authorINDIA\kanagavels <kanagavels@ami.com>2025-07-09 16:34:36 +0530
committermergify[bot] <37929162+mergify[bot]@users.noreply.github.com>2025-09-04 08:32:34 +0000
commit1dacf4c40825e184f08be4d3041dc9e2be4d3c5c (patch)
treeea55864cd96bd821f921659f143773fdafb7c452
parent41cde6e2e313382f6ec4078577ad3dfbbd0c743c (diff)
CryptoPkg: Add SNI support
Add Server Name Indication support. Signed-off-by: Kanagavel S <Kanagavels@ami.com>
-rw-r--r--CryptoPkg/Driver/Crypto.c23
-rw-r--r--CryptoPkg/Include/Library/TlsLib.h17
-rw-r--r--CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h1
-rw-r--r--CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c21
-rw-r--r--CryptoPkg/Library/TlsLib/InternalTlsLib.h6
-rw-r--r--CryptoPkg/Library/TlsLib/TlsConfig.c79
-rw-r--r--CryptoPkg/Library/TlsLibNull/TlsConfigNull.c22
-rw-r--r--CryptoPkg/Private/Protocol/Crypto.h22
8 files changed, 190 insertions, 1 deletions
diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index 201ed8c..e2c49f1 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -5104,6 +5104,27 @@ CryptoServiceTlsSetCertRevocationList (
}
/**
+ Set the specified server name in Server/Client.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[in] SslCtx Pointer to the SSL object.
+ @param[in] HostName The specified server name to be set.
+
+ @retval EFI_SUCCESS The Server Name was set successfully.
+ @retval EFI_UNSUPPORTED Failed to set the Server Name.
+**/
+EFI_STATUS
+EFIAPI
+CryptoServiceTlsSetServerName (
+ VOID *Tls,
+ VOID *SslCtx,
+ CHAR8 *HostName
+ )
+{
+ return CALL_BASECRYPTLIB (TlsSet.Services.ServerName, TlsSetServerName, (Tls, SslCtx, HostName), EFI_UNSUPPORTED);
+}
+
+/**
Set the signature algorithm list to used by the TLS object.
This function sets the signature algorithms for use by a specified TLS object.
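Review bot: The `@param[in] SslCtx Pointer to the SSL object.` line on L35 documents the wrong type: the TlsLib implementation casts this argument to `SSL_CTX *`, while the SSL object is the one reached through Tls, so suggest `@param[in] SslCtx Pointer to the SSL_CTX the SNI callback is registered on.` The identical wording is repeated in the CryptLib.c, TlsConfig.c and TlsConfigNull.c definitions and in the EDKII_CRYPTO_TLS_SET_SERVER_NAME typedef in Crypto.h, so all five blocks need the same correction. The doc block also lists only EFI_SUCCESS and EFI_UNSUPPORTED, but CALL_BASECRYPTLIB forwards whatever TlsSetServerName returns, which in TlsConfig.c includes EFI_OUT_OF_RESOURCES; add `@retval EFI_OUT_OF_RESOURCES Memory for the callback context could not be allocated.` to the same five blocks.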
@@ -7116,4 +7137,6 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
CryptoServicePkcs1v2Decrypt,
CryptoServiceRsaOaepEncrypt,
CryptoServiceRsaOaepDecrypt,
+ /// TLS Set (continued)
+ CryptoServiceTlsSetServerName,
};
diff --git a/CryptoPkg/Include/Library/TlsLib.h b/CryptoPkg/Include/Library/TlsLib.h
index d37c5fc..fab9b5b 100644
--- a/CryptoPkg/Include/Library/TlsLib.h
+++ b/CryptoPkg/Include/Library/TlsLib.h
@@ -436,6 +436,23 @@ TlsSetVerifyHost (
);
/**
+ Set the specified server name to be verified.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[in] SslCtx Pointer to the SSL object.
+ @param[in] HostName The specified server name to be set.
+
+ @retval EFI_SUCCESS The Server Name was set successfully.
+**/
+EFI_STATUS
+EFIAPI
+TlsSetServerName (
+ VOID *Tls,
+ VOID *SslCtx,
+ CHAR8 *HostName
+ );
+
+/**
Sets a TLS/SSL session ID to be used during TLS/SSL connect.
This function sets a session ID to be used when the TLS/SSL connection is
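Review bot: The header comment on L69 says the server name is `to be verified`, but TlsSetServerName only places the name in the SNI extension (SSL_set_tlsext_host_name in TlsConfig.c); host-name checking of the peer certificate remains the job of TlsSetVerifyHost, so a caller reading this header could assume the certificate is matched against HostName when it is not. Suggest `Set the server name sent in the TLS Server Name Indication extension; call TlsSetVerifyHost to have the peer certificate checked against it.` and add the `@retval EFI_UNSUPPORTED` and `@retval EFI_OUT_OF_RESOURCES` lines that the implementation actually returns. The prototype also drops the `IN` qualifiers used by the TlsConfigNull.c definition and the Crypto.h typedef; `IN VOID *Tls, IN VOID *SslCtx, IN CHAR8 *HostName` keeps the three consistent with the rest of this header's TlsSet* declarations, assuming they follow that convention.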
diff --git a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h b/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
index 7b37413..ad6a608 100644
--- a/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
+++ b/CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h
@@ -327,6 +327,7 @@ typedef struct {
UINT8 HostPrivateKeyEx : 1;
UINT8 SignatureAlgoList : 1;
UINT8 EcCurve : 1;
+ UINT8 ServerName : 1;
} Services;
UINT32 Family;
} TlsSet;
diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index e51f178..28d6061 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -4166,6 +4166,27 @@ TlsSetVerifyHost (
}
/**
+ Set the specified server name in Server/Client.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[in] SslCtx Pointer to the SSL object.
+ @param[in] HostName The specified server name to be set.
+
+ @retval EFI_SUCCESS The Server Name was set successfully.
+ @retval EFI_UNSUPPORTED Failed to set the Server Name.
+**/
+EFI_STATUS
+EFIAPI
+TlsSetServerName (
+ VOID *Tls,
+ VOID *SslCtx,
+ CHAR8 *HostName
+ )
+{
+ CALL_CRYPTO_SERVICE (TlsSetServerName, (Tls, SslCtx, HostName), EFI_UNSUPPORTED);
+}
+
+/**
Sets a TLS/SSL session ID to be used during TLS/SSL connect.
This function sets a session ID to be used when the TLS/SSL connection is
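Review bot: TlsSetServerName is dispatched through CALL_CRYPTO_SERVICE by field name, and that field is appended at the very end of struct _EDKII_CRYPTO_PROTOCOL with EDKII_CRYPTO_VERSION bumped from 17 to 18 in Crypto.h; whether GetCryptoServices() refuses a provider that reports a lower version is not visible in this diff, and if it does not, a consumer built from this tree against an older provider reads past the end of the provider's protocol instance when resolving this call. Worth confirming the version gate covers this case, and documenting the dependency at the call with `// Field added in EDKII_CRYPTO_VERSION 18; absent from older protocol instances` so the next appended service is handled the same way.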
diff --git a/CryptoPkg/Library/TlsLib/InternalTlsLib.h b/CryptoPkg/Library/TlsLib/InternalTlsLib.h
index 97a46af..aca226b 100644
--- a/CryptoPkg/Library/TlsLib/InternalTlsLib.h
+++ b/CryptoPkg/Library/TlsLib/InternalTlsLib.h
@@ -41,4 +41,10 @@ typedef struct {
BIO *OutBio;
} TLS_CONNECTION;
+/* This is a context that we pass to callbacks */
+typedef struct {
+ BIO *BioDebug;
+ INT32 Ack;
+} TLS_EXT_CTX;
+
#endif
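Review bot: TLS_EXT_CTX gains a `BioDebug` member that nothing in this commit assigns or reads, and `Ack` is written by SslServerNameCallback in TlsConfig.c but never read anywhere, so the struct currently carries no information out of the callback. Either drop `BioDebug` or document who is expected to fill it, and replace the bare `/* This is a context that we pass to callbacks */` with a comment that states owner and lifetime, e.g. `/* Argument handed to SslServerNameCallback; allocated by TlsSetServerName and must stay valid for as long as it is registered on the SSL_CTX. */`, since the allocation in TlsSetServerName has no matching release at present.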
diff --git a/CryptoPkg/Library/TlsLib/TlsConfig.c b/CryptoPkg/Library/TlsLib/TlsConfig.c
index afbc583..ac1fe46 100644
--- a/CryptoPkg/Library/TlsLib/TlsConfig.c
+++ b/CryptoPkg/Library/TlsLib/TlsConfig.c
@@ -553,6 +553,85 @@ TlsSetVerifyHost (
}
/**
+ Callback function to get the server name.
+
+ @param[in] SSL
+ @param[in] INT32
+ @param[in] Arg
+
+ @retval INT32
+**/
+STATIC
+INT32
+SslServerNameCallback (
+ SSL *Ssl,
+ INT32 *Ad,
+ VOID *Arg
+ )
+{
+ const CHAR8 *HostName = NULL;
+ TLS_EXT_CTX *TlsCtx = (TLS_EXT_CTX *)Arg;
+
+ HostName = SSL_get_servername (Ssl, TLSEXT_NAMETYPE_host_name);
+
+ if (SSL_get_servername_type (Ssl) != -1) {
+ TlsCtx->Ack = !SSL_session_reused (Ssl) && HostName != NULL;
+ }
+
+ return SSL_TLSEXT_ERR_OK;
+}
+
+/**
+ Set the specified server name in Server/Client.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[in] SslCtx Pointer to the SSL object.
+ @param[in] HostName The specified server name to be set.
+
+ @retval EFI_SUCCESS The Server Name was set successfully.
+ @retval EFI_UNSUPPORTED Failed to set the Server Name.
+**/
+EFI_STATUS
+EFIAPI
+TlsSetServerName (
+ VOID *Tls,
+ VOID *SslCtx,
+ CHAR8 *HostName
+ )
+{
+ SSL_CTX *Ctx;
+ TLS_CONNECTION *TlsConn;
+ UINT32 RetVal;
+ TLS_EXT_CTX *TlsExtCtx = NULL;
+
+ TlsConn = (TLS_CONNECTION *)Tls;
+ Ctx = (SSL_CTX *)SslCtx;
+
+ TlsExtCtx = AllocateZeroPool (sizeof (TLS_EXT_CTX));
+ if (TlsExtCtx == NULL) {
+ return EFI_OUT_OF_RESOURCES;
+ }
+
+ RetVal = SSL_CTX_set_tlsext_servername_callback (Ctx, SslServerNameCallback);
+ if (!RetVal) {
+ return EFI_UNSUPPORTED;
+ }
+
+ RetVal = SSL_CTX_set_tlsext_servername_arg (Ctx, TlsExtCtx);
+ if (!RetVal) {
+ return EFI_UNSUPPORTED;
+ }
+
+ RetVal = SSL_set_tlsext_host_name (TlsConn->Ssl, HostName);
+
+ if (!RetVal) {
+ return EFI_UNSUPPORTED;
+ }
+
+ return EFI_SUCCESS;
+}
+
+/**
Sets a TLS/SSL session ID to be used during TLS/SSL connect.
This function sets a session ID to be used when the TLS/SSL connection is
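Review bot: TlsExtCtx allocated on L205 is leaked on both EFI_UNSUPPORTED paths (L212, L217, L223) and, on success, is registered with SSL_CTX_set_tlsext_servername_arg with no owner that ever frees it, so every call to TlsSetServerName leaks one context and a repeated call silently replaces the registered pointer with a fresh leak. Since nothing in this hunk reads TlsExtCtx->Ack, the smallest correct change is to drop the allocation and the callback registration and keep only the SSL_set_tlsext_host_name call; if the callback is to stay, the context should become a field of TLS_CONNECTION released with it, and the error paths should free it as in the fence below (which fixes the error paths only, not the success-path ownership). The function also dereferences TlsConn->Ssl on L220 and passes HostName through without a NULL check, whereas the neighbouring setters presumably return EFI_INVALID_PARAMETER for NULL arguments. Separately, SslServerNameCallback dereferences Arg unconditionally but is installed on L210 before the argument is set on L215, so a failed SSL_CTX_set_tlsext_servername_arg leaves a server-side ClientHello carrying SNI hitting a NULL TlsCtx; guard it with `if ((TlsCtx != NULL) && (SSL_get_servername_type (Ssl) != -1)) {`, and replace the placeholder `@param[in] SSL` / `@param[in] INT32` lines with the actual parameter names, noting that `Ad` is unused.
```c
  if ((TlsConn == NULL) || (TlsConn->Ssl == NULL) || (Ctx == NULL) || (HostName == NULL)) {
    return EFI_INVALID_PARAMETER;
  }

  // … unchanged: AllocateZeroPool of TlsExtCtx and its EFI_OUT_OF_RESOURCES check …

  RetVal = SSL_CTX_set_tlsext_servername_callback (Ctx, SslServerNameCallback);
  if (RetVal) {
    RetVal = SSL_CTX_set_tlsext_servername_arg (Ctx, TlsExtCtx);
  }

  if (!RetVal) {
    FreePool (TlsExtCtx);
    return EFI_UNSUPPORTED;
  }

  RetVal = SSL_set_tlsext_host_name (TlsConn->Ssl, HostName);
  if (!RetVal) {
    //
    // Detach the context from the SSL_CTX before releasing it so the
    // callback can never observe a dangling Arg.
    //
    SSL_CTX_set_tlsext_servername_arg (Ctx, NULL);
    FreePool (TlsExtCtx);
    return EFI_UNSUPPORTED;
  }

  return EFI_SUCCESS;
```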
diff --git a/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c b/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c
index 18dd604..cbf5ee7 100644
--- a/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c
+++ b/CryptoPkg/Library/TlsLibNull/TlsConfigNull.c
@@ -324,6 +324,28 @@ TlsSetCertRevocationList (
}
/**
+ Set the specified server name in Server/Client.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[in] SslCtx Pointer to the SSL object.
+ @param[in] HostName The specified server name to be set.
+
+ @retval EFI_SUCCESS The Server Name was set successfully.
+ @retval EFI_UNSUPPORTED Failed to set the Server Name.
+**/
+EFI_STATUS
+EFIAPI
+TlsSetServerName (
+ IN VOID *Tls,
+ IN VOID *SslCtx,
+ IN CHAR8 *HostName
+ )
+{
+ ASSERT (FALSE);
+ return EFI_UNSUPPORTED;
+}
+
+/**
Set the signature algorithm list to used by the TLS object.
This function sets the signature algorithms for use by a specified TLS object.
diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h
index 4d91fb7..b3a5553 100644
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@@ -21,7 +21,7 @@
/// the EDK II Crypto Protocol is extended, this version define must be
/// increased.
///
-#define EDKII_CRYPTO_VERSION 17
+#define EDKII_CRYPTO_VERSION 18
///
/// EDK II Crypto Protocol forward declaration
@@ -3952,6 +3952,24 @@ EFI_STATUS
);
/**
+ Set the specified server name in Server/Client.
+
+ @param[in] Tls Pointer to the TLS object.
+ @param[in] SslCtx Pointer to the SSL object.
+ @param[in] HostName The specified server name to be set.
+
+ @retval EFI_SUCCESS The Server Name was set successfully.
+ @retval EFI_UNSUPPORTED Failed to set the Server Name.
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EDKII_CRYPTO_TLS_SET_SERVER_NAME)(
+ IN VOID *Tls,
+ IN VOID *SslCtx,
+ IN CHAR8 *HostName
+ );
+
+/**
Gets the protocol version used by the specified TLS connection.
This function returns the protocol version used by the specified TLS
@@ -5710,6 +5728,8 @@ struct _EDKII_CRYPTO_PROTOCOL {
EDKII_CRYPTO_PKCS1V2_DECRYPT Pkcs1v2Decrypt;
EDKII_CRYPTO_RSA_OAEP_ENCRYPT RsaOaepEncrypt;
EDKII_CRYPTO_RSA_OAEP_DECRYPT RsaOaepDecrypt;
+ /// TLS Set (continued)
+ EDKII_CRYPTO_TLS_SET_SERVER_NAME TlsSetServerName;
};
extern GUID gEdkiiCryptoProtocolGuid;