From cf276937cdd362ee902f59f0ae01cec5ae47e24f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
Date: Tue, 19 Mar 2024 09:24:41 +0100
Subject: [PATCH 01/13] padding: Set correct output length in PKCS#1 v1.5
 depadding

(cherry picked from commit 556cbf3ef71425e69eb3914961332f67335cd9ff)
---
 src/libopensc/padding.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/src/libopensc/padding.c b/src/libopensc/padding.c
index e8899a5131..6e09e45711 100644
--- a/src/libopensc/padding.c
+++ b/src/libopensc/padding.c
@@ -154,13 +154,15 @@ sc_pkcs1_strip_02_padding_constant_time(sc_context_t *ctx, unsigned int n, const
 {
 	unsigned int i = 0;
 	u8 *msg, *msg_orig = NULL;
-	unsigned int good, found_zero_byte, mask;
+	unsigned int good, found_zero_byte, mask, tmp_outlen;
 	unsigned int zero_index = 0, msg_index, mlen = -1, len = 0;
 	LOG_FUNC_CALLED(ctx);
 
-	if (data == NULL || data_len <= 0 || data_len > n || n < SC_PKCS1_PADDING_MIN_SIZE)
+	if (data == NULL || data_len <= 0 || data_len > n ||
+			n < SC_PKCS1_PADDING_MIN_SIZE || out_len == NULL)
 		LOG_FUNC_RETURN(ctx, SC_ERROR_INTERNAL);
 
+	tmp_outlen = *out_len;
 	msg = msg_orig = calloc(n, sizeof(u8));
 	if (msg == NULL)
 		LOG_FUNC_RETURN(ctx, SC_ERROR_INTERNAL);
@@ -201,18 +203,18 @@ sc_pkcs1_strip_02_padding_constant_time(sc_context_t *ctx, unsigned int n, const
 	mlen = data_len - msg_index;
 
 	// check that message fits into out buffer
-	good &= constant_time_ge(*out_len, mlen);
+	good &= constant_time_ge(tmp_outlen, mlen);
 
 	// move the result in-place by |num|-SC_PKCS1_PADDING_MIN_SIZE-|mlen| bytes to the left.
-	*out_len = constant_time_select(constant_time_lt(n - SC_PKCS1_PADDING_MIN_SIZE, *out_len),
-			n - SC_PKCS1_PADDING_MIN_SIZE, *out_len);
+	tmp_outlen = constant_time_select(constant_time_lt(n - SC_PKCS1_PADDING_MIN_SIZE, tmp_outlen),
+			n - SC_PKCS1_PADDING_MIN_SIZE, tmp_outlen);
 	for (msg_index = 1; msg_index < n - SC_PKCS1_PADDING_MIN_SIZE; msg_index <<= 1) {
 		mask = ~constant_time_eq(msg_index & (n - SC_PKCS1_PADDING_MIN_SIZE - mlen), 0);
 		for (i = SC_PKCS1_PADDING_MIN_SIZE; i < n - msg_index; i++)
 			msg[i] = constant_time_select_8(mask, msg[i + msg_index], msg[i]);
 	}
 	// move message into out buffer, if good
-	for (i = 0; i < *out_len; i++) {
+	for (i = 0; i < tmp_outlen; i++) {
 		unsigned int msg_index;
 		// when out is longer than message in data, use some bogus index in msg
 		mask = good & constant_time_lt(i, mlen);
@@ -220,6 +222,7 @@ sc_pkcs1_strip_02_padding_constant_time(sc_context_t *ctx, unsigned int n, const
 		out[i] = constant_time_select_8(mask, msg[msg_index], out[i]);
 	}
 
+	*out_len = constant_time_select(good, mlen, *out_len);
 	free(msg_orig);
 	return constant_time_select(good, mlen, SC_ERROR_WRONG_PADDING);
 }

From 2b205a5044804e5e678645c04b5ed5cf971138e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
Date: Wed, 20 Mar 2024 11:57:50 +0100
Subject: [PATCH 02/13] minidriver: Remove logging to prevent Marvin attack

