ID:               46386
User updated by:  lordelph at gmail dot com
Reported By:      lordelph at gmail dot com
Status:           Open
Bug Type:         SOAP related
Operating System: Linux
PHP Version:      5.2.6
New Comment:

Here's a patch which can be applied in /ext/soap to fix the php_http.c file for this issue

http://files.dixo.net/php_bug_46386.patch

It simply ensures the request header containing the authorization response uses the same algorithm value as contained in the server's response.


Previous Comments:
------------------------------------------------------------------------

[2008-10-25 17:04:21] lordelph at gmail dot com

The problem occurs because the Authorization header returned by the SOAP module does not include the algorithm="MD5-sess" value, even though the server has specified this algorithm and the module has obeyed by applying a second hashing round to the HA1 value.

The fix is simply to add an algorithm="xyz" value to the Authorization.

I have verified that this fix works by writing a PHP-based simulation of what the C source code is doing. When the Authorize header is fixed, it works normally. This demonstration is here:

http://pastebin.com/f7996ccbe

You can see around line 507 of ext/soap/php_http.c the code applies the extra hashing step required for MD5-sess, but further down, around line 606, it should be adding the algorithm="foo" value to the Authorization response header. Because it fails to do this, MS SQL server fails to authenticate the request.

------------------------------------------------------------------------

[2008-10-25 16:54:01] lordelph at gmail dot com

Description:
------------
Using the SoapClient class to talk to SOAP services provided by MSSQL server configured with Digest authorization fails if the server specifies that the MD5-sess algorithm be used.

Reproduce code:
---------------
// reproduction requires an MSSQL server configured with
// SOAP services and protected with Digest authorization

// Prior to testing, verify the Digest support by making
// a request with a third party tool like cURL

$options = array(
    'trace' => 1,
    'authentication' => SOAP_AUTHENTICATION_DIGEST,
    'login' => $user,
    'password' => $pass
);
$client = new SoapClient($wsdlfile, $options);
$client->Foo();

Expected result:
----------------
Expect SOAP call 'Foo' to succeed

Actual result:
--------------
SoapFault exception is thrown with the message "Unauthorized"

$client->__getLastRequestHeaders() returns

POST /ept/cv HTTP/1.1
Host: 168.143.179.36
Connection: Keep-Alive
User-Agent: PHP-SOAP/5.2.6-1ubuntu4
Content-Type: text/xml; charset=utf-8
SOAPAction: "ASP.EPT.CVListTerms"
Content-Length: 393
Authorization: Digest username="admin8", realm="Digest", nonce="987675a1c136c901ec4171a06bd402000eb60bf1fd307a9faf41324273b0872d8b56905071490005", uri="/ept/cv", qop="auth", nc="00000001", cnonce="4942e49e", response="3ee12e732e2e04a50c23ffd910164cb8"

$client->__getLastResponseHeaders() returns this:

HTTP/1.1 401 Unauthorized
Content-Length: 0
WWW-Authenticate: Digest qop="auth",algorithm=MD5-sess,nonce="857594a1c136c90161f301be706f9f1e5a4146c3d7a1bf3b63a6b8b14dea6b3afcc195ff8d1fce37",charset=utf-8,realm="Digest"
Server: Microsoft-SQL/9.0 Microsoft-HTTPAPI/1.0
Date: Sat, 25 Oct 2008 16:49:21 GMT
Connection: close

------------------------------------------------------------------------
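
The mismatch described in the comments above, as an added Python sketch (not the reporter's pastebin demonstration and not code from ext/soap): the client applies the MD5-sess round, and the request verifies only when the Authorization header echoes the algorithm. The password, the short nonce and the server_accepts() verifier, which defaults to MD5 when no algorithm is sent as RFC 2617 specifies, are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed challenge in the shape of the server's WWW-Authenticate header.
CHALLENGE = 'Digest qop="auth",algorithm=MD5-sess,nonce="c0ffee0123456789",realm="Digest"'

def md5hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop, algorithm="MD5"):
    """RFC 2617 request-digest for qop=auth."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    if algorithm.lower() == "md5-sess":
        # Extra round for MD5-sess; this sketch re-hashes the hex form of HA1.
        ha1 = md5hex(f"{ha1}:{nonce}:{cnonce}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def parse_params(header):
    """Split 'Digest k="v",k2=v2' into a dict; values may be quoted or bare."""
    found = re.findall(r'(\w+)=(?:"([^"]*)"|([^",\s]+))', header)
    return {key: quoted or bare for key, quoted, bare in found}

def build_authorization(challenge, user, password, method, uri, cnonce,
                        nc="00000001", echo_algorithm=True):
    """Answer a challenge; echo_algorithm=False reproduces the reported header."""
    c = parse_params(challenge)
    alg = c.get("algorithm", "MD5")
    resp = digest_response(user, c["realm"], password, method, uri,
                           c["nonce"], nc, cnonce, c["qop"], alg)
    fields = {"username": user, "realm": c["realm"], "nonce": c["nonce"], "uri": uri,
              "qop": c["qop"], "nc": nc, "cnonce": cnonce, "response": resp}
    if echo_algorithm and "algorithm" in c:
        fields["algorithm"] = alg
    return "Digest " + ", ".join(f'{k}="{v}"' for k, v in fields.items())

def server_accepts(authorization, method, password):
    """Hypothetical verifier: uses the request's algorithm, defaulting to MD5."""
    a = parse_params(authorization)
    expected = digest_response(a["username"], a["realm"], password, method, a["uri"],
                               a["nonce"], a["nc"], a["cnonce"], a["qop"],
                               a.get("algorithm", "MD5"))
    return hmac.compare_digest(expected, a["response"])

if __name__ == "__main__":
    for echo in (False, True):
        hdr = build_authorization(CHALLENGE, "admin8", "example-password", "POST",
                                  "/ept/cv", "4942e49e", echo_algorithm=echo)
        print(echo, server_accepts(hdr, "POST", "example-password"), hdr)
```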