Security
   * Improve padding calculations in CBC decryption, NIST key unwrapping and
     RSA OAEP decryption. With the previous implementation, some compilers
     (notably recent versions of Clang) could produce non-constant time code,
     which could allow a padding oracle attack if the attacker has access to
     precise timing measurements.
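
An added example, not code from the library this changelog belongs to: a PKCS#7 CBC padding check written with early exits, beside a mask-based version that reads every byte and hides intermediate values from the optimizer. The function names, the `ct_barrier` helper and the 16-byte sample block are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Value barrier (assumed helper): hides x from the optimizer so masks stay masks. */
static uint32_t ct_barrier(uint32_t x) { volatile uint32_t v = x; return v; }

/* All-ones if a < b, else 0. Valid for a, b < 2^31. */
static uint32_t ct_lt_mask(uint32_t a, uint32_t b)
{
    return 0u - ((ct_barrier(a) - ct_barrier(b)) >> 31);
}

/* Leaky form, for contrast: every early return depends on secret plaintext. */
int pkcs7_unpad_leaky(const uint8_t *buf, size_t len, size_t *data_len)
{
    if (len == 0 || len > 255) return -1;      /* len is public */
    uint8_t pad = buf[len - 1];
    if (pad == 0 || pad > len) return -1;
    for (size_t i = len - pad; i < len; i++)
        if (buf[i] != pad) return -1;
    *data_len = len - pad;
    return 0;
}

/* Constant-flow form: every byte is read, failures accumulate in `bad`. */
int pkcs7_unpad_ct(const uint8_t *buf, size_t len, size_t *data_len)
{
    if (len == 0 || len > 255) return -1;      /* len is public */
    uint32_t n = (uint32_t) len, pad = buf[len - 1];
    uint32_t bad = ct_lt_mask(n, pad) | ct_lt_mask(pad, 1); /* pad > n, pad == 0 */
    uint32_t start = (n - pad) & ~bad;         /* 0 when the length is invalid */
    for (uint32_t i = 0; i < n; i++)           /* compare only where i >= start */
        bad |= ~ct_lt_mask(i, start) & (uint32_t) (buf[i] ^ pad);
    uint32_t fail = (bad | (0u - bad)) >> 31;  /* 1 if any bit of bad is set */
    *data_len = (n - pad) & (fail - 1u);       /* forced to 0 on failure */
    return -(int) fail;
}

/* Constructed sample: 16-byte block padded with `pad`; flip >= 0 corrupts that byte. */
long unpad_sample(int use_ct, uint8_t pad, int flip)
{
    uint8_t blk[16]; size_t out = 0;
    memset(blk, 0x41, sizeof blk);
    for (int i = 0; i < pad && i < 16; i++) blk[15 - i] = pad;
    blk[15] = pad; if (flip >= 0) blk[flip] ^= 0x01;
    int rc = use_ct ? pkcs7_unpad_ct(blk, 16, &out) : pkcs7_unpad_leaky(blk, 16, &out);
    return rc == 0 ? (long) out : -1;
}
```

A volatile barrier lowers the chance that the compiler reintroduces a branch but does not guarantee it, so inspect the generated assembly for each compiler and optimization level you build with.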