SM2: Use constant time modular inversion

Fixes CVE-2025-9231

Issue and a proposed fix reported by Stanislav Fort (Aisle Research).

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit dff94dba75490d03926e77be9f2da3bcf4485820)

diff --git a/crypto/ec/ecp_sm2p256.c b/crypto/ec/ecp_sm2p256.c
index 7668b61378b629fd0ae17ccb317cd943a6376a17..f3ace351bdffe7794f1bc0a6811e293ecd04cf18 100644 (file)
--- a/crypto/ec/ecp_sm2p256.c
+++ b/crypto/ec/ecp_sm2p256.c
@@ -747,7 +747,7 @@ const EC_METHOD *EC_GFp_sm2p256_method(void)
         ossl_ec_GFp_simple_point_copy,
         ossl_ec_GFp_simple_point_set_to_infinity,
         ossl_ec_GFp_simple_point_set_affine_coordinates,
-        ecp_sm2p256_get_affine,
+        ossl_ec_GFp_simple_point_get_affine_coordinates,
         0, 0, 0,
         ossl_ec_GFp_simple_add,
         ossl_ec_GFp_simple_dbl,
@@ -763,7 +763,7 @@ const EC_METHOD *EC_GFp_sm2p256_method(void)
         ecp_sm2p256_field_mul,
         ecp_sm2p256_field_sqr,
         0 /* field_div */,
-        0 /* field_inv */,
+        ossl_ec_GFp_simple_field_inv,
         0 /* field_encode */,
         0 /* field_decode */,
         0 /* field_set_to_one */,
@@ -779,7 +779,7 @@ const EC_METHOD *EC_GFp_sm2p256_method(void)
         ossl_ecdsa_simple_sign_setup,
         ossl_ecdsa_simple_sign_sig,
         ossl_ecdsa_simple_verify_sig,
-        ecp_sm2p256_inv_mod_ord,
+        0, /* use constant‑time fallback for inverse mod order */
         0, /* blind_coordinates */
         0, /* ladder_pre */
         0, /* ladder_step */