-rw-r--r--nitrocli/CHANGELOG.md2
-rw-r--r--nitrocli/src/commands.rs7
-rw-r--r--nitrocli/src/tests/otp.rs2
3 files changed, 9 insertions, 2 deletions
diff --git a/nitrocli/CHANGELOG.md b/nitrocli/CHANGELOG.md
index fe3ac74..71a54df 100644
--- a/nitrocli/CHANGELOG.md
+++ b/nitrocli/CHANGELOG.md
@@ -5,6 +5,8 @@ Unreleased
- Check the status of a PWS slot before accessing it in `pws get`
- Added `NITROCLI_NO_CACHE` environment variable to bypass caching of
secrets
+- Clear cached PIN entry as part of `pin set` command to prevent
+ spurious authentication failures
- Bumped `libc` dependency to `0.2.55`
- Bumped `cc` dependency to `1.0.37`
diff --git a/nitrocli/src/commands.rs b/nitrocli/src/commands.rs
index a81859c..7bb314c 100644
--- a/nitrocli/src/commands.rs
+++ b/nitrocli/src/commands.rs
@@ -725,7 +725,12 @@ pub fn pin_set(ctx: &mut args::ExecCtx<'_>, pin_type: pinentry::PinType) -> Resu
pinentry::PinType::Admin => device.change_admin_pin(&current_pin, &new_pin),
pinentry::PinType::User => device.change_user_pin(&current_pin, &new_pin),
},
- )
+ )?;
+
+ // We just changed the PIN but confirmed the action with the old PIN,
+ // which may have caused it to be cached. Since it no longer applies,
+ // make sure to evict the corresponding entry from the cache.
+ pinentry::clear(&pin_entry)
}
/// Unblock and reset the user PIN.
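Review bot: The result of `pinentry::clear(&pin_entry)` is now the return value of `pin_set`, so a failed cache eviction is reported as a failed `pin set` even though the `?` on the preceding call means the device has already accepted the new PIN. A user who sees that error may assume the old PIN is still valid. The stale entry also stays cached, and presumably a later command would replay it against the device and use up a PIN retry attempt. I would at least document this at the call, e.g. `// The PIN has already been changed on the device here; an error from clear() only means the stale cache entry could not be evicted.`, and consider making the returned error say so. The body of `pin_set` starts outside this hunk, so whether the newly chosen PIN is also cached cannot be checked from here.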
diff --git a/nitrocli/src/tests/otp.rs b/nitrocli/src/tests/otp.rs
index d99a6f8..39ddf29 100644
--- a/nitrocli/src/tests/otp.rs
+++ b/nitrocli/src/tests/otp.rs
@@ -51,7 +51,7 @@ fn status(device: nitrokey::DeviceWrapper) -> crate::Result<()> {
let mut ncli = Nitrocli::with_dev(device);
// Make sure that we have at least something to display by ensuring
- // that there are there is one slot programmed.
+ // that there is one slot programmed.
let _ = ncli.handle(&["otp", "set", "0", "the-name", "123456"])?;
let out = ncli.handle(&["otp", "status"])?;