3

I'm trying to make blowfish hashing available to php on a debian server.

Taken from the php manual on the crypt() function ( http://php.net/manual/en/function.crypt.php ), the following code checks for cryptographic functions...

<?php
echo("DES is " . CRYPT_STD_DES."<br>Extended DES is ".CRYPT_EXT_DES."<br>MD5 is ".CRYPT_MD5."<br>BlowFish is ".CRYPT_BLOWFISH."<br>");

if (CRYPT_STD_DES == 1) {
    echo 'Standard DES: ' . crypt('rasmuslerdorf', 'rl') . "<br>\n";
}
if (CRYPT_EXT_DES == 1) {
    echo 'Extended DES: ' . crypt('rasmuslerdorf', '_J9..rasm') . "<br>\n";
}
if (CRYPT_MD5 == 1) {
    echo 'MD5:          ' . crypt('rasmuslerdorf', '$1$rasmusle$') . "<br>\n";
}
if (CRYPT_BLOWFISH == 1) {
    echo 'Blowfish:     ' . crypt('rasmuslerdorf', '$2a$07$usesomesillystringforsalt$') . "<br>\n";
}
if (CRYPT_SHA256 == 1) {
    echo 'SHA-256:      ' . crypt('rasmuslerdorf', '$5$rounds=5000$usesomesillystringforsalt$') . "<br>\n";
}
if (CRYPT_SHA512 == 1) {
    echo 'SHA-512:      ' . crypt('rasmuslerdorf', '$6$rounds=5000$usesomesillystringforsalt$') . "<br>\n";
}

 echo "System salt size: ". CRYPT_SALT_LENGTH;
?>

The result on my server shows the following hashes as available:

testDES is 1 Extended DES is 0 MD5 is 1 BlowFish is 0 Standard DES: rl.3StKT.4T8M MD5: $1$rasmusle$rISCgZzpwk3UhDidwXvin0

Whereas on my local ubuntu machine I appear to have blowfish and the sha family available.

What do I need to install to get blowfish running in php on debian 5.0?

Kzqai
  • 1,278
  • 4
  • 18
  • 32

1 Answers1

2

$2a$ blowfish hashing isn't supported by glibc's crypt() function without patches. Presumably if you tracked down the patches other distributions are applying, you could rebuild your glibc with that patch. This site links to a patch for glibc 2.10.1, which you'll probably have to wrestle with to apply to lenny's glibc 2.7. If you're lucky PHP detects what crypt() can do at runtime, otherwise you might have to recompile PHP as well.

According to PHP's crypt docs, as of php5.3, PHP has its own crypt() implementation that can handle hash algorithms not supported on the local system. You can get php 5.3 packages built for lenny (oldstable) from the php53 dotdeb repository.

If you can't use 5.3, then the php5.2 in dotdeb's 5.2 oldstable repository might have a new enough hardening/suhosin patch to add CRYPT_BLOWFISH.

DerfK
  • 19,493
  • 2
  • 38
  • 54
  • Sounds about right, I'll try the package upgrade. – Kzqai Mar 01 '11 at 21:23
  • Is this a solution that you've used yourself for password hashing? – Kzqai Mar 01 '11 at 21:27
  • @Tchalvak What, patching glibc? No, I upgraded to Debian squeeze (6.0). C'mon over to the new stable! Everything's new and shiny here, php5 supports CRYPT_BLOWFISH out of the box, and we have cake! :-) *(Not responsible for hair loss, swearing, and/or demonic possession caused by the upgrade process)* – DerfK Mar 01 '11 at 22:03
  • Hohoho. Mainly I was curious as to whether any php-native implementation of blowfish was fast, seems like a php implementation might suffer from speed issues. Maybe I'll upgrade on some weekend when I don't feel like going out at all. – Kzqai Mar 01 '11 at 22:35
  • @Tchalvak I'm *fairly* sure that PHP 5.3's internal implementation is written in whatever the rest of PHP is written in (C, I guess), not in actual PHP. As for speed though, CRYPT_BLOWFISH is designed to be slow(ish). The second parameter of the hash (eg the 07 in $2a$07$....) is the base-2 log of the number of times you loop through the process (so you have to run the entire calculation 2^7 times to get the right value) in order to slow down dictionary/brute force attacks. – DerfK Mar 01 '11 at 23:55
  • Yeah, I guess it'll just take some tuning of the process to get it to the sweet spot speed. – Kzqai Mar 02 '11 at 00:55
  • Turns out, as you mentioned, that the suhosin php-hardening patch adds native support for blowfish crypt. Since that sidesteps the need to upgrade to php5.3 (which is not yet supported by zend optimizer) I plan to persue that first. – Kzqai Mar 03 '11 at 04:07