OpenSSL have published a security update addressing a bug. This bug partially affects BoringSSL as well, but only in a limited fashion, and it does not affect swift-nio-ssl or swift-crypto at all.
BoringSSL shares the same underlying bug in BN_mod_sqrt
as OpenSSL, but as BoringSSL does not support certificates or remote input of arbitrary EC curves it's not possible to reach that code path without doing either of:
- Calling
EC_GROUP_new_curve_GFp
with untrusted curve parameters - Calling
BN_mod_sqrt
with untrusted moduli
We do neither, and so there is no impact from this issue.