OpenSSL Advisory: December 7th, 2017

OpenSSL have published a security advisory. Here's how it affects BoringSSL:

| CVE | Summary | Severity in OpenSSL | Impact to BoringSSL |
|---|---|---|---|
| CVE-2017-3738 | rsaz_1024_mul_avx2 overflow bug | Low | Fix imported. See discussion below. |
| CVE-2017-3737 | Read/write after SSL object in error state | Moderate | Not affected; bug was introduced after fork. Recent revisions of BoringSSL fully support calling operations after fatal errors and do not consider it an application bug. |

CVE-2017-3738

(This was found by Google’s OSS-Fuzz project.)

Despite the function name, the code in question applies to DSA and Finite-Field Diffie-Hellman (FFDH), as well as RSA. In BoringSSL, this applies to all processors which support AVX2, not just those which do not support ADX. (We do not ship the ADX code, which previously had a different bug.)

RSA: The obvious attacks against RSA do not work because anti-glitching countermeasures will trigger. However, this does not eliminate the possibility of obtaining a Bleichenbacher-like oracle using this bug, and we recommend updating promptly.
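The countermeasure referred to above is the standard verify-before-release check on RSA-CRT output: the signer recomputes s^e mod n and withholds the signature unless it matches the input. The following toy is an added example, not BoringSSL's code; its key, its fault model (an exponentiation whose result is off by one, standing in for a miscomputed multiplication) and the function names are all constructed.

```python
# Added example: why a miscomputed modular exponentiation inside RSA-CRT
# signing is caught before a faulty signature leaves the signer.

# Constructed toy key. Far too small for real use; only the check matters.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ = D % (P - 1), D % (Q - 1)
QINV = pow(Q, -1, P)          # q^-1 mod p, for Garner recombination


class FaultDetected(Exception):
    """Raised when a CRT signature fails the public-key check."""


def crt_sign_unchecked(m, mod_exp=pow):
    """RSA-CRT signature of m with no output check.

    mod_exp is injectable so a broken exponentiation can be simulated.
    """
    s1 = mod_exp(m, DP, P)                  # m^d mod p
    s2 = mod_exp(m, DQ, Q)                  # m^d mod q
    h = (QINV * (s1 - s2)) % P              # Garner: lift to mod p*q
    return s2 + h * Q


def crt_sign(m, mod_exp=pow):
    """RSA-CRT signature with the anti-glitching check: verify s^e == m mod n
    using the public exponent before releasing s. A wrong s from either
    half of the CRT computation fails this check and is never returned."""
    s = crt_sign_unchecked(m, mod_exp)
    if pow(s, E, N) != m % N:
        raise FaultDetected("signature failed public-key check; withheld")
    return s


def faulty_pow(base, exp, mod):
    """Constructed fault model: correct for every modulus except q, where the
    result is off by one (mimicking a dropped carry in the multiply)."""
    r = pow(base, exp, mod)
    return (r + 1) % mod if mod == Q else r


def sign_or_none(m, mod_exp=pow):
    """Convenience wrapper: the signature, or None if the check tripped."""
    try:
        return crt_sign(m, mod_exp)
    except FaultDetected:
        return None
```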

FFDH: BoringSSL does not support FFDH in TLS. Non-TLS uses of DH with reused private keys could be affected.

DSA: BoringSSL has almost completely removed support for DSA. OpenSSL believes that attacks on DSA would be “very difficult to perform and are not believed likely”. We have not investigated more deeply due to our low DSA use.