tttls1.3 0.3.4 → 0.3.5

data/lib/tttls1.3/message/extension/status_request.rb

@@ -10,9 +10,7 @@ module TTTLS13
       end
 
       class OCSPStatusRequest
-        attr_reader :extension_type
-        attr_reader :responder_id_list
-        attr_reader :request_extensions
+        attr_reader :extension_type, :responder_id_list, :request_extensions
 
         # @param responder_id_list [Array of OpenSSL::ASN1::ASN1Data]
         # @param request_extensions [Array of OpenSSL::ASN1::ASN1Data]
@@ -43,8 +41,6 @@ module TTTLS13
         # @raise [TTTLS13::Error::ErrorAlerts]
         #
         # @return [TTTLS13::Message::Extension::OCSPStatusRequest, nil]
-        # rubocop: disable Metrics/CyclomaticComplexity
-        # rubocop: disable Metrics/PerceivedComplexity
         def self.deserialize(binary)
           raise Error::ErrorAlerts, :internal_error if binary.nil?
           return nil if binary.length < 5 ||
@@ -71,12 +67,9 @@ module TTTLS13
           i += re_len
           return nil unless i == binary.length
 
-          OCSPStatusRequest.new(responder_id_list: responder_id_list,
-                                request_extensions: request_extensions)
+          OCSPStatusRequest.new(responder_id_list:,
+                                request_extensions:)
         end
-        # rubocop: enable Metrics/CyclomaticComplexity
-        # rubocop: enable Metrics/PerceivedComplexity
-
         class << self
           private
 
@@ -111,8 +104,7 @@ module TTTLS13
       end
 
       class OCSPResponse
-        attr_reader :extension_type
-        attr_reader :ocsp_response
+        attr_reader :extension_type, :ocsp_response
 
         # @param ocsp_response [OpenSSL::OCSP::Response]
         #

data/lib/tttls1.3/message/extension/supported_groups.rb

@@ -6,8 +6,7 @@ module TTTLS13
   module Message
     module Extension
       class SupportedGroups
-        attr_reader :extension_type
-        attr_reader :named_group_list
+        attr_reader :extension_type, :named_group_list
 
         # @param named_group_list [Array of NamedGroup]
         #
@@ -31,7 +30,6 @@ module TTTLS13
         # @raise [TTTLS13::Error::ErrorAlerts]
         #
         # @return [TTTLS13::Message::Extension::SupportedGroups, nil]
-        # rubocop: disable Metrics/CyclomaticComplexity
         def self.deserialize(binary)
           raise Error::ErrorAlerts, :internal_error if binary.nil?
 
@@ -51,7 +49,6 @@ module TTTLS13
 
           SupportedGroups.new(named_group_list)
         end
-        # rubocop: enable Metrics/CyclomaticComplexity
       end
     end
   end

data/lib/tttls1.3/message/extension/supported_versions.rb

@@ -6,15 +6,12 @@ module TTTLS13
   module Message
     module Extension
       class SupportedVersions
-        attr_reader :extension_type
-        attr_reader :msg_type
-        attr_reader :versions
+        attr_reader :extension_type, :msg_type, :versions
 
         # @param msg_type [TTTLS13::Message::ContentType]
         # @param versions [Array of ProtocolVersion]
         #
         # @raise [TTTLS13::Error::ErrorAlerts]
-        # rubocop: disable Metrics/CyclomaticComplexity
         def initialize(msg_type:, versions: DEFAULT_VERSIONS)
           @extension_type = ExtensionType::SUPPORTED_VERSIONS
           @msg_type = msg_type
@@ -30,7 +27,6 @@ module TTTLS13
             raise Error::ErrorAlerts, :internal_error
           end
         end
-        # rubocop: enable Metrics/CyclomaticComplexity
 
         # @return [String]
         def serialize
@@ -64,7 +60,7 @@ module TTTLS13
           else
             return nil
           end
-          SupportedVersions.new(msg_type: msg_type, versions: versions)
+          SupportedVersions.new(msg_type:, versions:)
         end
 
         # @param binary [String]
@@ -72,7 +68,6 @@ module TTTLS13
         # @raise [TTTLS13::Error::ErrorAlerts]
         #
         # @return [Array of String, nil]
-        # rubocop: disable Metrics/CyclomaticComplexity
         def self.deserialize_versions(binary)
           raise Error::ErrorAlerts, :internal_error if binary.nil?
 
