From: Neil Horman Date: Fri, 27 Sep 2024 13:33:35 +0000 (-0400) Subject: Add some documentation to describe the encap/decap requirements X-Git-Tag: openssl-3.1.8~107 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e3c6227a723ac6ff455a62ba3b13d96974456010;p=thirdparty%2Fopenssl.git Add some documentation to describe the encap/decap requirements Document the fact that we now require unwrappedlen/wrappedlen to be set to the size of the unwrapped/wrapped buffers Reviewed-by: Shane Lontis Reviewed-by: Viktor Dukhovni Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/25522) (cherry picked from commit 1c1223ff535944de880a23cbf0ef9bba6092b0d9) --- diff --git a/doc/man3/EVP_PKEY_decapsulate.pod b/doc/man3/EVP_PKEY_decapsulate.pod index 833c34152ac..cd6f5f0221a 100644 --- a/doc/man3/EVP_PKEY_decapsulate.pod +++ b/doc/man3/EVP_PKEY_decapsulate.pod @@ -25,10 +25,13 @@ specifying the private key to use. The EVP_PKEY_decapsulate() function performs a private key decapsulation operation using I. The data to be decapsulated is specified using the I and I parameters. -If I is NULL then the maximum size of the output secret buffer +If I is NULL then the size of the output secret buffer is written to I<*unwrappedlen>. If I is not NULL and the call is successful then the decapsulated secret data is written to I -and the amount of data written to I<*unwrappedlen>. +and the amount of data written to I<*unwrappedlen>. Note that, if I +is not NULL in this call, the value it points to must be initialised to the length of +I, so that the call can validate it is of sufficient size to hold the +result of the operation. =head1 NOTES diff --git a/doc/man3/EVP_PKEY_encapsulate.pod b/doc/man3/EVP_PKEY_encapsulate.pod index 573088c3bf5..eb51836d795 100644 --- a/doc/man3/EVP_PKEY_encapsulate.pod +++ b/doc/man3/EVP_PKEY_encapsulate.pod @@ -35,7 +35,10 @@ unless I is NULL. If I is not NULL and the call is successful then the internally generated key is written to I and its size is written to I<*genkeylen>. The encapsulated version of the generated key is written to -I and its size is written to I<*wrappedkeylen>. +I and its size is written to I<*wrappedkeylen>. Note that if +I is not NULL, then the value it points to must initially hold the size of +the I buffer so that its size can be validated by the call, ensuring +it is large enough to hold the result written to I. =head1 NOTES diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c index 6b48c8e92b8..d3fdb69614a 100644 --- a/providers/implementations/kem/rsa_kem.c +++ b/providers/implementations/kem/rsa_kem.c @@ -266,6 +266,11 @@ static int rsasve_generate(PROV_RSA_CTX *prsactx, return 1; } + /* + * If outlen is specified, then it must report the length + * of the out buffer on input so that we can confirm + * its size is sufficent for encapsulation + */ if (outlen != NULL && *outlen < nlen) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_OUTPUT_LENGTH); return 0; @@ -340,6 +345,12 @@ static int rsasve_recover(PROV_RSA_CTX *prsactx, ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH); return 0; } + + /* + * If outlen is specified, then it must report the length + * of the out buffer, so that we can confirm that it is of + * sufficient size to hold the output of decapsulation + */ if (outlen != NULL && *outlen < nlen) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_OUTPUT_LENGTH); return 0;