From: Jouni Malinen
Date: Wed, 4 May 2022 21:35:47 +0000 (+0300)
Subject: OpenSSL: Fix build with old library versions that do not support TLS 1.3
X-Git-Tag: hostap_2_11~1954
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c8e822801d48317bb6293d076d15a105f58557e4;p=thirdparty%2Fhostap.git
OpenSSL: Fix build with old library versions that do not support TLS 1.3
The OCSP check here is specific to TLS 1.3 and the TLS1_3_VERSION value is not available in older library versions. Comment this check out from such cases since it is not applicable with such an old library.
Fixes: 10746875e27a ("OpenSSL: Allow no OCSP response when resuming a session with TLS 1.3")
Signed-off-by: Jouni Malinen
---
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 81c93c139..6602ac64f 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -5003,6 +5003,8 @@ static int ocsp_resp_cb(SSL *s, void *arg)
 len = SSL_get_tlsext_status_ocsp_resp(s, &p);
 if (!p) {
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
+#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER >= 0x30400000L
 if (SSL_version(s) == TLS1_3_VERSION && SSL_session_reused(s)) {
 /* TLS 1.3 sends the OCSP response with the server
 * Certificate message. Since that Certificate message
@@ -5014,6 +5016,8 @@ static int ocsp_resp_cb(SSL *s, void *arg)
 "OpenSSL: Allow no OCSP response when using TLS 1.3 and a resumed session");
 return 1;
 }
+#endif
+#endif
 wpa_printf(MSG_DEBUG, "OpenSSL: No OCSP response received");
 return (conn->flags & TLS_CONN_REQUIRE_OCSP) ? 0 : 1;
 }
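Review bot: The two nested `#if` lines added above the `SSL_version(s) == TLS1_3_VERSION` test, and the two bare `#endif` lines in the second hunk, never say that together they mean "this library provides TLS 1.3". That is worth spelling out because they fence an exception to the OCSP requirement. I would add `/* TLS1_3_VERSION is not defined by older library versions */` above the first `#if` and label the closers, e.g. `#endif /* LibreSSL version check */` and `#endif /* OPENSSL_VERSION_NUMBER >= 0x10101000L */`. When the block is compiled out, a missing response falls through to the `TLS_CONN_REQUIRE_OCSP` return at the end of the second hunk, so old-library builds keep the stricter path; a short comment saying so would save the next reader from re-deriving it. `ocsp_resp_cb` starts before the first hunk and the guarded block's comment continues between the hunks, so this rests only on the lines shown.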