Home / server / Questions / 241793
Accepted
Kzqai
Asked: 2011-03-02 09:55:13 +0800 CST

Php: How to enable blowfish hashing on a debian server

  • 772

I'm trying to make blowfish hashing available to php on a debian server.

Taken from the php manual on the crypt() function ( http://php.net/manual/en/function.crypt.php ), the following code checks for cryptographic functions...

<?php
echo("DES is " . CRYPT_STD_DES."<br>Extended DES is ".CRYPT_EXT_DES."<br>MD5 is ".CRYPT_MD5."<br>BlowFish is ".CRYPT_BLOWFISH."<br>");

if (CRYPT_STD_DES == 1) {
    echo 'Standard DES: ' . crypt('rasmuslerdorf', 'rl') . "<br>\n";
}
if (CRYPT_EXT_DES == 1) {
    echo 'Extended DES: ' . crypt('rasmuslerdorf', '_J9..rasm') . "<br>\n";
}
if (CRYPT_MD5 == 1) {
    echo 'MD5:          ' . crypt('rasmuslerdorf', '$1$rasmusle$') . "<br>\n";
}
if (CRYPT_BLOWFISH == 1) {
    echo 'Blowfish:     ' . crypt('rasmuslerdorf', '$2a$07$usesomesillystringforsalt$') . "<br>\n";
}
if (CRYPT_SHA256 == 1) {
    echo 'SHA-256:      ' . crypt('rasmuslerdorf', '$5$rounds=5000$usesomesillystringforsalt$') . "<br>\n";
}
if (CRYPT_SHA512 == 1) {
    echo 'SHA-512:      ' . crypt('rasmuslerdorf', '$6$rounds=5000$usesomesillystringforsalt$') . "<br>\n";
}

 echo "System salt size: ". CRYPT_SALT_LENGTH;
?>

The result on my server shows the following hashes as available:

testDES is 1 Extended DES is 0 MD5 is 1 BlowFish is 0 Standard DES: rl.3StKT.4T8M MD5: $1$rasmusle$rISCgZzpwk3UhDidwXvin0

Whereas on my local ubuntu machine I appear to have blowfish and the sha family available.

What do I need to install to get blowfish running in php on debian 5.0?

debian hash php5

1 Answers

  1. Best Answer

    $2a$ blowfish hashing isn't supported by glibc's crypt() function without patches. Presumably if you tracked down the patches other distributions are applying, you could rebuild your glibc with that patch. This site links to a patch for glibc 2.10.1, which you'll probably have to wrestle with to apply to lenny's glibc 2.7. If you're lucky PHP detects what crypt() can do at runtime, otherwise you might have to recompile PHP as well.

    According to PHP's crypt docs, as of php5.3, PHP has its own crypt() implementation that can handle hash algorithms not supported on the local system. You can get php 5.3 packages built for lenny (oldstable) from the php53 dotdeb repository.

    If you can't use 5.3, then the php5.2 in dotdeb's 5.2 oldstable repository might have a new enough hardening/suhosin patch to add CRYPT_BLOWFISH.

    • 2