dropbear: bump to 2026.91

- update dropbear to latest stable 2026.91; for the changes see https://matt.ucc.asn.au/dropbear/CHANGES - cherry-pick upstream patches: - sntrup: Fix 64-bit literals - Increase MAX_HOSTKEYS to 6 - Fix too-low pubkey key query count - automatically refresh patches Fixes: CVE-2019-6111, CVE-2026-35385 Signed-off-by: Konstantin Demin <rockdrilla@gmail.com> Link: https://github.com/openwrt/openwrt/pull/23217 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2026-05-19 16:38:13 +03:00 · 2026-05-19 16:38:13 +03:00 · 99b681934d
commit 99b681934d
parent 06bf4fa978
8 changed files with 92 additions and 9 deletions
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@ -8,14 +8,14 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=dropbear
-PKG_VERSION:=2025.89
+PKG_VERSION:=2026.91
 PKG_RELEASE:=1

 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
 	https://matt.ucc.asn.au/dropbear/releases/ \
 	https://dropbear.nl/mirror/releases/
-PKG_HASH:=0d1f7ca711cfc336dc8a85e672cab9cfd8223a02fe2da0a4a7aeb58c9e113634
+PKG_HASH:=defa924475abf6bc1e74abc00173e46bfdc804bd47caafa14f5a4ef0cc76da34

 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
--- a/package/network/services/dropbear/patches/001-sntrup-Fix-64-bit-literals.patch
+++ b/package/network/services/dropbear/patches/001-sntrup-Fix-64-bit-literals.patch
@ -0,0 +1,27 @@
+From b487b111d0cf735c640e6668aa888f7da4e78b3c Mon Sep 17 00:00:00 2001
+From: Matt Johnston <matt@ucc.asn.au>
+Date: Mon, 11 May 2026 20:43:50 +0800
+Subject: sntrup: Fix 64-bit literals
+
+Avoids warning on 32-bit platform
+
+src/sntrup761.c:1643: warning: integer constant is too large for 'long' type
+---
+ src/sntrup761.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/src/sntrup761.c
+++ b/src/sntrup761.c
+@@ -1640,9 +1640,9 @@ __attribute__((unused))
+ static inline
+ int crypto_int64_ones_num(crypto_int64 crypto_int64_x) {
+   crypto_int64_unsigned crypto_int64_y = crypto_int64_x;
+-  const crypto_int64 C0 = 0x5555555555555555;
+-  const crypto_int64 C1 = 0x3333333333333333;
+-  const crypto_int64 C2 = 0x0f0f0f0f0f0f0f0f;
+  const crypto_int64 C0 = INT64_C(0x5555555555555555);
+  const crypto_int64 C1 = INT64_C(0x3333333333333333);
+  const crypto_int64 C2 = INT64_C(0x0f0f0f0f0f0f0f0f);
+   crypto_int64_y -= ((crypto_int64_y >> 1) & C0);
+   crypto_int64_y = (crypto_int64_y & C1) + ((crypto_int64_y >> 2) & C1);
+   crypto_int64_y = (crypto_int64_y + (crypto_int64_y >> 4)) & C2;
--- a/package/network/services/dropbear/patches/002-Increase-MAX_HOSTKEYS-to-6.patch
+++ b/package/network/services/dropbear/patches/002-Increase-MAX_HOSTKEYS-to-6.patch
@ -0,0 +1,23 @@
+From a05569c6124006bd9b4823db30e824953c5024de Mon Sep 17 00:00:00 2001
+From: Matt Johnston <matt@ucc.asn.au>
+Date: Wed, 13 May 2026 08:40:17 +0800
+Subject: Increase MAX_HOSTKEYS to 6
+
+This allows all key types to be loaded at once, including different
+ecdsa sizes.
+Suggested by Darren Tucker.
+---
+ src/sysoptions.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/sysoptions.h
+++ b/src/sysoptions.h
+@@ -283,7 +283,7 @@
+ #define MAX_KEX_PARTS 1000
+ #endif
+ 
+-#define MAX_HOSTKEYS 4
+#define MAX_HOSTKEYS 6
+ 
+ /* The maximum size of the bignum portion of the kexhash buffer */
+ /* K_S + Q_C + Q_S + K */
--- a/package/network/services/dropbear/patches/003-Fix-too-low-pubkey-key-query-count.patch
+++ b/package/network/services/dropbear/patches/003-Fix-too-low-pubkey-key-query-count.patch
@ -0,0 +1,33 @@
+From ee65bff1567576a223febcdd5ae552326a4da4b1 Mon Sep 17 00:00:00 2001
+From: Matt Johnston <matt@ucc.asn.au>
+Date: Tue, 19 May 2026 19:03:39 +0800
+Subject: Fix too-low pubkey key query count
+
+Dropbear 2026.90 added a limit to the number of queries that could be
+made to a server when determining usable keys. This was intended to be
+set to 15 (MAX_PUBKEY_QUERIES) but the logic was incorrect (and also
+debug code was accidentally committed). This meant only 10 (default
+MAX_AUTH_TRIES/-T) tried keys would be allowed - not a huge difference.
+
+Reported by Rui Salvaterra
+
+Fixes: db0d3fd0a9e9 ("Limit server number of public key queries")
+---
+ src/svr-authpubkey.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/src/svr-authpubkey.c
+++ b/src/svr-authpubkey.c
+@@ -173,9 +173,9 @@ void svr_auth_pubkey(int valid_user) {
+ 		 * Start counting failures (incrfail) only when it's reaching
+ 		 * the limit.
+ 		 */
+-		unsigned int free_query_limit = 0;
+-			MAX(0, (int)svr_opts.maxauthtries - MAX_PUBKEY_QUERIES);
+-		int incrfail = ses.authstate.serv_pubkey_query_count > free_query_limit;
+		unsigned int free_query_limit =
+			MAX(0, MAX_PUBKEY_QUERIES - (int)svr_opts.maxauthtries);
+		int incrfail = ses.authstate.serv_pubkey_query_count >= free_query_limit;
+ 		send_msg_userauth_failure(0, incrfail);
+ 		ses.authstate.serv_pubkey_query_count++;
+ 		goto out;
--- a/package/network/services/dropbear/patches/100-pubkey_path.patch
+++ b/package/network/services/dropbear/patches/100-pubkey_path.patch
@ -3,7 +3,7 @@

 --- a/src/svr-authpubkey.c
 +++ b/src/svr-authpubkey.c
-@@ -79,6 +79,39 @@ static void send_msg_userauth_pk_ok(cons
+@@ -80,6 +80,39 @@ static void send_msg_userauth_pk_ok(cons
 		const unsigned char* keyblob, unsigned int keybloblen);
 static int checkfileperm(char * filename);
 
@ -43,7 +43,7 @@
 /* process a pubkey auth request, sending success or failure message as
  * appropriate */
 void svr_auth_pubkey(int valid_user) {
-@@ -439,16 +472,22 @@ out:
+@@ -459,16 +492,22 @@ out:
 static char *authorized_keys_filepath() {
 	size_t len = 0;
 	char *pathname = NULL, *dir = NULL;
@ -69,7 +69,7 @@
 	m_free(dir);
 	return pathname;
 }
-@@ -549,11 +588,23 @@ out:
+@@ -572,11 +611,23 @@ out:
  * When this path is inside the user's home dir it checks up to and including
  * the home dir, otherwise it checks every path component. */
 static int checkpubkeyperms() {
--- a/package/network/services/dropbear/patches/110-change_user.patch
+++ b/package/network/services/dropbear/patches/110-change_user.patch
@ -1,6 +1,6 @@
 --- a/src/svr-auth.c
 +++ b/src/svr-auth.c
-@@ -510,9 +510,9 @@ void svr_switch_user(void) {
+@@ -504,9 +504,9 @@ void svr_switch_user(void) {
 	/* We can only change uid/gid as root ... */
 	if (getuid() == 0) {
 
@ -12,7 +12,7 @@
 			dropbear_exit("Error changing user group");
 		}
 
-@@ -534,7 +534,7 @@ void svr_switch_user(void) {
+@@ -528,7 +528,7 @@ void svr_switch_user(void) {
 		}
 #endif
 
--- a/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
+++ b/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
@ -1,6 +1,6 @@
 --- a/src/cli-runopts.c
 +++ b/src/cli-runopts.c
-@@ -340,6 +340,10 @@ void cli_getopts(int argc, char ** argv)
+@@ -352,6 +352,10 @@ void cli_getopts(int argc, char ** argv)
 				case 'z':
 					opts.disable_ip_tos = 1;
 					break;
--- a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
+++ b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
@ -1,6 +1,6 @@
 --- a/src/svr-auth.c
 +++ b/src/svr-auth.c
-@@ -124,7 +124,7 @@ void recv_msg_userauth_request() {
+@@ -122,7 +122,7 @@ void recv_msg_userauth_request() {
 				AUTH_METHOD_NONE_LEN) == 0) {
 		TRACE(("recv_msg_userauth_request: 'none' request"))
 		if (valid_user