Initial commit

package/network/services/dropbear/Config.in

@@ -0,0 +1,80 @@
+menu "Configuration"
+	depends on PACKAGE_dropbear
+
+config DROPBEAR_CURVE25519
+	bool "Curve25519 support"
+	default y
+	help
+		This enables the following key exchange algorithm:
+		  curve25519-sha256@libssh.org
+
+		Increases binary size by about 8 kB uncompressed (MIPS).
+
+config DROPBEAR_ECC
+	bool "Elliptic curve cryptography (ECC)"
+	default n
+	help
+		Enables basic support for elliptic curve cryptography (ECC)
+		in key exchange and public key authentication.
+
+		Key exchange algorithms:
+		  ecdh-sha2-nistp256
+
+		Public key algorithms:
+		  ecdsa-sha2-nistp256
+
+		Increases binary size by about 24 kB (MIPS).
+
+		If full ECC support is required, also select DROPBEAR_ECC_FULL.
+
+config DROPBEAR_ECC_FULL
+	bool "Elliptic curve cryptography (ECC), full support"
+	default n
+	depends on DROPBEAR_ECC
+	help
+		Enables full support for elliptic curve cryptography (ECC)
+		in key exchange and public key authentication.
+
+		Key exchange algorithms:
+		  ecdh-sha2-nistp256 (*)
+		  ecdh-sha2-nistp384
+		  ecdh-sha2-nistp521
+
+		Public key algorithms:
+		  ecdsa-sha2-nistp256 (*)
+		  ecdsa-sha2-nistp384
+		  ecdsa-sha2-nistp521
+
+		(*) - basic ECC support; provided by DROPBEAR_ECC.
+
+		Increases binary size by about 4 kB (MIPS).
+
+config DROPBEAR_ZLIB
+	bool "Enable compression"
+	default n
+	help
+		Enables compression using shared zlib library.
+
+		Increases binary size by about 0.1 kB (MIPS) and requires additional 62 kB (MIPS)
+		for a shared zlib library.
+
+config DROPBEAR_UTMP
+	bool "Utmp support"
+	default n
+	depends on BUSYBOX_CONFIG_FEATURE_UTMP
+	help
+		This enables dropbear utmp support, the file /var/run/utmp is used to
+		track who is currently logged in.
+
+config DROPBEAR_PUTUTLINE
+	bool "Pututline support"
+	default n
+	depends on DROPBEAR_UTMP
+	help
+		Dropbear will use pututline() to write the utmp structure into the utmp file.
+
+config DROPBEAR_DBCLIENT
+	bool "Build dropbear with dbclient"
+	default y
+
+endmenu

