public inbox for devel@edk2.groups.io
* [PATCH V4 00/11] CryptoPkg: Retire the deprecated functions
@ 2020-05-11 18:27 Gao, Zhichao
  2020-05-11 18:27 ` [PATCH V4 01/11] CryptoPkg/CryptoDxe: Add function to indicate the deprecated algorithm Gao, Zhichao
                   ` (11 more replies)
  0 siblings, 12 replies; 18+ messages in thread
From: Gao, Zhichao @ 2020-05-11 18:27 UTC
  To: devel
  Cc: Jian J Wang, Xiaoyu Lu, Siyuan Fu, Michael D Kinney, Jiewen Yao,
	Philippe Mathieu-Daude

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898

Retire the deprecated functions below:
MD4, ARC4, TDES, AES ECB MODE, HMAC MD5, HMAC SHA1.

V2:
Separate the MD5 and SHA1 changes to other patch set.
Change the deprecated function wrapper implementation in
EDKII_CRYPTO_PROTOCOL to call a dummy function to print debug
message and assert.

V3:
Remove the missing part of deprecated functions in V2.
Change the name field in the EDKII_CRYPTO_PROTOCOL to indicate
the function is deprecated and unsupported.

V4:
Fixed some typos.
Separate the change of OpensslLib and make the change with
process_files.pl.
Moving the incorrect changes of AES_ECB from HMAC MD5 patch
to Aes Ecb one.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Philippe Mathieu-Daude <philmd@redhat.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>

Zhichao Gao (8):
  CryptoPkg/CryptoDxe: Add function to indicate the deprecated algorithm
  CryptoPkg/BaseCrpytLib: Retire MD4 algorithm
  CryptoPkg/BaseCryptLib: Retire ARC4 algorithm
  CryptoPkg/BaseCryptLib: Retire the Tdes algorithm
  CryptoPkg/BaseCryptLib: Retire Aes Ecb mode algorithm
  CryptoPkg/BaseCryptLib: Retire HMAC MD5 algorithm
  CryptoPkg/BaseCryptLib: Retire HMAC SHA1 algorithm
  CryptoPkg/Crypto.h: Update the version of Crypto Driver

Zhiguang Liu (3):
  CryptoPkg/OpensslLib: Set MD4 disable in OpensslLib
  CryptoPkg/OpensslLib: Set ARC4 disable in OpensslLib
  CryptoPkg/OpensslLib: Set TDES disable in OpensslLib

 CryptoPkg/CryptoPkg.dsc                       |   46 +-
 CryptoPkg/Driver/Crypto.c                     |  786 ++---------
 CryptoPkg/Include/Library/BaseCryptLib.h      |  809 ------------
 .../Library/BaseCryptLib/BaseCryptLib.inf     |    7 +-
 .../Library/BaseCryptLib/Cipher/CryptAes.c    |  114 --
 .../BaseCryptLib/Cipher/CryptAesNull.c        |   52 -
 .../Library/BaseCryptLib/Cipher/CryptArc4.c   |  205 ---
 .../BaseCryptLib/Cipher/CryptArc4Null.c       |  124 --
 .../Library/BaseCryptLib/Cipher/CryptTdes.c   |  364 ------
 .../BaseCryptLib/Cipher/CryptTdesNull.c       |  160 ---
 .../Library/BaseCryptLib/Hash/CryptMd4.c      |  223 ----
 .../Library/BaseCryptLib/Hash/CryptMd4Null.c  |  143 --
 .../Library/BaseCryptLib/Hmac/CryptHmacMd5.c  |  216 ---
 .../BaseCryptLib/Hmac/CryptHmacMd5Null.c      |  139 --
 .../Library/BaseCryptLib/Hmac/CryptHmacSha1.c |  216 ---
 .../BaseCryptLib/Hmac/CryptHmacSha1Null.c     |  139 --
 .../Library/BaseCryptLib/PeiCryptLib.inf      |   11 +-
 .../Library/BaseCryptLib/PeiCryptLib.uni      |    8 +-
 CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c |    7 +-
 .../Library/BaseCryptLib/RuntimeCryptLib.inf  |   11 +-
 .../Library/BaseCryptLib/RuntimeCryptLib.uni  |    8 +-
 .../Library/BaseCryptLib/SmmCryptLib.inf      |   12 +-
 .../Library/BaseCryptLib/SmmCryptLib.uni      |    8 +-
 .../BaseCryptLibNull/BaseCryptLibNull.inf     |    5 -
 .../BaseCryptLibNull/Cipher/CryptAesNull.c    |   52 -
 .../BaseCryptLibNull/Cipher/CryptArc4Null.c   |  124 --
 .../BaseCryptLibNull/Cipher/CryptTdesNull.c   |  160 ---
 .../BaseCryptLibNull/Hash/CryptMd4Null.c      |  143 --
 .../BaseCryptLibNull/Hmac/CryptHmacMd5Null.c  |  139 --
 .../BaseCryptLibNull/Hmac/CryptHmacSha1Null.c |  139 --
 .../BaseCryptLibOnProtocolPpi/CryptLib.c      | 1157 ++---------------
 .../Library/Include/openssl/opensslconf.h     |    9 +
 CryptoPkg/Library/OpensslLib/OpensslLib.inf   |   28 -
 .../Library/OpensslLib/OpensslLibCrypto.inf   |   28 -
 CryptoPkg/Library/OpensslLib/process_files.pl |    3 +
 CryptoPkg/Private/Protocol/Crypto.h           |  709 ++--------
 36 files changed, 402 insertions(+), 6102 deletions(-)
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4Null.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptArc4Null.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c

-- 
2.21.0.windows.1



* [PATCH V4 01/11] CryptoPkg/CryptoDxe: Add function to indicate the deprecated algorithm
  2020-05-11 18:27 [PATCH V4 00/11] CryptoPkg: Retire the deprecated functions Gao, Zhichao
@ 2020-05-11 18:27 ` Gao, Zhichao
  2020-05-11 18:27 ` [PATCH V4 02/11] CryptoPkg/BaseCrpytLib: Retire MD4 algorithm Gao, Zhichao
                   ` (10 subsequent siblings)
  11 siblings, 0 replies; 18+ messages in thread
From: Gao, Zhichao @ 2020-05-11 18:27 UTC
  To: devel
  Cc: Jian J Wang, Xiaoyu Lu, Siyuan Fu, Michael D Kinney, Jiewen Yao,
	Philippe Mathieu-Daude

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898

Add an internal worker function to indicate the deprecated functions.
It would print out debug messages and asserts to inform the consumer
they are using a deprecated function.
Change the Name of BaseCryptLibServciceNotEnabled to correct spelling
BaseCryptLibServiceNotEnabled.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Philippe Mathieu-Daude <philmd@redhat.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
 CryptoPkg/Driver/Crypto.c | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index 35bf2d3d92..ed0083cccf 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -41,7 +41,7 @@
 #define CALL_BASECRYPTLIB(Enable, Function, Args, ErrorReturnValue) \
   EDKII_CRYPTO_PCD->Enable                                          \
     ? Function Args                                                 \
-    : (BaseCryptLibServciceNotEnabled (#Function), ErrorReturnValue)
+    : (BaseCryptLibServiceNotEnabled (#Function), ErrorReturnValue)
 
 /**
   A macro used to call a void BaseCryptLib function if it is enabled.
@@ -61,7 +61,7 @@
 #define CALL_VOID_BASECRYPTLIB(Enable, Function, Args)  \
   EDKII_CRYPTO_PCD->Enable                              \
     ? Function Args                                     \
-    : BaseCryptLibServciceNotEnabled (#Function)
+    : BaseCryptLibServiceNotEnabled (#Function)
 
 /**
   Internal worker function that prints a debug message and asserts if a call is
@@ -78,7 +78,7 @@
 **/
 static
 VOID
-BaseCryptLibServciceNotEnabled (
+BaseCryptLibServiceNotEnabled (
   IN CONST CHAR8  *FunctionName
   )
 {
@@ -86,6 +86,24 @@ BaseCryptLibServciceNotEnabled (
   ASSERT_EFI_ERROR (EFI_UNSUPPORTED);
 }
 
+/**
+  Internal worker function that prints a debug message and asserts if a call is
+  made to a BaseCryptLib function that is deprecated and unsupported any longer.
+
+  @param[in]  FunctionName  Null-terminated ASCII string that is the name of an
+                            EDK II Crypto service.
+
+**/
+static
+VOID
+BaseCryptLibServiceDeprecated (
+  IN CONST CHAR8  *FunctionName
+  )
+{
+  DEBUG ((DEBUG_ERROR, "[%a] Function %a() is deprecated and unsupported any longer\n", gEfiCallerBaseName, FunctionName));
+  ASSERT_EFI_ERROR (EFI_UNSUPPORTED);
+}
+
 /**
   Returns the version of the EDK II Crypto Protocol.
 
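Review bot: BaseCryptLibServiceDeprecated() is added at the end of this hunk as a static function, but none of the hunks in this patch call it, so at this commit it is unused. A toolchain that warns on unused static functions and treats warnings as errors would stop here, which hurts bisection; consider introducing the helper in the same patch as its first caller. Separately, the only hard stop is ASSERT_EFI_ERROR (EFI_UNSUPPORTED): in builds where ASSERT is disabled the helper simply returns, so the header comment should state that the calling wrapper is responsible for returning a failure value. The single-line DEBUG call is also long enough that splitting the format string and its arguments across lines would be easier to read.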
-- 
2.21.0.windows.1



* [PATCH V4 02/11] CryptoPkg/BaseCrpytLib: Retire MD4 algorithm
  2020-05-11 18:27 [PATCH V4 00/11] CryptoPkg: Retire the deprecated functions Gao, Zhichao
  2020-05-11 18:27 ` [PATCH V4 01/11] CryptoPkg/CryptoDxe: Add function to indicate the deprecated algorithm Gao, Zhichao
@ 2020-05-11 18:27 ` Gao, Zhichao
  2020-05-14  3:13   ` [edk2-devel] " Guomin Jiang
  2020-05-11 18:27 ` [PATCH V4 03/11] CryptoPkg/OpensslLib: Set MD4 disable in OpensslLib Gao, Zhichao
                   ` (9 subsequent siblings)
  11 siblings, 1 reply; 18+ messages in thread
From: Gao, Zhichao @ 2020-05-11 18:27 UTC
  To: devel
  Cc: Jian J Wang, Xiaoyu Lu, Siyuan Fu, Michael D Kinney, Jiewen Yao,
	Philippe Mathieu-Daude

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898

MD4 is not secure any longer.
Remove the MD4 support from edk2.
Change the MD4 field name in EDKII_CRYPTO_PROTOCOL to indicate the
function is unsupported any longer.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Philippe Mathieu-Daude <philmd@redhat.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
 CryptoPkg/CryptoPkg.dsc                       |   1 -
 CryptoPkg/Driver/Crypto.c                     | 135 ++---------
 CryptoPkg/Include/Library/BaseCryptLib.h      | 145 ------------
 .../Library/BaseCryptLib/BaseCryptLib.inf     |   3 +-
 .../Library/BaseCryptLib/Hash/CryptMd4.c      | 223 ------------------
 .../Library/BaseCryptLib/Hash/CryptMd4Null.c  | 143 -----------
 .../Library/BaseCryptLib/PeiCryptLib.inf      |   5 +-
 .../Library/BaseCryptLib/PeiCryptLib.uni      |   6 +-
 .../Library/BaseCryptLib/RuntimeCryptLib.inf  |   5 +-
 .../Library/BaseCryptLib/RuntimeCryptLib.uni  |   6 +-
 .../Library/BaseCryptLib/SmmCryptLib.inf      |   5 +-
 .../Library/BaseCryptLib/SmmCryptLib.uni      |   6 +-
 .../BaseCryptLibNull/BaseCryptLibNull.inf     |   1 -
 .../BaseCryptLibNull/Hash/CryptMd4Null.c      | 143 -----------
 .../BaseCryptLibOnProtocolPpi/CryptLib.c      | 158 -------------
 CryptoPkg/Private/Protocol/Crypto.h           | 123 ++--------
 16 files changed, 52 insertions(+), 1056 deletions(-)
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c

diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
index f79ff331cf..6ed7046563 100644
--- a/CryptoPkg/CryptoPkg.dsc
+++ b/CryptoPkg/CryptoPkg.dsc
@@ -140,7 +140,6 @@
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacMd5.Family    | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family   | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md4.Family        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family       | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Dh.Family         | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index ed0083cccf..c7a54182c7 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -124,161 +124,68 @@ CryptoServiceGetCryptoVersion (
 //=====================================================================================
 
 /**
-  Retrieves the size, in bytes, of the context buffer required for MD4 hash operations.
-
-  If this interface is not supported, then return zero.
-
-  @return  The size, in bytes, of the context buffer required for MD4 hash operations.
-  @retval  0   This interface is not supported.
+  MD4 is deprecated and unsupported any longer.
+  Keep the function field for binary compability.
 
 **/
 UINTN
 EFIAPI
-CryptoServiceMd4GetContextSize (
+DeprecatedCryptoServiceMd4GetContextSize (
   VOID
   )
 {
-  return CALL_BASECRYPTLIB (Md4.Services.GetContextSize, Md4GetContextSize, (), 0);
+  return BaseCryptLibServiceDeprecated ("Md4GetContextSize"), 0;
 }
 
-/**
-  Initializes user-supplied memory pointed by Md4Context as MD4 hash context for
-  subsequent use.
-
-  If Md4Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  Md4Context  Pointer to MD4 context being initialized.
-
-  @retval TRUE   MD4 context initialization succeeded.
-  @retval FALSE  MD4 context initialization failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceMd4Init (
+DeprecatedCryptoServiceMd4Init (
   OUT  VOID  *Md4Context
   )
 {
-  return CALL_BASECRYPTLIB (Md4.Services.Init, Md4Init, (Md4Context), FALSE);
+  return BaseCryptLibServiceDeprecated ("Md4Init"), FALSE;
 }
 
-/**
-  Makes a copy of an existing MD4 context.
-
-  If Md4Context is NULL, then return FALSE.
-  If NewMd4Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]  Md4Context     Pointer to MD4 context being copied.
-  @param[out] NewMd4Context  Pointer to new MD4 context.
-
-  @retval TRUE   MD4 context copy succeeded.
-  @retval FALSE  MD4 context copy failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceMd4Duplicate (
+DeprecatedCryptoServiceMd4Duplicate (
   IN   CONST VOID  *Md4Context,
   OUT  VOID        *NewMd4Context
   )
 {
-  return CALL_BASECRYPTLIB (Md4.Services.Duplicate, Md4Duplicate, (Md4Context, NewMd4Context), FALSE);
+  return BaseCryptLibServiceDeprecated ("Md4Duplicate"), FALSE;
 }
 
-/**
-  Digests the input data and updates MD4 context.
-
-  This function performs MD4 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  MD4 context should be already correctly initialized by Md4Init(), and should not be finalized
-  by Md4Final(). Behavior with invalid context is undefined.
-
-  If Md4Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Md4Context  Pointer to the MD4 context.
-  @param[in]       Data        Pointer to the buffer containing the data to be hashed.
-  @param[in]       DataSize    Size of Data buffer in bytes.
-
-  @retval TRUE   MD4 data digest succeeded.
-  @retval FALSE  MD4 data digest failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceMd4Update (
+DeprecatedCryptoServiceMd4Update (
   IN OUT  VOID        *Md4Context,
   IN      CONST VOID  *Data,
   IN      UINTN       DataSize
   )
 {
-  return CALL_BASECRYPTLIB (Md4.Services.Update, Md4Update, (Md4Context, Data, DataSize), FALSE);
+  return BaseCryptLibServiceDeprecated ("Md4Update"), FALSE;
 }
 
-/**
-  Completes computation of the MD4 digest value.
-
-  This function completes MD4 hash computation and retrieves the digest value into
-  the specified memory. After this function has been called, the MD4 context cannot
-  be used again.
-  MD4 context should be already correctly initialized by Md4Init(), and should not be
-  finalized by Md4Final(). Behavior with invalid MD4 context is undefined.
-
-  If Md4Context is NULL, then return FALSE.
-  If HashValue is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Md4Context  Pointer to the MD4 context.
-  @param[out]      HashValue   Pointer to a buffer that receives the MD4 digest
-                               value (16 bytes).
-
-  @retval TRUE   MD4 digest computation succeeded.
-  @retval FALSE  MD4 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceMd4Final (
+DeprecatedCryptoServiceMd4Final (
   IN OUT  VOID   *Md4Context,
   OUT     UINT8  *HashValue
   )
 {
-  return CALL_BASECRYPTLIB (Md4.Services.Final, Md4Final, (Md4Context, HashValue), FALSE);
+  return BaseCryptLibServiceDeprecated ("Md4Final"), FALSE;
 }
 
-/**
-  Computes the MD4 message digest of a input data buffer.
-
-  This function performs the MD4 message digest of a given data buffer, and places
-  the digest value into the specified memory.
-
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   Data        Pointer to the buffer containing the data to be hashed.
-  @param[in]   DataSize    Size of Data buffer in bytes.
-  @param[out]  HashValue   Pointer to a buffer that receives the MD4 digest
-                           value (16 bytes).
-
-  @retval TRUE   MD4 digest computation succeeded.
-  @retval FALSE  MD4 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceMd4HashAll (
+DeprecatedCryptoServiceMd4HashAll (
   IN   CONST VOID  *Data,
   IN   UINTN       DataSize,
   OUT  UINT8       *HashValue
   )
 {
-  return CALL_BASECRYPTLIB (Md4.Services.HashAll, Md4HashAll, (Data, DataSize, HashValue), FALSE);
+  return BaseCryptLibServiceDeprecated ("Md4HashAll"), FALSE;
 }
 
 /**
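Review bot: the five stubs after DeprecatedCryptoServiceMd4GetContextSize() (Init, Duplicate, Update, Final, HashAll) lose their function header comments entirely; only the first stub keeps a comment block. Each one should carry a short header saying it is retained for binary compatibility, ignores its parameters and always returns FALSE, because once the assert inside BaseCryptLibServiceDeprecated() is compiled out that return value is the only signal a caller gets. In the one header that remains, "compability" should read "compatibility", and it should keep the removed "@retval 0 This interface is not supported" line: GetContextSize now returns 0 unconditionally, and a consumer that sizes an allocation from it needs to know that 0 means unsupported.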
@@ -4440,13 +4347,13 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
   CryptoServiceHmacSha256Duplicate,
   CryptoServiceHmacSha256Update,
   CryptoServiceHmacSha256Final,
-  /// Md4
-  CryptoServiceMd4GetContextSize,
-  CryptoServiceMd4Init,
-  CryptoServiceMd4Duplicate,
-  CryptoServiceMd4Update,
-  CryptoServiceMd4Final,
-  CryptoServiceMd4HashAll,
+  /// Md4 - deprecated and unsupported
+  DeprecatedCryptoServiceMd4GetContextSize,
+  DeprecatedCryptoServiceMd4Init,
+  DeprecatedCryptoServiceMd4Duplicate,
+  DeprecatedCryptoServiceMd4Update,
+  DeprecatedCryptoServiceMd4Final,
+  DeprecatedCryptoServiceMd4HashAll,
   /// Md5
   CryptoServiceMd5GetContextSize,
   CryptoServiceMd5Init,
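Review bot: the new comment "/// Md4 - deprecated and unsupported" in the mEdkiiCrypto initializer does not say why the six entries are still present. Since the stubs exist to keep the function fields for binary compatibility (as the header on DeprecatedCryptoServiceMd4GetContextSize states), say so here as well, for example that the entries must stay in place and in this order so the positions of the members that follow do not change. Without that, a later cleanup could delete the block and silently shift every subsequent function pointer.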
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index 5e8f2e0a10..c862f0334f 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -14,11 +14,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
 
 #include <Uefi/UefiBaseType.h>
 
-///
-/// MD4 digest size in bytes
-///
-#define MD4_DIGEST_SIZE     16
-
 ///
 /// MD5 digest size in bytes
 ///
@@ -77,146 +72,6 @@ typedef enum {
 //    One-Way Cryptographic Hash Primitives
 //=====================================================================================
 
-/**
-  Retrieves the size, in bytes, of the context buffer required for MD4 hash operations.
-
-  If this interface is not supported, then return zero.
-
-  @return  The size, in bytes, of the context buffer required for MD4 hash operations.
-  @retval  0   This interface is not supported.
-
-**/
-UINTN
-EFIAPI
-Md4GetContextSize (
-  VOID
-  );
-
-/**
-  Initializes user-supplied memory pointed by Md4Context as MD4 hash context for
-  subsequent use.
-
-  If Md4Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  Md4Context  Pointer to MD4 context being initialized.
-
-  @retval TRUE   MD4 context initialization succeeded.
-  @retval FALSE  MD4 context initialization failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Init (
-  OUT  VOID  *Md4Context
-  );
-
-/**
-  Makes a copy of an existing MD4 context.
-
-  If Md4Context is NULL, then return FALSE.
-  If NewMd4Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]  Md4Context     Pointer to MD4 context being copied.
-  @param[out] NewMd4Context  Pointer to new MD4 context.
-
-  @retval TRUE   MD4 context copy succeeded.
-  @retval FALSE  MD4 context copy failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Duplicate (
-  IN   CONST VOID  *Md4Context,
-  OUT  VOID        *NewMd4Context
-  );
-
-/**
-  Digests the input data and updates MD4 context.
-
-  This function performs MD4 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  MD4 context should be already correctly initialized by Md4Init(), and should not be finalized
-  by Md4Final(). Behavior with invalid context is undefined.
-
-  If Md4Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Md4Context  Pointer to the MD4 context.
-  @param[in]       Data        Pointer to the buffer containing the data to be hashed.
-  @param[in]       DataSize    Size of Data buffer in bytes.
-
-  @retval TRUE   MD4 data digest succeeded.
-  @retval FALSE  MD4 data digest failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Update (
-  IN OUT  VOID        *Md4Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  );
-
-/**
-  Completes computation of the MD4 digest value.
-
-  This function completes MD4 hash computation and retrieves the digest value into
-  the specified memory. After this function has been called, the MD4 context cannot
-  be used again.
-  MD4 context should be already correctly initialized by Md4Init(), and should not be
-  finalized by Md4Final(). Behavior with invalid MD4 context is undefined.
-
-  If Md4Context is NULL, then return FALSE.
-  If HashValue is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Md4Context  Pointer to the MD4 context.
-  @param[out]      HashValue   Pointer to a buffer that receives the MD4 digest
-                               value (16 bytes).
-
-  @retval TRUE   MD4 digest computation succeeded.
-  @retval FALSE  MD4 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Final (
-  IN OUT  VOID   *Md4Context,
-  OUT     UINT8  *HashValue
-  );
-
-/**
-  Computes the MD4 message digest of a input data buffer.
-
-  This function performs the MD4 message digest of a given data buffer, and places
-  the digest value into the specified memory.
-
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   Data        Pointer to the buffer containing the data to be hashed.
-  @param[in]   DataSize    Size of Data buffer in bytes.
-  @param[out]  HashValue   Pointer to a buffer that receives the MD4 digest
-                           value (16 bytes).
-
-  @retval TRUE   MD4 digest computation succeeded.
-  @retval FALSE  MD4 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4HashAll (
-  IN   CONST VOID  *Data,
-  IN   UINTN       DataSize,
-  OUT  UINT8       *HashValue
-  );
-
 /**
   Retrieves the size, in bytes, of the context buffer required for MD5 hash operations.
 
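Review bot: removing the six Md4* prototypes in this hunk, together with MD4_DIGEST_SIZE in the previous one, is a source-level API break for every module that includes BaseCryptLib.h, yet the commit message only mentions the EDKII_CRYPTO_PROTOCOL field rename. Please state in the commit message that the library class API is removed, and whether remaining callers of Md4Init() through Md4HashAll() and users of MD4_DIGEST_SIZE were checked for, so platform owners know to expect a compile failure rather than a runtime one.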
diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
index a63ad66b4f..22992e7d43 100644
--- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -6,7 +6,7 @@
 #  This external input must be validated carefully to avoid security issues such as
 #  buffer overflow or integer overflow.
 #
-#  Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
 #  Copyright (c) 2020, Hewlett Packard Enterprise Development LP. All rights reserved.<BR>
 #  SPDX-License-Identifier: BSD-2-Clause-Patent
 #
@@ -29,7 +29,6 @@
 
 [Sources]
   InternalCryptLib.h
-  Hash/CryptMd4.c
   Hash/CryptMd5.c
   Hash/CryptSha1.c
   Hash/CryptSha256.c
diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c b/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c
deleted file mode 100644
index bc02da07b0..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c
+++ /dev/null
@@ -1,223 +0,0 @@
-/** @file
-  MD4 Digest Wrapper Implementation over OpenSSL.
-
-Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-#include <openssl/md4.h>
-
-/**
-  Retrieves the size, in bytes, of the context buffer required for MD4 hash operations.
-
-  @return  The size, in bytes, of the context buffer required for MD4 hash operations.
-
-**/
-UINTN
-EFIAPI
-Md4GetContextSize (
-  VOID
-  )
-{
-  //
-  // Retrieves the OpenSSL MD4 Context Size
-  //
-  return (UINTN) (sizeof (MD4_CTX));
-}
-
-/**
-  Initializes user-supplied memory pointed by Md4Context as MD4 hash context for
-  subsequent use.
-
-  If Md4Context is NULL, then return FALSE.
-
-  @param[out]  Md4Context  Pointer to MD4 context being initialized.
-
-  @retval TRUE   MD4 context initialization succeeded.
-  @retval FALSE  MD4 context initialization failed.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Init (
-  OUT  VOID  *Md4Context
-  )
-{
-  //
-  // Check input parameters.
-  //
-  if (Md4Context == NULL) {
-    return FALSE;
-  }
-
-  //
-  // OpenSSL MD4 Context Initialization
-  //
-  return (BOOLEAN) (MD4_Init ((MD4_CTX *) Md4Context));
-}
-
-/**
-  Makes a copy of an existing MD4 context.
-
-  If Md4Context is NULL, then return FALSE.
-  If NewMd4Context is NULL, then return FALSE.
-
-  @param[in]  Md4Context     Pointer to MD4 context being copied.
-  @param[out] NewMd4Context  Pointer to new MD4 context.
-
-  @retval TRUE   MD4 context copy succeeded.
-  @retval FALSE  MD4 context copy failed.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Duplicate (
-  IN   CONST VOID  *Md4Context,
-  OUT  VOID        *NewMd4Context
-  )
-{
-  //
-  // Check input parameters.
-  //
-  if (Md4Context == NULL || NewMd4Context == NULL) {
-    return FALSE;
-  }
-
-  CopyMem (NewMd4Context, Md4Context, sizeof (MD4_CTX));
-
-  return TRUE;
-}
-
-/**
-  Digests the input data and updates MD4 context.
-
-  This function performs MD4 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  MD4 context should be already correctly initialized by Md4Init(), and should not be finalized
-  by Md4Final(). Behavior with invalid context is undefined.
-
-  If Md4Context is NULL, then return FALSE.
-
-  @param[in, out]  Md4Context  Pointer to the MD4 context.
-  @param[in]       Data        Pointer to the buffer containing the data to be hashed.
-  @param[in]       DataSize    Size of Data buffer in bytes.
-
-  @retval TRUE   MD4 data digest succeeded.
-  @retval FALSE  MD4 data digest failed.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Update (
-  IN OUT  VOID        *Md4Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  )
-{
-  //
-  // Check input parameters.
-  //
-  if (Md4Context == NULL) {
-    return FALSE;
-  }
-
-  //
-  // Check invalid parameters, in case that only DataLength was checked in OpenSSL
-  //
-  if (Data == NULL && DataSize != 0) {
-    return FALSE;
-  }
-
-  //
-  // OpenSSL MD4 Hash Update
-  //
-  return (BOOLEAN) (MD4_Update ((MD4_CTX *) Md4Context, Data, DataSize));
-}
-
-/**
-  Completes computation of the MD4 digest value.
-
-  This function completes MD4 hash computation and retrieves the digest value into
-  the specified memory. After this function has been called, the MD4 context cannot
-  be used again.
-  MD4 context should be already correctly initialized by Md4Init(), and should not be
-  finalized by Md4Final(). Behavior with invalid MD4 context is undefined.
-
-  If Md4Context is NULL, then return FALSE.
-  If HashValue is NULL, then return FALSE.
-
-  @param[in, out]  Md4Context  Pointer to the MD4 context.
-  @param[out]      HashValue   Pointer to a buffer that receives the MD4 digest
-                               value (16 bytes).
-
-  @retval TRUE   MD4 digest computation succeeded.
-  @retval FALSE  MD4 digest computation failed.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Final (
-  IN OUT  VOID   *Md4Context,
-  OUT     UINT8  *HashValue
-  )
-{
-  //
-  // Check input parameters.
-  //
-  if (Md4Context == NULL || HashValue == NULL) {
-    return FALSE;
-  }
-
-  //
-  // OpenSSL MD4 Hash Finalization
-  //
-  return (BOOLEAN) (MD4_Final (HashValue, (MD4_CTX *) Md4Context));
-}
-
-/**
-  Computes the MD4 message digest of a input data buffer.
-
-  This function performs the MD4 message digest of a given data buffer, and places
-  the digest value into the specified memory.
-
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   Data        Pointer to the buffer containing the data to be hashed.
-  @param[in]   DataSize    Size of Data buffer in bytes.
-  @param[out]  HashValue   Pointer to a buffer that receives the MD4 digest
-                           value (16 bytes).
-
-  @retval TRUE   MD4 digest computation succeeded.
-  @retval FALSE  MD4 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4HashAll (
-  IN   CONST VOID  *Data,
-  IN   UINTN       DataSize,
-  OUT  UINT8       *HashValue
-  )
-{
-  //
-  // Check input parameters.
-  //
-  if (HashValue == NULL) {
-    return FALSE;
-  }
-  if (Data == NULL && DataSize != 0) {
-    return FALSE;
-  }
-
-  //
-  // OpenSSL MD4 Hash Computation.
-  //
-  if (MD4 (Data, DataSize, HashValue) == NULL) {
-    return FALSE;
-  } else {
-    return TRUE;
-  }
-}
diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c b/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c
deleted file mode 100644
index 610c61c713..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c
+++ /dev/null
@@ -1,143 +0,0 @@
-/** @file
-  MD4 Digest Wrapper Implementation which does not provide real capabilities.
-
-Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-
-/**
-  Retrieves the size, in bytes, of the context buffer required for MD4 hash
-  operations.
-
-  Return zero to indicate this interface is not supported.
-
-  @retval  0   This interface is not supported.
-
-**/
-UINTN
-EFIAPI
-Md4GetContextSize (
-  VOID
-  )
-{
-  ASSERT (FALSE);
-  return 0;
-}
-
-/**
-  Initializes user-supplied memory pointed by Md4Context as MD4 hash context for
-  subsequent use.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[out]  Md4Context  Pointer to MD4 context being initialized.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Init (
-  OUT  VOID  *Md4Context
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Makes a copy of an existing MD4 context.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]  Md4Context     Pointer to MD4 context being copied.
-  @param[out] NewMd4Context  Pointer to new MD4 context.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Duplicate (
-  IN   CONST VOID  *Md4Context,
-  OUT  VOID        *NewMd4Context
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Digests the input data and updates MD4 context.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  Md4Context  Pointer to the MD4 context.
-  @param[in]       Data        Pointer to the buffer containing the data to be hashed.
-  @param[in]       DataSize    Size of Data buffer in bytes.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Update (
-  IN OUT  VOID        *Md4Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Completes computation of the MD4 digest value.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  Md4Context  Pointer to the MD4 context.
-  @param[out]      HashValue   Pointer to a buffer that receives the MD4 digest
-                               value (16 bytes).
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Final (
-  IN OUT  VOID   *Md4Context,
-  OUT     UINT8  *HashValue
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Computes the MD4 message digest of a input data buffer.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]   Data        Pointer to the buffer containing the data to be hashed.
-  @param[in]   DataSize    Size of Data buffer in bytes.
-  @param[out]  HashValue   Pointer to a buffer that receives the MD4 digest
-                           value (16 bytes).
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4HashAll (
-  IN   CONST VOID  *Data,
-  IN   UINTN       DataSize,
-  OUT  UINT8       *HashValue
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
index c836c257f8..e9add0127d 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
@@ -6,14 +6,14 @@
 #  This external input must be validated carefully to avoid security issues such as
 #  buffer overflow or integer overflow.
 #
-#  Note: MD4 Digest functions,
+#  Note:
 #  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES/ARC4 functions, RSA external
 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509
 #  certificate handler functions, authenticode signature verification functions,
 #  PEM handler functions, and pseudorandom number generator functions are not
 #  supported in this instance.
 #
-#  Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
 #  SPDX-License-Identifier: BSD-2-Clause-Patent
 #
 ##
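Review bot: the replacement line `#  Note:` in the header comment is left as a bare label on its own line, with the list of unsupported functions starting on the next line. Reflow the paragraph so the label and the first item share a line, for example `#  Note: HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, ...`, which is how the RuntimeCryptLib.inf and SmmCryptLib.inf headers in this same patch read after the MD4 entry is dropped.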
@@ -35,7 +35,6 @@
 
 [Sources]
   InternalCryptLib.h
-  Hash/CryptMd4Null.c
   Hash/CryptMd5.c
   Hash/CryptSha1.c
   Hash/CryptSha256.c
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
index 9937555beb..374bfb3f65 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
@@ -6,13 +6,13 @@
 // This external input must be validated carefully to avoid security issues such as
 // buffer overflow or integer overflow.
 //
-// Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions, AES/
+// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
 // TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, X.509 certificate handler functions, authenticode
 // signature verification functions, PEM handler functions, and pseudorandom number
 // generator functions are not supported in this instance.
 //
-// Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
+// Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
 //
 // SPDX-License-Identifier: BSD-2-Clause-Patent
 //
@@ -21,5 +21,5 @@
 
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for PEIM"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."
 
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
index e5b8ececc1..0a2eb03232 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
@@ -6,12 +6,12 @@
 #  This external input must be validated carefully to avoid security issues such as
 #  buffer overflow or integer overflow.
 #
-#  Note: MD4 Digest functions, SHA-384 Digest functions, SHA-512 Digest functions,
+#  Note: SHA-384 Digest functions, SHA-512 Digest functions,
 #  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES/ARC4 functions, RSA external
 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
 #  authenticode signature verification functions are not supported in this instance.
 #
-#  Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
 #  Copyright (c) 2020, Hewlett Packard Enterprise Development LP. All rights reserved.<BR>
 #  SPDX-License-Identifier: BSD-2-Clause-Patent
 #
@@ -35,7 +35,6 @@
 
 [Sources]
   InternalCryptLib.h
-  Hash/CryptMd4Null.c
   Hash/CryptMd5.c
   Hash/CryptSha1.c
   Hash/CryptSha256.c
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
index c0a16f1b84..b6d751176e 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
@@ -6,12 +6,12 @@
 // This external input must be validated carefully to avoid security issues such as
 // buffer overflow or integer overflow.
 //
-// Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions, AES/
+// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
 // TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, and authenticode signature verification functions are
 // not supported in this instance.
 //
-// Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
+// Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
 //
 // SPDX-License-Identifier: BSD-2-Clause-Patent
 //
@@ -20,5 +20,5 @@
 
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for DXE_RUNTIME_DRIVER"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
 
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
index cc0b65fd25..139983075e 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
@@ -6,12 +6,12 @@
 #  This external input must be validated carefully to avoid security issues such as
 #  buffer overflow or integer overflow.
 #
-#  Note: MD4 Digest functions, SHA-384 Digest functions, SHA-512 Digest functions,
+#  Note: SHA-384 Digest functions, SHA-512 Digest functions,
 #  HMAC-MD5 functions, HMAC-SHA1 functions, TDES/ARC4 functions, RSA external
 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
 #  authenticode signature verification functions are not supported in this instance.
 #
-#  Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.<BR>
+#  Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
 #  SPDX-License-Identifier: BSD-2-Clause-Patent
 #
 ##
@@ -34,7 +34,6 @@
 
 [Sources]
   InternalCryptLib.h
-  Hash/CryptMd4Null.c
   Hash/CryptMd5.c
   Hash/CryptSha1.c
   Hash/CryptSha256.c
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
index 83485fbb90..b8d7953d2b 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
@@ -6,12 +6,12 @@
 // This external input must be validated carefully to avoid security issues such as
 // buffer overflow or integer overflow.
 //
-// Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions, AES/
+// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
 // TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, and authenticode signature verification functions are
 // not supported in this instance.
 //
-// Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
+// Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
 //
 // SPDX-License-Identifier: BSD-2-Clause-Patent
 //
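Review bot: the Note paragraph edited here still lists `AES/` together with `TDES/ARC4 functions` as unsupported and does not mention SHA-384 or SHA-512, while the SmmCryptLib.inf header changed in this same patch lists `TDES/ARC4 functions` only and does include the SHA-384 and SHA-512 digest functions. Since both descriptions are being touched, bring the .uni text (this comment and the STR_MODULE_DESCRIPTION string in the next hunk, which also carries the stray space in `AES/ TDES/ARC4`) in line with the .inf, so the module description states the set of functions that is really unsupported.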
@@ -20,5 +20,5 @@
 
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for SMM driver"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
 
diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
index 9b4991cbb0..b03681b146 100644
--- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
+++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
@@ -29,7 +29,6 @@
 
 [Sources]
   InternalCryptLib.h
-  Hash/CryptMd4Null.c
   Hash/CryptMd5Null.c
   Hash/CryptSha1Null.c
   Hash/CryptSha256Null.c
diff --git a/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c b/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c
deleted file mode 100644
index 610c61c713..0000000000
--- a/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c
+++ /dev/null
@@ -1,143 +0,0 @@
-/** @file
-  MD4 Digest Wrapper Implementation which does not provide real capabilities.
-
-Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-
-/**
-  Retrieves the size, in bytes, of the context buffer required for MD4 hash
-  operations.
-
-  Return zero to indicate this interface is not supported.
-
-  @retval  0   This interface is not supported.
-
-**/
-UINTN
-EFIAPI
-Md4GetContextSize (
-  VOID
-  )
-{
-  ASSERT (FALSE);
-  return 0;
-}
-
-/**
-  Initializes user-supplied memory pointed by Md4Context as MD4 hash context for
-  subsequent use.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[out]  Md4Context  Pointer to MD4 context being initialized.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Init (
-  OUT  VOID  *Md4Context
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Makes a copy of an existing MD4 context.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]  Md4Context     Pointer to MD4 context being copied.
-  @param[out] NewMd4Context  Pointer to new MD4 context.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Duplicate (
-  IN   CONST VOID  *Md4Context,
-  OUT  VOID        *NewMd4Context
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Digests the input data and updates MD4 context.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  Md4Context  Pointer to the MD4 context.
-  @param[in]       Data        Pointer to the buffer containing the data to be hashed.
-  @param[in]       DataSize    Size of Data buffer in bytes.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Update (
-  IN OUT  VOID        *Md4Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Completes computation of the MD4 digest value.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  Md4Context  Pointer to the MD4 context.
-  @param[out]      HashValue   Pointer to a buffer that receives the MD4 digest
-                               value (16 bytes).
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Final (
-  IN OUT  VOID   *Md4Context,
-  OUT     UINT8  *HashValue
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Computes the MD4 message digest of a input data buffer.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]   Data        Pointer to the buffer containing the data to be hashed.
-  @param[in]   DataSize    Size of Data buffer in bytes.
-  @param[out]  HashValue   Pointer to a buffer that receives the MD4 digest
-                           value (16 bytes).
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4HashAll (
-  IN   CONST VOID  *Data,
-  IN   UINTN       DataSize,
-  OUT  UINT8       *HashValue
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index c2a1df9afc..5e470028f4 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -99,164 +99,6 @@ CryptoServiceNotAvailable (
 //    One-Way Cryptographic Hash Primitives
 //=====================================================================================
 
-/**
-  Retrieves the size, in bytes, of the context buffer required for MD4 hash operations.
-
-  If this interface is not supported, then return zero.
-
-  @return  The size, in bytes, of the context buffer required for MD4 hash operations.
-  @retval  0   This interface is not supported.
-
-**/
-UINTN
-EFIAPI
-Md4GetContextSize (
-  VOID
-  )
-{
-  CALL_CRYPTO_SERVICE (Md4GetContextSize, (), 0);
-}
-
-/**
-  Initializes user-supplied memory pointed by Md4Context as MD4 hash context for
-  subsequent use.
-
-  If Md4Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  Md4Context  Pointer to MD4 context being initialized.
-
-  @retval TRUE   MD4 context initialization succeeded.
-  @retval FALSE  MD4 context initialization failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Init (
-  OUT  VOID  *Md4Context
-  )
-{
-  CALL_CRYPTO_SERVICE (Md4Init, (Md4Context), FALSE);
-}
-
-/**
-  Makes a copy of an existing MD4 context.
-
-  If Md4Context is NULL, then return FALSE.
-  If NewMd4Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]  Md4Context     Pointer to MD4 context being copied.
-  @param[out] NewMd4Context  Pointer to new MD4 context.
-
-  @retval TRUE   MD4 context copy succeeded.
-  @retval FALSE  MD4 context copy failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Duplicate (
-  IN   CONST VOID  *Md4Context,
-  OUT  VOID        *NewMd4Context
-  )
-{
-  CALL_CRYPTO_SERVICE (Md4Duplicate, (Md4Context, NewMd4Context), FALSE);
-}
-
-/**
-  Digests the input data and updates MD4 context.
-
-  This function performs MD4 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  MD4 context should be already correctly initialized by Md4Init(), and should not be finalized
-  by Md4Final(). Behavior with invalid context is undefined.
-
-  If Md4Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Md4Context  Pointer to the MD4 context.
-  @param[in]       Data        Pointer to the buffer containing the data to be hashed.
-  @param[in]       DataSize    Size of Data buffer in bytes.
-
-  @retval TRUE   MD4 data digest succeeded.
-  @retval FALSE  MD4 data digest failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Update (
-  IN OUT  VOID        *Md4Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  )
-{
-  CALL_CRYPTO_SERVICE (Md4Update, (Md4Context, Data, DataSize), FALSE);
-}
-
-/**
-  Completes computation of the MD4 digest value.
-
-  This function completes MD4 hash computation and retrieves the digest value into
-  the specified memory. After this function has been called, the MD4 context cannot
-  be used again.
-  MD4 context should be already correctly initialized by Md4Init(), and should not be
-  finalized by Md4Final(). Behavior with invalid MD4 context is undefined.
-
-  If Md4Context is NULL, then return FALSE.
-  If HashValue is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Md4Context  Pointer to the MD4 context.
-  @param[out]      HashValue   Pointer to a buffer that receives the MD4 digest
-                               value (16 bytes).
-
-  @retval TRUE   MD4 digest computation succeeded.
-  @retval FALSE  MD4 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4Final (
-  IN OUT  VOID   *Md4Context,
-  OUT     UINT8  *HashValue
-  )
-{
-  CALL_CRYPTO_SERVICE (Md4Final, (Md4Context, HashValue), FALSE);
-}
-
-/**
-  Computes the MD4 message digest of a input data buffer.
-
-  This function performs the MD4 message digest of a given data buffer, and places
-  the digest value into the specified memory.
-
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   Data        Pointer to the buffer containing the data to be hashed.
-  @param[in]   DataSize    Size of Data buffer in bytes.
-  @param[out]  HashValue   Pointer to a buffer that receives the MD4 digest
-                           value (16 bytes).
-
-  @retval TRUE   MD4 digest computation succeeded.
-  @retval FALSE  MD4 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Md4HashAll (
-  IN   CONST VOID  *Data,
-  IN   UINTN       DataSize,
-  OUT  UINT8       *HashValue
-  )
-{
-  CALL_CRYPTO_SERVICE (Md4HashAll, (Data, DataSize, HashValue), FALSE);
-}
-
 /**
   Retrieves the size, in bytes, of the context buffer required for MD5 hash operations.
 
diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h
index 40c387e002..ae0f29695c 100644
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@@ -451,145 +451,52 @@ BOOLEAN
 //=====================================================================================
 
 /**
-  Retrieves the size, in bytes, of the context buffer required for MD4 hash operations.
-
-  If this interface is not supported, then return zero.
-
-  @return  The size, in bytes, of the context buffer required for MD4 hash operations.
-  @retval  0   This interface is not supported.
+  MD4 is deprecated and unsupported any longer.
+  Keep the function field for binary compability.
 
 **/
 typedef
 UINTN
-(EFIAPI *EDKII_CRYPTO_MD4_GET_CONTEXT_SIZE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_GET_CONTEXT_SIZE) (
   VOID
   );
 
 
-/**
-  Initializes user-supplied memory pointed by Md4Context as MD4 hash context for
-  subsequent use.
-
-  If Md4Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  Md4Context  Pointer to MD4 context being initialized.
-
-  @retval TRUE   MD4 context initialization succeeded.
-  @retval FALSE  MD4 context initialization failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_MD4_INIT) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_INIT) (
   OUT  VOID  *Md4Context
   );
 
 
-/**
-  Makes a copy of an existing MD4 context.
-
-  If Md4Context is NULL, then return FALSE.
-  If NewMd4Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]  Md4Context     Pointer to MD4 context being copied.
-  @param[out] NewMd4Context  Pointer to new MD4 context.
-
-  @retval TRUE   MD4 context copy succeeded.
-  @retval FALSE  MD4 context copy failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_MD4_DUPLICATE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_DUPLICATE) (
   IN   CONST VOID  *Md4Context,
   OUT  VOID        *NewMd4Context
   );
 
 
-/**
-  Digests the input data and updates MD4 context.
-
-  This function performs MD4 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  MD4 context should be already correctly initialized by Md4Init(), and should not be finalized
-  by Md4Final(). Behavior with invalid context is undefined.
-
-  If Md4Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Md4Context  Pointer to the MD4 context.
-  @param[in]       Data        Pointer to the buffer containing the data to be hashed.
-  @param[in]       DataSize    Size of Data buffer in bytes.
-
-  @retval TRUE   MD4 data digest succeeded.
-  @retval FALSE  MD4 data digest failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_MD4_UPDATE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_UPDATE) (
   IN OUT  VOID        *Md4Context,
   IN      CONST VOID  *Data,
   IN      UINTN       DataSize
   );
 
 
-/**
-  Completes computation of the MD4 digest value.
-
-  This function completes MD4 hash computation and retrieves the digest value into
-  the specified memory. After this function has been called, the MD4 context cannot
-  be used again.
-  MD4 context should be already correctly initialized by Md4Init(), and should not be
-  finalized by Md4Final(). Behavior with invalid MD4 context is undefined.
-
-  If Md4Context is NULL, then return FALSE.
-  If HashValue is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Md4Context  Pointer to the MD4 context.
-  @param[out]      HashValue   Pointer to a buffer that receives the MD4 digest
-                               value (16 bytes).
-
-  @retval TRUE   MD4 digest computation succeeded.
-  @retval FALSE  MD4 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_MD4_FINAL) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_FINAL) (
   IN OUT  VOID   *Md4Context,
   OUT     UINT8  *HashValue
   );
 
 
-/**
-  Computes the MD4 message digest of a input data buffer.
-
-  This function performs the MD4 message digest of a given data buffer, and places
-  the digest value into the specified memory.
-
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   Data        Pointer to the buffer containing the data to be hashed.
-  @param[in]   DataSize    Size of Data buffer in bytes.
-  @param[out]  HashValue   Pointer to a buffer that receives the MD4 digest
-                           value (16 bytes).
-
-  @retval TRUE   MD4 digest computation succeeded.
-  @retval FALSE  MD4 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_MD4_HASH_ALL) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_HASH_ALL) (
   IN   CONST VOID  *Data,
   IN   UINTN       DataSize,
   OUT  UINT8       *HashValue
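Review bot: the new comment above DEPRECATED_EDKII_CRYPTO_MD4_GET_CONTEXT_SIZE misspells "compatibility" as "compability", and it is the only documentation left in this region, because the other five DEPRECATED_EDKII_CRYPTO_MD4_* typedefs lose their comment blocks with no replacement. Suggest fixing the spelling, rewording "unsupported any longer" to "no longer supported", and either repeating the short deprecation comment on each typedef or saying in the first one that it covers all six MD4 function types.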
@@ -4007,13 +3914,13 @@ struct _EDKII_CRYPTO_PROTOCOL {
   EDKII_CRYPTO_HMAC_SHA256_DUPLICATE              HmacSha256Duplicate;
   EDKII_CRYPTO_HMAC_SHA256_UPDATE                 HmacSha256Update;
   EDKII_CRYPTO_HMAC_SHA256_FINAL                  HmacSha256Final;
-  /// Md4
-  EDKII_CRYPTO_MD4_GET_CONTEXT_SIZE               Md4GetContextSize;
-  EDKII_CRYPTO_MD4_INIT                           Md4Init;
-  EDKII_CRYPTO_MD4_DUPLICATE                      Md4Duplicate;
-  EDKII_CRYPTO_MD4_UPDATE                         Md4Update;
-  EDKII_CRYPTO_MD4_FINAL                          Md4Final;
-  EDKII_CRYPTO_MD4_HASH_ALL                       Md4HashAll;
+  /// Md4 - deprecated and unsupported
+  DEPRECATED_EDKII_CRYPTO_MD4_GET_CONTEXT_SIZE    DeprecatedMd4GetContextSize;
+  DEPRECATED_EDKII_CRYPTO_MD4_INIT                DeprecatedMd4Init;
+  DEPRECATED_EDKII_CRYPTO_MD4_DUPLICATE           DeprecatedMd4Duplicate;
+  DEPRECATED_EDKII_CRYPTO_MD4_UPDATE              DeprecatedMd4Update;
+  DEPRECATED_EDKII_CRYPTO_MD4_FINAL               DeprecatedMd4Final;
+  DEPRECATED_EDKII_CRYPTO_MD4_HASH_ALL            DeprecatedMd4HashAll;
   /// Md5
   EDKII_CRYPTO_MD5_GET_CONTEXT_SIZE               Md5GetContextSize;
   EDKII_CRYPTO_MD5_INIT                           Md5Init;
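Review bot: the `/// Md4 - deprecated and unsupported` comment on the six renamed members does not say what a caller gets when it invokes one of these slots. The slots keep their position so that the layout of struct _EDKII_CRYPTO_PROTOCOL is unchanged, which means a consumer built against the older header can still call through them. The comment should state the behaviour such a caller must expect (the cover letter describes a dummy function that prints a debug message and asserts) and that these members must not be reordered or removed, so a later cleanup does not shift the offsets of Md5GetContextSize and everything after it.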
-- 
2.21.0.windows.1



* [PATCH V4 03/11] CryptoPkg/OpensslLib: Set MD4 disable in OpensslLib
  2020-05-11 18:27 [PATCH V4 00/11] CryptoPkg: Retire the deprecated functions Gao, Zhichao
  2020-05-11 18:27 ` [PATCH V4 01/11] CryptoPkg/CryptoDxe: Add function to indicate the deprecated algorithm Gao, Zhichao
  2020-05-11 18:27 ` [PATCH V4 02/11] CryptoPkg/BaseCrpytLib: Retire MD4 algorithm Gao, Zhichao
@ 2020-05-11 18:27 ` Gao, Zhichao
  2020-05-11 18:27 ` [PATCH V4 04/11] CryptoPkg/BaseCryptLib: Retire ARC4 algorithm Gao, Zhichao
                   ` (8 subsequent siblings)
  11 siblings, 0 replies; 18+ messages in thread
From: Gao, Zhichao @ 2020-05-11 18:27 UTC (permalink / raw)
  To: devel
  Cc: Zhiguang Liu, Jian J Wang, Xiaoyu Lu, Siyuan Fu, Michael D Kinney,
	Jiewen Yao, Philippe Mathieu-Daude

From: Zhiguang Liu <zhiguang.liu@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898

This patch is created by adding the setting "no_md4" of
process_files.pl and running it through perl.
It would remove the MD4 from OpensslLib.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Philippe Mathieu-Daude <philmd@redhat.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
 CryptoPkg/Library/Include/openssl/opensslconf.h   | 3 +++
 CryptoPkg/Library/OpensslLib/OpensslLib.inf       | 3 ---
 CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf | 3 ---
 CryptoPkg/Library/OpensslLib/process_files.pl     | 1 +
 4 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h b/CryptoPkg/Library/Include/openssl/opensslconf.h
index bd34e53ef2..84672636dc 100644
--- a/CryptoPkg/Library/Include/openssl/opensslconf.h
+++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
@@ -61,6 +61,9 @@ extern "C" {
 #ifndef OPENSSL_NO_MD2
 # define OPENSSL_NO_MD2
 #endif
+#ifndef OPENSSL_NO_MD4
+# define OPENSSL_NO_MD4
+#endif
 #ifndef OPENSSL_NO_MDC2
 # define OPENSSL_NO_MDC2
 #endif
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index 9ed0175553..10710e4a7c 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -294,8 +294,6 @@
   $(OPENSSL_PATH)/crypto/kdf/tls1_prf.c
   $(OPENSSL_PATH)/crypto/lhash/lh_stats.c
   $(OPENSSL_PATH)/crypto/lhash/lhash.c
-  $(OPENSSL_PATH)/crypto/md4/md4_dgst.c
-  $(OPENSSL_PATH)/crypto/md4/md4_one.c
   $(OPENSSL_PATH)/crypto/md5/md5_dgst.c
   $(OPENSSL_PATH)/crypto/md5/md5_one.c
   $(OPENSSL_PATH)/crypto/mem.c
@@ -525,7 +523,6 @@
   $(OPENSSL_PATH)/crypto/evp/evp_locl.h
   $(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h
   $(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h
-  $(OPENSSL_PATH)/crypto/md4/md4_locl.h
   $(OPENSSL_PATH)/crypto/md5/md5_locl.h
   $(OPENSSL_PATH)/crypto/modes/modes_lcl.h
   $(OPENSSL_PATH)/crypto/objects/obj_dat.h
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
index 03da266627..d9782a3098 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
@@ -294,8 +294,6 @@
   $(OPENSSL_PATH)/crypto/kdf/tls1_prf.c
   $(OPENSSL_PATH)/crypto/lhash/lh_stats.c
   $(OPENSSL_PATH)/crypto/lhash/lhash.c
-  $(OPENSSL_PATH)/crypto/md4/md4_dgst.c
-  $(OPENSSL_PATH)/crypto/md4/md4_one.c
   $(OPENSSL_PATH)/crypto/md5/md5_dgst.c
   $(OPENSSL_PATH)/crypto/md5/md5_one.c
   $(OPENSSL_PATH)/crypto/mem.c
@@ -525,7 +523,6 @@
   $(OPENSSL_PATH)/crypto/evp/evp_locl.h
   $(OPENSSL_PATH)/crypto/hmac/hmac_lcl.h
   $(OPENSSL_PATH)/crypto/lhash/lhash_lcl.h
-  $(OPENSSL_PATH)/crypto/md4/md4_locl.h
   $(OPENSSL_PATH)/crypto/md5/md5_locl.h
   $(OPENSSL_PATH)/crypto/modes/modes_lcl.h
   $(OPENSSL_PATH)/crypto/objects/obj_dat.h
diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl b/CryptoPkg/Library/OpensslLib/process_files.pl
index 4ba25da407..bd4a84da24 100755
--- a/CryptoPkg/Library/OpensslLib/process_files.pl
+++ b/CryptoPkg/Library/OpensslLib/process_files.pl
@@ -73,6 +73,7 @@ BEGIN {
                 "no-gost",
                 "no-hw",
                 "no-idea",
+                "no-md4",
                 "no-mdc2",
                 "no-pic",
                 "no-ocb",
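Review bot: the option added to the list here is spelled `"no-md4"`, but the commit message refers to the setting as "no_md4"; align the commit message with the string that is actually added, so that someone regenerating the files looks for the right option. The commit message could also name the generated files (opensslconf.h, OpensslLib.inf, OpensslLibCrypto.inf), so that reviewers know those hunks are script output and that process_files.pl is the only hand edit.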
-- 
2.21.0.windows.1



* [PATCH V4 04/11] CryptoPkg/BaseCryptLib: Retire ARC4 algorithm
  2020-05-11 18:27 [PATCH V4 00/11] CryptoPkg: Retire the deprecated functions Gao, Zhichao
                   ` (2 preceding siblings ...)
  2020-05-11 18:27 ` [PATCH V4 03/11] CryptoPkg/OpensslLib: Set MD4 disable in OpensslLib Gao, Zhichao
@ 2020-05-11 18:27 ` Gao, Zhichao
  2020-05-11 18:27 ` [PATCH V4 05/11] CryptoPkg/OpensslLib: Set ARC4 disable in OpensslLib Gao, Zhichao
                   ` (7 subsequent siblings)
  11 siblings, 0 replies; 18+ messages in thread
From: Gao, Zhichao @ 2020-05-11 18:27 UTC (permalink / raw)
  To: devel
  Cc: Jian J Wang, Xiaoyu Lu, Siyuan Fu, Michael D Kinney, Jiewen Yao,
	Philippe Mathieu-Daude

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898

ARC4 is not secure any longer.
Remove the ARC4 support from edk2.
Change the ARC4 field name in EDKII_CRYPTO_PROTOCOL to indicate the
function is no longer supported.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Philippe Mathieu-Daude <philmd@redhat.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
 CryptoPkg/Driver/Crypto.c                     | 125 ++---------
 CryptoPkg/Include/Library/BaseCryptLib.h      | 132 -----------
 .../Library/BaseCryptLib/BaseCryptLib.inf     |   1 -
 .../Library/BaseCryptLib/Cipher/CryptArc4.c   | 205 ------------------
 .../BaseCryptLib/Cipher/CryptArc4Null.c       | 124 -----------
 .../Library/BaseCryptLib/PeiCryptLib.inf      |   3 +-
 .../Library/BaseCryptLib/PeiCryptLib.uni      |   4 +-
 .../Library/BaseCryptLib/RuntimeCryptLib.inf  |   3 +-
 .../Library/BaseCryptLib/RuntimeCryptLib.uni  |   4 +-
 .../Library/BaseCryptLib/SmmCryptLib.inf      |   3 +-
 .../Library/BaseCryptLib/SmmCryptLib.uni      |   4 +-
 .../BaseCryptLibNull/BaseCryptLibNull.inf     |   1 -
 .../BaseCryptLibNull/Cipher/CryptArc4Null.c   | 124 -----------
 .../BaseCryptLibOnProtocolPpi/CryptLib.c      | 147 -------------
 CryptoPkg/Private/Protocol/Crypto.h           | 115 ++--------
 15 files changed, 40 insertions(+), 955 deletions(-)
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4Null.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptArc4Null.c

diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index c7a54182c7..832fcda3b9 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -1982,150 +1982,61 @@ CryptoServiceAesCbcDecrypt (
 }
 
 /**
-  Retrieves the size, in bytes, of the context buffer required for ARC4 operations.
-
-  If this interface is not supported, then return zero.
-
-  @return  The size, in bytes, of the context buffer required for ARC4 operations.
-  @retval  0   This interface is not supported.
+  ARC4 is deprecated and unsupported any longer.
+  Keep the function field for binary compability.
 
 **/
 UINTN
 EFIAPI
-CryptoServiceArc4GetContextSize (
+DeprecatedCryptoServiceArc4GetContextSize (
   VOID
   )
 {
-  return CALL_BASECRYPTLIB (Arc4.Services.GetContextSize, Arc4GetContextSize, (), 0);
+  return BaseCryptLibServiceDeprecated ("Arc4GetContextSize"), 0;
 }
 
-/**
-  Initializes user-supplied memory as ARC4 context for subsequent use.
-
-  This function initializes user-supplied memory pointed by Arc4Context as ARC4 context.
-  In addition, it sets up all ARC4 key materials for subsequent encryption and decryption
-  operations.
-
-  If Arc4Context is NULL, then return FALSE.
-  If Key is NULL, then return FALSE.
-  If KeySize does not in the range of [5, 256] bytes, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  Arc4Context  Pointer to ARC4 context being initialized.
-  @param[in]   Key          Pointer to the user-supplied ARC4 key.
-  @param[in]   KeySize      Size of ARC4 key in bytes.
-
-  @retval TRUE   ARC4 context initialization succeeded.
-  @retval FALSE  ARC4 context initialization failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceArc4Init (
+DeprecatedCryptoServiceArc4Init (
   OUT  VOID         *Arc4Context,
   IN   CONST UINT8  *Key,
   IN   UINTN        KeySize
   )
 {
-  return CALL_BASECRYPTLIB (Arc4.Services.Init, Arc4Init, (Arc4Context, Key, KeySize), FALSE);
+  return BaseCryptLibServiceDeprecated ("Arc4Init"), FALSE;
 }
 
-/**
-  Performs ARC4 encryption on a data buffer of the specified size.
-
-  This function performs ARC4 encryption on data buffer pointed by Input, of specified
-  size of InputSize.
-  Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
-  invalid ARC4 context is undefined.
-
-  If Arc4Context is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-  @param[in]       Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]       InputSize    Size of the Input buffer in bytes.
-  @param[out]      Output       Pointer to a buffer that receives the ARC4 encryption output.
-
-  @retval TRUE   ARC4 encryption succeeded.
-  @retval FALSE  ARC4 encryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceArc4Encrypt (
+DeprecatedCryptoServiceArc4Encrypt (
   IN OUT  VOID         *Arc4Context,
   IN      CONST UINT8  *Input,
   IN      UINTN        InputSize,
   OUT     UINT8        *Output
   )
 {
-  return CALL_BASECRYPTLIB (Arc4.Services.Encrypt, Arc4Encrypt, (Arc4Context, Input, InputSize, Output), FALSE);
+  return BaseCryptLibServiceDeprecated ("Arc4Encrypt"), FALSE;
 }
 
-/**
-  Performs ARC4 decryption on a data buffer of the specified size.
-
-  This function performs ARC4 decryption on data buffer pointed by Input, of specified
-  size of InputSize.
-  Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
-  invalid ARC4 context is undefined.
-
-  If Arc4Context is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-  @param[in]       Input        Pointer to the buffer containing the data to be decrypted.
-  @param[in]       InputSize    Size of the Input buffer in bytes.
-  @param[out]      Output       Pointer to a buffer that receives the ARC4 decryption output.
-
-  @retval TRUE   ARC4 decryption succeeded.
-  @retval FALSE  ARC4 decryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceArc4Decrypt (
+DeprecatedCryptoServiceArc4Decrypt (
   IN OUT  VOID   *Arc4Context,
   IN      UINT8  *Input,
   IN      UINTN  InputSize,
   OUT     UINT8  *Output
   )
 {
-  return CALL_BASECRYPTLIB (Arc4.Services.Decrypt, Arc4Decrypt, (Arc4Context, Input, InputSize, Output), FALSE);
+  return BaseCryptLibServiceDeprecated ("Arc4Decrypt"), FALSE;
 }
 
-/**
-  Resets the ARC4 context to the initial state.
-
-  The function resets the ARC4 context to the state it had immediately after the
-  ARC4Init() function call.
-  Contrary to ARC4Init(), Arc4Reset() requires no secret key as input, but ARC4 context
-  should be already correctly initialized by ARC4Init().
-
-  If Arc4Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-
-  @retval TRUE   ARC4 reset succeeded.
-  @retval FALSE  ARC4 reset failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceArc4Reset (
+DeprecatedCryptoServiceArc4Reset (
   IN OUT  VOID  *Arc4Context
   )
 {
-  return CALL_BASECRYPTLIB (Arc4.Services.Reset, Arc4Reset, (Arc4Context), FALSE);
+  return BaseCryptLibServiceDeprecated ("Arc4Reset"), FALSE;
 }
 
 //=====================================================================================
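Review bot: Four of the five replacement functions (DeprecatedCryptoServiceArc4Init, DeprecatedCryptoServiceArc4Encrypt, DeprecatedCryptoServiceArc4Decrypt and DeprecatedCryptoServiceArc4Reset) end up with no header comment at all; only DeprecatedCryptoServiceArc4GetContextSize receives the new two-line one. Give each stub a short comment with a @retval line saying it always returns FALSE (0 for GetContextSize), since that is now the entire contract a caller has to handle. In the comment that was added, "compability" should be "compatibility", and "deprecated and unsupported any longer" reads better as "deprecated and no longer supported". The comma expression in "return BaseCryptLibServiceDeprecated ("Arc4Init"), FALSE;" is easy to misread; a plain call statement followed by "return FALSE;" does the same thing and is clearer.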
@@ -4447,12 +4358,12 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
   CryptoServiceAesEcbDecrypt,
   CryptoServiceAesCbcEncrypt,
   CryptoServiceAesCbcDecrypt,
-  /// Arc4
-  CryptoServiceArc4GetContextSize,
-  CryptoServiceArc4Init,
-  CryptoServiceArc4Encrypt,
-  CryptoServiceArc4Decrypt,
-  CryptoServiceArc4Reset,
+  /// Arc4 - deprecated and unsupported
+  DeprecatedCryptoServiceArc4GetContextSize,
+  DeprecatedCryptoServiceArc4Init,
+  DeprecatedCryptoServiceArc4Encrypt,
+  DeprecatedCryptoServiceArc4Decrypt,
+  DeprecatedCryptoServiceArc4Reset,
   /// SM3
   CryptoServiceSm3GetContextSize,
   CryptoServiceSm3Init,
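Review bot: This initializer is positional, so the five Deprecated* entries have to stay in exactly the slots the Arc4 members occupy in EDKII_CRYPTO_PROTOCOL. The diffstat shows CryptoPkg/Private/Protocol/Crypto.h changing in the same patch, so check that the renamed fields there keep the same order (GetContextSize, Init, Encrypt, Decrypt, Reset) and the same function-pointer types as before. Extending the "/// Arc4 - deprecated and unsupported" comment to say the slots are retained only to preserve the table layout would stop a later cleanup from deleting them and shifting every entry after SM3.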
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index c862f0334f..25e236c4a3 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -1667,138 +1667,6 @@ AesCbcDecrypt (
   OUT  UINT8        *Output
   );
 
-/**
-  Retrieves the size, in bytes, of the context buffer required for ARC4 operations.
-
-  If this interface is not supported, then return zero.
-
-  @return  The size, in bytes, of the context buffer required for ARC4 operations.
-  @retval  0   This interface is not supported.
-
-**/
-UINTN
-EFIAPI
-Arc4GetContextSize (
-  VOID
-  );
-
-/**
-  Initializes user-supplied memory as ARC4 context for subsequent use.
-
-  This function initializes user-supplied memory pointed by Arc4Context as ARC4 context.
-  In addition, it sets up all ARC4 key materials for subsequent encryption and decryption
-  operations.
-
-  If Arc4Context is NULL, then return FALSE.
-  If Key is NULL, then return FALSE.
-  If KeySize does not in the range of [5, 256] bytes, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  Arc4Context  Pointer to ARC4 context being initialized.
-  @param[in]   Key          Pointer to the user-supplied ARC4 key.
-  @param[in]   KeySize      Size of ARC4 key in bytes.
-
-  @retval TRUE   ARC4 context initialization succeeded.
-  @retval FALSE  ARC4 context initialization failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Init (
-  OUT  VOID         *Arc4Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  );
-
-/**
-  Performs ARC4 encryption on a data buffer of the specified size.
-
-  This function performs ARC4 encryption on data buffer pointed by Input, of specified
-  size of InputSize.
-  Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
-  invalid ARC4 context is undefined.
-
-  If Arc4Context is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-  @param[in]       Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]       InputSize    Size of the Input buffer in bytes.
-  @param[out]      Output       Pointer to a buffer that receives the ARC4 encryption output.
-
-  @retval TRUE   ARC4 encryption succeeded.
-  @retval FALSE  ARC4 encryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Encrypt (
-  IN OUT  VOID         *Arc4Context,
-  IN      CONST UINT8  *Input,
-  IN      UINTN        InputSize,
-  OUT     UINT8        *Output
-  );
-
-/**
-  Performs ARC4 decryption on a data buffer of the specified size.
-
-  This function performs ARC4 decryption on data buffer pointed by Input, of specified
-  size of InputSize.
-  Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
-  invalid ARC4 context is undefined.
-
-  If Arc4Context is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-  @param[in]       Input        Pointer to the buffer containing the data to be decrypted.
-  @param[in]       InputSize    Size of the Input buffer in bytes.
-  @param[out]      Output       Pointer to a buffer that receives the ARC4 decryption output.
-
-  @retval TRUE   ARC4 decryption succeeded.
-  @retval FALSE  ARC4 decryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Decrypt (
-  IN OUT  VOID   *Arc4Context,
-  IN      UINT8  *Input,
-  IN      UINTN  InputSize,
-  OUT     UINT8  *Output
-  );
-
-/**
-  Resets the ARC4 context to the initial state.
-
-  The function resets the ARC4 context to the state it had immediately after the
-  ARC4Init() function call.
-  Contrary to ARC4Init(), Arc4Reset() requires no secret key as input, but ARC4 context
-  should be already correctly initialized by ARC4Init().
-
-  If Arc4Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-
-  @retval TRUE   ARC4 reset succeeded.
-  @retval FALSE  ARC4 reset failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Reset (
-  IN OUT  VOID  *Arc4Context
-  );
-
 //=====================================================================================
 //    Asymmetric Cryptography Primitive
 //=====================================================================================
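Review bot: Removing the five Arc4* prototypes from the public header gives two different failure modes that the commit message does not distinguish: a module that calls Arc4Init() and friends through BaseCryptLib now fails at build time, while a module that goes through the protocol table only sees FALSE or 0 at run time. Say so in the commit message, and confirm that no in-tree module still references the Arc4* names before this lands, since a consumer that ignores the FALSE return would otherwise carry on with an output buffer that was never written.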
diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
index 22992e7d43..da38ea552f 100644
--- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -40,7 +40,6 @@
   Kdf/CryptHkdf.c
   Cipher/CryptAes.c
   Cipher/CryptTdes.c
-  Cipher/CryptArc4.c
   Pk/CryptRsaBasic.c
   Pk/CryptRsaExt.c
   Pk/CryptPkcs1Oaep.c
diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4.c b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4.c
deleted file mode 100644
index 388d312bed..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4.c
+++ /dev/null
@@ -1,205 +0,0 @@
-/** @file
-  ARC4 Wrapper Implementation over OpenSSL.
-
-Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-#include <openssl/rc4.h>
-
-/**
-  Retrieves the size, in bytes, of the context buffer required for ARC4 operations.
-
-  @return  The size, in bytes, of the context buffer required for ARC4 operations.
-
-**/
-UINTN
-EFIAPI
-Arc4GetContextSize (
-  VOID
-  )
-{
-  //
-  // Memory for 2 copies of RC4_KEY is allocated, one for working copy, and the other
-  // for backup copy. When Arc4Reset() is called, we can use the backup copy to restore
-  // the working copy to the initial state.
-  //
-  return (UINTN) (2 * sizeof (RC4_KEY));
-}
-
-/**
-  Initializes user-supplied memory as ARC4 context for subsequent use.
-
-  This function initializes user-supplied memory pointed by Arc4Context as ARC4 context.
-  In addition, it sets up all ARC4 key materials for subsequent encryption and decryption
-  operations.
-
-  If Arc4Context is NULL, then return FALSE.
-  If Key is NULL, then return FALSE.
-  If KeySize does not in the range of [5, 256] bytes, then return FALSE.
-
-  @param[out]  Arc4Context  Pointer to ARC4 context being initialized.
-  @param[in]   Key          Pointer to the user-supplied ARC4 key.
-  @param[in]   KeySize      Size of ARC4 key in bytes.
-
-  @retval TRUE   ARC4 context initialization succeeded.
-  @retval FALSE  ARC4 context initialization failed.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Init (
-  OUT  VOID         *Arc4Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  )
-{
-  RC4_KEY  *Rc4Key;
-
-  //
-  // Check input parameters.
-  //
-  if (Arc4Context == NULL || Key == NULL || (KeySize < 5 || KeySize > 256)) {
-    return FALSE;
-  }
-
-  Rc4Key = (RC4_KEY *) Arc4Context;
-
-  RC4_set_key (Rc4Key, (UINT32) KeySize, Key);
-
-  CopyMem (Rc4Key +  1, Rc4Key, sizeof (RC4_KEY));
-
-  return TRUE;
-}
-
-/**
-  Performs ARC4 encryption on a data buffer of the specified size.
-
-  This function performs ARC4 encryption on data buffer pointed by Input, of specified
-  size of InputSize.
-  Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
-  invalid ARC4 context is undefined.
-
-  If Arc4Context is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-  @param[in]       Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]       InputSize    Size of the Input buffer in bytes.
-  @param[out]      Output       Pointer to a buffer that receives the ARC4 encryption output.
-
-  @retval TRUE   ARC4 encryption succeeded.
-  @retval FALSE  ARC4 encryption failed.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Encrypt (
-  IN OUT  VOID         *Arc4Context,
-  IN      CONST UINT8  *Input,
-  IN      UINTN        InputSize,
-  OUT     UINT8        *Output
-  )
-{
-  RC4_KEY  *Rc4Key;
-
-  //
-  // Check input parameters.
-  //
-  if (Arc4Context == NULL || Input == NULL || Output == NULL || InputSize > INT_MAX) {
-    return FALSE;
-  }
-
-  Rc4Key = (RC4_KEY *) Arc4Context;
-
-  RC4 (Rc4Key, (UINT32) InputSize, Input, Output);
-
-  return TRUE;
-}
-
-/**
-  Performs ARC4 decryption on a data buffer of the specified size.
-
-  This function performs ARC4 decryption on data buffer pointed by Input, of specified
-  size of InputSize.
-  Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
-  invalid ARC4 context is undefined.
-
-  If Arc4Context is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-  @param[in]       Input        Pointer to the buffer containing the data to be decrypted.
-  @param[in]       InputSize    Size of the Input buffer in bytes.
-  @param[out]      Output       Pointer to a buffer that receives the ARC4 decryption output.
-
-  @retval TRUE   ARC4 decryption succeeded.
-  @retval FALSE  ARC4 decryption failed.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Decrypt (
-  IN OUT  VOID   *Arc4Context,
-  IN      UINT8  *Input,
-  IN      UINTN  InputSize,
-  OUT     UINT8  *Output
-  )
-{
-  RC4_KEY  *Rc4Key;
-
-  //
-  // Check input parameters.
-  //
-  if (Arc4Context == NULL || Input == NULL || Output == NULL || InputSize > INT_MAX) {
-    return FALSE;
-  }
-
-  Rc4Key = (RC4_KEY *) Arc4Context;
-
-  RC4 (Rc4Key, (UINT32) InputSize, Input, Output);
-
-  return TRUE;
-}
-
-/**
-  Resets the ARC4 context to the initial state.
-
-  The function resets the ARC4 context to the state it had immediately after the
-  ARC4Init() function call.
-  Contrary to ARC4Init(), Arc4Reset() requires no secret key as input, but ARC4 context
-  should be already correctly initialized by ARC4Init().
-
-  If Arc4Context is NULL, then return FALSE.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-
-  @retval TRUE   ARC4 reset succeeded.
-  @retval FALSE  ARC4 reset failed.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Reset (
-  IN OUT  VOID  *Arc4Context
-  )
-{
-  RC4_KEY  *Rc4Key;
-
-  //
-  // Check input parameters.
-  //
-  if (Arc4Context == NULL) {
-    return FALSE;
-  }
-
-  Rc4Key = (RC4_KEY *) Arc4Context;
-
-  CopyMem (Rc4Key, Rc4Key + 1, sizeof (RC4_KEY));
-
-  return TRUE;
-}
diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4Null.c b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4Null.c
deleted file mode 100644
index 1f09bfa30e..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4Null.c
+++ /dev/null
@@ -1,124 +0,0 @@
-/** @file
-  ARC4 Wrapper Implementation which does not provide real capabilities.
-
-Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-
-/**
-  Retrieves the size, in bytes, of the context buffer required for ARC4 operations.
-
-  Return zero to indicate this interface is not supported.
-
-  @retval  0   This interface is not supported.
-
-
-**/
-UINTN
-EFIAPI
-Arc4GetContextSize (
-  VOID
-  )
-{
-  ASSERT (FALSE);
-  return 0;
-}
-
-/**
-  Initializes user-supplied memory as ARC4 context for subsequent use.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[out]  Arc4Context  Pointer to ARC4 context being initialized.
-  @param[in]   Key          Pointer to the user-supplied ARC4 key.
-  @param[in]   KeySize      Size of ARC4 key in bytes.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Init (
-  OUT  VOID         *Arc4Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Performs ARC4 encryption on a data buffer of the specified size.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-  @param[in]       Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]       InputSize    Size of the Input buffer in bytes.
-  @param[out]      Output       Pointer to a buffer that receives the ARC4 encryption output.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Encrypt (
-  IN OUT  VOID         *Arc4Context,
-  IN      CONST UINT8  *Input,
-  IN      UINTN        InputSize,
-  OUT     UINT8        *Output
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Performs ARC4 decryption on a data buffer of the specified size.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-  @param[in]       Input        Pointer to the buffer containing the data to be decrypted.
-  @param[in]       InputSize    Size of the Input buffer in bytes.
-  @param[out]      Output       Pointer to a buffer that receives the ARC4 decryption output.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Decrypt (
-  IN OUT  VOID   *Arc4Context,
-  IN      UINT8  *Input,
-  IN      UINTN  InputSize,
-  OUT     UINT8  *Output
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Resets the ARC4 context to the initial state.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Reset (
-  IN OUT  VOID  *Arc4Context
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
index e9add0127d..f43953b78c 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
@@ -7,7 +7,7 @@
 #  buffer overflow or integer overflow.
 #
 #  Note:
-#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES/ARC4 functions, RSA external
+#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES functions, RSA external
 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509
 #  certificate handler functions, authenticode signature verification functions,
 #  PEM handler functions, and pseudorandom number generator functions are not
@@ -46,7 +46,6 @@
   Kdf/CryptHkdfNull.c
   Cipher/CryptAesNull.c
   Cipher/CryptTdesNull.c
-  Cipher/CryptArc4Null.c
   Pk/CryptRsaBasic.c
   Pk/CryptRsaExtNull.c
   Pk/CryptPkcs1OaepNull.c
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
index 374bfb3f65..5abd8e8dfb 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
@@ -7,7 +7,7 @@
 // buffer overflow or integer overflow.
 //
 // Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
-// TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions,
+// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, X.509 certificate handler functions, authenticode
 // signature verification functions, PEM handler functions, and pseudorandom number
 // generator functions are not supported in this instance.
@@ -21,5 +21,5 @@
 
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for PEIM"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."
 
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
index 0a2eb03232..f1eb099b67 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
@@ -7,7 +7,7 @@
 #  buffer overflow or integer overflow.
 #
 #  Note: SHA-384 Digest functions, SHA-512 Digest functions,
-#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES/ARC4 functions, RSA external
+#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES functions, RSA external
 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
 #  authenticode signature verification functions are not supported in this instance.
 #
@@ -46,7 +46,6 @@
   Kdf/CryptHkdfNull.c
   Cipher/CryptAesNull.c
   Cipher/CryptTdesNull.c
-  Cipher/CryptArc4Null.c
   Pk/CryptRsaBasic.c
   Pk/CryptRsaExtNull.c
   Pk/CryptPkcs1OaepNull.c
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
index b6d751176e..5a48d2a308 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
@@ -7,7 +7,7 @@
 // buffer overflow or integer overflow.
 //
 // Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
-// TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions,
+// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, and authenticode signature verification functions are
 // not supported in this instance.
 //
@@ -20,5 +20,5 @@
 
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for DXE_RUNTIME_DRIVER"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
 
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
index 139983075e..3a94655775 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
@@ -7,7 +7,7 @@
 #  buffer overflow or integer overflow.
 #
 #  Note: SHA-384 Digest functions, SHA-512 Digest functions,
-#  HMAC-MD5 functions, HMAC-SHA1 functions, TDES/ARC4 functions, RSA external
+#  HMAC-MD5 functions, HMAC-SHA1 functions, TDES functions, RSA external
 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
 #  authenticode signature verification functions are not supported in this instance.
 #
@@ -45,7 +45,6 @@
   Kdf/CryptHkdfNull.c
   Cipher/CryptAes.c
   Cipher/CryptTdesNull.c
-  Cipher/CryptArc4Null.c
   Pk/CryptRsaBasic.c
   Pk/CryptRsaExtNull.c
   Pk/CryptPkcs1Oaep.c
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
index b8d7953d2b..0561f107e8 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
@@ -7,7 +7,7 @@
 // buffer overflow or integer overflow.
 //
 // Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
-// TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions,
+// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, and authenticode signature verification functions are
 // not supported in this instance.
 //
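Review bot: The "Note:" text kept in this hunk still lists "AES/" among the unsupported functions, but SmmCryptLib.inf in this same patch builds Cipher/CryptAes.c and its own header comment lists only "TDES functions". Since the line is being edited anyway, drop "AES/" here and in the STR_MODULE_DESCRIPTION string in the next hunk so the .uni description matches what the SMM instance actually provides.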
@@ -20,5 +20,5 @@
 
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for SMM driver"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
 
diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
index b03681b146..a205c9005d 100644
--- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
+++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
@@ -40,7 +40,6 @@
   Kdf/CryptHkdfNull.c
   Cipher/CryptAesNull.c
   Cipher/CryptTdesNull.c
-  Cipher/CryptArc4Null.c
   Pk/CryptRsaBasicNull.c
   Pk/CryptRsaExtNull.c
   Pk/CryptPkcs1OaepNull.c
diff --git a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptArc4Null.c b/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptArc4Null.c
deleted file mode 100644
index 1f09bfa30e..0000000000
--- a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptArc4Null.c
+++ /dev/null
@@ -1,124 +0,0 @@
-/** @file
-  ARC4 Wrapper Implementation which does not provide real capabilities.
-
-Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-
-/**
-  Retrieves the size, in bytes, of the context buffer required for ARC4 operations.
-
-  Return zero to indicate this interface is not supported.
-
-  @retval  0   This interface is not supported.
-
-
-**/
-UINTN
-EFIAPI
-Arc4GetContextSize (
-  VOID
-  )
-{
-  ASSERT (FALSE);
-  return 0;
-}
-
-/**
-  Initializes user-supplied memory as ARC4 context for subsequent use.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[out]  Arc4Context  Pointer to ARC4 context being initialized.
-  @param[in]   Key          Pointer to the user-supplied ARC4 key.
-  @param[in]   KeySize      Size of ARC4 key in bytes.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Init (
-  OUT  VOID         *Arc4Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Performs ARC4 encryption on a data buffer of the specified size.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-  @param[in]       Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]       InputSize    Size of the Input buffer in bytes.
-  @param[out]      Output       Pointer to a buffer that receives the ARC4 encryption output.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Encrypt (
-  IN OUT  VOID         *Arc4Context,
-  IN      CONST UINT8  *Input,
-  IN      UINTN        InputSize,
-  OUT     UINT8        *Output
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Performs ARC4 decryption on a data buffer of the specified size.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-  @param[in]       Input        Pointer to the buffer containing the data to be decrypted.
-  @param[in]       InputSize    Size of the Input buffer in bytes.
-  @param[out]      Output       Pointer to a buffer that receives the ARC4 decryption output.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Decrypt (
-  IN OUT  VOID   *Arc4Context,
-  IN      UINT8  *Input,
-  IN      UINTN  InputSize,
-  OUT     UINT8  *Output
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Resets the ARC4 context to the initial state.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Reset (
-  IN OUT  VOID  *Arc4Context
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
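Review bot: these Null stubs were the only thing giving BaseCryptLibNull consumers a defined run-time result for ARC4 (ASSERT (FALSE) followed by return FALSE or 0). With the file deleted, any remaining caller of Arc4GetContextSize, Arc4Init, Arc4Encrypt, Arc4Decrypt or Arc4Reset becomes an unresolved symbol at link time. That is the safer failure mode, but the commit message should say so, so that platform owners know to look for leftover ARC4 callers before picking up the series.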
diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index 5e470028f4..77915bdb86 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -1892,153 +1892,6 @@ AesCbcDecrypt (
   CALL_CRYPTO_SERVICE (AesCbcDecrypt, (AesContext, Input, InputSize, Ivec, Output), FALSE);
 }
 
-/**
-  Retrieves the size, in bytes, of the context buffer required for ARC4 operations.
-
-  If this interface is not supported, then return zero.
-
-  @return  The size, in bytes, of the context buffer required for ARC4 operations.
-  @retval  0   This interface is not supported.
-
-**/
-UINTN
-EFIAPI
-Arc4GetContextSize (
-  VOID
-  )
-{
-  CALL_CRYPTO_SERVICE (Arc4GetContextSize, (), 0);
-}
-
-/**
-  Initializes user-supplied memory as ARC4 context for subsequent use.
-
-  This function initializes user-supplied memory pointed by Arc4Context as ARC4 context.
-  In addition, it sets up all ARC4 key materials for subsequent encryption and decryption
-  operations.
-
-  If Arc4Context is NULL, then return FALSE.
-  If Key is NULL, then return FALSE.
-  If KeySize does not in the range of [5, 256] bytes, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  Arc4Context  Pointer to ARC4 context being initialized.
-  @param[in]   Key          Pointer to the user-supplied ARC4 key.
-  @param[in]   KeySize      Size of ARC4 key in bytes.
-
-  @retval TRUE   ARC4 context initialization succeeded.
-  @retval FALSE  ARC4 context initialization failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Init (
-  OUT  VOID         *Arc4Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  )
-{
-  CALL_CRYPTO_SERVICE (Arc4Init, (Arc4Context, Key, KeySize), FALSE);
-}
-
-/**
-  Performs ARC4 encryption on a data buffer of the specified size.
-
-  This function performs ARC4 encryption on data buffer pointed by Input, of specified
-  size of InputSize.
-  Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
-  invalid ARC4 context is undefined.
-
-  If Arc4Context is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-  @param[in]       Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]       InputSize    Size of the Input buffer in bytes.
-  @param[out]      Output       Pointer to a buffer that receives the ARC4 encryption output.
-
-  @retval TRUE   ARC4 encryption succeeded.
-  @retval FALSE  ARC4 encryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Encrypt (
-  IN OUT  VOID         *Arc4Context,
-  IN      CONST UINT8  *Input,
-  IN      UINTN        InputSize,
-  OUT     UINT8        *Output
-  )
-{
-  CALL_CRYPTO_SERVICE (Arc4Encrypt, (Arc4Context, Input, InputSize, Output), FALSE);
-}
-
-/**
-  Performs ARC4 decryption on a data buffer of the specified size.
-
-  This function performs ARC4 decryption on data buffer pointed by Input, of specified
-  size of InputSize.
-  Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
-  invalid ARC4 context is undefined.
-
-  If Arc4Context is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-  @param[in]       Input        Pointer to the buffer containing the data to be decrypted.
-  @param[in]       InputSize    Size of the Input buffer in bytes.
-  @param[out]      Output       Pointer to a buffer that receives the ARC4 decryption output.
-
-  @retval TRUE   ARC4 decryption succeeded.
-  @retval FALSE  ARC4 decryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Decrypt (
-  IN OUT  VOID   *Arc4Context,
-  IN      UINT8  *Input,
-  IN      UINTN  InputSize,
-  OUT     UINT8  *Output
-  )
-{
-  CALL_CRYPTO_SERVICE (Arc4Decrypt, (Arc4Context, Input, InputSize, Output), FALSE);
-}
-
-/**
-  Resets the ARC4 context to the initial state.
-
-  The function resets the ARC4 context to the state it had immediately after the
-  ARC4Init() function call.
-  Contrary to ARC4Init(), Arc4Reset() requires no secret key as input, but ARC4 context
-  should be already correctly initialized by ARC4Init().
-
-  If Arc4Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-
-  @retval TRUE   ARC4 reset succeeded.
-  @retval FALSE  ARC4 reset failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-Arc4Reset (
-  IN OUT  VOID  *Arc4Context
-  )
-{
-  CALL_CRYPTO_SERVICE (Arc4Reset, (Arc4Context), FALSE);
-}
-
 //=====================================================================================
 //    Asymmetric Cryptography Primitive
 //=====================================================================================
diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h
index ae0f29695c..f36c5c1aff 100644
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@@ -2785,134 +2785,45 @@ BOOLEAN
   );
 
 /**
-  Retrieves the size, in bytes, of the context buffer required for ARC4 operations.
-
-  If this interface is not supported, then return zero.
-
-  @return  The size, in bytes, of the context buffer required for ARC4 operations.
-  @retval  0   This interface is not supported.
+  ARC4 is deprecated and unsupported any longer.
+  Keep the function field for binary compability.
 
 **/
 typedef
 UINTN
-(EFIAPI *EDKII_CRYPTO_ARC4_GET_CONTEXT_SIZE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_ARC4_GET_CONTEXT_SIZE) (
   VOID
   );
 
-/**
-  Initializes user-supplied memory as ARC4 context for subsequent use.
-
-  This function initializes user-supplied memory pointed by Arc4Context as ARC4 context.
-  In addition, it sets up all ARC4 key materials for subsequent encryption and decryption
-  operations.
-
-  If Arc4Context is NULL, then return FALSE.
-  If Key is NULL, then return FALSE.
-  If KeySize does not in the range of [5, 256] bytes, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  Arc4Context  Pointer to ARC4 context being initialized.
-  @param[in]   Key          Pointer to the user-supplied ARC4 key.
-  @param[in]   KeySize      Size of ARC4 key in bytes.
-
-  @retval TRUE   ARC4 context initialization succeeded.
-  @retval FALSE  ARC4 context initialization failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_ARC4_INIT) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_ARC4_INIT) (
   OUT  VOID         *Arc4Context,
   IN   CONST UINT8  *Key,
   IN   UINTN        KeySize
   );
 
-/**
-  Performs ARC4 encryption on a data buffer of the specified size.
-
-  This function performs ARC4 encryption on data buffer pointed by Input, of specified
-  size of InputSize.
-  Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
-  invalid ARC4 context is undefined.
-
-  If Arc4Context is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-  @param[in]       Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]       InputSize    Size of the Input buffer in bytes.
-  @param[out]      Output       Pointer to a buffer that receives the ARC4 encryption output.
-
-  @retval TRUE   ARC4 encryption succeeded.
-  @retval FALSE  ARC4 encryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_ARC4_ENCRYPT) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_ARC4_ENCRYPT) (
   IN OUT  VOID         *Arc4Context,
   IN      CONST UINT8  *Input,
   IN      UINTN        InputSize,
   OUT     UINT8        *Output
   );
 
-/**
-  Performs ARC4 decryption on a data buffer of the specified size.
-
-  This function performs ARC4 decryption on data buffer pointed by Input, of specified
-  size of InputSize.
-  Arc4Context should be already correctly initialized by Arc4Init(). Behavior with
-  invalid ARC4 context is undefined.
-
-  If Arc4Context is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-  @param[in]       Input        Pointer to the buffer containing the data to be decrypted.
-  @param[in]       InputSize    Size of the Input buffer in bytes.
-  @param[out]      Output       Pointer to a buffer that receives the ARC4 decryption output.
-
-  @retval TRUE   ARC4 decryption succeeded.
-  @retval FALSE  ARC4 decryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_ARC4_DECRYPT) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_ARC4_DECRYPT) (
   IN OUT  VOID   *Arc4Context,
   IN      UINT8  *Input,
   IN      UINTN  InputSize,
   OUT     UINT8  *Output
   );
 
-/**
-  Resets the ARC4 context to the initial state.
-
-  The function resets the ARC4 context to the state it had immediately after the
-  ARC4Init() function call.
-  Contrary to ARC4Init(), Arc4Reset() requires no secret key as input, but ARC4 context
-  should be already correctly initialized by ARC4Init().
-
-  If Arc4Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  Arc4Context  Pointer to the ARC4 context.
-
-  @retval TRUE   ARC4 reset succeeded.
-  @retval FALSE  ARC4 reset failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_ARC4_RESET) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_ARC4_RESET) (
   IN OUT  VOID  *Arc4Context
   );
 
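Review bot: "compability" in the new comment above DEPRECATED_EDKII_CRYPTO_ARC4_GET_CONTEXT_SIZE should be "compatibility", and "deprecated and unsupported any longer" reads better as "deprecated and no longer supported". Only the first typedef keeps a comment; the other four DEPRECATED_EDKII_CRYPTO_ARC4_* typedefs are left undocumented, so either repeat the two-line comment on each or state once that it covers all five.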
@@ -4014,12 +3925,12 @@ struct _EDKII_CRYPTO_PROTOCOL {
   EDKII_CRYPTO_AES_ECB_DECRYPT                    AesEcbDecrypt;
   EDKII_CRYPTO_AES_CBC_ENCRYPT                    AesCbcEncrypt;
   EDKII_CRYPTO_AES_CBC_DECRYPT                    AesCbcDecrypt;
-  /// Arc4
-  EDKII_CRYPTO_ARC4_GET_CONTEXT_SIZE              Arc4GetContextSize;
-  EDKII_CRYPTO_ARC4_INIT                          Arc4Init;
-  EDKII_CRYPTO_ARC4_ENCRYPT                       Arc4Encrypt;
-  EDKII_CRYPTO_ARC4_DECRYPT                       Arc4Decrypt;
-  EDKII_CRYPTO_ARC4_RESET                         Arc4Reset;
+  /// Arc4 - deprecated and unsupported
+  DEPRECATED_EDKII_CRYPTO_ARC4_GET_CONTEXT_SIZE   DeprecatedArc4GetContextSize;
+  DEPRECATED_EDKII_CRYPTO_ARC4_INIT               DeprecatedArc4Init;
+  DEPRECATED_EDKII_CRYPTO_ARC4_ENCRYPT            DeprecatedArc4Encrypt;
+  DEPRECATED_EDKII_CRYPTO_ARC4_DECRYPT            DeprecatedArc4Decrypt;
+  DEPRECATED_EDKII_CRYPTO_ARC4_RESET              DeprecatedArc4Reset;
   /// SM3
   EDKII_CRYPTO_SM3_GET_CONTEXT_SIZE               Sm3GetContextSize;
   EDKII_CRYPTO_SM3_INIT                           Sm3Init;
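Review bot: keeping the five ARC4 slots in place between AesCbcDecrypt and Sm3GetContextSize preserves the member offsets of EDKII_CRYPTO_PROTOCOL, but nothing in the struct says that this is why they remain. Extend the "/// Arc4 - deprecated and unsupported" comment to state that the slots are placeholders that must not be removed or reordered, otherwise a later cleanup could shift every member after them. The rename to DeprecatedArc4* is also a source-level break for any code that dereferences the protocol members by name, which deserves a line in the commit message.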
-- 
2.21.0.windows.1



* [PATCH V4 05/11] CryptoPkg/OpensslLib: Set ARC4 disable in OpensslLib
  2020-05-11 18:27 [PATCH V4 00/11] CryptoPkg: Retire the deprecated functions Gao, Zhichao
                   ` (3 preceding siblings ...)
  2020-05-11 18:27 ` [PATCH V4 04/11] CryptoPkg/BaseCryptLib: Retire ARC4 algorithm Gao, Zhichao
@ 2020-05-11 18:27 ` Gao, Zhichao
  2020-05-11 18:27 ` [PATCH V4 06/11] CryptoPkg/BaseCryptLib: Retire the TDES algorithm Gao, Zhichao
                   ` (6 subsequent siblings)
  11 siblings, 0 replies; 18+ messages in thread
From: Gao, Zhichao @ 2020-05-11 18:27 UTC (permalink / raw)
  To: devel
  Cc: Zhiguang Liu, Jian J Wang, Xiaoyu Lu, Siyuan Fu, Michael D Kinney,
	Jiewen Yao, Philippe Mathieu-Daude

From: Zhiguang Liu <zhiguang.liu@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898

This patch is created by adding the setting "no_rc4" of
process_files.pl and running it thru perl.
It would remove the ARC4 from OpensslLib.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Philippe Mathieu-Daude <philmd@redhat.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
 CryptoPkg/Library/Include/openssl/opensslconf.h   | 3 +++
 CryptoPkg/Library/OpensslLib/OpensslLib.inf       | 3 ---
 CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf | 3 ---
 CryptoPkg/Library/OpensslLib/process_files.pl     | 1 +
 4 files changed, 4 insertions(+), 6 deletions(-)

diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h b/CryptoPkg/Library/Include/openssl/opensslconf.h
index 84672636dc..bab07db583 100644
--- a/CryptoPkg/Library/Include/openssl/opensslconf.h
+++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
@@ -73,6 +73,9 @@ extern "C" {
 #ifndef OPENSSL_NO_RC2
 # define OPENSSL_NO_RC2
 #endif
+#ifndef OPENSSL_NO_RC4
+# define OPENSSL_NO_RC4
+#endif
 #ifndef OPENSSL_NO_RC5
 # define OPENSSL_NO_RC5
 #endif
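Review bot: the OPENSSL_NO_RC4 guard added here comes from the "no-rc4" option in process_files.pl, but the commit message names the setting "no_rc4". Please make the message match the option string. Since this header and both INF files are regenerated rather than hand-edited, it would also help to state in the message which OpenSSL source revision the script was run against, so the generated hunks can be reproduced.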
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index 10710e4a7c..dfaefd1c08 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -374,8 +374,6 @@
   $(OPENSSL_PATH)/crypto/rand/rand_unix.c
   $(OPENSSL_PATH)/crypto/rand/rand_vms.c
   $(OPENSSL_PATH)/crypto/rand/rand_win.c
-  $(OPENSSL_PATH)/crypto/rc4/rc4_enc.c
-  $(OPENSSL_PATH)/crypto/rc4/rc4_skey.c
   $(OPENSSL_PATH)/crypto/rsa/rsa_ameth.c
   $(OPENSSL_PATH)/crypto/rsa/rsa_asn1.c
   $(OPENSSL_PATH)/crypto/rsa/rsa_chk.c
@@ -531,7 +529,6 @@
   $(OPENSSL_PATH)/crypto/ocsp/ocsp_lcl.h
   $(OPENSSL_PATH)/crypto/pkcs12/p12_lcl.h
   $(OPENSSL_PATH)/crypto/rand/rand_lcl.h
-  $(OPENSSL_PATH)/crypto/rc4/rc4_locl.h
   $(OPENSSL_PATH)/crypto/rsa/rsa_locl.h
   $(OPENSSL_PATH)/crypto/sha/sha_locl.h
   $(OPENSSL_PATH)/crypto/siphash/siphash_local.h
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
index d9782a3098..080e1d9305 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
@@ -374,8 +374,6 @@
   $(OPENSSL_PATH)/crypto/rand/rand_unix.c
   $(OPENSSL_PATH)/crypto/rand/rand_vms.c
   $(OPENSSL_PATH)/crypto/rand/rand_win.c
-  $(OPENSSL_PATH)/crypto/rc4/rc4_enc.c
-  $(OPENSSL_PATH)/crypto/rc4/rc4_skey.c
   $(OPENSSL_PATH)/crypto/rsa/rsa_ameth.c
   $(OPENSSL_PATH)/crypto/rsa/rsa_asn1.c
   $(OPENSSL_PATH)/crypto/rsa/rsa_chk.c
@@ -531,7 +529,6 @@
   $(OPENSSL_PATH)/crypto/ocsp/ocsp_lcl.h
   $(OPENSSL_PATH)/crypto/pkcs12/p12_lcl.h
   $(OPENSSL_PATH)/crypto/rand/rand_lcl.h
-  $(OPENSSL_PATH)/crypto/rc4/rc4_locl.h
   $(OPENSSL_PATH)/crypto/rsa/rsa_locl.h
   $(OPENSSL_PATH)/crypto/sha/sha_locl.h
   $(OPENSSL_PATH)/crypto/siphash/siphash_local.h
diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl b/CryptoPkg/Library/OpensslLib/process_files.pl
index bd4a84da24..254bc4dbcc 100755
--- a/CryptoPkg/Library/OpensslLib/process_files.pl
+++ b/CryptoPkg/Library/OpensslLib/process_files.pl
@@ -80,6 +80,7 @@ BEGIN {
                 "no-poly1305",
                 "no-posix-io",
                 "no-rc2",
+                "no-rc4",
                 "no-rfc3779",
                 "no-rmd160",
                 "no-scrypt",
-- 
2.21.0.windows.1



* [PATCH V4 06/11] CryptoPkg/BaseCryptLib: Retire the TDES algorithm
  2020-05-11 18:27 [PATCH V4 00/11] CryptoPkg: Retire the deprecated functions Gao, Zhichao
                   ` (4 preceding siblings ...)
  2020-05-11 18:27 ` [PATCH V4 05/11] CryptoPkg/OpensslLib: Set ARC4 disable in OpensslLib Gao, Zhichao
@ 2020-05-11 18:27 ` Gao, Zhichao
  2020-05-11 18:27 ` [PATCH V4 07/11] CryptoPkg/OpensslLib: Set TDES disable in OpensslLib Gao, Zhichao
                   ` (5 subsequent siblings)
  11 siblings, 0 replies; 18+ messages in thread
From: Gao, Zhichao @ 2020-05-11 18:27 UTC (permalink / raw)
  To: devel
  Cc: Jian J Wang, Xiaoyu Lu, Siyuan Fu, Michael D Kinney, Jiewen Yao,
	Philippe Mathieu-Daude

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898

TDES is not secure any longer.
Remove the Tdes support from edk2.
Change the Tdes field name in EDKII_CRYPTO_PROTOCOL to indicate the
function is no longer supported.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Philippe Mathieu-Daude <philmd@redhat.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
 CryptoPkg/Driver/Crypto.c                     | 181 +--------
 CryptoPkg/Include/Library/BaseCryptLib.h      | 196 ----------
 .../Library/BaseCryptLib/BaseCryptLib.inf     |   1 -
 .../Library/BaseCryptLib/Cipher/CryptTdes.c   | 364 ------------------
 .../BaseCryptLib/Cipher/CryptTdesNull.c       | 160 --------
 .../Library/BaseCryptLib/PeiCryptLib.inf      |   3 +-
 .../Library/BaseCryptLib/PeiCryptLib.uni      |   6 +-
 CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c |   7 +-
 .../Library/BaseCryptLib/RuntimeCryptLib.inf  |   3 +-
 .../Library/BaseCryptLib/RuntimeCryptLib.uni  |   6 +-
 .../Library/BaseCryptLib/SmmCryptLib.inf      |   3 +-
 .../Library/BaseCryptLib/SmmCryptLib.uni      |   6 +-
 .../BaseCryptLibNull/BaseCryptLibNull.inf     |   1 -
 .../BaseCryptLibNull/Cipher/CryptTdesNull.c   | 160 --------
 .../BaseCryptLibOnProtocolPpi/CryptLib.c      | 214 ----------
 CryptoPkg/Private/Protocol/Crypto.h           | 169 +-------
 16 files changed, 50 insertions(+), 1430 deletions(-)
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c

diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index 832fcda3b9..22b49762bd 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -1557,167 +1557,57 @@ CryptoServiceHmacSha256Final (
 //=====================================================================================
 
 /**
-  Retrieves the size, in bytes, of the context buffer required for TDES operations.
-
-  If this interface is not supported, then return zero.
-
-  @return  The size, in bytes, of the context buffer required for TDES operations.
-  @retval  0   This interface is not supported.
+  TDES is deprecated and unsupported any longer.
+  Keep the function field for binary compability.
 
 **/
 UINTN
 EFIAPI
-CryptoServiceTdesGetContextSize (
+DeprecatedCryptoServiceTdesGetContextSize (
   VOID
   )
 {
-  return CALL_BASECRYPTLIB (Tdes.Services.GetContextSize, TdesGetContextSize, (), 0);
+  return BaseCryptLibServiceDeprecated ("TdesGetContextSize"), 0;
 }
 
-/**
-  Initializes user-supplied memory as TDES context for subsequent use.
-
-  This function initializes user-supplied memory pointed by TdesContext as TDES context.
-  In addition, it sets up all TDES key materials for subsequent encryption and decryption
-  operations.
-  There are 3 key options as follows:
-  KeyLength = 64,  Keying option 1: K1 == K2 == K3 (Backward compatibility with DES)
-  KeyLength = 128, Keying option 2: K1 != K2 and K3 = K1 (Less Security)
-  KeyLength = 192  Keying option 3: K1 != K2 != K3 (Strongest)
-
-  If TdesContext is NULL, then return FALSE.
-  If Key is NULL, then return FALSE.
-  If KeyLength is not valid, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  TdesContext  Pointer to TDES context being initialized.
-  @param[in]   Key          Pointer to the user-supplied TDES key.
-  @param[in]   KeyLength    Length of TDES key in bits.
-
-  @retval TRUE   TDES context initialization succeeded.
-  @retval FALSE  TDES context initialization failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceTdesInit (
+DeprecatedCryptoServiceTdesInit (
   OUT  VOID         *TdesContext,
   IN   CONST UINT8  *Key,
   IN   UINTN        KeyLength
   )
 {
-  return CALL_BASECRYPTLIB (Tdes.Services.Init, TdesInit, (TdesContext, Key, KeyLength), FALSE);
+  return BaseCryptLibServiceDeprecated ("TdesInit"), FALSE;
 }
 
-/**
-  Performs TDES encryption on a data buffer of the specified size in ECB mode.
-
-  This function performs TDES encryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval TRUE   TDES encryption succeeded.
-  @retval FALSE  TDES encryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceTdesEcbEncrypt (
+DeprecatedCryptoServiceTdesEcbEncrypt (
   IN   VOID         *TdesContext,
   IN   CONST UINT8  *Input,
   IN   UINTN        InputSize,
   OUT  UINT8        *Output
   )
 {
-  return CALL_BASECRYPTLIB (Tdes.Services.EcbEncrypt, TdesEcbEncrypt, (TdesContext, Input, InputSize, Output), FALSE);
+  return BaseCryptLibServiceDeprecated ("TdesEcbEncrypt"), FALSE;
 }
 
-/**
-  Performs TDES decryption on a data buffer of the specified size in ECB mode.
-
-  This function performs TDES decryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be decrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[out]  Output       Pointer to a buffer that receives the TDES decryption output.
-
-  @retval TRUE   TDES decryption succeeded.
-  @retval FALSE  TDES decryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceTdesEcbDecrypt (
+DeprecatedCryptoServiceTdesEcbDecrypt (
   IN   VOID         *TdesContext,
   IN   CONST UINT8  *Input,
   IN   UINTN        InputSize,
   OUT  UINT8        *Output
   )
 {
-  return CALL_BASECRYPTLIB (Tdes.Services.EcbDecrypt, TdesEcbDecrypt, (TdesContext, Input, InputSize, Output), FALSE);
+  return BaseCryptLibServiceDeprecated ("TdesEcbDecrypt"), FALSE;
 }
 
-/**
-  Performs TDES encryption on a data buffer of the specified size in CBC mode.
-
-  This function performs TDES encryption on data buffer pointed by Input, of specified
-  size of InputSize, in CBC mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  Initialization vector should be one block size (8 bytes).
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Ivec is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[in]   Ivec         Pointer to initialization vector.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval TRUE   TDES encryption succeeded.
-  @retval FALSE  TDES encryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceTdesCbcEncrypt (
+DeprecatedCryptoServiceTdesCbcEncrypt (
   IN   VOID         *TdesContext,
   IN   CONST UINT8  *Input,
   IN   UINTN        InputSize,
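Review bot: each replacement body returns FALSE (or 0 for the context size) without writing to Output, so a legacy caller that ignores the BOOLEAN result of TdesEcbEncrypt or TdesEcbDecrypt will carry on with whatever was already in its output buffer. The surviving comment should say this explicitly, for example that these functions always fail and leave all output parameters untouched. Also, "compability" should be "compatibility", and the functions after DeprecatedCryptoServiceTdesGetContextSize lose their header comments entirely; one shared comment naming all six would do.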
@@ -1725,41 +1615,12 @@ CryptoServiceTdesCbcEncrypt (
   OUT  UINT8        *Output
   )
 {
-  return CALL_BASECRYPTLIB (Tdes.Services.CbcEncrypt, TdesCbcEncrypt, (TdesContext, Input, InputSize, Ivec, Output), FALSE);
+  return BaseCryptLibServiceDeprecated ("TdesCbcEncrypt"), FALSE;
 }
 
-/**
-  Performs TDES decryption on a data buffer of the specified size in CBC mode.
-
-  This function performs TDES decryption on data buffer pointed by Input, of specified
-  size of InputSize, in CBC mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  Initialization vector should be one block size (8 bytes).
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Ivec is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[in]   Ivec         Pointer to initialization vector.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval TRUE   TDES decryption succeeded.
-  @retval FALSE  TDES decryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceTdesCbcDecrypt (
+DeprecatedCryptoServiceTdesCbcDecrypt (
   IN   VOID         *TdesContext,
   IN   CONST UINT8  *Input,
   IN   UINTN        InputSize,
@@ -1767,7 +1628,7 @@ CryptoServiceTdesCbcDecrypt (
   OUT  UINT8        *Output
   )
 {
-  return CALL_BASECRYPTLIB (Tdes.Services.CbcDecrypt, TdesCbcDecrypt, (TdesContext, Input, InputSize, Ivec, Output), FALSE);
+  return BaseCryptLibServiceDeprecated ("TdesCbcDecrypt"), FALSE;
 }
 
 /**
@@ -4344,13 +4205,13 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
   CryptoServiceX509Free,
   CryptoServiceX509StackFree,
   CryptoServiceX509GetTBSCert,
-  /// TDES
-  CryptoServiceTdesGetContextSize,
-  CryptoServiceTdesInit,
-  CryptoServiceTdesEcbEncrypt,
-  CryptoServiceTdesEcbDecrypt,
-  CryptoServiceTdesCbcEncrypt,
-  CryptoServiceTdesCbcDecrypt,
+  /// TDES - deprecated and unsupported
+  DeprecatedCryptoServiceTdesGetContextSize,
+  DeprecatedCryptoServiceTdesInit,
+  DeprecatedCryptoServiceTdesEcbEncrypt,
+  DeprecatedCryptoServiceTdesEcbDecrypt,
+  DeprecatedCryptoServiceTdesCbcEncrypt,
+  DeprecatedCryptoServiceTdesCbcDecrypt,
   /// AES
   CryptoServiceAesGetContextSize,
   CryptoServiceAesInit,
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index 25e236c4a3..621bcfd1c4 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -1278,202 +1278,6 @@ HmacSha256Final (
 //    Symmetric Cryptography Primitive
 //=====================================================================================
 
-/**
-  Retrieves the size, in bytes, of the context buffer required for TDES operations.
-
-  If this interface is not supported, then return zero.
-
-  @return  The size, in bytes, of the context buffer required for TDES operations.
-  @retval  0   This interface is not supported.
-
-**/
-UINTN
-EFIAPI
-TdesGetContextSize (
-  VOID
-  );
-
-/**
-  Initializes user-supplied memory as TDES context for subsequent use.
-
-  This function initializes user-supplied memory pointed by TdesContext as TDES context.
-  In addition, it sets up all TDES key materials for subsequent encryption and decryption
-  operations.
-  There are 3 key options as follows:
-  KeyLength = 64,  Keying option 1: K1 == K2 == K3 (Backward compatibility with DES)
-  KeyLength = 128, Keying option 2: K1 != K2 and K3 = K1 (Less Security)
-  KeyLength = 192  Keying option 3: K1 != K2 != K3 (Strongest)
-
-  If TdesContext is NULL, then return FALSE.
-  If Key is NULL, then return FALSE.
-  If KeyLength is not valid, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  TdesContext  Pointer to TDES context being initialized.
-  @param[in]   Key          Pointer to the user-supplied TDES key.
-  @param[in]   KeyLength    Length of TDES key in bits.
-
-  @retval TRUE   TDES context initialization succeeded.
-  @retval FALSE  TDES context initialization failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesInit (
-  OUT  VOID         *TdesContext,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeyLength
-  );
-
-/**
-  Performs TDES encryption on a data buffer of the specified size in ECB mode.
-
-  This function performs TDES encryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval TRUE   TDES encryption succeeded.
-  @retval FALSE  TDES encryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesEcbEncrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  );
-
-/**
-  Performs TDES decryption on a data buffer of the specified size in ECB mode.
-
-  This function performs TDES decryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be decrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[out]  Output       Pointer to a buffer that receives the TDES decryption output.
-
-  @retval TRUE   TDES decryption succeeded.
-  @retval FALSE  TDES decryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesEcbDecrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  );
-
-/**
-  Performs TDES encryption on a data buffer of the specified size in CBC mode.
-
-  This function performs TDES encryption on data buffer pointed by Input, of specified
-  size of InputSize, in CBC mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  Initialization vector should be one block size (8 bytes).
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Ivec is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[in]   Ivec         Pointer to initialization vector.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval TRUE   TDES encryption succeeded.
-  @retval FALSE  TDES encryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesCbcEncrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  IN   CONST UINT8  *Ivec,
-  OUT  UINT8        *Output
-  );
-
-/**
-  Performs TDES decryption on a data buffer of the specified size in CBC mode.
-
-  This function performs TDES decryption on data buffer pointed by Input, of specified
-  size of InputSize, in CBC mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  Initialization vector should be one block size (8 bytes).
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Ivec is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[in]   Ivec         Pointer to initialization vector.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval TRUE   TDES decryption succeeded.
-  @retval FALSE  TDES decryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesCbcDecrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  IN   CONST UINT8  *Ivec,
-  OUT  UINT8        *Output
-  );
-
 /**
   Retrieves the size, in bytes, of the context buffer required for AES operations.
 
diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
index da38ea552f..2de8e9c346 100644
--- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -39,7 +39,6 @@
   Hmac/CryptHmacSha256.c
   Kdf/CryptHkdf.c
   Cipher/CryptAes.c
-  Cipher/CryptTdes.c
   Pk/CryptRsaBasic.c
   Pk/CryptRsaExt.c
   Pk/CryptPkcs1Oaep.c
diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
deleted file mode 100644
index fd799f3398..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
+++ /dev/null
@@ -1,364 +0,0 @@
-/** @file
-  TDES Wrapper Implementation over OpenSSL.
-
-Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-#include <openssl/des.h>
-
-/**
-  Retrieves the size, in bytes, of the context buffer required for TDES operations.
-
-  @return  The size, in bytes, of the context buffer required for TDES operations.
-
-**/
-UINTN
-EFIAPI
-TdesGetContextSize (
-  VOID
-  )
-{
-  //
-  // Memory for 3 copies of DES_key_schedule is allocated, for K1, K2 and K3 each.
-  //
-  return (UINTN) (3 * sizeof (DES_key_schedule));
-}
-
-/**
-  Initializes user-supplied memory as TDES context for subsequent use.
-
-  This function initializes user-supplied memory pointed by TdesContext as TDES context.
-  In addition, it sets up all TDES key materials for subsequent encryption and decryption
-  operations.
-  There are 3 key options as follows:
-  KeyLength = 64,  Keying option 1: K1 == K2 == K3 (Backward compatibility with DES)
-  KeyLength = 128, Keying option 2: K1 != K2 and K3 = K1 (Less Security)
-  KeyLength = 192  Keying option 3: K1 != K2 != K3 (Strongest)
-
-  If TdesContext is NULL, then return FALSE.
-  If Key is NULL, then return FALSE.
-  If KeyLength is not valid, then return FALSE.
-
-  @param[out]  TdesContext  Pointer to TDES context being initialized.
-  @param[in]   Key          Pointer to the user-supplied TDES key.
-  @param[in]   KeyLength    Length of TDES key in bits.
-
-  @retval TRUE   TDES context initialization succeeded.
-  @retval FALSE  TDES context initialization failed.
-
-**/
-BOOLEAN
-EFIAPI
-TdesInit (
-  OUT  VOID         *TdesContext,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeyLength
-  )
-{
-  DES_key_schedule  *KeySchedule;
-
-  //
-  // Check input parameters.
-  //
-  if (TdesContext == NULL || Key == NULL || (KeyLength != 64 && KeyLength != 128 && KeyLength != 192)) {
-    return FALSE;
-  }
-
-  KeySchedule = (DES_key_schedule *) TdesContext;
-
-  //
-  // If input Key is a weak key, return error.
-  //
-  if (DES_is_weak_key ((const_DES_cblock *) Key) == 1) {
-    return FALSE;
-  }
-
-  DES_set_key_unchecked ((const_DES_cblock *) Key, KeySchedule);
-
-  if (KeyLength == 64) {
-    CopyMem (KeySchedule + 1, KeySchedule, sizeof (DES_key_schedule));
-    CopyMem (KeySchedule + 2, KeySchedule, sizeof (DES_key_schedule));
-    return TRUE;
-  }
-
-  if (DES_is_weak_key ((const_DES_cblock *) (Key + 8)) == 1) {
-    return FALSE;
-  }
-
-  DES_set_key_unchecked ((const_DES_cblock *) (Key + 8), KeySchedule + 1);
-
-  if (KeyLength == 128) {
-    CopyMem (KeySchedule + 2, KeySchedule, sizeof (DES_key_schedule));
-    return TRUE;
-  }
-
-  if (DES_is_weak_key ((const_DES_cblock *) (Key + 16)) == 1) {
-    return FALSE;
-  }
-
-  DES_set_key_unchecked ((const_DES_cblock *) (Key + 16), KeySchedule + 2);
-
-  return TRUE;
-}
-
-/**
-  Performs TDES encryption on a data buffer of the specified size in ECB mode.
-
-  This function performs TDES encryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval TRUE   TDES encryption succeeded.
-  @retval FALSE  TDES encryption failed.
-
-**/
-BOOLEAN
-EFIAPI
-TdesEcbEncrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  )
-{
-  DES_key_schedule  *KeySchedule;
-
-  //
-  // Check input parameters.
-  //
-  if (TdesContext == NULL || Input == NULL || (InputSize % TDES_BLOCK_SIZE) != 0 || Output == NULL) {
-    return FALSE;
-  }
-
-  KeySchedule = (DES_key_schedule *) TdesContext;
-
-  while (InputSize > 0) {
-    DES_ecb3_encrypt (
-      (const_DES_cblock *) Input,
-      (DES_cblock *) Output,
-      KeySchedule,
-      KeySchedule + 1,
-      KeySchedule + 2,
-      DES_ENCRYPT
-      );
-    Input     += TDES_BLOCK_SIZE;
-    Output    += TDES_BLOCK_SIZE;
-    InputSize -= TDES_BLOCK_SIZE;
-  }
-
-  return TRUE;
-}
-
-/**
-  Performs TDES decryption on a data buffer of the specified size in ECB mode.
-
-  This function performs TDES decryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be decrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[out]  Output       Pointer to a buffer that receives the TDES decryption output.
-
-  @retval TRUE   TDES decryption succeeded.
-  @retval FALSE  TDES decryption failed.
-
-**/
-BOOLEAN
-EFIAPI
-TdesEcbDecrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  )
-{
-  DES_key_schedule  *KeySchedule;
-
-  //
-  // Check input parameters.
-  //
-  if (TdesContext == NULL || Input == NULL || (InputSize % TDES_BLOCK_SIZE) != 0 || Output == NULL) {
-    return FALSE;
-  }
-
-  KeySchedule = (DES_key_schedule *) TdesContext;
-
-  while (InputSize > 0) {
-    DES_ecb3_encrypt (
-      (const_DES_cblock *) Input,
-      (DES_cblock *) Output,
-      KeySchedule,
-      KeySchedule + 1,
-      KeySchedule + 2,
-      DES_DECRYPT
-      );
-    Input     += TDES_BLOCK_SIZE;
-    Output    += TDES_BLOCK_SIZE;
-    InputSize -= TDES_BLOCK_SIZE;
-  }
-
-  return TRUE;
-}
-
-/**
-  Performs TDES encryption on a data buffer of the specified size in CBC mode.
-
-  This function performs TDES encryption on data buffer pointed by Input, of specified
-  size of InputSize, in CBC mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  Initialization vector should be one block size (8 bytes).
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Ivec is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[in]   Ivec         Pointer to initialization vector.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval TRUE   TDES encryption succeeded.
-  @retval FALSE  TDES encryption failed.
-
-**/
-BOOLEAN
-EFIAPI
-TdesCbcEncrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  IN   CONST UINT8  *Ivec,
-  OUT  UINT8        *Output
-  )
-{
-  DES_key_schedule  *KeySchedule;
-  UINT8             IvecBuffer[TDES_BLOCK_SIZE];
-
-  //
-  // Check input parameters.
-  //
-  if (TdesContext == NULL || Input == NULL || (InputSize % TDES_BLOCK_SIZE) != 0) {
-    return FALSE;
-  }
-
-  if (Ivec == NULL || Output == NULL || InputSize > INT_MAX) {
-    return FALSE;
-  }
-
-  KeySchedule = (DES_key_schedule *) TdesContext;
-  CopyMem (IvecBuffer, Ivec, TDES_BLOCK_SIZE);
-
-  DES_ede3_cbc_encrypt (
-    Input,
-    Output,
-    (UINT32) InputSize,
-    KeySchedule,
-    KeySchedule + 1,
-    KeySchedule + 2,
-    (DES_cblock *) IvecBuffer,
-    DES_ENCRYPT
-    );
-
-  return TRUE;
-}
-
-/**
-  Performs TDES decryption on a data buffer of the specified size in CBC mode.
-
-  This function performs TDES decryption on data buffer pointed by Input, of specified
-  size of InputSize, in CBC mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  Initialization vector should be one block size (8 bytes).
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Ivec is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[in]   Ivec         Pointer to initialization vector.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval TRUE   TDES decryption succeeded.
-  @retval FALSE  TDES decryption failed.
-
-**/
-BOOLEAN
-EFIAPI
-TdesCbcDecrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  IN   CONST UINT8  *Ivec,
-  OUT  UINT8        *Output
-  )
-{
-  DES_key_schedule  *KeySchedule;
-  UINT8             IvecBuffer[TDES_BLOCK_SIZE];
-
-  //
-  // Check input parameters.
-  //
-  if (TdesContext == NULL || Input == NULL || (InputSize % TDES_BLOCK_SIZE) != 0) {
-    return FALSE;
-  }
-
-  if (Ivec == NULL || Output == NULL || InputSize > INT_MAX) {
-    return FALSE;
-  }
-
-  KeySchedule = (DES_key_schedule *) TdesContext;
-  CopyMem (IvecBuffer, Ivec, TDES_BLOCK_SIZE);
-
-  DES_ede3_cbc_encrypt (
-    Input,
-    Output,
-    (UINT32) InputSize,
-    KeySchedule,
-    KeySchedule + 1,
-    KeySchedule + 2,
-    (DES_cblock *) IvecBuffer,
-    DES_DECRYPT
-    );
-
-  return TRUE;
-}
-
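Review bot: TDES_BLOCK_SIZE is used throughout this deleted file but is not defined in it, and the only BaseCryptLib.h hunk in this patch removes just the six prototypes. If the macro is defined in that header, it is left behind with no users and should be retired in the same patch.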
diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
deleted file mode 100644
index efa2716063..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
+++ /dev/null
@@ -1,160 +0,0 @@
-/** @file
-  TDES Wrapper Implementation which does not provide real capabilities.
-
-Copyright (c) 2012, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-
-/**
-  Retrieves the size, in bytes, of the context buffer required for TDES operations.
-
-  Return zero to indicate this interface is not supported.
-
-  @retval  0   This interface is not supported.
-
-**/
-UINTN
-EFIAPI
-TdesGetContextSize (
-  VOID
-  )
-{
-  ASSERT (FALSE);
-  return 0;
-}
-
-/**
-  Initializes user-supplied memory as TDES context for subsequent use.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[out]  TdesContext  Pointer to TDES context being initialized.
-  @param[in]   Key          Pointer to the user-supplied TDES key.
-  @param[in]   KeyLength    Length of TDES key in bits.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesInit (
-  OUT  VOID         *TdesContext,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeyLength
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Performs TDES encryption on a data buffer of the specified size in ECB mode.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesEcbEncrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Performs TDES decryption on a data buffer of the specified size in ECB mode.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be decrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[out]  Output       Pointer to a buffer that receives the TDES decryption output.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesEcbDecrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Performs TDES encryption on a data buffer of the specified size in CBC mode.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[in]   Ivec         Pointer to initialization vector.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesCbcEncrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  IN   CONST UINT8  *Ivec,
-  OUT  UINT8        *Output
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Performs TDES decryption on a data buffer of the specified size in CBC mode.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[in]   Ivec         Pointer to initialization vector.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesCbcDecrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  IN   CONST UINT8  *Ivec,
-  OUT  UINT8        *Output
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
index f43953b78c..f631f8d879 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
@@ -7,7 +7,7 @@
 #  buffer overflow or integer overflow.
 #
 #  Note:
-#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES functions, RSA external
+#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES functions, RSA external
 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509
 #  certificate handler functions, authenticode signature verification functions,
 #  PEM handler functions, and pseudorandom number generator functions are not
@@ -45,7 +45,6 @@
   Hmac/CryptHmacSha256Null.c
   Kdf/CryptHkdfNull.c
   Cipher/CryptAesNull.c
-  Cipher/CryptTdesNull.c
   Pk/CryptRsaBasic.c
   Pk/CryptRsaExtNull.c
   Pk/CryptPkcs1OaepNull.c
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
index 5abd8e8dfb..c906935d3d 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
@@ -6,8 +6,8 @@
 // This external input must be validated carefully to avoid security issues such as
 // buffer overflow or integer overflow.
 //
-// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
-// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,
+// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES
+// functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, X.509 certificate handler functions, authenticode
 // signature verification functions, PEM handler functions, and pseudorandom number
 // generator functions are not supported in this instance.
@@ -21,5 +21,5 @@
 
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for PEIM"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."
 
diff --git a/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c b/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c
index 75a133bd0c..6f7e1971f8 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c
@@ -1,7 +1,7 @@
 /** @file
   PEM (Privacy Enhanced Mail) Format Handler Wrapper Implementation over OpenSSL.
 
-Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
 SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -82,11 +82,8 @@ RsaGetPrivateKeyFromPem (
 
   //
   // Add possible block-cipher descriptor for PEM data decryption.
-  // NOTE: Only support most popular ciphers (3DES, AES) for the encrypted PEM.
+  // NOTE: Only support most popular ciphers AES for the encrypted PEM.
   //
-  if (EVP_add_cipher (EVP_des_ede3_cbc ()) == 0) {
-    return FALSE;
-  }
   if (EVP_add_cipher (EVP_aes_128_cbc ()) == 0) {
     return FALSE;
   }
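Review bot: removing `EVP_add_cipher (EVP_des_ede3_cbc ())` in RsaGetPrivateKeyFromPem means a PEM private key protected with 3DES can no longer be decrypted through this path unless the cipher is registered elsewhere. That is a behaviour change for callers, and it should be stated in the commit message and in the function's header comment, not only in this inline note. The reworded note also reads awkwardly; "Only support the most popular cipher (AES) for the encrypted PEM" would be clearer.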
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
index f1eb099b67..672e19299c 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
@@ -7,7 +7,7 @@
 #  buffer overflow or integer overflow.
 #
 #  Note: SHA-384 Digest functions, SHA-512 Digest functions,
-#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES functions, RSA external
+#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES functions, RSA external
 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
 #  authenticode signature verification functions are not supported in this instance.
 #
@@ -45,7 +45,6 @@
   Hmac/CryptHmacSha256Null.c
   Kdf/CryptHkdfNull.c
   Cipher/CryptAesNull.c
-  Cipher/CryptTdesNull.c
   Pk/CryptRsaBasic.c
   Pk/CryptRsaExtNull.c
   Pk/CryptPkcs1OaepNull.c
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
index 5a48d2a308..0a3bb1c04f 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
@@ -6,8 +6,8 @@
 // This external input must be validated carefully to avoid security issues such as
 // buffer overflow or integer overflow.
 //
-// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
-// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,
+// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES
+// functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, and authenticode signature verification functions are
 // not supported in this instance.
 //
@@ -20,5 +20,5 @@
 
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for DXE_RUNTIME_DRIVER"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
 
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
index 3a94655775..cc3556ae3f 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
@@ -7,7 +7,7 @@
 #  buffer overflow or integer overflow.
 #
 #  Note: SHA-384 Digest functions, SHA-512 Digest functions,
-#  HMAC-MD5 functions, HMAC-SHA1 functions, TDES functions, RSA external
+#  HMAC-MD5 functions, HMAC-SHA1 functions, RSA external
 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
 #  authenticode signature verification functions are not supported in this instance.
 #
@@ -44,7 +44,6 @@
   Hmac/CryptHmacSha256.c
   Kdf/CryptHkdfNull.c
   Cipher/CryptAes.c
-  Cipher/CryptTdesNull.c
   Pk/CryptRsaBasic.c
   Pk/CryptRsaExtNull.c
   Pk/CryptPkcs1Oaep.c
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
index 0561f107e8..2e362c635f 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
@@ -6,8 +6,8 @@
 // This external input must be validated carefully to avoid security issues such as
 // buffer overflow or integer overflow.
 //
-// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
-// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,
+// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES
+// functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, and authenticode signature verification functions are
 // not supported in this instance.
 //
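Review bot: The Note in this header still lists "AES functions" as unsupported after the TDES wording is dropped, yet SmmCryptLib.inf in the same patch builds Cipher/CryptAes.c and its own Note does not mention AES at all. If the SMM instance does provide AES, drop "AES" from this comment and from the STR_MODULE_DESCRIPTION string in the following hunk so the .uni and .inf descriptions agree. The .inf Note also lists SHA-384 and SHA-512 digest functions, which the .uni text omits.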
@@ -20,5 +20,5 @@
 
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for SMM driver"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
 
diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
index a205c9005d..04b552f8b7 100644
--- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
+++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
@@ -39,7 +39,6 @@
   Hmac/CryptHmacSha256Null.c
   Kdf/CryptHkdfNull.c
   Cipher/CryptAesNull.c
-  Cipher/CryptTdesNull.c
   Pk/CryptRsaBasicNull.c
   Pk/CryptRsaExtNull.c
   Pk/CryptPkcs1OaepNull.c
diff --git a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c b/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c
deleted file mode 100644
index efa2716063..0000000000
--- a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c
+++ /dev/null
@@ -1,160 +0,0 @@
-/** @file
-  TDES Wrapper Implementation which does not provide real capabilities.
-
-Copyright (c) 2012, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-
-/**
-  Retrieves the size, in bytes, of the context buffer required for TDES operations.
-
-  Return zero to indicate this interface is not supported.
-
-  @retval  0   This interface is not supported.
-
-**/
-UINTN
-EFIAPI
-TdesGetContextSize (
-  VOID
-  )
-{
-  ASSERT (FALSE);
-  return 0;
-}
-
-/**
-  Initializes user-supplied memory as TDES context for subsequent use.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[out]  TdesContext  Pointer to TDES context being initialized.
-  @param[in]   Key          Pointer to the user-supplied TDES key.
-  @param[in]   KeyLength    Length of TDES key in bits.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesInit (
-  OUT  VOID         *TdesContext,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeyLength
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Performs TDES encryption on a data buffer of the specified size in ECB mode.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesEcbEncrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Performs TDES decryption on a data buffer of the specified size in ECB mode.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be decrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[out]  Output       Pointer to a buffer that receives the TDES decryption output.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesEcbDecrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Performs TDES encryption on a data buffer of the specified size in CBC mode.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[in]   Ivec         Pointer to initialization vector.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesCbcEncrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  IN   CONST UINT8  *Ivec,
-  OUT  UINT8        *Output
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Performs TDES decryption on a data buffer of the specified size in CBC mode.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[in]   Ivec         Pointer to initialization vector.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesCbcDecrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  IN   CONST UINT8  *Ivec,
-  OUT  UINT8        *Output
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index 77915bdb86..43ee4e0841 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -1467,220 +1467,6 @@ HmacSha256Final (
 //    Symmetric Cryptography Primitive
 //=====================================================================================
 
-/**
-  Retrieves the size, in bytes, of the context buffer required for TDES operations.
-
-  If this interface is not supported, then return zero.
-
-  @return  The size, in bytes, of the context buffer required for TDES operations.
-  @retval  0   This interface is not supported.
-
-**/
-UINTN
-EFIAPI
-TdesGetContextSize (
-  VOID
-  )
-{
-  CALL_CRYPTO_SERVICE (TdesGetContextSize, (), 0);
-}
-
-/**
-  Initializes user-supplied memory as TDES context for subsequent use.
-
-  This function initializes user-supplied memory pointed by TdesContext as TDES context.
-  In addition, it sets up all TDES key materials for subsequent encryption and decryption
-  operations.
-  There are 3 key options as follows:
-  KeyLength = 64,  Keying option 1: K1 == K2 == K3 (Backward compatibility with DES)
-  KeyLength = 128, Keying option 2: K1 != K2 and K3 = K1 (Less Security)
-  KeyLength = 192  Keying option 3: K1 != K2 != K3 (Strongest)
-
-  If TdesContext is NULL, then return FALSE.
-  If Key is NULL, then return FALSE.
-  If KeyLength is not valid, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  TdesContext  Pointer to TDES context being initialized.
-  @param[in]   Key          Pointer to the user-supplied TDES key.
-  @param[in]   KeyLength    Length of TDES key in bits.
-
-  @retval TRUE   TDES context initialization succeeded.
-  @retval FALSE  TDES context initialization failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesInit (
-  OUT  VOID         *TdesContext,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeyLength
-  )
-{
-  CALL_CRYPTO_SERVICE (TdesInit, (TdesContext, Key, KeyLength), FALSE);
-}
-
-/**
-  Performs TDES encryption on a data buffer of the specified size in ECB mode.
-
-  This function performs TDES encryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval TRUE   TDES encryption succeeded.
-  @retval FALSE  TDES encryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesEcbEncrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  )
-{
-  CALL_CRYPTO_SERVICE (TdesEcbEncrypt, (TdesContext, Input, InputSize, Output), FALSE);
-}
-
-/**
-  Performs TDES decryption on a data buffer of the specified size in ECB mode.
-
-  This function performs TDES decryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be decrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[out]  Output       Pointer to a buffer that receives the TDES decryption output.
-
-  @retval TRUE   TDES decryption succeeded.
-  @retval FALSE  TDES decryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesEcbDecrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  )
-{
-  CALL_CRYPTO_SERVICE (TdesEcbDecrypt, (TdesContext, Input, InputSize, Output), FALSE);
-}
-
-/**
-  Performs TDES encryption on a data buffer of the specified size in CBC mode.
-
-  This function performs TDES encryption on data buffer pointed by Input, of specified
-  size of InputSize, in CBC mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  Initialization vector should be one block size (8 bytes).
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Ivec is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[in]   Ivec         Pointer to initialization vector.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval TRUE   TDES encryption succeeded.
-  @retval FALSE  TDES encryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesCbcEncrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  IN   CONST UINT8  *Ivec,
-  OUT  UINT8        *Output
-  )
-{
-  CALL_CRYPTO_SERVICE (TdesCbcEncrypt, (TdesContext, Input, InputSize, Ivec, Output), FALSE);
-}
-
-/**
-  Performs TDES decryption on a data buffer of the specified size in CBC mode.
-
-  This function performs TDES decryption on data buffer pointed by Input, of specified
-  size of InputSize, in CBC mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  Initialization vector should be one block size (8 bytes).
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Ivec is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[in]   Ivec         Pointer to initialization vector.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval TRUE   TDES decryption succeeded.
-  @retval FALSE  TDES decryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-TdesCbcDecrypt (
-  IN   VOID         *TdesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  IN   CONST UINT8  *Ivec,
-  OUT  UINT8        *Output
-  )
-{
-  CALL_CRYPTO_SERVICE (TdesCbcDecrypt, (TdesContext, Input, InputSize, Ivec, Output), FALSE);
-}
-
 /**
   Retrieves the size, in bytes, of the context buffer required for AES operations.
 
diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h
index f36c5c1aff..a30660c192 100644
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@@ -2396,155 +2396,45 @@ BOOLEAN
 //=====================================================================================
 
 /**
-  Retrieves the size, in bytes, of the context buffer required for TDES operations.
-
-  If this interface is not supported, then return zero.
-
-  @return  The size, in bytes, of the context buffer required for TDES operations.
-  @retval  0   This interface is not supported.
+  TDES is deprecated and unsupported any longer.
+  Keep the function field for binary compability.
 
 **/
 typedef
 UINTN
-(EFIAPI *EDKII_CRYPTO_TDES_GET_CONTEXT_SIZE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_GET_CONTEXT_SIZE) (
   VOID
   );
 
-/**
-  Initializes user-supplied memory as TDES context for subsequent use.
-
-  This function initializes user-supplied memory pointed by TdesContext as TDES context.
-  In addition, it sets up all TDES key materials for subsequent encryption and decryption
-  operations.
-  There are 3 key options as follows:
-  KeyLength = 64,  Keying option 1: K1 == K2 == K3 (Backward compatibility with DES)
-  KeyLength = 128, Keying option 2: K1 != K2 and K3 = K1 (Less Security)
-  KeyLength = 192  Keying option 3: K1 != K2 != K3 (Strongest)
-
-  If TdesContext is NULL, then return FALSE.
-  If Key is NULL, then return FALSE.
-  If KeyLength is not valid, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  TdesContext  Pointer to TDES context being initialized.
-  @param[in]   Key          Pointer to the user-supplied TDES key.
-  @param[in]   KeyLength    Length of TDES key in bits.
-
-  @retval TRUE   TDES context initialization succeeded.
-  @retval FALSE  TDES context initialization failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_TDES_INIT) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_INIT) (
   OUT  VOID         *TdesContext,
   IN   CONST UINT8  *Key,
   IN   UINTN        KeyLength
   );
 
-/**
-  Performs TDES encryption on a data buffer of the specified size in ECB mode.
-
-  This function performs TDES encryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval TRUE   TDES encryption succeeded.
-  @retval FALSE  TDES encryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_TDES_ECB_ENCRYPT) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_ECB_ENCRYPT) (
   IN   VOID         *TdesContext,
   IN   CONST UINT8  *Input,
   IN   UINTN        InputSize,
   OUT  UINT8        *Output
   );
 
-/**
-  Performs TDES decryption on a data buffer of the specified size in ECB mode.
-
-  This function performs TDES decryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be decrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[out]  Output       Pointer to a buffer that receives the TDES decryption output.
-
-  @retval TRUE   TDES decryption succeeded.
-  @retval FALSE  TDES decryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_TDES_ECB_DECRYPT) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_ECB_DECRYPT) (
   IN   VOID         *TdesContext,
   IN   CONST UINT8  *Input,
   IN   UINTN        InputSize,
   OUT  UINT8        *Output
   );
 
-/**
-  Performs TDES encryption on a data buffer of the specified size in CBC mode.
-
-  This function performs TDES encryption on data buffer pointed by Input, of specified
-  size of InputSize, in CBC mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  Initialization vector should be one block size (8 bytes).
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Ivec is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[in]   Ivec         Pointer to initialization vector.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval TRUE   TDES encryption succeeded.
-  @retval FALSE  TDES encryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_TDES_CBC_ENCRYPT) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_CBC_ENCRYPT) (
   IN   VOID         *TdesContext,
   IN   CONST UINT8  *Input,
   IN   UINTN        InputSize,
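Review bot: Only the first typedef, DEPRECATED_EDKII_CRYPTO_TDES_GET_CONTEXT_SIZE, keeps a doc comment; the typedefs after it lose theirs entirely, so a reader landing on DEPRECATED_EDKII_CRYPTO_TDES_INIT or the ECB/CBC types sees no explanation of why the slot still exists. Either repeat the short comment on each typedef or reword the first one to say it covers all of the TDES typedefs. The added comment also has a typo ("compability" should be "compatibility"), and "deprecated and unsupported any longer" reads better as "deprecated and no longer supported".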
@@ -2552,38 +2442,9 @@ BOOLEAN
   OUT  UINT8        *Output
   );
 
-/**
-  Performs TDES decryption on a data buffer of the specified size in CBC mode.
-
-  This function performs TDES decryption on data buffer pointed by Input, of specified
-  size of InputSize, in CBC mode.
-  InputSize must be multiple of block size (8 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  Initialization vector should be one block size (8 bytes).
-  TdesContext should be already correctly initialized by TdesInit(). Behavior with
-  invalid TDES context is undefined.
-
-  If TdesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (8 bytes), then return FALSE.
-  If Ivec is NULL, then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   TdesContext  Pointer to the TDES context.
-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize    Size of the Input buffer in bytes.
-  @param[in]   Ivec         Pointer to initialization vector.
-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.
-
-  @retval TRUE   TDES decryption succeeded.
-  @retval FALSE  TDES decryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_TDES_CBC_DECRYPT) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_TDES_CBC_DECRYPT) (
   IN   VOID         *TdesContext,
   IN   CONST UINT8  *Input,
   IN   UINTN        InputSize,
@@ -3911,13 +3772,13 @@ struct _EDKII_CRYPTO_PROTOCOL {
   EDKII_CRYPTO_X509_FREE                          X509Free;
   EDKII_CRYPTO_X509_STACK_FREE                    X509StackFree;
   EDKII_CRYPTO_X509_GET_TBS_CERT                  X509GetTBSCert;
-  /// TDES
-  EDKII_CRYPTO_TDES_GET_CONTEXT_SIZE              TdesGetContextSize;
-  EDKII_CRYPTO_TDES_INIT                          TdesInit;
-  EDKII_CRYPTO_TDES_ECB_ENCRYPT                   TdesEcbEncrypt;
-  EDKII_CRYPTO_TDES_ECB_DECRYPT                   TdesEcbDecrypt;
-  EDKII_CRYPTO_TDES_CBC_ENCRYPT                   TdesCbcEncrypt;
-  EDKII_CRYPTO_TDES_CBC_DECRYPT                   TdesCbcDecrypt;
+  /// TDES - deprecated and unsupported
+  DEPRECATED_EDKII_CRYPTO_TDES_GET_CONTEXT_SIZE   DeprecatedTdesGetContextSize;
+  DEPRECATED_EDKII_CRYPTO_TDES_INIT               DeprecatedTdesInit;
+  DEPRECATED_EDKII_CRYPTO_TDES_ECB_ENCRYPT        DeprecatedTdesEcbEncrypt;
+  DEPRECATED_EDKII_CRYPTO_TDES_ECB_DECRYPT        DeprecatedTdesEcbDecrypt;
+  DEPRECATED_EDKII_CRYPTO_TDES_CBC_ENCRYPT        DeprecatedTdesCbcEncrypt;
+  DEPRECATED_EDKII_CRYPTO_TDES_CBC_DECRYPT        DeprecatedTdesCbcDecrypt;
   /// AES
   EDKII_CRYPTO_AES_GET_CONTEXT_SIZE               AesGetContextSize;
   EDKII_CRYPTO_AES_INIT                           AesInit;
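Review bot: The six TDES members keep their position and function-pointer signature in struct _EDKII_CRYPTO_PROTOCOL, which preserves the binary layout, but the rename to Deprecated* is a source-level break for any consumer that still references the old member names, and nothing in the structure itself tells an already-built caller that the slot no longer does anything. Please confirm that the protocol instance in Driver/Crypto.c fills all six slots with a non-NULL stub of the matching type that returns 0 or FALSE, so an old binary calling through the protocol fails cleanly rather than calling through a NULL pointer, and say in the commit message that the member rename is intentional.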
-- 
2.21.0.windows.1



* [PATCH V4 07/11] CryptoPkg/OpensslLib: Set TDES disable in OpensslLib
  2020-05-11 18:27 [PATCH V4 00/11] CryptoPkg: Retire the deprecated functions Gao, Zhichao
                   ` (5 preceding siblings ...)
  2020-05-11 18:27 ` [PATCH V4 06/11] CryptoPkg/BaseCryptLib: Retire the TDES algorithm Gao, Zhichao
@ 2020-05-11 18:27 ` Gao, Zhichao
  2020-05-11 18:27 ` [PATCH V4 08/11] CryptoPkg/BaseCryptLib: Retire Aes Ecb mode algorithm Gao, Zhichao
                   ` (4 subsequent siblings)
  11 siblings, 0 replies; 18+ messages in thread
From: Gao, Zhichao @ 2020-05-11 18:27 UTC (permalink / raw)
  To: devel
  Cc: Zhiguang Liu, Jian J Wang, Xiaoyu Lu, Siyuan Fu, Michael D Kinney,
	Jiewen Yao, Philippe Mathieu-Daude

From: Zhiguang Liu <zhiguang.liu@intel.com>

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898

This patch is created by adding the setting "no_des" to
process_files.pl and running it through perl.
It would remove the TDES from OpensslLib.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Philippe Mathieu-Daude <philmd@redhat.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
 .../Library/Include/openssl/opensslconf.h     |  3 +++
 CryptoPkg/Library/OpensslLib/OpensslLib.inf   | 21 -------------------
 .../Library/OpensslLib/OpensslLibCrypto.inf   | 21 -------------------
 CryptoPkg/Library/OpensslLib/process_files.pl |  1 +
 4 files changed, 4 insertions(+), 42 deletions(-)

diff --git a/CryptoPkg/Library/Include/openssl/opensslconf.h b/CryptoPkg/Library/Include/openssl/opensslconf.h
index bab07db583..fc2a7bdec9 100644
--- a/CryptoPkg/Library/Include/openssl/opensslconf.h
+++ b/CryptoPkg/Library/Include/openssl/opensslconf.h
@@ -49,6 +49,9 @@ extern "C" {
 #ifndef OPENSSL_NO_CT
 # define OPENSSL_NO_CT
 #endif
+#ifndef OPENSSL_NO_DES
+# define OPENSSL_NO_DES
+#endif
 #ifndef OPENSSL_NO_DSA
 # define OPENSSL_NO_DSA
 #endif
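Review bot: OPENSSL_NO_DES switches off every DES variant in OpenSSL, not only TDES: the .inf hunks in this patch drop single-DES sources such as des_enc.c, ecb_enc.c and fcrypt.c along with ecb3_enc.c. The commit message only says TDES is removed, so it should state that all of crypto/des goes away, and it is worth checking that no remaining CryptoPkg path relies on DES-based decryption, for example password-protected PEM or PKCS input encrypted with DES or 3DES. The message also spells the option "no_des" where process_files.pl adds "no-des"; please make the two match.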
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index dfaefd1c08..d66f1cb03f 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -178,25 +178,6 @@
   $(OPENSSL_PATH)/crypto/cryptlib.c
   $(OPENSSL_PATH)/crypto/ctype.c
   $(OPENSSL_PATH)/crypto/cversion.c
-  $(OPENSSL_PATH)/crypto/des/cbc_cksm.c
-  $(OPENSSL_PATH)/crypto/des/cbc_enc.c
-  $(OPENSSL_PATH)/crypto/des/cfb64ede.c
-  $(OPENSSL_PATH)/crypto/des/cfb64enc.c
-  $(OPENSSL_PATH)/crypto/des/cfb_enc.c
-  $(OPENSSL_PATH)/crypto/des/des_enc.c
-  $(OPENSSL_PATH)/crypto/des/ecb3_enc.c
-  $(OPENSSL_PATH)/crypto/des/ecb_enc.c
-  $(OPENSSL_PATH)/crypto/des/fcrypt.c
-  $(OPENSSL_PATH)/crypto/des/fcrypt_b.c
-  $(OPENSSL_PATH)/crypto/des/ofb64ede.c
-  $(OPENSSL_PATH)/crypto/des/ofb64enc.c
-  $(OPENSSL_PATH)/crypto/des/ofb_enc.c
-  $(OPENSSL_PATH)/crypto/des/pcbc_enc.c
-  $(OPENSSL_PATH)/crypto/des/qud_cksm.c
-  $(OPENSSL_PATH)/crypto/des/rand_key.c
-  $(OPENSSL_PATH)/crypto/des/set_key.c
-  $(OPENSSL_PATH)/crypto/des/str2key.c
-  $(OPENSSL_PATH)/crypto/des/xcbc_enc.c
   $(OPENSSL_PATH)/crypto/dh/dh_ameth.c
   $(OPENSSL_PATH)/crypto/dh/dh_asn1.c
   $(OPENSSL_PATH)/crypto/dh/dh_check.c
@@ -514,8 +495,6 @@
   $(OPENSSL_PATH)/crypto/comp/comp_lcl.h
   $(OPENSSL_PATH)/crypto/conf/conf_def.h
   $(OPENSSL_PATH)/crypto/conf/conf_lcl.h
-  $(OPENSSL_PATH)/crypto/des/des_locl.h
-  $(OPENSSL_PATH)/crypto/des/spr.h
   $(OPENSSL_PATH)/crypto/dh/dh_locl.h
   $(OPENSSL_PATH)/crypto/dso/dso_locl.h
   $(OPENSSL_PATH)/crypto/evp/evp_locl.h
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
index 080e1d9305..5788d13cf7 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
@@ -178,25 +178,6 @@
   $(OPENSSL_PATH)/crypto/cryptlib.c
   $(OPENSSL_PATH)/crypto/ctype.c
   $(OPENSSL_PATH)/crypto/cversion.c
-  $(OPENSSL_PATH)/crypto/des/cbc_cksm.c
-  $(OPENSSL_PATH)/crypto/des/cbc_enc.c
-  $(OPENSSL_PATH)/crypto/des/cfb64ede.c
-  $(OPENSSL_PATH)/crypto/des/cfb64enc.c
-  $(OPENSSL_PATH)/crypto/des/cfb_enc.c
-  $(OPENSSL_PATH)/crypto/des/des_enc.c
-  $(OPENSSL_PATH)/crypto/des/ecb3_enc.c
-  $(OPENSSL_PATH)/crypto/des/ecb_enc.c
-  $(OPENSSL_PATH)/crypto/des/fcrypt.c
-  $(OPENSSL_PATH)/crypto/des/fcrypt_b.c
-  $(OPENSSL_PATH)/crypto/des/ofb64ede.c
-  $(OPENSSL_PATH)/crypto/des/ofb64enc.c
-  $(OPENSSL_PATH)/crypto/des/ofb_enc.c
-  $(OPENSSL_PATH)/crypto/des/pcbc_enc.c
-  $(OPENSSL_PATH)/crypto/des/qud_cksm.c
-  $(OPENSSL_PATH)/crypto/des/rand_key.c
-  $(OPENSSL_PATH)/crypto/des/set_key.c
-  $(OPENSSL_PATH)/crypto/des/str2key.c
-  $(OPENSSL_PATH)/crypto/des/xcbc_enc.c
   $(OPENSSL_PATH)/crypto/dh/dh_ameth.c
   $(OPENSSL_PATH)/crypto/dh/dh_asn1.c
   $(OPENSSL_PATH)/crypto/dh/dh_check.c
@@ -514,8 +495,6 @@
   $(OPENSSL_PATH)/crypto/comp/comp_lcl.h
   $(OPENSSL_PATH)/crypto/conf/conf_def.h
   $(OPENSSL_PATH)/crypto/conf/conf_lcl.h
-  $(OPENSSL_PATH)/crypto/des/des_locl.h
-  $(OPENSSL_PATH)/crypto/des/spr.h
   $(OPENSSL_PATH)/crypto/dh/dh_locl.h
   $(OPENSSL_PATH)/crypto/dso/dso_locl.h
   $(OPENSSL_PATH)/crypto/evp/evp_locl.h
diff --git a/CryptoPkg/Library/OpensslLib/process_files.pl b/CryptoPkg/Library/OpensslLib/process_files.pl
index 254bc4dbcc..5ceedf5d37 100755
--- a/CryptoPkg/Library/OpensslLib/process_files.pl
+++ b/CryptoPkg/Library/OpensslLib/process_files.pl
@@ -62,6 +62,7 @@ BEGIN {
                 "no-cms",
                 "no-ct",
                 "no-deprecated",
+                "no-des",
                 "no-dgram",
                 "no-dsa",
                 "no-dynamic-engine",
-- 
2.21.0.windows.1



* [PATCH V4 08/11] CryptoPkg/BaseCryptLib: Retire Aes Ecb mode algorithm
  2020-05-11 18:27 [PATCH V4 00/11] CryptoPkg: Retire the deprecated functions Gao, Zhichao
                   ` (6 preceding siblings ...)
  2020-05-11 18:27 ` [PATCH V4 07/11] CryptoPkg/OpensslLib: Set TDES disable in OpensslLib Gao, Zhichao
@ 2020-05-11 18:27 ` Gao, Zhichao
  2020-05-11 18:27 ` [PATCH V4 09/11] CryptoPkg/BaseCryptLib: Retire HMAC MD5 algorithm Gao, Zhichao
                   ` (3 subsequent siblings)
  11 siblings, 0 replies; 18+ messages in thread
From: Gao, Zhichao @ 2020-05-11 18:27 UTC (permalink / raw)
  To: devel
  Cc: Jian J Wang, Xiaoyu Lu, Siyuan Fu, Michael D Kinney, Jiewen Yao,
	Philippe Mathieu-Daude

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898

Aes Ecb mode is not secure any longer.
Remove the Aes Ecb mode support from edk2.
Change the Aes Ecb mode field name in EDKII_CRYPTO_PROTOCOL to indicate the
function is no longer supported.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Philippe Mathieu-Daude <philmd@redhat.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
 CryptoPkg/CryptoPkg.dsc                       |  45 +++----
 CryptoPkg/Driver/Crypto.c                     |  65 ++--------
 CryptoPkg/Include/Library/BaseCryptLib.h      |  70 -----------
 .../Library/BaseCryptLib/Cipher/CryptAes.c    | 114 ------------------
 .../BaseCryptLib/Cipher/CryptAesNull.c        |  52 --------
 .../BaseCryptLibNull/Cipher/CryptAesNull.c    |  52 --------
 .../BaseCryptLibOnProtocolPpi/CryptLib.c      |  76 ------------
 CryptoPkg/Library/OpensslLib/OpensslLib.inf   |   1 -
 .../Library/OpensslLib/OpensslLibCrypto.inf   |   1 -
 CryptoPkg/Private/Protocol/Crypto.h           |  61 ++--------
 10 files changed, 40 insertions(+), 497 deletions(-)

diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
index 6ed7046563..1f68cc633b 100644
--- a/CryptoPkg/CryptoPkg.dsc
+++ b/CryptoPkg/CryptoPkg.dsc
@@ -137,27 +137,30 @@
   gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x06
 
 !if $(CRYPTO_SERVICES) IN "PACKAGE ALL"
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacMd5.Family    | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family   | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family       | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Dh.Family         | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Random.Family     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Family        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family       | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha384.Family     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha512.Family     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.X509.Family       | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tdes.Family       | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Family        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Arc4.Family       | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sm3.Family        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Hkdf.Family       | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tls.Family        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsSet.Family     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsGet.Family     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacMd5.Family                           | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family                          | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family                        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family                               | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family                              | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Dh.Family                                | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Random.Family                            | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Rsa.Family                               | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family                              | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family                            | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha384.Family                            | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha512.Family                            | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.X509.Family                              | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tdes.Family                              | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.GetContextSize              | TRUE
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.Init                        | TRUE
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcEncrypt                  | TRUE
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Aes.Services.CbcDecrypt                  | TRUE
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Arc4.Family                              | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sm3.Family                               | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Hkdf.Family                              | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Tls.Family                               | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsSet.Family                            | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
+  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.TlsGet.Family                            | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
 !endif
 
 !if $(CRYPTO_SERVICES) == MIN_PEI
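
Review bot: The added lines still set Tdes.Family and Arc4.Family to PCD_CRYPTO_SERVICE_ENABLE_FAMILY, although the protocol table later in this patch already carries DeprecatedCryptoServiceTdes* entries and the comment "Arc4 - deprecated and unsupported". Either drop those two lines here or explain why a retired family stays enabled under "PACKAGE ALL". Separately, every line in the block is rewritten only to widen the alignment column for the four new Aes.Services lines; keeping the existing alignment would reduce the hunk to the Aes change and make it much easier to review.
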
diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index 22b49762bd..7d462ff068 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -1683,79 +1683,32 @@ CryptoServiceAesInit (
 }
 
 /**
-  Performs AES encryption on a data buffer of the specified size in ECB mode.
-
-  This function performs AES encryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (16 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  AesContext should be already correctly initialized by AesInit(). Behavior with
-  invalid AES context is undefined.
-
-  If AesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (16 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   AesContext  Pointer to the AES context.
-  @param[in]   Input       Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize   Size of the Input buffer in bytes.
-  @param[out]  Output      Pointer to a buffer that receives the AES encryption output.
-
-  @retval TRUE   AES encryption succeeded.
-  @retval FALSE  AES encryption failed.
-  @retval FALSE  This interface is not supported.
+  AES ECB Mode is deprecated and unsupported any longer.
+  Keep the function field for binary compability.
 
 **/
 BOOLEAN
 EFIAPI
-CryptoServiceAesEcbEncrypt (
+DeprecatedCryptoServiceAesEcbEncrypt (
   IN   VOID         *AesContext,
   IN   CONST UINT8  *Input,
   IN   UINTN        InputSize,
   OUT  UINT8        *Output
   )
 {
-  return CALL_BASECRYPTLIB (Aes.Services.EcbEncrypt, AesEcbEncrypt, (AesContext, Input, InputSize, Output), FALSE);
+  return BaseCryptLibServiceDeprecated ("AesEcbEncrypt"), FALSE;
 }
 
-/**
-  Performs AES decryption on a data buffer of the specified size in ECB mode.
-
-  This function performs AES decryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (16 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  AesContext should be already correctly initialized by AesInit(). Behavior with
-  invalid AES context is undefined.
-
-  If AesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (16 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   AesContext  Pointer to the AES context.
-  @param[in]   Input       Pointer to the buffer containing the data to be decrypted.
-  @param[in]   InputSize   Size of the Input buffer in bytes.
-  @param[out]  Output      Pointer to a buffer that receives the AES decryption output.
-
-  @retval TRUE   AES decryption succeeded.
-  @retval FALSE  AES decryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceAesEcbDecrypt (
+DeprecatedCryptoServiceAesEcbDecrypt (
   IN   VOID         *AesContext,
   IN   CONST UINT8  *Input,
   IN   UINTN        InputSize,
   OUT  UINT8        *Output
   )
 {
-  return CALL_BASECRYPTLIB (Aes.Services.EcbDecrypt, AesEcbDecrypt, (AesContext, Input, InputSize, Output), FALSE);
+  return BaseCryptLibServiceDeprecated ("AesEcbDecrypt"), FALSE;
 }
 
 /**
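
Review bot: The replacement comment on DeprecatedCryptoServiceAesEcbEncrypt no longer states the return value, and DeprecatedCryptoServiceAesEcbDecrypt is left with no comment at all. Both stubs return FALSE without writing Output, so a caller that ignores the return value carries on with whatever was already in its buffer; a "@retval FALSE  This interface is not supported." line on each function would make that explicit. In addition, `return BaseCryptLibServiceDeprecated ("AesEcbEncrypt"), FALSE;` relies on the comma operator; calling the helper and then returning FALSE as two statements reads more clearly.
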
@@ -4212,11 +4165,11 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
   DeprecatedCryptoServiceTdesEcbDecrypt,
   DeprecatedCryptoServiceTdesCbcEncrypt,
   DeprecatedCryptoServiceTdesCbcDecrypt,
-  /// AES
+  /// AES - ECB mode is deprecated and unsupported
   CryptoServiceAesGetContextSize,
   CryptoServiceAesInit,
-  CryptoServiceAesEcbEncrypt,
-  CryptoServiceAesEcbDecrypt,
+  DeprecatedCryptoServiceAesEcbEncrypt,
+  DeprecatedCryptoServiceAesEcbDecrypt,
   CryptoServiceAesCbcEncrypt,
   CryptoServiceAesCbcDecrypt,
   /// Arc4 - deprecated and unsupported
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index 621bcfd1c4..86175c7a8a 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -1323,76 +1323,6 @@ AesInit (
   IN   UINTN        KeyLength
   );
 
-/**
-  Performs AES encryption on a data buffer of the specified size in ECB mode.
-
-  This function performs AES encryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (16 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  AesContext should be already correctly initialized by AesInit(). Behavior with
-  invalid AES context is undefined.
-
-  If AesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (16 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   AesContext  Pointer to the AES context.
-  @param[in]   Input       Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize   Size of the Input buffer in bytes.
-  @param[out]  Output      Pointer to a buffer that receives the AES encryption output.
-
-  @retval TRUE   AES encryption succeeded.
-  @retval FALSE  AES encryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-AesEcbEncrypt (
-  IN   VOID         *AesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  );
-
-/**
-  Performs AES decryption on a data buffer of the specified size in ECB mode.
-
-  This function performs AES decryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (16 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  AesContext should be already correctly initialized by AesInit(). Behavior with
-  invalid AES context is undefined.
-
-  If AesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (16 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   AesContext  Pointer to the AES context.
-  @param[in]   Input       Pointer to the buffer containing the data to be decrypted.
-  @param[in]   InputSize   Size of the Input buffer in bytes.
-  @param[out]  Output      Pointer to a buffer that receives the AES decryption output.
-
-  @retval TRUE   AES decryption succeeded.
-  @retval FALSE  AES decryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-AesEcbDecrypt (
-  IN   VOID         *AesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  );
-
 /**
   Performs AES encryption on a data buffer of the specified size in CBC mode.
 
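
Review bot: Dropping the AesEcbEncrypt and AesEcbDecrypt prototypes from this public library header turns every remaining caller into a build failure, and the commit message does not say whether in-tree or platform callers were checked. Please state that in the commit message and point callers to the CBC functions that remain declared below.
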
diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c
index 2515b34bb8..914cffb211 100644
--- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c
+++ b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAes.c
@@ -78,120 +78,6 @@ AesInit (
   return TRUE;
 }
 
-/**
-  Performs AES encryption on a data buffer of the specified size in ECB mode.
-
-  This function performs AES encryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (16 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  AesContext should be already correctly initialized by AesInit(). Behavior with
-  invalid AES context is undefined.
-
-  If AesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (16 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-
-  @param[in]   AesContext  Pointer to the AES context.
-  @param[in]   Input       Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize   Size of the Input buffer in bytes.
-  @param[out]  Output      Pointer to a buffer that receives the AES encryption output.
-
-  @retval TRUE   AES encryption succeeded.
-  @retval FALSE  AES encryption failed.
-
-**/
-BOOLEAN
-EFIAPI
-AesEcbEncrypt (
-  IN   VOID         *AesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  )
-{
-  AES_KEY  *AesKey;
-
-  //
-  // Check input parameters.
-  //
-  if (AesContext == NULL || Input == NULL || (InputSize % AES_BLOCK_SIZE) != 0 || Output == NULL) {
-    return FALSE;
-  }
-
-  AesKey = (AES_KEY *) AesContext;
-
-  //
-  // Perform AES data encryption with ECB mode (block-by-block)
-  //
-  while (InputSize > 0) {
-    AES_ecb_encrypt (Input, Output, AesKey, AES_ENCRYPT);
-    Input     += AES_BLOCK_SIZE;
-    Output    += AES_BLOCK_SIZE;
-    InputSize -= AES_BLOCK_SIZE;
-  }
-
-  return TRUE;
-}
-
-/**
-  Performs AES decryption on a data buffer of the specified size in ECB mode.
-
-  This function performs AES decryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (16 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  AesContext should be already correctly initialized by AesInit(). Behavior with
-  invalid AES context is undefined.
-
-  If AesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (16 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-
-  @param[in]   AesContext  Pointer to the AES context.
-  @param[in]   Input       Pointer to the buffer containing the data to be decrypted.
-  @param[in]   InputSize   Size of the Input buffer in bytes.
-  @param[out]  Output      Pointer to a buffer that receives the AES decryption output.
-
-  @retval TRUE   AES decryption succeeded.
-  @retval FALSE  AES decryption failed.
-
-**/
-BOOLEAN
-EFIAPI
-AesEcbDecrypt (
-  IN   VOID         *AesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  )
-{
-  AES_KEY  *AesKey;
-
-  //
-  // Check input parameters.
-  //
-  if (AesContext == NULL || Input == NULL || (InputSize % AES_BLOCK_SIZE) != 0 || Output == NULL) {
-    return FALSE;
-  }
-
-  AesKey = (AES_KEY *) AesContext;
-
-  //
-  // Perform AES data decryption with ECB mode (block-by-block)
-  //
-  while (InputSize > 0) {
-    AES_ecb_encrypt (Input, Output, AesKey + 1, AES_DECRYPT);
-    Input     += AES_BLOCK_SIZE;
-    Output    += AES_BLOCK_SIZE;
-    InputSize -= AES_BLOCK_SIZE;
-  }
-
-  return TRUE;
-}
-
 /**
   Performs AES encryption on a data buffer of the specified size in CBC mode.
 
diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c
index a82adacf4f..d235422e7a 100644
--- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c
+++ b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptAesNull.c
@@ -50,58 +50,6 @@ AesInit (
   return FALSE;
 }
 
-/**
-  Performs AES encryption on a data buffer of the specified size in ECB mode.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]   AesContext  Pointer to the AES context.
-  @param[in]   Input       Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize   Size of the Input buffer in bytes.
-  @param[out]  Output      Pointer to a buffer that receives the AES encryption output.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-AesEcbEncrypt (
-  IN   VOID         *AesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Performs AES decryption on a data buffer of the specified size in ECB mode.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]   AesContext  Pointer to the AES context.
-  @param[in]   Input       Pointer to the buffer containing the data to be decrypted.
-  @param[in]   InputSize   Size of the Input buffer in bytes.
-  @param[out]  Output      Pointer to a buffer that receives the AES decryption output.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-AesEcbDecrypt (
-  IN   VOID         *AesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
 /**
   Performs AES encryption on a data buffer of the specified size in CBC mode.
 
diff --git a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c b/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c
index a82adacf4f..d235422e7a 100644
--- a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c
+++ b/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptAesNull.c
@@ -50,58 +50,6 @@ AesInit (
   return FALSE;
 }
 
-/**
-  Performs AES encryption on a data buffer of the specified size in ECB mode.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]   AesContext  Pointer to the AES context.
-  @param[in]   Input       Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize   Size of the Input buffer in bytes.
-  @param[out]  Output      Pointer to a buffer that receives the AES encryption output.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-AesEcbEncrypt (
-  IN   VOID         *AesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Performs AES decryption on a data buffer of the specified size in ECB mode.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]   AesContext  Pointer to the AES context.
-  @param[in]   Input       Pointer to the buffer containing the data to be decrypted.
-  @param[in]   InputSize   Size of the Input buffer in bytes.
-  @param[out]  Output      Pointer to a buffer that receives the AES decryption output.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-AesEcbDecrypt (
-  IN   VOID         *AesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
 /**
   Performs AES encryption on a data buffer of the specified size in CBC mode.
 
diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index 43ee4e0841..c937f8540d 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -1518,82 +1518,6 @@ AesInit (
   CALL_CRYPTO_SERVICE (AesInit, (AesContext, Key, KeyLength), FALSE);
 }
 
-/**
-  Performs AES encryption on a data buffer of the specified size in ECB mode.
-
-  This function performs AES encryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (16 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  AesContext should be already correctly initialized by AesInit(). Behavior with
-  invalid AES context is undefined.
-
-  If AesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (16 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   AesContext  Pointer to the AES context.
-  @param[in]   Input       Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize   Size of the Input buffer in bytes.
-  @param[out]  Output      Pointer to a buffer that receives the AES encryption output.
-
-  @retval TRUE   AES encryption succeeded.
-  @retval FALSE  AES encryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-AesEcbEncrypt (
-  IN   VOID         *AesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  )
-{
-  CALL_CRYPTO_SERVICE (AesEcbEncrypt, (AesContext, Input, InputSize, Output), FALSE);
-}
-
-/**
-  Performs AES decryption on a data buffer of the specified size in ECB mode.
-
-  This function performs AES decryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (16 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  AesContext should be already correctly initialized by AesInit(). Behavior with
-  invalid AES context is undefined.
-
-  If AesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (16 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   AesContext  Pointer to the AES context.
-  @param[in]   Input       Pointer to the buffer containing the data to be decrypted.
-  @param[in]   InputSize   Size of the Input buffer in bytes.
-  @param[out]  Output      Pointer to a buffer that receives the AES decryption output.
-
-  @retval TRUE   AES decryption succeeded.
-  @retval FALSE  AES decryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-AesEcbDecrypt (
-  IN   VOID         *AesContext,
-  IN   CONST UINT8  *Input,
-  IN   UINTN        InputSize,
-  OUT  UINT8        *Output
-  )
-{
-  CALL_CRYPTO_SERVICE (AesEcbDecrypt, (AesContext, Input, InputSize, Output), FALSE);
-}
-
 /**
   Performs AES encryption on a data buffer of the specified size in CBC mode.
 
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLib.inf b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
index d66f1cb03f..c8ec9454bd 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLib.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLib.inf
@@ -29,7 +29,6 @@
   $(OPENSSL_PATH)/crypto/aes/aes_cbc.c
   $(OPENSSL_PATH)/crypto/aes/aes_cfb.c
   $(OPENSSL_PATH)/crypto/aes/aes_core.c
-  $(OPENSSL_PATH)/crypto/aes/aes_ecb.c
   $(OPENSSL_PATH)/crypto/aes/aes_ige.c
   $(OPENSSL_PATH)/crypto/aes/aes_misc.c
   $(OPENSSL_PATH)/crypto/aes/aes_ofb.c
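
Review bot: aes_ecb.c is removed from this file list (and from OpensslLibCrypto.inf below) with no matching change to process_files.pl in this patch, whereas the TDES patch earlier in the series changed the script. If this list is the part of the .inf that the script generates, the next regeneration will bring aes_ecb.c back. Either make the removal reproducible from the script or leave the OpenSSL source list alone and retire only the BaseCryptLib wrappers.
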
diff --git a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
index 5788d13cf7..2f232e3e12 100644
--- a/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
+++ b/CryptoPkg/Library/OpensslLib/OpensslLibCrypto.inf
@@ -29,7 +29,6 @@
   $(OPENSSL_PATH)/crypto/aes/aes_cbc.c
   $(OPENSSL_PATH)/crypto/aes/aes_cfb.c
   $(OPENSSL_PATH)/crypto/aes/aes_core.c
-  $(OPENSSL_PATH)/crypto/aes/aes_ecb.c
   $(OPENSSL_PATH)/crypto/aes/aes_ige.c
   $(OPENSSL_PATH)/crypto/aes/aes_misc.c
   $(OPENSSL_PATH)/crypto/aes/aes_ofb.c
diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h
index a30660c192..e76ff623a5 100644
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@@ -2498,69 +2498,22 @@ BOOLEAN
   );
 
 /**
-  Performs AES encryption on a data buffer of the specified size in ECB mode.
-
-  This function performs AES encryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (16 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  AesContext should be already correctly initialized by AesInit(). Behavior with
-  invalid AES context is undefined.
-
-  If AesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (16 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   AesContext  Pointer to the AES context.
-  @param[in]   Input       Pointer to the buffer containing the data to be encrypted.
-  @param[in]   InputSize   Size of the Input buffer in bytes.
-  @param[out]  Output      Pointer to a buffer that receives the AES encryption output.
-
-  @retval TRUE   AES encryption succeeded.
-  @retval FALSE  AES encryption failed.
-  @retval FALSE  This interface is not supported.
+  AES ECB Mode is deprecated and unsupported any longer.
+  Keep the function field for binary compability.
 
 **/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_AES_ECB_ENCRYPT) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_AES_ECB_ENCRYPT) (
   IN   VOID         *AesContext,
   IN   CONST UINT8  *Input,
   IN   UINTN        InputSize,
   OUT  UINT8        *Output
   );
 
-/**
-  Performs AES decryption on a data buffer of the specified size in ECB mode.
-
-  This function performs AES decryption on data buffer pointed by Input, of specified
-  size of InputSize, in ECB mode.
-  InputSize must be multiple of block size (16 bytes). This function does not perform
-  padding. Caller must perform padding, if necessary, to ensure valid input data size.
-  AesContext should be already correctly initialized by AesInit(). Behavior with
-  invalid AES context is undefined.
-
-  If AesContext is NULL, then return FALSE.
-  If Input is NULL, then return FALSE.
-  If InputSize is not multiple of block size (16 bytes), then return FALSE.
-  If Output is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]   AesContext  Pointer to the AES context.
-  @param[in]   Input       Pointer to the buffer containing the data to be decrypted.
-  @param[in]   InputSize   Size of the Input buffer in bytes.
-  @param[out]  Output      Pointer to a buffer that receives the AES decryption output.
-
-  @retval TRUE   AES decryption succeeded.
-  @retval FALSE  AES decryption failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_AES_ECB_DECRYPT) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_AES_ECB_DECRYPT) (
   IN   VOID         *AesContext,
   IN   CONST UINT8  *Input,
   IN   UINTN        InputSize,
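
Review bot: "compability" in the new comment should be "compatibility" (the same typo is in the Crypto.c comment), and the DEPRECATED_EDKII_CRYPTO_AES_ECB_DECRYPT typedef loses its comment block entirely instead of getting the short deprecation note that the encrypt typedef received. Please give both typedefs the same two-line comment.
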
@@ -3779,11 +3732,11 @@ struct _EDKII_CRYPTO_PROTOCOL {
   DEPRECATED_EDKII_CRYPTO_TDES_ECB_DECRYPT        DeprecatedTdesEcbDecrypt;
   DEPRECATED_EDKII_CRYPTO_TDES_CBC_ENCRYPT        DeprecatedTdesCbcEncrypt;
   DEPRECATED_EDKII_CRYPTO_TDES_CBC_DECRYPT        DeprecatedTdesCbcDecrypt;
-  /// AES
+  /// AES - ECB Mode is deprecated and unsupported
   EDKII_CRYPTO_AES_GET_CONTEXT_SIZE               AesGetContextSize;
   EDKII_CRYPTO_AES_INIT                           AesInit;
-  EDKII_CRYPTO_AES_ECB_ENCRYPT                    AesEcbEncrypt;
-  EDKII_CRYPTO_AES_ECB_DECRYPT                    AesEcbDecrypt;
+  DEPRECATED_EDKII_CRYPTO_AES_ECB_ENCRYPT         DeprecatedAesEcbEncrypt;
+  DEPRECATED_EDKII_CRYPTO_AES_ECB_DECRYPT         DeprecatedAesEcbDecrypt;
   EDKII_CRYPTO_AES_CBC_ENCRYPT                    AesCbcEncrypt;
   EDKII_CRYPTO_AES_CBC_DECRYPT                    AesCbcDecrypt;
   /// Arc4 - deprecated and unsupported
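
Review bot: Nothing in the struct says why the two Deprecated AES members must stay where they are. They sit between AesInit and AesCbcEncrypt, so removing or reordering them later would shift every following member; a one-line comment saying the slots are kept as placeholders and must not be reused would guard against that. The comment here also says "ECB Mode" while the matching one in Crypto.c says "ECB mode"; please pick one spelling.
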
-- 
2.21.0.windows.1



* [PATCH V4 09/11] CryptoPkg/BaseCryptLib: Retire HMAC MD5 algorithm
  2020-05-11 18:27 [PATCH V4 00/11] CryptoPkg: Retire the deprecated functions Gao, Zhichao
                   ` (7 preceding siblings ...)
  2020-05-11 18:27 ` [PATCH V4 08/11] CryptoPkg/BaseCryptLib: Retire Aes Ecb mode algorithm Gao, Zhichao
@ 2020-05-11 18:27 ` Gao, Zhichao
  2020-05-11 18:27 ` [PATCH V4 10/11] CryptoPkg/BaseCryptLib: Retire HMAC SHA1 algorithm Gao, Zhichao
                   ` (2 subsequent siblings)
  11 siblings, 0 replies; 18+ messages in thread
From: Gao, Zhichao @ 2020-05-11 18:27 UTC (permalink / raw)
  To: devel
  Cc: Jian J Wang, Xiaoyu Lu, Siyuan Fu, Michael D Kinney, Jiewen Yao,
	Philippe Mathieu-Daude

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898

HMAC MD5 is not secure any longer.
Remove the HMAC MD5 support from edk2.
Change the HMAC MD5 field name in EDKII_CRYPTO_PROTOCOL to indicate the
function is no longer supported.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Philippe Mathieu-Daude <philmd@redhat.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
 CryptoPkg/CryptoPkg.dsc                       |   1 -
 CryptoPkg/Driver/Crypto.c                     | 128 ++---------
 CryptoPkg/Include/Library/BaseCryptLib.h      | 133 -----------
 .../Library/BaseCryptLib/BaseCryptLib.inf     |   1 -
 .../Library/BaseCryptLib/Hmac/CryptHmacMd5.c  | 216 ------------------
 .../BaseCryptLib/Hmac/CryptHmacMd5Null.c      | 139 -----------
 .../Library/BaseCryptLib/PeiCryptLib.inf      |   3 +-
 .../Library/BaseCryptLib/PeiCryptLib.uni      |   4 +-
 .../Library/BaseCryptLib/RuntimeCryptLib.inf  |   3 +-
 .../Library/BaseCryptLib/RuntimeCryptLib.uni  |   4 +-
 .../Library/BaseCryptLib/SmmCryptLib.inf      |   3 +-
 .../Library/BaseCryptLib/SmmCryptLib.uni      |   4 +-
 .../BaseCryptLibNull/BaseCryptLibNull.inf     |   1 -
 .../BaseCryptLibNull/Hmac/CryptHmacMd5Null.c  | 139 -----------
 .../BaseCryptLibOnProtocolPpi/CryptLib.c      | 151 ------------
 CryptoPkg/Private/Protocol/Crypto.h           | 117 ++--------
 16 files changed, 45 insertions(+), 1002 deletions(-)
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c

diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
index 1f68cc633b..9ddf73f9fa 100644
--- a/CryptoPkg/CryptoPkg.dsc
+++ b/CryptoPkg/CryptoPkg.dsc
@@ -137,7 +137,6 @@
   gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x06
 
 !if $(CRYPTO_SERVICES) IN "PACKAGE ALL"
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacMd5.Family                           | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family                          | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family                        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family                               | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index 7d462ff068..3d6c8f4d38 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -1105,154 +1105,68 @@ CryptoServiceSm3HashAll (
 //=====================================================================================
 
 /**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5 use.
-
-  If this interface is not supported, then return NULL.
-
-  @return  Pointer to the HMAC_CTX context that has been initialized.
-           If the allocations fails, HmacMd5New() returns NULL.
-  @retval  NULL  This interface is not supported.
+  HMAC MD5 is deprecated and unsupported any longer.
+  Keep the function field for binary compability.
 
 **/
 VOID *
 EFIAPI
-CryptoServiceHmacMd5New (
+DeprecatedCryptoServiceHmacMd5New (
   VOID
   )
 {
-  return CALL_BASECRYPTLIB (HmacMd5.Services.New, HmacMd5New, (), NULL);
+  return BaseCryptLibServiceDeprecated ("HmacMd5New"), NULL;
 }
 
-/**
-  Release the specified HMAC_CTX context.
-
-  If this interface is not supported, then do nothing.
-
-  @param[in]  HmacMd5Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
 VOID
 EFIAPI
-CryptoServiceHmacMd5Free (
+DeprecatedCryptoServiceHmacMd5Free (
   IN  VOID  *HmacMd5Ctx
   )
 {
-  CALL_VOID_BASECRYPTLIB (HmacMd5.Services.Free, HmacMd5Free, (HmacMd5Ctx));
+  BaseCryptLibServiceDeprecated ("HmacMd5Free");
 }
 
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacMd5Update().
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  HmacMd5Context  Pointer to HMAC-MD5 context.
-  @param[in]   Key             Pointer to the user-supplied key.
-  @param[in]   KeySize         Key size in bytes.
-
-  @retval TRUE   Key is set successfully.
-  @retval FALSE  Key is set unsuccessfully.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceHmacMd5SetKey (
+DeprecatedCryptoServiceHmacMd5SetKey (
   OUT  VOID         *HmacMd5Context,
   IN   CONST UINT8  *Key,
   IN   UINTN        KeySize
   )
 {
-  return CALL_BASECRYPTLIB (HmacMd5.Services.SetKey, HmacMd5SetKey, (HmacMd5Context, Key, KeySize), FALSE);
+  return BaseCryptLibServiceDeprecated ("HmacMd5SetKey"), FALSE;
 }
 
-/**
-  Makes a copy of an existing HMAC-MD5 context.
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If NewHmacMd5Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]  HmacMd5Context     Pointer to HMAC-MD5 context being copied.
-  @param[out] NewHmacMd5Context  Pointer to new HMAC-MD5 context.
-
-  @retval TRUE   HMAC-MD5 context copy succeeded.
-  @retval FALSE  HMAC-MD5 context copy failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceHmacMd5Duplicate (
+DeprecatedCryptoServiceHmacMd5Duplicate (
   IN   CONST VOID  *HmacMd5Context,
   OUT  VOID        *NewHmacMd5Context
   )
 {
-  return CALL_BASECRYPTLIB (HmacMd5.Services.Duplicate, HmacMd5Duplicate, (HmacMd5Context, NewHmacMd5Context), FALSE);
+  return BaseCryptLibServiceDeprecated ("HmacMd5Duplicate"), FALSE;
 }
 
-/**
-  Digests the input data and updates HMAC-MD5 context.
-
-  This function performs HMAC-MD5 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  HMAC-MD5 context should be initialized by HmacMd5New(), and should not be finalized by
-  HmacMd5Final(). Behavior with invalid context is undefined.
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval TRUE   HMAC-MD5 data digest succeeded.
-  @retval FALSE  HMAC-MD5 data digest failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceHmacMd5Update (
+DeprecatedCryptoServiceHmacMd5Update (
   IN OUT  VOID        *HmacMd5Context,
   IN      CONST VOID  *Data,
   IN      UINTN       DataSize
   )
 {
-  return CALL_BASECRYPTLIB (HmacMd5.Services.Update, HmacMd5Update, (HmacMd5Context, Data, DataSize), FALSE);
+  return BaseCryptLibServiceDeprecated ("HmacMd5Update"), FALSE;
 }
 
-/**
-  Completes computation of the HMAC-MD5 digest value.
-
-  This function completes HMAC-MD5 hash computation and retrieves the digest value into
-  the specified memory. After this function has been called, the HMAC-MD5 context cannot
-  be used again.
-  HMAC-MD5 context should be initialized by HmacMd5New(), and should not be finalized by
-  HmacMd5Final(). Behavior with invalid HMAC-MD5 context is undefined.
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If HmacValue is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
-  @param[out]      HmacValue       Pointer to a buffer that receives the HMAC-MD5 digest
-                                   value (16 bytes).
-
-  @retval TRUE   HMAC-MD5 digest computation succeeded.
-  @retval FALSE  HMAC-MD5 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceHmacMd5Final (
+DeprecatedCryptoServiceHmacMd5Final (
   IN OUT  VOID   *HmacMd5Context,
   OUT     UINT8  *HmacValue
   )
 {
-  return CALL_BASECRYPTLIB (HmacMd5.Services.Final, HmacMd5Final, (HmacMd5Context, HmacValue), FALSE);
+  return BaseCryptLibServiceDeprecated ("HmacMd5Final"), FALSE;
 }
 
 /**
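Review bot: The five stubs after DeprecatedCryptoServiceHmacMd5New (Free, SetKey, Duplicate, Update and Final) are left with no function header comment at all, and the one header that remains misspells "compatibility" as "compability". Each stub should carry a short header saying that the slot is kept only for binary compatibility and what the caller gets back (NULL, FALSE, or nothing), because a consumer reading Crypto.c can no longer learn the failure contract from the removed @retval text. The form `return BaseCryptLibServiceDeprecated ("HmacMd5New"), NULL;` also leans on the comma operator; calling the helper on its own line and then returning the constant would read more plainly and would match the style of the void stub for Free.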
@@ -4051,13 +3965,13 @@ CryptoServiceTlsGetCertRevocationList (
 const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
   /// Version
   CryptoServiceGetCryptoVersion,
-  /// HMAC MD5
-  CryptoServiceHmacMd5New,
-  CryptoServiceHmacMd5Free,
-  CryptoServiceHmacMd5SetKey,
-  CryptoServiceHmacMd5Duplicate,
-  CryptoServiceHmacMd5Update,
-  CryptoServiceHmacMd5Final,
+  /// HMAC MD5 - deprecated and unsupported
+  DeprecatedCryptoServiceHmacMd5New,
+  DeprecatedCryptoServiceHmacMd5Free,
+  DeprecatedCryptoServiceHmacMd5SetKey,
+  DeprecatedCryptoServiceHmacMd5Duplicate,
+  DeprecatedCryptoServiceHmacMd5Update,
+  DeprecatedCryptoServiceHmacMd5Final,
   /// HMAC SHA1
   CryptoServiceHmacSha1New,
   CryptoServiceHmacSha1Free,
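Review bot: The initializer of mEdkiiCrypto is positional, so keeping six Deprecated* entries in the HMAC MD5 slots is what keeps every later member at its old offset, but the only hint of that is the "deprecated and unsupported" label. A comment at this table (or on the matching fields in Crypto.h) stating that deprecated entries must stay in place and must never be removed or reordered would stop a later cleanup from deleting them and silently shifting HMAC SHA1 and everything after it.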
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index 86175c7a8a..b99401661c 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -880,139 +880,6 @@ Sm3HashAll (
 //    MAC (Message Authentication Code) Primitive
 //=====================================================================================
 
-/**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5 use.
-
-  If this interface is not supported, then return NULL.
-
-  @return  Pointer to the HMAC_CTX context that has been initialized.
-           If the allocations fails, HmacMd5New() returns NULL.
-  @retval  NULL  This interface is not supported.
-
-**/
-VOID *
-EFIAPI
-HmacMd5New (
-  VOID
-  );
-
-/**
-  Release the specified HMAC_CTX context.
-
-  If this interface is not supported, then do nothing.
-
-  @param[in]  HmacMd5Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacMd5Free (
-  IN  VOID  *HmacMd5Ctx
-  );
-
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacMd5Update().
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  HmacMd5Context  Pointer to HMAC-MD5 context.
-  @param[in]   Key             Pointer to the user-supplied key.
-  @param[in]   KeySize         Key size in bytes.
-
-  @retval TRUE   Key is set successfully.
-  @retval FALSE  Key is set unsuccessfully.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5SetKey (
-  OUT  VOID         *HmacMd5Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  );
-
-/**
-  Makes a copy of an existing HMAC-MD5 context.
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If NewHmacMd5Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]  HmacMd5Context     Pointer to HMAC-MD5 context being copied.
-  @param[out] NewHmacMd5Context  Pointer to new HMAC-MD5 context.
-
-  @retval TRUE   HMAC-MD5 context copy succeeded.
-  @retval FALSE  HMAC-MD5 context copy failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Duplicate (
-  IN   CONST VOID  *HmacMd5Context,
-  OUT  VOID        *NewHmacMd5Context
-  );
-
-/**
-  Digests the input data and updates HMAC-MD5 context.
-
-  This function performs HMAC-MD5 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  HMAC-MD5 context should be initialized by HmacMd5New(), and should not be finalized by
-  HmacMd5Final(). Behavior with invalid context is undefined.
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval TRUE   HMAC-MD5 data digest succeeded.
-  @retval FALSE  HMAC-MD5 data digest failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Update (
-  IN OUT  VOID        *HmacMd5Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  );
-
-/**
-  Completes computation of the HMAC-MD5 digest value.
-
-  This function completes HMAC-MD5 hash computation and retrieves the digest value into
-  the specified memory. After this function has been called, the HMAC-MD5 context cannot
-  be used again.
-  HMAC-MD5 context should be initialized by HmacMd5New(), and should not be finalized by
-  HmacMd5Final(). Behavior with invalid HMAC-MD5 context is undefined.
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If HmacValue is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
-  @param[out]      HmacValue       Pointer to a buffer that receives the HMAC-MD5 digest
-                                   value (16 bytes).
-
-  @retval TRUE   HMAC-MD5 digest computation succeeded.
-  @retval FALSE  HMAC-MD5 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Final (
-  IN OUT  VOID   *HmacMd5Context,
-  OUT     UINT8  *HmacValue
-  );
-
 /**
   Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
 
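Review bot: Dropping all six HmacMd5* prototypes from the public BaseCryptLib.h makes any remaining direct caller fail at build time, while callers that go through EDKII_CRYPTO_PROTOCOL only see NULL or FALSE at run time from the stubs in Crypto.c, and the commit message describes neither effect nor names a replacement. The commit message should say that the library API is removed outright and point callers at an HMAC that stays in the package, for example the HmacSha256 family whose source file is still listed in BaseCryptLib.inf in this patch.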
diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
index 2de8e9c346..33d7c13bff 100644
--- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -34,7 +34,6 @@
   Hash/CryptSha256.c
   Hash/CryptSha512.c
   Hash/CryptSm3.c
-  Hmac/CryptHmacMd5.c
   Hmac/CryptHmacSha1.c
   Hmac/CryptHmacSha256.c
   Kdf/CryptHkdf.c
diff --git a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c
deleted file mode 100644
index da46ce09f4..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c
+++ /dev/null
@@ -1,216 +0,0 @@
-/** @file
-  HMAC-MD5 Wrapper Implementation over OpenSSL.
-
-Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-#include <openssl/hmac.h>
-
-/**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5 use.
-
-  @return  Pointer to the HMAC_CTX context that has been initialized.
-           If the allocations fails, HmacMd5New() returns NULL.
-
-**/
-VOID *
-EFIAPI
-HmacMd5New (
-  VOID
-  )
-{
-  //
-  // Allocates & Initializes HMAC_CTX Context by OpenSSL HMAC_CTX_new()
-  //
-  return (VOID *) HMAC_CTX_new ();
-}
-
-/**
-  Release the specified HMAC_CTX context.
-
-  @param[in]  HmacMd5Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacMd5Free (
-  IN  VOID  *HmacMd5Ctx
-  )
-{
-  //
-  // Free OpenSSL HMAC_CTX Context
-  //
-  HMAC_CTX_free ((HMAC_CTX *)HmacMd5Ctx);
-}
-
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacMd5Update().
-
-  If HmacMd5Context is NULL, then return FALSE.
-
-  @param[out]  HmacMd5Context  Pointer to HMAC-MD5 context.
-  @param[in]   Key             Pointer to the user-supplied key.
-  @param[in]   KeySize         Key size in bytes.
-
-  @retval TRUE   Key is set successfully.
-  @retval FALSE  Key is set unsuccessfully.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5SetKey (
-  OUT  VOID         *HmacMd5Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  )
-{
-  //
-  // Check input parameters.
-  //
-  if (HmacMd5Context == NULL || KeySize > INT_MAX) {
-    return FALSE;
-  }
-
-  if (HMAC_Init_ex ((HMAC_CTX *)HmacMd5Context, Key, (UINT32) KeySize, EVP_md5(), NULL) != 1) {
-    return FALSE;
-  }
-
-  return TRUE;
-}
-
-/**
-  Makes a copy of an existing HMAC-MD5 context.
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If NewHmacMd5Context is NULL, then return FALSE.
-
-  @param[in]  HmacMd5Context     Pointer to HMAC-MD5 context being copied.
-  @param[out] NewHmacMd5Context  Pointer to new HMAC-MD5 context.
-
-  @retval TRUE   HMAC-MD5 context copy succeeded.
-  @retval FALSE  HMAC-MD5 context copy failed.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Duplicate (
-  IN   CONST VOID  *HmacMd5Context,
-  OUT  VOID        *NewHmacMd5Context
-  )
-{
-  //
-  // Check input parameters.
-  //
-  if (HmacMd5Context == NULL || NewHmacMd5Context == NULL) {
-    return FALSE;
-  }
-
-  if (HMAC_CTX_copy ((HMAC_CTX *)NewHmacMd5Context, (HMAC_CTX *)HmacMd5Context) != 1) {
-    return FALSE;
-  }
-
-  return TRUE;
-}
-
-/**
-  Digests the input data and updates HMAC-MD5 context.
-
-  This function performs HMAC-MD5 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  HMAC-MD5 context should be initialized by HmacMd5New(), and should not be finalized by
-  HmacMd5Final(). Behavior with invalid context is undefined.
-
-  If HmacMd5Context is NULL, then return FALSE.
-
-  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval TRUE   HMAC-MD5 data digest succeeded.
-  @retval FALSE  HMAC-MD5 data digest failed.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Update (
-  IN OUT  VOID        *HmacMd5Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  )
-{
-  //
-  // Check input parameters.
-  //
-  if (HmacMd5Context == NULL) {
-    return FALSE;
-  }
-
-  //
-  // Check invalid parameters, in case that only DataLength was checked in OpenSSL
-  //
-  if (Data == NULL && DataSize != 0) {
-    return FALSE;
-  }
-
-  //
-  // OpenSSL HMAC-MD5 digest update
-  //
-  if (HMAC_Update ((HMAC_CTX *)HmacMd5Context, Data, DataSize) != 1) {
-    return FALSE;
-  }
-
-  return TRUE;
-}
-
-/**
-  Completes computation of the HMAC-MD5 digest value.
-
-  This function completes HMAC-MD5 digest computation and retrieves the digest value into
-  the specified memory. After this function has been called, the HMAC-MD5 context cannot
-  be used again.
-  HMAC-MD5 context should be initialized by HmacMd5New(), and should not be finalized by
-  HmacMd5Final(). Behavior with invalid HMAC-MD5 context is undefined.
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If HmacValue is NULL, then return FALSE.
-
-  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
-  @param[out]      HmacValue       Pointer to a buffer that receives the HMAC-MD5 digest
-                                   value (16 bytes).
-
-  @retval TRUE   HMAC-MD5 digest computation succeeded.
-  @retval FALSE  HMAC-MD5 digest computation failed.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Final (
-  IN OUT  VOID   *HmacMd5Context,
-  OUT     UINT8  *HmacValue
-  )
-{
-  UINT32  Length;
-
-  //
-  // Check input parameters.
-  //
-  if (HmacMd5Context == NULL || HmacValue == NULL) {
-    return FALSE;
-  }
-
-  //
-  // OpenSSL HMAC-MD5 digest finalization
-  //
-  if (HMAC_Final ((HMAC_CTX *)HmacMd5Context, HmacValue, &Length) != 1) {
-    return FALSE;
-  }
-  if (HMAC_CTX_reset ((HMAC_CTX *)HmacMd5Context) != 1) {
-    return FALSE;
-  }
-
-  return TRUE;
-}
diff --git a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c
deleted file mode 100644
index 5de55bf0d5..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c
+++ /dev/null
@@ -1,139 +0,0 @@
-/** @file
-  HMAC-MD5 Wrapper Implementation which does not provide real capabilities.
-
-Copyright (c) 2012 - 2020, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-
-/**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5 use.
-
-  Return NULL to indicate this interface is not supported.
-
-  @retval NULL  This interface is not supported.
-
-**/
-VOID *
-EFIAPI
-HmacMd5New (
-  VOID
-  )
-{
-  ASSERT (FALSE);
-  return NULL;
-}
-
-/**
-  Release the specified HMAC_CTX context.
-
-  This function will do nothing.
-
-  @param[in]  HmacMd5Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacMd5Free (
-  IN  VOID  *HmacMd5Ctx
-  )
-{
-  ASSERT (FALSE);
-  return;
-}
-
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacMd5Update().
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[out]  HmacMd5Context  Pointer to HMAC-MD5 context.
-  @param[in]   Key             Pointer to the user-supplied key.
-  @param[in]   KeySize         Key size in bytes.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5SetKey (
-  OUT  VOID         *HmacMd5Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Makes a copy of an existing HMAC-MD5 context.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]  HmacMd5Context     Pointer to HMAC-MD5 context being copied.
-  @param[out] NewHmacMd5Context  Pointer to new HMAC-MD5 context.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Duplicate (
-  IN   CONST VOID  *HmacMd5Context,
-  OUT  VOID        *NewHmacMd5Context
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Digests the input data and updates HMAC-MD5 context.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Update (
-  IN OUT  VOID        *HmacMd5Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Completes computation of the HMAC-MD5 digest value.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
-  @param[out]      HmacValue       Pointer to a buffer that receives the HMAC-MD5 digest
-                                   value (16 bytes).
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Final (
-  IN OUT  VOID   *HmacMd5Context,
-  OUT     UINT8  *HmacValue
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
index f631f8d879..2a630ef290 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
@@ -7,7 +7,7 @@
 #  buffer overflow or integer overflow.
 #
 #  Note:
-#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES functions, RSA external
+#  HMAC-SHA1/SHA256 functions, AES functions, RSA external
 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509
 #  certificate handler functions, authenticode signature verification functions,
 #  PEM handler functions, and pseudorandom number generator functions are not
@@ -40,7 +40,6 @@
   Hash/CryptSha256.c
   Hash/CryptSm3.c
   Hash/CryptSha512.c
-  Hmac/CryptHmacMd5Null.c
   Hmac/CryptHmacSha1Null.c
   Hmac/CryptHmacSha256Null.c
   Kdf/CryptHkdfNull.c
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
index c906935d3d..95c71a8ae2 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
@@ -6,7 +6,7 @@
 // This external input must be validated carefully to avoid security issues such as
 // buffer overflow or integer overflow.
 //
-// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES
+// Note: HMAC-SHA1 functions, AES
 // functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, X.509 certificate handler functions, authenticode
 // signature verification functions, PEM handler functions, and pseudorandom number
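Review bot: The edited Note line lists only "HMAC-SHA1 functions" as unsupported, but the PeiCryptLib.inf header changed in this same patch says "HMAC-SHA1/SHA256 functions", and that .inf builds Hmac/CryptHmacSha256Null.c. Since the line is being rewritten anyway, the .uni comment and the STR_MODULE_DESCRIPTION string in the next hunk should be brought in line with the .inf so the two descriptions of the PEI instance do not disagree about HMAC-SHA256.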
@@ -21,5 +21,5 @@
 
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for PEIM"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."
 
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
index 672e19299c..1642521087 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
@@ -7,7 +7,7 @@
 #  buffer overflow or integer overflow.
 #
 #  Note: SHA-384 Digest functions, SHA-512 Digest functions,
-#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES functions, RSA external
+#  HMAC-SHA1/SHA256 functions, AES functions, RSA external
 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
 #  authenticode signature verification functions are not supported in this instance.
 #
@@ -40,7 +40,6 @@
   Hash/CryptSha256.c
   Hash/CryptSm3.c
   Hash/CryptSha512Null.c
-  Hmac/CryptHmacMd5Null.c
   Hmac/CryptHmacSha1Null.c
   Hmac/CryptHmacSha256Null.c
   Kdf/CryptHkdfNull.c
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
index 0a3bb1c04f..f7e1acb3a7 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
@@ -6,7 +6,7 @@
 // This external input must be validated carefully to avoid security issues such as
 // buffer overflow or integer overflow.
 //
-// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES
+// Note: HMAC-SHA1 functions, AES
 // functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, and authenticode signature verification functions are
 // not supported in this instance.
@@ -20,5 +20,5 @@
 
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for DXE_RUNTIME_DRIVER"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
 
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
index cc3556ae3f..ec9c8e7c05 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
@@ -7,7 +7,7 @@
 #  buffer overflow or integer overflow.
 #
 #  Note: SHA-384 Digest functions, SHA-512 Digest functions,
-#  HMAC-MD5 functions, HMAC-SHA1 functions, RSA external
+#  HMAC-SHA1 functions, RSA external
 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
 #  authenticode signature verification functions are not supported in this instance.
 #
@@ -39,7 +39,6 @@
   Hash/CryptSha256.c
   Hash/CryptSm3.c
   Hash/CryptSha512Null.c
-  Hmac/CryptHmacMd5Null.c
   Hmac/CryptHmacSha1Null.c
   Hmac/CryptHmacSha256.c
   Kdf/CryptHkdfNull.c
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
index 2e362c635f..8eb3acac93 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
@@ -6,7 +6,7 @@
 // This external input must be validated carefully to avoid security issues such as
 // buffer overflow or integer overflow.
 //
-// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES
+// Note: HMAC-SHA1 functions, AES
 // functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, and authenticode signature verification functions are
 // not supported in this instance.
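Review bot: The Note line keeps "AES functions" in the unsupported list, while the SmmCryptLib.inf header edited in this patch reads "HMAC-SHA1 functions, RSA external functions, ..." with no mention of AES, so the two files describe the SMM instance differently. One of them is stale; please confirm which and correct it here and in STR_MODULE_DESCRIPTION while the line is open for editing.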
@@ -20,5 +20,5 @@
 
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for SMM driver"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
 
diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
index 04b552f8b7..558ccfc002 100644
--- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
+++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
@@ -34,7 +34,6 @@
   Hash/CryptSha256Null.c
   Hash/CryptSha512Null.c
   Hash/CryptSm3Null.c
-  Hmac/CryptHmacMd5Null.c
   Hmac/CryptHmacSha1Null.c
   Hmac/CryptHmacSha256Null.c
   Kdf/CryptHkdfNull.c
diff --git a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c b/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c
deleted file mode 100644
index 5de55bf0d5..0000000000
--- a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c
+++ /dev/null
@@ -1,139 +0,0 @@
-/** @file
-  HMAC-MD5 Wrapper Implementation which does not provide real capabilities.
-
-Copyright (c) 2012 - 2020, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-
-/**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5 use.
-
-  Return NULL to indicate this interface is not supported.
-
-  @retval NULL  This interface is not supported.
-
-**/
-VOID *
-EFIAPI
-HmacMd5New (
-  VOID
-  )
-{
-  ASSERT (FALSE);
-  return NULL;
-}
-
-/**
-  Release the specified HMAC_CTX context.
-
-  This function will do nothing.
-
-  @param[in]  HmacMd5Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacMd5Free (
-  IN  VOID  *HmacMd5Ctx
-  )
-{
-  ASSERT (FALSE);
-  return;
-}
-
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacMd5Update().
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[out]  HmacMd5Context  Pointer to HMAC-MD5 context.
-  @param[in]   Key             Pointer to the user-supplied key.
-  @param[in]   KeySize         Key size in bytes.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5SetKey (
-  OUT  VOID         *HmacMd5Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Makes a copy of an existing HMAC-MD5 context.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]  HmacMd5Context     Pointer to HMAC-MD5 context being copied.
-  @param[out] NewHmacMd5Context  Pointer to new HMAC-MD5 context.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Duplicate (
-  IN   CONST VOID  *HmacMd5Context,
-  OUT  VOID        *NewHmacMd5Context
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Digests the input data and updates HMAC-MD5 context.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Update (
-  IN OUT  VOID        *HmacMd5Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Completes computation of the HMAC-MD5 digest value.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
-  @param[out]      HmacValue       Pointer to a buffer that receives the HMAC-MD5 digest
-                                   value (16 bytes).
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Final (
-  IN OUT  VOID   *HmacMd5Context,
-  OUT     UINT8  *HmacValue
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
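Review bot: With CryptHmacMd5Null.c deleted and its entry dropped from BaseCryptLibNull.inf, the Null instance no longer defines HmacMd5New() through HmacMd5Final(), so a module that still calls them now fails at link time instead of reaching ASSERT (FALSE) and a NULL/FALSE return. That is the stricter outcome, but the commit message should state that no remaining in-tree caller references these six symbols, since the visible hunks do not show it.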
diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index c937f8540d..dfe7fb7e91 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -1015,157 +1015,6 @@ Sm3HashAll (
 //    MAC (Message Authentication Code) Primitive
 //=====================================================================================
 
-/**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5 use.
-
-  If this interface is not supported, then return NULL.
-
-  @return  Pointer to the HMAC_CTX context that has been initialized.
-           If the allocations fails, HmacMd5New() returns NULL.
-  @retval  NULL  This interface is not supported.
-
-**/
-VOID *
-EFIAPI
-HmacMd5New (
-  VOID
-  )
-{
-  CALL_CRYPTO_SERVICE (HmacMd5New, (), NULL);
-}
-
-/**
-  Release the specified HMAC_CTX context.
-
-  If this interface is not supported, then do nothing.
-
-  @param[in]  HmacMd5Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacMd5Free (
-  IN  VOID  *HmacMd5Ctx
-  )
-{
-  CALL_VOID_CRYPTO_SERVICE (HmacMd5Free, (HmacMd5Ctx));
-}
-
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacMd5Update().
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  HmacMd5Context  Pointer to HMAC-MD5 context.
-  @param[in]   Key             Pointer to the user-supplied key.
-  @param[in]   KeySize         Key size in bytes.
-
-  @retval TRUE   Key is set successfully.
-  @retval FALSE  Key is set unsuccessfully.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5SetKey (
-  OUT  VOID         *HmacMd5Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  )
-{
-  CALL_CRYPTO_SERVICE (HmacMd5SetKey, (HmacMd5Context, Key, KeySize), FALSE);
-}
-
-/**
-  Makes a copy of an existing HMAC-MD5 context.
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If NewHmacMd5Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]  HmacMd5Context     Pointer to HMAC-MD5 context being copied.
-  @param[out] NewHmacMd5Context  Pointer to new HMAC-MD5 context.
-
-  @retval TRUE   HMAC-MD5 context copy succeeded.
-  @retval FALSE  HMAC-MD5 context copy failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Duplicate (
-  IN   CONST VOID  *HmacMd5Context,
-  OUT  VOID        *NewHmacMd5Context
-  )
-{
-  CALL_CRYPTO_SERVICE (HmacMd5Duplicate, (HmacMd5Context, NewHmacMd5Context), FALSE);
-}
-
-/**
-  Digests the input data and updates HMAC-MD5 context.
-
-  This function performs HMAC-MD5 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  HMAC-MD5 context should be initialized by HmacMd5New(), and should not be finalized by
-  HmacMd5Final(). Behavior with invalid context is undefined.
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval TRUE   HMAC-MD5 data digest succeeded.
-  @retval FALSE  HMAC-MD5 data digest failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Update (
-  IN OUT  VOID        *HmacMd5Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  )
-{
-  CALL_CRYPTO_SERVICE (HmacMd5Update, (HmacMd5Context, Data, DataSize), FALSE);
-}
-
-/**
-  Completes computation of the HMAC-MD5 digest value.
-
-  This function completes HMAC-MD5 hash computation and retrieves the digest value into
-  the specified memory. After this function has been called, the HMAC-MD5 context cannot
-  be used again.
-  HMAC-MD5 context should be initialized by HmacMd5New(), and should not be finalized by
-  HmacMd5Final(). Behavior with invalid HMAC-MD5 context is undefined.
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If HmacValue is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
-  @param[out]      HmacValue       Pointer to a buffer that receives the HMAC-MD5 digest
-                                   value (16 bytes).
-
-  @retval TRUE   HMAC-MD5 digest computation succeeded.
-  @retval FALSE  HMAC-MD5 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Final (
-  IN OUT  VOID   *HmacMd5Context,
-  OUT     UINT8  *HmacValue
-  )
-{
-  CALL_CRYPTO_SERVICE (HmacMd5Final, (HmacMd5Context, HmacValue), FALSE);
-}
-
 /**
   Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
 
diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h
index e76ff623a5..bd4cd7f383 100644
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@@ -43,135 +43,48 @@ UINTN
 //    MAC (Message Authentication Code) Primitive
 //=====================================================================================
 /**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5 use.
-
-  If this interface is not supported, then return NULL.
-
-  @return  Pointer to the HMAC_CTX context that has been initialized.
-           If the allocations fails, HmacMd5New() returns NULL.
-  @retval  NULL  This interface is not supported.
+  HMAC MD5 is deprecated and unsupported any longer.
+  Keep the function field for binary compability.
 
 **/
 typedef
 VOID*
-(EFIAPI *EDKII_CRYPTO_HMAC_MD5_NEW) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_NEW) (
   VOID
   );
 
-/**
-  Release the specified HMAC_CTX context.
-
-  If this interface is not supported, then do nothing.
-
-  @param[in]  HmacMd5Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
 typedef
 VOID
-(EFIAPI *EDKII_CRYPTO_HMAC_MD5_FREE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_FREE) (
   IN  VOID  *HmacMd5Ctx
   );
 
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacMd5Update().
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  HmacMd5Context  Pointer to HMAC-MD5 context.
-  @param[in]   Key             Pointer to the user-supplied key.
-  @param[in]   KeySize         Key size in bytes.
-
-  @retval TRUE   HMAC-MD5 context initialization succeeded.
-  @retval FALSE  HMAC-MD5 context initialization failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_HMAC_MD5_SET_KEY) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_SET_KEY) (
   OUT  VOID         *HmacMd5Context,
   IN   CONST UINT8  *Key,
   IN   UINTN        KeySize
   );
 
-/**
-  Makes a copy of an existing HMAC-MD5 context.
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If NewHmacMd5Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]  HmacMd5Context     Pointer to HMAC-MD5 context being copied.
-  @param[out] NewHmacMd5Context  Pointer to new HMAC-MD5 context.
-
-  @retval TRUE   HMAC-MD5 context copy succeeded.
-  @retval FALSE  HMAC-MD5 context copy failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_HMAC_MD5_DUPLICATE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_DUPLICATE) (
   IN   CONST VOID  *HmacMd5Context,
   OUT  VOID        *NewHmacMd5Context
   );
 
-/**
-  Digests the input data and updates HMAC-MD5 context.
-
-  This function performs HMAC-MD5 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  HMAC-MD5 context should be initialized by HmacMd5New(), and should not be finalized by
-  HmacMd5Final(). Behavior with invalid context is undefined.
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval TRUE   HMAC-MD5 data digest succeeded.
-  @retval FALSE  HMAC-MD5 data digest failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_HMAC_MD5_UPDATE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_UPDATE) (
   IN OUT  VOID        *HmacMd5Context,
   IN      CONST VOID  *Data,
   IN      UINTN       DataSize
   );
 
-
-/**
-  Completes computation of the HMAC-MD5 digest value.
-
-  This function completes HMAC-MD5 hash computation and retrieves the digest value into
-  the specified memory. After this function has been called, the HMAC-MD5 context cannot
-  be used again.
-  HMAC-MD5 context should be initialized by HmacMd5New(), and should not be finalized by
-  HmacMd5Final(). Behavior with invalid HMAC-MD5 context is undefined.
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If HmacValue is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
-  @param[out]      HmacValue       Pointer to a buffer that receives the HMAC-MD5 digest
-                                   value (16 bytes).
-
-  @retval TRUE   HMAC-MD5 digest computation succeeded.
-  @retval FALSE  HMAC-MD5 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_HMAC_MD5_FINAL) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_MD5_FINAL) (
   IN OUT  VOID   *HmacMd5Context,
   OUT     UINT8  *HmacValue
   );
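Review bot: The comment added at the top of this hunk misspells "compatibility" as "compability", and "deprecated and unsupported any longer" reads better as "deprecated and no longer supported". It is also attached only to DEPRECATED_EDKII_CRYPTO_HMAC_MD5_NEW; the FREE, SET_KEY, DUPLICATE, UPDATE and FINAL typedefs lose their doc comments and get nothing in return. Either repeat the one-line deprecation comment on each typedef or put a single block comment above the group that says it covers all six.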
@@ -3618,13 +3531,13 @@ EFI_STATUS
 struct _EDKII_CRYPTO_PROTOCOL {
   /// Version
   EDKII_CRYPTO_GET_VERSION                        GetVersion;
-  /// HMAC MD5
-  EDKII_CRYPTO_HMAC_MD5_NEW                       HmacMd5New;
-  EDKII_CRYPTO_HMAC_MD5_FREE                      HmacMd5Free;
-  EDKII_CRYPTO_HMAC_MD5_SET_KEY                   HmacMd5SetKey;
-  EDKII_CRYPTO_HMAC_MD5_DUPLICATE                 HmacMd5Duplicate;
-  EDKII_CRYPTO_HMAC_MD5_UPDATE                    HmacMd5Update;
-  EDKII_CRYPTO_HMAC_MD5_FINAL                     HmacMd5Final;
+  /// HMAC MD5 - deprecated and unsupported
+  DEPRECATED_EDKII_CRYPTO_HMAC_MD5_NEW            DeprecatedHmacMd5New;
+  DEPRECATED_EDKII_CRYPTO_HMAC_MD5_FREE           DeprecatedHmacMd5Free;
+  DEPRECATED_EDKII_CRYPTO_HMAC_MD5_SET_KEY        DeprecatedHmacMd5SetKey;
+  DEPRECATED_EDKII_CRYPTO_HMAC_MD5_DUPLICATE      DeprecatedHmacMd5Duplicate;
+  DEPRECATED_EDKII_CRYPTO_HMAC_MD5_UPDATE         DeprecatedHmacMd5Update;
+  DEPRECATED_EDKII_CRYPTO_HMAC_MD5_FINAL          DeprecatedHmacMd5Final;
   /// HMAC SHA1
   EDKII_CRYPTO_HMAC_SHA1_NEW                      HmacSha1New;
   EDKII_CRYPTO_HMAC_SHA1_FREE                     HmacSha1Free;
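Review bot: Renaming the six members to DeprecatedHmacMd5* keeps the slot count, order and pointer types after GetVersion, so the layout is unchanged for existing binaries, but it is a source-level break for any consumer that dereferences the protocol by the old member names. A binary built against the old header will still call through these slots and now get the deprecated behaviour, so the version update in patch 11/11 of this series should be documented as the way for a consumer to tell the two protocol revisions apart.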
-- 
2.21.0.windows.1



* [PATCH V4 10/11] CryptoPkg/BaseCryptLib: Retire HMAC SHA1 algorithm
  2020-05-11 18:27 [PATCH V4 00/11] CryptoPkg: Retire the deprecated functions Gao, Zhichao
                   ` (8 preceding siblings ...)
  2020-05-11 18:27 ` [PATCH V4 09/11] CryptoPkg/BaseCryptLib: Retire HMAC MD5 algorithm Gao, Zhichao
@ 2020-05-11 18:27 ` Gao, Zhichao
  2020-05-11 18:27 ` [PATCH V4 11/11] CryptoPkg/Crypto.h: Update the version of Crypto Driver Gao, Zhichao
  2020-05-13 13:48 ` [PATCH V4 00/11] CryptoPkg: Retire the deprecated functions Wang, Jian J
  11 siblings, 0 replies; 18+ messages in thread
From: Gao, Zhichao @ 2020-05-11 18:27 UTC (permalink / raw)
  To: devel
  Cc: Jian J Wang, Xiaoyu Lu, Siyuan Fu, Michael D Kinney, Jiewen Yao,
	Philippe Mathieu-Daude

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898

HMAC SHA1 is not secure any longer.
Remove the HMAC SHA1 support from edk2.
Change the HMAC SHA1 field name in EDKII_CRYPTO_PROTOCOL to indicate the
function is no longer supported.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Philippe Mathieu-Daude <philmd@redhat.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
 CryptoPkg/CryptoPkg.dsc                       |   3 -
 CryptoPkg/Driver/Crypto.c                     | 128 ++---------
 CryptoPkg/Include/Library/BaseCryptLib.h      | 133 -----------
 .../Library/BaseCryptLib/BaseCryptLib.inf     |   1 -
 .../Library/BaseCryptLib/Hmac/CryptHmacSha1.c | 216 ------------------
 .../BaseCryptLib/Hmac/CryptHmacSha1Null.c     | 139 -----------
 .../Library/BaseCryptLib/PeiCryptLib.inf      |   3 +-
 .../Library/BaseCryptLib/PeiCryptLib.uni      |   4 +-
 .../Library/BaseCryptLib/RuntimeCryptLib.inf  |   3 +-
 .../Library/BaseCryptLib/RuntimeCryptLib.uni  |   4 +-
 .../Library/BaseCryptLib/SmmCryptLib.inf      |   4 +-
 .../Library/BaseCryptLib/SmmCryptLib.uni      |   4 +-
 .../BaseCryptLibNull/BaseCryptLibNull.inf     |   1 -
 .../BaseCryptLibNull/Hmac/CryptHmacSha1Null.c | 139 -----------
 .../BaseCryptLibOnProtocolPpi/CryptLib.c      | 151 ------------
 CryptoPkg/Private/Protocol/Crypto.h           | 121 ++--------
 16 files changed, 45 insertions(+), 1009 deletions(-)
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c

diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
index 9ddf73f9fa..1af78468a1 100644
--- a/CryptoPkg/CryptoPkg.dsc
+++ b/CryptoPkg/CryptoPkg.dsc
@@ -137,7 +137,6 @@
   gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x06
 
 !if $(CRYPTO_SERVICES) IN "PACKAGE ALL"
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family                          | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family                        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family                               | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family                              | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
@@ -163,7 +162,6 @@
 !endif
 
 !if $(CRYPTO_SERVICES) == MIN_PEI
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family                 | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family               | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family                     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family                   | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
@@ -178,7 +176,6 @@
 !endif
 
 !if $(CRYPTO_SERVICES) == MIN_DXE_MIN_SMM
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family                          | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family                        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkcs1v2Encrypt             | TRUE
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkcs5HashPassword          | TRUE
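Review bot: The HmacSha1.Family line is dropped from the PACKAGE ALL, MIN_PEI and MIN_DXE_MIN_SMM blocks, but the diffstat for this patch does not list the header that defines PcdCryptoServiceFamilyEnable, so the HmacSha1 member appears to stay in the PCD structure. A platform DSC could then still set HmacSha1.Family with no effect. Please mark that member as deprecated where it is defined, or say in the commit message that it is kept only to preserve the PCD layout.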
diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index 3d6c8f4d38..071d8c8529 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -1170,154 +1170,68 @@ DeprecatedCryptoServiceHmacMd5Final (
 }
 
 /**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
-
-  If this interface is not supported, then return NULL.
-
-  @return  Pointer to the HMAC_CTX context that has been initialized.
-           If the allocations fails, HmacSha1New() returns NULL.
-  @return  NULL   This interface is not supported.
+  HMAC SHA1 is deprecated and unsupported any longer.
+  Keep the function field for binary compability.
 
 **/
 VOID *
 EFIAPI
-CryptoServiceHmacSha1New (
+DeprecatedCryptoServiceHmacSha1New (
   VOID
   )
 {
-  return CALL_BASECRYPTLIB (HmacSha1.Services.New, HmacSha1New, (), NULL);
+  return BaseCryptLibServiceDeprecated ("HmacSha1New"), NULL;
 }
 
-/**
-  Release the specified HMAC_CTX context.
-
-  If this interface is not supported, then do nothing.
-
-  @param[in]  HmacSha1Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
 VOID
 EFIAPI
-CryptoServiceHmacSha1Free (
+DeprecatedCryptoServiceHmacSha1Free (
   IN  VOID  *HmacSha1Ctx
   )
 {
-  CALL_VOID_BASECRYPTLIB (HmacSha1.Services.Free, HmacSha1Free, (HmacSha1Ctx));
+  BaseCryptLibServiceDeprecated ("HmacSha1Free");
 }
 
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacSha1Update().
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  HmacSha1Context  Pointer to HMAC-SHA1 context.
-  @param[in]   Key              Pointer to the user-supplied key.
-  @param[in]   KeySize          Key size in bytes.
-
-  @retval TRUE   The Key is set successfully.
-  @retval FALSE  The Key is set unsuccessfully.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceHmacSha1SetKey (
+DeprecatedCryptoServiceHmacSha1SetKey (
   OUT  VOID         *HmacSha1Context,
   IN   CONST UINT8  *Key,
   IN   UINTN        KeySize
   )
 {
-  return CALL_BASECRYPTLIB (HmacSha1.Services.SetKey, HmacSha1SetKey, (HmacSha1Context, Key, KeySize), FALSE);
+  return BaseCryptLibServiceDeprecated ("HmacSha1SetKey"), FALSE;
 }
 
-/**
-  Makes a copy of an existing HMAC-SHA1 context.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If NewHmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]  HmacSha1Context     Pointer to HMAC-SHA1 context being copied.
-  @param[out] NewHmacSha1Context  Pointer to new HMAC-SHA1 context.
-
-  @retval TRUE   HMAC-SHA1 context copy succeeded.
-  @retval FALSE  HMAC-SHA1 context copy failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceHmacSha1Duplicate (
+DeprecatedCryptoServiceHmacSha1Duplicate (
   IN   CONST VOID  *HmacSha1Context,
   OUT  VOID        *NewHmacSha1Context
   )
 {
-  return CALL_BASECRYPTLIB (HmacSha1.Services.Duplicate, HmacSha1Duplicate, (HmacSha1Context, NewHmacSha1Context), FALSE);
+  return BaseCryptLibServiceDeprecated ("HmacSha1Duplicate"), FALSE;
 }
 
-/**
-  Digests the input data and updates HMAC-SHA1 context.
-
-  This function performs HMAC-SHA1 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized by
-  HmacSha1Final(). Behavior with invalid context is undefined.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacSha1Context Pointer to the HMAC-SHA1 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval TRUE   HMAC-SHA1 data digest succeeded.
-  @retval FALSE  HMAC-SHA1 data digest failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceHmacSha1Update (
+DeprecatedCryptoServiceHmacSha1Update (
   IN OUT  VOID        *HmacSha1Context,
   IN      CONST VOID  *Data,
   IN      UINTN       DataSize
   )
 {
-  return CALL_BASECRYPTLIB (HmacSha1.Services.Update, HmacSha1Update, (HmacSha1Context, Data, DataSize), FALSE);
+  return BaseCryptLibServiceDeprecated ("HmacSha1Update"), FALSE;
 }
 
-/**
-  Completes computation of the HMAC-SHA1 digest value.
-
-  This function completes HMAC-SHA1 hash computation and retrieves the digest value into
-  the specified memory. After this function has been called, the HMAC-SHA1 context cannot
-  be used again.
-  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized
-  by HmacSha1Final(). Behavior with invalid HMAC-SHA1 context is undefined.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If HmacValue is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacSha1Context  Pointer to the HMAC-SHA1 context.
-  @param[out]      HmacValue        Pointer to a buffer that receives the HMAC-SHA1 digest
-                                    value (20 bytes).
-
-  @retval TRUE   HMAC-SHA1 digest computation succeeded.
-  @retval FALSE  HMAC-SHA1 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceHmacSha1Final (
+DeprecatedCryptoServiceHmacSha1Final (
   IN OUT  VOID   *HmacSha1Context,
   OUT     UINT8  *HmacValue
   )
 {
-  return CALL_BASECRYPTLIB (HmacSha1.Services.Final, HmacSha1Final, (HmacSha1Context, HmacValue), FALSE);
+  return BaseCryptLibServiceDeprecated ("HmacSha1Final"), FALSE;
 }
 
 /**
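Review bot: 'return BaseCryptLibServiceDeprecated ("HmacSha1New"), NULL;' uses the comma operator inside a return statement, which is easy to misread as returning the helper's result; the same form appears in the SetKey, Duplicate, Update and Final wrappers. Calling the helper on its own line followed by a plain 'return NULL;' or 'return FALSE;' is clearer. The new comment also misspells "compatibility" as "compability", and the five functions after DeprecatedCryptoServiceHmacSha1New are left with no function header comment at all.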
@@ -3972,13 +3886,13 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
   DeprecatedCryptoServiceHmacMd5Duplicate,
   DeprecatedCryptoServiceHmacMd5Update,
   DeprecatedCryptoServiceHmacMd5Final,
-  /// HMAC SHA1
-  CryptoServiceHmacSha1New,
-  CryptoServiceHmacSha1Free,
-  CryptoServiceHmacSha1SetKey,
-  CryptoServiceHmacSha1Duplicate,
-  CryptoServiceHmacSha1Update,
-  CryptoServiceHmacSha1Final,
+  /// HMAC SHA1 - deprecated and unsupported
+  DeprecatedCryptoServiceHmacSha1New,
+  DeprecatedCryptoServiceHmacSha1Free,
+  DeprecatedCryptoServiceHmacSha1SetKey,
+  DeprecatedCryptoServiceHmacSha1Duplicate,
+  DeprecatedCryptoServiceHmacSha1Update,
+  DeprecatedCryptoServiceHmacSha1Final,
   /// HMAC SHA256
   CryptoServiceHmacSha256New,
   CryptoServiceHmacSha256Free,
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index b99401661c..1b1ffa75ef 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -880,139 +880,6 @@ Sm3HashAll (
 //    MAC (Message Authentication Code) Primitive
 //=====================================================================================
 
-/**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
-
-  If this interface is not supported, then return NULL.
-
-  @return  Pointer to the HMAC_CTX context that has been initialized.
-           If the allocations fails, HmacSha1New() returns NULL.
-  @return  NULL   This interface is not supported.
-
-**/
-VOID *
-EFIAPI
-HmacSha1New (
-  VOID
-  );
-
-/**
-  Release the specified HMAC_CTX context.
-
-  If this interface is not supported, then do nothing.
-
-  @param[in]  HmacSha1Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacSha1Free (
-  IN  VOID  *HmacSha1Ctx
-  );
-
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacSha1Update().
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  HmacSha1Context  Pointer to HMAC-SHA1 context.
-  @param[in]   Key              Pointer to the user-supplied key.
-  @param[in]   KeySize          Key size in bytes.
-
-  @retval TRUE   The Key is set successfully.
-  @retval FALSE  The Key is set unsuccessfully.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1SetKey (
-  OUT  VOID         *HmacSha1Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  );
-
-/**
-  Makes a copy of an existing HMAC-SHA1 context.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If NewHmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]  HmacSha1Context     Pointer to HMAC-SHA1 context being copied.
-  @param[out] NewHmacSha1Context  Pointer to new HMAC-SHA1 context.
-
-  @retval TRUE   HMAC-SHA1 context copy succeeded.
-  @retval FALSE  HMAC-SHA1 context copy failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Duplicate (
-  IN   CONST VOID  *HmacSha1Context,
-  OUT  VOID        *NewHmacSha1Context
-  );
-
-/**
-  Digests the input data and updates HMAC-SHA1 context.
-
-  This function performs HMAC-SHA1 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized by
-  HmacSha1Final(). Behavior with invalid context is undefined.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacSha1Context Pointer to the HMAC-SHA1 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval TRUE   HMAC-SHA1 data digest succeeded.
-  @retval FALSE  HMAC-SHA1 data digest failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Update (
-  IN OUT  VOID        *HmacSha1Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  );
-
-/**
-  Completes computation of the HMAC-SHA1 digest value.
-
-  This function completes HMAC-SHA1 hash computation and retrieves the digest value into
-  the specified memory. After this function has been called, the HMAC-SHA1 context cannot
-  be used again.
-  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized
-  by HmacSha1Final(). Behavior with invalid HMAC-SHA1 context is undefined.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If HmacValue is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacSha1Context  Pointer to the HMAC-SHA1 context.
-  @param[out]      HmacValue        Pointer to a buffer that receives the HMAC-SHA1 digest
-                                    value (20 bytes).
-
-  @retval TRUE   HMAC-SHA1 digest computation succeeded.
-  @retval FALSE  HMAC-SHA1 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Final (
-  IN OUT  VOID   *HmacSha1Context,
-  OUT     UINT8  *HmacValue
-  );
-
 /**
   Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA256 use.
 
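Review bot: Removing the six HmacSha1* prototypes from the public BaseCryptLib.h is a source-breaking change for consumers outside this tree, and neither the header nor the commit message names a replacement. The HMAC-SHA256 declarations that follow this hunk are the remaining HMAC family in this section; a sentence in the commit message pointing callers to them would make the migration path explicit.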
diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
index 33d7c13bff..4aae2aba95 100644
--- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -34,7 +34,6 @@
   Hash/CryptSha256.c
   Hash/CryptSha512.c
   Hash/CryptSm3.c
-  Hmac/CryptHmacSha1.c
   Hmac/CryptHmacSha256.c
   Kdf/CryptHkdf.c
   Cipher/CryptAes.c
diff --git a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
deleted file mode 100644
index 7593ca55b1..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
+++ /dev/null
@@ -1,216 +0,0 @@
-/** @file
-  HMAC-SHA1 Wrapper Implementation over OpenSSL.
-
-Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-#include <openssl/hmac.h>
-
-/**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
-
-  @return  Pointer to the HMAC_CTX context that has been initialized.
-           If the allocations fails, HmacSha1New() returns NULL.
-
-**/
-VOID *
-EFIAPI
-HmacSha1New (
-  VOID
-  )
-{
-  //
-  // Allocates & Initializes HMAC_CTX Context by OpenSSL HMAC_CTX_new()
-  //
-  return (VOID *) HMAC_CTX_new ();
-}
-
-/**
-  Release the specified HMAC_CTX context.
-
-  @param[in]  HmacSha1Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacSha1Free (
-  IN  VOID  *HmacSha1Ctx
-  )
-{
-  //
-  // Free OpenSSL HMAC_CTX Context
-  //
-  HMAC_CTX_free ((HMAC_CTX *)HmacSha1Ctx);
-}
-
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacSha1Update().
-
-  If HmacSha1Context is NULL, then return FALSE.
-
-  @param[out]  HmacSha1Context  Pointer to HMAC-SHA1 context.
-  @param[in]   Key              Pointer to the user-supplied key.
-  @param[in]   KeySize          Key size in bytes.
-
-  @retval TRUE   The Key is set successfully.
-  @retval FALSE  The Key is set unsuccessfully.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1SetKey (
-  OUT  VOID         *HmacSha1Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  )
-{
-  //
-  // Check input parameters.
-  //
-  if (HmacSha1Context == NULL || KeySize > INT_MAX) {
-    return FALSE;
-  }
-
-  if (HMAC_Init_ex ((HMAC_CTX *)HmacSha1Context, Key, (UINT32) KeySize, EVP_sha1(), NULL) != 1) {
-    return FALSE;
-  }
-
-  return TRUE;
-}
-
-/**
-  Makes a copy of an existing HMAC-SHA1 context.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If NewHmacSha1Context is NULL, then return FALSE.
-
-  @param[in]  HmacSha1Context     Pointer to HMAC-SHA1 context being copied.
-  @param[out] NewHmacSha1Context  Pointer to new HMAC-SHA1 context.
-
-  @retval TRUE   HMAC-SHA1 context copy succeeded.
-  @retval FALSE  HMAC-SHA1 context copy failed.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Duplicate (
-  IN   CONST VOID  *HmacSha1Context,
-  OUT  VOID        *NewHmacSha1Context
-  )
-{
-  //
-  // Check input parameters.
-  //
-  if (HmacSha1Context == NULL || NewHmacSha1Context == NULL) {
-    return FALSE;
-  }
-
-  if (HMAC_CTX_copy ((HMAC_CTX *)NewHmacSha1Context, (HMAC_CTX *)HmacSha1Context) != 1) {
-    return FALSE;
-  }
-
-  return TRUE;
-}
-
-/**
-  Digests the input data and updates HMAC-SHA1 context.
-
-  This function performs HMAC-SHA1 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized by
-  HmacSha1Final(). Behavior with invalid context is undefined.
-
-  If HmacSha1Context is NULL, then return FALSE.
-
-  @param[in, out]  HmacSha1Context Pointer to the HMAC-SHA1 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval TRUE   HMAC-SHA1 data digest succeeded.
-  @retval FALSE  HMAC-SHA1 data digest failed.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Update (
-  IN OUT  VOID        *HmacSha1Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  )
-{
-  //
-  // Check input parameters.
-  //
-  if (HmacSha1Context == NULL) {
-    return FALSE;
-  }
-
-  //
-  // Check invalid parameters, in case that only DataLength was checked in OpenSSL
-  //
-  if (Data == NULL && DataSize != 0) {
-    return FALSE;
-  }
-
-  //
-  // OpenSSL HMAC-SHA1 digest update
-  //
-  if (HMAC_Update ((HMAC_CTX *)HmacSha1Context, Data, DataSize) != 1) {
-    return FALSE;
-  }
-
-  return TRUE;
-}
-
-/**
-  Completes computation of the HMAC-SHA1 digest value.
-
-  This function completes HMAC-SHA1 digest computation and retrieves the digest value into
-  the specified memory. After this function has been called, the HMAC-SHA1 context cannot
-  be used again.
-  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized by
-  HmacSha1Final(). Behavior with invalid HMAC-SHA1 context is undefined.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If HmacValue is NULL, then return FALSE.
-
-  @param[in, out]  HmacSha1Context  Pointer to the HMAC-SHA1 context.
-  @param[out]      HmacValue        Pointer to a buffer that receives the HMAC-SHA1 digest
-                                    value (20 bytes).
-
-  @retval TRUE   HMAC-SHA1 digest computation succeeded.
-  @retval FALSE  HMAC-SHA1 digest computation failed.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Final (
-  IN OUT  VOID   *HmacSha1Context,
-  OUT     UINT8  *HmacValue
-  )
-{
-  UINT32  Length;
-
-  //
-  // Check input parameters.
-  //
-  if (HmacSha1Context == NULL || HmacValue == NULL) {
-    return FALSE;
-  }
-
-  //
-  // OpenSSL HMAC-SHA1 digest finalization
-  //
-  if (HMAC_Final ((HMAC_CTX *)HmacSha1Context, HmacValue, &Length) != 1) {
-    return FALSE;
-  }
-  if (HMAC_CTX_reset ((HMAC_CTX *)HmacSha1Context) != 1) {
-    return FALSE;
-  }
-
-  return TRUE;
-}
diff --git a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
deleted file mode 100644
index e8c0f341b7..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
+++ /dev/null
@@ -1,139 +0,0 @@
-/** @file
-  HMAC-SHA1 Wrapper Implementation which does not provide real capabilities.
-
-Copyright (c) 2012 - 2020, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-
-/**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
-
-  Return NULL to indicate this interface is not supported.
-
-  @return  NULL  This interface is not supported..
-
-**/
-VOID *
-EFIAPI
-HmacSha1New (
-  VOID
-  )
-{
-  ASSERT (FALSE);
-  return NULL;
-}
-
-/**
-  Release the specified HMAC_CTX context.
-
-  This function will do nothing.
-
-  @param[in]  HmacSha1Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacSha1Free (
-  IN  VOID  *HmacSha1Ctx
-  )
-{
-  ASSERT (FALSE);
-  return;
-}
-
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacSha1Update().
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[out]  HmacSha1Context  Pointer to HMAC-SHA1 context.
-  @param[in]   Key              Pointer to the user-supplied key.
-  @param[in]   KeySize          Key size in bytes.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1SetKey (
-  OUT  VOID         *HmacSha1Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Makes a copy of an existing HMAC-SHA1 context.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]  HmacSha1Context     Pointer to HMAC-SHA1 context being copied.
-  @param[out] NewHmacSha1Context  Pointer to new HMAC-SHA1 context.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Duplicate (
-  IN   CONST VOID  *HmacSha1Context,
-  OUT  VOID        *NewHmacSha1Context
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Digests the input data and updates HMAC-SHA1 context.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  HmacSha1Context Pointer to the HMAC-SHA1 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Update (
-  IN OUT  VOID        *HmacSha1Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Completes computation of the HMAC-SHA1 digest value.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  HmacSha1Context  Pointer to the HMAC-SHA1 context.
-  @param[out]      HmacValue        Pointer to a buffer that receives the HMAC-SHA1 digest
-                                    value (20 bytes).
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Final (
-  IN OUT  VOID   *HmacSha1Context,
-  OUT     UINT8  *HmacValue
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
index 2a630ef290..dc28e3a11d 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
@@ -7,7 +7,7 @@
 #  buffer overflow or integer overflow.
 #
 #  Note:
-#  HMAC-SHA1/SHA256 functions, AES functions, RSA external
+#  HMAC-SHA256 functions, AES functions, RSA external
 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509
 #  certificate handler functions, authenticode signature verification functions,
 #  PEM handler functions, and pseudorandom number generator functions are not
@@ -40,7 +40,6 @@
   Hash/CryptSha256.c
   Hash/CryptSm3.c
   Hash/CryptSha512.c
-  Hmac/CryptHmacSha1Null.c
   Hmac/CryptHmacSha256Null.c
   Kdf/CryptHkdfNull.c
   Cipher/CryptAesNull.c
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
index 95c71a8ae2..20ae64e8bf 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
@@ -6,7 +6,7 @@
 // This external input must be validated carefully to avoid security issues such as
 // buffer overflow or integer overflow.
 //
-// Note: HMAC-SHA1 functions, AES
+// Note: AES
 // functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, X.509 certificate handler functions, authenticode
 // signature verification functions, PEM handler functions, and pseudorandom number
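Review bot: The new "// Note: AES" line leaves this file out of step with PeiCryptLib.inf in the same patch, whose note still lists "HMAC-SHA256 functions" as unsupported and whose source list keeps Hmac/CryptHmacSha256Null.c. Suggest "// Note: HMAC-SHA256 functions, AES" here, and the same wording in STR_MODULE_DESCRIPTION in the next hunk, so the .uni and .inf descriptions agree.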
@@ -21,5 +21,5 @@
 
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for PEIM"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."
 
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
index 1642521087..5005beed02 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
@@ -7,7 +7,7 @@
 #  buffer overflow or integer overflow.
 #
 #  Note: SHA-384 Digest functions, SHA-512 Digest functions,
-#  HMAC-SHA1/SHA256 functions, AES functions, RSA external
+#  HMAC-SHA256 functions, AES functions, RSA external
 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
 #  authenticode signature verification functions are not supported in this instance.
 #
@@ -40,7 +40,6 @@
   Hash/CryptSha256.c
   Hash/CryptSm3.c
   Hash/CryptSha512Null.c
-  Hmac/CryptHmacSha1Null.c
   Hmac/CryptHmacSha256Null.c
   Kdf/CryptHkdfNull.c
   Cipher/CryptAesNull.c
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
index f7e1acb3a7..0cf378c5ab 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
@@ -6,7 +6,7 @@
 // This external input must be validated carefully to avoid security issues such as
 // buffer overflow or integer overflow.
 //
-// Note: HMAC-SHA1 functions, AES
+// Note: AES
 // functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, and authenticode signature verification functions are
 // not supported in this instance.
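Review bot: After the edit at "// Note: AES", this note omits three items that RuntimeCryptLib.inf in this patch still reports as unsupported: "SHA-384 Digest functions, SHA-512 Digest functions," and "HMAC-SHA256 functions". The .inf source list also still builds Hash/CryptSha512Null.c and Hmac/CryptHmacSha256Null.c. Since the line is being touched anyway, suggest bringing this note and STR_MODULE_DESCRIPTION in line with the .inf text.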
@@ -20,5 +20,5 @@
 
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for DXE_RUNTIME_DRIVER"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
 
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
index ec9c8e7c05..91ec3e03bf 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
@@ -7,8 +7,7 @@
 #  buffer overflow or integer overflow.
 #
 #  Note: SHA-384 Digest functions, SHA-512 Digest functions,
-#  HMAC-SHA1 functions, RSA external
-#  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
+#  RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
 #  authenticode signature verification functions are not supported in this instance.
 #
 #  Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
@@ -39,7 +38,6 @@
   Hash/CryptSha256.c
   Hash/CryptSm3.c
   Hash/CryptSha512Null.c
-  Hmac/CryptHmacSha1Null.c
   Hmac/CryptHmacSha256.c
   Kdf/CryptHkdfNull.c
   Cipher/CryptAes.c
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
index 8eb3acac93..f0c33abbcf 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
@@ -6,7 +6,7 @@
 // This external input must be validated carefully to avoid security issues such as
 // buffer overflow or integer overflow.
 //
-// Note: HMAC-SHA1 functions, AES
+// Note: AES
 // functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, and authenticode signature verification functions are
 // not supported in this instance.
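Review bot: The rewritten "// Note: AES" line still tells readers that AES functions are unsupported in the SMM instance, but SmmCryptLib.inf in this patch builds Cipher/CryptAes.c and Hmac/CryptHmacSha256.c, and its own note does not list AES. Suggest dropping "AES functions" here and in STR_MODULE_DESCRIPTION, and listing the same items as the .inf note (SHA-384 and SHA-512 digest functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, authenticode signature verification functions).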
@@ -20,5 +20,5 @@
 
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for SMM driver"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
 
diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
index 558ccfc002..689af4fedd 100644
--- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
+++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
@@ -34,7 +34,6 @@
   Hash/CryptSha256Null.c
   Hash/CryptSha512Null.c
   Hash/CryptSm3Null.c
-  Hmac/CryptHmacSha1Null.c
   Hmac/CryptHmacSha256Null.c
   Kdf/CryptHkdfNull.c
   Cipher/CryptAesNull.c
diff --git a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c b/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c
deleted file mode 100644
index e8c0f341b7..0000000000
--- a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c
+++ /dev/null
@@ -1,139 +0,0 @@
-/** @file
-  HMAC-SHA1 Wrapper Implementation which does not provide real capabilities.
-
-Copyright (c) 2012 - 2020, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-
-/**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
-
-  Return NULL to indicate this interface is not supported.
-
-  @return  NULL  This interface is not supported..
-
-**/
-VOID *
-EFIAPI
-HmacSha1New (
-  VOID
-  )
-{
-  ASSERT (FALSE);
-  return NULL;
-}
-
-/**
-  Release the specified HMAC_CTX context.
-
-  This function will do nothing.
-
-  @param[in]  HmacSha1Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacSha1Free (
-  IN  VOID  *HmacSha1Ctx
-  )
-{
-  ASSERT (FALSE);
-  return;
-}
-
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacSha1Update().
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[out]  HmacSha1Context  Pointer to HMAC-SHA1 context.
-  @param[in]   Key              Pointer to the user-supplied key.
-  @param[in]   KeySize          Key size in bytes.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1SetKey (
-  OUT  VOID         *HmacSha1Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Makes a copy of an existing HMAC-SHA1 context.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]  HmacSha1Context     Pointer to HMAC-SHA1 context being copied.
-  @param[out] NewHmacSha1Context  Pointer to new HMAC-SHA1 context.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Duplicate (
-  IN   CONST VOID  *HmacSha1Context,
-  OUT  VOID        *NewHmacSha1Context
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Digests the input data and updates HMAC-SHA1 context.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  HmacSha1Context Pointer to the HMAC-SHA1 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Update (
-  IN OUT  VOID        *HmacSha1Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Completes computation of the HMAC-SHA1 digest value.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  HmacSha1Context  Pointer to the HMAC-SHA1 context.
-  @param[out]      HmacValue        Pointer to a buffer that receives the HMAC-SHA1 digest
-                                    value (20 bytes).
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Final (
-  IN OUT  VOID   *HmacSha1Context,
-  OUT     UINT8  *HmacValue
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index dfe7fb7e91..a614b61ed4 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -1015,157 +1015,6 @@ Sm3HashAll (
 //    MAC (Message Authentication Code) Primitive
 //=====================================================================================
 
-/**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
-
-  If this interface is not supported, then return NULL.
-
-  @return  Pointer to the HMAC_CTX context that has been initialized.
-           If the allocations fails, HmacSha1New() returns NULL.
-  @return  NULL   This interface is not supported.
-
-**/
-VOID *
-EFIAPI
-HmacSha1New (
-  VOID
-  )
-{
-  CALL_CRYPTO_SERVICE (HmacSha1New, (), NULL);
-}
-
-/**
-  Release the specified HMAC_CTX context.
-
-  If this interface is not supported, then do nothing.
-
-  @param[in]  HmacSha1Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacSha1Free (
-  IN  VOID  *HmacSha1Ctx
-  )
-{
-  CALL_VOID_CRYPTO_SERVICE (HmacSha1Free, (HmacSha1Ctx));
-}
-
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacSha1Update().
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  HmacSha1Context  Pointer to HMAC-SHA1 context.
-  @param[in]   Key              Pointer to the user-supplied key.
-  @param[in]   KeySize          Key size in bytes.
-
-  @retval TRUE   The Key is set successfully.
-  @retval FALSE  The Key is set unsuccessfully.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1SetKey (
-  OUT  VOID         *HmacSha1Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  )
-{
-  CALL_CRYPTO_SERVICE (HmacSha1SetKey, (HmacSha1Context, Key, KeySize), FALSE);
-}
-
-/**
-  Makes a copy of an existing HMAC-SHA1 context.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If NewHmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]  HmacSha1Context     Pointer to HMAC-SHA1 context being copied.
-  @param[out] NewHmacSha1Context  Pointer to new HMAC-SHA1 context.
-
-  @retval TRUE   HMAC-SHA1 context copy succeeded.
-  @retval FALSE  HMAC-SHA1 context copy failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Duplicate (
-  IN   CONST VOID  *HmacSha1Context,
-  OUT  VOID        *NewHmacSha1Context
-  )
-{
-  CALL_CRYPTO_SERVICE (HmacSha1Duplicate, (HmacSha1Context, NewHmacSha1Context), FALSE);
-}
-
-/**
-  Digests the input data and updates HMAC-SHA1 context.
-
-  This function performs HMAC-SHA1 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized by
-  HmacSha1Final(). Behavior with invalid context is undefined.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacSha1Context Pointer to the HMAC-SHA1 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval TRUE   HMAC-SHA1 data digest succeeded.
-  @retval FALSE  HMAC-SHA1 data digest failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Update (
-  IN OUT  VOID        *HmacSha1Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  )
-{
-  CALL_CRYPTO_SERVICE (HmacSha1Update, (HmacSha1Context, Data, DataSize), FALSE);
-}
-
-/**
-  Completes computation of the HMAC-SHA1 digest value.
-
-  This function completes HMAC-SHA1 hash computation and retrieves the digest value into
-  the specified memory. After this function has been called, the HMAC-SHA1 context cannot
-  be used again.
-  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized
-  by HmacSha1Final(). Behavior with invalid HMAC-SHA1 context is undefined.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If HmacValue is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacSha1Context  Pointer to the HMAC-SHA1 context.
-  @param[out]      HmacValue        Pointer to a buffer that receives the HMAC-SHA1 digest
-                                    value (20 bytes).
-
-  @retval TRUE   HMAC-SHA1 digest computation succeeded.
-  @retval FALSE  HMAC-SHA1 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Final (
-  IN OUT  VOID   *HmacSha1Context,
-  OUT     UINT8  *HmacValue
-  )
-{
-  CALL_CRYPTO_SERVICE (HmacSha1Final, (HmacSha1Context, HmacValue), FALSE);
-}
-
 /**
   Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA256 use.
 
diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h
index bd4cd7f383..d167390774 100644
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@@ -89,140 +89,49 @@ BOOLEAN
   OUT     UINT8  *HmacValue
   );
 
-
 /**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
-
-  If this interface is not supported, then return NULL.
-
-  @return  Pointer to the HMAC_CTX context that has been initialized.
-           If the allocations fails, HmacSha1New() returns NULL.
-  @return  NULL   This interface is not supported.
+  HMAC SHA1 is deprecated and unsupported any longer.
+  Keep the function field for binary compability.
 
 **/
 typedef
 VOID*
-(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_NEW) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_NEW) (
   VOID
   );
 
-/**
-  Release the specified HMAC_CTX context.
-
-  If this interface is not supported, then do nothing.
-
-  @param[in]  HmacSha1Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
 typedef
 VOID
-(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_FREE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_FREE) (
   IN  VOID  *HmacSha1Ctx
   );
 
-
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacSha1Update().
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  HmacSha1Context  Pointer to HMAC-SHA1 context.
-  @param[in]   Key              Pointer to the user-supplied key.
-  @param[in]   KeySize          Key size in bytes.
-
-  @retval TRUE   The Key is set successfully.
-  @retval FALSE  The Key is set unsuccessfully.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_SET_KEY) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_SET_KEY) (
   OUT  VOID         *HmacSha1Context,
   IN   CONST UINT8  *Key,
   IN   UINTN        KeySize
   );
 
-
-/**
-  Makes a copy of an existing HMAC-SHA1 context.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If NewHmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]  HmacSha1Context     Pointer to HMAC-SHA1 context being copied.
-  @param[out] NewHmacSha1Context  Pointer to new HMAC-SHA1 context.
-
-  @retval TRUE   HMAC-SHA1 context copy succeeded.
-  @retval FALSE  HMAC-SHA1 context copy failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_DUPLICATE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_DUPLICATE) (
   IN   CONST VOID  *HmacSha1Context,
   OUT  VOID        *NewHmacSha1Context
   );
 
-
-/**
-  Digests the input data and updates HMAC-SHA1 context.
-
-  This function performs HMAC-SHA1 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized by
-  HmacSha1Final(). Behavior with invalid context is undefined.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacSha1Context Pointer to the HMAC-SHA1 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval TRUE   HMAC-SHA1 data digest succeeded.
-  @retval FALSE  HMAC-SHA1 data digest failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_UPDATE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_UPDATE) (
   IN OUT  VOID        *HmacSha1Context,
   IN      CONST VOID  *Data,
   IN      UINTN       DataSize
   );
 
-
-/**
-  Completes computation of the HMAC-SHA1 digest value.
-
-  This function completes HMAC-SHA1 hash computation and retrieves the digest value into
-  the specified memory. After this function has been called, the HMAC-SHA1 context cannot
-  be used again.
-  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized
-  by HmacSha1Final(). Behavior with invalid HMAC-SHA1 context is undefined.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If HmacValue is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacSha1Context  Pointer to the HMAC-SHA1 context.
-  @param[out]      HmacValue        Pointer to a buffer that receives the HMAC-SHA1 digest
-                                    value (20 bytes).
-
-  @retval TRUE   HMAC-SHA1 digest computation succeeded.
-  @retval FALSE  HMAC-SHA1 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_FINAL) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_FINAL) (
   IN OUT  VOID   *HmacSha1Context,
   OUT     UINT8  *HmacValue
   );
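Review bot: The added comment above DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_NEW has a typo, "compability", and "deprecated and unsupported any longer" reads awkwardly. Suggest "HMAC SHA1 is deprecated and no longer supported. The function fields are kept for binary compatibility." The other five DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_* typedefs lose their doc comments and get nothing in return. Either say in the first comment that it covers all six typedefs, or give each one a one-line comment.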
@@ -3538,13 +3447,13 @@ struct _EDKII_CRYPTO_PROTOCOL {
   DEPRECATED_EDKII_CRYPTO_HMAC_MD5_DUPLICATE      DeprecatedHmacMd5Duplicate;
   DEPRECATED_EDKII_CRYPTO_HMAC_MD5_UPDATE         DeprecatedHmacMd5Update;
   DEPRECATED_EDKII_CRYPTO_HMAC_MD5_FINAL          DeprecatedHmacMd5Final;
-  /// HMAC SHA1
-  EDKII_CRYPTO_HMAC_SHA1_NEW                      HmacSha1New;
-  EDKII_CRYPTO_HMAC_SHA1_FREE                     HmacSha1Free;
-  EDKII_CRYPTO_HMAC_SHA1_SET_KEY                  HmacSha1SetKey;
-  EDKII_CRYPTO_HMAC_SHA1_DUPLICATE                HmacSha1Duplicate;
-  EDKII_CRYPTO_HMAC_SHA1_UPDATE                   HmacSha1Update;
-  EDKII_CRYPTO_HMAC_SHA1_FINAL                    HmacSha1Final;
+  /// HMAC SHA1 - deprecated and unsupported
+  DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_NEW           DeprecatedHmacSha1New;
+  DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_FREE          DeprecatedHmacSha1Free;
+  DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_SET_KEY       DeprecatedHmacSha1SetKey;
+  DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_DUPLICATE     DeprecatedHmacSha1Duplicate;
+  DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_UPDATE        DeprecatedHmacSha1Update;
+  DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_FINAL         DeprecatedHmacSha1Final;
   /// HMAC SHA256
   EDKII_CRYPTO_HMAC_SHA256_NEW                    HmacSha256New;
   EDKII_CRYPTO_HMAC_SHA256_FREE                   HmacSha256Free;
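Review bot: The only explanation left in the struct for the six DeprecatedHmacSha1* members is "/// HMAC SHA1 - deprecated and unsupported", which does not say why they are still present. They keep the position and signatures of the old HmacSha1* members, so the offsets of HmacSha256New and everything after it stay the same. Suggest extending the comment to say the slots are retained for binary compatibility and must not be removed or reordered, so a later cleanup does not delete them.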
-- 
2.21.0.windows.1



* [PATCH V4 11/11] CryptoPkg/Crypto.h: Update the version of Crypto Driver
  2020-05-11 18:27 [PATCH V4 00/11] CryptoPkg: Retire the deprecated functions Gao, Zhichao
                   ` (9 preceding siblings ...)
  2020-05-11 18:27 ` [PATCH V4 10/11] CryptoPkg/BaseCryptLib: Retire HMAC SHA1 algorithm Gao, Zhichao
@ 2020-05-11 18:27 ` Gao, Zhichao
  2020-05-13 13:48 ` [PATCH V4 00/11] CryptoPkg: Retire the deprecated functions Wang, Jian J
  11 siblings, 0 replies; 18+ messages in thread
From: Gao, Zhichao @ 2020-05-11 18:27 UTC (permalink / raw)
  To: devel
  Cc: Jian J Wang, Xiaoyu Lu, Siyuan Fu, Michael D Kinney, Jiewen Yao,
	Philippe Mathieu-Daude

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898

The binary is totally changed, so update the Crypto Version to 7:
1. Retire the deprecated functions below:
MD4, ARC4, TDES, AES ECB MODE, HMAC MD5, HMAC SHA1

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Philippe Mathieu-Daude <philmd@redhat.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
 CryptoPkg/Private/Protocol/Crypto.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h
index d167390774..c399e0d67a 100644
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@@ -2,6 +2,7 @@
   This Protocol provides Crypto services to DXE modules
 
   Copyright (C) Microsoft Corporation. All rights reserved.
+  Copyright (c) 2020, Intel Corporation. All rights reserved.<BR>
   SPDX-License-Identifier: BSD-2-Clause-Patent
 
 **/
@@ -20,7 +21,7 @@
 /// the EDK II Crypto Protocol is extended, this version define must be
 /// increased.
 ///
-#define EDKII_CRYPTO_VERSION 6
+#define EDKII_CRYPTO_VERSION 7
 
 ///
 /// EDK II Crypto Protocol forward declaration
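
Review bot: the comment directly above the define in this second hunk still says the version must be increased when the EDK II Crypto Protocol is extended, but here it is bumped from 6 to 7 because services are retired. Update that comment so it also covers retiring or deprecating services, and consider recording next to the define that version 7 is the one that retired MD4, ARC4, TDES, AES ECB mode, HMAC MD5 and HMAC SHA1, so that a consumer reading the header can tell what changed without going to the commit log.
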
-- 
2.21.0.windows.1



* Re: [PATCH V4 00/11] CryptoPkg: Retire the deprecated functions
  2020-05-11 18:27 [PATCH V4 00/11] CryptoPkg: Retire the deprecated functions Gao, Zhichao
                   ` (10 preceding siblings ...)
  2020-05-11 18:27 ` [PATCH V4 11/11] CryptoPkg/Crypto.h: Update the version of Crypto Driver Gao, Zhichao
@ 2020-05-13 13:48 ` Wang, Jian J
  2020-05-14  2:49   ` Gao, Zhichao
  11 siblings, 1 reply; 18+ messages in thread
From: Wang, Jian J @ 2020-05-13 13:48 UTC (permalink / raw)
  To: Gao, Zhichao, devel@edk2.groups.io, Fu, Siyuan, Kinney, Michael D,
	Yao, Jiewen, Philippe Mathieu-Daude, Lu, XiaoyuX

Zhichao,

Two general comments for improvement needed in your future patches:
1. Add r-b for those patch files which have got r-b
2. It'd be better to add summary of changes between this and previous version
    of patches

For v4,
    patch 8: the updates of OpensslLib should be done by process_files.pl

With this addressed (for the whole patch series),

    Reviewed-by: Jian J Wang <jian.j.wang@intel.com>


Mike, Jiewen, Siyuan, Philippe: any more comments for v4?

Regards,
Jian

> -----Original Message-----
> From: Gao, Zhichao <zhichao.gao@intel.com>
> Sent: Tuesday, May 12, 2020 2:27 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>;
> Fu, Siyuan <siyuan.fu@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Philippe
> Mathieu-Daude <philmd@redhat.com>
> Subject: [PATCH V4 00/11] CryptoPkg: Retire the deprecated functions
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
> 
> Retire below deprecated functions:
> MD4, ARC4, TDES, AES ECB MODE, HMAC MD5, HMAC SHA1.
> 
> V2:
> Separate the MD5 and SHA1 changes to other patch set.
> Change the deprecated function wrapper implementation in
> EDKII_CRYPTO_PROTOCOL to call a dummy function to print debug
> message and assert.
> 
> V3:
> Remove the missing part of deprecated functions in V2.
> Change the name field in the EDKII_CRYPTO_PROTOCOL to indicate
> the function is deprecated and unsupported.
> 
> V4:
> Fixed some typos.
> Separate the change of OpensslLib and make the change with
> process_files.pl.
> Moving the incorrect changes of AES_ECB from HMAC MD5 patch
> to Aes Ecb one.
> 
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Siyuan Fu <siyuan.fu@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Cc: Philippe Mathieu-Daude <philmd@redhat.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> 
> Zhichao Gao (8):
>   CryptoPkg/CryptoDxe: Add function to indicate the deprecated algorithm
>   CryptoPkg/BaseCrpytLib: Retire MD4 algorithm
>   CryptoPkg/BaseCryptLib: Retire ARC4 algorithm
>   CryptoPkg/BaseCryptLib: Retire the Tdes algorithm
>   CryptoPkg/BaseCryptLib: Retire Aes Ecb mode algorithm
>   CryptoPkg/BaseCryptLib: Retire HMAC MD5 algorithm
>   CryptoPkg/BaseCryptLib: Retire HMAC SHA1 algorithm
>   CryptoPkg/Crypto.h: Update the version of Crypto Driver
> 
> Zhiguang Liu (3):
>   CryptoPkg/OpensslLib: Set MD4 disable in OpensslLib
>   CryptoPkg/OpensslLib: Set ARC4 disable in OpensslLib
>   CryptoPkg/OpensslLib: Set TDES disable in OpensslLib
> 
>  CryptoPkg/CryptoPkg.dsc                       |   46 +-
>  CryptoPkg/Driver/Crypto.c                     |  786 ++---------
>  CryptoPkg/Include/Library/BaseCryptLib.h      |  809 ------------
>  .../Library/BaseCryptLib/BaseCryptLib.inf     |    7 +-
>  .../Library/BaseCryptLib/Cipher/CryptAes.c    |  114 --
>  .../BaseCryptLib/Cipher/CryptAesNull.c        |   52 -
>  .../Library/BaseCryptLib/Cipher/CryptArc4.c   |  205 ---
>  .../BaseCryptLib/Cipher/CryptArc4Null.c       |  124 --
>  .../Library/BaseCryptLib/Cipher/CryptTdes.c   |  364 ------
>  .../BaseCryptLib/Cipher/CryptTdesNull.c       |  160 ---
>  .../Library/BaseCryptLib/Hash/CryptMd4.c      |  223 ----
>  .../Library/BaseCryptLib/Hash/CryptMd4Null.c  |  143 --
>  .../Library/BaseCryptLib/Hmac/CryptHmacMd5.c  |  216 ---
>  .../BaseCryptLib/Hmac/CryptHmacMd5Null.c      |  139 --
>  .../Library/BaseCryptLib/Hmac/CryptHmacSha1.c |  216 ---
>  .../BaseCryptLib/Hmac/CryptHmacSha1Null.c     |  139 --
>  .../Library/BaseCryptLib/PeiCryptLib.inf      |   11 +-
>  .../Library/BaseCryptLib/PeiCryptLib.uni      |    8 +-
>  CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c |    7 +-
>  .../Library/BaseCryptLib/RuntimeCryptLib.inf  |   11 +-
>  .../Library/BaseCryptLib/RuntimeCryptLib.uni  |    8 +-
>  .../Library/BaseCryptLib/SmmCryptLib.inf      |   12 +-
>  .../Library/BaseCryptLib/SmmCryptLib.uni      |    8 +-
>  .../BaseCryptLibNull/BaseCryptLibNull.inf     |    5 -
>  .../BaseCryptLibNull/Cipher/CryptAesNull.c    |   52 -
>  .../BaseCryptLibNull/Cipher/CryptArc4Null.c   |  124 --
>  .../BaseCryptLibNull/Cipher/CryptTdesNull.c   |  160 ---
>  .../BaseCryptLibNull/Hash/CryptMd4Null.c      |  143 --
>  .../BaseCryptLibNull/Hmac/CryptHmacMd5Null.c  |  139 --
>  .../BaseCryptLibNull/Hmac/CryptHmacSha1Null.c |  139 --
>  .../BaseCryptLibOnProtocolPpi/CryptLib.c      | 1157 ++---------------
>  .../Library/Include/openssl/opensslconf.h     |    9 +
>  CryptoPkg/Library/OpensslLib/OpensslLib.inf   |   28 -
>  .../Library/OpensslLib/OpensslLibCrypto.inf   |   28 -
>  CryptoPkg/Library/OpensslLib/process_files.pl |    3 +
>  CryptoPkg/Private/Protocol/Crypto.h           |  709 ++--------
>  36 files changed, 402 insertions(+), 6102 deletions(-)
>  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4.c
>  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4Null.c
>  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
>  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
>  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c
>  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c
>  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c
>  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptArc4Null.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c
>  delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c
> 
> --
> 2.21.0.windows.1



* Re: [PATCH V4 00/11] CryptoPkg: Retire the deprecated functions
  2020-05-13 13:48 ` [PATCH V4 00/11] CryptoPkg: Retire the deprecated functions Wang, Jian J
@ 2020-05-14  2:49   ` Gao, Zhichao
  2020-05-14  5:11     ` Wang, Jian J
  0 siblings, 1 reply; 18+ messages in thread
From: Gao, Zhichao @ 2020-05-14  2:49 UTC (permalink / raw)
  To: Wang, Jian J, devel@edk2.groups.io, Fu, Siyuan, Kinney, Michael D,
	Yao, Jiewen, Philippe Mathieu-Daude, Lu, XiaoyuX


> -----Original Message-----
> From: Wang, Jian J <jian.j.wang@intel.com>
> Sent: Wednesday, May 13, 2020 9:49 PM
> To: Gao, Zhichao <zhichao.gao@intel.com>; devel@edk2.groups.io; Fu, Siyuan
> <siyuan.fu@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Yao,
> Jiewen <jiewen.yao@intel.com>; Philippe Mathieu-Daude <philmd@redhat.com>;
> Lu, XiaoyuX <xiaoyux.lu@intel.com>
> Subject: RE: [PATCH V4 00/11] CryptoPkg: Retire the deprecated functions
> 
> Zhichao,
> 
> Two general comments for improvement needed in your future patches:
> 1. Add r-b for those patch files which have got r-b 2. It'd be better to add
> summary of changes between this and previous version
>     of patches

1. I changed the typo of the function definition. So all the patches are changed. That is why I didn't keep any R-B.
2. I put the summary of changes in the cover letter. Thanks for the suggestion. I would put the changes for every patch but not put them in the commit message.

> 
> For v4,
>     patch 8: the updates of OpensslLib should be done by process_files.pl

I didn't find the config string to disable the AES ECB mode only. Can you help guide me on this? Or should I remove the change of OpensslLib in patch #8?

Thanks,
Zhichao

> 
> With this addressed (for the whole patch series),
> 
>     Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
> 
> 
> Mike, Jiewen, Siyuan, Philippe: any more comments for v4?
> 
> Regards,
> Jian
> 
> > -----Original Message-----
> > From: Gao, Zhichao <zhichao.gao@intel.com>
> > Sent: Tuesday, May 12, 2020 2:27 AM
> > To: devel@edk2.groups.io
> > Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX
> > <xiaoyux.lu@intel.com>; Fu, Siyuan <siyuan.fu@intel.com>; Kinney,
> > Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> > <jiewen.yao@intel.com>; Philippe Mathieu-Daude <philmd@redhat.com>
> > Subject: [PATCH V4 00/11] CryptoPkg: Retire the deprecated functions
> >
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
> >
> > Retire below deprecated functions:
> > MD4, ARC4, TDES, AES ECB MODE, HMAC MD5, HMAC SHA1.
> >
> > V2:
> > Separate the MD5 and SHA1 changes to other patch set.
> > Change the deprecated function wrapper implementation in
> > EDKII_CRYPTO_PROTOCOL to call a dummy function to print debug message
> > and assert.
> >
> > V3:
> > Remove the missing part of deprecated functions in V2.
> > Change the name field in the EDKII_CRYPTO_PROTOCOL to indicate the
> > function is deprecated and unsupported.
> >
> > V4:
> > Fixed some typos.
> > Separate the change of OpensslLib and make the change with
> > process_files.pl.
> > Moving the incorrect changes of AES_ECB from HMAC MD5 patch to Aes Ecb
> > one.
> >
> > Cc: Jian J Wang <jian.j.wang@intel.com>
> > Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> > Cc: Siyuan Fu <siyuan.fu@intel.com>
> > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > Cc: Philippe Mathieu-Daude <philmd@redhat.com>
> > Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> >
> > Zhichao Gao (8):
> >   CryptoPkg/CryptoDxe: Add function to indicate the deprecated algorithm
> >   CryptoPkg/BaseCrpytLib: Retire MD4 algorithm
> >   CryptoPkg/BaseCryptLib: Retire ARC4 algorithm
> >   CryptoPkg/BaseCryptLib: Retire the Tdes algorithm
> >   CryptoPkg/BaseCryptLib: Retire Aes Ecb mode algorithm
> >   CryptoPkg/BaseCryptLib: Retire HMAC MD5 algorithm
> >   CryptoPkg/BaseCryptLib: Retire HMAC SHA1 algorithm
> >   CryptoPkg/Crypto.h: Update the version of Crypto Driver
> >
> > Zhiguang Liu (3):
> >   CryptoPkg/OpensslLib: Set MD4 disable in OpensslLib
> >   CryptoPkg/OpensslLib: Set ARC4 disable in OpensslLib
> >   CryptoPkg/OpensslLib: Set TDES disable in OpensslLib
> >
> >  CryptoPkg/CryptoPkg.dsc                       |   46 +-
> >  CryptoPkg/Driver/Crypto.c                     |  786 ++---------
> >  CryptoPkg/Include/Library/BaseCryptLib.h      |  809 ------------
> >  .../Library/BaseCryptLib/BaseCryptLib.inf     |    7 +-
> >  .../Library/BaseCryptLib/Cipher/CryptAes.c    |  114 --
> >  .../BaseCryptLib/Cipher/CryptAesNull.c        |   52 -
> >  .../Library/BaseCryptLib/Cipher/CryptArc4.c   |  205 ---
> >  .../BaseCryptLib/Cipher/CryptArc4Null.c       |  124 --
> >  .../Library/BaseCryptLib/Cipher/CryptTdes.c   |  364 ------
> >  .../BaseCryptLib/Cipher/CryptTdesNull.c       |  160 ---
> >  .../Library/BaseCryptLib/Hash/CryptMd4.c      |  223 ----
> >  .../Library/BaseCryptLib/Hash/CryptMd4Null.c  |  143 --
> > .../Library/BaseCryptLib/Hmac/CryptHmacMd5.c  |  216 ---
> >  .../BaseCryptLib/Hmac/CryptHmacMd5Null.c      |  139 --
> >  .../Library/BaseCryptLib/Hmac/CryptHmacSha1.c |  216 ---
> >  .../BaseCryptLib/Hmac/CryptHmacSha1Null.c     |  139 --
> >  .../Library/BaseCryptLib/PeiCryptLib.inf      |   11 +-
> >  .../Library/BaseCryptLib/PeiCryptLib.uni      |    8 +-
> >  CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c |    7 +-
> >  .../Library/BaseCryptLib/RuntimeCryptLib.inf  |   11 +-
> >  .../Library/BaseCryptLib/RuntimeCryptLib.uni  |    8 +-
> >  .../Library/BaseCryptLib/SmmCryptLib.inf      |   12 +-
> >  .../Library/BaseCryptLib/SmmCryptLib.uni      |    8 +-
> >  .../BaseCryptLibNull/BaseCryptLibNull.inf     |    5 -
> >  .../BaseCryptLibNull/Cipher/CryptAesNull.c    |   52 -
> >  .../BaseCryptLibNull/Cipher/CryptArc4Null.c   |  124 --
> >  .../BaseCryptLibNull/Cipher/CryptTdesNull.c   |  160 ---
> >  .../BaseCryptLibNull/Hash/CryptMd4Null.c      |  143 --
> >  .../BaseCryptLibNull/Hmac/CryptHmacMd5Null.c  |  139 --
> > .../BaseCryptLibNull/Hmac/CryptHmacSha1Null.c |  139 --
> >  .../BaseCryptLibOnProtocolPpi/CryptLib.c      | 1157 ++---------------
> >  .../Library/Include/openssl/opensslconf.h     |    9 +
> >  CryptoPkg/Library/OpensslLib/OpensslLib.inf   |   28 -
> >  .../Library/OpensslLib/OpensslLibCrypto.inf   |   28 -
> >  CryptoPkg/Library/OpensslLib/process_files.pl |    3 +
> >  CryptoPkg/Private/Protocol/Crypto.h           |  709 ++--------
> >  36 files changed, 402 insertions(+), 6102 deletions(-)  delete mode
> > 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4.c
> >  delete mode 100644
> > CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4Null.c
> >  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
> >  delete mode 100644
> > CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
> >  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c
> >  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c
> >  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c
> >  delete mode 100644
> > CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c
> >  delete mode 100644
> > CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
> >  delete mode 100644
> > CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
> >  delete mode 100644
> > CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptArc4Null.c
> >  delete mode 100644
> > CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c
> >  delete mode 100644
> > CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c
> >  delete mode 100644
> > CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c
> >  delete mode 100644
> > CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c
> >
> > --
> > 2.21.0.windows.1
> 



* Re: [edk2-devel] [PATCH V4 02/11] CryptoPkg/BaseCrpytLib: Retire MD4 algorithm
  2020-05-11 18:27 ` [PATCH V4 02/11] CryptoPkg/BaseCrpytLib: Retire MD4 algorithm Gao, Zhichao
@ 2020-05-14  3:13   ` Guomin Jiang
  2020-05-14  5:58     ` Gao, Zhichao
  0 siblings, 1 reply; 18+ messages in thread
From: Guomin Jiang @ 2020-05-14  3:13 UTC (permalink / raw)
  To: devel@edk2.groups.io, Gao, Zhichao
  Cc: Wang, Jian J, Lu, XiaoyuX, Fu, Siyuan, Kinney, Michael D,
	Yao, Jiewen, Philippe Mathieu-Daude

Add comment inline.

> -----Original Message-----
> From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Gao,
> Zhichao
> Sent: Tuesday, May 12, 2020 2:27 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX
> <xiaoyux.lu@intel.com>; Fu, Siyuan <siyuan.fu@intel.com>; Kinney, Michael
> D <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>;
> Philippe Mathieu-Daude <philmd@redhat.com>
> Subject: [edk2-devel] [PATCH V4 02/11] CryptoPkg/BaseCrpytLib: Retire MD4
> algorithm
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
> 
> MD4 is not secure any longer.
> Remove the MD4 support from edk2.
> Change the MD4 field name in EDKII_CRYPTO_PROTOCOL to indicate the
> function is unsupported any longer.
> 
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Siyuan Fu <siyuan.fu@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>.

The Cc format is incorrect; please remove the '.' character at the end of the line.

> Cc: Philippe Mathieu-Daude <philmd@redhat.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> ---
>  CryptoPkg/CryptoPkg.dsc                       |   1 -
>  CryptoPkg/Driver/Crypto.c                     | 135 ++---------
>  CryptoPkg/Include/Library/BaseCryptLib.h      | 145 ------------
>  .../Library/BaseCryptLib/BaseCryptLib.inf     |   3 +-
>  .../Library/BaseCryptLib/Hash/CryptMd4.c      | 223 ------------------
>  .../Library/BaseCryptLib/Hash/CryptMd4Null.c  | 143 -----------
>  .../Library/BaseCryptLib/PeiCryptLib.inf      |   5 +-
>  .../Library/BaseCryptLib/PeiCryptLib.uni      |   6 +-
>  .../Library/BaseCryptLib/RuntimeCryptLib.inf  |   5 +-
>  .../Library/BaseCryptLib/RuntimeCryptLib.uni  |   6 +-
>  .../Library/BaseCryptLib/SmmCryptLib.inf      |   5 +-
>  .../Library/BaseCryptLib/SmmCryptLib.uni      |   6 +-
>  .../BaseCryptLibNull/BaseCryptLibNull.inf     |   1 -
>  .../BaseCryptLibNull/Hash/CryptMd4Null.c      | 143 -----------
>  .../BaseCryptLibOnProtocolPpi/CryptLib.c      | 158 -------------
>  CryptoPkg/Private/Protocol/Crypto.h           | 123 ++--------
>  16 files changed, 52 insertions(+), 1056 deletions(-)
>  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c
>  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c
> 
> diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
> index f79ff331cf..6ed7046563 100644
> --- a/CryptoPkg/CryptoPkg.dsc
> +++ b/CryptoPkg/CryptoPkg.dsc
> @@ -140,7 +140,6 @@
> 
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacMd5.Fa
> mily    | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> 
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Fa
> mily   | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> 
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.
> Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> -  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md4.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
>    gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
>    gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
>    gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Dh.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
> index ed0083cccf..c7a54182c7 100644
> --- a/CryptoPkg/Driver/Crypto.c
> +++ b/CryptoPkg/Driver/Crypto.c
> @@ -124,161 +124,68 @@ CryptoServiceGetCryptoVersion (
> 
> //=========================================================
> ============================
> 
>  /**
> -  Retrieves the size, in bytes, of the context buffer required for MD4 hash
> operations.
> -
> -  If this interface is not supported, then return zero.
> -
> -  @return  The size, in bytes, of the context buffer required for MD4 hash
> operations.
> -  @retval  0   This interface is not supported.
> +  MD4 is deprecated and unsupported any longer.
> +  Keep the function field for binary compability.
> 
>  **/
>  UINTN
>  EFIAPI
> -CryptoServiceMd4GetContextSize (
> +DeprecatedCryptoServiceMd4GetContextSize (
>    VOID
>    )
>  {
> -  return CALL_BASECRYPTLIB (Md4.Services.GetContextSize,
> Md4GetContextSize, (), 0);
> +  return BaseCryptLibServiceDeprecated ("Md4GetContextSize"), 0;
>  }
> 
> -/**
> -  Initializes user-supplied memory pointed by Md4Context as MD4 hash
> context for
> -  subsequent use.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[out]  Md4Context  Pointer to MD4 context being initialized.
> -
> -  @retval TRUE   MD4 context initialization succeeded.
> -  @retval FALSE  MD4 context initialization failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  BOOLEAN
>  EFIAPI
> -CryptoServiceMd4Init (
> +DeprecatedCryptoServiceMd4Init (
>    OUT  VOID  *Md4Context
>    )
>  {
> -  return CALL_BASECRYPTLIB (Md4.Services.Init, Md4Init, (Md4Context),
> FALSE);
> +  return BaseCryptLibServiceDeprecated ("Md4Init"), FALSE;
>  }
> 
> -/**
> -  Makes a copy of an existing MD4 context.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If NewMd4Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]  Md4Context     Pointer to MD4 context being copied.
> -  @param[out] NewMd4Context  Pointer to new MD4 context.
> -
> -  @retval TRUE   MD4 context copy succeeded.
> -  @retval FALSE  MD4 context copy failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  BOOLEAN
>  EFIAPI
> -CryptoServiceMd4Duplicate (
> +DeprecatedCryptoServiceMd4Duplicate (
>    IN   CONST VOID  *Md4Context,
>    OUT  VOID        *NewMd4Context
>    )
>  {
> -  return CALL_BASECRYPTLIB (Md4.Services.Duplicate, Md4Duplicate,
> (Md4Context, NewMd4Context), FALSE);
> +  return BaseCryptLibServiceDeprecated ("Md4Duplicate"), FALSE;
>  }
> 
> -/**
> -  Digests the input data and updates MD4 context.
> -
> -  This function performs MD4 digest on a data buffer of the specified size.
> -  It can be called multiple times to compute the digest of long or
> discontinuous data streams.
> -  MD4 context should be already correctly initialized by Md4Init(), and should
> not be finalized
> -  by Md4Final(). Behavior with invalid context is undefined.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> -  @param[in]       Data        Pointer to the buffer containing the data to be
> hashed.
> -  @param[in]       DataSize    Size of Data buffer in bytes.
> -
> -  @retval TRUE   MD4 data digest succeeded.
> -  @retval FALSE  MD4 data digest failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  BOOLEAN
>  EFIAPI
> -CryptoServiceMd4Update (
> +DeprecatedCryptoServiceMd4Update (
>    IN OUT  VOID        *Md4Context,
>    IN      CONST VOID  *Data,
>    IN      UINTN       DataSize
>    )
>  {
> -  return CALL_BASECRYPTLIB (Md4.Services.Update, Md4Update,
> (Md4Context, Data, DataSize), FALSE);
> +  return BaseCryptLibServiceDeprecated ("Md4Update"), FALSE;
>  }
> 
> -/**
> -  Completes computation of the MD4 digest value.
> -
> -  This function completes MD4 hash computation and retrieves the digest
> value into
> -  the specified memory. After this function has been called, the MD4 context
> cannot
> -  be used again.
> -  MD4 context should be already correctly initialized by Md4Init(), and should
> not be
> -  finalized by Md4Final(). Behavior with invalid MD4 context is undefined.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If HashValue is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> -  @param[out]      HashValue   Pointer to a buffer that receives the MD4
> digest
> -                               value (16 bytes).
> -
> -  @retval TRUE   MD4 digest computation succeeded.
> -  @retval FALSE  MD4 digest computation failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  BOOLEAN
>  EFIAPI
> -CryptoServiceMd4Final (
> +DeprecatedCryptoServiceMd4Final (
>    IN OUT  VOID   *Md4Context,
>    OUT     UINT8  *HashValue
>    )
>  {
> -  return CALL_BASECRYPTLIB (Md4.Services.Final, Md4Final, (Md4Context,
> HashValue), FALSE);
> +  return BaseCryptLibServiceDeprecated ("Md4Final"), FALSE;
>  }
> 
> -/**
> -  Computes the MD4 message digest of a input data buffer.
> -
> -  This function performs the MD4 message digest of a given data buffer, and
> places
> -  the digest value into the specified memory.
> -
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]   Data        Pointer to the buffer containing the data to be
> hashed.
> -  @param[in]   DataSize    Size of Data buffer in bytes.
> -  @param[out]  HashValue   Pointer to a buffer that receives the MD4 digest
> -                           value (16 bytes).
> -
> -  @retval TRUE   MD4 digest computation succeeded.
> -  @retval FALSE  MD4 digest computation failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  BOOLEAN
>  EFIAPI
> -CryptoServiceMd4HashAll (
> +DeprecatedCryptoServiceMd4HashAll (
>    IN   CONST VOID  *Data,
>    IN   UINTN       DataSize,
>    OUT  UINT8       *HashValue
>    )
>  {
> -  return CALL_BASECRYPTLIB (Md4.Services.HashAll, Md4HashAll, (Data,
> DataSize, HashValue), FALSE);
> +  return BaseCryptLibServiceDeprecated ("Md4HashAll"), FALSE;
>  }
> 
>  /**
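
Review bot: in this hunk only DeprecatedCryptoServiceMd4GetContextSize keeps a function header; the header blocks of the Init, Duplicate, Update, Final and HashAll stubs are deleted with nothing in their place. Give each stub a short header, or put one shared comment above the group, stating that the service is retired and always returns FALSE, and fix the spelling of "compability" in the new header. The stubs also rely on the comma operator, as in `return BaseCryptLibServiceDeprecated ("Md4Init"), FALSE;`, which is easy to misread as returning the result of the call; splitting the call and the return into two statements would make the constant return value obvious.
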
> @@ -4440,13 +4347,13 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto =
> {
>    CryptoServiceHmacSha256Duplicate,
>    CryptoServiceHmacSha256Update,
>    CryptoServiceHmacSha256Final,
> -  /// Md4
> -  CryptoServiceMd4GetContextSize,
> -  CryptoServiceMd4Init,
> -  CryptoServiceMd4Duplicate,
> -  CryptoServiceMd4Update,
> -  CryptoServiceMd4Final,
> -  CryptoServiceMd4HashAll,
> +  /// Md4 - deprecated and unsupported
> +  DeprecatedCryptoServiceMd4GetContextSize,
> +  DeprecatedCryptoServiceMd4Init,
> +  DeprecatedCryptoServiceMd4Duplicate,
> +  DeprecatedCryptoServiceMd4Update,
> +  DeprecatedCryptoServiceMd4Final,
> +  DeprecatedCryptoServiceMd4HashAll,
>    /// Md5
>    CryptoServiceMd5GetContextSize,
>    CryptoServiceMd5Init,
> diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h
> b/CryptoPkg/Include/Library/BaseCryptLib.h
> index 5e8f2e0a10..c862f0334f 100644
> --- a/CryptoPkg/Include/Library/BaseCryptLib.h
> +++ b/CryptoPkg/Include/Library/BaseCryptLib.h
> @@ -14,11 +14,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> 
>  #include <Uefi/UefiBaseType.h>
> 
> -///
> -/// MD4 digest size in bytes
> -///
> -#define MD4_DIGEST_SIZE     16
> -
>  ///
>  /// MD5 digest size in bytes
>  ///
> @@ -77,146 +72,6 @@ typedef enum {
>  //    One-Way Cryptographic Hash Primitives
> 
> //=========================================================
> ============================
> 
> -/**
> -  Retrieves the size, in bytes, of the context buffer required for MD4 hash
> operations.
> -
> -  If this interface is not supported, then return zero.
> -
> -  @return  The size, in bytes, of the context buffer required for MD4 hash
> operations.
> -  @retval  0   This interface is not supported.
> -
> -**/
> -UINTN
> -EFIAPI
> -Md4GetContextSize (
> -  VOID
> -  );
> -
> -/**
> -  Initializes user-supplied memory pointed by Md4Context as MD4 hash
> context for
> -  subsequent use.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[out]  Md4Context  Pointer to MD4 context being initialized.
> -
> -  @retval TRUE   MD4 context initialization succeeded.
> -  @retval FALSE  MD4 context initialization failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Init (
> -  OUT  VOID  *Md4Context
> -  );
> -
> -/**
> -  Makes a copy of an existing MD4 context.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If NewMd4Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]  Md4Context     Pointer to MD4 context being copied.
> -  @param[out] NewMd4Context  Pointer to new MD4 context.
> -
> -  @retval TRUE   MD4 context copy succeeded.
> -  @retval FALSE  MD4 context copy failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Duplicate (
> -  IN   CONST VOID  *Md4Context,
> -  OUT  VOID        *NewMd4Context
> -  );
> -
> -/**
> -  Digests the input data and updates MD4 context.
> -
> -  This function performs MD4 digest on a data buffer of the specified size.
> -  It can be called multiple times to compute the digest of long or
> discontinuous data streams.
> -  MD4 context should be already correctly initialized by Md4Init(), and should
> not be finalized
> -  by Md4Final(). Behavior with invalid context is undefined.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> -  @param[in]       Data        Pointer to the buffer containing the data to be
> hashed.
> -  @param[in]       DataSize    Size of Data buffer in bytes.
> -
> -  @retval TRUE   MD4 data digest succeeded.
> -  @retval FALSE  MD4 data digest failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Update (
> -  IN OUT  VOID        *Md4Context,
> -  IN      CONST VOID  *Data,
> -  IN      UINTN       DataSize
> -  );
> -
> -/**
> -  Completes computation of the MD4 digest value.
> -
> -  This function completes MD4 hash computation and retrieves the digest
> value into
> -  the specified memory. After this function has been called, the MD4 context
> cannot
> -  be used again.
> -  MD4 context should be already correctly initialized by Md4Init(), and should
> not be
> -  finalized by Md4Final(). Behavior with invalid MD4 context is undefined.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If HashValue is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> -  @param[out]      HashValue   Pointer to a buffer that receives the MD4
> digest
> -                               value (16 bytes).
> -
> -  @retval TRUE   MD4 digest computation succeeded.
> -  @retval FALSE  MD4 digest computation failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Final (
> -  IN OUT  VOID   *Md4Context,
> -  OUT     UINT8  *HashValue
> -  );
> -
> -/**
> -  Computes the MD4 message digest of a input data buffer.
> -
> -  This function performs the MD4 message digest of a given data buffer, and
> places
> -  the digest value into the specified memory.
> -
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]   Data        Pointer to the buffer containing the data to be
> hashed.
> -  @param[in]   DataSize    Size of Data buffer in bytes.
> -  @param[out]  HashValue   Pointer to a buffer that receives the MD4 digest
> -                           value (16 bytes).
> -
> -  @retval TRUE   MD4 digest computation succeeded.
> -  @retval FALSE  MD4 digest computation failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4HashAll (
> -  IN   CONST VOID  *Data,
> -  IN   UINTN       DataSize,
> -  OUT  UINT8       *HashValue
> -  );
> -
>  /**
>    Retrieves the size, in bytes, of the context buffer required for MD5 hash
> operations.
> 
> diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> index a63ad66b4f..22992e7d43 100644
> --- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> @@ -6,7 +6,7 @@
>  #  This external input must be validated carefully to avoid security issues
> such as
>  #  buffer overflow or integer overflow.
>  #
> -#  Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
> +#  Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
>  #  Copyright (c) 2020, Hewlett Packard Enterprise Development LP. All rights
> reserved.<BR>
>  #  SPDX-License-Identifier: BSD-2-Clause-Patent
>  #
> @@ -29,7 +29,6 @@
> 
>  [Sources]
>    InternalCryptLib.h
> -  Hash/CryptMd4.c
>    Hash/CryptMd5.c
>    Hash/CryptSha1.c
>    Hash/CryptSha256.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c
> b/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c
> deleted file mode 100644
> index bc02da07b0..0000000000
> --- a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c
> +++ /dev/null
> @@ -1,223 +0,0 @@
> -/** @file
> -  MD4 Digest Wrapper Implementation over OpenSSL.
> -
> -Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -#include <openssl/md4.h>
> -
> -/**
> -  Retrieves the size, in bytes, of the context buffer required for MD4 hash
> operations.
> -
> -  @return  The size, in bytes, of the context buffer required for MD4 hash
> operations.
> -
> -**/
> -UINTN
> -EFIAPI
> -Md4GetContextSize (
> -  VOID
> -  )
> -{
> -  //
> -  // Retrieves the OpenSSL MD4 Context Size
> -  //
> -  return (UINTN) (sizeof (MD4_CTX));
> -}
> -
> -/**
> -  Initializes user-supplied memory pointed by Md4Context as MD4 hash
> context for
> -  subsequent use.
> -
> -  If Md4Context is NULL, then return FALSE.
> -
> -  @param[out]  Md4Context  Pointer to MD4 context being initialized.
> -
> -  @retval TRUE   MD4 context initialization succeeded.
> -  @retval FALSE  MD4 context initialization failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Init (
> -  OUT  VOID  *Md4Context
> -  )
> -{
> -  //
> -  // Check input parameters.
> -  //
> -  if (Md4Context == NULL) {
> -    return FALSE;
> -  }
> -
> -  //
> -  // OpenSSL MD4 Context Initialization
> -  //
> -  return (BOOLEAN) (MD4_Init ((MD4_CTX *) Md4Context));
> -}
> -
> -/**
> -  Makes a copy of an existing MD4 context.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If NewMd4Context is NULL, then return FALSE.
> -
> -  @param[in]  Md4Context     Pointer to MD4 context being copied.
> -  @param[out] NewMd4Context  Pointer to new MD4 context.
> -
> -  @retval TRUE   MD4 context copy succeeded.
> -  @retval FALSE  MD4 context copy failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Duplicate (
> -  IN   CONST VOID  *Md4Context,
> -  OUT  VOID        *NewMd4Context
> -  )
> -{
> -  //
> -  // Check input parameters.
> -  //
> -  if (Md4Context == NULL || NewMd4Context == NULL) {
> -    return FALSE;
> -  }
> -
> -  CopyMem (NewMd4Context, Md4Context, sizeof (MD4_CTX));
> -
> -  return TRUE;
> -}
> -
> -/**
> -  Digests the input data and updates MD4 context.
> -
> -  This function performs MD4 digest on a data buffer of the specified size.
> -  It can be called multiple times to compute the digest of long or
> discontinuous data streams.
> -  MD4 context should be already correctly initialized by Md4Init(), and should
> not be finalized
> -  by Md4Final(). Behavior with invalid context is undefined.
> -
> -  If Md4Context is NULL, then return FALSE.
> -
> -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> -  @param[in]       Data        Pointer to the buffer containing the data to be
> hashed.
> -  @param[in]       DataSize    Size of Data buffer in bytes.
> -
> -  @retval TRUE   MD4 data digest succeeded.
> -  @retval FALSE  MD4 data digest failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Update (
> -  IN OUT  VOID        *Md4Context,
> -  IN      CONST VOID  *Data,
> -  IN      UINTN       DataSize
> -  )
> -{
> -  //
> -  // Check input parameters.
> -  //
> -  if (Md4Context == NULL) {
> -    return FALSE;
> -  }
> -
> -  //
> -  // Check invalid parameters, in case that only DataLength was checked in
> OpenSSL
> -  //
> -  if (Data == NULL && DataSize != 0) {
> -    return FALSE;
> -  }
> -
> -  //
> -  // OpenSSL MD4 Hash Update
> -  //
> -  return (BOOLEAN) (MD4_Update ((MD4_CTX *) Md4Context, Data,
> DataSize));
> -}
> -
> -/**
> -  Completes computation of the MD4 digest value.
> -
> -  This function completes MD4 hash computation and retrieves the digest
> value into
> -  the specified memory. After this function has been called, the MD4 context
> cannot
> -  be used again.
> -  MD4 context should be already correctly initialized by Md4Init(), and should
> not be
> -  finalized by Md4Final(). Behavior with invalid MD4 context is undefined.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If HashValue is NULL, then return FALSE.
> -
> -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> -  @param[out]      HashValue   Pointer to a buffer that receives the MD4
> digest
> -                               value (16 bytes).
> -
> -  @retval TRUE   MD4 digest computation succeeded.
> -  @retval FALSE  MD4 digest computation failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Final (
> -  IN OUT  VOID   *Md4Context,
> -  OUT     UINT8  *HashValue
> -  )
> -{
> -  //
> -  // Check input parameters.
> -  //
> -  if (Md4Context == NULL || HashValue == NULL) {
> -    return FALSE;
> -  }
> -
> -  //
> -  // OpenSSL MD4 Hash Finalization
> -  //
> -  return (BOOLEAN) (MD4_Final (HashValue, (MD4_CTX *) Md4Context));
> -}
> -
> -/**
> -  Computes the MD4 message digest of a input data buffer.
> -
> -  This function performs the MD4 message digest of a given data buffer, and
> places
> -  the digest value into the specified memory.
> -
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]   Data        Pointer to the buffer containing the data to be
> hashed.
> -  @param[in]   DataSize    Size of Data buffer in bytes.
> -  @param[out]  HashValue   Pointer to a buffer that receives the MD4 digest
> -                           value (16 bytes).
> -
> -  @retval TRUE   MD4 digest computation succeeded.
> -  @retval FALSE  MD4 digest computation failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4HashAll (
> -  IN   CONST VOID  *Data,
> -  IN   UINTN       DataSize,
> -  OUT  UINT8       *HashValue
> -  )
> -{
> -  //
> -  // Check input parameters.
> -  //
> -  if (HashValue == NULL) {
> -    return FALSE;
> -  }
> -  if (Data == NULL && DataSize != 0) {
> -    return FALSE;
> -  }
> -
> -  //
> -  // OpenSSL MD4 Hash Computation.
> -  //
> -  if (MD4 (Data, DataSize, HashValue) == NULL) {
> -    return FALSE;
> -  } else {
> -    return TRUE;
> -  }
> -}
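
Review bot: the deleted CryptMd4.c is where `#include <openssl/md4.h>` and the MD4_Init/MD4_Update/MD4_Final/MD4 calls live, but the commit message does not say whether MD4 is also dropped from the OpensslLib build. The cover letter mentions a separate OpensslLib change made with process_files.pl; please reference it here so it is clear the algorithm is not left compiled in with no wrapper using it.
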
> diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c
> b/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c
> deleted file mode 100644
> index 610c61c713..0000000000
> --- a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c
> +++ /dev/null
> @@ -1,143 +0,0 @@
> -/** @file
> -  MD4 Digest Wrapper Implementation which does not provide real
> capabilities.
> -
> -Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -
> -/**
> -  Retrieves the size, in bytes, of the context buffer required for MD4 hash
> -  operations.
> -
> -  Return zero to indicate this interface is not supported.
> -
> -  @retval  0   This interface is not supported.
> -
> -**/
> -UINTN
> -EFIAPI
> -Md4GetContextSize (
> -  VOID
> -  )
> -{
> -  ASSERT (FALSE);
> -  return 0;
> -}
> -
> -/**
> -  Initializes user-supplied memory pointed by Md4Context as MD4 hash
> context for
> -  subsequent use.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[out]  Md4Context  Pointer to MD4 context being initialized.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Init (
> -  OUT  VOID  *Md4Context
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Makes a copy of an existing MD4 context.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in]  Md4Context     Pointer to MD4 context being copied.
> -  @param[out] NewMd4Context  Pointer to new MD4 context.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Duplicate (
> -  IN   CONST VOID  *Md4Context,
> -  OUT  VOID        *NewMd4Context
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Digests the input data and updates MD4 context.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> -  @param[in]       Data        Pointer to the buffer containing the data to be
> hashed.
> -  @param[in]       DataSize    Size of Data buffer in bytes.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Update (
> -  IN OUT  VOID        *Md4Context,
> -  IN      CONST VOID  *Data,
> -  IN      UINTN       DataSize
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Completes computation of the MD4 digest value.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> -  @param[out]      HashValue   Pointer to a buffer that receives the MD4
> digest
> -                               value (16 bytes).
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Final (
> -  IN OUT  VOID   *Md4Context,
> -  OUT     UINT8  *HashValue
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Computes the MD4 message digest of a input data buffer.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in]   Data        Pointer to the buffer containing the data to be
> hashed.
> -  @param[in]   DataSize    Size of Data buffer in bytes.
> -  @param[out]  HashValue   Pointer to a buffer that receives the MD4 digest
> -                           value (16 bytes).
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4HashAll (
> -  IN   CONST VOID  *Data,
> -  IN   UINTN       DataSize,
> -  OUT  UINT8       *HashValue
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
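
Review bot: removing these Md4* stubs (each body is `ASSERT (FALSE); return FALSE;`) changes how a leftover caller fails in the instances that listed Hash/CryptMd4Null.c: an unresolved symbol at link time instead of an assert plus a FALSE return at run time. That is the preferable failure mode, but it should be stated in the commit message so downstream platforms expect build breaks when they still reference Md4GetContextSize, Md4Init, Md4Duplicate, Md4Update, Md4Final or Md4HashAll.
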
> diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> index c836c257f8..e9add0127d 100644
> --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> @@ -6,14 +6,14 @@
>  #  This external input must be validated carefully to avoid security issues
> such as
>  #  buffer overflow or integer overflow.
>  #
> -#  Note: MD4 Digest functions,
> +#  Note:
>  #  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES/ARC4
> functions, RSA external
>  #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions,
> X.509
>  #  certificate handler functions, authenticode signature verification
> functions,
>  #  PEM handler functions, and pseudorandom number generator functions
> are not
>  #  supported in this instance.
>  #
> -#  Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.<BR>
> +#  Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
>  #  SPDX-License-Identifier: BSD-2-Clause-Patent
>  #
>  ##
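
Review bot: the replacement `+#  Note:` leaves a bare "Note:" on its own line with the list starting on the next one. Reflow the comment so the first item follows the label, for example `#  Note: HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, ...`, which is how the RuntimeCryptLib.inf and SmmCryptLib.inf hunks in this same patch handle it.
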
> @@ -35,7 +35,6 @@
> 
>  [Sources]
>    InternalCryptLib.h
> -  Hash/CryptMd4Null.c
>    Hash/CryptMd5.c
>    Hash/CryptSha1.c
>    Hash/CryptSha256.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> index 9937555beb..374bfb3f65 100644
> --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> @@ -6,13 +6,13 @@
>  // This external input must be validated carefully to avoid security issues
> such as
>  // buffer overflow or integer overflow.
>  //
> -// Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1
> functions, AES/
> +// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
>  // TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign
> functions,
>  // Diffie-Hellman functions, X.509 certificate handler functions, authenticode
>  // signature verification functions, PEM handler functions, and
> pseudorandom number
>  // generator functions are not supported in this instance.
>  //
> -// Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
> +// Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
>  //
>  // SPDX-License-Identifier: BSD-2-Clause-Patent
>  //
> @@ -21,5 +21,5 @@
> 
>  #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic
> Library Instance for PEIM"
> 
> -#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have
> external input - signature. This external input must be validated carefully to
> avoid security issues such as buffer overflow or integer overflow. Note: MD4
> Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions, AES/
> TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign
> functions, Diffie-Hellman functions, X.509 certificate handler functions,
> authenticode signature verification functions, PEM handler functions, and
> pseudorandom number generator functions are not supported in this
> instance."
> +#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have
> external input - signature. This external input must be validated carefully to
> avoid security issues such as buffer overflow or integer overflow. Note:
> HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions,
> RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman
> functions, X.509 certificate handler functions, authenticode signature
> verification functions, PEM handler functions, and pseudorandom number
> generator functions are not supported in this instance."
> 
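
Review bot: the added STR_MODULE_DESCRIPTION string still reads "AES/ TDES/ARC4 functions" with a space after the slash, carried over from the removed line. Since the whole string is being rewritten anyway, write it as "AES/TDES/ARC4" to match the wording in PeiCryptLib.inf. The same applies to the STR_MODULE_DESCRIPTION hunks in RuntimeCryptLib.uni and SmmCryptLib.uni.
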
> diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> index e5b8ececc1..0a2eb03232 100644
> --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> @@ -6,12 +6,12 @@
>  #  This external input must be validated carefully to avoid security issues
> such as
>  #  buffer overflow or integer overflow.
>  #
> -#  Note: MD4 Digest functions, SHA-384 Digest functions, SHA-512 Digest
> functions,
> +#  Note: SHA-384 Digest functions, SHA-512 Digest functions,
>  #  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES/ARC4
> functions, RSA external
>  #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions,
> and
>  #  authenticode signature verification functions are not supported in this
> instance.
>  #
> -#  Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
> +#  Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
>  #  Copyright (c) 2020, Hewlett Packard Enterprise Development LP. All rights
> reserved.<BR>
>  #  SPDX-License-Identifier: BSD-2-Clause-Patent
>  #
> @@ -35,7 +35,6 @@
> 
>  [Sources]
>    InternalCryptLib.h
> -  Hash/CryptMd4Null.c
>    Hash/CryptMd5.c
>    Hash/CryptSha1.c
>    Hash/CryptSha256.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> index c0a16f1b84..b6d751176e 100644
> --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> @@ -6,12 +6,12 @@
>  // This external input must be validated carefully to avoid security issues
> such as
>  // buffer overflow or integer overflow.
>  //
> -// Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1
> functions, AES/
> +// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
>  // TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign
> functions,
>  // Diffie-Hellman functions, and authenticode signature verification
> functions are
>  // not supported in this instance.
>  //
> -// Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
> +// Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
>  //
>  // SPDX-License-Identifier: BSD-2-Clause-Patent
>  //
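
Review bot: after this edit the Note in RuntimeCryptLib.uni no longer matches the one in RuntimeCryptLib.inf from the same patch. The .inf lists "SHA-384 Digest functions, SHA-512 Digest functions" and "HMAC-SHA1/SHA256 functions" as unsupported, while this .uni text omits the SHA-384/SHA-512 entries and says only "HMAC-SHA1 functions". The line is being touched for MD4 anyway, so please bring the two lists into agreement, or say in the commit message that the difference is intentional.
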
> @@ -20,5 +20,5 @@
> 
>  #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic
> Library Instance for DXE_RUNTIME_DRIVER"
> 
> -#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have
> external input - signature. This external input must be validated carefully to
> avoid security issues such as buffer overflow or integer overflow. Note: MD4
> Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions, AES/
> TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign
> functions, Diffie-Hellman functions, and authenticode signature verification
> functions are not supported in this instance."
> +#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have
> external input - signature. This external input must be validated carefully to
> avoid security issues such as buffer overflow or integer overflow. Note:
> HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions,
> RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman
> functions, and authenticode signature verification functions are not
> supported in this instance."
> 
> diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> index cc0b65fd25..139983075e 100644
> --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> @@ -6,12 +6,12 @@
>  #  This external input must be validated carefully to avoid security issues
> such as
>  #  buffer overflow or integer overflow.
>  #
> -#  Note: MD4 Digest functions, SHA-384 Digest functions, SHA-512 Digest
> functions,
> +#  Note: SHA-384 Digest functions, SHA-512 Digest functions,
>  #  HMAC-MD5 functions, HMAC-SHA1 functions, TDES/ARC4 functions, RSA
> external
>  #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions,
> and
>  #  authenticode signature verification functions are not supported in this
> instance.
>  #
> -#  Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.<BR>
> +#  Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
>  #  SPDX-License-Identifier: BSD-2-Clause-Patent
>  #
>  ##
> @@ -34,7 +34,6 @@
> 
>  [Sources]
>    InternalCryptLib.h
> -  Hash/CryptMd4Null.c
>    Hash/CryptMd5.c
>    Hash/CryptSha1.c
>    Hash/CryptSha256.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> index 83485fbb90..b8d7953d2b 100644
> --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> @@ -6,12 +6,12 @@
>  // This external input must be validated carefully to avoid security issues
> such as
>  // buffer overflow or integer overflow.
>  //
> -// Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1
> functions, AES/
> +// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
>  // TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign
> functions,
>  // Diffie-Hellman functions, and authenticode signature verification
> functions are
>  // not supported in this instance.
>  //
> -// Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
> +// Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
>  //
>  // SPDX-License-Identifier: BSD-2-Clause-Patent
>  //
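
Review bot: the Note kept in SmmCryptLib.uni says "AES/ TDES/ARC4 functions" are not supported, but the SmmCryptLib.inf hunk in this patch lists only "TDES/ARC4 functions" and additionally names SHA-384 and SHA-512 Digest functions. One of the two descriptions is wrong about AES in the SMM instance. Please correct the stale one while editing this line rather than carrying the mismatch forward.
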
> @@ -20,5 +20,5 @@
> 
>  #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic
> Library Instance for SMM driver"
> 
> -#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have
> external input - signature. This external input must be validated carefully to
> avoid security issues such as buffer overflow or integer overflow. Note: MD4
> Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions, AES/
> TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign
> functions, Diffie-Hellman functions, and authenticode signature verification
> functions are not supported in this instance."
> +#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have
> external input - signature. This external input must be validated carefully to
> avoid security issues such as buffer overflow or integer overflow. Note:
> HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions,
> RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman
> functions, and authenticode signature verification functions are not
> supported in this instance."
> 
> diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> index 9b4991cbb0..b03681b146 100644
> --- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> +++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> @@ -29,7 +29,6 @@
> 
>  [Sources]
>    InternalCryptLib.h
> -  Hash/CryptMd4Null.c
>    Hash/CryptMd5Null.c
>    Hash/CryptSha1Null.c
>    Hash/CryptSha256Null.c
> diff --git a/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c
> b/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c
> deleted file mode 100644
> index 610c61c713..0000000000
> --- a/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c
> +++ /dev/null
> @@ -1,143 +0,0 @@
> -/** @file
> -  MD4 Digest Wrapper Implementation which does not provide real
> capabilities.
> -
> -Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -
> -/**
> -  Retrieves the size, in bytes, of the context buffer required for MD4 hash
> -  operations.
> -
> -  Return zero to indicate this interface is not supported.
> -
> -  @retval  0   This interface is not supported.
> -
> -**/
> -UINTN
> -EFIAPI
> -Md4GetContextSize (
> -  VOID
> -  )
> -{
> -  ASSERT (FALSE);
> -  return 0;
> -}
> -
> -/**
> -  Initializes user-supplied memory pointed by Md4Context as MD4 hash
> context for
> -  subsequent use.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[out]  Md4Context  Pointer to MD4 context being initialized.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Init (
> -  OUT  VOID  *Md4Context
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Makes a copy of an existing MD4 context.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in]  Md4Context     Pointer to MD4 context being copied.
> -  @param[out] NewMd4Context  Pointer to new MD4 context.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Duplicate (
> -  IN   CONST VOID  *Md4Context,
> -  OUT  VOID        *NewMd4Context
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Digests the input data and updates MD4 context.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> -  @param[in]       Data        Pointer to the buffer containing the data to be
> hashed.
> -  @param[in]       DataSize    Size of Data buffer in bytes.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Update (
> -  IN OUT  VOID        *Md4Context,
> -  IN      CONST VOID  *Data,
> -  IN      UINTN       DataSize
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Completes computation of the MD4 digest value.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> -  @param[out]      HashValue   Pointer to a buffer that receives the MD4
> digest
> -                               value (16 bytes).
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Final (
> -  IN OUT  VOID   *Md4Context,
> -  OUT     UINT8  *HashValue
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Computes the MD4 message digest of a input data buffer.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in]   Data        Pointer to the buffer containing the data to be
> hashed.
> -  @param[in]   DataSize    Size of Data buffer in bytes.
> -  @param[out]  HashValue   Pointer to a buffer that receives the MD4 digest
> -                           value (16 bytes).
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4HashAll (
> -  IN   CONST VOID  *Data,
> -  IN   UINTN       DataSize,
> -  OUT  UINT8       *HashValue
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> index c2a1df9afc..5e470028f4 100644
> --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> @@ -99,164 +99,6 @@ CryptoServiceNotAvailable (
>  //    One-Way Cryptographic Hash Primitives
> 
> //=========================================================
> ============================
> 
> -/**
> -  Retrieves the size, in bytes, of the context buffer required for MD4 hash
> operations.
> -
> -  If this interface is not supported, then return zero.
> -
> -  @return  The size, in bytes, of the context buffer required for MD4 hash
> operations.
> -  @retval  0   This interface is not supported.
> -
> -**/
> -UINTN
> -EFIAPI
> -Md4GetContextSize (
> -  VOID
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (Md4GetContextSize, (), 0);
> -}
> -
> -/**
> -  Initializes user-supplied memory pointed by Md4Context as MD4 hash
> context for
> -  subsequent use.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[out]  Md4Context  Pointer to MD4 context being initialized.
> -
> -  @retval TRUE   MD4 context initialization succeeded.
> -  @retval FALSE  MD4 context initialization failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Init (
> -  OUT  VOID  *Md4Context
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (Md4Init, (Md4Context), FALSE);
> -}
> -
> -/**
> -  Makes a copy of an existing MD4 context.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If NewMd4Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]  Md4Context     Pointer to MD4 context being copied.
> -  @param[out] NewMd4Context  Pointer to new MD4 context.
> -
> -  @retval TRUE   MD4 context copy succeeded.
> -  @retval FALSE  MD4 context copy failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Duplicate (
> -  IN   CONST VOID  *Md4Context,
> -  OUT  VOID        *NewMd4Context
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (Md4Duplicate, (Md4Context, NewMd4Context),
> FALSE);
> -}
> -
> -/**
> -  Digests the input data and updates MD4 context.
> -
> -  This function performs MD4 digest on a data buffer of the specified size.
> -  It can be called multiple times to compute the digest of long or
> discontinuous data streams.
> -  MD4 context should be already correctly initialized by Md4Init(), and should
> not be finalized
> -  by Md4Final(). Behavior with invalid context is undefined.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> -  @param[in]       Data        Pointer to the buffer containing the data to be
> hashed.
> -  @param[in]       DataSize    Size of Data buffer in bytes.
> -
> -  @retval TRUE   MD4 data digest succeeded.
> -  @retval FALSE  MD4 data digest failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Update (
> -  IN OUT  VOID        *Md4Context,
> -  IN      CONST VOID  *Data,
> -  IN      UINTN       DataSize
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (Md4Update, (Md4Context, Data, DataSize),
> FALSE);
> -}
> -
> -/**
> -  Completes computation of the MD4 digest value.
> -
> -  This function completes MD4 hash computation and retrieves the digest
> value into
> -  the specified memory. After this function has been called, the MD4 context
> cannot
> -  be used again.
> -  MD4 context should be already correctly initialized by Md4Init(), and should
> not be
> -  finalized by Md4Final(). Behavior with invalid MD4 context is undefined.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If HashValue is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> -  @param[out]      HashValue   Pointer to a buffer that receives the MD4
> digest
> -                               value (16 bytes).
> -
> -  @retval TRUE   MD4 digest computation succeeded.
> -  @retval FALSE  MD4 digest computation failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4Final (
> -  IN OUT  VOID   *Md4Context,
> -  OUT     UINT8  *HashValue
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (Md4Final, (Md4Context, HashValue), FALSE);
> -}
> -
> -/**
> -  Computes the MD4 message digest of a input data buffer.
> -
> -  This function performs the MD4 message digest of a given data buffer, and
> places
> -  the digest value into the specified memory.
> -
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]   Data        Pointer to the buffer containing the data to be
> hashed.
> -  @param[in]   DataSize    Size of Data buffer in bytes.
> -  @param[out]  HashValue   Pointer to a buffer that receives the MD4 digest
> -                           value (16 bytes).
> -
> -  @retval TRUE   MD4 digest computation succeeded.
> -  @retval FALSE  MD4 digest computation failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -Md4HashAll (
> -  IN   CONST VOID  *Data,
> -  IN   UINTN       DataSize,
> -  OUT  UINT8       *HashValue
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (Md4HashAll, (Data, DataSize, HashValue), FALSE);
> -}
> -
>  /**
>    Retrieves the size, in bytes, of the context buffer required for MD5 hash
> operations.
> 
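
Review bot: this hunk deletes all six Md4* wrappers that went through CALL_CRYPTO_SERVICE, while the Crypto.h change in the same patch keeps the MD4 slots in the protocol under DEPRECATED_ names for binary compatibility. The commit message should spell out the resulting contract: modules linked against the new library cannot reach those slots at all, and modules built against the old library will still call through them, so the protocol producer has to install a non-NULL stub in every MD4 slot. Please confirm that is what patch 01 of the series provides and reference it here.
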
> diff --git a/CryptoPkg/Private/Protocol/Crypto.h
> b/CryptoPkg/Private/Protocol/Crypto.h
> index 40c387e002..ae0f29695c 100644
> --- a/CryptoPkg/Private/Protocol/Crypto.h
> +++ b/CryptoPkg/Private/Protocol/Crypto.h
> @@ -451,145 +451,52 @@ BOOLEAN
> 
> //=========================================================
> ============================
> 
>  /**
> -  Retrieves the size, in bytes, of the context buffer required for MD4 hash
> operations.
> -
> -  If this interface is not supported, then return zero.
> -
> -  @return  The size, in bytes, of the context buffer required for MD4 hash
> operations.
> -  @retval  0   This interface is not supported.
> +  MD4 is deprecated and unsupported any longer.
> +  Keep the function field for binary compability.
> 
>  **/
>  typedef
>  UINTN
> -(EFIAPI *EDKII_CRYPTO_MD4_GET_CONTEXT_SIZE) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_GET_CONTEXT_SIZE) (
>    VOID
>    );
> 
> 
> -/**
> -  Initializes user-supplied memory pointed by Md4Context as MD4 hash
> context for
> -  subsequent use.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[out]  Md4Context  Pointer to MD4 context being initialized.
> -
> -  @retval TRUE   MD4 context initialization succeeded.
> -  @retval FALSE  MD4 context initialization failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  typedef
>  BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_MD4_INIT) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_INIT) (
>    OUT  VOID  *Md4Context
>    );
> 
> 
> -/**
> -  Makes a copy of an existing MD4 context.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If NewMd4Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]  Md4Context     Pointer to MD4 context being copied.
> -  @param[out] NewMd4Context  Pointer to new MD4 context.
> -
> -  @retval TRUE   MD4 context copy succeeded.
> -  @retval FALSE  MD4 context copy failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  typedef
>  BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_MD4_DUPLICATE) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_DUPLICATE) (
>    IN   CONST VOID  *Md4Context,
>    OUT  VOID        *NewMd4Context
>    );
> 
> 
> -/**
> -  Digests the input data and updates MD4 context.
> -
> -  This function performs MD4 digest on a data buffer of the specified size.
> -  It can be called multiple times to compute the digest of long or
> discontinuous data streams.
> -  MD4 context should be already correctly initialized by Md4Init(), and should
> not be finalized
> -  by Md4Final(). Behavior with invalid context is undefined.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> -  @param[in]       Data        Pointer to the buffer containing the data to be
> hashed.
> -  @param[in]       DataSize    Size of Data buffer in bytes.
> -
> -  @retval TRUE   MD4 data digest succeeded.
> -  @retval FALSE  MD4 data digest failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  typedef
>  BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_MD4_UPDATE) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_UPDATE) (
>    IN OUT  VOID        *Md4Context,
>    IN      CONST VOID  *Data,
>    IN      UINTN       DataSize
>    );
> 
> 
> -/**
> -  Completes computation of the MD4 digest value.
> -
> -  This function completes MD4 hash computation and retrieves the digest
> value into
> -  the specified memory. After this function has been called, the MD4 context
> cannot
> -  be used again.
> -  MD4 context should be already correctly initialized by Md4Init(), and should
> not be
> -  finalized by Md4Final(). Behavior with invalid MD4 context is undefined.
> -
> -  If Md4Context is NULL, then return FALSE.
> -  If HashValue is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> -  @param[out]      HashValue   Pointer to a buffer that receives the MD4
> digest
> -                               value (16 bytes).
> -
> -  @retval TRUE   MD4 digest computation succeeded.
> -  @retval FALSE  MD4 digest computation failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  typedef
>  BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_MD4_FINAL) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_FINAL) (
>    IN OUT  VOID   *Md4Context,
>    OUT     UINT8  *HashValue
>    );
> 
> 
> -/**
> -  Computes the MD4 message digest of a input data buffer.
> -
> -  This function performs the MD4 message digest of a given data buffer, and
> places
> -  the digest value into the specified memory.
> -
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]   Data        Pointer to the buffer containing the data to be
> hashed.
> -  @param[in]   DataSize    Size of Data buffer in bytes.
> -  @param[out]  HashValue   Pointer to a buffer that receives the MD4 digest
> -                           value (16 bytes).
> -
> -  @retval TRUE   MD4 digest computation succeeded.
> -  @retval FALSE  MD4 digest computation failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  typedef
>  BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_MD4_HASH_ALL) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_HASH_ALL) (
>    IN   CONST VOID  *Data,
>    IN   UINTN       DataSize,
>    OUT  UINT8       *HashValue
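
Review bot: the replacement comment on `DEPRECATED_EDKII_CRYPTO_MD4_GET_CONTEXT_SIZE` misspells "compatibility" ("Keep the function field for binary compability."), and the five typedefs after it (`DEPRECATED_EDKII_CRYPTO_MD4_INIT` through `DEPRECATED_EDKII_CRYPTO_MD4_HASH_ALL`) lose their doc comments with nothing put in their place. Suggest fixing the spelling and either repeating the two-line deprecation comment on each typedef or saying in the first one that it covers the whole MD4 group, so a reader who lands on a later typedef can see that it is a placeholder kept only for layout.
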
> @@ -4007,13 +3914,13 @@ struct _EDKII_CRYPTO_PROTOCOL {
>    EDKII_CRYPTO_HMAC_SHA256_DUPLICATE              HmacSha256Duplicate;
>    EDKII_CRYPTO_HMAC_SHA256_UPDATE                 HmacSha256Update;
>    EDKII_CRYPTO_HMAC_SHA256_FINAL                  HmacSha256Final;
> -  /// Md4
> -  EDKII_CRYPTO_MD4_GET_CONTEXT_SIZE               Md4GetContextSize;
> -  EDKII_CRYPTO_MD4_INIT                           Md4Init;
> -  EDKII_CRYPTO_MD4_DUPLICATE                      Md4Duplicate;
> -  EDKII_CRYPTO_MD4_UPDATE                         Md4Update;
> -  EDKII_CRYPTO_MD4_FINAL                          Md4Final;
> -  EDKII_CRYPTO_MD4_HASH_ALL                       Md4HashAll;
> +  /// Md4 - deprecated and unsupported
> +  DEPRECATED_EDKII_CRYPTO_MD4_GET_CONTEXT_SIZE
> DeprecatedMd4GetContextSize;
> +  DEPRECATED_EDKII_CRYPTO_MD4_INIT                DeprecatedMd4Init;
> +  DEPRECATED_EDKII_CRYPTO_MD4_DUPLICATE
> DeprecatedMd4Duplicate;
> +  DEPRECATED_EDKII_CRYPTO_MD4_UPDATE
> DeprecatedMd4Update;
> +  DEPRECATED_EDKII_CRYPTO_MD4_FINAL               DeprecatedMd4Final;
> +  DEPRECATED_EDKII_CRYPTO_MD4_HASH_ALL
> DeprecatedMd4HashAll;
>    /// Md5
>    EDKII_CRYPTO_MD5_GET_CONTEXT_SIZE               Md5GetContextSize;
>    EDKII_CRYPTO_MD5_INIT                           Md5Init;
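
Review bot: in `struct _EDKII_CRYPTO_PROTOCOL` the only explanation for keeping six dead members is `/// Md4 - deprecated and unsupported`, which does not say why they cannot simply be deleted. Suggest extending that comment to state that the six slots are retained so the offsets of the members that follow (`Md5GetContextSize` onward) do not move, and that they must not be removed or reordered. Without that, a later cleanup could drop them and shift every following function pointer for consumers built against the old layout.
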
> --
> 2.21.0.windows.1
> 
> 
> 



* Re: [PATCH V4 00/11] CryptoPkg: Retire the deprecated functions
  2020-05-14  2:49   ` Gao, Zhichao
@ 2020-05-14  5:11     ` Wang, Jian J
  2020-05-14  6:14       ` Gao, Zhichao
  0 siblings, 1 reply; 18+ messages in thread
From: Wang, Jian J @ 2020-05-14  5:11 UTC (permalink / raw)
  To: Gao, Zhichao, devel@edk2.groups.io, Fu, Siyuan, Kinney, Michael D,
	Yao, Jiewen, Philippe Mathieu-Daude, Lu, XiaoyuX

Zhichao


> -----Original Message-----
> From: Gao, Zhichao <zhichao.gao@intel.com>
> Sent: Thursday, May 14, 2020 10:49 AM
> To: Wang, Jian J <jian.j.wang@intel.com>; devel@edk2.groups.io; Fu, Siyuan
> <siyuan.fu@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Yao,
> Jiewen <jiewen.yao@intel.com>; Philippe Mathieu-Daude
> <philmd@redhat.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>
> Subject: RE: [PATCH V4 00/11] CryptoPkg: Retire the deprecated functions
> 
> 
> > -----Original Message-----
> > From: Wang, Jian J <jian.j.wang@intel.com>
> > Sent: Wednesday, May 13, 2020 9:49 PM
> > To: Gao, Zhichao <zhichao.gao@intel.com>; devel@edk2.groups.io; Fu, Siyuan
> > <siyuan.fu@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Yao,
> > Jiewen <jiewen.yao@intel.com>; Philippe Mathieu-Daude
> <philmd@redhat.com>;
> > Lu, XiaoyuX <xiaoyux.lu@intel.com>
> > Subject: RE: [PATCH V4 00/11] CryptoPkg: Retire the deprecated functions
> >
> > Zhichao,
> >
> > Two general comments for improvement needed in your future patches:
> > 1. Add r-b for those patch files which have got r-b
> > 2. It'd be better to add summary of changes between this and previous version
> >     of patches
> 
> 1. I changed the typo in the function definition, so all the patches are changed.
> That is why I didn't keep any R-B.
> 2. I put the summary of changes in the cover letter. Thanks for the suggestion. I will
> put the changes for every patch but not put them in the commit message.
> 
> >
> > For v4,
> >     patch 8: the updates of OpensslLib should be done by process_files.pl
> 
> I didn't find the config string to disable the AES ECB mode only. Can you help
> guide me on this? Or should I remove the change of OpensslLib in patch #8?

You can remove those files from .inf by excluding them from @cryptofilelist
and @sslfilelist in process_files.pl. Don't manually remove anything from
the autogenerated content in the inf file.

Regards,
Jian
> 
> Thanks,
> Zhichao
> 
> >
> > With this addressed (for the whole patch series),
> >
> >     Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
> >
> >
> > Mike, Jiewen, Siyuan, Philippe: any more comments for v4?
> >
> > Regards,
> > Jian
> >
> > > -----Original Message-----
> > > From: Gao, Zhichao <zhichao.gao@intel.com>
> > > Sent: Tuesday, May 12, 2020 2:27 AM
> > > To: devel@edk2.groups.io
> > > Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX
> > > <xiaoyux.lu@intel.com>; Fu, Siyuan <siyuan.fu@intel.com>; Kinney,
> > > Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> > > <jiewen.yao@intel.com>; Philippe Mathieu-Daude <philmd@redhat.com>
> > > Subject: [PATCH V4 00/11] CryptoPkg: Retire the deprecated functions
> > >
> > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
> > >
> > > Retire below deprecated functions:
> > > MD4, ARC4, TDES, AES ECB MODE, HMAC MD5, HMAC SHA1.
> > >
> > > V2:
> > > Separate the MD5 and SHA1 changes to other patch set.
> > > Change the deprecated function wrapper implementation in
> > > EDKII_CRYPTO_PROTOCOL to call a dummy function to print debug message
> > > and assert.
> > >
> > > V3:
> > > Remove the missing part of deprecated functions in V2.
> > > Change the name field in the EDKII_CRYPTO_PROTOCOL to indicate the
> > > function is deprecated and unsupported.
> > >
> > > V4:
> > > Fixed some typos.
> > > Separate the change of OpensslLib and make the change with
> > > process_files.pl.
> > > Moving the incorrect changes of AES_ECB from HMAC MD5 patch to Aes Ecb
> > > one.
> > >
> > > Cc: Jian J Wang <jian.j.wang@intel.com>
> > > Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> > > Cc: Siyuan Fu <siyuan.fu@intel.com>
> > > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > > Cc: Philippe Mathieu-Daude <philmd@redhat.com>
> > > Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> > >
> > > Zhichao Gao (8):
> > >   CryptoPkg/CryptoDxe: Add function to indicate the deprecated algorithm
> > >   CryptoPkg/BaseCrpytLib: Retire MD4 algorithm
> > >   CryptoPkg/BaseCryptLib: Retire ARC4 algorithm
> > >   CryptoPkg/BaseCryptLib: Retire the Tdes algorithm
> > >   CryptoPkg/BaseCryptLib: Retire Aes Ecb mode algorithm
> > >   CryptoPkg/BaseCryptLib: Retire HMAC MD5 algorithm
> > >   CryptoPkg/BaseCryptLib: Retire HMAC SHA1 algorithm
> > >   CryptoPkg/Crypto.h: Update the version of Crypto Driver
> > >
> > > Zhiguang Liu (3):
> > >   CryptoPkg/OpensslLib: Set MD4 disable in OpensslLib
> > >   CryptoPkg/OpensslLib: Set ARC4 disable in OpensslLib
> > >   CryptoPkg/OpensslLib: Set TDES disable in OpensslLib
> > >
> > >  CryptoPkg/CryptoPkg.dsc                       |   46 +-
> > >  CryptoPkg/Driver/Crypto.c                     |  786 ++---------
> > >  CryptoPkg/Include/Library/BaseCryptLib.h      |  809 ------------
> > >  .../Library/BaseCryptLib/BaseCryptLib.inf     |    7 +-
> > >  .../Library/BaseCryptLib/Cipher/CryptAes.c    |  114 --
> > >  .../BaseCryptLib/Cipher/CryptAesNull.c        |   52 -
> > >  .../Library/BaseCryptLib/Cipher/CryptArc4.c   |  205 ---
> > >  .../BaseCryptLib/Cipher/CryptArc4Null.c       |  124 --
> > >  .../Library/BaseCryptLib/Cipher/CryptTdes.c   |  364 ------
> > >  .../BaseCryptLib/Cipher/CryptTdesNull.c       |  160 ---
> > >  .../Library/BaseCryptLib/Hash/CryptMd4.c      |  223 ----
> > >  .../Library/BaseCryptLib/Hash/CryptMd4Null.c  |  143 --
> > > .../Library/BaseCryptLib/Hmac/CryptHmacMd5.c  |  216 ---
> > >  .../BaseCryptLib/Hmac/CryptHmacMd5Null.c      |  139 --
> > >  .../Library/BaseCryptLib/Hmac/CryptHmacSha1.c |  216 ---
> > >  .../BaseCryptLib/Hmac/CryptHmacSha1Null.c     |  139 --
> > >  .../Library/BaseCryptLib/PeiCryptLib.inf      |   11 +-
> > >  .../Library/BaseCryptLib/PeiCryptLib.uni      |    8 +-
> > >  CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c |    7 +-
> > >  .../Library/BaseCryptLib/RuntimeCryptLib.inf  |   11 +-
> > >  .../Library/BaseCryptLib/RuntimeCryptLib.uni  |    8 +-
> > >  .../Library/BaseCryptLib/SmmCryptLib.inf      |   12 +-
> > >  .../Library/BaseCryptLib/SmmCryptLib.uni      |    8 +-
> > >  .../BaseCryptLibNull/BaseCryptLibNull.inf     |    5 -
> > >  .../BaseCryptLibNull/Cipher/CryptAesNull.c    |   52 -
> > >  .../BaseCryptLibNull/Cipher/CryptArc4Null.c   |  124 --
> > >  .../BaseCryptLibNull/Cipher/CryptTdesNull.c   |  160 ---
> > >  .../BaseCryptLibNull/Hash/CryptMd4Null.c      |  143 --
> > >  .../BaseCryptLibNull/Hmac/CryptHmacMd5Null.c  |  139 --
> > > .../BaseCryptLibNull/Hmac/CryptHmacSha1Null.c |  139 --
> > >  .../BaseCryptLibOnProtocolPpi/CryptLib.c      | 1157 ++---------------
> > >  .../Library/Include/openssl/opensslconf.h     |    9 +
> > >  CryptoPkg/Library/OpensslLib/OpensslLib.inf   |   28 -
> > >  .../Library/OpensslLib/OpensslLibCrypto.inf   |   28 -
> > >  CryptoPkg/Library/OpensslLib/process_files.pl |    3 +
> > >  CryptoPkg/Private/Protocol/Crypto.h           |  709 ++--------
> > >  36 files changed, 402 insertions(+), 6102 deletions(-)  delete mode
> > > 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4.c
> > >  delete mode 100644
> > > CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4Null.c
> > >  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
> > >  delete mode 100644
> > > CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
> > >  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c
> > >  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c
> > >  delete mode 100644
> CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c
> > >  delete mode 100644
> > > CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c
> > >  delete mode 100644
> > > CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
> > >  delete mode 100644
> > > CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
> > >  delete mode 100644
> > > CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptArc4Null.c
> > >  delete mode 100644
> > > CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c
> > >  delete mode 100644
> > > CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c
> > >  delete mode 100644
> > > CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c
> > >  delete mode 100644
> > > CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c
> > >
> > > --
> > > 2.21.0.windows.1
> >
> 



* Re: [edk2-devel] [PATCH V4 02/11] CryptoPkg/BaseCrpytLib: Retire MD4 algorithm
  2020-05-14  3:13   ` [edk2-devel] " Guomin Jiang
@ 2020-05-14  5:58     ` Gao, Zhichao
  0 siblings, 0 replies; 18+ messages in thread
From: Gao, Zhichao @ 2020-05-14  5:58 UTC (permalink / raw)
  To: Jiang, Guomin, devel@edk2.groups.io
  Cc: Wang, Jian J, Lu, XiaoyuX, Fu, Siyuan, Kinney, Michael D,
	Yao, Jiewen, Philippe Mathieu-Daude

Thanks for the reminder, Guomin.

I will fix it in the next patch set.

Thanks,
Zhichao

> -----Original Message-----
> From: Jiang, Guomin <guomin.jiang@intel.com>
> Sent: Thursday, May 14, 2020 11:14 AM
> To: devel@edk2.groups.io; Gao, Zhichao <zhichao.gao@intel.com>
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>;
> Fu, Siyuan <siyuan.fu@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>; Philippe
> Mathieu-Daude <philmd@redhat.com>
> Subject: RE: [edk2-devel] [PATCH V4 02/11] CryptoPkg/BaseCrpytLib: Retire MD4
> algorithm
> 
> Add comment inline.
> 
> > -----Original Message-----
> > From: devel@edk2.groups.io <devel@edk2.groups.io> On Behalf Of Gao,
> > Zhichao
> > Sent: Tuesday, May 12, 2020 2:27 AM
> > To: devel@edk2.groups.io
> > Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX
> > <xiaoyux.lu@intel.com>; Fu, Siyuan <siyuan.fu@intel.com>; Kinney, Michael
> > D <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>;
> > Philippe Mathieu-Daude <philmd@redhat.com>
> > Subject: [edk2-devel] [PATCH V4 02/11] CryptoPkg/BaseCrpytLib: Retire MD4
> > algorithm
> >
> > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
> >
> > MD4 is not secure any longer.
> > Remove the MD4 support from edk2.
> > Change the MD4 field name in EDKII_CRYPTO_PROTOCOL to indicate the
> > function is unsupported any longer.
> >
> > Cc: Jian J Wang <jian.j.wang@intel.com>
> > Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> > Cc: Siyuan Fu <siyuan.fu@intel.com>
> > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > Cc: Jiewen Yao <jiewen.yao@intel.com>.
> 
> The Cc format is incorrect; please remove the '.' character at the end of the line.
> 
> > Cc: Philippe Mathieu-Daude <philmd@redhat.com>
> > Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> > ---
> >  CryptoPkg/CryptoPkg.dsc                       |   1 -
> >  CryptoPkg/Driver/Crypto.c                     | 135 ++---------
> >  CryptoPkg/Include/Library/BaseCryptLib.h      | 145 ------------
> >  .../Library/BaseCryptLib/BaseCryptLib.inf     |   3 +-
> >  .../Library/BaseCryptLib/Hash/CryptMd4.c      | 223 ------------------
> >  .../Library/BaseCryptLib/Hash/CryptMd4Null.c  | 143 -----------
> >  .../Library/BaseCryptLib/PeiCryptLib.inf      |   5 +-
> >  .../Library/BaseCryptLib/PeiCryptLib.uni      |   6 +-
> >  .../Library/BaseCryptLib/RuntimeCryptLib.inf  |   5 +-
> >  .../Library/BaseCryptLib/RuntimeCryptLib.uni  |   6 +-
> >  .../Library/BaseCryptLib/SmmCryptLib.inf      |   5 +-
> >  .../Library/BaseCryptLib/SmmCryptLib.uni      |   6 +-
> >  .../BaseCryptLibNull/BaseCryptLibNull.inf     |   1 -
> >  .../BaseCryptLibNull/Hash/CryptMd4Null.c      | 143 -----------
> >  .../BaseCryptLibOnProtocolPpi/CryptLib.c      | 158 -------------
> >  CryptoPkg/Private/Protocol/Crypto.h           | 123 ++--------
> >  16 files changed, 52 insertions(+), 1056 deletions(-)
> >  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c
> >  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c
> >  delete mode 100644
> > CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c
> >
> > diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
> > index f79ff331cf..6ed7046563 100644
> > --- a/CryptoPkg/CryptoPkg.dsc
> > +++ b/CryptoPkg/CryptoPkg.dsc
> > @@ -140,7 +140,6 @@
> >
> > gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacMd5.Fa
> > mily    | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> >
> > gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Fa
> > mily   | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> >
> > gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.
> > Family | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> > -  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md4.Family
> > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> >    gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family
> > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> >    gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family
> > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> >    gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Dh.Family
> > | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> > diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
> > index ed0083cccf..c7a54182c7 100644
> > --- a/CryptoPkg/Driver/Crypto.c
> > +++ b/CryptoPkg/Driver/Crypto.c
> > @@ -124,161 +124,68 @@ CryptoServiceGetCryptoVersion (
> >
> > //=========================================================
> > ============================
> >
> >  /**
> > -  Retrieves the size, in bytes, of the context buffer required for MD4 hash
> > operations.
> > -
> > -  If this interface is not supported, then return zero.
> > -
> > -  @return  The size, in bytes, of the context buffer required for MD4 hash
> > operations.
> > -  @retval  0   This interface is not supported.
> > +  MD4 is deprecated and unsupported any longer.
> > +  Keep the function field for binary compability.
> >
> >  **/
> >  UINTN
> >  EFIAPI
> > -CryptoServiceMd4GetContextSize (
> > +DeprecatedCryptoServiceMd4GetContextSize (
> >    VOID
> >    )
> >  {
> > -  return CALL_BASECRYPTLIB (Md4.Services.GetContextSize,
> > Md4GetContextSize, (), 0);
> > +  return BaseCryptLibServiceDeprecated ("Md4GetContextSize"), 0;
> >  }
> >
> > -/**
> > -  Initializes user-supplied memory pointed by Md4Context as MD4 hash
> > context for
> > -  subsequent use.
> > -
> > -  If Md4Context is NULL, then return FALSE.
> > -  If this interface is not supported, then return FALSE.
> > -
> > -  @param[out]  Md4Context  Pointer to MD4 context being initialized.
> > -
> > -  @retval TRUE   MD4 context initialization succeeded.
> > -  @retval FALSE  MD4 context initialization failed.
> > -  @retval FALSE  This interface is not supported.
> > -
> > -**/
> >  BOOLEAN
> >  EFIAPI
> > -CryptoServiceMd4Init (
> > +DeprecatedCryptoServiceMd4Init (
> >    OUT  VOID  *Md4Context
> >    )
> >  {
> > -  return CALL_BASECRYPTLIB (Md4.Services.Init, Md4Init, (Md4Context),
> > FALSE);
> > +  return BaseCryptLibServiceDeprecated ("Md4Init"), FALSE;
> >  }
> >
> > -/**
> > -  Makes a copy of an existing MD4 context.
> > -
> > -  If Md4Context is NULL, then return FALSE.
> > -  If NewMd4Context is NULL, then return FALSE.
> > -  If this interface is not supported, then return FALSE.
> > -
> > -  @param[in]  Md4Context     Pointer to MD4 context being copied.
> > -  @param[out] NewMd4Context  Pointer to new MD4 context.
> > -
> > -  @retval TRUE   MD4 context copy succeeded.
> > -  @retval FALSE  MD4 context copy failed.
> > -  @retval FALSE  This interface is not supported.
> > -
> > -**/
> >  BOOLEAN
> >  EFIAPI
> > -CryptoServiceMd4Duplicate (
> > +DeprecatedCryptoServiceMd4Duplicate (
> >    IN   CONST VOID  *Md4Context,
> >    OUT  VOID        *NewMd4Context
> >    )
> >  {
> > -  return CALL_BASECRYPTLIB (Md4.Services.Duplicate, Md4Duplicate,
> > (Md4Context, NewMd4Context), FALSE);
> > +  return BaseCryptLibServiceDeprecated ("Md4Duplicate"), FALSE;
> >  }
> >
> > -/**
> > -  Digests the input data and updates MD4 context.
> > -
> > -  This function performs MD4 digest on a data buffer of the specified size.
> > -  It can be called multiple times to compute the digest of long or
> > discontinuous data streams.
> > -  MD4 context should be already correctly initialized by Md4Init(), and should
> > not be finalized
> > -  by Md4Final(). Behavior with invalid context is undefined.
> > -
> > -  If Md4Context is NULL, then return FALSE.
> > -  If this interface is not supported, then return FALSE.
> > -
> > -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> > -  @param[in]       Data        Pointer to the buffer containing the data to be
> > hashed.
> > -  @param[in]       DataSize    Size of Data buffer in bytes.
> > -
> > -  @retval TRUE   MD4 data digest succeeded.
> > -  @retval FALSE  MD4 data digest failed.
> > -  @retval FALSE  This interface is not supported.
> > -
> > -**/
> >  BOOLEAN
> >  EFIAPI
> > -CryptoServiceMd4Update (
> > +DeprecatedCryptoServiceMd4Update (
> >    IN OUT  VOID        *Md4Context,
> >    IN      CONST VOID  *Data,
> >    IN      UINTN       DataSize
> >    )
> >  {
> > -  return CALL_BASECRYPTLIB (Md4.Services.Update, Md4Update,
> > (Md4Context, Data, DataSize), FALSE);
> > +  return BaseCryptLibServiceDeprecated ("Md4Update"), FALSE;
> >  }
> >
> > -/**
> > -  Completes computation of the MD4 digest value.
> > -
> > -  This function completes MD4 hash computation and retrieves the digest
> > value into
> > -  the specified memory. After this function has been called, the MD4 context
> > cannot
> > -  be used again.
> > -  MD4 context should be already correctly initialized by Md4Init(), and should
> > not be
> > -  finalized by Md4Final(). Behavior with invalid MD4 context is undefined.
> > -
> > -  If Md4Context is NULL, then return FALSE.
> > -  If HashValue is NULL, then return FALSE.
> > -  If this interface is not supported, then return FALSE.
> > -
> > -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> > -  @param[out]      HashValue   Pointer to a buffer that receives the MD4
> > digest
> > -                               value (16 bytes).
> > -
> > -  @retval TRUE   MD4 digest computation succeeded.
> > -  @retval FALSE  MD4 digest computation failed.
> > -  @retval FALSE  This interface is not supported.
> > -
> > -**/
> >  BOOLEAN
> >  EFIAPI
> > -CryptoServiceMd4Final (
> > +DeprecatedCryptoServiceMd4Final (
> >    IN OUT  VOID   *Md4Context,
> >    OUT     UINT8  *HashValue
> >    )
> >  {
> > -  return CALL_BASECRYPTLIB (Md4.Services.Final, Md4Final, (Md4Context,
> > HashValue), FALSE);
> > +  return BaseCryptLibServiceDeprecated ("Md4Final"), FALSE;
> >  }
> >
> > -/**
> > -  Computes the MD4 message digest of a input data buffer.
> > -
> > -  This function performs the MD4 message digest of a given data buffer, and
> > places
> > -  the digest value into the specified memory.
> > -
> > -  If this interface is not supported, then return FALSE.
> > -
> > -  @param[in]   Data        Pointer to the buffer containing the data to be
> > hashed.
> > -  @param[in]   DataSize    Size of Data buffer in bytes.
> > -  @param[out]  HashValue   Pointer to a buffer that receives the MD4 digest
> > -                           value (16 bytes).
> > -
> > -  @retval TRUE   MD4 digest computation succeeded.
> > -  @retval FALSE  MD4 digest computation failed.
> > -  @retval FALSE  This interface is not supported.
> > -
> > -**/
> >  BOOLEAN
> >  EFIAPI
> > -CryptoServiceMd4HashAll (
> > +DeprecatedCryptoServiceMd4HashAll (
> >    IN   CONST VOID  *Data,
> >    IN   UINTN       DataSize,
> >    OUT  UINT8       *HashValue
> >    )
> >  {
> > -  return CALL_BASECRYPTLIB (Md4.Services.HashAll, Md4HashAll, (Data,
> > DataSize, HashValue), FALSE);
> > +  return BaseCryptLibServiceDeprecated ("Md4HashAll"), FALSE;
> >  }
> >
> >  /**
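
Review bot: every replacement body in this hunk, for example `return BaseCryptLibServiceDeprecated ("Md4Final"), FALSE;`, puts a comma operator inside `return`, which is easy to misread as returning the result of the call. Suggest two statements instead: the call to `BaseCryptLibServiceDeprecated`, then `return FALSE;` (`return 0;` in `DeprecatedCryptoServiceMd4GetContextSize`). Separately, `DeprecatedCryptoServiceMd4Init`, `DeprecatedCryptoServiceMd4Final` and `DeprecatedCryptoServiceMd4HashAll` no longer write `Md4Context` or `HashValue`, so a caller that ignores the BOOLEAN result would go on to use an uninitialized buffer. The one remaining doc comment should say that these entries always return FALSE (0 for the size) and leave their outputs untouched, and it repeats the "compability" typo.
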
> > @@ -4440,13 +4347,13 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto =
> > {
> >    CryptoServiceHmacSha256Duplicate,
> >    CryptoServiceHmacSha256Update,
> >    CryptoServiceHmacSha256Final,
> > -  /// Md4
> > -  CryptoServiceMd4GetContextSize,
> > -  CryptoServiceMd4Init,
> > -  CryptoServiceMd4Duplicate,
> > -  CryptoServiceMd4Update,
> > -  CryptoServiceMd4Final,
> > -  CryptoServiceMd4HashAll,
> > +  /// Md4 - deprecated and unsupported
> > +  DeprecatedCryptoServiceMd4GetContextSize,
> > +  DeprecatedCryptoServiceMd4Init,
> > +  DeprecatedCryptoServiceMd4Duplicate,
> > +  DeprecatedCryptoServiceMd4Update,
> > +  DeprecatedCryptoServiceMd4Final,
> > +  DeprecatedCryptoServiceMd4HashAll,
> >    /// Md5
> >    CryptoServiceMd5GetContextSize,
> >    CryptoServiceMd5Init,
> > diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h
> > b/CryptoPkg/Include/Library/BaseCryptLib.h
> > index 5e8f2e0a10..c862f0334f 100644
> > --- a/CryptoPkg/Include/Library/BaseCryptLib.h
> > +++ b/CryptoPkg/Include/Library/BaseCryptLib.h
> > @@ -14,11 +14,6 @@ SPDX-License-Identifier: BSD-2-Clause-Patent
> >
> >  #include <Uefi/UefiBaseType.h>
> >
> > -///
> > -/// MD4 digest size in bytes
> > -///
> > -#define MD4_DIGEST_SIZE     16
> > -
> >  ///
> >  /// MD5 digest size in bytes
> >  ///
> > @@ -77,146 +72,6 @@ typedef enum {
> >  //    One-Way Cryptographic Hash Primitives
> >
> > //=========================================================
> > ============================
> >
> > -/**
> > -  Retrieves the size, in bytes, of the context buffer required for MD4 hash
> > operations.
> > -
> > -  If this interface is not supported, then return zero.
> > -
> > -  @return  The size, in bytes, of the context buffer required for MD4 hash
> > operations.
> > -  @retval  0   This interface is not supported.
> > -
> > -**/
> > -UINTN
> > -EFIAPI
> > -Md4GetContextSize (
> > -  VOID
> > -  );
> > -
> > -/**
> > -  Initializes user-supplied memory pointed by Md4Context as MD4 hash
> > context for
> > -  subsequent use.
> > -
> > -  If Md4Context is NULL, then return FALSE.
> > -  If this interface is not supported, then return FALSE.
> > -
> > -  @param[out]  Md4Context  Pointer to MD4 context being initialized.
> > -
> > -  @retval TRUE   MD4 context initialization succeeded.
> > -  @retval FALSE  MD4 context initialization failed.
> > -  @retval FALSE  This interface is not supported.
> > -
> > -**/
> > -BOOLEAN
> > -EFIAPI
> > -Md4Init (
> > -  OUT  VOID  *Md4Context
> > -  );
> > -
> > -/**
> > -  Makes a copy of an existing MD4 context.
> > -
> > -  If Md4Context is NULL, then return FALSE.
> > -  If NewMd4Context is NULL, then return FALSE.
> > -  If this interface is not supported, then return FALSE.
> > -
> > -  @param[in]  Md4Context     Pointer to MD4 context being copied.
> > -  @param[out] NewMd4Context  Pointer to new MD4 context.
> > -
> > -  @retval TRUE   MD4 context copy succeeded.
> > -  @retval FALSE  MD4 context copy failed.
> > -  @retval FALSE  This interface is not supported.
> > -
> > -**/
> > -BOOLEAN
> > -EFIAPI
> > -Md4Duplicate (
> > -  IN   CONST VOID  *Md4Context,
> > -  OUT  VOID        *NewMd4Context
> > -  );
> > -
> > -/**
> > -  Digests the input data and updates MD4 context.
> > -
> > -  This function performs MD4 digest on a data buffer of the specified size.
> > -  It can be called multiple times to compute the digest of long or
> > discontinuous data streams.
> > -  MD4 context should be already correctly initialized by Md4Init(), and should
> > not be finalized
> > -  by Md4Final(). Behavior with invalid context is undefined.
> > -
> > -  If Md4Context is NULL, then return FALSE.
> > -  If this interface is not supported, then return FALSE.
> > -
> > -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> > -  @param[in]       Data        Pointer to the buffer containing the data to be
> > hashed.
> > -  @param[in]       DataSize    Size of Data buffer in bytes.
> > -
> > -  @retval TRUE   MD4 data digest succeeded.
> > -  @retval FALSE  MD4 data digest failed.
> > -  @retval FALSE  This interface is not supported.
> > -
> > -**/
> > -BOOLEAN
> > -EFIAPI
> > -Md4Update (
> > -  IN OUT  VOID        *Md4Context,
> > -  IN      CONST VOID  *Data,
> > -  IN      UINTN       DataSize
> > -  );
> > -
> > -/**
> > -  Completes computation of the MD4 digest value.
> > -
> > -  This function completes MD4 hash computation and retrieves the digest
> > value into
> > -  the specified memory. After this function has been called, the MD4 context
> > cannot
> > -  be used again.
> > -  MD4 context should be already correctly initialized by Md4Init(), and should
> > not be
> > -  finalized by Md4Final(). Behavior with invalid MD4 context is undefined.
> > -
> > -  If Md4Context is NULL, then return FALSE.
> > -  If HashValue is NULL, then return FALSE.
> > -  If this interface is not supported, then return FALSE.
> > -
> > -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> > -  @param[out]      HashValue   Pointer to a buffer that receives the MD4
> > digest
> > -                               value (16 bytes).
> > -
> > -  @retval TRUE   MD4 digest computation succeeded.
> > -  @retval FALSE  MD4 digest computation failed.
> > -  @retval FALSE  This interface is not supported.
> > -
> > -**/
> > -BOOLEAN
> > -EFIAPI
> > -Md4Final (
> > -  IN OUT  VOID   *Md4Context,
> > -  OUT     UINT8  *HashValue
> > -  );
> > -
> > -/**
> > -  Computes the MD4 message digest of a input data buffer.
> > -
> > -  This function performs the MD4 message digest of a given data buffer, and
> > places
> > -  the digest value into the specified memory.
> > -
> > -  If this interface is not supported, then return FALSE.
> > -
> > -  @param[in]   Data        Pointer to the buffer containing the data to be
> > hashed.
> > -  @param[in]   DataSize    Size of Data buffer in bytes.
> > -  @param[out]  HashValue   Pointer to a buffer that receives the MD4 digest
> > -                           value (16 bytes).
> > -
> > -  @retval TRUE   MD4 digest computation succeeded.
> > -  @retval FALSE  MD4 digest computation failed.
> > -  @retval FALSE  This interface is not supported.
> > -
> > -**/
> > -BOOLEAN
> > -EFIAPI
> > -Md4HashAll (
> > -  IN   CONST VOID  *Data,
> > -  IN   UINTN       DataSize,
> > -  OUT  UINT8       *HashValue
> > -  );
> > -
> >  /**
> >    Retrieves the size, in bytes, of the context buffer required for MD5 hash
> > operations.
> >
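
Review bot: removing the six `Md4*` prototypes here, together with `MD4_DIGEST_SIZE` in the previous hunk, takes public API out of `BaseCryptLib.h`, but the commit message only says "Remove the MD4 support from edk2". Suggest the message list what disappears from the header (`Md4GetContextSize`, `Md4Init`, `Md4Duplicate`, `Md4Update`, `Md4Final`, `Md4HashAll`, `MD4_DIGEST_SIZE`) so that downstream platform code which still references them can tell the resulting build break is intended rather than a regression.
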
> > diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> > b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> > index a63ad66b4f..22992e7d43 100644
> > --- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> > +++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> > @@ -6,7 +6,7 @@
> >  #  This external input must be validated carefully to avoid security issues
> > such as
> >  #  buffer overflow or integer overflow.
> >  #
> > -#  Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
> > +#  Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
> >  #  Copyright (c) 2020, Hewlett Packard Enterprise Development LP. All rights
> > reserved.<BR>
> >  #  SPDX-License-Identifier: BSD-2-Clause-Patent
> >  #
> > @@ -29,7 +29,6 @@
> >
> >  [Sources]
> >    InternalCryptLib.h
> > -  Hash/CryptMd4.c
> >    Hash/CryptMd5.c
> >    Hash/CryptSha1.c
> >    Hash/CryptSha256.c
> > diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c
> > b/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c
> > deleted file mode 100644
> > index bc02da07b0..0000000000
> > --- a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c
> > +++ /dev/null
> > @@ -1,223 +0,0 @@
> > -/** @file
> > -  MD4 Digest Wrapper Implementation over OpenSSL.
> > -
> > -Copyright (c) 2010 - 2016, Intel Corporation. All rights reserved.<BR>
> > -SPDX-License-Identifier: BSD-2-Clause-Patent
> > -
> > -**/
> > -
> > -#include "InternalCryptLib.h"
> > -#include <openssl/md4.h>
> > -
> > -/**
> > -  Retrieves the size, in bytes, of the context buffer required for MD4 hash
> > operations.
> > -
> > -  @return  The size, in bytes, of the context buffer required for MD4 hash
> > operations.
> > -
> > -**/
> > -UINTN
> > -EFIAPI
> > -Md4GetContextSize (
> > -  VOID
> > -  )
> > -{
> > -  //
> > -  // Retrieves the OpenSSL MD4 Context Size
> > -  //
> > -  return (UINTN) (sizeof (MD4_CTX));
> > -}
> > -
> > -/**
> > -  Initializes user-supplied memory pointed by Md4Context as MD4 hash
> > context for
> > -  subsequent use.
> > -
> > -  If Md4Context is NULL, then return FALSE.
> > -
> > -  @param[out]  Md4Context  Pointer to MD4 context being initialized.
> > -
> > -  @retval TRUE   MD4 context initialization succeeded.
> > -  @retval FALSE  MD4 context initialization failed.
> > -
> > -**/
> > -BOOLEAN
> > -EFIAPI
> > -Md4Init (
> > -  OUT  VOID  *Md4Context
> > -  )
> > -{
> > -  //
> > -  // Check input parameters.
> > -  //
> > -  if (Md4Context == NULL) {
> > -    return FALSE;
> > -  }
> > -
> > -  //
> > -  // OpenSSL MD4 Context Initialization
> > -  //
> > -  return (BOOLEAN) (MD4_Init ((MD4_CTX *) Md4Context));
> > -}
> > -
> > -/**
> > -  Makes a copy of an existing MD4 context.
> > -
> > -  If Md4Context is NULL, then return FALSE.
> > -  If NewMd4Context is NULL, then return FALSE.
> > -
> > -  @param[in]  Md4Context     Pointer to MD4 context being copied.
> > -  @param[out] NewMd4Context  Pointer to new MD4 context.
> > -
> > -  @retval TRUE   MD4 context copy succeeded.
> > -  @retval FALSE  MD4 context copy failed.
> > -
> > -**/
> > -BOOLEAN
> > -EFIAPI
> > -Md4Duplicate (
> > -  IN   CONST VOID  *Md4Context,
> > -  OUT  VOID        *NewMd4Context
> > -  )
> > -{
> > -  //
> > -  // Check input parameters.
> > -  //
> > -  if (Md4Context == NULL || NewMd4Context == NULL) {
> > -    return FALSE;
> > -  }
> > -
> > -  CopyMem (NewMd4Context, Md4Context, sizeof (MD4_CTX));
> > -
> > -  return TRUE;
> > -}
> > -
> > -/**
> > -  Digests the input data and updates MD4 context.
> > -
> > -  This function performs MD4 digest on a data buffer of the specified size.
> > -  It can be called multiple times to compute the digest of long or
> > discontinuous data streams.
> > -  MD4 context should be already correctly initialized by Md4Init(), and should
> > not be finalized
> > -  by Md4Final(). Behavior with invalid context is undefined.
> > -
> > -  If Md4Context is NULL, then return FALSE.
> > -
> > -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> > -  @param[in]       Data        Pointer to the buffer containing the data to be
> > hashed.
> > -  @param[in]       DataSize    Size of Data buffer in bytes.
> > -
> > -  @retval TRUE   MD4 data digest succeeded.
> > -  @retval FALSE  MD4 data digest failed.
> > -
> > -**/
> > -BOOLEAN
> > -EFIAPI
> > -Md4Update (
> > -  IN OUT  VOID        *Md4Context,
> > -  IN      CONST VOID  *Data,
> > -  IN      UINTN       DataSize
> > -  )
> > -{
> > -  //
> > -  // Check input parameters.
> > -  //
> > -  if (Md4Context == NULL) {
> > -    return FALSE;
> > -  }
> > -
> > -  //
> > -  // Check invalid parameters, in case that only DataLength was checked in
> > OpenSSL
> > -  //
> > -  if (Data == NULL && DataSize != 0) {
> > -    return FALSE;
> > -  }
> > -
> > -  //
> > -  // OpenSSL MD4 Hash Update
> > -  //
> > -  return (BOOLEAN) (MD4_Update ((MD4_CTX *) Md4Context, Data,
> > DataSize));
> > -}
> > -
> > -/**
> > -  Completes computation of the MD4 digest value.
> > -
> > -  This function completes MD4 hash computation and retrieves the digest
> > value into
> > -  the specified memory. After this function has been called, the MD4 context
> > cannot
> > -  be used again.
> > -  MD4 context should be already correctly initialized by Md4Init(), and should
> > not be
> > -  finalized by Md4Final(). Behavior with invalid MD4 context is undefined.
> > -
> > -  If Md4Context is NULL, then return FALSE.
> > -  If HashValue is NULL, then return FALSE.
> > -
> > -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> > -  @param[out]      HashValue   Pointer to a buffer that receives the MD4
> > digest
> > -                               value (16 bytes).
> > -
> > -  @retval TRUE   MD4 digest computation succeeded.
> > -  @retval FALSE  MD4 digest computation failed.
> > -
> > -**/
> > -BOOLEAN
> > -EFIAPI
> > -Md4Final (
> > -  IN OUT  VOID   *Md4Context,
> > -  OUT     UINT8  *HashValue
> > -  )
> > -{
> > -  //
> > -  // Check input parameters.
> > -  //
> > -  if (Md4Context == NULL || HashValue == NULL) {
> > -    return FALSE;
> > -  }
> > -
> > -  //
> > -  // OpenSSL MD4 Hash Finalization
> > -  //
> > -  return (BOOLEAN) (MD4_Final (HashValue, (MD4_CTX *) Md4Context));
> > -}
> > -
> > -/**
> > -  Computes the MD4 message digest of a input data buffer.
> > -
> > -  This function performs the MD4 message digest of a given data buffer, and
> > places
> > -  the digest value into the specified memory.
> > -
> > -  If this interface is not supported, then return FALSE.
> > -
> > -  @param[in]   Data        Pointer to the buffer containing the data to be
> > hashed.
> > -  @param[in]   DataSize    Size of Data buffer in bytes.
> > -  @param[out]  HashValue   Pointer to a buffer that receives the MD4 digest
> > -                           value (16 bytes).
> > -
> > -  @retval TRUE   MD4 digest computation succeeded.
> > -  @retval FALSE  MD4 digest computation failed.
> > -  @retval FALSE  This interface is not supported.
> > -
> > -**/
> > -BOOLEAN
> > -EFIAPI
> > -Md4HashAll (
> > -  IN   CONST VOID  *Data,
> > -  IN   UINTN       DataSize,
> > -  OUT  UINT8       *HashValue
> > -  )
> > -{
> > -  //
> > -  // Check input parameters.
> > -  //
> > -  if (HashValue == NULL) {
> > -    return FALSE;
> > -  }
> > -  if (Data == NULL && DataSize != 0) {
> > -    return FALSE;
> > -  }
> > -
> > -  //
> > -  // OpenSSL MD4 Hash Computation.
> > -  //
> > -  if (MD4 (Data, DataSize, HashValue) == NULL) {
> > -    return FALSE;
> > -  } else {
> > -    return TRUE;
> > -  }
> > -}
> > diff --git a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c
> > b/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c
> > deleted file mode 100644
> > index 610c61c713..0000000000
> > --- a/CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c
> > +++ /dev/null
> > @@ -1,143 +0,0 @@
> > -/** @file
> > -  MD4 Digest Wrapper Implementation which does not provide real
> > capabilities.
> > -
> > -Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.<BR>
> > -SPDX-License-Identifier: BSD-2-Clause-Patent
> > -
> > -**/
> > -
> > -#include "InternalCryptLib.h"
> > -
> > -/**
> > -  Retrieves the size, in bytes, of the context buffer required for MD4 hash
> > -  operations.
> > -
> > -  Return zero to indicate this interface is not supported.
> > -
> > -  @retval  0   This interface is not supported.
> > -
> > -**/
> > -UINTN
> > -EFIAPI
> > -Md4GetContextSize (
> > -  VOID
> > -  )
> > -{
> > -  ASSERT (FALSE);
> > -  return 0;
> > -}
> > -
> > -/**
> > -  Initializes user-supplied memory pointed by Md4Context as MD4 hash
> > context for
> > -  subsequent use.
> > -
> > -  Return FALSE to indicate this interface is not supported.
> > -
> > -  @param[out]  Md4Context  Pointer to MD4 context being initialized.
> > -
> > -  @retval FALSE  This interface is not supported.
> > -
> > -**/
> > -BOOLEAN
> > -EFIAPI
> > -Md4Init (
> > -  OUT  VOID  *Md4Context
> > -  )
> > -{
> > -  ASSERT (FALSE);
> > -  return FALSE;
> > -}
> > -
> > -/**
> > -  Makes a copy of an existing MD4 context.
> > -
> > -  Return FALSE to indicate this interface is not supported.
> > -
> > -  @param[in]  Md4Context     Pointer to MD4 context being copied.
> > -  @param[out] NewMd4Context  Pointer to new MD4 context.
> > -
> > -  @retval FALSE  This interface is not supported.
> > -
> > -**/
> > -BOOLEAN
> > -EFIAPI
> > -Md4Duplicate (
> > -  IN   CONST VOID  *Md4Context,
> > -  OUT  VOID        *NewMd4Context
> > -  )
> > -{
> > -  ASSERT (FALSE);
> > -  return FALSE;
> > -}
> > -
> > -/**
> > -  Digests the input data and updates MD4 context.
> > -
> > -  Return FALSE to indicate this interface is not supported.
> > -
> > -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> > -  @param[in]       Data        Pointer to the buffer containing the data to be
> > hashed.
> > -  @param[in]       DataSize    Size of Data buffer in bytes.
> > -
> > -  @retval FALSE  This interface is not supported.
> > -
> > -**/
> > -BOOLEAN
> > -EFIAPI
> > -Md4Update (
> > -  IN OUT  VOID        *Md4Context,
> > -  IN      CONST VOID  *Data,
> > -  IN      UINTN       DataSize
> > -  )
> > -{
> > -  ASSERT (FALSE);
> > -  return FALSE;
> > -}
> > -
> > -/**
> > -  Completes computation of the MD4 digest value.
> > -
> > -  Return FALSE to indicate this interface is not supported.
> > -
> > -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> > -  @param[out]      HashValue   Pointer to a buffer that receives the MD4
> > digest
> > -                               value (16 bytes).
> > -
> > -  @retval FALSE  This interface is not supported.
> > -
> > -**/
> > -BOOLEAN
> > -EFIAPI
> > -Md4Final (
> > -  IN OUT  VOID   *Md4Context,
> > -  OUT     UINT8  *HashValue
> > -  )
> > -{
> > -  ASSERT (FALSE);
> > -  return FALSE;
> > -}
> > -
> > -/**
> > -  Computes the MD4 message digest of a input data buffer.
> > -
> > -  Return FALSE to indicate this interface is not supported.
> > -
> > -  @param[in]   Data        Pointer to the buffer containing the data to be
> > hashed.
> > -  @param[in]   DataSize    Size of Data buffer in bytes.
> > -  @param[out]  HashValue   Pointer to a buffer that receives the MD4 digest
> > -                           value (16 bytes).
> > -
> > -  @retval FALSE  This interface is not supported.
> > -
> > -**/
> > -BOOLEAN
> > -EFIAPI
> > -Md4HashAll (
> > -  IN   CONST VOID  *Data,
> > -  IN   UINTN       DataSize,
> > -  OUT  UINT8       *HashValue
> > -  )
> > -{
> > -  ASSERT (FALSE);
> > -  return FALSE;
> > -}
> > diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> > b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> > index c836c257f8..e9add0127d 100644
> > --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> > +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> > @@ -6,14 +6,14 @@
> >  #  This external input must be validated carefully to avoid security issues
> > such as
> >  #  buffer overflow or integer overflow.
> >  #
> > -#  Note: MD4 Digest functions,
> > +#  Note:
> >  #  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES/ARC4
> > functions, RSA external
> >  #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions,
> > X.509
> >  #  certificate handler functions, authenticode signature verification
> > functions,
> >  #  PEM handler functions, and pseudorandom number generator functions
> > are not
> >  #  supported in this instance.
> >  #
> > -#  Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.<BR>
> > +#  Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
> >  #  SPDX-License-Identifier: BSD-2-Clause-Patent
> >  #
> >  ##
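
Review bot: In the PeiCryptLib.inf header comment, dropping "MD4 Digest functions," leaves a bare "#  Note:" line with the list starting on the following line. Reflow it so the list begins on the same line, e.g. "#  Note: HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, ...", the way the RuntimeCryptLib.inf and SmmCryptLib.inf hunks in this patch do.
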
> > @@ -35,7 +35,6 @@
> >
> >  [Sources]
> >    InternalCryptLib.h
> > -  Hash/CryptMd4Null.c
> >    Hash/CryptMd5.c
> >    Hash/CryptSha1.c
> >    Hash/CryptSha256.c
> > diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> > b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> > index 9937555beb..374bfb3f65 100644
> > --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> > +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> > @@ -6,13 +6,13 @@
> >  // This external input must be validated carefully to avoid security issues
> > such as
> >  // buffer overflow or integer overflow.
> >  //
> > -// Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1
> > functions, AES/
> > +// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
> >  // TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign
> > functions,
> >  // Diffie-Hellman functions, X.509 certificate handler functions, authenticode
> >  // signature verification functions, PEM handler functions, and
> > pseudorandom number
> >  // generator functions are not supported in this instance.
> >  //
> > -// Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
> > +// Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
> >  //
> >  // SPDX-License-Identifier: BSD-2-Clause-Patent
> >  //
> > @@ -21,5 +21,5 @@
> >
> >  #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic
> > Library Instance for PEIM"
> >
> > -#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> > module requires additional review when modified. This library will have
> > external input - signature. This external input must be validated carefully to
> > avoid security issues such as buffer overflow or integer overflow. Note: MD4
> > Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions, AES/
> > TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign
> > functions, Diffie-Hellman functions, X.509 certificate handler functions,
> > authenticode signature verification functions, PEM handler functions, and
> > pseudorandom number generator functions are not supported in this
> > instance."
> > +#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> > module requires additional review when modified. This library will have
> > external input - signature. This external input must be validated carefully to
> > avoid security issues such as buffer overflow or integer overflow. Note:
> > HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions,
> > RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman
> > functions, X.509 certificate handler functions, authenticode signature
> > verification functions, PEM handler functions, and pseudorandom number
> > generator functions are not supported in this instance."
> >
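
Review bot: The new STR_MODULE_DESCRIPTION string still reads "AES/ TDES/ARC4 functions" with a stray space after the slash, and it lists "HMAC-SHA1 functions" where the PeiCryptLib.inf note in this same patch says "HMAC-SHA1/SHA256 functions". Since the line is being rewritten anyway, fix the spacing and make the .uni description and the .inf note name the same unsupported set.
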
> > diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> > b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> > index e5b8ececc1..0a2eb03232 100644
> > --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> > +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> > @@ -6,12 +6,12 @@
> >  #  This external input must be validated carefully to avoid security issues
> > such as
> >  #  buffer overflow or integer overflow.
> >  #
> > -#  Note: MD4 Digest functions, SHA-384 Digest functions, SHA-512 Digest
> > functions,
> > +#  Note: SHA-384 Digest functions, SHA-512 Digest functions,
> >  #  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES/ARC4
> > functions, RSA external
> >  #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions,
> > and
> >  #  authenticode signature verification functions are not supported in this
> > instance.
> >  #
> > -#  Copyright (c) 2009 - 2019, Intel Corporation. All rights reserved.<BR>
> > +#  Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
> >  #  Copyright (c) 2020, Hewlett Packard Enterprise Development LP. All rights
> > reserved.<BR>
> >  #  SPDX-License-Identifier: BSD-2-Clause-Patent
> >  #
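
Review bot: The RuntimeCryptLib.inf note keeps "SHA-384 Digest functions, SHA-512 Digest functions" in its unsupported list, but the RuntimeCryptLib.uni header comment and STR_MODULE_DESCRIPTION edited later in this patch do not mention them. Both files are touched here for the same MD4 removal, so reconcile the two lists rather than carrying them forward out of sync.
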
> > @@ -35,7 +35,6 @@
> >
> >  [Sources]
> >    InternalCryptLib.h
> > -  Hash/CryptMd4Null.c
> >    Hash/CryptMd5.c
> >    Hash/CryptSha1.c
> >    Hash/CryptSha256.c
> > diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> > b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> > index c0a16f1b84..b6d751176e 100644
> > --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> > +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> > @@ -6,12 +6,12 @@
> >  // This external input must be validated carefully to avoid security issues
> > such as
> >  // buffer overflow or integer overflow.
> >  //
> > -// Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1
> > functions, AES/
> > +// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
> >  // TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign
> > functions,
> >  // Diffie-Hellman functions, and authenticode signature verification
> > functions are
> >  // not supported in this instance.
> >  //
> > -// Copyright (c) 2009 - 2018, Intel Corporation. All rights reserved.<BR>
> > +// Copyright (c) 2009 - 2020, Intel Corporation. All rights reserved.<BR>
> >  //
> >  // SPDX-License-Identifier: BSD-2-Clause-Patent
> >  //
> > @@ -20,5 +20,5 @@
> >
> >  #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic
> > Library Instance for DXE_RUNTIME_DRIVER"
> >
> > -#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> > module requires additional review when modified. This library will have
> > external input - signature. This external input must be validated carefully to
> > avoid security issues such as buffer overflow or integer overflow. Note: MD4
> > Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions, AES/
> > TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign
> > functions, Diffie-Hellman functions, and authenticode signature verification
> > functions are not supported in this instance."
> > +#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> > module requires additional review when modified. This library will have
> > external input - signature. This external input must be validated carefully to
> > avoid security issues such as buffer overflow or integer overflow. Note:
> > HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions,
> > RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman
> > functions, and authenticode signature verification functions are not
> > supported in this instance."
> >
> > diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> > b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> > index cc0b65fd25..139983075e 100644
> > --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> > +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> > @@ -6,12 +6,12 @@
> >  #  This external input must be validated carefully to avoid security issues
> > such as
> >  #  buffer overflow or integer overflow.
> >  #
> > -#  Note: MD4 Digest functions, SHA-384 Digest functions, SHA-512 Digest
> > functions,
> > +#  Note: SHA-384 Digest functions, SHA-512 Digest functions,
> >  #  HMAC-MD5 functions, HMAC-SHA1 functions, TDES/ARC4 functions, RSA
> > external
> >  #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions,
> > and
> >  #  authenticode signature verification functions are not supported in this
> > instance.
> >  #
> > -#  Copyright (c) 2010 - 2019, Intel Corporation. All rights reserved.<BR>
> > +#  Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
> >  #  SPDX-License-Identifier: BSD-2-Clause-Patent
> >  #
> >  ##
> > @@ -34,7 +34,6 @@
> >
> >  [Sources]
> >    InternalCryptLib.h
> > -  Hash/CryptMd4Null.c
> >    Hash/CryptMd5.c
> >    Hash/CryptSha1.c
> >    Hash/CryptSha256.c
> > diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> > b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> > index 83485fbb90..b8d7953d2b 100644
> > --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> > +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> > @@ -6,12 +6,12 @@
> >  // This external input must be validated carefully to avoid security issues
> > such as
> >  // buffer overflow or integer overflow.
> >  //
> > -// Note: MD4 Digest functions, HMAC-MD5 functions, HMAC-SHA1
> > functions, AES/
> > +// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/
> >  // TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign
> > functions,
> >  // Diffie-Hellman functions, and authenticode signature verification
> > functions are
> >  // not supported in this instance.
> >  //
> > -// Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>
> > +// Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
> >  //
> >  // SPDX-License-Identifier: BSD-2-Clause-Patent
> >  //
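
Review bot: The SmmCryptLib.uni note lists "AES/ TDES/ARC4 functions" as unsupported, while the SmmCryptLib.inf note edited just above says only "TDES/ARC4 functions". One of the two misstates whether AES is available in the SMM instance; correct whichever is wrong while these lines are open.
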
> > @@ -20,5 +20,5 @@
> >
> >  #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic
> > Library Instance for SMM driver"
> >
> > -#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> > module requires additional review when modified. This library will have
> > external input - signature. This external input must be validated carefully to
> > avoid security issues such as buffer overflow or integer overflow. Note: MD4
> > Digest functions, HMAC-MD5 functions, HMAC-SHA1 functions, AES/
> > TDES/ARC4 functions, RSA external functions, PKCS#7 SignedData sign
> > functions, Diffie-Hellman functions, and authenticode signature verification
> > functions are not supported in this instance."
> > +#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> > module requires additional review when modified. This library will have
> > external input - signature. This external input must be validated carefully to
> > avoid security issues such as buffer overflow or integer overflow. Note:
> > HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES/ARC4 functions,
> > RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman
> > functions, and authenticode signature verification functions are not
> > supported in this instance."
> >
> > diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> > b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> > index 9b4991cbb0..b03681b146 100644
> > --- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> > +++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> > @@ -29,7 +29,6 @@
> >
> >  [Sources]
> >    InternalCryptLib.h
> > -  Hash/CryptMd4Null.c
> >    Hash/CryptMd5Null.c
> >    Hash/CryptSha1Null.c
> >    Hash/CryptSha256Null.c
> > diff --git a/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c
> > b/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c
> > deleted file mode 100644
> > index 610c61c713..0000000000
> > --- a/CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c
> > +++ /dev/null
> > @@ -1,143 +0,0 @@
> > -/** @file
> > -  MD4 Digest Wrapper Implementation which does not provide real
> > capabilities.
> > -
> > -Copyright (c) 2012 - 2018, Intel Corporation. All rights reserved.<BR>
> > -SPDX-License-Identifier: BSD-2-Clause-Patent
> > -
> > -**/
> > -
> > -#include "InternalCryptLib.h"
> > -
> > -/**
> > -  Retrieves the size, in bytes, of the context buffer required for MD4 hash
> > -  operations.
> > -
> > -  Return zero to indicate this interface is not supported.
> > -
> > -  @retval  0   This interface is not supported.
> > -
> > -**/
> > -UINTN
> > -EFIAPI
> > -Md4GetContextSize (
> > -  VOID
> > -  )
> > -{
> > -  ASSERT (FALSE);
> > -  return 0;
> > -}
> > -
> > -/**
> > -  Initializes user-supplied memory pointed by Md4Context as MD4 hash
> > context for
> > -  subsequent use.
> > -
> > -  Return FALSE to indicate this interface is not supported.
> > -
> > -  @param[out]  Md4Context  Pointer to MD4 context being initialized.
> > -
> > -  @retval FALSE  This interface is not supported.
> > -
> > -**/
> > -BOOLEAN
> > -EFIAPI
> > -Md4Init (
> > -  OUT  VOID  *Md4Context
> > -  )
> > -{
> > -  ASSERT (FALSE);
> > -  return FALSE;
> > -}
> > -
> > -/**
> > -  Makes a copy of an existing MD4 context.
> > -
> > -  Return FALSE to indicate this interface is not supported.
> > -
> > -  @param[in]  Md4Context     Pointer to MD4 context being copied.
> > -  @param[out] NewMd4Context  Pointer to new MD4 context.
> > -
> > -  @retval FALSE  This interface is not supported.
> > -
> > -**/
> > -BOOLEAN
> > -EFIAPI
> > -Md4Duplicate (
> > -  IN   CONST VOID  *Md4Context,
> > -  OUT  VOID        *NewMd4Context
> > -  )
> > -{
> > -  ASSERT (FALSE);
> > -  return FALSE;
> > -}
> > -
> > -/**
> > -  Digests the input data and updates MD4 context.
> > -
> > -  Return FALSE to indicate this interface is not supported.
> > -
> > -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> > -  @param[in]       Data        Pointer to the buffer containing the data to be
> > hashed.
> > -  @param[in]       DataSize    Size of Data buffer in bytes.
> > -
> > -  @retval FALSE  This interface is not supported.
> > -
> > -**/
> > -BOOLEAN
> > -EFIAPI
> > -Md4Update (
> > -  IN OUT  VOID        *Md4Context,
> > -  IN      CONST VOID  *Data,
> > -  IN      UINTN       DataSize
> > -  )
> > -{
> > -  ASSERT (FALSE);
> > -  return FALSE;
> > -}
> > -
> > -/**
> > -  Completes computation of the MD4 digest value.
> > -
> > -  Return FALSE to indicate this interface is not supported.
> > -
> > -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> > -  @param[out]      HashValue   Pointer to a buffer that receives the MD4
> > digest
> > -                               value (16 bytes).
> > -
> > -  @retval FALSE  This interface is not supported.
> > -
> > -**/
> > -BOOLEAN
> > -EFIAPI
> > -Md4Final (
> > -  IN OUT  VOID   *Md4Context,
> > -  OUT     UINT8  *HashValue
> > -  )
> > -{
> > -  ASSERT (FALSE);
> > -  return FALSE;
> > -}
> > -
> > -/**
> > -  Computes the MD4 message digest of a input data buffer.
> > -
> > -  Return FALSE to indicate this interface is not supported.
> > -
> > -  @param[in]   Data        Pointer to the buffer containing the data to be
> > hashed.
> > -  @param[in]   DataSize    Size of Data buffer in bytes.
> > -  @param[out]  HashValue   Pointer to a buffer that receives the MD4 digest
> > -                           value (16 bytes).
> > -
> > -  @retval FALSE  This interface is not supported.
> > -
> > -**/
> > -BOOLEAN
> > -EFIAPI
> > -Md4HashAll (
> > -  IN   CONST VOID  *Data,
> > -  IN   UINTN       DataSize,
> > -  OUT  UINT8       *HashValue
> > -  )
> > -{
> > -  ASSERT (FALSE);
> > -  return FALSE;
> > -}
> > diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> > b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> > index c2a1df9afc..5e470028f4 100644
> > --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> > +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> > @@ -99,164 +99,6 @@ CryptoServiceNotAvailable (
> >  //    One-Way Cryptographic Hash Primitives
> >
> > //=========================================================
> > ============================
> >
> > -/**
> > -  Retrieves the size, in bytes, of the context buffer required for MD4 hash
> > operations.
> > -
> > -  If this interface is not supported, then return zero.
> > -
> > -  @return  The size, in bytes, of the context buffer required for MD4 hash
> > operations.
> > -  @retval  0   This interface is not supported.
> > -
> > -**/
> > -UINTN
> > -EFIAPI
> > -Md4GetContextSize (
> > -  VOID
> > -  )
> > -{
> > -  CALL_CRYPTO_SERVICE (Md4GetContextSize, (), 0);
> > -}
> > -
> > -/**
> > -  Initializes user-supplied memory pointed by Md4Context as MD4 hash
> > context for
> > -  subsequent use.
> > -
> > -  If Md4Context is NULL, then return FALSE.
> > -  If this interface is not supported, then return FALSE.
> > -
> > -  @param[out]  Md4Context  Pointer to MD4 context being initialized.
> > -
> > -  @retval TRUE   MD4 context initialization succeeded.
> > -  @retval FALSE  MD4 context initialization failed.
> > -  @retval FALSE  This interface is not supported.
> > -
> > -**/
> > -BOOLEAN
> > -EFIAPI
> > -Md4Init (
> > -  OUT  VOID  *Md4Context
> > -  )
> > -{
> > -  CALL_CRYPTO_SERVICE (Md4Init, (Md4Context), FALSE);
> > -}
> > -
> > -/**
> > -  Makes a copy of an existing MD4 context.
> > -
> > -  If Md4Context is NULL, then return FALSE.
> > -  If NewMd4Context is NULL, then return FALSE.
> > -  If this interface is not supported, then return FALSE.
> > -
> > -  @param[in]  Md4Context     Pointer to MD4 context being copied.
> > -  @param[out] NewMd4Context  Pointer to new MD4 context.
> > -
> > -  @retval TRUE   MD4 context copy succeeded.
> > -  @retval FALSE  MD4 context copy failed.
> > -  @retval FALSE  This interface is not supported.
> > -
> > -**/
> > -BOOLEAN
> > -EFIAPI
> > -Md4Duplicate (
> > -  IN   CONST VOID  *Md4Context,
> > -  OUT  VOID        *NewMd4Context
> > -  )
> > -{
> > -  CALL_CRYPTO_SERVICE (Md4Duplicate, (Md4Context, NewMd4Context),
> > FALSE);
> > -}
> > -
> > -/**
> > -  Digests the input data and updates MD4 context.
> > -
> > -  This function performs MD4 digest on a data buffer of the specified size.
> > -  It can be called multiple times to compute the digest of long or
> > discontinuous data streams.
> > -  MD4 context should be already correctly initialized by Md4Init(), and should
> > not be finalized
> > -  by Md4Final(). Behavior with invalid context is undefined.
> > -
> > -  If Md4Context is NULL, then return FALSE.
> > -  If this interface is not supported, then return FALSE.
> > -
> > -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> > -  @param[in]       Data        Pointer to the buffer containing the data to be
> > hashed.
> > -  @param[in]       DataSize    Size of Data buffer in bytes.
> > -
> > -  @retval TRUE   MD4 data digest succeeded.
> > -  @retval FALSE  MD4 data digest failed.
> > -  @retval FALSE  This interface is not supported.
> > -
> > -**/
> > -BOOLEAN
> > -EFIAPI
> > -Md4Update (
> > -  IN OUT  VOID        *Md4Context,
> > -  IN      CONST VOID  *Data,
> > -  IN      UINTN       DataSize
> > -  )
> > -{
> > -  CALL_CRYPTO_SERVICE (Md4Update, (Md4Context, Data, DataSize),
> > FALSE);
> > -}
> > -
> > -/**
> > -  Completes computation of the MD4 digest value.
> > -
> > -  This function completes MD4 hash computation and retrieves the digest
> > value into
> > -  the specified memory. After this function has been called, the MD4 context
> > cannot
> > -  be used again.
> > -  MD4 context should be already correctly initialized by Md4Init(), and should
> > not be
> > -  finalized by Md4Final(). Behavior with invalid MD4 context is undefined.
> > -
> > -  If Md4Context is NULL, then return FALSE.
> > -  If HashValue is NULL, then return FALSE.
> > -  If this interface is not supported, then return FALSE.
> > -
> > -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> > -  @param[out]      HashValue   Pointer to a buffer that receives the MD4
> > digest
> > -                               value (16 bytes).
> > -
> > -  @retval TRUE   MD4 digest computation succeeded.
> > -  @retval FALSE  MD4 digest computation failed.
> > -  @retval FALSE  This interface is not supported.
> > -
> > -**/
> > -BOOLEAN
> > -EFIAPI
> > -Md4Final (
> > -  IN OUT  VOID   *Md4Context,
> > -  OUT     UINT8  *HashValue
> > -  )
> > -{
> > -  CALL_CRYPTO_SERVICE (Md4Final, (Md4Context, HashValue), FALSE);
> > -}
> > -
> > -/**
> > -  Computes the MD4 message digest of a input data buffer.
> > -
> > -  This function performs the MD4 message digest of a given data buffer, and
> > places
> > -  the digest value into the specified memory.
> > -
> > -  If this interface is not supported, then return FALSE.
> > -
> > -  @param[in]   Data        Pointer to the buffer containing the data to be
> > hashed.
> > -  @param[in]   DataSize    Size of Data buffer in bytes.
> > -  @param[out]  HashValue   Pointer to a buffer that receives the MD4 digest
> > -                           value (16 bytes).
> > -
> > -  @retval TRUE   MD4 digest computation succeeded.
> > -  @retval FALSE  MD4 digest computation failed.
> > -  @retval FALSE  This interface is not supported.
> > -
> > -**/
> > -BOOLEAN
> > -EFIAPI
> > -Md4HashAll (
> > -  IN   CONST VOID  *Data,
> > -  IN   UINTN       DataSize,
> > -  OUT  UINT8       *HashValue
> > -  )
> > -{
> > -  CALL_CRYPTO_SERVICE (Md4HashAll, (Data, DataSize, HashValue), FALSE);
> > -}
> > -
> >  /**
> >    Retrieves the size, in bytes, of the context buffer required for MD5 hash
> > operations.
> >
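Review bot: the Md4Update, Md4Final and Md4HashAll wrappers at the end of this hunk are deleted outright, so a module that still calls them goes from a runtime FALSE (the CALL_CRYPTO_SERVICE fallback value) to an unresolved symbol at link time. That is a reasonable result for a retired hash, but the commit message should say so and confirm that no in-tree consumer of this library instance still references the Md4* functions.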
> > diff --git a/CryptoPkg/Private/Protocol/Crypto.h
> > b/CryptoPkg/Private/Protocol/Crypto.h
> > index 40c387e002..ae0f29695c 100644
> > --- a/CryptoPkg/Private/Protocol/Crypto.h
> > +++ b/CryptoPkg/Private/Protocol/Crypto.h
> > @@ -451,145 +451,52 @@ BOOLEAN
> >
> > //=========================================================
> > ============================
> >
> >  /**
> > -  Retrieves the size, in bytes, of the context buffer required for MD4 hash
> > operations.
> > -
> > -  If this interface is not supported, then return zero.
> > -
> > -  @return  The size, in bytes, of the context buffer required for MD4 hash
> > operations.
> > -  @retval  0   This interface is not supported.
> > +  MD4 is deprecated and unsupported any longer.
> > +  Keep the function field for binary compability.
> >
> >  **/
> >  typedef
> >  UINTN
> > -(EFIAPI *EDKII_CRYPTO_MD4_GET_CONTEXT_SIZE) (
> > +(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_GET_CONTEXT_SIZE) (
> >    VOID
> >    );
> >
> >
> > -/**
> > -  Initializes user-supplied memory pointed by Md4Context as MD4 hash
> > context for
> > -  subsequent use.
> > -
> > -  If Md4Context is NULL, then return FALSE.
> > -  If this interface is not supported, then return FALSE.
> > -
> > -  @param[out]  Md4Context  Pointer to MD4 context being initialized.
> > -
> > -  @retval TRUE   MD4 context initialization succeeded.
> > -  @retval FALSE  MD4 context initialization failed.
> > -  @retval FALSE  This interface is not supported.
> > -
> > -**/
> >  typedef
> >  BOOLEAN
> > -(EFIAPI *EDKII_CRYPTO_MD4_INIT) (
> > +(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_INIT) (
> >    OUT  VOID  *Md4Context
> >    );
> >
> >
> > -/**
> > -  Makes a copy of an existing MD4 context.
> > -
> > -  If Md4Context is NULL, then return FALSE.
> > -  If NewMd4Context is NULL, then return FALSE.
> > -  If this interface is not supported, then return FALSE.
> > -
> > -  @param[in]  Md4Context     Pointer to MD4 context being copied.
> > -  @param[out] NewMd4Context  Pointer to new MD4 context.
> > -
> > -  @retval TRUE   MD4 context copy succeeded.
> > -  @retval FALSE  MD4 context copy failed.
> > -  @retval FALSE  This interface is not supported.
> > -
> > -**/
> >  typedef
> >  BOOLEAN
> > -(EFIAPI *EDKII_CRYPTO_MD4_DUPLICATE) (
> > +(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_DUPLICATE) (
> >    IN   CONST VOID  *Md4Context,
> >    OUT  VOID        *NewMd4Context
> >    );
> >
> >
> > -/**
> > -  Digests the input data and updates MD4 context.
> > -
> > -  This function performs MD4 digest on a data buffer of the specified size.
> > -  It can be called multiple times to compute the digest of long or
> > discontinuous data streams.
> > -  MD4 context should be already correctly initialized by Md4Init(), and should
> > not be finalized
> > -  by Md4Final(). Behavior with invalid context is undefined.
> > -
> > -  If Md4Context is NULL, then return FALSE.
> > -  If this interface is not supported, then return FALSE.
> > -
> > -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> > -  @param[in]       Data        Pointer to the buffer containing the data to be
> > hashed.
> > -  @param[in]       DataSize    Size of Data buffer in bytes.
> > -
> > -  @retval TRUE   MD4 data digest succeeded.
> > -  @retval FALSE  MD4 data digest failed.
> > -  @retval FALSE  This interface is not supported.
> > -
> > -**/
> >  typedef
> >  BOOLEAN
> > -(EFIAPI *EDKII_CRYPTO_MD4_UPDATE) (
> > +(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_UPDATE) (
> >    IN OUT  VOID        *Md4Context,
> >    IN      CONST VOID  *Data,
> >    IN      UINTN       DataSize
> >    );
> >
> >
> > -/**
> > -  Completes computation of the MD4 digest value.
> > -
> > -  This function completes MD4 hash computation and retrieves the digest
> > value into
> > -  the specified memory. After this function has been called, the MD4 context
> > cannot
> > -  be used again.
> > -  MD4 context should be already correctly initialized by Md4Init(), and should
> > not be
> > -  finalized by Md4Final(). Behavior with invalid MD4 context is undefined.
> > -
> > -  If Md4Context is NULL, then return FALSE.
> > -  If HashValue is NULL, then return FALSE.
> > -  If this interface is not supported, then return FALSE.
> > -
> > -  @param[in, out]  Md4Context  Pointer to the MD4 context.
> > -  @param[out]      HashValue   Pointer to a buffer that receives the MD4
> > digest
> > -                               value (16 bytes).
> > -
> > -  @retval TRUE   MD4 digest computation succeeded.
> > -  @retval FALSE  MD4 digest computation failed.
> > -  @retval FALSE  This interface is not supported.
> > -
> > -**/
> >  typedef
> >  BOOLEAN
> > -(EFIAPI *EDKII_CRYPTO_MD4_FINAL) (
> > +(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_FINAL) (
> >    IN OUT  VOID   *Md4Context,
> >    OUT     UINT8  *HashValue
> >    );
> >
> >
> > -/**
> > -  Computes the MD4 message digest of a input data buffer.
> > -
> > -  This function performs the MD4 message digest of a given data buffer, and
> > places
> > -  the digest value into the specified memory.
> > -
> > -  If this interface is not supported, then return FALSE.
> > -
> > -  @param[in]   Data        Pointer to the buffer containing the data to be
> > hashed.
> > -  @param[in]   DataSize    Size of Data buffer in bytes.
> > -  @param[out]  HashValue   Pointer to a buffer that receives the MD4 digest
> > -                           value (16 bytes).
> > -
> > -  @retval TRUE   MD4 digest computation succeeded.
> > -  @retval FALSE  MD4 digest computation failed.
> > -  @retval FALSE  This interface is not supported.
> > -
> > -**/
> >  typedef
> >  BOOLEAN
> > -(EFIAPI *EDKII_CRYPTO_MD4_HASH_ALL) (
> > +(EFIAPI *DEPRECATED_EDKII_CRYPTO_MD4_HASH_ALL) (
> >    IN   CONST VOID  *Data,
> >    IN   UINTN       DataSize,
> >    OUT  UINT8       *HashValue
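Review bot: in the new comment above DEPRECATED_EDKII_CRYPTO_MD4_GET_CONTEXT_SIZE, "compability" should be "compatibility", and "deprecated and unsupported any longer" reads better as "deprecated and no longer supported". The comment also sits only on the first typedef; the five that follow (INIT through HASH_ALL) lose their doc blocks with nothing in their place, so either word the comment to cover the whole MD4 group or put a one-line note on each, and state what a call through these slots returns now.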
> > @@ -4007,13 +3914,13 @@ struct _EDKII_CRYPTO_PROTOCOL {
> >    EDKII_CRYPTO_HMAC_SHA256_DUPLICATE              HmacSha256Duplicate;
> >    EDKII_CRYPTO_HMAC_SHA256_UPDATE                 HmacSha256Update;
> >    EDKII_CRYPTO_HMAC_SHA256_FINAL                  HmacSha256Final;
> > -  /// Md4
> > -  EDKII_CRYPTO_MD4_GET_CONTEXT_SIZE               Md4GetContextSize;
> > -  EDKII_CRYPTO_MD4_INIT                           Md4Init;
> > -  EDKII_CRYPTO_MD4_DUPLICATE                      Md4Duplicate;
> > -  EDKII_CRYPTO_MD4_UPDATE                         Md4Update;
> > -  EDKII_CRYPTO_MD4_FINAL                          Md4Final;
> > -  EDKII_CRYPTO_MD4_HASH_ALL                       Md4HashAll;
> > +  /// Md4 - deprecated and unsupported
> > +  DEPRECATED_EDKII_CRYPTO_MD4_GET_CONTEXT_SIZE
> > DeprecatedMd4GetContextSize;
> > +  DEPRECATED_EDKII_CRYPTO_MD4_INIT                DeprecatedMd4Init;
> > +  DEPRECATED_EDKII_CRYPTO_MD4_DUPLICATE
> > DeprecatedMd4Duplicate;
> > +  DEPRECATED_EDKII_CRYPTO_MD4_UPDATE
> > DeprecatedMd4Update;
> > +  DEPRECATED_EDKII_CRYPTO_MD4_FINAL               DeprecatedMd4Final;
> > +  DEPRECATED_EDKII_CRYPTO_MD4_HASH_ALL
> > DeprecatedMd4HashAll;
> >    /// Md5
> >    EDKII_CRYPTO_MD5_GET_CONTEXT_SIZE               Md5GetContextSize;
> >    EDKII_CRYPTO_MD5_INIT                           Md5Init;
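Review bot: the six renamed fields under "/// Md4 - deprecated and unsupported" keep their position and pointer types, which is what preserves the layout for existing binaries, but nothing in the struct tells a later editor that the order matters. Add a comment that these slots must not be removed or reordered, and confirm that the producer fills each one with a valid function rather than leaving it NULL, since a consumer built against the old header will still call through it.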
> > --
> > 2.21.0.windows.1
> >
> >
> > 



* Re: [PATCH V4 00/11] CryptoPkg: Retire the deprecated functions
  2020-05-14  5:11     ` Wang, Jian J
@ 2020-05-14  6:14       ` Gao, Zhichao
  0 siblings, 0 replies; 18+ messages in thread
From: Gao, Zhichao @ 2020-05-14  6:14 UTC (permalink / raw)
  To: Wang, Jian J, devel@edk2.groups.io, Fu, Siyuan, Kinney, Michael D,
	Yao, Jiewen, Philippe Mathieu-Daude, Lu, XiaoyuX

New patch set sent to my fork branch: https://github.com/ZhichaoGao/edk2/commits/deprecated_algo
Take all the comments and add Jian's R-B.

V5 changes:
Fix incorrect symbol in patch #2.
Separate the patch #8 OpensslLib changes and create it through changing the process_files.pl.
Change the incorrect Author Name of patch #2, #4, #6.

Thanks,
Zhichao

> -----Original Message-----
> From: Wang, Jian J <jian.j.wang@intel.com>
> Sent: Thursday, May 14, 2020 1:12 PM
> To: Gao, Zhichao <zhichao.gao@intel.com>; devel@edk2.groups.io; Fu, Siyuan
> <siyuan.fu@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Yao,
> Jiewen <jiewen.yao@intel.com>; Philippe Mathieu-Daude <philmd@redhat.com>;
> Lu, XiaoyuX <xiaoyux.lu@intel.com>
> Subject: RE: [PATCH V4 00/11] CryptoPkg: Retire the deprecated functions
> 
> Zhichao
> 
> 
> > -----Original Message-----
> > From: Gao, Zhichao <zhichao.gao@intel.com>
> > Sent: Thursday, May 14, 2020 10:49 AM
> > To: Wang, Jian J <jian.j.wang@intel.com>; devel@edk2.groups.io; Fu,
> > Siyuan <siyuan.fu@intel.com>; Kinney, Michael D
> > <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>;
> > Philippe Mathieu-Daude <philmd@redhat.com>; Lu, XiaoyuX
> > <xiaoyux.lu@intel.com>
> > Subject: RE: [PATCH V4 00/11] CryptoPkg: Retire the deprecated
> > functions
> >
> >
> > > -----Original Message-----
> > > From: Wang, Jian J <jian.j.wang@intel.com>
> > > Sent: Wednesday, May 13, 2020 9:49 PM
> > > To: Gao, Zhichao <zhichao.gao@intel.com>; devel@edk2.groups.io; Fu,
> > > Siyuan <siyuan.fu@intel.com>; Kinney, Michael D
> > > <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>;
> > > Philippe Mathieu-Daude <philmd@redhat.com>;
> > > Lu, XiaoyuX <xiaoyux.lu@intel.com>
> > > Subject: RE: [PATCH V4 00/11] CryptoPkg: Retire the deprecated
> > > functions
> > >
> > > Zhichao,
> > >
> > > Two general comments for improvement needed in your future patches:
> > > 1. Add r-b for those patch files which have got r-b
> > > 2. It'd be better to add summary of changes between this and previous version
> > >     of patches
> >
> > 1. I changed the typo of the function definition. So all the patches are changed.
> > That is why I didn't keep any R-B
> > 2. I put the summary change in cover-letter. Thanks for the
> > suggestion. I would put the changes for every patch but not put them in the
> > commit message.
> >
> > >
> > > For v4,
> > >     patch 8: the updates of OpensslLib should be done by
> > > process_files.pl
> >
> > I didn't find the config string to disable the AES ECB mode only. Can
> > you help guide me on this? Or should I remove the change of OpensslLib in
> > patch #8?
> 
> You can remove those files from .inf by excluding them from @cryptofilelist and
> @sslfilelist in process_files.pl. Don't manually remove anything from
> autogenerated content in inf file.
> 
> Regards,
> Jian
> >
> > Thanks,
> > Zhichao
> >
> > >
> > > With this addressed (for the whole patch series),
> > >
> > >     Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
> > >
> > >
> > > Mike, Jiewen, Siyuan, Philippe: any more comments for v4?
> > >
> > > Regards,
> > > Jian
> > >
> > > > -----Original Message-----
> > > > From: Gao, Zhichao <zhichao.gao@intel.com>
> > > > Sent: Tuesday, May 12, 2020 2:27 AM
> > > > To: devel@edk2.groups.io
> > > > Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX
> > > > <xiaoyux.lu@intel.com>; Fu, Siyuan <siyuan.fu@intel.com>; Kinney,
> > > > Michael D <michael.d.kinney@intel.com>; Yao, Jiewen
> > > > <jiewen.yao@intel.com>; Philippe Mathieu-Daude <philmd@redhat.com>
> > > > Subject: [PATCH V4 00/11] CryptoPkg: Retire the deprecated
> > > > functions
> > > >
> > > > REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
> > > >
> > > > Retire below deprecated functions:
> > > > MD4, ARC4, TDES, AES ECB MODE, HMAC MD5, HMAC SHA1.
> > > >
> > > > V2:
> > > > Separate the MD5 and SHA1 changes to other patch set.
> > > > Change the deprecated function wrapper implementation in
> > > > EDKII_CRYPTO_PROTOCOL to call a dummy function to print debug
> > > > message and assert.
> > > >
> > > > V3:
> > > > Remove the missing part of deprecated functions in V2.
> > > > Change the name field in the EDKII_CRYPTO_PROTOCOL to indicate the
> > > > function is deprecated and unsupported.
> > > >
> > > > V4:
> > > > Fixed some typos.
> > > > Separate the change of OpensslLib and make the change with
> > > > process_files.pl.
> > > > Moving the incorrect changes of AES_ECB from HMAC MD5 patch to Aes
> > > > Ecb one.
> > > >
> > > > Cc: Jian J Wang <jian.j.wang@intel.com>
> > > > Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> > > > Cc: Siyuan Fu <siyuan.fu@intel.com>
> > > > Cc: Michael D Kinney <michael.d.kinney@intel.com>
> > > > Cc: Jiewen Yao <jiewen.yao@intel.com>
> > > > Cc: Philippe Mathieu-Daude <philmd@redhat.com>
> > > > Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> > > >
> > > > Zhichao Gao (8):
> > > >   CryptoPkg/CryptoDxe: Add function to indicate the deprecated algorithm
> > > >   CryptoPkg/BaseCrpytLib: Retire MD4 algorithm
> > > >   CryptoPkg/BaseCryptLib: Retire ARC4 algorithm
> > > >   CryptoPkg/BaseCryptLib: Retire the Tdes algorithm
> > > >   CryptoPkg/BaseCryptLib: Retire Aes Ecb mode algorithm
> > > >   CryptoPkg/BaseCryptLib: Retire HMAC MD5 algorithm
> > > >   CryptoPkg/BaseCryptLib: Retire HMAC SHA1 algorithm
> > > >   CryptoPkg/Crypto.h: Update the version of Crypto Driver
> > > >
> > > > Zhiguang Liu (3):
> > > >   CryptoPkg/OpensslLib: Set MD4 disable in OpensslLib
> > > >   CryptoPkg/OpensslLib: Set ARC4 disable in OpensslLib
> > > >   CryptoPkg/OpensslLib: Set TDES disable in OpensslLib
> > > >
> > > >  CryptoPkg/CryptoPkg.dsc                       |   46 +-
> > > >  CryptoPkg/Driver/Crypto.c                     |  786 ++---------
> > > >  CryptoPkg/Include/Library/BaseCryptLib.h      |  809 ------------
> > > >  .../Library/BaseCryptLib/BaseCryptLib.inf     |    7 +-
> > > >  .../Library/BaseCryptLib/Cipher/CryptAes.c    |  114 --
> > > >  .../BaseCryptLib/Cipher/CryptAesNull.c        |   52 -
> > > >  .../Library/BaseCryptLib/Cipher/CryptArc4.c   |  205 ---
> > > >  .../BaseCryptLib/Cipher/CryptArc4Null.c       |  124 --
> > > >  .../Library/BaseCryptLib/Cipher/CryptTdes.c   |  364 ------
> > > >  .../BaseCryptLib/Cipher/CryptTdesNull.c       |  160 ---
> > > >  .../Library/BaseCryptLib/Hash/CryptMd4.c      |  223 ----
> > > >  .../Library/BaseCryptLib/Hash/CryptMd4Null.c  |  143 --
> > > > .../Library/BaseCryptLib/Hmac/CryptHmacMd5.c  |  216 ---
> > > >  .../BaseCryptLib/Hmac/CryptHmacMd5Null.c      |  139 --
> > > >  .../Library/BaseCryptLib/Hmac/CryptHmacSha1.c |  216 ---
> > > >  .../BaseCryptLib/Hmac/CryptHmacSha1Null.c     |  139 --
> > > >  .../Library/BaseCryptLib/PeiCryptLib.inf      |   11 +-
> > > >  .../Library/BaseCryptLib/PeiCryptLib.uni      |    8 +-
> > > >  CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c |    7 +-
> > > >  .../Library/BaseCryptLib/RuntimeCryptLib.inf  |   11 +-
> > > >  .../Library/BaseCryptLib/RuntimeCryptLib.uni  |    8 +-
> > > >  .../Library/BaseCryptLib/SmmCryptLib.inf      |   12 +-
> > > >  .../Library/BaseCryptLib/SmmCryptLib.uni      |    8 +-
> > > >  .../BaseCryptLibNull/BaseCryptLibNull.inf     |    5 -
> > > >  .../BaseCryptLibNull/Cipher/CryptAesNull.c    |   52 -
> > > >  .../BaseCryptLibNull/Cipher/CryptArc4Null.c   |  124 --
> > > >  .../BaseCryptLibNull/Cipher/CryptTdesNull.c   |  160 ---
> > > >  .../BaseCryptLibNull/Hash/CryptMd4Null.c      |  143 --
> > > >  .../BaseCryptLibNull/Hmac/CryptHmacMd5Null.c  |  139 --
> > > > .../BaseCryptLibNull/Hmac/CryptHmacSha1Null.c |  139 --
> > > >  .../BaseCryptLibOnProtocolPpi/CryptLib.c      | 1157 ++---------------
> > > >  .../Library/Include/openssl/opensslconf.h     |    9 +
> > > >  CryptoPkg/Library/OpensslLib/OpensslLib.inf   |   28 -
> > > >  .../Library/OpensslLib/OpensslLibCrypto.inf   |   28 -
> > > >  CryptoPkg/Library/OpensslLib/process_files.pl |    3 +
> > > >  CryptoPkg/Private/Protocol/Crypto.h           |  709 ++--------
> > > >  36 files changed, 402 insertions(+), 6102 deletions(-)
> > > >  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4.c
> > > >  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptArc4Null.c
> > > >  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
> > > >  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
> > > >  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4.c
> > > >  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hash/CryptMd4Null.c
> > > >  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5.c
> > > >  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacMd5Null.c
> > > >  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
> > > >  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
> > > >  delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptArc4Null.c
> > > >  delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c
> > > >  delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Hash/CryptMd4Null.c
> > > >  delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacMd5Null.c
> > > >  delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c
> > > >
> > > > --
> > > > 2.21.0.windows.1
> > >
> >
> 
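
The V2 and V3 notes in the cover letter describe keeping the retired slots in EDKII_CRYPTO_PROTOCOL, renaming them, and routing them to a dummy function. The block below is an added illustration of that layout-preserving pattern, not code from this patch set: the struct, field and function names are hypothetical stand-ins, and the stub returns FALSE where the cover letter's dummy function prints a debug message and asserts.

```c
/* Added illustration; every name below is a hypothetical stand-in. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int (*HASH_INIT)(void *Ctx);
typedef int (*HASH_UPDATE)(void *Ctx, const void *Data, size_t Size);

/* Layout that already-shipped consumers were compiled against. */
typedef struct {
  uint32_t    Version;
  HASH_INIT   Md4Init;
  HASH_UPDATE Md4Update;
  HASH_INIT   Sha256Init;
} PROTOCOL_OLD;

/* Layout after retirement: same slots and types, renamed fields. */
typedef struct {
  uint32_t    Version;
  HASH_INIT   DeprecatedMd4Init;
  HASH_UPDATE DeprecatedMd4Update;
  HASH_INIT   Sha256Init;
} PROTOCOL_NEW;

/* Old binaries index slots by offset, so a rename must not move any. */
#define SAME_SLOT(o, n) _Static_assert( \
  offsetof(PROTOCOL_OLD, o) == offsetof(PROTOCOL_NEW, n), #o " moved")
_Static_assert(sizeof(PROTOCOL_OLD) == sizeof(PROTOCOL_NEW), "size changed");
SAME_SLOT(Md4Init, DeprecatedMd4Init);
SAME_SLOT(Md4Update, DeprecatedMd4Update);
SAME_SLOT(Sha256Init, Sha256Init);

static unsigned deprecated_calls;
/* Stand-in for the dummy function: report the call, then fail closed. */
static int retired(const char *Name) {
  deprecated_calls++;
  fprintf(stderr, "%s is deprecated and unsupported\n", Name);
  return 0; /* FALSE */
}
static int StubMd4Init(void *Ctx) { (void)Ctx; return retired("Md4Init"); }
static int StubMd4Update(void *Ctx, const void *Data, size_t Size) {
  (void)Ctx; (void)Data; (void)Size; return retired("Md4Update");
}
static int RealSha256Init(void *Ctx) { (void)Ctx; return 1; }

static const PROTOCOL_NEW gProtocol = {
  2, StubMd4Init, StubMd4Update, RealSha256Init };

/* A consumer built against the old header. It copies the table into the
   old layout and stops as soon as a call reports failure. */
int old_consumer(const void *Protocol, int UseMd4) {
  PROTOCOL_OLD view;
  unsigned char ctx[16];
  memcpy(&view, Protocol, sizeof view);
  if (UseMd4) return view.Md4Init(ctx) && view.Md4Update(ctx, "abc", 3);
  return view.Sha256Init(ctx);
}

int main(void) {
  int md4 = old_consumer(&gProtocol, 1), sha = old_consumer(&gProtocol, 0);
  printf("md4=%d sha256=%d stub calls=%u\n", md4, sha, deprecated_calls);
  return 0;
}
```

If a retired slot were left NULL or dropped from the struct instead, the same old consumer would jump through a null pointer or call the wrong function for every later slot.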

