authorMatthias Andree <matthias.andree@gmx.de>2021-11-20 14:47:44 +0100
committerMatthias Andree <matthias.andree@gmx.de>2021-11-20 16:28:41 +0100
commit781d5a820df9aec9b6dbfe86fa1e7ef1f5112b47 (patch)
treecb32c820c8c004c6e9dd400618fd1f8b68ca09da
parent8fcffe46b231ddcc0305a36bf7f9aaf27c7e1a50 (diff)
downloadfetchmail-781d5a820df9aec9b6dbfe86fa1e7ef1f5112b47.tar.gz
fetchmail-781d5a820df9aec9b6dbfe86fa1e7ef1f5112b47.tar.bz2
fetchmail-781d5a820df9aec9b6dbfe86fa1e7ef1f5112b47.zip
Fix X509_V_FLAG_TRUSTED_FIRST OpenSSL 1.0.2 workaround
The original comparison contained a typo, 0x1000200fL == (ver & 0xfffff000L), and could never match. Fix it, and also perform the match at compile time so that this flag is not even referenced on other OpenSSL versions.
-rw-r--r--NEWS4
-rw-r--r--socket.c11
2 files changed, 10 insertions, 5 deletions
diff --git a/NEWS b/NEWS
index f75000ce..8e5bc68d 100644
--- a/NEWS
+++ b/NEWS
@@ -101,6 +101,10 @@ fetchmail-6.4.25 (not yet released):
release, and 1.0.2u is publicly available from
https://www.openssl.org/source/old/1.0.2/
+# BUG FIXES
+* 6.4.24's workaround for OpenSSL 1.0.2's X509_V_FLAG_TRUSTED_FIRST flag
+ contained a typo and would not kick in properly.
+
--------------------------------------------------------------------------------
fetchmail-6.4.24 (released 2021-11-20, 30218 LoC):
diff --git a/socket.c b/socket.c
index 1d022689..0b762411 100644
--- a/socket.c
+++ b/socket.c
@@ -1225,16 +1225,17 @@ int SSLOpen(int sock, char *mycert, char *mykey, const char *myproto, int certck
ERR_print_errors_fp(stderr);
}
+#if (OPENSSL_VERSION_NUMBER & 0xfffff000L) == 0x10002000
+#pragma message "enabling OpenSSL 1.0.2 X509_V_FLAG_TRUSTED_FIRST flag setter"
/* OpenSSL 1.0.2 and 1.0.2 only:
* work around Let's Encrypt Cross-Signing Certificate Expiry,
* https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
* Workaround #2 */
- /* OpenSSL 1.x.x: 0xMNNFFPPSL: major minor fix patch status
- * OpenSSL 3.0.0: 0xMNN00PPSL: synthesized */
+ /* OpenSSL 1.x.y: 0xMNNFFPPSL: major minor fix patch status
+ * OpenSSL 3.0.z: 0xMNN00PPSL: synthesized */
/* 0xMNNFFPPsL 0xMNNFFPPsL */
- if (0x1000200fL == (ver & 0xfffff000L)) {
- X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_TRUSTED_FIRST);
- }
+ X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_TRUSTED_FIRST);
+#endif
/* param is a pointer to internal OpenSSL data, must not be freed,
* and just goes out of scope */