YubiKey: Fix database locking

* Save the master seed upon first challenge so it can be used as a
  challenge at a later point.
* When verifyKey() is called, verify that the challenge is successful.
* Uncheck YubiKey box to not leak information about how the database is
  protected.

Signed-off-by: Kyle Manna <kyle@kylemanna.com>
This commit is contained in:
Kyle Manna 2014-09-07 16:43:04 -07:00
parent 77cc99acd3
commit 951fa96848
3 changed files with 19 additions and 0 deletions

View File

@ -183,6 +183,7 @@ QByteArray Database::challengeResponseKey() const
bool Database::challengeMasterSeed(const QByteArray& masterSeed)
{
m_data.masterSeed = masterSeed;
return m_data.key.challenge(masterSeed, m_data.challengeResponseKey);
}
@ -256,6 +257,22 @@ bool Database::verifyKey(const CompositeKey& key) const
{
Q_ASSERT(hasKey());
/* If the database has challenge response keys, then the the verification
* key better as well */
if (!m_data.challengeResponseKey.isEmpty()) {
QByteArray result;
if (!key.challenge(m_data.masterSeed, result)) {
/* Challenge failed, (YubiKey?) removed? */
return false;
}
if (m_data.challengeResponseKey != result) {
/* Wrong response from challenged device(s) */
return false;
}
}
return (m_data.key.rawKey() == key.rawKey());
}

View File

@ -59,6 +59,7 @@ public:
QByteArray transformedMasterKey;
CompositeKey key;
bool hasKey;
QByteArray masterSeed;
QByteArray challengeResponseKey;
};

View File

@ -33,6 +33,7 @@ void UnlockDatabaseWidget::clearForms()
m_ui->comboKeyFile->clear();
m_ui->checkPassword->setChecked(false);
m_ui->checkKeyFile->setChecked(false);
m_ui->checkChallengeResponse->setChecked(false);
m_ui->buttonTogglePassword->setChecked(false);
m_db = nullptr;
}