-rw-r--r-- | src/cli/cli.cpp | 8 | ||||
-rw-r--r-- | src/cli/cli.h | 7 | ||||
-rw-r--r-- | src/cli/psk.cpp | 6 | ||||
-rw-r--r-- | src/cli/pubkey.cpp | 19 | ||||
-rw-r--r-- | src/cli/tls_client.cpp | 2 | ||||
-rw-r--r-- | src/cli/tls_http_server.cpp | 2 | ||||
-rw-r--r-- | src/cli/tls_proxy.cpp | 2 | ||||
-rw-r--r-- | src/cli/utils.cpp | 7 | ||||
-rw-r--r-- | src/cli/x509.cpp | 16 |
9 files changed, 46 insertions, 23 deletions
diff --git a/src/cli/cli.cpp b/src/cli/cli.cpp
index 988fa623a..1918a4fbd 100644
--- a/src/cli/cli.cpp
+++ b/src/cli/cli.cpp
@@ -207,6 +207,14 @@ Botan::RandomNumberGenerator& Command::rng()
 return *m_rng.get();
 }
 
+std::string Command::get_passphrase_arg(const std::string& prompt, const std::string& opt_name)
+ {
+ const std::string s = get_arg(opt_name);
+ if(s != "-")
+ return s;
+ return get_passphrase(prompt);
+ }
+
 namespace {
 
 bool echo_suppression_supported()
diff --git a/src/cli/cli.h b/src/cli/cli.h
index fca8e5225..b6f6a3076 100644
--- a/src/cli/cli.h
+++ b/src/cli/cli.h
@@ -124,6 +124,13 @@ class Command
 
 std::string get_arg(const std::string& opt_name) const;
 
+ /**
+ * Like get_arg but if the value is '-' then reads a passphrase from
+ * the terminal with echo suppressed.
+ */
+ std::string get_passphrase_arg(const std::string& prompt,
+ const std::string& opt_name);
+
 /*
 * Like get_arg() but if the argument was not specified or is empty, returns otherwise
 */
diff --git a/src/cli/psk.cpp b/src/cli/psk.cpp
index 45a5918d8..83b60225d 100644
--- a/src/cli/psk.cpp
+++ b/src/cli/psk.cpp
@@ -27,7 +27,7 @@ class PSK_Tool_Base : public Command
 void go() override
 {
 const std::string db_filename = get_arg("db");
- const Botan::secure_vector<uint8_t> db_key = Botan::hex_decode_locked(get_arg("db_key"));
+ const Botan::secure_vector<uint8_t> db_key = Botan::hex_decode_locked(get_passphrase_arg("Database key", "db_key"));
 
 std::shared_ptr<Botan::SQL_Database> db = std::make_shared<Botan::Sqlite3_Database>(db_filename);
 Botan::Encrypted_PSK_Database_SQL psk(db_key, db, "psk");
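Review bot: `Command::get_passphrase_arg` in the cli.cpp hunk turns the literal value `-` into a sentinel, so a passphrase that is exactly `-` can no longer be supplied through the option, and nothing at the definition site says so. The header comment documents the prompting, but the body itself carries no comment; I would add `// "-" means: prompt on the terminal instead, so a literal "-" passphrase is not expressible via this option` above the comparison. Whether `get_arg` returns an empty string or throws when the option is absent is not visible here, so the empty-string path (no prompt, empty passphrase returned) is worth confirming against `get_arg`.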
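Review bot: In the psk.cpp hunk the value returned by `get_passphrase_arg("Database key", "db_key")` goes straight into `Botan::hex_decode_locked`, but the prompt does not tell the user that hex is expected, so a non-hex entry at the terminal fails inside the decoder instead of at the prompt. Suggest `get_passphrase_arg("Database key (hex)", "db_key")`; the `"PSK"` prompt in the PSK_Tool_Set hunk on the next line feeds the same decoder and needs the same wording. The hex text sits in a plain `std::string` until it is decoded into the locked vector, as it already did with `get_arg`, which is not new to this change but worth a comment if that matters for this tool.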
@@ -53,8 +53,8 @@ class PSK_Tool_Set final : public PSK_Tool_Base
 void psk_operation(Botan::PSK_Database& db) override
 {
 const std::string name = get_arg("name");
- Botan::secure_vector<uint8_t> key = Botan::hex_decode_locked(get_arg("psk"));
- db.set_vec(name, key);
+ const Botan::secure_vector<uint8_t> psk = Botan::hex_decode_locked(get_passphrase_arg("PSK", "psk"));
+ db.set_vec(name, psk);
 }
 };
 
diff --git a/src/cli/pubkey.cpp b/src/cli/pubkey.cpp
index 46655a6ae..6011c9701 100644
--- a/src/cli/pubkey.cpp
+++ b/src/cli/pubkey.cpp
@@ -60,7 +60,7 @@ class PK_Keygen final : public Command
 throw CLI_Error_Unsupported("keygen", algo);
 }
 
- const std::string pass = get_arg("passphrase");
+ const std::string pass = get_passphrase_arg("Key passphrase", "passphrase");
 const bool der_out = flag_set("der-out");
 const std::chrono::milliseconds pbe_millis(get_arg_sz("pbe-millis"));
 
@@ -168,11 +168,11 @@ class PK_Sign final : public Command
 
 void go() override
 {
- std::unique_ptr<Botan::Private_Key> key(
- Botan::PKCS8::load_key(
- get_arg("key"),
- rng(),
- get_arg("passphrase")));
+ const std::string key_file = get_arg("key");
+ const std::string passphrase = get_passphrase_arg("Passphrase for " + key_file, "passphrase");
+
+ Botan::DataSource_Stream input(key_file);
+ std::unique_ptr<Botan::Private_Key> key = Botan::PKCS8::load_key(input, passphrase);;
 
 if(!key)
 {
@@ -265,9 +265,10 @@ class PKCS8_Tool final : public Command
 
 void go() override
 {
- const std::string pass_in = get_arg("pass-in");
+ const std::string key_file = get_arg("key");
+ const std::string pass_in = get_passphrase_arg("Password for " + key_file, "pass-in");
 
- Botan::DataSource_Memory key_src(slurp_file(get_arg("key")));
+ Botan::DataSource_Memory key_src(slurp_file(key_file));
 std::unique_ptr<Botan::Private_Key> key;
 
 if(pass_in.empty())
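Review bot: For the options that set a passphrase on newly written material — `"Key passphrase"` in the PK_Keygen hunk here and `"Passphrase to encrypt key"` for `pass-out` in the PKCS8_Tool hunk on the next line — the interactive path reads the value once, so a typo at the terminal encrypts the output under a passphrase the user cannot reproduce. Unless `get_passphrase` already confirms (not visible in this diff), those two call sites would benefit from a second prompt, e.g. `if(pass != get_passphrase("Confirm passphrase")) throw CLI_Error("Passphrases do not match");` placed right after the assignment. The read-side prompts (PK_Sign, PKCS8 `pass-in`, the x509 tools) are fine as single reads.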
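Review bot: The new `load_key` line in the PK_Sign hunk ends with a doubled semicolon (`load_key(input, passphrase);;`); the second one is an empty statement and should go. The same hunk also moves from the filename overload with `rng()` to the `DataSource_Stream` overload without it and always passes `passphrase`, whereas Sign_Cert in x509.cpp still branches on `pass.empty()`; if the `DataSource` overload treats an empty passphrase as "unencrypted key" that is fine, but it is not visible here, so a one-line comment stating that expectation would help the next reader. The body of `go()` continues past the hunk.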
@@ -296,7 +297,7 @@ class PKCS8_Tool final : public Command
 }
 else
 {
- const std::string pass_out = get_arg("pass-out");
+ const std::string pass_out = get_passphrase_arg("Passphrase to encrypt key", "pass-out");
 
 if(der_out)
 {
diff --git a/src/cli/tls_client.cpp b/src/cli/tls_client.cpp
index dfe874313..32ae4cea5 100644
--- a/src/cli/tls_client.cpp
+++ b/src/cli/tls_client.cpp
@@ -101,7 +101,7 @@ class TLS_Client final : public Command, public Botan::TLS::Callbacks
 if(!sessions_db.empty())
 {
 #if defined(BOTAN_HAS_TLS_SQLITE3_SESSION_MANAGER)
- const std::string sessions_passphrase = get_arg("session-db-pass");
+ const std::string sessions_passphrase = get_passphrase_arg("Session DB passphrase", "session-db-pass");
 session_mgr.reset(new Botan::TLS::Session_Manager_SQLite(sessions_passphrase, rng(), sessions_db));
 #else
 error_output() << "Ignoring session DB file, sqlite not enabled\n";
diff --git a/src/cli/tls_http_server.cpp b/src/cli/tls_http_server.cpp
index 6b5cefab4..cc59a71c3 100644
--- a/src/cli/tls_http_server.cpp
+++ b/src/cli/tls_http_server.cpp
@@ -531,7 +531,7 @@ class TLS_HTTP_Server final : public Command
 if(!sessions_db.empty())
 {
 #if defined(BOTAN_HAS_TLS_SQLITE3_SESSION_MANAGER)
- const std::string sessions_passphrase = get_arg("session-db-pass");
+ const std::string sessions_passphrase = get_passphrase_arg("Session DB passphrase", "session-db-pass");
 session_mgr.reset(new Botan::TLS::Session_Manager_SQLite(sessions_passphrase, rng(), sessions_db));
 #else
 throw CLI_Error_Unsupported("Sqlite3 support not available");
diff --git a/src/cli/tls_proxy.cpp b/src/cli/tls_proxy.cpp
index 717bbc6c6..49ffbe376 100644
--- a/src/cli/tls_proxy.cpp
+++ b/src/cli/tls_proxy.cpp
@@ -453,7 +453,7 @@ class TLS_Proxy final : public Command
 
 std::unique_ptr<Botan::TLS::Session_Manager> session_mgr;
 #if defined(BOTAN_HAS_TLS_SQLITE3_SESSION_MANAGER)
- const std::string sessions_passphrase = get_arg("session-db-pass");
+ const std::string sessions_passphrase = get_passphrase_arg("Session DB passphrase", "session-db-pass");
 const std::string sessions_db = get_arg("session-db");
 
 if(!sessions_db.empty())
diff --git a/src/cli/utils.cpp b/src/cli/utils.cpp
index 1a7639937..99471fba5 100644
--- a/src/cli/utils.cpp
+++ b/src/cli/utils.cpp
@@ -540,7 +540,7 @@ class Generate_Bcrypt final : public Command
 
 void go() override
 {
- const std::string password = get_arg("password");
+ const std::string password = get_passphrase_arg("Passphrase to hash", "password");
 const size_t wf = get_arg_sz("work-factor");
 
 if(wf < 4 || wf > 18)
@@ -574,7 +574,7 @@ class Check_Bcrypt final : public Command
 
 void go() override
 {
- const std::string password = get_arg("password");
+ const std::string password = get_passphrase_arg("Password to check", "password");
 const std::string hash = get_arg("hash");
 
 if(hash.length() != 60)
@@ -585,6 +585,9 @@ class Check_Bcrypt final : public Command
 const bool ok = Botan::check_bcrypt(password, hash);
 
 output() << "Password is " << (ok ? "valid" : "NOT valid") << std::endl;
+
+ if(ok == false)
+ set_return_code(1);
 }
 };
 
diff --git a/src/cli/x509.cpp b/src/cli/x509.cpp
index adae8285c..d894b99a4 100644
--- a/src/cli/x509.cpp
+++ b/src/cli/x509.cpp
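Review bot: In the tls_proxy.cpp hunk the passphrase is read before `sessions_db` is fetched and before the `if(!sessions_db.empty())` check, so with `--session-db-pass=-` the user is prompted for a session DB passphrase even when no session DB was given; the tls_client.cpp and tls_http_server.cpp hunks both read it inside the `if(!sessions_db.empty())` block. Suggest matching them: keep `const std::string sessions_db = get_arg("session-db");` first and move `const std::string sessions_passphrase = get_passphrase_arg("Session DB passphrase", "session-db-pass");` under the condition. Where `sessions_passphrase` is consumed lies past the end of the hunk, so the scope change needs checking against that code.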
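Review bot: `if(ok == false)` in the Check_Bcrypt hunk compares a bool against a literal; `if(!ok)` is the idiomatic form and matches the style used elsewhere in this change (`if(!key)`, `if(!pass.empty())`). Setting the return code on mismatch is a useful addition, since a caller can now branch on the exit status instead of parsing the "Password is … valid" line; a comment such as `// non-zero exit so scripts can test the result without parsing output` would record that intent next to `set_return_code(1)`.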
@@ -45,23 +45,25 @@ class Sign_Cert final : public Command
 void go() override
 {
 Botan::X509_Certificate ca_cert(get_arg("ca_cert"));
- std::unique_ptr<Botan::Private_Key> key;
- const std::string pass = get_arg("ca-key-pass");
+
+ const std::string key_file = get_arg("ca_key");
+ const std::string pass = get_passphrase_arg("Password for " + key_file, "ca-key-pass");
 const std::string emsa = get_arg("emsa");
 const std::string hash = get_arg("hash");
 
+ std::unique_ptr<Botan::Private_Key> key;
 if(!pass.empty())
 {
- key.reset(Botan::PKCS8::load_key(get_arg("ca_key"), rng(), pass));
+ key.reset(Botan::PKCS8::load_key(key_file, rng(), pass));
 }
 else
 {
- key.reset(Botan::PKCS8::load_key(get_arg("ca_key"), rng()));
+ key.reset(Botan::PKCS8::load_key(key_file, rng()));
 }
 
 if(!key)
 {
- throw CLI_Error("Failed to load key from " + get_arg("ca_key"));
+ throw CLI_Error("Failed to load key from " + key_file);
 }
 
 std::map<std::string, std::string> options;
@@ -251,7 +253,9 @@ class Gen_Self_Signed final : public Command
 void go() override
 {
- std::unique_ptr<Botan::Private_Key> key(Botan::PKCS8::load_key(get_arg("key"), rng(), get_arg("key-pass")));
+ const std::string key_file = get_arg("key");
+ const std::string passphrase = get_passphrase_arg("Passphrase for " + key_file, "key-pass");
+ std::unique_ptr<Botan::Private_Key> key(Botan::PKCS8::load_key(key_file, rng(), passphrase));
 if(!key)
 {
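Review bot: The prompts introduced across this change use three wordings for the same thing — `"Password for " + key_file` in the Sign_Cert hunk here and in PKCS8_Tool, `"Passphrase for " + key_file` in Gen_Self_Signed and PK_Sign, and `"Key passphrase"` in PK_Keygen — while the header comment for `get_passphrase_arg` consistently says "passphrase". Settling on one word keeps the interactive output predictable, e.g. `get_passphrase_arg("Passphrase for " + key_file, "ca-key-pass")` here. Gen_Self_Signed's `go()` continues past the end of its hunk.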