1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
//! Per-scheme raw cryptographic primitives.
//!
//! Each submodule exposes four functions for one scheme:
//!
//! - `encrypt(plaintext, key) -> Vec<u8>`
//! - `encrypt_into(plaintext, key, &mut Vec<u8>)`
//! - `decrypt(scheme_output, key) -> Vec<u8>`
//! - `decrypt_into(scheme_output, key, &mut Vec<u8>)`
//!
//! These produce / consume the scheme's own output bytes โ whatever the
//! underlying AEAD returns. The top-level [`crate::encrypt`] /
//! [`crate::decrypt`] dispatch to these by [`crate::Scheme`]; the output
//! carries no scheme marker.
//!
//! # Owned vs `_into`
//!
//! - The owned form (`encrypt` / `decrypt`) calls the AEAD's own
//! exact-capacity path โ fastest for "give me a `Vec`".
//! - The `_into` form writes directly into the caller's buffer via
//! `aead::encrypt_in_place` (with a private `TailBuffer` adapter) โ
//! zero intermediate allocation, intended for integrators that pipe
//! into a downstream encoder.
// Only the four real AEAD schemes use the in-place `_into` adapter; the
// mock schemes append directly. Gate it so a mock-only build stays
// warning-clean.
pub
/// Shared GCM-SIV key derivation for `dgcmsiv` / `pgcmsiv`.
///
/// Both GCM-SIV schemes derive the same 32-byte AES-256-GCM-SIV key
/// from the master; keeping that derivation in one place (rather than
/// duplicated per scheme) ensures the security-sensitive HKDF step
/// cannot drift between them.
pub