From 55ef2f0509bf7690af21e62abd0258765b1d074b Mon Sep 17 00:00:00 2001
From: Uli Heller
Date: Thu, 2 Jan 2025 12:46:59 +0100
Subject: [PATCH] Enable usage of multiple fido2 devices by supporting password change with explicit master key
---
 main.go | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/main.go b/main.go
index cd643b5a..f7a38db2 100644
--- a/main.go
+++ b/main.go
@@ -78,15 +78,19 @@ func changePassword(args *argContainer) {
 if len(masterkey) == 0 {
 log.Panic("empty masterkey")
 }
+ var newPw []byte
 if confFile.IsFeatureFlagSet(configfile.FlagFIDO2) {
- tlog.Fatal.Printf("Password change is not supported on FIDO2-enabled filesystems.")
- os.Exit(exitcodes.Usage)
- }
- tlog.Info.Println("Please enter your new password.")
- newPw, err := readpassword.Twice(nil, nil)
- if err != nil {
- tlog.Fatal.Println(err)
- os.Exit(exitcodes.ReadPassword)
+ var fido2CredentialID, fido2HmacSalt []byte
+ fido2CredentialID = confFile.FIDO2.CredentialID //fido2.Register(args.fido2, filepath.Base(args.cipherdir))
+ fido2HmacSalt = confFile.FIDO2.HMACSalt //cryptocore.RandBytes(32)
+ newPw = fido2.Secret(args.fido2, args.fido2_assert_options, fido2CredentialID, fido2HmacSalt)
+ } else {
+ tlog.Info.Println("Please enter your new password.")
+ newPw, err = readpassword.Twice(nil, nil)
+ if err != nil {
+ tlog.Fatal.Println(err)
+ os.Exit(exitcodes.ReadPassword)
+ }
 }
 logN := confFile.ScryptObject.LogN()
 if args._explicitScryptn {
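Review bot: The FIDO2 branch derives `newPw` from the existing `confFile.FIDO2.CredentialID` and `confFile.FIDO2.HMACSalt`, so with the same authenticator the "new" wrapping secret is the same as the old one, and a different authenticator is not normally able to assert for a credential it did not create, so it is not clear from this hunk how the change enables multiple devices; the trailing `//fido2.Register(...)` and `//cryptocore.RandBytes(32)` remnants on the two assignment lines suggest that alternative was weighed and should either be removed or replaced by a comment stating the intended flow, e.g. `// Re-wrap the (explicitly supplied) master key with the hmac-secret of the attached token; credential ID and salt are reused from the existing config`. Once the remnants are gone the `var` declaration plus two assignments collapse to `fido2CredentialID := confFile.FIDO2.CredentialID` and `fido2HmacSalt := confFile.FIDO2.HMACSalt`. The previous explicit "not supported" exit is gone and the FIDO2 path prints no prompt before `fido2.Secret` is called, so unless that helper prompts itself the user gets no indication that the token must be touched; the helper's error behaviour is also not visible here and appears to be handled internally. The else branch now assigns into an `err` declared before the hunk (`:=` became `=`), and the body of changePassword begins and continues outside the hunk.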