Nmap Development mailing list archives
Nmap code appears in APISan presentation
From: David Fifield <david () bamsoftware com>
Date: Fri, 26 Aug 2016 09:54:45 -0600
I was in the audience at USENIX Security 2016 during the talk on APISan, a tool that checks for misuse of APIs. https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/yun https://github.com/sslab-gatech/apisan One of the examples featured a tricky OpenSSL API, SSL_get_verify_result. It's tricky because to use it correctly, you also have to call SSL_get_peer_certificate for the result to be meaningful. To my surprise, Nmap code appeared on one of the slides, and to my relief, was one of the ones that used the API correctly. Here is the example: https://www.usenix.org/sites/default/files/conference/protected-files/security16_slides_yun.pdf#13 There are two places in the Nmap code where SSL_get_verify_result result is called, one in Nsock and one in Ncat. Digging into the history, I found that I originally added both of them in 2009. The Nsock change is in /nmap-exp/david/nsock-ssl r13039, and the Ncat change is in /nmap-exp/david/ncat-ssl r13041. I laughed when I saw that there was even a helpful comment explaining the trickiness of the API: /* Check server certificate verification, after a connection is established. We check first that a certificate was even offered, then call SSL_get_verify_result to get the overall status of verification. (Just calling SSL_get_verify_result is not enough because that function returns X509_V_OK when 0 certificates are presented.) If the verification mode of the SSL object is SSL_VERIFY_NONE, or if OpenSSL is disabled, this function always returns true. */ _______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- Nmap code appears in APISan presentation David Fifield (Aug 26)