)]}'
{
  "commit": "1c8b5caaa97eaa7ebe745954496522cccca81a50",
  "tree": "b7a729bbdada166fff46d1652e63bad053d1ab7f",
  "parents": [
    "ea52bc3f7558ff13f29a478be614b31c87b27c52"
  ],
  "author": {
    "name": "David Benjamin",
    "email": "davidben@google.com",
    "time": "Thu Jan 29 17:40:12 2026 -0500"
  },
  "committer": {
    "name": "Boringssl LUCI CQ",
    "email": "boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com",
    "time": "Tue Feb 10 14:17:31 2026 -0800"
  },
  "message": "Simplify PSK binder calculation\n\nThe PSK extension has a really annoying step. There is a list of\n\"binders\" whose value depends on the hash of the entire ClientHello,\ntruncated to the binders block at the end. This means it depends on two\nlength prefixes that, using our CBB API, have not yet been closed out:\n\n1. The length prefix on the extension list\n2. The length prefix on the entire ClientHello message\n\nAs a result, we implemented this by filling in all zeros, and then\npost-processing the message after the fact to fill them in. This got\nmessier with ECH, which constructs lots of different ClientHellos and\nClientHello-like structures. It will get even messier with external\nPSKs, which now require us to compute potentially multiple binders.\n\nNow that the PSK extension is treated fairly special anyway, we can\nchange its calling convention and fold the logic into the PSK extension.\nThis is effectively several steps, but the intermediate points are\nawkward, so this is one CL.\n\nFirst, we take care of the message header by having the binder\ncalculation compute the header on demand. This was already a bit hairy\non the DTLS side due to an unfortunate in-memory representation we need\nto juggle in DTLS. Now that is moot.\n\nThat lets us push binder calculation into ssl_add_clienthello_tlsext, as\nthat is passed a CBB that will ultimately contain the ClientHello, minus\nmessage header. But ssl_add_clienthello_tlsext bifurcates a bit between\nECH and non-ECH. Ideally we\u0027d push it one layer deeper.\n\nNext we change the ext_pre_shared_key_add_clienthello calling convention\nto take two generations of CBB into the same function: the unfinished\nClientHello and the unfinished extensions block. This is a bit unusual\nbut lets it perform all three steps together:\n\n1. Write out the PSK extension, with placeholder binder\n2. Close out the extension block to make the ClientHello coherent\n3. Replace the placeholder binder with the real binder, computed over\n   the now coherent ClientHello.\n\nThis should make it a lot easier to add more complex PSK support as it\ncan all be encapsulated in that one function. We now don\u0027t need to\nthread a needs_psk_binder output, though we do need to return the length\nof the PSK extension to help ECH copy it in two places. (That could\nprobably be avoided with more math, but this seemed simpler. The main\nissue is that, after ext_pre_shared_key_add_clienthello returns,\nCBB_len(\u0026extensions) is no longer usable.)\n\nBug: 369963041\nChange-Id: I16d66567bd4eec84397b0e8e05df57bb257d3b7e\nReviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/88409\nCommit-Queue: David Benjamin \u003cdavidben@google.com\u003e\nReviewed-by: Lily Chen \u003cchlily@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "f88e2366558c8792999d801aa2fd4c4a64c68d9f",
      "old_mode": 33188,
      "old_path": "ssl/encrypted_client_hello.cc",
      "new_id": "44a3c03412f1854dd2e5c4dd8c37cbfa90602604",
      "new_mode": 33188,
      "new_path": "ssl/encrypted_client_hello.cc"
    },
    {
      "type": "modify",
      "old_id": "36b9986638d840cf20dee94918aa164eae9e3e4b",
      "old_mode": 33188,
      "old_path": "ssl/extensions.cc",
      "new_id": "daf6435722dd726b1348960f2e7adb6fc5f557b9",
      "new_mode": 33188,
      "new_path": "ssl/extensions.cc"
    },
    {
      "type": "modify",
      "old_id": "638c75f728b3c6476ab4d299d857d1ff64724e7d",
      "old_mode": 33188,
      "old_path": "ssl/handshake_client.cc",
      "new_id": "901040c2a3d0a8d51ea7e5068d8913fabb212640",
      "new_mode": 33188,
      "new_path": "ssl/handshake_client.cc"
    },
    {
      "type": "modify",
      "old_id": "307729d489f89f5d30506632aa05e5c17090865e",
      "old_mode": 33188,
      "old_path": "ssl/internal.h",
      "new_id": "9053d88e92e5a9390555d597900f9b4d35e84581",
      "new_mode": 33188,
      "new_path": "ssl/internal.h"
    },
    {
      "type": "modify",
      "old_id": "c5baa83b3ca0d1ebcd10fd14009086228e588d46",
      "old_mode": 33188,
      "old_path": "ssl/tls13_enc.cc",
      "new_id": "5c0099e80f67652ebb8648cffc1ffc1986a6a439",
      "new_mode": 33188,
      "new_path": "ssl/tls13_enc.cc"
    }
  ]
}