From 42a85fc5d95c0c5e867cafcca8ebfca9d90e6c88 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20D=C3=BCsterhus?=
Date: Fri, 6 Oct 2023 14:27:01 +0200
Subject: [PATCH] password_hash: Increase PHP_PASSWORD_BCRYPT_COST to 12 (#12367)

RFC: https://wiki.php.net/rfc/bcrypt_cost_2023
---
 NEWS | 1 +
 UPGRADING | 4 ++++
 ext/standard/php_password.h | 2 +-
 ext/standard/tests/password/password_hash.phpt | 8 +++++---
 .../tests/password/password_removed_salt_option.phpt | 2 ++
 5 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/NEWS b/NEWS
index 49bd2b22d13..1d6a43deeb7 100644
--- a/NEWS
+++ b/NEWS
@@ -25,6 +25,7 @@ Standard:
 . Partly fix GH-12143 (Incorrect round() result for 0.49999999999999994).
 (timwolla)
 . Fix GH-12252 (round(): Validate the rounding mode). (timwolla)
+ . Increase the default BCrypt cost to 12. (timwolla)

 XSL:
 . Implement request #64137 (XSLTProcessor::setParameter() should allow both
diff --git a/UPGRADING b/UPGRADING
index d8327ed9334..1f8e7ad3aa7 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -80,6 +80,10 @@ PHP 8.4 UPGRADE NOTES
 would have resulted in 1.0 instead of the correct result 0.0. Additional inputs might also be affected and result in different outputs compared to earlier PHP versions.
+ . The default value of the 'cost' option for PASSWORD_BCRYPT for password_hash()
+ has been increased from '10' to '12'.
+
+ RFC: https://wiki.php.net/rfc/bcrypt_cost_2023

 ========================================
 6. New Functions
diff --git a/ext/standard/php_password.h b/ext/standard/php_password.h
index 50f330d3d6c..aa74b1a58f0 100644
--- a/ext/standard/php_password.h
+++ b/ext/standard/php_password.h
@@ -22,7 +22,7 @@ PHP_MINIT_FUNCTION(password);
 PHP_MSHUTDOWN_FUNCTION(password);

 #define PHP_PASSWORD_DEFAULT PHP_PASSWORD_BCRYPT
-#define PHP_PASSWORD_BCRYPT_COST 10
+#define PHP_PASSWORD_BCRYPT_COST 12

 #ifdef HAVE_ARGON2LIB
 /**
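Review bot: `PHP_PASSWORD_BCRYPT_COST` in the php_password.h hunk is still a bare `#define` with nothing tying the new value to its rationale, so a reader of the header only sees that `12` replaced `10`; a one-line comment above the define would carry the reference with the constant, e.g. `/* Default bcrypt cost for password_hash(); raised from 10 per https://wiki.php.net/rfc/bcrypt_cost_2023 */`. Because this macro is the default for every caller that omits the 'cost' option, the bump presumably also changes what `password_needs_rehash()` reports for hashes stored at cost 10, if that function compares against the same default (its code is outside this diff); that is the intended migration path, and it is worth a sentence in the UPGRADING entry next to the cost change. Any other place that states the default, such as the manual page for password_hash(), should be checked for a stale `10`. The `/**` comment opened on the hunk's last line continues outside it.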
diff --git a/ext/standard/tests/password/password_hash.phpt b/ext/standard/tests/password/password_hash.phpt
index 2ddfda32d1b..6eb786887ba 100644
--- a/ext/standard/tests/password/password_hash.phpt
+++ b/ext/standard/tests/password/password_hash.phpt
@@ -1,10 +1,12 @@
 --TEST--
 Test normal operation of password_hash()
+--SKIPIF--
+
 --FILE--
---EXPECT--
-int(60)
+--EXPECTF--
+string(60) "$2y$12$%s"
 bool(true)
 bool(true)
 bool(true)
diff --git a/ext/standard/tests/password/password_removed_salt_option.phpt b/ext/standard/tests/password/password_removed_salt_option.phpt
index da7cb22d1c5..f802e162e3e 100644
--- a/ext/standard/tests/password/password_removed_salt_option.phpt
+++ b/ext/standard/tests/password/password_removed_salt_option.phpt
@@ -1,5 +1,7 @@
 --TEST--
 Test removed support for explicit salt option
+--SKIPIF--
+
 --FILE--
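Review bot: The new `--EXPECTF--` in password_hash.phpt pins the default by matching the literal `$2y$12$` prefix, which is the right check for this commit, but nothing changed here pins the other user-visible consequence of the bump: `password_needs_rehash()` on an existing cost-10 hash with default options should now report `true`, which is what lets applications re-hash stored passwords on the next successful verification. If that function compares against the same default (its implementation is outside this diff), a line such as `var_dump(password_needs_rehash(password_hash("foo", PASSWORD_BCRYPT, ["cost" => 10]), PASSWORD_BCRYPT));` with an expected `bool(true)` would lock that behavior in. The `--SKIPIF--` and `--FILE--` bodies are not visible on this page, so their contents could not be reviewed.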