
handling null-values for salts properly now - fixes gh-4147

Jan Brennenstuhl 8 жил өмнө
parent
commit
09436649cc

+ 6 - 1
crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java

@@ -532,8 +532,9 @@ public class BCrypt {
 	 * @param password the password to hash
 	 * @param salt the salt to hash with (perhaps generated using BCrypt.gensalt)
 	 * @return the hashed password
+	 * @throws IllegalArgumentException if invalid salt is passed
 	 */
-	public static String hashpw(String password, String salt) {
+	public static String hashpw(String password, String salt) throws IllegalArgumentException {
 		BCrypt B;
 		String real_salt;
 		byte passwordb[], saltb[], hashed[];
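Review bot: The `throws IllegalArgumentException` clause added to the `hashpw` signature is redundant, because IllegalArgumentException is unchecked and the compiler never enforces the clause; the new `@throws` Javadoc line already carries the contract. I would keep the signature as `public static String hashpw(String password, String salt) {` and make the Javadoc name the rejected inputs, for example `@throws IllegalArgumentException if salt is null or is not a valid BCrypt salt`. The body of hashpw continues outside this hunk, so the exact set of rejected salts should be checked against the validation further down.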
@@ -541,6 +542,10 @@ public class BCrypt {
 		int rounds, off = 0;
 		StringBuilder rs = new StringBuilder();
 
+		if (salt == null) {
+			throw new IllegalArgumentException("Invalid salt");
+		}
+
 		int saltLength = salt.length();
 
 		if (saltLength < 28) {
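Review bot: Only `salt` gets a null guard here; `password` is not checked in the lines visible in this hunk. If nothing further down checks it, a null password would still surface as a NullPointerException, which the Javadoc does not document. A matching guard next to the new one would make both arguments fail the same way: `if (password == null) { throw new IllegalArgumentException("password cannot be null"); }`. The constant message `"Invalid salt"` is worth keeping as is, since it never echoes salt or hash material into exception text or logs. hashpw starts before and continues after this hunk, so confirm against the full body.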

+ 8 - 2
crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptTests.java

@@ -14,10 +14,11 @@
 
 package org.springframework.security.crypto.bcrypt;
 
+import org.junit.Test;
+
 import java.util.Arrays;
 
-import org.junit.Test;
-import static org.assertj.core.api.Assertions.*;
+import static org.assertj.core.api.Assertions.assertThat;
 
 /**
  * JUnit unit tests for BCrypt routines
@@ -271,6 +272,11 @@ public class BCryptTests {
 		assertThat(BCrypt.gensalt(31).startsWith("$2a$31$")).isTrue();
 	}
 
+	@Test(expected = IllegalArgumentException.class)
+	public void hashpwFailsWhenSaltIsNull() {
+		BCrypt.hashpw("password", null);
+	}
+
 	@Test(expected = IllegalArgumentException.class)
 	public void hashpwFailsWhenSaltSpecifiesTooFewRounds() {
 		BCrypt.hashpw("password", "$2a$03$......................");