Bug 1132946 - Missing support for whirlpool HMAC authentication in NetworkManager-openvpn
Missing support for whirlpool HMAC authentication in NetworkManager-openvpn
Status: NEW
Classification: openSUSE
Product: openSUSE Distribution
Classification: openSUSE
Component: Network
Leap 15.0
Other Other
: P5 - None : Normal (vote)
: ---
Assigned To: openSUSE GNOME
E-mail List
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-04-20 20:31 UTC by Stefan Pledl
Modified: 2019-11-27 09:00 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Patch to enable whirlpool HMAC authentication in NetworkManagar-openvpn (1.96 KB, patch)
2019-04-20 20:31 UTC, Stefan Pledl
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Pledl 2019-04-20 20:31:44 UTC
Created attachment 803302 [details]
Patch to enable whirlpool HMAC authentication in NetworkManagar-openvpn

Our VPN uses whirlpool HMAC authentication  (openvpn --auth whirlpool).
Currently Networkmanager-openvpn can not handle this authentication method.

Attached you can find a patch which solves this problem.

journalctl -f

Apr 20 21:22:20 <HOST> kdeinit5[2337]: VPN Setting  type: "vpn"                                                        
                                                     initialized: true                                                               
                                                     service-type: "org.freedesktop.NetworkManager.openvpn"                          
                                                     user-name: ""                                                                   
                                                     data: QMap(("auth", "whirlpool")("ca", "<CA-FILE>")("cert", "<CERT-FILE>")("cert-pass-flags", "0")("cipher", "AES-256-CBC")("comp-lzo", "yes")("connection-type", "password-tls")("key", "<KEY-FILE>")("mssfix", "yes")("password-flags", "1")("port", "1194")("proto-tcp", "yes")("remote", "<REMOTE-IP>")("reneg-seconds", "0")("tunnel-mtu", "1463"))                                                                                 
                                                     secrets: QMap()                                                                 
                                                     persistent: false                                                               
                                                     timeout: 0                                                                      
Apr 20 21:22:42 <HOST> NetworkManager[941]: <warn>  [1555788162.5856] vpn-connection[0x560e12db41e0,0ba16679-22d7-49db-9e39-acec4a05694f,"<VPN-NAME>",0]: VPN connection: failed to connect: 'Invalid HMAC auth.'            
Apr 20 21:22:42 <HOST> NetworkManager[941]: <info>  [1555788162.5868] vpn-connection[0x560e12db41e0,0ba16679-22d7-49db-9e39-acec4a05694f,"<VPN-NAME>",0]: VPN plugin: state changed: stopped (6)
Apr 20 21:22:42 <HOST> NetworkManager[941]: <info>  [1555788162.5878] vpn-connection[0x560e12db41e0,0ba16679-22d7-49db-9e39-acec4a05694f,"<VPN-NAME>",0]: VPN service disappeared
Apr 20 21:22:42 <HOST> kdeinit5[2337]: plasma-nm: Unhandled VPN connection state change:  3
Comment 1 Swamp Workflow Management 2019-05-01 21:00:07 UTC
This is an autogenerated message for OBS integration:
This bug (1132946) was mentioned in
https://build.opensuse.org/request/show/699923 15.0 / NetworkManager-openvpn
Comment 3 Swamp Workflow Management 2019-06-21 19:11:23 UTC
SUSE-RU-2019:1646-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1132946
CVE References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src):    NetworkManager-openvpn-1.8.2-4.3.2
SUSE Linux Enterprise Workstation Extension 15 (src):    NetworkManager-openvpn-1.8.2-4.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Swamp Workflow Management 2019-06-27 19:11:04 UTC
openSUSE-RU-2019:1660-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1132946
CVE References: 
Sources used:
openSUSE Leap 15.1 (src):    NetworkManager-openvpn-1.8.2-lp151.4.3.1
openSUSE Leap 15.0 (src):    NetworkManager-openvpn-1.8.2-lp150.3.3.1
Comment 5 Frederic Crozat 2019-11-27 09:00:28 UTC
I'm a bit surprised to discover this patch was:
 - never submitted upstream to https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/
 - not submitted either to openSUSE:Factory, breaking Factory first policy.