From 10746875e27ade1cc38caa1d0eb921f38fcb0058 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Mon, 2 May 2022 16:54:13 +0300
Subject: [PATCH] OpenSSL: Allow no OCSP response when resuming a session with TLS 1.3

TLS 1.3 sends the OCSP response with the server Certificate message. Since that Certificate message is not sent when resuming a session, there can be no new OCSP response. Allow this since the OCSP response was validated when checking the initial certificate exchange.

Signed-off-by: Jouni Malinen
---
 src/crypto/tls_openssl.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index f992f8bf9..240b8b8f7 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -4980,6 +4980,17 @@ static int ocsp_resp_cb(SSL *s, void *arg)
 	len = SSL_get_tlsext_status_ocsp_resp(s, &p);
 	if (!p) {
+		if (SSL_version(s) == TLS1_3_VERSION && SSL_session_reused(s)) {
+			/* TLS 1.3 sends the OCSP response with the server
+			 * Certificate message. Since that Certificate message
+			 * is not sent when resuming a session, there can be no
+			 * new OCSP response. Allow this since the OCSP response
+			 * was validated when checking the initial certificate
+			 * exchange. */
+			wpa_printf(MSG_DEBUG,
+				   "OpenSSL: Allow no OCSP response when using TLS 1.3 and a resumed session");
+			return 1;
+		}
 		wpa_printf(MSG_DEBUG, "OpenSSL: No OCSP response received");
 		return (conn->flags & TLS_CONN_REQUIRE_OCSP) ? 0 : 1;
 	}
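Review bot: The added `return 1` in the `SSL_session_reused(s)` branch bypasses the `TLS_CONN_REQUIRE_OCSP` decision on the following line entirely, so the acceptance of a resumed TLS 1.3 session rests on two assumptions the comment does not state: that the session being resumed was established by a handshake that enforced the same OCSP requirement, and that the resumption window (ticket lifetime) is short enough that revocation after the original handshake is tolerable until the session expires. I would extend the comment with something like `/* Relies on the original full handshake having enforced TLS_CONN_REQUIRE_OCSP; a revocation after that handshake is not re-checked until the session is no longer resumable. */` so the trust boundary is explicit for future readers. Separately, `TLS1_3_VERSION` is only defined by OpenSSL builds that support TLS 1.3; if this file is still compiled against older OpenSSL or a fork that lacks it, the new condition needs an `#ifdef TLS1_3_VERSION` guard, which I cannot confirm from the hunk alone. ocsp_resp_cb begins and continues outside the hunk.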