From ad51998d673bb76c7ab69bad92c212ebbaae7a22 Mon Sep 17 00:00:00 2001
From: Daniel Supernault
Date: Sun, 11 Mar 2018 18:55:59 -0600
Subject: [PATCH] [CORE] Add timing safe backwards compatible password_verify

---
 plugins/AuthCrypt/AuthCryptPlugin.php | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/plugins/AuthCrypt/AuthCryptPlugin.php b/plugins/AuthCrypt/AuthCryptPlugin.php
index b213e0483c..0f3e7a6f71 100644
--- a/plugins/AuthCrypt/AuthCryptPlugin.php
+++ b/plugins/AuthCrypt/AuthCryptPlugin.php
@@ -52,6 +52,13 @@ class AuthCryptPlugin extends AuthenticationPlugin
 return false;
 }
 
+ // Timing safe password verification on supported PHP versions
+ if (function_exists('password_verify')) {
+ if (password_verify($password, $user->password)) {
+ return $user;
+ }
+ }
+
 // crypt understands what the salt part of $user->password is
 if ($user->password === crypt($password, $user->password)) {
 return $user;
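Review bot: A failed `password_verify()` still falls through to the `$user->password === crypt($password, $user->password)` check below the added block, so every wrong-password attempt is still compared with the non-constant-time `===`. The timing-safe path therefore only covers successful logins. `password_verify()` is documented as compatible with `crypt()` hashes, so the crypt branch adds nothing when the function exists and could be kept only for older runtimes. One way is to replace the added block's closing `}` and the crypt `if` with `} elseif ($user->password === crypt($password, $user->password)) {`. The method body starts and ends outside the hunk, so whatever follows the crypt branch would need to stay reachable after that change.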