handling null-values for salts properly now - fixes gh-4147

Jan Brennenstuhl 2016-12-06 12:17:35 +01:00 committed by Rob Winch
parent f94399cff9
commit 09436649cc
2 changed files with 14 additions and 3 deletions


@ -532,8 +532,9 @@ public class BCrypt {
* @param password the password to hash
* @param salt the salt to hash with (perhaps generated using BCrypt.gensalt)
* @return the hashed password
* @throws IllegalArgumentException if invalid salt is passed
*/
public static String hashpw(String password, String salt) {
public static String hashpw(String password, String salt) throws IllegalArgumentException {
BCrypt B;
String real_salt;
byte passwordb[], saltb[], hashed[];
@ -541,6 +542,10 @@ public class BCrypt {
int rounds, off = 0;
StringBuilder rs = new StringBuilder();
if (salt == null) {
throw new IllegalArgumentException("Invalid salt");
}
int saltLength = salt.length();
if (saltLength < 28) {
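Review bot: `password` gets no guard to match the new `salt == null` check in `hashpw`, and the statements that consume it lie outside this hunk, so it cannot be confirmed here whether a null password fails cleanly or is processed in some unintended way further down. If nothing below rejects it, add `if (password == null) { throw new IllegalArgumentException("password cannot be null"); }` beside the salt check, with a matching test. The `throws IllegalArgumentException` clause on the signature is redundant for an unchecked exception; the new `@throws` tag already documents it and could say explicitly that null is rejected, e.g. `@throws IllegalArgumentException if the salt is null or invalid`. Keeping the message a fixed string, as done here, is the right call: callers may well pass a stored hash as the salt argument, and that value should not be echoed into exception text or logs.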


@ -14,10 +14,11 @@
package org.springframework.security.crypto.bcrypt;
import org.junit.Test;
import java.util.Arrays;
import org.junit.Test;
import static org.assertj.core.api.Assertions.*;
import static org.assertj.core.api.Assertions.assertThat;
/**
* JUnit unit tests for BCrypt routines
@ -271,6 +272,11 @@ public class BCryptTests {
assertThat(BCrypt.gensalt(31).startsWith("$2a$31$")).isTrue();
}
@Test(expected = IllegalArgumentException.class)
public void hashpwFailsWhenSaltIsNull() {
BCrypt.hashpw("password", null);
}
@Test(expected = IllegalArgumentException.class)
public void hashpwFailsWhenSaltSpecifiesTooFewRounds() {
BCrypt.hashpw("password", "$2a$03$......................");