Bug #78516 password_hash(): Memory cost is outside of allowed memory range
Submitted: 2019-09-09 10:17 UTC Modified: 2019-09-09 17:15 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: patrick at heppler dot net Assigned: cmb (profile)
Status: Closed Package: hash related
PHP Version: 7.4.0RC1 OS: CentOS 7.6
Private report: No CVE-ID: None

 

 [2019-09-09 10:17 UTC] patrick at heppler dot net
Description:
------------
Using password_hash with PASSWORD_ARGON2I or PASSWORD_ARGON2ID and a memory_cost of less than 8192 throws: 
password_hash(): Memory cost is outside of allowed memory range

Test script:
---------------
password_hash('secret',PASSWORD_ARGON2ID,['memory_cost'=>8191]);
password_hash('secret',PASSWORD_ARGON2I,['memory_cost'=>8191]);

Expected result:
----------------
A hashed password

Actual result:
--------------
PHP Warning:  password_hash(): Memory cost is outside of allowed memory range

History

 [2019-09-09 10:23 UTC] requinix@php.net
-Status: Open +Status: Not a bug
 [2019-09-09 10:23 UTC] requinix@php.net
Argon2 requires a minimum of 8KB.
 [2019-09-09 16:11 UTC] patrick at heppler dot net
Okay, but with PHP 7.2.22 and PHP 7.3.9 I can use
password_hash('secret',PASSWORD_ARGON2I,['memory_cost'=>1024]);
password_hash('secret',PASSWORD_ARGON2ID,['memory_cost'=>1024]);
and it works. So I thought it's a bug.
 [2019-09-09 16:33 UTC] requinix@php.net
First a correction: memory_cost is KB, not bytes, so memory_cost=8191 ~ 8MB. So the minimum is memory_cost=8.

To be absolutely clear here, you're saying that this *exact* code
  password_hash('secret',PASSWORD_ARGON2ID,['memory_cost'=>8191]);
fails with that error (in PHP 7.4) while
  password_hash('secret',PASSWORD_ARGON2ID,['memory_cost'=>8192]);
does not?
 [2019-09-09 16:39 UTC] patrick at heppler dot net
Yes, exactly!

password_hash('secret',PASSWORD_ARGON2ID,['memory_cost'=>8191]);
Results in: 
password_hash(): Memory cost is outside of allowed memory range

While this works
password_hash('secret',PASSWORD_ARGON2ID,['memory_cost'=>8192]);

PHP is php74-php-cli-7.4.0~rc1-18.el7.remi.x86_64 on CentOS 7.6
 [2019-09-09 16:48 UTC] cmb@php.net
See <https://bugs.php.net/bug.php?id=78269#1562751980>.
OP uses libsodium.
 [2019-09-09 17:02 UTC] cmb@php.net
-Status: Not a bug +Status: Verified
 [2019-09-09 17:02 UTC] cmb@php.net
Actually confirmed.  In my opinion, the options should have the
same meaning, regardless of whether libargon or libsodium is used.
 [2019-09-09 17:04 UTC] patrick at heppler dot net
Ok, now it's clear.
In PHP 7.2 and 7.3 memory_cost=8192 will end up in 8MB, while on PHP 7.4 it gets 8KB, right?
 [2019-09-09 17:15 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 [2019-09-09 17:15 UTC] cmb@php.net
> […], while on PHP 7.4 it gets 8KB, right?

Just seen that it's always 8MB[1]; only the check[2] doesn't yet
cater to that.

[1] <https://github.com/php/php-src/blob/php-7.4.0RC1/ext/sodium/sodium_pwhash.c#L76>
[2] <https://github.com/php/php-src/blob/php-7.4.0RC1/ext/sodium/sodium_pwhash.c#L57>
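Added example, not part of the thread and not php-src code: a small C model of the unit mismatch described in the comment above, where memory_cost is given in KiB but the range check compares it against bounds expressed in bytes. The function and macro names and the upper bound are assumptions made for this illustration; the 8 KiB minimum is the one stated in the thread.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed bounds for this model, in BYTES (names are hypothetical). */
#define MEM_MIN_BYTES ((uint64_t)8 * 1024)               /* 8 KiB minimum, per the thread */
#define MEM_MAX_BYTES ((uint64_t)4 * 1024 * 1024 * 1024) /* assumed upper bound */

/* Mismatched check: memory_cost is in KiB but is compared against the
 * byte minimum, so every value below 8192 is rejected. */
static bool check_mismatched(int64_t cost_kib)
{
    if (cost_kib < 0) return false;
    return (uint64_t)cost_kib >= MEM_MIN_BYTES
        && (uint64_t)cost_kib <= (MEM_MAX_BYTES >> 10);
}

/* Consistent check: scale the byte bounds down to KiB before comparing.
 * Shifting the bounds (instead of multiplying the input) cannot overflow. */
static bool check_consistent(int64_t cost_kib)
{
    if (cost_kib < 0) return false;
    return (uint64_t)cost_kib >= (MEM_MIN_BYTES >> 10)
        && (uint64_t)cost_kib <= (MEM_MAX_BYTES >> 10);
}

/* Bytes requested from the hashing backend once a value passes the check. */
static uint64_t cost_to_bytes(int64_t cost_kib)
{
    return (uint64_t)cost_kib << 10;
}

int main(void)
{
    const int64_t samples[] = { 7, 8, 1024, 8191, 8192 }; /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int64_t c = samples[i];
        printf("memory_cost=%lld (%llu bytes): mismatched=%s consistent=%s\n",
               (long long)c, (unsigned long long)cost_to_bytes(c),
               check_mismatched(c) ? "ok" : "rejected",
               check_consistent(c) ? "ok" : "rejected");
    }
    return 0;
}
```

With the mismatched check, 8191 is rejected and 8192 is accepted, which matches the behaviour reported in this bug; with consistent units, 1024 is accepted again and only values below 8 are rejected at the low end.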
 [2019-09-10 09:39 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #78516: password_hash(): Memory cost is outside of allowed memory…
On GitHub:  https://github.com/php/php-src/pull/4695
Patch:      https://github.com/php/php-src/pull/4695.patch
 [2019-09-16 12:59 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=145ffd93fcac5fc04ae50464a34bc5e14fccc203
Log: Fix #78516: password_hash(): Memory cost is not in allowed range
 [2019-09-16 12:59 UTC] cmb@php.net
-Status: Verified +Status: Closed
 