DSSSL - DSMIL-Grade OpenSSL

Post-Quantum Cryptography | Hardware-Backed Security | Multi-Profile Architecture

Note: This is DSSSL, a hardened OpenSSL fork for DSMIL-grade security. For original OpenSSL documentation, see docs/openssl-original/

🎯 Overview

DSSSL is a hardened OpenSSL 3.x fork implementing DSMIL-grade security requirements with:

Post-Quantum Cryptography: ML-KEM (Kyber) and ML-DSA (Dilithium) integration
Hybrid Cryptography: Classical + PQC for defense-in-depth
Three Security Profiles: WORLD_COMPAT, DSMIL_SECURE, ATOMAL
Hardware-Backed Security: TPM 2.0 integration (88 algorithms)
Side-Channel Hardening: CSNA constant-time verification
Event Telemetry: Real-time security monitoring
DSLLVM Optimization: Built with hardened LLVM/Clang

⚡ Quick Start

# Clone and build
git clone https://github.com/SWORDIntel/DSSSL.git
cd DSSSL
./util/build-dsllvm-world.sh --clean

# Run tests
cd test/dsmil && ./run-all-tests.sh

# Check PQC support
cd examples && make && ./check-pqc

# Install as system OpenSSL (requires root)
sudo ./install-dsssl.sh

📚 Essential Documentation

Start Here:

docs/DOCUMENTATION_INDEX.md - Complete documentation guide
docs/core/OPENSSL_SECURE_SPEC.md - Full DSMIL specification
docs/core/IMPLEMENTATION_PLAN.md - 9-phase implementation roadmap

Implementation Phases:

✅ Phase 1-9: Complete (Build, Policy, Events, Config, Hybrid, CSNA, TPM, Testing, Deployment)
✅ Phase 3: TLS Full Integration - Complete (Hybrid KEM TLS 1.3 handshake)
🎉 Production Ready!

🔐 Security Profiles

Profile	Use Case	Crypto	TPM	Overhead
WORLD_COMPAT	Public internet	Classical + opportunistic PQC	Optional	1.0x
DSMIL_SECURE	Internal/allies	Hybrid mandatory (X25519+ML-KEM-768)	Recommended	1.2-1.5x
ATOMAL	Maximum security	Hybrid/PQC only (ML-KEM-1024)	Mandatory	1.5-2.0x

🚀 Key Features

Post-Quantum Cryptography

✅ ML-KEM-512/768/1024 (Kyber)
✅ ML-DSA-44/65/87 (Dilithium)
✅ Hybrid KEM (X25519+ML-KEM) - TLS 1.3 Integrated
✅ Hybrid Signatures (ECDSA+ML-DSA)
✅ TLS 1.3 Hybrid KEM Handshake - Full production support

Hardware Security

✅ TPM 2.0 (88 algorithms)
✅ Intel NPU/GNA acceleration
✅ Hardware-backed key storage
✅ AES-NI, AVX-512 support

Side-Channel Protection

✅ CSNA 2.0 annotations
✅ Constant-time operations
✅ Timing analysis testing
✅ Compiler verification

Testing

✅ 342+ automated tests
✅ Security score: 100%
✅ Performance benchmarking
✅ Fuzzing infrastructure
✅ CVE Detection & Mitigation - 2024-2025 high-impact CVEs
✅ Hybrid KEM TLS Testing - End-to-end handshake validation

🧪 Testing

cd test/dsmil

# Quick test (3-6 min)
./run-all-tests.sh

# Comprehensive (20-50 min)
./test-comprehensive.sh --all

# Security validation only
./test-security-validation.sh

# Performance benchmarks
./test-performance-benchmarks.sh

Test Coverage: 342+ tests across 7 suites, 100% security score achieved

📊 Performance

Benchmark Results (Intel Core Ultra 7 165H)

Operation	Throughput	Hardware
SHA-256	8,400 MB/s	SHA-NI
AES-256-GCM	3,800 MB/s	AES-NI
ECDSA P-256 sign	24,000 ops/s	-
ML-KEM-768 encap	~14,000 ops/s	-

