fix: correct order for hash_equals (#393)

bshaffer · web-flow · commit abc63f3fc6c7 · 2022-02-07T06:54:21.000-08:00
diff --git a/src/JWT.php b/src/JWT.php
@@ -284,7 +284,7 @@ private static function verify($msg, $signature, $key, $alg)
             case 'hash_hmac':
             default:
                 $hash = \hash_hmac($algorithm, $msg, $key, true);
-                return self::constantTimeEquals($signature, $hash);
+                return self::constantTimeEquals($hash, $signature);
         }
     }
 
@@ -420,8 +420,8 @@ private static function getKey($keyOrKeyArray, $kid = null)
     }
 
     /**
-     * @param string $left
-     * @param string $right
+     * @param string $left  The string of known length to compare against
+     * @param string $right The user-supplied string
      * @return bool
      */
     public static function constantTimeEquals($left, $right)

Original file line number	Diff line number	Diff line change
`@@ -284,7 +284,7 @@ private static function verify($msg, $signature, $key, $alg)`
`284`	`284`	`case 'hash_hmac':`
`285`	`285`	`default:`
`286`	`286`	`$hash = \hash_hmac($algorithm, $msg, $key, true);`
`287`		`- return self::constantTimeEquals($signature, $hash);`
	`287`	`+ return self::constantTimeEquals($hash, $signature);`
`288`	`288`	`}`
`289`	`289`	`}`
`290`	`290`
`@@ -420,8 +420,8 @@ private static function getKey($keyOrKeyArray, $kid = null)`
`420`	`420`	`}`
`421`	`421`
`422`	`422`	`/**`
`423`		`- * @param string $left`
`424`		`- * @param string $right`
	`423`	`+ * @param string $left The string of known length to compare against`
	`424`	`+ * @param string $right The user-supplied string`
`425`	`425`	`* @return bool`
`426`	`426`	`*/`
`427`	`427`	`public static function constantTimeEquals($left, $right)`