Open mhenry07 opened 6 years ago
The documentation appears to be inconsistent with the source, and therefore it appears Apache's implementation of bcrypt does not currently support work factor/cost greater than 17. Therefore this issue won't be fixed for this Docker image without an upstream fix.
_crypt_gensalt_blowfish_rn
in crypt_blowfish.c has a condition which returns an error if count > 17
.
mkrecord
in htpasswd.c callsmkhash
in passwd_common.c callsapr_bcrypt_encode
in apr_passwd.c calls_crypt_gensalt_blowfish_rn
in crypt_blowfish.cApache bug report: https://bz.apache.org/bugzilla/show_bug.cgi?id=62078
Steps to reproduce:
htpasswd
with a work factor of 18 or higherdocker run --rm mhenry07/apache2-utils htpasswd -nbB -C 18 test password
Error message:
However, the following works with no problem (work factor of 4 to 17):
docker run --rm mhenry07/apache2-utils htpasswd -nbB -C 17 test password
The htpasswd documentation claims that it supports work factors between 4 and 31, so it should support 18 to 31, but it's failing for some reason.