This is a clone of issue RHEL-15990 to use for version rhel-9.2.0.z
–
Original description:
From 56Arev3 the owner needs to gain assurance of the public key validity as mentioned in :

5.6.2.1 Assurances Required by the Key Pair Owner

Prior to the use of a static or ephemeral key pair in a key-establishment transaction, the keypair owner shall confirm the validity of the key pair by obtaining the following assurances:

...

Assurance of public-key validity – assurance that the public key has the correct
representation for a non-identity element of the correct cryptographic subgroup, as uniquely determined by the domain parameters (see Section 5.6.2.1.3 for the methods for obtaining this assurance).

This was further refined in a recent RFG by the CMVP stating that the ECDH key generation service shall include a call to the public key validation.

This is compliant for DH but not for ECDH where ec_generate_key() does not call ossl_ec_key_public_check().

A possible solution would be to add something like this similar to what was already done for DH in crypto/dh/dh_key.c:

#ifdef FIPS_MODULE
    if (DH_check_pub_key(dh, pub_key, &validate) <= 0) {
        ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID);
        goto err;
    }
#endif

Something like this in ec_generate_key() :

#ifdef FIPS_MODULE
    if (ossl_ec_key_public_check(eckey, ctx) <= 0) {
        ERR_raise(ERR_LIB_EC, EC_R_INVALID_KEY);
        goto err;
    }
#endif