gh-131423: Update OpenSSL data to 3.4.1 on Linux (#131618)

OpenSSL 3.4.1 mnemonics are not compatible with OpenSSL 3.4.0 ones since
they were renumbered [1, 2]. Consequently, `_ssl_data_34.h` is renamed to
`_ssl_data_340.h` and `_ssl_data_34.h` now contains OpenSSL 3.4.1 mnemonics.

We also refine the mnemonics that are selected, discarding those that are
mnemonic-like but should not be used as such. More precisely, we remove
the ERR_LIB_MASK and ERR_LIB_OFFSET entries from OpenSSL 1.1.1 data.

[1]: openssl/openssl#26316
[2]: openssl/openssl#26388

Author: picnixz

.github/workflows/build.yml

@@ -264,7 +264,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu-24.04]
-        openssl_ver: [3.0.15, 3.1.7, 3.2.3, 3.3.2, 3.4.0]
+        openssl_ver: [3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.1]
         # See Tools/ssl/make_ssl_data.py for notes on adding a new version
     env:
       OPENSSL_VER: ${{ matrix.openssl_ver }}
@@ -331,7 +331,7 @@ jobs:
     needs: build-context
     if: needs.build-context.outputs.run-tests == 'true'
     env:
-      OPENSSL_VER: 3.0.15
+      OPENSSL_VER: 3.0.16
       PYTHONSTRICTEXTENSIONBUILD: 1
     steps:
     - uses: actions/checkout@v4
@@ -450,7 +450,7 @@ jobs:
       matrix:
         os: [ubuntu-24.04]
     env:
-      OPENSSL_VER: 3.0.15
+      OPENSSL_VER: 3.0.16
       PYTHONSTRICTEXTENSIONBUILD: 1
       ASAN_OPTIONS: detect_leaks=0:allocator_may_return_null=1:handle_segv=0
     steps:

Doc/using/configure.rst

@@ -22,7 +22,7 @@ Features and minimum versions required to build CPython:
 
 * Support for threads.
 
-* OpenSSL 1.1.1 is the minimum version and OpenSSL 3.0.9 is the recommended
+* OpenSSL 1.1.1 is the minimum version and OpenSSL 3.0.16 is the recommended
   minimum version for the :mod:`ssl` and :mod:`hashlib` extension modules.
 
 * SQLite 3.15.2 for the :mod:`sqlite3` extension module.

Misc/NEWS.d/next/Library/2025-03-23-11-33-09.gh-issue-131423.bQlcEb.rst

@@ -0,0 +1,2 @@
+:mod:`ssl` can show descriptions for errors added in OpenSSL 3.4.1.
+Patch by Bénédikt Tran.

Modules/_ssl.c

@@ -121,8 +121,10 @@ static void _PySSLFixErrno(void) {
 
 /* Include generated data (error codes) */
 /* See make_ssl_data.h for notes on adding a new version. */
-#if (OPENSSL_VERSION_NUMBER >= 0x30100000L)
+#if (OPENSSL_VERSION_NUMBER >= 0x30401000L)
 #include "_ssl_data_34.h"
+#elif (OPENSSL_VERSION_NUMBER >= 0x30100000L)
+#include "_ssl_data_340.h"
 #elif (OPENSSL_VERSION_NUMBER >= 0x30000000L)
 #include "_ssl_data_300.h"
 #elif (OPENSSL_VERSION_NUMBER >= 0x10101000L)

Modules/_ssl_data_111.h

@@ -1,6 +1,8 @@
 /* File generated by Tools/ssl/make_ssl_data.py */
-/* Generated on 2024-11-27T12:48:46.194048+00:00 */
+/* Generated on 2025-03-26T13:48:34.811613+00:00 */
 /* Generated from Git commit OpenSSL_1_1_1w-0-ge04bd3433f */
+
+/* generated from args.lib2errnum */
 static struct py_ssl_library_code library_codes[] = {
 #ifdef ERR_LIB_ASN1
     {"ASN1", ERR_LIB_ASN1},
@@ -137,10 +139,10 @@ static struct py_ssl_library_code library_codes[] = {
 #ifdef ERR_LIB_X509V3
     {"X509V3", ERR_LIB_X509V3},
 #endif
-    { NULL }
+    {NULL, 0}  /* sentinel */
 };
 
-
+/* generated from args.reasons */
 static struct py_ssl_error_code error_codes[] = {
   #ifdef ASN1_R_ADDING_OBJECT
     {"ADDING_OBJECT", ERR_LIB_ASN1, ASN1_R_ADDING_OBJECT},
@@ -6537,6 +6539,5 @@ static struct py_ssl_error_code error_codes[] = {
   #else
     {"WRONG_TYPE", 11, 122},
   #endif
-    { NULL }
+    {NULL, 0, 0}  /* sentinel */
 };
-

Modules/_ssl_data_34.h

@@ -1,6 +1,8 @@
 /* File generated by Tools/ssl/make_ssl_data.py */
-/* Generated on 2024-11-27T12:35:52.276767+00:00 */
-/* Generated from Git commit openssl-3.4.0-0-g98acb6b028 */
+/* Generated on 2025-03-26T13:47:34.223146+00:00 */
+/* Generated from Git commit openssl-3.4.1-0-ga26d85337d */
+
+/* generated from args.lib2errnum */
 static struct py_ssl_library_code library_codes[] = {
 #ifdef ERR_LIB_ASN1
     {"ASN1", ERR_LIB_ASN1},
@@ -80,9 +82,6 @@ static struct py_ssl_library_code library_codes[] = {
 #ifdef ERR_LIB_KDF
     {"KDF", ERR_LIB_KDF},
 #endif
-#ifdef ERR_LIB_MASK
-    {"MASK", ERR_LIB_MASK},
-#endif
 #ifdef ERR_LIB_METH
     {"METH", ERR_LIB_METH},
 #endif
@@ -95,9 +94,6 @@ static struct py_ssl_library_code library_codes[] = {
 #ifdef ERR_LIB_OCSP
     {"OCSP", ERR_LIB_OCSP},
 #endif
-#ifdef ERR_LIB_OFFSET
-    {"OFFSET", ERR_LIB_OFFSET},
-#endif
 #ifdef ERR_LIB_OSSL_DECODER
     {"OSSL_DECODER", ERR_LIB_OSSL_DECODER},
 #endif
@@ -167,10 +163,10 @@ static struct py_ssl_library_code library_codes[] = {
 #ifdef ERR_LIB_X509V3
     {"X509V3", ERR_LIB_X509V3},
 #endif
-    { NULL }
+    {NULL, 0}  /* sentinel */
 };
 
-
+/* generated from args.reasons */
 static struct py_ssl_error_code error_codes[] = {
   #ifdef ASN1_R_ADDING_OBJECT
     {"ADDING_OBJECT", ERR_LIB_ASN1, ASN1_R_ADDING_OBJECT},
@@ -1762,6 +1758,11 @@ static struct py_ssl_error_code error_codes[] = {
   #else
     {"ERROR_SETTING_RECIPIENTINFO", 46, 116},
   #endif
+  #ifdef CMS_R_ERROR_UNSUPPORTED_STATIC_KEY_AGREEMENT
+    {"ERROR_UNSUPPORTED_STATIC_KEY_AGREEMENT", ERR_LIB_CMS, CMS_R_ERROR_UNSUPPORTED_STATIC_KEY_AGREEMENT},
+  #else
+    {"ERROR_UNSUPPORTED_STATIC_KEY_AGREEMENT", 46, 196},
+  #endif
   #ifdef CMS_R_ESS_SIGNING_CERTID_MISMATCH_ERROR
     {"ESS_SIGNING_CERTID_MISMATCH_ERROR", ERR_LIB_CMS, CMS_R_ESS_SIGNING_CERTID_MISMATCH_ERROR},
   #else
@@ -2122,25 +2123,15 @@ static struct py_ssl_error_code error_codes[] = {
   #else
     {"BROTLI_DECODE_ERROR", 41, 102},
   #endif
-  #ifdef COMP_R_BROTLI_DEFLATE_ERROR
-    {"BROTLI_DEFLATE_ERROR", ERR_LIB_COMP, COMP_R_BROTLI_DEFLATE_ERROR},
-  #else
-    {"BROTLI_DEFLATE_ERROR", 41, 103},
-  #endif
   #ifdef COMP_R_BROTLI_ENCODE_ERROR
     {"BROTLI_ENCODE_ERROR", ERR_LIB_COMP, COMP_R_BROTLI_ENCODE_ERROR},
   #else
-    {"BROTLI_ENCODE_ERROR", 41, 106},
-  #endif
-  #ifdef COMP_R_BROTLI_INFLATE_ERROR
-    {"BROTLI_INFLATE_ERROR", ERR_LIB_COMP, COMP_R_BROTLI_INFLATE_ERROR},
-  #else
-    {"BROTLI_INFLATE_ERROR", 41, 104},
+    {"BROTLI_ENCODE_ERROR", 41, 103},
   #endif
   #ifdef COMP_R_BROTLI_NOT_SUPPORTED
     {"BROTLI_NOT_SUPPORTED", ERR_LIB_COMP, COMP_R_BROTLI_NOT_SUPPORTED},
   #else
-    {"BROTLI_NOT_SUPPORTED", 41, 105},
+    {"BROTLI_NOT_SUPPORTED", 41, 104},
   #endif
   #ifdef COMP_R_ZLIB_DEFLATE_ERROR
     {"ZLIB_DEFLATE_ERROR", ERR_LIB_COMP, COMP_R_ZLIB_DEFLATE_ERROR},
@@ -2160,22 +2151,22 @@ static struct py_ssl_error_code error_codes[] = {
   #ifdef COMP_R_ZSTD_COMPRESS_ERROR
     {"ZSTD_COMPRESS_ERROR", ERR_LIB_COMP, COMP_R_ZSTD_COMPRESS_ERROR},
   #else
-    {"ZSTD_COMPRESS_ERROR", 41, 107},
+    {"ZSTD_COMPRESS_ERROR", 41, 105},
   #endif
   #ifdef COMP_R_ZSTD_DECODE_ERROR
     {"ZSTD_DECODE_ERROR", ERR_LIB_COMP, COMP_R_ZSTD_DECODE_ERROR},
   #else
-    {"ZSTD_DECODE_ERROR", 41, 108},
+    {"ZSTD_DECODE_ERROR", 41, 106},
   #endif
   #ifdef COMP_R_ZSTD_DECOMPRESS_ERROR
     {"ZSTD_DECOMPRESS_ERROR", ERR_LIB_COMP, COMP_R_ZSTD_DECOMPRESS_ERROR},
   #else
-    {"ZSTD_DECOMPRESS_ERROR", 41, 109},
+    {"ZSTD_DECOMPRESS_ERROR", 41, 107},
   #endif
   #ifdef COMP_R_ZSTD_NOT_SUPPORTED
     {"ZSTD_NOT_SUPPORTED", ERR_LIB_COMP, COMP_R_ZSTD_NOT_SUPPORTED},
   #else
-    {"ZSTD_NOT_SUPPORTED", 41, 110},
+    {"ZSTD_NOT_SUPPORTED", 41, 108},
   #endif
   #ifdef CONF_R_ERROR_LOADING_DSO
     {"ERROR_LOADING_DSO", ERR_LIB_CONF, CONF_R_ERROR_LOADING_DSO},
@@ -9272,6 +9263,5 @@ static struct py_ssl_error_code error_codes[] = {
   #else
     {"WRONG_TYPE", 11, 122},
   #endif
-    { NULL }
+    {NULL, 0, 0}  /* sentinel */
 };
-