AES: Document that the XTS, SIV, WRAP modes do not support streaming

Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com> (Merged from https://github.com/openssl/openssl/pull/23028) (cherry picked from commit 8f0f814d791e0825b96c30494594de619da3e5a5)
author: Tomas Mraz <tomas@openssl.org> 2023-12-13 10:06:59 +0100
committer: Tomas Mraz <tomas@openssl.org> 2023-12-22 13:43:15 +0100
commit: 782a34f76f5255ea8b4e5c7e8e8faa62a075beee (patch)
tree: 4da0fb261e74dd9c556b8b4d6672ef1aa9b94b9c /doc
parent: 141a7389c7612c7cf33c540ed65eee5f3e0284d0 (diff)
1 files changed, 13 insertions, 0 deletions
diff --git a/doc/man7/EVP_CIPHER-AES.pod b/doc/man7/EVP_CIPHER-AES.pod
index fa1eaa843b..7bd3746c9b 100644
--- a/doc/man7/EVP_CIPHER-AES.pod
+++ b/doc/man7/EVP_CIPHER-AES.pod
@@ -63,6 +63,19 @@ FIPS provider:
 This implementation supports the parameters described in
 L<EVP_EncryptInit(3)/PARAMETERS>.
 
+=head1 NOTES
+
+The AES-SIV and AES-WRAP mode implementations do not support streaming. That
+means to obtain correct results there can be only one L<EVP_EncryptUpdate(3)>
+or L<EVP_DecryptUpdate(3)> call after the initialization of the context.
+
+The AES-XTS implementations allow streaming to be performed, but each
+L<EVP_EncryptUpdate(3)> or L<EVP_DecryptUpdate(3)> call requires each input
+to be a multiple of the blocksize. Only the final EVP_EncryptUpdate() or
+EVP_DecryptUpdate() call can optionally have an input that is not a multiple
+of the blocksize but is larger than one block. In that case ciphertext
+stealing (CTS) is used to fill the block.
+
 =head1 SEE ALSO
 
 L<provider-cipher(7)>, L<OSSL_PROVIDER-FIPS(7)>, L<OSSL_PROVIDER-default(7)>
author	Tomas Mraz <tomas@openssl.org>	2023-12-13 10:06:59 +0100
committer	Tomas Mraz <tomas@openssl.org>	2023-12-22 13:43:15 +0100
commit	782a34f76f5255ea8b4e5c7e8e8faa62a075beee (patch)
tree	4da0fb261e74dd9c556b8b4d6672ef1aa9b94b9c /doc
parent	141a7389c7612c7cf33c540ed65eee5f3e0284d0 (diff)