RubyGems - tttls1.3 - Versions diffs - 0.3.1 → 0.3.2 - Mend

tttls1.3 0.3.1 → 0.3.2

Files changed (24) hide show

checksums.yaml +4 -4
data/Gemfile +1 -0
data/example/helper.rb +21 -0
data/example/https_client_using_0rtt.rb +1 -1
data/example/https_server.rb +14 -1
data/lib/tttls1.3/client.rb +205 -418
data/lib/tttls1.3/connection.rb +21 -362
data/lib/tttls1.3/ech.rb +410 -0
data/lib/tttls1.3/endpoint.rb +276 -0
data/lib/tttls1.3/message/certificate_verify.rb +1 -1
data/lib/tttls1.3/message/extension/ech.rb +12 -10
data/lib/tttls1.3/message/extension/signature_algorithms.rb +2 -2
data/lib/tttls1.3/message/extension/supported_versions.rb +3 -3
data/lib/tttls1.3/message/extension/unknown_extension.rb +2 -2
data/lib/tttls1.3/server.rb +125 -63
data/lib/tttls1.3/utils.rb +37 -0
data/lib/tttls1.3/version.rb +1 -1
data/lib/tttls1.3.rb +2 -1
data/spec/client_spec.rb +21 -60
data/spec/ech_spec.rb +39 -0
data/spec/{connection_spec.rb → endpoint_spec.rb} +41 -49
data/spec/server_spec.rb +12 -12
metadata +7 -6
data/lib/tttls1.3/hpke.rb +0 -91

data/lib/tttls1.3/client.rb CHANGED Viewed

@@ -58,8 +58,6 @@ module TTTLS13
     alpn: nil,
     process_new_session_ticket: nil,
     ticket: nil,
-    # @deprecated Please use `resumption_secret` instead
-    resumption_master_secret: nil,
     resumption_secret: nil,
     psk_cipher_suite: nil,
     ticket_nonce: nil,
@@ -80,36 +78,29 @@ module TTTLS13
   STANDARD_CLIENT_ECH_HPKE_SYMMETRIC_CIPHER_SUITES = [
     HpkeSymmetricCipherSuite.new(
       HpkeSymmetricCipherSuite::HpkeKdfId.new(
-        Hpke::KdfId::HKDF_SHA256
+        Ech::KdfId::HKDF_SHA256
       ),
       HpkeSymmetricCipherSuite::HpkeAeadId.new(
-        Hpke::AeadId::AES_128_GCM
+        Ech::AeadId::AES_128_GCM
       )
     )
   ].freeze
   # rubocop: disable Metrics/ClassLength
-  class Client < Connection
+  class Client
+    include Logging
     HpkeSymmetricCipherSuit = \
       ECHConfig::ECHConfigContents::HpkeKeyConfig::HpkeSymmetricCipherSuite
+    attr_reader :transcript
     # @param socket [Socket]
     # @param hostname [String]
     # @param settings [Hash]
     def initialize(socket, hostname, **settings)
-      super(socket)
-      @endpoint = :client
+      @connection = Connection.new(socket, :client)
       @hostname = hostname
       @settings = DEFAULT_CLIENT_SETTINGS.merge(settings)
-      # NOTE: backward compatibility
-      if @settings[:resumption_secret].nil? &&
-         !@settings[:resumption_master_secret].nil?
-        @settings[:resumption_secret] =
-          @settings.delete(:resumption_master_secret) \
-      end
-      raise Error::ConfigError if @settings[:resumption_secret] !=
-                                  @settings[:resumption_master_secret]
       logger.level = @settings[:loglevel]
       @early_data = ''
@@ -159,7 +150,7 @@ module TTTLS13
     # rubocop: disable Metrics/MethodLength
     # rubocop: disable Metrics/PerceivedComplexity
     def connect
-      transcript = Transcript.new
+      @transcript = Transcript.new
       key_schedule = nil # TTTLS13::KeySchedule
       psk = nil
       priv_keys = {} # Hash of NamedGroup => OpenSSL::PKey::$Object
@@ -173,7 +164,7 @@ module TTTLS13
           psk: psk,
           shared_secret: nil,
           cipher_suite: @settings[:psk_cipher_suite],
-          transcript: transcript
+          transcript: @transcript
         )
       end
@@ -183,7 +174,7 @@ module TTTLS13
       sslkeylogfile = nil # TTTLS13::SslKeyLogFile::Writer
       ch1_outer = nil # TTTLS13::Message::ClientHello for rejected ECH
       ch_outer = nil # TTTLS13::Message::ClientHello for rejected ECH
-      ech_state = nil # TTTLS13::Client::EchState for ECH with HRR
+      ech_state = nil # TTTLS13::EchState for ECH with HRR
       unless @settings[:sslkeylogfile].nil?
         begin
           sslkeylogfile = SslKeyLogFile::Writer.new(@settings[:sslkeylogfile])
@@ -193,9 +184,9 @@ module TTTLS13
         end
       end
-      @state = ClientState::START
+      @connection.state = ClientState::START
       loop do
-        case @state
+        case @connection.state
         when ClientState::START
           logger.debug('ClientState::START')
@@ -205,76 +196,77 @@ module TTTLS13
           ch_outer = ch
           # use ClientHelloInner messages for the transcript hash
           ch = inner.nil? ? ch : inner
-          transcript[CH] = [ch, ch.serialize]
-          send_ccs if @settings[:compatibility_mode]
+          @transcript[CH] = [ch, ch.serialize]
+          @connection.send_ccs if @settings[:compatibility_mode]
           if use_early_data?
