V9.14.002.2026.05.13

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-05-17 13:34:00 +01:00
parent 39aeea84a7
commit 6307bc2b7c
67 changed files with 315 additions and 176 deletions
@@ -18,14 +18,33 @@ export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"

 ### Declare Arrays, HashMaps, and Variables.
-declare var_dropbear_version="2025.88"
+declare var_dropbear_env="/root/dropbear.env"
+[[ -r "${var_dropbear_env}" ]] || {
+  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Missing Dropbear environment file: [%s] \e[0m\n" "${var_dropbear_env}" >&2
+  exit 43
+}
+
+# shellcheck disable=SC1090
+. "${var_dropbear_env}"
+declare var_dropbear_version="${DROPBEAR_VERSION:?DROPBEAR_VERSION is not set}"
+[[ "${var_dropbear_version}" =~ ^[0-9]{4}\.[0-9]+$ ]] || {
+  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Invalid Dropbear version: [%s] \e[0m\n" "${var_dropbear_version}" >&2
+  exit 43
+}
+
 declare var_tar="/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2"
 declare var_build_dir="/root/build/dropbear-${var_dropbear_version}"
 declare var_logfile="/root/.ciss/cdlb/log/0020_dropbear_build.log"

 mkdir -p "/root/build"
+
+[[ -r "${var_tar}" ]] || {
+  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Missing Dropbear tarball: [%s] \e[0m\n" "${var_tar}" >&2
+  exit 43
+}
+
 cp "${var_tar}" "/root/build"
-tar xjf "/root/dropbear/dropbear-${var_dropbear_version}.tar.bz2" -C "/root/build"
+tar xjf "${var_tar}" -C "/root/build"
 cp "/root/dropbear/localoptions.h" "${var_build_dir}"
 cd "${var_build_dir}"

@@ -13,13 +13,28 @@ set -Ceuo pipefail

 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

-### Declare Arrays, HashMaps, and Variables.
-declare var_logfile="/root/.ciss/cdlb/log/0021_dropbear_initramfs.log"
-
 [[ -r /root/ciss_xdg_tmp.sh ]] && . /root/ciss_xdg_tmp.sh
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"

+### Declare Arrays, HashMaps, and Variables.
+declare var_dropbear_env="/root/dropbear.env"
+[[ -r "${var_dropbear_env}" ]] || {
+  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Missing Dropbear environment file: [%s] \e[0m\n" "${var_dropbear_env}" >&2
+  exit 43
+}
+
+# shellcheck disable=SC1090
+. "${var_dropbear_env}"
+declare var_dropbear_version="${DROPBEAR_VERSION:?DROPBEAR_VERSION is not set}"
+[[ "${var_dropbear_version}" =~ ^[0-9]{4}\.[0-9]+$ ]] || {
+  printf "\e[91m++++ ++++ ++++ ++++ ++++ ++++ ++ ❌ ERROR: Invalid Dropbear version: [%s] \e[0m\n" "${var_dropbear_version}" >&2
+  exit 43
+}
+
+declare var_dropbear_build_dir="/root/build/dropbear-${var_dropbear_version}"
+declare var_logfile="/root/.ciss/cdlb/log/0021_dropbear_initramfs.log"
+
 apt-get install -y --no-install-recommends --no-install-suggests cryptsetup-initramfs dropbear-initramfs dropbear-bin 2>&1 | tee -a "${var_logfile}"
 apt-get purge -y dropbear 2>&1 | tee -a "${var_logfile}" || true
 apt-get install -y --no-install-recommends --no-install-suggests gpgv 2>&1 | tee -a "${var_logfile}"
@@ -32,16 +47,18 @@ rm -f /root/dropbear.file

 mkdir -p /root/.ciss/cdlb/backup/usr/sbin
 mv /usr/sbin/dropbear /root/.ciss/cdlb/backup/usr/sbin/dropbear.trixie
-install -m 0755 -o root -g root /root/build/dropbear-2025.88/dropbear /usr/sbin/
+install -m 0755 -o root -g root "${var_dropbear_build_dir}/dropbear" /usr/sbin/

 mkdir -p /root/.ciss/cdlb/backup/usr/bin
 for var_file in dbclient dropbearconvert dropbearkey; do

  mv "/usr/bin/${var_file}" "/root/.ciss/cdlb/backup/usr/bin/${var_file}.trixie"
-  install -m 0755 -o root -g root "/root/build/dropbear-2025.88/${var_file}" /usr/bin/
+  install -m 0755 -o root -g root "${var_dropbear_build_dir}/${var_file}" /usr/bin/

 done

+rm -f "${var_dropbear_env}"
+
 mkdir -p /etc/initramfs-tools/scripts/init-bottom

 cat << 'EOF' >| /etc/initramfs-tools/scripts/init-bottom/zzzz-dropbear-kill
@@ -17,7 +17,7 @@ printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "
 export DEBIAN_FRONTEND="noninteractive"
 export INITRD="No"

