From: Konstantin Demin Date: Thu, 9 Jul 2026 11:07:20 +0000 (+0300) Subject: dropbear: bump to 2026.92 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=49096a9c4867d3f37fd4d98b283331a30d264aaf;p=thirdparty%2Fopenwrt.git dropbear: bump to 2026.92 - update dropbear to latest stable 2026.92; for the changes see https://matt.ucc.asn.au/dropbear/CHANGES - remove previously cherry-picked patches - cherry-pick upstream patches: - avoid out-of-bounds read matching ecdsa curve identifier - automatically refresh patches Signed-off-by: Konstantin Demin Link: https://github.com/openwrt/openwrt/pull/24113 Signed-off-by: Jonas Jelonek --- diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index db06bbf2bf7..cc8982e47e2 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -8,14 +8,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dropbear -PKG_VERSION:=2026.91 +PKG_VERSION:=2026.92 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:= \ https://matt.ucc.asn.au/dropbear/releases/ \ https://dropbear.nl/mirror/releases/ -PKG_HASH:=defa924475abf6bc1e74abc00173e46bfdc804bd47caafa14f5a4ef0cc76da34 +PKG_HASH:=91dcb5234de8dea68dd82c55411c9fc986b457ab58372a780ee8a870419c2f7e PKG_LICENSE:=MIT PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE @@ -118,12 +118,15 @@ CONFIGURE_ARGS += \ # - IDENT_VERSION_PART # disable unused functionality: # - DO_MOTD +# enable (deprecated) 2FA in server: +# - DEPRECATED_TWO_FACTOR DB_OPT_COMMON = \ IDENT_VERSION_PART,"" \ COMPAT_USER_SHELLS,"/bin/ash","/bin/sh" \ DEFAULT_PATH,"$(TARGET_INIT_PATH)" \ DEFAULT_ROOT_PATH,"$(TARGET_INIT_PATH)" \ + DEPRECATED_TWO_FACTOR,1 \ DO_MOTD,0 \ AUTH_TIMEOUT,$(CONFIG_DROPBEAR_AUTH_TIMEOUT) \ DEBUG_TRACE,$(CONFIG_DROPBEAR_DEBUG_TRACE) \ @@ -156,9 +159,6 @@ DB_OPT_COMMON = \ DB_OPT_CONFIG = \ !!DROPBEAR_CLI_MULTIHOP,CONFIG_DROPBEAR_CLI_MULTIHOP,1,0 \ - !!DROPBEAR_ECC_256,CONFIG_DROPBEAR_ECC_256,1,0 \ - !!DROPBEAR_ECC_384,CONFIG_DROPBEAR_ECC_384,1,0 \ - !!DROPBEAR_ECC_521,CONFIG_DROPBEAR_ECC_521,1,0 \ DO_HOST_LOOKUP,CONFIG_DROPBEAR_DO_HOST_LOOKUP,1,0 \ DROPBEAR_3DES,CONFIG_DROPBEAR_3DES,1,0 \ DROPBEAR_AES128,CONFIG_DROPBEAR_AES128,1,0 \ @@ -179,6 +179,9 @@ DB_OPT_CONFIG = \ DROPBEAR_DH_GROUP14_SHA256,CONFIG_DROPBEAR_DH_GROUP14_SHA256,1,0 \ DROPBEAR_DH_GROUP16,CONFIG_DROPBEAR_DH_GROUP16,1,0 \ DROPBEAR_DSS,CONFIG_DROPBEAR_DSS,1,0 \ + DROPBEAR_ECC_256,CONFIG_DROPBEAR_ECC_256,1,0 \ + DROPBEAR_ECC_384,CONFIG_DROPBEAR_ECC_384,1,0 \ + DROPBEAR_ECC_521,CONFIG_DROPBEAR_ECC_521,1,0 \ DROPBEAR_ECDH,CONFIG_DROPBEAR_ECDH,1,0 \ DROPBEAR_ECDSA,CONFIG_DROPBEAR_ECDSA,1,0 \ DROPBEAR_ED25519,CONFIG_DROPBEAR_ED25519,1,0 \ diff --git a/package/network/services/dropbear/patches/001-avoid-out-of-bounds-read-matching-ecdsa-curve-identi.patch b/package/network/services/dropbear/patches/001-avoid-out-of-bounds-read-matching-ecdsa-curve-identi.patch new file mode 100644 index 00000000000..4dd2292bba4 --- /dev/null +++ b/package/network/services/dropbear/patches/001-avoid-out-of-bounds-read-matching-ecdsa-curve-identi.patch @@ -0,0 +1,20 @@ +From cfedf9889222e44b2a31ecc14a289b7d0d86c563 Mon Sep 17 00:00:00 2001 +From: basavaraj-sm05 +Date: Tue, 7 Jul 2026 13:05:32 +0530 +Subject: avoid out-of-bounds read matching ecdsa curve identifier + +--- + src/ecdsa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/src/ecdsa.c ++++ b/src/ecdsa.c +@@ -103,7 +103,7 @@ ecc_key *buf_get_ecdsa_pub_key(buffer* b + } + + for (curve = dropbear_ecc_curves; *curve; curve++) { +- if (memcmp(identifier, (char*)(*curve)->name, strlen((char*)(*curve)->name)) == 0) { ++ if (strcmp((char*)identifier, (*curve)->name) == 0) { + break; + } + } diff --git a/package/network/services/dropbear/patches/001-sntrup-Fix-64-bit-literals.patch b/package/network/services/dropbear/patches/001-sntrup-Fix-64-bit-literals.patch deleted file mode 100644 index b7db20e1ba6..00000000000 --- a/package/network/services/dropbear/patches/001-sntrup-Fix-64-bit-literals.patch +++ /dev/null @@ -1,27 +0,0 @@ -From b487b111d0cf735c640e6668aa888f7da4e78b3c Mon Sep 17 00:00:00 2001 -From: Matt Johnston -Date: Mon, 11 May 2026 20:43:50 +0800 -Subject: sntrup: Fix 64-bit literals - -Avoids warning on 32-bit platform - -src/sntrup761.c:1643: warning: integer constant is too large for 'long' type ---- - src/sntrup761.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - ---- a/src/sntrup761.c -+++ b/src/sntrup761.c -@@ -1640,9 +1640,9 @@ __attribute__((unused)) - static inline - int crypto_int64_ones_num(crypto_int64 crypto_int64_x) { - crypto_int64_unsigned crypto_int64_y = crypto_int64_x; -- const crypto_int64 C0 = 0x5555555555555555; -- const crypto_int64 C1 = 0x3333333333333333; -- const crypto_int64 C2 = 0x0f0f0f0f0f0f0f0f; -+ const crypto_int64 C0 = INT64_C(0x5555555555555555); -+ const crypto_int64 C1 = INT64_C(0x3333333333333333); -+ const crypto_int64 C2 = INT64_C(0x0f0f0f0f0f0f0f0f); - crypto_int64_y -= ((crypto_int64_y >> 1) & C0); - crypto_int64_y = (crypto_int64_y & C1) + ((crypto_int64_y >> 2) & C1); - crypto_int64_y = (crypto_int64_y + (crypto_int64_y >> 4)) & C2; diff --git a/package/network/services/dropbear/patches/002-Increase-MAX_HOSTKEYS-to-6.patch b/package/network/services/dropbear/patches/002-Increase-MAX_HOSTKEYS-to-6.patch deleted file mode 100644 index 43121ae0a3b..00000000000 --- a/package/network/services/dropbear/patches/002-Increase-MAX_HOSTKEYS-to-6.patch +++ /dev/null @@ -1,23 +0,0 @@ -From a05569c6124006bd9b4823db30e824953c5024de Mon Sep 17 00:00:00 2001 -From: Matt Johnston -Date: Wed, 13 May 2026 08:40:17 +0800 -Subject: Increase MAX_HOSTKEYS to 6 - -This allows all key types to be loaded at once, including different -ecdsa sizes. -Suggested by Darren Tucker. ---- - src/sysoptions.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - ---- a/src/sysoptions.h -+++ b/src/sysoptions.h -@@ -283,7 +283,7 @@ - #define MAX_KEX_PARTS 1000 - #endif - --#define MAX_HOSTKEYS 4 -+#define MAX_HOSTKEYS 6 - - /* The maximum size of the bignum portion of the kexhash buffer */ - /* K_S + Q_C + Q_S + K */ diff --git a/package/network/services/dropbear/patches/003-Fix-too-low-pubkey-key-query-count.patch b/package/network/services/dropbear/patches/003-Fix-too-low-pubkey-key-query-count.patch deleted file mode 100644 index b64799bf025..00000000000 --- a/package/network/services/dropbear/patches/003-Fix-too-low-pubkey-key-query-count.patch +++ /dev/null @@ -1,33 +0,0 @@ -From ee65bff1567576a223febcdd5ae552326a4da4b1 Mon Sep 17 00:00:00 2001 -From: Matt Johnston -Date: Tue, 19 May 2026 19:03:39 +0800 -Subject: Fix too-low pubkey key query count - -Dropbear 2026.90 added a limit to the number of queries that could be -made to a server when determining usable keys. This was intended to be -set to 15 (MAX_PUBKEY_QUERIES) but the logic was incorrect (and also -debug code was accidentally committed). This meant only 10 (default -MAX_AUTH_TRIES/-T) tried keys would be allowed - not a huge difference. - -Reported by Rui Salvaterra - -Fixes: db0d3fd0a9e9 ("Limit server number of public key queries") ---- - src/svr-authpubkey.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - ---- a/src/svr-authpubkey.c -+++ b/src/svr-authpubkey.c -@@ -173,9 +173,9 @@ void svr_auth_pubkey(int valid_user) { - * Start counting failures (incrfail) only when it's reaching - * the limit. - */ -- unsigned int free_query_limit = 0; -- MAX(0, (int)svr_opts.maxauthtries - MAX_PUBKEY_QUERIES); -- int incrfail = ses.authstate.serv_pubkey_query_count > free_query_limit; -+ unsigned int free_query_limit = -+ MAX(0, MAX_PUBKEY_QUERIES - (int)svr_opts.maxauthtries); -+ int incrfail = ses.authstate.serv_pubkey_query_count >= free_query_limit; - send_msg_userauth_failure(0, incrfail); - ses.authstate.serv_pubkey_query_count++; - goto out; diff --git a/package/network/services/dropbear/patches/100-pubkey_path.patch b/package/network/services/dropbear/patches/100-pubkey_path.patch index fd1ba4c86cd..d6822a07bd9 100644 --- a/package/network/services/dropbear/patches/100-pubkey_path.patch +++ b/package/network/services/dropbear/patches/100-pubkey_path.patch @@ -3,7 +3,7 @@ --- a/src/svr-authpubkey.c +++ b/src/svr-authpubkey.c -@@ -80,6 +80,39 @@ static void send_msg_userauth_pk_ok(cons +@@ -84,6 +84,39 @@ static void send_msg_userauth_pk_ok(cons const unsigned char* keyblob, unsigned int keybloblen); static int checkfileperm(char * filename); @@ -43,7 +43,7 @@ /* process a pubkey auth request, sending success or failure message as * appropriate */ void svr_auth_pubkey(int valid_user) { -@@ -459,16 +492,22 @@ out: +@@ -463,16 +496,22 @@ out: static char *authorized_keys_filepath() { size_t len = 0; char *pathname = NULL, *dir = NULL; @@ -69,7 +69,7 @@ m_free(dir); return pathname; } -@@ -572,11 +611,23 @@ out: +@@ -576,11 +615,23 @@ out: * When this path is inside the user's home dir it checks up to and including * the home dir, otherwise it checks every path component. */ static int checkpubkeyperms() { diff --git a/package/network/services/dropbear/patches/140-disable_assert.patch b/package/network/services/dropbear/patches/140-disable_assert.patch index 6c3811be5cb..de8735f0c00 100644 --- a/package/network/services/dropbear/patches/140-disable_assert.patch +++ b/package/network/services/dropbear/patches/140-disable_assert.patch @@ -1,6 +1,6 @@ --- a/src/dbutil.h +++ b/src/dbutil.h -@@ -81,7 +81,11 @@ int m_snprintf(char *str, size_t size, c +@@ -83,7 +83,11 @@ void cleantext(char* dirtytext, int allo #define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL} /* Dropbear assertion */