From d788ccda2c8711942c2f253b50535880b283724a Mon Sep 17 00:00:00 2001
From: Matt Caswell <matt@openssl.org>
Date: Mon, 30 Apr 2018 15:05:45 +0100
Subject: [PATCH] Clarify BN_mod_exp docs

Specifically this is not supported with an even modulus and
BN_FLG_CONSTTIME.

Fixes #5082
---
 doc/man3/BN_add.pod | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/doc/man3/BN_add.pod b/doc/man3/BN_add.pod
index 98f2970a97677..3e193819a0e83 100644
--- a/doc/man3/BN_add.pod
+++ b/doc/man3/BN_add.pod
@@ -92,7 +92,9 @@ BN_exp() raises I<a> to the I<p>-th power and places the result in I<r>
 BN_mul().
 
 BN_mod_exp() computes I<a> to the I<p>-th power modulo I<m> (C<r=a^p %
-m>). This function uses less time and space than BN_exp().
+m>). This function uses less time and space than BN_exp(). Note that calling
+this function with an even modulus and when any of B<a>, B<p> or B<m> have the
+BN_FLG_CONSTTIME flag set is not supported.
 
 BN_gcd() computes the greatest common divisor of I<a> and I<b> and
 places the result in I<r>. I<r> may be the same B<BIGNUM> as I<a> or