CryptoPkg/BaseCryptLib: Retire HMAC MD5 algorithm

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898 HMAC MD5 is not secure any longer. Remove the HMAC MD5 support from edk2. Change the HMAC MD5 field name in EDKII_CRYPTO_PROTOCOL to indicate the function is unsupported any longer. Cc: Jian J Wang <[email protected]> Cc: Xiaoyu Lu <[email protected]> Cc: Siyuan Fu <[email protected]> Cc: Michael D Kinney <[email protected]> Cc: Jiewen Yao <[email protected]> Cc: Philippe Mathieu-Daude <[email protected]> Reviewed-by: Jian J Wang <[email protected]> Signed-off-by: Zhichao Gao <[email protected]>
saislam · May 15, 2020 · b6174e2 · b6174e2
1 parent 89db28b
commit b6174e2
Show file tree

Hide file tree

Showing 16 changed files with 55 additions and 960 deletions.
diff --git a/CryptoPkg/CryptoPkg.dsc b/CryptoPkg/CryptoPkg.dsc
@@ -137,7 +137,6 @@
   gEfiMdePkgTokenSpaceGuid.PcdReportStatusCodePropertyMask|0x06
 
 !if $(CRYPTO_SERVICES) IN "PACKAGE ALL"
-  gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacMd5.Family                           | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha1.Family                          | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.HmacSha256.Family                        | PCD_CRYPTO_SERVICE_ENABLE_FAMILY
   gEfiCryptoPkgTokenSpaceGuid.PcdCryptoServiceFamilyEnable.Md5.Family                               | PCD_CRYPTO_SERVICE_ENABLE_FAMILY

diff --git a/CryptoPkg/Driver/Crypto.c b/CryptoPkg/Driver/Crypto.c
@@ -1160,154 +1160,120 @@ CryptoServiceSm3HashAll (
 //=====================================================================================
 
 /**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5 use.
-
-  If this interface is not supported, then return NULL.
+  HMAC MD5 is deprecated and unsupported any longer.
+  Keep the function field for binary compability.
 
-  @return  Pointer to the HMAC_CTX context that has been initialized.
-           If the allocations fails, HmacMd5New() returns NULL.
   @retval  NULL  This interface is not supported.
 
 **/
 VOID *
 EFIAPI
-CryptoServiceHmacMd5New (
+DeprecatedCryptoServiceHmacMd5New (
   VOID
   )
 {
-  return CALL_BASECRYPTLIB (HmacMd5.Services.New, HmacMd5New, (), NULL);
+  return BaseCryptLibServiceDeprecated ("HmacMd5New"), NULL;
 }
 
 /**
-  Release the specified HMAC_CTX context.
-
-  If this interface is not supported, then do nothing.
+  HMAC MD5 is deprecated and unsupported any longer.
+  Keep the function field for binary compability.
 
   @param[in]  HmacMd5Ctx  Pointer to the HMAC_CTX context to be released.
 
 **/
 VOID
 EFIAPI
-CryptoServiceHmacMd5Free (
+DeprecatedCryptoServiceHmacMd5Free (
   IN  VOID  *HmacMd5Ctx
   )
 {
-  CALL_VOID_BASECRYPTLIB (HmacMd5.Services.Free, HmacMd5Free, (HmacMd5Ctx));
+  BaseCryptLibServiceDeprecated ("HmacMd5Free");
 }
 
 /**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacMd5Update().
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
+  HMAC MD5 is deprecated and unsupported any longer.
+  Keep the function field for binary compability.
 
   @param[out]  HmacMd5Context  Pointer to HMAC-MD5 context.
   @param[in]   Key             Pointer to the user-supplied key.
   @param[in]   KeySize         Key size in bytes.
 
-  @retval TRUE   Key is set successfully.
-  @retval FALSE  Key is set unsuccessfully.
   @retval FALSE  This interface is not supported.
 
 **/
 BOOLEAN
 EFIAPI
-CryptoServiceHmacMd5SetKey (
+DeprecatedCryptoServiceHmacMd5SetKey (
   OUT  VOID         *HmacMd5Context,
   IN   CONST UINT8  *Key,
   IN   UINTN        KeySize
   )
 {
-  return CALL_BASECRYPTLIB (HmacMd5.Services.SetKey, HmacMd5SetKey, (HmacMd5Context, Key, KeySize), FALSE);
+  return BaseCryptLibServiceDeprecated ("HmacMd5SetKey"), FALSE;
 }
 
 /**
-  Makes a copy of an existing HMAC-MD5 context.
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If NewHmacMd5Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
+  HMAC MD5 is deprecated and unsupported any longer.
+  Keep the function field for binary compability.
 
