EVP_DecryptUpdate: fix comment about required buffer size.

This has been wrong in BoringSSL's header file. I assume no existing
code actually violates this requirement, as OpenSSL's docs are clear
about requiring an entire blocksize additional buffer.

Bug: 42290361
Change-Id: Ifdfe90a5a24a1e6ea1736914cb8889c3e23867c5
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/83167
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: David Benjamin <davidben@google.com>
Auto-Submit: Rudolf Polzer <rpolzer@google.com>
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/cipher.h b/include/openssl/cipher.h
index 13e68ad..a5533ca 100644
--- a/include/openssl/cipher.h
+++ b/include/openssl/cipher.h
@@ -133,6 +133,12 @@
 // |out| must have sufficient space. The number of bytes actually output is
 // written to |*out_len|. It returns one on success and zero otherwise.
 //
+// Note that the total output length across |EVP_EncryptUpdate| and
+// |EVP_EncryptFinal_ex| will never exceed the sum of |in_len|. However, in
+// ciphers whose the block size is not 1, such as CBC, individual calls to
+// |EVP_EncryptUpdate| may output more or less than |in_len| bytes. In this
+// case, the maximum output length is |in_len| plus the block size minus one.
+//
 // If |ctx| is an AEAD cipher, e.g. |EVP_aes_128_gcm|, and |out| is NULL, this
 // function instead adds |in_len| bytes from |in| to the AAD and sets |*out_len|
 // to |in_len|. The AAD must be fully specified in this way before this function
@@ -141,19 +147,26 @@
                                      int *out_len, const uint8_t *in,
                                      int in_len);
 
-// EVP_EncryptFinal_ex writes at most a block of ciphertext to |out| and sets
-// |*out_len| to the number of bytes written. If padding is enabled (the
-// default) then standard padding is applied to create the final block. If
-// padding is disabled (with |EVP_CIPHER_CTX_set_padding|) then any partial
-// block remaining will cause an error. The function returns one on success and
-// zero otherwise.
+// EVP_EncryptFinal_ex writes at most a block of ciphertext (if block length is
+// >1) to |out| and sets |*out_len| to the number of bytes written. If padding
+// is enabled (the default) then standard padding is applied to create the
+// final block. If padding is disabled (with |EVP_CIPHER_CTX_set_padding|) then
+// any partial block remaining will cause an error. The function returns one on
+// success and zero otherwise.
 OPENSSL_EXPORT int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, uint8_t *out,
                                        int *out_len);
 
 // EVP_DecryptUpdate decrypts |in_len| bytes from |in| to |out|. The number of
-// output bytes may be up to |in_len| plus the block length minus one and |out|
-// must have sufficient space. The number of bytes actually output is written
-// to |*out_len|. It returns one on success and zero otherwise.
+// output bytes may be up to |in_len| plus the block length (if block length is
+// >1) and |out| must have sufficient space. The number of bytes actually
+// output is written to |*out_len|. It returns one on success and zero
+// otherwise.
+//
+// Note that the total output length across |EVP_DecryptUpdate| and
+// |EVP_DecryptFinal_ex| will never exceed the sum of |in_len|. However, in
+// ciphers whose the block size is not 1, such as CBC, individual calls to
+// |EVP_DecryptUpdate| may output more or less than |in_len| bytes. In this
+// case, the maximum output length is |in_len| plus the block size.
 //
 // If |ctx| is an AEAD cipher, e.g. |EVP_aes_128_gcm|, and |out| is NULL, this
 // function instead adds |in_len| bytes from |in| to the AAD and sets |*out_len|
@@ -163,9 +176,9 @@
                                      int *out_len, const uint8_t *in,
                                      int in_len);
 
-// EVP_DecryptFinal_ex writes at most a block of ciphertext to |out| and sets
-// |*out_len| to the number of bytes written. If padding is enabled (the
-// default) then padding is removed from the final block.
+// EVP_DecryptFinal_ex writes at most a block of ciphertext (if block length is
+// >1) to |out| and sets |*out_len| to the number of bytes written. If padding
+// is enabled (the default) then padding is removed from the final block.
 //
 // WARNING: it is unsafe to call this function with unauthenticated
 // ciphertext if padding is enabled.