V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

lib/cdi_0100_arg/0100_arg_mismatch.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Wrapper for mismatched Arguments.
+# Globals:
+#   RED
+#   RES
+#   ERR_ARG_MISMATCH
+#   NL
+#   VAR_AUTO_INSTALL
+#   VAR_IN_DIALOG_WR
+# Arguments:
+#   1: Message to be printed.
+#######################################
+arg_mismatch() {
+  ### Call cleaner if and only if not in auto-install mode.
+  if [[ "${VAR_AUTO_INSTALL}" == "false" ]]; then
+    ### Dynamically select the cleaner based on the dialog wrapper type.
+    case "${VAR_IN_DIALOG_WR}" in
+      box|gauge) "dialog_${VAR_IN_DIALOG_WR}_cleaner" ;;
+    esac
+  fi
+  printf "%b❌ Error: '%s'. %b%b" "${RED}" "${1}" "${RES}" "${NL}" >&2
+  read -pr $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+  exit "${ERR_ARG_MISMATCH}"
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/cdi_0100_arg/0101_arg_sanitizer.sh

@@ -0,0 +1,95 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Argument Check Wrapper.
+# Arguments:
+#   1: "$@" of ./setup.sh
+#######################################
+arg_check() {
+  declare a
+  declare sanitized_args=()
+  for a in "$@"; do
+    sanitized_args+=("$( sanitize_arg "${a}")")
+  done
+  set -- "${sanitized_args[@]}"
+}
+
+#######################################
+# Function to sanitize a single argument
+# Globals:
+#   RED
+#   RES
+#   ERR_UNSAFE_CHARACTER
+#   LOG_ERR
+#   NL
+#   VAR_IN_DIALOG_WR
+# Arguments:
+#   1: Argument to be sanitized.
+#######################################
+sanitize_arg() {
+  declare input="${1}"
+  declare disallowed_ctrl=""
+  ### Step 1: Check for control characters
+  if printf '%s' "${input}" | grep -qP '[[:cntrl:]]'; then
+    # shellcheck disable=SC2312
+    disallowed_ctrl=$(printf '%s' "${input}" | sed -n 's/[^[:cntrl:]]//gp' | sed $'s/./&\\n/g' \
+      | while read -r c; do printf "%02X " "'${c}"; done)
+    {
+      printf "❌ Control character   : '%s'. %b" "${disallowed_ctrl}" "${NL}"
+      printf "❌         in argument : '%s'. %b" "${input}" "${NL}"
+      printf "❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' %b" "${NL}"
+      printf "%b" "${NL}"
+    } >> "${LOG_ERR}"
+
+    case "${VAR_IN_DIALOG_WR}" in
+      box   ) dialog_box_cleaner   ;;
+      gauge ) dialog_gauge_cleaner ;;
+    esac
+
+    printf "%b❌ Control character   : '%s'. %b%b" "${RED}" "${disallowed_ctrl}" "${RES}" "${NL}" >&2
+    printf "%b❌         in argument : '%s'. %b%b" "${RED}" "${input}" "${RES}" "${NL}" >&2
+    printf "%b❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' %b%b" "${RED}" "${RES}" "${NL}" >&2
+    # shellcheck disable=SC2162
+    read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+    exit "${ERR_UNSAFE_CHARACTER}"
+  fi
+
+  ### Step 2: Define allowed characters:
+  ### letters, digits, dot, underscore, slash, equals, [, ], colon, double-quote, hyphen, space.
+  declare allowed='a-zA-Z0-9._/=\[\]:"\-+ '
+  declare disallowed
+  disallowed=$(printf '%s' "${input}" | tr -d "${allowed}")
+  if [[ -n ${disallowed} ]]; then
+    {
+      printf "❌ Invalid character   : '%s'. %b" "${disallowed//?/& }" "${NL}"
+      printf "❌         in argument : '%s'. %b" "${input}" "${NL}"
+      printf "❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' %b" "${NL}"
+      printf "%b" "${NL}"
+    } >> "${LOG_ERR}"
+    case "${VAR_IN_DIALOG_WR}" in
+      box   ) dialog_box_cleaner   ;;
+      gauge ) dialog_gauge_cleaner ;;
+    esac
+    printf "%s❌ Invalid character   : '%s'. %b%b" "${RED}" "${disallowed//?/& }" "${RES}" "${NL}" >&2
+    printf "%b❌         in argument : '%s'. %b%b" "${RED}" "${input}" "${RES}" "${NL}" >&2
+    printf "%b❌ Allowed Characters  : 'a-z A-Z 0-9 . _ / = [ ] : \" - + space' %b%b" "${RED}" "${RES}" "${NL}" >&2
+    # shellcheck disable=SC2162
+    read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+    exit "${ERR_UNSAFE_CHARACTER}"
+  else
+    printf '%s' "${input}"
+  fi
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/cdi_0100_arg/0102_arg_parser.sh

