RubyGems - tttls1.3 - Versions diffs - 0.3.1 → 0.3.2 - Mend

tttls1.3 0.3.1 → 0.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (24) hide show

checksums.yaml +4 -4
data/Gemfile +1 -0
data/example/helper.rb +21 -0
data/example/https_client_using_0rtt.rb +1 -1
data/example/https_server.rb +14 -1
data/lib/tttls1.3/client.rb +205 -418
data/lib/tttls1.3/connection.rb +21 -362
data/lib/tttls1.3/ech.rb +410 -0
data/lib/tttls1.3/endpoint.rb +276 -0
data/lib/tttls1.3/message/certificate_verify.rb +1 -1
data/lib/tttls1.3/message/extension/ech.rb +12 -10
data/lib/tttls1.3/message/extension/signature_algorithms.rb +2 -2
data/lib/tttls1.3/message/extension/supported_versions.rb +3 -3
data/lib/tttls1.3/message/extension/unknown_extension.rb +2 -2
data/lib/tttls1.3/server.rb +125 -63
data/lib/tttls1.3/utils.rb +37 -0
data/lib/tttls1.3/version.rb +1 -1
data/lib/tttls1.3.rb +2 -1
data/spec/client_spec.rb +21 -60
data/spec/ech_spec.rb +39 -0
data/spec/{connection_spec.rb → endpoint_spec.rb} +41 -49
data/spec/server_spec.rb +12 -12
metadata +7 -6
data/lib/tttls1.3/hpke.rb +0 -91

data/lib/tttls1.3/client.rb CHANGED Viewed

@@ -58,8 +58,6 @@ module TTTLS13
     alpn: nil,
     process_new_session_ticket: nil,
     ticket: nil,
-    # @deprecated Please use `resumption_secret` instead
-    resumption_master_secret: nil,
     resumption_secret: nil,
     psk_cipher_suite: nil,
     ticket_nonce: nil,
@@ -80,36 +78,29 @@ module TTTLS13
   STANDARD_CLIENT_ECH_HPKE_SYMMETRIC_CIPHER_SUITES = [
     HpkeSymmetricCipherSuite.new(
       HpkeSymmetricCipherSuite::HpkeKdfId.new(
-        Hpke::KdfId::HKDF_SHA256
+        Ech::KdfId::HKDF_SHA256
       ),
       HpkeSymmetricCipherSuite::HpkeAeadId.new(
-        Hpke::AeadId::AES_128_GCM
+        Ech::AeadId::AES_128_GCM
       )
     )
   ].freeze
   # rubocop: disable Metrics/ClassLength
-  class Client < Connection
+  class Client
+    include Logging
     HpkeSymmetricCipherSuit = \
       ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite
+    attr_reader :transcript
     # @param socket [Socket]
     # @param hostname [String]
     # @param settings [Hash]
     def initialize(socket, hostname, **settings)
-      super(socket)
-      @endpoint = :client
+      @connection = Connection.new(socket, :client)
       @hostname = hostname
       @settings = DEFAULT_CLIENT_SETTINGS.merge(settings)
-      # NOTE: backward compatibility
-      if @settings[:resumption_secret].nil? &&
-         !@settings[:resumption_master_secret].nil?
-        @settings[:resumption_secret] =
-          @settings.delete(:resumption_master_secret) \
-      end
-      raise Error::ConfigError if @settings[:resumption_secret] !=
-                                  @settings[:resumption_master_secret]
       logger.level = @settings[:loglevel]
       @early_data = ''
@@ -159,7 +150,7 @@ module TTTLS13
     # rubocop: disable Metrics/MethodLength
     # rubocop: disable Metrics/PerceivedComplexity
     def connect
-      transcript = Transcript.new
+      @transcript = Transcript.new
       key_schedule = nil # TTTLS13::KeySchedule
       psk = nil
       priv_keys = {} # Hash of NamedGroup => OpenSSL::PKey::$Object
@@ -173,7 +164,7 @@ module TTTLS13
           psk: psk,
           shared_secret: nil,
           cipher_suite: @settings[:psk_cipher_suite],
-          transcript: transcript
+          transcript: @transcript
         )
       end
@@ -183,7 +174,7 @@ module TTTLS13
       sslkeylogfile = nil # TTTLS13::SslKeyLogFile::Writer
       ch1_outer = nil # TTTLS13::Message::ClientHello for rejected ECH
       ch_outer = nil # TTTLS13::Message::ClientHello for rejected ECH
-      ech_state = nil # TTTLS13::Client::EchState for ECH with HRR
+      ech_state = nil # TTTLS13::EchState for ECH with HRR
       unless @settings[:sslkeylogfile].nil?
         begin
           sslkeylogfile = SslKeyLogFile::Writer.new(@settings[:sslkeylogfile])
@@ -193,9 +184,9 @@ module TTTLS13
         end
       end
-      @state = ClientState::START
+      @connection.state = ClientState::START
       loop do
-        case @state
+        case @connection.state
         when ClientState::START
           logger.debug('ClientState::START')
@@ -205,76 +196,77 @@ module TTTLS13
           ch_outer = ch
           # use ClientHelloInner messages for the transcript hash
           ch = inner.nil? ? ch : inner
-          transcript[CH] = [ch, ch.serialize]
-          send_ccs if @settings[:compatibility_mode]
+          @transcript[CH] = [ch, ch.serialize]
+          @connection.send_ccs if @settings[:compatibility_mode]
           if use_early_data?
-            e_wcipher = gen_cipher(
+            e_wcipher = Endpoint.gen_cipher(
               @settings[:psk_cipher_suite],
               key_schedule.early_data_write_key,
               key_schedule.early_data_write_iv
             )
             sslkeylogfile&.write_client_early_traffic_secret(
-              transcript[CH].first.random,
+              @transcript[CH].first.random,
               key_schedule.client_early_traffic_secret
             )
             send_early_data(e_wcipher)
           end
-          @state = ClientState::WAIT_SH
+          @connection.state = ClientState::WAIT_SH
         when ClientState::WAIT_SH
           logger.debug('ClientState::WAIT_SH')
-          sh, = transcript[SH] = recv_server_hello
+          sh, = @transcript[SH] = recv_server_hello
           # downgrade protection
           if !sh.negotiated_tls_1_3? && sh.downgraded?
-            terminate(:illegal_parameter)
+            @connection.terminate(:illegal_parameter)
           # support only TLS 1.3
           elsif !sh.negotiated_tls_1_3?
-            terminate(:protocol_version)
+            @connection.terminate(:protocol_version)
           end
           # validate parameters
-          terminate(:illegal_parameter) \
+          @connection.terminate(:illegal_parameter) \
             unless sh.appearable_extensions?
-          terminate(:illegal_parameter) \
+          @connection.terminate(:illegal_parameter) \
             unless sh.legacy_compression_method == "\x00"
           # validate sh using ch
-          ch, = transcript[CH]
-          terminate(:illegal_parameter) \
+          ch, = @transcript[CH]
+          @connection.terminate(:illegal_parameter) \
             unless sh.legacy_version == ch.legacy_version
-          terminate(:illegal_parameter) \
+          @connection.terminate(:illegal_parameter) \
             unless sh.legacy_session_id_echo == ch.legacy_session_id
-          terminate(:illegal_parameter) \
+          @connection.terminate(:illegal_parameter) \
             unless ch.cipher_suites.include?(sh.cipher_suite)
-          terminate(:unsupported_extension) \
+          @connection.terminate(:unsupported_extension) \
             unless (sh.extensions.keys - ch.extensions.keys).empty?
           # validate sh using hrr
-          if transcript.include?(HRR)
-            hrr, = transcript[HRR]
-            terminate(:illegal_parameter) \
+          if @transcript.include?(HRR)
+            hrr, = @transcript[HRR]
+            @connection.terminate(:illegal_parameter) \
               unless sh.cipher_suite == hrr.cipher_suite
             sh_sv = sh.extensions[Message::ExtensionType::SUPPORTED_VERSIONS]
             hrr_sv = hrr.extensions[Message::ExtensionType::SUPPORTED_VERSIONS]
-            terminate(:illegal_parameter) \
+            @connection.terminate(:illegal_parameter) \
               unless sh_sv.versions == hrr_sv.versions
           end
           # handling HRR
           if sh.hrr?
-            terminate(:unexpected_message) if transcript.include?(HRR)
+            @connection.terminate(:unexpected_message) \
+              if @transcript.include?(HRR)
-            ch1, = transcript[CH1] = transcript.delete(CH)
-            hrr, = transcript[HRR] = transcript.delete(SH)
+            ch1, = @transcript[CH1] = @transcript.delete(CH)
+            hrr, = @transcript[HRR] = @transcript.delete(SH)
             ch1_outer = ch_outer
             ch_outer = nil
             # validate cookie
             diff_sets = sh.extensions.keys - ch1.extensions.keys
-            terminate(:unsupported_extension) \
+            @connection.terminate(:unsupported_extension) \
               unless (diff_sets - [Message::ExtensionType::COOKIE]).empty?
             # validate key_share
@@ -285,7 +277,7 @@ module TTTLS13
                      .key_share_entry
             group = hrr.extensions[Message::ExtensionType::KEY_SHARE]
                        .key_share_entry.first.group
-            terminate(:illegal_parameter) \
+            @connection.terminate(:illegal_parameter) \
               unless ngl.include?(group) && !kse.map(&:group).include?(group)
             # send new client_hello
@@ -302,9 +294,9 @@ module TTTLS13
             # use ClientHelloInner messages for the transcript hash
             ch_outer = ch
             ch = inner.nil? ? ch : inner
-            transcript[CH] = [ch, ch.serialize]
+            @transcript[CH] = [ch, ch.serialize]
-            @state = ClientState::WAIT_SH
+            @connection.state = ClientState::WAIT_SH
             next
           end
@@ -318,69 +310,70 @@ module TTTLS13
                     .key_share_entry.map(&:group)
           sh_ks = sh.extensions[Message::ExtensionType::KEY_SHARE]
                     .key_share_entry.first.group
-          terminate(:illegal_parameter) unless ch_ks.include?(sh_ks)
+          @connection.terminate(:illegal_parameter) unless ch_ks.include?(sh_ks)
           kse = sh.extensions[Message::ExtensionType::KEY_SHARE]
                   .key_share_entry.first
           ke = kse.key_exchange
           @named_group = kse.group
           priv_key = priv_keys[@named_group]
-          shared_secret = gen_shared_secret(ke, priv_key, @named_group)
+          shared_secret = Endpoint.gen_shared_secret(ke, priv_key, @named_group)
           @cipher_suite = sh.cipher_suite
           key_schedule = KeySchedule.new(
             psk: psk,
             shared_secret: shared_secret,
             cipher_suite: @cipher_suite,
-            transcript: transcript
+            transcript: @transcript
           )
           # rejected ECH
           # NOTE: It can compute (hrr_)accept_ech until client selects the
           # cipher_suite.
           if !sh.hrr? && use_ech?
-            if !transcript.include?(HRR) && !key_schedule.accept_ech?
+            if !@transcript.include?(HRR) && !key_schedule.accept_ech?
               # 1sh SH
-              transcript[CH] = [ch_outer, ch_outer.serialize]
+              @transcript[CH] = [ch_outer, ch_outer.serialize]
               @rejected_ech = true
-            elsif transcript.include?(HRR) &&
+            elsif @transcript.include?(HRR) &&
                   key_schedule.hrr_accept_ech? != key_schedule.accept_ech?
               # 2nd SH
-              terminate(:illegal_parameter)
-            elsif transcript.include?(HRR) && !key_schedule.hrr_accept_ech?
+              @connection.terminate(:illegal_parameter)
+            elsif @transcript.include?(HRR) && !key_schedule.hrr_accept_ech?
               # 2nd SH
-              transcript[CH1] = [ch1_outer, ch1_outer.serialize]
-              transcript[CH] = [ch_outer, ch_outer.serialize]
+              @transcript[CH1] = [ch1_outer, ch1_outer.serialize]
+              @transcript[CH] = [ch_outer, ch_outer.serialize]
               @rejected_ech = true
             end
           end
-          @alert_wcipher = hs_wcipher = gen_cipher(
+          @connection.alert_wcipher = hs_wcipher = Endpoint.gen_cipher(
             @cipher_suite,
             key_schedule.client_handshake_write_key,
             key_schedule.client_handshake_write_iv
           )
           sslkeylogfile&.write_client_handshake_traffic_secret(
-            transcript[CH].first.random,
+            @transcript[CH].first.random,
             key_schedule.client_handshake_traffic_secret
           )
-          hs_rcipher = gen_cipher(
+          hs_rcipher = Endpoint.gen_cipher(
             @cipher_suite,
             key_schedule.server_handshake_write_key,
             key_schedule.server_handshake_write_iv
           )
           sslkeylogfile&.write_server_handshake_traffic_secret(
-            transcript[CH].first.random,
+            @transcript[CH].first.random,
             key_schedule.server_handshake_traffic_secret
           )
-          @state = ClientState::WAIT_EE
+          @connection.state = ClientState::WAIT_EE
         when ClientState::WAIT_EE
           logger.debug('ClientState::WAIT_EE')
-          ee, = transcript[EE] = recv_encrypted_extensions(hs_rcipher)
-          terminate(:illegal_parameter) unless ee.appearable_extensions?
+          ee, = @transcript[EE] = recv_encrypted_extensions(hs_rcipher)
+          @connection.terminate(:illegal_parameter) \
+            unless ee.appearable_extensions?
-          ch, = transcript[CH]
-          terminate(:unsupported_extension) \
+          ch, = @transcript[CH]
+          @connection.terminate(:unsupported_extension) \
             unless (ee.extensions.keys - ch.extensions.keys).empty?
           rsl = ee.extensions[Message::ExtensionType::RECORD_SIZE_LIMIT]
@@ -393,118 +386,120 @@ module TTTLS13
           @retry_configs = ee.extensions[
             Message::ExtensionType::ENCRYPTED_CLIENT_HELLO
           ]&.retry_configs
-          terminate(:unsupported_extension) \
+          @connection.terminate(:unsupported_extension) \
             if !rejected_ech? && !@retry_configs.nil?
-          @state = ClientState::WAIT_CERT_CR
-          @state = ClientState::WAIT_FINISHED unless psk.nil?
+          @connection.state = ClientState::WAIT_CERT_CR
+          @connection.state = ClientState::WAIT_FINISHED unless psk.nil?
         when ClientState::WAIT_CERT_CR
           logger.debug('ClientState::WAIT_CERT_CR')
-          message, orig_msg = recv_message(
+          message, orig_msg = @connection.recv_message(
             receivable_ccs: true,
             cipher: hs_rcipher
           )
           case message.msg_type
           when Message::HandshakeType::CERTIFICATE,
                Message::HandshakeType::COMPRESSED_CERTIFICATE
-            ct, = transcript[CT] = [message, orig_msg]
-            terminate(:bad_certificate) \
+            ct, = @transcript[CT] = [message, orig_msg]
+            @connection.terminate(:bad_certificate) \
               if ct.is_a?(Message::CompressedCertificate) &&
                  !@settings[:compress_certificate_algorithms]
                  .include?(ct.algorithm)
             ct = ct.certificate_message \
               if ct.is_a?(Message::CompressedCertificate)
-            alert = check_invalid_certificate(ct, transcript[CH].first)
-            terminate(alert) unless alert.nil?
+            alert = check_invalid_certificate(ct, @transcript[CH].first)
+            @connection.terminate(alert) unless alert.nil?
-            @state = ClientState::WAIT_CV
+            @connection.state = ClientState::WAIT_CV
           when Message::HandshakeType::CERTIFICATE_REQUEST
-            transcript[CR] = [message, orig_msg]
+            @transcript[CR] = [message, orig_msg]
             # TODO: client authentication
-            @state = ClientState::WAIT_CERT
+            @connection.state = ClientState::WAIT_CERT
           else
-            terminate(:unexpected_message)
+            @connection.terminate(:unexpected_message)
           end
         when ClientState::WAIT_CERT
           logger.debug('ClientState::WAIT_CERT')
-          ct, = transcript[CT] = recv_certificate(hs_rcipher)
+          ct, = @transcript[CT] = recv_certificate(hs_rcipher)
           if ct.is_a?(Message::CompressedCertificate) &&
              !@settings[:compress_certificate_algorithms].include?(ct.algorithm)
-            terminate(:bad_certificate)
+            @connection.terminate(:bad_certificate)
           elsif ct.is_a?(Message::CompressedCertificate)
             ct = ct.certificate_message
           end
-          alert = check_invalid_certificate(ct, transcript[CH].first)
-          terminate(alert) unless alert.nil?
+          alert = check_invalid_certificate(ct, @transcript[CH].first)
+          @connection.terminate(alert) unless alert.nil?
-          @state = ClientState::WAIT_CV
+          @connection.state = ClientState::WAIT_CV
         when ClientState::WAIT_CV
           logger.debug('ClientState::WAIT_CV')
-          cv, = transcript[CV] = recv_certificate_verify(hs_rcipher)
+          cv, = @transcript[CV] = recv_certificate_verify(hs_rcipher)
           digest = CipherSuite.digest(@cipher_suite)
-          hash = transcript.hash(digest, CT)
-          ct, = transcript[CT]
+          hash = @transcript.hash(digest, CT)
+          ct, = @transcript[CT]
           ct = ct.certificate_message \
             if ct.is_a?(Message::CompressedCertificate)
-          terminate(:decrypt_error) \
+          @connection.terminate(:decrypt_error) \
             unless verified_certificate_verify?(ct, cv, hash)
           @signature_scheme = cv.signature_scheme
-          @state = ClientState::WAIT_FINISHED
+          @connection.state = ClientState::WAIT_FINISHED
         when ClientState::WAIT_FINISHED
           logger.debug('ClientState::WAIT_FINISHED')
-          sf, = transcript[SF] = recv_finished(hs_rcipher)
+          sf, = @transcript[SF] = recv_finished(hs_rcipher)
           digest = CipherSuite.digest(@cipher_suite)
-          terminate(:decrypt_error) unless verified_finished?(
-            finished: sf,
-            digest: digest,
-            finished_key: key_schedule.server_finished_key,
-            hash: transcript.hash(digest, CV)
-          )
+          @connection.terminate(:decrypt_error) \
+            unless Endpoint.verified_finished?(
+              finished: sf,
+              digest: digest,
+              finished_key: key_schedule.server_finished_key,
+              hash: @transcript.hash(digest, CV)
+            )
           if use_early_data? && succeed_early_data?
             eoed = send_eoed(e_wcipher)
-            transcript[EOED] = [eoed, eoed.serialize]
+            @transcript[EOED] = [eoed, eoed.serialize]
           end
           # TODO: Send Certificate [+ CertificateVerify]
-          signature = sign_finished(
+          signature = Endpoint.sign_finished(
             digest: digest,
             finished_key: key_schedule.client_finished_key,
-            hash: transcript.hash(digest, EOED)
+            hash: @transcript.hash(digest, EOED)
           )
           cf = send_finished(signature, hs_wcipher)
-          transcript[CF] = [cf, cf.serialize]
-          @alert_wcipher = @ap_wcipher = gen_cipher(
+          @transcript[CF] = [cf, cf.serialize]
+          @connection.ap_wcipher = Endpoint.gen_cipher(
             @cipher_suite,
             key_schedule.client_application_write_key,
             key_schedule.client_application_write_iv
           )
+          @connection.alert_wcipher = @connection.ap_wcipher
           sslkeylogfile&.write_client_traffic_secret_0(
-            transcript[CH].first.random,
+            @transcript[CH].first.random,
             key_schedule.client_application_traffic_secret
           )
-          @ap_rcipher = gen_cipher(
+          @connection.ap_rcipher = Endpoint.gen_cipher(
             @cipher_suite,
             key_schedule.server_application_write_key,
             key_schedule.server_application_write_iv
           )
           sslkeylogfile&.write_server_traffic_secret_0(
-            transcript[CH].first.random,
+            @transcript[CH].first.random,
             key_schedule.server_application_traffic_secret
           )
           @exporter_secret = key_schedule.exporter_secret
           @resumption_secret = key_schedule.resumption_secret
-          @state = ClientState::CONNECTED
+          @connection.state = ClientState::CONNECTED
         when ClientState::CONNECTED
           logger.debug('ClientState::CONNECTED')
-          send_alert(:ech_required) \
+          @connection.send_alert(:ech_required) \
             if use_ech? && (!@retry_configs.nil? && !@retry_configs.empty?)
           break
         end
@@ -517,6 +512,14 @@ module TTTLS13
     # rubocop: enable Metrics/MethodLength
     # rubocop: enable Metrics/PerceivedComplexity
+    # @raise [TTTLS13::Error::ConfigError]
+    #
+    # @return [String]
+    def read
+      nst_process = method(:process_new_session_ticket)
+      @connection.read(nst_process)
+    end
     # @param binary [String]
     def write(binary)
       # the client can regard ECH as securely disabled by the server, and it
@@ -528,14 +531,55 @@ module TTTLS13
         return
       end
-      super(binary)
+      @connection.write(binary)
+    end
+    # return [Boolean]
+    def eof?
+      @connection.eof?
+    end
+    def close
+      @connection.close
+    end
+    # @return [TTTLS13::CipherSuite, nil]
+    def negotiated_cipher_suite
+      @cipher_suite
+    end
+    # @return [TTTLS13::NamedGroup, nil]
+    def negotiated_named_group
+      @named_group
+    end
+    # @return [TTTLS13::SignatureScheme, nil]
+    def negotiated_signature_scheme
+      @signature_scheme
+    end
+    # @return [String]
+    def negotiated_alpn
+      @alpn
+    end
+    # @param label [String]
+    # @param context [String]
+    # @param key_length [Integer]
+    #
+    # @return [String, nil]
+    def exporter(label, context, key_length)
+      return nil if @exporter_secret.nil? || @cipher_suite.nil?
+      digest = CipherSuite.digest(@cipher_suite)
+      Endpoint.exporter(@exporter_secret, digest, label, context, key_length)
     end
     # @param binary [String]
     #
     # @raise [TTTLS13::Error::ConfigError]
     def early_data(binary)
-      raise Error::ConfigError unless @state == INITIAL && use_psk?
+      raise Error::ConfigError unless @connection.state == INITIAL && use_psk?
       @early_data = binary
     end
@@ -677,7 +721,7 @@ module TTTLS13
         messages: [ap],
         cipher: cipher
       )
-      send_record(ap_record)
+      @connection.send_record(ap_record)
     end
     # @param resumption_secret [String]
@@ -768,7 +812,7 @@ module TTTLS13
     #
     # @return [TTTLS13::Message::ClientHello] outer
     # @return [TTTLS13::Message::ClientHello] inner
-    # @return [TTTLS13::Client::EchState]
+    # @return [TTTLS13::EchState]
     # rubocop: disable Metrics/MethodLength
     def send_client_hello(extensions, binder_key = nil)
       ch = Message::ClientHello.new(
@@ -783,7 +827,11 @@ module TTTLS13
         inner_ech = Message::Extension::ECHClientHello.new_inner
         inner.extensions[Message::ExtensionType::ENCRYPTED_CLIENT_HELLO] \
           = inner_ech
-        ch, inner, ech_state = offer_ech(inner, @settings[:ech_config])
+        ch, inner, ech_state = Ech.offer_ech(
+          inner,
+          @settings[:ech_config],
+          method(:select_ech_hpke_cipher_suite)
+        )
       end
       # psk_key_exchange_modes
@@ -814,8 +862,8 @@ module TTTLS13
         end
       end
-      send_handshakes(Message::ContentType::HANDSHAKE, [ch],
-                      Cryptograph::Passer.new)
+      @connection.send_handshakes(Message::ContentType::HANDSHAKE, [ch],
+                                  Cryptograph::Passer.new)
       [ch, inner, ech_state]
     end
@@ -850,7 +898,7 @@ module TTTLS13
       )
       ch.extensions[Message::ExtensionType::PRE_SHARED_KEY] = psk
-      psk.offered_psks.binders[0] = do_sign_psk_binder(
+      psk.offered_psks.binders[0] = Endpoint.sign_psk_binder(
         ch1: ch1,
         hrr: hrr,
         ch: ch,
@@ -900,7 +948,7 @@ module TTTLS13
       )
       ch_outer.extensions[Message::ExtensionType::PRE_SHARED_KEY] = psk
-      psk.offered_psks.binders[0] = do_sign_psk_binder(
+      psk.offered_psks.binders[0] = Endpoint.sign_psk_binder(
         ch1: ch1,
         hrr: hrr,
         ch: ch_outer,
@@ -909,209 +957,6 @@ module TTTLS13
       )
     end
-    # @param inner [TTTLS13::Message::ClientHello]
-    # @param ech_config [ECHConfig]
-    #
-    # @return [TTTLS13::Message::ClientHello]
-    # @return [TTTLS13::Message::ClientHello]
-    # @return [TTTLS13::Client::EchState]
-    # rubocop: disable Metrics/AbcSize
-    # rubocop: disable Metrics/MethodLength
-    def offer_ech(inner, ech_config)
-      return [new_greased_ch(inner, new_grease_ech), nil, nil] \
-        if ech_config.nil? ||
-           !SUPPORTED_ECHCONFIG_VERSIONS.include?(ech_config.version)
-      # Encrypted ClientHello Configuration
-      public_name = ech_config.echconfig_contents.public_name
-      key_config = ech_config.echconfig_contents.key_config
-      public_key = key_config.public_key.opaque
-      kem_id = key_config&.kem_id&.uint16
-      config_id = key_config.config_id
-      cipher_suite = select_ech_hpke_cipher_suite(key_config)
-      overhead_len = Hpke.aead_id2overhead_len(cipher_suite&.aead_id&.uint16)
-      aead_cipher = Hpke.aead_id2aead_cipher(cipher_suite&.aead_id&.uint16)
-      kdf_hash = Hpke.kdf_id2kdf_hash(cipher_suite&.kdf_id&.uint16)
-      return [new_greased_ch(inner, new_grease_ech), nil, nil] \
-        if [kem_id, overhead_len, aead_cipher, kdf_hash].any?(&:nil?)
-      kem_curve_name, kem_hash = Hpke.kem_id2dhkem(kem_id)
-      dhkem = Hpke.kem_curve_name2dhkem(kem_curve_name)
-      pkr = dhkem&.new(kem_hash)&.deserialize_public_key(public_key)
-      return [new_greased_ch(inner, new_grease_ech), nil, nil] if pkr.nil?
-      hpke = HPKE.new(kem_curve_name, kem_hash, kdf_hash, aead_cipher)
-      base_s = hpke.setup_base_s(pkr, "tls ech\x00" + ech_config.encode)
-      enc = base_s[:enc]
-      ctx = base_s[:context_s]
-      mnl = ech_config.echconfig_contents.maximum_name_length
-      encoded = encode_ch_inner(inner, mnl)
-      # Encoding the ClientHelloInner
-      aad = new_ch_outer_aad(
-        inner,
-        cipher_suite,
-        config_id,
-        enc,
-        encoded.length + overhead_len,
-        public_name
-      )
-      # Authenticating the ClientHelloOuter
-      # which does not include the Handshake structure's four byte header.
-      outer = new_ch_outer(
-        aad,
-        cipher_suite,
-        config_id,
-        enc,
-        ctx.seal(aad.serialize[4..], encoded)
-      )
-      ech_state = EchState.new(mnl, config_id, cipher_suite, public_name, ctx)
-      [outer, inner, ech_state]
-    end
-    # rubocop: enable Metrics/AbcSize
-    # rubocop: enable Metrics/MethodLength
-    # @param inner [TTTLS13::Message::ClientHello]
-    # @param ech_state [TTTLS13::Client::EchState]
-    #
-    # @return [TTTLS13::Message::ClientHello]
-    # @return [TTTLS13::Message::ClientHello]
-    def offer_new_ech(inner, ech_state)
-      encoded = encode_ch_inner(inner, ech_state.maximum_name_length)
-      overhead_len \
-        = Hpke.aead_id2overhead_len(ech_state.cipher_suite.aead_id.uint16)
-      # It encrypts EncodedClientHelloInner as described in Section 6.1.1, using
-      # the second partial ClientHelloOuterAAD, to obtain a second
-      # ClientHelloOuter. It reuses the original HPKE encryption context
-      # computed in Section 6.1 and uses the empty string for enc.
-      #
-      # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-17#section-6.1.5-4.4.1
-      aad = new_ch_outer_aad(
-        inner,
-        ech_state.cipher_suite,
-        ech_state.config_id,
-        '',
-        encoded.length + overhead_len,
-        ech_state.public_name
-      )
-      # Authenticating the ClientHelloOuter
-      # which does not include the Handshake structure's four byte header.
-      outer = new_ch_outer(
-        aad,
-        ech_state.cipher_suite,
-        ech_state.config_id,
-        '',
-        ech_state.ctx.seal(aad.serialize[4..], encoded)
-      )
-      [outer, inner]
-    end
-    # @param inner [TTTLS13::Message::ClientHello]
-    # @param maximum_name_length [Integer]
-    #
-    # @return [String] EncodedClientHelloInner
-    def encode_ch_inner(inner, maximum_name_length)
-      # TODO: ech_outer_extensions
-      encoded = Message::ClientHello.new(
-        legacy_version: inner.legacy_version,
-        random: inner.random,
-        legacy_session_id: '',
-        cipher_suites: inner.cipher_suites,
-        legacy_compression_methods: inner.legacy_compression_methods,
-        extensions: inner.extensions
-      )
-      server_name_length = \
-        inner.extensions[Message::ExtensionType::SERVER_NAME].server_name.length
-      # which does not include the Handshake structure's four byte header.
-      padding_encoded_ch_inner(
-        encoded.serialize[4..],
-        server_name_length,
-        maximum_name_length
-      )
-    end
-    # @param s [String]
-    # @param server_name_length [Integer]
-    # @param maximum_name_length [Integer]
-    #
-    # @return [String]
-    def padding_encoded_ch_inner(s, server_name_length, maximum_name_length)
-      padding_len =
-        if server_name_length.positive?
-          [maximum_name_length - server_name_length, 0].max
-        else
-          9 + maximum_name_length
-        end
-      padding_len = 31 - ((s.length + padding_len - 1) % 32)
-      s + padding_len.zeros
-    end
-    # @param inner [TTTLS13::Message::ClientHello]
-    # @param cipher_suite [HpkeSymmetricCipherSuite]
-    # @param config_id [Integer]
-    # @param enc [String]
-    # @param payload_len [Integer]
-    # @param server_name [String]
-    #
-    # @return [TTTLS13::Message::ClientHello]
-    # rubocop: disable Metrics/ParameterLists
-    def new_ch_outer_aad(inner,
-                         cipher_suite,
-                         config_id,
-                         enc,
-                         payload_len,
-                         server_name)
-      aad_ech = Message::Extension::ECHClientHello.new_outer(
-        cipher_suite: cipher_suite,
-        config_id: config_id,
-        enc: enc,
-        payload: payload_len.zeros
-      )
-      Message::ClientHello.new(
-        legacy_version: inner.legacy_version,
-        legacy_session_id: inner.legacy_session_id,
-        cipher_suites: inner.cipher_suites,
-        legacy_compression_methods: inner.legacy_compression_methods,
-        extensions: inner.extensions.merge(
-          Message::ExtensionType::ENCRYPTED_CLIENT_HELLO => aad_ech,
-          Message::ExtensionType::SERVER_NAME => \
-            Message::Extension::ServerName.new(server_name)
-        )
-      )
-    end
-    # rubocop: enable Metrics/ParameterLists
-    # @param aad [TTTLS13::Message::ClientHello]
-    # @param cipher_suite [HpkeSymmetricCipherSuite]
-    # @param config_id [Integer]
-    # @param enc [String]
-    # @param payload [String]
-    #
-    # @return [TTTLS13::Message::ClientHello]
-    def new_ch_outer(aad, cipher_suite, config_id, enc, payload)
-      outer_ech = Message::Extension::ECHClientHello.new_outer(
-        cipher_suite: cipher_suite,
-        config_id: config_id,
-        enc: enc,
-        payload: payload
-      )
-      Message::ClientHello.new(
-        legacy_version: aad.legacy_version,
-        random: aad.random,
-        legacy_session_id: aad.legacy_session_id,
-        cipher_suites: aad.cipher_suites,
-        legacy_compression_methods: aad.legacy_compression_methods,
-        extensions: aad.extensions.merge(
-          Message::ExtensionType::ENCRYPTED_CLIENT_HELLO => outer_ech
-        )
-      )
-    end
     # @param conf [HpkeKeyConfig]
     #
     # @return [HpkeSymmetricCipherSuite, nil]
@@ -1121,63 +966,6 @@ module TTTLS13
       end
     end
-    # @return [Message::Extension::ECHClientHello]
-    def new_grease_ech
-      # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-17#name-compliance-requirements
-      cipher_suite = HpkeSymmetricCipherSuite.new(
-        HpkeSymmetricCipherSuite::HpkeKdfId.new(
-          TTTLS13::Hpke::KdfId::HKDF_SHA256
-        ),
-        HpkeSymmetricCipherSuite::HpkeAeadId.new(
-          TTTLS13::Hpke::AeadId::AES_128_GCM
-        )
-      )
-      # Set the enc field to a randomly-generated valid encapsulated public key
-      # output by the HPKE KEM.
