CryptoPkg/BaseCryptLib: Retire the TDES algorithm

REF: https://bugzilla.tianocore.org/show_bug.cgi?id=1898

TDES is not secure any longer.
Remove the Tdes support from edk2.
Change the Tdes field name in EDKII_CRYPTO_PROTOCOL to indicate the
function is unsupported any longer.

Cc: Jian J Wang <jian.j.wang@intel.com>
Cc: Xiaoyu Lu <xiaoyux.lu@intel.com>
Cc: Siyuan Fu <siyuan.fu@intel.com>
Cc: Michael D Kinney <michael.d.kinney@intel.com>
Cc: Jiewen Yao <jiewen.yao@intel.com>
Cc: Philippe Mathieu-Daude <philmd@redhat.com>
Reviewed-by: Jian J Wang <jian.j.wang@intel.com>
Signed-off-by: Zhichao Gao <zhichao.gao@intel.com>

13 files changed, 14 insertions, 920 deletions

diff --git a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
index da38ea552f..2de8e9c346 100644
--- a/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/BaseCryptLib.inf
@@ -39,7 +39,6 @@
   Hmac/CryptHmacSha256.c

   Kdf/CryptHkdf.c

   Cipher/CryptAes.c

-  Cipher/CryptTdes.c

   Pk/CryptRsaBasic.c

   Pk/CryptRsaExt.c

   Pk/CryptPkcs1Oaep.c

diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
deleted file mode 100644
index fd799f3398..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdes.c
+++ /dev/null
@@ -1,364 +0,0 @@
-/** @file

-  TDES Wrapper Implementation over OpenSSL.

-

-Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.<BR>

-SPDX-License-Identifier: BSD-2-Clause-Patent

-

-**/

-

-#include "InternalCryptLib.h"

-#include <openssl/des.h>

-

-/**

-  Retrieves the size, in bytes, of the context buffer required for TDES operations.

-

-  @return  The size, in bytes, of the context buffer required for TDES operations.

-

-**/

-UINTN

-EFIAPI

-TdesGetContextSize (

-  VOID

-  )

-{

-  //

-  // Memory for 3 copies of DES_key_schedule is allocated, for K1, K2 and K3 each.

-  //

-  return (UINTN) (3 * sizeof (DES_key_schedule));

-}

-

-/**

-  Initializes user-supplied memory as TDES context for subsequent use.

-

-  This function initializes user-supplied memory pointed by TdesContext as TDES context.

-  In addition, it sets up all TDES key materials for subsequent encryption and decryption

-  operations.

-  There are 3 key options as follows:

-  KeyLength = 64,  Keying option 1: K1 == K2 == K3 (Backward compatibility with DES)

-  KeyLength = 128, Keying option 2: K1 != K2 and K3 = K1 (Less Security)

-  KeyLength = 192  Keying option 3: K1 != K2 != K3 (Strongest)

-

-  If TdesContext is NULL, then return FALSE.

-  If Key is NULL, then return FALSE.

-  If KeyLength is not valid, then return FALSE.

-

-  @param[out]  TdesContext  Pointer to TDES context being initialized.

-  @param[in]   Key          Pointer to the user-supplied TDES key.

-  @param[in]   KeyLength    Length of TDES key in bits.

-

-  @retval TRUE   TDES context initialization succeeded.

-  @retval FALSE  TDES context initialization failed.

-

-**/

-BOOLEAN

-EFIAPI

-TdesInit (

-  OUT  VOID         *TdesContext,

-  IN   CONST UINT8  *Key,

-  IN   UINTN        KeyLength

-  )

-{

-  DES_key_schedule  *KeySchedule;

-

-  //

-  // Check input parameters.

-  //

-  if (TdesContext == NULL || Key == NULL || (KeyLength != 64 && KeyLength != 128 && KeyLength != 192)) {

-    return FALSE;

-  }

-

-  KeySchedule = (DES_key_schedule *) TdesContext;

-

-  //

-  // If input Key is a weak key, return error.

-  //

-  if (DES_is_weak_key ((const_DES_cblock *) Key) == 1) {

-    return FALSE;

-  }

-

-  DES_set_key_unchecked ((const_DES_cblock *) Key, KeySchedule);

-

-  if (KeyLength == 64) {

-    CopyMem (KeySchedule + 1, KeySchedule, sizeof (DES_key_schedule));

-    CopyMem (KeySchedule + 2, KeySchedule, sizeof (DES_key_schedule));

-    return TRUE;

-  }

-

-  if (DES_is_weak_key ((const_DES_cblock *) (Key + 8)) == 1) {

-    return FALSE;

-  }

-

-  DES_set_key_unchecked ((const_DES_cblock *) (Key + 8), KeySchedule + 1);

-

-  if (KeyLength == 128) {

-    CopyMem (KeySchedule + 2, KeySchedule, sizeof (DES_key_schedule));

-    return TRUE;

-  }

-

-  if (DES_is_weak_key ((const_DES_cblock *) (Key + 16)) == 1) {

-    return FALSE;

-  }

-

-  DES_set_key_unchecked ((const_DES_cblock *) (Key + 16), KeySchedule + 2);

-

-  return TRUE;

-}

-

-/**

-  Performs TDES encryption on a data buffer of the specified size in ECB mode.

