From 083e83161cca3f87c64f5a13b16ad0b93abc865d Mon Sep 17 00:00:00 2001
From: Christian Bundy
Date: Fri, 4 Sep 2020 08:34:16 -0700
Subject: [PATCH] Fix truncated comparison

Problem: The comparison was happening on the last 32 bytes instead of the first 32.

Solution: Change the offset from 32 to 0, and set the end at 32 bytes.
---
 crypto_auth.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto_auth.js b/crypto_auth.js
index 2863e27..4c5e463 100644
--- a/crypto_auth.js
+++ b/crypto_auth.js
@@ -57,7 +57,7 @@ function crypto_auth_hmacsha512256 (out, input, k) {
 function crypto_auth_hmacsha512256_verify (h, input, k) {
 const correct = Sha512.HMAC(k).update(input).digest()
- return crypto_verify_32(h, 0, correct, 0) | sodium_memcmp(correct.subarray(32), h, 32)
+ return crypto_verify_32(h, 0, correct, 0) | sodium_memcmp(correct.subarray(0, 32), h, 32)
 }
 function crypto_auth (out, input, k) {
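Review bot: With the offset corrected, both operands of the `|` on the `return` line of `crypto_auth_hmacsha512256_verify` now compare the same 32 bytes of `h` and `correct`, so the outcome depends on how the two helpers' return values combine rather than on a second independent check. Their return conventions are not visible in this hunk; if `crypto_verify_32` follows the NaCl 0-on-match convention while `sodium_memcmp` returns a truthy value on match, the OR would be non-zero for both a valid and an invalid tag, so this should be pinned by a test asserting that a tag with one altered byte is rejected. A single constant-time comparison would be clearer, e.g. `return sodium_memcmp(correct.subarray(0, 32), h, 32)`, assuming callers expect that helper's return convention. Nothing in the function validates the tag length before comparing, so an explicit check that `h` is exactly 32 bytes should precede the comparison.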