gh-132339: Add support for OpenSSL 3.5 (GH-137720)

* Add OpenSSL 3.5.2 definitions to Modules/_ssl_data_35.h (moved from Modules/_ssl_data_34.h) * Demote OpenSSL 3.1 to "old", remove it from CI * Update all OpenSSL versions to latest patchlevel in CI config and multissltests defaults * Add OpenSSL 3.5.2 to CI configuration and multissltests default list * Fix a typo in the argument parser description of multissltests.py
2026-05-06 12:49:07 -04:00 · 2025-08-13 23:18:03 -05:00
parent 14319a99e5
commit 7a703c8f19
5 changed files with 166 additions and 10 deletions
@@ -270,7 +270,7 @@ jobs:
      fail-fast: false
      matrix:
        os: [ubuntu-24.04]
-        openssl_ver: [3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.1]
+        openssl_ver: [3.0.17, 3.2.5, 3.3.4, 3.4.2, 3.5.2]
        # See Tools/ssl/make_ssl_data.py for notes on adding a new version
    env:
      OPENSSL_VER: ${{ matrix.openssl_ver }}
@@ -0,0 +1 @@
+Add support for OpenSSL 3.5.
@@ -150,7 +150,7 @@ static void _PySSLFixErrno(void) {
 /* Include generated data (error codes) */
 /* See make_ssl_data.h for notes on adding a new version. */
 #if (OPENSSL_VERSION_NUMBER >= 0x30401000L)
-#include "_ssl_data_34.h"
+#include "_ssl_data_35.h"
 #elif (OPENSSL_VERSION_NUMBER >= 0x30100000L)
 #include "_ssl_data_340.h"
 #elif (OPENSSL_VERSION_NUMBER >= 0x30000000L)
@@ -1,6 +1,6 @@
 /* File generated by Tools/ssl/make_ssl_data.py */
-/* Generated on 2025-03-26T13:47:34.223146+00:00 */
-/* Generated from Git commit openssl-3.4.1-0-ga26d85337d */
+/* Generated on 2025-08-13T16:42:33.155822+00:00 */
+/* Generated from Git commit openssl-3.5.2-0-g0893a6235 */

 /* generated from args.lib2errnum */
 static struct py_ssl_library_code library_codes[] = {
@@ -1283,6 +1283,11 @@ static struct py_ssl_error_code error_codes[] = {
  #else
    {"FAILED_BUILDING_OWN_CHAIN", 58, 164},
  #endif
+  #ifdef CMP_R_FAILED_EXTRACTING_CENTRAL_GEN_KEY
+    {"FAILED_EXTRACTING_CENTRAL_GEN_KEY", ERR_LIB_CMP, CMP_R_FAILED_EXTRACTING_CENTRAL_GEN_KEY},
+  #else
+    {"FAILED_EXTRACTING_CENTRAL_GEN_KEY", 58, 203},
+  #endif
  #ifdef CMP_R_FAILED_EXTRACTING_PUBKEY
    {"FAILED_EXTRACTING_PUBKEY", ERR_LIB_CMP, CMP_R_FAILED_EXTRACTING_PUBKEY},
  #else
@@ -1343,6 +1348,11 @@ static struct py_ssl_error_code error_codes[] = {
