From 99b681934de6d75086cf01f3571823584fa37b29 Mon Sep 17 00:00:00 2001 From: Konstantin Demin Date: Tue, 19 May 2026 16:38:13 +0300 Subject: [PATCH] dropbear: bump to 2026.91 - update dropbear to latest stable 2026.91; for the changes see https://matt.ucc.asn.au/dropbear/CHANGES - cherry-pick upstream patches: - sntrup: Fix 64-bit literals - Increase MAX_HOSTKEYS to 6 - Fix too-low pubkey key query count - automatically refresh patches Fixes: CVE-2019-6111, CVE-2026-35385 Signed-off-by: Konstantin Demin Link: https://github.com/openwrt/openwrt/pull/23217 Signed-off-by: Hauke Mehrtens --- package/network/services/dropbear/Makefile | 4 +-- .../001-sntrup-Fix-64-bit-literals.patch | 27 +++++++++++++++ .../002-Increase-MAX_HOSTKEYS-to-6.patch | 23 +++++++++++++ ...3-Fix-too-low-pubkey-key-query-count.patch | 33 +++++++++++++++++++ .../dropbear/patches/100-pubkey_path.patch | 6 ++-- .../dropbear/patches/110-change_user.patch | 4 +-- .../patches/130-ssh_ignore_x_args.patch | 2 +- .../600-allow-blank-root-password.patch | 2 +- 8 files changed, 92 insertions(+), 9 deletions(-) create mode 100644 package/network/services/dropbear/patches/001-sntrup-Fix-64-bit-literals.patch create mode 100644 package/network/services/dropbear/patches/002-Increase-MAX_HOSTKEYS-to-6.patch create mode 100644 package/network/services/dropbear/patches/003-Fix-too-low-pubkey-key-query-count.patch diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index dd493babc5..19dd7390d3 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile 
@@ -8,14 +8,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dropbear -PKG_VERSION:=2025.89 +PKG_VERSION:=2026.91 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:= \ https://matt.ucc.asn.au/dropbear/releases/ \ https://dropbear.nl/mirror/releases/ -PKG_HASH:=0d1f7ca711cfc336dc8a85e672cab9cfd8223a02fe2da0a4a7aeb58c9e113634 +PKG_HASH:=defa924475abf6bc1e74abc00173e46bfdc804bd47caafa14f5a4ef0cc76da34 PKG_LICENSE:=MIT PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE diff --git a/package/network/services/dropbear/patches/001-sntrup-Fix-64-bit-literals.patch b/package/network/services/dropbear/patches/001-sntrup-Fix-64-bit-literals.patch new file mode 100644 index 0000000000..b7db20e1ba --- /dev/null +++ b/package/network/services/dropbear/patches/001-sntrup-Fix-64-bit-literals.patch @@ -0,0 +1,27 @@ +From b487b111d0cf735c640e6668aa888f7da4e78b3c Mon Sep 17 00:00:00 2001 +From: Matt Johnston +Date: Mon, 11 May 2026 20:43:50 +0800 +Subject: sntrup: Fix 64-bit literals + +Avoids warning on 32-bit platform + +src/sntrup761.c:1643: warning: integer constant is too large for 'long' type +--- + src/sntrup761.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/src/sntrup761.c ++++ b/src/sntrup761.c +@@ -1640,9 +1640,9 @@ __attribute__((unused)) + static inline + int crypto_int64_ones_num(crypto_int64 crypto_int64_x) { + crypto_int64_unsigned crypto_int64_y = crypto_int64_x; +- const crypto_int64 C0 = 0x5555555555555555; +- const crypto_int64 C1 = 0x3333333333333333; +- const crypto_int64 C2 = 0x0f0f0f0f0f0f0f0f; ++ const crypto_int64 C0 = INT64_C(0x5555555555555555); ++ const crypto_int64 C1 = INT64_C(0x3333333333333333); ++ const crypto_int64 C2 = INT64_C(0x0f0f0f0f0f0f0f0f); + crypto_int64_y -= ((crypto_int64_y >> 1) & C0); + crypto_int64_y = (crypto_int64_y & C1) + ((crypto_int64_y >> 2) & C1); + crypto_int64_y = (crypto_int64_y + (crypto_int64_y >> 4)) & C2; 
diff --git a/package/network/services/dropbear/patches/002-Increase-MAX_HOSTKEYS-to-6.patch b/package/network/services/dropbear/patches/002-Increase-MAX_HOSTKEYS-to-6.patch
new file mode 100644
index 0000000000..43121ae0a3
--- /dev/null
+++ b/package/network/services/dropbear/patches/002-Increase-MAX_HOSTKEYS-to-6.patch
@@ -0,0 +1,23 @@
+From a05569c6124006bd9b4823db30e824953c5024de Mon Sep 17 00:00:00 2001
+From: Matt Johnston
+Date: Wed, 13 May 2026 08:40:17 +0800
+Subject: Increase MAX_HOSTKEYS to 6
+
+This allows all key types to be loaded at once, including different
+ecdsa sizes.
+Suggested by Darren Tucker.
+---
+ src/sysoptions.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/sysoptions.h
++++ b/src/sysoptions.h
+@@ -283,7 +283,7 @@
+ #define MAX_KEX_PARTS 1000
+ #endif
+
+-#define MAX_HOSTKEYS 4
++#define MAX_HOSTKEYS 6
+
+ /* The maximum size of the bignum portion of the kexhash buffer */
+ /* K_S + Q_C + Q_S + K */
diff --git a/package/network/services/dropbear/patches/003-Fix-too-low-pubkey-key-query-count.patch b/package/network/services/dropbear/patches/003-Fix-too-low-pubkey-key-query-count.patch
new file mode 100644
index 0000000000..b64799bf02
--- /dev/null
+++ b/package/network/services/dropbear/patches/003-Fix-too-low-pubkey-key-query-count.patch
@@ -0,0 +1,33 @@ +From ee65bff1567576a223febcdd5ae552326a4da4b1 Mon Sep 17 00:00:00 2001 +From: Matt Johnston +Date: Tue, 19 May 2026 19:03:39 +0800 +Subject: Fix too-low pubkey key query count + +Dropbear 2026.90 added a limit to the number of queries that could be +made to a server when determining usable keys. This was intended to be +set to 15 (MAX_PUBKEY_QUERIES) but the logic was incorrect (and also +debug code was accidentally committed). This meant only 10 (default +MAX_AUTH_TRIES/-T) tried keys would be allowed - not a huge difference. + +Reported by Rui Salvaterra + +Fixes: db0d3fd0a9e9 ("Limit server number of public key queries") +--- + src/svr-authpubkey.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/src/svr-authpubkey.c ++++ b/src/svr-authpubkey.c +@@ -173,9 +173,9 @@ void svr_auth_pubkey(int valid_user) { + * Start counting failures (incrfail) only when it's reaching + * the limit. + */ +- unsigned int free_query_limit = 0; +- MAX(0, (int)svr_opts.maxauthtries - MAX_PUBKEY_QUERIES); +- int incrfail = ses.authstate.serv_pubkey_query_count > free_query_limit; ++ unsigned int free_query_limit = ++ MAX(0, MAX_PUBKEY_QUERIES - (int)svr_opts.maxauthtries); ++ int incrfail = ses.authstate.serv_pubkey_query_count >= free_query_limit; + send_msg_userauth_failure(0, incrfail); + ses.authstate.serv_pubkey_query_count++; + goto out; diff --git a/package/network/services/dropbear/patches/100-pubkey_path.patch b/package/network/services/dropbear/patches/100-pubkey_path.patch index 5aafdffe67..fd1ba4c86c 100644 --- a/package/network/services/dropbear/patches/100-pubkey_path.patch +++ b/package/network/services/dropbear/patches/100-pubkey_path.patch @@ -3,7 +3,7 @@ --- a/src/svr-authpubkey.c +++ b/src/svr-authpubkey.c -@@ -79,6 +79,39 @@ static void send_msg_userauth_pk_ok(cons +@@ -80,6 +80,39 @@ static void send_msg_userauth_pk_ok(cons const unsigned char* keyblob, unsigned int keybloblen); static int checkfileperm(char * filename); 
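Review bot: The new `free_query_limit` / `incrfail` pair does not give a flat cap of MAX_PUBKEY_QUERIES: the first `MAX(0, MAX_PUBKEY_QUERIES - maxauthtries)` queries are free and every later one is reported with `incrfail` set, so — assuming a failure reported that way counts against `svr_opts.maxauthtries`, as the commit message's "10 (default MAX_AUTH_TRIES/-T)" implies — a client can probe up to max(MAX_PUBKEY_QUERIES, maxauthtries) keys, and an OpenWrt deployment that raises `-T` past 15 raises the pubkey query budget with it. The comment just above only says failures start counting "when it's reaching the limit", so I would add `/* Effective budget is max(MAX_PUBKEY_QUERIES, maxauthtries) queries: raising -T also raises the number of keys a client may offer before disconnect. */` directly above `unsigned int free_query_limit =`. The `>=` is right here: with the defaults and a counter starting at zero, queries 0..4 are free and the next 10 count, giving exactly 15. svr_auth_pubkey() begins and ends outside the hunk; OpenWrt's own 100-pubkey_path.patch edits the same file later in the series, and the refreshed hunk offsets in this commit suggest it still applies cleanly on top.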
@@ -43,7 +43,7 @@ /* process a pubkey auth request, sending success or failure message as * appropriate */ void svr_auth_pubkey(int valid_user) { -@@ -439,16 +472,22 @@ out: +@@ -459,16 +492,22 @@ out: static char *authorized_keys_filepath() { size_t len = 0; char *pathname = NULL, *dir = NULL; @@ -69,7 +69,7 @@ m_free(dir); return pathname; } -@@ -549,11 +588,23 @@ out: +@@ -572,11 +611,23 @@ out: * When this path is inside the user's home dir it checks up to and including * the home dir, otherwise it checks every path component. */ static int checkpubkeyperms() { diff --git a/package/network/services/dropbear/patches/110-change_user.patch b/package/network/services/dropbear/patches/110-change_user.patch index 3e8c736a67..db85218070 100644 --- a/package/network/services/dropbear/patches/110-change_user.patch +++ b/package/network/services/dropbear/patches/110-change_user.patch @@ -1,6 +1,6 @@ --- a/src/svr-auth.c +++ b/src/svr-auth.c -@@ -510,9 +510,9 @@ void svr_switch_user(void) { +@@ -504,9 +504,9 @@ void svr_switch_user(void) { /* We can only change uid/gid as root ... */ if (getuid() == 0) { @@ -12,7 +12,7 @@ dropbear_exit("Error changing user group"); } -@@ -534,7 +534,7 @@ void svr_switch_user(void) { +@@ -528,7 +528,7 @@ void svr_switch_user(void) { } #endif diff --git a/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch b/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch index de0e5f2725..cfc603258b 100644 --- a/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch +++ b/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch @@ -1,6 +1,6 @@ --- a/src/cli-runopts.c +++ b/src/cli-runopts.c -@@ -340,6 +340,10 @@ void cli_getopts(int argc, char ** argv) +@@ -352,6 +352,10 @@ void cli_getopts(int argc, char ** argv) case 'z': opts.disable_ip_tos = 1; break; 
diff --git a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch index e72458dd6e..f807c27453 100644 --- a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch +++ b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch @@ -1,6 +1,6 @@ --- a/src/svr-auth.c +++ b/src/svr-auth.c -@@ -124,7 +124,7 @@ void recv_msg_userauth_request() { +@@ -122,7 +122,7 @@ void recv_msg_userauth_request() { AUTH_METHOD_NONE_LEN) == 0) { TRACE(("recv_msg_userauth_request: 'none' request")) if (valid_user