aliasing problem in gcry_mpi_ec_mul()

[Markus Teich]

Heyho,

I noticed an undocumented inconsistency with the low level ECC functions. This
happens for Edwards Curve computations. When giving the mul function the same
point twice, once as output and once as input, the computation fails, because
the result-> coordinates are set to the zero point and therefore the input is
lost in the beginning of _gcry_mpi_ec_mul_point(). The expected behavior for the
following call would be to multiply P by s and update P to hold the result:

gcry_mpi_ec_mul(P, s, P, ctx);

At least for addition it works this way and I can happily add P to itself and
store it within P again in the same call:

gcry_mpi_ec_add(P, P, P, ctx);

Christian mentioned this problem class is called "aliasing". I don't know if any
other functions are affected by this problem and found no obvious fix for the
mul function. If this discrepancy is intended it should be documented at least.
Also the documentation on https://www.gnupg.org/documentation/manuals/gcrypt/ is
out of date and should be updated.

--Markus