[CVE-2021-3711] (https://www.openssl.org/news/secadv/20210824.txt) only applies to SM2 decryption, i.e., it is not related to the digital signature or key exchange algorithms in the SM2 family.
In the 1.1.1 branch of OpenSSL, libssl does not support RFC 8998, but in any case RFC 8998 only involves the digital signature and key exchange algorithms of SM2, not the public key encryption algorithm for which the security advisory has been released.
As such only applications programmatically using the SM2 public key encryption algorithm (and decryption in particular) should be affected by the mentioned security advisory.
Best regards,
Nicola Tuveri
On Fri, Aug 27, 2021, 15:40 Michael Wojcik <Michael.Wojcik@xxxxxxxxxxxxxx> wrote:
I imagine I could figure this out by reading the source, but does the SM2 fix (the high-severity issue for OpenSSL 1.1.1l) apply to TLS using SMx (RFC 8998), or just to applications that use SM2 directly via the EVP API? It wasn't clear from the announcement, unless I missed something.
We'll be picking up 1.1.1l shortly, but I'd like to be able to clarify the situation for management and customers.
--
Michael Wojcik
