From cb4ce5e354c1e36ef0ff2425e82b7fdbeeb971e9 Mon Sep 17 00:00:00 2001
From: Luke Parker
Date: Thu, 23 Feb 2023 00:57:41 -0500
Subject: [PATCH] 3.1.3 Use a checked_add for the modulus in secp256k1/P-256

---
 crypto/ciphersuite/src/kp256.rs | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/crypto/ciphersuite/src/kp256.rs b/crypto/ciphersuite/src/kp256.rs
index 983751fb..aa84f8e5 100644
--- a/crypto/ciphersuite/src/kp256.rs
+++ b/crypto/ciphersuite/src/kp256.rs
@@ -6,7 +6,7 @@ use group::ff::{Field, PrimeField};
 
 use elliptic_curve::{
   generic_array::GenericArray,
-  bigint::{Encoding, U384},
+  bigint::{CheckedAdd, Encoding, U384},
   hash2curve::{Expander, ExpandMsg, ExpandMsgXmd},
 };
 
@@ -64,7 +64,11 @@ macro_rules! kp_curve {
       // The byte repr of scalars will be 32 big-endian bytes
       // Set the lower 32 bytes of our 48-byte array accordingly
       modulus[16 ..].copy_from_slice(&(Self::F::zero() - Self::F::one()).to_bytes());
-      let modulus = U384::from_be_slice(&modulus).wrapping_add(&U384::ONE);
+      // Use a checked_add + unwrap since this addition cannot fail (being a 32-byte value with
+      // 48-bytes of space)
+      // While a non-panicking saturating_add/wrapping_add could be used, they'd likely be less
+      // performant
+      let modulus = U384::from_be_slice(&modulus).checked_add(&U384::ONE).unwrap();
       // The defined P-256 and secp256k1 ciphersuites both use expand_message_xmd
       let mut wide = U384::from_be_bytes({