Provide RFC 3394 default IV explicitly for AES key wrap#1
Closed
gregakespret wants to merge 1 commit into
Closed
Conversation
openssl 0.10.80 enforces that any cipher with a defined IV must have one supplied explicitly — passing `None` panics at runtime with "an IV is required for this cipher" inside `Crypter::new` / `decrypt` (see openssl-rs/symm.rs around the IV-required check). The two call sites here are in the RFC 6637 OpenPGP key-wrap helpers and both go through AES Key Wrap (RFC 3394). RFC 3394 §2.2.3.1 defines the "default initial value" for the wrap function as the constant `A6A6A6A6A6A6A6A6`, used when no Alternative Initial Value is supplied. Pass that constant explicitly so the cipher contract is satisfied without changing the wire-level behaviour (the byte stream produced/consumed on the network is identical to what older openssl versions did when `None` was passed). Reproduces with the export-findmy tool against any CloudKit zone that returns PCS-encrypted records (e.g. the FindMy BeaconStore zone) when built against current openssl crate releases. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
gregakespret
added a commit
to gregakespret/rustpush
that referenced
this pull request
May 25, 2026
gregakespret
added a commit
to gregakespret/export-findmy
that referenced
this pull request
May 25, 2026
thisiscam/rustpush#1 contains a one-line openssl-compatibility fix required for `cargo build` against openssl >= 0.10.80 (without it the extractor panics on the first PCS-encrypted record). Until that PR merges upstream, this fork's main points at gregakespret/rustpush which has the patch already merged on the same findmy-export-support branch. Revert this commit (or rebase onto upstream main) once thisiscam/rustpush#1 is merged and thisiscam/master is updated. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Author
|
Closing as a duplicate of OpenBubbles/rustpush#22 — same one-line fix (RFC 3394 default IV constant for Leaving a reproduction signal on the upstream PR so it can be picked up there. If/when upstream merges and this fork rebases, the fix will land here automatically. Apologies for the noise — should have grep'd upstream PRs before filing. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The two
Crypter::new(...ID_AES128_WRAP..., None)/decrypt(..., None, ...)calls in
rfc6637_wrap_key/rfc6637_unwrap_keypanic at runtime againstrecent openssl crate releases (
0.10.80+) with:openssl'sCrypter::newnow enforces that any cipher whoseiv_len()is non-zero must be supplied an IV explicitly; passing
Noneno longerfalls through to the cipher's default.
The two call sites here are RFC 6637 OpenPGP key-wrap helpers and both
internally use AES Key Wrap (RFC 3394). RFC 3394 §2.2.3.1
defines the default initial value for the wrap function as the constant
0xA6A6A6A6A6A6A6A6, used when no Alternative Initial Value is supplied.This PR passes that constant explicitly. The wire-level output is
identical to what older openssl versions produced when
Nonewas passed— the constant is exactly what the cipher was already using internally as
its IV default; we're just no longer relying on openssl to fill it in.
How was this tested
Built locally against
openssl = 0.10.80and ranexport-findmyagainstmy live iCloud account: previously panicked at the first
pcs_keys_for_recordcall (the FindMy BeaconStore zone returnsPCS-encrypted records that need RFC 6637 unwrap during key derivation);
after the fix, all 9
MasterBeaconRecords decrypt cleanly and downstreamfindmy.pylocation fetch returns reports for all 4 AirTags on theaccount.
Reproducible: any CloudKit zone returning PCS-encrypted records will hit
this path. The FindMy BeaconStore zone is the easiest reproduction (via
thisiscam/export-findmy).