From 3d2eb0ea8aa5813db1474ec790eb1f490dcb6344 Mon Sep 17 00:00:00 2001
From: selsta <selsta@sent.at>
Date: Tue, 21 Apr 2026 13:33:42 +0200
Subject: [PATCH] wallet_rpc_server: fix ssl_allowed_fingerprints hex parsing

---
 src/wallet/wallet_rpc_server.cpp | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/src/wallet/wallet_rpc_server.cpp b/src/wallet/wallet_rpc_server.cpp
index 6691d558a..0411518a0 100644
--- a/src/wallet/wallet_rpc_server.cpp
+++ b/src/wallet/wallet_rpc_server.cpp
@@ -4770,10 +4770,25 @@ namespace tools
     ssl_allowed_fingerprints.reserve(req.ssl_allowed_fingerprints.size());
     for (const std::string &fp: req.ssl_allowed_fingerprints)
     {
-      ssl_allowed_fingerprints.push_back({});
-      std::vector<uint8_t> &v = ssl_allowed_fingerprints.back();
-      for (auto c: fp)
-        v.push_back(c);
+      std::vector<uint8_t> decoded;
+      try
+      {
+        decoded = epee::from_hex_locale::to_vector(fp);
+      }
+      catch (const std::exception &)
+      {
+        er.code = WALLET_RPC_ERROR_CODE_NO_DAEMON_CONNECTION;
+        er.message = "ssl_allowed_fingerprints[] entries must be hex-encoded SHA-256 values";
+        return false;
+      }
+
+      if (decoded.size() != SSL_FINGERPRINT_SIZE)
+      {
+        er.code = WALLET_RPC_ERROR_CODE_NO_DAEMON_CONNECTION;
+        er.message = "Each ssl_allowed_fingerprints[] entry must decode to exactly " BOOST_PP_STRINGIZE(SSL_FINGERPRINT_SIZE) " bytes";
+        return false;
+      }
+      ssl_allowed_fingerprints.emplace_back(std::move(decoded));
     }
 
     epee::net_utils::ssl_options_t ssl_options = epee::net_utils::ssl_support_t::e_ssl_support_enabled;