From a1099edf32cac9e35b6635f81d356ed20d46a534 Mon Sep 17 00:00:00 2001
From: Konstantin Demin <rockdrilla@gmail.com>
Date: Mon, 25 Mar 2019 21:40:38 +0300
Subject: [PATCH] dropbear: bump to 2019.77

- drop patches applied upstream:
  * 010-runtime-maxauthtries.patch
  * 020-Wait-to-fail-invalid-usernames.patch
  * 150-dbconvert_standalone.patch
  * 610-skip-default-keys-in-custom-runs.patch
- refresh patches
- move OpenWrt configuration from patch to Build/Configure recipe,
  thus drop patch 120-openwrt_options.patch

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
---
 package/network/services/dropbear/Makefile    |  41 ++--
 .../patches/010-runtime-maxauthtries.patch    | 130 -----------
 .../020-Wait-to-fail-invalid-usernames.patch  | 221 ------------------
 .../dropbear/patches/100-pubkey_path.patch    |  45 ++--
 .../dropbear/patches/110-change_user.patch    |   2 +-
 .../patches/120-openwrt_options.patch         |  82 -------
 .../patches/130-ssh_ignore_x_args.patch       |   4 +-
 .../dropbear/patches/140-disable_assert.patch |   2 +-
 .../patches/150-dbconvert_standalone.patch    |  14 --
 .../dropbear/patches/160-lto-jobserver.patch  |   8 +-
 .../600-allow-blank-root-password.patch       |   2 +-
 ...610-skip-default-keys-in-custom-runs.patch |  18 --
 12 files changed, 52 insertions(+), 517 deletions(-)
 delete mode 100644 package/network/services/dropbear/patches/010-runtime-maxauthtries.patch
 delete mode 100644 package/network/services/dropbear/patches/020-Wait-to-fail-invalid-usernames.patch
 delete mode 100644 package/network/services/dropbear/patches/120-openwrt_options.patch
 delete mode 100644 package/network/services/dropbear/patches/150-dbconvert_standalone.patch
 delete mode 100644 package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch

diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index 0ed7199e68..768cc813fa 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -8,14 +8,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dropbear
-PKG_VERSION:=2017.75
-PKG_RELEASE:=9
+PKG_VERSION:=2019.77
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
 	http://matt.ucc.asn.au/dropbear/releases/ \
 	https://dropbear.nl/mirror/releases/
-PKG_HASH:=6cbc1dcb1c9709d226dff669e5604172a18cf5dbf9a201474d5618ae4465098c
+PKG_HASH:=d91f78ebe633be1d071fd1b7e5535b9693794048b019e9f4bea257e1992b458d
 
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
@@ -23,6 +23,7 @@ PKG_CPE_ID:=cpe:/a:matt_johnston:dropbear_ssh_server
 
 PKG_BUILD_PARALLEL:=1
 PKG_USE_MIPS16:=0
+PKG_FIXUP:=autoreconf
 
 PKG_CONFIG_DEPENDS:= \
 	CONFIG_TARGET_INIT_PATH CONFIG_DROPBEAR_ECC \
@@ -90,33 +91,33 @@ TARGET_CFLAGS += -DARGTYPE=3 -ffunction-sections -fdata-sections -flto
 TARGET_LDFLAGS += -Wl,--gc-sections -flto=jobserver
 
 define Build/Configure
+	: > $(PKG_BUILD_DIR)/localoptions.h
+
 	$(Build/Configure/Default)
 
-	$(SED) 's,^#define DEFAULT_PATH .*$$$$,#define DEFAULT_PATH "$(TARGET_INIT_PATH)",g' \
-		$(PKG_BUILD_DIR)/options.h
+	echo '#define DEFAULT_PATH "$(TARGET_INIT_PATH)"' >> \
+		$(PKG_BUILD_DIR)/localoptions.h
 
-	awk 'BEGIN { rc = 1 } \
-	     /'DROPBEAR_CURVE25519'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_CURVE25519),,// )#define 'DROPBEAR_CURVE25519'"; rc = 0 } \
-	     { print } \
-	     END { exit(rc) }' $(PKG_BUILD_DIR)/options.h \
-	     >$(PKG_BUILD_DIR)/options.h.new && \
-	mv $(PKG_BUILD_DIR)/options.h.new $(PKG_BUILD_DIR)/options.h
+	echo '#define DROPBEAR_CURVE25519 $(if $(CONFIG_DROPBEAR_CURVE25519),1,0)' >> \
+		$(PKG_BUILD_DIR)/localoptions.h
 
-	# Enforce that all replacements are made, otherwise options.h has changed
-	# format and this logic is broken.
 	for OPTION in DROPBEAR_ECDSA DROPBEAR_ECDH; do \
-	  awk 'BEGIN { rc = 1 } \
-	       /'$$$$OPTION'/ { $$$$0 = "$(if $(CONFIG_DROPBEAR_ECC),,// )#define '$$$$OPTION'"; rc = 0 } \
-	       { print } \
-	       END { exit(rc) }' $(PKG_BUILD_DIR)/options.h \
-	       >$(PKG_BUILD_DIR)/options.h.new && \
-	  mv $(PKG_BUILD_DIR)/options.h.new $(PKG_BUILD_DIR)/options.h || exit 1; \
+		echo "#define $$$$OPTION $(if $(CONFIG_DROPBEAR_ECC),1,0)" >> \
+			$(PKG_BUILD_DIR)/localoptions.h; \
 	done
 
 	# remove protocol idented software version number
-	$(SED) 's,^#define LOCAL_IDENT .*$$$$,#define LOCAL_IDENT "SSH-2.0-dropbear",g' \
+	$(ESED) 's,^(#define LOCAL_IDENT) .*$$$$,\1 "SSH-2.0-dropbear",g' \
 		$(PKG_BUILD_DIR)/sysoptions.h
 
