From e22d54a186203093866cbee1d244dc3ebd0ecd32 Mon Sep 17 00:00:00 2001
From: jsing
Date: Tue, 31 Mar 2026 13:39:48 +0000
Subject: [PATCH] Add additional X.509 verifier test cases. The second case (14b) currently triggers a bug in the new verifier.
---
 regress/lib/libcrypto/x509/callback.c | 11 ++++++++++-
 regress/lib/libcrypto/x509/verify.c | 19 ++++++++++++++++++-
 2 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/regress/lib/libcrypto/x509/callback.c b/regress/lib/libcrypto/x509/callback.c
index c4d1575ae85..a3717bca240 100644
--- a/regress/lib/libcrypto/x509/callback.c
+++ b/regress/lib/libcrypto/x509/callback.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: callback.c,v 1.5 2024/08/23 12:56:26 anton Exp $ */
+/* $OpenBSD: callback.c,v 1.6 2026/03/31 13:39:48 jsing Exp $ */
 /*
 * Copyright (c) 2020 Joel Sing
 * Copyright (c) 2020-2021 Bob Beck
@@ -340,6 +340,15 @@ struct verify_cert_test verify_cert_tests[] = {
 .want_chains = 1,
 .failing = 1,
 },
+ {
+ .id = "14a",
+ .want_chains = 1,
+ },
+ {
+ .id = "14b",
+ .want_chains = 0,
+ .failing = 1,
+ },
 };
 
 #define N_VERIFY_CERT_TESTS \
diff --git a/regress/lib/libcrypto/x509/verify.c b/regress/lib/libcrypto/x509/verify.c
index b4b4e06cf73..2b5298a63ec 100644
--- a/regress/lib/libcrypto/x509/verify.c
+++ b/regress/lib/libcrypto/x509/verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: verify.c,v 1.12 2024/08/23 12:56:26 anton Exp $ */
+/* $OpenBSD: verify.c,v 1.13 2026/03/31 13:39:48 jsing Exp $ */
 /*
 * Copyright (c) 2020 Joel Sing
 * Copyright (c) 2020-2021 Bob Beck
@@ -460,6 +460,20 @@ struct verify_cert_test verify_cert_tests[] = {
 .want_legacy_error_depth = 2,
 .failing = 1,
 },
+ {
+ .id = "14a",
+ .want_chains = 1,
+ .want_error_depth = 0,
+ },
+ {
+ .id = "14b",
+ .want_chains = 0,
+ .want_error = X509_V_ERR_CERT_CHAIN_TOO_LONG,
+ .want_error_depth = 32,
+ .want_legacy_error = 0,
+ .want_legacy_error_depth = 0,
+ .failing = 1,
+ },
 };
 
 #define N_VERIFY_CERT_TESTS \
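Review bot: The new `14b` entry in `verify_cert_tests[]` is marked `.failing = 1` with nothing in the code saying why, and the same holds for the `14b` entry added to regress/lib/libcrypto/x509/verify.c. Only the commit message records that this case triggers a bug in the new verifier, so once the verifier is fixed nothing in the file tells a maintainer that the flag has to be removed. Because 14b is a rejection case (`.want_chains = 0`), the intent is worth stating above the entry, for example `/* 14b: must be rejected; currently mishandled by the new verifier - drop .failing once fixed. */`. The array definition starts and ends outside the hunk, so how `.failing` is consumed is not visible here.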
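Review bot: In the `14b` entry, `.want_error_depth = 32` is a bare number next to `X509_V_ERR_CERT_CHAIN_TOO_LONG`; it presumably mirrors the verifier's chain length limit, and if that limit ever changes the test will fail for a reason that is hard to trace. A short comment such as `/* depth at which the chain length limit is hit */` would tie the two together. The explicit `.want_legacy_error = 0,` and `.want_legacy_error_depth = 0,` are what the designated initializer yields anyway, so the hunk does not show whether they mean "the legacy verifier reports no error" or "same as the modern expectation"; a comment saying which is intended would help, given that `.want_chains = 0` says no chain should validate. The harness that reads these fields is outside the hunk.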
@@ -557,10 +571,13 @@ main(int argc, char **argv) fprintf(stderr, "\n\nTesting legacy x509_vfy\n"); failed |= verify_cert_test(argv[1], MODE_LEGACY_VFY); + fprintf(stderr, "\n\nTesting modern x509_vfy\n"); failed |= verify_cert_test(argv[1], MODE_MODERN_VFY); + fprintf(stderr, "\n\nTesting modern x509_vfy by_dir\n"); failed |= verify_cert_test(argv[1], MODE_MODERN_VFY_DIR); + fprintf(stderr, "\n\nTesting x509_verify\n"); failed |= verify_cert_test(argv[1], MODE_VERIFY);