V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

lib/0104_arg_passphrase_reader.sh

@@ -0,0 +1,62 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.installer
+# SPDX-Security-Contact: security@coresecret.eu
+
+guard_sourcing
+
+#######################################
+# Reads and validates a secure one-line password file.
+# Globals:
+#   ERR_READ_PASS_FILE
+#   VAR_DEBUG_TRACE
+# Arguments:
+#   1: Path to password file
+#   2: Name of target variable (via nameref)
+# Returns:
+#   0: on success
+#   ERR_READ_PASS_FILE
+#######################################
+read_password_file() {
+  declare -r var_input_file="${1}"
+  declare -n var_output_file="${2}"
+  declare -a lines=()
+
+  ### No tracing for security reasons
+  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
+  if [[ ! -f "${var_input_file}" ]]; then
+    do_log "fatal" "file_only" "Password file '${var_input_file}' not found."
+    return "${ERR_READ_PASS_FILE}"
+  fi
+
+  mapfile -t lines < "${var_input_file}"
+
+  if (( ${#lines[@]} != 1 )); then
+    do_log "fatal" "file_only" "Password file '${var_input_file}' MUST contain exactly one line."
+    return "${ERR_READ_PASS_FILE}"
+  fi
+
+  var_output_file="${lines[0]}"
+  ### Trim leading and trailing whitespace.
+  var_output_file="${var_output_file#"${var_output_file%%[![:space:]]*}"}" ### leading
+  var_output_file="${var_output_file%"${var_output_file##*[![:space:]]}"}" ### trailing
+
+  if [[ -z "${var_output_file}" ]]; then
+    do_log "fatal" "file_only" "Password file '${var_input_file}' contains only whitespace."
+    return "${ERR_READ_PASS_FILE}"
+  fi
+
+  ### Turn on tracing again
+  #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set -x
+
+  unset lines
+  return 0
+}
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

lib/0105_arg_nuke_converter.sh

@@ -31,16 +31,7 @@ nuke_passphrase() {
 
   ### No tracing for security reasons
   #[[ "${VAR_DEBUG_TRACE,,}" == "true" ]] && set +x
-  if [[ ! -f "${var_nuke_pwd_file}" ]]; then
+  if ! read_password_file "${var_nuke_pwd_file}" var_temp_plain_nuke_pwd; then
-    return "${ERR_READ_NUKE_FILE}"
-  fi
-
-  if ! read -r var_temp_plain_nuke_pwd < "${var_nuke_pwd_file}"; then
-    return "${ERR_READ_NUKE_FILE}"
-  fi
-
-  if [[ -z "${var_temp_plain_nuke_pwd}" ]]; then
-    do_log "fatal" "file_only" "Nuke password file '${var_nuke_pwd_file}' is empty."
     return "${ERR_READ_NUKE_FILE}"
   fi
   ### Turn on tracing again

meta_loader_lib.sh

@@ -31,7 +31,8 @@ source_guard "./lib/0100_arg_mismatch.sh"
 source_guard "./lib/0101_arg_sanitizer.sh"
 source_guard "./lib/0102_arg_parser.sh"
 source_guard "./lib/0103_arg_priority_check.sh"
-source_guard "./lib/0104_arg_nuke_converter.sh"
+source_guard "./lib/0104_arg_passphrase_reader.sh"
+source_guard "./lib/0105_arg_nuke_converter.sh"
 #source_guard "./lib/0110_check_kernel.sh"
 #source_guard "./lib/0120_check_provider.sh"
 source_guard "./lib/0200_dialog_helper.sh"

var/errors.var.sh

@@ -49,6 +49,7 @@ declare -girx ERR_GRUB_ARCHITECTURE=224 # Architecture is not supported by Grub.
 declare -girx ERR_PATH_NOT_VALID=223    # Specific path is not existing.
 declare -girx ERR_READ_NUKE_FILE=222    # Error reading Luks Nuke password file.
 declare -girx ERR_READ_GRUB_FILE=221    # Error reading Grub password file.
+declare -girx ERR_READ_PASS_FILE=220    # Error reading password file.
 
 ### Definition of error trap vars.
 declare -gx ERRCODE=""                  # = $?                   = $1 = ERRCODE