by tptacek
957 days ago
IIUC, the original 2001 countermeasure for this is embedded in the modexp routine, and both OpenSSL (in rsa_ossl.c) and LibreSSL libcrypto (in rsa_eay.c) have substantially the same logic. Look for the comment:

    /*
     * 'I' and 'vrfy' aren't congruent mod n. Don't leak
     * miscalculated CRT output, just do a raw (slower)
     * mod_exp and return that instead.
     */
(I expect that LibreSSL removed the plugin framework, but I haven't checked.)
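
The check that code comment describes, as an added toy-sized example (not OpenSSL or LibreSSL code, and not part of the original comment): the CRT result is re-raised to the public exponent and compared with the input, and on a mismatch the function falls back to a plain modexp. The key values, the function names `crt_raw` and `rsa_private`, and the `fault` parameter that simulates a miscalculation are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed textbook-sized key, for illustration only. */
static const uint64_t P = 61, Q = 53, N = 3233, E = 17, D = 2753;
/* CRT parameters: d mod (p-1), d mod (q-1), q^-1 mod p. */
static const uint64_t DP = 53, DQ = 49, QINV = 38;

static uint64_t modexp(uint64_t b, uint64_t e, uint64_t m) {
    uint64_t r = 1;
    for (b %= m; e; e >>= 1) {
        if (e & 1) r = r * b % m;
        b = b * b % m;
    }
    return r;
}

/* CRT private-key operation. A nonzero `fault` is XORed into the
 * mod-p half to stand in for a miscalculated intermediate value. */
static uint64_t crt_raw(uint64_t in, uint64_t fault) {
    uint64_t m1 = (modexp(in, DP, P) ^ fault) % P;
    uint64_t m2 = modexp(in, DQ, Q);
    uint64_t h = QINV * ((m1 + P - m2 % P) % P) % P;
    return m2 + h * Q;                      /* Garner recombination */
}

/* Verify the CRT output: vrfy = r^e mod n must equal the input I.
 * If it does not, discard r and return a raw (slower) modexp. */
static uint64_t rsa_private(uint64_t in, uint64_t fault, int *fell_back) {
    uint64_t r = crt_raw(in, fault);
    uint64_t vrfy = modexp(r, E, N);
    *fell_back = (vrfy != in % N);
    if (*fell_back)
        r = modexp(in, D, N);               /* never release the bad r */
    return r;
}

int main(void) {
    int fb;
    uint64_t in = modexp(65, E, N);         /* constructed input */
    uint64_t ok = rsa_private(in, 0, &fb);
    printf("clean:   %llu fallback=%d\n", (unsigned long long)ok, fb);
    uint64_t fixed = rsa_private(in, 1, &fb);
    printf("faulted: %llu fallback=%d\n", (unsigned long long)fixed, fb);
    return 0;
}
```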