+	# disable legacy/unsafe methods and unused functionality
+	for OPTION in INETD_MODE DROPBEAR_CLI_NETCAT \
+	DROPBEAR_3DES DROPBEAR_DSS DROPBEAR_ENABLE_CBC_MODE \
+	DROPBEAR_SHA1_96_HMAC DROPBEAR_USE_PASSWORD_ENV; do \
+		echo "#define $$$$OPTION 0" >> \
+			$(PKG_BUILD_DIR)/localoptions.h; \
+	done
+
 	# Enforce rebuild of svr-chansession.c
 	rm -f $(PKG_BUILD_DIR)/svr-chansession.o
 endef
diff --git a/package/network/services/dropbear/patches/010-runtime-maxauthtries.patch b/package/network/services/dropbear/patches/010-runtime-maxauthtries.patch
deleted file mode 100644
index 26db3181f2..0000000000
--- a/package/network/services/dropbear/patches/010-runtime-maxauthtries.patch
+++ /dev/null
@@ -1,130 +0,0 @@
-From 46b22e57d91e33a591d0fba97da52672af4d6ed2 Mon Sep 17 00:00:00 2001
-From: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
-Date: Mon, 29 May 2017 10:25:09 +0100
-Subject: [PATCH] dropbear server: support -T max auth tries
-
-Add support for '-T n' for a run-time specification for maximum number
-of authentication attempts where 'n' is between 1 and compile time
-option MAX_AUTH_TRIES.
-
-A default number of tries can be specified at compile time using
-'DEFAULT_AUTH_TRIES' which itself defaults to MAX_AUTH_TRIES for
-backwards compatibility.
-
-Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
----
- options.h     |  7 +++++++
- runopts.h     |  1 +
- svr-auth.c    |  2 +-
- svr-runopts.c | 17 +++++++++++++++++
- 4 files changed, 26 insertions(+), 1 deletion(-)
-
-diff --git a/options.h b/options.h
-index 0c51bb1..4d22704 100644
---- a/options.h
-+++ b/options.h
-@@ -284,6 +284,13 @@ Homedir is prepended unless path begins with / */
- #define MAX_AUTH_TRIES 10
- #endif
- 
-+/* Default maximum number of failed authentication tries.
-+ * defaults to MAX_AUTH_TRIES */
-+
-+#ifndef DEFAULT_AUTH_TRIES
-+#define DEFAULT_AUTH_TRIES MAX_AUTH_TRIES
-+#endif
-+
- /* The default file to store the daemon's process ID, for shutdown
-    scripts etc. This can be overridden with the -P flag */
- #ifndef DROPBEAR_PIDFILE
-diff --git a/runopts.h b/runopts.h
-index f7c869d..2f7da63 100644
---- a/runopts.h
-+++ b/runopts.h
-@@ -96,6 +96,7 @@ typedef struct svr_runopts {
- 	int noauthpass;
- 	int norootpass;
- 	int allowblankpass;
-+	unsigned int maxauthtries;
- 
- #ifdef ENABLE_SVR_REMOTETCPFWD
- 	int noremotetcp;
-diff --git a/svr-auth.c b/svr-auth.c
-index 577ea88..6a7ce0b 100644
---- a/svr-auth.c
-+++ b/svr-auth.c
-@@ -362,7 +362,7 @@ void send_msg_userauth_failure(int partial, int incrfail) {
- 		ses.authstate.failcount++;
- 	}
- 
--	if (ses.authstate.failcount >= MAX_AUTH_TRIES) {
-+	if (ses.authstate.failcount >= svr_opts.maxauthtries) {
- 		char * userstr;
- 		/* XXX - send disconnect ? */
- 		TRACE(("Max auth tries reached, exiting"))
-diff --git a/svr-runopts.c b/svr-runopts.c
-index 8f60059..1e7440f 100644
---- a/svr-runopts.c
-+++ b/svr-runopts.c
-@@ -73,6 +73,7 @@ static void printhelp(const char * progname) {
- 					"-g		Disable password logins for root\n"
- 					"-B		Allow blank password logins\n"
- #endif
-+					"-T <1 to %d> 	Maximum authentication tries (default %d)\n"
- #ifdef ENABLE_SVR_LOCALTCPFWD
- 					"-j		Disable local port forwarding\n"
- #endif
-@@ -106,6 +107,7 @@ static void printhelp(const char * progname) {
- #ifdef DROPBEAR_ECDSA
- 					ECDSA_PRIV_FILENAME,
- #endif
-+					MAX_AUTH_TRIES, DEFAULT_AUTH_TRIES,
- 					DROPBEAR_MAX_PORTS, DROPBEAR_DEFPORT, DROPBEAR_PIDFILE,
- 					DEFAULT_RECV_WINDOW, DEFAULT_KEEPALIVE, DEFAULT_IDLE_TIMEOUT);
- }
-@@ -118,6 +120,7 @@ void svr_getopts(int argc, char ** argv) {
- 	char* recv_window_arg = NULL;
- 	char* keepalive_arg = NULL;
- 	char* idle_timeout_arg = NULL;
-+	char* maxauthtries_arg = NULL;
- 	char* keyfile = NULL;
- 	char c;
- 
-@@ -130,6 +133,7 @@ void svr_getopts(int argc, char ** argv) {
- 	svr_opts.noauthpass = 0;
- 	svr_opts.norootpass = 0;
- 	svr_opts.allowblankpass = 0;
-+	svr_opts.maxauthtries = DEFAULT_AUTH_TRIES;
- 	svr_opts.inetdmode = 0;
- 	svr_opts.portcount = 0;
- 	svr_opts.hostkey = NULL;
-@@ -234,6 +238,9 @@ void svr_getopts(int argc, char ** argv) {
- 				case 'I':
- 					next = &idle_timeout_arg;
- 					break;
-+				case 'T':
-+					next = &maxauthtries_arg;
-+					break;
- #if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH)
- 				case 's':
