 and normalized = "DSA" and algType = "SIGNATURE" + or + name = "dsa_with_sha3-384" and nid = 1110 and normalized = "SHA3384" and algType = "HASH" + or + name = "dsa_with_sha3-512" and nid = 1111 and normalized = "DSA" and algType = "SIGNATURE" + or + name = "dsa_with_sha3-512" and nid = 1111 and normalized = "SHA3512" and algType = "HASH" + or + name = "dsa_with_sha384" and nid = 1106 and normalized = "DSA" and algType = "SIGNATURE" + or + name = "dsa_with_sha384" and nid = 1106 and normalized = "SHA384" and algType = "HASH" + or + name = "dsa_with_sha512" and nid = 1107 and normalized = "DSA" and algType = "SIGNATURE" + or + name = "dsa_with_sha512" and nid = 1107 and normalized = "SHA512" and algType = "HASH" + or + name = "dsaencryption" and nid = 116 and normalized = "DSA" and algType = "SIGNATURE" + or + name = "dsaencryption-old" and nid = 67 and normalized = "DSA" and algType = "SIGNATURE" + or + name = "dsaquality" and nid = 495 and normalized = "DSA" and algType = "SIGNATURE" + or + name = "dsawithsha" and nid = 66 and normalized = "DSA" and algType = "SIGNATURE" + or + name = "dsawithsha" and nid = 66 and normalized = "SHA" and algType = "HASH" + or + name = "dsawithsha1" and nid = 113 and normalized = "DSA" and algType = "SIGNATURE" + or + name = "dsawithsha1" and nid = 113 and normalized = "SHA1" and algType = "HASH" + or + name = "dsawithsha1-old" and nid = 70 and normalized = "DSA" and algType = "SIGNATURE" + or + name = "dsawithsha1-old" and nid = 70 and normalized = "SHA1" and algType = "HASH" + or + name = "dstu gost 28147-2009 cfb mode" and + nid = 1154 and + normalized = "CFB" and + algType = "BLOCK_MODE" + or + name = "dstu gost 28147-2009 cfb mode" and + nid = 1154 and + normalized = "GOST28147" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "dstu gost 28147-2009 ofb mode" and + nid = 1153 and + normalized = "OFB" and + algType = "BLOCK_MODE" + or + name = "dstu gost 28147-2009 ofb mode" and + nid = 1153 and + normalized = "GOST28147" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "ecdsa-with-recommended" and nid = 791 and normalized = "ECDSA" and algType = "SIGNATURE" + or + name = "ecdsa-with-sha1" and nid = 416 and normalized = "SHA1" and algType = "HASH" + or + name = "ecdsa-with-sha1" and nid = 416 and normalized = "ECDSA" and algType = "SIGNATURE" + or + name = "ecdsa-with-sha224" and nid = 793 and normalized = "SHA224" and algType = "HASH" + or + name = "ecdsa-with-sha224" and nid = 793 and normalized = "ECDSA" and algType = "SIGNATURE" + or + name = "ecdsa-with-sha256" and nid = 794 and normalized = "SHA256" and algType = "HASH" + or + name = "ecdsa-with-sha256" and nid = 794 and normalized = "ECDSA" and algType = "SIGNATURE" + or + name = "ecdsa-with-sha384" and nid = 795 and normalized = "SHA384" and algType = "HASH" + or + name = "ecdsa-with-sha384" and nid = 795 and normalized = "ECDSA" and algType = "SIGNATURE" + or + name = "ecdsa-with-sha512" and nid = 796 and normalized = "SHA512" and algType = "HASH" + or + name = "ecdsa-with-sha512" and nid = 796 and normalized = "ECDSA" and algType = "SIGNATURE" + or + name = "ecdsa-with-specified" and nid = 792 and normalized = "ECDSA" and algType = "SIGNATURE" + or + name = "ecdsa_with_sha3-224" and nid = 1112 and normalized = "ECDSA" and algType = "SIGNATURE" + or + name = "ecdsa_with_sha3-224" and nid = 1112 and normalized = "SHA3224" and algType = "HASH" + or + name = "ecdsa_with_sha3-256" and nid = 1113 and normalized = "ECDSA" and algType = "SIGNATURE" + or + name = "ecdsa_with_sha3-256" and nid = 1113 and normalized = "SHA3256" and algType = "HASH" + or + name = "ecdsa_with_sha3-384" and nid = 1114 and normalized = "ECDSA" and algType = "SIGNATURE" + or + name = "ecdsa_with_sha3-384" and nid = 1114 and normalized = "SHA3384" and algType = "HASH" + or + name = "ecdsa_with_sha3-512" and nid = 1115 and normalized = "ECDSA" and algType = "SIGNATURE" + or + name = "ecdsa_with_sha3-512" and nid = 1115 and normalized = "SHA3512" and algType = "HASH" + or + name = "gost 28147-89" and + nid = 813 and + normalized = "GOST2814789" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost 28147-89 cryptocom paramset" and + nid = 849 and + normalized = "GOST2814789" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost 28147-89 mac" and + nid = 815 and + normalized = "GOST2814789" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost 28147-89 tc26 parameter set" and + nid = 1003 and + normalized = "GOST2814789" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost 34.10-2001 cryptocom" and + nid = 851 and + normalized = "GOST" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost 34.10-94 cryptocom" and + nid = 850 and + normalized = "GOST" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost r 34.10-2001" and + nid = 811 and + normalized = "GOST" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost r 34.10-2001 dh" and + nid = 817 and + normalized = "GOST" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost r 34.10-2012 (256 bit) paramset a" and + nid = 1148 and + normalized = "GOST" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost r 34.10-2012 (256 bit) paramset b" and + nid = 1184 and + normalized = "GOST" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost r 34.10-2012 (256 bit) paramset c" and + nid = 1185 and + normalized = "GOST" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost r 34.10-2012 (256 bit) paramset d" and + nid = 1186 and + normalized = "GOST" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost r 34.10-2012 (512 bit) paramset a" and + nid = 998 and + normalized = "GOST" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost r 34.10-2012 (512 bit) paramset b" and + nid = 999 and + normalized = "GOST" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost r 34.10-2012 (512 bit) paramset c" and + nid = 1149 and + normalized = "GOST" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost r 34.10-2012 (512 bit) testing parameter set" and + nid = 997 and + normalized = "GOST" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost r 34.10-2012 with 256 bit modulus" and + nid = 979 and + normalized = "GOST" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost r 34.10-2012 with 512 bit modulus" and + nid = 980 and + normalized = "GOST" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost r 34.10-2012 with gost r 34.11-2012 (256 bit)" and + nid = 985 and + normalized = "GOST" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost r 34.10-2012 with gost r 34.11-2012 (512 bit)" and + nid = 986 and + normalized = "GOST" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost r 34.10-94" and + nid = 812 and + normalized = "GOST" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost r 34.10-94 dh" and + nid = 818 and + normalized = "GOST" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost r 34.11-2012 with 256 bit hash" and + nid = 982 and + normalized = "GOST" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost r 34.11-2012 with 512 bit hash" and + nid = 983 and + normalized = "GOST" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost r 34.11-94" and + nid = 809 and + normalized = "GOST" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost r 34.11-94 prf" and + nid = 816 and + normalized = "GOST" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost r 34.11-94 with gost r 34.10-2001" and + nid = 807 and + normalized = "GOST" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost r 34.11-94 with gost r 34.10-2001 cryptocom" and + nid = 853 and + normalized = "GOST" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost r 34.11-94 with gost r 34.10-94" and + nid = 808 and + normalized = "GOST" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost r 34.11-94 with gost r 34.10-94 cryptocom" and + nid = 852 and + normalized = "GOST" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "gost r 3410-2001 parameter set cryptocom" and + nid = 854 and + normalized = "GOSTR34102001" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "hmac gost 34.11-2012 256 bit" and + nid = 988 and + normalized = "GOST" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "hmac gost 34.11-2012 512 bit" and + nid = 989 and + normalized = "GOST" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "hmac gost 34.11-94" and + nid = 810 and + normalized = "GOST" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "hmacwithmd5" and nid = 797 and normalized = "MD5" and algType = "HASH" + or + name = "hmacwithsha1" and nid = 163 and normalized = "SHA1" and algType = "HASH" + or + name = "hmacwithsha224" and nid = 798 and normalized = "SHA224" and algType = "HASH" + or + name = "hmacwithsha256" and nid = 799 and normalized = "SHA256" and algType = "HASH" + or + name = "hmacwithsha384" and nid = 800 and normalized = "SHA384" and algType = "HASH" + or + name = "hmacwithsha512" and nid = 801 and normalized = "SHA512" and algType = "HASH" + or + name = "hmacwithsha512-224" and nid = 1193 and normalized = "SHA512224" and algType = "HASH" + or + name = "hmacwithsha512-256" and nid = 1194 and normalized = "SHA512256" and algType = "HASH" + or + name = "hmacwithsm3" and nid = 1281 and normalized = "SM3" and algType = "HASH" + or + name = "id-aes128-ccm" and + nid = 896 and + normalized = "AES128" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-aes128-ccm" and nid = 896 and normalized = "CCM" and algType = "BLOCK_MODE" + or + name = "id-aes128-gcm" and + nid = 895 and + normalized = "AES128" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-aes128-gcm" and nid = 895 and normalized = "GCM" and algType = "BLOCK_MODE" + or + name = "id-aes192-ccm" and + nid = 899 and + normalized = "AES192" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-aes192-ccm" and nid = 899 and normalized = "CCM" and algType = "BLOCK_MODE" + or + name = "id-aes192-gcm" and + nid = 898 and + normalized = "AES192" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-aes192-gcm" and nid = 898 and normalized = "GCM" and algType = "BLOCK_MODE" + or + name = "id-aes256-ccm" and + nid = 902 and + normalized = "AES256" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-aes256-ccm" and nid = 902 and normalized = "CCM" and algType = "BLOCK_MODE" + or + name = "id-aes256-gcm" and + nid = 901 and + normalized = "AES256" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-aes256-gcm" and nid = 901 and normalized = "GCM" and algType = "BLOCK_MODE" + or + name = "id-gost28147-89-cc" and + nid = 849 and + normalized = "GOST2814789" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gost28147-89-cryptopro-a-paramset" and + nid = 824 and + normalized = "GOST2814789" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gost28147-89-cryptopro-b-paramset" and + nid = 825 and + normalized = "GOST2814789" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gost28147-89-cryptopro-c-paramset" and + nid = 826 and + normalized = "GOST2814789" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gost28147-89-cryptopro-d-paramset" and + nid = 827 and + normalized = "GOST2814789" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gost28147-89-cryptopro-keymeshing" and + nid = 819 and + normalized = "GOST2814789" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gost28147-89-cryptopro-oscar-1-0-paramset" and + nid = 829 and + normalized = "GOST2814789" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gost28147-89-cryptopro-oscar-1-1-paramset" and + nid = 828 and + normalized = "GOST2814789" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gost28147-89-cryptopro-ric-1-paramset" and + nid = 830 and + normalized = "GOST2814789" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gost28147-89-none-keymeshing" and + nid = 820 and + normalized = "GOST2814789" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gost28147-89-testparamset" and + nid = 823 and + normalized = "GOST2814789" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gostr3410-2001-cryptopro-a-paramset" and + nid = 840 and + normalized = "GOSTR34102001" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gostr3410-2001-cryptopro-b-paramset" and + nid = 841 and + normalized = "GOSTR34102001" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gostr3410-2001-cryptopro-c-paramset" and + nid = 842 and + normalized = "GOSTR34102001" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gostr3410-2001-cryptopro-xcha-paramset" and + nid = 843 and + normalized = "GOSTR34102001" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gostr3410-2001-cryptopro-xchb-paramset" and + nid = 844 and + normalized = "GOSTR34102001" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gostr3410-2001-paramset-cc" and + nid = 854 and + normalized = "GOSTR34102001" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gostr3410-2001-testparamset" and + nid = 839 and + normalized = "GOSTR34102001" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gostr3410-2001dh" and + nid = 817 and + normalized = "GOSTR34102001" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gostr3410-94-a" and + nid = 845 and + normalized = "GOSTR341094" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gostr3410-94-abis" and + nid = 846 and + normalized = "GOSTR341094" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gostr3410-94-b" and + nid = 847 and + normalized = "GOSTR341094" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gostr3410-94-bbis" and + nid = 848 and + normalized = "GOSTR341094" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gostr3410-94-cryptopro-a-paramset" and + nid = 832 and + normalized = "GOSTR341094" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gostr3410-94-cryptopro-b-paramset" and + nid = 833 and + normalized = "GOSTR341094" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gostr3410-94-cryptopro-c-paramset" and + nid = 834 and + normalized = "GOSTR341094" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gostr3410-94-cryptopro-d-paramset" and + nid = 835 and + normalized = "GOSTR341094" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gostr3410-94-cryptopro-xcha-paramset" and + nid = 836 and + normalized = "GOSTR341094" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gostr3410-94-cryptopro-xchb-paramset" and + nid = 837 and + normalized = "GOSTR341094" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gostr3410-94-cryptopro-xchc-paramset" and + nid = 838 and + normalized = "GOSTR341094" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gostr3410-94-testparamset" and + nid = 831 and + normalized = "GOSTR341094" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gostr3410-94dh" and + nid = 818 and + normalized = "GOSTR341094" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gostr3411-94-cryptoproparamset" and + nid = 822 and + normalized = "GOSTR341194" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gostr3411-94-testparamset" and + nid = 821 and + normalized = "GOSTR341194" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gostr3411-94-with-gostr3410-2001" and + nid = 807 and + normalized = "GOSTR34102001" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gostr3411-94-with-gostr3410-2001-cc" and + nid = 853 and + normalized = "GOSTR34102001" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gostr3411-94-with-gostr3410-94" and + nid = 808 and + normalized = "GOSTR341094" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gostr3411-94-with-gostr3410-94" and + nid = 808 and + normalized = "GOSTR341194" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gostr3411-94-with-gostr3410-94-cc" and + nid = 852 and + normalized = "GOSTR341094" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-gostr3411-94-with-gostr3410-94-cc" and + nid = 852 and + normalized = "GOSTR341194" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-hmacgostr3411-94" and + nid = 810 and + normalized = "GOSTR341194" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-hmacwithsha3-224" and nid = 1102 and normalized = "SHA3224" and algType = "HASH" + or + name = "id-hmacwithsha3-256" and nid = 1103 and normalized = "SHA3256" and algType = "HASH" + or + name = "id-hmacwithsha3-384" and nid = 1104 and normalized = "SHA3384" and algType = "HASH" + or + name = "id-hmacwithsha3-512" and nid = 1105 and normalized = "SHA3512" and algType = "HASH" + or + name = "id-regctrl" and nid = 313 and normalized = "CTR" and algType = "BLOCK_MODE" + or + name = "id-smime-alg-3deswrap" and + nid = 243 and + normalized = "3DES" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-smime-alg-cms3deswrap" and nid = 246 and normalized = "GCM" and algType = "BLOCK_MODE" + or + name = "id-smime-alg-cms3deswrap" and + nid = 246 and + normalized = "3DES" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-smime-alg-cmsrc2wrap" and + nid = 247 and + normalized = "RC2" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-smime-alg-cmsrc2wrap" and nid = 247 and normalized = "GCM" and algType = "BLOCK_MODE" + or + name = "id-smime-alg-esdhwith3des" and + nid = 241 and + normalized = "3DES" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-smime-alg-esdhwithrc2" and + nid = 242 and + normalized = "RC2" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-smime-alg-rc2wrap" and + nid = 244 and + normalized = "RC2" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-tc26-gost-28147-param-z" and + nid = 1003 and + normalized = "GOST28147" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-tc26-gost-3410-2012-256-paramseta" and + nid = 1148 and + normalized = "GOST34102012" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-tc26-gost-3410-2012-256-paramsetb" and + nid = 1184 and + normalized = "GOST34102012" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-tc26-gost-3410-2012-256-paramsetc" and + nid = 1185 and + normalized = "GOST34102012" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-tc26-gost-3410-2012-256-paramsetd" and + nid = 1186 and + normalized = "GOST34102012" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-tc26-gost-3410-2012-512-paramseta" and + nid = 998 and + normalized = "GOST34102012" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-tc26-gost-3410-2012-512-paramsetb" and + nid = 999 and + normalized = "GOST34102012" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-tc26-gost-3410-2012-512-paramsetc" and + nid = 1149 and + normalized = "GOST34102012" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "id-tc26-gost-3410-2012-512-paramsettest" and + nid = 997 and + normalized = "GOST34102012" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "kxecdhe" and nid = 1038 and normalized = "ECDH" and algType = "KEY_EXCHANGE" + or + name = "kxecdhe-psk" and nid = 1040 and normalized = "ECDH" and algType = "KEY_EXCHANGE" + or + name = "kxgost" and nid = 1045 and normalized = "GOST" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "kxgost18" and nid = 1218 and normalized = "GOST" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "kxrsa" and nid = 1037 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION" + or + name = "kxrsa_psk" and nid = 1042 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION" + or + name = "md2withrsaencryption" and + nid = 7 and + normalized = "RSA" and + algType = "ASYMMETRIC_ENCRYPTION" + or + name = "md2withrsaencryption" and nid = 7 and normalized = "MD2" and algType = "HASH" + or + name = "md4withrsaencryption" and + nid = 396 and + normalized = "RSA" and + algType = "ASYMMETRIC_ENCRYPTION" + or + name = "md4withrsaencryption" and nid = 396 and normalized = "MD4" and algType = "HASH" + or + name = "md5withrsa" and nid = 104 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION" + or + name = "md5withrsa" and nid = 104 and normalized = "MD5" and algType = "HASH" + or + name = "md5withrsaencryption" and + nid = 8 and + normalized = "RSA" and + algType = "ASYMMETRIC_ENCRYPTION" + or + name = "md5withrsaencryption" and nid = 8 and normalized = "MD5" and algType = "HASH" + or + name = "mdc2withrsa" and nid = 96 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION" + or + name = "mdc2withrsa" and nid = 96 and normalized = "MDC2" and algType = "HASH" + or + name = "pbe-md2-des" and nid = 9 and normalized = "MD2" and algType = "HASH" + or + name = "pbe-md2-des" and nid = 9 and normalized = "2DES" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "pbe-md2-rc2-64" and nid = 168 and normalized = "RC2" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "pbe-md2-rc2-64" and nid = 168 and normalized = "MD2" and algType = "HASH" + or + name = "pbe-md5-des" and nid = 10 and normalized = "MD5" and algType = "HASH" + or + name = "pbe-md5-des" and nid = 10 and normalized = "DES" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "pbe-md5-rc2-64" and nid = 169 and normalized = "MD5" and algType = "HASH" + or + name = "pbe-md5-rc2-64" and nid = 169 and normalized = "RC2" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "pbe-sha1-2des" and nid = 147 and normalized = "SHA1" and algType = "HASH" + or + name = "pbe-sha1-2des" and nid = 147 and normalized = "2DES" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "pbe-sha1-3des" and nid = 146 and normalized = "SHA1" and algType = "HASH" + or + name = "pbe-sha1-3des" and nid = 146 and normalized = "3DES" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "pbe-sha1-des" and nid = 170 and normalized = "SHA1" and algType = "HASH" + or + name = "pbe-sha1-des" and nid = 170 and normalized = "DES" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "pbe-sha1-rc2-128" and nid = 148 and normalized = "SHA1" and algType = "HASH" + or + name = "pbe-sha1-rc2-128" and + nid = 148 and + normalized = "RC2" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "pbe-sha1-rc2-40" and nid = 149 and normalized = "SHA1" and algType = "HASH" + or + name = "pbe-sha1-rc2-40" and nid = 149 and normalized = "RC2" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "pbe-sha1-rc2-64" and nid = 68 and normalized = "SHA1" and algType = "HASH" + or + name = "pbe-sha1-rc2-64" and nid = 68 and normalized = "RC2" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "pbe-sha1-rc4-128" and nid = 144 and normalized = "SHA1" and algType = "HASH" + or + name = "pbe-sha1-rc4-128" and + nid = 144 and + normalized = "RC4" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "pbe-sha1-rc4-40" and nid = 145 and normalized = "SHA1" and algType = "HASH" + or + name = "pbe-sha1-rc4-40" and nid = 145 and normalized = "RC4" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "pbewithmd2anddes-cbc" and + nid = 9 and + normalized = "DES" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "pbewithmd2anddes-cbc" and nid = 9 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "pbewithmd2anddes-cbc" and nid = 9 and normalized = "MD2" and algType = "HASH" + or + name = "pbewithmd2andrc2-cbc" and + nid = 168 and + normalized = "RC2" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "pbewithmd2andrc2-cbc" and nid = 168 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "pbewithmd2andrc2-cbc" and nid = 168 and normalized = "MD2" and algType = "HASH" + or + name = "pbewithmd5andcast5cbc" and nid = 112 and normalized = "MD5" and algType = "HASH" + or + name = "pbewithmd5andcast5cbc" and nid = 112 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "pbewithmd5andcast5cbc" and + nid = 112 and + normalized = "CAST5" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "pbewithmd5anddes-cbc" and nid = 10 and normalized = "MD5" and algType = "HASH" + or + name = "pbewithmd5anddes-cbc" and + nid = 10 and + normalized = "DES" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "pbewithmd5anddes-cbc" and nid = 10 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "pbewithmd5andrc2-cbc" and nid = 169 and normalized = "MD5" and algType = "HASH" + or + name = "pbewithmd5andrc2-cbc" and + nid = 169 and + normalized = "RC2" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "pbewithmd5andrc2-cbc" and nid = 169 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "pbewithsha1and128bitrc2-cbc" and nid = 148 and normalized = "SHA1" and algType = "HASH" + or + name = "pbewithsha1and128bitrc2-cbc" and + nid = 148 and + normalized = "RC2" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "pbewithsha1and128bitrc2-cbc" and + nid = 148 and + normalized = "CBC" and + algType = "BLOCK_MODE" + or + name = "pbewithsha1and128bitrc4" and nid = 144 and normalized = "SHA1" and algType = "HASH" + or + name = "pbewithsha1and128bitrc4" and + nid = 144 and + normalized = "RC4" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "pbewithsha1and2-keytripledes-cbc" and + nid = 147 and + normalized = "SHA1" and + algType = "HASH" + or + name = "pbewithsha1and2-keytripledes-cbc" and + nid = 147 and + normalized = "CBC" and + algType = "BLOCK_MODE" + or + name = "pbewithsha1and2-keytripledes-cbc" and + nid = 147 and + normalized = "TRIPLEDES" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "pbewithsha1and3-keytripledes-cbc" and + nid = 146 and + normalized = "SHA1" and + algType = "HASH" + or + name = "pbewithsha1and3-keytripledes-cbc" and + nid = 146 and + normalized = "CBC" and + algType = "BLOCK_MODE" + or + name = "pbewithsha1and3-keytripledes-cbc" and + nid = 146 and + normalized = "TRIPLEDES" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "pbewithsha1and40bitrc2-cbc" and nid = 149 and normalized = "SHA1" and algType = "HASH" + or + name = "pbewithsha1and40bitrc2-cbc" and + nid = 149 and + normalized = "RC2" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "pbewithsha1and40bitrc2-cbc" and + nid = 149 and + normalized = "CBC" and + algType = "BLOCK_MODE" + or + name = "pbewithsha1and40bitrc4" and nid = 145 and normalized = "SHA1" and algType = "HASH" + or + name = "pbewithsha1and40bitrc4" and + nid = 145 and + normalized = "RC4" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "pbewithsha1anddes-cbc" and nid = 170 and normalized = "SHA1" and algType = "HASH" + or + name = "pbewithsha1anddes-cbc" and + nid = 170 and + normalized = "DES" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "pbewithsha1anddes-cbc" and nid = 170 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "pbewithsha1andrc2-cbc" and nid = 68 and normalized = "SHA1" and algType = "HASH" + or + name = "pbewithsha1andrc2-cbc" and + nid = 68 and + normalized = "RC2" and + algType = "SYMMETRIC_ENCRYPTION" + or + name = "pbewithsha1andrc2-cbc" and nid = 68 and normalized = "CBC" and algType = "BLOCK_MODE" + or + name = "pilotdsa" and nid = 456 and normalized = "DSA" and algType = "SIGNATURE" + or + name = "pkcs7-digestdata" and nid = 25 and normalized = "PKCS7" and algType = "SYMMETRIC_PADDING" + or + name = "pkcs7-encrypteddata" and + nid = 26 and + normalized = "PKCS7" and + algType = "SYMMETRIC_PADDING" + or + name = "pkcs7-envelopeddata" and + nid = 23 and + normalized = "PKCS7" and + algType = "SYMMETRIC_PADDING" + or + name = "pkcs7-signedandenvelopeddata" and + nid = 24 and + normalized = "PKCS7" and + algType = "SYMMETRIC_PADDING" + or + name = "pkcs7-signeddata" and nid = 22 and normalized = "PKCS7" and algType = "SYMMETRIC_PADDING" + or + name = "ripemd160withrsa" and + nid = 119 and + normalized = "RSA" and + algType = "ASYMMETRIC_ENCRYPTION" + or + name = "ripemd160withrsa" and nid = 119 and normalized = "RIPEMD160" and algType = "HASH" + or + name = "rsa-md2" and nid = 7 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION" + or + name = "rsa-md2" and nid = 7 and normalized = "MD2" and algType = "HASH" + or + name = "rsa-md4" and nid = 396 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION" + or + name = "rsa-md4" and nid = 396 and normalized = "MD4" and algType = "HASH" + or + name = "rsa-md5" and nid = 8 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION" + or + name = "rsa-md5" and nid = 8 and normalized = "MD5" and algType = "HASH" + or + name = "rsa-mdc2" and nid = 96 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION" + or + name = "rsa-mdc2" and nid = 96 and normalized = "MDC2" and algType = "HASH" + or + name = "rsa-np-md5" and nid = 104 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION" + or + name = "rsa-np-md5" and nid = 104 and normalized = "MD5" and algType = "HASH" + or + name = "rsa-ripemd160" and nid = 119 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION" + or + name = "rsa-ripemd160" and nid = 119 and normalized = "RIPEMD160" and algType = "HASH" + or + name = "rsa-sha" and nid = 42 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION" + or + name = "rsa-sha" and nid = 42 and normalized = "SHA" and algType = "HASH" + or + name = "rsa-sha1" and nid = 65 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION" + or + name = "rsa-sha1" and nid = 65 and normalized = "SHA1" and algType = "HASH" + or + name = "rsa-sha1-2" and nid = 115 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION" + or + name = "rsa-sha1-2" and nid = 115 and normalized = "SHA1" and algType = "HASH" + or + name = "rsa-sha224" and nid = 671 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION" + or + name = "rsa-sha224" and nid = 671 and normalized = "SHA224" and algType = "HASH" + or + name = "rsa-sha256" and nid = 668 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION" + or + name = "rsa-sha256" and nid = 668 and normalized = "SHA256" and algType = "HASH" + or + name = "rsa-sha3-224" and nid = 1116 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION" + or + name = "rsa-sha3-224" and nid = 1116 and normalized = "SHA3224" and algType = "HASH" + or + name = "rsa-sha3-256" and nid = 1117 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION" + or + name = "rsa-sha3-256" and nid = 1117 and normalized = "SHA3256" and algType = "HASH" + or + name = "rsa-sha3-384" and nid = 1118 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION" + or + name = "rsa-sha3-384" and nid = 1118 and normalized = "SHA3384" and algType = "HASH" + or + name = "rsa-sha3-512" and nid = 1119 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION" + or + name = "rsa-sha3-512" and nid = 1119 and normalized = "SHA3512" and algType = "HASH" + or + name = "rsa-sha384" and nid = 669 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION" + or + name = "rsa-sha384" and nid = 669 and normalized = "SHA384" and algType = "HASH" + or + name = "rsa-sha512" and nid = 670 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION" + or + name = "rsa-sha512" and nid = 670 and normalized = "SHA512" and algType = "HASH" + or + name = "rsa-sha512/224" and + nid = 1145 and + normalized = "RSA" and + algType = "ASYMMETRIC_ENCRYPTION" + or + name = "rsa-sha512/224" and nid = 1145 and normalized = "SHA512224" and algType = "HASH" + or + name = "rsa-sha512/256" and + nid = 1146 and + normalized = "RSA" and + algType = "ASYMMETRIC_ENCRYPTION" + or + name = "rsa-sha512/256" and nid = 1146 and normalized = "SHA512256" and algType = "HASH" + or + name = "rsa-sm3" and nid = 1144 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION" + or + name = "rsa-sm3" and nid = 1144 and normalized = "SM3" and algType = "HASH" + or + name = "rsaencryption" and nid = 6 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION" + or + name = "rsaes-oaep" and nid = 919 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION" + or + name = "rsaes-oaep" and nid = 919 and normalized = "AES" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "rsaes-oaep" and nid = 919 and normalized = "OAEP" and algType = "ASYMMETRIC_PADDING" + or + name = "rsaesoaep" and nid = 919 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION" + or + name = "rsaesoaep" and nid = 919 and normalized = "AES" and algType = "SYMMETRIC_ENCRYPTION" + or + name = "rsaesoaep" and nid = 919 and normalized = "OAEP" and algType = "ASYMMETRIC_PADDING" + or + name = "rsaoaepencryptionset" and + nid = 644 and + normalized = "RSA" and + algType = "ASYMMETRIC_ENCRYPTION" + or + name = "rsaoaepencryptionset" and + nid = 644 and + normalized = "OAEP" and + algType = "ASYMMETRIC_PADDING" + or + name = "rsasignature" and nid = 377 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION" + or + name = "rsassa-pss" and nid = 912 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION" + or + name = "rsassa-pss" and nid = 912 and normalized = "PSS" and algType = "ASYMMETRIC_PADDING" + or + name = "rsassapss" and nid = 912 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION" + or + name = "rsassapss" and nid = 912 and normalized = "PSS" and algType = "ASYMMETRIC_PADDING" + or + name = "sha1withrsa" and nid = 115 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION" + or + name = "sha1withrsa" and nid = 115 and normalized = "SHA1" and algType = "HASH" + or + name = "sha1withrsaencryption" and + nid = 65 and + normalized = "RSA" and + algType = "ASYMMETRIC_ENCRYPTION" + or + name = "sha1withrsaencryption" and nid = 65 and normalized = "SHA1" and algType = "HASH" + or + name = "sha224withrsaencryption" and + nid = 671 and + normalized = "RSA" and + algType = "ASYMMETRIC_ENCRYPTION" + or + name = "sha224withrsaencryption" and nid = 671 and normalized = "SHA224" and algType = "HASH" + or + name = "sha256withrsaencryption" and + nid = 668 and + normalized = "RSA" and + algType = "ASYMMETRIC_ENCRYPTION" + or + name = "sha256withrsaencryption" and nid = 668 and normalized = "SHA256" and algType = "HASH" + or + name = "sha384withrsaencryption" and + nid = 669 and + normalized = "RSA" and + algType = "ASYMMETRIC_ENCRYPTION" + or + name = "sha384withrsaencryption" and nid = 669 and normalized = "SHA384" and algType = "HASH" + or + name = "sha512-224withrsaencryption" and + nid = 1145 and + normalized = "RSA" and + algType = "ASYMMETRIC_ENCRYPTION" + or + name = "sha512-224withrsaencryption" and + nid = 1145 and + normalized = "SHA512224" and + algType = "HASH" + or + name = "sha512-256withrsaencryption" and + nid = 1146 and + normalized = "RSA" and + algType = "ASYMMETRIC_ENCRYPTION" + or + name = "sha512-256withrsaencryption" and + nid = 1146 and + normalized = "SHA512256" and + algType = "HASH" + or + name = "sha512withrsaencryption" and + nid = 670 and + normalized = "RSA" and + algType = "ASYMMETRIC_ENCRYPTION" + or + name = "sha512withrsaencryption" and nid = 670 and normalized = "SHA512" and algType = "HASH" + or + name = "shawithrsaencryption" and + nid = 42 and + normalized = "RSA" and + algType = "ASYMMETRIC_ENCRYPTION" + or + name = "shawithrsaencryption" and nid = 42 and normalized = "SHA" and algType = "HASH" + or + name = "sm2" and nid = 1172 and normalized = "SM2" and algType = "ELLIPTIC_CURVE" + or + name = "sm2-sm3" and nid = 1204 and normalized = "SM3" and algType = "HASH" + or + name = "sm2-sm3" and nid = 1204 and normalized = "SM2" and algType = "ELLIPTIC_CURVE" + or + name = "sm2-with-sm3" and nid = 1204 and normalized = "SM3" and algType = "HASH" + or + name = "sm2-with-sm3" and nid = 1204 and normalized = "SM2" and algType = "ELLIPTIC_CURVE" + or + name = "sm3withrsaencryption" and + nid = 1144 and + normalized = "RSA" and + algType = "ASYMMETRIC_ENCRYPTION" + or + name = "sm3withrsaencryption" and nid = 1144 and normalized = "SM3" and algType = "HASH" +} diff --git a/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/CryptoFunction.qll b/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/CryptoFunction.qll new file mode 100644 index 00000000000..2c46a7c0674 --- /dev/null +++ b/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/CryptoFunction.qll @@ -0,0 +1,121 @@ +import cpp +import experimental.cryptography.utils.OpenSSL.LibraryFunction +import experimental.cryptography.CryptoAlgorithmNames + +predicate inferredOpenSSLCryptoFunctionCall(Call c, string normalized, string algType) { + inferredOpenSSLCryptoFunction(c.getTarget(), normalized, algType) +} + +predicate inferredOpenSSLCryptoFunction(Function f, string normalized, string algType) { + isPossibleOpenSSLFunction(f) and + normalizeFunctionName(f, algType) = normalized +} + +predicate isOpenSSLCryptoFunction(Function f, string normalized, string algType) { + // NOTE: relying on inference as there are thousands of functions for crypto + // enumerating them all and maintaining the list seems problematic. + // For now, we will rely on dynamically inferring algorithms for function names. + // This has been seen to be reasonably efficient and accurate. + inferredOpenSSLCryptoFunction(f, normalized, algType) +} + +predicate isOpenSSLCryptoFunctionCall(Call c, string normalized, string algType) { + isOpenSSLCryptoFunction(c.getTarget(), normalized, algType) +} + +private string basicNormalizeFunctionName(Function f, string algType) { + isPossibleOpenSSLFunction(f) and + isKnownAlgorithm(result, algType) and + exists(string normStr | normStr = f.getName().toUpperCase().regexpReplaceAll("[-_ ]|/", "") | + normStr.matches("%" + result + "%") + ) +} + +/** + * Converts a raw OpenSSL algorithm to a normalized algorithm name. + * + * If more than one match occurs for a given algorithm type, normalize attempts to find the "max" + * string (max in terms of string length) e.g., matching AES128 to AES128 and not simply AES. + * + * An unknown algorithm is only identified if there exists no known algorithm found for any algorithm type. + * + * `f` is the function name to normalize. + * `algType` is a string representing the classification of the algorithm (see `CryptoAlgorithmNames`) + */ +private string privateNormalizeFunctionName(Function f, string algType) { + isPossibleOpenSSLFunction(f) and + result = basicNormalizeFunctionName(f, algType) and + not exists(string res2 | + result != res2 and + res2 = basicNormalizeFunctionName(f, algType) and + res2.length() > result.length() + ) +} + +/** + * Normalizes a function name to a known algorithm name, similar to `normalizeName`. + * A function is not, however, allowed to be UNKNOWN. The function either + * normalizes to a known algorithm name, or the predicate does not hold (no result). + * + * The predicate attempts to restrict normalization to what looks like an openssl + * library by looking for functions only in an openssl path (see `isPossibleOpenSSLFunction`). + * This may give false postive functions if a directory erronously appears to be openssl; + * however, we take the stance that if a function + * exists strongly mapping to a known function name in a directory such as these, + * regardless of whether its actually a part of openSSL or not, we will analyze it as though it were. + */ +private string normalizeFunctionName(Function f, string algType) { + algType != "UNKNOWN" and + isPossibleOpenSSLFunction(f) and + result = privateNormalizeFunctionName(f, algType) and + // Addressing false positives + // For algorithm names less than or equal to 4, we must see the algorithm name + // in the original function as upper case (it can't be split between tokens) + // One exception found is DES_xcbc_encrypt, this is DESX + ( + (result.length() <= 4 and result != "DESX") + implies + f.getName().toUpperCase().matches("%" + result + "%") + ) and + ( + (result.length() <= 4 and result = "DESX") + implies + (f.getName().toUpperCase().matches("%DESX%") or f.getName().toUpperCase().matches("%DES_X%")) + ) and + // (result.length() <= 3 implies (not f.getName().toUpperCase().regexpMatch(".*" + result + "[a-zA-Z0-9].*|.*[a-zA-Z0-9]" + result + ".*"))) + // and + // DES specific false positives + ( + result.matches("DES") + implies + not f.getName().toUpperCase().regexpMatch(".*DES[a-zA-Z0-9].*|.*[a-zA-Z0-9]DES.*") + ) and + // ((result.matches("%DES%")) implies not exists(string s | s in ["DESCRIBE", "DESTROY", "DESCRIPTION", "DESCRIPTOR", "NODES"] | + // f.getName().toUpperCase().matches("%" + s + "%"))) and + // SEED specific false positives + ( + result.matches("SEED") + implies + not exists(string s | + s in [ + "SEED_SRC_GENERATE", "RAND", "NEW_SEED", "GEN_SEED", "SEED_GEN", "SET_SEED", "GET_SEED", + "GET0_SEED", "RESEED", "SEEDING" + ] + | + f.getName().toUpperCase().matches("%" + s + "%") + ) + ) and + // ARIA specific false positives + (result.matches("ARIA") implies not f.getName().toUpperCase().matches("%VARIANT%")) and + // CTR false positives + (result.matches("CTR") implies not f.getName().toUpperCase().matches("%CTRL%")) and + // ES false positives (e.g., ES256 from AES256) + (result.matches("ES%") implies not f.getName().toUpperCase().matches("%AES%")) and + // RSA false positives + (result.matches("RSA") implies not f.getName().toUpperCase().matches("%UNIVERSAL%")) and + //rsaz functions deemed to be too low level, and can be ignored + not f.getLocation().getFile().getBaseName().matches("rsaz_exp.c") and + // General False positives + // Functions that 'get' do not set an algorithm, and therefore are considered ignorable + not f.getName().toLowerCase().matches("%get%") +} diff --git a/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/DataBuilders.qll b/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/DataBuilders.qll new file mode 100644 index 00000000000..ba83de34597 --- /dev/null +++ b/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/DataBuilders.qll @@ -0,0 +1,153 @@ +/** + * This file contains predicates create to build up initial data sets for OpenSSL + * predicates. E.g., These predicates were used to assist in associating all + * openSSL functions with their known crypto algorithms. + */ + +import cpp +import experimental.cryptography.CryptoAlgorithmNames +import experimental.cryptography.utils.OpenSSL.CryptoFunction + +private string basicNormalizeFunctionName(Function f, string algType) { + isKnownAlgorithm(result, algType) and + exists(string normStr | normStr = f.getName().toUpperCase().regexpReplaceAll("[-_ ]|/", "") | + normStr.matches("%" + result + "%") + ) +} + +/** + * Converts a raw OpenSSL algorithm to a normalized algorithm name. + * + * If more than one match occurs for a given algorithm type, normalize attempts to find the "max" + * string (max in terms of string length) e.g., matching AES128 to AES128 and not simply AES. + * + * An unknown algorithm is only identified if there exists no known algorithm found for any algorithm type. + * + * `f` is the function name to normalize. + * `algType` is a string representing the classification of the algorithm (see `CryptoAlgorithmNames`) + */ +private string privateNormalizeFunctionName(Function f, string algType) { + result = basicNormalizeFunctionName(f, algType) and + not exists(string res2 | + result != res2 and + res2 = basicNormalizeFunctionName(f, algType) and + res2.length() > result.length() + ) and + // Addressing bad normalization case-by-case + // CASE: ES256 being identified when the algorithm is AES256 + ( + result.matches("ES256") + implies + not exists(string res2 | res2 = basicNormalizeFunctionName(f, _) and res2.matches("AES%")) + ) +} + +/** + * Normalizes a function name to a known algorithm name, similar to `normalizeName`. + * A function is not, however, allowed to be UNKNOWN. The function either + * normalizes to a known algorithm name, or the predicate does not hold (no result). + * + * The predicate attempts to restrict normalization to what looks like an openssl + * library by looking for functions only in an openssl path (see `isPossibleOpenSSLFunction`). + * This may give false postive functions if a directory erronously appears to be openssl; + * however, we take the stance that if a function + * exists strongly mapping to a known function name in a directory such as these, + * regardless of whether its actually a part of openSSL or not, we will analyze it as though it were. + */ +string normalizeFunctionName(Function f, string algType) { + algType != "UNKNOWN" and + result = privateNormalizeFunctionName(f, algType) and + openSSLLibraryFunc(f) and + // Addressing false positives + // For algorithm names less than or equal to 4, we must see the algorithm name + // in the original function as upper case (it can't be split between tokens) + // One exception found is DES_xcbc_encrypt, this is DESX + ( + (result.length() <= 4 and result != "DESX") + implies + f.getName().toUpperCase().matches("%" + result + "%") + ) and + ( + (result.length() <= 4 and result = "DESX") + implies + (f.getName().toUpperCase().matches("%DESX%") or f.getName().toUpperCase().matches("%DES_X%")) + ) and + // (result.length() <= 3 implies (not f.getName().toUpperCase().regexpMatch(".*" + result + "[a-zA-Z0-9].*|.*[a-zA-Z0-9]" + result + ".*"))) + // and + // DES specific false positives + ( + result.matches("DES") + implies + not f.getName().toUpperCase().regexpMatch(".*DES[a-zA-Z0-9].*|.*[a-zA-Z0-9]DES.*") + ) and + // ((result.matches("%DES%")) implies not exists(string s | s in ["DESCRIBE", "DESTROY", "DESCRIPTION", "DESCRIPTOR", "NODES"] | + // f.getName().toUpperCase().matches("%" + s + "%"))) and + // SEED specific false positives + ( + result.matches("%SEED%") + implies + not not exists(string s | + s in ["NEW_SEED", "GEN_SEED", "SET_SEED", "GET_SEED", "GET0_SEED", "RESEED", "SEEDING"] + | + f.getName().toUpperCase().matches("%" + s + "%") + ) + ) and + // ARIA specific false positives + (result.matches("%ARIA%") implies not f.getName().toUpperCase().matches("%VARIANT%")) +} + +/** + * Predicate to support name normalization. + * Converts the raw name upper-case with no hyphen, slash, underscore, hash, or space. + * Looks for substrings that are known algorithms, and normalizes the name. + * If the algorithm cannot be determined or is in the ignorable list (`isIgnorableOpenSSLAlgorithm`) + * this predicate will not resolve a name. + * + * Rationale for private: For normalization, we want to get the longest string for a normalized name match + * for a given algorithm type. I found this easier to express if the public normalizeName + * checks that the name is the longest, and that UNKNOWN is reserved if there exists no + * result from this predicate that is known. + */ +bindingset[name] +string privateNormalizeName(string name, string algType) { + //not isIgnorableOpenSSLAlgorithm(name, _, _) and + // targetOpenSSLAlgorithm(name, _) and + isKnownAlgorithm(result, algType) and + exists(string normStr | normStr = name.toUpperCase().regexpReplaceAll("[-_ ]|/", "") | + normStr.matches("%" + result + "%") + ) +} + +/** + * Converts a raw OpenSSL algorithm to a normalized algorithm name. + * + * If more than one match occurs for a given algorithm type, normalize attempts to find the "max" + * string (max in terms of string length) e.g., matching AES128 to AES128 and not simply AES. + * + * An unknown algorithm is only identified if there exists no known algorithm found for any algorithm type. + * + * `name` is the name to normalize. + * `algType` is a string representing the classification of the algorithm (see `CryptoAlgorithmNames`) + */ +bindingset[name] +string normalizeName(string name, string algType) { + ( + if exists(privateNormalizeName(name, _)) + then result = privateNormalizeName(name, algType) + else ( + result = unknownAlgorithm() and algType = "UNKNOWN" + ) + ) and + not exists(string res2 | + result != res2 and + res2 = privateNormalizeName(name, algType) and + res2.length() > result.length() + ) and + // Addressing bad normalization case-by-case + // CASE: ES256 being identified when the algorithm is AES256 + ( + result.matches("ES256") + implies + not exists(string res2 | res2 = privateNormalizeName(name, _) and res2.matches("AES%")) + ) +} diff --git a/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/LibraryFunction.qll b/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/LibraryFunction.qll new file mode 100644 index 00000000000..a70b91e5e9e --- /dev/null +++ b/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/LibraryFunction.qll @@ -0,0 +1,11292 @@ +import cpp + +/** + * A function is a possibleOpenSSLFunction + * if the function's declaration exists in a subdirectory of any directory matching 'openssl' as a substring. + */ +predicate isPossibleOpenSSLFunction(Function f) { + f.getADeclarationLocation().toString().toLowerCase().matches("%openssl%") +} + +predicate openSSLLibraryFunc(Function f) { + openSSLAPIFuncName(f.getName()) and + isPossibleOpenSSLFunction(f) +} + +/** + * OpenSSL functions as defined in the OpenSSL docs + * https://www.openssl.org/docs/manmaster/man3/ + */ +predicate openSSLAPIFuncName(string name) { + name = "ACCESS_DESCRIPTION_free" + or + name = "ACCESS_DESCRIPTION_new" + or + name = "ADMISSIONS" + or + name = "ADMISSIONS_free" + or + name = "ADMISSIONS_get0_admissionAuthority" + or + name = "ADMISSIONS_get0_namingAuthority" + or + name = "ADMISSIONS_get0_professionInfos" + or + name = "ADMISSIONS_new" + or + name = "ADMISSIONS_set0_admissionAuthority" + or + name = "ADMISSIONS_set0_namingAuthority" + or + name = "ADMISSIONS_set0_professionInfos" + or + name = "ADMISSION_SYNTAX" + or + name = "ADMISSION_SYNTAX_free" + or + name = "ADMISSION_SYNTAX_get0_admissionAuthority" + or + name = "ADMISSION_SYNTAX_get0_contentsOfAdmissions" + or + name = "ADMISSION_SYNTAX_new" + or + name = "ADMISSION_SYNTAX_set0_admissionAuthority" + or + name = "ADMISSION_SYNTAX_set0_contentsOfAdmissions" + or + name = "ASIdOrRange_free" + or + name = "ASIdOrRange_new" + or + name = "ASIdentifierChoice_free" + or + name = "ASIdentifierChoice_new" + or + name = "ASIdentifiers_free" + or + name = "ASIdentifiers_new" + or + name = "ASN1_AUX" + or + name = "ASN1_ENUMERATED_get" + or + name = "ASN1_ENUMERATED_get_int64" + or + name = "ASN1_ENUMERATED_set" + or + name = "ASN1_ENUMERATED_set_int64" + or + name = "ASN1_ENUMERATED_to_BN" + or + name = "ASN1_EXTERN_FUNCS" + or + name = "ASN1_GENERALIZEDTIME_adj" + or + name = "ASN1_GENERALIZEDTIME_check" + or + name = "ASN1_GENERALIZEDTIME_dup" + or + name = "ASN1_GENERALIZEDTIME_print" + or + name = "ASN1_GENERALIZEDTIME_set" + or + name = "ASN1_GENERALIZEDTIME_set_string" + or + name = "ASN1_INTEGER_free" + or + name = "ASN1_INTEGER_get" + or + name = "ASN1_INTEGER_get_int64" + or + name = "ASN1_INTEGER_get_uint64" + or + name = "ASN1_INTEGER_new" + or + name = "ASN1_INTEGER_set" + or + name = "ASN1_INTEGER_set_int64" + or + name = "ASN1_INTEGER_set_uint64" + or + name = "ASN1_INTEGER_to_BN" + or + name = "ASN1_ITEM" + or + name = "ASN1_ITEM_get" + or + name = "ASN1_ITEM_lookup" + or + name = "ASN1_OBJECT_free" + or + name = "ASN1_OBJECT_new" + or + name = "ASN1_PRINT_ARG" + or + name = "ASN1_STREAM_ARG" + or + name = "ASN1_STRING_TABLE" + or + name = "ASN1_STRING_TABLE_add" + or + name = "ASN1_STRING_TABLE_cleanup" + or + name = "ASN1_STRING_TABLE_get" + or + name = "ASN1_STRING_cmp" + or + name = "ASN1_STRING_data" + or + name = "ASN1_STRING_dup" + or + name = "ASN1_STRING_free" + or + name = "ASN1_STRING_get0_data" + or + name = "ASN1_STRING_length" + or + name = "ASN1_STRING_length_set" + or + name = "ASN1_STRING_new" + or + name = "ASN1_STRING_print" + or + name = "ASN1_STRING_print_ex" + or + name = "ASN1_STRING_print_ex_fp" + or + name = "ASN1_STRING_set" + or + name = "ASN1_STRING_to_UTF8" + or + name = "ASN1_STRING_type" + or + name = "ASN1_STRING_type_new" + or + name = "ASN1_TIME_adj" + or + name = "ASN1_TIME_check" + or + name = "ASN1_TIME_cmp_time_t" + or + name = "ASN1_TIME_compare" + or + name = "ASN1_TIME_diff" + or + name = "ASN1_TIME_dup" + or + name = "ASN1_TIME_normalize" + or + name = "ASN1_TIME_print" + or + name = "ASN1_TIME_print_ex" + or + name = "ASN1_TIME_set" + or + name = "ASN1_TIME_set_string" + or + name = "ASN1_TIME_set_string_X509" + or + name = "ASN1_TIME_to_generalizedtime" + or + name = "ASN1_TIME_to_tm" + or + name = "ASN1_TYPE_cmp" + or + name = "ASN1_TYPE_get" + or + name = "ASN1_TYPE_pack_sequence" + or + name = "ASN1_TYPE_set" + or + name = "ASN1_TYPE_set1" + or + name = "ASN1_TYPE_unpack_sequence" + or + name = "ASN1_UTCTIME_adj" + or + name = "ASN1_UTCTIME_check" + or + name = "ASN1_UTCTIME_cmp_time_t" + or + name = "ASN1_UTCTIME_dup" + or + name = "ASN1_UTCTIME_print" + or + name = "ASN1_UTCTIME_set" + or + name = "ASN1_UTCTIME_set_string" + or + name = "ASN1_add_oid_module" + or + name = "ASN1_aux_cb" + or + name = "ASN1_aux_const_cb" + or + name = "ASN1_ex_d2i" + or + name = "ASN1_ex_d2i_ex" + or + name = "ASN1_ex_free_func" + or + name = "ASN1_ex_i2d" + or + name = "ASN1_ex_new_ex_func" + or + name = "ASN1_ex_new_func" + or + name = "ASN1_ex_print_func" + or + name = "ASN1_generate_nconf" + or + name = "ASN1_generate_v3" + or + name = "ASN1_item_d2i" + or + name = "ASN1_item_d2i_bio" + or + name = "ASN1_item_d2i_bio_ex" + or + name = "ASN1_item_d2i_ex" + or + name = "ASN1_item_d2i_fp" + or + name = "ASN1_item_d2i_fp_ex" + or + name = "ASN1_item_i2d_mem_bio" + or + name = "ASN1_item_new" + or + name = "ASN1_item_new_ex" + or + name = "ASN1_item_pack" + or + name = "ASN1_item_sign" + or + name = "ASN1_item_sign_ctx" + or + name = "ASN1_item_sign_ex" + or + name = "ASN1_item_unpack" + or + name = "ASN1_item_unpack_ex" + or + name = "ASN1_item_verify" + or + name = "ASN1_item_verify_ctx" + or + name = "ASN1_item_verify_ex" + or + name = "ASN1_tag2str" + or + name = "ASRange_free" + or + name = "ASRange_new" + or + name = "ASYNC_STATUS_EAGAIN" + or + name = "ASYNC_STATUS_ERR" + or + name = "ASYNC_STATUS_OK" + or + name = "ASYNC_STATUS_UNSUPPORTED" + or + name = "ASYNC_WAIT_CTX_clear_fd" + or + name = "ASYNC_WAIT_CTX_free" + or + name = "ASYNC_WAIT_CTX_get_all_fds" + or + name = "ASYNC_WAIT_CTX_get_callback" + or + name = "ASYNC_WAIT_CTX_get_changed_fds" + or + name = "ASYNC_WAIT_CTX_get_fd" + or + name = "ASYNC_WAIT_CTX_get_status" + or + name = "ASYNC_WAIT_CTX_new" + or + name = "ASYNC_WAIT_CTX_set_callback" + or + name = "ASYNC_WAIT_CTX_set_status" + or + name = "ASYNC_WAIT_CTX_set_wait_fd" + or + name = "ASYNC_block_pause" + or + name = "ASYNC_callback_fn" + or + name = "ASYNC_cleanup_thread" + or + name = "ASYNC_get_current_job" + or + name = "ASYNC_get_mem_functions" + or + name = "ASYNC_get_wait_ctx" + or + name = "ASYNC_init_thread" + or + name = "ASYNC_is_capable" + or + name = "ASYNC_pause_job" + or + name = "ASYNC_set_mem_functions" + or + name = "ASYNC_stack_alloc_fn" + or + name = "ASYNC_stack_free_fn" + or + name = "ASYNC_start_job" + or + name = "ASYNC_unblock_pause" + or + name = "AUTHORITY_INFO_ACCESS_free" + or + name = "AUTHORITY_INFO_ACCESS_new" + or + name = "AUTHORITY_KEYID_free" + or + name = "AUTHORITY_KEYID_new" + or + name = "BASIC_CONSTRAINTS_free" + or + name = "BASIC_CONSTRAINTS_new" + or + name = "BF_cbc_encrypt" + or + name = "BF_cfb64_encrypt" + or + name = "BF_decrypt" + or + name = "BF_ecb_encrypt" + or + name = "BF_encrypt" + or + name = "BF_ofb64_encrypt" + or + name = "BF_options" + or + name = "BF_set_key" + or + name = "BIO_ADDR" + or + name = "BIO_ADDRINFO" + or + name = "BIO_ADDRINFO_address" + or + name = "BIO_ADDRINFO_family" + or + name = "BIO_ADDRINFO_free" + or + name = "BIO_ADDRINFO_next" + or + name = "BIO_ADDRINFO_protocol" + or + name = "BIO_ADDRINFO_socktype" + or + name = "BIO_ADDR_clear" + or + name = "BIO_ADDR_dup" + or + name = "BIO_ADDR_family" + or + name = "BIO_ADDR_free" + or + name = "BIO_ADDR_hostname_string" + or + name = "BIO_ADDR_new" + or + name = "BIO_ADDR_path_string" + or + name = "BIO_ADDR_rawaddress" + or + name = "BIO_ADDR_rawmake" + or + name = "BIO_ADDR_rawport" + or + name = "BIO_ADDR_service_string" + or + name = "BIO_accept_ex" + or + name = "BIO_append_filename" + or + name = "BIO_bind" + or + name = "BIO_callback_ctrl" + or + name = "BIO_callback_fn" + or + name = "BIO_callback_fn_ex" + or + name = "BIO_closesocket" + or + name = "BIO_connect" + or + name = "BIO_ctrl" + or + name = "BIO_ctrl_dgram_connect" + or + name = "BIO_ctrl_get_read_request" + or + name = "BIO_ctrl_get_write_guarantee" + or + name = "BIO_ctrl_pending" + or + name = "BIO_ctrl_reset_read_request" + or + name = "BIO_ctrl_set_connected" + or + name = "BIO_ctrl_wpending" + or + name = "BIO_debug_callback" + or + name = "BIO_debug_callback_ex" + or + name = "BIO_destroy_bio_pair" + or + name = "BIO_dgram_get_caps" + or + name = "BIO_dgram_get_effective_caps" + or + name = "BIO_dgram_get_local_addr_cap" + or + name = "BIO_dgram_get_local_addr_enable" + or + name = "BIO_dgram_get_mtu" + or + name = "BIO_dgram_get_mtu_overhead" + or + name = "BIO_dgram_get_no_trunc" + or + name = "BIO_dgram_get_peer" + or + name = "BIO_dgram_recv_timedout" + or + name = "BIO_dgram_send_timedout" + or + name = "BIO_dgram_set_caps" + or + name = "BIO_dgram_set_local_addr_enable" + or + name = "BIO_dgram_set_mtu" + or + name = "BIO_dgram_set_no_trunc" + or + name = "BIO_dgram_set_peer" + or + name = "BIO_do_accept" + or + name = "BIO_do_connect" + or + name = "BIO_do_connect_retry" + or + name = "BIO_do_handshake" + or + name = "BIO_eof" + or + name = "BIO_err_is_non_fatal" + or + name = "BIO_f_base64" + or + name = "BIO_f_brotli" + or + name = "BIO_f_buffer" + or + name = "BIO_f_cipher" + or + name = "BIO_f_md" + or + name = "BIO_f_null" + or + name = "BIO_f_prefix" + or + name = "BIO_f_readbuffer" + or + name = "BIO_f_ssl" + or + name = "BIO_f_zlib" + or + name = "BIO_f_zstd" + or + name = "BIO_find_type" + or + name = "BIO_flush" + or + name = "BIO_free" + or + name = "BIO_free_all" + or + name = "BIO_get_accept_ip_family" + or + name = "BIO_get_accept_name" + or + name = "BIO_get_accept_port" + or + name = "BIO_get_app_data" + or + name = "BIO_get_bind_mode" + or + name = "BIO_get_buffer_num_lines" + or + name = "BIO_get_callback" + or + name = "BIO_get_callback_arg" + or + name = "BIO_get_callback_ex" + or + name = "BIO_get_cipher_ctx" + or + name = "BIO_get_cipher_status" + or + name = "BIO_get_close" + or + name = "BIO_get_conn_address" + or + name = "BIO_get_conn_hostname" + or + name = "BIO_get_conn_int_port" + or + name = "BIO_get_conn_ip" + or + name = "BIO_get_conn_ip_family" + or + name = "BIO_get_conn_mode" + or + name = "BIO_get_conn_port" + or + name = "BIO_get_data" + or + name = "BIO_get_ex_data" + or + name = "BIO_get_ex_new_index" + or + name = "BIO_get_fd" + or + name = "BIO_get_fp" + or + name = "BIO_get_indent" + or + name = "BIO_get_info_callback" + or + name = "BIO_get_init" + or + name = "BIO_get_ktls_recv" + or + name = "BIO_get_ktls_send" + or + name = "BIO_get_line" + or + name = "BIO_get_md" + or + name = "BIO_get_md_ctx" + or + name = "BIO_get_mem_data" + or + name = "BIO_get_mem_ptr" + or + name = "BIO_get_new_index" + or + name = "BIO_get_num_renegotiates" + or + name = "BIO_get_peer_name" + or + name = "BIO_get_peer_port" + or + name = "BIO_get_read_request" + or + name = "BIO_get_retry_BIO" + or + name = "BIO_get_retry_reason" + or + name = "BIO_get_rpoll_descriptor" + or + name = "BIO_get_shutdown" + or + name = "BIO_get_ssl" + or + name = "BIO_get_wpoll_descriptor" + or + name = "BIO_get_write_buf_size" + or + name = "BIO_get_write_guarantee" + or + name = "BIO_gets" + or + name = "BIO_hostserv_priorities" + or + name = "BIO_info_cb" + or + name = "BIO_int_ctrl" + or + name = "BIO_listen" + or + name = "BIO_lookup" + or + name = "BIO_lookup_ex" + or + name = "BIO_lookup_type" + or + name = "BIO_make_bio_pair" + or + name = "BIO_meth_free" + or + name = "BIO_meth_get_callback_ctrl" + or + name = "BIO_meth_get_create" + or + name = "BIO_meth_get_ctrl" + or + name = "BIO_meth_get_destroy" + or + name = "BIO_meth_get_gets" + or + name = "BIO_meth_get_puts" + or + name = "BIO_meth_get_read" + or + name = "BIO_meth_get_read_ex" + or + name = "BIO_meth_get_recvmmsg" + or + name = "BIO_meth_get_sendmmsg" + or + name = "BIO_meth_get_write" + or + name = "BIO_meth_get_write_ex" + or + name = "BIO_meth_new" + or + name = "BIO_meth_set_callback_ctrl" + or + name = "BIO_meth_set_create" + or + name = "BIO_meth_set_ctrl" + or + name = "BIO_meth_set_destroy" + or + name = "BIO_meth_set_gets" + or + name = "BIO_meth_set_puts" + or + name = "BIO_meth_set_read" + or + name = "BIO_meth_set_read_ex" + or + name = "BIO_meth_set_recvmmsg" + or + name = "BIO_meth_set_sendmmsg" + or + name = "BIO_meth_set_write" + or + name = "BIO_meth_set_write_ex" + or + name = "BIO_method_type" + or + name = "BIO_new" + or + name = "BIO_new_CMS" + or + name = "BIO_new_accept" + or + name = "BIO_new_bio_dgram_pair" + or + name = "BIO_new_bio_pair" + or + name = "BIO_new_buffer_ssl_connect" + or + name = "BIO_new_connect" + or + name = "BIO_new_dgram" + or + name = "BIO_new_ex" + or + name = "BIO_new_fd" + or + name = "BIO_new_file" + or + name = "BIO_new_fp" + or + name = "BIO_new_from_core_bio" + or + name = "BIO_new_mem_buf" + or + name = "BIO_new_socket" + or + name = "BIO_new_ssl" + or + name = "BIO_new_ssl_connect" + or + name = "BIO_next" + or + name = "BIO_parse_hostserv" + or + name = "BIO_pending" + or + name = "BIO_pop" + or + name = "BIO_printf" + or + name = "BIO_ptr_ctrl" + or + name = "BIO_push" + or + name = "BIO_puts" + or + name = "BIO_read" + or + name = "BIO_read_ex" + or + name = "BIO_read_filename" + or + name = "BIO_recvmmsg" + or + name = "BIO_reset" + or + name = "BIO_retry_type" + or + name = "BIO_rw_filename" + or + name = "BIO_s_accept" + or + name = "BIO_s_bio" + or + name = "BIO_s_connect" + or + name = "BIO_s_core" + or + name = "BIO_s_datagram" + or + name = "BIO_s_dgram_mem" + or + name = "BIO_s_dgram_pair" + or + name = "BIO_s_fd" + or + name = "BIO_s_file" + or + name = "BIO_s_mem" + or + name = "BIO_s_null" + or + name = "BIO_s_secmem" + or + name = "BIO_s_socket" + or + name = "BIO_seek" + or + name = "BIO_sendmmsg" + or + name = "BIO_set" + or + name = "BIO_set_accept_bios" + or + name = "BIO_set_accept_ip_family" + or + name = "BIO_set_accept_name" + or + name = "BIO_set_accept_port" + or + name = "BIO_set_app_data" + or + name = "BIO_set_bind_mode" + or + name = "BIO_set_buffer_read_data" + or + name = "BIO_set_buffer_size" + or + name = "BIO_set_callback" + or + name = "BIO_set_callback_arg" + or + name = "BIO_set_callback_ex" + or + name = "BIO_set_cipher" + or + name = "BIO_set_close" + or + name = "BIO_set_conn_address" + or + name = "BIO_set_conn_hostname" + or + name = "BIO_set_conn_int_port" + or + name = "BIO_set_conn_ip" + or + name = "BIO_set_conn_ip_family" + or + name = "BIO_set_conn_mode" + or + name = "BIO_set_conn_port" + or + name = "BIO_set_data" + or + name = "BIO_set_ex_data" + or + name = "BIO_set_fd" + or + name = "BIO_set_fp" + or + name = "BIO_set_indent" + or + name = "BIO_set_info_callback" + or + name = "BIO_set_init" + or + name = "BIO_set_md" + or + name = "BIO_set_mem_buf" + or + name = "BIO_set_mem_eof_return" + or + name = "BIO_set_nbio" + or + name = "BIO_set_nbio_accept" + or + name = "BIO_set_next" + or + name = "BIO_set_prefix" + or + name = "BIO_set_read_buffer_size" + or + name = "BIO_set_retry_reason" + or + name = "BIO_set_shutdown" + or + name = "BIO_set_ssl" + or + name = "BIO_set_ssl_mode" + or + name = "BIO_set_ssl_renegotiate_bytes" + or + name = "BIO_set_ssl_renegotiate_timeout" + or + name = "BIO_set_tfo" + or + name = "BIO_set_tfo_accept" + or + name = "BIO_set_write_buf_size" + or + name = "BIO_set_write_buffer_size" + or + name = "BIO_should_io_special" + or + name = "BIO_should_read" + or + name = "BIO_should_retry" + or + name = "BIO_should_write" + or + name = "BIO_shutdown_wr" + or + name = "BIO_snprintf" + or + name = "BIO_socket" + or + name = "BIO_socket_wait" + or + name = "BIO_ssl_copy_session_id" + or + name = "BIO_ssl_shutdown" + or + name = "BIO_tell" + or + name = "BIO_up_ref" + or + name = "BIO_vfree" + or + name = "BIO_vprintf" + or + name = "BIO_vsnprintf" + or + name = "BIO_wait" + or + name = "BIO_wpending" + or + name = "BIO_write" + or + name = "BIO_write_ex" + or + name = "BIO_write_filename" + or + name = "BN_BLINDING_convert" + or + name = "BN_BLINDING_convert_ex" + or + name = "BN_BLINDING_create_param" + or + name = "BN_BLINDING_free" + or + name = "BN_BLINDING_get_flags" + or + name = "BN_BLINDING_get_thread_id" + or + name = "BN_BLINDING_invert" + or + name = "BN_BLINDING_invert_ex" + or + name = "BN_BLINDING_is_current_thread" + or + name = "BN_BLINDING_lock" + or + name = "BN_BLINDING_new" + or + name = "BN_BLINDING_set_current_thread" + or + name = "BN_BLINDING_set_flags" + or + name = "BN_BLINDING_set_thread_id" + or + name = "BN_BLINDING_thread_id" + or + name = "BN_BLINDING_unlock" + or + name = "BN_BLINDING_update" + or + name = "BN_CTX_end" + or + name = "BN_CTX_free" + or + name = "BN_CTX_get" + or + name = "BN_CTX_init" + or + name = "BN_CTX_new" + or + name = "BN_CTX_new_ex" + or + name = "BN_CTX_secure_new" + or + name = "BN_CTX_secure_new_ex" + or + name = "BN_CTX_start" + or + name = "BN_GENCB_call" + or + name = "BN_GENCB_free" + or + name = "BN_GENCB_get_arg" + or + name = "BN_GENCB_new" + or + name = "BN_GENCB_set" + or + name = "BN_GENCB_set_old" + or + name = "BN_MONT_CTX_copy" + or + name = "BN_MONT_CTX_free" + or + name = "BN_MONT_CTX_init" + or + name = "BN_MONT_CTX_new" + or + name = "BN_MONT_CTX_set" + or + name = "BN_RECP_CTX_free" + or + name = "BN_RECP_CTX_init" + or + name = "BN_RECP_CTX_new" + or + name = "BN_RECP_CTX_set" + or + name = "BN_abs_is_word" + or + name = "BN_add" + or + name = "BN_add_word" + or + name = "BN_are_coprime" + or + name = "BN_bin2bn" + or + name = "BN_bn2bin" + or + name = "BN_bn2binpad" + or + name = "BN_bn2dec" + or + name = "BN_bn2hex" + or + name = "BN_bn2lebinpad" + or + name = "BN_bn2mpi" + or + name = "BN_bn2nativepad" + or + name = "BN_check_prime" + or + name = "BN_clear" + or + name = "BN_clear_bit" + or + name = "BN_clear_free" + or + name = "BN_cmp" + or + name = "BN_copy" + or + name = "BN_dec2bn" + or + name = "BN_div" + or + name = "BN_div_recp" + or + name = "BN_div_word" + or + name = "BN_dup" + or + name = "BN_exp" + or + name = "BN_free" + or + name = "BN_from_montgomery" + or + name = "BN_gcd" + or + name = "BN_generate_prime" + or + name = "BN_generate_prime_ex" + or + name = "BN_generate_prime_ex2" + or + name = "BN_get0_nist_prime_192" + or + name = "BN_get0_nist_prime_224" + or + name = "BN_get0_nist_prime_256" + or + name = "BN_get0_nist_prime_384" + or + name = "BN_get0_nist_prime_521" + or + name = "BN_get_rfc2409_prime_1024" + or + name = "BN_get_rfc2409_prime_768" + or + name = "BN_get_rfc3526_prime_1536" + or + name = "BN_get_rfc3526_prime_2048" + or + name = "BN_get_rfc3526_prime_3072" + or + name = "BN_get_rfc3526_prime_4096" + or + name = "BN_get_rfc3526_prime_6144" + or + name = "BN_get_rfc3526_prime_8192" + or + name = "BN_get_word" + or + name = "BN_hex2bn" + or + name = "BN_init" + or + name = "BN_is_bit_set" + or + name = "BN_is_odd" + or + name = "BN_is_one" + or + name = "BN_is_prime" + or + name = "BN_is_prime_ex" + or + name = "BN_is_prime_fasttest" + or + name = "BN_is_prime_fasttest_ex" + or + name = "BN_is_word" + or + name = "BN_is_zero" + or + name = "BN_lebin2bn" + or + name = "BN_lshift" + or + name = "BN_lshift1" + or + name = "BN_mask_bits" + or + name = "BN_mod" + or + name = "BN_mod_add" + or + name = "BN_mod_exp" + or + name = "BN_mod_exp_mont" + or + name = "BN_mod_exp_mont_consttime" + or + name = "BN_mod_exp_mont_consttime_x2" + or + name = "BN_mod_inverse" + or + name = "BN_mod_mul" + or + name = "BN_mod_mul_montgomery" + or + name = "BN_mod_mul_reciprocal" + or + name = "BN_mod_sqr" + or + name = "BN_mod_sqrt" + or + name = "BN_mod_sub" + or + name = "BN_mod_word" + or + name = "BN_mpi2bn" + or + name = "BN_mul" + or + name = "BN_mul_word" + or + name = "BN_native2bn" + or + name = "BN_new" + or + name = "BN_nnmod" + or + name = "BN_num_bits" + or + name = "BN_num_bits_word" + or + name = "BN_num_bytes" + or + name = "BN_one" + or + name = "BN_print" + or + name = "BN_print_fp" + or + name = "BN_priv_rand" + or + name = "BN_priv_rand_ex" + or + name = "BN_priv_rand_range" + or + name = "BN_priv_rand_range_ex" + or + name = "BN_pseudo_rand" + or + name = "BN_pseudo_rand_range" + or + name = "BN_rand" + or + name = "BN_rand_ex" + or + name = "BN_rand_range" + or + name = "BN_rand_range_ex" + or + name = "BN_rshift" + or + name = "BN_rshift1" + or + name = "BN_secure_new" + or + name = "BN_security_bits" + or + name = "BN_set_bit" + or + name = "BN_set_word" + or + name = "BN_signed_bin2bn" + or + name = "BN_signed_bn2bin" + or + name = "BN_signed_bn2lebin" + or + name = "BN_signed_bn2native" + or + name = "BN_signed_lebin2bn" + or + name = "BN_signed_native2bn" + or + name = "BN_sqr" + or + name = "BN_sub" + or + name = "BN_sub_word" + or + name = "BN_swap" + or + name = "BN_to_ASN1_ENUMERATED" + or + name = "BN_to_ASN1_INTEGER" + or + name = "BN_to_montgomery" + or + name = "BN_ucmp" + or + name = "BN_value_one" + or + name = "BN_with_flags" + or + name = "BN_zero" + or + name = "BUF_MEM_free" + or + name = "BUF_MEM_grow" + or + name = "BUF_MEM_grow_clean" + or + name = "BUF_MEM_new" + or + name = "BUF_MEM_new_ex" + or + name = "BUF_memdup" + or + name = "BUF_reverse" + or + name = "BUF_strdup" + or + name = "BUF_strlcat" + or + name = "BUF_strlcpy" + or + name = "BUF_strndup" + or + name = "CERTIFICATEPOLICIES_free" + or + name = "CERTIFICATEPOLICIES_new" + or + name = "CMS_AuthEnvelopedData_create" + or + name = "CMS_AuthEnvelopedData_create_ex" + or + name = "CMS_ContentInfo_free" + or + name = "CMS_ContentInfo_new" + or + name = "CMS_ContentInfo_new_ex" + or + name = "CMS_ContentInfo_print_ctx" + or + name = "CMS_EncryptedData_decrypt" + or + name = "CMS_EncryptedData_encrypt" + or + name = "CMS_EncryptedData_encrypt_ex" + or + name = "CMS_EnvelopedData_create" + or + name = "CMS_EnvelopedData_create_ex" + or + name = "CMS_EnvelopedData_decrypt" + or + name = "CMS_EnvelopedData_it" + or + name = "CMS_ReceiptRequest_create0" + or + name = "CMS_ReceiptRequest_create0_ex" + or + name = "CMS_ReceiptRequest_free" + or + name = "CMS_ReceiptRequest_get0_values" + or + name = "CMS_ReceiptRequest_new" + or + name = "CMS_RecipientInfo_decrypt" + or + name = "CMS_RecipientInfo_encrypt" + or + name = "CMS_RecipientInfo_kari_set0_pkey" + or + name = "CMS_RecipientInfo_kari_set0_pkey_and_peer" + or + name = "CMS_RecipientInfo_kekri_get0_id" + or + name = "CMS_RecipientInfo_kekri_id_cmp" + or + name = "CMS_RecipientInfo_ktri_cert_cmp" + or + name = "CMS_RecipientInfo_ktri_get0_signer_id" + or + name = "CMS_RecipientInfo_set0_key" + or + name = "CMS_RecipientInfo_set0_pkey" + or + name = "CMS_RecipientInfo_type" + or + name = "CMS_SignedData_free" + or + name = "CMS_SignedData_new" + or + name = "CMS_SignedData_verify" + or + name = "CMS_SignerInfo_cert_cmp" + or + name = "CMS_SignerInfo_get0_signature" + or + name = "CMS_SignerInfo_get0_signer_id" + or + name = "CMS_SignerInfo_set1_signer_cert" + or + name = "CMS_SignerInfo_sign" + or + name = "CMS_add0_cert" + or + name = "CMS_add0_crl" + or + name = "CMS_add0_recipient_key" + or + name = "CMS_add1_ReceiptRequest" + or + name = "CMS_add1_cert" + or + name = "CMS_add1_crl" + or + name = "CMS_add1_recipient" + or + name = "CMS_add1_recipient_cert" + or + name = "CMS_add1_signer" + or + name = "CMS_compress" + or + name = "CMS_data_create" + or + name = "CMS_data_create_ex" + or + name = "CMS_decrypt" + or + name = "CMS_decrypt_set1_password" + or + name = "CMS_decrypt_set1_pkey" + or + name = "CMS_decrypt_set1_pkey_and_peer" + or + name = "CMS_digest_create" + or + name = "CMS_digest_create_ex" + or + name = "CMS_encrypt" + or + name = "CMS_encrypt_ex" + or + name = "CMS_final" + or + name = "CMS_final_digest" + or + name = "CMS_get0_RecipientInfos" + or + name = "CMS_get0_SignerInfos" + or + name = "CMS_get0_content" + or + name = "CMS_get0_eContentType" + or + name = "CMS_get0_signers" + or + name = "CMS_get0_type" + or + name = "CMS_get1_ReceiptRequest" + or + name = "CMS_get1_certs" + or + name = "CMS_get1_crls" + or + name = "CMS_set1_eContentType" + or + name = "CMS_set1_signer_cert" + or + name = "CMS_sign" + or + name = "CMS_sign_ex" + or + name = "CMS_sign_receipt" + or + name = "CMS_uncompress" + or + name = "CMS_verify" + or + name = "CMS_verify_receipt" + or + name = "COMP_CTX_free" + or + name = "COMP_CTX_get_method" + or + name = "COMP_CTX_get_type" + or + name = "COMP_CTX_new" + or + name = "COMP_brotli" + or + name = "COMP_brotli_oneshot" + or + name = "COMP_compress_block" + or + name = "COMP_expand_block" + or + name = "COMP_get_name" + or + name = "COMP_get_type" + or + name = "COMP_zlib" + or + name = "COMP_zlib_oneshot" + or + name = "COMP_zstd" + or + name = "COMP_zstd_oneshot" + or + name = "CONF_get1_default_config_file" + or + name = "CONF_modules_finish" + or + name = "CONF_modules_free" + or + name = "CONF_modules_load" + or + name = "CONF_modules_load_file" + or + name = "CONF_modules_load_file_ex" + or + name = "CONF_modules_unload" + or + name = "CRL_DIST_POINTS_free" + or + name = "CRL_DIST_POINTS_new" + or + name = "CRYPTO_EX_dup" + or + name = "CRYPTO_EX_free" + or + name = "CRYPTO_EX_new" + or + name = "CRYPTO_THREADID_cmp" + or + name = "CRYPTO_THREADID_cpy" + or + name = "CRYPTO_THREADID_current" + or + name = "CRYPTO_THREADID_get_callback" + or + name = "CRYPTO_THREADID_hash" + or + name = "CRYPTO_THREADID_set_callback" + or + name = "CRYPTO_THREAD_lock_free" + or + name = "CRYPTO_THREAD_lock_new" + or + name = "CRYPTO_THREAD_read_lock" + or + name = "CRYPTO_THREAD_run_once" + or + name = "CRYPTO_THREAD_unlock" + or + name = "CRYPTO_THREAD_write_lock" + or + name = "CRYPTO_alloc_ex_data" + or + name = "CRYPTO_atomic_add" + or + name = "CRYPTO_atomic_load" + or + name = "CRYPTO_atomic_or" + or + name = "CRYPTO_clear_free" + or + name = "CRYPTO_clear_realloc" + or + name = "CRYPTO_destroy_dynlockid" + or + name = "CRYPTO_free" + or + name = "CRYPTO_free_ex_data" + or + name = "CRYPTO_free_ex_index" + or + name = "CRYPTO_free_fn" + or + name = "CRYPTO_get_alloc_counts" + or + name = "CRYPTO_get_ex_data" + or + name = "CRYPTO_get_ex_new_index" + or + name = "CRYPTO_get_mem_functions" + or + name = "CRYPTO_get_new_dynlockid" + or + name = "CRYPTO_lock" + or + name = "CRYPTO_malloc" + or + name = "CRYPTO_malloc_fn" + or + name = "CRYPTO_mem_ctrl" + or + name = "CRYPTO_mem_debug_pop" + or + name = "CRYPTO_mem_debug_push" + or + name = "CRYPTO_mem_leaks" + or + name = "CRYPTO_mem_leaks_cb" + or + name = "CRYPTO_mem_leaks_fp" + or + name = "CRYPTO_memcmp" + or + name = "CRYPTO_new_ex_data" + or + name = "CRYPTO_num_locks" + or + name = "CRYPTO_realloc" + or + name = "CRYPTO_realloc_fn" + or + name = "CRYPTO_secure_allocated" + or + name = "CRYPTO_secure_clear_free" + or + name = "CRYPTO_secure_free" + or + name = "CRYPTO_secure_malloc" + or + name = "CRYPTO_secure_malloc_done" + or + name = "CRYPTO_secure_malloc_init" + or + name = "CRYPTO_secure_malloc_initialized" + or + name = "CRYPTO_secure_used" + or + name = "CRYPTO_secure_zalloc" + or + name = "CRYPTO_set_dynlock_create_callback" + or + name = "CRYPTO_set_dynlock_destroy_callback" + or + name = "CRYPTO_set_dynlock_lock_callback" + or + name = "CRYPTO_set_ex_data" + or + name = "CRYPTO_set_locking_callback" + or + name = "CRYPTO_set_mem_debug" + or + name = "CRYPTO_set_mem_functions" + or + name = "CRYPTO_strdup" + or + name = "CRYPTO_strndup" + or + name = "CRYPTO_zalloc" + or + name = "CTLOG_STORE_free" + or + name = "CTLOG_STORE_get0_log_by_id" + or + name = "CTLOG_STORE_load_default_file" + or + name = "CTLOG_STORE_load_file" + or + name = "CTLOG_STORE_new" + or + name = "CTLOG_STORE_new_ex" + or + name = "CTLOG_free" + or + name = "CTLOG_get0_log_id" + or + name = "CTLOG_get0_name" + or + name = "CTLOG_get0_public_key" + or + name = "CTLOG_new" + or + name = "CTLOG_new_ex" + or + name = "CTLOG_new_from_base64" + or + name = "CTLOG_new_from_base64_ex" + or + name = "CT_POLICY_EVAL_CTX_free" + or + name = "CT_POLICY_EVAL_CTX_get0_cert" + or + name = "CT_POLICY_EVAL_CTX_get0_issuer" + or + name = "CT_POLICY_EVAL_CTX_get0_log_store" + or + name = "CT_POLICY_EVAL_CTX_get_time" + or + name = "CT_POLICY_EVAL_CTX_new" + or + name = "CT_POLICY_EVAL_CTX_new_ex" + or + name = "CT_POLICY_EVAL_CTX_set1_cert" + or + name = "CT_POLICY_EVAL_CTX_set1_issuer" + or + name = "CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE" + or + name = "CT_POLICY_EVAL_CTX_set_time" + or + name = "DECLARE_ASN1_FUNCTIONS" + or + name = "DECLARE_LHASH_OF" + or + name = "DECLARE_PEM_rw" + or + name = "DEFINE_LHASH_OF" + or + name = "DEFINE_LHASH_OF_EX" + or + name = "DEFINE_SPECIAL_STACK_OF" + or + name = "DEFINE_SPECIAL_STACK_OF_CONST" + or + name = "DEFINE_STACK_OF" + or + name = "DEFINE_STACK_OF_CONST" + or + name = "DES_cbc_cksum" + or + name = "DES_cfb64_encrypt" + or + name = "DES_cfb_encrypt" + or + name = "DES_crypt" + or + name = "DES_ecb2_encrypt" + or + name = "DES_ecb3_encrypt" + or + name = "DES_ecb_encrypt" + or + name = "DES_ede2_cbc_encrypt" + or + name = "DES_ede2_cfb64_encrypt" + or + name = "DES_ede2_ofb64_encrypt" + or + name = "DES_ede3_cbc_encrypt" + or + name = "DES_ede3_cbcm_encrypt" + or + name = "DES_ede3_cfb64_encrypt" + or + name = "DES_ede3_ofb64_encrypt" + or + name = "DES_enc_read" + or + name = "DES_enc_write" + or + name = "DES_fcrypt" + or + name = "DES_is_weak_key" + or + name = "DES_key_sched" + or + name = "DES_ncbc_encrypt" + or + name = "DES_ofb64_encrypt" + or + name = "DES_ofb_encrypt" + or + name = "DES_pcbc_encrypt" + or + name = "DES_quad_cksum" + or + name = "DES_random_key" + or + name = "DES_set_key" + or + name = "DES_set_key_checked" + or + name = "DES_set_key_unchecked" + or + name = "DES_set_odd_parity" + or + name = "DES_string_to_2keys" + or + name = "DES_string_to_key" + or + name = "DES_xcbc_encrypt" + or + name = "DH_OpenSSL" + or + name = "DH_bits" + or + name = "DH_check" + or + name = "DH_check_ex" + or + name = "DH_check_params" + or + name = "DH_check_params_ex" + or + name = "DH_check_pub_key_ex" + or + name = "DH_clear_flags" + or + name = "DH_compute_key" + or + name = "DH_compute_key_padded" + or + name = "DH_free" + or + name = "DH_generate_key" + or + name = "DH_generate_parameters" + or + name = "DH_generate_parameters_ex" + or + name = "DH_get0_engine" + or + name = "DH_get0_g" + or + name = "DH_get0_key" + or + name = "DH_get0_p" + or + name = "DH_get0_pqg" + or + name = "DH_get0_priv_key" + or + name = "DH_get0_pub_key" + or + name = "DH_get0_q" + or + name = "DH_get_1024_160" + or + name = "DH_get_2048_224" + or + name = "DH_get_2048_256" + or + name = "DH_get_default_method" + or + name = "DH_get_ex_data" + or + name = "DH_get_ex_new_index" + or + name = "DH_get_length" + or + name = "DH_get_nid" + or + name = "DH_meth_dup" + or + name = "DH_meth_free" + or + name = "DH_meth_get0_app_data" + or + name = "DH_meth_get0_name" + or + name = "DH_meth_get_bn_mod_exp" + or + name = "DH_meth_get_compute_key" + or + name = "DH_meth_get_finish" + or + name = "DH_meth_get_flags" + or + name = "DH_meth_get_generate_key" + or + name = "DH_meth_get_generate_params" + or + name = "DH_meth_get_init" + or + name = "DH_meth_new" + or + name = "DH_meth_set0_app_data" + or + name = "DH_meth_set1_name" + or + name = "DH_meth_set_bn_mod_exp" + or + name = "DH_meth_set_compute_key" + or + name = "DH_meth_set_finish" + or + name = "DH_meth_set_flags" + or + name = "DH_meth_set_generate_key" + or + name = "DH_meth_set_generate_params" + or + name = "DH_meth_set_init" + or + name = "DH_new" + or + name = "DH_new_by_nid" + or + name = "DH_new_method" + or + name = "DH_security_bits" + or + name = "DH_set0_key" + or + name = "DH_set0_pqg" + or + name = "DH_set_default_method" + or + name = "DH_set_ex_data" + or + name = "DH_set_flags" + or + name = "DH_set_length" + or + name = "DH_set_method" + or + name = "DH_size" + or + name = "DH_test_flags" + or + name = "DHparams_print" + or + name = "DHparams_print_fp" + or + name = "DIRECTORYSTRING_free" + or + name = "DIRECTORYSTRING_new" + or + name = "DISPLAYTEXT_free" + or + name = "DISPLAYTEXT_new" + or + name = "DIST_POINT_NAME_free" + or + name = "DIST_POINT_NAME_new" + or + name = "DIST_POINT_free" + or + name = "DIST_POINT_new" + or + name = "DSA_OpenSSL" + or + name = "DSA_SIG_free" + or + name = "DSA_SIG_get0" + or + name = "DSA_SIG_new" + or + name = "DSA_SIG_set0" + or + name = "DSA_bits" + or + name = "DSA_clear_flags" + or + name = "DSA_do_sign" + or + name = "DSA_do_verify" + or + name = "DSA_dup_DH" + or + name = "DSA_free" + or + name = "DSA_generate_key" + or + name = "DSA_generate_parameters" + or + name = "DSA_generate_parameters_ex" + or + name = "DSA_get0_engine" + or + name = "DSA_get0_g" + or + name = "DSA_get0_key" + or + name = "DSA_get0_p" + or + name = "DSA_get0_pqg" + or + name = "DSA_get0_priv_key" + or + name = "DSA_get0_pub_key" + or + name = "DSA_get0_q" + or + name = "DSA_get_default_method" + or + name = "DSA_get_ex_data" + or + name = "DSA_get_ex_new_index" + or + name = "DSA_meth_dup" + or + name = "DSA_meth_free" + or + name = "DSA_meth_get0_app_data" + or + name = "DSA_meth_get0_name" + or + name = "DSA_meth_get_bn_mod_exp" + or + name = "DSA_meth_get_finish" + or + name = "DSA_meth_get_flags" + or + name = "DSA_meth_get_init" + or + name = "DSA_meth_get_keygen" + or + name = "DSA_meth_get_mod_exp" + or + name = "DSA_meth_get_paramgen" + or + name = "DSA_meth_get_sign" + or + name = "DSA_meth_get_sign_setup" + or + name = "DSA_meth_get_verify" + or + name = "DSA_meth_new" + or + name = "DSA_meth_set0_app_data" + or + name = "DSA_meth_set1_name" + or + name = "DSA_meth_set_bn_mod_exp" + or + name = "DSA_meth_set_finish" + or + name = "DSA_meth_set_flags" + or + name = "DSA_meth_set_init" + or + name = "DSA_meth_set_keygen" + or + name = "DSA_meth_set_mod_exp" + or + name = "DSA_meth_set_paramgen" + or + name = "DSA_meth_set_sign" + or + name = "DSA_meth_set_sign_setup" + or + name = "DSA_meth_set_verify" + or + name = "DSA_new" + or + name = "DSA_new_method" + or + name = "DSA_print" + or + name = "DSA_print_fp" + or + name = "DSA_security_bits" + or + name = "DSA_set0_key" + or + name = "DSA_set0_pqg" + or + name = "DSA_set_default_method" + or + name = "DSA_set_ex_data" + or + name = "DSA_set_flags" + or + name = "DSA_set_method" + or + name = "DSA_sign" + or + name = "DSA_sign_setup" + or + name = "DSA_size" + or + name = "DSA_test_flags" + or + name = "DSA_verify" + or + name = "DSAparams_dup" + or + name = "DSAparams_print" + or + name = "DSAparams_print_fp" + or + name = "DTLS_client_method" + or + name = "DTLS_get_data_mtu" + or + name = "DTLS_method" + or + name = "DTLS_server_method" + or + name = "DTLS_set_timer_cb" + or + name = "DTLS_timer_cb" + or + name = "DTLSv1_2_client_method" + or + name = "DTLSv1_2_method" + or + name = "DTLSv1_2_server_method" + or + name = "DTLSv1_client_method" + or + name = "DTLSv1_get_timeout" + or + name = "DTLSv1_handle_timeout" + or + name = "DTLSv1_listen" + or + name = "DTLSv1_method" + or + name = "DTLSv1_server_method" + or + name = "ECDH_get_ex_data" + or + name = "ECDH_get_ex_new_index" + or + name = "ECDH_set_ex_data" + or + name = "ECDSA_SIG_free" + or + name = "ECDSA_SIG_get0" + or + name = "ECDSA_SIG_get0_r" + or + name = "ECDSA_SIG_get0_s" + or + name = "ECDSA_SIG_new" + or + name = "ECDSA_SIG_set0" + or + name = "ECDSA_do_sign" + or + name = "ECDSA_do_sign_ex" + or + name = "ECDSA_do_verify" + or + name = "ECDSA_sign" + or + name = "ECDSA_sign_ex" + or + name = "ECDSA_sign_setup" + or + name = "ECDSA_size" + or + name = "ECDSA_verify" + or + name = "ECPARAMETERS_free" + or + name = "ECPARAMETERS_new" + or + name = "ECPKPARAMETERS_free" + or + name = "ECPKPARAMETERS_new" + or + name = "ECPKParameters_print" + or + name = "ECPKParameters_print_fp" + or + name = "EC_GF2m_simple_method" + or + name = "EC_GFp_mont_method" + or + name = "EC_GFp_nist_method" + or + name = "EC_GFp_nistp224_method" + or + name = "EC_GFp_nistp256_method" + or + name = "EC_GFp_nistp521_method" + or + name = "EC_GFp_simple_method" + or + name = "EC_GROUP_check" + or + name = "EC_GROUP_check_discriminant" + or + name = "EC_GROUP_check_named_curve" + or + name = "EC_GROUP_clear_free" + or + name = "EC_GROUP_cmp" + or + name = "EC_GROUP_copy" + or + name = "EC_GROUP_dup" + or + name = "EC_GROUP_free" + or + name = "EC_GROUP_get0_cofactor" + or + name = "EC_GROUP_get0_field" + or + name = "EC_GROUP_get0_generator" + or + name = "EC_GROUP_get0_order" + or + name = "EC_GROUP_get0_seed" + or + name = "EC_GROUP_get_asn1_flag" + or + name = "EC_GROUP_get_basis_type" + or + name = "EC_GROUP_get_cofactor" + or + name = "EC_GROUP_get_curve" + or + name = "EC_GROUP_get_curve_GF2m" + or + name = "EC_GROUP_get_curve_GFp" + or + name = "EC_GROUP_get_curve_name" + or + name = "EC_GROUP_get_degree" + or + name = "EC_GROUP_get_ecparameters" + or + name = "EC_GROUP_get_ecpkparameters" + or + name = "EC_GROUP_get_field_type" + or + name = "EC_GROUP_get_order" + or + name = "EC_GROUP_get_pentanomial_basis" + or + name = "EC_GROUP_get_point_conversion_form" + or + name = "EC_GROUP_get_seed_len" + or + name = "EC_GROUP_get_trinomial_basis" + or + name = "EC_GROUP_have_precompute_mult" + or + name = "EC_GROUP_method_of" + or + name = "EC_GROUP_new" + or + name = "EC_GROUP_new_by_curve_name" + or + name = "EC_GROUP_new_by_curve_name_ex" + or + name = "EC_GROUP_new_curve_GF2m" + or + name = "EC_GROUP_new_curve_GFp" + or + name = "EC_GROUP_new_from_ecparameters" + or + name = "EC_GROUP_new_from_ecpkparameters" + or + name = "EC_GROUP_new_from_params" + or + name = "EC_GROUP_order_bits" + or + name = "EC_GROUP_precompute_mult" + or + name = "EC_GROUP_set_asn1_flag" + or + name = "EC_GROUP_set_curve" + or + name = "EC_GROUP_set_curve_GF2m" + or + name = "EC_GROUP_set_curve_GFp" + or + name = "EC_GROUP_set_curve_name" + or + name = "EC_GROUP_set_generator" + or + name = "EC_GROUP_set_point_conversion_form" + or + name = "EC_GROUP_set_seed" + or + name = "EC_GROUP_to_params" + or + name = "EC_KEY_check_key" + or + name = "EC_KEY_clear_flags" + or + name = "EC_KEY_copy" + or + name = "EC_KEY_decoded_from_explicit_params" + or + name = "EC_KEY_dup" + or + name = "EC_KEY_free" + or + name = "EC_KEY_generate_key" + or + name = "EC_KEY_get0_engine" + or + name = "EC_KEY_get0_group" + or + name = "EC_KEY_get0_private_key" + or + name = "EC_KEY_get0_public_key" + or + name = "EC_KEY_get_conv_form" + or + name = "EC_KEY_get_enc_flags" + or + name = "EC_KEY_get_ex_data" + or + name = "EC_KEY_get_ex_new_index" + or + name = "EC_KEY_get_flags" + or + name = "EC_KEY_get_key_method_data" + or + name = "EC_KEY_get_method" + or + name = "EC_KEY_insert_key_method_data" + or + name = "EC_KEY_key2buf" + or + name = "EC_KEY_new" + or + name = "EC_KEY_new_by_curve_name" + or + name = "EC_KEY_new_by_curve_name_ex" + or + name = "EC_KEY_new_ex" + or + name = "EC_KEY_oct2key" + or + name = "EC_KEY_oct2priv" + or + name = "EC_KEY_precompute_mult" + or + name = "EC_KEY_priv2buf" + or + name = "EC_KEY_priv2oct" + or + name = "EC_KEY_set_asn1_flag" + or + name = "EC_KEY_set_conv_form" + or + name = "EC_KEY_set_enc_flags" + or + name = "EC_KEY_set_ex_data" + or + name = "EC_KEY_set_flags" + or + name = "EC_KEY_set_group" + or + name = "EC_KEY_set_method" + or + name = "EC_KEY_set_private_key" + or + name = "EC_KEY_set_public_key" + or + name = "EC_KEY_set_public_key_affine_coordinates" + or + name = "EC_KEY_up_ref" + or + name = "EC_METHOD_get_field_type" + or + name = "EC_POINT_add" + or + name = "EC_POINT_bn2point" + or + name = "EC_POINT_clear_free" + or + name = "EC_POINT_cmp" + or + name = "EC_POINT_copy" + or + name = "EC_POINT_dbl" + or + name = "EC_POINT_dup" + or + name = "EC_POINT_free" + or + name = "EC_POINT_get_Jprojective_coordinates_GFp" + or + name = "EC_POINT_get_affine_coordinates" + or + name = "EC_POINT_get_affine_coordinates_GF2m" + or + name = "EC_POINT_get_affine_coordinates_GFp" + or + name = "EC_POINT_hex2point" + or + name = "EC_POINT_invert" + or + name = "EC_POINT_is_at_infinity" + or + name = "EC_POINT_is_on_curve" + or + name = "EC_POINT_make_affine" + or + name = "EC_POINT_method_of" + or + name = "EC_POINT_mul" + or + name = "EC_POINT_new" + or + name = "EC_POINT_oct2point" + or + name = "EC_POINT_point2bn" + or + name = "EC_POINT_point2buf" + or + name = "EC_POINT_point2hex" + or + name = "EC_POINT_point2oct" + or + name = "EC_POINT_set_Jprojective_coordinates" + or + name = "EC_POINT_set_Jprojective_coordinates_GFp" + or + name = "EC_POINT_set_affine_coordinates" + or + name = "EC_POINT_set_affine_coordinates_GF2m" + or + name = "EC_POINT_set_affine_coordinates_GFp" + or + name = "EC_POINT_set_compressed_coordinates" + or + name = "EC_POINT_set_compressed_coordinates_GF2m" + or + name = "EC_POINT_set_compressed_coordinates_GFp" + or + name = "EC_POINT_set_to_infinity" + or + name = "EC_POINTs_make_affine" + or + name = "EC_POINTs_mul" + or + name = "EC_get_builtin_curves" + or + name = "EDIPARTYNAME_free" + or + name = "EDIPARTYNAME_new" + or + name = "ENGINE_add" + or + name = "ENGINE_add_conf_module" + or + name = "ENGINE_by_id" + or + name = "ENGINE_cleanup" + or + name = "ENGINE_cmd_is_executable" + or + name = "ENGINE_ctrl" + or + name = "ENGINE_ctrl_cmd" + or + name = "ENGINE_ctrl_cmd_string" + or + name = "ENGINE_finish" + or + name = "ENGINE_free" + or + name = "ENGINE_get_DH" + or + name = "ENGINE_get_DSA" + or + name = "ENGINE_get_RAND" + or + name = "ENGINE_get_RSA" + or + name = "ENGINE_get_cipher" + or + name = "ENGINE_get_cipher_engine" + or + name = "ENGINE_get_ciphers" + or + name = "ENGINE_get_cmd_defns" + or + name = "ENGINE_get_ctrl_function" + or + name = "ENGINE_get_default_DH" + or + name = "ENGINE_get_default_DSA" + or + name = "ENGINE_get_default_RAND" + or + name = "ENGINE_get_default_RSA" + or + name = "ENGINE_get_destroy_function" + or + name = "ENGINE_get_digest" + or + name = "ENGINE_get_digest_engine" + or + name = "ENGINE_get_digests" + or + name = "ENGINE_get_ex_data" + or + name = "ENGINE_get_ex_new_index" + or + name = "ENGINE_get_finish_function" + or + name = "ENGINE_get_first" + or + name = "ENGINE_get_flags" + or + name = "ENGINE_get_id" + or + name = "ENGINE_get_init_function" + or + name = "ENGINE_get_last" + or + name = "ENGINE_get_load_privkey_function" + or + name = "ENGINE_get_load_pubkey_function" + or + name = "ENGINE_get_name" + or + name = "ENGINE_get_next" + or + name = "ENGINE_get_prev" + or + name = "ENGINE_get_table_flags" + or + name = "ENGINE_init" + or + name = "ENGINE_load_builtin_engines" + or + name = "ENGINE_load_private_key" + or + name = "ENGINE_load_public_key" + or + name = "ENGINE_new" + or + name = "ENGINE_register_DH" + or + name = "ENGINE_register_DSA" + or + name = "ENGINE_register_RAND" + or + name = "ENGINE_register_RSA" + or + name = "ENGINE_register_all_DH" + or + name = "ENGINE_register_all_DSA" + or + name = "ENGINE_register_all_RAND" + or + name = "ENGINE_register_all_RSA" + or + name = "ENGINE_register_all_ciphers" + or + name = "ENGINE_register_all_complete" + or + name = "ENGINE_register_all_digests" + or + name = "ENGINE_register_ciphers" + or + name = "ENGINE_register_complete" + or + name = "ENGINE_register_digests" + or + name = "ENGINE_remove" + or + name = "ENGINE_set_DH" + or + name = "ENGINE_set_DSA" + or + name = "ENGINE_set_RAND" + or + name = "ENGINE_set_RSA" + or + name = "ENGINE_set_ciphers" + or + name = "ENGINE_set_cmd_defns" + or + name = "ENGINE_set_ctrl_function" + or + name = "ENGINE_set_default" + or + name = "ENGINE_set_default_DH" + or + name = "ENGINE_set_default_DSA" + or + name = "ENGINE_set_default_RAND" + or + name = "ENGINE_set_default_RSA" + or + name = "ENGINE_set_default_ciphers" + or + name = "ENGINE_set_default_digests" + or + name = "ENGINE_set_default_string" + or + name = "ENGINE_set_destroy_function" + or + name = "ENGINE_set_digests" + or + name = "ENGINE_set_ex_data" + or + name = "ENGINE_set_finish_function" + or + name = "ENGINE_set_flags" + or + name = "ENGINE_set_id" + or + name = "ENGINE_set_init_function" + or + name = "ENGINE_set_load_privkey_function" + or + name = "ENGINE_set_load_pubkey_function" + or + name = "ENGINE_set_name" + or + name = "ENGINE_set_table_flags" + or + name = "ENGINE_unregister_DH" + or + name = "ENGINE_unregister_DSA" + or + name = "ENGINE_unregister_RAND" + or + name = "ENGINE_unregister_RSA" + or + name = "ENGINE_unregister_ciphers" + or + name = "ENGINE_unregister_digests" + or + name = "ENGINE_up_ref" + or + name = "ERR_FATAL_ERROR" + or + name = "ERR_GET_FUNC" + or + name = "ERR_GET_LIB" + or + name = "ERR_GET_REASON" + or + name = "ERR_PACK" + or + name = "ERR_add_error_data" + or + name = "ERR_add_error_mem_bio" + or + name = "ERR_add_error_txt" + or + name = "ERR_add_error_vdata" + or + name = "ERR_clear_error" + or + name = "ERR_clear_last_mark" + or + name = "ERR_error_string" + or + name = "ERR_error_string_n" + or + name = "ERR_free_strings" + or + name = "ERR_func_error_string" + or + name = "ERR_get_error" + or + name = "ERR_get_error_all" + or + name = "ERR_get_error_line" + or + name = "ERR_get_error_line_data" + or + name = "ERR_get_next_error_library" + or + name = "ERR_lib_error_string" + or + name = "ERR_load_UI_strings" + or + name = "ERR_load_crypto_strings" + or + name = "ERR_load_strings" + or + name = "ERR_new" + or + name = "ERR_peek_error" + or + name = "ERR_peek_error_all" + or + name = "ERR_peek_error_data" + or + name = "ERR_peek_error_func" + or + name = "ERR_peek_error_line" + or + name = "ERR_peek_error_line_data" + or + name = "ERR_peek_last_error" + or + name = "ERR_peek_last_error_all" + or + name = "ERR_peek_last_error_data" + or + name = "ERR_peek_last_error_func" + or + name = "ERR_peek_last_error_line" + or + name = "ERR_peek_last_error_line_data" + or + name = "ERR_pop_to_mark" + or + name = "ERR_print_errors" + or + name = "ERR_print_errors_cb" + or + name = "ERR_print_errors_fp" + or + name = "ERR_put_error" + or + name = "ERR_raise" + or + name = "ERR_raise_data" + or + name = "ERR_reason_error_string" + or + name = "ERR_remove_state" + or + name = "ERR_remove_thread_state" + or + name = "ERR_set_debug" + or + name = "ERR_set_error" + or + name = "ERR_set_mark" + or + name = "ERR_vset_error" + or + name = "ESS_CERT_ID_V2_dup" + or + name = "ESS_CERT_ID_V2_free" + or + name = "ESS_CERT_ID_V2_new" + or + name = "ESS_CERT_ID_dup" + or + name = "ESS_CERT_ID_free" + or + name = "ESS_CERT_ID_new" + or + name = "ESS_ISSUER_SERIAL_dup" + or + name = "ESS_ISSUER_SERIAL_free" + or + name = "ESS_ISSUER_SERIAL_new" + or + name = "ESS_SIGNING_CERT_V2_dup" + or + name = "ESS_SIGNING_CERT_V2_free" + or + name = "ESS_SIGNING_CERT_V2_it" + or + name = "ESS_SIGNING_CERT_V2_new" + or + name = "ESS_SIGNING_CERT_dup" + or + name = "ESS_SIGNING_CERT_free" + or + name = "ESS_SIGNING_CERT_it" + or + name = "ESS_SIGNING_CERT_new" + or + name = "EVP_ASYM_CIPHER_do_all_provided" + or + name = "EVP_ASYM_CIPHER_fetch" + or + name = "EVP_ASYM_CIPHER_free" + or + name = "EVP_ASYM_CIPHER_get0_description" + or + name = "EVP_ASYM_CIPHER_get0_name" + or + name = "EVP_ASYM_CIPHER_get0_provider" + or + name = "EVP_ASYM_CIPHER_gettable_ctx_params" + or + name = "EVP_ASYM_CIPHER_is_a" + or + name = "EVP_ASYM_CIPHER_names_do_all" + or + name = "EVP_ASYM_CIPHER_settable_ctx_params" + or + name = "EVP_ASYM_CIPHER_up_ref" + or + name = "EVP_BytesToKey" + or + name = "EVP_CIPHER_CTX_block_size" + or + name = "EVP_CIPHER_CTX_cipher" + or + name = "EVP_CIPHER_CTX_cleanup" + or + name = "EVP_CIPHER_CTX_clear_flags" + or + name = "EVP_CIPHER_CTX_copy" + or + name = "EVP_CIPHER_CTX_ctrl" + or + name = "EVP_CIPHER_CTX_dup" + or + name = "EVP_CIPHER_CTX_encrypting" + or + name = "EVP_CIPHER_CTX_flags" + or + name = "EVP_CIPHER_CTX_free" + or + name = "EVP_CIPHER_CTX_get0_cipher" + or + name = "EVP_CIPHER_CTX_get0_name" + or + name = "EVP_CIPHER_CTX_get1_cipher" + or + name = "EVP_CIPHER_CTX_get_app_data" + or + name = "EVP_CIPHER_CTX_get_block_size" + or + name = "EVP_CIPHER_CTX_get_cipher_data" + or + name = "EVP_CIPHER_CTX_get_iv_length" + or + name = "EVP_CIPHER_CTX_get_key_length" + or + name = "EVP_CIPHER_CTX_get_mode" + or + name = "EVP_CIPHER_CTX_get_nid" + or + name = "EVP_CIPHER_CTX_get_num" + or + name = "EVP_CIPHER_CTX_get_original_iv" + or + name = "EVP_CIPHER_CTX_get_params" + or + name = "EVP_CIPHER_CTX_get_tag_length" + or + name = "EVP_CIPHER_CTX_get_type" + or + name = "EVP_CIPHER_CTX_get_updated_iv" + or + name = "EVP_CIPHER_CTX_gettable_params" + or + name = "EVP_CIPHER_CTX_init" + or + name = "EVP_CIPHER_CTX_is_encrypting" + or + name = "EVP_CIPHER_CTX_iv" + or + name = "EVP_CIPHER_CTX_iv_length" + or + name = "EVP_CIPHER_CTX_iv_noconst" + or + name = "EVP_CIPHER_CTX_key_length" + or + name = "EVP_CIPHER_CTX_mode" + or + name = "EVP_CIPHER_CTX_new" + or + name = "EVP_CIPHER_CTX_nid" + or + name = "EVP_CIPHER_CTX_num" + or + name = "EVP_CIPHER_CTX_original_iv" + or + name = "EVP_CIPHER_CTX_reset" + or + name = "EVP_CIPHER_CTX_set_app_data" + or + name = "EVP_CIPHER_CTX_set_cipher_data" + or + name = "EVP_CIPHER_CTX_set_flags" + or + name = "EVP_CIPHER_CTX_set_key_length" + or + name = "EVP_CIPHER_CTX_set_num" + or + name = "EVP_CIPHER_CTX_set_padding" + or + name = "EVP_CIPHER_CTX_set_params" + or + name = "EVP_CIPHER_CTX_settable_params" + or + name = "EVP_CIPHER_CTX_tag_length" + or + name = "EVP_CIPHER_CTX_test_flags" + or + name = "EVP_CIPHER_CTX_type" + or + name = "EVP_CIPHER_asn1_to_param" + or + name = "EVP_CIPHER_block_size" + or + name = "EVP_CIPHER_do_all_provided" + or + name = "EVP_CIPHER_fetch" + or + name = "EVP_CIPHER_flags" + or + name = "EVP_CIPHER_free" + or + name = "EVP_CIPHER_get0_description" + or + name = "EVP_CIPHER_get0_name" + or + name = "EVP_CIPHER_get0_provider" + or + name = "EVP_CIPHER_get_block_size" + or + name = "EVP_CIPHER_get_flags" + or + name = "EVP_CIPHER_get_iv_length" + or + name = "EVP_CIPHER_get_key_length" + or + name = "EVP_CIPHER_get_mode" + or + name = "EVP_CIPHER_get_nid" + or + name = "EVP_CIPHER_get_params" + or + name = "EVP_CIPHER_get_type" + or + name = "EVP_CIPHER_gettable_ctx_params" + or + name = "EVP_CIPHER_gettable_params" + or + name = "EVP_CIPHER_is_a" + or + name = "EVP_CIPHER_iv_length" + or + name = "EVP_CIPHER_key_length" + or + name = "EVP_CIPHER_meth_dup" + or + name = "EVP_CIPHER_meth_free" + or + name = "EVP_CIPHER_meth_get_cleanup" + or + name = "EVP_CIPHER_meth_get_ctrl" + or + name = "EVP_CIPHER_meth_get_do_cipher" + or + name = "EVP_CIPHER_meth_get_get_asn1_params" + or + name = "EVP_CIPHER_meth_get_init" + or + name = "EVP_CIPHER_meth_get_set_asn1_params" + or + name = "EVP_CIPHER_meth_new" + or + name = "EVP_CIPHER_meth_set_cleanup" + or + name = "EVP_CIPHER_meth_set_ctrl" + or + name = "EVP_CIPHER_meth_set_do_cipher" + or + name = "EVP_CIPHER_meth_set_flags" + or + name = "EVP_CIPHER_meth_set_get_asn1_params" + or + name = "EVP_CIPHER_meth_set_impl_ctx_size" + or + name = "EVP_CIPHER_meth_set_init" + or + name = "EVP_CIPHER_meth_set_iv_length" + or + name = "EVP_CIPHER_meth_set_set_asn1_params" + or + name = "EVP_CIPHER_mode" + or + name = "EVP_CIPHER_name" + or + name = "EVP_CIPHER_names_do_all" + or + name = "EVP_CIPHER_nid" + or + name = "EVP_CIPHER_param_to_asn1" + or + name = "EVP_CIPHER_settable_ctx_params" + or + name = "EVP_CIPHER_type" + or + name = "EVP_CIPHER_up_ref" + or + name = "EVP_Cipher" + or + name = "EVP_CipherFinal" + or + name = "EVP_CipherFinal_ex" + or + name = "EVP_CipherInit" + or + name = "EVP_CipherInit_ex" + or + name = "EVP_CipherInit_ex2" + or + name = "EVP_CipherUpdate" + or + name = "EVP_DecodeBlock" + or + name = "EVP_DecodeFinal" + or + name = "EVP_DecodeInit" + or + name = "EVP_DecodeUpdate" + or + name = "EVP_DecryptFinal" + or + name = "EVP_DecryptFinal_ex" + or + name = "EVP_DecryptInit" + or + name = "EVP_DecryptInit_ex" + or + name = "EVP_DecryptInit_ex2" + or + name = "EVP_DecryptUpdate" + or + name = "EVP_Digest" + or + name = "EVP_DigestFinal" + or + name = "EVP_DigestFinalXOF" + or + name = "EVP_DigestFinal_ex" + or + name = "EVP_DigestInit" + or + name = "EVP_DigestInit_ex" + or + name = "EVP_DigestInit_ex2" + or + name = "EVP_DigestSign" + or + name = "EVP_DigestSignFinal" + or + name = "EVP_DigestSignInit" + or + name = "EVP_DigestSignInit_ex" + or + name = "EVP_DigestSignUpdate" + or + name = "EVP_DigestUpdate" + or + name = "EVP_DigestVerify" + or + name = "EVP_DigestVerifyFinal" + or + name = "EVP_DigestVerifyInit" + or + name = "EVP_DigestVerifyInit_ex" + or + name = "EVP_DigestVerifyUpdate" + or + name = "EVP_EC_gen" + or + name = "EVP_ENCODE_CTX_copy" + or + name = "EVP_ENCODE_CTX_free" + or + name = "EVP_ENCODE_CTX_new" + or + name = "EVP_ENCODE_CTX_num" + or + name = "EVP_EncodeBlock" + or + name = "EVP_EncodeFinal" + or + name = "EVP_EncodeInit" + or + name = "EVP_EncodeUpdate" + or + name = "EVP_EncryptFinal" + or + name = "EVP_EncryptFinal_ex" + or + name = "EVP_EncryptInit" + or + name = "EVP_EncryptInit_ex" + or + name = "EVP_EncryptInit_ex2" + or + name = "EVP_EncryptUpdate" + or + name = "EVP_KDF" + or + name = "EVP_KDF_CTX" + or + name = "EVP_KDF_CTX_dup" + or + name = "EVP_KDF_CTX_free" + or + name = "EVP_KDF_CTX_get_kdf_size" + or + name = "EVP_KDF_CTX_get_params" + or + name = "EVP_KDF_CTX_gettable_params" + or + name = "EVP_KDF_CTX_kdf" + or + name = "EVP_KDF_CTX_new" + or + name = "EVP_KDF_CTX_reset" + or + name = "EVP_KDF_CTX_set_params" + or + name = "EVP_KDF_CTX_settable_params" + or + name = "EVP_KDF_derive" + or + name = "EVP_KDF_do_all_provided" + or + name = "EVP_KDF_fetch" + or + name = "EVP_KDF_free" + or + name = "EVP_KDF_get0_description" + or + name = "EVP_KDF_get0_name" + or + name = "EVP_KDF_get0_provider" + or + name = "EVP_KDF_get_params" + or + name = "EVP_KDF_gettable_ctx_params" + or + name = "EVP_KDF_gettable_params" + or + name = "EVP_KDF_is_a" + or + name = "EVP_KDF_names_do_all" + or + name = "EVP_KDF_settable_ctx_params" + or + name = "EVP_KDF_up_ref" + or + name = "EVP_KEM_do_all_provided" + or + name = "EVP_KEM_fetch" + or + name = "EVP_KEM_free" + or + name = "EVP_KEM_get0_description" + or + name = "EVP_KEM_get0_name" + or + name = "EVP_KEM_get0_provider" + or + name = "EVP_KEM_gettable_ctx_params" + or + name = "EVP_KEM_is_a" + or + name = "EVP_KEM_names_do_all" + or + name = "EVP_KEM_settable_ctx_params" + or + name = "EVP_KEM_up_ref" + or + name = "EVP_KEYEXCH_do_all_provided" + or + name = "EVP_KEYEXCH_fetch" + or + name = "EVP_KEYEXCH_free" + or + name = "EVP_KEYEXCH_get0_description" + or + name = "EVP_KEYEXCH_get0_name" + or + name = "EVP_KEYEXCH_get0_provider" + or + name = "EVP_KEYEXCH_gettable_ctx_params" + or + name = "EVP_KEYEXCH_is_a" + or + name = "EVP_KEYEXCH_names_do_all" + or + name = "EVP_KEYEXCH_settable_ctx_params" + or + name = "EVP_KEYEXCH_up_ref" + or + name = "EVP_KEYMGMT" + or + name = "EVP_KEYMGMT_do_all_provided" + or + name = "EVP_KEYMGMT_fetch" + or + name = "EVP_KEYMGMT_free" + or + name = "EVP_KEYMGMT_gen_settable_params" + or + name = "EVP_KEYMGMT_get0_description" + or + name = "EVP_KEYMGMT_get0_name" + or + name = "EVP_KEYMGMT_get0_provider" + or + name = "EVP_KEYMGMT_gettable_params" + or + name = "EVP_KEYMGMT_is_a" + or + name = "EVP_KEYMGMT_names_do_all" + or + name = "EVP_KEYMGMT_settable_params" + or + name = "EVP_KEYMGMT_up_ref" + or + name = "EVP_MAC" + or + name = "EVP_MAC_CTX" + or + name = "EVP_MAC_CTX_dup" + or + name = "EVP_MAC_CTX_free" + or + name = "EVP_MAC_CTX_get0_mac" + or + name = "EVP_MAC_CTX_get_block_size" + or + name = "EVP_MAC_CTX_get_mac_size" + or + name = "EVP_MAC_CTX_get_params" + or + name = "EVP_MAC_CTX_gettable_params" + or + name = "EVP_MAC_CTX_new" + or + name = "EVP_MAC_CTX_set_params" + or + name = "EVP_MAC_CTX_settable_params" + or + name = "EVP_MAC_do_all_provided" + or + name = "EVP_MAC_fetch" + or + name = "EVP_MAC_final" + or + name = "EVP_MAC_finalXOF" + or + name = "EVP_MAC_free" + or + name = "EVP_MAC_get0_description" + or + name = "EVP_MAC_get0_name" + or + name = "EVP_MAC_get0_provider" + or + name = "EVP_MAC_get_params" + or + name = "EVP_MAC_gettable_ctx_params" + or + name = "EVP_MAC_gettable_params" + or + name = "EVP_MAC_init" + or + name = "EVP_MAC_is_a" + or + name = "EVP_MAC_names_do_all" + or + name = "EVP_MAC_settable_ctx_params" + or + name = "EVP_MAC_up_ref" + or + name = "EVP_MAC_update" + or + name = "EVP_MAX_MD_SIZE" + or + name = "EVP_MD_CTX_block_size" + or + name = "EVP_MD_CTX_cleanup" + or + name = "EVP_MD_CTX_clear_flags" + or + name = "EVP_MD_CTX_copy" + or + name = "EVP_MD_CTX_copy_ex" + or + name = "EVP_MD_CTX_create" + or + name = "EVP_MD_CTX_ctrl" + or + name = "EVP_MD_CTX_destroy" + or + name = "EVP_MD_CTX_dup" + or + name = "EVP_MD_CTX_free" + or + name = "EVP_MD_CTX_get0_md" + or + name = "EVP_MD_CTX_get0_md_data" + or + name = "EVP_MD_CTX_get0_name" + or + name = "EVP_MD_CTX_get1_md" + or + name = "EVP_MD_CTX_get_block_size" + or + name = "EVP_MD_CTX_get_params" + or + name = "EVP_MD_CTX_get_pkey_ctx" + or + name = "EVP_MD_CTX_get_size" + or + name = "EVP_MD_CTX_get_type" + or + name = "EVP_MD_CTX_gettable_params" + or + name = "EVP_MD_CTX_init" + or + name = "EVP_MD_CTX_md" + or + name = "EVP_MD_CTX_md_data" + or + name = "EVP_MD_CTX_new" + or + name = "EVP_MD_CTX_pkey_ctx" + or + name = "EVP_MD_CTX_reset" + or + name = "EVP_MD_CTX_set_flags" + or + name = "EVP_MD_CTX_set_params" + or + name = "EVP_MD_CTX_set_pkey_ctx" + or + name = "EVP_MD_CTX_set_update_fn" + or + name = "EVP_MD_CTX_settable_params" + or + name = "EVP_MD_CTX_size" + or + name = "EVP_MD_CTX_test_flags" + or + name = "EVP_MD_CTX_type" + or + name = "EVP_MD_CTX_update_fn" + or + name = "EVP_MD_block_size" + or + name = "EVP_MD_do_all_provided" + or + name = "EVP_MD_fetch" + or + name = "EVP_MD_flags" + or + name = "EVP_MD_free" + or + name = "EVP_MD_get0_description" + or + name = "EVP_MD_get0_name" + or + name = "EVP_MD_get0_provider" + or + name = "EVP_MD_get_block_size" + or + name = "EVP_MD_get_flags" + or + name = "EVP_MD_get_params" + or + name = "EVP_MD_get_pkey_type" + or + name = "EVP_MD_get_size" + or + name = "EVP_MD_get_type" + or + name = "EVP_MD_gettable_ctx_params" + or + name = "EVP_MD_gettable_params" + or + name = "EVP_MD_is_a" + or + name = "EVP_MD_meth_dup" + or + name = "EVP_MD_meth_free" + or + name = "EVP_MD_meth_get_app_datasize" + or + name = "EVP_MD_meth_get_cleanup" + or + name = "EVP_MD_meth_get_copy" + or + name = "EVP_MD_meth_get_ctrl" + or + name = "EVP_MD_meth_get_final" + or + name = "EVP_MD_meth_get_flags" + or + name = "EVP_MD_meth_get_init" + or + name = "EVP_MD_meth_get_input_blocksize" + or + name = "EVP_MD_meth_get_result_size" + or + name = "EVP_MD_meth_get_update" + or + name = "EVP_MD_meth_new" + or + name = "EVP_MD_meth_set_app_datasize" + or + name = "EVP_MD_meth_set_cleanup" + or + name = "EVP_MD_meth_set_copy" + or + name = "EVP_MD_meth_set_ctrl" + or + name = "EVP_MD_meth_set_final" + or + name = "EVP_MD_meth_set_flags" + or + name = "EVP_MD_meth_set_init" + or + name = "EVP_MD_meth_set_input_blocksize" + or + name = "EVP_MD_meth_set_result_size" + or + name = "EVP_MD_meth_set_update" + or + name = "EVP_MD_name" + or + name = "EVP_MD_names_do_all" + or + name = "EVP_MD_nid" + or + name = "EVP_MD_pkey_type" + or + name = "EVP_MD_settable_ctx_params" + or + name = "EVP_MD_size" + or + name = "EVP_MD_type" + or + name = "EVP_MD_up_ref" + or + name = "EVP_OpenFinal" + or + name = "EVP_OpenInit" + or + name = "EVP_OpenUpdate" + or + name = "EVP_PBE_CipherInit" + or + name = "EVP_PBE_CipherInit_ex" + or + name = "EVP_PBE_alg_add" + or + name = "EVP_PBE_alg_add_type" + or + name = "EVP_PBE_find" + or + name = "EVP_PBE_find_ex" + or + name = "EVP_PBE_scrypt" + or + name = "EVP_PBE_scrypt_ex" + or + name = "EVP_PKCS82PKEY" + or + name = "EVP_PKCS82PKEY_ex" + or + name = "EVP_PKEVP_PKEY_CTX_set_app_data" + or + name = "EVP_PKEY" + or + name = "EVP_PKEY2PKCS8" + or + name = "EVP_PKEY_ASN1_METHOD" + or + name = "EVP_PKEY_CTX_add1_hkdf_info" + or + name = "EVP_PKEY_CTX_add1_tls1_prf_seed" + or + name = "EVP_PKEY_CTX_ctrl" + or + name = "EVP_PKEY_CTX_ctrl_str" + or + name = "EVP_PKEY_CTX_ctrl_uint64" + or + name = "EVP_PKEY_CTX_dup" + or + name = "EVP_PKEY_CTX_free" + or + name = "EVP_PKEY_CTX_get0_dh_kdf_oid" + or + name = "EVP_PKEY_CTX_get0_dh_kdf_ukm" + or + name = "EVP_PKEY_CTX_get0_ecdh_kdf_ukm" + or + name = "EVP_PKEY_CTX_get0_libctx" + or + name = "EVP_PKEY_CTX_get0_peerkey" + or + name = "EVP_PKEY_CTX_get0_pkey" + or + name = "EVP_PKEY_CTX_get0_propq" + or + name = "EVP_PKEY_CTX_get0_provider" + or + name = "EVP_PKEY_CTX_get0_rsa_oaep_label" + or + name = "EVP_PKEY_CTX_get1_id" + or + name = "EVP_PKEY_CTX_get1_id_len" + or + name = "EVP_PKEY_CTX_get_app_data" + or + name = "EVP_PKEY_CTX_get_cb" + or + name = "EVP_PKEY_CTX_get_dh_kdf_md" + or + name = "EVP_PKEY_CTX_get_dh_kdf_outlen" + or + name = "EVP_PKEY_CTX_get_dh_kdf_type" + or + name = "EVP_PKEY_CTX_get_ecdh_cofactor_mode" + or + name = "EVP_PKEY_CTX_get_ecdh_kdf_md" + or + name = "EVP_PKEY_CTX_get_ecdh_kdf_outlen" + or + name = "EVP_PKEY_CTX_get_ecdh_kdf_type" + or + name = "EVP_PKEY_CTX_get_group_name" + or + name = "EVP_PKEY_CTX_get_keygen_info" + or + name = "EVP_PKEY_CTX_get_params" + or + name = "EVP_PKEY_CTX_get_rsa_mgf1_md" + or + name = "EVP_PKEY_CTX_get_rsa_mgf1_md_name" + or + name = "EVP_PKEY_CTX_get_rsa_oaep_md" + or + name = "EVP_PKEY_CTX_get_rsa_oaep_md_name" + or + name = "EVP_PKEY_CTX_get_rsa_padding" + or + name = "EVP_PKEY_CTX_get_rsa_pss_saltlen" + or + name = "EVP_PKEY_CTX_get_signature_md" + or + name = "EVP_PKEY_CTX_gettable_params" + or + name = "EVP_PKEY_CTX_hkdf_mode" + or + name = "EVP_PKEY_CTX_is_a" + or + name = "EVP_PKEY_CTX_md" + or + name = "EVP_PKEY_CTX_new" + or + name = "EVP_PKEY_CTX_new_from_name" + or + name = "EVP_PKEY_CTX_new_from_pkey" + or + name = "EVP_PKEY_CTX_new_id" + or + name = "EVP_PKEY_CTX_set0_dh_kdf_oid" + or + name = "EVP_PKEY_CTX_set0_dh_kdf_ukm" + or + name = "EVP_PKEY_CTX_set0_ecdh_kdf_ukm" + or + name = "EVP_PKEY_CTX_set0_rsa_oaep_label" + or + name = "EVP_PKEY_CTX_set1_hkdf_key" + or + name = "EVP_PKEY_CTX_set1_hkdf_salt" + or + name = "EVP_PKEY_CTX_set1_id" + or + name = "EVP_PKEY_CTX_set1_pbe_pass" + or + name = "EVP_PKEY_CTX_set1_rsa_keygen_pubexp" + or + name = "EVP_PKEY_CTX_set1_scrypt_salt" + or + name = "EVP_PKEY_CTX_set1_tls1_prf_secret" + or + name = "EVP_PKEY_CTX_set_app_data" + or + name = "EVP_PKEY_CTX_set_cb" + or + name = "EVP_PKEY_CTX_set_dh_kdf_md" + or + name = "EVP_PKEY_CTX_set_dh_kdf_outlen" + or + name = "EVP_PKEY_CTX_set_dh_kdf_type" + or + name = "EVP_PKEY_CTX_set_dh_nid" + or + name = "EVP_PKEY_CTX_set_dh_pad" + or + name = "EVP_PKEY_CTX_set_dh_paramgen_generator" + or + name = "EVP_PKEY_CTX_set_dh_paramgen_gindex" + or + name = "EVP_PKEY_CTX_set_dh_paramgen_prime_len" + or + name = "EVP_PKEY_CTX_set_dh_paramgen_seed" + or + name = "EVP_PKEY_CTX_set_dh_paramgen_subprime_len" + or + name = "EVP_PKEY_CTX_set_dh_paramgen_type" + or + name = "EVP_PKEY_CTX_set_dh_rfc5114" + or + name = "EVP_PKEY_CTX_set_dhx_rfc5114" + or + name = "EVP_PKEY_CTX_set_dsa_paramgen_bits" + or + name = "EVP_PKEY_CTX_set_dsa_paramgen_gindex" + or + name = "EVP_PKEY_CTX_set_dsa_paramgen_md" + or + name = "EVP_PKEY_CTX_set_dsa_paramgen_md_props" + or + name = "EVP_PKEY_CTX_set_dsa_paramgen_q_bits" + or + name = "EVP_PKEY_CTX_set_dsa_paramgen_seed" + or + name = "EVP_PKEY_CTX_set_dsa_paramgen_type" + or + name = "EVP_PKEY_CTX_set_ec_param_enc" + or + name = "EVP_PKEY_CTX_set_ec_paramgen_curve_nid" + or + name = "EVP_PKEY_CTX_set_ecdh_cofactor_mode" + or + name = "EVP_PKEY_CTX_set_ecdh_kdf_md" + or + name = "EVP_PKEY_CTX_set_ecdh_kdf_outlen" + or + name = "EVP_PKEY_CTX_set_ecdh_kdf_type" + or + name = "EVP_PKEY_CTX_set_group_name" + or + name = "EVP_PKEY_CTX_set_hkdf_md" + or + name = "EVP_PKEY_CTX_set_hkdf_mode" + or + name = "EVP_PKEY_CTX_set_kem_op" + or + name = "EVP_PKEY_CTX_set_mac_key" + or + name = "EVP_PKEY_CTX_set_params" + or + name = "EVP_PKEY_CTX_set_rsa_keygen_bits" + or + name = "EVP_PKEY_CTX_set_rsa_keygen_primes" + or + name = "EVP_PKEY_CTX_set_rsa_keygen_pubexp" + or + name = "EVP_PKEY_CTX_set_rsa_mgf1_md" + or + name = "EVP_PKEY_CTX_set_rsa_mgf1_md_name" + or + name = "EVP_PKEY_CTX_set_rsa_oaep_md" + or + name = "EVP_PKEY_CTX_set_rsa_oaep_md_name" + or + name = "EVP_PKEY_CTX_set_rsa_padding" + or + name = "EVP_PKEY_CTX_set_rsa_pss_keygen_md" + or + name = "EVP_PKEY_CTX_set_rsa_pss_keygen_md_name" + or + name = "EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md" + or + name = "EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md_name" + or + name = "EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen" + or + name = "EVP_PKEY_CTX_set_rsa_pss_saltlen" + or + name = "EVP_PKEY_CTX_set_rsa_rsa_keygen_bits" + or + name = "EVP_PKEY_CTX_set_scrypt_N" + or + name = "EVP_PKEY_CTX_set_scrypt_maxmem_bytes" + or + name = "EVP_PKEY_CTX_set_scrypt_p" + or + name = "EVP_PKEY_CTX_set_scrypt_r" + or + name = "EVP_PKEY_CTX_set_signature_md" + or + name = "EVP_PKEY_CTX_set_tls1_prf_md" + or + name = "EVP_PKEY_CTX_settable_params" + or + name = "EVP_PKEY_METHOD" + or + name = "EVP_PKEY_Q_keygen" + or + name = "EVP_PKEY_asn1_add0" + or + name = "EVP_PKEY_asn1_add_alias" + or + name = "EVP_PKEY_asn1_copy" + or + name = "EVP_PKEY_asn1_find" + or + name = "EVP_PKEY_asn1_find_str" + or + name = "EVP_PKEY_asn1_free" + or + name = "EVP_PKEY_asn1_get0" + or + name = "EVP_PKEY_asn1_get0_info" + or + name = "EVP_PKEY_asn1_get_count" + or + name = "EVP_PKEY_asn1_new" + or + name = "EVP_PKEY_asn1_set_check" + or + name = "EVP_PKEY_asn1_set_ctrl" + or + name = "EVP_PKEY_asn1_set_free" + or + name = "EVP_PKEY_asn1_set_get_priv_key" + or + name = "EVP_PKEY_asn1_set_get_pub_key" + or + name = "EVP_PKEY_asn1_set_item" + or + name = "EVP_PKEY_asn1_set_param" + or + name = "EVP_PKEY_asn1_set_param_check" + or + name = "EVP_PKEY_asn1_set_private" + or + name = "EVP_PKEY_asn1_set_public" + or + name = "EVP_PKEY_asn1_set_public_check" + or + name = "EVP_PKEY_asn1_set_security_bits" + or + name = "EVP_PKEY_asn1_set_set_priv_key" + or + name = "EVP_PKEY_asn1_set_set_pub_key" + or + name = "EVP_PKEY_asn1_set_siginf" + or + name = "EVP_PKEY_assign_DH" + or + name = "EVP_PKEY_assign_DSA" + or + name = "EVP_PKEY_assign_EC_KEY" + or + name = "EVP_PKEY_assign_POLY1305" + or + name = "EVP_PKEY_assign_RSA" + or + name = "EVP_PKEY_assign_SIPHASH" + or + name = "EVP_PKEY_auth_decapsulate_init" + or + name = "EVP_PKEY_auth_encapsulate_init" + or + name = "EVP_PKEY_base_id" + or + name = "EVP_PKEY_bits" + or + name = "EVP_PKEY_can_sign" + or + name = "EVP_PKEY_check" + or + name = "EVP_PKEY_cmp" + or + name = "EVP_PKEY_cmp_parameters" + or + name = "EVP_PKEY_copy_parameters" + or + name = "EVP_PKEY_decapsulate" + or + name = "EVP_PKEY_decapsulate_init" + or + name = "EVP_PKEY_decrypt" + or + name = "EVP_PKEY_decrypt_init" + or + name = "EVP_PKEY_decrypt_init_ex" + or + name = "EVP_PKEY_derive" + or + name = "EVP_PKEY_derive_init" + or + name = "EVP_PKEY_derive_init_ex" + or + name = "EVP_PKEY_derive_set_peer" + or + name = "EVP_PKEY_derive_set_peer_ex" + or + name = "EVP_PKEY_digestsign_supports_digest" + or + name = "EVP_PKEY_dup" + or + name = "EVP_PKEY_encapsulate" + or + name = "EVP_PKEY_encapsulate_init" + or + name = "EVP_PKEY_encrypt" + or + name = "EVP_PKEY_encrypt_init" + or + name = "EVP_PKEY_encrypt_init_ex" + or + name = "EVP_PKEY_eq" + or + name = "EVP_PKEY_export" + or + name = "EVP_PKEY_free" + or + name = "EVP_PKEY_fromdata" + or + name = "EVP_PKEY_fromdata_init" + or + name = "EVP_PKEY_fromdata_settable" + or + name = "EVP_PKEY_gen_cb" + or + name = "EVP_PKEY_generate" + or + name = "EVP_PKEY_get0" + or + name = "EVP_PKEY_get0_DH" + or + name = "EVP_PKEY_get0_DSA" + or + name = "EVP_PKEY_get0_EC_KEY" + or + name = "EVP_PKEY_get0_RSA" + or + name = "EVP_PKEY_get0_asn1" + or + name = "EVP_PKEY_get0_description" + or + name = "EVP_PKEY_get0_engine" + or + name = "EVP_PKEY_get0_hmac" + or + name = "EVP_PKEY_get0_poly1305" + or + name = "EVP_PKEY_get0_provider" + or + name = "EVP_PKEY_get0_siphash" + or + name = "EVP_PKEY_get0_type_name" + or + name = "EVP_PKEY_get1_DH" + or + name = "EVP_PKEY_get1_DSA" + or + name = "EVP_PKEY_get1_EC_KEY" + or + name = "EVP_PKEY_get1_RSA" + or + name = "EVP_PKEY_get1_encoded_public_key" + or + name = "EVP_PKEY_get1_tls_encodedpoint" + or + name = "EVP_PKEY_get_base_id" + or + name = "EVP_PKEY_get_bits" + or + name = "EVP_PKEY_get_bn_param" + or + name = "EVP_PKEY_get_default_digest" + or + name = "EVP_PKEY_get_default_digest_name" + or + name = "EVP_PKEY_get_default_digest_nid" + or + name = "EVP_PKEY_get_ec_point_conv_form" + or + name = "EVP_PKEY_get_ex_data" + or + name = "EVP_PKEY_get_ex_new_index" + or + name = "EVP_PKEY_get_field_type" + or + name = "EVP_PKEY_get_group_name" + or + name = "EVP_PKEY_get_id" + or + name = "EVP_PKEY_get_int_param" + or + name = "EVP_PKEY_get_octet_string_param" + or + name = "EVP_PKEY_get_params" + or + name = "EVP_PKEY_get_raw_private_key" + or + name = "EVP_PKEY_get_raw_public_key" + or + name = "EVP_PKEY_get_security_bits" + or + name = "EVP_PKEY_get_size" + or + name = "EVP_PKEY_get_size_t_param" + or + name = "EVP_PKEY_get_utf8_string_param" + or + name = "EVP_PKEY_gettable_params" + or + name = "EVP_PKEY_id" + or + name = "EVP_PKEY_is_a" + or + name = "EVP_PKEY_keygen" + or + name = "EVP_PKEY_keygen_init" + or + name = "EVP_PKEY_meth_add0" + or + name = "EVP_PKEY_meth_copy" + or + name = "EVP_PKEY_meth_find" + or + name = "EVP_PKEY_meth_free" + or + name = "EVP_PKEY_meth_get0" + or + name = "EVP_PKEY_meth_get0_info" + or + name = "EVP_PKEY_meth_get_check" + or + name = "EVP_PKEY_meth_get_cleanup" + or + name = "EVP_PKEY_meth_get_copy" + or + name = "EVP_PKEY_meth_get_count" + or + name = "EVP_PKEY_meth_get_ctrl" + or + name = "EVP_PKEY_meth_get_decrypt" + or + name = "EVP_PKEY_meth_get_derive" + or + name = "EVP_PKEY_meth_get_digest_custom" + or + name = "EVP_PKEY_meth_get_digestsign" + or + name = "EVP_PKEY_meth_get_digestverify" + or + name = "EVP_PKEY_meth_get_encrypt" + or + name = "EVP_PKEY_meth_get_init" + or + name = "EVP_PKEY_meth_get_keygen" + or + name = "EVP_PKEY_meth_get_param_check" + or + name = "EVP_PKEY_meth_get_paramgen" + or + name = "EVP_PKEY_meth_get_public_check" + or + name = "EVP_PKEY_meth_get_sign" + or + name = "EVP_PKEY_meth_get_signctx" + or + name = "EVP_PKEY_meth_get_verify" + or + name = "EVP_PKEY_meth_get_verify_recover" + or + name = "EVP_PKEY_meth_get_verifyctx" + or + name = "EVP_PKEY_meth_new" + or + name = "EVP_PKEY_meth_remove" + or + name = "EVP_PKEY_meth_set_check" + or + name = "EVP_PKEY_meth_set_cleanup" + or + name = "EVP_PKEY_meth_set_copy" + or + name = "EVP_PKEY_meth_set_ctrl" + or + name = "EVP_PKEY_meth_set_decrypt" + or + name = "EVP_PKEY_meth_set_derive" + or + name = "EVP_PKEY_meth_set_digest_custom" + or + name = "EVP_PKEY_meth_set_digestsign" + or + name = "EVP_PKEY_meth_set_digestverify" + or + name = "EVP_PKEY_meth_set_encrypt" + or + name = "EVP_PKEY_meth_set_init" + or + name = "EVP_PKEY_meth_set_keygen" + or + name = "EVP_PKEY_meth_set_param_check" + or + name = "EVP_PKEY_meth_set_paramgen" + or + name = "EVP_PKEY_meth_set_public_check" + or + name = "EVP_PKEY_meth_set_sign" + or + name = "EVP_PKEY_meth_set_signctx" + or + name = "EVP_PKEY_meth_set_verify" + or + name = "EVP_PKEY_meth_set_verify_recover" + or + name = "EVP_PKEY_meth_set_verifyctx" + or + name = "EVP_PKEY_missing_parameters" + or + name = "EVP_PKEY_new" + or + name = "EVP_PKEY_new_CMAC_key" + or + name = "EVP_PKEY_new_mac_key" + or + name = "EVP_PKEY_new_raw_private_key" + or + name = "EVP_PKEY_new_raw_private_key_ex" + or + name = "EVP_PKEY_new_raw_public_key" + or + name = "EVP_PKEY_new_raw_public_key_ex" + or + name = "EVP_PKEY_pairwise_check" + or + name = "EVP_PKEY_param_check" + or + name = "EVP_PKEY_param_check_quick" + or + name = "EVP_PKEY_parameters_eq" + or + name = "EVP_PKEY_paramgen" + or + name = "EVP_PKEY_paramgen_init" + or + name = "EVP_PKEY_print_params" + or + name = "EVP_PKEY_print_params_fp" + or + name = "EVP_PKEY_print_private" + or + name = "EVP_PKEY_print_private_fp" + or + name = "EVP_PKEY_print_public" + or + name = "EVP_PKEY_print_public_fp" + or + name = "EVP_PKEY_private_check" + or + name = "EVP_PKEY_public_check" + or + name = "EVP_PKEY_public_check_quick" + or + name = "EVP_PKEY_security_bits" + or + name = "EVP_PKEY_set1_DH" + or + name = "EVP_PKEY_set1_DSA" + or + name = "EVP_PKEY_set1_EC_KEY" + or + name = "EVP_PKEY_set1_RSA" + or + name = "EVP_PKEY_set1_encoded_public_key" + or + name = "EVP_PKEY_set1_engine" + or + name = "EVP_PKEY_set1_tls_encodedpoint" + or + name = "EVP_PKEY_set_alias_type" + or + name = "EVP_PKEY_set_bn_param" + or + name = "EVP_PKEY_set_ex_data" + or + name = "EVP_PKEY_set_int_param" + or + name = "EVP_PKEY_set_octet_string_param" + or + name = "EVP_PKEY_set_params" + or + name = "EVP_PKEY_set_size_t_param" + or + name = "EVP_PKEY_set_type" + or + name = "EVP_PKEY_set_type_by_keymgmt" + or + name = "EVP_PKEY_set_type_str" + or + name = "EVP_PKEY_set_utf8_string_param" + or + name = "EVP_PKEY_settable_params" + or + name = "EVP_PKEY_sign" + or + name = "EVP_PKEY_sign_init" + or + name = "EVP_PKEY_sign_init_ex" + or + name = "EVP_PKEY_size" + or + name = "EVP_PKEY_todata" + or + name = "EVP_PKEY_type" + or + name = "EVP_PKEY_type_names_do_all" + or + name = "EVP_PKEY_up_ref" + or + name = "EVP_PKEY_verify" + or + name = "EVP_PKEY_verify_init" + or + name = "EVP_PKEY_verify_init_ex" + or + name = "EVP_PKEY_verify_recover" + or + name = "EVP_PKEY_verify_recover_init" + or + name = "EVP_PKEY_verify_recover_init_ex" + or + name = "EVP_Q_digest" + or + name = "EVP_Q_mac" + or + name = "EVP_RAND" + or + name = "EVP_RAND_CTX" + or + name = "EVP_RAND_CTX_free" + or + name = "EVP_RAND_CTX_get0_rand" + or + name = "EVP_RAND_CTX_get_params" + or + name = "EVP_RAND_CTX_gettable_params" + or + name = "EVP_RAND_CTX_new" + or + name = "EVP_RAND_CTX_set_params" + or + name = "EVP_RAND_CTX_settable_params" + or + name = "EVP_RAND_CTX_up_ref" + or + name = "EVP_RAND_STATE_ERROR" + or + name = "EVP_RAND_STATE_READY" + or + name = "EVP_RAND_STATE_UNINITIALISED" + or + name = "EVP_RAND_do_all_provided" + or + name = "EVP_RAND_enable_locking" + or + name = "EVP_RAND_fetch" + or + name = "EVP_RAND_free" + or + name = "EVP_RAND_generate" + or + name = "EVP_RAND_get0_description" + or + name = "EVP_RAND_get0_name" + or + name = "EVP_RAND_get0_provider" + or + name = "EVP_RAND_get_params" + or + name = "EVP_RAND_get_state" + or + name = "EVP_RAND_get_strength" + or + name = "EVP_RAND_gettable_ctx_params" + or + name = "EVP_RAND_gettable_params" + or + name = "EVP_RAND_instantiate" + or + name = "EVP_RAND_is_a" + or + name = "EVP_RAND_names_do_all" + or + name = "EVP_RAND_nonce" + or + name = "EVP_RAND_reseed" + or + name = "EVP_RAND_settable_ctx_params" + or + name = "EVP_RAND_uninstantiate" + or + name = "EVP_RAND_up_ref" + or + name = "EVP_RAND_verify_zeroization" + or + name = "EVP_RSA_gen" + or + name = "EVP_SIGNATURE" + or + name = "EVP_SIGNATURE_do_all_provided" + or + name = "EVP_SIGNATURE_fetch" + or + name = "EVP_SIGNATURE_free" + or + name = "EVP_SIGNATURE_get0_description" + or + name = "EVP_SIGNATURE_get0_name" + or + name = "EVP_SIGNATURE_get0_provider" + or + name = "EVP_SIGNATURE_gettable_ctx_params" + or + name = "EVP_SIGNATURE_is_a" + or + name = "EVP_SIGNATURE_names_do_all" + or + name = "EVP_SIGNATURE_settable_ctx_params" + or + name = "EVP_SIGNATURE_up_ref" + or + name = "EVP_SealFinal" + or + name = "EVP_SealInit" + or + name = "EVP_SealUpdate" + or + name = "EVP_SignFinal" + or + name = "EVP_SignFinal_ex" + or + name = "EVP_SignInit" + or + name = "EVP_SignInit_ex" + or + name = "EVP_SignUpdate" + or + name = "EVP_VerifyFinal" + or + name = "EVP_VerifyFinal_ex" + or + name = "EVP_VerifyInit" + or + name = "EVP_VerifyInit_ex" + or + name = "EVP_VerifyUpdate" + or + name = "EVP_aes" + or + name = "EVP_aes_128_cbc" + or + name = "EVP_aes_128_cbc_hmac_sha1" + or + name = "EVP_aes_128_cbc_hmac_sha256" + or + name = "EVP_aes_128_ccm" + or + name = "EVP_aes_128_cfb" + or + name = "EVP_aes_128_cfb1" + or + name = "EVP_aes_128_cfb128" + or + name = "EVP_aes_128_cfb8" + or + name = "EVP_aes_128_ctr" + or + name = "EVP_aes_128_ecb" + or + name = "EVP_aes_128_gcm" + or + name = "EVP_aes_128_ocb" + or + name = "EVP_aes_128_ofb" + or + name = "EVP_aes_128_wrap" + or + name = "EVP_aes_128_wrap_pad" + or + name = "EVP_aes_128_xts" + or + name = "EVP_aes_192_cbc" + or + name = "EVP_aes_192_ccm" + or + name = "EVP_aes_192_cfb" + or + name = "EVP_aes_192_cfb1" + or + name = "EVP_aes_192_cfb128" + or + name = "EVP_aes_192_cfb8" + or + name = "EVP_aes_192_ctr" + or + name = "EVP_aes_192_ecb" + or + name = "EVP_aes_192_gcm" + or + name = "EVP_aes_192_ocb" + or + name = "EVP_aes_192_ofb" + or + name = "EVP_aes_192_wrap" + or + name = "EVP_aes_192_wrap_pad" + or + name = "EVP_aes_256_cbc" + or + name = "EVP_aes_256_cbc_hmac_sha1" + or + name = "EVP_aes_256_cbc_hmac_sha256" + or + name = "EVP_aes_256_ccm" + or + name = "EVP_aes_256_cfb" + or + name = "EVP_aes_256_cfb1" + or + name = "EVP_aes_256_cfb128" + or + name = "EVP_aes_256_cfb8" + or + name = "EVP_aes_256_ctr" + or + name = "EVP_aes_256_ecb" + or + name = "EVP_aes_256_gcm" + or + name = "EVP_aes_256_ocb" + or + name = "EVP_aes_256_ofb" + or + name = "EVP_aes_256_wrap" + or + name = "EVP_aes_256_wrap_pad" + or + name = "EVP_aes_256_xts" + or + name = "EVP_aria" + or + name = "EVP_aria_128_cbc" + or + name = "EVP_aria_128_ccm" + or + name = "EVP_aria_128_cfb" + or + name = "EVP_aria_128_cfb1" + or + name = "EVP_aria_128_cfb128" + or + name = "EVP_aria_128_cfb8" + or + name = "EVP_aria_128_ctr" + or + name = "EVP_aria_128_ecb" + or + name = "EVP_aria_128_gcm" + or + name = "EVP_aria_128_ofb" + or + name = "EVP_aria_192_cbc" + or + name = "EVP_aria_192_ccm" + or + name = "EVP_aria_192_cfb" + or + name = "EVP_aria_192_cfb1" + or + name = "EVP_aria_192_cfb128" + or + name = "EVP_aria_192_cfb8" + or + name = "EVP_aria_192_ctr" + or + name = "EVP_aria_192_ecb" + or + name = "EVP_aria_192_gcm" + or + name = "EVP_aria_192_ofb" + or + name = "EVP_aria_256_cbc" + or + name = "EVP_aria_256_ccm" + or + name = "EVP_aria_256_cfb" + or + name = "EVP_aria_256_cfb1" + or + name = "EVP_aria_256_cfb128" + or + name = "EVP_aria_256_cfb8" + or + name = "EVP_aria_256_ctr" + or + name = "EVP_aria_256_ecb" + or + name = "EVP_aria_256_gcm" + or + name = "EVP_aria_256_ofb" + or + name = "EVP_bf_cbc" + or + name = "EVP_bf_cfb" + or + name = "EVP_bf_cfb64" + or + name = "EVP_bf_ecb" + or + name = "EVP_bf_ofb" + or + name = "EVP_blake2b512" + or + name = "EVP_blake2s256" + or + name = "EVP_camellia" + or + name = "EVP_camellia_128_cbc" + or + name = "EVP_camellia_128_cfb" + or + name = "EVP_camellia_128_cfb1" + or + name = "EVP_camellia_128_cfb128" + or + name = "EVP_camellia_128_cfb8" + or + name = "EVP_camellia_128_ctr" + or + name = "EVP_camellia_128_ecb" + or + name = "EVP_camellia_128_ofb" + or + name = "EVP_camellia_192_cbc" + or + name = "EVP_camellia_192_cfb" + or + name = "EVP_camellia_192_cfb1" + or + name = "EVP_camellia_192_cfb128" + or + name = "EVP_camellia_192_cfb8" + or + name = "EVP_camellia_192_ctr" + or + name = "EVP_camellia_192_ecb" + or + name = "EVP_camellia_192_ofb" + or + name = "EVP_camellia_256_cbc" + or + name = "EVP_camellia_256_cfb" + or + name = "EVP_camellia_256_cfb1" + or + name = "EVP_camellia_256_cfb128" + or + name = "EVP_camellia_256_cfb8" + or + name = "EVP_camellia_256_ctr" + or + name = "EVP_camellia_256_ecb" + or + name = "EVP_camellia_256_ofb" + or + name = "EVP_cast5_cbc" + or + name = "EVP_cast5_cfb" + or + name = "EVP_cast5_cfb64" + or + name = "EVP_cast5_ecb" + or + name = "EVP_cast5_ofb" + or + name = "EVP_chacha20" + or + name = "EVP_chacha20_poly1305" + or + name = "EVP_cleanup" + or + name = "EVP_default_properties_enable_fips" + or + name = "EVP_default_properties_is_fips_enabled" + or + name = "EVP_des" + or + name = "EVP_des_cbc" + or + name = "EVP_des_cfb" + or + name = "EVP_des_cfb1" + or + name = "EVP_des_cfb64" + or + name = "EVP_des_cfb8" + or + name = "EVP_des_ecb" + or + name = "EVP_des_ede" + or + name = "EVP_des_ede3" + or + name = "EVP_des_ede3_cbc" + or + name = "EVP_des_ede3_cfb" + or + name = "EVP_des_ede3_cfb1" + or + name = "EVP_des_ede3_cfb64" + or + name = "EVP_des_ede3_cfb8" + or + name = "EVP_des_ede3_ecb" + or + name = "EVP_des_ede3_ofb" + or + name = "EVP_des_ede3_wrap" + or + name = "EVP_des_ede_cbc" + or + name = "EVP_des_ede_cfb" + or + name = "EVP_des_ede_cfb64" + or + name = "EVP_des_ede_ecb" + or + name = "EVP_des_ede_ofb" + or + name = "EVP_des_ofb" + or + name = "EVP_desx_cbc" + or + name = "EVP_dss" + or + name = "EVP_dss1" + or + name = "EVP_enc_null" + or + name = "EVP_get_cipherbyname" + or + name = "EVP_get_cipherbynid" + or + name = "EVP_get_cipherbyobj" + or + name = "EVP_get_digestbyname" + or + name = "EVP_get_digestbynid" + or + name = "EVP_get_digestbyobj" + or + name = "EVP_idea_cbc" + or + name = "EVP_idea_cfb" + or + name = "EVP_idea_cfb64" + or + name = "EVP_idea_ecb" + or + name = "EVP_idea_ofb" + or + name = "EVP_md2" + or + name = "EVP_md4" + or + name = "EVP_md5" + or + name = "EVP_md5_sha1" + or + name = "EVP_md_null" + or + name = "EVP_mdc2" + or + name = "EVP_rc2_40_cbc" + or + name = "EVP_rc2_64_cbc" + or + name = "EVP_rc2_cbc" + or + name = "EVP_rc2_cfb" + or + name = "EVP_rc2_cfb64" + or + name = "EVP_rc2_ecb" + or + name = "EVP_rc2_ofb" + or + name = "EVP_rc4" + or + name = "EVP_rc4_40" + or + name = "EVP_rc4_hmac_md5" + or + name = "EVP_rc5_32_12_16_cbc" + or + name = "EVP_rc5_32_12_16_cfb" + or + name = "EVP_rc5_32_12_16_cfb64" + or + name = "EVP_rc5_32_12_16_ecb" + or + name = "EVP_rc5_32_12_16_ofb" + or + name = "EVP_ripemd160" + or + name = "EVP_seed_cbc" + or + name = "EVP_seed_cfb" + or + name = "EVP_seed_cfb128" + or + name = "EVP_seed_ecb" + or + name = "EVP_seed_ofb" + or + name = "EVP_set_default_properties" + or + name = "EVP_sha" + or + name = "EVP_sha1" + or + name = "EVP_sha224" + or + name = "EVP_sha256" + or + name = "EVP_sha384" + or + name = "EVP_sha3_224" + or + name = "EVP_sha3_256" + or + name = "EVP_sha3_384" + or + name = "EVP_sha3_512" + or + name = "EVP_sha512" + or + name = "EVP_sha512_224" + or + name = "EVP_sha512_256" + or + name = "EVP_shake128" + or + name = "EVP_shake256" + or + name = "EVP_sm3" + or + name = "EVP_sm4_cbc" + or + name = "EVP_sm4_cfb" + or + name = "EVP_sm4_cfb128" + or + name = "EVP_sm4_ctr" + or + name = "EVP_sm4_ecb" + or + name = "EVP_sm4_ofb" + or + name = "EVP_whirlpool" + or + name = "EXTENDED_KEY_USAGE_free" + or + name = "EXTENDED_KEY_USAGE_new" + or + name = "EXT_UTF8STRING" + or + name = "GENERAL_NAMES_free" + or + name = "GENERAL_NAMES_new" + or + name = "GENERAL_NAME_dup" + or + name = "GENERAL_NAME_free" + or + name = "GENERAL_NAME_new" + or + name = "GENERAL_SUBTREE_free" + or + name = "GENERAL_SUBTREE_new" + or + name = "GEN_SESSION_CB" + or + name = "HMAC" + or + name = "HMAC_CTX_cleanup" + or + name = "HMAC_CTX_copy" + or + name = "HMAC_CTX_free" + or + name = "HMAC_CTX_get_md" + or + name = "HMAC_CTX_init" + or + name = "HMAC_CTX_new" + or + name = "HMAC_CTX_reset" + or + name = "HMAC_CTX_set_flags" + or + name = "HMAC_Final" + or + name = "HMAC_Init" + or + name = "HMAC_Init_ex" + or + name = "HMAC_Update" + or + name = "HMAC_cleanup" + or + name = "HMAC_size" + or + name = "IMPLEMENT_ASN1_FUNCTIONS" + or + name = "IMPLEMENT_EXTERN_ASN1" + or + name = "IMPLEMENT_LHASH_COMP_FN" + or + name = "IMPLEMENT_LHASH_HASH_FN" + or + name = "IPAddressChoice_free" + or + name = "IPAddressChoice_new" + or + name = "IPAddressFamily_free" + or + name = "IPAddressFamily_new" + or + name = "IPAddressOrRange_free" + or + name = "IPAddressOrRange_new" + or + name = "IPAddressRange_free" + or + name = "IPAddressRange_new" + or + name = "ISSUER_SIGN_TOOL_free" + or + name = "ISSUER_SIGN_TOOL_it" + or + name = "ISSUER_SIGN_TOOL_new" + or + name = "ISSUING_DIST_POINT_free" + or + name = "ISSUING_DIST_POINT_it" + or + name = "ISSUING_DIST_POINT_new" + or + name = "LHASH" + or + name = "LHASH_DOALL_ARG_FN_TYPE" + or + name = "LHASH_OF" + or + name = "MD2" + or + name = "MD2_Final" + or + name = "MD2_Init" + or + name = "MD2_Update" + or + name = "MD4" + or + name = "MD4_Final" + or + name = "MD4_Init" + or + name = "MD4_Update" + or + name = "MD5" + or + name = "MD5_Final" + or + name = "MD5_Init" + or + name = "MD5_Update" + or + name = "MDC2" + or + name = "MDC2_Final" + or + name = "MDC2_Init" + or + name = "MDC2_Update" + or + name = "NAME_CONSTRAINTS_free" + or + name = "NAME_CONSTRAINTS_new" + or + name = "NAMING_AUTHORITY" + or + name = "NAMING_AUTHORITY_free" + or + name = "NAMING_AUTHORITY_get0_authorityId" + or + name = "NAMING_AUTHORITY_get0_authorityText" + or + name = "NAMING_AUTHORITY_get0_authorityURL" + or + name = "NAMING_AUTHORITY_new" + or + name = "NAMING_AUTHORITY_set0_authorityId" + or + name = "NAMING_AUTHORITY_set0_authorityText" + or + name = "NAMING_AUTHORITY_set0_authorityURL" + or + name = "NCONF_default" + or + name = "NCONF_free" + or + name = "NCONF_get0_libctx" + or + name = "NCONF_get_section" + or + name = "NCONF_get_section_names" + or + name = "NCONF_load" + or + name = "NCONF_new" + or + name = "NCONF_new_ex" + or + name = "NETSCAPE_CERT_SEQUENCE_free" + or + name = "NETSCAPE_CERT_SEQUENCE_new" + or + name = "NETSCAPE_SPKAC_free" + or + name = "NETSCAPE_SPKAC_new" + or + name = "NETSCAPE_SPKI_free" + or + name = "NETSCAPE_SPKI_new" + or + name = "NOTICEREF_free" + or + name = "NOTICEREF_new" + or + name = "OBJ_add_sigid" + or + name = "OBJ_cleanup" + or + name = "OBJ_cmp" + or + name = "OBJ_create" + or + name = "OBJ_dup" + or + name = "OBJ_get0_data" + or + name = "OBJ_length" + or + name = "OBJ_ln2nid" + or + name = "OBJ_nid2ln" + or + name = "OBJ_nid2obj" + or + name = "OBJ_nid2sn" + or + name = "OBJ_obj2nid" + or + name = "OBJ_obj2txt" + or + name = "OBJ_sn2nid" + or + name = "OBJ_txt2nid" + or + name = "OBJ_txt2obj" + or + name = "OCSP_BASICRESP_free" + or + name = "OCSP_BASICRESP_new" + or + name = "OCSP_CERTID_dup" + or + name = "OCSP_CERTID_free" + or + name = "OCSP_CERTID_new" + or + name = "OCSP_CERTSTATUS_free" + or + name = "OCSP_CERTSTATUS_new" + or + name = "OCSP_CRLID_free" + or + name = "OCSP_CRLID_new" + or + name = "OCSP_ONEREQ_free" + or + name = "OCSP_ONEREQ_new" + or + name = "OCSP_REQINFO_free" + or + name = "OCSP_REQINFO_new" + or + name = "OCSP_REQUEST_free" + or + name = "OCSP_REQUEST_new" + or + name = "OCSP_REQ_CTX" + or + name = "OCSP_REQ_CTX_add1_header" + or + name = "OCSP_REQ_CTX_free" + or + name = "OCSP_REQ_CTX_i2d" + or + name = "OCSP_REQ_CTX_set1_req" + or + name = "OCSP_RESPBYTES_free" + or + name = "OCSP_RESPBYTES_new" + or + name = "OCSP_RESPDATA_free" + or + name = "OCSP_RESPDATA_new" + or + name = "OCSP_RESPID_free" + or + name = "OCSP_RESPID_match" + or + name = "OCSP_RESPID_match_ex" + or + name = "OCSP_RESPID_new" + or + name = "OCSP_RESPID_set_by_key" + or + name = "OCSP_RESPID_set_by_key_ex" + or + name = "OCSP_RESPID_set_by_name" + or + name = "OCSP_RESPONSE_free" + or + name = "OCSP_RESPONSE_new" + or + name = "OCSP_REVOKEDINFO_free" + or + name = "OCSP_REVOKEDINFO_new" + or + name = "OCSP_SERVICELOC_free" + or + name = "OCSP_SERVICELOC_new" + or + name = "OCSP_SIGNATURE_free" + or + name = "OCSP_SIGNATURE_new" + or + name = "OCSP_SINGLERESP_free" + or + name = "OCSP_SINGLERESP_new" + or + name = "OCSP_basic_add1_nonce" + or + name = "OCSP_basic_sign" + or + name = "OCSP_basic_sign_ctx" + or + name = "OCSP_basic_verify" + or + name = "OCSP_cert_id_new" + or + name = "OCSP_cert_to_id" + or + name = "OCSP_check_nonce" + or + name = "OCSP_check_validity" + or + name = "OCSP_copy_nonce" + or + name = "OCSP_id_cmp" + or + name = "OCSP_id_get0_info" + or + name = "OCSP_id_issuer_cmp" + or + name = "OCSP_parse_url" + or + name = "OCSP_request_add0_id" + or + name = "OCSP_request_add1_cert" + or + name = "OCSP_request_add1_nonce" + or + name = "OCSP_request_onereq_count" + or + name = "OCSP_request_onereq_get0" + or + name = "OCSP_request_sign" + or + name = "OCSP_resp_count" + or + name = "OCSP_resp_find" + or + name = "OCSP_resp_find_status" + or + name = "OCSP_resp_get0" + or + name = "OCSP_resp_get0_certs" + or + name = "OCSP_resp_get0_id" + or + name = "OCSP_resp_get0_produced_at" + or + name = "OCSP_resp_get0_respdata" + or + name = "OCSP_resp_get0_signature" + or + name = "OCSP_resp_get0_signer" + or + name = "OCSP_resp_get0_tbs_sigalg" + or + name = "OCSP_resp_get1_id" + or + name = "OCSP_response_create" + or + name = "OCSP_response_get1_basic" + or + name = "OCSP_response_status" + or + name = "OCSP_sendreq_bio" + or + name = "OCSP_sendreq_nbio" + or + name = "OCSP_sendreq_new" + or + name = "OCSP_set_max_response_length" + or + name = "OCSP_single_get0_status" + or + name = "OPENSSL_Applink" + or + name = "OPENSSL_FILE" + or + name = "OPENSSL_FUNC" + or + name = "OPENSSL_INIT_free" + or + name = "OPENSSL_INIT_new" + or + name = "OPENSSL_INIT_set_config_appname" + or + name = "OPENSSL_INIT_set_config_file_flags" + or + name = "OPENSSL_INIT_set_config_filename" + or + name = "OPENSSL_LH_COMPFUNC" + or + name = "OPENSSL_LH_DOALL_FUNC" + or + name = "OPENSSL_LH_HASHFUNC" + or + name = "OPENSSL_LH_delete" + or + name = "OPENSSL_LH_doall" + or + name = "OPENSSL_LH_doall_arg" + or + name = "OPENSSL_LH_error" + or + name = "OPENSSL_LH_flush" + or + name = "OPENSSL_LH_free" + or + name = "OPENSSL_LH_insert" + or + name = "OPENSSL_LH_new" + or + name = "OPENSSL_LH_node_stats" + or + name = "OPENSSL_LH_node_stats_bio" + or + name = "OPENSSL_LH_node_usage_stats" + or + name = "OPENSSL_LH_node_usage_stats_bio" + or + name = "OPENSSL_LH_retrieve" + or + name = "OPENSSL_LH_stats" + or + name = "OPENSSL_LH_stats_bio" + or + name = "OPENSSL_LINE" + or + name = "OPENSSL_MALLOC_FAILURES" + or + name = "OPENSSL_MALLOC_FD" + or + name = "OPENSSL_MSTR" + or + name = "OPENSSL_MSTR_HELPER" + or + name = "OPENSSL_VERSION_BUILD_METADATA" + or + name = "OPENSSL_VERSION_MAJOR" + or + name = "OPENSSL_VERSION_MINOR" + or + name = "OPENSSL_VERSION_NUMBER" + or + name = "OPENSSL_VERSION_PATCH" + or + name = "OPENSSL_VERSION_PREREQ" + or + name = "OPENSSL_VERSION_PRE_RELEASE" + or + name = "OPENSSL_VERSION_TEXT" + or + name = "OPENSSL_atexit" + or + name = "OPENSSL_buf2hexstr" + or + name = "OPENSSL_buf2hexstr_ex" + or + name = "OPENSSL_cipher_name" + or + name = "OPENSSL_cleanse" + or + name = "OPENSSL_cleanup" + or + name = "OPENSSL_clear_free" + or + name = "OPENSSL_clear_realloc" + or + name = "OPENSSL_config" + or + name = "OPENSSL_fork_child" + or + name = "OPENSSL_fork_parent" + or + name = "OPENSSL_fork_prepare" + or + name = "OPENSSL_free" + or + name = "OPENSSL_gmtime" + or + name = "OPENSSL_gmtime_adj" + or + name = "OPENSSL_gmtime_diff" + or + name = "OPENSSL_hexchar2int" + or + name = "OPENSSL_hexstr2buf" + or + name = "OPENSSL_hexstr2buf_ex" + or + name = "OPENSSL_ia32cap" + or + name = "OPENSSL_ia32cap_loc" + or + name = "OPENSSL_info" + or + name = "OPENSSL_init_crypto" + or + name = "OPENSSL_init_ssl" + or + name = "OPENSSL_instrument_bus" + or + name = "OPENSSL_instrument_bus2" + or + name = "OPENSSL_load_builtin_modules" + or + name = "OPENSSL_malloc" + or + name = "OPENSSL_malloc_init" + or + name = "OPENSSL_mem_debug_pop" + or + name = "OPENSSL_mem_debug_push" + or + name = "OPENSSL_memdup" + or + name = "OPENSSL_no_config" + or + name = "OPENSSL_realloc" + or + name = "OPENSSL_s390xcap" + or + name = "OPENSSL_secure_actual_size" + or + name = "OPENSSL_secure_clear_free" + or + name = "OPENSSL_secure_free" + or + name = "OPENSSL_secure_malloc" + or + name = "OPENSSL_secure_zalloc" + or + name = "OPENSSL_sk_deep_copy" + or + name = "OPENSSL_sk_delete" + or + name = "OPENSSL_sk_delete_ptr" + or + name = "OPENSSL_sk_dup" + or + name = "OPENSSL_sk_find" + or + name = "OPENSSL_sk_find_all" + or + name = "OPENSSL_sk_find_ex" + or + name = "OPENSSL_sk_free" + or + name = "OPENSSL_sk_insert" + or + name = "OPENSSL_sk_is_sorted" + or + name = "OPENSSL_sk_new" + or + name = "OPENSSL_sk_new_null" + or + name = "OPENSSL_sk_new_reserve" + or + name = "OPENSSL_sk_num" + or + name = "OPENSSL_sk_pop" + or + name = "OPENSSL_sk_pop_free" + or + name = "OPENSSL_sk_push" + or + name = "OPENSSL_sk_reserve" + or + name = "OPENSSL_sk_set" + or + name = "OPENSSL_sk_set_cmp_func" + or + name = "OPENSSL_sk_shift" + or + name = "OPENSSL_sk_sort" + or + name = "OPENSSL_sk_unshift" + or + name = "OPENSSL_sk_value" + or + name = "OPENSSL_sk_zero" + or + name = "OPENSSL_strcasecmp" + or + name = "OPENSSL_strdup" + or + name = "OPENSSL_strlcat" + or + name = "OPENSSL_strlcpy" + or + name = "OPENSSL_strncasecmp" + or + name = "OPENSSL_strndup" + or + name = "OPENSSL_thread_stop" + or + name = "OPENSSL_thread_stop_ex" + or + name = "OPENSSL_version_build_metadata" + or + name = "OPENSSL_version_major" + or + name = "OPENSSL_version_minor" + or + name = "OPENSSL_version_patch" + or + name = "OPENSSL_version_pre_release" + or + name = "OPENSSL_zalloc" + or + name = "OSSL_ALGORITHM" + or + name = "OSSL_CALLBACK" + or + name = "OSSL_CMP_CR" + or + name = "OSSL_CMP_CTX_build_cert_chain" + or + name = "OSSL_CMP_CTX_free" + or + name = "OSSL_CMP_CTX_get0_libctx" + or + name = "OSSL_CMP_CTX_get0_newCert" + or + name = "OSSL_CMP_CTX_get0_newPkey" + or + name = "OSSL_CMP_CTX_get0_propq" + or + name = "OSSL_CMP_CTX_get0_statusString" + or + name = "OSSL_CMP_CTX_get0_trusted" + or + name = "OSSL_CMP_CTX_get0_trustedStore" + or + name = "OSSL_CMP_CTX_get0_untrusted" + or + name = "OSSL_CMP_CTX_get0_validatedSrvCert" + or + name = "OSSL_CMP_CTX_get1_caPubs" + or + name = "OSSL_CMP_CTX_get1_extraCertsIn" + or + name = "OSSL_CMP_CTX_get1_newChain" + or + name = "OSSL_CMP_CTX_get_certConf_cb_arg" + or + name = "OSSL_CMP_CTX_get_failInfoCode" + or + name = "OSSL_CMP_CTX_get_http_cb_arg" + or + name = "OSSL_CMP_CTX_get_option" + or + name = "OSSL_CMP_CTX_get_status" + or + name = "OSSL_CMP_CTX_get_transfer_cb_arg" + or + name = "OSSL_CMP_CTX_new" + or + name = "OSSL_CMP_CTX_print_errors" + or + name = "OSSL_CMP_CTX_push0_geninfo_ITAV" + or + name = "OSSL_CMP_CTX_push0_genm_ITAV" + or + name = "OSSL_CMP_CTX_push0_policy" + or + name = "OSSL_CMP_CTX_push1_subjectAltName" + or + name = "OSSL_CMP_CTX_reinit" + or + name = "OSSL_CMP_CTX_reqExtensions_have_SAN" + or + name = "OSSL_CMP_CTX_reset_geninfo_ITAVs" + or + name = "OSSL_CMP_CTX_server_perform" + or + name = "OSSL_CMP_CTX_set0_newPkey" + or + name = "OSSL_CMP_CTX_set0_reqExtensions" + or + name = "OSSL_CMP_CTX_set0_trusted" + or + name = "OSSL_CMP_CTX_set0_trustedStore" + or + name = "OSSL_CMP_CTX_set1_cert" + or + name = "OSSL_CMP_CTX_set1_expected_sender" + or + name = "OSSL_CMP_CTX_set1_extraCertsOut" + or + name = "OSSL_CMP_CTX_set1_issuer" + or + name = "OSSL_CMP_CTX_set1_no_proxy" + or + name = "OSSL_CMP_CTX_set1_oldCert" + or + name = "OSSL_CMP_CTX_set1_p10CSR" + or + name = "OSSL_CMP_CTX_set1_pkey" + or + name = "OSSL_CMP_CTX_set1_proxy" + or + name = "OSSL_CMP_CTX_set1_recipient" + or + name = "OSSL_CMP_CTX_set1_referenceValue" + or + name = "OSSL_CMP_CTX_set1_secretValue" + or + name = "OSSL_CMP_CTX_set1_senderNonce" + or + name = "OSSL_CMP_CTX_set1_server" + or + name = "OSSL_CMP_CTX_set1_serverPath" + or + name = "OSSL_CMP_CTX_set1_srvCert" + or + name = "OSSL_CMP_CTX_set1_subjectName" + or + name = "OSSL_CMP_CTX_set1_transactionID" + or + name = "OSSL_CMP_CTX_set1_untrusted" + or + name = "OSSL_CMP_CTX_set_certConf_cb" + or + name = "OSSL_CMP_CTX_set_certConf_cb_arg" + or + name = "OSSL_CMP_CTX_set_http_cb" + or + name = "OSSL_CMP_CTX_set_http_cb_arg" + or + name = "OSSL_CMP_CTX_set_log_cb" + or + name = "OSSL_CMP_CTX_set_log_verbosity" + or + name = "OSSL_CMP_CTX_set_option" + or + name = "OSSL_CMP_CTX_set_serverPort" + or + name = "OSSL_CMP_CTX_set_transfer_cb" + or + name = "OSSL_CMP_CTX_set_transfer_cb_arg" + or + name = "OSSL_CMP_CTX_setup_CRM" + or + name = "OSSL_CMP_CTX_snprint_PKIStatus" + or + name = "OSSL_CMP_HDR_get0_recipNonce" + or + name = "OSSL_CMP_HDR_get0_transactionID" + or + name = "OSSL_CMP_IR" + or + name = "OSSL_CMP_ITAV_create" + or + name = "OSSL_CMP_ITAV_dup" + or + name = "OSSL_CMP_ITAV_free" + or + name = "OSSL_CMP_ITAV_get0_type" + or + name = "OSSL_CMP_ITAV_get0_value" + or + name = "OSSL_CMP_ITAV_push0_stack_item" + or + name = "OSSL_CMP_ITAV_set0" + or + name = "OSSL_CMP_KUR" + or + name = "OSSL_CMP_LOG_ALERT" + or + name = "OSSL_CMP_LOG_CRIT" + or + name = "OSSL_CMP_LOG_DEBUG" + or + name = "OSSL_CMP_LOG_EMERG" + or + name = "OSSL_CMP_LOG_ERR" + or + name = "OSSL_CMP_LOG_INFO" + or + name = "OSSL_CMP_LOG_NOTICE" + or + name = "OSSL_CMP_LOG_TRACE" + or + name = "OSSL_CMP_LOG_WARNING" + or + name = "OSSL_CMP_MSG_dup" + or + name = "OSSL_CMP_MSG_free" + or + name = "OSSL_CMP_MSG_get0_header" + or + name = "OSSL_CMP_MSG_get_bodytype" + or + name = "OSSL_CMP_MSG_http_perform" + or + name = "OSSL_CMP_MSG_it" + or + name = "OSSL_CMP_MSG_read" + or + name = "OSSL_CMP_MSG_update_recipNonce" + or + name = "OSSL_CMP_MSG_update_transactionID" + or + name = "OSSL_CMP_MSG_write" + or + name = "OSSL_CMP_P10CR" + or + name = "OSSL_CMP_PKIHEADER_free" + or + name = "OSSL_CMP_PKIHEADER_it" + or + name = "OSSL_CMP_PKIHEADER_new" + or + name = "OSSL_CMP_PKISI_dup" + or + name = "OSSL_CMP_PKISI_free" + or + name = "OSSL_CMP_PKISI_it" + or + name = "OSSL_CMP_PKISI_new" + or + name = "OSSL_CMP_PKISTATUS_it" + or + name = "OSSL_CMP_SRV_CTX_free" + or + name = "OSSL_CMP_SRV_CTX_get0_cmp_ctx" + or + name = "OSSL_CMP_SRV_CTX_get0_custom_ctx" + or + name = "OSSL_CMP_SRV_CTX_init" + or + name = "OSSL_CMP_SRV_CTX_new" + or + name = "OSSL_CMP_SRV_CTX_set_accept_raverified" + or + name = "OSSL_CMP_SRV_CTX_set_accept_unprotected" + or + name = "OSSL_CMP_SRV_CTX_set_grant_implicit_confirm" + or + name = "OSSL_CMP_SRV_CTX_set_send_unprotected_errors" + or + name = "OSSL_CMP_SRV_certConf_cb_t" + or + name = "OSSL_CMP_SRV_cert_request_cb_t" + or + name = "OSSL_CMP_SRV_error_cb_t" + or + name = "OSSL_CMP_SRV_genm_cb_t" + or + name = "OSSL_CMP_SRV_pollReq_cb_t" + or + name = "OSSL_CMP_SRV_process_request" + or + name = "OSSL_CMP_SRV_rr_cb_t" + or + name = "OSSL_CMP_STATUSINFO_new" + or + name = "OSSL_CMP_certConf_cb" + or + name = "OSSL_CMP_certConf_cb_t" + or + name = "OSSL_CMP_exec_CR_ses" + or + name = "OSSL_CMP_exec_GENM_ses" + or + name = "OSSL_CMP_exec_IR_ses" + or + name = "OSSL_CMP_exec_KUR_ses" + or + name = "OSSL_CMP_exec_P10CR_ses" + or + name = "OSSL_CMP_exec_RR_ses" + or + name = "OSSL_CMP_exec_certreq" + or + name = "OSSL_CMP_log_cb_t" + or + name = "OSSL_CMP_log_close" + or + name = "OSSL_CMP_log_open" + or + name = "OSSL_CMP_print_errors_cb" + or + name = "OSSL_CMP_print_to_bio" + or + name = "OSSL_CMP_severity" + or + name = "OSSL_CMP_snprint_PKIStatusInfo" + or + name = "OSSL_CMP_transfer_cb_t" + or + name = "OSSL_CMP_try_certreq" + or + name = "OSSL_CMP_validate_cert_path" + or + name = "OSSL_CMP_validate_msg" + or + name = "OSSL_CORE_MAKE_FUNC" + or + name = "OSSL_CRMF_CERTID_dup" + or + name = "OSSL_CRMF_CERTID_free" + or + name = "OSSL_CRMF_CERTID_gen" + or + name = "OSSL_CRMF_CERTID_get0_issuer" + or + name = "OSSL_CRMF_CERTID_get0_serialNumber" + or + name = "OSSL_CRMF_CERTID_it" + or + name = "OSSL_CRMF_CERTID_new" + or + name = "OSSL_CRMF_CERTTEMPLATE_fill" + or + name = "OSSL_CRMF_CERTTEMPLATE_free" + or + name = "OSSL_CRMF_CERTTEMPLATE_get0_extensions" + or + name = "OSSL_CRMF_CERTTEMPLATE_get0_issuer" + or + name = "OSSL_CRMF_CERTTEMPLATE_get0_publicKey" + or + name = "OSSL_CRMF_CERTTEMPLATE_get0_serialNumber" + or + name = "OSSL_CRMF_CERTTEMPLATE_get0_subject" + or + name = "OSSL_CRMF_CERTTEMPLATE_it" + or + name = "OSSL_CRMF_CERTTEMPLATE_new" + or + name = "OSSL_CRMF_ENCRYPTEDVALUE_free" + or + name = "OSSL_CRMF_ENCRYPTEDVALUE_get1_encCert" + or + name = "OSSL_CRMF_ENCRYPTEDVALUE_it" + or + name = "OSSL_CRMF_ENCRYPTEDVALUE_new" + or + name = "OSSL_CRMF_MSGS_free" + or + name = "OSSL_CRMF_MSGS_it" + or + name = "OSSL_CRMF_MSGS_new" + or + name = "OSSL_CRMF_MSGS_verify_popo" + or + name = "OSSL_CRMF_MSG_PKIPublicationInfo_push0_SinglePubInfo" + or + name = "OSSL_CRMF_MSG_create_popo" + or + name = "OSSL_CRMF_MSG_dup" + or + name = "OSSL_CRMF_MSG_free" + or + name = "OSSL_CRMF_MSG_get0_regCtrl_authenticator" + or + name = "OSSL_CRMF_MSG_get0_regCtrl_oldCertID" + or + name = "OSSL_CRMF_MSG_get0_regCtrl_pkiPublicationInfo" + or + name = "OSSL_CRMF_MSG_get0_regCtrl_protocolEncrKey" + or + name = "OSSL_CRMF_MSG_get0_regCtrl_regToken" + or + name = "OSSL_CRMF_MSG_get0_regInfo_certReq" + or + name = "OSSL_CRMF_MSG_get0_regInfo_utf8Pairs" + or + name = "OSSL_CRMF_MSG_get0_tmpl" + or + name = "OSSL_CRMF_MSG_get_certReqId" + or + name = "OSSL_CRMF_MSG_it" + or + name = "OSSL_CRMF_MSG_new" + or + name = "OSSL_CRMF_MSG_push0_extension" + or + name = "OSSL_CRMF_MSG_set0_SinglePubInfo" + or + name = "OSSL_CRMF_MSG_set0_extensions" + or + name = "OSSL_CRMF_MSG_set0_validity" + or + name = "OSSL_CRMF_MSG_set1_regCtrl_authenticator" + or + name = "OSSL_CRMF_MSG_set1_regCtrl_oldCertID" + or + name = "OSSL_CRMF_MSG_set1_regCtrl_pkiPublicationInfo" + or + name = "OSSL_CRMF_MSG_set1_regCtrl_protocolEncrKey" + or + name = "OSSL_CRMF_MSG_set1_regCtrl_regToken" + or + name = "OSSL_CRMF_MSG_set1_regInfo_certReq" + or + name = "OSSL_CRMF_MSG_set1_regInfo_utf8Pairs" + or + name = "OSSL_CRMF_MSG_set_PKIPublicationInfo_action" + or + name = "OSSL_CRMF_MSG_set_certReqId" + or + name = "OSSL_CRMF_PBMPARAMETER_free" + or + name = "OSSL_CRMF_PBMPARAMETER_it" + or + name = "OSSL_CRMF_PBMPARAMETER_new" + or + name = "OSSL_CRMF_PKIPUBLICATIONINFO_free" + or + name = "OSSL_CRMF_PKIPUBLICATIONINFO_it" + or + name = "OSSL_CRMF_PKIPUBLICATIONINFO_new" + or + name = "OSSL_CRMF_SINGLEPUBINFO_free" + or + name = "OSSL_CRMF_SINGLEPUBINFO_it" + or + name = "OSSL_CRMF_SINGLEPUBINFO_new" + or + name = "OSSL_CRMF_pbm_new" + or + name = "OSSL_CRMF_pbmp_new" + or + name = "OSSL_DECODER" + or + name = "OSSL_DECODER_CLEANUP" + or + name = "OSSL_DECODER_CONSTRUCT" + or + name = "OSSL_DECODER_CTX" + or + name = "OSSL_DECODER_CTX_add_decoder" + or + name = "OSSL_DECODER_CTX_add_extra" + or + name = "OSSL_DECODER_CTX_free" + or + name = "OSSL_DECODER_CTX_get_cleanup" + or + name = "OSSL_DECODER_CTX_get_construct" + or + name = "OSSL_DECODER_CTX_get_construct_data" + or + name = "OSSL_DECODER_CTX_get_num_decoders" + or + name = "OSSL_DECODER_CTX_new" + or + name = "OSSL_DECODER_CTX_new_for_pkey" + or + name = "OSSL_DECODER_CTX_set_cleanup" + or + name = "OSSL_DECODER_CTX_set_construct" + or + name = "OSSL_DECODER_CTX_set_construct_data" + or + name = "OSSL_DECODER_CTX_set_input_structure" + or + name = "OSSL_DECODER_CTX_set_input_type" + or + name = "OSSL_DECODER_CTX_set_params" + or + name = "OSSL_DECODER_CTX_set_passphrase" + or + name = "OSSL_DECODER_CTX_set_passphrase_cb" + or + name = "OSSL_DECODER_CTX_set_passphrase_ui" + or + name = "OSSL_DECODER_CTX_set_pem_password_cb" + or + name = "OSSL_DECODER_CTX_set_selection" + or + name = "OSSL_DECODER_INSTANCE" + or + name = "OSSL_DECODER_INSTANCE_get_decoder" + or + name = "OSSL_DECODER_INSTANCE_get_decoder_ctx" + or + name = "OSSL_DECODER_INSTANCE_get_input_structure" + or + name = "OSSL_DECODER_INSTANCE_get_input_type" + or + name = "OSSL_DECODER_do_all_provided" + or + name = "OSSL_DECODER_export" + or + name = "OSSL_DECODER_fetch" + or + name = "OSSL_DECODER_free" + or + name = "OSSL_DECODER_from_bio" + or + name = "OSSL_DECODER_from_data" + or + name = "OSSL_DECODER_from_fp" + or + name = "OSSL_DECODER_get0_description" + or + name = "OSSL_DECODER_get0_name" + or + name = "OSSL_DECODER_get0_properties" + or + name = "OSSL_DECODER_get0_provider" + or + name = "OSSL_DECODER_get_params" + or + name = "OSSL_DECODER_gettable_params" + or + name = "OSSL_DECODER_is_a" + or + name = "OSSL_DECODER_names_do_all" + or + name = "OSSL_DECODER_settable_ctx_params" + or + name = "OSSL_DECODER_up_ref" + or + name = "OSSL_DISPATCH" + or + name = "OSSL_DISPATCH_END" + or + name = "OSSL_EC_curve_nid2name" + or + name = "OSSL_ENCODER" + or + name = "OSSL_ENCODER_CLEANUP" + or + name = "OSSL_ENCODER_CONSTRUCT" + or + name = "OSSL_ENCODER_CTX" + or + name = "OSSL_ENCODER_CTX_add_encoder" + or + name = "OSSL_ENCODER_CTX_add_extra" + or + name = "OSSL_ENCODER_CTX_free" + or + name = "OSSL_ENCODER_CTX_get_num_encoders" + or + name = "OSSL_ENCODER_CTX_new" + or + name = "OSSL_ENCODER_CTX_new_for_pkey" + or + name = "OSSL_ENCODER_CTX_set_cipher" + or + name = "OSSL_ENCODER_CTX_set_cleanup" + or + name = "OSSL_ENCODER_CTX_set_construct" + or + name = "OSSL_ENCODER_CTX_set_construct_data" + or + name = "OSSL_ENCODER_CTX_set_output_structure" + or + name = "OSSL_ENCODER_CTX_set_output_type" + or + name = "OSSL_ENCODER_CTX_set_params" + or + name = "OSSL_ENCODER_CTX_set_passphrase" + or + name = "OSSL_ENCODER_CTX_set_passphrase_cb" + or + name = "OSSL_ENCODER_CTX_set_passphrase_ui" + or + name = "OSSL_ENCODER_CTX_set_pem_password_cb" + or + name = "OSSL_ENCODER_CTX_set_selection" + or + name = "OSSL_ENCODER_INSTANCE" + or + name = "OSSL_ENCODER_INSTANCE_get_encoder" + or + name = "OSSL_ENCODER_INSTANCE_get_encoder_ctx" + or + name = "OSSL_ENCODER_INSTANCE_get_output_structure" + or + name = "OSSL_ENCODER_INSTANCE_get_output_type" + or + name = "OSSL_ENCODER_do_all_provided" + or + name = "OSSL_ENCODER_fetch" + or + name = "OSSL_ENCODER_free" + or + name = "OSSL_ENCODER_get0_description" + or + name = "OSSL_ENCODER_get0_name" + or + name = "OSSL_ENCODER_get0_properties" + or + name = "OSSL_ENCODER_get0_provider" + or + name = "OSSL_ENCODER_get_params" + or + name = "OSSL_ENCODER_gettable_params" + or + name = "OSSL_ENCODER_is_a" + or + name = "OSSL_ENCODER_names_do_all" + or + name = "OSSL_ENCODER_settable_ctx_params" + or + name = "OSSL_ENCODER_to_bio" + or + name = "OSSL_ENCODER_to_data" + or + name = "OSSL_ENCODER_to_fp" + or + name = "OSSL_ENCODER_up_ref" + or + name = "OSSL_ESS_check_signing_certs" + or + name = "OSSL_ESS_signing_cert_new_init" + or + name = "OSSL_ESS_signing_cert_v2_new_init" + or + name = "OSSL_HPKE_CTX_free" + or + name = "OSSL_HPKE_CTX_get_seq" + or + name = "OSSL_HPKE_CTX_new" + or + name = "OSSL_HPKE_CTX_set1_authpriv" + or + name = "OSSL_HPKE_CTX_set1_authpub" + or + name = "OSSL_HPKE_CTX_set1_ikme" + or + name = "OSSL_HPKE_CTX_set1_psk" + or + name = "OSSL_HPKE_CTX_set_seq" + or + name = "OSSL_HPKE_decap" + or + name = "OSSL_HPKE_encap" + or + name = "OSSL_HPKE_export" + or + name = "OSSL_HPKE_get_ciphertext_size" + or + name = "OSSL_HPKE_get_grease_value" + or + name = "OSSL_HPKE_get_public_encap_size" + or + name = "OSSL_HPKE_get_recommended_ikmelen" + or + name = "OSSL_HPKE_keygen" + or + name = "OSSL_HPKE_open" + or + name = "OSSL_HPKE_seal" + or + name = "OSSL_HPKE_str2suite" + or + name = "OSSL_HPKE_suite_check" + or + name = "OSSL_HTTP_REQ_CTX" + or + name = "OSSL_HTTP_REQ_CTX_add1_header" + or + name = "OSSL_HTTP_REQ_CTX_exchange" + or + name = "OSSL_HTTP_REQ_CTX_free" + or + name = "OSSL_HTTP_REQ_CTX_get0_mem_bio" + or + name = "OSSL_HTTP_REQ_CTX_get_resp_len" + or + name = "OSSL_HTTP_REQ_CTX_nbio" + or + name = "OSSL_HTTP_REQ_CTX_nbio_d2i" + or + name = "OSSL_HTTP_REQ_CTX_new" + or + name = "OSSL_HTTP_REQ_CTX_set1_req" + or + name = "OSSL_HTTP_REQ_CTX_set_expected" + or + name = "OSSL_HTTP_REQ_CTX_set_max_response_length" + or + name = "OSSL_HTTP_REQ_CTX_set_request_line" + or + name = "OSSL_HTTP_adapt_proxy" + or + name = "OSSL_HTTP_bio_cb_t" + or + name = "OSSL_HTTP_close" + or + name = "OSSL_HTTP_exchange" + or + name = "OSSL_HTTP_get" + or + name = "OSSL_HTTP_is_alive" + or + name = "OSSL_HTTP_open" + or + name = "OSSL_HTTP_parse_url" + or + name = "OSSL_HTTP_proxy_connect" + or + name = "OSSL_HTTP_set1_request" + or + name = "OSSL_HTTP_transfer" + or + name = "OSSL_ITEM" + or + name = "OSSL_LIB_CTX" + or + name = "OSSL_LIB_CTX_free" + or + name = "OSSL_LIB_CTX_get0_global_default" + or + name = "OSSL_LIB_CTX_load_config" + or + name = "OSSL_LIB_CTX_new" + or + name = "OSSL_LIB_CTX_new_child" + or + name = "OSSL_LIB_CTX_new_from_dispatch" + or + name = "OSSL_LIB_CTX_set0_default" + or + name = "OSSL_PARAM" + or + name = "OSSL_PARAM_BLD" + or + name = "OSSL_PARAM_BLD_free" + or + name = "OSSL_PARAM_BLD_new" + or + name = "OSSL_PARAM_BLD_push_BN" + or + name = "OSSL_PARAM_BLD_push_BN_pad" + or + name = "OSSL_PARAM_BLD_push_double" + or + name = "OSSL_PARAM_BLD_push_int" + or + name = "OSSL_PARAM_BLD_push_int32" + or + name = "OSSL_PARAM_BLD_push_int64" + or + name = "OSSL_PARAM_BLD_push_long" + or + name = "OSSL_PARAM_BLD_push_octet_ptr" + or + name = "OSSL_PARAM_BLD_push_octet_string" + or + name = "OSSL_PARAM_BLD_push_size_t" + or + name = "OSSL_PARAM_BLD_push_time_t" + or + name = "OSSL_PARAM_BLD_push_uint" + or + name = "OSSL_PARAM_BLD_push_uint32" + or + name = "OSSL_PARAM_BLD_push_uint64" + or + name = "OSSL_PARAM_BLD_push_ulong" + or + name = "OSSL_PARAM_BLD_push_utf8_ptr" + or + name = "OSSL_PARAM_BLD_push_utf8_string" + or + name = "OSSL_PARAM_BLD_to_param" + or + name = "OSSL_PARAM_BN" + or + name = "OSSL_PARAM_DEFN" + or + name = "OSSL_PARAM_END" + or + name = "OSSL_PARAM_UNMODIFIED" + or + name = "OSSL_PARAM_allocate_from_text" + or + name = "OSSL_PARAM_construct_BN" + or + name = "OSSL_PARAM_construct_double" + or + name = "OSSL_PARAM_construct_end" + or + name = "OSSL_PARAM_construct_int" + or + name = "OSSL_PARAM_construct_int32" + or + name = "OSSL_PARAM_construct_int64" + or + name = "OSSL_PARAM_construct_long" + or + name = "OSSL_PARAM_construct_octet_ptr" + or + name = "OSSL_PARAM_construct_octet_string" + or + name = "OSSL_PARAM_construct_size_t" + or + name = "OSSL_PARAM_construct_time_t" + or + name = "OSSL_PARAM_construct_uint" + or + name = "OSSL_PARAM_construct_uint32" + or + name = "OSSL_PARAM_construct_uint64" + or + name = "OSSL_PARAM_construct_ulong" + or + name = "OSSL_PARAM_construct_utf8_ptr" + or + name = "OSSL_PARAM_construct_utf8_string" + or + name = "OSSL_PARAM_double" + or + name = "OSSL_PARAM_dup" + or + name = "OSSL_PARAM_free" + or + name = "OSSL_PARAM_get_BN" + or + name = "OSSL_PARAM_get_double" + or + name = "OSSL_PARAM_get_int" + or + name = "OSSL_PARAM_get_int32" + or + name = "OSSL_PARAM_get_int64" + or + name = "OSSL_PARAM_get_long" + or + name = "OSSL_PARAM_get_octet_ptr" + or + name = "OSSL_PARAM_get_octet_string" + or + name = "OSSL_PARAM_get_octet_string_ptr" + or + name = "OSSL_PARAM_get_size_t" + or + name = "OSSL_PARAM_get_time_t" + or + name = "OSSL_PARAM_get_uint" + or + name = "OSSL_PARAM_get_uint32" + or + name = "OSSL_PARAM_get_uint64" + or + name = "OSSL_PARAM_get_ulong" + or + name = "OSSL_PARAM_get_utf8_ptr" + or + name = "OSSL_PARAM_get_utf8_string" + or + name = "OSSL_PARAM_get_utf8_string_ptr" + or + name = "OSSL_PARAM_int" + or + name = "OSSL_PARAM_int32" + or + name = "OSSL_PARAM_int64" + or + name = "OSSL_PARAM_locate" + or + name = "OSSL_PARAM_locate_const" + or + name = "OSSL_PARAM_long" + or + name = "OSSL_PARAM_merge" + or + name = "OSSL_PARAM_modified" + or + name = "OSSL_PARAM_octet_ptr" + or + name = "OSSL_PARAM_octet_string" + or + name = "OSSL_PARAM_set_BN" + or + name = "OSSL_PARAM_set_all_unmodified" + or + name = "OSSL_PARAM_set_double" + or + name = "OSSL_PARAM_set_int" + or + name = "OSSL_PARAM_set_int32" + or + name = "OSSL_PARAM_set_int64" + or + name = "OSSL_PARAM_set_long" + or + name = "OSSL_PARAM_set_octet_ptr" + or + name = "OSSL_PARAM_set_octet_string" + or + name = "OSSL_PARAM_set_size_t" + or + name = "OSSL_PARAM_set_time_t" + or + name = "OSSL_PARAM_set_uint" + or + name = "OSSL_PARAM_set_uint32" + or + name = "OSSL_PARAM_set_uint64" + or + name = "OSSL_PARAM_set_ulong" + or + name = "OSSL_PARAM_set_utf8_ptr" + or + name = "OSSL_PARAM_set_utf8_string" + or + name = "OSSL_PARAM_size_t" + or + name = "OSSL_PARAM_time_t" + or + name = "OSSL_PARAM_uint" + or + name = "OSSL_PARAM_uint32" + or + name = "OSSL_PARAM_uint64" + or + name = "OSSL_PARAM_ulong" + or + name = "OSSL_PARAM_utf8_ptr" + or + name = "OSSL_PARAM_utf8_string" + or + name = "OSSL_PASSPHRASE_CALLBACK" + or + name = "OSSL_PROVIDER" + or + name = "OSSL_PROVIDER_add_builtin" + or + name = "OSSL_PROVIDER_available" + or + name = "OSSL_PROVIDER_do_all" + or + name = "OSSL_PROVIDER_get0_default_search_path" + or + name = "OSSL_PROVIDER_get0_dispatch" + or + name = "OSSL_PROVIDER_get0_name" + or + name = "OSSL_PROVIDER_get0_provider_ctx" + or + name = "OSSL_PROVIDER_get_capabilities" + or + name = "OSSL_PROVIDER_get_params" + or + name = "OSSL_PROVIDER_gettable_params" + or + name = "OSSL_PROVIDER_load" + or + name = "OSSL_PROVIDER_query_operation" + or + name = "OSSL_PROVIDER_self_test" + or + name = "OSSL_PROVIDER_set_default_search_path" + or + name = "OSSL_PROVIDER_try_load" + or + name = "OSSL_PROVIDER_unload" + or + name = "OSSL_PROVIDER_unquery_operation" + or + name = "OSSL_QUIC_client_method" + or + name = "OSSL_QUIC_client_thread_method" + or + name = "OSSL_QUIC_server_method" + or + name = "OSSL_SELF_TEST_free" + or + name = "OSSL_SELF_TEST_get_callback" + or + name = "OSSL_SELF_TEST_new" + or + name = "OSSL_SELF_TEST_onbegin" + or + name = "OSSL_SELF_TEST_oncorrupt_byte" + or + name = "OSSL_SELF_TEST_onend" + or + name = "OSSL_SELF_TEST_set_callback" + or + name = "OSSL_STACK_OF_X509_free" + or + name = "OSSL_STORE_CTX" + or + name = "OSSL_STORE_INFO" + or + name = "OSSL_STORE_INFO_free" + or + name = "OSSL_STORE_INFO_get0_CERT" + or + name = "OSSL_STORE_INFO_get0_CRL" + or + name = "OSSL_STORE_INFO_get0_NAME" + or + name = "OSSL_STORE_INFO_get0_NAME_description" + or + name = "OSSL_STORE_INFO_get0_PARAMS" + or + name = "OSSL_STORE_INFO_get0_PKEY" + or + name = "OSSL_STORE_INFO_get0_PUBKEY" + or + name = "OSSL_STORE_INFO_get0_data" + or + name = "OSSL_STORE_INFO_get1_CERT" + or + name = "OSSL_STORE_INFO_get1_CRL" + or + name = "OSSL_STORE_INFO_get1_NAME" + or + name = "OSSL_STORE_INFO_get1_NAME_description" + or + name = "OSSL_STORE_INFO_get1_PARAMS" + or + name = "OSSL_STORE_INFO_get1_PKEY" + or + name = "OSSL_STORE_INFO_get1_PUBKEY" + or + name = "OSSL_STORE_INFO_get_type" + or + name = "OSSL_STORE_INFO_new" + or + name = "OSSL_STORE_INFO_new_CERT" + or + name = "OSSL_STORE_INFO_new_CRL" + or + name = "OSSL_STORE_INFO_new_NAME" + or + name = "OSSL_STORE_INFO_new_PARAMS" + or + name = "OSSL_STORE_INFO_new_PKEY" + or + name = "OSSL_STORE_INFO_new_PUBKEY" + or + name = "OSSL_STORE_INFO_set0_NAME_description" + or + name = "OSSL_STORE_INFO_type_string" + or + name = "OSSL_STORE_LOADER" + or + name = "OSSL_STORE_LOADER_CTX" + or + name = "OSSL_STORE_LOADER_do_all_provided" + or + name = "OSSL_STORE_LOADER_fetch" + or + name = "OSSL_STORE_LOADER_free" + or + name = "OSSL_STORE_LOADER_get0_description" + or + name = "OSSL_STORE_LOADER_get0_engine" + or + name = "OSSL_STORE_LOADER_get0_properties" + or + name = "OSSL_STORE_LOADER_get0_provider" + or + name = "OSSL_STORE_LOADER_get0_scheme" + or + name = "OSSL_STORE_LOADER_is_a" + or + name = "OSSL_STORE_LOADER_names_do_all" + or + name = "OSSL_STORE_LOADER_new" + or + name = "OSSL_STORE_LOADER_set_attach" + or + name = "OSSL_STORE_LOADER_set_close" + or + name = "OSSL_STORE_LOADER_set_ctrl" + or + name = "OSSL_STORE_LOADER_set_eof" + or + name = "OSSL_STORE_LOADER_set_error" + or + name = "OSSL_STORE_LOADER_set_expect" + or + name = "OSSL_STORE_LOADER_set_find" + or + name = "OSSL_STORE_LOADER_set_load" + or + name = "OSSL_STORE_LOADER_set_open" + or + name = "OSSL_STORE_LOADER_set_open_ex" + or + name = "OSSL_STORE_LOADER_up_ref" + or + name = "OSSL_STORE_SEARCH" + or + name = "OSSL_STORE_SEARCH_by_alias" + or + name = "OSSL_STORE_SEARCH_by_issuer_serial" + or + name = "OSSL_STORE_SEARCH_by_key_fingerprint" + or + name = "OSSL_STORE_SEARCH_by_name" + or + name = "OSSL_STORE_SEARCH_free" + or + name = "OSSL_STORE_SEARCH_get0_bytes" + or + name = "OSSL_STORE_SEARCH_get0_digest" + or + name = "OSSL_STORE_SEARCH_get0_name" + or + name = "OSSL_STORE_SEARCH_get0_serial" + or + name = "OSSL_STORE_SEARCH_get0_string" + or + name = "OSSL_STORE_SEARCH_get_type" + or + name = "OSSL_STORE_attach" + or + name = "OSSL_STORE_attach_fn" + or + name = "OSSL_STORE_close" + or + name = "OSSL_STORE_close_fn" + or + name = "OSSL_STORE_ctrl" + or + name = "OSSL_STORE_ctrl_fn" + or + name = "OSSL_STORE_eof" + or + name = "OSSL_STORE_eof_fn" + or + name = "OSSL_STORE_error" + or + name = "OSSL_STORE_error_fn" + or + name = "OSSL_STORE_expect" + or + name = "OSSL_STORE_expect_fn" + or + name = "OSSL_STORE_find" + or + name = "OSSL_STORE_find_fn" + or + name = "OSSL_STORE_load" + or + name = "OSSL_STORE_load_fn" + or + name = "OSSL_STORE_open" + or + name = "OSSL_STORE_open_ex" + or + name = "OSSL_STORE_open_ex_fn" + or + name = "OSSL_STORE_open_fn" + or + name = "OSSL_STORE_post_process_info_fn" + or + name = "OSSL_STORE_register_loader" + or + name = "OSSL_STORE_supports_search" + or + name = "OSSL_STORE_unregister_loader" + or + name = "OSSL_TRACE" + or + name = "OSSL_TRACE1" + or + name = "OSSL_TRACE2" + or + name = "OSSL_TRACE3" + or + name = "OSSL_TRACE4" + or + name = "OSSL_TRACE5" + or + name = "OSSL_TRACE6" + or + name = "OSSL_TRACE7" + or + name = "OSSL_TRACE8" + or + name = "OSSL_TRACE9" + or + name = "OSSL_TRACEV" + or + name = "OSSL_TRACE_BEGIN" + or + name = "OSSL_TRACE_CANCEL" + or + name = "OSSL_TRACE_ENABLED" + or + name = "OSSL_TRACE_END" + or + name = "OSSL_TRACE_STRING" + or + name = "OSSL_TRACE_STRING_MAX" + or + name = "OSSL_default_cipher_list" + or + name = "OSSL_default_ciphersuites" + or + name = "OSSL_get_max_threads" + or + name = "OSSL_get_thread_support_flags" + or + name = "OSSL_parse_url" + or + name = "OSSL_set_max_threads" + or + name = "OSSL_sleep" + or + name = "OSSL_trace_begin" + or + name = "OSSL_trace_cb" + or + name = "OSSL_trace_enabled" + or + name = "OSSL_trace_end" + or + name = "OSSL_trace_get_category_name" + or + name = "OSSL_trace_get_category_num" + or + name = "OSSL_trace_set_callback" + or + name = "OSSL_trace_set_channel" + or + name = "OSSL_trace_set_prefix" + or + name = "OSSL_trace_set_suffix" + or + name = "OSSL_trace_string" + or + name = "OTHERNAME_free" + or + name = "OTHERNAME_new" + or + name = "OpenSSL_add_all_algorithms" + or + name = "OpenSSL_add_all_ciphers" + or + name = "OpenSSL_add_all_digests" + or + name = "OpenSSL_add_ssl_algorithms" + or + name = "OpenSSL_version" + or + name = "OpenSSL_version_num" + or + name = "PBE2PARAM_free" + or + name = "PBE2PARAM_new" + or + name = "PBEPARAM_free" + or + name = "PBEPARAM_new" + or + name = "PBKDF2PARAM_free" + or + name = "PBKDF2PARAM_new" + or + name = "PEM" + or + name = "PEM_FLAG_EAY_COMPATIBLE" + or + name = "PEM_FLAG_ONLY_B64" + or + name = "PEM_FLAG_SECURE" + or + name = "PEM_X509_INFO_read" + or + name = "PEM_X509_INFO_read_bio" + or + name = "PEM_X509_INFO_read_bio_ex" + or + name = "PEM_X509_INFO_read_ex" + or + name = "PEM_bytes_read_bio" + or + name = "PEM_bytes_read_bio_secmem" + or + name = "PEM_do_header" + or + name = "PEM_get_EVP_CIPHER_INFO" + or + name = "PEM_read" + or + name = "PEM_read_CMS" + or + name = "PEM_read_DHparams" + or + name = "PEM_read_DSAPrivateKey" + or + name = "PEM_read_DSA_PUBKEY" + or + name = "PEM_read_DSAparams" + or + name = "PEM_read_ECPKParameters" + or + name = "PEM_read_ECPrivateKey" + or + name = "PEM_read_EC_PUBKEY" + or + name = "PEM_read_NETSCAPE_CERT_SEQUENCE" + or + name = "PEM_read_PKCS7" + or + name = "PEM_read_PKCS8" + or + name = "PEM_read_PKCS8_PRIV_KEY_INFO" + or + name = "PEM_read_PUBKEY" + or + name = "PEM_read_PUBKEY_ex" + or + name = "PEM_read_PrivateKey" + or + name = "PEM_read_PrivateKey_ex" + or + name = "PEM_read_RSAPrivateKey" + or + name = "PEM_read_RSAPublicKey" + or + name = "PEM_read_RSA_PUBKEY" + or + name = "PEM_read_SSL_SESSION" + or + name = "PEM_read_X509" + or + name = "PEM_read_X509_AUX" + or + name = "PEM_read_X509_CRL" + or + name = "PEM_read_X509_PUBKEY" + or + name = "PEM_read_X509_REQ" + or + name = "PEM_read_bio" + or + name = "PEM_read_bio_CMS" + or + name = "PEM_read_bio_DHparams" + or + name = "PEM_read_bio_DSAPrivateKey" + or + name = "PEM_read_bio_DSA_PUBKEY" + or + name = "PEM_read_bio_DSAparams" + or + name = "PEM_read_bio_ECPKParameters" + or + name = "PEM_read_bio_EC_PUBKEY" + or + name = "PEM_read_bio_NETSCAPE_CERT_SEQUENCE" + or + name = "PEM_read_bio_PKCS7" + or + name = "PEM_read_bio_PKCS8" + or + name = "PEM_read_bio_PKCS8_PRIV_KEY_INFO" + or + name = "PEM_read_bio_PUBKEY" + or + name = "PEM_read_bio_PUBKEY_ex" + or + name = "PEM_read_bio_Parameters" + or + name = "PEM_read_bio_Parameters_ex" + or + name = "PEM_read_bio_PrivateKey" + or + name = "PEM_read_bio_PrivateKey_ex" + or + name = "PEM_read_bio_RSAPrivateKey" + or + name = "PEM_read_bio_RSAPublicKey" + or + name = "PEM_read_bio_RSA_PUBKEY" + or + name = "PEM_read_bio_SSL_SESSION" + or + name = "PEM_read_bio_X509" + or + name = "PEM_read_bio_X509_AUX" + or + name = "PEM_read_bio_X509_CRL" + or + name = "PEM_read_bio_X509_PUBKEY" + or + name = "PEM_read_bio_X509_REQ" + or + name = "PEM_read_bio_ex" + or + name = "PEM_write" + or + name = "PEM_write_CMS" + or + name = "PEM_write_DHparams" + or + name = "PEM_write_DHxparams" + or + name = "PEM_write_DSAPrivateKey" + or + name = "PEM_write_DSA_PUBKEY" + or + name = "PEM_write_DSAparams" + or + name = "PEM_write_ECPKParameters" + or + name = "PEM_write_ECPrivateKey" + or + name = "PEM_write_EC_PUBKEY" + or + name = "PEM_write_NETSCAPE_CERT_SEQUENCE" + or + name = "PEM_write_PKCS7" + or + name = "PEM_write_PKCS8" + or + name = "PEM_write_PKCS8PrivateKey" + or + name = "PEM_write_PKCS8PrivateKey_nid" + or + name = "PEM_write_PKCS8_PRIV_KEY_INFO" + or + name = "PEM_write_PUBKEY" + or + name = "PEM_write_PUBKEY_ex" + or + name = "PEM_write_PrivateKey" + or + name = "PEM_write_PrivateKey_ex" + or + name = "PEM_write_RSAPrivateKey" + or + name = "PEM_write_RSAPublicKey" + or + name = "PEM_write_RSA_PUBKEY" + or + name = "PEM_write_SSL_SESSION" + or + name = "PEM_write_X509" + or + name = "PEM_write_X509_AUX" + or + name = "PEM_write_X509_CRL" + or + name = "PEM_write_X509_PUBKEY" + or + name = "PEM_write_X509_REQ" + or + name = "PEM_write_X509_REQ_NEW" + or + name = "PEM_write_bio" + or + name = "PEM_write_bio_CMS" + or + name = "PEM_write_bio_CMS_stream" + or + name = "PEM_write_bio_DHparams" + or + name = "PEM_write_bio_DHxparams" + or + name = "PEM_write_bio_DSAPrivateKey" + or + name = "PEM_write_bio_DSA_PUBKEY" + or + name = "PEM_write_bio_DSAparams" + or + name = "PEM_write_bio_ECPKParameters" + or + name = "PEM_write_bio_ECPrivateKey" + or + name = "PEM_write_bio_EC_PUBKEY" + or + name = "PEM_write_bio_NETSCAPE_CERT_SEQUENCE" + or + name = "PEM_write_bio_PKCS7" + or + name = "PEM_write_bio_PKCS7_stream" + or + name = "PEM_write_bio_PKCS8" + or + name = "PEM_write_bio_PKCS8PrivateKey" + or + name = "PEM_write_bio_PKCS8PrivateKey_nid" + or + name = "PEM_write_bio_PKCS8_PRIV_KEY_INFO" + or + name = "PEM_write_bio_PUBKEY" + or + name = "PEM_write_bio_PUBKEY_ex" + or + name = "PEM_write_bio_Parameters" + or + name = "PEM_write_bio_PrivateKey" + or + name = "PEM_write_bio_PrivateKey_ex" + or + name = "PEM_write_bio_PrivateKey_traditional" + or + name = "PEM_write_bio_RSAPrivateKey" + or + name = "PEM_write_bio_RSAPublicKey" + or + name = "PEM_write_bio_RSA_PUBKEY" + or + name = "PEM_write_bio_SSL_SESSION" + or + name = "PEM_write_bio_X509" + or + name = "PEM_write_bio_X509_AUX" + or + name = "PEM_write_bio_X509_CRL" + or + name = "PEM_write_bio_X509_PUBKEY" + or + name = "PEM_write_bio_X509_REQ" + or + name = "PEM_write_bio_X509_REQ_NEW" + or + name = "PKCS12_BAGS_free" + or + name = "PKCS12_BAGS_new" + or + name = "PKCS12_MAC_DATA_free" + or + name = "PKCS12_MAC_DATA_new" + or + name = "PKCS12_PBE_keyivgen" + or + name = "PKCS12_PBE_keyivgen_ex" + or + name = "PKCS12_SAFEBAG_create0_p8inf" + or + name = "PKCS12_SAFEBAG_create0_pkcs8" + or + name = "PKCS12_SAFEBAG_create_cert" + or + name = "PKCS12_SAFEBAG_create_crl" + or + name = "PKCS12_SAFEBAG_create_pkcs8_encrypt" + or + name = "PKCS12_SAFEBAG_create_pkcs8_encrypt_ex" + or + name = "PKCS12_SAFEBAG_create_secret" + or + name = "PKCS12_SAFEBAG_free" + or + name = "PKCS12_SAFEBAG_get0_attr" + or + name = "PKCS12_SAFEBAG_get0_attrs" + or + name = "PKCS12_SAFEBAG_get0_bag_obj" + or + name = "PKCS12_SAFEBAG_get0_bag_type" + or + name = "PKCS12_SAFEBAG_get0_p8inf" + or + name = "PKCS12_SAFEBAG_get0_pkcs8" + or + name = "PKCS12_SAFEBAG_get0_safes" + or + name = "PKCS12_SAFEBAG_get0_type" + or + name = "PKCS12_SAFEBAG_get1_cert" + or + name = "PKCS12_SAFEBAG_get1_cert_ex" + or + name = "PKCS12_SAFEBAG_get1_crl" + or + name = "PKCS12_SAFEBAG_get1_crl_ex" + or + name = "PKCS12_SAFEBAG_get_bag_nid" + or + name = "PKCS12_SAFEBAG_get_nid" + or + name = "PKCS12_SAFEBAG_new" + or + name = "PKCS12_SAFEBAG_set0_attrs" + or + name = "PKCS12_add1_attr_by_NID" + or + name = "PKCS12_add1_attr_by_txt" + or + name = "PKCS12_add_CSPName_asc" + or + name = "PKCS12_add_cert" + or + name = "PKCS12_add_friendlyname_asc" + or + name = "PKCS12_add_friendlyname_uni" + or + name = "PKCS12_add_friendlyname_utf8" + or + name = "PKCS12_add_key" + or + name = "PKCS12_add_key_ex" + or + name = "PKCS12_add_localkeyid" + or + name = "PKCS12_add_safe" + or + name = "PKCS12_add_safe_ex" + or + name = "PKCS12_add_safes" + or + name = "PKCS12_add_safes_ex" + or + name = "PKCS12_add_secret" + or + name = "PKCS12_create" + or + name = "PKCS12_create_cb" + or + name = "PKCS12_create_ex" + or + name = "PKCS12_create_ex2" + or + name = "PKCS12_decrypt_skey" + or + name = "PKCS12_decrypt_skey_ex" + or + name = "PKCS12_free" + or + name = "PKCS12_gen_mac" + or + name = "PKCS12_get_attr_gen" + or + name = "PKCS12_get_friendlyname" + or + name = "PKCS12_init" + or + name = "PKCS12_init_ex" + or + name = "PKCS12_item_decrypt_d2i" + or + name = "PKCS12_item_decrypt_d2i_ex" + or + name = "PKCS12_item_i2d_encrypt" + or + name = "PKCS12_item_i2d_encrypt_ex" + or + name = "PKCS12_key_gen_asc" + or + name = "PKCS12_key_gen_asc_ex" + or + name = "PKCS12_key_gen_uni" + or + name = "PKCS12_key_gen_uni_ex" + or + name = "PKCS12_key_gen_utf8" + or + name = "PKCS12_key_gen_utf8_ex" + or + name = "PKCS12_new" + or + name = "PKCS12_newpass" + or + name = "PKCS12_pack_p7encdata" + or + name = "PKCS12_pack_p7encdata_ex" + or + name = "PKCS12_parse" + or + name = "PKCS12_pbe_crypt" + or + name = "PKCS12_pbe_crypt_ex" + or + name = "PKCS12_set_mac" + or + name = "PKCS12_setup_mac" + or + name = "PKCS12_verify_mac" + or + name = "PKCS5_PBE_keyivgen" + or + name = "PKCS5_PBE_keyivgen_ex" + or + name = "PKCS5_PBKDF2_HMAC" + or + name = "PKCS5_PBKDF2_HMAC_SHA1" + or + name = "PKCS5_pbe2_set" + or + name = "PKCS5_pbe2_set_iv" + or + name = "PKCS5_pbe2_set_iv_ex" + or + name = "PKCS5_pbe2_set_scrypt" + or + name = "PKCS5_pbe_set" + or + name = "PKCS5_pbe_set0_algor" + or + name = "PKCS5_pbe_set0_algor_ex" + or + name = "PKCS5_pbe_set_ex" + or + name = "PKCS5_pbkdf2_set" + or + name = "PKCS5_pbkdf2_set_ex" + or + name = "PKCS5_v2_PBE_keyivgen" + or + name = "PKCS5_v2_PBE_keyivgen_ex" + or + name = "PKCS5_v2_scrypt_keyivgen" + or + name = "PKCS5_v2_scrypt_keyivgen_ex" + or + name = "PKCS7_DIGEST_free" + or + name = "PKCS7_DIGEST_new" + or + name = "PKCS7_ENCRYPT_free" + or + name = "PKCS7_ENCRYPT_new" + or + name = "PKCS7_ENC_CONTENT_free" + or + name = "PKCS7_ENC_CONTENT_new" + or + name = "PKCS7_ENVELOPE_free" + or + name = "PKCS7_ENVELOPE_new" + or + name = "PKCS7_ISSUER_AND_SERIAL_digest" + or + name = "PKCS7_ISSUER_AND_SERIAL_free" + or + name = "PKCS7_ISSUER_AND_SERIAL_new" + or + name = "PKCS7_RECIP_INFO_free" + or + name = "PKCS7_RECIP_INFO_new" + or + name = "PKCS7_SIGNED_free" + or + name = "PKCS7_SIGNED_new" + or + name = "PKCS7_SIGNER_INFO_free" + or + name = "PKCS7_SIGNER_INFO_new" + or + name = "PKCS7_SIGN_ENVELOPE_free" + or + name = "PKCS7_SIGN_ENVELOPE_new" + or + name = "PKCS7_add_certificate" + or + name = "PKCS7_add_crl" + or + name = "PKCS7_decrypt" + or + name = "PKCS7_dup" + or + name = "PKCS7_encrypt" + or + name = "PKCS7_encrypt_ex" + or + name = "PKCS7_free" + or + name = "PKCS7_get0_signers" + or + name = "PKCS7_get_octet_string" + or + name = "PKCS7_new" + or + name = "PKCS7_new_ex" + or + name = "PKCS7_print_ctx" + or + name = "PKCS7_sign" + or + name = "PKCS7_sign_add_signer" + or + name = "PKCS7_sign_ex" + or + name = "PKCS7_type_is_other" + or + name = "PKCS7_verify" + or + name = "PKCS8_PRIV_KEY_INFO_free" + or + name = "PKCS8_PRIV_KEY_INFO_new" + or + name = "PKCS8_decrypt" + or + name = "PKCS8_decrypt_ex" + or + name = "PKCS8_encrypt" + or + name = "PKCS8_encrypt_ex" + or + name = "PKCS8_pkey_add1_attr" + or + name = "PKCS8_pkey_add1_attr_by_NID" + or + name = "PKCS8_pkey_add1_attr_by_OBJ" + or + name = "PKCS8_pkey_get0_attrs" + or + name = "PKCS8_set0_pbe" + or + name = "PKCS8_set0_pbe_ex" + or + name = "PKEY_USAGE_PERIOD_free" + or + name = "PKEY_USAGE_PERIOD_new" + or + name = "POLICYINFO_free" + or + name = "POLICYINFO_new" + or + name = "POLICYQUALINFO_free" + or + name = "POLICYQUALINFO_new" + or + name = "POLICY_CONSTRAINTS_free" + or + name = "POLICY_CONSTRAINTS_new" + or + name = "POLICY_MAPPING_free" + or + name = "POLICY_MAPPING_new" + or + name = "PROFESSION_INFO" + or + name = "PROFESSION_INFOS" + or + name = "PROFESSION_INFOS_free" + or + name = "PROFESSION_INFOS_new" + or + name = "PROFESSION_INFO_free" + or + name = "PROFESSION_INFO_get0_addProfessionInfo" + or + name = "PROFESSION_INFO_get0_namingAuthority" + or + name = "PROFESSION_INFO_get0_professionItems" + or + name = "PROFESSION_INFO_get0_professionOIDs" + or + name = "PROFESSION_INFO_get0_registrationNumber" + or + name = "PROFESSION_INFO_new" + or + name = "PROFESSION_INFO_set0_addProfessionInfo" + or + name = "PROFESSION_INFO_set0_namingAuthority" + or + name = "PROFESSION_INFO_set0_professionItems" + or + name = "PROFESSION_INFO_set0_professionOIDs" + or + name = "PROFESSION_INFO_set0_registrationNumber" + or + name = "PROXY_CERT_INFO_EXTENSION_free" + or + name = "PROXY_CERT_INFO_EXTENSION_new" + or + name = "PROXY_POLICY_free" + or + name = "PROXY_POLICY_new" + or + name = "RAND_DRBG_bytes" + or + name = "RAND_DRBG_cleanup_entropy_fn" + or + name = "RAND_DRBG_cleanup_nonce_fn" + or + name = "RAND_DRBG_free" + or + name = "RAND_DRBG_generate" + or + name = "RAND_DRBG_get0_master" + or + name = "RAND_DRBG_get0_private" + or + name = "RAND_DRBG_get0_public" + or + name = "RAND_DRBG_get_entropy_fn" + or + name = "RAND_DRBG_get_ex_data" + or + name = "RAND_DRBG_get_ex_new_index" + or + name = "RAND_DRBG_get_nonce_fn" + or + name = "RAND_DRBG_instantiate" + or + name = "RAND_DRBG_new" + or + name = "RAND_DRBG_reseed" + or + name = "RAND_DRBG_secure_new" + or + name = "RAND_DRBG_set" + or + name = "RAND_DRBG_set_callbacks" + or + name = "RAND_DRBG_set_defaults" + or + name = "RAND_DRBG_set_ex_data" + or + name = "RAND_DRBG_set_reseed_defaults" + or + name = "RAND_DRBG_set_reseed_interval" + or + name = "RAND_DRBG_set_reseed_time_interval" + or + name = "RAND_DRBG_uninstantiate" + or + name = "RAND_OpenSSL" + or + name = "RAND_SSLeay" + or + name = "RAND_add" + or + name = "RAND_bytes" + or + name = "RAND_bytes_ex" + or + name = "RAND_cleanup" + or + name = "RAND_egd" + or + name = "RAND_egd_bytes" + or + name = "RAND_event" + or + name = "RAND_file_name" + or + name = "RAND_get0_primary" + or + name = "RAND_get0_private" + or + name = "RAND_get0_public" + or + name = "RAND_get_rand_method" + or + name = "RAND_keep_random_devices_open" + or + name = "RAND_load_file" + or + name = "RAND_poll" + or + name = "RAND_priv_bytes" + or + name = "RAND_priv_bytes_ex" + or + name = "RAND_pseudo_bytes" + or + name = "RAND_query_egd_bytes" + or + name = "RAND_screen" + or + name = "RAND_seed" + or + name = "RAND_set0_private" + or + name = "RAND_set0_public" + or + name = "RAND_set_DRBG_type" + or + name = "RAND_set_rand_method" + or + name = "RAND_set_seed_source_type" + or + name = "RAND_status" + or + name = "RAND_write_file" + or + name = "RC4" + or + name = "RC4_set_key" + or + name = "RIPEMD160" + or + name = "RIPEMD160_Final" + or + name = "RIPEMD160_Init" + or + name = "RIPEMD160_Update" + or + name = "RSAPrivateKey_dup" + or + name = "RSAPublicKey_dup" + or + name = "RSA_OAEP_PARAMS_free" + or + name = "RSA_OAEP_PARAMS_new" + or + name = "RSA_PKCS1_OpenSSL" + or + name = "RSA_PKCS1_SSLeay" + or + name = "RSA_PSS_PARAMS_dup" + or + name = "RSA_PSS_PARAMS_free" + or + name = "RSA_PSS_PARAMS_new" + or + name = "RSA_bits" + or + name = "RSA_blinding_off" + or + name = "RSA_blinding_on" + or + name = "RSA_check_key" + or + name = "RSA_check_key_ex" + or + name = "RSA_clear_flags" + or + name = "RSA_flags" + or + name = "RSA_free" + or + name = "RSA_generate_key" + or + name = "RSA_generate_key_ex" + or + name = "RSA_generate_multi_prime_key" + or + name = "RSA_get0_crt_params" + or + name = "RSA_get0_d" + or + name = "RSA_get0_dmp1" + or + name = "RSA_get0_dmq1" + or + name = "RSA_get0_e" + or + name = "RSA_get0_engine" + or + name = "RSA_get0_factors" + or + name = "RSA_get0_iqmp" + or + name = "RSA_get0_key" + or + name = "RSA_get0_multi_prime_crt_params" + or + name = "RSA_get0_multi_prime_factors" + or + name = "RSA_get0_n" + or + name = "RSA_get0_p" + or + name = "RSA_get0_pss_params" + or + name = "RSA_get0_q" + or + name = "RSA_get_app_data" + or + name = "RSA_get_default_method" + or + name = "RSA_get_ex_data" + or + name = "RSA_get_ex_new_index" + or + name = "RSA_get_method" + or + name = "RSA_get_multi_prime_extra_count" + or + name = "RSA_get_version" + or + name = "RSA_meth_dup" + or + name = "RSA_meth_free" + or + name = "RSA_meth_get0_app_data" + or + name = "RSA_meth_get0_name" + or + name = "RSA_meth_get_bn_mod_exp" + or + name = "RSA_meth_get_finish" + or + name = "RSA_meth_get_flags" + or + name = "RSA_meth_get_init" + or + name = "RSA_meth_get_keygen" + or + name = "RSA_meth_get_mod_exp" + or + name = "RSA_meth_get_multi_prime_keygen" + or + name = "RSA_meth_get_priv_dec" + or + name = "RSA_meth_get_priv_enc" + or + name = "RSA_meth_get_pub_dec" + or + name = "RSA_meth_get_pub_enc" + or + name = "RSA_meth_get_sign" + or + name = "RSA_meth_get_verify" + or + name = "RSA_meth_new" + or + name = "RSA_meth_set0_app_data" + or + name = "RSA_meth_set1_name" + or + name = "RSA_meth_set_bn_mod_exp" + or + name = "RSA_meth_set_finish" + or + name = "RSA_meth_set_flags" + or + name = "RSA_meth_set_init" + or + name = "RSA_meth_set_keygen" + or + name = "RSA_meth_set_mod_exp" + or + name = "RSA_meth_set_multi_prime_keygen" + or + name = "RSA_meth_set_priv_dec" + or + name = "RSA_meth_set_priv_enc" + or + name = "RSA_meth_set_pub_dec" + or + name = "RSA_meth_set_pub_enc" + or + name = "RSA_meth_set_sign" + or + name = "RSA_meth_set_verify" + or + name = "RSA_new" + or + name = "RSA_new_method" + or + name = "RSA_null_method" + or + name = "RSA_padding_add_PKCS1_OAEP" + or + name = "RSA_padding_add_PKCS1_OAEP_mgf1" + or + name = "RSA_padding_add_PKCS1_type_1" + or + name = "RSA_padding_add_PKCS1_type_2" + or + name = "RSA_padding_add_SSLv23" + or + name = "RSA_padding_add_none" + or + name = "RSA_padding_check_PKCS1_OAEP" + or + name = "RSA_padding_check_PKCS1_OAEP_mgf1" + or + name = "RSA_padding_check_PKCS1_type_1" + or + name = "RSA_padding_check_PKCS1_type_2" + or + name = "RSA_padding_check_SSLv23" + or + name = "RSA_padding_check_none" + or + name = "RSA_print" + or + name = "RSA_print_fp" + or + name = "RSA_private_decrypt" + or + name = "RSA_private_encrypt" + or + name = "RSA_public_decrypt" + or + name = "RSA_public_encrypt" + or + name = "RSA_security_bits" + or + name = "RSA_set0_crt_params" + or + name = "RSA_set0_factors" + or + name = "RSA_set0_key" + or + name = "RSA_set0_multi_prime_params" + or + name = "RSA_set_app_data" + or + name = "RSA_set_default_method" + or + name = "RSA_set_ex_data" + or + name = "RSA_set_flags" + or + name = "RSA_set_method" + or + name = "RSA_sign" + or + name = "RSA_sign_ASN1_OCTET_STRING" + or + name = "RSA_size" + or + name = "RSA_test_flags" + or + name = "RSA_verify" + or + name = "RSA_verify_ASN1_OCTET_STRING" + or + name = "SCRYPT_PARAMS_free" + or + name = "SCRYPT_PARAMS_new" + or + name = "SCT_LIST_free" + or + name = "SCT_LIST_print" + or + name = "SCT_LIST_validate" + or + name = "SCT_free" + or + name = "SCT_get0_extensions" + or + name = "SCT_get0_log_id" + or + name = "SCT_get0_signature" + or + name = "SCT_get_log_entry_type" + or + name = "SCT_get_signature_nid" + or + name = "SCT_get_source" + or + name = "SCT_get_timestamp" + or + name = "SCT_get_validation_status" + or + name = "SCT_get_version" + or + name = "SCT_new" + or + name = "SCT_new_from_base64" + or + name = "SCT_print" + or + name = "SCT_set0_extensions" + or + name = "SCT_set0_log_id" + or + name = "SCT_set0_signature" + or + name = "SCT_set1_extensions" + or + name = "SCT_set1_log_id" + or + name = "SCT_set1_signature" + or + name = "SCT_set_log_entry_type" + or + name = "SCT_set_signature_nid" + or + name = "SCT_set_source" + or + name = "SCT_set_timestamp" + or + name = "SCT_set_version" + or + name = "SCT_validate" + or + name = "SCT_validation_status_string" + or + name = "SHA1" + or + name = "SHA1_Final" + or + name = "SHA1_Init" + or + name = "SHA1_Update" + or + name = "SHA224" + or + name = "SHA224_Final" + or + name = "SHA224_Init" + or + name = "SHA224_Update" + or + name = "SHA256" + or + name = "SHA256_Final" + or + name = "SHA256_Init" + or + name = "SHA256_Update" + or + name = "SHA384" + or + name = "SHA384_Final" + or + name = "SHA384_Init" + or + name = "SHA384_Update" + or + name = "SHA512" + or + name = "SHA512_Final" + or + name = "SHA512_Init" + or + name = "SHA512_Update" + or + name = "SMIME_read_ASN1" + or + name = "SMIME_read_ASN1_ex" + or + name = "SMIME_read_CMS" + or + name = "SMIME_read_CMS_ex" + or + name = "SMIME_read_PKCS7" + or + name = "SMIME_read_PKCS7_ex" + or + name = "SMIME_write_ASN1" + or + name = "SMIME_write_ASN1_ex" + or + name = "SMIME_write_CMS" + or + name = "SMIME_write_PKCS7" + or + name = "SRP_Calc_A" + or + name = "SRP_Calc_B" + or + name = "SRP_Calc_B_ex" + or + name = "SRP_Calc_client_key" + or + name = "SRP_Calc_client_key_ex" + or + name = "SRP_Calc_server_key" + or + name = "SRP_Calc_u" + or + name = "SRP_Calc_u_ex" + or + name = "SRP_Calc_x" + or + name = "SRP_Calc_x_ex" + or + name = "SRP_VBASE_add0_user" + or + name = "SRP_VBASE_free" + or + name = "SRP_VBASE_get1_by_user" + or + name = "SRP_VBASE_get_by_user" + or + name = "SRP_VBASE_init" + or + name = "SRP_VBASE_new" + or + name = "SRP_check_known_gN_param" + or + name = "SRP_create_verifier" + or + name = "SRP_create_verifier_BN" + or + name = "SRP_create_verifier_BN_ex" + or + name = "SRP_create_verifier_ex" + or + name = "SRP_get_default_gN" + or + name = "SRP_user_pwd_free" + or + name = "SRP_user_pwd_new" + or + name = "SRP_user_pwd_set0_sv" + or + name = "SRP_user_pwd_set1_ids" + or + name = "SRP_user_pwd_set_gN" + or + name = "SSL" + or + name = "SSL_CIPHER_description" + or + name = "SSL_CIPHER_find" + or + name = "SSL_CIPHER_get_auth_nid" + or + name = "SSL_CIPHER_get_bits" + or + name = "SSL_CIPHER_get_cipher_nid" + or + name = "SSL_CIPHER_get_digest_nid" + or + name = "SSL_CIPHER_get_handshake_digest" + or + name = "SSL_CIPHER_get_id" + or + name = "SSL_CIPHER_get_kx_nid" + or + name = "SSL_CIPHER_get_name" + or + name = "SSL_CIPHER_get_protocol_id" + or + name = "SSL_CIPHER_get_version" + or + name = "SSL_CIPHER_is_aead" + or + name = "SSL_CIPHER_standard_name" + or + name = "SSL_COMP_add_compression_method" + or + name = "SSL_COMP_free_compression_methods" + or + name = "SSL_COMP_get0_name" + or + name = "SSL_COMP_get_compression_methods" + or + name = "SSL_COMP_get_id" + or + name = "SSL_CONF_CTX_clear_flags" + or + name = "SSL_CONF_CTX_free" + or + name = "SSL_CONF_CTX_new" + or + name = "SSL_CONF_CTX_set1_prefix" + or + name = "SSL_CONF_CTX_set_flags" + or + name = "SSL_CONF_CTX_set_ssl" + or + name = "SSL_CONF_CTX_set_ssl_ctx" + or + name = "SSL_CONF_cmd" + or + name = "SSL_CONF_cmd_argv" + or + name = "SSL_CONF_cmd_value_type" + or + name = "SSL_CTX_add0_chain_cert" + or + name = "SSL_CTX_add1_chain_cert" + or + name = "SSL_CTX_add1_to_CA_list" + or + name = "SSL_CTX_add_client_CA" + or + name = "SSL_CTX_add_client_custom_ext" + or + name = "SSL_CTX_add_custom_ext" + or + name = "SSL_CTX_add_extra_chain_cert" + or + name = "SSL_CTX_add_server_custom_ext" + or + name = "SSL_CTX_add_session" + or + name = "SSL_CTX_build_cert_chain" + or + name = "SSL_CTX_callback_ctrl" + or + name = "SSL_CTX_check_private_key" + or + name = "SSL_CTX_clear_chain_certs" + or + name = "SSL_CTX_clear_extra_chain_certs" + or + name = "SSL_CTX_clear_mode" + or + name = "SSL_CTX_clear_options" + or + name = "SSL_CTX_compress_certs" + or + name = "SSL_CTX_config" + or + name = "SSL_CTX_ct_is_enabled" + or + name = "SSL_CTX_ctrl" + or + name = "SSL_CTX_dane_clear_flags" + or + name = "SSL_CTX_dane_enable" + or + name = "SSL_CTX_dane_mtype_set" + or + name = "SSL_CTX_dane_set_flags" + or + name = "SSL_CTX_decrypt_session_ticket_fn" + or + name = "SSL_CTX_disable_ct" + or + name = "SSL_CTX_enable_ct" + or + name = "SSL_CTX_flush_sessions" + or + name = "SSL_CTX_free" + or + name = "SSL_CTX_generate_session_ticket_fn" + or + name = "SSL_CTX_get0_CA_list" + or + name = "SSL_CTX_get0_chain_cert_store" + or + name = "SSL_CTX_get0_chain_certs" + or + name = "SSL_CTX_get0_client_cert_type" + or + name = "SSL_CTX_get0_param" + or + name = "SSL_CTX_get0_security_ex_data" + or + name = "SSL_CTX_get0_server_cert_type" + or + name = "SSL_CTX_get0_verify_cert_store" + or + name = "SSL_CTX_get1_compressed_cert" + or + name = "SSL_CTX_get_app_data" + or + name = "SSL_CTX_get_cert_store" + or + name = "SSL_CTX_get_ciphers" + or + name = "SSL_CTX_get_client_CA_list" + or + name = "SSL_CTX_get_client_cert_cb" + or + name = "SSL_CTX_get_default_passwd_cb" + or + name = "SSL_CTX_get_default_passwd_cb_userdata" + or + name = "SSL_CTX_get_default_read_ahead" + or + name = "SSL_CTX_get_ex_data" + or + name = "SSL_CTX_get_ex_new_index" + or + name = "SSL_CTX_get_extra_chain_certs" + or + name = "SSL_CTX_get_extra_chain_certs_only" + or + name = "SSL_CTX_get_info_callback" + or + name = "SSL_CTX_get_keylog_callback" + or + name = "SSL_CTX_get_max_cert_list" + or + name = "SSL_CTX_get_max_early_data" + or + name = "SSL_CTX_get_max_proto_version" + or + name = "SSL_CTX_get_min_proto_version" + or + name = "SSL_CTX_get_mode" + or + name = "SSL_CTX_get_num_tickets" + or + name = "SSL_CTX_get_options" + or + name = "SSL_CTX_get_quiet_shutdown" + or + name = "SSL_CTX_get_read_ahead" + or + name = "SSL_CTX_get_record_padding_callback_arg" + or + name = "SSL_CTX_get_recv_max_early_data" + or + name = "SSL_CTX_get_security_callback" + or + name = "SSL_CTX_get_security_level" + or + name = "SSL_CTX_get_session_cache_mode" + or + name = "SSL_CTX_get_ssl_method" + or + name = "SSL_CTX_get_timeout" + or + name = "SSL_CTX_get_tlsext_status_arg" + or + name = "SSL_CTX_get_tlsext_status_cb" + or + name = "SSL_CTX_get_tlsext_status_type" + or + name = "SSL_CTX_get_verify_callback" + or + name = "SSL_CTX_get_verify_depth" + or + name = "SSL_CTX_get_verify_mode" + or + name = "SSL_CTX_has_client_custom_ext" + or + name = "SSL_CTX_keylog_cb_func" + or + name = "SSL_CTX_load_verify_dir" + or + name = "SSL_CTX_load_verify_file" + or + name = "SSL_CTX_load_verify_locations" + or + name = "SSL_CTX_load_verify_store" + or + name = "SSL_CTX_need_tmp_rsa" + or + name = "SSL_CTX_new" + or + name = "SSL_CTX_new_ex" + or + name = "SSL_CTX_remove_session" + or + name = "SSL_CTX_select_current_cert" + or + name = "SSL_CTX_sess_accept" + or + name = "SSL_CTX_sess_accept_good" + or + name = "SSL_CTX_sess_accept_renegotiate" + or + name = "SSL_CTX_sess_cache_full" + or + name = "SSL_CTX_sess_cb_hits" + or + name = "SSL_CTX_sess_connect" + or + name = "SSL_CTX_sess_connect_good" + or + name = "SSL_CTX_sess_connect_renegotiate" + or + name = "SSL_CTX_sess_get_cache_size" + or + name = "SSL_CTX_sess_get_get_cb" + or + name = "SSL_CTX_sess_get_new_cb" + or + name = "SSL_CTX_sess_get_remove_cb" + or + name = "SSL_CTX_sess_hits" + or + name = "SSL_CTX_sess_misses" + or + name = "SSL_CTX_sess_number" + or + name = "SSL_CTX_sess_set_cache_size" + or + name = "SSL_CTX_sess_set_get_cb" + or + name = "SSL_CTX_sess_set_new_cb" + or + name = "SSL_CTX_sess_set_remove_cb" + or + name = "SSL_CTX_sess_timeouts" + or + name = "SSL_CTX_sessions" + or + name = "SSL_CTX_set0_CA_list" + or + name = "SSL_CTX_set0_chain" + or + name = "SSL_CTX_set0_chain_cert_store" + or + name = "SSL_CTX_set0_security_ex_data" + or + name = "SSL_CTX_set0_tmp_dh_pkey" + or + name = "SSL_CTX_set0_verify_cert_store" + or + name = "SSL_CTX_set1_cert_comp_preference" + or + name = "SSL_CTX_set1_cert_store" + or + name = "SSL_CTX_set1_chain" + or + name = "SSL_CTX_set1_chain_cert_store" + or + name = "SSL_CTX_set1_client_cert_type" + or + name = "SSL_CTX_set1_client_sigalgs" + or + name = "SSL_CTX_set1_client_sigalgs_list" + or + name = "SSL_CTX_set1_compressed_cert" + or + name = "SSL_CTX_set1_curves" + or + name = "SSL_CTX_set1_curves_list" + or + name = "SSL_CTX_set1_groups" + or + name = "SSL_CTX_set1_groups_list" + or + name = "SSL_CTX_set1_param" + or + name = "SSL_CTX_set1_server_cert_type" + or + name = "SSL_CTX_set1_sigalgs" + or + name = "SSL_CTX_set1_sigalgs_list" + or + name = "SSL_CTX_set1_verify_cert_store" + or + name = "SSL_CTX_set_allow_early_data_cb" + or + name = "SSL_CTX_set_alpn_protos" + or + name = "SSL_CTX_set_alpn_select_cb" + or + name = "SSL_CTX_set_app_data" + or + name = "SSL_CTX_set_async_callback" + or + name = "SSL_CTX_set_async_callback_arg" + or + name = "SSL_CTX_set_block_padding" + or + name = "SSL_CTX_set_cert_cb" + or + name = "SSL_CTX_set_cert_store" + or + name = "SSL_CTX_set_cert_verify_callback" + or + name = "SSL_CTX_set_cipher_list" + or + name = "SSL_CTX_set_ciphersuites" + or + name = "SSL_CTX_set_client_CA_list" + or + name = "SSL_CTX_set_client_cert_cb" + or + name = "SSL_CTX_set_client_hello_cb" + or + name = "SSL_CTX_set_cookie_generate_cb" + or + name = "SSL_CTX_set_cookie_verify_cb" + or + name = "SSL_CTX_set_ct_validation_callback" + or + name = "SSL_CTX_set_ctlog_list_file" + or + name = "SSL_CTX_set_current_cert" + or + name = "SSL_CTX_set_custom_cli_ext" + or + name = "SSL_CTX_set_default_ctlog_list_file" + or + name = "SSL_CTX_set_default_passwd_cb" + or + name = "SSL_CTX_set_default_passwd_cb_userdata" + or + name = "SSL_CTX_set_default_read_ahead" + or + name = "SSL_CTX_set_default_read_buffer_len" + or + name = "SSL_CTX_set_default_verify_dir" + or + name = "SSL_CTX_set_default_verify_file" + or + name = "SSL_CTX_set_default_verify_paths" + or + name = "SSL_CTX_set_default_verify_store" + or + name = "SSL_CTX_set_dh_auto" + or + name = "SSL_CTX_set_ecdh_auto" + or + name = "SSL_CTX_set_ex_data" + or + name = "SSL_CTX_set_generate_session_id" + or + name = "SSL_CTX_set_info_callback" + or + name = "SSL_CTX_set_keylog_callback" + or + name = "SSL_CTX_set_max_cert_list" + or + name = "SSL_CTX_set_max_early_data" + or + name = "SSL_CTX_set_max_pipelines" + or + name = "SSL_CTX_set_max_proto_version" + or + name = "SSL_CTX_set_max_send_fragment" + or + name = "SSL_CTX_set_min_proto_version" + or + name = "SSL_CTX_set_mode" + or + name = "SSL_CTX_set_msg_callback" + or + name = "SSL_CTX_set_msg_callback_arg" + or + name = "SSL_CTX_set_next_proto_select_cb" + or + name = "SSL_CTX_set_next_protos_advertised_cb" + or + name = "SSL_CTX_set_num_tickets" + or + name = "SSL_CTX_set_options" + or + name = "SSL_CTX_set_post_handshake_auth" + or + name = "SSL_CTX_set_psk_client_callback" + or + name = "SSL_CTX_set_psk_find_session_callback" + or + name = "SSL_CTX_set_psk_server_callback" + or + name = "SSL_CTX_set_psk_use_session_callback" + or + name = "SSL_CTX_set_purpose" + or + name = "SSL_CTX_set_quiet_shutdown" + or + name = "SSL_CTX_set_read_ahead" + or + name = "SSL_CTX_set_record_padding_callback" + or + name = "SSL_CTX_set_record_padding_callback_arg" + or + name = "SSL_CTX_set_recv_max_early_data" + or + name = "SSL_CTX_set_security_callback" + or + name = "SSL_CTX_set_security_level" + or + name = "SSL_CTX_set_session_cache_mode" + or + name = "SSL_CTX_set_session_id_context" + or + name = "SSL_CTX_set_session_ticket_cb" + or + name = "SSL_CTX_set_split_send_fragment" + or + name = "SSL_CTX_set_srp_cb_arg" + or + name = "SSL_CTX_set_srp_client_pwd_callback" + or + name = "SSL_CTX_set_srp_password" + or + name = "SSL_CTX_set_srp_strength" + or + name = "SSL_CTX_set_srp_username" + or + name = "SSL_CTX_set_srp_username_callback" + or + name = "SSL_CTX_set_srp_verify_param_callback" + or + name = "SSL_CTX_set_ssl_version" + or + name = "SSL_CTX_set_stateless_cookie_generate_cb" + or + name = "SSL_CTX_set_stateless_cookie_verify_cb" + or + name = "SSL_CTX_set_timeout" + or + name = "SSL_CTX_set_tlsext_max_fragment_length" + or + name = "SSL_CTX_set_tlsext_servername_arg" + or + name = "SSL_CTX_set_tlsext_servername_callback" + or + name = "SSL_CTX_set_tlsext_status_arg" + or + name = "SSL_CTX_set_tlsext_status_cb" + or + name = "SSL_CTX_set_tlsext_status_type" + or + name = "SSL_CTX_set_tlsext_ticket_key_cb" + or + name = "SSL_CTX_set_tlsext_ticket_key_evp_cb" + or + name = "SSL_CTX_set_tlsext_use_srtp" + or + name = "SSL_CTX_set_tmp_dh" + or + name = "SSL_CTX_set_tmp_dh_callback" + or + name = "SSL_CTX_set_tmp_ecdh" + or + name = "SSL_CTX_set_tmp_rsa" + or + name = "SSL_CTX_set_tmp_rsa_callback" + or + name = "SSL_CTX_set_trust" + or + name = "SSL_CTX_set_verify" + or + name = "SSL_CTX_set_verify_depth" + or + name = "SSL_CTX_up_ref" + or + name = "SSL_CTX_use_PrivateKey" + or + name = "SSL_CTX_use_PrivateKey_ASN1" + or + name = "SSL_CTX_use_PrivateKey_file" + or + name = "SSL_CTX_use_RSAPrivateKey" + or + name = "SSL_CTX_use_RSAPrivateKey_ASN1" + or + name = "SSL_CTX_use_RSAPrivateKey_file" + or + name = "SSL_CTX_use_cert_and_key" + or + name = "SSL_CTX_use_certificate" + or + name = "SSL_CTX_use_certificate_ASN1" + or + name = "SSL_CTX_use_certificate_chain_file" + or + name = "SSL_CTX_use_certificate_file" + or + name = "SSL_CTX_use_psk_identity_hint" + or + name = "SSL_CTX_use_serverinfo" + or + name = "SSL_CTX_use_serverinfo_ex" + or + name = "SSL_CTX_use_serverinfo_file" + or + name = "SSL_OP_BIT" + or + name = "SSL_SESSION_dup" + or + name = "SSL_SESSION_free" + or + name = "SSL_SESSION_get0_alpn_selected" + or + name = "SSL_SESSION_get0_cipher" + or + name = "SSL_SESSION_get0_hostname" + or + name = "SSL_SESSION_get0_id_context" + or + name = "SSL_SESSION_get0_peer" + or + name = "SSL_SESSION_get0_peer_rpk" + or + name = "SSL_SESSION_get0_ticket" + or + name = "SSL_SESSION_get0_ticket_appdata" + or + name = "SSL_SESSION_get_app_data" + or + name = "SSL_SESSION_get_compress_id" + or + name = "SSL_SESSION_get_ex_data" + or + name = "SSL_SESSION_get_ex_new_index" + or + name = "SSL_SESSION_get_id" + or + name = "SSL_SESSION_get_master_key" + or + name = "SSL_SESSION_get_max_early_data" + or + name = "SSL_SESSION_get_max_fragment_length" + or + name = "SSL_SESSION_get_protocol_version" + or + name = "SSL_SESSION_get_ticket_lifetime_hint" + or + name = "SSL_SESSION_get_time" + or + name = "SSL_SESSION_get_timeout" + or + name = "SSL_SESSION_has_ticket" + or + name = "SSL_SESSION_is_resumable" + or + name = "SSL_SESSION_new" + or + name = "SSL_SESSION_print" + or + name = "SSL_SESSION_print_fp" + or + name = "SSL_SESSION_print_keylog" + or + name = "SSL_SESSION_set1_alpn_selected" + or + name = "SSL_SESSION_set1_hostname" + or + name = "SSL_SESSION_set1_id" + or + name = "SSL_SESSION_set1_id_context" + or + name = "SSL_SESSION_set1_master_key" + or + name = "SSL_SESSION_set1_ticket_appdata" + or + name = "SSL_SESSION_set_app_data" + or + name = "SSL_SESSION_set_cipher" + or + name = "SSL_SESSION_set_ex_data" + or + name = "SSL_SESSION_set_max_early_data" + or + name = "SSL_SESSION_set_protocol_version" + or + name = "SSL_SESSION_set_time" + or + name = "SSL_SESSION_set_timeout" + or + name = "SSL_SESSION_up_ref" + or + name = "SSL_accept" + or + name = "SSL_add0_chain_cert" + or + name = "SSL_add1_chain_cert" + or + name = "SSL_add1_host" + or + name = "SSL_add1_to_CA_list" + or + name = "SSL_add_client_CA" + or + name = "SSL_add_dir_cert_subjects_to_stack" + or + name = "SSL_add_expected_rpk" + or + name = "SSL_add_file_cert_subjects_to_stack" + or + name = "SSL_add_session" + or + name = "SSL_add_store_cert_subjects_to_stack" + or + name = "SSL_alert_desc_string" + or + name = "SSL_alert_desc_string_long" + or + name = "SSL_alert_type_string" + or + name = "SSL_alert_type_string_long" + or + name = "SSL_alloc_buffers" + or + name = "SSL_allow_early_data_cb_fn" + or + name = "SSL_async_callback_fn" + or + name = "SSL_build_cert_chain" + or + name = "SSL_bytes_to_cipher_list" + or + name = "SSL_callback_ctrl" + or + name = "SSL_check_chain" + or + name = "SSL_check_private_key" + or + name = "SSL_clear" + or + name = "SSL_clear_chain_certs" + or + name = "SSL_clear_mode" + or + name = "SSL_clear_options" + or + name = "SSL_client_hello_cb_fn" + or + name = "SSL_client_hello_get0_ciphers" + or + name = "SSL_client_hello_get0_compression_methods" + or + name = "SSL_client_hello_get0_ext" + or + name = "SSL_client_hello_get0_legacy_version" + or + name = "SSL_client_hello_get0_random" + or + name = "SSL_client_hello_get0_session_id" + or + name = "SSL_client_hello_get1_extensions_present" + or + name = "SSL_client_hello_get_extension_order" + or + name = "SSL_client_hello_isv2" + or + name = "SSL_client_version" + or + name = "SSL_compress_certs" + or + name = "SSL_config" + or + name = "SSL_connect" + or + name = "SSL_ct_is_enabled" + or + name = "SSL_ctrl" + or + name = "SSL_custom_ext_add_cb_ex" + or + name = "SSL_custom_ext_free_cb_ex" + or + name = "SSL_custom_ext_parse_cb_ex" + or + name = "SSL_dane_clear_flags" + or + name = "SSL_dane_enable" + or + name = "SSL_dane_set_flags" + or + name = "SSL_dane_tlsa_add" + or + name = "SSL_disable_ct" + or + name = "SSL_do_handshake" + or + name = "SSL_dup" + or + name = "SSL_enable_ct" + or + name = "SSL_export_keying_material" + or + name = "SSL_export_keying_material_early" + or + name = "SSL_extension_supported" + or + name = "SSL_flush_sessions" + or + name = "SSL_free" + or + name = "SSL_free_buffers" + or + name = "SSL_get0_CA_list" + or + name = "SSL_get0_alpn_selected" + or + name = "SSL_get0_chain_cert_store" + or + name = "SSL_get0_chain_certs" + or + name = "SSL_get0_client_cert_type" + or + name = "SSL_get0_dane_authority" + or + name = "SSL_get0_dane_tlsa" + or + name = "SSL_get0_iana_groups" + or + name = "SSL_get0_next_proto_negotiated" + or + name = "SSL_get0_param" + or + name = "SSL_get0_peer_CA_list" + or + name = "SSL_get0_peer_certificate" + or + name = "SSL_get0_peer_rpk" + or + name = "SSL_get0_peer_scts" + or + name = "SSL_get0_peername" + or + name = "SSL_get0_security_ex_data" + or + name = "SSL_get0_server_cert_type" + or + name = "SSL_get0_session" + or + name = "SSL_get0_verified_chain" + or + name = "SSL_get0_verify_cert_store" + or + name = "SSL_get1_compressed_cert" + or + name = "SSL_get1_curves" + or + name = "SSL_get1_groups" + or + name = "SSL_get1_peer_certificate" + or + name = "SSL_get1_session" + or + name = "SSL_get1_supported_ciphers" + or + name = "SSL_get_SSL_CTX" + or + name = "SSL_get_accept_state" + or + name = "SSL_get_all_async_fds" + or + name = "SSL_get_app_data" + or + name = "SSL_get_async_status" + or + name = "SSL_get_blocking_mode" + or + name = "SSL_get_certificate" + or + name = "SSL_get_changed_async_fds" + or + name = "SSL_get_cipher" + or + name = "SSL_get_cipher_bits" + or + name = "SSL_get_cipher_list" + or + name = "SSL_get_cipher_name" + or + name = "SSL_get_cipher_version" + or + name = "SSL_get_ciphers" + or + name = "SSL_get_client_CA_list" + or + name = "SSL_get_client_ciphers" + or + name = "SSL_get_client_random" + or + name = "SSL_get_current_cipher" + or + name = "SSL_get_default_passwd_cb" + or + name = "SSL_get_default_passwd_cb_userdata" + or + name = "SSL_get_default_timeout" + or + name = "SSL_get_early_data_status" + or + name = "SSL_get_error" + or + name = "SSL_get_ex_data" + or + name = "SSL_get_ex_data_X509_STORE_CTX_idx" + or + name = "SSL_get_ex_new_index" + or + name = "SSL_get_extms_support" + or + name = "SSL_get_fd" + or + name = "SSL_get_info_callback" + or + name = "SSL_get_key_update_type" + or + name = "SSL_get_max_cert_list" + or + name = "SSL_get_max_early_data" + or + name = "SSL_get_max_proto_version" + or + name = "SSL_get_min_proto_version" + or + name = "SSL_get_mode" + or + name = "SSL_get_msg_callback_arg" + or + name = "SSL_get_negotiated_client_cert_type" + or + name = "SSL_get_negotiated_group" + or + name = "SSL_get_negotiated_server_cert_type" + or + name = "SSL_get_num_tickets" + or + name = "SSL_get_options" + or + name = "SSL_get_peer_cert_chain" + or + name = "SSL_get_peer_certificate" + or + name = "SSL_get_peer_signature_nid" + or + name = "SSL_get_peer_signature_type_nid" + or + name = "SSL_get_peer_tmp_key" + or + name = "SSL_get_pending_cipher" + or + name = "SSL_get_privatekey" + or + name = "SSL_get_psk_identity" + or + name = "SSL_get_psk_identity_hint" + or + name = "SSL_get_quiet_shutdown" + or + name = "SSL_get_rbio" + or + name = "SSL_get_read_ahead" + or + name = "SSL_get_record_padding_callback_arg" + or + name = "SSL_get_recv_max_early_data" + or + name = "SSL_get_rfd" + or + name = "SSL_get_rpoll_descriptor" + or + name = "SSL_get_secure_renegotiation_support" + or + name = "SSL_get_security_callback" + or + name = "SSL_get_security_level" + or + name = "SSL_get_selected_srtp_profile" + or + name = "SSL_get_server_random" + or + name = "SSL_get_server_tmp_key" + or + name = "SSL_get_servername" + or + name = "SSL_get_servername_type" + or + name = "SSL_get_session" + or + name = "SSL_get_shared_ciphers" + or + name = "SSL_get_shared_curve" + or + name = "SSL_get_shared_group" + or + name = "SSL_get_shared_sigalgs" + or + name = "SSL_get_shutdown" + or + name = "SSL_get_sigalgs" + or + name = "SSL_get_signature_nid" + or + name = "SSL_get_signature_type_nid" + or + name = "SSL_get_srp_N" + or + name = "SSL_get_srp_g" + or + name = "SSL_get_srp_userinfo" + or + name = "SSL_get_srp_username" + or + name = "SSL_get_srtp_profiles" + or + name = "SSL_get_ssl_method" + or + name = "SSL_get_state" + or + name = "SSL_get_tick_timeout" + or + name = "SSL_get_time" + or + name = "SSL_get_timeout" + or + name = "SSL_get_tlsext_status_ocsp_resp" + or + name = "SSL_get_tlsext_status_type" + or + name = "SSL_get_tmp_key" + or + name = "SSL_get_verify_callback" + or + name = "SSL_get_verify_depth" + or + name = "SSL_get_verify_mode" + or + name = "SSL_get_verify_result" + or + name = "SSL_get_version" + or + name = "SSL_get_wbio" + or + name = "SSL_get_wfd" + or + name = "SSL_get_wpoll_descriptor" + or + name = "SSL_group_to_name" + or + name = "SSL_has_matching_session_id" + or + name = "SSL_has_pending" + or + name = "SSL_in_accept_init" + or + name = "SSL_in_before" + or + name = "SSL_in_connect_init" + or + name = "SSL_in_init" + or + name = "SSL_inject_net_dgram" + or + name = "SSL_is_dtls" + or + name = "SSL_is_init_finished" + or + name = "SSL_is_quic" + or + name = "SSL_is_server" + or + name = "SSL_is_tls" + or + name = "SSL_key_update" + or + name = "SSL_library_init" + or + name = "SSL_load_client_CA_file" + or + name = "SSL_load_client_CA_file_ex" + or + name = "SSL_load_error_strings" + or + name = "SSL_need_tmp_rsa" + or + name = "SSL_net_read_desired" + or + name = "SSL_net_write_desired" + or + name = "SSL_new" + or + name = "SSL_new_session_ticket" + or + name = "SSL_peek" + or + name = "SSL_peek_ex" + or + name = "SSL_pending" + or + name = "SSL_psk_client_cb_func" + or + name = "SSL_psk_find_session_cb_func" + or + name = "SSL_psk_server_cb_func" + or + name = "SSL_psk_use_session_cb_func" + or + name = "SSL_read" + or + name = "SSL_read_early_data" + or + name = "SSL_read_ex" + or + name = "SSL_remove_session" + or + name = "SSL_renegotiate" + or + name = "SSL_renegotiate_abbreviated" + or + name = "SSL_renegotiate_pending" + or + name = "SSL_rstate_string" + or + name = "SSL_rstate_string_long" + or + name = "SSL_select_current_cert" + or + name = "SSL_select_next_proto" + or + name = "SSL_sendfile" + or + name = "SSL_session_reused" + or + name = "SSL_set0_CA_list" + or + name = "SSL_set0_chain" + or + name = "SSL_set0_chain_cert_store" + or + name = "SSL_set0_rbio" + or + name = "SSL_set0_security_ex_data" + or + name = "SSL_set0_tmp_dh_pkey" + or + name = "SSL_set0_verify_cert_store" + or + name = "SSL_set0_wbio" + or + name = "SSL_set1_cert_comp_preference" + or + name = "SSL_set1_chain" + or + name = "SSL_set1_chain_cert_store" + or + name = "SSL_set1_client_cert_type" + or + name = "SSL_set1_client_sigalgs" + or + name = "SSL_set1_client_sigalgs_list" + or + name = "SSL_set1_compressed_cert" + or + name = "SSL_set1_curves" + or + name = "SSL_set1_curves_list" + or + name = "SSL_set1_groups" + or + name = "SSL_set1_groups_list" + or + name = "SSL_set1_host" + or + name = "SSL_set1_param" + or + name = "SSL_set1_server_cert_type" + or + name = "SSL_set1_sigalgs" + or + name = "SSL_set1_sigalgs_list" + or + name = "SSL_set1_verify_cert_store" + or + name = "SSL_set_accept_state" + or + name = "SSL_set_allow_early_data_cb" + or + name = "SSL_set_alpn_protos" + or + name = "SSL_set_app_data" + or + name = "SSL_set_async_callback" + or + name = "SSL_set_async_callback_arg" + or + name = "SSL_set_bio" + or + name = "SSL_set_block_padding" + or + name = "SSL_set_blocking_mode" + or + name = "SSL_set_cert_cb" + or + name = "SSL_set_cipher_list" + or + name = "SSL_set_ciphersuites" + or + name = "SSL_set_client_CA_list" + or + name = "SSL_set_connect_state" + or + name = "SSL_set_ct_validation_callback" + or + name = "SSL_set_current_cert" + or + name = "SSL_set_default_passwd_cb" + or + name = "SSL_set_default_passwd_cb_userdata" + or + name = "SSL_set_default_read_buffer_len" + or + name = "SSL_set_dh_auto" + or + name = "SSL_set_ecdh_auto" + or + name = "SSL_set_ex_data" + or + name = "SSL_set_fd" + or + name = "SSL_set_generate_session_id" + or + name = "SSL_set_hostflags" + or + name = "SSL_set_info_callback" + or + name = "SSL_set_initial_peer_addr" + or + name = "SSL_set_max_cert_list" + or + name = "SSL_set_max_early_data" + or + name = "SSL_set_max_pipelines" + or + name = "SSL_set_max_proto_version" + or + name = "SSL_set_max_send_fragment" + or + name = "SSL_set_min_proto_version" + or + name = "SSL_set_mode" + or + name = "SSL_set_msg_callback" + or + name = "SSL_set_msg_callback_arg" + or + name = "SSL_set_num_tickets" + or + name = "SSL_set_options" + or + name = "SSL_set_post_handshake_auth" + or + name = "SSL_set_psk_client_callback" + or + name = "SSL_set_psk_find_session_callback" + or + name = "SSL_set_psk_server_callback" + or + name = "SSL_set_psk_use_session_callback" + or + name = "SSL_set_purpose" + or + name = "SSL_set_quiet_shutdown" + or + name = "SSL_set_read_ahead" + or + name = "SSL_set_record_padding_callback" + or + name = "SSL_set_record_padding_callback_arg" + or + name = "SSL_set_recv_max_early_data" + or + name = "SSL_set_retry_verify" + or + name = "SSL_set_rfd" + or + name = "SSL_set_security_callback" + or + name = "SSL_set_security_level" + or + name = "SSL_set_session" + or + name = "SSL_set_session_id_context" + or + name = "SSL_set_shutdown" + or + name = "SSL_set_split_send_fragment" + or + name = "SSL_set_srp_server_param" + or + name = "SSL_set_srp_server_param_pw" + or + name = "SSL_set_ssl_method" + or + name = "SSL_set_time" + or + name = "SSL_set_timeout" + or + name = "SSL_set_tlsext_host_name" + or + name = "SSL_set_tlsext_max_fragment_length" + or + name = "SSL_set_tlsext_status_ocsp_resp" + or + name = "SSL_set_tlsext_status_type" + or + name = "SSL_set_tlsext_use_srtp" + or + name = "SSL_set_tmp_dh" + or + name = "SSL_set_tmp_dh_callback" + or + name = "SSL_set_tmp_ecdh" + or + name = "SSL_set_tmp_rsa" + or + name = "SSL_set_tmp_rsa_callback" + or + name = "SSL_set_trust" + or + name = "SSL_set_verify" + or + name = "SSL_set_verify_depth" + or + name = "SSL_set_verify_result" + or + name = "SSL_set_wfd" + or + name = "SSL_shutdown" + or + name = "SSL_shutdown_ex" + or + name = "SSL_state_string" + or + name = "SSL_state_string_long" + or + name = "SSL_stateless" + or + name = "SSL_stream_conclude" + or + name = "SSL_tick" + or + name = "SSL_up_ref" + or + name = "SSL_use_PrivateKey" + or + name = "SSL_use_PrivateKey_ASN1" + or + name = "SSL_use_PrivateKey_file" + or + name = "SSL_use_RSAPrivateKey" + or + name = "SSL_use_RSAPrivateKey_ASN1" + or + name = "SSL_use_RSAPrivateKey_file" + or + name = "SSL_use_cert_and_key" + or + name = "SSL_use_certificate" + or + name = "SSL_use_certificate_ASN1" + or + name = "SSL_use_certificate_chain_file" + or + name = "SSL_use_certificate_file" + or + name = "SSL_use_psk_identity_hint" + or + name = "SSL_verify_cb" + or + name = "SSL_verify_client_post_handshake" + or + name = "SSL_version" + or + name = "SSL_waiting_for_async" + or + name = "SSL_want" + or + name = "SSL_want_async" + or + name = "SSL_want_async_job" + or + name = "SSL_want_client_hello_cb" + or + name = "SSL_want_nothing" + or + name = "SSL_want_read" + or + name = "SSL_want_retry_verify" + or + name = "SSL_want_write" + or + name = "SSL_want_x509_lookup" + or + name = "SSL_write" + or + name = "SSL_write_early_data" + or + name = "SSL_write_ex" + or + name = "SSLeay" + or + name = "SSLeay_add_ssl_algorithms" + or + name = "SSLeay_version" + or + name = "SSLv23_client_method" + or + name = "SSLv23_method" + or + name = "SSLv23_server_method" + or + name = "SSLv2_client_method" + or + name = "SSLv2_method" + or + name = "SSLv2_server_method" + or + name = "SSLv3_client_method" + or + name = "SSLv3_method" + or + name = "SSLv3_server_method" + or + name = "SXNETID_free" + or + name = "SXNETID_new" + or + name = "SXNET_free" + or + name = "SXNET_new" + or + name = "TLS_FEATURE_free" + or + name = "TLS_FEATURE_new" + or + name = "TLS_client_method" + or + name = "TLS_method" + or + name = "TLS_server_method" + or + name = "TLSv1_1_client_method" + or + name = "TLSv1_1_method" + or + name = "TLSv1_1_server_method" + or + name = "TLSv1_2_client_method" + or + name = "TLSv1_2_method" + or + name = "TLSv1_2_server_method" + or + name = "TLSv1_client_method" + or + name = "TLSv1_method" + or + name = "TLSv1_server_method" + or + name = "TS_ACCURACY_dup" + or + name = "TS_ACCURACY_free" + or + name = "TS_ACCURACY_new" + or + name = "TS_MSG_IMPRINT_dup" + or + name = "TS_MSG_IMPRINT_free" + or + name = "TS_MSG_IMPRINT_new" + or + name = "TS_REQ_dup" + or + name = "TS_REQ_free" + or + name = "TS_REQ_new" + or + name = "TS_RESP_CTX_free" + or + name = "TS_RESP_CTX_new" + or + name = "TS_RESP_CTX_new_ex" + or + name = "TS_RESP_dup" + or + name = "TS_RESP_free" + or + name = "TS_RESP_new" + or + name = "TS_STATUS_INFO_dup" + or + name = "TS_STATUS_INFO_free" + or + name = "TS_STATUS_INFO_new" + or + name = "TS_TST_INFO_dup" + or + name = "TS_TST_INFO_free" + or + name = "TS_TST_INFO_new" + or + name = "TS_VERIFY_CTS_set_certs" + or + name = "TS_VERIFY_CTX_set_certs" + or + name = "UI" + or + name = "UI_METHOD" + or + name = "UI_OpenSSL" + or + name = "UI_STRING" + or + name = "UI_UTIL_read_pw" + or + name = "UI_UTIL_read_pw_string" + or + name = "UI_UTIL_wrap_read_pem_callback" + or + name = "UI_add_error_string" + or + name = "UI_add_info_string" + or + name = "UI_add_input_boolean" + or + name = "UI_add_input_string" + or + name = "UI_add_user_data" + or + name = "UI_add_verify_string" + or + name = "UI_construct_prompt" + or + name = "UI_create_method" + or + name = "UI_ctrl" + or + name = "UI_destroy_method" + or + name = "UI_dup_error_string" + or + name = "UI_dup_info_string" + or + name = "UI_dup_input_boolean" + or + name = "UI_dup_input_string" + or + name = "UI_dup_user_data" + or + name = "UI_dup_verify_string" + or + name = "UI_free" + or + name = "UI_get0_action_string" + or + name = "UI_get0_output_string" + or + name = "UI_get0_result" + or + name = "UI_get0_result_string" + or + name = "UI_get0_test_string" + or + name = "UI_get0_user_data" + or + name = "UI_get_app_data" + or + name = "UI_get_default_method" + or + name = "UI_get_ex_data" + or + name = "UI_get_ex_new_index" + or + name = "UI_get_input_flags" + or + name = "UI_get_method" + or + name = "UI_get_result_length" + or + name = "UI_get_result_maxsize" + or + name = "UI_get_result_minsize" + or + name = "UI_get_result_string_length" + or + name = "UI_get_string_type" + or + name = "UI_method_get_closer" + or + name = "UI_method_get_data_destructor" + or + name = "UI_method_get_data_duplicator" + or + name = "UI_method_get_ex_data" + or + name = "UI_method_get_flusher" + or + name = "UI_method_get_opener" + or + name = "UI_method_get_prompt_constructor" + or + name = "UI_method_get_reader" + or + name = "UI_method_get_writer" + or + name = "UI_method_set_closer" + or + name = "UI_method_set_data_duplicator" + or + name = "UI_method_set_ex_data" + or + name = "UI_method_set_flusher" + or + name = "UI_method_set_opener" + or + name = "UI_method_set_prompt_constructor" + or + name = "UI_method_set_reader" + or + name = "UI_method_set_writer" + or + name = "UI_new" + or + name = "UI_new_method" + or + name = "UI_null" + or + name = "UI_process" + or + name = "UI_set_app_data" + or + name = "UI_set_default_method" + or + name = "UI_set_ex_data" + or + name = "UI_set_method" + or + name = "UI_set_result" + or + name = "UI_set_result_ex" + or + name = "UI_string_types" + or + name = "USERNOTICE_free" + or + name = "USERNOTICE_new" + or + name = "X509V3_EXT_d2i" + or + name = "X509V3_EXT_i2d" + or + name = "X509V3_add1_i2d" + or + name = "X509V3_get_d2i" + or + name = "X509V3_set_ctx" + or + name = "X509V3_set_issuer_pkey" + or + name = "X509_ALGOR_cmp" + or + name = "X509_ALGOR_copy" + or + name = "X509_ALGOR_dup" + or + name = "X509_ALGOR_free" + or + name = "X509_ALGOR_get0" + or + name = "X509_ALGOR_it" + or + name = "X509_ALGOR_new" + or + name = "X509_ALGOR_set0" + or + name = "X509_ALGOR_set_md" + or + name = "X509_ATTRIBUTE_dup" + or + name = "X509_ATTRIBUTE_free" + or + name = "X509_ATTRIBUTE_new" + or + name = "X509_CERT_AUX_free" + or + name = "X509_CERT_AUX_new" + or + name = "X509_CINF_free" + or + name = "X509_CINF_new" + or + name = "X509_CRL_INFO_free" + or + name = "X509_CRL_INFO_new" + or + name = "X509_CRL_add0_revoked" + or + name = "X509_CRL_add1_ext_i2d" + or + name = "X509_CRL_add_ext" + or + name = "X509_CRL_cmp" + or + name = "X509_CRL_delete_ext" + or + name = "X509_CRL_digest" + or + name = "X509_CRL_dup" + or + name = "X509_CRL_free" + or + name = "X509_CRL_get0_by_cert" + or + name = "X509_CRL_get0_by_serial" + or + name = "X509_CRL_get0_extensions" + or + name = "X509_CRL_get0_lastUpdate" + or + name = "X509_CRL_get0_nextUpdate" + or + name = "X509_CRL_get0_signature" + or + name = "X509_CRL_get_REVOKED" + or + name = "X509_CRL_get_ext" + or + name = "X509_CRL_get_ext_by_NID" + or + name = "X509_CRL_get_ext_by_OBJ" + or + name = "X509_CRL_get_ext_by_critical" + or + name = "X509_CRL_get_ext_count" + or + name = "X509_CRL_get_ext_d2i" + or + name = "X509_CRL_get_issuer" + or + name = "X509_CRL_get_signature_nid" + or + name = "X509_CRL_get_version" + or + name = "X509_CRL_http_nbio" + or + name = "X509_CRL_load_http" + or + name = "X509_CRL_match" + or + name = "X509_CRL_new" + or + name = "X509_CRL_new_ex" + or + name = "X509_CRL_set1_lastUpdate" + or + name = "X509_CRL_set1_nextUpdate" + or + name = "X509_CRL_set_issuer_name" + or + name = "X509_CRL_set_version" + or + name = "X509_CRL_sign" + or + name = "X509_CRL_sign_ctx" + or + name = "X509_CRL_sort" + or + name = "X509_CRL_verify" + or + name = "X509_EXTENSION_create_by_NID" + or + name = "X509_EXTENSION_create_by_OBJ" + or + name = "X509_EXTENSION_dup" + or + name = "X509_EXTENSION_free" + or + name = "X509_EXTENSION_get_critical" + or + name = "X509_EXTENSION_get_data" + or + name = "X509_EXTENSION_get_object" + or + name = "X509_EXTENSION_new" + or + name = "X509_EXTENSION_set_critical" + or + name = "X509_EXTENSION_set_data" + or + name = "X509_EXTENSION_set_object" + or + name = "X509_LOOKUP" + or + name = "X509_LOOKUP_METHOD" + or + name = "X509_LOOKUP_TYPE" + or + name = "X509_LOOKUP_add_dir" + or + name = "X509_LOOKUP_add_store" + or + name = "X509_LOOKUP_add_store_ex" + or + name = "X509_LOOKUP_by_alias" + or + name = "X509_LOOKUP_by_fingerprint" + or + name = "X509_LOOKUP_by_issuer_serial" + or + name = "X509_LOOKUP_by_subject" + or + name = "X509_LOOKUP_by_subject_ex" + or + name = "X509_LOOKUP_ctrl" + or + name = "X509_LOOKUP_ctrl_ex" + or + name = "X509_LOOKUP_ctrl_fn" + or + name = "X509_LOOKUP_file" + or + name = "X509_LOOKUP_free" + or + name = "X509_LOOKUP_get_by_alias_fn" + or + name = "X509_LOOKUP_get_by_fingerprint_fn" + or + name = "X509_LOOKUP_get_by_issuer_serial_fn" + or + name = "X509_LOOKUP_get_by_subject_fn" + or + name = "X509_LOOKUP_get_method_data" + or + name = "X509_LOOKUP_get_store" + or + name = "X509_LOOKUP_hash_dir" + or + name = "X509_LOOKUP_init" + or + name = "X509_LOOKUP_load_file" + or + name = "X509_LOOKUP_load_file_ex" + or + name = "X509_LOOKUP_load_store" + or + name = "X509_LOOKUP_load_store_ex" + or + name = "X509_LOOKUP_meth_free" + or + name = "X509_LOOKUP_meth_get_ctrl" + or + name = "X509_LOOKUP_meth_get_free" + or + name = "X509_LOOKUP_meth_get_get_by_alias" + or + name = "X509_LOOKUP_meth_get_get_by_fingerprint" + or + name = "X509_LOOKUP_meth_get_get_by_issuer_serial" + or + name = "X509_LOOKUP_meth_get_get_by_subject" + or + name = "X509_LOOKUP_meth_get_init" + or + name = "X509_LOOKUP_meth_get_new_item" + or + name = "X509_LOOKUP_meth_get_shutdown" + or + name = "X509_LOOKUP_meth_new" + or + name = "X509_LOOKUP_meth_set_ctrl" + or + name = "X509_LOOKUP_meth_set_free" + or + name = "X509_LOOKUP_meth_set_get_by_alias" + or + name = "X509_LOOKUP_meth_set_get_by_fingerprint" + or + name = "X509_LOOKUP_meth_set_get_by_issuer_serial" + or + name = "X509_LOOKUP_meth_set_get_by_subject" + or + name = "X509_LOOKUP_meth_set_init" + or + name = "X509_LOOKUP_meth_set_new_item" + or + name = "X509_LOOKUP_meth_set_shutdown" + or + name = "X509_LOOKUP_new" + or + name = "X509_LOOKUP_set_method_data" + or + name = "X509_LOOKUP_shutdown" + or + name = "X509_LOOKUP_store" + or + name = "X509_NAME_ENTRY_create_by_NID" + or + name = "X509_NAME_ENTRY_create_by_OBJ" + or + name = "X509_NAME_ENTRY_create_by_txt" + or + name = "X509_NAME_ENTRY_dup" + or + name = "X509_NAME_ENTRY_free" + or + name = "X509_NAME_ENTRY_get_data" + or + name = "X509_NAME_ENTRY_get_object" + or + name = "X509_NAME_ENTRY_new" + or + name = "X509_NAME_ENTRY_set_data" + or + name = "X509_NAME_ENTRY_set_object" + or + name = "X509_NAME_add_entry" + or + name = "X509_NAME_add_entry_by_NID" + or + name = "X509_NAME_add_entry_by_OBJ" + or + name = "X509_NAME_add_entry_by_txt" + or + name = "X509_NAME_cmp" + or + name = "X509_NAME_delete_entry" + or + name = "X509_NAME_digest" + or + name = "X509_NAME_dup" + or + name = "X509_NAME_entry_count" + or + name = "X509_NAME_free" + or + name = "X509_NAME_get0_der" + or + name = "X509_NAME_get_entry" + or + name = "X509_NAME_get_index_by_NID" + or + name = "X509_NAME_get_index_by_OBJ" + or + name = "X509_NAME_get_text_by_NID" + or + name = "X509_NAME_get_text_by_OBJ" + or + name = "X509_NAME_hash" + or + name = "X509_NAME_hash_ex" + or + name = "X509_NAME_new" + or + name = "X509_NAME_oneline" + or + name = "X509_NAME_print" + or + name = "X509_NAME_print_ex" + or + name = "X509_NAME_print_ex_fp" + or + name = "X509_OBJECT_set1_X509" + or + name = "X509_OBJECT_set1_X509_CRL" + or + name = "X509_PUBKEY_dup" + or + name = "X509_PUBKEY_eq" + or + name = "X509_PUBKEY_free" + or + name = "X509_PUBKEY_get" + or + name = "X509_PUBKEY_get0" + or + name = "X509_PUBKEY_get0_param" + or + name = "X509_PUBKEY_new" + or + name = "X509_PUBKEY_new_ex" + or + name = "X509_PUBKEY_set" + or + name = "X509_PUBKEY_set0_param" + or + name = "X509_PUBKEY_set0_public_key" + or + name = "X509_REQ_INFO_free" + or + name = "X509_REQ_INFO_new" + or + name = "X509_REQ_add_extensions" + or + name = "X509_REQ_add_extensions_nid" + or + name = "X509_REQ_check_private_key" + or + name = "X509_REQ_digest" + or + name = "X509_REQ_dup" + or + name = "X509_REQ_free" + or + name = "X509_REQ_get0_distinguishing_id" + or + name = "X509_REQ_get0_pubkey" + or + name = "X509_REQ_get0_signature" + or + name = "X509_REQ_get_X509_PUBKEY" + or + name = "X509_REQ_get_extensions" + or + name = "X509_REQ_get_pubkey" + or + name = "X509_REQ_get_signature_nid" + or + name = "X509_REQ_get_subject_name" + or + name = "X509_REQ_get_version" + or + name = "X509_REQ_new" + or + name = "X509_REQ_new_ex" + or + name = "X509_REQ_set0_distinguishing_id" + or + name = "X509_REQ_set0_signature" + or + name = "X509_REQ_set1_signature_algo" + or + name = "X509_REQ_set_pubkey" + or + name = "X509_REQ_set_subject_name" + or + name = "X509_REQ_set_version" + or + name = "X509_REQ_sign" + or + name = "X509_REQ_sign_ctx" + or + name = "X509_REQ_verify" + or + name = "X509_REQ_verify_ex" + or + name = "X509_REVOKED_add1_ext_i2d" + or + name = "X509_REVOKED_add_ext" + or + name = "X509_REVOKED_delete_ext" + or + name = "X509_REVOKED_dup" + or + name = "X509_REVOKED_free" + or + name = "X509_REVOKED_get0_extensions" + or + name = "X509_REVOKED_get0_revocationDate" + or + name = "X509_REVOKED_get0_serialNumber" + or + name = "X509_REVOKED_get_ext" + or + name = "X509_REVOKED_get_ext_by_NID" + or + name = "X509_REVOKED_get_ext_by_OBJ" + or + name = "X509_REVOKED_get_ext_by_critical" + or + name = "X509_REVOKED_get_ext_count" + or + name = "X509_REVOKED_get_ext_d2i" + or + name = "X509_REVOKED_new" + or + name = "X509_REVOKED_set_revocationDate" + or + name = "X509_REVOKED_set_serialNumber" + or + name = "X509_SIG_INFO_get" + or + name = "X509_SIG_INFO_set" + or + name = "X509_SIG_free" + or + name = "X509_SIG_get0" + or + name = "X509_SIG_getm" + or + name = "X509_SIG_new" + or + name = "X509_STORE" + or + name = "X509_STORE_CTX_cert_crl_fn" + or + name = "X509_STORE_CTX_check_crl_fn" + or + name = "X509_STORE_CTX_check_issued_fn" + or + name = "X509_STORE_CTX_check_policy_fn" + or + name = "X509_STORE_CTX_check_revocation_fn" + or + name = "X509_STORE_CTX_cleanup" + or + name = "X509_STORE_CTX_cleanup_fn" + or + name = "X509_STORE_CTX_free" + or + name = "X509_STORE_CTX_get0_cert" + or + name = "X509_STORE_CTX_get0_chain" + or + name = "X509_STORE_CTX_get0_param" + or + name = "X509_STORE_CTX_get0_rpk" + or + name = "X509_STORE_CTX_get0_untrusted" + or + name = "X509_STORE_CTX_get1_chain" + or + name = "X509_STORE_CTX_get1_issuer" + or + name = "X509_STORE_CTX_get_app_data" + or + name = "X509_STORE_CTX_get_by_subject" + or + name = "X509_STORE_CTX_get_cert_crl" + or + name = "X509_STORE_CTX_get_check_crl" + or + name = "X509_STORE_CTX_get_check_issued" + or + name = "X509_STORE_CTX_get_check_policy" + or + name = "X509_STORE_CTX_get_check_revocation" + or + name = "X509_STORE_CTX_get_cleanup" + or + name = "X509_STORE_CTX_get_crl_fn" + or + name = "X509_STORE_CTX_get_current_cert" + or + name = "X509_STORE_CTX_get_error" + or + name = "X509_STORE_CTX_get_error_depth" + or + name = "X509_STORE_CTX_get_ex_data" + or + name = "X509_STORE_CTX_get_ex_new_index" + or + name = "X509_STORE_CTX_get_get_crl" + or + name = "X509_STORE_CTX_get_get_issuer" + or + name = "X509_STORE_CTX_get_issuer_fn" + or + name = "X509_STORE_CTX_get_lookup_certs" + or + name = "X509_STORE_CTX_get_lookup_crls" + or + name = "X509_STORE_CTX_get_num_untrusted" + or + name = "X509_STORE_CTX_get_obj_by_subject" + or + name = "X509_STORE_CTX_get_verify" + or + name = "X509_STORE_CTX_get_verify_cb" + or + name = "X509_STORE_CTX_init" + or + name = "X509_STORE_CTX_init_rpk" + or + name = "X509_STORE_CTX_lookup_certs_fn" + or + name = "X509_STORE_CTX_lookup_crls_fn" + or + name = "X509_STORE_CTX_new" + or + name = "X509_STORE_CTX_new_ex" + or + name = "X509_STORE_CTX_print_verify_cb" + or + name = "X509_STORE_CTX_purpose_inherit" + or + name = "X509_STORE_CTX_set0_crls" + or + name = "X509_STORE_CTX_set0_param" + or + name = "X509_STORE_CTX_set0_rpk" + or + name = "X509_STORE_CTX_set0_trusted_stack" + or + name = "X509_STORE_CTX_set0_untrusted" + or + name = "X509_STORE_CTX_set0_verified_chain" + or + name = "X509_STORE_CTX_set_app_data" + or + name = "X509_STORE_CTX_set_cert" + or + name = "X509_STORE_CTX_set_chain" + or + name = "X509_STORE_CTX_set_current_cert" + or + name = "X509_STORE_CTX_set_default" + or + name = "X509_STORE_CTX_set_error" + or + name = "X509_STORE_CTX_set_error_depth" + or + name = "X509_STORE_CTX_set_ex_data" + or + name = "X509_STORE_CTX_set_purpose" + or + name = "X509_STORE_CTX_set_trust" + or + name = "X509_STORE_CTX_set_verify" + or + name = "X509_STORE_CTX_set_verify_cb" + or + name = "X509_STORE_CTX_trusted_stack" + or + name = "X509_STORE_CTX_verify" + or + name = "X509_STORE_CTX_verify_cb" + or + name = "X509_STORE_CTX_verify_fn" + or + name = "X509_STORE_add_cert" + or + name = "X509_STORE_add_crl" + or + name = "X509_STORE_add_lookup" + or + name = "X509_STORE_free" + or + name = "X509_STORE_get0_objects" + or + name = "X509_STORE_get0_param" + or + name = "X509_STORE_get1_all_certs" + or + name = "X509_STORE_get_cert_crl" + or + name = "X509_STORE_get_check_crl" + or + name = "X509_STORE_get_check_issued" + or + name = "X509_STORE_get_check_policy" + or + name = "X509_STORE_get_check_revocation" + or + name = "X509_STORE_get_cleanup" + or + name = "X509_STORE_get_ex_data" + or + name = "X509_STORE_get_ex_new_index" + or + name = "X509_STORE_get_get_crl" + or + name = "X509_STORE_get_get_issuer" + or + name = "X509_STORE_get_lookup_certs" + or + name = "X509_STORE_get_lookup_crls" + or + name = "X509_STORE_get_verify_cb" + or + name = "X509_STORE_load_file" + or + name = "X509_STORE_load_file_ex" + or + name = "X509_STORE_load_locations" + or + name = "X509_STORE_load_locations_ex" + or + name = "X509_STORE_load_path" + or + name = "X509_STORE_load_store" + or + name = "X509_STORE_load_store_ex" + or + name = "X509_STORE_lock" + or + name = "X509_STORE_new" + or + name = "X509_STORE_set1_param" + or + name = "X509_STORE_set_cert_crl" + or + name = "X509_STORE_set_check_crl" + or + name = "X509_STORE_set_check_issued" + or + name = "X509_STORE_set_check_policy" + or + name = "X509_STORE_set_check_revocation" + or + name = "X509_STORE_set_cleanup" + or + name = "X509_STORE_set_default_paths" + or + name = "X509_STORE_set_default_paths_ex" + or + name = "X509_STORE_set_depth" + or + name = "X509_STORE_set_ex_data" + or + name = "X509_STORE_set_flags" + or + name = "X509_STORE_set_get_crl" + or + name = "X509_STORE_set_get_issuer" + or + name = "X509_STORE_set_lookup_certs" + or + name = "X509_STORE_set_lookup_crls" + or + name = "X509_STORE_set_lookup_crls_cb" + or + name = "X509_STORE_set_purpose" + or + name = "X509_STORE_set_trust" + or + name = "X509_STORE_set_verify" + or + name = "X509_STORE_set_verify_cb" + or + name = "X509_STORE_set_verify_cb_func" + or + name = "X509_STORE_set_verify_func" + or + name = "X509_STORE_unlock" + or + name = "X509_STORE_up_ref" + or + name = "X509_VAL_free" + or + name = "X509_VAL_new" + or + name = "X509_VERIFY_PARAM_add0_policy" + or + name = "X509_VERIFY_PARAM_add1_host" + or + name = "X509_VERIFY_PARAM_clear_flags" + or + name = "X509_VERIFY_PARAM_get0_email" + or + name = "X509_VERIFY_PARAM_get0_host" + or + name = "X509_VERIFY_PARAM_get0_peername" + or + name = "X509_VERIFY_PARAM_get1_ip_asc" + or + name = "X509_VERIFY_PARAM_get_auth_level" + or + name = "X509_VERIFY_PARAM_get_depth" + or + name = "X509_VERIFY_PARAM_get_flags" + or + name = "X509_VERIFY_PARAM_get_hostflags" + or + name = "X509_VERIFY_PARAM_get_inh_flags" + or + name = "X509_VERIFY_PARAM_get_time" + or + name = "X509_VERIFY_PARAM_set1_email" + or + name = "X509_VERIFY_PARAM_set1_host" + or + name = "X509_VERIFY_PARAM_set1_ip" + or + name = "X509_VERIFY_PARAM_set1_ip_asc" + or + name = "X509_VERIFY_PARAM_set1_policies" + or + name = "X509_VERIFY_PARAM_set_auth_level" + or + name = "X509_VERIFY_PARAM_set_depth" + or + name = "X509_VERIFY_PARAM_set_flags" + or + name = "X509_VERIFY_PARAM_set_hostflags" + or + name = "X509_VERIFY_PARAM_set_inh_flags" + or + name = "X509_VERIFY_PARAM_set_purpose" + or + name = "X509_VERIFY_PARAM_set_time" + or + name = "X509_VERIFY_PARAM_set_trust" + or + name = "X509_add1_ext_i2d" + or + name = "X509_add_cert" + or + name = "X509_add_certs" + or + name = "X509_add_ext" + or + name = "X509_build_chain" + or + name = "X509_chain_up_ref" + or + name = "X509_check_ca" + or + name = "X509_check_email" + or + name = "X509_check_host" + or + name = "X509_check_ip" + or + name = "X509_check_ip_asc" + or + name = "X509_check_issued" + or + name = "X509_check_private_key" + or + name = "X509_check_purpose" + or + name = "X509_cmp" + or + name = "X509_cmp_current_time" + or + name = "X509_cmp_time" + or + name = "X509_cmp_timeframe" + or + name = "X509_delete_ext" + or + name = "X509_digest" + or + name = "X509_digest_sig" + or + name = "X509_dup" + or + name = "X509_free" + or + name = "X509_get0_authority_issuer" + or + name = "X509_get0_authority_key_id" + or + name = "X509_get0_authority_serial" + or + name = "X509_get0_distinguishing_id" + or + name = "X509_get0_extensions" + or + name = "X509_get0_notAfter" + or + name = "X509_get0_notBefore" + or + name = "X509_get0_pubkey" + or + name = "X509_get0_serialNumber" + or + name = "X509_get0_signature" + or + name = "X509_get0_subject_key_id" + or + name = "X509_get0_tbs_sigalg" + or + name = "X509_get0_uids" + or + name = "X509_get_X509_PUBKEY" + or + name = "X509_get_default_cert_dir" + or + name = "X509_get_default_cert_dir_env" + or + name = "X509_get_default_cert_file" + or + name = "X509_get_default_cert_file_env" + or + name = "X509_get_default_cert_path_env" + or + name = "X509_get_default_cert_uri" + or + name = "X509_get_default_cert_uri_env" + or + name = "X509_get_ex_data" + or + name = "X509_get_ex_new_index" + or + name = "X509_get_ext" + or + name = "X509_get_ext_by_NID" + or + name = "X509_get_ext_by_OBJ" + or + name = "X509_get_ext_by_critical" + or + name = "X509_get_ext_count" + or + name = "X509_get_ext_d2i" + or + name = "X509_get_extended_key_usage" + or + name = "X509_get_extension_flags" + or + name = "X509_get_issuer_name" + or + name = "X509_get_key_usage" + or + name = "X509_get_pathlen" + or + name = "X509_get_proxy_pathlen" + or + name = "X509_get_pubkey" + or + name = "X509_get_serialNumber" + or + name = "X509_get_signature_info" + or + name = "X509_get_signature_nid" + or + name = "X509_get_subject_name" + or + name = "X509_get_version" + or + name = "X509_getm_notAfter" + or + name = "X509_getm_notBefore" + or + name = "X509_gmtime_adj" + or + name = "X509_http_nbio" + or + name = "X509_issuer_and_serial_cmp" + or + name = "X509_issuer_name_cmp" + or + name = "X509_issuer_name_hash" + or + name = "X509_load_cert_crl_file" + or + name = "X509_load_cert_crl_file_ex" + or + name = "X509_load_cert_file" + or + name = "X509_load_cert_file_ex" + or + name = "X509_load_crl_file" + or + name = "X509_load_http" + or + name = "X509_new" + or + name = "X509_new_ex" + or + name = "X509_pubkey_digest" + or + name = "X509_self_signed" + or + name = "X509_set0_distinguishing_id" + or + name = "X509_set1_notAfter" + or + name = "X509_set1_notBefore" + or + name = "X509_set_ex_data" + or + name = "X509_set_issuer_name" + or + name = "X509_set_proxy_flag" + or + name = "X509_set_proxy_pathlen" + or + name = "X509_set_pubkey" + or + name = "X509_set_serialNumber" + or + name = "X509_set_subject_name" + or + name = "X509_set_version" + or + name = "X509_sign" + or + name = "X509_sign_ctx" + or + name = "X509_subject_name_cmp" + or + name = "X509_subject_name_hash" + or + name = "X509_time_adj" + or + name = "X509_time_adj_ex" + or + name = "X509_up_ref" + or + name = "X509_verify" + or + name = "X509_verify_cert" + or + name = "X509_verify_cert_error_string" + or + name = "X509v3_add_ext" + or + name = "X509v3_delete_ext" + or + name = "X509v3_get_ext" + or + name = "X509v3_get_ext_by_NID" + or + name = "X509v3_get_ext_by_OBJ" + or + name = "X509v3_get_ext_by_critical" + or + name = "X509v3_get_ext_count" + or + name = "b2i_PVK_bio" + or + name = "b2i_PVK_bio_ex" + or + name = "bio" + or + name = "blowfish" + or + name = "bn" + or + name = "bn_add_words" + or + name = "bn_check_top" + or + name = "bn_cmp_words" + or + name = "bn_div_words" + or + name = "bn_dump" + or + name = "bn_expand" + or + name = "bn_expand2" + or + name = "bn_fix_top" + or + name = "bn_internal" + or + name = "bn_mul_add_words" + or + name = "bn_mul_comba4" + or + name = "bn_mul_comba8" + or + name = "bn_mul_high" + or + name = "bn_mul_low_normal" + or + name = "bn_mul_low_recursive" + or + name = "bn_mul_normal" + or + name = "bn_mul_part_recursive" + or + name = "bn_mul_recursive" + or + name = "bn_mul_words" + or + name = "bn_print" + or + name = "bn_set_high" + or + name = "bn_set_low" + or + name = "bn_set_max" + or + name = "bn_sqr_comba4" + or + name = "bn_sqr_comba8" + or + name = "bn_sqr_normal" + or + name = "bn_sqr_recursive" + or + name = "bn_sqr_words" + or + name = "bn_sub_words" + or + name = "bn_wexpand" + or + name = "buffer" + or + name = "crypto" + or + name = "custom_ext_add_cb" + or + name = "custom_ext_free_cb" + or + name = "custom_ext_parse_cb" + or + name = "d2i_ACCESS_DESCRIPTION" + or + name = "d2i_ADMISSIONS" + or + name = "d2i_ADMISSION_SYNTAX" + or + name = "d2i_ASIdOrRange" + or + name = "d2i_ASIdentifierChoice" + or + name = "d2i_ASIdentifiers" + or + name = "d2i_ASN1_BIT_STRING" + or + name = "d2i_ASN1_BMPSTRING" + or + name = "d2i_ASN1_ENUMERATED" + or + name = "d2i_ASN1_GENERALIZEDTIME" + or + name = "d2i_ASN1_GENERALSTRING" + or + name = "d2i_ASN1_IA5STRING" + or + name = "d2i_ASN1_INTEGER" + or + name = "d2i_ASN1_NULL" + or + name = "d2i_ASN1_OBJECT" + or + name = "d2i_ASN1_OCTET_STRING" + or + name = "d2i_ASN1_PRINTABLE" + or + name = "d2i_ASN1_PRINTABLESTRING" + or + name = "d2i_ASN1_SEQUENCE_ANY" + or + name = "d2i_ASN1_SET_ANY" + or + name = "d2i_ASN1_T61STRING" + or + name = "d2i_ASN1_TIME" + or + name = "d2i_ASN1_TYPE" + or + name = "d2i_ASN1_UINTEGER" + or + name = "d2i_ASN1_UNIVERSALSTRING" + or + name = "d2i_ASN1_UTCTIME" + or + name = "d2i_ASN1_UTF8STRING" + or + name = "d2i_ASN1_VISIBLESTRING" + or + name = "d2i_ASRange" + or + name = "d2i_AUTHORITY_INFO_ACCESS" + or + name = "d2i_AUTHORITY_KEYID" + or + name = "d2i_AutoPrivateKey" + or + name = "d2i_AutoPrivateKey_ex" + or + name = "d2i_BASIC_CONSTRAINTS" + or + name = "d2i_CERTIFICATEPOLICIES" + or + name = "d2i_CMS_ContentInfo" + or + name = "d2i_CMS_ReceiptRequest" + or + name = "d2i_CMS_bio" + or + name = "d2i_CRL_DIST_POINTS" + or + name = "d2i_DHparams" + or + name = "d2i_DHparams_bio" + or + name = "d2i_DHparams_fp" + or + name = "d2i_DHxparams" + or + name = "d2i_DIRECTORYSTRING" + or + name = "d2i_DISPLAYTEXT" + or + name = "d2i_DIST_POINT" + or + name = "d2i_DIST_POINT_NAME" + or + name = "d2i_DSAPrivateKey" + or + name = "d2i_DSAPrivateKey_bio" + or + name = "d2i_DSAPrivateKey_fp" + or + name = "d2i_DSAPublicKey" + or + name = "d2i_DSA_PUBKEY" + or + name = "d2i_DSA_PUBKEY_bio" + or + name = "d2i_DSA_PUBKEY_fp" + or + name = "d2i_DSA_SIG" + or + name = "d2i_DSAparams" + or + name = "d2i_ECDSA_SIG" + or + name = "d2i_ECPKParameters" + or + name = "d2i_ECPKParameters_bio" + or + name = "d2i_ECPKParameters_fp" + or + name = "d2i_ECParameters" + or + name = "d2i_ECPrivateKey" + or + name = "d2i_ECPrivateKey_bio" + or + name = "d2i_ECPrivateKey_fp" + or + name = "d2i_ECPrivate_key" + or + name = "d2i_EC_PUBKEY" + or + name = "d2i_EC_PUBKEY_bio" + or + name = "d2i_EC_PUBKEY_fp" + or + name = "d2i_EDIPARTYNAME" + or + name = "d2i_ESS_CERT_ID" + or + name = "d2i_ESS_CERT_ID_V2" + or + name = "d2i_ESS_ISSUER_SERIAL" + or + name = "d2i_ESS_SIGNING_CERT" + or + name = "d2i_ESS_SIGNING_CERT_V2" + or + name = "d2i_EXTENDED_KEY_USAGE" + or + name = "d2i_GENERAL_NAME" + or + name = "d2i_GENERAL_NAMES" + or + name = "d2i_IPAddressChoice" + or + name = "d2i_IPAddressFamily" + or + name = "d2i_IPAddressOrRange" + or + name = "d2i_IPAddressRange" + or + name = "d2i_ISSUER_SIGN_TOOL" + or + name = "d2i_ISSUING_DIST_POINT" + or + name = "d2i_KeyParams" + or + name = "d2i_KeyParams_bio" + or + name = "d2i_NAMING_AUTHORITY" + or + name = "d2i_NETSCAPE_CERT_SEQUENCE" + or + name = "d2i_NETSCAPE_SPKAC" + or + name = "d2i_NETSCAPE_SPKI" + or + name = "d2i_NOTICEREF" + or + name = "d2i_Netscape_RSA" + or + name = "d2i_OCSP_BASICRESP" + or + name = "d2i_OCSP_CERTID" + or + name = "d2i_OCSP_CERTSTATUS" + or + name = "d2i_OCSP_CRLID" + or + name = "d2i_OCSP_ONEREQ" + or + name = "d2i_OCSP_REQINFO" + or + name = "d2i_OCSP_REQUEST" + or + name = "d2i_OCSP_RESPBYTES" + or + name = "d2i_OCSP_RESPDATA" + or + name = "d2i_OCSP_RESPID" + or + name = "d2i_OCSP_RESPONSE" + or + name = "d2i_OCSP_REVOKEDINFO" + or + name = "d2i_OCSP_SERVICELOC" + or + name = "d2i_OCSP_SIGNATURE" + or + name = "d2i_OCSP_SINGLERESP" + or + name = "d2i_OSSL_CMP_MSG" + or + name = "d2i_OSSL_CMP_MSG_bio" + or + name = "d2i_OSSL_CMP_PKIHEADER" + or + name = "d2i_OSSL_CMP_PKISI" + or + name = "d2i_OSSL_CRMF_CERTID" + or + name = "d2i_OSSL_CRMF_CERTTEMPLATE" + or + name = "d2i_OSSL_CRMF_ENCRYPTEDVALUE" + or + name = "d2i_OSSL_CRMF_MSG" + or + name = "d2i_OSSL_CRMF_MSGS" + or + name = "d2i_OSSL_CRMF_PBMPARAMETER" + or + name = "d2i_OSSL_CRMF_PKIPUBLICATIONINFO" + or + name = "d2i_OSSL_CRMF_SINGLEPUBINFO" + or + name = "d2i_OTHERNAME" + or + name = "d2i_PBE2PARAM" + or + name = "d2i_PBEPARAM" + or + name = "d2i_PBKDF2PARAM" + or + name = "d2i_PKCS12" + or + name = "d2i_PKCS12_BAGS" + or + name = "d2i_PKCS12_MAC_DATA" + or + name = "d2i_PKCS12_SAFEBAG" + or + name = "d2i_PKCS12_bio" + or + name = "d2i_PKCS12_fp" + or + name = "d2i_PKCS7" + or + name = "d2i_PKCS7_DIGEST" + or + name = "d2i_PKCS7_ENCRYPT" + or + name = "d2i_PKCS7_ENC_CONTENT" + or + name = "d2i_PKCS7_ENVELOPE" + or + name = "d2i_PKCS7_ISSUER_AND_SERIAL" + or + name = "d2i_PKCS7_RECIP_INFO" + or + name = "d2i_PKCS7_SIGNED" + or + name = "d2i_PKCS7_SIGNER_INFO" + or + name = "d2i_PKCS7_SIGN_ENVELOPE" + or + name = "d2i_PKCS7_bio" + or + name = "d2i_PKCS7_fp" + or + name = "d2i_PKCS8PrivateKey" + or + name = "d2i_PKCS8PrivateKey_bio" + or + name = "d2i_PKCS8PrivateKey_fp" + or + name = "d2i_PKCS8_PRIV_KEY_INFO" + or + name = "d2i_PKCS8_PRIV_KEY_INFO_bio" + or + name = "d2i_PKCS8_PRIV_KEY_INFO_fp" + or + name = "d2i_PKCS8_bio" + or + name = "d2i_PKCS8_fp" + or + name = "d2i_PKEY_USAGE_PERIOD" + or + name = "d2i_POLICYINFO" + or + name = "d2i_POLICYQUALINFO" + or + name = "d2i_PROFESSION_INFO" + or + name = "d2i_PROXY_CERT_INFO_EXTENSION" + or + name = "d2i_PROXY_POLICY" + or + name = "d2i_PUBKEY" + or + name = "d2i_PUBKEY_bio" + or + name = "d2i_PUBKEY_ex" + or + name = "d2i_PUBKEY_ex_bio" + or + name = "d2i_PUBKEY_ex_fp" + or + name = "d2i_PUBKEY_fp" + or + name = "d2i_PrivateKey" + or + name = "d2i_PrivateKey_bio" + or + name = "d2i_PrivateKey_ex" + or + name = "d2i_PrivateKey_ex_bio" + or + name = "d2i_PrivateKey_ex_fp" + or + name = "d2i_PrivateKey_fp" + or + name = "d2i_Private_key" + or + name = "d2i_PublicKey" + or + name = "d2i_RSAPrivateKey" + or + name = "d2i_RSAPrivateKey_bio" + or + name = "d2i_RSAPrivateKey_fp" + or + name = "d2i_RSAPublicKey" + or + name = "d2i_RSAPublicKey_bio" + or + name = "d2i_RSAPublicKey_fp" + or + name = "d2i_RSA_OAEP_PARAMS" + or + name = "d2i_RSA_PSS_PARAMS" + or + name = "d2i_RSA_PUBKEY" + or + name = "d2i_RSA_PUBKEY_bio" + or + name = "d2i_RSA_PUBKEY_fp" + or + name = "d2i_SCRYPT_PARAMS" + or + name = "d2i_SCT_LIST" + or + name = "d2i_SSL_SESSION" + or + name = "d2i_SSL_SESSION_ex" + or + name = "d2i_SXNET" + or + name = "d2i_SXNETID" + or + name = "d2i_TS_ACCURACY" + or + name = "d2i_TS_MSG_IMPRINT" + or + name = "d2i_TS_MSG_IMPRINT_bio" + or + name = "d2i_TS_MSG_IMPRINT_fp" + or + name = "d2i_TS_REQ" + or + name = "d2i_TS_REQ_bio" + or + name = "d2i_TS_REQ_fp" + or + name = "d2i_TS_RESP" + or + name = "d2i_TS_RESP_bio" + or + name = "d2i_TS_RESP_fp" + or + name = "d2i_TS_STATUS_INFO" + or + name = "d2i_TS_TST_INFO" + or + name = "d2i_TS_TST_INFO_bio" + or + name = "d2i_TS_TST_INFO_fp" + or + name = "d2i_USERNOTICE" + or + name = "d2i_X509" + or + name = "d2i_X509_ALGOR" + or + name = "d2i_X509_ALGORS" + or + name = "d2i_X509_ATTRIBUTE" + or + name = "d2i_X509_AUX" + or + name = "d2i_X509_CERT_AUX" + or + name = "d2i_X509_CINF" + or + name = "d2i_X509_CRL" + or + name = "d2i_X509_CRL_INFO" + or + name = "d2i_X509_CRL_bio" + or + name = "d2i_X509_CRL_fp" + or + name = "d2i_X509_EXTENSION" + or + name = "d2i_X509_EXTENSIONS" + or + name = "d2i_X509_NAME" + or + name = "d2i_X509_NAME_ENTRY" + or + name = "d2i_X509_PUBKEY" + or + name = "d2i_X509_PUBKEY_bio" + or + name = "d2i_X509_PUBKEY_fp" + or + name = "d2i_X509_REQ" + or + name = "d2i_X509_REQ_INFO" + or + name = "d2i_X509_REQ_bio" + or + name = "d2i_X509_REQ_fp" + or + name = "d2i_X509_REVOKED" + or + name = "d2i_X509_SIG" + or + name = "d2i_X509_VAL" + or + name = "d2i_X509_bio" + or + name = "d2i_X509_fp" + or + name = "des" + or + name = "des_read_2passwords" + or + name = "des_read_password" + or + name = "des_read_pw" + or + name = "des_read_pw_string" + or + name = "dh" + or + name = "dsa" + or + name = "ec" + or + name = "ecdsa" + or + name = "engine" + or + name = "err" + or + name = "evp" + or + name = "hmac" + or + name = "i2b_PVK_bio" + or + name = "i2b_PVK_bio_ex" + or + name = "i2d_ACCESS_DESCRIPTION" + or + name = "i2d_ADMISSIONS" + or + name = "i2d_ADMISSION_SYNTAX" + or + name = "i2d_ASIdOrRange" + or + name = "i2d_ASIdentifierChoice" + or + name = "i2d_ASIdentifiers" + or + name = "i2d_ASN1_BIT_STRING" + or + name = "i2d_ASN1_BMPSTRING" + or + name = "i2d_ASN1_ENUMERATED" + or + name = "i2d_ASN1_GENERALIZEDTIME" + or + name = "i2d_ASN1_GENERALSTRING" + or + name = "i2d_ASN1_IA5STRING" + or + name = "i2d_ASN1_INTEGER" + or + name = "i2d_ASN1_NULL" + or + name = "i2d_ASN1_OBJECT" + or + name = "i2d_ASN1_OCTET_STRING" + or + name = "i2d_ASN1_PRINTABLE" + or + name = "i2d_ASN1_PRINTABLESTRING" + or + name = "i2d_ASN1_SEQUENCE_ANY" + or + name = "i2d_ASN1_SET_ANY" + or + name = "i2d_ASN1_T61STRING" + or + name = "i2d_ASN1_TIME" + or + name = "i2d_ASN1_TYPE" + or + name = "i2d_ASN1_UNIVERSALSTRING" + or + name = "i2d_ASN1_UTCTIME" + or + name = "i2d_ASN1_UTF8STRING" + or + name = "i2d_ASN1_VISIBLESTRING" + or + name = "i2d_ASN1_bio_stream" + or + name = "i2d_ASRange" + or + name = "i2d_AUTHORITY_INFO_ACCESS" + or + name = "i2d_AUTHORITY_KEYID" + or + name = "i2d_BASIC_CONSTRAINTS" + or + name = "i2d_CERTIFICATEPOLICIES" + or + name = "i2d_CMS_ContentInfo" + or + name = "i2d_CMS_ReceiptRequest" + or + name = "i2d_CMS_bio" + or + name = "i2d_CMS_bio_stream" + or + name = "i2d_CRL_DIST_POINTS" + or + name = "i2d_DHparams" + or + name = "i2d_DHparams_bio" + or + name = "i2d_DHparams_fp" + or + name = "i2d_DHxparams" + or + name = "i2d_DIRECTORYSTRING" + or + name = "i2d_DISPLAYTEXT" + or + name = "i2d_DIST_POINT" + or + name = "i2d_DIST_POINT_NAME" + or + name = "i2d_DSAPrivateKey" + or + name = "i2d_DSAPrivateKey_bio" + or + name = "i2d_DSAPrivateKey_fp" + or + name = "i2d_DSAPublicKey" + or + name = "i2d_DSA_PUBKEY" + or + name = "i2d_DSA_PUBKEY_bio" + or + name = "i2d_DSA_PUBKEY_fp" + or + name = "i2d_DSA_SIG" + or + name = "i2d_DSAparams" + or + name = "i2d_ECDSA_SIG" + or + name = "i2d_ECPKParameters" + or + name = "i2d_ECPKParameters_bio" + or + name = "i2d_ECPKParameters_fp" + or + name = "i2d_ECParameters" + or + name = "i2d_ECPrivateKey" + or + name = "i2d_ECPrivateKey_bio" + or + name = "i2d_ECPrivateKey_fp" + or + name = "i2d_EC_PUBKEY" + or + name = "i2d_EC_PUBKEY_bio" + or + name = "i2d_EC_PUBKEY_fp" + or + name = "i2d_EDIPARTYNAME" + or + name = "i2d_ESS_CERT_ID" + or + name = "i2d_ESS_CERT_ID_V2" + or + name = "i2d_ESS_ISSUER_SERIAL" + or + name = "i2d_ESS_SIGNING_CERT" + or + name = "i2d_ESS_SIGNING_CERT_V2" + or + name = "i2d_EXTENDED_KEY_USAGE" + or + name = "i2d_GENERAL_NAME" + or + name = "i2d_GENERAL_NAMES" + or + name = "i2d_IPAddressChoice" + or + name = "i2d_IPAddressFamily" + or + name = "i2d_IPAddressOrRange" + or + name = "i2d_IPAddressRange" + or + name = "i2d_ISSUER_SIGN_TOOL" + or + name = "i2d_ISSUING_DIST_POINT" + or + name = "i2d_KeyParams" + or + name = "i2d_KeyParams_bio" + or + name = "i2d_NAMING_AUTHORITY" + or + name = "i2d_NETSCAPE_CERT_SEQUENCE" + or + name = "i2d_NETSCAPE_SPKAC" + or + name = "i2d_NETSCAPE_SPKI" + or + name = "i2d_NOTICEREF" + or + name = "i2d_Netscape_RSA" + or + name = "i2d_OCSP_BASICRESP" + or + name = "i2d_OCSP_CERTID" + or + name = "i2d_OCSP_CERTSTATUS" + or + name = "i2d_OCSP_CRLID" + or + name = "i2d_OCSP_ONEREQ" + or + name = "i2d_OCSP_REQINFO" + or + name = "i2d_OCSP_REQUEST" + or + name = "i2d_OCSP_RESPBYTES" + or + name = "i2d_OCSP_RESPDATA" + or + name = "i2d_OCSP_RESPID" + or + name = "i2d_OCSP_RESPONSE" + or + name = "i2d_OCSP_REVOKEDINFO" + or + name = "i2d_OCSP_SERVICELOC" + or + name = "i2d_OCSP_SIGNATURE" + or + name = "i2d_OCSP_SINGLERESP" + or + name = "i2d_OSSL_CMP_MSG" + or + name = "i2d_OSSL_CMP_MSG_bio" + or + name = "i2d_OSSL_CMP_PKIHEADER" + or + name = "i2d_OSSL_CMP_PKISI" + or + name = "i2d_OSSL_CRMF_CERTID" + or + name = "i2d_OSSL_CRMF_CERTTEMPLATE" + or + name = "i2d_OSSL_CRMF_ENCRYPTEDVALUE" + or + name = "i2d_OSSL_CRMF_MSG" + or + name = "i2d_OSSL_CRMF_MSGS" + or + name = "i2d_OSSL_CRMF_PBMPARAMETER" + or + name = "i2d_OSSL_CRMF_PKIPUBLICATIONINFO" + or + name = "i2d_OSSL_CRMF_SINGLEPUBINFO" + or + name = "i2d_OTHERNAME" + or + name = "i2d_PBE2PARAM" + or + name = "i2d_PBEPARAM" + or + name = "i2d_PBKDF2PARAM" + or + name = "i2d_PKCS12" + or + name = "i2d_PKCS12_BAGS" + or + name = "i2d_PKCS12_MAC_DATA" + or + name = "i2d_PKCS12_SAFEBAG" + or + name = "i2d_PKCS12_bio" + or + name = "i2d_PKCS12_fp" + or + name = "i2d_PKCS7" + or + name = "i2d_PKCS7_DIGEST" + or + name = "i2d_PKCS7_ENCRYPT" + or + name = "i2d_PKCS7_ENC_CONTENT" + or + name = "i2d_PKCS7_ENVELOPE" + or + name = "i2d_PKCS7_ISSUER_AND_SERIAL" + or + name = "i2d_PKCS7_NDEF" + or + name = "i2d_PKCS7_RECIP_INFO" + or + name = "i2d_PKCS7_SIGNED" + or + name = "i2d_PKCS7_SIGNER_INFO" + or + name = "i2d_PKCS7_SIGN_ENVELOPE" + or + name = "i2d_PKCS7_bio" + or + name = "i2d_PKCS7_bio_stream" + or + name = "i2d_PKCS7_fp" + or + name = "i2d_PKCS8PrivateKeyInfo_bio" + or + name = "i2d_PKCS8PrivateKeyInfo_fp" + or + name = "i2d_PKCS8PrivateKey_bio" + or + name = "i2d_PKCS8PrivateKey_fp" + or + name = "i2d_PKCS8PrivateKey_nid_bio" + or + name = "i2d_PKCS8PrivateKey_nid_fp" + or + name = "i2d_PKCS8_PRIV_KEY_INFO" + or + name = "i2d_PKCS8_PRIV_KEY_INFO_bio" + or + name = "i2d_PKCS8_PRIV_KEY_INFO_fp" + or + name = "i2d_PKCS8_bio" + or + name = "i2d_PKCS8_fp" + or + name = "i2d_PKEY_USAGE_PERIOD" + or + name = "i2d_POLICYINFO" + or + name = "i2d_POLICYQUALINFO" + or + name = "i2d_PROFESSION_INFO" + or + name = "i2d_PROXY_CERT_INFO_EXTENSION" + or + name = "i2d_PROXY_POLICY" + or + name = "i2d_PUBKEY" + or + name = "i2d_PUBKEY_bio" + or + name = "i2d_PUBKEY_fp" + or + name = "i2d_PrivateKey" + or + name = "i2d_PrivateKey_bio" + or + name = "i2d_PrivateKey_fp" + or + name = "i2d_PublicKey" + or + name = "i2d_RSAPrivateKey" + or + name = "i2d_RSAPrivateKey_bio" + or + name = "i2d_RSAPrivateKey_fp" + or + name = "i2d_RSAPublicKey" + or + name = "i2d_RSAPublicKey_bio" + or + name = "i2d_RSAPublicKey_fp" + or + name = "i2d_RSA_OAEP_PARAMS" + or + name = "i2d_RSA_PSS_PARAMS" + or + name = "i2d_RSA_PUBKEY" + or + name = "i2d_RSA_PUBKEY_bio" + or + name = "i2d_RSA_PUBKEY_fp" + or + name = "i2d_SCRYPT_PARAMS" + or + name = "i2d_SCT_LIST" + or + name = "i2d_SSL_SESSION" + or + name = "i2d_SXNET" + or + name = "i2d_SXNETID" + or + name = "i2d_TS_ACCURACY" + or + name = "i2d_TS_MSG_IMPRINT" + or + name = "i2d_TS_MSG_IMPRINT_bio" + or + name = "i2d_TS_MSG_IMPRINT_fp" + or + name = "i2d_TS_REQ" + or + name = "i2d_TS_REQ_bio" + or + name = "i2d_TS_REQ_fp" + or + name = "i2d_TS_RESP" + or + name = "i2d_TS_RESP_bio" + or + name = "i2d_TS_RESP_fp" + or + name = "i2d_TS_STATUS_INFO" + or + name = "i2d_TS_TST_INFO" + or + name = "i2d_TS_TST_INFO_bio" + or + name = "i2d_TS_TST_INFO_fp" + or + name = "i2d_USERNOTICE" + or + name = "i2d_X509" + or + name = "i2d_X509_ALGOR" + or + name = "i2d_X509_ALGORS" + or + name = "i2d_X509_ATTRIBUTE" + or + name = "i2d_X509_AUX" + or + name = "i2d_X509_CERT_AUX" + or + name = "i2d_X509_CINF" + or + name = "i2d_X509_CRL" + or + name = "i2d_X509_CRL_INFO" + or + name = "i2d_X509_CRL_bio" + or + name = "i2d_X509_CRL_fp" + or + name = "i2d_X509_EXTENSION" + or + name = "i2d_X509_EXTENSIONS" + or + name = "i2d_X509_NAME" + or + name = "i2d_X509_NAME_ENTRY" + or + name = "i2d_X509_PUBKEY" + or + name = "i2d_X509_PUBKEY_bio" + or + name = "i2d_X509_PUBKEY_fp" + or + name = "i2d_X509_REQ" + or + name = "i2d_X509_REQ_INFO" + or + name = "i2d_X509_REQ_bio" + or + name = "i2d_X509_REQ_fp" + or + name = "i2d_X509_REVOKED" + or + name = "i2d_X509_SIG" + or + name = "i2d_X509_VAL" + or + name = "i2d_X509_bio" + or + name = "i2d_X509_fp" + or + name = "i2d_re_X509_CRL_tbs" + or + name = "i2d_re_X509_REQ_tbs" + or + name = "i2d_re_X509_tbs" + or + name = "i2o_SCT" + or + name = "i2o_SCT_LIST" + or + name = "i2s_ASN1_ENUMERATED" + or + name = "i2s_ASN1_ENUMERATED_TABLE" + or + name = "i2s_ASN1_IA5STRING" + or + name = "i2s_ASN1_INTEGER" + or + name = "i2s_ASN1_OCTET_STRING" + or + name = "i2s_ASN1_UTF8STRING" + or + name = "i2t_ASN1_OBJECT" + or + name = "lh_TYPE_delete" + or + name = "lh_TYPE_doall" + or + name = "lh_TYPE_doall_arg" + or + name = "lh_TYPE_error" + or + name = "lh_TYPE_flush" + or + name = "lh_TYPE_free" + or + name = "lh_TYPE_insert" + or + name = "lh_TYPE_new" + or + name = "lh_TYPE_retrieve" + or + name = "lh_delete" + or + name = "lh_doall" + or + name = "lh_doall_arg" + or + name = "lh_error" + or + name = "lh_free" + or + name = "lh_insert" + or + name = "lh_new" + or + name = "lh_node_stats" + or + name = "lh_node_stats_bio" + or + name = "lh_node_usage_stats" + or + name = "lh_node_usage_stats_bio" + or + name = "lh_retrieve" + or + name = "lh_stats" + or + name = "lh_stats_bio" + or + name = "lhash" + or + name = "md5" + or + name = "mdc2" + or + name = "o2i_SCT" + or + name = "o2i_SCT_LIST" + or + name = "pem" + or + name = "pem_password_cb" + or + name = "rand" + or + name = "rc4" + or + name = "ripemd" + or + name = "rsa" + or + name = "s2i_ASN1_IA5STRING" + or + name = "s2i_ASN1_INTEGER" + or + name = "s2i_ASN1_OCTET_STRING" + or + name = "s2i_ASN1_UTF8STRING" + or + name = "sha" + or + name = "sk_TYPE_deep_copy" + or + name = "sk_TYPE_delete" + or + name = "sk_TYPE_delete_ptr" + or + name = "sk_TYPE_dup" + or + name = "sk_TYPE_find" + or + name = "sk_TYPE_find_all" + or + name = "sk_TYPE_find_ex" + or + name = "sk_TYPE_free" + or + name = "sk_TYPE_insert" + or + name = "sk_TYPE_is_sorted" + or + name = "sk_TYPE_new" + or + name = "sk_TYPE_new_null" + or + name = "sk_TYPE_new_reserve" + or + name = "sk_TYPE_num" + or + name = "sk_TYPE_pop" + or + name = "sk_TYPE_pop_free" + or + name = "sk_TYPE_push" + or + name = "sk_TYPE_reserve" + or + name = "sk_TYPE_set" + or + name = "sk_TYPE_set_cmp_func" + or + name = "sk_TYPE_shift" + or + name = "sk_TYPE_sort" + or + name = "sk_TYPE_unshift" + or + name = "sk_TYPE_value" + or + name = "sk_TYPE_zero" + or + name = "ssl" + or + name = "ssl_ct_validation_cb" + or + name = "threads" + or + name = "ui" + or + name = "ui_compat" + or + name = "x509" +} diff --git a/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/PassthroughFunction.qll b/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/PassthroughFunction.qll new file mode 100644 index 00000000000..f772f85afb1 --- /dev/null +++ b/cpp/ql/lib/experimental/cryptography/utils/OpenSSL/PassthroughFunction.qll @@ -0,0 +1,59 @@ +import cpp +import experimental.cryptography.utils.OpenSSL.LibraryFunction +import semmle.code.cpp.ir.dataflow.DataFlow + +// TODO: possible use of extensible predicates here +// NOTE: -1 for outInd represents the return value +predicate knownPassthroughFunction(Function f, int inInd, int outInd) { + // Trace through functions + // See https://www.openssl.org/docs/man1.1.1/man3/OBJ_obj2txt + // https://www.openssl.org/docs/man3.0/man3/EVP_CIPHER_get0_name + openSSLLibraryFunc(f) and + ( + f.getName() in [ + "OBJ_nid2obj", "OBJ_nid2ln", "OBJ_nid2sn", "OBJ_obj2nid", "OBJ_ln2nid", "OBJ_sn2nid", + "OBJ_txt2nid", "OBJ_txt2obj", "OBJ_dup", "EVP_CIPHER_get0_name" + ] and + inInd = 0 and + outInd = -1 + or + f.getName() in ["OBJ_obj2txt", "i2t_ASN1_OBJECT"] and + inInd = 2 and + outInd = 0 + or + // Dup/copy pattern occurs in more places, + //see: https://www.openssl.org/docs/manmaster/man3/EC_KEY_copy.html and https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_CTX_dup.html + f.getName().matches("%_dup") and inInd = 0 and outInd = -1 + or + f.getName().matches("%_copy") and inInd = 0 and outInd = -1 + ) +} + +/** + * `c` is a call to a function that preserves the algorithm but changes its form. + * `onExpr` is the input argument passing through to, `outExpr` is the next expression in a dataflow step associated with `c` + */ +predicate knownPassthoughCall(Call c, Expr inExpr, Expr outExpr) { + exists(int inInd, int outInd | + knownPassthroughFunction(c.getTarget(), inInd, outInd) and + inExpr = c.getArgument(inInd) and + if outInd = -1 then outExpr = c else outExpr = c.getArgument(outInd) + ) +} + +/* + * Explicitly add flow through openssl functions that preserve the algorithm but alter the form (e.g., from NID to string) + */ + +predicate knownPassThroughStep(DataFlow::Node node1, DataFlow::Node node2) { + exists(Expr cur, Expr next | + (cur = node1.asExpr() or cur = node1.asIndirectArgument()) and + ( + next = node2.asExpr() or + next = node2.asIndirectArgument() or + next = node2.asDefiningArgument() + ) + | + exists(Call c | knownPassthoughCall(c, cur, next)) + ) +} diff --git a/cpp/ql/src/experimental/cryptography/example_alerts/UnknownAsymmetricKeyGen.ql b/cpp/ql/src/experimental/cryptography/example_alerts/UnknownAsymmetricKeyGen.ql new file mode 100644 index 00000000000..722449d2fe4 --- /dev/null +++ b/cpp/ql/src/experimental/cryptography/example_alerts/UnknownAsymmetricKeyGen.ql @@ -0,0 +1,19 @@ +/** + * @name Unknown key generation key size + * @description + * @id cpp/unknown-asymmetric-key-gen-size + * @kind problem + * @problem.severity error + * @precision high + * @tags external/cwe/cwe-326 + */ + +import cpp +import experimental.cryptography.Concepts + +from AsymmetricKeyGeneration op, AsymmetricAlgorithm alg +where + alg = op.getAlgorithm() and + not alg instanceof EllipticCurveAlgorithm and + not exists(op.getKeySizeInBits(alg)) +select op, "Use of unknown asymmetric key size for algorithm $@", alg, alg.getName().toString() diff --git a/cpp/ql/src/experimental/cryptography/example_alerts/WeakAsymmetricKeyGen.ql b/cpp/ql/src/experimental/cryptography/example_alerts/WeakAsymmetricKeyGen.ql new file mode 100644 index 00000000000..c11e01acf0c --- /dev/null +++ b/cpp/ql/src/experimental/cryptography/example_alerts/WeakAsymmetricKeyGen.ql @@ -0,0 +1,23 @@ +/** + * @name Weak asymmetric key generation key size (< 2048 bits) + * @description + * @id cpp/weak-asymmetric-key-gen-size + * @kind problem + * @problem.severity error + * @precision high + * @tags external/cwe/cwe-326 + */ + +import cpp +import experimental.cryptography.Concepts + +from AsymmetricKeyGeneration op, AsymmetricAlgorithm alg, Expr configSrc, int size +where + alg = op.getAlgorithm() and + not alg instanceof EllipticCurveAlgorithm and + configSrc = op.getKeyConfigurationSource(alg) and + size = configSrc.getValue().toInt() and + size < 2048 +select op, + "Use of weak asymmetric key size (in bits) " + size + " configured at $@ for algorithm $@", + configSrc, configSrc.toString(), alg, alg.getName().toString() diff --git a/cpp/ql/src/experimental/cryptography/example_alerts/WeakBlockMode.ql b/cpp/ql/src/experimental/cryptography/example_alerts/WeakBlockMode.ql new file mode 100644 index 00000000000..8242bc14438 --- /dev/null +++ b/cpp/ql/src/experimental/cryptography/example_alerts/WeakBlockMode.ql @@ -0,0 +1,34 @@ +/** + * @name Weak block mode + * @description Finds uses of symmetric encryption block modes that are weak, obsolete, or otherwise unaccepted. + * @id cpp/weak-block-mode + * @kind problem + * @problem.severity error + * @precision high + * @tags external/cwe/cwe-327 + */ + +import cpp +import experimental.cryptography.Concepts + +from BlockModeAlgorithm alg, string name, string msg, Expr confSink +where + exists(string tmpMsg | + ( + name = alg.getBlockModeName() and + name = unknownAlgorithm() and + tmpMsg = "Use of unrecognized block mode algorithm." + or + name != unknownAlgorithm() and + name = alg.getBlockModeName() and + not name = ["CBC", "CTS", "XTS"] and + tmpMsg = "Use of weak block mode algorithm " + name + "." + ) and + if alg.hasConfigurationSink() and alg.configurationSink() != alg + then ( + confSink = alg.configurationSink() and msg = tmpMsg + " Algorithm used at sink: $@." + ) else ( + confSink = alg and msg = tmpMsg + ) + ) +select alg, msg, confSink, confSink.toString() diff --git a/cpp/ql/src/experimental/cryptography/example_alerts/WeakEllipticCurve.ql b/cpp/ql/src/experimental/cryptography/example_alerts/WeakEllipticCurve.ql new file mode 100644 index 00000000000..f51795bad95 --- /dev/null +++ b/cpp/ql/src/experimental/cryptography/example_alerts/WeakEllipticCurve.ql @@ -0,0 +1,40 @@ +/** + * @name Weak elliptic curve + * @description Finds uses of weak, unknown, or otherwise unaccepted elliptic curve algorithms. + * @id cpp/weak-elliptic-curve + * @kind problem + * @problem.severity error + * @precision high + * @tags external/cwe/cwe-327 + */ + +import cpp +import experimental.cryptography.Concepts + +from EllipticCurveAlgorithm alg, string name, string msg, Expr confSink +where + exists(string tmpMsg | + ( + name = alg.getCurveName() and + name = unknownAlgorithm() and + tmpMsg = "Use of unrecognized curve algorithm." + or + name != unknownAlgorithm() and + name = alg.getCurveName() and + not name = + [ + "SECP256R1", "PRIME256V1", //P-256 + "SECP384R1", //P-384 + "SECP521R1", //P-521 + "ED25519", "X25519" + ] and + tmpMsg = "Use of weak curve algorithm " + name + "." + ) and + if alg.hasConfigurationSink() and alg.configurationSink() != alg + then ( + confSink = alg.configurationSink() and msg = tmpMsg + " Algorithm used at sink: $@." + ) else ( + confSink = alg and msg = tmpMsg + ) + ) +select alg, msg, confSink, confSink.toString() diff --git a/cpp/ql/src/experimental/cryptography/example_alerts/WeakEncryption.ql b/cpp/ql/src/experimental/cryptography/example_alerts/WeakEncryption.ql new file mode 100644 index 00000000000..d8d5c4e4a56 --- /dev/null +++ b/cpp/ql/src/experimental/cryptography/example_alerts/WeakEncryption.ql @@ -0,0 +1,41 @@ +/** + * @name Weak cryptography + * @description Finds explicit uses of symmetric encryption algorithms that are weak, unknown, or otherwise unaccepted. + * @kind problem + * @id cpp/weak-crypto/banned-encryption-algorithms + * @problem.severity error + * @precision high + * @tags external/cwe/cwe-327 + */ + +import cpp +import experimental.cryptography.Concepts + +from SymmetricEncryptionAlgorithm alg, Expr confSink, string msg +where + exists(string resMsg | + ( + if alg.getEncryptionName() = unknownAlgorithm() + then ( + alg instanceof Literal and + resMsg = + "Use of unrecognized symmetric encryption algorithm: " + + alg.(Literal).getValueText().toString() + "." + or + not alg instanceof Literal and + resMsg = "Use of unrecognized symmetric encryption algorithm." + ) else ( + not alg.getEncryptionName().matches("AES%") and + resMsg = "Use of banned symmetric encryption algorithm: " + alg.getEncryptionName() + "." + ) + ) and + ( + if alg.hasConfigurationSink() and alg.configurationSink() != alg + then ( + confSink = alg.configurationSink() and msg = resMsg + " Algorithm used at sink: $@." + ) else ( + confSink = alg and msg = resMsg + ) + ) + ) +select alg, msg, confSink, confSink.toString() diff --git a/cpp/ql/src/experimental/cryptography/example_alerts/WeakHashes.ql b/cpp/ql/src/experimental/cryptography/example_alerts/WeakHashes.ql new file mode 100644 index 00000000000..8b6835d9b26 --- /dev/null +++ b/cpp/ql/src/experimental/cryptography/example_alerts/WeakHashes.ql @@ -0,0 +1,36 @@ +/** + * @name Weak cryptography + * @description Finds explicit uses of cryptographic hash algorithms that are weak and obsolete. + * @kind problem + * @id cpp/weak-crypto/banned-hash-algorithms + * @problem.severity error + * @precision high + * @tags external/cwe/cwe-327 + */ + +import cpp +import semmle.code.cpp.dataflow.DataFlow as ASTDataFlow +import experimental.cryptography.Concepts + +from HashAlgorithm alg, Expr confSink, string msg +where + exists(string name, string msgTmp | name = alg.getHashName() | + not name = ["SHA256", "SHA384", "SHA512"] and + ( + if name = unknownAlgorithm() + then + not alg instanceof Literal and msgTmp = "Use of unrecognized hash algorithm." + or + alg instanceof Literal and + msgTmp = + "Use of unrecognized hash algorithm: " + alg.(Literal).getValueText().toString() + "." + else msgTmp = "Use of banned hash algorithm " + name + "." + ) and + if alg.hasConfigurationSink() and alg.configurationSink() != alg + then ( + confSink = alg.configurationSink() and msg = msgTmp + " Algorithm used at sink: $@." + ) else ( + confSink = alg and msg = msgTmp + ) + ) +select alg, msg, confSink, confSink.toString() diff --git a/cpp/ql/src/experimental/cryptography/inventory/new_models/AllAsymmetricAlgorithms.ql b/cpp/ql/src/experimental/cryptography/inventory/new_models/AllAsymmetricAlgorithms.ql new file mode 100644 index 00000000000..138664b7665 --- /dev/null +++ b/cpp/ql/src/experimental/cryptography/inventory/new_models/AllAsymmetricAlgorithms.ql @@ -0,0 +1,16 @@ +/** + * @name All Asymmetric Algorithms + * @description Finds all potential usage of asymmeric keys (RSA & ECC) using the supported libraries. + * @kind problem + * @id cpp/quantum-readiness/cbom/all-asymmetric-algorithms + * @problem.severity error + * @precision high + * @tags cbom + * cryptography + */ + +import cpp +import experimental.cryptography.Concepts + +from AsymmetricAlgorithm alg +select alg, "Use of algorithm " + alg.getName() diff --git a/cpp/ql/src/experimental/cryptography/inventory/new_models/AllCryptoAlgorithms.ql b/cpp/ql/src/experimental/cryptography/inventory/new_models/AllCryptoAlgorithms.ql new file mode 100644 index 00000000000..1fe71b00a58 --- /dev/null +++ b/cpp/ql/src/experimental/cryptography/inventory/new_models/AllCryptoAlgorithms.ql @@ -0,0 +1,16 @@ +/** + * @name All Cryptographic Algorithms + * @description Finds all potential usage of cryptographic algorithms usage using the supported libraries. + * @kind problem + * @id cpp/quantum-readiness/cbom/all-cryptographic-algorithms + * @problem.severity error + * @precision high + * @tags cbom + * cryptography + */ + +import cpp +import experimental.cryptography.Concepts + +from CryptographicAlgorithm alg +select alg, "Use of algorithm " + alg.getName() diff --git a/cpp/ql/src/experimental/cryptography/inventory/new_models/AsymmetricEncryptionAlgorithms.ql b/cpp/ql/src/experimental/cryptography/inventory/new_models/AsymmetricEncryptionAlgorithms.ql new file mode 100644 index 00000000000..29e429af95f --- /dev/null +++ b/cpp/ql/src/experimental/cryptography/inventory/new_models/AsymmetricEncryptionAlgorithms.ql @@ -0,0 +1,16 @@ +/** + * @name Asymmetric Encryption Algorithms + * @description Finds all potential usage of asymmeric keys for encryption or key exchange using the supported libraries. + * @kind problem + * @id cpp/quantum-readiness/cbom/all-asymmetric-encryption-algorithms + * @problem.severity error + * @precision high + * @tags cbom + * cryptography + */ + +import cpp +import experimental.cryptography.Concepts + +from AsymmetricEncryptionAlgorithm alg +select alg, "Use of algorithm " + alg.getEncryptionName() diff --git a/cpp/ql/src/experimental/cryptography/inventory/new_models/AsymmetricPaddingAlgorithms.ql b/cpp/ql/src/experimental/cryptography/inventory/new_models/AsymmetricPaddingAlgorithms.ql new file mode 100644 index 00000000000..e12ac07604f --- /dev/null +++ b/cpp/ql/src/experimental/cryptography/inventory/new_models/AsymmetricPaddingAlgorithms.ql @@ -0,0 +1,16 @@ +/** + * @name Asymmetric Padding Schemes + * @description Finds all potential usage of padding schemes used with asymmeric algorithms. + * @kind problem + * @id cpp/quantum-readiness/cbom/asymmetric-padding-schemes + * @problem.severity error + * @tags cbom + * cryptography + */ + +import cpp +import experimental.cryptography.Concepts + +// TODO: currently not modeled for any API +from AsymmetricPadding alg +select alg, "Use of algorithm " + alg.getPaddingName() diff --git a/cpp/ql/src/experimental/cryptography/inventory/new_models/AuthenticatedEncryptionAlgorithms.ql b/cpp/ql/src/experimental/cryptography/inventory/new_models/AuthenticatedEncryptionAlgorithms.ql new file mode 100644 index 00000000000..d855e50ea88 --- /dev/null +++ b/cpp/ql/src/experimental/cryptography/inventory/new_models/AuthenticatedEncryptionAlgorithms.ql @@ -0,0 +1,16 @@ +/** + * @name Authenticated Encryption Algorithms + * @description Finds all potential usage of authenticated encryption schemes using the supported libraries. + * @kind problem + * @id cpp/quantum-readiness/cbom/authenticated-encryption-algorithms + * @problem.severity error + * @precision high + * @tags cbom + * cryptography + */ + +import cpp +import experimental.cryptography.Concepts + +from AuthenticatedEncryptionAlgorithm alg +select alg, "Use of algorithm " + alg.getAuthticatedEncryptionName() diff --git a/cpp/ql/src/experimental/cryptography/inventory/new_models/BlockModeAlgorithms.ql b/cpp/ql/src/experimental/cryptography/inventory/new_models/BlockModeAlgorithms.ql new file mode 100644 index 00000000000..36b5d52a7c1 --- /dev/null +++ b/cpp/ql/src/experimental/cryptography/inventory/new_models/BlockModeAlgorithms.ql @@ -0,0 +1,16 @@ +/** + * @name Block cipher mode of operation + * @description Finds all potential block cipher modes of operations using the supported libraries. + * @kind problem + * @id cpp/quantum-readiness/cbom/block-cipher-mode + * @problem.severity error + * @precision high + * @tags cbom + * cryptography + */ + +import cpp +import experimental.cryptography.Concepts + +from BlockModeAlgorithm alg +select alg, "Use of algorithm " + alg.getBlockModeName() diff --git a/cpp/ql/src/experimental/cryptography/inventory/new_models/BlockModeKnownIVsOrNonces.ql b/cpp/ql/src/experimental/cryptography/inventory/new_models/BlockModeKnownIVsOrNonces.ql new file mode 100644 index 00000000000..6b91e84edba --- /dev/null +++ b/cpp/ql/src/experimental/cryptography/inventory/new_models/BlockModeKnownIVsOrNonces.ql @@ -0,0 +1,17 @@ +/** + * @name Initialization Vector (IV) or nonces + * @description Finds all potential sources for initialization vectors (IV) or nonce used in block ciphers while using the supported libraries. + * @kind problem + * @id cpp/quantum-readiness/cbom/iv-sources + * @problem.severity error + * @precision high + * @tags cbom + * cryptography + */ + +import cpp +import experimental.cryptography.Concepts + +// TODO: currently not modeled for any API +from BlockModeAlgorithm alg +select alg.getIVorNonce(), "Block mode IV/Nonce source" diff --git a/cpp/ql/src/experimental/cryptography/inventory/new_models/BlockModeUnknownIVsOrNonces.ql b/cpp/ql/src/experimental/cryptography/inventory/new_models/BlockModeUnknownIVsOrNonces.ql new file mode 100644 index 00000000000..6acf3bb598f --- /dev/null +++ b/cpp/ql/src/experimental/cryptography/inventory/new_models/BlockModeUnknownIVsOrNonces.ql @@ -0,0 +1,18 @@ +/** + * @name Unknown Initialization Vector (IV) or nonces + * @description Finds all potentially unknown sources for initialization vectors (IV) or nonce used in block ciphers while using the supported libraries. + * @kind problem + * @id cpp/quantum-readiness/cbom/unkown-iv-sources + * @problem.severity error + * @precision high + * @tags cbom + * cryptography + */ + +import cpp +import experimental.cryptography.Concepts + +// TODO: currently not modeled for any API +from BlockModeAlgorithm alg +where not alg.hasIVorNonce() +select alg, "Block mode with unknown IV or Nonce configuration" diff --git a/cpp/ql/src/experimental/cryptography/inventory/new_models/EllipticCurveAlgorithmSize.ql b/cpp/ql/src/experimental/cryptography/inventory/new_models/EllipticCurveAlgorithmSize.ql new file mode 100644 index 00000000000..ad9206b5ba4 --- /dev/null +++ b/cpp/ql/src/experimental/cryptography/inventory/new_models/EllipticCurveAlgorithmSize.ql @@ -0,0 +1,20 @@ +/** + * @name Elliptic Curve Key length + * @description Finds all potential key lengths for elliptic curve algorithms usage. + * @kind problem + * @id cpp/quantum-readiness/cbom/elliptic-curve-key-length + * @problem.severity error + * @precision high + * @tags cbom + * cryptography + */ + +import cpp +import experimental.cryptography.Concepts + +from EllipticCurveAlgorithm alg, string size +where + if not exists(alg.getCurveBitSize()) + then size = "UNKNOWN SIZE" + else size = alg.getCurveBitSize().toString() +select alg, "Use of algorithm " + alg.getCurveName() + " with key size (in bits) " + size diff --git a/cpp/ql/src/experimental/cryptography/inventory/new_models/EllipticCurveAlgorithms.ql b/cpp/ql/src/experimental/cryptography/inventory/new_models/EllipticCurveAlgorithms.ql new file mode 100644 index 00000000000..06aa44cd1bb --- /dev/null +++ b/cpp/ql/src/experimental/cryptography/inventory/new_models/EllipticCurveAlgorithms.ql @@ -0,0 +1,16 @@ +/** + * @name Elliptic Curve Algorithms + * @description Finds all potential usage of elliptic curve algorithms using the supported libraries. + * @kind problem + * @id cpp/quantum-readiness/cbom/elliptic-curve-algorithms + * @problem.severity error + * @precision high + * @tags cbom + * cryptography + */ + +import cpp +import experimental.cryptography.Concepts + +from EllipticCurveAlgorithm alg +select alg, "Use of algorithm " + alg.getCurveName() diff --git a/cpp/ql/src/experimental/cryptography/inventory/new_models/HashingAlgorithms.ql b/cpp/ql/src/experimental/cryptography/inventory/new_models/HashingAlgorithms.ql new file mode 100644 index 00000000000..175ba39e138 --- /dev/null +++ b/cpp/ql/src/experimental/cryptography/inventory/new_models/HashingAlgorithms.ql @@ -0,0 +1,16 @@ +/** + * @name Hash Algorithms + * @description Finds all potential usage of cryptographic hash algorithms using the supported libraries. + * @kind problem + * @id cpp/quantum-readiness/cbom/hash-algorithms + * @problem.severity error + * @precision high + * @tags cbom + * cryptography + */ + +import cpp +import experimental.cryptography.Concepts + +from HashAlgorithm alg +select alg, "Use of algorithm " + alg.getName() diff --git a/cpp/ql/src/experimental/cryptography/inventory/new_models/KeyExchangeAlgorithms.ql b/cpp/ql/src/experimental/cryptography/inventory/new_models/KeyExchangeAlgorithms.ql new file mode 100644 index 00000000000..7f7ceb17c39 --- /dev/null +++ b/cpp/ql/src/experimental/cryptography/inventory/new_models/KeyExchangeAlgorithms.ql @@ -0,0 +1,16 @@ +/** + * @name Key Exchange Algorithms + * @description Finds all potential usage of key exchange using the supported libraries. + * @kind problem + * @id cpp/quantum-readiness/cbom/key-exchange + * @problem.severity error + * @precision high + * @tags cbom + * cryptography + */ + +import cpp +import experimental.cryptography.Concepts + +from KeyExchangeAlgorithm alg +select alg, "Use of algorithm " + alg.getName() diff --git a/cpp/ql/src/experimental/cryptography/inventory/new_models/KnownAsymmetricKeyGeneration.ql b/cpp/ql/src/experimental/cryptography/inventory/new_models/KnownAsymmetricKeyGeneration.ql new file mode 100644 index 00000000000..34fca159fdb --- /dev/null +++ b/cpp/ql/src/experimental/cryptography/inventory/new_models/KnownAsymmetricKeyGeneration.ql @@ -0,0 +1,20 @@ +/** + * @name Known asymmetric key source generation + * @description Finds all known potential sources for asymmetric key generation while using the supported libraries. + * @kind problem + * @id cpp/quantum-readiness/cbom/asymmetric-key-generation + * @problem.severity error + * @precision high + * @tags cbom + * cryptography + */ + +import cpp +import experimental.cryptography.Concepts + +from AsymmetricKeyGeneration op, CryptographicAlgorithm alg, Expr configSrc +where + alg = op.getAlgorithm() and + configSrc = op.getKeyConfigurationSource(alg) +select op, "Key generator for algorithm $@ with key configuration $@", alg, alg.getName(), + configSrc, configSrc.toString() diff --git a/cpp/ql/src/experimental/cryptography/inventory/new_models/SigningAlgorithms.ql b/cpp/ql/src/experimental/cryptography/inventory/new_models/SigningAlgorithms.ql new file mode 100644 index 00000000000..b052e48a664 --- /dev/null +++ b/cpp/ql/src/experimental/cryptography/inventory/new_models/SigningAlgorithms.ql @@ -0,0 +1,17 @@ +/** + * @name Signing Algorithms + * @description Finds all potential usage of signing algorithms using the supported libraries. + * @kind problem + * @id cpp/quantum-readiness/cbom/signing-algorithms + * @problem.severity error + * @precision high + * @tags cbom + * cryptography + */ + +import cpp +import experimental.cryptography.Concepts + +// TODO: currently not modeled for any API +from SigningAlgorithm alg +select alg, "Use of algorithm " + alg.getName() diff --git a/cpp/ql/src/experimental/cryptography/inventory/new_models/SymmetricEncryptionAlgorithms.ql b/cpp/ql/src/experimental/cryptography/inventory/new_models/SymmetricEncryptionAlgorithms.ql new file mode 100644 index 00000000000..2a4c3f1056a --- /dev/null +++ b/cpp/ql/src/experimental/cryptography/inventory/new_models/SymmetricEncryptionAlgorithms.ql @@ -0,0 +1,16 @@ +/** + * @name Symmetric Encryption Algorithms + * @description Finds all potential usage of symmetric encryption algorithms using the supported libraries. + * @kind problem + * @id cpp/quantum-readiness/cbom/symmetric-encryption-algorithms + * @problem.severity error + * @precision high + * @tags cbom + * cryptography + */ + +import cpp +import experimental.cryptography.Concepts + +from SymmetricEncryptionAlgorithm alg +select alg, "Use of algorithm " + alg.getEncryptionName() diff --git a/cpp/ql/src/experimental/cryptography/inventory/new_models/SymmetricPaddingAlgorithms.ql b/cpp/ql/src/experimental/cryptography/inventory/new_models/SymmetricPaddingAlgorithms.ql new file mode 100644 index 00000000000..9b6c34a8698 --- /dev/null +++ b/cpp/ql/src/experimental/cryptography/inventory/new_models/SymmetricPaddingAlgorithms.ql @@ -0,0 +1,16 @@ +/** + * @name Symmetric Padding Schemes + * @description Finds all potential usage of padding schemes used with symmeric algorithms. + * @kind problem + * @id cpp/quantum-readiness/cbom/symmetric-padding-schemes + * @problem.severity error + * @tags cbom + * cryptography + */ + +import cpp +import experimental.cryptography.Concepts + +// TODO: currently not modeled for any API +from SymmetricPadding alg +select alg, "Use of algorithm " + alg.getPaddingName() diff --git a/cpp/ql/src/experimental/cryptography/inventory/new_models/UnknownAsymmetricKeyGeneration.ql b/cpp/ql/src/experimental/cryptography/inventory/new_models/UnknownAsymmetricKeyGeneration.ql new file mode 100644 index 00000000000..63ab3fdcffb --- /dev/null +++ b/cpp/ql/src/experimental/cryptography/inventory/new_models/UnknownAsymmetricKeyGeneration.ql @@ -0,0 +1,19 @@ +/** + * @name Unknown asymmetric key source generation + * @description Finds all unknown potential sources for asymmetric key generation while using the supported libraries. + * @kind problem + * @id cpp/quantum-readiness/cbom/unkwon-asymmetric-key-generation + * @problem.severity error + * @precision high + * @tags cbom + * cryptography + */ + +import cpp +import experimental.cryptography.Concepts + +from AsymmetricKeyGeneration op, CryptographicAlgorithm alg +where + alg = op.getAlgorithm() and + not op.hasKeyConfigurationSource(alg) +select op, "Key generator for algorithm $@ with unknown configuration source", alg, alg.getName() diff --git a/cpp/ql/src/experimental/cryptography/inventory/old_models/readme.md b/cpp/ql/src/experimental/cryptography/inventory/old_models/readme.md new file mode 100644 index 00000000000..c338bbc52e7 --- /dev/null +++ b/cpp/ql/src/experimental/cryptography/inventory/old_models/readme.md @@ -0,0 +1 @@ +No existing 'old models' for inventories \ No newline at end of file diff --git a/python/ql/lib/experimental/cryptography/Concepts.qll b/python/ql/lib/experimental/cryptography/Concepts.qll new file mode 100644 index 00000000000..e7befd8f239 --- /dev/null +++ b/python/ql/lib/experimental/cryptography/Concepts.qll @@ -0,0 +1,6 @@ +import experimental.cryptography.CryptoArtifact +import experimental.cryptography.CryptoAlgorithmNames +import semmle.python.ApiGraphs +import experimental.cryptography.modules.stdlib.HashlibModule as HashLibModule +import experimental.cryptography.modules.stdlib.HmacModule as HMacModule +import experimental.cryptography.modules.CryptographyModule as CryptographyModule diff --git a/python/ql/lib/experimental/cryptography/CryptoAlgorithmNames.qll b/python/ql/lib/experimental/cryptography/CryptoAlgorithmNames.qll new file mode 100644 index 00000000000..937b45b7aac --- /dev/null +++ b/python/ql/lib/experimental/cryptography/CryptoAlgorithmNames.qll @@ -0,0 +1,228 @@ +/** + * Names of known cryptographic algorithms. + * The names are standardized into upper-case, no spaces, dashes or underscores. + */ + +/** + * Returns a string to represent generally unknown algorithms. + * Predicate is to be used to get a consistent string representation + * for unknown algorithms. + */ +string unknownAlgorithm() { result = "UNKNOWN" } + +string getHashType() { result = "HASH" } + +string getSymmetricEncryptionType() { result = "SYMMETRIC_ENCRYPTION" } + +string getAsymmetricEncryptionType() { result = "ASYMMETRIC_ENCRYPTION" } + +string getKeyDerivationType() { result = "KEY_DERIVATION" } + +string getCipherBlockModeType() { result = "BLOCK_MODE" } + +string getSymmetricPaddingType() { result = "SYMMETRIC_PADDING" } + +string getAsymmetricPaddingType() { result = "ASYMMETRIC_PADDING" } + +string getEllipticCurveType() { result = "ELLIPTIC_CURVE" } + +string getSignatureType() { result = "SIGNATURE" } + +string getKeyExchangeType() { result = "KEY_EXCHANGE" } + +predicate isKnownType(string algType) { + algType in [ + getHashType(), getSymmetricEncryptionType(), getAsymmetricEncryptionType(), + getKeyDerivationType(), getCipherBlockModeType(), getSymmetricPaddingType(), + getAsymmetricPaddingType(), getEllipticCurveType(), getSignatureType(), getKeyExchangeType() + ] +} + +predicate isKnownAlgorithm(string name) { isKnownAlgorithm(name, _) } + +predicate isKnownAlgorithm(string name, string algType) { + isHashingAlgorithm(name) and algType = "HASH" + or + isEncryptionAlgorithm(name, algType) and + algType in ["SYMMETRIC_ENCRYPTION", "ASYMMETRIC_ENCRYPTION"] + or + isKeyDerivationAlgorithm(name) and algType = "KEY_DERIVATION" + or + isCipherBlockModeAlgorithm(name) and algType = "BLOCK_MODE" + or + isPaddingAlgorithm(name, algType) and algType in ["SYMMETRIC_PADDING", "ASYMMETRIC_PADDING"] + or + isEllipticCurveAlgorithm(name) and algType = "ELLIPTIC_CURVE" + or + isSignatureAlgorithm(name) and algType = "SIGNATURE" + or + isKeyExchangeAlgorithm(name) and algType = "KEY_EXCHANGE" +} + +/** + * Holds if `name` is a known hashing algorithm in the model/library. + */ +predicate isHashingAlgorithm(string name) { + name = + [ + "BLAKE2", "BLAKE2B", "BLAKE2S", "SHA2", "SHA224", "SHA256", "SHA384", "SHA512", "SHA512224", + "SHA512256", "SHA3", "SHA3224", "SHA3256", "SHA3384", "SHA3512", "SHAKE128", "SHAKE256", + "SM3", "WHIRLPOOL", "POLY1305", "HAVEL128", "MD2", "MD4", "MD5", "PANAMA", "RIPEMD", + "RIPEMD128", "RIPEMD256", "RIPEMD160", "RIPEMD320", "SHA0", "SHA1", "SHA", "MGF1", "MGF1SHA1", + "MDC2", "SIPHASH" + ] +} + +predicate isEncryptionAlgorithm(string name, string algType) { + isAsymmetricEncryptionAlgorithm(name) and algType = "ASYMMETRIC_ENCRYPTION" + or + isSymmetricEncryptionAlgorithm(name) and algType = "SYMMETRIC_ENCRYPTION" +} + +predicate isEncryptionAlgorithm(string name) { isEncryptionAlgorithm(name, _) } + +/** + * Holds if `name` corresponds to a known symmetric encryption algorithm. + */ +predicate isSymmetricEncryptionAlgorithm(string name) { + // NOTE: AES is meant to caputure all possible key lengths + name = + [ + "AES", "AES128", "AES192", "AES256", "ARIA", "BLOWFISH", "BF", "ECIES", "CAST", "CAST5", + "CAMELLIA", "CAMELLIA128", "CAMELLIA192", "CAMELLIA256", "CHACHA", "CHACHA20", + "CHACHA20POLY1305", "GOST", "GOSTR34102001", "GOSTR341094", "GOSTR341194", "GOST2814789", + "GOSTR341194", "GOST2814789", "GOST28147", "GOSTR341094", "GOST89", "GOST94", "GOST34102012", + "GOST34112012", "IDEA", "RABBIT", "SEED", "SM4", "DES", "DESX", "3DES", "TDES", "2DES", + "DES3", "TRIPLEDES", "TDEA", "TRIPLEDEA", "ARC2", "RC2", "ARC4", "RC4", "ARCFOUR", "ARC5", + "RC5", "MAGMA", "KUZNYECHIK" + ] +} + +/** + * Holds if `name` corresponds to a known key derivation algorithm. + */ +predicate isKeyDerivationAlgorithm(string name) { + name = + [ + "ARGON2", "CONCATKDF", "CONCATKDFHASH", "CONCATKDFHMAC", "KBKDFCMAC", "BCRYPT", "HKDF", + "HKDFEXPAND", "KBKDF", "KBKDFHMAC", "PBKDF1", "PBKDF2", "PBKDF2HMAC", "PKCS5", "SCRYPT", + "X963KDF", "EVPKDF" + ] +} + +/** + * Holds if `name` corresponds to a known cipher block mode + */ +predicate isCipherBlockModeAlgorithm(string name) { + name = ["CBC", "GCM", "CCM", "CFB", "OFB", "CFB8", "CTR", "OPENPGP", "XTS", "EAX", "SIV", "ECB"] +} + +/** + * Holds if `name` corresponds to a known padding algorithm + */ +predicate isPaddingAlgorithm(string name, string algType) { + isSymmetricPaddingAlgorithm(name) and algType = "SYMMETRIC_PADDING" + or + isAsymmetricPaddingAlgorithm(name) and algType = "ASYMMETRIC_PADDING" +} + +/** + * holds if `name` corresponds to a known symmetric padding algorithm + */ +predicate isSymmetricPaddingAlgorithm(string name) { name = ["PKCS7", "ANSIX923"] } + +/** + * Holds if `name` corresponds to a known asymmetric padding algorithm + */ +predicate isAsymmetricPaddingAlgorithm(string name) { name = ["OAEP", "PKCS1V15", "PSS", "KEM"] } + +predicate isBrainpoolCurve(string curveName, int keySize) { + // ALL BRAINPOOL CURVES + keySize in [160, 192, 224, 256, 320, 384, 512] and + ( + curveName = "BRAINPOOLP" + keySize.toString() + "R1" + or + curveName = "BRAINPOOLP" + keySize.toString() + "T1" + ) +} + +predicate isSecCurve(string curveName, int keySize) { + // ALL SEC CURVES + keySize in [112, 113, 128, 131, 160, 163, 192, 193, 224, 233, 239, 256, 283, 384, 409, 521, 571] and + exists(string suff | suff in ["R1", "R2", "K1"] | + curveName = "SECT" + keySize.toString() + suff or + curveName = "SECP" + keySize.toString() + suff + ) +} + +predicate isC2Curve(string curveName, int keySize) { + // ALL C2 CURVES + keySize in [163, 176, 191, 208, 239, 272, 304, 359, 368, 431] and + exists(string pre, string suff | + pre in ["PNB", "ONB", "TNB"] and suff in ["V1", "V2", "V3", "V4", "V5", "W1", "R1"] + | + curveName = "C2" + pre + keySize.toString() + suff + ) +} + +predicate isPrimeCurve(string curveName, int keySize) { + // ALL PRIME CURVES + keySize in [192, 239, 256] and + exists(string suff | suff in ["V1", "V2", "V3"] | curveName = "PRIME" + keySize.toString() + suff) +} + +predicate isEllipticCurveAlgorithm(string curveName) { isEllipticCurveAlgorithm(curveName, _) } + +/** + * Holds if `name` corresponds to a known elliptic curve. + */ +predicate isEllipticCurveAlgorithm(string curveName, int keySize) { + isSecCurve(curveName, keySize) + or + isBrainpoolCurve(curveName, keySize) + or + isC2Curve(curveName, keySize) + or + isPrimeCurve(curveName, keySize) + or + curveName = "ES256" and keySize = 256 + or + curveName = "CURVE25519" and keySize = 255 + or + curveName = "X25519" and keySize = 255 + or + curveName = "ED25519" and keySize = 255 + or + curveName = "CURVE448" and keySize = 448 // TODO: need to check the key size + or + curveName = "ED448" and keySize = 448 + or + curveName = "X448" and keySize = 448 + or + curveName = "NUMSP256T1" and keySize = 256 + or + curveName = "NUMSP384T1" and keySize = 384 + or + curveName = "NUMSP512T1" and keySize = 512 +} + +/** + * Holds if `name` corresponds to a known signature algorithm. + */ +predicate isSignatureAlgorithm(string name) { + name = + [ + "DSA", "ECDSA", "EDDSA", "ES256", "ES256K", "ES384", "ES512", "ED25519", "ED448", "ECDSA256", + "ECDSA384", "ECDSA512" + ] +} + +/** + * Holds if `name` is a key exchange algorithm. + */ +predicate isKeyExchangeAlgorithm(string name) { name = ["ECDH", "DIFFIEHELLMAN", "X25519", "X448"] } + +/** + * Holds if `name` corresponds to a known asymmetric encryption. + */ +predicate isAsymmetricEncryptionAlgorithm(string name) { name = ["RSA"] } diff --git a/python/ql/lib/experimental/cryptography/CryptoArtifact.qll b/python/ql/lib/experimental/cryptography/CryptoArtifact.qll new file mode 100644 index 00000000000..fc5c75a4e44 --- /dev/null +++ b/python/ql/lib/experimental/cryptography/CryptoArtifact.qll @@ -0,0 +1,264 @@ +import python +private import semmle.python.ApiGraphs +private import experimental.cryptography.CryptoAlgorithmNames +private import experimental.cryptography.utils.Utils as Utils + +/* + * A cryptographic artifact is a DataFlow::Node associated with some + * operation, algorithm, or any other aspect of cryptography. + */ + +abstract class CryptographicArtifact extends DataFlow::Node { } + +/** + * Associates a symmetric encryption algorithm with a block mode. + * The DataFlow::Node representing this association should be the + * point where the algorithm and block mode are combined. + * This may be at the call to encryption or in the construction + * of an object prior to encryption. + */ +abstract class SymmetricCipher extends CryptographicArtifact { + abstract SymmetricEncryptionAlgorithm getEncryptionAlgorithm(); + + abstract BlockMode getBlockMode(); + + final predicate hasBlockMode() { exists(this.getBlockMode()) } +} + +/** + * A cryptographic operation is a method call that invokes a cryptographic + * algorithm (encrypt/decrypt) or a function in support of a cryptographic algorithm + * (key generation). + * + * Since operations are related to or in support of algorithms, operations must + * provide a reference to their associated algorithm. Often operataions themselves + * encapsulate algorithms, so operations can also extend CryptographicAlgorithm + * and refer to themselves as the target algorithm. + */ +abstract class CryptographicOperation extends CryptographicArtifact, API::CallNode { + bindingset[paramName, ind] + final DataFlow::Node getParameterSource(int ind, string paramName) { + result = Utils::getUltimateSrcFromApiNode(this.