8 files changed, 65 insertions, 34 deletions
diff --git a/doc/ssl/SSL_CONF_cmd.pod b/doc/ssl/SSL_CONF_cmd.pod
index 9feaa28103..a74117df0d 100644
--- a/doc/ssl/SSL_CONF_cmd.pod
+++ b/doc/ssl/SSL_CONF_cmd.pod
@@ -318,8 +318,9 @@ sure to also leave TLS 1.1 enabled.
 =item B<Options>
 
 The B<value> argument is a comma separated list of various flags to set.
-If a flag string is preceded B<-> it is disabled. See the
-B<SSL_CTX_set_options> function for more details of individual options.
+If a flag string is preceded B<-> it is disabled.
+See the L<SSL_CTX_set_options(3)> function for more details of
+individual options.
 
 Each option is listed below. Where an operation is enabled by default
 the B<-flag> syntax is needed to disable it.
@@ -527,7 +528,8 @@ L<SSL_CONF_CTX_new(3)>,
 L<SSL_CONF_CTX_set_flags(3)>,
 L<SSL_CONF_CTX_set1_prefix(3)>,
 L<SSL_CONF_CTX_set_ssl_ctx(3)>,
-L<SSL_CONF_cmd_argv(3)>
+L<SSL_CONF_cmd_argv(3)>,
+L<SSL_CTX_set_options(3)>
 
 =head1 HISTORY
 
diff --git a/doc/ssl/SSL_CTX_new.pod b/doc/ssl/SSL_CTX_new.pod
index 136f97b366..53f621685e 100644
--- a/doc/ssl/SSL_CTX_new.pod
+++ b/doc/ssl/SSL_CTX_new.pod
@@ -139,9 +139,9 @@ If you want to limit the supported protocols for the version flexible
 methods you can use SSL_CTX_set_min_proto_version(),
 SSL_set_min_proto_version(), SSL_CTX_set_max_proto_version() and
 SSL_set_max_proto_version() functions.
-They can also be limited using by using an option like SSL_OP_NO_SSLv3
-of the SSL_CTX_set_options() or SSL_set_options() functions, but
-that's not recommended.
+They can also be limited by setting an option like B<SSL_OP_NO_SSLv3>
+via the L<SSL_CTX_set_options(3)> or L<SSL_set_options(3)> functions,
+but that's not recommended.
 Using these functions it is possible to choose e.g. TLS_server_method()
 and be able to negotiate with all possible clients, but to only
 allow newer protocols like TLS 1.0, TLS 1.1 or TLS 1.2.
diff --git a/doc/ssl/SSL_CTX_set_min_proto_version.pod b/doc/ssl/SSL_CTX_set_min_proto_version.pod
index 25f9cca23d..535ae83e7a 100644
--- a/doc/ssl/SSL_CTX_set_min_proto_version.pod
+++ b/doc/ssl/SSL_CTX_set_min_proto_version.pod
@@ -19,8 +19,9 @@ and maximum supported protocol version
 
 The functions set the minimum and maximum supported portocol versions
 for the B<ctx> or B<ssl>.
-This works in combination with the options set via SSL_CTX_set_options()
-that also make it possible to disable specific protocol versions.
+This works in combination with the options set via
+L<SSL_CTX_set_options(3)> that also make it possible to disable
+specific protocol versions.
 Use these functions instead of disabling specific protocol versions.
 
 Setting the minimum or maximum version to 0, will enable protocol
diff --git a/doc/ssl/SSL_CTX_set_options.pod b/doc/ssl/SSL_CTX_set_options.pod
index 56f62cc59f..c1325681e2 100644
--- a/doc/ssl/SSL_CTX_set_options.pod
+++ b/doc/ssl/SSL_CTX_set_options.pod
@@ -23,8 +23,6 @@ SSL_get_secure_renegotiation_support - manipulate SSL options
 
 =head1 DESCRIPTION
 
-Note: all these functions are implemented using macros.
-
 SSL_CTX_set_options() adds the options set via bitmask in B<options> to B<ctx>.
 Options already set before are not cleared!
 
