Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SEC-1890: make illegal arguments more obvious in BCrypt #1

Closed
wants to merge 1 commit into from
Closed

SEC-1890: make illegal arguments more obvious in BCrypt #1

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 9 additions & 1 deletion crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -651,6 +651,10 @@ public static String hashpw(String password, String salt) {
char minor = (char)0;
int rounds, off = 0;
StringBuffer rs = new StringBuffer();

if (salt==null || salt.length()<4) {
throw new IllegalArgumentException ("Invalid salt length");
}

if (salt.charAt(0) != '$' || salt.charAt(1) != '2')
throw new IllegalArgumentException ("Invalid salt version");
Expand All @@ -663,7 +667,11 @@ public static String hashpw(String password, String salt) {
off = 4;
}

// Extract number of rounds
if (salt.length()<off+25) {
throw new IllegalArgumentException ("Invalid real salt length");
}

// Extract number of rounds
if (salt.charAt(off + 2) > '$')
throw new IllegalArgumentException ("Missing salt rounds");
rounds = Integer.parseInt(salt.substring(off, off + 2));
Expand Down
1 change: 0 additions & 1 deletion crypto/src/main/java/org/springframework/security/crypto/codec/Utf8.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,6 @@
import java.nio.CharBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.Charset;
import java.util.*;

/**
* UTF-8 Charset encoder/decoder.
Expand Down
2 changes: 0 additions & 2 deletions ...c/main/java/org/springframework/security/crypto/keygen/SecureRandomBytesKeyGenerator.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,8 +15,6 @@
*/
package org.springframework.security.crypto.keygen;

import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;

/**
Expand Down
1 change: 0 additions & 1 deletion crypto/src/main/java/org/springframework/security/crypto/password/Digester.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,6 @@

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;

/**
* Helper for working with the MessageDigest API.
Expand Down
102 changes: 71 additions & 31 deletions .../src/test/java/org/springframework/security/crypto/bcrypt/BCryptPasswordEncoderTests.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,43 +18,83 @@
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertTrue;

import org.junit.Test;
import java.security.SecureRandom;

import org.junit.Test;

/**
* @author Dave Syer
*
*
*/
public class BCryptPasswordEncoderTests {

@Test
public void matches() {
BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
String result = encoder.encode("password");
assertFalse(result.equals("password"));
assertTrue(encoder.matches("password", result));
}

@Test
public void unicode() {
BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
String result = encoder.encode("passw\u9292rd");
assertFalse(encoder.matches("pass\u9292\u9292rd", result));
assertTrue(encoder.matches("passw\u9292rd", result));
}

@Test
public void matchesLengthChecked() {
BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
String result = encoder.encode("password");
assertFalse(encoder.matches("password", result.substring(0,result.length()-2)));
}

@Test
public void notMatches() {
BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
String result = encoder.encode("password");
assertFalse(encoder.matches("bogus", result));
}
@Test
public void matches() {
BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
String result = encoder.encode("password");
assertFalse(result.equals("password"));
assertTrue(encoder.matches("password", result));
}

@Test
public void customStrength() {
BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(8);
String result = encoder.encode("password");
assertTrue(encoder.matches("password", result));
}

@Test
public void customRandom() {
BCryptPasswordEncoder encoder = new BCryptPasswordEncoder(8, new SecureRandom());
String result = encoder.encode("password");
assertTrue(encoder.matches("password", result));
}

@Test
public void unicode() {
BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
String result = encoder.encode("passw\u9292rd");
assertFalse(encoder.matches("pass\u9292\u9292rd", result));
assertTrue(encoder.matches("passw\u9292rd", result));
}

@Test
public void matchesLengthChecked() {
BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
String result = encoder.encode("password");
assertFalse(encoder.matches("password", result.substring(0, result.length() - 2)));
}

@Test
public void notMatches() {
BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
String result = encoder.encode("password");
assertFalse(encoder.matches("bogus", result));
}

@Test(expected=IllegalArgumentException.class)
public void barfsOnNullEncodedValue() {
BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
assertFalse(encoder.matches("password", null));
}

@Test(expected=IllegalArgumentException.class)
public void barfsOnEmptyEncodedValue() {
BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
assertFalse(encoder.matches("password", ""));
}

@Test(expected=IllegalArgumentException.class)
public void barfsOnShortEncodedValue() {
BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
String result = encoder.encode("password");
assertFalse(encoder.matches("password", result.substring(0, 4)));
}

@Test(expected=IllegalArgumentException.class)
public void barfsOnBogusEncodedValue() {
BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
assertFalse(encoder.matches("password", "012345678901234567890123456789"));
}

}
5 changes: 0 additions & 5 deletions crypto/src/test/java/org/springframework/security/crypto/password/DigesterTests.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,15 +1,10 @@
package org.springframework.security.crypto.password;

import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;

import java.security.MessageDigest;
import java.util.Arrays;

import org.junit.Test;
import org.springframework.security.crypto.codec.Hex;
import org.springframework.security.crypto.codec.Utf8;
import org.springframework.security.crypto.password.Digester;

public class DigesterTests {

Expand Down