[PATCH V3 0/8] CryptoPkg: Retire the deprecated functions

[PATCH V3 0/8] CryptoPkg: Retire the deprecated functions

[Gao, Zhichao]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898

Retire below deprecated functions:
MD4, ARC4, TDES, AES ECB MODE, HMAC MD5, HMAC SHA1.

V2:
Seprate the MD5 and SHA1 changes to other patch set.
Change the deprecated function wrapper implementatuion in
EDKII_CRYPTO_PROTOCOL to call a dummy function to print debug
message and assert.

V3:
Remove the missing part of deprecated functions in V2.
Change the name field in the EDKII_CRYPTO_PROTOCOL to indicate
the function is deprecated and unsupported.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>

Zhichao Gao (8):
  CryptoPkg/CryptoDxe: Add function to indicate the deprecated algorithm
  CryptoPkg/BaseCrpytLib: Retire MD4 algorithm
  CryptoPkg/BaseCryptLib: Retire ARC4 algorithm
  CryptoPkg/BaseCryptLib: Retire the Tdes algorithm
  CryptoPkg/BaseCryptLib: Retire Aes Ecb mode algorithm
  CryptoPkg/BaseCryptLib: Retire HMAC MD5 algorithm
  CryptoPkg/BaseCryptLib: Retire HMAC SHA1 algorithm
  CryptoPkg/Crypto.h: Update the version of Crypto Driver

 CryptoPkg/CryptoPkg.dsc                       |   46 +-
 CryptoPkg/Driver/Crypto.c                     |  780 ++---------
 CryptoPkg/Include/Library/BaseCryptLib.h      |  809 ------------
 .../Library/BaseCryptLib/BaseCryptLib.inf     |    7 +-
 .../Library/BaseCryptLib/Cipher/CryptAes.c    |  114 --
 .../BaseCryptLib/Cipher/CryptAesNull.c        |   52 -
 .../Library/BaseCryptLib/Cipher/CryptArc4.c   |  205 ---
 .../BaseCryptLib/Cipher/CryptArc4Null.c       |  124 --
 .../Library/BaseCryptLib/Cipher/CryptTdes.c   |  364 ------
 .../BaseCryptLib/Cipher/CryptTdesNull.c       |  160 ---
 .../Library/BaseCryptLib/Hash/CryptMd4.c      |  223 ----
 .../Library/BaseCryptLib/Hash/CryptMd4Null.c  |  143 --
 .../Library/BaseCryptLib/Hmac/CryptHmacMd5.c  |  216 ---
 .../BaseCryptLib/Hmac/CryptHmacMd5Null.c      |  139 --
 .../Library/BaseCryptLib/Hmac/CryptHmacSha1.c |  216 ---
 .../BaseCryptLib/Hmac/CryptHmacSha1Null.c     |  139 --
 .../Library/BaseCryptLib/PeiCryptLib.inf      |   11 +-
 .../Library/BaseCryptLib/PeiCryptLib.uni      |    4 +-
 CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c |    7 +-
 .../Library/BaseCryptLib/RuntimeCryptLib.inf  |   11 +-
 .../Library/BaseCryptLib/RuntimeCryptLib.uni  |    4 +-
 .../Library/BaseCryptLib/SmmCryptLib.inf      |   12 +-
 .../Library/BaseCryptLib/SmmCryptLib.uni      |    4 +-
 .../BaseCryptLibNull/BaseCryptLibNull.inf     |    5 -
 .../BaseCryptLibNull/Cipher/CryptAesNull.c    |   52 -
 .../BaseCryptLibNull/Cipher/CryptArc4Null.c   |  124 --
 .../BaseCryptLibNull/Cipher/CryptTdesNull.c   |  160 ---
 .../BaseCryptLibNull/Hash/CryptMd4Null.c      |  143 --
 .../BaseCryptLibNull/Hmac/CryptHmacMd5Null.c  |  139 --
 .../BaseCryptLibNull/Hmac/CryptHmacSha1Null.c |  139 --
 .../BaseCryptLibOnProtocolPpi/CryptLib.c      | 1157 ++---------------
 .../Library/Include/openssl/opensslconf.h     |    9 +
 CryptoPkg/Library/OpensslLib/OpensslLib.inf   |   28 -
 .../Library/OpensslLib/OpensslLibCrypto.inf   |   28 -
 CryptoPkg/Private/Protocol/Crypto.h           |  708 ++--------
 35 files changed, 389 insertions(+), 6093 deletions(-)
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4Null.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptArc4Null.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c

-- 
2.21.0.windows.1

[PATCH V3 1/8] CryptoPkg/CryptoDxe: Add function to indicate the deprecated algorithm

[Gao, Zhichao]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898

Add a internal worker function to indicate the deprecated functions.
It would print out debug messages and asserts ot inform the consumer
they are using a deprecated function.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
 CryptoPkg/Driver/Crypto.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index 35bf2d3d92..05ad4b5d55 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -86,6 +86,24 @@ BaseCryptLibServciceNotEnabled (
   ASSERT_EFI_ERROR (EFI_UNSUPPORTED);
 }
 
+/**
+  Internal worker function that prints a debug message and asserts if a call is
+  made to a BaseCryptLib function that is deprecated and unsupported any longer.
+
+  @param[in]  FunctionName  Null-terminated ASCII string that is the name of an
+                            EDK II Crypto service.
+
+**/
+static
+VOID
+BaseCryptLibServciceDeprecated (
+  IN CONST CHAR8  *FunctionName
+  )
+{
+  DEBUG ((DEBUG_ERROR, "[%a] Function %a() is deprecated and unsupported any longer\n", gEfiCallerBaseName, FunctionName));
+  ASSERT_EFI_ERROR (EFI_UNSUPPORTED);
+}
+
 /**
   Returns the version of the EDK II Crypto Protocol.
 
-- 
2.21.0.windows.1

Re: [edk2-devel] [PATCH V3 1/8] CryptoPkg/CryptoDxe: Add function to indicate the deprecated algorithm

[Philippe Mathieu-Daudé]

On 5/7/20 1:57 AM, Gao, Zhichao wrote:
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
> 
> Add a internal worker function to indicate the deprecated functions.
> It would print out debug messages and asserts ot inform the consumer

Typo "to inform".

> they are using a deprecated function.
> 
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Siyuan Fu <siyuan.fu@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> ---
>   CryptoPkg/Driver/Crypto.c | 18 ++++++++++++++++++
>   1 file changed, 18 insertions(+)
> 
> diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
> index 35bf2d3d92..05ad4b5d55 100644
> --- a/CryptoPkg/Driver/Crypto.c
> +++ b/CryptoPkg/Driver/Crypto.c
> @@ -86,6 +86,24 @@ BaseCryptLibServciceNotEnabled (
>     ASSERT_EFI_ERROR (EFI_UNSUPPORTED);
>   }
>   
> +/**
> +  Internal worker function that prints a debug message and asserts if a call is
> +  made to a BaseCryptLib function that is deprecated and unsupported any longer.
> +
> +  @param[in]  FunctionName  Null-terminated ASCII string that is the name of an
> +                            EDK II Crypto service.
> +
> +**/
> +static
> +VOID
> +BaseCryptLibServciceDeprecated (
> +  IN CONST CHAR8  *FunctionName

Why extra space alignment?

Otherwise:
Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>

> +  )
> +{
> +  DEBUG ((DEBUG_ERROR, "[%a] Function %a() is deprecated and unsupported any longer\n", gEfiCallerBaseName, FunctionName));
> +  ASSERT_EFI_ERROR (EFI_UNSUPPORTED);
> +}
> +
>   /**
>     Returns the version of the EDK II Crypto Protocol.
>   
> 

Re: [edk2-devel] [PATCH V3 1/8] CryptoPkg/CryptoDxe: Add function to indicate the deprecated algorithm

[Philippe Mathieu-Daudé]

On Thu, May 7, 2020 at 9:45 AM Philippe Mathieu-Daudé <philmd@redhat.com> wrote:
>
> On 5/7/20 1:57 AM, Gao, Zhichao wrote:
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
> >
> > Add a internal worker function to indicate the deprecated functions.
> > It would print out debug messages and asserts ot inform the consumer
>
> Typo "to inform".
>
> > they are using a deprecated function.
> >
> > Cc: Jian J Wang <jian.j.wang@intel.com>
> > Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> > Cc: Siyuan Fu <siyuan.fu@intel.com>
> > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> > ---
> >   CryptoPkg/Driver/Crypto.c | 18 ++++++++++++++++++
> >   1 file changed, 18 insertions(+)
> >
> > diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
> > index 35bf2d3d92..05ad4b5d55 100644
> > --- a/CryptoPkg/Driver/Crypto.c
> > +++ b/CryptoPkg/Driver/Crypto.c
> > @@ -86,6 +86,24 @@ BaseCryptLibServciceNotEnabled (
> >     ASSERT_EFI_ERROR (EFI_UNSUPPORTED);
> >   }
> >
> > +/**
> > +  Internal worker function that prints a debug message and asserts if a call is
> > +  made to a BaseCryptLib function that is deprecated and unsupported any longer.
> > +
> > +  @param[in]  FunctionName  Null-terminated ASCII string that is the name of an
> > +                            EDK II Crypto service.
> > +
> > +**/
> > +static
> > +VOID
> > +BaseCryptLibServciceDeprecated (

Oh also another typo (extra 'c'):

"BaseCryptLibServiceDeprecated"

Maybe rename as "BaseCryptLibDeprecatedService"?

> > +  IN CONST CHAR8  *FunctionName
>
> Why extra space alignment?
>
> Otherwise:
> Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
>
> > +  )
> > +{
> > +  DEBUG ((DEBUG_ERROR, "[%a] Function %a() is deprecated and unsupported any longer\n", gEfiCallerBaseName, FunctionName));
> > +  ASSERT_EFI_ERROR (EFI_UNSUPPORTED);
> > +}
> > +
> >   /**
> >     Returns the version of the EDK II Crypto Protocol.
> >
> >

Re: [edk2-devel] [PATCH V3 1/8] CryptoPkg/CryptoDxe: Add function to indicate the deprecated algorithm

[Gao, Zhichao]

Thanks for point out the typo. I would fix it.
About the align, see below.

> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Philippe
> Mathieu-Daudé
> Sent: Thursday, May 7, 2020 3:48 PM
> To: edk2-devel-groups-io <devel@edk2.groups.io>; Gao, Zhichao
> <zhichao.gao@intel.com>
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>;
> Fu, Siyuan <siyuan.fu@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>
> Subject: Re: [edk2-devel] [PATCH V3 1/8] CryptoPkg/CryptoDxe: Add function to
> indicate the deprecated algorithm
> 
> On Thu, May 7, 2020 at 9:45 AM Philippe Mathieu-Daudé <philmd@redhat.com>
> wrote:
> >
> > On 5/7/20 1:57 AM, Gao, Zhichao wrote:
> > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
> > >
> > > Add a internal worker function to indicate the deprecated functions.
> > > It would print out debug messages and asserts ot inform the consumer
> >
> > Typo "to inform".
> >
> > > they are using a deprecated function.
> > >
> > > Cc: Jian J Wang <jian.j.wang@intel.com>
> > > Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> > > Cc: Siyuan Fu <siyuan.fu@intel.com>
> > > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > > Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> > > ---
> > >   CryptoPkg/Driver/Crypto.c | 18 ++++++++++++++++++
> > >   1 file changed, 18 insertions(+)
> > >
> > > diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
> > > index 35bf2d3d92..05ad4b5d55 100644
> > > --- a/CryptoPkg/Driver/Crypto.c
> > > +++ b/CryptoPkg/Driver/Crypto.c
> > > @@ -86,6 +86,24 @@ BaseCryptLibServciceNotEnabled (
> > >     ASSERT_EFI_ERROR (EFI_UNSUPPORTED);
> > >   }
> > >
> > > +/**
> > > +  Internal worker function that prints a debug message and asserts
> > > +if a call is
> > > +  made to a BaseCryptLib function that is deprecated and unsupported any
> longer.
> > > +
> > > +  @param[in]  FunctionName  Null-terminated ASCII string that is the name
> of an
> > > +                            EDK II Crypto service.
> > > +
> > > +**/
> > > +static
> > > +VOID
> > > +BaseCryptLibServciceDeprecated (
> 
> Oh also another typo (extra 'c'):
> 
> "BaseCryptLibServiceDeprecated"
> 
> Maybe rename as "BaseCryptLibDeprecatedService"?
> 
> > > +  IN CONST CHAR8  *FunctionName
> >
> > Why extra space alignment?

See the CCS spec 2.1, 5.7.17:
5.7.1.7 The next lines contain parameters.
Each line will contain a single argument and will start indented two spaces (one tab stop). Type
and argument columns should be aligned to maximize readability and should include
appropriate spacing to ensure this alignment. No comments are allowed in this region.
Parameters are documented clearly in the function header comment block.

Thanks,
Zhichao

> >
> > Otherwise:
> > Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
> >
> > > +  )
> > > +{
> > > +  DEBUG ((DEBUG_ERROR, "[%a] Function %a() is deprecated and
> > > +unsupported any longer\n", gEfiCallerBaseName, FunctionName));
> > > +  ASSERT_EFI_ERROR (EFI_UNSUPPORTED); }
> > > +
> > >   /**
> > >     Returns the version of the EDK II Crypto Protocol.
> > >
> > >
> 
> 
> 

Re: [edk2-devel] [PATCH V3 1/8] CryptoPkg/CryptoDxe: Add function to indicate the deprecated algorithm

[Philippe Mathieu-Daudé]

On 5/8/20 3:09 AM, Gao, Zhichao wrote:
> Thanks for point out the typo. I would fix it.
> About the align, see below.
> 
>> -----Original Message-----
>> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Philippe
>> Mathieu-Daudé
>> Sent: Thursday, May 7, 2020 3:48 PM
>> To: edk2-devel-groups-io <devel@edk2.groups.io>; Gao, Zhichao
>> <zhichao.gao@intel.com>
>> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>;
>> Fu, Siyuan <siyuan.fu@intel.com>; Kinney, Michael D
>> <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>
>> Subject: Re: [edk2-devel] [PATCH V3 1/8] CryptoPkg/CryptoDxe: Add function to
>> indicate the deprecated algorithm
>>
>> On Thu, May 7, 2020 at 9:45 AM Philippe Mathieu-Daudé <philmd@redhat.com>
>> wrote:
>>>
>>> On 5/7/20 1:57 AM, Gao, Zhichao wrote:
>>>> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
>>>>
>>>> Add a internal worker function to indicate the deprecated functions.
>>>> It would print out debug messages and asserts ot inform the consumer
>>>
>>> Typo "to inform".
>>>
>>>> they are using a deprecated function.
>>>>
>>>> Cc: Jian J Wang <jian.j.wang@intel.com>
>>>> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
>>>> Cc: Siyuan Fu <siyuan.fu@intel.com>
>>>> Cc: Michael D Kinney <michael.d.kinney@intel.com>
>>>> Cc: Jiewen Yao <jiewen.yao@intel.com>
>>>> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
>>>> ---
>>>>    CryptoPkg/Driver/Crypto.c | 18 ++++++++++++++++++
>>>>    1 file changed, 18 insertions(+)
>>>>
>>>> diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
>>>> index 35bf2d3d92..05ad4b5d55 100644
>>>> --- a/CryptoPkg/Driver/Crypto.c
>>>> +++ b/CryptoPkg/Driver/Crypto.c
>>>> @@ -86,6 +86,24 @@ BaseCryptLibServciceNotEnabled (
>>>>      ASSERT_EFI_ERROR (EFI_UNSUPPORTED);
>>>>    }
>>>>
>>>> +/**
>>>> +  Internal worker function that prints a debug message and asserts
>>>> +if a call is
>>>> +  made to a BaseCryptLib function that is deprecated and unsupported any
>> longer.
>>>> +
>>>> +  @param[in]  FunctionName  Null-terminated ASCII string that is the name
>> of an
>>>> +                            EDK II Crypto service.
>>>> +
>>>> +**/
>>>> +static
>>>> +VOID
>>>> +BaseCryptLibServciceDeprecated (
>>
>> Oh also another typo (extra 'c'):
>>
>> "BaseCryptLibServiceDeprecated"
>>
>> Maybe rename as "BaseCryptLibDeprecatedService"?
>>
>>>> +  IN CONST CHAR8  *FunctionName
>>>
>>> Why extra space alignment?
> 
> See the CCS spec 2.1, 5.7.17:
> 5.7.1.7 The next lines contain parameters.
> Each line will contain a single argument and will start indented two spaces (one tab stop). Type
> and argument columns should be aligned to maximize readability and should include
> appropriate spacing to ensure this alignment. No comments are allowed in this region.
> Parameters are documented clearly in the function header comment block.

OK, thanks Zhichao.

> 
> Thanks,
> Zhichao
> 
>>>
>>> Otherwise:
>>> Reviewed-by: Philippe Mathieu-Daude <philmd@redhat.com>
>>>
>>>> +  )
>>>> +{
>>>> +  DEBUG ((DEBUG_ERROR, "[%a] Function %a() is deprecated and
>>>> +unsupported any longer\n", gEfiCallerBaseName, FunctionName));
>>>> +  ASSERT_EFI_ERROR (EFI_UNSUPPORTED); }
>>>> +
>>>>    /**
>>>>      Returns the version of the EDK II Crypto Protocol.
>>>>
>>>>
>>
>>
>> 
> 

[PATCH V3 2/8] CryptoPkg/BaseCrpytLib: Retire MD4 algorithm

[Gao, Zhichao]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898

MD4 is not secure any longer.
Remove the MD4 support from edk2.
Change the MD4 field name in EDKII_CRYPTO_PROTOCOL to indicate the
function is unsupported any longer.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
 CryptoPkg/CryptoPkg.dsc                       |   1 -
 CryptoPkg/Driver/Crypto.c                     | 135 ++---------
 CryptoPkg/Include/Library/BaseCryptLib.h      | 145 ------------
 .../Library/BaseCryptLib/BaseCryptLib.inf     |   3 +-
 .../Library/BaseCryptLib/Hash/CryptMd4.c      | 223 ------------------
 .../Library/BaseCryptLib/Hash/CryptMd4Null.c  | 143 -----------
 .../Library/BaseCryptLib/PeiCryptLib.inf      |   5 +-
 .../Library/BaseCryptLib/PeiCryptLib.uni      |   6 +-
 .../Library/BaseCryptLib/RuntimeCryptLib.inf  |   5 +-
 .../Library/BaseCryptLib/RuntimeCryptLib.uni  |   6 +-
 .../Library/BaseCryptLib/SmmCryptLib.inf      |   5 +-
 .../Library/BaseCryptLib/SmmCryptLib.uni      |   6 +-
 .../BaseCryptLibNull/BaseCryptLibNull.inf     |   1 -
 .../BaseCryptLibNull/Hash/CryptMd4Null.c      | 143 -----------
 .../BaseCryptLibOnProtocolPpi/CryptLib.c      | 158 -------------
 .../Library/Include/openssl/opensslconf.h     |   3 +
 CryptoPkg/Library/OpensslLib/OpensslLib.inf   |   3 -
 .../Library/OpensslLib/OpensslLibCrypto.inf   |   3 -
 CryptoPkg/Private/Protocol/Crypto.h           | 123 ++--------
 19 files changed, 55 insertions(+), 1062 deletions(-)
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c

diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
index f79ff331cf..6ed7046563 100644
--- a/CryptoPkg/CryptoPkg.dsc
+++ b/CryptoPkg/CryptoPkg.dsc
@@ -140,7 +140,6 @@
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacMd5.Family    | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family   | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md4.Family        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family       | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Dh.Family         | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index 05ad4b5d55..95fc834bde 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -124,161 +124,68 @@ CryptoServiceGetCryptoVersion (
 //=====================================================================================
 
 /**
-  Retrieves the size, in bytes, of the context buffer required for MD4 hash operations.
-
-  If this interface is not supported, then return zero.
-
-  @return  The size, in bytes, of the context buffer required for MD4 hash operations.
-  @retval  0   This interface is not supported.
+  MD4 is deprecated and unsupported any longer.
+  Keep the function field for binary compability.
 
 **/
 UINTN
 EFIAPI
-CryptoServiceMd4GetContextSize (
+DeprecatedCryptoServiceMd4GetContextSize (
   VOID
   )
 {
-  return CALL_BASECRYPTLIB (Md4.Services.GetContextSize, Md4GetContextSize, (), 0);
+  return BaseCryptLibServciceDeprecated ("Md4GetContextSize"), 0;
 }
 
-/**
-  Initializes user-supplied memory pointed by Md4Context as MD4 hash context for
-  subsequent use.
-
-  If Md4Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  Md4Context  Pointer to MD4 context being initialized.
-
-  @retval TRUE   MD4 context initialization succeeded.
-  @retval FALSE  MD4 context initialization failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceMd4Init (
+DeprecatedCryptoServiceMd4Init (
   OUT  VOID  *Md4Context
   )
 {
-  return CALL_BASECRYPTLIB (Md4.Services.Init, Md4Init, (Md4Context), FALSE);
+  return BaseCryptLibServciceDeprecated ("Md4Init"), FALSE;
 }
 
-/**
-  Makes a copy of an existing MD4 context.
-
-  If Md4Context is NULL, then return FALSE.
-  If NewMd4Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]  Md4Context     Pointer to MD4 context being copied.
-  @param[out] NewMd4Context  Pointer to new MD4 context.
-
-  @retval TRUE   MD4 context copy succeeded.
-  @retval FALSE  MD4 context copy failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceMd4Duplicate (
+DeprecatedCryptoServiceMd4Duplicate (
   IN   CONST VOID  *Md4Context,
   OUT  VOID        *NewMd4Context
   )
 {
-  return CALL_BASECRYPTLIB (Md4.Services.Duplicate, Md4Duplicate, (Md4Context, NewMd4Context), FALSE);
+  return BaseCryptLibServciceDeprecated ("Md4Duplicate"), FALSE;
 }
 
-/**
-  Digests the input data and updates MD4 context.
-
-  This function performs MD4 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  MD4 context should be already correctly initialized by Md4Init(), and should not be finalized
-  by Md4Final(). Behavior with invalid context is undefined.
-
-  If Md4Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Md4Context  Pointer to the MD4 context.
-  @param[in]       Data        Pointer to the buffer containing the data to be hashed.
-  @param[in]       DataSize    Size of Data buffer in bytes.
-
-  @retval TRUE   MD4 data digest succeeded.
-  @retval FALSE  MD4 data digest failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceMd4Update (
+DeprecatedCryptoServiceMd4Update (
   IN OUT  VOID        *Md4Context,
   IN      CONST VOID  *Data,
   IN      UINTN       DataSize
   )
 {
-  return CALL_BASECRYPTLIB (Md4.Services.Update, Md4Update, (Md4Context, Data, DataSize), FALSE);
+  return BaseCryptLibServciceDeprecated ("Md4Update"), FALSE;
 }
 
-/**
-  Completes computation of the MD4 digest value.
-
-  This function completes MD4 hash computation and retrieves the digest value into
-  the specified memory. After this function has been called, the MD4 context cannot
-  be used again.
-  MD4 context should be already correctly initialized by Md4Init(), and should not be
-  finalized by Md4Final(). Behavior with invalid MD4 context is undefined.
-
-  If Md4Context is NULL, then return FALSE.
-  If HashValue is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Md4Context  Pointer to the MD4 context.
-  @param[out]      HashValue   Pointer to a buffer that receives the MD4 digest
-                               value (16 bytes).
-
-  @retval TRUE   MD4 digest computation succeeded.
-  @retval FALSE  MD4 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceMd4Final (
+DeprecatedCryptoServiceMd4Final (
   IN OUT  VOID   *Md4Context,
   OUT     UINT8  *HashValue
   )
 {
-  return CALL_BASECRYPTLIB (Md4.Services.Final, Md4Final, (Md4Context, HashValue), FALSE);
+  return BaseCryptLibServciceDeprecated ("Md4Final"), FALSE;
 }
 
-/**
-  Computes the MD4 message digest of a input data buffer.
-
-  This function performs the MD4 message digest of a given data buffer, and places
-  the digest value into the specified memory.
-
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   Data        Pointer to the buffer containing the data to be hashed.
-  @param[in]   DataSize    Size of Data buffer in bytes.
-  @param[out]  HashValue   Pointer to a buffer that receives the MD4 digest
-                           value (16 bytes).
-
-  @retval TRUE   MD4 digest computation succeeded.
-  @retval FALSE  MD4 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceMd4HashAll (
+DeprecatedCryptoServiceMd4HashAll (
   IN   CONST VOID  *Data,
   IN   UINTN       DataSize,
   OUT  UINT8       *HashValue
   )
 {
-  return CALL_BASECRYPTLIB (Md4.Services.HashAll, Md4HashAll, (Data, DataSize, HashValue), FALSE);
+  return BaseCryptLibServciceDeprecated ("Md4HashAll"), FALSE;
 }
 
 /**
@@ -4440,13 +4347,13 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
   CryptoServiceHmacSha256Duplicate,
   CryptoServiceHmacSha256Update,
   CryptoServiceHmacSha256Final,
-  /// Md4
-  CryptoServiceMd4GetContextSize,
-  CryptoServiceMd4Init,
-  CryptoServiceMd4Duplicate,
-  CryptoServiceMd4Update,
-  CryptoServiceMd4Final,
-  CryptoServiceMd4HashAll,
+  /// Md4 - deprecated and unsupported
+  DeprecatedCryptoServiceMd4GetContextSize,
+  DeprecatedCryptoServiceMd4Init,
+  DeprecatedCryptoServiceMd4Duplicate,
+  DeprecatedCryptoServiceMd4Update,
+  DeprecatedCryptoServiceMd4Final,
+  DeprecatedCryptoServiceMd4HashAll,
   /// Md5
   CryptoServiceMd5GetContextSize,
   CryptoServiceMd5Init,
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index 5e8f2e0a10..c862f0334f 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -14,11 +14,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 
 #include <Uefi/UefiBaseType.h>
 
-///
-/// MD4 digest size in bytes
-///
-#define MD4_DIGEST_SIZE     16
-
 ///
 /// MD5 digest size in bytes
 ///
@@ -77,146 +72,6 @@ typedef enum {
 //    One-Way Cryptographic Hash Primitives
 //=====================================================================================
 
-/**
-  Retrieves the size, in bytes, of the context buffer required for MD4 hash operations.
-
-  If this interface is not supported, then return zero.
-
-  @return  The size, in bytes, of the context buffer required for MD4 hash operations.
-  @retval  0   This interface is not supported.
-
-**/
-UINTN
-EFIAPI
-Md4GetContextSize (
-  VOID
-  );
-
-/**
-  Initializes user-supplied memory pointed by Md4Context as MD4 hash context for
-  subsequent use.
-
-  If Md4Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  Md4Context  Pointer to MD4 context being initialized.
-
-  @retval TRUE   MD4 context initialization succeeded.
-  @retval FALSE  MD4 context initialization failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Init (
-  OUT  VOID  *Md4Context
-  );
-
-/**
-  Makes a copy of an existing MD4 context.
-
-  If Md4Context is NULL, then return FALSE.
-  If NewMd4Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]  Md4Context     Pointer to MD4 context being copied.
-  @param[out] NewMd4Context  Pointer to new MD4 context.
-
-  @retval TRUE   MD4 context copy succeeded.
-  @retval FALSE  MD4 context copy failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Duplicate (
-  IN   CONST VOID  *Md4Context,
-  OUT  VOID        *NewMd4Context
-  );
-
-/**
-  Digests the input data and updates MD4 context.
-
-  This function performs MD4 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  MD4 context should be already correctly initialized by Md4Init(), and should not be finalized
-  by Md4Final(). Behavior with invalid context is undefined.
-
-  If Md4Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Md4Context  Pointer to the MD4 context.
-  @param[in]       Data        Pointer to the buffer containing the data to be hashed.
-  @param[in]       DataSize    Size of Data buffer in bytes.
-
-  @retval TRUE   MD4 data digest succeeded.
-  @retval FALSE  MD4 data digest failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Update (
-  IN OUT  VOID        *Md4Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  );
-
-/**
-  Completes computation of the MD4 digest value.
-
-  This function completes MD4 hash computation and retrieves the digest value into
-  the specified memory. After this function has been called, the MD4 context cannot
-  be used again.
-  MD4 context should be already correctly initialized by Md4Init(), and should not be
-  finalized by Md4Final(). Behavior with invalid MD4 context is undefined.
-
-  If Md4Context is NULL, then return FALSE.
-  If HashValue is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Md4Context  Pointer to the MD4 context.
-  @param[out]      HashValue   Pointer to a buffer that receives the MD4 digest
-                               value (16 bytes).
-
-  @retval TRUE   MD4 digest computation succeeded.
-  @retval FALSE  MD4 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Final (
-  IN OUT  VOID   *Md4Context,
-  OUT     UINT8  *HashValue
-  );
-
-/**
-  Computes the MD4 message digest of a input data buffer.
-
-  This function performs the MD4 message digest of a given data buffer, and places
-  the digest value into the specified memory.
-
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   Data        Pointer to the buffer containing the data to be hashed.
-  @param[in]   DataSize    Size of Data buffer in bytes.
-  @param[out]  HashValue   Pointer to a buffer that receives the MD4 digest
-                           value (16 bytes).
-
-  @retval TRUE   MD4 digest computation succeeded.
-  @retval FALSE  MD4 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4HashAll (
-  IN   CONST VOID  *Data,
-  IN   UINTN       DataSize,
-  OUT  UINT8       *HashValue
-  );
-
 /**
   Retrieves the size, in bytes, of the context buffer required for MD5 hash operations.
 
diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
index a63ad66b4f..22992e7d43 100644
--- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -6,7 +6,7 @@
 #  This external input must be validated carefully to avoid security issues such as
 #  buffer overflow or integer overflow.
 #
-#  Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
 #  Copyright (c) 2020, Hewlett Packard Enterprise Development LP. All rights reserved.<BR>
 #  SPDX-License-Identifier: BSD-2-Clause-Patent
 #
@@ -29,7 +29,6 @@
 
 [Sources]
   InternalCryptLib.h
-  Hash/CryptMd4.c
   Hash/CryptMd5.c
   Hash/CryptSha1.c
   Hash/CryptSha256.c
diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c b/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c
deleted file mode 100644
index bc02da07b0..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c
+++ /dev/null
@@ -1,223 +0,0 @@
-/** @file
-  MD4 Digest Wrapper Implementation over OpenSSL.
-
-Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-#include <openssl/md4.h>
-
-/**
-  Retrieves the size, in bytes, of the context buffer required for MD4 hash operations.
-
-  @return  The size, in bytes, of the context buffer required for MD4 hash operations.
-
-**/
-UINTN
-EFIAPI
-Md4GetContextSize (
-  VOID
-  )
-{
-  //
-  // Retrieves the OpenSSL MD4 Context Size
-  //
-  return (UINTN) (sizeof (MD4_CTX));
-}
-
-/**
-  Initializes user-supplied memory pointed by Md4Context as MD4 hash context for
-  subsequent use.
-
-  If Md4Context is NULL, then return FALSE.
-
-  @param[out]  Md4Context  Pointer to MD4 context being initialized.
-
-  @retval TRUE   MD4 context initialization succeeded.
-  @retval FALSE  MD4 context initialization failed.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Init (
-  OUT  VOID  *Md4Context
-  )
-{
-  //
-  // Check input parameters.
-  //
-  if (Md4Context == NULL) {
-    return FALSE;
-  }
-
-  //
-  // OpenSSL MD4 Context Initialization
-  //
-  return (BOOLEAN) (MD4_Init ((MD4_CTX *) Md4Context));
-}
-
-/**
-  Makes a copy of an existing MD4 context.
-
-  If Md4Context is NULL, then return FALSE.
-  If NewMd4Context is NULL, then return FALSE.
-
-  @param[in]  Md4Context     Pointer to MD4 context being copied.
-  @param[out] NewMd4Context  Pointer to new MD4 context.
-
-  @retval TRUE   MD4 context copy succeeded.
-  @retval FALSE  MD4 context copy failed.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Duplicate (
-  IN   CONST VOID  *Md4Context,
-  OUT  VOID        *NewMd4Context
-  )
-{
-  //
-  // Check input parameters.
-  //
-  if (Md4Context == NULL || NewMd4Context == NULL) {
-    return FALSE;
-  }
-
-  CopyMem (NewMd4Context, Md4Context, sizeof (MD4_CTX));
-
-  return TRUE;
-}
-
-/**
-  Digests the input data and updates MD4 context.
-
-  This function performs MD4 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  MD4 context should be already correctly initialized by Md4Init(), and should not be finalized
-  by Md4Final(). Behavior with invalid context is undefined.
-
-  If Md4Context is NULL, then return FALSE.
-
-  @param[in, out]  Md4Context  Pointer to the MD4 context.
-  @param[in]       Data        Pointer to the buffer containing the data to be hashed.
-  @param[in]       DataSize    Size of Data buffer in bytes.
-
-  @retval TRUE   MD4 data digest succeeded.
-  @retval FALSE  MD4 data digest failed.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Update (
-  IN OUT  VOID        *Md4Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  )
-{
-  //
-  // Check input parameters.
-  //
-  if (Md4Context == NULL) {
-    return FALSE;
-  }
-
-  //
-  // Check invalid parameters, in case that only DataLength was checked in OpenSSL
-  //
-  if (Data == NULL && DataSize != 0) {
-    return FALSE;
-  }
-
-  //
-  // OpenSSL MD4 Hash Update
-  //
-  return (BOOLEAN) (MD4_Update ((MD4_CTX *) Md4Context, Data, DataSize));
-}
-
-/**
-  Completes computation of the MD4 digest value.
-
-  This function completes MD4 hash computation and retrieves the digest value into
-  the specified memory. After this function has been called, the MD4 context cannot
-  be used again.
-  MD4 context should be already correctly initialized by Md4Init(), and should not be
-  finalized by Md4Final(). Behavior with invalid MD4 context is undefined.
-
-  If Md4Context is NULL, then return FALSE.
-  If HashValue is NULL, then return FALSE.
-
-  @param[in, out]  Md4Context  Pointer to the MD4 context.
-  @param[out]      HashValue   Pointer to a buffer that receives the MD4 digest
-                               value (16 bytes).
-
-  @retval TRUE   MD4 digest computation succeeded.
-  @retval FALSE  MD4 digest computation failed.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Final (
-  IN OUT  VOID   *Md4Context,
-  OUT     UINT8  *HashValue
-  )
-{
-  //
-  // Check input parameters.
-  //
-  if (Md4Context == NULL || HashValue == NULL) {
-    return FALSE;
-  }
-
-  //
-  // OpenSSL MD4 Hash Finalization
-  //
-  return (BOOLEAN) (MD4_Final (HashValue, (MD4_CTX *) Md4Context));
-}
-
-/**
-  Computes the MD4 message digest of a input data buffer.
-
-  This function performs the MD4 message digest of a given data buffer, and places
-  the digest value into the specified memory.
-
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   Data        Pointer to the buffer containing the data to be hashed.
-  @param[in]   DataSize    Size of Data buffer in bytes.
-  @param[out]  HashValue   Pointer to a buffer that receives the MD4 digest
-                           value (16 bytes).
-
-  @retval TRUE   MD4 digest computation succeeded.
-  @retval FALSE  MD4 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4HashAll (
-  IN   CONST VOID  *Data,
-  IN   UINTN       DataSize,
-  OUT  UINT8       *HashValue
-  )
-{
-  //
-  // Check input parameters.
-  //
-  if (HashValue == NULL) {
-    return FALSE;
-  }
-  if (Data == NULL && DataSize != 0) {
-    return FALSE;
-  }
-
-  //
-  // OpenSSL MD4 Hash Computation.
-  //
-  if (MD4 (Data, DataSize, HashValue) == NULL) {
-    return FALSE;
-  } else {
-    return TRUE;
-  }
-}
diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c b/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c
deleted file mode 100644
index 610c61c713..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c
+++ /dev/null
@@ -1,143 +0,0 @@
-/** @file
-  MD4 Digest Wrapper Implementation which does not provide real capabilities.
-
-Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-
-/**
-  Retrieves the size, in bytes, of the context buffer required for MD4 hash
-  operations.
-
-  Return zero to indicate this interface is not supported.
-
-  @retval  0   This interface is not supported.
-
-**/
-UINTN
-EFIAPI
-Md4GetContextSize (
-  VOID
-  )
-{
-  ASSERT (FALSE);
-  return 0;
-}
-
-/**
-  Initializes user-supplied memory pointed by Md4Context as MD4 hash context for
-  subsequent use.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[out]  Md4Context  Pointer to MD4 context being initialized.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Init (
-  OUT  VOID  *Md4Context
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Makes a copy of an existing MD4 context.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]  Md4Context     Pointer to MD4 context being copied.
-  @param[out] NewMd4Context  Pointer to new MD4 context.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Duplicate (
-  IN   CONST VOID  *Md4Context,
-  OUT  VOID        *NewMd4Context
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Digests the input data and updates MD4 context.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  Md4Context  Pointer to the MD4 context.
-  @param[in]       Data        Pointer to the buffer containing the data to be hashed.
-  @param[in]       DataSize    Size of Data buffer in bytes.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Update (
-  IN OUT  VOID        *Md4Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Completes computation of the MD4 digest value.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  Md4Context  Pointer to the MD4 context.
-  @param[out]      HashValue   Pointer to a buffer that receives the MD4 digest
-                               value (16 bytes).
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Final (
-  IN OUT  VOID   *Md4Context,
-  OUT     UINT8  *HashValue
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Computes the MD4 message digest of a input data buffer.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]   Data        Pointer to the buffer containing the data to be hashed.
-  @param[in]   DataSize    Size of Data buffer in bytes.
-  @param[out]  HashValue   Pointer to a buffer that receives the MD4 digest
-                           value (16 bytes).
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4HashAll (
-  IN   CONST VOID  *Data,
-  IN   UINTN       DataSize,
-  OUT  UINT8       *HashValue
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
index c836c257f8..e9add0127d 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
@@ -6,14 +6,14 @@
 #  This external input must be validated carefully to avoid security issues such as
 #  buffer overflow or integer overflow.
 #
-#  Note: MD4 Digest functions,
+#  Note:
 #  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES/ARC4 functions, RSA external
 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509
 #  certificate handler functions, authenticode signature verification functions,
 #  PEM handler functions, and pseudorandom number generator functions are not
 #  supported in this instance.
 #
-#  Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
 #  SPDX-License-Identifier: BSD-2-Clause-Patent
 #
 ##
@@ -35,7 +35,6 @@
 
 [Sources]
   InternalCryptLib.h
-  Hash/CryptMd4Null.c
   Hash/CryptMd5.c
   Hash/CryptSha1.c
   Hash/CryptSha256.c
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
index 9937555beb..374bfb3f65 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
@@ -6,13 +6,13 @@
 // This external input must be validated carefully to avoid security issues such as
 // buffer overflow or integer overflow.
 //
-// Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions, AES/
+// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
 // TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, X.509 certificate handler functions, authenticode
 // signature verification functions, PEM handler functions, and pseudorandom number
 // generator functions are not supported in this instance.
 //
-// Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
+// Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
 //
 // SPDX-License-Identifier: BSD-2-Clause-Patent
 //
@@ -21,5 +21,5 @@
 
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for PEIM"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."
 
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
index e5b8ececc1..0a2eb03232 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
@@ -6,12 +6,12 @@
 #  This external input must be validated carefully to avoid security issues such as
 #  buffer overflow or integer overflow.
 #
-#  Note: MD4 Digest functions, SHA-384 Digest functions, SHA-512 Digest functions,
+#  Note: SHA-384 Digest functions, SHA-512 Digest functions,
 #  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES/ARC4 functions, RSA external
 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
 #  authenticode signature verification functions are not supported in this instance.
 #
-#  Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
 #  Copyright (c) 2020, Hewlett Packard Enterprise Development LP. All rights reserved.<BR>
 #  SPDX-License-Identifier: BSD-2-Clause-Patent
 #
@@ -35,7 +35,6 @@
 
 [Sources]
   InternalCryptLib.h
-  Hash/CryptMd4Null.c
   Hash/CryptMd5.c
   Hash/CryptSha1.c
   Hash/CryptSha256.c
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
index c0a16f1b84..b6d751176e 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
@@ -6,12 +6,12 @@
 // This external input must be validated carefully to avoid security issues such as
 // buffer overflow or integer overflow.
 //
-// Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions, AES/
+// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
 // TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, and authenticode signature verification functions are
 // not supported in this instance.
 //
-// Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
+// Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
 //
 // SPDX-License-Identifier: BSD-2-Clause-Patent
 //
@@ -20,5 +20,5 @@
 
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for DXE_RUNTIME_DRIVER"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
 
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
index cc0b65fd25..139983075e 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
@@ -6,12 +6,12 @@
 #  This external input must be validated carefully to avoid security issues such as
 #  buffer overflow or integer overflow.
 #
-#  Note: MD4 Digest functions, SHA-384 Digest functions, SHA-512 Digest functions,
+#  Note: SHA-384 Digest functions, SHA-512 Digest functions,
 #  HMAC-MD5 functions, HMAC-SHA1 functions, TDES/ARC4 functions, RSA external
 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
 #  authenticode signature verification functions are not supported in this instance.
 #
-#  Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
 #  SPDX-License-Identifier: BSD-2-Clause-Patent
 #
 ##
@@ -34,7 +34,6 @@
 
 [Sources]
   InternalCryptLib.h
-  Hash/CryptMd4Null.c
   Hash/CryptMd5.c
   Hash/CryptSha1.c
   Hash/CryptSha256.c
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
index 83485fbb90..b8d7953d2b 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
@@ -6,12 +6,12 @@
 // This external input must be validated carefully to avoid security issues such as
 // buffer overflow or integer overflow.
 //
-// Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions, AES/
+// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
 // TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, and authenticode signature verification functions are
 // not supported in this instance.
 //
-// Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
+// Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
 //
 // SPDX-License-Identifier: BSD-2-Clause-Patent
 //
@@ -20,5 +20,5 @@
 
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for SMM driver"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
 
diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
index 9b4991cbb0..b03681b146 100644
--- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
+++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
@@ -29,7 +29,6 @@
 
 [Sources]
   InternalCryptLib.h
-  Hash/CryptMd4Null.c
   Hash/CryptMd5Null.c
   Hash/CryptSha1Null.c
   Hash/CryptSha256Null.c
diff --git a/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c b/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c
deleted file mode 100644
index 610c61c713..0000000000
--- a/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c
+++ /dev/null
@@ -1,143 +0,0 @@
-/** @file
-  MD4 Digest Wrapper Implementation which does not provide real capabilities.
-
-Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-
-/**
-  Retrieves the size, in bytes, of the context buffer required for MD4 hash
-  operations.
-
-  Return zero to indicate this interface is not supported.
-
-  @retval  0   This interface is not supported.
-
-**/
-UINTN
-EFIAPI
-Md4GetContextSize (
-  VOID
-  )
-{
-  ASSERT (FALSE);
-  return 0;
-}
-
-/**
-  Initializes user-supplied memory pointed by Md4Context as MD4 hash context for
-  subsequent use.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[out]  Md4Context  Pointer to MD4 context being initialized.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Init (
-  OUT  VOID  *Md4Context
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Makes a copy of an existing MD4 context.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]  Md4Context     Pointer to MD4 context being copied.
-  @param[out] NewMd4Context  Pointer to new MD4 context.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Duplicate (
-  IN   CONST VOID  *Md4Context,
-  OUT  VOID        *NewMd4Context
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Digests the input data and updates MD4 context.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  Md4Context  Pointer to the MD4 context.
-  @param[in]       Data        Pointer to the buffer containing the data to be hashed.
-  @param[in]       DataSize    Size of Data buffer in bytes.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Update (
-  IN OUT  VOID        *Md4Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Completes computation of the MD4 digest value.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  Md4Context  Pointer to the MD4 context.
-  @param[out]      HashValue   Pointer to a buffer that receives the MD4 digest
-                               value (16 bytes).
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Final (
-  IN OUT  VOID   *Md4Context,
-  OUT     UINT8  *HashValue
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Computes the MD4 message digest of a input data buffer.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]   Data        Pointer to the buffer containing the data to be hashed.
-  @param[in]   DataSize    Size of Data buffer in bytes.
-  @param[out]  HashValue   Pointer to a buffer that receives the MD4 digest
-                           value (16 bytes).
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4HashAll (
-  IN   CONST VOID  *Data,
-  IN   UINTN       DataSize,
-  OUT  UINT8       *HashValue
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index c2a1df9afc..5e470028f4 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -99,164 +99,6 @@ CryptoServiceNotAvailable (
 //    One-Way Cryptographic Hash Primitives
 //=====================================================================================
 
-/**
-  Retrieves the size, in bytes, of the context buffer required for MD4 hash operations.
-
-  If this interface is not supported, then return zero.
-
-  @return  The size, in bytes, of the context buffer required for MD4 hash operations.
-  @retval  0   This interface is not supported.
-
-**/
-UINTN
-EFIAPI
-Md4GetContextSize (
-  VOID
-  )
-{
-  CALL_CRYPTO_SERVICE (Md4GetContextSize, (), 0);
-}
-
-/**
-  Initializes user-supplied memory pointed by Md4Context as MD4 hash context for
-  subsequent use.
-
-  If Md4Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  Md4Context  Pointer to MD4 context being initialized.
-
-  @retval TRUE   MD4 context initialization succeeded.
-  @retval FALSE  MD4 context initialization failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Init (
-  OUT  VOID  *Md4Context
-  )
-{
-  CALL_CRYPTO_SERVICE (Md4Init, (Md4Context), FALSE);
-}
-
-/**
-  Makes a copy of an existing MD4 context.
-
-  If Md4Context is NULL, then return FALSE.
-  If NewMd4Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]  Md4Context     Pointer to MD4 context being copied.
-  @param[out] NewMd4Context  Pointer to new MD4 context.
-
-  @retval TRUE   MD4 context copy succeeded.
-  @retval FALSE  MD4 context copy failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Duplicate (
-  IN   CONST VOID  *Md4Context,
-  OUT  VOID        *NewMd4Context
-  )
-{
-  CALL_CRYPTO_SERVICE (Md4Duplicate, (Md4Context, NewMd4Context), FALSE);
-}
-
-/**
-  Digests the input data and updates MD4 context.
-
-  This function performs MD4 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  MD4 context should be already correctly initialized by Md4Init(), and should not be finalized
-  by Md4Final(). Behavior with invalid context is undefined.
-
-  If Md4Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Md4Context  Pointer to the MD4 context.
-  @param[in]       Data        Pointer to the buffer containing the data to be hashed.
-  @param[in]       DataSize    Size of Data buffer in bytes.
-
-  @retval TRUE   MD4 data digest succeeded.
-  @retval FALSE  MD4 data digest failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Update (
-  IN OUT  VOID        *Md4Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  )
-{
-  CALL_CRYPTO_SERVICE (Md4Update, (Md4Context, Data, DataSize), FALSE);
-}
-
-/**
-  Completes computation of the MD4 digest value.
-
-  This function completes MD4 hash computation and retrieves the digest value into
-  the specified memory. After this function has been called, the MD4 context cannot
-  be used again.
-  MD4 context should be already correctly initialized by Md4Init(), and should not be
-  finalized by Md4Final(). Behavior with invalid MD4 context is undefined.
-
-  If Md4Context is NULL, then return FALSE.
-  If HashValue is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Md4Context  Pointer to the MD4 context.
-  @param[out]      HashValue   Pointer to a buffer that receives the MD4 digest
-                               value (16 bytes).
-
-  @retval TRUE   MD4 digest computation succeeded.
-  @retval FALSE  MD4 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Final (
-  IN OUT  VOID   *Md4Context,
-  OUT     UINT8  *HashValue
-  )
-{
-  CALL_CRYPTO_SERVICE (Md4Final, (Md4Context, HashValue), FALSE);
-}
-
-/**
-  Computes the MD4 message digest of a input data buffer.
-
-  This function performs the MD4 message digest of a given data buffer, and places
-  the digest value into the specified memory.
-
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   Data        Pointer to the buffer containing the data to be hashed.
-  @param[in]   DataSize    Size of Data buffer in bytes.
-  @param[out]  HashValue   Pointer to a buffer that receives the MD4 digest
-                           value (16 bytes).
-
-  @retval TRUE   MD4 digest computation succeeded.
-  @retval FALSE  MD4 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4HashAll (
-  IN   CONST VOID  *Data,
-  IN   UINTN       DataSize,
-  OUT  UINT8       *HashValue
-  )
-{
-  CALL_CRYPTO_SERVICE (Md4HashAll, (Data, DataSize, HashValue), FALSE);
-}
-
 /**
   Retrieves the size, in bytes, of the context buffer required for MD5 hash operations.
 
diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h b/CryptoPkg/Library/Include/openssl/opensslconf.h
index bd34e53ef2..4f3f9ba377 100644
--- a/CryptoPkg/Library/Include/openssl/opensslconf.h
+++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
@@ -241,6 +241,9 @@ extern "C" {
 #ifndef OPENSSL_NO_AFALGENG
 # define OPENSSL_NO_AFALGENG
 #endif
+#ifndef OPENSSL_NO_MD4
+# define OPENSSL_NO_MD4
+#endif
 
 
 /*
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index 9ed0175553..10710e4a7c 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -294,8 +294,6 @@
   $(OPENSSL_PATH)/crypto/kdf/tls1_prf.c
   $(OPENSSL_PATH)/crypto/lhash/lh_stats.c
   $(OPENSSL_PATH)/crypto/lhash/lhash.c
-  $(OPENSSL_PATH)/crypto/md4/md4_dgst.c
-  $(OPENSSL_PATH)/crypto/md4/md4_one.c
   $(OPENSSL_PATH)/crypto/md5/md5_dgst.c
   $(OPENSSL_PATH)/crypto/md5/md5_one.c
   $(OPENSSL_PATH)/crypto/mem.c
@@ -525,7 +523,6 @@
   $(OPENSSL_PATH)/crypto/evp/evp_locl.h
   $(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h
   $(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h
-  $(OPENSSL_PATH)/crypto/md4/md4_locl.h
   $(OPENSSL_PATH)/crypto/md5/md5_locl.h
   $(OPENSSL_PATH)/crypto/modes/modes_lcl.h
   $(OPENSSL_PATH)/crypto/objects/obj_dat.h
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
index 03da266627..d9782a3098 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
@@ -294,8 +294,6 @@
   $(OPENSSL_PATH)/crypto/kdf/tls1_prf.c
   $(OPENSSL_PATH)/crypto/lhash/lh_stats.c
   $(OPENSSL_PATH)/crypto/lhash/lhash.c
-  $(OPENSSL_PATH)/crypto/md4/md4_dgst.c
-  $(OPENSSL_PATH)/crypto/md4/md4_one.c
   $(OPENSSL_PATH)/crypto/md5/md5_dgst.c
   $(OPENSSL_PATH)/crypto/md5/md5_one.c
   $(OPENSSL_PATH)/crypto/mem.c
@@ -525,7 +523,6 @@
   $(OPENSSL_PATH)/crypto/evp/evp_locl.h
   $(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h
   $(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h
-  $(OPENSSL_PATH)/crypto/md4/md4_locl.h
   $(OPENSSL_PATH)/crypto/md5/md5_locl.h
   $(OPENSSL_PATH)/crypto/modes/modes_lcl.h
   $(OPENSSL_PATH)/crypto/objects/obj_dat.h
diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h
index 40c387e002..ae0f29695c 100644
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@@ -451,145 +451,52 @@ BOOLEAN
 //=====================================================================================
 
 /**
-  Retrieves the size, in bytes, of the context buffer required for MD4 hash operations.
-
-  If this interface is not supported, then return zero.
-
-  @return  The size, in bytes, of the context buffer required for MD4 hash operations.
-  @retval  0   This interface is not supported.
+  MD4 is deprecated and unsupported any longer.
+  Keep the function field for binary compability.
 
 **/
 typedef
 UINTN
-(EFIAPI *EDKII_CRYPTO_MD4_GET_CONTEXT_SIZE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_GET_CONTEXT_SIZE) (
   VOID
   );
 
 
-/**
-  Initializes user-supplied memory pointed by Md4Context as MD4 hash context for
-  subsequent use.
-
-  If Md4Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  Md4Context  Pointer to MD4 context being initialized.
-
-  @retval TRUE   MD4 context initialization succeeded.
-  @retval FALSE  MD4 context initialization failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_MD4_INIT) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_INIT) (
   OUT  VOID  *Md4Context
   );
 
 
-/**
-  Makes a copy of an existing MD4 context.
-
-  If Md4Context is NULL, then return FALSE.
-  If NewMd4Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]  Md4Context     Pointer to MD4 context being copied.
-  @param[out] NewMd4Context  Pointer to new MD4 context.
-
-  @retval TRUE   MD4 context copy succeeded.
-  @retval FALSE  MD4 context copy failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_MD4_DUPLICATE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_DUPLICATE) (
   IN   CONST VOID  *Md4Context,
   OUT  VOID        *NewMd4Context
   );
 
 
-/**
-  Digests the input data and updates MD4 context.
-
-  This function performs MD4 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  MD4 context should be already correctly initialized by Md4Init(), and should not be finalized
-  by Md4Final(). Behavior with invalid context is undefined.
-
-  If Md4Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Md4Context  Pointer to the MD4 context.
-  @param[in]       Data        Pointer to the buffer containing the data to be hashed.
-  @param[in]       DataSize    Size of Data buffer in bytes.
-
-  @retval TRUE   MD4 data digest succeeded.
-  @retval FALSE  MD4 data digest failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_MD4_UPDATE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_UPDATE) (
   IN OUT  VOID        *Md4Context,
   IN      CONST VOID  *Data,
   IN      UINTN       DataSize
   );
 
 
-/**
-  Completes computation of the MD4 digest value.
-
-  This function completes MD4 hash computation and retrieves the digest value into
-  the specified memory. After this function has been called, the MD4 context cannot
-  be used again.
-  MD4 context should be already correctly initialized by Md4Init(), and should not be
-  finalized by Md4Final(). Behavior with invalid MD4 context is undefined.
-
-  If Md4Context is NULL, then return FALSE.
-  If HashValue is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Md4Context  Pointer to the MD4 context.
-  @param[out]      HashValue   Pointer to a buffer that receives the MD4 digest
-                               value (16 bytes).
-
-  @retval TRUE   MD4 digest computation succeeded.
-  @retval FALSE  MD4 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_MD4_FINAL) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_FINAL) (
   IN OUT  VOID   *Md4Context,
   OUT     UINT8  *HashValue
   );
 
 
-/**
-  Computes the MD4 message digest of a input data buffer.
-
-  This function performs the MD4 message digest of a given data buffer, and places
-  the digest value into the specified memory.
-
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   Data        Pointer to the buffer containing the data to be hashed.
-  @param[in]   DataSize    Size of Data buffer in bytes.
-  @param[out]  HashValue   Pointer to a buffer that receives the MD4 digest
-                           value (16 bytes).
-
-  @retval TRUE   MD4 digest computation succeeded.
-  @retval FALSE  MD4 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_MD4_HASH_ALL) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_HASH_ALL) (
   IN   CONST VOID  *Data,
   IN   UINTN       DataSize,
   OUT  UINT8       *HashValue
@@ -4007,13 +3914,13 @@ struct _EDKII_CRYPTO_PROTOCOL {
   EDKII_CRYPTO_HMAC_SHA256_DUPLICATE              HmacSha256Duplicate;
   EDKII_CRYPTO_HMAC_SHA256_UPDATE                 HmacSha256Update;
   EDKII_CRYPTO_HMAC_SHA256_FINAL                  HmacSha256Final;
-  /// Md4
-  EDKII_CRYPTO_MD4_GET_CONTEXT_SIZE               Md4GetContextSize;
-  EDKII_CRYPTO_MD4_INIT                           Md4Init;
-  EDKII_CRYPTO_MD4_DUPLICATE                      Md4Duplicate;
-  EDKII_CRYPTO_MD4_UPDATE                         Md4Update;
-  EDKII_CRYPTO_MD4_FINAL                          Md4Final;
-  EDKII_CRYPTO_MD4_HASH_ALL                       Md4HashAll;
+  /// Md4 - deprecated and unsupported
+  DEPRECATED_EDKII_CRYPTO_MD4_GET_CONTEXT_SIZE    DeprecatedMd4GetContextSize;
+  DEPRECATED_EDKII_CRYPTO_MD4_INIT                DeprecatedMd4Init;
+  DEPRECATED_EDKII_CRYPTO_MD4_DUPLICATE           DeprecatedMd4Duplicate;
+  DEPRECATED_EDKII_CRYPTO_MD4_UPDATE              DeprecatedMd4Update;
+  DEPRECATED_EDKII_CRYPTO_MD4_FINAL               DeprecatedMd4Final;
+  DEPRECATED_EDKII_CRYPTO_MD4_HASH_ALL            DeprecatedMd4HashAll;
   /// Md5
   EDKII_CRYPTO_MD5_GET_CONTEXT_SIZE               Md5GetContextSize;
   EDKII_CRYPTO_MD5_INIT                           Md5Init;
-- 
2.21.0.windows.1

Re: [PATCH V3 2/8] CryptoPkg/BaseCrpytLib: Retire MD4 algorithm

[Wang, Jian J]

Sorry for the out-of-order review. Please refer to comments for patch 3.

Regards,
Jian

> -----Original Message-----
> From: Gao, Zhichao <zhichao.gao@intel.com>
> Sent: Thursday, May 07, 2020 7:58 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>;
> Fu, Siyuan <siyuan.fu@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>
> Subject: [PATCH V3 2/8] CryptoPkg/BaseCrpytLib: Retire MD4 algorithm
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
> 
> MD4 is not secure any longer.
> Remove the MD4 support from edk2.
> Change the MD4 field name in EDKII_CRYPTO_PROTOCOL to indicate the
> function is unsupported any longer.
> 
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Siyuan Fu <siyuan.fu@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> ---
>  CryptoPkg/CryptoPkg.dsc                       |   1 -
>  CryptoPkg/Driver/Crypto.c                     | 135 ++---------
>  CryptoPkg/Include/Library/BaseCryptLib.h      | 145 ------------
>  .../Library/BaseCryptLib/BaseCryptLib.inf     |   3 +-
>  .../Library/BaseCryptLib/Hash/CryptMd4.c      | 223 ------------------
>  .../Library/BaseCryptLib/Hash/CryptMd4Null.c  | 143 -----------
>  .../Library/BaseCryptLib/PeiCryptLib.inf      |   5 +-
>  .../Library/BaseCryptLib/PeiCryptLib.uni      |   6 +-
>  .../Library/BaseCryptLib/RuntimeCryptLib.inf  |   5 +-
>  .../Library/BaseCryptLib/RuntimeCryptLib.uni  |   6 +-
>  .../Library/BaseCryptLib/SmmCryptLib.inf      |   5 +-
>  .../Library/BaseCryptLib/SmmCryptLib.uni      |   6 +-
>  .../BaseCryptLibNull/BaseCryptLibNull.inf     |   1 -
>  .../BaseCryptLibNull/Hash/CryptMd4Null.c      | 143 -----------
>  .../BaseCryptLibOnProtocolPpi/CryptLib.c      | 158 -------------
>  .../Library/Include/openssl/opensslconf.h     |   3 +
>  CryptoPkg/Library/OpensslLib/OpensslLib.inf   |   3 -
>  .../Library/OpensslLib/OpensslLibCrypto.inf   |   3 -
>  CryptoPkg/Private/Protocol/Crypto.h           | 123 ++--------
>  19 files changed, 55 insertions(+), 1062 deletions(-)
>  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c
>  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c
>  delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c
> 
> diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
> index f79ff331cf..6ed7046563 100644
> --- a/CryptoPkg/CryptoPkg.dsc
> +++ b/CryptoPkg/CryptoPkg.dsc
> @@ -140,7 +140,6 @@
> 
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacMd5.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> 
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> 
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Fam
> ily | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> -  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md4.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
>    gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
>    gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
>    gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Dh.Family         |
> PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
> index 05ad4b5d55..95fc834bde 100644
> --- a/CryptoPkg/Driver/Crypto.c
> +++ b/CryptoPkg/Driver/Crypto.c
> @@ -124,161 +124,68 @@ CryptoServiceGetCryptoVersion (
> 
> //===============================================================
> ======================
> 
>  /**
> -  Retrieves the size, in bytes, of the context buffer required for MD4 hash
> operations.
> -
> -  If this interface is not supported, then return zero.
> -
> -  @return  The size, in bytes, of the context buffer required for MD4 hash
> operations.
> -  @retval  0   This interface is not supported.
> +  MD4 is deprecated and unsupported any longer.
> +  Keep the function field for binary compability.
> 
>  **/
>  UINTN
>  EFIAPI
> -CryptoServiceMd4GetContextSize (
> +DeprecatedCryptoServiceMd4GetContextSize (
>    VOID
>    )
>  {
> -  return CALL_BASECRYPTLIB (Md4.Services.GetContextSize,
> Md4GetContextSize, (), 0);
> +  return BaseCryptLibServciceDeprecated ("Md4GetContextSize"), 0;
>  }
> 
> -/**
> -  Initializes user-supplied memory pointed by Md4Context as MD4 hash context
> for
> -  subsequent use.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[out]  Md4Context  Pointer to MD4 context being initialized.
> -
> -  @retval TRUE   MD4 context initialization succeeded.
> -  @retval FALSE  MD4 context initialization failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  BOOLEAN
>  EFIAPI
> -CryptoServiceMd4Init (
> +DeprecatedCryptoServiceMd4Init (
>    OUT  VOID  *Md4Context
>    )
>  {
> -  return CALL_BASECRYPTLIB (Md4.Services.Init, Md4Init, (Md4Context), FALSE);
> +  return BaseCryptLibServciceDeprecated ("Md4Init"), FALSE;
>  }
> 
> -/**
> -  Makes a copy of an existing MD4 context.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If NewMd4Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]  Md4Context     Pointer to MD4 context being copied.
> -  @param[out] NewMd4Context  Pointer to new MD4 context.
> -
> -  @retval TRUE   MD4 context copy succeeded.
> -  @retval FALSE  MD4 context copy failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  BOOLEAN
>  EFIAPI
> -CryptoServiceMd4Duplicate (
> +DeprecatedCryptoServiceMd4Duplicate (
>    IN   CONST VOID  *Md4Context,
>    OUT  VOID        *NewMd4Context
>    )
>  {
> -  return CALL_BASECRYPTLIB (Md4.Services.Duplicate, Md4Duplicate,
> (Md4Context, NewMd4Context), FALSE);
> +  return BaseCryptLibServciceDeprecated ("Md4Duplicate"), FALSE;
>  }
> 
> -/**
> -  Digests the input data and updates MD4 context.
> -
> -  This function performs MD4 digest on a data buffer of the specified size.
> -  It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> -  MD4 context should be already correctly initialized by Md4Init(), and should
> not be finalized
> -  by Md4Final(). Behavior with invalid context is undefined.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> -  @param[in]       Data        Pointer to the buffer containing the data to be
> hashed.
> -  @param[in]       DataSize    Size of Data buffer in bytes.
> -
> -  @retval TRUE   MD4 data digest succeeded.
> -  @retval FALSE  MD4 data digest failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  BOOLEAN
>  EFIAPI
> -CryptoServiceMd4Update (
> +DeprecatedCryptoServiceMd4Update (
>    IN OUT  VOID        *Md4Context,
>    IN      CONST VOID  *Data,
>    IN      UINTN       DataSize
>    )
>  {
> -  return CALL_BASECRYPTLIB (Md4.Services.Update, Md4Update, (Md4Context,
> Data, DataSize), FALSE);
> +  return BaseCryptLibServciceDeprecated ("Md4Update"), FALSE;
>  }
> 
> -/**
> -  Completes computation of the MD4 digest value.
> -
> -  This function completes MD4 hash computation and retrieves the digest value
> into
> -  the specified memory. After this function has been called, the MD4 context
> cannot
> -  be used again.
> -  MD4 context should be already correctly initialized by Md4Init(), and should
> not be
> -  finalized by Md4Final(). Behavior with invalid MD4 context is undefined.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If HashValue is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> -  @param[out]      HashValue   Pointer to a buffer that receives the MD4 digest
> -                               value (16 bytes).
> -
> -  @retval TRUE   MD4 digest computation succeeded.
> -  @retval FALSE  MD4 digest computation failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  BOOLEAN
>  EFIAPI
> -CryptoServiceMd4Final (
> +DeprecatedCryptoServiceMd4Final (
>    IN OUT  VOID   *Md4Context,
>    OUT     UINT8  *HashValue
>    )
>  {
> -  return CALL_BASECRYPTLIB (Md4.Services.Final, Md4Final, (Md4Context,
> HashValue), FALSE);
> +  return BaseCryptLibServciceDeprecated ("Md4Final"), FALSE;
>  }
> 
> -/**
> -  Computes the MD4 message digest of a input data buffer.
> -
> -  This function performs the MD4 message digest of a given data buffer, and
> places
> -  the digest value into the specified memory.
> -
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]   Data        Pointer to the buffer containing the data to be hashed.
> -  @param[in]   DataSize    Size of Data buffer in bytes.
> -  @param[out]  HashValue   Pointer to a buffer that receives the MD4 digest
> -                           value (16 bytes).
> -
> -  @retval TRUE   MD4 digest computation succeeded.
> -  @retval FALSE  MD4 digest computation failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  BOOLEAN
>  EFIAPI
> -CryptoServiceMd4HashAll (
> +DeprecatedCryptoServiceMd4HashAll (
>    IN   CONST VOID  *Data,
>    IN   UINTN       DataSize,
>    OUT  UINT8       *HashValue
>    )
>  {
> -  return CALL_BASECRYPTLIB (Md4.Services.HashAll, Md4HashAll, (Data,
> DataSize, HashValue), FALSE);
> +  return BaseCryptLibServciceDeprecated ("Md4HashAll"), FALSE;
>  }
> 
>  /**
> @@ -4440,13 +4347,13 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
>    CryptoServiceHmacSha256Duplicate,
>    CryptoServiceHmacSha256Update,
>    CryptoServiceHmacSha256Final,
> -  /// Md4
> -  CryptoServiceMd4GetContextSize,
> -  CryptoServiceMd4Init,
> -  CryptoServiceMd4Duplicate,
> -  CryptoServiceMd4Update,
> -  CryptoServiceMd4Final,
> -  CryptoServiceMd4HashAll,
> +  /// Md4 - deprecated and unsupported
> +  DeprecatedCryptoServiceMd4GetContextSize,
> +  DeprecatedCryptoServiceMd4Init,
> +  DeprecatedCryptoServiceMd4Duplicate,
> +  DeprecatedCryptoServiceMd4Update,
> +  DeprecatedCryptoServiceMd4Final,
> +  DeprecatedCryptoServiceMd4HashAll,
>    /// Md5
>    CryptoServiceMd5GetContextSize,
>    CryptoServiceMd5Init,
> diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h
> b/CryptoPkg/Include/Library/BaseCryptLib.h
> index 5e8f2e0a10..c862f0334f 100644
> --- a/CryptoPkg/Include/Library/BaseCryptLib.h
> +++ b/CryptoPkg/Include/Library/BaseCryptLib.h
> @@ -14,11 +14,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> 
>  #include <Uefi/UefiBaseType.h>
> 
> -///
> -/// MD4 digest size in bytes
> -///
> -#define MD4_DIGEST_SIZE     16
> -
>  ///
>  /// MD5 digest size in bytes
>  ///
> @@ -77,146 +72,6 @@ typedef enum {
>  //    One-Way Cryptographic Hash Primitives
> 
> //===============================================================
> ======================
> 
> -/**
> -  Retrieves the size, in bytes, of the context buffer required for MD4 hash
> operations.
> -
> -  If this interface is not supported, then return zero.
> -
> -  @return  The size, in bytes, of the context buffer required for MD4 hash
> operations.
> -  @retval  0   This interface is not supported.
> -
> -**/
> -UINTN
> -EFIAPI
> -Md4GetContextSize (
> -  VOID
> -  );
> -
> -/**
> -  Initializes user-supplied memory pointed by Md4Context as MD4 hash context
> for
> -  subsequent use.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[out]  Md4Context  Pointer to MD4 context being initialized.
> -
> -  @retval TRUE   MD4 context initialization succeeded.
> -  @retval FALSE  MD4 context initialization failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Init (
> -  OUT  VOID  *Md4Context
> -  );
> -
> -/**
> -  Makes a copy of an existing MD4 context.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If NewMd4Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]  Md4Context     Pointer to MD4 context being copied.
> -  @param[out] NewMd4Context  Pointer to new MD4 context.
> -
> -  @retval TRUE   MD4 context copy succeeded.
> -  @retval FALSE  MD4 context copy failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Duplicate (
> -  IN   CONST VOID  *Md4Context,
> -  OUT  VOID        *NewMd4Context
> -  );
> -
> -/**
> -  Digests the input data and updates MD4 context.
> -
> -  This function performs MD4 digest on a data buffer of the specified size.
> -  It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> -  MD4 context should be already correctly initialized by Md4Init(), and should
> not be finalized
> -  by Md4Final(). Behavior with invalid context is undefined.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> -  @param[in]       Data        Pointer to the buffer containing the data to be
> hashed.
> -  @param[in]       DataSize    Size of Data buffer in bytes.
> -
> -  @retval TRUE   MD4 data digest succeeded.
> -  @retval FALSE  MD4 data digest failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Update (
> -  IN OUT  VOID        *Md4Context,
> -  IN      CONST VOID  *Data,
> -  IN      UINTN       DataSize
> -  );
> -
> -/**
> -  Completes computation of the MD4 digest value.
> -
> -  This function completes MD4 hash computation and retrieves the digest value
> into
> -  the specified memory. After this function has been called, the MD4 context
> cannot
> -  be used again.
> -  MD4 context should be already correctly initialized by Md4Init(), and should
> not be
> -  finalized by Md4Final(). Behavior with invalid MD4 context is undefined.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If HashValue is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> -  @param[out]      HashValue   Pointer to a buffer that receives the MD4 digest
> -                               value (16 bytes).
> -
> -  @retval TRUE   MD4 digest computation succeeded.
> -  @retval FALSE  MD4 digest computation failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Final (
> -  IN OUT  VOID   *Md4Context,
> -  OUT     UINT8  *HashValue
> -  );
> -
> -/**
> -  Computes the MD4 message digest of a input data buffer.
> -
> -  This function performs the MD4 message digest of a given data buffer, and
> places
> -  the digest value into the specified memory.
> -
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]   Data        Pointer to the buffer containing the data to be hashed.
> -  @param[in]   DataSize    Size of Data buffer in bytes.
> -  @param[out]  HashValue   Pointer to a buffer that receives the MD4 digest
> -                           value (16 bytes).
> -
> -  @retval TRUE   MD4 digest computation succeeded.
> -  @retval FALSE  MD4 digest computation failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4HashAll (
> -  IN   CONST VOID  *Data,
> -  IN   UINTN       DataSize,
> -  OUT  UINT8       *HashValue
> -  );
> -
>  /**
>    Retrieves the size, in bytes, of the context buffer required for MD5 hash
> operations.
> 
> diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> index a63ad66b4f..22992e7d43 100644
> --- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> @@ -6,7 +6,7 @@
>  #  This external input must be validated carefully to avoid security issues such as
>  #  buffer overflow or integer overflow.
>  #
> -#  Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
> +#  Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
>  #  Copyright (c) 2020, Hewlett Packard Enterprise Development LP. All rights
> reserved.<BR>
>  #  SPDX-License-Identifier: BSD-2-Clause-Patent
>  #
> @@ -29,7 +29,6 @@
> 
>  [Sources]
>    InternalCryptLib.h
> -  Hash/CryptMd4.c
>    Hash/CryptMd5.c
>    Hash/CryptSha1.c
>    Hash/CryptSha256.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c
> b/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c
> deleted file mode 100644
> index bc02da07b0..0000000000
> --- a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c
> +++ /dev/null
> @@ -1,223 +0,0 @@
> -/** @file
> -  MD4 Digest Wrapper Implementation over OpenSSL.
> -
> -Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -#include <openssl/md4.h>
> -
> -/**
> -  Retrieves the size, in bytes, of the context buffer required for MD4 hash
> operations.
> -
> -  @return  The size, in bytes, of the context buffer required for MD4 hash
> operations.
> -
> -**/
> -UINTN
> -EFIAPI
> -Md4GetContextSize (
> -  VOID
> -  )
> -{
> -  //
> -  // Retrieves the OpenSSL MD4 Context Size
> -  //
> -  return (UINTN) (sizeof (MD4_CTX));
> -}
> -
> -/**
> -  Initializes user-supplied memory pointed by Md4Context as MD4 hash context
> for
> -  subsequent use.
> -
> -  If Md4Context is NULL, then return FALSE.
> -
> -  @param[out]  Md4Context  Pointer to MD4 context being initialized.
> -
> -  @retval TRUE   MD4 context initialization succeeded.
> -  @retval FALSE  MD4 context initialization failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Init (
> -  OUT  VOID  *Md4Context
> -  )
> -{
> -  //
> -  // Check input parameters.
> -  //
> -  if (Md4Context == NULL) {
> -    return FALSE;
> -  }
> -
> -  //
> -  // OpenSSL MD4 Context Initialization
> -  //
> -  return (BOOLEAN) (MD4_Init ((MD4_CTX *) Md4Context));
> -}
> -
> -/**
> -  Makes a copy of an existing MD4 context.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If NewMd4Context is NULL, then return FALSE.
> -
> -  @param[in]  Md4Context     Pointer to MD4 context being copied.
> -  @param[out] NewMd4Context  Pointer to new MD4 context.
> -
> -  @retval TRUE   MD4 context copy succeeded.
> -  @retval FALSE  MD4 context copy failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Duplicate (
> -  IN   CONST VOID  *Md4Context,
> -  OUT  VOID        *NewMd4Context
> -  )
> -{
> -  //
> -  // Check input parameters.
> -  //
> -  if (Md4Context == NULL || NewMd4Context == NULL) {
> -    return FALSE;
> -  }
> -
> -  CopyMem (NewMd4Context, Md4Context, sizeof (MD4_CTX));
> -
> -  return TRUE;
> -}
> -
> -/**
> -  Digests the input data and updates MD4 context.
> -
> -  This function performs MD4 digest on a data buffer of the specified size.
> -  It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> -  MD4 context should be already correctly initialized by Md4Init(), and should
> not be finalized
> -  by Md4Final(). Behavior with invalid context is undefined.
> -
> -  If Md4Context is NULL, then return FALSE.
> -
> -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> -  @param[in]       Data        Pointer to the buffer containing the data to be
> hashed.
> -  @param[in]       DataSize    Size of Data buffer in bytes.
> -
> -  @retval TRUE   MD4 data digest succeeded.
> -  @retval FALSE  MD4 data digest failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Update (
> -  IN OUT  VOID        *Md4Context,
> -  IN      CONST VOID  *Data,
> -  IN      UINTN       DataSize
> -  )
> -{
> -  //
> -  // Check input parameters.
> -  //
> -  if (Md4Context == NULL) {
> -    return FALSE;
> -  }
> -
> -  //
> -  // Check invalid parameters, in case that only DataLength was checked in
> OpenSSL
> -  //
> -  if (Data == NULL && DataSize != 0) {
> -    return FALSE;
> -  }
> -
> -  //
> -  // OpenSSL MD4 Hash Update
> -  //
> -  return (BOOLEAN) (MD4_Update ((MD4_CTX *) Md4Context, Data, DataSize));
> -}
> -
> -/**
> -  Completes computation of the MD4 digest value.
> -
> -  This function completes MD4 hash computation and retrieves the digest value
> into
> -  the specified memory. After this function has been called, the MD4 context
> cannot
> -  be used again.
> -  MD4 context should be already correctly initialized by Md4Init(), and should
> not be
> -  finalized by Md4Final(). Behavior with invalid MD4 context is undefined.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If HashValue is NULL, then return FALSE.
> -
> -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> -  @param[out]      HashValue   Pointer to a buffer that receives the MD4 digest
> -                               value (16 bytes).
> -
> -  @retval TRUE   MD4 digest computation succeeded.
> -  @retval FALSE  MD4 digest computation failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Final (
> -  IN OUT  VOID   *Md4Context,
> -  OUT     UINT8  *HashValue
> -  )
> -{
> -  //
> -  // Check input parameters.
> -  //
> -  if (Md4Context == NULL || HashValue == NULL) {
> -    return FALSE;
> -  }
> -
> -  //
> -  // OpenSSL MD4 Hash Finalization
> -  //
> -  return (BOOLEAN) (MD4_Final (HashValue, (MD4_CTX *) Md4Context));
> -}
> -
> -/**
> -  Computes the MD4 message digest of a input data buffer.
> -
> -  This function performs the MD4 message digest of a given data buffer, and
> places
> -  the digest value into the specified memory.
> -
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]   Data        Pointer to the buffer containing the data to be hashed.
> -  @param[in]   DataSize    Size of Data buffer in bytes.
> -  @param[out]  HashValue   Pointer to a buffer that receives the MD4 digest
> -                           value (16 bytes).
> -
> -  @retval TRUE   MD4 digest computation succeeded.
> -  @retval FALSE  MD4 digest computation failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4HashAll (
> -  IN   CONST VOID  *Data,
> -  IN   UINTN       DataSize,
> -  OUT  UINT8       *HashValue
> -  )
> -{
> -  //
> -  // Check input parameters.
> -  //
> -  if (HashValue == NULL) {
> -    return FALSE;
> -  }
> -  if (Data == NULL && DataSize != 0) {
> -    return FALSE;
> -  }
> -
> -  //
> -  // OpenSSL MD4 Hash Computation.
> -  //
> -  if (MD4 (Data, DataSize, HashValue) == NULL) {
> -    return FALSE;
> -  } else {
> -    return TRUE;
> -  }
> -}
> diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c
> b/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c
> deleted file mode 100644
> index 610c61c713..0000000000
> --- a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c
> +++ /dev/null
> @@ -1,143 +0,0 @@
> -/** @file
> -  MD4 Digest Wrapper Implementation which does not provide real capabilities.
> -
> -Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -
> -/**
> -  Retrieves the size, in bytes, of the context buffer required for MD4 hash
> -  operations.
> -
> -  Return zero to indicate this interface is not supported.
> -
> -  @retval  0   This interface is not supported.
> -
> -**/
> -UINTN
> -EFIAPI
> -Md4GetContextSize (
> -  VOID
> -  )
> -{
> -  ASSERT (FALSE);
> -  return 0;
> -}
> -
> -/**
> -  Initializes user-supplied memory pointed by Md4Context as MD4 hash context
> for
> -  subsequent use.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[out]  Md4Context  Pointer to MD4 context being initialized.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Init (
> -  OUT  VOID  *Md4Context
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Makes a copy of an existing MD4 context.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in]  Md4Context     Pointer to MD4 context being copied.
> -  @param[out] NewMd4Context  Pointer to new MD4 context.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Duplicate (
> -  IN   CONST VOID  *Md4Context,
> -  OUT  VOID        *NewMd4Context
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Digests the input data and updates MD4 context.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> -  @param[in]       Data        Pointer to the buffer containing the data to be
> hashed.
> -  @param[in]       DataSize    Size of Data buffer in bytes.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Update (
> -  IN OUT  VOID        *Md4Context,
> -  IN      CONST VOID  *Data,
> -  IN      UINTN       DataSize
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Completes computation of the MD4 digest value.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> -  @param[out]      HashValue   Pointer to a buffer that receives the MD4 digest
> -                               value (16 bytes).
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Final (
> -  IN OUT  VOID   *Md4Context,
> -  OUT     UINT8  *HashValue
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Computes the MD4 message digest of a input data buffer.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in]   Data        Pointer to the buffer containing the data to be hashed.
> -  @param[in]   DataSize    Size of Data buffer in bytes.
> -  @param[out]  HashValue   Pointer to a buffer that receives the MD4 digest
> -                           value (16 bytes).
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4HashAll (
> -  IN   CONST VOID  *Data,
> -  IN   UINTN       DataSize,
> -  OUT  UINT8       *HashValue
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> index c836c257f8..e9add0127d 100644
> --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> @@ -6,14 +6,14 @@
>  #  This external input must be validated carefully to avoid security issues such as
>  #  buffer overflow or integer overflow.
>  #
> -#  Note: MD4 Digest functions,
> +#  Note:
>  #  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES/ARC4
> functions, RSA external
>  #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509
>  #  certificate handler functions, authenticode signature verification functions,
>  #  PEM handler functions, and pseudorandom number generator functions are
> not
>  #  supported in this instance.
>  #
> -#  Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.<BR>
> +#  Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
>  #  SPDX-License-Identifier: BSD-2-Clause-Patent
>  #
>  ##
> @@ -35,7 +35,6 @@
> 
>  [Sources]
>    InternalCryptLib.h
> -  Hash/CryptMd4Null.c
>    Hash/CryptMd5.c
>    Hash/CryptSha1.c
>    Hash/CryptSha256.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> index 9937555beb..374bfb3f65 100644
> --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> @@ -6,13 +6,13 @@
>  // This external input must be validated carefully to avoid security issues such as
>  // buffer overflow or integer overflow.
>  //
> -// Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions,
> AES/
> +// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
>  // TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign
> functions,
>  // Diffie-Hellman functions, X.509 certificate handler functions, authenticode
>  // signature verification functions, PEM handler functions, and pseudorandom
> number
>  // generator functions are not supported in this instance.
>  //
> -// Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
> +// Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
>  //
>  // SPDX-License-Identifier: BSD-2-Clause-Patent
>  //
> @@ -21,5 +21,5 @@
> 
>  #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic
> Library Instance for PEIM"
> 
> -#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: MD4 Digest functions,
> HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA
> external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions,
> X.509 certificate handler functions, authenticode signature verification functions,
> PEM handler functions, and pseudorandom number generator functions are not
> supported in this instance."
> +#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions,
> PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate
> handler functions, authenticode signature verification functions, PEM handler
> functions, and pseudorandom number generator functions are not supported in
> this instance."
> 
> diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> index e5b8ececc1..0a2eb03232 100644
> --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> @@ -6,12 +6,12 @@
>  #  This external input must be validated carefully to avoid security issues such as
>  #  buffer overflow or integer overflow.
>  #
> -#  Note: MD4 Digest functions, SHA-384 Digest functions, SHA-512 Digest
> functions,
> +#  Note: SHA-384 Digest functions, SHA-512 Digest functions,
>  #  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES/ARC4
> functions, RSA external
>  #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
>  #  authenticode signature verification functions are not supported in this
> instance.
>  #
> -#  Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
> +#  Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
>  #  Copyright (c) 2020, Hewlett Packard Enterprise Development LP. All rights
> reserved.<BR>
>  #  SPDX-License-Identifier: BSD-2-Clause-Patent
>  #
> @@ -35,7 +35,6 @@
> 
>  [Sources]
>    InternalCryptLib.h
> -  Hash/CryptMd4Null.c
>    Hash/CryptMd5.c
>    Hash/CryptSha1.c
>    Hash/CryptSha256.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> index c0a16f1b84..b6d751176e 100644
> --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> @@ -6,12 +6,12 @@
>  // This external input must be validated carefully to avoid security issues such as
>  // buffer overflow or integer overflow.
>  //
> -// Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions,
> AES/
> +// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
>  // TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign
> functions,
>  // Diffie-Hellman functions, and authenticode signature verification functions
> are
>  // not supported in this instance.
>  //
> -// Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
> +// Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
>  //
>  // SPDX-License-Identifier: BSD-2-Clause-Patent
>  //
> @@ -20,5 +20,5 @@
> 
>  #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic
> Library Instance for DXE_RUNTIME_DRIVER"
> 
> -#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: MD4 Digest functions,
> HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA
> external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions,
> and authenticode signature verification functions are not supported in this
> instance."
> +#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions,
> PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode
> signature verification functions are not supported in this instance."
> 
> diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> index cc0b65fd25..139983075e 100644
> --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> @@ -6,12 +6,12 @@
>  #  This external input must be validated carefully to avoid security issues such as
>  #  buffer overflow or integer overflow.
>  #
> -#  Note: MD4 Digest functions, SHA-384 Digest functions, SHA-512 Digest
> functions,
> +#  Note: SHA-384 Digest functions, SHA-512 Digest functions,
>  #  HMAC-MD5 functions, HMAC-SHA1 functions, TDES/ARC4 functions, RSA
> external
>  #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
>  #  authenticode signature verification functions are not supported in this
> instance.
>  #
> -#  Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.<BR>
> +#  Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
>  #  SPDX-License-Identifier: BSD-2-Clause-Patent
>  #
>  ##
> @@ -34,7 +34,6 @@
> 
>  [Sources]
>    InternalCryptLib.h
> -  Hash/CryptMd4Null.c
>    Hash/CryptMd5.c
>    Hash/CryptSha1.c
>    Hash/CryptSha256.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> index 83485fbb90..b8d7953d2b 100644
> --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> @@ -6,12 +6,12 @@
>  // This external input must be validated carefully to avoid security issues such as
>  // buffer overflow or integer overflow.
>  //
> -// Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions,
> AES/
> +// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
>  // TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign
> functions,
>  // Diffie-Hellman functions, and authenticode signature verification functions
> are
>  // not supported in this instance.
>  //
> -// Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
> +// Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
>  //
>  // SPDX-License-Identifier: BSD-2-Clause-Patent
>  //
> @@ -20,5 +20,5 @@
> 
>  #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic
> Library Instance for SMM driver"
> 
> -#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: MD4 Digest functions,
> HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA
> external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions,
> and authenticode signature verification functions are not supported in this
> instance."
> +#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions,
> PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode
> signature verification functions are not supported in this instance."
> 
> diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> index 9b4991cbb0..b03681b146 100644
> --- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> +++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> @@ -29,7 +29,6 @@
> 
>  [Sources]
>    InternalCryptLib.h
> -  Hash/CryptMd4Null.c
>    Hash/CryptMd5Null.c
>    Hash/CryptSha1Null.c
>    Hash/CryptSha256Null.c
> diff --git a/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c
> b/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c
> deleted file mode 100644
> index 610c61c713..0000000000
> --- a/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c
> +++ /dev/null
> @@ -1,143 +0,0 @@
> -/** @file
> -  MD4 Digest Wrapper Implementation which does not provide real capabilities.
> -
> -Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -
> -/**
> -  Retrieves the size, in bytes, of the context buffer required for MD4 hash
> -  operations.
> -
> -  Return zero to indicate this interface is not supported.
> -
> -  @retval  0   This interface is not supported.
> -
> -**/
> -UINTN
> -EFIAPI
> -Md4GetContextSize (
> -  VOID
> -  )
> -{
> -  ASSERT (FALSE);
> -  return 0;
> -}
> -
> -/**
> -  Initializes user-supplied memory pointed by Md4Context as MD4 hash context
> for
> -  subsequent use.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[out]  Md4Context  Pointer to MD4 context being initialized.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Init (
> -  OUT  VOID  *Md4Context
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Makes a copy of an existing MD4 context.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in]  Md4Context     Pointer to MD4 context being copied.
> -  @param[out] NewMd4Context  Pointer to new MD4 context.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Duplicate (
> -  IN   CONST VOID  *Md4Context,
> -  OUT  VOID        *NewMd4Context
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Digests the input data and updates MD4 context.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> -  @param[in]       Data        Pointer to the buffer containing the data to be
> hashed.
> -  @param[in]       DataSize    Size of Data buffer in bytes.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Update (
> -  IN OUT  VOID        *Md4Context,
> -  IN      CONST VOID  *Data,
> -  IN      UINTN       DataSize
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Completes computation of the MD4 digest value.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> -  @param[out]      HashValue   Pointer to a buffer that receives the MD4 digest
> -                               value (16 bytes).
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Final (
> -  IN OUT  VOID   *Md4Context,
> -  OUT     UINT8  *HashValue
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Computes the MD4 message digest of a input data buffer.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in]   Data        Pointer to the buffer containing the data to be hashed.
> -  @param[in]   DataSize    Size of Data buffer in bytes.
> -  @param[out]  HashValue   Pointer to a buffer that receives the MD4 digest
> -                           value (16 bytes).
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4HashAll (
> -  IN   CONST VOID  *Data,
> -  IN   UINTN       DataSize,
> -  OUT  UINT8       *HashValue
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> index c2a1df9afc..5e470028f4 100644
> --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> @@ -99,164 +99,6 @@ CryptoServiceNotAvailable (
>  //    One-Way Cryptographic Hash Primitives
> 
> //===============================================================
> ======================
> 
> -/**
> -  Retrieves the size, in bytes, of the context buffer required for MD4 hash
> operations.
> -
> -  If this interface is not supported, then return zero.
> -
> -  @return  The size, in bytes, of the context buffer required for MD4 hash
> operations.
> -  @retval  0   This interface is not supported.
> -
> -**/
> -UINTN
> -EFIAPI
> -Md4GetContextSize (
> -  VOID
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (Md4GetContextSize, (), 0);
> -}
> -
> -/**
> -  Initializes user-supplied memory pointed by Md4Context as MD4 hash context
> for
> -  subsequent use.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[out]  Md4Context  Pointer to MD4 context being initialized.
> -
> -  @retval TRUE   MD4 context initialization succeeded.
> -  @retval FALSE  MD4 context initialization failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Init (
> -  OUT  VOID  *Md4Context
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (Md4Init, (Md4Context), FALSE);
> -}
> -
> -/**
> -  Makes a copy of an existing MD4 context.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If NewMd4Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]  Md4Context     Pointer to MD4 context being copied.
> -  @param[out] NewMd4Context  Pointer to new MD4 context.
> -
> -  @retval TRUE   MD4 context copy succeeded.
> -  @retval FALSE  MD4 context copy failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Duplicate (
> -  IN   CONST VOID  *Md4Context,
> -  OUT  VOID        *NewMd4Context
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (Md4Duplicate, (Md4Context, NewMd4Context),
> FALSE);
> -}
> -
> -/**
> -  Digests the input data and updates MD4 context.
> -
> -  This function performs MD4 digest on a data buffer of the specified size.
> -  It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> -  MD4 context should be already correctly initialized by Md4Init(), and should
> not be finalized
> -  by Md4Final(). Behavior with invalid context is undefined.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> -  @param[in]       Data        Pointer to the buffer containing the data to be
> hashed.
> -  @param[in]       DataSize    Size of Data buffer in bytes.
> -
> -  @retval TRUE   MD4 data digest succeeded.
> -  @retval FALSE  MD4 data digest failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Update (
> -  IN OUT  VOID        *Md4Context,
> -  IN      CONST VOID  *Data,
> -  IN      UINTN       DataSize
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (Md4Update, (Md4Context, Data, DataSize), FALSE);
> -}
> -
> -/**
> -  Completes computation of the MD4 digest value.
> -
> -  This function completes MD4 hash computation and retrieves the digest value
> into
> -  the specified memory. After this function has been called, the MD4 context
> cannot
> -  be used again.
> -  MD4 context should be already correctly initialized by Md4Init(), and should
> not be
> -  finalized by Md4Final(). Behavior with invalid MD4 context is undefined.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If HashValue is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> -  @param[out]      HashValue   Pointer to a buffer that receives the MD4 digest
> -                               value (16 bytes).
> -
> -  @retval TRUE   MD4 digest computation succeeded.
> -  @retval FALSE  MD4 digest computation failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Final (
> -  IN OUT  VOID   *Md4Context,
> -  OUT     UINT8  *HashValue
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (Md4Final, (Md4Context, HashValue), FALSE);
> -}
> -
> -/**
> -  Computes the MD4 message digest of a input data buffer.
> -
> -  This function performs the MD4 message digest of a given data buffer, and
> places
> -  the digest value into the specified memory.
> -
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]   Data        Pointer to the buffer containing the data to be hashed.
> -  @param[in]   DataSize    Size of Data buffer in bytes.
> -  @param[out]  HashValue   Pointer to a buffer that receives the MD4 digest
> -                           value (16 bytes).
> -
> -  @retval TRUE   MD4 digest computation succeeded.
> -  @retval FALSE  MD4 digest computation failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4HashAll (
> -  IN   CONST VOID  *Data,
> -  IN   UINTN       DataSize,
> -  OUT  UINT8       *HashValue
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (Md4HashAll, (Data, DataSize, HashValue), FALSE);
> -}
> -
>  /**
>    Retrieves the size, in bytes, of the context buffer required for MD5 hash
> operations.
> 
> diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h
> b/CryptoPkg/Library/Include/openssl/opensslconf.h
> index bd34e53ef2..4f3f9ba377 100644
> --- a/CryptoPkg/Library/Include/openssl/opensslconf.h
> +++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
> @@ -241,6 +241,9 @@ extern "C" {
>  #ifndef OPENSSL_NO_AFALGENG
>  # define OPENSSL_NO_AFALGENG
>  #endif
> +#ifndef OPENSSL_NO_MD4
> +# define OPENSSL_NO_MD4
> +#endif
> 
> 
>  /*
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> index 9ed0175553..10710e4a7c 100644
> --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> @@ -294,8 +294,6 @@
>    $(OPENSSL_PATH)/crypto/kdf/tls1_prf.c
>    $(OPENSSL_PATH)/crypto/lhash/lh_stats.c
>    $(OPENSSL_PATH)/crypto/lhash/lhash.c
> -  $(OPENSSL_PATH)/crypto/md4/md4_dgst.c
> -  $(OPENSSL_PATH)/crypto/md4/md4_one.c
>    $(OPENSSL_PATH)/crypto/md5/md5_dgst.c
>    $(OPENSSL_PATH)/crypto/md5/md5_one.c
>    $(OPENSSL_PATH)/crypto/mem.c
> @@ -525,7 +523,6 @@
>    $(OPENSSL_PATH)/crypto/evp/evp_locl.h
>    $(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h
>    $(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h
> -  $(OPENSSL_PATH)/crypto/md4/md4_locl.h
>    $(OPENSSL_PATH)/crypto/md5/md5_locl.h
>    $(OPENSSL_PATH)/crypto/modes/modes_lcl.h
>    $(OPENSSL_PATH)/crypto/objects/obj_dat.h
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> index 03da266627..d9782a3098 100644
> --- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> +++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> @@ -294,8 +294,6 @@
>    $(OPENSSL_PATH)/crypto/kdf/tls1_prf.c
>    $(OPENSSL_PATH)/crypto/lhash/lh_stats.c
>    $(OPENSSL_PATH)/crypto/lhash/lhash.c
> -  $(OPENSSL_PATH)/crypto/md4/md4_dgst.c
> -  $(OPENSSL_PATH)/crypto/md4/md4_one.c
>    $(OPENSSL_PATH)/crypto/md5/md5_dgst.c
>    $(OPENSSL_PATH)/crypto/md5/md5_one.c
>    $(OPENSSL_PATH)/crypto/mem.c
> @@ -525,7 +523,6 @@
>    $(OPENSSL_PATH)/crypto/evp/evp_locl.h
>    $(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h
>    $(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h
> -  $(OPENSSL_PATH)/crypto/md4/md4_locl.h
>    $(OPENSSL_PATH)/crypto/md5/md5_locl.h
>    $(OPENSSL_PATH)/crypto/modes/modes_lcl.h
>    $(OPENSSL_PATH)/crypto/objects/obj_dat.h
> diff --git a/CryptoPkg/Private/Protocol/Crypto.h
> b/CryptoPkg/Private/Protocol/Crypto.h
> index 40c387e002..ae0f29695c 100644
> --- a/CryptoPkg/Private/Protocol/Crypto.h
> +++ b/CryptoPkg/Private/Protocol/Crypto.h
> @@ -451,145 +451,52 @@ BOOLEAN
> 
> //===============================================================
> ======================
> 
>  /**
> -  Retrieves the size, in bytes, of the context buffer required for MD4 hash
> operations.
> -
> -  If this interface is not supported, then return zero.
> -
> -  @return  The size, in bytes, of the context buffer required for MD4 hash
> operations.
> -  @retval  0   This interface is not supported.
> +  MD4 is deprecated and unsupported any longer.
> +  Keep the function field for binary compability.
> 
>  **/
>  typedef
>  UINTN
> -(EFIAPI *EDKII_CRYPTO_MD4_GET_CONTEXT_SIZE) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_GET_CONTEXT_SIZE) (
>    VOID
>    );
> 
> 
> -/**
> -  Initializes user-supplied memory pointed by Md4Context as MD4 hash context
> for
> -  subsequent use.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[out]  Md4Context  Pointer to MD4 context being initialized.
> -
> -  @retval TRUE   MD4 context initialization succeeded.
> -  @retval FALSE  MD4 context initialization failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  typedef
>  BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_MD4_INIT) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_INIT) (
>    OUT  VOID  *Md4Context
>    );
> 
> 
> -/**
> -  Makes a copy of an existing MD4 context.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If NewMd4Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]  Md4Context     Pointer to MD4 context being copied.
> -  @param[out] NewMd4Context  Pointer to new MD4 context.
> -
> -  @retval TRUE   MD4 context copy succeeded.
> -  @retval FALSE  MD4 context copy failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  typedef
>  BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_MD4_DUPLICATE) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_DUPLICATE) (
>    IN   CONST VOID  *Md4Context,
>    OUT  VOID        *NewMd4Context
>    );
> 
> 
> -/**
> -  Digests the input data and updates MD4 context.
> -
> -  This function performs MD4 digest on a data buffer of the specified size.
> -  It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> -  MD4 context should be already correctly initialized by Md4Init(), and should
> not be finalized
> -  by Md4Final(). Behavior with invalid context is undefined.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> -  @param[in]       Data        Pointer to the buffer containing the data to be
> hashed.
> -  @param[in]       DataSize    Size of Data buffer in bytes.
> -
> -  @retval TRUE   MD4 data digest succeeded.
> -  @retval FALSE  MD4 data digest failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  typedef
>  BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_MD4_UPDATE) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_UPDATE) (
>    IN OUT  VOID        *Md4Context,
>    IN      CONST VOID  *Data,
>    IN      UINTN       DataSize
>    );
> 
> 
> -/**
> -  Completes computation of the MD4 digest value.
> -
> -  This function completes MD4 hash computation and retrieves the digest value
> into
> -  the specified memory. After this function has been called, the MD4 context
> cannot
> -  be used again.
> -  MD4 context should be already correctly initialized by Md4Init(), and should
> not be
> -  finalized by Md4Final(). Behavior with invalid MD4 context is undefined.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If HashValue is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> -  @param[out]      HashValue   Pointer to a buffer that receives the MD4 digest
> -                               value (16 bytes).
> -
> -  @retval TRUE   MD4 digest computation succeeded.
> -  @retval FALSE  MD4 digest computation failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  typedef
>  BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_MD4_FINAL) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_FINAL) (
>    IN OUT  VOID   *Md4Context,
>    OUT     UINT8  *HashValue
>    );
> 
> 
> -/**
> -  Computes the MD4 message digest of a input data buffer.
> -
> -  This function performs the MD4 message digest of a given data buffer, and
> places
> -  the digest value into the specified memory.
> -
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]   Data        Pointer to the buffer containing the data to be hashed.
> -  @param[in]   DataSize    Size of Data buffer in bytes.
> -  @param[out]  HashValue   Pointer to a buffer that receives the MD4 digest
> -                           value (16 bytes).
> -
> -  @retval TRUE   MD4 digest computation succeeded.
> -  @retval FALSE  MD4 digest computation failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  typedef
>  BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_MD4_HASH_ALL) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_HASH_ALL) (
>    IN   CONST VOID  *Data,
>    IN   UINTN       DataSize,
>    OUT  UINT8       *HashValue
> @@ -4007,13 +3914,13 @@ struct _EDKII_CRYPTO_PROTOCOL {
>    EDKII_CRYPTO_HMAC_SHA256_DUPLICATE              HmacSha256Duplicate;
>    EDKII_CRYPTO_HMAC_SHA256_UPDATE                 HmacSha256Update;
>    EDKII_CRYPTO_HMAC_SHA256_FINAL                  HmacSha256Final;
> -  /// Md4
> -  EDKII_CRYPTO_MD4_GET_CONTEXT_SIZE               Md4GetContextSize;
> -  EDKII_CRYPTO_MD4_INIT                           Md4Init;
> -  EDKII_CRYPTO_MD4_DUPLICATE                      Md4Duplicate;
> -  EDKII_CRYPTO_MD4_UPDATE                         Md4Update;
> -  EDKII_CRYPTO_MD4_FINAL                          Md4Final;
> -  EDKII_CRYPTO_MD4_HASH_ALL                       Md4HashAll;
> +  /// Md4 - deprecated and unsupported
> +  DEPRECATED_EDKII_CRYPTO_MD4_GET_CONTEXT_SIZE
> DeprecatedMd4GetContextSize;
> +  DEPRECATED_EDKII_CRYPTO_MD4_INIT                DeprecatedMd4Init;
> +  DEPRECATED_EDKII_CRYPTO_MD4_DUPLICATE
> DeprecatedMd4Duplicate;
> +  DEPRECATED_EDKII_CRYPTO_MD4_UPDATE              DeprecatedMd4Update;
> +  DEPRECATED_EDKII_CRYPTO_MD4_FINAL               DeprecatedMd4Final;
> +  DEPRECATED_EDKII_CRYPTO_MD4_HASH_ALL            DeprecatedMd4HashAll;
>    /// Md5
>    EDKII_CRYPTO_MD5_GET_CONTEXT_SIZE               Md5GetContextSize;
>    EDKII_CRYPTO_MD5_INIT                           Md5Init;
> --
> 2.21.0.windows.1

[PATCH V3 3/8] CryptoPkg/BaseCryptLib: Retire ARC4 algorithm

[Gao, Zhichao]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898

ARC4 is not secure any longer.
Remove the ARC4 support from edk2.
Change the ARC4 field name in EDKII_CRYPTO_PROTOCOL to indicate the
function is unsupported any longer.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
 CryptoPkg/Driver/Crypto.c                     | 125 ++---------
 CryptoPkg/Include/Library/BaseCryptLib.h      | 132 -----------
 .../Library/BaseCryptLib/BaseCryptLib.inf     |   1 -
 .../Library/BaseCryptLib/Cipher/CryptArc4.c   | 205 ------------------
 .../BaseCryptLib/Cipher/CryptArc4Null.c       | 124 -----------
 .../Library/BaseCryptLib/PeiCryptLib.inf      |   3 +-
 .../Library/BaseCryptLib/PeiCryptLib.uni      |   4 +-
 .../Library/BaseCryptLib/RuntimeCryptLib.inf  |   3 +-
 .../Library/BaseCryptLib/RuntimeCryptLib.uni  |   4 +-
 .../Library/BaseCryptLib/SmmCryptLib.inf      |   3 +-
 .../Library/BaseCryptLib/SmmCryptLib.uni      |   4 +-
 .../BaseCryptLibNull/BaseCryptLibNull.inf     |   1 -
 .../BaseCryptLibNull/Cipher/CryptArc4Null.c   | 124 -----------
 .../BaseCryptLibOnProtocolPpi/CryptLib.c      | 147 -------------
 .../Library/Include/openssl/opensslconf.h     |   3 +
 CryptoPkg/Library/OpensslLib/OpensslLib.inf   |   3 -
 .../Library/OpensslLib/OpensslLibCrypto.inf   |   3 -
 CryptoPkg/Private/Protocol/Crypto.h           | 115 ++--------
 18 files changed, 43 insertions(+), 961 deletions(-)
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4Null.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptArc4Null.c

diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index 95fc834bde..388a6e4b4b 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -1982,150 +1982,61 @@ CryptoServiceAesCbcDecrypt (
 }
 
 /**
-  Retrieves the size, in bytes, of the context buffer required for ARC4 operations.
-
-  If this interface is not supported, then return zero.
-
-  @return  The size, in bytes, of the context buffer required for ARC4 operations.
-  @retval  0   This interface is not supported.
+  ARC4 is deprecated and unsupported any longer.
+  Keep the function field for binary compability.
 
 **/
 UINTN
 EFIAPI
-CryptoServiceArc4GetContextSize (
+DeprecatedCryptoServiceArc4GetContextSize (
   VOID
   )
 {
-  return CALL_BASECRYPTLIB (Arc4.Services.GetContextSize, Arc4GetContextSize, (), 0);
+  return BaseCryptLibServciceDeprecated ("Arc4GetContextSize"), 0;
 }
 
-/**
-  Initializes user-supplied memory as ARC4 context for subsequent use.
-
-  This function initializes user-supplied memory pointed by Arc4Context as ARC4 context.
-  In addition, it sets up all ARC4 key materials for subsequent encryption and decryption
-  operations.
-
-  If Arc4Context is NULL, then return FALSE.
-  If Key is NULL, then return FALSE.
-  If KeySize does not in the range of [5, 256] bytes, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  Arc4Context  Pointer to ARC4 context being initialized.
-  @param[in]   Key          Pointer to the user-supplied ARC4 key.
-  @param[in]   KeySize      Size of ARC4 key in bytes.
-
-  @retval TRUE   ARC4 context initialization succeeded.
-  @retval FALSE  ARC4 context initialization failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceArc4Init (
+DeprecatedCryptoServiceArc4Init (
   OUT  VOID         *Arc4Context,
   IN   CONST UINT8  *Key,
   IN   UINTN        KeySize
   )
 {
-  return CALL_BASECRYPTLIB (Arc4.Services.Init, Arc4Init, (Arc4Context, Key, KeySize), FALSE);
+  return BaseCryptLibServciceDeprecated ("Arc4Init"), FALSE;
 }
 
-/**
-  Performs ARC4 encryption on a data buffer of the specified size.
-
-  This function performs ARC4 encryption on data buffer pointed by Input, of specified
-  size of InputSize.
-  Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
-  invalid ARC4 context is undefined.
-
-  If Arc4Context is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-  @param[in]       Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]       InputSize    Size of the Input buffer in bytes.
-  @param[out]      Output       Pointer to a buffer that receives the ARC4 encryption output.
-
-  @retval TRUE   ARC4 encryption succeeded.
-  @retval FALSE  ARC4 encryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceArc4Encrypt (
+DeprecatedCryptoServiceArc4Encrypt (
   IN OUT  VOID         *Arc4Context,
   IN      CONST UINT8  *Input,
   IN      UINTN        InputSize,
   OUT     UINT8        *Output
   )
 {
-  return CALL_BASECRYPTLIB (Arc4.Services.Encrypt, Arc4Encrypt, (Arc4Context, Input, InputSize, Output), FALSE);
+  return BaseCryptLibServciceDeprecated ("Arc4Encrypt"), FALSE;
 }
 
-/**
-  Performs ARC4 decryption on a data buffer of the specified size.
-
-  This function performs ARC4 decryption on data buffer pointed by Input, of specified
-  size of InputSize.
-  Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
-  invalid ARC4 context is undefined.
-
-  If Arc4Context is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-  @param[in]       Input        Pointer to the buffer containing the data to be decrypted.
-  @param[in]       InputSize    Size of the Input buffer in bytes.
-  @param[out]      Output       Pointer to a buffer that receives the ARC4 decryption output.
-
-  @retval TRUE   ARC4 decryption succeeded.
-  @retval FALSE  ARC4 decryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceArc4Decrypt (
+DeprecatedCryptoServiceArc4Decrypt (
   IN OUT  VOID   *Arc4Context,
   IN      UINT8  *Input,
   IN      UINTN  InputSize,
   OUT     UINT8  *Output
   )
 {
-  return CALL_BASECRYPTLIB (Arc4.Services.Decrypt, Arc4Decrypt, (Arc4Context, Input, InputSize, Output), FALSE);
+  return BaseCryptLibServciceDeprecated ("Arc4Decrypt"), FALSE;
 }
 
-/**
-  Resets the ARC4 context to the initial state.
-
-  The function resets the ARC4 context to the state it had immediately after the
-  ARC4Init() function call.
-  Contrary to ARC4Init(), Arc4Reset() requires no secret key as input, but ARC4 context
-  should be already correctly initialized by ARC4Init().
-
-  If Arc4Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-
-  @retval TRUE   ARC4 reset succeeded.
-  @retval FALSE  ARC4 reset failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceArc4Reset (
+DeprecatedCryptoServiceArc4Reset (
   IN OUT  VOID  *Arc4Context
   )
 {
-  return CALL_BASECRYPTLIB (Arc4.Services.Reset, Arc4Reset, (Arc4Context), FALSE);
+  return BaseCryptLibServciceDeprecated ("Arc4Reset"), FALSE;
 }
 
 //=====================================================================================
@@ -4447,12 +4358,12 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
   CryptoServiceAesEcbDecrypt,
   CryptoServiceAesCbcEncrypt,
   CryptoServiceAesCbcDecrypt,
-  /// Arc4
-  CryptoServiceArc4GetContextSize,
-  CryptoServiceArc4Init,
-  CryptoServiceArc4Encrypt,
-  CryptoServiceArc4Decrypt,
-  CryptoServiceArc4Reset,
+  /// Arc4 - deprecated and unsupported
+  DeprecatedCryptoServiceArc4GetContextSize,
+  DeprecatedCryptoServiceArc4Init,
+  DeprecatedCryptoServiceArc4Encrypt,
+  DeprecatedCryptoServiceArc4Decrypt,
+  DeprecatedCryptoServiceArc4Reset,
   /// SM3
   CryptoServiceSm3GetContextSize,
   CryptoServiceSm3Init,
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index c862f0334f..25e236c4a3 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -1667,138 +1667,6 @@ AesCbcDecrypt (
   OUT  UINT8        *Output
   );
 
-/**
-  Retrieves the size, in bytes, of the context buffer required for ARC4 operations.
-
-  If this interface is not supported, then return zero.
-
-  @return  The size, in bytes, of the context buffer required for ARC4 operations.
-  @retval  0   This interface is not supported.
-
-**/
-UINTN
-EFIAPI
-Arc4GetContextSize (
-  VOID
-  );
-
-/**
-  Initializes user-supplied memory as ARC4 context for subsequent use.
-
-  This function initializes user-supplied memory pointed by Arc4Context as ARC4 context.
-  In addition, it sets up all ARC4 key materials for subsequent encryption and decryption
-  operations.
-
-  If Arc4Context is NULL, then return FALSE.
-  If Key is NULL, then return FALSE.
-  If KeySize does not in the range of [5, 256] bytes, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  Arc4Context  Pointer to ARC4 context being initialized.
-  @param[in]   Key          Pointer to the user-supplied ARC4 key.
-  @param[in]   KeySize      Size of ARC4 key in bytes.
-
-  @retval TRUE   ARC4 context initialization succeeded.
-  @retval FALSE  ARC4 context initialization failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Init (
-  OUT  VOID         *Arc4Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  );
-
-/**
-  Performs ARC4 encryption on a data buffer of the specified size.
-
-  This function performs ARC4 encryption on data buffer pointed by Input, of specified
-  size of InputSize.
-  Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
-  invalid ARC4 context is undefined.
-
-  If Arc4Context is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-  @param[in]       Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]       InputSize    Size of the Input buffer in bytes.
-  @param[out]      Output       Pointer to a buffer that receives the ARC4 encryption output.
-
-  @retval TRUE   ARC4 encryption succeeded.
-  @retval FALSE  ARC4 encryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Encrypt (
-  IN OUT  VOID         *Arc4Context,
-  IN      CONST UINT8  *Input,
-  IN      UINTN        InputSize,
-  OUT     UINT8        *Output
-  );
-
-/**
-  Performs ARC4 decryption on a data buffer of the specified size.
-
-  This function performs ARC4 decryption on data buffer pointed by Input, of specified
-  size of InputSize.
-  Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
-  invalid ARC4 context is undefined.
-
-  If Arc4Context is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-  @param[in]       Input        Pointer to the buffer containing the data to be decrypted.
-  @param[in]       InputSize    Size of the Input buffer in bytes.
-  @param[out]      Output       Pointer to a buffer that receives the ARC4 decryption output.
-
-  @retval TRUE   ARC4 decryption succeeded.
-  @retval FALSE  ARC4 decryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Decrypt (
-  IN OUT  VOID   *Arc4Context,
-  IN      UINT8  *Input,
-  IN      UINTN  InputSize,
-  OUT     UINT8  *Output
-  );
-
-/**
-  Resets the ARC4 context to the initial state.
-
-  The function resets the ARC4 context to the state it had immediately after the
-  ARC4Init() function call.
-  Contrary to ARC4Init(), Arc4Reset() requires no secret key as input, but ARC4 context
-  should be already correctly initialized by ARC4Init().
-
-  If Arc4Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-
-  @retval TRUE   ARC4 reset succeeded.
-  @retval FALSE  ARC4 reset failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Reset (
-  IN OUT  VOID  *Arc4Context
-  );
-
 //=====================================================================================
 //    Asymmetric Cryptography Primitive
 //=====================================================================================
diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
index 22992e7d43..da38ea552f 100644
--- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -40,7 +40,6 @@
   Kdf/CryptHkdf.c
   Cipher/CryptAes.c
   Cipher/CryptTdes.c
-  Cipher/CryptArc4.c
   Pk/CryptRsaBasic.c
   Pk/CryptRsaExt.c
   Pk/CryptPkcs1Oaep.c
diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4.c b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4.c
deleted file mode 100644
index 388d312bed..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4.c
+++ /dev/null
@@ -1,205 +0,0 @@
-/** @file
-  ARC4 Wrapper Implementation over OpenSSL.
-
-Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-#include <openssl/rc4.h>
-
-/**
-  Retrieves the size, in bytes, of the context buffer required for ARC4 operations.
-
-  @return  The size, in bytes, of the context buffer required for ARC4 operations.
-
-**/
-UINTN
-EFIAPI
-Arc4GetContextSize (
-  VOID
-  )
-{
-  //
-  // Memory for 2 copies of RC4_KEY is allocated, one for working copy, and the other
-  // for backup copy. When Arc4Reset() is called, we can use the backup copy to restore
-  // the working copy to the initial state.
-  //
-  return (UINTN) (2 * sizeof (RC4_KEY));
-}
-
-/**
-  Initializes user-supplied memory as ARC4 context for subsequent use.
-
-  This function initializes user-supplied memory pointed by Arc4Context as ARC4 context.
-  In addition, it sets up all ARC4 key materials for subsequent encryption and decryption
-  operations.
-
-  If Arc4Context is NULL, then return FALSE.
-  If Key is NULL, then return FALSE.
-  If KeySize does not in the range of [5, 256] bytes, then return FALSE.
-
-  @param[out]  Arc4Context  Pointer to ARC4 context being initialized.
-  @param[in]   Key          Pointer to the user-supplied ARC4 key.
-  @param[in]   KeySize      Size of ARC4 key in bytes.
-
-  @retval TRUE   ARC4 context initialization succeeded.
-  @retval FALSE  ARC4 context initialization failed.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Init (
-  OUT  VOID         *Arc4Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  )
-{
-  RC4_KEY  *Rc4Key;
-
-  //
-  // Check input parameters.
-  //
-  if (Arc4Context == NULL || Key == NULL || (KeySize < 5 || KeySize > 256)) {
-    return FALSE;
-  }
-
-  Rc4Key = (RC4_KEY *) Arc4Context;
-
-  RC4_set_key (Rc4Key, (UINT32) KeySize, Key);
-
-  CopyMem (Rc4Key +  1, Rc4Key, sizeof (RC4_KEY));
-
-  return TRUE;
-}
-
-/**
-  Performs ARC4 encryption on a data buffer of the specified size.
-
-  This function performs ARC4 encryption on data buffer pointed by Input, of specified
-  size of InputSize.
-  Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
-  invalid ARC4 context is undefined.
-
-  If Arc4Context is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-  @param[in]       Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]       InputSize    Size of the Input buffer in bytes.
-  @param[out]      Output       Pointer to a buffer that receives the ARC4 encryption output.
-
-  @retval TRUE   ARC4 encryption succeeded.
-  @retval FALSE  ARC4 encryption failed.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Encrypt (
-  IN OUT  VOID         *Arc4Context,
-  IN      CONST UINT8  *Input,
-  IN      UINTN        InputSize,
-  OUT     UINT8        *Output
-  )
-{
-  RC4_KEY  *Rc4Key;
-
-  //
-  // Check input parameters.
-  //
-  if (Arc4Context == NULL || Input == NULL || Output == NULL || InputSize > INT_MAX) {
-    return FALSE;
-  }
-
-  Rc4Key = (RC4_KEY *) Arc4Context;
-
-  RC4 (Rc4Key, (UINT32) InputSize, Input, Output);
-
-  return TRUE;
-}
-
-/**
-  Performs ARC4 decryption on a data buffer of the specified size.
-
-  This function performs ARC4 decryption on data buffer pointed by Input, of specified
-  size of InputSize.
-  Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
-  invalid ARC4 context is undefined.
-
-  If Arc4Context is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-  @param[in]       Input        Pointer to the buffer containing the data to be decrypted.
-  @param[in]       InputSize    Size of the Input buffer in bytes.
-  @param[out]      Output       Pointer to a buffer that receives the ARC4 decryption output.
-
-  @retval TRUE   ARC4 decryption succeeded.
-  @retval FALSE  ARC4 decryption failed.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Decrypt (
-  IN OUT  VOID   *Arc4Context,
-  IN      UINT8  *Input,
-  IN      UINTN  InputSize,
-  OUT     UINT8  *Output
-  )
-{
-  RC4_KEY  *Rc4Key;
-
-  //
-  // Check input parameters.
-  //
-  if (Arc4Context == NULL || Input == NULL || Output == NULL || InputSize > INT_MAX) {
-    return FALSE;
-  }
-
-  Rc4Key = (RC4_KEY *) Arc4Context;
-
-  RC4 (Rc4Key, (UINT32) InputSize, Input, Output);
-
-  return TRUE;
-}
-
-/**
-  Resets the ARC4 context to the initial state.
-
-  The function resets the ARC4 context to the state it had immediately after the
-  ARC4Init() function call.
-  Contrary to ARC4Init(), Arc4Reset() requires no secret key as input, but ARC4 context
-  should be already correctly initialized by ARC4Init().
-
-  If Arc4Context is NULL, then return FALSE.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-
-  @retval TRUE   ARC4 reset succeeded.
-  @retval FALSE  ARC4 reset failed.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Reset (
-  IN OUT  VOID  *Arc4Context
-  )
-{
-  RC4_KEY  *Rc4Key;
-
-  //
-  // Check input parameters.
-  //
-  if (Arc4Context == NULL) {
-    return FALSE;
-  }
-
-  Rc4Key = (RC4_KEY *) Arc4Context;
-
-  CopyMem (Rc4Key, Rc4Key + 1, sizeof (RC4_KEY));
-
-  return TRUE;
-}
diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4Null.c b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4Null.c
deleted file mode 100644
index 1f09bfa30e..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4Null.c
+++ /dev/null
@@ -1,124 +0,0 @@
-/** @file
-  ARC4 Wrapper Implementation which does not provide real capabilities.
-
-Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-
-/**
-  Retrieves the size, in bytes, of the context buffer required for ARC4 operations.
-
-  Return zero to indicate this interface is not supported.
-
-  @retval  0   This interface is not supported.
-
-
-**/
-UINTN
-EFIAPI
-Arc4GetContextSize (
-  VOID
-  )
-{
-  ASSERT (FALSE);
-  return 0;
-}
-
-/**
-  Initializes user-supplied memory as ARC4 context for subsequent use.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[out]  Arc4Context  Pointer to ARC4 context being initialized.
-  @param[in]   Key          Pointer to the user-supplied ARC4 key.
-  @param[in]   KeySize      Size of ARC4 key in bytes.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Init (
-  OUT  VOID         *Arc4Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Performs ARC4 encryption on a data buffer of the specified size.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-  @param[in]       Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]       InputSize    Size of the Input buffer in bytes.
-  @param[out]      Output       Pointer to a buffer that receives the ARC4 encryption output.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Encrypt (
-  IN OUT  VOID         *Arc4Context,
-  IN      CONST UINT8  *Input,
-  IN      UINTN        InputSize,
-  OUT     UINT8        *Output
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Performs ARC4 decryption on a data buffer of the specified size.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-  @param[in]       Input        Pointer to the buffer containing the data to be decrypted.
-  @param[in]       InputSize    Size of the Input buffer in bytes.
-  @param[out]      Output       Pointer to a buffer that receives the ARC4 decryption output.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Decrypt (
-  IN OUT  VOID   *Arc4Context,
-  IN      UINT8  *Input,
-  IN      UINTN  InputSize,
-  OUT     UINT8  *Output
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Resets the ARC4 context to the initial state.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Reset (
-  IN OUT  VOID  *Arc4Context
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
index e9add0127d..f43953b78c 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
@@ -7,7 +7,7 @@
 #  buffer overflow or integer overflow.
 #
 #  Note:
-#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES/ARC4 functions, RSA external
+#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES functions, RSA external
 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509
 #  certificate handler functions, authenticode signature verification functions,
 #  PEM handler functions, and pseudorandom number generator functions are not
@@ -46,7 +46,6 @@
   Kdf/CryptHkdfNull.c
   Cipher/CryptAesNull.c
   Cipher/CryptTdesNull.c
-  Cipher/CryptArc4Null.c
   Pk/CryptRsaBasic.c
   Pk/CryptRsaExtNull.c
   Pk/CryptPkcs1OaepNull.c
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
index 374bfb3f65..5abd8e8dfb 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
@@ -7,7 +7,7 @@
 // buffer overflow or integer overflow.
 //
 // Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
-// TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions,
+// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, X.509 certificate handler functions, authenticode
 // signature verification functions, PEM handler functions, and pseudorandom number
 // generator functions are not supported in this instance.
@@ -21,5 +21,5 @@
 
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for PEIM"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."
 
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
index 0a2eb03232..f1eb099b67 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
@@ -7,7 +7,7 @@
 #  buffer overflow or integer overflow.
 #
 #  Note: SHA-384 Digest functions, SHA-512 Digest functions,
-#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES/ARC4 functions, RSA external
+#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES functions, RSA external
 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
 #  authenticode signature verification functions are not supported in this instance.
 #
@@ -46,7 +46,6 @@
   Kdf/CryptHkdfNull.c
   Cipher/CryptAesNull.c
   Cipher/CryptTdesNull.c
-  Cipher/CryptArc4Null.c
   Pk/CryptRsaBasic.c
   Pk/CryptRsaExtNull.c
   Pk/CryptPkcs1OaepNull.c
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
index b6d751176e..5a48d2a308 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
@@ -7,7 +7,7 @@
 // buffer overflow or integer overflow.
 //
 // Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
-// TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions,
+// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, and authenticode signature verification functions are
 // not supported in this instance.
 //
@@ -20,5 +20,5 @@
 
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for DXE_RUNTIME_DRIVER"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
 
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
index 139983075e..3a94655775 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
@@ -7,7 +7,7 @@
 #  buffer overflow or integer overflow.
 #
 #  Note: SHA-384 Digest functions, SHA-512 Digest functions,
-#  HMAC-MD5 functions, HMAC-SHA1 functions, TDES/ARC4 functions, RSA external
+#  HMAC-MD5 functions, HMAC-SHA1 functions, TDES functions, RSA external
 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
 #  authenticode signature verification functions are not supported in this instance.
 #
@@ -45,7 +45,6 @@
   Kdf/CryptHkdfNull.c
   Cipher/CryptAes.c
   Cipher/CryptTdesNull.c
-  Cipher/CryptArc4Null.c
   Pk/CryptRsaBasic.c
   Pk/CryptRsaExtNull.c
   Pk/CryptPkcs1Oaep.c
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
index b8d7953d2b..0561f107e8 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
@@ -7,7 +7,7 @@
 // buffer overflow or integer overflow.
 //
 // Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
-// TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions,
+// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, and authenticode signature verification functions are
 // not supported in this instance.
 //
@@ -20,5 +20,5 @@
 
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for SMM driver"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
 
diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
index b03681b146..a205c9005d 100644
--- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
+++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
@@ -40,7 +40,6 @@
   Kdf/CryptHkdfNull.c
   Cipher/CryptAesNull.c
   Cipher/CryptTdesNull.c
-  Cipher/CryptArc4Null.c
   Pk/CryptRsaBasicNull.c
   Pk/CryptRsaExtNull.c
   Pk/CryptPkcs1OaepNull.c
diff --git a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptArc4Null.c b/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptArc4Null.c
deleted file mode 100644
index 1f09bfa30e..0000000000
--- a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptArc4Null.c
+++ /dev/null
@@ -1,124 +0,0 @@
-/** @file
-  ARC4 Wrapper Implementation which does not provide real capabilities.
-
-Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-
-/**
-  Retrieves the size, in bytes, of the context buffer required for ARC4 operations.
-
-  Return zero to indicate this interface is not supported.
-
-  @retval  0   This interface is not supported.
-
-
-**/
-UINTN
-EFIAPI
-Arc4GetContextSize (
-  VOID
-  )
-{
-  ASSERT (FALSE);
-  return 0;
-}
-
-/**
-  Initializes user-supplied memory as ARC4 context for subsequent use.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[out]  Arc4Context  Pointer to ARC4 context being initialized.
-  @param[in]   Key          Pointer to the user-supplied ARC4 key.
-  @param[in]   KeySize      Size of ARC4 key in bytes.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Init (
-  OUT  VOID         *Arc4Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Performs ARC4 encryption on a data buffer of the specified size.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-  @param[in]       Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]       InputSize    Size of the Input buffer in bytes.
-  @param[out]      Output       Pointer to a buffer that receives the ARC4 encryption output.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Encrypt (
-  IN OUT  VOID         *Arc4Context,
-  IN      CONST UINT8  *Input,
-  IN      UINTN        InputSize,
-  OUT     UINT8        *Output
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Performs ARC4 decryption on a data buffer of the specified size.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-  @param[in]       Input        Pointer to the buffer containing the data to be decrypted.
-  @param[in]       InputSize    Size of the Input buffer in bytes.
-  @param[out]      Output       Pointer to a buffer that receives the ARC4 decryption output.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Decrypt (
-  IN OUT  VOID   *Arc4Context,
-  IN      UINT8  *Input,
-  IN      UINTN  InputSize,
-  OUT     UINT8  *Output
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Resets the ARC4 context to the initial state.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Reset (
-  IN OUT  VOID  *Arc4Context
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index 5e470028f4..77915bdb86 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -1892,153 +1892,6 @@ AesCbcDecrypt (
   CALL_CRYPTO_SERVICE (AesCbcDecrypt, (AesContext, Input, InputSize, Ivec, Output), FALSE);
 }
 
-/**
-  Retrieves the size, in bytes, of the context buffer required for ARC4 operations.
-
-  If this interface is not supported, then return zero.
-
-  @return  The size, in bytes, of the context buffer required for ARC4 operations.
-  @retval  0   This interface is not supported.
-
-**/
-UINTN
-EFIAPI
-Arc4GetContextSize (
-  VOID
-  )
-{
-  CALL_CRYPTO_SERVICE (Arc4GetContextSize, (), 0);
-}
-
-/**
-  Initializes user-supplied memory as ARC4 context for subsequent use.
-
-  This function initializes user-supplied memory pointed by Arc4Context as ARC4 context.
-  In addition, it sets up all ARC4 key materials for subsequent encryption and decryption
-  operations.
-
-  If Arc4Context is NULL, then return FALSE.
-  If Key is NULL, then return FALSE.
-  If KeySize does not in the range of [5, 256] bytes, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  Arc4Context  Pointer to ARC4 context being initialized.
-  @param[in]   Key          Pointer to the user-supplied ARC4 key.
-  @param[in]   KeySize      Size of ARC4 key in bytes.
-
-  @retval TRUE   ARC4 context initialization succeeded.
-  @retval FALSE  ARC4 context initialization failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Init (
-  OUT  VOID         *Arc4Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  )
-{
-  CALL_CRYPTO_SERVICE (Arc4Init, (Arc4Context, Key, KeySize), FALSE);
-}
-
-/**
-  Performs ARC4 encryption on a data buffer of the specified size.
-
-  This function performs ARC4 encryption on data buffer pointed by Input, of specified
-  size of InputSize.
-  Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
-  invalid ARC4 context is undefined.
-
-  If Arc4Context is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-  @param[in]       Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]       InputSize    Size of the Input buffer in bytes.
-  @param[out]      Output       Pointer to a buffer that receives the ARC4 encryption output.
-
-  @retval TRUE   ARC4 encryption succeeded.
-  @retval FALSE  ARC4 encryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Encrypt (
-  IN OUT  VOID         *Arc4Context,
-  IN      CONST UINT8  *Input,
-  IN      UINTN        InputSize,
-  OUT     UINT8        *Output
-  )
-{
-  CALL_CRYPTO_SERVICE (Arc4Encrypt, (Arc4Context, Input, InputSize, Output), FALSE);
-}
-
-/**
-  Performs ARC4 decryption on a data buffer of the specified size.
-
-  This function performs ARC4 decryption on data buffer pointed by Input, of specified
-  size of InputSize.
-  Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
-  invalid ARC4 context is undefined.
-
-  If Arc4Context is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-  @param[in]       Input        Pointer to the buffer containing the data to be decrypted.
-  @param[in]       InputSize    Size of the Input buffer in bytes.
-  @param[out]      Output       Pointer to a buffer that receives the ARC4 decryption output.
-
-  @retval TRUE   ARC4 decryption succeeded.
-  @retval FALSE  ARC4 decryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Decrypt (
-  IN OUT  VOID   *Arc4Context,
-  IN      UINT8  *Input,
-  IN      UINTN  InputSize,
-  OUT     UINT8  *Output
-  )
-{
-  CALL_CRYPTO_SERVICE (Arc4Decrypt, (Arc4Context, Input, InputSize, Output), FALSE);
-}
-
-/**
-  Resets the ARC4 context to the initial state.
-
-  The function resets the ARC4 context to the state it had immediately after the
-  ARC4Init() function call.
-  Contrary to ARC4Init(), Arc4Reset() requires no secret key as input, but ARC4 context
-  should be already correctly initialized by ARC4Init().
-
-  If Arc4Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-
-  @retval TRUE   ARC4 reset succeeded.
-  @retval FALSE  ARC4 reset failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Reset (
-  IN OUT  VOID  *Arc4Context
-  )
-{
-  CALL_CRYPTO_SERVICE (Arc4Reset, (Arc4Context), FALSE);
-}
-
 //=====================================================================================
 //    Asymmetric Cryptography Primitive
 //=====================================================================================
diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h b/CryptoPkg/Library/Include/openssl/opensslconf.h
index 4f3f9ba377..22acabef87 100644
--- a/CryptoPkg/Library/Include/openssl/opensslconf.h
+++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
@@ -244,6 +244,9 @@ extern "C" {
 #ifndef OPENSSL_NO_MD4
 # define OPENSSL_NO_MD4
 #endif
+#ifndef OPENSSL_NO_RC4
+# define OPENSSL_NO_RC4
+#endif
 
 
 /*
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index 10710e4a7c..dfaefd1c08 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -374,8 +374,6 @@
   $(OPENSSL_PATH)/crypto/rand/rand_unix.c
   $(OPENSSL_PATH)/crypto/rand/rand_vms.c
   $(OPENSSL_PATH)/crypto/rand/rand_win.c
-  $(OPENSSL_PATH)/crypto/rc4/rc4_enc.c
-  $(OPENSSL_PATH)/crypto/rc4/rc4_skey.c
   $(OPENSSL_PATH)/crypto/rsa/rsa_ameth.c
   $(OPENSSL_PATH)/crypto/rsa/rsa_asn1.c
   $(OPENSSL_PATH)/crypto/rsa/rsa_chk.c
@@ -531,7 +529,6 @@
   $(OPENSSL_PATH)/crypto/ocsp/ocsp_lcl.h
   $(OPENSSL_PATH)/crypto/pkcs12/p12_lcl.h
   $(OPENSSL_PATH)/crypto/rand/rand_lcl.h
-  $(OPENSSL_PATH)/crypto/rc4/rc4_locl.h
   $(OPENSSL_PATH)/crypto/rsa/rsa_locl.h
   $(OPENSSL_PATH)/crypto/sha/sha_locl.h
   $(OPENSSL_PATH)/crypto/siphash/siphash_local.h
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
index d9782a3098..080e1d9305 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
@@ -374,8 +374,6 @@
   $(OPENSSL_PATH)/crypto/rand/rand_unix.c
   $(OPENSSL_PATH)/crypto/rand/rand_vms.c
   $(OPENSSL_PATH)/crypto/rand/rand_win.c
-  $(OPENSSL_PATH)/crypto/rc4/rc4_enc.c
-  $(OPENSSL_PATH)/crypto/rc4/rc4_skey.c
   $(OPENSSL_PATH)/crypto/rsa/rsa_ameth.c
   $(OPENSSL_PATH)/crypto/rsa/rsa_asn1.c
   $(OPENSSL_PATH)/crypto/rsa/rsa_chk.c
@@ -531,7 +529,6 @@
   $(OPENSSL_PATH)/crypto/ocsp/ocsp_lcl.h
   $(OPENSSL_PATH)/crypto/pkcs12/p12_lcl.h
   $(OPENSSL_PATH)/crypto/rand/rand_lcl.h
-  $(OPENSSL_PATH)/crypto/rc4/rc4_locl.h
   $(OPENSSL_PATH)/crypto/rsa/rsa_locl.h
   $(OPENSSL_PATH)/crypto/sha/sha_locl.h
   $(OPENSSL_PATH)/crypto/siphash/siphash_local.h
diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h
index ae0f29695c..f36c5c1aff 100644
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@@ -2785,134 +2785,45 @@ BOOLEAN
   );
 
 /**
-  Retrieves the size, in bytes, of the context buffer required for ARC4 operations.
-
-  If this interface is not supported, then return zero.
-
-  @return  The size, in bytes, of the context buffer required for ARC4 operations.
-  @retval  0   This interface is not supported.
+  ARC4 is deprecated and unsupported any longer.
+  Keep the function field for binary compability.
 
 **/
 typedef
 UINTN
-(EFIAPI *EDKII_CRYPTO_ARC4_GET_CONTEXT_SIZE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_ARC4_GET_CONTEXT_SIZE) (
   VOID
   );
 
-/**
-  Initializes user-supplied memory as ARC4 context for subsequent use.
-
-  This function initializes user-supplied memory pointed by Arc4Context as ARC4 context.
-  In addition, it sets up all ARC4 key materials for subsequent encryption and decryption
-  operations.
-
-  If Arc4Context is NULL, then return FALSE.
-  If Key is NULL, then return FALSE.
-  If KeySize does not in the range of [5, 256] bytes, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  Arc4Context  Pointer to ARC4 context being initialized.
-  @param[in]   Key          Pointer to the user-supplied ARC4 key.
-  @param[in]   KeySize      Size of ARC4 key in bytes.
-
-  @retval TRUE   ARC4 context initialization succeeded.
-  @retval FALSE  ARC4 context initialization failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_ARC4_INIT) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_ARC4_INIT) (
   OUT  VOID         *Arc4Context,
   IN   CONST UINT8  *Key,
   IN   UINTN        KeySize
   );
 
-/**
-  Performs ARC4 encryption on a data buffer of the specified size.
-
-  This function performs ARC4 encryption on data buffer pointed by Input, of specified
-  size of InputSize.
-  Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
-  invalid ARC4 context is undefined.
-
-  If Arc4Context is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-  @param[in]       Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]       InputSize    Size of the Input buffer in bytes.
-  @param[out]      Output       Pointer to a buffer that receives the ARC4 encryption output.
-
-  @retval TRUE   ARC4 encryption succeeded.
-  @retval FALSE  ARC4 encryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_ARC4_ENCRYPT) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_ARC4_ENCRYPT) (
   IN OUT  VOID         *Arc4Context,
   IN      CONST UINT8  *Input,
   IN      UINTN        InputSize,
   OUT     UINT8        *Output
   );
 
-/**
-  Performs ARC4 decryption on a data buffer of the specified size.
-
-  This function performs ARC4 decryption on data buffer pointed by Input, of specified
-  size of InputSize.
-  Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
-  invalid ARC4 context is undefined.
-
-  If Arc4Context is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-  @param[in]       Input        Pointer to the buffer containing the data to be decrypted.
-  @param[in]       InputSize    Size of the Input buffer in bytes.
-  @param[out]      Output       Pointer to a buffer that receives the ARC4 decryption output.
-
-  @retval TRUE   ARC4 decryption succeeded.
-  @retval FALSE  ARC4 decryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_ARC4_DECRYPT) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_ARC4_DECRYPT) (
   IN OUT  VOID   *Arc4Context,
   IN      UINT8  *Input,
   IN      UINTN  InputSize,
   OUT     UINT8  *Output
   );
 
-/**
-  Resets the ARC4 context to the initial state.
-
-  The function resets the ARC4 context to the state it had immediately after the
-  ARC4Init() function call.
-  Contrary to ARC4Init(), Arc4Reset() requires no secret key as input, but ARC4 context
-  should be already correctly initialized by ARC4Init().
-
-  If Arc4Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-
-  @retval TRUE   ARC4 reset succeeded.
-  @retval FALSE  ARC4 reset failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_ARC4_RESET) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_ARC4_RESET) (
   IN OUT  VOID  *Arc4Context
   );
 
@@ -4014,12 +3925,12 @@ struct _EDKII_CRYPTO_PROTOCOL {
   EDKII_CRYPTO_AES_ECB_DECRYPT                    AesEcbDecrypt;
   EDKII_CRYPTO_AES_CBC_ENCRYPT                    AesCbcEncrypt;
   EDKII_CRYPTO_AES_CBC_DECRYPT                    AesCbcDecrypt;
-  /// Arc4
-  EDKII_CRYPTO_ARC4_GET_CONTEXT_SIZE              Arc4GetContextSize;
-  EDKII_CRYPTO_ARC4_INIT                          Arc4Init;
-  EDKII_CRYPTO_ARC4_ENCRYPT                       Arc4Encrypt;
-  EDKII_CRYPTO_ARC4_DECRYPT                       Arc4Decrypt;
-  EDKII_CRYPTO_ARC4_RESET                         Arc4Reset;
+  /// Arc4 - deprecated and unsupported
+  DEPRECATED_EDKII_CRYPTO_ARC4_GET_CONTEXT_SIZE   DeprecatedArc4GetContextSize;
+  DEPRECATED_EDKII_CRYPTO_ARC4_INIT               DeprecatedArc4Init;
+  DEPRECATED_EDKII_CRYPTO_ARC4_ENCRYPT            DeprecatedArc4Encrypt;
+  DEPRECATED_EDKII_CRYPTO_ARC4_DECRYPT            DeprecatedArc4Decrypt;
+  DEPRECATED_EDKII_CRYPTO_ARC4_RESET              DeprecatedArc4Reset;
   /// SM3
   EDKII_CRYPTO_SM3_GET_CONTEXT_SIZE               Sm3GetContextSize;
   EDKII_CRYPTO_SM3_INIT                           Sm3Init;
-- 
2.21.0.windows.1

Re: [PATCH V3 3/8] CryptoPkg/BaseCryptLib: Retire ARC4 algorithm

[Wang, Jian J]

Zhichao,

Thanks for making this patch series.

Just two comments for patch 3:
(1) If possible, please group patch file based on module unit. For this patch,
I think at least OpensslLib can be put in separate patch file.
(2) Please update process_files.pl in OpensslLib to generate OpensslLibXxx.inf
and opensslconf.h.

Regards,
Jian

> -----Original Message-----
> From: Gao, Zhichao <zhichao.gao@intel.com>
> Sent: Thursday, May 07, 2020 7:58 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>;
> Fu, Siyuan <siyuan.fu@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>
> Subject: [PATCH V3 3/8] CryptoPkg/BaseCryptLib: Retire ARC4 algorithm
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
> 
> ARC4 is not secure any longer.
> Remove the ARC4 support from edk2.
> Change the ARC4 field name in EDKII_CRYPTO_PROTOCOL to indicate the
> function is unsupported any longer.
> 
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Siyuan Fu <siyuan.fu@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> ---
>  CryptoPkg/Driver/Crypto.c                     | 125 ++---------
>  CryptoPkg/Include/Library/BaseCryptLib.h      | 132 -----------
>  .../Library/BaseCryptLib/BaseCryptLib.inf     |   1 -
>  .../Library/BaseCryptLib/Cipher/CryptArc4.c   | 205 ------------------
>  .../BaseCryptLib/Cipher/CryptArc4Null.c       | 124 -----------
>  .../Library/BaseCryptLib/PeiCryptLib.inf      |   3 +-
>  .../Library/BaseCryptLib/PeiCryptLib.uni      |   4 +-
>  .../Library/BaseCryptLib/RuntimeCryptLib.inf  |   3 +-
>  .../Library/BaseCryptLib/RuntimeCryptLib.uni  |   4 +-
>  .../Library/BaseCryptLib/SmmCryptLib.inf      |   3 +-
>  .../Library/BaseCryptLib/SmmCryptLib.uni      |   4 +-
>  .../BaseCryptLibNull/BaseCryptLibNull.inf     |   1 -
>  .../BaseCryptLibNull/Cipher/CryptArc4Null.c   | 124 -----------
>  .../BaseCryptLibOnProtocolPpi/CryptLib.c      | 147 -------------
>  .../Library/Include/openssl/opensslconf.h     |   3 +
>  CryptoPkg/Library/OpensslLib/OpensslLib.inf   |   3 -
>  .../Library/OpensslLib/OpensslLibCrypto.inf   |   3 -
>  CryptoPkg/Private/Protocol/Crypto.h           | 115 ++--------
>  18 files changed, 43 insertions(+), 961 deletions(-)
>  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4.c
>  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4Null.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptArc4Null.c
> 
> diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
> index 95fc834bde..388a6e4b4b 100644
> --- a/CryptoPkg/Driver/Crypto.c
> +++ b/CryptoPkg/Driver/Crypto.c
> @@ -1982,150 +1982,61 @@ CryptoServiceAesCbcDecrypt (
>  }
> 
>  /**
> -  Retrieves the size, in bytes, of the context buffer required for ARC4 operations.
> -
> -  If this interface is not supported, then return zero.
> -
> -  @return  The size, in bytes, of the context buffer required for ARC4 operations.
> -  @retval  0   This interface is not supported.
> +  ARC4 is deprecated and unsupported any longer.
> +  Keep the function field for binary compability.
> 
>  **/
>  UINTN
>  EFIAPI
> -CryptoServiceArc4GetContextSize (
> +DeprecatedCryptoServiceArc4GetContextSize (
>    VOID
>    )
>  {
> -  return CALL_BASECRYPTLIB (Arc4.Services.GetContextSize,
> Arc4GetContextSize, (), 0);
> +  return BaseCryptLibServciceDeprecated ("Arc4GetContextSize"), 0;
>  }
> 
> -/**
> -  Initializes user-supplied memory as ARC4 context for subsequent use.
> -
> -  This function initializes user-supplied memory pointed by Arc4Context as ARC4
> context.
> -  In addition, it sets up all ARC4 key materials for subsequent encryption and
> decryption
> -  operations.
> -
> -  If Arc4Context is NULL, then return FALSE.
> -  If Key is NULL, then return FALSE.
> -  If KeySize does not in the range of [5, 256] bytes, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[out]  Arc4Context  Pointer to ARC4 context being initialized.
> -  @param[in]   Key          Pointer to the user-supplied ARC4 key.
> -  @param[in]   KeySize      Size of ARC4 key in bytes.
> -
> -  @retval TRUE   ARC4 context initialization succeeded.
> -  @retval FALSE  ARC4 context initialization failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  BOOLEAN
>  EFIAPI
> -CryptoServiceArc4Init (
> +DeprecatedCryptoServiceArc4Init (
>    OUT  VOID         *Arc4Context,
>    IN   CONST UINT8  *Key,
>    IN   UINTN        KeySize
>    )
>  {
> -  return CALL_BASECRYPTLIB (Arc4.Services.Init, Arc4Init, (Arc4Context, Key,
> KeySize), FALSE);
> +  return BaseCryptLibServciceDeprecated ("Arc4Init"), FALSE;
>  }
> 
> -/**
> -  Performs ARC4 encryption on a data buffer of the specified size.
> -
> -  This function performs ARC4 encryption on data buffer pointed by Input, of
> specified
> -  size of InputSize.
> -  Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
> -  invalid ARC4 context is undefined.
> -
> -  If Arc4Context is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If Output is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
> -  @param[in]       Input        Pointer to the buffer containing the data to be
> encrypted.
> -  @param[in]       InputSize    Size of the Input buffer in bytes.
> -  @param[out]      Output       Pointer to a buffer that receives the ARC4
> encryption output.
> -
> -  @retval TRUE   ARC4 encryption succeeded.
> -  @retval FALSE  ARC4 encryption failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  BOOLEAN
>  EFIAPI
> -CryptoServiceArc4Encrypt (
> +DeprecatedCryptoServiceArc4Encrypt (
>    IN OUT  VOID         *Arc4Context,
>    IN      CONST UINT8  *Input,
>    IN      UINTN        InputSize,
>    OUT     UINT8        *Output
>    )
>  {
> -  return CALL_BASECRYPTLIB (Arc4.Services.Encrypt, Arc4Encrypt, (Arc4Context,
> Input, InputSize, Output), FALSE);
> +  return BaseCryptLibServciceDeprecated ("Arc4Encrypt"), FALSE;
>  }
> 
> -/**
> -  Performs ARC4 decryption on a data buffer of the specified size.
> -
> -  This function performs ARC4 decryption on data buffer pointed by Input, of
> specified
> -  size of InputSize.
> -  Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
> -  invalid ARC4 context is undefined.
> -
> -  If Arc4Context is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If Output is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
> -  @param[in]       Input        Pointer to the buffer containing the data to be
> decrypted.
> -  @param[in]       InputSize    Size of the Input buffer in bytes.
> -  @param[out]      Output       Pointer to a buffer that receives the ARC4
> decryption output.
> -
> -  @retval TRUE   ARC4 decryption succeeded.
> -  @retval FALSE  ARC4 decryption failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  BOOLEAN
>  EFIAPI
> -CryptoServiceArc4Decrypt (
> +DeprecatedCryptoServiceArc4Decrypt (
>    IN OUT  VOID   *Arc4Context,
>    IN      UINT8  *Input,
>    IN      UINTN  InputSize,
>    OUT     UINT8  *Output
>    )
>  {
> -  return CALL_BASECRYPTLIB (Arc4.Services.Decrypt, Arc4Decrypt, (Arc4Context,
> Input, InputSize, Output), FALSE);
> +  return BaseCryptLibServciceDeprecated ("Arc4Decrypt"), FALSE;
>  }
> 
> -/**
> -  Resets the ARC4 context to the initial state.
> -
> -  The function resets the ARC4 context to the state it had immediately after the
> -  ARC4Init() function call.
> -  Contrary to ARC4Init(), Arc4Reset() requires no secret key as input, but ARC4
> context
> -  should be already correctly initialized by ARC4Init().
> -
> -  If Arc4Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
> -
> -  @retval TRUE   ARC4 reset succeeded.
> -  @retval FALSE  ARC4 reset failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  BOOLEAN
>  EFIAPI
> -CryptoServiceArc4Reset (
> +DeprecatedCryptoServiceArc4Reset (
>    IN OUT  VOID  *Arc4Context
>    )
>  {
> -  return CALL_BASECRYPTLIB (Arc4.Services.Reset, Arc4Reset, (Arc4Context),
> FALSE);
> +  return BaseCryptLibServciceDeprecated ("Arc4Reset"), FALSE;
>  }
> 
> 
> //===============================================================
> ======================
> @@ -4447,12 +4358,12 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
>    CryptoServiceAesEcbDecrypt,
>    CryptoServiceAesCbcEncrypt,
>    CryptoServiceAesCbcDecrypt,
> -  /// Arc4
> -  CryptoServiceArc4GetContextSize,
> -  CryptoServiceArc4Init,
> -  CryptoServiceArc4Encrypt,
> -  CryptoServiceArc4Decrypt,
> -  CryptoServiceArc4Reset,
> +  /// Arc4 - deprecated and unsupported
> +  DeprecatedCryptoServiceArc4GetContextSize,
> +  DeprecatedCryptoServiceArc4Init,
> +  DeprecatedCryptoServiceArc4Encrypt,
> +  DeprecatedCryptoServiceArc4Decrypt,
> +  DeprecatedCryptoServiceArc4Reset,
>    /// SM3
>    CryptoServiceSm3GetContextSize,
>    CryptoServiceSm3Init,
> diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h
> b/CryptoPkg/Include/Library/BaseCryptLib.h
> index c862f0334f..25e236c4a3 100644
> --- a/CryptoPkg/Include/Library/BaseCryptLib.h
> +++ b/CryptoPkg/Include/Library/BaseCryptLib.h
> @@ -1667,138 +1667,6 @@ AesCbcDecrypt (
>    OUT  UINT8        *Output
>    );
> 
> -/**
> -  Retrieves the size, in bytes, of the context buffer required for ARC4 operations.
> -
> -  If this interface is not supported, then return zero.
> -
> -  @return  The size, in bytes, of the context buffer required for ARC4 operations.
> -  @retval  0   This interface is not supported.
> -
> -**/
> -UINTN
> -EFIAPI
> -Arc4GetContextSize (
> -  VOID
> -  );
> -
> -/**
> -  Initializes user-supplied memory as ARC4 context for subsequent use.
> -
> -  This function initializes user-supplied memory pointed by Arc4Context as ARC4
> context.
> -  In addition, it sets up all ARC4 key materials for subsequent encryption and
> decryption
> -  operations.
> -
> -  If Arc4Context is NULL, then return FALSE.
> -  If Key is NULL, then return FALSE.
> -  If KeySize does not in the range of [5, 256] bytes, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[out]  Arc4Context  Pointer to ARC4 context being initialized.
> -  @param[in]   Key          Pointer to the user-supplied ARC4 key.
> -  @param[in]   KeySize      Size of ARC4 key in bytes.
> -
> -  @retval TRUE   ARC4 context initialization succeeded.
> -  @retval FALSE  ARC4 context initialization failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Init (
> -  OUT  VOID         *Arc4Context,
> -  IN   CONST UINT8  *Key,
> -  IN   UINTN        KeySize
> -  );
> -
> -/**
> -  Performs ARC4 encryption on a data buffer of the specified size.
> -
> -  This function performs ARC4 encryption on data buffer pointed by Input, of
> specified
> -  size of InputSize.
> -  Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
> -  invalid ARC4 context is undefined.
> -
> -  If Arc4Context is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If Output is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
> -  @param[in]       Input        Pointer to the buffer containing the data to be
> encrypted.
> -  @param[in]       InputSize    Size of the Input buffer in bytes.
> -  @param[out]      Output       Pointer to a buffer that receives the ARC4
> encryption output.
> -
> -  @retval TRUE   ARC4 encryption succeeded.
> -  @retval FALSE  ARC4 encryption failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Encrypt (
> -  IN OUT  VOID         *Arc4Context,
> -  IN      CONST UINT8  *Input,
> -  IN      UINTN        InputSize,
> -  OUT     UINT8        *Output
> -  );
> -
> -/**
> -  Performs ARC4 decryption on a data buffer of the specified size.
> -
> -  This function performs ARC4 decryption on data buffer pointed by Input, of
> specified
> -  size of InputSize.
> -  Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
> -  invalid ARC4 context is undefined.
> -
> -  If Arc4Context is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If Output is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
> -  @param[in]       Input        Pointer to the buffer containing the data to be
> decrypted.
> -  @param[in]       InputSize    Size of the Input buffer in bytes.
> -  @param[out]      Output       Pointer to a buffer that receives the ARC4
> decryption output.
> -
> -  @retval TRUE   ARC4 decryption succeeded.
> -  @retval FALSE  ARC4 decryption failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Decrypt (
> -  IN OUT  VOID   *Arc4Context,
> -  IN      UINT8  *Input,
> -  IN      UINTN  InputSize,
> -  OUT     UINT8  *Output
> -  );
> -
> -/**
> -  Resets the ARC4 context to the initial state.
> -
> -  The function resets the ARC4 context to the state it had immediately after the
> -  ARC4Init() function call.
> -  Contrary to ARC4Init(), Arc4Reset() requires no secret key as input, but ARC4
> context
> -  should be already correctly initialized by ARC4Init().
> -
> -  If Arc4Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
> -
> -  @retval TRUE   ARC4 reset succeeded.
> -  @retval FALSE  ARC4 reset failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Reset (
> -  IN OUT  VOID  *Arc4Context
> -  );
> -
> 
> //===============================================================
> ======================
>  //    Asymmetric Cryptography Primitive
> 
> //===============================================================
> ======================
> diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> index 22992e7d43..da38ea552f 100644
> --- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> @@ -40,7 +40,6 @@
>    Kdf/CryptHkdf.c
>    Cipher/CryptAes.c
>    Cipher/CryptTdes.c
> -  Cipher/CryptArc4.c
>    Pk/CryptRsaBasic.c
>    Pk/CryptRsaExt.c
>    Pk/CryptPkcs1Oaep.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4.c
> b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4.c
> deleted file mode 100644
> index 388d312bed..0000000000
> --- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4.c
> +++ /dev/null
> @@ -1,205 +0,0 @@
> -/** @file
> -  ARC4 Wrapper Implementation over OpenSSL.
> -
> -Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -#include <openssl/rc4.h>
> -
> -/**
> -  Retrieves the size, in bytes, of the context buffer required for ARC4 operations.
> -
> -  @return  The size, in bytes, of the context buffer required for ARC4 operations.
> -
> -**/
> -UINTN
> -EFIAPI
> -Arc4GetContextSize (
> -  VOID
> -  )
> -{
> -  //
> -  // Memory for 2 copies of RC4_KEY is allocated, one for working copy, and
> the other
> -  // for backup copy. When Arc4Reset() is called, we can use the backup copy to
> restore
> -  // the working copy to the initial state.
> -  //
> -  return (UINTN) (2 * sizeof (RC4_KEY));
> -}
> -
> -/**
> -  Initializes user-supplied memory as ARC4 context for subsequent use.
> -
> -  This function initializes user-supplied memory pointed by Arc4Context as ARC4
> context.
> -  In addition, it sets up all ARC4 key materials for subsequent encryption and
> decryption
> -  operations.
> -
> -  If Arc4Context is NULL, then return FALSE.
> -  If Key is NULL, then return FALSE.
> -  If KeySize does not in the range of [5, 256] bytes, then return FALSE.
> -
> -  @param[out]  Arc4Context  Pointer to ARC4 context being initialized.
> -  @param[in]   Key          Pointer to the user-supplied ARC4 key.
> -  @param[in]   KeySize      Size of ARC4 key in bytes.
> -
> -  @retval TRUE   ARC4 context initialization succeeded.
> -  @retval FALSE  ARC4 context initialization failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Init (
> -  OUT  VOID         *Arc4Context,
> -  IN   CONST UINT8  *Key,
> -  IN   UINTN        KeySize
> -  )
> -{
> -  RC4_KEY  *Rc4Key;
> -
> -  //
> -  // Check input parameters.
> -  //
> -  if (Arc4Context == NULL || Key == NULL || (KeySize < 5 || KeySize > 256)) {
> -    return FALSE;
> -  }
> -
> -  Rc4Key = (RC4_KEY *) Arc4Context;
> -
> -  RC4_set_key (Rc4Key, (UINT32) KeySize, Key);
> -
> -  CopyMem (Rc4Key +  1, Rc4Key, sizeof (RC4_KEY));
> -
> -  return TRUE;
> -}
> -
> -/**
> -  Performs ARC4 encryption on a data buffer of the specified size.
> -
> -  This function performs ARC4 encryption on data buffer pointed by Input, of
> specified
> -  size of InputSize.
> -  Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
> -  invalid ARC4 context is undefined.
> -
> -  If Arc4Context is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If Output is NULL, then return FALSE.
> -
> -  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
> -  @param[in]       Input        Pointer to the buffer containing the data to be
> encrypted.
> -  @param[in]       InputSize    Size of the Input buffer in bytes.
> -  @param[out]      Output       Pointer to a buffer that receives the ARC4
> encryption output.
> -
> -  @retval TRUE   ARC4 encryption succeeded.
> -  @retval FALSE  ARC4 encryption failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Encrypt (
> -  IN OUT  VOID         *Arc4Context,
> -  IN      CONST UINT8  *Input,
> -  IN      UINTN        InputSize,
> -  OUT     UINT8        *Output
> -  )
> -{
> -  RC4_KEY  *Rc4Key;
> -
> -  //
> -  // Check input parameters.
> -  //
> -  if (Arc4Context == NULL || Input == NULL || Output == NULL || InputSize >
> INT_MAX) {
> -    return FALSE;
> -  }
> -
> -  Rc4Key = (RC4_KEY *) Arc4Context;
> -
> -  RC4 (Rc4Key, (UINT32) InputSize, Input, Output);
> -
> -  return TRUE;
> -}
> -
> -/**
> -  Performs ARC4 decryption on a data buffer of the specified size.
> -
> -  This function performs ARC4 decryption on data buffer pointed by Input, of
> specified
> -  size of InputSize.
> -  Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
> -  invalid ARC4 context is undefined.
> -
> -  If Arc4Context is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If Output is NULL, then return FALSE.
> -
> -  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
> -  @param[in]       Input        Pointer to the buffer containing the data to be
> decrypted.
> -  @param[in]       InputSize    Size of the Input buffer in bytes.
> -  @param[out]      Output       Pointer to a buffer that receives the ARC4
> decryption output.
> -
> -  @retval TRUE   ARC4 decryption succeeded.
> -  @retval FALSE  ARC4 decryption failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Decrypt (
> -  IN OUT  VOID   *Arc4Context,
> -  IN      UINT8  *Input,
> -  IN      UINTN  InputSize,
> -  OUT     UINT8  *Output
> -  )
> -{
> -  RC4_KEY  *Rc4Key;
> -
> -  //
> -  // Check input parameters.
> -  //
> -  if (Arc4Context == NULL || Input == NULL || Output == NULL || InputSize >
> INT_MAX) {
> -    return FALSE;
> -  }
> -
> -  Rc4Key = (RC4_KEY *) Arc4Context;
> -
> -  RC4 (Rc4Key, (UINT32) InputSize, Input, Output);
> -
> -  return TRUE;
> -}
> -
> -/**
> -  Resets the ARC4 context to the initial state.
> -
> -  The function resets the ARC4 context to the state it had immediately after the
> -  ARC4Init() function call.
> -  Contrary to ARC4Init(), Arc4Reset() requires no secret key as input, but ARC4
> context
> -  should be already correctly initialized by ARC4Init().
> -
> -  If Arc4Context is NULL, then return FALSE.
> -
> -  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
> -
> -  @retval TRUE   ARC4 reset succeeded.
> -  @retval FALSE  ARC4 reset failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Reset (
> -  IN OUT  VOID  *Arc4Context
> -  )
> -{
> -  RC4_KEY  *Rc4Key;
> -
> -  //
> -  // Check input parameters.
> -  //
> -  if (Arc4Context == NULL) {
> -    return FALSE;
> -  }
> -
> -  Rc4Key = (RC4_KEY *) Arc4Context;
> -
> -  CopyMem (Rc4Key, Rc4Key + 1, sizeof (RC4_KEY));
> -
> -  return TRUE;
> -}
> diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4Null.c
> b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4Null.c
> deleted file mode 100644
> index 1f09bfa30e..0000000000
> --- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4Null.c
> +++ /dev/null
> @@ -1,124 +0,0 @@
> -/** @file
> -  ARC4 Wrapper Implementation which does not provide real capabilities.
> -
> -Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -
> -/**
> -  Retrieves the size, in bytes, of the context buffer required for ARC4 operations.
> -
> -  Return zero to indicate this interface is not supported.
> -
> -  @retval  0   This interface is not supported.
> -
> -
> -**/
> -UINTN
> -EFIAPI
> -Arc4GetContextSize (
> -  VOID
> -  )
> -{
> -  ASSERT (FALSE);
> -  return 0;
> -}
> -
> -/**
> -  Initializes user-supplied memory as ARC4 context for subsequent use.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[out]  Arc4Context  Pointer to ARC4 context being initialized.
> -  @param[in]   Key          Pointer to the user-supplied ARC4 key.
> -  @param[in]   KeySize      Size of ARC4 key in bytes.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Init (
> -  OUT  VOID         *Arc4Context,
> -  IN   CONST UINT8  *Key,
> -  IN   UINTN        KeySize
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Performs ARC4 encryption on a data buffer of the specified size.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
> -  @param[in]       Input        Pointer to the buffer containing the data to be
> encrypted.
> -  @param[in]       InputSize    Size of the Input buffer in bytes.
> -  @param[out]      Output       Pointer to a buffer that receives the ARC4
> encryption output.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Encrypt (
> -  IN OUT  VOID         *Arc4Context,
> -  IN      CONST UINT8  *Input,
> -  IN      UINTN        InputSize,
> -  OUT     UINT8        *Output
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Performs ARC4 decryption on a data buffer of the specified size.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
> -  @param[in]       Input        Pointer to the buffer containing the data to be
> decrypted.
> -  @param[in]       InputSize    Size of the Input buffer in bytes.
> -  @param[out]      Output       Pointer to a buffer that receives the ARC4
> decryption output.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Decrypt (
> -  IN OUT  VOID   *Arc4Context,
> -  IN      UINT8  *Input,
> -  IN      UINTN  InputSize,
> -  OUT     UINT8  *Output
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Resets the ARC4 context to the initial state.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Reset (
> -  IN OUT  VOID  *Arc4Context
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> index e9add0127d..f43953b78c 100644
> --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> @@ -7,7 +7,7 @@
>  #  buffer overflow or integer overflow.
>  #
>  #  Note:
> -#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES/ARC4
> functions, RSA external
> +#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES functions,
> RSA external
>  #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509
>  #  certificate handler functions, authenticode signature verification functions,
>  #  PEM handler functions, and pseudorandom number generator functions are
> not
> @@ -46,7 +46,6 @@
>    Kdf/CryptHkdfNull.c
>    Cipher/CryptAesNull.c
>    Cipher/CryptTdesNull.c
> -  Cipher/CryptArc4Null.c
>    Pk/CryptRsaBasic.c
>    Pk/CryptRsaExtNull.c
>    Pk/CryptPkcs1OaepNull.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> index 374bfb3f65..5abd8e8dfb 100644
> --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> @@ -7,7 +7,7 @@
>  // buffer overflow or integer overflow.
>  //
>  // Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
> -// TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign
> functions,
> +// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,
>  // Diffie-Hellman functions, X.509 certificate handler functions, authenticode
>  // signature verification functions, PEM handler functions, and pseudorandom
> number
>  // generator functions are not supported in this instance.
> @@ -21,5 +21,5 @@
> 
>  #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic
> Library Instance for PEIM"
> 
> -#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions,
> PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate
> handler functions, authenticode signature verification functions, PEM handler
> functions, and pseudorandom number generator functions are not supported in
> this instance."
> +#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7
> SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler
> functions, authenticode signature verification functions, PEM handler functions,
> and pseudorandom number generator functions are not supported in this
> instance."
> 
> diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> index 0a2eb03232..f1eb099b67 100644
> --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> @@ -7,7 +7,7 @@
>  #  buffer overflow or integer overflow.
>  #
>  #  Note: SHA-384 Digest functions, SHA-512 Digest functions,
> -#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES/ARC4
> functions, RSA external
> +#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES functions,
> RSA external
>  #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
>  #  authenticode signature verification functions are not supported in this
> instance.
>  #
> @@ -46,7 +46,6 @@
>    Kdf/CryptHkdfNull.c
>    Cipher/CryptAesNull.c
>    Cipher/CryptTdesNull.c
> -  Cipher/CryptArc4Null.c
>    Pk/CryptRsaBasic.c
>    Pk/CryptRsaExtNull.c
>    Pk/CryptPkcs1OaepNull.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> index b6d751176e..5a48d2a308 100644
> --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> @@ -7,7 +7,7 @@
>  // buffer overflow or integer overflow.
>  //
>  // Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
> -// TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign
> functions,
> +// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,
>  // Diffie-Hellman functions, and authenticode signature verification functions
> are
>  // not supported in this instance.
>  //
> @@ -20,5 +20,5 @@
> 
>  #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic
> Library Instance for DXE_RUNTIME_DRIVER"
> 
> -#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions,
> PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode
> signature verification functions are not supported in this instance."
> +#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7
> SignedData sign functions, Diffie-Hellman functions, and authenticode signature
> verification functions are not supported in this instance."
> 
> diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> index 139983075e..3a94655775 100644
> --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> @@ -7,7 +7,7 @@
>  #  buffer overflow or integer overflow.
>  #
>  #  Note: SHA-384 Digest functions, SHA-512 Digest functions,
> -#  HMAC-MD5 functions, HMAC-SHA1 functions, TDES/ARC4 functions, RSA
> external
> +#  HMAC-MD5 functions, HMAC-SHA1 functions, TDES functions, RSA external
>  #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
>  #  authenticode signature verification functions are not supported in this
> instance.
>  #
> @@ -45,7 +45,6 @@
>    Kdf/CryptHkdfNull.c
>    Cipher/CryptAes.c
>    Cipher/CryptTdesNull.c
> -  Cipher/CryptArc4Null.c
>    Pk/CryptRsaBasic.c
>    Pk/CryptRsaExtNull.c
>    Pk/CryptPkcs1Oaep.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> index b8d7953d2b..0561f107e8 100644
> --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> @@ -7,7 +7,7 @@
>  // buffer overflow or integer overflow.
>  //
>  // Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
> -// TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign
> functions,
> +// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,
>  // Diffie-Hellman functions, and authenticode signature verification functions
> are
>  // not supported in this instance.
>  //
> @@ -20,5 +20,5 @@
> 
>  #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic
> Library Instance for SMM driver"
> 
> -#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions,
> PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode
> signature verification functions are not supported in this instance."
> +#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7
> SignedData sign functions, Diffie-Hellman functions, and authenticode signature
> verification functions are not supported in this instance."
> 
> diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> index b03681b146..a205c9005d 100644
> --- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> +++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> @@ -40,7 +40,6 @@
>    Kdf/CryptHkdfNull.c
>    Cipher/CryptAesNull.c
>    Cipher/CryptTdesNull.c
> -  Cipher/CryptArc4Null.c
>    Pk/CryptRsaBasicNull.c
>    Pk/CryptRsaExtNull.c
>    Pk/CryptPkcs1OaepNull.c
> diff --git a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptArc4Null.c
> b/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptArc4Null.c
> deleted file mode 100644
> index 1f09bfa30e..0000000000
> --- a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptArc4Null.c
> +++ /dev/null
> @@ -1,124 +0,0 @@
> -/** @file
> -  ARC4 Wrapper Implementation which does not provide real capabilities.
> -
> -Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -
> -/**
> -  Retrieves the size, in bytes, of the context buffer required for ARC4 operations.
> -
> -  Return zero to indicate this interface is not supported.
> -
> -  @retval  0   This interface is not supported.
> -
> -
> -**/
> -UINTN
> -EFIAPI
> -Arc4GetContextSize (
> -  VOID
> -  )
> -{
> -  ASSERT (FALSE);
> -  return 0;
> -}
> -
> -/**
> -  Initializes user-supplied memory as ARC4 context for subsequent use.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[out]  Arc4Context  Pointer to ARC4 context being initialized.
> -  @param[in]   Key          Pointer to the user-supplied ARC4 key.
> -  @param[in]   KeySize      Size of ARC4 key in bytes.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Init (
> -  OUT  VOID         *Arc4Context,
> -  IN   CONST UINT8  *Key,
> -  IN   UINTN        KeySize
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Performs ARC4 encryption on a data buffer of the specified size.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
> -  @param[in]       Input        Pointer to the buffer containing the data to be
> encrypted.
> -  @param[in]       InputSize    Size of the Input buffer in bytes.
> -  @param[out]      Output       Pointer to a buffer that receives the ARC4
> encryption output.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Encrypt (
> -  IN OUT  VOID         *Arc4Context,
> -  IN      CONST UINT8  *Input,
> -  IN      UINTN        InputSize,
> -  OUT     UINT8        *Output
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Performs ARC4 decryption on a data buffer of the specified size.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
> -  @param[in]       Input        Pointer to the buffer containing the data to be
> decrypted.
> -  @param[in]       InputSize    Size of the Input buffer in bytes.
> -  @param[out]      Output       Pointer to a buffer that receives the ARC4
> decryption output.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Decrypt (
> -  IN OUT  VOID   *Arc4Context,
> -  IN      UINT8  *Input,
> -  IN      UINTN  InputSize,
> -  OUT     UINT8  *Output
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Resets the ARC4 context to the initial state.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Reset (
> -  IN OUT  VOID  *Arc4Context
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> index 5e470028f4..77915bdb86 100644
> --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> @@ -1892,153 +1892,6 @@ AesCbcDecrypt (
>    CALL_CRYPTO_SERVICE (AesCbcDecrypt, (AesContext, Input, InputSize, Ivec,
> Output), FALSE);
>  }
> 
> -/**
> -  Retrieves the size, in bytes, of the context buffer required for ARC4 operations.
> -
> -  If this interface is not supported, then return zero.
> -
> -  @return  The size, in bytes, of the context buffer required for ARC4 operations.
> -  @retval  0   This interface is not supported.
> -
> -**/
> -UINTN
> -EFIAPI
> -Arc4GetContextSize (
> -  VOID
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (Arc4GetContextSize, (), 0);
> -}
> -
> -/**
> -  Initializes user-supplied memory as ARC4 context for subsequent use.
> -
> -  This function initializes user-supplied memory pointed by Arc4Context as ARC4
> context.
> -  In addition, it sets up all ARC4 key materials for subsequent encryption and
> decryption
> -  operations.
> -
> -  If Arc4Context is NULL, then return FALSE.
> -  If Key is NULL, then return FALSE.
> -  If KeySize does not in the range of [5, 256] bytes, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[out]  Arc4Context  Pointer to ARC4 context being initialized.
> -  @param[in]   Key          Pointer to the user-supplied ARC4 key.
> -  @param[in]   KeySize      Size of ARC4 key in bytes.
> -
> -  @retval TRUE   ARC4 context initialization succeeded.
> -  @retval FALSE  ARC4 context initialization failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Init (
> -  OUT  VOID         *Arc4Context,
> -  IN   CONST UINT8  *Key,
> -  IN   UINTN        KeySize
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (Arc4Init, (Arc4Context, Key, KeySize), FALSE);
> -}
> -
> -/**
> -  Performs ARC4 encryption on a data buffer of the specified size.
> -
> -  This function performs ARC4 encryption on data buffer pointed by Input, of
> specified
> -  size of InputSize.
> -  Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
> -  invalid ARC4 context is undefined.
> -
> -  If Arc4Context is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If Output is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
> -  @param[in]       Input        Pointer to the buffer containing the data to be
> encrypted.
> -  @param[in]       InputSize    Size of the Input buffer in bytes.
> -  @param[out]      Output       Pointer to a buffer that receives the ARC4
> encryption output.
> -
> -  @retval TRUE   ARC4 encryption succeeded.
> -  @retval FALSE  ARC4 encryption failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Encrypt (
> -  IN OUT  VOID         *Arc4Context,
> -  IN      CONST UINT8  *Input,
> -  IN      UINTN        InputSize,
> -  OUT     UINT8        *Output
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (Arc4Encrypt, (Arc4Context, Input, InputSize, Output),
> FALSE);
> -}
> -
> -/**
> -  Performs ARC4 decryption on a data buffer of the specified size.
> -
> -  This function performs ARC4 decryption on data buffer pointed by Input, of
> specified
> -  size of InputSize.
> -  Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
> -  invalid ARC4 context is undefined.
> -
> -  If Arc4Context is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If Output is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
> -  @param[in]       Input        Pointer to the buffer containing the data to be
> decrypted.
> -  @param[in]       InputSize    Size of the Input buffer in bytes.
> -  @param[out]      Output       Pointer to a buffer that receives the ARC4
> decryption output.
> -
> -  @retval TRUE   ARC4 decryption succeeded.
> -  @retval FALSE  ARC4 decryption failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Decrypt (
> -  IN OUT  VOID   *Arc4Context,
> -  IN      UINT8  *Input,
> -  IN      UINTN  InputSize,
> -  OUT     UINT8  *Output
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (Arc4Decrypt, (Arc4Context, Input, InputSize, Output),
> FALSE);
> -}
> -
> -/**
> -  Resets the ARC4 context to the initial state.
> -
> -  The function resets the ARC4 context to the state it had immediately after the
> -  ARC4Init() function call.
> -  Contrary to ARC4Init(), Arc4Reset() requires no secret key as input, but ARC4
> context
> -  should be already correctly initialized by ARC4Init().
> -
> -  If Arc4Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
> -
> -  @retval TRUE   ARC4 reset succeeded.
> -  @retval FALSE  ARC4 reset failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Arc4Reset (
> -  IN OUT  VOID  *Arc4Context
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (Arc4Reset, (Arc4Context), FALSE);
> -}
> -
> 
> //===============================================================
> ======================
>  //    Asymmetric Cryptography Primitive
> 
> //===============================================================
> ======================
> diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h
> b/CryptoPkg/Library/Include/openssl/opensslconf.h
> index 4f3f9ba377..22acabef87 100644
> --- a/CryptoPkg/Library/Include/openssl/opensslconf.h
> +++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
> @@ -244,6 +244,9 @@ extern "C" {
>  #ifndef OPENSSL_NO_MD4
>  # define OPENSSL_NO_MD4
>  #endif
> +#ifndef OPENSSL_NO_RC4
> +# define OPENSSL_NO_RC4
> +#endif
> 
> 
>  /*
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> index 10710e4a7c..dfaefd1c08 100644
> --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> @@ -374,8 +374,6 @@
>    $(OPENSSL_PATH)/crypto/rand/rand_unix.c
>    $(OPENSSL_PATH)/crypto/rand/rand_vms.c
>    $(OPENSSL_PATH)/crypto/rand/rand_win.c
> -  $(OPENSSL_PATH)/crypto/rc4/rc4_enc.c
> -  $(OPENSSL_PATH)/crypto/rc4/rc4_skey.c
>    $(OPENSSL_PATH)/crypto/rsa/rsa_ameth.c
>    $(OPENSSL_PATH)/crypto/rsa/rsa_asn1.c
>    $(OPENSSL_PATH)/crypto/rsa/rsa_chk.c
> @@ -531,7 +529,6 @@
>    $(OPENSSL_PATH)/crypto/ocsp/ocsp_lcl.h
>    $(OPENSSL_PATH)/crypto/pkcs12/p12_lcl.h
>    $(OPENSSL_PATH)/crypto/rand/rand_lcl.h
> -  $(OPENSSL_PATH)/crypto/rc4/rc4_locl.h
>    $(OPENSSL_PATH)/crypto/rsa/rsa_locl.h
>    $(OPENSSL_PATH)/crypto/sha/sha_locl.h
>    $(OPENSSL_PATH)/crypto/siphash/siphash_local.h
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> index d9782a3098..080e1d9305 100644
> --- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> +++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> @@ -374,8 +374,6 @@
>    $(OPENSSL_PATH)/crypto/rand/rand_unix.c
>    $(OPENSSL_PATH)/crypto/rand/rand_vms.c
>    $(OPENSSL_PATH)/crypto/rand/rand_win.c
> -  $(OPENSSL_PATH)/crypto/rc4/rc4_enc.c
> -  $(OPENSSL_PATH)/crypto/rc4/rc4_skey.c
>    $(OPENSSL_PATH)/crypto/rsa/rsa_ameth.c
>    $(OPENSSL_PATH)/crypto/rsa/rsa_asn1.c
>    $(OPENSSL_PATH)/crypto/rsa/rsa_chk.c
> @@ -531,7 +529,6 @@
>    $(OPENSSL_PATH)/crypto/ocsp/ocsp_lcl.h
>    $(OPENSSL_PATH)/crypto/pkcs12/p12_lcl.h
>    $(OPENSSL_PATH)/crypto/rand/rand_lcl.h
> -  $(OPENSSL_PATH)/crypto/rc4/rc4_locl.h
>    $(OPENSSL_PATH)/crypto/rsa/rsa_locl.h
>    $(OPENSSL_PATH)/crypto/sha/sha_locl.h
>    $(OPENSSL_PATH)/crypto/siphash/siphash_local.h
> diff --git a/CryptoPkg/Private/Protocol/Crypto.h
> b/CryptoPkg/Private/Protocol/Crypto.h
> index ae0f29695c..f36c5c1aff 100644
> --- a/CryptoPkg/Private/Protocol/Crypto.h
> +++ b/CryptoPkg/Private/Protocol/Crypto.h
> @@ -2785,134 +2785,45 @@ BOOLEAN
>    );
> 
>  /**
> -  Retrieves the size, in bytes, of the context buffer required for ARC4 operations.
> -
> -  If this interface is not supported, then return zero.
> -
> -  @return  The size, in bytes, of the context buffer required for ARC4 operations.
> -  @retval  0   This interface is not supported.
> +  ARC4 is deprecated and unsupported any longer.
> +  Keep the function field for binary compability.
> 
>  **/
>  typedef
>  UINTN
> -(EFIAPI *EDKII_CRYPTO_ARC4_GET_CONTEXT_SIZE) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_ARC4_GET_CONTEXT_SIZE) (
>    VOID
>    );
> 
> -/**
> -  Initializes user-supplied memory as ARC4 context for subsequent use.
> -
> -  This function initializes user-supplied memory pointed by Arc4Context as ARC4
> context.
> -  In addition, it sets up all ARC4 key materials for subsequent encryption and
> decryption
> -  operations.
> -
> -  If Arc4Context is NULL, then return FALSE.
> -  If Key is NULL, then return FALSE.
> -  If KeySize does not in the range of [5, 256] bytes, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[out]  Arc4Context  Pointer to ARC4 context being initialized.
> -  @param[in]   Key          Pointer to the user-supplied ARC4 key.
> -  @param[in]   KeySize      Size of ARC4 key in bytes.
> -
> -  @retval TRUE   ARC4 context initialization succeeded.
> -  @retval FALSE  ARC4 context initialization failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  typedef
>  BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_ARC4_INIT) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_ARC4_INIT) (
>    OUT  VOID         *Arc4Context,
>    IN   CONST UINT8  *Key,
>    IN   UINTN        KeySize
>    );
> 
> -/**
> -  Performs ARC4 encryption on a data buffer of the specified size.
> -
> -  This function performs ARC4 encryption on data buffer pointed by Input, of
> specified
> -  size of InputSize.
> -  Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
> -  invalid ARC4 context is undefined.
> -
> -  If Arc4Context is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If Output is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
> -  @param[in]       Input        Pointer to the buffer containing the data to be
> encrypted.
> -  @param[in]       InputSize    Size of the Input buffer in bytes.
> -  @param[out]      Output       Pointer to a buffer that receives the ARC4
> encryption output.
> -
> -  @retval TRUE   ARC4 encryption succeeded.
> -  @retval FALSE  ARC4 encryption failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  typedef
>  BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_ARC4_ENCRYPT) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_ARC4_ENCRYPT) (
>    IN OUT  VOID         *Arc4Context,
>    IN      CONST UINT8  *Input,
>    IN      UINTN        InputSize,
>    OUT     UINT8        *Output
>    );
> 
> -/**
> -  Performs ARC4 decryption on a data buffer of the specified size.
> -
> -  This function performs ARC4 decryption on data buffer pointed by Input, of
> specified
> -  size of InputSize.
> -  Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
> -  invalid ARC4 context is undefined.
> -
> -  If Arc4Context is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If Output is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
> -  @param[in]       Input        Pointer to the buffer containing the data to be
> decrypted.
> -  @param[in]       InputSize    Size of the Input buffer in bytes.
> -  @param[out]      Output       Pointer to a buffer that receives the ARC4
> decryption output.
> -
> -  @retval TRUE   ARC4 decryption succeeded.
> -  @retval FALSE  ARC4 decryption failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  typedef
>  BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_ARC4_DECRYPT) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_ARC4_DECRYPT) (
>    IN OUT  VOID   *Arc4Context,
>    IN      UINT8  *Input,
>    IN      UINTN  InputSize,
>    OUT     UINT8  *Output
>    );
> 
> -/**
> -  Resets the ARC4 context to the initial state.
> -
> -  The function resets the ARC4 context to the state it had immediately after the
> -  ARC4Init() function call.
> -  Contrary to ARC4Init(), Arc4Reset() requires no secret key as input, but ARC4
> context
> -  should be already correctly initialized by ARC4Init().
> -
> -  If Arc4Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
> -
> -  @retval TRUE   ARC4 reset succeeded.
> -  @retval FALSE  ARC4 reset failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  typedef
>  BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_ARC4_RESET) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_ARC4_RESET) (
>    IN OUT  VOID  *Arc4Context
>    );
> 
> @@ -4014,12 +3925,12 @@ struct _EDKII_CRYPTO_PROTOCOL {
>    EDKII_CRYPTO_AES_ECB_DECRYPT                    AesEcbDecrypt;
>    EDKII_CRYPTO_AES_CBC_ENCRYPT                    AesCbcEncrypt;
>    EDKII_CRYPTO_AES_CBC_DECRYPT                    AesCbcDecrypt;
> -  /// Arc4
> -  EDKII_CRYPTO_ARC4_GET_CONTEXT_SIZE              Arc4GetContextSize;
> -  EDKII_CRYPTO_ARC4_INIT                          Arc4Init;
> -  EDKII_CRYPTO_ARC4_ENCRYPT                       Arc4Encrypt;
> -  EDKII_CRYPTO_ARC4_DECRYPT                       Arc4Decrypt;
> -  EDKII_CRYPTO_ARC4_RESET                         Arc4Reset;
> +  /// Arc4 - deprecated and unsupported
> +  DEPRECATED_EDKII_CRYPTO_ARC4_GET_CONTEXT_SIZE
> DeprecatedArc4GetContextSize;
> +  DEPRECATED_EDKII_CRYPTO_ARC4_INIT               DeprecatedArc4Init;
> +  DEPRECATED_EDKII_CRYPTO_ARC4_ENCRYPT            DeprecatedArc4Encrypt;
> +  DEPRECATED_EDKII_CRYPTO_ARC4_DECRYPT            DeprecatedArc4Decrypt;
> +  DEPRECATED_EDKII_CRYPTO_ARC4_RESET              DeprecatedArc4Reset;
>    /// SM3
>    EDKII_CRYPTO_SM3_GET_CONTEXT_SIZE               Sm3GetContextSize;
>    EDKII_CRYPTO_SM3_INIT                           Sm3Init;
> --
> 2.21.0.windows.1

[PATCH V3 4/8] CryptoPkg/BaseCryptLib: Retire the Tdes algorithm

[Gao, Zhichao]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898

Tdes is not secure any longer.
Remove the Tdes support from edk2.
Change the Tdes field name in EDKII_CRYPTO_PROTOCOL to indicate the
function is unsupported any longer.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
 CryptoPkg/Driver/Crypto.c                     | 181 +--------
 CryptoPkg/Include/Library/BaseCryptLib.h      | 196 ----------
 .../Library/BaseCryptLib/BaseCryptLib.inf     |   1 -
 .../Library/BaseCryptLib/Cipher/CryptTdes.c   | 364 ------------------
 .../BaseCryptLib/Cipher/CryptTdesNull.c       | 160 --------
 .../Library/BaseCryptLib/PeiCryptLib.inf      |   3 +-
 .../Library/BaseCryptLib/PeiCryptLib.uni      |   6 +-
 CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c |   7 +-
 .../Library/BaseCryptLib/RuntimeCryptLib.inf  |   3 +-
 .../Library/BaseCryptLib/RuntimeCryptLib.uni  |   6 +-
 .../Library/BaseCryptLib/SmmCryptLib.inf      |   3 +-
 .../Library/BaseCryptLib/SmmCryptLib.uni      |   6 +-
 .../BaseCryptLibNull/BaseCryptLibNull.inf     |   1 -
 .../BaseCryptLibNull/Cipher/CryptTdesNull.c   | 160 --------
 .../BaseCryptLibOnProtocolPpi/CryptLib.c      | 214 ----------
 .../Library/Include/openssl/opensslconf.h     |   3 +
 CryptoPkg/Library/OpensslLib/OpensslLib.inf   |  21 -
 .../Library/OpensslLib/OpensslLibCrypto.inf   |  21 -
 CryptoPkg/Private/Protocol/Crypto.h           | 169 +-------
 19 files changed, 53 insertions(+), 1472 deletions(-)
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c

diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index 388a6e4b4b..a4106aae0b 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -1557,167 +1557,57 @@ CryptoServiceHmacSha256Final (
 //=====================================================================================
 
 /**
-  Retrieves the size, in bytes, of the context buffer required for TDES operations.
-
-  If this interface is not supported, then return zero.
-
-  @return  The size, in bytes, of the context buffer required for TDES operations.
-  @retval  0   This interface is not supported.
+  TDES is deprecated and unsupported any longer.
+  Keep the function field for binary compability.
 
 **/
 UINTN
 EFIAPI
-CryptoServiceTdesGetContextSize (
+DeprecatedCryptoServiceTdesGetContextSize (
   VOID
   )
 {
-  return CALL_BASECRYPTLIB (Tdes.Services.GetContextSize, TdesGetContextSize, (), 0);
+  return BaseCryptLibServciceDeprecated ("TdesGetContextSize"), 0;
 }
 
-/**
-  Initializes user-supplied memory as TDES context for subsequent use.
-
-  This function initializes user-supplied memory pointed by TdesContext as TDES context.
-  In addition, it sets up all TDES key materials for subsequent encryption and decryption
-  operations.
-  There are 3 key options as follows:
-  KeyLength = 64,  Keying option 1: K1 == K2 == K3 (Backward compatibility with DES)
-  KeyLength = 128, Keying option 2: K1 != K2 and K3 = K1 (Less Security)
-  KeyLength = 192  Keying option 3: K1 != K2 != K3 (Strongest)
-
-  If TdesContext is NULL, then return FALSE.
-  If Key is NULL, then return FALSE.
-  If KeyLength is not valid, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  TdesContext  Pointer to TDES context being initialized.
-  @param[in]   Key          Pointer to the user-supplied TDES key.
-  @param[in]   KeyLength    Length of TDES key in bits.
-
-  @retval TRUE   TDES context initialization succeeded.
-  @retval FALSE  TDES context initialization failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceTdesInit (
+DeprecatedCryptoServiceTdesInit (
   OUT  VOID         *TdesContext,
   IN   CONST UINT8  *Key,
   IN   UINTN        KeyLength
   )
 {
-  return CALL_BASECRYPTLIB (Tdes.Services.Init, TdesInit, (TdesContext, Key, KeyLength), FALSE);
+  return BaseCryptLibServciceDeprecated ("TdesInit"), FALSE;
 }
 
-/**
-  Performs TDES encryption on a data buffer of the specified size in ECB mode.
-
-  This function performs TDES encryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval TRUE   TDES encryption succeeded.
-  @retval FALSE  TDES encryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceTdesEcbEncrypt (
+DeprecatedCryptoServiceTdesEcbEncrypt (
   IN   VOID         *TdesContext,
   IN   CONST UINT8  *Input,
   IN   UINTN        InputSize,
   OUT  UINT8        *Output
   )
 {
-  return CALL_BASECRYPTLIB (Tdes.Services.EcbEncrypt, TdesEcbEncrypt, (TdesContext, Input, InputSize, Output), FALSE);
+  return BaseCryptLibServciceDeprecated ("TdesEcbEncrypt"), FALSE;
 }
 
-/**
-  Performs TDES decryption on a data buffer of the specified size in ECB mode.
-
-  This function performs TDES decryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be decrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[out]  Output       Pointer to a buffer that receives the TDES decryption output.
-
-  @retval TRUE   TDES decryption succeeded.
-  @retval FALSE  TDES decryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceTdesEcbDecrypt (
+DeprecatedCryptoServiceTdesEcbDecrypt (
   IN   VOID         *TdesContext,
   IN   CONST UINT8  *Input,
   IN   UINTN        InputSize,
   OUT  UINT8        *Output
   )
 {
-  return CALL_BASECRYPTLIB (Tdes.Services.EcbDecrypt, TdesEcbDecrypt, (TdesContext, Input, InputSize, Output), FALSE);
+  return BaseCryptLibServciceDeprecated ("TdesEcbDecrypt"), FALSE;
 }
 
-/**
-  Performs TDES encryption on a data buffer of the specified size in CBC mode.
-
-  This function performs TDES encryption on data buffer pointed by Input, of specified
-  size of InputSize, in CBC mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  Initialization vector should be one block size (8 bytes).
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Ivec is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[in]   Ivec         Pointer to initialization vector.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval TRUE   TDES encryption succeeded.
-  @retval FALSE  TDES encryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceTdesCbcEncrypt (
+DeprecatedCryptoServiceTdesCbcEncrypt (
   IN   VOID         *TdesContext,
   IN   CONST UINT8  *Input,
   IN   UINTN        InputSize,
@@ -1725,41 +1615,12 @@ CryptoServiceTdesCbcEncrypt (
   OUT  UINT8        *Output
   )
 {
-  return CALL_BASECRYPTLIB (Tdes.Services.CbcEncrypt, TdesCbcEncrypt, (TdesContext, Input, InputSize, Ivec, Output), FALSE);
+  return BaseCryptLibServciceDeprecated ("TdesCbcEncrypt"), FALSE;
 }
 
-/**
-  Performs TDES decryption on a data buffer of the specified size in CBC mode.
-
-  This function performs TDES decryption on data buffer pointed by Input, of specified
-  size of InputSize, in CBC mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  Initialization vector should be one block size (8 bytes).
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Ivec is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[in]   Ivec         Pointer to initialization vector.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval TRUE   TDES decryption succeeded.
-  @retval FALSE  TDES decryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceTdesCbcDecrypt (
+DeprecatedCryptoServiceTdesCbcDecrypt (
   IN   VOID         *TdesContext,
   IN   CONST UINT8  *Input,
   IN   UINTN        InputSize,
@@ -1767,7 +1628,7 @@ CryptoServiceTdesCbcDecrypt (
   OUT  UINT8        *Output
   )
 {
-  return CALL_BASECRYPTLIB (Tdes.Services.CbcDecrypt, TdesCbcDecrypt, (TdesContext, Input, InputSize, Ivec, Output), FALSE);
+  return BaseCryptLibServciceDeprecated ("TdesCbcDecrypt"), FALSE;
 }
 
 /**
@@ -4344,13 +4205,13 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
   CryptoServiceX509Free,
   CryptoServiceX509StackFree,
   CryptoServiceX509GetTBSCert,
-  /// TDES
-  CryptoServiceTdesGetContextSize,
-  CryptoServiceTdesInit,
-  CryptoServiceTdesEcbEncrypt,
-  CryptoServiceTdesEcbDecrypt,
-  CryptoServiceTdesCbcEncrypt,
-  CryptoServiceTdesCbcDecrypt,
+  /// TDES - deprecated and unsupported
+  DeprecatedCryptoServiceTdesGetContextSize,
+  DeprecatedCryptoServiceTdesInit,
+  DeprecatedCryptoServiceTdesEcbEncrypt,
+  DeprecatedCryptoServiceTdesEcbDecrypt,
+  DeprecatedCryptoServiceTdesCbcEncrypt,
+  DeprecatedCryptoServiceTdesCbcDecrypt,
   /// AES
   CryptoServiceAesGetContextSize,
   CryptoServiceAesInit,
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index 25e236c4a3..621bcfd1c4 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -1278,202 +1278,6 @@ HmacSha256Final (
 //    Symmetric Cryptography Primitive
 //=====================================================================================
 
-/**
-  Retrieves the size, in bytes, of the context buffer required for TDES operations.
-
-  If this interface is not supported, then return zero.
-
-  @return  The size, in bytes, of the context buffer required for TDES operations.
-  @retval  0   This interface is not supported.
-
-**/
-UINTN
-EFIAPI
-TdesGetContextSize (
-  VOID
-  );
-
-/**
-  Initializes user-supplied memory as TDES context for subsequent use.
-
-  This function initializes user-supplied memory pointed by TdesContext as TDES context.
-  In addition, it sets up all TDES key materials for subsequent encryption and decryption
-  operations.
-  There are 3 key options as follows:
-  KeyLength = 64,  Keying option 1: K1 == K2 == K3 (Backward compatibility with DES)
-  KeyLength = 128, Keying option 2: K1 != K2 and K3 = K1 (Less Security)
-  KeyLength = 192  Keying option 3: K1 != K2 != K3 (Strongest)
-
-  If TdesContext is NULL, then return FALSE.
-  If Key is NULL, then return FALSE.
-  If KeyLength is not valid, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  TdesContext  Pointer to TDES context being initialized.
-  @param[in]   Key          Pointer to the user-supplied TDES key.
-  @param[in]   KeyLength    Length of TDES key in bits.
-
-  @retval TRUE   TDES context initialization succeeded.
-  @retval FALSE  TDES context initialization failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesInit (
-  OUT  VOID         *TdesContext,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeyLength
-  );
-
-/**
-  Performs TDES encryption on a data buffer of the specified size in ECB mode.
-
-  This function performs TDES encryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval TRUE   TDES encryption succeeded.
-  @retval FALSE  TDES encryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesEcbEncrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  );
-
-/**
-  Performs TDES decryption on a data buffer of the specified size in ECB mode.
-
-  This function performs TDES decryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be decrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[out]  Output       Pointer to a buffer that receives the TDES decryption output.
-
-  @retval TRUE   TDES decryption succeeded.
-  @retval FALSE  TDES decryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesEcbDecrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  );
-
-/**
-  Performs TDES encryption on a data buffer of the specified size in CBC mode.
-
-  This function performs TDES encryption on data buffer pointed by Input, of specified
-  size of InputSize, in CBC mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  Initialization vector should be one block size (8 bytes).
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Ivec is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[in]   Ivec         Pointer to initialization vector.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval TRUE   TDES encryption succeeded.
-  @retval FALSE  TDES encryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesCbcEncrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  IN   CONST UINT8  *Ivec,
-  OUT  UINT8        *Output
-  );
-
-/**
-  Performs TDES decryption on a data buffer of the specified size in CBC mode.
-
-  This function performs TDES decryption on data buffer pointed by Input, of specified
-  size of InputSize, in CBC mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  Initialization vector should be one block size (8 bytes).
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Ivec is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[in]   Ivec         Pointer to initialization vector.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval TRUE   TDES decryption succeeded.
-  @retval FALSE  TDES decryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesCbcDecrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  IN   CONST UINT8  *Ivec,
-  OUT  UINT8        *Output
-  );
-
 /**
   Retrieves the size, in bytes, of the context buffer required for AES operations.
 
diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
index da38ea552f..2de8e9c346 100644
--- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -39,7 +39,6 @@
   Hmac/CryptHmacSha256.c
   Kdf/CryptHkdf.c
   Cipher/CryptAes.c
-  Cipher/CryptTdes.c
   Pk/CryptRsaBasic.c
   Pk/CryptRsaExt.c
   Pk/CryptPkcs1Oaep.c
diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
deleted file mode 100644
index fd799f3398..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
+++ /dev/null
@@ -1,364 +0,0 @@
-/** @file
-  TDES Wrapper Implementation over OpenSSL.
-
-Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-#include <openssl/des.h>
-
-/**
-  Retrieves the size, in bytes, of the context buffer required for TDES operations.
-
-  @return  The size, in bytes, of the context buffer required for TDES operations.
-
-**/
-UINTN
-EFIAPI
-TdesGetContextSize (
-  VOID
-  )
-{
-  //
-  // Memory for 3 copies of DES_key_schedule is allocated, for K1, K2 and K3 each.
-  //
-  return (UINTN) (3 * sizeof (DES_key_schedule));
-}
-
-/**
-  Initializes user-supplied memory as TDES context for subsequent use.
-
-  This function initializes user-supplied memory pointed by TdesContext as TDES context.
-  In addition, it sets up all TDES key materials for subsequent encryption and decryption
-  operations.
-  There are 3 key options as follows:
-  KeyLength = 64,  Keying option 1: K1 == K2 == K3 (Backward compatibility with DES)
-  KeyLength = 128, Keying option 2: K1 != K2 and K3 = K1 (Less Security)
-  KeyLength = 192  Keying option 3: K1 != K2 != K3 (Strongest)
-
-  If TdesContext is NULL, then return FALSE.
-  If Key is NULL, then return FALSE.
-  If KeyLength is not valid, then return FALSE.
-
-  @param[out]  TdesContext  Pointer to TDES context being initialized.
-  @param[in]   Key          Pointer to the user-supplied TDES key.
-  @param[in]   KeyLength    Length of TDES key in bits.
-
-  @retval TRUE   TDES context initialization succeeded.
-  @retval FALSE  TDES context initialization failed.
-
-**/
-BOOLEAN
-EFIAPI
-TdesInit (
-  OUT  VOID         *TdesContext,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeyLength
-  )
-{
-  DES_key_schedule  *KeySchedule;
-
-  //
-  // Check input parameters.
-  //
-  if (TdesContext == NULL || Key == NULL || (KeyLength != 64 && KeyLength != 128 && KeyLength != 192)) {
-    return FALSE;
-  }
-
-  KeySchedule = (DES_key_schedule *) TdesContext;
-
-  //
-  // If input Key is a weak key, return error.
-  //
-  if (DES_is_weak_key ((const_DES_cblock *) Key) == 1) {
-    return FALSE;
-  }
-
-  DES_set_key_unchecked ((const_DES_cblock *) Key, KeySchedule);
-
-  if (KeyLength == 64) {
-    CopyMem (KeySchedule + 1, KeySchedule, sizeof (DES_key_schedule));
-    CopyMem (KeySchedule + 2, KeySchedule, sizeof (DES_key_schedule));
-    return TRUE;
-  }
-
-  if (DES_is_weak_key ((const_DES_cblock *) (Key + 8)) == 1) {
-    return FALSE;
-  }
-
-  DES_set_key_unchecked ((const_DES_cblock *) (Key + 8), KeySchedule + 1);
-
-  if (KeyLength == 128) {
-    CopyMem (KeySchedule + 2, KeySchedule, sizeof (DES_key_schedule));
-    return TRUE;
-  }
-
-  if (DES_is_weak_key ((const_DES_cblock *) (Key + 16)) == 1) {
-    return FALSE;
-  }
-
-  DES_set_key_unchecked ((const_DES_cblock *) (Key + 16), KeySchedule + 2);
-
-  return TRUE;
-}
-
-/**
-  Performs TDES encryption on a data buffer of the specified size in ECB mode.
-
-  This function performs TDES encryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval TRUE   TDES encryption succeeded.
-  @retval FALSE  TDES encryption failed.
-
-**/
-BOOLEAN
-EFIAPI
-TdesEcbEncrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  )
-{
-  DES_key_schedule  *KeySchedule;
-
-  //
-  // Check input parameters.
-  //
-  if (TdesContext == NULL || Input == NULL || (InputSize % TDES_BLOCK_SIZE) != 0 || Output == NULL) {
-    return FALSE;
-  }
-
-  KeySchedule = (DES_key_schedule *) TdesContext;
-
-  while (InputSize > 0) {
-    DES_ecb3_encrypt (
-      (const_DES_cblock *) Input,
-      (DES_cblock *) Output,
-      KeySchedule,
-      KeySchedule + 1,
-      KeySchedule + 2,
-      DES_ENCRYPT
-      );
-    Input     += TDES_BLOCK_SIZE;
-    Output    += TDES_BLOCK_SIZE;
-    InputSize -= TDES_BLOCK_SIZE;
-  }
-
-  return TRUE;
-}
-
-/**
-  Performs TDES decryption on a data buffer of the specified size in ECB mode.
-
-  This function performs TDES decryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be decrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[out]  Output       Pointer to a buffer that receives the TDES decryption output.
-
-  @retval TRUE   TDES decryption succeeded.
-  @retval FALSE  TDES decryption failed.
-
-**/
-BOOLEAN
-EFIAPI
-TdesEcbDecrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  )
-{
-  DES_key_schedule  *KeySchedule;
-
-  //
-  // Check input parameters.
-  //
-  if (TdesContext == NULL || Input == NULL || (InputSize % TDES_BLOCK_SIZE) != 0 || Output == NULL) {
-    return FALSE;
-  }
-
-  KeySchedule = (DES_key_schedule *) TdesContext;
-
-  while (InputSize > 0) {
-    DES_ecb3_encrypt (
-      (const_DES_cblock *) Input,
-      (DES_cblock *) Output,
-      KeySchedule,
-      KeySchedule + 1,
-      KeySchedule + 2,
-      DES_DECRYPT
-      );
-    Input     += TDES_BLOCK_SIZE;
-    Output    += TDES_BLOCK_SIZE;
-    InputSize -= TDES_BLOCK_SIZE;
-  }
-
-  return TRUE;
-}
-
-/**
-  Performs TDES encryption on a data buffer of the specified size in CBC mode.
-
-  This function performs TDES encryption on data buffer pointed by Input, of specified
-  size of InputSize, in CBC mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  Initialization vector should be one block size (8 bytes).
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Ivec is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[in]   Ivec         Pointer to initialization vector.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval TRUE   TDES encryption succeeded.
-  @retval FALSE  TDES encryption failed.
-
-**/
-BOOLEAN
-EFIAPI
-TdesCbcEncrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  IN   CONST UINT8  *Ivec,
-  OUT  UINT8        *Output
-  )
-{
-  DES_key_schedule  *KeySchedule;
-  UINT8             IvecBuffer[TDES_BLOCK_SIZE];
-
-  //
-  // Check input parameters.
-  //
-  if (TdesContext == NULL || Input == NULL || (InputSize % TDES_BLOCK_SIZE) != 0) {
-    return FALSE;
-  }
-
-  if (Ivec == NULL || Output == NULL || InputSize > INT_MAX) {
-    return FALSE;
-  }
-
-  KeySchedule = (DES_key_schedule *) TdesContext;
-  CopyMem (IvecBuffer, Ivec, TDES_BLOCK_SIZE);
-
-  DES_ede3_cbc_encrypt (
-    Input,
-    Output,
-    (UINT32) InputSize,
-    KeySchedule,
-    KeySchedule + 1,
-    KeySchedule + 2,
-    (DES_cblock *) IvecBuffer,
-    DES_ENCRYPT
-    );
-
-  return TRUE;
-}
-
-/**
-  Performs TDES decryption on a data buffer of the specified size in CBC mode.
-
-  This function performs TDES decryption on data buffer pointed by Input, of specified
-  size of InputSize, in CBC mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  Initialization vector should be one block size (8 bytes).
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Ivec is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[in]   Ivec         Pointer to initialization vector.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval TRUE   TDES decryption succeeded.
-  @retval FALSE  TDES decryption failed.
-
-**/
-BOOLEAN
-EFIAPI
-TdesCbcDecrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  IN   CONST UINT8  *Ivec,
-  OUT  UINT8        *Output
-  )
-{
-  DES_key_schedule  *KeySchedule;
-  UINT8             IvecBuffer[TDES_BLOCK_SIZE];
-
-  //
-  // Check input parameters.
-  //
-  if (TdesContext == NULL || Input == NULL || (InputSize % TDES_BLOCK_SIZE) != 0) {
-    return FALSE;
-  }
-
-  if (Ivec == NULL || Output == NULL || InputSize > INT_MAX) {
-    return FALSE;
-  }
-
-  KeySchedule = (DES_key_schedule *) TdesContext;
-  CopyMem (IvecBuffer, Ivec, TDES_BLOCK_SIZE);
-
-  DES_ede3_cbc_encrypt (
-    Input,
-    Output,
-    (UINT32) InputSize,
-    KeySchedule,
-    KeySchedule + 1,
-    KeySchedule + 2,
-    (DES_cblock *) IvecBuffer,
-    DES_DECRYPT
-    );
-
-  return TRUE;
-}
-
diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
deleted file mode 100644
index efa2716063..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
+++ /dev/null
@@ -1,160 +0,0 @@
-/** @file
-  TDES Wrapper Implementation which does not provide real capabilities.
-
-Copyright (c) 2012, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-
-/**
-  Retrieves the size, in bytes, of the context buffer required for TDES operations.
-
-  Return zero to indicate this interface is not supported.
-
-  @retval  0   This interface is not supported.
-
-**/
-UINTN
-EFIAPI
-TdesGetContextSize (
-  VOID
-  )
-{
-  ASSERT (FALSE);
-  return 0;
-}
-
-/**
-  Initializes user-supplied memory as TDES context for subsequent use.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[out]  TdesContext  Pointer to TDES context being initialized.
-  @param[in]   Key          Pointer to the user-supplied TDES key.
-  @param[in]   KeyLength    Length of TDES key in bits.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesInit (
-  OUT  VOID         *TdesContext,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeyLength
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Performs TDES encryption on a data buffer of the specified size in ECB mode.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesEcbEncrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Performs TDES decryption on a data buffer of the specified size in ECB mode.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be decrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[out]  Output       Pointer to a buffer that receives the TDES decryption output.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesEcbDecrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Performs TDES encryption on a data buffer of the specified size in CBC mode.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[in]   Ivec         Pointer to initialization vector.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesCbcEncrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  IN   CONST UINT8  *Ivec,
-  OUT  UINT8        *Output
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Performs TDES decryption on a data buffer of the specified size in CBC mode.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[in]   Ivec         Pointer to initialization vector.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesCbcDecrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  IN   CONST UINT8  *Ivec,
-  OUT  UINT8        *Output
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
index f43953b78c..f631f8d879 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
@@ -7,7 +7,7 @@
 #  buffer overflow or integer overflow.
 #
 #  Note:
-#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES functions, RSA external
+#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES functions, RSA external
 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509
 #  certificate handler functions, authenticode signature verification functions,
 #  PEM handler functions, and pseudorandom number generator functions are not
@@ -45,7 +45,6 @@
   Hmac/CryptHmacSha256Null.c
   Kdf/CryptHkdfNull.c
   Cipher/CryptAesNull.c
-  Cipher/CryptTdesNull.c
   Pk/CryptRsaBasic.c
   Pk/CryptRsaExtNull.c
   Pk/CryptPkcs1OaepNull.c
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
index 5abd8e8dfb..c906935d3d 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
@@ -6,8 +6,8 @@
 // This external input must be validated carefully to avoid security issues such as
 // buffer overflow or integer overflow.
 //
-// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
-// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,
+// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES
+// functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, X.509 certificate handler functions, authenticode
 // signature verification functions, PEM handler functions, and pseudorandom number
 // generator functions are not supported in this instance.
@@ -21,5 +21,5 @@
 
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for PEIM"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."
 
diff --git a/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c b/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c
index 75a133bd0c..6f7e1971f8 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c
@@ -1,7 +1,7 @@
 /** @file
   PEM (Privacy Enhanced Mail) Format Handler Wrapper Implementation over OpenSSL.
 
-Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
 SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -82,11 +82,8 @@ RsaGetPrivateKeyFromPem (
 
   //
   // Add possible block-cipher descriptor for PEM data decryption.
-  // NOTE: Only support most popular ciphers (3DES, AES) for the encrypted PEM.
+  // NOTE: Only support most popular ciphers AES for the encrypted PEM.
   //
-  if (EVP_add_cipher (EVP_des_ede3_cbc ()) == 0) {
-    return FALSE;
-  }
   if (EVP_add_cipher (EVP_aes_128_cbc ()) == 0) {
     return FALSE;
   }
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
index f1eb099b67..672e19299c 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
@@ -7,7 +7,7 @@
 #  buffer overflow or integer overflow.
 #
 #  Note: SHA-384 Digest functions, SHA-512 Digest functions,
-#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES functions, RSA external
+#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES functions, RSA external
 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
 #  authenticode signature verification functions are not supported in this instance.
 #
@@ -45,7 +45,6 @@
   Hmac/CryptHmacSha256Null.c
   Kdf/CryptHkdfNull.c
   Cipher/CryptAesNull.c
-  Cipher/CryptTdesNull.c
   Pk/CryptRsaBasic.c
   Pk/CryptRsaExtNull.c
   Pk/CryptPkcs1OaepNull.c
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
index 5a48d2a308..0a3bb1c04f 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
@@ -6,8 +6,8 @@
 // This external input must be validated carefully to avoid security issues such as
 // buffer overflow or integer overflow.
 //
-// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
-// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,
+// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES
+// functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, and authenticode signature verification functions are
 // not supported in this instance.
 //
@@ -20,5 +20,5 @@
 
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for DXE_RUNTIME_DRIVER"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
 
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
index 3a94655775..cc3556ae3f 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
@@ -7,7 +7,7 @@
 #  buffer overflow or integer overflow.
 #
 #  Note: SHA-384 Digest functions, SHA-512 Digest functions,
-#  HMAC-MD5 functions, HMAC-SHA1 functions, TDES functions, RSA external
+#  HMAC-MD5 functions, HMAC-SHA1 functions, RSA external
 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
 #  authenticode signature verification functions are not supported in this instance.
 #
@@ -44,7 +44,6 @@
   Hmac/CryptHmacSha256.c
   Kdf/CryptHkdfNull.c
   Cipher/CryptAes.c
-  Cipher/CryptTdesNull.c
   Pk/CryptRsaBasic.c
   Pk/CryptRsaExtNull.c
   Pk/CryptPkcs1Oaep.c
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
index 0561f107e8..2e362c635f 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
@@ -6,8 +6,8 @@
 // This external input must be validated carefully to avoid security issues such as
 // buffer overflow or integer overflow.
 //
-// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
-// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,
+// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES
+// functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, and authenticode signature verification functions are
 // not supported in this instance.
 //
@@ -20,5 +20,5 @@
 
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for SMM driver"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
 
diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
index a205c9005d..04b552f8b7 100644
--- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
+++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
@@ -39,7 +39,6 @@
   Hmac/CryptHmacSha256Null.c
   Kdf/CryptHkdfNull.c
   Cipher/CryptAesNull.c
-  Cipher/CryptTdesNull.c
   Pk/CryptRsaBasicNull.c
   Pk/CryptRsaExtNull.c
   Pk/CryptPkcs1OaepNull.c
diff --git a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c b/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c
deleted file mode 100644
index efa2716063..0000000000
--- a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c
+++ /dev/null
@@ -1,160 +0,0 @@
-/** @file
-  TDES Wrapper Implementation which does not provide real capabilities.
-
-Copyright (c) 2012, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-
-/**
-  Retrieves the size, in bytes, of the context buffer required for TDES operations.
-
-  Return zero to indicate this interface is not supported.
-
-  @retval  0   This interface is not supported.
-
-**/
-UINTN
-EFIAPI
-TdesGetContextSize (
-  VOID
-  )
-{
-  ASSERT (FALSE);
-  return 0;
-}
-
-/**
-  Initializes user-supplied memory as TDES context for subsequent use.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[out]  TdesContext  Pointer to TDES context being initialized.
-  @param[in]   Key          Pointer to the user-supplied TDES key.
-  @param[in]   KeyLength    Length of TDES key in bits.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesInit (
-  OUT  VOID         *TdesContext,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeyLength
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Performs TDES encryption on a data buffer of the specified size in ECB mode.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesEcbEncrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Performs TDES decryption on a data buffer of the specified size in ECB mode.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be decrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[out]  Output       Pointer to a buffer that receives the TDES decryption output.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesEcbDecrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Performs TDES encryption on a data buffer of the specified size in CBC mode.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[in]   Ivec         Pointer to initialization vector.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesCbcEncrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  IN   CONST UINT8  *Ivec,
-  OUT  UINT8        *Output
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Performs TDES decryption on a data buffer of the specified size in CBC mode.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[in]   Ivec         Pointer to initialization vector.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesCbcDecrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  IN   CONST UINT8  *Ivec,
-  OUT  UINT8        *Output
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index 77915bdb86..43ee4e0841 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -1467,220 +1467,6 @@ HmacSha256Final (
 //    Symmetric Cryptography Primitive
 //=====================================================================================
 
-/**
-  Retrieves the size, in bytes, of the context buffer required for TDES operations.
-
-  If this interface is not supported, then return zero.
-
-  @return  The size, in bytes, of the context buffer required for TDES operations.
-  @retval  0   This interface is not supported.
-
-**/
-UINTN
-EFIAPI
-TdesGetContextSize (
-  VOID
-  )
-{
-  CALL_CRYPTO_SERVICE (TdesGetContextSize, (), 0);
-}
-
-/**
-  Initializes user-supplied memory as TDES context for subsequent use.
-
-  This function initializes user-supplied memory pointed by TdesContext as TDES context.
-  In addition, it sets up all TDES key materials for subsequent encryption and decryption
-  operations.
-  There are 3 key options as follows:
-  KeyLength = 64,  Keying option 1: K1 == K2 == K3 (Backward compatibility with DES)
-  KeyLength = 128, Keying option 2: K1 != K2 and K3 = K1 (Less Security)
-  KeyLength = 192  Keying option 3: K1 != K2 != K3 (Strongest)
-
-  If TdesContext is NULL, then return FALSE.
-  If Key is NULL, then return FALSE.
-  If KeyLength is not valid, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  TdesContext  Pointer to TDES context being initialized.
-  @param[in]   Key          Pointer to the user-supplied TDES key.
-  @param[in]   KeyLength    Length of TDES key in bits.
-
-  @retval TRUE   TDES context initialization succeeded.
-  @retval FALSE  TDES context initialization failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesInit (
-  OUT  VOID         *TdesContext,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeyLength
-  )
-{
-  CALL_CRYPTO_SERVICE (TdesInit, (TdesContext, Key, KeyLength), FALSE);
-}
-
-/**
-  Performs TDES encryption on a data buffer of the specified size in ECB mode.
-
-  This function performs TDES encryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval TRUE   TDES encryption succeeded.
-  @retval FALSE  TDES encryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesEcbEncrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  )
-{
-  CALL_CRYPTO_SERVICE (TdesEcbEncrypt, (TdesContext, Input, InputSize, Output), FALSE);
-}
-
-/**
-  Performs TDES decryption on a data buffer of the specified size in ECB mode.
-
-  This function performs TDES decryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be decrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[out]  Output       Pointer to a buffer that receives the TDES decryption output.
-
-  @retval TRUE   TDES decryption succeeded.
-  @retval FALSE  TDES decryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesEcbDecrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  )
-{
-  CALL_CRYPTO_SERVICE (TdesEcbDecrypt, (TdesContext, Input, InputSize, Output), FALSE);
-}
-
-/**
-  Performs TDES encryption on a data buffer of the specified size in CBC mode.
-
-  This function performs TDES encryption on data buffer pointed by Input, of specified
-  size of InputSize, in CBC mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  Initialization vector should be one block size (8 bytes).
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Ivec is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[in]   Ivec         Pointer to initialization vector.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval TRUE   TDES encryption succeeded.
-  @retval FALSE  TDES encryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesCbcEncrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  IN   CONST UINT8  *Ivec,
-  OUT  UINT8        *Output
-  )
-{
-  CALL_CRYPTO_SERVICE (TdesCbcEncrypt, (TdesContext, Input, InputSize, Ivec, Output), FALSE);
-}
-
-/**
-  Performs TDES decryption on a data buffer of the specified size in CBC mode.
-
-  This function performs TDES decryption on data buffer pointed by Input, of specified
-  size of InputSize, in CBC mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  Initialization vector should be one block size (8 bytes).
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Ivec is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[in]   Ivec         Pointer to initialization vector.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval TRUE   TDES decryption succeeded.
-  @retval FALSE  TDES decryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesCbcDecrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  IN   CONST UINT8  *Ivec,
-  OUT  UINT8        *Output
-  )
-{
-  CALL_CRYPTO_SERVICE (TdesCbcDecrypt, (TdesContext, Input, InputSize, Ivec, Output), FALSE);
-}
-
 /**
   Retrieves the size, in bytes, of the context buffer required for AES operations.
 
diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h b/CryptoPkg/Library/Include/openssl/opensslconf.h
index 22acabef87..4868cfa963 100644
--- a/CryptoPkg/Library/Include/openssl/opensslconf.h
+++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
@@ -247,6 +247,9 @@ extern "C" {
 #ifndef OPENSSL_NO_RC4
 # define OPENSSL_NO_RC4
 #endif
+#ifndef OPENSSL_NO_DES
+# define OPENSSL_NO_DES
+#endif
 
 
 /*
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index dfaefd1c08..d66f1cb03f 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -178,25 +178,6 @@
   $(OPENSSL_PATH)/crypto/cryptlib.c
   $(OPENSSL_PATH)/crypto/ctype.c
   $(OPENSSL_PATH)/crypto/cversion.c
-  $(OPENSSL_PATH)/crypto/des/cbc_cksm.c
-  $(OPENSSL_PATH)/crypto/des/cbc_enc.c
-  $(OPENSSL_PATH)/crypto/des/cfb64ede.c
-  $(OPENSSL_PATH)/crypto/des/cfb64enc.c
-  $(OPENSSL_PATH)/crypto/des/cfb_enc.c
-  $(OPENSSL_PATH)/crypto/des/des_enc.c
-  $(OPENSSL_PATH)/crypto/des/ecb3_enc.c
-  $(OPENSSL_PATH)/crypto/des/ecb_enc.c
-  $(OPENSSL_PATH)/crypto/des/fcrypt.c
-  $(OPENSSL_PATH)/crypto/des/fcrypt_b.c
-  $(OPENSSL_PATH)/crypto/des/ofb64ede.c
-  $(OPENSSL_PATH)/crypto/des/ofb64enc.c
-  $(OPENSSL_PATH)/crypto/des/ofb_enc.c
-  $(OPENSSL_PATH)/crypto/des/pcbc_enc.c
-  $(OPENSSL_PATH)/crypto/des/qud_cksm.c
-  $(OPENSSL_PATH)/crypto/des/rand_key.c
-  $(OPENSSL_PATH)/crypto/des/set_key.c
-  $(OPENSSL_PATH)/crypto/des/str2key.c
-  $(OPENSSL_PATH)/crypto/des/xcbc_enc.c
   $(OPENSSL_PATH)/crypto/dh/dh_ameth.c
   $(OPENSSL_PATH)/crypto/dh/dh_asn1.c
   $(OPENSSL_PATH)/crypto/dh/dh_check.c
@@ -514,8 +495,6 @@
   $(OPENSSL_PATH)/crypto/comp/comp_lcl.h
   $(OPENSSL_PATH)/crypto/conf/conf_def.h
   $(OPENSSL_PATH)/crypto/conf/conf_lcl.h
-  $(OPENSSL_PATH)/crypto/des/des_locl.h
-  $(OPENSSL_PATH)/crypto/des/spr.h
   $(OPENSSL_PATH)/crypto/dh/dh_locl.h
   $(OPENSSL_PATH)/crypto/dso/dso_locl.h
   $(OPENSSL_PATH)/crypto/evp/evp_locl.h
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
index 080e1d9305..5788d13cf7 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
@@ -178,25 +178,6 @@
   $(OPENSSL_PATH)/crypto/cryptlib.c
   $(OPENSSL_PATH)/crypto/ctype.c
   $(OPENSSL_PATH)/crypto/cversion.c
-  $(OPENSSL_PATH)/crypto/des/cbc_cksm.c
-  $(OPENSSL_PATH)/crypto/des/cbc_enc.c
-  $(OPENSSL_PATH)/crypto/des/cfb64ede.c
-  $(OPENSSL_PATH)/crypto/des/cfb64enc.c
-  $(OPENSSL_PATH)/crypto/des/cfb_enc.c
-  $(OPENSSL_PATH)/crypto/des/des_enc.c
-  $(OPENSSL_PATH)/crypto/des/ecb3_enc.c
-  $(OPENSSL_PATH)/crypto/des/ecb_enc.c
-  $(OPENSSL_PATH)/crypto/des/fcrypt.c
-  $(OPENSSL_PATH)/crypto/des/fcrypt_b.c
-  $(OPENSSL_PATH)/crypto/des/ofb64ede.c
-  $(OPENSSL_PATH)/crypto/des/ofb64enc.c
-  $(OPENSSL_PATH)/crypto/des/ofb_enc.c
-  $(OPENSSL_PATH)/crypto/des/pcbc_enc.c
-  $(OPENSSL_PATH)/crypto/des/qud_cksm.c
-  $(OPENSSL_PATH)/crypto/des/rand_key.c
-  $(OPENSSL_PATH)/crypto/des/set_key.c
-  $(OPENSSL_PATH)/crypto/des/str2key.c
-  $(OPENSSL_PATH)/crypto/des/xcbc_enc.c
   $(OPENSSL_PATH)/crypto/dh/dh_ameth.c
   $(OPENSSL_PATH)/crypto/dh/dh_asn1.c
   $(OPENSSL_PATH)/crypto/dh/dh_check.c
@@ -514,8 +495,6 @@
   $(OPENSSL_PATH)/crypto/comp/comp_lcl.h
   $(OPENSSL_PATH)/crypto/conf/conf_def.h
   $(OPENSSL_PATH)/crypto/conf/conf_lcl.h
-  $(OPENSSL_PATH)/crypto/des/des_locl.h
-  $(OPENSSL_PATH)/crypto/des/spr.h
   $(OPENSSL_PATH)/crypto/dh/dh_locl.h
   $(OPENSSL_PATH)/crypto/dso/dso_locl.h
   $(OPENSSL_PATH)/crypto/evp/evp_locl.h
diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h
index f36c5c1aff..a30660c192 100644
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@@ -2396,155 +2396,45 @@ BOOLEAN
 //=====================================================================================
 
 /**
-  Retrieves the size, in bytes, of the context buffer required for TDES operations.
-
-  If this interface is not supported, then return zero.
-
-  @return  The size, in bytes, of the context buffer required for TDES operations.
-  @retval  0   This interface is not supported.
+  TDES is deprecated and unsupported any longer.
+  Keep the function field for binary compability.
 
 **/
 typedef
 UINTN
-(EFIAPI *EDKII_CRYPTO_TDES_GET_CONTEXT_SIZE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_GET_CONTEXT_SIZE) (
   VOID
   );
 
-/**
-  Initializes user-supplied memory as TDES context for subsequent use.
-
-  This function initializes user-supplied memory pointed by TdesContext as TDES context.
-  In addition, it sets up all TDES key materials for subsequent encryption and decryption
-  operations.
-  There are 3 key options as follows:
-  KeyLength = 64,  Keying option 1: K1 == K2 == K3 (Backward compatibility with DES)
-  KeyLength = 128, Keying option 2: K1 != K2 and K3 = K1 (Less Security)
-  KeyLength = 192  Keying option 3: K1 != K2 != K3 (Strongest)
-
-  If TdesContext is NULL, then return FALSE.
-  If Key is NULL, then return FALSE.
-  If KeyLength is not valid, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  TdesContext  Pointer to TDES context being initialized.
-  @param[in]   Key          Pointer to the user-supplied TDES key.
-  @param[in]   KeyLength    Length of TDES key in bits.
-
-  @retval TRUE   TDES context initialization succeeded.
-  @retval FALSE  TDES context initialization failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_TDES_INIT) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_INIT) (
   OUT  VOID         *TdesContext,
   IN   CONST UINT8  *Key,
   IN   UINTN        KeyLength
   );
 
-/**
-  Performs TDES encryption on a data buffer of the specified size in ECB mode.
-
-  This function performs TDES encryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval TRUE   TDES encryption succeeded.
-  @retval FALSE  TDES encryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_TDES_ECB_ENCRYPT) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_ECB_ENCRYPT) (
   IN   VOID         *TdesContext,
   IN   CONST UINT8  *Input,
   IN   UINTN        InputSize,
   OUT  UINT8        *Output
   );
 
-/**
-  Performs TDES decryption on a data buffer of the specified size in ECB mode.
-
-  This function performs TDES decryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be decrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[out]  Output       Pointer to a buffer that receives the TDES decryption output.
-
-  @retval TRUE   TDES decryption succeeded.
-  @retval FALSE  TDES decryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_TDES_ECB_DECRYPT) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_ECB_DECRYPT) (
   IN   VOID         *TdesContext,
   IN   CONST UINT8  *Input,
   IN   UINTN        InputSize,
   OUT  UINT8        *Output
   );
 
-/**
-  Performs TDES encryption on a data buffer of the specified size in CBC mode.
-
-  This function performs TDES encryption on data buffer pointed by Input, of specified
-  size of InputSize, in CBC mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  Initialization vector should be one block size (8 bytes).
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Ivec is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[in]   Ivec         Pointer to initialization vector.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval TRUE   TDES encryption succeeded.
-  @retval FALSE  TDES encryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_TDES_CBC_ENCRYPT) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_CBC_ENCRYPT) (
   IN   VOID         *TdesContext,
   IN   CONST UINT8  *Input,
   IN   UINTN        InputSize,
@@ -2552,38 +2442,9 @@ BOOLEAN
   OUT  UINT8        *Output
   );
 
-/**
-  Performs TDES decryption on a data buffer of the specified size in CBC mode.
-
-  This function performs TDES decryption on data buffer pointed by Input, of specified
-  size of InputSize, in CBC mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  Initialization vector should be one block size (8 bytes).
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Ivec is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[in]   Ivec         Pointer to initialization vector.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval TRUE   TDES decryption succeeded.
-  @retval FALSE  TDES decryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_TDES_CBC_DECRYPT) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_CBC_DECRYPT) (
   IN   VOID         *TdesContext,
   IN   CONST UINT8  *Input,
   IN   UINTN        InputSize,
@@ -3911,13 +3772,13 @@ struct _EDKII_CRYPTO_PROTOCOL {
   EDKII_CRYPTO_X509_FREE                          X509Free;
   EDKII_CRYPTO_X509_STACK_FREE                    X509StackFree;
   EDKII_CRYPTO_X509_GET_TBS_CERT                  X509GetTBSCert;
-  /// TDES
-  EDKII_CRYPTO_TDES_GET_CONTEXT_SIZE              TdesGetContextSize;
-  EDKII_CRYPTO_TDES_INIT                          TdesInit;
-  EDKII_CRYPTO_TDES_ECB_ENCRYPT                   TdesEcbEncrypt;
-  EDKII_CRYPTO_TDES_ECB_DECRYPT                   TdesEcbDecrypt;
-  EDKII_CRYPTO_TDES_CBC_ENCRYPT                   TdesCbcEncrypt;
-  EDKII_CRYPTO_TDES_CBC_DECRYPT                   TdesCbcDecrypt;
+  /// TDES - deprecated and unsupported
+  DEPRECATED_EDKII_CRYPTO_TDES_GET_CONTEXT_SIZE   DeprecatedTdesGetContextSize;
+  DEPRECATED_EDKII_CRYPTO_TDES_INIT               DeprecatedTdesInit;
+  DEPRECATED_EDKII_CRYPTO_TDES_ECB_ENCRYPT        DeprecatedTdesEcbEncrypt;
+  DEPRECATED_EDKII_CRYPTO_TDES_ECB_DECRYPT        DeprecatedTdesEcbDecrypt;
+  DEPRECATED_EDKII_CRYPTO_TDES_CBC_ENCRYPT        DeprecatedTdesCbcEncrypt;
+  DEPRECATED_EDKII_CRYPTO_TDES_CBC_DECRYPT        DeprecatedTdesCbcDecrypt;
   /// AES
   EDKII_CRYPTO_AES_GET_CONTEXT_SIZE               AesGetContextSize;
   EDKII_CRYPTO_AES_INIT                           AesInit;
-- 
2.21.0.windows.1

Re: [edk2-devel] [PATCH V3 4/8] CryptoPkg/BaseCryptLib: Retire the Tdes algorithm

[Philippe Mathieu-Daudé]

On 5/7/20 1:57 AM, Gao, Zhichao wrote:
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
> 
> Tdes is not secure any longer.

Please write acronyms in caps: TDES.

> Remove the Tdes support from edk2.
> Change the Tdes field name in EDKII_CRYPTO_PROTOCOL to indicate the
> function is unsupported any longer.
> 
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Siyuan Fu <siyuan.fu@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> ---
>   CryptoPkg/Driver/Crypto.c                     | 181 +--------
>   CryptoPkg/Include/Library/BaseCryptLib.h      | 196 ----------
>   .../Library/BaseCryptLib/BaseCryptLib.inf     |   1 -
>   .../Library/BaseCryptLib/Cipher/CryptTdes.c   | 364 ------------------
>   .../BaseCryptLib/Cipher/CryptTdesNull.c       | 160 --------
>   .../Library/BaseCryptLib/PeiCryptLib.inf      |   3 +-
>   .../Library/BaseCryptLib/PeiCryptLib.uni      |   6 +-
>   CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c |   7 +-
>   .../Library/BaseCryptLib/RuntimeCryptLib.inf  |   3 +-
>   .../Library/BaseCryptLib/RuntimeCryptLib.uni  |   6 +-
>   .../Library/BaseCryptLib/SmmCryptLib.inf      |   3 +-
>   .../Library/BaseCryptLib/SmmCryptLib.uni      |   6 +-
>   .../BaseCryptLibNull/BaseCryptLibNull.inf     |   1 -
>   .../BaseCryptLibNull/Cipher/CryptTdesNull.c   | 160 --------
>   .../BaseCryptLibOnProtocolPpi/CryptLib.c      | 214 ----------
>   .../Library/Include/openssl/opensslconf.h     |   3 +
>   CryptoPkg/Library/OpensslLib/OpensslLib.inf   |  21 -
>   .../Library/OpensslLib/OpensslLibCrypto.inf   |  21 -
>   CryptoPkg/Private/Protocol/Crypto.h           | 169 +-------
>   19 files changed, 53 insertions(+), 1472 deletions(-)
>   delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
>   delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
>   delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c

Re: [PATCH V3 4/8] CryptoPkg/BaseCryptLib: Retire the Tdes algorithm

[Wang, Jian J]

Zhichao,

Similar comments, please refer to them in my review email for patch 3.

Regards,
Jian

> -----Original Message-----
> From: Gao, Zhichao <zhichao.gao@intel.com>
> Sent: Thursday, May 07, 2020 7:58 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>;
> Fu, Siyuan <siyuan.fu@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>
> Subject: [PATCH V3 4/8] CryptoPkg/BaseCryptLib: Retire the Tdes algorithm
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
> 
> Tdes is not secure any longer.
> Remove the Tdes support from edk2.
> Change the Tdes field name in EDKII_CRYPTO_PROTOCOL to indicate the
> function is unsupported any longer.
> 
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Siyuan Fu <siyuan.fu@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> ---
>  CryptoPkg/Driver/Crypto.c                     | 181 +--------
>  CryptoPkg/Include/Library/BaseCryptLib.h      | 196 ----------
>  .../Library/BaseCryptLib/BaseCryptLib.inf     |   1 -
>  .../Library/BaseCryptLib/Cipher/CryptTdes.c   | 364 ------------------
>  .../BaseCryptLib/Cipher/CryptTdesNull.c       | 160 --------
>  .../Library/BaseCryptLib/PeiCryptLib.inf      |   3 +-
>  .../Library/BaseCryptLib/PeiCryptLib.uni      |   6 +-
>  CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c |   7 +-
>  .../Library/BaseCryptLib/RuntimeCryptLib.inf  |   3 +-
>  .../Library/BaseCryptLib/RuntimeCryptLib.uni  |   6 +-
>  .../Library/BaseCryptLib/SmmCryptLib.inf      |   3 +-
>  .../Library/BaseCryptLib/SmmCryptLib.uni      |   6 +-
>  .../BaseCryptLibNull/BaseCryptLibNull.inf     |   1 -
>  .../BaseCryptLibNull/Cipher/CryptTdesNull.c   | 160 --------
>  .../BaseCryptLibOnProtocolPpi/CryptLib.c      | 214 ----------
>  .../Library/Include/openssl/opensslconf.h     |   3 +
>  CryptoPkg/Library/OpensslLib/OpensslLib.inf   |  21 -
>  .../Library/OpensslLib/OpensslLibCrypto.inf   |  21 -
>  CryptoPkg/Private/Protocol/Crypto.h           | 169 +-------
>  19 files changed, 53 insertions(+), 1472 deletions(-)
>  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
>  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c
> 
> diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
> index 388a6e4b4b..a4106aae0b 100644
> --- a/CryptoPkg/Driver/Crypto.c
> +++ b/CryptoPkg/Driver/Crypto.c
> @@ -1557,167 +1557,57 @@ CryptoServiceHmacSha256Final (
> 
> //===============================================================
> ======================
> 
>  /**
> -  Retrieves the size, in bytes, of the context buffer required for TDES operations.
> -
> -  If this interface is not supported, then return zero.
> -
> -  @return  The size, in bytes, of the context buffer required for TDES operations.
> -  @retval  0   This interface is not supported.
> +  TDES is deprecated and unsupported any longer.
> +  Keep the function field for binary compability.
> 
>  **/
>  UINTN
>  EFIAPI
> -CryptoServiceTdesGetContextSize (
> +DeprecatedCryptoServiceTdesGetContextSize (
>    VOID
>    )
>  {
> -  return CALL_BASECRYPTLIB (Tdes.Services.GetContextSize,
> TdesGetContextSize, (), 0);
> +  return BaseCryptLibServciceDeprecated ("TdesGetContextSize"), 0;
>  }
> 
> -/**
> -  Initializes user-supplied memory as TDES context for subsequent use.
> -
> -  This function initializes user-supplied memory pointed by TdesContext as TDES
> context.
> -  In addition, it sets up all TDES key materials for subsequent encryption and
> decryption
> -  operations.
> -  There are 3 key options as follows:
> -  KeyLength = 64,  Keying option 1: K1 == K2 == K3 (Backward compatibility with
> DES)
> -  KeyLength = 128, Keying option 2: K1 != K2 and K3 = K1 (Less Security)
> -  KeyLength = 192  Keying option 3: K1 != K2 != K3 (Strongest)
> -
> -  If TdesContext is NULL, then return FALSE.
> -  If Key is NULL, then return FALSE.
> -  If KeyLength is not valid, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[out]  TdesContext  Pointer to TDES context being initialized.
> -  @param[in]   Key          Pointer to the user-supplied TDES key.
> -  @param[in]   KeyLength    Length of TDES key in bits.
> -
> -  @retval TRUE   TDES context initialization succeeded.
> -  @retval FALSE  TDES context initialization failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  BOOLEAN
>  EFIAPI
> -CryptoServiceTdesInit (
> +DeprecatedCryptoServiceTdesInit (
>    OUT  VOID         *TdesContext,
>    IN   CONST UINT8  *Key,
>    IN   UINTN        KeyLength
>    )
>  {
> -  return CALL_BASECRYPTLIB (Tdes.Services.Init, TdesInit, (TdesContext, Key,
> KeyLength), FALSE);
> +  return BaseCryptLibServciceDeprecated ("TdesInit"), FALSE;
>  }
> 
> -/**
> -  Performs TDES encryption on a data buffer of the specified size in ECB mode.
> -
> -  This function performs TDES encryption on data buffer pointed by Input, of
> specified
> -  size of InputSize, in ECB mode.
> -  InputSize must be multiple of block size (8 bytes). This function does not
> perform
> -  padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> -  TdesContext should be already correctly initialized by TdesInit(). Behavior with
> -  invalid TDES context is undefined.
> -
> -  If TdesContext is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If InputSize is not multiple of block size (8 bytes), then return FALSE.
> -  If Output is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]   TdesContext  Pointer to the TDES context.
> -  @param[in]   Input        Pointer to the buffer containing the data to be
> encrypted.
> -  @param[in]   InputSize    Size of the Input buffer in bytes.
> -  @param[out]  Output       Pointer to a buffer that receives the TDES encryption
> output.
> -
> -  @retval TRUE   TDES encryption succeeded.
> -  @retval FALSE  TDES encryption failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  BOOLEAN
>  EFIAPI
> -CryptoServiceTdesEcbEncrypt (
> +DeprecatedCryptoServiceTdesEcbEncrypt (
>    IN   VOID         *TdesContext,
>    IN   CONST UINT8  *Input,
>    IN   UINTN        InputSize,
>    OUT  UINT8        *Output
>    )
>  {
> -  return CALL_BASECRYPTLIB (Tdes.Services.EcbEncrypt, TdesEcbEncrypt,
> (TdesContext, Input, InputSize, Output), FALSE);
> +  return BaseCryptLibServciceDeprecated ("TdesEcbEncrypt"), FALSE;
>  }
> 
> -/**
> -  Performs TDES decryption on a data buffer of the specified size in ECB mode.
> -
> -  This function performs TDES decryption on data buffer pointed by Input, of
> specified
> -  size of InputSize, in ECB mode.
> -  InputSize must be multiple of block size (8 bytes). This function does not
> perform
> -  padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> -  TdesContext should be already correctly initialized by TdesInit(). Behavior with
> -  invalid TDES context is undefined.
> -
> -  If TdesContext is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If InputSize is not multiple of block size (8 bytes), then return FALSE.
> -  If Output is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]   TdesContext  Pointer to the TDES context.
> -  @param[in]   Input        Pointer to the buffer containing the data to be
> decrypted.
> -  @param[in]   InputSize    Size of the Input buffer in bytes.
> -  @param[out]  Output       Pointer to a buffer that receives the TDES decryption
> output.
> -
> -  @retval TRUE   TDES decryption succeeded.
> -  @retval FALSE  TDES decryption failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  BOOLEAN
>  EFIAPI
> -CryptoServiceTdesEcbDecrypt (
> +DeprecatedCryptoServiceTdesEcbDecrypt (
>    IN   VOID         *TdesContext,
>    IN   CONST UINT8  *Input,
>    IN   UINTN        InputSize,
>    OUT  UINT8        *Output
>    )
>  {
> -  return CALL_BASECRYPTLIB (Tdes.Services.EcbDecrypt, TdesEcbDecrypt,
> (TdesContext, Input, InputSize, Output), FALSE);
> +  return BaseCryptLibServciceDeprecated ("TdesEcbDecrypt"), FALSE;
>  }
> 
> -/**
> -  Performs TDES encryption on a data buffer of the specified size in CBC mode.
> -
> -  This function performs TDES encryption on data buffer pointed by Input, of
> specified
> -  size of InputSize, in CBC mode.
> -  InputSize must be multiple of block size (8 bytes). This function does not
> perform
> -  padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> -  Initialization vector should be one block size (8 bytes).
> -  TdesContext should be already correctly initialized by TdesInit(). Behavior with
> -  invalid TDES context is undefined.
> -
> -  If TdesContext is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If InputSize is not multiple of block size (8 bytes), then return FALSE.
> -  If Ivec is NULL, then return FALSE.
> -  If Output is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]   TdesContext  Pointer to the TDES context.
> -  @param[in]   Input        Pointer to the buffer containing the data to be
> encrypted.
> -  @param[in]   InputSize    Size of the Input buffer in bytes.
> -  @param[in]   Ivec         Pointer to initialization vector.
> -  @param[out]  Output       Pointer to a buffer that receives the TDES encryption
> output.
> -
> -  @retval TRUE   TDES encryption succeeded.
> -  @retval FALSE  TDES encryption failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  BOOLEAN
>  EFIAPI
> -CryptoServiceTdesCbcEncrypt (
> +DeprecatedCryptoServiceTdesCbcEncrypt (
>    IN   VOID         *TdesContext,
>    IN   CONST UINT8  *Input,
>    IN   UINTN        InputSize,
> @@ -1725,41 +1615,12 @@ CryptoServiceTdesCbcEncrypt (
>    OUT  UINT8        *Output
>    )
>  {
> -  return CALL_BASECRYPTLIB (Tdes.Services.CbcEncrypt, TdesCbcEncrypt,
> (TdesContext, Input, InputSize, Ivec, Output), FALSE);
> +  return BaseCryptLibServciceDeprecated ("TdesCbcEncrypt"), FALSE;
>  }
> 
> -/**
> -  Performs TDES decryption on a data buffer of the specified size in CBC mode.
> -
> -  This function performs TDES decryption on data buffer pointed by Input, of
> specified
> -  size of InputSize, in CBC mode.
> -  InputSize must be multiple of block size (8 bytes). This function does not
> perform
> -  padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> -  Initialization vector should be one block size (8 bytes).
> -  TdesContext should be already correctly initialized by TdesInit(). Behavior with
> -  invalid TDES context is undefined.
> -
> -  If TdesContext is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If InputSize is not multiple of block size (8 bytes), then return FALSE.
> -  If Ivec is NULL, then return FALSE.
> -  If Output is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]   TdesContext  Pointer to the TDES context.
> -  @param[in]   Input        Pointer to the buffer containing the data to be
> encrypted.
> -  @param[in]   InputSize    Size of the Input buffer in bytes.
> -  @param[in]   Ivec         Pointer to initialization vector.
> -  @param[out]  Output       Pointer to a buffer that receives the TDES encryption
> output.
> -
> -  @retval TRUE   TDES decryption succeeded.
> -  @retval FALSE  TDES decryption failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  BOOLEAN
>  EFIAPI
> -CryptoServiceTdesCbcDecrypt (
> +DeprecatedCryptoServiceTdesCbcDecrypt (
>    IN   VOID         *TdesContext,
>    IN   CONST UINT8  *Input,
>    IN   UINTN        InputSize,
> @@ -1767,7 +1628,7 @@ CryptoServiceTdesCbcDecrypt (
>    OUT  UINT8        *Output
>    )
>  {
> -  return CALL_BASECRYPTLIB (Tdes.Services.CbcDecrypt, TdesCbcDecrypt,
> (TdesContext, Input, InputSize, Ivec, Output), FALSE);
> +  return BaseCryptLibServciceDeprecated ("TdesCbcDecrypt"), FALSE;
>  }
> 
>  /**
> @@ -4344,13 +4205,13 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
>    CryptoServiceX509Free,
>    CryptoServiceX509StackFree,
>    CryptoServiceX509GetTBSCert,
> -  /// TDES
> -  CryptoServiceTdesGetContextSize,
> -  CryptoServiceTdesInit,
> -  CryptoServiceTdesEcbEncrypt,
> -  CryptoServiceTdesEcbDecrypt,
> -  CryptoServiceTdesCbcEncrypt,
> -  CryptoServiceTdesCbcDecrypt,
> +  /// TDES - deprecated and unsupported
> +  DeprecatedCryptoServiceTdesGetContextSize,
> +  DeprecatedCryptoServiceTdesInit,
> +  DeprecatedCryptoServiceTdesEcbEncrypt,
> +  DeprecatedCryptoServiceTdesEcbDecrypt,
> +  DeprecatedCryptoServiceTdesCbcEncrypt,
> +  DeprecatedCryptoServiceTdesCbcDecrypt,
>    /// AES
>    CryptoServiceAesGetContextSize,
>    CryptoServiceAesInit,
> diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h
> b/CryptoPkg/Include/Library/BaseCryptLib.h
> index 25e236c4a3..621bcfd1c4 100644
> --- a/CryptoPkg/Include/Library/BaseCryptLib.h
> +++ b/CryptoPkg/Include/Library/BaseCryptLib.h
> @@ -1278,202 +1278,6 @@ HmacSha256Final (
>  //    Symmetric Cryptography Primitive
> 
> //===============================================================
> ======================
> 
> -/**
> -  Retrieves the size, in bytes, of the context buffer required for TDES operations.
> -
> -  If this interface is not supported, then return zero.
> -
> -  @return  The size, in bytes, of the context buffer required for TDES operations.
> -  @retval  0   This interface is not supported.
> -
> -**/
> -UINTN
> -EFIAPI
> -TdesGetContextSize (
> -  VOID
> -  );
> -
> -/**
> -  Initializes user-supplied memory as TDES context for subsequent use.
> -
> -  This function initializes user-supplied memory pointed by TdesContext as TDES
> context.
> -  In addition, it sets up all TDES key materials for subsequent encryption and
> decryption
> -  operations.
> -  There are 3 key options as follows:
> -  KeyLength = 64,  Keying option 1: K1 == K2 == K3 (Backward compatibility with
> DES)
> -  KeyLength = 128, Keying option 2: K1 != K2 and K3 = K1 (Less Security)
> -  KeyLength = 192  Keying option 3: K1 != K2 != K3 (Strongest)
> -
> -  If TdesContext is NULL, then return FALSE.
> -  If Key is NULL, then return FALSE.
> -  If KeyLength is not valid, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[out]  TdesContext  Pointer to TDES context being initialized.
> -  @param[in]   Key          Pointer to the user-supplied TDES key.
> -  @param[in]   KeyLength    Length of TDES key in bits.
> -
> -  @retval TRUE   TDES context initialization succeeded.
> -  @retval FALSE  TDES context initialization failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesInit (
> -  OUT  VOID         *TdesContext,
> -  IN   CONST UINT8  *Key,
> -  IN   UINTN        KeyLength
> -  );
> -
> -/**
> -  Performs TDES encryption on a data buffer of the specified size in ECB mode.
> -
> -  This function performs TDES encryption on data buffer pointed by Input, of
> specified
> -  size of InputSize, in ECB mode.
> -  InputSize must be multiple of block size (8 bytes). This function does not
> perform
> -  padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> -  TdesContext should be already correctly initialized by TdesInit(). Behavior with
> -  invalid TDES context is undefined.
> -
> -  If TdesContext is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If InputSize is not multiple of block size (8 bytes), then return FALSE.
> -  If Output is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]   TdesContext  Pointer to the TDES context.
> -  @param[in]   Input        Pointer to the buffer containing the data to be
> encrypted.
> -  @param[in]   InputSize    Size of the Input buffer in bytes.
> -  @param[out]  Output       Pointer to a buffer that receives the TDES encryption
> output.
> -
> -  @retval TRUE   TDES encryption succeeded.
> -  @retval FALSE  TDES encryption failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesEcbEncrypt (
> -  IN   VOID         *TdesContext,
> -  IN   CONST UINT8  *Input,
> -  IN   UINTN        InputSize,
> -  OUT  UINT8        *Output
> -  );
> -
> -/**
> -  Performs TDES decryption on a data buffer of the specified size in ECB mode.
> -
> -  This function performs TDES decryption on data buffer pointed by Input, of
> specified
> -  size of InputSize, in ECB mode.
> -  InputSize must be multiple of block size (8 bytes). This function does not
> perform
> -  padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> -  TdesContext should be already correctly initialized by TdesInit(). Behavior with
> -  invalid TDES context is undefined.
> -
> -  If TdesContext is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If InputSize is not multiple of block size (8 bytes), then return FALSE.
> -  If Output is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]   TdesContext  Pointer to the TDES context.
> -  @param[in]   Input        Pointer to the buffer containing the data to be
> decrypted.
> -  @param[in]   InputSize    Size of the Input buffer in bytes.
> -  @param[out]  Output       Pointer to a buffer that receives the TDES decryption
> output.
> -
> -  @retval TRUE   TDES decryption succeeded.
> -  @retval FALSE  TDES decryption failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesEcbDecrypt (
> -  IN   VOID         *TdesContext,
> -  IN   CONST UINT8  *Input,
> -  IN   UINTN        InputSize,
> -  OUT  UINT8        *Output
> -  );
> -
> -/**
> -  Performs TDES encryption on a data buffer of the specified size in CBC mode.
> -
> -  This function performs TDES encryption on data buffer pointed by Input, of
> specified
> -  size of InputSize, in CBC mode.
> -  InputSize must be multiple of block size (8 bytes). This function does not
> perform
> -  padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> -  Initialization vector should be one block size (8 bytes).
> -  TdesContext should be already correctly initialized by TdesInit(). Behavior with
> -  invalid TDES context is undefined.
> -
> -  If TdesContext is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If InputSize is not multiple of block size (8 bytes), then return FALSE.
> -  If Ivec is NULL, then return FALSE.
> -  If Output is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]   TdesContext  Pointer to the TDES context.
> -  @param[in]   Input        Pointer to the buffer containing the data to be
> encrypted.
> -  @param[in]   InputSize    Size of the Input buffer in bytes.
> -  @param[in]   Ivec         Pointer to initialization vector.
> -  @param[out]  Output       Pointer to a buffer that receives the TDES encryption
> output.
> -
> -  @retval TRUE   TDES encryption succeeded.
> -  @retval FALSE  TDES encryption failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesCbcEncrypt (
> -  IN   VOID         *TdesContext,
> -  IN   CONST UINT8  *Input,
> -  IN   UINTN        InputSize,
> -  IN   CONST UINT8  *Ivec,
> -  OUT  UINT8        *Output
> -  );
> -
> -/**
> -  Performs TDES decryption on a data buffer of the specified size in CBC mode.
> -
> -  This function performs TDES decryption on data buffer pointed by Input, of
> specified
> -  size of InputSize, in CBC mode.
> -  InputSize must be multiple of block size (8 bytes). This function does not
> perform
> -  padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> -  Initialization vector should be one block size (8 bytes).
> -  TdesContext should be already correctly initialized by TdesInit(). Behavior with
> -  invalid TDES context is undefined.
> -
> -  If TdesContext is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If InputSize is not multiple of block size (8 bytes), then return FALSE.
> -  If Ivec is NULL, then return FALSE.
> -  If Output is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]   TdesContext  Pointer to the TDES context.
> -  @param[in]   Input        Pointer to the buffer containing the data to be
> encrypted.
> -  @param[in]   InputSize    Size of the Input buffer in bytes.
> -  @param[in]   Ivec         Pointer to initialization vector.
> -  @param[out]  Output       Pointer to a buffer that receives the TDES encryption
> output.
> -
> -  @retval TRUE   TDES decryption succeeded.
> -  @retval FALSE  TDES decryption failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesCbcDecrypt (
> -  IN   VOID         *TdesContext,
> -  IN   CONST UINT8  *Input,
> -  IN   UINTN        InputSize,
> -  IN   CONST UINT8  *Ivec,
> -  OUT  UINT8        *Output
> -  );
> -
>  /**
>    Retrieves the size, in bytes, of the context buffer required for AES operations.
> 
> diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> index da38ea552f..2de8e9c346 100644
> --- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> @@ -39,7 +39,6 @@
>    Hmac/CryptHmacSha256.c
>    Kdf/CryptHkdf.c
>    Cipher/CryptAes.c
> -  Cipher/CryptTdes.c
>    Pk/CryptRsaBasic.c
>    Pk/CryptRsaExt.c
>    Pk/CryptPkcs1Oaep.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
> b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
> deleted file mode 100644
> index fd799f3398..0000000000
> --- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
> +++ /dev/null
> @@ -1,364 +0,0 @@
> -/** @file
> -  TDES Wrapper Implementation over OpenSSL.
> -
> -Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -#include <openssl/des.h>
> -
> -/**
> -  Retrieves the size, in bytes, of the context buffer required for TDES operations.
> -
> -  @return  The size, in bytes, of the context buffer required for TDES operations.
> -
> -**/
> -UINTN
> -EFIAPI
> -TdesGetContextSize (
> -  VOID
> -  )
> -{
> -  //
> -  // Memory for 3 copies of DES_key_schedule is allocated, for K1, K2 and K3
> each.
> -  //
> -  return (UINTN) (3 * sizeof (DES_key_schedule));
> -}
> -
> -/**
> -  Initializes user-supplied memory as TDES context for subsequent use.
> -
> -  This function initializes user-supplied memory pointed by TdesContext as TDES
> context.
> -  In addition, it sets up all TDES key materials for subsequent encryption and
> decryption
> -  operations.
> -  There are 3 key options as follows:
> -  KeyLength = 64,  Keying option 1: K1 == K2 == K3 (Backward compatibility with
> DES)
> -  KeyLength = 128, Keying option 2: K1 != K2 and K3 = K1 (Less Security)
> -  KeyLength = 192  Keying option 3: K1 != K2 != K3 (Strongest)
> -
> -  If TdesContext is NULL, then return FALSE.
> -  If Key is NULL, then return FALSE.
> -  If KeyLength is not valid, then return FALSE.
> -
> -  @param[out]  TdesContext  Pointer to TDES context being initialized.
> -  @param[in]   Key          Pointer to the user-supplied TDES key.
> -  @param[in]   KeyLength    Length of TDES key in bits.
> -
> -  @retval TRUE   TDES context initialization succeeded.
> -  @retval FALSE  TDES context initialization failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesInit (
> -  OUT  VOID         *TdesContext,
> -  IN   CONST UINT8  *Key,
> -  IN   UINTN        KeyLength
> -  )
> -{
> -  DES_key_schedule  *KeySchedule;
> -
> -  //
> -  // Check input parameters.
> -  //
> -  if (TdesContext == NULL || Key == NULL || (KeyLength != 64 && KeyLength !=
> 128 && KeyLength != 192)) {
> -    return FALSE;
> -  }
> -
> -  KeySchedule = (DES_key_schedule *) TdesContext;
> -
> -  //
> -  // If input Key is a weak key, return error.
> -  //
> -  if (DES_is_weak_key ((const_DES_cblock *) Key) == 1) {
> -    return FALSE;
> -  }
> -
> -  DES_set_key_unchecked ((const_DES_cblock *) Key, KeySchedule);
> -
> -  if (KeyLength == 64) {
> -    CopyMem (KeySchedule + 1, KeySchedule, sizeof (DES_key_schedule));
> -    CopyMem (KeySchedule + 2, KeySchedule, sizeof (DES_key_schedule));
> -    return TRUE;
> -  }
> -
> -  if (DES_is_weak_key ((const_DES_cblock *) (Key + 8)) == 1) {
> -    return FALSE;
> -  }
> -
> -  DES_set_key_unchecked ((const_DES_cblock *) (Key + 8), KeySchedule + 1);
> -
> -  if (KeyLength == 128) {
> -    CopyMem (KeySchedule + 2, KeySchedule, sizeof (DES_key_schedule));
> -    return TRUE;
> -  }
> -
> -  if (DES_is_weak_key ((const_DES_cblock *) (Key + 16)) == 1) {
> -    return FALSE;
> -  }
> -
> -  DES_set_key_unchecked ((const_DES_cblock *) (Key + 16), KeySchedule + 2);
> -
> -  return TRUE;
> -}
> -
> -/**
> -  Performs TDES encryption on a data buffer of the specified size in ECB mode.
> -
> -  This function performs TDES encryption on data buffer pointed by Input, of
> specified
> -  size of InputSize, in ECB mode.
> -  InputSize must be multiple of block size (8 bytes). This function does not
> perform
> -  padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> -  TdesContext should be already correctly initialized by TdesInit(). Behavior with
> -  invalid TDES context is undefined.
> -
> -  If TdesContext is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If InputSize is not multiple of block size (8 bytes), then return FALSE.
> -  If Output is NULL, then return FALSE.
> -
> -  @param[in]   TdesContext  Pointer to the TDES context.
> -  @param[in]   Input        Pointer to the buffer containing the data to be
> encrypted.
> -  @param[in]   InputSize    Size of the Input buffer in bytes.
> -  @param[out]  Output       Pointer to a buffer that receives the TDES encryption
> output.
> -
> -  @retval TRUE   TDES encryption succeeded.
> -  @retval FALSE  TDES encryption failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesEcbEncrypt (
> -  IN   VOID         *TdesContext,
> -  IN   CONST UINT8  *Input,
> -  IN   UINTN        InputSize,
> -  OUT  UINT8        *Output
> -  )
> -{
> -  DES_key_schedule  *KeySchedule;
> -
> -  //
> -  // Check input parameters.
> -  //
> -  if (TdesContext == NULL || Input == NULL || (InputSize %
> TDES_BLOCK_SIZE) != 0 || Output == NULL) {
> -    return FALSE;
> -  }
> -
> -  KeySchedule = (DES_key_schedule *) TdesContext;
> -
> -  while (InputSize > 0) {
> -    DES_ecb3_encrypt (
> -      (const_DES_cblock *) Input,
> -      (DES_cblock *) Output,
> -      KeySchedule,
> -      KeySchedule + 1,
> -      KeySchedule + 2,
> -      DES_ENCRYPT
> -      );
> -    Input     += TDES_BLOCK_SIZE;
> -    Output    += TDES_BLOCK_SIZE;
> -    InputSize -= TDES_BLOCK_SIZE;
> -  }
> -
> -  return TRUE;
> -}
> -
> -/**
> -  Performs TDES decryption on a data buffer of the specified size in ECB mode.
> -
> -  This function performs TDES decryption on data buffer pointed by Input, of
> specified
> -  size of InputSize, in ECB mode.
> -  InputSize must be multiple of block size (8 bytes). This function does not
> perform
> -  padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> -  TdesContext should be already correctly initialized by TdesInit(). Behavior with
> -  invalid TDES context is undefined.
> -
> -  If TdesContext is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If InputSize is not multiple of block size (8 bytes), then return FALSE.
> -  If Output is NULL, then return FALSE.
> -
> -  @param[in]   TdesContext  Pointer to the TDES context.
> -  @param[in]   Input        Pointer to the buffer containing the data to be
> decrypted.
> -  @param[in]   InputSize    Size of the Input buffer in bytes.
> -  @param[out]  Output       Pointer to a buffer that receives the TDES decryption
> output.
> -
> -  @retval TRUE   TDES decryption succeeded.
> -  @retval FALSE  TDES decryption failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesEcbDecrypt (
> -  IN   VOID         *TdesContext,
> -  IN   CONST UINT8  *Input,
> -  IN   UINTN        InputSize,
> -  OUT  UINT8        *Output
> -  )
> -{
> -  DES_key_schedule  *KeySchedule;
> -
> -  //
> -  // Check input parameters.
> -  //
> -  if (TdesContext == NULL || Input == NULL || (InputSize %
> TDES_BLOCK_SIZE) != 0 || Output == NULL) {
> -    return FALSE;
> -  }
> -
> -  KeySchedule = (DES_key_schedule *) TdesContext;
> -
> -  while (InputSize > 0) {
> -    DES_ecb3_encrypt (
> -      (const_DES_cblock *) Input,
> -      (DES_cblock *) Output,
> -      KeySchedule,
> -      KeySchedule + 1,
> -      KeySchedule + 2,
> -      DES_DECRYPT
> -      );
> -    Input     += TDES_BLOCK_SIZE;
> -    Output    += TDES_BLOCK_SIZE;
> -    InputSize -= TDES_BLOCK_SIZE;
> -  }
> -
> -  return TRUE;
> -}
> -
> -/**
> -  Performs TDES encryption on a data buffer of the specified size in CBC mode.
> -
> -  This function performs TDES encryption on data buffer pointed by Input, of
> specified
> -  size of InputSize, in CBC mode.
> -  InputSize must be multiple of block size (8 bytes). This function does not
> perform
> -  padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> -  Initialization vector should be one block size (8 bytes).
> -  TdesContext should be already correctly initialized by TdesInit(). Behavior with
> -  invalid TDES context is undefined.
> -
> -  If TdesContext is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If InputSize is not multiple of block size (8 bytes), then return FALSE.
> -  If Ivec is NULL, then return FALSE.
> -  If Output is NULL, then return FALSE.
> -
> -  @param[in]   TdesContext  Pointer to the TDES context.
> -  @param[in]   Input        Pointer to the buffer containing the data to be
> encrypted.
> -  @param[in]   InputSize    Size of the Input buffer in bytes.
> -  @param[in]   Ivec         Pointer to initialization vector.
> -  @param[out]  Output       Pointer to a buffer that receives the TDES encryption
> output.
> -
> -  @retval TRUE   TDES encryption succeeded.
> -  @retval FALSE  TDES encryption failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesCbcEncrypt (
> -  IN   VOID         *TdesContext,
> -  IN   CONST UINT8  *Input,
> -  IN   UINTN        InputSize,
> -  IN   CONST UINT8  *Ivec,
> -  OUT  UINT8        *Output
> -  )
> -{
> -  DES_key_schedule  *KeySchedule;
> -  UINT8             IvecBuffer[TDES_BLOCK_SIZE];
> -
> -  //
> -  // Check input parameters.
> -  //
> -  if (TdesContext == NULL || Input == NULL || (InputSize %
> TDES_BLOCK_SIZE) != 0) {
> -    return FALSE;
> -  }
> -
> -  if (Ivec == NULL || Output == NULL || InputSize > INT_MAX) {
> -    return FALSE;
> -  }
> -
> -  KeySchedule = (DES_key_schedule *) TdesContext;
> -  CopyMem (IvecBuffer, Ivec, TDES_BLOCK_SIZE);
> -
> -  DES_ede3_cbc_encrypt (
> -    Input,
> -    Output,
> -    (UINT32) InputSize,
> -    KeySchedule,
> -    KeySchedule + 1,
> -    KeySchedule + 2,
> -    (DES_cblock *) IvecBuffer,
> -    DES_ENCRYPT
> -    );
> -
> -  return TRUE;
> -}
> -
> -/**
> -  Performs TDES decryption on a data buffer of the specified size in CBC mode.
> -
> -  This function performs TDES decryption on data buffer pointed by Input, of
> specified
> -  size of InputSize, in CBC mode.
> -  InputSize must be multiple of block size (8 bytes). This function does not
> perform
> -  padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> -  Initialization vector should be one block size (8 bytes).
> -  TdesContext should be already correctly initialized by TdesInit(). Behavior with
> -  invalid TDES context is undefined.
> -
> -  If TdesContext is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If InputSize is not multiple of block size (8 bytes), then return FALSE.
> -  If Ivec is NULL, then return FALSE.
> -  If Output is NULL, then return FALSE.
> -
> -  @param[in]   TdesContext  Pointer to the TDES context.
> -  @param[in]   Input        Pointer to the buffer containing the data to be
> encrypted.
> -  @param[in]   InputSize    Size of the Input buffer in bytes.
> -  @param[in]   Ivec         Pointer to initialization vector.
> -  @param[out]  Output       Pointer to a buffer that receives the TDES encryption
> output.
> -
> -  @retval TRUE   TDES decryption succeeded.
> -  @retval FALSE  TDES decryption failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesCbcDecrypt (
> -  IN   VOID         *TdesContext,
> -  IN   CONST UINT8  *Input,
> -  IN   UINTN        InputSize,
> -  IN   CONST UINT8  *Ivec,
> -  OUT  UINT8        *Output
> -  )
> -{
> -  DES_key_schedule  *KeySchedule;
> -  UINT8             IvecBuffer[TDES_BLOCK_SIZE];
> -
> -  //
> -  // Check input parameters.
> -  //
> -  if (TdesContext == NULL || Input == NULL || (InputSize %
> TDES_BLOCK_SIZE) != 0) {
> -    return FALSE;
> -  }
> -
> -  if (Ivec == NULL || Output == NULL || InputSize > INT_MAX) {
> -    return FALSE;
> -  }
> -
> -  KeySchedule = (DES_key_schedule *) TdesContext;
> -  CopyMem (IvecBuffer, Ivec, TDES_BLOCK_SIZE);
> -
> -  DES_ede3_cbc_encrypt (
> -    Input,
> -    Output,
> -    (UINT32) InputSize,
> -    KeySchedule,
> -    KeySchedule + 1,
> -    KeySchedule + 2,
> -    (DES_cblock *) IvecBuffer,
> -    DES_DECRYPT
> -    );
> -
> -  return TRUE;
> -}
> -
> diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
> b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
> deleted file mode 100644
> index efa2716063..0000000000
> --- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
> +++ /dev/null
> @@ -1,160 +0,0 @@
> -/** @file
> -  TDES Wrapper Implementation which does not provide real capabilities.
> -
> -Copyright (c) 2012, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -
> -/**
> -  Retrieves the size, in bytes, of the context buffer required for TDES operations.
> -
> -  Return zero to indicate this interface is not supported.
> -
> -  @retval  0   This interface is not supported.
> -
> -**/
> -UINTN
> -EFIAPI
> -TdesGetContextSize (
> -  VOID
> -  )
> -{
> -  ASSERT (FALSE);
> -  return 0;
> -}
> -
> -/**
> -  Initializes user-supplied memory as TDES context for subsequent use.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[out]  TdesContext  Pointer to TDES context being initialized.
> -  @param[in]   Key          Pointer to the user-supplied TDES key.
> -  @param[in]   KeyLength    Length of TDES key in bits.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesInit (
> -  OUT  VOID         *TdesContext,
> -  IN   CONST UINT8  *Key,
> -  IN   UINTN        KeyLength
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Performs TDES encryption on a data buffer of the specified size in ECB mode.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in]   TdesContext  Pointer to the TDES context.
> -  @param[in]   Input        Pointer to the buffer containing the data to be
> encrypted.
> -  @param[in]   InputSize    Size of the Input buffer in bytes.
> -  @param[out]  Output       Pointer to a buffer that receives the TDES encryption
> output.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesEcbEncrypt (
> -  IN   VOID         *TdesContext,
> -  IN   CONST UINT8  *Input,
> -  IN   UINTN        InputSize,
> -  OUT  UINT8        *Output
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Performs TDES decryption on a data buffer of the specified size in ECB mode.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in]   TdesContext  Pointer to the TDES context.
> -  @param[in]   Input        Pointer to the buffer containing the data to be
> decrypted.
> -  @param[in]   InputSize    Size of the Input buffer in bytes.
> -  @param[out]  Output       Pointer to a buffer that receives the TDES decryption
> output.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesEcbDecrypt (
> -  IN   VOID         *TdesContext,
> -  IN   CONST UINT8  *Input,
> -  IN   UINTN        InputSize,
> -  OUT  UINT8        *Output
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Performs TDES encryption on a data buffer of the specified size in CBC mode.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in]   TdesContext  Pointer to the TDES context.
> -  @param[in]   Input        Pointer to the buffer containing the data to be
> encrypted.
> -  @param[in]   InputSize    Size of the Input buffer in bytes.
> -  @param[in]   Ivec         Pointer to initialization vector.
> -  @param[out]  Output       Pointer to a buffer that receives the TDES encryption
> output.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesCbcEncrypt (
> -  IN   VOID         *TdesContext,
> -  IN   CONST UINT8  *Input,
> -  IN   UINTN        InputSize,
> -  IN   CONST UINT8  *Ivec,
> -  OUT  UINT8        *Output
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Performs TDES decryption on a data buffer of the specified size in CBC mode.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in]   TdesContext  Pointer to the TDES context.
> -  @param[in]   Input        Pointer to the buffer containing the data to be
> encrypted.
> -  @param[in]   InputSize    Size of the Input buffer in bytes.
> -  @param[in]   Ivec         Pointer to initialization vector.
> -  @param[out]  Output       Pointer to a buffer that receives the TDES encryption
> output.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesCbcDecrypt (
> -  IN   VOID         *TdesContext,
> -  IN   CONST UINT8  *Input,
> -  IN   UINTN        InputSize,
> -  IN   CONST UINT8  *Ivec,
> -  OUT  UINT8        *Output
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> index f43953b78c..f631f8d879 100644
> --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> @@ -7,7 +7,7 @@
>  #  buffer overflow or integer overflow.
>  #
>  #  Note:
> -#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES functions,
> RSA external
> +#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES functions, RSA
> external
>  #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509
>  #  certificate handler functions, authenticode signature verification functions,
>  #  PEM handler functions, and pseudorandom number generator functions are
> not
> @@ -45,7 +45,6 @@
>    Hmac/CryptHmacSha256Null.c
>    Kdf/CryptHkdfNull.c
>    Cipher/CryptAesNull.c
> -  Cipher/CryptTdesNull.c
>    Pk/CryptRsaBasic.c
>    Pk/CryptRsaExtNull.c
>    Pk/CryptPkcs1OaepNull.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> index 5abd8e8dfb..c906935d3d 100644
> --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> @@ -6,8 +6,8 @@
>  // This external input must be validated carefully to avoid security issues such as
>  // buffer overflow or integer overflow.
>  //
> -// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
> -// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,
> +// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES
> +// functions, RSA external functions, PKCS#7 SignedData sign functions,
>  // Diffie-Hellman functions, X.509 certificate handler functions, authenticode
>  // signature verification functions, PEM handler functions, and pseudorandom
> number
>  // generator functions are not supported in this instance.
> @@ -21,5 +21,5 @@
> 
>  #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic
> Library Instance for PEIM"
> 
> -#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7
> SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler
> functions, authenticode signature verification functions, PEM handler functions,
> and pseudorandom number generator functions are not supported in this
> instance."
> +#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7
> SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler
> functions, authenticode signature verification functions, PEM handler functions,
> and pseudorandom number generator functions are not supported in this
> instance."
> 
> diff --git a/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c
> b/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c
> index 75a133bd0c..6f7e1971f8 100644
> --- a/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c
> +++ b/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c
> @@ -1,7 +1,7 @@
>  /** @file
>    PEM (Privacy Enhanced Mail) Format Handler Wrapper Implementation over
> OpenSSL.
> 
> -Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
> +Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
>  SPDX-License-Identifier: BSD-2-Clause-Patent
> 
>  **/
> @@ -82,11 +82,8 @@ RsaGetPrivateKeyFromPem (
> 
>    //
>    // Add possible block-cipher descriptor for PEM data decryption.
> -  // NOTE: Only support most popular ciphers (3DES, AES) for the encrypted PEM.
> +  // NOTE: Only support most popular ciphers AES for the encrypted PEM.
>    //
> -  if (EVP_add_cipher (EVP_des_ede3_cbc ()) == 0) {
> -    return FALSE;
> -  }
>    if (EVP_add_cipher (EVP_aes_128_cbc ()) == 0) {
>      return FALSE;
>    }
> diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> index f1eb099b67..672e19299c 100644
> --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> @@ -7,7 +7,7 @@
>  #  buffer overflow or integer overflow.
>  #
>  #  Note: SHA-384 Digest functions, SHA-512 Digest functions,
> -#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES functions,
> RSA external
> +#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES functions, RSA
> external
>  #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
>  #  authenticode signature verification functions are not supported in this
> instance.
>  #
> @@ -45,7 +45,6 @@
>    Hmac/CryptHmacSha256Null.c
>    Kdf/CryptHkdfNull.c
>    Cipher/CryptAesNull.c
> -  Cipher/CryptTdesNull.c
>    Pk/CryptRsaBasic.c
>    Pk/CryptRsaExtNull.c
>    Pk/CryptPkcs1OaepNull.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> index 5a48d2a308..0a3bb1c04f 100644
> --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> @@ -6,8 +6,8 @@
>  // This external input must be validated carefully to avoid security issues such as
>  // buffer overflow or integer overflow.
>  //
> -// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
> -// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,
> +// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES
> +// functions, RSA external functions, PKCS#7 SignedData sign functions,
>  // Diffie-Hellman functions, and authenticode signature verification functions
> are
>  // not supported in this instance.
>  //
> @@ -20,5 +20,5 @@
> 
>  #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic
> Library Instance for DXE_RUNTIME_DRIVER"
> 
> -#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7
> SignedData sign functions, Diffie-Hellman functions, and authenticode signature
> verification functions are not supported in this instance."
> +#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7
> SignedData sign functions, Diffie-Hellman functions, and authenticode signature
> verification functions are not supported in this instance."
> 
> diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> index 3a94655775..cc3556ae3f 100644
> --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> @@ -7,7 +7,7 @@
>  #  buffer overflow or integer overflow.
>  #
>  #  Note: SHA-384 Digest functions, SHA-512 Digest functions,
> -#  HMAC-MD5 functions, HMAC-SHA1 functions, TDES functions, RSA external
> +#  HMAC-MD5 functions, HMAC-SHA1 functions, RSA external
>  #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
>  #  authenticode signature verification functions are not supported in this
> instance.
>  #
> @@ -44,7 +44,6 @@
>    Hmac/CryptHmacSha256.c
>    Kdf/CryptHkdfNull.c
>    Cipher/CryptAes.c
> -  Cipher/CryptTdesNull.c
>    Pk/CryptRsaBasic.c
>    Pk/CryptRsaExtNull.c
>    Pk/CryptPkcs1Oaep.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> index 0561f107e8..2e362c635f 100644
> --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> @@ -6,8 +6,8 @@
>  // This external input must be validated carefully to avoid security issues such as
>  // buffer overflow or integer overflow.
>  //
> -// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
> -// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,
> +// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES
> +// functions, RSA external functions, PKCS#7 SignedData sign functions,
>  // Diffie-Hellman functions, and authenticode signature verification functions
> are
>  // not supported in this instance.
>  //
> @@ -20,5 +20,5 @@
> 
>  #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic
> Library Instance for SMM driver"
> 
> -#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7
> SignedData sign functions, Diffie-Hellman functions, and authenticode signature
> verification functions are not supported in this instance."
> +#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7
> SignedData sign functions, Diffie-Hellman functions, and authenticode signature
> verification functions are not supported in this instance."
> 
> diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> index a205c9005d..04b552f8b7 100644
> --- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> +++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> @@ -39,7 +39,6 @@
>    Hmac/CryptHmacSha256Null.c
>    Kdf/CryptHkdfNull.c
>    Cipher/CryptAesNull.c
> -  Cipher/CryptTdesNull.c
>    Pk/CryptRsaBasicNull.c
>    Pk/CryptRsaExtNull.c
>    Pk/CryptPkcs1OaepNull.c
> diff --git a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c
> b/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c
> deleted file mode 100644
> index efa2716063..0000000000
> --- a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c
> +++ /dev/null
> @@ -1,160 +0,0 @@
> -/** @file
> -  TDES Wrapper Implementation which does not provide real capabilities.
> -
> -Copyright (c) 2012, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -
> -/**
> -  Retrieves the size, in bytes, of the context buffer required for TDES operations.
> -
> -  Return zero to indicate this interface is not supported.
> -
> -  @retval  0   This interface is not supported.
> -
> -**/
> -UINTN
> -EFIAPI
> -TdesGetContextSize (
> -  VOID
> -  )
> -{
> -  ASSERT (FALSE);
> -  return 0;
> -}
> -
> -/**
> -  Initializes user-supplied memory as TDES context for subsequent use.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[out]  TdesContext  Pointer to TDES context being initialized.
> -  @param[in]   Key          Pointer to the user-supplied TDES key.
> -  @param[in]   KeyLength    Length of TDES key in bits.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesInit (
> -  OUT  VOID         *TdesContext,
> -  IN   CONST UINT8  *Key,
> -  IN   UINTN        KeyLength
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Performs TDES encryption on a data buffer of the specified size in ECB mode.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in]   TdesContext  Pointer to the TDES context.
> -  @param[in]   Input        Pointer to the buffer containing the data to be
> encrypted.
> -  @param[in]   InputSize    Size of the Input buffer in bytes.
> -  @param[out]  Output       Pointer to a buffer that receives the TDES encryption
> output.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesEcbEncrypt (
> -  IN   VOID         *TdesContext,
> -  IN   CONST UINT8  *Input,
> -  IN   UINTN        InputSize,
> -  OUT  UINT8        *Output
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Performs TDES decryption on a data buffer of the specified size in ECB mode.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in]   TdesContext  Pointer to the TDES context.
> -  @param[in]   Input        Pointer to the buffer containing the data to be
> decrypted.
> -  @param[in]   InputSize    Size of the Input buffer in bytes.
> -  @param[out]  Output       Pointer to a buffer that receives the TDES decryption
> output.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesEcbDecrypt (
> -  IN   VOID         *TdesContext,
> -  IN   CONST UINT8  *Input,
> -  IN   UINTN        InputSize,
> -  OUT  UINT8        *Output
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Performs TDES encryption on a data buffer of the specified size in CBC mode.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in]   TdesContext  Pointer to the TDES context.
> -  @param[in]   Input        Pointer to the buffer containing the data to be
> encrypted.
> -  @param[in]   InputSize    Size of the Input buffer in bytes.
> -  @param[in]   Ivec         Pointer to initialization vector.
> -  @param[out]  Output       Pointer to a buffer that receives the TDES encryption
> output.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesCbcEncrypt (
> -  IN   VOID         *TdesContext,
> -  IN   CONST UINT8  *Input,
> -  IN   UINTN        InputSize,
> -  IN   CONST UINT8  *Ivec,
> -  OUT  UINT8        *Output
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Performs TDES decryption on a data buffer of the specified size in CBC mode.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in]   TdesContext  Pointer to the TDES context.
> -  @param[in]   Input        Pointer to the buffer containing the data to be
> encrypted.
> -  @param[in]   InputSize    Size of the Input buffer in bytes.
> -  @param[in]   Ivec         Pointer to initialization vector.
> -  @param[out]  Output       Pointer to a buffer that receives the TDES encryption
> output.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesCbcDecrypt (
> -  IN   VOID         *TdesContext,
> -  IN   CONST UINT8  *Input,
> -  IN   UINTN        InputSize,
> -  IN   CONST UINT8  *Ivec,
> -  OUT  UINT8        *Output
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> index 77915bdb86..43ee4e0841 100644
> --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> @@ -1467,220 +1467,6 @@ HmacSha256Final (
>  //    Symmetric Cryptography Primitive
> 
> //===============================================================
> ======================
> 
> -/**
> -  Retrieves the size, in bytes, of the context buffer required for TDES operations.
> -
> -  If this interface is not supported, then return zero.
> -
> -  @return  The size, in bytes, of the context buffer required for TDES operations.
> -  @retval  0   This interface is not supported.
> -
> -**/
> -UINTN
> -EFIAPI
> -TdesGetContextSize (
> -  VOID
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (TdesGetContextSize, (), 0);
> -}
> -
> -/**
> -  Initializes user-supplied memory as TDES context for subsequent use.
> -
> -  This function initializes user-supplied memory pointed by TdesContext as TDES
> context.
> -  In addition, it sets up all TDES key materials for subsequent encryption and
> decryption
> -  operations.
> -  There are 3 key options as follows:
> -  KeyLength = 64,  Keying option 1: K1 == K2 == K3 (Backward compatibility with
> DES)
> -  KeyLength = 128, Keying option 2: K1 != K2 and K3 = K1 (Less Security)
> -  KeyLength = 192  Keying option 3: K1 != K2 != K3 (Strongest)
> -
> -  If TdesContext is NULL, then return FALSE.
> -  If Key is NULL, then return FALSE.
> -  If KeyLength is not valid, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[out]  TdesContext  Pointer to TDES context being initialized.
> -  @param[in]   Key          Pointer to the user-supplied TDES key.
> -  @param[in]   KeyLength    Length of TDES key in bits.
> -
> -  @retval TRUE   TDES context initialization succeeded.
> -  @retval FALSE  TDES context initialization failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesInit (
> -  OUT  VOID         *TdesContext,
> -  IN   CONST UINT8  *Key,
> -  IN   UINTN        KeyLength
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (TdesInit, (TdesContext, Key, KeyLength), FALSE);
> -}
> -
> -/**
> -  Performs TDES encryption on a data buffer of the specified size in ECB mode.
> -
> -  This function performs TDES encryption on data buffer pointed by Input, of
> specified
> -  size of InputSize, in ECB mode.
> -  InputSize must be multiple of block size (8 bytes). This function does not
> perform
> -  padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> -  TdesContext should be already correctly initialized by TdesInit(). Behavior with
> -  invalid TDES context is undefined.
> -
> -  If TdesContext is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If InputSize is not multiple of block size (8 bytes), then return FALSE.
> -  If Output is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]   TdesContext  Pointer to the TDES context.
> -  @param[in]   Input        Pointer to the buffer containing the data to be
> encrypted.
> -  @param[in]   InputSize    Size of the Input buffer in bytes.
> -  @param[out]  Output       Pointer to a buffer that receives the TDES encryption
> output.
> -
> -  @retval TRUE   TDES encryption succeeded.
> -  @retval FALSE  TDES encryption failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesEcbEncrypt (
> -  IN   VOID         *TdesContext,
> -  IN   CONST UINT8  *Input,
> -  IN   UINTN        InputSize,
> -  OUT  UINT8        *Output
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (TdesEcbEncrypt, (TdesContext, Input, InputSize,
> Output), FALSE);
> -}
> -
> -/**
> -  Performs TDES decryption on a data buffer of the specified size in ECB mode.
> -
> -  This function performs TDES decryption on data buffer pointed by Input, of
> specified
> -  size of InputSize, in ECB mode.
> -  InputSize must be multiple of block size (8 bytes). This function does not
> perform
> -  padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> -  TdesContext should be already correctly initialized by TdesInit(). Behavior with
> -  invalid TDES context is undefined.
> -
> -  If TdesContext is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If InputSize is not multiple of block size (8 bytes), then return FALSE.
> -  If Output is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]   TdesContext  Pointer to the TDES context.
> -  @param[in]   Input        Pointer to the buffer containing the data to be
> decrypted.
> -  @param[in]   InputSize    Size of the Input buffer in bytes.
> -  @param[out]  Output       Pointer to a buffer that receives the TDES decryption
> output.
> -
> -  @retval TRUE   TDES decryption succeeded.
> -  @retval FALSE  TDES decryption failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesEcbDecrypt (
> -  IN   VOID         *TdesContext,
> -  IN   CONST UINT8  *Input,
> -  IN   UINTN        InputSize,
> -  OUT  UINT8        *Output
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (TdesEcbDecrypt, (TdesContext, Input, InputSize,
> Output), FALSE);
> -}
> -
> -/**
> -  Performs TDES encryption on a data buffer of the specified size in CBC mode.
> -
> -  This function performs TDES encryption on data buffer pointed by Input, of
> specified
> -  size of InputSize, in CBC mode.
> -  InputSize must be multiple of block size (8 bytes). This function does not
> perform
> -  padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> -  Initialization vector should be one block size (8 bytes).
> -  TdesContext should be already correctly initialized by TdesInit(). Behavior with
> -  invalid TDES context is undefined.
> -
> -  If TdesContext is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If InputSize is not multiple of block size (8 bytes), then return FALSE.
> -  If Ivec is NULL, then return FALSE.
> -  If Output is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]   TdesContext  Pointer to the TDES context.
> -  @param[in]   Input        Pointer to the buffer containing the data to be
> encrypted.
> -  @param[in]   InputSize    Size of the Input buffer in bytes.
> -  @param[in]   Ivec         Pointer to initialization vector.
> -  @param[out]  Output       Pointer to a buffer that receives the TDES encryption
> output.
> -
> -  @retval TRUE   TDES encryption succeeded.
> -  @retval FALSE  TDES encryption failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesCbcEncrypt (
> -  IN   VOID         *TdesContext,
> -  IN   CONST UINT8  *Input,
> -  IN   UINTN        InputSize,
> -  IN   CONST UINT8  *Ivec,
> -  OUT  UINT8        *Output
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (TdesCbcEncrypt, (TdesContext, Input, InputSize, Ivec,
> Output), FALSE);
> -}
> -
> -/**
> -  Performs TDES decryption on a data buffer of the specified size in CBC mode.
> -
> -  This function performs TDES decryption on data buffer pointed by Input, of
> specified
> -  size of InputSize, in CBC mode.
> -  InputSize must be multiple of block size (8 bytes). This function does not
> perform
> -  padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> -  Initialization vector should be one block size (8 bytes).
> -  TdesContext should be already correctly initialized by TdesInit(). Behavior with
> -  invalid TDES context is undefined.
> -
> -  If TdesContext is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If InputSize is not multiple of block size (8 bytes), then return FALSE.
> -  If Ivec is NULL, then return FALSE.
> -  If Output is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]   TdesContext  Pointer to the TDES context.
> -  @param[in]   Input        Pointer to the buffer containing the data to be
> encrypted.
> -  @param[in]   InputSize    Size of the Input buffer in bytes.
> -  @param[in]   Ivec         Pointer to initialization vector.
> -  @param[out]  Output       Pointer to a buffer that receives the TDES encryption
> output.
> -
> -  @retval TRUE   TDES decryption succeeded.
> -  @retval FALSE  TDES decryption failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -TdesCbcDecrypt (
> -  IN   VOID         *TdesContext,
> -  IN   CONST UINT8  *Input,
> -  IN   UINTN        InputSize,
> -  IN   CONST UINT8  *Ivec,
> -  OUT  UINT8        *Output
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (TdesCbcDecrypt, (TdesContext, Input, InputSize, Ivec,
> Output), FALSE);
> -}
> -
>  /**
>    Retrieves the size, in bytes, of the context buffer required for AES operations.
> 
> diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h
> b/CryptoPkg/Library/Include/openssl/opensslconf.h
> index 22acabef87..4868cfa963 100644
> --- a/CryptoPkg/Library/Include/openssl/opensslconf.h
> +++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
> @@ -247,6 +247,9 @@ extern "C" {
>  #ifndef OPENSSL_NO_RC4
>  # define OPENSSL_NO_RC4
>  #endif
> +#ifndef OPENSSL_NO_DES
> +# define OPENSSL_NO_DES
> +#endif
> 
> 
>  /*
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> index dfaefd1c08..d66f1cb03f 100644
> --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> @@ -178,25 +178,6 @@
>    $(OPENSSL_PATH)/crypto/cryptlib.c
>    $(OPENSSL_PATH)/crypto/ctype.c
>    $(OPENSSL_PATH)/crypto/cversion.c
> -  $(OPENSSL_PATH)/crypto/des/cbc_cksm.c
> -  $(OPENSSL_PATH)/crypto/des/cbc_enc.c
> -  $(OPENSSL_PATH)/crypto/des/cfb64ede.c
> -  $(OPENSSL_PATH)/crypto/des/cfb64enc.c
> -  $(OPENSSL_PATH)/crypto/des/cfb_enc.c
> -  $(OPENSSL_PATH)/crypto/des/des_enc.c
> -  $(OPENSSL_PATH)/crypto/des/ecb3_enc.c
> -  $(OPENSSL_PATH)/crypto/des/ecb_enc.c
> -  $(OPENSSL_PATH)/crypto/des/fcrypt.c
> -  $(OPENSSL_PATH)/crypto/des/fcrypt_b.c
> -  $(OPENSSL_PATH)/crypto/des/ofb64ede.c
> -  $(OPENSSL_PATH)/crypto/des/ofb64enc.c
> -  $(OPENSSL_PATH)/crypto/des/ofb_enc.c
> -  $(OPENSSL_PATH)/crypto/des/pcbc_enc.c
> -  $(OPENSSL_PATH)/crypto/des/qud_cksm.c
> -  $(OPENSSL_PATH)/crypto/des/rand_key.c
> -  $(OPENSSL_PATH)/crypto/des/set_key.c
> -  $(OPENSSL_PATH)/crypto/des/str2key.c
> -  $(OPENSSL_PATH)/crypto/des/xcbc_enc.c
>    $(OPENSSL_PATH)/crypto/dh/dh_ameth.c
>    $(OPENSSL_PATH)/crypto/dh/dh_asn1.c
>    $(OPENSSL_PATH)/crypto/dh/dh_check.c
> @@ -514,8 +495,6 @@
>    $(OPENSSL_PATH)/crypto/comp/comp_lcl.h
>    $(OPENSSL_PATH)/crypto/conf/conf_def.h
>    $(OPENSSL_PATH)/crypto/conf/conf_lcl.h
> -  $(OPENSSL_PATH)/crypto/des/des_locl.h
> -  $(OPENSSL_PATH)/crypto/des/spr.h
>    $(OPENSSL_PATH)/crypto/dh/dh_locl.h
>    $(OPENSSL_PATH)/crypto/dso/dso_locl.h
>    $(OPENSSL_PATH)/crypto/evp/evp_locl.h
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> index 080e1d9305..5788d13cf7 100644
> --- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> +++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> @@ -178,25 +178,6 @@
>    $(OPENSSL_PATH)/crypto/cryptlib.c
>    $(OPENSSL_PATH)/crypto/ctype.c
>    $(OPENSSL_PATH)/crypto/cversion.c
> -  $(OPENSSL_PATH)/crypto/des/cbc_cksm.c
> -  $(OPENSSL_PATH)/crypto/des/cbc_enc.c
> -  $(OPENSSL_PATH)/crypto/des/cfb64ede.c
> -  $(OPENSSL_PATH)/crypto/des/cfb64enc.c
> -  $(OPENSSL_PATH)/crypto/des/cfb_enc.c
> -  $(OPENSSL_PATH)/crypto/des/des_enc.c
> -  $(OPENSSL_PATH)/crypto/des/ecb3_enc.c
> -  $(OPENSSL_PATH)/crypto/des/ecb_enc.c
> -  $(OPENSSL_PATH)/crypto/des/fcrypt.c
> -  $(OPENSSL_PATH)/crypto/des/fcrypt_b.c
> -  $(OPENSSL_PATH)/crypto/des/ofb64ede.c
> -  $(OPENSSL_PATH)/crypto/des/ofb64enc.c
> -  $(OPENSSL_PATH)/crypto/des/ofb_enc.c
> -  $(OPENSSL_PATH)/crypto/des/pcbc_enc.c
> -  $(OPENSSL_PATH)/crypto/des/qud_cksm.c
> -  $(OPENSSL_PATH)/crypto/des/rand_key.c
> -  $(OPENSSL_PATH)/crypto/des/set_key.c
> -  $(OPENSSL_PATH)/crypto/des/str2key.c
> -  $(OPENSSL_PATH)/crypto/des/xcbc_enc.c
>    $(OPENSSL_PATH)/crypto/dh/dh_ameth.c
>    $(OPENSSL_PATH)/crypto/dh/dh_asn1.c
>    $(OPENSSL_PATH)/crypto/dh/dh_check.c
> @@ -514,8 +495,6 @@
>    $(OPENSSL_PATH)/crypto/comp/comp_lcl.h
>    $(OPENSSL_PATH)/crypto/conf/conf_def.h
>    $(OPENSSL_PATH)/crypto/conf/conf_lcl.h
> -  $(OPENSSL_PATH)/crypto/des/des_locl.h
> -  $(OPENSSL_PATH)/crypto/des/spr.h
>    $(OPENSSL_PATH)/crypto/dh/dh_locl.h
>    $(OPENSSL_PATH)/crypto/dso/dso_locl.h
>    $(OPENSSL_PATH)/crypto/evp/evp_locl.h
> diff --git a/CryptoPkg/Private/Protocol/Crypto.h
> b/CryptoPkg/Private/Protocol/Crypto.h
> index f36c5c1aff..a30660c192 100644
> --- a/CryptoPkg/Private/Protocol/Crypto.h
> +++ b/CryptoPkg/Private/Protocol/Crypto.h
> @@ -2396,155 +2396,45 @@ BOOLEAN
> 
> //===============================================================
> ======================
> 
>  /**
> -  Retrieves the size, in bytes, of the context buffer required for TDES operations.
> -
> -  If this interface is not supported, then return zero.
> -
> -  @return  The size, in bytes, of the context buffer required for TDES operations.
> -  @retval  0   This interface is not supported.
> +  TDES is deprecated and unsupported any longer.
> +  Keep the function field for binary compability.
> 
>  **/
>  typedef
>  UINTN
> -(EFIAPI *EDKII_CRYPTO_TDES_GET_CONTEXT_SIZE) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_GET_CONTEXT_SIZE) (
>    VOID
>    );
> 
> -/**
> -  Initializes user-supplied memory as TDES context for subsequent use.
> -
> -  This function initializes user-supplied memory pointed by TdesContext as TDES
> context.
> -  In addition, it sets up all TDES key materials for subsequent encryption and
> decryption
> -  operations.
> -  There are 3 key options as follows:
> -  KeyLength = 64,  Keying option 1: K1 == K2 == K3 (Backward compatibility with
> DES)
> -  KeyLength = 128, Keying option 2: K1 != K2 and K3 = K1 (Less Security)
> -  KeyLength = 192  Keying option 3: K1 != K2 != K3 (Strongest)
> -
> -  If TdesContext is NULL, then return FALSE.
> -  If Key is NULL, then return FALSE.
> -  If KeyLength is not valid, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[out]  TdesContext  Pointer to TDES context being initialized.
> -  @param[in]   Key          Pointer to the user-supplied TDES key.
> -  @param[in]   KeyLength    Length of TDES key in bits.
> -
> -  @retval TRUE   TDES context initialization succeeded.
> -  @retval FALSE  TDES context initialization failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  typedef
>  BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_TDES_INIT) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_INIT) (
>    OUT  VOID         *TdesContext,
>    IN   CONST UINT8  *Key,
>    IN   UINTN        KeyLength
>    );
> 
> -/**
> -  Performs TDES encryption on a data buffer of the specified size in ECB mode.
> -
> -  This function performs TDES encryption on data buffer pointed by Input, of
> specified
> -  size of InputSize, in ECB mode.
> -  InputSize must be multiple of block size (8 bytes). This function does not
> perform
> -  padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> -  TdesContext should be already correctly initialized by TdesInit(). Behavior with
> -  invalid TDES context is undefined.
> -
> -  If TdesContext is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If InputSize is not multiple of block size (8 bytes), then return FALSE.
> -  If Output is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]   TdesContext  Pointer to the TDES context.
> -  @param[in]   Input        Pointer to the buffer containing the data to be
> encrypted.
> -  @param[in]   InputSize    Size of the Input buffer in bytes.
> -  @param[out]  Output       Pointer to a buffer that receives the TDES encryption
> output.
> -
> -  @retval TRUE   TDES encryption succeeded.
> -  @retval FALSE  TDES encryption failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  typedef
>  BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_TDES_ECB_ENCRYPT) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_ECB_ENCRYPT) (
>    IN   VOID         *TdesContext,
>    IN   CONST UINT8  *Input,
>    IN   UINTN        InputSize,
>    OUT  UINT8        *Output
>    );
> 
> -/**
> -  Performs TDES decryption on a data buffer of the specified size in ECB mode.
> -
> -  This function performs TDES decryption on data buffer pointed by Input, of
> specified
> -  size of InputSize, in ECB mode.
> -  InputSize must be multiple of block size (8 bytes). This function does not
> perform
> -  padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> -  TdesContext should be already correctly initialized by TdesInit(). Behavior with
> -  invalid TDES context is undefined.
> -
> -  If TdesContext is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If InputSize is not multiple of block size (8 bytes), then return FALSE.
> -  If Output is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]   TdesContext  Pointer to the TDES context.
> -  @param[in]   Input        Pointer to the buffer containing the data to be
> decrypted.
> -  @param[in]   InputSize    Size of the Input buffer in bytes.
> -  @param[out]  Output       Pointer to a buffer that receives the TDES decryption
> output.
> -
> -  @retval TRUE   TDES decryption succeeded.
> -  @retval FALSE  TDES decryption failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  typedef
>  BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_TDES_ECB_DECRYPT) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_ECB_DECRYPT) (
>    IN   VOID         *TdesContext,
>    IN   CONST UINT8  *Input,
>    IN   UINTN        InputSize,
>    OUT  UINT8        *Output
>    );
> 
> -/**
> -  Performs TDES encryption on a data buffer of the specified size in CBC mode.
> -
> -  This function performs TDES encryption on data buffer pointed by Input, of
> specified
> -  size of InputSize, in CBC mode.
> -  InputSize must be multiple of block size (8 bytes). This function does not
> perform
> -  padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> -  Initialization vector should be one block size (8 bytes).
> -  TdesContext should be already correctly initialized by TdesInit(). Behavior with
> -  invalid TDES context is undefined.
> -
> -  If TdesContext is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If InputSize is not multiple of block size (8 bytes), then return FALSE.
> -  If Ivec is NULL, then return FALSE.
> -  If Output is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]   TdesContext  Pointer to the TDES context.
> -  @param[in]   Input        Pointer to the buffer containing the data to be
> encrypted.
> -  @param[in]   InputSize    Size of the Input buffer in bytes.
> -  @param[in]   Ivec         Pointer to initialization vector.
> -  @param[out]  Output       Pointer to a buffer that receives the TDES encryption
> output.
> -
> -  @retval TRUE   TDES encryption succeeded.
> -  @retval FALSE  TDES encryption failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  typedef
>  BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_TDES_CBC_ENCRYPT) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_CBC_ENCRYPT) (
>    IN   VOID         *TdesContext,
>    IN   CONST UINT8  *Input,
>    IN   UINTN        InputSize,
> @@ -2552,38 +2442,9 @@ BOOLEAN
>    OUT  UINT8        *Output
>    );
> 
> -/**
> -  Performs TDES decryption on a data buffer of the specified size in CBC mode.
> -
> -  This function performs TDES decryption on data buffer pointed by Input, of
> specified
> -  size of InputSize, in CBC mode.
> -  InputSize must be multiple of block size (8 bytes). This function does not
> perform
> -  padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> -  Initialization vector should be one block size (8 bytes).
> -  TdesContext should be already correctly initialized by TdesInit(). Behavior with
> -  invalid TDES context is undefined.
> -
> -  If TdesContext is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If InputSize is not multiple of block size (8 bytes), then return FALSE.
> -  If Ivec is NULL, then return FALSE.
> -  If Output is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]   TdesContext  Pointer to the TDES context.
> -  @param[in]   Input        Pointer to the buffer containing the data to be
> encrypted.
> -  @param[in]   InputSize    Size of the Input buffer in bytes.
> -  @param[in]   Ivec         Pointer to initialization vector.
> -  @param[out]  Output       Pointer to a buffer that receives the TDES encryption
> output.
> -
> -  @retval TRUE   TDES decryption succeeded.
> -  @retval FALSE  TDES decryption failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  typedef
>  BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_TDES_CBC_DECRYPT) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_CBC_DECRYPT) (
>    IN   VOID         *TdesContext,
>    IN   CONST UINT8  *Input,
>    IN   UINTN        InputSize,
> @@ -3911,13 +3772,13 @@ struct _EDKII_CRYPTO_PROTOCOL {
>    EDKII_CRYPTO_X509_FREE                          X509Free;
>    EDKII_CRYPTO_X509_STACK_FREE                    X509StackFree;
>    EDKII_CRYPTO_X509_GET_TBS_CERT                  X509GetTBSCert;
> -  /// TDES
> -  EDKII_CRYPTO_TDES_GET_CONTEXT_SIZE              TdesGetContextSize;
> -  EDKII_CRYPTO_TDES_INIT                          TdesInit;
> -  EDKII_CRYPTO_TDES_ECB_ENCRYPT                   TdesEcbEncrypt;
> -  EDKII_CRYPTO_TDES_ECB_DECRYPT                   TdesEcbDecrypt;
> -  EDKII_CRYPTO_TDES_CBC_ENCRYPT                   TdesCbcEncrypt;
> -  EDKII_CRYPTO_TDES_CBC_DECRYPT                   TdesCbcDecrypt;
> +  /// TDES - deprecated and unsupported
> +  DEPRECATED_EDKII_CRYPTO_TDES_GET_CONTEXT_SIZE
> DeprecatedTdesGetContextSize;
> +  DEPRECATED_EDKII_CRYPTO_TDES_INIT               DeprecatedTdesInit;
> +  DEPRECATED_EDKII_CRYPTO_TDES_ECB_ENCRYPT
> DeprecatedTdesEcbEncrypt;
> +  DEPRECATED_EDKII_CRYPTO_TDES_ECB_DECRYPT
> DeprecatedTdesEcbDecrypt;
> +  DEPRECATED_EDKII_CRYPTO_TDES_CBC_ENCRYPT
> DeprecatedTdesCbcEncrypt;
> +  DEPRECATED_EDKII_CRYPTO_TDES_CBC_DECRYPT
> DeprecatedTdesCbcDecrypt;
>    /// AES
>    EDKII_CRYPTO_AES_GET_CONTEXT_SIZE               AesGetContextSize;
>    EDKII_CRYPTO_AES_INIT                           AesInit;
> --
> 2.21.0.windows.1

[PATCH V3 5/8] CryptoPkg/BaseCryptLib: Retire Aes Ecb mode algorithm

[Gao, Zhichao]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898

Aes Ecb mode is not secure any longer.
Remove the Aes Ecb mode support from edk2.
Change the Aes Ecb mode field name in EDKII_CRYPTO_PROTOCOL to indicate the
function is unsupported any long.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
 CryptoPkg/CryptoPkg.dsc                       |  45 +++----
 CryptoPkg/Driver/Crypto.c                     |  65 ++--------
 .../Library/BaseCryptLib/Cipher/CryptAes.c    | 114 ------------------
 .../BaseCryptLib/Cipher/CryptAesNull.c        |  52 --------
 .../BaseCryptLibNull/Cipher/CryptAesNull.c    |  52 --------
 .../BaseCryptLibOnProtocolPpi/CryptLib.c      |  76 ------------
 CryptoPkg/Library/OpensslLib/OpensslLib.inf   |   1 -
 .../Library/OpensslLib/OpensslLibCrypto.inf   |   1 -
 CryptoPkg/Private/Protocol/Crypto.h           |  61 ++--------
 9 files changed, 40 insertions(+), 427 deletions(-)

diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
index 6ed7046563..1f68cc633b 100644
--- a/CryptoPkg/CryptoPkg.dsc
+++ b/CryptoPkg/CryptoPkg.dsc
@@ -137,27 +137,30 @@
   gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x06
 
 !if $(CRYPTO_SERVICES) IN "PACKAGE ALL"
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacMd5.Family    | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family   | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family       | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Dh.Family         | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Random.Family     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Family        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family       | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha384.Family     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha512.Family     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.X509.Family       | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tdes.Family       | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Family        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Arc4.Family       | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sm3.Family        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Hkdf.Family       | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tls.Family        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsSet.Family     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsGet.Family     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacMd5.Family                           | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family                          | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family                        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family                               | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family                              | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Dh.Family                                | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Random.Family                            | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Family                               | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family                              | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family                            | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha384.Family                            | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha512.Family                            | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.X509.Family                              | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tdes.Family                              | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.GetContextSize              | TRUE
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.Init                        | TRUE
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcEncrypt                  | TRUE
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcDecrypt                  | TRUE
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Arc4.Family                              | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sm3.Family                               | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Hkdf.Family                              | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tls.Family                               | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsSet.Family                            | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsGet.Family                            | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 !endif
 
 !if $(CRYPTO_SERVICES) == MIN_PEI
diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index a4106aae0b..341df3b814 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -1683,79 +1683,32 @@ CryptoServiceAesInit (
 }
 
 /**
-  Performs AES encryption on a data buffer of the specified size in ECB mode.
-
-  This function performs AES encryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (16 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  AesContext should be already correctly initialized by AesInit(). Behavior with
-  invalid AES context is undefined.
-
-  If AesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (16 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   AesContext  Pointer to the AES context.
-  @param[in]   Input       Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize   Size of the Input buffer in bytes.
-  @param[out]  Output      Pointer to a buffer that receives the AES encryption output.
-
-  @retval TRUE   AES encryption succeeded.
-  @retval FALSE  AES encryption failed.
-  @retval FALSE  This interface is not supported.
+  AES ECB Mode is deprecated and unsupported any longer.
+  Keep the function field for binary compability.
 
 **/
 BOOLEAN
 EFIAPI
-CryptoServiceAesEcbEncrypt (
+DeprecatedCryptoServiceAesEcbEncrypt (
   IN   VOID         *AesContext,
   IN   CONST UINT8  *Input,
   IN   UINTN        InputSize,
   OUT  UINT8        *Output
   )
 {
-  return CALL_BASECRYPTLIB (Aes.Services.EcbEncrypt, AesEcbEncrypt, (AesContext, Input, InputSize, Output), FALSE);
+  return BaseCryptLibServciceDeprecated ("AesEcbEncrypt"), FALSE;
 }
 
-/**
-  Performs AES decryption on a data buffer of the specified size in ECB mode.
-
-  This function performs AES decryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (16 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  AesContext should be already correctly initialized by AesInit(). Behavior with
-  invalid AES context is undefined.
-
-  If AesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (16 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   AesContext  Pointer to the AES context.
-  @param[in]   Input       Pointer to the buffer containing the data to be decrypted.
-  @param[in]   InputSize   Size of the Input buffer in bytes.
-  @param[out]  Output      Pointer to a buffer that receives the AES decryption output.
-
-  @retval TRUE   AES decryption succeeded.
-  @retval FALSE  AES decryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceAesEcbDecrypt (
+DeprecatedCryptoServiceAesEcbDecrypt (
   IN   VOID         *AesContext,
   IN   CONST UINT8  *Input,
   IN   UINTN        InputSize,
   OUT  UINT8        *Output
   )
 {
-  return CALL_BASECRYPTLIB (Aes.Services.EcbDecrypt, AesEcbDecrypt, (AesContext, Input, InputSize, Output), FALSE);
+  return BaseCryptLibServciceDeprecated ("AesEcbDecrypt"), FALSE;
 }
 
 /**
@@ -4212,11 +4165,11 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
   DeprecatedCryptoServiceTdesEcbDecrypt,
   DeprecatedCryptoServiceTdesCbcEncrypt,
   DeprecatedCryptoServiceTdesCbcDecrypt,
-  /// AES
+  /// AES - ECB mode is deprecated and unsupported
   CryptoServiceAesGetContextSize,
   CryptoServiceAesInit,
-  CryptoServiceAesEcbEncrypt,
-  CryptoServiceAesEcbDecrypt,
+  DeprecatedCryptoServiceAesEcbEncrypt,
+  DeprecatedCryptoServiceAesEcbDecrypt,
   CryptoServiceAesCbcEncrypt,
   CryptoServiceAesCbcDecrypt,
   /// Arc4 - deprecated and unsupported
diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c
index 2515b34bb8..914cffb211 100644
--- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c
+++ b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c
@@ -78,120 +78,6 @@ AesInit (
   return TRUE;
 }
 
-/**
-  Performs AES encryption on a data buffer of the specified size in ECB mode.
-
-  This function performs AES encryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (16 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  AesContext should be already correctly initialized by AesInit(). Behavior with
-  invalid AES context is undefined.
-
-  If AesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (16 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-
-  @param[in]   AesContext  Pointer to the AES context.
-  @param[in]   Input       Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize   Size of the Input buffer in bytes.
-  @param[out]  Output      Pointer to a buffer that receives the AES encryption output.
-
-  @retval TRUE   AES encryption succeeded.
-  @retval FALSE  AES encryption failed.
-
-**/
-BOOLEAN
-EFIAPI
-AesEcbEncrypt (
-  IN   VOID         *AesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  )
-{
-  AES_KEY  *AesKey;
-
-  //
-  // Check input parameters.
-  //
-  if (AesContext == NULL || Input == NULL || (InputSize % AES_BLOCK_SIZE) != 0 || Output == NULL) {
-    return FALSE;
-  }
-
-  AesKey = (AES_KEY *) AesContext;
-
-  //
-  // Perform AES data encryption with ECB mode (block-by-block)
-  //
-  while (InputSize > 0) {
-    AES_ecb_encrypt (Input, Output, AesKey, AES_ENCRYPT);
-    Input     += AES_BLOCK_SIZE;
-    Output    += AES_BLOCK_SIZE;
-    InputSize -= AES_BLOCK_SIZE;
-  }
-
-  return TRUE;
-}
-
-/**
-  Performs AES decryption on a data buffer of the specified size in ECB mode.
-
-  This function performs AES decryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (16 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  AesContext should be already correctly initialized by AesInit(). Behavior with
-  invalid AES context is undefined.
-
-  If AesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (16 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-
-  @param[in]   AesContext  Pointer to the AES context.
-  @param[in]   Input       Pointer to the buffer containing the data to be decrypted.
-  @param[in]   InputSize   Size of the Input buffer in bytes.
-  @param[out]  Output      Pointer to a buffer that receives the AES decryption output.
-
-  @retval TRUE   AES decryption succeeded.
-  @retval FALSE  AES decryption failed.
-
-**/
-BOOLEAN
-EFIAPI
-AesEcbDecrypt (
-  IN   VOID         *AesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  )
-{
-  AES_KEY  *AesKey;
-
-  //
-  // Check input parameters.
-  //
-  if (AesContext == NULL || Input == NULL || (InputSize % AES_BLOCK_SIZE) != 0 || Output == NULL) {
-    return FALSE;
-  }
-
-  AesKey = (AES_KEY *) AesContext;
-
-  //
-  // Perform AES data decryption with ECB mode (block-by-block)
-  //
-  while (InputSize > 0) {
-    AES_ecb_encrypt (Input, Output, AesKey + 1, AES_DECRYPT);
-    Input     += AES_BLOCK_SIZE;
-    Output    += AES_BLOCK_SIZE;
-    InputSize -= AES_BLOCK_SIZE;
-  }
-
-  return TRUE;
-}
-
 /**
   Performs AES encryption on a data buffer of the specified size in CBC mode.
 
diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c
index a82adacf4f..d235422e7a 100644
--- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c
+++ b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c
@@ -50,58 +50,6 @@ AesInit (
   return FALSE;
 }
 
-/**
-  Performs AES encryption on a data buffer of the specified size in ECB mode.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]   AesContext  Pointer to the AES context.
-  @param[in]   Input       Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize   Size of the Input buffer in bytes.
-  @param[out]  Output      Pointer to a buffer that receives the AES encryption output.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-AesEcbEncrypt (
-  IN   VOID         *AesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Performs AES decryption on a data buffer of the specified size in ECB mode.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]   AesContext  Pointer to the AES context.
-  @param[in]   Input       Pointer to the buffer containing the data to be decrypted.
-  @param[in]   InputSize   Size of the Input buffer in bytes.
-  @param[out]  Output      Pointer to a buffer that receives the AES decryption output.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-AesEcbDecrypt (
-  IN   VOID         *AesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
 /**
   Performs AES encryption on a data buffer of the specified size in CBC mode.
 
diff --git a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c b/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c
index a82adacf4f..d235422e7a 100644
--- a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c
+++ b/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c
@@ -50,58 +50,6 @@ AesInit (
   return FALSE;
 }
 
-/**
-  Performs AES encryption on a data buffer of the specified size in ECB mode.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]   AesContext  Pointer to the AES context.
-  @param[in]   Input       Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize   Size of the Input buffer in bytes.
-  @param[out]  Output      Pointer to a buffer that receives the AES encryption output.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-AesEcbEncrypt (
-  IN   VOID         *AesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Performs AES decryption on a data buffer of the specified size in ECB mode.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]   AesContext  Pointer to the AES context.
-  @param[in]   Input       Pointer to the buffer containing the data to be decrypted.
-  @param[in]   InputSize   Size of the Input buffer in bytes.
-  @param[out]  Output      Pointer to a buffer that receives the AES decryption output.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-AesEcbDecrypt (
-  IN   VOID         *AesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
 /**
   Performs AES encryption on a data buffer of the specified size in CBC mode.
 
diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index 43ee4e0841..c937f8540d 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -1518,82 +1518,6 @@ AesInit (
   CALL_CRYPTO_SERVICE (AesInit, (AesContext, Key, KeyLength), FALSE);
 }
 
-/**
-  Performs AES encryption on a data buffer of the specified size in ECB mode.
-
-  This function performs AES encryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (16 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  AesContext should be already correctly initialized by AesInit(). Behavior with
-  invalid AES context is undefined.
-
-  If AesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (16 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   AesContext  Pointer to the AES context.
-  @param[in]   Input       Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize   Size of the Input buffer in bytes.
-  @param[out]  Output      Pointer to a buffer that receives the AES encryption output.
-
-  @retval TRUE   AES encryption succeeded.
-  @retval FALSE  AES encryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-AesEcbEncrypt (
-  IN   VOID         *AesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  )
-{
-  CALL_CRYPTO_SERVICE (AesEcbEncrypt, (AesContext, Input, InputSize, Output), FALSE);
-}
-
-/**
-  Performs AES decryption on a data buffer of the specified size in ECB mode.
-
-  This function performs AES decryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (16 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  AesContext should be already correctly initialized by AesInit(). Behavior with
-  invalid AES context is undefined.
-
-  If AesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (16 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   AesContext  Pointer to the AES context.
-  @param[in]   Input       Pointer to the buffer containing the data to be decrypted.
-  @param[in]   InputSize   Size of the Input buffer in bytes.
-  @param[out]  Output      Pointer to a buffer that receives the AES decryption output.
-
-  @retval TRUE   AES decryption succeeded.
-  @retval FALSE  AES decryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-AesEcbDecrypt (
-  IN   VOID         *AesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  )
-{
-  CALL_CRYPTO_SERVICE (AesEcbDecrypt, (AesContext, Input, InputSize, Output), FALSE);
-}
-
 /**
   Performs AES encryption on a data buffer of the specified size in CBC mode.
 
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index d66f1cb03f..c8ec9454bd 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -29,7 +29,6 @@
   $(OPENSSL_PATH)/crypto/aes/aes_cbc.c
   $(OPENSSL_PATH)/crypto/aes/aes_cfb.c
   $(OPENSSL_PATH)/crypto/aes/aes_core.c
-  $(OPENSSL_PATH)/crypto/aes/aes_ecb.c
   $(OPENSSL_PATH)/crypto/aes/aes_ige.c
   $(OPENSSL_PATH)/crypto/aes/aes_misc.c
   $(OPENSSL_PATH)/crypto/aes/aes_ofb.c
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
index 5788d13cf7..2f232e3e12 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
@@ -29,7 +29,6 @@
   $(OPENSSL_PATH)/crypto/aes/aes_cbc.c
   $(OPENSSL_PATH)/crypto/aes/aes_cfb.c
   $(OPENSSL_PATH)/crypto/aes/aes_core.c
-  $(OPENSSL_PATH)/crypto/aes/aes_ecb.c
   $(OPENSSL_PATH)/crypto/aes/aes_ige.c
   $(OPENSSL_PATH)/crypto/aes/aes_misc.c
   $(OPENSSL_PATH)/crypto/aes/aes_ofb.c
diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h
index a30660c192..e76ff623a5 100644
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@@ -2498,69 +2498,22 @@ BOOLEAN
   );
 
 /**
-  Performs AES encryption on a data buffer of the specified size in ECB mode.
-
-  This function performs AES encryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (16 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  AesContext should be already correctly initialized by AesInit(). Behavior with
-  invalid AES context is undefined.
-
-  If AesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (16 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   AesContext  Pointer to the AES context.
-  @param[in]   Input       Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize   Size of the Input buffer in bytes.
-  @param[out]  Output      Pointer to a buffer that receives the AES encryption output.
-
-  @retval TRUE   AES encryption succeeded.
-  @retval FALSE  AES encryption failed.
-  @retval FALSE  This interface is not supported.
+  AES ECB Mode is deprecated and unsupported any longer.
+  Keep the function field for binary compability.
 