package/network/services/dropbear/Makefile

@@ -0,0 +1,165 @@
+#
+# Copyright (C) 2006-2016 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=dropbear
+PKG_VERSION:=2019.78
+PKG_RELEASE:=2
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
+PKG_SOURCE_URL:= \
+	http://matt.ucc.asn.au/dropbear/releases/ \
+	https://dropbear.nl/mirror/releases/
+PKG_HASH:=525965971272270995364a0eb01f35180d793182e63dd0b0c3eb0292291644a4
+
+PKG_LICENSE:=MIT
+PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
+PKG_CPE_ID:=cpe:/a:matt_johnston:dropbear_ssh_server
+
+PKG_BUILD_PARALLEL:=1
+PKG_USE_MIPS16:=0
+PKG_FIXUP:=autoreconf
+
+PKG_CONFIG_DEPENDS:= \
+	CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC CONFIG_DROPBEAR_ECC_FULL \
+	CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \
+	CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \
+	CONFIG_DROPBEAR_DBCLIENT
+
+include $(INCLUDE_DIR)/package.mk
+
+ifneq ($(DUMP),1)
+  STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell echo $(CONFIG_TARGET_INIT_PATH) | mkhash md5)
+endif
+
+define Package/dropbear/Default
+  URL:=http://matt.ucc.asn.au/dropbear/
+endef
+
+define Package/dropbear/config
+	source "$(SOURCE)/Config.in"
+endef
+
+define Package/dropbear
+  $(call Package/dropbear/Default)
+  SECTION:=net
+  CATEGORY:=Base system
+  TITLE:=Small SSH2 client/server
+  DEPENDS:= +DROPBEAR_ZLIB:zlib
+  ALTERNATIVES:=\
+	  100:/usr/bin/ssh:/usr/sbin/dropbear \
+	  100:/usr/bin/scp:/usr/sbin/dropbear \
+
+endef
+
+define Package/dropbear/description
+ A small SSH2 server/client designed for small memory environments.
+endef
+
+define Package/dropbear/conffiles
+$(if $(CONFIG_DROPBEAR_ECC),/etc/dropbear/dropbear_ecdsa_host_key)
+/etc/dropbear/dropbear_rsa_host_key
+/etc/config/dropbear
+endef
+
+define Package/dropbearconvert
+  $(call Package/dropbear/Default)
+  SECTION:=utils
+  CATEGORY:=Utilities
+  TITLE:=Utility for converting SSH keys
+endef
+
+CONFIGURE_ARGS += \
+	--disable-pam \
+	--enable-openpty \
+	--enable-syslog \
+	--disable-lastlog \
+	--disable-utmpx \
+	$(if $(CONFIG_DROPBEAR_UTMP),,--disable-utmp) \
+	--disable-wtmp \
+	--disable-wtmpx \
+	--disable-loginfunc \
+	$(if $(CONFIG_DROPBEAR_PUTUTLINE),,--disable-pututline) \
+	--disable-pututxline \
+	$(if $(CONFIG_DROPBEAR_ZLIB),,--disable-zlib) \
+	--enable-bundled-libtom
+
+TARGET_CFLAGS += -DARGTYPE=3 -ffunction-sections -fdata-sections -flto
+TARGET_LDFLAGS += -Wl,--gc-sections -flto=jobserver
+
+define Build/Configure
+	: > $(PKG_BUILD_DIR)/localoptions.h
+
+	$(Build/Configure/Default)
+
+	echo '#define DEFAULT_PATH "$(TARGET_INIT_PATH)"' >> \
+		$(PKG_BUILD_DIR)/localoptions.h
+
+	echo '#define DROPBEAR_CURVE25519 $(if $(CONFIG_DROPBEAR_CURVE25519),1,0)' >> \
+		$(PKG_BUILD_DIR)/localoptions.h
+
+	for OPTION in DROPBEAR_ECDSA DROPBEAR_ECDH; do \
+		echo "#define $$$$OPTION $(if $(CONFIG_DROPBEAR_ECC),1,0)" >> \
+			$(PKG_BUILD_DIR)/localoptions.h; \
+	done
+
+	# remove protocol idented software version number
+	$(ESED) 's,^(#define LOCAL_IDENT) .*$$$$,\1 "SSH-2.0-dropbear",g' \
+		$(PKG_BUILD_DIR)/sysoptions.h
+
+	# disable legacy/unsafe methods and unused functionality
+	for OPTION in INETD_MODE DROPBEAR_CLI_NETCAT \
+	DROPBEAR_3DES DROPBEAR_DSS DROPBEAR_ENABLE_CBC_MODE \
+	DROPBEAR_SHA1_96_HMAC DROPBEAR_USE_PASSWORD_ENV; do \
+		echo "#define $$$$OPTION 0" >> \
+			$(PKG_BUILD_DIR)/localoptions.h; \
+	done
+
+	# enable nistp384 and nistp521 only if full ECC support was requested
+	for OPTION in DROPBEAR_ECC_384 DROPBEAR_ECC_521; do \
+		$(ESED) 's,^(#define '$$$$OPTION') .*$$$$,\1 $(if $(CONFIG_DROPBEAR_ECC_FULL),1,0),g' \
+		$(PKG_BUILD_DIR)/sysoptions.h; \
+	done
+
+	# Enforce rebuild of svr-chansession.c
+	rm -f $(PKG_BUILD_DIR)/svr-chansession.o
+endef
+
+define Build/Compile
+	+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
+		$(TARGET_CONFIGURE_OPTS) \
+		PROGRAMS="dropbear $(if $(CONFIG_DROPBEAR_DBCLIENT),dbclient,) dropbearkey scp" \
+		MULTI=1 SCPPROGRESS=1
+	+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
+		$(TARGET_CONFIGURE_OPTS) \
+		PROGRAMS="dropbearconvert"
+endef
+
+define Package/dropbear/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/dropbearmulti $(1)/usr/sbin/dropbear
+	$(INSTALL_DIR) $(1)/usr/bin
+	$(if $(CONFIG_DROPBEAR_DBCLIENT),$(LN) ../sbin/dropbear $(1)/usr/bin/dbclient,)
+	$(LN) ../sbin/dropbear $(1)/usr/bin/dropbearkey
+	$(INSTALL_DIR) $(1)/etc/config
+	$(INSTALL_CONF) ./files/dropbear.config $(1)/etc/config/dropbear
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_BIN) ./files/dropbear.init $(1)/etc/init.d/dropbear
+	$(INSTALL_DIR) $(1)/usr/lib/opkg/info
+	$(INSTALL_DIR) $(1)/etc/dropbear
+	$(if $(CONFIG_DROPBEAR_ECC),touch $(1)/etc/dropbear/dropbear_ecdsa_host_key)
+	touch $(1)/etc/dropbear/dropbear_rsa_host_key
+endef
+
+define Package/dropbearconvert/install
+	$(INSTALL_DIR) $(1)/usr/bin
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/dropbearconvert $(1)/usr/bin/dropbearconvert
+endef
+
+$(eval $(call BuildPackage,dropbear))
+$(eval $(call BuildPackage,dropbearconvert))

