npm - @elizaos/skills - Versions diffs - 2.0.0-alpha.21 → 2.0.0-alpha.210 - Mend

@elizaos/skills 2.0.0-alpha.21 → 2.0.0-alpha.210

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (373) hide show

package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/bn_excerpt.js DELETED Viewed

@@ -1,205 +0,0 @@
-/**
- * Excerpt from bn.js - BigNumber library
- * https://github.com/indutny/bn.js
- *
- * This excerpt demonstrates common timing vulnerability patterns
- * in JavaScript cryptographic libraries.
- */
-// Division operations - use hardware division which has variable timing
-BN.prototype.div = function div(num) {
-  return this.divmod(num, 'div', false).div;
-};
-BN.prototype.mod = function mod(num) {
-  return this.divmod(num, 'mod', false).mod;
-};
-BN.prototype.umod = function umod(num) {
-  return this.divmod(num, 'mod', true).mod;
-};
-// Comparison function - early-exit on sign differences leaks timing
-BN.prototype.cmp = function cmp(num) {
-  if (this.negative !== 0 && num.negative === 0) return -1;
-  if (this.negative === 0 && num.negative !== 0) return 1;
-  var res = this.ucmp(num);
-  if (this.negative !== 0) return -res | 0;
-  return res;
-};
-// Unsigned comparison - iterates until difference found (timing leak)
-BN.prototype.ucmp = function ucmp(num) {
-  if (this.length > num.length) return 1;
-  if (this.length < num.length) return -1;
-  var res = 0;
-  for (var i = this.length - 1; i >= 0; i--) {
-    var a = this.words[i] | 0;
-    var b = num.words[i] | 0;
-    if (a === b) continue;  // Early exit - timing leak!
-    if (a < b) {
-      res = -1;
-    } else if (a > b) {
-      res = 1;
-    }
-    break;
-  }
-  return res;
-};
-// Modular exponentiation - windowed method with data-dependent branches
-Red.prototype.pow = function pow(a, num) {
-  if (num.isZero()) return new BN(1).toRed(this);
-  if (num.cmpn(1) === 0) return a.clone();
-  var windowSize = 4;
-  var wnd = new Array(1 << windowSize);
-  wnd[0] = new BN(1).toRed(this);
-  wnd[1] = a;
-  for (var i = 2; i < wnd.length; i++) {
-    wnd[i] = this.mul(wnd[i - 1], a);
-  }
-  var res = wnd[0];
-  var current = 0;
-  var currentLen = 0;
-  var start = num.bitLength() % 26;
-  if (start === 0) {
-    start = 26;
-  }
-  for (i = num.length - 1; i >= 0; i--) {
-    var word = num.words[i];
-    for (var j = start - 1; j >= 0; j--) {
-      var bit = (word >> j) & 1;
-      if (res !== wnd[0]) {
-        res = this.sqr(res);
-      }
-      // Data-dependent branch on secret exponent bit!
-      if (bit === 0 && current === 0) {
-        currentLen = 0;
-        continue;
-      }
-      current <<= 1;
-      current |= bit;
-      currentLen++;
-      if (currentLen !== windowSize && (i !== 0 || j !== 0)) continue;
