Refactor: Expand crypto library API patterns

cursoragent · script3r · cursoragent · commit 582c6ea95b29 · 2025-09-13T02:47:52.000Z
This commit expands the API patterns for various cryptographic libraries to improve detection accuracy.

Co-authored-by: script3r &lt;script3r@gmail.com&gt;
diff --git a/patterns.toml b/patterns.toml
@@ -7,7 +7,13 @@ name = "OpenSSL"
 languages = ["C", "C++"]
 [library.patterns]
 include = ["^\\s*#\\s*include\\s*<openssl/[^>]+>"]
-apis = ["\\bEVP_\\w+\\(", "\\bRSA_\\w+\\(", "\\bSSL_\\w+\\("]
+apis = [
+  "\\bEVP_EncryptInit_ex\\(",
+  "\\bEVP_DecryptInit_ex\\(",
+  "\\bHMAC_Init_ex\\(",
+  "\\bEVP_DigestSignInit\\(",
+  "\\bEVP_DigestVerifyInit\\(",
+]
 
 [[library]]
 name = "LibreSSL"
@@ -28,47 +34,101 @@ name = "libsodium"
 languages = ["C", "C++"]
 [library.patterns]
 include = ["^\\s*#\\s*include\\s*<sodium(?:/[^>]+)?>"]
-apis = ["\\bcrypto_[a-z0-9_]+\\("]
+apis = [
+  "\\bcrypto_secretbox_easy\\(",
+  "\\bcrypto_secretbox_open_easy\\(",
+  "\\bcrypto_aead_chacha20poly1305_ietf_encrypt\\(",
+  "\\bcrypto_aead_chacha20poly1305_ietf_decrypt\\(",
+  "\\bcrypto_auth\\(",
+  "\\bcrypto_auth_verify\\(",
+  "\\bcrypto_sign_detached\\(",
+  "\\bcrypto_sign_verify_detached\\(",
+]
 
 [[library]]
 name = "GnuTLS"
 languages = ["C", "C++"]
 [library.patterns]
 include = ["^\\s*#\\s*include\\s*<gnutls/gnutls\\.h>"]
-apis = ["\\bgnutls_\\w+\\("]
+apis = [
+  "\\bgnutls_cipher_encrypt2\\(",
+  "\\bgnutls_cipher_decrypt2\\(",
+  "\\bgnutls_hmac_init\\(",
+  "\\bgnutls_hmac\\(",
+  "\\bgnutls_privkey_sign_data\\(",
+  "\\bgnutls_pubkey_verify_data2\\(",
+]
 
 [[library]]
 name = "libgcrypt"
 languages = ["C", "C++"]
 [library.patterns]
 include = ["^\\s*#\\s*include\\s*<gcrypt\\.h>"]
-apis = ["\\bgcry_\\w+\\("]
+apis = [
+  "\\bgcry_cipher_encrypt\\(",
+  "\\bgcry_cipher_decrypt\\(",
+  "\\bgcry_md_setkey\\(",
+  "\\bgcry_pk_sign\\(",
+  "\\bgcry_pk_verify\\(",
+]
 
 [[library]]
 name = "Crypto++"
 languages = ["C", "C++"]
 [library.patterns]
 include = ["^\\s*#\\s*include\\s*<cryptopp/[^>]+>"]
 namespace = ["CryptoPP::"]
+apis = [
+  "CryptoPP::CBC_Mode<.*>::Encryption",
+  "CryptoPP::CBC_Mode<.*>::Decryption",
+  "CryptoPP::HMAC<",
+  "CryptoPP::RSASS<.*>::Signer",
+  "CryptoPP::RSASS<.*>::Verifier",
+  "CryptoPP::ECDSA<.*>::Signer",
+  "CryptoPP::ECDSA<.*>::Verifier",
+]
 
 [[library]]
 name = "Botan"
 languages = ["C", "C++"]
 [library.patterns]
 include = ["^\\s*#\\s*include\\s*<botan/[^>]+>"]
 namespace = ["Botan::"]
+apis = [
+  "Botan::Cipher_Mode::create",
+  "Botan::AEAD_Mode::create",
+  "Botan::MessageAuthenticationCode::create",
+  "Botan::PK_Signer",
+  "Botan::PK_Verifier",
+]
 
 [[library]]
 name = "wolfSSL"
 languages = ["C", "C++"]
 [library.patterns]
 include = ["^\\s*#\\s*include\\s*<wolfssl/[^>]+>"]
+apis = [
+  "\\bwc_AesGcmEncrypt\\(",
+  "\\bwc_AesGcmDecrypt\\(",
+  "\\bwc_HmacSetKey\\(",
+  "\\bwc_HmacUpdate\\(",
+  "\\bwc_HmacFinal\\(",
+  "\\bwc_SignatureGenerate\\(",
+  "\\bwc_SignatureVerify\\(",
+]
 
 [[library]]
 name = "mbedTLS"
 languages = ["C", "C++"]
 [library.patterns]
 include = ["^\\s*#\\s*include\\s*<mbedtls/[^>]+>"]
+apis = [
+  "\\bmbedtls_gcm_crypt_and_tag\\(",
+  "\\bmbedtls_gcm_auth_decrypt\\(",
+  "\\bmbedtls_md_hmac\\(",
+  "\\bmbedtls_pk_sign\\(",
+  "\\bmbedtls_pk_verify\\(",
+]
 
 [[library]]
 name = "BouncyCastle"
@@ -78,20 +138,38 @@ import = [
   "^\\s*import\\s+org\\.bouncycastle\\.",
   "^\\s*import\\s+org\\.bouncycastle\\.jce\\.provider\\.BouncyCastleProvider",
 ]
-apis = ["Cipher\\.getInstance\\(.*,\"BC\"\\)", "new\\s+BouncyCastleProvider\\("]
+apis = [
+  "Cipher\\.getInstance\\(.*,?\"BC\"?\\)",
+  "Mac\\.getInstance\\(",
+  "Signature\\.getInstance\\(",
+  "\\.sign\\(",
+  "\\.verify\\(",
+]
 
 [[library]]
 name = "Google Tink"
 languages = ["Java"]
 [library.patterns]
 import = ["^\\s*import\\s+com\\.google\\.crypto\\.tink\\."]
-apis = ["TinkConfig\\.register\\("]
+apis = [
+  "TinkConfig\\.register\\(",
+  "\\.encrypt\\(",
+  "\\.decrypt\\(",
+  "computeMac\\(",
+  "verifyMac\\(",
+  "\\bsign\\(",
+  "\\bverify\\(",
+]
 
 [[library]]
 name = "Conscrypt"
 languages = ["Java"]
 [library.patterns]
 import = ["^\\s*import\\s+org\\.conscrypt\\."]
+apis = [
+  "Cipher\\.getInstance\\(",
+  "Signature\\.getInstance\\(",
+]
 
 [[library]]
 name = "Go x/crypto"
@@ -124,6 +202,17 @@ apis = [
   "rustls::ClientConfig",
   "sodiumoxide::crypto::",
   "aes_gcm::Aes256Gcm",
+  "\\bAes256Gcm::new\\(",
+  "\\baead::Aead\\b",
+  "\\bencrypt\\(",
+  "\\bdecrypt\\(",
+  "\\bhmac::Hmac\\b",
+  "\\bMac::verify_slice\\(",
+  "ring::aead::seal_in_place",
+  "ring::aead::open_in_place",
+  "ring::hmac::sign",
+  "ring::signature::.*::sign",
+  "ring::signature::.*::verify",
 ]
 
 [[library]]
@@ -134,7 +223,16 @@ import = [
   "^\\s*from\\s+cryptography\\b",
   "^\\s*import\\s+cryptography\\b",
 ]
-apis = ["Fernet\\(", "AESGCM\\("]
+apis = [
+  "Fernet\\(",
+  "\\.encrypt\\(",
+  "\\.decrypt\\(",
+  "AESGCM\\(",
+  "hmac\\.HMAC\\(",
+  "\\.finalize\\(",
+  "\\.verify\\(",
+  "\\.sign\\(",
+]
 
 [[library]]
 name = "PyCryptodome"
@@ -144,27 +242,49 @@ import = [
   "^\\s*from\\s+Crypto\\b",
   "^\\s*import\\s+Crypto\\b",
 ]
-apis = ["Crypto\\.Cipher\\.AES"]
+apis = [
+  "Crypto\\.Cipher\\.AES\\.new\\(",
+  "\\.encrypt\\(",
+  "\\.decrypt\\(",
+  "Crypto\\.Hash\\.HMAC\\.new\\(",
+  "Crypto\\.Signature\\.pkcs1_15\\.new\\(.*\\)\\.sign\\(",
+  "Crypto\\.Signature\\.pkcs1_15\\.new\\(.*\\)\\.verify\\(",
+]
 
 [[library]]
 name = "PyNaCl"
 languages = ["Python"]
 [library.patterns]
 import = ["^\\s*from\\s+nacl\\b", "^\\s*import\\s+nacl\\b"]
-apis = ["nacl\\.secret"]
+apis = [
+  "nacl\\.secret\\.SecretBox",
+  "\\.encrypt\\(",
+  "\\.decrypt\\(",
+  "SigningKey\\.sign\\(",
+  "VerifyKey\\.verify\\(",
+]
 
 [[library]]
 name = "pyOpenSSL"
 languages = ["Python"]
 [library.patterns]
 import = ["^\\s*import\\s+OpenSSL\\b"]
-apis = ["OpenSSL\\.crypto"]
+apis = [
+  "OpenSSL\\.crypto\\.sign\\(",
+  "OpenSSL\\.crypto\\.verify\\(",
+]
 
 [[library]]
 name = "M2Crypto"
 languages = ["Python"]
 [library.patterns]
 import = ["^\\s*import\\s+M2Crypto\\b"]
+apis = [
+  "EVP\\.Cipher\\(",
+  "EVP\\.HMAC\\(",
+  "RSA\\.sign\\(",
+  "RSA\\.verify\\(",
+]
 
 [[library]]
 name = "phpseclib"
@@ -174,22 +294,46 @@ import = [
   "^\\s*use\\s+phpseclib",
   "^\\s*use\\s+phpseclib\\\\Crypt\\\\",
 ]
+apis = [
+  "->encrypt\\(",
+  "->decrypt\\(",
+  "->sign\\(",
+  "->verify\\(",
+]
 
 [[library]]
 name = "Defuse PHP Crypto"
 languages = ["PHP"]
 [library.patterns]
 import = ["^\\s*use\\s+Defuse\\\\Crypto\\\\"]
+apis = [
+  "Defuse\\\\Crypto\\\\Crypto::encrypt\\(",
+  "Defuse\\\\Crypto\\\\Crypto::decrypt\\(",
+]
 
 [[library]]
 name = "PHP sodium"
 languages = ["PHP"]
 [library.patterns]
-apis = ["\\bsodium_[a-z0-9_]+\\("]
+apis = [
+  "\\bsodium_crypto_secretbox\\(",
+  "\\bsodium_crypto_secretbox_open\\(",
+  "\\bsodium_crypto_aead_.*_encrypt\\(",
+  "\\bsodium_crypto_aead_.*_decrypt\\(",
+  "\\bsodium_crypto_auth\\(",
+  "\\bsodium_crypto_auth_verify\\(",
+  "\\bsodium_crypto_sign_detached\\(",
+  "\\bsodium_crypto_sign_verify_detached\\(",
+]
 
 [[library]]
 name = "PHP OpenSSL"
 languages = ["PHP"]
 [library.patterns]
-apis = ["\\bopenssl_(encrypt|decrypt|sign|verify)\\("]
+apis = [
+  "\\bopenssl_encrypt\\(",
+  "\\bopenssl_decrypt\\(",
+  "\\bopenssl_sign\\(",
+  "\\bopenssl_verify\\(",
+]
 
