Track Joachim's latest keywrap core - KEK remains in the AES core until it times out or is explicitly zeroed out.

1 files changed, 3 insertions, 16 deletions

diff --git a/ks.c b/ks.c
index a682cd2..51ea303 100644
--- a/ks.c
+++ b/ks.c
@@ -536,9 +536,6 @@ static hal_error_t construct_key_block(hal_ks_block_t *block,
     return HAL_ERROR_IMPOSSIBLE;
 
   hal_ks_key_block_t *k = &block->key;
-  hal_error_t err = HAL_OK;
-  uint8_t kek[KEK_LENGTH];
-  size_t kek_len;
 
   memset(block, 0xFF, sizeof(*block));
 
@@ -552,12 +549,7 @@ static hal_error_t construct_key_block(hal_ks_block_t *block,
   k->der_len = SIZEOF_KS_KEY_BLOCK_DER;
   k->attributes_len = 0;
 
-  if ((err = hal_mkm_get_kek(kek, &kek_len, sizeof(kek))) == HAL_OK)
-    err = hal_aes_keywrap(NULL, kek, kek_len, der, der_len, k->der, &k->der_len);
-
-  memset(kek, 0, sizeof(kek));
-
-  return err;
+  return hal_aes_keywrap(NULL, NULL, 0, der, der_len, k->der, &k->der_len);
 }
 
 /*
@@ -658,19 +650,14 @@ hal_error_t hal_ks_fetch(hal_ks_t *ks,
 
   if (der != NULL) {
 
-    uint8_t kek[KEK_LENGTH];
-    size_t kek_len, der_len_;
-    hal_error_t err;
+    size_t der_len_;
 
     if (der_len == NULL)
       der_len = &der_len_;
 
     *der_len = der_max;
 
-    if ((err = hal_mkm_get_kek(kek, &kek_len, sizeof(kek))) == HAL_OK)
-      err = hal_aes_keyunwrap(NULL, kek, kek_len, der, k_der_len, der, der_len);
-
-    memset(kek, 0, sizeof(kek));
+    err = hal_aes_keyunwrap(NULL, NULL, 0, der, k_der_len, der, der_len);
   }
 
   return err;