-      #
-      # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-17#section-6.2-2.3.1
-      public_key = OpenSSL::PKey.read(
-        OpenSSL::PKey.generate_key('X25519').public_to_pem
-      )
-      hpke = HPKE.new(:x25519, :sha256, :sha256, :aes_128_gcm)
-      enc = hpke.setup_base_s(public_key, '')[:enc]
-      # Set the payload field to a randomly-generated string of L+C bytes, where
-      # C is the ciphertext expansion of the selected AEAD scheme and L is the
-      # size of the EncodedClientHelloInner the client would compute when
-      # offering ECH, padded according to Section 6.1.3.
-      #
-      # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-17#section-6.2-2.4.1
-      payload_len = placeholder_encoded_ch_inner_len \
-                    + Hpke.aead_id2overhead_len(Hpke::AeadId::AES_128_GCM)
-      Message::Extension::ECHClientHello.new_outer(
-        cipher_suite: cipher_suite,
-        config_id: Convert.bin2i(OpenSSL::Random.random_bytes(1)),
-        enc: enc,
-        payload: OpenSSL::Random.random_bytes(payload_len)
-      )
-    end
-    # @return [Integer]
-    def placeholder_encoded_ch_inner_len
-      448
-    end
-    # @param inner [TTTLS13::Message::ClientHello]
-    # @param ech [Message::Extension::ECHClientHello]
-    def new_greased_ch(inner, ech)
-      Message::ClientHello.new(
-        legacy_version: inner.legacy_version,
-        random: inner.random,
-        legacy_session_id: inner.legacy_session_id,
-        cipher_suites: inner.cipher_suites,
-        legacy_compression_methods: inner.legacy_compression_methods,
-        extensions: inner.extensions.merge(
-          Message::ExtensionType::ENCRYPTED_CLIENT_HELLO => ech
-        )
-      )
-    end
     # @return [Integer]
     def calc_obfuscated_ticket_age
       # the "ticket_lifetime" field in the NewSessionTicket message is
@@ -1227,7 +1015,7 @@ module TTTLS13
     # @param hrr [TTTLS13::Message::ServerHello]
     # @param extensions [TTTLS13::Message::Extensions]
     # @param binder_key [String, nil]
-    # @param ech_state [TTTLS13::Client::EchState]
+    # @param ech_state [TTTLS13::EchState]
     #
     # @return [TTTLS13::Message::ClientHello] outer
     # @return [TTTLS13::Message::ClientHello] inner
@@ -1258,7 +1046,7 @@ module TTTLS13
         ch.extensions[Message::ExtensionType::ENCRYPTED_CLIENT_HELLO] \
           = ch1.extensions[Message::ExtensionType::ENCRYPTED_CLIENT_HELLO]
       elsif use_ech?