   @param[in]  HmacMd5Context     Pointer to HMAC-MD5 context being copied.
   @param[out] NewHmacMd5Context  Pointer to new HMAC-MD5 context.
 
-  @retval TRUE   HMAC-MD5 context copy succeeded.
-  @retval FALSE  HMAC-MD5 context copy failed.
   @retval FALSE  This interface is not supported.
 
 **/
 BOOLEAN
 EFIAPI
-CryptoServiceHmacMd5Duplicate (
+DeprecatedCryptoServiceHmacMd5Duplicate (
   IN   CONST VOID  *HmacMd5Context,
   OUT  VOID        *NewHmacMd5Context
   )
 {
-  return CALL_BASECRYPTLIB (HmacMd5.Services.Duplicate, HmacMd5Duplicate, (HmacMd5Context, NewHmacMd5Context), FALSE);
+  return BaseCryptLibServiceDeprecated ("HmacMd5Duplicate"), FALSE;
 }
 
 /**
-  Digests the input data and updates HMAC-MD5 context.
-
-  This function performs HMAC-MD5 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  HMAC-MD5 context should be initialized by HmacMd5New(), and should not be finalized by
-  HmacMd5Final(). Behavior with invalid context is undefined.
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
+  HMAC MD5 is deprecated and unsupported any longer.
+  Keep the function field for binary compability.
 
   @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
   @param[in]       Data            Pointer to the buffer containing the data to be digested.
   @param[in]       DataSize        Size of Data buffer in bytes.
 
-  @retval TRUE   HMAC-MD5 data digest succeeded.
-  @retval FALSE  HMAC-MD5 data digest failed.
   @retval FALSE  This interface is not supported.
 
 **/
 BOOLEAN
 EFIAPI
-CryptoServiceHmacMd5Update (
+DeprecatedCryptoServiceHmacMd5Update (
   IN OUT  VOID        *HmacMd5Context,
   IN      CONST VOID  *Data,
   IN      UINTN       DataSize
   )
 {
-  return CALL_BASECRYPTLIB (HmacMd5.Services.Update, HmacMd5Update, (HmacMd5Context, Data, DataSize), FALSE);
+  return BaseCryptLibServiceDeprecated ("HmacMd5Update"), FALSE;
 }
 
 /**
-  Completes computation of the HMAC-MD5 digest value.
-
-  This function completes HMAC-MD5 hash computation and retrieves the digest value into
-  the specified memory. After this function has been called, the HMAC-MD5 context cannot
-  be used again.
-  HMAC-MD5 context should be initialized by HmacMd5New(), and should not be finalized by
-  HmacMd5Final(). Behavior with invalid HMAC-MD5 context is undefined.
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If HmacValue is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
+  HMAC MD5 is deprecated and unsupported any longer.
+  Keep the function field for binary compability.
 
   @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
   @param[out]      HmacValue       Pointer to a buffer that receives the HMAC-MD5 digest
                                    value (16 bytes).
 
-  @retval TRUE   HMAC-MD5 digest computation succeeded.
-  @retval FALSE  HMAC-MD5 digest computation failed.
   @retval FALSE  This interface is not supported.
 
 **/
 BOOLEAN
 EFIAPI
-CryptoServiceHmacMd5Final (
+DeprecatedCryptoServiceHmacMd5Final (
   IN OUT  VOID   *HmacMd5Context,
   OUT     UINT8  *HmacValue
   )
 {
-  return CALL_BASECRYPTLIB (HmacMd5.Services.Final, HmacMd5Final, (HmacMd5Context, HmacValue), FALSE);
+  return BaseCryptLibServiceDeprecated ("HmacMd5Final"), FALSE;
 }
 
 /**
@@ -4234,13 +4200,13 @@ CryptoServiceTlsGetCertRevocationList (
 const EDKII_CRYPTO_PROTOCOL mEdkiiCrypto = {
   /// Version
   CryptoServiceGetCryptoVersion,
-  /// HMAC MD5
-  CryptoServiceHmacMd5New,
-  CryptoServiceHmacMd5Free,
-  CryptoServiceHmacMd5SetKey,
-  CryptoServiceHmacMd5Duplicate,
-  CryptoServiceHmacMd5Update,
-  CryptoServiceHmacMd5Final,
+  /// HMAC MD5 - deprecated and unsupported
+  DeprecatedCryptoServiceHmacMd5New,
+  DeprecatedCryptoServiceHmacMd5Free,
+  DeprecatedCryptoServiceHmacMd5SetKey,
+  DeprecatedCryptoServiceHmacMd5Duplicate,
+  DeprecatedCryptoServiceHmacMd5Update,
+  DeprecatedCryptoServiceHmacMd5Final,
   /// HMAC SHA1
   CryptoServiceHmacSha1New,
   CryptoServiceHmacSha1Free,

diff --git a/CryptoPkg/Include/Library/BaseCryptLib.h b/CryptoPkg/Include/Library/BaseCryptLib.h
@@ -880,139 +880,6 @@ Sm3HashAll (
 //    MAC (Message Authentication Code) Primitive
 //=====================================================================================
 
