Index: sk-usbhid.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/sk-usbhid.c,v
retrieving revision 1.38
diff -u -p -r1.38 sk-usbhid.c
--- sk-usbhid.c	7 Feb 2022 01:25:12 -0000	1.38
+++ sk-usbhid.c	8 Apr 2022 00:56:54 -0000
@@ -23,6 +23,7 @@
 #include <stddef.h>
 #include <stdarg.h>
 #include <time.h>
+#include <sha2.h>
 
 #ifdef WITH_OPENSSL
 #include <openssl/opensslv.h>
@@ -271,6 +272,58 @@ sk_touch_poll(struct sk_usbhid **skv, si
 	}
 	*touch = 0;
 	return 0;
+}
+
+/* Calculate SHA256(m) */
+static int
+sha256_mem(const void *m, size_t mlen, u_char *d, size_t dlen)
+{
+	SHA2_CTX ctx;
+
+	if (dlen != 32)
+		return -1;
+	SHA256Init(&ctx);
+	SHA256Update(&ctx, (const uint8_t *)m, mlen);
+	SHA256Final(d, &ctx);
+	return 0;
+}
+
+static int
+fido_cred_set_clientdata(fido_cred_t *cred, const u_char *ptr, size_t len)
+{
+	uint8_t d[32];
+	int r;
+
+	if (sha256_mem(ptr, len, d, sizeof(d)) != 0) {
+		skdebug(__func__, "hash challenge failed");
+		return FIDO_ERR_INTERNAL;
+	}
+	r = fido_cred_set_clientdata_hash(cred, d, sizeof(d));
+	explicit_bzero(d, sizeof(d));
+	if (r != FIDO_OK) {
+		skdebug(__func__, "fido_cred_set_clientdata_hash failed: %s",
+		    fido_strerr(r));
+	}
+	return r;
+}
+
+static int
+fido_assert_set_clientdata(fido_assert_t *assert, const u_char *ptr, size_t len)
+{
+	uint8_t d[32];
+	int r;
+
+	if (sha256_mem(ptr, len, d, sizeof(d)) != 0) {
+		skdebug(__func__, "hash challenge failed");
+		return FIDO_ERR_INTERNAL;
+	}
+	r = fido_assert_set_clientdata_hash(assert, d, sizeof(d));
+	explicit_bzero(d, sizeof(d));
+	if (r != FIDO_OK) {
+		skdebug(__func__, "fido_assert_set_clientdata_hash failed: %s",
+		    fido_strerr(r));
+	}
+	return r;
 }
 
 /* Check if the specified key handle exists on a given sk. */