-SOPS_VER="v3.11.0"
+SOPS_VER="v3.13.0"
 ARCH="$(dpkg --print-architecture)"
 case "${ARCH}" in
  amd64)  SOPS_FILE="sops-${SOPS_VER}.linux.amd64" ;;
@@ -122,7 +122,7 @@ x509_extensions	= usr_cert		# The extensions to add to the cert
 name_opt 	= ca_default		# Subject Name options
 cert_opt 	= ca_default		# Certificate field options

-# Extension copying option: use with caution.
+# Extension copying option: use it with caution.
 # copy_extensions = copy

 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
@@ -232,7 +232,7 @@ basicConstraints=CA:FALSE
 # This is typical in keyUsage for a client certificate.
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment

-# PKIX recommendations harmless if included in all certificates.
+# PKIX recommendations are harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer

@@ -282,7 +282,7 @@ basicConstraints = critical,CA:true

 # DER hex encoding of an extension: beware experts only!
 # obj=DER:02:03
-# Where 'obj' is a standard or added object
+# Where 'obj' is a standard or added object.
 # You can even override a supported extension:
 # basicConstraints= critical, DER:30:03:01:01:FF

@@ -305,7 +305,7 @@ basicConstraints=CA:FALSE
 # This is typical in keyUsage for a client certificate.
 # keyUsage = nonRepudiation, digitalSignature, keyEncipherment

-# PKIX recommendations harmless if included in all certificates.
+# PKIX recommendations are harmless if included in all certificates.
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer

@@ -418,33 +418,24 @@ ssl_conf = ssl_sect
 system_default = system_default_sect

 [system_default_sect]
-# Protocol floor / ceiling:
-# - only TLS 1.2 and 1.3.
-# - TLS 1.3 is FS by design;
-# - TLS 1.2 FS enforced via the cipher list.
 MinProtocol = TLSv1.2
 MaxProtocol = TLSv1.3

-# TLS 1.2 cipher policy:
-# - Forward secrecy only: ECDHE or DHE (no static RSA kx);
-# - AES-256 *GCM* only (no DHE (dheatattack), no AES-128, no CBC);
-# - Keep distro default SECLEVEL=2 explicitly.
-CipherString = ECDHE+AES256-GCM:ECDHE+CHACHA20:ECDHE+ARIA256-GCM:ECDHE+CAMELLIA256-GCM:!kRSA:!PSK:!SRP:!aNULL:!eNULL:@SECLEVEL=2
+# TLS 1.2: FS only, AEAD only, no AES128, no static RSA negotiation, no DHE negotiation.
+CipherString = ECDHE+AES256-GCM:ECDHE+CHACHA20:!AES128:!kRSA:!DHE:!PSK:!SRP:!aNULL:!eNULL:@SECLEVEL=2

-# TLS 1.3 cipher policy: AES-256 and ChaCha20-Poly1305 only:
+# TLS 1.3: only AES-256-GCM and ChaCha20-Poly1305.
 Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

-# Prefer strong, widely supported ECDHE groups (first = most preferred):
+# Preferred ECDHE groups.
 Groups = X448:P-521:P-384

-SignatureAlgorithms = rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256
-
-# Operational flags:
-# -SessionTicket  : disable TLS session tickets (TLS 1.2 + 1.3)
-# ServerPreference: honor server cipher order (TLS 1.2)
-# NoRenegotiation : disallow TLS 1.2 renegotiation
+# Flags: Tickets off, servers order, renegotiation off.
 Options = -SessionTicket,ServerPreference,NoRenegotiation

+# Permitted signature algorithms.
+SignatureAlgorithms = ecdsa_secp521r1_sha512:ecdsa_secp384r1_sha384:ed448:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256
+
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=conf
 EOF

@@ -0,0 +1,19 @@
+#!/bin/bash
+# SPDX-Version: 3.0
+# SPDX-CreationInfo: 2026-05-16; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
+# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
+# SPDX-FileCopyrightText: 2024-2026; WEIDNER, Marc S.; <msw@coresecret.dev>
+# SPDX-FileType: SOURCE
+# SPDX-License-Identifier: LicenseRef-CNCL-1.1 OR LicenseRef-CCLA-1.1
+# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
+# SPDX-PackageName: CISS.debian.live.builder
+# SPDX-Security-Contact: security@coresecret.eu
+set -Ceuo pipefail
+
+printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"
+
+printf "\e[92m++++ ++++ ++++ ++++ ++++ ++++ ++ ✅ '%s' applied successfully. \e[0m\n" "${0}"
+
+exit 0
+# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
@@ -11,6 +11,8 @@
 # SPDX-Security-Contact: security@coresecret.eu
 set -Ceuo pipefail

+# ToDo: Unify --integrity hmac-sha512 mode for standalone and runner mode.
+
 printf "\e[95m++++ ++++ ++++ ++++ ++++ ++++ ++ 🧪 '%s' starting ... \e[0m\n" "${0}"

 __umask=$(umask)