From 65256aee23a5104eb0c78411fdc73640c0b757ea Mon Sep 17 00:00:00 2001
From: Konstantin Demin <rockdrilla@gmail.com>
Date: Thu, 7 Apr 2022 11:33:08 +0300
Subject: [PATCH] dropbear: bump to 2022.82

- update dropbear to latest stable 2022.82;
  for the changes see https://matt.ucc.asn.au/dropbear/CHANGES
- use $(AUTORELEASE) in PKG_RELEASE
- use https for all uris
- refresh all patches
- rewrite patches:
  - 100-pubkey_path.patch
  - 130-ssh_ignore_x_args.patch

binary/pkg size changes:
- ath79/generic, mips:
  - binary: 215112 -> 219228 (+4116)
  - pkg: 111914 -> 113404 (+1490)
- ath79/tiny, mips:
  - binary: 172501 -> 172485 (-16)
  - pkg: 89871 -> 90904 (+1033)

Tested-by: Stijn Segers <foss@volatilesystems.org>
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
---
 package/network/services/dropbear/Makefile    |  12 +-
 .../dropbear/patches/100-pubkey_path.patch    | 116 ++++++++++--------
 .../dropbear/patches/110-change_user.patch    |   2 +-
 .../patches/130-ssh_ignore_x_args.patch       |  14 ++-
 .../dropbear/patches/140-disable_assert.patch |   2 +-
 .../dropbear/patches/160-lto-jobserver.patch  |   4 +-
 .../600-allow-blank-root-password.patch       |   2 +-
 .../patches/900-configure-hardening.patch     |   2 +-
 ...nkey-fix-use-of-rsa-sha2-256-pubkeys.patch |   2 +-
 9 files changed, 90 insertions(+), 66 deletions(-)

diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index d518de3f70..eaf14c5533 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -8,14 +8,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dropbear
-PKG_VERSION:=2020.81
-PKG_RELEASE:=2
+PKG_VERSION:=2022.82
+PKG_RELEASE:=$(AUTORELEASE)
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
-	http://matt.ucc.asn.au/dropbear/releases/ \
+	https://matt.ucc.asn.au/dropbear/releases/ \
 	https://dropbear.nl/mirror/releases/
-PKG_HASH:=48235d10b37775dbda59341ac0c4b239b82ad6318c31568b985730c788aac53b
+PKG_HASH:=3a038d2bbc02bf28bbdd20c012091f741a3ec5cbe460691811d714876aad75d1
 
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
@@ -42,7 +42,7 @@ ifneq ($(DUMP),1)
 endif
 
 define Package/dropbear/Default
-  URL:=http://matt.ucc.asn.au/dropbear/
+  URL:=https://matt.ucc.asn.au/dropbear/
 endef
 
 define Package/dropbear/config
@@ -130,8 +130,10 @@ DB_OPT_COMMON = \
 DB_OPT_CONFIG = \
 	DROPBEAR_CURVE25519|CONFIG_DROPBEAR_CURVE25519|1|0 \
 	DROPBEAR_ED25519|CONFIG_DROPBEAR_ED25519|1|0 \
+	DROPBEAR_SK_ED25519|CONFIG_DROPBEAR_ED25519|1|0 \
 	DROPBEAR_CHACHA20POLY1305|CONFIG_DROPBEAR_CHACHA20POLY1305|1|0 \
 	DROPBEAR_ECDSA|CONFIG_DROPBEAR_ECC|1|0 \
+	DROPBEAR_SK_ECDSA|CONFIG_DROPBEAR_ECC|1|0 \
 	DROPBEAR_ECDH|CONFIG_DROPBEAR_ECC|1|0 \
 	!!DROPBEAR_ECC_384|CONFIG_DROPBEAR_ECC_FULL|1|0 \
 	!!DROPBEAR_ECC_521|CONFIG_DROPBEAR_ECC_FULL|1|0 \
diff --git a/package/network/services/dropbear/patches/100-pubkey_path.patch b/package/network/services/dropbear/patches/100-pubkey_path.patch
index af3fbb336b..0403198062 100644
--- a/package/network/services/dropbear/patches/100-pubkey_path.patch
+++ b/package/network/services/dropbear/patches/100-pubkey_path.patch
@@ -1,34 +1,50 @@
 --- a/svr-authpubkey.c
 +++ b/svr-authpubkey.c
-@@ -386,14 +386,19 @@ static int checkpubkey(const char* keyal
- 		goto out;
- 	}
+@@ -77,6 +77,13 @@ static void send_msg_userauth_pk_ok(cons
+ 		const unsigned char* keyblob, unsigned int keybloblen);
+ static int checkfileperm(char * filename);
  
