From eeb8c319eb825554607bbb26aea7de6574c4309a Mon Sep 17 00:00:00 2001
From: Michał Górny <mgorny@gentoo.org>
Date: Wed, 20 Nov 2019 22:33:33 +0100
Subject: dev-lang/python: Import and fix 3.4.10
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Michał Górny <mgorny@gentoo.org>
---
 dev-lang/python/Manifest                           |   2 +
 dev-lang/python/files/3.4-getentropy-linux.patch   |  40 +
 dev-lang/python/files/3.6-disable-nis.patch        |  21 +
 .../python/files/python-3.4.10-openssl11.patch     | 894 +++++++++++++++++++++
 .../files/python-3.4.3-ncurses-pkg-config.patch    |  13 +
 dev-lang/python/files/python-3.4.5-cross.patch     |  11 +
 .../python/files/python-3.5.5-hash-unaligned.patch |  43 +
 dev-lang/python/python-3.4.10.ebuild               | 364 +++++++++
 8 files changed, 1388 insertions(+)
 create mode 100644 dev-lang/python/files/3.4-getentropy-linux.patch
 create mode 100644 dev-lang/python/files/3.6-disable-nis.patch
 create mode 100644 dev-lang/python/files/python-3.4.10-openssl11.patch
 create mode 100644 dev-lang/python/files/python-3.4.3-ncurses-pkg-config.patch
 create mode 100644 dev-lang/python/files/python-3.4.5-cross.patch
 create mode 100644 dev-lang/python/files/python-3.5.5-hash-unaligned.patch
 create mode 100644 dev-lang/python/python-3.4.10.ebuild

diff --git a/dev-lang/python/Manifest b/dev-lang/python/Manifest
index 38fe597..fe0d951 100644
--- a/dev-lang/python/Manifest
+++ b/dev-lang/python/Manifest
@@ -1,3 +1,5 @@
 DIST Python-2.6.9.tar.xz 9333664 SHA256 cae7bb995006ea5b703d9d28446f694894c441fe4bfb95d561c0ac908cd06e41 SHA512 bcd9286b6af3bfa2017f0b32c6c0f9b934224ece496d2d897ab3a61a936d306a5f61a580c060ce501034a614da374d17831a9c9be9f947b01d977b56437c023b WHIRLPOOL 0b9feb710f0c5c8726522465f26ac6fa17e8f87c0e5cda4ef0b130e5d8e213d32aad0143e0ec909c677a7b515ed63ed9e9d50a33890f22068b820a5f15ba47fd
 DIST Python-3.2.6.tar.xz 9243292 SHA256 1d12b501819fd26afafbf8459be1aa279b56f032b4c15412de0a713ce0de7bdc SHA512 514b46029dd5b07f2d287a1f00c6716970197186a38e3f2e1ec60c2292cf03a2dc45165ba9c217e5219c7cb6d96a09f790f5b3bdcc8d11db53f927297fe4ddc9 WHIRLPOOL b34f215e0f50123c5b2969e615ffbab99b631433de8f13cbbca525bf57cbc1bb9a159fba02616b3772be9b249be3cec36d6fd1856a678880674b828eb4ab08ed
 DIST Python-3.3.5.tar.xz 12116308 SHA256 abe99b484434503d8b23be0f243ec27139e743a4798cd71c1dce3cf40e63b6e5 SHA512 562ebd85291f29ff18d37f05682763fc45aa9d070688006f4ef5c89392a48022357c3ca9ee1d795e9e863bdef413e6bab77b8d65581d374a76dbe7cacec65550 WHIRLPOOL f4b6010d32b28b7bb038cbb7c5f98d325cc4253fd1be9a0a1089ed6fd7dd414c5169931d21ef819137d5c1084517a650828f260cf2a1d8ce871bc67aeef3fff8
+DIST Python-3.4.10.tar.xz 14559088 SHA256 d46a8f6fe91679e199c671b1b0a30aaf172d2acb5bcab25beb35f16c3d195b4e SHA512 d5d27d68049b61f135e21b12a800dbd4fc521d6935de178de6e2e88a989cda511d3c8fead90d14e38d2db0e528a74b22674e0da01c51ff4fad7d335ec6c3dbbc WHIRLPOOL 84608931cd785eddd234d207be2caa273575067d7687a0ed05217e2f2ae410da684fcf5ed65cfa17dd8eda082844bb4067cdcb4a277ceb20845ffa9f3baa6f58
+DIST python-gentoo-patches-3.4.6-0.tar.xz 11728 SHA256 93e7c8487deefc36c612403fb6c82e495c46846a1952f9ed85f82af41840be4a SHA512 41c22dc8f1db8800fc0b97eed2b27bf1873e5de1369bd4aecf7a7a91e609a78e45a4b56fc89d575317f33a7704c0c1cad1494e8a993415a198f256e8338f49ab WHIRLPOOL 851945e7ccea985a88bcbd71bc404bc34c27a0e335386e9ed15fa9876aab3285ff559936fb2dcadf7ac0594a7cb03ac3a9e4135b67b350c5fdf33e9a44ca0654
diff --git a/dev-lang/python/files/3.4-getentropy-linux.patch b/dev-lang/python/files/3.4-getentropy-linux.patch
new file mode 100644
index 0000000..9f12389
--- /dev/null
+++ b/dev-lang/python/files/3.4-getentropy-linux.patch
@@ -0,0 +1,40 @@
+From 5635d44079e1bbd9c495951ede8d078e7b8d67d5 Mon Sep 17 00:00:00 2001
+From: Victor Stinner <victor.stinner@gmail.com>
+Date: Mon, 9 Jan 2017 11:10:41 +0100
+Subject: [PATCH] Don't use getentropy() on Linux
+
+Issue #29188: Support glibc 2.24 on Linux: don't use getentropy() function but
+read from /dev/urandom to get random bytes, for example in os.urandom().  On
+Linux, getentropy() is implemented which getrandom() is blocking mode, whereas
+os.urandom() should not block.
+---
+ Python/random.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/Python/random.c b/Python/random.c
+index af3d0bd0d5..dc6400d3b8 100644
+--- a/Python/random.c
++++ b/Python/random.c
+@@ -67,9 +67,16 @@ win32_urandom(unsigned char *buffer, Py_ssize_t size, int raise)
+     return 0;
+ }
+ 
+-/* Issue #25003: Don' use getentropy() on Solaris (available since
+- * Solaris 11.3), it is blocking whereas os.urandom() should not block. */
+-#elif defined(HAVE_GETENTROPY) && !defined(sun)
++/* Issue #25003: Don't use getentropy() on Solaris (available since
++   Solaris 11.3), it is blocking whereas os.urandom() should not block.
++
++   Issue #29188: Don't use getentropy() on Linux since the glibc 2.24
++   implements it with the getrandom() syscall which can fail with ENOSYS,
++   and this error is not supported in py_getentropy() and getrandom() is called
++   with flags=0 which blocks until system urandom is initialized, which is not
++   the desired behaviour to seed the Python hash secret nor for os.urandom():
++   see the PEP 524 which was only implemented in Python 3.6. */
++#elif defined(HAVE_GETENTROPY) && !defined(sun) && !defined(linux)
+ #define PY_GETENTROPY 1
+ 
+ /* Fill buffer with size pseudo-random bytes generated by getentropy().
+-- 
+2.15.0.rc2
+
diff --git a/dev-lang/python/files/3.6-disable-nis.patch b/dev-lang/python/files/3.6-disable-nis.patch
new file mode 100644
index 0000000..4e81847
--- /dev/null
+++ b/dev-lang/python/files/3.6-disable-nis.patch
@@ -0,0 +1,21 @@
+--- a/setup.py
++++ b/setup.py
+@@ -1332,17 +1332,7 @@ class PyBuildExt(build_ext):
+             # Jeremy Hylton's rlimit interface
+             exts.append( Extension('resource', ['resource.c']) )
+ 
+-            # Sun yellow pages. Some systems have the functions in libc.
+-            if (host_platform not in ['cygwin', 'qnx6'] and
+-                find_file('rpcsvc/yp_prot.h', inc_dirs, []) is not None):
+-                if (self.compiler.find_library_file(lib_dirs, 'nsl')):
+-                    libs = ['nsl']
+-                else:
+-                    libs = []
+-                exts.append( Extension('nis', ['nismodule.c'],
+-                                       libraries = libs) )
+-            else:
+-                missing.append('nis')
++            missing.append('nis')
+         else:
+             missing.extend(['nis', 'resource', 'termios'])
+ 
diff --git a/dev-lang/python/files/python-3.4.10-openssl11.patch b/dev-lang/python/files/python-3.4.10-openssl11.patch
new file mode 100644
index 0000000..f5fe537
--- /dev/null
+++ b/dev-lang/python/files/python-3.4.10-openssl11.patch
@@ -0,0 +1,894 @@
+From 9c7a4d7baebfa84c2fa2deff7417871d96f714f2 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <christian@python.org>
+Date: Mon, 5 Sep 2016 23:19:05 +0200
+Subject: [PATCH] Issue #26470: Port ssl and hashlib module to OpenSSL 1.1.0.