-

-  This function performs TDES encryption on data buffer pointed by Input, of specified

-  size of InputSize, in ECB mode.

-  InputSize must be multiple of block size (8 bytes). This function does not perform

-  padding. Caller must perform padding, if necessary, to ensure valid input data size.

-  TdesContext should be already correctly initialized by TdesInit(). Behavior with

-  invalid TDES context is undefined.

-

-  If TdesContext is NULL, then return FALSE.

-  If Input is NULL, then return FALSE.

-  If InputSize is not multiple of block size (8 bytes), then return FALSE.

-  If Output is NULL, then return FALSE.

-

-  @param[in]   TdesContext  Pointer to the TDES context.

-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.

-  @param[in]   InputSize    Size of the Input buffer in bytes.

-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.

-

-  @retval TRUE   TDES encryption succeeded.

-  @retval FALSE  TDES encryption failed.

-

-**/

-BOOLEAN

-EFIAPI

-TdesEcbEncrypt (

-  IN   VOID         *TdesContext,

-  IN   CONST UINT8  *Input,

-  IN   UINTN        InputSize,

-  OUT  UINT8        *Output

-  )

-{

-  DES_key_schedule  *KeySchedule;

-

-  //

-  // Check input parameters.

-  //

-  if (TdesContext == NULL || Input == NULL || (InputSize % TDES_BLOCK_SIZE) != 0 || Output == NULL) {

-    return FALSE;

-  }

-

-  KeySchedule = (DES_key_schedule *) TdesContext;

-

-  while (InputSize > 0) {

-    DES_ecb3_encrypt (

-      (const_DES_cblock *) Input,

-      (DES_cblock *) Output,

-      KeySchedule,

-      KeySchedule + 1,

-      KeySchedule + 2,

-      DES_ENCRYPT

-      );

-    Input     += TDES_BLOCK_SIZE;

-    Output    += TDES_BLOCK_SIZE;

-    InputSize -= TDES_BLOCK_SIZE;

-  }

-

-  return TRUE;

-}

-

-/**

-  Performs TDES decryption on a data buffer of the specified size in ECB mode.

-

-  This function performs TDES decryption on data buffer pointed by Input, of specified

-  size of InputSize, in ECB mode.

-  InputSize must be multiple of block size (8 bytes). This function does not perform

-  padding. Caller must perform padding, if necessary, to ensure valid input data size.

-  TdesContext should be already correctly initialized by TdesInit(). Behavior with

-  invalid TDES context is undefined.

-

-  If TdesContext is NULL, then return FALSE.

-  If Input is NULL, then return FALSE.

-  If InputSize is not multiple of block size (8 bytes), then return FALSE.

-  If Output is NULL, then return FALSE.

-

-  @param[in]   TdesContext  Pointer to the TDES context.

-  @param[in]   Input        Pointer to the buffer containing the data to be decrypted.

-  @param[in]   InputSize    Size of the Input buffer in bytes.

-  @param[out]  Output       Pointer to a buffer that receives the TDES decryption output.

-

-  @retval TRUE   TDES decryption succeeded.

-  @retval FALSE  TDES decryption failed.

-

-**/

-BOOLEAN

-EFIAPI

-TdesEcbDecrypt (

-  IN   VOID         *TdesContext,

-  IN   CONST UINT8  *Input,

-  IN   UINTN        InputSize,

-  OUT  UINT8        *Output

-  )

-{

-  DES_key_schedule  *KeySchedule;

-

-  //

-  // Check input parameters.

-  //

-  if (TdesContext == NULL || Input == NULL || (InputSize % TDES_BLOCK_SIZE) != 0 || Output == NULL) {

-    return FALSE;

-  }

-

-  KeySchedule = (DES_key_schedule *) TdesContext;

-

-  while (InputSize > 0) {

-    DES_ecb3_encrypt (

-      (const_DES_cblock *) Input,

-      (DES_cblock *) Output,

-      KeySchedule,

-      KeySchedule + 1,

-      KeySchedule + 2,

-      DES_DECRYPT

-      );

-    Input     += TDES_BLOCK_SIZE;

-    Output    += TDES_BLOCK_SIZE;

-    InputSize -= TDES_BLOCK_SIZE;

-  }

-

-  return TRUE;

-}

-

-/**

-  Performs TDES encryption on a data buffer of the specified size in CBC mode.

-

-  This function performs TDES encryption on data buffer pointed by Input, of specified

-  size of InputSize, in CBC mode.

-  InputSize must be multiple of block size (8 bytes). This function does not perform

-  padding. Caller must perform padding, if necessary, to ensure valid input data size.

-  Initialization vector should be one block size (8 bytes).

