Relax OpenSSL version to look at build date as well

Brett Hazen · Brett Hazen · commit bf00c885e4fa · 2014-06-04T18:19:31.000-07:00
diff --git a/riak/security.py b/riak/security.py
@@ -20,19 +20,52 @@
 import httplib
 import socket
 import select
+import string
+import datetime
 from riak import RiakError
 try:
     from cStringIO import StringIO
 except ImportError:
     from StringIO import StringIO
 
 OPENSSL_VERSION_101G = 268439679
+OPENSSL_VERSION_101 = 1000*1000*1 + 1000*0 + 1
+OPENSSL_VERSION_NUM_POS = 1
+OPENSSL_VERSION_DAY_POS = 4
+OPENSSL_VERSION_MON_POS = 3
+OPENSSL_VERSION_YEAR_POS = 7
+ssldate = datetime.date(2014, 4, 1)
 sslver = OpenSSL.SSL.OPENSSL_VERSION_NUMBER
 # Be sure to use at least OpenSSL 1.0.1g
 if (sslver < OPENSSL_VERSION_101G):
+    too_old = False
+    # Check the build date on older versions
     verstring = OpenSSL.SSL.SSLeay_version(OpenSSL.SSL.SSLEAY_VERSION)
-    raise RuntimeError("Found {0} version, but expected at least "
-                       "OpenSSL 1.0.1g".format(verstring))
+    versions = string.split(verstring)
+    # Convert version string to integer
+    verdots = string.split(versions[OPENSSL_VERSION_NUM_POS], '.')
+    if len(verdots) == 3:
+        verint = 1000 * 1000 * verdots[0] + 1000 * verdots[1] + \
+            verdots[2].translate(None, "abcdefghijklmnopqrstuvwxyz")
+        # Is this at least 1.0.1 built after April 2014 (hopefully patched)
+        if verint < OPENSSL_VERSION_101:
+            too_old = True
+        else:
+            builtstr = OpenSSL.SSL.SSLeay_version(OpenSSL.SSL.SSLEAY_BUILT_ON)
+            timestamp = string.split(builtstr)
+            import calendar
+            calmap = {v: k for k,v in enumerate(calendar.month_abbr)}
+            day = int(timestamp[OPENSSL_VERSION_DAY_POS])
+            mon = calmap[timestamp[OPENSSL_VERSION_MON_POS]]
+            year = int(timestamp[OPENSSL_VERSION_YEAR_POS])
+            build = datetime.date(year, mon, day)
+            if build < ssldate:
+                too_old = True
+    else:
+        too_old = True
+    if too_old:
+        raise RuntimeError("Found {0} version, but expected at least "
+                           "OpenSSL 1.0.1g".format(verstring))
 
 
 class SecurityError(RiakError):
