[Pdns-users] SSHFP fingerprint size validation
Peter Thomassen
peter at desec.io
Wed Oct 4 06:42:26 UTC 2023
Hi Atanas,
On 10/3/23 18:56, atanas argirov via Pdns-users wrote:
> * testing malformed fingerprint size of (hash size +/- 2) is accepted with no complaints from both API and pdnsutil
>
> My question is:
>
> * is there any validation on the SSHFP fingerprint size based on the hash type?
Apparently not.
> * where this trailing zero comes from on hash size of +/- 1?
Each hex digit is half a byte. I expect the pdns code to process bytes (not half-bytes), and the missing bits are filled up with zero.
Avoiding this would require keeping extra state about the input length, but there's probably no value in that if the operation is already bound to fail.
Cheers,
Peter
--
Like our community service? 💛
Please consider donating at
https://desec.io/
deSEC e.V.
Kyffhäuserstr. 5
10781 Berlin
Germany
Vorstandsvorsitz: Nils Wisiol
Registergericht: AG Berlin (Charlottenburg) VR 37525
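
A pre-submission check for the size mismatch discussed in this thread, as an added example that is not part of the original message and is not PowerDNS code. The helper name `check_sshfp` is hypothetical, the fingerprints are constructed sample values, and the fingerprint is assumed to arrive as a single hex token.

```python
import hashlib

# Digest size in bytes for each SSHFP fingerprint type:
# 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
DIGEST_BYTES = {1: 20, 2: 32}
HEX_DIGITS = set("0123456789abcdefABCDEF")


def check_sshfp(rdata):
    """Return a list of problems in '<algorithm> <fp-type> <hex>' rdata.

    An empty list means the fingerprint size matches its hash type.
    Hypothetical helper; expects the fingerprint as a single token.
    """
    fields = rdata.split()
    if len(fields) != 3:
        return ["expected three fields: algorithm, fp-type, fingerprint"]
    algorithm, fp_type, fingerprint = fields
    if not (algorithm.isdecimal() and fp_type.isdecimal()):
        return ["algorithm and fp-type must be decimal numbers"]
    problems = []
    if not set(fingerprint) <= HEX_DIGITS:
        problems.append("fingerprint contains non-hex characters")
    if len(fingerprint) % 2:
        # Half a byte is missing; a byte-oriented parser has to pad it.
        problems.append("odd number of hex digits")
    expected = DIGEST_BYTES.get(int(fp_type))
    if expected is None:
        problems.append(f"unknown fp-type {fp_type}, size not checked")
    elif len(fingerprint) != 2 * expected:
        problems.append(
            f"fp-type {fp_type} needs {2 * expected} hex digits, "
            f"got {len(fingerprint)}"
        )
    return problems


# Constructed sample input: digests of a made-up blob, not real host keys.
_BLOB = b"constructed host key blob"
SHA1_FP = hashlib.sha1(_BLOB).hexdigest()
SHA256_FP = hashlib.sha256(_BLOB).hexdigest()

if __name__ == "__main__":
    for rdata in (f"4 2 {SHA256_FP}", f"4 2 {SHA256_FP}ab",
                  f"4 2 {SHA256_FP[:-1]}", f"1 1 {SHA256_FP}"):
        print(rdata[:16] + "...", check_sshfp(rdata) or "ok")
```

Running a check like this before calling the API or pdnsutil catches both the wrong-length case and the odd-digit case that would otherwise be padded.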