Bug #78516 password_hash(): Memory cost is outside of allowed memory range
Submitted: 2019-09-09 10:17 UTC Modified: 2019-09-09 17:15 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: patrick at heppler dot net Assigned: cmb
Status: Closed Package: hash related
PHP Version: 7.4.0RC1 OS: CentOS 7.6
Private report: No CVE-ID: None
 [2019-09-09 10:17 UTC] patrick at heppler dot net
Description:
------------
Using password_hash with PASSWORD_ARGON2I or PASSWORD_ARGON2ID and a memory_cost of less than 8192 throws: 
password_hash(): Memory cost is outside of allowed memory range

Test script:
---------------
<?php
// Both calls use a memory_cost just below 8192 (the value is in KiB)
password_hash('secret', PASSWORD_ARGON2ID, ['memory_cost' => 8191]);
password_hash('secret', PASSWORD_ARGON2I, ['memory_cost' => 8191]);

Expected result:
----------------
A hashed password

Actual result:
--------------
PHP Warning:  password_hash(): Memory cost is outside of allowed memory range

 [2019-09-09 10:23 UTC] requinix@php.net
-Status: Open +Status: Not a bug
 [2019-09-09 10:23 UTC] requinix@php.net
Argon2 requires a minimum of 8KB.
 [2019-09-09 16:11 UTC] patrick at heppler dot net
Okay, but with PHP 7.2.22 and PHP 7.3.9 I can use
password_hash('secret', PASSWORD_ARGON2I, ['memory_cost' => 1024]);
password_hash('secret', PASSWORD_ARGON2ID, ['memory_cost' => 1024]);
and it works. So I thought it's a bug.
 [2019-09-09 16:33 UTC] requinix@php.net
First a correction: memory_cost is KB, not bytes, so memory_cost=8191 ~ 8MB. So the minimum is memory_cost=8.

To be absolutely clear here, you're saying that this *exact* code
  password_hash('secret',PASSWORD_ARGON2ID,['memory_cost'=>8191]);
fails with that error (in PHP 7.4) while
  password_hash('secret',PASSWORD_ARGON2ID,['memory_cost'=>8192]);
does not?
 [2019-09-09 16:39 UTC] patrick at heppler dot net
Yes, exactly!

password_hash('secret',PASSWORD_ARGON2ID,['memory_cost'=>8191]);
Results in: 
password_hash(): Memory cost is outside of allowed memory range

While this works
password_hash('secret',PASSWORD_ARGON2ID,['memory_cost'=>8192]);

PHP is php74-php-cli-7.4.0~rc1-18.el7.remi.x86_64 on CentOS 7.6
 [2019-09-09 16:48 UTC] cmb@php.net
See <https://bugs.php.net/bug.php?id=78269#1562751980>.
OP uses libsodium.
 [2019-09-09 17:02 UTC] cmb@php.net
-Status: Not a bug +Status: Verified
 [2019-09-09 17:02 UTC] cmb@php.net
Actually confirmed.  In my opinion, the options should have the
same meaning, regardless of whether libargon or libsodium is used.
 [2019-09-09 17:04 UTC] patrick at heppler dot net
Ok, now it's clear.
In PHP 7.2 and 7.3 memory_cost=8192 will end up in 8MB, while on PHP 7.4 it gets 8KB, right?
 [2019-09-09 17:15 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 [2019-09-09 17:15 UTC] cmb@php.net
> […], while on PHP 7.4 it gets 8KB, right?

Just seen that it's always 8MB[1]; only the check[2] doesn't yet
cater to that.

[1] <https://github.com/php/php-src/blob/php-7.4.0RC1/ext/sodium/sodium_pwhash.c#L76>
[2] <https://github.com/php/php-src/blob/php-7.4.0RC1/ext/sodium/sodium_pwhash.c#L57>
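As an added diagnostic (not code from this report or from php-src): a PHP script that probes a few memory_cost values, captures the warning instead of printing it, and reads the m= parameter back out of the encoded hash, which shows directly whether the build treats the option as KiB and where its lower bound sits. It assumes PASSWORD_ARGON2ID is defined in the build and that PHP 8 raises ValueError where 7.4 emitted a warning.

```php
<?php
// Added example, not part of the bug report: probe which Argon2id memory_cost
// values this PHP build accepts and confirm the unit by parsing the hash.
declare(strict_types=1);

if (!defined('PASSWORD_ARGON2ID')) {
    exit("This PHP build has no Argon2id support\n");
}

function argon2_memory_probe(int $memoryCostKiB): array
{
    $error = null;
    // PHP 7.4 emits E_WARNING and returns false when the cost is rejected;
    // capture the message rather than letting it reach the output.
    set_error_handler(static function (int $errno, string $errstr) use (&$error): bool {
        $error = $errstr;
        return true;
    });
    try {
        $hash = password_hash('secret', PASSWORD_ARGON2ID, ['memory_cost' => $memoryCostKiB]);
    } catch (ValueError $e) { // assumption: PHP 8 throws instead of warning
        $error = $e->getMessage();
        $hash = false;
    } finally {
        restore_error_handler();
    }
    if (!is_string($hash)) {
        return ['accepted' => false, 'm_kib' => null, 'verifies' => false, 'error' => $error];
    }
    // Encoded form: $argon2id$v=19$m=<KiB>,t=<iterations>,p=<threads>$<salt>$<digest>
    if (!preg_match('/\$m=(\d+),t=\d+,p=\d+\$/', $hash, $mm)) {
        return ['accepted' => true, 'm_kib' => null, 'verifies' => false, 'error' => 'unexpected hash format'];
    }
    return [
        'accepted' => true,
        'm_kib'    => (int) $mm[1],           // memory actually used, in KiB
        'verifies' => password_verify('secret', $hash),
        'error'    => null,
    ];
}

// 8 is the Argon2 minimum in KiB; 8191/8192 straddle the check discussed above.
foreach ([8, 1024, 8191, 8192] as $kib) {
    $r = argon2_memory_probe($kib);
    printf("memory_cost=%-5d accepted=%-5s m=%-5s verifies=%-5s %s\n",
        $kib, var_export($r['accepted'], true), $r['m_kib'] ?? '-',
        var_export($r['verifies'], true), $r['error'] ?? '');
}
```

On an affected 7.4.0RC1 build with libsodium the rows below 8192 report the warning from this report while 8192 reports m=8192; a fixed build accepts everything down to 8 and the m= value always equals the memory_cost passed in.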
 [2019-09-10 09:39 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #78516: password_hash(): Memory cost is outside of allowed memory…
On GitHub:  https://github.com/php/php-src/pull/4695
Patch:      https://github.com/php/php-src/pull/4695.patch
 [2019-09-16 12:59 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=145ffd93fcac5fc04ae50464a34bc5e14fccc203
Log: Fix #78516: password_hash(): Memory cost is not in allowed range
 [2019-09-16 12:59 UTC] cmb@php.net
-Status: Verified +Status: Closed
Last updated: Mon Dec 09 04:01:25 2019 UTC