Commit 60a174cd6c for openssl.org

commit 60a174cd6cb271c869c1bdfcf04c2d28dcc87016
Author: Frederik Wedel-Heinen <frederik.wedel-heinen@dencrypt.dk>
Date:   Fri Jun 19 12:49:10 2026 +0200

    ssl/record: remove remnants of SSLv2-specific code

    Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
    Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
    MergeDate: Tue Jun 23 07:09:07 2026
    (Merged from https://github.com/openssl/openssl/pull/31627)

diff --git a/ssl/record/methods/tls_common.c b/ssl/record/methods/tls_common.c
index e149d09898..190e61bb1c 100644
--- a/ssl/record/methods/tls_common.c
+++ b/ssl/record/methods/tls_common.c
@@ -526,8 +526,6 @@ static int rlayer_early_data_count_ok(OSSL_RECORD_LAYER *rl, size_t length,
  */
 #define MAX_EMPTY_RECORDS 32

-#define SSL2_RT_HEADER_LENGTH 2
-
 /*-
  * Call this to buffer new input records in rl->rrec.
  * It will return a OSSL_RECORD_RETURN_* value.
@@ -626,12 +624,7 @@ int tls_get_more_records(OSSL_RECORD_LAYER *rl)
          * rl->rstate == SSL_ST_READ_BODY, get and decode the data. Calculate
          * how much more data we need to read for the rest of the record
          */
-        if (thisrr->rec_version == SSL2_VERSION) {
-            more = thisrr->length + SSL2_RT_HEADER_LENGTH
-                - SSL3_RT_HEADER_LENGTH;
-        } else {
-            more = thisrr->length;
-        }
+        more = thisrr->length;

         if (more > 0) {
             /* now rl->packet_length == SSL3_RT_HEADER_LENGTH */
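Review bot: `more = thisrr->length;` here, and `thisrr->input = &(rl->packet[SSL3_RT_HEADER_LENGTH]);` in the next hunk, now assume unconditionally that every record reaching this point had a 5-byte header. That holds only if nothing earlier in tls_get_more_records can still store SSL2_VERSION in `thisrr->rec_version`; the header-parsing code is outside both hunks, so this cannot be confirmed from here. If a 2-byte-header path had survived, the input pointer would sit three bytes too far into `rl->packet` and the length bookkeeping would no longer match the buffered data. Once confirmed, I would state the invariant where it is relied on, e.g. `/* SSLv2-format headers are rejected earlier, so the header is always SSL3_RT_HEADER_LENGTH bytes */` above the assignment to `more`.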
@@ -646,13 +639,9 @@ int tls_get_more_records(OSSL_RECORD_LAYER *rl)

         /*
          * At this point, rl->packet_length == SSL3_RT_HEADER_LENGTH
-         * + thisrr->length, or rl->packet_length == SSL2_RT_HEADER_LENGTH
          * + thisrr->length and we have that many bytes in rl->packet
          */
-        if (thisrr->rec_version == SSL2_VERSION)
-            thisrr->input = &(rl->packet[SSL2_RT_HEADER_LENGTH]);
-        else
-            thisrr->input = &(rl->packet[SSL3_RT_HEADER_LENGTH]);
+        thisrr->input = &(rl->packet[SSL3_RT_HEADER_LENGTH]);

         /*
          * ok, we can now read from 'rl->packet' data into 'thisrr'.
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index e68d8f8fa1..548104e73b 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -835,15 +835,9 @@ start:
      */

     /*
-     * Lets just double check that we've not got an SSLv2 record
+     * Lets just double check that we've got a supported record version
      */
-    if (rr->version == SSL2_VERSION) {
-        /*
-         * Should never happen. ssl3_get_record() should only give us an SSLv2
-         * record back if this is the first packet and we are looking for an
-         * initial ClientHello. Therefore |type| should always be equal to
-         * |rr->type|. If not then something has gone horribly wrong
-         */
+    if (rr->version < TLS1_VERSION || rr->version > TLS1_3_VERSION) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
         return -1;
     }
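Review bot: The new check `rr->version < TLS1_VERSION || rr->version > TLS1_3_VERSION` is far wider than the single SSL2_VERSION value it replaces, yet it still reports `SSL_AD_INTERNAL_ERROR` / `ERR_R_INTERNAL_ERROR`. If `rr->version` carries the version field taken from the wire (its assignment is outside this hunk), a peer may now be able to reach this branch, for instance with a record-layer version of SSL3_VERSION on an initial ClientHello, and the failure would be logged and alerted as an internal fault rather than a protocol error. Please confirm that the record layer already rejects such values before this point; if it does not, `SSLfatal(s, SSL_AD_PROTOCOL_VERSION, SSL_R_WRONG_VERSION_NUMBER);` would describe the condition more accurately and keep peer-triggered errors distinguishable from real internal ones. The enclosing function starts and ends outside the hunk.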