runner: implement SecondHelloRetryRequest more straightforwardly

I am not sure why we ran through this increasingly large block of code, with side effects, twice. All this really needed was to send a second HRR and make sure the client rejected. Change-Id: I1122ef2c5f8f85e2f356a6112ae2042653469417 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/75631 Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: Bob Beck <bbe@google.com>
google · Jan 27, 2025 · f0a4948 · f0a4948
1 parent 5823b5e
commit f0a4948
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 8 deletions.
diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go
@@ -696,9 +696,6 @@ func (hs *serverHandshakeState) doTLS13Handshake() error {
 		hs.hello.hasKeyShare = false
 	}
 
-	firstHelloRetryRequest := true
-
-ResendHelloRetryRequest:
 	var sendHelloRetryRequest bool
 	cipherSuite := hs.suite.id
 	if config.Bugs.SendHelloRetryRequestCipherSuite != 0 {
@@ -906,9 +903,14 @@ ResendHelloRetryRequest:
 			return err
 		}
 
-		if firstHelloRetryRequest && config.Bugs.SecondHelloRetryRequest {
-			firstHelloRetryRequest = false
-			goto ResendHelloRetryRequest
+		if config.Bugs.SecondHelloRetryRequest {
+			c.writeRecord(recordTypeHandshake, helloRetryRequest.marshal())
+			// The peer should reject this. Read from the connection to pick up the alert.
+			_, err := c.readHandshake()
+			if err != nil {
+				return err
+			}
+			return errors.New("tls: client sent message instead of alert")
 		}
 	}
 

diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
@@ -15870,8 +15870,9 @@ func addTLS13HandshakeTests() {
 				SecondHelloRetryRequest: true,
 			},
 		},
-		shouldFail:    true,
-		expectedError: ":UNEXPECTED_MESSAGE:",
+		shouldFail:         true,
+		expectedError:      ":UNEXPECTED_MESSAGE:",
+		expectedLocalError: "remote error: unexpected message",
 	})
 
 	testCases = append(testCases, testCase{