Initial commit

package/network/services/dropbear/Config.in

@@ -0,0 +1,112 @@
+menu "Configuration"
+	depends on PACKAGE_dropbear
+
+config DROPBEAR_CURVE25519
+	bool "Curve25519 support"
+	default y
+	help
+		This enables the following key exchange algorithm:
+		  curve25519-sha256@libssh.org
+
+		Increases binary size by about 4 kB (MIPS).
+
+config DROPBEAR_ECC
+	bool "Elliptic curve cryptography (ECC)"
+	default n
+	help
+		Enables basic support for elliptic curve cryptography (ECC)
+		in key exchange and public key authentication.
+
+		Key exchange algorithms:
+		  ecdh-sha2-nistp256
+
+		Public key algorithms:
+		  ecdsa-sha2-nistp256
+
+		Increases binary size by about 24 kB (MIPS).
+
+		If full ECC support is required, also select DROPBEAR_ECC_FULL.
+
+config DROPBEAR_ECC_FULL
+	bool "Elliptic curve cryptography (ECC), full support"
+	default n
+	depends on DROPBEAR_ECC
+	help
+		Enables full support for elliptic curve cryptography (ECC)
+		in key exchange and public key authentication.
+
+		Key exchange algorithms:
+		  ecdh-sha2-nistp256 (*)
+		  ecdh-sha2-nistp384
+		  ecdh-sha2-nistp521
+
+		Public key algorithms:
+		  ecdsa-sha2-nistp256 (*)
+		  ecdsa-sha2-nistp384
+		  ecdsa-sha2-nistp521
+
+		(*) - basic ECC support; provided by DROPBEAR_ECC.
+
+		Increases binary size by about 4 kB (MIPS).
+
+config DROPBEAR_ED25519
+	bool "Ed25519 support"
+	default y if !SMALL_FLASH
+	help
+		This enables the following public key algorithm:
+		  ssh-ed25519
+
+		Increases binary size by about 12 kB (MIPS).
+
+config DROPBEAR_CHACHA20POLY1305
+	bool "Chacha20-Poly1305 support"
+	default y
+	help
+		This enables the following authenticated encryption cipher:
+		  chacha20-poly1305@openssh.com
+
+		Increases binary size by about 4 kB (MIPS).
+
+config DROPBEAR_ZLIB
+	bool "Enable compression"
+	default n
+	help
+		Enables compression using shared zlib library.
+
+		Increases binary size by about 0.1 kB (MIPS) and requires additional 62 kB (MIPS)
+		for a shared zlib library.
+
+config DROPBEAR_UTMP
+	bool "Utmp support"
+	default n
+	depends on BUSYBOX_CONFIG_FEATURE_UTMP
+	help
+		This enables dropbear utmp support, the file /var/run/utmp is used to
+		track who is currently logged in.
+
+config DROPBEAR_PUTUTLINE
+	bool "Pututline support"
+	default n
+	depends on DROPBEAR_UTMP
+	help
+		Dropbear will use pututline() to write the utmp structure into the utmp file.
+
+config DROPBEAR_DBCLIENT
+	bool "Build dropbear with dbclient"
+	default y
+
+config DROPBEAR_SCP
+	bool "Build dropbear with scp"
+	default y
+
+config DROPBEAR_ASKPASS
+	bool "Enable askpass helper support"
+	default n
+	depends on DROPBEAR_DBCLIENT
+	help
+		This enables support for ssh-askpass helper in dropbear client
+		in order to authenticate on remote hosts.
+
+		Increases binary size by about 0.1 kB (MIPS).
+
+endmenu

