ConnectionRequest Digest ACS - curl not the same

Hello,

I am trying to make a connection request from GenieACS, but I always get the “Incorrect connection request credentials” message.

I read the other thread about this problem but my problem is not the same.

If I make a call with curl from the same machine, it triggers the connection request:
curl -i -u USERNAME:PASSWORD http://MY_CPE_IP:7547/cpe --digest

Answer:
HTTP/1.1 401 Unauthorized
Server: YAPS
WWW-Authenticate: Digest realm="YapsieWorld", qop="auth", nonce="3d8ceffbe336ca61b1f983ae8325f8fc", opaque="e7c334cb94a7595234eaf7995785f445"
Content-Length: 0
Connection: close

HTTP/1.1 200 OK
Server: YAPS
Content-Length: 0
Connection: close

And I can see in genieacs-cwmp that the connection request has been triggered immediately.

I used Wireshark to capture the difference between the curl request and the GenieACS one; the only difference I see is that the cnonce sent by curl is much bigger:

GenieACS:
Digest username="USERNAME",realm="YapsieWorld",nonce="32857f8d6076974084b2c9bb23c0655f",uri="/cpe",qop=auth,nc=00000001,cnonce="690cb04b5a5de2e7",response="cd5988750e35ab5f6031b5b0b833f633",opaque="1d83896d386c34d863a8d888cbdb9338"

Curl:
Digest username="USERNAME",realm="YapsieWorld",nonce="0384f9417161ce3c5c826b1c15d0a751",uri="/cpe",qop=auth,nc=00000001,cnonce="MGM1N2VjMjE3M2ZhM2FiN2FlZTE4NmY2ZjE1NzNjYmE=",response="4e0293b12cd04a63501d728ede5beefa",opaque="d428476e9c92879e4cccc04e096b96ea"

Is there a config option to set to solve this issue in GenieACS?

Thank you and have a nice day!

There’s no config option for the length of the cnonce value. But you can change it in the code in auth.ts, line 146.

Thanks for your reply.

The only problem is that I installed GenieACS not from source, but from npm install (as described in the documentation), so I don’t really know where the files are stored. I tried to find them in the /usr/local/lib/node_modules/genieacs/ folder without success.

Can you tell me if it is possible to modify the code with an npm install, or only from source?

Thank you and have a nice day!

Hello,

I found the problem: the issue comes from the encoding of cnonce in the auth.ts file.

I changed this line:

 const cnonce = randomBytes(8).toString("hex");

To this one:

 const cnonce = randomBytes(8).toString("base64");

And now it works.

I found in RFC 2069 that it is recommended to encode the nonce in base64. I think that the CPE I’m using expects base64 encoding:

 nonce
 A server-specified data string which may be uniquely generated each
 time a 401 response is made.  It is recommended that this string be
 base64 or hexadecimal data.  Specifically, since the string is
 passed in the header lines as a quoted string, the double-quote
 character is not allowed.

I don’t know if there is a way to fix this issue in a future release of GenieACS!

Thank you for your help!

The cnonce value is just a string that’s opaque to the server, so I don’t see why it’s attempting to parse and read it. This is definitely an issue that should be raised with the device manufacturer.

I have the same problem. With GenieACS 1.2.2 I receive “Incorrect connection request credentials”, while the same credentials with curl ( curl -i -u username:password http://1x.x.x.x:7547/cpe --digest ) work…
I also installed genieacs via npm; how can I recompile it with the change in the auth.ts file?

Hello,

To modify the code, you must clone the GitHub repository and modify it from there. You cannot modify the compiled versions…

Hello again,

I finally found why there is a problem with the authentication with my CPE.

The HTTP “Authorization” header contains all the values for Digest authentication and they are correct. The problem is that there is no space between those values, and the CPE denies the authentication.

To allow this, I modified the file lib/auth.ts at line 169 by adding a space between all parameters:

   let authString = `Digest username="${username}"`;
   authString += `, realm="${authHeader.realm}"`;
   authString += `, nonce="${authHeader.nonce}"`;
   authString += `, uri="${uri}"`;
   if (authHeader.algorithm) authString += `, algorithm=${authHeader.algorithm}`;
   if (qop) authString += `, qop=${qop}, nc=${nc}, cnonce="${cnonce}"`;
   authString += `, response="${hash}"`;
   if (authHeader.opaque) authString += `, opaque="${authHeader.opaque}"`;

And now it works!

I don’t know if this should be the standard in the HTTP “Authorization” header, but I cannot try this on another modem…

Hope it helps!

In your comment from Sep 21 you said changing to base64 fixed the issue. Is this for a different device?