V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

includes/target/etc/initramfs-tools/files/unlock_wrapper.sh

@@ -16,7 +16,7 @@
 #######################################
 # Variable declaration
 #######################################
-declare -r ASKPASS='/lib/cryptsetup/askpass'
+#declare -r ASKPASS='/lib/cryptsetup/askpass'
 # shellcheck disable=SC2016
 declare -r REGEX='^\$6\$(rounds=([1-9][0-9]{3,8})\$)?([./A-Za-z0-9]{1,16})\$([./A-Za-z0-9]{86})$'
 # shellcheck disable=SC2155
@@ -30,6 +30,22 @@ declare -g NUKE_ENABLED='false'
 declare -g NUKE_HASH=''
 declare -g PASSPHRASE=''
 
+#######################################
+# Read passphrase strictly from STDIN (SSH channel), not '/dev/console'.
+# Arguments:
+#   1: Prompt to print on terminal
+#   2: Variable name to capture passphrase
+#######################################
+ask_via_stdin() {
+  declare -r  prompt="$1"
+  declare -r  varname="$2"
+  ### Prompt to STDERR so pipes don't capture it.
+  printf "%s" "${prompt}" >&2
+  ### Silent, canonical read from FD 0 (SSH channel when forced-command).
+  IFS= read -r -s "${varname?}" <&0
+  printf "\n" >&2
+}
+
 #######################################
 # Print-colored text.
 # Arguments:
@@ -78,7 +94,7 @@ extract_nuke_hash() {
     case "${ARG,,}" in
 
       nuke=*)
-        NUKE_HASH="${ARG#nuke=}"
+        NUKE_HASH="${ARG#*=}"
         if [[ "${NUKE_HASH}" =~ ${REGEX} ]]; then
 
           NUKE_ENABLED="true"
@@ -246,25 +262,33 @@ fi)\
 #   0: on success
 #######################################
 read_passphrase() {
-  declare -a  METHODS=( "sha512crypt" )
-  declare     METHOD="" SALT=""
+  declare -i  ROUNDS=0
+  declare     CAND="" SALT=""
 
-  PASSPHRASE="$(${ASKPASS} "Enter passphrase: ")"
+  ### Read from SSH STDIN (or TTY fallback), never via '/lib/cryptsetup/askpass'.
+  ask_via_stdin "Enter passphrase: " PASSPHRASE
 
-  if [[ "${NUKE_ENABLED,,}" == 'true' ]]; then
+  ### NUKE pre-check
+  if [[ "${NUKE_ENABLED,,}" == "true" ]]; then
 
-    SALT="$(cut -d'$' -f3 <<< "${NUKE_HASH}")"
+    ROUNDS="$(cut -d'$' -f3 <<< "${NUKE_HASH}")"
+    ROUNDS="${ROUNDS#rounds=}"
+    SALT="$(cut -d'$' -f4 <<< "${NUKE_HASH}")"
 
-    for METHOD in "${METHODS[@]}"; do
+    CAND="$(mkpasswd --method=sha-512 --salt="${SALT}" --rounds="${ROUNDS}" "${PASSPHRASE}" 2>/dev/null)"
 
-      # shellcheck disable=SC2312
-      if mkpasswd -m "${METHOD}" -S "${SALT}" "${PASSPHRASE}" 2>/dev/null | grep -qF -- "${NUKE_HASH}"; then
+    # TODO: DEBUGGER
+    echo "${ROUNDS}"
+    echo "${SALT}"
+    echo "${CAND}"
 
-        nuke
+    if [[ "${CAND}" == "${NUKE_HASH}" ]]; then
 
-      fi
+      echo "${CAND}" "==" "${NUKE_HASH}"
 
-    done
+      nuke
+
+    fi
 
   fi