Update OpenSSL to version 3.5.4 in CI

OpenSSL for Windows is now prebuilt. Instructions to build OpenSSL for
Android are also changed.

Pick-to: 6.11
Task-number: QTQAINFRA-5540
Change-Id: I40fb6964b5887c4bfee008997057a75cc70ac037
Reviewed-by: Tero Heikkinen <tero.heikkinen@qt.io>

coin/platform_configs/cmake_platforms.yaml

@@ -190,7 +190,7 @@ Configurations:
     Features: ['Sccache', 'Packaging', "DebugAndRelease", 'UseConfigure', 'GenerateSBOM', 'VerifySBOM']
     Configure arguments: '-debug-and-release -force-debug-info -headersclean -nomake examples -qt-zlib'
     Environment variables: [
-        'CMAKE_ARGS=-DFEATURE_msvc_obj_debug_info=ON -DOPENSSL_ROOT_DIR={{.Env.OPENSSL_INCLUDE_x64}}\.. -DPostgreSQL_ROOT={{.Env.POSTGRESQL_LIB_x64}}\..',
+        'CMAKE_ARGS=-DFEATURE_msvc_obj_debug_info=ON -DOPENSSL_ROOT_DIR={{.Env.OPENSSL_ROOT_DIR_x64}}\.. -DPostgreSQL_ROOT={{.Env.POSTGRESQL_LIB_x64}}\..',
         'NON_QTBASE_CMAKE_ARGS=-DFFMPEG_DIR={{.Env.FFMPEG_DIR_MSVC}} -DQT_DEPLOY_FFMPEG=TRUE -DFEATURE_clangcpp=OFF -DINPUT_headersclean=ON',
         'LLVM_INSTALL_DIR={{.Env.LLVM_INSTALL_DIR_msvc}}',
         'VCPKG_HOST_TRIPLET=x64-windows-qt',
@@ -224,9 +224,9 @@ Configurations:
         'TARGET_CONFIGURE_ARGS=-debug-and-release -force-debug-info -platform win32-arm64-msvc -qt-zlib -no-sql-db2 -no-sql-ibase -no-sql-mysql -no-sql-oci -no-sql-psql -no-sql-mimer',
         'TARGET_CMAKE_ARGS=-DFEATURE_msvc_obj_debug_info=ON -DOPENSSL_ROOT_DIR={{.Env.OPENSSL_ROOT_DIR_x64_arm64}} -DQT_FORCE_BUILD_TOOLS=ON',
         'NON_QTBASE_TARGET_CMAKE_ARGS=-DFEATURE_native_grpc=OFF -DFFMPEG_DIR={{.Env.FFMPEG_DIR_MSVC_ARM64}} -DQT_DEPLOY_FFMPEG=TRUE',
-        'OPENSSL_CONF_x64={{.Env.OPENSSL_CONF_x64_arm64}}',
-        'OPENSSL_INCLUDE_x64={{.Env.OPENSSL_INCLUDE_x64_arm64}}',
-        'OPENSSL_LIB_x64={{.Env.OPENSSL_LIB_x64_arm64}}',
+        'OPENSSL_INCLUDE={{.Env.OPENSSL_INCLUDE_x64_arm64}}',
+        'OPENSSL_LIB={{.Env.OPENSSL_LIB_x64_arm64}}',
+        'OPENSSL_ROOT_DIR={{.Env.OPENSSL_ROOT_DIR_x64_arm64}}',
         'LLVM_INSTALL_DIR={{.Env.LLVM_INSTALL_DIR_msvc_arm64}}',
         'VCPKG_HOST_TRIPLET=x64-windows-qt',
         'VCPKG_TARGET_TRIPLET=arm64-windows-qt',

coin/provisioning/common/unix/install-openssl.sh

@@ -1,13 +1,13 @@
 #!/usr/bin/env bash
-# Copyright (C) 2022 The Qt Company Ltd.
+# Copyright (C) 2025 The Qt Company Ltd.
 # SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
 
 # This script install OpenSSL from sources.
 # Requires GCC and Perl to be in PATH.
 set -ex
 os="$1"
-version=${2:-"3.0.7"}
-sha=${3:-"f20736d6aae36bcbfa9aba0d358c71601833bf27"}
+version=${2:-"3.5.4"}
+sha=${3:-"b75daac8e10f189abe28a076ba5905d363e4801f"}
 
