
Commit 92c8e4e

committed
Update to jBCrypt 0.3 to fix security vulnerability (http://www.mindrot.org/projects/jBCrypt/news/rel03.html)
1 parent 9905c5d commit 92c8e4e

2 files changed

Lines changed: 26 additions & 7 deletions


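--- a/ext/jruby/bcrypt_jruby/BCrypt.java
+++ b/ext/jruby/bcrypt_jruby/BCrypt.java
@@ -63,7 +63,7 @@
 */
 public class BCrypt {
 // BCrypt parameters
-private static int GENSALT_DEFAULT_LOG2_ROUNDS = 10;
+private static final int GENSALT_DEFAULT_LOG2_ROUNDS = 10;
 private static final int BCRYPT_SALT_LEN = 16;
 
 // Blowfish parameters
@@ -655,13 +655,14 @@ public static String hashpw(String password, String salt) {
 
 if (salt.charAt(0) != '$' || salt.charAt(1) != '2')
 throw new IllegalArgumentException ("Invalid salt version");
-if (salt.charAt(1) != '$') {
+if (salt.charAt(2) == '$')
+off = 3;
+else {
 minor = salt.charAt(2);
 if (minor != 'a' || salt.charAt(3) != '$')
 throw new IllegalArgumentException ("Invalid salt revision");
 off = 4;
-} else
-off = 3;
+}
 
 // Extract number of rounds
 if (salt.charAt(off + 2) > '$')
@@ -670,10 +671,9 @@ public static String hashpw(String password, String salt) {
 
 real_salt = salt.substring(off + 3, off + 25);
 try {
-passwordb = (password + (minor >= 'a' ? "\000" : "")).getBytes("US-ASCII");
+passwordb = (password + (minor >= 'a' ? "\000" : "")).getBytes("UTF-8");
 } catch (UnsupportedEncodingException uee) {
-// The JDK guarantees that US-ASCII is supported.
-throw new AssertionError("US-ASCII is not supported");
+throw new AssertionError("UTF-8 is not supported");
 }
 
 saltb = decode_base64(real_salt, BCRYPT_SALT_LEN);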
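Review bot: The encoding change at `getBytes("UTF-8")` is not reflected in hashpw's documentation, and it is the security-relevant part of the commit: the previous US-ASCII encoding replaced every non-ASCII character with '?', so distinct non-ASCII passwords produced the same hash, and hashes stored under that behaviour will no longer verify for such passwords after this upgrade. hashpw starts and ends outside the hunk, so the Javadoc I would add is not visible here; it should state `* The password is encoded as UTF-8 before hashing; bcrypt uses at most the first 72 bytes, so multi-byte characters reduce the effective maximum password length.` and, as a second sentence, that hashes produced by earlier releases for passwords containing non-ASCII characters will not match. The removed comment explaining why the catch branch is unreachable should be restored in UTF-8 form, e.g. `// The JDK guarantees that UTF-8 is supported.`, since the bare AssertionError otherwise reads as a possible runtime path. If the build targets Java 7 or later, `getBytes(StandardCharsets.UTF_8)` removes the checked exception and the catch entirely; the target version is not visible in the hunk.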

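--- a/spec/TestBCrypt.java
+++ b/spec/TestBCrypt.java
@@ -172,4 +172,23 @@ public void testCheckpw_failure() {
 }
 System.out.println("");
 }
+
+/**
+* Test for correct hashing of non-US-ASCII passwords
+*/
+public void testInternationalChars() {
+System.out.print("BCrypt.hashpw w/ international chars: ");
+String pw1 = "ππππππππ";
+String pw2 = "????????";
+
+String h1 = BCrypt.hashpw(pw1, BCrypt.gensalt());
+assertFalse(BCrypt.checkpw(pw2, h1));
+System.out.print(".");
+
+String h2 = BCrypt.hashpw(pw2, BCrypt.gensalt());
+assertFalse(BCrypt.checkpw(pw1, h2));
+System.out.print(".");
+System.out.println("");
+}
+
 }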
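Review bot: The non-ASCII literal `"ππππππππ"` on line 181 makes the test depend on the charset javac uses to read TestBCrypt.java; if the build compiles under a non-UTF-8 platform charset the literal degrades to question marks, pw1 becomes equal to pw2 (which the page shows as `"????????"`, assuming that is the actual literal), and the test fails for a reason unrelated to hashpw. Writing it as `String pw1 = "\u03c0\u03c0\u03c0\u03c0\u03c0\u03c0\u03c0\u03c0";` makes the test independent of the source encoding. The test also asserts only the negative cases; adding `assertTrue(BCrypt.checkpw(pw1, h1));` after line 184 and `assertTrue(BCrypt.checkpw(pw2, h2));` after line 188 would confirm that a non-ASCII password actually round-trips through hashpw and checkpw with the new encoding. The enclosing test class continues outside the hunk.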
