RubyGems - tttls1.3 - Versions diffs - 0.2.1 → 0.2.2 - Mend

tttls1.3 0.2.1 → 0.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (35) hide show

checksums.yaml +4 -4
data/README.md +1 -0
data/Rakefile +3 -3
data/example/https_client_using_hrr_and_ticket.rb +40 -0
data/interop/client_spec.rb +15 -0
data/interop/server_spec.rb +8 -0
data/lib/tttls1.3/client.rb +265 -272
data/lib/tttls1.3/connection.rb +85 -62
data/lib/tttls1.3/message/certificate.rb +1 -1
data/lib/tttls1.3/message/client_hello.rb +26 -1
data/lib/tttls1.3/message/encrypted_extensions.rb +1 -1
data/lib/tttls1.3/message/new_session_ticket.rb +1 -1
data/lib/tttls1.3/message/server_hello.rb +21 -1
data/lib/tttls1.3/server.rb +179 -157
data/lib/tttls1.3/version.rb +1 -1
data/spec/certificate_spec.rb +4 -4
data/spec/client_hello_spec.rb +3 -0
data/spec/client_spec.rb +96 -157
data/spec/connection_spec.rb +32 -23
data/spec/encrypted_extensions_spec.rb +4 -4
data/spec/fixtures/rsa_ca.crt +16 -27
data/spec/fixtures/rsa_ca.key +25 -49
data/spec/fixtures/rsa_rsa.crt +16 -21
data/spec/fixtures/rsa_rsa.key +25 -25
data/spec/fixtures/rsa_rsassaPss.crt +20 -0
data/spec/fixtures/rsa_rsassaPss.key +27 -0
data/spec/fixtures/rsa_secp256r1.crt +12 -17
data/spec/fixtures/rsa_secp256r1.key +3 -3
data/spec/fixtures/rsa_secp384r1.crt +12 -17
data/spec/fixtures/rsa_secp384r1.key +4 -4
data/spec/fixtures/rsa_secp521r1.crt +13 -18
data/spec/fixtures/rsa_secp521r1.key +5 -5
data/spec/server_hello_spec.rb +60 -0
data/spec/server_spec.rb +79 -60
metadata +7 -2

data/lib/tttls1.3/client.rb CHANGED Viewed

@@ -3,6 +3,7 @@
 module TTTLS13
   using Refinements
   module ClientState
     # initial value is 0, eof value is -1
     START         = 1
@@ -62,11 +63,6 @@ module TTTLS13
   # rubocop: disable Metrics/ClassLength
   class Client < Connection
-    DOWNGRADE_PROTECTION_TLS_1_2 = "\x44\x4F\x57\x4E\x47\x52\x44\x01"
-    private_constant :DOWNGRADE_PROTECTION_TLS_1_2
-    DOWNGRADE_PROTECTION_TLS_1_1 = "\x44\x4F\x57\x4E\x47\x52\x44\x00"
-    private_constant :DOWNGRADE_PROTECTION_TLS_1_1
     # @param socket [Socket]
     # @param hostname [String]
     # @param settings [Hash]
@@ -79,20 +75,8 @@ module TTTLS13
       logger.level = @settings[:loglevel]
       @early_data = ''
-      @early_data_write_cipher = nil # Cryptograph::$Object
       @succeed_early_data = false
       raise Error::ConfigError unless valid_settings?
-      return unless use_psk?
-      digest = CipherSuite.digest(@settings[:psk_cipher_suite])
-      @psk = gen_psk_from_nst(@settings[:resumption_master_secret],
-                              @settings[:ticket_nonce], digest)
-      @key_schedule = KeySchedule.new(
-        psk: @psk,
-        shared_secret: nil,
-        cipher_suite: @settings[:psk_cipher_suite],
-        transcript: @transcript
-      )
     end
     # NOTE:
@@ -135,98 +119,160 @@ module TTTLS13
     # rubocop: disable Metrics/MethodLength
     # rubocop: disable Metrics/PerceivedComplexity
     def connect
+      transcript = Transcript.new
+      key_schedule = nil # TTTLS13::KeySchedule
+      psk = nil
+      priv_keys = {} # Hash of NamedGroup => OpenSSL::PKey::$Object
+      if use_psk?