-  TdesContext should be already correctly initialized by TdesInit(). Behavior with

-  invalid TDES context is undefined.

-

-  If TdesContext is NULL, then return FALSE.

-  If Input is NULL, then return FALSE.

-  If InputSize is not multiple of block size (8 bytes), then return FALSE.

-  If Ivec is NULL, then return FALSE.

-  If Output is NULL, then return FALSE.

-

-  @param[in]   TdesContext  Pointer to the TDES context.

-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.

-  @param[in]   InputSize    Size of the Input buffer in bytes.

-  @param[in]   Ivec         Pointer to initialization vector.

-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.

-

-  @retval TRUE   TDES encryption succeeded.

-  @retval FALSE  TDES encryption failed.

-

-**/

-BOOLEAN

-EFIAPI

-TdesCbcEncrypt (

-  IN   VOID         *TdesContext,

-  IN   CONST UINT8  *Input,

-  IN   UINTN        InputSize,

-  IN   CONST UINT8  *Ivec,

-  OUT  UINT8        *Output

-  )

-{

-  DES_key_schedule  *KeySchedule;

-  UINT8             IvecBuffer[TDES_BLOCK_SIZE];

-

-  //

-  // Check input parameters.

-  //

-  if (TdesContext == NULL || Input == NULL || (InputSize % TDES_BLOCK_SIZE) != 0) {

-    return FALSE;

-  }

-

-  if (Ivec == NULL || Output == NULL || InputSize > INT_MAX) {

-    return FALSE;

-  }

-

-  KeySchedule = (DES_key_schedule *) TdesContext;

-  CopyMem (IvecBuffer, Ivec, TDES_BLOCK_SIZE);

-

-  DES_ede3_cbc_encrypt (

-    Input,

-    Output,

-    (UINT32) InputSize,

-    KeySchedule,

-    KeySchedule + 1,

-    KeySchedule + 2,

-    (DES_cblock *) IvecBuffer,

-    DES_ENCRYPT

-    );

-

-  return TRUE;

-}

-

-/**

-  Performs TDES decryption on a data buffer of the specified size in CBC mode.

-

-  This function performs TDES decryption on data buffer pointed by Input, of specified

-  size of InputSize, in CBC mode.

-  InputSize must be multiple of block size (8 bytes). This function does not perform

-  padding. Caller must perform padding, if necessary, to ensure valid input data size.

-  Initialization vector should be one block size (8 bytes).

-  TdesContext should be already correctly initialized by TdesInit(). Behavior with

-  invalid TDES context is undefined.

-

-  If TdesContext is NULL, then return FALSE.

-  If Input is NULL, then return FALSE.

-  If InputSize is not multiple of block size (8 bytes), then return FALSE.

-  If Ivec is NULL, then return FALSE.

-  If Output is NULL, then return FALSE.

-

-  @param[in]   TdesContext  Pointer to the TDES context.

-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.

-  @param[in]   InputSize    Size of the Input buffer in bytes.

-  @param[in]   Ivec         Pointer to initialization vector.

-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.

-

-  @retval TRUE   TDES decryption succeeded.

-  @retval FALSE  TDES decryption failed.

-

-**/

-BOOLEAN

-EFIAPI

-TdesCbcDecrypt (

-  IN   VOID         *TdesContext,

-  IN   CONST UINT8  *Input,

-  IN   UINTN        InputSize,

-  IN   CONST UINT8  *Ivec,

-  OUT  UINT8        *Output

-  )

-{

-  DES_key_schedule  *KeySchedule;

-  UINT8             IvecBuffer[TDES_BLOCK_SIZE];

-

-  //

-  // Check input parameters.

-  //

-  if (TdesContext == NULL || Input == NULL || (InputSize % TDES_BLOCK_SIZE) != 0) {

-    return FALSE;

-  }

-

-  if (Ivec == NULL || Output == NULL || InputSize > INT_MAX) {

-    return FALSE;

-  }

-

-  KeySchedule = (DES_key_schedule *) TdesContext;

-  CopyMem (IvecBuffer, Ivec, TDES_BLOCK_SIZE);

-

-  DES_ede3_cbc_encrypt (

-    Input,

-    Output,

-    (UINT32) InputSize,

-    KeySchedule,

-    KeySchedule + 1,

-    KeySchedule + 2,

-    (DES_cblock *) IvecBuffer,

-    DES_DECRYPT

-    );

-

-  return TRUE;

-}

-

diff --git a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c b/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
deleted file mode 100644
index efa2716063..0000000000
--- a/CryptoPkg/Library/BaseCryptLib/Cipher/CryptTdesNull.c
+++ /dev/null
@@ -1,160 +0,0 @@
-/** @file

-  TDES Wrapper Implementation which does not provide real capabilities.

-

-Copyright (c) 2012, Intel Corporation. All rights reserved.<BR>

-SPDX-License-Identifier: BSD-2-Clause-Patent

-

-**/

-

-#include "InternalCryptLib.h"

-

-/**

-  Retrieves the size, in bytes, of the context buffer required for TDES operations.

