authorDr. David von Oheimb <David.von.Oheimb@siemens.com>2023-06-11 17:41:03 +0200
committerTomas Mraz <tomas@openssl.org>2023-10-10 20:36:06 +0200
commitac0677bd2394c04632f7ad526879a866b6ed149f (patch)
treef39848852a495281b10e6ac0f4e2932e23aa9390
parent2f768882e06eb460895ec4836e405e203ed90663 (diff)
CMP: fix OSSL_CMP_MSG_http_perform() by adding option OSSL_CMP_OPT_USE_TLS
Fixes #21120 Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/21176)
-rw-r--r--apps/cmp.c2
-rw-r--r--crypto/cmp/cmp_ctx.c6
-rw-r--r--crypto/cmp/cmp_http.c3
-rw-r--r--crypto/cmp/cmp_local.h1
-rw-r--r--doc/man3/OSSL_CMP_CTX_new.pod12
-rw-r--r--include/openssl/cmp.h.in5
6 files changed, 26 insertions, 3 deletions
diff --git a/apps/cmp.c b/apps/cmp.c
index 911d94c198..dd5a69af7c 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -1945,6 +1945,8 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
CMP_warn("assuming -tls_used since -server URL indicates HTTPS");
opt_tls_used = 1;
}
+ if (!OSSL_CMP_CTX_set_option(ctx, OSSL_CMP_OPT_USE_TLS, opt_tls_used))
+ goto err;
BIO_snprintf(server_port, sizeof(server_port), "%s", port);
if (opt_path == NULL)
diff --git a/crypto/cmp/cmp_ctx.c b/crypto/cmp/cmp_ctx.c
index b95c540133..947d2ceb8f 100644
--- a/crypto/cmp/cmp_ctx.c
+++ b/crypto/cmp/cmp_ctx.c
@@ -123,6 +123,7 @@ OSSL_CMP_CTX *OSSL_CMP_CTX_new(OSSL_LIB_CTX *libctx, const char *propq)
ctx->keep_alive = 1;
ctx->msg_timeout = -1;
+ ctx->tls_used = -1; /* default for backward compatibility */
if ((ctx->untrusted = sk_X509_new_null()) == NULL) {
ERR_raise(ERR_LIB_X509, ERR_R_CRYPTO_LIB);
@@ -949,6 +950,9 @@ int OSSL_CMP_CTX_set_option(OSSL_CMP_CTX *ctx, int opt, int val)
case OSSL_CMP_OPT_TOTAL_TIMEOUT:
ctx->total_timeout = val;
break;
+ case OSSL_CMP_OPT_USE_TLS:
+ ctx->tls_used = val;
+ break;
case OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR:
ctx->permitTAInExtraCertsForIR = val;
break;
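Review bot: The new OSSL_CMP_OPT_USE_TLS case stores `val` as given, so OSSL_CMP_CTX_get_option() hands back whatever integer the caller passed (e.g. 2) while cmp_http.c only evaluates it with `!= 0`, and the man page added in this commit defines only the values 0 and 1 plus the -1 default. Normalizing on the way in, `ctx->tls_used = val < 0 ? -1 : (val != 0);`, keeps the getter consistent with the documented contract and makes the auto-detection default re-selectable. That last point matters if the range check at the top of OSSL_CMP_CTX_set_option() (outside the hunk) rejects negative values, because an application that has set the option once could then never return to the backward-compatible behaviour the documentation describes as a value. The enclosing function starts and ends outside the hunk.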
@@ -1013,6 +1017,8 @@ int OSSL_CMP_CTX_get_option(const OSSL_CMP_CTX *ctx, int opt)
return ctx->msg_timeout;
case OSSL_CMP_OPT_TOTAL_TIMEOUT:
return ctx->total_timeout;
+ case OSSL_CMP_OPT_USE_TLS:
+ return ctx->tls_used;
case OSSL_CMP_OPT_PERMIT_TA_IN_EXTRACERTS_FOR_IR:
return ctx->permitTAInExtraCertsForIR;
case OSSL_CMP_OPT_REVOCATION_REASON:
diff --git a/crypto/cmp/cmp_http.c b/crypto/cmp/cmp_http.c
index ef77d251ef..d08c362a70 100644
--- a/crypto/cmp/cmp_http.c
+++ b/crypto/cmp/cmp_http.c
@@ -68,7 +68,8 @@ OSSL_CMP_MSG *OSSL_CMP_MSG_http_perform(OSSL_CMP_CTX *ctx,
if (ctx->serverPort != 0)
BIO_snprintf(server_port, sizeof(server_port), "%d", ctx->serverPort);
- tls_used = OSSL_CMP_CTX_get_http_cb_arg(ctx) != NULL;
+ tls_used = ctx->tls_used >= 0 ? ctx->tls_used != 0
+ : OSSL_CMP_CTX_get_http_cb_arg(ctx) != NULL; /* backward compat */
if (ctx->http_ctx == NULL)
ossl_cmp_log3(DEBUG, ctx, "connecting to CMP server %s:%s%s",
ctx->server, server_port, tls_used ? " using TLS" : "");
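Review bot: The new condition allows `tls_used` to be 0 while an SSL_CTX (or other TLS argument) has been supplied via OSSL_CMP_CTX_set_http_cb_arg(), in which case the connection silently proceeds as plaintext HTTP although the application provisioned TLS material; the opposite combination (1 with no callback argument) is only caught if the HTTP layer rejects it, which is not visible here. A diagnostic before the log line would surface the disagreement, e.g. `if (!tls_used && OSSL_CMP_CTX_get_http_cb_arg(ctx) != NULL) ossl_cmp_warn(ctx, "OSSL_CMP_OPT_USE_TLS is 0 although an HTTP callback argument is set");`. The debug message on the last hunk line now reports " using TLS" purely from the option value, so it is worth stating in a comment that this reflects configuration, not a verified TLS handshake. OSSL_CMP_MSG_http_perform() starts and ends outside the hunk.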
diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h
index 3fb479ca39..29aa84cd2a 100644
--- a/crypto/cmp/cmp_local.h
+++ b/crypto/cmp/cmp_local.h
@@ -49,6 +49,7 @@ struct ossl_cmp_ctx_st {
int keep_alive; /* persistent connection: 0=no, 1=prefer, 2=require */
int msg_timeout; /* max seconds to wait for each CMP message round trip */
int total_timeout; /* max number of seconds an enrollment may take, incl. */
+ int tls_used; /* whether to use TLS for client-side HTTP connections */
/* attempts polling for a response if a 'waiting' PKIStatus is received */
time_t end_time; /* session start time + totaltimeout */
# ifndef OPENSSL_NO_HTTP
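Review bot: The new `tls_used` member is inserted between `total_timeout` and the continuation of its comment on the following line (`/* attempts polling for a response if a 'waiting' PKIStatus is received */`), so that sentence now reads as if it described tls_used. Move the new line below that continuation line, and document the tri-state the rest of the commit relies on, in the style of the `keep_alive` comment: `int tls_used; /* use TLS for client-side HTTP: 0=no, 1=yes, -1=infer from http_cb_arg */`. The struct definition continues outside the hunk.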
diff --git a/doc/man3/OSSL_CMP_CTX_new.pod b/doc/man3/OSSL_CMP_CTX_new.pod
index 488b22de9b..8109970171 100644
--- a/doc/man3/OSSL_CMP_CTX_new.pod
+++ b/doc/man3/OSSL_CMP_CTX_new.pod
@@ -237,6 +237,17 @@ The following options can be set:
A value <= 0 means no limitation (waiting indefinitely).
Default is 0.
+=item B<OSSL_CMP_OPT_USE_TLS>
+
+ Use this option to indicate to the HTTP implementation
+ whether TLS is going to be used for the connection (resulting in HTTPS).
+ The value 1 indicates that TLS is used for client-side HTTP connections,
+ which needs to be implemented via a callback function set by
+ OSSL_CMP_CTX_set_http_cb().
+ The value 0 indicates that TLS is not used.
+ Default is -1 for backward compatibility: TLS is used by the client side
+ if and only if OSSL_CMP_CTX_set_http_cb_arg() sets a non-NULL I<arg>.
+
=item B<OSSL_CMP_OPT_VALIDITY_DAYS>
Number of days new certificates are asked to be valid for.
@@ -384,6 +395,7 @@ as described for the I<bio_update_fn> parameter of L<OSSL_HTTP_open(3)>.
The callback may make use of a custom defined argument I<arg>,
as described for the I<arg> parameter of L<OSSL_HTTP_open(3)>.
The argument is stored in the OSSL_CMP_CTX using OSSL_CMP_CTX_set_http_cb_arg().
+See also the B<OSSL_CMP_OPT_USE_TLS> option described above.
OSSL_CMP_CTX_set_http_cb_arg() sets the argument, respectively a pointer to
a structure containing arguments such as an B<SSL_CTX> structure,
diff --git a/include/openssl/cmp.h.in b/include/openssl/cmp.h.in
index e6af016c7f..5bd8beb57a 100644
--- a/include/openssl/cmp.h.in
+++ b/include/openssl/cmp.h.in
@@ -285,9 +285,10 @@ const char *OSSL_CMP_CTX_get0_propq(const OSSL_CMP_CTX *ctx);
/* CMP general options: */
# define OSSL_CMP_OPT_LOG_VERBOSITY 0
/* CMP transfer options: */
-# define OSSL_CMP_OPT_KEEP_ALIVE 10
-# define OSSL_CMP_OPT_MSG_TIMEOUT 11
+# define OSSL_CMP_OPT_KEEP_ALIVE 10
+# define OSSL_CMP_OPT_MSG_TIMEOUT 11
# define OSSL_CMP_OPT_TOTAL_TIMEOUT 12
+# define OSSL_CMP_OPT_USE_TLS 13
/* CMP request options: */
# define OSSL_CMP_OPT_VALIDITY_DAYS 20
# define OSSL_CMP_OPT_SUBJECTALTNAME_NODEFAULT 21