[v3] CryptoPkg: Retire the deprecated functions

[edk2-devel] [PATCH V3 7/8] CryptoPkg/BaseCryptLib: Retire HMAC SHA1 algorithm

Posted by Gao, Zhichao 5 years, 9 months ago

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898

HMAC SHA1 is not secure any longer.
Remove the HMAC SHA1 support from edk2.
Change the HMAC SHA1 field name in EDKII_CRYPTO_PROTOCOL to indicate the
function is unsupported any long.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
---
 CryptoPkg/CryptoPkg.dsc                       |   3 -
 CryptoPkg/Driver/Crypto.c                     | 128 ++---------
 CryptoPkg/Include/Library/BaseCryptLib.h      | 133 -----------
 .../Library/BaseCryptLib/BaseCryptLib.inf     |   1 -
 .../Library/BaseCryptLib/Hmac/CryptHmacSha1.c | 216 ------------------
 .../BaseCryptLib/Hmac/CryptHmacSha1Null.c     | 139 -----------
 .../Library/BaseCryptLib/PeiCryptLib.inf      |   3 +-
 .../Library/BaseCryptLib/PeiCryptLib.uni      |   4 +-
 .../Library/BaseCryptLib/RuntimeCryptLib.inf  |   3 +-
 .../Library/BaseCryptLib/RuntimeCryptLib.uni  |   4 +-
 .../Library/BaseCryptLib/SmmCryptLib.inf      |   4 +-
 .../Library/BaseCryptLib/SmmCryptLib.uni      |   4 +-
 .../BaseCryptLibNull/BaseCryptLibNull.inf     |   1 -
 .../BaseCryptLibNull/Hmac/CryptHmacSha1Null.c | 139 -----------
 .../BaseCryptLibOnProtocolPpi/CryptLib.c      | 151 ------------
 CryptoPkg/Private/Protocol/Crypto.h           | 121 ++--------
 16 files changed, 45 insertions(+), 1009 deletions(-)
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
 delete mode 100644 CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c

diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
index 9ddf73f9fa..1af78468a1 100644
--- a/CryptoPkg/CryptoPkg.dsc
+++ b/CryptoPkg/CryptoPkg.dsc
@@ -137,7 +137,6 @@
   gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x06
 
 !if $(CRYPTO_SERVICES) IN "PACKAGE ALL"
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family                          | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family                        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family                               | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family                              | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
@@ -163,7 +162,6 @@
 !endif
 
 !if $(CRYPTO_SERVICES) == MIN_PEI
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family                 | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family               | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family                     | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family                   | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
@@ -178,7 +176,6 @@
 !endif
 
 !if $(CRYPTO_SERVICES) == MIN_DXE_MIN_SMM
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family                          | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family                        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkcs1v2Encrypt             | TRUE
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkcs5HashPassword          | TRUE
diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
index dfde1cc005..95172de981 100644
--- a/CryptoPkg/Driver/Crypto.c
+++ b/CryptoPkg/Driver/Crypto.c
@@ -1170,154 +1170,68 @@ DeprecatedCryptoServiceHmacMd5Final (
 }
 
 /**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
-
-  If this interface is not supported, then return NULL.
-
-  @return  Pointer to the HMAC_CTX context that has been initialized.
-           If the allocations fails, HmacSha1New() returns NULL.
-  @return  NULL   This interface is not supported.
+  HMAC SHA1 is deprecated and unsupported any longer.
+  Keep the function field for binary compability.
 
 **/
 VOID *
 EFIAPI
-CryptoServiceHmacSha1New (
+DeprecatedCryptoServiceHmacSha1New (
   VOID
   )
 {
-  return CALL_BASECRYPTLIB (HmacSha1.Services.New, HmacSha1New, (), NULL);
+  return BaseCryptLibServciceDeprecated ("HmacSha1New"), NULL;
 }
 
-/**
-  Release the specified HMAC_CTX context.
-
-  If this interface is not supported, then do nothing.
-
-  @param[in]  HmacSha1Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
 VOID
 EFIAPI
-CryptoServiceHmacSha1Free (
+DeprecatedCryptoServiceHmacSha1Free (
   IN  VOID  *HmacSha1Ctx
   )
 {
-  CALL_VOID_BASECRYPTLIB (HmacSha1.Services.Free, HmacSha1Free, (HmacSha1Ctx));
+  BaseCryptLibServciceDeprecated ("HmacSha1Free");
 }
 
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacSha1Update().
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  HmacSha1Context  Pointer to HMAC-SHA1 context.
-  @param[in]   Key              Pointer to the user-supplied key.
-  @param[in]   KeySize          Key size in bytes.
-
-  @retval TRUE   The Key is set successfully.
-  @retval FALSE  The Key is set unsuccessfully.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceHmacSha1SetKey (
+DeprecatedCryptoServiceHmacSha1SetKey (
   OUT  VOID         *HmacSha1Context,
   IN   CONST UINT8  *Key,
   IN   UINTN        KeySize
   )
 {
-  return CALL_BASECRYPTLIB (HmacSha1.Services.SetKey, HmacSha1SetKey, (HmacSha1Context, Key, KeySize), FALSE);
+  return BaseCryptLibServciceDeprecated ("HmacSha1SetKey"), FALSE;
 }
 
-/**
-  Makes a copy of an existing HMAC-SHA1 context.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If NewHmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]  HmacSha1Context     Pointer to HMAC-SHA1 context being copied.
-  @param[out] NewHmacSha1Context  Pointer to new HMAC-SHA1 context.
-
-  @retval TRUE   HMAC-SHA1 context copy succeeded.
-  @retval FALSE  HMAC-SHA1 context copy failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceHmacSha1Duplicate (
+DeprecatedCryptoServiceHmacSha1Duplicate (
   IN   CONST VOID  *HmacSha1Context,
   OUT  VOID        *NewHmacSha1Context
   )
 {
-  return CALL_BASECRYPTLIB (HmacSha1.Services.Duplicate, HmacSha1Duplicate, (HmacSha1Context, NewHmacSha1Context), FALSE);
+  return BaseCryptLibServciceDeprecated ("HmacSha1Duplicate"), FALSE;
 }
 
-/**
-  Digests the input data and updates HMAC-SHA1 context.
-
-  This function performs HMAC-SHA1 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized by
-  HmacSha1Final(). Behavior with invalid context is undefined.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacSha1Context Pointer to the HMAC-SHA1 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval TRUE   HMAC-SHA1 data digest succeeded.
-  @retval FALSE  HMAC-SHA1 data digest failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceHmacSha1Update (
+DeprecatedCryptoServiceHmacSha1Update (
   IN OUT  VOID        *HmacSha1Context,
   IN      CONST VOID  *Data,
   IN      UINTN       DataSize
   )
 {
-  return CALL_BASECRYPTLIB (HmacSha1.Services.Update, HmacSha1Update, (HmacSha1Context, Data, DataSize), FALSE);
+  return BaseCryptLibServciceDeprecated ("HmacSha1Update"), FALSE;
 }
 
-/**
-  Completes computation of the HMAC-SHA1 digest value.
-
-  This function completes HMAC-SHA1 hash computation and retrieves the digest value into
-  the specified memory. After this function has been called, the HMAC-SHA1 context cannot
-  be used again.
-  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized
-  by HmacSha1Final(). Behavior with invalid HMAC-SHA1 context is undefined.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If HmacValue is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacSha1Context  Pointer to the HMAC-SHA1 context.
-  @param[out]      HmacValue        Pointer to a buffer that receives the HMAC-SHA1 digest
-                                    value (20 bytes).
-
-  @retval TRUE   HMAC-SHA1 digest computation succeeded.
-  @retval FALSE  HMAC-SHA1 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 BOOLEAN
 EFIAPI
-CryptoServiceHmacSha1Final (
+DeprecatedCryptoServiceHmacSha1Final (
   IN OUT  VOID   *HmacSha1Context,
   OUT     UINT8  *HmacValue
   )
 {
-  return CALL_BASECRYPTLIB (HmacSha1.Services.Final, HmacSha1Final, (HmacSha1Context, HmacValue), FALSE);
+  return BaseCryptLibServciceDeprecated ("HmacSha1Final"), FALSE;
 }
 
 /**
@@ -3972,13 +3886,13 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
   DeprecatedCryptoServiceHmacMd5Duplicate,
   DeprecatedCryptoServiceHmacMd5Update,
   DeprecatedCryptoServiceHmacMd5Final,
-  /// HMAC SHA1
-  CryptoServiceHmacSha1New,
-  CryptoServiceHmacSha1Free,
-  CryptoServiceHmacSha1SetKey,
-  CryptoServiceHmacSha1Duplicate,
-  CryptoServiceHmacSha1Update,
-  CryptoServiceHmacSha1Final,
+  /// HMAC SHA1 - deprecated and unsupported
+  DeprecatedCryptoServiceHmacSha1New,
+  DeprecatedCryptoServiceHmacSha1Free,
+  DeprecatedCryptoServiceHmacSha1SetKey,
+  DeprecatedCryptoServiceHmacSha1Duplicate,
+  DeprecatedCryptoServiceHmacSha1Update,
+  DeprecatedCryptoServiceHmacSha1Final,
   /// HMAC SHA256
   CryptoServiceHmacSha256New,
   CryptoServiceHmacSha256Free,
diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
index b99401661c..1b1ffa75ef 100644
--- a/CryptoPkg/Include/Library/BaseCryptLib.h
+++ b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -880,139 +880,6 @@ Sm3HashAll (
 //    MAC (Message Authentication Code) Primitive
 //=====================================================================================
 
-/**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
-
-  If this interface is not supported, then return NULL.
-
-  @return  Pointer to the HMAC_CTX context that has been initialized.
-           If the allocations fails, HmacSha1New() returns NULL.
-  @return  NULL   This interface is not supported.
-
-**/
-VOID *
-EFIAPI
-HmacSha1New (
-  VOID
-  );
-
-/**
-  Release the specified HMAC_CTX context.
-
-  If this interface is not supported, then do nothing.
-
-  @param[in]  HmacSha1Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacSha1Free (
-  IN  VOID  *HmacSha1Ctx
-  );
-
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacSha1Update().
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  HmacSha1Context  Pointer to HMAC-SHA1 context.
-  @param[in]   Key              Pointer to the user-supplied key.
-  @param[in]   KeySize          Key size in bytes.
-
-  @retval TRUE   The Key is set successfully.
-  @retval FALSE  The Key is set unsuccessfully.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1SetKey (
-  OUT  VOID         *HmacSha1Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  );
-
-/**
-  Makes a copy of an existing HMAC-SHA1 context.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If NewHmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]  HmacSha1Context     Pointer to HMAC-SHA1 context being copied.
-  @param[out] NewHmacSha1Context  Pointer to new HMAC-SHA1 context.
-
-  @retval TRUE   HMAC-SHA1 context copy succeeded.
-  @retval FALSE  HMAC-SHA1 context copy failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Duplicate (
-  IN   CONST VOID  *HmacSha1Context,
-  OUT  VOID        *NewHmacSha1Context
-  );
-
-/**
-  Digests the input data and updates HMAC-SHA1 context.
-
-  This function performs HMAC-SHA1 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized by
-  HmacSha1Final(). Behavior with invalid context is undefined.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacSha1Context Pointer to the HMAC-SHA1 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval TRUE   HMAC-SHA1 data digest succeeded.
-  @retval FALSE  HMAC-SHA1 data digest failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Update (
-  IN OUT  VOID        *HmacSha1Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  );
-
-/**
-  Completes computation of the HMAC-SHA1 digest value.
-
-  This function completes HMAC-SHA1 hash computation and retrieves the digest value into
-  the specified memory. After this function has been called, the HMAC-SHA1 context cannot
-  be used again.
-  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized
-  by HmacSha1Final(). Behavior with invalid HMAC-SHA1 context is undefined.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If HmacValue is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacSha1Context  Pointer to the HMAC-SHA1 context.
-  @param[out]      HmacValue        Pointer to a buffer that receives the HMAC-SHA1 digest
-                                    value (20 bytes).
-
-  @retval TRUE   HMAC-SHA1 digest computation succeeded.
-  @retval FALSE  HMAC-SHA1 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Final (
-  IN OUT  VOID   *HmacSha1Context,
-  OUT     UINT8  *HmacValue
-  );
-
 /**
   Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA256 use.
 
diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
index 33d7c13bff..4aae2aba95 100644
--- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -34,7 +34,6 @@
   Hash/CryptSha256.c
   Hash/CryptSha512.c
   Hash/CryptSm3.c
-  Hmac/CryptHmacSha1.c
   Hmac/CryptHmacSha256.c
   Kdf/CryptHkdf.c
   Cipher/CryptAes.c
diff --git a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
deleted file mode 100644
index 7593ca55b1..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
+++ /dev/null
@@ -1,216 +0,0 @@
-/** @file
-  HMAC-SHA1 Wrapper Implementation over OpenSSL.
-
-Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-#include <openssl/hmac.h>
-
-/**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
-
-  @return  Pointer to the HMAC_CTX context that has been initialized.
-           If the allocations fails, HmacSha1New() returns NULL.
-
-**/
-VOID *
-EFIAPI
-HmacSha1New (
-  VOID
-  )
-{
-  //
-  // Allocates & Initializes HMAC_CTX Context by OpenSSL HMAC_CTX_new()
-  //
-  return (VOID *) HMAC_CTX_new ();
-}
-
-/**
-  Release the specified HMAC_CTX context.
-
-  @param[in]  HmacSha1Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacSha1Free (
-  IN  VOID  *HmacSha1Ctx
-  )
-{
-  //
-  // Free OpenSSL HMAC_CTX Context
-  //
-  HMAC_CTX_free ((HMAC_CTX *)HmacSha1Ctx);
-}
-
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacSha1Update().
-
-  If HmacSha1Context is NULL, then return FALSE.
-
-  @param[out]  HmacSha1Context  Pointer to HMAC-SHA1 context.
-  @param[in]   Key              Pointer to the user-supplied key.
-  @param[in]   KeySize          Key size in bytes.
-
-  @retval TRUE   The Key is set successfully.
-  @retval FALSE  The Key is set unsuccessfully.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1SetKey (
-  OUT  VOID         *HmacSha1Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  )
-{
-  //
-  // Check input parameters.
-  //
-  if (HmacSha1Context == NULL || KeySize > INT_MAX) {
-    return FALSE;
-  }
-
-  if (HMAC_Init_ex ((HMAC_CTX *)HmacSha1Context, Key, (UINT32) KeySize, EVP_sha1(), NULL) != 1) {
-    return FALSE;
-  }
-
-  return TRUE;
-}
-
-/**
-  Makes a copy of an existing HMAC-SHA1 context.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If NewHmacSha1Context is NULL, then return FALSE.
-
-  @param[in]  HmacSha1Context     Pointer to HMAC-SHA1 context being copied.
-  @param[out] NewHmacSha1Context  Pointer to new HMAC-SHA1 context.
-
-  @retval TRUE   HMAC-SHA1 context copy succeeded.
-  @retval FALSE  HMAC-SHA1 context copy failed.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Duplicate (
-  IN   CONST VOID  *HmacSha1Context,
-  OUT  VOID        *NewHmacSha1Context
-  )
-{
-  //
-  // Check input parameters.
-  //
-  if (HmacSha1Context == NULL || NewHmacSha1Context == NULL) {
-    return FALSE;
-  }
-
-  if (HMAC_CTX_copy ((HMAC_CTX *)NewHmacSha1Context, (HMAC_CTX *)HmacSha1Context) != 1) {
-    return FALSE;
-  }
-
-  return TRUE;
-}
-
-/**
-  Digests the input data and updates HMAC-SHA1 context.
-
-  This function performs HMAC-SHA1 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized by
-  HmacSha1Final(). Behavior with invalid context is undefined.
-
-  If HmacSha1Context is NULL, then return FALSE.
-
-  @param[in, out]  HmacSha1Context Pointer to the HMAC-SHA1 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval TRUE   HMAC-SHA1 data digest succeeded.
-  @retval FALSE  HMAC-SHA1 data digest failed.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Update (
-  IN OUT  VOID        *HmacSha1Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  )
-{
-  //
-  // Check input parameters.
-  //
-  if (HmacSha1Context == NULL) {
-    return FALSE;
-  }
-
-  //
-  // Check invalid parameters, in case that only DataLength was checked in OpenSSL
-  //
-  if (Data == NULL && DataSize != 0) {
-    return FALSE;
-  }
-
-  //
-  // OpenSSL HMAC-SHA1 digest update
-  //
-  if (HMAC_Update ((HMAC_CTX *)HmacSha1Context, Data, DataSize) != 1) {
-    return FALSE;
-  }
-
-  return TRUE;
-}
-
-/**
-  Completes computation of the HMAC-SHA1 digest value.
-
-  This function completes HMAC-SHA1 digest computation and retrieves the digest value into
-  the specified memory. After this function has been called, the HMAC-SHA1 context cannot
-  be used again.
-  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized by
-  HmacSha1Final(). Behavior with invalid HMAC-SHA1 context is undefined.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If HmacValue is NULL, then return FALSE.
-
-  @param[in, out]  HmacSha1Context  Pointer to the HMAC-SHA1 context.
-  @param[out]      HmacValue        Pointer to a buffer that receives the HMAC-SHA1 digest
-                                    value (20 bytes).
-
-  @retval TRUE   HMAC-SHA1 digest computation succeeded.
-  @retval FALSE  HMAC-SHA1 digest computation failed.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Final (
-  IN OUT  VOID   *HmacSha1Context,
-  OUT     UINT8  *HmacValue
-  )
-{
-  UINT32  Length;
-
-  //
-  // Check input parameters.
-  //
-  if (HmacSha1Context == NULL || HmacValue == NULL) {
-    return FALSE;
-  }
-
-  //
-  // OpenSSL HMAC-SHA1 digest finalization
-  //
-  if (HMAC_Final ((HMAC_CTX *)HmacSha1Context, HmacValue, &Length) != 1) {
-    return FALSE;
-  }
-  if (HMAC_CTX_reset ((HMAC_CTX *)HmacSha1Context) != 1) {
-    return FALSE;
-  }
-
-  return TRUE;
-}
diff --git a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
deleted file mode 100644
index e8c0f341b7..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
+++ /dev/null
@@ -1,139 +0,0 @@
-/** @file
-  HMAC-SHA1 Wrapper Implementation which does not provide real capabilities.
-
-Copyright (c) 2012 - 2020, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-
-/**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
-
-  Return NULL to indicate this interface is not supported.
-
-  @return  NULL  This interface is not supported..
-
-**/
-VOID *
-EFIAPI
-HmacSha1New (
-  VOID
-  )
-{
-  ASSERT (FALSE);
-  return NULL;
-}
-
-/**
-  Release the specified HMAC_CTX context.
-
-  This function will do nothing.
-
-  @param[in]  HmacSha1Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacSha1Free (
-  IN  VOID  *HmacSha1Ctx
-  )
-{
-  ASSERT (FALSE);
-  return;
-}
-
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacSha1Update().
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[out]  HmacSha1Context  Pointer to HMAC-SHA1 context.
-  @param[in]   Key              Pointer to the user-supplied key.
-  @param[in]   KeySize          Key size in bytes.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1SetKey (
-  OUT  VOID         *HmacSha1Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Makes a copy of an existing HMAC-SHA1 context.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]  HmacSha1Context     Pointer to HMAC-SHA1 context being copied.
-  @param[out] NewHmacSha1Context  Pointer to new HMAC-SHA1 context.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Duplicate (
-  IN   CONST VOID  *HmacSha1Context,
-  OUT  VOID        *NewHmacSha1Context
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Digests the input data and updates HMAC-SHA1 context.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  HmacSha1Context Pointer to the HMAC-SHA1 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Update (
-  IN OUT  VOID        *HmacSha1Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Completes computation of the HMAC-SHA1 digest value.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  HmacSha1Context  Pointer to the HMAC-SHA1 context.
-  @param[out]      HmacValue        Pointer to a buffer that receives the HMAC-SHA1 digest
-                                    value (20 bytes).
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Final (
-  IN OUT  VOID   *HmacSha1Context,
-  OUT     UINT8  *HmacValue
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
index 2a630ef290..dc28e3a11d 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
@@ -7,7 +7,7 @@
 #  buffer overflow or integer overflow.
 #
 #  Note:
-#  HMAC-SHA1/SHA256 functions, AES functions, RSA external
+#  HMAC-SHA256 functions, AES functions, RSA external
 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509
 #  certificate handler functions, authenticode signature verification functions,
 #  PEM handler functions, and pseudorandom number generator functions are not
@@ -40,7 +40,6 @@
   Hash/CryptSha256.c
   Hash/CryptSm3.c
   Hash/CryptSha512.c
-  Hmac/CryptHmacSha1Null.c
   Hmac/CryptHmacSha256Null.c
   Kdf/CryptHkdfNull.c
   Cipher/CryptAesNull.c
diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
index 95c71a8ae2..20ae64e8bf 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
@@ -6,7 +6,7 @@
 // This external input must be validated carefully to avoid security issues such as
 // buffer overflow or integer overflow.
 //
-// Note: HMAC-SHA1 functions, AES
+// Note: AES
 // functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, X.509 certificate handler functions, authenticode
 // signature verification functions, PEM handler functions, and pseudorandom number
@@ -21,5 +21,5 @@
 
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for PEIM"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."
 
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
index 1642521087..5005beed02 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
@@ -7,7 +7,7 @@
 #  buffer overflow or integer overflow.
 #
 #  Note: SHA-384 Digest functions, SHA-512 Digest functions,
-#  HMAC-SHA1/SHA256 functions, AES functions, RSA external
+#  HMAC-SHA256 functions, AES functions, RSA external
 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
 #  authenticode signature verification functions are not supported in this instance.
 #
@@ -40,7 +40,6 @@
   Hash/CryptSha256.c
   Hash/CryptSm3.c
   Hash/CryptSha512Null.c
-  Hmac/CryptHmacSha1Null.c
   Hmac/CryptHmacSha256Null.c
   Kdf/CryptHkdfNull.c
   Cipher/CryptAesNull.c
diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
index f7e1acb3a7..0cf378c5ab 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
@@ -6,7 +6,7 @@
 // This external input must be validated carefully to avoid security issues such as
 // buffer overflow or integer overflow.
 //
-// Note: HMAC-SHA1 functions, AES
+// Note: AES
 // functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, and authenticode signature verification functions are
 // not supported in this instance.
@@ -20,5 +20,5 @@
 
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for DXE_RUNTIME_DRIVER"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
 
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
index ec9c8e7c05..91ec3e03bf 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
@@ -7,8 +7,7 @@
 #  buffer overflow or integer overflow.
 #
 #  Note: SHA-384 Digest functions, SHA-512 Digest functions,
-#  HMAC-SHA1 functions, RSA external
-#  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
+#  RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
 #  authenticode signature verification functions are not supported in this instance.
 #
 #  Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
@@ -39,7 +38,6 @@
   Hash/CryptSha256.c
   Hash/CryptSm3.c
   Hash/CryptSha512Null.c
-  Hmac/CryptHmacSha1Null.c
   Hmac/CryptHmacSha256.c
   Kdf/CryptHkdfNull.c
   Cipher/CryptAes.c
diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
index 8eb3acac93..f0c33abbcf 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
@@ -6,7 +6,7 @@
 // This external input must be validated carefully to avoid security issues such as
 // buffer overflow or integer overflow.
 //
-// Note: HMAC-SHA1 functions, AES
+// Note: AES
 // functions, RSA external functions, PKCS#7 SignedData sign functions,
 // Diffie-Hellman functions, and authenticode signature verification functions are
 // not supported in this instance.
@@ -20,5 +20,5 @@
 
 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for SMM driver"
 
-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."
 
diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
index 558ccfc002..689af4fedd 100644
--- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
+++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
@@ -34,7 +34,6 @@
   Hash/CryptSha256Null.c
   Hash/CryptSha512Null.c
   Hash/CryptSm3Null.c
-  Hmac/CryptHmacSha1Null.c
   Hmac/CryptHmacSha256Null.c
   Kdf/CryptHkdfNull.c
   Cipher/CryptAesNull.c
diff --git a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c b/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c
deleted file mode 100644
index e8c0f341b7..0000000000
--- a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c
+++ /dev/null
@@ -1,139 +0,0 @@
-/** @file
-  HMAC-SHA1 Wrapper Implementation which does not provide real capabilities.
-
-Copyright (c) 2012 - 2020, Intel Corporation. All rights reserved.<BR>
-SPDX-License-Identifier: BSD-2-Clause-Patent
-
-**/
-
-#include "InternalCryptLib.h"
-
-/**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
-
-  Return NULL to indicate this interface is not supported.
-
-  @return  NULL  This interface is not supported..
-
-**/
-VOID *
-EFIAPI
-HmacSha1New (
-  VOID
-  )
-{
-  ASSERT (FALSE);
-  return NULL;
-}
-
-/**
-  Release the specified HMAC_CTX context.
-
-  This function will do nothing.
-
-  @param[in]  HmacSha1Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacSha1Free (
-  IN  VOID  *HmacSha1Ctx
-  )
-{
-  ASSERT (FALSE);
-  return;
-}
-
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacSha1Update().
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[out]  HmacSha1Context  Pointer to HMAC-SHA1 context.
-  @param[in]   Key              Pointer to the user-supplied key.
-  @param[in]   KeySize          Key size in bytes.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1SetKey (
-  OUT  VOID         *HmacSha1Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Makes a copy of an existing HMAC-SHA1 context.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in]  HmacSha1Context     Pointer to HMAC-SHA1 context being copied.
-  @param[out] NewHmacSha1Context  Pointer to new HMAC-SHA1 context.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Duplicate (
-  IN   CONST VOID  *HmacSha1Context,
-  OUT  VOID        *NewHmacSha1Context
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Digests the input data and updates HMAC-SHA1 context.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  HmacSha1Context Pointer to the HMAC-SHA1 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Update (
-  IN OUT  VOID        *HmacSha1Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
-
-/**
-  Completes computation of the HMAC-SHA1 digest value.
-
-  Return FALSE to indicate this interface is not supported.
-
-  @param[in, out]  HmacSha1Context  Pointer to the HMAC-SHA1 context.
-  @param[out]      HmacValue        Pointer to a buffer that receives the HMAC-SHA1 digest
-                                    value (20 bytes).
-
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Final (
-  IN OUT  VOID   *HmacSha1Context,
-  OUT     UINT8  *HmacValue
-  )
-{
-  ASSERT (FALSE);
-  return FALSE;
-}
diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index dfe7fb7e91..a614b61ed4 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -1015,157 +1015,6 @@ Sm3HashAll (
 //    MAC (Message Authentication Code) Primitive
 //=====================================================================================
 
-/**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
-
-  If this interface is not supported, then return NULL.
-
-  @return  Pointer to the HMAC_CTX context that has been initialized.
-           If the allocations fails, HmacSha1New() returns NULL.
-  @return  NULL   This interface is not supported.
-
-**/
-VOID *
-EFIAPI
-HmacSha1New (
-  VOID
-  )
-{
-  CALL_CRYPTO_SERVICE (HmacSha1New, (), NULL);
-}
-
-/**
-  Release the specified HMAC_CTX context.
-
-  If this interface is not supported, then do nothing.
-
-  @param[in]  HmacSha1Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacSha1Free (
-  IN  VOID  *HmacSha1Ctx
-  )
-{
-  CALL_VOID_CRYPTO_SERVICE (HmacSha1Free, (HmacSha1Ctx));
-}
-
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacSha1Update().
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  HmacSha1Context  Pointer to HMAC-SHA1 context.
-  @param[in]   Key              Pointer to the user-supplied key.
-  @param[in]   KeySize          Key size in bytes.
-
-  @retval TRUE   The Key is set successfully.
-  @retval FALSE  The Key is set unsuccessfully.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1SetKey (
-  OUT  VOID         *HmacSha1Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  )
-{
-  CALL_CRYPTO_SERVICE (HmacSha1SetKey, (HmacSha1Context, Key, KeySize), FALSE);
-}
-
-/**
-  Makes a copy of an existing HMAC-SHA1 context.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If NewHmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]  HmacSha1Context     Pointer to HMAC-SHA1 context being copied.
-  @param[out] NewHmacSha1Context  Pointer to new HMAC-SHA1 context.
-
-  @retval TRUE   HMAC-SHA1 context copy succeeded.
-  @retval FALSE  HMAC-SHA1 context copy failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Duplicate (
-  IN   CONST VOID  *HmacSha1Context,
-  OUT  VOID        *NewHmacSha1Context
-  )
-{
-  CALL_CRYPTO_SERVICE (HmacSha1Duplicate, (HmacSha1Context, NewHmacSha1Context), FALSE);
-}
-
-/**
-  Digests the input data and updates HMAC-SHA1 context.
-
-  This function performs HMAC-SHA1 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized by
-  HmacSha1Final(). Behavior with invalid context is undefined.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacSha1Context Pointer to the HMAC-SHA1 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval TRUE   HMAC-SHA1 data digest succeeded.
-  @retval FALSE  HMAC-SHA1 data digest failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Update (
-  IN OUT  VOID        *HmacSha1Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  )
-{
-  CALL_CRYPTO_SERVICE (HmacSha1Update, (HmacSha1Context, Data, DataSize), FALSE);
-}
-
-/**
-  Completes computation of the HMAC-SHA1 digest value.
-
-  This function completes HMAC-SHA1 hash computation and retrieves the digest value into
-  the specified memory. After this function has been called, the HMAC-SHA1 context cannot
-  be used again.
-  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized
-  by HmacSha1Final(). Behavior with invalid HMAC-SHA1 context is undefined.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If HmacValue is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacSha1Context  Pointer to the HMAC-SHA1 context.
-  @param[out]      HmacValue        Pointer to a buffer that receives the HMAC-SHA1 digest
-                                    value (20 bytes).
-
-  @retval TRUE   HMAC-SHA1 digest computation succeeded.
-  @retval FALSE  HMAC-SHA1 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacSha1Final (
-  IN OUT  VOID   *HmacSha1Context,
-  OUT     UINT8  *HmacValue
-  )
-{
-  CALL_CRYPTO_SERVICE (HmacSha1Final, (HmacSha1Context, HmacValue), FALSE);
-}
-
 /**
   Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA256 use.
 
diff --git a/CryptoPkg/Private/Protocol/Crypto.h b/CryptoPkg/Private/Protocol/Crypto.h
index bd4cd7f383..d167390774 100644
--- a/CryptoPkg/Private/Protocol/Crypto.h
+++ b/CryptoPkg/Private/Protocol/Crypto.h
@@ -89,140 +89,49 @@ BOOLEAN
   OUT     UINT8  *HmacValue
   );
 
-
 /**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
-
-  If this interface is not supported, then return NULL.
-
-  @return  Pointer to the HMAC_CTX context that has been initialized.
-           If the allocations fails, HmacSha1New() returns NULL.
-  @return  NULL   This interface is not supported.
+  HMAC SHA1 is deprecated and unsupported any longer.
+  Keep the function field for binary compability.
 
