SwiftNIO SSL and Swift Crypto impact of OpenSSL security update, March 15, 2022

OpenSSL have published a security update addressing a bug. The same bug is present in BoringSSL, but only in a limited fashion, and it does not affect swift-nio-ssl or swift-crypto at all.

BoringSSL shares the same underlying bug in BN_mod_sqrt as OpenSSL, but as BoringSSL does not accept arbitrary EC curve parameters from certificates or other remote input, it is not possible to reach that code path without doing one of the following:

  • Calling EC_GROUP_new_curve_GFp with untrusted curve parameters
  • Calling BN_mod_sqrt with untrusted moduli

We do neither, and so there is no impact from this issue.