--	/* we don't need to check pw and pw_dir for validity, since
--	 * its been done in checkpubkeyperms. */
--	len = strlen(ses.authstate.pw_dir);
--	/* allocate max required pathname storage,
--	 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
--	filename = m_malloc(len + 22);
--	snprintf(filename, len + 22, "%s/.ssh/authorized_keys", 
--				ses.authstate.pw_dir);
-+	if (ses.authstate.pw_uid != 0) {
-+		/* we don't need to check pw and pw_dir for validity, since
-+		 * its been done in checkpubkeyperms. */
-+		len = strlen(ses.authstate.pw_dir);
-+		/* allocate max required pathname storage,
-+		 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
-+		filename = m_malloc(len + 22);
-+		snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
-+					ses.authstate.pw_dir);
-+	} else {
-+		filename = m_malloc(30);
-+		strncpy(filename, "/etc/dropbear/authorized_keys", 30);
-+	}
++static const char * const global_authkeys_dir = "/etc/dropbear";
++static const int        n_global_authkeys_dir = 14; /* + 1 extra byte */
++static const char * const user_authkeys_dir = ".ssh";
++static const int        n_user_authkeys_dir = 5; /* + 1 extra byte */
++static const char * const authkeys_file = "authorized_keys";
++static const int        n_authkeys_file = 16; /* + 1 extra byte */
++
+ /* process a pubkey auth request, sending success or failure message as
+  * appropriate */
+ void svr_auth_pubkey(int valid_user) {
+@@ -439,14 +446,21 @@ static int checkpubkey(const char* keyal
+ 	if (checkpubkeyperms() == DROPBEAR_FAILURE) {
+ 		TRACE(("bad authorized_keys permissions, or file doesn't exist"))
+ 	} else {
+-		/* we don't need to check pw and pw_dir for validity, since
+-		 * its been done in checkpubkeyperms. */
+-		len = strlen(ses.authstate.pw_dir);
+-		/* allocate max required pathname storage,
+-		 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
+-		filename = m_malloc(len + 22);
+-		snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
+-					ses.authstate.pw_dir);
++		if (ses.authstate.pw_uid == 0) {
++			len = n_global_authkeys_dir + n_authkeys_file;
++			filename = m_malloc(len);
++			snprintf(filename, len, "%s/%s", global_authkeys_dir, authkeys_file);
++		} else {
++			/* we don't need to check pw and pw_dir for validity, since
++			 * its been done in checkpubkeyperms. */
++			len = strlen(ses.authstate.pw_dir);
++			/* allocate max required pathname storage,
++			 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
++			len += n_user_authkeys_dir + n_authkeys_file + 1;
++			filename = m_malloc(len);
++			snprintf(filename, len, "%s/%s/%s", ses.authstate.pw_dir,
++			        user_authkeys_dir, authkeys_file);
++		}
  
- #if DROPBEAR_SVR_MULTIUSER
- 	/* open the file as the authenticating user. */
-@@ -474,27 +479,36 @@ static int checkpubkeyperms() {
+ 		authfile = fopen(filename, "r");
+ 		if (!authfile) {
+@@ -520,27 +534,41 @@ static int checkpubkeyperms() {
  		goto out;
  	}
  
@@ -37,47 +53,51 @@
 -	len += 22;
 -	filename = m_malloc(len);
 -	strlcpy(filename, ses.authstate.pw_dir, len);
--
++	if (ses.authstate.pw_uid == 0) {
++		if (checkfileperm(global_authkeys_dir) != DROPBEAR_SUCCESS) {
++			goto out;
++		}
+ 
 -	/* check ~ */
 -	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
 -		goto out;
 -	}
-+	if (ses.authstate.pw_uid == 0) {
-+		if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) {
-+			goto out;
-+		}
-+		if (checkfileperm("/etc/dropbear/authorized_keys") != DROPBEAR_SUCCESS) {
-+			goto out;
-+		}
-+	} else {
-+		/* allocate max required pathname storage,
-+		 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
-+		len += 22;
++		len = n_global_authkeys_dir + n_authkeys_file;
 +		filename = m_malloc(len);
-+		strlcpy(filename, ses.authstate.pw_dir, len);
-+
-+		/* check ~ */
-+		if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
-+			goto out;
-+		}
  
 -	/* check ~/.ssh */
 -	strlcat(filename, "/.ssh", len);
 -	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
 -		goto out;
 -	}
-+		/* check ~/.ssh */
-+		strlcat(filename, "/.ssh", len);
++		snprintf(filename, len, "%s/%s", global_authkeys_dir, authkeys_file);
 +		if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
 +			goto out;
 +		}
++	} else {
++		/* check ~ */
++		if (checkfileperm(ses.authstate.pw_dir) != DROPBEAR_SUCCESS) {
++			goto out;
++		}
  
 -	/* now check ~/.ssh/authorized_keys */
 -	strlcat(filename, "/authorized_keys", len);
 -	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
 -		goto out;
++		/* allocate max required pathname storage,
++		 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
++		len += n_user_authkeys_dir + n_authkeys_file + 1;
++		filename = m_malloc(len);
++
++		/* check ~/.ssh */
++		snprintf(filename, len, "%s/%s", ses.authstate.pw_dir, user_authkeys_dir);
++		if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
++			goto out;
++		}
++
 +		/* now check ~/.ssh/authorized_keys */
-+		strlcat(filename, "/authorized_keys", len);
++		snprintf(filename, len, "%s/%s/%s", ses.authstate.pw_dir,
++		         user_authkeys_dir, authkeys_file);
 +		if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
 +			goto out;
 +		}
diff --git a/package/network/services/dropbear/patches/110-change_user.patch b/package/network/services/dropbear/patches/110-change_user.patch
index 1dd67948af..04d1df3fde 100644
--- a/package/network/services/dropbear/patches/110-change_user.patch
+++ b/package/network/services/dropbear/patches/110-change_user.patch
@@ -1,6 +1,6 @@
 --- a/svr-chansession.c
 +++ b/svr-chansession.c
-@@ -954,12 +954,12 @@ static void execchild(const void *user_d
+@@ -985,12 +985,12 @@ static void execchild(const void *user_d
  	/* We can only change uid/gid as root ... */
  	if (getuid() == 0) {
  
