Digest Authentication

I have a PTZ camera that requires Digest HTTP authentication. Through a lot of google searching I have found your library that mentions Digest authentication in the description.

I couldn’t find any examples of how to use digest so started implementing the module in the same way basic authentication works.
Code Sample
require("http.php");
require("sasl.php");
set_time_limit(0);
$http=new http_class;
$http->timeout=0;
$http->data_timeout=0;
$http->debug=1; /* Trying to get the bottom of things */
$http->html_debug=1;

$user="admin";
$password="password";
$realm=""; /* Authentication realm or domain */
$workstation=""; /* Workstation for NTLM authentication */
$authentication=(strlen($user) ? UrlEncode($user).":".UrlEncode($password)."@" : "");

$url="http://".$authentication."192.168.1.107/pantiltcontrol.cgi";
$error=$http->GetRequestArguments($url,$arguments);
$arguments["RequestMethod"]="POST";
$arguments["PostValues"]=array(
'PanSingleMoveDegree' => '1',
'TiltSingleMoveDegree' => '1',
'PanTiltSingleMove' => '1'
);
//EVERYTHING BELOW THIS IS FROM “test_http_post.php” Line 46 and on.
$arguments["Referer"]="………………

Problem …. Here is the HTTP output from the code


/******** BEGIN HTML CUT PASTE *******/
• Opening connection to:
192.168.1.107
Connecting to 192.168.1.107
Connecting to HTTP server IP 192.168.1.107 port 80...
Connected to 192.168.1.107
C POST /pantiltcontrol.cgi HTTP/1.1
C Host: 192.168.1.107
C User-Agent: httpclient (http://www.phpclasses.org/httpclient $Revision: 1.90 $)
C Connection: Keep-Alive
C Content-Type: application/x-www-form-urlencoded
C Content-Length: 64
C
C PanSingleMoveDegree=1&TiltSingleMoveDegree=1&PanTiltSingleMove=1
• Request:
POST /pantiltcontrol.cgi HTTP/1.1
• Request headers:
Host: 192.168.1.107
User-Agent: httpclient (http://www.phpclasses.org/httpclient $Revision: 1.90 $)
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 64
• Request body:
PanSingleMoveDegree=1&TiltSingleMoveDegree=1&PanTiltSingleMove=1
S HTTP/1.0 401 Authorization Required
S Server: alphapd
S Date: Mon Jul 1 17:24:26 2013
S Pragma: no-cache
S Cache-Control: no-cache
S Content-type: text/html
S WWW-Authenticate: Digest realm="TV-IP851WC",qop="auth", nonce="92ce3129fe2c00edcd081e3773ce5e77"
S
/******** END HTML CUT PASTE *******/

Its like it stops as soon as it sees Digest authentication.


Thoughts?
I’m not sure I implemented the username:password part correctly, is the above correct?
Is there a place to set the authentication type (Basic vs Digest)?

one more note, I can re-aim the camera with the following HTML

<HTML>
<FORM action="http://192.168.1.107/pantiltcontrol.cgi" method="post">
PanSingleMoveDegree <INPUT type="text" name="PanSingleMoveDegree" Value="1">
TiltSingleMoveDegree <INPUT type="text" name="TiltSingleMoveDegree" value="1">
PanTiltSingleMove <INPUT type="text" name="PanTiltSingleMove" value="5">

<INPUT type="submit">

</FORM>
</HTML>


when I watch with Wireshark i can see that the 192.168.1.107 server tells the browser that it requires Digest authentication, then the browser asks for a password, once complete the browser sends the MD5 hash and re-posts the data. After that the camera physically moves.


(that's what happens from a working system)

if required I can get a Wireshark from the php attempt.

Progress....
sasl needed some more dependencies....

