Strengthen password hashing algorithm

lib/osm.rb

@@ -5,7 +5,6 @@ module OSM
   require 'rexml/parsers/sax2parser'
   require 'rexml/text'
   require 'xml/libxml'
-  require 'digest/md5'
 
   if defined?(SystemTimer)
     Timer = SystemTimer
@@ -569,12 +568,6 @@ module OSM
     return token
   end
 
-  # Return an encrypted version of a password
-  def self.encrypt_password(password, salt)
-    return Digest::MD5.hexdigest(password) if salt.nil?
-    return Digest::MD5.hexdigest(salt + password)
-  end
-
   # Return an SQL fragment to select a given area of the globe
   def self.sql_for_area(bbox, prefix = nil)
     tilesql = QuadTile.sql_for_area(bbox, prefix)

lib/password_hash.rb

@@ -0,0 +1,39 @@
+require "securerandom"
+require "openssl"
+require "base64"
+require "digest/md5"
+
+module PasswordHash
+  SALT_BYTE_SIZE = 32
+  HASH_BYTE_SIZE = 32
+  PBKDF2_ITERATIONS = 1000
+  DIGEST_ALGORITHM = "sha512"
+
+  def self.create(password)
+    salt = SecureRandom.base64(SALT_BYTE_SIZE)
+    hash = self.hash(password, salt, PBKDF2_ITERATIONS, HASH_BYTE_SIZE, DIGEST_ALGORITHM)
+    return hash, [DIGEST_ALGORITHM, PBKDF2_ITERATIONS, salt].join("!")
+  end
+
+  def self.check(hash, salt, candidate)
+    if salt.nil?
+      candidate = Digest::MD5.hexdigest(candidate)
+    elsif salt =~ /!/
+      algorithm, iterations, salt = salt.split("!")
+      size = Base64.strict_decode64(hash).length
+      candidate = self.hash(candidate, salt, iterations.to_i, size, algorithm)
+    else
+      candidate = Digest::MD5.hexdigest(salt + candidate)
+    end
+
+    return hash == candidate
+  end
+
+private
+
+  def self.hash(password, salt, iterations, size, algorithm)
+    digest = OpenSSL::Digest.new(algorithm)
+    pbkdf2 = OpenSSL::PKCS5::pbkdf2_hmac(password, salt, iterations, size, digest)
+    Base64.strict_encode64(pbkdf2)
+  end
+end