From c65a8508fdde9d6c974210a4a640c36e2b63131b Mon Sep 17 00:00:00 2001 From: Flavio Oliveira Date: Sun, 7 May 2017 21:34:37 +0200 Subject: [PATCH] printable_characters - check if it is ascii --- Cargo.toml | 11 +++++++---- LICENSE | 21 ++++----------------- README.md | 3 +++ src/lib.rs | 16 ++++++++++++---- 4 files changed, 26 insertions(+), 25 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index f8431af..5dd57ed 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,15 +1,18 @@ [package] name = "yubico" -version = "0.1.3" +version = "0.1.4" authors = ["Flavio Oliveira "] description = "Yubikey client API library" -license = "MIT" +license = "MIT OR Apache-2.0" keywords = ["HMS", "yubikey", "authentication", "encryption", "OTP"] - +categories = ["authentication"] repository = "https://github.com/wisespace-io/yubico-rs" readme = "README.md" +[badges] +travis-ci = { repository = "wisespace-io/yubico-rs" } + [lib] name = "yubico" path = "src/lib.rs" @@ -19,6 +22,6 @@ url = "1.4" hyper = { version = "0.10", default-features = false } hyper-native-tls = "0.2.2" rand = "0.3.15" -base64 = "^0.4" +base64 = "^0.5" threadpool = "1.3" rust-crypto = "^0.2" \ No newline at end of file diff --git a/LICENSE b/LICENSE index 065f43f..8129c31 100644 --- a/LICENSE +++ b/LICENSE 
@@ -1,21 +1,8 @@ -MIT License - Copyright (c) 2016 Flavio Oliveira -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: +Licensed under either of -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. + * Apache License, Version 2.0, (http://www.apache.org/licenses/LICENSE-2.0) + * MIT license (http://opensource.org/licenses/MIT) -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE. \ No newline at end of file +at your option. \ No newline at end of file diff --git a/README.md b/README.md index e8c70ba..c4b2d93 100644 --- a/README.md +++ b/README.md @@ -36,4 +36,7 @@ fn main() { ## License +Licensed under either of + * MIT license (see [LICENSE](LICENSE) or ) +* Apache License, Version 2.0 (see [LICENSE](LICENSE) or ) diff --git a/src/lib.rs b/src/lib.rs index e063bb4..35fae1b 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -8,6 +8,7 @@ extern crate threadpool; pub mod yubicoerror; +use std::ascii::AsciiExt; use yubicoerror::YubicoError; use hyper::net::HttpsConnector; use hyper_native_tls::NativeTlsClient; 
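Review bot: `use std::ascii::AsciiExt;` is added here only so that `is_ascii` is in scope for `char` in the later `printable_characters` hunk; on recent toolchains that method is inherent and the `AsciiExt` trait is deprecated, so this import will be reported as deprecated and unused. If the crate's minimum supported Rust version allows, drop the import; otherwise record why it is kept, e.g. `// needed for char::is_ascii on older toolchains`.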
@@ -62,7 +63,7 @@ impl Yubico {
 pub fn new(client_id: String, key: String) -> Self {
 Yubico {
 client_id: client_id,
- key: decode(key.as_ref()).unwrap(),
+ key: decode(&key[..]).unwrap(),
 }
 }
 
@@ -70,7 +71,7 @@ impl Yubico {
 pub fn verify(&self, otp: String) -> Result {
 match self.printable_characters(otp.clone()) {
 false => Err(YubicoError::BadOTP),
- _ => {
+ _ => {
 let nonce: String = self.generate_nonce();
 let mut query = format!("id={}&nonce={}&otp={}&sl=secure",
 self.client_id, nonce, otp);
@@ -133,7 +134,12 @@ impl Yubico {
 
 // Recommendation is that clients only check that the input consists of 32-48 printable characters
 fn printable_characters(&self, otp: String) -> bool {
- if otp.len() < 32 || otp.len() > 48 { false } else { true }
+ for c in otp.chars() {
+ if !c.is_ascii() {
+ return false;
+ }
+ }
+ otp.len() > 32 && otp.len() < 48
 }
 
 fn process(&self, sender: Sender, api_host: &str, request: Request) {
@@ -146,18 +152,21 @@ impl Yubico {
 let signature_response : &str = &*response_map.get("h").unwrap();
 if !self.is_same_signature(signature_response, response_map.clone()) {
 sender.send(Response::Signal(Err(YubicoError::SignatureMismatch))).unwrap();
+ return;
 }
 
 // Check if "otp" in the response is the same as the "otp" supplied in the request.
 let otp_response : &str = &*response_map.get("otp").unwrap();
 if !request.otp.contains(otp_response) {
 sender.send(Response::Signal(Err(YubicoError::OTPMismatch))).unwrap();
+ return;
 }
 
 // Check if "nonce" in the response is the same as the "nonce" supplied in the request.
 let nonce_response : &str = &*response_map.get("nonce").unwrap();
 if !request.nonce.contains(nonce_response) {
 sender.send(Response::Signal(Err(YubicoError::NonceMismatch))).unwrap();
+ return;
 }
 
 // Check the status of the operation
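Review bot: `new` still unwraps the base64 decode of `key` on the changed line `key: decode(&key[..]).unwrap(),`, so a public constructor panics on any malformed API key instead of reporting it; the commit only changes how the string is borrowed. For a library, either make the constructor fallible — `pub fn new(client_id: String, key: String) -> Result<Self, YubicoError>` with the decode error mapped onto a `YubicoError` variant — or at minimum document the behaviour above the signature with `/// # Panics` and `/// Panics if key is not valid base64.`. The enclosing `impl Yubico` block starts and ends outside this hunk.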
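Review bot: The new length test `otp.len() > 32 && otp.len() < 48` is exclusive, so 32- and 48-character OTPs are now rejected although the comment above it says 32-48 and the replaced line accepted both bounds; and `c.is_ascii()` admits control characters (NUL, newline, ESC), so the function does not enforce "printable" either. This is the only validation `verify` applies before formatting `otp` into the request query (hunk @@ -70), so it should check the printable range and inclusive bounds: `let printable = otp.chars().all(|c| c >= ' ' && c <= '~');` followed by `printable && otp.len() >= 32 && otp.len() <= 48`. Once every char is printable ASCII the byte length equals the character count, which is worth a comment such as `// all chars are ASCII, so byte length == char count`.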
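Review bot: `request.otp.contains(otp_response)` and `request.nonce.contains(nonce_response)` are substring tests, so a response whose `otp` or `nonce` field is any substring of the request value (including the empty string) passes checks the comments describe as "the same as"; the echoed fields only bind the signed response to this request if compared for equality, `if request.otp != otp_response {` and `if request.nonce != nonce_response {`. The added `return;` lines correctly stop the fall-through after an error signal, but the three `response_map.get(..).unwrap()` calls above them still panic when a field is absent, which ends the worker thread without any `Response::Signal` reaching the receiver; resolve each lookup with `match` or `if let` and send a `YubicoError` on the `None` path. `process` begins and continues outside this hunk.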
@@ -195,7 +204,6 @@ impl Yubico {
 
 query.pop(); // remove last &
 let signature = self.build_signature(query.clone());
-
 let decoded_signature = &decode(signature_response).unwrap()[..];
 crypto::util::fixed_time_eq(signature.code(), decoded_signature)