)]}'
{
  "commit": "9806ae005b3085683a2fcf2953e4170893e0973d",
  "tree": "7e37a34a4e807a098687a1bf8020a4f57b2990f8",
  "parents": [
    "44544d9d2d624cbfff9b1e77cb77f8dfc70d073c"
  ],
  "author": {
    "name": "David Benjamin",
    "email": "davidben@google.com",
    "time": "Fri Aug 16 15:32:03 2019 -0400"
  },
  "committer": {
    "name": "CQ bot account: commit-bot@chromium.org",
    "email": "commit-bot@chromium.org",
    "time": "Mon Aug 19 16:44:43 2019 +0000"
  },
  "message": "Check the second ClientHello\u0027s PSK binder on resumption.\n\nWe perform all our negotiation based on the first ClientHello (for\nconsistency with what |select_certificate_cb| observed), which is in the\ntranscript, so we can ignore most of the second one.\n\nHowever, we ought to check the second PSK binder. That covers the client\nkey share, which we do consume. In particular, we\u0027ll want to check if it\nwe ever send half-RTT data on these connections (we do not currently do\nthis). It is also a tricky computation, so we enforce the peer handled\nit correctly.\n\nTested that both Chrome and Firefox continue to interop with this check,\nwhen configuring uncommon curve preferences that trigger HRR. (Normally\nneither browser sees HRRs against BoringSSL servers.)\n\nUpdate-Note: This does enforce some client behavior that we hadn\u0027t been\n    enforcing previously. However, it only figures into TLS 1.3 (not many\n    implementations yet), and only clients which hit HelloRetryRequest\n    (rare), so this should be low risk.\nChange-Id: I42126585ec0685d009542094192e674cbd22520d\nReviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/37124\nCommit-Queue: David Benjamin \u003cdavidben@google.com\u003e\nReviewed-by: Steven Valdez \u003csvaldez@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "ddb383c358351d892abae882b315d0131642b34d",
      "old_mode": 33188,
      "old_path": "crypto/err/ssl.errordata",
      "new_id": "132c9e0ff797f1f95f68d059bd7e040958f1c51f",
      "new_mode": 33188,
      "new_path": "crypto/err/ssl.errordata"
    },
    {
      "type": "modify",
      "old_id": "3d2bc07e37fbd74480acca392e55ce49c701dde6",
      "old_mode": 33188,
      "old_path": "include/openssl/ssl.h",
      "new_id": "679ee44e89a687bec8e2ec113ec6dc95f98eb9a3",
      "new_mode": 33188,
      "new_path": "include/openssl/ssl.h"
    },
    {
      "type": "modify",
      "old_id": "a53e43030e17198adcf54f625fea99f032d92c2d",
      "old_mode": 33188,
      "old_path": "ssl/handshake_client.cc",
      "new_id": "e1a506a78bb9fb5904048dd0f60551481c066422",
      "new_mode": 33188,
      "new_path": "ssl/handshake_client.cc"
    },
    {
      "type": "modify",
      "old_id": "b355c7f106a81634109f6766f89a95b504abd6b9",
      "old_mode": 33188,
      "old_path": "ssl/internal.h",
      "new_id": "580cf6ebe09e96718a25fa9c544b589f3f9a5e3e",
      "new_mode": 33188,
      "new_path": "ssl/internal.h"
    },
    {
      "type": "modify",
      "old_id": "8bb513da854958865f7339215c755eea8ac47641",
      "old_mode": 33188,
      "old_path": "ssl/ssl_transcript.cc",
      "new_id": "c1cef2bb12e4344836aba92a1b83d83b3d39e6f9",
      "new_mode": 33188,
      "new_path": "ssl/ssl_transcript.cc"
    },
    {
      "type": "modify",
      "old_id": "c1c41a8aa4bff65c34a82ce1f035c01a96b9dc59",
      "old_mode": 33188,
      "old_path": "ssl/t1_lib.cc",
      "new_id": "52cea6cfaa0cc308c7bdba4148e77faa52e1ffa8",
      "new_mode": 33188,
      "new_path": "ssl/t1_lib.cc"
    },
    {
      "type": "modify",
      "old_id": "b56b9b35b8dd18ac491f079954a1708881f6ea6a",
      "old_mode": 33188,
      "old_path": "ssl/test/runner/common.go",
      "new_id": "d1cf757dd5b85b0175a898c84efe531b0f8a9b7d",
      "new_mode": 33188,
      "new_path": "ssl/test/runner/common.go"
    },
    {
      "type": "modify",
      "old_id": "2574ec3f0361c31f011f774853dbda902e05b66d",
      "old_mode": 33188,
      "old_path": "ssl/test/runner/handshake_client.go",
      "new_id": "aa18ff325fa1177a366518de0e560eaaae42bb51",
      "new_mode": 33188,
      "new_path": "ssl/test/runner/handshake_client.go"
    },
    {
      "type": "modify",
      "old_id": "877a239c627483bcc5efbbdc1169527772b37581",
      "old_mode": 33188,
      "old_path": "ssl/test/runner/runner.go",
      "new_id": "5a4b0cc980c85e97231fecf2202933dacce2e356",
      "new_mode": 33188,
      "new_path": "ssl/test/runner/runner.go"
    },
    {
      "type": "modify",
      "old_id": "b6a402f4a4432e016105461940a22cd372046a70",
      "old_mode": 33188,
      "old_path": "ssl/tls13_enc.cc",
      "new_id": "7a98128475c7d0c5390106c203cb0851841a4e7b",
      "new_mode": 33188,
      "new_path": "ssl/tls13_enc.cc"
    },
    {
      "type": "modify",
      "old_id": "6a00dfa30fb11f28637fba9b2c3c9521057069ae",
      "old_mode": 33188,
      "old_path": "ssl/tls13_server.cc",
      "new_id": "1e87bb9f412fbc1ab320f59ffa09dca8120ecf8c",
      "new_mode": 33188,
      "new_path": "ssl/tls13_server.cc"
    }
  ]
}