ROX-33133: Remove hardcoded key-exchange in gRPC

Author: vladbologa

builder/install/40-grpc.sh

@@ -7,6 +7,12 @@ export CXXFLAGS="-Wno-error=class-memaccess -Wno-ignored-qualifiers -Wno-stringo
 cd third_party/grpc
 
 cp NOTICE.txt "${LICENSE_DIR}/grpc-${GRPC_REVISION}"
+
+# ROX-33133: Remove hardcoded P-256 curve from gRPC (OpenSSL 3.x only) to allow
+# OpenSSL to use system crypto-policies defaults, enabling post-quantum key
+# exchange (ML-KEM). See: https://github.com/grpc/grpc/issues/23083
+patch -p1 < ../../builder/install/grpc-pq-curves.patch
+
 mkdir -p cmake/build
 cd cmake/build
 cmake \

builder/install/grpc-pq-curves.patch

@@ -0,0 +1,15 @@
+--- a/src/core/tsi/ssl_transport_security.cc
++++ b/src/core/tsi/ssl_transport_security.cc
+@@ -819,12 +819,7 @@ static tsi_result populate_ssl_context(
+     }
+     SSL_CTX_set_options(context, SSL_OP_SINGLE_ECDH_USE);
+     EC_KEY_free(ecdh);
+-#else
+-    if (!SSL_CTX_set1_groups(context, kSslEcCurveNames, 1)) {
+-      LOG(ERROR) << "Could not set ephemeral ECDH key.";
+-      return TSI_INTERNAL_ERROR;
+-    }
+-    SSL_CTX_set_options(context, SSL_OP_SINGLE_ECDH_USE);
+ #endif
+   }
+   return TSI_OK;