 **/
 typedef
 VOID*
-(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_NEW) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_NEW) (
   VOID
   );
 
-/**
-  Release the specified HMAC_CTX context.
-
-  If this interface is not supported, then do nothing.
-
-  @param[in]  HmacSha1Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
 typedef
 VOID
-(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_FREE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_FREE) (
   IN  VOID  *HmacSha1Ctx
   );
 
-
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacSha1Update().
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  HmacSha1Context  Pointer to HMAC-SHA1 context.
-  @param[in]   Key              Pointer to the user-supplied key.
-  @param[in]   KeySize          Key size in bytes.
-
-  @retval TRUE   The Key is set successfully.
-  @retval FALSE  The Key is set unsuccessfully.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_SET_KEY) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_SET_KEY) (
   OUT  VOID         *HmacSha1Context,
   IN   CONST UINT8  *Key,
   IN   UINTN        KeySize
   );
 
-
-/**
-  Makes a copy of an existing HMAC-SHA1 context.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If NewHmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]  HmacSha1Context     Pointer to HMAC-SHA1 context being copied.
-  @param[out] NewHmacSha1Context  Pointer to new HMAC-SHA1 context.
-
-  @retval TRUE   HMAC-SHA1 context copy succeeded.
-  @retval FALSE  HMAC-SHA1 context copy failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_DUPLICATE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_DUPLICATE) (
   IN   CONST VOID  *HmacSha1Context,
   OUT  VOID        *NewHmacSha1Context
   );
 
-
-/**
-  Digests the input data and updates HMAC-SHA1 context.
-
-  This function performs HMAC-SHA1 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized by
-  HmacSha1Final(). Behavior with invalid context is undefined.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacSha1Context Pointer to the HMAC-SHA1 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval TRUE   HMAC-SHA1 data digest succeeded.
-  @retval FALSE  HMAC-SHA1 data digest failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_UPDATE) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_UPDATE) (
   IN OUT  VOID        *HmacSha1Context,
   IN      CONST VOID  *Data,
   IN      UINTN       DataSize
   );
 
-
-/**
-  Completes computation of the HMAC-SHA1 digest value.
-
-  This function completes HMAC-SHA1 hash computation and retrieves the digest value into
-  the specified memory. After this function has been called, the HMAC-SHA1 context cannot
-  be used again.
-  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not be finalized
-  by HmacSha1Final(). Behavior with invalid HMAC-SHA1 context is undefined.
-
-  If HmacSha1Context is NULL, then return FALSE.
-  If HmacValue is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacSha1Context  Pointer to the HMAC-SHA1 context.
-  @param[out]      HmacValue        Pointer to a buffer that receives the HMAC-SHA1 digest
-                                    value (20 bytes).
-
-  @retval TRUE   HMAC-SHA1 digest computation succeeded.
-  @retval FALSE  HMAC-SHA1 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
 typedef
 BOOLEAN
-(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_FINAL) (
+(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_FINAL) (
   IN OUT  VOID   *HmacSha1Context,
   OUT     UINT8  *HmacValue
   );
@@ -3538,13 +3447,13 @@ struct _EDKII_CRYPTO_PROTOCOL {
   DEPRECATED_EDKII_CRYPTO_HMAC_MD5_DUPLICATE      DeprecatedHmacMd5Duplicate;
   DEPRECATED_EDKII_CRYPTO_HMAC_MD5_UPDATE         DeprecatedHmacMd5Update;
   DEPRECATED_EDKII_CRYPTO_HMAC_MD5_FINAL          DeprecatedHmacMd5Final;
-  /// HMAC SHA1
-  EDKII_CRYPTO_HMAC_SHA1_NEW                      HmacSha1New;
-  EDKII_CRYPTO_HMAC_SHA1_FREE                     HmacSha1Free;
-  EDKII_CRYPTO_HMAC_SHA1_SET_KEY                  HmacSha1SetKey;
-  EDKII_CRYPTO_HMAC_SHA1_DUPLICATE                HmacSha1Duplicate;
-  EDKII_CRYPTO_HMAC_SHA1_UPDATE                   HmacSha1Update;
-  EDKII_CRYPTO_HMAC_SHA1_FINAL                    HmacSha1Final;
+  /// HMAC SHA1 - deprecated and unsupported
+  DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_NEW           DeprecatedHmacSha1New;
+  DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_FREE          DeprecatedHmacSha1Free;
+  DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_SET_KEY       DeprecatedHmacSha1SetKey;
+  DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_DUPLICATE     DeprecatedHmacSha1Duplicate;
+  DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_UPDATE        DeprecatedHmacSha1Update;
+  DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_FINAL         DeprecatedHmacSha1Final;
   /// HMAC SHA256
   EDKII_CRYPTO_HMAC_SHA256_NEW                    HmacSha256New;
   EDKII_CRYPTO_HMAC_SHA256_FREE                   HmacSha256Free;
-- 
2.21.0.windows.1


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#58763): https://edk2.groups.io/g/devel/message/58763
Mute This Topic: https://groups.io/mt/74041199/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-

Re: [edk2-devel] [PATCH V3 7/8] CryptoPkg/BaseCryptLib: Retire HMAC SHA1 algorithm

Posted by Wang, Jian J 5 years, 9 months ago

Just a typo (see below). With it addressed,

Reviewed-by: Jian J Wang <jian.j.wang@intel.com>

Regards,
Jian

> -----Original Message-----
> From: Gao, Zhichao <zhichao.gao@intel.com>
> Sent: Thursday, May 07, 2020 7:58 AM
> To: devel@edk2.groups.io
> Cc: Wang, Jian J <jian.j.wang@intel.com>; Lu, XiaoyuX <xiaoyux.lu@intel.com>;
> Fu, Siyuan <siyuan.fu@intel.com>; Kinney, Michael D
> <michael.d.kinney@intel.com>; Yao, Jiewen <jiewen.yao@intel.com>
> Subject: [PATCH V3 7/8] CryptoPkg/BaseCryptLib: Retire HMAC SHA1 algorithm
> 
> REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898
> 
> HMAC SHA1 is not secure any longer.
> Remove the HMAC SHA1 support from edk2.
> Change the HMAC SHA1 field name in EDKII_CRYPTO_PROTOCOL to indicate the
> function is unsupported any long.

'long' --> 'longer'

> 
> Cc: Jian J Wang <jian.j.wang@intel.com>
> Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
> Cc: Siyuan Fu <siyuan.fu@intel.com>
> Cc: Michael D Kinney <michael.d.kinney@intel.com>
> Cc: Jiewen Yao <jiewen.yao@intel.com>
> Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>
> ---
>  CryptoPkg/CryptoPkg.dsc                       |   3 -
>  CryptoPkg/Driver/Crypto.c                     | 128 ++---------
>  CryptoPkg/Include/Library/BaseCryptLib.h      | 133 -----------
>  .../Library/BaseCryptLib/BaseCryptLib.inf     |   1 -
>  .../Library/BaseCryptLib/Hmac/CryptHmacSha1.c | 216 ------------------
>  .../BaseCryptLib/Hmac/CryptHmacSha1Null.c     | 139 -----------
>  .../Library/BaseCryptLib/PeiCryptLib.inf      |   3 +-
>  .../Library/BaseCryptLib/PeiCryptLib.uni      |   4 +-
>  .../Library/BaseCryptLib/RuntimeCryptLib.inf  |   3 +-
>  .../Library/BaseCryptLib/RuntimeCryptLib.uni  |   4 +-
>  .../Library/BaseCryptLib/SmmCryptLib.inf      |   4 +-
>  .../Library/BaseCryptLib/SmmCryptLib.uni      |   4 +-
>  .../BaseCryptLibNull/BaseCryptLibNull.inf     |   1 -
>  .../BaseCryptLibNull/Hmac/CryptHmacSha1Null.c | 139 -----------
>  .../BaseCryptLibOnProtocolPpi/CryptLib.c      | 151 ------------
>  CryptoPkg/Private/Protocol/Crypto.h           | 121 ++--------
>  16 files changed, 45 insertions(+), 1009 deletions(-)
>  delete mode 100644 CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
>  delete mode 100644
> CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c
> 
> diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
> index 9ddf73f9fa..1af78468a1 100644
> --- a/CryptoPkg/CryptoPkg.dsc
> +++ b/CryptoPkg/CryptoPkg.dsc
> @@ -137,7 +137,6 @@
>    gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x06
> 
>  !if $(CRYPTO_SERVICES) IN "PACKAGE ALL"
> -
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> 
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Fam
> ily                        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
>    gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
>    gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> @@ -163,7 +162,6 @@
>  !endif
> 
>  !if $(CRYPTO_SERVICES) == MIN_PEI
> -
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> 
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Fam
> ily               | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
>    gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha1.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
>    gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Sha256.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> @@ -178,7 +176,6 @@
>  !endif
> 
>  !if $(CRYPTO_SERVICES) == MIN_DXE_MIN_SMM
> -
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family
> | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> 
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Fam
> ily                        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
> 
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkc
> s1v2Encrypt             | TRUE
> 
> gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Pkcs.Services.Pkc
> s5HashPassword          | TRUE
> diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
> index dfde1cc005..95172de981 100644
> --- a/CryptoPkg/Driver/Crypto.c
> +++ b/CryptoPkg/Driver/Crypto.c
> @@ -1170,154 +1170,68 @@ DeprecatedCryptoServiceHmacMd5Final (
>  }
> 
>  /**
> -  Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1
> use.
> -
> -  If this interface is not supported, then return NULL.
> -
> -  @return  Pointer to the HMAC_CTX context that has been initialized.
> -           If the allocations fails, HmacSha1New() returns NULL.
> -  @return  NULL   This interface is not supported.
> +  HMAC SHA1 is deprecated and unsupported any longer.
> +  Keep the function field for binary compability.
> 
>  **/
>  VOID *
>  EFIAPI
> -CryptoServiceHmacSha1New (
> +DeprecatedCryptoServiceHmacSha1New (
>    VOID
>    )
>  {
> -  return CALL_BASECRYPTLIB (HmacSha1.Services.New, HmacSha1New, (),
> NULL);
> +  return BaseCryptLibServciceDeprecated ("HmacSha1New"), NULL;
>  }
> 
> -/**
> -  Release the specified HMAC_CTX context.
> -
> -  If this interface is not supported, then do nothing.
> -
> -  @param[in]  HmacSha1Ctx  Pointer to the HMAC_CTX context to be released.
> -
> -**/
>  VOID
>  EFIAPI
> -CryptoServiceHmacSha1Free (
> +DeprecatedCryptoServiceHmacSha1Free (
>    IN  VOID  *HmacSha1Ctx
>    )
>  {
> -  CALL_VOID_BASECRYPTLIB (HmacSha1.Services.Free, HmacSha1Free,
> (HmacSha1Ctx));
> +  BaseCryptLibServciceDeprecated ("HmacSha1Free");
>  }
> 
> -/**
> -  Set user-supplied key for subsequent use. It must be done before any
> -  calling to HmacSha1Update().
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[out]  HmacSha1Context  Pointer to HMAC-SHA1 context.
> -  @param[in]   Key              Pointer to the user-supplied key.
> -  @param[in]   KeySize          Key size in bytes.
> -
> -  @retval TRUE   The Key is set successfully.
> -  @retval FALSE  The Key is set unsuccessfully.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  BOOLEAN
>  EFIAPI
> -CryptoServiceHmacSha1SetKey (
> +DeprecatedCryptoServiceHmacSha1SetKey (
>    OUT  VOID         *HmacSha1Context,
>    IN   CONST UINT8  *Key,
>    IN   UINTN        KeySize
>    )
>  {
> -  return CALL_BASECRYPTLIB (HmacSha1.Services.SetKey, HmacSha1SetKey,
> (HmacSha1Context, Key, KeySize), FALSE);
> +  return BaseCryptLibServciceDeprecated ("HmacSha1SetKey"), FALSE;
>  }
> 
> -/**
> -  Makes a copy of an existing HMAC-SHA1 context.
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If NewHmacSha1Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]  HmacSha1Context     Pointer to HMAC-SHA1 context being
> copied.
> -  @param[out] NewHmacSha1Context  Pointer to new HMAC-SHA1 context.
> -
> -  @retval TRUE   HMAC-SHA1 context copy succeeded.
> -  @retval FALSE  HMAC-SHA1 context copy failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  BOOLEAN
>  EFIAPI
> -CryptoServiceHmacSha1Duplicate (
> +DeprecatedCryptoServiceHmacSha1Duplicate (
>    IN   CONST VOID  *HmacSha1Context,
>    OUT  VOID        *NewHmacSha1Context
>    )
>  {
> -  return CALL_BASECRYPTLIB (HmacSha1.Services.Duplicate,
> HmacSha1Duplicate, (HmacSha1Context, NewHmacSha1Context), FALSE);
> +  return BaseCryptLibServciceDeprecated ("HmacSha1Duplicate"), FALSE;
>  }
> 
> -/**
> -  Digests the input data and updates HMAC-SHA1 context.
> -
> -  This function performs HMAC-SHA1 digest on a data buffer of the specified
> size.
> -  It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> -  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not
> be finalized by
> -  HmacSha1Final(). Behavior with invalid context is undefined.
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  HmacSha1Context Pointer to the HMAC-SHA1 context.
> -  @param[in]       Data            Pointer to the buffer containing the data to be
> digested.
> -  @param[in]       DataSize        Size of Data buffer in bytes.
> -
> -  @retval TRUE   HMAC-SHA1 data digest succeeded.
> -  @retval FALSE  HMAC-SHA1 data digest failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  BOOLEAN
>  EFIAPI
> -CryptoServiceHmacSha1Update (
> +DeprecatedCryptoServiceHmacSha1Update (
>    IN OUT  VOID        *HmacSha1Context,
>    IN      CONST VOID  *Data,
>    IN      UINTN       DataSize
>    )
>  {
> -  return CALL_BASECRYPTLIB (HmacSha1.Services.Update, HmacSha1Update,
> (HmacSha1Context, Data, DataSize), FALSE);
> +  return BaseCryptLibServciceDeprecated ("HmacSha1Update"), FALSE;
>  }
> 
> -/**
> -  Completes computation of the HMAC-SHA1 digest value.
> -
> -  This function completes HMAC-SHA1 hash computation and retrieves the
> digest value into
> -  the specified memory. After this function has been called, the HMAC-SHA1
> context cannot
> -  be used again.
> -  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not
> be finalized
> -  by HmacSha1Final(). Behavior with invalid HMAC-SHA1 context is undefined.
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If HmacValue is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  HmacSha1Context  Pointer to the HMAC-SHA1 context.
> -  @param[out]      HmacValue        Pointer to a buffer that receives the HMAC-
> SHA1 digest
> -                                    value (20 bytes).
> -
> -  @retval TRUE   HMAC-SHA1 digest computation succeeded.
> -  @retval FALSE  HMAC-SHA1 digest computation failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  BOOLEAN
>  EFIAPI
> -CryptoServiceHmacSha1Final (
> +DeprecatedCryptoServiceHmacSha1Final (
>    IN OUT  VOID   *HmacSha1Context,
>    OUT     UINT8  *HmacValue
>    )
>  {
> -  return CALL_BASECRYPTLIB (HmacSha1.Services.Final, HmacSha1Final,
> (HmacSha1Context, HmacValue), FALSE);
> +  return BaseCryptLibServciceDeprecated ("HmacSha1Final"), FALSE;
>  }
> 
>  /**
> @@ -3972,13 +3886,13 @@ const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
>    DeprecatedCryptoServiceHmacMd5Duplicate,
>    DeprecatedCryptoServiceHmacMd5Update,
>    DeprecatedCryptoServiceHmacMd5Final,
> -  /// HMAC SHA1
> -  CryptoServiceHmacSha1New,
> -  CryptoServiceHmacSha1Free,
> -  CryptoServiceHmacSha1SetKey,
> -  CryptoServiceHmacSha1Duplicate,
> -  CryptoServiceHmacSha1Update,
> -  CryptoServiceHmacSha1Final,
> +  /// HMAC SHA1 - deprecated and unsupported
> +  DeprecatedCryptoServiceHmacSha1New,
> +  DeprecatedCryptoServiceHmacSha1Free,
> +  DeprecatedCryptoServiceHmacSha1SetKey,
> +  DeprecatedCryptoServiceHmacSha1Duplicate,
> +  DeprecatedCryptoServiceHmacSha1Update,
> +  DeprecatedCryptoServiceHmacSha1Final,
>    /// HMAC SHA256
>    CryptoServiceHmacSha256New,
>    CryptoServiceHmacSha256Free,
> diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h
> b/CryptoPkg/Include/Library/BaseCryptLib.h
> index b99401661c..1b1ffa75ef 100644
> --- a/CryptoPkg/Include/Library/BaseCryptLib.h
> +++ b/CryptoPkg/Include/Library/BaseCryptLib.h
> @@ -880,139 +880,6 @@ Sm3HashAll (
>  //    MAC (Message Authentication Code) Primitive
> 
> //===============================================================
> ======================
> 
> -/**
> -  Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1
> use.
> -
> -  If this interface is not supported, then return NULL.
> -
> -  @return  Pointer to the HMAC_CTX context that has been initialized.
> -           If the allocations fails, HmacSha1New() returns NULL.
> -  @return  NULL   This interface is not supported.
> -
> -**/
> -VOID *
> -EFIAPI
> -HmacSha1New (
> -  VOID
> -  );
> -
> -/**
> -  Release the specified HMAC_CTX context.
> -
> -  If this interface is not supported, then do nothing.
> -
> -  @param[in]  HmacSha1Ctx  Pointer to the HMAC_CTX context to be released.
> -
> -**/
> -VOID
> -EFIAPI
> -HmacSha1Free (
> -  IN  VOID  *HmacSha1Ctx
> -  );
> -
> -/**
> -  Set user-supplied key for subsequent use. It must be done before any
> -  calling to HmacSha1Update().
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[out]  HmacSha1Context  Pointer to HMAC-SHA1 context.
> -  @param[in]   Key              Pointer to the user-supplied key.
> -  @param[in]   KeySize          Key size in bytes.
> -
> -  @retval TRUE   The Key is set successfully.
> -  @retval FALSE  The Key is set unsuccessfully.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1SetKey (
