cfg80211: Fix BIP (AES-CMAC) cipher validation

This cipher can be used only as a group management frame cipher and as
such, there is no point in validating that it is not used with non-zero
key-index. Instead, verify that it is not used as a pairwise cipher
regardless of the key index.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
[change code to use switch statement which is easier to extend]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/net/wireless/util.c b/net/wireless/util.c
index 3535e8ade48f2ee10bd5f544f130b36768114f33..08f136ad2ea536c3c44cb8006c3596619d0eae52 100644 (file)
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -227,18 +227,26 @@ int cfg80211_validate_key_settings(struct cfg80211_registered_device *rdev,
        if (pairwise && !mac_addr)
                return -EINVAL;
 
-       /*
-        * Disallow pairwise keys with non-zero index unless it's WEP
-        * or a vendor specific cipher (because current deployments use
-        * pairwise WEP keys with non-zero indices and for vendor specific
-        * ciphers this should be validated in the driver or hardware level
-        * - but 802.11i clearly specifies to use zero)
-        */
-       if (pairwise && key_idx &&
-           ((params->cipher == WLAN_CIPHER_SUITE_TKIP) ||
-            (params->cipher == WLAN_CIPHER_SUITE_CCMP) ||
-            (params->cipher == WLAN_CIPHER_SUITE_AES_CMAC)))
-               return -EINVAL;
+       switch (params->cipher) {
+       case WLAN_CIPHER_SUITE_TKIP:
+       case WLAN_CIPHER_SUITE_CCMP:
+               /* Disallow pairwise keys with non-zero index unless it's WEP
+                * or a vendor specific cipher (because current deployments use
+                * pairwise WEP keys with non-zero indices and for vendor
+                * specific ciphers this should be validated in the driver or
+                * hardware level - but 802.11i clearly specifies to use zero)
+                */
+               if (pairwise && key_idx)
+                       return -EINVAL;
+               break;
+       case WLAN_CIPHER_SUITE_AES_CMAC:
+               /* Disallow BIP (group-only) cipher as pairwise cipher */
+               if (pairwise)
+                       return -EINVAL;
+               break;
+       default:
+               break;
+       }
 
        switch (params->cipher) {
        case WLAN_CIPHER_SUITE_WEP40: