Security
   * Improve padding calculations in CBC decryption, NIST key unwrapping and
     RSA OAEP decryption. With the previous implementation, some compilers
     (notably recent versions of Clang) could produce non-constant time code,
     which could allow a padding oracle attack if the attacker has access to
     precise timing measurements.