-

-  Return zero to indicate this interface is not supported.

-

-  @retval  0   This interface is not supported.

-

-**/

-UINTN

-EFIAPI

-TdesGetContextSize (

-  VOID

-  )

-{

-  ASSERT (FALSE);

-  return 0;

-}

-

-/**

-  Initializes user-supplied memory as TDES context for subsequent use.

-

-  Return FALSE to indicate this interface is not supported.

-

-  @param[out]  TdesContext  Pointer to TDES context being initialized.

-  @param[in]   Key          Pointer to the user-supplied TDES key.

-  @param[in]   KeyLength    Length of TDES key in bits.

-

-  @retval FALSE  This interface is not supported.

-

-**/

-BOOLEAN

-EFIAPI

-TdesInit (

-  OUT  VOID         *TdesContext,

-  IN   CONST UINT8  *Key,

-  IN   UINTN        KeyLength

-  )

-{

-  ASSERT (FALSE);

-  return FALSE;

-}

-

-/**

-  Performs TDES encryption on a data buffer of the specified size in ECB mode.

-

-  Return FALSE to indicate this interface is not supported.

-

-  @param[in]   TdesContext  Pointer to the TDES context.

-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.

-  @param[in]   InputSize    Size of the Input buffer in bytes.

-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.

-

-  @retval FALSE  This interface is not supported.

-

-**/

-BOOLEAN

-EFIAPI

-TdesEcbEncrypt (

-  IN   VOID         *TdesContext,

-  IN   CONST UINT8  *Input,

-  IN   UINTN        InputSize,

-  OUT  UINT8        *Output

-  )

-{

-  ASSERT (FALSE);

-  return FALSE;

-}

-

-/**

-  Performs TDES decryption on a data buffer of the specified size in ECB mode.

-

-  Return FALSE to indicate this interface is not supported.

-

-  @param[in]   TdesContext  Pointer to the TDES context.

-  @param[in]   Input        Pointer to the buffer containing the data to be decrypted.

-  @param[in]   InputSize    Size of the Input buffer in bytes.

-  @param[out]  Output       Pointer to a buffer that receives the TDES decryption output.

-

-  @retval FALSE  This interface is not supported.

-

-**/

-BOOLEAN

-EFIAPI

-TdesEcbDecrypt (

-  IN   VOID         *TdesContext,

-  IN   CONST UINT8  *Input,

-  IN   UINTN        InputSize,

-  OUT  UINT8        *Output

-  )

-{

-  ASSERT (FALSE);

-  return FALSE;

-}

-

-/**

-  Performs TDES encryption on a data buffer of the specified size in CBC mode.

-

-  Return FALSE to indicate this interface is not supported.

-

-  @param[in]   TdesContext  Pointer to the TDES context.

-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.

-  @param[in]   InputSize    Size of the Input buffer in bytes.

-  @param[in]   Ivec         Pointer to initialization vector.

-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.

-

-  @retval FALSE  This interface is not supported.

-

-**/

-BOOLEAN

-EFIAPI

-TdesCbcEncrypt (

-  IN   VOID         *TdesContext,

-  IN   CONST UINT8  *Input,

-  IN   UINTN        InputSize,

-  IN   CONST UINT8  *Ivec,

-  OUT  UINT8        *Output

-  )

-{

-  ASSERT (FALSE);

-  return FALSE;

-}

-

-/**

-  Performs TDES decryption on a data buffer of the specified size in CBC mode.

-

-  Return FALSE to indicate this interface is not supported.

-

-  @param[in]   TdesContext  Pointer to the TDES context.

-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.

-  @param[in]   InputSize    Size of the Input buffer in bytes.

-  @param[in]   Ivec         Pointer to initialization vector.

-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.

-

-  @retval FALSE  This interface is not supported.

-

-**/

-BOOLEAN

-EFIAPI

-TdesCbcDecrypt (

-  IN   VOID         *TdesContext,

-  IN   CONST UINT8  *Input,

-  IN   UINTN        InputSize,

-  IN   CONST UINT8  *Ivec,

-  OUT  UINT8        *Output

-  )

-{

-  ASSERT (FALSE);

-  return FALSE;

-}

-

diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
index f43953b78c..f631f8d879 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.inf
@@ -7,7 +7,7 @@
 #  buffer overflow or integer overflow.

 #

 #  Note:

-#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES functions, RSA external

+#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES functions, RSA external

 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509

 #  certificate handler functions, authenticode signature verification functions,

 #  PEM handler functions, and pseudorandom number generator functions are not

@@ -45,7 +45,6 @@
   Hmac/CryptHmacSha256Null.c

   Kdf/CryptHkdfNull.c

   Cipher/CryptAesNull.c

-  Cipher/CryptTdesNull.c

   Pk/CryptRsaBasic.c

   Pk/CryptRsaExtNull.c

   Pk/CryptPkcs1OaepNull.c

diff --git a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
index 5abd8e8dfb..c906935d3d 100644
--- a/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/PeiCryptLib.uni
@@ -6,8 +6,8 @@
 // This external input must be validated carefully to avoid security issues such as

 // buffer overflow or integer overflow.

 //

-// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/

-// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,

+// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES

+// functions, RSA external functions, PKCS#7 SignedData sign functions,

 // Diffie-Hellman functions, X.509 certificate handler functions, authenticode

 // signature verification functions, PEM handler functions, and pseudorandom number

 // generator functions are not supported in this instance.

@@ -21,5 +21,5 @@
 

 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for PEIM"

 

-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."

+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, X.509 certificate handler functions, authenticode signature verification functions, PEM handler functions, and pseudorandom number generator functions are not supported in this instance."

 

diff --git a/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c b/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c
index 75a133bd0c..6f7e1971f8 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pem/CryptPem.c
@@ -1,7 +1,7 @@
 /** @file

   PEM (Privacy Enhanced Mail) Format Handler Wrapper Implementation over OpenSSL.

 

-Copyright (c) 2010 - 2018, Intel Corporation. All rights reserved.<BR>

+Copyright (c) 2010 - 2020, Intel Corporation. All rights reserved.<BR>

 SPDX-License-Identifier: BSD-2-Clause-Patent

 

 **/

@@ -82,11 +82,8 @@ RsaGetPrivateKeyFromPem (
 

   //

   // Add possible block-cipher descriptor for PEM data decryption.

-  // NOTE: Only support most popular ciphers (3DES, AES) for the encrypted PEM.

+  // NOTE: Only support most popular ciphers AES for the encrypted PEM.

   //

-  if (EVP_add_cipher (EVP_des_ede3_cbc ()) == 0) {

-    return FALSE;

-  }

   if (EVP_add_cipher (EVP_aes_128_cbc ()) == 0) {

     return FALSE;

   }

diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
index f1eb099b67..672e19299c 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.inf
@@ -7,7 +7,7 @@
 #  buffer overflow or integer overflow.

 #

 #  Note: SHA-384 Digest functions, SHA-512 Digest functions,

-#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES/TDES functions, RSA external

+#  HMAC-MD5 functions, HMAC-SHA1/SHA256 functions, AES functions, RSA external

 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and

 #  authenticode signature verification functions are not supported in this instance.

 #

@@ -45,7 +45,6 @@
   Hmac/CryptHmacSha256Null.c

   Kdf/CryptHkdfNull.c

   Cipher/CryptAesNull.c

-  Cipher/CryptTdesNull.c

   Pk/CryptRsaBasic.c

   Pk/CryptRsaExtNull.c

   Pk/CryptPkcs1OaepNull.c

diff --git a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
index 5a48d2a308..0a3bb1c04f 100644
--- a/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/RuntimeCryptLib.uni
@@ -6,8 +6,8 @@
 // This external input must be validated carefully to avoid security issues such as

 // buffer overflow or integer overflow.

 //

-// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/

-// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,

+// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES

+// functions, RSA external functions, PKCS#7 SignedData sign functions,

 // Diffie-Hellman functions, and authenticode signature verification functions are

 // not supported in this instance.

 //

@@ -20,5 +20,5 @@
 

 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for DXE_RUNTIME_DRIVER"

 

-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."

+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."

 

diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
index 3a94655775..cc3556ae3f 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.inf
@@ -7,7 +7,7 @@
 #  buffer overflow or integer overflow.

 #

 #  Note: SHA-384 Digest functions, SHA-512 Digest functions,

-#  HMAC-MD5 functions, HMAC-SHA1 functions, TDES functions, RSA external

+#  HMAC-MD5 functions, HMAC-SHA1 functions, RSA external

 #  functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and

 #  authenticode signature verification functions are not supported in this instance.

 #

@@ -44,7 +44,6 @@
   Hmac/CryptHmacSha256.c

   Kdf/CryptHkdfNull.c

   Cipher/CryptAes.c

-  Cipher/CryptTdesNull.c

   Pk/CryptRsaBasic.c

   Pk/CryptRsaExtNull.c

   Pk/CryptPkcs1Oaep.c

diff --git a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
index 0561f107e8..2e362c635f 100644
--- a/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
+++ b/CryptoPkg/Library/BaseCryptLib/SmmCryptLib.uni
@@ -6,8 +6,8 @@
 // This external input must be validated carefully to avoid security issues such as

 // buffer overflow or integer overflow.

 //

-// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/

-// TDES functions, RSA external functions, PKCS#7 SignedData sign functions,

+// Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES

+// functions, RSA external functions, PKCS#7 SignedData sign functions,

 // Diffie-Hellman functions, and authenticode signature verification functions are

 // not supported in this instance.

 //

@@ -20,5 +20,5 @@
 

 #string STR_MODULE_ABSTRACT             #language en-US "Cryptographic Library Instance for SMM driver"

 

-#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES/ TDES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."

+#string STR_MODULE_DESCRIPTION          #language en-US "Caution: This module requires additional review when modified. This library will have external input - signature. This external input must be validated carefully to avoid security issues such as buffer overflow or integer overflow. Note: HMAC-MD5 functions, HMAC-SHA1 functions, AES functions, RSA external functions, PKCS#7 SignedData sign functions, Diffie-Hellman functions, and authenticode signature verification functions are not supported in this instance."

 

diff --git a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
index a205c9005d..04b552f8b7 100644
--- a/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
+++ b/CryptoPkg/Library/BaseCryptLibNull/BaseCryptLibNull.inf
@@ -39,7 +39,6 @@
   Hmac/CryptHmacSha256Null.c

   Kdf/CryptHkdfNull.c

   Cipher/CryptAesNull.c

-  Cipher/CryptTdesNull.c

   Pk/CryptRsaBasicNull.c

   Pk/CryptRsaExtNull.c

   Pk/CryptPkcs1OaepNull.c

diff --git a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c b/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c
deleted file mode 100644
index efa2716063..0000000000
--- a/CryptoPkg/Library/BaseCryptLibNull/Cipher/CryptTdesNull.c
+++ /dev/null
@@ -1,160 +0,0 @@
-/** @file

-  TDES Wrapper Implementation which does not provide real capabilities.

-

-Copyright (c) 2012, Intel Corporation. All rights reserved.<BR>

-SPDX-License-Identifier: BSD-2-Clause-Patent

-

-**/

-

-#include "InternalCryptLib.h"

-

-/**

-  Retrieves the size, in bytes, of the context buffer required for TDES operations.

-

-  Return zero to indicate this interface is not supported.

-

-  @retval  0   This interface is not supported.

-

-**/

-UINTN

-EFIAPI

-TdesGetContextSize (

-  VOID

-  )

-{

-  ASSERT (FALSE);

-  return 0;

-}

-

-/**

-  Initializes user-supplied memory as TDES context for subsequent use.

-

-  Return FALSE to indicate this interface is not supported.

-

-  @param[out]  TdesContext  Pointer to TDES context being initialized.

-  @param[in]   Key          Pointer to the user-supplied TDES key.

-  @param[in]   KeyLength    Length of TDES key in bits.

-

-  @retval FALSE  This interface is not supported.

-

-**/

-BOOLEAN

-EFIAPI

-TdesInit (

-  OUT  VOID         *TdesContext,

-  IN   CONST UINT8  *Key,

-  IN   UINTN        KeyLength

-  )

-{

-  ASSERT (FALSE);

-  return FALSE;

-}

-

-/**

-  Performs TDES encryption on a data buffer of the specified size in ECB mode.

-

-  Return FALSE to indicate this interface is not supported.

-

-  @param[in]   TdesContext  Pointer to the TDES context.

-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.

-  @param[in]   InputSize    Size of the Input buffer in bytes.

-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.

-

-  @retval FALSE  This interface is not supported.

-

-**/

-BOOLEAN

-EFIAPI

-TdesEcbEncrypt (

-  IN   VOID         *TdesContext,

-  IN   CONST UINT8  *Input,

-  IN   UINTN        InputSize,

-  OUT  UINT8        *Output

-  )

-{

-  ASSERT (FALSE);

-  return FALSE;

-}

-

-/**

-  Performs TDES decryption on a data buffer of the specified size in ECB mode.

-

-  Return FALSE to indicate this interface is not supported.

-

-  @param[in]   TdesContext  Pointer to the TDES context.

-  @param[in]   Input        Pointer to the buffer containing the data to be decrypted.

-  @param[in]   InputSize    Size of the Input buffer in bytes.

-  @param[out]  Output       Pointer to a buffer that receives the TDES decryption output.

-

-  @retval FALSE  This interface is not supported.

-

-**/

-BOOLEAN

-EFIAPI

-TdesEcbDecrypt (

-  IN   VOID         *TdesContext,

-  IN   CONST UINT8  *Input,

-  IN   UINTN        InputSize,

-  OUT  UINT8        *Output

-  )

-{

-  ASSERT (FALSE);

-  return FALSE;

-}

-

-/**

-  Performs TDES encryption on a data buffer of the specified size in CBC mode.

-

-  Return FALSE to indicate this interface is not supported.

-

-  @param[in]   TdesContext  Pointer to the TDES context.

-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.

-  @param[in]   InputSize    Size of the Input buffer in bytes.

-  @param[in]   Ivec         Pointer to initialization vector.

-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.

-

-  @retval FALSE  This interface is not supported.

-

-**/

-BOOLEAN

-EFIAPI

-TdesCbcEncrypt (

-  IN   VOID         *TdesContext,

-  IN   CONST UINT8  *Input,

-  IN   UINTN        InputSize,

-  IN   CONST UINT8  *Ivec,

-  OUT  UINT8        *Output

-  )

-{

-  ASSERT (FALSE);

-  return FALSE;

-}

-

-/**

-  Performs TDES decryption on a data buffer of the specified size in CBC mode.

