Clarify BN_mod_exp docs

Specifically this is not supported with an even modulus and BN_FLG_CONSTTIME. Fixes #5082 Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6138) (cherry picked from commit 966b3df182b9c8644c154f1c3e686027d37acb05)
author: Matt Caswell <matt@openssl.org> 2018-04-30 15:05:45 +0100
committer: Matt Caswell <matt@openssl.org> 2018-05-01 14:26:10 +0100
commit: a96022b3c4d159d1b14f54bd6811fd97a52df636 (patch)
tree: a51053101ea3568f63e1eef342ba488f245e5cd8 /doc
parent: b9f0d1832ce9224d437d5c0b537b4e4004adafb7 (diff)
1 files changed, 3 insertions, 1 deletions
diff --git a/doc/crypto/BN_add.pod b/doc/crypto/BN_add.pod
index 88c7a799ee..02e5486416 100644
--- a/doc/crypto/BN_add.pod
+++ b/doc/crypto/BN_add.pod
@@ -91,7 +91,9 @@ BN_exp() raises I<a> to the I<p>-th power and places the result in I<r>
 BN_mul().
 
 BN_mod_exp() computes I<a> to the I<p>-th power modulo I<m> (C<r=a^p %
-m>). This function uses less time and space than BN_exp().
+m>). This function uses less time and space than BN_exp(). Do not call this
+function when B<m> is even and any of the parameters have the
+B<BN_FLG_CONSTTIME> flag set.
 
 BN_gcd() computes the greatest common divisor of I<a> and I<b> and
 places the result in I<r>. I<r> may be the same B<BIGNUM> as I<a> or
author	Matt Caswell <matt@openssl.org>	2018-04-30 15:05:45 +0100
committer	Matt Caswell <matt@openssl.org>	2018-05-01 14:26:10 +0100
commit	a96022b3c4d159d1b14f54bd6811fd97a52df636 (patch)
tree	a51053101ea3568f63e1eef342ba488f245e5cd8 /doc
parent	b9f0d1832ce9224d437d5c0b537b4e4004adafb7 (diff)