 **/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_AES_ECB_ENCRYPT) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_AES_ECB_ENCRYPT) (
   IN   VOID         *AesContext,
   IN   CONST UINT8  *Input,
   IN   UINTN        InputSize,
   OUT  UINT8        *Output
   );
 
-/**
-  Performs AES decryption on a data buffer of the specified size in ECB mode.
-
-  This function performs AES decryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (16 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  AesContext should be already correctly initialized by AesInit(). Behavior with
-  invalid AES context is undefined.
-
-  If AesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (16 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   AesContext  Pointer to the AES context.
-  @param[in]   Input       Pointer to the buffer containing the data to be decrypted.
-  @param[in]   InputSize   Size of the Input buffer in bytes.
-  @param[out]  Output      Pointer to a buffer that receives the AES decryption output.
-
-  @retval TRUE   AES decryption succeeded.
-  @retval FALSE  AES decryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_AES_ECB_DECRYPT) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_AES_ECB_DECRYPT) (
   IN   VOID         *AesContext,
   IN   CONST UINT8  *Input,
   IN   UINTN        InputSize,
@@ -3779,11 +3732,11 @@ struct _EDKII_CRYPTO_PROTOCOL {
   DEPRECATED_EDKII_CRYPTO_TDES_ECB_DECRYPT        DeprecatedTdesEcbDecrypt;
   DEPRECATED_EDKII_CRYPTO_TDES_CBC_ENCRYPT        DeprecatedTdesCbcEncrypt;
   DEPRECATED_EDKII_CRYPTO_TDES_CBC_DECRYPT        DeprecatedTdesCbcDecrypt;
-  /// AES
+  /// AES - ECB Mode is deprecated and unsupported
   EDKII_CRYPTO_AES_GET_CONTEXT_SIZE               AesGetContextSize;
   EDKII_CRYPTO_AES_INIT                           AesInit;
-  EDKII_CRYPTO_AES_ECB_ENCRYPT                    AesEcbEncrypt;
-  EDKII_CRYPTO_AES_ECB_DECRYPT                    AesEcbDecrypt;
+  DEPRECATED_EDKII_CRYPTO_AES_ECB_ENCRYPT         DeprecatedAesEcbEncrypt;
+  DEPRECATED_EDKII_CRYPTO_AES_ECB_DECRYPT         DeprecatedAesEcbDecrypt;
   EDKII_CRYPTO_AES_CBC_ENCRYPT                    AesCbcEncrypt;
   EDKII_CRYPTO_AES_CBC_DECRYPT                    AesCbcDecrypt;
   /// Arc4 - deprecated and unsupported
-- 
2.21.0.windows.1

Re: [PATCH V3 5/8] CryptoPkg/BaseCryptLib: Retire Aes Ecb mode algorithm

[Wang, Jian J]

Zhichao,

Similar to patch 3, please update OpensslLib/process_files.pl to update OpensslLibXxx.inf

Regards,
Jian

> -----Original Message-----
> From: Gao, Zhichao <zhichao.gao@intel.com>
> Sent: Thursday, May 07, 2020 7:58 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>;
> Fu, Siyuan <siyuan.fu@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>
> Subject: [PATCH V3 5/8] CryptoPkg/BaseCryptLib: Retire Aes Ecb mode
> algorithm
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
> 
> Aes Ecb mode is not secure any longer.
> Remove the Aes Ecb mode support from edk2.
> Change the Aes Ecb mode field name in EDKII_CRYPTO_PROTOCOL to indicate
> the
> function is unsupported any long.
> 
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Siyuan Fu <siyuan.fu@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> ---
>  CryptoPkg/CryptoPkg.dsc                       |  45 +++----
>  CryptoPkg/Driver/Crypto.c                     |  65 ++--------
>  .../Library/BaseCryptLib/Cipher/CryptAes.c    | 114 ------------------
>  .../BaseCryptLib/Cipher/CryptAesNull.c        |  52 --------
>  .../BaseCryptLibNull/Cipher/CryptAesNull.c    |  52 --------
>  .../BaseCryptLibOnProtocolPpi/CryptLib.c      |  76 ------------
>  CryptoPkg/Library/OpensslLib/OpensslLib.inf   |   1 -
>  .../Library/OpensslLib/OpensslLibCrypto.inf   |   1 -
>  CryptoPkg/Private/Protocol/Crypto.h           |  61 ++--------
>  9 files changed, 40 insertions(+), 427 deletions(-)
> 
> diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
> index 6ed7046563..1f68cc633b 100644
> --- a/CryptoPkg/CryptoPkg.dsc
> +++ b/CryptoPkg/CryptoPkg.dsc
> @@ -137,27 +137,30 @@
>    gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x06
> 
>  !if $(CRYPTO_SERVICES) IN "PACKAGE ALL"
> -
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacMd5.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> -
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> -
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Fam
> ily | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> -  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> -  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> -  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Dh.Family         |
> PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> -  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Random.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> -  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> -  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> -  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> -  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha384.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> -  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha512.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> -  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.X509.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> -  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tdes.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> -  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> -  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Arc4.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> -  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sm3.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> -  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Hkdf.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> -  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tls.Family        |
> PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> -  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsSet.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> -  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsGet.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> +
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacMd5.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> +
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> +
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Fam
> ily                        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> +  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> +  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> +  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Dh.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> +  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Random.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> +  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> +  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> +  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> +  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha384.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> +  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha512.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> +  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.X509.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> +  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tdes.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> +
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.GetC
> ontextSize              | TRUE
> +
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.Init
> | TRUE
> +
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcE
> ncrypt                  | TRUE
> +
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.Cbc
> Decrypt                  | TRUE
> +  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Arc4.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> +  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sm3.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> +  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Hkdf.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> +  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tls.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> +  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsSet.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> +  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsGet.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
>  !endif
> 
>  !if $(CRYPTO_SERVICES) == MIN_PEI
> diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
> index a4106aae0b..341df3b814 100644
> --- a/CryptoPkg/Driver/Crypto.c
> +++ b/CryptoPkg/Driver/Crypto.c
> @@ -1683,79 +1683,32 @@ CryptoServiceAesInit (
>  }
> 
>  /**
> -  Performs AES encryption on a data buffer of the specified size in ECB mode.
> -
> -  This function performs AES encryption on data buffer pointed by Input, of
> specified
> -  size of InputSize, in ECB mode.
> -  InputSize must be multiple of block size (16 bytes). This function does not
> perform
> -  padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> -  AesContext should be already correctly initialized by AesInit(). Behavior with
> -  invalid AES context is undefined.
> -
> -  If AesContext is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If InputSize is not multiple of block size (16 bytes), then return FALSE.
> -  If Output is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]   AesContext  Pointer to the AES context.
> -  @param[in]   Input       Pointer to the buffer containing the data to be
> encrypted.
> -  @param[in]   InputSize   Size of the Input buffer in bytes.
> -  @param[out]  Output      Pointer to a buffer that receives the AES encryption
> output.
> -
> -  @retval TRUE   AES encryption succeeded.
> -  @retval FALSE  AES encryption failed.
> -  @retval FALSE  This interface is not supported.
> +  AES ECB Mode is deprecated and unsupported any longer.
> +  Keep the function field for binary compability.
> 
>  **/
>  BOOLEAN
>  EFIAPI
> -CryptoServiceAesEcbEncrypt (
> +DeprecatedCryptoServiceAesEcbEncrypt (
>    IN   VOID         *AesContext,
>    IN   CONST UINT8  *Input,
>    IN   UINTN        InputSize,
>    OUT  UINT8        *Output
>    )
>  {
> -  return CALL_BASECRYPTLIB (Aes.Services.EcbEncrypt, AesEcbEncrypt,
> (AesContext, Input, InputSize, Output), FALSE);
> +  return BaseCryptLibServciceDeprecated ("AesEcbEncrypt"), FALSE;
>  }
> 
> -/**
> -  Performs AES decryption on a data buffer of the specified size in ECB mode.
> -
> -  This function performs AES decryption on data buffer pointed by Input, of
> specified
> -  size of InputSize, in ECB mode.
> -  InputSize must be multiple of block size (16 bytes). This function does not
> perform
> -  padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> -  AesContext should be already correctly initialized by AesInit(). Behavior with
> -  invalid AES context is undefined.
> -
> -  If AesContext is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If InputSize is not multiple of block size (16 bytes), then return FALSE.
> -  If Output is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]   AesContext  Pointer to the AES context.
> -  @param[in]   Input       Pointer to the buffer containing the data to be
> decrypted.
> -  @param[in]   InputSize   Size of the Input buffer in bytes.
> -  @param[out]  Output      Pointer to a buffer that receives the AES decryption
> output.
> -
> -  @retval TRUE   AES decryption succeeded.
> -  @retval FALSE  AES decryption failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  BOOLEAN
>  EFIAPI
> -CryptoServiceAesEcbDecrypt (
> +DeprecatedCryptoServiceAesEcbDecrypt (
>    IN   VOID         *AesContext,
>    IN   CONST UINT8  *Input,
>    IN   UINTN        InputSize,
>    OUT  UINT8        *Output
>    )
>  {
> -  return CALL_BASECRYPTLIB (Aes.Services.EcbDecrypt, AesEcbDecrypt,
> (AesContext, Input, InputSize, Output), FALSE);
> +  return BaseCryptLibServciceDeprecated ("AesEcbDecrypt"), FALSE;
>  }
> 
>  /**
> @@ -4212,11 +4165,11 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
>    DeprecatedCryptoServiceTdesEcbDecrypt,
>    DeprecatedCryptoServiceTdesCbcEncrypt,
>    DeprecatedCryptoServiceTdesCbcDecrypt,
> -  /// AES
> +  /// AES - ECB mode is deprecated and unsupported
>    CryptoServiceAesGetContextSize,
>    CryptoServiceAesInit,
> -  CryptoServiceAesEcbEncrypt,
> -  CryptoServiceAesEcbDecrypt,
> +  DeprecatedCryptoServiceAesEcbEncrypt,
> +  DeprecatedCryptoServiceAesEcbDecrypt,
>    CryptoServiceAesCbcEncrypt,
>    CryptoServiceAesCbcDecrypt,
>    /// Arc4 - deprecated and unsupported
> diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c
> b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c
> index 2515b34bb8..914cffb211 100644
> --- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c
> +++ b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c
> @@ -78,120 +78,6 @@ AesInit (
>    return TRUE;
>  }
> 
> -/**
> -  Performs AES encryption on a data buffer of the specified size in ECB mode.
> -
> -  This function performs AES encryption on data buffer pointed by Input, of
> specified
> -  size of InputSize, in ECB mode.
> -  InputSize must be multiple of block size (16 bytes). This function does not
> perform
> -  padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> -  AesContext should be already correctly initialized by AesInit(). Behavior with
> -  invalid AES context is undefined.
> -
> -  If AesContext is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If InputSize is not multiple of block size (16 bytes), then return FALSE.
> -  If Output is NULL, then return FALSE.
> -
> -  @param[in]   AesContext  Pointer to the AES context.
> -  @param[in]   Input       Pointer to the buffer containing the data to be
> encrypted.
> -  @param[in]   InputSize   Size of the Input buffer in bytes.
> -  @param[out]  Output      Pointer to a buffer that receives the AES encryption
> output.
> -
> -  @retval TRUE   AES encryption succeeded.
> -  @retval FALSE  AES encryption failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -AesEcbEncrypt (
> -  IN   VOID         *AesContext,
> -  IN   CONST UINT8  *Input,
> -  IN   UINTN        InputSize,
> -  OUT  UINT8        *Output
> -  )
> -{
> -  AES_KEY  *AesKey;
> -
> -  //
> -  // Check input parameters.
> -  //
> -  if (AesContext == NULL || Input == NULL || (InputSize % AES_BLOCK_SIZE) != 0
> || Output == NULL) {
> -    return FALSE;
> -  }
> -
> -  AesKey = (AES_KEY *) AesContext;
> -
> -  //
> -  // Perform AES data encryption with ECB mode (block-by-block)
> -  //
> -  while (InputSize > 0) {
> -    AES_ecb_encrypt (Input, Output, AesKey, AES_ENCRYPT);
> -    Input     += AES_BLOCK_SIZE;
> -    Output    += AES_BLOCK_SIZE;
> -    InputSize -= AES_BLOCK_SIZE;
> -  }
> -
> -  return TRUE;
> -}
> -
> -/**
> -  Performs AES decryption on a data buffer of the specified size in ECB mode.
> -
> -  This function performs AES decryption on data buffer pointed by Input, of
> specified
> -  size of InputSize, in ECB mode.
> -  InputSize must be multiple of block size (16 bytes). This function does not
> perform
> -  padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> -  AesContext should be already correctly initialized by AesInit(). Behavior with
> -  invalid AES context is undefined.
> -
> -  If AesContext is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If InputSize is not multiple of block size (16 bytes), then return FALSE.
> -  If Output is NULL, then return FALSE.
> -
> -  @param[in]   AesContext  Pointer to the AES context.
> -  @param[in]   Input       Pointer to the buffer containing the data to be
> decrypted.
> -  @param[in]   InputSize   Size of the Input buffer in bytes.
> -  @param[out]  Output      Pointer to a buffer that receives the AES decryption
> output.
> -
> -  @retval TRUE   AES decryption succeeded.
> -  @retval FALSE  AES decryption failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -AesEcbDecrypt (
> -  IN   VOID         *AesContext,
> -  IN   CONST UINT8  *Input,
> -  IN   UINTN        InputSize,
> -  OUT  UINT8        *Output
> -  )
> -{
> -  AES_KEY  *AesKey;
> -
> -  //
> -  // Check input parameters.
> -  //
> -  if (AesContext == NULL || Input == NULL || (InputSize % AES_BLOCK_SIZE) != 0
> || Output == NULL) {
> -    return FALSE;
> -  }
> -
> -  AesKey = (AES_KEY *) AesContext;
> -
> -  //
> -  // Perform AES data decryption with ECB mode (block-by-block)
> -  //
> -  while (InputSize > 0) {
> -    AES_ecb_encrypt (Input, Output, AesKey + 1, AES_DECRYPT);
> -    Input     += AES_BLOCK_SIZE;
> -    Output    += AES_BLOCK_SIZE;
> -    InputSize -= AES_BLOCK_SIZE;
> -  }
> -
> -  return TRUE;
> -}
> -
>  /**
>    Performs AES encryption on a data buffer of the specified size in CBC mode.
> 
> diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c
> b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c
> index a82adacf4f..d235422e7a 100644
> --- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c
> +++ b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c
> @@ -50,58 +50,6 @@ AesInit (
>    return FALSE;
>  }
> 
> -/**
> -  Performs AES encryption on a data buffer of the specified size in ECB mode.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in]   AesContext  Pointer to the AES context.
> -  @param[in]   Input       Pointer to the buffer containing the data to be
> encrypted.
> -  @param[in]   InputSize   Size of the Input buffer in bytes.
> -  @param[out]  Output      Pointer to a buffer that receives the AES encryption
> output.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -AesEcbEncrypt (
> -  IN   VOID         *AesContext,
> -  IN   CONST UINT8  *Input,
> -  IN   UINTN        InputSize,
> -  OUT  UINT8        *Output
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Performs AES decryption on a data buffer of the specified size in ECB mode.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in]   AesContext  Pointer to the AES context.
> -  @param[in]   Input       Pointer to the buffer containing the data to be
> decrypted.
> -  @param[in]   InputSize   Size of the Input buffer in bytes.
> -  @param[out]  Output      Pointer to a buffer that receives the AES decryption
> output.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -AesEcbDecrypt (
> -  IN   VOID         *AesContext,
> -  IN   CONST UINT8  *Input,
> -  IN   UINTN        InputSize,
> -  OUT  UINT8        *Output
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
>  /**
>    Performs AES encryption on a data buffer of the specified size in CBC mode.
> 
> diff --git a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c
> b/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c
> index a82adacf4f..d235422e7a 100644
> --- a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c
> +++ b/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c
> @@ -50,58 +50,6 @@ AesInit (
>    return FALSE;
>  }
> 
> -/**
> -  Performs AES encryption on a data buffer of the specified size in ECB mode.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in]   AesContext  Pointer to the AES context.
> -  @param[in]   Input       Pointer to the buffer containing the data to be
> encrypted.
> -  @param[in]   InputSize   Size of the Input buffer in bytes.
> -  @param[out]  Output      Pointer to a buffer that receives the AES encryption
> output.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -AesEcbEncrypt (
> -  IN   VOID         *AesContext,
> -  IN   CONST UINT8  *Input,
> -  IN   UINTN        InputSize,
> -  OUT  UINT8        *Output
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Performs AES decryption on a data buffer of the specified size in ECB mode.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in]   AesContext  Pointer to the AES context.
> -  @param[in]   Input       Pointer to the buffer containing the data to be
> decrypted.
> -  @param[in]   InputSize   Size of the Input buffer in bytes.
> -  @param[out]  Output      Pointer to a buffer that receives the AES decryption
> output.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -AesEcbDecrypt (
> -  IN   VOID         *AesContext,
> -  IN   CONST UINT8  *Input,
> -  IN   UINTN        InputSize,
> -  OUT  UINT8        *Output
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
>  /**
>    Performs AES encryption on a data buffer of the specified size in CBC mode.
> 
> diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> index 43ee4e0841..c937f8540d 100644
> --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> @@ -1518,82 +1518,6 @@ AesInit (
>    CALL_CRYPTO_SERVICE (AesInit, (AesContext, Key, KeyLength), FALSE);
>  }
> 
> -/**
> -  Performs AES encryption on a data buffer of the specified size in ECB mode.
> -
> -  This function performs AES encryption on data buffer pointed by Input, of
> specified
> -  size of InputSize, in ECB mode.
> -  InputSize must be multiple of block size (16 bytes). This function does not
> perform
> -  padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> -  AesContext should be already correctly initialized by AesInit(). Behavior with
> -  invalid AES context is undefined.
> -
> -  If AesContext is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If InputSize is not multiple of block size (16 bytes), then return FALSE.
> -  If Output is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]   AesContext  Pointer to the AES context.
> -  @param[in]   Input       Pointer to the buffer containing the data to be
> encrypted.
> -  @param[in]   InputSize   Size of the Input buffer in bytes.
> -  @param[out]  Output      Pointer to a buffer that receives the AES encryption
> output.
> -
> -  @retval TRUE   AES encryption succeeded.
> -  @retval FALSE  AES encryption failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -AesEcbEncrypt (
> -  IN   VOID         *AesContext,
> -  IN   CONST UINT8  *Input,
> -  IN   UINTN        InputSize,
> -  OUT  UINT8        *Output
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (AesEcbEncrypt, (AesContext, Input, InputSize,
> Output), FALSE);
> -}
> -
> -/**
> -  Performs AES decryption on a data buffer of the specified size in ECB mode.
> -
> -  This function performs AES decryption on data buffer pointed by Input, of
> specified
> -  size of InputSize, in ECB mode.
> -  InputSize must be multiple of block size (16 bytes). This function does not
> perform
> -  padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> -  AesContext should be already correctly initialized by AesInit(). Behavior with
> -  invalid AES context is undefined.
> -
> -  If AesContext is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If InputSize is not multiple of block size (16 bytes), then return FALSE.
> -  If Output is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]   AesContext  Pointer to the AES context.
> -  @param[in]   Input       Pointer to the buffer containing the data to be
> decrypted.
> -  @param[in]   InputSize   Size of the Input buffer in bytes.
> -  @param[out]  Output      Pointer to a buffer that receives the AES decryption
> output.
> -
> -  @retval TRUE   AES decryption succeeded.
> -  @retval FALSE  AES decryption failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -AesEcbDecrypt (
> -  IN   VOID         *AesContext,
> -  IN   CONST UINT8  *Input,
> -  IN   UINTN        InputSize,
> -  OUT  UINT8        *Output
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (AesEcbDecrypt, (AesContext, Input, InputSize,
> Output), FALSE);
> -}
> -
>  /**
>    Performs AES encryption on a data buffer of the specified size in CBC mode.
> 
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> index d66f1cb03f..c8ec9454bd 100644
> --- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> +++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
> @@ -29,7 +29,6 @@
>    $(OPENSSL_PATH)/crypto/aes/aes_cbc.c
>    $(OPENSSL_PATH)/crypto/aes/aes_cfb.c
>    $(OPENSSL_PATH)/crypto/aes/aes_core.c
> -  $(OPENSSL_PATH)/crypto/aes/aes_ecb.c
>    $(OPENSSL_PATH)/crypto/aes/aes_ige.c
>    $(OPENSSL_PATH)/crypto/aes/aes_misc.c
>    $(OPENSSL_PATH)/crypto/aes/aes_ofb.c
> diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> index 5788d13cf7..2f232e3e12 100644
> --- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> +++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
> @@ -29,7 +29,6 @@
>    $(OPENSSL_PATH)/crypto/aes/aes_cbc.c
>    $(OPENSSL_PATH)/crypto/aes/aes_cfb.c
>    $(OPENSSL_PATH)/crypto/aes/aes_core.c
> -  $(OPENSSL_PATH)/crypto/aes/aes_ecb.c
>    $(OPENSSL_PATH)/crypto/aes/aes_ige.c
>    $(OPENSSL_PATH)/crypto/aes/aes_misc.c
>    $(OPENSSL_PATH)/crypto/aes/aes_ofb.c
> diff --git a/CryptoPkg/Private/Protocol/Crypto.h
> b/CryptoPkg/Private/Protocol/Crypto.h
> index a30660c192..e76ff623a5 100644
> --- a/CryptoPkg/Private/Protocol/Crypto.h
> +++ b/CryptoPkg/Private/Protocol/Crypto.h
> @@ -2498,69 +2498,22 @@ BOOLEAN
>    );
> 
>  /**
> -  Performs AES encryption on a data buffer of the specified size in ECB mode.
> -
> -  This function performs AES encryption on data buffer pointed by Input, of
> specified
> -  size of InputSize, in ECB mode.
> -  InputSize must be multiple of block size (16 bytes). This function does not
> perform
> -  padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> -  AesContext should be already correctly initialized by AesInit(). Behavior with
> -  invalid AES context is undefined.
> -
> -  If AesContext is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If InputSize is not multiple of block size (16 bytes), then return FALSE.
> -  If Output is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]   AesContext  Pointer to the AES context.
> -  @param[in]   Input       Pointer to the buffer containing the data to be
> encrypted.
> -  @param[in]   InputSize   Size of the Input buffer in bytes.
> -  @param[out]  Output      Pointer to a buffer that receives the AES encryption
> output.
> -
> -  @retval TRUE   AES encryption succeeded.
> -  @retval FALSE  AES encryption failed.
> -  @retval FALSE  This interface is not supported.
> +  AES ECB Mode is deprecated and unsupported any longer.
> +  Keep the function field for binary compability.
> 
>  **/
>  typedef
>  BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_AES_ECB_ENCRYPT) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_AES_ECB_ENCRYPT) (
>    IN   VOID         *AesContext,
>    IN   CONST UINT8  *Input,
>    IN   UINTN        InputSize,
>    OUT  UINT8        *Output
>    );
> 
> -/**
> -  Performs AES decryption on a data buffer of the specified size in ECB mode.
> -
> -  This function performs AES decryption on data buffer pointed by Input, of
> specified
> -  size of InputSize, in ECB mode.
> -  InputSize must be multiple of block size (16 bytes). This function does not
> perform
> -  padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> -  AesContext should be already correctly initialized by AesInit(). Behavior with
> -  invalid AES context is undefined.
> -
> -  If AesContext is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If InputSize is not multiple of block size (16 bytes), then return FALSE.
> -  If Output is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]   AesContext  Pointer to the AES context.
> -  @param[in]   Input       Pointer to the buffer containing the data to be
> decrypted.
> -  @param[in]   InputSize   Size of the Input buffer in bytes.
> -  @param[out]  Output      Pointer to a buffer that receives the AES decryption
> output.
> -
> -  @retval TRUE   AES decryption succeeded.
> -  @retval FALSE  AES decryption failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  typedef
>  BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_AES_ECB_DECRYPT) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_AES_ECB_DECRYPT) (
>    IN   VOID         *AesContext,
>    IN   CONST UINT8  *Input,
>    IN   UINTN        InputSize,
> @@ -3779,11 +3732,11 @@ struct _EDKII_CRYPTO_PROTOCOL {
>    DEPRECATED_EDKII_CRYPTO_TDES_ECB_DECRYPT
> DeprecatedTdesEcbDecrypt;
>    DEPRECATED_EDKII_CRYPTO_TDES_CBC_ENCRYPT
> DeprecatedTdesCbcEncrypt;
>    DEPRECATED_EDKII_CRYPTO_TDES_CBC_DECRYPT
> DeprecatedTdesCbcDecrypt;
> -  /// AES
> +  /// AES - ECB Mode is deprecated and unsupported
>    EDKII_CRYPTO_AES_GET_CONTEXT_SIZE               AesGetContextSize;
>    EDKII_CRYPTO_AES_INIT                           AesInit;
> -  EDKII_CRYPTO_AES_ECB_ENCRYPT                    AesEcbEncrypt;
> -  EDKII_CRYPTO_AES_ECB_DECRYPT                    AesEcbDecrypt;
> +  DEPRECATED_EDKII_CRYPTO_AES_ECB_ENCRYPT
> DeprecatedAesEcbEncrypt;
> +  DEPRECATED_EDKII_CRYPTO_AES_ECB_DECRYPT
> DeprecatedAesEcbDecrypt;
>    EDKII_CRYPTO_AES_CBC_ENCRYPT                    AesCbcEncrypt;
>    EDKII_CRYPTO_AES_CBC_DECRYPT                    AesCbcDecrypt;
>    /// Arc4 - deprecated and unsupported
> --
> 2.21.0.windows.1

[PATCH V3 6/8] CryptoPkg/BaseCryptLib: Retire HMAC MD5 algorithm

[Gao, Zhichao]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898

HMAC MD5 is not secure any longer.
Remove the HMAC MD5 support from edk2.
Change the HMAC MD5 field name in EDKII_CRYPTO_PROTOCOL to indicate the
function is unsupported any long.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
 CryptoPkg/CryptoPkg.dsc                       |   1 -
 CryptoPkg/Driver/Crypto.c                     | 128 ++---------
 CryptoPkg/Include/Library/BaseCryptLib.h      | 203 ----------------
 .../Library/BaseCryptLib/BaseCryptLib.inf     |   1 -
 .../Library/BaseCryptLib/Hmac/CryptHmacMd5.c  | 216 ------------------
 .../BaseCryptLib/Hmac/CryptHmacMd5Null.c      | 139 -----------
 .../Library/BaseCryptLib/PeiCryptLib.inf      |   3 +-
 .../Library/BaseCryptLib/PeiCryptLib.uni      |   4 +-
 .../Library/BaseCryptLib/RuntimeCryptLib.inf  |   3 +-
 .../Library/BaseCryptLib/RuntimeCryptLib.uni  |   4 +-
 .../Library/BaseCryptLib/SmmCryptLib.inf      |   3 +-
 .../Library/BaseCryptLib/SmmCryptLib.uni      |   4 +-
 .../BaseCryptLibNull/BaseCryptLibNull.inf     |   1 -
 .../BaseCryptLibNull/Hmac/CryptHmacMd5Null.c  | 139 -----------
 .../BaseCryptLibOnProtocolPpi/CryptLib.c      | 151 ------------
 CryptoPkg/Private/Protocol/Crypto.h           | 117 ++--------
 16 files changed, 45 insertions(+), 1072 deletions(-)
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c

diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
index 1f68cc633b..9ddf73f9fa 100644
--- a/CryptoPkg/CryptoPkg.dsc
+++ b/CryptoPkg/CryptoPkg.dsc
@@ -137,7 +137,6 @@
   gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x06
 
 !if $(CRYPTO_SERVICES) IN "PACKAGE ALL"
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacMd5.Family                           | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family                          | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family                        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family                               | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index 341df3b814..dfde1cc005 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -1105,154 +1105,68 @@ CryptoServiceSm3HashAll (
 //=====================================================================================
 
 /**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5 use.
-
-  If this interface is not supported, then return NULL.
-
-  @return  Pointer to the HMAC_CTX context that has been initialized.
-           If the allocations fails, HmacMd5New() returns NULL.
-  @retval  NULL  This interface is not supported.
+  HMAC MD5 is deprecated and unsupported any longer.
+  Keep the function field for binary compability.
 
 **/
 VOID *
 EFIAPI
-CryptoServiceHmacMd5New (
+DeprecatedCryptoServiceHmacMd5New (
   VOID
   )
 {
-  return CALL_BASECRYPTLIB (HmacMd5.Services.New, HmacMd5New, (), NULL);
+  return BaseCryptLibServciceDeprecated ("HmacMd5New"), NULL;
 }
 
-/**
-  Release the specified HMAC_CTX context.
-
-  If this interface is not supported, then do nothing.
-
-  @param[in]  HmacMd5Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
 VOID
 EFIAPI
-CryptoServiceHmacMd5Free (
+DeprecatedCryptoServiceHmacMd5Free (
   IN  VOID  *HmacMd5Ctx
   )
 {
-  CALL_VOID_BASECRYPTLIB (HmacMd5.Services.Free, HmacMd5Free, (HmacMd5Ctx));
+  BaseCryptLibServciceDeprecated ("HmacMd5Free");
 }
 
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacMd5Update().
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  HmacMd5Context  Pointer to HMAC-MD5 context.
-  @param[in]   Key             Pointer to the user-supplied key.
-  @param[in]   KeySize         Key size in bytes.
-
-  @retval TRUE   Key is set successfully.
-  @retval FALSE  Key is set unsuccessfully.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceHmacMd5SetKey (
+DeprecatedCryptoServiceHmacMd5SetKey (
   OUT  VOID         *HmacMd5Context,
   IN   CONST UINT8  *Key,
   IN   UINTN        KeySize
   )
 {
-  return CALL_BASECRYPTLIB (HmacMd5.Services.SetKey, HmacMd5SetKey, (HmacMd5Context, Key, KeySize), FALSE);
+  return BaseCryptLibServciceDeprecated ("HmacMd5SetKey"), FALSE;
 }
 
-/**
-  Makes a copy of an existing HMAC-MD5 context.
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If NewHmacMd5Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]  HmacMd5Context     Pointer to HMAC-MD5 context being copied.
-  @param[out] NewHmacMd5Context  Pointer to new HMAC-MD5 context.
-
-  @retval TRUE   HMAC-MD5 context copy succeeded.
-  @retval FALSE  HMAC-MD5 context copy failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceHmacMd5Duplicate (
+DeprecatedCryptoServiceHmacMd5Duplicate (
   IN   CONST VOID  *HmacMd5Context,
   OUT  VOID        *NewHmacMd5Context
   )
 {
-  return CALL_BASECRYPTLIB (HmacMd5.Services.Duplicate, HmacMd5Duplicate, (HmacMd5Context, NewHmacMd5Context), FALSE);
+  return BaseCryptLibServciceDeprecated ("HmacMd5Duplicate"), FALSE;
 }
 
-/**
-  Digests the input data and updates HMAC-MD5 context.
-
-  This function performs HMAC-MD5 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  HMAC-MD5 context should be initialized by HmacMd5New(), and should not be finalized by
-  HmacMd5Final(). Behavior with invalid context is undefined.
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval TRUE   HMAC-MD5 data digest succeeded.
-  @retval FALSE  HMAC-MD5 data digest failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceHmacMd5Update (
+DeprecatedCryptoServiceHmacMd5Update (
   IN OUT  VOID        *HmacMd5Context,
   IN      CONST VOID  *Data,
   IN      UINTN       DataSize
   )
 {
-  return CALL_BASECRYPTLIB (HmacMd5.Services.Update, HmacMd5Update, (HmacMd5Context, Data, DataSize), FALSE);
+  return BaseCryptLibServciceDeprecated ("HmacMd5Update"), FALSE;
 }
 
-/**
-  Completes computation of the HMAC-MD5 digest value.
-
-  This function completes HMAC-MD5 hash computation and retrieves the digest value into
-  the specified memory. After this function has been called, the HMAC-MD5 context cannot
-  be used again.
-  HMAC-MD5 context should be initialized by HmacMd5New(), and should not be finalized by
-  HmacMd5Final(). Behavior with invalid HMAC-MD5 context is undefined.
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If HmacValue is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
-  @param[out]      HmacValue       Pointer to a buffer that receives the HMAC-MD5 digest
-                                   value (16 bytes).
-
-  @retval TRUE   HMAC-MD5 digest computation succeeded.
-  @retval FALSE  HMAC-MD5 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceHmacMd5Final (
+DeprecatedCryptoServiceHmacMd5Final (
   IN OUT  VOID   *HmacMd5Context,
   OUT     UINT8  *HmacValue
   )
 {
-  return CALL_BASECRYPTLIB (HmacMd5.Services.Final, HmacMd5Final, (HmacMd5Context, HmacValue), FALSE);
+  return BaseCryptLibServciceDeprecated ("HmacMd5Final"), FALSE;
 }
 
 /**
@@ -4051,13 +3965,13 @@ CryptoServiceTlsGetCertRevocationList (
 const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
   /// Version
   CryptoServiceGetCryptoVersion,
-  /// HMAC MD5
-  CryptoServiceHmacMd5New,
-  CryptoServiceHmacMd5Free,
-  CryptoServiceHmacMd5SetKey,
-  CryptoServiceHmacMd5Duplicate,
-  CryptoServiceHmacMd5Update,
-  CryptoServiceHmacMd5Final,
+  /// HMAC MD5 - deprecated and unsupported
+  DeprecatedCryptoServiceHmacMd5New,
+  DeprecatedCryptoServiceHmacMd5Free,
+  DeprecatedCryptoServiceHmacMd5SetKey,
+  DeprecatedCryptoServiceHmacMd5Duplicate,
+  DeprecatedCryptoServiceHmacMd5Update,
+  DeprecatedCryptoServiceHmacMd5Final,
   /// HMAC SHA1
   CryptoServiceHmacSha1New,
   CryptoServiceHmacSha1Free,
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index 621bcfd1c4..b99401661c 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -880,139 +880,6 @@ Sm3HashAll (
 //    MAC (Message Authentication Code) Primitive
 //=====================================================================================
 
-/**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5 use.
-
-  If this interface is not supported, then return NULL.
-
-  @return  Pointer to the HMAC_CTX context that has been initialized.
-           If the allocations fails, HmacMd5New() returns NULL.
-  @retval  NULL  This interface is not supported.
-
-**/
-VOID *
-EFIAPI
-HmacMd5New (
-  VOID
-  );
-
-/**
-  Release the specified HMAC_CTX context.
-
-  If this interface is not supported, then do nothing.
-
-  @param[in]  HmacMd5Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacMd5Free (
-  IN  VOID  *HmacMd5Ctx
-  );
-
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacMd5Update().
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  HmacMd5Context  Pointer to HMAC-MD5 context.
-  @param[in]   Key             Pointer to the user-supplied key.
-  @param[in]   KeySize         Key size in bytes.
-
-  @retval TRUE   Key is set successfully.
-  @retval FALSE  Key is set unsuccessfully.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5SetKey (
-  OUT  VOID         *HmacMd5Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  );
-
-/**
-  Makes a copy of an existing HMAC-MD5 context.
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If NewHmacMd5Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]  HmacMd5Context     Pointer to HMAC-MD5 context being copied.
-  @param[out] NewHmacMd5Context  Pointer to new HMAC-MD5 context.
-
-  @retval TRUE   HMAC-MD5 context copy succeeded.
-  @retval FALSE  HMAC-MD5 context copy failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Duplicate (
-  IN   CONST VOID  *HmacMd5Context,
-  OUT  VOID        *NewHmacMd5Context
-  );
-
-/**
-  Digests the input data and updates HMAC-MD5 context.
-
-  This function performs HMAC-MD5 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  HMAC-MD5 context should be initialized by HmacMd5New(), and should not be finalized by
-  HmacMd5Final(). Behavior with invalid context is undefined.
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval TRUE   HMAC-MD5 data digest succeeded.
-  @retval FALSE  HMAC-MD5 data digest failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Update (
-  IN OUT  VOID        *HmacMd5Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  );
-
-/**
-  Completes computation of the HMAC-MD5 digest value.
-
-  This function completes HMAC-MD5 hash computation and retrieves the digest value into
-  the specified memory. After this function has been called, the HMAC-MD5 context cannot
-  be used again.
-  HMAC-MD5 context should be initialized by HmacMd5New(), and should not be finalized by
-  HmacMd5Final(). Behavior with invalid HMAC-MD5 context is undefined.
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If HmacValue is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
-  @param[out]      HmacValue       Pointer to a buffer that receives the HMAC-MD5 digest
-                                   value (16 bytes).
-
-  @retval TRUE   HMAC-MD5 digest computation succeeded.
-  @retval FALSE  HMAC-MD5 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Final (
-  IN OUT  VOID   *HmacMd5Context,
-  OUT     UINT8  *HmacValue
-  );
-
 /**
   Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
 
@@ -1323,76 +1190,6 @@ AesInit (
   IN   UINTN        KeyLength
   );
 
-/**
-  Performs AES encryption on a data buffer of the specified size in ECB mode.
-
-  This function performs AES encryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (16 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  AesContext should be already correctly initialized by AesInit(). Behavior with
-  invalid AES context is undefined.
-
-  If AesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (16 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   AesContext  Pointer to the AES context.
-  @param[in]   Input       Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize   Size of the Input buffer in bytes.
-  @param[out]  Output      Pointer to a buffer that receives the AES encryption output.
-
-  @retval TRUE   AES encryption succeeded.
-  @retval FALSE  AES encryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-AesEcbEncrypt (
-  IN   VOID         *AesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  );
-
-/**
-  Performs AES decryption on a data buffer of the specified size in ECB mode.
-
-  This function performs AES decryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (16 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  AesContext should be already correctly initialized by AesInit(). Behavior with
-  invalid AES context is undefined.
-
-  If AesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (16 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   AesContext  Pointer to the AES context.
-  @param[in]   Input       Pointer to the buffer containing the data to be decrypted.
-  @param[in]   InputSize   Size of the Input buffer in bytes.
-  @param[out]  Output      Pointer to a buffer that receives the AES decryption output.
-
-  @retval TRUE   AES decryption succeeded.
-  @retval FALSE  AES decryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-AesEcbDecrypt (
-  IN   VOID         *AesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  );
-
 /**
   Performs AES encryption on a data buffer of the specified size in CBC mode.
 
diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
index 2de8e9c346..33d7c13bff 100644
--- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -34,7 +34,6 @@
   Hash/CryptSha256.c
   Hash/CryptSha512.c
   Hash/CryptSm3.c
-  Hmac/CryptHmacMd5.c
   Hmac/CryptHmacSha1.c
   Hmac/CryptHmacSha256.c
   Kdf/CryptHkdf.c
diff --git a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c
deleted file mode 100644
index da46ce09f4..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c
+++ /dev/null
@@ -1,216 +0,0 @@
-/** @file
-  HMAC-MD5 Wrapper Implementation over OpenSSL.
-
-Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-#include <openssl/hmac.h>
-
-/**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5 use.
-
-  @return  Pointer to the HMAC_CTX context that has been initialized.
-           If the allocations fails, HmacMd5New() returns NULL.
-
-**/
-VOID *
-EFIAPI
-HmacMd5New (
-  VOID
-  )
-{
-  //
-  // Allocates & Initializes HMAC_CTX Context by OpenSSL HMAC_CTX_new()
-  //
-  return (VOID *) HMAC_CTX_new ();
-}
-
-/**
-  Release the specified HMAC_CTX context.
-
-  @param[in]  HmacMd5Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacMd5Free (
-  IN  VOID  *HmacMd5Ctx
-  )
-{
-  //
-  // Free OpenSSL HMAC_CTX Context
-  //
-  HMAC_CTX_free ((HMAC_CTX *)HmacMd5Ctx);
-}
-
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacMd5Update().
-
-  If HmacMd5Context is NULL, then return FALSE.
-
-  @param[out]  HmacMd5Context  Pointer to HMAC-MD5 context.
-  @param[in]   Key             Pointer to the user-supplied key.
-  @param[in]   KeySize         Key size in bytes.
-
-  @retval TRUE   Key is set successfully.
-  @retval FALSE  Key is set unsuccessfully.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5SetKey (
-  OUT  VOID         *HmacMd5Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  )
-{
-  //
-  // Check input parameters.
-  //
-  if (HmacMd5Context == NULL || KeySize > INT_MAX) {
-    return FALSE;
-  }
-
-  if (HMAC_Init_ex ((HMAC_CTX *)HmacMd5Context, Key, (UINT32) KeySize, EVP_md5(), NULL) != 1) {
-    return FALSE;
-  }
-
-  return TRUE;
-}
-
-/**
-  Makes a copy of an existing HMAC-MD5 context.
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If NewHmacMd5Context is NULL, then return FALSE.
-
-  @param[in]  HmacMd5Context     Pointer to HMAC-MD5 context being copied.
-  @param[out] NewHmacMd5Context  Pointer to new HMAC-MD5 context.
-
-  @retval TRUE   HMAC-MD5 context copy succeeded.
-  @retval FALSE  HMAC-MD5 context copy failed.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Duplicate (
-  IN   CONST VOID  *HmacMd5Context,
-  OUT  VOID        *NewHmacMd5Context
-  )
-{
-  //
-  // Check input parameters.
-  //
-  if (HmacMd5Context == NULL || NewHmacMd5Context == NULL) {
-    return FALSE;
-  }
-
-  if (HMAC_CTX_copy ((HMAC_CTX *)NewHmacMd5Context, (HMAC_CTX *)HmacMd5Context) != 1) {
-    return FALSE;
-  }
-
-  return TRUE;
-}
-
-/**
-  Digests the input data and updates HMAC-MD5 context.
-
-  This function performs HMAC-MD5 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  HMAC-MD5 context should be initialized by HmacMd5New(), and should not be finalized by
-  HmacMd5Final(). Behavior with invalid context is undefined.
-
-  If HmacMd5Context is NULL, then return FALSE.
-
-  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval TRUE   HMAC-MD5 data digest succeeded.
-  @retval FALSE  HMAC-MD5 data digest failed.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Update (
-  IN OUT  VOID        *HmacMd5Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  )
-{
-  //
-  // Check input parameters.
-  //
-  if (HmacMd5Context == NULL) {
-    return FALSE;
-  }
-
-  //
-  // Check invalid parameters, in case that only DataLength was checked in OpenSSL
-  //
-  if (Data == NULL && DataSize != 0) {
-    return FALSE;
-  }
-
-  //
-  // OpenSSL HMAC-MD5 digest update
-  //
-  if (HMAC_Update ((HMAC_CTX *)HmacMd5Context, Data, DataSize) != 1) {
-    return FALSE;
-  }
-
-  return TRUE;
-}
-
-/**
-  Completes computation of the HMAC-MD5 digest value.
-
-  This function completes HMAC-MD5 digest computation and retrieves the digest value into
-  the specified memory. After this function has been called, the HMAC-MD5 context cannot
-  be used again.
-  HMAC-MD5 context should be initialized by HmacMd5New(), and should not be finalized by
-  HmacMd5Final(). Behavior with invalid HMAC-MD5 context is undefined.
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If HmacValue is NULL, then return FALSE.
-
-  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
-  @param[out]      HmacValue       Pointer to a buffer that receives the HMAC-MD5 digest
-                                   value (16 bytes).
-
-  @retval TRUE   HMAC-MD5 digest computation succeeded.
-  @retval FALSE  HMAC-MD5 digest computation failed.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Final (
-  IN OUT  VOID   *HmacMd5Context,
-  OUT     UINT8  *HmacValue
-  )
-{
-  UINT32  Length;
-
-  //
-  // Check input parameters.
-  //
-  if (HmacMd5Context == NULL || HmacValue == NULL) {
-    return FALSE;
-  }
-
-  //
-  // OpenSSL HMAC-MD5 digest finalization
-  //
-  if (HMAC_Final ((HMAC_CTX *)HmacMd5Context, HmacValue, &Length) != 1) {
-    return FALSE;
-  }
-  if (HMAC_CTX_reset ((HMAC_CTX *)HmacMd5Context) != 1) {
-    return FALSE;
-  }
-
-  return TRUE;
-}
diff --git a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c
deleted file mode 100644
index 5de55bf0d5..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c
+++ /dev/null
@@ -1,139 +0,0 @@
-/** @file
-  HMAC-MD5 Wrapper Implementation which does not provide real capabilities.
-
-Copyright (c) 2012 - 2020, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-
-/**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5 use.
-
-  Return NULL to indicate this interface is not supported.
-
-  @retval NULL  This interface is not supported.
-
-**/
-VOID *
-EFIAPI
-HmacMd5New (
-  VOID
-  )
-{
-  ASSERT (FALSE);
-  return NULL;
-}
-
-/**
-  Release the specified HMAC_CTX context.
-
-  This function will do nothing.
-
-  @param[in]  HmacMd5Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacMd5Free (
-  IN  VOID  *HmacMd5Ctx
-  )
-{
-  ASSERT (FALSE);
-  return;
-}
-
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacMd5Update().
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[out]  HmacMd5Context  Pointer to HMAC-MD5 context.
-  @param[in]   Key             Pointer to the user-supplied key.
-  @param[in]   KeySize         Key size in bytes.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5SetKey (
-  OUT  VOID         *HmacMd5Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Makes a copy of an existing HMAC-MD5 context.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]  HmacMd5Context     Pointer to HMAC-MD5 context being copied.
-  @param[out] NewHmacMd5Context  Pointer to new HMAC-MD5 context.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Duplicate (
-  IN   CONST VOID  *HmacMd5Context,
-  OUT  VOID        *NewHmacMd5Context
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Digests the input data and updates HMAC-MD5 context.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Update (
-  IN OUT  VOID        *HmacMd5Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Completes computation of the HMAC-MD5 digest value.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
-  @param[out]      HmacValue       Pointer to a buffer that receives the HMAC-MD5 digest
-                                   value (16 bytes).
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Final (
-  IN OUT  VOID   *HmacMd5Context,
-  OUT     UINT8  *HmacValue
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
index f631f8d879..2a630ef290 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
@@ -7,7 +7,7 @@
 #  buffer overflow or integer overflow.
 #
 #  Note:
-#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES functions, RSA external
+#  HMAC-SHA1/SHA256 functions, AES functions, RSA external
 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509
 #  certificate handler functions, authenticode signature verification functions,
 #  PEM handler functions, and pseudorandom number generator functions are not
@@ -40,7 +40,6 @@
   Hash/CryptSha256.c
   Hash/CryptSm3.c
   Hash/CryptSha512.c
-  Hmac/CryptHmacMd5Null.c
   Hmac/CryptHmacSha1Null.c
   Hmac/CryptHmacSha256Null.c
   Kdf/CryptHkdfNull.c
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
index c906935d3d..95c71a8ae2 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
@@ -6,7 +6,7 @@
 // This external input must be validated carefully to avoid security issues such as
 // buffer overflow or integer overflow.
 //
-// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES
+// Note: HMAC-SHA1 functions, AES
 // functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, X.509 certificate handler functions, authenticode
 // signature verification functions, PEM handler functions, and pseudorandom number
@@ -21,5 +21,5 @@
 
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for PEIM"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."
 
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
index 672e19299c..1642521087 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
@@ -7,7 +7,7 @@
 #  buffer overflow or integer overflow.
 #
 #  Note: SHA-384 Digest functions, SHA-512 Digest functions,
-#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES functions, RSA external
+#  HMAC-SHA1/SHA256 functions, AES functions, RSA external
 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
 #  authenticode signature verification functions are not supported in this instance.
 #
@@ -40,7 +40,6 @@
   Hash/CryptSha256.c
   Hash/CryptSm3.c
   Hash/CryptSha512Null.c
-  Hmac/CryptHmacMd5Null.c
   Hmac/CryptHmacSha1Null.c
   Hmac/CryptHmacSha256Null.c
   Kdf/CryptHkdfNull.c
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
index 0a3bb1c04f..f7e1acb3a7 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
@@ -6,7 +6,7 @@
 // This external input must be validated carefully to avoid security issues such as
 // buffer overflow or integer overflow.
 //
-// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES
+// Note: HMAC-SHA1 functions, AES
 // functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, and authenticode signature verification functions are
 // not supported in this instance.
@@ -20,5 +20,5 @@
 
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for DXE_RUNTIME_DRIVER"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
 
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
index cc3556ae3f..ec9c8e7c05 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
@@ -7,7 +7,7 @@
 #  buffer overflow or integer overflow.
 #
 #  Note: SHA-384 Digest functions, SHA-512 Digest functions,
-#  HMAC-MD5 functions, HMAC-SHA1 functions, RSA external
+#  HMAC-SHA1 functions, RSA external
 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
 #  authenticode signature verification functions are not supported in this instance.
 #
@@ -39,7 +39,6 @@
   Hash/CryptSha256.c
   Hash/CryptSm3.c
   Hash/CryptSha512Null.c
-  Hmac/CryptHmacMd5Null.c
   Hmac/CryptHmacSha1Null.c
   Hmac/CryptHmacSha256.c
   Kdf/CryptHkdfNull.c
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
index 2e362c635f..8eb3acac93 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
@@ -6,7 +6,7 @@
 // This external input must be validated carefully to avoid security issues such as
 // buffer overflow or integer overflow.
 //
-// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES
+// Note: HMAC-SHA1 functions, AES
 // functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, and authenticode signature verification functions are
 // not supported in this instance.
@@ -20,5 +20,5 @@
 
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for SMM driver"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
 
diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
index 04b552f8b7..558ccfc002 100644
--- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
+++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
@@ -34,7 +34,6 @@
   Hash/CryptSha256Null.c
   Hash/CryptSha512Null.c
   Hash/CryptSm3Null.c
-  Hmac/CryptHmacMd5Null.c
   Hmac/CryptHmacSha1Null.c
   Hmac/CryptHmacSha256Null.c
   Kdf/CryptHkdfNull.c
diff --git a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c b/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c
deleted file mode 100644
index 5de55bf0d5..0000000000
--- a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c
+++ /dev/null
@@ -1,139 +0,0 @@
-/** @file
-  HMAC-MD5 Wrapper Implementation which does not provide real capabilities.
-
-Copyright (c) 2012 - 2020, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-
-/**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5 use.
-
-  Return NULL to indicate this interface is not supported.
-
-  @retval NULL  This interface is not supported.
-
-**/
-VOID *
-EFIAPI
-HmacMd5New (
-  VOID
-  )
-{
-  ASSERT (FALSE);
-  return NULL;
-}
-
-/**
-  Release the specified HMAC_CTX context.
-
-  This function will do nothing.
-
-  @param[in]  HmacMd5Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacMd5Free (
-  IN  VOID  *HmacMd5Ctx
-  )
-{
-  ASSERT (FALSE);
-  return;
-}
-
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacMd5Update().
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[out]  HmacMd5Context  Pointer to HMAC-MD5 context.
-  @param[in]   Key             Pointer to the user-supplied key.
-  @param[in]   KeySize         Key size in bytes.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5SetKey (
-  OUT  VOID         *HmacMd5Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Makes a copy of an existing HMAC-MD5 context.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]  HmacMd5Context     Pointer to HMAC-MD5 context being copied.
-  @param[out] NewHmacMd5Context  Pointer to new HMAC-MD5 context.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Duplicate (
-  IN   CONST VOID  *HmacMd5Context,
-  OUT  VOID        *NewHmacMd5Context
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Digests the input data and updates HMAC-MD5 context.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Update (
-  IN OUT  VOID        *HmacMd5Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Completes computation of the HMAC-MD5 digest value.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
-  @param[out]      HmacValue       Pointer to a buffer that receives the HMAC-MD5 digest
-                                   value (16 bytes).
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Final (
-  IN OUT  VOID   *HmacMd5Context,
-  OUT     UINT8  *HmacValue
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index c937f8540d..dfe7fb7e91 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -1015,157 +1015,6 @@ Sm3HashAll (
 //    MAC (Message Authentication Code) Primitive
 //=====================================================================================
 
-/**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5 use.
-
-  If this interface is not supported, then return NULL.
-
-  @return  Pointer to the HMAC_CTX context that has been initialized.
-           If the allocations fails, HmacMd5New() returns NULL.
-  @retval  NULL  This interface is not supported.
-
-**/
-VOID *
-EFIAPI
-HmacMd5New (
-  VOID
-  )
-{
-  CALL_CRYPTO_SERVICE (HmacMd5New, (), NULL);
-}
-
-/**
-  Release the specified HMAC_CTX context.
-
-  If this interface is not supported, then do nothing.
-
-  @param[in]  HmacMd5Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacMd5Free (
-  IN  VOID  *HmacMd5Ctx
-  )
-{
-  CALL_VOID_CRYPTO_SERVICE (HmacMd5Free, (HmacMd5Ctx));
-}
-
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacMd5Update().
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  HmacMd5Context  Pointer to HMAC-MD5 context.
-  @param[in]   Key             Pointer to the user-supplied key.
-  @param[in]   KeySize         Key size in bytes.
-
-  @retval TRUE   Key is set successfully.
-  @retval FALSE  Key is set unsuccessfully.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5SetKey (
-  OUT  VOID         *HmacMd5Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  )
-{
-  CALL_CRYPTO_SERVICE (HmacMd5SetKey, (HmacMd5Context, Key, KeySize), FALSE);
-}
-
-/**
-  Makes a copy of an existing HMAC-MD5 context.
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If NewHmacMd5Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]  HmacMd5Context     Pointer to HMAC-MD5 context being copied.
-  @param[out] NewHmacMd5Context  Pointer to new HMAC-MD5 context.
-
-  @retval TRUE   HMAC-MD5 context copy succeeded.
-  @retval FALSE  HMAC-MD5 context copy failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Duplicate (
-  IN   CONST VOID  *HmacMd5Context,
-  OUT  VOID        *NewHmacMd5Context
-  )
-{
-  CALL_CRYPTO_SERVICE (HmacMd5Duplicate, (HmacMd5Context, NewHmacMd5Context), FALSE);
-}
-
-/**
-  Digests the input data and updates HMAC-MD5 context.
-
-  This function performs HMAC-MD5 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  HMAC-MD5 context should be initialized by HmacMd5New(), and should not be finalized by
-  HmacMd5Final(). Behavior with invalid context is undefined.
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval TRUE   HMAC-MD5 data digest succeeded.
-  @retval FALSE  HMAC-MD5 data digest failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Update (
-  IN OUT  VOID        *HmacMd5Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  )
-{
-  CALL_CRYPTO_SERVICE (HmacMd5Update, (HmacMd5Context, Data, DataSize), FALSE);
-}
-
-/**
-  Completes computation of the HMAC-MD5 digest value.
-
-  This function completes HMAC-MD5 hash computation and retrieves the digest value into
-  the specified memory. After this function has been called, the HMAC-MD5 context cannot
-  be used again.
-  HMAC-MD5 context should be initialized by HmacMd5New(), and should not be finalized by
-  HmacMd5Final(). Behavior with invalid HMAC-MD5 context is undefined.
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If HmacValue is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
-  @param[out]      HmacValue       Pointer to a buffer that receives the HMAC-MD5 digest
-                                   value (16 bytes).
-
-  @retval TRUE   HMAC-MD5 digest computation succeeded.
-  @retval FALSE  HMAC-MD5 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Final (
-  IN OUT  VOID   *HmacMd5Context,
-  OUT     UINT8  *HmacValue
-  )
-{
-  CALL_CRYPTO_SERVICE (HmacMd5Final, (HmacMd5Context, HmacValue), FALSE);
-}
-
 /**
   Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
 
diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h
index e76ff623a5..bd4cd7f383 100644
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@@ -43,135 +43,48 @@ UINTN
 //    MAC (Message Authentication Code) Primitive
 //=====================================================================================
 /**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5 use.
-
-  If this interface is not supported, then return NULL.
-
-  @return  Pointer to the HMAC_CTX context that has been initialized.
-           If the allocations fails, HmacMd5New() returns NULL.
-  @retval  NULL  This interface is not supported.
+  HMAC MD5 is deprecated and unsupported any longer.
+  Keep the function field for binary compability.
 
 **/
 typedef
 VOID*
-(EFIAPI *EDKII_CRYPTO_HMAC_MD5_NEW) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_NEW) (
   VOID
   );
 
-/**
-  Release the specified HMAC_CTX context.
-
-  If this interface is not supported, then do nothing.
-
-  @param[in]  HmacMd5Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
 typedef
 VOID
-(EFIAPI *EDKII_CRYPTO_HMAC_MD5_FREE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_FREE) (
   IN  VOID  *HmacMd5Ctx
   );
 
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacMd5Update().
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  HmacMd5Context  Pointer to HMAC-MD5 context.
-  @param[in]   Key             Pointer to the user-supplied key.
-  @param[in]   KeySize         Key size in bytes.
-
-  @retval TRUE   HMAC-MD5 context initialization succeeded.
-  @retval FALSE  HMAC-MD5 context initialization failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_HMAC_MD5_SET_KEY) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_SET_KEY) (
   OUT  VOID         *HmacMd5Context,
   IN   CONST UINT8  *Key,
   IN   UINTN        KeySize
   );
 
-/**
-  Makes a copy of an existing HMAC-MD5 context.
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If NewHmacMd5Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]  HmacMd5Context     Pointer to HMAC-MD5 context being copied.
-  @param[out] NewHmacMd5Context  Pointer to new HMAC-MD5 context.
-
-  @retval TRUE   HMAC-MD5 context copy succeeded.
-  @retval FALSE  HMAC-MD5 context copy failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_HMAC_MD5_DUPLICATE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_DUPLICATE) (
   IN   CONST VOID  *HmacMd5Context,
   OUT  VOID        *NewHmacMd5Context
   );
 
-/**
-  Digests the input data and updates HMAC-MD5 context.
-
-  This function performs HMAC-MD5 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  HMAC-MD5 context should be initialized by HmacMd5New(), and should not be finalized by
-  HmacMd5Final(). Behavior with invalid context is undefined.
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval TRUE   HMAC-MD5 data digest succeeded.
-  @retval FALSE  HMAC-MD5 data digest failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_HMAC_MD5_UPDATE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_UPDATE) (
   IN OUT  VOID        *HmacMd5Context,
   IN      CONST VOID  *Data,
   IN      UINTN       DataSize
   );
 
-
-/**
-  Completes computation of the HMAC-MD5 digest value.
-
-  This function completes HMAC-MD5 hash computation and retrieves the digest value into
-  the specified memory. After this function has been called, the HMAC-MD5 context cannot
-  be used again.
-  HMAC-MD5 context should be initialized by HmacMd5New(), and should not be finalized by
-  HmacMd5Final(). Behavior with invalid HMAC-MD5 context is undefined.
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If HmacValue is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
-  @param[out]      HmacValue       Pointer to a buffer that receives the HMAC-MD5 digest
-                                   value (16 bytes).
-
-  @retval TRUE   HMAC-MD5 digest computation succeeded.
-  @retval FALSE  HMAC-MD5 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_HMAC_MD5_FINAL) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_FINAL) (
   IN OUT  VOID   *HmacMd5Context,
   OUT     UINT8  *HmacValue
   );
@@ -3618,13 +3531,13 @@ EFI_STATUS
 struct _EDKII_CRYPTO_PROTOCOL {
   /// Version
   EDKII_CRYPTO_GET_VERSION                        GetVersion;
-  /// HMAC MD5
-  EDKII_CRYPTO_HMAC_MD5_NEW                       HmacMd5New;
-  EDKII_CRYPTO_HMAC_MD5_FREE                      HmacMd5Free;
-  EDKII_CRYPTO_HMAC_MD5_SET_KEY                   HmacMd5SetKey;
-  EDKII_CRYPTO_HMAC_MD5_DUPLICATE                 HmacMd5Duplicate;
-  EDKII_CRYPTO_HMAC_MD5_UPDATE                    HmacMd5Update;
-  EDKII_CRYPTO_HMAC_MD5_FINAL                     HmacMd5Final;
+  /// HMAC MD5 - deprecated and unsupported
+  DEPRECATED_EDKII_CRYPTO_HMAC_MD5_NEW            DeprecatedHmacMd5New;
+  DEPRECATED_EDKII_CRYPTO_HMAC_MD5_FREE           DeprecatedHmacMd5Free;
+  DEPRECATED_EDKII_CRYPTO_HMAC_MD5_SET_KEY        DeprecatedHmacMd5SetKey;
+  DEPRECATED_EDKII_CRYPTO_HMAC_MD5_DUPLICATE      DeprecatedHmacMd5Duplicate;
+  DEPRECATED_EDKII_CRYPTO_HMAC_MD5_UPDATE         DeprecatedHmacMd5Update;
+  DEPRECATED_EDKII_CRYPTO_HMAC_MD5_FINAL          DeprecatedHmacMd5Final;
   /// HMAC SHA1
   EDKII_CRYPTO_HMAC_SHA1_NEW                      HmacSha1New;
   EDKII_CRYPTO_HMAC_SHA1_FREE                     HmacSha1Free;
-- 
2.21.0.windows.1

Re: [PATCH V3 6/8] CryptoPkg/BaseCryptLib: Retire HMAC MD5 algorithm

[Wang, Jian J]

Zhichao,

The removal of AesEcbEncrypt() and AesEcbDecrypt() should go to patch 5.

Regards,
Jian

> -----Original Message-----
> From: Gao, Zhichao <zhichao.gao@intel.com>
> Sent: Thursday, May 07, 2020 7:58 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>;
> Fu, Siyuan <siyuan.fu@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>
> Subject: [PATCH V3 6/8] CryptoPkg/BaseCryptLib: Retire HMAC MD5 algorithm
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
> 
> HMAC MD5 is not secure any longer.
> Remove the HMAC MD5 support from edk2.
> Change the HMAC MD5 field name in EDKII_CRYPTO_PROTOCOL to indicate the
> function is unsupported any long.
> 
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Siyuan Fu <siyuan.fu@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> ---
>  CryptoPkg/CryptoPkg.dsc                       |   1 -
>  CryptoPkg/Driver/Crypto.c                     | 128 ++---------
>  CryptoPkg/Include/Library/BaseCryptLib.h      | 203 ----------------
>  .../Library/BaseCryptLib/BaseCryptLib.inf     |   1 -
>  .../Library/BaseCryptLib/Hmac/CryptHmacMd5.c  | 216 ------------------
>  .../BaseCryptLib/Hmac/CryptHmacMd5Null.c      | 139 -----------
>  .../Library/BaseCryptLib/PeiCryptLib.inf      |   3 +-
>  .../Library/BaseCryptLib/PeiCryptLib.uni      |   4 +-
>  .../Library/BaseCryptLib/RuntimeCryptLib.inf  |   3 +-
>  .../Library/BaseCryptLib/RuntimeCryptLib.uni  |   4 +-
>  .../Library/BaseCryptLib/SmmCryptLib.inf      |   3 +-
>  .../Library/BaseCryptLib/SmmCryptLib.uni      |   4 +-
>  .../BaseCryptLibNull/BaseCryptLibNull.inf     |   1 -
>  .../BaseCryptLibNull/Hmac/CryptHmacMd5Null.c  | 139 -----------
>  .../BaseCryptLibOnProtocolPpi/CryptLib.c      | 151 ------------
>  CryptoPkg/Private/Protocol/Crypto.h           | 117 ++--------
>  16 files changed, 45 insertions(+), 1072 deletions(-)
>  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c
> 
> diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
> index 1f68cc633b..9ddf73f9fa 100644
> --- a/CryptoPkg/CryptoPkg.dsc
> +++ b/CryptoPkg/CryptoPkg.dsc
> @@ -137,7 +137,6 @@
>    gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x06
> 
>  !if $(CRYPTO_SERVICES) IN "PACKAGE ALL"
> -
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacMd5.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> 
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> 
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Fam
> ily                        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
>    gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
> index 341df3b814..dfde1cc005 100644
> --- a/CryptoPkg/Driver/Crypto.c
> +++ b/CryptoPkg/Driver/Crypto.c
> @@ -1105,154 +1105,68 @@ CryptoServiceSm3HashAll (
> 
> //===============================================================
> ======================
> 
>  /**
> -  Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5
> use.
> -
> -  If this interface is not supported, then return NULL.
> -
> -  @return  Pointer to the HMAC_CTX context that has been initialized.
> -           If the allocations fails, HmacMd5New() returns NULL.
> -  @retval  NULL  This interface is not supported.
> +  HMAC MD5 is deprecated and unsupported any longer.
> +  Keep the function field for binary compability.
> 
>  **/
>  VOID *
>  EFIAPI
> -CryptoServiceHmacMd5New (
> +DeprecatedCryptoServiceHmacMd5New (
>    VOID
>    )
>  {
> -  return CALL_BASECRYPTLIB (HmacMd5.Services.New, HmacMd5New, (),
> NULL);
> +  return BaseCryptLibServciceDeprecated ("HmacMd5New"), NULL;
>  }
> 
> -/**
> -  Release the specified HMAC_CTX context.
> -
> -  If this interface is not supported, then do nothing.
> -
> -  @param[in]  HmacMd5Ctx  Pointer to the HMAC_CTX context to be released.
> -
> -**/
>  VOID
>  EFIAPI
> -CryptoServiceHmacMd5Free (
> +DeprecatedCryptoServiceHmacMd5Free (
>    IN  VOID  *HmacMd5Ctx
>    )
>  {
> -  CALL_VOID_BASECRYPTLIB (HmacMd5.Services.Free, HmacMd5Free,
> (HmacMd5Ctx));
> +  BaseCryptLibServciceDeprecated ("HmacMd5Free");
>  }
> 
> -/**
> -  Set user-supplied key for subsequent use. It must be done before any
> -  calling to HmacMd5Update().
> -
> -  If HmacMd5Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[out]  HmacMd5Context  Pointer to HMAC-MD5 context.
> -  @param[in]   Key             Pointer to the user-supplied key.
> -  @param[in]   KeySize         Key size in bytes.
> -
> -  @retval TRUE   Key is set successfully.
> -  @retval FALSE  Key is set unsuccessfully.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  BOOLEAN
>  EFIAPI
> -CryptoServiceHmacMd5SetKey (
> +DeprecatedCryptoServiceHmacMd5SetKey (
>    OUT  VOID         *HmacMd5Context,
>    IN   CONST UINT8  *Key,
>    IN   UINTN        KeySize
>    )
>  {
> -  return CALL_BASECRYPTLIB (HmacMd5.Services.SetKey, HmacMd5SetKey,
> (HmacMd5Context, Key, KeySize), FALSE);
> +  return BaseCryptLibServciceDeprecated ("HmacMd5SetKey"), FALSE;
>  }
> 
> -/**
> -  Makes a copy of an existing HMAC-MD5 context.
> -
> -  If HmacMd5Context is NULL, then return FALSE.
> -  If NewHmacMd5Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]  HmacMd5Context     Pointer to HMAC-MD5 context being copied.
> -  @param[out] NewHmacMd5Context  Pointer to new HMAC-MD5 context.
> -
> -  @retval TRUE   HMAC-MD5 context copy succeeded.
> -  @retval FALSE  HMAC-MD5 context copy failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  BOOLEAN
>  EFIAPI
> -CryptoServiceHmacMd5Duplicate (
> +DeprecatedCryptoServiceHmacMd5Duplicate (
>    IN   CONST VOID  *HmacMd5Context,
>    OUT  VOID        *NewHmacMd5Context
>    )
>  {
> -  return CALL_BASECRYPTLIB (HmacMd5.Services.Duplicate,
> HmacMd5Duplicate, (HmacMd5Context, NewHmacMd5Context), FALSE);
> +  return BaseCryptLibServciceDeprecated ("HmacMd5Duplicate"), FALSE;
>  }
> 
> -/**
> -  Digests the input data and updates HMAC-MD5 context.
> -
> -  This function performs HMAC-MD5 digest on a data buffer of the specified size.
> -  It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> -  HMAC-MD5 context should be initialized by HmacMd5New(), and should not
> be finalized by
> -  HmacMd5Final(). Behavior with invalid context is undefined.
> -
> -  If HmacMd5Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
> -  @param[in]       Data            Pointer to the buffer containing the data to be
> digested.
> -  @param[in]       DataSize        Size of Data buffer in bytes.
> -
> -  @retval TRUE   HMAC-MD5 data digest succeeded.
> -  @retval FALSE  HMAC-MD5 data digest failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  BOOLEAN
>  EFIAPI
> -CryptoServiceHmacMd5Update (
> +DeprecatedCryptoServiceHmacMd5Update (
>    IN OUT  VOID        *HmacMd5Context,
>    IN      CONST VOID  *Data,
>    IN      UINTN       DataSize
>    )
>  {
> -  return CALL_BASECRYPTLIB (HmacMd5.Services.Update, HmacMd5Update,
> (HmacMd5Context, Data, DataSize), FALSE);
> +  return BaseCryptLibServciceDeprecated ("HmacMd5Update"), FALSE;
>  }
> 
> -/**
> -  Completes computation of the HMAC-MD5 digest value.
> -
> -  This function completes HMAC-MD5 hash computation and retrieves the
> digest value into
> -  the specified memory. After this function has been called, the HMAC-MD5
> context cannot
> -  be used again.
> -  HMAC-MD5 context should be initialized by HmacMd5New(), and should not
> be finalized by
> -  HmacMd5Final(). Behavior with invalid HMAC-MD5 context is undefined.
> -
> -  If HmacMd5Context is NULL, then return FALSE.
> -  If HmacValue is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
> -  @param[out]      HmacValue       Pointer to a buffer that receives the HMAC-
> MD5 digest
> -                                   value (16 bytes).
> -
> -  @retval TRUE   HMAC-MD5 digest computation succeeded.
> -  @retval FALSE  HMAC-MD5 digest computation failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  BOOLEAN
>  EFIAPI
> -CryptoServiceHmacMd5Final (
> +DeprecatedCryptoServiceHmacMd5Final (
>    IN OUT  VOID   *HmacMd5Context,
>    OUT     UINT8  *HmacValue
>    )
>  {
> -  return CALL_BASECRYPTLIB (HmacMd5.Services.Final, HmacMd5Final,
> (HmacMd5Context, HmacValue), FALSE);
> +  return BaseCryptLibServciceDeprecated ("HmacMd5Final"), FALSE;
>  }
> 
>  /**
> @@ -4051,13 +3965,13 @@ CryptoServiceTlsGetCertRevocationList (
>  const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
>    /// Version
>    CryptoServiceGetCryptoVersion,
> -  /// HMAC MD5
> -  CryptoServiceHmacMd5New,
> -  CryptoServiceHmacMd5Free,
> -  CryptoServiceHmacMd5SetKey,
> -  CryptoServiceHmacMd5Duplicate,
> -  CryptoServiceHmacMd5Update,
> -  CryptoServiceHmacMd5Final,
> +  /// HMAC MD5 - deprecated and unsupported
> +  DeprecatedCryptoServiceHmacMd5New,
> +  DeprecatedCryptoServiceHmacMd5Free,
> +  DeprecatedCryptoServiceHmacMd5SetKey,
> +  DeprecatedCryptoServiceHmacMd5Duplicate,
> +  DeprecatedCryptoServiceHmacMd5Update,
> +  DeprecatedCryptoServiceHmacMd5Final,
>    /// HMAC SHA1
>    CryptoServiceHmacSha1New,
>    CryptoServiceHmacSha1Free,
> diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h
> b/CryptoPkg/Include/Library/BaseCryptLib.h
> index 621bcfd1c4..b99401661c 100644
> --- a/CryptoPkg/Include/Library/BaseCryptLib.h
> +++ b/CryptoPkg/Include/Library/BaseCryptLib.h
> @@ -880,139 +880,6 @@ Sm3HashAll (
>  //    MAC (Message Authentication Code) Primitive
> 
> //===============================================================
> ======================
> 
> -/**
> -  Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5
> use.
> -
> -  If this interface is not supported, then return NULL.
> -
> -  @return  Pointer to the HMAC_CTX context that has been initialized.
> -           If the allocations fails, HmacMd5New() returns NULL.
> -  @retval  NULL  This interface is not supported.
> -
> -**/
> -VOID *
> -EFIAPI
> -HmacMd5New (
> -  VOID
> -  );
> -
> -/**
> -  Release the specified HMAC_CTX context.
> -
> -  If this interface is not supported, then do nothing.
> -
> -  @param[in]  HmacMd5Ctx  Pointer to the HMAC_CTX context to be released.
> -
> -**/
> -VOID
> -EFIAPI
> -HmacMd5Free (
> -  IN  VOID  *HmacMd5Ctx
> -  );
> -
> -/**
> -  Set user-supplied key for subsequent use. It must be done before any
> -  calling to HmacMd5Update().
> -
> -  If HmacMd5Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[out]  HmacMd5Context  Pointer to HMAC-MD5 context.
> -  @param[in]   Key             Pointer to the user-supplied key.
> -  @param[in]   KeySize         Key size in bytes.
> -
> -  @retval TRUE   Key is set successfully.
> -  @retval FALSE  Key is set unsuccessfully.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5SetKey (
> -  OUT  VOID         *HmacMd5Context,
> -  IN   CONST UINT8  *Key,
> -  IN   UINTN        KeySize
> -  );
> -
> -/**
> -  Makes a copy of an existing HMAC-MD5 context.
> -
> -  If HmacMd5Context is NULL, then return FALSE.
> -  If NewHmacMd5Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]  HmacMd5Context     Pointer to HMAC-MD5 context being copied.
> -  @param[out] NewHmacMd5Context  Pointer to new HMAC-MD5 context.
> -
> -  @retval TRUE   HMAC-MD5 context copy succeeded.
> -  @retval FALSE  HMAC-MD5 context copy failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5Duplicate (
> -  IN   CONST VOID  *HmacMd5Context,
> -  OUT  VOID        *NewHmacMd5Context
> -  );
> -
> -/**
> -  Digests the input data and updates HMAC-MD5 context.
> -
> -  This function performs HMAC-MD5 digest on a data buffer of the specified size.
> -  It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> -  HMAC-MD5 context should be initialized by HmacMd5New(), and should not
> be finalized by
> -  HmacMd5Final(). Behavior with invalid context is undefined.
> -
> -  If HmacMd5Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
> -  @param[in]       Data            Pointer to the buffer containing the data to be
> digested.
> -  @param[in]       DataSize        Size of Data buffer in bytes.
> -
> -  @retval TRUE   HMAC-MD5 data digest succeeded.
> -  @retval FALSE  HMAC-MD5 data digest failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5Update (
> -  IN OUT  VOID        *HmacMd5Context,
> -  IN      CONST VOID  *Data,
> -  IN      UINTN       DataSize
> -  );
> -
> -/**
> -  Completes computation of the HMAC-MD5 digest value.
> -
> -  This function completes HMAC-MD5 hash computation and retrieves the
> digest value into
> -  the specified memory. After this function has been called, the HMAC-MD5
> context cannot
> -  be used again.
> -  HMAC-MD5 context should be initialized by HmacMd5New(), and should not
> be finalized by
> -  HmacMd5Final(). Behavior with invalid HMAC-MD5 context is undefined.
> -
> -  If HmacMd5Context is NULL, then return FALSE.
> -  If HmacValue is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
> -  @param[out]      HmacValue       Pointer to a buffer that receives the HMAC-
> MD5 digest
> -                                   value (16 bytes).
> -
> -  @retval TRUE   HMAC-MD5 digest computation succeeded.
> -  @retval FALSE  HMAC-MD5 digest computation failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5Final (
> -  IN OUT  VOID   *HmacMd5Context,
> -  OUT     UINT8  *HmacValue
> -  );
> -
>  /**
>    Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1
> use.
> 
> @@ -1323,76 +1190,6 @@ AesInit (
>    IN   UINTN        KeyLength
>    );
> 
> -/**
> -  Performs AES encryption on a data buffer of the specified size in ECB mode.
> -
> -  This function performs AES encryption on data buffer pointed by Input, of
> specified
> -  size of InputSize, in ECB mode.
> -  InputSize must be multiple of block size (16 bytes). This function does not
> perform
> -  padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> -  AesContext should be already correctly initialized by AesInit(). Behavior with
> -  invalid AES context is undefined.
> -
> -  If AesContext is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If InputSize is not multiple of block size (16 bytes), then return FALSE.
> -  If Output is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]   AesContext  Pointer to the AES context.
> -  @param[in]   Input       Pointer to the buffer containing the data to be
> encrypted.
> -  @param[in]   InputSize   Size of the Input buffer in bytes.
> -  @param[out]  Output      Pointer to a buffer that receives the AES encryption
> output.
> -
> -  @retval TRUE   AES encryption succeeded.
> -  @retval FALSE  AES encryption failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -AesEcbEncrypt (
> -  IN   VOID         *AesContext,
> -  IN   CONST UINT8  *Input,
> -  IN   UINTN        InputSize,
> -  OUT  UINT8        *Output
> -  );
> -
> -/**
> -  Performs AES decryption on a data buffer of the specified size in ECB mode.
> -
> -  This function performs AES decryption on data buffer pointed by Input, of
> specified
> -  size of InputSize, in ECB mode.
> -  InputSize must be multiple of block size (16 bytes). This function does not
> perform
> -  padding. Caller must perform padding, if necessary, to ensure valid input data
> size.
> -  AesContext should be already correctly initialized by AesInit(). Behavior with
> -  invalid AES context is undefined.
> -
> -  If AesContext is NULL, then return FALSE.
> -  If Input is NULL, then return FALSE.
> -  If InputSize is not multiple of block size (16 bytes), then return FALSE.
> -  If Output is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]   AesContext  Pointer to the AES context.
> -  @param[in]   Input       Pointer to the buffer containing the data to be
> decrypted.
> -  @param[in]   InputSize   Size of the Input buffer in bytes.
> -  @param[out]  Output      Pointer to a buffer that receives the AES decryption
> output.
> -
> -  @retval TRUE   AES decryption succeeded.
> -  @retval FALSE  AES decryption failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -AesEcbDecrypt (
> -  IN   VOID         *AesContext,
> -  IN   CONST UINT8  *Input,
> -  IN   UINTN        InputSize,
> -  OUT  UINT8        *Output
> -  );
> -
>  /**
>    Performs AES encryption on a data buffer of the specified size in CBC mode.
> 
> diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> index 2de8e9c346..33d7c13bff 100644
> --- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> @@ -34,7 +34,6 @@
>    Hash/CryptSha256.c
>    Hash/CryptSha512.c
>    Hash/CryptSm3.c
> -  Hmac/CryptHmacMd5.c
>    Hmac/CryptHmacSha1.c
>    Hmac/CryptHmacSha256.c
>    Kdf/CryptHkdf.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c
> b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c
> deleted file mode 100644
> index da46ce09f4..0000000000
> --- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c
> +++ /dev/null
> @@ -1,216 +0,0 @@
> -/** @file
> -  HMAC-MD5 Wrapper Implementation over OpenSSL.
> -
> -Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -#include <openssl/hmac.h>
> -
> -/**
> -  Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5
> use.
> -
> -  @return  Pointer to the HMAC_CTX context that has been initialized.
> -           If the allocations fails, HmacMd5New() returns NULL.
> -
> -**/
> -VOID *
> -EFIAPI
> -HmacMd5New (
> -  VOID
> -  )
> -{
> -  //
> -  // Allocates & Initializes HMAC_CTX Context by OpenSSL HMAC_CTX_new()
> -  //
> -  return (VOID *) HMAC_CTX_new ();
> -}
> -
> -/**
> -  Release the specified HMAC_CTX context.
> -
> -  @param[in]  HmacMd5Ctx  Pointer to the HMAC_CTX context to be released.
> -
> -**/
> -VOID
> -EFIAPI
> -HmacMd5Free (
> -  IN  VOID  *HmacMd5Ctx
> -  )
> -{
> -  //
> -  // Free OpenSSL HMAC_CTX Context
> -  //
> -  HMAC_CTX_free ((HMAC_CTX *)HmacMd5Ctx);
> -}
> -
> -/**
> -  Set user-supplied key for subsequent use. It must be done before any
> -  calling to HmacMd5Update().
> -
> -  If HmacMd5Context is NULL, then return FALSE.
> -
> -  @param[out]  HmacMd5Context  Pointer to HMAC-MD5 context.
> -  @param[in]   Key             Pointer to the user-supplied key.
> -  @param[in]   KeySize         Key size in bytes.
> -
> -  @retval TRUE   Key is set successfully.
> -  @retval FALSE  Key is set unsuccessfully.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5SetKey (
> -  OUT  VOID         *HmacMd5Context,
> -  IN   CONST UINT8  *Key,
> -  IN   UINTN        KeySize
> -  )
> -{
> -  //
> -  // Check input parameters.
> -  //
> -  if (HmacMd5Context == NULL || KeySize > INT_MAX) {
> -    return FALSE;
> -  }
> -
> -  if (HMAC_Init_ex ((HMAC_CTX *)HmacMd5Context, Key, (UINT32) KeySize,
> EVP_md5(), NULL) != 1) {
> -    return FALSE;
> -  }
> -
> -  return TRUE;
> -}
> -
> -/**
> -  Makes a copy of an existing HMAC-MD5 context.
> -
> -  If HmacMd5Context is NULL, then return FALSE.
> -  If NewHmacMd5Context is NULL, then return FALSE.
> -
> -  @param[in]  HmacMd5Context     Pointer to HMAC-MD5 context being copied.
> -  @param[out] NewHmacMd5Context  Pointer to new HMAC-MD5 context.
> -
> -  @retval TRUE   HMAC-MD5 context copy succeeded.
> -  @retval FALSE  HMAC-MD5 context copy failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5Duplicate (
> -  IN   CONST VOID  *HmacMd5Context,
> -  OUT  VOID        *NewHmacMd5Context
> -  )
> -{
> -  //
> -  // Check input parameters.
> -  //
> -  if (HmacMd5Context == NULL || NewHmacMd5Context == NULL) {
> -    return FALSE;
> -  }
> -
> -  if (HMAC_CTX_copy ((HMAC_CTX *)NewHmacMd5Context, (HMAC_CTX
> *)HmacMd5Context) != 1) {
> -    return FALSE;
> -  }
> -
> -  return TRUE;
> -}
> -
> -/**
> -  Digests the input data and updates HMAC-MD5 context.
> -
> -  This function performs HMAC-MD5 digest on a data buffer of the specified size.
> -  It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> -  HMAC-MD5 context should be initialized by HmacMd5New(), and should not
> be finalized by
> -  HmacMd5Final(). Behavior with invalid context is undefined.
> -
> -  If HmacMd5Context is NULL, then return FALSE.
> -
> -  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
> -  @param[in]       Data            Pointer to the buffer containing the data to be
> digested.
> -  @param[in]       DataSize        Size of Data buffer in bytes.
> -
> -  @retval TRUE   HMAC-MD5 data digest succeeded.
> -  @retval FALSE  HMAC-MD5 data digest failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5Update (
> -  IN OUT  VOID        *HmacMd5Context,
> -  IN      CONST VOID  *Data,
> -  IN      UINTN       DataSize
> -  )
> -{
> -  //
> -  // Check input parameters.
> -  //
> -  if (HmacMd5Context == NULL) {
> -    return FALSE;
> -  }
> -
> -  //
> -  // Check invalid parameters, in case that only DataLength was checked in
> OpenSSL
> -  //
> -  if (Data == NULL && DataSize != 0) {
> -    return FALSE;
> -  }
> -
> -  //
> -  // OpenSSL HMAC-MD5 digest update
> -  //
> -  if (HMAC_Update ((HMAC_CTX *)HmacMd5Context, Data, DataSize) != 1) {
> -    return FALSE;
> -  }
> -
> -  return TRUE;
> -}
> -
> -/**
> -  Completes computation of the HMAC-MD5 digest value.
> -
> -  This function completes HMAC-MD5 digest computation and retrieves the
> digest value into
> -  the specified memory. After this function has been called, the HMAC-MD5
> context cannot
> -  be used again.
> -  HMAC-MD5 context should be initialized by HmacMd5New(), and should not
> be finalized by
> -  HmacMd5Final(). Behavior with invalid HMAC-MD5 context is undefined.
> -
> -  If HmacMd5Context is NULL, then return FALSE.
> -  If HmacValue is NULL, then return FALSE.
> -
> -  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
> -  @param[out]      HmacValue       Pointer to a buffer that receives the HMAC-
> MD5 digest
> -                                   value (16 bytes).
> -
> -  @retval TRUE   HMAC-MD5 digest computation succeeded.
> -  @retval FALSE  HMAC-MD5 digest computation failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5Final (
> -  IN OUT  VOID   *HmacMd5Context,
> -  OUT     UINT8  *HmacValue
> -  )
> -{
> -  UINT32  Length;
> -
> -  //
> -  // Check input parameters.
> -  //
> -  if (HmacMd5Context == NULL || HmacValue == NULL) {
> -    return FALSE;
> -  }
> -
> -  //
> -  // OpenSSL HMAC-MD5 digest finalization
> -  //
> -  if (HMAC_Final ((HMAC_CTX *)HmacMd5Context, HmacValue, &Length) != 1) {
> -    return FALSE;
> -  }
> -  if (HMAC_CTX_reset ((HMAC_CTX *)HmacMd5Context) != 1) {
> -    return FALSE;
> -  }
> -
> -  return TRUE;
> -}
> diff --git a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c
> b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c
> deleted file mode 100644
> index 5de55bf0d5..0000000000
> --- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c
> +++ /dev/null
> @@ -1,139 +0,0 @@
> -/** @file
> -  HMAC-MD5 Wrapper Implementation which does not provide real capabilities.
> -
> -Copyright (c) 2012 - 2020, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -
> -/**
> -  Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5
> use.
> -
> -  Return NULL to indicate this interface is not supported.
> -
> -  @retval NULL  This interface is not supported.
> -
> -**/
> -VOID *
> -EFIAPI
> -HmacMd5New (
> -  VOID
> -  )
> -{
> -  ASSERT (FALSE);
> -  return NULL;
> -}
> -
> -/**
> -  Release the specified HMAC_CTX context.
> -
> -  This function will do nothing.
> -
> -  @param[in]  HmacMd5Ctx  Pointer to the HMAC_CTX context to be released.
> -
> -**/
> -VOID
> -EFIAPI
> -HmacMd5Free (
> -  IN  VOID  *HmacMd5Ctx
> -  )
> -{
> -  ASSERT (FALSE);
> -  return;
> -}
> -
> -/**
> -  Set user-supplied key for subsequent use. It must be done before any
> -  calling to HmacMd5Update().
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[out]  HmacMd5Context  Pointer to HMAC-MD5 context.
> -  @param[in]   Key             Pointer to the user-supplied key.
> -  @param[in]   KeySize         Key size in bytes.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5SetKey (
> -  OUT  VOID         *HmacMd5Context,
> -  IN   CONST UINT8  *Key,
> -  IN   UINTN        KeySize
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Makes a copy of an existing HMAC-MD5 context.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in]  HmacMd5Context     Pointer to HMAC-MD5 context being copied.
> -  @param[out] NewHmacMd5Context  Pointer to new HMAC-MD5 context.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5Duplicate (
> -  IN   CONST VOID  *HmacMd5Context,
> -  OUT  VOID        *NewHmacMd5Context
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Digests the input data and updates HMAC-MD5 context.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
> -  @param[in]       Data            Pointer to the buffer containing the data to be
> digested.
> -  @param[in]       DataSize        Size of Data buffer in bytes.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5Update (
> -  IN OUT  VOID        *HmacMd5Context,
> -  IN      CONST VOID  *Data,
> -  IN      UINTN       DataSize
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Completes computation of the HMAC-MD5 digest value.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
> -  @param[out]      HmacValue       Pointer to a buffer that receives the HMAC-
> MD5 digest
> -                                   value (16 bytes).
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5Final (
> -  IN OUT  VOID   *HmacMd5Context,
> -  OUT     UINT8  *HmacValue
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> index f631f8d879..2a630ef290 100644
> --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> @@ -7,7 +7,7 @@
>  #  buffer overflow or integer overflow.
>  #
>  #  Note:
> -#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES functions, RSA
> external
> +#  HMAC-SHA1/SHA256 functions, AES functions, RSA external
>  #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509
>  #  certificate handler functions, authenticode signature verification functions,
>  #  PEM handler functions, and pseudorandom number generator functions are
> not
> @@ -40,7 +40,6 @@
>    Hash/CryptSha256.c
>    Hash/CryptSm3.c
>    Hash/CryptSha512.c
> -  Hmac/CryptHmacMd5Null.c
>    Hmac/CryptHmacSha1Null.c
>    Hmac/CryptHmacSha256Null.c
>    Kdf/CryptHkdfNull.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> index c906935d3d..95c71a8ae2 100644
> --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> @@ -6,7 +6,7 @@
>  // This external input must be validated carefully to avoid security issues such as
>  // buffer overflow or integer overflow.
>  //
> -// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES
> +// Note: HMAC-SHA1 functions, AES
>  // functions, RSA external functions, PKCS#7 SignedData sign functions,
>  // Diffie-Hellman functions, X.509 certificate handler functions, authenticode
>  // signature verification functions, PEM handler functions, and pseudorandom
> number
> @@ -21,5 +21,5 @@
> 
>  #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic
> Library Instance for PEIM"
> 
> -#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7
> SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler
> functions, authenticode signature verification functions, PEM handler functions,
> and pseudorandom number generator functions are not supported in this
> instance."
> +#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions,
> AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-
> Hellman functions, X.509 certificate handler functions, authenticode signature
> verification functions, PEM handler functions, and pseudorandom number
> generator functions are not supported in this instance."
> 
> diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> index 672e19299c..1642521087 100644
> --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> @@ -7,7 +7,7 @@
>  #  buffer overflow or integer overflow.
>  #
>  #  Note: SHA-384 Digest functions, SHA-512 Digest functions,
> -#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES functions, RSA
> external
> +#  HMAC-SHA1/SHA256 functions, AES functions, RSA external
>  #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
>  #  authenticode signature verification functions are not supported in this
> instance.
>  #
> @@ -40,7 +40,6 @@
>    Hash/CryptSha256.c
>    Hash/CryptSm3.c
>    Hash/CryptSha512Null.c
> -  Hmac/CryptHmacMd5Null.c
>    Hmac/CryptHmacSha1Null.c
>    Hmac/CryptHmacSha256Null.c
>    Kdf/CryptHkdfNull.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> index 0a3bb1c04f..f7e1acb3a7 100644
> --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> @@ -6,7 +6,7 @@
>  // This external input must be validated carefully to avoid security issues such as
>  // buffer overflow or integer overflow.
>  //
> -// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES
> +// Note: HMAC-SHA1 functions, AES
>  // functions, RSA external functions, PKCS#7 SignedData sign functions,
>  // Diffie-Hellman functions, and authenticode signature verification functions
> are
>  // not supported in this instance.
> @@ -20,5 +20,5 @@
> 
>  #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic
> Library Instance for DXE_RUNTIME_DRIVER"
> 
> -#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7
> SignedData sign functions, Diffie-Hellman functions, and authenticode signature
> verification functions are not supported in this instance."
> +#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions,
> AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-
> Hellman functions, and authenticode signature verification functions are not
> supported in this instance."
> 
> diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> index cc3556ae3f..ec9c8e7c05 100644
> --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> @@ -7,7 +7,7 @@
>  #  buffer overflow or integer overflow.
>  #
>  #  Note: SHA-384 Digest functions, SHA-512 Digest functions,
> -#  HMAC-MD5 functions, HMAC-SHA1 functions, RSA external
> +#  HMAC-SHA1 functions, RSA external
>  #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
>  #  authenticode signature verification functions are not supported in this
> instance.
>  #
> @@ -39,7 +39,6 @@
>    Hash/CryptSha256.c
>    Hash/CryptSm3.c
>    Hash/CryptSha512Null.c
> -  Hmac/CryptHmacMd5Null.c
>    Hmac/CryptHmacSha1Null.c
>    Hmac/CryptHmacSha256.c
>    Kdf/CryptHkdfNull.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> index 2e362c635f..8eb3acac93 100644
> --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> @@ -6,7 +6,7 @@
>  // This external input must be validated carefully to avoid security issues such as
>  // buffer overflow or integer overflow.
>  //
> -// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES
> +// Note: HMAC-SHA1 functions, AES
>  // functions, RSA external functions, PKCS#7 SignedData sign functions,
>  // Diffie-Hellman functions, and authenticode signature verification functions
> are
>  // not supported in this instance.
> @@ -20,5 +20,5 @@
> 
>  #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic
> Library Instance for SMM driver"
> 
> -#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions,
> HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7
> SignedData sign functions, Diffie-Hellman functions, and authenticode signature
> verification functions are not supported in this instance."
> +#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions,
> AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-
> Hellman functions, and authenticode signature verification functions are not
> supported in this instance."
> 
> diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> index 04b552f8b7..558ccfc002 100644
> --- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> +++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> @@ -34,7 +34,6 @@
>    Hash/CryptSha256Null.c
>    Hash/CryptSha512Null.c
>    Hash/CryptSm3Null.c
> -  Hmac/CryptHmacMd5Null.c
>    Hmac/CryptHmacSha1Null.c
>    Hmac/CryptHmacSha256Null.c
>    Kdf/CryptHkdfNull.c
> diff --git a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c
> b/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c
> deleted file mode 100644
> index 5de55bf0d5..0000000000
> --- a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c
> +++ /dev/null
> @@ -1,139 +0,0 @@
> -/** @file
> -  HMAC-MD5 Wrapper Implementation which does not provide real capabilities.
> -
> -Copyright (c) 2012 - 2020, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -
> -/**
> -  Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5
> use.
> -
> -  Return NULL to indicate this interface is not supported.
> -
> -  @retval NULL  This interface is not supported.
> -
> -**/
> -VOID *
> -EFIAPI
> -HmacMd5New (
> -  VOID
> -  )
> -{
> -  ASSERT (FALSE);
> -  return NULL;
> -}
> -
> -/**
> -  Release the specified HMAC_CTX context.
> -
> -  This function will do nothing.
> -
> -  @param[in]  HmacMd5Ctx  Pointer to the HMAC_CTX context to be released.
> -
> -**/
> -VOID
> -EFIAPI
> -HmacMd5Free (
> -  IN  VOID  *HmacMd5Ctx
> -  )
> -{
> -  ASSERT (FALSE);
> -  return;
> -}
> -
> -/**
> -  Set user-supplied key for subsequent use. It must be done before any
> -  calling to HmacMd5Update().
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[out]  HmacMd5Context  Pointer to HMAC-MD5 context.
> -  @param[in]   Key             Pointer to the user-supplied key.
> -  @param[in]   KeySize         Key size in bytes.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5SetKey (
> -  OUT  VOID         *HmacMd5Context,
> -  IN   CONST UINT8  *Key,
> -  IN   UINTN        KeySize
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Makes a copy of an existing HMAC-MD5 context.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in]  HmacMd5Context     Pointer to HMAC-MD5 context being copied.
> -  @param[out] NewHmacMd5Context  Pointer to new HMAC-MD5 context.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5Duplicate (
> -  IN   CONST VOID  *HmacMd5Context,
> -  OUT  VOID        *NewHmacMd5Context
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Digests the input data and updates HMAC-MD5 context.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
> -  @param[in]       Data            Pointer to the buffer containing the data to be
> digested.
> -  @param[in]       DataSize        Size of Data buffer in bytes.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5Update (
> -  IN OUT  VOID        *HmacMd5Context,
> -  IN      CONST VOID  *Data,
> -  IN      UINTN       DataSize
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Completes computation of the HMAC-MD5 digest value.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
> -  @param[out]      HmacValue       Pointer to a buffer that receives the HMAC-
> MD5 digest
> -                                   value (16 bytes).
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5Final (
> -  IN OUT  VOID   *HmacMd5Context,
> -  OUT     UINT8  *HmacValue
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> index c937f8540d..dfe7fb7e91 100644
> --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> @@ -1015,157 +1015,6 @@ Sm3HashAll (
>  //    MAC (Message Authentication Code) Primitive
> 
> //===============================================================
> ======================
> 
> -/**
> -  Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5
> use.
> -
> -  If this interface is not supported, then return NULL.
> -
> -  @return  Pointer to the HMAC_CTX context that has been initialized.
> -           If the allocations fails, HmacMd5New() returns NULL.
> -  @retval  NULL  This interface is not supported.
> -
> -**/
> -VOID *
> -EFIAPI
> -HmacMd5New (
> -  VOID
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (HmacMd5New, (), NULL);
> -}
> -
> -/**
> -  Release the specified HMAC_CTX context.
> -
> -  If this interface is not supported, then do nothing.
> -
> -  @param[in]  HmacMd5Ctx  Pointer to the HMAC_CTX context to be released.
> -
> -**/
> -VOID
> -EFIAPI
> -HmacMd5Free (
> -  IN  VOID  *HmacMd5Ctx
> -  )
> -{
> -  CALL_VOID_CRYPTO_SERVICE (HmacMd5Free, (HmacMd5Ctx));
> -}
> -
> -/**
> -  Set user-supplied key for subsequent use. It must be done before any
> -  calling to HmacMd5Update().
> -
> -  If HmacMd5Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[out]  HmacMd5Context  Pointer to HMAC-MD5 context.
> -  @param[in]   Key             Pointer to the user-supplied key.
> -  @param[in]   KeySize         Key size in bytes.
> -
> -  @retval TRUE   Key is set successfully.
> -  @retval FALSE  Key is set unsuccessfully.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5SetKey (
> -  OUT  VOID         *HmacMd5Context,
> -  IN   CONST UINT8  *Key,
> -  IN   UINTN        KeySize
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (HmacMd5SetKey, (HmacMd5Context, Key, KeySize),
> FALSE);
> -}
> -
> -/**
> -  Makes a copy of an existing HMAC-MD5 context.
> -
> -  If HmacMd5Context is NULL, then return FALSE.
> -  If NewHmacMd5Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]  HmacMd5Context     Pointer to HMAC-MD5 context being copied.
> -  @param[out] NewHmacMd5Context  Pointer to new HMAC-MD5 context.
> -
> -  @retval TRUE   HMAC-MD5 context copy succeeded.
> -  @retval FALSE  HMAC-MD5 context copy failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5Duplicate (
> -  IN   CONST VOID  *HmacMd5Context,
> -  OUT  VOID        *NewHmacMd5Context
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (HmacMd5Duplicate, (HmacMd5Context,
> NewHmacMd5Context), FALSE);
> -}
> -
> -/**
> -  Digests the input data and updates HMAC-MD5 context.
> -
> -  This function performs HMAC-MD5 digest on a data buffer of the specified size.
> -  It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> -  HMAC-MD5 context should be initialized by HmacMd5New(), and should not
> be finalized by
> -  HmacMd5Final(). Behavior with invalid context is undefined.
> -
> -  If HmacMd5Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
> -  @param[in]       Data            Pointer to the buffer containing the data to be
> digested.
> -  @param[in]       DataSize        Size of Data buffer in bytes.
> -
> -  @retval TRUE   HMAC-MD5 data digest succeeded.
> -  @retval FALSE  HMAC-MD5 data digest failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5Update (
> -  IN OUT  VOID        *HmacMd5Context,
> -  IN      CONST VOID  *Data,
> -  IN      UINTN       DataSize
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (HmacMd5Update, (HmacMd5Context, Data,
> DataSize), FALSE);
> -}
> -
> -/**
> -  Completes computation of the HMAC-MD5 digest value.
> -
> -  This function completes HMAC-MD5 hash computation and retrieves the
> digest value into
> -  the specified memory. After this function has been called, the HMAC-MD5
> context cannot
> -  be used again.
> -  HMAC-MD5 context should be initialized by HmacMd5New(), and should not
> be finalized by
> -  HmacMd5Final(). Behavior with invalid HMAC-MD5 context is undefined.
> -
> -  If HmacMd5Context is NULL, then return FALSE.
> -  If HmacValue is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
> -  @param[out]      HmacValue       Pointer to a buffer that receives the HMAC-
> MD5 digest
> -                                   value (16 bytes).
> -
> -  @retval TRUE   HMAC-MD5 digest computation succeeded.
> -  @retval FALSE  HMAC-MD5 digest computation failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacMd5Final (
> -  IN OUT  VOID   *HmacMd5Context,
> -  OUT     UINT8  *HmacValue
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (HmacMd5Final, (HmacMd5Context, HmacValue),
> FALSE);
> -}
> -
>  /**
>    Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1
> use.
> 
> diff --git a/CryptoPkg/Private/Protocol/Crypto.h
> b/CryptoPkg/Private/Protocol/Crypto.h
> index e76ff623a5..bd4cd7f383 100644
> --- a/CryptoPkg/Private/Protocol/Crypto.h
> +++ b/CryptoPkg/Private/Protocol/Crypto.h
> @@ -43,135 +43,48 @@ UINTN
>  //    MAC (Message Authentication Code) Primitive
> 
> //===============================================================
> ======================
>  /**
> -  Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5
> use.
> -
> -  If this interface is not supported, then return NULL.
> -
> -  @return  Pointer to the HMAC_CTX context that has been initialized.
> -           If the allocations fails, HmacMd5New() returns NULL.
> -  @retval  NULL  This interface is not supported.
> +  HMAC MD5 is deprecated and unsupported any longer.
> +  Keep the function field for binary compability.
> 
>  **/
>  typedef
>  VOID*
> -(EFIAPI *EDKII_CRYPTO_HMAC_MD5_NEW) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_NEW) (
>    VOID
>    );
> 
> -/**
> -  Release the specified HMAC_CTX context.
> -
> -  If this interface is not supported, then do nothing.
> -
> -  @param[in]  HmacMd5Ctx  Pointer to the HMAC_CTX context to be released.
> -
> -**/
>  typedef
>  VOID
> -(EFIAPI *EDKII_CRYPTO_HMAC_MD5_FREE) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_FREE) (
>    IN  VOID  *HmacMd5Ctx
>    );
> 
> -/**
> -  Set user-supplied key for subsequent use. It must be done before any
> -  calling to HmacMd5Update().
> -
> -  If HmacMd5Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[out]  HmacMd5Context  Pointer to HMAC-MD5 context.
> -  @param[in]   Key             Pointer to the user-supplied key.
> -  @param[in]   KeySize         Key size in bytes.
> -
> -  @retval TRUE   HMAC-MD5 context initialization succeeded.
> -  @retval FALSE  HMAC-MD5 context initialization failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  typedef
>  BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_HMAC_MD5_SET_KEY) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_SET_KEY) (
>    OUT  VOID         *HmacMd5Context,
>    IN   CONST UINT8  *Key,
>    IN   UINTN        KeySize
>    );
> 
> -/**
> -  Makes a copy of an existing HMAC-MD5 context.
> -
> -  If HmacMd5Context is NULL, then return FALSE.
> -  If NewHmacMd5Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]  HmacMd5Context     Pointer to HMAC-MD5 context being copied.
> -  @param[out] NewHmacMd5Context  Pointer to new HMAC-MD5 context.
> -
> -  @retval TRUE   HMAC-MD5 context copy succeeded.
> -  @retval FALSE  HMAC-MD5 context copy failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  typedef
>  BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_HMAC_MD5_DUPLICATE) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_DUPLICATE) (
>    IN   CONST VOID  *HmacMd5Context,
>    OUT  VOID        *NewHmacMd5Context
>    );
> 
> -/**
> -  Digests the input data and updates HMAC-MD5 context.
> -
> -  This function performs HMAC-MD5 digest on a data buffer of the specified size.
> -  It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> -  HMAC-MD5 context should be initialized by HmacMd5New(), and should not
> be finalized by
> -  HmacMd5Final(). Behavior with invalid context is undefined.
> -
> -  If HmacMd5Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
> -  @param[in]       Data            Pointer to the buffer containing the data to be
> digested.
> -  @param[in]       DataSize        Size of Data buffer in bytes.
> -
> -  @retval TRUE   HMAC-MD5 data digest succeeded.
> -  @retval FALSE  HMAC-MD5 data digest failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  typedef
>  BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_HMAC_MD5_UPDATE) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_UPDATE) (
>    IN OUT  VOID        *HmacMd5Context,
>    IN      CONST VOID  *Data,
>    IN      UINTN       DataSize
>    );
> 
> -
> -/**
> -  Completes computation of the HMAC-MD5 digest value.
> -
> -  This function completes HMAC-MD5 hash computation and retrieves the
> digest value into
> -  the specified memory. After this function has been called, the HMAC-MD5
> context cannot
> -  be used again.
> -  HMAC-MD5 context should be initialized by HmacMd5New(), and should not
> be finalized by
> -  HmacMd5Final(). Behavior with invalid HMAC-MD5 context is undefined.
> -
> -  If HmacMd5Context is NULL, then return FALSE.
> -  If HmacValue is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
> -  @param[out]      HmacValue       Pointer to a buffer that receives the HMAC-
> MD5 digest
> -                                   value (16 bytes).
> -
> -  @retval TRUE   HMAC-MD5 digest computation succeeded.
> -  @retval FALSE  HMAC-MD5 digest computation failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  typedef
>  BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_HMAC_MD5_FINAL) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_FINAL) (
>    IN OUT  VOID   *HmacMd5Context,
>    OUT     UINT8  *HmacValue
>    );
> @@ -3618,13 +3531,13 @@ EFI_STATUS
>  struct _EDKII_CRYPTO_PROTOCOL {
>    /// Version
>    EDKII_CRYPTO_GET_VERSION                        GetVersion;
> -  /// HMAC MD5
> -  EDKII_CRYPTO_HMAC_MD5_NEW                       HmacMd5New;
> -  EDKII_CRYPTO_HMAC_MD5_FREE                      HmacMd5Free;
> -  EDKII_CRYPTO_HMAC_MD5_SET_KEY                   HmacMd5SetKey;
> -  EDKII_CRYPTO_HMAC_MD5_DUPLICATE                 HmacMd5Duplicate;
> -  EDKII_CRYPTO_HMAC_MD5_UPDATE                    HmacMd5Update;
> -  EDKII_CRYPTO_HMAC_MD5_FINAL                     HmacMd5Final;
> +  /// HMAC MD5 - deprecated and unsupported
> +  DEPRECATED_EDKII_CRYPTO_HMAC_MD5_NEW
> DeprecatedHmacMd5New;
> +  DEPRECATED_EDKII_CRYPTO_HMAC_MD5_FREE
> DeprecatedHmacMd5Free;
> +  DEPRECATED_EDKII_CRYPTO_HMAC_MD5_SET_KEY
> DeprecatedHmacMd5SetKey;
> +  DEPRECATED_EDKII_CRYPTO_HMAC_MD5_DUPLICATE
> DeprecatedHmacMd5Duplicate;
> +  DEPRECATED_EDKII_CRYPTO_HMAC_MD5_UPDATE
> DeprecatedHmacMd5Update;
> +  DEPRECATED_EDKII_CRYPTO_HMAC_MD5_FINAL
> DeprecatedHmacMd5Final;
>    /// HMAC SHA1
>    EDKII_CRYPTO_HMAC_SHA1_NEW                      HmacSha1New;
>    EDKII_CRYPTO_HMAC_SHA1_FREE                     HmacSha1Free;
> --
> 2.21.0.windows.1

[PATCH V3 7/8] CryptoPkg/BaseCryptLib: Retire HMAC SHA1 algorithm

[Gao, Zhichao]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898

HMAC SHA1 is not secure any longer.
Remove the HMAC SHA1 support from edk2.
Change the HMAC SHA1 field name in EDKII_CRYPTO_PROTOCOL to indicate the
function is unsupported any long.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
 CryptoPkg/CryptoPkg.dsc                       |   3 -
 CryptoPkg/Driver/Crypto.c                     | 128 ++---------
 CryptoPkg/Include/Library/BaseCryptLib.h      | 133 -----------
 .../Library/BaseCryptLib/BaseCryptLib.inf     |   1 -
 .../Library/BaseCryptLib/Hmac/CryptHmacSha1.c | 216 ------------------
 .../BaseCryptLib/Hmac/CryptHmacSha1Null.c     | 139 -----------
 .../Library/BaseCryptLib/PeiCryptLib.inf      |   3 +-
 .../Library/BaseCryptLib/PeiCryptLib.uni      |   4 +-
 .../Library/BaseCryptLib/RuntimeCryptLib.inf  |   3 +-
 .../Library/BaseCryptLib/RuntimeCryptLib.uni  |   4 +-
 .../Library/BaseCryptLib/SmmCryptLib.inf      |   4 +-
 .../Library/BaseCryptLib/SmmCryptLib.uni      |   4 +-
 .../BaseCryptLibNull/BaseCryptLibNull.inf     |   1 -
 .../BaseCryptLibNull/Hmac/CryptHmacSha1Null.c | 139 -----------
 .../BaseCryptLibOnProtocolPpi/CryptLib.c      | 151 ------------
 CryptoPkg/Private/Protocol/Crypto.h           | 121 ++--------
 16 files changed, 45 insertions(+), 1009 deletions(-)
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c

diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
index 9ddf73f9fa..1af78468a1 100644
--- a/CryptoPkg/CryptoPkg.dsc
+++ b/CryptoPkg/CryptoPkg.dsc
@@ -137,7 +137,6 @@
   gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x06
 
 !if $(CRYPTO_SERVICES) IN "PACKAGE ALL"
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family                          | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family                        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family                               | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family                              | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
@@ -163,7 +162,6 @@
 !endif
 
 !if $(CRYPTO_SERVICES) == MIN_PEI
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family                 | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family               | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family                     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family                   | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
@@ -178,7 +176,6 @@
 !endif
 
 !if $(CRYPTO_SERVICES) == MIN_DXE_MIN_SMM
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family                          | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family                        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkcs1v2Encrypt             | TRUE
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkcs5HashPassword          | TRUE
diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index dfde1cc005..95172de981 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -1170,154 +1170,68 @@ DeprecatedCryptoServiceHmacMd5Final (
 }
 
 /**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
-
-  If this interface is not supported, then return NULL.
-
-  @return  Pointer to the HMAC_CTX context that has been initialized.
-           If the allocations fails, HmacSha1New() returns NULL.
-  @return  NULL   This interface is not supported.
+  HMAC SHA1 is deprecated and unsupported any longer.
+  Keep the function field for binary compability.
 
 **/
 VOID *
 EFIAPI
-CryptoServiceHmacSha1New (
+DeprecatedCryptoServiceHmacSha1New (
   VOID
   )
 {
-  return CALL_BASECRYPTLIB (HmacSha1.Services.New, HmacSha1New, (), NULL);
+  return BaseCryptLibServciceDeprecated ("HmacSha1New"), NULL;
 }
 
-/**
-  Release the specified HMAC_CTX context.
-
-  If this interface is not supported, then do nothing.
-
-  @param[in]  HmacSha1Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
 VOID
 EFIAPI
-CryptoServiceHmacSha1Free (
+DeprecatedCryptoServiceHmacSha1Free (
   IN  VOID  *HmacSha1Ctx
   )
 {
-  CALL_VOID_BASECRYPTLIB (HmacSha1.Services.Free, HmacSha1Free, (HmacSha1Ctx));
+  BaseCryptLibServciceDeprecated ("HmacSha1Free");
 }
 
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacSha1Update().
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  HmacSha1Context  Pointer to HMAC-SHA1 context.
-  @param[in]   Key              Pointer to the user-supplied key.
-  @param[in]   KeySize          Key size in bytes.
-
-  @retval TRUE   The Key is set successfully.
-  @retval FALSE  The Key is set unsuccessfully.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceHmacSha1SetKey (
+DeprecatedCryptoServiceHmacSha1SetKey (
   OUT  VOID         *HmacSha1Context,
   IN   CONST UINT8  *Key,
   IN   UINTN        KeySize
   )
 {
-  return CALL_BASECRYPTLIB (HmacSha1.Services.SetKey, HmacSha1SetKey, (HmacSha1Context, Key, KeySize), FALSE);
+  return BaseCryptLibServciceDeprecated ("HmacSha1SetKey"), FALSE;
 }
 
-/**
-  Makes a copy of an existing HMAC-SHA1 context.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If NewHmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]  HmacSha1Context     Pointer to HMAC-SHA1 context being copied.
-  @param[out] NewHmacSha1Context  Pointer to new HMAC-SHA1 context.
-
-  @retval TRUE   HMAC-SHA1 context copy succeeded.
-  @retval FALSE  HMAC-SHA1 context copy failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceHmacSha1Duplicate (
+DeprecatedCryptoServiceHmacSha1Duplicate (
   IN   CONST VOID  *HmacSha1Context,
   OUT  VOID        *NewHmacSha1Context
   )
 {
-  return CALL_BASECRYPTLIB (HmacSha1.Services.Duplicate, HmacSha1Duplicate, (HmacSha1Context, NewHmacSha1Context), FALSE);
+  return BaseCryptLibServciceDeprecated ("HmacSha1Duplicate"), FALSE;
 }
 
-/**
-  Digests the input data and updates HMAC-SHA1 context.
-
-  This function performs HMAC-SHA1 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized by
-  HmacSha1Final(). Behavior with invalid context is undefined.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacSha1Context Pointer to the HMAC-SHA1 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval TRUE   HMAC-SHA1 data digest succeeded.
-  @retval FALSE  HMAC-SHA1 data digest failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceHmacSha1Update (
+DeprecatedCryptoServiceHmacSha1Update (
   IN OUT  VOID        *HmacSha1Context,
   IN      CONST VOID  *Data,
   IN      UINTN       DataSize
   )
 {
-  return CALL_BASECRYPTLIB (HmacSha1.Services.Update, HmacSha1Update, (HmacSha1Context, Data, DataSize), FALSE);
+  return BaseCryptLibServciceDeprecated ("HmacSha1Update"), FALSE;
 }
 
-/**
-  Completes computation of the HMAC-SHA1 digest value.
-
-  This function completes HMAC-SHA1 hash computation and retrieves the digest value into
-  the specified memory. After this function has been called, the HMAC-SHA1 context cannot
-  be used again.
-  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized
-  by HmacSha1Final(). Behavior with invalid HMAC-SHA1 context is undefined.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If HmacValue is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacSha1Context  Pointer to the HMAC-SHA1 context.
-  @param[out]      HmacValue        Pointer to a buffer that receives the HMAC-SHA1 digest
-                                    value (20 bytes).
-
-  @retval TRUE   HMAC-SHA1 digest computation succeeded.
-  @retval FALSE  HMAC-SHA1 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceHmacSha1Final (
+DeprecatedCryptoServiceHmacSha1Final (
   IN OUT  VOID   *HmacSha1Context,
   OUT     UINT8  *HmacValue
   )
 {
-  return CALL_BASECRYPTLIB (HmacSha1.Services.Final, HmacSha1Final, (HmacSha1Context, HmacValue), FALSE);
+  return BaseCryptLibServciceDeprecated ("HmacSha1Final"), FALSE;
 }
 
 /**
@@ -3972,13 +3886,13 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
   DeprecatedCryptoServiceHmacMd5Duplicate,
   DeprecatedCryptoServiceHmacMd5Update,
   DeprecatedCryptoServiceHmacMd5Final,
-  /// HMAC SHA1
-  CryptoServiceHmacSha1New,
-  CryptoServiceHmacSha1Free,
-  CryptoServiceHmacSha1SetKey,
-  CryptoServiceHmacSha1Duplicate,
-  CryptoServiceHmacSha1Update,
-  CryptoServiceHmacSha1Final,
+  /// HMAC SHA1 - deprecated and unsupported
+  DeprecatedCryptoServiceHmacSha1New,
+  DeprecatedCryptoServiceHmacSha1Free,
+  DeprecatedCryptoServiceHmacSha1SetKey,
+  DeprecatedCryptoServiceHmacSha1Duplicate,
+  DeprecatedCryptoServiceHmacSha1Update,
+  DeprecatedCryptoServiceHmacSha1Final,
   /// HMAC SHA256
   CryptoServiceHmacSha256New,
   CryptoServiceHmacSha256Free,
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index b99401661c..1b1ffa75ef 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -880,139 +880,6 @@ Sm3HashAll (
 //    MAC (Message Authentication Code) Primitive
 //=====================================================================================
 
-/**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
-
-  If this interface is not supported, then return NULL.
-
-  @return  Pointer to the HMAC_CTX context that has been initialized.
-           If the allocations fails, HmacSha1New() returns NULL.
-  @return  NULL   This interface is not supported.
-
-**/
-VOID *
-EFIAPI
-HmacSha1New (
-  VOID
-  );
-
-/**
-  Release the specified HMAC_CTX context.
-
-  If this interface is not supported, then do nothing.
-
-  @param[in]  HmacSha1Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacSha1Free (
-  IN  VOID  *HmacSha1Ctx
-  );
-
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacSha1Update().
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  HmacSha1Context  Pointer to HMAC-SHA1 context.
-  @param[in]   Key              Pointer to the user-supplied key.
-  @param[in]   KeySize          Key size in bytes.
-
-  @retval TRUE   The Key is set successfully.
-  @retval FALSE  The Key is set unsuccessfully.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1SetKey (
-  OUT  VOID         *HmacSha1Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  );
-
-/**
-  Makes a copy of an existing HMAC-SHA1 context.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If NewHmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]  HmacSha1Context     Pointer to HMAC-SHA1 context being copied.
-  @param[out] NewHmacSha1Context  Pointer to new HMAC-SHA1 context.
-
-  @retval TRUE   HMAC-SHA1 context copy succeeded.
-  @retval FALSE  HMAC-SHA1 context copy failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Duplicate (
-  IN   CONST VOID  *HmacSha1Context,
-  OUT  VOID        *NewHmacSha1Context
-  );
-
-/**
-  Digests the input data and updates HMAC-SHA1 context.
-
-  This function performs HMAC-SHA1 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized by
-  HmacSha1Final(). Behavior with invalid context is undefined.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacSha1Context Pointer to the HMAC-SHA1 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval TRUE   HMAC-SHA1 data digest succeeded.
-  @retval FALSE  HMAC-SHA1 data digest failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Update (
-  IN OUT  VOID        *HmacSha1Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  );
-
-/**
-  Completes computation of the HMAC-SHA1 digest value.
-
-  This function completes HMAC-SHA1 hash computation and retrieves the digest value into
-  the specified memory. After this function has been called, the HMAC-SHA1 context cannot
-  be used again.
-  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized
-  by HmacSha1Final(). Behavior with invalid HMAC-SHA1 context is undefined.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If HmacValue is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacSha1Context  Pointer to the HMAC-SHA1 context.
-  @param[out]      HmacValue        Pointer to a buffer that receives the HMAC-SHA1 digest
-                                    value (20 bytes).
-
-  @retval TRUE   HMAC-SHA1 digest computation succeeded.
-  @retval FALSE  HMAC-SHA1 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Final (
-  IN OUT  VOID   *HmacSha1Context,
-  OUT     UINT8  *HmacValue
-  );
-
 /**
   Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA256 use.
 
diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
index 33d7c13bff..4aae2aba95 100644
--- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -34,7 +34,6 @@
   Hash/CryptSha256.c
   Hash/CryptSha512.c
   Hash/CryptSm3.c
-  Hmac/CryptHmacSha1.c
   Hmac/CryptHmacSha256.c
   Kdf/CryptHkdf.c
   Cipher/CryptAes.c
diff --git a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
deleted file mode 100644
index 7593ca55b1..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
+++ /dev/null
@@ -1,216 +0,0 @@
-/** @file
-  HMAC-SHA1 Wrapper Implementation over OpenSSL.
-
-Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-#include <openssl/hmac.h>
-
-/**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
-
-  @return  Pointer to the HMAC_CTX context that has been initialized.
-           If the allocations fails, HmacSha1New() returns NULL.
-
-**/
-VOID *
-EFIAPI
-HmacSha1New (
-  VOID
-  )
-{
-  //
-  // Allocates & Initializes HMAC_CTX Context by OpenSSL HMAC_CTX_new()
-  //
-  return (VOID *) HMAC_CTX_new ();
-}
-
-/**
-  Release the specified HMAC_CTX context.
-
-  @param[in]  HmacSha1Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacSha1Free (
-  IN  VOID  *HmacSha1Ctx
-  )
-{
-  //
-  // Free OpenSSL HMAC_CTX Context
-  //
-  HMAC_CTX_free ((HMAC_CTX *)HmacSha1Ctx);
-}
-
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacSha1Update().
-
-  If HmacSha1Context is NULL, then return FALSE.
-
-  @param[out]  HmacSha1Context  Pointer to HMAC-SHA1 context.
-  @param[in]   Key              Pointer to the user-supplied key.
-  @param[in]   KeySize          Key size in bytes.
-
-  @retval TRUE   The Key is set successfully.
-  @retval FALSE  The Key is set unsuccessfully.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1SetKey (
-  OUT  VOID         *HmacSha1Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  )
-{
-  //
-  // Check input parameters.
-  //
-  if (HmacSha1Context == NULL || KeySize > INT_MAX) {
-    return FALSE;
-  }
-
-  if (HMAC_Init_ex ((HMAC_CTX *)HmacSha1Context, Key, (UINT32) KeySize, EVP_sha1(), NULL) != 1) {
-    return FALSE;
-  }
-
-  return TRUE;
-}
-
-/**
-  Makes a copy of an existing HMAC-SHA1 context.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If NewHmacSha1Context is NULL, then return FALSE.
-
-  @param[in]  HmacSha1Context     Pointer to HMAC-SHA1 context being copied.
-  @param[out] NewHmacSha1Context  Pointer to new HMAC-SHA1 context.
-
-  @retval TRUE   HMAC-SHA1 context copy succeeded.
-  @retval FALSE  HMAC-SHA1 context copy failed.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Duplicate (
-  IN   CONST VOID  *HmacSha1Context,
-  OUT  VOID        *NewHmacSha1Context
-  )
-{
-  //
-  // Check input parameters.
-  //
-  if (HmacSha1Context == NULL || NewHmacSha1Context == NULL) {
-    return FALSE;
-  }
-
-  if (HMAC_CTX_copy ((HMAC_CTX *)NewHmacSha1Context, (HMAC_CTX *)HmacSha1Context) != 1) {
-    return FALSE;
-  }
-
-  return TRUE;
-}
-
-/**
-  Digests the input data and updates HMAC-SHA1 context.
-
-  This function performs HMAC-SHA1 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized by
-  HmacSha1Final(). Behavior with invalid context is undefined.
-
-  If HmacSha1Context is NULL, then return FALSE.
-
-  @param[in, out]  HmacSha1Context Pointer to the HMAC-SHA1 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval TRUE   HMAC-SHA1 data digest succeeded.
-  @retval FALSE  HMAC-SHA1 data digest failed.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Update (
-  IN OUT  VOID        *HmacSha1Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  )
-{
-  //
-  // Check input parameters.
-  //
-  if (HmacSha1Context == NULL) {
-    return FALSE;
-  }
-
-  //
-  // Check invalid parameters, in case that only DataLength was checked in OpenSSL
-  //
-  if (Data == NULL && DataSize != 0) {
-    return FALSE;
-  }
-
-  //
-  // OpenSSL HMAC-SHA1 digest update
-  //
-  if (HMAC_Update ((HMAC_CTX *)HmacSha1Context, Data, DataSize) != 1) {
-    return FALSE;
-  }
-
-  return TRUE;
-}
-
-/**
-  Completes computation of the HMAC-SHA1 digest value.
-
-  This function completes HMAC-SHA1 digest computation and retrieves the digest value into
-  the specified memory. After this function has been called, the HMAC-SHA1 context cannot
-  be used again.
-  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized by
-  HmacSha1Final(). Behavior with invalid HMAC-SHA1 context is undefined.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If HmacValue is NULL, then return FALSE.
-
-  @param[in, out]  HmacSha1Context  Pointer to the HMAC-SHA1 context.
-  @param[out]      HmacValue        Pointer to a buffer that receives the HMAC-SHA1 digest
-                                    value (20 bytes).
-
-  @retval TRUE   HMAC-SHA1 digest computation succeeded.
-  @retval FALSE  HMAC-SHA1 digest computation failed.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Final (
-  IN OUT  VOID   *HmacSha1Context,
-  OUT     UINT8  *HmacValue
-  )
-{
-  UINT32  Length;
-
-  //
-  // Check input parameters.
-  //
-  if (HmacSha1Context == NULL || HmacValue == NULL) {
-    return FALSE;
-  }
-
-  //
-  // OpenSSL HMAC-SHA1 digest finalization
-  //
-  if (HMAC_Final ((HMAC_CTX *)HmacSha1Context, HmacValue, &Length) != 1) {
-    return FALSE;
-  }
-  if (HMAC_CTX_reset ((HMAC_CTX *)HmacSha1Context) != 1) {
-    return FALSE;
-  }
-
-  return TRUE;
-}
diff --git a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
deleted file mode 100644
index e8c0f341b7..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
+++ /dev/null
@@ -1,139 +0,0 @@
-/** @file
-  HMAC-SHA1 Wrapper Implementation which does not provide real capabilities.
-
-Copyright (c) 2012 - 2020, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-
-/**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
-
-  Return NULL to indicate this interface is not supported.
-
-  @return  NULL  This interface is not supported..
-
-**/
-VOID *
-EFIAPI
-HmacSha1New (
-  VOID
-  )
-{
-  ASSERT (FALSE);
-  return NULL;
-}
-
-/**
-  Release the specified HMAC_CTX context.
-
-  This function will do nothing.
-
-  @param[in]  HmacSha1Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacSha1Free (
-  IN  VOID  *HmacSha1Ctx
-  )
-{
-  ASSERT (FALSE);
-  return;
-}
-
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacSha1Update().
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[out]  HmacSha1Context  Pointer to HMAC-SHA1 context.
-  @param[in]   Key              Pointer to the user-supplied key.
-  @param[in]   KeySize          Key size in bytes.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1SetKey (
-  OUT  VOID         *HmacSha1Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Makes a copy of an existing HMAC-SHA1 context.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]  HmacSha1Context     Pointer to HMAC-SHA1 context being copied.
-  @param[out] NewHmacSha1Context  Pointer to new HMAC-SHA1 context.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Duplicate (
-  IN   CONST VOID  *HmacSha1Context,
-  OUT  VOID        *NewHmacSha1Context
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Digests the input data and updates HMAC-SHA1 context.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  HmacSha1Context Pointer to the HMAC-SHA1 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Update (
-  IN OUT  VOID        *HmacSha1Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Completes computation of the HMAC-SHA1 digest value.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  HmacSha1Context  Pointer to the HMAC-SHA1 context.
-  @param[out]      HmacValue        Pointer to a buffer that receives the HMAC-SHA1 digest
-                                    value (20 bytes).
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Final (
-  IN OUT  VOID   *HmacSha1Context,
-  OUT     UINT8  *HmacValue
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
index 2a630ef290..dc28e3a11d 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
@@ -7,7 +7,7 @@
 #  buffer overflow or integer overflow.
 #
 #  Note:
-#  HMAC-SHA1/SHA256 functions, AES functions, RSA external
+#  HMAC-SHA256 functions, AES functions, RSA external
 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509
 #  certificate handler functions, authenticode signature verification functions,
 #  PEM handler functions, and pseudorandom number generator functions are not
@@ -40,7 +40,6 @@
   Hash/CryptSha256.c
   Hash/CryptSm3.c
   Hash/CryptSha512.c
-  Hmac/CryptHmacSha1Null.c
   Hmac/CryptHmacSha256Null.c
   Kdf/CryptHkdfNull.c
   Cipher/CryptAesNull.c
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
index 95c71a8ae2..20ae64e8bf 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
@@ -6,7 +6,7 @@
 // This external input must be validated carefully to avoid security issues such as
 // buffer overflow or integer overflow.
 //
-// Note: HMAC-SHA1 functions, AES
+// Note: AES
 // functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, X.509 certificate handler functions, authenticode
 // signature verification functions, PEM handler functions, and pseudorandom number
@@ -21,5 +21,5 @@
 
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for PEIM"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."
 
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
index 1642521087..5005beed02 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
@@ -7,7 +7,7 @@
 #  buffer overflow or integer overflow.
 #
 #  Note: SHA-384 Digest functions, SHA-512 Digest functions,
-#  HMAC-SHA1/SHA256 functions, AES functions, RSA external
+#  HMAC-SHA256 functions, AES functions, RSA external
 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
 #  authenticode signature verification functions are not supported in this instance.
 #
@@ -40,7 +40,6 @@
   Hash/CryptSha256.c
   Hash/CryptSm3.c
   Hash/CryptSha512Null.c
-  Hmac/CryptHmacSha1Null.c
   Hmac/CryptHmacSha256Null.c
   Kdf/CryptHkdfNull.c
   Cipher/CryptAesNull.c
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
index f7e1acb3a7..0cf378c5ab 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
@@ -6,7 +6,7 @@
 // This external input must be validated carefully to avoid security issues such as
 // buffer overflow or integer overflow.
 //
-// Note: HMAC-SHA1 functions, AES
+// Note: AES
 // functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, and authenticode signature verification functions are
 // not supported in this instance.
@@ -20,5 +20,5 @@
 
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for DXE_RUNTIME_DRIVER"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
 
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
index ec9c8e7c05..91ec3e03bf 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
@@ -7,8 +7,7 @@
 #  buffer overflow or integer overflow.
 #
 #  Note: SHA-384 Digest functions, SHA-512 Digest functions,
-#  HMAC-SHA1 functions, RSA external
-#  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
+#  RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
 #  authenticode signature verification functions are not supported in this instance.
 #
 #  Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
@@ -39,7 +38,6 @@
   Hash/CryptSha256.c
   Hash/CryptSm3.c
   Hash/CryptSha512Null.c
-  Hmac/CryptHmacSha1Null.c
   Hmac/CryptHmacSha256.c
   Kdf/CryptHkdfNull.c
   Cipher/CryptAes.c
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
index 8eb3acac93..f0c33abbcf 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
@@ -6,7 +6,7 @@
 // This external input must be validated carefully to avoid security issues such as
 // buffer overflow or integer overflow.
 //
-// Note: HMAC-SHA1 functions, AES
+// Note: AES
 // functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, and authenticode signature verification functions are
 // not supported in this instance.
@@ -20,5 +20,5 @@
 
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for SMM driver"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
 
diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
index 558ccfc002..689af4fedd 100644
--- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
+++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
@@ -34,7 +34,6 @@
   Hash/CryptSha256Null.c
   Hash/CryptSha512Null.c
   Hash/CryptSm3Null.c
-  Hmac/CryptHmacSha1Null.c
   Hmac/CryptHmacSha256Null.c
   Kdf/CryptHkdfNull.c
   Cipher/CryptAesNull.c
diff --git a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c b/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c
deleted file mode 100644
index e8c0f341b7..0000000000
--- a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c
+++ /dev/null
@@ -1,139 +0,0 @@
-/** @file
-  HMAC-SHA1 Wrapper Implementation which does not provide real capabilities.
-
-Copyright (c) 2012 - 2020, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-
-/**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
-
-  Return NULL to indicate this interface is not supported.
-
-  @return  NULL  This interface is not supported..
-
-**/
-VOID *
-EFIAPI
-HmacSha1New (
-  VOID
-  )
-{
-  ASSERT (FALSE);
-  return NULL;
-}
-
-/**
-  Release the specified HMAC_CTX context.
-
-  This function will do nothing.
-
-  @param[in]  HmacSha1Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacSha1Free (
-  IN  VOID  *HmacSha1Ctx
-  )
-{
-  ASSERT (FALSE);
-  return;
-}
-
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacSha1Update().
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[out]  HmacSha1Context  Pointer to HMAC-SHA1 context.
-  @param[in]   Key              Pointer to the user-supplied key.
-  @param[in]   KeySize          Key size in bytes.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1SetKey (
-  OUT  VOID         *HmacSha1Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Makes a copy of an existing HMAC-SHA1 context.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]  HmacSha1Context     Pointer to HMAC-SHA1 context being copied.
-  @param[out] NewHmacSha1Context  Pointer to new HMAC-SHA1 context.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Duplicate (
-  IN   CONST VOID  *HmacSha1Context,
-  OUT  VOID        *NewHmacSha1Context
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Digests the input data and updates HMAC-SHA1 context.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  HmacSha1Context Pointer to the HMAC-SHA1 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Update (
-  IN OUT  VOID        *HmacSha1Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Completes computation of the HMAC-SHA1 digest value.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  HmacSha1Context  Pointer to the HMAC-SHA1 context.
-  @param[out]      HmacValue        Pointer to a buffer that receives the HMAC-SHA1 digest
-                                    value (20 bytes).
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Final (
-  IN OUT  VOID   *HmacSha1Context,
-  OUT     UINT8  *HmacValue
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index dfe7fb7e91..a614b61ed4 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -1015,157 +1015,6 @@ Sm3HashAll (
 //    MAC (Message Authentication Code) Primitive
 //=====================================================================================
 
-/**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
-
-  If this interface is not supported, then return NULL.
-
-  @return  Pointer to the HMAC_CTX context that has been initialized.
-           If the allocations fails, HmacSha1New() returns NULL.
-  @return  NULL   This interface is not supported.
-
-**/
-VOID *
-EFIAPI
-HmacSha1New (
-  VOID
-  )
-{
-  CALL_CRYPTO_SERVICE (HmacSha1New, (), NULL);
-}
-
-/**
-  Release the specified HMAC_CTX context.
-
-  If this interface is not supported, then do nothing.
-
-  @param[in]  HmacSha1Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacSha1Free (
-  IN  VOID  *HmacSha1Ctx
-  )
-{
-  CALL_VOID_CRYPTO_SERVICE (HmacSha1Free, (HmacSha1Ctx));
-}
-
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacSha1Update().
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  HmacSha1Context  Pointer to HMAC-SHA1 context.
-  @param[in]   Key              Pointer to the user-supplied key.
-  @param[in]   KeySize          Key size in bytes.
-
-  @retval TRUE   The Key is set successfully.
-  @retval FALSE  The Key is set unsuccessfully.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1SetKey (
-  OUT  VOID         *HmacSha1Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  )
-{
-  CALL_CRYPTO_SERVICE (HmacSha1SetKey, (HmacSha1Context, Key, KeySize), FALSE);
-}
-
-/**
-  Makes a copy of an existing HMAC-SHA1 context.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If NewHmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]  HmacSha1Context     Pointer to HMAC-SHA1 context being copied.
-  @param[out] NewHmacSha1Context  Pointer to new HMAC-SHA1 context.
-
-  @retval TRUE   HMAC-SHA1 context copy succeeded.
-  @retval FALSE  HMAC-SHA1 context copy failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Duplicate (
-  IN   CONST VOID  *HmacSha1Context,
-  OUT  VOID        *NewHmacSha1Context
-  )
-{
-  CALL_CRYPTO_SERVICE (HmacSha1Duplicate, (HmacSha1Context, NewHmacSha1Context), FALSE);
-}
-
-/**
-  Digests the input data and updates HMAC-SHA1 context.
-
-  This function performs HMAC-SHA1 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized by
-  HmacSha1Final(). Behavior with invalid context is undefined.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacSha1Context Pointer to the HMAC-SHA1 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval TRUE   HMAC-SHA1 data digest succeeded.
-  @retval FALSE  HMAC-SHA1 data digest failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Update (
-  IN OUT  VOID        *HmacSha1Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  )
-{
-  CALL_CRYPTO_SERVICE (HmacSha1Update, (HmacSha1Context, Data, DataSize), FALSE);
-}
-
-/**
-  Completes computation of the HMAC-SHA1 digest value.
-
-  This function completes HMAC-SHA1 hash computation and retrieves the digest value into
-  the specified memory. After this function has been called, the HMAC-SHA1 context cannot
-  be used again.
-  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized
-  by HmacSha1Final(). Behavior with invalid HMAC-SHA1 context is undefined.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If HmacValue is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacSha1Context  Pointer to the HMAC-SHA1 context.
-  @param[out]      HmacValue        Pointer to a buffer that receives the HMAC-SHA1 digest
-                                    value (20 bytes).
-
-  @retval TRUE   HMAC-SHA1 digest computation succeeded.
-  @retval FALSE  HMAC-SHA1 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Final (
-  IN OUT  VOID   *HmacSha1Context,
-  OUT     UINT8  *HmacValue
-  )
-{
-  CALL_CRYPTO_SERVICE (HmacSha1Final, (HmacSha1Context, HmacValue), FALSE);
-}
-
 /**
   Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA256 use.
 
diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h
index bd4cd7f383..d167390774 100644
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@@ -89,140 +89,49 @@ BOOLEAN
   OUT     UINT8  *HmacValue
   );
 
-
 /**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
-
-  If this interface is not supported, then return NULL.
-
-  @return  Pointer to the HMAC_CTX context that has been initialized.
-           If the allocations fails, HmacSha1New() returns NULL.
-  @return  NULL   This interface is not supported.
+  HMAC SHA1 is deprecated and unsupported any longer.
+  Keep the function field for binary compability.
 
