Use hash size as KSF output size, expose KSF parameters & salt in configuration

[DJAndries]

A couple of changes to achieve interoperability with facebook/opaque-ke:

• Use the configured hash size as the KSF output size (it seems that the Rust library does this, not sure if it's mentioned in the draft)
• Allow configuration of KSF cost parameters & salt value

[bytemare]

Suggested change

	OPRF: opaque.RistrettoSha512,
	KDF: crypto.SHA512,
	MAC: crypto.SHA512,
	Hash: crypto.SHA512,
	KSF: opaque.KSFConfiguration{
	Identifier: ksf.Argon2id,
	},
	OPRF: opaque.RistrettoSha512,
	KDF: crypto.SHA512,
	MAC: crypto.SHA512,
	Hash: crypto.SHA512,
	KSF: opaque.KSFConfiguration{
	Identifier: ksf.Argon2id,
	},

[bytemare]

Suggested change

	type KSFConfiguration struct {
	Identifier ksf.Identifier `json:"identifier"`
	Parameters []int `json:"parameters"`
	Salt []byte `json:"salt"`
	}
	type KSFConfiguration struct {
	Parameters []int `json:"parameters"`
	Salt []byte `json:"salt"`
	Identifier ksf.Identifier `json:"identifier"`
	}

aligns better in memory

[bytemare]

Suggested change

Context []byte

[bytemare]

Suggested change

	KDF crypto.Hash `json:"kdf"`
	MAC crypto.Hash `json:"mac"`
	Hash crypto.Hash `json:"hash"`
	OPRF Group `json:"oprf"`
	KSF KSFConfiguration `json:"ksf"`
	AKE Group `json:"group"`
	KSF KSFConfiguration `json:"ksf"`
	Context []byte
	KDF crypto.Hash `json:"kdf"`
	MAC crypto.Hash `json:"mac"`
	Hash crypto.Hash `json:"hash"`
	OPRF Group `json:"oprf"`
	KSF KSFConfiguration `json:"ksf"`
	AKE Group `json:"group"`

memory alignement

[bytemare]

Suggested change

	}
	}

[bytemare]

Suggested change

	if len(encoded) < confIdsLength+2 { // corresponds to the configuration length + 2-byte encoding of empty context
	if len(encoded) < confIdsLength+6 { // corresponds to the configuration length + 3*2-byte encoding of empty context and KSF parameters

[bytemare]

Suggested change

	ctx, _, err := encoding.DecodeVector(encoded[confIdsLength:])
	ctx, offset, err := encoding.DecodeVector(encoded[confIdsLength:])

use the returned offset

[bytemare]

Suggested change

	var ksfParams []int
	ksfParamOffset := confIdsLength + 2 + len(ctx)
	if len(encoded) >= ksfParamOffset+2 {
	ksfEncodedParams, _, err := encoding.DecodeVector(encoded[ksfParamOffset:])
	if err != nil {
	return nil, fmt.Errorf("decoding the ksf configuration parameters: %w", err)
	}
	for i := 0; i < len(ksfEncodedParams); i += 4 {
	ksfParams = append(ksfParams, encoding.OS2IP(ksfEncodedParams[i:i+4]))
	}
	}
	var ksfSalt []byte
	ksfSaltOffset := ksfParamOffset + 2 + (len(ksfParams) * 4)
	if len(encoded) >= ksfSaltOffset+2 {
	ksfSalt, _, err = encoding.DecodeVector(encoded[ksfSaltOffset:])
	if err != nil {
	return nil, fmt.Errorf("decoding the ksf salt: %w", err)
	}
	if len(ksfSalt) == 0 {
	ksfSalt = nil
	}
	}
	offset += confIdsLength
	ksfEncodedParams, offsetKSF, err := encoding.DecodeVector(encoded[offset:])
	if err != nil {
	return nil, fmt.Errorf("decoding the ksf configuration parameters: %w", err)
	}
	offset += offsetKSF
	var ksfParams []int
	for i := 0; i < len(ksfEncodedParams); i += 4 {
	ksfParams = append(ksfParams, encoding.OS2IP(ksfEncodedParams[i:i+4]))
	}
	ksfSalt, _, err := encoding.DecodeVector(encoded[offset:])
	if err != nil {
	return nil, fmt.Errorf("decoding the ksf salt: %w", err)
	}
	if len(ksfSalt) == 0 {
	ksfSalt = nil
	}

we can use the offset argument returned by DecodeVector

[bytemare]

I believe we should keep this error detection test.

[bytemare]

Hi @DJAndries ! Thank you for this PR, this is an excellent contribution :)
I'm sorry the delay, I haven't had time to get to this earlier.

I left some comments for some minor code changes.
I also believe we should keep the TestDeserializeConfiguration_InvalidContextHeader test function, but it would need some adaptation.

[bytemare]

Have you noticed other differences in Kevin's implementation that would be interesting to add here?