RubyGems - tttls1.3 - Versions diffs - 0.2.1 → 0.2.2 - Mend

tttls1.3 0.2.1 → 0.2.2

Files changed (35) hide show

checksums.yaml +4 -4
data/README.md +1 -0
data/Rakefile +3 -3
data/example/https_client_using_hrr_and_ticket.rb +40 -0
data/interop/client_spec.rb +15 -0
data/interop/server_spec.rb +8 -0
data/lib/tttls1.3/client.rb +265 -272
data/lib/tttls1.3/connection.rb +85 -62
data/lib/tttls1.3/message/certificate.rb +1 -1
data/lib/tttls1.3/message/client_hello.rb +26 -1
data/lib/tttls1.3/message/encrypted_extensions.rb +1 -1
data/lib/tttls1.3/message/new_session_ticket.rb +1 -1
data/lib/tttls1.3/message/server_hello.rb +21 -1
data/lib/tttls1.3/server.rb +179 -157
data/lib/tttls1.3/version.rb +1 -1
data/spec/certificate_spec.rb +4 -4
data/spec/client_hello_spec.rb +3 -0
data/spec/client_spec.rb +96 -157
data/spec/connection_spec.rb +32 -23
data/spec/encrypted_extensions_spec.rb +4 -4
data/spec/fixtures/rsa_ca.crt +16 -27
data/spec/fixtures/rsa_ca.key +25 -49
data/spec/fixtures/rsa_rsa.crt +16 -21
data/spec/fixtures/rsa_rsa.key +25 -25
data/spec/fixtures/rsa_rsassaPss.crt +20 -0
data/spec/fixtures/rsa_rsassaPss.key +27 -0
data/spec/fixtures/rsa_secp256r1.crt +12 -17
data/spec/fixtures/rsa_secp256r1.key +3 -3
data/spec/fixtures/rsa_secp384r1.crt +12 -17
data/spec/fixtures/rsa_secp384r1.key +4 -4
data/spec/fixtures/rsa_secp521r1.crt +13 -18
data/spec/fixtures/rsa_secp521r1.key +5 -5
data/spec/server_hello_spec.rb +60 -0
data/spec/server_spec.rb +79 -60
metadata +7 -2

data/lib/tttls1.3/client.rb CHANGED Viewed

@@ -3,6 +3,7 @@
 module TTTLS13
   using Refinements
   module ClientState
     # initial value is 0, eof value is -1
     START         = 1
@@ -62,11 +63,6 @@ module TTTLS13
   # rubocop: disable Metrics/ClassLength
   class Client < Connection
-    DOWNGRADE_PROTECTION_TLS_1_2 = "\x44\x4F\x57\x4E\x47\x52\x44\x01"
-    private_constant :DOWNGRADE_PROTECTION_TLS_1_2
-    DOWNGRADE_PROTECTION_TLS_1_1 = "\x44\x4F\x57\x4E\x47\x52\x44\x00"
-    private_constant :DOWNGRADE_PROTECTION_TLS_1_1
     # @param socket [Socket]
     # @param hostname [String]
     # @param settings [Hash]
@@ -79,20 +75,8 @@ module TTTLS13
       logger.level = @settings[:loglevel]
       @early_data = ''
-      @early_data_write_cipher = nil # Cryptograph::$Object
       @succeed_early_data = false
       raise Error::ConfigError unless valid_settings?
-      return unless use_psk?
-      digest = CipherSuite.digest(@settings[:psk_cipher_suite])
-      @psk = gen_psk_from_nst(@settings[:resumption_master_secret],
-                              @settings[:ticket_nonce], digest)
-      @key_schedule = KeySchedule.new(
-        psk: @psk,
-        shared_secret: nil,
-        cipher_suite: @settings[:psk_cipher_suite],
-        transcript: @transcript
-      )
     end
     # NOTE:
@@ -135,98 +119,160 @@ module TTTLS13
     # rubocop: disable Metrics/MethodLength
     # rubocop: disable Metrics/PerceivedComplexity
     def connect
+      transcript = Transcript.new
+      key_schedule = nil # TTTLS13::KeySchedule
+      psk = nil
+      priv_keys = {} # Hash of NamedGroup => OpenSSL::PKey::$Object
+      if use_psk?
