From 8ef887a4dbce66cf975e69b9ab3f8f214be85cac Mon Sep 17 00:00:00 2001
From: schwarze <>
Date: Sat, 12 Aug 2017 14:09:34 +0000
Subject: Import the SSL_CTX_set1_groups(3) manual page from OpenSSL, deleting the read accessors we don't have and fixing the prototypes - the data type of each and every argument differs in the OpenSSL manuals. Reference the new page from SSL_set_tmp_ecdh(3) as suggested by jsing@.
---
 src/lib/libssl/man/Makefile | 3 +-
 src/lib/libssl/man/SSL_CTX_set1_groups.3 | 161 +++++++++++++++++++++++++++
 src/lib/libssl/man/SSL_CTX_set_cipher_list.3 | 5 +-
 src/lib/libssl/man/SSL_set_tmp_ecdh.3 | 7 +-
 src/lib/libssl/man/ssl.3 | 3 +-
 5 files changed, 173 insertions(+), 6 deletions(-)
 create mode 100644 src/lib/libssl/man/SSL_CTX_set1_groups.3
diff --git a/src/lib/libssl/man/Makefile b/src/lib/libssl/man/Makefile
index 3a704dd5ff..2fcc90eab9 100644
--- a/src/lib/libssl/man/Makefile
+++ b/src/lib/libssl/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.56 2017/08/12 12:31:30 schwarze Exp $
+# $OpenBSD: Makefile,v 1.57 2017/08/12 14:09:34 schwarze Exp $
 .include
@@ -45,6 +45,7 @@ MAN = BIO_f_ssl.3 \
 SSL_CTX_set_tmp_dh_callback.3 \
 SSL_CTX_set_tmp_rsa_callback.3 \
 SSL_CTX_set_verify.3 \
+ SSL_CTX_set1_groups.3 \
 SSL_CTX_use_certificate.3 \
 SSL_SESSION_free.3 \
 SSL_SESSION_get_compress_id.3 \
diff --git a/src/lib/libssl/man/SSL_CTX_set1_groups.3 b/src/lib/libssl/man/SSL_CTX_set1_groups.3
new file mode 100644
index 0000000000..e4ac450354
--- /dev/null
+++ b/src/lib/libssl/man/SSL_CTX_set1_groups.3
@@ -0,0 +1,161 @@
+.\" $OpenBSD: SSL_CTX_set1_groups.3,v 1.1 2017/08/12 14:09:34 schwarze Exp $
+.\" OpenSSL SSL_CTX_set1_curves.pod de4d764e Nov 9 14:51:06 2016 +0000
+.\"
+.\" This file was written by Dr. Stephen Henson .
+.\" Copyright (c) 2013, 2014, 2016 The OpenSSL Project. All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in
+.\" the documentation and/or other materials provided with the
+.\" distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\" software must display the following acknowledgment:
+.\" "This product includes software developed by the OpenSSL Project
+.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\" endorse or promote products derived from this software without
+.\" prior written permission. For written permission, please contact
+.\" openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\" nor may "OpenSSL" appear in their names without prior written
+.\" permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\" acknowledgment:
+.\" "This product includes software developed by the OpenSSL Project
+.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: August 12 2017 $
+.Dt SSL_CTX_SET1_GROUPS 3
+.Os
+.Sh NAME
+.Nm SSL_CTX_set1_groups ,
+.Nm SSL_CTX_set1_groups_list ,
+.Nm SSL_set1_groups ,
+.Nm SSL_set1_groups_list ,
+.Nm SSL_CTX_set1_curves ,
+.Nm SSL_CTX_set1_curves_list ,
+.Nm SSL_set1_curves ,
+.Nm SSL_set1_curves_list
+.Nd choose supported EC groups
+.Sh SYNOPSIS
+.In openssl/ssl.h
+.Ft int
+.Fo SSL_CTX_set1_groups
+.Fa "SSL_CTX *ctx"
+.Fa "const int *glist"
+.Fa "size_t glistlen"
+.Fc
+.Ft int
+.Fo SSL_CTX_set1_groups_list
+.Fa "SSL_CTX *ctx"
+.Fa "const char *list"
+.Fc
+.Ft int
+.Fo SSL_set1_groups
+.Fa "SSL *ssl"
+.Fa "const int *glist"
+.Fa "size_t glistlen"
+.Fc
+.Ft int
+.Fo SSL_set1_groups_list
+.Fa "SSL *ssl"
+.Fa "const char *list"
+.Fc
+.Ft int
+.Fo SSL_CTX_set1_curves
+.Fa "SSL_CTX *ctx"
+.Fa "const int *clist"
+.Fa "size_t clistlen"
+.Fc
+.Ft int
+.Fo SSL_CTX_set1_curves_list
+.Fa "SSL_CTX *ctx"
+.Fa "const char *list"
+.Fc
+.Ft int
+.Fo SSL_set1_curves
+.Fa "SSL *ssl"
+.Fa "const int *clist"
+.Fa "size_t clistlen"
+.Fc
+.Ft int
+.Fo SSL_set1_curves_list
+.Fa "SSL *ssl"
+.Fa "const char *list"
+.Fc
+.Sh DESCRIPTION
+.Fn SSL_CTX_set1_groups
+sets the supported groups for
+.Fa ctx
+to the
+.Fa glistlen
+groups in the array
+.Fa glist .
+The array consist of group NIDs in preference order.
+For a TLS client, the groups are used directly in the supported groups
+extension.