-

-  Return FALSE to indicate this interface is not supported.

-

-  @param[in]   TdesContext  Pointer to the TDES context.

-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.

-  @param[in]   InputSize    Size of the Input buffer in bytes.

-  @param[in]   Ivec         Pointer to initialization vector.

-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.

-

-  @retval FALSE  This interface is not supported.

-

-**/

-BOOLEAN

-EFIAPI

-TdesCbcDecrypt (

-  IN   VOID         *TdesContext,

-  IN   CONST UINT8  *Input,

-  IN   UINTN        InputSize,

-  IN   CONST UINT8  *Ivec,

-  OUT  UINT8        *Output

-  )

-{

-  ASSERT (FALSE);

-  return FALSE;

-}

-

diff --git a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
index 77915bdb86..43ee4e0841 100644
--- a/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
+++ b/CryptoPkg/Library/BaseCryptLibOnProtocolPpi/CryptLib.c
@@ -1468,220 +1468,6 @@ HmacSha256Final (
 //=====================================================================================

 

 /**

-  Retrieves the size, in bytes, of the context buffer required for TDES operations.

-

-  If this interface is not supported, then return zero.

-

-  @return  The size, in bytes, of the context buffer required for TDES operations.

-  @retval  0   This interface is not supported.

-

-**/

-UINTN

-EFIAPI

-TdesGetContextSize (

-  VOID

-  )

-{

-  CALL_CRYPTO_SERVICE (TdesGetContextSize, (), 0);

-}

-

-/**

-  Initializes user-supplied memory as TDES context for subsequent use.

-

-  This function initializes user-supplied memory pointed by TdesContext as TDES context.

-  In addition, it sets up all TDES key materials for subsequent encryption and decryption

-  operations.

-  There are 3 key options as follows:

-  KeyLength = 64,  Keying option 1: K1 == K2 == K3 (Backward compatibility with DES)

-  KeyLength = 128, Keying option 2: K1 != K2 and K3 = K1 (Less Security)

-  KeyLength = 192  Keying option 3: K1 != K2 != K3 (Strongest)

-

-  If TdesContext is NULL, then return FALSE.

-  If Key is NULL, then return FALSE.

-  If KeyLength is not valid, then return FALSE.

-  If this interface is not supported, then return FALSE.

-

-  @param[out]  TdesContext  Pointer to TDES context being initialized.

-  @param[in]   Key          Pointer to the user-supplied TDES key.

-  @param[in]   KeyLength    Length of TDES key in bits.

-

-  @retval TRUE   TDES context initialization succeeded.

-  @retval FALSE  TDES context initialization failed.

-  @retval FALSE  This interface is not supported.

-

-**/

-BOOLEAN

-EFIAPI

-TdesInit (

-  OUT  VOID         *TdesContext,

-  IN   CONST UINT8  *Key,

-  IN   UINTN        KeyLength

-  )

-{

-  CALL_CRYPTO_SERVICE (TdesInit, (TdesContext, Key, KeyLength), FALSE);

-}

-

-/**

-  Performs TDES encryption on a data buffer of the specified size in ECB mode.

-

-  This function performs TDES encryption on data buffer pointed by Input, of specified

-  size of InputSize, in ECB mode.

-  InputSize must be multiple of block size (8 bytes). This function does not perform

-  padding. Caller must perform padding, if necessary, to ensure valid input data size.

-  TdesContext should be already correctly initialized by TdesInit(). Behavior with

-  invalid TDES context is undefined.

-

-  If TdesContext is NULL, then return FALSE.

-  If Input is NULL, then return FALSE.

-  If InputSize is not multiple of block size (8 bytes), then return FALSE.

-  If Output is NULL, then return FALSE.

-  If this interface is not supported, then return FALSE.

-

-  @param[in]   TdesContext  Pointer to the TDES context.

-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.

-  @param[in]   InputSize    Size of the Input buffer in bytes.

-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.

-

-  @retval TRUE   TDES encryption succeeded.

-  @retval FALSE  TDES encryption failed.

-  @retval FALSE  This interface is not supported.

-

-**/

-BOOLEAN

-EFIAPI

-TdesEcbEncrypt (

-  IN   VOID         *TdesContext,

-  IN   CONST UINT8  *Input,

-  IN   UINTN        InputSize,

-  OUT  UINT8        *Output

-  )

-{

-  CALL_CRYPTO_SERVICE (TdesEcbEncrypt, (TdesContext, Input, InputSize, Output), FALSE);

-}

-

-/**

-  Performs TDES decryption on a data buffer of the specified size in ECB mode.

-

-  This function performs TDES decryption on data buffer pointed by Input, of specified

-  size of InputSize, in ECB mode.

-  InputSize must be multiple of block size (8 bytes). This function does not perform

-  padding. Caller must perform padding, if necessary, to ensure valid input data size.

-  TdesContext should be already correctly initialized by TdesInit(). Behavior with

-  invalid TDES context is undefined.

-

-  If TdesContext is NULL, then return FALSE.

-  If Input is NULL, then return FALSE.

-  If InputSize is not multiple of block size (8 bytes), then return FALSE.

-  If Output is NULL, then return FALSE.

-  If this interface is not supported, then return FALSE.

-

-  @param[in]   TdesContext  Pointer to the TDES context.

-  @param[in]   Input        Pointer to the buffer containing the data to be decrypted.

-  @param[in]   InputSize    Size of the Input buffer in bytes.

-  @param[out]  Output       Pointer to a buffer that receives the TDES decryption output.

-

-  @retval TRUE   TDES decryption succeeded.

-  @retval FALSE  TDES decryption failed.

-  @retval FALSE  This interface is not supported.

-

-**/

-BOOLEAN

-EFIAPI

-TdesEcbDecrypt (

-  IN   VOID         *TdesContext,

-  IN   CONST UINT8  *Input,

-  IN   UINTN        InputSize,

-  OUT  UINT8        *Output

-  )

-{

-  CALL_CRYPTO_SERVICE (TdesEcbDecrypt, (TdesContext, Input, InputSize, Output), FALSE);

-}

-

-/**

-  Performs TDES encryption on a data buffer of the specified size in CBC mode.

-

-  This function performs TDES encryption on data buffer pointed by Input, of specified

-  size of InputSize, in CBC mode.

-  InputSize must be multiple of block size (8 bytes). This function does not perform

-  padding. Caller must perform padding, if necessary, to ensure valid input data size.

-  Initialization vector should be one block size (8 bytes).

-  TdesContext should be already correctly initialized by TdesInit(). Behavior with

-  invalid TDES context is undefined.

-

-  If TdesContext is NULL, then return FALSE.

-  If Input is NULL, then return FALSE.

-  If InputSize is not multiple of block size (8 bytes), then return FALSE.

-  If Ivec is NULL, then return FALSE.

-  If Output is NULL, then return FALSE.

-  If this interface is not supported, then return FALSE.

-

-  @param[in]   TdesContext  Pointer to the TDES context.

-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.

-  @param[in]   InputSize    Size of the Input buffer in bytes.

-  @param[in]   Ivec         Pointer to initialization vector.

-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.

-

-  @retval TRUE   TDES encryption succeeded.

-  @retval FALSE  TDES encryption failed.

-  @retval FALSE  This interface is not supported.

-

-**/

-BOOLEAN

-EFIAPI

-TdesCbcEncrypt (

-  IN   VOID         *TdesContext,

-  IN   CONST UINT8  *Input,

-  IN   UINTN        InputSize,

-  IN   CONST UINT8  *Ivec,

-  OUT  UINT8        *Output

-  )

-{

-  CALL_CRYPTO_SERVICE (TdesCbcEncrypt, (TdesContext, Input, InputSize, Ivec, Output), FALSE);

-}

-

-/**

-  Performs TDES decryption on a data buffer of the specified size in CBC mode.

-

-  This function performs TDES decryption on data buffer pointed by Input, of specified

-  size of InputSize, in CBC mode.

-  InputSize must be multiple of block size (8 bytes). This function does not perform

-  padding. Caller must perform padding, if necessary, to ensure valid input data size.

-  Initialization vector should be one block size (8 bytes).

-  TdesContext should be already correctly initialized by TdesInit(). Behavior with

-  invalid TDES context is undefined.

-

-  If TdesContext is NULL, then return FALSE.

-  If Input is NULL, then return FALSE.

-  If InputSize is not multiple of block size (8 bytes), then return FALSE.

-  If Ivec is NULL, then return FALSE.

-  If Output is NULL, then return FALSE.

-  If this interface is not supported, then return FALSE.

-

-  @param[in]   TdesContext  Pointer to the TDES context.

-  @param[in]   Input        Pointer to the buffer containing the data to be encrypted.

-  @param[in]   InputSize    Size of the Input buffer in bytes.

-  @param[in]   Ivec         Pointer to initialization vector.

-  @param[out]  Output       Pointer to a buffer that receives the TDES encryption output.

-

-  @retval TRUE   TDES decryption succeeded.

-  @retval FALSE  TDES decryption failed.

-  @retval FALSE  This interface is not supported.

-

-**/

-BOOLEAN

-EFIAPI

-TdesCbcDecrypt (

-  IN   VOID         *TdesContext,

-  IN   CONST UINT8  *Input,

-  IN   UINTN        InputSize,

-  IN   CONST UINT8  *Ivec,

-  OUT  UINT8        *Output

-  )

-{

-  CALL_CRYPTO_SERVICE (TdesCbcDecrypt, (TdesContext, Input, InputSize, Ivec, Output), FALSE);

-}

-

-/**

   Retrieves the size, in bytes, of the context buffer required for AES operations.

 

   If this interface is not supported, then return zero.