dropbear: bump to 2026.91
authorKonstantin Demin <rockdrilla@gmail.com>
Tue, 19 May 2026 13:38:13 +0000 (16:38 +0300)
committerHauke Mehrtens <hauke@hauke-m.de>
Wed, 27 May 2026 23:19:35 +0000 (01:19 +0200)
- update dropbear to latest stable 2026.91;
  for the changes see https://matt.ucc.asn.au/dropbear/CHANGES
- cherry-pick upstream patches:
  - sntrup: Fix 64-bit literals
  - Increase MAX_HOSTKEYS to 6
  - Fix too-low pubkey key query count
- automatically refresh patches

Fixes: CVE-2019-6111, CVE-2026-35385
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/23217
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
package/network/services/dropbear/Makefile
package/network/services/dropbear/patches/001-sntrup-Fix-64-bit-literals.patch [new file with mode: 0644]
package/network/services/dropbear/patches/002-Increase-MAX_HOSTKEYS-to-6.patch [new file with mode: 0644]
package/network/services/dropbear/patches/003-Fix-too-low-pubkey-key-query-count.patch [new file with mode: 0644]
package/network/services/dropbear/patches/100-pubkey_path.patch
package/network/services/dropbear/patches/110-change_user.patch
package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
package/network/services/dropbear/patches/600-allow-blank-root-password.patch

index dd493babc50dee04b61e70d75de3092f5b9e1ad0..19dd7390d3ede74c441e59f9ac14691eb1f39b46 100644 (file)
@@ -8,14 +8,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dropbear
-PKG_VERSION:=2025.89
+PKG_VERSION:=2026.91
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
        https://matt.ucc.asn.au/dropbear/releases/ \
        https://dropbear.nl/mirror/releases/
-PKG_HASH:=0d1f7ca711cfc336dc8a85e672cab9cfd8223a02fe2da0a4a7aeb58c9e113634
+PKG_HASH:=defa924475abf6bc1e74abc00173e46bfdc804bd47caafa14f5a4ef0cc76da34
 
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
diff --git a/package/network/services/dropbear/patches/001-sntrup-Fix-64-bit-literals.patch b/package/network/services/dropbear/patches/001-sntrup-Fix-64-bit-literals.patch
new file mode 100644 (file)
index 0000000..b7db20e
--- /dev/null
@@ -0,0 +1,27 @@
+From b487b111d0cf735c640e6668aa888f7da4e78b3c Mon Sep 17 00:00:00 2001
+From: Matt Johnston <matt@ucc.asn.au>
+Date: Mon, 11 May 2026 20:43:50 +0800
+Subject: sntrup: Fix 64-bit literals
+
+Avoids warning on 32-bit platform
+
+src/sntrup761.c:1643: warning: integer constant is too large for 'long' type
+---
+ src/sntrup761.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/src/sntrup761.c
++++ b/src/sntrup761.c
+@@ -1640,9 +1640,9 @@ __attribute__((unused))
+ static inline
+ int crypto_int64_ones_num(crypto_int64 crypto_int64_x) {
+   crypto_int64_unsigned crypto_int64_y = crypto_int64_x;
+-  const crypto_int64 C0 = 0x5555555555555555;
+-  const crypto_int64 C1 = 0x3333333333333333;
+-  const crypto_int64 C2 = 0x0f0f0f0f0f0f0f0f;
++  const crypto_int64 C0 = INT64_C(0x5555555555555555);
++  const crypto_int64 C1 = INT64_C(0x3333333333333333);
++  const crypto_int64 C2 = INT64_C(0x0f0f0f0f0f0f0f0f);
+   crypto_int64_y -= ((crypto_int64_y >> 1) & C0);
+   crypto_int64_y = (crypto_int64_y & C1) + ((crypto_int64_y >> 2) & C1);
+   crypto_int64_y = (crypto_int64_y + (crypto_int64_y >> 4)) & C2;
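Review bot: `INT64_C` comes from <stdint.h>, and the hunk does not show whether src/sntrup761.c (or the header that defines crypto_int64) already includes it; presumably it does, since crypto_int64 looks like a fixed-width typedef, but that should be confirmed on an actual 32-bit target, which is the build this patch exists for. The three constants stay declared as signed `crypto_int64` and are then used as masks on the unsigned `crypto_int64_y`; the values are below INT64_MAX, so the implicit conversion is well defined and no behaviour changes. crypto_int64_ones_num continues past the end of the hunk.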
diff --git a/package/network/services/dropbear/patches/002-Increase-MAX_HOSTKEYS-to-6.patch b/package/network/services/dropbear/patches/002-Increase-MAX_HOSTKEYS-to-6.patch
new file mode 100644 (file)
index 0000000..43121ae
--- /dev/null
@@ -0,0 +1,23 @@
+From a05569c6124006bd9b4823db30e824953c5024de Mon Sep 17 00:00:00 2001
+From: Matt Johnston <matt@ucc.asn.au>
+Date: Wed, 13 May 2026 08:40:17 +0800
+Subject: Increase MAX_HOSTKEYS to 6
+
+This allows all key types to be loaded at once, including different
+ecdsa sizes.
+Suggested by Darren Tucker.
+---
+ src/sysoptions.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/sysoptions.h
++++ b/src/sysoptions.h
+@@ -283,7 +283,7 @@
+ #define MAX_KEX_PARTS 1000
+ #endif
+-#define MAX_HOSTKEYS 4
++#define MAX_HOSTKEYS 6
+ /* The maximum size of the bignum portion of the kexhash buffer */
+ /* K_S + Q_C + Q_S + K */
diff --git a/package/network/services/dropbear/patches/003-Fix-too-low-pubkey-key-query-count.patch b/package/network/services/dropbear/patches/003-Fix-too-low-pubkey-key-query-count.patch
new file mode 100644 (file)
index 0000000..b64799b
--- /dev/null
@@ -0,0 +1,33 @@
+From ee65bff1567576a223febcdd5ae552326a4da4b1 Mon Sep 17 00:00:00 2001
+From: Matt Johnston <matt@ucc.asn.au>
+Date: Tue, 19 May 2026 19:03:39 +0800
+Subject: Fix too-low pubkey key query count
+
+Dropbear 2026.90 added a limit to the number of queries that could be
+made to a server when determining usable keys. This was intended to be
+set to 15 (MAX_PUBKEY_QUERIES) but the logic was incorrect (and also
+debug code was accidentally committed). This meant only 10 (default
+MAX_AUTH_TRIES/-T) tried keys would be allowed - not a huge difference.
+
+Reported by Rui Salvaterra
+
+Fixes: db0d3fd0a9e9 ("Limit server number of public key queries")
+---
+ src/svr-authpubkey.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/src/svr-authpubkey.c
++++ b/src/svr-authpubkey.c
+@@ -173,9 +173,9 @@ void svr_auth_pubkey(int valid_user) {
+                * Start counting failures (incrfail) only when it's reaching
+                * the limit.
+                */
+-              unsigned int free_query_limit = 0;
+-                      MAX(0, (int)svr_opts.maxauthtries - MAX_PUBKEY_QUERIES);
+-              int incrfail = ses.authstate.serv_pubkey_query_count > free_query_limit;
++              unsigned int free_query_limit =
++                      MAX(0, MAX_PUBKEY_QUERIES - (int)svr_opts.maxauthtries);
++              int incrfail = ses.authstate.serv_pubkey_query_count >= free_query_limit;
+               send_msg_userauth_failure(0, incrfail);
+               ses.authstate.serv_pubkey_query_count++;
+               goto out;
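Review bot: With the corrected arithmetic the server-side bound on public-key queries is not a fixed MAX_PUBKEY_QUERIES: `free_query_limit` saturates at 0 whenever `svr_opts.maxauthtries` (-T) is configured above MAX_PUBKEY_QUERIES, after which every query increments the failure counter and the effective cap becomes maxauthtries itself — presumably intended, but the patch description only discusses the default case. A comment above the assignment would make the relationship explicit: `/* Queries beyond free_query_limit count as auth failures, so the total is bounded by max(MAX_PUBKEY_QUERIES, maxauthtries) */`. `MAX(0, …)` yields an int that is stored into an `unsigned int`; it is non-negative by construction, and the `(int)` cast of maxauthtries is only a concern for values above INT_MAX, which -T presumably never produces. svr_auth_pubkey starts before and continues after this hunk.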
index 5aafdffe67ba0534a4aad2663a33faae9f5dede8..fd1ba4c86cd7d31a767a69b5c229f7a021d7060c 100644 (file)
@@ -3,7 +3,7 @@
 
 --- a/src/svr-authpubkey.c
 +++ b/src/svr-authpubkey.c
-@@ -79,6 +79,39 @@ static void send_msg_userauth_pk_ok(cons
+@@ -80,6 +80,39 @@ static void send_msg_userauth_pk_ok(cons
                const unsigned char* keyblob, unsigned int keybloblen);
  static int checkfileperm(char * filename);
  
@@ -43,7 +43,7 @@
  /* process a pubkey auth request, sending success or failure message as
   * appropriate */
  void svr_auth_pubkey(int valid_user) {
-@@ -439,16 +472,22 @@ out:
+@@ -459,16 +492,22 @@ out:
  static char *authorized_keys_filepath() {
        size_t len = 0;
        char *pathname = NULL, *dir = NULL;
@@ -69,7 +69,7 @@
        m_free(dir);
        return pathname;
  }
-@@ -549,11 +588,23 @@ out:
+@@ -572,11 +611,23 @@ out:
   * When this path is inside the user's home dir it checks up to and including
   * the home dir, otherwise it checks every path component. */
  static int checkpubkeyperms() {
index 3e8c736a67aa1970bd1937b9e2da7b2aa4891ddc..db8521807071fc21357c334c6db1181958c4b4f8 100644 (file)
@@ -1,6 +1,6 @@
 --- a/src/svr-auth.c
 +++ b/src/svr-auth.c
-@@ -510,9 +510,9 @@ void svr_switch_user(void) {
+@@ -504,9 +504,9 @@ void svr_switch_user(void) {
        /* We can only change uid/gid as root ... */
        if (getuid() == 0) {
  
@@ -12,7 +12,7 @@
                        dropbear_exit("Error changing user group");
                }
  
-@@ -534,7 +534,7 @@ void svr_switch_user(void) {
+@@ -528,7 +528,7 @@ void svr_switch_user(void) {
                }
  #endif
  
index de0e5f2725c637f426e17d6eaff43bab374f3ab8..cfc603258b7b2ea607aee37bb68f08ba56b709fb 100644 (file)
@@ -1,6 +1,6 @@
 --- a/src/cli-runopts.c
 +++ b/src/cli-runopts.c
-@@ -340,6 +340,10 @@ void cli_getopts(int argc, char ** argv)
+@@ -352,6 +352,10 @@ void cli_getopts(int argc, char ** argv)
                                case 'z':
                                        opts.disable_ip_tos = 1;
                                        break;
index e72458dd6e346c0e963a3df1d768c8166984f16b..f807c274536563ed82d503853865c1457dea39af 100644 (file)
@@ -1,6 +1,6 @@
 --- a/src/svr-auth.c
 +++ b/src/svr-auth.c
-@@ -124,7 +124,7 @@ void recv_msg_userauth_request() {
+@@ -122,7 +122,7 @@ void recv_msg_userauth_request() {
                                AUTH_METHOD_NONE_LEN) == 0) {
                TRACE(("recv_msg_userauth_request: 'none' request"))
                if (valid_user