- 					svr_opts.noauthpass = 1;
-@@ -330,6 +337,16 @@ void svr_getopts(int argc, char ** argv) {
- 			dropbear_exit("Bad recv window '%s'", recv_window_arg);
- 		}
- 	}
-+
-+	if (maxauthtries_arg) {
-+		unsigned int val = 0;
-+		if (m_str_to_uint(maxauthtries_arg, &val) == DROPBEAR_FAILURE ||
-+			val == 0 || val > MAX_AUTH_TRIES) {
-+			dropbear_exit("Bad maxauthtries '%s'", maxauthtries_arg);
-+		}
-+		svr_opts.maxauthtries = val;
-+	}
-+
- 	
- 	if (keepalive_arg) {
- 		unsigned int val;
--- 
-2.7.4
-
diff --git a/package/network/services/dropbear/patches/020-Wait-to-fail-invalid-usernames.patch b/package/network/services/dropbear/patches/020-Wait-to-fail-invalid-usernames.patch
deleted file mode 100644
index 593dca930d..0000000000
--- a/package/network/services/dropbear/patches/020-Wait-to-fail-invalid-usernames.patch
+++ /dev/null
@@ -1,221 +0,0 @@
-From 52adbb34c32d3e2e1bcdb941e20a6f81138b8248 Mon Sep 17 00:00:00 2001
-From: Matt Johnston <matt@ucc.asn.au>
-Date: Thu, 23 Aug 2018 23:43:12 +0800
-Subject: [PATCH 2/2] Wait to fail invalid usernames
-
----
- auth.h           |  6 +++---
- svr-auth.c       | 19 +++++--------------
- svr-authpam.c    | 26 ++++++++++++++++++++++----
- svr-authpasswd.c | 27 ++++++++++++++-------------
- svr-authpubkey.c | 11 ++++++++++-
- 5 files changed, 54 insertions(+), 35 deletions(-)
-
---- a/auth.h
-+++ b/auth.h
-@@ -37,9 +37,9 @@ void recv_msg_userauth_request(void);
- void send_msg_userauth_failure(int partial, int incrfail);
- void send_msg_userauth_success(void);
- void send_msg_userauth_banner(buffer *msg);
--void svr_auth_password(void);
--void svr_auth_pubkey(void);
--void svr_auth_pam(void);
-+void svr_auth_password(int valid_user);
-+void svr_auth_pubkey(int valid_user);
-+void svr_auth_pam(int valid_user);
- 
- #ifdef ENABLE_SVR_PUBKEY_OPTIONS
- int svr_pubkey_allows_agentfwd(void);
---- a/svr-auth.c
-+++ b/svr-auth.c
-@@ -176,10 +176,8 @@ void recv_msg_userauth_request() {
- 		if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
- 				strncmp(methodname, AUTH_METHOD_PASSWORD,
- 					AUTH_METHOD_PASSWORD_LEN) == 0) {
--			if (valid_user) {
--				svr_auth_password();
--				goto out;
--			}
-+			svr_auth_password(valid_user);
-+			goto out;
- 		}
- 	}
- #endif
-@@ -191,10 +189,8 @@ void recv_msg_userauth_request() {
- 		if (methodlen == AUTH_METHOD_PASSWORD_LEN &&
- 				strncmp(methodname, AUTH_METHOD_PASSWORD,
- 					AUTH_METHOD_PASSWORD_LEN) == 0) {
--			if (valid_user) {
--				svr_auth_pam();
--				goto out;
--			}
-+			svr_auth_pam(valid_user);
-+			goto out;
- 		}
- 	}
- #endif
-@@ -204,12 +200,7 @@ void recv_msg_userauth_request() {
- 	if (methodlen == AUTH_METHOD_PUBKEY_LEN &&
- 			strncmp(methodname, AUTH_METHOD_PUBKEY,
- 				AUTH_METHOD_PUBKEY_LEN) == 0) {
--		if (valid_user) {
--			svr_auth_pubkey();
--		} else {
--			/* pubkey has no failure delay */
--			send_msg_userauth_failure(0, 0);
--		}
-+		svr_auth_pubkey(valid_user);
- 		goto out;
- 	}
- #endif
---- a/svr-authpam.c
-+++ b/svr-authpam.c
-@@ -178,13 +178,14 @@ pamConvFunc(int num_msg,
-  * Keyboard interactive would be a lot nicer, but since PAM is synchronous, it
-  * gets very messy trying to send the interactive challenges, and read the
-  * interactive responses, over the network. */
--void svr_auth_pam() {
-+void svr_auth_pam(int valid_user) {
- 
- 	struct UserDataS userData = {NULL, NULL};
- 	struct pam_conv pamConv = {
- 		pamConvFunc,
- 		&userData /* submitted to pamvConvFunc as appdata_ptr */ 
- 	};
-+	const char* printable_user = NULL;
- 
- 	pam_handle_t* pamHandlep = NULL;
- 
-@@ -204,12 +205,23 @@ void svr_auth_pam() {
- 
- 	password = buf_getstring(ses.payload, &passwordlen);
- 
-+	/* We run the PAM conversation regardless of whether the username is valid
-+	in case the conversation function has an inherent delay.
-+	Use ses.authstate.username rather than ses.authstate.pw_name.
-+	After PAM succeeds we then check the valid_user flag too */
-+
- 	/* used to pass data to the PAM conversation function - don't bother with
- 	 * strdup() etc since these are touched only by our own conversation
- 	 * function (above) which takes care of it */
--	userData.user = ses.authstate.pw_name;
-+	userData.user = ses.authstate.username;
- 	userData.passwd = password;
- 
-+	if (ses.authstate.pw_name) {
-+		printable_user = ses.authstate.pw_name;
-+	} else {
-+		printable_user = "<invalid username>";
-+	}
-+
- 	/* Init pam */
- 	if ((rc = pam_start("sshd", NULL, &pamConv, &pamHandlep)) != PAM_SUCCESS) {
- 		dropbear_log(LOG_WARNING, "pam_start() failed, rc=%d, %s", 
-@@ -236,7 +248,7 @@ void svr_auth_pam() {
- 				rc, pam_strerror(pamHandlep, rc));
- 		dropbear_log(LOG_WARNING,
- 				"Bad PAM password attempt for '%s' from %s",
--				ses.authstate.pw_name,
-+				printable_user,
- 				svr_ses.addrstring);
- 		send_msg_userauth_failure(0, 1);
- 		goto cleanup;
-@@ -247,12 +259,18 @@ void svr_auth_pam() {
- 				rc, pam_strerror(pamHandlep, rc));
- 		dropbear_log(LOG_WARNING,
- 				"Bad PAM password attempt for '%s' from %s",
--				ses.authstate.pw_name,
-+				printable_user,
- 				svr_ses.addrstring);
- 		send_msg_userauth_failure(0, 1);
- 		goto cleanup;
- 	}
- 
-+	if (!valid_user) {
-+		/* PAM auth succeeded but the username isn't allowed in for another reason
-+		(checkusername() failed) */
-+		send_msg_userauth_failure(0, 1);
-+	}
-+
- 	/* successful authentication */
- 	dropbear_log(LOG_NOTICE, "PAM password auth succeeded for '%s' from %s",
- 			ses.authstate.pw_name,
---- a/svr-authpasswd.c
-+++ b/svr-authpasswd.c
-@@ -48,22 +48,14 @@ static int constant_time_strcmp(const ch
- 
- /* Process a password auth request, sending success or failure messages as
-  * appropriate */
--void svr_auth_password() {
-+void svr_auth_password(int valid_user) {
- 	
- 	char * passwdcrypt = NULL; /* the crypt from /etc/passwd or /etc/shadow */
- 	char * testcrypt = NULL; /* crypt generated from the user's password sent */
--	char * password;
-+	char * password = NULL;
- 	unsigned int passwordlen;
--
- 	unsigned int changepw;
- 
--	passwdcrypt = ses.authstate.pw_passwd;
--
--#ifdef DEBUG_HACKCRYPT
--	/* debugging crypt for non-root testing with shadows */
--	passwdcrypt = DEBUG_HACKCRYPT;
--#endif
--
- 	/* check if client wants to change password */
- 	changepw = buf_getbool(ses.payload);
- 	if (changepw) {
-@@ -73,12 +65,21 @@ void svr_auth_password() {
- 	}
- 
- 	password = buf_getstring(ses.payload, &passwordlen);
--
--	/* the first bytes of passwdcrypt are the salt */
--	testcrypt = crypt(password, passwdcrypt);
-+	if (valid_user) {
-+		/* the first bytes of passwdcrypt are the salt */
-+		passwdcrypt = ses.authstate.pw_passwd;
-+		testcrypt = crypt(password, passwdcrypt);
-+	}
- 	m_burn(password, passwordlen);
- 	m_free(password);
- 
-+	/* After we have got the payload contents we can exit if the username
-+	is invalid. Invalid users have already been logged. */
-+	if (!valid_user) {
-+		send_msg_userauth_failure(0, 1);
-+		return;
-+	}
-+
- 	if (testcrypt == NULL) {
- 		/* crypt() with an invalid salt like "!!" */
- 		dropbear_log(LOG_WARNING, "User account '%s' is locked",
---- a/svr-authpubkey.c
-+++ b/svr-authpubkey.c
-@@ -79,7 +79,7 @@ static int checkfileperm(char * filename
- 
- /* process a pubkey auth request, sending success or failure message as
-  * appropriate */
--void svr_auth_pubkey() {
-+void svr_auth_pubkey(int valid_user) {
- 
- 	unsigned char testkey; /* whether we're just checking if a key is usable */
- 	char* algo = NULL; /* pubkey algo */
-@@ -102,6 +102,15 @@ void svr_auth_pubkey() {
- 	keybloblen = buf_getint(ses.payload);
- 	keyblob = buf_getptr(ses.payload, keybloblen);
- 
-+	if (!valid_user) {
-+		/* Return failure once we have read the contents of the packet
-+		required to validate a public key. 
-+		Avoids blind user enumeration though it isn't possible to prevent
-+		testing for user existence if the public key is known */
-+		send_msg_userauth_failure(0, 0);
-+		goto out;
-+	}
-+
- 	/* check if the key is valid */
- 	if (checkpubkey(algo, algolen, keyblob, keybloblen) == DROPBEAR_FAILURE) {
- 		send_msg_userauth_failure(0, 0);
diff --git a/package/network/services/dropbear/patches/100-pubkey_path.patch b/package/network/services/dropbear/patches/100-pubkey_path.patch
index 274d3af46a..732d84078f 100644
--- a/package/network/services/dropbear/patches/100-pubkey_path.patch
+++ b/package/network/services/dropbear/patches/100-pubkey_path.patch
@@ -1,6 +1,6 @@
 --- a/svr-authpubkey.c
 +++ b/svr-authpubkey.c
-@@ -229,14 +229,20 @@ static int checkpubkey(char* algo, unsig
+@@ -338,14 +338,19 @@ static int checkpubkey(const char* algo,
  		goto out;
  	}
  
@@ -25,34 +25,23 @@
 +		filename = m_malloc(30);
 +		strncpy(filename, "/etc/dropbear/authorized_keys", 30);
 +	}
-+
  
+ #if DROPBEAR_SVR_MULTIUSER
  	/* open the file as the authenticating user. */
- 	origuid = getuid();
-@@ -405,26 +411,35 @@ static int checkpubkeyperms() {
+@@ -426,27 +431,36 @@ static int checkpubkeyperms() {
  		goto out;
  	}
  
 -	/* allocate max required pathname storage,
 -	 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
--	filename = m_malloc(len + 22);
--	strncpy(filename, ses.authstate.pw_dir, len+1);
+-	len += 22;
+-	filename = m_malloc(len);
+-	strlcpy(filename, ses.authstate.pw_dir, len);
 -
 -	/* check ~ */
 -	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
 -		goto out;
 -	}
--
--	/* check ~/.ssh */
--	strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */
--	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
--		goto out;
--	}
--
--	/* now check ~/.ssh/authorized_keys */
--	strncat(filename, "/authorized_keys", 16);
--	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
--		goto out;
 +	if (ses.authstate.pw_uid == 0) {
 +		if (checkfileperm("/etc/dropbear") != DROPBEAR_SUCCESS) {
 +			goto out;
@@ -63,22 +52,32 @@
 +	} else {
 +		/* allocate max required pathname storage,
 +		 * = path + "/.ssh/authorized_keys" + '\0' = pathlen + 22 */
-+		filename = m_malloc(len + 22);
-+		strncpy(filename, ses.authstate.pw_dir, len+1);
++		len += 22;
++		filename = m_malloc(len);
++		strlcpy(filename, ses.authstate.pw_dir, len);
 +
 +		/* check ~ */
 +		if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
 +			goto out;
 +		}
-+
+ 
+-	/* check ~/.ssh */
+-	strlcat(filename, "/.ssh", len);
+-	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+-		goto out;
+-	}
 +		/* check ~/.ssh */
-+		strncat(filename, "/.ssh", 5); /* strlen("/.ssh") == 5 */
++		strlcat(filename, "/.ssh", len);
 +		if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
 +			goto out;
 +		}
-+
+ 
+-	/* now check ~/.ssh/authorized_keys */
+-	strlcat(filename, "/authorized_keys", len);
+-	if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
+-		goto out;
 +		/* now check ~/.ssh/authorized_keys */
-+		strncat(filename, "/authorized_keys", 16);
++		strlcat(filename, "/authorized_keys", len);
 +		if (checkfileperm(filename) != DROPBEAR_SUCCESS) {
 +			goto out;
 +		}
diff --git a/package/network/services/dropbear/patches/110-change_user.patch b/package/network/services/dropbear/patches/110-change_user.patch
index 4b5c1cb51b..27e7fbaf4f 100644
--- a/package/network/services/dropbear/patches/110-change_user.patch
+++ b/package/network/services/dropbear/patches/110-change_user.patch
@@ -1,6 +1,6 @@
 --- a/svr-chansession.c
 +++ b/svr-chansession.c
-@@ -922,12 +922,12 @@ static void execchild(void *user_data) {
+@@ -953,12 +953,12 @@ static void execchild(const void *user_d
  	/* We can only change uid/gid as root ... */
  	if (getuid() == 0) {
  