+        psk = gen_psk_from_nst(
+          @settings[:resumption_master_secret],
+          @settings[:ticket_nonce],
+          CipherSuite.digest(@settings[:psk_cipher_suite])
+        )
+        key_schedule = KeySchedule.new(
+          psk: psk,
+          shared_secret: nil,
+          cipher_suite: @settings[:psk_cipher_suite],
+          transcript: transcript
+        )
+      end
+      hs_wcipher = nil # TTTLS13::Cryptograph::$Object
+      hs_rcipher = nil # TTTLS13::Cryptograph::$Object
+      e_wcipher = nil # TTTLS13::Cryptograph::$Object
       @state = ClientState::START
       loop do
         case @state
         when ClientState::START
           logger.debug('ClientState::START')
-          exs, @priv_keys = gen_ch_extensions
-          @transcript[CH] = send_client_hello(exs)
+          extensions, priv_keys = gen_ch_extensions
+          binder_key = (use_psk? ? key_schedule.binder_key_res : nil)
+          transcript[CH] = send_client_hello(extensions, binder_key)
           send_ccs # compatibility mode
           if use_early_data?
-            @early_data_write_cipher \
-            = gen_cipher(@settings[:psk_cipher_suite],
-                         @key_schedule.early_data_write_key,
-                         @key_schedule.early_data_write_iv)
-            send_early_data
+            e_wcipher = gen_cipher(
+              @settings[:psk_cipher_suite],
+              key_schedule.early_data_write_key,
+              key_schedule.early_data_write_iv
+            )
+            send_early_data(e_wcipher)
           end
           @state = ClientState::WAIT_SH
         when ClientState::WAIT_SH
           logger.debug('ClientState::WAIT_SH')
-          sh = @transcript[SH] = recv_server_hello
-          terminate(:illegal_parameter) unless sh.only_appearable_extensions?
+          sh = transcript[SH] = recv_server_hello
           # support only TLS 1.3
-          terminate(:protocol_version) unless negotiated_tls_1_3?
+          terminate(:protocol_version) unless sh.negotiated_tls_1_3?
           # validate parameters
-          terminate(:illegal_parameter) unless valid_sh_legacy_version?
-          terminate(:illegal_parameter) unless valid_sh_random?
-          terminate(:illegal_parameter) unless valid_sh_legacy_session_id_echo?
-          terminate(:illegal_parameter) unless valid_sh_cipher_suite?
+          terminate(:illegal_parameter) unless sh.appearable_extensions?
+          terminate(:illegal_parameter) if sh.downgraded?
           terminate(:illegal_parameter) \
-            if @transcript.include?(HRR) &&
-               neq_hrr_cipher_suite?(sh.cipher_suite)
-          terminate(:illegal_parameter) unless valid_sh_compression_method?
+            unless sh.legacy_compression_method == "\x00"
+          # validate sh using ch
+          ch = transcript[CH]
+          terminate(:illegal_parameter) \
+            unless sh.legacy_version == ch.legacy_version
+          terminate(:illegal_parameter) \
+            unless sh.legacy_session_id_echo == ch.legacy_session_id
+          terminate(:illegal_parameter) \
+            unless ch.cipher_suites.include?(sh.cipher_suite)
+          terminate(:unsupported_extension) \
+            unless (sh.extensions.keys - ch.extensions.keys).empty?
+          # validate sh using hrr
+          if transcript.include?(HRR)
+            hrr = transcript[HRR]
+            terminate(:illegal_parameter) \
+              unless sh.cipher_suite == hrr.cipher_suite
+            sh_sv = sh.extensions[Message::ExtensionType::SUPPORTED_VERSIONS]
+            hrr_sv = hrr.extensions[Message::ExtensionType::SUPPORTED_VERSIONS]
+            terminate(:illegal_parameter) \
+              unless sh_sv.versions == hrr_sv.versions
+          end
           # handling HRR
           if sh.hrr?
-            terminate(:unexpected_message) if received_2nd_hrr?
+            terminate(:unexpected_message) if transcript.include?(HRR)
+            ch1 = transcript[CH1] = transcript.delete(CH)
+            hrr = transcript[HRR] = transcript.delete(SH)
-            @transcript[CH1] = @transcript.delete(CH)
-            @transcript[HRR] = @transcript.delete(SH)
+            # validate cookie
+            diff_sets = sh.extensions.keys - ch1.extensions.keys
             terminate(:unsupported_extension) \
-              unless offered_ch_extensions?(sh.extensions, HRR)
-            terminate(:illegal_parameter) unless valid_hrr_key_share?
