Commit 6e9f47be2e for openssl.org

commit 6e9f47be2e8ae71358a5805f826cd9c3e932e3de
Author: Joshua Rogers <MegaManSec@users.noreply.github.com>
Date:   Wed Apr 1 00:28:34 2026 +0800

    docs: Fix and add documentation about AES-WRAP-PAD ciphers out parameter

    Reviewed-by: Tomas Mraz <tomas@openssl.foundation>
    Reviewed-by: Paul Dale <paul.dale@oracle.com>
    MergeDate: Wed Apr 22 08:13:31 2026
    (Merged from https://github.com/openssl/openssl/pull/30653)

diff --git a/crypto/modes/wrap128.c b/crypto/modes/wrap128.c
index 9dbb640129..c06a5490fe 100644
--- a/crypto/modes/wrap128.c
+++ b/crypto/modes/wrap128.c
@@ -178,7 +178,9 @@ size_t CRYPTO_128_unwrap(void *key, const unsigned char *iv,
  *
  *  @param[in]  key    Key value.
  *  @param[in]  icv    (Non-standard) IV, 4 bytes. NULL = use default_aiv.
- *  @param[out] out    Ciphertext. Minimal buffer length = (inlen + 15) bytes.
+ *  @param[out] out    Ciphertext. Minimal buffer length =
+ *                     (inlen rounded up to 8 + 8) bytes, i.e.
+ *                     ((inlen + 7) / 8) * 8 + 8.
  *                     Input and output buffers can overlap if block function
  *                     supports that.
  *  @param[in]  in     Plaintext as n 64-bit blocks, n >= 2.
diff --git a/doc/man3/EVP_EncryptInit.pod b/doc/man3/EVP_EncryptInit.pod
index 8c57d756ce..ee438947ab 100644
--- a/doc/man3/EVP_EncryptInit.pod
+++ b/doc/man3/EVP_EncryptInit.pod
@@ -417,7 +417,8 @@ encrypted data.
 For most ciphers and modes, the amount of data written can be anything
 from zero bytes to (inl + cipher_block_size - 1) bytes.
 For wrap cipher modes, the amount of data written can be anything
-from zero bytes to (inl + cipher_block_size) bytes.
+from zero bytes to (inl rounded up to cipher_block_size + cipher_block_size)
+bytes.
 For stream ciphers, the amount of data written can be anything from zero
 bytes to inl bytes.
 Thus, the buffer pointed to by I<out> must contain sufficient room for the
diff --git a/doc/man7/EVP_CIPHER-AES.pod b/doc/man7/EVP_CIPHER-AES.pod
index 7bd3746c9b..6da3f96a2d 100644
--- a/doc/man7/EVP_CIPHER-AES.pod
+++ b/doc/man7/EVP_CIPHER-AES.pod
@@ -69,6 +69,10 @@ The AES-SIV and AES-WRAP mode implementations do not support streaming. That
 means to obtain correct results there can be only one L<EVP_EncryptUpdate(3)>
 or L<EVP_DecryptUpdate(3)> call after the initialization of the context.

+When wrapping with AES-WRAP-PAD ciphers, the output buffer must be at least
+I<inl> rounded up to the cipher block size (8 bytes) plus the block size.
+That is, the minimum output buffer size is C<((inl + 7) / 8) * 8 + 8> bytes.
+
 The AES-XTS implementations allow streaming to be performed, but each
 L<EVP_EncryptUpdate(3)> or L<EVP_DecryptUpdate(3)> call requires each input
 to be a multiple of the blocksize. Only the final EVP_EncryptUpdate() or