diff --git a/src/JWT.php b/src/JWT.php
index 725a0832..1226102c 100644
--- a/src/JWT.php
+++ b/src/JWT.php
@@ -284,7 +284,7 @@ private static function verify($msg, $signature, $key, $alg)
 case 'hash_hmac':
 default:
 $hash = \hash_hmac($algorithm, $msg, $key, true);
- return self::constantTimeEquals($signature, $hash);
+ return self::constantTimeEquals($hash, $signature);
 }
 }
@@ -420,8 +420,8 @@ private static function getKey($keyOrKeyArray, $kid = null)
 }
 /**
- * @param string $left
- * @param string $right
+ * @param string $left The string of known length to compare against
+ * @param string $right The user-supplied string
 * @return bool
 */
 public static function constantTimeEquals($left, $right)
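Review bot: The swapped call in verify()'s `hash_hmac` branch now depends on argument order, but nothing at the call site says so, which makes it easy to flip back in a later refactor. A short comment above the return would pin it: `// locally computed MAC first, token-supplied signature second`. Any other callers of constantTimeEquals() are outside this hunk and should presumably be checked for the same order, since the method is public. verify() begins outside the hunk.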
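Review bot: The new `$left` description in the constantTimeEquals() docblock, "The string of known length", undersells what matters for the comparison: `$left` should be the trusted, locally computed value and `$right` the value taken from the token. Suggested wording: `@param string $left The known (locally computed) string` and `@param string $right The untrusted string to check against it`. The docblock also has no summary line; one sentence saying the comparison is meant to take the same time wherever the strings differ would help callers of this public method. The function body is outside the hunk, so how inputs of different length are handled cannot be confirmed from here.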