function PhpassHashedPassword::check

Same name and namespace in other branches
  1. 8.9.x core/lib/Drupal/Core/Password/PhpassHashedPassword.php \Drupal\Core\Password\PhpassHashedPassword::check()

Overrides PasswordInterface::check

File

core/lib/Drupal/Core/Password/PhpassHashedPassword.php, line 223

Class

PhpassHashedPassword
Secure hashing functions based on Portable PHP password hashing framework.

Namespace

Drupal\Core\Password

Code

public function check($password, $hash) {
    if (substr($hash, 0, 2) == 'U$') {
        // This may be an updated password from user_update_7000(). Such hashes
        // have 'U' added as the first character and need an extra md5() (see the
        // Drupal 7 documentation).
        $stored_hash = substr($hash, 1);
        $password = md5($password);
    }
    else {
        $stored_hash = $hash;
    }
    $type = substr($stored_hash, 0, 3);
    switch ($type) {
        case '$S$':
            // A normal Drupal 7 password using sha512.
            $computed_hash = $this->crypt('sha512', $password, $stored_hash);
            break;
        case '$H$':
        // phpBB3 uses "$H$" for the same thing as "$P$".
        case '$P$':
            // A phpass password generated using md5.  This is an
            // imported password or from an earlier Drupal version.
            $computed_hash = $this->crypt('md5', $password, $stored_hash);
            break;
        default:
            return FALSE;
    }
    // Compare using hash_equals() instead of === to mitigate timing attacks.
    return $computed_hash && hash_equals($stored_hash, $computed_hash);
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.