Deprecate the low level SHA functions.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10791)

apps/speed.c

@@ -342,9 +342,11 @@ static const OPT_PAIR doit_choices[] = {
     {"md5", D_MD5},
     {"hmac", D_HMAC},
 #endif
+#ifndef OPENSSL_NO_DEPRECATED_3_0
     {"sha1", D_SHA1},
     {"sha256", D_SHA256},
     {"sha512", D_SHA512},
+#endif
 #if !defined(OPENSSL_NO_WHIRLPOOL) && !defined(OPENSSL_NO_DEPRECATED_3_0)
     {"whirlpool", D_WHIRLPOOL},
 #endif
@@ -650,6 +652,7 @@ static int HMAC_loop(void *args)
 }
 #endif
 
+#ifndef OPENSSL_NO_DEPRECATED_3_0
 static int SHA1_loop(void *args)
 {
     loopargs_t *tempargs = *(loopargs_t **) args;
@@ -682,6 +685,7 @@ static int SHA512_loop(void *args)
         SHA512(buf, lengths[testnum], sha512);
     return count;
 }
+#endif
 
 #if !defined(OPENSSL_NO_WHIRLPOOL) && !defined(OPENSSL_NO_DEPRECATED_3_0)
 static int WHIRLPOOL_loop(void *args)
@@ -2322,6 +2326,7 @@ int speed_main(int argc, char **argv)
             HMAC_CTX_free(loopargs[i].hctx);
     }
 #endif
+#ifndef OPENSSL_NO_DEPRECATED_3_0
     if (doit[D_SHA1]) {
         for (testnum = 0; testnum < size_num; testnum++) {
             print_message(names[D_SHA1], c[D_SHA1][testnum], lengths[testnum],
@@ -2352,6 +2357,7 @@ int speed_main(int argc, char **argv)
             print_result(D_SHA512, testnum, count, d);
         }
     }
+#endif
 #if !defined(OPENSSL_NO_WHIRLPOOL) && !defined(OPENSSL_NO_DEPRECATED_3_0)
     if (doit[D_WHIRLPOOL]) {
         for (testnum = 0; testnum < size_num; testnum++) {

crypto/ct/ct_log.c

@@ -76,14 +76,14 @@ static int ct_v1_log_id_from_pkey(EVP_PKEY *pkey,
     int ret = 0;
     unsigned char *pkey_der = NULL;
     int pkey_der_len = i2d_PUBKEY(pkey, &pkey_der);
+    unsigned int len;
 
     if (pkey_der_len <= 0) {
         CTerr(CT_F_CT_V1_LOG_ID_FROM_PKEY, CT_R_LOG_KEY_INVALID);
         goto err;
     }
 
-    SHA256(pkey_der, pkey_der_len, log_id);
-    ret = 1;
+    ret = EVP_Digest(pkey_der, pkey_der_len, log_id, &len, EVP_sha256(), NULL);
 err:
     OPENSSL_free(pkey_der);
     return ret;

crypto/ec/curve25519.c

@@ -9,6 +9,7 @@
 
 #include <string.h>
 #include "ec_local.h"
+#include <openssl/evp.h>
 #include <openssl/sha.h>
 
 #if defined(X25519_ASM) && (defined(__x86_64) || defined(__x86_64__) || \
@@ -5436,39 +5437,50 @@ int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
     uint8_t nonce[SHA512_DIGEST_LENGTH];
     ge_p3 R;
     uint8_t hram[SHA512_DIGEST_LENGTH];
-    SHA512_CTX hash_ctx;
+    EVP_MD *sha512 = EVP_MD_fetch(NULL, SN_sha512, NULL);
+    EVP_MD_CTX *hash_ctx = EVP_MD_CTX_new();
+    unsigned int sz;
+    int res = 0;
 
-    SHA512_Init(&hash_ctx);
-    SHA512_Update(&hash_ctx, private_key, 32);
-    SHA512_Final(az, &hash_ctx);
+    if (sha512 == NULL || hash_ctx == NULL)
+        goto err;
+
+    if (!EVP_DigestInit_ex(hash_ctx, sha512, NULL)
+        || !EVP_DigestUpdate(hash_ctx, private_key, 32)
+        || !EVP_DigestFinal_ex(hash_ctx, az, &sz))
+        goto err;
 
     az[0] &= 248;
     az[31] &= 63;
     az[31] |= 64;
 
-    SHA512_Init(&hash_ctx);
-    SHA512_Update(&hash_ctx, az + 32, 32);
-    SHA512_Update(&hash_ctx, message, message_len);
-    SHA512_Final(nonce, &hash_ctx);
+    if (!EVP_DigestInit_ex(hash_ctx, sha512, NULL)
+        || !EVP_DigestUpdate(hash_ctx, az + 32, 32)
+        || !EVP_DigestUpdate(hash_ctx, message, message_len)
+        || !EVP_DigestFinal_ex(hash_ctx, nonce, &sz))
+        goto err;
 
     x25519_sc_reduce(nonce);
     ge_scalarmult_base(&R, nonce);
     ge_p3_tobytes(out_sig, &R);
 
