===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/ssh-sk.c,v
retrieving revision 1.29
retrieving revision 1.30
diff -u -r1.29 -r1.30
--- src/usr.bin/ssh/ssh-sk.c 2020/03/06 18:25:48 1.29
+++ src/usr.bin/ssh/ssh-sk.c 2020/04/28 04:02:29 1.30
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-sk.c,v 1.29 2020/03/06 18:25:48 markus Exp $ */
+/* $OpenBSD: ssh-sk.c,v 1.30 2020/04/28 04:02:29 djm Exp $ */
 /*
 * Copyright (c) 2019 Google LLC
 *
@@ -605,7 +605,6 @@
 int type, alg;
 struct sk_sign_response *resp = NULL;
 struct sshbuf *inner_sig = NULL, *sig = NULL;
- uint8_t message[32];
 struct sk_option **opts = NULL;
 debug("%s: provider \"%s\", key %s, flags 0x%02x%s", __func__,
@@ -640,15 +639,7 @@
 goto out;
 }
- /* hash data to be signed before it goes to the security key */
- if ((r = ssh_digest_memory(SSH_DIGEST_SHA256, data, datalen,
- message, sizeof(message))) != 0) {
- error("%s: hash application failed: %s", __func__, ssh_err(r));
- r = SSH_ERR_INTERNAL_ERROR;
- goto out;
- }
- if ((r = skp->sk_sign(alg, message, sizeof(message),
- key->sk_application,
+ if ((r = skp->sk_sign(alg, data, datalen, key->sk_application,
 sshbuf_ptr(key->sk_key_handle), sshbuf_len(key->sk_key_handle),
 key->sk_flags, pin, opts, &resp)) != 0) {
 debug("%s: sk_sign failed with code %d", __func__, r);
@@ -697,7 +688,6 @@
 r = 0;
 out:
 sshsk_free_options(opts);
- explicit_bzero(message, sizeof(message));
 sshsk_free(skp);
 sshsk_free_sign_response(resp);
 sshbuf_free(sig);
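Review bot: In the `@@ -640,15 +639,7 @@` hunk the second and third arguments of `skp->sk_sign()` change from a fixed 32-byte SHA-256 digest to the caller's raw `data`/`datalen`, but nothing at the call site says that hashing is now the provider's job. A provider built against the earlier contract would treat an arbitrary-length message as a digest, so the loader should refuse it; the provider version check is not visible in this diff, so confirm that the API version constant (`SSH_SK_VERSION_MAJOR` in sk-api.h, if that is where it lives) is bumped together with this change. I would also replace the removed comment with one such as `/* the provider hashes the message itself; pass it unhashed */` directly above the call. The enclosing function starts and ends outside the hunk.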