Add Trixie (Debian 13) OpenSSL 3.5.x FIPS support #82

Open
securely1g wants to merge 1 commit into sonic-net:main from securely1g:add-trixie-openssl-support
Conversation

@securely1g

Description

Add Trixie/Debian 13 support for FIPS OpenSSL builds.

Changes

  • Add Trixie-specific debian patch series (src/openssl.patch/debian.patch.trixie/)
  • Add TRIXIE.md documenting Trixie FIPS compatibility

Key Findings

OpenSSL 3.5.x reorganized test data files (split monolithic evppkey.txt, evpciph.txt, evpmac.txt into per-algorithm files). As a result:

  • Only 3 of 7 Bookworm FIPS patches are needed for Trixie:
    • 20-support-fips-test.patch
    • 70-disable-evp-iv-check.patch
    • Remove-the-provider-section.patch ✅ (already in Trixie upstream)
  • 4 patches dropped (30, 40, 50, 60) — target files reorganized, tests pass without them
  • Full test suite passes: 343 files, 4471 tests, zero failures
  • No nocheck workaround needed

Trixie Package Differences

  • libssl3 -> libssl3t64 (t64 transition)
  • FIPS provider in separate openssl-provider-fips package
  • 41 FIPS self-tests (vs 18 in Bookworm), including post-quantum (ML-DSA, ML-KEM, SLH-DSA)

Testing

  • Built OpenSSL 3.5.4-1~deb13u1+fips in debian:trixie Docker container
  • All tests pass with full test suite enabled
  • FIPS provider loads and passes all self-tests on SONiC master VS (KVM)
  • SymCrypt/SymCrypt-OpenSSL compatible without modification

Add Trixie-specific debian patch series for OpenSSL 3.5.x:
- Only 3 of 7 Bookworm patches needed (20, 70, Remove-the-provider-section)
- Patches 30, 40, 50, 60 not needed: OpenSSL 3.5 reorganized test data
  files and all 4471 tests pass without these patches
- No DEB_BUILD_OPTIONS=nocheck workaround needed

Key Trixie differences documented in TRIXIE.md:
- libssl3 -> libssl3t64 (t64 transition)
- Separate openssl-provider-fips package
- 41 FIPS self-tests including post-quantum (ML-DSA, ML-KEM, SLH-DSA)
- SymCrypt/SymCrypt-OpenSSL compatible without modification

Signed-off-by: securely1g <securely1g@users.noreply.github.com>
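The Testing section above says the FIPS provider loads and passes its self-tests; on Trixie that is worth checking at runtime, because the provider ships in a separate openssl-provider-fips package and libssl3t64 alone gives you no FIPS module. The following POSIX sh check is an added example, not code from this PR or from the sonic-net project: it parses `openssl list -providers` output (real format; the sample listings below are constructed) and reports whether a provider named "fips" is actually active.

```shell
#!/bin/sh
# Added example (not part of the PR): confirm that the OpenSSL FIPS provider is
# loaded and active in the running binary, not merely that the package exists.
# Reads `openssl list -providers` style output on stdin; returns 0 when a
# provider named "fips" reports "status: active", 1 otherwise.
fips_active_from_listing() {
    awk '
        # provider names sit at two-space indent and carry no colon
        /^  [^ ]/ && $0 !~ /:/ { current = $1; next }
        /^    status: active/ && current == "fips" { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample listings (not captured from the PR build):
LISTING_WITH_FIPS='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.5.4
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.5.4
    status: active'

LISTING_DEFAULT_ONLY='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.5.4
    status: active'

# Returns 0 when the listing text passed as $1 shows an active fips provider.
fips_active_in() {
    printf '%s\n' "$1" | fips_active_from_listing
}

# Live check against the host's openssl, if present. Exit 2 means openssl
# is missing; exit 1 means the binary runs without an active FIPS provider.
check_live_fips() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 2; }
    if openssl list -providers 2>/dev/null | fips_active_from_listing; then
        echo "fips provider active"
    else
        echo "fips provider NOT active (installed package alone is not enough)"
        return 1
    fi
}
```

Run `check_live_fips` inside the built debian:trixie container to confirm the provider the PR describes is the one the binary actually loaded.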
@mssonicbld

/azp run

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).
