ROX-33133: Remove hardcoded key-exchange in gRPC

vladbologa · vladbologa · commit 7544bead7562 · 2026-02-27T11:33:59.000+01:00
diff --git a/builder/install/40-grpc.sh b/builder/install/40-grpc.sh
@@ -7,6 +7,12 @@ export CXXFLAGS="-Wno-error=class-memaccess -Wno-ignored-qualifiers -Wno-stringo
 cd third_party/grpc
 
 cp NOTICE.txt "${LICENSE_DIR}/grpc-${GRPC_REVISION}"
+
+# ROX-33133: Remove hardcoded P-256 curve from gRPC (OpenSSL 3.x only) to allow
+# OpenSSL to use system crypto-policies defaults, enabling post-quantum key
+# exchange (ML-KEM). See: https://github.com/grpc/grpc/issues/23083
+patch -p1 < ../../builder/install/grpc-pq-curves.patch
+
 mkdir -p cmake/build
 cd cmake/build
 cmake \
diff --git a/builder/install/grpc-pq-curves.patch b/builder/install/grpc-pq-curves.patch
@@ -0,0 +1,20 @@
+Remove hardcoded P-256 curve for OpenSSL 3.x to allow system crypto-policies
+defaults, enabling post-quantum key exchange (X25519MLKEM768).
+
+See: https://github.com/grpc/grpc/issues/23083
+
+--- a/src/core/tsi/ssl_transport_security.cc
++++ b/src/core/tsi/ssl_transport_security.cc
+@@ -819,12 +819,7 @@ static tsi_result populate_ssl_context(
+     }
+     SSL_CTX_set_options(context, SSL_OP_SINGLE_ECDH_USE);
+     EC_KEY_free(ecdh);
+-#else
+-    if (!SSL_CTX_set1_groups(context, kSslEcCurveNames, 1)) {
+-      LOG(ERROR) << "Could not set ephemeral ECDH key.";
+-      return TSI_INTERNAL_ERROR;
+-    }
+-    SSL_CTX_set_options(context, SSL_OP_SINGLE_ECDH_USE);
+ #endif
+   }
+   return TSI_OK;