package/network/services/dropbear/Makefile

@@ -0,0 +1,212 @@
+#
+# Copyright (C) 2006-2020 OpenWrt.org
+#
+# This is free software, licensed under the GNU General Public License v2.
+# See /LICENSE for more information.
+#
+
+include $(TOPDIR)/rules.mk
+
+PKG_NAME:=dropbear
+PKG_VERSION:=2020.81
+PKG_RELEASE:=2
+
+PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
+PKG_SOURCE_URL:= \
+	http://matt.ucc.asn.au/dropbear/releases/ \
+	https://dropbear.nl/mirror/releases/
+PKG_HASH:=48235d10b37775dbda59341ac0c4b239b82ad6318c31568b985730c788aac53b
+
+PKG_LICENSE:=MIT
+PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
+PKG_CPE_ID:=cpe:/a:matt_johnston:dropbear_ssh_server
+
+PKG_BUILD_PARALLEL:=1
+PKG_ASLR_PIE_REGULAR:=1
+PKG_USE_MIPS16:=0
+PKG_FIXUP:=autoreconf
+PKG_FLAGS:=nonshared
+
+PKG_CONFIG_DEPENDS:= \
+	CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC CONFIG_DROPBEAR_ECC_FULL \
+	CONFIG_DROPBEAR_CURVE25519 CONFIG_DROPBEAR_ZLIB \
+	CONFIG_DROPBEAR_ED25519 CONFIG_DROPBEAR_CHACHA20POLY1305 \
+	CONFIG_DROPBEAR_UTMP CONFIG_DROPBEAR_PUTUTLINE \
+	CONFIG_DROPBEAR_DBCLIENT CONFIG_DROPBEAR_SCP CONFIG_DROPBEAR_ASKPASS
+
+include $(INCLUDE_DIR)/package.mk
+
+ifneq ($(DUMP),1)
+  STAMP_CONFIGURED:=$(strip $(STAMP_CONFIGURED))_$(shell echo $(CONFIG_TARGET_INIT_PATH) | $(MKHASH) md5)
+endif
+
+define Package/dropbear/Default
+  URL:=http://matt.ucc.asn.au/dropbear/
+endef
+
+define Package/dropbear/config
+	source "$(SOURCE)/Config.in"
+endef
+
+define Package/dropbear
+  $(call Package/dropbear/Default)
+  SECTION:=net
+  CATEGORY:=Base system
+  TITLE:=Small SSH2 client/server
+  DEPENDS:= +DROPBEAR_ZLIB:zlib
+  ALTERNATIVES:=
+  $(if $(CONFIG_DROPBEAR_SCP),ALTERNATIVES+= \
+	  100:/usr/bin/scp:/usr/sbin/dropbear,)
+  $(if $(CONFIG_DROPBEAR_DBCLIENT),ALTERNATIVES+= \
+	  100:/usr/bin/ssh:/usr/sbin/dropbear,)
+
+endef
+
+define Package/dropbear/description
+ A small SSH2 server/client designed for small memory environments.
+endef
+
+define Package/dropbear/conffiles
+$(if $(CONFIG_DROPBEAR_ED25519),/etc/dropbear/dropbear_ed25519_host_key)
+$(if $(CONFIG_DROPBEAR_ECC),/etc/dropbear/dropbear_ecdsa_host_key)
+/etc/dropbear/dropbear_rsa_host_key
+/etc/config/dropbear
+endef
+
+define Package/dropbearconvert
+  $(call Package/dropbear/Default)
+  SECTION:=utils
+  CATEGORY:=Utilities
+  TITLE:=Utility for converting SSH keys
+  DEPENDS:= +DROPBEAR_ZLIB:zlib
+endef
+
+CONFIGURE_ARGS += \
+	--disable-pam \
+	--enable-openpty \
+	--enable-syslog \
+	--disable-lastlog \
+	--disable-utmpx \
+	$(if $(CONFIG_DROPBEAR_UTMP),,--disable-utmp) \
+	--disable-wtmp \
+	--disable-wtmpx \
+	--disable-loginfunc \
+	$(if $(CONFIG_DROPBEAR_PUTUTLINE),,--disable-pututline) \
+	--disable-pututxline \
+	$(if $(CONFIG_DROPBEAR_ZLIB),,--disable-zlib) \
+	--enable-bundled-libtom
+
+##############################################################################
+#
+#   option|value - add option to localoptions.h
+# !!option|value - replace option in sysoptions.h
+#
+##############################################################################
+
+# remove protocol idented software version number:
+# - LOCAL_IDENT
+# disable legacy/unsafe methods and unused functionality:
+# - DROPBEAR_CLI_NETCAT
+# - DROPBEAR_DSS
+# - DO_MOTD
+DB_OPT_COMMON = \
+	DEFAULT_PATH|"$(TARGET_INIT_PATH)" \
+	!!LOCAL_IDENT|"SSH-2.0-dropbear" \
+	DROPBEAR_CLI_NETCAT|0 \
+	DROPBEAR_DSS|0 \
+	DO_MOTD|0 \
+
+
+##############################################################################
+#
+#   option|config|enabled|disabled = add option to localoptions.h
+# !!option|config|enabled|disabled = replace option in sysoptions.h
+#
+#   option := (config) ? enabled : disabled
+#
+##############################################################################
+
+DB_OPT_CONFIG = \
+	DROPBEAR_CURVE25519|CONFIG_DROPBEAR_CURVE25519|1|0 \
+	DROPBEAR_ED25519|CONFIG_DROPBEAR_ED25519|1|0 \
+	DROPBEAR_CHACHA20POLY1305|CONFIG_DROPBEAR_CHACHA20POLY1305|1|0 \
+	DROPBEAR_ECDSA|CONFIG_DROPBEAR_ECC|1|0 \
+	DROPBEAR_ECDH|CONFIG_DROPBEAR_ECC|1|0 \
+	!!DROPBEAR_ECC_384|CONFIG_DROPBEAR_ECC_FULL|1|0 \
+	!!DROPBEAR_ECC_521|CONFIG_DROPBEAR_ECC_FULL|1|0 \
+	DROPBEAR_CLI_ASKPASS_HELPER|CONFIG_DROPBEAR_ASKPASS|1|0 \
+
+
+TARGET_CFLAGS += -DARGTYPE=3 -ffunction-sections -fdata-sections -flto
+TARGET_LDFLAGS += -Wl,--gc-sections -flto=jobserver
+
+db_opt_add     =echo '\#define $(1) $(2)' >> $(PKG_BUILD_DIR)/localoptions.h
+db_opt_replace =$(ESED) 's,^(\#define $(1)) .*$$$$,\1 $(2),g' $(PKG_BUILD_DIR)/sysoptions.h
+
+define Build/Configure/dropbear_headers
+	$(strip $(foreach s,$(DB_OPT_COMMON), \
+	  $(if $(filter !!%,$(word 1,$(subst |, ,$(s)))), \
+	    $(call db_opt_replace,$(patsubst !!%,%,$(word 1,$(subst |, ,$(s)))),$(word 2,$(subst |, ,$(s)))), \
+	    $(call db_opt_add,$(word 1,$(subst |, ,$(s))),$(word 2,$(subst |, ,$(s)))) \
+	  ) ; \
+	))
+
+	$(strip $(foreach s,$(DB_OPT_CONFIG), \
+	  $(if $(filter !!%,$(word 1,$(subst |, ,$(s)))), \
+	    $(call db_opt_replace,$(patsubst !!%,%,$(word 1,$(subst |, ,$(s)))),$(if $($(word 2,$(subst |, ,$(s)))),$(word 3,$(subst |, ,$(s))),$(word 4,$(subst |, ,$(s))))), \
+	    $(call db_opt_add,$(word 1,$(subst |, ,$(s))),$(if $($(word 2,$(subst |, ,$(s)))),$(word 3,$(subst |, ,$(s))),$(word 4,$(subst |, ,$(s))))) \
+	  ) ; \
+	))
+endef
+
+define Build/Configure
+	: > $(PKG_BUILD_DIR)/localoptions.h
+
+	$(Build/Configure/Default)
+
+	$(Build/Configure/dropbear_headers)
+
+	# Enforce rebuild of svr-chansession.c
+	rm -f $(PKG_BUILD_DIR)/svr-chansession.o
+
+	# Rebuild them on config change
+	+$(MAKE) -C $(PKG_BUILD_DIR)/libtomcrypt clean
+	+$(MAKE) -C $(PKG_BUILD_DIR)/libtommath clean
+endef
+
+define Build/Compile
+	+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
+		$(TARGET_CONFIGURE_OPTS) \
+		PROGRAMS="dropbear $(if $(CONFIG_DROPBEAR_DBCLIENT),dbclient,) dropbearkey $(if $(CONFIG_DROPBEAR_SCP),scp,)" \
+		MULTI=1 SCPPROGRESS=1
+	+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
+		$(TARGET_CONFIGURE_OPTS) \
+		PROGRAMS="dropbearconvert"
+endef
+
+define Package/dropbear/install
+	$(INSTALL_DIR) $(1)/usr/sbin
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/dropbearmulti $(1)/usr/sbin/dropbear
+	$(INSTALL_DIR) $(1)/usr/bin
+	$(if $(CONFIG_DROPBEAR_DBCLIENT),$(LN) ../sbin/dropbear $(1)/usr/bin/dbclient,)
+	$(LN) ../sbin/dropbear $(1)/usr/bin/dropbearkey
+	$(INSTALL_DIR) $(1)/etc/config
+	$(INSTALL_CONF) ./files/dropbear.config $(1)/etc/config/dropbear
+	$(INSTALL_DIR) $(1)/etc/init.d
+	$(INSTALL_BIN) ./files/dropbear.init $(1)/etc/init.d/dropbear
+	$(INSTALL_DIR) $(1)/usr/lib/opkg/info
+	$(INSTALL_DIR) $(1)/etc/dropbear
+	$(INSTALL_DIR) $(1)/lib/preinit
+	$(INSTALL_DATA) ./files/dropbear.failsafe $(1)/lib/preinit/99_10_failsafe_dropbear
+	$(if $(CONFIG_DROPBEAR_ED25519),touch $(1)/etc/dropbear/dropbear_ed25519_host_key)
+	$(if $(CONFIG_DROPBEAR_ECC),touch $(1)/etc/dropbear/dropbear_ecdsa_host_key)
+	touch $(1)/etc/dropbear/dropbear_rsa_host_key
+endef
+
+define Package/dropbearconvert/install
+	$(INSTALL_DIR) $(1)/usr/bin
+	$(INSTALL_BIN) $(PKG_BUILD_DIR)/dropbearconvert $(1)/usr/bin/dropbearconvert
+endef
+
+$(eval $(call BuildPackage,dropbear))
+$(eval $(call BuildPackage,dropbearconvert))

package/network/services/dropbear/files/dropbear.config

@@ -0,0 +1,5 @@
+config dropbear
+	option PasswordAuth 'on'
+	option RootPasswordAuth 'on'
+	option Port         '22'
+#	option BannerFile   '/etc/banner'

package/network/services/dropbear/files/dropbear.failsafe

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+failsafe_dropbear () {
+	dropbearkey -t rsa -s 1024 -f /tmp/dropbear_failsafe_host_key
+	dropbear -r /tmp/dropbear_failsafe_host_key <> /dev/null 2>&1
+}
+
+boot_hook_add failsafe failsafe_dropbear

package/network/services/dropbear/files/dropbear.init

@@ -0,0 +1,282 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2006-2010 OpenWrt.org
+# Copyright (C) 2006 Carlos Sobrinho
+
+START=19
+STOP=50
+
+USE_PROCD=1
+PROG=/usr/sbin/dropbear
+NAME=dropbear
+PIDCOUNT=0
+
+extra_command "killclients" "Kill ${NAME} processes except servers and yourself"
+
+_dropbearkey()
+{
+	/usr/bin/dropbearkey "$@" 0<&- 1>&- 2>&-
+}
+
+# $1 - host key file name
+hk_verify()
+{
+	[ -f "$1" ] || return 1
+	[ -s "$1" ] || return 2
+	_dropbearkey -y -f "$1" || return 3
+	return 0
+}
+
+# $1 - hk_verify() return code
+hk_errmsg()
+{
+	case "$1" in
+	0) ;;
+	1) echo "file does not exist" ;;
+	2) echo "file has zero length" ;;
+	3) echo "file is not valid host key or not supported" ;;
+	*) echo "unknown error" ;;
+	esac
+}
+
+# $1 - config option
+# $2 - host key file name
+hk_config()
+{
+	local x m
+	hk_verify "$2"; x=$?
+	case "$x" in
+	0)	procd_append_param command -r "$2"
+		;;
+	*)	m=$(hk_errmsg "$x")
+		logger -t "${NAME}" -p daemon.warn \
+		  "option '$1', value '$2': $m, skipping"
+		;;
+	esac
+}
+
+# $1 - host key file name
+hk_config__keyfile()
+{
+	hk_config 'keyfile' "$1"
+}
+
+hk_generate_as_needed()
+{
+	local kdir kgen ktype tdir kcount tfile
+	kdir='/etc/dropbear'
+
+	kgen=''
+	for ktype in ed25519 ecdsa rsa; do
+		hk_verify "${kdir}/dropbear_${ktype}_host_key" && continue
+
+		kgen="${kgen} ${ktype}"
+	done
+
+	[ -z "${kgen}" ] && return
+
+	tdir=$(mktemp -d); chmod 0700 "${tdir}"
+
+	kcount=0
+	for ktype in ${kgen}; do
+		tfile="${tdir}/dropbear_${ktype}_host_key"
+
+		if ! _dropbearkey -t ${ktype} -f "${tfile}"; then
+			# unsupported key type
+			rm -f "${tfile}"
+			continue
+		fi
+
+		kcount=$((kcount+1))
+	done
+
+	if [ ${kcount} -ne 0 ]; then
+		mkdir -p "${kdir}"; chmod 0700 "${kdir}"; chown root "${kdir}"
+		mv -f "${tdir}/"* "${kdir}/"
+	fi
+
+	rm -rf "${tdir}"
+}
+
+append_ports()
+{
+	local ipaddrs="$1"
+	local port="$2"
+
+	[ -z "$ipaddrs" ] && {
+		procd_append_param command -p "$port"
+		return
+	}
+
+	for addr in $ipaddrs; do
+		procd_append_param command -p "$addr:$port"
+	done
+}
+
+validate_section_dropbear()
+{
+	uci_load_validate dropbear dropbear "$1" "$2" \
+		'PasswordAuth:bool:1' \
+		'enable:bool:1' \
+		'Interface:string' \
+		'GatewayPorts:bool:0' \
+		'RootPasswordAuth:bool:1' \
+		'RootLogin:bool:1' \
+		'rsakeyfile:file' \
+		'keyfile:list(file)' \
+		'BannerFile:file' \
+		'Port:port:22' \
+		'SSHKeepAlive:uinteger:300' \
+		'IdleTimeout:uinteger:0' \
+		'MaxAuthTries:uinteger:3' \
+		'RecvWindowSize:uinteger:0' \
+		'mdns:bool:1'
+}
+
+dropbear_instance()
+{
+	local ipaddrs
+
+	[ "$2" = 0 ] || {
+		echo "validation failed"
+		return 1
+	}
+
+	[ -n "${Interface}" ] && {
+		[ -n "${BOOT}" ] && return 0
+
+		network_get_ipaddrs_all ipaddrs "${Interface}" || {
+			echo "interface ${Interface} has no physdev or physdev has no suitable ip"
+			return 1
+		}
+	}
+
+	[ "${enable}" = "0" ] && return 1
+	PIDCOUNT="$(( ${PIDCOUNT} + 1))"
+	local pid_file="/var/run/${NAME}.${PIDCOUNT}.pid"
+
+	procd_open_instance
+	procd_set_param command "$PROG" -F -P "$pid_file"
+	[ "${PasswordAuth}" -eq 0 ] && procd_append_param command -s
+	[ "${GatewayPorts}" -eq 1 ] && procd_append_param command -a
+	[ "${RootPasswordAuth}" -eq 0 ] && procd_append_param command -g
+	[ "${RootLogin}" -eq 0 ] && procd_append_param command -w
+	if [ -n "${rsakeyfile}" ]; then
+		logger -t ${NAME} -p daemon.warn \
+			"option 'rsakeyfile' is considered to be deprecated and" \
+			"will be removed in future releases, use 'keyfile' instead"
+		hk_config 'rsakeyfile' "${rsakeyfile}"
+	fi
+	config_list_foreach "$1" "keyfile" hk_config__keyfile
+	[ -n "${BannerFile}" ] && procd_append_param command -b "${BannerFile}"
+	append_ports "${ipaddrs}" "${Port}"
+	[ "${IdleTimeout}" -ne 0 ] && procd_append_param command -I "${IdleTimeout}"
+	[ "${SSHKeepAlive}" -ne 0 ] && procd_append_param command -K "${SSHKeepAlive}"
+	[ "${MaxAuthTries}" -ne 0 ] && procd_append_param command -T "${MaxAuthTries}"
+	[ "${RecvWindowSize}" -gt 0 -a "${RecvWindowSize}" -le 1048576 ] && \
+		procd_append_param command -W "${RecvWindowSize}"
+	[ "${mdns}" -ne 0 ] && procd_add_mdns "ssh" "tcp" "$Port" "daemon=dropbear"
+	procd_set_param respawn
+	procd_close_instance
+}
+
+load_interfaces()
+{
+	config_get interface "$1" Interface
+	config_get enable "$1" enable 1
+
+	[ "${enable}" = "1" ] && interfaces=" ${interface} ${interfaces}"
+}
+
+boot()
+{
+	BOOT=1
+	start "$@"
+}
+
+start_service()
+{
+	hk_generate_as_needed
+
+	. /lib/functions.sh
+	. /lib/functions/network.sh
+
+	config_load "${NAME}"
+	config_foreach validate_section_dropbear dropbear dropbear_instance
+}
+
+service_triggers()
+{
+	local interfaces
+
+	procd_add_config_trigger "config.change" "dropbear" /etc/init.d/dropbear reload
+
+	config_load "${NAME}"
+	config_foreach load_interfaces dropbear
+
+	[ -n "${interfaces}" ] && {
+		for n in $interfaces ; do
+			procd_add_interface_trigger "interface.*" $n /etc/init.d/dropbear reload
+		done
+	}
+
+	procd_add_validation validate_section_dropbear
+}
+
+shutdown() {
+	# close all open connections
+	killall dropbear
+}
+
+killclients()
+{
+	local ignore=''
+	local server
+	local pid
+
+	# if this script is run from inside a client session, then ignore that session
+	pid="$$"
+	while [ "${pid}" -ne 0 ]
+	 do
+		# get parent process id
+		pid=$(cut -d ' ' -f 4 "/proc/${pid}/stat")
+		[ "${pid}" -eq 0 ] && break
+
+		# check if client connection
+		grep -F -q -e "${PROG}" "/proc/${pid}/cmdline" && {
+			append ignore "${pid}"
+			break
+		}
+	done
+
+	# get all server pids that should be ignored
+	for server in $(cat /var/run/${NAME}.*.pid)
+	 do
+		append ignore "${server}"
+	done
+
+	# get all running pids and kill client connections
+	local skip
+	for pid in $(pidof "${NAME}")
+	 do
+		# check if correct program, otherwise process next pid
+		grep -F -q -e "${PROG}" "/proc/${pid}/cmdline" || {
+			continue
+		}
+
+		# check if pid should be ignored (servers, ourself)
+		skip=0
+		for server in ${ignore}
+		 do
+			if [ "${pid}" = "${server}" ]
+			 then
+				skip=1
+				break
+			fi
+		done
+		[ "${skip}" -ne 0 ] && continue
+
+		# kill process
+		echo "${initscript}: Killing ${pid}..."
+		kill -KILL ${pid}
+	done
+}

package/network/services/dropbear/patches/100-pubkey_path.patch

@@ -0,0 +1,86 @@
+--- a/svr-authpubkey.c
++++ b/svr-authpubkey.c
+@@ -386,14 +386,19 @@ static int checkpubkey(const char* keyal
+ 		goto out;
+ 	}
+ 
+-	/* we don't need to check pw and pw_dir for validity, since
+-	 * its been done in checkpubkeyperms. */
+-	len = strlen(ses.authstate.pw_dir);
+-	/* allocate max required pathname storage,
+-	 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
+-	filename = m_malloc(len + 22);
+-	snprintf(filename, len + 22, "%s/.ssh/authorized_keys", 
+-				ses.authstate.pw_dir);
++	if (ses.authstate.pw_uid != 0) {
++		/* we don't need to check pw and pw_dir for validity, since
++		 * its been done in checkpubkeyperms. */
++		len = strlen(ses.authstate.pw_dir);
++		/* allocate max required pathname storage,
++		 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
++		filename = m_malloc(len + 22);
++		snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
++					ses.authstate.pw_dir);
++	} else {
++		filename = m_malloc(30);
++		strncpy(filename, "/etc/dropbear/authorized_keys", 30);
++	}
+ 
+ #if DROPBEAR_SVR_MULTIUSER
+ 	/* open the file as the authenticating user. */
+@@ -474,27 +479,36 @@ static int checkpubkeyperms() {
+ 		goto out;
+ 	}
+ 
+-	/* allocate max required pathname storage,
+-	 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
+-	len += 22;
+-	filename = m_malloc(len);
+-	strlcpy(filename, ses.authstate.pw_dir, len);
+-
+-	/* check ~ */
+-	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+-		goto out;
+-	}
++	if (ses.authstate.pw_uid == 0) {
++		if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) {
++			goto out;
++		}
++		if (checkfileperm("/etc/dropbear/authorized_keys") != DROPBEAR_SUCCESS) {
++			goto out;
++		}
++	} else {
++		/* allocate max required pathname storage,
++		 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
++		len += 22;
++		filename = m_malloc(len);
++		strlcpy(filename, ses.authstate.pw_dir, len);
++
++		/* check ~ */
++		if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
++			goto out;
++		}
+ 
+-	/* check ~/.ssh */
+-	strlcat(filename, "/.ssh", len);
+-	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+-		goto out;
+-	}
++		/* check ~/.ssh */
++		strlcat(filename, "/.ssh", len);
++		if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
++			goto out;
++		}
+ 
+-	/* now check ~/.ssh/authorized_keys */
+-	strlcat(filename, "/authorized_keys", len);
+-	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+-		goto out;
++		/* now check ~/.ssh/authorized_keys */
++		strlcat(filename, "/authorized_keys", len);
++		if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
++			goto out;
++		}
+ 	}
+ 
+ 	/* file looks ok, return success */

package/network/services/dropbear/patches/110-change_user.patch

@@ -0,0 +1,18 @@
+--- a/svr-chansession.c
++++ b/svr-chansession.c
+@@ -954,12 +954,12 @@ static void execchild(const void *user_d
+ 	/* We can only change uid/gid as root ... */
+ 	if (getuid() == 0) {
+ 
+-		if ((setgid(ses.authstate.pw_gid) < 0) ||
++		if ((ses.authstate.pw_gid != 0) && ((setgid(ses.authstate.pw_gid) < 0) ||
+ 			(initgroups(ses.authstate.pw_name, 
+-						ses.authstate.pw_gid) < 0)) {
++						ses.authstate.pw_gid) < 0))) {
+ 			dropbear_exit("Error changing user group");
+ 		}
+-		if (setuid(ses.authstate.pw_uid) < 0) {
++		if ((ses.authstate.pw_uid != 0) && (setuid(ses.authstate.pw_uid) < 0)) {
+ 			dropbear_exit("Error changing user");
+ 		}
+ 	} else {

package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch

@@ -0,0 +1,11 @@
+--- a/cli-runopts.c
++++ b/cli-runopts.c
+@@ -299,6 +299,8 @@ void cli_getopts(int argc, char ** argv)
+ 					debug_trace = 1;
+ 					break;
+ #endif
++				case 'x':
++					break;
+ 				case 'F':
+ 				case 'e':
+ #if !DROPBEAR_USER_ALGO_LIST

package/network/services/dropbear/patches/140-disable_assert.patch

@@ -0,0 +1,15 @@
+--- a/dbutil.h
++++ b/dbutil.h
+@@ -75,7 +75,11 @@ int m_str_to_uint(const char* str, unsig
+ #define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
+ 
+ /* Dropbear assertion */
+-#define dropbear_assert(X) do { if (!(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0)
++#ifndef DROPBEAR_ASSERT_ENABLED
++#define DROPBEAR_ASSERT_ENABLED 0
++#endif
++
++#define dropbear_assert(X) do { if (DROPBEAR_ASSERT_ENABLED && !(X)) { fail_assert(#X, __FILE__, __LINE__); } } while (0)
+ 
+ /* Returns 0 if a and b have the same contents */
+ int constant_time_memcmp(const void* a, const void *b, size_t n);

package/network/services/dropbear/patches/160-lto-jobserver.patch

@@ -0,0 +1,33 @@
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -198,17 +198,17 @@ dropbearkey: $(dropbearkeyobjs)
+ dropbearconvert: $(dropbearconvertobjs)
+ 
+ dropbear: $(HEADERS) $(LIBTOM_DEPS) Makefile
+-	$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS) @CRYPTLIB@ $(PLUGIN_LIBS)
++	+$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS) @CRYPTLIB@ $(PLUGIN_LIBS)
+ 
+ dbclient: $(HEADERS) $(LIBTOM_DEPS) Makefile
+-	$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS)
++	+$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS)
+ 
+ dropbearkey dropbearconvert: $(HEADERS) $(LIBTOM_DEPS) Makefile
+-	$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS)
++	+$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS)
+ 
+ # scp doesn't use the libs so is special.
+ scp: $(SCPOBJS)  $(HEADERS) Makefile
+-	$(CC) $(LDFLAGS) -o $@$(EXEEXT) $(SCPOBJS)
++	+$(CC) $(LDFLAGS) -o $@$(EXEEXT) $(SCPOBJS)
+ 
+ 
+ # multi-binary compilation.
+@@ -219,7 +219,7 @@ ifeq ($(MULTI),1)
+ endif
+ 
+ dropbearmulti$(EXEEXT): $(HEADERS) $(MULTIOBJS) $(LIBTOM_DEPS) Makefile
+-	$(CC) $(LDFLAGS) -o $@ $(MULTIOBJS) $(LIBTOM_LIBS) $(LIBS) @CRYPTLIB@
++	+$(CC) $(LDFLAGS) -o $@ $(MULTIOBJS) $(LIBTOM_LIBS) $(LIBS) @CRYPTLIB@
+ 
+ multibinary: dropbearmulti$(EXEEXT)
+ 

package/network/services/dropbear/patches/600-allow-blank-root-password.patch

@@ -0,0 +1,11 @@
+--- a/svr-auth.c
++++ b/svr-auth.c
+@@ -125,7 +125,7 @@ void recv_msg_userauth_request() {
+ 				AUTH_METHOD_NONE_LEN) == 0) {
+ 		TRACE(("recv_msg_userauth_request: 'none' request"))
+ 		if (valid_user
+-				&& svr_opts.allowblankpass
++				&& (svr_opts.allowblankpass || !strcmp(ses.authstate.pw_name, "root"))
+ 				&& !svr_opts.noauthpass
+ 				&& !(svr_opts.norootpass && ses.authstate.pw_uid == 0) 
+ 				&& ses.authstate.pw_passwd[0] == '\0') 

package/network/services/dropbear/patches/900-configure-hardening.patch

@@ -0,0 +1,56 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -70,53 +70,6 @@ AC_ARG_ENABLE(harden,
+ 
+ if test "$hardenbuild" -eq 1; then
+ 	AC_MSG_NOTICE(Checking for available hardened build flags:)
+-	# relocation flags don't make sense for static builds
+-	if test "$STATIC" -ne 1; then
+-		# pie
+-		DB_TRYADDCFLAGS([-fPIE])
+-
+-		OLDLDFLAGS="$LDFLAGS"
+-		TESTFLAGS="-Wl,-pie"
+-		LDFLAGS="$LDFLAGS $TESTFLAGS"
+-		AC_LINK_IFELSE([AC_LANG_PROGRAM([])], 
+-			[AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+-			[
+-				LDFLAGS="$OLDLDFLAGS"
+-				TESTFLAGS="-pie"
+-				LDFLAGS="$LDFLAGS $TESTFLAGS"
+-				AC_LINK_IFELSE([AC_LANG_PROGRAM([])], 
+-					[AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+-					[AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
+-					)
+-			]
+-			)
+-		# readonly elf relocation sections (relro)
+-		OLDLDFLAGS="$LDFLAGS"
+-		TESTFLAGS="-Wl,-z,now -Wl,-z,relro"
+-		LDFLAGS="$LDFLAGS $TESTFLAGS"
+-		AC_LINK_IFELSE([AC_LANG_PROGRAM([])], 
+-			[AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+-			[AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
+-			)
+-	fi # non-static
+-	# stack protector. -strong is good but only in gcc 4.9 or later
+-	OLDCFLAGS="$CFLAGS"
+-	TESTFLAGS="-fstack-protector-strong"
+-	CFLAGS="$CFLAGS $TESTFLAGS"
+-	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], 
+-	    [AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+-	    [
+-			CFLAGS="$OLDCFLAGS"
+-			TESTFLAGS="-fstack-protector --param=ssp-buffer-size=4"
+-			CFLAGS="$CFLAGS $TESTFLAGS"
+-			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], 
+-			    [AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+-			    [AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ]
+-			    )
+-	    ]
+-	    )
+-	# FORTIFY_SOURCE
+-	DB_TRYADDCFLAGS([-D_FORTIFY_SOURCE=2])
+ 
+ 	# Spectre v2 mitigations
+ 	DB_TRYADDCFLAGS([-mfunction-return=thunk])

package/network/services/dropbear/patches/901-bundled-libs-cflags.patch

@@ -0,0 +1,48 @@
+--- a/libtomcrypt/makefile_include.mk
++++ b/libtomcrypt/makefile_include.mk
+@@ -94,6 +94,13 @@ endif
+ 
+ LTC_CFLAGS += -Wno-type-limits
+ 
++ifdef OPENWRT_BUILD
++  ifeq (-Os,$(filter -Os,$(CFLAGS)))
++    LTC_CFLAGS += -DLTC_SMALL_CODE
++  endif
++else
++  ### ! OPENWRT_BUILD
++
+ ifdef LTC_DEBUG
+ $(info Debug build)
+ # compile for DEBUGGING (required for ccmalloc checking!!!)
+@@ -121,6 +128,9 @@ endif
+ endif # COMPILE_SMALL
+ endif # COMPILE_DEBUG
+ 
++  ### ! OPENWRT_BUILD
++endif
++
+ 
+ ifneq ($(findstring clang,$(CC)),)
+ LTC_CFLAGS += -Wno-typedef-redefinition -Wno-tautological-compare -Wno-builtin-requires-header -Wno-missing-field-initializers
+--- a/libtommath/makefile_include.mk
++++ b/libtommath/makefile_include.mk
+@@ -70,6 +70,9 @@ else
+ LTM_CFLAGS += -Wsystem-headers
+ endif
+ 
++ifndef OPENWRT_BUILD
++  ### ! OPENWRT_BUILD
++
+ ifdef COMPILE_DEBUG
+ #debug
+ LTM_CFLAGS += -g3
+@@ -90,6 +93,9 @@ endif
+ 
+ endif # COMPILE_SIZE
+ 
++  ### ! OPENWRT_BUILD
++endif
++
+ ifneq ($(findstring clang,$(CC)),)
+ LTM_CFLAGS += -Wno-typedef-redefinition -Wno-tautological-compare -Wno-builtin-requires-header
+ endif

package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch

@@ -0,0 +1,38 @@
+From 667d9b75df86ec9ee1205f9101beb8dbbe4a00ae Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
+Date: Wed, 1 Jul 2020 11:38:33 +0200
+Subject: [PATCH] signkey: fix use of rsa-sha2-256 pubkeys
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Commit 972d723484d8 ("split signkey_type and signature_type for RSA sha1
+vs sha256") has added strict checking of pubkey algorithms which made
+keys with SHA-256 hashing algorithm unusable as they still reuse the
+`ssh-rsa` public key format. So fix this by disabling the check for
+rsa-sha2-256 pubkeys.
+
+Ref: https://tools.ietf.org/html/rfc8332#section-3
+Fixes: 972d723484d8 ("split signkey_type and signature_type for RSA sha1 vs sha256")
+Signed-off-by: Petr Štetiar <ynezz@true.cz>
+---
+ signkey.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/signkey.c
++++ b/signkey.c
+@@ -657,8 +657,12 @@ int buf_verify(buffer * buf, sign_key *k
+ 	sigtype = signature_type_from_name(type_name, type_name_len);
+ 	m_free(type_name);
+ 
+-	if (expect_sigtype != sigtype) {
+-			dropbear_exit("Non-matching signing type");
++	if (sigtype == DROPBEAR_SIGNATURE_NONE) {
++		dropbear_exit("No signature type");
++	}
++
++	if ((expect_sigtype != DROPBEAR_SIGNATURE_RSA_SHA256) && (expect_sigtype != sigtype)) {
++		dropbear_exit("Non-matching signing type");
+ 	}
+ 
+ 	keytype = signkey_type_from_signature(sigtype);