DANE has been an experimental thing and is imho dead.

Thanks for the report. However, for 1.4 we will only apply important real world security patches. A brief review did not reveal any setious problems. Theoretical memory leaks will not be fixed. Note that your report also includes patches to parts of the code which are not anymore used.

Code for avoiding the COMMON section has been there, because of RISC OS.
I think that it will be easier to enable that for all (but not for RISC OS only).

Okay. Now since configure.ac is already touching CFLAGS, it seemed like a good place to add that additional option here. All this is guarded by a test for GCC, and since clang mimics that behaviour, it works for them as well.

Take care: gpg is also used on platforms with proprietary compilers which don't support -f options. Thus you need to limit this to gcc.

After some more checking: LLVM-11 introduced the same behaviour in that regard, but appearently not a pragma/attribute to override this: https://releases.llvm.org/11.0.0/tools/clang/docs/ReleaseNotes.html

Thus better add a

&& !defined(__clang__)

Sure that the FreeBSD compiler does not define it? I am pretty sure it does.

According to list of attributes in the clang 12 documention, there is no such attribute in clang. However, the clang-11 compiler (as seen in Debian) does not define __GNUC__, so the proposed patch does not affect the status when building with clang.

Reconsidering this: Running the test suite with gpg1 is not a proper use case. gpg1 may be installed in addition to gpg but it should never be used on a build machine solely.

I've just tried the test suite of GnuPG 1.4.23 on debian buster and all tests pass.

Thanks. I tried to install the latest released version, 1.4.23, but I got the same error.

That is a very old version (2015); please retry using the latest released version 1.4.23 (from 2018).

It's in 2.2.4 and 1.4.23.
Closing.

ee1fc420fb9741b2cfaea6fa820a00be2923f514 contains a proposed fix for this.

@dkg can you please take this up with Debian and other distros? See the commit for a brief description.

Applied to STABLE-BRANCH-1-4, too.

Good catch. Thanks. Fixed in STABLE-BRANCH-2-2.

FYI : when submitting a buffer composed of

• a leading 00 byte,
• the 255 bytes encrypted session key value

to HSM/PKCS11 for decyption, decrypt returns without any errors, and returned plain session key is the one expected.

Some enlightenments here because i may have not mention some info in the first place :

Our HSM is a certified FIPS 140-2, sec level3, hardware module, exposing a PKCS#11 v2.30 spec compliant API.

What kind of hardware token?

It's fixed in master.
It is good to backport this to GnuPG 2.2 and GnuPG 1.4.

OK, closed.

Won't we fixed for 1.4 and 2.0 (which is too close to EOL). Has been fixed for master; see T2359.

GnuPG 1.4 is only for old features. New features are only supported by GnuPG 2.2.

Same issue exists in 2.2:

Won't be fixed for 1.4.

There should be a backup file in these cases.