Bug #46386 [PATCH] Digest authentication with SOAP module fails against MSSQL SOAP services
Submitted: 2008-10-25 16:54 UTC Modified: 2009-06-03 12:42 UTC
Votes: 5
Avg. Score: 4.2 ± 1.0
Reproduced: 3 of 3 (100.0%)
Same Version: 3 (100.0%)
Same OS: 3 (100.0%)
From: lordelph at gmail dot com Assigned:
Status: Closed Package: SOAP related
PHP Version: 5.*, 6CVS (2009-05-05) OS: *
Private report: No CVE-ID: None
 [2008-10-25 16:54 UTC] lordelph at gmail dot com
Description:
------------
Using the SoapClient class to talk to SOAP services provided by MSSQL server configured with Digest authorization fails if the server specifies that the MD5-sess algorithm be used.

Reproduce code:
---------------
<?php
// reproduction requires an MSSQL server configured with
// SOAP services and protected with Digest authorization
// Prior to testing, verify the Digest support by making
// a request with a third party tool like cURL

// Endpoint and credentials (placeholders; fill in for your server)
$wsdlfile = 'https://mssql.example.invalid/ept/cv?wsdl';
$user     = 'username';
$pass     = 'password';

$options = array(
    'trace'          => 1,
    'authentication' => SOAP_AUTHENTICATION_DIGEST,
    'login'          => $user,
    'password'       => $pass,
);

$client = new SoapClient($wsdlfile, $options);

// any operation defined by the WSDL; fails with "Unauthorized" against MD5-sess
$client->Foo();

Expected result:
----------------
Expect SOAP call 'Foo' to succeed

Actual result:
--------------
SoapFault exception is thrown with the message "Unauthorized"

$client->__getLastRequestHeaders() returns

POST /ept/cv HTTP/1.1
Host: 168.143.179.36
Connection: Keep-Alive
User-Agent: PHP-SOAP/5.2.6-1ubuntu4
Content-Type: text/xml; charset=utf-8
SOAPAction: "ASP.EPT.CVListTerms"
Content-Length: 393
Authorization: Digest username="admin8", realm="Digest", nonce="987675a1c136c901ec4171a06bd402000eb60bf1fd307a9faf41324273b0872d8b56905071490005", uri="/ept/cv", qop="auth", nc="00000001", cnonce="4942e49e", response="3ee12e732e2e04a50c23ffd910164cb8"



$client->__getLastResponseHeaders() returns this:

HTTP/1.1 401 Unauthorized
Content-Length: 0
WWW-Authenticate: Digest qop="auth",algorithm=MD5-sess,nonce="857594a1c136c90161f301be706f9f1e5a4146c3d7a1bf3b63a6b8b14dea6b3afcc195ff8d1fce37",charset=utf-8,realm="Digest"
Server: Microsoft-SQL/9.0 Microsoft-HTTPAPI/1.0
Date: Sat, 25 Oct 2008 16:49:21 GMT
Connection: close


 [2008-10-25 17:04 UTC] lordelph at gmail dot com
The problem occurs because the Authorization header returned by the SOAP module does not include the algorithm="MD5-sess" value, even though the server has specified this algorithm and the module has obeyed by applying a second hashing round to the HA1 value.

The fix is simply to add an algorithm="xyz" value to the Authorization. 

I have verified that this fix works by writing a PHP-based simulation of what the C source code is doing. When the Authorize header is fixed, it works normally. This demonstration is here: http://pastebin.com/f7996ccbe

You can see around line 507 of ext/soap/php_http.c the code applies the extra hashing step required for MD5-sess, but further down, around line 606, it should be adding the algorithm="foo" value to the Authorization response header.

Because it fails to do this, MS SQL server fails to authenticate the request.
 [2008-10-27 11:17 UTC] lordelph at gmail dot com
Here's a patch which can be applied in /ext/soap to fix the php_http.c file for this issue

http://files.dixo.net/php_bug_46386.patch

It simply ensures the request header containing the authorization response uses the same algorithm value as contained in the server's response.
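The mismatch described in the two comments above, as an added Python model that is neither the reporter's PHP simulation nor the ext/soap C code: the client computes the RFC 2617 response the MD5-sess way, and a server that takes the algorithm from the Authorization header (defaulting to plain MD5 when it is absent, as RFC 2617 allows) only accepts the header when the algorithm is echoed back. The user name, realm, URI, password, nonce and cnonce are constructed sample values.

```python
import hashlib
import hmac
import re

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop, algorithm="MD5"):
    """RFC 2617 response for qop=auth; MD5-sess adds one extra hashing round over HA1."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    if algorithm.upper() == "MD5-SESS":
        ha1 = md5_hex(f"{ha1}:{nonce}:{cnonce}")  # the step ext/soap already performed
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def build_authorization(user, realm, password, method, uri, nonce, cnonce, algorithm, echo_algorithm):
    """Client side. echo_algorithm=False reproduces the pre-fix header: HA1 is hashed
    the MD5-sess way, but the header never says which algorithm was used."""
    nc, qop = "00000001", "auth"
    resp = digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop, algorithm)
    parts = [f'username="{user}"', f'realm="{realm}"', f'nonce="{nonce}"', f'uri="{uri}"',
             f'qop={qop}', f'nc={nc}', f'cnonce="{cnonce}"', f'response="{resp}"']
    if echo_algorithm:
        parts.insert(4, f"algorithm={algorithm}")  # the value the patch adds
    return "Digest " + ", ".join(parts)

def parse_authorization(header):
    """Split 'Digest k="v", k=v, ...' into a dict (quoted and unquoted values)."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest Authorization header")
    found = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header[len("Digest "):])
    return {k: q if q else b for k, q, b in found}

def server_verify(header, method, passwords):
    """Server side: recompute the response with the algorithm named in the header.
    An absent algorithm means plain MD5 (RFC 2617 default), so the unfixed header fails."""
    f = parse_authorization(header)
    password = passwords.get(f.get("username"))
    if password is None:
        return False
    expected = digest_response(f["username"], f["realm"], password, method, f["uri"],
                               f["nonce"], f["nc"], f["cnonce"], f["qop"], f.get("algorithm", "MD5"))
    return hmac.compare_digest(expected, f.get("response", ""))

# Constructed sample values (not from a real server); a real nonce/cnonce would be random.
SAMPLE = dict(user="admin8", realm="Digest", password="s3cret", method="POST", uri="/ept/cv",
              nonce="0123456789abcdef", cnonce="4942e49e")

def demo(algorithm, echo_algorithm):
    hdr = build_authorization(algorithm=algorithm, echo_algorithm=echo_algorithm, **SAMPLE)
    return server_verify(hdr, SAMPLE["method"], {SAMPLE["user"]: SAMPLE["password"]})
```

demo("MD5-sess", False) models the header in the report and is rejected; demo("MD5-sess", True) models the patched header and is accepted, while plain MD5 works either way because the default already matches.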
 [2009-06-03 12:42 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Oct 27 16:01:27 2024 UTC