From: Dr. David von Oheimb Date: Mon, 8 Feb 2021 07:17:23 +0000 (+0100) Subject: x509_vfy: Clarify relevance of ctx->error also on successful verification X-Git-Tag: openssl-3.0.0-alpha12~97 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=990a15fe73b059d78d06c351e902115a30f02e70;p=thirdparty%2Fopenssl.git x509_vfy: Clarify relevance of ctx->error also on successful verification Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/14127) --- diff --git a/doc/man3/X509_STORE_CTX_get_error.pod b/doc/man3/X509_STORE_CTX_get_error.pod index 479b02503bf..91e65f4af65 100644 --- a/doc/man3/X509_STORE_CTX_get_error.pod +++ b/doc/man3/X509_STORE_CTX_get_error.pod @@ -31,8 +31,10 @@ These functions are typically called after certificate or chain verification using L or L has indicated an error or in a verification callback to determine the nature of an error. -X509_STORE_CTX_get_error() returns the error code of B, see -the B section for a full description of all error codes. +X509_STORE_CTX_get_error() returns the error code of I. +See the L section for a full description of all error codes. +It may return a code != X509_V_OK even if X509_verify_cert() did not indicate +an error, likely because a verification callback function has waived the error. X509_STORE_CTX_set_error() sets the error code of I to I. For example it might be used in a verification callback to set an error based on additional diff --git a/doc/man3/X509_verify_cert.pod b/doc/man3/X509_verify_cert.pod index 13854f5ed68..2f9cfa38581 100644 --- a/doc/man3/X509_verify_cert.pod +++ b/doc/man3/X509_verify_cert.pod 
@@ -49,7 +49,9 @@ otherwise they return 0, and in exceptional circumstances (such as malloc failure and internal errors) they can also return a negative code. On error or failure additional error information can be obtained by -examining I using, for example, L. +examining I using, for example, L. Even if +verification indicated success, the stored error code may be different from +X509_V_OK, likely because a verification callback function has waived the error. =head1 SEE ALSO
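Review bot: In doc/man3/X509_STORE_CTX_get_error.pod, the added sentence "It may return a code != X509_V_OK even if X509_verify_cert() did not indicate an error" says the two values can disagree but not which one the caller should act on. The unchanged context describes these functions as typically called after verification has indicated an error; an application that instead tests only the stored code against X509_V_OK would reject a chain whose error the callback deliberately waived. Suggest adding that the return value of X509_verify_cert() decides the outcome and that a stored code other than X509_V_OK after success is informational. Style: "a code != X509_V_OK" reads better in man page prose as "a code other than X509_V_OK", which would also match the "different from X509_V_OK" wording used in X509_verify_cert.pod.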
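Review bot: In doc/man3/X509_verify_cert.pod, the new sentence is appended to the paragraph that starts "On error or failure additional error information can be obtained", so the success case ends up documented inside text about failure and is easy to miss. Suggest giving it its own sentence or paragraph and saying what a caller is expected to do with a non-OK code after success (for example, record which error was waived), not only that it can occur. The phrase "likely because a verification callback function has waived the error" is hedged in both files: if there are other ways the stored code can differ from X509_V_OK on success, name them, otherwise drop "likely".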