Deprecate EVP_PKEY_HMAC.

Now that BoringSSL no longer uses it internally, deprecate it until we can get
any Google code off it and remove it altogether.

Change-Id: I0e15525600b27a65f84b4bb820b879b2424a0ef7
Reviewed-on: https://boringssl-review.googlesource.com/2701
Reviewed-by: Adam Langley <agl@google.com>

include/openssl/evp.h

diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index 1e1dc83..9c2cf1f 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -135,9 +135,10 @@
  * |EVP_PKEY_RSA2| will be turned into |EVP_PKEY_RSA|. */
 OPENSSL_EXPORT int EVP_PKEY_type(int nid);
 
-/* EVP_PKEY_new_mac_key allocates a fresh |EVP_PKEY| of the given type (e.g.
- * |EVP_PKEY_HMAC|), sets |mac_key| as the MAC key and "generates" a new key,
- * suitable for signing. It returns the fresh |EVP_PKEY|, or NULL on error. */
+/* Deprecated: EVP_PKEY_new_mac_key allocates a fresh |EVP_PKEY| of the given
+ * type (e.g. |EVP_PKEY_HMAC|), sets |mac_key| as the MAC key and "generates" a
+ * new key, suitable for signing. It returns the fresh |EVP_PKEY|, or NULL on
+ * error. Use |HMAC_CTX| directly instead. */
 OPENSSL_EXPORT EVP_PKEY *EVP_PKEY_new_mac_key(int type, ENGINE *engine,
                                               const uint8_t *mac_key,
                                               size_t mac_key_len);
@@ -174,6 +175,8 @@
 #define EVP_PKEY_DH NID_dhKeyAgreement
 #define EVP_PKEY_DHX NID_dhpublicnumber
 #define EVP_PKEY_EC NID_X9_62_id_ecPublicKey
+
+/* Deprecated: Use |HMAC_CTX| directly instead. */
 #define EVP_PKEY_HMAC NID_hmac
 
 /* EVP_PKEY_assign sets the underlying key of |pkey| to |key|, which must be of