YubiKey: Fix database locking

* Save the master seed upon first challenge so it can be used as a
  challenge at a later point.
* When verifyKey() is called, verify that the challenge is successful.
* Uncheck YubiKey box to not leak information about how the database is
  protected.

Signed-off-by: Kyle Manna <kyle@kylemanna.com>

src/core/Database.cpp

@@ -183,6 +183,7 @@ QByteArray Database::challengeResponseKey() const
 
 bool Database::challengeMasterSeed(const QByteArray& masterSeed)
 {
+    m_data.masterSeed = masterSeed;
     return m_data.key.challenge(masterSeed, m_data.challengeResponseKey);
 }
 
@@ -256,6 +257,22 @@ bool Database::verifyKey(const CompositeKey& key) const
 {
     Q_ASSERT(hasKey());
 
+    /* If the database has challenge response keys, then the the verification
+     * key better as well */
+    if (!m_data.challengeResponseKey.isEmpty()) {
+        QByteArray result;
+
+        if (!key.challenge(m_data.masterSeed, result)) {
+            /* Challenge failed, (YubiKey?) removed? */
+            return false;
+        }
+
+        if (m_data.challengeResponseKey != result) {
+            /* Wrong response from challenged device(s) */
+            return false;
+        }
+    }
+
     return (m_data.key.rawKey() == key.rawKey());
 }
 

src/core/Database.h

@@ -59,6 +59,7 @@ public:
         QByteArray transformedMasterKey;
         CompositeKey key;
         bool hasKey;
+        QByteArray masterSeed;
         QByteArray challengeResponseKey;
     };
 

src/gui/UnlockDatabaseWidget.cpp

@@ -33,6 +33,7 @@ void UnlockDatabaseWidget::clearForms()
     m_ui->comboKeyFile->clear();
     m_ui->checkPassword->setChecked(false);
     m_ui->checkKeyFile->setChecked(false);
+    m_ui->checkChallengeResponse->setChecked(false);
     m_ui->buttonTogglePassword->setChecked(false);
     m_db = nullptr;
 }