CMP: introduce version 3, while version 2 stays the default

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/18294)

crypto/cmp/cmp_local.h

@@ -446,7 +446,7 @@ DECLARE_ASN1_FUNCTIONS(OSSL_CMP_POLLREPCONTENT)
 
 /*-
  * PKIHeader ::= SEQUENCE {
- *     pvno                INTEGER     { cmp1999(1), cmp2000(2) },
+ *     pvno                INTEGER     { cmp1999(1), cmp2000(2), cmp2021(3) },
  *     sender              GeneralName,
  *     -- identifies the sender
  *     recipient           GeneralName,

crypto/cmp/cmp_vfy.c

@@ -749,7 +749,8 @@ int ossl_cmp_msg_check_update(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
     }
 
     /* check CMP version number in header */
-    if (ossl_cmp_hdr_get_pvno(hdr) != OSSL_CMP_PVNO) {
+    if (ossl_cmp_hdr_get_pvno(hdr) != OSSL_CMP_PVNO_2
+            && ossl_cmp_hdr_get_pvno(hdr) != OSSL_CMP_PVNO_3) {
 #ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
         ERR_raise(ERR_LIB_CMP, CMP_R_UNEXPECTED_PVNO);
         return 0;

doc/internal/man3/ossl_cmp_msg_check_update.pod

@@ -33,7 +33,7 @@ The B<msg> is checked for the following:
 =item its protection is present and valid (or a callback function B<cb>
 is present and indicates that a missing or invalid protection is acceptable),
 
-=item its CMP protocol version is acceptable, namely B<OSSL_CMP_PVNO>,
+=item its CMP protocol version is acceptable,
 
 =item its body type is valid,
 

include/openssl/cmp.h.in

@@ -36,7 +36,9 @@ use OpenSSL::stackhash qw(generate_stack_macros);
 extern "C" {
 #  endif
 
-#  define OSSL_CMP_PVNO 2
+#  define OSSL_CMP_PVNO_2 2
+#  define OSSL_CMP_PVNO_3 3
+#  define OSSL_CMP_PVNO OSSL_CMP_PVNO_2 /* v2 is the default */
 
 /*-
  *   PKIFailureInfo ::= BIT STRING {