tls: add CURLOPT_SSL_EC_CURVES and --curves

Closes #5892

7 files changed, 77 insertions, 0 deletions

diff --git a/docs/cmdline-opts/Makefile.inc b/docs/cmdline-opts/Makefile.inc
index aa1acabe0..792cadb3c 100644
--- a/docs/cmdline-opts/Makefile.inc
+++ b/docs/cmdline-opts/Makefile.inc
@@ -41,6 +41,7 @@ DPAGES =					\
   cookie.d					\
   create-dirs.d					\
   crlf.d crlfile.d				\
+  curves.d					\
   data-ascii.d					\
   data-binary.d					\
   data-urlencode.d				\
diff --git a/docs/cmdline-opts/curves.d b/docs/cmdline-opts/curves.d
new file mode 100644
index 000000000..03264c05a
--- /dev/null
+++ b/docs/cmdline-opts/curves.d
@@ -0,0 +1,17 @@
+Long: curves
+Arg: <algorithm list>
+Help: (EC) TLS key exchange algorithm(s) to request
+Protocols: TLS
+Added: 7.73.0
+---
+Tells curl to request specific curves to use during SSL session establishment
+according to RFC 8422, 5.1.  Multiple algorithms can be provided by separating
+them with ":" (e.g.  "X25519:P-521").  The parameter is available identically
+in the "openssl s_client/s_server" utilities.
+
+--curves allows a OpenSSL powered curl to make SSL-connections with exactly
+the (EC) curve requested by the client, avoiding intransparent client/server
+negotiations.
+
+If this option is set, the default curves list built into openssl will be
+ignored.
diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
index a64375e0c..7f6016614 100644
--- a/docs/libcurl/curl_easy_setopt.3
+++ b/docs/libcurl/curl_easy_setopt.3
@@ -532,6 +532,8 @@ Proxy client key type. See \fICURLOPT_PROXY_SSLKEYTYPE(3)\fP
 Client key password. See \fICURLOPT_KEYPASSWD(3)\fP
 .IP CURLOPT_PROXY_KEYPASSWD
 Proxy client key password. See \fICURLOPT_PROXY_KEYPASSWD(3)\fP
+.IP CURLOPT_SSL_EC_CURVES
+Set key exchange curves. See \fICURLOPT_SSL_EC_CURVES(3)\fP
 .IP CURLOPT_SSL_ENABLE_ALPN
 Enable use of ALPN. See \fICURLOPT_SSL_ENABLE_ALPN(3)\fP
 .IP CURLOPT_SSL_ENABLE_NPN
diff --git a/docs/libcurl/opts/CURLOPT_SSL_EC_CURVES.3 b/docs/libcurl/opts/CURLOPT_SSL_EC_CURVES.3
new file mode 100644
index 000000000..f98f0c17a
--- /dev/null
+++ b/docs/libcurl/opts/CURLOPT_SSL_EC_CURVES.3
@@ -0,0 +1,54 @@
+.\" **************************************************************************
+.\" *                                  _   _ ____  _
+.\" *  Project                     ___| | | |  _ \| |
+.\" *                             / __| | | | |_) | |
+.\" *                            | (__| |_| |  _ <| |___
+.\" *                             \___|\___/|_| \_\_____|
+.\" *
+.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" *
+.\" * This software is licensed as described in the file COPYING, which
+.\" * you should have received as part of this distribution. The terms
+.\" * are also available at https://curl.haxx.se/docs/copyright.html.
+.\" *
+.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
+.\" * copies of the Software, and permit persons to whom the Software is
+.\" * furnished to do so, under the terms of the COPYING file.
+.\" *
+.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
+.\" * KIND, either express or implied.
+.\" *
+.\" **************************************************************************
+.\"
+.TH CURLOPT_SSL_EC_CURVES 3 "29 Aug 2020" "libcurl 7.73.0" "curl_easy_setopt options"
+.SH NAME
+CURLOPT_SSL_EC_CURVES \- set key exchange curves
+.SH SYNOPSIS
+#include <curl/curl.h>
+
+CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSL_EC_CURVES, char *alg_list);
+.SH DESCRIPTION
+Pass a string as parameter with a colon delimited list of (EC) algorithms. This
+option defines the client's key exchange algorithms in the SSL handshake (if
+the SSL backend libcurl is built to use supports it).
+.SH DEFAULT
+"", embedded in SSL backend
+.SH PROTOCOLS
+HTTP
+.SH EXAMPLE
+.nf
+CURL *curl = curl_easy_init();
+if(curl) {
+  curl_easy_setopt(curl, CURLOPT_URL, "https://example.com/");
+  curl_easy_setopt(curl, CURLOPT_SSL_EC_CURVES, "X25519:P-521");
+  ret = curl_easy_perform(curl);
+  curl_easy_cleanup(curl);
+}
+.fi
+.SH AVAILABILITY
+Added in 7.73.0. Supported by the OpenSSL backend.
+.SH RETURN VALUE
+Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not.
+.SH "SEE ALSO"
+.BR CURLOPT_SSL_OPTIONS "(3), " CURLOPT_SSL_CIPHER_LIST "(3), "
+.BR CURLOPT_TLS13_CIPHERS "(3), "
diff --git a/docs/libcurl/opts/Makefile.inc b/docs/libcurl/opts/Makefile.inc
index ebf234002..fe4177579 100644
--- a/docs/libcurl/opts/Makefile.inc
+++ b/docs/libcurl/opts/Makefile.inc
@@ -331,6 +331,7 @@ man_MANS =                                      \
   CURLOPT_SSL_CIPHER_LIST.3                     \
   CURLOPT_SSL_CTX_DATA.3                        \
   CURLOPT_SSL_CTX_FUNCTION.3                    \
+  CURLOPT_SSL_EC_CURVES.3			\
   CURLOPT_SSL_ENABLE_ALPN.3                     \
   CURLOPT_SSL_ENABLE_NPN.3                      \
   CURLOPT_SSL_FALSESTART.3                      \
diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
index 82a8e8b3d..74b955093 100644
--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
@@ -616,6 +616,7 @@ CURLOPT_SSLVERSION              7.1
 CURLOPT_SSL_CIPHER_LIST         7.9
 CURLOPT_SSL_CTX_DATA            7.10.6
 CURLOPT_SSL_CTX_FUNCTION        7.10.6
+CURLOPT_SSL_EC_CURVES           7.73.0
 CURLOPT_SSL_ENABLE_ALPN         7.36.0
 CURLOPT_SSL_ENABLE_NPN          7.36.0
 CURLOPT_SSL_FALSESTART          7.42.0
diff --git a/docs/options-in-versions b/docs/options-in-versions
index ba070a47f..683363239 100644
--- a/docs/options-in-versions
+++ b/docs/options-in-versions
@@ -32,6 +32,7 @@
 --create-dirs                        7.10.3
 --crlf                               5.7
 --crlfile                            7.19.7
+--curves                             7.73.0
 --data (-d)                          4.0
 --data-ascii                         7.2
 --data-binary                        7.2