trezor: add TrezorPayload

TrezorPayload stores 32 random bytes used for unlocking
the master key using a Trezor security module. The randomness makes sure
that a unique unlock value is used for each gocryptfs filesystem.

1 files changed, 5 insertions, 2 deletions

diff --git a/init_dir.go b/init_dir.go
index 0cd2957..e264cf0 100644
--- a/init_dir.go
+++ b/init_dir.go
@@ -8,6 +8,7 @@ import (
 	"strings"
 
 	"github.com/rfjakob/gocryptfs/internal/configfile"
+	"github.com/rfjakob/gocryptfs/internal/cryptocore"
 	"github.com/rfjakob/gocryptfs/internal/exitcodes"
 	"github.com/rfjakob/gocryptfs/internal/nametransform"
 	"github.com/rfjakob/gocryptfs/internal/readpassword"
@@ -70,9 +71,11 @@ func initDir(args *argContainer) {
 	}
 	{
 		var password []byte
+		var trezorPayload []byte
 		if args.trezor {
+			trezorPayload = cryptocore.RandBytes(readpassword.TrezorPayloadLen)
 			// Get binary data from from Trezor
-			password = readpassword.Trezor()
+			password = readpassword.Trezor(trezorPayload)
 		} else {
 			// Normal password entry
 			password = readpassword.Twice(args.extpass)
@@ -80,7 +83,7 @@ func initDir(args *argContainer) {
 		}
 		creator := tlog.ProgramName + " " + GitVersion
 		err = configfile.Create(args.config, password, args.plaintextnames,
-			args.scryptn, creator, args.aessiv, args.devrandom, args.trezor)
+			args.scryptn, creator, args.aessiv, args.devrandom, trezorPayload)
 		if err != nil {
 			tlog.Fatal.Println(err)
 			os.Exit(exitcodes.WriteConf)