- Fix #1353: auth-zone can not use empty label for $ORIGIN when
authorW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Mon, 29 Sep 2025 12:24:31 +0000 (14:24 +0200)
committerW.C.A. Wijngaards <wouter@nlnetlabs.nl>
Mon, 29 Sep 2025 12:24:31 +0000 (14:24 +0200)
  http download.

doc/Changelog
services/authzone.c
testdata/auth_https_origin.tdir/127.0.0.1/example.com.zone [new file with mode: 0644]
testdata/auth_https_origin.tdir/auth_https_origin.conf [new file with mode: 0644]
testdata/auth_https_origin.tdir/auth_https_origin.dsc [new file with mode: 0644]
testdata/auth_https_origin.tdir/auth_https_origin.post [new file with mode: 0644]
testdata/auth_https_origin.tdir/auth_https_origin.pre [new file with mode: 0644]
testdata/auth_https_origin.tdir/auth_https_origin.test [new file with mode: 0644]
testdata/auth_https_origin.tdir/petal.key [new file with mode: 0644]
testdata/auth_https_origin.tdir/petal.pem [new file with mode: 0644]

index 532cbdb4b74701c3f3f302affda9df98ab1c02f7..2b958843fda121b211ca618ef4f0c8c923e5c62e 100644 (file)
@@ -6,6 +6,8 @@
        - Neaten up the change in acx_nlnetlabs.m4 to version 49.
        - Fix fr_atomic_copy_cfg.
        - Rebuild configure script from its sources.
+       - Fix #1353: auth-zone can not use empty label for $ORIGIN when
+         http download.
 
 29 September 2025: Yorgos
        - Merge #1349: Fix #1346: [FR] Please allow back TLS 1.2.
index e4dd32465b9f338bd8698c04784f5a806225ff25..a4424a28038369cf3717642919f8d6d5f6c46fc6 100644 (file)
@@ -4556,6 +4556,23 @@ http_parse_ttl(sldns_buffer* buf, struct sldns_file_parse_state* pstate)
        return 0;
 }
 
+/** remove newlines from collated line */
+static void
+chunkline_newline_removal(sldns_buffer* buf)
+{
+       size_t i, end=sldns_buffer_limit(buf);
+       for(i=0; i<end; i++) {
+               char c = (char)sldns_buffer_read_u8_at(buf, i);
+               if(c == '\n' && i==end-1) {
+                       sldns_buffer_write_u8_at(buf, i, 0);
+                       sldns_buffer_set_limit(buf, end-1);
+                       return;
+               }
+               if(c == '\n')
+                       sldns_buffer_write_u8_at(buf, i, (uint8_t)' ');
+       }
+}
+
 /** find noncomment RR line in chunks, collates lines if ( ) format */
 static int
 chunkline_non_comment_RR(struct auth_chunk** chunk, size_t* chunk_pos,
@@ -4563,6 +4580,7 @@ chunkline_non_comment_RR(struct auth_chunk** chunk, size_t* chunk_pos,
 {
        int ret;
        while(chunkline_get_line_collated(chunk, chunk_pos, buf)) {
+               chunkline_newline_removal(buf);
                if(chunkline_is_comment_line_or_empty(buf)) {
                        /* a comment, go to next line */
                        continue;
@@ -4638,23 +4656,6 @@ chunklist_sum(struct auth_chunk* list)
        return s;
 }
 
-/** remove newlines from collated line */
-static void
-chunkline_newline_removal(sldns_buffer* buf)
-{
-       size_t i, end=sldns_buffer_limit(buf);
-       for(i=0; i<end; i++) {
-               char c = (char)sldns_buffer_read_u8_at(buf, i);
-               if(c == '\n' && i==end-1) {
-                       sldns_buffer_write_u8_at(buf, i, 0);
-                       sldns_buffer_set_limit(buf, end-1);
-                       return;
-               }
-               if(c == '\n')
-                       sldns_buffer_write_u8_at(buf, i, (uint8_t)' ');
-       }
-}
-
 /** for http download, parse and add RR to zone */
 static int
 http_parse_add_rr(struct auth_xfer* xfr, struct auth_zone* z,
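Review bot: The loop in chunkline_newline_removal in the first hunk only recognises '\n', so if the zone file fetched over HTTP uses CRLF line endings every '\r' survives in the collated line, and the one before the final newline becomes its last byte once the limit is shortened. Whether the RR parser that later consumes the buffer treats '\r' as whitespace cannot be seen from here and should be confirmed; if it does not, widening the two tests to `if((c == '\n' || c == '\r') && i==end-1)` and `if(c == '\n' || c == '\r')` covers it. The doc comment could also state what the caller gets back, e.g. `/** replace newlines in a collated line with spaces; a trailing newline becomes a NUL and the buffer limit is decremented by one */`. The second hunk, which now runs this before the comment/empty test, is the middle of chunkline_non_comment_RR and that function continues outside the hunk; the third hunk is only the removal of the old copy, so nothing is raised there.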
diff --git a/testdata/auth_https_origin.tdir/127.0.0.1/example.com.zone b/testdata/auth_https_origin.tdir/127.0.0.1/example.com.zone
new file mode 100644 (file)
index 0000000..e5ef82f
--- /dev/null
@@ -0,0 +1,5 @@
+$ORIGIN .
+$TTL 7200
+example.com. IN SOA ns.example.com. hostmaster.example.com. 1 3600 900 86400 3600
+example.com.   IN NS   ns.example.net.
+www.example.com. IN A  1.2.3.4
diff --git a/testdata/auth_https_origin.tdir/auth_https_origin.conf b/testdata/auth_https_origin.tdir/auth_https_origin.conf
new file mode 100644 (file)
index 0000000..bfe013e
--- /dev/null
@@ -0,0 +1,17 @@
+server:
+       verbosity: 7
+       # num-threads: 1
+       interface: 127.0.0.1
+       port: @PORT@
+       use-syslog: no
+       directory: ""
+       pidfile: "unbound.pid"
+       chroot: ""
+       username: ""
+       do-not-query-localhost: no
+auth-zone:
+       name: "example.com"
+       for-upstream: yes
+       for-downstream: yes
+       url: "https://127.0.0.1:@TOPORT@/example.com.zone"
+
diff --git a/testdata/auth_https_origin.tdir/auth_https_origin.dsc b/testdata/auth_https_origin.tdir/auth_https_origin.dsc
new file mode 100644 (file)
index 0000000..9727fc6
--- /dev/null
@@ -0,0 +1,16 @@
+BaseName: auth_https_origin
+Version: 1.0
+Description: Perform https for authority zone with $ORIGIN
+CreationDate: Mon 29 September 14:35:40 CEST 2025
+Maintainer: dr. W.C.A. Wijngaards
+Category: 
+Component:
+CmdDepends: 
+Depends: 
+Help:
+Pre: auth_https_origin.pre
+Post: auth_https_origin.post
+Test: auth_https_origin.test
+AuxFiles: 
+Passed:
+Failure:
diff --git a/testdata/auth_https_origin.tdir/auth_https_origin.post b/testdata/auth_https_origin.tdir/auth_https_origin.post
new file mode 100644 (file)
index 0000000..f642d54
--- /dev/null
@@ -0,0 +1,11 @@
+# #-- auth_https_origin.post --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# source the test var file when it's there
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+#
+# do your teardown here
+PRE="../.."
+. ../common.sh
+kill_pid $UNBOUND_PID
+kill_pid $PETAL_PID
diff --git a/testdata/auth_https_origin.tdir/auth_https_origin.pre b/testdata/auth_https_origin.tdir/auth_https_origin.pre
new file mode 100644 (file)
index 0000000..ec838c5
--- /dev/null
@@ -0,0 +1,34 @@
+# #-- auth_https_origin.pre--#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+get_random_port 2
+UNBOUND_PORT=$RND_PORT
+PETAL_PORT=$(($RND_PORT + 1))
+echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test
+echo "PETAL_PORT=$PETAL_PORT" >> .tpkg.var.test
+
+get_make
+(cd $PRE; $MAKE petal)
+
+# start https daemon
+$PRE/petal -v -a "127.0.0.1" -p $PETAL_PORT >petal.log 2>&1 &
+PETAL_PID=$!
+echo "PETAL_PID=$PETAL_PID" >> .tpkg.var.test
+cat .tpkg.var.test
+wait_petal_up petal.log
+
+# make config file
+sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$PETAL_PORT'/' < auth_https_origin.conf > ub.conf
+# start unbound in the background
+$PRE/unbound -d -c ub.conf >unbound.log 2>&1 &
+UNBOUND_PID=$!
+echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test
+
+cat .tpkg.var.test
+wait_unbound_up unbound.log
+
diff --git a/testdata/auth_https_origin.tdir/auth_https_origin.test b/testdata/auth_https_origin.tdir/auth_https_origin.test
new file mode 100644 (file)
index 0000000..ac6eda9
--- /dev/null
@@ -0,0 +1,63 @@
+# #-- auth_https_origin.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+# do the test
+echo "> dig www.example.com."
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+if grep SERVFAIL outfile; then
+       echo "> try again"
+       dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+fi
+if grep SERVFAIL outfile; then
+       echo "> try again"
+       sleep 1
+       dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+fi
+if grep SERVFAIL outfile; then
+       echo "> try again"
+       sleep 1
+       dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+fi
+if grep SERVFAIL outfile; then
+       echo "> try again"
+       sleep 1
+       dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+fi
+if grep SERVFAIL outfile; then
+       echo "> try again"
+       sleep 10
+       dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+fi
+if grep SERVFAIL outfile; then
+       echo "> try again"
+       sleep 10
+       dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+fi
+echo "> cat logfiles"
+cat petal.log 
+cat unbound.log
+echo "> check answer"
+if grep "1.2.3.4" outfile; then
+       echo "OK"
+else
+       echo "Not OK"
+       exit 1
+fi
+
+# Test that notify is allowed from the webserver address
+get_ldns_notify
+echo "> ldns-notify -z example.com"
+$LDNS_NOTIFY -p $UNBOUND_PORT -z example.com 127.0.0.1 | tee outfile
+if grep "rcode: REFUSED"  outfile; then
+       echo "Not OK"
+       exit 1
+else
+       echo "OK"
+fi
+
+exit 0
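Review bot: The six retry blocks after the first dig in auth_https_origin.test are the same three lines repeated with only the sleep changing, which hides the total retry budget (0, 1, 1, 1, 10, 10 seconds) and invites drift when one copy is edited; a loop over the pause list keeps the behaviour and states it once. The answer check `grep "1.2.3.4" outfile` also treats the dots as wildcards, so `grep -F "1.2.3.4" outfile` pins the literal address. The rewritten retry section is below.
```shell
# … unchanged: sourcing of var files, PRE, common.sh …
dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
# retry while the zone is still being fetched; pauses are in seconds
for pause in 0 1 1 1 10 10; do
	if grep SERVFAIL outfile; then
		echo "> try again"
		[ "$pause" -gt 0 ] && sleep $pause
		dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
	fi
done
# … unchanged: log dump, answer check, notify check …
```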
diff --git a/testdata/auth_https_origin.tdir/petal.key b/testdata/auth_https_origin.tdir/petal.key
new file mode 100644 (file)
index 0000000..6614e49
--- /dev/null
@@ -0,0 +1,21 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/testdata/auth_https_origin.tdir/petal.pem b/testdata/auth_https_origin.tdir/petal.pem
new file mode 100644 (file)
index 0000000..19c8b89
--- /dev/null
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----