Two Vulnerabilities in One Line

[paragonie-scott]

This line of code has two cryptographic vulnerabilities.

1. The PHP "magic hash" evaluation flaw
2. String comparison is vulnerable to timing attacks

I'd suggest replacing it with hash_equals().

A MIT licensed polyfill for hash_equals() already exists.

[paragonie-scott]

Is there any interest in fixing this?

[rnapier]

My PHP background is weak, and I haven't heard from @curtisdf in a while. I've asked a colleague of mine with much more PHP experience to take a look. I'd also be happy to look at a pull request.

Thanks for the issue.

[curtisdf]

Hi @rnapier. Sorry for being AWOL. I wasn't receiving any emails about RNCryptor so it was out of sight out of mind.

I have migrated the project to use hash_equals() along with the polyfill library. I also took the opportunity to fix up our TravisCI configs. Since PHP 5.4 is at EOL, I have moved the minimum supported PHP version to 5.5. I also added support for testing in PHP7.

We are now at version 3.1.0. Thanks @paragonie-scott for the feedback.