 SCRIPT_DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
 # shellcheck source=../unix/DownloadURL.sh
@@ -104,6 +104,18 @@ elif [ "$os" == "macos" ] || [ "$os" == "macos-universal" ]; then
     SetEnvVar "OPENSSL_INCLUDE" "\"$openssl_install_dir/include\""
     SetEnvVar "OPENSSL_LIB" "\"$openssl_install_dir/lib\""
 
+    # Set runtime loader (dyld) and OpenSSL providers for SSL tests (QTBUG-142392)
+    SetEnvVar "DYLD_LIBRARY_PATH" "\"$opensslTargetLocation/lib:\$DYLD_LIBRARY_PATH\""
+    SetEnvVar "OPENSSL_MODULES" "\"$opensslTargetLocation/lib/ossl-modules\""
+    # Check that the versioned dylibs exists and ML-DSA is available
+    test -f "$opensslTargetLocation/lib/libcrypto.3.dylib"
+    test -f "$opensslTargetLocation/lib/libssl.3.dylib"
+    test -d "$opensslTargetLocation/lib/ossl-modules"
+
+    OPENSSL_MODULES="$opensslTargetLocation/lib/ossl-modules" \
+    "$opensslTargetLocation/bin/openssl" list -signature-algorithms | \
+    grep -q -i 'ML-DSA' || { echo "ML-DSA not available"; exit 1; }
+
     security find-certificate -a -p /Library/Keychains/System.keychain | sudo tee -a "$opensslTargetLocation/ssl/cert.pem" > /dev/null
     security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain | sudo tee -a "$opensslTargetLocation/ssl/cert.pem" > /dev/null
 fi

coin/provisioning/common/unix/openssl_for_android.sh

@@ -13,15 +13,15 @@ source "${BASH_SOURCE%/*}/../unix/SetEnvVar.sh"
 
 outputPathBase="${HOME}"
 
-sslVersionForLatest="3.0.7"
+sslVersionForLatest="3.5.4"
 ndkVersionLatest="r27c"
-featureSuffixLatest="_16kb"
-prebuiltOpensslShaLatest="2cc15dd990460c2c7157ab257a47071fbd9e0ac8"
+featureSuffixLatest="_16kb_fixed_symversions"
+prebuiltOpensslShaLatest="b9dc30ed77bfd26e526e81d558d6964585b27283"
 
-sslVersionForPreview="3.0.7"
+sslVersionForPreview="3.5.4"
 ndkVersionPreview="r29-beta2"
-featureSuffixPreview="_16kb"
-prebuiltOpensslShaPreview="76c9788216440111be97ea1a63c4d8cd807baacd"
+featureSuffixPreview="_16kb_fixed_symversions"
+prebuiltOpensslShaPreview="89b6692e983c7e9678dcd9fc03da623fb75593d3"
 
 ndkVersionNightly1=$ndkVersionLatest
 sslVersionForNightly1=$sslVersionForLatest
@@ -33,36 +33,20 @@ sslVersionForNightly2=$sslVersionForLatest
 featureSuffixNightly2=""
 prebuiltOpensslShaNightly2=$prebuiltOpensslShaLatest
 
-: <<'EOB' SOURCE BUILD INSTRUCTIONS - Openssl prebuilt was made using Android NDK r29-beta2
-# Source built requires GCC and Perl to be in PATH. Rhel "requires yum install perl-IPC-Cmd"
-exports_file="/tmp/export.sh"
-# source previously made environmental variables.
-if uname -a |grep -q "Ubuntu"; then
-    # shellcheck disable=SC1090
-    grep -e "^export" "$HOME/.profile" > $exports_file && source $exports_file
-    rm -rf "$exports_file"
-else
-    # shellcheck disable=SC1090
-    grep -e "^export" "$HOME/.bashrc" > $exports_file && source $exports_file
-    rm -rf "$exports_file"
-fi
+: <<'EOB' SOURCE BUILD INSTRUCTIONS
+Openssl 3.5.4 prebuilt was made using Android NDK r27c Revision 27.2.12479018
+and r29-beta2 Revision 29.0.13599879
 
