crypto: fix version check in hello parser

This is a follow up for 89cb740fc31f3be1c3af9fe787c7a405429ccac4

diff --git a/src/node_crypto_clienthello.cc b/src/node_crypto_clienthello.cc
index 70603e95c5bd9f47321326f4147525b844f6235d..ad0235343cc4eb41082fb82228d843c69597c97d 100644 (file)
--- a/src/node_crypto_clienthello.cc
+++ b/src/node_crypto_clienthello.cc
@@ -85,6 +85,12 @@ bool ClientHelloParser::ParseRecordHeader(const uint8_t* data, size_t avail) {
   return true;
 }
 
+#ifdef OPENSSL_NO_SSL2
+# define NODE_SSL2_VER_CHECK(buf) false
+#else
+# define NODE_SSL2_VER_CHECK(buf) ((buf)[0] == 0x00 && (buf)[1] == 0x02)
+#endif  // OPENSSL_NO_SSL2
+
 
 void ClientHelloParser::ParseHeader(const uint8_t* data, size_t avail) {
   ClientHello hello;
@@ -95,12 +101,10 @@ void ClientHelloParser::ParseHeader(const uint8_t* data, size_t avail) {
 
   // Skip unsupported frames and gather some data from frame
   // Check hello protocol version
-  if (!(data[body_offset_ + 4] == 0x03 && data[body_offset_ + 5] <= 0x03))
+  if (!(data[body_offset_ + 4] == 0x03 && data[body_offset_ + 5] <= 0x03) &&
+      !NODE_SSL2_VER_CHECK(data + body_offset_ + 4)) {
     goto fail;
-#ifndef OPENSSL_NO_SSL2
-  if (!(data[body_offset_ + 4] == 0x00 && data[body_offset_ + 5] == 0x02))
-    goto fail;
-#endif
+  }
 
   if (data[body_offset_] == kClientHello) {
     if (state_ == kTLSHeader) {
@@ -141,6 +145,9 @@ void ClientHelloParser::ParseHeader(const uint8_t* data, size_t avail) {
 }
 
 
+#undef NODE_SSL2_VER_CHECK
+
+
 void ClientHelloParser::ParseExtension(ClientHelloParser::ExtensionType type,
                                        const uint8_t* data,
                                        size_t len) {