dropbear: bump to 2025.88

- update dropbear to latest stable 2025.88;
  for the changes see https://matt.ucc.asn.au/dropbear/CHANGES
- rewrite 100-pubkey_path.patch
- refresh remaining patches

Signed-off-by: Konstantin Demin <[email protected]>

package/network/services/dropbear/Makefile

@@ -8,14 +8,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dropbear
-PKG_VERSION:=2024.86
+PKG_VERSION:=2025.88
 PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
 	https://matt.ucc.asn.au/dropbear/releases/ \
 	https://dropbear.nl/mirror/releases/
-PKG_HASH:=e78936dffc395f2e0db099321d6be659190966b99712b55c530dd0a1822e0a5e
+PKG_HASH:=783f50ea27b17c16da89578fafdb6decfa44bb8f6590e5698a4e4d3672dc53d4
 
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE

package/network/services/dropbear/patches/050-dropbear-multihop-fix.patch

@@ -0,0 +1,69 @@
+Author: Konstantin Demin <[email protected]>
+Subject: Fix proxycmd without netcat
+
+Fixes commit e5a0ef27c227 "Execute multihop commands directly, no shell"
+
+Forwarded: https://github.com/mkj/dropbear/pull/363
+
+ src/cli-main.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/cli-main.c b/src/cli-main.c
+index 2fafa88900..0a052a3512 100644
+--- a/src/cli-main.c
++++ b/src/cli-main.c
+@@ -77,7 +77,11 @@ int main(int argc, char ** argv) {
+ 	}
+ 
+ #if DROPBEAR_CLI_PROXYCMD
+-	if (cli_opts.proxycmd || cli_opts.proxyexec) {
++	if (cli_opts.proxycmd
++#if DROPBEAR_CLI_MULTIHOP
++		|| cli_opts.proxyexec
++#endif
++	) {
+ 		cli_proxy_cmd(&sock_in, &sock_out, &proxy_cmd_pid);
+ 		if (signal(SIGINT, kill_proxy_sighandler) == SIG_ERR ||
+ 			signal(SIGTERM, kill_proxy_sighandler) == SIG_ERR ||
+@@ -110,11 +114,13 @@ static void shell_proxy_cmd(const void *user_data_cmd) {
+ 	dropbear_exit("Failed to run '%s'\n", cmd);
+ }
+ 
++#if DROPBEAR_CLI_MULTIHOP
+ static void exec_proxy_cmd(const void *unused) {
+ 	(void)unused;
+ 	run_command(cli_opts.proxyexec[0], cli_opts.proxyexec, ses.maxfd);
+ 	dropbear_exit("Failed to run '%s'\n", cli_opts.proxyexec[0]);
+ }
++#endif
+ 
+ static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) {
+ 	char * cmd_arg = NULL;
+@@ -145,9 +151,11 @@ static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) {
+ 		cmd_arg = m_malloc(shell_cmdlen);
+ 		snprintf(cmd_arg, shell_cmdlen, "exec %s", cli_opts.proxycmd);
+ 		exec_fn = shell_proxy_cmd;
++#if DROPBEAR_CLI_MULTIHOP
+ 	} else {
+ 		/* No shell */
+ 		exec_fn = exec_proxy_cmd;
++#endif
+ 	}
+ 
+ 	ret = spawn_command(exec_fn, cmd_arg, sock_out, sock_in, NULL, pid_out);
+@@ -159,6 +167,7 @@ static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) {
+ cleanup:
+ 	m_free(cli_opts.proxycmd);
+ 	m_free(cmd_arg);
++#if DROPBEAR_CLI_MULTIHOP
+ 	if (cli_opts.proxyexec) {
+ 		char **a = NULL;
+ 		for (a = cli_opts.proxyexec; *a; a++) {
+@@ -166,6 +175,7 @@ cleanup:
+ 		}
+ 		m_free(cli_opts.proxyexec);
+ 	}
++#endif
+ }
+ 
+ static void kill_proxy_sighandler(int UNUSED(signo)) {

package/network/services/dropbear/patches/100-pubkey_path.patch

@@ -1,106 +1,51 @@
 --- a/src/svr-authpubkey.c
 +++ b/src/svr-authpubkey.c
-@@ -78,6 +78,13 @@ static void send_msg_userauth_pk_ok(cons
- 		const unsigned char* keyblob, unsigned int keybloblen);
- static int checkfileperm(char * filename);
- 
-+static const char * const global_authkeys_dir = "/etc/dropbear";
-+static const int        n_global_authkeys_dir = 14; /* + 1 extra byte */
-+static const char * const user_authkeys_dir = ".ssh";
-+static const int        n_user_authkeys_dir = 5; /* + 1 extra byte */
-+static const char * const authkeys_file = "authorized_keys";
-+static const int        n_authkeys_file = 16; /* + 1 extra byte */
+@@ -435,20 +435,45 @@ out:
+ /* Returns the full path to the user's authorized_keys file in an
+  * allocated string which caller must free. */
+ static char *authorized_keys_filepath() {
++	static const char * const global_authkeys_dir = "/etc/dropbear";
++	/* strlen(global_authkeys_dir) */
++	#define  n_global_authkeys_dir  13
++	static const char * const authkeys_file = "authorized_keys";
++	/* strlen(authkeys_file) */
++	#define  n_authkeys_file  15
 +
- /* process a pubkey auth request, sending success or failure message as
-  * appropriate */
- void svr_auth_pubkey(int valid_user) {
-@@ -462,14 +469,21 @@ static int checkpubkey(const char* keyal
- 	if (checkpubkeyperms() == DROPBEAR_FAILURE) {
- 		TRACE(("bad authorized_keys permissions, or file doesn't exist"))
- 	} else {
--		/* we don't need to check pw and pw_dir for validity, since
--		 * its been done in checkpubkeyperms. */
--		len = strlen(ses.authstate.pw_dir);
--		/* allocate max required pathname storage,
--		 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
--		filename = m_malloc(len + 22);
--		snprintf(filename, len + 22, "%s/.ssh/authorized_keys",
--					ses.authstate.pw_dir);
-+		if (ses.authstate.pw_uid == 0) {
-+			len = n_global_authkeys_dir + n_authkeys_file;
-+			filename = m_malloc(len);
-+			snprintf(filename, len, "%s/%s", global_authkeys_dir, authkeys_file);
-+		} else {
-+			/* we don't need to check pw and pw_dir for validity, since
-+			 * its been done in checkpubkeyperms. */
-+			len = strlen(ses.authstate.pw_dir);
-+			/* allocate max required pathname storage,
-+			 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
-+			len += n_user_authkeys_dir + n_authkeys_file + 1;
-+			filename = m_malloc(len);
-+			snprintf(filename, len, "%s/%s/%s", ses.authstate.pw_dir,
-+			        user_authkeys_dir, authkeys_file);
-+		}
- 
- 		authfile = fopen(filename, "r");
- 		if (!authfile) {
-@@ -543,27 +557,41 @@ static int checkpubkeyperms() {
- 		goto out;
- 	}
- 
--	/* allocate max required pathname storage,
--	 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
--	len += 22;
--	filename = m_malloc(len);
--	strlcpy(filename, ses.authstate.pw_dir, len);
-+	if (ses.authstate.pw_uid == 0) {
-+		if (checkfileperm(global_authkeys_dir) != DROPBEAR_SUCCESS) {
-+			goto out;
-+		}
- 
--	/* check ~ */
--	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
--		goto out;
--	}
-+		len = n_global_authkeys_dir + n_authkeys_file;
-+		filename = m_malloc(len);
+ 	size_t len = 0;
+ 	char *pathname = NULL, *dir = NULL;
+-	const char *filename = "authorized_keys";
++
++	/* OpenWrt-specific:
++	   use OpenWrt' global authorized keys directory if:
++	   1. logging as uid 0 (typically root)
++	   2. "svr_opts.authorized_keys_dir" is set to default i.e. no "-D" option was specified
++	 */
++	while (1) {
++		if (ses.authstate.pw_uid != 0) break;
++		if (svr_opts.authorized_keys_dir[0] == '/') break;
++
++		len = n_global_authkeys_dir + n_authkeys_file + 2;
++		pathname = m_malloc(len);
++		snprintf(pathname, len, "%s/%s", global_authkeys_dir, authkeys_file);
++		return pathname;
++	}
  
--	/* check ~/.ssh */
--	strlcat(filename, "/.ssh", len);
--	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
--		goto out;
--	}
-+		snprintf(filename, len, "%s/%s", global_authkeys_dir, authkeys_file);
-+		if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
-+			goto out;
-+		}
-+	} else {
-+		/* check ~ */
-+		if (checkfileperm(ses.authstate.pw_dir) != DROPBEAR_SUCCESS) {
-+			goto out;
-+		}
+ 	dir = expand_homedir_path_home(svr_opts.authorized_keys_dir,
+ 				       ses.authstate.pw_dir);
  
--	/* now check ~/.ssh/authorized_keys */
--	strlcat(filename, "/authorized_keys", len);
--	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
--		goto out;
-+		/* allocate max required pathname storage,
-+		 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
-+		len += n_user_authkeys_dir + n_authkeys_file + 1;
-+		filename = m_malloc(len);
-+
-+		/* check ~/.ssh */
-+		snprintf(filename, len, "%s/%s", ses.authstate.pw_dir, user_authkeys_dir);
-+		if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
-+			goto out;
-+		}
+ 	/* allocate max required pathname storage,
+ 	 * = dir + "/" + "authorized_keys" + '\0' */;
+-	len = strlen(dir) + strlen(filename) + 2;
++	len = strlen(dir) + n_authkeys_file + 2;
+ 	pathname = m_malloc(len);
+-	snprintf(pathname, len, "%s/%s", dir, filename);
++	snprintf(pathname, len, "%s/%s", dir, authkeys_file);
+ 	m_free(dir);
+ 	return pathname;
 +
-+		/* now check ~/.ssh/authorized_keys */
-+		snprintf(filename, len, "%s/%s/%s", ses.authstate.pw_dir,
-+		         user_authkeys_dir, authkeys_file);
-+		if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
-+			goto out;
-+		}
- 	}
++	/* not needed anymore */
++	#undef  n_global_authkeys_dir
++	#undef  n_authkeys_file
+ }
  
- 	/* file looks ok, return success */
+ /* Checks whether a specified publickey (and associated algorithm) is an

package/network/services/dropbear/patches/140-disable_assert.patch

@@ -1,6 +1,6 @@
 --- a/src/dbutil.h
 +++ b/src/dbutil.h
-@@ -80,7 +80,11 @@ int m_snprintf(char *str, size_t size, c
+@@ -81,7 +81,11 @@ int m_snprintf(char *str, size_t size, c
  #define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
  
  /* Dropbear assertion */

package/network/services/dropbear/patches/160-lto-jobserver.patch

@@ -1,6 +1,6 @@
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -220,17 +220,17 @@ dropbearkey: $(dropbearkeyobjs)
+@@ -222,17 +222,17 @@ dropbearkey: $(dropbearkeyobjs)
  dropbearconvert: $(dropbearconvertobjs)
  
  dropbear: $(HEADERS) $(LIBTOM_DEPS) Makefile
@@ -22,7 +22,7 @@
  
  
  # multi-binary compilation.
-@@ -241,7 +241,7 @@ ifeq ($(MULTI),1)
+@@ -243,7 +243,7 @@ ifeq ($(MULTI),1)
  endif
  
  dropbearmulti$(EXEEXT): $(HEADERS) $(MULTIOBJS) $(LIBTOM_DEPS) Makefile

package/network/services/dropbear/patches/910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch

@@ -21,7 +21,7 @@ Signed-off-by: Petr Štetiar <[email protected]>
 
 --- a/src/signkey.c
 +++ b/src/signkey.c
-@@ -652,10 +652,18 @@ int buf_verify(buffer * buf, sign_key *k
+@@ -656,10 +656,18 @@ int buf_verify(buffer * buf, sign_key *k
  	sigtype = signature_type_from_name(type_name, type_name_len);
  	m_free(type_name);