[openssl] master update

shane.lontis at oracle.com shane.lontis at oracle.com
Mon Mar 29 23:47:55 UTC 2021


The branch master has been updated
       via  8f81e3a1848819b3e2bf57d7bc810e440e29d8a5 (commit)
       via  e52b421575c279b36617b7cc9dfed8c54518a928 (commit)
      from  203c18f14aab47a1f9f0a18a5119997761184557 (commit)


- Log -----------------------------------------------------------------
commit 8f81e3a1848819b3e2bf57d7bc810e440e29d8a5
Author: Shane Lontis <shane.lontis at oracle.com>
Date:   Mon Mar 22 12:04:34 2021 +1000

    Fix DH gettable OSSL_PKEY_PARAM_DH_PRIV_LEN so that it has the correct
    type.
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14564)

commit e52b421575c279b36617b7cc9dfed8c54518a928
Author: Shane Lontis <shane.lontis at oracle.com>
Date:   Tue Mar 16 09:39:19 2021 +1000

    Update deprecated API's in the documentation.
    
    The reported issue related to EC_KEY deprecations
    Fixes #14545
    
    Searches were done in the pod files for all libcrypto.num
    entries containing DEPRECATEDIN_3_0 to find additional missing entries.
    
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14564)

-----------------------------------------------------------------------

Summary of changes:
 doc/man3/BIO_get_ex_new_index.pod            | 48 ++++++++++++--
 doc/man3/DH_get0_pqg.pod                     | 27 +++++---
 doc/man3/DH_get_1024_160.pod                 | 27 ++++++--
 doc/man3/DSA_do_sign.pod                     | 14 +++-
 doc/man3/DSA_generate_key.pod                | 14 +++-
 doc/man3/DSA_generate_parameters.pod         | 10 +++
 doc/man3/DSA_set_method.pod                  | 13 +++-
 doc/man3/DSA_sign.pod                        | 12 ++++
 doc/man3/ECPKParameters_print.pod            | 13 +++-
 doc/man3/EC_GROUP_new.pod                    | 25 ++++---
 doc/man3/EC_KEY_new.pod                      | 14 ++--
 doc/man3/OPENSSL_malloc.pod                  |  4 +-
 doc/man3/OSSL_STORE_LOADER.pod               | 12 ++--
 doc/man3/PEM_read_CMS.pod                    | 44 ++++++++++++-
 doc/man3/PEM_read_bio_PrivateKey.pod         | 99 +++++++++++++++++-----------
 doc/man3/RSA_blinding_on.pod                 | 12 +++-
 doc/man3/RSA_get0_key.pod                    | 12 +++-
 doc/man3/X509_dup.pod                        | 13 +++-
 doc/man3/d2i_RSAPrivateKey.pod               |  8 +++
 doc/man3/d2i_X509.pod                        |  8 ---
 providers/implementations/keymgmt/dh_kmgmt.c |  4 +-
 21 files changed, 337 insertions(+), 96 deletions(-)

diff --git a/doc/man3/BIO_get_ex_new_index.pod b/doc/man3/BIO_get_ex_new_index.pod
index a2d2f1b312..7dce548f90 100644
--- a/doc/man3/BIO_get_ex_new_index.pod
+++ b/doc/man3/BIO_get_ex_new_index.pod
@@ -6,7 +6,6 @@ BIO_get_ex_new_index, BIO_set_ex_data, BIO_get_ex_data,
 BIO_set_app_data, BIO_get_app_data,
 DH_get_ex_new_index, DH_set_ex_data, DH_get_ex_data,
 DSA_get_ex_new_index, DSA_set_ex_data, DSA_get_ex_data,
-ECDH_get_ex_new_index, ECDH_set_ex_data, ECDH_get_ex_data,
 EC_KEY_get_ex_new_index, EC_KEY_set_ex_data, EC_KEY_get_ex_data,
 ENGINE_get_ex_new_index, ENGINE_set_ex_data, ENGINE_get_ex_data,
 EVP_PKEY_get_ex_new_index, EVP_PKEY_set_ex_data, EVP_PKEY_get_ex_data,
@@ -44,11 +43,44 @@ X509_get_ex_new_index, X509_set_ex_data, X509_get_ex_data
  #define TYPE_set_app_data(TYPE *d, void *arg)
  #define TYPE_get_app_data(TYPE *d)
 
+Deprecated since OpenSSL 3.0, can be hidden entirely by defining
+B<OPENSSL_API_COMPAT> with a suitable version value, see
+L<openssl_user_macros(7)>:
+
+ int DH_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+                         CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
+ int DH_set_ex_data(DH *type, int idx, void *arg);
+ void *DH_get_ex_data(DH *type, int idx);
+ int DSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+                          CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
+ int DSA_set_ex_data(DSA *type, int idx, void *arg);
+ void *DSA_get_ex_data(DSA *type, int idx);
+ int EC_KEY_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+                             CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
+ int EC_KEY_set_ex_data(EC_KEY *type, int idx, void *arg);
+ void *EC_KEY_get_ex_data(EC_KEY *type, int idx);
+ int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+                          CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
+ int RSA_set_ex_data(RSA *type, int idx, void *arg);
+ void *RSA_get_ex_data(RSA *type, int idx);
+ int RSA_set_app_data(RSA *type, void *arg);
+ void *RSA_get_app_data(RSA *type);
+ int ENGINE_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
+                             CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
+ int ENGINE_set_ex_data(ENGINE *type, int idx, void *arg);
+ void *ENGINE_get_ex_data(ENGINE *type, int idx);
+
 =head1 DESCRIPTION
 
 In the description here, I<TYPE> is used a placeholder
-for any of the OpenSSL datatypes listed in
-L<CRYPTO_get_ex_new_index(3)>.
+for any of the OpenSSL datatypes listed in L<CRYPTO_get_ex_new_index(3)>.
+
+All functions with a I<TYPE> of B<DH>, B<DSA>, B<RSA> and B<EC_KEY> are deprecated.
+Applications should instead use EVP_PKEY_set_ex_data(),
+EVP_PKEY_get_ex_data() and EVP_PKEY_get_ex_new_index().
+
+All functions with a I<TYPE> of B<ENGINE> are deprecated.
+Applications using engines should be replaced by providers.
 
 These functions handle application-specific data for OpenSSL data
 structures.
@@ -84,12 +116,16 @@ L<CRYPTO_get_ex_new_index(3)>.
 
 =head1 HISTORY
 
-The ENGINE_get_ex_new_index(), ENGINE_set_ex_data() and ENGINE_get_ex_data()
-functions were deprecated in OpenSSL 3.0.
+The functions DH_get_ex_new_index(), DH_set_ex_data(), DH_get_ex_data(),
+DSA_get_ex_new_index(), DSA_set_ex_data(), DSA_get_ex_data(),
+EC_KEY_get_ex_new_index(), EC_KEY_set_ex_data(), EC_KEY_get_ex_data(),
+ENGINE_get_ex_new_index(), ENGINE_set_ex_data(), ENGINE_get_ex_data(),
+RSA_get_ex_new_index(), RSA_set_ex_data(), RSA_get_ex_data(),
+RSA_set_app_data() and RSA_get_app_data() were deprecated in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/DH_get0_pqg.pod b/doc/man3/DH_get0_pqg.pod
index 28f5d06b4c..5de7bae219 100644
--- a/doc/man3/DH_get0_pqg.pod
+++ b/doc/man3/DH_get0_pqg.pod
@@ -12,6 +12,10 @@ DH_get_length, DH_set_length - Routines for getting and setting data in a DH obj
 
  #include <openssl/dh.h>
 
+Deprecated since OpenSSL 3.0, can be hidden entirely by defining
+B<OPENSSL_API_COMPAT> with a suitable version value, see
+L<openssl_user_macros(7)>:
+
  void DH_get0_pqg(const DH *dh,
                   const BIGNUM **p, const BIGNUM **q, const BIGNUM **g);
  int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
@@ -30,14 +34,14 @@ DH_get_length, DH_set_length - Routines for getting and setting data in a DH obj
  long DH_get_length(const DH *dh);
  int DH_set_length(DH *dh, long length);
 
-Deprecated since OpenSSL 3.0, can be hidden entirely by defining
-B<OPENSSL_API_COMPAT> with a suitable version value, see
-L<openssl_user_macros(7)>:
-
  ENGINE *DH_get0_engine(DH *d);
 
 =head1 DESCRIPTION
 
+All of the functions described on this page are deprecated.
+Applications should instead use L<EVP_PKEY_get_bn_param(3)> for any methods that
+return a B<BIGNUM>. Refer to L<EVP_PKEY-DH(7)> for more infomation.
+
 A DH object contains the parameters I<p>, I<q> and I<g>. Note that the I<q>
 parameter is optional. It also contains a public key (I<pub_key>) and
 (optionally) a private key (I<priv_key>).
@@ -89,15 +93,18 @@ zero if none of the flags are set. DH_clear_flags() clears the specified flags
 within the DH object.
 
 DH_get0_engine() returns a handle to the ENGINE that has been set for this DH
-object, or NULL if no such ENGINE has been set. This function is deprecated.
+object, or NULL if no such ENGINE has been set. This function is deprecated. All
+engines should be replaced by providers.
 
 The DH_get_length() and DH_set_length() functions get and set the optional
 length parameter associated with this DH object. If the length is nonzero then
 it is used, otherwise it is ignored. The I<length> parameter indicates the
-length of the secret exponent (private key) in bits. These functions are
-deprecated. For safe prime groups the optional length parameter I<length> can be
+length of the secret exponent (private key) in bits. For safe prime groups the optional length parameter I<length> can be
 set to a value greater or equal to 2 * maximum_target_security_strength(BN_num_bits(I<p>))
 as listed in SP800-56Ar3 Table(s) 25 & 26.
+These functions are deprecated and should be replaced with
+EVP_PKEY_CTX_set_params() and EVP_PKEY_get_int_param() using the parameter key
+B<OSSL_PKEY_PARAM_DH_PRIV_LEN> as described in L<EVP_PKEY-DH(7)>.
 
 =head1 NOTES
 
@@ -128,13 +135,13 @@ L<DH_set_method(3)>, L<DH_size(3)>, L<DH_meth_new(3)>
 
 =head1 HISTORY
 
-The DH_get0_engine() function was deprecated in OpenSSL 3.0.
-
 The functions described here were added in OpenSSL 1.1.0.
 
+All of these functions were deprecated in OpenSSL 3.0.
+
 =head1 COPYRIGHT
 
-Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/DH_get_1024_160.pod b/doc/man3/DH_get_1024_160.pod
index 8bf9ddfadc..f4465930d1 100644
--- a/doc/man3/DH_get_1024_160.pod
+++ b/doc/man3/DH_get_1024_160.pod
@@ -23,9 +23,6 @@ BN_get_rfc3526_prime_8192
 =head1 SYNOPSIS
 
  #include <openssl/dh.h>
- DH *DH_get_1024_160(void);
- DH *DH_get_2048_224(void);
- DH *DH_get_2048_256(void);
 
  const BIGNUM *BN_get0_nist_prime_192(void);
  const BIGNUM *BN_get0_nist_prime_224(void);
@@ -42,10 +39,25 @@ BN_get_rfc3526_prime_8192
  BIGNUM *BN_get_rfc3526_prime_6144(BIGNUM *bn);
  BIGNUM *BN_get_rfc3526_prime_8192(BIGNUM *bn);
 
+Deprecated since OpenSSL 3.0, can be hidden entirely by defining
+B<OPENSSL_API_COMPAT> with a suitable version value, see
+L<openssl_user_macros(7)>:
+
+ #include <openssl/dh.h>
+
+ DH *DH_get_1024_160(void);
+ DH *DH_get_2048_224(void);
+ DH *DH_get_2048_256(void);
+
 =head1 DESCRIPTION
 
 DH_get_1024_160(), DH_get_2048_224(), and DH_get_2048_256() each return
-a DH object for the IETF RFC 5114 value.
+a DH object for the IETF RFC 5114 value. These functions are deprecated.
+Applications should instead use EVP_PKEY_CTX_set_dh_rfc5114() and
+EVP_PKEY_CTX_set_dhx_rfc5114() as described in L<EVP_PKEY_CTX_ctrl(3)> or
+by setting the B<OSSL_PKEY_PARAM_GROUP_NAME> as specified in
+L<EVP_PKEY-DH(7)/DH parameters>) to one of "dh_1024_160", "dh_2048_224" or
+"dh_2048_256".
 
