Hi,

as Tobias noted in this mail, https://lists.strongswan.org/pipermail/users/2012-February/007124.html Android 4 sends a superfluous nullbyte at the end of the XAUTH secret.

The suggested workaround of adding a null in the ipsec.secrets on the server quickly becomes a maintenance problem: you have to know which user has which device when creating the secrets file. When one user has multiple devices, some Android and some others which don't have this problem, you have to create multiple user accounts. Once Google fixes this with an Over-The-Air update, the updated devices can't log in anymore. Etc.

So I created the attached patch with a workaround for Android: strongswan then accepts one extra null byte at the end of the secret. I don't think this weakens security as no sane configuration would allow a nullbyte in a password.

Please consider merging upstream.

<rant>Why in hell did stupid Google choose a buggy patched racoon over strongswan? They could have had IKEv2, a working MOBIKE implementation, EAP-AKA,...</rant>

Kind regards,

Gerd

From 5c8276123dee4f98a0e3aaedc769c9491338046f Mon Sep 17 00:00:00 2001 From: Gerd von Egidy <[email protected]> Date: Mon, 23 Apr 2012 23:09:02 +0200 Subject: [PATCH] Workaround for Android 4: it sends an extra nullbyte at the end --- src/pluto/plugins/xauth/xauth_default_verifier.c | 13 +++++++++++++ 1 files changed, 13 insertions(+), 0 deletions(-) diff --git a/src/pluto/plugins/xauth/xauth_default_verifier.c b/src/pluto/plugins/xauth/xauth_default_verifier.c index 776f771..21b783b 100644 --- a/src/pluto/plugins/xauth/xauth_default_verifier.c +++ b/src/pluto/plugins/xauth/xauth_default_verifier.c @@ -43,6 +43,19 @@ METHOD(xauth_verifier_t, verify_secret, bool, if (get_xauth_secret(user, server, &xauth_secret)) { success = chunk_equals(secret, xauth_secret); + + /* Workaround for Android 4: it sends an extra nullbyte at the end */ + if (success == FALSE) + { + char nullbyte=0; + chunk_t nullbyte_chunk=chunk_create(&nullbyte,1); + chunk_t xauth_secret_nullbyte=chunk_cat("cc",xauth_secret,nullbyte_chunk); + + success = chunk_equals(secret, xauth_secret_nullbyte); + + chunk_clear(&xauth_secret_nullbyte); + } + chunk_clear(&xauth_secret); } return success; -- 1.7.6.5
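
Review bot: the fallback comparison added after `success = chunk_equals(secret, xauth_secret);` runs for every peer, not only for Android 4 clients, so any client that sends the stored secret followed by one zero byte now authenticates. The code comment should state that explicitly, and it is worth considering a configuration option to gate the workaround so it can be switched off once fixed devices are in the field. The temporary `xauth_secret_nullbyte` built with `chunk_cat("cc", ...)` puts a second copy of the stored secret on the heap only to compare it. Checking that `secret.len == xauth_secret.len + 1`, that the last byte of `secret` is zero, and then comparing only the first `xauth_secret.len` bytes would give the same result without the allocation or the extra `chunk_clear`. Style: `char nullbyte=0;` and the two `chunk_t` initialisers lack the spaces around `=` and after commas that the surrounding lines use.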
_______________________________________________ Dev mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/dev