-officialUrl="https://www.openssl.org/source/openssl-$sslVersionForLatest.tar.gz"
-cachedUrl="http://ci-files01-hki.ci.qt.io/input/openssl/openssl-$sslVersionForLatest.tar.gz"
-targetFile="/tmp/openssl-$sslVersionForLatest.tar.gz"
-sha="f20736d6aae36bcbfa9aba0d358c71601833bf27"
-opensslHome="${HOME}/openssl/android/openssl-${sslVersionForLatest}"
-DownloadURL "$cachedUrl" "$officialUrl" "$sha" "$targetFile"
-mkdir -p "${HOME}/openssl/android/"
-tar -xzf "$targetFile" -C "${HOME}/openssl/android/"
-if uname -a |grep -q "Darwin"; then
-    TOOLCHAIN=${ANDROID_NDK_ROOT}/toolchains/llvm/prebuilt/darwin-x86_64/bin
-else
-    TOOLCHAIN=${ANDROID_NDK_ROOT}/toolchains/llvm/prebuilt/linux-x86_64/bin
-fi
-cd "$opensslHome"
-PATH=$TOOLCHAIN:$PATH CC=clang ./Configure android-arm
-PATH=$TOOLCHAIN:$PATH CC=clang make build_generated
+By using a helpful (build_ssl.sh) script from:
+Android OpenSSL support for Qt
+https://github.com/KDAB/android_openssl/commit/b71f1470962019bd89534a2919f5925f93bc5779
+
+Download the same NDK version that the Qt branch supports
+https://developer.android.com/ndk/downloads
+
+Modify the script to your liking: set a path to NDK root, set OpenSSL version
+(script will download needed OpenSSL packages)
+Set ANDROID_API to the lowest version of Android which will be used.
 EOB
 
 function BuildOutputPath() {

coin/provisioning/common/windows/android-openssl.ps1

@@ -15,15 +15,15 @@ if (Is64BitWinHost) {
 # Msys need to be installed to target machine
 # More info and building instructions can be found from http://doc.qt.io/qt-5/opensslsupport.html
 
-$openssl_version_latest = "3.0.7"
-$ndk_version_latest = "r27c"
-$prebuilt_ssl_sha1_latest = "733cff853b6ee7738e78b90f46b5f028c8490e1e"
-$openssl_sha1_latest = "f20736d6aae36bcbfa9aba0d358c71601833bf27"
+$openssl_version_latest = "3.5.4"
+$ndk_version_latest = "r27c_16kb"
+$prebuilt_ssl_sha1_latest = "a76cd9ec719d4e71473dcf451d648a9766247081"
+$openssl_sha1_latest = "b75daac8e10f189abe28a076ba5905d363e4801f"
 
-$openssl_version_preview = "3.0.7"
-$ndk_version_preview = "r29-beta2"
-$prebuilt_ssl_sha1_preview = "c2cf8fabfb7e00b31abcc554e6e306dafd99ae1b"
-$openssl_sha1_preview = "f20736d6aae36bcbfa9aba0d358c71601833bf27"
+$openssl_version_preview = "3.5.4"
+$ndk_version_preview = "r29-beta2_16kb"
+$prebuilt_ssl_sha1_preview = "664bab8b4f5e01c8bb87ab0ea8333b2ef1af703d"
+$openssl_sha1_preview = "b75daac8e10f189abe28a076ba5905d363e4801f"
 
 $openssl_version_nightly1 = $openssl_version_latest
 $ndk_version_nightly1 = $ndk_version_latest

coin/provisioning/common/windows/openssl-arm64.ps1

@@ -1,31 +1,28 @@
-# Copyright (C) 2022 The Qt Company Ltd.
+# Copyright (C) 2025 The Qt Company Ltd.
 # SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
 
 . "$PSScriptRoot\helpers.ps1"
 
-# This script installs OpenSSL ARM64 $version.
+# This script installs OpenSSL ARM64 (debug version)
 
-##### OpenSSL ARM64 has been pre-built with following commands #####
-# Two different builds were done to the same folder C:\openssl_arm64\. One with '--debug' and one with '--release' parameter
-# From Visual studio 'C++ Universal Windows Platform support for v142 build tools (ARM64)' and 'Windows Universal C Runtime' were installed
-# cd C:\Program Files (x86)\Microsoft Visual Studio\2019\Professional\VC\Auxiliary\Build
-# call vcvarsamd64_arm64
-# curl -o C:\Utils\openssl-3.0.7.zip http://ci-files01-hki.ci.qt.io/input/openssl/openssl-3.0.7.zip
+##### OpenSSL ARM64 and x64-arm64 has been pre-built with following commands #####
+# From Visual studio 'C++ Universal Windows Platform support for v143 build tools' and 'Windows Universal C Runtime' were installed
+# cd C:\Program Files\Microsoft Visual Studio\2022\Professional\VC\Auxiliary\Build
+# call vcvarsamd64_arm64 (or vcvarsarm64 in Windows 11 arm64 OS)
+# curl -o C:\Utils\openssl-3.5.4.zip http://ci-files01-hki.ci.qt.io/input/openssl/openssl-3.5.4.zip
+# (or https://github.com/openssl/openssl/releases/download/openssl-3.5.4/openssl-3.5.4.tar.gz)
 # cd C:\Utils
-# C:\Utils\sevenzip\7z.exe x C:\Utils\openssl-3.0.7.zip
-# cd C:\Utils\openssl-3.0.7
-# perl Configure no-asm VC-WIN64-ARM --debug --prefix=C:\openssl_arm64\ --openssldir=C:\openssl_arm64\
+# C:\Utils\sevenzip\7z.exe x C:\Utils\openssl-3.5.4.zip
+# cd C:\Utils\openssl-3.5.4
+# perl Configure no-asm VC-WIN64-ARM --debug --prefix=C:\openssl_arm64\
 # nmake
 # nmake install
-#
-# perl Configure no-asm VC-WIN64-ARM --release --prefix=C:\openssl_arm64\ --openssldir=C:\openssl_arm64\
-# nmake
-# nmake install
-#################################################################################################################################################
+##################################################################################
 
-$version = "3_0_7"
-$url = "\\ci-files01-hki.ci.qt.io\provisioning\openssl\openssl-$version-arm64.zip"
-$sha1 = "19be15069d981b4a96f5715f039df7aaa7456d52"
+$version = "3.5.4"
+
+$url = "https://ci-files01-hki.ci.qt.io/input/openssl/openssl-$version-prebuild-windows-msvc2022-arm64.zip"
+$sha1 = "e5fdf5c565e7c275fdfe877f31b387eb48da5d96"
 $installFolder = "C:\openssl_arm64"
 $zip_package = "C:\Windows\Temp\$version.zip"
 
@@ -38,9 +35,8 @@ Remove $zip_package
 $cpu_arch = Get-CpuArchitecture
 switch ($cpu_arch) {
     arm64 {
-        # For native arm64
+        # Native arm64
         Set-EnvironmentVariable "OPENSSL_ROOT_DIR_arm64" "$installFolder"
-        Set-EnvironmentVariable "OPENSSL_CONF_arm64" "$installFolder\bin\openssl.cfg"
         Set-EnvironmentVariable "OPENSSL_INCLUDE_arm64" "$installFolder\include"
         Set-EnvironmentVariable "OPENSSL_LIB_arm64" "$installFolder\lib"
         Break
@@ -48,7 +44,6 @@ switch ($cpu_arch) {
     x64 {
         # For cross-compiling x64_arm64
         Set-EnvironmentVariable "OPENSSL_ROOT_DIR_x64_arm64" "$installFolder"
-        Set-EnvironmentVariable "OPENSSL_CONF_x64_arm64" "$installFolder\bin\openssl.cfg"
         Set-EnvironmentVariable "OPENSSL_INCLUDE_x64_arm64" "$installFolder\include"
         Set-EnvironmentVariable "OPENSSL_LIB_x64_arm64" "$installFolder\lib"
     }

coin/provisioning/common/windows/openssl.ps1

@@ -1,64 +1,44 @@
-# Copyright (C) 2022 The Qt Company Ltd.
+# Copyright (C) 2025 The Qt Company Ltd.
 # SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
 
 . "$PSScriptRoot\helpers.ps1"
 
-# This script installs OpenSSL $version.
-# Both x86 and x64 versions needed when x86 integrations are done on x64 machine
+# This script installs OpenSSL x86_64 (debug version)
 
-$version = "3_0_7"
-$packagex64 = "C:\Windows\Temp\Win64OpenSSL-$version.exe"
-$packagex86 = "C:\Windows\Temp\Win32OpenSSL-$version.exe"
+##### OpenSSL has been pre-built with following commands #####
+# cd C:\Program Files\Microsoft Visual Studio\2022\Professional\VC\Auxiliary\Build
+# call vcvarsamd64
+# curl -o C:\Utils\openssl-3.5.4.zip http://ci-files01-hki.ci.qt.io/input/openssl/openssl-3.5.4.zip
+# cd C:\Utils
+# C:\Utils\sevenzip\7z.exe x C:\Utils\openssl-3.5.4.zip
+# cd C:\Utils\openssl-3.5.4
+# perl Configure VC-WIN64A --debug --prefix=C:\openssl_x64\
+# nmake
+# nmake install
+####################################################################################################
 
