From f1fea8dc461a0454685cf8c9476a771d4d67423c Mon Sep 17 00:00:00 2001 From: "W.C.A. Wijngaards" Date: Mon, 29 Sep 2025 14:24:31 +0200 Subject: [PATCH] - Fix #1353: auth-zone can not use empty label for $ORIGIN when http download. --- doc/Changelog | 2 + services/authzone.c | 35 ++++++----- .../127.0.0.1/example.com.zone | 5 ++ .../auth_https_origin.conf | 17 +++++ .../auth_https_origin.dsc | 16 +++++ .../auth_https_origin.post | 11 ++++ .../auth_https_origin.pre | 34 ++++++++++ .../auth_https_origin.test | 63 +++++++++++++++++++ testdata/auth_https_origin.tdir/petal.key | 21 +++++++ testdata/auth_https_origin.tdir/petal.pem | 14 +++++ 10 files changed, 201 insertions(+), 17 deletions(-) create mode 100644 testdata/auth_https_origin.tdir/127.0.0.1/example.com.zone create mode 100644 testdata/auth_https_origin.tdir/auth_https_origin.conf create mode 100644 testdata/auth_https_origin.tdir/auth_https_origin.dsc create mode 100644 testdata/auth_https_origin.tdir/auth_https_origin.post create mode 100644 testdata/auth_https_origin.tdir/auth_https_origin.pre create mode 100644 testdata/auth_https_origin.tdir/auth_https_origin.test create mode 100644 testdata/auth_https_origin.tdir/petal.key create mode 100644 testdata/auth_https_origin.tdir/petal.pem diff --git a/doc/Changelog b/doc/Changelog index 532cbdb4b..2b958843f 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -6,6 +6,8 @@ - Neaten up the change in acx_nlnetlabs.m4 to version 49. - Fix fr_atomic_copy_cfg. - Rebuild configure script from its sources. + - Fix #1353: auth-zone can not use empty label for $ORIGIN when + http download. 29 September 2025: Yorgos - Merge #1349: Fix #1346: [FR] Please allow back TLS 1.2. diff --git a/services/authzone.c b/services/authzone.c index e4dd32465..a4424a280 100644 --- a/services/authzone.c +++ b/services/authzone.c 
@@ -4556,6 +4556,23 @@ http_parse_ttl(sldns_buffer* buf, struct sldns_file_parse_state* pstate) return 0; } +/** remove newlines from collated line */ +static void +chunkline_newline_removal(sldns_buffer* buf) +{ + size_t i, end=sldns_buffer_limit(buf); + for(i=0; i> .tpkg.var.test +echo "PETAL_PORT=$PETAL_PORT" >> .tpkg.var.test + +get_make +(cd $PRE; $MAKE petal) + +# start https daemon +$PRE/petal -v -a "127.0.0.1" -p $PETAL_PORT >petal.log 2>&1 & +PETAL_PID=$! +echo "PETAL_PID=$PETAL_PID" >> .tpkg.var.test +cat .tpkg.var.test +wait_petal_up petal.log + +# make config file +sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$PETAL_PORT'/' < auth_https_origin.conf > ub.conf +# start unbound in the background +$PRE/unbound -d -c ub.conf >unbound.log 2>&1 & +UNBOUND_PID=$! +echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test + +cat .tpkg.var.test +wait_unbound_up unbound.log + diff --git a/testdata/auth_https_origin.tdir/auth_https_origin.test b/testdata/auth_https_origin.tdir/auth_https_origin.test new file mode 100644 index 000000000..ac6eda9bb --- /dev/null +++ b/testdata/auth_https_origin.tdir/auth_https_origin.test 
@@ -0,0 +1,63 @@
+# #-- auth_https_origin.test --#
+# source the master var file when it's there
+[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master
+# use .tpkg.var.test for in test variable passing
+[ -f .tpkg.var.test ] && source .tpkg.var.test
+
+PRE="../.."
+. ../common.sh
+# do the test
+echo "> dig www.example.com."
+dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+if grep SERVFAIL outfile; then
+ echo "> try again"
+ dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+fi
+if grep SERVFAIL outfile; then
+ echo "> try again"
+ sleep 1
+ dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+fi
+if grep SERVFAIL outfile; then
+ echo "> try again"
+ sleep 1
+ dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+fi
+if grep SERVFAIL outfile; then
+ echo "> try again"
+ sleep 1
+ dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+fi
+if grep SERVFAIL outfile; then
+ echo "> try again"
+ sleep 10
+ dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+fi
+if grep SERVFAIL outfile; then
+ echo "> try again"
+ sleep 10
+ dig @127.0.0.1 -p $UNBOUND_PORT www.example.com. | tee outfile
+fi
+echo "> cat logfiles"
+cat petal.log
+cat unbound.log
+echo "> check answer"
+if grep "1.2.3.4" outfile; then
+ echo "OK"
+else
+ echo "Not OK"
+ exit 1
+fi
+
+# Test that notify is allowed from the webserver address
+get_ldns_notify
+echo "> ldns-notify -z example.com"
+$LDNS_NOTIFY -p $UNBOUND_PORT -z example.com 127.0.0.1 | tee outfile
+if grep "rcode: REFUSED" outfile; then
+ echo "Not OK"
+ exit 1
+else
+ echo "OK"
+fi
+
+exit 0
diff --git a/testdata/auth_https_origin.tdir/petal.key b/testdata/auth_https_origin.tdir/petal.key
new file mode 100644
index 000000000..6614e498f
--- /dev/null
+++ b/testdata/auth_https_origin.tdir/petal.key
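Review bot: The notify check at the end of auth_https_origin.test fails open, because it reports OK whenever `rcode: REFUSED` is absent from outfile. A run in which ldns-notify produced no reply at all (tool not found, timeout, unbound already gone) therefore also passes, although the step is meant to confirm that notify is accepted from the download source address. Unless get_ldns_notify in common.sh already aborts when the tool is missing, I would guard the call with `[ -n "$LDNS_NOTIFY" ] || exit 1` and, where the tool's output allows it, assert on the accepted response rather than only on the absence of a refusal. Separately, `grep "1.2.3.4" outfile` treats the dots as wildcards; `grep -F "1.2.3.4" outfile` matches only the literal address.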
@@ -0,0 +1,21 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIDfQIBAAKBwQC1xQ/Kca6zszZbcCtdOTIH2Uy2gOy/DfabMUU7TmNPm0dVE0NJ +RuN+Rm304SonpwghfP2/ULZNnuDgpG03/32yI7k/VzG6iA4hiF7tT/KAAWC/+2l1 +QCsawCV2bSrFK0VhcZr7ALqXd8vkDaQ867K029ypjOQtAJ85qdO3mERy7TGtdUcu +O6hLeVet419YeQ2F8cfNxn63d7bOzNGLPW5xwaCd3UcgD+Ib0k4xfFvbinvPQUeU +J/i4YDWexFYSL+ECAwEAAQKBwCLXXQl+9O+5AEhSnd1Go1Jh0pSA7eBJOuXQcebG +Rb7ykp+6C4G2NtDziwwPRNdI6wQQQ0sym18RfyVQHydGr78/nbiIbB3HCn5e92Mh +mefzW6ow9Kvm2txLzGKA1lvoyRbNm81jnG/eygi3u7Nqd5PNv+4dHj2RkTlmxOeh +qnDMVP5md8uZPv6lYNnrnIzvLCR5vnPNdVwn89AqzI85IcDZdy0R9ZX4NBbsDgAU +6ig6uXuRXvSGiyJ/OUXSrnogaQJhAOjvkHUhVZQkPOxO90TNH4j0GdKKtbSWxIdz +lKfuJeBAEqs0TL+C6vbS81Xw3W1alyDdUBk3rJMOBqW6Ryq5HNL+j5H+Jfsh7fvc +Yle+5wHGci0P9zCFZCrY8It7n9XFIwJhAMfEi6oJa2G8waPJ1bQhxka82Tf9pnKM +XCn/1BBOFjVIx5F842cpA+zp5a62GENTGYPQTTRBB/2/ZwnW5aIkrlg54AtmbqBZ +Oh+2kJdJQD/tfoVmc5soUE2ScTHadK5RKwJhAN4w9kjkXS+MSZjX0kIMsBIBVkhh +C+aREjJqa9ir7/Ey7RvmLXdYuCxtGLRXp7/R8+rjcK49Tx6O+IRJZe042mfhbq3C +EhS1Tr86f4xXix9EXlDhs9bSxrOgcAN9Dv/opQJhAK7eBcPaav0rVfYh/8emqQHS +3fJ9Pu6WnzbEksWTFS2ff9KDGCx9YspIFJ5TF/oXDAaumGZdZrlgirm6O1kr8tGY +F97i04PZl1+bWAaWQH+1TUNI43m2WFUPE7coG2tb8QJgcddDg9VlXliZqgcETZfJ +kJmYETxrcSn3ao6v116N8yxhEgUgjkmsCTiFgx36iDVnXwK6PIt+sIu8MC7eYNa3 +berrv/M21K0LRn20IWRxvUobG070weHCAgkko7fTWgr2 +-----END RSA PRIVATE KEY----- diff --git a/testdata/auth_https_origin.tdir/petal.pem b/testdata/auth_https_origin.tdir/petal.pem new file mode 100644 index 000000000..19c8b895b --- /dev/null +++ b/testdata/auth_https_origin.tdir/petal.pem 
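Review bot: petal.key puts an unencrypted RSA private key into the repository (the matching certificate follows in petal.pem), and nothing in the visible part of the patch marks the pair as throwaway test credentials. Secret scanners will flag the file and a committed key tends to get copied outside the harness, so I would state its purpose where the test is described, for example a remark in auth_https_origin.dsc along the lines of `Uses the fixed petal.key/petal.pem pair; test-only credentials, never deploy them.` If the harness can create files before petal is started, generating a fresh self-signed pair in the .pre step would avoid committing key material at all.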
@@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICFzCCAUACCQDO660L5y5LGDANBgkqhkiG9w0BAQUFADAQMQ4wDAYDVQQDEwVw +ZXRhbDAeFw0xMDA5MzAxMzQzMDFaFw0zMDA2MTcxMzQzMDFaMBAxDjAMBgNVBAMT +BXBldGFsMIHfMA0GCSqGSIb3DQEBAQUAA4HNADCByQKBwQC1xQ/Kca6zszZbcCtd +OTIH2Uy2gOy/DfabMUU7TmNPm0dVE0NJRuN+Rm304SonpwghfP2/ULZNnuDgpG03 +/32yI7k/VzG6iA4hiF7tT/KAAWC/+2l1QCsawCV2bSrFK0VhcZr7ALqXd8vkDaQ8 +67K029ypjOQtAJ85qdO3mERy7TGtdUcuO6hLeVet419YeQ2F8cfNxn63d7bOzNGL +PW5xwaCd3UcgD+Ib0k4xfFvbinvPQUeUJ/i4YDWexFYSL+ECAwEAATANBgkqhkiG +9w0BAQUFAAOBwQBBkX9KDP2RXbg+xPmdJ4P6CwvA5x1LZwC++ydVx4NlvT0pWicD +ZUnXjcWAJlkeOuUBAqFG7WHTrXpUUAjmdqFVq2yFjteUYBdrFz0RDB2jM9feeKYO +mTgxdZyT9a6humxCxt5VfgT02axLjm/2AqCyFPMbf4PASoJDln01AEuZLZ8Xl2gV +bYHMnHTGoD1Hu6FNEzRgkMC6XT8X3YjHvzQhpc/qL5wEfEsinQGdX4twsuWbf8xd +q7miNnkO8vd0maw= +-----END CERTIFICATE----- -- 2.47.3