From 401965f1e9f74b43c88477d2ff6ac4d6c62ab5a8 Mon Sep 17 00:00:00 2001
From: Paul Selkirk
Date: Tue, 28 Apr 2020 12:11:49 -0400
Subject: The new keywrap core now talks directly to the MKM, so I split the code that talks to that core out of aes_keywrap.c. The HSM will now be built with just the keywrap core, with no user access to aes or mkmif.
---
 ks.c | 19 +++---------------
 1 file changed, 3 insertions(+), 16 deletions(-)
(limited to 'ks.c')
diff --git a/ks.c b/ks.c
index 72bb0fe..5f81132 100644
--- a/ks.c
+++ b/ks.c
@@ -538,9 +538,6 @@ static hal_error_t construct_key_block(hal_ks_block_t *block,
 return HAL_ERROR_IMPOSSIBLE;
 hal_ks_key_block_t *k = &block->key;
- hal_error_t err = HAL_OK;
- uint8_t kek[KEK_LENGTH];
- size_t kek_len;
 memset(block, 0xFF, sizeof(*block));
@@ -554,12 +551,7 @@ static hal_error_t construct_key_block(hal_ks_block_t *block,
 k->der_len = SIZEOF_KS_KEY_BLOCK_DER;
 k->attributes_len = 0;
- if ((err = hal_mkm_get_kek(kek, &kek_len, sizeof(kek))) == HAL_OK)
- err = hal_aes_keywrap(NULL, kek, kek_len, der, der_len, k->der, &k->der_len);
-
- memset(kek, 0, sizeof(kek));
-
- return err;
+ return hal_keywrap_wrap(NULL, NULL, 0, der, der_len, k->der, &k->der_len);
 }
 /*
@@ -660,19 +652,14 @@ hal_error_t hal_ks_fetch(hal_ks_t *ks,
 if (der != NULL) {
- uint8_t kek[KEK_LENGTH];
- size_t kek_len, der_len_;
- hal_error_t err;
+ size_t der_len_;
 if (der_len == NULL)
 der_len = &der_len_;
 *der_len = der_max;
- if ((err = hal_mkm_get_kek(kek, &kek_len, sizeof(kek))) == HAL_OK)
- err = hal_aes_keyunwrap(NULL, kek, kek_len, der, k_der_len, der, der_len);
-
- memset(kek, 0, sizeof(kek));
+ err = hal_keywrap_unwrap(NULL, NULL, 0, der, k_der_len, der, der_len);
 }
 return err;
--
cgit v1.2.3
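Review bot: The `NULL, NULL, 0` arguments in the new `hal_keywrap_wrap()` call in construct_key_block() are not explained at the call site, and the same holds for the `hal_keywrap_unwrap()` call in the hal_ks_fetch() hunk. Going by the commit message, the core now obtains the KEK from the MKM itself, so someone auditing key handling needs to see that the absent KEK is deliberate rather than a forgotten argument. I would add a comment above each call such as `/* No KEK passed: the keywrap core reads it from the MKM directly. */`. The removed code returned the error from `hal_mkm_get_kek()` before wrapping; whether `hal_keywrap_wrap()` reports an unset master key in the same way is not visible here and is worth confirming. construct_key_block() starts outside the hunk.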
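Review bot: The unwrap in hal_ks_fetch() runs in place (`der` is both input and output), and nothing in the hunk clears the caller's buffer when `hal_keywrap_unwrap()` fails. If the core writes output before its integrity check completes (not visible from here), a failed fetch could leave unverified bytes in `der` and a stale `*der_len` for a caller that does not check the return value first. Consider following the call with `if (err != HAL_OK) { memset(der, 0, der_max); *der_len = 0; }`. The assignment now targets the `err` declared outside the hunk, and the function itself starts and ends outside it.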