#46386 [Opn]: Digest authentication with SOAP module fails against MSSQL SOAP services

2008-10-27 Thread lordelph at gmail dot com
 ID:   46386
 User updated by:  lordelph at gmail dot com
 Reported By:  lordelph at gmail dot com
 Status:   Open
 Bug Type: SOAP related
 Operating System: Linux
 PHP Version:  5.2.6
 New Comment:

Here's a patch which can be applied in /ext/soap to fix the php_http.c
file for this issue

http://files.dixo.net/php_bug_46386.patch

It simply ensures the request header containing the authorization
response uses the same algorithm value as contained in the server's
response.




-- 
Edit this bug report at http://bugs.php.net/?id=46386&edit=1



#46386 [Com]: Digest authentication with SOAP module fails against MSSQL SOAP services

2008-10-25 Thread lordelph at gmail dot com
 ID:   46386
 Comment by:   lordelph at gmail dot com
 Reported By:  lordelph at gmail dot com
 Status:   Open
 Bug Type: SOAP related
 Operating System: Linux
 PHP Version:  5.2.6
 New Comment:

The problem occurs because the Authorization header returned by the
SOAP module does not include the algorithm="MD5-sess" value, even though
the server has specified this algorithm and the module has obeyed by
applying a second hashing round to the HA1 value.

The fix is simply to add an algorithm="xyz" value to the Authorization.


I have verified that this fix works by writing a PHP-based simulation of
what the C source code is doing. When the Authorization header is fixed, it
works normally. This demonstration is here:
http://pastebin.com/f7996ccbe

You can see around line 507 of ext/soap/php_http.c the code applies the
extra hashing step required for MD5-sess, but further down, around line
606, it should be adding the algorithm="foo" value to the Authorization
response header.

Because it fails to do this, MS SQL server fails to authenticate the
request.







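The computation the two comments above describe (the extra MD5-sess hashing round on HA1, and why the Authorization header has to echo the algorithm value from the server's challenge, which is all the linked patch changes) can be checked offline. The following is an added Python example; it is not part of the bug report, of the reporter's patch, or of ext/soap. It builds the client's Authorization header from a WWW-Authenticate challenge with and without the algorithm parameter, then checks it against a server model. The server model assumes the RFC 2617 rule that a missing algorithm parameter means plain MD5; that is the most plausible reason for the 401, but the report only shows the rejection, not what MSSQL does internally. The nonce, account, password and URI are constructed values, not the ones captured in the report.

```python
import hashlib
import hmac
import re


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def parse_digest_params(header_value: str) -> dict:
    """Split 'Digest k="v", k2=v2, ...' (quoted or bare values) into a dict."""
    body = header_value[len("Digest "):] if header_value.startswith("Digest ") else header_value
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', body):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return params


def compute_ha1(username, realm, password, algorithm, nonce, cnonce):
    """RFC 2617 3.2.2.2: for MD5-sess the user hash gets a second MD5 round over
    the nonces. This is the extra step the reporter points at in php_http.c."""
    h = md5_hex(f"{username}:{realm}:{password}")
    if algorithm.upper() == "MD5-SESS":
        h = md5_hex(f"{h}:{nonce}:{cnonce}")
    return h


def compute_response(ha1, method, uri, nonce, nc, cnonce, qop):
    """RFC 2617 3.2.2.1 request-digest for qop=auth."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(username, password, method, uri, challenge,
                        cnonce, nc="00000001", include_algorithm=True):
    """Client side: answer a WWW-Authenticate challenge.

    include_algorithm=False mimics the unpatched ext/soap behaviour described
    in the report: HA1 is computed the MD5-sess way, but the algorithm
    parameter is not echoed back to the server.
    """
    ch = parse_digest_params(challenge)
    algorithm = ch.get("algorithm", "MD5")   # RFC 2617: absent means MD5
    qop = "auth"
    ha1 = compute_ha1(username, ch["realm"], password, algorithm, ch["nonce"], cnonce)
    response = compute_response(ha1, method, uri, ch["nonce"], nc, cnonce, qop)
    fields = [f'username="{username}"', f'realm="{ch["realm"]}"',
              f'nonce="{ch["nonce"]}"', f'uri="{uri}"', f"qop={qop}", f"nc={nc}",
              f'cnonce="{cnonce}"', f'response="{response}"']
    if include_algorithm:
        fields.append(f"algorithm={algorithm}")
    return "Digest " + ", ".join(fields)


def server_verify(authorization, method, password_db, issued_nonce):
    """Server side, following the RFC default: no algorithm parameter means MD5.

    Assumption: this default is what makes a server reject a response that was
    actually computed the MD5-sess way; the bug report only shows the 401.
    """
    p = parse_digest_params(authorization)
    password = password_db.get(p.get("username"))
    if password is None or p.get("nonce") != issued_nonce:
        return False
    algorithm = p.get("algorithm", "MD5")
    ha1 = compute_ha1(p["username"], p["realm"], password, algorithm,
                      p["nonce"], p.get("cnonce", ""))
    expected = compute_response(ha1, method, p["uri"], p["nonce"], p.get("nc", ""),
                                p.get("cnonce", ""), p.get("qop", "auth"))
    return hmac.compare_digest(expected, p.get("response", ""))


# Constructed values standing in for the report's real nonce, account and URI.
NONCE = "0123456789abcdef0123456789abcdef"
CHALLENGE = f'Digest qop="auth",algorithm=MD5-sess,nonce="{NONCE}",charset=utf-8,realm="Digest"'
PASSWORDS = {"soapuser": "correct horse battery staple"}


def demo(include_algorithm):
    """One client/server round trip; returns whether the server accepted it."""
    auth = build_authorization("soapuser", PASSWORDS["soapuser"], "POST", "/ept/cv",
                               CHALLENGE, cnonce="4942e49e",
                               include_algorithm=include_algorithm)
    return server_verify(auth, "POST", PASSWORDS, NONCE)


if __name__ == "__main__":
    print("with algorithm=MD5-sess :", demo(True))
    print("without algorithm       :", demo(False))
```

Note that the example emits qop and nc as bare tokens with an eight-digit nonce count, as RFC 2617 specifies; the captured request in the report quotes both and sends a four-digit nc, which a strict server could also object to independently of the missing algorithm parameter.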



#46386 [NEW]: Digest authentication with SOAP module fails against MSSQL SOAP services

2008-10-25 Thread lordelph at gmail dot com
From: lordelph at gmail dot com
Operating system: Linux
PHP version:  5.2.6
PHP Bug Type: SOAP related
Bug description:  Digest authentication with SOAP module fails against MSSQL SOAP services

Description:

Using the SoapClient class to talk to SOAP services provided by an MSSQL
server configured with Digest authorization fails if the server specifies
that the MD5-sess algorithm be used.

Reproduce code:
---
<?php
// reproduction requires an MSSQL server configured with
// SOAP services and protected with Digest authorization
// Prior to testing, verify the Digest support by making
// a request with a third party tool like cURL

// placeholders: point these at the real WSDL and account
$wsdlfile = 'http://sql-host/ept/cv?wsdl';
$user     = 'username';
$pass     = 'password';

$options = array(
    'trace'          => 1,   // keep the last request/response for inspection
    'authentication' => SOAP_AUTHENTICATION_DIGEST,
    'login'          => $user,
    'password'       => $pass,
);

$client = new SoapClient($wsdlfile, $options);

try {
    $client->Foo();
} catch (SoapFault $e) {
    // on the failing build this prints "Unauthorized" and the headers below
    echo $e->getMessage(), "\n";
    echo $client->__getLastRequestHeaders(), "\n";
    echo $client->__getLastResponseHeaders(), "\n";
}

Expected result:

Expect SOAP call 'Foo' to succeed

Actual result:
--
SoapFault exception is thrown with the message "Unauthorized"

$client->__getLastRequestHeaders() returns

POST /ept/cv HTTP/1.1
Host: 168.143.179.36
Connection: Keep-Alive
User-Agent: PHP-SOAP/5.2.6-1ubuntu4
Content-Type: text/xml; charset=utf-8
SOAPAction: "ASP.EPT.CVListTerms"
Content-Length: 393
Authorization: Digest username="admin8", realm="Digest",
nonce="987675a1c136c901ec4171a06bd402000eb60bf1fd307a9faf41324273b0872d8b56905071490005",
uri="/ept/cv", qop="auth", nc="0001", cnonce="4942e49e",
response="3ee12e732e2e04a50c23ffd910164cb8"



$client->__getLastResponseHeaders() returns this:

HTTP/1.1 401 Unauthorized
Content-Length: 0
WWW-Authenticate: Digest qop="auth",algorithm=MD5-sess,nonce="857594a1c136c90161f301be706f9f1e5a4146c3d7a1bf3b63a6b8b14dea6b3afcc195ff8d1fce37",charset=utf-8,realm="Digest"
Server: Microsoft-SQL/9.0 Microsoft-HTTPAPI/1.0
Date: Sat, 25 Oct 2008 16:49:21 GMT
Connection: close

