add verification for scalars

secp256k1_scalar_verify checks that scalars are reduced mod the
group order

src/scalar.h

@@ -99,4 +99,7 @@ static void secp256k1_scalar_mul_shift_var(secp256k1_scalar *r, const secp256k1_
 /** If flag is true, set *r equal to *a; otherwise leave it. Constant-time.  Both *r and *a must be initialized.*/
 static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag);
 
+/** Check invariants on a scalar (no-op unless VERIFY is enabled). */
+static void secp256k1_scalar_verify(const secp256k1_scalar *r);
+
 #endif /* SECP256K1_SCALAR_H */

src/scalar_impl.h

@@ -33,6 +33,14 @@ static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned c
     return (!overflow) & (!secp256k1_scalar_is_zero(r));
 }
 
+static void secp256k1_scalar_verify(const secp256k1_scalar *r) {
+#ifdef VERIFY
+    VERIFY_CHECK(secp256k1_scalar_check_overflow(r) == 0);
+#endif
+
+    (void)r;
+}
+
 #if defined(EXHAUSTIVE_TEST_ORDER)
 /* Begin of section generated by sage/gen_exhaustive_groups.sage. */
 #  if EXHAUSTIVE_TEST_ORDER == 7