dropbear: fix hardening flags during configure

compiler complains about messed up CFLAGS in build log:
  <command-line>: warning: "_FORTIFY_SOURCE" redefined
  <command-line>: note: this is the location of the previous definition

and then linker fails:
  mips-openwrt-linux-musl-gcc [...] -o dropbearmulti [...]
  collect2: fatal error: ld terminated with signal 11 [Segmentation fault]
  compilation terminated.
  /staging_dir/toolchain-mips_24kc_gcc-8.2.0_musl/mips-openwrt-linux-musl/bin/ld: /tmp/cc27zORz.ltrans0.ltrans.o: relocation R_MIPS_HI16 against `cipher_descriptor' can not be used when making a shared object; recompile with -fPIC
  /staging_dir/toolchain-mips_24kc_gcc-8.2.0_musl/mips-openwrt-linux-musl/bin/ld: /tmp/cc27zORz.ltrans1.ltrans.o: relocation R_MIPS_HI16 against `ses' can not be used when making a shared object; recompile with -fPIC
  /staging_dir/toolchain-mips_24kc_gcc-8.2.0_musl/mips-openwrt-linux-musl/bin/ld: /tmp/cc27zORz.ltrans2.ltrans.o: relocation R_MIPS_HI16 against `cipher_descriptor' can not be used when making a shared object; recompile with -fPIC
  /staging_dir/toolchain-mips_24kc_gcc-8.2.0_musl/mips-openwrt-linux-musl/bin/ld: BFD (GNU Binutils) 2.31.1 assertion fail elfxx-mips.c:6550
  [...]
  /staging_dir/toolchain-mips_24kc_gcc-8.2.0_musl/mips-openwrt-linux-musl/bin/ld: BFD (GNU Binutils) 2.31.1 assertion fail elfxx-mips.c:6550
  make[3]: *** [Makefile:198: dropbearmulti] Error 1
  make[3]: *** Deleting file 'dropbearmulti'
  make[3]: Leaving directory '/build_dir/target-mips_24kc_musl/dropbear-2018.76'
  make[2]: *** [Makefile:158: /build_dir/target-mips_24kc_musl/dropbear-2018.76/.built] Error 2
  make[2]: Leaving directory '/package/network/services/dropbear'

This FTBFS issue was caused by hardening flags set up by dropbear's configure script.

By default, Dropbear offers hardening via CFLAGS and LDFLAGS,
but this may break or confuse OpenWrt settings.

Remove most Dropbear's hardening settings in favour of precise build,
but preserve Spectre v2 mitigations:
* -mfunction-return=thunk
* -mindirect-branch=thunk

Signed-off-by: Konstantin Demin <[email protected]>

package/network/services/dropbear/patches/900-configure-hardening.patch

@@ -0,0 +1,56 @@
+--- a/configure.ac
++++ b/configure.ac
+@@ -70,53 +70,6 @@ AC_ARG_ENABLE(harden,
+ 
+ if test "$hardenbuild" -eq 1; then
+ 	AC_MSG_NOTICE(Checking for available hardened build flags:)
+-	# relocation flags don't make sense for static builds
+-	if test "$STATIC" -ne 1; then
+-		# pie
+-		DB_TRYADDCFLAGS([-fPIE])
+-
+-		OLDLDFLAGS="$LDFLAGS"
+-		TESTFLAGS="-Wl,-pie"
+-		LDFLAGS="$LDFLAGS $TESTFLAGS"
+-		AC_LINK_IFELSE([AC_LANG_PROGRAM([])], 
+-			[AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+-			[
+-				LDFLAGS="$OLDLDFLAGS"
+-				TESTFLAGS="-pie"
+-				LDFLAGS="$LDFLAGS $TESTFLAGS"
+-				AC_LINK_IFELSE([AC_LANG_PROGRAM([])], 
+-					[AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+-					[AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
+-					)
+-			]
+-			)
+-		# readonly elf relocation sections (relro)
+-		OLDLDFLAGS="$LDFLAGS"
+-		TESTFLAGS="-Wl,-z,now -Wl,-z,relro"
+-		LDFLAGS="$LDFLAGS $TESTFLAGS"
+-		AC_LINK_IFELSE([AC_LANG_PROGRAM([])], 
+-			[AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+-			[AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
+-			)
+-	fi # non-static
+-	# stack protector. -strong is good but only in gcc 4.9 or later
+-	OLDCFLAGS="$CFLAGS"
+-	TESTFLAGS="-fstack-protector-strong"
+-	CFLAGS="$CFLAGS $TESTFLAGS"
+-	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], 
+-	    [AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+-	    [
+-			CFLAGS="$OLDCFLAGS"
+-			TESTFLAGS="-fstack-protector --param=ssp-buffer-size=4"
+-			CFLAGS="$CFLAGS $TESTFLAGS"
+-			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], 
+-			    [AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+-			    [AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ]
+-			    )
+-	    ]
+-	    )
+-	# FORTIFY_SOURCE
+-	DB_TRYADDCFLAGS([-D_FORTIFY_SOURCE=2])
+ 
+ 	# Spectre v2 mitigations
+ 	DB_TRYADDCFLAGS([-mfunction-return=thunk])