From 48e236ffc05125bdbbb82b6e5d2c2b57832051a6 Mon Sep 17 00:00:00 2001
From: David Goodwin
Date: Sat, 14 Mar 2020 22:04:54 +0000
Subject: [PATCH] use hash_equals for login - see: https://github.com/postfixadmin/postfixadmin/issues/58

---
 model/PFAHandler.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/model/PFAHandler.php b/model/PFAHandler.php
index c85b110d..5303f240 100644
--- a/model/PFAHandler.php
+++ b/model/PFAHandler.php
@@ -840,11 +840,11 @@ abstract class PFAHandler {
 $crypt_password = pacrypt($password, $row['password']);
- if ($row['password'] == $crypt_password) {
- return true;
- }
+ return hash_equals($row['password'], $crypt_password);
 }
- return false;
+ // try and be near constant time regardless of whether the db user exists or not
+ $x = pacrypt('abc', 'def');
+ return hash_equals('not', 'comparable');
 }
 /**
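Review bot: The dummy comparison `hash_equals('not', 'comparable')` on the last added line does no timing work at all, since hash_equals returns immediately when the two lengths differ, so the only equalising cost on the user-not-found path is the `pacrypt('abc', 'def')` call whose `$x` result is never used. Whether that call exercises the same hashing scheme and cost as `pacrypt($password, $row['password'])` depends on how pacrypt chooses the algorithm from its second argument, which the hunk does not show; if it dispatches on the stored hash's format, `'def'` probably takes a different and cheaper path and the two branches stay distinguishable. Consider either deriving the dummy hash from the same configured scheme as a real stored value, or replacing the two lines with a comment that states the limitation plus a plain `return false;`, and drop the unused `$x` in either case. On the found-user branch, `hash_equals` requires two strings and throws a TypeError on PHP 8 if `$row['password']` is null or pacrypt returns a non-string, so a guard such as `if (!is_string($row['password'])) { return false; }` is worth adding if a NULL password column is possible. The enclosing login method begins before this hunk.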