[openssl] master update

Richard Levitte levitte at openssl.org
Wed Nov 18 22:39:34 UTC 2020


The branch master has been updated
       via  d7e498ac55f12bc2f4e7f948cbb8de2e3eeafc74 (commit)
      from  b24d6c335d3beb431f8f9847623d4db39ae1f96b (commit)


- Log -----------------------------------------------------------------
commit d7e498ac55f12bc2f4e7f948cbb8de2e3eeafc74
Author: Richard Levitte <levitte at openssl.org>
Date:   Sun Oct 4 16:34:31 2020 +0200

    Deprecate RSA harder
    
    This deprecates all functions that deal with the types RSA and RSA_METHOD
    
    Reviewed-by: Paul Dale <paul.dale at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/13096)

-----------------------------------------------------------------------

Summary of changes:
 apps/genrsa.c                                 |  11 +-
 apps/req.c                                    |   9 +-
 apps/rsa.c                                    | 144 ++++---
 apps/rsautl.c                                 |  62 +--
 apps/x509.c                                   |   9 +-
 crypto/asn1/asn1_item_list.c                  |   3 +
 crypto/asn1/asn1_item_list.h                  |   2 +
 crypto/asn1/i2d_evp.c                         |   8 +-
 crypto/evp/build.info                         |   2 +-
 crypto/evp/p_dec.c                            |   7 +-
 crypto/evp/p_enc.c                            |   7 +-
 crypto/evp/p_legacy.c                         |  51 +++
 crypto/evp/p_lib.c                            |  31 --
 crypto/pem/pem_all.c                          |   8 +-
 crypto/pem/pem_local.h                        |   3 +
 crypto/rsa/rsa_backend.c                      |   6 +
 crypto/rsa/rsa_local.h                        |   1 -
 doc/man3/d2i_RSAPrivateKey.pod                | 242 +++++++++++
 doc/man3/d2i_X509.pod                         |  31 +-
 fuzz/asn1.c                                   |   6 +-
 fuzz/server.c                                 |   9 +
 include/crypto/rsa.h                          |   1 +
 include/{internal/asn1.h => crypto/types.h}   |   9 +-
 include/openssl/evp.h                         |  15 +-
 include/openssl/pem.h                         |  10 +-
 include/openssl/rsa.h                         | 576 ++++++++++++++------------
 include/openssl/ssl.h.in                      |  24 +-
 include/openssl/types.h                       |   3 +
 include/openssl/x509.h.in                     |  38 +-
 providers/common/der/der_rsa_key.c            |   6 +
 providers/common/include/prov/securitycheck.h |   2 +
 ssl/build.info                                |   2 +-
 ssl/ssl_local.h                               |   1 -
 ssl/ssl_rsa.c                                 | 171 --------
 ssl/ssl_rsa_legacy.c                          | 180 ++++++++
 ssl/statem/statem_clnt.c                      |   3 +-
 ssl/statem/statem_lib.c                       |   1 +
 ssl/statem/statem_srvr.c                      |   1 +
 test/endecoder_legacy_test.c                  |   6 +
 test/evp_extra_test.c                         |  73 ++--
 test/keymgmt_internal_test.c                  |   6 +
 test/rsa_sp800_56b_test.c                     |   7 +
 util/libcrypto.num                            | 132 +++---
 util/libssl.num                               |  12 +-
 44 files changed, 1171 insertions(+), 760 deletions(-)
 create mode 100644 crypto/evp/p_legacy.c
 create mode 100644 doc/man3/d2i_RSAPrivateKey.pod
 copy include/{internal/asn1.h => crypto/types.h} (67%)
 create mode 100644 ssl/ssl_rsa_legacy.c

diff --git a/apps/genrsa.c b/apps/genrsa.c
index f471814e08..32f088238d 100644
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -79,9 +79,7 @@ int genrsa_main(int argc, char **argv)
     BN_GENCB *cb = BN_GENCB_new();
     ENGINE *eng = NULL;
     BIGNUM *bn = BN_new();
-    RSA *rsa;
     BIO *out = NULL;
-    const BIGNUM *e;
     EVP_PKEY *pkey = NULL;
     EVP_PKEY_CTX *ctx = NULL;
     const EVP_CIPHER *enc = NULL;
@@ -205,9 +203,11 @@ opthelp:
     }
 
     if (verbose) {
-        if ((rsa = EVP_PKEY_get0_RSA(pkey)) != NULL) {
-            RSA_get0_key(rsa, NULL, &e, NULL);
-        } else {
+        BIGNUM *e = NULL;
+
+        /* Every RSA key has an 'e' */
+        EVP_PKEY_get_bn_param(pkey, "e", &e);
+        if (e == NULL) {
             BIO_printf(bio_err, "Error cannot access RSA e\n");
             goto end;
         }
@@ -218,6 +218,7 @@ opthelp:
         }
         OPENSSL_free(hexe);
         OPENSSL_free(dece);
+        BN_free(e);
     }
     if (traditional) {
         if (!PEM_write_bio_PrivateKey_traditional(out, pkey, enc, NULL, 0,
diff --git a/apps/req.c b/apps/req.c
index 9fa3429baf..41a78593b0 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -939,10 +939,13 @@ int req_main(int argc, char **argv)
         }
         fprintf(stdout, "Modulus=");
 #ifndef OPENSSL_NO_RSA
-        if (EVP_PKEY_base_id(tpubkey) == EVP_PKEY_RSA) {
-            const BIGNUM *n;
-            RSA_get0_key(EVP_PKEY_get0_RSA(tpubkey), &n, NULL, NULL);
+        if (EVP_PKEY_is_a(tpubkey, "RSA")) {
+            BIGNUM *n;
+
+            /* Every RSA key has an 'n' */
+            EVP_PKEY_get_bn_param(pkey, "n", &n);
             BN_print(out, n);
+            BN_free(n);
         } else
 #endif
             fprintf(stdout, "Wrong Algorithm type");
diff --git a/apps/rsa.c b/apps/rsa.c
index 558b126560..da1342b4c0 100644
--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -22,6 +22,13 @@
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/bn.h>
+#include <openssl/encoder.h>
+
+/*
+ * TODO: This include is to get OSSL_KEYMGMT_SELECT_*, which feels a bit
+ * much just for those macros...  they might serve better as EVP macros.
+ */
+#include <openssl/core_dispatch.h>
 
 typedef enum OPTION_choice {
     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
@@ -62,12 +69,10 @@ const OPTIONS rsa_options[] = {
     {"traditional", OPT_TRADITIONAL, '-',
      "Use traditional format for private keys"},
 
-#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4)
     OPT_SECTION("PVK"),
     {"pvk-strong", OPT_PVK_STRONG, '-', "Enable 'Strong' PVK encoding level (default)"},
     {"pvk-weak", OPT_PVK_WEAK, '-', "Enable 'Weak' PVK encoding level"},
     {"pvk-none", OPT_PVK_NONE, '-', "Don't enforce PVK encoding"},
-#endif
 
     OPT_PROV_OPTIONS,
     {NULL}
@@ -77,20 +82,21 @@ int rsa_main(int argc, char **argv)
 {
     ENGINE *e = NULL;
     BIO *out = NULL;
-    RSA *rsa = NULL;
     EVP_PKEY *pkey = NULL;
     EVP_PKEY_CTX *pctx;
     const EVP_CIPHER *enc = NULL;
     char *infile = NULL, *outfile = NULL, *prog;
     char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL;
-    int i, private = 0;
+    int private = 0;
     int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, check = 0;
     int noout = 0, modulus = 0, pubin = 0, pubout = 0, ret = 1;
-#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4)
     int pvk_encr = 2;
-#endif
     OPTION_CHOICE o;
     int traditional = 0;
+    const char *output_type = NULL;
+    const char *output_structure = NULL;
+    int selection = 0;
+    OSSL_ENCODER_CTX *ectx = NULL;
 
     prog = opt_init(argc, argv, rsa_options);
     while ((o = opt_next()) != OPT_EOF) {
@@ -142,9 +148,7 @@ int rsa_main(int argc, char **argv)
         case OPT_PVK_STRONG:    /* pvk_encr:= 2 */
         case OPT_PVK_WEAK:      /* pvk_encr:= 1 */
         case OPT_PVK_NONE:      /* pvk_encr:= 0 */
-#if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4)
             pvk_encr = (o - OPT_PVK_NONE);
-#endif
             break;
         case OPT_NOOUT:
             noout = 1;
@@ -203,13 +207,14 @@ int rsa_main(int argc, char **argv)
         pkey = load_key(infile, informat, 1, passin, e, "private key");
     }
 
-    if (pkey != NULL)
-        rsa = EVP_PKEY_get1_RSA(pkey);
-
-    if (rsa == NULL) {
+    if (pkey == NULL) {
         ERR_print_errors(bio_err);
         goto end;
     }
+    if (!EVP_PKEY_is_a(pkey, "RSA")) {
+        BIO_printf(bio_err, "Not an RSA key\n");
+        goto end;
+    }
 
     out = bio_open_owner(outfile, outformat, private);
     if (out == NULL)
@@ -226,11 +231,14 @@ int rsa_main(int argc, char **argv)
     }
 
     if (modulus) {
-        const BIGNUM *n;
-        RSA_get0_key(rsa, &n, NULL, NULL);
+        BIGNUM *n = NULL;
+
+        /* Every RSA key has an 'n' */
+        EVP_PKEY_get_bn_param(pkey, "n", &n);
         BIO_printf(out, "Modulus=");
         BN_print(out, n);
         BIO_printf(out, "\n");
+        BN_free(n);
     }
 
     if (check) {
@@ -268,77 +276,81 @@ int rsa_main(int argc, char **argv)
         goto end;
     }
     BIO_printf(bio_err, "writing RSA key\n");
+
+    /* Choose output type for the format */
     if (outformat == FORMAT_ASN1) {
-        if (pubout || pubin) {
-            if (pubout == 2)
-                i = i2d_RSAPublicKey_bio(out, rsa);
-            else
-                i = i2d_RSA_PUBKEY_bio(out, rsa);
-        } else {
-            assert(private);
-            i = i2d_RSAPrivateKey_bio(out, rsa);
-        }
+        output_type = "DER";
     } else if (outformat == FORMAT_PEM) {
+        output_type = "PEM";
+    } else if (outformat == FORMAT_MSBLOB) {
+        output_type = "MSBLOB";
+    } else if (outformat == FORMAT_PVK) {
+        if (pubin) {
+            BIO_printf(bio_err, "PVK form impossible with public key input\n");
+            goto end;
+        }
+        output_type = "PVK";
+    } else {
+        BIO_printf(bio_err, "bad output format specified for outfile\n");
+        goto end;
+    }
+
+    /* Select what you want in the output */
+    if (pubout || pubin) {
+        selection = OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
+    } else {
+        assert(private);
+        selection = (OSSL_KEYMGMT_SELECT_KEYPAIR
+                     | OSSL_KEYMGMT_SELECT_ALL_PARAMETERS);
+    }
+
+    /* For DER based output, select the desired output structure */
+    if (outformat == FORMAT_ASN1 || outformat == FORMAT_PEM) {
         if (pubout || pubin) {
             if (pubout == 2)
-                i = PEM_write_bio_RSAPublicKey(out, rsa);
+                output_structure = "SubjectPublicKeyInfo";
             else
-                i = PEM_write_bio_RSA_PUBKEY(out, rsa);
+                output_structure = "pkcs1"; /* "type-specific" would work too */
         } else {
             assert(private);
-            if (traditional) {
-                i = PEM_write_bio_PrivateKey_traditional(out, pkey, enc, NULL, 0,
-                                                         NULL, passout);
-            } else {
-                i = PEM_write_bio_PrivateKey(out, pkey,
-                                             enc, NULL, 0, NULL, passout);
-            }
+            if (traditional)
+                output_structure = "pkcs1"; /* "type-specific" would work too */
+            else
+                output_structure = "pkcs8";
         }
-#ifndef OPENSSL_NO_DSA
-    } else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
-        EVP_PKEY *pk;
-        pk = EVP_PKEY_new();
-        if (pk == NULL)
-            goto end;
+    }
 
-        EVP_PKEY_set1_RSA(pk, rsa);
-        if (outformat == FORMAT_PVK) {
-            if (pubin) {
-                BIO_printf(bio_err, "PVK form impossible with public key input\n");
-                EVP_PKEY_free(pk);
-                goto end;
-            }
-            assert(private);
-# ifdef OPENSSL_NO_RC4
-            BIO_printf(bio_err, "PVK format not supported\n");
-            EVP_PKEY_free(pk);
+    /* Now, perform the encoding */
+    ectx = OSSL_ENCODER_CTX_new_by_EVP_PKEY(pkey, selection,
+                                            output_type, output_structure,
+                                            NULL, NULL);
+    if (OSSL_ENCODER_CTX_get_num_encoders(ectx) == 0) {
+        BIO_printf(bio_err, "%s format not supported\n", output_type);
+        goto end;
+    }
+
+    /* PVK is a bit special... */
+    if (outformat == FORMAT_PVK) {
+        OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
+
+        params[0] = OSSL_PARAM_construct_int("encrypt-level", &pvk_encr);
+        if (!OSSL_ENCODER_CTX_set_params(ectx, params)) {
+            BIO_printf(bio_err, "invalid PVK encryption level\n");
             goto end;
-# else
-            i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout);
-# endif
-        } else if (pubin || pubout) {
-            i = i2b_PublicKey_bio(out, pk);
-        } else {
-            assert(private);
-            i = i2b_PrivateKey_bio(out, pk);
         }
-        EVP_PKEY_free(pk);
-#endif
-    } else {
-        BIO_printf(bio_err, "bad output format specified for outfile\n");
-        goto end;
     }
-    if (i <= 0) {
+
+    if (!OSSL_ENCODER_to_bio(ectx, out)) {
         BIO_printf(bio_err, "unable to write key\n");
         ERR_print_errors(bio_err);
-    } else {
-        ret = 0;
+        goto end;
     }
+    ret = 0;
  end:
+    OSSL_ENCODER_CTX_free(ectx);
     release_engine(e);
     BIO_free_all(out);
     EVP_PKEY_free(pkey);
-    RSA_free(rsa);
     OPENSSL_free(passin);
     OPENSSL_free(passout);
     return ret;
diff --git a/apps/rsautl.c b/apps/rsautl.c
index 9b5456cb89..8fefaee8f5 100644
--- a/apps/rsautl.c
+++ b/apps/rsautl.c
@@ -7,9 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/* We need to use the deprecated RSA low level calls */
-#define OPENSSL_SUPPRESS_DEPRECATED
-
 #include <openssl/opensslconf.h>
 
 #include "apps.h"
@@ -78,14 +75,15 @@ int rsautl_main(int argc, char **argv)
     BIO *in = NULL, *out = NULL;
     ENGINE *e = NULL;
     EVP_PKEY *pkey = NULL;
-    RSA *rsa = NULL;
+    EVP_PKEY_CTX *ctx = NULL;
     X509 *x;
     char *infile = NULL, *outfile = NULL, *keyfile = NULL;
     char *passinarg = NULL, *passin = NULL, *prog;
     char rsa_mode = RSA_VERIFY, key_type = KEY_PRIVKEY;
     unsigned char *rsa_in = NULL, *rsa_out = NULL, pad = RSA_PKCS1_PADDING;
-    int rsa_inlen, keyformat = FORMAT_PEM, keysize, ret = 1;
-    int rsa_outlen = 0, hexdump = 0, asn1parse = 0, need_priv = 0, rev = 0;
+    size_t rsa_inlen, rsa_outlen = 0;
+    int keyformat = FORMAT_PEM, keysize, ret = 1, rv;
+    int hexdump = 0, asn1parse = 0, need_priv = 0, rev = 0;
     OPTION_CHOICE o;
 
     prog = opt_init(argc, argv, rsautl_options);
@@ -208,15 +206,6 @@ int rsautl_main(int argc, char **argv)
     if (pkey == NULL)
         return 1;
 
-    rsa = EVP_PKEY_get1_RSA(pkey);
-    EVP_PKEY_free(pkey);
-
-    if (rsa == NULL) {
-        BIO_printf(bio_err, "Error getting RSA key\n");
-        ERR_print_errors(bio_err);
-        goto end;
-    }
-
     in = bio_open_default(infile, 'r', FORMAT_BINARY);
     if (in == NULL)
         goto end;
@@ -224,48 +213,58 @@ int rsautl_main(int argc, char **argv)
     if (out == NULL)
         goto end;
 
-    keysize = RSA_size(rsa);
+    keysize = EVP_PKEY_size(pkey);
 
     rsa_in = app_malloc(keysize * 2, "hold rsa key");
     rsa_out = app_malloc(keysize, "output rsa key");
+    rsa_outlen = keysize;
 
     /* Read the input data */
-    rsa_inlen = BIO_read(in, rsa_in, keysize * 2);
-    if (rsa_inlen < 0) {
+    rv = BIO_read(in, rsa_in, keysize * 2);
+    if (rv < 0) {
         BIO_printf(bio_err, "Error reading input Data\n");
         goto end;
     }
+    rsa_inlen = rv;
     if (rev) {
-        int i;
+        size_t i;
         unsigned char ctmp;
+
         for (i = 0; i < rsa_inlen / 2; i++) {
             ctmp = rsa_in[i];
             rsa_in[i] = rsa_in[rsa_inlen - 1 - i];
             rsa_in[rsa_inlen - 1 - i] = ctmp;
         }
     }
-    switch (rsa_mode) {
 
+    if ((ctx = EVP_PKEY_CTX_new_from_pkey(NULL, pkey, NULL)) == NULL)
+        goto end;
+
+    switch (rsa_mode) {
     case RSA_VERIFY:
-        rsa_outlen = RSA_public_decrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
+        rv = EVP_PKEY_verify_recover_init(ctx)
+            && EVP_PKEY_CTX_set_rsa_padding(ctx, pad)
+            && EVP_PKEY_verify_recover(ctx, rsa_out, &rsa_outlen,
+                                       rsa_in, rsa_inlen);
         break;
-
     case RSA_SIGN:
-        rsa_outlen =
-            RSA_private_encrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
+        rv = EVP_PKEY_sign_init(ctx)
+            && EVP_PKEY_CTX_set_rsa_padding(ctx, pad)
+            && EVP_PKEY_sign(ctx, rsa_out, &rsa_outlen, rsa_in, rsa_inlen);
         break;
-
     case RSA_ENCRYPT:
-        rsa_outlen = RSA_public_encrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
+        rv = EVP_PKEY_encrypt_init(ctx)
+            && EVP_PKEY_CTX_set_rsa_padding(ctx, pad)
+            && EVP_PKEY_encrypt(ctx, rsa_out, &rsa_outlen, rsa_in, rsa_inlen);
         break;
-
     case RSA_DECRYPT:
-        rsa_outlen =
-            RSA_private_decrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
+        rv = EVP_PKEY_decrypt_init(ctx)
+            && EVP_PKEY_CTX_set_rsa_padding(ctx, pad)
+            && EVP_PKEY_decrypt(ctx, rsa_out, &rsa_outlen, rsa_in, rsa_inlen);
         break;
     }
 
-    if (rsa_outlen < 0) {
+    if (!rv) {
         BIO_printf(bio_err, "RSA operation error\n");
         ERR_print_errors(bio_err);
         goto end;
@@ -281,7 +280,8 @@ int rsautl_main(int argc, char **argv)
         BIO_write(out, rsa_out, rsa_outlen);
     }
  end:
-    RSA_free(rsa);
+    EVP_PKEY_CTX_free(ctx);
+    EVP_PKEY_free(pkey);
     release_engine(e);
     BIO_free(in);
     BIO_free_all(out);
diff --git a/apps/x509.c b/apps/x509.c
index 0d0d93edc0..ad627f4558 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -757,10 +757,13 @@ int x509_main(int argc, char **argv)
                 }
                 BIO_printf(out, "Modulus=");
 #ifndef OPENSSL_NO_RSA
-                if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) {
-                    const BIGNUM *n;
-                    RSA_get0_key(EVP_PKEY_get0_RSA(pkey), &n, NULL, NULL);
+                if (EVP_PKEY_is_a(pkey, "RSA")) {
+                    BIGNUM *n;
+
+                    /* Every RSA key has an 'n' */
+                    EVP_PKEY_get_bn_param(pkey, "n", &n);
                     BN_print(out, n);
+                    BN_free(n);
                 } else
 #endif
 #ifndef OPENSSL_NO_DSA
diff --git a/crypto/asn1/asn1_item_list.c b/crypto/asn1/asn1_item_list.c
index 5a711546bf..c7000c20e9 100644
--- a/crypto/asn1/asn1_item_list.c
+++ b/crypto/asn1/asn1_item_list.c
@@ -7,6 +7,9 @@
  * https://www.openssl.org/source/license.html
  */
 
+/* We need to use the low level ASN1 items until they are removed */
+#define OPENSSL_SUPPRESS_DEPRECATED
+
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include <openssl/asn1.h>
diff --git a/crypto/asn1/asn1_item_list.h b/crypto/asn1/asn1_item_list.h
index 4cdf1d221a..b5a8661bd4 100644
--- a/crypto/asn1/asn1_item_list.h
+++ b/crypto/asn1/asn1_item_list.h
@@ -135,10 +135,12 @@ static ASN1_ITEM_EXP *asn1_item_list[] = {
     ASN1_ITEM_ref(PROXY_CERT_INFO_EXTENSION),
     ASN1_ITEM_ref(PROXY_POLICY),
 #ifndef OPENSSL_NO_RSA
+# ifndef OPENSSL_NO_DEPRECATED_3_0
     ASN1_ITEM_ref(RSAPrivateKey),
     ASN1_ITEM_ref(RSAPublicKey),
     ASN1_ITEM_ref(RSA_OAEP_PARAMS),
     ASN1_ITEM_ref(RSA_PSS_PARAMS),
+# endif
 #endif
 #ifndef OPENSSL_NO_SCRYPT
     ASN1_ITEM_ref(SCRYPT_PARAMS),
diff --git a/crypto/asn1/i2d_evp.c b/crypto/asn1/i2d_evp.c
index a81ae415fa..d0468bf5c2 100644
--- a/crypto/asn1/i2d_evp.c
+++ b/crypto/asn1/i2d_evp.c
@@ -16,7 +16,9 @@
 #include <openssl/encoder.h>
 #include <openssl/buffer.h>
 #include <openssl/x509.h>
-#include <openssl/rsa.h>         /* For i2d_RSAPublicKey */
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+# include <openssl/rsa.h>        /* For i2d_RSAPublicKey */
+#endif
 #include <openssl/dsa.h>         /* For i2d_DSAPublicKey */
 #include <openssl/ec.h>          /* For i2o_ECPublicKey */
 #include "crypto/asn1.h"
@@ -105,9 +107,11 @@ int i2d_PublicKey(const EVP_PKEY *a, unsigned char **pp)
         return i2d_provided(a, EVP_PKEY_PUBLIC_KEY, output_structures, pp);
     }
     switch (EVP_PKEY_id(a)) {
-#ifndef OPENSSL_NO_RSA
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+# ifndef OPENSSL_NO_RSA
     case EVP_PKEY_RSA:
         return i2d_RSAPublicKey(EVP_PKEY_get0_RSA(a), pp);
+# endif
 #endif
 #ifndef OPENSSL_NO_DSA
     case EVP_PKEY_DSA:
diff --git a/crypto/evp/build.info b/crypto/evp/build.info
index 7f1459a15c..358709a6a4 100644
--- a/crypto/evp/build.info
+++ b/crypto/evp/build.info
@@ -9,7 +9,7 @@ SOURCE[../../libcrypto]=$COMMON\
         e_des.c e_bf.c e_idea.c e_des3.c \
         e_rc4.c e_aes.c names.c e_aria.c e_sm4.c \
         e_xcbc_d.c e_rc2.c e_cast.c e_rc5.c m_null.c \
-        p_seal.c p_sign.c p_verify.c \
+        p_seal.c p_sign.c p_verify.c p_legacy.c \
         bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \
         c_allc.c c_alld.c bio_ok.c \
         evp_pkey.c evp_pbe.c p5_crpt.c p5_crpt2.c pbe_scrypt.c \
diff --git a/crypto/evp/p_dec.c b/crypto/evp/p_dec.c
index ef0e715d65..c71e88d9b0 100644
--- a/crypto/evp/p_dec.c
+++ b/crypto/evp/p_dec.c
@@ -7,11 +7,8 @@
  * https://www.openssl.org/source/license.html
  */
 
-/*
- * RSA low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
+/* We need to use the deprecated RSA low level calls */
+#define OPENSSL_SUPPRESS_DEPRECATED
 
 #include <stdio.h>
 #include "internal/cryptlib.h"
diff --git a/crypto/evp/p_enc.c b/crypto/evp/p_enc.c
index b149c7bbcf..4847c752ed 100644
--- a/crypto/evp/p_enc.c
+++ b/crypto/evp/p_enc.c
@@ -7,11 +7,8 @@
  * https://www.openssl.org/source/license.html
  */
 
-/*
- * RSA low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
+/* We need to use the deprecated RSA low level calls */
+#define OPENSSL_SUPPRESS_DEPRECATED
 
 #include <stdio.h>
 #include "internal/cryptlib.h"
diff --git a/crypto/evp/p_legacy.c b/crypto/evp/p_legacy.c
new file mode 100644
index 0000000000..cad4d67d73
--- /dev/null
+++ b/crypto/evp/p_legacy.c
@@ -0,0 +1,51 @@
+/*
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/*
+ * Legacy EVP_PKEY assign/set/get APIs are deprecated for public use, but
+ * still ok for internal use, particularly in providers.
+ */
+#include "internal/deprecated.h"
+
+#include <openssl/types.h>
+#include <openssl/evp.h>
+#include <openssl/err.h>
+#include <openssl/rsa.h>
+#include "crypto/types.h"
+#include "crypto/evp.h"
+#include "evp_local.h"
+
+int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, RSA *key)
+{
+    int ret = EVP_PKEY_assign_RSA(pkey, key);
+    if (ret)
+        RSA_up_ref(key);
+    return ret;
+}
+
+RSA *EVP_PKEY_get0_RSA(const EVP_PKEY *pkey)
+{
+    if (!evp_pkey_downgrade((EVP_PKEY *)pkey)) {
+        ERR_raise(ERR_LIB_EVP, EVP_R_INACCESSIBLE_KEY);
+        return NULL;
+    }
+    if (pkey->type != EVP_PKEY_RSA && pkey->type != EVP_PKEY_RSA_PSS) {
+        ERR_raise(ERR_LIB_EVP, EVP_R_EXPECTING_AN_RSA_KEY);
+        return NULL;
+    }
+    return pkey->pkey.rsa;
+}
+
+RSA *EVP_PKEY_get1_RSA(EVP_PKEY *pkey)
+{
+    RSA *ret = EVP_PKEY_get0_RSA(pkey);
+    if (ret != NULL)
+        RSA_up_ref(ret);
+    return ret;
+}
diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c
index 7a258fa31b..a0c131d0c0 100644
--- a/crypto/evp/p_lib.c
+++ b/crypto/evp/p_lib.c
@@ -784,37 +784,6 @@ const unsigned char *EVP_PKEY_get0_siphash(const EVP_PKEY *pkey, size_t *len)
 }
 # endif
 
-# ifndef OPENSSL_NO_RSA
-int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, RSA *key)
-{
-    int ret = EVP_PKEY_assign_RSA(pkey, key);
-    if (ret)
-        RSA_up_ref(key);
-    return ret;
-}
-
-RSA *EVP_PKEY_get0_RSA(const EVP_PKEY *pkey)
-{
-    if (!evp_pkey_downgrade((EVP_PKEY *)pkey)) {
-        ERR_raise(ERR_LIB_EVP, EVP_R_INACCESSIBLE_KEY);
-        return NULL;
-    }
-    if (pkey->type != EVP_PKEY_RSA && pkey->type != EVP_PKEY_RSA_PSS) {
-        ERR_raise(ERR_LIB_EVP, EVP_R_EXPECTING_AN_RSA_KEY);
-        return NULL;
-    }
-    return pkey->pkey.rsa;
-}
-
-RSA *EVP_PKEY_get1_RSA(EVP_PKEY *pkey)
-{
-    RSA *ret = EVP_PKEY_get0_RSA(pkey);
-    if (ret != NULL)
-        RSA_up_ref(ret);
-    return ret;
-}
-# endif
-
 # ifndef OPENSSL_NO_DSA
 DSA *EVP_PKEY_get0_DSA(const EVP_PKEY *pkey)
 {
diff --git a/crypto/pem/pem_all.c b/crypto/pem/pem_all.c
index 8d5b25156c..ea758f04be 100644
--- a/crypto/pem/pem_all.c
+++ b/crypto/pem/pem_all.c
@@ -45,7 +45,8 @@ IMPLEMENT_PEM_rw(PKCS7, PKCS7, PEM_STRING_PKCS7, PKCS7)
 
 IMPLEMENT_PEM_rw(NETSCAPE_CERT_SEQUENCE, NETSCAPE_CERT_SEQUENCE,
                  PEM_STRING_X509, NETSCAPE_CERT_SEQUENCE)
-#ifndef OPENSSL_NO_RSA
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+# ifndef OPENSSL_NO_RSA
 /*
  * We treat RSA or DSA private keys as a special case. For private keys we
  * read in an EVP_PKEY structure with PEM_read_bio_PrivateKey() and extract
@@ -76,7 +77,7 @@ RSA *PEM_read_bio_RSAPrivateKey(BIO *bp, RSA **rsa, pem_password_cb *cb,
     return pkey_get_rsa(pktmp, rsa);
 }
 
-# ifndef OPENSSL_NO_STDIO
+#  ifndef OPENSSL_NO_STDIO
 
 RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **rsa, pem_password_cb *cb, void *u)
 {
@@ -85,11 +86,12 @@ RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **rsa, pem_password_cb *cb, void *u)
     return pkey_get_rsa(pktmp, rsa);
 }
 
-# endif
+#  endif
 
 IMPLEMENT_PEM_write_cb(RSAPrivateKey, RSA, PEM_STRING_RSA, RSAPrivateKey)
 IMPLEMENT_PEM_rw(RSAPublicKey, RSA, PEM_STRING_RSA_PUBLIC, RSAPublicKey)
 IMPLEMENT_PEM_rw(RSA_PUBKEY, RSA, PEM_STRING_PUBLIC, RSA_PUBKEY)
+# endif
 #endif
 #ifndef OPENSSL_NO_DSA
 static DSA *pkey_get_dsa(EVP_PKEY *key, DSA **dsa)
diff --git a/crypto/pem/pem_local.h b/crypto/pem/pem_local.h
index 10761b03d3..7de2a71045 100644
--- a/crypto/pem/pem_local.h
+++ b/crypto/pem/pem_local.h
@@ -39,6 +39,9 @@
 # define PEM_STRUCTURE_PrivateKey "pkcs8"
 # define PEM_STRUCTURE_Parameters "type-specific"
 
+# define PEM_STRUCTURE_RSAPrivateKey "type-specific"
+# define PEM_STRUCTURE_RSAPublicKey "type-specific"
+
 /* Alternative IMPLEMENT macros for provided encoders */
 
 # define IMPLEMENT_PEM_provided_write_body_vars(type, asn1)             \
diff --git a/crypto/rsa/rsa_backend.c b/crypto/rsa/rsa_backend.c
index f64fb34d52..2f430b34d4 100644
--- a/crypto/rsa/rsa_backend.c
+++ b/crypto/rsa/rsa_backend.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * RSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <string.h>
 #include <openssl/core_names.h>
 #include <openssl/params.h>
diff --git a/crypto/rsa/rsa_local.h b/crypto/rsa/rsa_local.h
index 60e590998b..49a0071031 100644
--- a/crypto/rsa/rsa_local.h
+++ b/crypto/rsa/rsa_local.h
@@ -10,7 +10,6 @@
 #ifndef OSSL_CRYPTO_RSA_LOCAL_H
 #define OSSL_CRYPTO_RSA_LOCAL_H
 
-#include "crypto/rsa.h"
 #include "internal/refcount.h"
 #include "crypto/rsa.h"
 
diff --git a/doc/man3/d2i_RSAPrivateKey.pod b/doc/man3/d2i_RSAPrivateKey.pod
new file mode 100644
index 0000000000..e7cf3989ab
--- /dev/null
+++ b/doc/man3/d2i_RSAPrivateKey.pod
@@ -0,0 +1,242 @@
+=pod
+
+=begin comment
+
+Any deprecated keypair function from d2i_X509.pod are collected in this file.
+
+=end comment
+
+=head1 NAME
+
+d2i_RSAPrivateKey,
+d2i_RSAPrivateKey_bio,
+d2i_RSAPrivateKey_fp,
+d2i_RSAPublicKey,
+d2i_RSAPublicKey_bio,
+d2i_RSAPublicKey_fp,
+d2i_RSA_PUBKEY,
+d2i_RSA_PUBKEY_bio,
+d2i_RSA_PUBKEY_fp,
+i2d_RSAPrivateKey,
+i2d_RSAPrivateKey_bio,
+i2d_RSAPrivateKey_fp,
+i2d_RSAPublicKey,
+i2d_RSAPublicKey_bio,
+i2d_RSAPublicKey_fp,
+i2d_RSA_PUBKEY,
+i2d_RSA_PUBKEY_bio,
+i2d_RSA_PUBKEY_fp
+- DEPRECATED
+
+=head1 SYNOPSIS
+
+=for openssl generic
+
+Deprecated since OpenSSL 3.0, can be hidden entirely by defining
+B<OPENSSL_API_COMPAT> with a suitable version value, see
+L<openssl_user_macros(7)>:
+
+ TYPE *d2i_TYPEPrivateKey(TYPE **a, const unsigned char **ppin, long length);
+ TYPE *d2i_TYPEPrivateKey_bio(BIO *bp, TYPE **a);
+ TYPE *d2i_TYPEPrivateKey_fp(FILE *fp, TYPE **a);
+ TYPE *d2i_TYPEPublicKey(TYPE **a, const unsigned char **ppin, long length);
+ TYPE *d2i_TYPEPublicKey_bio(BIO *bp, TYPE **a);
+ TYPE *d2i_TYPEPublicKey_fp(FILE *fp, TYPE **a);
+ TYPE *d2i_TYPEparams(TYPE **a, const unsigned char **ppin, long length);
+ TYPE *d2i_TYPEparams_bio(BIO *bp, TYPE **a);
+ TYPE *d2i_TYPEparams_fp(FILE *fp, TYPE **a);
+ TYPE *d2i_TYPE_PUBKEY(TYPE **a, const unsigned char **ppin, long length);
+ TYPE *d2i_TYPE_PUBKEY_bio(BIO *bp, TYPE **a);
+ TYPE *d2i_TYPE_PUBKEY_fp(FILE *fp, TYPE **a);
+
+ int i2d_TYPEPrivateKey(const TYPE *a, unsigned char **ppout);
+ int i2d_TYPEPrivateKey(TYPE *a, unsigned char **ppout);
+ int i2d_TYPEPrivateKey_fp(FILE *fp, const TYPE *a);
+ int i2d_TYPEPrivateKey_fp(FILE *fp, TYPE *a);
+ int i2d_TYPEPrivateKey_bio(BIO *bp, const TYPE *a);
+ int i2d_TYPEPrivateKey_bio(BIO *bp, TYPE *a);
+ int i2d_TYPEPublicKey(const TYPE *a, unsigned char **ppout);
+ int i2d_TYPEPublicKey(TYPE *a, unsigned char **ppout);
+ int i2d_TYPEPublicKey_fp(FILE *fp, const TYPE *a);
+ int i2d_TYPEPublicKey_fp(FILE *fp, TYPE *a);
+ int i2d_TYPEPublicKey_bio(BIO *bp, const TYPE *a);
+ int i2d_TYPEPublicKey_bio(BIO *bp, TYPE *a);
+ int i2d_TYPEparams(const TYPE *a, unsigned char **ppout);
+ int i2d_TYPEparams(TYPE *a, unsigned char **ppout);
+ int i2d_TYPEparams_fp(FILE *fp, const TYPE *a);
+ int i2d_TYPEparams_fp(FILE *fp, TYPE *a);
+ int i2d_TYPEparams_bio(BIO *bp, const TYPE *a);
+ int i2d_TYPEparams_bio(BIO *bp, TYPE *a);
+ int i2d_TYPE_PUBKEY(const TYPE *a, unsigned char **ppout);
+ int i2d_TYPE_PUBKEY(TYPE *a, unsigned char **ppout);
+ int i2d_TYPE_PUBKEY_fp(FILE *fp, const TYPE *a);
+ int i2d_TYPE_PUBKEY_fp(FILE *fp, TYPE *a);
+ int i2d_TYPE_PUBKEY_bio(BIO *bp, const TYPE *a);
+ int i2d_TYPE_PUBKEY_bio(BIO *bp, TYPE *a);
+
+=head1 DESCRIPTION
+
+All functions described here are deprecated.  Please use L<OSSL_DECODER(3)>
+instead of the B<d2i> functions and L<OSSL_ENCODER(3)> instead of the B<i2d>
+functions.  See L</Migration> below.
+
+In the description here, B<I<TYPE>> is used a placeholder for any of the
+OpenSSL datatypes, such as B<RSA>.
+The function parameters I<ppin> and I<ppout> are generally either both named
+I<pp> in the headers, or I<in> and I<out>.
+
+All the functions here behave the way that's described in L<d2i_X509(3)>.
+
+Please note that not all functions in the synopsis are available for all key
+types.  For example, there are no d2i_RSAparams() or i2d_RSAparams(),
+because the PKCS#1 B<RSA> structure doesn't include any key parameters.
+
+B<d2i_I<TYPE>PrivateKey>() and derivates thereof decode DER encoded
+B<I<TYPE>> private key data organized in a type specific structure.
+
+B<d2i_I<TYPE>PublicKey>() and derivates thereof decode DER encoded
+B<I<TYPE>> public key data organized in a type specific structure.
+
+B<d2i_I<TYPE>params>() and derivates thereof decode DER encoded B<I<TYPE>>
+key parameters organized in a type specific structure.
+
+B<d2i_I<TYPE>_PUBKEY>() and derivates thereof decode DER encoded B<I<TYPE>>
+public key data organized in a B<SubjectPublicKeyInfo> structure.
+
+B<i2d_I<TYPE>PrivateKey>() and derivates thereof encode the private key
+B<I<TYPE>> data into a type specific DER encoded structure.
+
+B<i2d_I<TYPE>PublicKey>() and derivates thereof encode the public key
+B<I<TYPE>> data into a type specific DER encoded structure.
+
+B<i2d_I<TYPE>params>() and derivates thereof encode the B<I<TYPE>> key
+parameters data into a type specific DER encoded structure.
+
+B<i2d_I<TYPE>_PUBKEY>() and derivates thereof encode the public key
+B<I<TYPE>> data into a DER encoded B<SubjectPublicKeyInfo> structure.
+
+For example, d2i_RSAPrivateKey() and d2i_RSAPublicKey() expects the
+structure defined by PKCS#1.
+Similarly, i2d_RSAPrivateKey() and  i2d_RSAPublicKey() produce DER encoded
+string organized according to PKCS#1.
+
+=head2 Migration
+
+Migration from the diverse B<I<TYPE>>s requires using corresponding new
+OpenSSL types.  For all B<I<TYPE>>s described here, the corresponding new
+type is B<EVP_PKEY>.  The rest of this section assumes that this has been
+done, exactly how to do that is described elsewhere.
+
+There are two migration paths:
+
+=over 4
+
+=item *
+
+Replace
+b<d2i_I<TYPE>PrivateKey()> with L<d2i_PrivateKey(3)>, 
+b<d2i_I<TYPE>PublicKey()> with L<d2i_PublicKey(3)>, 
+b<d2i_I<TYPE>params()> with L<d2i_KeyParams(3)>, 
+b<d2i_I<TYPE>_PUBKEY()> with L<d2i_PUBKEY(3)>, 
+b<i2d_I<TYPE>PrivateKey()> with L<i2d_PrivateKey(3)>, 
+b<i2d_I<TYPE>PublicKey()> with L<i2d_PublicKey(3)>, 
+b<i2d_I<TYPE>params()> with L<i2d_KeyParams(3)>, 
+b<i2d_I<TYPE>_PUBKEY()> with L<i2d_PUBKEY(3)>.
+A caveat is that L<i2d_PrivateKey(3)> may output a DER encoded PKCS#8
+outermost structure instead of the type specific structure, and that
+L<d2i_PrivateKey(3)> recognises and unpacks a PKCS#8 structures.
+
+=item *
+
+Use L<OSSL_DECODER(3)> and L<OSSL_ENCODER(3)>.  How to migrate is described
+below.  All those descriptions assume that the key to be encoded is in the
+variable I<pkey>.
+
+=back
+
+=head3 Migrating B<i2d> functions to B<OSSL_ENCODER>
+
+The exact L<OSSL_ENCODER(3)> output is driven by arguments rather than by
+function names.  The sample code to get DER encoded output in a type
+specific structure is uniform, the only things that vary are the selection
+of what part of the B<EVP_PKEY> should be output, and the structure.  The
+B<i2d> functions names can therefore be translated into two variables,
+I<selection> and I<structure> as follows:
+
+=over 4
+
+=item B<i2d_I<TYPE>PrivateKey>() translates into:
+
+ int selection = EVP_PKEY_PRIVATE_KEY;
+ const char *structure = "type-specific";
+
+=item B<i2d_I<TYPE>PublicKey>() translates into:
+
+ int selection = EVP_PKEY_PUBLIC_KEY;
+ const char *structure = "type-specific";
+
+=item B<i2d_I<TYPE>params>() translates into:
+
+ int selection = EVP_PKEY_PARAMETERS;
+ const char *structure = "type-specific";
+
+=item B<i2d_I<TYPE>_PUBKEY>() translates into:
+
+ int selection = EVP_PKEY_PUBLIC_KEY;
+ const char *structure = "SubjectPublicKeyInfo";
+
+=back
+
+The following sample code does the rest of the work:
+
+ unsigned char *p = buffer;     /* |buffer| is supplied by the caller */
+ size_t len = buffer_size;      /* assumed be the size of |buffer| */
+ OSSL_ENCODER_CTX *ctx =
+     OSSL_ENCODER_CTX_new_by_EVP_PKEY(pkey, selection, "DER", structure,
+                                      NULL, NULL);
+ if (ctx == NULL) {
+     /* fatal error handling */
+ }
+ if (OSSL_ENCODER_CTX_get_num_encoders(ctx) == 0) {
+     OSSL_ENCODER_CTX_free(ctx);
+     /* non-fatal error handling */
+ }
+ if (!OSSL_ENCODER_to_data(ctx, &p, &len)) {
+     OSSL_ENCODER_CTX_free(ctx);
+     /* error handling */
+ }
+ OSSL_ENCODER_CTX_free(ctx);
+
+=for comment TODO: a similar section on OSSL_DECODER is to be added
+
+=head1 RETURN VALUES
+
+B<d2i_I<TYPE>>(), B<d2i_I<TYPE>_bio>() and B<d2i_I<TYPE>_fp>() return a valid
+B<I<TYPE>> structure or NULL if an error occurs.  If the "reuse" capability has
+been used with a valid structure being passed in via I<a>, then the object is
+freed in the event of error and I<*a> is set to NULL.
+
+B<i2d_I<TYPE>>() returns the number of bytes successfully encoded or a negative
+value if an error occurs.
+
+B<i2d_I<TYPE>_bio>() and B<i2d_I<TYPE>_fp>() return 1 for success and 0 if an
+error occurs.
+
+=head1 SEE ALSO
+
+L<OSSL_ENCODER(3)>, L<OSSL_DECODER(3)>,
+L<d2i_PrivateKey(3)>, L<d2i_PublicKey(3)>, L<d2i_KeyParams(3)>,
+L<d2i_PUBKEY(3)>,
+L<i2d_PrivateKey(3)>, L<i2d_PublicKey(3)>, L<i2d_KeyParams(3)>,
+L<i2d_PUBKEY(3)>
+
+=head1 COPYRIGHT
+
+Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/d2i_X509.pod b/doc/man3/d2i_X509.pod
index a46977bc93..0b3414ba8f 100644
--- a/doc/man3/d2i_X509.pod
+++ b/doc/man3/d2i_X509.pod
@@ -1,5 +1,12 @@
 =pod
 
+=begin comment
+
+Any keypair function here that gets deprecated should be moved to
+d2i_RSAPrivateKey.pod.
+
+=end comment
+
 =head1 NAME
 
 d2i_ACCESS_DESCRIPTION,
@@ -141,17 +148,8 @@ d2i_POLICYQUALINFO,
 d2i_PROFESSION_INFO,
 d2i_PROXY_CERT_INFO_EXTENSION,
 d2i_PROXY_POLICY,
-d2i_RSAPrivateKey,
-d2i_RSAPrivateKey_bio,
-d2i_RSAPrivateKey_fp,
-d2i_RSAPublicKey,
-d2i_RSAPublicKey_bio,
-d2i_RSAPublicKey_fp,
 d2i_RSA_OAEP_PARAMS,
 d2i_RSA_PSS_PARAMS,
-d2i_RSA_PUBKEY,
-d2i_RSA_PUBKEY_bio,
-d2i_RSA_PUBKEY_fp,
 d2i_SCRYPT_PARAMS,
 d2i_SCT_LIST,
 d2i_SXNET,
@@ -337,17 +335,8 @@ i2d_POLICYQUALINFO,
 i2d_PROFESSION_INFO,
 i2d_PROXY_CERT_INFO_EXTENSION,
 i2d_PROXY_POLICY,
-i2d_RSAPrivateKey,
-i2d_RSAPrivateKey_bio,
-i2d_RSAPrivateKey_fp,
-i2d_RSAPublicKey,
-i2d_RSAPublicKey_bio,
-i2d_RSAPublicKey_fp,
 i2d_RSA_OAEP_PARAMS,
 i2d_RSA_PSS_PARAMS,
-i2d_RSA_PUBKEY,
-i2d_RSA_PUBKEY_bio,
-i2d_RSA_PUBKEY_fp,
 i2d_SCRYPT_PARAMS,
 i2d_SCT_LIST,
 i2d_SXNET,
@@ -411,7 +400,7 @@ i2d_X509_VAL,
 =head1 DESCRIPTION
 
 In the description here, B<I<TYPE>> is used a placeholder
-for any of the OpenSSL datatypes, such as I<X509_CRL>.
+for any of the OpenSSL datatypes, such as B<X509_CRL>.
 The function parameters I<ppin> and I<ppout> are generally
 either both named I<pp> in the headers, or I<in> and I<out>.
 
@@ -512,10 +501,6 @@ L<PEM_write_PrivateKey(3)>, or similar instead.
 
 Represents an ECDSA signature.
 
-=item B<RSAPublicKey>
-
-Represents a PKCS#1 RSA public key structure.
-
 =item B<X509_ALGOR>
 
 Represents an B<AlgorithmIdentifier> structure as used in IETF RFC 6960 and
diff --git a/fuzz/asn1.c b/fuzz/asn1.c
index 8fe8583815..9a4e454b2f 100644
--- a/fuzz/asn1.c
+++ b/fuzz/asn1.c
@@ -169,9 +169,11 @@ static ASN1_ITEM_EXP *item_type[] = {
     ASN1_ITEM_ref(PROXY_CERT_INFO_EXTENSION),
     ASN1_ITEM_ref(PROXY_POLICY),
     ASN1_ITEM_ref(RSA_OAEP_PARAMS),
-    ASN1_ITEM_ref(RSAPrivateKey),
     ASN1_ITEM_ref(RSA_PSS_PARAMS),
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+    ASN1_ITEM_ref(RSAPrivateKey),
     ASN1_ITEM_ref(RSAPublicKey),
+#endif
     ASN1_ITEM_ref(SXNET),
     ASN1_ITEM_ref(SXNETID),
     ASN1_ITEM_ref(USERNOTICE),
@@ -339,7 +341,9 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
     DO_TEST_NO_PRINT(DSA, d2i_DSAPublicKey, i2d_DSAPublicKey);
     DO_TEST_NO_PRINT(DSA, d2i_DSAparams, i2d_DSAparams);
 #endif
+#ifndef OPENSSL_NO_DEPRECATED_3_0
     DO_TEST_NO_PRINT(RSA, d2i_RSAPublicKey, i2d_RSAPublicKey);
+#endif
 #ifndef OPENSSL_NO_EC
     DO_TEST_PRINT_OFFSET(EC_GROUP, d2i_ECPKParameters, i2d_ECPKParameters, ECPKParameters_print);
     DO_TEST_PRINT_OFFSET(EC_KEY, d2i_ECPrivateKey, i2d_ECPrivateKey, EC_KEY_print);
diff --git a/fuzz/server.c b/fuzz/server.c
index 8123c90994..4055b58222 100644
--- a/fuzz/server.c
+++ b/fuzz/server.c
@@ -12,6 +12,9 @@
 
 /* Test first part of SSL server handshake. */
 
+/* We need to use the deprecated RSA low level calls */
+#define OPENSSL_SUPPRESS_DEPRECATED
+
 #include <time.h>
 #include <openssl/rand.h>
 #include <openssl/ssl.h>
@@ -92,6 +95,7 @@ static const uint8_t kCertificateDER[] = {
     0x76, 0x8a, 0xbb,
 };
 
+#ifndef OPENSSL_NO_DEPRECATED_3_0
 static const uint8_t kRSAPrivateKeyDER[] = {
     0x30, 0x82, 0x04, 0xa5, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00,
     0xce, 0x47, 0xcb, 0x11, 0xbb, 0xd2, 0x9d, 0x8e, 0x9e, 0xd2, 0x1e, 0x14,
@@ -194,6 +198,7 @@ static const uint8_t kRSAPrivateKeyDER[] = {
     0xb2, 0xc6, 0xb2, 0x0a, 0x2a, 0x7c, 0x6d, 0x6a, 0x40, 0xfc, 0xf5, 0x50,
     0x98, 0x46, 0x89, 0x82, 0x40,
 };
+#endif
 
 
 #ifndef OPENSSL_NO_EC
@@ -512,7 +517,9 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
 #endif
     SSL_CTX *ctx;
     int ret;
+#ifndef OPENSSL_NO_DEPRECATED_3_0
     RSA *privkey;
+#endif
     const uint8_t *bufp;
     EVP_PKEY *pkey;
     X509 *cert;
@@ -539,6 +546,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
     ret = SSL_CTX_set_cipher_list(ctx, "ALL:eNULL:@SECLEVEL=0");
     OPENSSL_assert(ret == 1);
 
+#ifndef OPENSSL_NO_DEPRECATED_3_0
     /* RSA */
     bufp = kRSAPrivateKeyDER;
     privkey = d2i_RSAPrivateKey(NULL, &bufp, sizeof(kRSAPrivateKeyDER));
@@ -548,6 +556,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
     ret = SSL_CTX_use_PrivateKey(ctx, pkey);
     OPENSSL_assert(ret == 1);
     EVP_PKEY_free(pkey);
+#endif
 
     bufp = kCertificateDER;
     cert = d2i_X509(NULL, &bufp, sizeof(kCertificateDER));
diff --git a/include/crypto/rsa.h b/include/crypto/rsa.h
index 1ee1991f57..ede11cfd41 100644
--- a/include/crypto/rsa.h
+++ b/include/crypto/rsa.h
@@ -12,6 +12,7 @@
 
 # include <openssl/core.h>
 # include <openssl/rsa.h>
+# include "crypto/types.h"
 
 typedef struct rsa_pss_params_30_st {
     int hash_algorithm_nid;
diff --git a/include/internal/asn1.h b/include/crypto/types.h
similarity index 67%
copy from include/internal/asn1.h
copy to include/crypto/types.h
index 8448786919..ccb75e3cbf 100644
--- a/include/internal/asn1.h
+++ b/include/crypto/types.h
@@ -7,9 +7,10 @@
  * https://www.openssl.org/source/license.html
  */
 
-#ifndef OSSL_INTERNAL_ASN1_H
-# define OSSL_INTERNAL_ASN1_H
-
-int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb);
+/* When removal is simulated, we still need the type internally */
 
+#ifdef OPENSSL_NO_DEPRECATED_3_0
+typedef struct rsa_st RSA;
+typedef struct rsa_meth_st RSA_METHOD;
 #endif
+
diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index 0dcb56e078..3f39e9ef4a 100644
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -457,9 +457,11 @@ typedef int (EVP_PBE_KEYGEN) (EVP_CIPHER_CTX *ctx, const char *pass,
                               const EVP_CIPHER *cipher, const EVP_MD *md,
                               int en_de);
 
-# ifndef OPENSSL_NO_RSA
-#  define EVP_PKEY_assign_RSA(pkey,rsa) EVP_PKEY_assign((pkey),EVP_PKEY_RSA,\
-                                                        (rsa))
+# ifndef OPENSSL_NO_DEPRECATED_3_0
+#  ifndef OPENSSL_NO_RSA
+#   define EVP_PKEY_assign_RSA(pkey,rsa) EVP_PKEY_assign((pkey),EVP_PKEY_RSA,\
+                                                         (rsa))
+#  endif
 # endif
 
 # ifndef OPENSSL_NO_DSA
@@ -1211,11 +1213,16 @@ const unsigned char *EVP_PKEY_get0_poly1305(const EVP_PKEY *pkey, size_t *len);
 const unsigned char *EVP_PKEY_get0_siphash(const EVP_PKEY *pkey, size_t *len);
 # endif
 
-# ifndef OPENSSL_NO_RSA
+# ifndef OPENSSL_NO_DEPRECATED_3_0
+#  ifndef OPENSSL_NO_RSA
 struct rsa_st;
+OSSL_DEPRECATEDIN_3_0
 int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, struct rsa_st *key);
+OSSL_DEPRECATEDIN_3_0
 struct rsa_st *EVP_PKEY_get0_RSA(const EVP_PKEY *pkey);
+OSSL_DEPRECATEDIN_3_0
 struct rsa_st *EVP_PKEY_get1_RSA(EVP_PKEY *pkey);
+#  endif
 # endif
 # ifndef OPENSSL_NO_DSA
 struct dsa_st;
diff --git a/include/openssl/pem.h b/include/openssl/pem.h
index 3066918b27..3dcf97e36c 100644
--- a/include/openssl/pem.h
+++ b/include/openssl/pem.h
@@ -373,10 +373,12 @@ DECLARE_PEM_rw(PKCS7, PKCS7)
 DECLARE_PEM_rw(NETSCAPE_CERT_SEQUENCE, NETSCAPE_CERT_SEQUENCE)
 DECLARE_PEM_rw(PKCS8, X509_SIG)
 DECLARE_PEM_rw(PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO)
-# ifndef OPENSSL_NO_RSA
-DECLARE_PEM_rw_cb(RSAPrivateKey, RSA)
-DECLARE_PEM_rw(RSAPublicKey, RSA)
-DECLARE_PEM_rw(RSA_PUBKEY, RSA)
+# ifndef OPENSSL_NO_DEPRECATED_3_0
+#  ifndef OPENSSL_NO_RSA
+DECLARE_PEM_rw_cb_attr(OSSL_DEPRECATEDIN_3_0, RSAPrivateKey, RSA)
+DECLARE_PEM_rw_attr(OSSL_DEPRECATEDIN_3_0, RSAPublicKey, RSA)
+DECLARE_PEM_rw_attr(OSSL_DEPRECATEDIN_3_0, RSA_PUBKEY, RSA)
+#  endif
 # endif
 # ifndef OPENSSL_NO_DSA
 DECLARE_PEM_rw_cb(DSAPrivateKey, DSA)
diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h
index 24b2a7eb55..2681d1a543 100644
--- a/include/openssl/rsa.h
+++ b/include/openssl/rsa.h
@@ -37,6 +37,9 @@ extern "C" {
 #   define OPENSSL_RSA_MAX_MODULUS_BITS   16384
 #  endif
 
+#  define RSA_3   0x3L
+#  define RSA_F4  0x10001L
+
 #  ifndef OPENSSL_NO_DEPRECATED_3_0
 /* The types RSA and RSA_METHOD are defined in ossl_typ.h */
 
@@ -50,24 +53,13 @@ extern "C" {
 #   ifndef OPENSSL_RSA_MAX_PUBEXP_BITS
 #    define OPENSSL_RSA_MAX_PUBEXP_BITS    64
 #   endif
-#  endif /* OPENSSL_NO_DEPRECATED_3_0 */
-
-#  define RSA_3   0x3L
-#  define RSA_F4  0x10001L
-
-#  ifndef OPENSSL_NO_DEPRECATED_3_0
 /* based on RFC 8017 appendix A.1.2 */
 #   define RSA_ASN1_VERSION_DEFAULT        0
 #   define RSA_ASN1_VERSION_MULTI          1
 
 #   define RSA_DEFAULT_PRIME_NUM           2
-#  endif /* OPENSSL_NO_DEPRECATED_3_0 */
 
-/* Don't check pub/private match */
-/* TODO(3.0): deprecate this? It is exposed for sls/t1_lib.c's use */
-#  define RSA_METHOD_FLAG_NO_CHECK        0x0001
-
-#  ifndef OPENSSL_NO_DEPRECATED_3_0
+#   define RSA_METHOD_FLAG_NO_CHECK        0x0001
 #   define RSA_FLAG_CACHE_PUBLIC           0x0002
 #   define RSA_FLAG_CACHE_PRIVATE          0x0004
 #   define RSA_FLAG_BLINDING               0x0008
@@ -132,11 +124,13 @@ int EVP_PKEY_CTX_set_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int saltlen);
 int EVP_PKEY_CTX_get_rsa_pss_saltlen(EVP_PKEY_CTX *ctx, int *saltlen);
 
 int EVP_PKEY_CTX_set_rsa_keygen_bits(EVP_PKEY_CTX *ctx, int bits);
-DEPRECATEDIN_3_0(int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx,
-                                                        BIGNUM *pubexp))
 int EVP_PKEY_CTX_set1_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp);
 int EVP_PKEY_CTX_set_rsa_keygen_primes(EVP_PKEY_CTX *ctx, int primes);
 int EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(EVP_PKEY_CTX *ctx, int saltlen);
+#  ifndef OPENSSL_NO_DEPRECATED_3_0
+OSSL_DEPRECATEDIN_3_0
+int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp);
+#  endif
 
 /* Salt length matches digest */
 #  define RSA_PSS_SALTLEN_DIGEST -1
@@ -206,99 +200,113 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label);
 #  define RSA_set_app_data(s,arg)         RSA_set_ex_data(s,0,arg)
 #  define RSA_get_app_data(s)             RSA_get_ex_data(s,0)
 
-RSA *RSA_new(void);
-DEPRECATEDIN_3_0(RSA *RSA_new_method(ENGINE *engine))
-int RSA_bits(const RSA *rsa);
-DEPRECATEDIN_3_0(int RSA_size(const RSA *rsa))
-DEPRECATEDIN_3_0(int RSA_security_bits(const RSA *rsa))
-
-int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
-int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q);
-int RSA_set0_crt_params(RSA *r,BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp);
-int RSA_set0_multi_prime_params(RSA *r, BIGNUM *primes[], BIGNUM *exps[],
-                                BIGNUM *coeffs[], int pnum);
-void RSA_get0_key(const RSA *r,
-                  const BIGNUM **n, const BIGNUM **e, const BIGNUM **d);
-void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q);
-int RSA_get_multi_prime_extra_count(const RSA *r);
-int RSA_get0_multi_prime_factors(const RSA *r, const BIGNUM *primes[]);
-void RSA_get0_crt_params(const RSA *r,
-                         const BIGNUM **dmp1, const BIGNUM **dmq1,
-                         const BIGNUM **iqmp);
+#  ifndef OPENSSL_NO_DEPRECATED_3_0
+OSSL_DEPRECATEDIN_3_0 RSA *RSA_new(void);
+OSSL_DEPRECATEDIN_3_0 RSA *RSA_new_method(ENGINE *engine);
+OSSL_DEPRECATEDIN_3_0 int RSA_bits(const RSA *rsa);
+OSSL_DEPRECATEDIN_3_0 int RSA_size(const RSA *rsa);
+OSSL_DEPRECATEDIN_3_0 int RSA_security_bits(const RSA *rsa);
+
+OSSL_DEPRECATEDIN_3_0 int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
+OSSL_DEPRECATEDIN_3_0 int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q);
+OSSL_DEPRECATEDIN_3_0 int RSA_set0_crt_params(RSA *r,
+                                              BIGNUM *dmp1, BIGNUM *dmq1,
+                                              BIGNUM *iqmp);
+OSSL_DEPRECATEDIN_3_0 int RSA_set0_multi_prime_params(RSA *r,
+                                                      BIGNUM *primes[],
+                                                      BIGNUM *exps[],
+                                                      BIGNUM *coeffs[],
+                                                      int pnum);
+OSSL_DEPRECATEDIN_3_0 void RSA_get0_key(const RSA *r,
+                                        const BIGNUM **n, const BIGNUM **e,
+                                        const BIGNUM **d);
+OSSL_DEPRECATEDIN_3_0 void RSA_get0_factors(const RSA *r,
+                                            const BIGNUM **p, const BIGNUM **q);
+OSSL_DEPRECATEDIN_3_0 int RSA_get_multi_prime_extra_count(const RSA *r);
+OSSL_DEPRECATEDIN_3_0 int RSA_get0_multi_prime_factors(const RSA *r,
+                                                       const BIGNUM *primes[]);
+OSSL_DEPRECATEDIN_3_0 void RSA_get0_crt_params(const RSA *r,
+                                               const BIGNUM **dmp1,
+                                               const BIGNUM **dmq1,
+                                               const BIGNUM **iqmp);
+OSSL_DEPRECATEDIN_3_0
 int RSA_get0_multi_prime_crt_params(const RSA *r, const BIGNUM *exps[],
                                     const BIGNUM *coeffs[]);
-const BIGNUM *RSA_get0_n(const RSA *d);
-const BIGNUM *RSA_get0_e(const RSA *d);
-const BIGNUM *RSA_get0_d(const RSA *d);
-const BIGNUM *RSA_get0_p(const RSA *d);
-const BIGNUM *RSA_get0_q(const RSA *d);
-const BIGNUM *RSA_get0_dmp1(const RSA *r);
-const BIGNUM *RSA_get0_dmq1(const RSA *r);
-const BIGNUM *RSA_get0_iqmp(const RSA *r);
-DEPRECATEDIN_3_0(const RSA_PSS_PARAMS *RSA_get0_pss_params(const RSA *r))
-void RSA_clear_flags(RSA *r, int flags);
-int RSA_test_flags(const RSA *r, int flags);
-void RSA_set_flags(RSA *r, int flags);
-DEPRECATEDIN_3_0(int RSA_get_version(RSA *r))
-DEPRECATEDIN_3_0(ENGINE *RSA_get0_engine(const RSA *r))
+OSSL_DEPRECATEDIN_3_0 const BIGNUM *RSA_get0_n(const RSA *d);
+OSSL_DEPRECATEDIN_3_0 const BIGNUM *RSA_get0_e(const RSA *d);
+OSSL_DEPRECATEDIN_3_0 const BIGNUM *RSA_get0_d(const RSA *d);
+OSSL_DEPRECATEDIN_3_0 const BIGNUM *RSA_get0_p(const RSA *d);
+OSSL_DEPRECATEDIN_3_0 const BIGNUM *RSA_get0_q(const RSA *d);
+OSSL_DEPRECATEDIN_3_0 const BIGNUM *RSA_get0_dmp1(const RSA *r);
+OSSL_DEPRECATEDIN_3_0 const BIGNUM *RSA_get0_dmq1(const RSA *r);
+OSSL_DEPRECATEDIN_3_0 const BIGNUM *RSA_get0_iqmp(const RSA *r);
+OSSL_DEPRECATEDIN_3_0 const RSA_PSS_PARAMS *RSA_get0_pss_params(const RSA *r);
+OSSL_DEPRECATEDIN_3_0 void RSA_clear_flags(RSA *r, int flags);
+OSSL_DEPRECATEDIN_3_0 int RSA_test_flags(const RSA *r, int flags);
+OSSL_DEPRECATEDIN_3_0 void RSA_set_flags(RSA *r, int flags);
+OSSL_DEPRECATEDIN_3_0 int RSA_get_version(RSA *r);
+OSSL_DEPRECATEDIN_3_0 ENGINE *RSA_get0_engine(const RSA *r);
 
