all: merge v1.1.1 security fix

I tagged it on top of only v1.1.0 to minimize the jump when applying it.

Author: FiloSottile

edwards25519_test.go

@@ -18,6 +18,9 @@ var I = NewIdentityPoint()
 func checkOnCurve(t *testing.T, points ...*Point) {
 	t.Helper()
 	for i, p := range points {
+		if p.z.Equal(new(field.Element)) == 1 {
+			t.Errorf("point %d has Z == 0 (degenerate projective point)", i)
+		}
 		var XX, YY, ZZ, ZZZZ field.Element
 		XX.Square(&p.x)
 		YY.Square(&p.y)

extra.go

@@ -270,6 +270,7 @@ func (v *Point) MultiScalarMult(scalars []*Scalar, points []*Point) *Point {
 	tmp1 := &projP1xP1{}
 	tmp2 := &projP2{}
 	// Lookup-and-add the appropriate multiple of each input point
+	v.Set(NewIdentityPoint())
 	for j := range tables {
 		tables[j].SelectInto(multiple, digits[j][63])
 		tmp1.Add(v, multiple) // tmp1 = v + x_(j,63)*Q in P1xP1 coords

extra_test.go

@@ -149,6 +149,36 @@ func TestMultiScalarMultMatchesBaseMult(t *testing.T) {
 	}
 }
 
+func TestMultiScalarMultZeroReceiver(t *testing.T) {
+	// A zero-value (uninitialized) receiver should be handled correctly,
+	// producing a valid point on the curve.
+	var p Point
+	p.MultiScalarMult([]*Scalar{dalekScalar}, []*Point{B})
+
+	var check Point
+	check.ScalarBaseMult(dalekScalar)
+
+	checkOnCurve(t, &p, &check)
+	if p.Equal(&check) != 1 {
+		t.Error("MultiScalarMult with zero-value receiver did not match ScalarBaseMult")
+	}
+}
+
+func TestMultiScalarMultReceiverAliasing(t *testing.T) {
+	// The receiver v aliasing one of the input points should produce
+	// the correct result.
+	p := NewGeneratorPoint()
+	p.MultiScalarMult([]*Scalar{dalekScalar}, []*Point{p})
+
+	var check Point
+	check.ScalarBaseMult(dalekScalar)
+
+	checkOnCurve(t, p, &check)
+	if p.Equal(&check) != 1 {
+		t.Error("MultiScalarMult with aliased receiver did not match ScalarBaseMult")
+	}
+}
+
 func TestVarTimeMultiScalarMultMatchesBaseMult(t *testing.T) {
 	varTimeMultiScalarMultMatchesBaseMult := func(x, y, z Scalar) bool {
 		var p, q1, q2, q3, check Point