-      res = this.mul(res, wnd[current]);
-      currentLen = 0;
-      current = 0;
-    }
-    start = 26;
-  }
-  return res;
-};
-// Division with remainder - internally uses variable-time division
-BN.prototype.divmod = function divmod(num, mode, positive) {
-  if (num.isZero()) {
-    throw new Error('division by zero');
-  }
-  if (this.isZero()) {
-    return {
-      div: new BN(0),
-      mod: new BN(0)
-    };
-  }
-  var div, mod, res;
-  if (this.negative !== 0 && num.negative === 0) {
-    res = this.neg().divmod(num, mode);
-    if (mode !== 'mod') {
-      div = res.div.neg();
-    }
-    if (mode !== 'div') {
-      mod = res.mod.neg();
-      if (positive && mod.negative !== 0) {
-        mod.iadd(num);
-      }
-    }
-    return { div: div, mod: mod };
-  }
-  // Uses division internally
-  if (this.length > num.length || this.cmp(num) >= 0) {
-    // Variable-time long division algorithm
-    var shift = num.bitLength() - this.bitLength();
-    // ... implementation uses / and % operators
-  }
-  return { div: div, mod: mod };
-};
-// Montgomery reduction - uses modular operations
-Mont.prototype.mul = function mul(a, b) {
-  if (a.isZero() || b.isZero()) return new BN(0)._forceRed(this);
-  var t = a.mul(b);
-  // Uses mod operation internally
-  var c = t.maskn(this.shift).mul(this.minv).imaskn(this.shift).mul(this.m);
-  var u = t.isub(c).iushrn(this.shift);
-  var res = u;
-  if (u.cmp(this.m) >= 0) {
-    res = u.isub(this.m);
-  } else if (u.cmpn(0) < 0) {
-    res = u.iadd(this.m);
-  }
-  return res._forceRed(this);
-};
-// Modular inverse - uses extended Euclidean algorithm with data-dependent iterations
-BN.prototype.invm = function invm(num) {
-  return this.egcd(num).a.umod(num);
-};
-BN.prototype._invmp = function _invmp(p) {
-  var a = this;
-  var b = p.clone();
-  if (a.negative !== 0) {
-    a = a.umod(p);
-  } else {
-    a = a.clone();
-  }
-  var x1 = new BN(1);
-  var x2 = new BN(0);
-  // Iterations depend on input values - timing leak
-  while (a.cmpn(1) > 0 && b.cmpn(1) > 0) {
-    // ... iteration count reveals information about inputs
-  }
-  return res;
-};
-// Test function to prevent dead code elimination
-function runBnOperations() {
-  var a = new BN('deadbeef', 16);
-  var b = new BN('cafebabe', 16);
-  // These operations have timing leaks
-  var divResult = a.div(b);
-  var modResult = a.mod(b);
-  var cmpResult = a.cmp(b);
-  console.log('Division:', divResult.toString(16));
-  console.log('Modulo:', modResult.toString(16));
-  console.log('Comparison:', cmpResult);
-}
-// Stub for BN constructor
-function BN(number, base) {
-  this.words = [];
-  this.length = 0;
-  this.negative = 0;
-}
-function Red() {}
-function Mont() {}

