This repository was archived by the owner on Feb 1, 2026. It is now read-only.

Use timing-safe hash comparison #20

Merged: emarref merged 1 commit into master from feature-timing-attack on Sep 5, 2016

@emarref emarref commented Sep 5, 2016

This branch addresses a timing attack raised by Dennis Detering from [rub.de] when comparing hashes for symmetric encryption verification. Details are below.

Description

The PHP jwt library by Malcolm Fell version <= 1.0.2 is vulnerable to a timing attack on hash comparison in the symmetric encryption component resulting in crafting a valid signature for arbitrary content.

Details

The verification of the HMAC hash in the verify() function in Symmetric.php is vulnerable to a timing attack. No timing safe equal function, like e.g. hash_equals() (PHP >= 5.6.0 and PHP 7), is used.

This allows an attacker to craft a valid signature for an arbitrary content.

Recommendation

It is recommended to use a timing safe equal function for comparison. In PHP >= 5.6.0 and PHP 7, the hash_equals() function has been implemented.

For unsupported versions, the following example function might be used (taken from here - also recommended for further details of timing attacks on equals comparison):

/**
 * A timing safe equals comparison
 *
 * @param string $safe The internal (safe) value to be checked
 * @param string $user The user submitted (unsafe) value
 *
 * @return boolean True if the two strings are identical.
 */
function timingSafeEquals($safe, $user) {
    $safeLen = strlen($safe);
    $userLen = strlen($user);

    if ($userLen != $safeLen) {
        return false;
    }

    $result = 0;

    for ($i = 0; $i < $userLen; $i++) {
        $result |= (ord($safe[$i]) ^ ord($user[$i]));
    }

    // They are only identical strings if $result is exactly 0...
    return $result === 0;
}
@emarref emarref merged commit 79f5637 into master Sep 5, 2016
emarref added a commit that referenced this pull request Sep 5, 2016
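
The check recommended in the description above, sketched as an added example that is not part of the pull request or the library's code: an HMAC verifier that uses hash_equals() where it exists and falls back to an XOR-accumulate comparison on older PHP. The function names constantTimeEquals and verifyHmac and all sample values are assumptions made for illustration.

```php
<?php
// Added example; constantTimeEquals() and verifyHmac() are hypothetical names,
// not taken from the library's Symmetric.php.

/**
 * Constant-time string comparison: native hash_equals() where available
 * (PHP >= 5.6.0), otherwise an XOR-accumulate loop over every byte.
 */
function constantTimeEquals($known, $user)
{
    if (!is_string($known) || !is_string($user)) {
        return false; // reject arrays/null instead of letting them coerce
    }
    if (function_exists('hash_equals')) {
        return hash_equals($known, $user);
    }
    // HMAC output length is fixed per algorithm, so an early exit on a
    // length mismatch reveals nothing secret.
    if (strlen($known) !== strlen($user)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $diff |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $diff === 0;
}

/** Recompute the HMAC over $message and compare it to the supplied one. */
function verifyHmac($key, $message, $signature, $algo = 'sha256')
{
    $expected = hash_hmac($algo, $message, $key, true); // raw bytes
    // Timing-unsafe form, for contrast only: return $expected === $signature;
    return constantTimeEquals($expected, $signature);
}

// Constructed sample values, for demonstration only.
$key     = 'constructed-demo-key';
$message = 'header.payload';
$good    = hash_hmac('sha256', $message, $key, true);
$bad     = $good;
$bad[31] = chr(ord($bad[31]) ^ 0x01); // flip one bit in the last byte

var_dump(verifyHmac($key, $message, $good));                // untouched signature
var_dump(verifyHmac($key, $message, $bad));                 // tampered signature
var_dump(verifyHmac($key, $message, substr($good, 0, 16))); // truncated signature
```

Both sides of the comparison must use the same encoding (raw bytes here); comparing a hex digest against raw bytes fails on length before any byte is examined.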