-            e_wcipher = gen_cipher(
+            e_wcipher = Endpoint.gen_cipher(
               @settings[:psk_cipher_suite],
               key_schedule.early_data_write_key,
               key_schedule.early_data_write_iv
             )
             sslkeylogfile&.write_client_early_traffic_secret(
-              transcript[CH].first.random,
+              @transcript[CH].first.random,
               key_schedule.client_early_traffic_secret
             )
             send_early_data(e_wcipher)
           end
-          @state = ClientState::WAIT_SH
+          @connection.state = ClientState::WAIT_SH
         when ClientState::WAIT_SH
           logger.debug('ClientState::WAIT_SH')
-          sh, = transcript[SH] = recv_server_hello
+          sh, = @transcript[SH] = recv_server_hello
           # downgrade protection
           if !sh.negotiated_tls_1_3? && sh.downgraded?
-            terminate(:illegal_parameter)
+            @connection.terminate(:illegal_parameter)
           # support only TLS 1.3
           elsif !sh.negotiated_tls_1_3?
-            terminate(:protocol_version)
+            @connection.terminate(:protocol_version)
           end
           # validate parameters
-          terminate(:illegal_parameter) \
+          @connection.terminate(:illegal_parameter) \
             unless sh.appearable_extensions?
-          terminate(:illegal_parameter) \
+          @connection.terminate(:illegal_parameter) \
             unless sh.legacy_compression_method == "\x00"
           # validate sh using ch
-          ch, = transcript[CH]
-          terminate(:illegal_parameter) \
+          ch, = @transcript[CH]
+          @connection.terminate(:illegal_parameter) \
             unless sh.legacy_version == ch.legacy_version
-          terminate(:illegal_parameter) \
+          @connection.terminate(:illegal_parameter) \
             unless sh.legacy_session_id_echo == ch.legacy_session_id
-          terminate(:illegal_parameter) \
+          @connection.terminate(:illegal_parameter) \
             unless ch.cipher_suites.include?(sh.cipher_suite)
-          terminate(:unsupported_extension) \
+          @connection.terminate(:unsupported_extension) \
             unless (sh.extensions.keys - ch.extensions.keys).empty?
           # validate sh using hrr
-          if transcript.include?(HRR)
-            hrr, = transcript[HRR]
-            terminate(:illegal_parameter) \
+          if @transcript.include?(HRR)
+            hrr, = @transcript[HRR]
+            @connection.terminate(:illegal_parameter) \
               unless sh.cipher_suite == hrr.cipher_suite
             sh_sv = sh.extensions[Message::ExtensionType::SUPPORTED_VERSIONS]
             hrr_sv = hrr.extensions[Message::ExtensionType::SUPPORTED_VERSIONS]
-            terminate(:illegal_parameter) \
+            @connection.terminate(:illegal_parameter) \
               unless sh_sv.versions == hrr_sv.versions
           end
           # handling HRR
           if sh.hrr?
-            terminate(:unexpected_message) if transcript.include?(HRR)
+            @connection.terminate(:unexpected_message) \
+              if @transcript.include?(HRR)
-            ch1, = transcript[CH1] = transcript.delete(CH)
-            hrr, = transcript[HRR] = transcript.delete(SH)
+            ch1, = @transcript[CH1] = @transcript.delete(CH)
+            hrr, = @transcript[HRR] = @transcript.delete(SH)
             ch1_outer = ch_outer
             ch_outer = nil
             # validate cookie
             diff_sets = sh.extensions.keys - ch1.extensions.keys
-            terminate(:unsupported_extension) \
+            @connection.terminate(:unsupported_extension) \
               unless (diff_sets - [Message::ExtensionType::COOKIE]).empty?
             # validate key_share
@@ -285,7 +277,7 @@ module TTTLS13
                      .key_share_entry
             group = hrr.extensions[Message::ExtensionType::KEY_SHARE]
                        .key_share_entry.first.group
-            terminate(:illegal_parameter) \
+            @connection.terminate(:illegal_parameter) \
               unless ngl.include?(group) && !kse.map(&:group).include?(group)
             # send new client_hello
@@ -302,9 +294,9 @@ module TTTLS13
             # use ClientHelloInner messages for the transcript hash
             ch_outer = ch
             ch = inner.nil? ? ch : inner
-            transcript[CH] = [ch, ch.serialize]
+            @transcript[CH] = [ch, ch.serialize]
-            @state = ClientState::WAIT_SH
+            @connection.state = ClientState::WAIT_SH
             next
           end
@@ -318,69 +310,70 @@ module TTTLS13
                     .key_share_entry.map(&:group)
           sh_ks = sh.extensions[Message::ExtensionType::KEY_SHARE]
                     .key_share_entry.first.group
-          terminate(:illegal_parameter) unless ch_ks.include?(sh_ks)
+          @connection.terminate(:illegal_parameter) unless ch_ks.include?(sh_ks)
           kse = sh.extensions[Message::ExtensionType::KEY_SHARE]
                   .key_share_entry.first
           ke = kse.key_exchange
           @named_group = kse.group
           priv_key = priv_keys[@named_group]
-          shared_secret = gen_shared_secret(ke, priv_key, @named_group)
+          shared_secret = Endpoint.gen_shared_secret(ke, priv_key, @named_group)
           @cipher_suite = sh.cipher_suite
           key_schedule = KeySchedule.new(
             psk: psk,
             shared_secret: shared_secret,
             cipher_suite: @cipher_suite,
-            transcript: transcript
+            transcript: @transcript
           )
           # rejected ECH
           # NOTE: It can compute (hrr_)accept_ech until client selects the
           # cipher_suite.
           if !sh.hrr? && use_ech?
