/// <summary> /// Returns true, if there is a WWW-Authenticate header containing ts and tsm but mac /// computed for ts does not match tsm, indicating possible tampering. Otherwise, returns false. /// This method also sets the compensation field so that the timestamp in the subsequent requests /// are adjusted to reduce the clock skew. /// </summary> private bool IsTimestampResponseTampered(ArtifactsContainer artifacts, HttpResponseMessage response) { if (response.Headers.WwwAuthenticate != null) { var wwwHeader = response.Headers.WwwAuthenticate.FirstOrDefault(); if (wwwHeader != null && wwwHeader.Scheme.ToLower() == HawkConstants.Scheme) { string parameter = wwwHeader.Parameter; ArtifactsContainer timestampArtifacts; if (!String.IsNullOrWhiteSpace(parameter) && ArtifactsContainer.TryParse(parameter, out timestampArtifacts)) { var ts = new NormalizedTimestamp(timestampArtifacts.Timestamp, credentialFunc()); if (!ts.IsValid(timestampArtifacts.TimestampMac)) { return(true); } lock (myPrecious) HawkClient.CompensatorySeconds = (int)(timestampArtifacts.Timestamp - DateTime.UtcNow.ToUnixTime()); Tracing.Information("HawkClient.CompensatorySeconds set to " + HawkClient.CompensatorySeconds); } } } return(false); }
/// <summary> /// Returns true, if there is a WWW-Authenticate header containing ts and tsm but mac /// computed for ts does not match tsm, indicating possible tampering. Otherwise, returns false. /// This method also sets the compensation field so that the timestamp in the subsequent requests /// are adjusted to reduce the clock skew. /// </summary> private bool IsTimestampResponseTampered(ArtifactsContainer artifacts, IResponseMessage response) { var wwwHeader = response.WwwAuthenticate; if (wwwHeader != null) { string parameter = wwwHeader.Parameter; ArtifactsContainer timestampArtifacts; if (!String.IsNullOrWhiteSpace(parameter) && ArtifactsContainer.TryParse(parameter, out timestampArtifacts)) { var ts = new NormalizedTimestamp(timestampArtifacts.Timestamp, options.CredentialsCallback(), options.LocalTimeOffsetMillis); if (!ts.IsValid(timestampArtifacts.TimestampMac)) { return(true); } lock (myPrecious) HawkClient.CompensatorySeconds = (int)(timestampArtifacts.Timestamp - DateTime.UtcNow.ToUnixTime()); Tracing.Information("HawkClient.CompensatorySeconds set to " + HawkClient.CompensatorySeconds); } } return(false); }
public async Task TimestampInSubsequentRequestMustBeAdjustedBasedOnTimestampInWwwAuthenticateHeaderOfPrevious() { using (var invoker = new HttpMessageInvoker(server)) { using (var request = new HttpRequestMessage(HttpMethod.Get, URI)) { var client = ClientFactory.Create(); await client.CreateClientAuthorizationAsync(new WebApiRequestMessage(request)); using (var response = await invoker.SendAsync(request, CancellationToken.None)) { // Simulate server clock running 5 minutes slower than client and // produce the parameter with ts and tsm var timestamp = new NormalizedTimestamp(DateTime.UtcNow.AddMinutes(-5), ServerFactory.DefaultCredential); string timestampHeader = timestamp.ToWwwAuthenticateHeaderParameter(); // Add that to the WWW-Authenticate before authenticating with the // client, to simulate clock skew response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("hawk", timestampHeader)); // Client must have now calculated an offset of -300 seconds approx Assert.IsTrue(await client.AuthenticateAsync(new WebApiResponseMessage(response))); Assert.IsTrue(HawkClient.CompensatorySeconds <= -299 && HawkClient.CompensatorySeconds >= -301); // Create a fresh request and see if this offset is applied to the timestamp using (var subsequentRequest = new HttpRequestMessage(HttpMethod.Get, URI)) { await client.CreateClientAuthorizationAsync(new WebApiRequestMessage(subsequentRequest)); string header = subsequentRequest.Headers.Authorization.Parameter; ArtifactsContainer artifacts = null; Assert.IsTrue(ArtifactsContainer.TryParse(header, out artifacts)); var timestampInSubsequentRequest = artifacts.Timestamp; var now = DateTime.UtcNow.ToUnixTime(); // Since server clock is slow, the timestamp going out must be offset by the same 5 minutes // or 300 seconds. Give leeway of a second while asserting. ulong difference = now - timestampInSubsequentRequest; Assert.IsTrue(difference >= 299 && difference <= 301); } } } } }
/// <summary> /// Returns true, if there is a WWW-Authenticate header containing ts and tsm but mac /// computed for ts does not match tsm, indicating possible tampering. Otherwise, returns false. /// This method also sets the compensation field so that the timestamp in the subsequent requests /// are adjusted to reduce the clock skew. /// </summary> private bool IsTimestampResponseTampered(ArtifactsContainer artifacts, HttpResponseMessage response) { if (response.Headers.WwwAuthenticate != null) { var wwwHeader = response.Headers.WwwAuthenticate.FirstOrDefault(); if (wwwHeader != null && wwwHeader.Scheme.ToLower() == HawkConstants.Scheme) { string parameter = wwwHeader.Parameter; ArtifactsContainer timestampArtifacts; if (!String.IsNullOrWhiteSpace(parameter) && ArtifactsContainer.TryParse(parameter, out timestampArtifacts)) { var ts = new NormalizedTimestamp(timestampArtifacts.Timestamp, credentialFunc()); if (!ts.IsValid(timestampArtifacts.TimestampMac)) return true; lock (myPrecious) HawkClient.CompensatorySeconds = (int)(timestampArtifacts.Timestamp - DateTime.UtcNow.ToUnixTime()); } } } return false; }