The RSA implementation in os/rsa.c uses the Chinese Remainder Theorem without blinding to efficiently decrypt. This introduces a timing attack, slightly different from the published one, where the variance of the runtime as a function of the argument to the reduction leaks the private components of the key. The standard countermeasure is blinding.
Handbook of Applied Cryptography states Barrett reduction potentially requires two subtractions at the end, not just the one performed in the code.
The RSA implementation in os/rsa.c uses the Chinese Remainder Theorem without blinding to efficiently decrypt. This introduces a timing attack, slightly different from the published one, where the variance of the runtime as a function of the argument to the reduction leaks the private components of the key. The standard countermeasure is blinding.
Handbook of Applied Cryptography states Barrett reduction potentially requires two subtractions at the end, not just the one performed in the code.