 BN_get0_nist_prime_192(), BN_get0_nist_prime_224(), BN_get0_nist_prime_256(),
 BN_get0_nist_prime_384(), and BN_get0_nist_prime_521() functions return
@@ -62,9 +74,14 @@ is not NULL, the BIGNUM will be set into that location as well.
 
 Defined above.
 
+=head1 HISTORY
+
+The functions DH_get_1024_160(), DH_get_2048_224() and DH_get_2048_256() were
+deprecated in OpenSSL 3.0.
+
 =head1 COPYRIGHT
 
-Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/DSA_do_sign.pod b/doc/man3/DSA_do_sign.pod
index 08caffe13c..24d2d60b8e 100644
--- a/doc/man3/DSA_do_sign.pod
+++ b/doc/man3/DSA_do_sign.pod
@@ -8,6 +8,10 @@ DSA_do_sign, DSA_do_verify - raw DSA signature operations
 
  #include <openssl/dsa.h>
 
+Deprecated since OpenSSL 3.0, can be hidden entirely by defining
+B<OPENSSL_API_COMPAT> with a suitable version value, see
+L<openssl_user_macros(7)>:
+
  DSA_SIG *DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa);
 
  int DSA_do_verify(const unsigned char *dgst, int dgst_len,
@@ -15,6 +19,10 @@ DSA_do_sign, DSA_do_verify - raw DSA signature operations
 
 =head1 DESCRIPTION
 
+All of the functions described on this page are deprecated.
+Applications should instead use L<EVP_PKEY_sign_init(3)>, L<EVP_PKEY_sign(3)>,
+L<EVP_PKEY_verify_init(3)> and L<EVP_PKEY_verify(3)>.
+
 DSA_do_sign() computes a digital signature on the B<len> byte message
 digest B<dgst> using the private key B<dsa> and returns it in a
 newly allocated B<DSA_SIG> structure.
@@ -40,9 +48,13 @@ L<DSA_new(3)>, L<ERR_get_error(3)>, L<RAND_bytes(3)>,
 L<DSA_SIG_new(3)>,
 L<DSA_sign(3)>
 
+=head1 HISTORY
+
+All of these functions were deprecated in OpenSSL 3.0.
+
 =head1 COPYRIGHT
 
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/DSA_generate_key.pod b/doc/man3/DSA_generate_key.pod
index 079c2fef18..65cc29ddda 100644
--- a/doc/man3/DSA_generate_key.pod
+++ b/doc/man3/DSA_generate_key.pod
@@ -8,10 +8,18 @@ DSA_generate_key - generate DSA key pair
 
  #include <openssl/dsa.h>
 
+Deprecated since OpenSSL 3.0, can be hidden entirely by defining
+B<OPENSSL_API_COMPAT> with a suitable version value, see
+L<openssl_user_macros(7)>:
+
  int DSA_generate_key(DSA *a);
 
 =head1 DESCRIPTION
 
+All of the functions described on this page are deprecated.
+Applications should instead use L<EVP_PKEY_keygen_init(3)> and
+L<EVP_PKEY_keygen(3)> as described in L<EVP_PKEY-DSA(7)>.
+
 DSA_generate_key() expects B<a> to contain DSA parameters. It generates
 a new key pair and stores it in B<a-E<gt>pub_key> and B<a-E<gt>priv_key>.
 
@@ -29,9 +37,13 @@ The error codes can be obtained by L<ERR_get_error(3)>.
 L<DSA_new(3)>, L<ERR_get_error(3)>, L<RAND_bytes(3)>,
 L<DSA_generate_parameters_ex(3)>
 
+=head1 HISTORY
+
+This function was deprecated in OpenSSL 3.0.
+
 =head1 COPYRIGHT
 
-Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/DSA_generate_parameters.pod b/doc/man3/DSA_generate_parameters.pod
index 1a93841a68..74d03e4be8 100644
--- a/doc/man3/DSA_generate_parameters.pod
+++ b/doc/man3/DSA_generate_parameters.pod
@@ -8,6 +8,10 @@ DSA_generate_parameters_ex, DSA_generate_parameters - generate DSA parameters
 
  #include <openssl/dsa.h>
 
+Deprecated since OpenSSL 3.0, can be hidden entirely by defining
+B<OPENSSL_API_COMPAT> with a suitable version value, see
+L<openssl_user_macros(7)>:
+
  int DSA_generate_parameters_ex(DSA *dsa, int bits,
                                 const unsigned char *seed, int seed_len,
                                 int *counter_ret, unsigned long *h_ret,
@@ -23,6 +27,10 @@ L<openssl_user_macros(7)>:
 
 =head1 DESCRIPTION
 
+All of the functions described on this page are deprecated.
+Applications should instead use L<EVP_PKEY_paramgen_init(3)> and
+L<EVP_PKEY_keygen(3)> as described in L<EVP_PKEY-DSA(7)>.
+
 DSA_generate_parameters_ex() generates primes p and q and a generator g
 for use in the DSA and stores the result in B<dsa>.
 
@@ -111,6 +119,8 @@ L<DSA_free(3)>, L<BN_generate_prime(3)>
 
 =head1 HISTORY
 
+DSA_generate_parameters_ex() was deprecated in OpenSSL 3.0.
+
 DSA_generate_parameters() was deprecated in OpenSSL 0.9.8; use
 DSA_generate_parameters_ex() instead.
 
diff --git a/doc/man3/DSA_set_method.pod b/doc/man3/DSA_set_method.pod
index e66832fee7..0d5a0ff1c5 100644
--- a/doc/man3/DSA_set_method.pod
+++ b/doc/man3/DSA_set_method.pod
@@ -9,6 +9,10 @@ DSA_set_method, DSA_new_method, DSA_OpenSSL - select DSA method
 
  #include <openssl/dsa.h>
 
+Deprecated since OpenSSL 3.0, can be hidden entirely by defining
+B<OPENSSL_API_COMPAT> with a suitable version value, see
+L<openssl_user_macros(7)>:
+
  void DSA_set_default_method(const DSA_METHOD *meth);
 
  const DSA_METHOD *DSA_get_default_method(void);
@@ -21,6 +25,9 @@ DSA_set_method, DSA_new_method, DSA_OpenSSL - select DSA method
 
 =head1 DESCRIPTION
 
+All of the functions described on this page are deprecated.
+Applications should providers instead of method overrides.
+
 A B<DSA_METHOD> specifies the functions that OpenSSL uses for DSA
 operations. By modifying the method, alternative implementations
 such as hardware accelerators may be used. IMPORTANT: See the NOTES section for
@@ -76,9 +83,13 @@ fails. Otherwise it returns a pointer to the newly allocated structure.
 
 L<DSA_new(3)>, L<DSA_new(3)>, L<DSA_meth_new(3)>
 
+=head1 HISTORY
+
+All of these functions were deprecated in OpenSSL 3.0.
+
 =head1 COPYRIGHT
 
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/DSA_sign.pod b/doc/man3/DSA_sign.pod
index bf99eccd45..0470af5058 100644
--- a/doc/man3/DSA_sign.pod
+++ b/doc/man3/DSA_sign.pod
@@ -8,6 +8,10 @@ DSA_sign, DSA_sign_setup, DSA_verify - DSA signatures
 
  #include <openssl/dsa.h>
 
+Deprecated since OpenSSL 3.0, can be hidden entirely by defining
+B<OPENSSL_API_COMPAT> with a suitable version value, see
+L<openssl_user_macros(7)>:
+
  int DSA_sign(int type, const unsigned char *dgst, int len,
               unsigned char *sigret, unsigned int *siglen, DSA *dsa);
 
@@ -18,6 +22,10 @@ DSA_sign, DSA_sign_setup, DSA_verify - DSA signatures
 
 =head1 DESCRIPTION
 
+All of the functions described on this page are deprecated.
+Applications should instead use L<EVP_PKEY_sign_init(3)>, L<EVP_PKEY_sign(3)>,
+L<EVP_PKEY_verify_init(3)> and L<EVP_PKEY_verify(3)>.
+
 DSA_sign() computes a digital signature on the B<len> byte message
 digest B<dgst> using the private key B<dsa> and places its ASN.1 DER
 encoding at B<sigret>. The length of the signature is places in
@@ -59,6 +67,10 @@ L<DSA_new(3)>, L<ERR_get_error(3)>, L<RAND_bytes(3)>,
 L<DSA_do_sign(3)>,
 L<RAND(7)>
 
+=head1 HISTORY
+
+All of these functions were deprecated in OpenSSL 3.0.
+
 =head1 COPYRIGHT
 
 Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/doc/man3/ECPKParameters_print.pod b/doc/man3/ECPKParameters_print.pod
index a8aca9fcaf..5b2c31917f 100644
--- a/doc/man3/ECPKParameters_print.pod
+++ b/doc/man3/ECPKParameters_print.pod
@@ -9,11 +9,18 @@ encoding ASN1 representations of elliptic curve entities
 
  #include <openssl/ec.h>
 
+Deprecated since OpenSSL 3.0, can be hidden entirely by defining
+B<OPENSSL_API_COMPAT> with a suitable version value, see
+L<openssl_user_macros(7)>:
+
  int ECPKParameters_print(BIO *bp, const EC_GROUP *x, int off);
  int ECPKParameters_print_fp(FILE *fp, const EC_GROUP *x, int off);
 
 =head1 DESCRIPTION
 
+All of the functions described on this page are deprecated.
+Applications should instead use L<EVP_PKEY_print_params(3)>
+
 The ECPKParameters represent the public parameters for an
 B<EC_GROUP> structure, which represents a curve.
 
@@ -32,9 +39,13 @@ L<crypto(7)>, L<EC_GROUP_new(3)>, L<EC_GROUP_copy(3)>,
 L<EC_POINT_new(3)>, L<EC_POINT_add(3)>, L<EC_KEY_new(3)>,
 L<EC_GFp_simple_method(3)>,
 
+=head1 HISTORY
+
+All of these functions were deprecated in OpenSSL 3.0.
+
 =head1 COPYRIGHT
 
-Copyright 2013-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2013-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/EC_GROUP_new.pod b/doc/man3/EC_GROUP_new.pod
index 0937b438a3..48b6aa7843 100644
--- a/doc/man3/EC_GROUP_new.pod
+++ b/doc/man3/EC_GROUP_new.pod
@@ -45,14 +45,6 @@ objects
                         const BIGNUM *b, BN_CTX *ctx);
  int EC_GROUP_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b,
                         BN_CTX *ctx);
- int EC_GROUP_set_curve_GFp(EC_GROUP *group, const BIGNUM *p,
-                            const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
- int EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *p,
-                            BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
- int EC_GROUP_set_curve_GF2m(EC_GROUP *group, const BIGNUM *p,
-                             const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
- int EC_GROUP_get_curve_GF2m(const EC_GROUP *group, BIGNUM *p,
-                             BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
 
  ECPARAMETERS *EC_GROUP_get_ecparameters(const EC_GROUP *group,
                                          ECPARAMETERS *params);
@@ -68,6 +60,15 @@ L<openssl_user_macros(7)>:
  EC_GROUP *EC_GROUP_new(const EC_METHOD *meth);
  void EC_GROUP_clear_free(EC_GROUP *group);
 
+ int EC_GROUP_set_curve_GFp(EC_GROUP *group, const BIGNUM *p,
+                            const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
+ int EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *p,
+                            BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
+ int EC_GROUP_set_curve_GF2m(EC_GROUP *group, const BIGNUM *p,
+                             const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
+ int EC_GROUP_get_curve_GF2m(const EC_GROUP *group, BIGNUM *p,
+                             BIGNUM *a, BIGNUM *b, BN_CTX *ctx);
+
 =head1 DESCRIPTION
 
 Within the library there are two forms of elliptic curve that are of interest.
@@ -206,11 +207,17 @@ added in OpenSSL 3.0.
 EC_GROUP_clear_free() was deprecated in OpenSSL 3.0; use EC_GROUP_free()
 instead.
 
+=item *
+
+ EC_GROUP_set_curve_GFp(), EC_GROUP_get_curve_GFp(),
+ EC_GROUP_set_curve_GF2m() and EC_GROUP_get_curve_GF2m() were deprecated in
+ OpenSSL 3.0; use EC_GROUP_set_curve() and EC_GROUP_get_curve() instead.
+
 =back
 
 =head1 COPYRIGHT
 
-Copyright 2013-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2013-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/EC_KEY_new.pod b/doc/man3/EC_KEY_new.pod
index 653d255e8e..a572e490e1 100644
--- a/doc/man3/EC_KEY_new.pod
+++ b/doc/man3/EC_KEY_new.pod
@@ -20,6 +20,10 @@ EC_KEY objects
 
  #include <openssl/ec.h>
 
+Deprecated since OpenSSL 3.0, can be hidden entirely by defining
+B<OPENSSL_API_COMPAT> with a suitable version value, see
+L<openssl_user_macros(7)>:
+
  EC_KEY *EC_KEY_new_ex(OSSL_LIB_CTX *ctx, const char *propq);
  EC_KEY *EC_KEY_new(void);
  int EC_KEY_get_flags(const EC_KEY *key);
@@ -57,13 +61,13 @@ EC_KEY objects
  size_t EC_KEY_priv2oct(const EC_KEY *eckey, unsigned char *buf, size_t len);
 
  size_t EC_KEY_priv2buf(const EC_KEY *eckey, unsigned char **pbuf);
-
-Deprecated since OpenSSL 3.0:
-
  int EC_KEY_precompute_mult(EC_KEY *key, BN_CTX *ctx);
 
 =head1 DESCRIPTION
 
+All of the functions described on this page are deprecated.
+Applications should instead use L<EVP_PKEY_new(3)> and L<EVP_PKEY_free(3)>.
+
 An EC_KEY represents a public key and, optionally, the associated private
 key.
 A new EC_KEY with no associated curve can be constructed by calling
@@ -213,11 +217,11 @@ L<OSSL_LIB_CTX(3)>
 
 =head1 HISTORY
 
-EC_KEY_precompute_mult() was deprecated in OpenSSL 3.0.
+All of these functions were deprecated in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2013-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2013-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/OPENSSL_malloc.pod b/doc/man3/OPENSSL_malloc.pod
index acf457f737..678cd96438 100644
--- a/doc/man3/OPENSSL_malloc.pod
+++ b/doc/man3/OPENSSL_malloc.pod
@@ -66,7 +66,9 @@ OPENSSL_MALLOC_FD
  env OPENSSL_MALLOC_FAILURES=... <application>
  env OPENSSL_MALLOC_FD=... <application>
 
-Deprecated:
+Deprecated since OpenSSL 3.0.0, can be hidden entirely by defining
+B<OPENSSL_API_COMPAT> with a suitable version value, see
+L<openssl_user_macros(7)>:
 
  int CRYPTO_mem_leaks(BIO *b);
  int CRYPTO_mem_leaks_fp(FILE *fp);
diff --git a/doc/man3/OSSL_STORE_LOADER.pod b/doc/man3/OSSL_STORE_LOADER.pod
index 7602396ee2..1cfce445b8 100644
--- a/doc/man3/OSSL_STORE_LOADER.pod
+++ b/doc/man3/OSSL_STORE_LOADER.pod
@@ -364,10 +364,14 @@ OSSL_STORE_LOADER_names_do_all() were added in OpenSSL 3.0.
 OSSL_STORE_open_ex_fn() was added in OpenSSL 3.0.
 
 B<OSSL_STORE_LOADER>, B<OSSL_STORE_LOADER_CTX>, OSSL_STORE_LOADER_new(),
-OSSL_STORE_LOADER_set0_scheme(), OSSL_STORE_LOADER_set_open(),
-OSSL_STORE_LOADER_set_ctrl(), OSSL_STORE_LOADER_set_load(),
-OSSL_STORE_LOADER_set_eof(), OSSL_STORE_LOADER_set_close(),
-OSSL_STORE_LOADER_free(), OSSL_STORE_register_loader(),
+OSSL_STORE_LOADER_set0_scheme(), OSSL_STORE_LOADER_get0_scheme(),
+OSSL_STORE_LOADER_get0_engine(), OSSL_STORE_LOADER_set_expect(),
+OSSL_STORE_LOADER_set_find(), OSSL_STORE_LOADER_set_attach(),
+OSSL_STORE_LOADER_set_open_ex(), OSSL_STORE_LOADER_set_open(),
+OSSL_STORE_LOADER_set_ctrl(),
+OSSL_STORE_LOADER_set_load(), OSSL_STORE_LOADER_set_eof(),
+OSSL_STORE_LOADER_set_close(), OSSL_STORE_LOADER_free(),
+OSSL_STORE_register_loader(), OSSL_STORE_LOADER_set_error(),
 OSSL_STORE_unregister_loader(), OSSL_STORE_open_fn(), OSSL_STORE_ctrl_fn(),
 OSSL_STORE_load_fn(), OSSL_STORE_eof_fn() and OSSL_STORE_close_fn()
 were added in OpenSSL 1.1.1, and became deprecated in OpenSSL 3.0.
diff --git a/doc/man3/PEM_read_CMS.pod b/doc/man3/PEM_read_CMS.pod
index 58c357516e..6c24c437e5 100644
--- a/doc/man3/PEM_read_CMS.pod
+++ b/doc/man3/PEM_read_CMS.pod
@@ -55,8 +55,39 @@ PEM_write_bio_X509_PUBKEY
  int PEM_write_TYPE(FILE *fp, const TYPE *a);
  int PEM_write_bio_TYPE(BIO *bp, const TYPE *a);
 
+Deprecated since OpenSSL 3.0, can be hidden entirely by defining
+B<OPENSSL_API_COMPAT> with a suitable version value, see
+L<openssl_user_macros(7)>:
+
+ #include <openssl/pem.h>
+
+ int PEM_write_DHxparams(FILE *out, const DH *dh);
+ int PEM_write_bio_DHxparams(BIO *out, const DH *dh);
+ EC_GROUP *PEM_read_ECPKParameters(FILE *fp, EC_GROUP **x, pem_password_cb *cb, void *u);
+ EC_GROUP *PEM_read_bio_ECPKParameters(BIO *bp, EC_GROUP **x, pem_password_cb *cb, void *u);
+ int PEM_write_ECPKParameters(FILE *out, const EC_GROUP *x);
+ int PEM_write_bio_ECPKParameters(BIO *out, const EC_GROUP *x),
+
+ EC_KEY *PEM_read_EC_PUBKEY(FILE *fp, EC_KEY **x, pem_password_cb *cb, void *u);
+ EC_KEY *PEM_read_bio_EC_PUBKEY(BIO *bp, EC_KEY **x, pem_password_cb *cb, void *u);
+ int PEM_write_EC_PUBKEY(FILE *out, const EC_KEY *x);
+ int PEM_write_bio_EC_PUBKEY(BIO *out, const EC_KEY *x);
+
+ EC_KEY *PEM_read_ECPrivateKey(FILE *out, EC_KEY **x, pem_password_cb *cb, void *u);
+ EC_KEY *PEM_read_bio_ECPrivateKey(BIO *out, EC_KEY **x, pem_password_cb *cb, void *u);
+ int PEM_write_ECPrivateKey(FILE *out, const EC_KEY *x, const EVP_CIPHER *enc,
+                            const unsigned char *kstr, int klen,
+                            pem_password_cb *cb, void *u);
+ int PEM_write_bio_ECPrivateKey(BIO *out, const EC_KEY *x, const EVP_CIPHER *enc,
+                                const unsigned char *kstr, int klen,
+                                pem_password_cb *cb, void *u);
+
 =head1 DESCRIPTION
 
+All of the functions described on this page are deprecated.
+Applications should use OSSL_ENCODER_to_bio() and OSSL_ENCODER_from_bio()
+instead.
+
 In the description below, B<I<TYPE>> is used
 as a placeholder for any of the OpenSSL datatypes, such as B<X509>.
 The macro B<DECLARE_PEM_rw> expands to the set of declarations shown in
@@ -99,9 +130,20 @@ written or zero on error.
 L<PEM_read(3)>,
 L<passphrase-encoding(7)>
 
+=head1 HISTORY
+
+The functions PEM_write_DHxparams(), PEM_write_bio_DHxparams(),
+PEM_read_ECPKParameters(), PEM_read_bio_ECPKParameters(),
+PEM_write_ECPKParameters(), PEM_write_bio_ECPKParameters(),
+PEM_read_EC_PUBKEY(), PEM_read_bio_EC_PUBKEY(),
+PEM_write_EC_PUBKEY(), PEM_write_bio_EC_PUBKEY(),
+PEM_read_ECPrivateKey(), PEM_read_bio_ECPrivateKey(),
+PEM_write_ECPrivateKey() and PEM_write_bio_ECPrivateKey()
+were deprecated in OpenSSL 3.0.
+
 =head1 COPYRIGHT
 
-Copyright 1998-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 1998-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/PEM_read_bio_PrivateKey.pod b/doc/man3/PEM_read_bio_PrivateKey.pod
index 3a2439d16b..2addbb4d61 100644
--- a/doc/man3/PEM_read_bio_PrivateKey.pod
+++ b/doc/man3/PEM_read_bio_PrivateKey.pod
@@ -98,6 +98,46 @@ PEM_write_bio_PKCS7, PEM_write_PKCS7 - PEM routines
                          OSSL_LIB_CTX *libctx, const char *propq);
  int PEM_write_PUBKEY(FILE *fp, EVP_PKEY *x);
 
+ EVP_PKEY *PEM_read_bio_Parameters_ex(BIO *bp, EVP_PKEY **x,
+                                      OSSL_LIB_CTX *libctx, const char *propq);
+ EVP_PKEY *PEM_read_bio_Parameters(BIO *bp, EVP_PKEY **x);
+ int PEM_write_bio_Parameters(BIO *bp, const EVP_PKEY *x);
+
+ X509 *PEM_read_bio_X509(BIO *bp, X509 **x, pem_password_cb *cb, void *u);
+ X509 *PEM_read_X509(FILE *fp, X509 **x, pem_password_cb *cb, void *u);
+ int PEM_write_bio_X509(BIO *bp, X509 *x);
+ int PEM_write_X509(FILE *fp, X509 *x);
+
+ X509 *PEM_read_bio_X509_AUX(BIO *bp, X509 **x, pem_password_cb *cb, void *u);
+ X509 *PEM_read_X509_AUX(FILE *fp, X509 **x, pem_password_cb *cb, void *u);
+ int PEM_write_bio_X509_AUX(BIO *bp, X509 *x);
+ int PEM_write_X509_AUX(FILE *fp, X509 *x);
+
+ X509_REQ *PEM_read_bio_X509_REQ(BIO *bp, X509_REQ **x,
+                                 pem_password_cb *cb, void *u);
+ X509_REQ *PEM_read_X509_REQ(FILE *fp, X509_REQ **x,
+                             pem_password_cb *cb, void *u);
+ int PEM_write_bio_X509_REQ(BIO *bp, X509_REQ *x);
+ int PEM_write_X509_REQ(FILE *fp, X509_REQ *x);
+ int PEM_write_bio_X509_REQ_NEW(BIO *bp, X509_REQ *x);
+ int PEM_write_X509_REQ_NEW(FILE *fp, X509_REQ *x);
+
+ X509_CRL *PEM_read_bio_X509_CRL(BIO *bp, X509_CRL **x,
+                                 pem_password_cb *cb, void *u);
+ X509_CRL *PEM_read_X509_CRL(FILE *fp, X509_CRL **x,
+                             pem_password_cb *cb, void *u);
+ int PEM_write_bio_X509_CRL(BIO *bp, X509_CRL *x);
+ int PEM_write_X509_CRL(FILE *fp, X509_CRL *x);
+
+ PKCS7 *PEM_read_bio_PKCS7(BIO *bp, PKCS7 **x, pem_password_cb *cb, void *u);
+ PKCS7 *PEM_read_PKCS7(FILE *fp, PKCS7 **x, pem_password_cb *cb, void *u);
+ int PEM_write_bio_PKCS7(BIO *bp, PKCS7 *x);
+ int PEM_write_PKCS7(FILE *fp, PKCS7 *x);
+
+Deprecated since OpenSSL 3.0, can be hidden entirely by defining
+B<OPENSSL_API_COMPAT> with a suitable version value, see
+L<openssl_user_macros(7)>:
+
  RSA *PEM_read_bio_RSAPrivateKey(BIO *bp, RSA **x,
                                  pem_password_cb *cb, void *u);
  RSA *PEM_read_RSAPrivateKey(FILE *fp, RSA **x,
@@ -140,12 +180,6 @@ PEM_write_bio_PKCS7, PEM_write_PKCS7 - PEM routines
                           pem_password_cb *cb, void *u);
  int PEM_write_bio_DSA_PUBKEY(BIO *bp, DSA *x);
  int PEM_write_DSA_PUBKEY(FILE *fp, DSA *x);
-
- EVP_PKEY *PEM_read_bio_Parameters_ex(BIO *bp, EVP_PKEY **x,
-                                      OSSL_LIB_CTX *libctx, const char *propq);
- EVP_PKEY *PEM_read_bio_Parameters(BIO *bp, EVP_PKEY **x);
- int PEM_write_bio_Parameters(BIO *bp, const EVP_PKEY *x);
-
  DSA *PEM_read_bio_DSAparams(BIO *bp, DSA **x, pem_password_cb *cb, void *u);
  DSA *PEM_read_DSAparams(FILE *fp, DSA **x, pem_password_cb *cb, void *u);
  int PEM_write_bio_DSAparams(BIO *bp, DSA *x);
@@ -156,39 +190,12 @@ PEM_write_bio_PKCS7, PEM_write_PKCS7 - PEM routines
  int PEM_write_bio_DHparams(BIO *bp, DH *x);
  int PEM_write_DHparams(FILE *fp, DH *x);
 
- X509 *PEM_read_bio_X509(BIO *bp, X509 **x, pem_password_cb *cb, void *u);
- X509 *PEM_read_X509(FILE *fp, X509 **x, pem_password_cb *cb, void *u);
- int PEM_write_bio_X509(BIO *bp, X509 *x);
- int PEM_write_X509(FILE *fp, X509 *x);
-
- X509 *PEM_read_bio_X509_AUX(BIO *bp, X509 **x, pem_password_cb *cb, void *u);
- X509 *PEM_read_X509_AUX(FILE *fp, X509 **x, pem_password_cb *cb, void *u);
- int PEM_write_bio_X509_AUX(BIO *bp, X509 *x);
- int PEM_write_X509_AUX(FILE *fp, X509 *x);
-
- X509_REQ *PEM_read_bio_X509_REQ(BIO *bp, X509_REQ **x,
-                                 pem_password_cb *cb, void *u);
- X509_REQ *PEM_read_X509_REQ(FILE *fp, X509_REQ **x,
-                             pem_password_cb *cb, void *u);
- int PEM_write_bio_X509_REQ(BIO *bp, X509_REQ *x);
- int PEM_write_X509_REQ(FILE *fp, X509_REQ *x);
- int PEM_write_bio_X509_REQ_NEW(BIO *bp, X509_REQ *x);
- int PEM_write_X509_REQ_NEW(FILE *fp, X509_REQ *x);
-
- X509_CRL *PEM_read_bio_X509_CRL(BIO *bp, X509_CRL **x,
-                                 pem_password_cb *cb, void *u);
- X509_CRL *PEM_read_X509_CRL(FILE *fp, X509_CRL **x,
-                             pem_password_cb *cb, void *u);
- int PEM_write_bio_X509_CRL(BIO *bp, X509_CRL *x);
- int PEM_write_X509_CRL(FILE *fp, X509_CRL *x);
-
- PKCS7 *PEM_read_bio_PKCS7(BIO *bp, PKCS7 **x, pem_password_cb *cb, void *u);
- PKCS7 *PEM_read_PKCS7(FILE *fp, PKCS7 **x, pem_password_cb *cb, void *u);
- int PEM_write_bio_PKCS7(BIO *bp, PKCS7 *x);
- int PEM_write_PKCS7(FILE *fp, PKCS7 *x);
-
 =head1 DESCRIPTION
 
+All of the functions described on this page that have a I<TYPE> of B<DH>, B<DSA>
+and B<RSA> are deprecated. Applications should use OSSL_ENCODER_to_bio() and
+OSSL_ENCODER_from_bio() instead.
+
 The PEM functions read or write structures in PEM format. In
 this sense PEM format is simply base64 encoded data surrounded
 by header lines.
@@ -536,9 +543,25 @@ PEM_read_bio_PrivateKey_ex(), PEM_read_PrivateKey_ex(),
 PEM_read_bio_PUBKEY_ex(), PEM_read_PUBKEY_ex() and
 PEM_read_bio_Parameters_ex() were introduced in OpenSSL 3.0.
 
+The functions PEM_read_bio_RSAPrivateKey(), PEM_read_RSAPrivateKey(),
+PEM_write_bio_RSAPrivateKey(), PEM_write_RSAPrivateKey(),
+PEM_read_bio_RSAPublicKey(), PEM_read_RSAPublicKey(),
+PEM_write_bio_RSAPublicKey(), PEM_write_RSAPublicKey(),
+PEM_read_bio_RSA_PUBKEY(), PEM_read_RSA_PUBKEY(),
+PEM_write_bio_RSA_PUBKEY(), PEM_write_RSA_PUBKEY(),
+PEM_read_bio_DSAPrivateKey(), PEM_read_DSAPrivateKey(),
+PEM_write_bio_DSAPrivateKey(), PEM_write_DSAPrivateKey(),
+PEM_read_bio_DSA_PUBKEY(), PEM_read_DSA_PUBKEY(),
+PEM_write_bio_DSA_PUBKEY(), PEM_write_DSA_PUBKEY();
+PEM_read_bio_DSAparams(), PEM_read_DSAparams(),
+PEM_write_bio_DSAparams(), PEM_write_DSAparams(),
+PEM_read_bio_DHparams(), PEM_read_DHparams(),
+PEM_write_bio_DHparams() and PEM_write_DHparams() were deprecated in 3.0.
+
+
 =head1 COPYRIGHT
 
-Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/RSA_blinding_on.pod b/doc/man3/RSA_blinding_on.pod
index b74ca4074f..36124e4123 100644
--- a/doc/man3/RSA_blinding_on.pod
+++ b/doc/man3/RSA_blinding_on.pod
@@ -8,12 +8,18 @@ RSA_blinding_on, RSA_blinding_off - protect the RSA operation from timing attack
 
  #include <openssl/rsa.h>
 
+Deprecated since OpenSSL 3.0, can be hidden entirely by defining
+B<OPENSSL_API_COMPAT> with a suitable version value, see
+L<openssl_user_macros(7)>:
+
  int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
 
  void RSA_blinding_off(RSA *rsa);
 
 =head1 DESCRIPTION
 
+All of the functions described on this page are deprecated.
+
 RSA is vulnerable to timing attacks. In a setup where attackers can
 measure the time of RSA decryption or signature operations, blinding
 must be used to protect the RSA operation from that attack.
@@ -31,9 +37,13 @@ RSA_blinding_on() returns 1 on success, and 0 if an error occurred.
 
 RSA_blinding_off() returns no value.
 
+=head1 HISTORY
+
+All of these functions were deprecated in OpenSSL 3.0.
+
 =head1 COPYRIGHT
 
-Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/RSA_get0_key.pod b/doc/man3/RSA_get0_key.pod
index 29101fb8a1..bdc6f0d289 100644
--- a/doc/man3/RSA_get0_key.pod
+++ b/doc/man3/RSA_get0_key.pod
@@ -16,6 +16,10 @@ RSA_set0_multi_prime_params, RSA_get_version
 
  #include <openssl/rsa.h>
 
+Deprecated since OpenSSL 3.0, can be hidden entirely by defining
+B<OPENSSL_API_COMPAT> with a suitable version value, see
+L<openssl_user_macros(7)>:
+
  int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
  int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q);
  int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp);
@@ -48,6 +52,10 @@ RSA_set0_multi_prime_params, RSA_get_version
 
 =head1 DESCRIPTION
 
+All of the functions described on this page are deprecated.
+Applications should instead use L<EVP_PKEY_get_bn_param(3)> for any methods that
+return a B<BIGNUM>. Refer to L<EVP_PKEY-DH(7)> for more infomation.
+
 An RSA object contains the components for the public and private key,
 B<n>, B<e>, B<d>, B<p>, B<q>, B<dmp1>, B<dmq1> and B<iqmp>.  B<n> is
 the modulus common to both public and private key, B<e> is the public
@@ -172,9 +180,11 @@ and RSA_get_version() functions were added in OpenSSL 1.1.1.
 
 Other functions described here were added in OpenSSL 1.1.0.
 
+All of these functions were deprecated in OpenSSL 3.0.
+
 =head1 COPYRIGHT
 
-Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/X509_dup.pod b/doc/man3/X509_dup.pod
index 65df06c830..66668d0481 100644
--- a/doc/man3/X509_dup.pod
+++ b/doc/man3/X509_dup.pod
@@ -317,6 +317,14 @@ X509_dup,
  void TYPE_free(TYPE *a);
  int TYPE_print_ctx(BIO *out, TYPE *a, int indent, const ASN1_PCTX *pctx);
 
+Deprecated since OpenSSL 3.0, can be hidden entirely by defining
+B<OPENSSL_API_COMPAT> with a suitable version value, see
+L<openssl_user_macros(7)>:
+
+ DSA *DSAparams_dup(const DSA *dsa);
+ RSA *RSAPrivateKey_dup(const RSA *rsa);
+ RSA *RSAPublicKey_dup(const RSA *rsa);
+
 =head1 DESCRIPTION
 
 In the description below, B<I<TYPE>> is used
@@ -366,9 +374,12 @@ B<I<TYPE>_print_ctx>() returns 1 on success or zero on failure.
 The functions PKCS7_new_ex() and CMS_ContentInfo_new_ex() were
 added in OpenSSL 3.0.
 
+The functions DSAparams_dup(), RSAPrivateKey_dup() and RSAPublicKey_dup() were
+deprecated in 3.0.
+
 =head1 COPYRIGHT
 
-Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/doc/man3/d2i_RSAPrivateKey.pod b/doc/man3/d2i_RSAPrivateKey.pod
index 475c53ca1d..3e991a0c9f 100644
--- a/doc/man3/d2i_RSAPrivateKey.pod
+++ b/doc/man3/d2i_RSAPrivateKey.pod
@@ -48,6 +48,14 @@ i2d_RSA_PUBKEY_fp,
 i2d_DHparams,
 i2d_DHparams_bio,
 i2d_DHparams_fp,
+i2d_DSAPrivateKey,
+i2d_DSAPrivateKey_bio,
+i2d_DSAPrivateKey_fp,
+i2d_DSAPublicKey,
+i2d_DSA_PUBKEY,
+i2d_DSA_PUBKEY_bio,
+i2d_DSA_PUBKEY_fp,
+i2d_DSAparams,
 i2d_ECPKParameters,
 i2d_ECParameters,
 i2d_ECPrivateKey,
diff --git a/doc/man3/d2i_X509.pod b/doc/man3/d2i_X509.pod
index ca1e300879..5de84a9244 100644
--- a/doc/man3/d2i_X509.pod
+++ b/doc/man3/d2i_X509.pod
@@ -219,15 +219,7 @@ i2d_DIRECTORYSTRING,
 i2d_DISPLAYTEXT,
 i2d_DIST_POINT,
 i2d_DIST_POINT_NAME,
-i2d_DSAPrivateKey,
-i2d_DSAPrivateKey_bio,
-i2d_DSAPrivateKey_fp,
-i2d_DSAPublicKey,
-i2d_DSA_PUBKEY,
-i2d_DSA_PUBKEY_bio,
-i2d_DSA_PUBKEY_fp,
 i2d_DSA_SIG,
-i2d_DSAparams,
 i2d_ECDSA_SIG,
 i2d_EDIPARTYNAME,
 i2d_ESS_CERT_ID,
diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
index abaf6c9ce8..3a78d4863a 100644
--- a/providers/implementations/keymgmt/dh_kmgmt.c
+++ b/providers/implementations/keymgmt/dh_kmgmt.c
@@ -228,9 +228,9 @@ err:
     OSSL_PARAM_int(OSSL_PKEY_PARAM_FFC_GINDEX, NULL),                          \
     OSSL_PARAM_int(OSSL_PKEY_PARAM_FFC_PCOUNTER, NULL),                        \
     OSSL_PARAM_int(OSSL_PKEY_PARAM_FFC_H, NULL),                               \
+    OSSL_PARAM_int(OSSL_PKEY_PARAM_DH_PRIV_LEN, NULL),                         \
     OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_FFC_SEED, NULL, 0),                \
-    OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, NULL, 0),               \
-    OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_DH_PRIV_LEN, NULL, 0)
+    OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, NULL, 0)
 # define DH_IMEXPORTABLE_PUBLIC_KEY                                            \
     OSSL_PARAM_BN(OSSL_PKEY_PARAM_PUB_KEY, NULL, 0)
 # define DH_IMEXPORTABLE_PRIVATE_KEY                                           \


More information about the openssl-commits mailing list