From 09436649cce72642f73e57eb2e000f567d5680f2 Mon Sep 17 00:00:00 2001
From: Jan Brennenstuhl
Date: Tue, 6 Dec 2016 12:17:35 +0100
Subject: [PATCH] handling null-values for salts properly now - fixes gh-4147
---
 .../springframework/security/crypto/bcrypt/BCrypt.java | 7 ++++++-
 .../security/crypto/bcrypt/BCryptTests.java | 10 ++++++++--
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java b/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java
index d6f0890ccf..d91dd5caed 100644
--- a/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java
+++ b/crypto/src/main/java/org/springframework/security/crypto/bcrypt/BCrypt.java
@@ -532,8 +532,9 @@ public class BCrypt {
 * @param password the password to hash
 * @param salt the salt to hash with (perhaps generated using BCrypt.gensalt)
 * @return the hashed password
+ * @throws IllegalArgumentException if invalid salt is passed
 */
- public static String hashpw(String password, String salt) {
+ public static String hashpw(String password, String salt) throws IllegalArgumentException {
 BCrypt B;
 String real_salt;
 byte passwordb[], saltb[], hashed[];
@@ -541,6 +542,10 @@ public class BCrypt {
 int rounds, off = 0;
 StringBuilder rs = new StringBuilder();
 
+ if (salt == null) {
+ throw new IllegalArgumentException("Invalid salt");
+ }
+
 int saltLength = salt.length();
 
 if (saltLength < 28) {
diff --git a/crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptTests.java b/crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptTests.java
index 411bbac026..e2fa5c298a 100644
--- a/crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptTests.java
+++ b/crypto/src/test/java/org/springframework/security/crypto/bcrypt/BCryptTests.java
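Review bot: The `throws IllegalArgumentException` added to the `hashpw` signature is redundant: IllegalArgumentException is unchecked, so the clause changes nothing for callers and is not conventional Java, while the new Javadoc `@throws` tag already documents the contract. Keep the tag and revert the signature line to `public static String hashpw(String password, String salt) {`. The tag itself could be more specific than "invalid salt", e.g. `@throws IllegalArgumentException if salt is null or too short to be a bcrypt salt` — the second hunk shows a length check, but any further format checks are in the part of the body that continues past this hunk, so word it only as far as the code enforces.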
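Review bot: The new guard makes the argument contract asymmetric: `salt == null` now fails with IllegalArgumentException, but `password` is not validated here, so a null password presumably still surfaces later as a NullPointerException (hashpw's body continues past the hunk, so the dereference itself is not visible). If the goal is a consistent contract for bad arguments, add `if (password == null) { throw new IllegalArgumentException("Invalid password"); }` beside the salt check. Either way the call fails closed — no hash is ever produced from a missing salt — so this is a clarity-of-contract fix rather than a hashing weakness, and the note above should be read in that light.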
@@ -14,10 +14,11 @@
 package org.springframework.security.crypto.bcrypt;
 
+import org.junit.Test;
+
 import java.util.Arrays;
 
-import org.junit.Test;
-import static org.assertj.core.api.Assertions.*;
+import static org.assertj.core.api.Assertions.assertThat;
 
 /**
 * JUnit unit tests for BCrypt routines
@@ -271,6 +272,11 @@ public class BCryptTests {
 assertThat(BCrypt.gensalt(31).startsWith("$2a$31$")).isTrue();
 }
 
+ @Test(expected = IllegalArgumentException.class)
+ public void hashpwFailsWhenSaltIsNull() {
+ BCrypt.hashpw("password", null);
+ }
+
 @Test(expected = IllegalArgumentException.class)
 public void hashpwFailsWhenSaltSpecifiesTooFewRounds() {
 BCrypt.hashpw("password", "$2a$03$......................");
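Review bot: The import reshuffle is unrelated to the null-salt fix: moving `import org.junit.Test;` above `import java.util.Arrays;` inverts the java-before-third-party order the file had, and only the narrowing of `Assertions.*` to `Assertions.assertThat` is worth keeping. Unless the project's checkstyle mandates the new order, leave `import java.util.Arrays;` first and drop the reorder so the commit stays focused on gh-4147.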
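Review bot: `hashpwFailsWhenSaltIsNull` only pins the direct `hashpw` call; the case that matters for authentication is a null stored hash reaching `checkpw`, which presumably delegates to `hashpw` and therefore now throws IllegalArgumentException where it previously threw NullPointerException. Because that is an observable behaviour change for callers, a companion test such as `@Test(expected = IllegalArgumentException.class) public void checkpwFailsWhenHashedIsNull() { BCrypt.checkpw("password", null); }` would lock it in and document it (verify checkpw's signature against the main file, which is outside this hunk). The `@Test(expected = ...)` form matches the neighbouring tests, so using it here is consistent.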