Commit e914e61

Remove status bits from OpenSSL >=3 version check.
OpenSSL traditionally did not guarantee ABI compatibility across release (and development) versions. Because of this, OpenSSH checked the lower 4 "status" bits returned by OpenSSL_version_num(), which were originally set to 0 for development versions and 0xf for release versions and, if they did not match, would report the discrepancy and exit. OpenSSL (unintentionally) changed these bits in the 3.0.0 and subsequent 3.x releases, setting them to zero in the release versions (which happened to also match the documentation), then changed them back in the 3.5.3 release. If OpenSSL was upgraded to (or from) this version without recompiling OpenSSH, it would cause OpenSSH to flag it as potentially incompatible and refuse to use it. Ultimately OpenSSL rolled this back, but the check now has no value so is being removed for OpenSSL versions >=3. bz#3865 and openssl/openssl#28575, ok djm@
1 parent 35f3e2a commit e914e61

1 file changed

+5
-4
lines changed

openbsd-compat/openssl-compat.c

Lines changed: 5 additions & 4 deletions
@@ -32,7 +32,8 @@
3232
#include "openssl-compat.h"
3333

3434
/*
35-
* OpenSSL version numbers: MNNFFPPS: major minor fix patch status
35+
* OpenSSL version numbers: MNNFFPPS: major minor fix patch status.
36+
* See the OpenSSL_version_num(3ssl) man page.
3637
* Versions >=3 require only major versions to match.
3738
* For versions <3, we accept compatible fix versions (so we allow 1.0.1
3839
* to work with 1.0.0). Going backwards is only allowed within a patch series.
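Review bot: the header comment still lists the trailing S (status) nibble of MNNFFPPS as part of the layout but does not say that it is no longer compared for versions >=3. The sentence "Versions >=3 require only major versions to match." would be clearer if it stated outright that the status nibble is ignored there, because the new pointer to OpenSSL_version_num(3ssl) does not by itself explain why the >=3 rule differs from the <3 rules described on the following lines.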
@@ -49,10 +50,10 @@ ssh_compatible_openssl(long headerver, long libver)
4950
return 1;
5051

5152
/*
52-
* For versions >= 3.0, only the major and status must match.
53+
* For versions >= 3.0, only the major must match.
5354
*/
54-
if (headerver >= 0x3000000f) {
55-
mask = 0xf000000fL; /* major,status */
55+
if (headerver >= 0x30000000) {
56+
mask = 0xf0000000L; /* major only */
5657
return (headerver & mask) == (libver & mask);
5758
}
5859
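Review bot: the mask change to 0xf0000000L arrives without a test; this commit touches only openbsd-compat/openssl-compat.c. A regression case that calls ssh_compatible_openssl() with a >=3 header version and a library version differing only in the low nibble (0 versus 0xf) and expects 1 would pin the behaviour the commit message describes. Separately, lowering the bound from 0x3000000f to 0x30000000 means header values 0x30000000 through 0x3000000e now take this branch instead of falling through to the <3 rules; if that is intended, a word in the comment above the if would help the next reader.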
