WebSVN – php_utils – Path Comparison – / – /trunk/ Rev 91 and /trunk/ Rev 92

Compare Revisions

 /trunk/decode_jwt_token.inc.php
 ,7 → 58,7
                                 case 'HS':
                                         $hash = @hash_hmac($php_algo, $msg, $key, true);
                                         if (!$hash) break; // if the hash algo is not available, we just accept the JWT
-                                        if (!hash_equals($signature, $hash)) return false;
+                                        if (!hash_equals($hash, $signature)) return false;
                                         break;
                                 case 'PS':
                                         // This feature is new and not yet available in php-jwt

 /trunk/vts_crypt.inc.php
 ,10 → 228,10
                 // Create a VTS MCF 1.0 hash based on the parameters of $hash and the password $password
                 $calc_authkey_1 = vts_crypt_hash($algo, $password, $bin_salt, $ver, $mode, $iterations);
-                // We rewrite the MCF to make sure that they match (if params have the wrong order)
+                // We re-encode the MCF to make sure that it can be compared with the VTS MCF 1.0 (correct sorting of params etc.)
                 $calc_authkey_2 = crypt_modular_format_encode($id, $bin_salt, $bin_hash, $params);
-                return hash_equals($calc_authkey_1, $calc_authkey_2);
+                return hash_equals($calc_authkey_2, $calc_authkey_1);
         } else {
                 throw new Exception("Invalid VTS crypt version, expect 1.");
         }