Here is the new http output, (still doesn't move the camera)

Opening connection to:

192.168.1.107

Connecting to 192.168.1.107
Connecting to HTTP server IP 192.168.1.107 port 80...
Connected to 192.168.1.107
C POST /pantiltcontrol.cgi HTTP/1.1
C Host: 192.168.1.107
C User-Agent: httpclient (http://www.phpclasses.org/httpclient $Revision: 1.90 $)
C Connection: Keep-Alive
C Content-Type: application/x-www-form-urlencoded
C Content-Length: 64
C
C PanSingleMoveDegree=1&TiltSingleMoveDegree=1&PanTiltSingleMove=1
Request:

POST /pantiltcontrol.cgi HTTP/1.1

Request headers:

Host: 192.168.1.107
User-Agent: httpclient (http://www.phpclasses.org/httpclient $Revision: 1.90 $)
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 64

Request body:

PanSingleMoveDegree=1&TiltSingleMoveDegree=1&PanTiltSingleMove=1

S HTTP/1.0 401 Authorization Required
S Server: alphapd
S Date: Mon Jul 1 19:03:01 2013
S Pragma: no-cache
S Cache-Control: no-cache
S Content-type: text/html
S WWW-Authenticate: Digest realm="TV-IP851WC",qop="auth", nonce="7bf5c030c43343a382f6da644005a6f0"
S
S <html><body><h2>Error: Authorization Required</h2>
<p>Authentication was requested</p></body></html>


Keeping the connection alive to 192.168.1.107
Reusing connection to 192.168.1.107
C POST /pantiltcontrol.cgi HTTP/1.1
C Host: 192.168.1.107
C User-Agent: httpclient (http://www.phpclasses.org/httpclient $Revision: 1.90 $)
C Connection: Keep-Alive
C Authorization: Digest username="admin", realm="TV-IP851WC", nonce="7bf5c030c43343a382f6da644005a6f0", uri="/pantiltcontrol.cgi", response="e84eb01246a5cbd5d661071f52ebccc0", qop="auth", nc=00000001, cnonce="40789457063198e57ffb1085c939055a"
C Content-Type: application/x-www-form-urlencoded
C Content-Length: 64
C
C PanSingleMoveDegree=1&TiltSingleMoveDegree=1&PanTiltSingleMove=1
Response headers:

Response body:

Disconnected from 192.168.1.107
Error: could not read request reply: reached the end of data while reading from the HTTP server connection: the server disconnected

More debuging....

Down to compairing wireshark logs now...

I have noticed that the value of cnonce being sent from the client to the server under Firefox and IE is ALLWays 16 characters


Digest username=\"admin\", realm=\"TV-IP851WC\", nonce=\"c4f0a3b48859c400e2fc689b2a9e55f1\", uri=\"/c1_tl.gif\", response=\"3ac264538856b11fe05f958847714e22\", qop=auth, nc=00000041, cnonce=\"a3e833dc0a034714\"

Digest username=\"admin\", realm=\"TV-IP851WC\", nonce=\"c4f0a3b48859c400e2fc689b2a9e55f1\", uri=\"/top_1.gif\", response=\"c8b5c29258e6d04b9ff9e8eaa5c95d35\", qop=auth, nc=00000042, cnonce=\"3471e807766c9429\"

Digest username=\"admin\", realm=\"TV-IP851WC\", nonce=\"c4f0a3b48859c400e2fc689b2a9e55f1\", uri=\"/c1_tr.gif\", response=\"29a45ae56a10105d347c3fcfe540115c\", qop=auth, nc=00000043, cnonce=\"d021319aaab43d8e\"


however the output from the sasl library is ALWAYS 32 characters, and "qop=auth" has quotes around "auth" as well (not sure if that's a bad thing)

Digest username="admin", realm="TV-IP851WC", nonce="4dd6f79e02faca2e2c8a593fbc664001", uri="/pantiltcontrol.cgi", response="1aa72e898903697139f4299d31ebdadf", qop="auth", nc=00000001, cnonce="4d8bb06e9a8933adffea006a8c870de2"

Digest username="admin", realm="TV-IP851WC", nonce="07d0cfb5964de6469e6c716a108d02c4", uri="/pantiltcontrol.cgi", response="b539c94690ffc25c6c38705e43a52332", qop="auth", nc=00000001, cnonce="6a9ae4ab216a2be2cd2aeb070837f37f"

Digest username="admin", realm="TV-IP851WC", nonce="013600819f5073f55377a0a4c3207f56", uri="/pantiltcontrol.cgi", response="252a1cf0349a76dffbc0cc7e10821191", qop="auth", nc=00000001, cnonce="b1ae9f0d90e9e6e8882fafb853d80b5c"

I am not able to reproduce this because I do not have access to a server that implements digest authentication. Can you provide access to a server like that so I can try to reproduce the problem?