+        psk = gen_psk_from_nst(
+          @settings[:resumption_master_secret],
+          @settings[:ticket_nonce],
+          CipherSuite.digest(@settings[:psk_cipher_suite])
+        )
+        key_schedule = KeySchedule.new(
+          psk: psk,
+          shared_secret: nil,
+          cipher_suite: @settings[:psk_cipher_suite],
+          transcript: transcript
+        )
+      end
+      hs_wcipher = nil # TTTLS13::Cryptograph::$Object
+      hs_rcipher = nil # TTTLS13::Cryptograph::$Object
+      e_wcipher = nil # TTTLS13::Cryptograph::$Object
       @state = ClientState::START
       loop do
         case @state
         when ClientState::START
           logger.debug('ClientState::START')
-          exs, @priv_keys = gen_ch_extensions
-          @transcript[CH] = send_client_hello(exs)
+          extensions, priv_keys = gen_ch_extensions
+          binder_key = (use_psk? ? key_schedule.binder_key_res : nil)
+          transcript[CH] = send_client_hello(extensions, binder_key)
           send_ccs # compatibility mode
           if use_early_data?
-            @early_data_write_cipher \
-            = gen_cipher(@settings[:psk_cipher_suite],
-                         @key_schedule.early_data_write_key,
-                         @key_schedule.early_data_write_iv)
-            send_early_data
+            e_wcipher = gen_cipher(
+              @settings[:psk_cipher_suite],
+              key_schedule.early_data_write_key,
+              key_schedule.early_data_write_iv
+            )
+            send_early_data(e_wcipher)
           end
           @state = ClientState::WAIT_SH
         when ClientState::WAIT_SH
           logger.debug('ClientState::WAIT_SH')
-          sh = @transcript[SH] = recv_server_hello
-          terminate(:illegal_parameter) unless sh.only_appearable_extensions?
+          sh = transcript[SH] = recv_server_hello
           # support only TLS 1.3
-          terminate(:protocol_version) unless negotiated_tls_1_3?
+          terminate(:protocol_version) unless sh.negotiated_tls_1_3?
           # validate parameters
-          terminate(:illegal_parameter) unless valid_sh_legacy_version?
-          terminate(:illegal_parameter) unless valid_sh_random?
-          terminate(:illegal_parameter) unless valid_sh_legacy_session_id_echo?
-          terminate(:illegal_parameter) unless valid_sh_cipher_suite?
+          terminate(:illegal_parameter) unless sh.appearable_extensions?
+          terminate(:illegal_parameter) if sh.downgraded?
           terminate(:illegal_parameter) \
-            if @transcript.include?(HRR) &&
-               neq_hrr_cipher_suite?(sh.cipher_suite)
-          terminate(:illegal_parameter) unless valid_sh_compression_method?
+            unless sh.legacy_compression_method == "\x00"
+          # validate sh using ch
+          ch = transcript[CH]
+          terminate(:illegal_parameter) \
+            unless sh.legacy_version == ch.legacy_version
+          terminate(:illegal_parameter) \
+            unless sh.legacy_session_id_echo == ch.legacy_session_id
+          terminate(:illegal_parameter) \
+            unless ch.cipher_suites.include?(sh.cipher_suite)
+          terminate(:unsupported_extension) \
+            unless (sh.extensions.keys - ch.extensions.keys).empty?
+          # validate sh using hrr
+          if transcript.include?(HRR)
+            hrr = transcript[HRR]
+            terminate(:illegal_parameter) \
+              unless sh.cipher_suite == hrr.cipher_suite
+            sh_sv = sh.extensions[Message::ExtensionType::SUPPORTED_VERSIONS]
+            hrr_sv = hrr.extensions[Message::ExtensionType::SUPPORTED_VERSIONS]
+            terminate(:illegal_parameter) \
+              unless sh_sv.versions == hrr_sv.versions
+          end
           # handling HRR
           if sh.hrr?
-            terminate(:unexpected_message) if received_2nd_hrr?
+            terminate(:unexpected_message) if transcript.include?(HRR)
+            ch1 = transcript[CH1] = transcript.delete(CH)
+            hrr = transcript[HRR] = transcript.delete(SH)
-            @transcript[CH1] = @transcript.delete(CH)
-            @transcript[HRR] = @transcript.delete(SH)
+            # validate cookie
+            diff_sets = sh.extensions.keys - ch1.extensions.keys
             terminate(:unsupported_extension) \
-              unless offered_ch_extensions?(sh.extensions, HRR)
-            terminate(:illegal_parameter) unless valid_hrr_key_share?