  #else
    {"INVALID_ROOTCAKEYUPDATE", 58, 195},
  #endif
+  #ifdef CMP_R_MISSING_CENTRAL_GEN_KEY
+    {"MISSING_CENTRAL_GEN_KEY", ERR_LIB_CMP, CMP_R_MISSING_CENTRAL_GEN_KEY},
+  #else
+    {"MISSING_CENTRAL_GEN_KEY", 58, 204},
+  #endif
  #ifdef CMP_R_MISSING_CERTID
    {"MISSING_CERTID", ERR_LIB_CMP, CMP_R_MISSING_CERTID},
  #else
@@ -1513,6 +1523,11 @@ static struct py_ssl_error_code error_codes[] = {
  #else
    {"UNCLEAN_CTX", 58, 191},
  #endif
+  #ifdef CMP_R_UNEXPECTED_CENTRAL_GEN_KEY
+    {"UNEXPECTED_CENTRAL_GEN_KEY", ERR_LIB_CMP, CMP_R_UNEXPECTED_CENTRAL_GEN_KEY},
+  #else
+    {"UNEXPECTED_CENTRAL_GEN_KEY", 58, 205},
+  #endif
  #ifdef CMP_R_UNEXPECTED_CERTPROFILE
    {"UNEXPECTED_CERTPROFILE", ERR_LIB_CMP, CMP_R_UNEXPECTED_CERTPROFILE},
  #else
@@ -2308,6 +2323,11 @@ static struct py_ssl_error_code error_codes[] = {
  #else
    {"BAD_PBM_ITERATIONCOUNT", 56, 100},
  #endif
+  #ifdef CRMF_R_CMS_NOT_SUPPORTED
+    {"CMS_NOT_SUPPORTED", ERR_LIB_CRMF, CRMF_R_CMS_NOT_SUPPORTED},
+  #else
+    {"CMS_NOT_SUPPORTED", 56, 122},
+  #endif
  #ifdef CRMF_R_CRMFERROR
    {"CRMFERROR", ERR_LIB_CRMF, CRMF_R_CRMFERROR},
  #else
@@ -2323,16 +2343,41 @@ static struct py_ssl_error_code error_codes[] = {
  #else
    {"ERROR_DECODING_CERTIFICATE", 56, 104},
  #endif
+  #ifdef CRMF_R_ERROR_DECODING_ENCRYPTEDKEY
+    {"ERROR_DECODING_ENCRYPTEDKEY", ERR_LIB_CRMF, CRMF_R_ERROR_DECODING_ENCRYPTEDKEY},
+  #else
+    {"ERROR_DECODING_ENCRYPTEDKEY", 56, 123},
+  #endif
  #ifdef CRMF_R_ERROR_DECRYPTING_CERTIFICATE
    {"ERROR_DECRYPTING_CERTIFICATE", ERR_LIB_CRMF, CRMF_R_ERROR_DECRYPTING_CERTIFICATE},
  #else
    {"ERROR_DECRYPTING_CERTIFICATE", 56, 105},
  #endif
+  #ifdef CRMF_R_ERROR_DECRYPTING_ENCRYPTEDKEY
+    {"ERROR_DECRYPTING_ENCRYPTEDKEY", ERR_LIB_CRMF, CRMF_R_ERROR_DECRYPTING_ENCRYPTEDKEY},
+  #else
+    {"ERROR_DECRYPTING_ENCRYPTEDKEY", 56, 124},
+  #endif
+  #ifdef CRMF_R_ERROR_DECRYPTING_ENCRYPTEDVALUE
+    {"ERROR_DECRYPTING_ENCRYPTEDVALUE", ERR_LIB_CRMF, CRMF_R_ERROR_DECRYPTING_ENCRYPTEDVALUE},
+  #else
+    {"ERROR_DECRYPTING_ENCRYPTEDVALUE", 56, 125},
+  #endif
  #ifdef CRMF_R_ERROR_DECRYPTING_SYMMETRIC_KEY
    {"ERROR_DECRYPTING_SYMMETRIC_KEY", ERR_LIB_CRMF, CRMF_R_ERROR_DECRYPTING_SYMMETRIC_KEY},
  #else
    {"ERROR_DECRYPTING_SYMMETRIC_KEY", 56, 106},
  #endif
+  #ifdef CRMF_R_ERROR_SETTING_PURPOSE
+    {"ERROR_SETTING_PURPOSE", ERR_LIB_CRMF, CRMF_R_ERROR_SETTING_PURPOSE},
+  #else
+    {"ERROR_SETTING_PURPOSE", 56, 126},
+  #endif
+  #ifdef CRMF_R_ERROR_VERIFYING_ENCRYPTEDKEY
+    {"ERROR_VERIFYING_ENCRYPTEDKEY", ERR_LIB_CRMF, CRMF_R_ERROR_VERIFYING_ENCRYPTEDKEY},
+  #else
+    {"ERROR_VERIFYING_ENCRYPTEDKEY", 56, 127},
+  #endif
  #ifdef CRMF_R_FAILURE_OBTAINING_RANDOM
    {"FAILURE_OBTAINING_RANDOM", ERR_LIB_CRMF, CRMF_R_FAILURE_OBTAINING_RANDOM},
  #else
@@ -2358,6 +2403,11 @@ static struct py_ssl_error_code error_codes[] = {
  #else
    {"POPOSKINPUT_NOT_SUPPORTED", 56, 113},
  #endif
+  #ifdef CRMF_R_POPO_INCONSISTENT_CENTRAL_KEYGEN
+    {"POPO_INCONSISTENT_CENTRAL_KEYGEN", ERR_LIB_CRMF, CRMF_R_POPO_INCONSISTENT_CENTRAL_KEYGEN},
+  #else
+    {"POPO_INCONSISTENT_CENTRAL_KEYGEN", 56, 128},
+  #endif
  #ifdef CRMF_R_POPO_INCONSISTENT_PUBLIC_KEY
    {"POPO_INCONSISTENT_PUBLIC_KEY", ERR_LIB_CRMF, CRMF_R_POPO_INCONSISTENT_PUBLIC_KEY},
  #else
@@ -3963,6 +4013,11 @@ static struct py_ssl_error_code error_codes[] = {
  #else
    {"PBKDF2_ERROR", 6, 181},
  #endif
+  #ifdef EVP_R_PIPELINE_NOT_SUPPORTED
+    {"PIPELINE_NOT_SUPPORTED", ERR_LIB_EVP, EVP_R_PIPELINE_NOT_SUPPORTED},
+  #else
+    {"PIPELINE_NOT_SUPPORTED", 6, 230},
+  #endif
  #ifdef EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED
    {"PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED", ERR_LIB_EVP, EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED},
  #else
@@ -3978,6 +4033,36 @@ static struct py_ssl_error_code error_codes[] = {
  #else
    {"PRIVATE_KEY_ENCODE_ERROR", 6, 146},
  #endif
+  #ifdef EVP_R_PROVIDER_ASYM_CIPHER_FAILURE
+    {"PROVIDER_ASYM_CIPHER_FAILURE", ERR_LIB_EVP, EVP_R_PROVIDER_ASYM_CIPHER_FAILURE},
+  #else
+    {"PROVIDER_ASYM_CIPHER_FAILURE", 6, 232},
+  #endif
+  #ifdef EVP_R_PROVIDER_ASYM_CIPHER_NOT_SUPPORTED
+    {"PROVIDER_ASYM_CIPHER_NOT_SUPPORTED", ERR_LIB_EVP, EVP_R_PROVIDER_ASYM_CIPHER_NOT_SUPPORTED},
+  #else
+    {"PROVIDER_ASYM_CIPHER_NOT_SUPPORTED", 6, 235},
+  #endif
+  #ifdef EVP_R_PROVIDER_KEYMGMT_FAILURE
+    {"PROVIDER_KEYMGMT_FAILURE", ERR_LIB_EVP, EVP_R_PROVIDER_KEYMGMT_FAILURE},
+  #else
+    {"PROVIDER_KEYMGMT_FAILURE", 6, 233},
+  #endif
+  #ifdef EVP_R_PROVIDER_KEYMGMT_NOT_SUPPORTED
+    {"PROVIDER_KEYMGMT_NOT_SUPPORTED", ERR_LIB_EVP, EVP_R_PROVIDER_KEYMGMT_NOT_SUPPORTED},
+  #else
+    {"PROVIDER_KEYMGMT_NOT_SUPPORTED", 6, 236},
+  #endif
+  #ifdef EVP_R_PROVIDER_SIGNATURE_FAILURE
+    {"PROVIDER_SIGNATURE_FAILURE", ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE},
+  #else
+    {"PROVIDER_SIGNATURE_FAILURE", 6, 234},
+  #endif
+  #ifdef EVP_R_PROVIDER_SIGNATURE_NOT_SUPPORTED
+    {"PROVIDER_SIGNATURE_NOT_SUPPORTED", ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_NOT_SUPPORTED},
+  #else
+    {"PROVIDER_SIGNATURE_NOT_SUPPORTED", 6, 237},
+  #endif
  #ifdef EVP_R_PUBLIC_KEY_NOT_RSA
    {"PUBLIC_KEY_NOT_RSA", ERR_LIB_EVP, EVP_R_PUBLIC_KEY_NOT_RSA},
  #else
@@ -3998,6 +4083,11 @@ static struct py_ssl_error_code error_codes[] = {
  #else
    {"SIGNATURE_TYPE_AND_KEY_TYPE_INCOMPATIBLE", 6, 228},
  #endif
+  #ifdef EVP_R_TOO_MANY_PIPES
+    {"TOO_MANY_PIPES", ERR_LIB_EVP, EVP_R_TOO_MANY_PIPES},
+  #else
+    {"TOO_MANY_PIPES", 6, 231},
+  #endif
  #ifdef EVP_R_TOO_MANY_RECORDS
    {"TOO_MANY_RECORDS", ERR_LIB_EVP, EVP_R_TOO_MANY_RECORDS},
  #else
@@ -4753,6 +4843,11 @@ static struct py_ssl_error_code error_codes[] = {
  #else
    {"UNSUPPORTED_PUBLIC_KEY_TYPE", 9, 110},
  #endif
+  #ifdef PEM_R_UNSUPPORTED_PVK_KEY_TYPE
+    {"UNSUPPORTED_PVK_KEY_TYPE", ERR_LIB_PEM, PEM_R_UNSUPPORTED_PVK_KEY_TYPE},
+  #else
+    {"UNSUPPORTED_PVK_KEY_TYPE", 9, 133},
+  #endif
  #ifdef PKCS12_R_CALLBACK_FAILED
    {"CALLBACK_FAILED", ERR_LIB_PKCS12, PKCS12_R_CALLBACK_FAILED},
  #else
@@ -5543,6 +5638,16 @@ static struct py_ssl_error_code error_codes[] = {
  #else
    {"MISSING_XCGHASH", 57, 135},
  #endif
+  #ifdef PROV_R_ML_DSA_NO_FORMAT
+    {"ML_DSA_NO_FORMAT", ERR_LIB_PROV, PROV_R_ML_DSA_NO_FORMAT},
+  #else
+    {"ML_DSA_NO_FORMAT", 57, 245},
+  #endif
+  #ifdef PROV_R_ML_KEM_NO_FORMAT
+    {"ML_KEM_NO_FORMAT", ERR_LIB_PROV, PROV_R_ML_KEM_NO_FORMAT},
+  #else
+    {"ML_KEM_NO_FORMAT", 57, 246},
+  #endif
  #ifdef PROV_R_MODULE_INTEGRITY_FAILURE
    {"MODULE_INTEGRITY_FAILURE", ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE},
  #else
@@ -5593,6 +5698,16 @@ static struct py_ssl_error_code error_codes[] = {
  #else
    {"NO_PARAMETERS_SET", 57, 177},
  #endif
+  #ifdef PROV_R_NULL_LENGTH_POINTER
+    {"NULL_LENGTH_POINTER", ERR_LIB_PROV, PROV_R_NULL_LENGTH_POINTER},
+  #else
+    {"NULL_LENGTH_POINTER", 57, 247},
+  #endif
+  #ifdef PROV_R_NULL_OUTPUT_BUFFER
+    {"NULL_OUTPUT_BUFFER", ERR_LIB_PROV, PROV_R_NULL_OUTPUT_BUFFER},
+  #else
+    {"NULL_OUTPUT_BUFFER", 57, 248},
+  #endif
  #ifdef PROV_R_ONESHOT_CALL_OUT_OF_ORDER
    {"ONESHOT_CALL_OUT_OF_ORDER", ERR_LIB_PROV, PROV_R_ONESHOT_CALL_OUT_OF_ORDER},
  #else
@@ -5728,6 +5843,11 @@ static struct py_ssl_error_code error_codes[] = {
  #else
    {"UNABLE_TO_RESEED", 57, 204},
  #endif
+  #ifdef PROV_R_UNEXPECTED_KEY_PARAMETERS
+    {"UNEXPECTED_KEY_PARAMETERS", ERR_LIB_PROV, PROV_R_UNEXPECTED_KEY_PARAMETERS},
+  #else
+    {"UNEXPECTED_KEY_PARAMETERS", 57, 249},
+  #endif
  #ifdef PROV_R_UNSUPPORTED_CEK_ALG
    {"UNSUPPORTED_CEK_ALG", ERR_LIB_PROV, PROV_R_UNSUPPORTED_CEK_ALG},
  #else
@@ -5748,6 +5868,11 @@ static struct py_ssl_error_code error_codes[] = {
  #else
    {"UNSUPPORTED_NUMBER_OF_ROUNDS", 57, 152},
  #endif
+  #ifdef PROV_R_UNSUPPORTED_SELECTION
+    {"UNSUPPORTED_SELECTION", ERR_LIB_PROV, PROV_R_UNSUPPORTED_SELECTION},
+  #else
+    {"UNSUPPORTED_SELECTION", 57, 250},
+  #endif
  #ifdef PROV_R_UPDATE_CALL_OUT_OF_ORDER
    {"UPDATE_CALL_OUT_OF_ORDER", ERR_LIB_PROV, PROV_R_UPDATE_CALL_OUT_OF_ORDER},
  #else
@@ -5763,6 +5888,11 @@ static struct py_ssl_error_code error_codes[] = {
  #else
    {"VALUE_ERROR", 57, 138},
  #endif
+  #ifdef PROV_R_WRONG_CIPHERTEXT_SIZE
+    {"WRONG_CIPHERTEXT_SIZE", ERR_LIB_PROV, PROV_R_WRONG_CIPHERTEXT_SIZE},
+  #else
+    {"WRONG_CIPHERTEXT_SIZE", 57, 251},
+  #endif
  #ifdef PROV_R_WRONG_FINAL_BLOCK_LENGTH
    {"WRONG_FINAL_BLOCK_LENGTH", ERR_LIB_PROV, PROV_R_WRONG_FINAL_BLOCK_LENGTH},
  #else
@@ -5938,6 +6068,11 @@ static struct py_ssl_error_code error_codes[] = {
  #else
    {"PRNG_NOT_SEEDED", 36, 100},
  #endif
+  #ifdef RAND_R_RANDOM_POOL_IS_EMPTY
+    {"RANDOM_POOL_IS_EMPTY", ERR_LIB_RAND, RAND_R_RANDOM_POOL_IS_EMPTY},
+  #else
+    {"RANDOM_POOL_IS_EMPTY", 36, 142},
+  #endif
  #ifdef RAND_R_RANDOM_POOL_OVERFLOW
    {"RANDOM_POOL_OVERFLOW", ERR_LIB_RAND, RAND_R_RANDOM_POOL_OVERFLOW},
  #else
@@ -6923,6 +7058,11 @@ static struct py_ssl_error_code error_codes[] = {
  #else
    {"DIGEST_CHECK_FAILED", 20, 149},
  #endif
+  #ifdef SSL_R_DOMAIN_USE_ONLY
+    {"DOMAIN_USE_ONLY", ERR_LIB_SSL, SSL_R_DOMAIN_USE_ONLY},
+  #else
+    {"DOMAIN_USE_ONLY", 20, 422},
+  #endif
  #ifdef SSL_R_DTLS_MESSAGE_TOO_BIG
    {"DTLS_MESSAGE_TOO_BIG", ERR_LIB_SSL, SSL_R_DTLS_MESSAGE_TOO_BIG},
  #else
@@ -7213,6 +7353,11 @@ static struct py_ssl_error_code error_codes[] = {
  #else
    {"LIBRARY_HAS_NO_CIPHERS", 20, 161},
  #endif
+  #ifdef SSL_R_LISTENER_USE_ONLY
+    {"LISTENER_USE_ONLY", ERR_LIB_SSL, SSL_R_LISTENER_USE_ONLY},
+  #else
+    {"LISTENER_USE_ONLY", 20, 421},
+  #endif
  #ifdef SSL_R_MAXIMUM_ENCRYPTED_PKTS_REACHED
    {"MAXIMUM_ENCRYPTED_PKTS_REACHED", ERR_LIB_SSL, SSL_R_MAXIMUM_ENCRYPTED_PKTS_REACHED},
  #else
@@ -7243,6 +7388,11 @@ static struct py_ssl_error_code error_codes[] = {
  #else
    {"MISSING_PSK_KEX_MODES_EXTENSION", 20, 310},
  #endif
+  #ifdef SSL_R_MISSING_QUIC_TLS_FUNCTIONS
+    {"MISSING_QUIC_TLS_FUNCTIONS", ERR_LIB_SSL, SSL_R_MISSING_QUIC_TLS_FUNCTIONS},
+  #else
+    {"MISSING_QUIC_TLS_FUNCTIONS", 20, 423},
+  #endif
  #ifdef SSL_R_MISSING_RSA_CERTIFICATE
    {"MISSING_RSA_CERTIFICATE", ERR_LIB_SSL, SSL_R_MISSING_RSA_CERTIFICATE},
  #else
@@ -8983,6 +9133,11 @@ static struct py_ssl_error_code error_codes[] = {
  #else
    {"POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY", 34, 159},
  #endif
+  #ifdef X509V3_R_PURPOSE_NOT_UNIQUE
+    {"PURPOSE_NOT_UNIQUE", ERR_LIB_X509V3, X509V3_R_PURPOSE_NOT_UNIQUE},
+  #else
+    {"PURPOSE_NOT_UNIQUE", 34, 173},
+  #endif
  #ifdef X509V3_R_SECTION_NOT_FOUND
    {"SECTION_NOT_FOUND", ERR_LIB_X509V3, X509V3_R_SECTION_NOT_FOUND},
  #else
@@ -44,14 +44,15 @@ log = logging.getLogger("multissl")

 OPENSSL_OLD_VERSIONS = [
    "1.1.1w",
+    "3.1.8",
 ]

 OPENSSL_RECENT_VERSIONS = [
    "3.0.16",
-    "3.1.8",
-    "3.2.4",
-    "3.3.3",
-    "3.4.1",
+    "3.2.5",
+    "3.3.4",
+    "3.4.2",
+    "3.5.2",
    # See make_ssl_data.py for notes on adding a new version.
 ]

@@ -74,8 +75,7 @@ MULTISSL_DIR = os.path.abspath(os.path.join(PYTHONROOT, '..', 'multissl'))
 parser = argparse.ArgumentParser(
    prog='multissl',
    description=(
-        "Run CPython tests with multiple cryptography libraries"
-        "versions."
+        "Run CPython tests with multiple cryptography libraries/versions."
    ),
 )
 parser.add_argument(