Add SSL_CTX_set_tmp_ecdh.pod

Signed-off-by: Antoine Salon <asalon@vmware.com>

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7522)

doc/man3/SSL_CTX_set_tmp_ecdh.pod

@@ -0,0 +1,48 @@
+=pod
+
+=head1 NAME
+
+SSL_CTX_set_tmp_ecdh, SSL_set_tmp_ecdh, SSL_CTX_set_ecdh_auto, SSL_set_ecdh_auto
+- handle ECDH keys for ephemeral key exchange
+
+=head1 SYNOPSIS
+
+#include <openssl/ssl.h>
+
+long SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, const EC_KEY *ecdh);
+long SSL_set_tmp_ecdh(SSL *ssl, const EC_KEY *ecdh);
+
+long SSL_CTX_set_ecdh_auto(SSL_CTX *ctx, int state);
+long SSL_set_ecdh_auto(SSL *ssl, int state);
+
+=head1 DESCRIPTION
+
+SSL_CTX_set_tmp_ecdh() sets ECDH parameters to be used to be B<ecdh>.
+The key is inherited by all B<ssl> objects created from B<ctx>.
+
+SSL_set_tmp_ecdh() sets the parameters only for B<ssl>.
+
+SSL_CTX_set_ecdh_auto() and SSL_set_ecdh_auto() are deprecated and
+have no effect.
+
+=head1 RETURN VALUES
+
+SSL_CTX_set_tmp_ecdh() and SSL_set_tmp_ecdh() return 1 on success and 0
+on failure.
+
+=head1 SEE ALSO
+
+L<ssl(7)>, L<SSL_CTX_set1_curves(3)>, L<SSL_CTX_set_cipher_list(3)>,
+L<SSL_CTX_set_options(3)>, L<SSL_CTX_set_tmp_dh_callback(3)>,
+L<ciphers(1)>, L<ecparam(1)>
+
+=head1 COPYRIGHT
+
+Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the OpenSSL license (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut

doc/man7/ssl.pod

@@ -383,6 +383,8 @@ Use the file path to locate trusted CA certificates.
 
 =item long B<SSL_CTX_set_tmp_dh_callback>(SSL_CTX *ctx, DH *(*cb)(void));
 
+=item long B<SSL_CTX_set_tmp_ecdh>(SSL_CTX* ctx, const EC_KEY *ecdh);
+
 =item void B<SSL_CTX_set_verify>(SSL_CTX *ctx, int mode, int (*cb);(void))
 
 =item int B<SSL_CTX_use_PrivateKey>(SSL_CTX *ctx, EVP_PKEY *pkey);
@@ -678,6 +680,12 @@ fresh handle for each connection.
 
 =item void B<SSL_set_timeout>(SSL *ssl, long t);
 
+=item long B<SSL_set_tmp_dh>(SSL *ssl, DH *dh);
+
+=item long B<SSL_set_tmp_dh_callback>(SSL *ssl, DH *(*cb)(void));
+
+=item long B<SSL_set_tmp_ecdh>(SSL *ssl, const EC_KEY *ecdh);
+
 =item void B<SSL_set_verify>(SSL *ssl, int mode, int (*callback);(void))
 
 =item void B<SSL_set_verify_result>(SSL *ssl, long arg);
@@ -785,6 +793,7 @@ L<SSL_CTX_set_session_id_context(3)>,
 L<SSL_CTX_set_ssl_version(3)>,
 L<SSL_CTX_set_timeout(3)>,
 L<SSL_CTX_set_tmp_dh_callback(3)>,
+L<SSL_CTX_set_tmp_ecdh(3)>,
 L<SSL_CTX_set_verify(3)>,
 L<SSL_CTX_use_certificate(3)>,
 L<SSL_alert_type_string(3)>,

ssl/s3_lib.c

@@ -3414,7 +3414,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
             EVP_PKEY *pkdh = NULL;
             if (dh == NULL) {
                 SSLerr(SSL_F_SSL3_CTRL, ERR_R_PASSED_NULL_PARAMETER);
-                return ret;
+                return 0;
             }
             pkdh = ssl_dh_to_pkey(dh);
             if (pkdh == NULL) {
@@ -3425,11 +3425,11 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
                               EVP_PKEY_security_bits(pkdh), 0, pkdh)) {
                 SSLerr(SSL_F_SSL3_CTRL, SSL_R_DH_KEY_TOO_SMALL);
                 EVP_PKEY_free(pkdh);
-                return ret;
+                return 0;
             }
             EVP_PKEY_free(s->cert->dh_tmp);
             s->cert->dh_tmp = pkdh;
-            ret = 1;
+            return 1;
         }
         break;
     case SSL_CTRL_SET_TMP_DH_CB:
@@ -3781,7 +3781,7 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
                                   EVP_PKEY_security_bits(pkdh), 0, pkdh)) {
                 SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_DH_KEY_TOO_SMALL);
                 EVP_PKEY_free(pkdh);
-                return 1;
+                return 0;
             }
             EVP_PKEY_free(ctx->cert->dh_tmp);
             ctx->cert->dh_tmp = pkdh;

util/private.num

@@ -365,6 +365,7 @@ SSL_CTX_set1_sigalgs                    define
 SSL_CTX_set1_sigalgs_list               define
 SSL_CTX_set1_verify_cert_store          define
 SSL_CTX_set_current_cert                define
+SSL_CTX_set_ecdh_auto                   define
 SSL_CTX_set_max_cert_list               define
 SSL_CTX_set_max_pipelines               define
 SSL_CTX_set_max_proto_version           define
@@ -382,6 +383,7 @@ SSL_CTX_set_tlsext_status_cb            define
 SSL_CTX_set_tlsext_status_type          define
 SSL_CTX_set_tlsext_ticket_key_cb        define
 SSL_CTX_set_tmp_dh                      define
+SSL_CTX_set_tmp_ecdh                    define
 SSL_add0_chain_cert                     define
 SSL_add1_chain_cert                     define
 SSL_build_cert_chain                    define
@@ -433,6 +435,7 @@ SSL_set1_sigalgs                        define
 SSL_set1_sigalgs_list                   define
 SSL_set1_verify_cert_store              define
 SSL_set_current_cert                    define
+SSL_set_ecdh_auto                       define
 SSL_set_max_cert_list                   define
 SSL_set_max_pipelines                   define
 SSL_set_max_proto_version               define
@@ -448,6 +451,7 @@ SSL_set_tlsext_host_name                define
 SSL_set_tlsext_status_ocsp_resp         define
 SSL_set_tlsext_status_type              define
 SSL_set_tmp_dh                          define
+SSL_set_tmp_ecdh                        define
 SSL_want_async                          define
 SSL_want_async_job                      define
 SSL_want_client_hello_cb                define