 /* Deprecated version */
-DEPRECATEDIN_0_9_8(RSA *RSA_generate_key(int bits, unsigned long e, void
-                                         (*callback) (int, int, void *),
-                                         void *cb_arg))
+OSSL_DEPRECATEDIN_0_9_8 RSA *RSA_generate_key(int bits, unsigned long e, void
+                                              (*callback) (int, int, void *),
+                                              void *cb_arg);
 
 /* New version */
-DEPRECATEDIN_3_0(int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e,
-                                         BN_GENCB *cb))
+OSSL_DEPRECATEDIN_3_0 int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e,
+                                              BN_GENCB *cb);
 /* Multi-prime version */
-DEPRECATEDIN_3_0(int RSA_generate_multi_prime_key(RSA *rsa, int bits,
-                                                  int primes, BIGNUM *e,
-                                                  BN_GENCB *cb))
-
-DEPRECATEDIN_3_0(int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2,
-                                        BIGNUM *q1, BIGNUM *q2,
-                                        const BIGNUM *Xp1, const BIGNUM *Xp2,
-                                        const BIGNUM *Xp, const BIGNUM *Xq1,
-                                        const BIGNUM *Xq2, const BIGNUM *Xq,
-                                        const BIGNUM *e, BN_GENCB *cb))
-DEPRECATEDIN_3_0(int RSA_X931_generate_key_ex(RSA *rsa, int bits,
-                                              const BIGNUM *e, BN_GENCB *cb))
-
-DEPRECATEDIN_3_0(int RSA_check_key(const RSA *))
-DEPRECATEDIN_3_0(int RSA_check_key_ex(const RSA *, BN_GENCB *cb))
+OSSL_DEPRECATEDIN_3_0 int RSA_generate_multi_prime_key(RSA *rsa, int bits,
+                                                       int primes, BIGNUM *e,
+                                                       BN_GENCB *cb);
+
+OSSL_DEPRECATEDIN_3_0
+int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2,
+                       BIGNUM *q1, BIGNUM *q2,
+                       const BIGNUM *Xp1, const BIGNUM *Xp2,
+                       const BIGNUM *Xp, const BIGNUM *Xq1,
+                       const BIGNUM *Xq2, const BIGNUM *Xq,
+                       const BIGNUM *e, BN_GENCB *cb);
+OSSL_DEPRECATEDIN_3_0 int RSA_X931_generate_key_ex(RSA *rsa, int bits,
+                                                   const BIGNUM *e,
+                                                   BN_GENCB *cb);
+
+OSSL_DEPRECATEDIN_3_0 int RSA_check_key(const RSA *);
+OSSL_DEPRECATEDIN_3_0 int RSA_check_key_ex(const RSA *, BN_GENCB *cb);
         /* next 4 return -1 on error */
-DEPRECATEDIN_3_0(int RSA_public_encrypt(int flen, const unsigned char *from,
-                                        unsigned char *to, RSA *rsa,
-                                        int padding))
-DEPRECATEDIN_3_0(int RSA_private_encrypt(int flen, const unsigned char *from,
-                                         unsigned char *to, RSA *rsa,
-                                         int padding))
-DEPRECATEDIN_3_0(int RSA_public_decrypt(int flen, const unsigned char *from,
-                                        unsigned char *to, RSA *rsa,
-                                        int padding))
-DEPRECATEDIN_3_0(int RSA_private_decrypt(int flen, const unsigned char *from,
-                                         unsigned char *to, RSA *rsa,
-                                         int padding))
-void RSA_free(RSA *r);
+OSSL_DEPRECATEDIN_3_0
+int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
+                       RSA *rsa, int padding);
+OSSL_DEPRECATEDIN_3_0
+int RSA_private_encrypt(int flen, const unsigned char *from, unsigned char *to,
+                        RSA *rsa, int padding);
+OSSL_DEPRECATEDIN_3_0
+int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to,
+                       RSA *rsa, int padding);
+OSSL_DEPRECATEDIN_3_0
+int RSA_private_decrypt(int flen, const unsigned char *from, unsigned char *to,
+                        RSA *rsa, int padding);
+OSSL_DEPRECATEDIN_3_0 void RSA_free(RSA *r);
 /* "up" the RSA object's reference count */
-int RSA_up_ref(RSA *r);
-
-/* TODO(3.0): deprecate this one ssl/ssl_rsa.c can be changed to avoid it */
-int RSA_flags(const RSA *r);
+OSSL_DEPRECATEDIN_3_0 int RSA_up_ref(RSA *r);
+OSSL_DEPRECATEDIN_3_0 int RSA_flags(const RSA *r);
 
-DEPRECATEDIN_3_0(void RSA_set_default_method(const RSA_METHOD *meth))
-DEPRECATEDIN_3_0(const RSA_METHOD *RSA_get_default_method(void))
-DEPRECATEDIN_3_0(const RSA_METHOD *RSA_null_method(void))
-DEPRECATEDIN_3_0(const RSA_METHOD *RSA_get_method(const RSA *rsa))
-DEPRECATEDIN_3_0(int RSA_set_method(RSA *rsa, const RSA_METHOD *meth))
+OSSL_DEPRECATEDIN_3_0 void RSA_set_default_method(const RSA_METHOD *meth);
+OSSL_DEPRECATEDIN_3_0 const RSA_METHOD *RSA_get_default_method(void);
+OSSL_DEPRECATEDIN_3_0 const RSA_METHOD *RSA_null_method(void);
+OSSL_DEPRECATEDIN_3_0 const RSA_METHOD *RSA_get_method(const RSA *rsa);
+OSSL_DEPRECATEDIN_3_0 int RSA_set_method(RSA *rsa, const RSA_METHOD *meth);
 
 /* these are the actual RSA functions */
-DEPRECATEDIN_3_0(const RSA_METHOD *RSA_PKCS1_OpenSSL(void))
+OSSL_DEPRECATEDIN_3_0 const RSA_METHOD *RSA_PKCS1_OpenSSL(void);
 
-int RSA_pkey_ctx_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2);
+DECLARE_ASN1_ENCODE_FUNCTIONS_name_attr(OSSL_DEPRECATEDIN_3_0,
+                                        RSA, RSAPublicKey)
+DECLARE_ASN1_ENCODE_FUNCTIONS_name_attr(OSSL_DEPRECATEDIN_3_0,
+                                        RSA, RSAPrivateKey)
+#  endif  /* !OPENSSL_NO_DEPRECATED_3_0 */
 
-DECLARE_ASN1_ENCODE_FUNCTIONS_name(RSA, RSAPublicKey)
-DECLARE_ASN1_ENCODE_FUNCTIONS_name(RSA, RSAPrivateKey)
+int RSA_pkey_ctx_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2);
 
 struct rsa_pss_params_st {
     X509_ALGOR *hashAlgorithm;
@@ -321,130 +329,127 @@ typedef struct rsa_oaep_params_st {
 
 DECLARE_ASN1_FUNCTIONS(RSA_OAEP_PARAMS)
 
-#  ifndef OPENSSL_NO_STDIO
-DEPRECATEDIN_3_0(int RSA_print_fp(FILE *fp, const RSA *r, int offset))
-#  endif
+#  ifndef OPENSSL_NO_DEPRECATED_3_0
+#   ifndef OPENSSL_NO_STDIO
+OSSL_DEPRECATEDIN_3_0 int RSA_print_fp(FILE *fp, const RSA *r, int offset);
+#   endif
 
-DEPRECATEDIN_3_0(int RSA_print(BIO *bp, const RSA *r, int offset))
+OSSL_DEPRECATEDIN_3_0 int RSA_print(BIO *bp, const RSA *r, int offset);
 
 /*
  * The following 2 functions sign and verify a X509_SIG ASN1 object inside
  * PKCS#1 padded RSA encryption
  */
-DEPRECATEDIN_3_0(int RSA_sign(int type, const unsigned char *m,
-                              unsigned int m_length, unsigned char *sigret,
-                              unsigned int *siglen, RSA *rsa))
-DEPRECATEDIN_3_0(int RSA_verify(int type, const unsigned char *m,
-                                unsigned int m_length,
-                                const unsigned char *sigbuf,
-                                unsigned int siglen, RSA *rsa))
+OSSL_DEPRECATEDIN_3_0 int RSA_sign(int type, const unsigned char *m,
+                                   unsigned int m_length, unsigned char *sigret,
+                                   unsigned int *siglen, RSA *rsa);
+OSSL_DEPRECATEDIN_3_0 int RSA_verify(int type, const unsigned char *m,
+                                     unsigned int m_length,
+                                     const unsigned char *sigbuf,
+                                     unsigned int siglen, RSA *rsa);
 
 /*
  * The following 2 function sign and verify a ASN1_OCTET_STRING object inside
  * PKCS#1 padded RSA encryption
  */
-DEPRECATEDIN_3_0(int RSA_sign_ASN1_OCTET_STRING(int type,
-                                                const unsigned char *m,
-                                                unsigned int m_length,
-                                                unsigned char *sigret,
-                                                unsigned int *siglen, RSA *rsa))
-DEPRECATEDIN_3_0(int RSA_verify_ASN1_OCTET_STRING(int type,
-                                                  const unsigned char *m,
-                                                  unsigned int m_length,
-                                                  unsigned char *sigbuf,
-                                                  unsigned int siglen,
-                                                  RSA *rsa))
-
-/* TODO(3.0): figure out how to deprecate these two */
-int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
-void RSA_blinding_off(RSA *rsa);
-DEPRECATEDIN_3_0(BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *ctx))
-
-DEPRECATEDIN_3_0(int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
-                                                  const unsigned char *f,
-                                                  int fl))
-DEPRECATEDIN_3_0(int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
-                                                    const unsigned char *f,
-                                                    int fl, int rsa_len))
-DEPRECATEDIN_3_0(int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
-                                                  const unsigned char *f,
-                                                  int fl))
-DEPRECATEDIN_3_0(int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
-                                                    const unsigned char *f,
-                                                    int fl, int rsa_len))
-DEPRECATEDIN_3_0(int PKCS1_MGF1(unsigned char *mask, long len,
-                                const unsigned char *seed, long seedlen,
-                                const EVP_MD *dgst))
-DEPRECATEDIN_3_0(int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
-                                                const unsigned char *f, int fl,
-                                                const unsigned char *p, int pl))
-DEPRECATEDIN_3_0(int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
-                                                  const unsigned char *f,
-                                                  int fl, int rsa_len,
-                                                  const unsigned char *p,
-                                                  int pl))
-DEPRECATEDIN_3_0(int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to,
-                                                     int tlen,
-                                                     const unsigned char *from,
-                                                     int flen,
-                                                     const unsigned char *param,
-                                                     int plen,
-                                                     const EVP_MD *md,
-                                                     const EVP_MD *mgf1md))
-DEPRECATEDIN_3_0(int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to,
-                                                       int tlen,
-                                                       const unsigned char *from,
-                                                       int flen, int num,
-                                                       const unsigned char *param,
-                                                       int plen, const EVP_MD *md,
-                                                       const EVP_MD *mgf1md))
-DEPRECATEDIN_3_0(int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
-                                            const unsigned char *f, int fl))
-DEPRECATEDIN_3_0(int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
-                                              const unsigned char *f, int fl,
-                                              int rsa_len))
-DEPRECATEDIN_3_0(int RSA_padding_add_none(unsigned char *to, int tlen,
-                                          const unsigned char *f, int fl))
-DEPRECATEDIN_3_0(int RSA_padding_check_none(unsigned char *to, int tlen,
-                                            const unsigned char *f, int fl,
-                                            int rsa_len))
-DEPRECATEDIN_3_0(int RSA_padding_add_X931(unsigned char *to, int tlen,
-                                          const unsigned char *f, int fl))
-DEPRECATEDIN_3_0(int RSA_padding_check_X931(unsigned char *to, int tlen,
-                                            const unsigned char *f, int fl,
-                                            int rsa_len))
-DEPRECATEDIN_3_0(int RSA_X931_hash_id(int nid))
-
-DEPRECATEDIN_3_0(int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
-                                          const EVP_MD *Hash,
-                                          const unsigned char *EM, int sLen))
-DEPRECATEDIN_3_0(int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
-                                               const unsigned char *mHash,
-                                               const EVP_MD *Hash, int sLen))
-
-DEPRECATEDIN_3_0(int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa,
-                                               const unsigned char *mHash,
-                                               const EVP_MD *Hash,
-                                               const EVP_MD *mgf1Hash,
-                                               const unsigned char *EM,
-                                               int sLen))
-
-DEPRECATEDIN_3_0(int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa,
-                                                    unsigned char *EM,
-                                                    const unsigned char *mHash,
-                                                    const EVP_MD *Hash,
-                                                    const EVP_MD *mgf1Hash,
-                                                    int sLen))
+OSSL_DEPRECATEDIN_3_0
+int RSA_sign_ASN1_OCTET_STRING(int type,
+                               const unsigned char *m, unsigned int m_length,
+                               unsigned char *sigret, unsigned int *siglen,
+                               RSA *rsa);
+OSSL_DEPRECATEDIN_3_0
+int RSA_verify_ASN1_OCTET_STRING(int type,
+                                 const unsigned char *m, unsigned int m_length,
+                                 unsigned char *sigbuf, unsigned int siglen,
+                                 RSA *rsa);
+
+OSSL_DEPRECATEDIN_3_0 int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
+OSSL_DEPRECATEDIN_3_0 void RSA_blinding_off(RSA *rsa);
+OSSL_DEPRECATEDIN_3_0 BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *ctx);
+
+OSSL_DEPRECATEDIN_3_0
+int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
+                                 const unsigned char *f, int fl);
+OSSL_DEPRECATEDIN_3_0
+int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
+                                   const unsigned char *f, int fl,
+                                   int rsa_len);
+OSSL_DEPRECATEDIN_3_0
+int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
+                                 const unsigned char *f, int fl);
+OSSL_DEPRECATEDIN_3_0
+int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
+                                   const unsigned char *f, int fl,
+                                   int rsa_len);
+OSSL_DEPRECATEDIN_3_0 int PKCS1_MGF1(unsigned char *mask, long len,
+                                     const unsigned char *seed, long seedlen,
+                                     const EVP_MD *dgst);
+OSSL_DEPRECATEDIN_3_0
+int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
+                               const unsigned char *f, int fl,
+                               const unsigned char *p, int pl);
+OSSL_DEPRECATEDIN_3_0
+int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
+                                 const unsigned char *f, int fl, int rsa_len,
+                                 const unsigned char *p, int pl);
+OSSL_DEPRECATEDIN_3_0
+int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
+                                    const unsigned char *from, int flen,
+                                    const unsigned char *param, int plen,
+                                    const EVP_MD *md, const EVP_MD *mgf1md);
+OSSL_DEPRECATEDIN_3_0
+int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
+                                      const unsigned char *from, int flen,
+                                      int num,
+                                      const unsigned char *param, int plen,
+                                      const EVP_MD *md, const EVP_MD *mgf1md);
+OSSL_DEPRECATEDIN_3_0
+int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
+                           const unsigned char *f, int fl);
+OSSL_DEPRECATEDIN_3_0
+int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
+                             const unsigned char *f, int fl,
+                             int rsa_len);
+OSSL_DEPRECATEDIN_3_0 int RSA_padding_add_none(unsigned char *to, int tlen,
+                                               const unsigned char *f, int fl);
+OSSL_DEPRECATEDIN_3_0 int RSA_padding_check_none(unsigned char *to, int tlen,
+                                                 const unsigned char *f, int fl,
+                                                 int rsa_len);
+OSSL_DEPRECATEDIN_3_0 int RSA_padding_add_X931(unsigned char *to, int tlen,
+                                               const unsigned char *f, int fl);
+OSSL_DEPRECATEDIN_3_0 int RSA_padding_check_X931(unsigned char *to, int tlen,
+                                                 const unsigned char *f, int fl,
+                                                 int rsa_len);
+OSSL_DEPRECATEDIN_3_0 int RSA_X931_hash_id(int nid);
+
+OSSL_DEPRECATEDIN_3_0
+int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
+                         const EVP_MD *Hash, const unsigned char *EM,
+                         int sLen);
+OSSL_DEPRECATEDIN_3_0
+int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
+                              const unsigned char *mHash, const EVP_MD *Hash,
+                              int sLen);
+
+OSSL_DEPRECATEDIN_3_0
+int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
+                              const EVP_MD *Hash, const EVP_MD *mgf1Hash,
+                              const unsigned char *EM, int sLen);
+
+OSSL_DEPRECATEDIN_3_0
+int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
+                                   const unsigned char *mHash,
+                                   const EVP_MD *Hash, const EVP_MD *mgf1Hash,
+                                   int sLen);
 
 #  define RSA_get_ex_new_index(l, p, newf, dupf, freef) \
     CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_RSA, l, p, newf, dupf, freef)
-DEPRECATEDIN_3_0(int RSA_set_ex_data(RSA *r, int idx, void *arg))
-DEPRECATEDIN_3_0(void *RSA_get_ex_data(const RSA *r, int idx))
+OSSL_DEPRECATEDIN_3_0 int RSA_set_ex_data(RSA *r, int idx, void *arg);
+OSSL_DEPRECATEDIN_3_0 void *RSA_get_ex_data(const RSA *r, int idx);
 
-DECLARE_ASN1_DUP_FUNCTION_name(RSA, RSAPublicKey)
-DECLARE_ASN1_DUP_FUNCTION_name(RSA, RSAPrivateKey)
+DECLARE_ASN1_DUP_FUNCTION_name_attr(OSSL_DEPRECATEDIN_3_0, RSA, RSAPublicKey)
+DECLARE_ASN1_DUP_FUNCTION_name_attr(OSSL_DEPRECATEDIN_3_0, RSA, RSAPrivateKey)
 
-#  ifndef OPENSSL_NO_DEPRECATED_3_0
 /*
  * If this flag is set the RSA method is FIPS compliant and can be used in
  * FIPS mode. This is set in the validated module method. If an application
@@ -466,95 +471,134 @@ DECLARE_ASN1_DUP_FUNCTION_name(RSA, RSAPrivateKey)
  * check.
  */
 #   define RSA_FLAG_CHECKED                        0x0800
-#  endif /* OPENSSL_NO_DEPRECATED_3_0 */
 
-DEPRECATEDIN_3_0(RSA_METHOD *RSA_meth_new(const char *name, int flags))
-DEPRECATEDIN_3_0(void RSA_meth_free(RSA_METHOD *meth))
-DEPRECATEDIN_3_0(RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth))
-DEPRECATEDIN_3_0(const char *RSA_meth_get0_name(const RSA_METHOD *meth))
-DEPRECATEDIN_3_0(int RSA_meth_set1_name(RSA_METHOD *meth, const char *name))
-DEPRECATEDIN_3_0(int RSA_meth_get_flags(const RSA_METHOD *meth))
-DEPRECATEDIN_3_0(int RSA_meth_set_flags(RSA_METHOD *meth, int flags))
-DEPRECATEDIN_3_0(void *RSA_meth_get0_app_data(const RSA_METHOD *meth))
-DEPRECATEDIN_3_0(int RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data))
-DEPRECATEDIN_3_0(int (*RSA_meth_get_pub_enc(const RSA_METHOD *meth))
-    (int flen, const unsigned char *from,
-     unsigned char *to, RSA *rsa, int padding))
-DEPRECATEDIN_3_0(int RSA_meth_set_pub_enc(RSA_METHOD *rsa,
+OSSL_DEPRECATEDIN_3_0 RSA_METHOD *RSA_meth_new(const char *name, int flags);
+OSSL_DEPRECATEDIN_3_0 void RSA_meth_free(RSA_METHOD *meth);
+OSSL_DEPRECATEDIN_3_0 RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth);
+OSSL_DEPRECATEDIN_3_0 const char *RSA_meth_get0_name(const RSA_METHOD *meth);
+OSSL_DEPRECATEDIN_3_0 int RSA_meth_set1_name(RSA_METHOD *meth,
+                                             const char *name);
+OSSL_DEPRECATEDIN_3_0 int RSA_meth_get_flags(const RSA_METHOD *meth);
+OSSL_DEPRECATEDIN_3_0 int RSA_meth_set_flags(RSA_METHOD *meth, int flags);
+OSSL_DEPRECATEDIN_3_0 void *RSA_meth_get0_app_data(const RSA_METHOD *meth);
+OSSL_DEPRECATEDIN_3_0 int RSA_meth_set0_app_data(RSA_METHOD *meth,
+                                                 void *app_data);
+OSSL_DEPRECATEDIN_3_0
+int (*RSA_meth_get_pub_enc(const RSA_METHOD *meth)) (int flen,
+                                                     const unsigned char *from,
+                                                     unsigned char *to,
+                                                     RSA *rsa, int padding);
+OSSL_DEPRECATEDIN_3_0
+int RSA_meth_set_pub_enc(RSA_METHOD *rsa,
                          int (*pub_enc) (int flen, const unsigned char *from,
                                          unsigned char *to, RSA *rsa,
-                                         int padding)))
-DEPRECATEDIN_3_0(int (*RSA_meth_get_pub_dec(const RSA_METHOD *meth))
-    (int flen, const unsigned char *from,
-     unsigned char *to, RSA *rsa, int padding))
-DEPRECATEDIN_3_0(int RSA_meth_set_pub_dec(RSA_METHOD *rsa,
+                                         int padding));
+OSSL_DEPRECATEDIN_3_0
+int (*RSA_meth_get_pub_dec(const RSA_METHOD *meth)) (int flen,
+                                                     const unsigned char *from,
+                                                     unsigned char *to,
+                                                     RSA *rsa, int padding);
+OSSL_DEPRECATEDIN_3_0
+int RSA_meth_set_pub_dec(RSA_METHOD *rsa,
                          int (*pub_dec) (int flen, const unsigned char *from,
                                          unsigned char *to, RSA *rsa,
-                                         int padding)))
-DEPRECATEDIN_3_0(int (*RSA_meth_get_priv_enc(const RSA_METHOD *meth))
-    (int flen, const unsigned char *from,
-     unsigned char *to, RSA *rsa, int padding))
-DEPRECATEDIN_3_0(int RSA_meth_set_priv_enc(RSA_METHOD *rsa,
+                                         int padding));
+OSSL_DEPRECATEDIN_3_0
+int (*RSA_meth_get_priv_enc(const RSA_METHOD *meth)) (int flen,
+                                                      const unsigned char *from,
+                                                      unsigned char *to,
+                                                      RSA *rsa, int padding);
+OSSL_DEPRECATEDIN_3_0
+int RSA_meth_set_priv_enc(RSA_METHOD *rsa,
                           int (*priv_enc) (int flen, const unsigned char *from,
                                            unsigned char *to, RSA *rsa,
-                                           int padding)))
-DEPRECATEDIN_3_0(int (*RSA_meth_get_priv_dec(const RSA_METHOD *meth))
-    (int flen, const unsigned char *from,
-     unsigned char *to, RSA *rsa, int padding))
-DEPRECATEDIN_3_0(int RSA_meth_set_priv_dec(RSA_METHOD *rsa,
+                                           int padding));
+OSSL_DEPRECATEDIN_3_0
+int (*RSA_meth_get_priv_dec(const RSA_METHOD *meth)) (int flen,
+                                                      const unsigned char *from,
+                                                      unsigned char *to,
+                                                      RSA *rsa, int padding);
+OSSL_DEPRECATEDIN_3_0
+int RSA_meth_set_priv_dec(RSA_METHOD *rsa,
                           int (*priv_dec) (int flen, const unsigned char *from,
                                            unsigned char *to, RSA *rsa,
-                                           int padding)))
-DEPRECATEDIN_3_0(int (*RSA_meth_get_mod_exp(const RSA_METHOD *meth))
-    (BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx))
-DEPRECATEDIN_3_0(int RSA_meth_set_mod_exp(RSA_METHOD *rsa,
+                                           int padding));
+OSSL_DEPRECATEDIN_3_0
+int (*RSA_meth_get_mod_exp(const RSA_METHOD *meth)) (BIGNUM *r0,
+                                                     const BIGNUM *i,
+                                                     RSA *rsa, BN_CTX *ctx);
+OSSL_DEPRECATEDIN_3_0
+int RSA_meth_set_mod_exp(RSA_METHOD *rsa,
                          int (*mod_exp) (BIGNUM *r0, const BIGNUM *i, RSA *rsa,
-                                         BN_CTX *ctx)))
-DEPRECATEDIN_3_0(int (*RSA_meth_get_bn_mod_exp(const RSA_METHOD *meth))
-    (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
-     const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx))
-DEPRECATEDIN_3_0(int RSA_meth_set_bn_mod_exp(RSA_METHOD *rsa,
+                                         BN_CTX *ctx));
+OSSL_DEPRECATEDIN_3_0
+int (*RSA_meth_get_bn_mod_exp(const RSA_METHOD *meth)) (BIGNUM *r,
+                                                        const BIGNUM *a,
+                                                        const BIGNUM *p,
+                                                        const BIGNUM *m,
+                                                        BN_CTX *ctx,
+                                                        BN_MONT_CTX *m_ctx);
+OSSL_DEPRECATEDIN_3_0
+int RSA_meth_set_bn_mod_exp(RSA_METHOD *rsa,
                             int (*bn_mod_exp) (BIGNUM *r,
                                                const BIGNUM *a,
                                                const BIGNUM *p,
                                                const BIGNUM *m,
                                                BN_CTX *ctx,
-                                               BN_MONT_CTX *m_ctx)))
-DEPRECATEDIN_3_0(int (*RSA_meth_get_init(const RSA_METHOD *meth)) (RSA *rsa))
-DEPRECATEDIN_3_0(int RSA_meth_set_init(RSA_METHOD *rsa, int (*init) (RSA *rsa)))
-DEPRECATEDIN_3_0(int (*RSA_meth_get_finish(const RSA_METHOD *meth)) (RSA *rsa))
-DEPRECATEDIN_3_0(int RSA_meth_set_finish(RSA_METHOD *rsa,
-                            int (*finish) (RSA *rsa)))
-DEPRECATEDIN_3_0(int (*RSA_meth_get_sign(const RSA_METHOD *meth))
-    (int type,
-     const unsigned char *m, unsigned int m_length,
-     unsigned char *sigret, unsigned int *siglen,
-     const RSA *rsa))
-DEPRECATEDIN_3_0(int RSA_meth_set_sign(RSA_METHOD *rsa,
+                                               BN_MONT_CTX *m_ctx));
+OSSL_DEPRECATEDIN_3_0
+int (*RSA_meth_get_init(const RSA_METHOD *meth)) (RSA *rsa);
+OSSL_DEPRECATEDIN_3_0
+int RSA_meth_set_init(RSA_METHOD *rsa, int (*init) (RSA *rsa));
+OSSL_DEPRECATEDIN_3_0
+int (*RSA_meth_get_finish(const RSA_METHOD *meth)) (RSA *rsa);
+OSSL_DEPRECATEDIN_3_0
+int RSA_meth_set_finish(RSA_METHOD *rsa, int (*finish) (RSA *rsa));
+OSSL_DEPRECATEDIN_3_0
+int (*RSA_meth_get_sign(const RSA_METHOD *meth)) (int type,
+                                                  const unsigned char *m,
+                                                  unsigned int m_length,
+                                                  unsigned char *sigret,
+                                                  unsigned int *siglen,
+                                                  const RSA *rsa);
+OSSL_DEPRECATEDIN_3_0
+int RSA_meth_set_sign(RSA_METHOD *rsa,
                       int (*sign) (int type, const unsigned char *m,
                                    unsigned int m_length,
                                    unsigned char *sigret, unsigned int *siglen,
-                                   const RSA *rsa)))
-DEPRECATEDIN_3_0(int (*RSA_meth_get_verify(const RSA_METHOD *meth))
-    (int dtype, const unsigned char *m,
-     unsigned int m_length, const unsigned char *sigbuf,
-     unsigned int siglen, const RSA *rsa))
-DEPRECATEDIN_3_0(int RSA_meth_set_verify(RSA_METHOD *rsa,
+                                   const RSA *rsa));
+OSSL_DEPRECATEDIN_3_0
+int (*RSA_meth_get_verify(const RSA_METHOD *meth)) (int dtype,
+                                                    const unsigned char *m,
+                                                    unsigned int m_length,
+                                                    const unsigned char *sigbuf,
+                                                    unsigned int siglen,
+                                                    const RSA *rsa);
+OSSL_DEPRECATEDIN_3_0
+int RSA_meth_set_verify(RSA_METHOD *rsa,
                         int (*verify) (int dtype, const unsigned char *m,
                                        unsigned int m_length,
                                        const unsigned char *sigbuf,
-                                       unsigned int siglen, const RSA *rsa)))
-DEPRECATEDIN_3_0(int (*RSA_meth_get_keygen(const RSA_METHOD *meth))
-    (RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb))
-DEPRECATEDIN_3_0(int RSA_meth_set_keygen(RSA_METHOD *rsa,
+                                       unsigned int siglen, const RSA *rsa));
+OSSL_DEPRECATEDIN_3_0
+int (*RSA_meth_get_keygen(const RSA_METHOD *meth)) (RSA *rsa, int bits,
+                                                    BIGNUM *e, BN_GENCB *cb);
+OSSL_DEPRECATEDIN_3_0
+int RSA_meth_set_keygen(RSA_METHOD *rsa,
                         int (*keygen) (RSA *rsa, int bits, BIGNUM *e,
-                                       BN_GENCB *cb)))
-DEPRECATEDIN_3_0(int (*RSA_meth_get_multi_prime_keygen(const RSA_METHOD *meth))
-    (RSA *rsa, int bits, int primes, BIGNUM *e, BN_GENCB *cb))
-DEPRECATEDIN_3_0(int RSA_meth_set_multi_prime_keygen(RSA_METHOD *meth,
+                                       BN_GENCB *cb));
+OSSL_DEPRECATEDIN_3_0
+int (*RSA_meth_get_multi_prime_keygen(const RSA_METHOD *meth)) (RSA *rsa,
+                                                                int bits,
+                                                                int primes,
+                                                                BIGNUM *e,
+                                                                BN_GENCB *cb);
+OSSL_DEPRECATEDIN_3_0
+int RSA_meth_set_multi_prime_keygen(RSA_METHOD *meth,
                                     int (*keygen) (RSA *rsa, int bits,
                                                    int primes, BIGNUM *e,
-                                                   BN_GENCB *cb)))
+                                                   BN_GENCB *cb));
+#endif  /* !OPENSSL_NO_DEPRECATED_3_0 */
 
 #  ifdef  __cplusplus
 }
diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index a02227be0c..f9a61609e4 100644
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -1606,9 +1606,12 @@ void SSL_set_verify(SSL *s, int mode, SSL_verify_cb callback);
 void SSL_set_verify_depth(SSL *s, int depth);
 void SSL_set_cert_cb(SSL *s, int (*cb) (SSL *ssl, void *arg), void *arg);
 # ifndef OPENSSL_NO_RSA
-__owur int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);
-__owur int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const unsigned char *d,
-                                      long len);
+#  ifndef OPENSSL_NO_DEPRECATED_3_0
+OSSL_DEPRECATEDIN_3_0 __owur int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa);
+OSSL_DEPRECATEDIN_3_0
+__owur int SSL_use_RSAPrivateKey_ASN1(SSL *ssl,
+                                      const unsigned char *d, long len);
+#  endif
 # endif
 __owur int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey);
 __owur int SSL_use_PrivateKey_ASN1(int pk, SSL *ssl, const unsigned char *d,
@@ -1632,15 +1635,22 @@ __owur int SSL_CTX_use_serverinfo_ex(SSL_CTX *ctx, unsigned int version,
 __owur int SSL_CTX_use_serverinfo_file(SSL_CTX *ctx, const char *file);
 
 #ifndef OPENSSL_NO_RSA
-__owur int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type);
+# ifndef OPENSSL_NO_DEPRECATED_3_0
+OSSL_DEPRECATEDIN_3_0 __owur int SSL_use_RSAPrivateKey_file(SSL *ssl,
+                                                            const char *file,
+                                                            int type);
+# endif
 #endif
 
 __owur int SSL_use_PrivateKey_file(SSL *ssl, const char *file, int type);
 __owur int SSL_use_certificate_file(SSL *ssl, const char *file, int type);
 
 #ifndef OPENSSL_NO_RSA
+# ifndef OPENSSL_NO_DEPRECATED_3_0
+OSSL_DEPRECATEDIN_3_0
 __owur int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file,
                                           int type);
+# endif
 #endif
 __owur int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file,
                                        int type);
@@ -1751,9 +1761,13 @@ void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,
 void SSL_CTX_set_cert_cb(SSL_CTX *c, int (*cb) (SSL *ssl, void *arg),
                          void *arg);
 # ifndef OPENSSL_NO_RSA
-__owur int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa);
+#  ifndef OPENSSL_NO_DEPRECATED_3_0
+OSSL_DEPRECATEDIN_3_0 __owur int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx,
+                                                           RSA *rsa);
+OSSL_DEPRECATEDIN_3_0
 __owur int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d,
                                           long len);
+#  endif
 # endif
 __owur int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey);
 __owur int SSL_CTX_use_PrivateKey_ASN1(int pk, SSL_CTX *ctx,
diff --git a/include/openssl/types.h b/include/openssl/types.h
index 8ca2d144c7..6cb5a663cc 100644
--- a/include/openssl/types.h
+++ b/include/openssl/types.h
@@ -18,6 +18,7 @@ extern "C" {
 
 # include <openssl/e_os2.h>
 # include <openssl/safestack.h>
+# include <openssl/macros.h>
 
 typedef struct ossl_provider_st OSSL_PROVIDER; /* Provider Object */
 
@@ -135,8 +136,10 @@ typedef struct dh_method DH_METHOD;
 typedef struct dsa_st DSA;
 typedef struct dsa_method DSA_METHOD;
 
+# ifndef OPENSSL_NO_DEPRECATED_3_0
 typedef struct rsa_st RSA;
 typedef struct rsa_meth_st RSA_METHOD;
+# endif
 typedef struct rsa_pss_params_st RSA_PSS_PARAMS;
 
 typedef struct ec_key_st EC_KEY;
diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in
index eda5ee986f..14a4a02da7 100644
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
@@ -414,13 +414,15 @@ X509_CRL *d2i_X509_CRL_fp(FILE *fp, X509_CRL **crl);
 int i2d_X509_CRL_fp(FILE *fp, const X509_CRL *crl);
 X509_REQ *d2i_X509_REQ_fp(FILE *fp, X509_REQ **req);
 int i2d_X509_REQ_fp(FILE *fp, const X509_REQ *req);
-#  ifndef OPENSSL_NO_RSA
-RSA *d2i_RSAPrivateKey_fp(FILE *fp, RSA **rsa);
-int i2d_RSAPrivateKey_fp(FILE *fp, const RSA *rsa);
-RSA *d2i_RSAPublicKey_fp(FILE *fp, RSA **rsa);
-int i2d_RSAPublicKey_fp(FILE *fp, const RSA *rsa);
-RSA *d2i_RSA_PUBKEY_fp(FILE *fp, RSA **rsa);
-int i2d_RSA_PUBKEY_fp(FILE *fp, const RSA *rsa);
+#  ifndef OPENSSL_NO_DEPRECATED_3_0
+#   ifndef OPENSSL_NO_RSA
+OSSL_DEPRECATEDIN_3_0 RSA *d2i_RSAPrivateKey_fp(FILE *fp, RSA **rsa);
+OSSL_DEPRECATEDIN_3_0 int i2d_RSAPrivateKey_fp(FILE *fp, const RSA *rsa);
+OSSL_DEPRECATEDIN_3_0 RSA *d2i_RSAPublicKey_fp(FILE *fp, RSA **rsa);
+OSSL_DEPRECATEDIN_3_0 int i2d_RSAPublicKey_fp(FILE *fp, const RSA *rsa);
+OSSL_DEPRECATEDIN_3_0 RSA *d2i_RSA_PUBKEY_fp(FILE *fp, RSA **rsa);
+OSSL_DEPRECATEDIN_3_0 int i2d_RSA_PUBKEY_fp(FILE *fp, const RSA *rsa);
+#   endif
 #  endif
 #  ifndef OPENSSL_NO_DSA
 DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa);
@@ -456,13 +458,15 @@ X509_CRL *d2i_X509_CRL_bio(BIO *bp, X509_CRL **crl);
 int i2d_X509_CRL_bio(BIO *bp, const X509_CRL *crl);
 X509_REQ *d2i_X509_REQ_bio(BIO *bp, X509_REQ **req);
 int i2d_X509_REQ_bio(BIO *bp, const X509_REQ *req);
-#  ifndef OPENSSL_NO_RSA
-RSA *d2i_RSAPrivateKey_bio(BIO *bp, RSA **rsa);
-int i2d_RSAPrivateKey_bio(BIO *bp, const RSA *rsa);
-RSA *d2i_RSAPublicKey_bio(BIO *bp, RSA **rsa);
-int i2d_RSAPublicKey_bio(BIO *bp, const RSA *rsa);
-RSA *d2i_RSA_PUBKEY_bio(BIO *bp, RSA **rsa);
-int i2d_RSA_PUBKEY_bio(BIO *bp, const RSA *rsa);
+#  ifndef OPENSSL_NO_DEPRECATED_3_0
+#   ifndef OPENSSL_NO_RSA
+OSSL_DEPRECATEDIN_3_0 RSA *d2i_RSAPrivateKey_bio(BIO *bp, RSA **rsa);
+OSSL_DEPRECATEDIN_3_0 int i2d_RSAPrivateKey_bio(BIO *bp, const RSA *rsa);
+OSSL_DEPRECATEDIN_3_0 RSA *d2i_RSAPublicKey_bio(BIO *bp, RSA **rsa);
+OSSL_DEPRECATEDIN_3_0 int i2d_RSAPublicKey_bio(BIO *bp, const RSA *rsa);
+OSSL_DEPRECATEDIN_3_0 RSA *d2i_RSA_PUBKEY_bio(BIO *bp, RSA **rsa);
+OSSL_DEPRECATEDIN_3_0 int i2d_RSA_PUBKEY_bio(BIO *bp, const RSA *rsa);
+#   endif
 #  endif
 #  ifndef OPENSSL_NO_DSA
 DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa);
@@ -543,8 +547,10 @@ long X509_get_pathlen(X509 *x);
 DECLARE_ASN1_ENCODE_FUNCTIONS_only(EVP_PKEY, PUBKEY)
 EVP_PKEY *d2i_PUBKEY_ex(EVP_PKEY **a, const unsigned char **pp, long length,
                         OSSL_LIB_CTX *libctx, const char *propq);
-# ifndef OPENSSL_NO_RSA
-DECLARE_ASN1_ENCODE_FUNCTIONS_only(RSA, RSA_PUBKEY)
+# ifndef OPENSSL_NO_DEPRECATED_3_0
+#  ifndef OPENSSL_NO_RSA
+DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(OSSL_DEPRECATEDIN_3_0,RSA, RSA_PUBKEY)
+#  endif
 # endif
 # ifndef OPENSSL_NO_DSA
 DECLARE_ASN1_ENCODE_FUNCTIONS_only(DSA, DSA_PUBKEY)
diff --git a/providers/common/der/der_rsa_key.c b/providers/common/der/der_rsa_key.c
index a20c334b23..1cc5874290 100644
--- a/providers/common/der/der_rsa_key.c
+++ b/providers/common/der/der_rsa_key.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * RSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <openssl/obj_mac.h>
 #include "internal/cryptlib.h"
 #include "prov/der_rsa.h"
diff --git a/providers/common/include/prov/securitycheck.h b/providers/common/include/prov/securitycheck.h
index 8ab3370263..a9e69c8a29 100644
--- a/providers/common/include/prov/securitycheck.h
+++ b/providers/common/include/prov/securitycheck.h
@@ -7,6 +7,8 @@
  * https://www.openssl.org/source/license.html
  */
 
+#include "crypto/types.h"
+
 /* Functions that are common */
 int ossl_rsa_check_key(const RSA *rsa, int protect);
 int ec_check_key(const EC_KEY *ec, int protect);
diff --git a/ssl/build.info b/ssl/build.info
index 36755819dd..4efd9d02cc 100644
--- a/ssl/build.info
+++ b/ssl/build.info
@@ -35,7 +35,7 @@ SOURCE[../libssl]=\
         statem/statem.c record/ssl3_record_tls13.c record/tls_pad.c \
         tls_depr.c $KTLSSRC
 IF[{- !$disabled{'deprecated-3.0'} -}]
-  SOURCE[../libssl]=s3_cbc.c
+  SOURCE[../libssl]=s3_cbc.c  ssl_rsa_legacy.c
 ENDIF
 DEFINE[../libssl]=$AESDEF
 
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index a14d97b8e9..3b76084831 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -21,7 +21,6 @@
 # include <openssl/buffer.h>
 # include <openssl/comp.h>
 # include <openssl/bio.h>
-# include <openssl/rsa.h>
 # include <openssl/dsa.h>
 # include <openssl/err.h>
 # include <openssl/ssl.h>
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index 17e10eef6a..bfdd5ff43d 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -115,34 +115,6 @@ int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len)
     return ret;
 }
 
-#ifndef OPENSSL_NO_RSA
-int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
-{
-    EVP_PKEY *pkey;
-    int ret;
-
-    if (rsa == NULL) {
-        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER);
-        return 0;
-    }
-    if ((pkey = EVP_PKEY_new()) == NULL) {
-        ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB);
-        return 0;
-    }
-
-    RSA_up_ref(rsa);
-    if (EVP_PKEY_assign_RSA(pkey, rsa) <= 0) {
-        RSA_free(rsa);
-        EVP_PKEY_free(pkey);
-        return 0;
-    }
-
-    ret = ssl_set_pkey(ssl->cert, pkey);
-    EVP_PKEY_free(pkey);
-    return ret;
-}
-#endif
-
 static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
 {
     size_t i;
@@ -180,64 +152,6 @@ static int ssl_set_pkey(CERT *c, EVP_PKEY *pkey)
     return 1;
 }
 
-#ifndef OPENSSL_NO_RSA
-int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type)
-{
-    int j, ret = 0;
-    BIO *in;
-    RSA *rsa = NULL;
-
-    in = BIO_new(BIO_s_file());
-    if (in == NULL) {
-        ERR_raise(ERR_LIB_SSL, ERR_R_BUF_LIB);
-        goto end;
-    }
-
-    if (BIO_read_filename(in, file) <= 0) {
-        ERR_raise(ERR_LIB_SSL, ERR_R_SYS_LIB);
-        goto end;
-    }
-    if (type == SSL_FILETYPE_ASN1) {
-        j = ERR_R_ASN1_LIB;
-        rsa = d2i_RSAPrivateKey_bio(in, NULL);
-    } else if (type == SSL_FILETYPE_PEM) {
-        j = ERR_R_PEM_LIB;
-        rsa = PEM_read_bio_RSAPrivateKey(in, NULL,
-                                         ssl->default_passwd_callback,
-                                         ssl->default_passwd_callback_userdata);
-    } else {
-        ERR_raise(ERR_LIB_SSL, SSL_R_BAD_SSL_FILETYPE);
-        goto end;
-    }
-    if (rsa == NULL) {
-        ERR_raise(ERR_LIB_SSL, j);
-        goto end;
-    }
-    ret = SSL_use_RSAPrivateKey(ssl, rsa);
-    RSA_free(rsa);
- end:
-    BIO_free(in);
-    return ret;
-}
-
-int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const unsigned char *d, long len)
-{
-    int ret;
-    const unsigned char *p;
-    RSA *rsa;
-
-    p = d;
-    if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) {
-        ERR_raise(ERR_LIB_SSL, ERR_R_ASN1_LIB);
-        return 0;
-    }
-
-    ret = SSL_use_RSAPrivateKey(ssl, rsa);
-    RSA_free(rsa);
-    return ret;
-}
-#endif                          /* !OPENSSL_NO_RSA */
-
 int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
 {
     int ret;
@@ -445,91 +359,6 @@ int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d)
     return ret;
 }
 
-#ifndef OPENSSL_NO_RSA
-int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
-{
-    int ret;
-    EVP_PKEY *pkey;
-
-    if (rsa == NULL) {
-        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER);
-        return 0;
-    }
-    if ((pkey = EVP_PKEY_new()) == NULL) {
-        ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB);
-        return 0;
-    }
-
-    RSA_up_ref(rsa);
-    if (EVP_PKEY_assign_RSA(pkey, rsa) <= 0) {
-        RSA_free(rsa);
-        EVP_PKEY_free(pkey);
-        return 0;
-    }
-
-    ret = ssl_set_pkey(ctx->cert, pkey);
-    EVP_PKEY_free(pkey);
-    return ret;
-}
-
-int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type)
-{
-    int j, ret = 0;
-    BIO *in;
-    RSA *rsa = NULL;
-
-    in = BIO_new(BIO_s_file());
-    if (in == NULL) {
-        ERR_raise(ERR_LIB_SSL, ERR_R_BUF_LIB);
-        goto end;
-    }
-
-    if (BIO_read_filename(in, file) <= 0) {
-        ERR_raise(ERR_LIB_SSL, ERR_R_SYS_LIB);
-        goto end;
-    }
-    if (type == SSL_FILETYPE_ASN1) {
-        j = ERR_R_ASN1_LIB;
-        rsa = d2i_RSAPrivateKey_bio(in, NULL);
-    } else if (type == SSL_FILETYPE_PEM) {
-        j = ERR_R_PEM_LIB;
-        rsa = PEM_read_bio_RSAPrivateKey(in, NULL,
-                                         ctx->default_passwd_callback,
-                                         ctx->default_passwd_callback_userdata);
-    } else {
-        ERR_raise(ERR_LIB_SSL, SSL_R_BAD_SSL_FILETYPE);
-        goto end;
-    }
-    if (rsa == NULL) {
-        ERR_raise(ERR_LIB_SSL, j);
-        goto end;
-    }
-    ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);
-    RSA_free(rsa);
- end:
-    BIO_free(in);
-    return ret;
-}
-
-int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d,
-                                   long len)
-{
-    int ret;
-    const unsigned char *p;
-    RSA *rsa;
-
-    p = d;
-    if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) {
-        ERR_raise(ERR_LIB_SSL, ERR_R_ASN1_LIB);
-        return 0;
-    }
-
-    ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);
-    RSA_free(rsa);
-    return ret;
-}
-#endif                          /* !OPENSSL_NO_RSA */
-
 int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
 {
     if (pkey == NULL) {
diff --git a/ssl/ssl_rsa_legacy.c b/ssl/ssl_rsa_legacy.c
new file mode 100644
index 0000000000..49cd7a3bba
--- /dev/null
+++ b/ssl/ssl_rsa_legacy.c
@@ -0,0 +1,180 @@
+/*
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/* We need to use the deprecated RSA low level calls */
+#define OPENSSL_SUPPRESS_DEPRECATED
+
+#include <openssl/err.h>
+#include <openssl/rsa.h>
+#include <openssl/ssl.h>
+
+int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa)
+{
+    EVP_PKEY *pkey;
+    int ret;
+
+    if (rsa == NULL) {
+        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER);
+        return 0;
+    }
+    if ((pkey = EVP_PKEY_new()) == NULL) {
+        ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB);
+        return 0;
+    }
+
+    RSA_up_ref(rsa);
+    if (EVP_PKEY_assign_RSA(pkey, rsa) <= 0) {
+        RSA_free(rsa);
+        EVP_PKEY_free(pkey);
+        return 0;
+    }
+
+    ret = SSL_use_PrivateKey(ssl, pkey);
+    EVP_PKEY_free(pkey);
+    return ret;
+}
+
+int SSL_use_RSAPrivateKey_file(SSL *ssl, const char *file, int type)
+{
+    int j, ret = 0;
+    BIO *in;
+    RSA *rsa = NULL;
+
+    in = BIO_new(BIO_s_file());
+    if (in == NULL) {
+        ERR_raise(ERR_LIB_SSL, ERR_R_BUF_LIB);
+        goto end;
+    }
+
+    if (BIO_read_filename(in, file) <= 0) {
+        ERR_raise(ERR_LIB_SSL, ERR_R_SYS_LIB);
+        goto end;
+    }
+    if (type == SSL_FILETYPE_ASN1) {
+        j = ERR_R_ASN1_LIB;
+        rsa = d2i_RSAPrivateKey_bio(in, NULL);
+    } else if (type == SSL_FILETYPE_PEM) {
+        j = ERR_R_PEM_LIB;
+        rsa = PEM_read_bio_RSAPrivateKey(in, NULL,
+                                         SSL_get_default_passwd_cb(ssl),
+                                         SSL_get_default_passwd_cb_userdata(ssl));
+    } else {
+        ERR_raise(ERR_LIB_SSL, SSL_R_BAD_SSL_FILETYPE);
+        goto end;
+    }
+    if (rsa == NULL) {
+        ERR_raise(ERR_LIB_SSL, j);
+        goto end;
+    }
+    ret = SSL_use_RSAPrivateKey(ssl, rsa);
+    RSA_free(rsa);
+ end:
+    BIO_free(in);
+    return ret;
+}
+
+int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const unsigned char *d, long len)
+{
+    int ret;
+    const unsigned char *p;
+    RSA *rsa;
+
+    p = d;
+    if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) {
+        ERR_raise(ERR_LIB_SSL, ERR_R_ASN1_LIB);
+        return 0;
+    }
+
+    ret = SSL_use_RSAPrivateKey(ssl, rsa);
+    RSA_free(rsa);
+    return ret;
+}
+
+int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa)
+{
+    int ret;
+    EVP_PKEY *pkey;
+
+    if (rsa == NULL) {
+        ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER);
+        return 0;
+    }
+    if ((pkey = EVP_PKEY_new()) == NULL) {
+        ERR_raise(ERR_LIB_SSL, ERR_R_EVP_LIB);
+        return 0;
+    }
+
+    RSA_up_ref(rsa);
+    if (EVP_PKEY_assign_RSA(pkey, rsa) <= 0) {
+        RSA_free(rsa);
+        EVP_PKEY_free(pkey);
+        return 0;
+    }
+
+    ret = SSL_CTX_use_PrivateKey(ctx, pkey);
+    EVP_PKEY_free(pkey);
+    return ret;
+}
+
+int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX *ctx, const char *file, int type)
+{
+    int j, ret = 0;
+    BIO *in;
+    RSA *rsa = NULL;
+
+    in = BIO_new(BIO_s_file());
+    if (in == NULL) {
+        ERR_raise(ERR_LIB_SSL, ERR_R_BUF_LIB);
+        goto end;
+    }
+
+    if (BIO_read_filename(in, file) <= 0) {
+        ERR_raise(ERR_LIB_SSL, ERR_R_SYS_LIB);
+        goto end;
+    }
+    if (type == SSL_FILETYPE_ASN1) {
+        j = ERR_R_ASN1_LIB;
+        rsa = d2i_RSAPrivateKey_bio(in, NULL);
+    } else if (type == SSL_FILETYPE_PEM) {
+        j = ERR_R_PEM_LIB;
+        rsa = PEM_read_bio_RSAPrivateKey(in, NULL,
+                                         SSL_CTX_get_default_passwd_cb(ctx),
+                                         SSL_CTX_get_default_passwd_cb_userdata(ctx));
+    } else {
+        ERR_raise(ERR_LIB_SSL, SSL_R_BAD_SSL_FILETYPE);
+        goto end;
+    }
+    if (rsa == NULL) {
+        ERR_raise(ERR_LIB_SSL, j);
+        goto end;
+    }
+    ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);
+    RSA_free(rsa);
+ end:
+    BIO_free(in);
+    return ret;
+}
+
+int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d,
+                                   long len)
+{
+    int ret;
+    const unsigned char *p;
+    RSA *rsa;
+
+    p = d;
+    if ((rsa = d2i_RSAPrivateKey(NULL, &p, (long)len)) == NULL) {
+        ERR_raise(ERR_LIB_SSL, ERR_R_ASN1_LIB);
+        return 0;
+    }
+
+    ret = SSL_CTX_use_RSAPrivateKey(ctx, rsa);
+    RSA_free(rsa);
+    return ret;
+}
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 5b7b7cd5f5..277998f954 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -20,6 +20,7 @@
 #include <openssl/evp.h>
 #include <openssl/md5.h>
 #include <openssl/dh.h>
+#include <openssl/rsa.h>
 #include <openssl/bn.h>
 #include <openssl/engine.h>
 #include <openssl/trace.h>
@@ -2824,7 +2825,7 @@ static int tls_construct_cke_rsa(SSL *s, WPACKET *pkt)
     }
 
     pkey = X509_get0_pubkey(s->session->peer);
-    if (EVP_PKEY_get0_RSA(pkey) == NULL) {
+    if (!EVP_PKEY_is_a(pkey, "RSA")) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
         return 0;
     }
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 2dd3bf1fbc..0773b42e0e 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -18,6 +18,7 @@
 #include <openssl/buffer.h>
 #include <openssl/objects.h>
 #include <openssl/evp.h>
+#include <openssl/rsa.h>
 #include <openssl/x509.h>
 #include <openssl/trace.h>
 
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index c478c5a7e8..16bd24d103 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -20,6 +20,7 @@
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/dh.h>
+#include <openssl/rsa.h>
 #include <openssl/bn.h>
 #include <openssl/md5.h>
 #include <openssl/trace.h>
diff --git a/test/endecoder_legacy_test.c b/test/endecoder_legacy_test.c
index 1bdbda79fa..6fd7b356cd 100644
--- a/test/endecoder_legacy_test.c
+++ b/test/endecoder_legacy_test.c
@@ -35,6 +35,12 @@
 
 #include <stdlib.h>
 #include <string.h>
+
+/*
+ * We test deprecated functions, so we need to suppress deprecation warnings.
+ */
+#define OPENSSL_SUPPRESS_DEPRECATED
+
 #include <openssl/bio.h>
 #include <openssl/evp.h>
 #include <openssl/asn1.h>
diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index e0f6af1f06..e2f78f1496 100644
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -18,16 +18,17 @@
 #include <openssl/crypto.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
-#include <openssl/rsa.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/kdf.h>
 #include <openssl/provider.h>
 #include <openssl/core_names.h>
 #include <openssl/params.h>
+#include <openssl/param_build.h>
 #include <openssl/dsa.h>
 #include <openssl/dh.h>
 #include <openssl/aes.h>
+#include <openssl/decoder.h>
 #include "testutil.h"
 #include "internal/nelem.h"
 #include "internal/sizes.h"
@@ -410,28 +411,25 @@ static APK_DATA keycheckdata[] = {
 #endif
 };
 
-static EVP_PKEY *load_example_rsa_key(void)
+static EVP_PKEY *load_example_key(const char *keytype,
+                                  const unsigned char *data, size_t data_len)
 {
-    EVP_PKEY *ret = NULL;
-    const unsigned char *derp = kExampleRSAKeyDER;
+    const unsigned char **pdata = &data;
     EVP_PKEY *pkey = NULL;
-    RSA *rsa = NULL;
-
-    if (!TEST_true(d2i_RSAPrivateKey(&rsa, &derp, sizeof(kExampleRSAKeyDER))))
-        return NULL;
-
-    if (!TEST_ptr(pkey = EVP_PKEY_new())
-            || !TEST_true(EVP_PKEY_set1_RSA(pkey, rsa)))
-        goto end;
+    OSSL_DECODER_CTX *dctx =
+        OSSL_DECODER_CTX_new_by_EVP_PKEY(&pkey, "DER", NULL, keytype, 0,
+                                         testctx, NULL);
 
-    ret = pkey;
-    pkey = NULL;
-
-end:
-    EVP_PKEY_free(pkey);
-    RSA_free(rsa);
+    /* |pkey| will be NULL on error */
+    (void)OSSL_DECODER_from_data(dctx, pdata, &data_len);
+    OSSL_DECODER_CTX_free(dctx);
+    return pkey;
+}
 
-    return ret;
+static EVP_PKEY *load_example_rsa_key(void)
+{
+    return load_example_key("RSA", kExampleRSAKeyDER,
+                            sizeof(kExampleRSAKeyDER));
 }
 
 #ifndef OPENSSL_NO_DSA
@@ -1690,8 +1688,10 @@ static int test_DSA_get_set_params(void)
 
 static int test_RSA_get_set_params(void)
 {
-    RSA *rsa = NULL;
+    OSSL_PARAM_BLD *bld = NULL;
+    OSSL_PARAM *params = NULL;
     BIGNUM *n = NULL, *e = NULL, *d = NULL;
+    EVP_PKEY_CTX *pctx = NULL;
     EVP_PKEY *pkey = NULL;
     int ret = 0;
 
@@ -1699,30 +1699,33 @@ static int test_RSA_get_set_params(void)
      * Setup the parameters for our RSA object. For our purposes they don't
      * have to actually be *valid* parameters. We just need to set something.
      */
-    rsa = RSA_new();
-    n = BN_new();
-    e = BN_new();
-    d = BN_new();
-    if (!TEST_ptr(rsa)
-            || !TEST_ptr(n)
-            || !TEST_ptr(e)
-            || !TEST_ptr(d)
-        || !RSA_set0_key(rsa, n, e, d))
+    if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, "RSA", NULL))
+        || !TEST_ptr(bld = OSSL_PARAM_BLD_new())
+        || !TEST_ptr(n = BN_new())
+        || !TEST_ptr(e = BN_new())
+        || !TEST_ptr(d = BN_new()))
+        goto err;
+    if (!TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_N, n))
+        || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_E, e))
+        || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_D, d)))
+        goto err;
+    if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)))
         goto err;
-    n = e = d = NULL;
 
-    pkey = EVP_PKEY_new();
-    if (!TEST_ptr(pkey)
-            || !TEST_true(EVP_PKEY_assign_RSA(pkey, rsa)))
+    if (!TEST_int_gt(EVP_PKEY_key_fromdata_init(pctx), 0)
+        || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkey, params), 0))
         goto err;
 
-    rsa = NULL;
+    if (!TEST_ptr(pkey))
+        goto err;
 
     ret = test_EVP_PKEY_CTX_get_set_params(pkey);
 
  err:
     EVP_PKEY_free(pkey);
-    RSA_free(rsa);
+    EVP_PKEY_CTX_free(pctx);
+    OSSL_PARAM_BLD_free_params(params);
+    OSSL_PARAM_BLD_free(bld);
     BN_free(n);
     BN_free(e);
     BN_free(d);
diff --git a/test/keymgmt_internal_test.c b/test/keymgmt_internal_test.c
index 596019d294..77414dbc27 100644
--- a/test/keymgmt_internal_test.c
+++ b/test/keymgmt_internal_test.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * RSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <string.h>
 
 #include <openssl/bio.h>
diff --git a/test/rsa_sp800_56b_test.c b/test/rsa_sp800_56b_test.c
index 72451b37ca..94369ce701 100644
--- a/test/rsa_sp800_56b_test.c
+++ b/test/rsa_sp800_56b_test.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * RSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <stdio.h>
 #include <string.h>
 
