From 9a7c320d2c83c8b1062591754fdf42cbbf91d930 Mon Sep 17 00:00:00 2001
From: Dmitry Belyavskiy <dbelyavs@redhat.com>
Date: Thu, 2 Jan 2025 16:40:47 +0100
Subject: [PATCH] Print key exchange group for hybrid PQC

Resolves: RHEL-66163
---
 0141-print-pq-group.patch | 19 +++++++++++++++++++
 openssl.spec              |  4 ++++
 2 files changed, 23 insertions(+)
 create mode 100644 0141-print-pq-group.patch

diff --git a/0141-print-pq-group.patch b/0141-print-pq-group.patch
new file mode 100644
index 0000000..a6462fe
--- /dev/null
+++ b/0141-print-pq-group.patch
@@ -0,0 +1,19 @@
+diff --git a/apps/lib/s_cb.c b/apps/lib/s_cb.c
+index 3b3c0dd0b38f5..026315406e298 100644
+--- a/apps/lib/s_cb.c
++++ b/apps/lib/s_cb.c
+@@ -418,8 +418,13 @@ int ssl_print_tmp_key(BIO *out, SSL *s)
+ {
+     EVP_PKEY *key;
+ 
+-    if (!SSL_get_peer_tmp_key(s, &key))
++    if (!SSL_get_peer_tmp_key(s, &key)) {
++        if (SSL_version(s) == TLS1_3_VERSION)
++            BIO_printf(out, "Negotiated TLS1.3 group: %s\n",
++                       SSL_group_to_name(s, SSL_get_negotiated_group(s)));
+         return 1;
++    }
++
+     BIO_puts(out, "Server Temp Key: ");
+     switch (EVP_PKEY_get_id(key)) {
+     case EVP_PKEY_RSA:
diff --git a/openssl.spec b/openssl.spec
index b862b90..032baee 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -183,6 +183,8 @@ Patch138: 0138-Add-a-test-for-an-empty-NextProto-message.patch
 Patch139: 0139-CVE-2024-6119.patch
 # https://github.com/openssl/openssl/pull/26197
 Patch140: 0140-prov_no-cache.patch
+# https://github.com/openssl/openssl/pull/25959
+Patch141: 0141-print-pq-group.patch
 
 License: Apache-2.0
 URL: http://www.openssl.org/
@@ -534,6 +536,8 @@ touch $RPM_BUILD_ROOT/%{_prefix}/include/openssl/engine.h
   Resolves: RHEL-71903
 - Fix pkcs12 command line segfault
   Resolves: RHEL-70878
+- Print key exchange group for hybrid PQC
+  Resolves: RHEL-66163
 
 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 1:3.2.2-14
 - Bump release for October 2024 mass rebuild: