]> git.ipfire.org Git - thirdparty/openwrt.git/commitdiff
dropbear: bump to 2026.92 24113/head
authorKonstantin Demin <rockdrilla@gmail.com>
Thu, 9 Jul 2026 11:07:20 +0000 (14:07 +0300)
committerJonas Jelonek <jelonek.jonas@gmail.com>
Tue, 14 Jul 2026 21:37:42 +0000 (23:37 +0200)
- update dropbear to latest stable 2026.92;
  for the changes see https://matt.ucc.asn.au/dropbear/CHANGES
- remove previously cherry-picked patches
- cherry-pick upstream patches:
  - avoid out-of-bounds read matching ecdsa curve identifier
- automatically refresh patches

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/24113
Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
package/network/services/dropbear/Makefile
package/network/services/dropbear/patches/001-avoid-out-of-bounds-read-matching-ecdsa-curve-identi.patch [new file with mode: 0644]
package/network/services/dropbear/patches/001-sntrup-Fix-64-bit-literals.patch [deleted file]
package/network/services/dropbear/patches/002-Increase-MAX_HOSTKEYS-to-6.patch [deleted file]
package/network/services/dropbear/patches/003-Fix-too-low-pubkey-key-query-count.patch [deleted file]
package/network/services/dropbear/patches/100-pubkey_path.patch
package/network/services/dropbear/patches/140-disable_assert.patch

index db06bbf2bf779290906e4cd02135e3bae0647015..cc8982e47e28dc501c3b859c6e7e33eb480666f6 100644 (file)
@@ -8,14 +8,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dropbear
-PKG_VERSION:=2026.91
+PKG_VERSION:=2026.92
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
        https://matt.ucc.asn.au/dropbear/releases/ \
        https://dropbear.nl/mirror/releases/
-PKG_HASH:=defa924475abf6bc1e74abc00173e46bfdc804bd47caafa14f5a4ef0cc76da34
+PKG_HASH:=91dcb5234de8dea68dd82c55411c9fc986b457ab58372a780ee8a870419c2f7e
 
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
@@ -118,12 +118,15 @@ CONFIGURE_ARGS += \
 # - IDENT_VERSION_PART
 # disable unused functionality:
 # - DO_MOTD
+# enable (deprecated) 2FA in server:
+# - DEPRECATED_TWO_FACTOR
 
 DB_OPT_COMMON = \
        IDENT_VERSION_PART,"" \
        COMPAT_USER_SHELLS,"/bin/ash","/bin/sh" \
        DEFAULT_PATH,"$(TARGET_INIT_PATH)" \
        DEFAULT_ROOT_PATH,"$(TARGET_INIT_PATH)" \
+       DEPRECATED_TWO_FACTOR,1 \
        DO_MOTD,0 \
        AUTH_TIMEOUT,$(CONFIG_DROPBEAR_AUTH_TIMEOUT) \
        DEBUG_TRACE,$(CONFIG_DROPBEAR_DEBUG_TRACE) \
@@ -156,9 +159,6 @@ DB_OPT_COMMON = \
 
 DB_OPT_CONFIG = \
        !!DROPBEAR_CLI_MULTIHOP,CONFIG_DROPBEAR_CLI_MULTIHOP,1,0 \
-       !!DROPBEAR_ECC_256,CONFIG_DROPBEAR_ECC_256,1,0 \
-       !!DROPBEAR_ECC_384,CONFIG_DROPBEAR_ECC_384,1,0 \
-       !!DROPBEAR_ECC_521,CONFIG_DROPBEAR_ECC_521,1,0 \
        DO_HOST_LOOKUP,CONFIG_DROPBEAR_DO_HOST_LOOKUP,1,0 \
        DROPBEAR_3DES,CONFIG_DROPBEAR_3DES,1,0 \
        DROPBEAR_AES128,CONFIG_DROPBEAR_AES128,1,0 \
@@ -179,6 +179,9 @@ DB_OPT_CONFIG = \
        DROPBEAR_DH_GROUP14_SHA256,CONFIG_DROPBEAR_DH_GROUP14_SHA256,1,0 \
        DROPBEAR_DH_GROUP16,CONFIG_DROPBEAR_DH_GROUP16,1,0 \
        DROPBEAR_DSS,CONFIG_DROPBEAR_DSS,1,0 \
+       DROPBEAR_ECC_256,CONFIG_DROPBEAR_ECC_256,1,0 \
+       DROPBEAR_ECC_384,CONFIG_DROPBEAR_ECC_384,1,0 \
+       DROPBEAR_ECC_521,CONFIG_DROPBEAR_ECC_521,1,0 \
        DROPBEAR_ECDH,CONFIG_DROPBEAR_ECDH,1,0 \
        DROPBEAR_ECDSA,CONFIG_DROPBEAR_ECDSA,1,0 \
        DROPBEAR_ED25519,CONFIG_DROPBEAR_ED25519,1,0 \
diff --git a/package/network/services/dropbear/patches/001-avoid-out-of-bounds-read-matching-ecdsa-curve-identi.patch b/package/network/services/dropbear/patches/001-avoid-out-of-bounds-read-matching-ecdsa-curve-identi.patch
new file mode 100644 (file)
index 0000000..4dd2292
--- /dev/null
@@ -0,0 +1,20 @@
+From cfedf9889222e44b2a31ecc14a289b7d0d86c563 Mon Sep 17 00:00:00 2001
+From: basavaraj-sm05 <basavaraj@digiscrypt.com>
+Date: Tue, 7 Jul 2026 13:05:32 +0530
+Subject: avoid out-of-bounds read matching ecdsa curve identifier
+
+---
+ src/ecdsa.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/ecdsa.c
++++ b/src/ecdsa.c
+@@ -103,7 +103,7 @@ ecc_key *buf_get_ecdsa_pub_key(buffer* b
+       }
+       for (curve = dropbear_ecc_curves; *curve; curve++) {
+-              if (memcmp(identifier, (char*)(*curve)->name, strlen((char*)(*curve)->name)) == 0) {
++              if (strcmp((char*)identifier, (*curve)->name) == 0) {
+                       break;
+               }
+       }
diff --git a/package/network/services/dropbear/patches/001-sntrup-Fix-64-bit-literals.patch b/package/network/services/dropbear/patches/001-sntrup-Fix-64-bit-literals.patch
deleted file mode 100644 (file)
index b7db20e..0000000
+++ /dev/null
@@ -1,27 +0,0 @@
-From b487b111d0cf735c640e6668aa888f7da4e78b3c Mon Sep 17 00:00:00 2001
-From: Matt Johnston <matt@ucc.asn.au>
-Date: Mon, 11 May 2026 20:43:50 +0800
-Subject: sntrup: Fix 64-bit literals
-
-Avoids warning on 32-bit platform
-
-src/sntrup761.c:1643: warning: integer constant is too large for 'long' type
----
- src/sntrup761.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
---- a/src/sntrup761.c
-+++ b/src/sntrup761.c
-@@ -1640,9 +1640,9 @@ __attribute__((unused))
- static inline
- int crypto_int64_ones_num(crypto_int64 crypto_int64_x) {
-   crypto_int64_unsigned crypto_int64_y = crypto_int64_x;
--  const crypto_int64 C0 = 0x5555555555555555;
--  const crypto_int64 C1 = 0x3333333333333333;
--  const crypto_int64 C2 = 0x0f0f0f0f0f0f0f0f;
-+  const crypto_int64 C0 = INT64_C(0x5555555555555555);
-+  const crypto_int64 C1 = INT64_C(0x3333333333333333);
-+  const crypto_int64 C2 = INT64_C(0x0f0f0f0f0f0f0f0f);
-   crypto_int64_y -= ((crypto_int64_y >> 1) & C0);
-   crypto_int64_y = (crypto_int64_y & C1) + ((crypto_int64_y >> 2) & C1);
-   crypto_int64_y = (crypto_int64_y + (crypto_int64_y >> 4)) & C2;
diff --git a/package/network/services/dropbear/patches/002-Increase-MAX_HOSTKEYS-to-6.patch b/package/network/services/dropbear/patches/002-Increase-MAX_HOSTKEYS-to-6.patch
deleted file mode 100644 (file)
index 43121ae..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-From a05569c6124006bd9b4823db30e824953c5024de Mon Sep 17 00:00:00 2001
-From: Matt Johnston <matt@ucc.asn.au>
-Date: Wed, 13 May 2026 08:40:17 +0800
-Subject: Increase MAX_HOSTKEYS to 6
-
-This allows all key types to be loaded at once, including different
-ecdsa sizes.
-Suggested by Darren Tucker.
----
- src/sysoptions.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/src/sysoptions.h
-+++ b/src/sysoptions.h
-@@ -283,7 +283,7 @@
- #define MAX_KEX_PARTS 1000
- #endif
--#define MAX_HOSTKEYS 4
-+#define MAX_HOSTKEYS 6
- /* The maximum size of the bignum portion of the kexhash buffer */
- /* K_S + Q_C + Q_S + K */
diff --git a/package/network/services/dropbear/patches/003-Fix-too-low-pubkey-key-query-count.patch b/package/network/services/dropbear/patches/003-Fix-too-low-pubkey-key-query-count.patch
deleted file mode 100644 (file)
index b64799b..0000000
+++ /dev/null
@@ -1,33 +0,0 @@
-From ee65bff1567576a223febcdd5ae552326a4da4b1 Mon Sep 17 00:00:00 2001
-From: Matt Johnston <matt@ucc.asn.au>
-Date: Tue, 19 May 2026 19:03:39 +0800
-Subject: Fix too-low pubkey key query count
-
-Dropbear 2026.90 added a limit to the number of queries that could be
-made to a server when determining usable keys. This was intended to be
-set to 15 (MAX_PUBKEY_QUERIES) but the logic was incorrect (and also
-debug code was accidentally committed). This meant only 10 (default
-MAX_AUTH_TRIES/-T) tried keys would be allowed - not a huge difference.
-
-Reported by Rui Salvaterra
-
-Fixes: db0d3fd0a9e9 ("Limit server number of public key queries")
----
- src/svr-authpubkey.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
---- a/src/svr-authpubkey.c
-+++ b/src/svr-authpubkey.c
-@@ -173,9 +173,9 @@ void svr_auth_pubkey(int valid_user) {
-                * Start counting failures (incrfail) only when it's reaching
-                * the limit.
-                */
--              unsigned int free_query_limit = 0;
--                      MAX(0, (int)svr_opts.maxauthtries - MAX_PUBKEY_QUERIES);
--              int incrfail = ses.authstate.serv_pubkey_query_count > free_query_limit;
-+              unsigned int free_query_limit =
-+                      MAX(0, MAX_PUBKEY_QUERIES - (int)svr_opts.maxauthtries);
-+              int incrfail = ses.authstate.serv_pubkey_query_count >= free_query_limit;
-               send_msg_userauth_failure(0, incrfail);
-               ses.authstate.serv_pubkey_query_count++;
-               goto out;
index fd1ba4c86cd7d31a767a69b5c229f7a021d7060c..d6822a07bd92128e3ef02a0062a067498a944f03 100644 (file)
@@ -3,7 +3,7 @@
 
 --- a/src/svr-authpubkey.c
 +++ b/src/svr-authpubkey.c
-@@ -80,6 +80,39 @@ static void send_msg_userauth_pk_ok(cons
+@@ -84,6 +84,39 @@ static void send_msg_userauth_pk_ok(cons
                const unsigned char* keyblob, unsigned int keybloblen);
  static int checkfileperm(char * filename);
  
@@ -43,7 +43,7 @@
  /* process a pubkey auth request, sending success or failure message as
   * appropriate */
  void svr_auth_pubkey(int valid_user) {
-@@ -459,16 +492,22 @@ out:
+@@ -463,16 +496,22 @@ out:
  static char *authorized_keys_filepath() {
        size_t len = 0;
        char *pathname = NULL, *dir = NULL;
@@ -69,7 +69,7 @@
        m_free(dir);
        return pathname;
  }
-@@ -572,11 +611,23 @@ out:
+@@ -576,11 +615,23 @@ out:
   * When this path is inside the user's home dir it checks up to and including
   * the home dir, otherwise it checks every path component. */
  static int checkpubkeyperms() {
index 6c3811be5cb0cadae28e08eb5fd368e29e4e47a9..de8735f0c004bcb92aa474bf7ff29c15a663216f 100644 (file)
@@ -1,6 +1,6 @@
 --- a/src/dbutil.h
 +++ b/src/dbutil.h
-@@ -81,7 +81,11 @@ int m_snprintf(char *str, size_t size, c
+@@ -83,7 +83,11 @@ void cleantext(char* dirtytext, int allo
  #define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
  
  /* Dropbear assertion */