Are YubiKey's HMAC-SHA1 responses actually 20 bytes, or are they truncated?

[danimoh]

While the output length of SHA-1 is obviously 20 bytes, and that's also the length that KeePassXC's code assumes being returned by YubiKey's HMAC-SHA1, I'm wondering whether that is actually the case? Yubico's documentation seems to hint at the response being truncated to 6-10 digits. When using a YubiKey as a second factor for unlocking the database, obviously 6-10 digits would add only limited additional protection over the master secret, and would be reasonable to brute force, if the master secret got leaked.
While I hope, and guess, that the documentation is simply inaccurate, wanted to open an issue for clarification nonetheless, as it would be quite bad, if the response is actually truncated.
Maybe someone who has more experience with such things than me can run a quick experiment that indeed 20 entirely different bytes are returned for different challenges, and not that the remainder is for example padded with 0s, or some other static bytes?

[droidmonkey]

Yes it is actually 20 bytes, see the Yubikey code here:

keepassxc/src/thirdparty/ykcore/ykcore.c

Lines 370 to 407 in fb022cb

	int yk_challenge_response(YK_KEY *yk, uint8_t yk_cmd, int may_block,
	unsigned int challenge_len, const unsigned char *challenge,
	unsigned int response_len, unsigned char *response)
	{
	unsigned int flags = 0;
	unsigned int bytes_read = 0;
	unsigned int expect_bytes = 0;
	switch(yk_cmd) {
	case SLOT_CHAL_HMAC1:
	case SLOT_CHAL_HMAC2:
	expect_bytes = 20;
	break;
	case SLOT_CHAL_OTP1:
	case SLOT_CHAL_OTP2:
	expect_bytes = 16;
	break;
	default:
	yk_errno = YK_EINVALIDCMD;
	return 0;
	}
	if (may_block)
	flags |= YK_FLAG_MAYBLOCK;
	if (! yk_write_to_key(yk, yk_cmd, challenge, challenge_len)) {
	return 0;
	}
	if (! yk_read_response_from_key(yk, yk_cmd, flags,
	response, response_len,
	expect_bytes,
	&bytes_read)) {
	return 0;
	}
	return 1;
	}

I have no idea what the documentation is even saying by 6-10 digits, that makes zero sense

It's hard to tell because the response is literal bytes (not digits), but you can see the response is 20 bytes + residual which is then truncated to 20 bytes of data (the actual response):

[danimoh]

Hello @droidmonkey. Thank you so much for taking the time to confirm this ♥️
That's reassuring.