-rw-r--r-- | nitrocli/CHANGELOG.md | 2 | ||||
-rw-r--r-- | nitrocli/src/commands.rs | 7 | ||||
-rw-r--r-- | nitrocli/src/tests/otp.rs | 2 |
3 files changed, 9 insertions, 2 deletions
diff --git a/nitrocli/CHANGELOG.md b/nitrocli/CHANGELOG.md
index fe3ac74..71a54df 100644
--- a/nitrocli/CHANGELOG.md
+++ b/nitrocli/CHANGELOG.md
@@ -5,6 +5,8 @@ Unreleased
 - Check the status of a PWS slot before accessing it in `pws get`
 - Added `NITROCLI_NO_CACHE` environment variable to bypass caching of secrets
+- Clear cached PIN entry as part of `pin set` command to prevent
+ spurious authentication failures
 - Bumped `libc` dependency to `0.2.55`
 - Bumped `cc` dependency to `1.0.37`
diff --git a/nitrocli/src/commands.rs b/nitrocli/src/commands.rs
index a81859c..7bb314c 100644
--- a/nitrocli/src/commands.rs
+++ b/nitrocli/src/commands.rs
@@ -725,7 +725,12 @@ pub fn pin_set(ctx: &mut args::ExecCtx<'_>, pin_type: pinentry::PinType) -> Resu
 pinentry::PinType::Admin => device.change_admin_pin(¤t_pin, &new_pin),
 pinentry::PinType::User => device.change_user_pin(¤t_pin, &new_pin),
 },
- )
+ )?;
+
+ // We just changed the PIN but confirmed the action with the old PIN,
+ // which may have caused it to be cached. Since it no longer applies,
+ // make sure to evict the corresponding entry from the cache.
+ pinentry::clear(&pin_entry)
 }
 
 /// Unblock and reset the user PIN.
diff --git a/nitrocli/src/tests/otp.rs b/nitrocli/src/tests/otp.rs
index d99a6f8..39ddf29 100644
--- a/nitrocli/src/tests/otp.rs
+++ b/nitrocli/src/tests/otp.rs
@@ -51,7 +51,7 @@ fn status(device: nitrokey::DeviceWrapper) -> crate::Result<()> {
 let mut ncli = Nitrocli::with_dev(device);
 
 // Make sure that we have at least something to display by ensuring
- // that there are there is one slot programmed.
+ // that there is one slot programmed.
 let _ = ncli.handle(&["otp", "set", "0", "the-name", "123456"])?;
 
 let out = ncli.handle(&["otp", "status"])?;
|
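Review bot: In the commands.rs hunk, the final `pinentry::clear(&pin_entry)` makes a cache-eviction failure the result of `pin_set` even though the device has already accepted the new PIN by that point, so a user who sees an error cannot tell whether the change took effect. Consider attaching context to that error before returning it, e.g. a message stating that the PIN was changed but the cached entry could not be evicted, so the failure is not mistaken for a failed PIN change. The `?` added on `)?;` returns before the eviction when the device rejects the change; whether the PIN entered for that attempt remains cached depends on how `pin_entry` is populated, which is outside this hunk, and if a rejected PIN can be cached that path would leave a stale entry behind. The body of `pin_set` starts before the hunk.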