[SECP256K1] Check correctness of lambda split without -DVERIFY

Summary:
```
The VERIFY macro turns on various paranoid consistency checks, but the
complete functionality should still be tested without it.

This also adds a couple of static test points for extremely small split
inputs/outputs. The existing bounds vectors already check extremely
large outputs.
```

Partial backport 7/11 of secp256k1 [[bitcoin-core/secp256k1#830 | PR830]]:
bitcoin-core/secp256k1@ebad841

Depends on D8042.

Test Plan:
  ninja check-secp256k1

Reviewers: #bitcoin_abc, deadalnix

Reviewed By: #bitcoin_abc, deadalnix

Differential Revision: https://reviews.bitcoinabc.org/D8043

src/tests.c

@@ -3634,12 +3634,17 @@ void run_ecmult_gen_blind(void) {
 #ifdef USE_ENDOMORPHISM
 /***** ENDOMORPHISH TESTS *****/
 void test_scalar_split(const secp256k1_scalar* full) {
-    secp256k1_scalar s1, slam;
+    secp256k1_scalar s, s1, slam;
     const unsigned char zero[32] = {0};
     unsigned char tmp[32];
 
     secp256k1_scalar_split_lambda(&s1, &slam, full);
 
+    /* check slam*lambda + s1 == full */
+    secp256k1_scalar_mul(&s, &secp256k1_const_lambda, &slam);
+    secp256k1_scalar_add(&s, &s, &s1);
+    CHECK(secp256k1_scalar_eq(&s, full));
+
     /* check that both are <= 128 bits in size */
     if (secp256k1_scalar_is_high(&s1)) {
         secp256k1_scalar_negate(&s1, &s1);
@@ -3657,6 +3662,15 @@ void test_scalar_split(const secp256k1_scalar* full) {
 
 void run_endomorphism_tests(void) {
     unsigned i;
+    static secp256k1_scalar s;
+    test_scalar_split(&secp256k1_scalar_zero);
+    test_scalar_split(&secp256k1_scalar_one);
+    secp256k1_scalar_negate(&s,&secp256k1_scalar_one);
+    test_scalar_split(&s);
+    test_scalar_split(&secp256k1_const_lambda);
+    secp256k1_scalar_add(&s, &secp256k1_const_lambda, &secp256k1_scalar_one);
+    test_scalar_split(&s);
+
     for (i = 0; i < 100U * count; ++i) {
         secp256k1_scalar full;
         random_scalar_order_test(&full);