From a376c7bce3614e76fe1d8f0367b6a2dbb710d888 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lubo=C5=A1=20Uhliarik?=
Date: Fri, 12 Sep 2025 14:46:58 +0200
Subject: [PATCH] Resolves: RHEL-107994 - squid does not work with post-quantum crypto
---
squid-6.10-provider-keys-digest.patch | 36 +++++++++++++++++++++++++++
squid.spec | 7 +++++-
2 files changed, 42 insertions(+), 1 deletion(-)
create mode 100644 squid-6.10-provider-keys-digest.patch
diff --git a/squid-6.10-provider-keys-digest.patch b/squid-6.10-provider-keys-digest.patch
new file mode 100644
index 0000000..bd62ea1
--- /dev/null
+++ b/squid-6.10-provider-keys-digest.patch
@@ -0,0 +1,36 @@
+diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc
+index 09bad6d..59171b7 100644
+--- a/src/ssl/gadgets.cc
++++ b/src/ssl/gadgets.cc
+@@ -15,6 +15,19 @@
+ #include "security/Io.h"
+ #include "ssl/gadgets.h"
++/// whether the given key requires a digest when signing
++static bool
++keyNeedsDigest(const EVP_PKEY * const pkey) {
++ if (EVP_PKEY_is_a(pkey, "ML-DSA-44") ||
++ EVP_PKEY_is_a(pkey, "ML-DSA-65") ||
++ EVP_PKEY_is_a(pkey, "ML-DSA-87") ||
++ EVP_PKEY_is_a(pkey, "ED25519") ||
++ EVP_PKEY_is_a(pkey, "ED448"))
++ return false; // no digest needed
++
++ return true; // require a digest for all other types
++}
++
+ void
+ Ssl::ForgetErrors()
+ {
+@@ -677,9 +690,9 @@ static bool generateFakeSslCertificate(Security::CertPointer & certToStore, Secu
+ assert(hash);
+ /*Now sign the request */
+ if (properties.signAlgorithm != Ssl::algSignSelf && properties.signWithPkey.get())
+- ret = X509_sign(cert.get(), properties.signWithPkey.get(), hash);
++ ret = X509_sign(cert.get(), properties.signWithPkey.get(), keyNeedsDigest(properties.signWithPkey.get()) ? hash : nullptr);
+ else //else sign with self key (self signed request)
+- ret = X509_sign(cert.get(), pkey.get(), hash);
++ ret = X509_sign(cert.get(), pkey.get(), keyNeedsDigest(pkey.get()) ? hash : nullptr);
+
+ if (!ret)
+ return false;
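Review bot: keyNeedsDigest() in the first nested hunk decides by a fixed deny-list of key type names, so any other key type that OpenSSL treats as a pure, digest-less signature scheme (SLH-DSA where the provider offers it, or further ML-DSA variants) presumably still gets `hash` handed to X509_sign() and fails the same way this patch is fixing for ML-DSA. A positive query such as checking whether `EVP_PKEY_get_default_digest_name()` reports a digest for the key may be more robust, but its behaviour for the post-quantum key types should be verified against the OpenSSL release actually shipped before switching. EVP_PKEY_is_a() exists only in OpenSSL 3.0+, which is acceptable for a distribution-specific patch but deserves to be stated; I would replace the `/// whether the given key requires a digest when signing` line with `/// Whether X509_sign() must be given a digest for this key: ML-DSA and EdDSA are "pure" schemes for which OpenSSL rejects an explicit digest (OpenSSL 3.0+ API).` generateFakeSslCertificate, the caller changed in the second nested hunk, begins and ends outside that hunk.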
diff --git a/squid.spec b/squid.spec index a14eba0..de40a0f 100644 --- a/squid.spec +++ b/squid.spec @@ -2,7 +2,7 @@ Name: squid Version: 6.10 -Release: 6%{?dist} +Release: 7%{?dist} Summary: The Squid proxy caching server Epoch: 7 # See CREDITS for breakdown of non GPLv2+ code @@ -45,6 +45,8 @@ Patch207: squid-6.10-large-upload-buffer-dies.patch # Upstream commit: https://github.com/squid-cache/squid/commit/2e7dea3cedd3ef2f071dee82867c4147f17376dd # https://issues.redhat.com/browse/RHEL-86817 Patch208: squid-6.10-cache-peer-connect-errors.patch +# https://issues.redhat.com/browse/RHEL-107994 +Patch209: squid-6.10-provider-keys-digest.patch # cache_swap.sh Requires: bash gawk @@ -329,6 +331,9 @@ fi %changelog +* Fri Sep 12 2025 Luboš Uhliarik - 7:6.10-7 +- Resolves: RHEL-107994 - squid does not work with post-quantum crypto + * Thu Apr 10 2025 Luboš Uhliarik - 7:6.10-6 - Resolves: RHEL-86817 - ”TCP connection to XX.XX.XX.XX/XXXX failed” message is output frequently on RHEL10
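Review bot: The new Patch209 entry in the Patch-list hunk records only the RHEL issue link, whereas the neighbouring Patch208 entry also records the upstream squid commit it was taken from. If this change corresponds to or has been submitted as an upstream commit, add a matching `# Upstream commit: <upstream-commit-url placeholder>` line above `Patch209:`; if it is downstream-only, say so in the comment so the next rebase knows whether the patch can be dropped. The Release bump and changelog hunks need nothing.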