From c7d0454932b42a9728b55033c94e000b1dbbb6f2 Mon Sep 17 00:00:00 2001
From: stratospher <44024636+stratospher@users.noreply.github.com>
Date: Tue, 4 Jul 2023 00:43:10 +0530
Subject: [PATCH] add verification for scalars

secp256k1_scalar_verify checks that scalars are reduced mod the
group order
---
 src/scalar.h      | 3 +++
 src/scalar_impl.h | 8 ++++++++
 2 files changed, 11 insertions(+)

diff --git a/src/scalar.h b/src/scalar.h
index 63c0d646a..4b3c2998b 100644
--- a/src/scalar.h
+++ b/src/scalar.h
@@ -99,4 +99,7 @@ static void secp256k1_scalar_mul_shift_var(secp256k1_scalar *r, const secp256k1_
 /** If flag is true, set *r equal to *a; otherwise leave it. Constant-time.  Both *r and *a must be initialized.*/
 static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag);
 
+/** Check invariants on a scalar (no-op unless VERIFY is enabled). */
+static void secp256k1_scalar_verify(const secp256k1_scalar *r);
+
 #endif /* SECP256K1_SCALAR_H */
diff --git a/src/scalar_impl.h b/src/scalar_impl.h
index bed7f95fc..77abb8365 100644
--- a/src/scalar_impl.h
+++ b/src/scalar_impl.h
@@ -33,6 +33,14 @@ static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned c
     return (!overflow) & (!secp256k1_scalar_is_zero(r));
 }
 
+static void secp256k1_scalar_verify(const secp256k1_scalar *r) {
+#ifdef VERIFY
+    VERIFY_CHECK(secp256k1_scalar_check_overflow(r) == 0);
+#endif
+
+    (void)r;
+}
+
 #if defined(EXHAUSTIVE_TEST_ORDER)
 /* Begin of section generated by sage/gen_exhaustive_groups.sage. */
 #  if EXHAUSTIVE_TEST_ORDER == 7