Handshake Overhead

WORLD_COMPAT: 1.5 ms (baseline)
DSMIL_SECURE: 2.0 ms (+33%)
ATOMAL: 2.5 ms (+67%)

🔧 Build Options

# Portable build (x86-64-v3)
./util/build-dsllvm-world.sh --clean

# Optimized build (Meteor Lake)
./util/build-dsllvm-dsmil.sh --clean

# With testing
./util/build-dsllvm-world.sh --clean --test

# Manual configuration
./Configure dsllvm-world
make -j$(nproc)
make test

With oqs-provider (built by default, extended PQC coverage)

# Build and stage oqs-provider + liboqs (falls back to local staging if /opt is not writable)
./util/build-dsllvm-world.sh --clean --test
# To skip oqs-provider: --without-oqs-provider

# After build, point OpenSSL to the staged provider
export OPENSSL_MODULES=$(find oqs-provider -name ossl-modules -type d | head -n1)
export OPENSSL_CONF=$(pwd)/configs/oqs-provider.cnf

# Quick smoke
./apps/openssl list -kem-algorithms -provider oqsprovider -provider-path "$OPENSSL_MODULES"

Notes: oqs-provider is built by default for extended PQC coverage (interop/research). Submodule is pinned to oqs-provider v0.10.0; override the liboqs branch with --liboqs-branch. OpenSSL ≥3.2 is required for TLS PQ signatures; OpenSSL ≥3.5 disables ML-KEM/ML-DSA inside oqs-provider because those are native.

📖 Documentation

Core Docs

docs/DOCUMENTATION_INDEX.md - Master index
docs/core/OPENSSL_SECURE_SPEC.md - Complete specification
docs/core/IMPLEMENTATION_PLAN.md - 9-phase roadmap

Phase Guides

docs/PHASES_2-5_SUMMARY.md - Policy, Events, Hybrid
docs/PHASE8_COMPREHENSIVE_TESTING.md - Testing guide
docs/PHASE9_DEPLOYMENT_SUMMARY.md - Deployment guide

Technical Guides

docs/CSNA_SIDE_CHANNEL_HARDENING.md - Constant-time programming
docs/TPM_INTEGRATION.md - TPM2 hardware integration
docs/HYBRID_CRYPTO.md - Hybrid cryptography
docs/CVE_DETECTION_AND_MITIGATION.md - CVE detection & mitigation
docs/DEPLOYMENT_GUIDE.md - Production deployment

Quick Refs

README-TESTING.md - Quick testing reference
docs/core/INSTALLATION_GUIDE.md - System installation guide
examples/README.md - Example programs
docs/openssl-original/ - Original OpenSSL docs

🛠️ Configuration

Environment Variables

export DSMIL_PROFILE=DSMIL_SECURE
export THREATCON_LEVEL=HIGH
export DSMIL_EVENT_SOCKET=/run/crypto-events.sock

Configuration Files

# WORLD_COMPAT profile
openssl s_server -config configs/world.cnf

# DSMIL_SECURE profile
openssl s_server -config configs/dsmil-secure.cnf

# ATOMAL profile (requires TPM)
openssl s_server -config configs/atomal.cnf

🎓 Examples

Check PQC Support

cd examples && make
./check-pqc

Output:

Post-Quantum Algorithms:
  ✓ ML-KEM-512 (KEM)
  ✓ ML-KEM-768 (KEM)
  ✓ ML-KEM-1024 (KEM)
  ✓ ML-DSA-44 (Signature)
  ✓ ML-DSA-65 (Signature)
  ✓ ML-DSA-87 (Signature)

TLS Client with Profile

./dsmil-client cloudflare.com 443 DSMIL_SECURE

TPM Key Management

#include "providers/dsmil/tpm_integration.h"

// Seal private key to TPM
DSMIL_TPM_CTX tpm_ctx;
dsmil_tpm_init(&tpm_ctx, policy_ctx);
dsmil_tpm_seal_key(&tpm_ctx, key, 32, sealed_blob, &size);

// Later: unseal from TPM
dsmil_tpm_unseal_key(&tpm_ctx, sealed_blob, size, key, &key_size);

🔒 Security

Security Score: 100%

Based on 37 security validation tests:

✅ Policy enforcement (all profiles)
✅ Downgrade attack prevention
✅ Constant-time implementations
✅ TPM key protection
✅ Memory safety
✅ Build security flags
✅ Attack surface minimization

Reporting Issues

DO NOT file public issues for security vulnerabilities.

Contact: Contact me directly for reporting issues.

📈 Project Status

Phases Complete (9/9) 🎉

Phase	Status	Tests
1. Build System	✅	45+
2. Policy Provider	✅	38+
3. Event Telemetry	✅	70+
4. Configuration	✅	52+
5. Hybrid Crypto Docs	✅	N/A
6. CSNA Hardening	✅	45+
7. TPM Integration	✅	55+
8. Testing	✅	37+
9. Deployment	✅	N/A

🛠️ Requirements

Build Environment

Compiler: DSLLVM (https://github.com/SWORDIntel/DSLLVM) or Clang
OS: Linux (kernel 4.4+), x86_64
Tools: make, perl, standard build tools

Hardware (Optional)

TPM 2.0: Required for ATOMAL profile
Intel Meteor Lake: For NPU/GNA acceleration
AES-NI, AVX-512: For hardware acceleration

📊 Statistics

Code: ~12,000+ lines of implementation
Tests: 350+ automated tests (98%+ pass rate)
Documentation: 18 docs, ~250 pages
Algorithms: 88 TPM2-compatible
Security Score: 100%
TLS Features: TLS 1.3 Hybrid KEM fully integrated
CVE Coverage: 2024-2025 high-impact SSL/TLS vulnerabilities

🤝 Contributing

This is a controlled DoD project. Contributions require:

Security clearance
Signed contributor agreement
Internal review process

External contributions not currently accepted.

📄 License

License: Proprietary DoD License
Classification: UNCLASSIFIED // FOR OFFICIAL USE ONLY
Distribution: Authorized DoD personnel and contractors only

🙏 Acknowledgments

OpenSSL Project (Apache 2.0)
NIST PQC Program
DSLLVM Team
Intel Hardware Team
DoD Crypto Modernization Program

📞 Support

Documentation: docs/DOCUMENTATION_INDEX.md
Testing: docs/TESTING.md
DSLLVM Issues: https://github.com/SWORDIntel/DSLLVM/issues
Internal: Use DoD secure channels

🔒 Security Enhancements (2025)

TLS 1.3 Hybrid KEM Integration

✅ Full handshake support for hybrid groups (X25519+ML-KEM-768, P-256+ML-KEM-768)
✅ Client and server key exchange implementation
✅ HKDF-based secret combination
✅ Policy-based group negotiation
✅ Comprehensive test suite

CVE Detection & Mitigation

✅ Real-time attack pattern detection
✅ Automatic mitigation for known vulnerabilities
✅ Security event logging and telemetry
✅ Support for 2024-2025 high-impact CVEs:
- SSL/TLS injection attacks
- Handshake DoS attacks
- TLS 1.3 downgrade attacks
- Key share replay attacks
- Hybrid KEM manipulation

⚠️ Offensive Operations (Authorized Testing Only)

✅ Protocol manipulation (version downgrade, cipher suite manipulation)
✅ Key exchange attack simulation (replay, manipulation, hybrid bypass)
✅ Certificate attack testing (chain manipulation, signature testing)
✅ Timing analysis tools (side-channel testing)
✅ Resource exhaustion testing (DoS, memory exhaustion)
✅ Custom payload injection
✅ Authorization required - Security testing and red team exercises only
✅ Unauthorized use prohibited

Security Audit Improvements

✅ Memory safety fixes (strncpy, JSON injection)
✅ Constant-time annotations (CSNA 2.0)
✅ Policy enforcement enhancements
✅ Input validation improvements
✅ Build system hardening

Version: 1.1.0 (Phases 1-9 + TLS Hybrid KEM + CVE Detection - Production Ready)
Last Updated: 2025-01-15
Classification: UNCLASSIFIED // FOR OFFICIAL USE ONLY

For original OpenSSL documentation, see docs/openssl-original/

Uh oh!

FilesExpand file tree

README.md

Latest commit

History