V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_1200_validation/1220_validation_element.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Checks if a search pattern / string / value is present in an array.
+# Arguments:
+#   1: String to check against:
+#   2: "$@" Array
+# Returns:
+#   0: If String is present in Array.
+#   1: If String is NOT present in Array.
+#######################################
+validation_array() {
+  declare var_element
+  declare var_string="$1"; shift
+  for var_element in "$@"; do
+    if [[ "${var_element}" == "${var_string}" ]]; then
+      return 0
+    fi
+  done
+  return 1
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_1200_validation/1221_validation_ip.sh

@@ -0,0 +1,110 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# IPv4 validation.
+# Globals:
+#   ERR_INVALID_IPV4
+# Arguments:
+#   1: IPv4 to validate.
+# Returns:
+#   ERR_INVALID_IPV4
+#######################################
+validation_ipv4() {
+  declare var_ip="$1"
+  ### Single-pass check: 4 octets, each 0-255, no leading zeros (unless the octet is exactly "0")
+  if [[ "${var_ip}" =~ ^((25[0-5]|2[0-4][0-9]|1?[0-9]{1,2})\.){3}(25[0-5]|2[0-4][0-9]|1?[0-9]{1,2})$ ]]; then
+    do_log "info" "file_only" "'${var_ip}' seems to be a valid IPv4."
+  else
+    return "${ERR_INVALID_IPV4}"
+  fi
+}
+
+#######################################
+# IPv6 validation, including
+#   - Standard IPv6 notation with eight groups such as 2001:0db8:85a3:0000:0000:8a2e:0370:7334
+#   - Shortened notation with :: like 2001:db8::1
+#   - Addresses with embedded IPv4 addresses like ::ffff:192.0.2.128
+#   - Link-local addresses like fe80::1%eth0
+# Globals:
+#   ERR_INVALID_IPV6
+# Arguments:
+#   1: IPv6 address
+# Returns:
+#   ERR_INVALID_IPV6
+#######################################
+validation_ipv6() {
+  ### Original input (may include %zone).
+  declare var_ip="$1"
+  ### Strip optional zone id, e.g. fe80::1%eth0 -> fe80::1
+  declare var_addr="${var_ip%%\%*}"
+  declare var_has_double_colon=0
+
+  ### Step 1 - IPv4-mapped / -embedded addresses (::ffff:192.0.2.1)
+  if [[ "${var_addr}" == *.* ]]; then
+    declare var_ipv4_part="${var_addr##*:}"
+    validation_ipv4 "${var_ipv4_part}" || return "${ERR_INVALID_IPV6}"
+    ### Replace IPv4 part by a placeholder, so we can count hextets later
+    var_addr="${var_addr%:*}:0:0"
+  fi
+
+  ### Step 2 - Detect forbidden multiple '::'
+  if [[ "${var_addr}" == *::* ]]; then
+    var_has_double_colon=1
+    ### Remove first '::' and check there is no second one.
+    [[ ${var_addr#*::*} == *::* ]] && return "${ERR_INVALID_IPV6}"
+  fi
+
+  ### Step 3 - Split into hextets and validate format.
+  declare var_hextet
+  declare -a var_segments
+  IFS=':' read -ra var_segments <<< "${var_addr}"
+  declare seg_count=${#var_segments[@]}
+
+  for var_hextet in "${var_segments[@]}"; do
+    ### Empty part of '::' compression
+    [[ -z "${var_hextet}" ]] && continue
+    [[ "${var_hextet}" =~ ^[0-9a-fA-F]{1,4}$ ]] || return "${ERR_INVALID_IPV6}"
+  done
+
+  ### Step 4 - Check total hextet count.
+  if (( var_has_double_colon )); then
+    (( seg_count <= 8 )) || return "${ERR_INVALID_IPV6}"
+  else
+    (( seg_count == 8 )) || return "${ERR_INVALID_IPV6}"
+  fi
+
+  ### Success
+  do_log "info" "file_only" "'${var_ip}' seems to be a valid IPv6."
+}
+
+#######################################
+# Port validation.
+# Globals:
+#   ERR_INVALID_PORT
+# Arguments:
+#   1: Port number
+# Returns:
+#   ERR_INVALID_PORT
+#######################################
+validation_port() {
+  declare var_port="$1"
+  if [[ "${var_port}" =~ ^[0-9]+$ ]] && (( var_port >= 1 && var_port <= 65535 )); then
+    do_log "info" "file_only" "'${var_port}' seems to be a valid port."
+  else
+    do_log "error" "file_only" "'${var_port}' seems to be NOT a valid port."
+    return "${ERR_INVALID_PORT}"
+  fi
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

func/cdi_1200_validation/1222_validation_preseed.sh

@@ -0,0 +1,63 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Validate all preseed network variables (IPv4 & IPv6)
+# Arguments:
+#   None
+#######################################
+validation_preseed() {
+  declare var value
+
+  ### --- IPv4 variables ------------------------------------------------------
+  declare -a ipv4_vars=(
+    network_static_ipv4nameserver_0
+    network_static_ipv4nameserver_1
+    network_static_ipv4nameserver_fallback_0
+    network_static_ipv4nameserver_fallback_1
+    network_static_ipv4address
+    network_static_ipv4gateway
+  )
+
+  ### --- IPv6 variables ------------------------------------------------------
+  declare -a ipv6_vars=(
+    network_static_ipv6nameserver_0
+    network_static_ipv6nameserver_1
+    network_static_ipv6nameserver_fallback_0
+    network_static_ipv6nameserver_fallback_1
+    network_static_ipv6address
+  )
+
+  ### --- loop over both groups ----------------------------------------------
+  for var in "${ipv4_vars[@]}"; do
+    value="${!var}"
+    if [[ -n "${value}" ]]; then
+      validation_ipv4 "${value}"
+    else
+      do_log "info" "file_only" "'${var}' is not set."
+    fi
+  done
+
+  for var in "${ipv6_vars[@]}"; do
+    value="${!var}"
+    if [[ -n "${value}" ]]; then
+      validation_ipv6 "${value}"
+    else
+      do_log "info" "file_only" "'${var}' is not set."
+    fi
+  done
+
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh