Add AEAD encryption function with explicit sequence number

Not-Nik · Not-Nik · commit 49e7588059dc · 2026-04-29T15:50:28.000+02:00
diff --git a/src/aead.rs b/src/aead.rs
@@ -590,6 +590,51 @@ impl Aead {
         Ok(ct)
     }
 
+    /// Encrypt with an explicit sequence number. Mirrors `open`'s nonce
+    /// construction: the final nonce is `nonce_base XOR encode_be(seq)` over
+    /// the trailing 8 bytes. The NSS PKCS#11 context's internal counter is
+    /// not used (CKG_NO_GENERATE). The caller must never reuse
+    /// `(nonce_base, seq)` with the same key.
+    pub fn encrypt_with_seq(
+        &mut self,
+        aad: &[u8],
+        seq: SequenceNumber,
+        pt: &[u8],
+    ) -> Result<Vec<u8>, Error> {
+        crate::init()?;
+
+        assert_eq!(self.mode, Mode::Encrypt);
+        let mut nonce = self.nonce_base;
+        for (i, n) in nonce.iter_mut().rev().take(COUNTER_LEN).enumerate() {
+            *n ^= u8::try_from((seq >> (8 * i)) & 0xff).unwrap();
+        }
+        let mut ct = vec![0; pt.len() + TAG_LEN];
+        let mut ct_len: c_int = 0;
+        let mut tag = vec![0; TAG_LEN];
+        secstatus_to_res(unsafe {
+            PK11_AEADOp(
+                *self.ctx,
+                CK_GENERATOR_FUNCTION::from(CKG_NO_GENERATE),
+                0,
+                nonce.as_mut_ptr(),
+                c_int_len(nonce.len())?,
+                aad.as_ptr(),
+                c_int_len(aad.len())?,
+                ct.as_mut_ptr(),
+                &mut ct_len,
+                c_int_len(ct.len())?,
+                tag.as_mut_ptr(),
+                c_int_len(tag.len())?,
+                pt.as_ptr(),
+                c_int_len(pt.len())?,
+            )
+        })?;
+        ct.truncate(usize::try_from(ct_len).unwrap());
+        debug_assert_eq!(ct.len(), pt.len());
+        ct.append(&mut tag);
+        Ok(ct)
+    }
+
     pub fn decrypt(
         &mut self,
         aad: &[u8],
@@ -767,4 +812,33 @@ mod test {
         // Now use the real nonce and sequence number from the example.
         decrypt(ALG, KEY, NONCE_BASE, 654_360_564, AAD, PT, CT);
     }
+
+    fn roundtrip_seal_with_seq(algorithm: AeadAlgorithms, key: &[u8]) {
+        fixture_init();
+
+        const NONCE_BASE: [u8; NONCE_LEN] = [0; NONCE_LEN];
+        const AAD: &[u8] = b"associated";
+        const PT: &[u8] = b"hello sframe";
+        const SEQ: SequenceNumber = 0x0123_4567_89ab;
+
+        let k = Aead::import_key(algorithm, key).unwrap();
+        let mut enc = Aead::new(Mode::Encrypt, algorithm, &k, NONCE_BASE).unwrap();
+        let ct = enc.encrypt_with_seq(AAD, SEQ, PT).unwrap();
+
+        let mut dec = Aead::new(Mode::Decrypt, algorithm, &k, NONCE_BASE).unwrap();
+        let pt = dec.decrypt(AAD, SEQ, &ct).unwrap();
+        assert_eq!(&pt[..], PT);
+    }
+
+    #[test]
+    fn seal_with_seq_aes128gcm() {
+        const KEY: &[u8] = &[0x42; 16];
+        roundtrip_seal_with_seq(AeadAlgorithms::Aes128Gcm, KEY);
+    }
+
+    #[test]
+    fn seal_with_seq_aes256gcm() {
+        const KEY: &[u8] = &[0x42; 32];
+        roundtrip_seal_with_seq(AeadAlgorithms::Aes256Gcm, KEY);
+    }
 }
