From: Martin Willi <martin@revosec.ch>
Date: Tue, 8 Jan 2013 13:52:04 +0000 (+0100)
Subject: Load multiple comma seperarated certificates in the leftcert option
X-Git-Tag: 5.0.3dr3~37^2~3
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=78af36db50013943d8453c6d78c427f35ac05891;p=thirdparty%2Fstrongswan.git

Load multiple comma seperarated certificates in the leftcert option
---

diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index 9f6124dc99..d0fc9ea55c 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -447,25 +447,42 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 	identity = identification_create_from_string(id);
 	if (cert)
 	{
-		certificate = this->cred->load_peer(this->cred, cert);
-		if (certificate)
+		enumerator_t *enumerator;
+		bool has_subject = FALSE;
+		certificate_t *first = NULL;
+
+		enumerator = enumerator_create_token(cert, ",", " ");
+		while (enumerator->enumerate(enumerator, &cert))
 		{
-			if (local)
-			{
-				this->ca->check_for_hash_and_url(this->ca, certificate);
-			}
-			cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate);
-			if (identity->get_type(identity) == ID_ANY ||
-				!certificate->has_subject(certificate, identity))
+			certificate = this->cred->load_peer(this->cred, cert);
+			if (certificate)
 			{
-				DBG1(DBG_CFG, "  id '%Y' not confirmed by certificate, "
-					 "defaulting to '%Y'", identity,
-					 certificate->get_subject(certificate));
-				identity->destroy(identity);
-				identity = certificate->get_subject(certificate);
-				identity = identity->clone(identity);
+				if (local)
+				{
+					this->ca->check_for_hash_and_url(this->ca, certificate);
+				}
+				cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate);
+				if (!first)
+				{
+					first = certificate;
+				}
+				if (identity->get_type(identity) != ID_ANY &&
+					certificate->has_subject(certificate, identity))
+				{
+					has_subject = TRUE;
+				}
 			}
 		}
+		enumerator->destroy(enumerator);
+
+		if (first && !has_subject)
+		{
+			DBG1(DBG_CFG, "  id '%Y' not confirmed by certificate, "
+				 "defaulting to '%Y'", identity, first->get_subject(first));
+			identity->destroy(identity);
+			identity = first->get_subject(first);
+			identity = identity->clone(identity);
+		}
 	}
 	if (identity->get_type(identity) != ID_ANY)
 	{