From 9acd90575aad09d86fafdc803f569fe1d22002af Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Fri, 15 Mar 2024 14:40:30 +0100
Subject: [PATCH] ike-cfg: Change how OCSP certificate requests are enabled

The previous option caused such requests to be enabled if not explicitly disabled, which only the vici plugin did, for all other backends requests would have been sent.

References strongswan/strongswan#2016
---
 src/libcharon/config/ike_cfg.c | 2 +-
 src/libcharon/config/ike_cfg.h | 4 ++--
 src/libcharon/plugins/vici/vici_config.c | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c
index 84959934c6..ccc44c9139 100644
--- a/src/libcharon/config/ike_cfg.c
+++ b/src/libcharon/config/ike_cfg.c
@@ -624,7 +624,7 @@ ike_cfg_t *ike_cfg_create(ike_cfg_create_t *data)
 .refcount = 1,
 .version = data->version,
 .certreq = !data->no_certreq,
- .ocsp_certreq = !data->no_ocsp_certreq,
+ .ocsp_certreq = data->ocsp_certreq,
 .force_encap = data->force_encap,
 .fragmentation = data->fragmentation,
 .childless = data->childless,
diff --git a/src/libcharon/config/ike_cfg.h b/src/libcharon/config/ike_cfg.h
index f548242192..9c15815764 100644
--- a/src/libcharon/config/ike_cfg.h
+++ b/src/libcharon/config/ike_cfg.h
@@ -295,8 +295,8 @@ struct ike_cfg_create_t {
 uint16_t remote_port;
 /** TRUE to not send any certificate requests */
 bool no_certreq;
- /** TRUE to not send OCSP status requests */
- bool no_ocsp_certreq;
+ /** TRUE to send OCSP status requests */
+ bool ocsp_certreq;
 /** Enforce UDP encapsulation by faking NATD notify */
 bool force_encap;
 /** Use IKE fragmentation */
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 838fc36060..c858e9945c 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
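Review bot: The new Doxygen comment on `ocsp_certreq` in ike_cfg.h states the flag's meaning but not the consequence of the polarity flip: the field is now opt-in, so any backend that zero-initializes `ike_cfg_create_t` and was not updated stops sending OCSP status requests, while `no_certreq` two fields above keeps the opposite opt-out polarity. Suggest `/** TRUE to send OCSP status requests (not sent by default, unlike plain certificate requests controlled by no_certreq) */` so the mixed polarity is visible at the declaration rather than only in ike_cfg.c's initializer (hunk 1) and the vici expression (hunk 3). Whether the commit message's claim that only vici ever set the old field holds for the remaining backends is not verifiable from these hunks; the diffstat touches no other config backend. The `ike_cfg_create_t` struct and the `ike_cfg_create` function both begin and end outside their hunks.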
@@ -2672,8 +2672,8 @@ CALLBACK(config_sn, bool,
 .remote = peer.remote_addrs,
 .remote_port = peer.remote_port,
 .no_certreq = !peer.send_certreq,
- .no_ocsp_certreq = peer.ocsp != OCSP_SEND_BOTH &&
- peer.ocsp != OCSP_SEND_REQUEST,
+ .ocsp_certreq = peer.ocsp == OCSP_SEND_BOTH ||
+ peer.ocsp == OCSP_SEND_REQUEST,
 .force_encap = peer.encap,
 .fragmentation = peer.fragmentation,
 .childless = peer.childless,
-- 
2.47.2