cfg80211: Fix BIP (AES-CMAC) cipher validation

This cipher can be used only as a group management frame cipher and as
such, there is no point in validating that it is not used with non-zero
key-index. Instead, verify that it is not used as a pairwise cipher
regardless of the key index.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
[change code to use switch statement which is easier to extend]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

net/wireless/util.c

@@ -227,18 +227,26 @@ int cfg80211_validate_key_settings(struct cfg80211_registered_device *rdev,
 	if (pairwise && !mac_addr)
 		return -EINVAL;
 
-	/*
+	switch (params->cipher) {
-	 * Disallow pairwise keys with non-zero index unless it's WEP
+	case WLAN_CIPHER_SUITE_TKIP:
-	 * or a vendor specific cipher (because current deployments use
+	case WLAN_CIPHER_SUITE_CCMP:
-	 * pairwise WEP keys with non-zero indices and for vendor specific
+		/* Disallow pairwise keys with non-zero index unless it's WEP
-	 * ciphers this should be validated in the driver or hardware level
+		 * or a vendor specific cipher (because current deployments use
-	 * - but 802.11i clearly specifies to use zero)
+		 * pairwise WEP keys with non-zero indices and for vendor
-	 */
+		 * specific ciphers this should be validated in the driver or
-	if (pairwise && key_idx &&
+		 * hardware level - but 802.11i clearly specifies to use zero)
-	    ((params->cipher == WLAN_CIPHER_SUITE_TKIP) ||
+		 */
-	     (params->cipher == WLAN_CIPHER_SUITE_CCMP) ||
+		if (pairwise && key_idx)
-	     (params->cipher == WLAN_CIPHER_SUITE_AES_CMAC)))
+			return -EINVAL;
-		return -EINVAL;
+		break;
+	case WLAN_CIPHER_SUITE_AES_CMAC:
+		/* Disallow BIP (group-only) cipher as pairwise cipher */
+		if (pairwise)
+			return -EINVAL;
+		break;
+	default:
+		break;
+	}
 
 	switch (params->cipher) {
 	case WLAN_CIPHER_SUITE_WEP40: