php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #46386 [PATCH] Digest authentication with SOAP module fails against MSSQL SOAP services
Submitted: 2008-10-25 16:54 UTC Modified: 2009-06-03 12:42 UTC
Votes:5
Avg. Score:4.2 ± 1.0
Reproduced:3 of 3 (100.0%)
Same Version:3 (100.0%)
Same OS:3 (100.0%)
From: lordelph at gmail dot com Assigned:
Status: Closed Package: SOAP related
PHP Version: 5.*, 6CVS (2009-05-05) OS: *
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: lordelph at gmail dot com
New email:
PHP Version: OS:

 

 [2008-10-25 16:54 UTC] lordelph at gmail dot com
Description:
------------
Using the SoapClient class to talk to SOAP services provided by MSSQL server configured with Digest authorization fails if the server specifies that the MD5-sess algorithm be used

Reproduce code:
---------------
// reproduction requires an MSSQL server configured with 
// SOAP services and protected with Digest authorization
// Prior to testing, verify the Digest support by making a
// a request with a third party tool like cURL

$options=array(
'trace'      => 1,					
'authentication' => SOAP_AUTHENTICATION_DIGEST,
'login'=> $user, 
'password'=>$pass
);
  			
$client = new SoapClient($wsdlfile, $options);  
			
$client->Foo(); 

Expected result:
----------------
Expect SOAP call 'Foo' to succeed

Actual result:
--------------
SoapFault exception is thrown with the message "Unauthorized"

$client->__getLastRequestHeaders() returns

POST /ept/cv HTTP/1.1
Host: 168.143.179.36
Connection: Keep-Alive
User-Agent: PHP-SOAP/5.2.6-1ubuntu4
Content-Type: text/xml; charset=utf-8
SOAPAction: "ASP.EPT.CVListTerms"
Content-Length: 393
Authorization: Digest username="admin8", realm="Digest", nonce="987675a1c136c901ec4171a06bd402000eb60bf1fd307a9faf41324273b0872d8b56905071490005", uri="/ept/cv", qop="auth", nc="00000001", cnonce="4942e49e", response="3ee12e732e2e04a50c23ffd910164cb8"



$client->__getLastResponseHeaders() returns this:

HTTP/1.1 401 Unauthorized
Content-Length: 0
WWW-Authenticate: Digest qop="auth",algorithm=MD5-sess,nonce="857594a1c136c90161f301be706f9f1e5a4146c3d7a1bf3b63a6b8b14dea6b3afcc195ff8d1fce37",charset=utf-8,realm="Digest"
Server: Microsoft-SQL/9.0 Microsoft-HTTPAPI/1.0
Date: Sat, 25 Oct 2008 16:49:21 GMT
Connection: close


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-10-25 17:04 UTC] lordelph at gmail dot com
The problem occurs because the Authorization header returned by the SOAP module does not include the algorithm="MD5-sess" value, even though the server has specified this algorithm and the module has obeyed by applying a second hashing round to the HA1 value.

The fix is simply to add an algorithm="xyz" value to the Authorization. 

I have verified that this fix works by writng a PHP-based simulation of what the C source code is doing. When the Authorize header is fixed, it works normally. This demonstration is here: http://pastebin.com/f7996ccbe

You can see around lne 507 of ext/soap/php_http.c the code applies the extra hashing step required for MD5-sess, but further down, around line 606, it should be adding the algorithm="foo" value to the Authorization response header.

Because it fails to do this, MS SQL server fails to authenticate the request.
 [2008-10-27 11:17 UTC] lordelph at gmail dot com
Here's a patch which can be applied in /ext/soap to fix the php_http.c file for this issue

http://files.dixo.net/php_bug_46386.patch

It simply ensures the request header containing the authorization response uses the same algorithm value as contained in the server's response.
 [2009-06-03 12:42 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 12:01:29 2024 UTC