-            if !transcript.include?(HRR) && !key_schedule.accept_ech?
+            if !@transcript.include?(HRR) && !key_schedule.accept_ech?
               # 1sh SH
-              transcript[CH] = [ch_outer, ch_outer.serialize]
+              @transcript[CH] = [ch_outer, ch_outer.serialize]
               @rejected_ech = true
-            elsif transcript.include?(HRR) &&
+            elsif @transcript.include?(HRR) &&
                   key_schedule.hrr_accept_ech? != key_schedule.accept_ech?
               # 2nd SH
-              terminate(:illegal_parameter)
-            elsif transcript.include?(HRR) && !key_schedule.hrr_accept_ech?
+              @connection.terminate(:illegal_parameter)
+            elsif @transcript.include?(HRR) && !key_schedule.hrr_accept_ech?
               # 2nd SH
-              transcript[CH1] = [ch1_outer, ch1_outer.serialize]
-              transcript[CH] = [ch_outer, ch_outer.serialize]
+              @transcript[CH1] = [ch1_outer, ch1_outer.serialize]
+              @transcript[CH] = [ch_outer, ch_outer.serialize]
               @rejected_ech = true
             end
           end
-          @alert_wcipher = hs_wcipher = gen_cipher(
+          @connection.alert_wcipher = hs_wcipher = Endpoint.gen_cipher(
             @cipher_suite,
             key_schedule.client_handshake_write_key,
             key_schedule.client_handshake_write_iv
           )
           sslkeylogfile&.write_client_handshake_traffic_secret(
-            transcript[CH].first.random,
+            @transcript[CH].first.random,
             key_schedule.client_handshake_traffic_secret
           )
-          hs_rcipher = gen_cipher(
+          hs_rcipher = Endpoint.gen_cipher(
             @cipher_suite,
             key_schedule.server_handshake_write_key,
             key_schedule.server_handshake_write_iv
           )
           sslkeylogfile&.write_server_handshake_traffic_secret(
-            transcript[CH].first.random,
+            @transcript[CH].first.random,
             key_schedule.server_handshake_traffic_secret
           )
-          @state = ClientState::WAIT_EE
+          @connection.state = ClientState::WAIT_EE
         when ClientState::WAIT_EE
           logger.debug('ClientState::WAIT_EE')
-          ee, = transcript[EE] = recv_encrypted_extensions(hs_rcipher)
-          terminate(:illegal_parameter) unless ee.appearable_extensions?
+          ee, = @transcript[EE] = recv_encrypted_extensions(hs_rcipher)
+          @connection.terminate(:illegal_parameter) \
+            unless ee.appearable_extensions?
-          ch, = transcript[CH]
-          terminate(:unsupported_extension) \
+          ch, = @transcript[CH]
+          @connection.terminate(:unsupported_extension) \
             unless (ee.extensions.keys - ch.extensions.keys).empty?
           rsl = ee.extensions[Message::ExtensionType::RECORD_SIZE_LIMIT]
@@ -393,118 +386,120 @@ module TTTLS13
           @retry_configs = ee.extensions[
             Message::ExtensionType::ENCRYPTED_CLIENT_HELLO
           ]&.retry_configs
-          terminate(:unsupported_extension) \
+          @connection.terminate(:unsupported_extension) \
             if !rejected_ech? && !@retry_configs.nil?
-          @state = ClientState::WAIT_CERT_CR
-          @state = ClientState::WAIT_FINISHED unless psk.nil?
+          @connection.state = ClientState::WAIT_CERT_CR
+          @connection.state = ClientState::WAIT_FINISHED unless psk.nil?
         when ClientState::WAIT_CERT_CR
           logger.debug('ClientState::WAIT_CERT_CR')
-          message, orig_msg = recv_message(
+          message, orig_msg = @connection.recv_message(
             receivable_ccs: true,
             cipher: hs_rcipher
           )
           case message.msg_type
           when Message::HandshakeType::CERTIFICATE,
                Message::HandshakeType::COMPRESSED_CERTIFICATE
-            ct, = transcript[CT] = [message, orig_msg]
-            terminate(:bad_certificate) \
+            ct, = @transcript[CT] = [message, orig_msg]
+            @connection.terminate(:bad_certificate) \
               if ct.is_a?(Message::CompressedCertificate) &&
                  !@settings[:compress_certificate_algorithms]
                  .include?(ct.algorithm)
             ct = ct.certificate_message \
               if ct.is_a?(Message::CompressedCertificate)
-            alert = check_invalid_certificate(ct, transcript[CH].first)
-            terminate(alert) unless alert.nil?
+            alert = check_invalid_certificate(ct, @transcript[CH].first)
+            @connection.terminate(alert) unless alert.nil?
-            @state = ClientState::WAIT_CV
+            @connection.state = ClientState::WAIT_CV
           when Message::HandshakeType::CERTIFICATE_REQUEST
-            transcript[CR] = [message, orig_msg]
+            @transcript[CR] = [message, orig_msg]
             # TODO: client authentication
-            @state = ClientState::WAIT_CERT
+            @connection.state = ClientState::WAIT_CERT
           else
-            terminate(:unexpected_message)
+            @connection.terminate(:unexpected_message)
           end
         when ClientState::WAIT_CERT
           logger.debug('ClientState::WAIT_CERT')
-          ct, = transcript[CT] = recv_certificate(hs_rcipher)
+          ct, = @transcript[CT] = recv_certificate(hs_rcipher)
           if ct.is_a?(Message::CompressedCertificate) &&
              !@settings[:compress_certificate_algorithms].include?(ct.algorithm)
-            terminate(:bad_certificate)
+            @connection.terminate(:bad_certificate)
           elsif ct.is_a?(Message::CompressedCertificate)
             ct = ct.certificate_message
           end
-          alert = check_invalid_certificate(ct, transcript[CH].first)
-          terminate(alert) unless alert.nil?
+          alert = check_invalid_certificate(ct, @transcript[CH].first)
+          @connection.terminate(alert) unless alert.nil?
-          @state = ClientState::WAIT_CV
+          @connection.state = ClientState::WAIT_CV
         when ClientState::WAIT_CV
           logger.debug('ClientState::WAIT_CV')
-          cv, = transcript[CV] = recv_certificate_verify(hs_rcipher)
+          cv, = @transcript[CV] = recv_certificate_verify(hs_rcipher)
           digest = CipherSuite.digest(@cipher_suite)
-          hash = transcript.hash(digest, CT)
-          ct, = transcript[CT]
+          hash = @transcript.hash(digest, CT)
+          ct, = @transcript[CT]
           ct = ct.certificate_message \
             if ct.is_a?(Message::CompressedCertificate)
-          terminate(:decrypt_error) \
+          @connection.terminate(:decrypt_error) \
             unless verified_certificate_verify?(ct, cv, hash)
           @signature_scheme = cv.signature_scheme
-          @state = ClientState::WAIT_FINISHED
+          @connection.state = ClientState::WAIT_FINISHED
         when ClientState::WAIT_FINISHED
           logger.debug('ClientState::WAIT_FINISHED')
-          sf, = transcript[SF] = recv_finished(hs_rcipher)
+          sf, = @transcript[SF] = recv_finished(hs_rcipher)
           digest = CipherSuite.digest(@cipher_suite)
-          terminate(:decrypt_error) unless verified_finished?(
-            finished: sf,
-            digest: digest,
-            finished_key: key_schedule.server_finished_key,
-            hash: transcript.hash(digest, CV)
-          )
+          @connection.terminate(:decrypt_error) \
+            unless Endpoint.verified_finished?(
+              finished: sf,
+              digest: digest,
+              finished_key: key_schedule.server_finished_key,
+              hash: @transcript.hash(digest, CV)
+            )
           if use_early_data? && succeed_early_data?
             eoed = send_eoed(e_wcipher)
-            transcript[EOED] = [eoed, eoed.serialize]
+            @transcript[EOED] = [eoed, eoed.serialize]
           end
           # TODO: Send Certificate [+ CertificateVerify]
-          signature = sign_finished(
+          signature = Endpoint.sign_finished(
             digest: digest,
             finished_key: key_schedule.client_finished_key,
-            hash: transcript.hash(digest, EOED)
+            hash: @transcript.hash(digest, EOED)
           )
           cf = send_finished(signature, hs_wcipher)
-          transcript[CF] = [cf, cf.serialize]
-          @alert_wcipher = @ap_wcipher = gen_cipher(
+          @transcript[CF] = [cf, cf.serialize]
+          @connection.ap_wcipher = Endpoint.gen_cipher(
             @cipher_suite,
             key_schedule.client_application_write_key,
             key_schedule.client_application_write_iv
           )
+          @connection.alert_wcipher = @connection.ap_wcipher
           sslkeylogfile&.write_client_traffic_secret_0(
-            transcript[CH].first.random,
+            @transcript[CH].first.random,
             key_schedule.client_application_traffic_secret
           )
-          @ap_rcipher = gen_cipher(
+          @connection.ap_rcipher = Endpoint.gen_cipher(
             @cipher_suite,
             key_schedule.server_application_write_key,
             key_schedule.server_application_write_iv
           )
           sslkeylogfile&.write_server_traffic_secret_0(
-            transcript[CH].first.random,
+            @transcript[CH].first.random,
             key_schedule.server_application_traffic_secret
           )
           @exporter_secret = key_schedule.exporter_secret
           @resumption_secret = key_schedule.resumption_secret
-          @state = ClientState::CONNECTED
+          @connection.state = ClientState::CONNECTED
         when ClientState::CONNECTED
           logger.debug('ClientState::CONNECTED')
-          send_alert(:ech_required) \
+          @connection.send_alert(:ech_required) \
             if use_ech? && (!@retry_configs.nil? && !@retry_configs.empty?)
           break
         end
@@ -517,6 +512,14 @@ module TTTLS13
     # rubocop: enable Metrics/MethodLength
     # rubocop: enable Metrics/PerceivedComplexity
+    # @raise [TTTLS13::Error::ConfigError]
+    #
+    # @return [String]
+    def read
+      nst_process = method(:process_new_session_ticket)
+      @connection.read(nst_process)
+    end
     # @param binary [String]
     def write(binary)
       # the client can regard ECH as securely disabled by the server, and it
@@ -528,14 +531,55 @@ module TTTLS13
         return
       end
-      super(binary)
+      @connection.write(binary)
+    end
+    # return [Boolean]
+    def eof?
+      @connection.eof?
+    end
+    def close
+      @connection.close
+    end
+    # @return [TTTLS13::CipherSuite, nil]
+    def negotiated_cipher_suite
+      @cipher_suite
+    end
+    # @return [TTTLS13::NamedGroup, nil]
+    def negotiated_named_group
+      @named_group
+    end
+    # @return [TTTLS13::SignatureScheme, nil]
+    def negotiated_signature_scheme
+      @signature_scheme
+    end
+    # @return [String]
+    def negotiated_alpn
+      @alpn
+    end
+    # @param label [String]
+    # @param context [String]
+    # @param key_length [Integer]
+    #
+    # @return [String, nil]
+    def exporter(label, context, key_length)
+      return nil if @exporter_secret.nil? || @cipher_suite.nil?
+      digest = CipherSuite.digest(@cipher_suite)
+      Endpoint.exporter(@exporter_secret, digest, label, context, key_length)
     end
     # @param binary [String]
     #
     # @raise [TTTLS13::Error::ConfigError]
     def early_data(binary)
-      raise Error::ConfigError unless @state == INITIAL && use_psk?
+      raise Error::ConfigError unless @connection.state == INITIAL && use_psk?
       @early_data = binary
     end
@@ -677,7 +721,7 @@ module TTTLS13
         messages: [ap],
         cipher: cipher
       )
-      send_record(ap_record)
+      @connection.send_record(ap_record)
     end
     # @param resumption_secret [String]
@@ -768,7 +812,7 @@ module TTTLS13
     #
     # @return [TTTLS13::Message::ClientHello] outer
     # @return [TTTLS13::Message::ClientHello] inner
-    # @return [TTTLS13::Client::EchState]
+    # @return [TTTLS13::EchState]
     # rubocop: disable Metrics/MethodLength
     def send_client_hello(extensions, binder_key = nil)
       ch = Message::ClientHello.new(
@@ -783,7 +827,11 @@ module TTTLS13
         inner_ech = Message::Extension::ECHClientHello.new_inner
         inner.extensions[Message::ExtensionType::ENCRYPTED_CLIENT_HELLO] \
           = inner_ech
-        ch, inner, ech_state = offer_ech(inner, @settings[:ech_config])
+        ch, inner, ech_state = Ech.offer_ech(
+          inner,
+          @settings[:ech_config],
+          method(:select_ech_hpke_cipher_suite)
+        )
       end
       # psk_key_exchange_modes
@@ -814,8 +862,8 @@ module TTTLS13
         end
       end
-      send_handshakes(Message::ContentType::HANDSHAKE, [ch],
-                      Cryptograph::Passer.new)
+      @connection.send_handshakes(Message::ContentType::HANDSHAKE, [ch],
+                                  Cryptograph::Passer.new)
       [ch, inner, ech_state]
     end
@@ -850,7 +898,7 @@ module TTTLS13
       )
       ch.extensions[Message::ExtensionType::PRE_SHARED_KEY] = psk
-      psk.offered_psks.binders[0] = do_sign_psk_binder(
+      psk.offered_psks.binders[0] = Endpoint.sign_psk_binder(
         ch1: ch1,
         hrr: hrr,
         ch: ch,
@@ -900,7 +948,7 @@ module TTTLS13
       )
       ch_outer.extensions[Message::ExtensionType::PRE_SHARED_KEY] = psk
-      psk.offered_psks.binders[0] = do_sign_psk_binder(
+      psk.offered_psks.binders[0] = Endpoint.sign_psk_binder(
         ch1: ch1,
         hrr: hrr,
         ch: ch_outer,
@@ -909,209 +957,6 @@ module TTTLS13
       )
     end
-    # @param inner [TTTLS13::Message::ClientHello]
-    # @param ech_config [ECHConfig]
-    #
-    # @return [TTTLS13::Message::ClientHello]
-    # @return [TTTLS13::Message::ClientHello]
-    # @return [TTTLS13::Client::EchState]
-    # rubocop: disable Metrics/AbcSize
-    # rubocop: disable Metrics/MethodLength
-    def offer_ech(inner, ech_config)
-      return [new_greased_ch(inner, new_grease_ech), nil, nil] \
-        if ech_config.nil? ||
-           !SUPPORTED_ECHCONFIG_VERSIONS.include?(ech_config.version)
-      # Encrypted ClientHello Configuration
-      public_name = ech_config.echconfig_contents.public_name
-      key_config = ech_config.echconfig_contents.key_config
-      public_key = key_config.public_key.opaque
-      kem_id = key_config&.kem_id&.uint16
-      config_id = key_config.config_id
-      cipher_suite = select_ech_hpke_cipher_suite(key_config)
-      overhead_len = Hpke.aead_id2overhead_len(cipher_suite&.aead_id&.uint16)
-      aead_cipher = Hpke.aead_id2aead_cipher(cipher_suite&.aead_id&.uint16)
-      kdf_hash = Hpke.kdf_id2kdf_hash(cipher_suite&.kdf_id&.uint16)
-      return [new_greased_ch(inner, new_grease_ech), nil, nil] \
-        if [kem_id, overhead_len, aead_cipher, kdf_hash].any?(&:nil?)
-      kem_curve_name, kem_hash = Hpke.kem_id2dhkem(kem_id)
-      dhkem = Hpke.kem_curve_name2dhkem(kem_curve_name)
-      pkr = dhkem&.new(kem_hash)&.deserialize_public_key(public_key)
-      return [new_greased_ch(inner, new_grease_ech), nil, nil] if pkr.nil?
-      hpke = HPKE.new(kem_curve_name, kem_hash, kdf_hash, aead_cipher)
-      base_s = hpke.setup_base_s(pkr, "tls ech\x00" + ech_config.encode)
-      enc = base_s[:enc]
-      ctx = base_s[:context_s]
-      mnl = ech_config.echconfig_contents.maximum_name_length
-      encoded = encode_ch_inner(inner, mnl)
-      # Encoding the ClientHelloInner
-      aad = new_ch_outer_aad(
-        inner,
-        cipher_suite,
-        config_id,
-        enc,
-        encoded.length + overhead_len,
-        public_name
-      )
-      # Authenticating the ClientHelloOuter
-      # which does not include the Handshake structure's four byte header.
-      outer = new_ch_outer(
-        aad,
-        cipher_suite,
-        config_id,
-        enc,
-        ctx.seal(aad.serialize[4..], encoded)
-      )
-      ech_state = EchState.new(mnl, config_id, cipher_suite, public_name, ctx)
-      [outer, inner, ech_state]
-    end
-    # rubocop: enable Metrics/AbcSize
-    # rubocop: enable Metrics/MethodLength
-    # @param inner [TTTLS13::Message::ClientHello]
-    # @param ech_state [TTTLS13::Client::EchState]
-    #
-    # @return [TTTLS13::Message::ClientHello]
-    # @return [TTTLS13::Message::ClientHello]
-    def offer_new_ech(inner, ech_state)
-      encoded = encode_ch_inner(inner, ech_state.maximum_name_length)
-      overhead_len \
-        = Hpke.aead_id2overhead_len(ech_state.cipher_suite.aead_id.uint16)
-      # It encrypts EncodedClientHelloInner as described in Section 6.1.1, using
-      # the second partial ClientHelloOuterAAD, to obtain a second
-      # ClientHelloOuter. It reuses the original HPKE encryption context
-      # computed in Section 6.1 and uses the empty string for enc.
-      #
-      # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-17#section-6.1.5-4.4.1
-      aad = new_ch_outer_aad(
-        inner,
-        ech_state.cipher_suite,
-        ech_state.config_id,
-        '',
-        encoded.length + overhead_len,
-        ech_state.public_name
-      )
-      # Authenticating the ClientHelloOuter
-      # which does not include the Handshake structure's four byte header.
-      outer = new_ch_outer(
-        aad,
-        ech_state.cipher_suite,
-        ech_state.config_id,
-        '',
-        ech_state.ctx.seal(aad.serialize[4..], encoded)
-      )
-      [outer, inner]
-    end
-    # @param inner [TTTLS13::Message::ClientHello]
-    # @param maximum_name_length [Integer]
-    #
-    # @return [String] EncodedClientHelloInner
-    def encode_ch_inner(inner, maximum_name_length)
-      # TODO: ech_outer_extensions
-      encoded = Message::ClientHello.new(
-        legacy_version: inner.legacy_version,
-        random: inner.random,
-        legacy_session_id: '',
-        cipher_suites: inner.cipher_suites,
-        legacy_compression_methods: inner.legacy_compression_methods,
-        extensions: inner.extensions
-      )
-      server_name_length = \
-        inner.extensions[Message::ExtensionType::SERVER_NAME].server_name.length
-      # which does not include the Handshake structure's four byte header.
-      padding_encoded_ch_inner(
-        encoded.serialize[4..],
-        server_name_length,
-        maximum_name_length
-      )
-    end
-    # @param s [String]
-    # @param server_name_length [Integer]
-    # @param maximum_name_length [Integer]
-    #
-    # @return [String]
-    def padding_encoded_ch_inner(s, server_name_length, maximum_name_length)
-      padding_len =
-        if server_name_length.positive?
-          [maximum_name_length - server_name_length, 0].max
-        else
-          9 + maximum_name_length
-        end
-      padding_len = 31 - ((s.length + padding_len - 1) % 32)
-      s + padding_len.zeros
-    end
-    # @param inner [TTTLS13::Message::ClientHello]
-    # @param cipher_suite [HpkeSymmetricCipherSuite]
-    # @param config_id [Integer]
-    # @param enc [String]
-    # @param payload_len [Integer]
-    # @param server_name [String]
-    #
-    # @return [TTTLS13::Message::ClientHello]
-    # rubocop: disable Metrics/ParameterLists
-    def new_ch_outer_aad(inner,
-                         cipher_suite,
-                         config_id,
-                         enc,
-                         payload_len,
-                         server_name)
-      aad_ech = Message::Extension::ECHClientHello.new_outer(
-        cipher_suite: cipher_suite,
-        config_id: config_id,
-        enc: enc,
-        payload: payload_len.zeros
-      )
-      Message::ClientHello.new(
-        legacy_version: inner.legacy_version,
-        legacy_session_id: inner.legacy_session_id,
-        cipher_suites: inner.cipher_suites,
-        legacy_compression_methods: inner.legacy_compression_methods,
-        extensions: inner.extensions.merge(
-          Message::ExtensionType::ENCRYPTED_CLIENT_HELLO => aad_ech,
-          Message::ExtensionType::SERVER_NAME => \
-            Message::Extension::ServerName.new(server_name)
-        )
-      )
-    end
-    # rubocop: enable Metrics/ParameterLists
-    # @param aad [TTTLS13::Message::ClientHello]
-    # @param cipher_suite [HpkeSymmetricCipherSuite]
-    # @param config_id [Integer]
-    # @param enc [String]
-    # @param payload [String]
-    #
-    # @return [TTTLS13::Message::ClientHello]
-    def new_ch_outer(aad, cipher_suite, config_id, enc, payload)
-      outer_ech = Message::Extension::ECHClientHello.new_outer(
-        cipher_suite: cipher_suite,
-        config_id: config_id,
-        enc: enc,
-        payload: payload
-      )
-      Message::ClientHello.new(
-        legacy_version: aad.legacy_version,
-        random: aad.random,
-        legacy_session_id: aad.legacy_session_id,
-        cipher_suites: aad.cipher_suites,
-        legacy_compression_methods: aad.legacy_compression_methods,
-        extensions: aad.extensions.merge(
-          Message::ExtensionType::ENCRYPTED_CLIENT_HELLO => outer_ech
-        )
-      )
-    end
     # @param conf [HpkeKeyConfig]
     #
     # @return [HpkeSymmetricCipherSuite, nil]
@@ -1121,63 +966,6 @@ module TTTLS13
       end
     end
-    # @return [Message::Extension::ECHClientHello]
-    def new_grease_ech
-      # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-17#name-compliance-requirements
-      cipher_suite = HpkeSymmetricCipherSuite.new(
-        HpkeSymmetricCipherSuite::HpkeKdfId.new(
-          TTTLS13::Hpke::KdfId::HKDF_SHA256
-        ),
-        HpkeSymmetricCipherSuite::HpkeAeadId.new(
-          TTTLS13::Hpke::AeadId::AES_128_GCM
-        )
-      )
-      # Set the enc field to a randomly-generated valid encapsulated public key
-      # output by the HPKE KEM.
-      #
-      # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-17#section-6.2-2.3.1
-      public_key = OpenSSL::PKey.read(
-        OpenSSL::PKey.generate_key('X25519').public_to_pem
-      )
-      hpke = HPKE.new(:x25519, :sha256, :sha256, :aes_128_gcm)
-      enc = hpke.setup_base_s(public_key, '')[:enc]
-      # Set the payload field to a randomly-generated string of L+C bytes, where
-      # C is the ciphertext expansion of the selected AEAD scheme and L is the
-      # size of the EncodedClientHelloInner the client would compute when
-      # offering ECH, padded according to Section 6.1.3.
-      #
-      # https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-17#section-6.2-2.4.1
-      payload_len = placeholder_encoded_ch_inner_len \
-                    + Hpke.aead_id2overhead_len(Hpke::AeadId::AES_128_GCM)
-      Message::Extension::ECHClientHello.new_outer(
-        cipher_suite: cipher_suite,
-        config_id: Convert.bin2i(OpenSSL::Random.random_bytes(1)),
-        enc: enc,
-        payload: OpenSSL::Random.random_bytes(payload_len)
-      )
-    end
-    # @return [Integer]
-    def placeholder_encoded_ch_inner_len
-      448
-    end
-    # @param inner [TTTLS13::Message::ClientHello]
-    # @param ech [Message::Extension::ECHClientHello]
-    def new_greased_ch(inner, ech)
-      Message::ClientHello.new(
-        legacy_version: inner.legacy_version,
-        random: inner.random,
-        legacy_session_id: inner.legacy_session_id,
-        cipher_suites: inner.cipher_suites,
-        legacy_compression_methods: inner.legacy_compression_methods,
-        extensions: inner.extensions.merge(
-          Message::ExtensionType::ENCRYPTED_CLIENT_HELLO => ech
-        )
-      )
-    end
     # @return [Integer]
     def calc_obfuscated_ticket_age
       # the "ticket_lifetime" field in the NewSessionTicket message is
@@ -1227,7 +1015,7 @@ module TTTLS13
     # @param hrr [TTTLS13::Message::ServerHello]
     # @param extensions [TTTLS13::Message::Extensions]
     # @param binder_key [String, nil]
-    # @param ech_state [TTTLS13::Client::EchState]
+    # @param ech_state [TTTLS13::EchState]
     #
     # @return [TTTLS13::Message::ClientHello] outer
     # @return [TTTLS13::Message::ClientHello] inner
@@ -1258,7 +1046,7 @@ module TTTLS13
         ch.extensions[Message::ExtensionType::ENCRYPTED_CLIENT_HELLO] \
           = ch1.extensions[Message::ExtensionType::ENCRYPTED_CLIENT_HELLO]
       elsif use_ech?
-        ch, inner = offer_new_ech(ch, ech_state)
+        ch, inner = Ech.offer_new_ech(ch, ech_state)
       end
       # pre_shared_key
@@ -1286,8 +1074,8 @@ module TTTLS13
         end
       end
-      send_handshakes(Message::ContentType::HANDSHAKE, [ch],
-                      Cryptograph::Passer.new)
+      @connection.send_handshakes(Message::ContentType::HANDSHAKE, [ch],
+                                  Cryptograph::Passer.new)
       [ch, inner]
     end
@@ -1299,11 +1087,12 @@ module TTTLS13
     # @return [TTTLS13::Message::ServerHello]
     # @return [String]
     def recv_server_hello
-      sh, orig_msg = recv_message(
+      sh, orig_msg = @connection.recv_message(
         receivable_ccs: true,
         cipher: Cryptograph::Passer.new
       )
-      terminate(:unexpected_message) unless sh.is_a?(Message::ServerHello)
+      @connection.terminate(:unexpected_message) \
+        unless sh.is_a?(Message::ServerHello)
       [sh, orig_msg]
     end
@@ -1315,8 +1104,9 @@ module TTTLS13
     # @return [TTTLS13::Message::EncryptedExtensions]
     # @return [String]
     def recv_encrypted_extensions(cipher)
-      ee, orig_msg = recv_message(receivable_ccs: true, cipher: cipher)
-      terminate(:unexpected_message) \
+      ee, orig_msg \
+        = @connection.recv_message(receivable_ccs: true, cipher: cipher)
+      @connection.terminate(:unexpected_message) \
         unless ee.is_a?(Message::EncryptedExtensions)
       [ee, orig_msg]
@@ -1329,8 +1119,10 @@ module TTTLS13
     # @return [TTTLS13::Message::Certificate]
     # @return [String]
     def recv_certificate(cipher)
-      ct, orig_msg = recv_message(receivable_ccs: true, cipher: cipher)
-      terminate(:unexpected_message) unless ct.is_a?(Message::Certificate)
+      ct, orig_msg \
+        = @connection.recv_message(receivable_ccs: true, cipher: cipher)
+      @connection.terminate(:unexpected_message) \
+        unless ct.is_a?(Message::Certificate)
       [ct, orig_msg]
     end
@@ -1342,8 +1134,10 @@ module TTTLS13
     # @return [TTTLS13::Message::CertificateVerify]
     # @return [String]
     def recv_certificate_verify(cipher)
-      cv, orig_msg = recv_message(receivable_ccs: true, cipher: cipher)
-      terminate(:unexpected_message) unless cv.is_a?(Message::CertificateVerify)
+      cv, orig_msg \
+        = @connection.recv_message(receivable_ccs: true, cipher: cipher)
+      @connection.terminate(:unexpected_message) \
+        unless cv.is_a?(Message::CertificateVerify)
       [cv, orig_msg]
     end
@@ -1355,8 +1149,10 @@ module TTTLS13
     # @return [TTTLS13::Message::Finished]
     # @return [String]
     def recv_finished(cipher)
-      sf, orig_msg = recv_message(receivable_ccs: true, cipher: cipher)
-      terminate(:unexpected_message) unless sf.is_a?(Message::Finished)
+      sf, orig_msg \
+        = @connection.recv_message(receivable_ccs: true, cipher: cipher)
+      @connection.terminate(:unexpected_message) \
+        unless sf.is_a?(Message::Finished)
       [sf, orig_msg]
     end
@@ -1366,7 +1162,11 @@ module TTTLS13
     # @return [TTTLS13::Message::Finished]
     def send_finished(signature, cipher)
       cf = Message::Finished.new(signature)
-      send_handshakes(Message::ContentType::APPLICATION_DATA, [cf], cipher)
+      @connection.send_handshakes(
+        Message::ContentType::APPLICATION_DATA,
+        [cf],
+        cipher
+      )
       cf
     end
@@ -1376,7 +1176,11 @@ module TTTLS13
     # @return [TTTLS13::Message::EndOfEarlyData]
     def send_eoed(cipher)
       eoed = Message::EndOfEarlyData.new
-      send_handshakes(Message::ContentType::APPLICATION_DATA, [eoed], cipher)
+      @connection.send_handshakes(
+        Message::ContentType::APPLICATION_DATA,
+        [eoed],
+        cipher
+      )
       eoed
     end
@@ -1392,7 +1196,7 @@ module TTTLS13
         unless ct.certificate_list.map(&:extensions)
                  .all? { |e| (e.keys - ch.extensions.keys).empty? }
-      return :certificate_unknown unless trusted_certificate?(
+      return :certificate_unknown unless Endpoint.trusted_certificate?(
         ct.certificate_list,
         @settings[:ca_file],
         @hostname
@@ -1421,7 +1225,7 @@ module TTTLS13
       signature_scheme = cv.signature_scheme
       signature = cv.signature
-      do_verified_certificate_verify?(
+      Endpoint.verified_certificate_verify?(
         public_key: public_key,
         signature_scheme: signature_scheme,
         signature: signature,
@@ -1443,36 +1247,19 @@ module TTTLS13
     #
     # @raise [TTTLS13::Error::ErrorAlerts]
     def process_new_session_ticket(nst)
-      super(nst)
       rms = @resumption_secret
       cs = @cipher_suite
       @settings[:process_new_session_ticket]&.call(nst, rms, cs)
     end
-    class EchState
-      attr_accessor :maximum_name_length
-      attr_accessor :config_id
-      attr_accessor :cipher_suite
-      attr_accessor :public_name
-      attr_accessor :ctx
-      # @param maximum_name_length [Integer]
-      # @param config_id [Integer]
-      # @param cipher_suite [HpkeSymmetricCipherSuite]
-      # @param public_name [String]
-      # @param ctx [[HPKE::ContextS]
-      def initialize(maximum_name_length,
-                     config_id,
-                     cipher_suite,
-                     public_name,
-                     ctx)
-        @maximum_name_length = maximum_name_length
-        @config_id = config_id
-        @cipher_suite = cipher_suite
-        @public_name = public_name
-        @ctx = ctx
-      end
+    # @param cid [OpenSSL::OCSP::CertificateId]
+    #
+    # @return [OpenSSL::OCSP::Request]
+    def gen_ocsp_request(cid)
+      ocsp_request = OpenSSL::OCSP::Request.new
+      ocsp_request.add_certid(cid)
+      ocsp_request.add_nonce
+      ocsp_request
     end
   end
   # rubocop: enable Metrics/ClassLength