This document describes the comprehensive test suite for DSMIL-grade OpenSSL.
The DSMIL OpenSSL test suite consists of:
- Build Verification Tests - Verify build system and configurations
- Policy Provider Tests - Unit tests for security policy enforcement
- Profile Integration Tests - Test security profile configurations
- Example Programs - Practical usage examples
- OpenSSL Core Tests - Standard OpenSSL test suite
# Run all DSMIL tests
cd test/dsmil
./run-all-tests.sh
# Or run individually
./test-build-verification.sh
./test-policy-provider.sh
./test-profiles.sh
File: test/dsmil/test-build-verification.sh
Purpose: Verify that the DSMIL build system is correctly configured.
What it tests:
- Build infrastructure files exist
- Security profile configurations exist
- Policy provider source code exists
- Compiler availability (dsclang or clang)
- Build configuration parsing
- Profile configuration validation
- PQC implementation exists
- Build scripts are executable
- Documentation completeness
Run:
./test/dsmil/test-build-verification.sh
Expected Output:
========================================
DSMIL Build Verification Tests
========================================
Test Suite 1: Build Infrastructure
✓ File exists: Configurations/10-dsllvm.conf
✓ File exists: util/build-dsllvm-world.sh
...
========================================
Test Summary
========================================
Passed: 45
Failed: 0
✓ All tests passed!
File: test/dsmil/test-policy-provider.sh
Purpose: Unit test the DSMIL policy provider implementation.
What it tests:
- Profile definitions (WORLD_COMPAT, DSMIL_SECURE, ATOMAL)
- THREATCON level definitions
- Policy decision types
- Policy function declarations
- KEM algorithm policy logic
- Signature algorithm policy logic
- Cipher suite policy logic
- Configuration parameters
- Provider initialization
Run:
./test/dsmil/test-policy-provider.sh
Expected Output:
========================================
DSMIL Policy Provider Tests
========================================
Test Suite 1: Profile Definitions
✓ WORLD_COMPAT profile defined
✓ DSMIL_SECURE profile defined
✓ ATOMAL profile defined
...
Test Suite 5: KEM Algorithm Policy Logic
✓ WORLD: Classical KEX allowed
✓ DSMIL: Classical KEX blocked
✓ ATOMAL: PQC KEX allowed
========================================
Test Summary
========================================
Passed: 38
Failed: 0
✓ All policy provider tests passed!
File: test/dsmil/test-profiles.sh
Purpose: Integration test the three security profiles.
What it tests:
- WORLD_COMPAT profile configuration
- TLS 1.3 support
- Classical crypto baseline
- Optional PQC
- Cipher suites
- DSMIL_SECURE profile configuration
- Hybrid KEX mandatory
- Event telemetry
- THREATCON integration
- ML-KEM-768 support
- ATOMAL profile configuration
- Maximum security settings
- ML-KEM-1024 + ML-DSA-87
- AES-256-GCM only
- Hardware RNG only
- Side-channel protections
- Profile security level comparison
- Configuration syntax validation
- Documentation completeness
Run:
./test/dsmil/test-profiles.sh
Expected Output:
========================================
DSMIL Security Profile Tests
========================================
Test Suite 1: WORLD_COMPAT Profile Configuration
✓ Profile name present
✓ TLS 1.3 minimum protocol
✓ AES-256-GCM cipher suite
...
Test Suite 2: DSMIL_SECURE Profile Configuration
✓ Hybrid KEX required
✓ ML-KEM-768 support
✓ Event telemetry configured
...
Test Suite 3: ATOMAL Profile Configuration
✓ ML-KEM-1024 support
✓ AES-256-GCM only
✓ Hardware RNG only
...
========================================
Test Summary
========================================
Passed: 52
Failed: 0
✓ All profile tests passed!
examples/
cd examples
make
# Or specify OpenSSL prefix
make OPENSSL_PREFIX=/opt/openssl-dsmil
Purpose: Check for PQC algorithm availability
Usage:
./check-pqc
Output:
========================================
DSMIL PQC Algorithm Checker
========================================
OpenSSL Version:
OpenSSL 3.x.x
Loaded Providers:
✓ default
✓ base
✓ pqc
✓ dsmil-policy
ML-KEM (Key Encapsulation):
✓ ML-KEM-512 (KEM)
✓ ML-KEM-768 (KEM)
✓ ML-KEM-1024 (KEM)
ML-DSA (Digital Signatures):
✓ ML-DSA-44 (Signature)
✓ ML-DSA-65 (Signature)
✓ ML-DSA-87 (Signature)
✓ PQC check complete
Purpose: TLS client demonstrating profile usage
Usage:
# With WORLD_COMPAT profile
export OPENSSL_CONF=configs/world.cnf
./dsmil-client google.com 443
# With DSMIL_SECURE profile
export OPENSSL_CONF=configs/dsmil-secure.cnf
export THREATCON_LEVEL=NORMAL
./dsmil-client internal-server.local 443
Output:
DSMIL TLS Client Example
Connecting to google.com:443
=== DSMIL Configuration ===
Profile: WORLD_COMPAT
THREATCON: NORMAL
Config: configs/world.cnf
Performing TLS handshake...
✓ TLS handshake successful
=== TLS Connection Info ===
Protocol: TLSv1.3
Cipher: TLS_AES_256_GCM_SHA384
⚠ Classical Key Exchange Only
Server: CN=google.com
✓ Connection closed successfully
# After building
make test
# Run specific tests
make test TESTS=test_tls13
# Verbose output
make VERBOSE=1 test
# ML-KEM tests
make test TESTS=test_evp_kem
# ML-DSA tests
make test TESTS=test_evp_sig
# TLS 1.3 tests
make test TESTS=test_tls13
# Provider tests
make test TESTS=test_provider
Create .github/workflows/dsmil-tests.yml:
name: DSMIL Tests
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y clang perl make
      - name: Create dsclang symlinks
        run: |
          sudo ln -s $(which clang) /usr/local/bin/dsclang
          sudo ln -s $(which clang++) /usr/local/bin/dsclang++
      - name: Run DSMIL tests
        run: |
          cd test/dsmil
          ./test-build-verification.sh
          ./test-policy-provider.sh
          ./test-profiles.sh
      - name: Build world variant
        run: |
          ./util/build-dsllvm-world.sh --clean --test

# Benchmark TLS handshake performance
./apps/openssl s_time -connect example.com:443 -new
# With different profiles
export OPENSSL_CONF=configs/world.cnf
./apps/openssl s_time -connect example.com:443 -new
export OPENSSL_CONF=configs/dsmil-secure.cnf
./apps/openssl s_time -connect example.com:443 -new
# Benchmark bulk encryption performance
./apps/openssl speed aes-256-gcm
./apps/openssl speed chacha20-poly1305
# PQC performance
./apps/openssl speed ml-kem-768
./apps/openssl speed ml-dsa-65
Side-channel testing requires specialized tools and will be added in Phase 6.
Planned tests:
- Timing variance analysis
- Constant-time verification
- Cache-timing analysis
# Build with fuzzing enabled
./Configure dsllvm-world enable-fuzz-libfuzzer --with-fuzzer-include=/path/to/fuzzer
# Run TLS fuzzer
cd fuzz
./run-fuzzer.sh tls
# Build with coverage
./Configure dsllvm-world --coverage
# Run tests
make test
# Generate coverage report
lcov --capture --directory . --output-file coverage.info
genhtml coverage.info --output-directory coverage-report

| Component | Coverage | Notes |
|---|---|---|
| ML-KEM implementation | 95% | Core OpenSSL tests |
| ML-DSA implementation | 95% | Core OpenSSL tests |
| Policy provider | 60% | Skeleton only (Phase 2) |
| Build system | 100% | Verification tests |
| Configurations | 100% | Profile tests |
Solution:
sudo ln -s $(which clang) /usr/local/bin/dsclang
sudo ln -s $(which clang++) /usr/local/bin/dsclang++
Check:
# Ensure all files exist
ls Configurations/10-dsllvm.conf
ls util/build-dsllvm-world.sh
ls configs/world.cnf
Reason: Policy provider is a skeleton (Phase 2 incomplete)
Expected: Some tests may be marked as warnings, not failures
Check OpenSSL installation:
# Verify OpenSSL is installed
ls /opt/openssl-dsmil/include/openssl/ssl.h
# Update Makefile
cd examples
make OPENSSL_PREFIX=/opt/openssl-dsmil
- Create test script in test/dsmil/
- Use standard format:
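#!/usr/bin/env bash
set -e
set -u
# Colour codes used by the log helpers (they must be defined because of set -u)
GREEN='\033[0;32m'
RED='\033[0;31m'
NC='\033[0m'
TESTS_PASSED=0
TESTS_FAILED=0
# Record a passing check. A plain assignment is used because ((VAR++))
# returns a non-zero status when VAR is 0, which aborts the script under set -e.
log_success() {
    echo -e "${GREEN}[PASS]${NC} $1"
    TESTS_PASSED=$((TESTS_PASSED + 1))
}
# Record a failing check
log_failure() {
    echo -e "${RED}[FAIL]${NC} $1"
    TESTS_FAILED=$((TESTS_FAILED + 1))
}
# Test suites
# ...
# Summary
echo "Passed: $TESTS_PASSED"
echo "Failed: $TESTS_FAILED"
# Exit 1 on any failure; exit statuses wrap modulo 256, so the raw count is not used
if [ "$TESTS_FAILED" -gt 0 ]; then
    exit 1
fi
- Make executable:
chmod +x test-new-feature.sh
- Add to run-all-tests.sh
- test-<component>-<feature>.sh for specific tests
- test-<component>.sh for component test suites
- Use descriptive names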
- Run all tests before committing
    cd test/dsmil && ./run-all-tests.sh
- Test with both builds
    # Test world build
    ./util/build-dsllvm-world.sh --test
    # Test DSMIL build
    ./util/build-dsllvm-dsmil.sh --test
- Test all profiles
    for profile in world dsmil-secure atomal; do
        export OPENSSL_CONF=configs/$profile.cnf
        # Run tests
    done
- Use THREATCON levels
    for level in NORMAL ELEVATED HIGH SEVERE; do
        export THREATCON_LEVEL=$level
        # Run tests
    done
- Check for memory leaks
    valgrind ./examples/check-pqc
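A runner for the profile and THREATCON loops above, as an added example that is not part of the DSMIL test suite: it executes one test command in every profile/level combination and counts a missing profile config as a failure instead of running the test without it. `run_matrix`, `m_fail`, the `MATRIX_*` variables and the `CONFIG_DIR` override are hypothetical names; the profiles, levels and environment variables are the ones this page uses.

```shell
#!/bin/sh
# Added example (not part of the DSMIL suite): run a test command once per
# profile x THREATCON level. run_matrix, m_fail, MATRIX_* and CONFIG_DIR are
# hypothetical names; profiles, levels and env variables come from this page.
set -u

PROFILES="world dsmil-secure atomal"
LEVELS="NORMAL ELEVATED HIGH SEVERE"
CONFIG_DIR="${CONFIG_DIR:-configs}"
MATRIX_PASSED=0
MATRIX_FAILED=0
MATRIX_FAILED_CELLS=""

m_fail() {
    echo "[FAIL] $1"
    MATRIX_FAILED=$((MATRIX_FAILED + 1))
    MATRIX_FAILED_CELLS="$MATRIX_FAILED_CELLS $1"
}

# Usage: run_matrix COMMAND [ARGS...]
# Returns 0 only if COMMAND succeeded in every profile/level cell.
run_matrix() {
    MATRIX_PASSED=0
    MATRIX_FAILED=0
    MATRIX_FAILED_CELLS=""
    for m_profile in $PROFILES; do
        m_conf="$CONFIG_DIR/$m_profile.cnf"
        for m_level in $LEVELS; do
            m_cell="$m_profile/$m_level"
            if [ ! -r "$m_conf" ]; then
                # Do not run the test: without the profile config the
                # result would say nothing about that profile.
                echo "missing profile config: $m_conf" >&2
                m_fail "$m_cell"
            elif (
                # Subshell: the exports cannot leak into the next cell.
                OPENSSL_CONF="$m_conf" THREATCON_LEVEL="$m_level"
                export OPENSSL_CONF THREATCON_LEVEL
                "$@"
            ); then
                echo "[PASS] $m_cell"
                MATRIX_PASSED=$((MATRIX_PASSED + 1))
            else
                m_fail "$m_cell"
            fi
        done
    done
    echo "Passed: $MATRIX_PASSED"
    echo "Failed: $MATRIX_FAILED"
    [ "$MATRIX_FAILED" -eq 0 ]
}

# Example: ./matrix.sh ./examples/check-pqc
if [ "$#" -gt 0 ]; then
    run_matrix "$@"
fi
```

After a run, `MATRIX_FAILED_CELLS` lists the failing `profile/level` pairs, so one failing combination can be re-run on its own.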
- Property query interception tests
- SNI/IP-based profile selection tests
- Algorithm filtering tests
- Event emission tests
- CBOR/JSON format validation
- Socket communication tests
- Hybrid KEX composition tests
- Hybrid signature tests
- TLS 1.3 hybrid negotiation tests
- Timing variance analysis
- Constant-time verification
- DSLLVM CSNA validation
- TPM key storage tests
- Key sealing/unsealing tests
- Hardware-backed TLS tests
- Wycheproof tests
- Interoperability tests
- Fuzzing campaigns
- Performance benchmarks
Last updated: 2025-11-25 DSMIL Security Team