Commit 997a4a39 authored by Remi NGUYEN VAN

Disallow PAP authentication when MPPE is requested

MPPE cannot work if PAP is used as authentication, so it is not useful
to allow PAP authentication when MPPE is enforced: establishing the
tunnel would fail anyway with "MPPE required, but MS-CHAP[v2] auth not
performed".
Also users enforcing MPPE may assume that this means PAP will not be
used for authentication, so without this change MPPE enforcement gives a
false sense of security, as PAP uses plain-text credentials.

Bug: 201660636
Test: atest VpnTest
Change-Id: Ie318d45fe44294e97cf38da7f1834cf014cb4417
parent d74805e9
+7 −0
@@ -2310,6 +2310,13 @@ public class Vpn {
                    "usepeerdns", "idle", "1800", "mtu", "1270", "mru", "1270",
                    (profile.mppe ? "+mppe" : "nomppe"),
                };
                if (profile.mppe) {
                    // Disallow PAP authentication when MPPE is requested, as MPPE cannot work
                    // with PAP anyway, and users may not expect PAP (plain text) to be used when
                    // MPPE was requested.
                    mtpd = Arrays.copyOf(mtpd, mtpd.length + 1);
                    mtpd[mtpd.length - 1] = "-pap";
                }
                break;
            case VpnProfile.TYPE_L2TP_IPSEC_PSK:
            case VpnProfile.TYPE_L2TP_IPSEC_RSA:
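
Review bot: In the `if (profile.mppe)` block only PAP is refused, yet the failure quoted in the commit message ("MPPE required, but MS-CHAP[v2] auth not performed") applies to any method other than MS-CHAP or MS-CHAPv2, so a peer that negotiates a different non-MS-CHAP method would still reach the late tunnel failure instead of being rejected up front. Either refuse those methods here as well, or extend the code comment to state that PAP is singled out because it is the one that sends credentials in plain text. The change as shown is limited to this hunk (+7 −0) and includes no test; a case in VpnTest asserting that the `mtpd` argument array ends with `"-pap"` when `profile.mppe` is true, and does not contain it otherwise, would keep this from regressing.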