@@ -91,7 +86,6 @@ module TTTLS13
 
           versions
         end
-        # rubocop: enable Metrics/CyclomaticComplexity
       end
     end
   end

data/lib/tttls1.3/message/extension/unknown_extension.rb

@@ -8,8 +8,7 @@ module TTTLS13
       # Client/Server MUST ignore unrecognized extensions,
       # but transcript MUST include unrecognized extensions.
       class UnknownExtension
-        attr_reader :extension_type
-        attr_reader :extension_data
+        attr_reader :extension_type, :extension_data
 
         # @param extension_type [String]
         # @param extension_data [String]
@@ -28,7 +27,7 @@ module TTTLS13
         #
         # @return [TTTLS13::Message::Extension::UnknownExtension]
         def self.deserialize(binary, extension_type)
-          UnknownExtension.new(extension_type: extension_type,
+          UnknownExtension.new(extension_type:,
                                extension_data: binary)
         end
       end

data/lib/tttls1.3/message/extensions.rb

@@ -43,8 +43,6 @@ module TTTLS13
       # @raise [TTTLS13::Error::ErrorAlerts]
       #
       # @return [TTTLS13::Message::Extensions]
-      # rubocop: disable Metrics/CyclomaticComplexity
-      # rubocop: disable Metrics/PerceivedComplexity
       def self.deserialize(binary, msg_type)
         raise Error::ErrorAlerts, :internal_error if binary.nil?
 
@@ -64,7 +62,7 @@ module TTTLS13
           ex = deserialize_extension(ex_bin, extension_type, msg_type)
           if ex.nil?
             # ignore unparsable binary, but only transcript
-            ex = Extension::UnknownExtension.new(extension_type: extension_type,
+            ex = Extension::UnknownExtension.new(extension_type:,
                                                  extension_data: ex_bin)
           end
 
@@ -80,8 +78,6 @@ module TTTLS13
 
         exs
       end
-      # rubocop: enable Metrics/CyclomaticComplexity
-      # rubocop: enable Metrics/PerceivedComplexity
 
       # @param key [TTTLS13::Message::ExtensionType]
       # @param default
@@ -149,7 +145,6 @@ module TTTLS13
         # rubocop: disable Metrics/AbcSize
         # rubocop: disable Metrics/CyclomaticComplexity
         # rubocop: disable Metrics/MethodLength
-        # rubocop: disable Metrics/PerceivedComplexity
         def deserialize_extension(binary, extension_type, msg_type)
           raise Error::ErrorAlerts, :internal_error if binary.nil?
 
@@ -208,7 +203,6 @@ module TTTLS13
         # rubocop: enable Metrics/AbcSize
         # rubocop: enable Metrics/CyclomaticComplexity
         # rubocop: enable Metrics/MethodLength
-        # rubocop: enable Metrics/PerceivedComplexity
       end
     end
     # rubocop: enable Metrics/ClassLength

data/lib/tttls1.3/message/finished.rb

@@ -5,8 +5,7 @@ module TTTLS13
   using Refinements
   module Message
     class Finished
-      attr_reader :msg_type
-      attr_reader :verify_data
+      attr_reader :msg_type, :verify_data
 
       # @param verify_data [String]
       def initialize(verify_data)

data/lib/tttls1.3/message/new_session_ticket.rb

@@ -11,13 +11,7 @@ module TTTLS13
     private_constant :APPEARABLE_NST_EXTENSIONS
 
     class NewSessionTicket
-      attr_reader :msg_type
-      attr_reader :ticket_lifetime
-      attr_reader :ticket_age_add
-      attr_reader :ticket_nonce
-      attr_reader :ticket
-      attr_reader :extensions
-      attr_reader :timestamp
+      attr_reader :msg_type, :ticket_lifetime, :ticket_age_add, :ticket_nonce, :ticket, :extensions, :timestamp
 
       # @param ticket_lifetime [Integer]
       # @param ticket_age_add [String]
@@ -83,11 +77,11 @@ module TTTLS13
         raise Error::ErrorAlerts, :decode_error unless i == msg_len + 4 &&
                                                        i == binary.length
 
-        NewSessionTicket.new(ticket_lifetime: ticket_lifetime,
-                             ticket_age_add: ticket_age_add,
-                             ticket_nonce: ticket_nonce,
-                             ticket: ticket,
-                             extensions: extensions)
+        NewSessionTicket.new(ticket_lifetime:,
+                             ticket_age_add:,
+                             ticket_nonce:,
+                             ticket:,
+                             extensions:)
       end
       # rubocop: enable Metrics/AbcSize
 

data/lib/tttls1.3/message/record.rb

@@ -8,19 +8,14 @@ module TTTLS13
 
     # rubocop: disable Metrics/ClassLength
     class Record
-      attr_reader :type
-      attr_reader :legacy_record_version
-      attr_reader :messages
-      attr_reader :cipher
+      attr_reader :type, :legacy_record_version, :messages, :cipher
 
       # @param type [TTTLS13::Message::ContentType]
       # @param legacy_record_version [TTTLS13::Message::ProtocolVersion]
       # @param messages [Array of TTTLS13::Message::$Object]
       # @param cipher [TTTLS13::Cryptograph::$Object]
       def initialize(type:,
-                     legacy_record_version: ProtocolVersion::TLS_1_2,
-                     messages:,
-                     cipher:)
+                     messages:, cipher:, legacy_record_version: ProtocolVersion::TLS_1_2)
         @type = type
         @legacy_record_version = legacy_record_version
         @messages = messages
@@ -63,8 +58,6 @@ module TTTLS13
       # @return [Array of String]
       # @return [String]
       # rubocop: disable Metrics/AbcSize
-      # rubocop: disable Metrics/CyclomaticComplexity
-      # rubocop: disable Metrics/PerceivedComplexity
       def self.deserialize(binary, cipher, buffered = '',
                            record_size_limit = DEFAULT_RECORD_SIZE_LIMIT)
         raise Error::ErrorAlerts, :internal_error if binary.nil?
@@ -82,9 +75,7 @@ module TTTLS13
           unless binary.length == 5 + fragment_len
 
         if type == ContentType::APPLICATION_DATA
-          if fragment.length - cipher.auth_tag_len > record_size_limit
-            raise Error::ErrorAlerts, :record_overflow
-          end
+          raise Error::ErrorAlerts, :record_overflow if fragment.length - cipher.auth_tag_len > record_size_limit
 
           fragment, inner_type = cipher.decrypt(fragment, binary.slice(0, 5))
         end
@@ -94,16 +85,14 @@ module TTTLS13
           inner_type || type
         )
         record = Record.new(
-          type: type,
-          legacy_record_version: legacy_record_version,
-          messages: messages,
-          cipher: cipher
+          type:,
+          legacy_record_version:,
+          messages:,
+          cipher:
         )
         [record, orig_msgs, surplus_binary]
       end
       # rubocop: enable Metrics/AbcSize
-      # rubocop: enable Metrics/CyclomaticComplexity
-      # rubocop: enable Metrics/PerceivedComplexity
 
       private
 
@@ -122,11 +111,11 @@ module TTTLS13
               Message::EndOfEarlyData,
               Message::NewSessionTicket].include?(m.class)
             ContentType::HANDSHAKE
-          elsif m.class == ChangeCipherSpec
+          elsif m.instance_of?(ChangeCipherSpec)
             ContentType::CCS
-          elsif m.class == Message::ApplicationData
+          elsif m.instance_of?(Message::ApplicationData)
             ContentType::APPLICATION_DATA
-          elsif m.class == Message::Alert
+          elsif m.instance_of?(Message::Alert)
             ContentType::ALERT
           else
             raise Error::ErrorAlerts, :internal_error
@@ -212,7 +201,6 @@ module TTTLS13
         # @raise [TTTLS13::Error::ErrorAlerts]
         #
         # @return [Array of TTTLS13::Message::$Object]
-        # rubocop: disable Metrics/CyclomaticComplexity
         def do_deserialize_handshake(binary)
           raise Error::ErrorAlerts, :internal_error if binary.nil?
           raise Error::ErrorAlerts, :decode_error if binary.empty?
@@ -240,7 +228,6 @@ module TTTLS13
             raise Error::ErrorAlerts, :unexpected_message
           end
         end
-        # rubocop: enable Metrics/CyclomaticComplexity
       end
     end
     # rubocop: enable Metrics/ClassLength

data/lib/tttls1.3/message/server_hello.rb

@@ -34,13 +34,8 @@ module TTTLS13
       "\xc2\xa2\x11\x16\x7a\xbb\x8c\x5e\x07\x9e\x09\xe2\xc8\xa8\x33\x9c"
 
     class ServerHello
-      attr_reader :msg_type
-      attr_reader :legacy_version
-      attr_reader :random
-      attr_reader :legacy_session_id_echo
-      attr_reader :cipher_suite
-      attr_reader :legacy_compression_method
-      attr_reader :extensions
+      attr_reader :msg_type, :legacy_version, :random, :legacy_session_id_echo, :cipher_suite,
+                  :legacy_compression_method, :extensions
 
       # @param legacy_version [String]
       # @param random [String]
@@ -49,10 +44,8 @@ module TTTLS13
       # @param legacy_compression_method [String]
       # @param extensions [TTTLS13::Message::Extensions]
       # rubocop: disable Metrics/ParameterLists
-      def initialize(legacy_version: ProtocolVersion::TLS_1_2,
+      def initialize(legacy_session_id_echo:, cipher_suite:, legacy_version: ProtocolVersion::TLS_1_2,
                      random: OpenSSL::Random.random_bytes(32),
-                     legacy_session_id_echo:,
-                     cipher_suite:,
                      legacy_compression_method: "\x00",
                      extensions: Extensions.new)
         @msg_type = HandshakeType::SERVER_HELLO
@@ -84,9 +77,7 @@ module TTTLS13
       #
       # @return [TTTLS13::Message::ServerHello]
       # rubocop: disable Metrics/AbcSize
-      # rubocop: disable Metrics/CyclomaticComplexity
       # rubocop: disable Metrics/MethodLength
-      # rubocop: disable Metrics/PerceivedComplexity
       def self.deserialize(binary)
         raise Error::ErrorAlerts, :internal_error if binary.nil?
         raise Error::ErrorAlerts, :decode_error if binary.length < 39
@@ -116,18 +107,16 @@ module TTTLS13
         raise Error::ErrorAlerts, :decode_error unless i == msg_len + 4 &&
                                                        i == binary.length
 
-        ServerHello.new(legacy_version: legacy_version,
-                        random: random,
-                        legacy_session_id_echo: legacy_session_id_echo,
-                        cipher_suite: cipher_suite,
-                        legacy_compression_method: legacy_compression_method,
-                        extensions: extensions)
+        ServerHello.new(legacy_version:,
+                        random:,
+                        legacy_session_id_echo:,
+                        cipher_suite:,
+                        legacy_compression_method:,
+                        extensions:)
       end
+
       # rubocop: enable Metrics/AbcSize
-      # rubocop: enable Metrics/CyclomaticComplexity
       # rubocop: enable Metrics/MethodLength
-      # rubocop: enable Metrics/PerceivedComplexity
-
       # @return [Boolean]
       def hrr?
         @random == HRR_RANDOM

data/lib/tttls1.3/named_group.rb

@@ -6,8 +6,8 @@ module TTTLS13
     SECP256R1 = "\x00\x17"
     SECP384R1 = "\x00\x18"
     SECP521R1 = "\x00\x19"
-    # X25519    = "\x00\x1d" # UNSUPPORTED
-    # X448      = "\x00\x1e" # UNSUPPORTED
+    X25519    = "\x00\x1d"
+    X448      = "\x00\x1e"
     # FFDHE2048 = "\x01\x00" # UNSUPPORTED
     # FFDHE3072 = "\x01\x01" # UNSUPPORTED
     # FFDHE4096 = "\x01\x02" # UNSUPPORTED
@@ -25,6 +25,8 @@ module TTTLS13
       #         opaque Y[coordinate_length];
       #     } UncompressedPointRepresentation;
       #
+      # https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.8.2
+      #
       # @param group [TTTLS13::Message::Extension::NamedGroup]
       #
       # @raise [TTTLS13::Error::ErrorAlerts]
@@ -38,11 +40,11 @@ module TTTLS13
           97
         when SECP521R1
           133
+        when X25519
+          32
+        when X448
+          56
         # not supported other NamedGroup
-        # when X25519
-        #   32
-        # when X448
-        #   56
         # when FFDHE2048
         #   256
         # when FFDHE4096
@@ -77,6 +79,10 @@ module TTTLS13
           'secp384r1'
         when SECP521R1
           'secp521r1'
+        when X25519
+          'X25519'
+        when X448
+          'X448'
         else
           # not supported other NamedGroup
           raise Error::ErrorAlerts, :internal_error

data/lib/tttls1.3/server.rb

@@ -38,6 +38,7 @@ module TTTLS13
   private_constant :DEFAULT_SP_SIGNATURE_ALGORITHMS
 
   DEFAULT_SP_NAMED_GROUP_LIST = [
+    NamedGroup::X25519,
     NamedGroup::SECP256R1,
     NamedGroup::SECP384R1,
     NamedGroup::SECP521R1
@@ -73,6 +74,7 @@ module TTTLS13
 
     # @param socket [Socket]
     # @param settings [Hash]
+    # rubocop: disable Metrics/AbcSize
     def initialize(socket, **settings)
       @connection = Connection.new(socket, :server)
       @settings = DEFAULT_SERVER_SETTINGS.merge(settings)
@@ -95,6 +97,7 @@ module TTTLS13
         raise Error::ConfigError unless cert.verify(sign.public_key)
       end
     end
+    # rubocop: enable Metrics/AbcSize
 
     #                              START <-----+
     #               Recv ClientHello |         | Send HelloRetryRequest
@@ -147,7 +150,7 @@ module TTTLS13
     def accept
       @transcript = Transcript.new
       key_schedule = nil # TTTLS13::KeySchedule
-      priv_key = nil # OpenSSL::PKey::$Object
+      shared_secret = nil # TTTLS13::SharedSecret
       hs_wcipher = nil # TTTLS13::Cryptograph::$Object
       hs_rcipher = nil # TTTLS13::Cryptograph::$Object
       sslkeylogfile = nil # TTTLS13::SslKeyLogFile::Writer
@@ -186,7 +189,7 @@ module TTTLS13
           ch_alpn = ch.extensions[
             Message::ExtensionType::APPLICATION_LAYER_PROTOCOL_NEGOTIATION
           ]
-          if !@settings[:alpn].nil? && !@settings[:alpn].empty? && !ch_alpn.nil?
+          if use_alpn? && !ch_alpn.nil?
             @alpn = ch_alpn.protocol_name_list
                            .find { |p| @settings[:alpn].include?(p) }
 
@@ -222,7 +225,7 @@ module TTTLS13
           logger.debug('ServerState::NEGOTIATED')
 
           ch, = @transcript[CH]
-          extensions, priv_key = gen_sh_extensions(@named_group)
+          extensions, shared_secret = gen_sh_extensions(@named_group)
           sh = send_server_hello(
             extensions,
             @cipher_suite,
@@ -233,13 +236,12 @@ module TTTLS13
 
           # generate shared secret
           ke = ch.extensions[Message::ExtensionType::KEY_SHARE]
-                &.key_share_entry
-                &.find { |kse| kse.group == @named_group }
-                &.key_exchange
-          shared_secret = Endpoint.gen_shared_secret(ke, priv_key, @named_group)
+                 &.key_share_entry
+                 &.find { |kse| kse.group == @named_group }
+                 &.key_exchange
           key_schedule = KeySchedule.new(
             psk: @psk,
-            shared_secret: shared_secret,
+            shared_secret: shared_secret.build(@named_group, ke),
             cipher_suite: @cipher_suite,
             transcript: @transcript
           )
@@ -285,8 +287,8 @@ module TTTLS13
           @transcript[CV] = [cv, cv.serialize]
           finished_key = key_schedule.server_finished_key
           signature = Endpoint.sign_finished(
-            digest: digest,
-            finished_key: finished_key,
+            digest:,
+            finished_key:,
             hash: @transcript.hash(digest, CV)
           )
           sf = Message::Finished.new(signature)
@@ -304,7 +306,7 @@ module TTTLS13
           digest = CipherSuite.digest(@cipher_suite)
           verified = Endpoint.verified_finished?(
             finished: cf,
-            digest: digest,
+            digest:,
             finished_key: key_schedule.client_finished_key,
             hash: @transcript.hash(digest, EOED)
           )
@@ -416,6 +418,11 @@ module TTTLS13
       true
     end
 
+    # @return [Boolean]
+    def use_alpn?
+      !@settings[:alpn].nil? && !@settings[:alpn].empty?
+    end
+
     # @param receivable_ccs [Boolean]
     #
     # @raise [TTTLS13::Error::ErrorAlerts]
@@ -424,7 +431,7 @@ module TTTLS13
     # @return [String]
     def recv_client_hello(receivable_ccs)
       ch, orig_msg = @connection.recv_message(
-        receivable_ccs: receivable_ccs,
+        receivable_ccs:,
         cipher: Cryptograph::Passer.new
       )
       @connection.terminate(:unexpected_message) \
@@ -441,8 +448,8 @@ module TTTLS13
     def send_server_hello(extensions, cipher_suite, session_id)
       sh = Message::ServerHello.new(
         legacy_session_id_echo: session_id,
-        cipher_suite: cipher_suite,
-        extensions: extensions
+        cipher_suite:,
+        extensions:
       )
       @connection.send_handshakes(Message::ContentType::HANDSHAKE, [sh],
                                   Cryptograph::Passer.new)
@@ -463,9 +470,9 @@ module TTTLS13
 
       # key_share
       sp_groups = ch1.extensions[Message::ExtensionType::SUPPORTED_GROUPS]
-                    &.named_group_list || []
+                     &.named_group_list || []
       ks_groups = ch1.extensions[Message::ExtensionType::KEY_SHARE]
-                    &.key_share_entry&.map(&:group) || []
+                     &.key_share_entry&.map(&:group) || []
       ksg = sp_groups.find do |g|
         !ks_groups.include?(g) && @settings[:supported_groups].include?(g)
       end
@@ -476,7 +483,7 @@ module TTTLS13
       sh = Message::ServerHello.new(
         random: Message::HRR_RANDOM,
         legacy_session_id_echo: ch1.legacy_session_id,
-        cipher_suite: cipher_suite,
+        cipher_suite:,
         extensions: exs
       )
       @connection.send_handshakes(Message::ContentType::HANDSHAKE, [sh],
@@ -513,7 +520,6 @@ module TTTLS13
     # @param ocsp_response [OpenSSL::OCSP::Response]
     #
     # @return [TTTLS13::Message::Certificate, CompressedCertificate, nil]
-    # rubocop: disable Metrics/CyclomaticComplexity
     def gen_certificate(crt, ch, chain = [], ocsp_response = nil)
       exs = Message::Extensions.new
       # status_request
@@ -540,7 +546,6 @@ module TTTLS13
 
