From: Joe Orton Date: Fri, 9 Nov 2018 16:33:04 +0000 (+0000) Subject: * support/htpasswd.c (usage): Fix bcrypt round maximum. X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ac4243b7d71808fd7fe274dd37b30ae5a28cccab;p=apache * support/htpasswd.c (usage): Fix bcrypt round maximum. * docs/manual/programs/htpasswd.xml: Document that bcrypt rounds are capped at 17. PR: 62078 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1846254 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/programs/htpasswd.xml b/docs/manual/programs/htpasswd.xml index c2c71fc628..efbf21022d 100644 --- a/docs/manual/programs/htpasswd.xml +++ b/docs/manual/programs/htpasswd.xml @@ -137,7 +137,7 @@ distribution.
-C
This flag is only allowed in combination with -B (bcrypt encryption). It sets the computing time used for the bcrypt algorithm - (higher is more secure but slower, default: 5, valid: 4 to 31).
+ (higher is more secure but slower, default: 5, valid: 4 to 17).
-d
Use crypt() encryption for passwords. This is not @@ -259,6 +259,11 @@ distribution.

Usernames are limited to 255 bytes and may not include the character :.

+ +

The cost of computing a bcrypt password hash value increases + with the number of rounds specified by the -C option. + The apr-util library enforces a maximum number of + rounds of 17 in version 1.6.0 and later.

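Review bot: the new paragraph ties the limit of 17 to apr-util 1.6.0 and later, while the -C entry earlier in the same file now reads "valid: 4 to 17" with no such qualification; the two statements should agree. Either qualify the -C entry (for example "4 to 31, capped at 17 by apr-util 1.6.0 and later") or say here what a build against an older apr-util does with a larger value. It would also help the reader to state why the cap exists: the bcrypt work factor doubles with every extra round, so a value of 31 costs about 2^14 times more per hash than 17, which matters on a server that verifies a password on every authenticated request.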
diff --git a/support/htpasswd.c b/support/htpasswd.c index 660a27c792..73b291d72c 100644 --- a/support/htpasswd.c +++ b/support/htpasswd.c @@ -111,7 +111,7 @@ static void usage(void) " -m Force MD5 encryption of the password (default)." NL " -B Force bcrypt encryption of the password (very secure)." NL " -C Set the computing time used for the bcrypt algorithm" NL - " (higher is more secure but slower, default: %d, valid: 4 to 31)." NL + " (higher is more secure but slower, default: %d, valid: 4 to 17)." NL " -d Force CRYPT encryption of the password (8 chars max, insecure)." NL " -s Force SHA encryption of the password (insecure)." NL " -p Do not encrypt the password (plaintext, insecure)." NL
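Review bot: this hunk only changes the help string; nothing in it rejects -C values from 18 to 31, so if the option parser elsewhere in htpasswd.c still checks against the old limit, a user passing -C 20 will get whatever error the hashing library produces instead of this usage message. Worth confirming that the parser's range check is updated to match, and that both the check and the "valid: 4 to %d" text are driven by one shared constant so they cannot drift apart again. The same unconditional "4 to 17" wording appears in the docs/manual/programs/htpasswd.xml hunk at @@ -137, while the note added later in that file says the cap applies only to apr-util 1.6.0 and later; the usage text and the documentation should state the same condition.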