In 1995, Eric A. Young chose a confusing name for the "lastUpdate" field

of the X509_CRL_INFO object.  It should have been called "thisUpdate"
like in RFC 5280 section 5.1 (and in its precursor RFC 2459).  Then again,
RFC 2459 was only published in 1999, so maybe the terminology wasn't
firmly established yet when Young wrote his code several years earlier -
just guessing, neither we nor the OpenSSL folks appear to know the real
reasons...

Anyway, we have been stuck with the "lastUpdate" names in the API for
more than two decades now, so clarify in the documentation what they
refer to and what they really mean.

Requested by and OK tb@.

2 files changed, 20 insertions, 12 deletions

diff --git a/src/lib/libcrypto/man/X509_STORE_CTX_get_error.3 b/src/lib/libcrypto/man/X509_STORE_CTX_get_error.3
index b3d0ee3069..1f221563cb 100644
--- a/src/lib/libcrypto/man/X509_STORE_CTX_get_error.3
+++ b/src/lib/libcrypto/man/X509_STORE_CTX_get_error.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_STORE_CTX_get_error.3,v 1.27 2023/04/30 14:49:47 tb Exp $
+.\" $OpenBSD: X509_STORE_CTX_get_error.3,v 1.28 2023/06/06 16:20:13 schwarze Exp $
 .\" full merge up to:
 .\" OpenSSL man3/X509_STORE_CTX_get_error 24a535ea Sep 22 13:14:20 2020 +0100
 .\" OpenSSL man3/X509_STORE_CTX_new 24a535ea Sep 22 13:14:20 2020 +0100
@@ -68,7 +68,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 30 2023 $
+.Dd $Mdocdate: June 6 2023 $
 .Dt X509_STORE_CTX_GET_ERROR 3
 .Os
 .Sh NAME
@@ -386,7 +386,9 @@ The certificate notBefore field contains an invalid time.
 The certificate notAfter field contains an invalid time.
 .It Dv X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD : \
  No format error in CRL's lastUpdate field
-The CRL lastUpdate field contains an invalid time.
+The CRL thisUpdate field (sic!) contains an invalid time.
+Both the name of the error constant and the text of the error message
+give a wrong name for the field that contains the problem.
 .It Dv X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD : \
  No format error in CRL's nextUpdate field
 The CRL nextUpdate field contains an invalid time.
diff --git a/src/lib/libcrypto/man/X509_get0_notBefore.3 b/src/lib/libcrypto/man/X509_get0_notBefore.3
index e9f0d62992..53b18d5991 100644
--- a/src/lib/libcrypto/man/X509_get0_notBefore.3
+++ b/src/lib/libcrypto/man/X509_get0_notBefore.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_get0_notBefore.3,v 1.5 2020/06/24 14:59:41 schwarze Exp $
+.\" $OpenBSD: X509_get0_notBefore.3,v 1.6 2023/06/06 16:20:13 schwarze Exp $
 .\" content checked up to: OpenSSL 27b138e9 May 19 00:16:38 2017 +0000
 .\"
 .\" Copyright (c) 2018, 2020 Ingo Schwarze <schwarze@openbsd.org>
@@ -15,7 +15,7 @@
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: June 24 2020 $
+.Dd $Mdocdate: June 6 2023 $
 .Dt X509_GET0_NOTBEFORE 3
 .Os
 .Sh NAME
@@ -142,14 +142,20 @@ and
 are identical except for the const qualifier on the return type.
 .Pp
 .Fn X509_CRL_get0_lastUpdate
-and
+is misnamed in a confusing way: it returns a pointer to the
+.Fa thisUpdate
+field of the
+.Fa crl ,
+indicating the time when this
+.Fa crl
+was issued.
+.Pp
 .Fn X509_CRL_get0_nextUpdate
-return pointers to the
-.Fa lastUpdate
-and
+returns a pointer to the
 .Fa nextUpdate
-fields of
-.Fa crl .
+field of the
+.Fa crl ,
+indicating the time when issuing the subsequent CRL will be due.
 .Pp
 .Fn X509_CRL_get_lastUpdate
 and
@@ -165,7 +171,7 @@ and
 set the
 .Fa notBefore ,
 .Fa notAfter ,
-.Fa lastUpdate ,
+.Fa thisUpdate Pq sic!\& ,
 or
 .Fa nextUpdate
 field of