Fix several memory leaks and mishandling of the privilege status
where a function returned failure indication, and previously
allocated memory was not freed (and the referece was lost), or
previously droped privileges where not restored.

Change the function that creates the path for challenge-response
storate to take a "suffix" argument, so we can have multiple files.
Isolate the part of the challenge-response forming function that
fills in the expected response into a callback, so we now can store
other things in the "expected response" field.

Implement a second 'action' of ykpamcfg to create a file containing
challenge and a secret string encrypted with the response (by OTP).
Future update in the PAM module will inject this string as
PAM_AUTHTOKEN, so it could be used by subsequent PAM modules.

Implement function in the PAM module, when given the argument
"supply_authtoken", to extract and decode data stored by
ykpamcfg action "add_saved_password" and supply it as
PAM_AUTHTOK to subsequent PAM modules. Particularly to
pam_gnome_keyring module (and equivalents) to decode the
keyring if yubikey was used as the sole authentication factor.