Fix two misstatements of the Montgomery curve equation.

I got it right in all the serious code (or else my Curve25519 key
exchange wouldn't have worked), but I wrote it down wrongly in the
comment in ecc.h, putting the coefficient b on the RHS x term rather
than the LHS y^2. Then I repeated the same error in the point
decompression function in eccref.py.

contrib/eccref.py

@@ -327,8 +327,8 @@ class MontgomeryCurve(CurveBase):
     def cpoint(self, x, yparity=0):
         if not hasattr(self, 'sqrtmodp'):
             self.sqrtmodp = SqrtModP(self.p)
-        rhs = x**3 + self.a.n * x**2 + self.b.n * x
-        y = self.sqrtmodp.sqrt(rhs)
+        rhs = (x**3 + self.a.n * x**2 + x) / self.b
+        y = self.sqrtmodp.sqrt(int(rhs))
         if (y - yparity) % 2:
             y = -y
         return self.point(x, y)

ecc.h

@@ -108,7 +108,7 @@ void ecc_weierstrass_get_affine(WeierstrassPoint *wp, mp_int **x, mp_int **y);
  * Montgomery curves.
  *
  * A curve in this form is defined by two parameters a,b, and the
- * curve equation is y^2 = x^3 + ax^2 + bx.
+ * curve equation is by^2 = x^3 + ax^2 + x.
  *
  * As with Weierstrass curves, there's an additional point at infinity
  * that is the identity element, and the inverse of (x,y) is (x,-y).