From af5452ba765be92e8bc68f51e4671aa7456856d6 Mon Sep 17 00:00:00 2001
From: Tobias Brunner <tobias@strongswan.org>
Date: Fri, 8 Feb 2013 11:24:39 +0100
Subject: [PATCH] Allow more than one CERTREQ payload for IKEv2

There is no reason not to do so (RFC 5996 explicitly mentions multiple
CERTREQ payloads) and some implementations seem to use the same behavior
as had to be used with IKEv1 (i.e. each CA in its own CERTREQ payload).
---
 src/libcharon/encoding/message.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c
index 28fdda7353..ca964d7499 100644
--- a/src/libcharon/encoding/message.c
+++ b/src/libcharon/encoding/message.c
@@ -151,7 +151,7 @@ static payload_rule_t ike_sa_init_r_rules[] = {
 	{SECURITY_ASSOCIATION,			1,	1,						FALSE,	FALSE},
 	{KEY_EXCHANGE,					1,	1,						FALSE,	FALSE},
 	{NONCE,							1,	1,						FALSE,	FALSE},
-	{CERTIFICATE_REQUEST,			0,	1,						FALSE,	FALSE},
+	{CERTIFICATE_REQUEST,			0,	MAX_CERTREQ_PAYLOADS,	FALSE,	FALSE},
 	{VENDOR_ID,						0,	MAX_VID_PAYLOADS,		FALSE,	FALSE},
 };
 
@@ -181,7 +181,7 @@ static payload_rule_t ike_auth_i_rules[] = {
 	{AUTHENTICATION,				0,	1,						TRUE,	TRUE},
 	{ID_INITIATOR,					0,	1,						TRUE,	FALSE},
 	{CERTIFICATE,					0,	MAX_CERT_PAYLOADS,		TRUE,	FALSE},
-	{CERTIFICATE_REQUEST,			0,	1,						TRUE,	FALSE},
+	{CERTIFICATE_REQUEST,			0,	MAX_CERTREQ_PAYLOADS,	TRUE,	FALSE},
 	{ID_RESPONDER,					0,	1,						TRUE,	FALSE},
 #ifdef ME
 	{SECURITY_ASSOCIATION,			0,	1,						TRUE,	FALSE},
-- 
2.47.2