-            ch = send_new_client_hello(@transcript[CH1], @transcript[HRR])
-            @transcript[CH] = ch
+              unless (diff_sets - [Message::ExtensionType::COOKIE]).empty?
+            # validate key_share
+            # TODO: pre_shared_key
+            ngl = ch1.extensions[Message::ExtensionType::SUPPORTED_GROUPS]
+                     .named_group_list
+            kse = ch1.extensions[Message::ExtensionType::KEY_SHARE]
+                     .key_share_entry
+            group = hrr.extensions[Message::ExtensionType::KEY_SHARE]
+                       .key_share_entry.first.group
+            terminate(:illegal_parameter) \
+              unless ngl.include?(group) && !kse.map(&:group).include?(group)
+            # send new client_hello
+            extensions, pk = gen_newch_extensions(ch1, hrr)
+            priv_keys = pk.merge(priv_keys)
+            binder_key = (use_psk? ? key_schedule.binder_key_res : nil)
+            transcript[CH] = send_new_client_hello(ch1, hrr, extensions,
+                                                   binder_key)
             @state = ClientState::WAIT_SH
             next
           end
-          # validate extensions
-          terminate(:unsupported_extension) \
-            unless offered_ch_extensions?(sh.extensions)
-          versions \
-          = sh.extensions[Message::ExtensionType::SUPPORTED_VERSIONS].versions
-          terminate(:illegal_parameter) \
-            if @transcript.include?(HRR) &&
-               neq_hrr_supported_versions?(versions)
           # generate shared secret
-          @psk = nil unless sh.extensions
-                              .include?(Message::ExtensionType::PRE_SHARED_KEY)
-          terminate(:illegal_parameter) unless valid_sh_key_share?
+          psk = nil unless sh.extensions
+                             .include?(Message::ExtensionType::PRE_SHARED_KEY)
+          ch_ks = ch.extensions[Message::ExtensionType::KEY_SHARE]
+                    .key_share_entry.map(&:group)
+          sh_ks = sh.extensions[Message::ExtensionType::KEY_SHARE]
+                    .key_share_entry.first.group
+          terminate(:illegal_parameter) unless ch_ks.include?(sh_ks)
           kse = sh.extensions[Message::ExtensionType::KEY_SHARE]
                   .key_share_entry.first
           ke = kse.key_exchange
-          group = kse.group
-          priv_key = @priv_keys[group]
-          shared_secret = gen_shared_secret(ke, priv_key, group)
+          @named_group = kse.group
+          priv_key = priv_keys[@named_group]
+          shared_secret = gen_shared_secret(ke, priv_key, @named_group)
           @cipher_suite = sh.cipher_suite
-          @key_schedule = KeySchedule.new(psk: @psk,
-                                          shared_secret: shared_secret,
-                                          cipher_suite: @cipher_suite,
-                                          transcript: @transcript)
-          @write_cipher = gen_cipher(@cipher_suite,
-                                     @key_schedule.client_handshake_write_key,
-                                     @key_schedule.client_handshake_write_iv)
-          @read_cipher = gen_cipher(@cipher_suite,
-                                    @key_schedule.server_handshake_write_key,
-                                    @key_schedule.server_handshake_write_iv)
+          key_schedule = KeySchedule.new(
+            psk: psk,
+            shared_secret: shared_secret,
+            cipher_suite: @cipher_suite,
+            transcript: transcript
+          )
+          @alert_wcipher = hs_wcipher = gen_cipher(
+            @cipher_suite,
+            key_schedule.client_handshake_write_key,
+            key_schedule.client_handshake_write_iv
+          )
+          hs_rcipher = gen_cipher(
+            @cipher_suite,
+            key_schedule.server_handshake_write_key,
+            key_schedule.server_handshake_write_iv
+          )
           @state = ClientState::WAIT_EE
         when ClientState::WAIT_EE
           logger.debug('ClientState::WAIT_EE')
-          ee = @transcript[EE] = recv_encrypted_extensions
-          terminate(:illegal_parameter) unless ee.only_appearable_extensions?
+          ee = transcript[EE] = recv_encrypted_extensions(hs_rcipher)
+          terminate(:illegal_parameter) unless ee.appearable_extensions?
