/// <summary>
/// Returns true, if there is a WWW-Authenticate header containing ts and tsm but mac
/// computed for ts does not match tsm, indicating possible tampering. Otherwise, returns false.
/// This method also sets the compensation field so that the timestamp in the subsequent requests
/// are adjusted to reduce the clock skew.
/// </summary>
private bool IsTimestampResponseTampered(ArtifactsContainer artifacts, HttpResponseMessage response)
{
if (response.Headers.WwwAuthenticate != null)
{
var wwwHeader = response.Headers.WwwAuthenticate.FirstOrDefault();
if (wwwHeader != null && wwwHeader.Scheme.ToLower() == HawkConstants.Scheme)
{
string parameter = wwwHeader.Parameter;
ArtifactsContainer timestampArtifacts;
if (!String.IsNullOrWhiteSpace(parameter) &&
ArtifactsContainer.TryParse(parameter, out timestampArtifacts))
{
var ts = new NormalizedTimestamp(timestampArtifacts.Timestamp, credentialFunc());
if (!ts.IsValid(timestampArtifacts.TimestampMac))
{
return(true);
}
lock (myPrecious)
HawkClient.CompensatorySeconds = (int)(timestampArtifacts.Timestamp - DateTime.UtcNow.ToUnixTime());
Tracing.Information("HawkClient.CompensatorySeconds set to " + HawkClient.CompensatorySeconds);
}
}
}
return(false);
}
/// <summary>
/// Returns true, if there is a WWW-Authenticate header containing ts and tsm but mac
/// computed for ts does not match tsm, indicating possible tampering. Otherwise, returns false.
/// This method also sets the compensation field so that the timestamp in the subsequent requests
/// are adjusted to reduce the clock skew.
/// </summary>
private bool IsTimestampResponseTampered(ArtifactsContainer artifacts, IResponseMessage response)
{
var wwwHeader = response.WwwAuthenticate;
if (wwwHeader != null)
{
string parameter = wwwHeader.Parameter;
ArtifactsContainer timestampArtifacts;
if (!String.IsNullOrWhiteSpace(parameter) &&
ArtifactsContainer.TryParse(parameter, out timestampArtifacts))
{
var ts = new NormalizedTimestamp(timestampArtifacts.Timestamp, options.CredentialsCallback(), options.LocalTimeOffsetMillis);
if (!ts.IsValid(timestampArtifacts.TimestampMac))
{
return(true);
}
lock (myPrecious)
HawkClient.CompensatorySeconds = (int)(timestampArtifacts.Timestamp - DateTime.UtcNow.ToUnixTime());
Tracing.Information("HawkClient.CompensatorySeconds set to " + HawkClient.CompensatorySeconds);
}
}
return(false);
}
public async Task TimestampInSubsequentRequestMustBeAdjustedBasedOnTimestampInWwwAuthenticateHeaderOfPrevious()
{
using (var invoker = new HttpMessageInvoker(server))
{
using (var request = new HttpRequestMessage(HttpMethod.Get, URI))
{
var client = ClientFactory.Create();
await client.CreateClientAuthorizationAsync(new WebApiRequestMessage(request));
using (var response = await invoker.SendAsync(request, CancellationToken.None))
{
// Simulate server clock running 5 minutes slower than client and
// produce the parameter with ts and tsm
var timestamp = new NormalizedTimestamp(DateTime.UtcNow.AddMinutes(-5), ServerFactory.DefaultCredential);
string timestampHeader = timestamp.ToWwwAuthenticateHeaderParameter();
// Add that to the WWW-Authenticate before authenticating with the
// client, to simulate clock skew
response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("hawk", timestampHeader));
// Client must have now calculated an offset of -300 seconds approx
Assert.IsTrue(await client.AuthenticateAsync(new WebApiResponseMessage(response)));
Assert.IsTrue(HawkClient.CompensatorySeconds <= -299 && HawkClient.CompensatorySeconds >= -301);
// Create a fresh request and see if this offset is applied to the timestamp
using (var subsequentRequest = new HttpRequestMessage(HttpMethod.Get, URI))
{
await client.CreateClientAuthorizationAsync(new WebApiRequestMessage(subsequentRequest));
string header = subsequentRequest.Headers.Authorization.Parameter;
ArtifactsContainer artifacts = null;
Assert.IsTrue(ArtifactsContainer.TryParse(header, out artifacts));
var timestampInSubsequentRequest = artifacts.Timestamp;
var now = DateTime.UtcNow.ToUnixTime();
// Since server clock is slow, the timestamp going out must be offset by the same 5 minutes
// or 300 seconds. Give leeway of a second while asserting.
ulong difference = now - timestampInSubsequentRequest;
Assert.IsTrue(difference >= 299 && difference <= 301);
}
}
}
}
}
/// <summary>
/// Returns true, if there is a WWW-Authenticate header containing ts and tsm but mac
/// computed for ts does not match tsm, indicating possible tampering. Otherwise, returns false.
/// This method also sets the compensation field so that the timestamp in the subsequent requests
/// are adjusted to reduce the clock skew.
/// </summary>
private bool IsTimestampResponseTampered(ArtifactsContainer artifacts, HttpResponseMessage response)
{
if (response.Headers.WwwAuthenticate != null)
{
var wwwHeader = response.Headers.WwwAuthenticate.FirstOrDefault();
if (wwwHeader != null && wwwHeader.Scheme.ToLower() == HawkConstants.Scheme)
{
string parameter = wwwHeader.Parameter;
ArtifactsContainer timestampArtifacts;
if (!String.IsNullOrWhiteSpace(parameter) &&
ArtifactsContainer.TryParse(parameter, out timestampArtifacts))
{
var ts = new NormalizedTimestamp(timestampArtifacts.Timestamp, credentialFunc());
if (!ts.IsValid(timestampArtifacts.TimestampMac))
return true;
lock (myPrecious)
HawkClient.CompensatorySeconds = (int)(timestampArtifacts.Timestamp - DateTime.UtcNow.ToUnixTime());
}
}
}
return false;
}