package/network/services/dropbear/files/dropbear.config

@@ -0,0 +1,5 @@
+config dropbear
+	option PasswordAuth 'on'
+	option RootPasswordAuth 'on'
+	option Port         '22'
+#	option BannerFile   '/etc/banner'

package/network/services/dropbear/files/dropbear.init

@@ -0,0 +1,282 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2006-2010 OpenWrt.org
+# Copyright (C) 2006 Carlos Sobrinho
+
+START=19
+STOP=50
+
+USE_PROCD=1
+PROG=/usr/sbin/dropbear
+NAME=dropbear
+PIDCOUNT=0
+EXTRA_COMMANDS="killclients"
+EXTRA_HELP="	killclients Kill ${NAME} processes except servers and yourself"
+
+_dropbearkey()
+{
+	/usr/bin/dropbearkey "$@" 0<&- 1>&- 2>&-
+}
+
+# $1 - host key file name
+hk_verify()
+{
+	[ -f "$1" ] || return 1
+	[ -s "$1" ] || return 2
+	_dropbearkey -y -f "$1" || return 3
+	return 0
+}
+
+# $1 - hk_verify() return code
+hk_errmsg()
+{
+	case "$1" in
+	0) ;;
+	1) echo "file does not exist" ;;
+	2) echo "file has zero length" ;;
+	3) echo "file is not valid host key or not supported" ;;
+	*) echo "unknown error" ;;
+	esac
+}
+
+# $1 - config option
+# $2 - host key file name
+hk_config()
+{
+	local x m
+	hk_verify "$2"; x=$?
+	case "$x" in
+	0)	procd_append_param command -r "$2"
+		;;
+	*)	m=$(hk_errmsg "$x")
+		logger -t "${NAME}" -p daemon.warn \
+		  "option '$1', value '$2': $m, skipping"
+		;;
+	esac
+}
+
+# $1 - host key file name
+hk_config__keyfile()
+{
+	hk_config 'keyfile' "$1"
+}
+
+hk_generate_as_needed()
+{
+	local kdir kgen ktype tdir kcount tfile
+	kdir='/etc/dropbear'
+
+	kgen=''
+	for ktype in ecdsa rsa; do
+		hk_verify "${kdir}/dropbear_${ktype}_host_key" && continue
+
+		kgen="${kgen} ${ktype}"
+	done
+
+	[ -z "${kgen}" ] && return
+
+	tdir=$(mktemp -d); chmod 0700 "${tdir}"
+
+	kcount=0
+	for ktype in ${kgen}; do
+		tfile="${tdir}/dropbear_${ktype}_host_key"
+
+		if ! _dropbearkey -t ${ktype} -f "${tfile}"; then
+			# unsupported key type
+			rm -f "${tfile}"
+			continue
+		fi
+
+		kcount=$((kcount+1))
+	done
+
+	if [ ${kcount} -ne 0 ]; then
+		mkdir -p "${kdir}"; chmod 0700 "${kdir}"; chown root "${kdir}"
+		mv -f "${tdir}/"* "${kdir}/"
+	fi
+
+	rm -rf "${tdir}"
+}
+
+append_ports()
+{
+	local ipaddrs="$1"
+	local port="$2"
+
+	[ -z "$ipaddrs" ] && {
+		procd_append_param command -p "$port"
+		return
+	}
+
+	for addr in $ipaddrs; do
+		procd_append_param command -p "$addr:$port"
+	done
+}
+
+validate_section_dropbear()
+{
+	uci_load_validate dropbear dropbear "$1" "$2" \
+		'PasswordAuth:bool:1' \
+		'enable:bool:1' \
+		'Interface:string' \
+		'GatewayPorts:bool:0' \
+		'RootPasswordAuth:bool:1' \
+		'RootLogin:bool:1' \
+		'rsakeyfile:file' \
+		'keyfile:list(file)' \
+		'BannerFile:file' \
+		'Port:port:22' \
+		'SSHKeepAlive:uinteger:300' \
+		'IdleTimeout:uinteger:0' \
+		'MaxAuthTries:uinteger:3' \
+		'RecvWindowSize:uinteger:0' \
+		'mdns:bool:1'
+}
+
+dropbear_instance()
+{
+	local ipaddrs
+
+	[ "$2" = 0 ] || {
+		echo "validation failed"
+		return 1
+	}
+
+	[ -n "${Interface}" ] && {
+		[ -n "${BOOT}" ] && return 0
+
+		network_get_ipaddrs_all ipaddrs "${Interface}" || {
+			echo "interface ${Interface} has no physdev or physdev has no suitable ip"
+			return 1
+		}
+	}
+
+	[ "${enable}" = "0" ] && return 1
+	PIDCOUNT="$(( ${PIDCOUNT} + 1))"
+	local pid_file="/var/run/${NAME}.${PIDCOUNT}.pid"
+
+	procd_open_instance
+	procd_set_param command "$PROG" -F -P "$pid_file"
+	[ "${PasswordAuth}" -eq 0 ] && procd_append_param command -s
+	[ "${GatewayPorts}" -eq 1 ] && procd_append_param command -a
+	[ "${RootPasswordAuth}" -eq 0 ] && procd_append_param command -g
+	[ "${RootLogin}" -eq 0 ] && procd_append_param command -w
+	if [ -n "${rsakeyfile}" ]; then
+		logger -t ${NAME} -p daemon.warn \
+			"option 'rsakeyfile' is considered to be deprecated and" \
+			"will be removed in future releases, use 'keyfile' instead"
+		hk_config 'rsakeyfile' "${rsakeyfile}"
+	fi
+	config_list_foreach "$1" "keyfile" hk_config__keyfile
+	[ -n "${BannerFile}" ] && procd_append_param command -b "${BannerFile}"
+	append_ports "${ipaddrs}" "${Port}"
+	[ "${IdleTimeout}" -ne 0 ] && procd_append_param command -I "${IdleTimeout}"
+	[ "${SSHKeepAlive}" -ne 0 ] && procd_append_param command -K "${SSHKeepAlive}"
+	[ "${MaxAuthTries}" -ne 0 ] && procd_append_param command -T "${MaxAuthTries}"
+	[ "${RecvWindowSize}" -gt 0 -a "${RecvWindowSize}" -le 1048576 ] && \
+		procd_append_param command -W "${RecvWindowSize}"
+	[ "${mdns}" -ne 0 ] && procd_add_mdns "ssh" "tcp" "$Port" "daemon=dropbear"
+	procd_set_param respawn
+	procd_close_instance
+}
+
+load_interfaces()
+{
+	config_get interface "$1" Interface
+	config_get enable "$1" enable 1
+
+	[ "${enable}" = "1" ] && interfaces=" ${interface} ${interfaces}"
+}
+
+boot()
+{
+	BOOT=1
+	start "$@"
+}
+
+start_service()
+{
+	hk_generate_as_needed
+
+	. /lib/functions.sh
+	. /lib/functions/network.sh
+
+	config_load "${NAME}"
+	config_foreach validate_section_dropbear dropbear dropbear_instance
+}
+
+service_triggers()
+{
+	local interfaces
+
+	procd_add_config_trigger "config.change" "dropbear" /etc/init.d/dropbear reload
+
+	config_load "${NAME}"
+	config_foreach load_interfaces dropbear
+
+	[ -n "${interfaces}" ] && {
+		for n in $interfaces ; do
+			procd_add_interface_trigger "interface.*" $n /etc/init.d/dropbear reload
+		done
+	}
+
+	procd_add_validation validate_section_dropbear
+}
+
+shutdown() {
+	# close all open connections
+	killall dropbear
+}
+
+killclients()
+{
+	local ignore=''
+	local server
+	local pid
+
+	# if this script is run from inside a client session, then ignore that session
+	pid="$$"
+	while [ "${pid}" -ne 0 ]
+	 do
+		# get parent process id
+		pid=`cut -d ' ' -f 4 "/proc/${pid}/stat"`
+		[ "${pid}" -eq 0 ] && break
+
+		# check if client connection
+		grep -F -q -e "${PROG}" "/proc/${pid}/cmdline" && {
+			append ignore "${pid}"
+			break
+		}
+	done
+
+	# get all server pids that should be ignored
+	for server in `cat /var/run/${NAME}.*.pid`
+	 do
+		append ignore "${server}"
+	done
+
+	# get all running pids and kill client connections
+	local skip
+	for pid in `pidof "${NAME}"`
+	 do
+		# check if correct program, otherwise process next pid
+		grep -F -q -e "${PROG}" "/proc/${pid}/cmdline" || {
+			continue
+		}
+
+		# check if pid should be ignored (servers, ourself)
+		skip=0
+		for server in ${ignore}
+		 do
+			if [ "${pid}" = "${server}" ]
+			 then
+				skip=1
+				break
+			fi
+		done
+		[ "${skip}" -ne 0 ] && continue
+
+		# kill process
+		echo "${initscript}: Killing ${pid}..."
+		kill -KILL ${pid}
+	done
+}