> -  OUT  VOID         *HmacSha1Context,
> -  IN   CONST UINT8  *Key,
> -  IN   UINTN        KeySize
> -  );
> -
> -/**
> -  Makes a copy of an existing HMAC-SHA1 context.
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If NewHmacSha1Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]  HmacSha1Context     Pointer to HMAC-SHA1 context being
> copied.
> -  @param[out] NewHmacSha1Context  Pointer to new HMAC-SHA1 context.
> -
> -  @retval TRUE   HMAC-SHA1 context copy succeeded.
> -  @retval FALSE  HMAC-SHA1 context copy failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Duplicate (
> -  IN   CONST VOID  *HmacSha1Context,
> -  OUT  VOID        *NewHmacSha1Context
> -  );
> -
> -/**
> -  Digests the input data and updates HMAC-SHA1 context.
> -
> -  This function performs HMAC-SHA1 digest on a data buffer of the specified
> size.
> -  It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> -  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not
> be finalized by
> -  HmacSha1Final(). Behavior with invalid context is undefined.
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  HmacSha1Context Pointer to the HMAC-SHA1 context.
> -  @param[in]       Data            Pointer to the buffer containing the data to be
> digested.
> -  @param[in]       DataSize        Size of Data buffer in bytes.
> -
> -  @retval TRUE   HMAC-SHA1 data digest succeeded.
> -  @retval FALSE  HMAC-SHA1 data digest failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Update (
> -  IN OUT  VOID        *HmacSha1Context,
> -  IN      CONST VOID  *Data,
> -  IN      UINTN       DataSize
> -  );
> -
> -/**
> -  Completes computation of the HMAC-SHA1 digest value.
> -
> -  This function completes HMAC-SHA1 hash computation and retrieves the
> digest value into
> -  the specified memory. After this function has been called, the HMAC-SHA1
> context cannot
> -  be used again.
> -  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not
> be finalized
> -  by HmacSha1Final(). Behavior with invalid HMAC-SHA1 context is undefined.
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If HmacValue is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  HmacSha1Context  Pointer to the HMAC-SHA1 context.
> -  @param[out]      HmacValue        Pointer to a buffer that receives the HMAC-
> SHA1 digest
> -                                    value (20 bytes).
> -
> -  @retval TRUE   HMAC-SHA1 digest computation succeeded.
> -  @retval FALSE  HMAC-SHA1 digest computation failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Final (
> -  IN OUT  VOID   *HmacSha1Context,
> -  OUT     UINT8  *HmacValue
> -  );
> -
>  /**
>    Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA256
> use.
> 
> diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> index 33d7c13bff..4aae2aba95 100644
> --- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
> @@ -34,7 +34,6 @@
>    Hash/CryptSha256.c
>    Hash/CryptSha512.c
>    Hash/CryptSm3.c
> -  Hmac/CryptHmacSha1.c
>    Hmac/CryptHmacSha256.c
>    Kdf/CryptHkdf.c
>    Cipher/CryptAes.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
> b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
> deleted file mode 100644
> index 7593ca55b1..0000000000
> --- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1.c
> +++ /dev/null
> @@ -1,216 +0,0 @@
> -/** @file
> -  HMAC-SHA1 Wrapper Implementation over OpenSSL.
> -
> -Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -#include <openssl/hmac.h>
> -
> -/**
> -  Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1
> use.
> -
> -  @return  Pointer to the HMAC_CTX context that has been initialized.
> -           If the allocations fails, HmacSha1New() returns NULL.
> -
> -**/
> -VOID *
> -EFIAPI
> -HmacSha1New (
> -  VOID
> -  )
> -{
> -  //
> -  // Allocates & Initializes HMAC_CTX Context by OpenSSL HMAC_CTX_new()
> -  //
> -  return (VOID *) HMAC_CTX_new ();
> -}
> -
> -/**
> -  Release the specified HMAC_CTX context.
> -
> -  @param[in]  HmacSha1Ctx  Pointer to the HMAC_CTX context to be released.
> -
> -**/
> -VOID
> -EFIAPI
> -HmacSha1Free (
> -  IN  VOID  *HmacSha1Ctx
> -  )
> -{
> -  //
> -  // Free OpenSSL HMAC_CTX Context
> -  //
> -  HMAC_CTX_free ((HMAC_CTX *)HmacSha1Ctx);
> -}
> -
> -/**
> -  Set user-supplied key for subsequent use. It must be done before any
> -  calling to HmacSha1Update().
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -
> -  @param[out]  HmacSha1Context  Pointer to HMAC-SHA1 context.
> -  @param[in]   Key              Pointer to the user-supplied key.
> -  @param[in]   KeySize          Key size in bytes.
> -
> -  @retval TRUE   The Key is set successfully.
> -  @retval FALSE  The Key is set unsuccessfully.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1SetKey (
> -  OUT  VOID         *HmacSha1Context,
> -  IN   CONST UINT8  *Key,
> -  IN   UINTN        KeySize
> -  )
> -{
> -  //
> -  // Check input parameters.
> -  //
> -  if (HmacSha1Context == NULL || KeySize > INT_MAX) {
> -    return FALSE;
> -  }
> -
> -  if (HMAC_Init_ex ((HMAC_CTX *)HmacSha1Context, Key, (UINT32) KeySize,
> EVP_sha1(), NULL) != 1) {
> -    return FALSE;
> -  }
> -
> -  return TRUE;
> -}
> -
> -/**
> -  Makes a copy of an existing HMAC-SHA1 context.
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If NewHmacSha1Context is NULL, then return FALSE.
> -
> -  @param[in]  HmacSha1Context     Pointer to HMAC-SHA1 context being
> copied.
> -  @param[out] NewHmacSha1Context  Pointer to new HMAC-SHA1 context.
> -
> -  @retval TRUE   HMAC-SHA1 context copy succeeded.
> -  @retval FALSE  HMAC-SHA1 context copy failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Duplicate (
> -  IN   CONST VOID  *HmacSha1Context,
> -  OUT  VOID        *NewHmacSha1Context
> -  )
> -{
> -  //
> -  // Check input parameters.
> -  //
> -  if (HmacSha1Context == NULL || NewHmacSha1Context == NULL) {
> -    return FALSE;
> -  }
> -
> -  if (HMAC_CTX_copy ((HMAC_CTX *)NewHmacSha1Context, (HMAC_CTX
> *)HmacSha1Context) != 1) {
> -    return FALSE;
> -  }
> -
> -  return TRUE;
> -}
> -
> -/**
> -  Digests the input data and updates HMAC-SHA1 context.
> -
> -  This function performs HMAC-SHA1 digest on a data buffer of the specified
> size.
> -  It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> -  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not
> be finalized by
> -  HmacSha1Final(). Behavior with invalid context is undefined.
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -
> -  @param[in, out]  HmacSha1Context Pointer to the HMAC-SHA1 context.
> -  @param[in]       Data            Pointer to the buffer containing the data to be
> digested.
> -  @param[in]       DataSize        Size of Data buffer in bytes.
> -
> -  @retval TRUE   HMAC-SHA1 data digest succeeded.
> -  @retval FALSE  HMAC-SHA1 data digest failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Update (
> -  IN OUT  VOID        *HmacSha1Context,
> -  IN      CONST VOID  *Data,
> -  IN      UINTN       DataSize
> -  )
> -{
> -  //
> -  // Check input parameters.
> -  //
> -  if (HmacSha1Context == NULL) {
> -    return FALSE;
> -  }
> -
> -  //
> -  // Check invalid parameters, in case that only DataLength was checked in
> OpenSSL
> -  //
> -  if (Data == NULL && DataSize != 0) {
> -    return FALSE;
> -  }
> -
> -  //
> -  // OpenSSL HMAC-SHA1 digest update
> -  //
> -  if (HMAC_Update ((HMAC_CTX *)HmacSha1Context, Data, DataSize) != 1) {
> -    return FALSE;
> -  }
> -
> -  return TRUE;
> -}
> -
> -/**
> -  Completes computation of the HMAC-SHA1 digest value.
> -
> -  This function completes HMAC-SHA1 digest computation and retrieves the
> digest value into
> -  the specified memory. After this function has been called, the HMAC-SHA1
> context cannot
> -  be used again.
> -  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not
> be finalized by
> -  HmacSha1Final(). Behavior with invalid HMAC-SHA1 context is undefined.
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If HmacValue is NULL, then return FALSE.
> -
> -  @param[in, out]  HmacSha1Context  Pointer to the HMAC-SHA1 context.
> -  @param[out]      HmacValue        Pointer to a buffer that receives the HMAC-
> SHA1 digest
> -                                    value (20 bytes).
> -
> -  @retval TRUE   HMAC-SHA1 digest computation succeeded.
> -  @retval FALSE  HMAC-SHA1 digest computation failed.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Final (
> -  IN OUT  VOID   *HmacSha1Context,
> -  OUT     UINT8  *HmacValue
> -  )
> -{
> -  UINT32  Length;
> -
> -  //
> -  // Check input parameters.
> -  //
> -  if (HmacSha1Context == NULL || HmacValue == NULL) {
> -    return FALSE;
> -  }
> -
> -  //
> -  // OpenSSL HMAC-SHA1 digest finalization
> -  //
> -  if (HMAC_Final ((HMAC_CTX *)HmacSha1Context, HmacValue, &Length) != 1) {
> -    return FALSE;
> -  }
> -  if (HMAC_CTX_reset ((HMAC_CTX *)HmacSha1Context) != 1) {
> -    return FALSE;
> -  }
> -
> -  return TRUE;
> -}
> diff --git a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
> b/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
> deleted file mode 100644
> index e8c0f341b7..0000000000
> --- a/CryptoPkg/Library/BaseCryptLib/Hmac/CryptHmacSha1Null.c
> +++ /dev/null
> @@ -1,139 +0,0 @@
> -/** @file
> -  HMAC-SHA1 Wrapper Implementation which does not provide real capabilities.
> -
> -Copyright (c) 2012 - 2020, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -
> -/**
> -  Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1
> use.
> -
> -  Return NULL to indicate this interface is not supported.
> -
> -  @return  NULL  This interface is not supported..
> -
> -**/
> -VOID *
> -EFIAPI
> -HmacSha1New (
> -  VOID
> -  )
> -{
> -  ASSERT (FALSE);
> -  return NULL;
> -}
> -
> -/**
> -  Release the specified HMAC_CTX context.
> -
> -  This function will do nothing.
> -
> -  @param[in]  HmacSha1Ctx  Pointer to the HMAC_CTX context to be released.
> -
> -**/
> -VOID
> -EFIAPI
> -HmacSha1Free (
> -  IN  VOID  *HmacSha1Ctx
> -  )
> -{
> -  ASSERT (FALSE);
> -  return;
> -}
> -
> -/**
> -  Set user-supplied key for subsequent use. It must be done before any
> -  calling to HmacSha1Update().
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[out]  HmacSha1Context  Pointer to HMAC-SHA1 context.
> -  @param[in]   Key              Pointer to the user-supplied key.
> -  @param[in]   KeySize          Key size in bytes.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1SetKey (
> -  OUT  VOID         *HmacSha1Context,
> -  IN   CONST UINT8  *Key,
> -  IN   UINTN        KeySize
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Makes a copy of an existing HMAC-SHA1 context.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in]  HmacSha1Context     Pointer to HMAC-SHA1 context being
> copied.
> -  @param[out] NewHmacSha1Context  Pointer to new HMAC-SHA1 context.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Duplicate (
> -  IN   CONST VOID  *HmacSha1Context,
> -  OUT  VOID        *NewHmacSha1Context
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Digests the input data and updates HMAC-SHA1 context.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in, out]  HmacSha1Context Pointer to the HMAC-SHA1 context.
> -  @param[in]       Data            Pointer to the buffer containing the data to be
> digested.