@@ -0,0 +1,115 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Argument Parser
+# Globals:
+#   VAR_DEFAULT_LOG_LEVEL
+#   VAR_AUTO_INSTALL
+#   VAR_IN_DIALOG_WR
+#   VAR_PRIORITY
+#   VAR_REIONICE_CLASS
+#   VAR_REIONICE_PRIORITY
+# Arguments:
+#   None
+#######################################
+arg_parser() {
+  while [[ $# -gt 0 ]]; do
+    declare argument="${1}"
+      case "${argument,,}" in
+
+        -a | --autoinstall)
+          if [[ -n "${2}" && "${2}" != -* ]]; then arg_mismatch "--autoinstall MUST NOT be followed by an argument."; fi
+          shift 1
+          ;;
+
+        -c | --contact)
+          if [[ -n "${2}" && "${2}" != -* ]]; then arg_mismatch "--contact MUST NOT be followed by an argument."; fi
+          shift 1
+          ;;
+
+        -d | --debug)
+          shift 1
+          while [[ $# -gt 0 && ! "$1" =~ ^- ]]; do
+            shift 1
+          done
+          ;;
+
+        -h | --help)
+          if [[ -n "${2}" && "${2}" != -* ]]; then arg_mismatch "--help MUST NOT be followed by an argument."; fi
+          shift 1
+          ;;
+
+        -l | --log)
+          case "${2,,}" in
+            debug|info|notice|warn|error|critical|fatal|emergency) declare -gx VAR_DEFAULT_LOG_LEVEL="$2"; shift 2 ;;
+            *)
+              if [[ "${VAR_AUTO_INSTALL}" == "false" && "${VAR_IN_DIALOG_WR}" == true ]]; then dialog_box_cleaner; fi
+              usage
+              ;;
+            esac
+          ;;
+
+        -v | --version)
+          if [[ -n "${2}" && "${2}" != -* ]]; then arg_mismatch "--version MUST NOT be followed by an argument."; fi
+          shift 1
+          ;;
+
+        --renice-priority)
+          if [[ -n ${2} && ${2} =~ ^-?[0-9]+$ && ${2} -ge -19 && ${2} -le 19 ]]; then
+            VAR_PRIORITY="${2}"
+            shift 2
+          else
+            arg_mismatch "--renice-priority MUST be an integer between '-19' and '19'."
+          fi
+          ;;
+
+        --reionice-priority)
+          if [[ -z "${2}" ]]; then
+            arg_mismatch "--reionice-priority no values provided."
+          else
+            if [[ "${2}" =~ ^[1-3]$ ]]; then
+              VAR_REIONICE_CLASS="${2}"
+              if [[ -z "${3}" ]]; then
+                :
+              else
+                if [[ "${3}" =~ ^[0-7]$ ]]; then
+                  VAR_REIONICE_PRIORITY="${3}"
+                else
+                  arg_mismatch "--reionice-priority PRIORITY MUST be an integer between '0' and '7'."
+                fi
+              fi
+            else
+              arg_mismatch "--reionice-priority CLASS MUST be an integer between '1' and '3'."
+            fi
+          fi
+          if [[ -n ${VAR_REIONICE_PRIORITY} ]]; then
+            shift 3
+          else
+            shift 2
+          fi
+          ;;
+
+        *)
+          if [[ "${VAR_AUTO_INSTALL}" == "false" && "${VAR_IN_DIALOG_WR}" == "box" ]]; then
+            dialog_box_cleaner
+          elif [[ "${VAR_AUTO_INSTALL}" == "false" && "${VAR_IN_DIALOG_WR}" == "gauge" ]]; then
+            dialog_gauge_cleaner
+          fi
+          usage
+          ;;
+    esac
+  done
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/cdi_0100_arg/0103_arg_priority_check.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Check and setup Script Priorities
+# Globals:
+#   GRE
+#   RES
+#   NL
+#   VAR_PRIORITY
+#   VAR_REIONICE_CLASS
+#   VAR_REIONICE_PRIORITY
+# Arguments:
+#   None
+#######################################
+arg_priority_check() {
+  declare var
+  ### Check if nice PRIORITY is set and adjust nice priority.
+  if [[ -n "${VAR_PRIORITY}" ]]; then
+    renice "${VAR_PRIORITY}" -p "$$" > /dev/null 2>&1
+    var=$(ps -o ni= -p $$) > /dev/null 2>&1
+    do_log "info" "file_only" "0103() New renice value: '${var}'."
+  fi
+
+  ### Check if ionice PRIORITY is set and adjust ionice priority.
+  if [[ -n "${VAR_REIONICE_CLASS}" ]]; then
+    ionice -c"${VAR_REIONICE_CLASS}" -n"${VAR_REIONICE_PRIORITY}" -p "$$"
+    var=$(ionice -p $$) > /dev/null 2>&1
+    do_log "info" "file_only" "0103() New ionice value: '${var}'."
+  fi
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/cdi_0100_arg/0104_arg_passphrase_modules.sh

