restrict shell replacement for salt

tomb-kdf-pbkdf2 requires hexadecimal input, therefore restrict input to those symbols.

tomb

@@ -1625,7 +1625,7 @@ gen_key() {
 				if $(command -v tomb-kdb-pbkdf2-gensalt 1>/dev/null 2>/dev/null); then
 					kdfsalt=`tomb-kdb-pbkdf2-gensalt`
 				else
-					kdfsalt=$(LC_CTYPE=C tr -cd 'a-z0-9' < /dev/random | head -c 64)
+					kdfsalt=$(LC_CTYPE=C tr -cd 'a-f0-9' < /dev/random | head -c 64)
 				fi
 				_message "kdf salt: ::1 kdfsalt::" $kdfsalt
 
@@ -1642,8 +1642,8 @@ gen_key() {
 					pbkdf2_iter=`tomb-kdb-pbkdf2-getiter $microseconds`
 					_message "encoding the password"
 					# We use a length of 64bytes = 512bits (more than needed!?)
-					tombpass=`tomb-kdb-pbkdf2 $kdf_salt $pbkdf2_iter 64 <<<"${tombpass}"`
-					header="_KDF_pbkdf2sha1_${kdf_salt}_${pbkdf2_iter}_64\n"
+					tombpass=`tomb-kdb-pbkdf2 $kdfsalt $pbkdf2_iter 64 <<<"${tombpass}"`
+					header="_KDF_pbkdf2sha1_${kdfsalt}_${pbkdf2_iter}_64\n"
 					;;
 				argon2)
 					_success "Using Argon2 as KDF"