)]}'
{
  "commit": "f01f42a2ce161657c6413ef71d7c04262c7abd56",
  "tree": "4b793e5679eb928332f517a278af74a45df3cf0b",
  "parents": [
    "34202b93b6195e9c55402a6bc2653956d0cd26d8"
  ],
  "author": {
    "name": "David Benjamin",
    "email": "davidben@google.com",
    "time": "Wed Nov 16 19:05:33 2016 +0900"
  },
  "committer": {
    "name": "CQ bot account: commit-bot@chromium.org",
    "email": "commit-bot@chromium.org",
    "time": "Thu Nov 17 01:02:42 2016 +0000"
  },
  "message": "Negotiate ciphers before resumption.\n\nThis changes our resumption strategy. Before, we would negotiate ciphers\nonly on fresh handshakes. On resumption, we would blindly use whatever\nwas in the session.\n\nInstead, evaluate cipher suite preferences on every handshake.\nResumption requires that the saved cipher suite match the one that would\nhave been negotiated anyway. If client or server preferences changed\nsufficiently, we decline the session.\n\nThis is much easier to reason about (we always pick the best cipher\nsuite), simpler, and avoids getting stuck under old preferences if\ntickets are continuously renewed. Notably, although TLS 1.2 ticket\nrenewal does not work in practice, TLS 1.3 will renew tickets like\nthere\u0027s no tomorrow.\n\nIt also means we don\u0027t need dedicated code to avoid resuming a cipher\nwhich has since been disabled. (That dedicated code was a little odd\nanyway since the mask_k, etc., checks didn\u0027t occur. When cert_cb was\nskipped on resumption, one could resume without ever configuring a\ncertificate! So we couldn\u0027t know whether to mask off RSA or ECDSA cipher\nsuites.)\n\nAdd tests which assert on this new arrangement.\n\nBUG\u003d116\n\nChange-Id: Id40d851ccd87e06c46c6ec272527fd8ece8abfc6\nReviewed-on: https://boringssl-review.googlesource.com/11847\nReviewed-by: Adam Langley \u003cagl@google.com\u003e\nCommit-Queue: Adam Langley \u003cagl@google.com\u003e\nCQ-Verified: CQ bot account: commit-bot@chromium.org \u003ccommit-bot@chromium.org\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "ff9169787c72bd86c8a049442e9951249d9d52d9",
      "old_mode": 33188,
      "old_path": "ssl/handshake_server.c",
      "new_id": "a0562d874f7b2b0f7200c3a7a841d00e850df17f",
      "new_mode": 33188,
      "new_path": "ssl/handshake_server.c"
    },
    {
      "type": "modify",
      "old_id": "8860d63917a481daae5ab3b57b5e35a31c3334ff",
      "old_mode": 33188,
      "old_path": "ssl/internal.h",
      "new_id": "d44179b0b2d75df2be679d86ede76069ef8661a9",
      "new_mode": 33188,
      "new_path": "ssl/internal.h"
    },
    {
      "type": "modify",
      "old_id": "9cc0d9d2d2925352f101c1b046658ac2b787ea48",
      "old_mode": 33188,
      "old_path": "ssl/s3_lib.c",
      "new_id": "901b8afee714d8bf5a8d3b5f5c83358910695519",
      "new_mode": 33188,
      "new_path": "ssl/s3_lib.c"
    },
    {
      "type": "modify",
      "old_id": "4a1f88dfeff9cd2c38ab988f408216eae1bc40f9",
      "old_mode": 33188,
      "old_path": "ssl/ssl_session.c",
      "new_id": "a28876b621644e37949f16767634a6ed1f41b3a2",
      "new_mode": 33188,
      "new_path": "ssl/ssl_session.c"
    },
    {
      "type": "modify",
      "old_id": "f55bf377ba7feebfb924344126ac444e19945917",
      "old_mode": 33188,
      "old_path": "ssl/test/runner/runner.go",
      "new_id": "c6b18b11846335efeee543a99a564b5e8f852afd",
      "new_mode": 33188,
      "new_path": "ssl/test/runner/runner.go"
    },
    {
      "type": "modify",
      "old_id": "0a8b97b82cf7b4b371c9288c3c383c3e79ebb3f8",
      "old_mode": 33188,
      "old_path": "ssl/tls13_server.c",
      "new_id": "83ef679537c42c9bd85d4bfa0548554cf3630638",
      "new_mode": 33188,
      "new_path": "ssl/tls13_server.c"
    }
  ]
}
