Nmap Development mailing list archives

Nmap code appears in APISan presentation


From: David Fifield <david () bamsoftware com>
Date: Fri, 26 Aug 2016 09:54:45 -0600

I was in the audience at USENIX Security 2016 during the talk on APISan,
a tool that checks for misuse of APIs.

https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/yun
https://github.com/sslab-gatech/apisan

One of the examples featured a tricky OpenSSL API, SSL_get_verify_result.
It's tricky because to use it correctly, you also have to call
SSL_get_peer_certificate for the result to be meaningful. To my
surprise, Nmap code appeared on one of the slides, and to my relief, was
one of the ones that used the API correctly. Here is the example:

https://www.usenix.org/sites/default/files/conference/protected-files/security16_slides_yun.pdf#13

There are two places in the Nmap code where SSL_get_verify_result
is called, one in Nsock and one in Ncat. Digging into the history, I
found that I originally added both of them in 2009. The Nsock change is
in /nmap-exp/david/nsock-ssl r13039, and the Ncat change is in
/nmap-exp/david/ncat-ssl r13041. I laughed when I saw that there was
even a helpful comment explaining the trickiness of the API:

/* Check server certificate verification, after a connection is established. We
   check first that a certificate was even offered, then call
   SSL_get_verify_result to get the overall status of verification. (Just
   calling SSL_get_verify_result is not enough because that function returns
   X509_V_OK when 0 certificates are presented.) If the verification mode of the
   SSL object is SSL_VERIFY_NONE, or if OpenSSL is disabled, this function
   always returns true. */
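The trap the comment describes, shown side by side as an added example (not Nmap's own code): a naive check that trusts SSL_get_verify_result alone accepts a peer that sent no certificate, while the corrected check requires a certificate first. The decision logic is kept in pure functions so it can be exercised without a live connection; the ssl_post_connect_check wrapper is a hypothetical name and is only compiled when OpenSSL headers are available.

```c
#include <stdbool.h>
#include <stddef.h>

#if defined(__has_include)
#  if __has_include(<openssl/ssl.h>)
#    include <openssl/ssl.h>
#    include <openssl/x509.h>
#    define HAVE_OPENSSL 1
#  endif
#endif

#ifndef HAVE_OPENSSL
/* Fallback values match OpenSSL's definitions so the pure functions below
   behave identically when built without the library. */
#  define SSL_VERIFY_NONE 0x00
#  define SSL_VERIFY_PEER 0x01
#  define X509_V_OK 0
#endif

/* Naive check: consults SSL_get_verify_result() alone. OpenSSL reports
   X509_V_OK when the peer presented no certificate at all, so this treats
   an unauthenticated peer (cert_present == false) as verified. */
bool naive_verify_ok(bool cert_present, long verify_result)
{
    (void)cert_present;           /* the bug: presence is never checked */
    return verify_result == X509_V_OK;
}

/* Corrected check, following the logic in the Nmap comment: honour
   SSL_VERIFY_NONE, then require a certificate, then consult the status. */
bool checked_verify_ok(int verify_mode, bool cert_present, long verify_result)
{
    if (verify_mode == SSL_VERIFY_NONE)
        return true;              /* caller opted out of verification */
    if (!cert_present)
        return false;             /* nothing was verified, so trust nothing */
    return verify_result == X509_V_OK;
}

#ifdef HAVE_OPENSSL
/* Hypothetical post-handshake wrapper over a live SSL object (assumed to be
   called once the connection is established). */
bool ssl_post_connect_check(SSL *ssl)
{
    X509 *cert = SSL_get_peer_certificate(ssl);
    bool present = (cert != NULL);
    if (cert != NULL)
        X509_free(cert);          /* SSL_get_peer_certificate adds a reference */
    return checked_verify_ok(SSL_get_verify_mode(ssl), present,
                             SSL_get_verify_result(ssl));
}
#endif
```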
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/