[BUGFIX] Fix PHP warning on second call to reset password link

This patch fixes a PHP warning being logged to sys_log when clicking
the reset password link again after the password has been changed.

Resolves: #92960
Releases: 10.4, 9.5
Change-Id: I67fb11838a99a40c4f935541fc69f45806af1140
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/67308

Reviewed-by: Stephan Großberndt <stephan.grossberndt@typo3.org>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>

typo3/sysext/felogin/Classes/Controller/FrontendLoginController.php

@@ -341,13 +341,15 @@ class FrontendLoginController extends AbstractPlugin implements LoggerAwareInter
             $user = $this->pi_getRecord('fe_users', (int)$uid);
             $userHash = $user['felogin_forgotHash'];
             $compareHash = explode('|', $userHash);
-            if (strlen($compareHash[1]) === 40) {
+            if (!$compareHash || !$compareHash[1] || $compareHash[0] < time() || !hash_equals($compareHash[0], $hash[0])) {
+                $hashEquals = false;
+            } elseif (strlen($compareHash[1]) === 40) {
                 $hashEquals = hash_equals($compareHash[1], GeneralUtility::hmac((string)$hash[1]));
             } else {
                 // backward-compatibility for previous MD5 hashes
                 $hashEquals = hash_equals($compareHash[1], md5($hash[1]));
             }
-            if (!$compareHash || !$compareHash[1] || $compareHash[0] < time() || !hash_equals($compareHash[0], $hash[0]) || !$hashEquals) {
+            if (!$hashEquals) {
                 $markerArray['###STATUS_MESSAGE###'] = $this->getDisplayText(
                     'change_password_notvalid_message',
                     $this->conf['changePasswordNotValidMessage_stdWrap.']