You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@commons.apache.org by "Simon Levermann (JIRA)" <ji...@apache.org> on 2018/02/12 16:30:01 UTC
[jira] [Created] (CODEC-245) RegEx for verifying salts in ShaCrypt
is incorrect
Simon Levermann created CODEC-245:
-------------------------------------
Summary: RegEx for verifying salts in ShaCrypt is incorrect
Key: CODEC-245
URL: https://issues.apache.org/jira/browse/CODEC-245
Project: Commons Codec
Issue Type: Bug
Affects Versions: 1.11
Reporter: Simon Levermann
The regex/code that extracts the salt from a given salt string in Sha2Crypt treats some invalid salt formats as valid:
{code:java}
^\$([56])\$(rounds=(\d+)\$)?([\.\/a-zA-Z0-9]{1,16}).*
{code}
The code then goes on to use capture group 3 (the round count) to determine how many rounds are used, and capture group 4 (the actual salt) to use as salt data.
However, for an input that contains an invalid salt specification like this:
{code:java}
$5$notrounds=1000$asdfasdf
{code}
This string is treated as valid. The operation then uses "notrounds" as the salt for hashing:
{code:java}
System.out.println(Sha2Crypt.sha256Crypt(new byte[100], "$5$notrounds=1000$asdfasdf"));
{code}
The above code prints
{code:java}
$5$notrounds$aAEx6EzUBfc.aIIeiItVjUREbj/ar4xlb/qcMxD90NA
{code}
This code should probably throw an exceptions. Additionally, other invalid salt strings like
{code:java}
$6$rounds=1000$äöüäöü
{code}
Result in hashes like:
{code:java}
$5$rounds$ZIRdMgi25kK5Zmi1whKjcnFN/Pe8QCAOlTmxMfwAoq5
{code}
Completely ignoring the rounds parameter, and using the literal string "rounds" as the salt for hashing.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)