From 5f0d22145298485b5238851b6ce448dd90611c3e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20D=C3=BCsterhus?=
Date: Thu, 5 Oct 2023 20:11:58 +0200
Subject: [PATCH] password_hash: Increase PHP_PASSWORD_BCRYPT_COST to 12

RFC: https://wiki.php.net/rfc/bcrypt_cost_2023
---
 NEWS | 1 +
 UPGRADING | 4 ++++
 ext/standard/php_password.h | 2 +-
 ext/standard/tests/password/password_hash.phpt | 8 +++++---
 .../tests/password/password_removed_salt_option.phpt | 2 ++
 5 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/NEWS b/NEWS
index 49bd2b22d13cf..1d6a43deeb7dc 100644
--- a/NEWS
+++ b/NEWS
@@ -25,6 +25,7 @@ Standard:
 . Partly fix GH-12143 (Incorrect round() result for 0.49999999999999994).
 (timwolla)
 . Fix GH-12252 (round(): Validate the rounding mode). (timwolla)
+ . Increase the default BCrypt cost to 12. (timwolla)
 
 XSL:
 . Implement request #64137 (XSLTProcessor::setParameter() should allow both
diff --git a/UPGRADING b/UPGRADING
index d8327ed933488..1f8e7ad3aa73e 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -80,6 +80,10 @@ PHP 8.4 UPGRADE NOTES
 would have resulted in 1.0 instead of the correct result 0.0. Additional
 inputs might also be affected and result in different outputs compared to
 earlier PHP versions.
+ . The default value of the 'cost' option for PASSWORD_BCRYPT for password_hash()
+ has been increased from '10' to '12'.
+
+ RFC: https://wiki.php.net/rfc/bcrypt_cost_2023
 
 ========================================
 6. New Functions
diff --git a/ext/standard/php_password.h b/ext/standard/php_password.h
index 50f330d3d6ce8..aa74b1a58f0dd 100644
--- a/ext/standard/php_password.h
+++ b/ext/standard/php_password.h
@@ -22,7 +22,7 @@ PHP_MINIT_FUNCTION(password);
 PHP_MSHUTDOWN_FUNCTION(password);
 
 #define PHP_PASSWORD_DEFAULT PHP_PASSWORD_BCRYPT
-#define PHP_PASSWORD_BCRYPT_COST 10
+#define PHP_PASSWORD_BCRYPT_COST 12
 
 #ifdef HAVE_ARGON2LIB
 /**
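Review bot: The new value on the `+#define PHP_PASSWORD_BCRYPT_COST 12` line is a bare number with no comment recording what it controls or why it changed; the rationale and the RFC link live only in the commit message and UPGRADING, which a reader of the header will not see. A one-line comment above the define, `/* Default bcrypt cost parameter (work factor, 2^cost key-expansion rounds); raised from 10 to 12, see https://wiki.php.net/rfc/bcrypt_cost_2023 */`, keeps the security rationale next to the constant so a later "tune it back down" edit has to argue against it. The header continues past the hunk (the `HAVE_ARGON2LIB` block is cut off), so any companion Argon2 defaults were not visible for comparison.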
diff --git a/ext/standard/tests/password/password_hash.phpt b/ext/standard/tests/password/password_hash.phpt
index 2ddfda32d1b02..6eb786887ba72 100644
--- a/ext/standard/tests/password/password_hash.phpt
+++ b/ext/standard/tests/password/password_hash.phpt
@@ -1,10 +1,12 @@
 --TEST--
 Test normal operation of password_hash()
+--SKIPIF--
+
 --FILE--
---EXPECT--
-int(60)
+--EXPECTF--
+string(60) "$2y$12$%s"
 bool(true)
 bool(true)
 bool(true)
diff --git a/ext/standard/tests/password/password_removed_salt_option.phpt b/ext/standard/tests/password/password_removed_salt_option.phpt
index da7cb22d1c543..f802e162e3ea1 100644
--- a/ext/standard/tests/password/password_removed_salt_option.phpt
+++ b/ext/standard/tests/password/password_removed_salt_option.phpt
@@ -1,5 +1,7 @@
 --TEST--
 Test removed support for explicit salt option
+--SKIPIF--
+
 --FILE--