From 142a397e9daa5b7789664bbeb07d351e691b89c6 Mon Sep 17 00:00:00 2001
From: Dmytro Novash
Date: Mon, 16 Sep 2024 17:05:10 +0300
Subject: [PATCH] mitigate timing attacks

---
 src/htpasswd.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/htpasswd.php b/src/htpasswd.php
index a6602f3..3f62f38 100644
--- a/src/htpasswd.php
+++ b/src/htpasswd.php
@@ -52,9 +52,9 @@ class Htpasswd {
 $apr1 = new APR1_MD5();
 return $apr1->check($pass, $hash);
 } elseif (substr($hash, 0, 5) == '{SHA}') {
- return base64_encode(sha1($pass, true)) == substr($hash, 5);
+ return hash_equals(substr($hash, 5), base64_encode(sha1($pass, true)));
 } else { // assume CRYPT
- return crypt($pass, $hash) == $hash;
+ return hash_equals($hash, crypt($pass, $hash));
 }
 }
 }
@@ -133,6 +133,6 @@ class APR1_MD5 {
 public static function check($plain, $hash) {
 $parts = explode('$', $hash);
- return self::hash($plain, $parts[2]) === $hash;
+ return hash_equals($hash, self::hash($plain, $parts[2]));
 }
 }
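Review bot: The crypt branch now depends on crypt() returning a string for every stored value, malformed ones included, and that assumption deserves a comment so nobody later swaps in a comparison that throws instead of failing closed. On an unrecognised or truncated salt crypt() returns a short failure string ("*0" or "*1") that never equals the salt, so hash_equals() simply returns false; the new line could carry `// crypt() yields a short "*0"/"*1" string on a bad salt; hash_equals() then fails closed`. Moving from `==` to hash_equals() also makes both the {SHA} and crypt compares byte-exact rather than loose, which is a (welcome) behaviour change beyond timing and is worth a sentence in the commit message. The enclosing method starts outside the hunk, and its unchanged `elseif (substr($hash, 0, 5) == '{SHA}')` dispatch still uses loose `==` — harmless for a literal prefix, but it reads inconsistently next to the strict compares introduced here.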
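Review bot: APR1_MD5::check() still indexes `$parts[2]` without confirming that explode() produced a salt, so a malformed or non-APR1 value reaching this public static method raises an undefined-offset warning and hashes with a null salt before hash_equals() ever runs; the commit tightens the comparison but not the parse. Guarding the shape first keeps the constant-time compare on well-formed `$apr1$salt$digest` input only: `if (count($parts) < 4 || $parts[1] !== 'apr1') { return false; }` placed ahead of the return. The dispatch visible in the first hunk appears to route only APR1 hashes here, but check() is public and can be called directly, so the guard belongs in this method. hash_equals() also throws a TypeError if self::hash() ever returns something other than a string — presumably it always does, but that function is outside the hunk.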