Hey folks,

The recently released version 0.9.2 contains a breaking change due to upgrading reqwest to 0.11. That version uses Tokio 1.0, making this crate no longer compatible with projects that still haven't migrated to Tokio 1.x.

This shows up as a runtime panic saying it could not find a Tokio 1.x executor running.

It may be a good idea to yank this version and release it as 0.10.

When verifying against multiple OTP servers, the caller may exit before other threads finish, and as a result, will call an invalid channel Sender that no longer exists and panic.

This is due to how (according to spec) it sends out 5 requests simultaneously to the default YubiCloud servers, and if one of the threads returns that the OTP is ok, it will immediately return the result to calling code. Unfortunately, after the verify caller exits, the other threads will still be alive and will receive responses and attempt to send then back to the caller through a channel that no longer exists and will panic.

A way to tackle it would be forcibly quitting all other threads once one has returned successfully.

Hi,

It appears I made a couple mistakes in my recent work on supporting asynchronous requests. I find it quite hard to maintain all the conditional compilation annotations across the whole crate. In the meantime, I think the USB use case and the online one are very different and I can hardly think of a use case for both at the same time. I would like to split the crate into these crates:

• yubico-core: shared code, crypto, etc.
• yubico-usb
• yubico-online

This would make it easier to segregate imports for both the crate developers and its users.

Would you agree with that?

Just a quick heads-up from a passer-by:
https://github.com/wisespace-io/yubico-rs/blob/master/src/lib.rs#L198
This comparison might be vulnerable to timing attacks because it's not constant-time. Not sure if that's relevant here at all. I'm reporting such issues to a couple of repositories, please just ignore/close if it isn't applicable here.

Currently you just have the host boiled into the code, making it so people are required to be using the default yubico OTP validation server, but it's possible to host your own.

How do I get the serial number from the yubikey?

Would you be interested in implementing that mode to this crate?

I'm not super familiar with how yubikeys work so I'm not sure I could help with anything but looking at the available modes (and wanting to support yubikey in one of my applications) it feels like the most fitting one for me to use

For a current project, the reqwest dependency introduces an unwanted openssl linkage, I build to a muslc target which makes linking OpenSSL rather cumbersome and the final project will not make use of the verification feature that Yubico offers. Since I can't link OpenSSL I made a small patch which introduces a new "online" feature. By setting default features to false, the crate will build without any online functionality (ie, verifying codes against the yubico servers), this functionality is enabled by using the online feature.

The patch mostly consists of disabling various code via a #[cfg] macro.

yubico-rs.patch

The Yubico crate already use the "reqwest" crate for communication with Yubico servers, however the Yubico crate does not allow to specify HTTP proxy settings, the "reqwest" create has an option to specify an HTTP proxy when buidling a "reqwest" client.

Please add the option to specify a "reqwest" client (with proxy settings) before invoking the verify, will be a nice feature.

The following link shows how an HTTP proxy can be specified when building a reqwest client:
https://docs.rs/reqwest/0.10.6/reqwest/struct.Proxy.html