Rip out our own HMAC-SHA1 and replace with crypto API.  
Can now choose hmac-sha1, hmac-md5, or none with regards to what
HMAC to use for cookie echo verification.