package/network/services/dropbear/patches/100-pubkey_path.patch

@@ -0,0 +1,86 @@
+--- a/svr-authpubkey.c
++++ b/svr-authpubkey.c
+@@ -338,14 +338,19 @@ static int checkpubkey(const char* algo,
+ 		goto out;
+ 	}
+ 
+-	/* we don't need to check pw and pw_dir for validity, since
+-	 * its been done in checkpubkeyperms. */
+-	len = strlen(ses.authstate.pw_dir);
+-	/* allocate max required pathname storage,
+-	 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
+-	filename = m_malloc(len + 22);
+-	snprintf(filename, len + 22, "%s/.ssh/authorized_keys", 
+-				ses.authstate.pw_dir);
++	if (ses.authstate.pw_uid != 0) {
++		/* we don't need to check pw and pw_dir for validity, since
++		 * its been done in checkpubkeyperms. */
++		len = strlen(ses.authstate.pw_dir);
++		/* allocate max required pathname storage,
++		 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
++		filename = m_malloc(len + 22);
++		snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
++					ses.authstate.pw_dir);
++	} else {
++		filename = m_malloc(30);
++		strncpy(filename, "/etc/dropbear/authorized_keys", 30);
++	}
+ 
+ #if DROPBEAR_SVR_MULTIUSER
+ 	/* open the file as the authenticating user. */
+@@ -426,27 +431,36 @@ static int checkpubkeyperms() {
+ 		goto out;
+ 	}
+ 
+-	/* allocate max required pathname storage,
+-	 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
+-	len += 22;
+-	filename = m_malloc(len);
+-	strlcpy(filename, ses.authstate.pw_dir, len);
+-
+-	/* check ~ */
+-	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+-		goto out;
+-	}
++	if (ses.authstate.pw_uid == 0) {
++		if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) {
++			goto out;
++		}
++		if (checkfileperm("/etc/dropbear/authorized_keys") != DROPBEAR_SUCCESS) {
++			goto out;
++		}
++	} else {
++		/* allocate max required pathname storage,
++		 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
++		len += 22;
++		filename = m_malloc(len);
++		strlcpy(filename, ses.authstate.pw_dir, len);
++
++		/* check ~ */
++		if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
++			goto out;
++		}
+ 
+-	/* check ~/.ssh */
+-	strlcat(filename, "/.ssh", len);
+-	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+-		goto out;
+-	}
++		/* check ~/.ssh */
++		strlcat(filename, "/.ssh", len);
++		if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
++			goto out;
++		}
+ 
+-	/* now check ~/.ssh/authorized_keys */
+-	strlcat(filename, "/authorized_keys", len);
+-	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+-		goto out;
++		/* now check ~/.ssh/authorized_keys */
++		strlcat(filename, "/authorized_keys", len);
++		if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
++			goto out;
++		}
+ 	}
+ 
+ 	/* file looks ok, return success */

package/network/services/dropbear/patches/110-change_user.patch

@@ -0,0 +1,18 @@
+--- a/svr-chansession.c
++++ b/svr-chansession.c
+@@ -953,12 +953,12 @@ static void execchild(const void *user_d
+ 	/* We can only change uid/gid as root ... */
+ 	if (getuid() == 0) {
+ 
+-		if ((setgid(ses.authstate.pw_gid) < 0) ||
++		if ((ses.authstate.pw_gid != 0) && ((setgid(ses.authstate.pw_gid) < 0) ||
+ 			(initgroups(ses.authstate.pw_name, 
+-						ses.authstate.pw_gid) < 0)) {
++						ses.authstate.pw_gid) < 0))) {
+ 			dropbear_exit("Error changing user group");
+ 		}
+-		if (setuid(ses.authstate.pw_uid) < 0) {
++		if ((ses.authstate.pw_uid != 0) && (setuid(ses.authstate.pw_uid) < 0)) {
+ 			dropbear_exit("Error changing user");
+ 		}
+ 	} else {

package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch

@@ -0,0 +1,11 @@
+--- a/cli-runopts.c
++++ b/cli-runopts.c
+@@ -299,6 +299,8 @@ void cli_getopts(int argc, char ** argv)
+ 					debug_trace = 1;
+ 					break;
+ #endif
++				case 'x':
++					break;
+ 				case 'F':
+ 				case 'e':
+ #if !DROPBEAR_USER_ALGO_LIST

package/network/services/dropbear/patches/140-disable_assert.patch

@@ -0,0 +1,15 @@
+--- a/dbutil.h
++++ b/dbutil.h
+@@ -75,7 +75,11 @@ int m_str_to_uint(const char* str, unsig
+ #define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
+ 
+ /* Dropbear assertion */
+-#define dropbear_assert(X) do { if (!(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0)
++#ifndef DROPBEAR_ASSERT_ENABLED
++#define DROPBEAR_ASSERT_ENABLED 0
++#endif
++
++#define dropbear_assert(X) do { if (DROPBEAR_ASSERT_ENABLED && !(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0)
+ 
+ /* Returns 0 if a and b have the same contents */
+ int constant_time_memcmp(const void* a, const void *b, size_t n);

package/network/services/dropbear/patches/160-lto-jobserver.patch

@@ -0,0 +1,33 @@
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -189,17 +189,17 @@ dropbearkey: $(dropbearkeyobjs)
+ dropbearconvert: $(dropbearconvertobjs)
+ 
+ dropbear: $(HEADERS) $(LIBTOM_DEPS) Makefile
+-	$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS) @CRYPTLIB@
++	+$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS) @CRYPTLIB@
+ 
+ dbclient: $(HEADERS) $(LIBTOM_DEPS) Makefile
+-	$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS)
++	+$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS)
+ 
+ dropbearkey dropbearconvert: $(HEADERS) $(LIBTOM_DEPS) Makefile
+-	$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS)
++	+$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS)
+ 
+ # scp doesn't use the libs so is special.
+ scp: $(SCPOBJS)  $(HEADERS) Makefile
+-	$(CC) $(LDFLAGS) -o $@$(EXEEXT) $(SCPOBJS)
++	+$(CC) $(LDFLAGS) -o $@$(EXEEXT) $(SCPOBJS)
+ 
+ 
+ # multi-binary compilation.
+@@ -210,7 +210,7 @@ ifeq ($(MULTI),1)
+ endif
+ 
+ dropbearmulti$(EXEEXT): $(HEADERS) $(MULTIOBJS) $(LIBTOM_DEPS) Makefile
+-	$(CC) $(LDFLAGS) -o $@ $(MULTIOBJS) $(LIBTOM_LIBS) $(LIBS) @CRYPTLIB@
++	+$(CC) $(LDFLAGS) -o $@ $(MULTIOBJS) $(LIBTOM_LIBS) $(LIBS) @CRYPTLIB@
+ 
+ multibinary: dropbearmulti$(EXEEXT)
+ 

package/network/services/dropbear/patches/600-allow-blank-root-password.patch

@@ -0,0 +1,11 @@
+--- a/svr-auth.c
++++ b/svr-auth.c
+@@ -125,7 +125,7 @@ void recv_msg_userauth_request() {
+ 				AUTH_METHOD_NONE_LEN) == 0) {
+ 		TRACE(("recv_msg_userauth_request: 'none' request"))
+ 		if (valid_user
+-				&& svr_opts.allowblankpass
++				&& (svr_opts.allowblankpass || !strcmp(ses.authstate.pw_name, "root"))
+ 				&& !svr_opts.noauthpass
+ 				&& !(svr_opts.norootpass && ses.authstate.pw_uid == 0) 
+ 				&& ses.authstate.pw_passwd[0] == '\0') 

package/network/services/dropbear/patches/900-configure-hardening.patch

@@ -0,0 +1,56 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -70,53 +70,6 @@ AC_ARG_ENABLE(harden,
+ 
+ if test "$hardenbuild" -eq 1; then
+ 	AC_MSG_NOTICE(Checking for available hardened build flags:)
+-	# relocation flags don't make sense for static builds
+-	if test "$STATIC" -ne 1; then
+-		# pie
+-		DB_TRYADDCFLAGS([-fPIE])
+-
+-		OLDLDFLAGS="$LDFLAGS"
+-		TESTFLAGS="-Wl,-pie"
+-		LDFLAGS="$LDFLAGS $TESTFLAGS"
+-		AC_LINK_IFELSE([AC_LANG_PROGRAM([])], 
+-			[AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+-			[
+-				LDFLAGS="$OLDLDFLAGS"
+-				TESTFLAGS="-pie"
+-				LDFLAGS="$LDFLAGS $TESTFLAGS"
+-				AC_LINK_IFELSE([AC_LANG_PROGRAM([])], 
+-					[AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+-					[AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
+-					)
+-			]
+-			)
+-		# readonly elf relocation sections (relro)
+-		OLDLDFLAGS="$LDFLAGS"
+-		TESTFLAGS="-Wl,-z,now -Wl,-z,relro"
+-		LDFLAGS="$LDFLAGS $TESTFLAGS"
+-		AC_LINK_IFELSE([AC_LANG_PROGRAM([])], 
+-			[AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+-			[AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
+-			)
+-	fi # non-static
+-	# stack protector. -strong is good but only in gcc 4.9 or later
+-	OLDCFLAGS="$CFLAGS"
+-	TESTFLAGS="-fstack-protector-strong"
+-	CFLAGS="$CFLAGS $TESTFLAGS"
+-	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], 
+-	    [AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+-	    [
+-			CFLAGS="$OLDCFLAGS"
+-			TESTFLAGS="-fstack-protector --param=ssp-buffer-size=4"
+-			CFLAGS="$CFLAGS $TESTFLAGS"
+-			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], 
+-			    [AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+-			    [AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ]
+-			    )
+-	    ]
+-	    )
+-	# FORTIFY_SOURCE
+-	DB_TRYADDCFLAGS([-D_FORTIFY_SOURCE=2])
+ 
+ 	# Spectre v2 mitigations
+ 	DB_TRYADDCFLAGS([-mfunction-return=thunk])

package/network/services/dropbear/patches/901-bundled-libs-cflags.patch

@@ -0,0 +1,48 @@
+--- a/libtomcrypt/makefile_include.mk
++++ b/libtomcrypt/makefile_include.mk
+@@ -75,6 +75,13 @@ endif
+ 
+ LTC_CFLAGS += -Wno-type-limits
+ 
++ifdef OPENWRT_BUILD
++  ifeq (-Os,$(filter -Os,$(CFLAGS)))
++    LTC_CFLAGS += -DLTC_SMALL_CODE
++  endif
++else
++  ### ! OPENWRT_BUILD
++
+ ifdef LTC_DEBUG
+ $(info Debug build)
+ # compile for DEBUGGING (required for ccmalloc checking!!!)
+@@ -102,6 +109,9 @@ endif
+ endif # COMPILE_SMALL
+ endif # COMPILE_DEBUG
+ 
++  ### ! OPENWRT_BUILD
++endif
++
+ 
+ ifneq ($(findstring clang,$(CC)),)
+ LTC_CFLAGS += -Wno-typedef-redefinition -Wno-tautological-compare -Wno-builtin-requires-header -Wno-missing-field-initializers
+--- a/libtommath/makefile_include.mk
++++ b/libtommath/makefile_include.mk
+@@ -37,6 +37,9 @@ CFLAGS += -Wsystem-headers -Wdeclaration
+ CFLAGS += -Wstrict-prototypes -Wpointer-arith
+ endif
+ 
++ifndef OPENWRT_BUILD
++  ### ! OPENWRT_BUILD
++
+ ifdef COMPILE_DEBUG
+ #debug
+ CFLAGS += -g3
+@@ -58,6 +61,9 @@ endif
+ endif # COMPILE_SIZE
+ endif # COMPILE_DEBUG
+ 
++  ### ! OPENWRT_BUILD
++endif
++
+ ifneq ($(findstring clang,$(CC)),)
+ CFLAGS += -Wno-typedef-redefinition -Wno-tautological-compare -Wno-builtin-requires-header
+ endif