Function extract_session_data

pub fn extract_session_data<R>(
    reader: &mut R,
    file_version: u8,
    public_iv: &Iv16,
    setup_key: &Aes256Key32,
    session_iv_out: &mut Iv16,
    session_key_out: &mut Aes256Key32,
) -> Result<(), AescryptError>
where R: Read,

Recovers the session IV and session key from the file header into the caller’s pre-allocated secure-gate buffers.

The behavior depends on file_version:

  • v0: the setup key is the session key; session_iv_out is set to public_iv, session_key_out to setup_key. No HMAC, no decryption.
  • v1/v2: reads a 48-byte AES-256-CBC encrypted session block plus a 32-byte HMAC-SHA256 tag, verifies the tag with constant-time equality, then CBC-decrypts the block under setup_key chained off public_iv.
  • v3: same as v1/v2, but the version byte (0x03) is folded into the session HMAC after the encrypted block, matching the v3 spec.
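The per-version header handling described above, as an added example that is not the crate's code; it is written in Go rather than Rust because Go's standard library carries AES-CBC, HMAC-SHA256 and a constant-time compare, so it runs without third-party crates. It assumes the session tag is keyed with setup_key (as in the AES Crypt format; the page does not state the tag key); extractSessionData, sessionTag and the sealSessionData fixture builder are hypothetical names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"io"
)

// sessionTag is the HMAC-SHA256 over the encrypted block; v3 also folds in the version byte.
// Assumption (AES Crypt format, not stated on the page): the tag is keyed with setupKey.
func sessionTag(fileVersion byte, setupKey *[32]byte, enc []byte) []byte {
	mac := hmac.New(sha256.New, setupKey[:])
	mac.Write(enc)
	if fileVersion == 3 {
		mac.Write([]byte{0x03})
	}
	return mac.Sum(nil)
}

// extractSessionData mirrors the per-version behaviour described above.
func extractSessionData(r io.Reader, fileVersion byte, publicIV *[16]byte, setupKey *[32]byte) (sessionIV, sessionKey []byte, err error) {
	if fileVersion == 0 { // v0: the setup key is the session key; nothing is read or verified
		return append([]byte(nil), publicIV[:]...), append([]byte(nil), setupKey[:]...), nil
	}
	if fileVersion > 3 {
		return nil, nil, fmt.Errorf("unsupported file version %d", fileVersion)
	}
	hdr := make([]byte, 48+32) // encrypted (IV||key) block followed by its 32-byte tag
	if _, err = io.ReadFull(r, hdr); err != nil {
		return nil, nil, fmt.Errorf("short session header: %w", err)
	}
	enc, tag := hdr[:48], hdr[48:]
	if !hmac.Equal(sessionTag(fileVersion, setupKey, enc), tag) { // constant-time, checked before decrypting
		return nil, nil, fmt.Errorf("session block HMAC mismatch")
	}
	block, _ := aes.NewCipher(setupKey[:]) // cannot fail: the key is 32 bytes by type, as with Aes256Key32
	cipher.NewCBCDecrypter(block, publicIV[:]).CryptBlocks(enc, enc) // in place: enc now holds IV||key
	return enc[:16], enc[16:], nil
}

// sealSessionData builds the header extractSessionData expects (constructed fixture, not the crate's writer).
func sealSessionData(fileVersion byte, publicIV *[16]byte, setupKey *[32]byte, sessionIV, sessionKey []byte) []byte {
	block, _ := aes.NewCipher(setupKey[:])
	enc := append(append([]byte{}, sessionIV...), sessionKey...)
	cipher.NewCBCEncrypter(block, publicIV[:]).CryptBlocks(enc, enc)
	return append(enc, sessionTag(fileVersion, setupKey, enc)...)
}
```

A v2 header presented as v3 (or a single flipped ciphertext byte) is rejected at the tag check, so the CBC decryption never runs on unauthenticated data.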

§Errors

§Panics

Never panics on valid input. The internal expect calls on setup_key ("setup_key is always 32 bytes") and on computed_hmac ("computed hmac is 32 bytes") are structural invariants of Aes256Key32 and HMAC-SHA256.

§Security

  • HMAC verification uses secure-gate’s ConstantTimeEq.
  • Encrypted session block, HMAC tag, and CBC working buffers are all secure-gate aliases that zeroize on drop.
  • For file_version == 0, session_key_out is overwritten with a copy of setup_key; both buffers continue to zeroize independently.