dropbear: bump to 2022.83

- update dropbear to latest stable 2022.83;
  for the changes see https://matt.ucc.asn.au/dropbear/CHANGES
- drop patches:
  - 001-fix-MAX_UNAUTH_CLIENTS-regression.patch
- rework patches:
  - 901-bundled-libs-cflags.patch
- refresh remaining patches

Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>

package/network/services/dropbear/Makefile

@@ -8,14 +8,14 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dropbear
-PKG_VERSION:=2022.82
-PKG_RELEASE:=5
+PKG_VERSION:=2022.83
+PKG_RELEASE:=1
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
 	https://matt.ucc.asn.au/dropbear/releases/ \
 	https://dropbear.nl/mirror/releases/
-PKG_HASH:=3a038d2bbc02bf28bbdd20c012091f741a3ec5cbe460691811d714876aad75d1
+PKG_HASH:=bc5a121ffbc94b5171ad5ebe01be42746d50aa797c9549a4639894a16749443b
 
 PKG_LICENSE:=MIT
 PKG_LICENSE_FILES:=LICENSE libtomcrypt/LICENSE libtommath/LICENSE
@@ -114,6 +114,7 @@ DB_OPT_COMMON = \
 	DEFAULT_PATH|"$(TARGET_INIT_PATH)" \
 	!!LOCAL_IDENT|"SSH-2.0-dropbear" \
 	DROPBEAR_CLI_NETCAT|0 \
+	!!DROPBEAR_DSS|0 \
 	DROPBEAR_DSS|0 \
 	DO_MOTD|0 \
 
@@ -181,10 +182,12 @@ endef
 define Build/Compile
 	+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
 		$(TARGET_CONFIGURE_OPTS) \
+		IGNORE_SPEED=1 \
 		PROGRAMS="dropbear $(if $(CONFIG_DROPBEAR_DBCLIENT),dbclient,) dropbearkey $(if $(CONFIG_DROPBEAR_SCP),scp,)" \
 		MULTI=1 SCPPROGRESS=1
 	+$(MAKE) $(PKG_JOBS) -C $(PKG_BUILD_DIR) \
 		$(TARGET_CONFIGURE_OPTS) \
+		IGNORE_SPEED=1 \
 		PROGRAMS="dropbearconvert"
 endef
 

package/network/services/dropbear/patches/001-fix-MAX_UNAUTH_CLIENTS-regression.patch

@@ -1,134 +0,0 @@
-From: Matt Johnston <matt@ucc.asn.au>
-Date: Wed, 8 Jun 2022 21:26:20 +0800
-Subject: Fix MAX_UNAUTH_CLIENTS regression
-
-Since re-exec change in 2022.82 Dropbear count
-treat authenticated sessions towards the unauthenticated
-session limit. This is fixed by passing the childpipe FD
-through to the re-execed process.
----
- runopts.h     |  5 +++--
- svr-main.c    | 21 +++++++++++----------
- svr-runopts.c | 15 ++++++++++++---
- 3 files changed, 26 insertions(+), 15 deletions(-)
-
---- a/runopts.h
-+++ b/runopts.h
-@@ -79,8 +79,9 @@ typedef struct svr_runopts {
- 	char *addresses[DROPBEAR_MAX_PORTS];
- 
- 	int inetdmode;
--	/* Hidden "-2" flag indicates it's re-executing itself */
--	int reexec_child;
-+	/* Hidden "-2 childpipe_fd" flag indicates it's re-executing itself,
-+	   stores the childpipe preauth file descriptor. Set to -1 otherwise. */
-+	int reexec_childpipe;
- 
- 	/* Flags indicating whether to use ipv4 and ipv6 */
- 	/* not used yet
---- a/svr-main.c
-+++ b/svr-main.c
-@@ -71,7 +71,7 @@ int main(int argc, char ** argv)
- #endif
- 
- #if DROPBEAR_DO_REEXEC
--	if (svr_opts.reexec_child) {
-+	if (svr_opts.reexec_childpipe >= 0) {
- #ifdef PR_SET_NAME
- 		/* Fix the "Name:" in /proc/pid/status, otherwise it's
- 		a FD number from fexecve.
-@@ -102,7 +102,7 @@ static void main_inetd() {
- 
- 	seedrandom();
- 
--	if (!svr_opts.reexec_child) {
-+	if (svr_opts.reexec_childpipe < 0) {
- 		/* In case our inetd was lax in logging source addresses */
- 		get_socket_address(0, NULL, NULL, &host, &port, 0);
- 			dropbear_log(LOG_INFO, "Child connection from %s:%s", host, port);
-@@ -115,10 +115,8 @@ static void main_inetd() {
- 		setsid();
- 	}
- 
--	/* Start service program 
--	 * -1 is a dummy childpipe, just something we can close() without 
--	 * mattering. */
--	svr_session(0, -1);
-+	/* -1 for childpipe in the inetd case is discarded */
-+	svr_session(0, svr_opts.reexec_childpipe);
- 
- 	/* notreached */
- }
-@@ -347,9 +345,10 @@ static void main_noinetd(int argc, char
- 
- 				if (execfd >= 0) {
- #if DROPBEAR_DO_REEXEC
--					/* Add "-2" to the args and re-execute ourself. */
--					char **new_argv = m_malloc(sizeof(char*) * (argc+3));
--					int pos0 = 0, new_argc = argc+1;
-+					/* Add "-2 childpipe[1]" to the args and re-execute ourself. */
-+					char **new_argv = m_malloc(sizeof(char*) * (argc+4));
-+					char buf[10];
-+					int pos0 = 0, new_argc = argc+2;
- 
- 					/* We need to specially handle "dropbearmulti dropbear". */
- 					if (multipath) {
-@@ -359,7 +358,9 @@ static void main_noinetd(int argc, char
- 					}
- 
- 					memcpy(&new_argv[pos0], argv, sizeof(char*) * argc);
--					new_argv[new_argc-1] = "-2";
-+					new_argv[new_argc-2] = "-2";
-+					snprintf(buf, sizeof(buf), "%d", childpipe[1]);
-+					new_argv[new_argc-1] = buf;
- 					new_argv[new_argc] = NULL;
- 
- 					if ((dup2(childsock, STDIN_FILENO) < 0)) {
---- a/svr-runopts.c
-+++ b/svr-runopts.c
-@@ -138,6 +138,7 @@ void svr_getopts(int argc, char ** argv)
- 	char* keepalive_arg = NULL;
- 	char* idle_timeout_arg = NULL;
- 	char* maxauthtries_arg = NULL;
-+	char* reexec_fd_arg = NULL;
- 	char* keyfile = NULL;
- 	char c;
- #if DROPBEAR_PLUGIN
-@@ -175,6 +176,7 @@ void svr_getopts(int argc, char ** argv)
-         svr_opts.pubkey_plugin_options = NULL;
- #endif
- 	svr_opts.pass_on_env = 0;
-+	svr_opts.reexec_childpipe = -1;
- 
- #ifndef DISABLE_ZLIB
- 	opts.compress_mode = DROPBEAR_COMPRESS_DELAYED;
-@@ -250,12 +252,12 @@ void svr_getopts(int argc, char ** argv)
- #if DROPBEAR_DO_REEXEC && NON_INETD_MODE
- 				/* For internal use by re-exec */
- 				case '2':
--					svr_opts.reexec_child = 1;
-+					next = &reexec_fd_arg;
- 					break;
- #endif
- 				case 'p':
--				  nextisport = 1;
--				  break;
-+					nextisport = 1;
-+					break;
- 				case 'P':
- 					next = &svr_opts.pidfile;
- 					break;
-@@ -426,6 +428,13 @@ void svr_getopts(int argc, char ** argv)
- 		dropbear_log(LOG_INFO, "Forced command set to '%s'", svr_opts.forced_command);
- 	}
- 
-+	if (reexec_fd_arg) {
-+		if (m_str_to_uint(reexec_fd_arg, &svr_opts.reexec_childpipe) == DROPBEAR_FAILURE
-+			|| svr_opts.reexec_childpipe < 0) {
-+			dropbear_exit("Bad -2");
-+		}
-+	}
-+
- #if INETD_MODE
- 	if (svr_opts.inetdmode && (
- 		opts.usingsyslog == 0

package/network/services/dropbear/patches/100-pubkey_path.patch

@@ -1,6 +1,6 @@
 --- a/svr-authpubkey.c
 +++ b/svr-authpubkey.c
-@@ -77,6 +77,13 @@ static void send_msg_userauth_pk_ok(cons
+@@ -78,6 +78,13 @@ static void send_msg_userauth_pk_ok(cons
  		const unsigned char* keyblob, unsigned int keybloblen);
  static int checkfileperm(char * filename);
  
@@ -14,7 +14,7 @@
  /* process a pubkey auth request, sending success or failure message as
   * appropriate */
  void svr_auth_pubkey(int valid_user) {
-@@ -439,14 +446,21 @@ static int checkpubkey(const char* keyal
+@@ -462,14 +469,21 @@ static int checkpubkey(const char* keyal
  	if (checkpubkeyperms() == DROPBEAR_FAILURE) {
  		TRACE(("bad authorized_keys permissions, or file doesn't exist"))
  	} else {
@@ -44,7 +44,7 @@
  
  		authfile = fopen(filename, "r");
  		if (!authfile) {
-@@ -520,27 +534,41 @@ static int checkpubkeyperms() {
+@@ -543,27 +557,41 @@ static int checkpubkeyperms() {
  		goto out;
  	}
  

package/network/services/dropbear/patches/130-ssh_ignore_x_args.patch

@@ -1,8 +1,8 @@
 --- a/cli-runopts.c
 +++ b/cli-runopts.c
-@@ -325,6 +325,10 @@ void cli_getopts(int argc, char ** argv)
- 				case 'b':
- 					next = &bind_arg;
+@@ -329,6 +329,10 @@ void cli_getopts(int argc, char ** argv)
+ 				case 'z':
+ 					opts.disable_ip_tos = 1;
  					break;
 +				case 'x':
 +					/* compatibility with openssh cli

package/network/services/dropbear/patches/900-configure-hardening.patch

@@ -1,6 +1,6 @@
 --- a/configure.ac
 +++ b/configure.ac
-@@ -74,53 +74,6 @@ AC_ARG_ENABLE(harden,
+@@ -87,54 +87,6 @@ AC_ARG_ENABLE(harden,
  
  if test "$hardenbuild" -eq 1; then
  	AC_MSG_NOTICE(Checking for available hardened build flags:)
@@ -11,15 +11,15 @@
 -
 -		OLDLDFLAGS="$LDFLAGS"
 -		TESTFLAGS="-Wl,-pie"
--		LDFLAGS="$LDFLAGS $TESTFLAGS"
--		AC_LINK_IFELSE([AC_LANG_PROGRAM([])], 
--			[AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+-		LDFLAGS="$TESTFLAGS $LDFLAGS"
+-		AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
+-			[AC_MSG_NOTICE([Setting $TESTFLAGS])],
 -			[
 -				LDFLAGS="$OLDLDFLAGS"
 -				TESTFLAGS="-pie"
--				LDFLAGS="$LDFLAGS $TESTFLAGS"
--				AC_LINK_IFELSE([AC_LANG_PROGRAM([])], 
--					[AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+-				LDFLAGS="$TESTFLAGS $LDFLAGS"
+-				AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
+-					[AC_MSG_NOTICE([Setting $TESTFLAGS])],
 -					[AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
 -					)
 -			]
@@ -27,30 +27,31 @@
 -		# readonly elf relocation sections (relro)
 -		OLDLDFLAGS="$LDFLAGS"
 -		TESTFLAGS="-Wl,-z,now -Wl,-z,relro"
--		LDFLAGS="$LDFLAGS $TESTFLAGS"
--		AC_LINK_IFELSE([AC_LANG_PROGRAM([])], 
--			[AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+-		LDFLAGS="$TESTFLAGS $LDFLAGS"
+-		AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
+-			[AC_MSG_NOTICE([Setting $TESTFLAGS])],
 -			[AC_MSG_NOTICE([Not setting $TESTFLAGS]); LDFLAGS="$OLDLDFLAGS" ]
 -			)
 -	fi # non-static
 -	# stack protector. -strong is good but only in gcc 4.9 or later
 -	OLDCFLAGS="$CFLAGS"
 -	TESTFLAGS="-fstack-protector-strong"
--	CFLAGS="$CFLAGS $TESTFLAGS"
--	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], 
--	    [AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+-	CFLAGS="$TESTFLAGS $CFLAGS"
+-	AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
+-	    [AC_MSG_NOTICE([Setting $TESTFLAGS])],
 -	    [
 -			CFLAGS="$OLDCFLAGS"
 -			TESTFLAGS="-fstack-protector --param=ssp-buffer-size=4"
--			CFLAGS="$CFLAGS $TESTFLAGS"
--			AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])], 
--			    [AC_MSG_NOTICE([Setting $TESTFLAGS])], 
+-			CFLAGS="$TESTFLAGS $CFLAGS"
+-			AC_LINK_IFELSE([AC_LANG_PROGRAM([])],
+-			    [AC_MSG_NOTICE([Setting $TESTFLAGS])],
 -			    [AC_MSG_NOTICE([Not setting $TESTFLAGS]); CFLAGS="$OLDCFLAGS" ]
 -			    )
 -	    ]
 -	    )
 -	# FORTIFY_SOURCE
 -	DB_TRYADDCFLAGS([-D_FORTIFY_SOURCE=2])
- 
+-
  	# Spectre v2 mitigations
  	DB_TRYADDCFLAGS([-mfunction-return=thunk])
+ 	DB_TRYADDCFLAGS([-mindirect-branch=thunk])

