From e67c95ee1f06e544093747a43c0d8389b9697a39 Mon Sep 17 00:00:00 2001
From: Vlad Bologa
Date: Fri, 27 Feb 2026 10:51:13 +0100
Subject: [PATCH 1/2] ROX-33133: Remove hardcoded key-exchange in gRPC

---
 builder/install/40-grpc.sh | 6 ++++++
 builder/install/grpc-pq-curves.patch | 15 +++++++++++++++
 2 files changed, 21 insertions(+)
 create mode 100644 builder/install/grpc-pq-curves.patch

diff --git a/builder/install/40-grpc.sh b/builder/install/40-grpc.sh
index 5fafa37108..776055f1b6 100755
--- a/builder/install/40-grpc.sh
+++ b/builder/install/40-grpc.sh
@@ -7,6 +7,12 @@ export CXXFLAGS="-Wno-error=class-memaccess -Wno-ignored-qualifiers -Wno-stringo
 cd third_party/grpc
 cp NOTICE.txt "${LICENSE_DIR}/grpc-${GRPC_REVISION}"
+
+# ROX-33133: Remove hardcoded P-256 curve from gRPC (OpenSSL 3.x only) to allow
+# OpenSSL to use system crypto-policies defaults, enabling post-quantum key
+# exchange (ML-KEM). See: https://github.com/grpc/grpc/issues/23083
+patch -p1 < ../../builder/install/grpc-pq-curves.patch
+
 mkdir -p cmake/build
 cd cmake/build
 cmake \
diff --git a/builder/install/grpc-pq-curves.patch b/builder/install/grpc-pq-curves.patch
new file mode 100644
index 0000000000..dad5784699
--- /dev/null
+++ b/builder/install/grpc-pq-curves.patch
@@ -0,0 +1,15 @@
+--- a/src/core/tsi/ssl_transport_security.cc
++++ b/src/core/tsi/ssl_transport_security.cc
+@@ -819,12 +819,6 @@ static tsi_result populate_ssl_context(
+ }
+ SSL_CTX_set_options(context, SSL_OP_SINGLE_ECDH_USE);
+ EC_KEY_free(ecdh);
+-#else
+- if (!SSL_CTX_set1_groups(context, kSslEcCurveNames, 1)) {
+- LOG(ERROR) << "Could not set ephemeral ECDH key.";
+- return TSI_INTERNAL_ERROR;
+- }
+- SSL_CTX_set_options(context, SSL_OP_SINGLE_ECDH_USE);
+ #endif
+ }
+ return TSI_OK;
From 7514157486345ba3b73410bd88eb2a812e8cba59 Mon Sep 17 00:00:00 2001
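Review bot: `patch -p1 < ../../builder/install/grpc-pq-curves.patch` is not safe to run twice: on a third_party/grpc tree that already carries the change, patch detects a reversed patch and prompts `Assume -R? [n]`, and because the patch text is on stdin the answer is read from the patch itself instead of failing cleanly. Passing the file with `-i` and adding `--forward` makes an already-patched or stale checkout fail deterministically under `set -e` (the hunk is skipped and patch exits non-zero) rather than hanging or half-applying: `patch -p1 --forward -i ../../builder/install/grpc-pq-curves.patch`. The same applies to the rewritten line in the second commit, which only changes how the path is resolved. If patch fails part-way it leaves `.rej` files behind in the tree, so a `--dry-run` pass before the real apply keeps the checkout clean for the next attempt.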
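Review bot: The `#if` guard that selects the deleted `#else` arm sits above the inner hunk, so its condition is not visible here; if it is the usual OpenSSL version check in upstream gRPC, this arm is taken by every OpenSSL build that offers `SSL_CTX_set1_groups`, and the "OpenSSL 3.x only" wording in 40-grpc.sh overstates how narrowly the patch is scoped. Dropping `SSL_OP_SINGLE_ECDH_USE` from that arm loses nothing on the OpenSSL releases this targets, where the option is documented as having no effect, but `kSslEcCurveNames` likely has no remaining reference after this hunk and may produce an unused-variable warning depending on the compiler flags in use. Since patch(1) ignores text before the first `---` header, a leading line in this file such as `Generated against gRPC <GRPC_REVISION as set in the builder>; re-verify whenever GRPC_REVISION is bumped` would record the provenance the file currently lacks. Group selection now comes from the runtime OpenSSL configuration rather than a compile-time pin, so a CI check that the built binary negotiates the intended group with a test peer, and still interoperates with a peer that only offers P-256, is what turns the comment's intent into a verifiable property.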
From: Vlad Bologa
Date: Mon, 2 Mar 2026 15:30:08 +0100
Subject: [PATCH 2/2] try fix konflux build

---
 builder/install/40-grpc.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/builder/install/40-grpc.sh b/builder/install/40-grpc.sh
index 776055f1b6..7306e9ebf1 100755
--- a/builder/install/40-grpc.sh
+++ b/builder/install/40-grpc.sh
@@ -2,6 +2,8 @@
 set -e
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
 export CXXFLAGS="-Wno-error=class-memaccess -Wno-ignored-qualifiers -Wno-stringop-truncation -Wno-cast-function-type -Wno-attributes"
 cd third_party/grpc
@@ -11,7 +13,7 @@ cp NOTICE.txt "${LICENSE_DIR}/grpc-${GRPC_REVISION}"
 # ROX-33133: Remove hardcoded P-256 curve from gRPC (OpenSSL 3.x only) to allow
 # OpenSSL to use system crypto-policies defaults, enabling post-quantum key
 # exchange (ML-KEM). See: https://github.com/grpc/grpc/issues/23083
-patch -p1 < ../../builder/install/grpc-pq-curves.patch
+patch -p1 < "${SCRIPT_DIR}/grpc-pq-curves.patch"
 mkdir -p cmake/build
 cd cmake/build
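Review bot: `${BASH_SOURCE[0]}` makes the script bash-only; the shebang on line 1 is outside the hunk, so whether the script is always executed by bash rather than `sh` cannot be confirmed here, and under a POSIX sh the array subscript is a bad-substitution error before `set -e` ever matters. A comment such as `# Absolute directory of this script, captured before the cd into third_party/grpc below` would document why the value is computed this early and why it must not be a relative path. The enclosing script continues outside the hunk.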