From 5e46567c39fd5b1ad35ba9c7b4f677d4be93af0a Mon Sep 17 00:00:00 2001 From: Jeffery To Date: Wed, 24 May 2023 15:56:32 +0800 Subject: [PATCH] python3: Fix hashlib module not compiled for host Python This updates 026-openssl-feature-flags.patch with a newer version from OpenBSD[1]. This also adds 029-no-FIPS_mode.patch to patch out a call to FIPS_mode(). LibreSSL 3.4 does not have a function definition for FIPS_mode. [1]: https://github.com/openbsd/ports/blob/26a04435bf2a09dcbe22b718bfee08997617a906/lang/python/3.10/patches/patch-Modules__hashopenssl_c Signed-off-by: Jeffery To --- lang/python/python3/Makefile | 2 +- .../patches/026-openssl-feature-flags.patch | 57 ++++++++++++++++++- .../python3/patches/029-no-FIPS_mode.patch | 11 ++++ 3 files changed, 67 insertions(+), 3 deletions(-) create mode 100644 lang/python/python3/patches/029-no-FIPS_mode.patch diff --git a/lang/python/python3/Makefile b/lang/python/python3/Makefile index 93ae4df2e6..6633d6ed27 100644 --- a/lang/python/python3/Makefile +++ b/lang/python/python3/Makefile @@ -11,7 +11,7 @@ include $(TOPDIR)/rules.mk include ../python3-version.mk PKG_NAME:=python3 -PKG_RELEASE:=6 +PKG_RELEASE:=7 PKG_VERSION:=$(PYTHON3_VERSION).$(PYTHON3_VERSION_MICRO) PKG_SOURCE:=Python-$(PKG_VERSION).tar.xz diff --git a/lang/python/python3/patches/026-openssl-feature-flags.patch b/lang/python/python3/patches/026-openssl-feature-flags.patch index 9272f36a45..2546048b0d 100644 --- a/lang/python/python3/patches/026-openssl-feature-flags.patch +++ b/lang/python/python3/patches/026-openssl-feature-flags.patch @@ -1,12 +1,65 @@ --- a/Modules/_hashopenssl.c 
+++ b/Modules/_hashopenssl.c -@@ -48,7 +48,9 @@ +@@ -45,10 +45,18 @@ + + #define MUNCH_SIZE INT_MAX + ++#ifdef NID_id_scrypt #define PY_OPENSSL_HAS_SCRYPT 1 ++#endif ++#ifdef NID_sha3_256 #define PY_OPENSSL_HAS_SHA3 1 ++#endif ++#ifdef NID_shake256 #define PY_OPENSSL_HAS_SHAKE 1 -+#ifndef OPENSSL_NO_BLAKE2 ++#endif ++#ifdef NID_blake2s256 #define PY_OPENSSL_HAS_BLAKE2 1 +#endif #if OPENSSL_VERSION_NUMBER >= 0x30000000L #define PY_EVP_MD EVP_MD +@@ -120,19 +128,27 @@ static const py_hashentry_t py_hashes[] + PY_HASH_ENTRY(Py_hash_sha384, "SHA384", SN_sha384, NID_sha384), + PY_HASH_ENTRY(Py_hash_sha512, "SHA512", SN_sha512, NID_sha512), + /* truncated sha2 */ ++#ifdef NID_sha512_256 + PY_HASH_ENTRY(Py_hash_sha512_224, "SHA512_224", SN_sha512_224, NID_sha512_224), + PY_HASH_ENTRY(Py_hash_sha512_256, "SHA512_256", SN_sha512_256, NID_sha512_256), ++#endif + /* sha3 */ ++#ifdef PY_OPENSSL_HAS_SHA3 + PY_HASH_ENTRY(Py_hash_sha3_224, NULL, SN_sha3_224, NID_sha3_224), + PY_HASH_ENTRY(Py_hash_sha3_256, NULL, SN_sha3_256, NID_sha3_256), + PY_HASH_ENTRY(Py_hash_sha3_384, NULL, SN_sha3_384, NID_sha3_384), + PY_HASH_ENTRY(Py_hash_sha3_512, NULL, SN_sha3_512, NID_sha3_512), ++#endif + /* sha3 shake */ ++#ifdef PY_OPENSSL_HAS_SHAKE + PY_HASH_ENTRY(Py_hash_shake_128, NULL, SN_shake128, NID_shake128), + PY_HASH_ENTRY(Py_hash_shake_256, NULL, SN_shake256, NID_shake256), ++#endif + /* blake2 digest */ ++#ifdef PY_OPENSSL_HAS_BLAKE2 + PY_HASH_ENTRY(Py_hash_blake2s, "blake2s256", SN_blake2s256, NID_blake2s256), + PY_HASH_ENTRY(Py_hash_blake2b, "blake2b512", SN_blake2b512, NID_blake2b512), ++#endif + PY_HASH_ENTRY(NULL, NULL, NULL, 0), + }; + +@@ -873,11 +889,15 @@ py_evp_fromname(PyObject *module, const + goto exit; + } + ++#ifndef EVP_MD_FLAG_XOF ++ type = get_hashlib_state(module)->EVPtype; ++#else + if ((EVP_MD_flags(digest) & EVP_MD_FLAG_XOF) == EVP_MD_FLAG_XOF) { + type = get_hashlib_state(module)->EVPXOFtype; + } else { + type = get_hashlib_state(module)->EVPtype; + } ++#endif + + 
self = newEVPobject(type); + if (self == NULL) { diff --git a/lang/python/python3/patches/029-no-FIPS_mode.patch b/lang/python/python3/patches/029-no-FIPS_mode.patch new file mode 100644 index 0000000000..a726fec97b --- /dev/null +++ b/lang/python/python3/patches/029-no-FIPS_mode.patch @@ -0,0 +1,11 @@ +--- a/Modules/_hashopenssl.c ++++ b/Modules/_hashopenssl.c +@@ -1938,7 +1938,7 @@ _hashlib_get_fips_mode_impl(PyObject *mo + return EVP_default_properties_is_fips_enabled(NULL); + #else + ERR_clear_error(); +- int result = FIPS_mode(); ++ int result = 0; + if (result == 0) { + // "If the library was built without support of the FIPS Object Module, + // then the function will return 0 with an error code of
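Review bot: The new guard for `PY_OPENSSL_HAS_BLAKE2` in the `@@ -45,10 +45,18 @@` section of 026-openssl-feature-flags.patch drops the earlier `#ifndef OPENSSL_NO_BLAKE2` test in favour of `#ifdef NID_blake2s256`, so a libcrypto configured without BLAKE2 is no longer excluded if its headers still define the NID. NID macros name object identifiers rather than compiled-in algorithms, so they are probably a weaker signal than the `OPENSSL_NO_*` feature macros. I would keep both conditions, `#if defined(NID_blake2s256) && !defined(OPENSSL_NO_BLAKE2)`, and consider the same pairing for scrypt with `OPENSSL_NO_SCRYPT`. In `py_evp_fromname` the `#ifndef EVP_MD_FLAG_XOF` branch always selects `EVPtype`, which is only consistent if `PY_OPENSSL_HAS_SHAKE` is also undefined on such libraries; a comment stating that assumption would help, for example `/* no XOF flag: SHAKE entries are expected to be compiled out above */`.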
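Review bot: Replacing `FIPS_mode()` with a constant in `_hashlib_get_fips_mode_impl` affects every library that reaches this `#else` branch (presumably all pre-3.0 libcrypto builds), not only LibreSSL, so a build against an OpenSSL 1.x library with FIPS enabled would report FIPS mode as off. The commit message gives LibreSSL 3.4 as the reason, so the change can be scoped to it: keep `int result = 0;` and follow it with `#ifndef LIBRESSL_VERSION_NUMBER`, `result = FIPS_mode();`, `#endif`. A one-line comment such as `/* LibreSSL has no FIPS_mode(); report FIPS as disabled */` would record why the value is fixed. The function starts before and continues past the hunk, so the effect on the error-queue check after `if (result == 0)` cannot be judged from here.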