From 549c47de65a40fd28cd6c18b2c98d973d9183979 Mon Sep 17 00:00:00 2001
From: Sean Parkinson
Date: Wed, 19 Aug 2020 10:21:53 +1000
Subject: [PATCH] Handle when k is 1 or order + 1 for timing resistant ECC
---
 wolfcrypt/src/ecc.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c
index 7215dc317..6e4630816 100644
--- a/wolfcrypt/src/ecc.c
+++ b/wolfcrypt/src/ecc.c
@@ -3105,6 +3105,23 @@ int wc_ecc_mulmod_ex2(mp_int* k, ecc_point *G, ecc_point *R, mp_int* a,
 if (err == MP_OKAY)
 err = ecc_mulmod(&t, tG, R, M, a, modulus, mp, rng);

+ /* Check for k == 1 or k == order+1. Result will be 0 point which is not
+ * correct. Calculates 2 * order and get 0 point then adds base point
+ * which results in 0 point with constant time implementation)
+ */
+ if (err == MP_OKAY)
+ err = mp_add_d(order, 1, &t);
+ if (err == MP_OKAY) {
+ int kIsOne = (mp_cmp_d(k, 1) == MP_EQ) | (mp_cmp(k, &t) == MP_EQ);
+ err = mp_cond_copy(tG->x, kIsOne, R->x);
+ if (err == 0) {
+ err = mp_cond_copy(tG->y, kIsOne, R->y);
+ }
+ if (err == 0) {
+ err = mp_cond_copy(tG->z, kIsOne, R->z);
+ }
+ }
+
 mp_forcezero(&t);
 mp_free(&t);
 #else
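Review bot: The `kIsOne` line passes the secret scalar `k` through `mp_cmp_d` and `mp_cmp`, and nothing in this hunk shows those comparisons to be constant-time; if a math backend returns at the first differing digit, this timing-resistant path gains a data-dependent early exit on `k`. The non-short-circuit `|` and the use of `mp_cond_copy` look deliberate, so I would record the assumption next to the comparison, e.g. `/* k is secret: mp_cmp/mp_cmp_d must not exit early here - confirm for each math backend */`, or use a constant-time comparison if the library provides one. Two smaller points: the new block tests `err == 0` where the surrounding lines use `err == MP_OKAY`, and the block comment has an unbalanced `)` and would read better if it said plainly that the multiply yields the zero point for these two scalars, so R is overwritten with tG. wc_ecc_mulmod_ex2 begins and ends outside the hunk.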