password_hash: Increase PHP_PASSWORD_BCRYPT_COST to 12 (#12367)

RFC: https://wiki.php.net/rfc/bcrypt_cost_2023

NEWS

@@ -25,6 +25,7 @@ Standard:
   . Partly fix GH-12143 (Incorrect round() result for 0.49999999999999994).
     (timwolla)
   . Fix GH-12252 (round(): Validate the rounding mode). (timwolla)
+  . Increase the default BCrypt cost to 12. (timwolla)
 
 XSL:
   . Implement request #64137 (XSLTProcessor::setParameter() should allow both

UPGRADING

@@ -80,6 +80,10 @@ PHP 8.4 UPGRADE NOTES
     would have resulted in 1.0 instead of the correct result 0.0. Additional
     inputs might also be affected and result in different outputs compared to
     earlier PHP versions.
+  . The default value of the 'cost' option for PASSWORD_BCRYPT for password_hash()
+    has been increased from '10' to '12'.
+
+    RFC: https://wiki.php.net/rfc/bcrypt_cost_2023
 
 ========================================
 6. New Functions

ext/standard/php_password.h

@@ -22,7 +22,7 @@ PHP_MINIT_FUNCTION(password);
 PHP_MSHUTDOWN_FUNCTION(password);
 
 #define PHP_PASSWORD_DEFAULT    PHP_PASSWORD_BCRYPT
-#define PHP_PASSWORD_BCRYPT_COST 10
+#define PHP_PASSWORD_BCRYPT_COST 12
 
 #ifdef HAVE_ARGON2LIB
 /**

ext/standard/tests/password/password_hash.phpt

@@ -1,10 +1,12 @@
 --TEST--
 Test normal operation of password_hash()
+--SKIPIF--
+<?php if (getenv("SKIP_SLOW_TESTS")) die("skip slow test"); ?>
 --FILE--
 <?php
 //-=-=-=-
 
-var_dump(strlen(password_hash("foo", PASSWORD_BCRYPT)));
+var_dump(password_hash("foo", PASSWORD_BCRYPT));
 
 $algos = [
   PASSWORD_BCRYPT,
@@ -19,8 +21,8 @@ foreach ($algos as $algo) {
 
 echo "OK!";
 ?>
---EXPECT--
-int(60)
+--EXPECTF--
+string(60) "$2y$12$%s"
 bool(true)
 bool(true)
 bool(true)

ext/standard/tests/password/password_removed_salt_option.phpt

@@ -1,5 +1,7 @@
 --TEST--
 Test removed support for explicit salt option
+--SKIPIF--
+<?php if (getenv("SKIP_SLOW_TESTS")) die("skip slow test"); ?>
 --FILE--
 <?php
 //-=-=-=-