- Standard:
. Fixed bug #78241 (touch() does not handle dates after 2038 in PHP 64-bit).
(cmb)
+ . Fixed bug #78269 (password_hash uses weak options for argon2). (Remi)
27 Jun 2019, PHP 7.2.20
#define PHP_PASSWORD_BCRYPT_COST 10
#if HAVE_ARGON2LIB
-#define PHP_PASSWORD_ARGON2_MEMORY_COST 1<<10
-#define PHP_PASSWORD_ARGON2_TIME_COST 2
-#define PHP_PASSWORD_ARGON2_THREADS 2
+#define PHP_PASSWORD_ARGON2_MEMORY_COST (64 << 10)
+#define PHP_PASSWORD_ARGON2_TIME_COST 4
+#define PHP_PASSWORD_ARGON2_THREADS 1
#endif
typedef enum {
$hash = password_hash('test', PASSWORD_ARGON2I);
var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['memory_cost' => 1<<17]));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['time_cost' => 4]));
-var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['threads' => 4]));
+var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['memory_cost' => PASSWORD_ARGON2_DEFAULT_MEMORY_COST * 2]));
+var_dump(password_needs_rehash($hash, PASSWORD_ARGON2I, ['time_cost' => PASSWORD_ARGON2_DEFAULT_TIME_COST +1]));
echo "OK!";
?>
--EXPECT--
bool(false)
bool(true)
bool(true)
-bool(true)
OK!