V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m26s

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-09-03 13:11:24 +02:00
parent 44dcf86569
commit 16a20e38a0
2 changed files with 13 additions and 12 deletions


@@ -11,12 +11,11 @@
# SPDX-Security-Contact: security@coresecret.eu
# SPDX-Comment: unlock_wrapper.sh to be executed as '/etc/crypttab' keyscript and as dropbear SSH forced command.
#set -Ceuo pipefail
set -Ceuo pipefail
#######################################
# Variable declaration
#######################################
#declare -r ASKPASS='/lib/cryptsetup/askpass'
# shellcheck disable=SC2016
declare -r REGEX='^\$6\$(rounds=([1-9][0-9]{3,8})\$)?([./A-Za-z0-9]{1,16})\$([./A-Za-z0-9]{86})$'
# shellcheck disable=SC2155
@@ -115,8 +114,8 @@ extract_nuke_hash() {
done
### No 'nuke=HASH' entry found.
return 1
color_echo "${GRE}" "✅ No Nuke Hash found. Proceeding."
return 0
}
#######################################
@@ -168,9 +167,7 @@ nuke() {
color_echo "${RED}" "✘ Error: LUKS Device malfunction. System Power Off in 16 seconds."
# TODO: DEBUGGER
drop_bash
#power_off 16
power_off 16
}
#######################################
@@ -263,7 +260,7 @@ fi)\
#######################################
read_passphrase() {
declare -i ROUNDS=0
declare CAND="" SALT=""
declare CAND="" SALT="" _FULL_SALT=""
### Read from SSH STDIN (or TTY fallback), never via '/lib/cryptsetup/askpass'.
ask_via_stdin "Enter passphrase: " PASSPHRASE
@@ -271,14 +268,18 @@ read_passphrase() {
echo "NUKE_ENABLED: ${NUKE_ENABLED}"
echo "NUKE_HASH : ${NUKE_HASH}"
# BusyBox mkpasswd invocation (no options):
CAND="$(mkpasswd "${PASSPHRASE}" "${_FULL_SALT}")" || CAND=""
### NUKE pre-check
if [[ "${NUKE_ENABLED,,}" == "true" ]]; then
ROUNDS="$(cut -d'$' -f3 <<< "${NUKE_HASH}")"
ROUNDS="${ROUNDS#rounds=}"
SALT="$(cut -d'$' -f4 <<< "${NUKE_HASH}")"
CAND=$(mkpasswd --method=sha-512 --salt="${SALT}" --rounds="${ROUNDS}" "${PASSPHRASE}")
_FULL_SALT="\$6\$rounds=${ROUNDS}\$${SALT}"
### BusyBox mkpasswd invocation (no options):
CAND="$(mkpasswd "${PASSPHRASE}" "${_FULL_SALT}")"
# TODO: DEBUGGER
echo "ROUNDS : ${ROUNDS}"
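Review bot: The debug output in read_passphrase is still live in this release: `echo "NUKE_HASH : ${NUKE_HASH}"`, `echo "NUKE_ENABLED: ${NUKE_ENABLED}"` and the `ROUNDS` echo under `# TODO: DEBUGGER` write the stored nuke hash and its parameters to stdout, which for the dropbear forced command presumably reaches the remote session. The same commit appears to remove `drop_bash` and re-enable `power_off 16` in nuke(), so I would delete these echoes too, or send them to stderr only when an explicit debug flag is set. Both `mkpasswd "${PASSPHRASE}" "${_FULL_SALT}"` calls put the passphrase on the command line, where it is readable in the process list while mkpasswd runs; passing it on stdin is preferable if the BusyBox applet in the initramfs supports that. The `cut -d'$' -f3` / `-f4` parsing assumes a `rounds=` field although `REGEX` makes it optional, so with `set -Ceuo pipefail` now active a hash without it would probably abort at the `declare -i ROUNDS` assignment instead of falling through to the normal unlock path. read_passphrase continues beyond the visible lines, so the comparison against `NUKE_HASH` is not covered here.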