X509v3_get_ext_by_NID.pod: Add warning on counter-intuitive behavior of X509v3_delete_ext() etc.

Also simplify two uses of these functions.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13711)

1 files changed, 8 insertions, 3 deletions

diff --git a/doc/man3/X509v3_get_ext_by_NID.pod b/doc/man3/X509v3_get_ext_by_NID.pod
index f77474ca80..79c68e1478 100644
--- a/doc/man3/X509v3_get_ext_by_NID.pod
+++ b/doc/man3/X509v3_get_ext_by_NID.pod
@@ -74,9 +74,9 @@ looks for an extension of criticality B<crit>. A zero value for B<crit>
 looks for a non-critical extension a nonzero value looks for a critical
 extension.
 
-X509v3_delete_ext() deletes the extension with index B<loc> from B<x>. The
-deleted extension is returned and must be freed by the caller. If B<loc>
-is in invalid index value B<NULL> is returned.
+X509v3_delete_ext() deletes the extension with index B<loc> from B<x>.
+The deleted extension is returned and must be freed by the caller.
+If B<loc> is in invalid index value B<NULL> is returned.
 
 X509v3_add_ext() adds extension B<ex> to stack B<*x> at position B<loc>. If
 B<loc> is B<-1> the new extension is added to the end. If B<*x> is B<NULL>
@@ -111,6 +111,11 @@ error. These search functions start from the extension B<after> the B<lastpos>
 parameter so it should initially be set to B<-1>, if it is set to zero the
 initial extension will not be checked.
 
+=head1 BUGS
+
+X509v3_delete_ext() and its variants are a bit counter-intuitive
+because these functions do not free the extension they delete.
+
 =head1 RETURN VALUES
 
 X509v3_get_ext_count() returns the extension count.