[CORE] Add timing safe backwards compatible password_verify
authorDaniel Supernault <danielsupernault@gmail.com>
Mon, 12 Mar 2018 00:55:59 +0000 (18:55 -0600)
committerDiogo Cordeiro <diogo@fc.up.pt>
Sat, 3 Aug 2019 16:47:25 +0000 (17:47 +0100)
plugins/AuthCrypt/AuthCryptPlugin.php

index b213e0483c585085513a3cda7786a54d7737aa07..0f3e7a6f71e4c7c14308efeb618f0ae76f9d9815 100644 (file)
@@ -52,6 +52,13 @@ class AuthCryptPlugin extends AuthenticationPlugin
             return false;
         }
 
+        // Timing safe password verification on supported PHP versions
+        if (function_exists('password_verify')) {
+            if (password_verify($password, $user->password)) {
+                return $user;
+            }
+        }
+
         // crypt understands what the salt part of $user->password is
         if ($user->password === crypt($password, $user->password)) {
             return $user;
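Review bot: When `password_verify()` returns false, execution still falls through to the unchanged `$user->password === crypt($password, $user->password)` check, so every failed login is still decided by a non-constant-time string comparison and the timing-safe property covers only the success path. `password_verify()` already accepts crypt()-format hashes, so on PHP versions that have it the second check repeats the hashing work without adding a case. I would make the legacy comparison the fallback only, `} elseif ($user->password === crypt($password, $user->password)) {`, or keep it and compare with `hash_equals($user->password, crypt($password, $user->password))` where that function exists. The method starts and continues outside this hunk, so confirm that no later branch depends on reaching the crypt() check after a failed `password_verify()`.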