[strongSwan-dev] [PATCH] XAUTH workaround for Android 4

Gerd v. Egidy lists at egidy.de
Mon Apr 23 23:27:12 CEST 2012


as Tobias noted in this mail,
Android 4 sends a superflous nullbyte at the end of the XAUTH secret.

The suggested workaround of adding a null in the ipsec.secrets on the server 
quickly becomes a maintenance problem: you have to know which user has which 
device when creating the secrets file. When one user has multiple devices, some 
Android and some others which don't have this problem, you have to create 
multiple user accounts. Once Google fixes this with an Over-The-Air update the 
updated devices can't log in anymore. Etc.

So I created the attached patch with a workaround for Android: 
strongswan then accepts one extra null byte at the end of the secret.

I don't think this weakens security as no sane configuration would allow a 
nullbyte in a password.

Please consider merging upstream.

<rant>Why in hell did stupid Google chose a buggy patched racoon over 
strongswan? They could have had IKEv2, a working MOBIKE implementation, EAP-

Kind regards,

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Workaround-for-Android-4-it-sends-an-extra-nullbyte-.patch
Type: text/x-patch
Size: 1241 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20120423/7e056d8d/attachment.bin>

More information about the Dev mailing list