CryptoPkg: Add a Server Name Indication support.

CryptoPkg/Driver/Crypto.c

@@ -5103,6 +5103,27 @@ CryptoServiceTlsSetCertRevocationList (
   return CALL_BASECRYPTLIB (TlsSet.Services.CertRevocationList, TlsSetCertRevocationList, (Data, DataSize), EFI_UNSUPPORTED);
 }
 
+/**
+  Set the specified server name in Server/Client.
+
+  @param[in]  Tls           Pointer to the TLS object.
+  @param[in]  SslCtx        Pointer to the SSL object.
+  @param[in]  HostName      The specified server name to be set.
+
+  @retval  EFI_SUCCESS      The Server Name was set successfully.
+  @retval  EFI_UNSUPPORTED  Failed to set the Server Name.
+**/
+EFI_STATUS
+EFIAPI
+CryptoServiceTlsSetServerName (
+  VOID   *Tls,
+  VOID   *SslCtx,
+  CHAR8  *HostName
+  )
+{
+  return CALL_BASECRYPTLIB (TlsSet.Services.ServerName, TlsSetServerName, (Tls, SslCtx, HostName), EFI_UNSUPPORTED);
+}
+
 /**
   Set the signature algorithm list to used by the TLS object.
 
@@ -7116,4 +7137,5 @@ const EDKII_CRYPTO_PROTOCOL  mEdkiiCrypto = {
   CryptoServicePkcs1v2Decrypt,
   CryptoServiceRsaOaepEncrypt,
   CryptoServiceRsaOaepDecrypt,
+  CryptoServiceTlsSetServerName,
 };

CryptoPkg/Include/Library/BaseCryptLib.h

@@ -2265,6 +2265,23 @@ RsaOaepDecrypt (
   OUT  UINTN   *OutDataSize
   );
 
+/**
+  Set the specified server name in Server/Client.
+
+  @param[in]  Tls           Pointer to the TLS object.
+  @param[in]  SslCtx        Pointer to the SSL object.
+  @param[in]  HostName      The specified server name to be set.
+
+  @retval  EFI_SUCCESS      The Server Name was set successfully.
+  @retval  EFI_UNSUPPORTED  Failed to set the Server Name.
+**/
+EFI_STATUS
+TlsSetServerName (
+  VOID   *Tls,
+  VOID   *SslCtx,
+  CHAR8  *HostName
+  );
+
 /**
   The 3rd parameter of Pkcs7GetSigners will return all embedded
   X.509 certificate in one given PKCS7 signature. The format is:

CryptoPkg/Include/Library/TlsLib.h

@@ -435,6 +435,22 @@ TlsSetVerifyHost (
   IN     CHAR8   *HostName
   );
 
+/**
+  Set the specified server name to be verified.
+
+  @param[in]  Tls           Pointer to the TLS object.
+  @param[in]  SslCtx        Pointer to the SSL object.
+  @param[in]  HostName      The specified server name to be set.
+
+  @retval  EFI_SUCCESS      The Server Name was set successfully.
+**/
+EFI_STATUS
+TlsSetServerName (
+  VOID   *Tls,
+  VOID   *SslCtx,
+  CHAR8  *HostName
+  );
+
 /**
   Sets a TLS/SSL session ID to be used during TLS/SSL connect.
 

CryptoPkg/Include/Pcd/PcdCryptoServiceFamilyEnable.h

@@ -327,6 +327,7 @@ typedef struct {
       UINT8    HostPrivateKeyEx   : 1;
       UINT8    SignatureAlgoList  : 1;
       UINT8    EcCurve            : 1;
+      UINT8    ServerName         : 1;
     } Services;
     UINT32    Family;
   } TlsSet;

CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c

@@ -4165,6 +4165,26 @@ TlsSetVerifyHost (
   CALL_CRYPTO_SERVICE (TlsSetVerifyHost, (Tls, Flags, HostName), EFI_UNSUPPORTED);
 }
 
+/**
+  Set the specified server name in Server/Client.
+
+  @param[in]  Tls           Pointer to the TLS object.
+  @param[in]  SslCtx        Pointer to the SSL object.
+  @param[in]  HostName      The specified server name to be set.
+
+  @retval  EFI_SUCCESS      The Server Name was set successfully.
+  @retval  EFI_UNSUPPORTED  Failed to set the Server Name.
+**/
+EFI_STATUS
+TlsSetServerName (
+  VOID   *Tls,
+  VOID   *SslCtx,
+  CHAR8  *HostName
+  )
+{
+  CALL_CRYPTO_SERVICE (TlsSetServerName, (Tls, SslCtx, HostName), EFI_UNSUPPORTED);
+}
+
 /**
   Sets a TLS/SSL session ID to be used during TLS/SSL connect.
 

CryptoPkg/Library/TlsLib/InternalTlsLib.h

@@ -41,4 +41,10 @@ typedef struct {
   BIO    *OutBio;
 } TLS_CONNECTION;
 
+/* This is a context that we pass to callbacks */
+typedef struct {
+  BIO      *BioDebug;
+  INT32    Ack;
+} TLS_EXT_CTX;
+
 #endif

CryptoPkg/Library/TlsLib/TlsConfig.c

@@ -8,6 +8,9 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 **/
 
 #include "InternalTlsLib.h"
+#include <openssl/tls1.h>
+#include <openssl/ssl.h>
+#include <ssl/ssl_local.h>
 
 typedef struct {
   //
@@ -552,6 +555,84 @@ TlsSetVerifyHost (
   return (ParamStatus == 1) ? EFI_SUCCESS : EFI_ABORTED;
 }
 
+/**
+  Callback function to get the server name.
+
+  @param[in]  SSL
+  @param[in]  INT32
+  @param[in]  Arg
+
+  @retval  INT32
+**/
+static
+INT32
+SslServerNameCallback (
+  SSL    *Ssl,
+  INT32  *Ad,
+  VOID   *Arg
+  )
+{
+  const CHAR8  *HostName = NULL;
+  TLS_EXT_CTX  *TlsCtx   = (TLS_EXT_CTX *)Arg;
+
+  HostName = SSL_get_servername (Ssl, TLSEXT_NAMETYPE_host_name);
+
+  if (SSL_get_servername_type (Ssl) != -1) {
+    TlsCtx->Ack = !SSL_session_reused (Ssl) && HostName != NULL;
+  }
+
+  return SSL_TLSEXT_ERR_OK;
+}
+
+/**
+  Set the specified server name in Server/Client.
+
+  @param[in]  Tls           Pointer to the TLS object.
+  @param[in]  SslCtx        Pointer to the SSL object.
+  @param[in]  HostName      The specified server name to be set.
+
+  @retval  EFI_SUCCESS      The Server Name was set successfully.
+  @retval  EFI_UNSUPPORTED  Failed to set the Server Name.
+**/
+EFI_STATUS
+TlsSetServerName (
+  VOID   *Tls,
+  VOID   *SslCtx,
+  CHAR8  *HostName
+  )
+{
+  SSL_CTX         *Ctx;
+  TLS_CONNECTION  *TlsConn;
+  UINT32          RetVal;
+  TLS_EXT_CTX     *TlsExtCtx = NULL;
+
+  TlsConn = (TLS_CONNECTION *)Tls;
+  Ctx     = (SSL_CTX *)SslCtx;
+
+  TlsExtCtx = AllocateZeroPool (sizeof (TLS_EXT_CTX));
+  if (TlsExtCtx == NULL) {
+    return EFI_OUT_OF_RESOURCES;
+  }
+
+  RetVal = SSL_CTX_set_tlsext_servername_callback (Ctx, SslServerNameCallback);
+  if (!RetVal) {
+    return EFI_UNSUPPORTED;
+  }
+
+  RetVal = SSL_CTX_set_tlsext_servername_arg (Ctx, TlsExtCtx);
+  if (!RetVal) {
+    return EFI_UNSUPPORTED;
+  }
+
+  RetVal = SSL_set_tlsext_host_name (TlsConn->Ssl, HostName);
+
+  if (!RetVal) {
+    return EFI_UNSUPPORTED;
+  }
+
+  return EFI_SUCCESS;
+}
+
 /**
   Sets a TLS/SSL session ID to be used during TLS/SSL connect.
 

CryptoPkg/Library/TlsLibNull/TlsConfigNull.c

@@ -323,6 +323,28 @@ TlsSetCertRevocationList (
   return EFI_UNSUPPORTED;
 }
 
+/**
+  Set the specified server name in Server/Client.
+
+  @param[in]  Tls           Pointer to the TLS object.
+  @param[in]  SslCtx        Pointer to the SSL object.
+  @param[in]  HostName      The specified server name to be set.
+
+  @retval  EFI_SUCCESS      The Server Name was set successfully.
+  @retval  EFI_UNSUPPORTED  Failed to set the Server Name.
+**/
+EFI_STATUS
+EFIAPI
+TlsSetServerName (
+  IN     VOID   *Tls,
+  IN     VOID   *SslCtx,
+  IN     CHAR8  *HostName
+  )
+{
+  ASSERT (FALSE);
+  return EFI_UNSUPPORTED;
+}
+
 /**
   Set the signature algorithm list to used by the TLS object.
 

CryptoPkg/Private/Protocol/Crypto.h

@@ -3951,6 +3951,24 @@ EFI_STATUS
   IN     UINTN                    DataSize
   );
 
+/**
+  Set the specified server name in Server/Client.
+
+  @param[in]  Tls           Pointer to the TLS object.
+  @param[in]  SslCtx        Pointer to the SSL object.
+  @param[in]  HostName      The specified server name to be set.
+
+  @retval  EFI_SUCCESS      The Server Name was set successfully.
+  @retval  EFI_UNSUPPORTED  Failed to set the Server Name.
+**/
+typedef
+EFI_STATUS
+(EFIAPI *EDKII_CRYPTO_TLS_SET_SERVER_NAME)(
+  IN     VOID            *Tls,
+  IN     VOID            *SslCtx,
+  IN     CHAR8           *HostName
+  );
+
 /**
   Gets the protocol version used by the specified TLS connection.
 
@@ -5710,6 +5728,7 @@ struct _EDKII_CRYPTO_PROTOCOL {
   EDKII_CRYPTO_PKCS1V2_DECRYPT                        Pkcs1v2Decrypt;
   EDKII_CRYPTO_RSA_OAEP_ENCRYPT                       RsaOaepEncrypt;
   EDKII_CRYPTO_RSA_OAEP_DECRYPT                       RsaOaepDecrypt;
+  EDKII_CRYPTO_TLS_SET_SERVER_NAME                    TlsSetServerName;
 };
 
 extern GUID  gEdkiiCryptoProtocolGuid;

NetworkPkg/TlsDxe/TlsProtocol.c

@@ -187,7 +187,11 @@ TlsSetSessionData (
       }
 
       Status = TlsSetVerifyHost (Instance->TlsConn, TlsVerifyHost->Flags, TlsVerifyHost->HostName);
+      if (EFI_ERROR (Status)) {
+        goto ON_EXIT;
+      }
 
+      Status = TlsSetServerName (Instance->TlsConn, Instance->Service->TlsCtx, TlsVerifyHost->HostName);
       break;
     case EfiTlsSessionID:
       if (DataSize != sizeof (EFI_TLS_SESSION_ID)) {