gh-132339: Add support for OpenSSL 3.5

.github/workflows/build.yml

@@ -270,7 +270,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu-24.04]
-        openssl_ver: [3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.1]
+        openssl_ver: [3.0.17, 3.2.5, 3.3.4, 3.4.2, 3.5.2]
         # See Tools/ssl/make_ssl_data.py for notes on adding a new version
     env:
       OPENSSL_VER: ${{ matrix.openssl_ver }}

Misc/NEWS.d/next/Build/2025-08-13-12-10-12.gh-issue-132339.3Czz5y.rst

@@ -0,0 +1 @@
+Add support for OpenSSL 3.5.

Modules/_ssl.c

@@ -150,7 +150,7 @@ static void _PySSLFixErrno(void) {
 /* Include generated data (error codes) */
 /* See make_ssl_data.h for notes on adding a new version. */
 #if (OPENSSL_VERSION_NUMBER >= 0x30401000L)
-#include "_ssl_data_34.h"
+#include "_ssl_data_35.h"
 #elif (OPENSSL_VERSION_NUMBER >= 0x30100000L)
 #include "_ssl_data_340.h"
 #elif (OPENSSL_VERSION_NUMBER >= 0x30000000L)

Modules/_ssl_data_34.h → Modules/_ssl_data_35.h

@@ -1,6 +1,6 @@
 /* File generated by Tools/ssl/make_ssl_data.py */
-/* Generated on 2025-03-26T13:47:34.223146+00:00 */
-/* Generated from Git commit openssl-3.4.1-0-ga26d85337d */
+/* Generated on 2025-08-13T16:42:33.155822+00:00 */
+/* Generated from Git commit openssl-3.5.2-0-g0893a6235 */
 
 /* generated from args.lib2errnum */
 static struct py_ssl_library_code library_codes[] = {
@@ -1283,6 +1283,11 @@ static struct py_ssl_error_code error_codes[] = {
   #else
     {"FAILED_BUILDING_OWN_CHAIN", 58, 164},
   #endif
+  #ifdef CMP_R_FAILED_EXTRACTING_CENTRAL_GEN_KEY
+    {"FAILED_EXTRACTING_CENTRAL_GEN_KEY", ERR_LIB_CMP, CMP_R_FAILED_EXTRACTING_CENTRAL_GEN_KEY},
+  #else
+    {"FAILED_EXTRACTING_CENTRAL_GEN_KEY", 58, 203},
+  #endif
   #ifdef CMP_R_FAILED_EXTRACTING_PUBKEY
     {"FAILED_EXTRACTING_PUBKEY", ERR_LIB_CMP, CMP_R_FAILED_EXTRACTING_PUBKEY},
   #else
@@ -1343,6 +1348,11 @@ static struct py_ssl_error_code error_codes[] = {
   #else
     {"INVALID_ROOTCAKEYUPDATE", 58, 195},
   #endif
+  #ifdef CMP_R_MISSING_CENTRAL_GEN_KEY
+    {"MISSING_CENTRAL_GEN_KEY", ERR_LIB_CMP, CMP_R_MISSING_CENTRAL_GEN_KEY},
+  #else
+    {"MISSING_CENTRAL_GEN_KEY", 58, 204},
+  #endif
   #ifdef CMP_R_MISSING_CERTID
     {"MISSING_CERTID", ERR_LIB_CMP, CMP_R_MISSING_CERTID},
   #else
@@ -1513,6 +1523,11 @@ static struct py_ssl_error_code error_codes[] = {
   #else
     {"UNCLEAN_CTX", 58, 191},
   #endif
+  #ifdef CMP_R_UNEXPECTED_CENTRAL_GEN_KEY
+    {"UNEXPECTED_CENTRAL_GEN_KEY", ERR_LIB_CMP, CMP_R_UNEXPECTED_CENTRAL_GEN_KEY},
+  #else
+    {"UNEXPECTED_CENTRAL_GEN_KEY", 58, 205},
+  #endif
   #ifdef CMP_R_UNEXPECTED_CERTPROFILE
     {"UNEXPECTED_CERTPROFILE", ERR_LIB_CMP, CMP_R_UNEXPECTED_CERTPROFILE},
   #else
@@ -2308,6 +2323,11 @@ static struct py_ssl_error_code error_codes[] = {
   #else
     {"BAD_PBM_ITERATIONCOUNT", 56, 100},
   #endif
+  #ifdef CRMF_R_CMS_NOT_SUPPORTED
+    {"CMS_NOT_SUPPORTED", ERR_LIB_CRMF, CRMF_R_CMS_NOT_SUPPORTED},
+  #else
+    {"CMS_NOT_SUPPORTED", 56, 122},
+  #endif
   #ifdef CRMF_R_CRMFERROR
     {"CRMFERROR", ERR_LIB_CRMF, CRMF_R_CRMFERROR},
   #else
@@ -2323,16 +2343,41 @@ static struct py_ssl_error_code error_codes[] = {
   #else
     {"ERROR_DECODING_CERTIFICATE", 56, 104},
   #endif
+  #ifdef CRMF_R_ERROR_DECODING_ENCRYPTEDKEY
+    {"ERROR_DECODING_ENCRYPTEDKEY", ERR_LIB_CRMF, CRMF_R_ERROR_DECODING_ENCRYPTEDKEY},
+  #else
+    {"ERROR_DECODING_ENCRYPTEDKEY", 56, 123},
+  #endif
   #ifdef CRMF_R_ERROR_DECRYPTING_CERTIFICATE
     {"ERROR_DECRYPTING_CERTIFICATE", ERR_LIB_CRMF, CRMF_R_ERROR_DECRYPTING_CERTIFICATE},
   #else
     {"ERROR_DECRYPTING_CERTIFICATE", 56, 105},
   #endif
+  #ifdef CRMF_R_ERROR_DECRYPTING_ENCRYPTEDKEY
+    {"ERROR_DECRYPTING_ENCRYPTEDKEY", ERR_LIB_CRMF, CRMF_R_ERROR_DECRYPTING_ENCRYPTEDKEY},
+  #else
+    {"ERROR_DECRYPTING_ENCRYPTEDKEY", 56, 124},
+  #endif
+  #ifdef CRMF_R_ERROR_DECRYPTING_ENCRYPTEDVALUE
+    {"ERROR_DECRYPTING_ENCRYPTEDVALUE", ERR_LIB_CRMF, CRMF_R_ERROR_DECRYPTING_ENCRYPTEDVALUE},
+  #else
+    {"ERROR_DECRYPTING_ENCRYPTEDVALUE", 56, 125},
+  #endif
   #ifdef CRMF_R_ERROR_DECRYPTING_SYMMETRIC_KEY
     {"ERROR_DECRYPTING_SYMMETRIC_KEY", ERR_LIB_CRMF, CRMF_R_ERROR_DECRYPTING_SYMMETRIC_KEY},
   #else
     {"ERROR_DECRYPTING_SYMMETRIC_KEY", 56, 106},
   #endif
+  #ifdef CRMF_R_ERROR_SETTING_PURPOSE
+    {"ERROR_SETTING_PURPOSE", ERR_LIB_CRMF, CRMF_R_ERROR_SETTING_PURPOSE},
+  #else
+    {"ERROR_SETTING_PURPOSE", 56, 126},
+  #endif
+  #ifdef CRMF_R_ERROR_VERIFYING_ENCRYPTEDKEY
+    {"ERROR_VERIFYING_ENCRYPTEDKEY", ERR_LIB_CRMF, CRMF_R_ERROR_VERIFYING_ENCRYPTEDKEY},
+  #else
+    {"ERROR_VERIFYING_ENCRYPTEDKEY", 56, 127},
+  #endif
   #ifdef CRMF_R_FAILURE_OBTAINING_RANDOM
     {"FAILURE_OBTAINING_RANDOM", ERR_LIB_CRMF, CRMF_R_FAILURE_OBTAINING_RANDOM},
   #else
@@ -2358,6 +2403,11 @@ static struct py_ssl_error_code error_codes[] = {
   #else
     {"POPOSKINPUT_NOT_SUPPORTED", 56, 113},
   #endif
+  #ifdef CRMF_R_POPO_INCONSISTENT_CENTRAL_KEYGEN
+    {"POPO_INCONSISTENT_CENTRAL_KEYGEN", ERR_LIB_CRMF, CRMF_R_POPO_INCONSISTENT_CENTRAL_KEYGEN},
+  #else
+    {"POPO_INCONSISTENT_CENTRAL_KEYGEN", 56, 128},
+  #endif
   #ifdef CRMF_R_POPO_INCONSISTENT_PUBLIC_KEY
     {"POPO_INCONSISTENT_PUBLIC_KEY", ERR_LIB_CRMF, CRMF_R_POPO_INCONSISTENT_PUBLIC_KEY},
   #else
@@ -3963,6 +4013,11 @@ static struct py_ssl_error_code error_codes[] = {
   #else
     {"PBKDF2_ERROR", 6, 181},
   #endif
+  #ifdef EVP_R_PIPELINE_NOT_SUPPORTED
+    {"PIPELINE_NOT_SUPPORTED", ERR_LIB_EVP, EVP_R_PIPELINE_NOT_SUPPORTED},
+  #else
+    {"PIPELINE_NOT_SUPPORTED", 6, 230},
+  #endif
   #ifdef EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED
     {"PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED", ERR_LIB_EVP, EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED},
   #else
@@ -3978,6 +4033,36 @@ static struct py_ssl_error_code error_codes[] = {
   #else
     {"PRIVATE_KEY_ENCODE_ERROR", 6, 146},
   #endif
+  #ifdef EVP_R_PROVIDER_ASYM_CIPHER_FAILURE
+    {"PROVIDER_ASYM_CIPHER_FAILURE", ERR_LIB_EVP, EVP_R_PROVIDER_ASYM_CIPHER_FAILURE},
+  #else
+    {"PROVIDER_ASYM_CIPHER_FAILURE", 6, 232},
+  #endif
+  #ifdef EVP_R_PROVIDER_ASYM_CIPHER_NOT_SUPPORTED
+    {"PROVIDER_ASYM_CIPHER_NOT_SUPPORTED", ERR_LIB_EVP, EVP_R_PROVIDER_ASYM_CIPHER_NOT_SUPPORTED},
+  #else
+    {"PROVIDER_ASYM_CIPHER_NOT_SUPPORTED", 6, 235},
+  #endif
+  #ifdef EVP_R_PROVIDER_KEYMGMT_FAILURE
+    {"PROVIDER_KEYMGMT_FAILURE", ERR_LIB_EVP, EVP_R_PROVIDER_KEYMGMT_FAILURE},
+  #else
+    {"PROVIDER_KEYMGMT_FAILURE", 6, 233},
+  #endif
+  #ifdef EVP_R_PROVIDER_KEYMGMT_NOT_SUPPORTED
+    {"PROVIDER_KEYMGMT_NOT_SUPPORTED", ERR_LIB_EVP, EVP_R_PROVIDER_KEYMGMT_NOT_SUPPORTED},
+  #else
+    {"PROVIDER_KEYMGMT_NOT_SUPPORTED", 6, 236},
+  #endif
+  #ifdef EVP_R_PROVIDER_SIGNATURE_FAILURE
+    {"PROVIDER_SIGNATURE_FAILURE", ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE},
+  #else
+    {"PROVIDER_SIGNATURE_FAILURE", 6, 234},
+  #endif
+  #ifdef EVP_R_PROVIDER_SIGNATURE_NOT_SUPPORTED
+    {"PROVIDER_SIGNATURE_NOT_SUPPORTED", ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_NOT_SUPPORTED},
+  #else
+    {"PROVIDER_SIGNATURE_NOT_SUPPORTED", 6, 237},
+  #endif
   #ifdef EVP_R_PUBLIC_KEY_NOT_RSA
     {"PUBLIC_KEY_NOT_RSA", ERR_LIB_EVP, EVP_R_PUBLIC_KEY_NOT_RSA},
   #else
@@ -3998,6 +4083,11 @@ static struct py_ssl_error_code error_codes[] = {
   #else
     {"SIGNATURE_TYPE_AND_KEY_TYPE_INCOMPATIBLE", 6, 228},
   #endif
+  #ifdef EVP_R_TOO_MANY_PIPES
+    {"TOO_MANY_PIPES", ERR_LIB_EVP, EVP_R_TOO_MANY_PIPES},
+  #else
+    {"TOO_MANY_PIPES", 6, 231},
+  #endif
   #ifdef EVP_R_TOO_MANY_RECORDS
     {"TOO_MANY_RECORDS", ERR_LIB_EVP, EVP_R_TOO_MANY_RECORDS},
   #else
@@ -4753,6 +4843,11 @@ static struct py_ssl_error_code error_codes[] = {
   #else
     {"UNSUPPORTED_PUBLIC_KEY_TYPE", 9, 110},
   #endif
+  #ifdef PEM_R_UNSUPPORTED_PVK_KEY_TYPE
+    {"UNSUPPORTED_PVK_KEY_TYPE", ERR_LIB_PEM, PEM_R_UNSUPPORTED_PVK_KEY_TYPE},
+  #else
+    {"UNSUPPORTED_PVK_KEY_TYPE", 9, 133},
+  #endif
   #ifdef PKCS12_R_CALLBACK_FAILED
     {"CALLBACK_FAILED", ERR_LIB_PKCS12, PKCS12_R_CALLBACK_FAILED},
   #else
@@ -5543,6 +5638,16 @@ static struct py_ssl_error_code error_codes[] = {
   #else
     {"MISSING_XCGHASH", 57, 135},
   #endif
+  #ifdef PROV_R_ML_DSA_NO_FORMAT
+    {"ML_DSA_NO_FORMAT", ERR_LIB_PROV, PROV_R_ML_DSA_NO_FORMAT},
+  #else
+    {"ML_DSA_NO_FORMAT", 57, 245},
+  #endif
+  #ifdef PROV_R_ML_KEM_NO_FORMAT
+    {"ML_KEM_NO_FORMAT", ERR_LIB_PROV, PROV_R_ML_KEM_NO_FORMAT},
+  #else
+    {"ML_KEM_NO_FORMAT", 57, 246},
+  #endif
   #ifdef PROV_R_MODULE_INTEGRITY_FAILURE
     {"MODULE_INTEGRITY_FAILURE", ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE},
   #else
@@ -5593,6 +5698,16 @@ static struct py_ssl_error_code error_codes[] = {
   #else
     {"NO_PARAMETERS_SET", 57, 177},
   #endif
+  #ifdef PROV_R_NULL_LENGTH_POINTER
+    {"NULL_LENGTH_POINTER", ERR_LIB_PROV, PROV_R_NULL_LENGTH_POINTER},
+  #else
+    {"NULL_LENGTH_POINTER", 57, 247},
+  #endif
+  #ifdef PROV_R_NULL_OUTPUT_BUFFER
+    {"NULL_OUTPUT_BUFFER", ERR_LIB_PROV, PROV_R_NULL_OUTPUT_BUFFER},
+  #else
+    {"NULL_OUTPUT_BUFFER", 57, 248},
+  #endif
   #ifdef PROV_R_ONESHOT_CALL_OUT_OF_ORDER
     {"ONESHOT_CALL_OUT_OF_ORDER", ERR_LIB_PROV, PROV_R_ONESHOT_CALL_OUT_OF_ORDER},
   #else
@@ -5728,6 +5843,11 @@ static struct py_ssl_error_code error_codes[] = {
   #else
     {"UNABLE_TO_RESEED", 57, 204},
   #endif
+  #ifdef PROV_R_UNEXPECTED_KEY_PARAMETERS
+    {"UNEXPECTED_KEY_PARAMETERS", ERR_LIB_PROV, PROV_R_UNEXPECTED_KEY_PARAMETERS},
+  #else
+    {"UNEXPECTED_KEY_PARAMETERS", 57, 249},
+  #endif
   #ifdef PROV_R_UNSUPPORTED_CEK_ALG
     {"UNSUPPORTED_CEK_ALG", ERR_LIB_PROV, PROV_R_UNSUPPORTED_CEK_ALG},
   #else
@@ -5748,6 +5868,11 @@ static struct py_ssl_error_code error_codes[] = {
   #else
     {"UNSUPPORTED_NUMBER_OF_ROUNDS", 57, 152},
   #endif
+  #ifdef PROV_R_UNSUPPORTED_SELECTION
+    {"UNSUPPORTED_SELECTION", ERR_LIB_PROV, PROV_R_UNSUPPORTED_SELECTION},
+  #else
+    {"UNSUPPORTED_SELECTION", 57, 250},
+  #endif
   #ifdef PROV_R_UPDATE_CALL_OUT_OF_ORDER
     {"UPDATE_CALL_OUT_OF_ORDER", ERR_LIB_PROV, PROV_R_UPDATE_CALL_OUT_OF_ORDER},
   #else
@@ -5763,6 +5888,11 @@ static struct py_ssl_error_code error_codes[] = {
   #else
     {"VALUE_ERROR", 57, 138},
   #endif
+  #ifdef PROV_R_WRONG_CIPHERTEXT_SIZE
+    {"WRONG_CIPHERTEXT_SIZE", ERR_LIB_PROV, PROV_R_WRONG_CIPHERTEXT_SIZE},
+  #else
+    {"WRONG_CIPHERTEXT_SIZE", 57, 251},
+  #endif
   #ifdef PROV_R_WRONG_FINAL_BLOCK_LENGTH
     {"WRONG_FINAL_BLOCK_LENGTH", ERR_LIB_PROV, PROV_R_WRONG_FINAL_BLOCK_LENGTH},
   #else
@@ -5938,6 +6068,11 @@ static struct py_ssl_error_code error_codes[] = {
   #else
     {"PRNG_NOT_SEEDED", 36, 100},
   #endif
+  #ifdef RAND_R_RANDOM_POOL_IS_EMPTY
+    {"RANDOM_POOL_IS_EMPTY", ERR_LIB_RAND, RAND_R_RANDOM_POOL_IS_EMPTY},
+  #else
+    {"RANDOM_POOL_IS_EMPTY", 36, 142},
+  #endif
   #ifdef RAND_R_RANDOM_POOL_OVERFLOW
     {"RANDOM_POOL_OVERFLOW", ERR_LIB_RAND, RAND_R_RANDOM_POOL_OVERFLOW},
   #else
@@ -6923,6 +7058,11 @@ static struct py_ssl_error_code error_codes[] = {
   #else
     {"DIGEST_CHECK_FAILED", 20, 149},
   #endif
+  #ifdef SSL_R_DOMAIN_USE_ONLY
+    {"DOMAIN_USE_ONLY", ERR_LIB_SSL, SSL_R_DOMAIN_USE_ONLY},
+  #else
+    {"DOMAIN_USE_ONLY", 20, 422},
+  #endif
   #ifdef SSL_R_DTLS_MESSAGE_TOO_BIG
     {"DTLS_MESSAGE_TOO_BIG", ERR_LIB_SSL, SSL_R_DTLS_MESSAGE_TOO_BIG},
   #else
@@ -7213,6 +7353,11 @@ static struct py_ssl_error_code error_codes[] = {
   #else
     {"LIBRARY_HAS_NO_CIPHERS", 20, 161},
   #endif
+  #ifdef SSL_R_LISTENER_USE_ONLY
+    {"LISTENER_USE_ONLY", ERR_LIB_SSL, SSL_R_LISTENER_USE_ONLY},
+  #else
+    {"LISTENER_USE_ONLY", 20, 421},
+  #endif
   #ifdef SSL_R_MAXIMUM_ENCRYPTED_PKTS_REACHED
     {"MAXIMUM_ENCRYPTED_PKTS_REACHED", ERR_LIB_SSL, SSL_R_MAXIMUM_ENCRYPTED_PKTS_REACHED},
   #else
@@ -7243,6 +7388,11 @@ static struct py_ssl_error_code error_codes[] = {
   #else
     {"MISSING_PSK_KEX_MODES_EXTENSION", 20, 310},
   #endif
+  #ifdef SSL_R_MISSING_QUIC_TLS_FUNCTIONS
+    {"MISSING_QUIC_TLS_FUNCTIONS", ERR_LIB_SSL, SSL_R_MISSING_QUIC_TLS_FUNCTIONS},
+  #else
+    {"MISSING_QUIC_TLS_FUNCTIONS", 20, 423},
+  #endif
   #ifdef SSL_R_MISSING_RSA_CERTIFICATE
     {"MISSING_RSA_CERTIFICATE", ERR_LIB_SSL, SSL_R_MISSING_RSA_CERTIFICATE},
   #else
@@ -8983,6 +9133,11 @@ static struct py_ssl_error_code error_codes[] = {
   #else
     {"POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY", 34, 159},
   #endif
+  #ifdef X509V3_R_PURPOSE_NOT_UNIQUE
+    {"PURPOSE_NOT_UNIQUE", ERR_LIB_X509V3, X509V3_R_PURPOSE_NOT_UNIQUE},
+  #else
+    {"PURPOSE_NOT_UNIQUE", 34, 173},
+  #endif
   #ifdef X509V3_R_SECTION_NOT_FOUND
     {"SECTION_NOT_FOUND", ERR_LIB_X509V3, X509V3_R_SECTION_NOT_FOUND},
   #else

Tools/ssl/multissltests.py

@@ -44,14 +44,15 @@
 
 OPENSSL_OLD_VERSIONS = [
     "1.1.1w",
+    "3.1.8",
 ]
 
 OPENSSL_RECENT_VERSIONS = [
     "3.0.16",
-    "3.1.8",
-    "3.2.4",
-    "3.3.3",
-    "3.4.1",
+    "3.2.5",
+    "3.3.4",
+    "3.4.2",
+    "3.5.2",
     # See make_ssl_data.py for notes on adding a new version.
 ]
 
@@ -74,8 +75,7 @@
 parser = argparse.ArgumentParser(
     prog='multissl',
     description=(
-        "Run CPython tests with multiple cryptography libraries"
-        "versions."
+        "Run CPython tests with multiple cryptography libraries/versions."
     ),
 )
 parser.add_argument(