Meishin/LoginSystem
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

#848 Prevent "invalid salt version" when hash format is clearly not BCrypt

Browse Source
This commit is contained in:
ljacqu 2016-08-13 20:10:38 +02:00
parent 58308cffb5
commit 7f3c308009
5 changed files with 27 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
src/main/java/fr/xephi/authme/security/HashUtils.java
View File

@ -67,6 +67,17 @@ public final class HashUtils {
} }
} }
/**
* Return whether the given hash starts like a BCrypt hash. Checking with this method
* beforehand prevents the BcryptService from throwing certain exceptions.
*
* @param hash The salt to verify
* @return True if the salt is valid, false otherwise
*/
public static boolean isValidBcryptHash(String hash) {
return hash.length() > 3 && hash.substring(0, 2).equals("$2");
}
/** /**
* Hash the message with the given algorithm and return the hash in its hexadecimal notation. * Hash the message with the given algorithm and return the hash in its hexadecimal notation.
* *

3
src/main/java/fr/xephi/authme/security/crypts/BCRYPT.java
View File

@ -1,6 +1,7 @@
package fr.xephi.authme.security.crypts; package fr.xephi.authme.security.crypts;
import fr.xephi.authme.ConsoleLogger; import fr.xephi.authme.ConsoleLogger;
import fr.xephi.authme.security.HashUtils;
import fr.xephi.authme.security.crypts.description.HasSalt; import fr.xephi.authme.security.crypts.description.HasSalt;
import fr.xephi.authme.security.crypts.description.Recommendation; import fr.xephi.authme.security.crypts.description.Recommendation;
import fr.xephi.authme.security.crypts.description.SaltType; import fr.xephi.authme.security.crypts.description.SaltType;
@ -36,7 +37,7 @@ public class BCRYPT implements EncryptionMethod {
@Override @Override
public boolean comparePassword(String password, HashedPassword hash, String name) { public boolean comparePassword(String password, HashedPassword hash, String name) {
try { try {
return hash.getHash().length() > 3 && BCryptService.checkpw(password, hash.getHash()); return HashUtils.isValidBcryptHash(hash.getHash()) && BCryptService.checkpw(password, hash.getHash());
} catch (IllegalArgumentException e) { } catch (IllegalArgumentException e) {
ConsoleLogger.warning("Bcrypt checkpw() returned " + StringUtils.formatException(e)); ConsoleLogger.warning("Bcrypt checkpw() returned " + StringUtils.formatException(e));
} }

3
src/main/java/fr/xephi/authme/security/crypts/IPB4.java
View File

@ -1,6 +1,7 @@
package fr.xephi.authme.security.crypts; package fr.xephi.authme.security.crypts;
import fr.xephi.authme.ConsoleLogger; import fr.xephi.authme.ConsoleLogger;
import fr.xephi.authme.security.HashUtils;
import fr.xephi.authme.security.RandomString; import fr.xephi.authme.security.RandomString;
import fr.xephi.authme.security.crypts.description.HasSalt; import fr.xephi.authme.security.crypts.description.HasSalt;
import fr.xephi.authme.security.crypts.description.Recommendation; import fr.xephi.authme.security.crypts.description.Recommendation;
@ -34,7 +35,7 @@ public class IPB4 implements EncryptionMethod {
@Override @Override
public boolean comparePassword(String password, HashedPassword hash, String name) { public boolean comparePassword(String password, HashedPassword hash, String name) {
try { try {
return hash.getHash().length() > 3 && BCryptService.checkpw(password, hash.getHash()); return HashUtils.isValidBcryptHash(hash.getHash()) && BCryptService.checkpw(password, hash.getHash());
} catch (IllegalArgumentException e) { } catch (IllegalArgumentException e) {
ConsoleLogger.warning("Bcrypt checkpw() returned " + StringUtils.formatException(e)); ConsoleLogger.warning("Bcrypt checkpw() returned " + StringUtils.formatException(e));
} }

3
src/main/java/fr/xephi/authme/security/crypts/XFBCRYPT.java
View File

@ -1,6 +1,7 @@
package fr.xephi.authme.security.crypts; package fr.xephi.authme.security.crypts;
import fr.xephi.authme.ConsoleLogger; import fr.xephi.authme.ConsoleLogger;
import fr.xephi.authme.security.HashUtils;
import fr.xephi.authme.util.StringUtils; import fr.xephi.authme.util.StringUtils;
import java.util.regex.Matcher; import java.util.regex.Matcher;
@ -29,7 +30,7 @@ public class XFBCRYPT implements EncryptionMethod {
@Override @Override
public boolean comparePassword(String password, HashedPassword hash, String salt) { public boolean comparePassword(String password, HashedPassword hash, String salt) {
try { try {
return hash.getHash().length() > 3 && BCryptService.checkpw(password, hash.getHash()); return HashUtils.isValidBcryptHash(hash.getHash()) && BCryptService.checkpw(password, hash.getHash());
} catch (IllegalArgumentException e) { } catch (IllegalArgumentException e) {
ConsoleLogger.warning("XfBCrypt checkpw() returned " + StringUtils.formatException(e)); ConsoleLogger.warning("XfBCrypt checkpw() returned " + StringUtils.formatException(e));
} }

10
src/test/java/fr/xephi/authme/security/HashUtilsTest.java
View File

@ -113,4 +113,14 @@ public class HashUtilsTest {
assertThat(digest.getAlgorithm(), equalTo("MD5")); assertThat(digest.getAlgorithm(), equalTo("MD5"));
} }
@Test
public void shouldCheckForValidBcryptHashStart() {
// given / when / then
assertThat(HashUtils.isValidBcryptHash(""), equalTo(false));
assertThat(HashUtils.isValidBcryptHash("$2afsdaf"), equalTo(true));
assertThat(HashUtils.isValidBcryptHash("$2"), equalTo(false));
assertThat(HashUtils.isValidBcryptHash("$2aead234adef"), equalTo(true));
assertThat(HashUtils.isValidBcryptHash("#2ae5fc78"), equalTo(false));
}
} }