[strongSwan-dev] [PATCH] XAUTH workaround for Android 4

Tobias Brunner tobias at strongswan.org
Tue Apr 24 09:43:40 CEST 2012

Hi Gerd,

> So I created the attached patch with a workaround for Android: 
> strongswan then accepts one extra null byte at the end of the secret.

Thanks for the patch.  I pushed an equivalent but slightly modified fix
to master (see [1]).

> I don't think this weakens security as no sane configuration would allow a 
> nullbyte in a password.

Yeah, probably not.  So this could theoretically also be fixed directly
when reading the XAuth password from the payload.  But that would break
if someone already configured secrets with null-bytes at the end.

> <rant>Why in hell did stupid Google chose a buggy patched racoon over 
> strongswan? They could have had IKEv2, a working MOBIKE implementation, EAP-
> AKA,...</rant>

Could be a licensing thing (see [2]).  IPsec-Tools (racoon) is licensed
under a more permissive BSD license.


[1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=7d85bebc
[2] http://source.android.com/source/licenses.html

More information about the Dev mailing list