@@ -42,6 +40,7 @@ SSL_get_options() returns the options set for B<ssl>.
 
 SSL_get_secure_renegotiation_support() indicates whether the peer supports
 secure renegotiation.
+Note, this is implemented via a macro.
 
 =head1 NOTES
 
diff --git a/doc/ssl/ssl.pod b/doc/ssl/ssl.pod
index 0d29b54bdd..33133ff78f 100644
--- a/doc/ssl/ssl.pod
+++ b/doc/ssl/ssl.pod
@@ -315,7 +315,11 @@ Use the file path to locate trusted CA certficates.
 
 =item void B<SSL_CTX_set_msg_callback_arg>(SSL_CTX *ctx, void *arg);
 
-=item void B<SSL_CTX_set_options>(SSL_CTX *ctx, unsigned long op);
+=item unsigned long B<SSL_CTX_clear_options>(SSL_CTX *ctx, unsigned long op);
+
+=item unsigned long B<SSL_CTX_get_options>(SSL_CTX *ctx);
+
+=item unsigned long B<SSL_CTX_set_options>(SSL_CTX *ctx, unsigned long op);
 
 =item void B<SSL_CTX_set_quiet_shutdown>(SSL_CTX *ctx, int mode);
 
@@ -596,7 +600,11 @@ fresh handle for each connection.
 
 =item void B<SSL_set_msg_callback_arg>(SSL *ctx, void *arg);
 
-=item void B<SSL_set_options>(SSL *ssl, unsigned long op);
+=item unsigned long B<SSL_clear_options>(SSL *ssl, unsigned long op);
+
+=item unsigned long B<SSL_get_options>(SSL *ssl);
+
+=item unsigned long B<SSL_set_options>(SSL *ssl, unsigned long op);
 
 =item void B<SSL_set_quiet_shutdown>(SSL *ssl, int mode);
 
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index bb3f0aa40f..b6ba59b400 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -569,18 +569,12 @@ typedef int (*custom_ext_parse_cb) (SSL *s, unsigned int ext_type,
  * cannot be used to clear bits.
  */
 
-# define SSL_CTX_set_options(ctx,op) \
-        SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,(op),NULL)
-# define SSL_CTX_clear_options(ctx,op) \
-        SSL_CTX_ctrl((ctx),SSL_CTRL_CLEAR_OPTIONS,(op),NULL)
-# define SSL_CTX_get_options(ctx) \
-        SSL_CTX_ctrl((ctx),SSL_CTRL_OPTIONS,0,NULL)
-# define SSL_set_options(ssl,op) \
-        SSL_ctrl((ssl),SSL_CTRL_OPTIONS,(op),NULL)
-# define SSL_clear_options(ssl,op) \
-        SSL_ctrl((ssl),SSL_CTRL_CLEAR_OPTIONS,(op),NULL)
-# define SSL_get_options(ssl) \
-        SSL_ctrl((ssl),SSL_CTRL_OPTIONS,0,NULL)
+unsigned long SSL_CTX_get_options(const SSL_CTX *ctx);
+unsigned long SSL_get_options(const SSL* s);
+unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op);
+unsigned long SSL_clear_options(SSL *s, unsigned long op);
+unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op);
+unsigned long SSL_set_options(SSL *s, unsigned long op);
 
