You are here

public function PhpassHashedPassword::check in Drupal 10

Same name and namespace in other branches
  1. 8 core/lib/Drupal/Core/Password/PhpassHashedPassword.php \Drupal\Core\Password\PhpassHashedPassword::check()
  2. 9 core/lib/Drupal/Core/Password/PhpassHashedPassword.php \Drupal\Core\Password\PhpassHashedPassword::check()

Check whether a plain text password matches a hashed password.

Parameters

string $password: A plain-text password

string $hash: A hashed password.

Return value

bool TRUE if the password is valid, FALSE if not.

Overrides PasswordInterface::check

File

core/lib/Drupal/Core/Password/PhpassHashedPassword.php, line 222

Class

PhpassHashedPassword
Secure password hashing functions based on the Portable PHP password hashing framework.

Namespace

Drupal\Core\Password

Code

public function check($password, $hash) {
  if (substr($hash, 0, 2) == 'U$') {

    // This may be an updated password from user_update_7000(). Such hashes
    // have 'U' added as the first character and need an extra md5() (see the
    // Drupal 7 documentation).
    $stored_hash = substr($hash, 1);
    $password = md5($password);
  }
  else {
    $stored_hash = $hash;
  }
  $type = substr($stored_hash, 0, 3);
  switch ($type) {
    case '$S$':

      // A normal Drupal 7 password using sha512.
      $computed_hash = $this
        ->crypt('sha512', $password, $stored_hash);
      break;
    case '$H$':

    // phpBB3 uses "$H$" for the same thing as "$P$".
    case '$P$':

      // A phpass password generated using md5.  This is an
      // imported password or from an earlier Drupal version.
      $computed_hash = $this
        ->crypt('md5', $password, $stored_hash);
      break;
    default:
      return FALSE;
  }

  // Compare using hash_equals() instead of === to mitigate timing attacks.
  return $computed_hash && hash_equals($stored_hash, $computed_hash);
}