path: root/test/openssl/test_x509store.rb
authorKazuki Yamaguchi <k@rhe.jp>2021-02-25 17:28:23 +0900
committerKazuki Yamaguchi <k@rhe.jp>2021-03-16 19:37:06 +0900
commita3f97007bbd1012a4b7662b8166118b81b52527a (patch)
tree4a823205701e927c4650c6ca6de5127de8e35a10 /test/openssl/test_x509store.rb
parent1eb6d8aa63d7ada403adb0db12382d264dea5521 (diff)
[ruby/openssl] test: adjust test cases for LibreSSL 3.2.4
LibreSSL 3.2.4 moved the certificate verification logic back closer to the pre-3.2.2 one, which is more compatible with OpenSSL. Part of the fixes added by commit a0e98d48c91f ("Enhance TLS 1.3 support on LibreSSL 3.2/3.3", 2020-12-03) is required for 3.2.2 and 3.2.3 only (and ~3.3.1; however, 3.3 does not have a stable release yet). Since both releases are security fixes, it should be safe to remove that special treatment from our test suite. While we are at it, TestSSL#test_ecdh_curves is split into TLS 1.2 and TLS 1.3 variants for clarity. https://github.com/ruby/openssl/commit/a9954bac22
Notes
Notes: Merged: https://github.com/ruby/ruby/pull/4275
Diffstat (limited to 'test/openssl/test_x509store.rb')
-rw-r--r--test/openssl/test_x509store.rb37
1 files changed, 15 insertions, 22 deletions
diff --git a/test/openssl/test_x509store.rb b/test/openssl/test_x509store.rb
index 897f0f8b82..d6c0e707a2 100644
--- a/test/openssl/test_x509store.rb
+++ b/test/openssl/test_x509store.rb
@@ -32,17 +32,15 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase
assert_equal true, store.verify(cert1)
assert_equal true, store.verify(cert2)
- unless libressl?(3, 2, 2)
- # X509::Store#add_path
- Dir.mktmpdir do |dir|
- hash1 = "%08x.%d" % [cert1_subj.hash, 0]
- File.write(File.join(dir, hash1), cert1.to_pem)
- store = OpenSSL::X509::Store.new
- store.add_path(dir)
-
- assert_equal true, store.verify(cert1)
- assert_equal false, store.verify(cert2)
- end
+ # X509::Store#add_path
+ Dir.mktmpdir do |dir|
+ hash1 = "%08x.%d" % [cert1_subj.hash, 0]
+ File.write(File.join(dir, hash1), cert1.to_pem)
+ store = OpenSSL::X509::Store.new
+ store.add_path(dir)
+
+ assert_equal true, store.verify(cert1)
+ assert_equal false, store.verify(cert2)
end
# OpenSSL < 1.1.1 leaks an error on a duplicate certificate
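Review bot: The re-enabled add_path block ends with `assert_equal false, store.verify(cert2)` but never checks why verification failed, whereas the other hunks in this commit tighten negative results to exact `store.error` codes; a follow-up `assert_equal(OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, store.error)` would pin the expected reason, assuming cert2's issuer is absent from the hashed directory (confirm against the fixtures). The same gap applies to `assert_equal(false, store.verify(ee1_cert))` in the third hunk and `assert_equal(false, store.verify(ee2_cert))` at the end of the last hunk, where a false result with an unexpected error code would still pass. As a point of style, `store = OpenSSL::X509::Store.new` inside the `Dir.mktmpdir` block rebinds the method-level `store` local rather than introducing a block-local one, which is easy to misread. The enclosing test method begins before this hunk.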
@@ -77,8 +75,8 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase
# Nothing trusted
store = OpenSSL::X509::Store.new
assert_equal(false, store.verify(ee1_cert, [ca2_cert, ca1_cert]))
- assert_include([OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN, OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY], store.error)
- assert_match(/self.signed|unable to get local issuer certificate/i, store.error_string)
+ assert_equal(OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN, store.error)
+ assert_match(/self.signed/i, store.error_string)
# CA1 trusted, CA2 missing
store = OpenSSL::X509::Store.new
@@ -188,7 +186,7 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase
store.purpose = OpenSSL::X509::PURPOSE_CRL_SIGN
store.add_cert(ca1_cert)
assert_equal(true, store.verify(ca1_cert))
- assert_equal(libressl?(3, 2, 2), store.verify(ee1_cert))
+ assert_equal(false, store.verify(ee1_cert))
end
def test_verify_validity_period
@@ -284,7 +282,7 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase
store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
store.add_cert(ca1_cert)
assert_equal(false, store.verify(ca2_cert))
- assert_include([OpenSSL::X509::V_ERR_UNABLE_TO_GET_CRL, OpenSSL::X509::V_ERR_UNSPECIFIED], store.error)
+ assert_equal(OpenSSL::X509::V_ERR_UNABLE_TO_GET_CRL, store.error)
# Intermediate CA revoked EE2
store = OpenSSL::X509::Store.new
@@ -324,14 +322,9 @@ class OpenSSL::TestX509Store < OpenSSL::TestCase
store.add_cert(ca2_cert)
store.add_crl(ca1_crl1)
store.add_crl(ca2_crl2) # issued by ca2 but expired
- if libressl?(3, 2, 2)
- assert_equal(false, store.verify(ca2_cert))
- assert_include([OpenSSL::X509::V_ERR_CRL_SIGNATURE_FAILURE, OpenSSL::X509::V_ERR_UNSPECIFIED], store.error)
- else
- assert_equal(true, store.verify(ca2_cert))
- end
+ assert_equal(true, store.verify(ca2_cert))
assert_equal(false, store.verify(ee1_cert))
- assert_include([OpenSSL::X509::V_ERR_CRL_HAS_EXPIRED, OpenSSL::X509::V_ERR_UNSPECIFIED], store.error)
+ assert_equal(OpenSSL::X509::V_ERR_CRL_HAS_EXPIRED, store.error)
assert_equal(false, store.verify(ee2_cert))
end