-/**
-  Allocates and initializes one HMAC_CTX context for subsequent HMAC-MD5 use.
-
-  If this interface is not supported, then return NULL.
-
-  @return  Pointer to the HMAC_CTX context that has been initialized.
-           If the allocations fails, HmacMd5New() returns NULL.
-  @retval  NULL  This interface is not supported.
-
-**/
-VOID *
-EFIAPI
-HmacMd5New (
-  VOID
-  );
-
-/**
-  Release the specified HMAC_CTX context.
-
-  If this interface is not supported, then do nothing.
-
-  @param[in]  HmacMd5Ctx  Pointer to the HMAC_CTX context to be released.
-
-**/
-VOID
-EFIAPI
-HmacMd5Free (
-  IN  VOID  *HmacMd5Ctx
-  );
-
-/**
-  Set user-supplied key for subsequent use. It must be done before any
-  calling to HmacMd5Update().
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[out]  HmacMd5Context  Pointer to HMAC-MD5 context.
-  @param[in]   Key             Pointer to the user-supplied key.
-  @param[in]   KeySize         Key size in bytes.
-
-  @retval TRUE   Key is set successfully.
-  @retval FALSE  Key is set unsuccessfully.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5SetKey (
-  OUT  VOID         *HmacMd5Context,
-  IN   CONST UINT8  *Key,
-  IN   UINTN        KeySize
-  );
-
-/**
-  Makes a copy of an existing HMAC-MD5 context.
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If NewHmacMd5Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in]  HmacMd5Context     Pointer to HMAC-MD5 context being copied.
-  @param[out] NewHmacMd5Context  Pointer to new HMAC-MD5 context.
-
-  @retval TRUE   HMAC-MD5 context copy succeeded.
-  @retval FALSE  HMAC-MD5 context copy failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Duplicate (
-  IN   CONST VOID  *HmacMd5Context,
-  OUT  VOID        *NewHmacMd5Context
-  );
-
-/**
-  Digests the input data and updates HMAC-MD5 context.
-
-  This function performs HMAC-MD5 digest on a data buffer of the specified size.
-  It can be called multiple times to compute the digest of long or discontinuous data streams.
-  HMAC-MD5 context should be initialized by HmacMd5New(), and should not be finalized by
-  HmacMd5Final(). Behavior with invalid context is undefined.
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
-  @param[in]       Data            Pointer to the buffer containing the data to be digested.
-  @param[in]       DataSize        Size of Data buffer in bytes.
-
-  @retval TRUE   HMAC-MD5 data digest succeeded.
-  @retval FALSE  HMAC-MD5 data digest failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Update (
-  IN OUT  VOID        *HmacMd5Context,
-  IN      CONST VOID  *Data,
-  IN      UINTN       DataSize
-  );
-
-/**
-  Completes computation of the HMAC-MD5 digest value.
-
-  This function completes HMAC-MD5 hash computation and retrieves the digest value into
-  the specified memory. After this function has been called, the HMAC-MD5 context cannot
-  be used again.
-  HMAC-MD5 context should be initialized by HmacMd5New(), and should not be finalized by
-  HmacMd5Final(). Behavior with invalid HMAC-MD5 context is undefined.
-
-  If HmacMd5Context is NULL, then return FALSE.
-  If HmacValue is NULL, then return FALSE.
-  If this interface is not supported, then return FALSE.
-
-  @param[in, out]  HmacMd5Context  Pointer to the HMAC-MD5 context.
-  @param[out]      HmacValue       Pointer to a buffer that receives the HMAC-MD5 digest
-                                   value (16 bytes).
-
-  @retval TRUE   HMAC-MD5 digest computation succeeded.
-  @retval FALSE  HMAC-MD5 digest computation failed.
-  @retval FALSE  This interface is not supported.
-
-**/
-BOOLEAN
-EFIAPI
-HmacMd5Final (
-  IN OUT  VOID   *HmacMd5Context,
-  OUT     UINT8  *HmacValue
-  );
-
 /**
   Allocates and initializes one HMAC_CTX context for subsequent HMAC-SHA1 use.
 

diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -34,7 +34,6 @@
   Hash/CryptSha256.c
   Hash/CryptSha512.c
   Hash/CryptSm3.c
-  Hmac/CryptHmacMd5.c
   Hmac/CryptHmacSha1.c
   Hmac/CryptHmacSha256.c
   Kdf/CryptHkdf.c