Posted to cvs@httpd.apache.org by jo...@apache.org on 2018/11/09 16:33:04 UTC

svn commit: r1846254 - in /httpd/httpd/trunk: docs/manual/programs/htpasswd.xml support/htpasswd.c

Author: jorton
Date: Fri Nov  9 16:33:04 2018
New Revision: 1846254

URL: http://svn.apache.org/viewvc?rev=1846254&view=rev
Log:
* support/htpasswd.c (usage): Fix bcrypt round maximum.

* docs/manual/programs/htpasswd.xml: Document that bcrypt rounds are
capped at 17.

PR: 62078

Modified:
    httpd/httpd/trunk/docs/manual/programs/htpasswd.xml
    httpd/httpd/trunk/support/htpasswd.c

Modified: httpd/httpd/trunk/docs/manual/programs/htpasswd.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/programs/htpasswd.xml?rev=1846254&r1=1846253&r2=1846254&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/programs/htpasswd.xml (original)
+++ httpd/httpd/trunk/docs/manual/programs/htpasswd.xml Fri Nov  9 16:33:04 2018
@@ -137,7 +137,7 @@ distribution.</seealso>
     <dt><code>-C</code></dt>
     <dd>This flag is only allowed in combination with <code>-B</code> (bcrypt
     encryption). It sets the computing time used for the bcrypt algorithm
-    (higher is more secure but slower, default: 5, valid: 4 to 31).</dd>
+    (higher is more secure but slower, default: 5, valid: 4 to 17).</dd>
 
     <dt><code>-d</code></dt>
     <dd>Use <code>crypt()</code> encryption for passwords. This is not
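Review bot: The new range in the -C entry ("valid: 4 to 17") reads as unconditional, while the paragraph this commit adds further down the same file ties the limit to apr-util 1.6.0 and later. Suggest qualifying it here, for example "valid: 4 to 17 with apr-util 1.6.0 and later", or pointing to that paragraph, so a reader who only consults the option list does not assume 17 applies to every build.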
@@ -259,6 +259,11 @@ distribution.</seealso>
 
     <p>Usernames are limited to <code>255</code> bytes and may not include the
     character <code>:</code>.</p>
+
+    <p>The cost of computing a bcrypt password hash value increases
+    with the number of rounds specified by the <code>-C</code> option.
+    The <code>apr-util</code> library enforces a maximum number of
+    rounds of 17 in version <code>1.6.0</code> and later.</p>
 </section>
 
 </manualpage>
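Review bot: The added paragraph says apr-util "enforces a maximum" but does not say what happens when -C is given a value above 17: whether the call fails with an error or the value is lowered. Suggest stating the behaviour, since anyone scripting -B with -C needs to know whether a too-high value stops the run or yields a hash at a lower cost than requested. The paragraph also calls the -C value "number of rounds" while the option entry above calls it "computing time"; using one term in both places would avoid the impression that these are two different settings.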

Modified: httpd/httpd/trunk/support/htpasswd.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/support/htpasswd.c?rev=1846254&r1=1846253&r2=1846254&view=diff
==============================================================================
--- httpd/httpd/trunk/support/htpasswd.c (original)
+++ httpd/httpd/trunk/support/htpasswd.c Fri Nov  9 16:33:04 2018
@@ -111,7 +111,7 @@ static void usage(void)
         " -m  Force MD5 encryption of the password (default)." NL
         " -B  Force bcrypt encryption of the password (very secure)." NL
         " -C  Set the computing time used for the bcrypt algorithm" NL
-        "     (higher is more secure but slower, default: %d, valid: 4 to 31)." NL
+        "     (higher is more secure but slower, default: %d, valid: 4 to 17)." NL
         " -d  Force CRYPT encryption of the password (8 chars max, insecure)." NL
         " -s  Force SHA encryption of the password (insecure)." NL
         " -p  Do not encrypt the password (plaintext, insecure)." NL