9 files changed, 46 insertions, 23 deletions

diff --git a/src/cli/cli.cpp b/src/cli/cli.cpp
index 988fa623a..1918a4fbd 100644
--- a/src/cli/cli.cpp
+++ b/src/cli/cli.cpp
@@ -207,6 +207,14 @@ Botan::RandomNumberGenerator& Command::rng()
    return *m_rng.get();
    }
 
+std::string Command::get_passphrase_arg(const std::string& prompt, const std::string& opt_name)
+   {
+   const std::string s = get_arg(opt_name);
+   if(s != "-")
+      return s;
+   return get_passphrase(prompt);
+   }
+
 namespace {
 
 bool echo_suppression_supported()
diff --git a/src/cli/cli.h b/src/cli/cli.h
index fca8e5225..b6f6a3076 100644
--- a/src/cli/cli.h
+++ b/src/cli/cli.h
@@ -124,6 +124,13 @@ class Command
 
       std::string get_arg(const std::string& opt_name) const;
 
+      /**
+      * Like get_arg but if the value is '-' then reads a passphrase from
+      * the terminal with echo suppressed.
+      */
+      std::string get_passphrase_arg(const std::string& prompt,
+                                     const std::string& opt_name);
+
       /*
       * Like get_arg() but if the argument was not specified or is empty, returns otherwise
       */
diff --git a/src/cli/psk.cpp b/src/cli/psk.cpp
index 45a5918d8..83b60225d 100644
--- a/src/cli/psk.cpp
+++ b/src/cli/psk.cpp
@@ -27,7 +27,7 @@ class PSK_Tool_Base : public Command
       void go() override
          {
          const std::string db_filename = get_arg("db");
-         const Botan::secure_vector<uint8_t> db_key = Botan::hex_decode_locked(get_arg("db_key"));
+         const Botan::secure_vector<uint8_t> db_key = Botan::hex_decode_locked(get_passphrase_arg("Database key", "db_key"));
 
          std::shared_ptr<Botan::SQL_Database> db = std::make_shared<Botan::Sqlite3_Database>(db_filename);
          Botan::Encrypted_PSK_Database_SQL psk(db_key, db, "psk");
@@ -53,8 +53,8 @@ class PSK_Tool_Set final : public PSK_Tool_Base
       void psk_operation(Botan::PSK_Database& db) override
          {
          const std::string name = get_arg("name");
-         Botan::secure_vector<uint8_t> key = Botan::hex_decode_locked(get_arg("psk"));
-         db.set_vec(name, key);
+         const Botan::secure_vector<uint8_t> psk = Botan::hex_decode_locked(get_passphrase_arg("PSK", "psk"));
+         db.set_vec(name, psk);
          }
    };
 
diff --git a/src/cli/pubkey.cpp b/src/cli/pubkey.cpp
index 46655a6ae..6011c9701 100644
--- a/src/cli/pubkey.cpp
+++ b/src/cli/pubkey.cpp
@@ -60,7 +60,7 @@ class PK_Keygen final : public Command
             throw CLI_Error_Unsupported("keygen", algo);
             }
 
-         const std::string pass = get_arg("passphrase");
+         const std::string pass = get_passphrase_arg("Key passphrase", "passphrase");
          const bool der_out = flag_set("der-out");
 
          const std::chrono::milliseconds pbe_millis(get_arg_sz("pbe-millis"));
@@ -168,11 +168,11 @@ class PK_Sign final : public Command
 
       void go() override
          {
-         std::unique_ptr<Botan::Private_Key> key(
-            Botan::PKCS8::load_key(
-               get_arg("key"),
-               rng(),
-               get_arg("passphrase")));
+         const std::string key_file = get_arg("key");
+         const std::string passphrase = get_passphrase_arg("Passphrase for " + key_file, "passphrase");
+
+         Botan::DataSource_Stream input(key_file);
+         std::unique_ptr<Botan::Private_Key> key = Botan::PKCS8::load_key(input, passphrase);;
 
          if(!key)
             {
@@ -265,9 +265,10 @@ class PKCS8_Tool final : public Command
 
       void go() override
          {
-         const std::string pass_in = get_arg("pass-in");
+         const std::string key_file = get_arg("key");
+         const std::string pass_in = get_passphrase_arg("Password for " + key_file, "pass-in");
 
-         Botan::DataSource_Memory key_src(slurp_file(get_arg("key")));
+         Botan::DataSource_Memory key_src(slurp_file(key_file));
          std::unique_ptr<Botan::Private_Key> key;
 
          if(pass_in.empty())
@@ -296,7 +297,7 @@ class PKCS8_Tool final : public Command
             }
          else
             {
-            const std::string pass_out = get_arg("pass-out");
+            const std::string pass_out = get_passphrase_arg("Passphrase to encrypt key", "pass-out");
 
             if(der_out)
                {
diff --git a/src/cli/tls_client.cpp b/src/cli/tls_client.cpp
index dfe874313..32ae4cea5 100644
--- a/src/cli/tls_client.cpp
+++ b/src/cli/tls_client.cpp
@@ -101,7 +101,7 @@ class TLS_Client final : public Command, public Botan::TLS::Callbacks
          if(!sessions_db.empty())
             {
 #if defined(BOTAN_HAS_TLS_SQLITE3_SESSION_MANAGER)
-            const std::string sessions_passphrase = get_arg("session-db-pass");
+            const std::string sessions_passphrase = get_passphrase_arg("Session DB passphrase", "session-db-pass");
             session_mgr.reset(new Botan::TLS::Session_Manager_SQLite(sessions_passphrase, rng(), sessions_db));
 #else
             error_output() << "Ignoring session DB file, sqlite not enabled\n";
diff --git a/src/cli/tls_http_server.cpp b/src/cli/tls_http_server.cpp
index 6b5cefab4..cc59a71c3 100644
--- a/src/cli/tls_http_server.cpp
+++ b/src/cli/tls_http_server.cpp
@@ -531,7 +531,7 @@ class TLS_HTTP_Server final : public Command
          if(!sessions_db.empty())
             {
 #if defined(BOTAN_HAS_TLS_SQLITE3_SESSION_MANAGER)
-            const std::string sessions_passphrase = get_arg("session-db-pass");
+            const std::string sessions_passphrase = get_passphrase_arg("Session DB passphrase", "session-db-pass");
             session_mgr.reset(new Botan::TLS::Session_Manager_SQLite(sessions_passphrase, rng(), sessions_db));
 #else
             throw CLI_Error_Unsupported("Sqlite3 support not available");
diff --git a/src/cli/tls_proxy.cpp b/src/cli/tls_proxy.cpp
index 717bbc6c6..49ffbe376 100644
--- a/src/cli/tls_proxy.cpp
+++ b/src/cli/tls_proxy.cpp
@@ -453,7 +453,7 @@ class TLS_Proxy final : public Command
          std::unique_ptr<Botan::TLS::Session_Manager> session_mgr;
 
 #if defined(BOTAN_HAS_TLS_SQLITE3_SESSION_MANAGER)
-         const std::string sessions_passphrase = get_arg("session-db-pass");
+         const std::string sessions_passphrase = get_passphrase_arg("Session DB passphrase", "session-db-pass");
          const std::string sessions_db = get_arg("session-db");
 
          if(!sessions_db.empty())
diff --git a/src/cli/utils.cpp b/src/cli/utils.cpp
index 1a7639937..99471fba5 100644
--- a/src/cli/utils.cpp
+++ b/src/cli/utils.cpp
@@ -540,7 +540,7 @@ class Generate_Bcrypt final : public Command
 
       void go() override
          {
-         const std::string password = get_arg("password");
+         const std::string password = get_passphrase_arg("Passphrase to hash", "password");
          const size_t wf = get_arg_sz("work-factor");
 
          if(wf < 4 || wf > 18)
@@ -574,7 +574,7 @@ class Check_Bcrypt final : public Command
 
       void go() override
          {
-         const std::string password = get_arg("password");
+         const std::string password = get_passphrase_arg("Password to check", "password");
          const std::string hash = get_arg("hash");
 
          if(hash.length() != 60)
@@ -585,6 +585,9 @@ class Check_Bcrypt final : public Command
          const bool ok = Botan::check_bcrypt(password, hash);
 
          output() << "Password is " << (ok ? "valid" : "NOT valid") << std::endl;
+
+         if(ok == false)
+            set_return_code(1);
          }
    };
 
diff --git a/src/cli/x509.cpp b/src/cli/x509.cpp
index adae8285c..d894b99a4 100644
--- a/src/cli/x509.cpp
+++ b/src/cli/x509.cpp
@@ -45,23 +45,25 @@ class Sign_Cert final : public Command
       void go() override
          {
          Botan::X509_Certificate ca_cert(get_arg("ca_cert"));
-         std::unique_ptr<Botan::Private_Key> key;
-         const std::string pass = get_arg("ca-key-pass");
+
+         const std::string key_file = get_arg("ca_key");
+         const std::string pass = get_passphrase_arg("Password for " + key_file, "ca-key-pass");
          const std::string emsa = get_arg("emsa");
          const std::string hash = get_arg("hash");
 
+         std::unique_ptr<Botan::Private_Key> key;
          if(!pass.empty())
             {
-            key.reset(Botan::PKCS8::load_key(get_arg("ca_key"), rng(), pass));
+            key.reset(Botan::PKCS8::load_key(key_file, rng(), pass));
             }
          else
             {
-            key.reset(Botan::PKCS8::load_key(get_arg("ca_key"), rng()));
+            key.reset(Botan::PKCS8::load_key(key_file, rng()));
             }
 
          if(!key)
             {
-            throw CLI_Error("Failed to load key from " + get_arg("ca_key"));
+            throw CLI_Error("Failed to load key from " + key_file);
             }
 
          std::map<std::string, std::string> options;
@@ -251,7 +253,9 @@ class Gen_Self_Signed final : public Command
 
       void go() override
          {
-         std::unique_ptr<Botan::Private_Key> key(Botan::PKCS8::load_key(get_arg("key"), rng(), get_arg("key-pass")));
+         const std::string key_file = get_arg("key");
+         const std::string passphrase = get_passphrase_arg("Passphrase for " + key_file, "key-pass");
+         std::unique_ptr<Botan::Private_Key> key(Botan::PKCS8::load_key(key_file, rng(), passphrase));
 
          if(!key)
             {