From 672b1016ffad59a615eb49b30a6f0d7ad8c4627e Mon Sep 17 00:00:00 2001
From: Sebastian Falbesoner
Date: Thu, 15 Jun 2023 00:21:20 +0200
Subject: [PATCH] add missing group element invariant checks

The group element checks `secp256k1_{ge,gej}_verify` have first been implemented and added in commit f20266722ac93ca66d1beb0d2f2d2469b95aafea (PR #1299). This commit adds additional verification calls in group functions, to match the ones that were originally proposed in commit 09dbba561fdb9d57a2cc9842ce041d9ba29a6189 of WIP-PR #1032 (which is obviously not rebased on #1299 yet).

Co-authored-by: Peter Dettman
---
 src/group_impl.h | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/group_impl.h b/src/group_impl.h
index ffdfeaa10a..16c53459e6 100644
--- a/src/group_impl.h
+++ b/src/group_impl.h
@@ -154,6 +154,8 @@ static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a) {
     secp256k1_fe_mul(&a->x, &a->x, &z2);
     secp256k1_fe_mul(&a->y, &a->y, &z3);
     secp256k1_fe_set_int(&a->z, 1);
+    secp256k1_gej_verify(a);
+
     r->x = a->x;
     r->y = a->y;
     secp256k1_ge_verify(r);
@@ -173,6 +175,8 @@ static void secp256k1_ge_set_gej_var(secp256k1_ge *r, secp256k1_gej *a) {
     secp256k1_fe_mul(&a->x, &a->x, &z2);
     secp256k1_fe_mul(&a->y, &a->y, &z3);
     secp256k1_fe_set_int(&a->z, 1);
+    secp256k1_gej_verify(a);
+
     secp256k1_ge_set_xy(r, &a->x, &a->y);
     secp256k1_ge_verify(r);
 }
@@ -231,6 +235,7 @@ static void secp256k1_ge_table_set_globalz(size_t len, secp256k1_ge *a, const se
         secp256k1_fe_verify(&zr[i]);
         /* Ensure all y values are in weak normal form for fast negation of points */
         secp256k1_fe_normalize_weak(&a[i].y);
+        secp256k1_ge_verify(&a[i]);
         zs = zr[i];
 
         /* Work our way backwards, using the z-ratios to scale the x/y values. */
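Review bot: The `secp256k1_gej_verify(a)` calls added to secp256k1_ge_set_gej and secp256k1_ge_set_gej_var (the first two hunks) are each followed by an added empty line, while every other hunk in this patch inserts its `_verify` call directly between the existing statements; dropping the two blank lines keeps the check visually attached to the state it checks, `secp256k1_fe_set_int(&a->z, 1);` `secp256k1_gej_verify(a);` `r->x = a->x;`. Both functions start above their hunks, so whether `a` is also verified on entry, before its coordinates are rescaled, is not visible here.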
@@ -269,12 +274,14 @@ static void secp256k1_gej_clear(secp256k1_gej *r) {
     secp256k1_fe_clear(&r->x);
     secp256k1_fe_clear(&r->y);
     secp256k1_fe_clear(&r->z);
+    secp256k1_gej_verify(r);
 }
 
 static void secp256k1_ge_clear(secp256k1_ge *r) {
     r->infinity = 0;
     secp256k1_fe_clear(&r->x);
     secp256k1_fe_clear(&r->y);
+    secp256k1_ge_verify(r);
 }
 
 static int secp256k1_ge_set_xo_var(secp256k1_ge *r, const secp256k1_fe *x, int odd) {
@@ -547,6 +554,7 @@ static void secp256k1_gej_add_zinv_var(secp256k1_gej *r, const secp256k1_gej *a,
     /* 9 mul, 3 sqr, 13 add/negate/normalize_weak/normalizes_to_zero (ignoring special cases) */
     secp256k1_fe az, z12, u1, u2, s1, s2, h, i, h2, h3, t;
 
+    secp256k1_gej_verify(a);
     secp256k1_ge_verify(b);
     secp256k1_fe_verify(bzinv);
     if (a->infinity) {
@@ -557,6 +565,7 @@ static void secp256k1_gej_add_zinv_var(secp256k1_gej *r, const secp256k1_gej *a,
         secp256k1_fe_mul(&r->x, &b->x, &bzinv2);
         secp256k1_fe_mul(&r->y, &b->y, &bzinv3);
         secp256k1_fe_set_int(&r->z, 1);
+        secp256k1_gej_verify(r);
         return;
     }
     if (b->infinity) {
@@ -820,6 +829,7 @@ static int secp256k1_ge_is_in_correct_subgroup(const secp256k1_ge* ge) {
     }
     return secp256k1_gej_is_infinity(&out);
 #else
+    secp256k1_ge_verify(ge);
     (void)ge;
     /* The real secp256k1 group has cofactor 1, so the subgroup is the entire curve. */
     return 1;
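Review bot: The `secp256k1_ge_verify(r)` added at the end of secp256k1_ge_clear is applied to a value that is deliberately not a group element: the hunk sets `r->infinity = 0` and zeroes x and y, so r is the non-infinity affine pair (0, 0), which is not a point on the curve, and secp256k1_gej_clear likewise leaves all three coordinates cleared, a degenerate Jacobian triple with z = 0. Whether the current `_verify` functions check on-curve-ness is not visible in this hunk; if they only check field-element form and the infinity flag, these two calls assert nothing about the cleared value, and if an on-curve check is ever added to `_verify` they will start to fire. Either leave the clear functions without a verify call, or add a comment stating the limitation, e.g. `/* The cleared value is intentionally not a valid group element; only the field-element invariants hold here. */`.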
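Review bot: In secp256k1_gej_add_zinv_var the new `secp256k1_gej_verify(r)` covers only the `a->infinity` early return; the `b->infinity` branch that begins on the hunk's last line and the general-case result are outside the hunk, so I cannot confirm that r is verified on those exits as well. If it is not, add the same call before each remaining `return` and at the end of the function so the output invariant is checked on every path, matching the entry-side checks `secp256k1_gej_verify(a);` `secp256k1_ge_verify(b);` `secp256k1_fe_verify(bzinv);` from the previous hunk. The function's body continues past both hunks.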
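Review bot: The new `secp256k1_ge_verify(ge)` in secp256k1_ge_is_in_correct_subgroup sits only in the `#else` branch, so the `#if` branch, which starts above the hunk and uses `ge` on the way to `return secp256k1_gej_is_infinity(&out);`, is not covered unless it already verifies ge itself; hoisting the call above the preprocessor conditional, as the first statement of the function, would check the input in both build configurations. The `(void)ge;` that follows existed to silence the unused-parameter warning in this branch and becomes redundant once ge is passed to a function, provided `secp256k1_ge_verify` is a real function rather than a macro that expands to nothing in some configurations; if so, drop it.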