Allow more than one CERTREQ payload for IKEv2
authorTobias Brunner <tobias@strongswan.org>
Fri, 8 Feb 2013 10:24:39 +0000 (11:24 +0100)
committerTobias Brunner <tobias@strongswan.org>
Fri, 8 Feb 2013 10:28:56 +0000 (11:28 +0100)
There is no reason not to do so (RFC 5996 explicitly mentions multiple
CERTREQ payloads) and some implementations seem to use the same behavior
as had to be used with IKEv1 (i.e. each CA in its own CERTREQ payload).

src/libcharon/encoding/message.c

index 28fdda7353904b9b616a0502c265cbf56fa03643..ca964d7499a2f0783be7d9d0752311f03e36e725 100644 (file)
@@ -151,7 +151,7 @@ static payload_rule_t ike_sa_init_r_rules[] = {
        {SECURITY_ASSOCIATION,                  1,      1,                                              FALSE,  FALSE},
        {KEY_EXCHANGE,                                  1,      1,                                              FALSE,  FALSE},
        {NONCE,                                                 1,      1,                                              FALSE,  FALSE},
-       {CERTIFICATE_REQUEST,                   0,      1,                                              FALSE,  FALSE},
+       {CERTIFICATE_REQUEST,                   0,      MAX_CERTREQ_PAYLOADS,   FALSE,  FALSE},
        {VENDOR_ID,                                             0,      MAX_VID_PAYLOADS,               FALSE,  FALSE},
 };
 
@@ -181,7 +181,7 @@ static payload_rule_t ike_auth_i_rules[] = {
        {AUTHENTICATION,                                0,      1,                                              TRUE,   TRUE},
        {ID_INITIATOR,                                  0,      1,                                              TRUE,   FALSE},
        {CERTIFICATE,                                   0,      MAX_CERT_PAYLOADS,              TRUE,   FALSE},
-       {CERTIFICATE_REQUEST,                   0,      1,                                              TRUE,   FALSE},
+       {CERTIFICATE_REQUEST,                   0,      MAX_CERTREQ_PAYLOADS,   TRUE,   FALSE},
        {ID_RESPONDER,                                  0,      1,                                              TRUE,   FALSE},
 #ifdef ME
        {SECURITY_ASSOCIATION,                  0,      1,                                              TRUE,   FALSE},
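Review bot: The CERTIFICATE_REQUEST row in ike_sa_init_r_rules now accepts up to MAX_CERTREQ_PAYLOADS payloads in a message whose row flags are both FALSE (these appear to be the encrypted and sufficient columns of payload_rule_t), so that constant becomes the only cap on how many CA-hash lists a not-yet-authenticated peer can make the initiator parse. Its definition is outside these hunks; it is worth confirming the value is small and that the CERTREQ processing code handles the same CA hash repeated across several payloads without repeating credential lookups. A one-line comment on the changed rows would record the intent, e.g. `/* RFC 5996 permits several CERTREQs; count bounded by MAX_CERTREQ_PAYLOADS */`. The matching row in ike_auth_i_rules is less exposed because it is marked TRUE in the encrypted column; both rule arrays begin outside the hunks shown, and ike_auth_i_rules also continues past the end of its hunk.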