add missing group element invariant checks

The group element checks `secp256k1_{ge,gej}_verify` have first been
implemented and added in commit f202667
(PR bitcoin-core#1299). This commit adds additional verification calls in group
functions, to match the ones that were originally proposed in commit
09dbba5 of WIP-PR bitcoin-core#1032 (which is
obviously not rebased on bitcoin-core#1299 yet).

Co-authored-by: Peter Dettman <[email protected]>

Author: theStack

src/group_impl.h

@@ -154,6 +154,8 @@ static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a) {
     secp256k1_fe_mul(&a->x, &a->x, &z2);
     secp256k1_fe_mul(&a->y, &a->y, &z3);
     secp256k1_fe_set_int(&a->z, 1);
+    secp256k1_gej_verify(a);
+
     r->x = a->x;
     r->y = a->y;
     secp256k1_ge_verify(r);
@@ -173,6 +175,8 @@ static void secp256k1_ge_set_gej_var(secp256k1_ge *r, secp256k1_gej *a) {
     secp256k1_fe_mul(&a->x, &a->x, &z2);
     secp256k1_fe_mul(&a->y, &a->y, &z3);
     secp256k1_fe_set_int(&a->z, 1);
+    secp256k1_gej_verify(a);
+
     secp256k1_ge_set_xy(r, &a->x, &a->y);
     secp256k1_ge_verify(r);
 }
@@ -231,6 +235,7 @@ static void secp256k1_ge_table_set_globalz(size_t len, secp256k1_ge *a, const se
         secp256k1_fe_verify(&zr[i]);
         /* Ensure all y values are in weak normal form for fast negation of points */
         secp256k1_fe_normalize_weak(&a[i].y);
+        secp256k1_ge_verify(&a[i]);
         zs = zr[i];
 
         /* Work our way backwards, using the z-ratios to scale the x/y values. */
@@ -269,12 +274,14 @@ static void secp256k1_gej_clear(secp256k1_gej *r) {
     secp256k1_fe_clear(&r->x);
     secp256k1_fe_clear(&r->y);
     secp256k1_fe_clear(&r->z);
+    secp256k1_gej_verify(r);
 }
 
 static void secp256k1_ge_clear(secp256k1_ge *r) {
     r->infinity = 0;
     secp256k1_fe_clear(&r->x);
     secp256k1_fe_clear(&r->y);
+    secp256k1_ge_verify(r);
 }
 
 static int secp256k1_ge_set_xo_var(secp256k1_ge *r, const secp256k1_fe *x, int odd) {
@@ -544,6 +551,7 @@ static void secp256k1_gej_add_zinv_var(secp256k1_gej *r, const secp256k1_gej *a,
     /* 9 mul, 3 sqr, 13 add/negate/normalize_weak/normalizes_to_zero (ignoring special cases) */
     secp256k1_fe az, z12, u1, u2, s1, s2, h, i, h2, h3, t;
 
+    secp256k1_gej_verify(a);
     secp256k1_ge_verify(b);
     secp256k1_fe_verify(bzinv);
     if (a->infinity) {
@@ -554,6 +562,7 @@ static void secp256k1_gej_add_zinv_var(secp256k1_gej *r, const secp256k1_gej *a,
         secp256k1_fe_mul(&r->x, &b->x, &bzinv2);
         secp256k1_fe_mul(&r->y, &b->y, &bzinv3);
         secp256k1_fe_set_int(&r->z, 1);
+        secp256k1_gej_verify(r);
         return;
     }
     if (b->infinity) {
@@ -817,6 +826,7 @@ static int secp256k1_ge_is_in_correct_subgroup(const secp256k1_ge* ge) {
     }
     return secp256k1_gej_is_infinity(&out);
 #else
+    secp256k1_ge_verify(ge);
     (void)ge;
     /* The real secp256k1 group has cofactor 1, so the subgroup is the entire curve. */
     return 1;