+For a TLS server, the groups are used to determine the set of shared
+groups.
+.Pp
+.Fn SSL_CTX_set1_groups_list
+sets the supported groups for
+.Fa ctx
+to the
+.Fa list
+represented as a colon separated list of group NIDs or names, for example
+"P-521:P-384:P-256".
+.Pp
+.Fn SSL_set1_groups
+and
+.Fn SSL_set1_groups_list
+are similar except that they set supported groups for the SSL structure
+.Fa ssl
+only.
+.Pp
+The curve functions are deprecated synonyms for the equivalently
+named group functions and are identical in every respect except
+that they are implemented as macros.
+They exist because prior to TLS1.3, there was only the concept of
+supported curves.
+In TLS1.3, this was renamed to supported groups and extended to include
+Diffie Hellman groups.
+.Pp
+If an application wishes to make use of several of these functions for
+configuration purposes either on a command line or in a file, it should
+consider using the SSL_CONF interface instead of manually parsing
+options.
+.Sh RETURN VALUES
+All these functions return 1 for success or 0 for failure.
+.Sh SEE ALSO
+.Xr ssl 3 ,
+.Xr SSL_CTX_add_extra_chain_cert 3 ,
+.Xr SSL_CTX_set_cipher_list 3 ,
+.Xr SSL_CTX_set_options 3 ,
+.Xr SSL_new 3
+.Sh HISTORY
+The curve functions first appeared in OpenSSL 1.0.2
+and the group functions in OpenSSL 1.1.1.
diff --git a/src/lib/libssl/man/SSL_CTX_set_cipher_list.3 b/src/lib/libssl/man/SSL_CTX_set_cipher_list.3
index 1f12fa3296..779f97913c 100644
--- a/src/lib/libssl/man/SSL_CTX_set_cipher_list.3
+++ b/src/lib/libssl/man/SSL_CTX_set_cipher_list.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_CTX_set_cipher_list.3,v 1.2 2016/11/30 17:25:20 schwarze Exp $
+.\" $OpenBSD: SSL_CTX_set_cipher_list.3,v 1.3 2017/08/12 14:09:34 schwarze Exp $
 .\" OpenSSL b97fdb57 Nov 11 09:33:09 2016 +0100
 .\"
 .\" This file was written by Lutz Jaenicke .
@@ -48,7 +48,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 30 2016 $
+.Dd $Mdocdate: August 12 2017 $
 .Dt SSL_CTX_SET_CIPHER_LIST 3
 .Os
 .Sh NAME
@@ -119,5 +119,6 @@ return 1 if any cipher could be selected and 0 on complete failure.
 .Sh SEE ALSO
 .Xr ssl 3 ,
 .Xr SSL_CTX_set_tmp_dh_callback 3 ,
+.Xr SSL_CTX_set1_groups 3 ,
 .Xr SSL_CTX_use_certificate 3 ,
 .Xr SSL_get_ciphers 3
diff --git a/src/lib/libssl/man/SSL_set_tmp_ecdh.3 b/src/lib/libssl/man/SSL_set_tmp_ecdh.3
index 34e59172d1..0960609012 100644
--- a/src/lib/libssl/man/SSL_set_tmp_ecdh.3
+++ b/src/lib/libssl/man/SSL_set_tmp_ecdh.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: SSL_set_tmp_ecdh.3,v 1.1 2017/08/12 12:31:30 schwarze Exp $
+.\" $OpenBSD: SSL_set_tmp_ecdh.3,v 1.2 2017/08/12 14:09:34 schwarze Exp $
 .\"
 .\" Copyright (c) 2017 Ingo Schwarze
 .\"
@@ -68,7 +68,9 @@ is that the curve of the given
 .Fa ecdh
 key becomes the only curve enabled for the
 .Fa ssl
-connection.
+connection, so it is equivalent to calling
+.Xr SSL_set1_groups_list 3
+with the same single curve name.
 .Pp
 .Fn SSL_CTX_set_tmp_ecdh
 has the same effect on all connections that will be created from
@@ -99,4 +101,5 @@ always return 1.
 .Xr SSL_CTX_set_cipher_list 3 ,
 .Xr SSL_CTX_set_options 3 ,
 .Xr SSL_CTX_set_tmp_dh_callback 3 ,
+.Xr SSL_CTX_set1_groups 3 ,
 .Xr SSL_new 3
diff --git a/src/lib/libssl/man/ssl.3 b/src/lib/libssl/man/ssl.3
index c01bddd0df..031df50190 100644
--- a/src/lib/libssl/man/ssl.3
+++ b/src/lib/libssl/man/ssl.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssl.3,v 1.8 2017/08/12 12:31:30 schwarze Exp $
+.\" $OpenBSD: ssl.3,v 1.9 2017/08/12 14:09:34 schwarze Exp $
 .\" OpenSSL e330f55d Nov 11 00:51:04 2016 +0100
 .\"
 .\" This file was written by Ralf S. Engelschall ,
@@ -221,6 +221,7 @@ Configuration functions:
 .Xr SSL_CTX_set_tmp_dh_callback 3 ,
 .Xr SSL_CTX_set_tmp_rsa_callback 3 ,
 .Xr SSL_CTX_set_verify 3 ,
+.Xr SSL_CTX_set1_groups 3 ,
 .Xr SSL_CTX_use_certificate 3 ,
 .Xr SSL_set_tmp_ecdh 3 ,
 .Xr SSL_set1_param 3
--
cgit v1.2.3-55-g6feb