Compare the signatures before base64 encoding

Flavio Oliveira · Flavio Oliveira · commit 3b478702070f · 2017-01-18T13:36:43.000+01:00
diff --git a/README.md b/README.md
@@ -1,5 +1,5 @@
-[![License](http://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/wisespace-io/yubico-rs/blob/master/LICENSE)
-[![](https://meritbadge.herokuapp.com/yubico)](https://crates.io/crates/yubico)
+[![Build Status](https://travis-ci.org/wisespace-io/yubico-rs.png?branch=master)](https://travis-ci.org/wisespace-io/yubico-rs)
+[![Crates.io](https://img.shields.io/crates/v/yubico.svg)](https://crates.io/crates/yubico)
 
 # Yubico
 Yubikey client API library, [validation protocol version 2.0](https://developers.yubico.com/yubikey-val/Validation_Protocol_V2.0.html).
diff --git a/src/.travis.yml b/src/.travis.yml
@@ -0,0 +1,5 @@
+language: rust
+rust:
+    - nightly
+    - stable
+sudo: false
diff --git a/src/lib.rs b/src/lib.rs
@@ -12,7 +12,7 @@ use hyper::Client;
 use hyper::header::{Headers};
 use std::io::prelude::*;
 use base64::{encode, decode};
-use crypto::mac::{Mac};
+use crypto::mac::{Mac, MacResult};
 use crypto::hmac::Hmac;
 use crypto::sha1::Sha1;
 use rand::{thread_rng, Rng};
@@ -74,13 +74,15 @@ impl Yubico {
                 let mut query = format!("id={}&nonce={}&otp={}&sl=secure", self.client_id, nonce, otp);
 
                 let signature = self.build_signature(query.clone());
+                // Base 64 encode the resulting value according to RFC 4648
+                let encoded_signature = encode(signature.code());
 
                 // Append the value under key h to the message.
-                let signature_param = format!("&h={}", signature);
+                let signature_param = format!("&h={}", encoded_signature);
                 let encoded = utf8_percent_encode(signature_param.as_ref(), QUERY_ENCODE_SET).collect::<String>();
                 query.push_str(encoded.as_ref());
 
-                let request = Request {otp: otp, nonce: nonce, signature: signature, query: query};
+                let request = Request {otp: otp, nonce: nonce, signature: encoded_signature, query: query};
 
                 let pool = ThreadPool::new(3);
                 let (tx, rx) = channel();
@@ -122,12 +124,10 @@ impl Yubico {
     }
 
     //  1. Apply the HMAC-SHA-1 algorithm on the line as an octet string using the API key as key
-    //  2. Base 64 encode the resulting value according to RFC 4648
-    fn build_signature(&self, query: String) -> String {
+    fn build_signature(&self, query: String) -> MacResult {
         let mut hmac = Hmac::new(Sha1::new(), &self.key[..]);
         hmac.input(query.as_bytes());
-        let signature = encode(hmac.result().code());
-        format!("{}", signature)
+        hmac.result()
     }
 
     // Recommendation is that clients only check that the input consists of 32-48 printable characters
@@ -195,7 +195,10 @@ impl Yubico {
 
         let signature = self.build_signature(query.clone());
 
-        if signature == signature_response { true } else { false }
+
+        let decoded_signature = &decode(signature_response).unwrap()[..];
+
+        crypto::util::fixed_time_eq(signature.code(), decoded_signature)
     }
 
     fn build_response_map(&self, result: String) -> BTreeMap<String, String> {

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +language: rust
 +rust:
 +    - nightly
 +    - stable
 +sudo: false