updated documentation on KDF whitespace bug

fix #307

AUTHORS.md

@@ -27,10 +27,11 @@ The Grugq, Reiven, GDrooid, Alphazo, Brian May, fsLeg, JoelMon,
 Narrat, Jerry Polfer, Jim Turner, Maxime Arthaud, RobertMX,
 mhogomchungu Mandeep Bhutani, Emil Lundberg, Joel Montes de Oca, Armin
 Mesbah, Arusekk, Stephan Schindel, Asbjørn Apeland, Victor Calvert,
-bjonnh, SargoDevel and...  the Linux Action Show!
+bjonnh, SargoDevel, AitorATuin and...  the Linux Action Show!
 
 Tomb includes an implementation of the "Password-Based Key Derivation
-Function v2" based on GCrypt and written by Anthony Thyssen.
+Function v2" based on GCrypt and written by Anthony Thyssen, with
+fixes contributed by AitorATuin.
 
 Tomb developers can be contacted via GitHub issues on
 https://www.github.com/dyne/Tomb or over IRC https://irc.dyne.org

KNOWN_BUGS.md

@@ -1,3 +1,18 @@
+# Whitespaces in KDF passwords
+## Issue affecting passwords used with PBKDF2 keys (<2.6)
+
+ Up until and including Tomb's version 2.5 the PBKDF2 wrapper for keys
+ in Tomb has a bug affecting passwords that contain whitespaces. Since
+ the passwords are trimmed at the first whitespace, this makes them
+ weaker, while fortunately the KDF transformation still applies.
+
+ This issue is fixed in Tomb version 2.6: all users adopting KDF keys
+ that have passwords containing whitespaces should change them,
+ knowing that their "old password" is trimmed until the whitespace.
+
+ Users adopting GPG keys or plain (without KDF wrapper) can ignore
+ this bug.
+
 # Vulnerability to password bruteforcing
 ## Issue affecting keys used in steganography
 

extras/kdf-keys/pbkdf2.c

@@ -28,6 +28,7 @@
 *************
 **
 ** Anthony Thyssen   4 November 2009      A.Thyssen@griffith.edu.au
+** AitorATuin        3 February 2018  (whitespace password fix in Tomb) 
 **
 ** Based on a test program "pkcs5.c" found on
 **   http://www.mail-archive.com/openssl-users@openssl.org