Add BoringSSL API_VERSION guard around SSL_CREDENTIAL call

TlsServerConnection::SetCertChain() had a BoringSSL version guard around the call to set the trust anchor IDs. This change puts the adjacent SSL_CREDENTIAL calls behind the same version guard.

Thanks to Dimitri John Ledkov for the change; see https://github.com/google/quiche/pull/93.

This does not affect production GFE because GFE's already on an up-to-date BoringSSL.

PiperOrigin-RevId: 797480658
diff --git a/quiche/quic/core/crypto/tls_server_connection.cc b/quiche/quic/core/crypto/tls_server_connection.cc
index 80a3aa7..bedfa30 100644
--- a/quiche/quic/core/crypto/tls_server_connection.cc
+++ b/quiche/quic/core/crypto/tls_server_connection.cc
@@ -76,6 +76,7 @@
 void TlsServerConnection::SetCertChain(
     const std::vector<CRYPTO_BUFFER*>& cert_chain,
     const std::string& trust_anchor_id) {
+#if defined(BORINGSSL_API_VERSION) && BORINGSSL_API_VERSION >= 36
   if (GetQuicReloadableFlag(enable_tls_trust_anchor_ids)) {
     QUIC_RELOADABLE_FLAG_COUNT_N(enable_tls_trust_anchor_ids, 1, 2);
     bssl::UniquePtr<SSL_CREDENTIAL> credential(SSL_CREDENTIAL_new_x509());
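Review bot: The `#if` added at the top of SetCertChain has no comment explaining the threshold of 36, and it now gates the whole SSL_CREDENTIAL path rather than only the trust-anchor call it guarded before. I would add above it `// SSL_CREDENTIAL_set1_trust_anchor_id needs BORINGSSL_API_VERSION >= 36; older builds always take the SSL_set_chain_and_key path.` The comment would also make it explicit that on such builds the enable_tls_trust_anchor_ids flag is never read. The function body continues outside this hunk.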
@@ -88,7 +89,6 @@
     }
     SSL_CREDENTIAL_set_private_key_method(
         credential.get(), &TlsServerConnection::kPrivateKeyMethod);
-#if defined(BORINGSSL_API_VERSION) && BORINGSSL_API_VERSION >= 36
     if (!trust_anchor_id.empty()) {
       SSL_CREDENTIAL_set1_trust_anchor_id(
           credential.get(),
@@ -96,10 +96,11 @@
           trust_anchor_id.size());
       SSL_CREDENTIAL_set_must_match_issuer(credential.get(), 1);
     }
-#else
-    (void)trust_anchor_id;  // Suppress unused parameter error.
-#endif
     SSL_add1_credential(ssl(), credential.get());
+#else
+  (void)trust_anchor_id;  // Suppress unused parameter error.
+  if (false) {
+#endif
   } else {
     SSL_set_chain_and_key(ssl(), cert_chain.data(), cert_chain.size(), nullptr,
                           &TlsServerConnection::kPrivateKeyMethod);
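Review bot: In the `#else` branch a non-empty `trust_anchor_id` is discarded with only a `(void)` cast. A build against BoringSSL older than API version 36 therefore installs the chain through SSL_set_chain_and_key without the must-match-issuer restriction, and the operator gets no signal. I would keep the cast and add a log beside it, for example `QUIC_DLOG_IF(WARNING, !trust_anchor_id.empty()) << "trust_anchor_id ignored: BoringSSL API version < 36";`, assuming the QUIC logging header is already included in this file. The `if (false) {` opener exists only to pair with the `} else {` after `#endif` and deserves a comment saying so, e.g. `// Dead branch: keeps the braces balanced with the else below.` The else body continues past the end of this hunk.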