cfg80211: Fix BIP (AES-CMAC) cipher validation

This cipher can be used only as a group management frame cipher and as
such, there is no point in validating that it is not used with non-zero
key-index. Instead, verify that it is not used as a pairwise cipher
regardless of the key index.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
[change code to use switch statement which is easier to extend]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This commit is contained in:
Jouni Malinen 2015-01-24 19:52:04 +02:00 committed by Johannes Berg
parent 3cb10943fc
commit 37720569cc
1 changed files with 20 additions and 12 deletions

View File

@ -227,18 +227,26 @@ int cfg80211_validate_key_settings(struct cfg80211_registered_device *rdev,
if (pairwise && !mac_addr)
return -EINVAL;
/*
* Disallow pairwise keys with non-zero index unless it's WEP
* or a vendor specific cipher (because current deployments use
* pairwise WEP keys with non-zero indices and for vendor specific
* ciphers this should be validated in the driver or hardware level
* - but 802.11i clearly specifies to use zero)
*/
if (pairwise && key_idx &&
((params->cipher == WLAN_CIPHER_SUITE_TKIP) ||
(params->cipher == WLAN_CIPHER_SUITE_CCMP) ||
(params->cipher == WLAN_CIPHER_SUITE_AES_CMAC)))
return -EINVAL;
switch (params->cipher) {
case WLAN_CIPHER_SUITE_TKIP:
case WLAN_CIPHER_SUITE_CCMP:
/* Disallow pairwise keys with non-zero index unless it's WEP
* or a vendor specific cipher (because current deployments use
* pairwise WEP keys with non-zero indices and for vendor
* specific ciphers this should be validated in the driver or
* hardware level - but 802.11i clearly specifies to use zero)
*/
if (pairwise && key_idx)
return -EINVAL;
break;
case WLAN_CIPHER_SUITE_AES_CMAC:
/* Disallow BIP (group-only) cipher as pairwise cipher */
if (pairwise)
return -EINVAL;
break;
default:
break;
}
switch (params->cipher) {
case WLAN_CIPHER_SUITE_WEP40: