From 6812fa1d0f75ddd6530f730244d33c56203186f8 Mon Sep 17 00:00:00 2001 From: Neil Horman Date: Fri, 27 Sep 2024 09:33:35 -0400 Subject: [PATCH] Add some documentation to describe the encap/decap requirements Document the fact that we now require unwrappedlen/wrappedlen to be set to the size of the unwrapped/wrapped buffers Reviewed-by: Shane Lontis Reviewed-by: Viktor Dukhovni Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/25522) (cherry picked from commit 1c1223ff535944de880a23cbf0ef9bba6092b0d9) --- doc/man3/EVP_PKEY_decapsulate.pod | 7 +++++-- doc/man3/EVP_PKEY_encapsulate.pod | 5 ++++- providers/implementations/kem/rsa_kem.c | 11 +++++++++++ 3 files changed, 20 insertions(+), 3 deletions(-) diff --git a/doc/man3/EVP_PKEY_decapsulate.pod b/doc/man3/EVP_PKEY_decapsulate.pod index c18427e4115..286e956400f 100644 --- a/doc/man3/EVP_PKEY_decapsulate.pod +++ b/doc/man3/EVP_PKEY_decapsulate.pod @@ -31,10 +31,13 @@ key that is used during decapsulation. The EVP_PKEY_decapsulate() function performs a private key decapsulation operation using I. The data to be decapsulated is specified using the I and I parameters. -If I is NULL then the maximum size of the output secret buffer +If I is NULL then the size of the output secret buffer is written to I<*unwrappedlen>. If I is not NULL and the call is successful then the decapsulated secret data is written to I -and the amount of data written to I<*unwrappedlen>. +and the amount of data written to I<*unwrappedlen>. Note that, if I +is not NULL in this call, the value it points to must be initialised to the length of +I, so that the call can validate it is of sufficient size to hold the +result of the operation. =head1 NOTES diff --git a/doc/man3/EVP_PKEY_encapsulate.pod b/doc/man3/EVP_PKEY_encapsulate.pod index 042b169a175..04025592d9a 100644 --- a/doc/man3/EVP_PKEY_encapsulate.pod +++ b/doc/man3/EVP_PKEY_encapsulate.pod @@ -41,7 +41,10 @@ unless I is NULL. If I is not NULL and the call is successful then the internally generated key is written to I and its size is written to I<*genkeylen>. The encapsulated version of the generated key is written to -I and its size is written to I<*wrappedkeylen>. +I and its size is written to I<*wrappedkeylen>. Note that if +I is not NULL, then the value it points to must initially hold the size of +the I buffer so that its size can be validated by the call, ensuring +it is large enough to hold the result written to I. =head1 NOTES diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c index b999789b2d0..5b8c2f2f15f 100644 --- a/providers/implementations/kem/rsa_kem.c +++ b/providers/implementations/kem/rsa_kem.c @@ -266,6 +266,11 @@ static int rsasve_generate(PROV_RSA_CTX *prsactx, return 1; } + /* + * If outlen is specified, then it must report the length + * of the out buffer on input so that we can confirm + * its size is sufficent for encapsulation + */ if (outlen != NULL && *outlen < nlen) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_OUTPUT_LENGTH); return 0; @@ -340,6 +345,12 @@ static int rsasve_recover(PROV_RSA_CTX *prsactx, ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH); return 0; } + + /* + * If outlen is specified, then it must report the length + * of the out buffer, so that we can confirm that it is of + * sufficient size to hold the output of decapsulation + */ if (outlen != NULL && *outlen < nlen) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_OUTPUT_LENGTH); return 0; -- 2.47.2