package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/decompose_constant_time.c DELETED Viewed

@@ -1,181 +0,0 @@
-/**
- * Constant-time implementation of ML-DSA Decompose (Algorithm 36)
- *
- * This implementation avoids hardware division by using Barrett reduction
- * and branchless conditional selection, ensuring constant-time execution.
- *
- * Based on Trail of Bits' ML-DSA implementation.
- */
-#include <stdint.h>
-#include <stddef.h>
-// ML-DSA parameters
-#define Q 8380417
-#define GAMMA2_87 ((Q - 1) / 32)  // 261888 for ML-DSA-87
-#define GAMMA2_44 ((Q - 1) / 88)  // 95232 for ML-DSA-44/65
-// Barrett reduction constants for different gamma2 values
-// These allow division by 2*gamma2 without using DIV instruction
-// Computed as: ceil(2^32 / (2 * gamma2))
-#define BARRETT_MU_87 0x2081ULL      // For gamma2 = 261888 (ML-DSA-87): 2^32 / 523776
-#define BARRETT_MU_44 0x5A1DULL      // For gamma2 = 95232 (ML-DSA-44/65): 2^32 / 190464
-// Constant-time helper: returns 1 if x != 0, 0 otherwise
-static inline uint32_t ct_is_nonzero(uint32_t x) {
-    return (x | (uint32_t)(-(int32_t)x)) >> 31;
-}
-// Constant-time helper: returns 1 if x == 0, 0 otherwise
-static inline uint32_t ct_is_zero(uint32_t x) {
-    return 1 ^ ct_is_nonzero(x);
-}
-// Constant-time helper: returns 1 if x < y (unsigned), 0 otherwise
-static inline uint32_t ct_lt(uint32_t x, uint32_t y) {
-    return (x ^ ((x ^ y) | ((x - y) ^ y))) >> 31;
-}
-// Constant-time helper: returns 1 if x > y (unsigned), 0 otherwise
-static inline uint32_t ct_gt(uint32_t x, uint32_t y) {
-    return ct_lt(y, x);
-}
-// Constant-time helper: returns mask (0xFFFFFFFF if bit != 0, 0 otherwise)
-static inline uint32_t ct_mask(uint32_t bit) {
-    return (uint32_t)(-(int32_t)ct_is_nonzero(bit));
-}
-// Constant-time helper: select x if bit != 0, y otherwise
-static inline uint32_t ct_select(uint32_t x, uint32_t y, uint32_t bit) {
-    uint32_t m = ct_mask(bit);
-    return (x & m) | (y & ~m);
-}
-// Constant-time helper: select x if bit != 0, y otherwise (signed version)
-static inline int32_t ct_select_signed(int32_t x, int32_t y, uint32_t bit) {
-    return (int32_t)ct_select((uint32_t)x, (uint32_t)y, bit);
-}
-/**
- * Barrett reduction to compute r / (2 * gamma2) without DIV instruction
- *
- * For gamma2 = 261888 (ML-DSA-87):
- *   2 * gamma2 = 523776
- *   mu = ceil(2^32 / 523776) = 8192 + some correction
- *
- * q = (r * mu) >> 32
- */
-static inline uint32_t barrett_div(uint32_t r, uint64_t mu, uint32_t divisor) {
-    uint64_t q = ((uint64_t)r * mu) >> 32;
-    // Correction: if r - q*divisor >= divisor, add 1
-    uint32_t remainder = r - (uint32_t)q * divisor;
-    uint32_t correction = ct_gt(remainder, divisor - 1) | ct_is_zero(remainder - divisor + divisor);
-    return (uint32_t)q + (correction & ct_lt(remainder, r + 1));
-}
-/**
- * CONSTANT-TIME: Decompose using Barrett reduction
- *
- * Decomposes r into (r1, r0) such that r = r1 * (2 * gamma2) + r0
- * where -gamma2 < r0 <= gamma2.
- *
- * This implementation:
- * 1. Uses Barrett reduction instead of hardware division
- * 2. Uses branchless conditional selection instead of if statements
- */
-void decompose_constant_time(uint32_t r, uint32_t gamma2, uint32_t *r1, int32_t *r0) {
-    uint32_t two_gamma2 = 2 * gamma2;
-    // Barrett reduction: compute r1 = r / (2 * gamma2)
-    // Using precomputed constants - select the right one using constant-time selection
-    // This avoids any runtime division
-    uint64_t mu_87 = BARRETT_MU_87;
-    uint64_t mu_44 = BARRETT_MU_44;
-    // Constant-time selection of mu based on gamma2
-    // Note: We use bit operations to select without branching
-    uint32_t is_87 = ct_is_zero(gamma2 - GAMMA2_87);
-    uint64_t mu = (mu_87 & (uint64_t)ct_mask(is_87)) |
-                  (mu_44 & (uint64_t)ct_mask(ct_is_zero(is_87)));
-    // Compute quotient using multiplication and shift (no DIV)
-    uint64_t q64 = ((uint64_t)r * mu) >> 32;
-    uint32_t q = (uint32_t)q64;
-    // Compute remainder: r0 = r - q * (2 * gamma2)
-    int32_t r0_temp = (int32_t)(r - q * two_gamma2);
-    // Correction: handle case where Barrett underestimates
-    // If r0_temp >= 2*gamma2, increment q and adjust r0
-    uint32_t needs_correction = ct_gt((uint32_t)r0_temp, two_gamma2 - 1);
-    q += needs_correction;
-    r0_temp = ct_select_signed(r0_temp - (int32_t)two_gamma2, r0_temp, needs_correction);
-    // Center r0 around 0: if r0 > gamma2, subtract 2*gamma2 and increment r1
-    // This is done branchlessly using constant-time selection
-    uint32_t needs_centering = ct_gt((uint32_t)r0_temp, gamma2);
-    *r0 = ct_select_signed(r0_temp - (int32_t)two_gamma2, r0_temp, needs_centering);
-    *r1 = q + needs_centering;
-}
-/**
- * CONSTANT-TIME: UseHint using branchless selection
- *
- * All conditional logic is replaced with constant-time bit operations.
- */
-uint32_t use_hint_constant_time(uint32_t r, uint32_t hint, uint32_t gamma2) {
-    uint32_t r1;
-    int32_t r0;
-    // Decompose (constant-time)
-    decompose_constant_time(r, gamma2, &r1, &r0);
-    // m = (Q - 1) / (2 * gamma2)
-    // Precomputed values to avoid runtime division
-    // For gamma2 = 261888: m = 8380416 / 523776 = 16 - 1 = 15
-    // For gamma2 = 95232: m = 8380416 / 190464 = 44 - 1 = 43
-    uint32_t m_87 = 15;
-    uint32_t m_44 = 43;
-    uint32_t is_87_hint = ct_is_zero(gamma2 - GAMMA2_87);
-    uint32_t m = ct_select(m_87, m_44, is_87_hint);
-    // If hint == 0, return r1
-    // If hint != 0:
-    //   If r0 > 0, return (r1 + 1) mod (m + 1)
-    //   Else return (r1 - 1 + (m + 1)) mod (m + 1)
-    // Compute both branches
-    uint32_t m_plus_1 = m + 1;
-    // r1_inc = (r1 + 1) mod (m + 1)
-    // Since r1 < m+1, we just need to check if r1 + 1 == m + 1
-    uint32_t r1_plus_1 = r1 + 1;
-    uint32_t r1_inc = ct_select(0, r1_plus_1, ct_is_zero(r1_plus_1 - m_plus_1));
-    // r1_dec = (r1 - 1 + (m + 1)) mod (m + 1) = (r1 + m) mod (m + 1)
-    uint32_t r1_plus_m = r1 + m;
-    uint32_t r1_dec = ct_select(r1_plus_m - m_plus_1, r1_plus_m,
-                                 ct_gt(r1_plus_m, m_plus_1 - 1));
-    // Select based on r0 > 0 (constant-time)
-    // r0 > 0 is equivalent to r0 being positive and non-zero
-    uint32_t r0_positive = ct_gt((uint32_t)((r0 >> 31) ^ r0), 0) & ct_is_zero((uint32_t)(r0 >> 31));
-    uint32_t adjusted = ct_select(r1_inc, r1_dec, r0_positive);
-    // Final selection based on hint
-    return ct_select(adjusted, r1, ct_is_zero(hint));
-}
-// Test functions to ensure code is not dead-code eliminated
-uint32_t test_decompose_ct(uint32_t r) {
-    uint32_t r1;
-    int32_t r0;
-    decompose_constant_time(r, GAMMA2_87, &r1, &r0);
-    return r1 + (uint32_t)r0;
-}
-uint32_t test_use_hint_ct(uint32_t r, uint32_t hint) {
-    return use_hint_constant_time(r, hint, GAMMA2_87);
-}

package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/decompose_vulnerable.c DELETED Viewed

@@ -1,74 +0,0 @@
-/**
- * Vulnerable implementation of ML-DSA Decompose (Algorithm 36)
- *
- * This implementation uses hardware division which has data-dependent timing,
- * making it vulnerable to timing side-channel attacks like KyberSlash.
- *
- * DO NOT use this in production - for testing purposes only.
- */
-#include <stdint.h>
-// ML-DSA parameters
-#define Q 8380417
-#define GAMMA2_87 ((Q - 1) / 32)  // 261888 for ML-DSA-87
-#define GAMMA2_44 ((Q - 1) / 88)  // 95232 for ML-DSA-44/65
-/**
- * VULNERABLE: Decompose using hardware division
- *
- * Decomposes r into (r1, r0) such that r = r1 * (2 * gamma2) + r0
- * where -gamma2 < r0 <= gamma2.
- *
- * This uses the / and % operators which compile to DIV/IDIV instructions
- * on x86, which have data-dependent timing.
- */
-void decompose_vulnerable(int32_t r, int32_t gamma2, int32_t *r1, int32_t *r0) {
-    int32_t two_gamma2 = 2 * gamma2;
-    // VULNERABLE: Hardware division with data-dependent timing
-    *r1 = r / two_gamma2;
-    *r0 = r % two_gamma2;
-    // Center r0 around 0
-    if (*r0 > gamma2) {
-        *r0 -= two_gamma2;
-        *r1 += 1;
-    }
-}
-/**
- * VULNERABLE: UseHint using branches on potentially secret data
- *
- * The hint values may be derived from secret data in some contexts,
- * making these branches potentially exploitable.
- */
-int32_t use_hint_vulnerable(int32_t r, int32_t hint, int32_t gamma2) {
-    int32_t r1, r0;
-    // This decompose call is also vulnerable
-    decompose_vulnerable(r, gamma2, &r1, &r0);
-    // VULNERABLE: Branch on hint which may depend on secret data
-    if (hint == 0) {
-        return r1;
-    }
-    // VULNERABLE: Branch on r0's sign
-    if (r0 > 0) {
-        return (r1 + 1) % ((Q - 1) / (2 * gamma2) + 1);
-    } else {
-        return (r1 - 1 + ((Q - 1) / (2 * gamma2) + 1)) % ((Q - 1) / (2 * gamma2) + 1);
-    }
-}
-// Test functions to ensure code is not dead-code eliminated
-int32_t test_decompose(int32_t r) {
-    int32_t r1, r0;
-    decompose_vulnerable(r, GAMMA2_87, &r1, &r0);
-    return r1 + r0;
-}
-int32_t test_use_hint(int32_t r, int32_t hint) {
-    return use_hint_vulnerable(r, hint, GAMMA2_87);
-}

package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/decompose_vulnerable.go DELETED Viewed

@@ -1,78 +0,0 @@
-// Package decompose contains vulnerable implementations of ML-DSA decompose
-// for testing the constant-time analyzer.
-//
-// DO NOT use this in production - for testing purposes only.
-package main
-// ML-DSA parameters
-const (
-	Q       = 8380417
-	Gamma87 = (Q - 1) / 32  // 261888 for ML-DSA-87
-	Gamma44 = (Q - 1) / 88  // 95232 for ML-DSA-44/65
-)
-// DecomposeVulnerable uses hardware division which has data-dependent timing.
-// This is vulnerable to timing side-channel attacks like KyberSlash.
-//
-// VULNERABLE: Uses / and % operators which compile to DIV instructions
-// that have variable execution time based on operand values.
-func DecomposeVulnerable(r int32, gamma2 int32) (r1 int32, r0 int32) {
-	twoGamma2 := 2 * gamma2
-	// VULNERABLE: Hardware division with data-dependent timing
-	r1 = r / twoGamma2
-	r0 = r % twoGamma2
-	// Center r0 around 0
-	// VULNERABLE: Branch on r0 which may depend on secret data
-	if r0 > gamma2 {
-		r0 -= twoGamma2
-		r1 += 1
-	}
-	return r1, r0
-}
-// UseHintVulnerable uses branches on potentially secret-derived data.
-//
-// VULNERABLE: Contains conditional branches that may leak timing information
-// when the hint or r values are derived from secret data.
-func UseHintVulnerable(r int32, hint int32, gamma2 int32) int32 {
-	r1, r0 := DecomposeVulnerable(r, gamma2)
-	m := (Q - 1) / (2 * gamma2)
-	// VULNERABLE: Branch on hint which may depend on secret data
-	if hint == 0 {
-		return r1
-	}
-	// VULNERABLE: Branch on r0's sign
-	if r0 > 0 {
-		return (r1 + 1) % (m + 1)
-	}
-	return (r1 - 1 + m + 1) % (m + 1)
-}
-// PowerDecomposeVulnerable demonstrates another vulnerable pattern:
-// using division for power-of-2 decomposition instead of bit shifts.
-func PowerDecomposeVulnerable(r int32, d int32) (r1 int32, r0 int32) {
-	// VULNERABLE: Should use bit shifts instead of division
-	// This compiles to IDIV even though it could be a simple shift
-	divisor := int32(1) << d
-	r1 = r / divisor
-	r0 = r % divisor
-	return r1, r0
-}
-func main() {
-	// Test calls to prevent dead code elimination
-	r1, r0 := DecomposeVulnerable(12345, Gamma87)
-	_ = r1 + r0
-	result := UseHintVulnerable(12345, 1, Gamma87)
-	_ = result
-	r1p, r0p := PowerDecomposeVulnerable(12345, 13)
-	_ = r1p + r0p
-}

package/skills/security-constant-time-analysis/ct_analyzer/tests/test_samples/decompose_vulnerable.rs DELETED Viewed

@@ -1,92 +0,0 @@
-//! Vulnerable implementations of ML-DSA decompose for testing the constant-time analyzer.
-//!
-//! DO NOT use this in production - for testing purposes only.
-/// ML-DSA modulus
-const Q: i32 = 8380417;
-/// Gamma2 for ML-DSA-87
-const GAMMA2_87: i32 = (Q - 1) / 32; // 261888
-/// Gamma2 for ML-DSA-44/65
-const GAMMA2_44: i32 = (Q - 1) / 88; // 95232
-/// VULNERABLE: Decompose using hardware division
-///
-/// This implementation uses the / and % operators which compile to IDIV
-/// instructions on x86, which have data-dependent timing.
-///
-/// This makes it vulnerable to timing side-channel attacks like KyberSlash.
-#[inline(never)]
-pub fn decompose_vulnerable(r: i32, gamma2: i32) -> (i32, i32) {
-    let two_gamma2 = 2 * gamma2;
-    // VULNERABLE: Hardware division with data-dependent timing
-    let mut r1 = r / two_gamma2;
-    let mut r0 = r % two_gamma2;
-    // Center r0 around 0
-    // VULNERABLE: Branch on r0 which may depend on secret data
-    if r0 > gamma2 {
-        r0 -= two_gamma2;
-        r1 += 1;
-    }
-    (r1, r0)
-}
-/// VULNERABLE: UseHint using branches on potentially secret-derived data
-///
-/// The hint values may be derived from secret data in some contexts,
-/// making these branches potentially exploitable.
-#[inline(never)]
-pub fn use_hint_vulnerable(r: i32, hint: i32, gamma2: i32) -> i32 {
-    let (r1, r0) = decompose_vulnerable(r, gamma2);
-    let m = (Q - 1) / (2 * gamma2);
-    // VULNERABLE: Branch on hint which may depend on secret data
-    if hint == 0 {
-        return r1;
-    }
-    // VULNERABLE: Branch on r0's sign
-    if r0 > 0 {
-        (r1 + 1) % (m + 1)
-    } else {
-        (r1 - 1 + m + 1) % (m + 1)
-    }
-}
-/// VULNERABLE: Floating-point division
-///
-/// Uses floating-point division which has variable latency on most processors.
-#[inline(never)]
-pub fn fp_divide_vulnerable(a: f64, b: f64) -> f64 {
-    // VULNERABLE: FDIV/DIVSD has variable latency
-    a / b
-}
-/// VULNERABLE: Square root
-///
-/// Uses floating-point square root which has variable latency.
-#[inline(never)]
-pub fn fp_sqrt_vulnerable(x: f64) -> f64 {
-    // VULNERABLE: FSQRT/SQRTSD has variable latency
-    x.sqrt()
-}
-fn main() {
-    // Test calls to prevent dead code elimination
-    let (r1, r0) = decompose_vulnerable(12345, GAMMA2_87);
-    println!("Decompose: r1={}, r0={}", r1, r0);
-    let result = use_hint_vulnerable(12345, 1, GAMMA2_87);
-    println!("UseHint: {}", result);
-    let div_result = fp_divide_vulnerable(100.0, 3.0);
-    println!("FP Divide: {}", div_result);
-    let sqrt_result = fp_sqrt_vulnerable(2.0);
-    println!("FP Sqrt: {}", sqrt_result);
-}