> -  @param[in]       DataSize        Size of Data buffer in bytes.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Update (
> -  IN OUT  VOID        *HmacSha1Context,
> -  IN      CONST VOID  *Data,
> -  IN      UINTN       DataSize
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Completes computation of the HMAC-SHA1 digest value.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in, out]  HmacSha1Context  Pointer to the HMAC-SHA1 context.
> -  @param[out]      HmacValue        Pointer to a buffer that receives the HMAC-
> SHA1 digest
> -                                    value (20 bytes).
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Final (
> -  IN OUT  VOID   *HmacSha1Context,
> -  OUT     UINT8  *HmacValue
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> index 2a630ef290..dc28e3a11d 100644
> --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
> @@ -7,7 +7,7 @@
>  #  buffer overflow or integer overflow.
>  #
>  #  Note:
> -#  HMAC-SHA1/SHA256 functions, AES functions, RSA external
> +#  HMAC-SHA256 functions, AES functions, RSA external
>  #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509
>  #  certificate handler functions, authenticode signature verification functions,
>  #  PEM handler functions, and pseudorandom number generator functions are
> not
> @@ -40,7 +40,6 @@
>    Hash/CryptSha256.c
>    Hash/CryptSm3.c
>    Hash/CryptSha512.c
> -  Hmac/CryptHmacSha1Null.c
>    Hmac/CryptHmacSha256Null.c
>    Kdf/CryptHkdfNull.c
>    Cipher/CryptAesNull.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> index 95c71a8ae2..20ae64e8bf 100644
> --- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
> @@ -6,7 +6,7 @@
>  // This external input must be validated carefully to avoid security issues such as
>  // buffer overflow or integer overflow.
>  //
> -// Note: HMAC-SHA1 functions, AES
> +// Note: AES
>  // functions, RSA external functions, PKCS#7 SignedData sign functions,
>  // Diffie-Hellman functions, X.509 certificate handler functions, authenticode
>  // signature verification functions, PEM handler functions, and pseudorandom
> number
> @@ -21,5 +21,5 @@
> 
>  #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic
> Library Instance for PEIM"
> 
> -#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions,
> AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-
> Hellman functions, X.509 certificate handler functions, authenticode signature
> verification functions, PEM handler functions, and pseudorandom number
> generator functions are not supported in this instance."
> +#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: AES functions, RSA
> external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions,
> X.509 certificate handler functions, authenticode signature verification functions,
> PEM handler functions, and pseudorandom number generator functions are not
> supported in this instance."
> 
> diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> index 1642521087..5005beed02 100644
> --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
> @@ -7,7 +7,7 @@
>  #  buffer overflow or integer overflow.
>  #
>  #  Note: SHA-384 Digest functions, SHA-512 Digest functions,
> -#  HMAC-SHA1/SHA256 functions, AES functions, RSA external
> +#  HMAC-SHA256 functions, AES functions, RSA external
>  #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
>  #  authenticode signature verification functions are not supported in this
> instance.
>  #
> @@ -40,7 +40,6 @@
>    Hash/CryptSha256.c
>    Hash/CryptSm3.c
>    Hash/CryptSha512Null.c
> -  Hmac/CryptHmacSha1Null.c
>    Hmac/CryptHmacSha256Null.c
>    Kdf/CryptHkdfNull.c
>    Cipher/CryptAesNull.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> index f7e1acb3a7..0cf378c5ab 100644
> --- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
> @@ -6,7 +6,7 @@
>  // This external input must be validated carefully to avoid security issues such as
>  // buffer overflow or integer overflow.
>  //
> -// Note: HMAC-SHA1 functions, AES
> +// Note: AES
>  // functions, RSA external functions, PKCS#7 SignedData sign functions,
>  // Diffie-Hellman functions, and authenticode signature verification functions
> are
>  // not supported in this instance.
> @@ -20,5 +20,5 @@
> 
>  #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic
> Library Instance for DXE_RUNTIME_DRIVER"
> 
> -#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions,
> AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-
> Hellman functions, and authenticode signature verification functions are not
> supported in this instance."
> +#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: AES functions, RSA
> external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions,
> and authenticode signature verification functions are not supported in this
> instance."
> 
> diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> index ec9c8e7c05..91ec3e03bf 100644
> --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
> @@ -7,8 +7,7 @@
>  #  buffer overflow or integer overflow.
>  #
>  #  Note: SHA-384 Digest functions, SHA-512 Digest functions,
> -#  HMAC-SHA1 functions, RSA external
> -#  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and
> +#  RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman
> functions, and
>  #  authenticode signature verification functions are not supported in this
> instance.
>  #
>  #  Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>
> @@ -39,7 +38,6 @@
>    Hash/CryptSha256.c
>    Hash/CryptSm3.c
>    Hash/CryptSha512Null.c
> -  Hmac/CryptHmacSha1Null.c
>    Hmac/CryptHmacSha256.c
>    Kdf/CryptHkdfNull.c
>    Cipher/CryptAes.c
> diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> index 8eb3acac93..f0c33abbcf 100644
> --- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> +++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
> @@ -6,7 +6,7 @@
>  // This external input must be validated carefully to avoid security issues such as
>  // buffer overflow or integer overflow.
>  //
> -// Note: HMAC-SHA1 functions, AES
> +// Note: AES
>  // functions, RSA external functions, PKCS#7 SignedData sign functions,
>  // Diffie-Hellman functions, and authenticode signature verification functions
> are
>  // not supported in this instance.
> @@ -20,5 +20,5 @@
> 
>  #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic
> Library Instance for SMM driver"
> 
> -#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: HMAC-SHA1 functions,
> AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-
> Hellman functions, and authenticode signature verification functions are not
> supported in this instance."
> +#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This
> module requires additional review when modified. This library will have external
> input - signature. This external input must be validated carefully to avoid security
> issues such as buffer overflow or integer overflow. Note: AES functions, RSA
> external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions,
> and authenticode signature verification functions are not supported in this
> instance."
> 
> diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> index 558ccfc002..689af4fedd 100644
> --- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> +++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
> @@ -34,7 +34,6 @@
>    Hash/CryptSha256Null.c
>    Hash/CryptSha512Null.c
>    Hash/CryptSm3Null.c
> -  Hmac/CryptHmacSha1Null.c
>    Hmac/CryptHmacSha256Null.c
>    Kdf/CryptHkdfNull.c
>    Cipher/CryptAesNull.c
> diff --git a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c
> b/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c
> deleted file mode 100644
> index e8c0f341b7..0000000000
> --- a/CryptoPkg/Library/BaseCryptLibNull/Hmac/CryptHmacSha1Null.c
> +++ /dev/null
> @@ -1,139 +0,0 @@
> -/** @file
> -  HMAC-SHA1 Wrapper Implementation which does not provide real capabilities.
> -
> -Copyright (c) 2012 - 2020, Intel Corporation. All rights reserved.<BR>
> -SPDX-License-Identifier: BSD-2-Clause-Patent
> -
> -**/
> -
> -#include "InternalCryptLib.h"
> -
> -/**
> -  Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1
> use.
> -
> -  Return NULL to indicate this interface is not supported.
> -
> -  @return  NULL  This interface is not supported..
> -
> -**/
> -VOID *
> -EFIAPI
> -HmacSha1New (
> -  VOID
> -  )
> -{
> -  ASSERT (FALSE);
> -  return NULL;
> -}
> -
> -/**
> -  Release the specified HMAC_CTX context.
> -
> -  This function will do nothing.
> -
> -  @param[in]  HmacSha1Ctx  Pointer to the HMAC_CTX context to be released.
> -
> -**/
> -VOID
> -EFIAPI
> -HmacSha1Free (
> -  IN  VOID  *HmacSha1Ctx
> -  )
> -{
> -  ASSERT (FALSE);
> -  return;
> -}
> -
> -/**
> -  Set user-supplied key for subsequent use. It must be done before any
> -  calling to HmacSha1Update().
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[out]  HmacSha1Context  Pointer to HMAC-SHA1 context.
> -  @param[in]   Key              Pointer to the user-supplied key.
> -  @param[in]   KeySize          Key size in bytes.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1SetKey (
> -  OUT  VOID         *HmacSha1Context,
> -  IN   CONST UINT8  *Key,
> -  IN   UINTN        KeySize
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Makes a copy of an existing HMAC-SHA1 context.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in]  HmacSha1Context     Pointer to HMAC-SHA1 context being
> copied.
> -  @param[out] NewHmacSha1Context  Pointer to new HMAC-SHA1 context.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Duplicate (
> -  IN   CONST VOID  *HmacSha1Context,
> -  OUT  VOID        *NewHmacSha1Context
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Digests the input data and updates HMAC-SHA1 context.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in, out]  HmacSha1Context Pointer to the HMAC-SHA1 context.
> -  @param[in]       Data            Pointer to the buffer containing the data to be
> digested.
> -  @param[in]       DataSize        Size of Data buffer in bytes.
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Update (
> -  IN OUT  VOID        *HmacSha1Context,
> -  IN      CONST VOID  *Data,
> -  IN      UINTN       DataSize
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> -
> -/**
> -  Completes computation of the HMAC-SHA1 digest value.
> -
> -  Return FALSE to indicate this interface is not supported.
> -
> -  @param[in, out]  HmacSha1Context  Pointer to the HMAC-SHA1 context.
> -  @param[out]      HmacValue        Pointer to a buffer that receives the HMAC-
> SHA1 digest
> -                                    value (20 bytes).
> -
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Final (
> -  IN OUT  VOID   *HmacSha1Context,
> -  OUT     UINT8  *HmacValue
> -  )
> -{
> -  ASSERT (FALSE);
> -  return FALSE;
> -}
> diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> index dfe7fb7e91..a614b61ed4 100644
> --- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> +++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
> @@ -1015,157 +1015,6 @@ Sm3HashAll (
>  //    MAC (Message Authentication Code) Primitive
> 
> //===============================================================
> ======================
> 
> -/**
> -  Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1
> use.
> -
> -  If this interface is not supported, then return NULL.
> -
