function PhpassHashedPasswordBase::check

Same name in other branches
  1. 11.x core/lib/Drupal/Core/Password/PhpassHashedPasswordBase.php \Drupal\Core\Password\PhpassHashedPasswordBase::check()

File

core/lib/Drupal/Core/Password/PhpassHashedPasswordBase.php, line 262

Class

PhpassHashedPasswordBase
Legacy password hashing framework.

Namespace

Drupal\Core\Password

Code

/**
 * Checks a plain-text password against a stored legacy (phpass-style) hash.
 *
 * The verification scheme is chosen from the first three characters of the
 * stored hash:
 * - '$S$': Drupal 7 hash using sha512.
 * - '$P$' or '$H$': phpass hash using md5 ('$H$' is the phpBB3 spelling).
 * - Anything else: handed to $this->corePassword when that property is set,
 *   otherwise rejected.
 * A leading 'U' (as in 'U$S$...') marks a hash rewritten by
 * user_update_7000(); it is verified against md5($password) instead of the
 * raw password.
 *
 * @param string $password
 *   The plain-text password to verify.
 * @param string|null $hash
 *   The stored hash. NULL and '' never match any password.
 *
 * @return bool
 *   TRUE when the password matches the stored hash, FALSE otherwise. For an
 *   unrecognised prefix this is whatever $this->corePassword->check() returns.
 */
public function check($password, $hash) {
    // An account without a stored hash (e.g. one that was just created) must
    // fail closed: no password, including the empty string, is accepted.
    if ($hash === NULL || $hash === '') {
        return FALSE;
    }

    // Hashes rewritten by user_update_7000() carry an extra leading 'U' and
    // were computed over md5($password); undo the prefix and apply the same
    // md5() step before verifying (see the Drupal 7 documentation).
    $reference = $hash;
    if (str_starts_with($hash, 'U$')) {
        $reference = substr($hash, 1);
        $password = md5($password);
    }

    // Map the three-character format marker to the digest crypt() should use.
    // NOTE(review): '$P$'/'$H$' and the 'U$' wrapper depend on md5; presumably
    // callers re-hash such accounts with the current scheme after a
    // successful login - confirm against the caller.
    $algorithm = match (substr($reference, 0, 3)) {
        '$S$' => 'sha512',
        '$H$', '$P$' => 'md5',
        default => NULL,
    };

    if ($algorithm === NULL) {
        // Not a format verified here. Delegate when a core password service is
        // available; the password passed on has already been md5()'d if the
        // hash carried the 'U' prefix.
        return isset($this->corePassword)
            ? $this->corePassword->check($password, $reference)
            : FALSE;
    }

    $candidate = $this->crypt($algorithm, $password, $reference);
    // A falsy result from crypt() is treated as a non-match rather than
    // being compared.
    if (!$candidate) {
        return FALSE;
    }

    // hash_equals() rather than === so the comparison time does not depend
    // on how many leading characters match (timing-attack mitigation).
    return hash_equals($reference, $candidate);
}
