@q3k @cesarb I think this is right. We confirmed it hooks additional functions (RSA_get0_key), and we speculate its modifying logs as well (check out what it's doing around the "Accepted password for" strings)