V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

lib/cdi_0050_debug/0056_debug_guard.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Wrapper that enables and disables XTRACE password handling safely.
+# Globals:
+#   VAR_DEBUG_TRACE
+# Arguments:
+#   1: on [set +x] || off [set -x]
+#######################################
+guard_trace() {
+  case "${1,,}" in
+    on)  [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x;;
+    off) [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x;;
+  esac
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/cdi_0100_arg/0104_arg_passphrase_modules.sh

@@ -57,8 +57,7 @@ read_password_file() {
   declare -a lines=()
 
   ### TODO: PASSWORD REMINDER START
-  ### No tracing for security reasons
-  [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
+  guard_trace on
 
   if [[ ! -f "${var_input_file}" ]]; then
 
@@ -88,9 +87,8 @@ read_password_file() {
 
   fi
 
-  ### Turn on tracing again
-  [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
   ### TODO: PASSWORD REMINDER STOP
+  guard_trace off
 
   sync
 

lib/cdi_0100_arg/0105_arg_nuke_converter.sh

@@ -29,36 +29,34 @@ nuke_passphrase() {
   declare -r var_nuke_pwd_file="${DIR_CNF}/password_luks_nuke.txt"
   declare    var_temp_nuke_hash="" var_temp_plain_nuke_pwd="" var_salt=""
 
-  ### TODO: PASSWORD REMINDER START
-  ### No tracing for security reasons
+  [[ ! -f "${var_nuke_pwd_file}" ]] && return 0
 
-  [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
+  ### TODO: PASSWORD REMINDER START
+  guard_trace on
 
   if ! read_password_file "${var_nuke_pwd_file}" var_temp_plain_nuke_pwd; then
 
     return "${ERR_READ_NUKE_FILE}"
+
   fi
 
-
-  ### Turn on tracing again
-  [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
   ### TODO: PASSWORD REMINDER STOP
+  guard_trace off
 
   if ! var_salt="$(generate_salt)"; then
 
     return "${ERR_GENERATE_SALT}"
+
   fi
 
 
   ### TODO: PASSWORD REMINDER START
-  ### No tracing for security reasons
-  [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
+  guard_trace on
 
   var_temp_nuke_hash=$(mkpasswd --method=sha-512 --salt="${var_salt}" --rounds="${VAR_NUKE_ROUNDS:-8388608}" "${var_temp_plain_nuke_pwd}")
 
-  ### Turn on tracing again
-  [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
   ### TODO: PASSWORD REMINDER STOP
+  guard_trace off
 
   declare -grx VAR_NUKE_HASH="${var_temp_nuke_hash}"
   unset var_temp_nuke_hash var_temp_plain_nuke_pwd