(API::CallNode).getParameter(ind, paramName)) + } + + final string getAlgorithmName() { + if exists(this.getAlgorithm().getName()) + then result = this.getAlgorithm().getName() + else result = unknownAlgorithm() + } + + final predicate hasAlgorithm() { exists(this.getAlgorithm()) } + + final predicate isUnknownAlgorithm() { + this.getAlgorithmName() = unknownAlgorithm() + or + not this.hasAlgorithm() + } + + // TODO: this might have to be parameterized by a configuration source for + // situations where an operation is passed an algorithm + abstract CryptographicAlgorithm getAlgorithm(); +} + +/** A key generation operation for asymmetric keys */ +abstract class KeyGen extends CryptographicOperation { + int getAKeySizeInBits() { result = this.getKeySizeInBits(_) } + + final predicate hasKeySize(DataFlow::Node configSrc) { exists(this.getKeySizeInBits(configSrc)) } + + final predicate hasKeySize() { exists(this.getAKeySizeInBits()) } + + abstract DataFlow::Node getKeyConfigSrc(); + + abstract int getKeySizeInBits(DataFlow::Node configSrc); +} + +abstract class AsymmetricKeyGen extends KeyGen { } + +abstract class SymmetricKeyGen extends KeyGen { } + +/** + * A cryptographic algorithm is a `CryptographicArtifact` + * representing a cryptographic algorithm (see `CryptoAlgorithmNames.qll`). + * Cryptographic algorithms can be functions referencing common crypto algorithms (e.g., hashlib.md5) + * or strings that are used in cryptographic operation configurations (e.g., hashlib.new("md5")). + * Cryptogrpahic algorithms may also be operations that wrap or abstract one or + * more algorithms (e.g., cyrptography.fernet.Fernet and AES, CBC and PKCS7). + * + * In principle, this class should model the location where an algorithm enters the program, not + * necessarily where it is used. + */ +abstract class CryptographicAlgorithm extends CryptographicArtifact { + abstract string getName(); + + // TODO: handle case where name isn't known, not just unknown? + /** + * Normalizes a raw name into a normalized name as found in `CryptoAlgorithmNames.qll`. + * Subclassess should override for more api-specific normalization. + * By deafult, converts a raw name to upper-case with no hyphen, underscore, hash, or space. + */ + bindingset[s] + string normalizeName(string s) { + exists(string normStr | normStr = s.toUpperCase().regexpReplaceAll("[-_ ]", "") | + result = normStr and isKnownAlgorithm(result) + or + result = unknownAlgorithm() and not isKnownAlgorithm(normStr) + ) + } +} + +// class UnknownAlgorithm extends DataFlow::Node instanceof CryptographicAlgorithm{ +// UnknownAlgorithm(){ +// super.getName() = unknownAlgorithm() +// } +// } +abstract class HashAlgorithm extends CryptographicAlgorithm { + final string getHashName() { + if exists(string n | n = this.getName() and isHashingAlgorithm(n)) + then isHashingAlgorithm(result) and result = this.getName() + else result = unknownAlgorithm() + } +} + +abstract class KeyDerivationAlgorithm extends CryptographicAlgorithm { + final string getKDFName() { + if exists(string n | n = this.getName() and isKeyDerivationAlgorithm(n)) + then isKeyDerivationAlgorithm(result) and result = this.getName() + else result = unknownAlgorithm() + } +} + +abstract class KeyDerivationOperation extends CryptographicOperation { + DataFlow::Node getIterationSizeSrc() { none() } + + DataFlow::Node getSaltConfigSrc() { none() } + + DataFlow::Node getHashConfigSrc() { none() } + + // TODO: get encryption algorithm for CBC-based KDF? + DataFlow::Node getDerivedKeySizeSrc() { none() } + + DataFlow::Node getModeSrc() { none() } + + // TODO: add more to cover all the parameters of most KDF operations? Perhaps subclass for each type? + abstract predicate requiresIteration(); + + abstract predicate requiresSalt(); + + abstract predicate requiresHash(); + + //abstract predicate requiresKeySize(); // Going to assume all requires a size + abstract predicate requiresMode(); +} + +/** + * A parent class to represent any algorithm for which + * asymmetric cryptography is involved. + * Intended to be distinct from AsymmetricEncryptionAlgorithm + * which is intended only for asymmetric algorithms that specifically encrypt. + */ +abstract class AsymmetricAlgorithm extends CryptographicAlgorithm { } + +abstract class EncryptionAlgorithm extends CryptographicAlgorithm { + final predicate isAsymmetric() { this instanceof AsymmetricEncryptionAlgorithm } + + final predicate isSymmetric() { not this.isAsymmetric() } + // NOTE: DO_NOT add getEncryptionName here, we rely on the fact the parent + // class does not have this common predicate. +} + +/** + * Algorithms directly or indirectly related to asymmetric encryption, + * e.g., RSA, DSA, but also RSA padding algorithms + */ +abstract class AsymmetricEncryptionAlgorithm extends AsymmetricAlgorithm, EncryptionAlgorithm { + final string getEncryptionName() { + if exists(string n | n = this.getName() and isAsymmetricEncryptionAlgorithm(n)) + then isAsymmetricEncryptionAlgorithm(result) and result = this.getName() + else result = unknownAlgorithm() + } +} + +/** + * Algorithms directly or indirectly related to symmetric encryption, + * e.g., AES, DES, but also block modes and padding + */ +abstract class SymmetricEncryptionAlgorithm extends EncryptionAlgorithm { + final string getEncryptionName() { + if exists(string n | n = this.getName() and isSymmetricEncryptionAlgorithm(n)) + then isSymmetricEncryptionAlgorithm(result) and result = this.getName() + else result = unknownAlgorithm() + } + // TODO: add a stream cipher predicate? +} + +// Used only to categorize all padding into a single object, +// DO_NOT add predicates here. Only for categorization purposes. +abstract class PaddingAlgorithm extends CryptographicAlgorithm { } + +abstract class SymmetricPadding extends PaddingAlgorithm { + final string getPaddingName() { + if exists(string n | n = this.getName() and isSymmetricPaddingAlgorithm(n)) + then isSymmetricPaddingAlgorithm(result) and result = this.getName() + else result = unknownAlgorithm() + } +} + +abstract class AsymmetricPadding extends PaddingAlgorithm { + final string getPaddingName() { + if exists(string n | n = this.getName() and isAsymmetricPaddingAlgorithm(n)) + then isAsymmetricPaddingAlgorithm(result) and result = this.getName() + else result = unknownAlgorithm() + } +} + +abstract class EllipticCurveAlgorithm extends AsymmetricAlgorithm { + final string getCurveName() { + if exists(string n | n = this.getName() and isEllipticCurveAlgorithm(n)) + then isEllipticCurveAlgorithm(result) and result = this.getName() + else result = unknownAlgorithm() + } + + final int getCurveBitSize() { isEllipticCurveAlgorithm(this.getCurveName(), result) } +} + +abstract class BlockMode extends CryptographicAlgorithm { + final string getBlockModeName() { + if exists(string n | n = this.getName() and isCipherBlockModeAlgorithm(n)) + then isCipherBlockModeAlgorithm(result) and result = this.getName() + else result = unknownAlgorithm() + } + + /** + * Gets the source of the IV configuration. + */ + abstract DataFlow::Node getIVorNonce(); + + final predicate hasIVorNonce() { exists(this.getIVorNonce()) } +} + +abstract class KeyWrapOperation extends CryptographicOperation { } + +abstract class AuthenticatedEncryptionAlgorithm extends SymmetricEncryptionAlgorithm { + final string getAuthticatedEncryptionName() { + if exists(string n | n = this.getName() and isSymmetricEncryptionAlgorithm(n)) + then isSymmetricEncryptionAlgorithm(result) and result = this.getName() + else result = unknownAlgorithm() + } +} + +abstract class KeyExchangeAlgorithm extends AsymmetricAlgorithm { + final string getKeyExchangeName() { + if exists(string n | n = this.getName() and isKeyExchangeAlgorithm(n)) + then isKeyExchangeAlgorithm(result) and result = this.getName() + else result = unknownAlgorithm() + } +} + +abstract class SigningAlgorithm extends AsymmetricAlgorithm { + final string getSigningName() { + if exists(string n | n = this.getName() and isSignatureAlgorithm(n)) + then isSignatureAlgorithm(result) and result = this.getName() + else result = unknownAlgorithm() + } +} diff --git a/python/ql/lib/experimental/cryptography/modules/CryptographyModule.qll b/python/ql/lib/experimental/cryptography/modules/CryptographyModule.qll new file mode 100644 index 00000000000..405433b0735 --- /dev/null +++ b/python/ql/lib/experimental/cryptography/modules/CryptographyModule.qll @@ -0,0 +1,1036 @@ +import python +import semmle.python.ApiGraphs +import experimental.cryptography.CryptoArtifact +import experimental.cryptography.CryptoAlgorithmNames +import experimental.cryptography.utils.CallCfgNodeWithTarget +private import experimental.cryptography.utils.Utils as Utils + +/** + * Provides models for the `cryptography` PyPI package. + * See https://cryptography.io/en/latest/. + */ +// ----------------------------------------------- +// Hash Artifacts +// https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#module-cryptography.hazmat.primitives.hashes +// ----------------------------------------------- +module Hashes { + /** + * Gets a member access of cryptography.hazmat.primitives.hashes + * that is a hash algorithm invocation. + * `hashName` is the name of the hash algorithm. + */ + // Copying use of nomagic from similar predicate in codeql/main + pragma[nomagic] + DataFlow::Node cryptographyMemberHashAlgorithm(string hashName) { + result = + API::moduleImport("cryptography") + .getMember("hazmat") + .getMember("primitives") + .getMember("hashes") + .getMember(hashName) + .asSource() and + // Don't matches known non-hash members + // https://github.com/pyca/cryptography/blob/main/src/cryptography/hazmat/primitives/hashes.py#L69-L111 + not hashName in [ + "abc", "already_finalized", "ExtendableOutputFunction", "Hash", "HashAlgorithm", + "HashContext", "typing", "utils" + ] and + // Don't match things like __file__ + not hashName.regexpMatch("_.*") + } + + /** + * Identifies hashing algorithm members (i.e., functions) of the `cryptography` module, + * e.g., `cryptography.hazmat.primitives.hashes.SHA256`. + * https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#cryptography.hazmat.primitives.hashes.Hash + */ + class CryptographyGenericHashAlgorithm extends HashAlgorithm { + CryptographyGenericHashAlgorithm() { this = cryptographyMemberHashAlgorithm(_) } + + override string getName() { + exists(string rawName | this = cryptographyMemberHashAlgorithm(rawName) | + result = super.normalizeName(rawName) + ) + } + } + // NOTE: no need to model hashes used for PBKDF2HMAC (and other similar KDF HMAC), the API requires the specified algorithm + // is an instance of `HashAlgorithm` handled by `CryptographyGenericHashArtifact` +} + +// https://cryptography.io/en/latest/hazmat/primitives/key-derivation-functions/#module-cryptography.hazmat.primitives.kdf +module KDF { + DataFlow::Node genericKDFArtifact(API::Node algModule, string algName) { + exists(string member | + algModule = + API::moduleImport("cryptography") + .getMember("hazmat") + .getMember("primitives") + .getMember("kdf") + .getMember(member) + .getMember(algName) and + result = algModule.asSource() and + // https://github.com/pyca/cryptography/tree/main/src/cryptography/hazmat/primitives/kdf + member in ["concatkdf", "hkdf", "kbkdf", "pbkdf2", "scrypt", "x963kdf"] and + algName in [ + "ConcatKDFHash", "ConcatKDFHMAC", "HKDF", "HKDFExpand", "KBKDFCMAC", "KBKDFHMAC", + "PBKDF2HMAC", "Scrypt", "X963KDF" + ] + ) + } + + /** + * Identifies key derivation function members (i.e., functions) of the `cryptography` module + * https://cryptography.io/en/latest/hazmat/primitives/key-derivation-functions/#module-cryptography.hazmat.primitives.kdf + */ + class CryptographyKDFAlgorithm extends KeyDerivationAlgorithm { + CryptographyKDFAlgorithm() { this = genericKDFArtifact(_, _) } + + override string getName() { + exists(string rawName | this = genericKDFArtifact(_, rawName) | + // TODO: is HKDFExpand ok to categorize as HKDF? + result = super.normalizeName(rawName) + ) + } + + API::Node getModule() { this = genericKDFArtifact(result, _) } + } + + API::CallNode getCryptographyKDFOperation(CryptographyKDFAlgorithm kdf) { + result = kdf.getModule().getACall() + } + + class CryptographyKDFOperation extends KeyDerivationOperation { + CryptographyKDFOperation() { this = getCryptographyKDFOperation(_) } + + override KeyDerivationAlgorithm getAlgorithm() { this = getCryptographyKDFOperation(result) } + + override predicate requiresHash() { this.getAlgorithm().getKDFName() != "KBKDFCMAC" } + + override predicate requiresMode() { + this.getAlgorithm().getKDFName() in ["KBKDFCMAC", "KBKDFHMAC"] + } + + override predicate requiresSalt() { + this.getAlgorithm().getKDFName() in ["PBKDF2HMAC", "CONCATKDFHMAC", "HKDF"] + } + + override predicate requiresIteration() { this.getAlgorithm().getKDFName() in ["PBKDF2HMAC"] } + + override DataFlow::Node getIterationSizeSrc() { + if this.requiresIteration() + then + // ASSUMPTION: ONLY EVER in arg 3 in PBKDF2HMAC + result = Utils::getUltimateSrcFromApiNode(this.getParameter(3, "iterations")) + else none() + } + + override DataFlow::Node getSaltConfigSrc() { + if this.requiresSalt() + then + // SCRYPT has it in arg 1 + if this.getAlgorithm().getKDFName() = "SCRYPT" + then result = Utils::getUltimateSrcFromApiNode(this.getParameter(1, "salt")) + else + // EVERYTHING ELSE that uses salt is in arg 2 + result = Utils::getUltimateSrcFromApiNode(this.getParameter(2, "salt")) + else none() + } + + override DataFlow::Node getHashConfigSrc() { + if this.requiresHash() + then + // ASSUMPTION: ONLY EVER in arg 0 + result = Utils::getUltimateSrcFromApiNode(this.getParameter(0, "algorithm")) + else none() + } + + // TODO: get encryption algorithm for CBC-based KDF? + override DataFlow::Node getDerivedKeySizeSrc() { + if this.getAlgorithm().getKDFName() in ["KBKDFHMAC", "KBKDFCMAC"] + then result = Utils::getUltimateSrcFromApiNode(this.getParameter(2, "length")) + else result = Utils::getUltimateSrcFromApiNode(this.getParameter(1, "length")) + } + + override DataFlow::Node getModeSrc() { + if this.requiresMode() + then + // ASSUMPTION: ONLY EVER in arg 1 + result = Utils::getUltimateSrcFromApiNode(this.getParameter(1, "mode")) + else none() + } + } +} + +module Encryption { + /** + * https://cryptography.io/en/latest/hazmat/primitives/aead/#module-cryptography.hazmat.primitives.ciphers.aead + * https://cryptography.io/en/latest/fernet/ + * https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/ + */ + module SymmetricEncryption { + // https://cryptography.io/en/latest/hazmat/primitives/keywrap/ + module KeyWrap { + // TODO: what padding mode is used by default? + DataFlow::Node genericKeyWrapArtifact() { + exists(string opName | + result = + API::moduleImport("cryptography") + .getMember("hazmat") + .getMember("primitives") + .getMember("keywrap") + .getMember(opName) + .getACall() and + opName in [ + "aes_key_wrap", "aes_key_wrap_with_padding", "aes_key_unwrap", + "aes_key_unwrap_with_padding" + ] + ) + } + + class CryptographyKeyWrap extends KeyWrapOperation, SymmetricEncryptionAlgorithm, BlockMode, + SymmetricCipher + { + CryptographyKeyWrap() { this = genericKeyWrapArtifact() } + + override string getName() { + //Cryptography Key Wrap Artifact's use ECB block mode by default: + // https://github.com/pyca/cryptography/blob/main/src/cryptography/hazmat/primitives/keywrap.py#L14 + result = super.normalizeName("ECB") + or + // TODO: the actual AES used is dependent on the key size, get key size and set name accordingly + // Only allowed key sizes: + // https://github.com/pyca/cryptography/blob/main/src/cryptography/hazmat/primitives/keywrap.py#L38-L54 + result = super.normalizeName("AES") + } + + /** + * ECB mode is effectively no block mode and no IV is associated with this mode. + */ + override DataFlow::Node getIVorNonce() { none() } + + override SymmetricEncryptionAlgorithm getEncryptionAlgorithm() { result = this } + + override BlockMode getBlockMode() { result = this } + + override CryptographicAlgorithm getAlgorithm() { result = this } + } + } + + /** + * Authenticated Encryption Artifacts + * https://cryptography.io/en/latest/hazmat/primitives/aead/#module-cryptography.hazmat.primitives.ciphers.aead + */ + module AuthenticatedEncryption { + API::Node genericAEADAPINode(string algName) { + result = + API::moduleImport("cryptography") + .getMember("hazmat") + .getMember("primitives") + .getMember("ciphers") + .getMember("aead") + .getMember(algName) and + algName in ["AESGCM", "AESCCM", "AESOCB3", "AESSIV", "ChaCha20Poly1305"] + } + + DataFlow::Node genericAEADArtifact(API::Node algModule, string algName) { + algModule = genericAEADAPINode(algName) and + result = algModule.asSource() + } + + class CryptographyAEAD extends BlockMode, AuthenticatedEncryptionAlgorithm, SymmetricCipher { + CryptographyAEAD() { this = genericAEADArtifact(_, _) } + + API::Node getMember(string memberName) { result = this.getModule().getMember(memberName) } + + API::Node getModule() { this = genericAEADArtifact(result, _) } + + override string getName() { + exists(string rawName | genericAEADArtifact(_, rawName) = this | + result = this.normalizedBlockNames(rawName) or + result = this.normalizedEncryptionName(rawName) + ) + } + + bindingset[rawName] + string normalizedBlockNames(string rawName) { + // https://cryptography.io/en/latest/hazmat/primitives/aead/#module-cryptography.hazmat.primitives.ciphers.aead + if rawName = "AESGCM" + then result = super.normalizeName("GCM") + else + if rawName = "AESCCM" + then result = super.normalizeName("CCM") + else + if rawName = "AESOCB3" + then result = super.normalizeName("OCB") + else + if rawName = "AESSIV" + then result = super.normalizeName("SIV") + else result = super.normalizeName(rawName) + } + + bindingset[rawName] + string normalizedEncryptionName(string rawName) { + if rawName.matches("AES%") + then result = super.normalizeName("AES") + else result = super.normalizeName(rawName) + } + + /** + * Since the IV/Nonce is dependent on the API, we could attempt a dataflow to derive + * what it is internal to the library, but instead we take the stance that + * the IV/Nonce is non-existent/unknown to simplify analyses and to be + * safe in case of API changes. Uses of this API must therefore be + * individually assessed for correct IV use. + */ + override DataFlow::Node getIVorNonce() { none() } + + override SymmetricEncryptionAlgorithm getEncryptionAlgorithm() { result = this } + + override BlockMode getBlockMode() { result = this } + } + + DataFlow::Node genericAEADKeyGen(CryptographyAEAD aead) { + aead.getMember("generate_key").getACall() = result + } + + class CryptographyAEADKeyGen extends SymmetricKeyGen { + CryptographyAEADKeyGen() { this = genericAEADKeyGen(_) } + + override CryptographyAEAD getAlgorithm() { this = genericAEADKeyGen(result) } + + override int getKeySizeInBits(DataFlow::Node configSrc) { + if this.getAlgorithm().getAuthticatedEncryptionName() = "ChaCha20Poly1305 " + then result = 32 * 8 + else ( + result = configSrc.asExpr().(IntegerLiteral).getValue() and + configSrc = this.getKeyConfigSrc() + ) + } + + DataFlow::Node keyBitLengthSrc() { + result = + Utils::getUltimateSrcFromApiNode(this.(API::CallNode).getParameter(0, "bit_length")) + } + + override DataFlow::Node getKeyConfigSrc() { + result = this.keyBitLengthSrc() + or + not exists(this.keyBitLengthSrc()) and result = this + } + } + } + + /** + * https://cryptography.io/en/latest/fernet/ + */ + module Fernet { + DataFlow::Node fernetConstructor() { + exists(string member | member = ["Fernet", "MultiFernet"] | + result = + API::moduleImport("cryptography").getMember("fernet").getMember(member).getACall() + ) + } + + class CryptographyFernet extends SymmetricPadding, BlockMode, SymmetricEncryptionAlgorithm, + SymmetricCipher + { + CryptographyFernet() { this = fernetConstructor() } + + override string getName() { + result = super.normalizeName("PKCS7") or + result = super.normalizeName("AES128") or + result = super.normalizeName("CBC") + } + + /** + * Since the IV/Nonce is dependent on the API, we could attempt a dataflow to derive + * what it is internal to the library, but instead we take the stance that + * the IV/Nonce is non-existent/unknown to simplify analyses and to be + * safe in case of API changes. Uses of this API must therefore be + * individually assessed for correct IV use. + * + * The current API shows the IV is set via os.urandom: + * https://github.com/pyca/cryptography/blob/main/src/cryptography/fernet.py + */ + override DataFlow::Node getIVorNonce() { none() } + + override SymmetricEncryptionAlgorithm getEncryptionAlgorithm() { result = this } + + override BlockMode getBlockMode() { result = this } + } + + API::CallNode fernetKeyGen(CryptographyFernet fernetCall) { + result = fernetCall.(API::CallNode).getReturn().getMember("generate_key").getACall() + } + + /** + * https://cryptography.io/en/latest/fernet/#cryptography.fernet.Fernet.generate_key + */ + class FernetKeyGen extends SymmetricKeyGen { + FernetKeyGen() { this = fernetKeyGen(_) } + + override DataFlow::Node getKeyConfigSrc() { result = this } + + override int getKeySizeInBits(DataFlow::Node configSrc) { + // https://github.com/pyca/cryptography/blob/main/src/cryptography/fernet.py#L44 + // requires a 256 bit key, but only uses half of it for 128 bit encryption/signing + result = 128 and + configSrc = this + } + + override CryptographyFernet getAlgorithm() { this = fernetKeyGen(result) } + } + // NOTE: not implementing MultiFernet since it operates on Fernet which is already modeled: + // https://cryptography.io/en/latest/fernet/#cryptography.fernet.MultiFernet + } + + // https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#module-cryptography.hazmat.primitives.ciphers.modes + module GenericCryptoArtifact { + DataFlow::Node genericBlockMode(string name) { + // getACall since the typical case is to construct the block mode with initialization values + // not to pass the mode uninitialized + result = + API::moduleImport("cryptography") + .getMember("hazmat") + .getMember("primitives") + .getMember("ciphers") + .getMember("modes") + .getMember(name) + .getACall() and + not name.regexpMatch("_.*") + } + + // https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#module-cryptography.hazmat.primitives.ciphers.modes + class CryptographyGenericBlockMode extends BlockMode { + CryptographyGenericBlockMode() { this = genericBlockMode(_) } + + override string getName() { + exists(string rawName | this = genericBlockMode(rawName) | + result = super.normalizeName(rawName) + ) + } + + override DataFlow::Node getIVorNonce() { + exists(string paramName | paramName = ["initialization_vector", "nonce"] | + result = + Utils::getUltimateSrcFromApiNode(this.(API::CallNode).getParameter(0, paramName)) + ) + } + } + + DataFlow::Node genericSymmetricEncryptionArtifact(string name) { + // getCall since the typical case is to construct the algorithm with initialization values (e.g., keys) + // not to pass the mode uninitialized + result = + API::moduleImport("cryptography") + .getMember("hazmat") + .getMember("primitives") + .getMember("ciphers") + .getMember("algorithms") + .getMember(name) + .getACall() and + not name.regexpMatch("_.*") + } + + class CrytographyGenericSymmetricEncryption extends SymmetricEncryptionAlgorithm { + CrytographyGenericSymmetricEncryption() { this = genericSymmetricEncryptionArtifact(_) } + + override string getName() { + exists(string rawName | this = genericSymmetricEncryptionArtifact(rawName) | + result = super.normalizeName(rawName) + ) + } + } + + // class CryptographcyGenericSymmetricKeyGen extends SymmetricKeyGen{ + // CryptographcyGenericSymmetricKeyGen(){ + // this = genericSymmetricEncryptionArtifact(_) + // } + // override DataFlow::Node getKeyConfigSrc(){ + // result = this.(API::CallNode).getParameter(0, "key").getAValueReachingSink() + // } + // override int getKeySizeInBits(DataFlow::Node configSrc){ + // // TODO: if/else over all posibilities + // } + // override string getAlgorithmName() { + // exists(SymmetricEncryptionAlgorithm a, string algName | + // this = genericSymmetricEncryptionArtifact(algName) and + // a = genericSymmetricEncryptionArtifact(algName) and + // result = a.normalizeName(algName) + // ) + // } + // } + /** + * Gets a symmetric padding operation: + * https://cryptography.io/en/latest/hazmat/primitives/padding/#module-cryptography.hazmat.primitives.padding + */ + DataFlow::Node genericSymmetricPadding(string name) { + // getACall since the typical case is to construct the padding with initialization values, + // not to pass the mode uninitialized + result = + API::moduleImport("cryptography") + .getMember("hazmat") + .getMember("primitives") + .getMember("ciphers") + .getMember("padding") + .getMember(name) + .getACall() and + name != "PaddingContext" and + not name.regexpMatch("_.*") + } + + class CryptographyGenericSymmetricPadding extends SymmetricPadding { + CryptographyGenericSymmetricPadding() { this = genericSymmetricPadding(_) } + + override string getName() { + exists(string rawName | this = genericSymmetricPadding(rawName) | + result = super.normalizeName(rawName) + ) + } + } + + /** + * https://cryptography.io/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.Cipher + */ + class CyrptographyGenericCipher extends SymmetricCipher { + CyrptographyGenericCipher() { + this = + API::moduleImport("cryptography") + .getMember("hazmat") + .getMember("primitives") + .getMember("ciphers") + .getMember("Cipher") + .getACall() + } + + override SymmetricEncryptionAlgorithm getEncryptionAlgorithm() { + result = + Utils::getUltimateSrcFromApiNode(this.(API::CallNode).getParameter(0, "algorithm")) + } + + override BlockMode getBlockMode() { + result = Utils::getUltimateSrcFromApiNode(this.(API::CallNode).getParameter(1, "mode")) + } + } + } + } + + module AsymmetricEncryption { + module RSA { + /** + * Returns a member of cryptography asymmetric padding module that is + * a padding algorithm (filteres out non-padding members) + */ + DataFlow::CallCfgNode cryptographyAsymmetricPadding(string name) { + // getACall since the typical case is to construct the padding with initialization values, + // not to pass the mode uninitialized + result = + API::moduleImport("cryptography") + .getMember("hazmat") + .getMember("primitives") + .getMember("asymmetric") + .getMember("padding") + .getMember(name) + .getACall() and + ( + name = "PKCS1v15" or + name = "OAEP" or + name = "PSS" + ) + } + + /** + * A cryptography asymmetric padding algorithm. + */ + class CryptographyAsymmetricPadding extends AsymmetricPadding { + CryptographyAsymmetricPadding() { this = cryptographyAsymmetricPadding(_) } + + override string getName() { + exists(string rawName | this = cryptographyAsymmetricPadding(rawName) | + result = super.normalizeName(rawName) + ) + } + } + + API::CallNode getRSAKeyGenCall() { + result = + API::moduleImport("cryptography") + .getMember("hazmat") + .getMember("primitives") + .getMember("asymmetric") + .getMember("rsa") + .getMember("generate_private_key") + .getACall() + } + + API::CallNode getRSAKeyLoadCall() { + result = + API::moduleImport("cryptography") + .getMember("hazmat") + .getMember("primitives") + .getMember("serialization") + .getMember("load_pem_private_key") + .getACall() + } + + API::Node getRSAPrivateKey() { + result = getRSAKeyGenCall().getReturn() + or + result = getRSAKeyLoadCall().getReturn() + } + + API::Node getRSAPublicKey() { + result = getRSAPrivateKey().getMember("public_key").getACall().getReturn() + } + + DataFlow::Node getRSASignCall() { result = getRSAPrivateKey().getMember("sign").getACall() } + + DataFlow::Node getRSAVerifyCall() { + result = getRSAPublicKey().getMember("verify").getACall() + } + + DataFlow::Node getRSAEncryptCall() { + result = getRSAPublicKey().getMember("encrypt").getACall() + } + + DataFlow::Node getRSADecryptCall() { + result = getRSAPrivateKey().getMember("decrypt").getACall() + } + + /** + * Finds the parameter DataFlow::Node representing padding for all RSA operations + * that accept a padding parameter. + */ + API::Node getRSAPaddingParameter(API::CallNode c) { + c = getRSASignCall() and result = c.(API::CallNode).getParameter(1, "padding") + or + c = getRSAVerifyCall() and result = c.(API::CallNode).getParameter(2, "padding") + or + c = getRSAEncryptCall() and result = c.(API::CallNode).getParameter(1, "padding") + or + c = getRSADecryptCall() and result = c.(API::CallNode).getParameter(1, "padding") + } + + predicate isRSAPaddingCall(API::CallNode c) { + c = getRSASignCall() or + c = getRSAVerifyCall() or + c = getRSAEncryptCall() or + c = getRSADecryptCall() + } + + /** + * All unknown padding algorithms determined by + * tracing RSA operations that accept a padding parameter back to their source. + * If the source is not `cryptographyAsymmetricPadding`, then mark it as unknown. + */ + class UnknownRSAOperationAsymmetricPadding extends AsymmetricPadding { + UnknownRSAOperationAsymmetricPadding() { + // Either the padding parameter is known and it isn't a member of cryptographyAsymmetricPadding + // or the padding parameter does not exist, and the operation itself will be considered the + // source of an unknown padding algorithm. + exists(API::CallNode c, API::Node p | isRSAPaddingCall(c) | + p = getRSAPaddingParameter(c) and + this = Utils::getUltimateSrcFromApiNode(p) and + not this = cryptographyAsymmetricPadding(_) + or + not exists(getRSAPaddingParameter(c)) and + this = c + ) + } + + override string getName() { result = unknownAlgorithm() } + } + + /** + * The result of a RSA key generation operation + */ + class CryptographyRSAKeyGen extends AsymmetricKeyGen, AsymmetricEncryptionAlgorithm { + CryptographyRSAKeyGen() { this = getRSAKeyGenCall() } + + override DataFlow::Node getKeyConfigSrc() { + result = + Utils::getUltimateSrcFromApiNode(this.(API::CallNode).getParameter(1, "key_size")) + } + + override int getKeySizeInBits(DataFlow::Node configSrc) { + result = configSrc.asExpr().(IntegerLiteral).getValue() and + configSrc = this.getKeyConfigSrc() + } + + override AsymmetricEncryptionAlgorithm getAlgorithm() { result = this } + + override string getName() { result = super.normalizeName("RSA") } + } + + /** + * Identifies an RSA operation or artifact. + * https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#module-cryptography.hazmat.primitives.asymmetric.rsa + * Since the use of such an operation or artifact infers the algorithm all + * operations/artifacts are identified as an RSA algorithm + */ + class CryptographyRSAAlgorithm extends AsymmetricEncryptionAlgorithm { + CryptographyRSAAlgorithm() { + this = + API::moduleImport("cryptography") + .getMember("hazmat") + .getMember("primitives") + .getMember("asymmetric") + .getMember("rsa") + .getAMember*() + .asSource() + } + + override string getName() { result = super.normalizeName("RSA") } + } + } + + module EllipticCurve { + /** + * Gets a call to an elliptic curve key generation operation + */ + DataFlow::Node getEllipticCurveKeyGenCall() { + result = + API::moduleImport("cryptography") + .getMember("hazmat") + .getMember("primitives") + .getMember("asymmetric") + .getMember("ec") + .getMember("generate_private_key") + .getACall() + } + + /** + * Gets a predefined curve class constructor call from + * `cryptography.hazmat.primitives.asymmetric.ec` + * https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec/#elliptic-curves + */ + DataFlow::Node predefinedCurveClass(string curveName) { + // getACall since the typical case is to construct the curve with initialization values, + // not to pass the mode uninitialized + result = + API::moduleImport("cryptography") + .getMember("hazmat") + .getMember("primitives") + .getMember("asymmetric") + .getMember("ec") + .getMember(curveName) + .getACall() and + curveName = + [ + "SECP256R1", "SECP384R1", "SECP521R1", "SECP224R1", "SECP192R1", "SECP256K1", + "BrainpoolP256R1", "BrainpoolP384R1", "BrainpoolP512R1", "SECT571K1", "SECT409K1", + "SECT283K1", "SECT233K1", "SECT163K1", "SECT571R1", "SECT409R1", "SECT283R1", + "SECT233R1", "SECT163R2" + ] + } + + /** + * Gets calls to EllipticCurvePublicNumbers + * https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec/#cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers + */ + DataFlow::Node getEllipticCurvePublicNumbersCall() { + result = + API::moduleImport("cryptography") + .getMember("hazmat") + .getMember("primitives") + .getMember("asymmetric") + .getMember("ec") + .getMember("EllipticCurvePublicNumbers") + .getACall() + } + + /** + * Gets calls to derive_private_key + * https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec/#cryptography.hazmat.primitives.asymmetric.ec.derive_private_key + */ + DataFlow::Node getEllipticCurveDerivePrivateKeyCall() { + result = + API::moduleImport("cryptography") + .getMember("hazmat") + .getMember("primitives") + .getMember("asymmetric") + .getMember("ec") + .getMember("derive_private_key") + .getACall() + } + + /** + * An elliptic curve key generation operation + */ + class CryptographyEllipticCurveKeyGen extends AsymmetricKeyGen { + CryptographyEllipticCurveKeyGen() { this = getEllipticCurveKeyGenCall() } + + override DataFlow::Node getKeyConfigSrc() { + result = Utils::getUltimateSrcFromApiNode(this.(API::CallNode).getParameter(0, "curve")) + } + + override EllipticCurveAlgorithm getAlgorithm() { result = this.getKeyConfigSrc() } + + override int getKeySizeInBits(DataFlow::Node configSrc) { + // TODO/NOTE: there is a general issue if config sources are defined as calls vs general dataflow nodes + // The issue is if defined asSource, a call may be seen as the source, hence, this predicate + // and others like it, will not resolve, since there is no satisfying configSrc (there is a mismatch + // as observed is a call, and the Curve is actually defined using `asSource`.) + // We need to find a generalized solution to be able to have both cases happen and rely upon + // getting algorithms consistently. + isEllipticCurveAlgorithm(configSrc.(EllipticCurveAlgorithm).getCurveName(), result) + } + } + + /** + * Any operation that takes in a Curve, trace the curve back to its ultimate source + * and if it is not a known curve, the curve is considered unknown an a member of this class. + */ + class CryptographyUnknownEllipticCurve extends EllipticCurveAlgorithm { + CryptographyUnknownEllipticCurve() { + ( + Utils::getUltimateSrcFromApiNode(getEllipticCurvePublicNumbersCall() + .(API::CallNode) + .getParameter(2, "curve")) = this + or + Utils::getUltimateSrcFromApiNode(getEllipticCurveKeyGenCall() + .(API::CallNode) + .getParameter(0, "curve")) = this + or + Utils::getUltimateSrcFromApiNode(getEllipticCurveDerivePrivateKeyCall() + .(API::CallNode) + .getParameter(1, "curve")) = this + ) and + not predefinedCurveClass(_) = this + } + + override string getName() { result = unknownAlgorithm() } + } + + /** + * An elliptic curve as defined in this cryptography.hazmat.primitives.asymmetric.ec module. + * Includes all members of the module thata are elliptic curves (filters out non-curve members) + */ + class CryptographyEllipticCurveAlgorithm extends EllipticCurveAlgorithm { + CryptographyEllipticCurveAlgorithm() { this = predefinedCurveClass(_) } + + override string getName() { + exists(string rawName | this = predefinedCurveClass(rawName) | + result = super.normalizeName(rawName) + ) + } + } + } + + module DiffieHellman { + /** + * Any diffie-hellman module operation or artifact. + * https://cryptography.io/en/latest/hazmat/primitives/asymmetric/dh/#diffie-hellman-key-exchange + * + * Since the algorithm is hidden within all operations, all operations are identified by this class. + */ + class CryptographyDiffieHellmanAlgorithm extends KeyExchangeAlgorithm { + CryptographyDiffieHellmanAlgorithm() { + this = + API::moduleImport("cryptography") + .getMember("hazmat") + .getMember("primitives") + .getMember("asymmetric") + .getMember("dh") + .getAMember*() + .asSource() + } + + override string getName() { result = super.normalizeName("DiffieHellman") } + } + + class CrytographyDiffieHellmanKeyGen extends AsymmetricKeyGen, KeyExchangeAlgorithm { + CrytographyDiffieHellmanKeyGen() { + this = + API::moduleImport("cryptography") + .getMember("hazmat") + .getMember("primitives") + .getMember("asymmetric") + .getMember("dh") + .getMember("generate_parameters") + .getACall() + } + + override string getName() { result = super.normalizeName("DiffieHellman") } + + override DataFlow::Node getKeyConfigSrc() { + result = + Utils::getUltimateSrcFromApiNode(this.(API::CallNode).getParameter(1, "key_size")) + } + + override int getKeySizeInBits(DataFlow::Node configSrc) { + result = configSrc.asExpr().(IntegerLiteral).getValue() and + configSrc = this.getKeyConfigSrc() + } + + override KeyExchangeAlgorithm getAlgorithm() { result = this } + } + + class CryptographyX25519 extends KeyExchangeAlgorithm, AsymmetricKeyGen, + EllipticCurveAlgorithm + { + CryptographyX25519() { + this = + API::moduleImport("cryptography") + .getMember("hazmat") + .getMember("primitives") + .getMember("asymmetric") + .getMember("x25519") + .getAMember*() + .asSource() + } + + override string getName() { + result = super.normalizeName("DiffieHellman") + or + result = super.normalizeName("Curve25519") + } + + override DataFlow::Node getKeyConfigSrc() { result = this } + + override int getKeySizeInBits(DataFlow::Node configSrc) { + isEllipticCurveAlgorithm(this.getCurveName(), result) and + configSrc = this + } + + override CryptographicAlgorithm getAlgorithm() { result = this } + } + + /** + * Identifies the key exchange algorithm from x448 API: + * https://cryptography.io/en/latest/hazmat/primitives/asymmetric/x448/#x448 + * + * Modeling as both an operation and algorithm because the algorithm is hidden + * within all operations. All operations are therefore modeled by this class. + */ + class CryptographyX448 extends KeyExchangeAlgorithm, AsymmetricKeyGen, EllipticCurveAlgorithm { + CryptographyX448() { + this = + API::moduleImport("cryptography") + .getMember("hazmat") + .getMember("primitives") + .getMember("asymmetric") + .getMember("x448") + .getAMember*() + .asSource() + } + + override string getName() { + result = super.normalizeName("DiffieHellman") + or + result = super.normalizeName("Curve448") + } + + override DataFlow::Node getKeyConfigSrc() { result = this } + + override int getKeySizeInBits(DataFlow::Node configSrc) { + isEllipticCurveAlgorithm(this.getCurveName(), result) and + configSrc = this + } + + override CryptographicAlgorithm getAlgorithm() { result = this } + } + } + + module Signing { + class CryptographyDSAKeyGen extends AsymmetricKeyGen, SigningAlgorithm { + CryptographyDSAKeyGen() { + exists(string op | op = ["generate_private_key", "generate_parameters"] | + this = + API::moduleImport("cryptography") + .getMember("hazmat") + .getMember("primitives") + .getMember("asymmetric") + .getMember("dsa") + .getMember(op) + .getACall() + ) + } + + override DataFlow::Node getKeyConfigSrc() { + result = + Utils::getUltimateSrcFromApiNode(this.(API::CallNode).getParameter(0, "key_size")) + } + + override int getKeySizeInBits(DataFlow::Node configSrc) { + result = configSrc.asExpr().(IntegerLiteral).getValue() and + configSrc = this.getKeyConfigSrc() + } + + override SigningAlgorithm getAlgorithm() { result = this } + + override string getName() { result = super.normalizeName("DSA") } + } + + /** + * Identifies the signing algorithm from the ed25519 signing API: + * https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ed25519/#ed25519-signing + * + * Modeling as both an operation and algorithm because the algorithm is hidden + * within all operations. All operations are therefore modeled by this class. + */ + class CryptographyED25519 extends SigningAlgorithm, AsymmetricKeyGen, EllipticCurveAlgorithm { + CryptographyED25519() { + this = + API::moduleImport("cryptography") + .getMember("hazmat") + .getMember("primitives") + .getMember("asymmetric") + .getMember("ed25519") + .getAMember*() + .asSource() + } + + override string getName() { + result = super.normalizeName("EDDSA") + or + result = super.normalizeName("Curve25519") + } + + override DataFlow::Node getKeyConfigSrc() { result = this } + + override int getKeySizeInBits(DataFlow::Node configSrc) { + isEllipticCurveAlgorithm(this.getCurveName(), result) and + configSrc = this + } + + override CryptographicAlgorithm getAlgorithm() { result = this } + } + + /** + * Identifies the signing algorithm from the ed448 signing API: + * https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ed448/#ed448-signing + * + * Modeling as both an operation and algorithm because the algorithm is hidden + * within all operations. All operations are therefore modeled by this class. + */ + class CryptographyED448 extends SigningAlgorithm, AsymmetricKeyGen, EllipticCurveAlgorithm { + CryptographyED448() { + this = + API::moduleImport("cryptography") + .getMember("hazmat") + .getMember("primitives") + .getMember("asymmetric") + .getMember("ed448") + .getAMember*() + .asSource() + } + + override string getName() { + result = super.normalizeName("EDDSA") + or + result = super.normalizeName("Curve448") + } + + override DataFlow::Node getKeyConfigSrc() { result = this } + + override int getKeySizeInBits(DataFlow::Node configSrc) { + isEllipticCurveAlgorithm(this.getCurveName(), result) and + configSrc = this + } + + override CryptographicAlgorithm getAlgorithm() { result = this } + } + } + } +} diff --git a/python/ql/lib/experimental/cryptography/modules/stdlib/HashlibModule.qll b/python/ql/lib/experimental/cryptography/modules/stdlib/HashlibModule.qll new file mode 100644 index 00000000000..7ceb58c109d --- /dev/null +++ b/python/ql/lib/experimental/cryptography/modules/stdlib/HashlibModule.qll @@ -0,0 +1,237 @@ +import python +import semmle.python.ApiGraphs +import experimental.cryptography.CryptoArtifact +private import experimental.cryptography.utils.Utils as Utils +private import experimental.cryptography.CryptoAlgorithmNames + +/** + * `hashlib` is a ptyhon standard library module for hashing algorithms. + * https://docs.python.org/3/library/hashlib.html + * This is an abstract class to reference all hashlib artifacts. + */ +// ----------------------------------------------- +// Hash Artifacts +// ----------------------------------------------- +module Hashes { + /** + * Represents a hash algorithm used by `hashlib.new`, where the hash algorithm is a string in the first argument. + */ + class HashlibNewHashAlgorithm extends HashAlgorithm { + HashlibNewHashAlgorithm() { + this = + Utils::getUltimateSrcFromApiNode(API::moduleImport("hashlib") + .getMember("new") + .getACall() + .getParameter(0, "name")) + } + + override string getName() { + result = super.normalizeName(this.asExpr().(StrConst).getText()) + or + // if not a known/static string, assume from an outside source and the algorithm is UNKNOWN + not this.asExpr() instanceof StrConst and result = unknownAlgorithm() + } + } + + /** + * Identifies hashlib.pbdkf2_hmac calls, identifying the hash algorithm used + * in the hmac (matching kdf is handled separately by `HashlibPbkdf2HMACArtifact`). + * + * https://docs.python.org/3/library/hashlib.html#hashlib.pbkdf2_hmac + */ + class HashlibPbkdf2HMACHashAlgorithm extends HashAlgorithm { + HashlibPbkdf2HMACHashAlgorithm() { + this = + Utils::getUltimateSrcFromApiNode(API::moduleImport("hashlib") + .getMember("pbkdf2_hmac") + .getACall() + .getParameter(0, "hash_name")) + } + + override string getName() { + result = super.normalizeName(this.asExpr().(StrConst).getText()) + or + // if not a known/static string, assume from an outside source and the algorithm is UNKNOWN + not this.asExpr() instanceof StrConst and result = unknownAlgorithm() + } + } + + /** + * Gets a call to `hashlib.file_digest` where the hash algorithm is the first argument in `digest` + * `nameSrc` is the source of the first argument. + * + * https://docs.python.org/3/library/hashlib.html#hashlib.file_digest + * + * NOTE: the digest argument can be, in addition to a string, + * a callable that returns a hash object or a hash constructor. + * These cases are not considered here since they would be detected separately. + * Specifically, other non-string cases are themselves considered sources for alerts, e.g., + * references to hashlib.sha512 is found by `HashlibMemberAlgorithm`. + * The only exception is if the source is not a string constant or HashlibMemberAlgorithm. + * In these cases, the algorithm is considered 'UNKNOWN'. + */ + class HashlibFileDigestAlgorithm extends HashAlgorithm { + HashlibFileDigestAlgorithm() { + this = + Utils::getUltimateSrcFromApiNode(API::moduleImport("hashlib") + .getMember("file_digest") + .getACall() + .getParameter(1, "digest")) and + // Ignore sources that are hash constructors, allow `HashlibMemberAlgorithm` to detect these + this != hashlibMemberHashAlgorithm(_) and + // Ignore sources that are HMAC objects, to be handled by HmacModule + this != API::moduleImport("hmac").getMember("new").getACall() and + this != API::moduleImport("hmac").getMember("HMAC").getACall() + } + + override string getName() { + // Name is a string constant or consider the name unknown + // NOTE: we are excluding hmac.new and hmac.HMAC constructor calls so we are expecting + // a string or an outside configuration only + result = super.normalizeName(this.asExpr().(StrConst).getText()) + or + not this.asExpr() instanceof StrConst and + result = unknownAlgorithm() + } + } + + /** + * Gets a member access of hashlib that is an algorithm invocation. + * `hashName` is the name of the hash algorithm. + * + * Note: oringally a variant of this predicate was in codeql/github/main + * to a predicate to avoid a bad join order. + */ + // Copying use of nomagic from similar predicate in codeql/main + pragma[nomagic] + DataFlow::Node hashlibMemberHashAlgorithm(string hashName) { + result = API::moduleImport("hashlib").getMember(hashName).asSource() and + // Don't matches known non-hash members + not hashName in [ + "new", "pbkdf2_hmac", "algorithms_available", "algorithms_guaranteed", "file_digest" + ] and + // Don't match things like __file__ + not hashName.regexpMatch("_.*") + } + + /** + * Identifies hashing algorithm members (i.e., functions) of the `hashlib` module, + * e.g., `hashlib.sha512`. + */ + class HashlibMemberAlgorithm extends HashAlgorithm { + HashlibMemberAlgorithm() { this = hashlibMemberHashAlgorithm(_) } + + override string getName() { + exists(string rawName | + result = super.normalizeName(rawName) and this = hashlibMemberHashAlgorithm(rawName) + ) + } + } +} + +// ----------------------------------------------- +// Key Derivation Functions +// ----------------------------------------------- +module KDF { + // NOTE: Only finds the params of `pbkdf2_hmac` that are non-optional + // dk_len is optional, i.e., can be None, and if addressed in this predicate + // would result in an unsatisfiable predicate. + predicate hashlibPBDKF2HMACKDFRequiredParams( + HashlibPbkdf2HMACOperation kdf, API::Node hashParam, API::Node saltParam, + API::Node iterationParam + ) { + kdf.getParameter(0, "hash_name") = hashParam and + kdf.getParameter(2, "salt") = saltParam and + kdf.getParameter(3, "iterations") = iterationParam + } + + predicate hashlibPBDKF2HMACKDFOptionalParams(HashlibPbkdf2HMACOperation kdf, API::Node keylenParam) { + kdf.getParameter(4, "dklen") = keylenParam + } + + /** + * Identifies kery derivation function hashlib.pbdkf2_hmac accesses. + * https://docs.python.org/3/library/hashlib.html#hashlib.pbkdf2_hmac + */ + class HashlibPbkdf2HMACOperation extends KeyDerivationAlgorithm, KeyDerivationOperation { + HashlibPbkdf2HMACOperation() { + this = API::moduleImport("hashlib").getMember("pbkdf2_hmac").getACall() + } + + override string getName() { result = super.normalizeName("pbkdf2_hmac") } + + override DataFlow::Node getIterationSizeSrc() { + exists(API::Node it | hashlibPBDKF2HMACKDFRequiredParams(this, _, _, it) | + result = Utils::getUltimateSrcFromApiNode(it) + ) + } + + override DataFlow::Node getSaltConfigSrc() { + exists(API::Node s | hashlibPBDKF2HMACKDFRequiredParams(this, _, s, _) | + result = Utils::getUltimateSrcFromApiNode(s) + ) + } + + override DataFlow::Node getHashConfigSrc() { + exists(API::Node h | hashlibPBDKF2HMACKDFRequiredParams(this, h, _, _) | + result = Utils::getUltimateSrcFromApiNode(h) + ) + } + + override DataFlow::Node getDerivedKeySizeSrc() { + exists(API::Node dk | hashlibPBDKF2HMACKDFOptionalParams(this, dk) | + result = Utils::getUltimateSrcFromApiNode(dk) + ) + } + + // TODO: if DK is none, then the length is based on the hash type, if hash length not known, must call this unknown + // The issue is the src is what we model not the size + // For now, we are not modeling this and are relying on the fact that the accepted hashes are of accepted length. + // I.e., any query looking at length will ignore cases where it is unknown + override KeyDerivationAlgorithm getAlgorithm() { result = this } + + override predicate requiresHash() { any() } + + override predicate requiresMode() { none() } + + override predicate requiresSalt() { any() } + + override predicate requiresIteration() { any() } + } + + // TODO: better modeling of scrypt + /** + * Identifies key derivation fucntion hashlib.scrypt accesses. + */ + class HashlibScryptAlgorithm extends KeyDerivationAlgorithm, KeyDerivationOperation { + HashlibScryptAlgorithm() { this = API::moduleImport("hashlib").getMember("scrypt").getACall() } + + override string getName() { result = super.normalizeName("scrypt") } + + override DataFlow::Node getIterationSizeSrc() { none() } + + override DataFlow::Node getSaltConfigSrc() { + // TODO: need to address getting salt from params, unsure how this works in CodeQL + // since the signature is defined as hashlib.scrypt(password, *, salt, n, r, p, maxmem=0, dklen=64) + // What position is 'salt' then such that we can reliably extract it? + none() + } + + override DataFlow::Node getHashConfigSrc() { none() } + + override DataFlow::Node getDerivedKeySizeSrc() { + //TODO: see comment for getSaltConfigSrc above + none() + } + + override KeyDerivationAlgorithm getAlgorithm() { result = this } + + override predicate requiresHash() { none() } + + override predicate requiresMode() { none() } + + override predicate requiresSalt() { any() } + + override predicate requiresIteration() { none() } + } +} diff --git a/python/ql/lib/experimental/cryptography/modules/stdlib/HmacModule.qll b/python/ql/lib/experimental/cryptography/modules/stdlib/HmacModule.qll new file mode 100644 index 00000000000..25634543a0b --- /dev/null +++ b/python/ql/lib/experimental/cryptography/modules/stdlib/HmacModule.qll @@ -0,0 +1,71 @@ +import python +import semmle.python.ApiGraphs +import experimental.cryptography.CryptoArtifact +private import experimental.cryptography.utils.Utils as Utils +private import experimental.cryptography.CryptoAlgorithmNames +private import experimental.cryptography.modules.stdlib.HashlibModule as HashlibModule + +/** + * `hmac` is a ptyhon standard library module for key-based hashing algorithms. + * https://docs.python.org/3/library/hmac.html + */ +// ----------------------------------------------- +// Hash Artifacts +// ----------------------------------------------- +module Hashes { + class GenericHmacHashCall extends API::CallNode { + GenericHmacHashCall() { + this = API::moduleImport("hmac").getMember("new").getACall() or + this = API::moduleImport("hmac").getMember("HMAC").getACall() or + this = API::moduleImport("hmac").getMember("digest").getACall() + } + } + + DataFlow::Node getDigestModParamSrc(GenericHmacHashCall call) { + result = Utils::getUltimateSrcFromApiNode(call.(API::CallNode).getParameter(2, "digestmod")) + } + + /** + * This class captures the common behavior for all HMAC operations: + * hmac.HMAC https://docs.python.org/3/library/hmac.html#hmac.HMAC + * hmac.new https://docs.python.org/3/library/hmac.html#hmac.new + * hmac.digest https://docs.python.org/3/library/hmac.html#hmac.digest + * These operations commonly set the algorithm as a string in the third argument (`digestmod`) + * of the operation itself. + * + * NOTE: `digestmod` is the digest name, digest constructor or module for the HMAC object to use, however + * this class only identifies string names. The other forms are found by CryptopgraphicArtifacts, + * modeled in `HmacHMACConsArtifact` and `Hashlib.qll`, specifically through hashlib.new and + * direct member accesses (e.g., hashlib.md5). + * + * Where no `digestmod` exists, the algorithm is assumed to be `md5` per the docs found here: + * https://docs.python.org/3/library/hmac.html#hmac.new + * + * Where `digestmod` exists but is not a string and not a hashlib algorithm, it is assumed + * to be `UNKNOWN`. Note this includes cases wheere the digest is provided as a `A module supporting PEP 247.` + * Such modules are currently not modeled. + */ + class HmacGenericAlgorithm extends HashAlgorithm { + HmacGenericAlgorithm() { + exists(GenericHmacHashCall c | + if not exists(getDigestModParamSrc(c)) then this = c else this = getDigestModParamSrc(c) + ) and + // Ignore case where the algorithm is a hashlib algorithm, rely on `HashlibMemberAlgorithm` to catch these cases + not this instanceof HashlibModule::Hashes::HashlibMemberAlgorithm + // NOTE: the docs say the digest can be `A module supporting PEP 247.`, however, this is not modeled, and will be considered UNKNOWN + } + + override string getName() { + // when the this is a generic hmac call + // it means the algorithm parameter was not identified, assume the default case of 'md5' (per the docs) + if this instanceof GenericHmacHashCall + then result = super.normalizeName("MD5") + else ( + // Else get the string name, if its a string constant, or UNKNOWN if otherwise + result = super.normalizeName(this.asExpr().(StrConst).getText()) + or + not this.asExpr() instanceof StrConst and result = unknownAlgorithm() + ) + } + } +} diff --git a/python/ql/lib/experimental/cryptography/utils/CallCfgNodeWithTarget.qll b/python/ql/lib/experimental/cryptography/utils/CallCfgNodeWithTarget.qll new file mode 100644 index 00000000000..4d5ecd8f6bd --- /dev/null +++ b/python/ql/lib/experimental/cryptography/utils/CallCfgNodeWithTarget.qll @@ -0,0 +1,12 @@ +/** + * Patches all DataFlow::CallCfgNode adding a getTarget predicate to a new + * subclass of CallCfgNode + */ + +import python +private import semmle.python.dataflow.new.internal.TypeTrackerSpecific +private import semmle.python.ApiGraphs + +class CallCfgNodeWithTarget extends DataFlow::Node instanceof DataFlow::CallCfgNode { + DataFlow::Node getTarget() { returnStep(result, this) } +} diff --git a/python/ql/lib/experimental/cryptography/utils/Utils.qll b/python/ql/lib/experimental/cryptography/utils/Utils.qll new file mode 100644 index 00000000000..b53134ec7a0 --- /dev/null +++ b/python/ql/lib/experimental/cryptography/utils/Utils.qll @@ -0,0 +1,21 @@ +import python +private import semmle.python.ApiGraphs +private import experimental.cryptography.utils.CallCfgNodeWithTarget + +/** + * Gets an ultimate local source (not a source in a library) + */ +DataFlow::Node getUltimateSrcFromApiNode(API::Node n) { + result = n.getAValueReachingSink() and + ( + // the result is a call to a library only + result instanceof CallCfgNodeWithTarget and + not result.(CallCfgNodeWithTarget).getTarget().asExpr().getEnclosingModule().inSource() + or + // the result is not a call, and not a function signataure or parameter + not result instanceof CallCfgNodeWithTarget and + not result instanceof DataFlow::ParameterNode and + not result.asExpr() instanceof FunctionExpr and + result.asExpr().getEnclosingModule().inSource() + ) +} diff --git a/python/ql/src/experimental/cryptography/example_alerts/UnknownAsymmetricKeyGen.ql b/python/ql/src/experimental/cryptography/example_alerts/UnknownAsymmetricKeyGen.ql new file mode 100644 index 00000000000..511b1f0c176 --- /dev/null +++ b/python/ql/src/experimental/cryptography/example_alerts/UnknownAsymmetricKeyGen.ql @@ -0,0 +1,21 @@ +/** + * @name Unknown key generation key size + * @description + * @id py/unknown-asymmetric-key-gen-size + * @kind problem + * @problem.severity error + * @precision high + * @tags external/cwe/cwe-326 + */ + +import python +import experimental.cryptography.Concepts + +from AsymmetricKeyGen op, DataFlow::Node configSrc, string algName +where + not op.hasKeySize(configSrc) and + configSrc = op.getKeyConfigSrc() and + algName = op.getAlgorithm().getName() +select op, + "Non-statically verifiable key size used for key generation for algorithm " + algName.toString() + + " at config source $@", configSrc, configSrc.toString() diff --git a/python/ql/src/experimental/cryptography/example_alerts/WeakAsymmetricKeyGen.ql b/python/ql/src/experimental/cryptography/example_alerts/WeakAsymmetricKeyGen.ql new file mode 100644 index 00000000000..7cc85731217 --- /dev/null +++ b/python/ql/src/experimental/cryptography/example_alerts/WeakAsymmetricKeyGen.ql @@ -0,0 +1,23 @@ +/** + * @name Weak key generation key size (< 2048 bits) + * @description + * @id py/weak-asymmetric-key-gen-size + * @kind problem + * @problem.severity error + * @precision high + * @tags external/cwe/cwe-326 + */ + +import python +import experimental.cryptography.Concepts + +from AsymmetricKeyGen op, DataFlow::Node configSrc, int keySize, string algName +where + keySize = op.getKeySizeInBits(configSrc) and + keySize < 2048 and + algName = op.getAlgorithm().getName() and + // Can't be an elliptic curve + not isEllipticCurveAlgorithm(algName, _) +select op, + "Use of weak asymmetric key size (int bits)" + keySize.toString() + " for algorithm " + + algName.toString() + " at config source $@", configSrc, configSrc.toString() diff --git a/python/ql/src/experimental/cryptography/example_alerts/WeakAsymmetricPadding.ql b/python/ql/src/experimental/cryptography/example_alerts/WeakAsymmetricPadding.ql new file mode 100644 index 00000000000..846882d5148 --- /dev/null +++ b/python/ql/src/experimental/cryptography/example_alerts/WeakAsymmetricPadding.ql @@ -0,0 +1,17 @@ +/** + * @name Weak or unknown asymmetric padding + * @description + * @id py/weak-asymmetric-padding + * @kind problem + * @problem.severity error + * @precision high + */ + +import python +import experimental.cryptography.Concepts + +from AsymmetricPadding pad, string name +where + name = pad.getPaddingName() and + not name = ["OAEP", "KEM", "PSS"] +select pad, "Use of unapproved, weak, or unknown asymmetric padding algorithm or API: " + name diff --git a/python/ql/src/experimental/cryptography/example_alerts/WeakBlockMode.ql b/python/ql/src/experimental/cryptography/example_alerts/WeakBlockMode.ql new file mode 100644 index 00000000000..f0f7253589c --- /dev/null +++ b/python/ql/src/experimental/cryptography/example_alerts/WeakBlockMode.ql @@ -0,0 +1,48 @@ +/** + * @name Weak block mode + * @description Finds uses of symmetric encryption block modes that are weak, obsolete, or otherwise unaccepted. + * @id py/weak-block-mode + * @kind problem + * @problem.severity error + * @precision high + * @tags external/cwe/cwe-327 + */ + +import python +import experimental.cryptography.Concepts + +from CryptographicArtifact op, string msg +where + // False positive hack, some projects are directly including all of cryptography, + // filter any match that is in cryptography/hazmat + // Specifically happening for ECB being used in keywrap operations internally to the cryptography keywrap/unwrap API + not op.asExpr() + .getLocation() + .getFile() + .getAbsolutePath() + .toString() + .matches("%cryptography/hazmat/%") and + ( + op instanceof BlockMode and + // ECB is only allowed for KeyWrapOperations, i.e., only alert on ECB is not a KeyWrapOperation + (op.(BlockMode).getBlockModeName() = "ECB" implies not op instanceof KeyWrapOperation) and + exists(string name | name = op.(BlockMode).getBlockModeName() | + // Only CBC, CTS, XTS modes are allowed. + // https://liquid.microsoft.com/Web/Object/Read/MS.Security/Requirements/Microsoft.Security.Cryptography.10002 + not name = ["CBC", "CTS", "XTS"] and + if name = unknownAlgorithm() + then msg = "Use of unrecognized block mode algorithm." + else + if name in ["GCM", "CCM"] + then + msg = + "Use of block mode algorithm " + name + + " requires special crypto board approval/review." + else msg = "Use of unapproved block mode algorithm or API " + name + "." + ) + or + op instanceof SymmetricCipher and + not op.(SymmetricCipher).hasBlockMode() and + msg = "Cipher has unspecified block mode algorithm." + ) +select op, msg diff --git a/python/ql/src/experimental/cryptography/example_alerts/WeakBlockModeIVorNonce.ql b/python/ql/src/experimental/cryptography/example_alerts/WeakBlockModeIVorNonce.ql new file mode 100644 index 00000000000..d11638a1d1d --- /dev/null +++ b/python/ql/src/experimental/cryptography/example_alerts/WeakBlockModeIVorNonce.ql @@ -0,0 +1,37 @@ +/** + * @name Weak block mode IV or nonce + * @description Finds initialization vectors or nonces used by block modes that are weak, obsolete, or otherwise unaccepted. + * Looks for IVs or nonces that are not generated by a cryptographically secure random number generator + * + * NOTE: for simplicity, if an IV or nonce is not known or not form os.urandom it is flagged. + * More specific considerations, such as correct use of nonces are currently not handled. + * In particular, GCM requires the use of a nonce. Using urandom is possible but may still be configured + * incorrectly. We currently assume that GCM is flagged as a block mode regardless through a separate + * query, and such uses will need to be reivewed by the crypto board. + * + * Additionally, some functions, which infer a mode and IV may be flagged by this query. + * For now, we will rely on users suppressing these cases rather than filtering them out. + * The exception is Fernet, which is explicitly ignored since it's implementation uses os.urandom. + * @id py/weak-block-mode-iv-or-nonce + * @kind problem + * @problem.severity error + * @precision high + */ + +import python +import experimental.cryptography.Concepts + +from BlockMode op, string msg, DataFlow::Node conf +where + not op instanceof CryptographyModule::Encryption::SymmetricEncryption::Fernet::CryptographyFernet and + ( + not op.hasIVorNonce() or + not API::moduleImport("os").getMember("urandom").getACall() = op.getIVorNonce() + ) and + ( + if not op.hasIVorNonce() + then conf = op and msg = "Block mode is missing IV/Nonce initialization." + else conf = op.getIVorNonce() + ) and + msg = "Block mode is not using an accepted IV/Nonce initialization: $@" +select op, msg, conf, conf.toString() diff --git a/python/ql/src/experimental/cryptography/example_alerts/WeakEllipticCurve.ql b/python/ql/src/experimental/cryptography/example_alerts/WeakEllipticCurve.ql new file mode 100644 index 00000000000..a5f6f735e50 --- /dev/null +++ b/python/ql/src/experimental/cryptography/example_alerts/WeakEllipticCurve.ql @@ -0,0 +1,32 @@ +/** + * @name Weak elliptic curve + * @description Finds uses of cryptography algorithms that are unapproved or otherwise weak. + * @id py/weak-elliptic-curve + * @kind problem + * @problem.severity error + * @precision high + * @tags external/cwe/cwe-327 + */ + +import python +import experimental.cryptography.Concepts + +from EllipticCurveAlgorithm op, string msg, string name +where + ( + name = op.getCurveName() and + name = unknownAlgorithm() and + msg = "Use of unrecognized curve algorithm." + or + name != unknownAlgorithm() and + name = op.getCurveName() and + not name = + [ + "SECP256R1", "PRIME256V1", //P-256 + "SECP384R1", //P-384 + "SECP521R1", //P-521 + "ED25519", "X25519" + ] and + msg = "Use of weak curve algorithm " + name + "." + ) +select op, msg diff --git a/python/ql/src/experimental/cryptography/example_alerts/WeakHashes.ql b/python/ql/src/experimental/cryptography/example_alerts/WeakHashes.ql new file mode 100644 index 00000000000..7aa88e2d58f --- /dev/null +++ b/python/ql/src/experimental/cryptography/example_alerts/WeakHashes.ql @@ -0,0 +1,21 @@ +/** + * @name Weak hashes + * @description Finds uses of cryptography algorithms that are unapproved or otherwise weak. + * @id py/weak-hashes + * @kind problem + * @problem.severity error + * @precision high + * @tags external/cwe/cwe-327 + */ + +import python +import experimental.cryptography.Concepts + +from HashAlgorithm op, string name, string msg +where + name = op.getHashName() and + not name = ["SHA256", "SHA384", "SHA512"] and + if name = unknownAlgorithm() + then msg = "Use of unrecognized hash algorithm." + else msg = "Use of unapproved hash algorithm or API " + name + "." +select op, msg diff --git a/python/ql/src/experimental/cryptography/example_alerts/WeakKDFAlgorithm.ql b/python/ql/src/experimental/cryptography/example_alerts/WeakKDFAlgorithm.ql new file mode 100644 index 00000000000..0f30571385a --- /dev/null +++ b/python/ql/src/experimental/cryptography/example_alerts/WeakKDFAlgorithm.ql @@ -0,0 +1,22 @@ +/** + * @name Weak KDF algorithm. + * @description Approved KDF algorithms must one of the following + * ["PBKDF2" , "PBKDF2HMAC", "KBKDF", "KBKDFHMAC", "CONCATKDF", "CONCATKDFHASH"] + * @assumption The value being used to derive a key (either a key or a password) is correct for the algorithm (i.e., a key is used for KBKDF and a password for PBKDF). + * @kind problem + * @id py/weak-kdf-algorithm + * @problem.severity error + * @precision high + */ + +import python +import experimental.cryptography.Concepts + +from KeyDerivationAlgorithm op +where + not op.getKDFName() = + [ + "PBKDF2", "PBKDF2HMAC", "KBKDF", "KBKDFHMAC", "KBKDFCMAC", "CONCATKDF", "CONCATKDFHASH", + "CONCATKDFHMAC" + ] +select op, "Use of unapproved, weak, or unknown key derivation algorithm or API." diff --git a/python/ql/src/experimental/cryptography/example_alerts/WeakKDFIteration.ql b/python/ql/src/experimental/cryptography/example_alerts/WeakKDFIteration.ql new file mode 100644 index 00000000000..055b4781516 --- /dev/null +++ b/python/ql/src/experimental/cryptography/example_alerts/WeakKDFIteration.ql @@ -0,0 +1,31 @@ +/** + * @name Use iteration count at least 100k to prevent brute force attacks + * @description When deriving cryptographic keys from user-provided inputs such as password, + * use sufficient iteration count (at least 100k). + * + * This query will alert if the iteration count is less than 10000 (i.e., a constant <100000 is observed) + * or if the source for the iteration count is not known statically. + * @kind problem + * @id py/kdf-low-iteration-count + * @problem.severity error + * @precision high + */ + +import python +import experimental.cryptography.Concepts +private import experimental.cryptography.utils.Utils as Utils + +from KeyDerivationOperation op, string msg, DataFlow::Node iterConfSrc +where + op.requiresIteration() and + iterConfSrc = op.getIterationSizeSrc() and + ( + exists(iterConfSrc.asExpr().(IntegerLiteral).getValue()) and + iterConfSrc.asExpr().(IntegerLiteral).getValue() < 10000 and + msg = "Iteration count is too low. " + or + not exists(iterConfSrc.asExpr().(IntegerLiteral).getValue()) and + msg = "Iteration count is not a statically verifiable size. " + ) +select op, msg + "Iteration count must be a minimum of 10000. Iteration Config: $@", + iterConfSrc.asExpr(), iterConfSrc.asExpr().toString() diff --git a/python/ql/src/experimental/cryptography/example_alerts/WeakKDFKeyLength.ql b/python/ql/src/experimental/cryptography/example_alerts/WeakKDFKeyLength.ql new file mode 100644 index 00000000000..a7c83f9e62e --- /dev/null +++ b/python/ql/src/experimental/cryptography/example_alerts/WeakKDFKeyLength.ql @@ -0,0 +1,32 @@ +/** + * @name Small KDF derived key length. + * @description KDF derived keys should be a minimum of 128 bits (16 bytes). + * @assumption If the key length is not explicitly provided (e.g., it is None or otherwise not specified) assumes the length is derived from the hash length. + * @kind problem + * @id py/kdf-small-key-size + * @problem.severity error + * @precision high + */ + +import python +import experimental.cryptography.Concepts +private import experimental.cryptography.utils.Utils as Utils + +from KeyDerivationOperation op, string msg, DataFlow::Node derivedKeySizeSrc +where + // NOTE/ASSUMPTION: if the key size is not specified or explicitly None, it is common that the size is derived from the hash used. + // The only acceptable hashes are currently "SHA256", "SHA384", "SHA512", which are all large enough. + // We will currently rely on other acceptable hash queries therefore to determine if the size is + // is sufficient where the key is not specified. + derivedKeySizeSrc = op.getDerivedKeySizeSrc() and + not derivedKeySizeSrc.asExpr() instanceof None and + ( + exists(derivedKeySizeSrc.asExpr().(IntegerLiteral).getValue()) and + derivedKeySizeSrc.asExpr().(IntegerLiteral).getValue() < 16 and + msg = "Derived key size is too small. " + or + not exists(derivedKeySizeSrc.asExpr().(IntegerLiteral).getValue()) and + msg = "Derived key size is not a statically verifiable size. " + ) +select op, msg + "Derived key size must be a minimum of 16 (bytes). Derived Key Size Config: $@", + derivedKeySizeSrc.asExpr(), derivedKeySizeSrc.asExpr().toString() diff --git a/python/ql/src/experimental/cryptography/example_alerts/WeakKDFMode.ql b/python/ql/src/experimental/cryptography/example_alerts/WeakKDFMode.ql new file mode 100644 index 00000000000..08da21f8e15 --- /dev/null +++ b/python/ql/src/experimental/cryptography/example_alerts/WeakKDFMode.ql @@ -0,0 +1,28 @@ +/** + * @name Weak KDF Modee + * @description KDF mode, if specified, must be CounterMode + * @kind problem + * @id py/kdf-weak-mode + * @problem.severity error + * @precision high + */ + +import python +import experimental.cryptography.Concepts +private import experimental.cryptography.utils.Utils as Utils + +from KeyDerivationOperation op, DataFlow::Node modeConfSrc +where + op.requiresMode() and + modeConfSrc = op.getModeSrc() and + not modeConfSrc = + API::moduleImport("cryptography") + .getMember("hazmat") + .getMember("primitives") + .getMember("kdf") + .getMember("kbkdf") + .getMember("Mode") + .getMember("CounterMode") + .asSource() +select op, "Key derivation mode is not set to CounterMode. Mode Config: $@", modeConfSrc, + modeConfSrc.toString() diff --git a/python/ql/src/experimental/cryptography/example_alerts/WeakKDFSaltGen.ql b/python/ql/src/experimental/cryptography/example_alerts/WeakKDFSaltGen.ql new file mode 100644 index 00000000000..9d312583912 --- /dev/null +++ b/python/ql/src/experimental/cryptography/example_alerts/WeakKDFSaltGen.ql @@ -0,0 +1,20 @@ +/** + * @name Weak KDF salt generation. + * @description KDF salts must be generated by an approved random number generator (os.urandom) + * @kind problem + * @id py/kdf-weak-salt-gen + * @problem.severity error + * @precision high + */ + +import python +import experimental.cryptography.Concepts +private import experimental.cryptography.utils.Utils as Utils + +from KeyDerivationOperation op, DataFlow::Node saltSrc +where + op.requiresSalt() and + not API::moduleImport("os").getMember("urandom").getACall() = saltSrc and + saltSrc = op.getSaltConfigSrc() +select op, "Salt configuration is not from an accepted random source: $@. Must be os.urandom", + saltSrc, saltSrc.toString() diff --git a/python/ql/src/experimental/cryptography/example_alerts/WeakKDFSaltSize.ql b/python/ql/src/experimental/cryptography/example_alerts/WeakKDFSaltSize.ql new file mode 100644 index 00000000000..54f72de0594 --- /dev/null +++ b/python/ql/src/experimental/cryptography/example_alerts/WeakKDFSaltSize.ql @@ -0,0 +1,32 @@ +/** + * @name Small KDF salt length. + * @description KDF salts should be a minimum of 128 bits (16 bytes). + * + * This alerts if a constant traces to to a salt length sink less than 128-bits or + * if the value that traces to a salt length sink is not known statically. + * @kind problem + * @id py/kdf-small-salt-size + * @problem.severity error + * @precision high + */ + +import python +import experimental.cryptography.Concepts +private import experimental.cryptography.utils.Utils as Utils + +from KeyDerivationOperation op, DataFlow::Node randConfSrc, API::CallNode call, string msg +where + op.requiresSalt() and + API::moduleImport("os").getMember("urandom").getACall() = call and + call = op.getSaltConfigSrc() and + randConfSrc = Utils::getUltimateSrcFromApiNode(call.getParameter(0, "size")) and + ( + not exists(randConfSrc.asExpr().(IntegerLiteral).getValue()) and + msg = "Salt config is not a statically verifiable size. " + or + randConfSrc.asExpr().(IntegerLiteral).getValue() < 16 and + msg = "Salt config is insufficiently large. " + ) +select op, + msg + "Salt size must be a minimum of 16 (bytes). os.urandom Config: $@, Size Config: $@", call, + call.toString(), randConfSrc, randConfSrc.toString() diff --git a/python/ql/src/experimental/cryptography/example_alerts/WeakSymmetricEncryption.ql b/python/ql/src/experimental/cryptography/example_alerts/WeakSymmetricEncryption.ql new file mode 100644 index 00000000000..1c3ac4bce5b --- /dev/null +++ b/python/ql/src/experimental/cryptography/example_alerts/WeakSymmetricEncryption.ql @@ -0,0 +1,24 @@ +/** + * @name Weak symmetric encryption algorithm + * @description Finds uses of symmetric cryptography algorithms that are weak, obsolete, or otherwise unaccepted. + * + * The key lengths allowed are 128, 192, and 256 bits. These are all the key lengths supported by AES, so any + * application of AES is considered acceptable. + * @id py/weak-symmetric-encryption + * @kind problem + * @problem.severity error + * @precision high + * @tags external/cwe/cwe-327 + */ + +import python +import experimental.cryptography.Concepts + +from SymmetricEncryptionAlgorithm op, string name, string msg +where + name = op.getEncryptionName() and + not name = ["AES", "AES128", "AES192", "AES256"] and + if name = unknownAlgorithm() + then msg = "Use of unrecognized symmetric encryption algorithm." + else msg = "Use of unapproved symmetric encryption algorithm or API " + name + "." +select op, msg diff --git a/python/ql/src/experimental/cryptography/inventory/new_models/AllAsymmetricAlgorithms.ql b/python/ql/src/experimental/cryptography/inventory/new_models/AllAsymmetricAlgorithms.ql new file mode 100644 index 00000000000..8d60f5e9432 --- /dev/null +++ b/python/ql/src/experimental/cryptography/inventory/new_models/AllAsymmetricAlgorithms.ql @@ -0,0 +1,15 @@ +/** + * @name All Asymmetric Algorithms + * @description Finds all potential usage of asymmeric keys (RSA & ECC) using the supported libraries. + * @kind problem + * @id py/quantum-readiness/cbom/all-asymmetric-algorithms + * @problem.severity error + * @preci cbom + * cryptography + */ + +import python +import experimental.cryptography.Concepts + +from AsymmetricAlgorithm alg +select alg, "Use of algorithm " + alg.getName() diff --git a/python/ql/src/experimental/cryptography/inventory/new_models/AllCryptoAlgorithms.ql b/python/ql/src/experimental/cryptography/inventory/new_models/AllCryptoAlgorithms.ql new file mode 100644 index 00000000000..e9daf960bdf --- /dev/null +++ b/python/ql/src/experimental/cryptography/inventory/new_models/AllCryptoAlgorithms.ql @@ -0,0 +1,16 @@ +/** + * @name All Cryptographic Algorithms + * @description Finds all potential usage of cryptographic algorithms usage using the supported libraries. + * @kind problem + * @id py/quantum-readiness/cbom/all-cryptographic-algorithms + * @problem.severity error + * @precision high + * @tags cbom + * cryptography + */ + +import python +import experimental.cryptography.Concepts + +from CryptographicAlgorithm alg +select alg, "Use of algorithm " + alg.getName() diff --git a/python/ql/src/experimental/cryptography/inventory/new_models/AsymmetricEncryptionAlgorithms.ql b/python/ql/src/experimental/cryptography/inventory/new_models/AsymmetricEncryptionAlgorithms.ql new file mode 100644 index 00000000000..68335234438 --- /dev/null +++ b/python/ql/src/experimental/cryptography/inventory/new_models/AsymmetricEncryptionAlgorithms.ql @@ -0,0 +1,16 @@ +/** + * @name Asymmetric Encryption Algorithms + * @description Finds all potential usage of asymmeric keys for encryption or key exchange using the supported libraries. + * @kind problem + * @id py/quantum-readiness/cbom/all-asymmetric-encryption-algorithms + * @problem.severity error + * @precision high + * @tags cbom + * cryptography + */ + +import python +import experimental.cryptography.Concepts + +from AsymmetricEncryptionAlgorithm alg +select alg, "Use of algorithm " + alg.getEncryptionName() diff --git a/python/ql/src/experimental/cryptography/inventory/new_models/AsymmetricKeyGenOperation.ql b/python/ql/src/experimental/cryptography/inventory/new_models/AsymmetricKeyGenOperation.ql new file mode 100644 index 00000000000..eb5af39da63 --- /dev/null +++ b/python/ql/src/experimental/cryptography/inventory/new_models/AsymmetricKeyGenOperation.ql @@ -0,0 +1,19 @@ +/** + * @name Known asymmetric key source generation + * @description Finds all known potential sources for asymmetric key generation while using the supported libraries. + * @kind problem + * @id py/quantum-readiness/cbom/asymmetric-key-generation + * @problem.severity error + * @precision high + * @tags cbom + * cryptography + */ + +import python +import experimental.cryptography.Concepts + +from AsymmetricKeyGen op, DataFlow::Node confSrc +where op.getKeyConfigSrc() = confSrc +select op, + "Asymmetric key generation for algorithm " + op.getAlgorithm().getName() + + " with key config source $@", confSrc, confSrc.toString() diff --git a/python/ql/src/experimental/cryptography/inventory/new_models/AsymmetricPaddingAlgorithms.ql b/python/ql/src/experimental/cryptography/inventory/new_models/AsymmetricPaddingAlgorithms.ql new file mode 100644 index 00000000000..1c53fd707c0 --- /dev/null +++ b/python/ql/src/experimental/cryptography/inventory/new_models/AsymmetricPaddingAlgorithms.ql @@ -0,0 +1,15 @@ +/** + * @name Asymmetric Padding Schemes + * @description Finds all potential usage of padding schemes used with asymmeric algorithms. + * @kind problem + * @id py/quantum-readiness/cbom/asymmetric-padding-schemes + * @problem.severity error + * @tags cbom + * cryptography + */ + +import python +import experimental.cryptography.Concepts + +from AsymmetricPadding alg +select alg, "Use of algorithm " + alg.getPaddingName() diff --git a/python/ql/src/experimental/cryptography/inventory/new_models/AuthenticatedEncryptionAlgorithms.ql b/python/ql/src/experimental/cryptography/inventory/new_models/AuthenticatedEncryptionAlgorithms.ql new file mode 100644 index 00000000000..3a154e4ffec --- /dev/null +++ b/python/ql/src/experimental/cryptography/inventory/new_models/AuthenticatedEncryptionAlgorithms.ql @@ -0,0 +1,16 @@ +/** + * @name Authenticated Encryption Algorithms + * @description Finds all potential usage of authenticated encryption schemes using the supported libraries. + * @kind problem + * @id py/quantum-readiness/cbom/authenticated-encryption-algorithms + * @problem.severity error + * @precision high + * @tags cbom + * cryptography + */ + +import python +import experimental.cryptography.Concepts + +from AuthenticatedEncryptionAlgorithm alg +select alg, "Use of algorithm " + alg.getAuthticatedEncryptionName() diff --git a/python/ql/src/experimental/cryptography/inventory/new_models/BlockModeAlgorithms.ql b/python/ql/src/experimental/cryptography/inventory/new_models/BlockModeAlgorithms.ql new file mode 100644 index 00000000000..c8c186810ec --- /dev/null +++ b/python/ql/src/experimental/cryptography/inventory/new_models/BlockModeAlgorithms.ql @@ -0,0 +1,16 @@ +/** + * @name Block cipher mode of operation + * @description Finds all potential block cipher modes of operations using the supported libraries. + * @kind problem + * @id py/quantum-readiness/cbom/block-cipher-mode + * @problem.severity error + * @precision high + * @tags cbom + * cryptography + */ + +import python +import experimental.cryptography.Concepts + +from BlockMode alg +select alg, "Use of algorithm " + alg.getBlockModeName() diff --git a/python/ql/src/experimental/cryptography/inventory/new_models/BlockModeKnownIVsOrNonces.ql b/python/ql/src/experimental/cryptography/inventory/new_models/BlockModeKnownIVsOrNonces.ql new file mode 100644 index 00000000000..60209fda6dd --- /dev/null +++ b/python/ql/src/experimental/cryptography/inventory/new_models/BlockModeKnownIVsOrNonces.ql @@ -0,0 +1,16 @@ +/** + * @name Initialization Vector (IV) or nonces + * @description Finds all potential sources for initialization vectors (IV) or nonce used in block ciphers while using the supported libraries. + * @kind problem + * @id py/quantum-readiness/cbom/iv-sources + * @problem.severity error + * @precision high + * @tags cbom + * cryptography + */ + +import python +import experimental.cryptography.Concepts + +from BlockMode alg +select alg.getIVorNonce().asExpr(), "Block mode IV/Nonce source" diff --git a/python/ql/src/experimental/cryptography/inventory/new_models/BlockModeUnknownIVsOrNonces.ql b/python/ql/src/experimental/cryptography/inventory/new_models/BlockModeUnknownIVsOrNonces.ql new file mode 100644 index 00000000000..1c8f4c6ca7c --- /dev/null +++ b/python/ql/src/experimental/cryptography/inventory/new_models/BlockModeUnknownIVsOrNonces.ql @@ -0,0 +1,17 @@ +/** + * @name Unknown Initialization Vector (IV) or nonces + * @description Finds all potentially unknown sources for initialization vectors (IV) or nonce used in block ciphers while using the supported libraries. + * @kind problem + * @id py/quantum-readiness/cbom/unkown-iv-sources + * @problem.severity error + * @precision high + * @tags cbom + * cryptography + */ + +import python +import experimental.cryptography.Concepts + +from BlockMode alg +where not alg.hasIVorNonce() +select alg, "Block mode with unknown IV or Nonce configuration" diff --git a/python/ql/src/experimental/cryptography/inventory/new_models/EllipticCurveAlgorithms.ql b/python/ql/src/experimental/cryptography/inventory/new_models/EllipticCurveAlgorithms.ql new file mode 100644 index 00000000000..313c44d6c8a --- /dev/null +++ b/python/ql/src/experimental/cryptography/inventory/new_models/EllipticCurveAlgorithms.ql @@ -0,0 +1,18 @@ +/** + * @name Elliptic Curve Algorithms + * @description Finds all potential usage of elliptic curve algorithms using the supported libraries. + * @kind problem + * @id py/quantum-readiness/cbom/elliptic-curve-algorithms + * @problem.severity error + * @precision high + * @tags cbom + * cryptography + */ + +import python +import experimental.cryptography.Concepts + +from EllipticCurveAlgorithm alg +select alg, + "Use of algorithm " + alg.getCurveName() + " with key size (in bits) " + + alg.getCurveBitSize().toString() diff --git a/python/ql/src/experimental/cryptography/inventory/new_models/HashingAlgorithms.ql b/python/ql/src/experimental/cryptography/inventory/new_models/HashingAlgorithms.ql new file mode 100644 index 00000000000..358ece5b454 --- /dev/null +++ b/python/ql/src/experimental/cryptography/inventory/new_models/HashingAlgorithms.ql @@ -0,0 +1,16 @@ +/** + * @name Hash Algorithms + * @description Finds all potential usage of cryptographic hash algorithms using the supported libraries. + * @kind problem + * @id py/quantum-readiness/cbom/hash-algorithms + * @problem.severity error + * @precision high + * @tags cbom + * cryptography + */ + +import python +import experimental.cryptography.Concepts + +from HashAlgorithm alg +select alg, "Use of algorithm " + alg.getName() diff --git a/python/ql/src/experimental/cryptography/inventory/new_models/KeyDerivationAlgorithms.ql b/python/ql/src/experimental/cryptography/inventory/new_models/KeyDerivationAlgorithms.ql new file mode 100644 index 00000000000..005fdcf58b7 --- /dev/null +++ b/python/ql/src/experimental/cryptography/inventory/new_models/KeyDerivationAlgorithms.ql @@ -0,0 +1,18 @@ +/** + * @name Key Derivation Algorithms + * @description Finds all potential usage of key derivation using the supported libraries. + * @kind problem + * @id py/quantum-readiness/cbom/key-derivation + * @problem.severity error + * @precision high + * @tags cbom + * cryptography + */ + +import python +import experimental.cryptography.Concepts + +from KeyDerivationOperation op +// TODO: pull out all configuration from the operation? +select op, + "Use of key derivation algorithm " + op.getAlgorithm().(KeyDerivationAlgorithm).getKDFName() diff --git a/python/ql/src/experimental/cryptography/inventory/new_models/KeyExchangeAlgorithms.ql b/python/ql/src/experimental/cryptography/inventory/new_models/KeyExchangeAlgorithms.ql new file mode 100644 index 00000000000..35696dfc3f1 --- /dev/null +++ b/python/ql/src/experimental/cryptography/inventory/new_models/KeyExchangeAlgorithms.ql @@ -0,0 +1,16 @@ +/** + * @name Key Exchange Algorithms + * @description Finds all potential usage of key exchange using the supported libraries. + * @kind problem + * @id py/quantum-readiness/cbom/key-exchange + * @problem.severity error + * @precision high + * @tags cbom + * cryptography + */ + +import python +import experimental.cryptography.Concepts + +from KeyExchangeAlgorithm alg +select alg, "Use of algorithm " + alg.getName() diff --git a/python/ql/src/experimental/cryptography/inventory/new_models/SigningAlgorithms.ql b/python/ql/src/experimental/cryptography/inventory/new_models/SigningAlgorithms.ql new file mode 100644 index 00000000000..48ce3487ac1 --- /dev/null +++ b/python/ql/src/experimental/cryptography/inventory/new_models/SigningAlgorithms.ql @@ -0,0 +1,16 @@ +/** + * @name Signing Algorithms + * @description Finds all potential usage of signing algorithms using the supported libraries. + * @kind problem + * @id py/quantum-readiness/cbom/signing-algorithms + * @problem.severity error + * @precision high + * @tags cbom + * cryptography + */ + +import python +import experimental.cryptography.Concepts + +from SigningAlgorithm alg +select alg, "Use of algorithm " + alg.getName() diff --git a/python/ql/src/experimental/cryptography/inventory/new_models/SymmetricEncryptionAlgorithms.ql b/python/ql/src/experimental/cryptography/inventory/new_models/SymmetricEncryptionAlgorithms.ql new file mode 100644 index 00000000000..6d1b0b306b0 --- /dev/null +++ b/python/ql/src/experimental/cryptography/inventory/new_models/SymmetricEncryptionAlgorithms.ql @@ -0,0 +1,16 @@ +/** + * @name Symmetric Encryption Algorithms + * @description Finds all potential usage of symmetric encryption algorithms using the supported libraries. + * @kind problem + * @id py/quantum-readiness/cbom/symmetric-encryption-algorithms + * @problem.severity error + * @precision high + * @tags cbom + * cryptography + */ + +import python +import experimental.cryptography.Concepts + +from SymmetricEncryptionAlgorithm alg +select alg, "Use of algorithm " + alg.getEncryptionName() diff --git a/python/ql/src/experimental/cryptography/inventory/new_models/SymmetricPaddingAlgorithms.ql b/python/ql/src/experimental/cryptography/inventory/new_models/SymmetricPaddingAlgorithms.ql new file mode 100644 index 00000000000..0d05edaddab --- /dev/null +++ b/python/ql/src/experimental/cryptography/inventory/new_models/SymmetricPaddingAlgorithms.ql @@ -0,0 +1,15 @@ +/** + * @name Symmetric Padding Schemes + * @description Finds all potential usage of padding schemes used with symmeric algorithms. + * @kind problem + * @id py/quantum-readiness/cbom/symmetric-padding-schemes + * @problem.severity error + * @tags cbom + * cryptography + */ + +import python +import experimental.cryptography.Concepts + +from SymmetricPadding alg +select alg, "Use of algorithm " + alg.getPaddingName() diff --git a/python/ql/src/experimental/cryptography/inventory/old_models/AllCryptoAlgorithms.ql b/python/ql/src/experimental/cryptography/inventory/old_models/AllCryptoAlgorithms.ql new file mode 100644 index 00000000000..ef6b38829ac --- /dev/null +++ b/python/ql/src/experimental/cryptography/inventory/old_models/AllCryptoAlgorithms.ql @@ -0,0 +1,20 @@ +/** + * @name All Cryptographic Algorithms + * @description Finds all potential usage of cryptographic algorithms usage using the supported libraries. + * @kind problem + * @id py/quantum-readiness/cbom/classic-model/all-cryptographic-algorithms + * @problem.severity error + * @precision high + * @tags cbom + * cryptography + */ + +import python +import semmle.python.Concepts + +from Cryptography::CryptographicOperation operation, string algName +where + algName = operation.getAlgorithm().getName() + or + algName = operation.getBlockMode() +select operation, "Use of algorithm " + algName diff --git a/python/ql/src/experimental/cryptography/inventory/old_models/BlockModeAlgorithms.ql b/python/ql/src/experimental/cryptography/inventory/old_models/BlockModeAlgorithms.ql new file mode 100644 index 00000000000..fb5e412cc4d --- /dev/null +++ b/python/ql/src/experimental/cryptography/inventory/old_models/BlockModeAlgorithms.ql @@ -0,0 +1,17 @@ +/** + * @name Block cipher mode of operation + * @description Finds all potential block cipher modes of operations using the supported libraries. + * @kind problem + * @id py/quantum-readiness/cbom/classic-model/block-cipher-mode + * @problem.severity error + * @precision high + * @tags cbom + * cryptography + */ + +import python +import semmle.python.Concepts + +from Cryptography::CryptographicOperation operation, string algName +where algName = operation.getBlockMode() +select operation, "Use of algorithm " + algName diff --git a/python/ql/src/experimental/cryptography/inventory/old_models/HashingAlgorithms.ql b/python/ql/src/experimental/cryptography/inventory/old_models/HashingAlgorithms.ql new file mode 100644 index 00000000000..f06e00f9adf --- /dev/null +++ b/python/ql/src/experimental/cryptography/inventory/old_models/HashingAlgorithms.ql @@ -0,0 +1,22 @@ +/** + * @name Hash Algorithms + * @description Finds all potential usage of cryptographic hash algorithms using the supported libraries. + * @kind problem + * @id py/quantum-readiness/cbom/classic-model/hash-algorithms + * @problem.severity error + * @precision high + * @tags cbom + * cryptography + */ + +import python +import semmle.python.Concepts + +from Cryptography::CryptographicOperation operation, Cryptography::CryptographicAlgorithm algorithm +where + algorithm = operation.getAlgorithm() and + ( + algorithm instanceof Cryptography::HashingAlgorithm or + algorithm instanceof Cryptography::PasswordHashingAlgorithm + ) +select operation, "Use of algorithm " + operation.getAlgorithm().getName()