upstream: Hash challenge supplied by client during FIDO key enrollment

prior to passing it to libfido2, which does expect a hash.

There is no effect for users who are simply generating FIDO keys using
ssh-keygen - by default we generate a random 256 bit challenge, but
people building attestation workflows around our tools should now have
a more consistent experience (esp. fewer failures when they fail to
guess the magic 32-byte challenge length requirement).

ok markus@

OpenBSD-Commit-ID: b8d5363a6a7ca3b23dc28f3ca69470472959f2b5

sk-usbhid.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: sk-usbhid.c,v 1.29 2021/02/18 02:15:07 djm Exp $ */
+/* $OpenBSD: sk-usbhid.c,v 1.30 2021/05/31 06:48:42 djm Exp $ */
 /*
  * Copyright (c) 2019 Markus Friedl
  * Copyright (c) 2020 Pedro Martelletto
@@ -669,7 +669,7 @@ sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
 {
 	fido_cred_t *cred = NULL;
 	const uint8_t *ptr;
-	uint8_t user_id[32];
+	uint8_t user_id[32], chall_hash[32];
 	struct sk_usbhid *sk = NULL;
 	struct sk_enroll_response *response = NULL;
 	size_t len;
@@ -721,8 +721,13 @@ sk_enroll(uint32_t alg, const uint8_t *challenge, size_t challenge_len,
 		skdebug(__func__, "fido_cred_set_type: %s", fido_strerr(r));
 		goto out;
 	}
-	if ((r = fido_cred_set_clientdata_hash(cred, challenge,
-	    challenge_len)) != FIDO_OK) {
+	if (sha256_mem(challenge, challenge_len,
+	    chall_hash, sizeof(chall_hash)) != 0) {
+		skdebug(__func__, "hash challenge failed");
+		goto out;
+	}
+	if ((r = fido_cred_set_clientdata_hash(cred, chall_hash,
+	    sizeof(chall_hash))) != FIDO_OK) {
 		skdebug(__func__, "fido_cred_set_clientdata_hash: %s",
 		    fido_strerr(r));
 		goto out;