@@ -215,6 +221,7 @@ static int test_check_prime_factor(void)
     return ret;
 }
 
+/* This test uses legacy functions because they can take invalid numbers */
 static int test_check_private_exponent(void)
 {
     int ret = 0;
diff --git a/util/libcrypto.num b/util/libcrypto.num
index a5baf503e1..4b4c675207 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -41,7 +41,7 @@ EVP_PKEY_meth_set_verify_recover        41	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_
 UI_set_method                           42	3_0_0	EXIST::FUNCTION:
 PKCS7_ISSUER_AND_SERIAL_it              43	3_0_0	EXIST::FUNCTION:
 EC_GROUP_method_of                      44	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
-RSA_blinding_on                         45	3_0_0	EXIST::FUNCTION:RSA
+RSA_blinding_on                         45	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 X509_get0_signature                     47	3_0_0	EXIST::FUNCTION:
 X509_REVOKED_get0_extensions            48	3_0_0	EXIST::FUNCTION:
 NETSCAPE_SPKI_verify                    49	3_0_0	EXIST::FUNCTION:
@@ -62,7 +62,7 @@ BIO_free_all                            63	3_0_0	EXIST::FUNCTION:
 EVP_idea_ofb                            64	3_0_0	EXIST::FUNCTION:IDEA
 DSO_bind_func                           65	3_0_0	EXIST::FUNCTION:
 EVP_PKEY_meth_get_copy                  66	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
-RSA_up_ref                              67	3_0_0	EXIST::FUNCTION:RSA
+RSA_up_ref                              67	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 EVP_PKEY_meth_set_ctrl                  68	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 OCSP_basic_sign                         69	3_0_0	EXIST::FUNCTION:OCSP
 BN_GENCB_set                            70	3_0_0	EXIST::FUNCTION:
@@ -324,7 +324,7 @@ RAND_load_file                          329	3_0_0	EXIST::FUNCTION:
 BIO_ctrl_reset_read_request             330	3_0_0	EXIST::FUNCTION:
 CRYPTO_ccm128_tag                       331	3_0_0	EXIST::FUNCTION:
 BIO_new_dgram_sctp                      332	3_0_0	EXIST::FUNCTION:DGRAM,SCTP
-d2i_RSAPrivateKey_fp                    333	3_0_0	EXIST::FUNCTION:RSA,STDIO
+d2i_RSAPrivateKey_fp                    333	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA,STDIO
 s2i_ASN1_IA5STRING                      334	3_0_0	EXIST::FUNCTION:
 UI_get_ex_data                          335	3_0_0	EXIST::FUNCTION:
 EVP_EncryptUpdate                       336	3_0_0	EXIST::FUNCTION:
@@ -461,20 +461,20 @@ DH_new                                  469	3_0_0	EXIST::FUNCTION:DH
 OCSP_RESPID_free                        470	3_0_0	EXIST::FUNCTION:OCSP
 PKCS5_pbe2_set                          471	3_0_0	EXIST::FUNCTION:
 SCT_set_signature_nid                   473	3_0_0	EXIST::FUNCTION:CT
-i2d_RSA_PUBKEY_fp                       474	3_0_0	EXIST::FUNCTION:RSA,STDIO
+i2d_RSA_PUBKEY_fp                       474	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA,STDIO
 PKCS12_BAGS_it                          475	3_0_0	EXIST::FUNCTION:
 X509_pubkey_digest                      476	3_0_0	EXIST::FUNCTION:
 ENGINE_register_all_RSA                 477	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
 CRYPTO_THREAD_set_local                 478	3_0_0	EXIST::FUNCTION:
 X509_get_default_cert_dir_env           479	3_0_0	EXIST::FUNCTION:
 X509_CRL_sort                           480	3_0_0	EXIST::FUNCTION:
-i2d_RSA_PUBKEY_bio                      481	3_0_0	EXIST::FUNCTION:RSA
+i2d_RSA_PUBKEY_bio                      481	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 ASN1_T61STRING_free                     482	3_0_0	EXIST::FUNCTION:
 PEM_write_CMS                           483	3_0_0	EXIST::FUNCTION:CMS,STDIO
 OPENSSL_sk_find                         484	3_0_0	EXIST::FUNCTION:
 ENGINE_get_ciphers                      485	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
 EVP_rc2_ofb                             486	3_0_0	EXIST::FUNCTION:RC2
-EVP_PKEY_set1_RSA                       487	3_0_0	EXIST::FUNCTION:RSA
+EVP_PKEY_set1_RSA                       487	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 CMS_SignerInfo_get0_md_ctx              488	3_0_0	EXIST::FUNCTION:CMS
 X509_STORE_set_trust                    489	3_0_0	EXIST::FUNCTION:
 d2i_POLICYINFO                          490	3_0_0	EXIST::FUNCTION:
@@ -523,19 +523,19 @@ OBJ_sigid_free                          534	3_0_0	EXIST::FUNCTION:
 TS_STATUS_INFO_get0_status              535	3_0_0	EXIST::FUNCTION:TS
 EC_KEY_get_flags                        536	3_0_0	EXIST::FUNCTION:EC
 ASN1_TYPE_cmp                           537	3_0_0	EXIST::FUNCTION:
-i2d_RSAPublicKey                        538	3_0_0	EXIST::FUNCTION:RSA
+i2d_RSAPublicKey                        538	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 EC_GROUP_get_trinomial_basis            539	3_0_0	EXIST::FUNCTION:EC,EC2M
 BIO_ADDRINFO_protocol                   540	3_0_0	EXIST::FUNCTION:SOCK
 i2d_PBKDF2PARAM                         541	3_0_0	EXIST::FUNCTION:
 ENGINE_unregister_RAND                  542	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
-PEM_write_bio_RSAPrivateKey             543	3_0_0	EXIST::FUNCTION:RSA
+PEM_write_bio_RSAPrivateKey             543	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 CONF_get_number                         544	3_0_0	EXIST::FUNCTION:
 X509_EXTENSION_get_object               545	3_0_0	EXIST::FUNCTION:
 X509_EXTENSIONS_it                      546	3_0_0	EXIST::FUNCTION:
 EC_POINT_set_compressed_coordinates_GF2m 547	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,EC,EC2M
 RSA_sign_ASN1_OCTET_STRING              548	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 d2i_X509_CRL_fp                         549	3_0_0	EXIST::FUNCTION:STDIO
-i2d_RSA_PUBKEY                          550	3_0_0	EXIST::FUNCTION:RSA
+i2d_RSA_PUBKEY                          550	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 EVP_aes_128_ccm                         551	3_0_0	EXIST::FUNCTION:
 ECParameters_print                      552	3_0_0	EXIST::FUNCTION:EC
 OCSP_SINGLERESP_get1_ext_d2i            553	3_0_0	EXIST::FUNCTION:OCSP
@@ -544,7 +544,7 @@ EVP_ripemd160                           555	3_0_0	EXIST::FUNCTION:RMD160
 EVP_MD_meth_set_final                   556	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 ENGINE_get_cmd_defns                    557	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
 d2i_PKEY_USAGE_PERIOD                   558	3_0_0	EXIST::FUNCTION:
-RSAPublicKey_dup                        559	3_0_0	EXIST::FUNCTION:RSA
+RSAPublicKey_dup                        559	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 RAND_write_file                         560	3_0_0	EXIST::FUNCTION:
 BN_GF2m_mod                             561	3_0_0	EXIST::FUNCTION:EC2M
 EC_GROUP_get_pentanomial_basis          562	3_0_0	EXIST::FUNCTION:EC,EC2M
@@ -583,7 +583,7 @@ RAND_query_egd_bytes                    596	3_0_0	EXIST::FUNCTION:EGD
 i2d_ASN1_PRINTABLE                      597	3_0_0	EXIST::FUNCTION:
 ENGINE_cmd_is_executable                598	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
 BIO_puts                                599	3_0_0	EXIST::FUNCTION:
-RSAPublicKey_it                         601	3_0_0	EXIST::FUNCTION:RSA
+RSAPublicKey_it                         601	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 ISSUING_DIST_POINT_new                  602	3_0_0	EXIST::FUNCTION:
 X509_VAL_it                             603	3_0_0	EXIST::FUNCTION:
 EVP_DigestVerifyInit                    604	3_0_0	EXIST::FUNCTION:
@@ -795,10 +795,10 @@ X509_cmp                                814	3_0_0	EXIST::FUNCTION:
 EVP_PKEY_set1_EC_KEY                    815	3_0_0	EXIST::FUNCTION:EC
 ECPKParameters_print_fp                 816	3_0_0	EXIST::FUNCTION:EC,STDIO
 GENERAL_SUBTREE_free                    817	3_0_0	EXIST::FUNCTION:
-RSA_blinding_off                        818	3_0_0	EXIST::FUNCTION:RSA
+RSA_blinding_off                        818	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 i2d_OCSP_REVOKEDINFO                    819	3_0_0	EXIST::FUNCTION:OCSP
 X509V3_add_standard_extensions          820	3_0_0	EXIST::FUNCTION:
-PEM_write_bio_RSA_PUBKEY                821	3_0_0	EXIST::FUNCTION:RSA
+PEM_write_bio_RSA_PUBKEY                821	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 i2d_ASN1_UTF8STRING                     822	3_0_0	EXIST::FUNCTION:
 TS_REQ_delete_ext                       823	3_0_0	EXIST::FUNCTION:TS
 PKCS7_DIGEST_free                       824	3_0_0	EXIST::FUNCTION:
@@ -825,7 +825,7 @@ X509_REQ_get_attr_by_NID                844	3_0_0	EXIST::FUNCTION:
 PBE2PARAM_new                           845	3_0_0	EXIST::FUNCTION:
 DES_ecb_encrypt                         846	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,DES
 EVP_camellia_256_ecb                    847	3_0_0	EXIST::FUNCTION:CAMELLIA
-PEM_read_RSA_PUBKEY                     848	3_0_0	EXIST::FUNCTION:RSA,STDIO
+PEM_read_RSA_PUBKEY                     848	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA,STDIO
 d2i_NETSCAPE_SPKAC                      849	3_0_0	EXIST::FUNCTION:
 ASN1_TIME_check                         851	3_0_0	EXIST::FUNCTION:
 PKCS7_DIGEST_new                        852	3_0_0	EXIST::FUNCTION:
@@ -938,7 +938,7 @@ EVP_PKEY_meth_set_keygen                961	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3
 RSA_PSS_PARAMS_new                      962	3_0_0	EXIST::FUNCTION:RSA
 RSA_sign                                963	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 EVP_DigestVerifyFinal                   964	3_0_0	EXIST::FUNCTION:
-d2i_RSA_PUBKEY_bio                      965	3_0_0	EXIST::FUNCTION:RSA
+d2i_RSA_PUBKEY_bio                      965	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 TS_RESP_dup                             966	3_0_0	EXIST::FUNCTION:TS
 ERR_set_error_data                      967	3_0_0	EXIST::FUNCTION:
 BN_RECP_CTX_new                         968	3_0_0	EXIST::FUNCTION:
@@ -977,7 +977,7 @@ PKCS12_decrypt_skey                     1001	3_0_0	EXIST::FUNCTION:
 ENGINE_register_EC                      1002	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
 OCSP_RESPONSE_new                       1003	3_0_0	EXIST::FUNCTION:OCSP
 CRYPTO_cbc128_encrypt                   1004	3_0_0	EXIST::FUNCTION:
-i2d_RSAPublicKey_bio                    1005	3_0_0	EXIST::FUNCTION:RSA
+i2d_RSAPublicKey_bio                    1005	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 X509_chain_check_suiteb                 1006	3_0_0	EXIST::FUNCTION:
 i2d_OCSP_REQUEST                        1007	3_0_0	EXIST::FUNCTION:OCSP
 BN_X931_generate_Xpq                    1008	3_0_0	EXIST::FUNCTION:
@@ -1050,7 +1050,7 @@ DES_is_weak_key                         1076	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_
 EVP_PKEY_verify                         1077	3_0_0	EXIST::FUNCTION:
 ERR_load_BIO_strings                    1078	3_0_0	EXIST::FUNCTION:
 BIO_nread                               1079	3_0_0	EXIST::FUNCTION:
-PEM_read_bio_RSAPrivateKey              1080	3_0_0	EXIST::FUNCTION:RSA
+PEM_read_bio_RSAPrivateKey              1080	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 OBJ_nid2obj                             1081	3_0_0	EXIST::FUNCTION:
 CRYPTO_ofb128_encrypt                   1082	3_0_0	EXIST::FUNCTION:
 ENGINE_set_init_function                1083	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
@@ -1109,7 +1109,7 @@ ENGINE_get_digest                       1135	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_
 EC_GROUP_have_precompute_mult           1136	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 OPENSSL_gmtime                          1137	3_0_0	EXIST::FUNCTION:
 X509_set_issuer_name                    1138	3_0_0	EXIST::FUNCTION:
-RSA_new                                 1139	3_0_0	EXIST::FUNCTION:RSA
+RSA_new                                 1139	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 ASN1_STRING_set_by_NID                  1140	3_0_0	EXIST::FUNCTION:
 PEM_write_bio_PKCS7                     1141	3_0_0	EXIST::FUNCTION:
 MDC2_Final                              1142	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,MDC2
@@ -1127,7 +1127,7 @@ DES_check_key_parity                    1153	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_
 EVP_aes_256_ocb                         1154	3_0_0	EXIST::FUNCTION:OCB
 X509_VAL_free                           1155	3_0_0	EXIST::FUNCTION:
 X509_STORE_CTX_get1_certs               1156	3_0_0	EXIST::FUNCTION:
-PEM_write_RSA_PUBKEY                    1157	3_0_0	EXIST::FUNCTION:RSA,STDIO
+PEM_write_RSA_PUBKEY                    1157	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA,STDIO
 PKCS12_SAFEBAG_get0_p8inf               1158	3_0_0	EXIST::FUNCTION:
 X509_CRL_set_issuer_name                1159	3_0_0	EXIST::FUNCTION:
 CMS_EncryptedData_encrypt               1160	3_0_0	EXIST::FUNCTION:CMS
@@ -1257,7 +1257,7 @@ UI_add_error_string                     1285	3_0_0	EXIST::FUNCTION:
 X509_TRUST_cleanup                      1286	3_0_0	EXIST::FUNCTION:
 PEM_read_X509                           1287	3_0_0	EXIST::FUNCTION:STDIO
 EC_KEY_new_method                       1288	3_0_0	EXIST::FUNCTION:EC
-i2d_RSAPublicKey_fp                     1289	3_0_0	EXIST::FUNCTION:RSA,STDIO
+i2d_RSAPublicKey_fp                     1289	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA,STDIO
 CRYPTO_ctr128_encrypt_ctr32             1290	3_0_0	EXIST::FUNCTION:
 X509_VERIFY_PARAM_move_peername         1291	3_0_0	EXIST::FUNCTION:
 OCSP_SINGLERESP_it                      1292	3_0_0	EXIST::FUNCTION:OCSP
@@ -1387,7 +1387,7 @@ ASN1_BIT_STRING_set_asc                 1419	3_0_0	EXIST::FUNCTION:
 d2i_GENERAL_NAME                        1420	3_0_0	EXIST::FUNCTION:
 i2d_ESS_CERT_ID                         1421	3_0_0	EXIST::FUNCTION:
 X509_TRUST_get_by_id                    1422	3_0_0	EXIST::FUNCTION:
-d2i_RSA_PUBKEY_fp                       1423	3_0_0	EXIST::FUNCTION:RSA,STDIO
+d2i_RSA_PUBKEY_fp                       1423	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA,STDIO
 EVP_PBE_get                             1424	3_0_0	EXIST::FUNCTION:
 CRYPTO_nistcts128_encrypt               1425	3_0_0	EXIST::FUNCTION:
 CONF_modules_finish                     1426	3_0_0	EXIST::FUNCTION:
@@ -1829,7 +1829,7 @@ EVP_aes_128_cbc                         1871	3_0_0	EXIST::FUNCTION:
 CRYPTO_dup_ex_data                      1872	3_0_0	EXIST::FUNCTION:
 OCSP_single_get0_status                 1873	3_0_0	EXIST::FUNCTION:OCSP
 d2i_AUTHORITY_INFO_ACCESS               1874	3_0_0	EXIST::FUNCTION:
-PEM_read_RSAPrivateKey                  1875	3_0_0	EXIST::FUNCTION:RSA,STDIO
+PEM_read_RSAPrivateKey                  1875	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA,STDIO
 BIO_closesocket                         1876	3_0_0	EXIST::FUNCTION:SOCK
 RSA_verify_ASN1_OCTET_STRING            1877	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 SCT_set_log_entry_type                  1878	3_0_0	EXIST::FUNCTION:CT
@@ -1885,10 +1885,10 @@ X509_LOOKUP_by_subject                  1930	3_0_0	EXIST::FUNCTION:
 X509_REQ_add_extensions                 1931	3_0_0	EXIST::FUNCTION:
 Camellia_cbc_encrypt                    1932	3_0_0	EXIST::FUNCTION:CAMELLIA,DEPRECATEDIN_3_0
 EC_KEY_METHOD_new                       1933	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
-RSA_flags                               1934	3_0_0	EXIST::FUNCTION:RSA
+RSA_flags                               1934	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 X509_NAME_add_entry                     1935	3_0_0	EXIST::FUNCTION:
 EVP_CIPHER_get_asn1_iv                  1936	3_0_0	EXIST::FUNCTION:
-i2d_RSAPrivateKey_bio                   1937	3_0_0	EXIST::FUNCTION:RSA
+i2d_RSAPrivateKey_bio                   1937	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 PKCS5_PBE_keyivgen                      1938	3_0_0	EXIST::FUNCTION:
 i2d_OCSP_SERVICELOC                     1939	3_0_0	EXIST::FUNCTION:OCSP
 EC_POINT_copy                           1940	3_0_0	EXIST::FUNCTION:EC
@@ -2000,7 +2000,7 @@ EVP_DecryptFinal                        2046	3_0_0	EXIST::FUNCTION:
 ASN1_ENUMERATED_it                      2047	3_0_0	EXIST::FUNCTION:
 o2i_ECPublicKey                         2048	3_0_0	EXIST::FUNCTION:EC
 ERR_load_BUF_strings                    2049	3_0_0	EXIST::FUNCTION:
-PEM_read_bio_RSA_PUBKEY                 2050	3_0_0	EXIST::FUNCTION:RSA
+PEM_read_bio_RSA_PUBKEY                 2050	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 OCSP_SINGLERESP_new                     2051	3_0_0	EXIST::FUNCTION:OCSP
 ASN1_SCTX_free                          2052	3_0_0	EXIST::FUNCTION:
 i2d_ECPrivateKey_fp                     2053	3_0_0	EXIST::FUNCTION:EC,STDIO
@@ -2034,7 +2034,7 @@ BN_mul                                  2080	3_0_0	EXIST::FUNCTION:
 BN_get0_nist_prime_384                  2081	3_0_0	EXIST::FUNCTION:
 X509_VERIFY_PARAM_set1_ip_asc           2082	3_0_0	EXIST::FUNCTION:
 CONF_modules_load                       2083	3_0_0	EXIST::FUNCTION:
-d2i_RSAPublicKey                        2084	3_0_0	EXIST::FUNCTION:RSA
+d2i_RSAPublicKey                        2084	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 i2d_ASN1_GENERALSTRING                  2085	3_0_0	EXIST::FUNCTION:
 POLICYQUALINFO_new                      2086	3_0_0	EXIST::FUNCTION:
 PKCS7_RECIP_INFO_get0_alg               2087	3_0_0	EXIST::FUNCTION:
@@ -2120,7 +2120,7 @@ EC_POINT_method_of                      2165	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_
 PKCS7_ENCRYPT_it                        2166	3_0_0	EXIST::FUNCTION:
 AUTHORITY_INFO_ACCESS_it                2167	3_0_0	EXIST::FUNCTION:
 X509_EXTENSION_create_by_NID            2168	3_0_0	EXIST::FUNCTION:
-i2d_RSAPrivateKey                       2169	3_0_0	EXIST::FUNCTION:RSA
+i2d_RSAPrivateKey                       2169	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 d2i_CERTIFICATEPOLICIES                 2170	3_0_0	EXIST::FUNCTION:
 CMAC_CTX_get0_cipher_ctx                2171	3_0_0	EXIST::FUNCTION:CMAC,DEPRECATEDIN_3_0
 X509_STORE_load_locations               2172	3_0_0	EXIST::FUNCTION:
@@ -2239,7 +2239,7 @@ SCT_set1_extensions                     2286	3_0_0	EXIST::FUNCTION:CT
 PKCS12_SAFEBAG_new                      2287	3_0_0	EXIST::FUNCTION:
 TS_TST_INFO_set_nonce                   2288	3_0_0	EXIST::FUNCTION:TS
 PEM_read_ECPrivateKey                   2289	3_0_0	EXIST::FUNCTION:EC,STDIO
-RSA_free                                2290	3_0_0	EXIST::FUNCTION:RSA
+RSA_free                                2290	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 X509_CRL_INFO_new                       2291	3_0_0	EXIST::FUNCTION:
 AES_cfb8_encrypt                        2292	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 d2i_ASN1_SEQUENCE_ANY                   2293	3_0_0	EXIST::FUNCTION:
@@ -2267,7 +2267,7 @@ EC_POINT_new                            2314	3_0_0	EXIST::FUNCTION:EC
 PKCS7_ISSUER_AND_SERIAL_digest          2315	3_0_0	EXIST::FUNCTION:
 EVP_des_ofb                             2316	3_0_0	EXIST::FUNCTION:DES
 DSA_set_method                          2317	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,DSA
-EVP_PKEY_get1_RSA                       2318	3_0_0	EXIST::FUNCTION:RSA
+EVP_PKEY_get1_RSA                       2318	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 EC_KEY_OpenSSL                          2319	3_0_0	EXIST::FUNCTION:EC
 EVP_camellia_192_ofb                    2320	3_0_0	EXIST::FUNCTION:CAMELLIA
 ASN1_STRING_length                      2321	3_0_0	EXIST::FUNCTION:
@@ -2363,7 +2363,7 @@ EVP_MD_CTX_md_data                      2412	3_0_0	EXIST::FUNCTION:
 ASN1_PCTX_set_nm_flags                  2413	3_0_0	EXIST::FUNCTION:
 BIO_ctrl                                2414	3_0_0	EXIST::FUNCTION:
 X509_CRL_set_default_method             2415	3_0_0	EXIST::FUNCTION:
-d2i_RSAPublicKey_fp                     2417	3_0_0	EXIST::FUNCTION:RSA,STDIO
+d2i_RSAPublicKey_fp                     2417	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA,STDIO
 UI_method_get_flusher                   2418	3_0_0	EXIST::FUNCTION:
 EC_POINT_dbl                            2419	3_0_0	EXIST::FUNCTION:EC
 i2d_X509_CRL_INFO                       2420	3_0_0	EXIST::FUNCTION:
@@ -2586,7 +2586,7 @@ d2i_PBKDF2PARAM                         2640	3_0_0	EXIST::FUNCTION:
 ERR_load_COMP_strings                   2641	3_0_0	EXIST::FUNCTION:COMP
 EVP_PKEY_meth_add0                      2642	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 EVP_rc4_40                              2643	3_0_0	EXIST::FUNCTION:RC4
-RSA_bits                                2645	3_0_0	EXIST::FUNCTION:RSA
+RSA_bits                                2645	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 ASN1_item_dup                           2646	3_0_0	EXIST::FUNCTION:
 GENERAL_NAMES_it                        2647	3_0_0	EXIST::FUNCTION:
 X509_issuer_name_hash                   2648	3_0_0	EXIST::FUNCTION:
@@ -2680,7 +2680,7 @@ CRYPTO_THREAD_lock_new                  2736	3_0_0	EXIST::FUNCTION:
 BIO_get_ex_data                         2737	3_0_0	EXIST::FUNCTION:
 CMS_digest_create                       2738	3_0_0	EXIST::FUNCTION:CMS
 EC_KEY_METHOD_set_verify                2739	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
-PEM_read_RSAPublicKey                   2740	3_0_0	EXIST::FUNCTION:RSA,STDIO
+PEM_read_RSAPublicKey                   2740	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA,STDIO
 ENGINE_pkey_asn1_find_str               2741	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
 ENGINE_get_load_privkey_function        2742	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
 d2i_IPAddressRange                      2743	3_0_0	EXIST::FUNCTION:RFC3779
