http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=35646689f4b80955ff7dbe1687bf2c479c53421e
--- mpi/mpi-pow.c 2012-01-20 11:51:16.000000000 +0100
+++ mpi/mpi-pow.c.oden 2013-08-01 08:44:49.190705059 +0200
@@ -1,5 +1,6 @@
 /* mpi-pow.c - MPI functions
- * Copyright (C) 1994, 1996, 1998, 2000 Free Software Foundation, Inc.
+ * Copyright (C) 1994, 1996, 1998, 2000 Free Software Foundation, Inc.
+ * Copyright (C) 2013 Werner Koch
  *
  * This file is part of GnuPG.
  *
@@ -209,7 +210,14 @@ mpi_powm( MPI res, MPI base, MPI exponen
 tp = rp; rp = xp; xp = tp;
 rsize = xsize;
 
- if( (mpi_limb_signed_t)e < 0 ) {
+ /* To mitigate the Yarom/Falkner flush+reload cache
+  * side-channel attack on the RSA secret exponent, we
+  * do the multiplication regardless of the value of
+  * the high-bit of E. But to avoid this performance
+  * penalty we do it only if the exponent has been
+  * stored in secure memory and we can thus assume it
+  * is a secret exponent. */
+ if (esec || (mpi_limb_signed_t)e < 0) {
 /*mpihelp_mul( xp, rp, rsize, bp, bsize );*/
 if( bsize < KARATSUBA_THRESHOLD ) {
 mpihelp_mul( xp, rp, rsize, bp, bsize );
@@ -224,7 +232,8 @@ mpi_powm( MPI res, MPI base, MPI exponen
 mpihelp_divrem(xp + msize, 0, xp, xsize, mp, msize);
 xsize = msize;
 }
-
+ }
+ if ((mpi_limb_signed_t)e < 0) {
 tp = rp; rp = xp; xp = tp;
 rsize = xsize;
 }
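Review bot: The new `if ((mpi_limb_signed_t)e < 0)` in the third hunk keeps a branch keyed on the secret exponent bit: the multiply-and-reduce is now unconditional when `esec` is set, but the pointer/size swap that decides whether its result is kept still executes only for set bits, so secret-dependent control flow remains in this loop and the comment in the second hunk overstates what the mitigation achieves. If the goal is to remove the bit-dependent branch for secure-memory exponents, the swap should become a branch-free conditional select (a mask derived from the high bit of `e` applied to the two pointers and to `rsize`/`xsize`) rather than an `if`; otherwise the comment should say so explicitly, e.g. `/* NOTE: only the multiplication is made unconditional; the result swap below still branches on the exponent bit. */`. `esec` is used here but declared outside the hunk, so I cannot confirm from this diff how it is derived from the exponent's allocation; the body of mpi_powm begins before the second hunk and continues after the third.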