Improve KDF handling

tomb

@@ -65,6 +65,7 @@ typeset -i SPHINX=1
 typeset -i RESIZER=1
 typeset -i RECOLL=1
 typeset -i QRENCODE=1
+typeset -i ARGON2=1
 
 # Default mount options
 typeset		 MOUNTOPTS="rw,noatime,nodev"
@@ -840,8 +841,12 @@ usage() {
 		_print " --sphx-host  host associated with the key (for use with pitchforkedsphinx)"
 	}
 
-	[[ $KDF == 1 ]] && {
-		_print " --kdf        forge keys armored against dictionary attacks"
+	[[ $KDF == 1 ]] || [[ $ARGON2 == 1 ]] && {
+		_print " --kdf        forge keys armored against dictionary attacks" # needs the note, that this also accepts an argument for iteration
+		_print " --kdftype    what KDF function to use (pbkdf2, argon2)"
+	}
+	[[ $ARGON2 == 1 ]] && {
+		_print " --kdfmem     memory to be used for argon2"
 	}
 
 	echo
@@ -1589,11 +1594,18 @@ gen_key() {
 		fi
 
 		header=""
-		[[ $KDF == 1 ]] && {
+		([[ $KDF == 1 ]] || [[ $ARGON2 == 1 ]]) && {
 			{ option_is_set --kdf } && {
-				# KDF is a new key strenghtening technique against brute forcing
+				# KDF is a key strengthening technique against brute forcing
 				# see: https://github.com/dyne/Tomb/issues/82
+				# Two algorithm currently supported:
+				# * pbkdf2 (covers against CPU)
+				# * argon2 (covers against CPU, memory and)
 				itertime="`option_value --kdf`"
+				itertime=${itertime:-3}
+				# Set default (argon2 has a default of 3 iterations; the resulting itertime with this
+				# default is considered safe enough for pbkdf2)
+
 				# removing support of floating points because they can't be type checked well
 				# if [[ "$itertime" != <-> ]]; then
 				# 	unset tombpass
@@ -1602,34 +1614,35 @@ gen_key() {
 				# 	_failure "Depending on the speed of machines using this tomb, use 1 to 10, or more"
 				# 	return 1
 				# fi
-				# # --kdf takes one parameter: iter time (on present machine) in seconds
+				# # --kdf takes one optional parameter: iter time (on present machine) in seconds
+
+				# Generating salt (either via tomb-kdb-pbkdf2 or a shell fallback)
+				if $(command -v tomb-kdb-pbkdf2-gensalt 1>/dev/null 2>/dev/null); then
+					kdfsalt=`tomb-kdb-pbkdf2-gensalt`
+				else
+					kdfsalt=$(LC_CTYPE=C tr -cd 'a-z0-9' < /dev/random | head -c 64)
+				fi
+				_message "kdf salt: ::1 kdfsalt::" $kdfsalt
 
 				kdftype="`option_value --kdftype`"
 				kdftype=${kdftype:-pbkdf2}
 				case ${kdftype} in
 				    pbkdf2)
 					local -i microseconds
 					microseconds=$(( itertime * 1000000 ))
-					_success "Using KDF, iteration time: ::1 microseconds::" $microseconds
-					_message "generating salt"
-					pbkdf2_salt=`tomb-kdb-pbkdf2-gensalt`
+					_success "Using pbkdf2 as KDF, iteration time: ::1 microseconds::" $microseconds
 					_message "calculating iterations"
 					pbkdf2_iter=`tomb-kdb-pbkdf2-getiter $microseconds`
 					_message "encoding the password"
 					# We use a length of 64bytes = 512bits (more than needed!?)
-					tombpass=`tomb-kdb-pbkdf2 $pbkdf2_salt $pbkdf2_iter 64 <<<"${tombpass}"`
-
-					header="_KDF_pbkdf2sha1_${pbkdf2_salt}_${pbkdf2_iter}_64\n"
+					tombpass=`tomb-kdb-pbkdf2 $kdf_salt $pbkdf2_iter 64 <<<"${tombpass}"`
+					header="_KDF_pbkdf2sha1_${kdf_salt}_${pbkdf2_iter}_64\n"
 					;;
 				    argon2)
-					_success "Using KDF Argon2"
+					_success "Using Argon2 as KDF"
 					kdfmem="`option_value --kdfmem`"
 					kdfmem=${kdfmem:-18}
 					_message "memory used: 2^::1 kdfmemory::" $kdfmem
-          itertime="`option_value --kdf`"
-          itertime=${itertime:-3}
-					kdfsalt=`tomb-kdb-pbkdf2-gensalt`
-					_message "kdf salt: ::1 kdfsalt::" $kdfsalt
 					_message "kdf iterations: ::1 kdfiterations::" $itertime
 					tombpass=`argon2 $kdfsalt -m $kdfmem -t $itertime -l 64 -r <<<"${tombpass}"`
 					header="_KDF_argon2_${kdfsalt}_${itertime}_${kdfmem}_64\n"
@@ -2095,7 +2108,7 @@ forge_key() {
 			 $destkey $algo
 
 	[[ $KDF == 1 ]] && { ! option_is_set -g } && {
-		_message "Using KDF to protect the key password (`option_value --kdf` rounds)"
+		_message "Using KDF to protect the key password (`option_value --kdf` rounds)" # something to be done here to see the default
 	}
 
 	TOMBKEYFILE="$destkey"	  # Set global variable