)]}' { "commit": "40e356af73bb6467b31706730ac871cc4fedd8a9", "tree": "0bf6cb3c646fddf55c7c34035bb0ce9ed8c7c50a", "parents": [ "bf307da5c8883da9cd7290626a862d4358d8c4fc" ], "author": { "name": "David Benjamin", "email": "davidben@google.com", "time": "Thu Apr 23 13:38:43 2026 -0400" }, "committer": { "name": "boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com", "email": "boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com", "time": "Fri Apr 24 18:08:33 2026 -0700" }, "message": "Check for invalid certificate_authorities extensions\n\nOur parsers were neither rejecting trailing data, nor an empty list.\n(Empty lists aren\u0027t allowed because the sender should have skipped the\nextension.)\n\nUpdate-Note: Our TLS 1.3 parsers are slightly more spec-compliant and\nmay reject messages from buggy peers. This isn\u0027t expected to have any\nimpact. Confirmed that OpenSSL correctly skips the extension when empty.\nAny stack tested against our SSL tests also would have sent it\ncorrectly. Additionally, as a server, clients that send\ncertificate_authorities are rare. As a client, servers that send\nCertificateRequest are rare.\n\nChange-Id: I12c9821c12f0c075fc32635d447417b19e95263f\nReviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/93727\nCommit-Queue: David Benjamin \u003cdavidben@google.com\u003e\nReviewed-by: Lily Chen \u003cchlily@google.com\u003e\nAuto-Submit: David Benjamin \u003cdavidben@google.com\u003e\n", "tree_diff": [ { "type": "modify", "old_id": "50ce434bf31655405f341448f5adb13fd0c2ce65", "old_mode": 33188, "old_path": "ssl/extensions.cc", "new_id": "640001af4623569775679ff5e396574c707e1918", "new_mode": 33188, "new_path": "ssl/extensions.cc" }, { "type": "modify", "old_id": "ad8e3f73c2aa733d001ebaec7a85f8982fd1ed1d", "old_mode": 33188, "old_path": "ssl/test/runner/common.go", "new_id": "b98052c650f1c9bf7c93c9a718fc3e585a9f9e47", "new_mode": 33188, "new_path": "ssl/test/runner/common.go" }, { "type": "modify", "old_id": "3087efe374c140220bcf6d534bcee92786dc5828", "old_mode": 33188, "old_path": "ssl/test/runner/extension_tests.go", "new_id": "9334f450b5a8d48aa67df9148697448bef693cf8", "new_mode": 33188, "new_path": "ssl/test/runner/extension_tests.go" }, { "type": "modify", "old_id": "b5d708436f0dcfc9ee5ae1dc8f07c087c280e4ad", "old_mode": 33188, "old_path": "ssl/test/runner/handshake_client.go", "new_id": "f064c381daf0e364fbb2ac7bca60662c32c2893d", "new_mode": 33188, "new_path": "ssl/test/runner/handshake_client.go" }, { "type": "modify", "old_id": "2efccfd15ae6f8d3d630ee2ff96b0bbe59a559df", "old_mode": 33188, "old_path": "ssl/test/runner/handshake_messages.go", "new_id": "7d09d84a5864bd69319ffbc60d448af647366746", "new_mode": 33188, "new_path": "ssl/test/runner/handshake_messages.go" }, { "type": "modify", "old_id": "8425f74dcf0fb7e1d3b051e64b9d32efc210edfe", "old_mode": 33188, "old_path": "ssl/test/runner/handshake_server.go", "new_id": "fcb9c0a23652a3e74f9ec8a3670b47abe60a71df", "new_mode": 33188, "new_path": "ssl/test/runner/handshake_server.go" }, { "type": "modify", "old_id": "f092873566ec24ed7e933b0d98416f2c2b8f6c37", "old_mode": 33188, "old_path": "ssl/test/runner/runner.go", "new_id": "43b3227bfb7d22c04b3b42573ae27111417c7237", "new_mode": 33188, "new_path": "ssl/test/runner/runner.go" }, { "type": "modify", "old_id": "67b6321e095c9266614f55063f388bbd76695697", "old_mode": 33188, "old_path": "ssl/tls13_client.cc", "new_id": "c92bb27578ffc915e0c8764399c8611ef317c870", "new_mode": 33188, "new_path": "ssl/tls13_client.cc" } ] }