Control: retitle -1 integritysetup: HMAC(SHA256) key truncated to 106/114bytes 
in standalone mode
Control: severity -1 important

On Thu, 13 May 2021 at 17:46:26 +0200, Guilhem Moulin wrote:
> Fortunately there are no Debian releases with integritysetup ≤2.0.4 so
> as far as Debian is concerned the impact is limited.

After some discussion on the upstream bug tracker: the fact that the
user-supplied key is truncated in the first place is an issue.  But fixing
that, like changing the truncation length in 2.0.5, yields
incompatibilities.

I'm not sure what's the best course of action for Bullseye.  Fixing the
truncation altogether isn't ideal given we're so late in the release cycle.
The safest might be to keep the 114-bytes truncation for Bullseye, but warn
the user of upcoming compatibility issues when --integrity-key-size exceeds
114 bytes (and suggest to use `--integrity-key-size 114`).  Any other
opinion?

-- 
Guilhem.

Attachment: signature.asc
Description: PGP signature

Reply via email to