Document that BN_bn2bin is not constant-time.

Change-Id: Id503850f92cc792229ed7558371e5038399c98d7
Commit-Queue: David Benjamin <>
CQ-Verified: CQ bot account: <>
Reviewed-by: Steven Valdez <>
diff --git a/include/openssl/bn.h b/include/openssl/bn.h
index 9fd2509..14ea79e 100644
--- a/include/openssl/bn.h
+++ b/include/openssl/bn.h
@@ -237,7 +237,8 @@
 // BN_bn2bin serialises the absolute value of |in| to |out| as a big-endian
 // integer, which must have |BN_num_bytes| of space available. It returns the
-// number of bytes written.
+// number of bytes written. Note this function leaks the magnitude of |in|. If
+// |in| is secret, use |BN_bn2bin_padded| instead.
 OPENSSL_EXPORT size_t BN_bn2bin(const BIGNUM *in, uint8_t *out);
 // BN_le2bn sets |*ret| to the value of |len| bytes from |in|, interpreted as
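Review bot: The new sentence in the BN_bn2bin comment says the function "leaks the magnitude of |in|" without saying through which channel, and the commit subject's wording ("not constant-time") never appears in the header itself. The surrounding text already ties the output size to |BN_num_bytes| and returns the number of bytes written, so consider making that explicit, for example "Note this function is not constant-time: the number of bytes written depends on the magnitude of |in|." It would also help to state that a caller who sizes |out| with |BN_num_bytes| on a secret |in| has the same length dependence, so that replacing only the serialisation call with |BN_bn2bin_padded| is not read as sufficient.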