class Openssl < Formula desc "SSL/TLS cryptography library" homepage "https://openssl.org/" url "https://www.openssl.org/source/openssl-1.0.2g.tar.gz" mirror "https://dl.bintray.com/homebrew/mirror/openssl-1.0.2g.tar.gz" mirror "https://www.mirrorservice.org/sites/ftp.openssl.org/source/openssl-1.0.2g.tar.gz" sha256 "b784b1b3907ce39abf4098702dade6365522a253ad1552e267a9a0e89594aa33" bottle do sha256 "b1de0682c7a838a75da3a06ddad2b9700d208b2faaaa1b51c0889ba403c7dd22" => :el_capitan sha256 "68e5432c7b863341bc0c42c9a9391c11ba244519f110ba7c5ef4d97eb5c6b8fa" => :yosemite sha256 "cdb9ddcc2bc683afa836b40258acbd40fa82dc67b68b245b7413d85e18d98ca0" => :mavericks end keg_only :provided_by_osx, "Apple has deprecated use of OpenSSL in favor of its own TLS and crypto libraries" option :universal option "without-test", "Skip build-time tests (not recommended)" deprecated_option "without-check" => "without-test" depends_on "makedepend" => :build # Replace with upstream url if they merge the more robust fix # https://github.com/openssl/openssl/pull/597 if MacOS.version <= :snow_leopard patch do url "https://raw.githubusercontent.com/Homebrew/patches/3f1dc8ea145a70543aded8101a0c725abf82fc45/openssl/revert-pass-pure-constants-verbatim.patch" sha256 "e38f84181a56e70028ade8408ad70aaffaea386b7e1b35de55728ae878d544aa" end patch do url "https://raw.githubusercontent.com/Homebrew/patches/3f1dc8ea145a70543aded8101a0c725abf82fc45/openssl/tshort-asm.patch" sha256 "f161e2fc1395efcb53d785004d67d4962d28aa8ce282a91020f12809c03b2afd" end end def arch_args { :x86_64 => %w[darwin64-x86_64-cc enable-ec_nistp_64_gcc_128], :i386 => %w[darwin-i386-cc], } end def configure_args; %W[ --prefix=#{prefix} --openssldir=#{openssldir} no-ssl2 zlib-dynamic shared enable-cms ] end def install # Load zlib from an explicit path instead of relying on dyld's fallback # path, which is empty in a SIP context. This patch will be unnecessary # when we begin building openssl with no-comp to disable TLS compression. # https://langui.sh/2015/11/27/sip-and-dlopen inreplace "crypto/comp/c_zlib.c", 'zlib_dso = DSO_load(NULL, "z", NULL, 0);', 'zlib_dso = DSO_load(NULL, "/usr/lib/libz.dylib", NULL, DSO_FLAG_NO_NAME_TRANSLATION);' if build.universal? ENV.permit_arch_flags archs = Hardware::CPU.universal_archs elsif MacOS.prefer_64_bit? archs = [Hardware::CPU.arch_64_bit] else archs = [Hardware::CPU.arch_32_bit] end dirs = [] archs.each do |arch| if build.universal? dir = "build-#{arch}" dirs << dir mkdir dir mkdir "#{dir}/engines" system "make", "clean" end ENV.deparallelize system "perl", "./Configure", *(configure_args + arch_args[arch]) system "make", "depend" system "make" if (MacOS.prefer_64_bit? || arch == MacOS.preferred_arch) && build.with?("test") system "make", "test" end if build.universal? cp "include/openssl/opensslconf.h", dir cp Dir["*.?.?.?.dylib", "*.a", "apps/openssl"], dir cp Dir["engines/**/*.dylib"], "#{dir}/engines" end end system "make", "install", "MANDIR=#{man}", "MANSUFFIX=ssl" if build.universal? %w[libcrypto libssl].each do |libname| system "lipo", "-create", "#{dirs.first}/#{libname}.1.0.0.dylib", "#{dirs.last}/#{libname}.1.0.0.dylib", "-output", "#{lib}/#{libname}.1.0.0.dylib" system "lipo", "-create", "#{dirs.first}/#{libname}.a", "#{dirs.last}/#{libname}.a", "-output", "#{lib}/#{libname}.a" end Dir.glob("#{dirs.first}/engines/*.dylib") do |engine| libname = File.basename(engine) system "lipo", "-create", "#{dirs.first}/engines/#{libname}", "#{dirs.last}/engines/#{libname}", "-output", "#{lib}/engines/#{libname}" end system "lipo", "-create", "#{dirs.first}/openssl", "#{dirs.last}/openssl", "-output", "#{bin}/openssl" confs = archs.map do |arch| <<-EOS.undent #ifdef __#{arch}__ #{(buildpath/"build-#{arch}/opensslconf.h").read} #endif EOS end (include/"openssl/opensslconf.h").atomic_write confs.join("\n") end end def openssldir etc/"openssl" end def post_install keychains = %w[ /Library/Keychains/System.keychain /System/Library/Keychains/SystemRootCertificates.keychain ] certs_list = `security find-certificate -a -p #{keychains.join(" ")}` certs = certs_list.scan( /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m ) valid_certs = certs.select do |cert| IO.popen("#{bin}/openssl x509 -inform pem -checkend 0 -noout", "w") do |openssl_io| openssl_io.write(cert) openssl_io.close_write end $?.success? end openssldir.mkpath (openssldir/"cert.pem").atomic_write(valid_certs.join("\n")) end def caveats; <<-EOS.undent A CA file has been bootstrapped using certificates from the system keychain. To add additional certificates, place .pem files in #{openssldir}/certs and run #{opt_bin}/c_rehash EOS end test do # Make sure the necessary .cnf file exists, otherwise OpenSSL gets moody. assert (HOMEBREW_PREFIX/"etc/openssl/openssl.cnf").exist?, "OpenSSL requires the .cnf file for some functionality" # Check OpenSSL itself functions as expected. (testpath/"testfile.txt").write("This is a test file") expected_checksum = "e2d0fe1585a63ec6009c8016ff8dda8b17719a637405a4e23c0ff81339148249" system "#{bin}/openssl", "dgst", "-sha256", "-out", "checksum.txt", "testfile.txt" open("checksum.txt") do |f| checksum = f.read(100).split("=").last.strip assert_equal checksum, expected_checksum end end end