V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-08-11 08:12:39 +02:00
parent f39096f4f9
commit 034f4de335
5 changed files with 48 additions and 26 deletions
--- a/func/cdi_4500_user/4500_installation_accounts.sh
+++ b/func/cdi_4500_user/4500_installation_accounts.sh
@@ -181,8 +181,7 @@ write_google_authenticator_file() {
  declare -i  i=0

  ### TODO: PASSWORD REMINDER START:NOT ACTIVE
-  ### No tracing for security reasons
-  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
+  #guard_trace on

  var_secret="$(generate_totp_secret "${var_user}")"

@@ -198,9 +197,8 @@ write_google_authenticator_file() {
    for i in {0..7}; do printf '%08d\n' "$(( RANDOM % 100000000 ))"; done
  } >| "${var_base}/.google_authenticator"

-  ### Turn on tracing again
-  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
  ### TODO: PASSWORD REMINDER STOP:NOT ACTIVE
+  #guard_trace off

  chown "${var_user}:${var_user}" "${var_base}/.google_authenticator"

@@ -233,8 +231,7 @@ generate_totp_secret() {
  declare  var_secret=""

  ### TODO: PASSWORD REMINDER START:NOT ACTIVE
-  ### No tracing for security reasons
-  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
+  #guard_trace on

  ### Derive 20 bytes via HKDF-SHA256 using OpenSSL 3 kdf, output as raw, then base32 (uppercase, no padding).
  # shellcheck disable=SC2312
@@ -243,9 +240,8 @@ generate_totp_secret() {
      -kdfopt salt:"${var_salt}" -kdfopt info:"${var_info}" -binary HKDF | base32 | tr -d '=' | tr '[:lower:]' '[:upper:]'
  )"

-  ### Turn on tracing again
-  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
  ### TODO: PASSWORD REMINDER STOP:NOT ACTIVE
+  #guard_trace off

  printf '%s\n' "${var_secret}"
  return 0
@@ -268,18 +264,19 @@ read_totp_seed(){
  declare -g VAR_TEMP_PLAIN_MFA_SEED=""

  ### TODO: PASSWORD REMINDER START:NOT ACTIVE
-  ### No tracing for security reasons
-  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
+  #guard_trace on
+
  if ! read_password_file "${var_mfa_seed_file}" VAR_TEMP_PLAIN_MFA_SEED; then
+
    return "${ERR_READ_SEED_FILE}"
+
  fi

  ### Validate: exactly 64 hex.
  [[ "${VAR_TEMP_PLAIN_MFA_SEED}" =~ ^[0-9a-fA-F]{64}$ ]] || return "${ERR_READ_SEED_FILE}"

-  ### Turn on tracing again
-  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
  ### TODO: PASSWORD REMINDER STOP:NOT ACTIVE
+  #guard_trace off

  return 0
 }
--- a/lib/cdi_0050_debug/0056_debug_guard.sh
+++ b/lib/cdi_0050_debug/0056_debug_guard.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Wrapper that enables and disables XTRACE password handling safely.
+# Globals:
+#   VAR_DEBUG_TRACE
+# Arguments:
+#   1: on [set +x] || off [set -x]
+#######################################
+guard_trace() {
+  case "${1,,}" in
+    on)  [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x;;
+    off) [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x;;
+  esac
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/lib/cdi_0100_arg/0104_arg_passphrase_modules.sh
+++ b/lib/cdi_0100_arg/0104_arg_passphrase_modules.sh
@@ -57,8 +57,7 @@ read_password_file() {
  declare -a lines=()

  ### TODO: PASSWORD REMINDER START
-  ### No tracing for security reasons
-  [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
+  guard_trace on

  if [[ ! -f "${var_input_file}" ]]; then

@@ -88,9 +87,8 @@ read_password_file() {

  fi

-  ### Turn on tracing again
-  [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
  ### TODO: PASSWORD REMINDER STOP
+  guard_trace off

  sync

--- a/lib/cdi_0100_arg/0105_arg_nuke_converter.sh
+++ b/lib/cdi_0100_arg/0105_arg_nuke_converter.sh
@@ -29,36 +29,34 @@ nuke_passphrase() {
  declare -r var_nuke_pwd_file="${DIR_CNF}/password_luks_nuke.txt"
  declare    var_temp_nuke_hash="" var_temp_plain_nuke_pwd="" var_salt=""

-  ### TODO: PASSWORD REMINDER START
-  ### No tracing for security reasons
+  [[ ! -f "${var_nuke_pwd_file}" ]] && return 0

-  [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
+  ### TODO: PASSWORD REMINDER START
+  guard_trace on

  if ! read_password_file "${var_nuke_pwd_file}" var_temp_plain_nuke_pwd; then

    return "${ERR_READ_NUKE_FILE}"
+
  fi

-
-  ### Turn on tracing again
-  [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
  ### TODO: PASSWORD REMINDER STOP
+  guard_trace off

  if ! var_salt="$(generate_salt)"; then

    return "${ERR_GENERATE_SALT}"
+
  fi


  ### TODO: PASSWORD REMINDER START
-  ### No tracing for security reasons
-  [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
+  guard_trace on

  var_temp_nuke_hash=$(mkpasswd --method=sha-512 --salt="${var_salt}" --rounds="${VAR_NUKE_ROUNDS:-8388608}" "${var_temp_plain_nuke_pwd}")

-  ### Turn on tracing again
-  [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
  ### TODO: PASSWORD REMINDER STOP
+  guard_trace off

  declare -grx VAR_NUKE_HASH="${var_temp_nuke_hash}"
  unset var_temp_nuke_hash var_temp_plain_nuke_pwd
--- a/meta_loader_lib.sh
+++ b/meta_loader_lib.sh
@@ -30,6 +30,7 @@ source_guard "./lib/cdi_0050_debug/0052_debug_trace.sh"
 source_guard "./lib/cdi_0050_debug/0053_debug_trace_header.sh"
 source_guard "./lib/cdi_0050_debug/0054_debug_trap.sh"
 source_guard "./lib/cdi_0050_debug/0055_debug_trap_header.sh"
+source_guard "./lib/cdi_0050_debug/0056_debug_guard.sh"

 source_guard "./lib/cdi_0060_traps/0060_trap_err.sh"
 source_guard "./lib/cdi_0060_traps/0070_trap_exit.sh"