Home Original page

[PATCH] Digest authentication with SOAP module fails against MSSQL SOAP services

Bug #46386 [PATCH] Digest authentication with SOAP module fails against MSSQL SOAP services
Submitted: 2008-10-25 16:54 UTC Modified: 2009-06-03 12:42 UTC
Votes:5
Avg. Score:4.2 ± 1.0
Reproduced:3 of 3 (100.0%)
Same Version:3 (100.0%)
Same OS:3 (100.0%)
From: lordelph at gmail dot com Assigned:
Status: Closed Package: SOAP related
PHP Version: 5.*, 6CVS (2009-05-05) OS: *
Private report: No CVE-ID: None

 [2008-10-25 16:54 UTC] lordelph at gmail dot com

Description:
------------
Using the SoapClient class to talk to SOAP services provided by MSSQL server configured with Digest authorization fails if the server specifies that the MD5-sess algorithm be used

Reproduce code:
---------------
// reproduction requires an MSSQL server configured with 
// SOAP services and protected with Digest authorization
// Prior to testing, verify the Digest support by making a
// a request with a third party tool like cURL

$options=array(
'trace'      => 1,					
'authentication' => SOAP_AUTHENTICATION_DIGEST,
'login'=> $user, 
'password'=>$pass
);
  			
$client = new SoapClient($wsdlfile, $options);  
			
$client->Foo(); 

Expected result:
----------------
Expect SOAP call 'Foo' to succeed

Actual result:
--------------
SoapFault exception is thrown with the message "Unauthorized"

$client->__getLastRequestHeaders() returns

POST /ept/cv HTTP/1.1
Host: 168.143.179.36
Connection: Keep-Alive
User-Agent: PHP-SOAP/5.2.6-1ubuntu4
Content-Type: text/xml; charset=utf-8
SOAPAction: "ASP.EPT.CVListTerms"
Content-Length: 393
Authorization: Digest username="admin8", realm="Digest", nonce="987675a1c136c901ec4171a06bd402000eb60bf1fd307a9faf41324273b0872d8b56905071490005", uri="/ept/cv", qop="auth", nc="00000001", cnonce="4942e49e", response="3ee12e732e2e04a50c23ffd910164cb8"



$client->__getLastResponseHeaders() returns this:

HTTP/1.1 401 Unauthorized
Content-Length: 0
WWW-Authenticate: Digest qop="auth",algorithm=MD5-sess,nonce="857594a1c136c90161f301be706f9f1e5a4146c3d7a1bf3b63a6b8b14dea6b3afcc195ff8d1fce37",charset=utf-8,realm="Digest"
Server: Microsoft-SQL/9.0 Microsoft-HTTPAPI/1.0
Date: Sat, 25 Oct 2008 16:49:21 GMT
Connection: close

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

 [2008-10-25 17:04 UTC] lordelph at gmail dot com

The problem occurs because the Authorization header returned by the SOAP module does not include the algorithm="MD5-sess" value, even though the server has specified this algorithm and the module has obeyed by applying a second hashing round to the HA1 value.

The fix is simply to add an algorithm="xyz" value to the Authorization. 

I have verified that this fix works by writng a PHP-based simulation of what the C source code is doing. When the Authorize header is fixed, it works normally. This demonstration is here: http://pastebin.com/f7996ccbe

You can see around lne 507 of ext/soap/php_http.c the code applies the extra hashing step required for MD5-sess, but further down, around line 606, it should be adding the algorithm="foo" value to the Authorization response header.

Because it fails to do this, MS SQL server fails to authenticate the request.

 [2008-10-27 11:17 UTC] lordelph at gmail dot com

Here's a patch which can be applied in /ext/soap to fix the php_http.c file for this issue

http://files.dixo.net/php_bug_46386.patch

It simply ensures the request header containing the authorization response uses the same algorithm value as contained in the server's response.

 [2009-06-03 12:42 UTC] iliaa@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.