Re: pkg/60292: haproxy 3.3.5 on NetBSD 11.0_RC4 crashes randomly due to OpenSSL errors

["Thomas Klausner via gnats" <gnats-admin%NetBSD.org@localhost>]

The following reply was made to PR lib/60292; it has been noted by GNATS.

From: Thomas Klausner <wiz%netbsd.org@localhost>
To: NetBSD bugtracking <gnats-bugs%netbsd.org@localhost>
Cc: 
Subject: Re: pkg/60292: haproxy 3.3.5 on NetBSD 11.0_RC4 crashes randomly due
 to OpenSSL errors
Date: Sat, 6 Jun 2026 18:40:27 +0200

 On Fri, Jun 05, 2026 at 11:25:01AM +0100, Bartek Krawczyk via gnats wrote:
 >  I applied these changes manually (there were more differences between 
 >  this file and the one shipped in NetBSD) and this part built OK however 
 >  the full distribution build fails with:
 
 The actual error is missing from the output you sent, it's probably a
 couple lines higher.
 
 Anyway, most of the patch is for tests anyway. Here's a patch that
 applies to NetBSD-current.
 
 Index: tls_common.c
 ===================================================================
 RCS file: /cvsroot/src/crypto/external/apache2/openssl/dist/ssl/record/methods/tls_common.c,v
 retrieving revision 1.1.1.3
 diff -u -r1.1.1.3 tls_common.c
 --- tls_common.c	8 Apr 2026 16:56:40 -0000	1.1.1.3
 +++ tls_common.c	6 Jun 2026 07:06:16 -0000
 @@ -1919,13 +1862,14 @@
  {
      int i, ret;
      TLS_BUFFER *thiswb;
 -    size_t tmpwrit = 0;
 +    size_t tmpwrit = 0, left;
  
      if (rl->nextwbuf >= rl->numwpipes)
          return OSSL_RECORD_RETURN_SUCCESS;
  
      for (;;) {
          thiswb = &rl->wbuf[rl->nextwbuf];
 +        left = TLS_BUFFER_get_left(thiswb);
  
          clear_sys_error();
          if (rl->bio != NULL) {
 @@ -1935,13 +1879,24 @@
                      return ret;
              }
              i = BIO_write(rl->bio, (char *)&(TLS_BUFFER_get_buf(thiswb)[TLS_BUFFER_get_offset(thiswb)]),
 -                (unsigned int)TLS_BUFFER_get_left(thiswb));
 +                (unsigned int)left);
              if (i >= 0) {
                  tmpwrit = i;
 -                if (i == 0 && BIO_should_retry(rl->bio))
 -                    ret = OSSL_RECORD_RETURN_RETRY;
 -                else
 +                if (i == 0 && left != 0) {
 +                    if (BIO_should_retry(rl->bio)) {
 +                        ret = OSSL_RECORD_RETURN_RETRY;
 +                    } else {
 +                        /*
 +                         * Treat this as a fatal I/O condition. Do not queue an
 +                         * SSL reason: a zero return with no retry flag may come
 +                         * from a custom BIO and does not imply an SSL library
 +                         * or protocol error.
 +                         */
 +                        ret = OSSL_RECORD_RETURN_FATAL;
 +                    }
 +                } else {
                      ret = OSSL_RECORD_RETURN_SUCCESS;
 +                }
              } else {
                  if (BIO_should_retry(rl->bio)) {
                      ret = OSSL_RECORD_RETURN_RETRY;
 @@ -1964,7 +1919,7 @@
           * Treat i == 0 as success rather than an error for zero byte
           * writes to permit this case.
           */
 -        if (i >= 0 && tmpwrit == TLS_BUFFER_get_left(thiswb)) {
 +        if (i >= 0 && tmpwrit == left) {
              TLS_BUFFER_set_left(thiswb, 0);
              TLS_BUFFER_add_offset(thiswb, tmpwrit);
              if (++(rl->nextwbuf) < rl->numwpipes)
 
 
  Thomas