authorEric Faurot <eric@cvs.openbsd.org>2013-11-13 08:39:34 +0000
committerEric Faurot <eric@cvs.openbsd.org>2013-11-13 08:39:34 +0000
commitc140808d72350873a5cff69f70aebf359a21f3c2 (patch)
treea7bd19f63becbb3c75008d1ff9f935ce92077171 /usr.sbin/smtpd
parenta25f8f69ad947dc4263580da60934aedead78dbf (diff)
Fix case-folding issue with pki names. They are case-insensitive.
Make sure a pki entry exists when used in a listen or relay rule.
Diffstat (limited to 'usr.sbin/smtpd')
-rw-r--r--usr.sbin/smtpd/lka.c10
-rw-r--r--usr.sbin/smtpd/parse.y39
2 files changed, 36 insertions, 13 deletions
diff --git a/usr.sbin/smtpd/lka.c b/usr.sbin/smtpd/lka.c
index 1f9153566ba..95fdf332034 100644
--- a/usr.sbin/smtpd/lka.c
+++ b/usr.sbin/smtpd/lka.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: lka.c,v 1.158 2013/11/06 10:01:29 eric Exp $ */
+/* $OpenBSD: lka.c,v 1.159 2013/11/13 08:39:33 eric Exp $ */
/*
* Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
@@ -127,7 +127,9 @@ lka_imsg(struct mproc *p, struct imsg *imsg)
req_ca_cert = imsg->data;
resp_ca_cert.reqid = req_ca_cert->reqid;
- ssl = dict_get(env->sc_ssl_dict, req_ca_cert->name);
+ xlowercase(buf, req_ca_cert->name, sizeof(buf));
+ log_debug("debug: lka: looking up pki \"%s\"", buf);
+ ssl = dict_get(env->sc_ssl_dict, buf);
if (ssl == NULL) {
resp_ca_cert.status = CA_FAIL;
m_compose(p, IMSG_LKA_SSL_INIT, 0, 0, -1, &resp_ca_cert,
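Review bot: `xlowercase` is applied to `req_ca_cert->name`, a field read straight from the imsg payload, and neither the declaration of `buf` nor any length or NUL-termination check on that name is visible in this hunk. If `xlowercase` aborts on truncation, as its unchecked use here and the checked `lowercase` calls in parse.y suggest, an overlong name sent by the peer process would terminate the lookup process instead of producing the `CA_FAIL` reply that the following lines already build. Consider `if (!lowercase(buf, req_ca_cert->name, sizeof(buf))) ssl = NULL; else ssl = dict_get(env->sc_ssl_dict, buf);` so a bad name takes the existing `ssl == NULL` branch. The same applies to the second lookup in the hunk at `@@ -246,7 +248,9 @@`; `lka_imsg` starts and ends outside both hunks.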
@@ -246,7 +248,9 @@ lka_imsg(struct mproc *p, struct imsg *imsg)
req_ca_cert = imsg->data;
resp_ca_cert.reqid = req_ca_cert->reqid;
- ssl = dict_get(env->sc_ssl_dict, req_ca_cert->name);
+ xlowercase(buf, req_ca_cert->name, sizeof(buf));
+ log_debug("debug: lka: looking up pki \"%s\"", buf);
+ ssl = dict_get(env->sc_ssl_dict, buf);
if (ssl == NULL) {
resp_ca_cert.status = CA_FAIL;
m_compose(p, IMSG_LKA_SSL_INIT, 0, 0, -1, &resp_ca_cert,
diff --git a/usr.sbin/smtpd/parse.y b/usr.sbin/smtpd/parse.y
index 83875ee924e..3f647ca3254 100644
--- a/usr.sbin/smtpd/parse.y
+++ b/usr.sbin/smtpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.126 2013/11/06 10:01:29 eric Exp $ */
+/* $OpenBSD: parse.y,v 1.127 2013/11/13 08:39:33 eric Exp $ */
/*
* Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -408,10 +408,18 @@ opt_relay_common: AS STRING {
sizeof rule->r_value.relayhost.helotable);
}
| PKI STRING {
- if (strlcpy(rule->r_value.relayhost.cert, $2,
- sizeof(rule->r_value.relayhost.cert))
- >= sizeof(rule->r_value.relayhost.cert))
- fatal("certificate path too long");
+ if (! lowercase(rule->r_value.relayhost.cert, $2,
+ sizeof(rule->r_value.relayhost.cert))) {
+ yyerror("pki name too long: %s", $2);
+ free($2);
+ YYERROR;
+ }
+ if (dict_get(conf->sc_ssl_dict,
+ rule->r_value.relayhost.cert) == NULL) {
+ log_warnx("pki name not found: %s", $2);
+ free($2);
+ YYERROR;
+ }
free($2);
}
;
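Review bot: The not-found branch reports through `log_warnx` while the too-long branch just above it uses `yyerror`, so the two configuration errors in this one action are reported through different channels. If `yyerror` is where this grammar attaches the file name and line number, the operator loses that context for the missing-pki case. I would write `yyerror("pki name not found: %s", $2);` there. The `dict_get` check also means the pki entry has to be parsed before any relay rule that names it, which deserves a short comment above the lookup such as `/* pki entries must be declared before the rules that use them */`.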
@@ -563,13 +571,15 @@ main : BOUNCEWARN {
} filter_list
;
| PKI STRING {
- pki_ssl = dict_get(conf->sc_ssl_dict, $2);
+ char buf[MAXHOSTNAMELEN];
+ xlowercase(buf, $2, sizeof(buf));
+ free($2);
+ pki_ssl = dict_get(conf->sc_ssl_dict, buf);
if (pki_ssl == NULL) {
pki_ssl = xcalloc(1, sizeof *pki_ssl, "parse:pki");
- xlowercase(pki_ssl->ssl_name, $2, sizeof pki_ssl->ssl_name);
+ strlcpy(pki_ssl->ssl_name, buf, sizeof(pki_ssl->ssl_name));
dict_set(conf->sc_ssl_dict, pki_ssl->ssl_name, pki_ssl);
}
- free($2);
} pki
;
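Review bot: The result of `strlcpy` into `pki_ssl->ssl_name` is not checked, and `buf` is sized by `MAXHOSTNAMELEN` rather than by the destination. The declaration of `ssl_name` is not visible here; if it is shorter than `buf`, the name stored as the dictionary key would be silently truncated and would no longer match the `buf` used for `dict_get`, so later lookups of the same name would miss. Declaring the buffer as `char buf[sizeof(pki_ssl->ssl_name)];` ties the two sizes together and lets `xlowercase` catch the overflow before the copy. Separately, an overlong name is handled here by `xlowercase`, whereas the relay rule in this commit reports it with `yyerror` and `YYERROR`; using `lowercase` with the same error path would make the two consistent.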
@@ -1698,8 +1708,17 @@ config_listener(struct listener *h, struct listen_opts *lo)
if (lo->authtable != NULL)
(void)strlcpy(h->authtable, lo->authtable->t_name, sizeof(h->authtable));
- if (lo->pki != NULL)
- (void)strlcpy(h->ssl_cert_name, lo->pki, sizeof(h->ssl_cert_name));
+ if (lo->pki != NULL) {
+ if (! lowercase(h->ssl_cert_name, lo->pki,
+ sizeof(h->ssl_cert_name))) {
+ log_warnx("pki name too long: %s", lo->pki);
+ fatalx(NULL);
+ }
+ if (dict_get(conf->sc_ssl_dict, h->ssl_cert_name) == NULL) {
+ log_warnx("pki name not found: %s", lo->pki);
+ fatalx(NULL);
+ }
+ }
if (lo->tag != NULL)
(void)strlcpy(h->tag, lo->tag, sizeof(h->tag));
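Review bot: A missing or overlong pki name on the listen path ends in `fatalx(NULL)`, while the relay rule changed in this same commit reports the identical mistakes through `YYERROR`, so the same misconfiguration is a parse error in one place and a process abort in the other. The return type of `config_listener` is outside the hunk, so whether it can propagate an error to the grammar cannot be judged from here. If the abort is intentional, a comment above the block would record it, for example `/* pki names are stored lowercased; an unknown name is fatal because no error can be returned from here */`. `config_listener` starts and ends outside the hunk.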