Make secp256k1_ecmult_const handle infinity.

Infinity isn't currently needed here, but correctly handling it is a
 little more safe against future changes.

Update docs for it to make it clear that it is not constant time in Q.
 It never was constant time in Q (and would be a little complicated
 to make constant time in Q).

If it was later made constant time in Q infinity support would be easy
 to preserve, e.g. by running it on a dummy value and cmoving infinity
 into the output.

src/ecmult_const.h

@@ -11,7 +11,7 @@
 #include "group.h"
 
 /**
- * Multiply: R = q*A (in constant-time)
+ * Multiply: R = q*A (in constant-time for q)
  * Here `bits` should be set to the maximum bitlength of the _absolute value_ of `q`, plus
  * one because we internally sometimes add 2 to the number during the WNAF conversion.
  */

src/ecmult_const_impl.h

@@ -152,6 +152,10 @@ static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, cons
 
     /* build wnaf representation for q. */
     int rsize = size;
+    if (secp256k1_ge_is_infinity(a)) {
+      secp256k1_gej_set_infinity(r);
+      return;
+    }
 #ifdef USE_ENDOMORPHISM
     if (size > 128) {
         rsize = 128;

src/tests_exhaustive.c

@@ -172,10 +172,8 @@ void test_exhaustive_ecmult(const secp256k1_context *ctx, const secp256k1_ge *gr
                 secp256k1_ecmult(&ctx->ecmult_ctx, &tmp, &groupj[r_log], &na, &ng);
                 ge_equals_gej(&group[(i * r_log + j) % order], &tmp);
 
-                if (i > 0) {
-                    secp256k1_ecmult_const(&tmp, &group[i], &ng, 256);
-                    ge_equals_gej(&group[(i * j) % order], &tmp);
-                }
+                secp256k1_ecmult_const(&tmp, &group[i], &ng, 256);
+                ge_equals_gej(&group[(i * j) % order], &tmp);
             }
         }
     }