Diffstat (limited to 'security/nss/lib/freebl/rsa.c')
-rw-r--r-- | security/nss/lib/freebl/rsa.c | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/security/nss/lib/freebl/rsa.c b/security/nss/lib/freebl/rsa.c
index 4dac957902..52fd8b69fb 100644
--- a/security/nss/lib/freebl/rsa.c
+++ b/security/nss/lib/freebl/rsa.c
@@ -70,6 +70,8 @@ struct RSABlindingParamsStr {
 SECItem modulus; /* list element "key" */
 blindingParams *free, *bp; /* Blinding parameters queue */
 blindingParams array[RSA_BLINDING_PARAMS_MAX_CACHE_SIZE];
+ /* precalculate montegomery reduction value */
+ mp_digit n0i; /* n0i = -( n & MP_DIGIT) ** -1 mod mp_RADIX */
 };
 typedef struct RSABlindingParamsStr RSABlindingParams;
@@ -1210,6 +1212,8 @@ generate_blinding_params(RSAPrivateKey *key, mp_int *f, mp_int *g, mp_int *n,
 CHECK_MPI_OK(mp_exptmod(&k, &e, n, f));
 /* g = k**-1 mod n */
 CHECK_MPI_OK(mp_invmod(&k, n, g));
+ /* g in montgomery form.. */
+ CHECK_MPI_OK(mp_to_mont(g, n, g));
 cleanup:
 if (kb)
 PORT_ZFree(kb, modLen);
@@ -1246,13 +1250,16 @@ init_blinding_params(RSABlindingParams *rsabp, RSAPrivateKey *key,
 rsabp->bp = NULL;
 rsabp->free = bp;
+ /* precalculate montgomery reduction parameter */
+ rsabp->n0i = mp_calculate_mont_n0i(n);
+
 /* List elements are keyed using the modulus */
 return SECITEM_CopyItem(NULL, &rsabp->modulus, &key->modulus);
 }
 static SECStatus
 get_blinding_params(RSAPrivateKey *key, mp_int *n, unsigned int modLen,
- mp_int *f, mp_int *g)
+ mp_int *f, mp_int *g, mp_digit *n0i)
 {
 RSABlindingParams *rsabp = NULL;
 blindingParams *bpUnlinked = NULL;
@@ -1312,6 +1319,7 @@ get_blinding_params(RSAPrivateKey *key, mp_int *n, unsigned int modLen,
 /* We've found (or created) the RSAblindingParams struct for this key.
 * Now, search its list of ready blinding params for a usable one. */
+ *n0i = rsabp->n0i;
 while (0 != (bp = rsabp->bp)) {
 #ifdef UNSAFE_FUZZER_MODE
 /* Found a match and there are still remaining uses left */
@@ -1426,6 +1434,7 @@ cleanup:
 if (err) {
 MP_TO_SEC_ERROR(err);
 }
+ *n0i = 0;
 return SECFailure;
 }
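Review bot: The comment on the new `n0i` field is hard to read as written — `montegomery` is misspelled and the formula `-( n & MP_DIGIT) ** -1 mod mp_RADIX` mixes a type name into the arithmetic, so a reader cannot tell that only the low digit of the modulus is involved. A clearer version is `/* Montgomery reduction constant for this modulus: n0i = -(n0)^-1 mod RADIX, where n0 is the least significant digit of n */`. Since the field is cached per key next to `modulus`, it is also worth stating that it is valid only for that modulus and must be recomputed whenever the modulus is.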
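Review bot: `mp_to_mont(g, n, g)` converts `g` in place with the output aliased to the input; whether `mp_to_mont` is specified to support that aliasing is not visible here and should be confirmed against its contract (the neighbouring `mp_invmod(&k, n, g)` uses distinct operands). The cached `g` now holds the Montgomery representation rather than the plain inverse, so every consumer of the cached value must use a Montgomery multiply; the unblinding step in `rsa_PrivateKeyOp` is updated in this commit, but any other reader of the cached `g` outside these hunks would now silently get a wrong result. The terse `/* g in montgomery form.. */` should say so: `/* store g in Montgomery form so the unblinding multiply can use the constant-time Montgomery routine */`. generate_blinding_params continues outside the hunk.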
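Review bot: The new `n0i` out-parameter of `get_blinding_params` is undocumented, and the function's existing description (outside this hunk) will not mention it; add a note at the declaration such as `/* n0i: on success receives the Montgomery reduction constant for *n; set to 0 on failure */`, which matches the `*n0i = 0;` added to the cleanup path in the later hunk. At `rsabp->n0i = mp_calculate_mont_n0i(n);` it is worth noting that the constant is only meaningful for an odd modulus (which RSA guarantees), and that if the helper has any failure indication it is not checked here. get_blinding_params' body continues outside the hunk.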
@@ -1445,6 +1454,7 @@ rsa_PrivateKeyOp(RSAPrivateKey *key,
 mp_err err;
 mp_int n, c, m;
 mp_int f, g;
+ mp_digit n0i;
 if (!key || !output || !input) {
 PORT_SetError(SEC_ERROR_INVALID_ARGS);
 return SECFailure;
@@ -1476,7 +1486,7 @@ rsa_PrivateKeyOp(RSAPrivateKey *key,
 ** blinding factor */
 if (nssRSAUseBlinding) {
- CHECK_SEC_OK(get_blinding_params(key, &n, modLen, &f, &g));
+ CHECK_SEC_OK(get_blinding_params(key, &n, modLen, &f, &g, &n0i));
 /* c' = c*f mod n */
 CHECK_MPI_OK(mp_mulmod(&c, &f, &n, &c));
 }
@@ -1497,7 +1507,7 @@ rsa_PrivateKeyOp(RSAPrivateKey *key,
 */
 if (nssRSAUseBlinding) {
 /* m = m'*g mod n */
- CHECK_MPI_OK(mp_mulmod(&m, &g, &n, &m));
+ CHECK_MPI_OK(mp_mulmontmodCT(&m, &g, &n, n0i, &m));
 }
 err = mp_to_fixlen_octets(&m, output, modLen);
 if (err >= 0)
 |
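Review bot: The retained comment `/* m = m'*g mod n */` no longer describes the mechanics of the line below it: `mp_mulmontmodCT` is a Montgomery product, and the result is the plain residue only because `g` was cached in Montgomery form by `generate_blinding_params`. Suggest `/* m = m'*g mod n; g is cached in Montgomery form, so the constant-time Montgomery product yields the plain residue */`, so that a later change to how g is cached is recognisably coupled to this line. With this change the unblinding multiply of the secret result no longer goes through `mp_mulmod` (presumably not constant-time, given the CT suffix on the replacement), while the blinding multiply `mp_mulmod(&c, &f, &n, &c)` in the previous hunk still does; since `f` is a secret blinding value, a comment recording why that path is considered acceptable, or a follow-up to move it as well, would help reviewers. The new `mp_digit n0i;` is only read under `nssRSAUseBlinding`, but initialising it to 0 would mirror the failure-path zeroing in `get_blinding_params` and avoid maybe-uninitialized warnings. rsa_PrivateKeyOp's body continues outside these hunks.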