Commit 5ff19a7297 for openssl.org

commit 5ff19a7297ea149e145b848c2b536dbaebd6f598
Author: Joshua Rogers <MegaManSec@users.noreply.github.com>
Date:   Wed Apr 1 00:17:34 2026 +0800

    docs: Document required output buffer length in EVP_CIPHER-DES

    Reviewed-by: Paul Dale <paul.dale@oracle.com>
    Reviewed-by: Richard Levitte <levitte@openssl.org>
    MergeDate: Sun May  3 13:41:54 2026
    (Merged from https://github.com/openssl/openssl/pull/30651)

diff --git a/doc/man7/EVP_CIPHER-DES.pod b/doc/man7/EVP_CIPHER-DES.pod
index 7ece7c5e0f..cf294cdc31 100644
--- a/doc/man7/EVP_CIPHER-DES.pod
+++ b/doc/man7/EVP_CIPHER-DES.pod
@@ -61,6 +61,16 @@ The following algorithms are available in the legacy provider:
 This implementation supports the parameters described in
 L<EVP_EncryptInit(3)/PARAMETERS> including "encrypt-check" and "fips-indicator".

+=head1 NOTES
+
+The DES3-WRAP implementation does not support streaming. That means to obtain
+correct results there can be only one L<EVP_EncryptUpdate(3)> or
+L<EVP_DecryptUpdate(3)> call after the initialization of the context.
+
+When wrapping (encrypting) with DES3-WRAP, the output buffer must be at least
+I<input_length> + 16 bytes. The extra 16 bytes accommodate an 8-byte IV and an
+8-byte integrity check value (ICV) prepended and appended by the algorithm.
+
 =head1 SEE ALSO

 L<provider-cipher(7)>, L<OSSL_PROVIDER-FIPS(7)>, L<OSSL_PROVIDER-default(7)>,
@@ -68,7 +78,7 @@ L<OSSL_PROVIDER-legacy(7)>,

 =head1 COPYRIGHT

-Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2021-2026 The OpenSSL Project Authors. All Rights Reserved.

 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy