From 60f5e48f44b0d4e4179960741e8b73e5c475d3e8 Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Fri, 8 Oct 2021 14:43:17 +0100
Subject: [PATCH] Add an additional note to EVP_DigestSign() documentation

Clarify what happens if it fails. Make it clear that you can pass a NULL
"sig" buffer to get the "siglen".

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/16789)

(cherry picked from commit dc3f057ce1701d5fd77cc4fcc1d14afe3e3122a3)
---
 doc/man3/EVP_DigestSignInit.pod | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/doc/man3/EVP_DigestSignInit.pod b/doc/man3/EVP_DigestSignInit.pod
index 87480144654..c8385949fb6 100644
--- a/doc/man3/EVP_DigestSignInit.pod
+++ b/doc/man3/EVP_DigestSignInit.pod
@@ -130,7 +130,11 @@ written to I<siglen>.
 
 EVP_DigestSign() signs I<tbslen> bytes of data at I<tbs> and places the
 signature in I<sig> and its length in I<siglen> in a similar way to
-EVP_DigestSignFinal().
+EVP_DigestSignFinal(). In the event of a failure EVP_DigestSign() cannot be
+called again without reinitialising the EVP_MD_CTX. If I<sig> is NULL before the
+call then I<siglen> will be populated with the required size for the I<sig>
+buffer. If I<sig> is non-NULL before the call then I<siglen> should contain the
+length of the I<sig> buffer.
 
 =head1 RETURN VALUES
 
-- 
2.47.3