-if (Is64BitWinHost) {
-
-    # Install x64 bit version
-    $architecture = "x64"
-    $installFolder = "C:\openssl"
-    $externalUrl = "https://slproweb.com/download/Win64OpenSSL-$version.exe"
-    $internalUrl = "\\ci-files01-hki.ci.qt.io\provisioning\openssl\Win64OpenSSL-$version.exe"
-    $sha1 = "2fb73f233bc565939312782b8157bebc26a5e17b"
-
-    Write-Host "Fetching from URL ..."
-    Download $externalUrl $internalUrl $packagex64
-    Verify-Checksum $packagex64 $sha1
-    Write-Host "Installing $packagex64 ..."
-    Run-Executable "$packagex64" "/SP- /SILENT /LOG /SUPPRESSMSGBOXES /NORESTART /DIR=$installFolder"
-
-    Write-Host "Remove downloaded $packagex64 ..."
-    Remove "$packagex64"
-
-    Set-EnvironmentVariable "OPENSSL_CONF_x64" "$installFolder\bin\openssl.cfg"
-    Set-EnvironmentVariable "OPENSSL_INCLUDE_x64" "$installFolder\include"
-    Set-EnvironmentVariable "OPENSSL_LIB_x64" "$installFolder\lib"
-    Prepend-Path "$installFolder\bin"
-}
-
-# Install x86 bit version
-$architecture = "x86"
-
-if (Is64BitWinHost) {
-    $installFolder = "C:\openssl$architecture"
-} else {
-    $installFolder = "C:\openssl"
-}
-
-$externalUrl = "https://slproweb.com/download/Win32OpenSSL-$version.exe"
-$internalUrl = "\\ci-files01-hki.ci.qt.io\provisioning\openssl\Win32OpenSSL-$version.exe"
-$sha1 = "ddead693fa279ad6b1baf123b3af51a9ef289dc1"
+$version = "3.5.4"
+$url = "https://ci-files01-hki.ci.qt.io/input/openssl/openssl-$version-prebuild-windows-msvc2022-x64.zip"
+$sha1 = "a028caa10ade0c1d39ad60d06201345908dfaaf2"
+$installFolder = "C:\openssl_x64"
+$zip_package = "C:\Windows\Temp\$version.zip"
 
 Write-Host "Fetching from URL ..."
-Download $externalUrl $internalUrl $packagex86
-Verify-Checksum $packagex86 $sha1
-Write-Host "Installing $packagex86 ..."
-Run-Executable "$packagex86" "/SP- /SILENT /LOG /SUPPRESSMSGBOXES /NORESTART /DIR=$installFolder"
+Download $url $url $zip_package
+Verify-Checksum $zip_package $sha1
+Extract-7Zip $zip_package C:\
+Remove $zip_package
 
-Write-Host "Remove downloaded $packagex86 ..."
-Remove "$packagex86"
+Set-EnvironmentVariable "OPENSSL_ROOT_DIR_x64" "$installFolder"
+Set-EnvironmentVariable "OPENSSL_INCLUDE_x64" "$installFolder\include"
+Set-EnvironmentVariable "OPENSSL_LIB_x64" "$installFolder\lib"
 
-Set-EnvironmentVariable "OPENSSL_CONF_x86" "$installFolder\bin\openssl.cfg"
-Set-EnvironmentVariable "OPENSSL_INCLUDE_x86" "$installFolder\include"
-Set-EnvironmentVariable "OPENSSL_LIB_x86" "$installFolder\lib"
+# Set envvars for builds in provisoning e.g. grpc
+Set-EnvironmentVariable "OPENSSL_ROOT_DIR" "$installFolder"
+Set-EnvironmentVariable "OPENSSL_INCLUDE" "$installFolder\include"
+Set-EnvironmentVariable "OPENSSL_LIB" "$installFolder\lib"
+
+Prepend-Path "$installFolder\bin"
 
 # Store version information to ~/versions.txt, which is used to print version information to provision log.
-Write-Output "OpenSSL = $version" >> ~/versions.txt
+Write-Output "OpenSSL x64= $version" >> ~/versions.txt