From f0a4948de12f24179a0882821e99723482d59542 Mon Sep 17 00:00:00 2001
From: David Benjamin
Date: Thu, 23 Jan 2025 18:26:26 -0500
Subject: [PATCH] runner: implement SecondHelloRetryRequest more straightforwardly

I am not sure why we ran through this increasingly large block of code, with side effects, twice. All this really needed was to send a second HRR and make sure the client rejected.

Change-Id: I1122ef2c5f8f85e2f356a6112ae2042653469417
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/75631
Auto-Submit: David Benjamin
Reviewed-by: Bob Beck
Commit-Queue: Bob Beck
---
 ssl/test/runner/handshake_server.go | 14 ++++++++------
 ssl/test/runner/runner.go | 5 +++--
 2 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go
index 2198ffd043..00a6287b62 100644
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go
@@ -696,9 +696,6 @@ func (hs *serverHandshakeState) doTLS13Handshake() error {
 hs.hello.hasKeyShare = false
 }
- firstHelloRetryRequest := true
-
-ResendHelloRetryRequest:
 var sendHelloRetryRequest bool
 cipherSuite := hs.suite.id
 if config.Bugs.SendHelloRetryRequestCipherSuite != 0 {
@@ -906,9 +903,14 @@ ResendHelloRetryRequest:
 return err
 }
- if firstHelloRetryRequest && config.Bugs.SecondHelloRetryRequest {
- firstHelloRetryRequest = false
- goto ResendHelloRetryRequest
+ if config.Bugs.SecondHelloRetryRequest {
+ c.writeRecord(recordTypeHandshake, helloRetryRequest.marshal())
+ // The peer should reject this. Read from the connection to pick up the alert.
+ _, err := c.readHandshake()
+ if err != nil {
+ return err
+ }
+ return errors.New("tls: client sent message instead of alert")
 }
 }
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index adc35bd4fe..4a58458b02 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
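Review bot: In the new `if config.Bugs.SecondHelloRetryRequest` branch (second hunk of handshake_server.go), the result of `c.writeRecord(recordTypeHandshake, helloRetryRequest.marshal())` is discarded, so a failed send of the second HelloRetryRequest would only surface as whatever `c.readHandshake()` returns afterwards. Assuming writeRecord returns a byte count and an error (its definition is outside the hunk), `if _, err := c.writeRecord(recordTypeHandshake, helloRetryRequest.marshal()); err != nil { return err }` keeps a transport failure distinguishable from the client's alert. If handshake writes can be buffered in this runner, the record would also need flushing before the read, otherwise the test could stall waiting for an alert the client was never prompted to send; this is worth confirming. doTLS13Handshake starts and ends outside the hunk.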
@@ -15870,8 +15870,9 @@ func addTLS13HandshakeTests() {
 SecondHelloRetryRequest: true,
 },
 },
- shouldFail: true,
- expectedError: ":UNEXPECTED_MESSAGE:",
+ shouldFail: true,
+ expectedError: ":UNEXPECTED_MESSAGE:",
+ expectedLocalError: "remote error: unexpected message",
 })
 testCases = append(testCases, testCase{
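Review bot: Nothing at this test entry says that the added `expectedLocalError` line is what makes the case require an unexpected_message alert from the client, rather than any failure of the handshake. A short comment above `shouldFail`, such as `// The client must reject the second HelloRetryRequest with an unexpected_message alert.`, would record that intent. The expected string appears to be coupled to how the runner formats a received alert, so the two would have to change together. The testCase literal begins outside the hunk.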