(cherry picked from commit 21a0a25e516cc46724659efb1f08e778d1c225f5)
---
 src/minidriver/minidriver.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/src/minidriver/minidriver.c b/src/minidriver/minidriver.c
index 7796afdac2..fb59fb5923 100644
--- a/src/minidriver/minidriver.c
+++ b/src/minidriver/minidriver.c
@@ -4721,18 +4721,14 @@ DWORD WINAPI CardRSADecrypt(__in PCARD_DATA pCardData,
 	}
 	dwret = constant_time_select_s(good, SCARD_S_SUCCESS, SCARD_F_INTERNAL_ERROR);
 
-	logprintf(pCardData, 2, "decrypted data(%lu):\n",
-		  (unsigned long)pInfo->cbData);
-	loghex(pCardData, 7, pbuf2, pInfo->cbData);
-
 	/*inversion donnees */
 	/* copy data in constant-time way to prevent leak */
 	for (ui = 0; ui < pbufLen; ui++) {
 		unsigned int mask, msg_index, inv_ui;
 		mask = good & constant_time_lt_s(ui, pInfo->cbData); /* ui should be in the bounds of pbuf2 */
 		inv_ui = pInfo->cbData - ui - 1;
-		msg_index = constant_time_select_s(mask, inv_ui, 0);
-		pInfo->pbData[ui] = constant_time_select_8(mask, pbuf2[msg_index], pInfo->pbData[ui]);
+		msg_index = constant_time_select_s(mask, inv_ui, ui); /* do not change data outside the depadded message */
+		pInfo->pbData[ui] = pbuf2[msg_index];
 	}
 
 	pCardData->pfnCspFree(pbuf);

From d84d8ad35b98c52e738737ad2a056c9083f3f9f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
Date: Wed, 20 Mar 2024 16:50:54 +0100
Subject: [PATCH 03/13] unittests: Test correct output length for PKCS#1 v1.5
 depadding

(cherry picked from commit 29a98e5b2811f3df7cc7982d8b30a86e756c325c)
---
 src/tests/unittests/strip_pkcs1_2_padding.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/tests/unittests/strip_pkcs1_2_padding.c b/src/tests/unittests/strip_pkcs1_2_padding.c
index 990e94a38b..385841fc59 100644
--- a/src/tests/unittests/strip_pkcs1_2_padding.c
+++ b/src/tests/unittests/strip_pkcs1_2_padding.c
@@ -18,6 +18,7 @@ torture_long_output_buffer(void **state)
 	unsigned char result_msg[] = {'m', 's', 'g'};
 	int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
 	assert_int_equal(r, 3);
+	assert_int_equal(r, (int)out_len);
 	assert_memory_equal(out, result_msg, r);
 	free(out);
 }
@@ -34,6 +35,7 @@ torture_short_output_buffer(void **state)
 	unsigned int out_len = 1;
 	unsigned char *out = calloc(out_len, sizeof(unsigned char));
 	int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
+	assert_int_equal((int)out_len, 1);
 	assert_int_equal(r, SC_ERROR_WRONG_PADDING);
 	free(out);
 }
@@ -52,6 +54,7 @@ torture_short_message_correct_padding(void **state)
 	unsigned char result_msg[] = {'m', 's', 'g'};
 	int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
 	assert_int_equal(r, 3);
+	assert_int_equal(r, (int)out_len);
 	assert_memory_equal(out, result_msg, r);
 	free(out);
 }
@@ -68,6 +71,7 @@ torture_missing_first_zero(void **state)
 	unsigned int out_len = 10;
 	unsigned char *out = calloc(out_len, sizeof(unsigned char));
 	int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
+	assert_int_equal((int)out_len, 10);
 	assert_int_equal(r, SC_ERROR_WRONG_PADDING);
 	free(out);
 }
@@ -84,6 +88,7 @@ torture_missing_two(void **state)
 	unsigned int out_len = 10;
 	unsigned char *out = calloc(out_len, sizeof(unsigned char));
 	int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
+	assert_int_equal((int)out_len, 10);
 	assert_int_equal(r, SC_ERROR_WRONG_PADDING);
 	free(out);
 }
@@ -100,6 +105,7 @@ torture_short_padding(void **state)
 	unsigned int out_len = 10;
 	unsigned char *out = calloc(out_len, sizeof(unsigned char));
 	int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
+	assert_int_equal((int)out_len, 10);
 	assert_int_equal(r, SC_ERROR_WRONG_PADDING);
 	free(out);
 }
@@ -115,6 +121,7 @@ torture_missing_second_zero(void **state)
 	unsigned int out_len = 10;
 	unsigned char *out = calloc(out_len, sizeof(unsigned char));
 	int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
+	assert_int_equal((int)out_len, 10);
 	assert_int_equal(r, SC_ERROR_WRONG_PADDING);
 	free(out);
 }
@@ -130,6 +137,7 @@ torture_missing_message(void **state)
 	unsigned int out_len = 11;
 	unsigned char *out = calloc(out_len, sizeof(unsigned char));
 	int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
+	assert_int_equal((int)out_len, 11);
 	assert_int_equal(r, SC_ERROR_WRONG_PADDING);
 	free(out);
 }
@@ -148,6 +156,7 @@ torture_one_byte_message(void **state)
 	unsigned char result_msg[] = {'m'};
 	int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
 	assert_int_equal(r, 1);
+	assert_int_equal(r, (int)out_len);
 	assert_memory_equal(out, result_msg, r);
 	free(out);
 }
@@ -166,6 +175,7 @@ torture_longer_padding(void **state)
 	unsigned char result_msg[] = {0x9d, 0x98, 0x3d, 0xca, 0xa9, 0xa7, 0x11, 0x0a};
 	int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
 	assert_int_equal(r, 8);
+	assert_int_equal(r, (int)out_len);
 	assert_memory_equal(out, result_msg, r);
 	free(out);
 }
@@ -181,6 +191,7 @@ torture_empty_message(void **state)
 	unsigned int out_len = 8;
 	unsigned char *out = calloc(out_len, sizeof(unsigned char));
 	int r = sc_pkcs1_strip_02_padding_constant_time(NULL, n, in, in_len, out, &out_len);
+	assert_int_equal((int)out_len, 0);
 	assert_int_equal(r, 0);
 	free(out);
 }

From fda2295ae3b83394e68b2a904ebe59cf2a5bb771 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
Date: Thu, 21 Mar 2024 10:45:30 +0100
Subject: [PATCH 04/13] minidriver: Refactor inversion of decrypted buffer

(cherry picked from commit 7471dd26cde84bf573c03af68b47c0b0dab5edfa)
---
 src/minidriver/minidriver.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/minidriver/minidriver.c b/src/minidriver/minidriver.c
index fb59fb5923..1302f1b1d8 100644
--- a/src/minidriver/minidriver.c
+++ b/src/minidriver/minidriver.c
@@ -4710,7 +4710,7 @@ DWORD WINAPI CardRSADecrypt(__in PCARD_DATA pCardData,
 		goto err;
 	}
 
-	good = constant_time_eq_i(r, 0);
+	good = constant_time_ge(r, 1);
 	/* if no error or padding error, do not return here to prevent Marvin attack */
 	if (!(good | wrong_padding) && r < 0)   {
 		logprintf(pCardData, 2, "sc_pkcs15_decipher error(%i): %s\n", r, sc_strerror(r));
@@ -4724,11 +4724,13 @@ DWORD WINAPI CardRSADecrypt(__in PCARD_DATA pCardData,
 	/*inversion donnees */
 	/* copy data in constant-time way to prevent leak */
 	for (ui = 0; ui < pbufLen; ui++) {
-		unsigned int mask, msg_index, inv_ui;
-		mask = good & constant_time_lt_s(ui, pInfo->cbData); /* ui should be in the bounds of pbuf2 */
-		inv_ui = pInfo->cbData - ui - 1;
-		msg_index = constant_time_select_s(mask, inv_ui, ui); /* do not change data outside the depadded message */
-		pInfo->pbData[ui] = pbuf2[msg_index];
+		unsigned int mask, inv_ui;
+		unsigned char msg_byte, orig_byte;
+		mask = good & constant_time_lt_s(ui, pInfo->cbData);	 /* ui should be in bounds of decrypted message */
+		inv_ui = pInfo->cbData - ui - 1;			 /* compute inversed ui index */
+		msg_byte = pbuf2[constant_time_select(mask, inv_ui, 0)]; /* if in range of decrypted message, read on inversed index otherwise read some bogus value */
+		orig_byte = pInfo->pbData[ui];
+		pInfo->pbData[ui] = constant_time_select_s(mask, msg_byte, orig_byte); /* store message byte only if in correct range */
 	}
 
 	pCardData->pfnCspFree(pbuf);

From 1993f2e2ce8cd51b327f9206e5cad1c10beaf6d2 Mon Sep 17 00:00:00 2001
From: Jozsef Dojcsak <jozsef.dojcsak@gmail.com>
Date: Tue, 2 Apr 2024 16:29:11 +0200
Subject: [PATCH 05/13] Add check for the optional member app, fix #3084

(cherry picked from commit 1f0af543f6e5920c7212fab8ee903d74bb6a4931)
---
 src/minidriver/minidriver.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/minidriver/minidriver.c b/src/minidriver/minidriver.c
index 1302f1b1d8..496c3db654 100644
--- a/src/minidriver/minidriver.c
+++ b/src/minidriver/minidriver.c
@@ -513,9 +513,12 @@ get_pin_by_name(PCARD_DATA pCardData, struct sc_pkcs15_card *p15card, int role,
 	if (!conf_block)
 		MD_FUNC_RETURN(pCardData, 1, SCARD_F_INTERNAL_ERROR);
 
-	memset(str_path, 0, sizeof(str_path));
-	sc_bin_to_hex(p15card->app->path.value, p15card->app->path.len, str_path, sizeof(str_path), 0);
-	blocks = scconf_find_blocks(p15card->card->ctx->conf, conf_block, "application", str_path);
+	if ( p15card->app != NULL ) {
+		memset(str_path, 0, sizeof(str_path));
+		sc_bin_to_hex(p15card->app->path.value, p15card->app->path.len, str_path, sizeof(str_path), 0);
+		blocks = scconf_find_blocks(p15card->card->ctx->conf, conf_block, "application", str_path);
+	}
+	
 	if (blocks)   {
 		if (blocks[0]) {
 			pin = (char *)scconf_get_str(blocks[0], pin_type, NULL);

From 9b569103dfbac49fcd31806bf1ac709bff160da9 Mon Sep 17 00:00:00 2001
From: Jozsef Dojcsak <jozsef.dojcsak@gmail.com>
Date: Tue, 2 Apr 2024 16:46:25 +0200
Subject: [PATCH 06/13] Fix coding style

(cherry picked from commit 6a98d4a259c9839ac33361c8dd3f669435cc7774)
---
 src/minidriver/minidriver.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/minidriver/minidriver.c b/src/minidriver/minidriver.c
index 496c3db654..10da7dba43 100644
--- a/src/minidriver/minidriver.c
+++ b/src/minidriver/minidriver.c
@@ -513,12 +513,12 @@ get_pin_by_name(PCARD_DATA pCardData, struct sc_pkcs15_card *p15card, int role,
 	if (!conf_block)
 		MD_FUNC_RETURN(pCardData, 1, SCARD_F_INTERNAL_ERROR);
 
-	if ( p15card->app != NULL ) {
+	if (p15card->app != NULL) {
 		memset(str_path, 0, sizeof(str_path));
 		sc_bin_to_hex(p15card->app->path.value, p15card->app->path.len, str_path, sizeof(str_path), 0);
 		blocks = scconf_find_blocks(p15card->card->ctx->conf, conf_block, "application", str_path);
 	}
-	
+
 	if (blocks)   {
 		if (blocks[0]) {
 			pin = (char *)scconf_get_str(blocks[0], pin_type, NULL);

