libgcrypt 1.12.0: g_mime_multipart_encrypted_decrypt failing on i386

Stuart Henderson stu at spacehopper.org
Fri Feb 6 15:41:30 CET 2026


When building the "notmuch" email indexer, the configure script tests
that gmime can extract a session key, which it does using gcrypt.
Since 1.12.0 this frequently, though not always, fails on i386 (32-bit).

This is not changed by applying the patch
https://lists.gnupg.org/pipermail/gcrypt-devel/2026-January/006025.html

The problem is no longer seen after neutering part of
https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=commit;h=4f56fd8c5e03f389a9f27a5e9206b9dfb49c92e3

Index: mpi/ec.c
--- mpi/ec.c.orig
+++ mpi/ec.c
@@ -305,7 +305,7 @@ ec_mod (gcry_mpi_t w, mpi_ec_t ec)
   else
     _gcry_mpi_mod (w, w, ec->p);
 
-  if ((ec->flags & GCRYECC_FLAG_LEAST_LEAK))
+  if (0 && (ec->flags & GCRYECC_FLAG_LEAST_LEAK))
     w->nlimbs = ec->p->nlimbs;
 }
 
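Review bot: The `0 &&` in front of the `GCRYECC_FLAG_LEAST_LEAK` test switches off the `w->nlimbs = ec->p->nlimbs` normalisation for every context that set the flag, so this is useful for localising the failure but should not be carried as a fix. Judging by its name, the flag is a side-channel hardening, and callers that asked for it would lose it silently. The intermittent failures suggest, though this hunk does not show it, that `w` may not always have `ec->p->nlimbs` allocated and zeroed limbs when its count is forced upward. A real fix would guarantee that before the assignment instead of skipping it. If the workaround is applied locally, mark it above the condition, e.g. `/* DIAGNOSTIC ONLY: disables least-leak limb normalisation, do not ship */`. ec_mod begins above the hunk.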

The script below replicates the test setup used by notmuch (requires
gmime and gnupg to be installed).

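#!/bin/sh
# Reproducer for the session-key extraction check.
# Abort at the first failing command so a broken setup step is not mistaken
# for the decryption failure under investigation.
set -e

# Work in a fresh scratch directory. mktemp -d creates it with a unique name
# and mode 0700; the same directory is used as GNUPGHOME further down.
tmp=$(mktemp -d /tmp/notmuchtest.XXXXXXXXX)
# Quoted so the path is always passed to cd as a single word.
cd "$tmp"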

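# Write the C test program. The here-document delimiter is quoted so the shell
# copies the source literally instead of applying parameter or command
# expansion to it.
cat << 'EOF' > _check_session_keys.c
#include <gmime/gmime.h>
#include <stdio.h>

/* Parse basic-encrypted.eml, decrypt its multipart/encrypted body and print
 * the exported session key. Every failure path prints a diagnostic and
 * returns non-zero ("!! fprintf (...)" is 1 for any non-zero fprintf result). */
int main () {
    GError *error = NULL;
    GMimeParser *parser = NULL;
    GMimeMultipartEncrypted *body = NULL;
    GMimeDecryptResult *decrypt_result = NULL;
    GMimeObject *output = NULL;

    g_mime_init ();
    parser = g_mime_parser_new ();
    g_mime_parser_init_with_stream (parser, g_mime_stream_file_open("basic-encrypted.eml", "r", &error));
    if (error) return !! fprintf (stderr, "failed to instantiate parser with basic-encrypted.eml\n");

    body = GMIME_MULTIPART_ENCRYPTED(g_mime_message_get_mime_part (g_mime_parser_construct_message (parser, NULL)));
    if (body == NULL) return !! fprintf (stderr, "did not find a multipart encrypted message\n");

    /* GMIME_DECRYPT_EXPORT_SESSION_KEY asks for the session key to be returned
     * in decrypt_result. This is the call the report describes as failing
     * intermittently on i386 with libgcrypt 1.12.0. */
    output = g_mime_multipart_encrypted_decrypt (body, GMIME_DECRYPT_EXPORT_SESSION_KEY, NULL, &decrypt_result, &error);
    if (error || output == NULL) return !! fprintf (stderr, "decryption failed\n");

    if (decrypt_result == NULL) return !! fprintf (stderr, "no GMimeDecryptResult found\n");
    if (decrypt_result->session_key == NULL) return !! fprintf (stderr, "GMimeDecryptResult has no session key\n");

    /* A session key is enough to decrypt the message by itself. Printing it
     * is acceptable here only because key and message are published test
     * fixtures. */
    printf ("%s\n", decrypt_result->session_key);
    return 0;
}
EOF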

# Write the secret key that is imported into the scratch keyring below;
# presumably it is the recipient key of basic-encrypted.eml.
# The private key material is published here in full, so treat it as
# compromised: use it only inside the throwaway GNUPGHOME this script sets up,
# never in a real keyring.
cat << EOF > openpgp4-secret-key.asc
-----BEGIN PGP PRIVATE KEY BLOCK-----

lFgEYxhtlxYJKwYBBAHaRw8BAQdA0PoNKr90DaQV1dIK77wbWm4RT+JQzqBkwIjA
HQM9RHYAAQDQ5wSfkOGXvKYroALWgibztISzXS5b8boGXykcHERo6w/ctDtOb3Rt
dWNoIFRlc3QgU3VpdGUgKElOU0VDVVJFISkgPHRlc3Rfc3VpdGVAbm90bXVjaG1h
aWwub3JnPoiQBBMWCAA4AhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAFiEEmjr+
bGAGWhSP1LWKfmq+kkZFzGAFAmMYbZwACgkQfmq+kkZFzGDtrwEAjQRn3xhEomah
wICjQjfi4RKNbvnRViZgosijDBANUAgA/28GrK1tPnQsXWqmuZxQ1Cd5ry4NAnj/
4jsxD3cTbnEHnF0EYxhtlxIKKwYBBAGXVQEFAQEHQEOd3EyCD5qo4+QuHz0lruCG
VM6n6RI4dtAh3cX9uHwiAwEIBwAA/1oe+p5jNjNE5lEj4yTpYjCxCeC98MolbiAy
0yY7526wECqIeAQYFggAIBYhBJo6/mxgBloUj9S1in5qvpJGRcxgBQJjGG2XAhsM
AAoJEH5qvpJGRcxgBdsA/R9ZECoxai5QhOitDIAUZVCRr59Pm1VMPiJOOIla2N1p
AQCNESwJ9IJOdO/06q+bR2GG4WyEkB4VoVBiA3hFx/zZAA==
=uGTo
-----END PGP PRIVATE KEY BLOCK-----
EOF

# Write the fixture message read by _check_session_keys: a multipart/encrypted
# mail (protocol application/pgp-encrypted) whose second part carries the
# ASCII-armored ciphertext.
# NOTE(review): the " at " in the From/To/Message-ID values looks like
# mailing-list archive obfuscation of "@" - confirm against the notmuch
# sources if the exact header values matter.
cat << EOF > basic-encrypted.eml
From: test_suite at notmuchmail.org
To: test_suite at notmuchmail.org
Subject: Here is the password
Date: Sat, 01 Jan 2000 12:00:00 +0000
Message-ID: <basic-encrypted at crypto.notmuchmail.org>
MIME-Version: 1.0
Content-Type: multipart/encrypted; boundary="=-=-=";
        protocol="application/pgp-encrypted"

--=-=-=
Content-Type: application/pgp-encrypted

Version: 1

--=-=-=
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

hF4DHXHP849rSK8SAQdAYbv9NFaU2Fbd6JbfE87h/yZNyWLJYZ2EseU0WyOz7Agw
/+KTbbIqRcEYhnpQhQXBQ2wqIN5gmdRhaqrj5q0VLV2BOKNJKqXGs/W4DghXwfAu
0oMBqjTd/mMbF0nJLw3bPX+LW47RHQdZ8vUVPlPr0ALg8kqgcfy95Qqy5h796Uyq
xs+I/UUOt7fzTDAw0B4qkRbdSangwYy80N4X43KrAfKSstBH3/7O4285XZr86YhF
rEtsBuwhoXI+DaG3uYZBBMTkzfButmBKHwB2CmWutmVpQL087A==
=lhSz
-----END PGP MESSAGE-----
--=-=-=--
EOF

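# Build the checker. The pkg-config substitutions are left unquoted on purpose
# so that each flag they print becomes a separate argument to cc.
cc $(pkg-config --cflags gmime-3.0) _check_session_keys.c \
   $(pkg-config --libs gmime-3.0) -o _check_session_keys

# Point GnuPG at the scratch directory so the published test key is imported
# into a throwaway keyring and never reaches the caller's real one. The value
# is quoted so it reaches export as a single word in every POSIX shell.
export GNUPGHOME="$tmp"
gpg --batch --quiet --import < openpgp4-secret-key.asc

# Print the command line for repeating the check by hand, then run it once.
# The scratch directory is not removed by this script; delete it when the
# investigation is finished.
echo "cd $tmp; GNUPGHOME=$tmp ./_check_session_keys"
./_check_session_keys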


