[Pdns-users] SSHFP fingerprint size validation

atanas argirov atanas at argirov.org
Wed Oct 4 15:08:06 UTC 2023


Hello Peter,

> On 4 Oct 2023, at 07:42, Peter Thomassen <peter at desec.io> wrote:
> 
> Hi Atanas,
> 
> On 10/3/23 18:56, atanas argirov via Pdns-users wrote:
>> * testing malformed fingerprint size of (hash size +/- 2) is accepted with no complaints from both API and pdnsutil
>> My question is:
>> * is there any validation on the SSHFP fingerprint size based on the hash type?
> 
> Apparently not.
> 
>> * where does this trailing zero come from on hash size of +/- 1?
> Each hex digit is half a byte. I expect the pdns code to process bytes (not half-bytes), and the missing bits are filled up with zero.
> 
> Avoiding this would require keeping extra state about the input length, but there's probably no value in that if the operation is already bound to fail.


Thank you very much for the insights on the subject, appreciated. We will work around these limitations.

> 
> Cheers,
> Peter
> 


Best,
Atanas

—

PGP: 0178 A605 C5E5 D207 E940  D109 BACE D962 BA03 327F
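
A pre-submission check for the gap discussed in this thread, as an added example (not PowerDNS code and not written by either poster): it validates SSHFP record content before it is handed to the API or pdnsutil. The names `check_sshfp` and `zero_padded` are hypothetical, the digest sizes are those of SHA-1 (fingerprint type 1, RFC 4255) and SHA-256 (type 2, RFC 6594), and `zero_padded` only models the half-byte padding described in the reply above.

```python
import string

# Digest size in bytes per SSHFP fingerprint type:
# 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594).
FP_DIGEST_BYTES = {1: 20, 2: 32}
HEX_DIGITS = set(string.hexdigits)


def check_sshfp(rdata):
    """Return a list of problems in '<algorithm> <fptype> <hex>'; empty means OK."""
    fields = rdata.split()
    if len(fields) != 3:
        return ["expected '<algorithm> <fptype> <hex fingerprint>'"]
    try:
        int(fields[0])
        fptype = int(fields[1])
    except ValueError:
        return ["algorithm and fptype must be integers"]
    fp = fields[2]
    problems = []
    if not set(fp) <= HEX_DIGITS:
        problems.append("fingerprint contains non-hex characters")
    if len(fp) % 2:
        # Each hex digit is half a byte, so an odd count leaves a dangling nibble.
        problems.append("odd number of hex digits (%d)" % len(fp))
    expected = FP_DIGEST_BYTES.get(fptype)
    if expected is None:
        problems.append("unknown fptype %d, length not checked" % fptype)
    elif len(fp) != expected * 2:
        problems.append("fptype %d needs %d hex digits, got %d"
                        % (fptype, expected * 2, len(fp)))
    return problems


def zero_padded(fp_hex):
    """Model of the padding described above: a dangling half-byte is zero-filled."""
    return fp_hex + "0" if len(fp_hex) % 2 else fp_hex


if __name__ == "__main__":
    # Constructed sample records, not real host key fingerprints.
    for rdata in ("4 2 " + "ab" * 32,          # correct SHA-256 length
                  "4 2 " + "ab" * 31 + "a",    # one hex digit short
                  "4 2 " + "ab" * 33):         # one byte too long
        print(rdata[:12] + "...", check_sshfp(rdata) or "ok")
```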