+
+(rebased for 3.4.10)
+---
+ Lib/ssl.py             |  15 ++--
+ Lib/test/test_ssl.py   |  27 +++---
+ Modules/_hashopenssl.c | 167 +++++++++++++++++++++++--------------
+ Modules/_ssl.c         | 184 +++++++++++++++++++++++++++++++----------
+ 4 files changed, 271 insertions(+), 122 deletions(-)
+
+diff --git a/Lib/ssl.py b/Lib/ssl.py
+index 873aa4798b..359809a020 100644
+--- a/Lib/ssl.py
++++ b/Lib/ssl.py
+@@ -51,6 +51,7 @@ The following constants identify various SSL protocol variants:
+ PROTOCOL_SSLv2
+ PROTOCOL_SSLv3
+ PROTOCOL_SSLv23
++PROTOCOL_TLS
+ PROTOCOL_TLSv1
+ PROTOCOL_TLSv1_1
+ PROTOCOL_TLSv1_2
+@@ -348,13 +349,13 @@ class SSLContext(_SSLContext):
+     __slots__ = ('protocol', '__weakref__')
+     _windows_cert_stores = ("CA", "ROOT")
+ 
+-    def __new__(cls, protocol, *args, **kwargs):
++    def __new__(cls, protocol=PROTOCOL_TLS, *args, **kwargs):
+         self = _SSLContext.__new__(cls, protocol)
+         if protocol != _SSLv2_IF_EXISTS:
+             self.set_ciphers(_DEFAULT_CIPHERS)
+         return self
+ 
+-    def __init__(self, protocol):
++    def __init__(self, protocol=PROTOCOL_TLS):
+         self.protocol = protocol
+ 
+     def wrap_socket(self, sock, server_side=False,
+@@ -408,7 +409,7 @@ def create_default_context(purpose=Purpose.SERVER_AUTH, *, cafile=None,
+     if not isinstance(purpose, _ASN1Object):
+         raise TypeError(purpose)
+ 
+-    context = SSLContext(PROTOCOL_SSLv23)
++    context = SSLContext(PROTOCOL_TLS)
+ 
+     # SSLv2 considered harmful.
+     context.options |= OP_NO_SSLv2
+@@ -445,7 +446,7 @@ def create_default_context(purpose=Purpose.SERVER_AUTH, *, cafile=None,
+         context.load_default_certs(purpose)
+     return context
+ 
+-def _create_unverified_context(protocol=PROTOCOL_SSLv23, *, cert_reqs=None,
++def _create_unverified_context(protocol=PROTOCOL_TLS, *, cert_reqs=None,
+                            check_hostname=False, purpose=Purpose.SERVER_AUTH,
+                            certfile=None, keyfile=None,
+                            cafile=None, capath=None, cadata=None):
+@@ -501,7 +502,7 @@ class SSLSocket(socket):
+ 
+     def __init__(self, sock=None, keyfile=None, certfile=None,
+                  server_side=False, cert_reqs=CERT_NONE,
+-                 ssl_version=PROTOCOL_SSLv23, ca_certs=None,
++                 ssl_version=PROTOCOL_TLS, ca_certs=None,
+                  do_handshake_on_connect=True,
+                  family=AF_INET, type=SOCK_STREAM, proto=0, fileno=None,
+                  suppress_ragged_eofs=True, npn_protocols=None, ciphers=None,
+@@ -883,7 +884,7 @@ class SSLSocket(socket):
+ 
+ def wrap_socket(sock, keyfile=None, certfile=None,
+                 server_side=False, cert_reqs=CERT_NONE,
+-                ssl_version=PROTOCOL_SSLv23, ca_certs=None,
++                ssl_version=PROTOCOL_TLS, ca_certs=None,
+                 do_handshake_on_connect=True,
+                 suppress_ragged_eofs=True,
+                 ciphers=None):
+@@ -930,7 +931,7 @@ def PEM_cert_to_DER_cert(pem_cert_string):
+     d = pem_cert_string.strip()[len(PEM_HEADER):-len(PEM_FOOTER)]
+     return base64.decodebytes(d.encode('ASCII', 'strict'))
+ 
+-def get_server_certificate(addr, ssl_version=PROTOCOL_SSLv23, ca_certs=None):
++def get_server_certificate(addr, ssl_version=PROTOCOL_TLS, ca_certs=None):
+     """Retrieve the certificate from the server at the specified address,
+     and return it as a PEM-encoded string.
+     If 'ca_certs' is specified, validate the server cert against it.
+diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
+index e36a309bfa..b663a04aa2 100644
+--- a/Lib/test/test_ssl.py
++++ b/Lib/test/test_ssl.py
+@@ -23,6 +23,9 @@ ssl = support.import_module("ssl")
+ 
+ PROTOCOLS = sorted(ssl._PROTOCOL_NAMES)
+ HOST = support.HOST
++IS_LIBRESSL = ssl.OPENSSL_VERSION.startswith('LibreSSL')
++IS_OPENSSL_1_1 = not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0)
++
+ 
+ def data_file(*name):
+     return os.path.join(os.path.dirname(__file__), *name)
+@@ -318,9 +321,9 @@ class BasicSocketTests(unittest.TestCase):
+         self.assertGreaterEqual(status, 0)
+         self.assertLessEqual(status, 15)
+         # Version string as returned by {Open,Libre}SSL, the format might change
+-        if "LibreSSL" in s:
+-            self.assertTrue(s.startswith("LibreSSL {:d}.{:d}".format(major, minor)),
+-                            (s, t))
++        if IS_LIBRESSL:
++            self.assertTrue(s.startswith("LibreSSL {:d}".format(major)),
++                            (s, t, hex(n)))
+         else:
+             self.assertTrue(s.startswith("OpenSSL {:d}.{:d}.{:d}".format(major, minor, fix)),
+                             (s, t))
+@@ -677,7 +680,8 @@ class ContextTests(unittest.TestCase):
+     def test_constructor(self):
+         for protocol in PROTOCOLS:
+             ssl.SSLContext(protocol)
+-        self.assertRaises(TypeError, ssl.SSLContext)
++        ctx = ssl.SSLContext()
++        self.assertEqual(ctx.protocol, ssl.PROTOCOL_TLS)
+         self.assertRaises(ValueError, ssl.SSLContext, -1)
+         self.assertRaises(ValueError, ssl.SSLContext, 42)
+ 
+@@ -698,15 +702,15 @@ class ContextTests(unittest.TestCase):
+     def test_options(self):
+         ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+         # OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3 is the default value
+-        self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3,
+-                         ctx.options)
++        default = (ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3)
++        if not IS_LIBRESSL and ssl.OPENSSL_VERSION_INFO >= (1, 1, 0):
++            default |= ssl.OP_NO_COMPRESSION
++        self.assertEqual(default, ctx.options)
+         ctx.options |= ssl.OP_NO_TLSv1
+-        self.assertEqual(ssl.OP_ALL | ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | ssl.OP_NO_TLSv1,
+-                         ctx.options)
++        self.assertEqual(default | ssl.OP_NO_TLSv1, ctx.options)
+         if can_clear_options():
+-            ctx.options = (ctx.options & ~ssl.OP_NO_SSLv2) | ssl.OP_NO_TLSv1
+-            self.assertEqual(ssl.OP_ALL | ssl.OP_NO_TLSv1 | ssl.OP_NO_SSLv3,
+-                             ctx.options)
++            ctx.options = (ctx.options & ~ssl.OP_NO_TLSv1)
++            self.assertEqual(default, ctx.options)
+             ctx.options = 0
+             # Ubuntu has OP_NO_SSLv3 forced on by default
+             self.assertEqual(0, ctx.options & ~ssl.OP_NO_SSLv3)
+@@ -1042,6 +1046,7 @@ class ContextTests(unittest.TestCase):
+         self.assertRaises(TypeError, ctx.load_default_certs, 'SERVER_AUTH')
+ 
+     @unittest.skipIf(sys.platform == "win32", "not-Windows specific")
++    @unittest.skipIf(IS_LIBRESSL, "LibreSSL doesn't support env vars")
+     def test_load_default_certs_env(self):
+         ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
+         with support.EnvironmentVarGuard() as env:
+diff --git a/Modules/_hashopenssl.c b/Modules/_hashopenssl.c
+index 5b0a7be12b..86a8950588 100644
+--- a/Modules/_hashopenssl.c
++++ b/Modules/_hashopenssl.c
+@@ -20,7 +20,6 @@
+ 
+ /* EVP is the preferred interface to hashing in OpenSSL */
+ #include <openssl/evp.h>
+-#include <openssl/hmac.h>
+ /* We use the object interface to discover what hashes OpenSSL supports. */
+ #include <openssl/objects.h>
+ #include "openssl/err.h"
+@@ -31,15 +30,22 @@
+ #define HASH_OBJ_CONSTRUCTOR 0
+ #endif
+ 
+-/* Minimum OpenSSL version needed to support sha224 and higher. */
+-#if defined(OPENSSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x00908000)
+-#define _OPENSSL_SUPPORTS_SHA2
++#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
++/* OpenSSL < 1.1.0 */
++#define EVP_MD_CTX_new EVP_MD_CTX_create
++#define EVP_MD_CTX_free EVP_MD_CTX_destroy
++#define HAS_FAST_PKCS5_PBKDF2_HMAC 0
++#include <openssl/hmac.h>
++#else
++/* OpenSSL >= 1.1.0 */
++#define HAS_FAST_PKCS5_PBKDF2_HMAC 1
+ #endif
+ 
++
+ typedef struct {
+     PyObject_HEAD
+     PyObject            *name;  /* name of this hash algorithm */
+-    EVP_MD_CTX           ctx;   /* OpenSSL message digest context */
++    EVP_MD_CTX          *ctx;   /* OpenSSL message digest context */
+ #ifdef WITH_THREAD
+     PyThread_type_lock   lock;  /* OpenSSL context lock */
+ #endif
+@@ -51,7 +57,6 @@ static PyTypeObject EVPtype;
+ 
+ #define DEFINE_CONSTS_FOR_NEW(Name)  \
+     static PyObject *CONST_ ## Name ## _name_obj = NULL; \
+-    static EVP_MD_CTX CONST_new_ ## Name ## _ctx; \
+     static EVP_MD_CTX *CONST_new_ ## Name ## _ctx_p = NULL;
+ 
+ DEFINE_CONSTS_FOR_NEW(md5)
+@@ -64,19 +69,57 @@ DEFINE_CONSTS_FOR_NEW(sha512)
+ #endif
+ 
+ 
++/* LCOV_EXCL_START */
++static PyObject *
++_setException(PyObject *exc)
++{
++    unsigned long errcode;
++    const char *lib, *func, *reason;
++
++    errcode = ERR_peek_last_error();
++    if (!errcode) {
++        PyErr_SetString(exc, "unknown reasons");
++        return NULL;
++    }
++    ERR_clear_error();
++
++    lib = ERR_lib_error_string(errcode);
++    func = ERR_func_error_string(errcode);
++    reason = ERR_reason_error_string(errcode);
++
++    if (lib && func) {
++        PyErr_Format(exc, "[%s: %s] %s", lib, func, reason);
++    }
++    else if (lib) {
++        PyErr_Format(exc, "[%s] %s", lib, reason);
++    }
++    else {
++        PyErr_SetString(exc, reason);
++    }
++    return NULL;
++}
++/* LCOV_EXCL_STOP */
++
+ static EVPobject *
+ newEVPobject(PyObject *name)
+ {
+     EVPobject *retval = (EVPobject *)PyObject_New(EVPobject, &EVPtype);
++    if (retval == NULL) {
++        return NULL;
++    }
++
++    retval->ctx = EVP_MD_CTX_new();
++    if (retval->ctx == NULL) {
++        PyErr_NoMemory();
++        return NULL;
++    }
+ 
+     /* save the name for .name to return */
+-    if (retval != NULL) {
+-        Py_INCREF(name);
+-        retval->name = name;
++    Py_INCREF(name);
++    retval->name = name;
+ #ifdef WITH_THREAD
+-        retval->lock = NULL;
++    retval->lock = NULL;
+ #endif
+-    }
+ 
+     return retval;
+ }
+@@ -91,7 +134,7 @@ EVP_hash(EVPobject *self, const void *vp, Py_ssize_t len)
+             process = MUNCH_SIZE;
+         else
+             process = Py_SAFE_DOWNCAST(len, Py_ssize_t, unsigned int);
+-        EVP_DigestUpdate(&self->ctx, (const void*)cp, process);
++        EVP_DigestUpdate(self->ctx, (const void*)cp, process);
+         len -= process;
+         cp += process;
+     }
+@@ -106,16 +149,19 @@ EVP_dealloc(EVPobject *self)
+     if (self->lock != NULL)
+         PyThread_free_lock(self->lock);
+ #endif
+-    EVP_MD_CTX_cleanup(&self->ctx);
++    EVP_MD_CTX_free(self->ctx);
+     Py_XDECREF(self->name);
+     PyObject_Del(self);
+ }
+ 
+-static void locked_EVP_MD_CTX_copy(EVP_MD_CTX *new_ctx_p, EVPobject *self)
++static int
++locked_EVP_MD_CTX_copy(EVP_MD_CTX *new_ctx_p, EVPobject *self)
+ {
++    int result;
+     ENTER_HASHLIB(self);
+-    EVP_MD_CTX_copy(new_ctx_p, &self->ctx);
++    result = EVP_MD_CTX_copy(new_ctx_p, self->ctx);
+     LEAVE_HASHLIB(self);
++    return result;
+ }
+ 
+ /* External methods for a hash object */
+@@ -131,7 +177,9 @@ EVP_copy(EVPobject *self, PyObject *unused)
+     if ( (newobj = newEVPobject(self->name))==NULL)
+         return NULL;
+ 
+-    locked_EVP_MD_CTX_copy(&newobj->ctx, self);
++    if (!locked_EVP_MD_CTX_copy(newobj->ctx, self)) {
++        return _setException(PyExc_ValueError);
++    }
+     return (PyObject *)newobj;
+ }
+ 
+@@ -142,16 +190,24 @@ static PyObject *
+ EVP_digest(EVPobject *self, PyObject *unused)
+ {
+     unsigned char digest[EVP_MAX_MD_SIZE];
+-    EVP_MD_CTX temp_ctx;
++    EVP_MD_CTX *temp_ctx;
+     PyObject *retval;
+     unsigned int digest_size;
+ 
+-    locked_EVP_MD_CTX_copy(&temp_ctx, self);
+-    digest_size = EVP_MD_CTX_size(&temp_ctx);
+-    EVP_DigestFinal(&temp_ctx, digest, NULL);
++    temp_ctx = EVP_MD_CTX_new();
++    if (temp_ctx == NULL) {
++        PyErr_NoMemory();
++        return NULL;
++    }
++
++    if (!locked_EVP_MD_CTX_copy(temp_ctx, self)) {
++        return _setException(PyExc_ValueError);
++    }
++    digest_size = EVP_MD_CTX_size(temp_ctx);
++    EVP_DigestFinal(temp_ctx, digest, NULL);
+ 
+     retval = PyBytes_FromStringAndSize((const char *)digest, digest_size);
+-    EVP_MD_CTX_cleanup(&temp_ctx);
++    EVP_MD_CTX_free(temp_ctx);
+     return retval;
+ }
+ 
+@@ -162,17 +218,25 @@ static PyObject *
+ EVP_hexdigest(EVPobject *self, PyObject *unused)
+ {
+     unsigned char digest[EVP_MAX_MD_SIZE];
+-    EVP_MD_CTX temp_ctx;
++    EVP_MD_CTX *temp_ctx;
+     PyObject *retval;
+     char *hex_digest;
+     unsigned int i, j, digest_size;
+ 
++    temp_ctx = EVP_MD_CTX_new();
++    if (temp_ctx == NULL) {
++        PyErr_NoMemory();
++        return NULL;
++    }
++
+     /* Get the raw (binary) digest value */
+-    locked_EVP_MD_CTX_copy(&temp_ctx, self);
+-    digest_size = EVP_MD_CTX_size(&temp_ctx);
+-    EVP_DigestFinal(&temp_ctx, digest, NULL);
++    if (!locked_EVP_MD_CTX_copy(temp_ctx, self)) {
++        return _setException(PyExc_ValueError);
++    }
++    digest_size = EVP_MD_CTX_size(temp_ctx);
++    EVP_DigestFinal(temp_ctx, digest, NULL);
+ 
+-    EVP_MD_CTX_cleanup(&temp_ctx);
++    EVP_MD_CTX_free(temp_ctx);
+ 
+     /* Allocate a new buffer */
+     hex_digest = PyMem_Malloc(digest_size * 2 + 1);
+@@ -241,7 +305,7 @@ static PyObject *
+ EVP_get_block_size(EVPobject *self, void *closure)
+ {
+     long block_size;
+-    block_size = EVP_MD_CTX_block_size(&self->ctx);
++    block_size = EVP_MD_CTX_block_size(self->ctx);
+     return PyLong_FromLong(block_size);
+ }
+ 
+@@ -249,7 +313,7 @@ static PyObject *
+ EVP_get_digest_size(EVPobject *self, void *closure)
+ {
+     long size;
+-    size = EVP_MD_CTX_size(&self->ctx);
++    size = EVP_MD_CTX_size(self->ctx);
+     return PyLong_FromLong(size);
+ }
+ 
+@@ -310,7 +374,7 @@ EVP_tp_init(EVPobject *self, PyObject *args, PyObject *kwds)
+             PyBuffer_Release(&view);
+         return -1;
+     }
+-    EVP_DigestInit(&self->ctx, digest);
++    EVP_DigestInit(self->ctx, digest);
+ 
+     self->name = name_obj;
+     Py_INCREF(self->name);
+@@ -407,9 +471,9 @@ EVPnew(PyObject *name_obj,
+         return NULL;
+ 
+     if (initial_ctx) {
+-        EVP_MD_CTX_copy(&self->ctx, initial_ctx);
++        EVP_MD_CTX_copy(self->ctx, initial_ctx);
+     } else {
+-        EVP_DigestInit(&self->ctx, digest);
++        EVP_DigestInit(self->ctx, digest);
+     }
+ 
+     if (cp && len) {
+@@ -475,6 +539,7 @@ EVP_new(PyObject *self, PyObject *args, PyObject *kwdict)
+ 
+ #define PY_PBKDF2_HMAC 1
+ 
++#if !HAS_FAST_PKCS5_PBKDF2_HMAC
+ /* Improved implementation of PKCS5_PBKDF2_HMAC()
+  *
+  * PKCS5_PBKDF2_HMAC_fast() hashes the password exactly one time instead of
+@@ -556,37 +621,8 @@ PKCS5_PBKDF2_HMAC_fast(const char *pass, int passlen,
+     HMAC_CTX_cleanup(&hctx_tpl);
+     return 1;
+ }
++#endif
+ 
+-/* LCOV_EXCL_START */
+-static PyObject *
+-_setException(PyObject *exc)
+-{
+-    unsigned long errcode;
+-    const char *lib, *func, *reason;
+-
+-    errcode = ERR_peek_last_error();
+-    if (!errcode) {
+-        PyErr_SetString(exc, "unknown reasons");
+-        return NULL;
+-    }
+-    ERR_clear_error();
+-
+-    lib = ERR_lib_error_string(errcode);
+-    func = ERR_func_error_string(errcode);
+-    reason = ERR_reason_error_string(errcode);
+-
+-    if (lib && func) {
+-        PyErr_Format(exc, "[%s: %s] %s", lib, func, reason);
+-    }
+-    else if (lib) {
+-        PyErr_Format(exc, "[%s] %s", lib, reason);
+-    }
+-    else {
+-        PyErr_SetString(exc, reason);
+-    }
+-    return NULL;
+-}
+-/* LCOV_EXCL_STOP */
+ 
+ PyDoc_STRVAR(pbkdf2_hmac__doc__,
+ "pbkdf2_hmac(hash_name, password, salt, iterations, dklen=None) -> key\n\
+@@ -668,10 +704,17 @@ pbkdf2_hmac(PyObject *self, PyObject *args, PyObject *kwdict)
+     key = PyBytes_AS_STRING(key_obj);
+ 
+     Py_BEGIN_ALLOW_THREADS
++#if HAS_FAST_PKCS5_PBKDF2_HMAC
++    retval = PKCS5_PBKDF2_HMAC((char*)password.buf, (int)password.len,
++                               (unsigned char *)salt.buf, (int)salt.len,
++                               iterations, digest, dklen,
++                               (unsigned char *)key);
++#else
+     retval = PKCS5_PBKDF2_HMAC_fast((char*)password.buf, (int)password.len,
+                                     (unsigned char *)salt.buf, (int)salt.len,
+                                     iterations, digest, dklen,
+                                     (unsigned char *)key);
++#endif
+     Py_END_ALLOW_THREADS
+ 
+     if (!retval) {
+@@ -790,7 +833,7 @@ generate_hash_name_list(void)
+     if (CONST_ ## NAME ## _name_obj == NULL) { \
+         CONST_ ## NAME ## _name_obj = PyUnicode_FromString(#NAME); \
+         if (EVP_get_digestbyname(#NAME)) { \
+-            CONST_new_ ## NAME ## _ctx_p = &CONST_new_ ## NAME ## _ctx; \
++            CONST_new_ ## NAME ## _ctx_p = EVP_MD_CTX_new(); \
+             EVP_DigestInit(CONST_new_ ## NAME ## _ctx_p, EVP_get_digestbyname(#NAME)); \
+         } \
+     } \
+diff --git a/Modules/_ssl.c b/Modules/_ssl.c
+index 0ff9d553e2..512e5f10ce 100644
+--- a/Modules/_ssl.c
++++ b/Modules/_ssl.c
+@@ -55,6 +55,14 @@ static PySocketModule_APIObject PySocketModule;
+ #include <sys/poll.h>
+ #endif
+ 
++/* Don't warn about deprecated functions */
++#ifdef __GNUC__
++#pragma GCC diagnostic ignored "-Wdeprecated-declarations"
++#endif
++#ifdef __clang__
++#pragma clang diagnostic ignored "-Wdeprecated-declarations"
++#endif
++
+ /* Include OpenSSL header files */
+ #include "openssl/rsa.h"
+ #include "openssl/crypto.h"
+@@ -90,6 +98,10 @@ struct py_ssl_library_code {
+ /* Include generated data (error codes) */
+ #include "_ssl_data.h"
+ 
++#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
++#  define OPENSSL_VERSION_1_1 1
++#endif
++
+ /* Openssl comes with TLSv1.1 and TLSv1.2 between 1.0.0h and 1.0.1
+     http://www.openssl.org/news/changelog.html
+  */
+@@ -108,6 +120,80 @@ struct py_ssl_library_code {
+ # define HAVE_SNI 0
+ #endif
+ 
++#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
++# define HAVE_ALPN
++#endif
++
++#ifndef INVALID_SOCKET /* MS defines this */
++#define INVALID_SOCKET (-1)
++#endif
++
++#ifdef OPENSSL_VERSION_1_1
++/* OpenSSL 1.1.0+ */
++#ifndef OPENSSL_NO_SSL2
++#define OPENSSL_NO_SSL2
++#endif
++#else /* OpenSSL < 1.1.0 */
++#if defined(WITH_THREAD)
++#define HAVE_OPENSSL_CRYPTO_LOCK
++#endif
++
++#define TLS_method SSLv23_method
++
++static int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne)
++{
++    return ne->set;
++}
++
++#ifndef OPENSSL_NO_COMP
++static int COMP_get_type(const COMP_METHOD *meth)
++{
++    return meth->type;
++}
++
++static const char *COMP_get_name(const COMP_METHOD *meth)
++{
++    return meth->name;
++}
++#endif
++
++static pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
++{
++    return ctx->default_passwd_callback;
++}
++
++static void *SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx)
++{
++    return ctx->default_passwd_callback_userdata;
++}
++
++static int X509_OBJECT_get_type(X509_OBJECT *x)
++{
++    return x->type;
++}
++
++static X509 *X509_OBJECT_get0_X509(X509_OBJECT *x)
++{
++    return x->data.x509;
++}
++
++static int BIO_up_ref(BIO *b)
++{
++    CRYPTO_add(&b->references, 1, CRYPTO_LOCK_BIO);
++    return 1;
++}
++
++static STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *store) {
++    return store->objs;
++}
++
++static X509_VERIFY_PARAM *X509_STORE_get0_param(X509_STORE *store)
++{
++    return store->param;
++}
++#endif /* OpenSSL < 1.1.0 or LibreSSL */
++
++
+ enum py_ssl_error {
+     /* these mirror ssl.h */
+     PY_SSL_ERROR_NONE,
+@@ -138,7 +224,7 @@ enum py_ssl_cert_requirements {
+ enum py_ssl_version {
+     PY_SSL_VERSION_SSL2,
+     PY_SSL_VERSION_SSL3=1,
+-    PY_SSL_VERSION_SSL23,
++    PY_SSL_VERSION_TLS,
+ #if HAVE_TLSv1_2
+     PY_SSL_VERSION_TLS1,
+     PY_SSL_VERSION_TLS1_1,
+@@ -504,7 +590,7 @@ newPySSLSocket(PySSLContext *sslctx, PySocketSockObject *sock,
+     PySSL_BEGIN_ALLOW_THREADS
+     self->ssl = SSL_new(ctx);
+     PySSL_END_ALLOW_THREADS
+-    SSL_set_app_data(self->ssl,self);
++    SSL_set_app_data(self->ssl, self);
+     SSL_set_fd(self->ssl, Py_SAFE_DOWNCAST(sock->sock_fd, SOCKET_T, int));
+     mode = SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER;
+ #ifdef SSL_MODE_AUTO_RETRY
+@@ -691,7 +777,7 @@ _create_tuple_for_X509_NAME (X509_NAME *xname)
+ 
+         /* check to see if we've gotten to a new RDN */
+         if (rdn_level >= 0) {
+-            if (rdn_level != entry->set) {
++            if (rdn_level != X509_NAME_ENTRY_set(entry)) {
+                 /* yes, new RDN */
+                 /* add old RDN to DN */
+                 rdnt = PyList_AsTuple(rdn);
+@@ -708,7 +794,7 @@ _create_tuple_for_X509_NAME (X509_NAME *xname)
+                     goto fail0;
+             }
+         }
+-        rdn_level = entry->set;
++        rdn_level = X509_NAME_ENTRY_set(entry);
+ 
+         /* now add this attribute to the current RDN */
+         name = X509_NAME_ENTRY_get_object(entry);
+@@ -811,18 +897,18 @@ _get_peer_alt_names (X509 *certificate) {
+             goto fail;
+         }
+ 
+-        p = ext->value->data;
++        p = X509_EXTENSION_get_data(ext)->data;
+         if (method->it)
+             names = (GENERAL_NAMES*)
+               (ASN1_item_d2i(NULL,
+                              &p,
+-                             ext->value->length,
++                             X509_EXTENSION_get_data(ext)->length,
+                              ASN1_ITEM_ptr(method->it)));
+         else
+             names = (GENERAL_NAMES*)
+               (method->d2i(NULL,
+                            &p,
+-                           ext->value->length));
++                           X509_EXTENSION_get_data(ext)->length));
+ 
+         for(j = 0; j < sk_GENERAL_NAME_num(names); j++) {
+             /* get a rendering of each name in the set of names */
+@@ -1033,13 +1119,11 @@ _get_crl_dp(X509 *certificate) {
+     int i, j;
+     PyObject *lst, *res = NULL;
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10001000L
+-    dps = X509_get_ext_d2i(certificate, NID_crl_distribution_points, NULL, NULL);
+-#else
++#if OPENSSL_VERSION_NUMBER >= 0x10001000L
+     /* Calls x509v3_cache_extensions and sets up crldp */
+     X509_check_ca(certificate);
+-    dps = certificate->crldp;
+ #endif
++    dps = X509_get_ext_d2i(certificate, NID_crl_distribution_points, NULL, NULL);
+ 
+     if (dps == NULL)
+         return Py_None;
+@@ -1431,9 +1515,9 @@ static PyObject *PySSL_compression(PySSLSocket *self) {
+     if (self->ssl == NULL)
+         Py_RETURN_NONE;
+     comp_method = SSL_get_current_compression(self->ssl);
+-    if (comp_method == NULL || comp_method->type == NID_undef)
++    if (comp_method == NULL || COMP_get_type(comp_method) == NID_undef)
+         Py_RETURN_NONE;
+-    short_name = OBJ_nid2sn(comp_method->type);
++    short_name = COMP_get_name(comp_method);
+     if (short_name == NULL)
+         Py_RETURN_NONE;
+     return PyUnicode_DecodeFSDefault(short_name);
+@@ -1981,7 +2065,7 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
+ {
+     char *kwlist[] = {"protocol", NULL};
+     PySSLContext *self;
+-    int proto_version = PY_SSL_VERSION_SSL23;
++    int proto_version = PY_SSL_VERSION_TLS;
+     long options;
+     SSL_CTX *ctx = NULL;
+ 
+@@ -2007,8 +2091,8 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
+     else if (proto_version == PY_SSL_VERSION_SSL2)
+         ctx = SSL_CTX_new(SSLv2_method());
+ #endif
+-    else if (proto_version == PY_SSL_VERSION_SSL23)
+-        ctx = SSL_CTX_new(SSLv23_method());
++    else if (proto_version == PY_SSL_VERSION_TLS)
++        ctx = SSL_CTX_new(TLS_method());
+     else
+         proto_version = -1;
+     PySSL_END_ALLOW_THREADS
+@@ -2051,8 +2135,9 @@ context_new(PyTypeObject *type, PyObject *args, PyObject *kwds)
+ #ifndef OPENSSL_NO_ECDH
+     /* Allow automatic ECDH curve selection (on OpenSSL 1.0.2+), or use
+        prime256v1 by default.  This is Apache mod_ssl's initialization
+-       policy, so we should be safe. */
+-#if defined(SSL_CTX_set_ecdh_auto)
++       policy, so we should be safe. OpenSSL 1.1 has it enabled by default.
++     */
++#if defined(SSL_CTX_set_ecdh_auto) && !defined(OPENSSL_VERSION_1_1)
+     SSL_CTX_set_ecdh_auto(self->ctx, 1);
+ #else
+     {
+@@ -2263,10 +2348,12 @@ static PyObject *
+ get_verify_flags(PySSLContext *self, void *c)
+ {
+     X509_STORE *store;
++    X509_VERIFY_PARAM *param;
+     unsigned long flags;
+ 
+     store = SSL_CTX_get_cert_store(self->ctx);
+-    flags = X509_VERIFY_PARAM_get_flags(store->param);
++    param = X509_STORE_get0_param(store);
++    flags = X509_VERIFY_PARAM_get_flags(param);
+     return PyLong_FromUnsignedLong(flags);
+ }
+ 
+@@ -2274,22 +2361,24 @@ static int
+ set_verify_flags(PySSLContext *self, PyObject *arg, void *c)
+ {
+     X509_STORE *store;
++    X509_VERIFY_PARAM *param;
+     unsigned long new_flags, flags, set, clear;
+ 
+     if (!PyArg_Parse(arg, "k", &new_flags))
+         return -1;
+     store = SSL_CTX_get_cert_store(self->ctx);
+-    flags = X509_VERIFY_PARAM_get_flags(store->param);
++    param = X509_STORE_get0_param(store);
++    flags = X509_VERIFY_PARAM_get_flags(param);
+     clear = flags & ~new_flags;
+     set = ~flags & new_flags;
+     if (clear) {
+-        if (!X509_VERIFY_PARAM_clear_flags(store->param, clear)) {
++        if (!X509_VERIFY_PARAM_clear_flags(param, clear)) {
+             _setSSLError(NULL, 0, __FILE__, __LINE__);
+             return -1;
+         }
+     }
+     if (set) {
+-        if (!X509_VERIFY_PARAM_set_flags(store->param, set)) {
++        if (!X509_VERIFY_PARAM_set_flags(param, set)) {
+             _setSSLError(NULL, 0, __FILE__, __LINE__);
+             return -1;
+         }
+@@ -2459,8 +2548,8 @@ load_cert_chain(PySSLContext *self, PyObject *args, PyObject *kwds)
+     char *kwlist[] = {"certfile", "keyfile", "password", NULL};
+     PyObject *certfile, *keyfile = NULL, *password = NULL;
+     PyObject *certfile_bytes = NULL, *keyfile_bytes = NULL;
+-    pem_password_cb *orig_passwd_cb = self->ctx->default_passwd_callback;
+-    void *orig_passwd_userdata = self->ctx->default_passwd_callback_userdata;
++    pem_password_cb *orig_passwd_cb = SSL_CTX_get_default_passwd_cb(self->ctx);
++    void *orig_passwd_userdata = SSL_CTX_get_default_passwd_cb_userdata(self->ctx);
+     _PySSLPasswordInfo pw_info = { NULL, NULL, NULL, 0, 0 };
+     int r;
+ 
+@@ -2591,8 +2680,9 @@ _add_ca_certs(PySSLContext *self, void *data, Py_ssize_t len,
+             cert = d2i_X509_bio(biobuf, NULL);
+         } else {
+             cert = PEM_read_bio_X509(biobuf, NULL,
+-                                     self->ctx->default_passwd_callback,
+-                                     self->ctx->default_passwd_callback_userdata);
++                                     SSL_CTX_get_default_passwd_cb(self->ctx),
++                                     SSL_CTX_get_default_passwd_cb_userdata(self->ctx)
++                                    );
+         }
+         if (cert == NULL) {
+             break;
+@@ -3040,25 +3130,24 @@ static PyObject *
+ cert_store_stats(PySSLContext *self)
+ {
+     X509_STORE *store;
++    STACK_OF(X509_OBJECT) *objs;
+     X509_OBJECT *obj;
+-    int x509 = 0, crl = 0, pkey = 0, ca = 0, i;
++    int x509 = 0, crl = 0, ca = 0, i;
+ 
+     store = SSL_CTX_get_cert_store(self->ctx);
+-    for (i = 0; i < sk_X509_OBJECT_num(store->objs); i++) {
+-        obj = sk_X509_OBJECT_value(store->objs, i);
+-        switch (obj->type) {
++    objs = X509_STORE_get0_objects(store);
++    for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
++        obj = sk_X509_OBJECT_value(objs, i);
++        switch (X509_OBJECT_get_type(obj)) {
+             case X509_LU_X509:
+                 x509++;
+-                if (X509_check_ca(obj->data.x509)) {
++                if (X509_check_ca(X509_OBJECT_get0_X509(obj))) {
+                     ca++;
+                 }
+                 break;
+             case X509_LU_CRL:
+                 crl++;
+                 break;
+-            case X509_LU_PKEY:
+-                pkey++;
+-                break;
+             default:
+                 /* Ignore X509_LU_FAIL, X509_LU_RETRY, X509_LU_PKEY.
+                  * As far as I can tell they are internal states and never
+@@ -3083,6 +3172,7 @@ get_ca_certs(PySSLContext *self, PyObject *args, PyObject *kwds)
+ {
+     char *kwlist[] = {"binary_form", NULL};
+     X509_STORE *store;
++    STACK_OF(X509_OBJECT) *objs;
+     PyObject *ci = NULL, *rlist = NULL;
+     int i;
+     int binary_mode = 0;
+@@ -3097,17 +3187,18 @@ get_ca_certs(PySSLContext *self, PyObject *args, PyObject *kwds)
+     }
+ 
+     store = SSL_CTX_get_cert_store(self->ctx);
+-    for (i = 0; i < sk_X509_OBJECT_num(store->objs); i++) {
++    objs = X509_STORE_get0_objects(store);
++    for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
+         X509_OBJECT *obj;
+         X509 *cert;
+ 
+-        obj = sk_X509_OBJECT_value(store->objs, i);
+-        if (obj->type != X509_LU_X509) {
++        obj = sk_X509_OBJECT_value(objs, i);
++        if (X509_OBJECT_get_type(obj) != X509_LU_X509) {
+             /* not a x509 cert */
+             continue;
+         }
+         /* CA for any purpose */
+-        cert = obj->data.x509;
++        cert = X509_OBJECT_get0_X509(obj);
+         if (!X509_check_ca(cert)) {
+             continue;
+         }
+@@ -3780,10 +3871,12 @@ static PyMethodDef PySSL_methods[] = {
+ };
+ 
+ 
+-#ifdef WITH_THREAD
++#ifdef HAVE_OPENSSL_CRYPTO_LOCK
+ 
+ /* an implementation of OpenSSL threading operations in terms
+-   of the Python C thread library */
++ * of the Python C thread library
++ * Only used up to 1.0.2. OpenSSL 1.1.0+ has its own locking code.
++ */
+ 
+ static PyThread_type_lock *_ssl_locks = NULL;
+ 
+@@ -3864,7 +3957,7 @@ static int _setup_ssl_threads(void) {
+     return 1;
+ }
+ 
+-#endif  /* def HAVE_THREAD */
++#endif  /* HAVE_OPENSSL_CRYPTO_LOCK for WITH_THREAD && OpenSSL < 1.1.0 */
+ 
+ PyDoc_STRVAR(module_doc,
+ "Implementation module for SSL socket operations.  See the socket module\n\
+@@ -3931,11 +4024,16 @@ PyInit__ssl(void)
+     SSL_load_error_strings();
+     SSL_library_init();
+ #ifdef WITH_THREAD
++#ifdef HAVE_OPENSSL_CRYPTO_LOCK
+     /* note that this will start threading if not already started */
+     if (!_setup_ssl_threads()) {
+         return NULL;
+     }
++#elif OPENSSL_VERSION_1_1 && defined(OPENSSL_THREADS)
++    /* OpenSSL 1.1.0 builtin thread support is enabled */
++    _ssl_locks_count++;
+ #endif
++#endif  /* WITH_THREAD */
+     OpenSSL_add_all_algorithms();
+ 
+     /* Add symbols to module dict */
+@@ -4079,7 +4177,9 @@ PyInit__ssl(void)
+                             PY_SSL_VERSION_SSL3);
+ #endif
+     PyModule_AddIntConstant(m, "PROTOCOL_SSLv23",
+-                            PY_SSL_VERSION_SSL23);
++                            PY_SSL_VERSION_TLS);
++    PyModule_AddIntConstant(m, "PROTOCOL_TLS",
++                            PY_SSL_VERSION_TLS);
+     PyModule_AddIntConstant(m, "PROTOCOL_TLSv1",
+                             PY_SSL_VERSION_TLS1);
+ #if HAVE_TLSv1_2
+-- 
+2.24.0
+
diff --git a/dev-lang/python/files/python-3.4.3-ncurses-pkg-config.patch b/dev-lang/python/files/python-3.4.3-ncurses-pkg-config.patch
new file mode 100644
index 0000000..8bfad11
--- /dev/null
+++ b/dev-lang/python/files/python-3.4.3-ncurses-pkg-config.patch
@@ -0,0 +1,13 @@
+do not hardcode /usr/include paths
+
+--- a/configure.ac
++++ b/configure.ac
+@@ -4402,7 +4402,7 @@ fi
+ 
+ # first curses header check
+ ac_save_cppflags="$CPPFLAGS"
+-CPPFLAGS="$CPPFLAGS -I/usr/include/ncursesw"
++CPPFLAGS="$CPPFLAGS `$PKG_CONFIG --cflags ncursesw`"
+ 
+ AC_CHECK_HEADERS(curses.h ncurses.h)
+ 
diff --git a/dev-lang/python/files/python-3.4.5-cross.patch b/dev-lang/python/files/python-3.4.5-cross.patch
new file mode 100644
index 0000000..7a016ff
--- /dev/null
+++ b/dev-lang/python/files/python-3.4.5-cross.patch
@@ -0,0 +1,11 @@
+--- a/Lib/distutils/command/build_ext.py
++++ b/Lib/distutils/command/build_ext.py
+@@ -729,7 +729,7 @@
+             if sysconfig.get_config_var('Py_ENABLE_SHARED'):
+                 pythonlib = 'python{}.{}{}'.format(
+                     sys.hexversion >> 24, (sys.hexversion >> 16) & 0xff,
+-                    sys.abiflags)
++                    sysconfig.get_config_var('ABIFLAGS'))
+                 return ext.libraries + [pythonlib]
+             else:
+                 return ext.libraries
diff --git a/dev-lang/python/files/python-3.5.5-hash-unaligned.patch b/dev-lang/python/files/python-3.5.5-hash-unaligned.patch
new file mode 100644
index 0000000..c418f40
--- /dev/null
+++ b/dev-lang/python/files/python-3.5.5-hash-unaligned.patch
@@ -0,0 +1,43 @@
+The hash implementation casts the input pointer to uint64_t* and directly reads
+from this, which may cause unaligned accesses. Use memcpy() instead so this code
+will not crash with SIGBUS on sparc.
+
+--- a/Python/pyhash.c	2017-11-29 10:21:20.283094068 +0100
++++ b/Python/pyhash.c	2017-11-29 10:24:26.733087813 +0100
+@@ -372,7 +372,7 @@ siphash24(const void *src, Py_ssize_t sr
+     PY_UINT64_T k0 = _le64toh(_Py_HashSecret.siphash.k0);
+     PY_UINT64_T k1 = _le64toh(_Py_HashSecret.siphash.k1);
+     PY_UINT64_T b = (PY_UINT64_T)src_sz << 56;
+-    const PY_UINT64_T *in = (PY_UINT64_T*)src;
++    const PY_UINT8_T *in = (PY_UINT8_T*)src;
+ 
+     PY_UINT64_T v0 = k0 ^ 0x736f6d6570736575ULL;
+     PY_UINT64_T v1 = k1 ^ 0x646f72616e646f6dULL;
+@@ -381,12 +381,14 @@ siphash24(const void *src, Py_ssize_t sr
+ 
+     PY_UINT64_T t;
+     PY_UINT8_T *pt;
+-    PY_UINT8_T *m;
++    const PY_UINT8_T *m;
+ 
+     while (src_sz >= 8) {
+-        PY_UINT64_T mi = _le64toh(*in);
+-        in += 1;
+-        src_sz -= 8;
++        PY_UINT64_T mi;
++        memcpy(&mi, in, sizeof(mi));
++        mi = _le64toh(mi);
++        in += sizeof(mi);
++        src_sz -= sizeof(mi);
+         v3 ^= mi;
+         DOUBLE_ROUND(v0,v1,v2,v3);
+         v0 ^= mi;
+@@ -394,7 +396,7 @@ siphash24(const void *src, Py_ssize_t sr
+ 
+     t = 0;
+     pt = (PY_UINT8_T *)&t;
+-    m = (PY_UINT8_T *)in;
++    m = in;
+     switch (src_sz) {
+         case 7: pt[6] = m[6];
+         case 6: pt[5] = m[5];
diff --git a/dev-lang/python/python-3.4.10.ebuild b/dev-lang/python/python-3.4.10.ebuild
new file mode 100644
index 0000000..10d6002
--- /dev/null
+++ b/dev-lang/python/python-3.4.10.ebuild
@@ -0,0 +1,364 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI="5"
+WANT_LIBTOOL="none"
+
+inherit autotools eutils flag-o-matic multilib pax-utils python-utils-r1 toolchain-funcs multiprocessing
+
+MY_P="Python-${PV/_/}"
+PATCHSET_VERSION="3.4.6-0"
+
+DESCRIPTION="An interpreted, interactive, object-oriented programming language"
+HOMEPAGE="https://www.python.org/"
+SRC_URI="https://www.python.org/ftp/python/${PV%_rc*}/${MY_P}.tar.xz
+	https://dev.gentoo.org/~floppym/python/python-gentoo-patches-${PATCHSET_VERSION}.tar.xz"
+
+LICENSE="PSF-2"
+SLOT="3.4/3.4m"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd"
+IUSE="bluetooth build elibc_uclibc examples gdbm hardened ipv6 libressl +ncurses +readline sqlite +ssl +threads tk wininst +xml"
+
+# Do not add a dependency on dev-lang/python to this ebuild.
+# If you need to apply a patch which requires python for bootstrapping, please
+# run the bootstrap code on your dev box and include the results in the
+# patchset. See bug 447752.
+
+RDEPEND="app-arch/bzip2:0=
+	app-arch/xz-utils:0=
+	>=sys-libs/zlib-1.1.3:0=
+	virtual/libffi:=
+	virtual/libintl
+	gdbm? ( sys-libs/gdbm:0=[berkdb] )
+	ncurses? (
+		>=sys-libs/ncurses-5.2:0=
+		readline? ( >=sys-libs/readline-4.1:0= )
+	)
+	sqlite? ( >=dev-db/sqlite-3.3.8:3= )
+	ssl? (
+		!libressl? ( dev-libs/openssl:0= )
+		libressl? ( dev-libs/libressl:0= )
+	)
+	tk? (
+		>=dev-lang/tcl-8.0:0=
+		>=dev-lang/tk-8.0:0=
+		dev-tcltk/blt:0=
+		dev-tcltk/tix
+	)
+	xml? ( >=dev-libs/expat-2.1:0= )
+	!!<sys-apps/sandbox-2.6-r1"
+# bluetooth requires headers from bluez
+DEPEND="${RDEPEND}
+	bluetooth? ( net-wireless/bluez )
+	virtual/pkgconfig
+	>=sys-devel/autoconf-2.65
+	!sys-devel/gcc[libffi(-)]"
+RDEPEND+=" !build? ( app-misc/mime-types )"
+PDEPEND=">=app-eselect/eselect-python-20140125-r1"
+
+S="${WORKDIR}/${MY_P}"
+
+PYVER=${SLOT%/*}
+
+src_prepare() {
+	# Ensure that internal copies of expat, libffi and zlib are not used.
+	rm -fr Modules/expat
+	rm -fr Modules/_ctypes/libffi*
+	rm -fr Modules/zlib
+
+	if tc-is-cross-compiler; then
+		# Invokes BUILDPYTHON, which is built for the host arch
+		local EPATCH_EXCLUDE="*_regenerate_platform-specific_modules.patch"
+	fi
+
+	EPATCH_SUFFIX="patch" epatch "${WORKDIR}/patches"
+	epatch "${FILESDIR}/${PN}-3.4.3-ncurses-pkg-config.patch"
+	epatch "${FILESDIR}/${PN}-3.4.5-cross.patch"
+	epatch "${FILESDIR}/3.4-getentropy-linux.patch"
+	epatch "${FILESDIR}/3.6-disable-nis.patch"
+	epatch "${FILESDIR}/python-3.5.5-hash-unaligned.patch"
+	epatch "${FILESDIR}/python-3.4.10-openssl11.patch"
+
+	epatch_user
+
+	sed -i -e "s:@@GENTOO_LIBDIR@@:$(get_libdir):g" \
+		configure.ac \
+		Lib/distutils/command/install.py \
+		Lib/distutils/sysconfig.py \
+		Lib/site.py \
+		Lib/sysconfig.py \
+		Lib/test/test_site.py \
+		Makefile.pre.in \
+		Modules/Setup.dist \
+		Modules/getpath.c \
+		setup.py || die "sed failed to replace @@GENTOO_LIBDIR@@"
+
+	eautoreconf
+}
+
+src_configure() {
+	local disable
+	# disable automagic bluetooth headers detection
+	use bluetooth || export ac_cv_header_bluetooth_bluetooth_h=no
+	use gdbm     || disable+=" gdbm"
+	use ncurses  || disable+=" _curses _curses_panel"
+	use readline || disable+=" readline"
+	use sqlite   || disable+=" _sqlite3"
+	use ssl      || export PYTHON_DISABLE_SSL="1"
+	use tk       || disable+=" _tkinter"
+	use xml      || disable+=" _elementtree pyexpat" # _elementtree uses pyexpat.
+	export PYTHON_DISABLE_MODULES="${disable}"
+
+	if ! use xml; then
+		ewarn "You have configured Python without XML support."
+		ewarn "This is NOT a recommended configuration as you"
+		ewarn "may face problems parsing any XML documents."
+	fi
+
+	if [[ -n "${PYTHON_DISABLE_MODULES}" ]]; then
+		einfo "Disabled modules: ${PYTHON_DISABLE_MODULES}"
+	fi
+
+	if [[ "$(gcc-major-version)" -ge 4 ]]; then
+		append-flags -fwrapv
+	fi
+
+	filter-flags -malign-double
+
+	# https://bugs.gentoo.org/show_bug.cgi?id=50309
+	if is-flagq -O3; then
+		is-flagq -fstack-protector-all && replace-flags -O3 -O2
+		use hardened && replace-flags -O3 -O2
+	fi
+
+	# Export CXX so it ends up in /usr/lib/python3.X/config/Makefile.
+	tc-export CXX
+
+	# The configure script fails to use pkg-config correctly.
+	# http://bugs.python.org/issue15506
+	export ac_cv_path_PKG_CONFIG=$(tc-getPKG_CONFIG)
+
+	# Set LDFLAGS so we link modules with -lpython3.2 correctly.
+	# Needed on FreeBSD unless Python 3.2 is already installed.
+	# Please query BSD team before removing this!
+	append-ldflags "-L."
+
+	local dbmliborder
+	if use gdbm; then
+		dbmliborder+="${dbmliborder:+:}gdbm"
+	fi
+
+	BUILD_DIR="${WORKDIR}/${CHOST}"
+	mkdir -p "${BUILD_DIR}" || die
+	cd "${BUILD_DIR}" || die
+
+	ECONF_SOURCE="${S}" OPT="" \
+	econf \
+		--with-fpectl \
+		--enable-shared \
+		$(use_enable ipv6) \
+		$(use_with threads) \
+		--infodir='${prefix}/share/info' \
+		--mandir='${prefix}/share/man' \
+		--with-computed-gotos \
+		--with-dbmliborder="${dbmliborder}" \
+		--with-libc="" \
+		--enable-loadable-sqlite-extensions \
+		--with-system-expat \
+		--with-system-ffi \
+		--without-ensurepip
+
+	if use threads && grep -q "#define POSIX_SEMAPHORES_NOT_ENABLED 1" pyconfig.h; then
+		eerror "configure has detected that the sem_open function is broken."
+		eerror "Please ensure that /dev/shm is mounted as a tmpfs with mode 1777."
+		die "Broken sem_open function (bug 496328)"
+	fi
+}
+
+src_compile() {
+	# Ensure sed works as expected
+	# https://bugs.gentoo.org/594768
+	local -x LC_ALL=C
+
+	# Avoid invoking pgen for cross-compiles.
+	touch Include/graminit.h Python/graminit.c || die
+
+	cd "${BUILD_DIR}" || die
+
+	emake CPPFLAGS= CFLAGS= LDFLAGS=
+
+	# Work around bug 329499. See also bug 413751 and 457194.
+	if has_version dev-libs/libffi[pax_kernel]; then
+		pax-mark E python
+	else
+		pax-mark m python
+	fi
+}
+
+src_test() {
+	# Tests will not work when cross compiling.
+	if tc-is-cross-compiler; then
+		elog "Disabling tests due to crosscompiling."
+		return
+	fi
+
+	cd "${BUILD_DIR}" || die
+
+	# Skip failing tests.
+	local skipped_tests="gdb"
+
+	for test in ${skipped_tests}; do
+		mv "${S}"/Lib/test/test_${test}.py "${T}"
+	done
+
+	local -x PYTHONDONTWRITEBYTECODE=
+	emake test EXTRATESTOPTS="-u-network" CPPFLAGS= CFLAGS= LDFLAGS= < /dev/tty
+	local result=$?
+
+	for test in ${skipped_tests}; do
+		mv "${T}/test_${test}.py" "${S}"/Lib/test
+	done
+
+	elog "The following tests have been skipped:"
+	for test in ${skipped_tests}; do
+		elog "test_${test}.py"
+	done
+
+	elog "If you would like to run them, you may:"
+	elog "cd '${EPREFIX}/usr/$(get_libdir)/python${PYVER}/test'"
+	elog "and run the tests separately."
+
+	if [[ ${result} -ne 0 ]]; then
+		die "emake test failed"
+	fi
+}
+
+src_install() {
+	local libdir=${ED}/usr/$(get_libdir)/python${PYVER}
+
+	cd "${BUILD_DIR}" || die
+
+	emake DESTDIR="${D}" altinstall
+
+	sed \
+		-e "s/\(CONFIGURE_LDFLAGS=\).*/\1/" \
+		-e "s/\(PY_LDFLAGS=\).*/\1/" \
+		-i "${libdir}/config-${PYVER}"*/Makefile || die "sed failed"
+
+	# Fix collisions between different slots of Python.
+	rm -f "${ED}usr/$(get_libdir)/libpython3.so"
+
+	# Cheap hack to get version with ABIFLAGS
+	local abiver=$(cd "${ED}usr/include"; echo python*)
+	if [[ ${abiver} != python${PYVER} ]]; then
+		# Replace python3.X with a symlink to python3.Xm
+		rm "${ED}usr/bin/python${PYVER}" || die
+		dosym "${abiver}" "/usr/bin/python${PYVER}"
+		# Create python3.X-config symlink
+		dosym "${abiver}-config" "/usr/bin/python${PYVER}-config"
+		# Create python-3.5m.pc symlink
+		dosym "python-${PYVER}.pc" "/usr/$(get_libdir)/pkgconfig/${abiver/${PYVER}/-${PYVER}}.pc"
+	fi
+
+	use elibc_uclibc && rm -fr "${libdir}/test"
+	use sqlite || rm -fr "${libdir}/"{sqlite3,test/test_sqlite*}
+	use tk || rm -fr "${ED}usr/bin/idle${PYVER}" "${libdir}/"{idlelib,tkinter,test/test_tk*}
+
+	use threads || rm -fr "${libdir}/multiprocessing"
+	use wininst || rm -f "${libdir}/distutils/command/"wininst-*.exe
+
+	dodoc "${S}"/Misc/{ACKS,HISTORY,NEWS}
+
+	if use examples; then
+		insinto /usr/share/doc/${PF}/examples
+		find "${S}"/Tools -name __pycache__ -print0 | xargs -0 rm -fr
+		doins -r "${S}"/Tools
+	fi
+	insinto /usr/share/gdb/auto-load/usr/$(get_libdir) #443510
+	local libname=$(printf 'e:\n\t@echo $(INSTSONAME)\ninclude Makefile\n' | \
+		emake --no-print-directory -s -f - 2>/dev/null)
+	newins "${S}"/Tools/gdb/libpython.py "${libname}"-gdb.py
+
+	newconfd "${FILESDIR}/pydoc.conf" pydoc-${PYVER}
+	newinitd "${FILESDIR}/pydoc.init" pydoc-${PYVER}
+	sed \
+		-e "s:@PYDOC_PORT_VARIABLE@:PYDOC${PYVER/./_}_PORT:" \
+		-e "s:@PYDOC@:pydoc${PYVER}:" \
+		-i "${ED}etc/conf.d/pydoc-${PYVER}" "${ED}etc/init.d/pydoc-${PYVER}" || die "sed failed"
+
+	# for python-exec
+	local vars=( EPYTHON PYTHON_SITEDIR PYTHON_SCRIPTDIR )
+
+	# if not using a cross-compiler, use the fresh binary
+	if ! tc-is-cross-compiler; then
+		local -x PYTHON=./python
+		local -x LD_LIBRARY_PATH=${LD_LIBRARY_PATH+${LD_LIBRARY_PATH}:}${PWD}
+	else
+		vars=( PYTHON "${vars[@]}" )
+	fi
+
+	python_export "python${PYVER}" "${vars[@]}"
+	echo "EPYTHON='${EPYTHON}'" > epython.py || die
+	python_domodule epython.py
+
+	# python-exec wrapping support
+	local pymajor=${PYVER%.*}
+	mkdir -p "${D}${PYTHON_SCRIPTDIR}" || die
+	# python and pythonX
+	ln -s "../../../bin/${abiver}" \
+		"${D}${PYTHON_SCRIPTDIR}/python${pymajor}" || die
+	ln -s "python${pymajor}" \
+		"${D}${PYTHON_SCRIPTDIR}/python" || die
+	# python-config and pythonX-config
+	# note: we need to create a wrapper rather than symlinking it due
+	# to some random dirname(argv[0]) magic performed by python-config
+	cat > "${D}${PYTHON_SCRIPTDIR}/python${pymajor}-config" <<-EOF || die
+		#!/bin/sh
+		exec "${abiver}-config" "\${@}"
+	EOF
+	chmod +x "${D}${PYTHON_SCRIPTDIR}/python${pymajor}-config" || die
+	ln -s "python${pymajor}-config" \
+		"${D}${PYTHON_SCRIPTDIR}/python-config" || die
+	# 2to3, pydoc, pyvenv
+	ln -s "../../../bin/2to3-${PYVER}" \
+		"${D}${PYTHON_SCRIPTDIR}/2to3" || die
+	ln -s "../../../bin/pydoc${PYVER}" \
+		"${D}${PYTHON_SCRIPTDIR}/pydoc" || die
+	ln -s "../../../bin/pyvenv-${PYVER}" \
+		"${D}${PYTHON_SCRIPTDIR}/pyvenv" || die
+	# idle
+	if use tk; then
+		ln -s "../../../bin/idle${PYVER}" \
+			"${D}${PYTHON_SCRIPTDIR}/idle" || die
+	fi
+}
+
+pkg_preinst() {
+	if has_version "<${CATEGORY}/${PN}-${PYVER}" && ! has_version ">=${CATEGORY}/${PN}-${PYVER}_alpha"; then
+		python_updater_warning="1"
+	fi
+}
+
+eselect_python_update() {
+	if [[ -z "$(eselect python show)" || ! -f "${EROOT}usr/bin/$(eselect python show)" ]]; then
+		eselect python update
+	fi
+
+	if [[ -z "$(eselect python show --python${PV%%.*})" || ! -f "${EROOT}usr/bin/$(eselect python show --python${PV%%.*})" ]]; then
+		eselect python update --python${PV%%.*}
+	fi
+}
+
+pkg_postinst() {
+	eselect_python_update
+
+	if [[ "${python_updater_warning}" == "1" ]]; then
+		ewarn "You have just upgraded from an older version of Python."
+		ewarn
+		ewarn "Please adjust PYTHON_TARGETS (if so desired), and run emerge with the --newuse or --changed-use option to rebuild packages installing python modules."
+	fi
+}
+
+pkg_postrm() {
+	eselect_python_update
+}
-- 
cgit v1.2.3-65-gdbad