diff --git a/package/network/services/dropbear/patches/120-openwrt_options.patch b/package/network/services/dropbear/patches/120-openwrt_options.patch
deleted file mode 100644
index 7f47a74304..0000000000
--- a/package/network/services/dropbear/patches/120-openwrt_options.patch
+++ /dev/null
@@ -1,82 +0,0 @@
---- a/options.h
-+++ b/options.h
-@@ -41,7 +41,7 @@
-  * Both of these flags can be defined at once, don't compile without at least
-  * one of them. */
- #define NON_INETD_MODE
--#define INETD_MODE
-+/*#define INETD_MODE*/
- 
- /* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
-  * perhaps 20% slower for pubkey operations (it is probably worth experimenting
-@@ -81,7 +81,7 @@ much traffic. */
- 
- /* Enable "Netcat mode" option. This will forward standard input/output
-  * to a remote TCP-forwarded connection */
--#define ENABLE_CLI_NETCAT
-+/*#define ENABLE_CLI_NETCAT*/
- 
- /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
- #define ENABLE_USER_ALGO_LIST
-@@ -91,16 +91,16 @@ much traffic. */
-  * Including multiple keysize variants the same cipher 
-  * (eg AES256 as well as AES128) will result in a minimal size increase.*/
- #define DROPBEAR_AES128
--#define DROPBEAR_3DES
-+/*#define DROPBEAR_3DES*/
- #define DROPBEAR_AES256
- /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
- /*#define DROPBEAR_BLOWFISH*/
--#define DROPBEAR_TWOFISH256
--#define DROPBEAR_TWOFISH128
-+/*#define DROPBEAR_TWOFISH256*/
-+/*#define DROPBEAR_TWOFISH128*/
- 
- /* Enable CBC mode for ciphers. This has security issues though
-  * is the most compatible with older SSH implementations */
--#define DROPBEAR_ENABLE_CBC_MODE
-+/*#define DROPBEAR_ENABLE_CBC_MODE*/
- 
- /* Enable "Counter Mode" for ciphers. This is more secure than normal
-  * CBC mode against certain attacks. It is recommended for security
-@@ -131,10 +131,10 @@ If you test it please contact the Dropbe
-  * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
-  * which are not the standard form. */
- #define DROPBEAR_SHA1_HMAC
--#define DROPBEAR_SHA1_96_HMAC
-+/*#define DROPBEAR_SHA1_96_HMAC*/
- #define DROPBEAR_SHA2_256_HMAC
--#define DROPBEAR_SHA2_512_HMAC
--#define DROPBEAR_MD5_HMAC
-+/*#define DROPBEAR_SHA2_512_HMAC*/
-+/*#define DROPBEAR_MD5_HMAC*/
- 
- /* You can also disable integrity. Don't bother disabling this if you're
-  * still using a cipher, it's relatively cheap. If you disable this it's dead
-@@ -146,7 +146,7 @@ If you test it please contact the Dropbe
-  * Removing either of these won't save very much space.
-  * SSH2 RFC Draft requires dss, recommends rsa */
- #define DROPBEAR_RSA
--#define DROPBEAR_DSS
-+/*#define DROPBEAR_DSS*/
- /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
-  * code (either ECDSA or ECDH) increases binary size - around 30kB
-  * on x86-64 */
-@@ -194,7 +194,7 @@ If you test it please contact the Dropbe
- 
- /* Whether to print the message of the day (MOTD). This doesn't add much code
-  * size */
--#define DO_MOTD
-+/*#define DO_MOTD*/
- 
- /* The MOTD file path */
- #ifndef MOTD_FILENAME
-@@ -242,7 +242,7 @@ Homedir is prepended unless path begins
-  * note that it will be provided for all "hidden" client-interactive
-  * style prompts - if you want something more sophisticated, use 
-  * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/
--#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"
-+/*#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"*/
- 
- /* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of
-  * a helper program for the ssh client. The helper program should be
diff --git a/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch b/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
index ab09c2f3dc..5e736320cc 100644
--- a/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
+++ b/package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch
@@ -1,6 +1,6 @@
 --- a/cli-runopts.c
 +++ b/cli-runopts.c
-@@ -296,6 +296,8 @@ void cli_getopts(int argc, char ** argv)
+@@ -299,6 +299,8 @@ void cli_getopts(int argc, char ** argv)
  					debug_trace = 1;
  					break;
  #endif
@@ -8,4 +8,4 @@
 +					break;
  				case 'F':
  				case 'e':
- #ifndef ENABLE_USER_ALGO_LIST
+ #if !DROPBEAR_USER_ALGO_LIST
diff --git a/package/network/services/dropbear/patches/140-disable_assert.patch b/package/network/services/dropbear/patches/140-disable_assert.patch
index 78b54acfa0..8c3ae7f119 100644
--- a/package/network/services/dropbear/patches/140-disable_assert.patch
+++ b/package/network/services/dropbear/patches/140-disable_assert.patch
@@ -1,6 +1,6 @@
 --- a/dbutil.h
 +++ b/dbutil.h
-@@ -78,7 +78,11 @@ int m_str_to_uint(const char* str, unsig
+@@ -75,7 +75,11 @@ int m_str_to_uint(const char* str, unsig
  #define DEF_MP_INT(X) mp_int X = {0, 0, 0, NULL}
  
  /* Dropbear assertion */
diff --git a/package/network/services/dropbear/patches/150-dbconvert_standalone.patch b/package/network/services/dropbear/patches/150-dbconvert_standalone.patch
deleted file mode 100644
index ccc2cb7925..0000000000
--- a/package/network/services/dropbear/patches/150-dbconvert_standalone.patch
+++ /dev/null
@@ -1,14 +0,0 @@
---- a/options.h
-+++ b/options.h
-@@ -5,6 +5,11 @@
- #ifndef DROPBEAR_OPTIONS_H_
- #define DROPBEAR_OPTIONS_H_
- 
-+#if !defined(DROPBEAR_CLIENT) && !defined(DROPBEAR_SERVER)
-+#define DROPBEAR_SERVER
-+#define DROPBEAR_CLIENT
-+#endif
-+
- /* Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif"
-  * parts are to allow for commandline -DDROPBEAR_XXX options etc. */
- 
diff --git a/package/network/services/dropbear/patches/160-lto-jobserver.patch b/package/network/services/dropbear/patches/160-lto-jobserver.patch
index bb94492833..02765335d3 100644
--- a/package/network/services/dropbear/patches/160-lto-jobserver.patch
+++ b/package/network/services/dropbear/patches/160-lto-jobserver.patch
@@ -1,6 +1,6 @@
 --- a/Makefile.in
 +++ b/Makefile.in
-@@ -163,17 +163,17 @@ dropbearkey: $(dropbearkeyobjs)
+@@ -189,17 +189,17 @@ dropbearkey: $(dropbearkeyobjs)
  dropbearconvert: $(dropbearconvertobjs)
  
  dropbear: $(HEADERS) $(LIBTOM_DEPS) Makefile
@@ -12,8 +12,8 @@
 +	+$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS)
  
  dropbearkey dropbearconvert: $(HEADERS) $(LIBTOM_DEPS) Makefile
--	$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS)
-+	+$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS)
+-	$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS)
++	+$(CC) $(LDFLAGS) -o $@$(EXEEXT) $($@objs) $(LIBTOM_LIBS) $(LIBS)
  
  # scp doesn't use the libs so is special.
  scp: $(SCPOBJS)  $(HEADERS) Makefile
@@ -22,7 +22,7 @@
  
  
  # multi-binary compilation.
-@@ -184,7 +184,7 @@ ifeq ($(MULTI),1)
+@@ -210,7 +210,7 @@ ifeq ($(MULTI),1)
  endif
  
  dropbearmulti$(EXEEXT): $(HEADERS) $(MULTIOBJS) $(LIBTOM_DEPS) Makefile
diff --git a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
index 7c67b086bb..b138862ca3 100644
--- a/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
+++ b/package/network/services/dropbear/patches/600-allow-blank-root-password.patch
@@ -1,6 +1,6 @@
 --- a/svr-auth.c
 +++ b/svr-auth.c
-@@ -149,7 +149,7 @@ void recv_msg_userauth_request() {
+@@ -125,7 +125,7 @@ void recv_msg_userauth_request() {
  				AUTH_METHOD_NONE_LEN) == 0) {
  		TRACE(("recv_msg_userauth_request: 'none' request"))
  		if (valid_user
diff --git a/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch b/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
deleted file mode 100644
index a555a9e498..0000000000
--- a/package/network/services/dropbear/patches/610-skip-default-keys-in-custom-runs.patch
+++ /dev/null
@@ -1,18 +0,0 @@
---- a/svr-runopts.c
-+++ b/svr-runopts.c
-@@ -505,6 +505,7 @@ void load_all_hostkeys() {
- 		m_free(hostkey_file);
- 	}
- 
-+	if (svr_opts.num_hostkey_files <= 0) {
- #ifdef DROPBEAR_RSA
- 	loadhostkey(RSA_PRIV_FILENAME, 0);
- #endif
-@@ -516,6 +517,7 @@ void load_all_hostkeys() {
- #ifdef DROPBEAR_ECDSA
- 	loadhostkey(ECDSA_PRIV_FILENAME, 0);
- #endif
-+	}
- 
- #ifdef DROPBEAR_DELAY_HOSTKEY
- 	if (svr_opts.delay_hostkey) {
-- 
2.30.2