-            ch = send_new_client_hello(@transcript[CH1], @transcript[HRR])
-            @transcript[CH] = ch
+              unless (diff_sets - [Message::ExtensionType::COOKIE]).empty?
+            # validate key_share
+            # TODO: pre_shared_key
+            ngl = ch1.extensions[Message::ExtensionType::SUPPORTED_GROUPS]
+                     .named_group_list
+            kse = ch1.extensions[Message::ExtensionType::KEY_SHARE]
+                     .key_share_entry
+            group = hrr.extensions[Message::ExtensionType::KEY_SHARE]
+                       .key_share_entry.first.group
+            terminate(:illegal_parameter) \
+              unless ngl.include?(group) && !kse.map(&:group).include?(group)
+            # send new client_hello
+            extensions, pk = gen_newch_extensions(ch1, hrr)
+            priv_keys = pk.merge(priv_keys)
+            binder_key = (use_psk? ? key_schedule.binder_key_res : nil)
+            transcript[CH] = send_new_client_hello(ch1, hrr, extensions,
+                                                   binder_key)
             @state = ClientState::WAIT_SH
             next
           end
-          # validate extensions
-          terminate(:unsupported_extension) \
-            unless offered_ch_extensions?(sh.extensions)
-          versions \
-          = sh.extensions[Message::ExtensionType::SUPPORTED_VERSIONS].versions
-          terminate(:illegal_parameter) \
-            if @transcript.include?(HRR) &&
-               neq_hrr_supported_versions?(versions)
           # generate shared secret
-          @psk = nil unless sh.extensions
-                              .include?(Message::ExtensionType::PRE_SHARED_KEY)
-          terminate(:illegal_parameter) unless valid_sh_key_share?
+          psk = nil unless sh.extensions
+                             .include?(Message::ExtensionType::PRE_SHARED_KEY)
+          ch_ks = ch.extensions[Message::ExtensionType::KEY_SHARE]
+                    .key_share_entry.map(&:group)
+          sh_ks = sh.extensions[Message::ExtensionType::KEY_SHARE]
+                    .key_share_entry.first.group
+          terminate(:illegal_parameter) unless ch_ks.include?(sh_ks)
           kse = sh.extensions[Message::ExtensionType::KEY_SHARE]
                   .key_share_entry.first
           ke = kse.key_exchange
-          group = kse.group
-          priv_key = @priv_keys[group]
-          shared_secret = gen_shared_secret(ke, priv_key, group)
+          @named_group = kse.group
+          priv_key = priv_keys[@named_group]
+          shared_secret = gen_shared_secret(ke, priv_key, @named_group)
           @cipher_suite = sh.cipher_suite
-          @key_schedule = KeySchedule.new(psk: @psk,
-                                          shared_secret: shared_secret,
-                                          cipher_suite: @cipher_suite,
-                                          transcript: @transcript)
-          @write_cipher = gen_cipher(@cipher_suite,
-                                     @key_schedule.client_handshake_write_key,
-                                     @key_schedule.client_handshake_write_iv)
-          @read_cipher = gen_cipher(@cipher_suite,
-                                    @key_schedule.server_handshake_write_key,
-                                    @key_schedule.server_handshake_write_iv)
+          key_schedule = KeySchedule.new(
+            psk: psk,
+            shared_secret: shared_secret,
+            cipher_suite: @cipher_suite,
+            transcript: transcript
+          )
+          @alert_wcipher = hs_wcipher = gen_cipher(
+            @cipher_suite,
+            key_schedule.client_handshake_write_key,
+            key_schedule.client_handshake_write_iv
+          )
+          hs_rcipher = gen_cipher(
+            @cipher_suite,
+            key_schedule.server_handshake_write_key,
+            key_schedule.server_handshake_write_iv
+          )
           @state = ClientState::WAIT_EE
         when ClientState::WAIT_EE
           logger.debug('ClientState::WAIT_EE')
-          ee = @transcript[EE] = recv_encrypted_extensions
-          terminate(:illegal_parameter) unless ee.only_appearable_extensions?
+          ee = transcript[EE] = recv_encrypted_extensions(hs_rcipher)
+          terminate(:illegal_parameter) unless ee.appearable_extensions?