package/network/services/dropbear/patches/901-bundled-libs-cflags.patch

@@ -1,48 +1,29 @@
---- a/libtomcrypt/makefile_include.mk
-+++ b/libtomcrypt/makefile_include.mk
-@@ -94,6 +94,13 @@ endif
+--- a/configure.ac
++++ b/configure.ac
+@@ -45,11 +45,8 @@ fi
+ # LTM_CFLAGS is given to ./configure by the user, 
+ # DROPBEAR_LTM_CFLAGS is substituted in the LTM Makefile.in
+ DROPBEAR_LTM_CFLAGS="$LTM_CFLAGS"
+-if test -z "$DROPBEAR_LTM_CFLAGS"; then
+-	DROPBEAR_LTM_CFLAGS="-O3 -funroll-loops -fomit-frame-pointer"
+-fi
+-AC_MSG_NOTICE(Setting LTM_CFLAGS to $DROPBEAR_LTM_CFLAGS)
+-AC_ARG_VAR(LTM_CFLAGS, CFLAGS for bundled libtommath. Default -O3 -funroll-loops -fomit-frame-pointer)
++AC_MSG_NOTICE(Setting LTM_CFLAGS to '$DROPBEAR_LTM_CFLAGS')
++AC_ARG_VAR(LTM_CFLAGS, CFLAGS for bundled libtommath. Defaults to empty string)
+ AC_SUBST(DROPBEAR_LTM_CFLAGS)
  
- LTC_CFLAGS += -Wno-type-limits
+ AC_MSG_NOTICE([Checking if compiler '$CC' supports -Wno-pointer-sign])
+--- a/libtomcrypt/src/headers/tomcrypt_dropbear.h
++++ b/libtomcrypt/src/headers/tomcrypt_dropbear.h
+@@ -7,8 +7,10 @@
  
-+ifdef OPENWRT_BUILD
-+  ifeq (-Os,$(filter -Os,$(CFLAGS)))
-+    LTC_CFLAGS += -DLTC_SMALL_CODE
-+  endif
-+else
-+  ### ! OPENWRT_BUILD
-+
- ifdef LTC_DEBUG
- $(info Debug build)
- # compile for DEBUGGING (required for ccmalloc checking!!!)
-@@ -121,6 +128,9 @@ endif
- endif # COMPILE_SMALL
- endif # COMPILE_DEBUG
+ /* Use small code where possible */
+ #if DROPBEAR_SMALL_CODE
++#ifndef LTC_SMALL_CODE
+ #define LTC_SMALL_CODE
+ #endif
++#endif
  
-+  ### ! OPENWRT_BUILD
-+endif
-+
- 
- ifneq ($(findstring clang,$(CC)),)
- LTC_CFLAGS += -Wno-typedef-redefinition -Wno-tautological-compare -Wno-builtin-requires-header -Wno-missing-field-initializers
---- a/libtommath/makefile_include.mk
-+++ b/libtommath/makefile_include.mk
-@@ -70,6 +70,9 @@ else
- LTM_CFLAGS += -Wsystem-headers
- endif
- 
-+ifndef OPENWRT_BUILD
-+  ### ! OPENWRT_BUILD
-+
- ifdef COMPILE_DEBUG
- #debug
- LTM_CFLAGS += -g3
-@@ -90,6 +93,9 @@ endif
- 
- endif # COMPILE_SIZE
- 
-+  ### ! OPENWRT_BUILD
-+endif
-+
- ifneq ($(findstring clang,$(CC)),)
- LTM_CFLAGS += -Wno-typedef-redefinition -Wno-tautological-compare -Wno-builtin-requires-header
- endif
+ /* Fewer entries needed */
+ #define TAB_SIZE      5