From: Tobias Brunner <tobias@strongswan.org>
Date: Fri, 8 Feb 2013 10:24:39 +0000 (+0100)
Subject: Allow more than one CERTREQ payload for IKEv2
X-Git-Tag: 5.0.3dr1~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=af5452ba765be92e8bc68f51e4671aa7456856d6;p=thirdparty%2Fstrongswan.git

Allow more than one CERTREQ payload for IKEv2

There is no reason not to do so (RFC 5996 explicitly mentions multiple
CERTREQ payloads) and some implementations seem to use the same behavior
as had to be used with IKEv1 (i.e. each CA in its own CERTREQ payload).
---

diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c
index 28fdda7353..ca964d7499 100644
--- a/src/libcharon/encoding/message.c
+++ b/src/libcharon/encoding/message.c
@@ -151,7 +151,7 @@ static payload_rule_t ike_sa_init_r_rules[] = {
 	{SECURITY_ASSOCIATION,			1,	1,						FALSE,	FALSE},
 	{KEY_EXCHANGE,					1,	1,						FALSE,	FALSE},
 	{NONCE,							1,	1,						FALSE,	FALSE},
-	{CERTIFICATE_REQUEST,			0,	1,						FALSE,	FALSE},
+	{CERTIFICATE_REQUEST,			0,	MAX_CERTREQ_PAYLOADS,	FALSE,	FALSE},
 	{VENDOR_ID,						0,	MAX_VID_PAYLOADS,		FALSE,	FALSE},
 };
 
@@ -181,7 +181,7 @@ static payload_rule_t ike_auth_i_rules[] = {
 	{AUTHENTICATION,				0,	1,						TRUE,	TRUE},
 	{ID_INITIATOR,					0,	1,						TRUE,	FALSE},
 	{CERTIFICATE,					0,	MAX_CERT_PAYLOADS,		TRUE,	FALSE},
-	{CERTIFICATE_REQUEST,			0,	1,						TRUE,	FALSE},
+	{CERTIFICATE_REQUEST,			0,	MAX_CERTREQ_PAYLOADS,	TRUE,	FALSE},
 	{ID_RESPONDER,					0,	1,						TRUE,	FALSE},
 #ifdef ME
 	{SECURITY_ASSOCIATION,			0,	1,						TRUE,	FALSE},