lukasa
(Cory Benfield)
1
OpenSSL have published a security update addressing a bug. This bug partially affects BoringSSL as well, but only in a limited fashion, and it does not affect swift-nio-ssl or swift-crypto at all.
BoringSSL shares the same underlying bug in BN_mod_sqrt as OpenSSL, but as BoringSSL does not support certificates or remote input of arbitrary EC curves it's not possible to reach that code path without doing either of:
- Calling
EC_GROUP_new_curve_GFp with untrusted curve parameters
- Calling
BN_mod_sqrt with untrusted moduli
We do neither, and so there is no impact from this issue.
9 Likes
