[strongSwan-dev] [PATCH] XAUTH workaround for Android 4
Gerd v. Egidy
lists at egidy.de
Mon Apr 23 23:27:12 CEST 2012
Hi,
as Tobias noted in this mail,
https://lists.strongswan.org/pipermail/users/2012-February/007124.html
Android 4 sends a superfluous null byte at the end of the XAUTH secret.
The suggested workaround of adding a null in the ipsec.secrets on the server
quickly becomes a maintenance problem: you have to know which user has which
device when creating the secrets file. When one user has multiple devices, some
Android and some others which don't have this problem, you have to create
multiple user accounts. Once Google fixes this with an Over-The-Air update the
updated devices can't log in anymore. Etc.
So I created the attached patch with a workaround for Android:
strongswan then accepts one extra null byte at the end of the secret.
I don't think this weakens security as no sane configuration would allow a
null byte in a password.
Please consider merging upstream.
<rant>Why in hell did stupid Google choose a buggy patched racoon over
strongswan? They could have had IKEv2, a working MOBIKE implementation,
EAP-AKA,...</rant>
Kind regards,
Gerd
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Workaround-for-Android-4-it-sends-an-extra-nullbyte-.patch
Type: text/x-patch
Size: 1241 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20120423/7e056d8d/attachment.bin>
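An added illustration of the tolerance described in the mail above (accept the configured secret, or the configured secret followed by exactly one null byte). It is not the attached patch and not strongSwan code; `secret_buf`, `BUF`, `ct_equal`, `xauth_secret_matches` and the sample secrets are hypothetical names and constructed values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical length-delimited buffer; XAUTH secrets arrive with a length. */
typedef struct {
    const uint8_t *ptr;
    size_t len;
} secret_buf;

/* Constructed-sample helper: wrap a string literal, keeping embedded NULs. */
#define BUF(lit) ((secret_buf){ (const uint8_t *)(lit), sizeof(lit) - 1 })

/* Compare n bytes without exiting early on the first mismatch. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* 1 if received == configured, or configured plus exactly one 0x00; else 0. */
int xauth_secret_matches(secret_buf received, secret_buf configured)
{
    if (received.len == configured.len)
        return ct_equal(received.ptr, configured.ptr, configured.len);
    if (received.len == configured.len + 1 &&
        received.ptr[received.len - 1] == 0x00)
        return ct_equal(received.ptr, configured.ptr, configured.len);
    return 0;
}

int main(void)
{
    secret_buf conf = BUF("s3cret");            /* constructed sample secret */
    printf("exact:        %d\n", xauth_secret_matches(BUF("s3cret"), conf));
    printf("one NUL:      %d\n", xauth_secret_matches(BUF("s3cret\0"), conf));
    printf("two NULs:     %d\n", xauth_secret_matches(BUF("s3cret\0\0"), conf));
    printf("other suffix: %d\n", xauth_secret_matches(BUF("s3cretX"), conf));
    /* Old workaround (NUL stored in the secret): a fixed client now fails. */
    printf("old config:   %d\n",
           xauth_secret_matches(BUF("s3cret"), BUF("s3cret\0")));
    return 0;
}
```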