diff --git a/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch b/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
index 5e736320cc..d7f589801d 100644
--- a/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
+++ b/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
@@ -1,11 +1,13 @@
 --- a/cli-runopts.c
 +++ b/cli-runopts.c
-@@ -299,6 +299,8 @@ void cli_getopts(int argc, char ** argv)
- 					debug_trace = 1;
+@@ -325,6 +325,10 @@ void cli_getopts(int argc, char ** argv)
+ 				case 'b':
+ 					next = &bind_arg;
  					break;
- #endif
 +				case 'x':
++					/* compatibility with openssh cli
++					 * ("-x" disables X11 forwarding) */
 +					break;
- 				case 'F':
- 				case 'e':
- #if !DROPBEAR_USER_ALGO_LIST
+ 				default:
+ 					fprintf(stderr,
+ 						"WARNING: Ignoring unknown option -%c\n", c);
diff --git a/package/network/services/dropbear/patches/140-disable_assert.patch b/package/network/services/dropbear/patches/140-disable_assert.patch
index 8c3ae7f119..af01573dee 100644
--- a/package/network/services/dropbear/patches/140-disable_assert.patch
+++ b/package/network/services/dropbear/patches/140-disable_assert.patch
@@ -1,6 +1,6 @@
 --- a/dbutil.h
 +++ b/dbutil.h
-@@ -75,7 +75,11 @@ int m_str_to_uint(const char* str, unsig
+@@ -80,7 +80,11 @@ int m_snprintf(char *str, size_t size, c
  #define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
  
  /* Dropbear assertion */
diff --git a/package/network/services/dropbear/patches/160-lto-jobserver.patch b/package/network/services/dropbear/patches/160-lto-jobserver.patch
index 1ba7dd6f44..fd80b986ae 100644
--- a/package/network/services/dropbear/patches/160-lto-jobserver.patch
+++ b/package/network/services/dropbear/patches/160-lto-jobserver.patch
@@ -1,6 +1,6 @@
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -198,17 +198,17 @@ dropbearkey: $(dropbearkeyobjs)
+@@ -200,17 +200,17 @@ dropbearkey: $(dropbearkeyobjs)
  dropbearconvert: $(dropbearconvertobjs)
  
  dropbear: $(HEADERS) $(LIBTOM_DEPS) Makefile
@@ -22,7 +22,7 @@
  
  
  # multi-binary compilation.
-@@ -219,7 +219,7 @@ ifeq ($(MULTI),1)
+@@ -221,7 +221,7 @@ ifeq ($(MULTI),1)
  endif
  
  dropbearmulti$(EXEEXT): $(HEADERS) $(MULTIOBJS) $(LIBTOM_DEPS) Makefile
diff --git a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
index b138862ca3..07ae022763 100644
--- a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
+++ b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
@@ -1,6 +1,6 @@
 --- a/svr-auth.c
 +++ b/svr-auth.c
-@@ -125,7 +125,7 @@ void recv_msg_userauth_request() {
+@@ -124,7 +124,7 @@ void recv_msg_userauth_request() {
  				AUTH_METHOD_NONE_LEN) == 0) {
  		TRACE(("recv_msg_userauth_request: 'none' request"))
  		if (valid_user
diff --git a/package/network/services/dropbear/patches/900-configure-hardening.patch b/package/network/services/dropbear/patches/900-configure-hardening.patch
index ab1361f6ae..4f806f8b25 100644
--- a/package/network/services/dropbear/patches/900-configure-hardening.patch
+++ b/package/network/services/dropbear/patches/900-configure-hardening.patch
@@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -70,53 +70,6 @@ AC_ARG_ENABLE(harden,
+@@ -74,53 +74,6 @@ AC_ARG_ENABLE(harden,
  
  if test "$hardenbuild" -eq 1; then
  	AC_MSG_NOTICE(Checking for available hardened build flags:)
diff --git a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
index b774a38b1a..f078814403 100644
--- a/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
+++ b/package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
@@ -21,7 +21,7 @@ Signed-off-by: Petr Å tetiar <ynezz@true.cz>
 
 --- a/signkey.c
 +++ b/signkey.c
-@@ -657,8 +657,12 @@ int buf_verify(buffer * buf, sign_key *k
+@@ -646,8 +646,12 @@ int buf_verify(buffer * buf, sign_key *k
  	sigtype = signature_type_from_name(type_name, type_name_len);
  	m_free(type_name);
  
-- 
2.30.2