From 457cf7748bb42de9bb6f769b1bed8fd20fc6e088 Mon Sep 17 00:00:00 2001 From: Joe Orton Date: Fri, 9 Aug 2019 13:25:20 +0000 Subject: [PATCH] Merge r1846254 from trunk (under "documentation" RTC exception): * support/htpasswd.c (usage): Fix bcrypt round maximum. * docs/manual/programs/htpasswd.xml: Document that bcrypt rounds are capped at 17. PR: 62078 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1864798 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/programs/htpasswd.xml | 7 ++++++- support/htpasswd.c | 2 +- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/docs/manual/programs/htpasswd.xml b/docs/manual/programs/htpasswd.xml index 7f0f8350545..e148a17d357 100644 --- a/docs/manual/programs/htpasswd.xml +++ b/docs/manual/programs/htpasswd.xml @@ -137,7 +137,7 @@ distribution.
-C
This flag is only allowed in combination with -B (bcrypt encryption). It sets the computing time used for the bcrypt algorithm - (higher is more secure but slower, default: 5, valid: 4 to 31).
+ (higher is more secure but slower, default: 5, valid: 4 to 17).
-d
Use crypt() encryption for passwords. This is not @@ -259,6 +259,11 @@ distribution.

Usernames are limited to 255 bytes and may not include the character :.

+ +

The cost of computing a bcrypt password hash value increases + with the number of rounds specified by the -C option. + The apr-util library enforces a maximum number of + rounds of 17 in version 1.6.0 and later.

diff --git a/support/htpasswd.c b/support/htpasswd.c index 660a27c7927..73b291d72c1 100644 --- a/support/htpasswd.c +++ b/support/htpasswd.c @@ -111,7 +111,7 @@ static void usage(void) " -m Force MD5 encryption of the password (default)." NL " -B Force bcrypt encryption of the password (very secure)." NL " -C Set the computing time used for the bcrypt algorithm" NL - " (higher is more secure but slower, default: %d, valid: 4 to 31)." NL + " (higher is more secure but slower, default: %d, valid: 4 to 17)." NL " -d Force CRYPT encryption of the password (8 chars max, insecure)." NL " -s Force SHA encryption of the password (insecure)." NL " -p Do not encrypt the password (plaintext, insecure)." NL -- 2.47.3
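Review bot: in the first htpasswd.xml hunk (the -C flag description) the range "valid: 4 to 17" is stated unconditionally, while the paragraph added further down in the same file says the 17 cap is enforced by apr-util "in version 1.6.0 and later". A reader on an older apr-util will see a limit that does not apply to their build; consider wording it as "4 to 17 (see the note on apr-util versions below)" or otherwise tying the flag text to the version-dependent note so the two statements cannot drift apart.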
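Review bot: the second htpasswd.xml hunk (the new paragraph on bcrypt cost) documents that apr-util caps rounds at 17 but not what htpasswd does when -C is given a larger value, which is the question a user hitting the cap will actually have. One sentence stating the observable behaviour (whether the value is rejected with an error or silently reduced) would make the note actionable; the patch as shown does not let a reader infer which it is.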
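Review bot: the htpasswd.c hunk changes only the usage() string ("valid: 4 to 17"); no change to the code that parses and range-checks the -C argument is part of this patch. Please confirm the option-parsing check agrees with the new text, otherwise the help output and the accepted range diverge, which is exactly the mismatch PR 62078 reports. Since the default is already printed via %d, the maximum could likewise come from a named constant rather than a literal 17 embedded in the string, so the two cannot go stale independently.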