 **/
 typedef
 VOID*
-(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_NEW) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_NEW) (
   VOID
   );
 
-/**
-  Release the specified HMAC_CTX context.
-
-  If this interface is not supported, then do nothing.
-
-  @param[in]  HmacSha1Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
 typedef
 VOID
-(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_FREE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_FREE) (
   IN  VOID  *HmacSha1Ctx
   );
 
-
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacSha1Update().
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  HmacSha1Context  Pointer to HMAC-SHA1 context.
-  @param[in]   Key              Pointer to the user-supplied key.
-  @param[in]   KeySize          Key size in bytes.
-
-  @retval TRUE   The Key is set successfully.
-  @retval FALSE  The Key is set unsuccessfully.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_SET_KEY) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_SET_KEY) (
   OUT  VOID         *HmacSha1Context,
   IN   CONST UINT8  *Key,
   IN   UINTN        KeySize
   );
 
-
-/**
-  Makes a copy of an existing HMAC-SHA1 context.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If NewHmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]  HmacSha1Context     Pointer to HMAC-SHA1 context being copied.
-  @param[out] NewHmacSha1Context  Pointer to new HMAC-SHA1 context.
-
-  @retval TRUE   HMAC-SHA1 context copy succeeded.
-  @retval FALSE  HMAC-SHA1 context copy failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_DUPLICATE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_DUPLICATE) (
   IN   CONST VOID  *HmacSha1Context,
   OUT  VOID        *NewHmacSha1Context
   );
 
-
-/**
-  Digests the input data and updates HMAC-SHA1 context.
-
-  This function performs HMAC-SHA1 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized by
-  HmacSha1Final(). Behavior with invalid context is undefined.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacSha1Context Pointer to the HMAC-SHA1 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval TRUE   HMAC-SHA1 data digest succeeded.
-  @retval FALSE  HMAC-SHA1 data digest failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_UPDATE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_UPDATE) (
   IN OUT  VOID        *HmacSha1Context,
   IN      CONST VOID  *Data,
   IN      UINTN       DataSize
   );
 
-
-/**
-  Completes computation of the HMAC-SHA1 digest value.
-
-  This function completes HMAC-SHA1 hash computation and retrieves the digest value into
-  the specified memory. After this function has been called, the HMAC-SHA1 context cannot
-  be used again.
-  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized
-  by HmacSha1Final(). Behavior with invalid HMAC-SHA1 context is undefined.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If HmacValue is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacSha1Context  Pointer to the HMAC-SHA1 context.
-  @param[out]      HmacValue        Pointer to a buffer that receives the HMAC-SHA1 digest
-                                    value (20 bytes).
-
-  @retval TRUE   HMAC-SHA1 digest computation succeeded.
-  @retval FALSE  HMAC-SHA1 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_FINAL) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_FINAL) (
   IN OUT  VOID   *HmacSha1Context,
   OUT     UINT8  *HmacValue
   );
@@ -3538,13 +3447,13 @@ struct _EDKII_CRYPTO_PROTOCOL {
   DEPRECATED_EDKII_CRYPTO_HMAC_MD5_DUPLICATE      DeprecatedHmacMd5Duplicate;
   DEPRECATED_EDKII_CRYPTO_HMAC_MD5_UPDATE         DeprecatedHmacMd5Update;
   DEPRECATED_EDKII_CRYPTO_HMAC_MD5_FINAL          DeprecatedHmacMd5Final;
-  /// HMAC SHA1
-  EDKII_CRYPTO_HMAC_SHA1_NEW                      HmacSha1New;
-  EDKII_CRYPTO_HMAC_SHA1_FREE                     HmacSha1Free;
-  EDKII_CRYPTO_HMAC_SHA1_SET_KEY                  HmacSha1SetKey;
-  EDKII_CRYPTO_HMAC_SHA1_DUPLICATE                HmacSha1Duplicate;
-  EDKII_CRYPTO_HMAC_SHA1_UPDATE                   HmacSha1Update;
-  EDKII_CRYPTO_HMAC_SHA1_FINAL                    HmacSha1Final;
+  /// HMAC SHA1 - deprecated and unsupported
+  DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_NEW           DeprecatedHmacSha1New;
+  DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_FREE          DeprecatedHmacSha1Free;
+  DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_SET_KEY       DeprecatedHmacSha1SetKey;
+  DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_DUPLICATE     DeprecatedHmacSha1Duplicate;
+  DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_UPDATE        DeprecatedHmacSha1Update;
+  DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_FINAL         DeprecatedHmacSha1Final;
   /// HMAC SHA256
   EDKII_CRYPTO_HMAC_SHA256_NEW                    HmacSha256New;
   EDKII_CRYPTO_HMAC_SHA256_FREE                   HmacSha256Free;
-- 
2.21.0.windows.1

Re: [PATCH V3 7/8] CryptoPkg/BaseCryptLib: Retire HMAC SHA1 algorithm

[Wang, Jian J]

Just a typo (see below). With it addressed,

Reviewed-by: Jian J Wang <jian.j.wang@intel.com>

Regards,
Jian

> -----Original Message-----
> From: Gao, Zhichao <zhichao.gao@intel.com>
> Sent: Thursday, May 07, 2020 7:58 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>;
> Fu, Siyuan <siyuan.fu@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>
> Subject: [PATCH V3 7/8] CryptoPkg/BaseCryptLib: Retire HMAC SHA1 algorithm
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
> 
> HMAC SHA1 is not secure any longer.
> Remove the HMAC SHA1 support from edk2.
> Change the HMAC SHA1 field name in EDKII_CRYPTO_PROTOCOL to indicate the
> function is unsupported any long.

'long' --> 'longer'

> 
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Siyuan Fu <siyuan.fu@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> ---
>  CryptoPkg/CryptoPkg.dsc                       |   3 -
>  CryptoPkg/Driver/Crypto.c                     | 128 ++---------
>  CryptoPkg/Include/Library/BaseCryptLib.h      | 133 -----------
>  .../Library/BaseCryptLib/BaseCryptLib.inf     |   1 -
>  .../Library/BaseCryptLib/Hmac/CryptHmacSha1.c | 216 ------------------
>  .../BaseCryptLib/Hmac/CryptHmacSha1Null.c     | 139 -----------
>  .../Library/BaseCryptLib/PeiCryptLib.inf      |   3 +-
>  .../Library/BaseCryptLib/PeiCryptLib.uni      |   4 +-
>  .../Library/BaseCryptLib/RuntimeCryptLib.inf  |   3 +-
>  .../Library/BaseCryptLib/RuntimeCryptLib.uni  |   4 +-
>  .../Library/BaseCryptLib/SmmCryptLib.inf      |   4 +-
>  .../Library/BaseCryptLib/SmmCryptLib.uni      |   4 +-
>  .../BaseCryptLibNull/BaseCryptLibNull.inf     |   1 -
>  .../BaseCryptLibNull/Hmac/CryptHmacSha1Null.c | 139 -----------
>  .../BaseCryptLibOnProtocolPpi/CryptLib.c      | 151 ------------
>  CryptoPkg/Private/Protocol/Crypto.h           | 121 ++--------
>  16 files changed, 45 insertions(+), 1009 deletions(-)
>  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c
> 
> diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
> index 9ddf73f9fa..1af78468a1 100644
> --- a/CryptoPkg/CryptoPkg.dsc
> +++ b/CryptoPkg/CryptoPkg.dsc
> @@ -137,7 +137,6 @@
>    gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x06
> 
>  !if $(CRYPTO_SERVICES) IN "PACKAGE ALL"
> -
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> 
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Fam
> ily                        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
>    gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
>    gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> @@ -163,7 +162,6 @@
>  !endif
> 
>  !if $(CRYPTO_SERVICES) == MIN_PEI
> -
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> 
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Fam
> ily               | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
>    gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
>    gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> @@ -178,7 +176,6 @@
>  !endif
> 
>  !if $(CRYPTO_SERVICES) == MIN_DXE_MIN_SMM
> -
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> 
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Fam
> ily                        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> 
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkc
> s1v2Encrypt             | TRUE
> 
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkc
> s5HashPassword          | TRUE
> diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
> index dfde1cc005..95172de981 100644
> --- a/CryptoPkg/Driver/Crypto.c
> +++ b/CryptoPkg/Driver/Crypto.c
> @@ -1170,154 +1170,68 @@ DeprecatedCryptoServiceHmacMd5Final (
>  }
> 
>  /**
> -  Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1
> use.
> -
> -  If this interface is not supported, then return NULL.
> -
> -  @return  Pointer to the HMAC_CTX context that has been initialized.
> -           If the allocations fails, HmacSha1New() returns NULL.
> -  @return  NULL   This interface is not supported.
> +  HMAC SHA1 is deprecated and unsupported any longer.
> +  Keep the function field for binary compability.
> 
>  **/
>  VOID *
>  EFIAPI
> -CryptoServiceHmacSha1New (
> +DeprecatedCryptoServiceHmacSha1New (
>    VOID
>    )
>  {
> -  return CALL_BASECRYPTLIB (HmacSha1.Services.New, HmacSha1New, (),
> NULL);
> +  return BaseCryptLibServciceDeprecated ("HmacSha1New"), NULL;
>  }
> 
> -/**
> -  Release the specified HMAC_CTX context.
> -
> -  If this interface is not supported, then do nothing.
> -
> -  @param[in]  HmacSha1Ctx  Pointer to the HMAC_CTX context to be released.
> -
> -**/
>  VOID
>  EFIAPI
> -CryptoServiceHmacSha1Free (
> +DeprecatedCryptoServiceHmacSha1Free (
>    IN  VOID  *HmacSha1Ctx
>    )
>  {
> -  CALL_VOID_BASECRYPTLIB (HmacSha1.Services.Free, HmacSha1Free,
> (HmacSha1Ctx));
> +  BaseCryptLibServciceDeprecated ("HmacSha1Free");
>  }
> 
> -/**
> -  Set user-supplied key for subsequent use. It must be done before any
> -  calling to HmacSha1Update().
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[out]  HmacSha1Context  Pointer to HMAC-SHA1 context.
> -  @param[in]   Key              Pointer to the user-supplied key.
> -  @param[in]   KeySize          Key size in bytes.
> -
> -  @retval TRUE   The Key is set successfully.
> -  @retval FALSE  The Key is set unsuccessfully.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  BOOLEAN
>  EFIAPI
> -CryptoServiceHmacSha1SetKey (
> +DeprecatedCryptoServiceHmacSha1SetKey (
>    OUT  VOID         *HmacSha1Context,
>    IN   CONST UINT8  *Key,
>    IN   UINTN        KeySize
>    )
>  {
> -  return CALL_BASECRYPTLIB (HmacSha1.Services.SetKey, HmacSha1SetKey,
> (HmacSha1Context, Key, KeySize), FALSE);
> +  return BaseCryptLibServciceDeprecated ("HmacSha1SetKey"), FALSE;
>  }
> 
> -/**
> -  Makes a copy of an existing HMAC-SHA1 context.
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If NewHmacSha1Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]  HmacSha1Context     Pointer to HMAC-SHA1 context being
> copied.
> -  @param[out] NewHmacSha1Context  Pointer to new HMAC-SHA1 context.
> -
> -  @retval TRUE   HMAC-SHA1 context copy succeeded.
> -  @retval FALSE  HMAC-SHA1 context copy failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  BOOLEAN
>  EFIAPI
> -CryptoServiceHmacSha1Duplicate (
> +DeprecatedCryptoServiceHmacSha1Duplicate (
>    IN   CONST VOID  *HmacSha1Context,
>    OUT  VOID        *NewHmacSha1Context
>    )
>  {
> -  return CALL_BASECRYPTLIB (HmacSha1.Services.Duplicate,
> HmacSha1Duplicate, (HmacSha1Context, NewHmacSha1Context), FALSE);
> +  return BaseCryptLibServciceDeprecated ("HmacSha1Duplicate"), FALSE;
>  }
> 
> -/**
> -  Digests the input data and updates HMAC-SHA1 context.
> -
> -  This function performs HMAC-SHA1 digest on a data buffer of the specified
> size.
> -  It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> -  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not
> be finalized by
> -  HmacSha1Final(). Behavior with invalid context is undefined.
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  HmacSha1Context Pointer to the HMAC-SHA1 context.
> -  @param[in]       Data            Pointer to the buffer containing the data to be
> digested.
> -  @param[in]       DataSize        Size of Data buffer in bytes.
> -
> -  @retval TRUE   HMAC-SHA1 data digest succeeded.
> -  @retval FALSE  HMAC-SHA1 data digest failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  BOOLEAN
>  EFIAPI
> -CryptoServiceHmacSha1Update (
> +DeprecatedCryptoServiceHmacSha1Update (
>    IN OUT  VOID        *HmacSha1Context,
>    IN      CONST VOID  *Data,
>    IN      UINTN       DataSize
>    )
>  {
> -  return CALL_BASECRYPTLIB (HmacSha1.Services.Update, HmacSha1Update,
> (HmacSha1Context, Data, DataSize), FALSE);
> +  return BaseCryptLibServciceDeprecated ("HmacSha1Update"), FALSE;
>  }
> 
> -/**
> -  Completes computation of the HMAC-SHA1 digest value.
> -
> -  This function completes HMAC-SHA1 hash computation and retrieves the
> digest value into
> -  the specified memory. After this function has been called, the HMAC-SHA1
> context cannot
> -  be used again.
> -  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not
> be finalized
> -  by HmacSha1Final(). Behavior with invalid HMAC-SHA1 context is undefined.
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If HmacValue is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  HmacSha1Context  Pointer to the HMAC-SHA1 context.
> -  @param[out]      HmacValue        Pointer to a buffer that receives the HMAC-
> SHA1 digest
> -                                    value (20 bytes).
> -
> -  @retval TRUE   HMAC-SHA1 digest computation succeeded.
> -  @retval FALSE  HMAC-SHA1 digest computation failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  BOOLEAN
>  EFIAPI
> -CryptoServiceHmacSha1Final (
> +DeprecatedCryptoServiceHmacSha1Final (
>    IN OUT  VOID   *HmacSha1Context,
>    OUT     UINT8  *HmacValue
>    )
>  {
> -  return CALL_BASECRYPTLIB (HmacSha1.Services.Final, HmacSha1Final,
> (HmacSha1Context, HmacValue), FALSE);
> +  return BaseCryptLibServciceDeprecated ("HmacSha1Final"), FALSE;
>  }
> 
>  /**
> @@ -3972,13 +3886,13 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
>    DeprecatedCryptoServiceHmacMd5Duplicate,
>    DeprecatedCryptoServiceHmacMd5Update,
>    DeprecatedCryptoServiceHmacMd5Final,
> -  /// HMAC SHA1
> -  CryptoServiceHmacSha1New,
> -  CryptoServiceHmacSha1Free,
> -  CryptoServiceHmacSha1SetKey,
> -  CryptoServiceHmacSha1Duplicate,
> -  CryptoServiceHmacSha1Update,
> -  CryptoServiceHmacSha1Final,
> +  /// HMAC SHA1 - deprecated and unsupported
> +  DeprecatedCryptoServiceHmacSha1New,
> +  DeprecatedCryptoServiceHmacSha1Free,
> +  DeprecatedCryptoServiceHmacSha1SetKey,
> +  DeprecatedCryptoServiceHmacSha1Duplicate,
> +  DeprecatedCryptoServiceHmacSha1Update,
> +  DeprecatedCryptoServiceHmacSha1Final,
>    /// HMAC SHA256
>    CryptoServiceHmacSha256New,
>    CryptoServiceHmacSha256Free,
> diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h
> b/CryptoPkg/Include/Library/BaseCryptLib.h
> index b99401661c..1b1ffa75ef 100644
> --- a/CryptoPkg/Include/Library/BaseCryptLib.h
> +++ b/CryptoPkg/Include/Library/BaseCryptLib.h
> @@ -880,139 +880,6 @@ Sm3HashAll (
>  //    MAC (Message Authentication Code) Primitive
> 
> //===============================================================
> ======================
> 
> -/**
> -  Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1
> use.
> -
> -  If this interface is not supported, then return NULL.
> -
> -  @return  Pointer to the HMAC_CTX context that has been initialized.
> -           If the allocations fails, HmacSha1New() returns NULL.
> -  @return  NULL   This interface is not supported.
> -
> -**/
> -VOID *
> -EFIAPI
> -HmacSha1New (
> -  VOID
> -  );
> -
> -/**
> -  Release the specified HMAC_CTX context.
> -
> -  If this interface is not supported, then do nothing.
> -
> -  @param[in]  HmacSha1Ctx  Pointer to the HMAC_CTX context to be released.
> -
> -**/
> -VOID
> -EFIAPI
> -HmacSha1Free (
> -  IN  VOID  *HmacSha1Ctx
> -  );
> -
> -/**
> -  Set user-supplied key for subsequent use. It must be done before any
> -  calling to HmacSha1Update().
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[out]  HmacSha1Context  Pointer to HMAC-SHA1 context.
> -  @param[in]   Key              Pointer to the user-supplied key.
> -  @param[in]   KeySize          Key size in bytes.
> -
> -  @retval TRUE   The Key is set successfully.
> -  @retval FALSE  The Key is set unsuccessfully.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1SetKey (
> -  OUT  VOID         *HmacSha1Context,
> -  IN   CONST UINT8  *Key,
> -  IN   UINTN        KeySize
> -  );
> -
> -/**
> -  Makes a copy of an existing HMAC-SHA1 context.
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If NewHmacSha1Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]  HmacSha1Context     Pointer to HMAC-SHA1 context being
> copied.
> -  @param[out] NewHmacSha1Context  Pointer to new HMAC-SHA1 context.
> -
> -  @retval TRUE   HMAC-SHA1 context copy succeeded.
> -  @retval FALSE  HMAC-SHA1 context copy failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Duplicate (
> -  IN   CONST VOID  *HmacSha1Context,
> -  OUT  VOID        *NewHmacSha1Context
> -  );
> -
> -/**
> -  Digests the input data and updates HMAC-SHA1 context.
> -
> -  This function performs HMAC-SHA1 digest on a data buffer of the specified
> size.
> -  It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> -  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not
> be finalized by
> -  HmacSha1Final(). Behavior with invalid context is undefined.
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  HmacSha1Context Pointer to the HMAC-SHA1 context.
> -  @param[in]       Data            Pointer to the buffer containing the data to be
> digested.
> -  @param[in]       DataSize        Size of Data buffer in bytes.
> -
> -  @retval TRUE   HMAC-SHA1 data digest succeeded.
> -  @retval FALSE  HMAC-SHA1 data digest failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Update (
> -  IN OUT  VOID        *HmacSha1Context,
> -  IN      CONST VOID  *Data,
> -  IN      UINTN       DataSize
> -  );
> -
> -/**
> -  Completes computation of the HMAC-SHA1 digest value.
> -
> -  This function completes HMAC-SHA1 hash computation and retrieves the
> digest value into
> -  the specified memory. After this function has been called, the HMAC-SHA1
> context cannot
> -  be used again.
> -  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not
> be finalized
> -  by HmacSha1Final(). Behavior with invalid HMAC-SHA1 context is undefined.
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If HmacValue is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  HmacSha1Context  Pointer to the HMAC-SHA1 context.
> -  @param[out]      HmacValue        Pointer to a buffer that receives the HMAC-
> SHA1 digest
> -                                    value (20 bytes).
> -
> -  @retval TRUE   HMAC-SHA1 digest computation succeeded.
> -  @retval FALSE  HMAC-SHA1 digest computation failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Final (
> -  IN OUT  VOID   *HmacSha1Context,
> -  OUT     UINT8  *HmacValue
> -  );
> -
>  /**
>    Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA256
> use.
> 
> diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> index 33d7c13bff..4aae2aba95 100644
> --- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> @@ -34,7 +34,6 @@
>    Hash/CryptSha256.c
>    Hash/CryptSha512.c
>    Hash/CryptSm3.c
> -  Hmac/CryptHmacSha1.c
>    Hmac/CryptHmacSha256.c
>    Kdf/CryptHkdf.c
>    Cipher/CryptAes.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
> b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
> deleted file mode 100644
> index 7593ca55b1..0000000000
> --- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
> +++ /dev/null
> @@ -1,216 +0,0 @@
> -/** @file
> -  HMAC-SHA1 Wrapper Implementation over OpenSSL.
> -
> -Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -#include <openssl/hmac.h>
> -
> -/**
> -  Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1
> use.
> -
> -  @return  Pointer to the HMAC_CTX context that has been initialized.
> -           If the allocations fails, HmacSha1New() returns NULL.
> -
> -**/
> -VOID *
> -EFIAPI
> -HmacSha1New (
> -  VOID
> -  )
> -{
> -  //
> -  // Allocates & Initializes HMAC_CTX Context by OpenSSL HMAC_CTX_new()
> -  //
> -  return (VOID *) HMAC_CTX_new ();
> -}
> -
> -/**
> -  Release the specified HMAC_CTX context.
> -
> -  @param[in]  HmacSha1Ctx  Pointer to the HMAC_CTX context to be released.
> -
> -**/
> -VOID
> -EFIAPI
> -HmacSha1Free (
> -  IN  VOID  *HmacSha1Ctx
> -  )
> -{
> -  //
> -  // Free OpenSSL HMAC_CTX Context
> -  //
> -  HMAC_CTX_free ((HMAC_CTX *)HmacSha1Ctx);
> -}
> -
> -/**
> -  Set user-supplied key for subsequent use. It must be done before any
> -  calling to HmacSha1Update().
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -
> -  @param[out]  HmacSha1Context  Pointer to HMAC-SHA1 context.
> -  @param[in]   Key              Pointer to the user-supplied key.
> -  @param[in]   KeySize          Key size in bytes.
> -
> -  @retval TRUE   The Key is set successfully.
> -  @retval FALSE  The Key is set unsuccessfully.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1SetKey (
> -  OUT  VOID         *HmacSha1Context,
> -  IN   CONST UINT8  *Key,
> -  IN   UINTN        KeySize
> -  )
> -{
> -  //
> -  // Check input parameters.
> -  //
> -  if (HmacSha1Context == NULL || KeySize > INT_MAX) {
> -    return FALSE;
> -  }
> -
> -  if (HMAC_Init_ex ((HMAC_CTX *)HmacSha1Context, Key, (UINT32) KeySize,
> EVP_sha1(), NULL) != 1) {
> -    return FALSE;
> -  }
> -
> -  return TRUE;
> -}
> -
> -/**
> -  Makes a copy of an existing HMAC-SHA1 context.
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If NewHmacSha1Context is NULL, then return FALSE.
> -
> -  @param[in]  HmacSha1Context     Pointer to HMAC-SHA1 context being
> copied.
> -  @param[out] NewHmacSha1Context  Pointer to new HMAC-SHA1 context.
> -
> -  @retval TRUE   HMAC-SHA1 context copy succeeded.
> -  @retval FALSE  HMAC-SHA1 context copy failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Duplicate (
> -  IN   CONST VOID  *HmacSha1Context,
> -  OUT  VOID        *NewHmacSha1Context
> -  )
> -{
> -  //
> -  // Check input parameters.
> -  //
> -  if (HmacSha1Context == NULL || NewHmacSha1Context == NULL) {
> -    return FALSE;
> -  }
> -
> -  if (HMAC_CTX_copy ((HMAC_CTX *)NewHmacSha1Context, (HMAC_CTX
> *)HmacSha1Context) != 1) {
> -    return FALSE;
> -  }
> -
> -  return TRUE;
> -}
> -
> -/**
> -  Digests the input data and updates HMAC-SHA1 context.
> -
> -  This function performs HMAC-SHA1 digest on a data buffer of the specified
> size.
> -  It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> -  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not
> be finalized by
> -  HmacSha1Final(). Behavior with invalid context is undefined.
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -
> -  @param[in, out]  HmacSha1Context Pointer to the HMAC-SHA1 context.
> -  @param[in]       Data            Pointer to the buffer containing the data to be
> digested.
> -  @param[in]       DataSize        Size of Data buffer in bytes.
> -
> -  @retval TRUE   HMAC-SHA1 data digest succeeded.
> -  @retval FALSE  HMAC-SHA1 data digest failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Update (
> -  IN OUT  VOID        *HmacSha1Context,
> -  IN      CONST VOID  *Data,
> -  IN      UINTN       DataSize
> -  )
> -{
> -  //
> -  // Check input parameters.
> -  //
> -  if (HmacSha1Context == NULL) {
> -    return FALSE;
> -  }
> -
> -  //
> -  // Check invalid parameters, in case that only DataLength was checked in
> OpenSSL
> -  //
> -  if (Data == NULL && DataSize != 0) {
> -    return FALSE;
> -  }
> -
> -  //
> -  // OpenSSL HMAC-SHA1 digest update
> -  //
> -  if (HMAC_Update ((HMAC_CTX *)HmacSha1Context, Data, DataSize) != 1) {
> -    return FALSE;
> -  }
> -
> -  return TRUE;
> -}
> -
> -/**
> -  Completes computation of the HMAC-SHA1 digest value.
> -
> -  This function completes HMAC-SHA1 digest computation and retrieves the
> digest value into
> -  the specified memory. After this function has been called, the HMAC-SHA1
> context cannot
> -  be used again.
> -  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not
> be finalized by
> -  HmacSha1Final(). Behavior with invalid HMAC-SHA1 context is undefined.
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If HmacValue is NULL, then return FALSE.
> -
> -  @param[in, out]  HmacSha1Context  Pointer to the HMAC-SHA1 context.
> -  @param[out]      HmacValue        Pointer to a buffer that receives the HMAC-
> SHA1 digest
> -                                    value (20 bytes).
> -
> -  @retval TRUE   HMAC-SHA1 digest computation succeeded.
> -  @retval FALSE  HMAC-SHA1 digest computation failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Final (
> -  IN OUT  VOID   *HmacSha1Context,
> -  OUT     UINT8  *HmacValue
> -  )
> -{
> -  UINT32  Length;
> -
> -  //
> -  // Check input parameters.
> -  //
> -  if (HmacSha1Context == NULL || HmacValue == NULL) {
> -    return FALSE;
> -  }
> -
> -  //
> -  // OpenSSL HMAC-SHA1 digest finalization
> -  //
> -  if (HMAC_Final ((HMAC_CTX *)HmacSha1Context, HmacValue, &Length) != 1) {
> -    return FALSE;
> -  }
> -  if (HMAC_CTX_reset ((HMAC_CTX *)HmacSha1Context) != 1) {
> -    return FALSE;
> -  }
> -
> -  return TRUE;
> -}
> diff --git a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
> b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
> deleted file mode 100644
> index e8c0f341b7..0000000000
> --- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
> +++ /dev/null
> @@ -1,139 +0,0 @@
> -/** @file
> -  HMAC-SHA1 Wrapper Implementation which does not provide real capabilities.
> -
> -Copyright (c) 2012 - 2020, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -
> -/**
> -  Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1
> use.
> -
> -  Return NULL to indicate this interface is not supported.
> -
> -  @return  NULL  This interface is not supported..
> -
> -**/
> -VOID *
> -EFIAPI
> -HmacSha1New (
> -  VOID
> -  )
> -{
> -  ASSERT (FALSE);
> -  return NULL;
> -}
> -
> -/**
> -  Release the specified HMAC_CTX context.
> -
> -  This function will do nothing.
> -
> -  @param[in]  HmacSha1Ctx  Pointer to the HMAC_CTX context to be released.
> -
> -**/
> -VOID
> -EFIAPI
> -HmacSha1Free (
> -  IN  VOID  *HmacSha1Ctx
> -  )
> -{
> -  ASSERT (FALSE);
> -  return;
> -}
> -
> -/**
> -  Set user-supplied key for subsequent use. It must be done before any
> -  calling to HmacSha1Update().
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[out]  HmacSha1Context  Pointer to HMAC-SHA1 context.
> -  @param[in]   Key              Pointer to the user-supplied key.
> -  @param[in]   KeySize          Key size in bytes.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1SetKey (
> -  OUT  VOID         *HmacSha1Context,
> -  IN   CONST UINT8  *Key,
> -  IN   UINTN        KeySize
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Makes a copy of an existing HMAC-SHA1 context.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in]  HmacSha1Context     Pointer to HMAC-SHA1 context being
> copied.
> -  @param[out] NewHmacSha1Context  Pointer to new HMAC-SHA1 context.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Duplicate (
> -  IN   CONST VOID  *HmacSha1Context,
> -  OUT  VOID        *NewHmacSha1Context
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Digests the input data and updates HMAC-SHA1 context.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in, out]  HmacSha1Context Pointer to the HMAC-SHA1 context.
> -  @param[in]       Data            Pointer to the buffer containing the data to be
> digested.
> -  @param[in]       DataSize        Size of Data buffer in bytes.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Update (
> -  IN OUT  VOID        *HmacSha1Context,
> -  IN      CONST VOID  *Data,
> -  IN      UINTN       DataSize
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Completes computation of the HMAC-SHA1 digest value.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in, out]  HmacSha1Context  Pointer to the HMAC-SHA1 context.
> -  @param[out]      HmacValue        Pointer to a buffer that receives the HMAC-
> SHA1 digest
> -                                    value (20 bytes).
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Final (
> -  IN OUT  VOID   *HmacSha1Context,
> -  OUT     UINT8  *HmacValue
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> index 2a630ef290..dc28e3a11d 100644
> --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> @@ -7,7 +7,7 @@
>  #  buffer overflow or integer overflow.
>  #
>  #  Note:
> -#  HMAC-SHA1/SHA256 functions, AES functions, RSA external
> +#  HMAC-SHA256 functions, AES functions, RSA external
>  #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509
>  #  certificate handler functions, authenticode signature verification functions,
>  #  PEM handler functions, and pseudorandom number generator functions are
> not
> @@ -40,7 +40,6 @@
>    Hash/CryptSha256.c
>    Hash/CryptSm3.c
>    Hash/CryptSha512.c
> -  Hmac/CryptHmacSha1Null.c
>    Hmac/CryptHmacSha256Null.c
>    Kdf/CryptHkdfNull.c
>    Cipher/CryptAesNull.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> index 95c71a8ae2..20ae64e8bf 100644
> --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> @@ -6,7 +6,7 @@
>  // This external input must be validated carefully to avoid security issues such as
>  // buffer overflow or integer overflow.
>  //
> -// Note: HMAC-SHA1 functions, AES
> +// Note: AES
>  // functions, RSA external functions, PKCS#7 SignedData sign functions,
>  // Diffie-Hellman functions, X.509 certificate handler functions, authenticode
>  // signature verification functions, PEM handler functions, and pseudorandom
> number
> @@ -21,5 +21,5 @@
> 
>  #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic
> Library Instance for PEIM"
> 
> -#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions,
> AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-
> Hellman functions, X.509 certificate handler functions, authenticode signature
> verification functions, PEM handler functions, and pseudorandom number
> generator functions are not supported in this instance."
> +#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: AES functions, RSA
> external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions,
> X.509 certificate handler functions, authenticode signature verification functions,
> PEM handler functions, and pseudorandom number generator functions are not
> supported in this instance."
> 
> diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> index 1642521087..5005beed02 100644
> --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> @@ -7,7 +7,7 @@
>  #  buffer overflow or integer overflow.
>  #
>  #  Note: SHA-384 Digest functions, SHA-512 Digest functions,
> -#  HMAC-SHA1/SHA256 functions, AES functions, RSA external
> +#  HMAC-SHA256 functions, AES functions, RSA external
>  #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
>  #  authenticode signature verification functions are not supported in this
> instance.
>  #
> @@ -40,7 +40,6 @@
>    Hash/CryptSha256.c
>    Hash/CryptSm3.c
>    Hash/CryptSha512Null.c
> -  Hmac/CryptHmacSha1Null.c
>    Hmac/CryptHmacSha256Null.c
>    Kdf/CryptHkdfNull.c
>    Cipher/CryptAesNull.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> index f7e1acb3a7..0cf378c5ab 100644
> --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> @@ -6,7 +6,7 @@
>  // This external input must be validated carefully to avoid security issues such as
>  // buffer overflow or integer overflow.
>  //
> -// Note: HMAC-SHA1 functions, AES
> +// Note: AES
>  // functions, RSA external functions, PKCS#7 SignedData sign functions,
>  // Diffie-Hellman functions, and authenticode signature verification functions
> are
>  // not supported in this instance.
> @@ -20,5 +20,5 @@
> 
>  #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic
> Library Instance for DXE_RUNTIME_DRIVER"
> 
> -#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions,
> AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-
> Hellman functions, and authenticode signature verification functions are not
> supported in this instance."
> +#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: AES functions, RSA
> external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions,
> and authenticode signature verification functions are not supported in this
> instance."
> 
> diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> index ec9c8e7c05..91ec3e03bf 100644
> --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> @@ -7,8 +7,7 @@
>  #  buffer overflow or integer overflow.
>  #
>  #  Note: SHA-384 Digest functions, SHA-512 Digest functions,
> -#  HMAC-SHA1 functions, RSA external
> -#  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
> +#  RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman
> functions, and
>  #  authenticode signature verification functions are not supported in this
> instance.
>  #
>  #  Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
> @@ -39,7 +38,6 @@
>    Hash/CryptSha256.c
>    Hash/CryptSm3.c
>    Hash/CryptSha512Null.c
> -  Hmac/CryptHmacSha1Null.c
>    Hmac/CryptHmacSha256.c
>    Kdf/CryptHkdfNull.c
>    Cipher/CryptAes.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> index 8eb3acac93..f0c33abbcf 100644
> --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> @@ -6,7 +6,7 @@
>  // This external input must be validated carefully to avoid security issues such as
>  // buffer overflow or integer overflow.
>  //
> -// Note: HMAC-SHA1 functions, AES
> +// Note: AES
>  // functions, RSA external functions, PKCS#7 SignedData sign functions,
>  // Diffie-Hellman functions, and authenticode signature verification functions
> are
>  // not supported in this instance.
> @@ -20,5 +20,5 @@
> 
>  #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic
> Library Instance for SMM driver"
> 
> -#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions,
> AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-
> Hellman functions, and authenticode signature verification functions are not
> supported in this instance."
> +#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: AES functions, RSA
> external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions,
> and authenticode signature verification functions are not supported in this
> instance."
> 
> diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> index 558ccfc002..689af4fedd 100644
> --- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> +++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> @@ -34,7 +34,6 @@
>    Hash/CryptSha256Null.c
>    Hash/CryptSha512Null.c
>    Hash/CryptSm3Null.c
> -  Hmac/CryptHmacSha1Null.c
>    Hmac/CryptHmacSha256Null.c
>    Kdf/CryptHkdfNull.c
>    Cipher/CryptAesNull.c
> diff --git a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c
> b/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c
> deleted file mode 100644
> index e8c0f341b7..0000000000
> --- a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c
> +++ /dev/null
> @@ -1,139 +0,0 @@
> -/** @file
> -  HMAC-SHA1 Wrapper Implementation which does not provide real capabilities.
> -
> -Copyright (c) 2012 - 2020, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -
> -/**
> -  Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1
> use.
> -
> -  Return NULL to indicate this interface is not supported.
> -
> -  @return  NULL  This interface is not supported..
> -
> -**/
> -VOID *
> -EFIAPI
> -HmacSha1New (
> -  VOID
> -  )
> -{
> -  ASSERT (FALSE);
> -  return NULL;
> -}
> -
> -/**
> -  Release the specified HMAC_CTX context.
> -
> -  This function will do nothing.
> -
> -  @param[in]  HmacSha1Ctx  Pointer to the HMAC_CTX context to be released.
> -
> -**/
> -VOID
> -EFIAPI
> -HmacSha1Free (
> -  IN  VOID  *HmacSha1Ctx
> -  )
> -{
> -  ASSERT (FALSE);
> -  return;
> -}
> -
> -/**
> -  Set user-supplied key for subsequent use. It must be done before any
> -  calling to HmacSha1Update().
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[out]  HmacSha1Context  Pointer to HMAC-SHA1 context.
> -  @param[in]   Key              Pointer to the user-supplied key.
> -  @param[in]   KeySize          Key size in bytes.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1SetKey (
> -  OUT  VOID         *HmacSha1Context,
> -  IN   CONST UINT8  *Key,
> -  IN   UINTN        KeySize
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Makes a copy of an existing HMAC-SHA1 context.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in]  HmacSha1Context     Pointer to HMAC-SHA1 context being
> copied.
> -  @param[out] NewHmacSha1Context  Pointer to new HMAC-SHA1 context.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Duplicate (
> -  IN   CONST VOID  *HmacSha1Context,
> -  OUT  VOID        *NewHmacSha1Context
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Digests the input data and updates HMAC-SHA1 context.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in, out]  HmacSha1Context Pointer to the HMAC-SHA1 context.
> -  @param[in]       Data            Pointer to the buffer containing the data to be
> digested.
> -  @param[in]       DataSize        Size of Data buffer in bytes.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Update (
> -  IN OUT  VOID        *HmacSha1Context,
> -  IN      CONST VOID  *Data,
> -  IN      UINTN       DataSize
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Completes computation of the HMAC-SHA1 digest value.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in, out]  HmacSha1Context  Pointer to the HMAC-SHA1 context.
> -  @param[out]      HmacValue        Pointer to a buffer that receives the HMAC-
> SHA1 digest
> -                                    value (20 bytes).
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Final (
> -  IN OUT  VOID   *HmacSha1Context,
> -  OUT     UINT8  *HmacValue
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> index dfe7fb7e91..a614b61ed4 100644
> --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> @@ -1015,157 +1015,6 @@ Sm3HashAll (
>  //    MAC (Message Authentication Code) Primitive
> 
> //===============================================================
> ======================
> 
> -/**
> -  Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1
> use.
> -
> -  If this interface is not supported, then return NULL.
> -
> -  @return  Pointer to the HMAC_CTX context that has been initialized.
> -           If the allocations fails, HmacSha1New() returns NULL.
> -  @return  NULL   This interface is not supported.
> -
> -**/
> -VOID *
> -EFIAPI
> -HmacSha1New (
> -  VOID
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (HmacSha1New, (), NULL);
> -}
> -
> -/**
> -  Release the specified HMAC_CTX context.
> -
> -  If this interface is not supported, then do nothing.
> -
> -  @param[in]  HmacSha1Ctx  Pointer to the HMAC_CTX context to be released.
> -
> -**/
> -VOID
> -EFIAPI
> -HmacSha1Free (
> -  IN  VOID  *HmacSha1Ctx
> -  )
> -{
> -  CALL_VOID_CRYPTO_SERVICE (HmacSha1Free, (HmacSha1Ctx));
> -}
> -
> -/**
> -  Set user-supplied key for subsequent use. It must be done before any
> -  calling to HmacSha1Update().
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[out]  HmacSha1Context  Pointer to HMAC-SHA1 context.
> -  @param[in]   Key              Pointer to the user-supplied key.
> -  @param[in]   KeySize          Key size in bytes.
> -
> -  @retval TRUE   The Key is set successfully.
> -  @retval FALSE  The Key is set unsuccessfully.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1SetKey (
> -  OUT  VOID         *HmacSha1Context,
> -  IN   CONST UINT8  *Key,
> -  IN   UINTN        KeySize
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (HmacSha1SetKey, (HmacSha1Context, Key, KeySize),
> FALSE);
> -}
> -
> -/**
> -  Makes a copy of an existing HMAC-SHA1 context.
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If NewHmacSha1Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]  HmacSha1Context     Pointer to HMAC-SHA1 context being
> copied.
> -  @param[out] NewHmacSha1Context  Pointer to new HMAC-SHA1 context.
> -
> -  @retval TRUE   HMAC-SHA1 context copy succeeded.
> -  @retval FALSE  HMAC-SHA1 context copy failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Duplicate (
> -  IN   CONST VOID  *HmacSha1Context,
> -  OUT  VOID        *NewHmacSha1Context
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (HmacSha1Duplicate, (HmacSha1Context,
> NewHmacSha1Context), FALSE);
> -}
> -
> -/**
> -  Digests the input data and updates HMAC-SHA1 context.
> -
> -  This function performs HMAC-SHA1 digest on a data buffer of the specified
> size.
> -  It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> -  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not
> be finalized by
> -  HmacSha1Final(). Behavior with invalid context is undefined.
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  HmacSha1Context Pointer to the HMAC-SHA1 context.
> -  @param[in]       Data            Pointer to the buffer containing the data to be
> digested.
> -  @param[in]       DataSize        Size of Data buffer in bytes.
> -
> -  @retval TRUE   HMAC-SHA1 data digest succeeded.
> -  @retval FALSE  HMAC-SHA1 data digest failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Update (
> -  IN OUT  VOID        *HmacSha1Context,
> -  IN      CONST VOID  *Data,
> -  IN      UINTN       DataSize
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (HmacSha1Update, (HmacSha1Context, Data,
> DataSize), FALSE);
> -}
> -
> -/**
> -  Completes computation of the HMAC-SHA1 digest value.
> -
> -  This function completes HMAC-SHA1 hash computation and retrieves the
> digest value into
> -  the specified memory. After this function has been called, the HMAC-SHA1
> context cannot
> -  be used again.
> -  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not
> be finalized
> -  by HmacSha1Final(). Behavior with invalid HMAC-SHA1 context is undefined.
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If HmacValue is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  HmacSha1Context  Pointer to the HMAC-SHA1 context.
> -  @param[out]      HmacValue        Pointer to a buffer that receives the HMAC-
> SHA1 digest
> -                                    value (20 bytes).
> -
> -  @retval TRUE   HMAC-SHA1 digest computation succeeded.
> -  @retval FALSE  HMAC-SHA1 digest computation failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Final (
> -  IN OUT  VOID   *HmacSha1Context,
> -  OUT     UINT8  *HmacValue
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (HmacSha1Final, (HmacSha1Context, HmacValue),
> FALSE);
> -}
> -
>  /**
>    Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA256
> use.
> 
> diff --git a/CryptoPkg/Private/Protocol/Crypto.h
> b/CryptoPkg/Private/Protocol/Crypto.h
> index bd4cd7f383..d167390774 100644
> --- a/CryptoPkg/Private/Protocol/Crypto.h
> +++ b/CryptoPkg/Private/Protocol/Crypto.h
> @@ -89,140 +89,49 @@ BOOLEAN
>    OUT     UINT8  *HmacValue
>    );
> 
> -
>  /**
> -  Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1
> use.
> -
> -  If this interface is not supported, then return NULL.
> -
> -  @return  Pointer to the HMAC_CTX context that has been initialized.
> -           If the allocations fails, HmacSha1New() returns NULL.
> -  @return  NULL   This interface is not supported.
> +  HMAC SHA1 is deprecated and unsupported any longer.
> +  Keep the function field for binary compability.
> 
>  **/
>  typedef
>  VOID*
> -(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_NEW) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_NEW) (
>    VOID
>    );
> 
> -/**
> -  Release the specified HMAC_CTX context.
> -
> -  If this interface is not supported, then do nothing.
> -
> -  @param[in]  HmacSha1Ctx  Pointer to the HMAC_CTX context to be released.
> -
> -**/
>  typedef
>  VOID
> -(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_FREE) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_FREE) (
>    IN  VOID  *HmacSha1Ctx
>    );
> 
> -
> -/**
> -  Set user-supplied key for subsequent use. It must be done before any
> -  calling to HmacSha1Update().
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[out]  HmacSha1Context  Pointer to HMAC-SHA1 context.
> -  @param[in]   Key              Pointer to the user-supplied key.
> -  @param[in]   KeySize          Key size in bytes.
> -
> -  @retval TRUE   The Key is set successfully.
> -  @retval FALSE  The Key is set unsuccessfully.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  typedef
>  BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_SET_KEY) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_SET_KEY) (
>    OUT  VOID         *HmacSha1Context,
>    IN   CONST UINT8  *Key,
>    IN   UINTN        KeySize
>    );
> 
> -
> -/**
> -  Makes a copy of an existing HMAC-SHA1 context.
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If NewHmacSha1Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]  HmacSha1Context     Pointer to HMAC-SHA1 context being
> copied.
> -  @param[out] NewHmacSha1Context  Pointer to new HMAC-SHA1 context.
> -
> -  @retval TRUE   HMAC-SHA1 context copy succeeded.
> -  @retval FALSE  HMAC-SHA1 context copy failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  typedef
>  BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_DUPLICATE) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_DUPLICATE) (
>    IN   CONST VOID  *HmacSha1Context,
>    OUT  VOID        *NewHmacSha1Context
>    );
> 
> -
> -/**
> -  Digests the input data and updates HMAC-SHA1 context.
> -
> -  This function performs HMAC-SHA1 digest on a data buffer of the specified
> size.
> -  It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> -  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not
> be finalized by
> -  HmacSha1Final(). Behavior with invalid context is undefined.
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  HmacSha1Context Pointer to the HMAC-SHA1 context.
> -  @param[in]       Data            Pointer to the buffer containing the data to be
> digested.
> -  @param[in]       DataSize        Size of Data buffer in bytes.
> -
> -  @retval TRUE   HMAC-SHA1 data digest succeeded.
> -  @retval FALSE  HMAC-SHA1 data digest failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  typedef
>  BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_UPDATE) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_UPDATE) (
>    IN OUT  VOID        *HmacSha1Context,
>    IN      CONST VOID  *Data,
>    IN      UINTN       DataSize
>    );
> 
> -
> -/**
> -  Completes computation of the HMAC-SHA1 digest value.
> -
> -  This function completes HMAC-SHA1 hash computation and retrieves the
> digest value into
> -  the specified memory. After this function has been called, the HMAC-SHA1
> context cannot
> -  be used again.
> -  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not
> be finalized
> -  by HmacSha1Final(). Behavior with invalid HMAC-SHA1 context is undefined.
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If HmacValue is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  HmacSha1Context  Pointer to the HMAC-SHA1 context.
> -  @param[out]      HmacValue        Pointer to a buffer that receives the HMAC-
> SHA1 digest
> -                                    value (20 bytes).
> -
> -  @retval TRUE   HMAC-SHA1 digest computation succeeded.
> -  @retval FALSE  HMAC-SHA1 digest computation failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  typedef
>  BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_FINAL) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_FINAL) (
>    IN OUT  VOID   *HmacSha1Context,
>    OUT     UINT8  *HmacValue
>    );
> @@ -3538,13 +3447,13 @@ struct _EDKII_CRYPTO_PROTOCOL {
>    DEPRECATED_EDKII_CRYPTO_HMAC_MD5_DUPLICATE
> DeprecatedHmacMd5Duplicate;
>    DEPRECATED_EDKII_CRYPTO_HMAC_MD5_UPDATE
> DeprecatedHmacMd5Update;
>    DEPRECATED_EDKII_CRYPTO_HMAC_MD5_FINAL
> DeprecatedHmacMd5Final;
> -  /// HMAC SHA1
> -  EDKII_CRYPTO_HMAC_SHA1_NEW                      HmacSha1New;
> -  EDKII_CRYPTO_HMAC_SHA1_FREE                     HmacSha1Free;
> -  EDKII_CRYPTO_HMAC_SHA1_SET_KEY                  HmacSha1SetKey;
> -  EDKII_CRYPTO_HMAC_SHA1_DUPLICATE                HmacSha1Duplicate;
> -  EDKII_CRYPTO_HMAC_SHA1_UPDATE                   HmacSha1Update;
> -  EDKII_CRYPTO_HMAC_SHA1_FINAL                    HmacSha1Final;
> +  /// HMAC SHA1 - deprecated and unsupported
> +  DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_NEW
> DeprecatedHmacSha1New;
> +  DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_FREE
> DeprecatedHmacSha1Free;
> +  DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_SET_KEY
> DeprecatedHmacSha1SetKey;
> +  DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_DUPLICATE
> DeprecatedHmacSha1Duplicate;
> +  DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_UPDATE
> DeprecatedHmacSha1Update;
> +  DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_FINAL
> DeprecatedHmacSha1Final;
>    /// HMAC SHA256
>    EDKII_CRYPTO_HMAC_SHA256_NEW                    HmacSha256New;
>    EDKII_CRYPTO_HMAC_SHA256_FREE                   HmacSha256Free;
> --
> 2.21.0.windows.1

[PATCH V3 8/8] CryptoPkg/Crypto.h: Update the version of Crypto Driver

[Gao, Zhichao]

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898

The binary is totally changed, so update the Crypto Version to 7:
1. Retire below deprecated function:
MD4, ARC4, TDES, AES ECB MODE, HMAC MD5, HMAC SHA1

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
 CryptoPkg/Private/Protocol/Crypto.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h
index d167390774..4e3292ffc1 100644
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@@ -20,7 +20,7 @@
 /// the EDK II Crypto Protocol is extended, this version define must be
 /// increased.
 ///
-#define EDKII_CRYPTO_VERSION 6
+#define EDKII_CRYPTO_VERSION 7
 
 ///
 /// EDK II Crypto Protocol forward declaration
-- 
2.21.0.windows.1

Re: [PATCH V3 8/8] CryptoPkg/Crypto.h: Update the version of Crypto Driver

[Wang, Jian J]

Zhichao,

You could add 'Intel' copyright in file header. With it addressed,

Reviewed-by: Jian J Wang <jian.j.wang@intel.com>

Regards,
Jian

> -----Original Message-----
> From: Gao, Zhichao <zhichao.gao@intel.com>
> Sent: Thursday, May 07, 2020 7:58 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>;
> Fu, Siyuan <siyuan.fu@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>
> Subject: [PATCH V3 8/8] CryptoPkg/Crypto.h: Update the version of Crypto
> Driver
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
> 
> The binary is totally changed, so update the Crypto Version to 7:
> 1. Retire below deprecated function:
> MD4, ARC4, TDES, AES ECB MODE, HMAC MD5, HMAC SHA1
> 
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Siyuan Fu <siyuan.fu@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> ---
>  CryptoPkg/Private/Protocol/Crypto.h | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/CryptoPkg/Private/Protocol/Crypto.h
> b/CryptoPkg/Private/Protocol/Crypto.h
> index d167390774..4e3292ffc1 100644
> --- a/CryptoPkg/Private/Protocol/Crypto.h
> +++ b/CryptoPkg/Private/Protocol/Crypto.h
> @@ -20,7 +20,7 @@
>  /// the EDK II Crypto Protocol is extended, this version define must be
>  /// increased.
>  ///
> -#define EDKII_CRYPTO_VERSION 6
> +#define EDKII_CRYPTO_VERSION 7
> 
>  ///
>  /// EDK II Crypto Protocol forward declaration
> --
> 2.21.0.windows.1

Re: [edk2-devel] [PATCH V3 0/8] CryptoPkg: Retire the deprecated functions

[Guomin Jiang]

It seem ok except some typo, please modify it.

Reviewed-by: Guomin Jiang <guomin.jiang@intel.com>

> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Gao,
> Zhichao
> Sent: Thursday, May 7, 2020 7:58 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>;
> Fu, Siyuan <siyuan.fu@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>
> Subject: [edk2-devel] [PATCH V3 0/8] CryptoPkg: Retire the deprecated
> functions
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
> 
> Retire below deprecated functions:
> MD4, ARC4, TDES, AES ECB MODE, HMAC MD5, HMAC SHA1.
> 
> V2:
> Seprate the MD5 and SHA1 changes to other patch set.
> Change the deprecated function wrapper implementatuion in
> EDKII_CRYPTO_PROTOCOL to call a dummy function to print debug message
> and assert.
> 
> V3:
> Remove the missing part of deprecated functions in V2.
> Change the name field in the EDKII_CRYPTO_PROTOCOL to indicate the
> function is deprecated and unsupported.
> 
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Siyuan Fu <siyuan.fu@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> 
> Zhichao Gao (8):
>   CryptoPkg/CryptoDxe: Add function to indicate the deprecated algorithm
>   CryptoPkg/BaseCrpytLib: Retire MD4 algorithm
>   CryptoPkg/BaseCryptLib: Retire ARC4 algorithm
>   CryptoPkg/BaseCryptLib: Retire the Tdes algorithm
>   CryptoPkg/BaseCryptLib: Retire Aes Ecb mode algorithm
>   CryptoPkg/BaseCryptLib: Retire HMAC MD5 algorithm
>   CryptoPkg/BaseCryptLib: Retire HMAC SHA1 algorithm
>   CryptoPkg/Crypto.h: Update the version of Crypto Driver
> 
>  CryptoPkg/CryptoPkg.dsc                       |   46 +-
>  CryptoPkg/Driver/Crypto.c                     |  780 ++---------
>  CryptoPkg/Include/Library/BaseCryptLib.h      |  809 ------------
>  .../Library/BaseCryptLib/BaseCryptLib.inf     |    7 +-
>  .../Library/BaseCryptLib/Cipher/CryptAes.c    |  114 --
>  .../BaseCryptLib/Cipher/CryptAesNull.c        |   52 -
>  .../Library/BaseCryptLib/Cipher/CryptArc4.c   |  205 ---
>  .../BaseCryptLib/Cipher/CryptArc4Null.c       |  124 --
>  .../Library/BaseCryptLib/Cipher/CryptTdes.c   |  364 ------
>  .../BaseCryptLib/Cipher/CryptTdesNull.c       |  160 ---
>  .../Library/BaseCryptLib/Hash/CryptMd4.c      |  223 ----
>  .../Library/BaseCryptLib/Hash/CryptMd4Null.c  |  143 --
>   .../Library/BaseCryptLib/Hmac/CryptHmacMd5.c  |  216 ---
>  .../BaseCryptLib/Hmac/CryptHmacMd5Null.c      |  139 --
>  .../Library/BaseCryptLib/Hmac/CryptHmacSha1.c |  216 ---
>  .../BaseCryptLib/Hmac/CryptHmacSha1Null.c     |  139 --
>  .../Library/BaseCryptLib/PeiCryptLib.inf      |   11 +-
>  .../Library/BaseCryptLib/PeiCryptLib.uni      |    4 +-
>  CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c |    7 +-
>  .../Library/BaseCryptLib/RuntimeCryptLib.inf  |   11 +-
>  .../Library/BaseCryptLib/RuntimeCryptLib.uni  |    4 +-
>  .../Library/BaseCryptLib/SmmCryptLib.inf      |   12 +-
>  .../Library/BaseCryptLib/SmmCryptLib.uni      |    4 +-
>  .../BaseCryptLibNull/BaseCryptLibNull.inf     |    5 -
>  .../BaseCryptLibNull/Cipher/CryptAesNull.c    |   52 -
>  .../BaseCryptLibNull/Cipher/CryptArc4Null.c   |  124 --
>  .../BaseCryptLibNull/Cipher/CryptTdesNull.c   |  160 ---
>  .../BaseCryptLibNull/Hash/CryptMd4Null.c      |  143 --
>  .../BaseCryptLibNull/Hmac/CryptHmacMd5Null.c  |  139 --
>   .../BaseCryptLibNull/Hmac/CryptHmacSha1Null.c |  139 --
>  .../BaseCryptLibOnProtocolPpi/CryptLib.c      | 1157 ++---------------
>  .../Library/Include/openssl/opensslconf.h     |    9 +
>  CryptoPkg/Library/OpensslLib/OpensslLib.inf   |   28 -
>  .../Library/OpensslLib/OpensslLibCrypto.inf   |   28 -
>  CryptoPkg/Private/Protocol/Crypto.h           |  708 ++--------
>  35 files changed, 389 insertions(+), 6093 deletions(-)  delete mode 100644
> CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4Null.c
>  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
>  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c
>  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptArc4Null.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c
> 
> --
> 2.21.0.windows.1
> 
> 
> 

Re: [edk2-devel] [PATCH V3 0/8] CryptoPkg: Retire the deprecated functions

[Dong, Eric]

[-- Attachment #1: Type: text/plain, Size: 6382 bytes --]

Hi Guomin,

Where are the typos? Please point out all the typos you found; it makes easy for Zhichao to fix all the typos.

Thanks,
Eric
From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Guomin Jiang
Sent: Friday, May 8, 2020 3:24 PM
To: devel@edk2.groups.io; Gao, Zhichao <zhichao.gao@intel.com>
Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>; Fu, Siyuan <siyuan.fu@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>
Subject: Re: [edk2-devel] [PATCH V3 0/8] CryptoPkg: Retire the deprecated functions

It seem ok except some typo, please modify it.

Reviewed-by: Guomin Jiang <guomin.jiang@intel.com<mailto:guomin.jiang@intel.com>>

> -----Original Message-----
> From: devel@edk2.groups.io<mailto:devel@edk2.groups.io> <devel@edk2.groups.io<mailto:devel@edk2.groups.io>> On Behalf Of Gao,
> Zhichao
> Sent: Thursday, May 7, 2020 7:58 AM
> To: devel@edk2.groups.io<mailto:devel@edk2.groups.io>
> Cc: Wang, Jian J <jian.j.wang@intel.com<mailto:jian.j.wang@intel.com>>; Lu, XiaoyuX <xiaoyux.lu@intel.com<mailto:xiaoyux.lu@intel.com>>;
> Fu, Siyuan <siyuan.fu@intel.com<mailto:siyuan.fu@intel.com>>; Kinney, Michael D
> <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>; Yao, Jiewen <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>
> Subject: [edk2-devel] [PATCH V3 0/8] CryptoPkg: Retire the deprecated
> functions
>
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
>
> Retire below deprecated functions:
> MD4, ARC4, TDES, AES ECB MODE, HMAC MD5, HMAC SHA1.
>
> V2:
> Seprate the MD5 and SHA1 changes to other patch set.
> Change the deprecated function wrapper implementatuion in
> EDKII_CRYPTO_PROTOCOL to call a dummy function to print debug message
> and assert.
>
> V3:
> Remove the missing part of deprecated functions in V2.
> Change the name field in the EDKII_CRYPTO_PROTOCOL to indicate the
> function is deprecated and unsupported.
>
> Cc: Jian J Wang <jian.j.wang@intel.com<mailto:jian.j.wang@intel.com>>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com<mailto:xiaoyux.lu@intel.com>>
> Cc: Siyuan Fu <siyuan.fu@intel.com<mailto:siyuan.fu@intel.com>>
> Cc: Michael D Kinney <michael.d.kinney@intel.com<mailto:michael.d.kinney@intel.com>>
> Cc: Jiewen Yao <jiewen.yao@intel.com<mailto:jiewen.yao@intel.com>>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com<mailto:zhichao.gao@intel.com>>
>
> Zhichao Gao (8):
>   CryptoPkg/CryptoDxe: Add function to indicate the deprecated algorithm
>   CryptoPkg/BaseCrpytLib: Retire MD4 algorithm
>   CryptoPkg/BaseCryptLib: Retire ARC4 algorithm
>   CryptoPkg/BaseCryptLib: Retire the Tdes algorithm
>   CryptoPkg/BaseCryptLib: Retire Aes Ecb mode algorithm
>   CryptoPkg/BaseCryptLib: Retire HMAC MD5 algorithm
>   CryptoPkg/BaseCryptLib: Retire HMAC SHA1 algorithm
>   CryptoPkg/Crypto.h: Update the version of Crypto Driver
>
>  CryptoPkg/CryptoPkg.dsc                       |   46 +-
>  CryptoPkg/Driver/Crypto.c                     |  780 ++---------
>  CryptoPkg/Include/Library/BaseCryptLib.h      |  809 ------------
>  .../Library/BaseCryptLib/BaseCryptLib.inf     |    7 +-
>  .../Library/BaseCryptLib/Cipher/CryptAes.c    |  114 --
>  .../BaseCryptLib/Cipher/CryptAesNull.c        |   52 -
>  .../Library/BaseCryptLib/Cipher/CryptArc4.c   |  205 ---
>  .../BaseCryptLib/Cipher/CryptArc4Null.c       |  124 --
>  .../Library/BaseCryptLib/Cipher/CryptTdes.c   |  364 ------
>  .../BaseCryptLib/Cipher/CryptTdesNull.c       |  160 ---
>  .../Library/BaseCryptLib/Hash/CryptMd4.c      |  223 ----
>  .../Library/BaseCryptLib/Hash/CryptMd4Null.c  |  143 --
>   .../Library/BaseCryptLib/Hmac/CryptHmacMd5.c  |  216 ---
>  .../BaseCryptLib/Hmac/CryptHmacMd5Null.c      |  139 --
>  .../Library/BaseCryptLib/Hmac/CryptHmacSha1.c |  216 ---
>  .../BaseCryptLib/Hmac/CryptHmacSha1Null.c     |  139 --
>  .../Library/BaseCryptLib/PeiCryptLib.inf      |   11 +-
>  .../Library/BaseCryptLib/PeiCryptLib.uni      |    4 +-
>  CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c |    7 +-
>  .../Library/BaseCryptLib/RuntimeCryptLib.inf  |   11 +-
>  .../Library/BaseCryptLib/RuntimeCryptLib.uni  |    4 +-
>  .../Library/BaseCryptLib/SmmCryptLib.inf      |   12 +-
>  .../Library/BaseCryptLib/SmmCryptLib.uni      |    4 +-
>  .../BaseCryptLibNull/BaseCryptLibNull.inf     |    5 -
>  .../BaseCryptLibNull/Cipher/CryptAesNull.c    |   52 -
>  .../BaseCryptLibNull/Cipher/CryptArc4Null.c   |  124 --
>  .../BaseCryptLibNull/Cipher/CryptTdesNull.c   |  160 ---
>  .../BaseCryptLibNull/Hash/CryptMd4Null.c      |  143 --
>  .../BaseCryptLibNull/Hmac/CryptHmacMd5Null.c  |  139 --
>   .../BaseCryptLibNull/Hmac/CryptHmacSha1Null.c |  139 --
>  .../BaseCryptLibOnProtocolPpi/CryptLib.c      | 1157 ++---------------
>  .../Library/Include/openssl/opensslconf.h     |    9 +
>  CryptoPkg/Library/OpensslLib/OpensslLib.inf   |   28 -
>  .../Library/OpensslLib/OpensslLibCrypto.inf   |   28 -
>  CryptoPkg/Private/Protocol/Crypto.h           |  708 ++--------
>  35 files changed, 389 insertions(+), 6093 deletions(-)  delete mode 100644
> CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4Null.c
>  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
>  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c
>  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptArc4Null.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c
>
> --
> 2.21.0.windows.1
>
>
>




[-- Attachment #2: Type: text/html, Size: 17629 bytes --]