diff --git a/crypto/err/ssl.errordata b/crypto/err/ssl.errordata
index adef2815..767d0787 100644
--- a/crypto/err/ssl.errordata
+++ b/crypto/err/ssl.errordata
@@ -3,6 +3,8 @@ SSL,function,101,SSL_CTX_new
 SSL,function,102,SSL_CTX_set_cipher_list
 SSL,function,103,SSL_CTX_set_cipher_list_tls11
 SSL,function,104,SSL_CTX_set_session_id_context
+SSL,function,268,SSL_CTX_set_tmp_dh
+SSL,function,269,SSL_CTX_set_tmp_ecdh
 SSL,function,105,SSL_CTX_use_PrivateKey
 SSL,function,106,SSL_CTX_use_PrivateKey_ASN1
 SSL,function,107,SSL_CTX_use_PrivateKey_file
@@ -34,6 +36,8 @@ SSL,function,132,SSL_set_cipher_list
 SSL,function,133,SSL_set_fd
 SSL,function,134,SSL_set_rfd
 SSL,function,135,SSL_set_session_id_context
+SSL,function,270,SSL_set_tmp_dh
+SSL,function,271,SSL_set_tmp_ecdh
 SSL,function,136,SSL_set_wfd
 SSL,function,137,SSL_shutdown
 SSL,function,138,SSL_use_PrivateKey
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index e12135da..14fa04d2 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1573,9 +1573,6 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_ERROR_PENDING_SESSION 11
 #define SSL_ERROR_PENDING_CERTIFICATE 12
 
-#define SSL_CTRL_SET_TMP_DH 3
-#define SSL_CTRL_SET_TMP_ECDH 4
-
 #define SSL_CTRL_EXTRA_CHAIN_CERT 14
 
 /* see tls1.h for macros based on these */
@@ -1651,27 +1648,29 @@ OPENSSL_EXPORT int SSL_session_reused(const SSL *ssl);
  * peformed by |ssl|. This includes the pending renegotiation, if any. */
 OPENSSL_EXPORT int SSL_total_renegotiations(const SSL *ssl);
 
-#define SSL_CTX_set_tmp_dh(ctx, dh) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_DH, 0, (char *)dh)
+/* SSL_CTX_set_tmp_dh configures |ctx| to use the group from |dh| as the group
+ * for DHE. Only the group is used, so |dh| needn't have a keypair. It returns
+ * one on success and zero on error. */
+OPENSSL_EXPORT int SSL_CTX_set_tmp_dh(SSL_CTX *ctx, const DH *dh);
 
-/* SSL_CTX_set_tmp_ecdh configures |ctx| to use the curve from |ecdh| (a const
- * EC_KEY *) as the curve for ephemeral ECDH keys. For historical reasons, this
- * API expects an |EC_KEY|, but only the curve is used. It returns one on
- * success and zero on error. If unset, an appropriate curve will be chosen
- * automatically. (This is recommended.) */
-#define SSL_CTX_set_tmp_ecdh(ctx, ecdh) \
-  SSL_CTX_ctrl(ctx, SSL_CTRL_SET_TMP_ECDH, 0, (char *)ecdh)
+/* SSL_set_tmp_dh configures |ssl| to use the group from |dh| as the group for
+ * DHE. Only the group is used, so |dh| needn't have a keypair. It returns one
+ * on success and zero on error. */
+OPENSSL_EXPORT int SSL_set_tmp_dh(SSL *ssl, const DH *dh);
 
-#define SSL_set_tmp_dh(ssl, dh) \
-  SSL_ctrl(ssl, SSL_CTRL_SET_TMP_DH, 0, (char *)dh)
+/* SSL_CTX_set_tmp_ecdh configures |ctx| to use the curve from |ecdh| as the
+ * curve for ephemeral ECDH keys. For historical reasons, this API expects an
+ * |EC_KEY|, but only the curve is used. It returns one on success and zero on
+ * error. If unset, an appropriate curve will be chosen automatically. (This is
+ * recommended.) */
+OPENSSL_EXPORT int SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, const EC_KEY *ec_key);
 
-/* SSL_set_tmp_ecdh configures |ssl| to use the curve from |ecdh| (a const
- * EC_KEY *) as the curve for ephemeral ECDH keys. For historical reasons, this
- * API expects an |EC_KEY|, but only the curve is used. It returns one on
- * success and zero on error. If unset, an appropriate curve will be chosen
- * automatically. (This is recommended.) */
-#define SSL_set_tmp_ecdh(ssl, ecdh) \
-  SSL_ctrl(ssl, SSL_CTRL_SET_TMP_ECDH, 0, (char *)ecdh)
+/* SSL_set_tmp_ecdh configures |ssl| to use the curve from |ecdh| as the curve
+ * for ephemeral ECDH keys. For historical reasons, this API expects an
+ * |EC_KEY|, but only the curve is used. It returns one on success and zero on
+ * error. If unset, an appropriate curve will be chosen automatically. (This is
+ * recommended.) */
+OPENSSL_EXPORT int SSL_set_tmp_ecdh(SSL *ssl, const EC_KEY *ec_key);
 
 /* SSL_enable_tls_channel_id either configures a TLS server to accept TLS
  * client IDs from clients, or configure a client to send TLS client IDs to
@@ -2393,6 +2392,8 @@ OPENSSL_EXPORT const char *SSLeay_version(int unused);
 
 #define SSL_CTRL_NEED_TMP_RSA doesnt_exist
 #define SSL_CTRL_SET_TMP_RSA doesnt_exist
+#define SSL_CTRL_SET_TMP_DH doesnt_exist
+#define SSL_CTRL_SET_TMP_ECDH doesnt_exist
 #define SSL_CTRL_SET_TMP_RSA_CB doesnt_exist
 #define SSL_CTRL_SET_TMP_DH_CB doesnt_exist
 #define SSL_CTRL_SET_TMP_ECDH_CB doesnt_exist
@@ -2426,6 +2427,10 @@ OPENSSL_EXPORT const char *SSLeay_version(int unused);
 #define SSL_need_tmp_RSA SSL_need_tmp_RSA
 #define SSL_CTX_set_tmp_rsa SSL_CTX_set_tmp_rsa
 #define SSL_set_tmp_rsa SSL_set_tmp_rsa
+#define SSL_CTX_set_tmp_dh SSL_CTX_set_tmp_dh
+#define SSL_set_tmp_dh SSL_set_tmp_dh
+#define SSL_CTX_set_tmp_ecdh SSL_CTX_set_tmp_ecdh
+#define SSL_set_tmp_ecdh SSL_set_tmp_ecdh
 #define SSL_session_reused SSL_session_reused
 #define SSL_num_renegotiations SSL_num_renegotiations
 #define SSL_total_renegotiations SSL_total_renegotiations
@@ -2657,6 +2662,10 @@ OPENSSL_EXPORT const char *SSLeay_version(int unused);
 #define SSL_F_dtls1_hm_fragment_new 265
 #define SSL_F_ssl3_seal_record 266
 #define SSL_F_ssl3_record_sequence_update 267
+#define SSL_F_SSL_CTX_set_tmp_dh 268
+#define SSL_F_SSL_CTX_set_tmp_ecdh 269
+#define SSL_F_SSL_set_tmp_dh 270
+#define SSL_F_SSL_set_tmp_ecdh 271
 #define SSL_R_APP_DATA_IN_HANDSHAKE 100
 #define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 101
 #define SSL_R_BAD_ALERT 102
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 59e7a9a2..63ceba86 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -605,34 +605,48 @@ int SSL_set_tmp_rsa(SSL *ssl, const RSA *rsa) {
   return 1;
 }
 
+int SSL_CTX_set_tmp_dh(SSL_CTX *ctx, const DH *dh) {
+  DH_free(ctx->cert->dh_tmp);
+  ctx->cert->dh_tmp = DHparams_dup(dh);
+  if (ctx->cert->dh_tmp == NULL) {
+    OPENSSL_PUT_ERROR(SSL, SSL_CTX_set_tmp_dh, ERR_R_DH_LIB);
+    return 0;
+  }
+  return 1;
+}
+
+int SSL_set_tmp_dh(SSL *ssl, const DH *dh) {
+  DH_free(ssl->cert->dh_tmp);
+  ssl->cert->dh_tmp = DHparams_dup(dh);
+  if (ssl->cert->dh_tmp == NULL) {
+    OPENSSL_PUT_ERROR(SSL, SSL_set_tmp_dh, ERR_R_DH_LIB);
+    return 0;
+  }
+  return 1;
+}
+
+int SSL_CTX_set_tmp_ecdh(SSL_CTX *ctx, const EC_KEY *ec_key) {
+  if (ec_key == NULL || EC_KEY_get0_group(ec_key) == NULL) {
+    OPENSSL_PUT_ERROR(SSL, SSL_CTX_set_tmp_ecdh, ERR_R_PASSED_NULL_PARAMETER);
+    return 0;
+  }
+  ctx->cert->ecdh_nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key));
+  return 1;
+}
+
+int SSL_set_tmp_ecdh(SSL *ssl, const EC_KEY *ec_key) {
+  if (ec_key == NULL || EC_KEY_get0_group(ec_key) == NULL) {
+    OPENSSL_PUT_ERROR(SSL, SSL_set_tmp_ecdh, ERR_R_PASSED_NULL_PARAMETER);
+    return 0;
+  }
+  ssl->cert->ecdh_nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key));
+  return 1;
+}
+
 long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) {
   int ret = 0;
 
   switch (cmd) {
-    case SSL_CTRL_SET_TMP_DH:
-      DH_free(s->cert->dh_tmp);
-      s->cert->dh_tmp = DHparams_dup((DH *)parg);
-      if (s->cert->dh_tmp == NULL) {
-        OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_DH_LIB);
-        ret = 0;
-        break;
-      }
-      ret = 1;
-      break;
-
-    case SSL_CTRL_SET_TMP_ECDH: {
-      /* For historical reasons, this API expects an |EC_KEY|, but only the
-       * group is used. */
-      const EC_KEY *ec_key = (const EC_KEY *)parg;
-      if (ec_key == NULL || EC_KEY_get0_group(ec_key) == NULL) {
-        OPENSSL_PUT_ERROR(SSL, ssl3_ctrl, ERR_R_PASSED_NULL_PARAMETER);
-        return ret;
-      }
-      s->cert->ecdh_nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key));
-      ret = 1;
-      break;
-    }
-
     case SSL_CTRL_SET_TLSEXT_HOSTNAME:
       if (larg == TLSEXT_NAMETYPE_host_name) {
         OPENSSL_free(s->tlsext_hostname);
@@ -808,27 +822,6 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) {
   cert = ctx->cert;
 
   switch (cmd) {
-    case SSL_CTRL_SET_TMP_DH:
-      DH_free(cert->dh_tmp);
-      cert->dh_tmp = DHparams_dup((DH *)parg);
-      if (cert->dh_tmp == NULL) {
-        OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_DH_LIB);
-        return 0;
-      }
-      return 1;
-
-    case SSL_CTRL_SET_TMP_ECDH: {
-      /* For historical reasons, this API expects an |EC_KEY|, but only the
-       * group is used. */
-      const EC_KEY *ec_key = (const EC_KEY *)parg;
-      if (ec_key == NULL || EC_KEY_get0_group(ec_key) == NULL) {
-        OPENSSL_PUT_ERROR(SSL, ssl3_ctx_ctrl, ERR_R_PASSED_NULL_PARAMETER);
-        return 0;
-      }
-      ctx->cert->ecdh_nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec_key));
-      return 1;
-    }
-
     case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG:
       ctx->tlsext_servername_arg = parg;
       break;