diff --git a/src/common/crypto.c b/src/common/crypto.c
index ebbb5b28c2..c6f5b55205 100644
--- a/src/common/crypto.c
+++ b/src/common/crypto.c
@@ -534,11 +534,13 @@ int crypto_pk_private_sign_digest(crypto_pk_env_t *env, const unsigned char *fro
  *   The beginning of the source data prefixed with a 16-symmetric key,
  *   padded and encrypted with the public key; followed by the rest of
  *   the source data encrypted in AES-CTR mode with the symmetric key.
+ *
+ * DOCDOC force.
  */
 int crypto_pk_public_hybrid_encrypt(crypto_pk_env_t *env,
                                     const unsigned char *from,
                                     int fromlen, unsigned char *to,
-                                    int padding)
+                                    int padding, int force)
 {
   int overhead, pkeylen, outlen, r, symlen;
   crypto_cipher_env_t *cipher = NULL;
@@ -552,7 +554,7 @@ int crypto_pk_public_hybrid_encrypt(crypto_pk_env_t *env,
   if (padding == PK_NO_PADDING && fromlen < pkeylen)
     return -1;
 
-  if (fromlen+overhead <= pkeylen) {
+  if (!force && fromlen+overhead <= pkeylen) {
     /* It all fits in a single encrypt. */
     return crypto_pk_public_encrypt(env,from,fromlen,to,padding);
   }
diff --git a/src/common/crypto.h b/src/common/crypto.h
index 94a18abf2e..d9da82a05f 100644
--- a/src/common/crypto.h
+++ b/src/common/crypto.h
@@ -64,7 +64,7 @@ int crypto_pk_public_checksig(crypto_pk_env_t *env, const unsigned char *from, i
 int crypto_pk_public_checksig_digest(crypto_pk_env_t *env, const unsigned char *data, int datalen, const unsigned char *sig, int siglen);
 int crypto_pk_public_hybrid_encrypt(crypto_pk_env_t *env,
                                     const unsigned char *from, int fromlen,
-                                    unsigned char *to, int padding);
+                                    unsigned char *to, int padding, int force);
 int crypto_pk_private_hybrid_decrypt(crypto_pk_env_t *env,
                                      const unsigned char *from, int fromlen,
                                      unsigned char *to,int padding);
diff --git a/src/or/onion.c b/src/or/onion.c
index 6ff58ee375..0185a47555 100644
--- a/src/or/onion.c
+++ b/src/or/onion.c
@@ -585,7 +585,7 @@ onion_skin_create(crypto_pk_env_t *dest_router_key,
   /* set meeting point, meeting cookie, etc here. Leave zero for now. */
   if (crypto_pk_public_hybrid_encrypt(dest_router_key, challenge,
                                       ONIONSKIN_CHALLENGE_LEN-CIPHER_KEY_LEN,
-                                      onion_skin_out, PK_NO_PADDING)<0)
+                                      onion_skin_out, PK_NO_PADDING, 1)<0)
     goto err;
 
   tor_free(challenge);
diff --git a/src/or/rendclient.c b/src/or/rendclient.c
index ec50465791..470f30d77e 100644
--- a/src/or/rendclient.c
+++ b/src/or/rendclient.c
@@ -100,7 +100,7 @@ rend_client_send_introduction(circuit_t *introcirc, circuit_t *rendcirc) {
   r = crypto_pk_public_hybrid_encrypt(parsed->pk, tmp,
                            MAX_NICKNAME_LEN+1+REND_COOKIE_LEN+DH_KEY_LEN,
                                       payload+DIGEST_LEN,
-                                      PK_PKCS1_OAEP_PADDING);
+                                      PK_PKCS1_OAEP_PADDING, 0);
   if (r<0) {
     log_fn(LOG_WARN,"hybrid pk encrypt failed.");
     goto err;
diff --git a/src/or/test.c b/src/or/test.c
index eb04532774..276636670f 100644
--- a/src/or/test.c
+++ b/src/or/test.c
@@ -418,7 +418,7 @@ test_crypto()
         continue;
       p = (i==0)?PK_NO_PADDING:
         (i==1)?PK_PKCS1_PADDING:PK_PKCS1_OAEP_PADDING;
-      len = crypto_pk_public_hybrid_encrypt(pk1,data1,j,data2,p);
+      len = crypto_pk_public_hybrid_encrypt(pk1,data1,j,data2,p,0);
       test_assert(len>=0);
       len = crypto_pk_private_hybrid_decrypt(pk1,data2,len,data3,p);
       test_eq(len,j);