Merge pull request #1393 from markstory/constant-time-login

Hash passwords even when users don't exist.

lib/Cake/Controller/Component/Auth/BaseAuthenticate.php

@@ -83,6 +83,9 @@ abstract class BaseAuthenticate {
  * conditions for Model::find('first'). If the $password param is not provided
  * the password field will be present in returned array.
  *
+ * Input passwords will be hashed even when a user doesn't exist. This
+ * helps mitigate timing attacks that are attempting to find valid usernames.
+ *
  * @param string|array $username The username/identifier, or an array of find conditions.
  * @param string $password The password, only used if $username param is string.
  * @return boolean|array Either false on failure, or an array of user data.
@@ -95,9 +98,6 @@ abstract class BaseAuthenticate {
 		if (is_array($username)) {
 			$conditions = $username;
 		} else {
-			if (!$password) {
-				return false;
-			}
 			$conditions = array(
 				$model . '.' . $fields['username'] => $username
 			);
@@ -113,6 +113,7 @@ abstract class BaseAuthenticate {
 			'contain' => $this->settings['contain'],
 		));
 		if (empty($result[$model])) {
+			$this->passwordHasher()->hash($password);
 			return false;
 		}
 

lib/Cake/Controller/Component/Auth/DigestAuthenticate.php

@@ -86,7 +86,8 @@ class DigestAuthenticate extends BasicAuthenticate {
 		'realm' => '',
 		'qop' => 'auth',
 		'nonce' => '',
-		'opaque' => ''
+		'opaque' => '',
+		'passwordHasher' => 'Simple',
 	);
 
 /**