xref: /freebsd/secure/lib/libcrypto/man/man3/SSL_CTX_set1_curves.3 (revision 7893419d492c40ca82b68fca3dcc0f5f7047d39b)
Automatically generated by Pod::Man 4.14 (Pod::Simple 3.42)

Standard preamble:
========================================================================
..
..
.. Set up some character translations and predefined strings. \*(-- will
give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
double quote, and \*(R" will give a right double quote. \*(C+ will
give a nicer C++. Capital omega is used to do unbreakable dashes and
therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
nothing in troff, for use with C<>.
.tr \(*W- . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\}
Escape single quotes in literal strings from groff's Unicode transform.

If the F register is >0, we'll generate index entries on stderr for
titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
entries marked with X<> in POD. Of course, you'll have to process the
output yourself in some meaningful fashion.

Avoid warning from groff about undefined register 'F'.
.. .nr rF 0 . if \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{\ . nr % 0 . nr F 2 . \} . \} .\} .rr rF Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] .\} . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents . \" corrections for vroff . \" for low resolution devices (crt and lpr) \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} ========================================================================

Title "SSL_CTX_SET1_CURVES 3ossl"
SSL_CTX_SET1_CURVES 3ossl "2023-09-19" "3.0.11" "OpenSSL"
For nroff, turn off justification. Always turn off hyphenation; it makes
way too many mistakes in technical documents.
"NAME"
SSL_CTX_set1_groups, SSL_CTX_set1_groups_list, SSL_set1_groups, SSL_set1_groups_list, SSL_get1_groups, SSL_get_shared_group, SSL_get_negotiated_group, SSL_CTX_set1_curves, SSL_CTX_set1_curves_list, SSL_set1_curves, SSL_set1_curves_list, SSL_get1_curves, SSL_get_shared_curve \- EC supported curve functions
"SYNOPSIS"
Header "SYNOPSIS" .Vb 1 #include <openssl/ssl.h> \& int SSL_CTX_set1_groups(SSL_CTX *ctx, int *glist, int glistlen); int SSL_CTX_set1_groups_list(SSL_CTX *ctx, char *list); \& int SSL_set1_groups(SSL *ssl, int *glist, int glistlen); int SSL_set1_groups_list(SSL *ssl, char *list); \& int SSL_get1_groups(SSL *ssl, int *groups); int SSL_get_shared_group(SSL *s, int n); int SSL_get_negotiated_group(SSL *s); \& int SSL_CTX_set1_curves(SSL_CTX *ctx, int *clist, int clistlen); int SSL_CTX_set1_curves_list(SSL_CTX *ctx, char *list); \& int SSL_set1_curves(SSL *ssl, int *clist, int clistlen); int SSL_set1_curves_list(SSL *ssl, char *list); \& int SSL_get1_curves(SSL *ssl, int *curves); int SSL_get_shared_curve(SSL *s, int n); .Ve
"DESCRIPTION"
Header "DESCRIPTION" For all of the functions below that set the supported groups there must be at least one group in the list. A number of these functions identify groups via a unique integer \s-1NID\s0 value. However, support for some groups may be added by external providers. In this case there will be no \s-1NID\s0 assigned for the group. When setting such groups applications should use the \*(L"list\*(R" form of these functions (i.e. SSL_CTX_set1_groups_list() and SSL_set1_groups_list).

\fBSSL_CTX_set1_groups() sets the supported groups for ctx to glistlen groups in the array glist. The array consist of all NIDs of groups in preference order. For a \s-1TLS\s0 client the groups are used directly in the supported groups extension. For a \s-1TLS\s0 server the groups are used to determine the set of shared groups. Currently supported groups for \fBTLSv1.3 are NID_X9_62_prime256v1, NID_secp384r1, NID_secp521r1, \fB\s-1NID_X25519\s0, \s-1NID_X448\s0, NID_ffdhe2048, NID_ffdhe3072, \fBNID_ffdhe4096, NID_ffdhe6144 and NID_ffdhe8192.

\fBSSL_CTX_set1_groups_list() sets the supported groups for ctx to string list. The string is a colon separated list of group NIDs or names, for example \*(L"P-521:P-384:P-256:X25519:ffdhe2048\*(R". Currently supported groups for TLSv1.3 are P-256, P-384, P-521, X25519, X448, \fBffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192. Support for other groups may be added by external providers.

\fBSSL_set1_groups() and SSL_set1_groups_list() are similar except they set supported groups for the \s-1SSL\s0 structure ssl.

\fBSSL_get1_groups() returns the set of supported groups sent by a client in the supported groups extension. It returns the total number of supported groups. The groups parameter can be \s-1NULL\s0 to simply return the number of groups for memory allocation purposes. The \fBgroups array is in the form of a set of group NIDs in preference order. It can return zero if the client did not send a supported groups extension. If a supported group \s-1NID\s0 is unknown then the value is set to the bitwise \s-1OR\s0 of TLSEXT_nid_unknown (0x1000000) and the id of the group.

\fBSSL_get_shared_group() returns the \s-1NID\s0 of the shared group n for a server-side \s-1SSL\s0 ssl. If n is -1 then the total number of shared groups is returned, which may be zero. Other than for diagnostic purposes, most applications will only be interested in the first shared group so n is normally set to zero. If the value n is out of range, NID_undef is returned. If the \s-1NID\s0 for the shared group is unknown then the value is set to the bitwise \s-1OR\s0 of TLSEXT_nid_unknown (0x1000000) and the id of the group.

\fBSSL_get_negotiated_group() returns the \s-1NID\s0 of the negotiated group used for the handshake key exchange process. For TLSv1.3 connections this typically reflects the state of the current connection, though in the case of PSK-only resumption, the returned value will be from a previous connection. For earlier \s-1TLS\s0 versions, when a session has been resumed, it always reflects the group used for key exchange during the initial handshake (otherwise it is from the current, non-resumption, connection). This can be called by either client or server. If the \s-1NID\s0 for the shared group is unknown then the value is set to the bitwise \s-1OR\s0 of TLSEXT_nid_unknown (0x1000000) and the id of the group.

All these functions are implemented as macros.

The curve functions are synonyms for the equivalently named group functions and are identical in every respect. They exist because, prior to \s-1TLS1.3,\s0 there was only the concept of supported curves. In \s-1TLS1.3\s0 this was renamed to supported groups, and extended to include Diffie Hellman groups. The group functions should be used in preference.

"NOTES"
Header "NOTES" If an application wishes to make use of several of these functions for configuration purposes either on a command line or in a file it should consider using the \s-1SSL_CONF\s0 interface instead of manually parsing options.
"RETURN VALUES"
Header "RETURN VALUES" \fBSSL_CTX_set1_groups(), SSL_CTX_set1_groups_list(), SSL_set1_groups() and \fBSSL_set1_groups_list(), return 1 for success and 0 for failure.

\fBSSL_get1_groups() returns the number of groups, which may be zero.

\fBSSL_get_shared_group() returns the \s-1NID\s0 of shared group n or NID_undef if there is no shared group n; or the total number of shared groups if n is -1.

When called on a client ssl, SSL_get_shared_group() has no meaning and returns -1.

\fBSSL_get_negotiated_group() returns the \s-1NID\s0 of the negotiated group used for key exchange, or NID_undef if there was no negotiated group.

"SEE ALSO"
Header "SEE ALSO" \fBssl\|(7), \fBSSL_CTX_add_extra_chain_cert\|(3)
"HISTORY"
Header "HISTORY" The curve functions were added in OpenSSL 1.0.2. The equivalent group functions were added in OpenSSL 1.1.1. The SSL_get_negotiated_group() function was added in OpenSSL 3.0.0.
"COPYRIGHT"
Header "COPYRIGHT" Copyright 2013-2021 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the \*(L"License\*(R"). You may not use this file except in compliance with the License. You can obtain a copy in the file \s-1LICENSE\s0 in the source distribution or at <https://www.openssl.org/source/license.html>.