+          ch = transcript[CH]
           terminate(:unsupported_extension) \
-            unless offered_ch_extensions?(ee.extensions)
+            unless (ee.extensions.keys - ch.extensions.keys).empty?
           rsl = ee.extensions[Message::ExtensionType::RECORD_SIZE_LIMIT]
           @send_record_size = rsl.record_size_limit unless rsl.nil?
@@ -235,17 +281,19 @@ module TTTLS13
             if ee.extensions.include?(Message::ExtensionType::EARLY_DATA)
           @state = ClientState::WAIT_CERT_CR
-          @state = ClientState::WAIT_FINISHED unless @psk.nil?
+          @state = ClientState::WAIT_FINISHED unless psk.nil?
         when ClientState::WAIT_CERT_CR
           logger.debug('ClientState::WAIT_EE')
-          message = recv_message
+          message = recv_message(receivable_ccs: true, cipher: hs_rcipher)
           if message.msg_type == Message::HandshakeType::CERTIFICATE
-            ct = @transcript[CT] = message
-            terminate(:illegal_parameter) unless ct.only_appearable_extensions?
+            ct = transcript[CT] = message
+            terminate(:illegal_parameter) unless ct.appearable_extensions?
+            ch = transcript[CH]
             terminate(:unsupported_extension) \
               unless ct.certificate_list.map(&:extensions)
-                       .all? { |ex| offered_ch_extensions?(ex) }
+                       .all? { |e| (e.keys - ch.extensions.keys).empty? }
             terminate(:certificate_unknown) \
               unless trusted_certificate?(ct.certificate_list,
@@ -253,7 +301,7 @@ module TTTLS13
             @state = ClientState::WAIT_CV
           elsif message.msg_type == Message::HandshakeType::CERTIFICATE_REQUEST
-            @transcript[CR] = message
+            transcript[CR] = message
             # TODO: client authentication
             @state = ClientState::WAIT_CERT
           else
@@ -262,11 +310,13 @@ module TTTLS13
         when ClientState::WAIT_CERT
           logger.debug('ClientState::WAIT_EE')
-          ct = @transcript[CT] = recv_certificate
-          terminate(:illegal_parameter) unless ct.only_appearable_extensions?
+          ct = transcript[CT] = recv_certificate(hs_rcipher)
+          terminate(:illegal_parameter) unless ct.appearable_extensions?
+          ch = transcript[CH]
           terminate(:unsupported_extension) \
             unless ct.certificate_list.map(&:extensions)
-                     .all? { |ex| offered_ch_extensions?(ex) }
+                     .all? { |e| (e.keys - ch.extensions.keys).empty? }
           terminate(:certificate_unknown) \
             unless trusted_certificate?(ct.certificate_list,
@@ -276,27 +326,52 @@ module TTTLS13
         when ClientState::WAIT_CV
           logger.debug('ClientState::WAIT_EE')
-          @transcript[CV] = recv_certificate_verify
-          terminate(:decrypt_error) unless verified_certificate_verify?
+          cv = transcript[CV] = recv_certificate_verify(hs_rcipher)
+          digest = CipherSuite.digest(@cipher_suite)
+          hash = transcript.hash(digest, CT)
+          terminate(:decrypt_error) \
+            unless verified_certificate_verify?(transcript[CT], cv, hash)
+          @signature_scheme = cv.signature_scheme
           @state = ClientState::WAIT_FINISHED
         when ClientState::WAIT_FINISHED
           logger.debug('ClientState::WAIT_EE')
-          @transcript[SF] = recv_finished
-          terminate(:decrypt_error) unless verified_finished?
-          @transcript[EOED] = send_eoed \
+          sf = transcript[SF] = recv_finished(hs_rcipher)
+          digest = CipherSuite.digest(@cipher_suite)
+          verified = verified_finished?(
+            finished: sf,
+            digest: digest,
+            finished_key: key_schedule.server_finished_key,
+            hash: transcript.hash(digest, CV)
+          )
+          terminate(:decrypt_error) unless verified
+          transcript[EOED] = send_eoed(e_wcipher) \
             if use_early_data? && succeed_early_data?
           # TODO: Send Certificate [+ CertificateVerify]
-          @transcript[CF] = send_finished
-          @write_cipher = gen_cipher(@cipher_suite,
-                                     @key_schedule.client_application_write_key,
-                                     @key_schedule.client_application_write_iv)
-          @read_cipher = gen_cipher(@cipher_suite,
-                                    @key_schedule.server_application_write_key,
-                                    @key_schedule.server_application_write_iv)
+          signature = sign_finished(
+            digest: digest,
+            finished_key: key_schedule.client_finished_key,
+            hash: transcript.hash(digest, EOED)
+          )
+          transcript[CF] = send_finished(signature, hs_wcipher)
+          @alert_wcipher = @ap_wcipher = gen_cipher(
+            @cipher_suite,
+            key_schedule.client_application_write_key,
+            key_schedule.client_application_write_iv
+          )
+          @ap_rcipher = gen_cipher(
+            @cipher_suite,
+            key_schedule.server_application_write_key,
+            key_schedule.server_application_write_iv
+          )
+          @resumption_master_secret = key_schedule.resumption_master_secret
           @state = ClientState::CONNECTED
         when ClientState::CONNECTED
-          logger.debug('ClientState::WAIT_EE')
+          logger.debug('ClientState::CONNECTED')
           break
         end
@@ -369,13 +444,14 @@ module TTTLS13
       !(@early_data.nil? || @early_data.empty?)
     end
-    def send_early_data
+    # @param cipher [TTTLS13::Cryptograph::Aead]
+    def send_early_data(cipher)
       ap = Message::ApplicationData.new(@early_data)
       ap_record = Message::Record.new(
         type: Message::ContentType::APPLICATION_DATA,
         legacy_record_version: Message::ProtocolVersion::TLS_1_2,
         messages: [ap],
-        cipher: @early_data_write_cipher
+        cipher: cipher
       )
       send_record(ap_record)
     end
@@ -395,8 +471,6 @@ module TTTLS13
     # @return [TTTLS13::Message::Extensions]
     # @return [Hash of NamedGroup => OpenSSL::PKey::EC.$Object]
-    # rubocop: disable Metrics/AbcSize
-    # rubocop: disable Metrics/CyclomaticComplexity
     def gen_ch_extensions
       exs = []
       # supported_versions: only TLS 1.3
@@ -428,24 +502,22 @@ module TTTLS13
       exs << key_share
       # server_name
-      exs << Message::Extension::ServerName.new(@hostname) \
-        if !@hostname.nil? && !@hostname.empty?
+      exs << Message::Extension::ServerName.new(@hostname)
       # early_data
       exs << Message::Extension::EarlyDataIndication.new if use_early_data?
       [Message::Extensions.new(exs), priv_keys]
     end
-    # rubocop: enable Metrics/AbcSize
-    # rubocop: enable Metrics/CyclomaticComplexity
-    # @param exs [TTTLS13::Message::Extensions]
+    # @param extensions [TTTLS13::Message::Extensions]
+    # @param binder_key [String, nil]
     #
     # @return [TTTLS13::Message::ClientHello]
-    def send_client_hello(exs)
+    def send_client_hello(extensions, binder_key = nil)
       ch = Message::ClientHello.new(
         cipher_suites: CipherSuites.new(@settings[:cipher_suites]),
-        extensions: exs
+        extensions: extensions
       )
       if use_psk?
@@ -460,18 +532,25 @@ module TTTLS13
         )
         ch.extensions[Message::ExtensionType::PSK_KEY_EXCHANGE_MODES] = pkem
         # at the end, sign PSK binder
-        sign_psk_binder(ch)
+        sign_psk_binder(
+          ch: ch,
+          binder_key: binder_key
+        )
       end
-      send_handshakes(Message::ContentType::HANDSHAKE, [ch], @write_cipher)
+      send_handshakes(Message::ContentType::HANDSHAKE, [ch],
+                      Cryptograph::Passer.new)
       ch
     end
+    # @param ch1 [TTTLS13::Message::ClientHello]
+    # @param hrr [TTTLS13::Message::ServerHello]
     # @param ch [TTTLS13::Message::ClientHello]
+    # @param binder_key [String]
     #
     # @return [String]
-    def sign_psk_binder(ch)
+    def sign_psk_binder(ch1: nil, hrr: nil, ch:, binder_key:)
       # pre_shared_key
       #
       # binder is computed as an HMAC over a transcript hash containing a
@@ -494,9 +573,13 @@ module TTTLS13
       )
       ch.extensions[Message::ExtensionType::PRE_SHARED_KEY] = psk
-      transcript = @transcript.clone
-      transcript[CH] = ch
-      psk.offered_psks.binders[0] = do_sign_psk_binder(digest, transcript)
+      psk.offered_psks.binders[0] = do_sign_psk_binder(
+        ch1: ch1,
+        hrr: hrr,
+        ch: ch,
+        binder_key: binder_key,
+        digest: digest
+      )
     end
     # @return [Integer]
@@ -507,24 +590,20 @@ module TTTLS13
       (age + Convert.bin2i(@settings[:ticket_age_add])) % (2**32)
     end
-    # NOTE:
-    # https://tools.ietf.org/html/rfc8446#section-4.1.2
-    #
     # @param ch1 [TTTLS13::Message::ClientHello]
     # @param hrr [TTTLS13::Message::ServerHello]
     #
-    # @return [TTTLS13::Message::ClientHello]
-    def send_new_client_hello(ch1, hrr)
-      arr = []
+    # @return [TTTLS13::Message::Extensions]
+    # @return [Hash of NamedGroup => OpenSSL::PKey::EC.$Object]
+    def gen_newch_extensions(ch1, hrr)
+      exs = []
       # key_share
       if hrr.extensions.include?(Message::ExtensionType::KEY_SHARE)
         group = hrr.extensions[Message::ExtensionType::KEY_SHARE]
                    .key_share_entry.first.group
         key_share, priv_keys \
                    = Message::Extension::KeyShare.gen_ch_key_share([group])
-        arr << key_share
-        @priv_keys = priv_keys.merge(@priv_keys)
+        exs << key_share
       end
       # cookie
@@ -535,21 +614,45 @@ module TTTLS13
       # HelloRetryRequest into a "cookie" extension in the new ClientHello.
       #
       # https://tools.ietf.org/html/rfc8446#section-4.2.2
-      arr << hrr.extensions[Message::ExtensionType::COOKIE] \
+      exs << hrr.extensions[Message::ExtensionType::COOKIE] \
         if hrr.extensions.include?(Message::ExtensionType::COOKIE)
       # early_data
-      new_exs = ch1.extensions.merge(Message::Extensions.new(arr))
+      new_exs = ch1.extensions.merge(Message::Extensions.new(exs))
       new_exs.delete(Message::ExtensionType::EARLY_DATA)
+      [new_exs, priv_keys]
+    end
+    # NOTE:
+    # https://tools.ietf.org/html/rfc8446#section-4.1.2
+    #
+    # @param ch1 [TTTLS13::Message::ClientHello]
+    # @param hrr [TTTLS13::Message::ServerHello]
+    # @param extensions [TTTLS13::Message::Extensions]
+    # @param binder_key [String, nil]
+    #
+    # @return [TTTLS13::Message::ClientHello]
+    def send_new_client_hello(ch1, hrr, extensions, binder_key = nil)
       ch = Message::ClientHello.new(
         legacy_version: ch1.legacy_version,
         random: ch1.random,
         legacy_session_id: ch1.legacy_session_id,
         cipher_suites: ch1.cipher_suites,
         legacy_compression_methods: ch1.legacy_compression_methods,
-        extensions: new_exs
+        extensions: extensions
       )
-      send_handshakes(Message::ContentType::HANDSHAKE, [ch], @write_cipher)
+      # pre_shared_key
+      #
+      # Updating the "pre_shared_key" extension if present by recomputing
+      # the "obfuscated_ticket_age" and binder values.
+      if ch1.extensions.include?(Message::ExtensionType::PRE_SHARED_KEY)
+        sign_psk_binder(ch1: ch1, hrr: hrr, ch: ch, binder_key: binder_key)
+      end
+      send_handshakes(Message::ContentType::HANDSHAKE, [ch],
+                      Cryptograph::Passer.new)
       ch
     end
@@ -558,208 +661,98 @@ module TTTLS13
     #
     # @return [TTTLS13::Message::ServerHello]
     def recv_server_hello
-      sh = recv_message
+      sh = recv_message(receivable_ccs: true, cipher: Cryptograph::Passer.new)
       terminate(:unexpected_message) unless sh.is_a?(Message::ServerHello)
       sh
     end
+    # @param cipher [TTTLS13::Cryptograph::Aead]
+    #
     # @raise [TTTLS13::Error::ErrorAlerts]
     #
     # @return [TTTLS13::Message::EncryptedExtensions]
-    def recv_encrypted_extensions
-      ee = recv_message
+    def recv_encrypted_extensions(cipher)
+      ee = recv_message(receivable_ccs: true, cipher: cipher)
       terminate(:unexpected_message) \
         unless ee.is_a?(Message::EncryptedExtensions)
       ee
     end
+    # @param cipher [TTTLS13::Cryptograph::Aead]
+    #
     # @raise [TTTLS13::Error::ErrorAlerts]
     #
     # @return [TTTLS13::Message::Certificate]
-    def recv_certificate
-      ct = recv_message
+    def recv_certificate(cipher)
+      ct = recv_message(receivable_ccs: true, cipher: cipher)
       terminate(:unexpected_message) unless ct.is_a?(Message::Certificate)
       ct
     end
+    # @param cipher [TTTLS13::Cryptograph::Aead]
+    #
     # @raise [TTTLS13::Error::ErrorAlerts]
     #
     # @return [TTTLS13::Message::CertificateVerify]
-    def recv_certificate_verify
-      cv = recv_message
+    def recv_certificate_verify(cipher)
+      cv = recv_message(receivable_ccs: true, cipher: cipher)
       terminate(:unexpected_message) unless cv.is_a?(Message::CertificateVerify)
       cv
     end
+    # @param cipher [TTTLS13::Cryptograph::Aead]
+    #
     # @raise [TTTLS13::Error::ErrorAlerts]
     #
     # @return [TTTLS13::Message::Finished]
-    def recv_finished
-      sf = recv_message
+    def recv_finished(cipher)
+      sf = recv_message(receivable_ccs: true, cipher: cipher)
       terminate(:unexpected_message) unless sf.is_a?(Message::Finished)
       sf
     end
+    # @param cipher [TTTLS13::Cryptograph::Aead]
+    #
     # @return [TTTLS13::Message::Finished]
-    def send_finished
-      cf = Message::Finished.new(sign_finished)
-      send_handshakes(Message::ContentType::APPLICATION_DATA, [cf],
-                      @write_cipher)
+    def send_finished(signature, cipher)
+      cf = Message::Finished.new(signature)
+      send_handshakes(Message::ContentType::APPLICATION_DATA, [cf], cipher)
       cf
     end
+    # @param cipher [TTTLS13::Cryptograph::Aead]
+    #
     # @return [TTTLS13::Message::EndOfEarlyData]
-    def send_eoed
+    def send_eoed(cipher)
       eoed = Message::EndOfEarlyData.new
-      send_handshakes(Message::ContentType::APPLICATION_DATA, [eoed],
-                      @early_data_write_cipher)
+      send_handshakes(Message::ContentType::APPLICATION_DATA, [eoed], cipher)
       eoed
     end
+    # @param ct [TTTLS13::Message::Certificate]
+    # @param cv [TTTLS13::Message::CertificateVerify]
+    # @param hash [String]
+    #
     # @return [Boolean]
-    def verified_certificate_verify?
-      ct = @transcript[CT]
+    def verified_certificate_verify?(ct, cv, hash)
       public_key = ct.certificate_list.first.cert_data.public_key
-      cv = @transcript[CV]
       signature_scheme = cv.signature_scheme
       signature = cv.signature
-      context = 'TLS 1.3, server CertificateVerify'
-      do_verified_certificate_verify?(public_key: public_key,
-                                      signature_scheme: signature_scheme,
-                                      signature: signature,
-                                      context: context,
-                                      handshake_context_end: CT)
-    end
-    # @return [String]
-    def sign_finished
-      digest = CipherSuite.digest(@cipher_suite)
-      finished_key = @key_schedule.client_finished_key
-      do_sign_finished(digest: digest,
-                       finished_key: finished_key,
-                       handshake_context_end: EOED)
-    end
-    # @return [Boolean]
-    def verified_finished?
-      digest = CipherSuite.digest(@cipher_suite)
-      finished_key = @key_schedule.server_finished_key
-      signature = @transcript[SF].verify_data
-      do_verified_finished?(digest: digest,
-                            finished_key: finished_key,
-                            handshake_context_end: CV,
-                            signature: signature)
-    end
-    # NOTE:
-    # This implementation supports only TLS 1.3,
-    # so negotiated_tls_1_3? assumes that it sent ClientHello with:
-    #     1. supported_versions == ["\x03\x04"]
-    #     2. legacy_versions == ["\x03\x03"]
-    #
-    # @return [Boolean]
-    def negotiated_tls_1_3?
-      sh = @transcript[SH]
-      sh_lv = sh.legacy_version
-      sh_sv = sh.extensions[Message::ExtensionType::SUPPORTED_VERSIONS]
-               &.versions || []
-      sh_lv == Message::ProtocolVersion::TLS_1_2 &&
-        sh_sv.first == Message::ProtocolVersion::TLS_1_3
-    end
-    # @return [Boolean]
-    def valid_sh_random?
-      sh_r8 = @transcript[SH].random[-8..]
-      sh_r8 != DOWNGRADE_PROTECTION_TLS_1_2 &&
-        sh_r8 != DOWNGRADE_PROTECTION_TLS_1_1
-    end
-    # @return [Boolean]
-    def valid_sh_legacy_version?
-      @transcript[CH].legacy_version ==
-        @transcript[SH].legacy_version
-    end
-    # @return [Boolean]
-    def valid_sh_legacy_session_id_echo?
-      @transcript[CH].legacy_session_id ==
-        @transcript[SH].legacy_session_id_echo
-    end
-    # @return [Boolean]
-    def valid_sh_cipher_suite?
-      @transcript[CH].cipher_suites.include?(@transcript[SH].cipher_suite)
-    end
-    # @return [Boolean]
-    def valid_sh_compression_method?
-      @transcript[SH].legacy_compression_method == "\x00"
-    end
-    # @param extensions [TTTLS13::Message::Extensions]
-    # @param transcript_index [Integer]
-    #
-    # @return [Boolean]
-    def offered_ch_extensions?(extensions, transcript_index = nil)
-      keys = extensions.keys
-      if transcript_index == HRR
-        keys -= @transcript[CH1].extensions.keys
-        keys -= [Message::ExtensionType::COOKIE]
-      else
-        keys -= @transcript[CH].extensions.keys
-      end
-      keys.empty?
-    end
-    # @return [Boolean]
-    def received_2nd_hrr?
-      @transcript.include?(HRR)
-    end
-    # @param cipher_suite [TTTLS13::CipherSuite]
-    #
-    # @return [Boolean]
-    def neq_hrr_cipher_suite?(cipher_suite)
-      cipher_suite != @transcript[HRR].cipher_suite
-    end
-    # @param versions [Array of TTTLS13::Message::ProtocolVersion]
-    #
-    # @return [Boolean]
-    def neq_hrr_supported_versions?(versions)
-      hrr = @transcript[HRR]
-      versions != hrr.extensions[Message::ExtensionType::SUPPORTED_VERSIONS]
-                     .versions
-    end
-    # @return [Boolean]
-    def valid_sh_key_share?
-      offered = @transcript[CH].extensions[Message::ExtensionType::KEY_SHARE]
-                               .key_share_entry.map(&:group)
-      selected = @transcript[SH].extensions[Message::ExtensionType::KEY_SHARE]
-                                .key_share_entry.first.group
-      offered.include?(selected)
-    end
-    # @return [Boolean]
-    def valid_hrr_key_share?
-      # TODO: pre_shared_key
-      ch1_exs = @transcript[CH1].extensions
-      ngl = ch1_exs[Message::ExtensionType::SUPPORTED_GROUPS].named_group_list
-      kse = ch1_exs[Message::ExtensionType::KEY_SHARE].key_share_entry
-      group = @transcript[HRR].extensions[Message::ExtensionType::KEY_SHARE]
-                              .key_share_entry.first.group
-      ngl.include?(group) && !kse.map(&:group).include?(group)
+      do_verified_certificate_verify?(
+        public_key: public_key,
+        signature_scheme: signature_scheme,
+        signature: signature,
+        context: 'TLS 1.3, server CertificateVerify',
+        hash: hash
+      )
     end
     # @param nst [TTTLS13::Message::NewSessionTicket]
@@ -768,7 +761,7 @@ module TTTLS13
     def process_new_session_ticket(nst)
       super(nst)
-      rms = @key_schedule.resumption_master_secret
+      rms = @resumption_master_secret
       cs = @cipher_suite
       @settings[:process_new_session_ticket]&.call(nst, rms, cs)
     end