pub fn decrypt_ciphertext_stream<R, W>(
    input_reader: R,
    output_writer: W,
    initial_vector: &Iv16,
    encryption_key: &Aes256Key32,
    config: StreamConfig,
) -> Result<(), AescryptError>

Streams ciphertext from input_reader through AES-256-CBC decryption,
writes the recovered plaintext to output_writer, and verifies the
version-appropriate HMAC trailer.
decrypt_ciphertext_stream is the per-block worker for crate::decrypt().
It consumes the encrypted payload (everything after the encrypted session
block on disk), decrypts each 16-byte CBC block into the
crate::decryption ring buffer, and finally validates the trailer:
- StreamConfig::V0/StreamConfig::V3: 32-byte contiguous HMAC-SHA256 tag.
- StreamConfig::V1/StreamConfig::V2: 33-byte trailer (modulo byte plus HMAC-SHA256 tag).
§Errors
- AescryptError::Io: reader or writer error during the streaming loop or trailer write.
- AescryptError::Header: trailer length mismatch ("v0: expected 32-byte HMAC trailer", "v1/v2: expected 33-byte trailer", "v3: expected 32-byte HMAC trailer"), payload-HMAC mismatch ("HMAC verification failed"), or invalid v3 PKCS#7 padding ("v3: invalid PKCS#7 padding").
§Panics
Never panics on valid input. The internal expect("computed hmac is 32 bytes")
is a structural invariant of HMAC-SHA256.
§Security
- Decrypt-then-verify. Plaintext blocks are written to output_writer as they are produced. The HMAC tag is checked after the stream ends, so partial unauthenticated plaintext may already be on output_writer when this function returns an error. See crate::decrypt() for the caller contract.
- HMAC and PKCS#7 padding comparisons use secure-gate’s ConstantTimeEq.
- All session keys, IVs, ring-buffer slots, and trailers live in secure-gate aliases that zeroize on drop.
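
One caller-side way to contain the decrypt-then-verify behaviour described above, as an added example that is not the crate's own code. `streaming_decrypt_stub` is a hypothetical stand-in that mimics only the write-then-fail shape (no real AES or HMAC), and `decrypt_gated` and `wipe` are hypothetical helpers that stage output privately and release it only on `Ok`.

```rust
use std::io::{self, Read, Write};

// Hypothetical stand-in for a decrypt-then-verify worker: it writes output as
// it goes and reports the authentication result only after the stream ends.
// No real AES or HMAC is performed; `tag_ok` simulates the trailer check.
fn streaming_decrypt_stub<R: Read, W: Write>(mut r: R, mut w: W, tag_ok: bool) -> io::Result<()> {
    io::copy(&mut r, &mut w)?; // bytes reach the writer before any verification
    if tag_ok {
        Ok(())
    } else {
        Err(io::Error::new(io::ErrorKind::InvalidData, "HMAC verification failed"))
    }
}

// Best-effort wipe of the staging buffer. Volatile writes keep the stores from
// being optimized away; copies left behind by earlier Vec growth are not covered.
fn wipe(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        unsafe { std::ptr::write_volatile(b, 0) }
    }
}

/// Runs `worker` against a private staging buffer and forwards the bytes to
/// `sink` only if the worker returned Ok, i.e. only after verification passed.
/// Returns the number of bytes released.
pub fn decrypt_gated<W, F>(mut sink: W, worker: F) -> io::Result<usize>
where
    W: Write,
    F: FnOnce(&mut Vec<u8>) -> io::Result<()>,
{
    let mut staged = Vec::new();
    let result = worker(&mut staged)
        .and_then(|()| sink.write_all(&staged))
        .map(|()| staged.len());
    wipe(&mut staged); // staged plaintext is cleared on success and on failure
    result
}

fn main() {
    let input = b"constructed plaintext"; // constructed sample, not real ciphertext
    let mut out = Vec::new();
    let res = decrypt_gated(&mut out, |buf| streaming_decrypt_stub(&input[..], buf, false));
    let err = res.err().map(|e| e.to_string());
    println!("error = {:?}, bytes released to sink = {}", err, out.len());
}
```

For payloads too large to hold in memory, the same gate can be built with a temporary file in the destination directory that is renamed into place only on `Ok` and deleted otherwise.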
§Compatibility
- V0/V1/V2 are read-only legacy-format support.
- V3 is bit-identical to ciphertext produced by crate::encrypt() and the official AES Crypt v3 reference implementation.