mirror of https://github.com/openbsd/src.git synced 2026-06-18 15:23:33 +02:00

Add a point at infinity check to ecdh_compute_key()

While we already check that the peer's public point is on the curve and
will reject the point at infinity when getting the affine coordinates,
doing this earlier avoids doing work with the private key in a clearly
invalid case.

Suggested by Lucca Hirschi et al.

[An EC_KEY_check_key() call was also suggested but this is a bit expensive
and punishes callers that do that or equivalent already (e.g. ssh)]

ok jsing kenjiro
tb
2026-06-08 12:08:08 +00:00
parent a49f2cdc5c
commit fbcc15cb3f
+4 -1
@@ -1,4 +1,4 @@
/* $OpenBSD: ecdh.c,v 1.13 2026/03/18 08:02:40 tb Exp $ */
/* $OpenBSD: ecdh.c,v 1.14 2026/06/08 12:08:08 tb Exp $ */
/* ====================================================================
* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
*
@@ -169,6 +169,9 @@ ec_key_ecdh_compute_key(unsigned char **out, size_t *out_len,
if ((group = EC_KEY_get0_group(ecdh)) == NULL)
goto err;
if (EC_POINT_is_at_infinity(group, pub_key))
goto err;
if (EC_POINT_is_on_curve(group, pub_key, ctx) <= 0)
goto err;
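
Review bot: the added `EC_POINT_is_at_infinity()` check in ec_key_ecdh_compute_key() carries no comment, and since the commit message says the point at infinity is rejected later anyway when the affine coordinates are fetched, the branch will look redundant to a future reader. A one-line comment above it, saying it rejects a clearly invalid peer point before any work is done with the private key, would keep it from being dropped in a cleanup. Like the group lookup and the `EC_POINT_is_on_curve()` check next to it, the new branch jumps to `err` without pushing an error, so a caller cannot tell this rejection apart from the other two failures; consider raising an error here if that distinction matters to callers.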