-        ch, inner = offer_new_ech(ch, ech_state)
+        ch, inner = Ech.offer_new_ech(ch, ech_state)
       end
       # pre_shared_key
@@ -1286,8 +1074,8 @@ module TTTLS13
         end
       end
-      send_handshakes(Message::ContentType::HANDSHAKE, [ch],
-                      Cryptograph::Passer.new)
+      @connection.send_handshakes(Message::ContentType::HANDSHAKE, [ch],
+                                  Cryptograph::Passer.new)
       [ch, inner]
     end
@@ -1299,11 +1087,12 @@ module TTTLS13
     # @return [TTTLS13::Message::ServerHello]
     # @return [String]
     def recv_server_hello
-      sh, orig_msg = recv_message(
+      sh, orig_msg = @connection.recv_message(
         receivable_ccs: true,
         cipher: Cryptograph::Passer.new
       )
-      terminate(:unexpected_message) unless sh.is_a?(Message::ServerHello)
+      @connection.terminate(:unexpected_message) \
+        unless sh.is_a?(Message::ServerHello)
       [sh, orig_msg]
     end
@@ -1315,8 +1104,9 @@ module TTTLS13
     # @return [TTTLS13::Message::EncryptedExtensions]
     # @return [String]
     def recv_encrypted_extensions(cipher)
-      ee, orig_msg = recv_message(receivable_ccs: true, cipher: cipher)
-      terminate(:unexpected_message) \
+      ee, orig_msg \
+        = @connection.recv_message(receivable_ccs: true, cipher: cipher)
+      @connection.terminate(:unexpected_message) \
         unless ee.is_a?(Message::EncryptedExtensions)
       [ee, orig_msg]
@@ -1329,8 +1119,10 @@ module TTTLS13
     # @return [TTTLS13::Message::Certificate]
     # @return [String]
     def recv_certificate(cipher)
-      ct, orig_msg = recv_message(receivable_ccs: true, cipher: cipher)
-      terminate(:unexpected_message) unless ct.is_a?(Message::Certificate)
+      ct, orig_msg \
+        = @connection.recv_message(receivable_ccs: true, cipher: cipher)
+      @connection.terminate(:unexpected_message) \
+        unless ct.is_a?(Message::Certificate)
       [ct, orig_msg]
     end
@@ -1342,8 +1134,10 @@ module TTTLS13
     # @return [TTTLS13::Message::CertificateVerify]
     # @return [String]
     def recv_certificate_verify(cipher)
-      cv, orig_msg = recv_message(receivable_ccs: true, cipher: cipher)
-      terminate(:unexpected_message) unless cv.is_a?(Message::CertificateVerify)
+      cv, orig_msg \
+        = @connection.recv_message(receivable_ccs: true, cipher: cipher)
+      @connection.terminate(:unexpected_message) \
+        unless cv.is_a?(Message::CertificateVerify)
       [cv, orig_msg]
     end
@@ -1355,8 +1149,10 @@ module TTTLS13
     # @return [TTTLS13::Message::Finished]
     # @return [String]
     def recv_finished(cipher)
-      sf, orig_msg = recv_message(receivable_ccs: true, cipher: cipher)
-      terminate(:unexpected_message) unless sf.is_a?(Message::Finished)
+      sf, orig_msg \
+        = @connection.recv_message(receivable_ccs: true, cipher: cipher)
+      @connection.terminate(:unexpected_message) \
+        unless sf.is_a?(Message::Finished)
       [sf, orig_msg]
     end
@@ -1366,7 +1162,11 @@ module TTTLS13
     # @return [TTTLS13::Message::Finished]
     def send_finished(signature, cipher)
       cf = Message::Finished.new(signature)
-      send_handshakes(Message::ContentType::APPLICATION_DATA, [cf], cipher)
+      @connection.send_handshakes(
+        Message::ContentType::APPLICATION_DATA,
+        [cf],
+        cipher
+      )
       cf
     end
@@ -1376,7 +1176,11 @@ module TTTLS13
     # @return [TTTLS13::Message::EndOfEarlyData]
     def send_eoed(cipher)
       eoed = Message::EndOfEarlyData.new
-      send_handshakes(Message::ContentType::APPLICATION_DATA, [eoed], cipher)
+      @connection.send_handshakes(
+        Message::ContentType::APPLICATION_DATA,
+        [eoed],
+        cipher
+      )
       eoed
     end
@@ -1392,7 +1196,7 @@ module TTTLS13
         unless ct.certificate_list.map(&:extensions)
                  .all? { |e| (e.keys - ch.extensions.keys).empty? }
-      return :certificate_unknown unless trusted_certificate?(
+      return :certificate_unknown unless Endpoint.trusted_certificate?(
         ct.certificate_list,
         @settings[:ca_file],
         @hostname
@@ -1421,7 +1225,7 @@ module TTTLS13
       signature_scheme = cv.signature_scheme
       signature = cv.signature
-      do_verified_certificate_verify?(
+      Endpoint.verified_certificate_verify?(
         public_key: public_key,
         signature_scheme: signature_scheme,
         signature: signature,
@@ -1443,36 +1247,19 @@ module TTTLS13
     #
     # @raise [TTTLS13::Error::ErrorAlerts]
     def process_new_session_ticket(nst)
-      super(nst)
       rms = @resumption_secret
       cs = @cipher_suite
       @settings[:process_new_session_ticket]&.call(nst, rms, cs)
     end
-    class EchState
-      attr_accessor :maximum_name_length
-      attr_accessor :config_id
-      attr_accessor :cipher_suite
-      attr_accessor :public_name
-      attr_accessor :ctx
-      # @param maximum_name_length [Integer]
-      # @param config_id [Integer]
-      # @param cipher_suite [HpkeSymmetricCipherSuite]
-      # @param public_name [String]
-      # @param ctx [[HPKE::ContextS]
-      def initialize(maximum_name_length,
-                     config_id,
-                     cipher_suite,
-                     public_name,
-                     ctx)
-        @maximum_name_length = maximum_name_length
-        @config_id = config_id
-        @cipher_suite = cipher_suite
-        @public_name = public_name
-        @ctx = ctx
-      end
+    # @param cid [OpenSSL::OCSP::CertificateId]
+    #
+    # @return [OpenSSL::OCSP::Request]
+    def gen_ocsp_request(cid)
+      ocsp_request = OpenSSL::OCSP::Request.new
+      ocsp_request.add_certid(cid)
+      ocsp_request.add_nonce
+      ocsp_request
     end
   end
   # rubocop: enable Metrics/ClassLength