From 42abae72089145dad8f382643f6b1ecf27902167 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 7 Mar 2024 14:38:50 +0100
Subject: [PATCH 07/13] README: Use https for HTML preview

(cherry picked from commit 3a822b030619e667e4a7aa00340e50108287c1aa)
---
 README.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 6f594c020b..a35f53fb46 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,10 @@
 # OpenSC documentation
 
-Manual pages for the [OpenSC command line tools](htmlpreview.github.io/?https://github.com/OpenSC/OpenSC/blob/master/doc/tools/tools.html) as well as for the [OpenSC configuration files](http://htmlpreview.github.io/?https://github.com/OpenSC/OpenSC/blob/master/doc/files/files.html) are available online and typically distributed along with your installation.
+Manual pages for the
+[OpenSC command line tools](https://htmlpreview.github.io/?https://github.com/OpenSC/OpenSC/blob/master/doc/tools/tools.html)
+as well as for the
+[OpenSC configuration files](https://htmlpreview.github.io/?https://github.com/OpenSC/OpenSC/blob/master/doc/files/files.html)
+are available online and typically distributed along with your installation.
 
 The [OpenSC Wiki](https://github.com/OpenSC/OpenSC/wiki) includes, among others, information for:
  * [Windows Quick Start](https://github.com/OpenSC/OpenSC/wiki/Windows-Quick-Start)

From 0379fce293ad5be396f53f14fa946099c795555b Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 7 Mar 2024 14:41:02 +0100
Subject: [PATCH 08/13] doc: Include docbook-utf8.xml in the dist tarball

(cherry picked from commit d6ca03a94d36cf25053f74d543f217caa21c80d4)
---
 doc/Makefile.am | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/Makefile.am b/doc/Makefile.am
index 754720a995..85db89a212 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -2,5 +2,5 @@ MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
 
 SUBDIRS = tools files
 
-dist_noinst_SCRIPTS = html.xsl man.xsl
+dist_noinst_SCRIPTS = html.xsl docbook-utf8.xsl man.xsl
 dist_noinst_DATA = api.css

From 9bc76d3b5d34971b4cd3c32dce660ef02b721ba9 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 7 Mar 2024 14:41:17 +0100
Subject: [PATCH 09/13] ci: Build docs by default

(cherry picked from commit b694d932481ca528cc9cdc74b7445749f3d568e3)
---
 .github/build.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/build.sh b/.github/build.sh
index c955b8904c..ee4e54b746 100755
--- a/.github/build.sh
+++ b/.github/build.sh
@@ -54,7 +54,7 @@ else
 	fi
 	# normal procedure
 
-	CONFIGURE_FLAGS="--disable-dependency-tracking"
+	CONFIGURE_FLAGS="--disable-dependency-tracking --enable-doc"
 	if [ "$1" == "piv-sm" ]; then
 		CONFIGURE_FLAGS="$CONFIGURE_FLAGS --enable-piv-sm"
 	fi

From aa979d1d0e0ab5f34ebc079b10a2ce394456cc61 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 7 Mar 2024 14:56:36 +0100
Subject: [PATCH 10/13] ci: Pass the configure flags to distcheck too

(cherry picked from commit 4ba437c344d71cf1631debe8b7a2a3eee962e187)
---
 .github/build.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/build.sh b/.github/build.sh
index ee4e54b746..7770590af1 100755
--- a/.github/build.sh
+++ b/.github/build.sh
@@ -92,6 +92,7 @@ fi
 # this is broken in old ubuntu
 if [ "$1" == "dist" -o "$2" == "dist" ]; then
 	set +e
+	DISTCHECK_CONFIGURE_FLAGS="$CONFIGURE_FLAGS"
 	make distcheck
 	RV=$?
 	if [ $RV -ne 0 ]; then