> -  @return  Pointer to the HMAC_CTX context that has been initialized.
> -           If the allocations fails, HmacSha1New() returns NULL.
> -  @return  NULL   This interface is not supported.
> -
> -**/
> -VOID *
> -EFIAPI
> -HmacSha1New (
> -  VOID
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (HmacSha1New, (), NULL);
> -}
> -
> -/**
> -  Release the specified HMAC_CTX context.
> -
> -  If this interface is not supported, then do nothing.
> -
> -  @param[in]  HmacSha1Ctx  Pointer to the HMAC_CTX context to be released.
> -
> -**/
> -VOID
> -EFIAPI
> -HmacSha1Free (
> -  IN  VOID  *HmacSha1Ctx
> -  )
> -{
> -  CALL_VOID_CRYPTO_SERVICE (HmacSha1Free, (HmacSha1Ctx));
> -}
> -
> -/**
> -  Set user-supplied key for subsequent use. It must be done before any
> -  calling to HmacSha1Update().
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[out]  HmacSha1Context  Pointer to HMAC-SHA1 context.
> -  @param[in]   Key              Pointer to the user-supplied key.
> -  @param[in]   KeySize          Key size in bytes.
> -
> -  @retval TRUE   The Key is set successfully.
> -  @retval FALSE  The Key is set unsuccessfully.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1SetKey (
> -  OUT  VOID         *HmacSha1Context,
> -  IN   CONST UINT8  *Key,
> -  IN   UINTN        KeySize
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (HmacSha1SetKey, (HmacSha1Context, Key, KeySize),
> FALSE);
> -}
> -
> -/**
> -  Makes a copy of an existing HMAC-SHA1 context.
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If NewHmacSha1Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]  HmacSha1Context     Pointer to HMAC-SHA1 context being
> copied.
> -  @param[out] NewHmacSha1Context  Pointer to new HMAC-SHA1 context.
> -
> -  @retval TRUE   HMAC-SHA1 context copy succeeded.
> -  @retval FALSE  HMAC-SHA1 context copy failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Duplicate (
> -  IN   CONST VOID  *HmacSha1Context,
> -  OUT  VOID        *NewHmacSha1Context
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (HmacSha1Duplicate, (HmacSha1Context,
> NewHmacSha1Context), FALSE);
> -}
> -
> -/**
> -  Digests the input data and updates HMAC-SHA1 context.
> -
> -  This function performs HMAC-SHA1 digest on a data buffer of the specified
> size.
> -  It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> -  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not
> be finalized by
> -  HmacSha1Final(). Behavior with invalid context is undefined.
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  HmacSha1Context Pointer to the HMAC-SHA1 context.
> -  @param[in]       Data            Pointer to the buffer containing the data to be
> digested.
> -  @param[in]       DataSize        Size of Data buffer in bytes.
> -
> -  @retval TRUE   HMAC-SHA1 data digest succeeded.
> -  @retval FALSE  HMAC-SHA1 data digest failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Update (
> -  IN OUT  VOID        *HmacSha1Context,
> -  IN      CONST VOID  *Data,
> -  IN      UINTN       DataSize
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (HmacSha1Update, (HmacSha1Context, Data,
> DataSize), FALSE);
> -}
> -
> -/**
> -  Completes computation of the HMAC-SHA1 digest value.
> -
> -  This function completes HMAC-SHA1 hash computation and retrieves the
> digest value into
> -  the specified memory. After this function has been called, the HMAC-SHA1
> context cannot
> -  be used again.
> -  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not
> be finalized
> -  by HmacSha1Final(). Behavior with invalid HMAC-SHA1 context is undefined.
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If HmacValue is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  HmacSha1Context  Pointer to the HMAC-SHA1 context.
> -  @param[out]      HmacValue        Pointer to a buffer that receives the HMAC-
> SHA1 digest
> -                                    value (20 bytes).
> -
> -  @retval TRUE   HMAC-SHA1 digest computation succeeded.
> -  @retval FALSE  HMAC-SHA1 digest computation failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
> -BOOLEAN
> -EFIAPI
> -HmacSha1Final (
> -  IN OUT  VOID   *HmacSha1Context,
> -  OUT     UINT8  *HmacValue
> -  )
> -{
> -  CALL_CRYPTO_SERVICE (HmacSha1Final, (HmacSha1Context, HmacValue),
> FALSE);
> -}
> -
>  /**
>    Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA256
> use.
> 
> diff --git a/CryptoPkg/Private/Protocol/Crypto.h
> b/CryptoPkg/Private/Protocol/Crypto.h
> index bd4cd7f383..d167390774 100644
> --- a/CryptoPkg/Private/Protocol/Crypto.h
> +++ b/CryptoPkg/Private/Protocol/Crypto.h
> @@ -89,140 +89,49 @@ BOOLEAN
>    OUT     UINT8  *HmacValue
>    );
> 
> -
>  /**
> -  Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1
> use.
> -
> -  If this interface is not supported, then return NULL.
> -
> -  @return  Pointer to the HMAC_CTX context that has been initialized.
> -           If the allocations fails, HmacSha1New() returns NULL.
> -  @return  NULL   This interface is not supported.
> +  HMAC SHA1 is deprecated and unsupported any longer.
> +  Keep the function field for binary compability.
> 
>  **/
>  typedef
>  VOID*
> -(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_NEW) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_NEW) (
>    VOID
>    );
> 
> -/**
> -  Release the specified HMAC_CTX context.
> -
> -  If this interface is not supported, then do nothing.
> -
> -  @param[in]  HmacSha1Ctx  Pointer to the HMAC_CTX context to be released.
> -
> -**/
>  typedef
>  VOID
> -(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_FREE) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_FREE) (
>    IN  VOID  *HmacSha1Ctx
>    );
> 
> -
> -/**
> -  Set user-supplied key for subsequent use. It must be done before any
> -  calling to HmacSha1Update().
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[out]  HmacSha1Context  Pointer to HMAC-SHA1 context.
> -  @param[in]   Key              Pointer to the user-supplied key.
> -  @param[in]   KeySize          Key size in bytes.
> -
> -  @retval TRUE   The Key is set successfully.
> -  @retval FALSE  The Key is set unsuccessfully.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  typedef
>  BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_SET_KEY) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_SET_KEY) (
>    OUT  VOID         *HmacSha1Context,
>    IN   CONST UINT8  *Key,
>    IN   UINTN        KeySize
>    );
> 
> -
> -/**
> -  Makes a copy of an existing HMAC-SHA1 context.
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If NewHmacSha1Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in]  HmacSha1Context     Pointer to HMAC-SHA1 context being
> copied.
> -  @param[out] NewHmacSha1Context  Pointer to new HMAC-SHA1 context.
> -
> -  @retval TRUE   HMAC-SHA1 context copy succeeded.
> -  @retval FALSE  HMAC-SHA1 context copy failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  typedef
>  BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_DUPLICATE) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_DUPLICATE) (
>    IN   CONST VOID  *HmacSha1Context,
>    OUT  VOID        *NewHmacSha1Context
>    );
> 
> -
> -/**
> -  Digests the input data and updates HMAC-SHA1 context.
> -
> -  This function performs HMAC-SHA1 digest on a data buffer of the specified
> size.
> -  It can be called multiple times to compute the digest of long or discontinuous
> data streams.
> -  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not
> be finalized by
> -  HmacSha1Final(). Behavior with invalid context is undefined.
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  HmacSha1Context Pointer to the HMAC-SHA1 context.
> -  @param[in]       Data            Pointer to the buffer containing the data to be
> digested.
> -  @param[in]       DataSize        Size of Data buffer in bytes.
> -
> -  @retval TRUE   HMAC-SHA1 data digest succeeded.
> -  @retval FALSE  HMAC-SHA1 data digest failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  typedef
>  BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_UPDATE) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_UPDATE) (
>    IN OUT  VOID        *HmacSha1Context,
>    IN      CONST VOID  *Data,
>    IN      UINTN       DataSize
>    );
> 
> -
> -/**
> -  Completes computation of the HMAC-SHA1 digest value.
> -
> -  This function completes HMAC-SHA1 hash computation and retrieves the
> digest value into
> -  the specified memory. After this function has been called, the HMAC-SHA1
> context cannot
> -  be used again.
> -  HMAC-SHA1 context should be initialized by HmacSha1New(), and should not
> be finalized
> -  by HmacSha1Final(). Behavior with invalid HMAC-SHA1 context is undefined.
> -
> -  If HmacSha1Context is NULL, then return FALSE.
> -  If HmacValue is NULL, then return FALSE.
> -  If this interface is not supported, then return FALSE.
> -
> -  @param[in, out]  HmacSha1Context  Pointer to the HMAC-SHA1 context.
> -  @param[out]      HmacValue        Pointer to a buffer that receives the HMAC-
> SHA1 digest
> -                                    value (20 bytes).
> -
> -  @retval TRUE   HMAC-SHA1 digest computation succeeded.
> -  @retval FALSE  HMAC-SHA1 digest computation failed.
> -  @retval FALSE  This interface is not supported.
> -
> -**/
>  typedef
>  BOOLEAN
> -(EFIAPI *EDKII_CRYPTO_HMAC_SHA1_FINAL) (
> +(EFIAPI *DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_FINAL) (
>    IN OUT  VOID   *HmacSha1Context,
>    OUT     UINT8  *HmacValue
>    );
> @@ -3538,13 +3447,13 @@ struct _EDKII_CRYPTO_PROTOCOL {
>    DEPRECATED_EDKII_CRYPTO_HMAC_MD5_DUPLICATE
> DeprecatedHmacMd5Duplicate;
>    DEPRECATED_EDKII_CRYPTO_HMAC_MD5_UPDATE
> DeprecatedHmacMd5Update;
>    DEPRECATED_EDKII_CRYPTO_HMAC_MD5_FINAL
> DeprecatedHmacMd5Final;
> -  /// HMAC SHA1
> -  EDKII_CRYPTO_HMAC_SHA1_NEW                      HmacSha1New;
> -  EDKII_CRYPTO_HMAC_SHA1_FREE                     HmacSha1Free;
> -  EDKII_CRYPTO_HMAC_SHA1_SET_KEY                  HmacSha1SetKey;
> -  EDKII_CRYPTO_HMAC_SHA1_DUPLICATE                HmacSha1Duplicate;
> -  EDKII_CRYPTO_HMAC_SHA1_UPDATE                   HmacSha1Update;
> -  EDKII_CRYPTO_HMAC_SHA1_FINAL                    HmacSha1Final;
> +  /// HMAC SHA1 - deprecated and unsupported
> +  DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_NEW
> DeprecatedHmacSha1New;
> +  DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_FREE
> DeprecatedHmacSha1Free;
> +  DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_SET_KEY
> DeprecatedHmacSha1SetKey;
> +  DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_DUPLICATE
> DeprecatedHmacSha1Duplicate;
> +  DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_UPDATE
> DeprecatedHmacSha1Update;
> +  DEPRECATED_EDKII_CRYPTO_HMAC_SHA1_FINAL
> DeprecatedHmacSha1Final;
>    /// HMAC SHA256
>    EDKII_CRYPTO_HMAC_SHA256_NEW                    HmacSha256New;
>    EDKII_CRYPTO_HMAC_SHA256_FREE                   HmacSha256Free;
> --
> 2.21.0.windows.1


-=-=-=-=-=-=-=-=-=-=-=-
Groups.io Links: You receive all messages sent to this group.

View/Reply Online (#58891): https://edk2.groups.io/g/devel/message/58891
Mute This Topic: https://groups.io/mt/74041199/1787277
Group Owner: devel+owner@edk2.groups.io
Unsubscribe: https://edk2.groups.io/g/devel/unsub  [importer@patchew.org]
-=-=-=-=-=-=-=-=-=-=-=-