Add a regression test for error handling and hash_dir

See bug.

Bug: 708
Change-Id: Ic7a8ab069a9149b085480094f434e36cb13b4908
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/66987
Auto-Submit: David Benjamin <davidben@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>

crypto/x509/x509_test.cc

diff --git a/crypto/x509/x509_test.cc b/crypto/x509/x509_test.cc
index 6f08611..d7f4313 100644
--- a/crypto/x509/x509_test.cc
+++ b/crypto/x509/x509_test.cc
@@ -8150,9 +8150,16 @@
     EXPECT_EQ(X509_V_OK, test_issuer(old_collide_name2));
 
     // Test a certificate not in the store.
+    ERR_clear_error();
     EXPECT_EQ(X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
               test_issuer("Not In Store"));
 
+    // Although, internally, this hits the filesystem and finds that a file does
+    // not exist, there should not be anything on the error queue about a
+    // missing file. |X509_verify_cert| generally does not use the error queue,
+    // so it will be empty. See https://crbug.com/boringssl/708.
+    EXPECT_EQ(ERR_get_error(), 0u);
+
     // Test CRL handling. First, if we cannot find a CRL, verification will
     // fail.
     //

include/openssl/x509.h

diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 0bff5c3..32e0933 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -3022,6 +3022,9 @@
 // |X509_STORE_CTX_get1_chain| may be used to return the verified certificate
 // chain. On error, |X509_STORE_CTX_get_error| may be used to return additional
 // error information.
+//
+// WARNING: Most failure conditions from this function do not use the error
+// queue. Use |X509_STORE_CTX_get_error| to determine the cause of the error.
 OPENSSL_EXPORT int X509_verify_cert(X509_STORE_CTX *ctx);
 
 // X509_STORE_CTX_get0_chain, after a successful |X509_verify_cert| call,