 # define SSL_CTX_set_mode(ctx,op) \
         SSL_CTX_ctrl((ctx),SSL_CTRL_MODE,(op),NULL)
@@ -1140,7 +1134,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 # define SSL_CTRL_SESS_MISSES                    29
 # define SSL_CTRL_SESS_TIMEOUTS                  30
 # define SSL_CTRL_SESS_CACHE_FULL                31
-# define SSL_CTRL_OPTIONS                        32
 # define SSL_CTRL_MODE                           33
 # define SSL_CTRL_GET_READ_AHEAD                 40
 # define SSL_CTRL_SET_READ_AHEAD                 41
@@ -1188,7 +1181,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 # define DTLS_CTRL_HANDLE_TIMEOUT        74
 # define DTLS_CTRL_LISTEN                        75
 # define SSL_CTRL_GET_RI_SUPPORT                 76
-# define SSL_CTRL_CLEAR_OPTIONS                  77
 # define SSL_CTRL_CLEAR_MODE                     78
 # define SSL_CTRL_SET_NOT_RESUMABLE_SESS_CB      79
 # define SSL_CTRL_GET_EXTRA_CHAIN_CERTS          82
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index edb368df67..1666cd2880 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1609,10 +1609,6 @@ long SSL_ctrl(SSL *s, int cmd, long larg, void *parg)
         s->msg_callback_arg = parg;
         return 1;
 
-    case SSL_CTRL_OPTIONS:
-        return (s->options |= larg);
-    case SSL_CTRL_CLEAR_OPTIONS:
-        return (s->options &= ~larg);
     case SSL_CTRL_MODE:
         return (s->mode |= larg);
     case SSL_CTRL_CLEAR_MODE:
@@ -1759,10 +1755,6 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
         return (ctx->stats.sess_timeout);
     case SSL_CTRL_SESS_CACHE_FULL:
         return (ctx->stats.sess_cache_full);
-    case SSL_CTRL_OPTIONS:
-        return (ctx->options |= larg);
-    case SSL_CTRL_CLEAR_OPTIONS:
-        return (ctx->options &= ~larg);
     case SSL_CTRL_MODE:
         return (ctx->mode |= larg);
     case SSL_CTRL_CLEAR_MODE:
@@ -3763,4 +3755,35 @@ void *SSL_CTX_get0_security_ex_data(const SSL_CTX *ctx)
     return ctx->cert->sec_ex;
 }
 
+
+/*
+ * Get/Set/Clear options in SSL_CTX or SSL, formerly macros, now functions that
+ * can return unsigned long, instead of the generic long return value from the
+ * control interface.
+ */
+unsigned long SSL_CTX_get_options(const SSL_CTX *ctx)
+{
+    return ctx->options;
+}
+unsigned long SSL_get_options(const SSL* s)
+{
+    return s->options;
+}
+unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op)
+{
+    return ctx->options |= op;
+}
+unsigned long SSL_set_options(SSL *s, unsigned long op)
+{
+    return s->options |= op;
+}
+unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op)
+{
+    return ctx->options &= ~op;
+}
+unsigned long SSL_clear_options(SSL *s, unsigned long op)
+{
+    return s->options &= ~op;
+}
+
 IMPLEMENT_OBJ_BSEARCH_GLOBAL_CMP_FN(SSL_CIPHER, SSL_CIPHER, ssl_cipher_id);
diff --git a/util/ssleay.num b/util/ssleay.num
index 6a68fe5053..8bd2b1ae67 100755
--- a/util/ssleay.num
+++ b/util/ssleay.num
@@ -427,3 +427,9 @@ SSL_get0_dane_tlsa                      461	1_1_0	EXIST::FUNCTION:
 SSL_set_hostflags                       462	1_1_0	EXIST::FUNCTION:
 SSL_dane_enable                         463	1_1_0	EXIST::FUNCTION:
 SSL_get0_dane                           464	1_1_0	EXIST::FUNCTION:
+SSL_CTX_set_options                     465	1_1_0	EXIST::FUNCTION:
+SSL_CTX_clear_options                   466	1_1_0	EXIST::FUNCTION:
+SSL_CTX_get_options                     467	1_1_0	EXIST::FUNCTION:
+SSL_clear_options                       468	1_1_0	EXIST::FUNCTION:
+SSL_set_options                         469	1_1_0	EXIST::FUNCTION:
+SSL_get_options                         470	1_1_0	EXIST::FUNCTION: