Posted to cvs@httpd.apache.org by jo...@apache.org on 2018/11/09 16:33:04 UTC
svn commit: r1846254 - in /httpd/httpd/trunk:
docs/manual/programs/htpasswd.xml support/htpasswd.c
Author: jorton
Date: Fri Nov 9 16:33:04 2018
New Revision: 1846254
URL: http://svn.apache.org/viewvc?rev=1846254&view=rev
Log:
* support/htpasswd.c (usage): Fix bcrypt round maximum.
* docs/manual/programs/htpasswd.xml: Document that bcrypt rounds are
capped at 17.
PR: 62078
Modified:
httpd/httpd/trunk/docs/manual/programs/htpasswd.xml
httpd/httpd/trunk/support/htpasswd.c
Modified: httpd/httpd/trunk/docs/manual/programs/htpasswd.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/programs/htpasswd.xml?rev=1846254&r1=1846253&r2=1846254&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/programs/htpasswd.xml (original)
+++ httpd/httpd/trunk/docs/manual/programs/htpasswd.xml Fri Nov 9 16:33:04 2018
@@ -137,7 +137,7 @@ distribution.</seealso>
<dt><code>-C</code></dt>
<dd>This flag is only allowed in combination with <code>-B</code> (bcrypt
encryption). It sets the computing time used for the bcrypt algorithm
- (higher is more secure but slower, default: 5, valid: 4 to 31).</dd>
+ (higher is more secure but slower, default: 5, valid: 4 to 17).</dd>
<dt><code>-d</code></dt>
<dd>Use <code>crypt()</code> encryption for passwords. This is not
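Review bot: The new range in the -C entry, "valid: 4 to 17", is stated unconditionally, but the paragraph this commit adds further down the same file ties the limit of 17 to apr-util 1.6.0 and later. A reader who only consults the option list will not learn that the bound depends on the library version; consider qualifying it here, for example "valid: 4 to 17 with apr-util 1.6.0 and later", or pointing to the restrictions text. The entry also calls the -C value "computing time" while the added paragraph calls it "number of rounds"; using one term in both places would avoid confusion.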
@@ -259,6 +259,11 @@ distribution.</seealso>
<p>Usernames are limited to <code>255</code> bytes and may not include the
character <code>:</code>.</p>
+
+ <p>The cost of computing a bcrypt password hash value increases
+ with the number of rounds specified by the <code>-C</code> option.
+ The <code>apr-util</code> library enforces a maximum number of
+ rounds of 17 in version <code>1.6.0</code> and later.</p>
</section>
</manualpage>
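Review bot: The added paragraph does not say what htpasswd does when -C is given a value above 17, nor what range applies with apr-util older than 1.6.0. The commit log says rounds are "capped" and the text says a maximum is "enforced", so a reader cannot tell whether a larger value is rejected with an error or silently reduced, which matters to anyone who believes they have selected a higher cost. Suggest stating the behaviour explicitly, and rewording "a maximum number of rounds of 17" to "a maximum of 17 rounds".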
Modified: httpd/httpd/trunk/support/htpasswd.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/support/htpasswd.c?rev=1846254&r1=1846253&r2=1846254&view=diff
==============================================================================
--- httpd/httpd/trunk/support/htpasswd.c (original)
+++ httpd/httpd/trunk/support/htpasswd.c Fri Nov 9 16:33:04 2018
@@ -111,7 +111,7 @@ static void usage(void)
" -m Force MD5 encryption of the password (default)." NL
" -B Force bcrypt encryption of the password (very secure)." NL
" -C Set the computing time used for the bcrypt algorithm" NL
- " (higher is more secure but slower, default: %d, valid: 4 to 31)." NL
+ " (higher is more secure but slower, default: %d, valid: 4 to 17)." NL
" -d Force CRYPT encryption of the password (8 chars max, insecure)." NL
" -s Force SHA encryption of the password (insecure)." NL
" -p Do not encrypt the password (plaintext, insecure)." NL