+          ch = transcript[CH]
           terminate(:unsupported_extension) \
-            unless offered_ch_extensions?(ee.extensions)
+            unless (ee.extensions.keys - ch.extensions.keys).empty?
           rsl = ee.extensions[Message::ExtensionType::RECORD_SIZE_LIMIT]
           @send_record_size = rsl.record_size_limit unless rsl.nil?
@@ -235,17 +281,19 @@ module TTTLS13
             if ee.extensions.include?(Message::ExtensionType::EARLY_DATA)
           @state = ClientState::WAIT_CERT_CR
-          @state = ClientState::WAIT_FINISHED unless @psk.nil?
+          @state = ClientState::WAIT_FINISHED unless psk.nil?
         when ClientState::WAIT_CERT_CR
           logger.debug('ClientState::WAIT_EE')
-          message = recv_message
+          message = recv_message(receivable_ccs: true, cipher: hs_rcipher)
           if message.msg_type == Message::HandshakeType::CERTIFICATE
-            ct = @transcript[CT] = message
-            terminate(:illegal_parameter) unless ct.only_appearable_extensions?
+            ct = transcript[CT] = message
+            terminate(:illegal_parameter) unless ct.appearable_extensions?
+            ch = transcript[CH]
             terminate(:unsupported_extension) \
               unless ct.certificate_list.map(&:extensions)
-                       .all? { |ex| offered_ch_extensions?(ex) }
+                       .all? { |e| (e.keys - ch.extensions.keys).empty? }
             terminate(:certificate_unknown) \
               unless trusted_certificate?(ct.certificate_list,
@@ -253,7 +301,7 @@ module TTTLS13
             @state = ClientState::WAIT_CV
           elsif message.msg_type == Message::HandshakeType::CERTIFICATE_REQUEST
-            @transcript[CR] = message
+            transcript[CR] = message
             # TODO: client authentication
             @state = ClientState::WAIT_CERT
           else
@@ -262,11 +310,13 @@ module TTTLS13
         when ClientState::WAIT_CERT
           logger.debug('ClientState::WAIT_EE')
-          ct = @transcript[CT] = recv_certificate
-          terminate(:illegal_parameter) unless ct.only_appearable_extensions?
+          ct = transcript[CT] = recv_certificate(hs_rcipher)
+          terminate(:illegal_parameter) unless ct.appearable_extensions?
+          ch = transcript[CH]
           terminate(:unsupported_extension) \
             unless ct.certificate_list.map(&:extensions)
-                     .all? { |ex| offered_ch_extensions?(ex) }
+                     .all? { |e| (e.keys - ch.extensions.keys).empty? }
           terminate(:certificate_unknown) \
             unless trusted_certificate?(ct.certificate_list,
@@ -276,27 +326,52 @@ module TTTLS13
         when ClientState::WAIT_CV
           logger.debug('ClientState::WAIT_EE')
-          @transcript[CV] = recv_certificate_verify
-          terminate(:decrypt_error) unless verified_certificate_verify?
+          cv = transcript[CV] = recv_certificate_verify(hs_rcipher)
+          digest = CipherSuite.digest(@cipher_suite)
+          hash = transcript.hash(digest, CT)
+          terminate(:decrypt_error) \
+            unless verified_certificate_verify?(transcript[CT], cv, hash)
+          @signature_scheme = cv.signature_scheme
           @state = ClientState::WAIT_FINISHED
         when ClientState::WAIT_FINISHED
           logger.debug('ClientState::WAIT_EE')
-          @transcript[SF] = recv_finished
-          terminate(:decrypt_error) unless verified_finished?
-          @transcript[EOED] = send_eoed \
+          sf = transcript[SF] = recv_finished(hs_rcipher)
+          digest = CipherSuite.digest(@cipher_suite)
+          verified = verified_finished?(
+            finished: sf,
+            digest: digest,
+            finished_key: key_schedule.server_finished_key,
+            hash: transcript.hash(digest, CV)
+          )
+          terminate(:decrypt_error) unless verified
+          transcript[EOED] = send_eoed(e_wcipher) \
             if use_early_data? && succeed_early_data?
           # TODO: Send Certificate [+ CertificateVerify]
-          @transcript[CF] = send_finished
-          @write_cipher = gen_cipher(@cipher_suite,
-                                     @key_schedule.client_application_write_key,
-                                     @key_schedule.client_application_write_iv)
-          @read_cipher = gen_cipher(@cipher_suite,
-                                    @key_schedule.server_application_write_key,
-                                    @key_schedule.server_application_write_iv)
+          signature = sign_finished(
+            digest: digest,
+            finished_key: key_schedule.client_finished_key,
+            hash: transcript.hash(digest, EOED)
+          )
+          transcript[CF] = send_finished(signature, hs_wcipher)
+          @alert_wcipher = @ap_wcipher = gen_cipher(
+            @cipher_suite,
+            key_schedule.client_application_write_key,
+            key_schedule.client_application_write_iv
+          )
+          @ap_rcipher = gen_cipher(
+            @cipher_suite,
+            key_schedule.server_application_write_key,
+            key_schedule.server_application_write_iv
+          )
+          @resumption_master_secret = key_schedule.resumption_master_secret
           @state = ClientState::CONNECTED
         when ClientState::CONNECTED
-          logger.debug('ClientState::WAIT_EE')
+          logger.debug('ClientState::CONNECTED')
           break
         end
@@ -369,13 +444,14 @@ module TTTLS13
       !(@early_data.nil? || @early_data.empty?)
     end
-    def send_early_data
+    # @param cipher [TTTLS13::Cryptograph::Aead]
+    def send_early_data(cipher)
       ap = Message::ApplicationData.new(@early_data)
       ap_record = Message::Record.new(
         type: Message::ContentType::APPLICATION_DATA,
         legacy_record_version: Message::ProtocolVersion::TLS_1_2,
         messages: [ap],
-        cipher: @early_data_write_cipher
+        cipher: cipher
       )
       send_record(ap_record)
     end
@@ -395,8 +471,6 @@ module TTTLS13
     # @return [TTTLS13::Message::Extensions]
     # @return [Hash of NamedGroup => OpenSSL::PKey::EC.$Object]
-    # rubocop: disable Metrics/AbcSize
-    # rubocop: disable Metrics/CyclomaticComplexity
     def gen_ch_extensions
       exs = []
       # supported_versions: only TLS 1.3
@@ -428,24 +502,22 @@ module TTTLS13
       exs << key_share
       # server_name
-      exs << Message::Extension::ServerName.new(@hostname) \
-        if !@hostname.nil? && !@hostname.empty?
+      exs << Message::Extension::ServerName.new(@hostname)
       # early_data
       exs << Message::Extension::EarlyDataIndication.new if use_early_data?
       [Message::Extensions.new(exs), priv_keys]
     end
-    # rubocop: enable Metrics/AbcSize
-    # rubocop: enable Metrics/CyclomaticComplexity
-    # @param exs [TTTLS13::Message::Extensions]
+    # @param extensions [TTTLS13::Message::Extensions]
+    # @param binder_key [String, nil]
     #
     # @return [TTTLS13::Message::ClientHello]
-    def send_client_hello(exs)
+    def send_client_hello(extensions, binder_key = nil)
       ch = Message::ClientHello.new(
         cipher_suites: CipherSuites.new(@settings[:cipher_suites]),
-        extensions: exs
+        extensions: extensions
       )
       if use_psk?
@@ -460,18 +532,25 @@ module TTTLS13
         )
         ch.extensions[Message::ExtensionType::PSK_KEY_EXCHANGE_MODES] = pkem
         # at the end, sign PSK binder
-        sign_psk_binder(ch)
+        sign_psk_binder(
+          ch: ch,
+          binder_key: binder_key
+        )
       end
-      send_handshakes(Message::ContentType::HANDSHAKE, [ch], @write_cipher)
+      send_handshakes(Message::ContentType::HANDSHAKE, [ch],
+                      Cryptograph::Passer.new)
       ch
     end
+    # @param ch1 [TTTLS13::Message::ClientHello]
+    # @param hrr [TTTLS13::Message::ServerHello]
     # @param ch [TTTLS13::Message::ClientHello]
+    # @param binder_key [String]
     #
     # @return [String]
-    def sign_psk_binder(ch)
+    def sign_psk_binder(ch1: nil, hrr: nil, ch:, binder_key:)
       # pre_shared_key
       #
       # binder is computed as an HMAC over a transcript hash containing a
@@ -494,9 +573,13 @@ module TTTLS13
       )
       ch.extensions[Message::ExtensionType::PRE_SHARED_KEY] = psk
-      transcript = @transcript.clone
-      transcript[CH] = ch
-      psk.offered_psks.binders[0] = do_sign_psk_binder(digest, transcript)
+      psk.offered_psks.binders[0] = do_sign_psk_binder(
+        ch1: ch1,
+        hrr: hrr,
+        ch: ch,
+        binder_key: binder_key,
+        digest: digest
+      )
     end
     # @return [Integer]
@@ -507,24 +590,20 @@ module TTTLS13
       (age + Convert.bin2i(@settings[:ticket_age_add])) % (2**32)
     end
-    # NOTE:
-    # https://tools.ietf.org/html/rfc8446#section-4.1.2
-    #
     # @param ch1 [TTTLS13::Message::ClientHello]
     # @param hrr [TTTLS13::Message::ServerHello]
     #
-    # @return [TTTLS13::Message::ClientHello]
-    def send_new_client_hello(ch1, hrr)
-      arr = []
+    # @return [TTTLS13::Message::Extensions]
+    # @return [Hash of NamedGroup => OpenSSL::PKey::EC.$Object]
+    def gen_newch_extensions(ch1, hrr)
+      exs = []
       # key_share
       if hrr.extensions.include?(Message::ExtensionType::KEY_SHARE)
         group = hrr.extensions[Message::ExtensionType::KEY_SHARE]
                    .key_share_entry.first.group
         key_share, priv_keys \
                    = Message::Extension::KeyShare.gen_ch_key_share([group])
-        arr << key_share
-        @priv_keys = priv_keys.merge(@priv_keys)
+        exs << key_share
       end
       # cookie
@@ -535,21 +614,45 @@ module TTTLS13
       # HelloRetryRequest into a "cookie" extension in the new ClientHello.
       #
       # https://tools.ietf.org/html/rfc8446#section-4.2.2
-      arr << hrr.extensions[Message::ExtensionType::COOKIE] \
+      exs << hrr.extensions[Message::ExtensionType::COOKIE] \
         if hrr.extensions.include?(Message::ExtensionType::COOKIE)
       # early_data
-      new_exs = ch1.extensions.merge(Message::Extensions.new(arr))
+      new_exs = ch1.extensions.merge(Message::Extensions.new(exs))
       new_exs.delete(Message::ExtensionType::EARLY_DATA)
+      [new_exs, priv_keys]
+    end
+    # NOTE:
+    # https://tools.ietf.org/html/rfc8446#section-4.1.2
+    #
+    # @param ch1 [TTTLS13::Message::ClientHello]
+    # @param hrr [TTTLS13::Message::ServerHello]
+    # @param extensions [TTTLS13::Message::Extensions]
+    # @param binder_key [String, nil]
+    #
+    # @return [TTTLS13::Message::ClientHello]
+    def send_new_client_hello(ch1, hrr, extensions, binder_key = nil)
       ch = Message::ClientHello.new(
         legacy_version: ch1.legacy_version,
         random: ch1.random,
         legacy_session_id: ch1.legacy_session_id,
         cipher_suites: ch1.cipher_suites,
         legacy_compression_methods: ch1.legacy_compression_methods,
-        extensions: new_exs
+        extensions: extensions
       )
-      send_handshakes(Message::ContentType::HANDSHAKE, [ch], @write_cipher)
+      # pre_shared_key
+      #
+      # Updating the "pre_shared_key" extension if present by recomputing
+      # the "obfuscated_ticket_age" and binder values.
+      if ch1.extensions.include?(Message::ExtensionType::PRE_SHARED_KEY)
+        sign_psk_binder(ch1: ch1, hrr: hrr, ch: ch, binder_key: binder_key)
+      end
+      send_handshakes(Message::ContentType::HANDSHAKE, [ch],
+                      Cryptograph::Passer.new)
       ch
     end
@@ -558,208 +661,98 @@ module TTTLS13
     #
     # @return [TTTLS13::Message::ServerHello]
     def recv_server_hello
-      sh = recv_message
+      sh = recv_message(receivable_ccs: true, cipher: Cryptograph::Passer.new)
       terminate(:unexpected_message) unless sh.is_a?(Message::ServerHello)
       sh
     end
+    # @param cipher [TTTLS13::Cryptograph::Aead]
+    #
     # @raise [TTTLS13::Error::ErrorAlerts]
     #
     # @return [TTTLS13::Message::EncryptedExtensions]
-    def recv_encrypted_extensions
-      ee = recv_message
+    def recv_encrypted_extensions(cipher)
+      ee = recv_message(receivable_ccs: true, cipher: cipher)
       terminate(:unexpected_message) \
         unless ee.is_a?(Message::EncryptedExtensions)
       ee
     end
+    # @param cipher [TTTLS13::Cryptograph::Aead]
+    #
     # @raise [TTTLS13::Error::ErrorAlerts]
     #
     # @return [TTTLS13::Message::Certificate]
-    def recv_certificate
-      ct = recv_message
+    def recv_certificate(cipher)
+      ct = recv_message(receivable_ccs: true, cipher: cipher)
       terminate(:unexpected_message) unless ct.is_a?(Message::Certificate)
       ct
     end
+    # @param cipher [TTTLS13::Cryptograph::Aead]
+    #
     # @raise [TTTLS13::Error::ErrorAlerts]
     #
     # @return [TTTLS13::Message::CertificateVerify]
-    def recv_certificate_verify
-      cv = recv_message
+    def recv_certificate_verify(cipher)
+      cv = recv_message(receivable_ccs: true, cipher: cipher)
       terminate(:unexpected_message) unless cv.is_a?(Message::CertificateVerify)
       cv
     end
+    # @param cipher [TTTLS13::Cryptograph::Aead]
+    #
     # @raise [TTTLS13::Error::ErrorAlerts]
     #
     # @return [TTTLS13::Message::Finished]
-    def recv_finished
-      sf = recv_message
+    def recv_finished(cipher)
+      sf = recv_message(receivable_ccs: true, cipher: cipher)
       terminate(:unexpected_message) unless sf.is_a?(Message::Finished)
       sf
     end
+    # @param cipher [TTTLS13::Cryptograph::Aead]
+    #
     # @return [TTTLS13::Message::Finished]
-    def send_finished
-      cf = Message::Finished.new(sign_finished)
-      send_handshakes(Message::ContentType::APPLICATION_DATA, [cf],
-                      @write_cipher)
+    def send_finished(signature, cipher)
+      cf = Message::Finished.new(signature)
+      send_handshakes(Message::ContentType::APPLICATION_DATA, [cf], cipher)
       cf
     end
+    # @param cipher [TTTLS13::Cryptograph::Aead]
+    #
     # @return [TTTLS13::Message::EndOfEarlyData]
-    def send_eoed
+    def send_eoed(cipher)
       eoed = Message::EndOfEarlyData.new
-      send_handshakes(Message::ContentType::APPLICATION_DATA, [eoed],
-                      @early_data_write_cipher)
+      send_handshakes(Message::ContentType::APPLICATION_DATA, [eoed], cipher)
       eoed
     end
+    # @param ct [TTTLS13::Message::Certificate]
+    # @param cv [TTTLS13::Message::CertificateVerify]
+    # @param hash [String]
+    #
     # @return [Boolean]
-    def verified_certificate_verify?
-      ct = @transcript[CT]
+    def verified_certificate_verify?(ct, cv, hash)
       public_key = ct.certificate_list.first.cert_data.public_key
-      cv = @transcript[CV]
       signature_scheme = cv.signature_scheme
       signature = cv.signature
-      context = 'TLS 1.3, server CertificateVerify'
-      do_verified_certificate_verify?(public_key: public_key,
-                                      signature_scheme: signature_scheme,
-                                      signature: signature,
-                                      context: context,
-                                      handshake_context_end: CT)
-    end
-    # @return [String]
-    def sign_finished
-      digest = CipherSuite.digest(@cipher_suite)
-      finished_key = @key_schedule.client_finished_key
-      do_sign_finished(digest: digest,
-                       finished_key: finished_key,
-                       handshake_context_end: EOED)
-    end
-    # @return [Boolean]
-    def verified_finished?
-      digest = CipherSuite.digest(@cipher_suite)
-      finished_key = @key_schedule.server_finished_key
-      signature = @transcript[SF].verify_data
-      do_verified_finished?(digest: digest,
-                            finished_key: finished_key,
-                            handshake_context_end: CV,
-                            signature: signature)
-    end
-    # NOTE:
-    # This implementation supports only TLS 1.3,
-    # so negotiated_tls_1_3? assumes that it sent ClientHello with:
-    #     1. supported_versions == ["\x03\x04"]
-    #     2. legacy_versions == ["\x03\x03"]
-    #
-    # @return [Boolean]
-    def negotiated_tls_1_3?
-      sh = @transcript[SH]
-      sh_lv = sh.legacy_version
-      sh_sv = sh.extensions[Message::ExtensionType::SUPPORTED_VERSIONS]
-               &.versions || []
-      sh_lv == Message::ProtocolVersion::TLS_1_2 &&
-        sh_sv.first == Message::ProtocolVersion::TLS_1_3
-    end
-    # @return [Boolean]
-    def valid_sh_random?
-      sh_r8 = @transcript[SH].random[-8..]
-      sh_r8 != DOWNGRADE_PROTECTION_TLS_1_2 &&
-        sh_r8 != DOWNGRADE_PROTECTION_TLS_1_1
-    end
-    # @return [Boolean]
-    def valid_sh_legacy_version?
-      @transcript[CH].legacy_version ==
-        @transcript[SH].legacy_version
-    end
-    # @return [Boolean]
-    def valid_sh_legacy_session_id_echo?
-      @transcript[CH].legacy_session_id ==
-        @transcript[SH].legacy_session_id_echo
-    end
-    # @return [Boolean]
-    def valid_sh_cipher_suite?
-      @transcript[CH].cipher_suites.include?(@transcript[SH].cipher_suite)
-    end
-    # @return [Boolean]
-    def valid_sh_compression_method?
-      @transcript[SH].legacy_compression_method == "\x00"
-    end
-    # @param extensions [TTTLS13::Message::Extensions]
-    # @param transcript_index [Integer]
-    #
-    # @return [Boolean]
-    def offered_ch_extensions?(extensions, transcript_index = nil)
-      keys = extensions.keys
-      if transcript_index == HRR
-        keys -= @transcript[CH1].extensions.keys
-        keys -= [Message::ExtensionType::COOKIE]
-      else
-        keys -= @transcript[CH].extensions.keys
-      end
-      keys.empty?
-    end
-    # @return [Boolean]
-    def received_2nd_hrr?
-      @transcript.include?(HRR)
-    end
-    # @param cipher_suite [TTTLS13::CipherSuite]
-    #
-    # @return [Boolean]
-    def neq_hrr_cipher_suite?(cipher_suite)
-      cipher_suite != @transcript[HRR].cipher_suite
-    end
-    # @param versions [Array of TTTLS13::Message::ProtocolVersion]
-    #
-    # @return [Boolean]
-    def neq_hrr_supported_versions?(versions)
-      hrr = @transcript[HRR]
-      versions != hrr.extensions[Message::ExtensionType::SUPPORTED_VERSIONS]
-                     .versions
-    end
-    # @return [Boolean]
-    def valid_sh_key_share?
-      offered = @transcript[CH].extensions[Message::ExtensionType::KEY_SHARE]
-                               .key_share_entry.map(&:group)
-      selected = @transcript[SH].extensions[Message::ExtensionType::KEY_SHARE]
-                                .key_share_entry.first.group
-      offered.include?(selected)
-    end
-    # @return [Boolean]
-    def valid_hrr_key_share?
-      # TODO: pre_shared_key
-      ch1_exs = @transcript[CH1].extensions
-      ngl = ch1_exs[Message::ExtensionType::SUPPORTED_GROUPS].named_group_list
-      kse = ch1_exs[Message::ExtensionType::KEY_SHARE].key_share_entry
-      group = @transcript[HRR].extensions[Message::ExtensionType::KEY_SHARE]
-                              .key_share_entry.first.group
-      ngl.include?(group) && !kse.map(&:group).include?(group)
+      do_verified_certificate_verify?(
+        public_key: public_key,
+        signature_scheme: signature_scheme,
+        signature: signature,
+        context: 'TLS 1.3, server CertificateVerify',
+        hash: hash
+      )
     end
     # @param nst [TTTLS13::Message::NewSessionTicket]
@@ -768,7 +761,7 @@ module TTTLS13
     def process_new_session_ticket(nst)
       super(nst)
-      rms = @key_schedule.resumption_master_secret
+      rms = @resumption_master_secret
       cs = @cipher_suite
       @settings[:process_new_session_ticket]&.call(nst, rms, cs)
     end