Review comment

src/ssl.c

@@ -3452,7 +3452,7 @@ void wolfSSL_CertManagerFree(WOLFSSL_CERT_MANAGER* cm)
 #if defined(WOLFSSL_SIGNER_DER_CERT)
 /******************************************************************************
 * wolfSSL_CertManagerGetCerts - retrieve stack of X509 certificates in a
-* certificate manager (CM), also knows as cert store in OpenSSL.
+* certificate manager (CM).
 *
 * RETURNS:
 * returns stack of X509 certs on success, otherwise returns a NULL.

wolfssl/test.h

@@ -1645,6 +1645,14 @@ static WC_INLINE void OCSPRespFreeCb(void* ioCtx, unsigned char* response)
 #endif /* !NO_CERTS */
 
 static int myVerifyFail = 0;
+
+/* The verify callback is called for every certificate only when
+ * --enable-opensslextra is defined because it sets WOLFSSL_ALWAYS_VERIFY_CB and
+ * WOLFSSL_VERIFY_CB_ALL_CERTS.
+ * Normal cases of the verify callback only occur on certificate failures when the
+ * wolfSSL_set_verify(ssl, SSL_VERIFY_PEER, myVerifyCb); is called
+*/
+
 static WC_INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store)
 {
     char buffer[WOLFSSL_MAX_ERROR_SZ];
@@ -1688,7 +1696,7 @@ static WC_INLINE int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store)
         XFREE(subject, 0, DYNAMIC_TYPE_OPENSSL);
         XFREE(issuer,  0, DYNAMIC_TYPE_OPENSSL);
 #if defined(SHOW_CERTS) && !defined(NO_FILESYSTEM)
-/* avoid printing same certs since myVerify is called for every cert in the chain */
+/* avoid printing duplicate certs */
         if (store->depth == 1) {
             /* retrieve x509 certs and display them on stdout */
             sk = wolfSSL_X509_STORE_GetCerts(store);