@@ -0,0 +1,84 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Generates salt.
+# Globals:
+#   ERR_GENERATE_SALT
+#   NL
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#   ERR_GENERATE_SALT
+#######################################
+generate_salt() {
+  declare var_salt=""
+  while :; do
+    # shellcheck disable=SC2312
+    var_salt=$(head -c 12 /dev/random | base64 | tr -dc 'A-Za-z0-9' | head -c 16) || return "${ERR_GENERATE_SALT}"
+    [[ ${#var_salt} -eq 16 ]] && break
+  done
+  printf '%s%b' "${var_salt}" "${NL}"
+  return 0
+}
+
+#######################################
+# Reads and validates a secure one-line password file.
+# Globals:
+#   ERR_READ_PASS_FILE
+#   VAR_DEBUG_TRACE
+# Arguments:
+#   1: Path to password file
+#   2: Name of target variable (via nameref)
+# Returns:
+#   0: on success
+#   ERR_READ_PASS_FILE
+#######################################
+read_password_file() {
+  declare -r var_input_file="${1}"
+  declare -n var_output_file="${2}"
+  declare -a lines=()
+
+  ### No tracing for security reasons
+  [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
+  if [[ ! -f "${var_input_file}" ]]; then
+    do_log "fatal" "file_only" "0104() Password file '${var_input_file}' not found."
+    return "${ERR_READ_PASS_FILE}"
+  fi
+
+  mapfile -t lines < "${var_input_file}"
+
+  if (( ${#lines[@]} != 1 )); then
+    do_log "fatal" "file_only" "0104() Password file '${var_input_file}' MUST contain exactly one line."
+    return "${ERR_READ_PASS_FILE}"
+  fi
+
+  var_output_file="${lines[0]}"
+  ### Trim leading and trailing whitespace.
+  var_output_file="${var_output_file#"${var_output_file%%[![:space:]]*}"}" ### leading
+  var_output_file="${var_output_file%"${var_output_file##*[![:space:]]}"}" ### trailing
+
+  if [[ -z "${var_output_file}" ]]; then
+    do_log "fatal" "file_only" "0104() Password file '${var_input_file}' contains only whitespace."
+    return "${ERR_READ_PASS_FILE}"
+  fi
+
+  ### Turn on tracing again
+  [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
+
+  unset lines
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/cdi_0100_arg/0105_arg_nuke_converter.sh

@@ -0,0 +1,67 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Generates 'nuke=HASH' Bootparameter.
+# Globals:
+#   DIR_CNF
+#   ERR_READ_NUKE_FILE
+#   VAR_DEBUG_TRACE
+#   VAR_NUKE_HASH
+# Arguments:
+#   None
+# Returns:
+#   0: on success
+#   ERR_READ_NUKE_FILE
+#######################################
+nuke_passphrase() {
+  declare -r var_nuke_pwd_file="${DIR_CNF}/password_luks_nuke.txt"
+  declare    var_temp_nuke_hash="" var_temp_plain_nuke_pwd="" var_salt=""
+
+  ### No tracing for security reasons
+  [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
+  if ! read_password_file "${var_nuke_pwd_file}" var_temp_plain_nuke_pwd; then
+    return "${ERR_READ_NUKE_FILE}"
+  fi
+  ### Turn on tracing again
+  [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
+
+  if ! var_salt="$(generate_salt)"; then
+    return "${ERR_GENERATE_SALT}"
+  fi
+
+  ### No tracing for security reasons
+  [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
+  var_temp_nuke_hash=$(mkpasswd --method=sha-512 --salt="${var_salt}" --rounds=8388608 "${var_temp_plain_nuke_pwd}")
+  ### Turn on tracing again
+  [[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
+
+  declare -grx VAR_NUKE_HASH="${var_temp_nuke_hash}"
+  unset var_temp_nuke_hash var_temp_plain_nuke_pwd
+
+  do_log "debug" "file_only" "0105() NUKE hash starts with: ${VAR_NUKE_HASH:0:32}..."
+
+  sync
+  if shred -vfzu -n 5 "${var_nuke_pwd_file}" > /dev/null 2>&1; then
+    do_log "info" "file_only" "0105() Password file '${var_nuke_pwd_file}': shred -vfzu -n 5 >> done."
+  else
+    do_log "warn" "file_only" "0105() Password file '${var_nuke_pwd_file}': shred -vfzu -n 5 >> NOT successful."
+  fi
+  sync
+
+  do_log "info" "file_only" "0105() Nuke Hash generated."
+  return 0
+}
+
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh