docs: add comments

handshake_messages.go

@@ -105,15 +105,13 @@ type clientHelloMsg struct {
 	nextProtoNeg bool
 }
 
-// [uTLS SECTION BEGIN]
 func (m *clientHelloMsg) marshalMsg(echInner bool) ([]byte, error) {
+	// [uTLS SECTION BEGIN]
 	return m.marshalMsgReorderOuterExts(echInner, nil)
 }
 
-// [uTLS SECTION END]
-
-// func (m *clientHelloMsg) marshalMsg(echInner bool) ([]byte, error) {
-func (m *clientHelloMsg) marshalMsgReorderOuterExts(echInner bool, outerExts []uint16) ([]byte, error) { // uTLS
+func (m *clientHelloMsg) marshalMsgReorderOuterExts(echInner bool, outerExts []uint16) ([]byte, error) {
+	// [uTLS SECTION END]
 	var exts cryptobyte.Builder
 	if len(m.serverName) > 0 {
 		// RFC 6066, Section 3
@@ -320,6 +318,7 @@ func (m *clientHelloMsg) marshalMsgReorderOuterExts(echInner bool, outerExts []u
 		}
 	}
 	// [uTLS SECTION BEGIN]
+	// reorder OuterExtensions according to their order in the spec
 	if echInner && outerExts != nil {
 		echOuterExtsReordered := slices.Collect(func(yield func(uint16) bool) {
 			for _, ext := range outerExts {

u_conn.go

@@ -504,7 +504,8 @@ func (uconn *UConn) extensionsList() []uint16 {
 }
 
 func (uconn *UConn) computeAndUpdateOuterECHExtension(inner *clientHelloMsg, ech *echClientContext, useKey bool) error {
-
+	// This function is mostly copied from
+	// https://github.com/refraction-networking/utls/blob/e430876b1d82fdf582efc57f3992d448e7ab3d8a/ech.go#L408
 	var encapKey []byte
 	if useKey {
 		encapKey = ech.encapsulatedKey
@@ -515,10 +516,7 @@ func (uconn *UConn) computeAndUpdateOuterECHExtension(inner *clientHelloMsg, ech
 		return err
 	}
 
-	// NOTE: the tag lengths for all of the supported AEADs are the same (16
-	// bytes), so we have hardcoded it here. If we add support for another AEAD
-	// with a different tag length, we will need to change this.
-	encryptedLen := len(encodedInner) + 16 // AEAD tag length
+	encryptedLen := len(encodedInner) + 16
 	outerECHExt, err := generateOuterECHExt(ech.config.ConfigID, ech.kdfID, ech.aeadID, encapKey, make([]byte, encryptedLen))
 	if err != nil {
 		return err
@@ -543,7 +541,7 @@ func (uconn *UConn) computeAndUpdateOuterECHExtension(inner *clientHelloMsg, ech
 	}
 
 	serializedOuter := uconn.HandshakeState.Hello.Raw
-	serializedOuter = serializedOuter[4:] // strip the four byte prefix
+	serializedOuter = serializedOuter[4:]
 	encryptedInner, err := ech.hpkeContext.Seal(serializedOuter, encodedInner)
 	if err != nil {
 		return err
@@ -573,11 +571,12 @@ func (uconn *UConn) MarshalClientHello() error {
 			return err
 		}
 
+		// copy compressed extensions to the ClientHelloInner
 		inner.keyShares = KeyShares(uconn.HandshakeState.Hello.KeyShares).ToPrivate()
 		inner.supportedSignatureAlgorithms = uconn.HandshakeState.Hello.SupportedSignatureAlgorithms
 		inner.sessionId = uconn.HandshakeState.Hello.SessionId
 		inner.supportedCurves = uconn.HandshakeState.Hello.SupportedCurves
-		inner.supportedVersions = []uint16{VersionTLS13}
+		inner.supportedVersions = []uint16{VersionTLS13} // hardcode tls 1.3 as it is the only supported version currently
 
 		ech.innerHello = inner
 

u_handshake_client.go

@@ -580,6 +580,8 @@ func (c *UConn) clientHandshake(ctx context.Context) (err error) {
 }
 
 func (c *UConn) echTranscriptMsg(outer *clientHelloMsg, echCtx *echClientContext) (err error) {
+	// Recreate the inner ClientHello from its compressed form using server's decodeInnerClientHello function.
+	// See https://github.com/refraction-networking/utls/blob/e430876b1d82fdf582efc57f3992d448e7ab3d8a/ech.go#L276-L283
 	encodedInner, err := encodeInnerClientHelloReorderOuterExts(echCtx.innerHello, int(echCtx.config.MaxNameLength), c.extensionsList())
 	if err != nil {
 		return err