@@ -2716,7 +2716,7 @@ ENGINE_unregister_DSA                   2773	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_
 ASN1_bn_print                           2774	3_0_0	EXIST::FUNCTION:
 CMS_is_detached                         2775	3_0_0	EXIST::FUNCTION:CMS
 X509_REQ_INFO_it                        2776	3_0_0	EXIST::FUNCTION:
-RSAPrivateKey_it                        2777	3_0_0	EXIST::FUNCTION:RSA
+RSAPrivateKey_it                        2777	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 X509_NAME_ENTRY_free                    2778	3_0_0	EXIST::FUNCTION:
 BIO_new_fd                              2779	3_0_0	EXIST::FUNCTION:
 OPENSSL_sk_value                        2781	3_0_0	EXIST::FUNCTION:
@@ -2837,7 +2837,7 @@ ASIdentifiers_it                        2898	3_0_0	EXIST::FUNCTION:RFC3779
 BN_mod_lshift                           2899	3_0_0	EXIST::FUNCTION:
 ENGINE_get_last                         2900	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
 EVP_PKEY_encrypt_init                   2901	3_0_0	EXIST::FUNCTION:
-i2d_RSAPrivateKey_fp                    2902	3_0_0	EXIST::FUNCTION:RSA,STDIO
+i2d_RSAPrivateKey_fp                    2902	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA,STDIO
 X509_REQ_print                          2903	3_0_0	EXIST::FUNCTION:
 RSA_size                                2904	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 EVP_CIPHER_CTX_iv_noconst               2905	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
@@ -2938,14 +2938,14 @@ COMP_CTX_get_type                       3000	3_0_0	EXIST::FUNCTION:COMP
 TS_RESP_CTX_set_status_info             3001	3_0_0	EXIST::FUNCTION:TS
 BIO_f_nbio_test                         3002	3_0_0	EXIST::FUNCTION:
 SEED_ofb128_encrypt                     3003	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,SEED
-d2i_RSAPrivateKey_bio                   3004	3_0_0	EXIST::FUNCTION:RSA
+d2i_RSAPrivateKey_bio                   3004	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 DH_KDF_X9_42                            3005	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,DH
 EVP_PKEY_meth_set_signctx               3006	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 X509_CRL_get_version                    3007	3_0_0	EXIST::FUNCTION:
 EVP_PKEY_meth_get0_info                 3008	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
-PEM_read_bio_RSAPublicKey               3009	3_0_0	EXIST::FUNCTION:RSA
+PEM_read_bio_RSAPublicKey               3009	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 EVP_PKEY_asn1_set_private               3010	3_0_0	EXIST::FUNCTION:
-EVP_PKEY_get0_RSA                       3011	3_0_0	EXIST::FUNCTION:RSA
+EVP_PKEY_get0_RSA                       3011	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 DES_ede3_cfb64_encrypt                  3012	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,DES
 POLICY_MAPPING_free                     3014	3_0_0	EXIST::FUNCTION:
 EVP_aes_128_gcm                         3015	3_0_0	EXIST::FUNCTION:
@@ -2959,7 +2959,7 @@ BN_rand                                 3023	3_0_0	EXIST::FUNCTION:
 ASN1_TYPE_unpack_sequence               3024	3_0_0	EXIST::FUNCTION:
 X509_CRL_sign_ctx                       3025	3_0_0	EXIST::FUNCTION:
 X509_STORE_add_crl                      3026	3_0_0	EXIST::FUNCTION:
-PEM_write_RSAPrivateKey                 3027	3_0_0	EXIST::FUNCTION:RSA,STDIO
+PEM_write_RSAPrivateKey                 3027	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA,STDIO
 RC4_set_key                             3028	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RC4
 EVP_CIPHER_CTX_cipher                   3029	3_0_0	EXIST::FUNCTION:
 PEM_write_bio_PKCS8PrivateKey_nid       3030	3_0_0	EXIST::FUNCTION:
@@ -3000,7 +3000,7 @@ ASN1_PCTX_set_str_flags                 3064	3_0_0	EXIST::FUNCTION:
 i2a_ASN1_INTEGER                        3065	3_0_0	EXIST::FUNCTION:
 d2i_TS_RESP                             3066	3_0_0	EXIST::FUNCTION:TS
 EVP_des_ede_cfb64                       3067	3_0_0	EXIST::FUNCTION:DES
-d2i_RSAPrivateKey                       3068	3_0_0	EXIST::FUNCTION:RSA
+d2i_RSAPrivateKey                       3068	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 ERR_load_BN_strings                     3069	3_0_0	EXIST::FUNCTION:
 BF_encrypt                              3070	3_0_0	EXIST::FUNCTION:BF,DEPRECATEDIN_3_0
 MD5                                     3071	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,MD5
@@ -3008,7 +3008,7 @@ BN_GF2m_arr2poly                        3072	3_0_0	EXIST::FUNCTION:EC2M
 EVP_PKEY_meth_get_ctrl                  3073	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 i2d_X509_REQ_bio                        3074	3_0_0	EXIST::FUNCTION:
 X509_VERIFY_PARAM_set1_name             3075	3_0_0	EXIST::FUNCTION:
-d2i_RSAPublicKey_bio                    3076	3_0_0	EXIST::FUNCTION:RSA
+d2i_RSAPublicKey_bio                    3076	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 X509_REQ_get_X509_PUBKEY                3077	3_0_0	EXIST::FUNCTION:
 ENGINE_load_private_key                 3078	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
 GENERAL_NAMES_new                       3079	3_0_0	EXIST::FUNCTION:
@@ -3119,7 +3119,7 @@ CTLOG_get0_public_key                   3184	3_0_0	EXIST::FUNCTION:CT
 OCSP_REQUEST_get_ext_by_OBJ             3185	3_0_0	EXIST::FUNCTION:OCSP
 X509_NAME_oneline                       3186	3_0_0	EXIST::FUNCTION:
 X509V3_set_nconf                        3187	3_0_0	EXIST::FUNCTION:
-RSAPrivateKey_dup                       3188	3_0_0	EXIST::FUNCTION:RSA
+RSAPrivateKey_dup                       3188	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 BN_mod_add                              3189	3_0_0	EXIST::FUNCTION:
 EC_POINT_set_affine_coordinates_GFp     3190	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 X509_get_default_cert_file              3191	3_0_0	EXIST::FUNCTION:
@@ -3200,7 +3200,7 @@ d2i_ASN1_OCTET_STRING                   3265	3_0_0	EXIST::FUNCTION:
 ENGINE_set_load_pubkey_function         3266	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
 BIO_vprintf                             3267	3_0_0	EXIST::FUNCTION:
 CMS_RecipientInfo_decrypt               3268	3_0_0	EXIST::FUNCTION:CMS
-RSA_generate_key                        3269	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_0_9_8,RSA
+RSA_generate_key                        3269	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 PKCS7_set0_type_other                   3270	3_0_0	EXIST::FUNCTION:
 OCSP_REQUEST_new                        3271	3_0_0	EXIST::FUNCTION:OCSP
 BIO_lookup                              3272	3_0_0	EXIST::FUNCTION:SOCK
@@ -3508,7 +3508,7 @@ ASN1_TIME_to_generalizedtime            3583	3_0_0	EXIST::FUNCTION:
 X509_CRL_get_ext_by_critical            3584	3_0_0	EXIST::FUNCTION:
 ASN1_STRING_type                        3585	3_0_0	EXIST::FUNCTION:
 X509_REQ_add1_attr_by_txt               3586	3_0_0	EXIST::FUNCTION:
-PEM_write_RSAPublicKey                  3587	3_0_0	EXIST::FUNCTION:RSA,STDIO
+PEM_write_RSAPublicKey                  3587	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA,STDIO
 EVP_MD_meth_dup                         3588	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 ENGINE_unregister_ciphers               3589	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
 X509_issuer_and_serial_cmp              3590	3_0_0	EXIST::FUNCTION:
@@ -3613,7 +3613,7 @@ OTHERNAME_free                          3692	3_0_0	EXIST::FUNCTION:
 OCSP_REVOKEDINFO_free                   3693	3_0_0	EXIST::FUNCTION:OCSP
 EVP_CIPHER_CTX_encrypting               3694	3_0_0	EXIST::FUNCTION:
 EC_KEY_can_sign                         3695	3_0_0	EXIST::FUNCTION:EC
-PEM_write_bio_RSAPublicKey              3696	3_0_0	EXIST::FUNCTION:RSA
+PEM_write_bio_RSAPublicKey              3696	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 X509_CRL_set1_lastUpdate                3697	3_0_0	EXIST::FUNCTION:
 OCSP_sendreq_nbio                       3698	3_0_0	EXIST::FUNCTION:OCSP
 PKCS8_encrypt                           3699	3_0_0	EXIST::FUNCTION:
@@ -3730,7 +3730,7 @@ PKEY_USAGE_PERIOD_it                    3810	3_0_0	EXIST::FUNCTION:
 BN_mul_word                             3811	3_0_0	EXIST::FUNCTION:
 i2d_IPAddressRange                      3813	3_0_0	EXIST::FUNCTION:RFC3779
 CMS_unsigned_add1_attr_by_txt           3814	3_0_0	EXIST::FUNCTION:CMS
-d2i_RSA_PUBKEY                          3815	3_0_0	EXIST::FUNCTION:RSA
+d2i_RSA_PUBKEY                          3815	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 PKCS12_gen_mac                          3816	3_0_0	EXIST::FUNCTION:
 ERR_load_ENGINE_strings                 3817	3_0_0	EXIST::FUNCTION:ENGINE
 ERR_load_CT_strings                     3818	3_0_0	EXIST::FUNCTION:CT
@@ -3907,30 +3907,30 @@ DSA_get0_engine                         3990	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_
 X509_VERIFY_PARAM_set_auth_level        3991	3_0_0	EXIST::FUNCTION:
 X509_VERIFY_PARAM_get_auth_level        3992	3_0_0	EXIST::FUNCTION:
 X509_REQ_get0_pubkey                    3993	3_0_0	EXIST::FUNCTION:
-RSA_set0_key                            3994	3_0_0	EXIST::FUNCTION:RSA
+RSA_set0_key                            3994	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 RSA_meth_get_flags                      3995	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 RSA_meth_set_finish                     3996	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 RSA_meth_get_priv_dec                   3997	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 RSA_meth_get_sign                       3998	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 RSA_meth_get_bn_mod_exp                 3999	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
-RSA_test_flags                          4000	3_0_0	EXIST::FUNCTION:RSA
+RSA_test_flags                          4000	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 RSA_meth_new                            4001	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 RSA_meth_get0_app_data                  4002	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 RSA_meth_dup                            4003	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 RSA_meth_set1_name                      4004	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 RSA_meth_set0_app_data                  4005	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
-RSA_set_flags                           4006	3_0_0	EXIST::FUNCTION:RSA
+RSA_set_flags                           4006	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 RSA_meth_set_sign                       4007	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
-RSA_clear_flags                         4008	3_0_0	EXIST::FUNCTION:RSA
+RSA_clear_flags                         4008	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 RSA_meth_get_keygen                     4009	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 RSA_meth_set_keygen                     4010	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 RSA_meth_set_pub_dec                    4011	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 RSA_meth_get_finish                     4012	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
-RSA_get0_key                            4013	3_0_0	EXIST::FUNCTION:RSA
+RSA_get0_key                            4013	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 RSA_get0_engine                         4014	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 RSA_meth_set_priv_enc                   4015	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 RSA_meth_set_verify                     4016	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
-RSA_get0_factors                        4017	3_0_0	EXIST::FUNCTION:RSA
+RSA_get0_factors                        4017	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 RSA_meth_get0_name                      4018	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 RSA_meth_get_mod_exp                    4019	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 RSA_meth_set_flags                      4020	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
@@ -3940,14 +3940,14 @@ RSA_meth_get_init                       4023	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_
 RSA_meth_free                           4024	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 RSA_meth_get_pub_enc                    4025	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 RSA_meth_set_mod_exp                    4026	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
-RSA_set0_factors                        4027	3_0_0	EXIST::FUNCTION:RSA
+RSA_set0_factors                        4027	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 RSA_meth_set_pub_enc                    4028	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 RSA_meth_set_priv_dec                   4029	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 RSA_meth_get_verify                     4030	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 RSA_meth_set_init                       4031	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 RSA_meth_get_priv_enc                   4032	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
-RSA_set0_crt_params                     4037	3_0_0	EXIST::FUNCTION:RSA
-RSA_get0_crt_params                     4038	3_0_0	EXIST::FUNCTION:RSA
+RSA_set0_crt_params                     4037	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_get0_crt_params                     4038	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 DH_set0_pqg                             4039	3_0_0	EXIST::FUNCTION:DH
 DH_clear_flags                          4041	3_0_0	EXIST::FUNCTION:DH
 DH_get0_key                             4042	3_0_0	EXIST::FUNCTION:DH
@@ -4248,7 +4248,7 @@ EVP_sm4_ofb                             4356	3_0_0	EXIST::FUNCTION:SM4
 EVP_sm4_ecb                             4357	3_0_0	EXIST::FUNCTION:SM4
 EVP_sm4_cfb128                          4358	3_0_0	EXIST::FUNCTION:SM4
 EVP_sm3                                 4359	3_0_0	EXIST::FUNCTION:SM3
-RSA_get0_multi_prime_factors            4360	3_0_0	EXIST::FUNCTION:RSA
+RSA_get0_multi_prime_factors            4360	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 EVP_PKEY_public_check                   4361	3_0_0	EXIST::FUNCTION:
 EVP_PKEY_param_check                    4362	3_0_0	EXIST::FUNCTION:
 EVP_PKEY_meth_set_public_check          4363	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
@@ -4261,10 +4261,10 @@ DH_check_ex                             4369	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_
 DH_check_pub_key_ex                     4370	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,DH
 DH_check_params_ex                      4371	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,DH
 RSA_generate_multi_prime_key            4372	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
-RSA_get_multi_prime_extra_count         4373	3_0_0	EXIST::FUNCTION:RSA
+RSA_get_multi_prime_extra_count         4373	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 OCSP_resp_get0_signer                   4374	3_0_0	EXIST::FUNCTION:OCSP
-RSA_get0_multi_prime_crt_params         4375	3_0_0	EXIST::FUNCTION:RSA
-RSA_set0_multi_prime_params             4376	3_0_0	EXIST::FUNCTION:RSA
+RSA_get0_multi_prime_crt_params         4375	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_set0_multi_prime_params             4376	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 RSA_get_version                         4377	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 RSA_meth_get_multi_prime_keygen         4378	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 RSA_meth_set_multi_prime_keygen         4379	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
@@ -4355,14 +4355,14 @@ DSA_get0_pub_key                        4479	3_0_0	EXIST::FUNCTION:DSA
 DSA_get0_q                              4480	3_0_0	EXIST::FUNCTION:DSA
 DSA_get0_p                              4481	3_0_0	EXIST::FUNCTION:DSA
 DSA_get0_g                              4482	3_0_0	EXIST::FUNCTION:DSA
-RSA_get0_dmp1                           4483	3_0_0	EXIST::FUNCTION:RSA
-RSA_get0_d                              4484	3_0_0	EXIST::FUNCTION:RSA
-RSA_get0_n                              4485	3_0_0	EXIST::FUNCTION:RSA
-RSA_get0_dmq1                           4486	3_0_0	EXIST::FUNCTION:RSA
-RSA_get0_e                              4487	3_0_0	EXIST::FUNCTION:RSA
-RSA_get0_q                              4488	3_0_0	EXIST::FUNCTION:RSA
-RSA_get0_p                              4489	3_0_0	EXIST::FUNCTION:RSA
-RSA_get0_iqmp                           4490	3_0_0	EXIST::FUNCTION:RSA
+RSA_get0_dmp1                           4483	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_get0_d                              4484	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_get0_n                              4485	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_get0_dmq1                           4486	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_get0_e                              4487	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_get0_q                              4488	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_get0_p                              4489	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_get0_iqmp                           4490	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 ECDSA_SIG_get0_r                        4491	3_0_0	EXIST::FUNCTION:EC
 ECDSA_SIG_get0_s                        4492	3_0_0	EXIST::FUNCTION:EC
 X509_LOOKUP_meth_get_get_by_fingerprint 4493	3_0_0	EXIST::FUNCTION:
diff --git a/util/libssl.num b/util/libssl.num
index 75e45bb17f..a505e5300b 100644
--- a/util/libssl.num
+++ b/util/libssl.num
@@ -18,14 +18,14 @@ SSL_CTX_sess_get_get_cb                 18	3_0_0	EXIST::FUNCTION:
 SSL_CTX_get_default_passwd_cb_userdata  19	3_0_0	EXIST::FUNCTION:
 SSL_set_tmp_dh_callback                 20	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,DH
 SSL_CTX_get_verify_depth                21	3_0_0	EXIST::FUNCTION:
-SSL_CTX_use_RSAPrivateKey_file          22	3_0_0	EXIST::FUNCTION:RSA
+SSL_CTX_use_RSAPrivateKey_file          22	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 SSL_use_PrivateKey_file                 23	3_0_0	EXIST::FUNCTION:
 SSL_set_generate_session_id             24	3_0_0	EXIST::FUNCTION:
 SSL_get_ex_data_X509_STORE_CTX_idx      25	3_0_0	EXIST::FUNCTION:
 SSL_get_quiet_shutdown                  26	3_0_0	EXIST::FUNCTION:
 SSL_dane_enable                         27	3_0_0	EXIST::FUNCTION:
 SSL_COMP_add_compression_method         28	3_0_0	EXIST::FUNCTION:
-SSL_CTX_use_RSAPrivateKey               29	3_0_0	EXIST::FUNCTION:RSA
+SSL_CTX_use_RSAPrivateKey               29	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 SSL_CTX_sess_get_new_cb                 30	3_0_0	EXIST::FUNCTION:
 d2i_SSL_SESSION                         31	3_0_0	EXIST::FUNCTION:
 SSL_use_PrivateKey_ASN1                 32	3_0_0	EXIST::FUNCTION:
@@ -65,7 +65,7 @@ SSL_set_security_level                  65	3_0_0	EXIST::FUNCTION:
 DTLSv1_2_method                         66	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_1_1_0,DTLS1_2_METHOD
 SSL_get_fd                              67	3_0_0	EXIST::FUNCTION:
 SSL_get1_session                        68	3_0_0	EXIST::FUNCTION:
-SSL_use_RSAPrivateKey                   69	3_0_0	EXIST::FUNCTION:RSA
+SSL_use_RSAPrivateKey                   69	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 SSL_CTX_set_srp_cb_arg                  70	3_0_0	EXIST::FUNCTION:SRP
 SSL_CTX_add_session                     71	3_0_0	EXIST::FUNCTION:
 SSL_get_srp_N                           72	3_0_0	EXIST::FUNCTION:SRP
@@ -168,7 +168,7 @@ TLSv1_1_server_method                   168	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_1
 PEM_write_bio_SSL_SESSION               169	3_0_0	EXIST::FUNCTION:
 SSL_write                               170	3_0_0	EXIST::FUNCTION:
 SSL_set1_host                           171	3_0_0	EXIST::FUNCTION:
-SSL_use_RSAPrivateKey_file              172	3_0_0	EXIST::FUNCTION:RSA
+SSL_use_RSAPrivateKey_file              172	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 SSL_CTX_get_info_callback               173	3_0_0	EXIST::FUNCTION:
 SSL_get0_peername                       174	3_0_0	EXIST::FUNCTION:
 SSL_set_srp_server_param                175	3_0_0	EXIST::FUNCTION:SRP
@@ -193,7 +193,7 @@ SSL_CTX_dane_mtype_set                  193	3_0_0	EXIST::FUNCTION:
 SSL_get_wfd                             194	3_0_0	EXIST::FUNCTION:
 SSL_get_ssl_method                      195	3_0_0	EXIST::FUNCTION:
 SSL_set_verify_result                   196	3_0_0	EXIST::FUNCTION:
-SSL_use_RSAPrivateKey_ASN1              197	3_0_0	EXIST::FUNCTION:RSA
+SSL_use_RSAPrivateKey_ASN1              197	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 SSL_CIPHER_get_name                     198	3_0_0	EXIST::FUNCTION:
 OPENSSL_init_ssl                        199	3_0_0	EXIST::FUNCTION:
 SSL_dup                                 200	3_0_0	EXIST::FUNCTION:
@@ -320,7 +320,7 @@ SSL_clear_options                       320	3_0_0	EXIST::FUNCTION:
 SSL_CTX_use_PrivateKey                  321	3_0_0	EXIST::FUNCTION:
 SSL_get_info_callback                   322	3_0_0	EXIST::FUNCTION:
 SSL_CTX_use_psk_identity_hint           323	3_0_0	EXIST::FUNCTION:PSK
-SSL_CTX_use_RSAPrivateKey_ASN1          324	3_0_0	EXIST::FUNCTION:RSA
+SSL_CTX_use_RSAPrivateKey_ASN1          324	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
 SSL_CTX_use_PrivateKey_ASN1             325	3_0_0	EXIST::FUNCTION:
 SSL_CTX_get0_privatekey                 326	3_0_0	EXIST::FUNCTION:
 BIO_f_ssl                               327	3_0_0	EXIST::FUNCTION:


More information about the openssl-commits mailing list