       ct
     end
-    # rubocop: enable Metrics/CyclomaticComplexity
 
     # @param key [OpenSSL::PKey::PKey]
     # @param signature_scheme [TTTLS13::SignatureScheme]
@@ -549,12 +554,12 @@ module TTTLS13
     # @return [TTTLS13::Message::CertificateVerify, nil]
     def gen_certificate_verify(key, signature_scheme, hash)
       signature = sign_certificate_verify(
-        key: key,
-        signature_scheme: signature_scheme,
-        hash: hash
+        key:,
+        signature_scheme:,
+        hash:
       )
-      Message::CertificateVerify.new(signature_scheme: signature_scheme,
-                                     signature: signature)
+      Message::CertificateVerify.new(signature_scheme:,
+                                     signature:)
     end
 
     # @param cipher [TTTLS13::Cryptograph::Aead]
@@ -565,7 +570,7 @@ module TTTLS13
     # @return [String]
     def recv_finished(cipher)
       cf, orig_msg \
-        = @connection.recv_message(receivable_ccs: true, cipher: cipher)
+        = @connection.recv_message(receivable_ccs: true, cipher:)
       @connection.terminate(:unexpected_message) \
         unless cf.is_a?(Message::Finished)
 
@@ -575,7 +580,7 @@ module TTTLS13
     # @param named_group [TTTLS13::NamedGroup]
     #
     # @return [TTTLS13::Message::Extensions]
-    # @return [OpenSSL::PKey::EC.$Object]
+    # @return [TTTLS13::SharedSecret]
     def gen_sh_extensions(named_group)
       exs = Message::Extensions.new
       # supported_versions: only TLS 1.3
@@ -584,11 +589,11 @@ module TTTLS13
       )
 
       # key_share
-      key_share, priv_key \
+      key_share, shared_secret \
                  = Message::Extension::KeyShare.gen_sh_key_share(named_group)
       exs << key_share
 
-      [exs, priv_key]
+      [exs, shared_secret]
     end
 
     # @param ch [TTTLS13::Message::ClientHello]
@@ -625,10 +630,10 @@ module TTTLS13
     # @return [String]
     def sign_certificate_verify(key:, signature_scheme:, hash:)
       Endpoint.sign_certificate_verify(
-        key: key,
-        signature_scheme: signature_scheme,
+        key:,
+        signature_scheme:,
         context: 'TLS 1.3, server CertificateVerify',
-        hash: hash
+        hash:
       )
     end
 
@@ -646,7 +651,7 @@ module TTTLS13
     # @return [TTTLS13::NamedGroup, nil]
     def select_named_group(ch)
       ks_groups = ch.extensions[Message::ExtensionType::KEY_SHARE]
-                   &.key_share_entry&.map(&:group) || []
+                    &.key_share_entry&.map(&:group) || []
 
       ks_groups.find do |g|
         @settings[:supported_groups].include?(g)
@@ -659,7 +664,7 @@ module TTTLS13
     # @return [TTTLS13::SignatureScheme, nil]
     def select_signature_scheme(ch, crt)
       algorithms = ch.extensions[Message::ExtensionType::SIGNATURE_ALGORITHMS]
-                    &.supported_signature_algorithms || []
+                     &.supported_signature_algorithms || []
 
       Endpoint.select_signature_algorithms(algorithms, crt).find do |ss|
         @settings[:signature_algorithms].include?(ss)
@@ -672,7 +677,7 @@ module TTTLS13
     # @return [Boolean]
     def recognized_server_name?(ch, crt)
       server_name = ch.extensions[Message::ExtensionType::SERVER_NAME]
-                     &.server_name
+                      &.server_name
       return true if server_name.nil?
 
       Endpoint.matching_san?(crt, server_name)