This line of code has two cryptographic vulnerabilities.
I'd suggest replacing it with hash_equals().
An MIT licensed polyfill for hash_equals() already exists.
Is there any interest in fixing this?
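Added example, not code from the RNCryptor project or from anyone in this thread: the issue does not show the offending line, so the weak check below assumes a plain `==` comparison of MAC tags, which is a common shape for this bug. It contrasts that with hash_equals(), and includes a small fallback of my own (a hypothetical stand-in for the polyfill library mentioned above, not that library's code) so the example also runs on PHP older than 5.6, where hash_equals() is not native.

```php
<?php
// Added example (not RNCryptor's own code). Shows why a MAC tag must be
// compared with hash_equals() and what a minimal fallback looks like.

// Hypothetical fallback for PHP < 5.6. On PHP >= 5.6 the native
// hash_equals() is used and this block is skipped.
if (!function_exists('hash_equals')) {
    function hash_equals($known, $user) {
        if (!is_string($known) || !is_string($user)) {
            return false;
        }
        $len = strlen($known);
        if ($len !== strlen($user)) {
            // Length is public for a fixed-size MAC, so an early exit here
            // does not leak anything about the tag bytes themselves.
            return false;
        }
        // XOR every byte pair and OR the results together so the loop
        // always runs to the end regardless of where a mismatch occurs.
        $diff = 0;
        for ($i = 0; $i < $len; $i++) {
            $diff |= ord($known[$i]) ^ ord($user[$i]);
        }
        return $diff === 0;
    }
}

// Weak check (assumed shape of the bug, not quoted from the project):
// PHP's == on two strings compares them numerically when both look
// numeric, so e.g. "0e123" and "0e456" are equal under ==, and the
// byte-wise comparison used otherwise stops at the first mismatch,
// which leaks how many leading bytes of the tag were correct.
function weakVerify($expectedTag, $receivedTag) {
    return $expectedTag == $receivedTag;
}

// Hardened check: constant-time, strict, and never type-juggled.
function safeVerify($expectedTag, $receivedTag) {
    return hash_equals($expectedTag, $receivedTag);
}

// Constructed sample input: a fixed key and an HMAC-SHA256 over some bytes.
$key        = str_repeat("\x42", 32);
$ciphertext = "constructed ciphertext bytes";
$expected   = hash_hmac('sha256', $ciphertext, $key, true);

// Demonstration of the two behaviours.
$results = array(
    // Loose comparison wrongly accepts two different numeric-looking tags.
    'weak_accepts_0e_strings'  => weakVerify('0e123', '0e456'),
    // hash_equals() rejects them.
    'safe_rejects_0e_strings'  => safeVerify('0e123', '0e456'),
    // A correctly recomputed tag is accepted.
    'safe_accepts_real_tag'    => safeVerify($expected, hash_hmac('sha256', $ciphertext, $key, true)),
    // A forged all-zero tag of the right length is rejected.
    'safe_rejects_forged_tag'  => safeVerify($expected, str_repeat("\x00", 32)),
);

foreach ($results as $name => $ok) {
    echo $name, ': ', ($ok ? 'true' : 'false'), PHP_EOL;
}
```

The fallback compares lengths up front because a MAC tag has a fixed, public length; what must not vary with the input is the time spent on the tag bytes, which the XOR-accumulate loop guarantees. Whatever the two issues in the original line were, replacing it with hash_equals() removes both the type-juggling and the early-exit problems that `==` has on strings.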
My PHP background is weak, and I haven't heard from @curtisdf in a while. I've asked a colleague of mine with much more PHP experience to take a look. I'd also be happy to look at a pull request.
Thanks for the issue.
Fix for GitHub issue #5 (hash_equals)
Hi @rnapier. Sorry for being AWOL. I wasn't receiving any emails about RNCryptor so it was out of sight out of mind.
I have migrated the project to use hash_equals() along with the polyfill library. I also took the opportunity to fix up our TravisCI configs. Since PHP 5.4 is at EOL, I have moved the minimum supported PHP version to 5.5. I also added support for testing in PHP7.
We are now at version 3.1.0. Thanks @paragonie-scott for the feedback.