From: Tobias Brunner
Date: Fri, 15 Mar 2024 13:40:30 +0000 (+0100)
Subject: ike-cfg: Change how OCSP certificate requests are enabled
X-Git-Tag: 5.9.14~3
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9acd90575aad09d86fafdc803f569fe1d22002af;p=thirdparty%2Fstrongswan.git

ike-cfg: Change how OCSP certificate requests are enabled

The previous option caused such requests to be enabled if not explicitly disabled, which only the vici plugin did, for all other backends requests would have been sent.

References strongswan/strongswan#2016
---
diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c
index 84959934c6..ccc44c9139 100644
--- a/src/libcharon/config/ike_cfg.c
+++ b/src/libcharon/config/ike_cfg.c
@@ -624,7 +624,7 @@ ike_cfg_t *ike_cfg_create(ike_cfg_create_t *data)
 .refcount = 1,
 .version = data->version,
 .certreq = !data->no_certreq,
- .ocsp_certreq = !data->no_ocsp_certreq,
+ .ocsp_certreq = data->ocsp_certreq,
 .force_encap = data->force_encap,
 .fragmentation = data->fragmentation,
 .childless = data->childless,
diff --git a/src/libcharon/config/ike_cfg.h b/src/libcharon/config/ike_cfg.h
index f548242192..9c15815764 100644
--- a/src/libcharon/config/ike_cfg.h
+++ b/src/libcharon/config/ike_cfg.h
@@ -295,8 +295,8 @@ struct ike_cfg_create_t {
 uint16_t remote_port;
 /** TRUE to not send any certificate requests */
 bool no_certreq;
- /** TRUE to not send OCSP status requests */
- bool no_ocsp_certreq;
+ /** TRUE to send OCSP status requests */
+ bool ocsp_certreq;
 /** Enforce UDP encapsulation by faking NATD notify */
 bool force_encap;
 /** Use IKE fragmentation */
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 838fc36060..c858e9945c 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
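Review bot: The new `ocsp_certreq` field's comment in ike_cfg.h only says what TRUE means, but the point of the change is the default: any backend that zero-initializes `ike_cfg_create_t` now gets FALSE and stops sending OCSP status requests, so the header should spell that out, e.g. `/** TRUE to send OCSP status requests (FALSE, the default for a zeroed struct, sends none) */`. The struct now sits a negative flag (`no_certreq`, where zero means requests are sent) directly above a positive one (`ocsp_certreq`, where zero means they are not), so a backend author reading the two lines together could easily assume the same polarity; naming the default in the comment prevents that. The corresponding copy in `ike_cfg_create` (`.ocsp_certreq = data->ocsp_certreq,` in ike_cfg.c) is correct and needs no change. Both `struct ike_cfg_create_t` and `ike_cfg_create` start and end outside their hunks.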
@@ -2672,8 +2672,8 @@ CALLBACK(config_sn, bool,
 .remote = peer.remote_addrs,
 .remote_port = peer.remote_port,
 .no_certreq = !peer.send_certreq,
- .no_ocsp_certreq = peer.ocsp != OCSP_SEND_BOTH &&
- peer.ocsp != OCSP_SEND_REQUEST,
+ .ocsp_certreq = peer.ocsp == OCSP_SEND_BOTH ||
+ peer.ocsp == OCSP_SEND_REQUEST,
 .force_encap = peer.encap,
 .fragmentation = peer.fragmentation,
 .childless = peer.childless,
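Review bot: The two-line initializer `.ocsp_certreq = peer.ocsp == OCSP_SEND_BOTH || peer.ocsp == OCSP_SEND_REQUEST,` is the one place where vici's `ocsp` setting is turned into the decision to ask the peer for OCSP status, and nothing in the hunk says so; a comment such as `/* only these two ocsp modes request OCSP status from the peer; extend if a new OCSP_SEND_* mode should too */` would keep the list from silently going stale. The new condition is the exact negation of the removed `!=`/`&&` form, so vici's behavior is unchanged by this hunk. The `config_sn` callback and the `ike_cfg_create_t` literal it fills start and end outside the hunk.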