{
  "commit": "e6b800f90bbdaf57b565db2ce3fd5782df2d7366",
  "tree": "c4788fb95b1c070ca1dbc7cf749c462ec094393b",
  "parents": [
    "0c3c42784edb5fddb7673998727746fe177df090"
  ],
  "author": {
    "name": "David Benjamin",
    "email": "davidben@google.com",
    "time": "Mon Nov 11 17:31:41 2024 -0500"
  },
  "committer": {
    "name": "Boringssl LUCI CQ",
    "email": "boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com",
    "time": "Tue Nov 12 23:34:45 2024 +0000"
  },
  "message": "Track SSL session types a bit better on the client\n\nA session could be offered in one of three fields:\n\n- The TLS 1.2 session ID\n- The TLS 1.2 session ticket extension\n- The TLS 1.3 PSK extension\n\nWe didn\u0027t quite keep track of which kind we had. In particular:\n\n- We are not willing to send TLS 1.2 session tickets if SSL_OP_NO_TICKET\n  is set. However, if we were configured with a ticket session AND\n  enabled TLS 1.3, we\u0027d send a non-empty session ID. If the server\n  echoed the session ID anyway, we\u0027d get confused and think the session\n  was being resumed. There\u0027s no real practical consequence to this, but\n  we should reject this.\n\n- If we somehow constructed a TLS 1.3 session with ID but no ticket, we\n  would think it was an ID session and offer the session ID after the\n  cleanup in\n  https://boringssl-review.googlesource.com/c/boringssl/+/69947. We\u0027d\n  also send a PSK extension with an empty PSK field, and then even allow\n  the server to resume it. This isn\u0027t completely absurd (except that PSK\n  identities cannot be empty), but offering the session ID would trip\n  QUIC up.\n\n  This case should be impossible... but before the bug fixed in\n  I1651e7887f9611ebc44ac54af89c85bf86a9feff, this was actually\n  reachable. There\u0027s no practical consequence, but we should reject this\n  at a better place.\n\n- The code to decide whether the server could send pre_shared_key in\n  ServerHello just checked for any session at all, even a TLS 1.2\n  session. This has no practical consequence because we\u0027ll just catch it\n  later, but may as well fix this.\n\nFix this by adding a function to classify the SSL_SESSION and then catch\non that throughout.\n\nChange-Id: I26a721b7c473d08525217e4ab1d0d341d651dfcb\nReviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/73008\nReviewed-by: Adam Langley \u003cagl@google.com\u003e\nCommit-Queue: David Benjamin \u003cdavidben@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "ad4bf8151b27392ee2b1d5d37f2f09fd04f662a7",
      "old_mode": 33188,
      "old_path": "ssl/extensions.cc",
      "new_id": "1845bcaf714ebee2808c929f89562d273dcc3b08",
      "new_mode": 33188,
      "new_path": "ssl/extensions.cc"
    },
    {
      "type": "modify",
      "old_id": "9bd84627ef67eb1bf3fb0a07929dc1b0cc0d0c4c",
      "old_mode": 33188,
      "old_path": "ssl/handshake_client.cc",
      "new_id": "2655a6a82e0c148b421d0990fbe29207c93679fb",
      "new_mode": 33188,
      "new_path": "ssl/handshake_client.cc"
    },
    {
      "type": "modify",
      "old_id": "fcca3c73e0319e69e90cb28253ade33601651e9f",
      "old_mode": 33188,
      "old_path": "ssl/internal.h",
      "new_id": "3e68a8bf1da33d4608ac184a394d39ad9ccb7b6f",
      "new_mode": 33188,
      "new_path": "ssl/internal.h"
    },
    {
      "type": "modify",
      "old_id": "f455b1b623c67c2eb94b93215045065d48c3cf50",
      "old_mode": 33188,
      "old_path": "ssl/ssl_session.cc",
      "new_id": "9ceefbb0ad20e6b3e961b006eecdfe803ea8eb06",
      "new_mode": 33188,
      "new_path": "ssl/ssl_session.cc"
    },
    {
      "type": "modify",
      "old_id": "a4fedd890782cb1c915ebc3429869021a4b0b260",
      "old_mode": 33188,
      "old_path": "ssl/ssl_test.cc",
      "new_id": "a6e62d442b521f8fbdc5cb418126973e81bbd2cf",
      "new_mode": 33188,
      "new_path": "ssl/ssl_test.cc"
    },
    {
      "type": "modify",
      "old_id": "16a1df2c627dc1cd13100f9f1c728b2b3860bda0",
      "old_mode": 33188,
      "old_path": "ssl/test/runner/common.go",
      "new_id": "2a3b648b11fd9167d7c624967421d48ae029b637",
      "new_mode": 33188,
      "new_path": "ssl/test/runner/common.go"
    },
    {
      "type": "modify",
      "old_id": "8c10c82058ff3799462d0f498e150738f660ea6a",
      "old_mode": 33188,
      "old_path": "ssl/test/runner/handshake_server.go",
      "new_id": "08165ae151bf27a8f86f4994b52fc29e0b37cd6d",
      "new_mode": 33188,
      "new_path": "ssl/test/runner/handshake_server.go"
    },
    {
      "type": "modify",
      "old_id": "4e90c3174b94b6f881dbea07c71fa9f5274734a8",
      "old_mode": 33188,
      "old_path": "ssl/test/runner/runner.go",
      "new_id": "4f7d74aa7ea5046f607af994dbdccf922597c210",
      "new_mode": 33188,
      "new_path": "ssl/test/runner/runner.go"
    },
    {
      "type": "modify",
      "old_id": "a783a0a154e6c8676397cda6d8ed4d7343d7f19a",
      "old_mode": 33188,
      "old_path": "ssl/tls13_client.cc",
      "new_id": "00215c3cdb574e178da003ed36017bb2a385a057",
      "new_mode": 33188,
      "new_path": "ssl/tls13_client.cc"
    }
  ]
}