From 5709c2d6df8f6e701e6b8c840878a0a77bff9835 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 8 Mar 2024 11:57:21 +0100
Subject: [PATCH 11/13] README: Fix link on to AppVeyor build

(cherry picked from commit 6c15101fec17688257f07be5265f0bfab0ac20cb)
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index a35f53fb46..d222721486 100644
--- a/README.md
+++ b/README.md
@@ -33,7 +33,7 @@ Nightly builds are available by their git hash in branches of [OpenSC/Nightly](h
 
 [![Linux build](https://github.com/OpenSC/OpenSC/actions/workflows/linux.yml/badge.svg)](https://github.com/OpenSC/OpenSC/actions/workflows/linux.yml)
 [![OSX build](https://github.com/OpenSC/OpenSC/actions/workflows/macos.yml/badge.svg)](https://github.com/OpenSC/OpenSC/actions/workflows/macos.yml)
-[![AppVeyor CI Build Status](https://ci.appveyor.com/api/projects/status/github/OpenSC/OpenSC?branch=master&svg=true)](https://ci.appveyor.com/project/LudovicRousseau/OpenSC/branch/master)
+[![AppVeyor CI Build Status](https://ci.appveyor.com/api/projects/status/github/OpenSC/OpenSC?branch=master&svg=true)](https://ci.appveyor.com/project/frankmorgner/opensc/branch/master)
 [![Coverity Scan Status](https://scan.coverity.com/projects/4026/badge.svg)](https://scan.coverity.com/projects/4026)
 [![CodeQL](https://github.com/OpenSC/OpenSC/actions/workflows/codeql.yml/badge.svg?event=push)](https://github.com/OpenSC/OpenSC/actions/workflows/codeql.yml)
 [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/opensc.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:opensc)

From e5c377f7d9677bb3250ddc884de8ab063a267b93 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
Date: Thu, 4 Apr 2024 10:48:38 +0200
Subject: [PATCH 12/13] Remove branch suffix from Linux and AppVeyor build

---
 .appveyor.yml    | 3 +--
 .github/build.sh | 5 -----
 2 files changed, 1 insertion(+), 7 deletions(-)

diff --git a/.appveyor.yml b/.appveyor.yml
index 4599100ad2..bca1775ae3 100644
--- a/.appveyor.yml
+++ b/.appveyor.yml
@@ -96,8 +96,7 @@ build_script:
       }
   - bash -c "exec 0</dev/null && if [ \"$APPVEYOR_REPO_BRANCH\" == \"master\" -a -z \"$APPVEYOR_PULL_REQUEST_NUMBER\" ]; then ./bootstrap; fi"
   - bash -c "exec 0</dev/null && if [ \"$APPVEYOR_REPO_BRANCH\" == \"master\" -a -n \"$APPVEYOR_PULL_REQUEST_NUMBER\" ]; then ./bootstrap.ci -s \"-pr$APPVEYOR_PULL_REQUEST_NUMBER\"; fi"
-  - bash -c "exec 0</dev/null && if [ \"$APPVEYOR_REPO_BRANCH\" != \"master\" -a -z \"$APPVEYOR_PULL_REQUEST_NUMBER\" ]; then ./bootstrap.ci -s \"-$APPVEYOR_REPO_BRANCH\"; fi"
-  - bash -c "exec 0</dev/null && if [ \"$APPVEYOR_REPO_BRANCH\" != \"master\" -a -n \"$APPVEYOR_PULL_REQUEST_NUMBER\" ]; then ./bootstrap.ci -s \"-$APPVEYOR_REPO_BRANCH-prAPPVEYOR_PULL_REQUEST_NUMBER\"; fi"
+  - bash -c "exec 0</dev/null && if [ \"$APPVEYOR_REPO_BRANCH\" != \"master\" ]; then ./bootstrap; fi"
   # disable features to speed up the script
   - bash -c "exec 0</dev/null && ./configure --with-cygwin-native --disable-openssl --disable-readline --disable-zlib || cat config.log"
   - bash -c "exec 0</dev/null && rm src/getopt.h"
diff --git a/.github/build.sh b/.github/build.sh
index 7770590af1..afb58af450 100755
--- a/.github/build.sh
+++ b/.github/build.sh
@@ -15,11 +15,6 @@ if [ "$GITHUB_EVENT_NAME" == "pull_request" ]; then
 	else
 		SUFFIX="$GITHUB_BASE_REF-pr$PR_NUMBER"
 	fi
-else
-	BRANCH=$(echo $GITHUB_REF | awk 'BEGIN { FS = "/" } ; { print $3 }')
-	if [ "$BRANCH" != "master" ]; then
-		SUFFIX="$BRANCH"
-	fi
 fi
 if [ -n "$SUFFIX" ]; then
 	./bootstrap.ci -s "$SUFFIX"

From 0a4b772d6fdab9bfaaa3123775a48a7cb6c5e7c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Veronika=20Hanul=C3=ADkov=C3=A1?= <vhanulik@redhat.com>
Date: Thu, 4 Apr 2024 15:14:24 +0200
Subject: [PATCH 13/13] 0.25.1

---
 .appveyor.yml | 2 +-
 NEWS          | 9 +++++++++
 SECURITY.md   | 4 ++--
 configure.ac  | 4 ++--
 4 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/.appveyor.yml b/.appveyor.yml
index bca1775ae3..f5879c4ba4 100644
--- a/.appveyor.yml
+++ b/.appveyor.yml
@@ -1,4 +1,4 @@
-version: 0.25.0.{build}
+version: 0.25.1.{build}
 
 platform:
   - x86
diff --git a/NEWS b/NEWS
index 13017fd7be..4579e877a6 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,14 @@
 NEWS for OpenSC -- History of user visible changes
 
+# New in 0.25.0; 2024-04-05
+
+## General improvements
+* Add missing file to dist tarball to build documentation (#3063)
+
+## minidriver
+* Fix RSA decryption with PKCS#1 v1.5 padding (#3077)
+* Fix crash when app is not set (#3084)
+
 # New in 0.25.0; 2024-03-06
 ## Security
 * [CVE-2023-5992](https://github.com/OpenSC/OpenSC/wiki/CVE-2023-5992): Side-channel leaks while stripping encryption PKCS#1.5 padding in OpenSC (#2948)
diff --git a/SECURITY.md b/SECURITY.md
index bba5a39845..51236a8c15 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -9,8 +9,8 @@ backport security fixes into them. Only the last release is supported.
 
 | Version  | Supported          |
 | -------- | ------------------ |
-| 0.25.0   | :white_check_mark: |
-| < 0.25.0 | :x:                |
+| 0.25.1   | :white_check_mark: |
+| < 0.25.1 | :x:                |
 
 ## Reporting a Vulnerability
 
diff --git a/configure.ac b/configure.ac
index e8d502bd9e..b8224b5de7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -8,7 +8,7 @@ define([PRODUCT_BUGREPORT], [https://github.com/OpenSC/OpenSC/issues])
 define([PRODUCT_URL], [https://github.com/OpenSC/OpenSC])
 define([PACKAGE_VERSION_MAJOR], [0])
 define([PACKAGE_VERSION_MINOR], [25])
-define([PACKAGE_VERSION_FIX], [0])
+define([PACKAGE_VERSION_FIX], [1])
 define([PACKAGE_SUFFIX], [])
 
 define([VS_FF_LEGAL_COPYRIGHT], [OpenSC Project])
@@ -48,7 +48,7 @@ OPENSC_VS_FF_PRODUCT_URL="VS_FF_PRODUCT_URL"
 #   (Interfaces added:                  CURRENT++, REVISION=0)
 OPENSC_LT_CURRENT="11"
 OPENSC_LT_OLDEST="11"
-OPENSC_LT_REVISION="1"
+OPENSC_LT_REVISION="2"
 OPENSC_LT_AGE="$((${OPENSC_LT_CURRENT}-${OPENSC_LT_OLDEST}))"
 
 AC_CONFIG_SRCDIR([src/libopensc/sc.c])