Add an admin port command to retrieve the peer certificate. Submitted by Timo Teras.

crypto/dist/ipsec-tools/src/racoon/admin.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: admin.c,v 1.23 2008/06/18 07:04:23 mgrooms Exp $	*/
+/*	$NetBSD: admin.c,v 1.24 2008/06/18 07:12:04 mgrooms Exp $	*/
 
 /* Id: admin.c,v 1.25 2006/04/06 14:31:04 manubsd Exp */
 
@@ -241,6 +241,31 @@ admin_process(so2, combuf)
 		}
 		break;
 
+	case ADMIN_GET_SA_CERT: {
+		struct admin_com_indexes *ndx;
+		struct sockaddr *src, *dst;
+		struct ph1handle *iph1;
+
+		ndx = (struct admin_com_indexes *) ((caddr_t)com + sizeof(*com));
+		src = (struct sockaddr *) &ndx->src;
+		dst = (struct sockaddr *) &ndx->dst;
+
+		if (com->ac_proto != ADMIN_PROTO_ISAKMP) {
+			ac_errno = ENOTSUP;
+			break;
+		}
+
+		iph1 = getph1byaddrwop(src, dst);
+		if (iph1 == NULL) {
+			ac_errno = ENOENT;
+			break;
+		}
+
+		if (iph1->cert_p != NULL)
+			buf = vdup(&iph1->cert_p->cert);
+		break;
+	}
+
 	case ADMIN_FLUSH_SA:
 		switch (com->ac_proto) {
 		case ADMIN_PROTO_ISAKMP:

crypto/dist/ipsec-tools/src/racoon/admin.h

@@ -1,4 +1,4 @@
-/*	$NetBSD: admin.h,v 1.5 2008/03/06 00:34:11 mgrooms Exp $	*/
+/*	$NetBSD: admin.h,v 1.6 2008/06/18 07:12:04 mgrooms Exp $	*/
 
 /* Id: admin.h,v 1.11 2005/06/19 22:37:47 manubsd Exp */
 
@@ -80,6 +80,8 @@ struct admin_com {
 #define ADMIN_ESTABLISH_SA	0x0202
 #define ADMIN_DELETE_ALL_SA_DST	0x0204	/* All SA for a given peer */
 
+#define ADMIN_GET_SA_CERT	0x0206
+
 /*
  * The admin_com_indexes and admin_com_psk follow, see below.
  */

crypto/dist/ipsec-tools/src/racoon/racoonctl.8

@@ -1,4 +1,4 @@
-.\"	$NetBSD: racoonctl.8,v 1.16 2008/03/06 00:46:04 mgrooms Exp $
+.\"	$NetBSD: racoonctl.8,v 1.17 2008/06/18 07:12:04 mgrooms Exp $
 .\"
 .\" Id: racoonctl.8,v 1.6 2006/05/07 21:32:59 manubsd Exp
 .\"
@@ -47,6 +47,10 @@ show-schedule
 show-sa
 .Op isakmp|esp|ah|ipsec
 .Nm
+get-sa-cert
+.Op inet|inet6
+.Ar src dst
+.Nm
 flush-sa
 .Op isakmp|esp|ah|ipsec
 .Nm
@@ -99,6 +103,15 @@ IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs.
 Use
 .Fl l
 to increase verbosity.
+.It Xo get-sa-cert
+.Oo inet|inet6
+.Oc Ar src dst
+.Xc
+Output the raw certificate that was used to authenticate the phase 1
+matching
+.Ar src
+and
+.Ar dst .
 .It flush-sa Op isakmp|esp|ah|ipsec
 is used to flush all SAs if no SA class is provided, or a class of SAs,
 either ISAKMP SAs, IPsec ESP SAs, IPsec AH SAs, or all IPsec SAs.

crypto/dist/ipsec-tools/src/racoon/racoonctl.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: racoonctl.c,v 1.11 2008/06/18 06:27:49 mgrooms Exp $	*/
+/*	$NetBSD: racoonctl.c,v 1.12 2008/06/18 07:12:04 mgrooms Exp $	*/
 
 /*	Id: racoonctl.c,v 1.11 2006/04/06 17:06:25 manubsd Exp */
 
@@ -93,6 +93,7 @@ static int handle_recv __P((vchar_t *));
 static vchar_t *f_reload __P((int, char **));
 static vchar_t *f_getsched __P((int, char **));
 static vchar_t *f_getsa __P((int, char **));
+static vchar_t *f_getsacert __P((int, char **));
 static vchar_t *f_flushsa __P((int, char **));
 static vchar_t *f_deletesa __P((int, char **));
 static vchar_t *f_exchangesa __P((int, char **));
@@ -113,6 +114,8 @@ struct cmd_tag {
 	{ f_getsched,	"sc" },
 	{ f_getsa,	"show-sa" },
 	{ f_getsa,	"ss" },
+	{ f_getsacert,	"get-cert" },
+	{ f_getsacert,	"gc" },
 	{ f_flushsa,	"flush-sa" },
 	{ f_flushsa,	"fs" },
 	{ f_deletesa,	"delete-sa" },
@@ -412,6 +415,30 @@ f_getsa(ac, av)
 	return make_request(ADMIN_SHOW_SA, proto, 0);
 }
 
+static vchar_t *
+f_getsacert(ac, av)
+	int ac;
+	char **av;
+{
+	vchar_t *buf, *index;
+	struct admin_com_indexes *com;
+
+	index = get_index(ac, av);
+	if (index == NULL)
+		return NULL;
+
+	com = (struct admin_com_indexes *) index->v;
+	buf = make_request(ADMIN_GET_SA_CERT, ADMIN_PROTO_ISAKMP, index->l);
+	if (buf == NULL)
+		errx(1, "Cannot allocate buffer");
+
+	memcpy(buf->v+sizeof(struct admin_com), index->v, index->l);
+
+	vfree(index);
+
+	return buf;
+}
+
 static vchar_t *
 f_flushsa(ac, av)
 	int ac;
@@ -1408,6 +1435,10 @@ handle_recv(combuf)
 		break;
 	}
 
+	case ADMIN_GET_SA_CERT:
+		fwrite(buf, len, 1, stdout);
+		break;
+
 	case ADMIN_SHOW_SA:
 	   {
 		switch (com->ac_proto) {