-    SHA512_Init(&hash_ctx);
-    SHA512_Update(&hash_ctx, out_sig, 32);
-    SHA512_Update(&hash_ctx, public_key, 32);
-    SHA512_Update(&hash_ctx, message, message_len);
-    SHA512_Final(hram, &hash_ctx);
+    if (!EVP_DigestInit_ex(hash_ctx, sha512, NULL)
+        || !EVP_DigestUpdate(hash_ctx, out_sig, 32)
+        || !EVP_DigestUpdate(hash_ctx, public_key, 32)
+        || !EVP_DigestUpdate(hash_ctx, message, message_len)
+        || !EVP_DigestFinal_ex(hash_ctx, hram, &sz))
+        goto err;
 
     x25519_sc_reduce(hram);
     sc_muladd(out_sig + 32, hram, az, nonce);
 
-    OPENSSL_cleanse(&hash_ctx, sizeof(hash_ctx));
+    res = 1;
+err:
     OPENSSL_cleanse(nonce, sizeof(nonce));
     OPENSSL_cleanse(az, sizeof(az));
-
-    return 1;
+    EVP_MD_free(sha512);
+    EVP_MD_CTX_free(hash_ctx);
+    return res;
 }
 
 static const char allzeroes[15];
@@ -5479,7 +5491,10 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
     int i;
     ge_p3 A;
     const uint8_t *r, *s;
-    SHA512_CTX hash_ctx;
+    EVP_MD *sha512;
+    EVP_MD_CTX *hash_ctx = NULL;
+    unsigned int sz;
+    int res = 0;
     ge_p2 R;
     uint8_t rcheck[32];
     uint8_t h[SHA512_DIGEST_LENGTH];
@@ -5526,11 +5541,19 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
     fe_neg(A.X, A.X);
     fe_neg(A.T, A.T);
 
-    SHA512_Init(&hash_ctx);
-    SHA512_Update(&hash_ctx, r, 32);
-    SHA512_Update(&hash_ctx, public_key, 32);
-    SHA512_Update(&hash_ctx, message, message_len);
-    SHA512_Final(h, &hash_ctx);
+    sha512 = EVP_MD_fetch(NULL, SN_sha512, NULL);
+    if (sha512 == NULL)
+        return 0;
+    hash_ctx = EVP_MD_CTX_new();
+    if (hash_ctx == NULL)
+        goto err;
+
+    if (!EVP_DigestInit_ex(hash_ctx, sha512, NULL)
+        || !EVP_DigestUpdate(hash_ctx, r, 32)
+        || !EVP_DigestUpdate(hash_ctx, public_key, 32)
+        || !EVP_DigestUpdate(hash_ctx, message, message_len)
+        || !EVP_DigestFinal_ex(hash_ctx, h, &sz))
+        goto err;
 
     x25519_sc_reduce(h);
 
@@ -5538,7 +5561,11 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
 
     ge_tobytes(rcheck, &R);
 
-    return CRYPTO_memcmp(rcheck, r, sizeof(rcheck)) == 0;
+    res = CRYPTO_memcmp(rcheck, r, sizeof(rcheck)) == 0;
+err:
+    EVP_MD_free(sha512);
+    EVP_MD_CTX_free(hash_ctx);
+    return res;
 }
 
 void ED25519_public_from_private(uint8_t out_public_key[32],

crypto/ec/ecx_meth.c

@@ -1156,6 +1156,7 @@ static int s390x_pkey_ecd_keygen25519(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
     unsigned char x_dst[32], buff[SHA512_DIGEST_LENGTH];
     ECX_KEY *key;
     unsigned char *privkey = NULL, *pubkey;
+    unsigned int sz;
 
     key = OPENSSL_zalloc(sizeof(*key));
     if (key == NULL) {
@@ -1174,7 +1175,9 @@ static int s390x_pkey_ecd_keygen25519(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
     if (RAND_priv_bytes(privkey, ED25519_KEYLEN) <= 0)
         goto err;
 
-    SHA512(privkey, 32, buff);
+    if (!EVP_Digest(privkey, 32, buff, &sz, EVP_sha512(), NULL))
+        goto err;
+
     buff[0] &= 248;
     buff[31] &= 63;
     buff[31] |= 64;

crypto/engine/eng_openssl.c

@@ -9,8 +9,8 @@
  */
 
 /*
- * RC4 low level APIs are deprecated for public use, but still ok for internal
- * use.
+ * RC4 and SHA-1 low level APIs are deprecated for public use, but still ok
+ * for internal use.
  */
 #include "internal/deprecated.h"
 

crypto/evp/legacy_md5_sha1.c

@@ -7,6 +7,13 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * SHA-1 low level APIs are deprecated for public use, but still ok for
+ * internal use.  The prov/md5_sha1.h include requires this, but this must
+ * be the first include loaded.
+ */
+#include "internal/deprecated.h"
+
 #include "crypto/evp.h"
 #include "prov/md5_sha1.h"   /* diverse MD5_SHA1 macros */
 #include "legacy_meth.h"

crypto/evp/legacy_sha.c

@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * All SHA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <openssl/sha.h>         /* diverse SHA macros */
 #include "internal/sha3.h"       /* KECCAK1600_WIDTH */
 #include "crypto/evp.h"

crypto/md5/md5_sha1.c

@@ -6,6 +6,13 @@
  * in the file LICENSE in the source distribution or at
  * https://www.openssl.org/source/license.html
  */
+
+/*
+ * SHA-1 low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <string.h>
 #include "prov/md5_sha1.h"
 #include <openssl/evp.h>

crypto/sha/sha1_one.c

@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * SHA-1 low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <stdio.h>
 #include <string.h>
 #include <openssl/crypto.h>

crypto/sha/sha1dgst.c

@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * SHA-1 low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <openssl/crypto.h>
 #include <openssl/opensslconf.h>
 

crypto/sha/sha256.c

@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * SHA256 low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <openssl/opensslconf.h>
 
 #include <stdlib.h>

crypto/sha/sha512.c

@@ -7,6 +7,13 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * SHA512 low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
+#include <stdio.h>
 #include <openssl/opensslconf.h>
 /*-
  * IMPLEMENTATION NOTES.

doc/man3/SHA256_Init.pod

@@ -11,6 +11,10 @@ SHA512_Final - Secure Hash Algorithm
 
  #include <openssl/sha.h>
 
+Deprecated since OpenSSL 3.0, can be hidden entirely by defining
+B<OPENSSL_API_COMPAT> with a suitable version value, see
+L<openssl_user_macros(7)>:
+
  int SHA1_Init(SHA_CTX *c);
  int SHA1_Update(SHA_CTX *c, const void *data, size_t len);
  int SHA1_Final(unsigned char *md, SHA_CTX *c);
@@ -43,9 +47,9 @@ SHA512_Final - Secure Hash Algorithm
 
 =head1 DESCRIPTION
 
-Applications should use the higher level functions
-L<EVP_DigestInit(3)> etc. instead of calling the hash
-functions directly.
+All of the functions described on this page are deprecated.
+Applications should instead use L<EVP_DigestInit_ex(3)>, L<EVP_DigestUpdate(3)>
+and L<EVP_DigestFinal_ex(3)>.
 
 SHA-1 (Secure Hash Algorithm) is a cryptographic hash function with a
 160 bit output.
@@ -96,6 +100,10 @@ ANSI X9.30
 
 L<EVP_DigestInit(3)>
 
+=head1 HISTORY
+
+All of these functions were deprecated in OpenSSL 3.0.
+
 =head1 COPYRIGHT
 
 Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.

engines/e_dasync.c

@@ -7,6 +7,14 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * SHA-1 low level APIs are deprecated for public use, but still ok for
+ * internal use.  Note, that due to symbols not being exported, only the
+ * #defines and strucures can be accessed, in this case SHA_CBLOCK and
+ * sizeof(SHA_CTX).
+ */
+#include "internal/deprecated.h"
+
 #if defined(_WIN32)
 # include <windows.h>
 #endif
@@ -492,13 +500,11 @@ static void dummy_pause_job(void) {
  * SHA1 implementation. At the moment we just defer to the standard
  * implementation
  */
-#undef data
-#define data(ctx) ((SHA_CTX *)EVP_MD_CTX_md_data(ctx))
 static int dasync_sha1_init(EVP_MD_CTX *ctx)
 {
     dummy_pause_job();
 
-    return SHA1_Init(data(ctx));
+    return EVP_MD_meth_get_init(EVP_sha1())(ctx);
 }
 
 static int dasync_sha1_update(EVP_MD_CTX *ctx, const void *data,
@@ -506,14 +512,14 @@ static int dasync_sha1_update(EVP_MD_CTX *ctx, const void *data,
 {
     dummy_pause_job();
 
-    return SHA1_Update(data(ctx), data, (size_t)count);
+    return EVP_MD_meth_get_update(EVP_sha1())(ctx, data, count);
 }
 
 static int dasync_sha1_final(EVP_MD_CTX *ctx, unsigned char *md)
 {
     dummy_pause_job();
 
-    return SHA1_Final(md, data(ctx));
+    return EVP_MD_meth_get_final(EVP_sha1())(ctx, md);
 }
 
 /*

engines/e_ossltest.c

@@ -13,6 +13,15 @@
  * used for any purpose except testing
  */
 
+/*
+ * SHA low level APIs are deprecated for public use, but still ok for
+ * internal use.  Note, that due to symbols not being exported, only the
+ * #defines and type definitions can be accessed, function calls are not
+ * available.  The digest lengths, block sizes and sizeof(CTX) are used herein
+ * for several different digests.
+ */
+#include "internal/deprecated.h"
+
 #include <stdio.h>
 #include <string.h>
 
@@ -134,10 +143,13 @@ static const EVP_MD *digest_sha256(void)
 
 /* SHA384/SHA512 */
 static int digest_sha384_init(EVP_MD_CTX *ctx);
+static int digest_sha384_update(EVP_MD_CTX *ctx, const void *data,
+                                size_t count);
+static int digest_sha384_final(EVP_MD_CTX *ctx, unsigned char *md);
+
 static int digest_sha512_init(EVP_MD_CTX *ctx);
 static int digest_sha512_update(EVP_MD_CTX *ctx, const void *data,
                                 size_t count);
-static int digest_sha384_final(EVP_MD_CTX *ctx, unsigned char *md);
 static int digest_sha512_final(EVP_MD_CTX *ctx, unsigned char *md);
 
 static EVP_MD *_hidden_sha384_md = NULL;
@@ -153,7 +165,7 @@ static const EVP_MD *digest_sha384(void)
                                              sizeof(EVP_MD *) + sizeof(SHA512_CTX))
             || !EVP_MD_meth_set_flags(md, EVP_MD_FLAG_DIGALGID_ABSENT)
             || !EVP_MD_meth_set_init(md, digest_sha384_init)
-            || !EVP_MD_meth_set_update(md, digest_sha512_update)
+            || !EVP_MD_meth_set_update(md, digest_sha384_update)
             || !EVP_MD_meth_set_final(md, digest_sha384_final)) {
             EVP_MD_meth_free(md);
             md = NULL;
@@ -454,23 +466,20 @@ static void fill_known_data(unsigned char *md, unsigned int len)
  * value, so that all "MD5" digests using the test engine always end up with
  * the same value.
  */
-#undef data
-#define data(ctx) ((MD5_CTX *)EVP_MD_CTX_md_data(ctx))
 static int digest_md5_init(EVP_MD_CTX *ctx)
 {
-    return MD5_Init(data(ctx));
+   return EVP_MD_meth_get_init(EVP_md5())(ctx);
 }
 
 static int digest_md5_update(EVP_MD_CTX *ctx, const void *data,
                              size_t count)
 {
-    return MD5_Update(data(ctx), data, (size_t)count);
+    return EVP_MD_meth_get_update(EVP_md5())(ctx, data, count);
 }
 
 static int digest_md5_final(EVP_MD_CTX *ctx, unsigned char *md)
 {
-    int ret;
-    ret = MD5_Final(md, data(ctx));
+    int ret = EVP_MD_meth_get_final(EVP_md5())(ctx, md);
 
     if (ret > 0) {
         fill_known_data(md, MD5_DIGEST_LENGTH);
@@ -481,23 +490,20 @@ static int digest_md5_final(EVP_MD_CTX *ctx, unsigned char *md)
 /*
  * SHA1 implementation.
  */
-#undef data
-#define data(ctx) ((SHA_CTX *)EVP_MD_CTX_md_data(ctx))
 static int digest_sha1_init(EVP_MD_CTX *ctx)
 {
-    return SHA1_Init(data(ctx));
+    return EVP_MD_meth_get_init(EVP_sha1())(ctx);
 }
 
 static int digest_sha1_update(EVP_MD_CTX *ctx, const void *data,
                               size_t count)
 {
-    return SHA1_Update(data(ctx), data, (size_t)count);
+    return EVP_MD_meth_get_update(EVP_sha1())(ctx, data, count);
 }
 
 static int digest_sha1_final(EVP_MD_CTX *ctx, unsigned char *md)
 {
-    int ret;
-    ret = SHA1_Final(md, data(ctx));
+    int ret = EVP_MD_meth_get_final(EVP_sha1())(ctx, md);
 
     if (ret > 0) {
         fill_known_data(md, SHA_DIGEST_LENGTH);
@@ -508,23 +514,20 @@ static int digest_sha1_final(EVP_MD_CTX *ctx, unsigned char *md)
 /*
  * SHA256 implementation.
  */
-#undef data
-#define data(ctx) ((SHA256_CTX *)EVP_MD_CTX_md_data(ctx))
 static int digest_sha256_init(EVP_MD_CTX *ctx)
 {
-    return SHA256_Init(data(ctx));
+    return EVP_MD_meth_get_init(EVP_sha256())(ctx);
 }
 
 static int digest_sha256_update(EVP_MD_CTX *ctx, const void *data,
                                 size_t count)
 {
-    return SHA256_Update(data(ctx), data, (size_t)count);
+    return EVP_MD_meth_get_update(EVP_sha256())(ctx, data, count);
 }
 
 static int digest_sha256_final(EVP_MD_CTX *ctx, unsigned char *md)
 {
-    int ret;
-    ret = SHA256_Final(md, data(ctx));
+    int ret = EVP_MD_meth_get_final(EVP_sha256())(ctx, md);
 
     if (ret > 0) {
         fill_known_data(md, SHA256_DIGEST_LENGTH);
@@ -533,31 +536,22 @@ static int digest_sha256_final(EVP_MD_CTX *ctx, unsigned char *md)
 }
 
 /*
- * SHA384/512 implementation.
+ * SHA384 implementation.
  */
-#undef data
-#define data(ctx) ((SHA512_CTX *)EVP_MD_CTX_md_data(ctx))
 static int digest_sha384_init(EVP_MD_CTX *ctx)
 {
-    return SHA384_Init(data(ctx));
-}
-
-static int digest_sha512_init(EVP_MD_CTX *ctx)
-{
-    return SHA512_Init(data(ctx));
+    return EVP_MD_meth_get_init(EVP_sha384())(ctx);
 }
 
-static int digest_sha512_update(EVP_MD_CTX *ctx, const void *data,
+static int digest_sha384_update(EVP_MD_CTX *ctx, const void *data,
                                 size_t count)
 {
-    return SHA512_Update(data(ctx), data, (size_t)count);
+    return EVP_MD_meth_get_update(EVP_sha384())(ctx, data, count);
 }
 
 static int digest_sha384_final(EVP_MD_CTX *ctx, unsigned char *md)
 {
-    int ret;
-    /* Actually uses SHA512_Final! */
-    ret = SHA512_Final(md, data(ctx));
+    int ret = EVP_MD_meth_get_final(EVP_sha384())(ctx, md);
 
     if (ret > 0) {
         fill_known_data(md, SHA384_DIGEST_LENGTH);
@@ -565,10 +559,23 @@ static int digest_sha384_final(EVP_MD_CTX *ctx, unsigned char *md)
     return ret;
 }
 
+/*
+ * SHA512 implementation.
+ */
+static int digest_sha512_init(EVP_MD_CTX *ctx)
+{
+    return EVP_MD_meth_get_init(EVP_sha512())(ctx);
+}
+
+static int digest_sha512_update(EVP_MD_CTX *ctx, const void *data,
+                                size_t count)
+{
+    return EVP_MD_meth_get_update(EVP_sha512())(ctx, data, count);
+}
+
 static int digest_sha512_final(EVP_MD_CTX *ctx, unsigned char *md)
 {
-    int ret;
-    ret = SHA512_Final(md, data(ctx));
+    int ret = EVP_MD_meth_get_final(EVP_sha512())(ctx, md);
 
     if (ret > 0) {
         fill_known_data(md, SHA512_DIGEST_LENGTH);

include/openssl/sha.h

@@ -23,19 +23,21 @@
 extern "C" {
 # endif
 
+# define SHA_DIGEST_LENGTH 20
+
+# ifndef OPENSSL_NO_DEPRECATED_3_0
 /*-
  * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  * ! SHA_LONG has to be at least 32 bits wide.                    !
  * !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  */
-# define SHA_LONG unsigned int
+#  define SHA_LONG unsigned int
 
-# define SHA_LBLOCK      16
-# define SHA_CBLOCK      (SHA_LBLOCK*4)/* SHA treats input data as a
-                                        * contiguous array of 32 bit wide
-                                        * big-endian values. */
-# define SHA_LAST_BLOCK  (SHA_CBLOCK-8)
-# define SHA_DIGEST_LENGTH 20
+#  define SHA_LBLOCK      16
+#  define SHA_CBLOCK      (SHA_LBLOCK*4)/* SHA treats input data as a
+                                         * contiguous array of 32 bit wide
+                                         * big-endian values. */
+#  define SHA_LAST_BLOCK  (SHA_CBLOCK-8)
 
 typedef struct SHAstate_st {
     SHA_LONG h0, h1, h2, h3, h4;
@@ -43,14 +45,17 @@ typedef struct SHAstate_st {
     SHA_LONG data[SHA_LBLOCK];
     unsigned int num;
 } SHA_CTX;
+# endif /* !defined(OPENSSL_NO_DEPRECATED_3_0) */
 
-int SHA1_Init(SHA_CTX *c);
-int SHA1_Update(SHA_CTX *c, const void *data, size_t len);
-int SHA1_Final(unsigned char *md, SHA_CTX *c);
-unsigned char *SHA1(const unsigned char *d, size_t n, unsigned char *md);
-void SHA1_Transform(SHA_CTX *c, const unsigned char *data);
+DEPRECATEDIN_3_0(int SHA1_Init(SHA_CTX *c))
+DEPRECATEDIN_3_0(int SHA1_Update(SHA_CTX *c, const void *data, size_t len))
+DEPRECATEDIN_3_0(int SHA1_Final(unsigned char *md, SHA_CTX *c))
+DEPRECATEDIN_3_0(unsigned char *SHA1(const unsigned char *d, size_t n,
+                 unsigned char *md))
+DEPRECATEDIN_3_0(void SHA1_Transform(SHA_CTX *c, const unsigned char *data))
 
-# define SHA256_CBLOCK   (SHA_LBLOCK*4)/* SHA-256 treats input data as a
+# ifndef OPENSSL_NO_DEPRECATED_3_0
+#  define SHA256_CBLOCK   (SHA_LBLOCK*4)/* SHA-256 treats input data as a
                                         * contiguous array of 32 bit wide
                                         * big-endian values. */
 
@@ -60,22 +65,27 @@ typedef struct SHA256state_st {
     SHA_LONG data[SHA_LBLOCK];
     unsigned int num, md_len;
 } SHA256_CTX;
-
-int SHA224_Init(SHA256_CTX *c);
-int SHA224_Update(SHA256_CTX *c, const void *data, size_t len);
-int SHA224_Final(unsigned char *md, SHA256_CTX *c);
-unsigned char *SHA224(const unsigned char *d, size_t n, unsigned char *md);
-int SHA256_Init(SHA256_CTX *c);
-int SHA256_Update(SHA256_CTX *c, const void *data, size_t len);
-int SHA256_Final(unsigned char *md, SHA256_CTX *c);
-unsigned char *SHA256(const unsigned char *d, size_t n, unsigned char *md);
-void SHA256_Transform(SHA256_CTX *c, const unsigned char *data);
+# endif /* !defined(OPENSSL_NO_DEPRECATED_3_0) */
+
+DEPRECATEDIN_3_0(int SHA224_Init(SHA256_CTX *c))
+DEPRECATEDIN_3_0(int SHA224_Update(SHA256_CTX *c, const void *data, size_t len))
+DEPRECATEDIN_3_0(int SHA224_Final(unsigned char *md, SHA256_CTX *c))
+DEPRECATEDIN_3_0(unsigned char *SHA224(const unsigned char *d, size_t n,
+                                       unsigned char *md))
+DEPRECATEDIN_3_0(int SHA256_Init(SHA256_CTX *c))
+DEPRECATEDIN_3_0(int SHA256_Update(SHA256_CTX *c, const void *data, size_t len))
+DEPRECATEDIN_3_0(int SHA256_Final(unsigned char *md, SHA256_CTX *c))
+DEPRECATEDIN_3_0(unsigned char *SHA256(const unsigned char *d, size_t n,
+                                       unsigned char *md))
+DEPRECATEDIN_3_0(void SHA256_Transform(SHA256_CTX *c,
+                                       const unsigned char *data))
 
 # define SHA224_DIGEST_LENGTH    28
 # define SHA256_DIGEST_LENGTH    32
 # define SHA384_DIGEST_LENGTH    48
 # define SHA512_DIGEST_LENGTH    64
 
+# ifndef OPENSSL_NO_DEPRECATED_3_0
 /*
  * Unlike 32-bit digest algorithms, SHA-512 *relies* on SHA_LONG64
  * being exactly 64-bit wide. See Implementation Notes in sha512.c
@@ -86,14 +96,14 @@ void SHA256_Transform(SHA256_CTX *c, const unsigned char *data);
  * contiguous array of 64 bit
  * wide big-endian values.
  */
-# define SHA512_CBLOCK   (SHA_LBLOCK*8)
-# if (defined(_WIN32) || defined(_WIN64)) && !defined(__MINGW32__)
-#  define SHA_LONG64 unsigned __int64
-# elif defined(__arch64__)
-#  define SHA_LONG64 unsigned long
-# else
-#  define SHA_LONG64 unsigned long long
-# endif
+#  define SHA512_CBLOCK   (SHA_LBLOCK*8)
+#  if (defined(_WIN32) || defined(_WIN64)) && !defined(__MINGW32__)
+#   define SHA_LONG64 unsigned __int64
+#  elif defined(__arch64__)
+#   define SHA_LONG64 unsigned long
+#  else
+#   define SHA_LONG64 unsigned long long
+#  endif
 
 typedef struct SHA512state_st {
     SHA_LONG64 h[8];
@@ -104,16 +114,20 @@ typedef struct SHA512state_st {
     } u;
     unsigned int num, md_len;
 } SHA512_CTX;
-
-int SHA384_Init(SHA512_CTX *c);
-int SHA384_Update(SHA512_CTX *c, const void *data, size_t len);
-int SHA384_Final(unsigned char *md, SHA512_CTX *c);
-unsigned char *SHA384(const unsigned char *d, size_t n, unsigned char *md);
-int SHA512_Init(SHA512_CTX *c);
-int SHA512_Update(SHA512_CTX *c, const void *data, size_t len);
-int SHA512_Final(unsigned char *md, SHA512_CTX *c);
-unsigned char *SHA512(const unsigned char *d, size_t n, unsigned char *md);
-void SHA512_Transform(SHA512_CTX *c, const unsigned char *data);
+# endif /* !defined(OPENSSL_NO_DEPRECATED_3_0) */
+
+DEPRECATEDIN_3_0(int SHA384_Init(SHA512_CTX *c))
+DEPRECATEDIN_3_0(int SHA384_Update(SHA512_CTX *c, const void *data, size_t len))
+DEPRECATEDIN_3_0(int SHA384_Final(unsigned char *md, SHA512_CTX *c))
+DEPRECATEDIN_3_0(unsigned char *SHA384(const unsigned char *d, size_t n,
+                                       unsigned char *md))
+DEPRECATEDIN_3_0(int SHA512_Init(SHA512_CTX *c))
+DEPRECATEDIN_3_0(int SHA512_Update(SHA512_CTX *c, const void *data, size_t len))
+DEPRECATEDIN_3_0(int SHA512_Final(unsigned char *md, SHA512_CTX *c))
+DEPRECATEDIN_3_0(unsigned char *SHA512(const unsigned char *d, size_t n,
+                                       unsigned char *md))
+DEPRECATEDIN_3_0(void SHA512_Transform(SHA512_CTX *c,
+                                       const unsigned char *data))
 
 # ifdef  __cplusplus
 }

providers/implementations/ciphers/cipher_aes_cbc_hmac_sha1_hw.c

@@ -8,7 +8,7 @@
  */
 
 /*
- * AES low level APIs are deprecated for public use, but still ok for internal
+ * All low level APIs are deprecated for public use, but still ok for internal
  * use where we're using them to implement the higher level EVP interface, as is
  * the case here.
  */

providers/implementations/ciphers/cipher_aes_cbc_hmac_sha256_hw.c

@@ -8,7 +8,7 @@
  */
 
 /*
- * AES low level APIs are deprecated for public use, but still ok for internal
+ * All low level APIs are deprecated for public use, but still ok for internal
  * use where we're using them to implement the higher level EVP interface, as is
  * the case here.
  */

providers/implementations/ciphers/cipher_tdes_wrap.c

@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * SHA-1 low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <openssl/sha.h>
 #include "cipher_tdes_default.h"
 #include "crypto/evp.h"

providers/implementations/digests/md5_sha1_prov.c

@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * SHA-1 low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <string.h>
 #include <openssl/crypto.h>
 #include <openssl/evp.h>

providers/implementations/digests/sha2_prov.c

@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * SHA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <openssl/crypto.h>
 #include <openssl/core_numbers.h>
 #include <openssl/evp.h>

ssl/s3_cbc.c

@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * SHA-1 low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include "internal/constant_time.h"
 #include "ssl_local.h"
 #include "internal/cryptlib.h"

test/build.info

@@ -34,7 +34,6 @@ IF[{- !$disabled{tests} -}]
           sanitytest rsa_complex exdatatest bntest \
           ectest ecstresstest ecdsatest gmdifftest pbelutest ideatest \
           hmactest \
-          rc2test rc4test rc5test \
           destest mdc2test \
           dhtest enginetest \
           ssltest_old dsatest dsa_no_digest_size_test exptest rsa_test \
@@ -508,6 +507,7 @@ IF[{- !$disabled{tests} -}]
                      tls13encryptiontest wpackettest ctype_internal_test \
                      rdrand_sanitytest property_test \
                      rsa_sp800_56b_test bn_internal_test \
+                     rc2test rc4test rc5test \
                      asn1_dsa_internal_test
 
     IF[{- !$disabled{poly1305} -}]
@@ -601,6 +601,10 @@ IF[{- !$disabled{tests} -}]
     INCLUDE[curve448_internal_test]=.. ../include ../apps/include ../crypto/ec/curve448
     DEPEND[curve448_internal_test]=../libcrypto.a libtestutil.a
 
+    SOURCE[rc4test]=rc4test.c
+    INCLUDE[rc4test]=../include ../apps/include
+    DEPEND[rc4test]=../libcrypto.a libtestutil.a
+
     SOURCE[rdrand_sanitytest]=rdrand_sanitytest.c
     INCLUDE[rdrand_sanitytest]=../include ../apps/include
     DEPEND[rdrand_sanitytest]=../libcrypto.a libtestutil.a

test/evp_fetch_prov_test.c

@@ -7,6 +7,13 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * SHA256 low level APIs are deprecated for public use, but still ok for
+ * internal use.  Note, that due to symbols not being exported, only the
+ * #defines can be accessed.  In this case SHA256_CBLOCK.
+ */
+#include "internal/deprecated.h"
+
 #include <string.h>
 #include <openssl/sha.h>
 #include <openssl/evp.h>

test/rc4test.c

@@ -8,8 +8,8 @@
  */
 
 /*
- * RC4 low level APIs are deprecated for public use, but still ok for internal
- * use.
+ * RC4 and SHA-1 low level APIs are deprecated for public use, but still ok for
+ * internal use.
  */
 #include "internal/deprecated.h"
 

util/libcrypto.num

@@ -1145,7 +1145,7 @@ BN_security_bits                        1171	3_0_0	EXIST::FUNCTION:
 X509_PURPOSE_get0_name                  1172	3_0_0	EXIST::FUNCTION:
 TS_TST_INFO_get_serial                  1173	3_0_0	EXIST::FUNCTION:TS
 ASN1_PCTX_get_str_flags                 1174	3_0_0	EXIST::FUNCTION:
-SHA256                                  1175	3_0_0	EXIST::FUNCTION:
+SHA256                                  1175	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 X509_LOOKUP_hash_dir                    1176	3_0_0	EXIST::FUNCTION:
 ASN1_BIT_STRING_check                   1177	3_0_0	EXIST::FUNCTION:
 ENGINE_set_default_RAND                 1178	3_0_0	EXIST::FUNCTION:ENGINE
@@ -1376,7 +1376,7 @@ EVP_MD_meth_get_cleanup                 1408	3_0_0	EXIST::FUNCTION:
 SRP_Calc_server_key                     1409	3_0_0	EXIST::FUNCTION:SRP
 BN_mod_exp_simple                       1410	3_0_0	EXIST::FUNCTION:
 BIO_set_ex_data                         1411	3_0_0	EXIST::FUNCTION:
-SHA512                                  1412	3_0_0	EXIST::FUNCTION:
+SHA512                                  1412	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 X509_STORE_CTX_get_explicit_policy      1413	3_0_0	EXIST::FUNCTION:
 EVP_DecodeBlock                         1414	3_0_0	EXIST::FUNCTION:
 OCSP_REQ_CTX_http                       1415	3_0_0	EXIST::FUNCTION:OCSP
@@ -1441,7 +1441,7 @@ X509V3_section_free                     1474	3_0_0	EXIST::FUNCTION:
 CRYPTO_mem_debug_free                   1475	3_0_0	EXIST::FUNCTION:CRYPTO_MDEBUG,DEPRECATEDIN_3_0
 d2i_OCSP_REQUEST                        1476	3_0_0	EXIST::FUNCTION:OCSP
 ENGINE_get_cipher_engine                1477	3_0_0	EXIST::FUNCTION:ENGINE
-SHA384_Final                            1478	3_0_0	EXIST::FUNCTION:
+SHA384_Final                            1478	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 TS_RESP_CTX_set_certs                   1479	3_0_0	EXIST::FUNCTION:TS
 BN_MONT_CTX_free                        1480	3_0_0	EXIST::FUNCTION:
 BN_GF2m_mod_solve_quad_arr              1481	3_0_0	EXIST::FUNCTION:EC2M
@@ -1467,7 +1467,7 @@ ASYNC_get_wait_ctx                      1500	3_0_0	EXIST::FUNCTION:
 ENGINE_set_load_privkey_function        1501	3_0_0	EXIST::FUNCTION:ENGINE
 CRYPTO_ccm128_setiv                     1502	3_0_0	EXIST::FUNCTION:
 PKCS7_dataFinal                         1503	3_0_0	EXIST::FUNCTION:
-SHA1_Final                              1504	3_0_0	EXIST::FUNCTION:
+SHA1_Final                              1504	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 i2a_ASN1_STRING                         1505	3_0_0	EXIST::FUNCTION:
 EVP_CIPHER_CTX_rand_key                 1506	3_0_0	EXIST::FUNCTION:
 AES_set_encrypt_key                     1507	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
@@ -1893,7 +1893,7 @@ PKCS5_PBE_keyivgen                      1938	3_0_0	EXIST::FUNCTION:
 i2d_OCSP_SERVICELOC                     1939	3_0_0	EXIST::FUNCTION:OCSP
 EC_POINT_copy                           1940	3_0_0	EXIST::FUNCTION:EC
 X509V3_EXT_CRL_add_nconf                1941	3_0_0	EXIST::FUNCTION:
-SHA256_Init                             1942	3_0_0	EXIST::FUNCTION:
+SHA256_Init                             1942	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 X509_NAME_ENTRY_get_object              1943	3_0_0	EXIST::FUNCTION:
 ASN1_ENUMERATED_free                    1944	3_0_0	EXIST::FUNCTION:
 X509_CRL_set_meth_data                  1945	3_0_0	EXIST::FUNCTION:
@@ -1914,7 +1914,7 @@ EVP_PKEY_add1_attr                      1959	3_0_0	EXIST::FUNCTION:
 X509_STORE_CTX_purpose_inherit          1960	3_0_0	EXIST::FUNCTION:
 EVP_PKEY_meth_get_keygen                1961	3_0_0	EXIST::FUNCTION:
 ENGINE_get_pkey_asn1_meth               1962	3_0_0	EXIST::FUNCTION:ENGINE
-SHA256_Update                           1963	3_0_0	EXIST::FUNCTION:
+SHA256_Update                           1963	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 d2i_PKCS7_ISSUER_AND_SERIAL             1964	3_0_0	EXIST::FUNCTION:
 PKCS12_unpack_authsafes                 1965	3_0_0	EXIST::FUNCTION:
 X509_CRL_it                             1966	3_0_0	EXIST::FUNCTION:
@@ -2073,7 +2073,7 @@ BIO_s_file                              2118	3_0_0	EXIST::FUNCTION:
 RSA_X931_derive_ex                      2119	3_0_0	EXIST::FUNCTION:RSA
 EVP_PKEY_decrypt_init                   2120	3_0_0	EXIST::FUNCTION:
 ENGINE_get_destroy_function             2121	3_0_0	EXIST::FUNCTION:ENGINE
-SHA224_Init                             2122	3_0_0	EXIST::FUNCTION:
+SHA224_Init                             2122	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 X509V3_EXT_add_conf                     2123	3_0_0	EXIST::FUNCTION:
 ASN1_object_size                        2124	3_0_0	EXIST::FUNCTION:
 X509_REVOKED_free                       2125	3_0_0	EXIST::FUNCTION:
@@ -2191,7 +2191,7 @@ PEM_write_bio_PKCS8_PRIV_KEY_INFO       2238	3_0_0	EXIST::FUNCTION:
 EC_GROUP_set_curve_GF2m                 2239	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,EC,EC2M
 ENGINE_load_builtin_engines             2240	3_0_0	EXIST::FUNCTION:ENGINE
 SRP_VBASE_init                          2241	3_0_0	EXIST::FUNCTION:SRP
-SHA224_Final                            2242	3_0_0	EXIST::FUNCTION:
+SHA224_Final                            2242	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 OCSP_CERTSTATUS_free                    2243	3_0_0	EXIST::FUNCTION:OCSP
 d2i_TS_TST_INFO                         2244	3_0_0	EXIST::FUNCTION:TS
 IPAddressOrRange_it                     2245	3_0_0	EXIST::FUNCTION:RFC3779
@@ -2201,7 +2201,7 @@ TS_OBJ_print_bio                        2248	3_0_0	EXIST::FUNCTION:TS
 X509_time_adj_ex                        2249	3_0_0	EXIST::FUNCTION:
 OCSP_request_add1_cert                  2250	3_0_0	EXIST::FUNCTION:OCSP
 ERR_load_X509_strings                   2251	3_0_0	EXIST::FUNCTION:
-SHA1_Transform                          2252	3_0_0	EXIST::FUNCTION:
+SHA1_Transform                          2252	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 CMS_signed_get_attr_by_NID              2253	3_0_0	EXIST::FUNCTION:CMS
 X509_STORE_CTX_get_by_subject           2254	3_0_0	EXIST::FUNCTION:
 ASN1_OCTET_STRING_it                    2255	3_0_0	EXIST::FUNCTION:
@@ -2461,7 +2461,7 @@ BN_generate_dsa_nonce                   2512	3_0_0	EXIST::FUNCTION:
 X509_verify_cert                        2513	3_0_0	EXIST::FUNCTION:
 X509_policy_level_get0_node             2514	3_0_0	EXIST::FUNCTION:
 X509_REQ_get_attr                       2515	3_0_0	EXIST::FUNCTION:
-SHA1                                    2516	3_0_0	EXIST::FUNCTION:
+SHA1                                    2516	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 X509_print                              2517	3_0_0	EXIST::FUNCTION:
 d2i_AutoPrivateKey                      2518	3_0_0	EXIST::FUNCTION:
 X509_REQ_new                            2519	3_0_0	EXIST::FUNCTION:
@@ -2497,7 +2497,7 @@ d2i_NETSCAPE_CERT_SEQUENCE              2550	3_0_0	EXIST::FUNCTION:
 X509_CRL_set_version                    2551	3_0_0	EXIST::FUNCTION:
 ASN1_PCTX_set_cert_flags                2552	3_0_0	EXIST::FUNCTION:
 PKCS8_PRIV_KEY_INFO_free                2553	3_0_0	EXIST::FUNCTION:
-SHA224_Update                           2554	3_0_0	EXIST::FUNCTION:
+SHA224_Update                           2554	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 EC_GROUP_new_by_curve_name              2555	3_0_0	EXIST::FUNCTION:EC
 X509_STORE_set_purpose                  2556	3_0_0	EXIST::FUNCTION:
 X509_CRL_get0_signature                 2557	3_0_0	EXIST::FUNCTION:
@@ -2728,7 +2728,7 @@ CMS_RecipientInfo_encrypt               2786	3_0_0	EXIST::FUNCTION:CMS
 X509_get_pubkey_parameters              2787	3_0_0	EXIST::FUNCTION:
 PKCS12_setup_mac                        2788	3_0_0	EXIST::FUNCTION:
 PEM_read_bio_PKCS7                      2789	3_0_0	EXIST::FUNCTION:
-SHA512_Final                            2790	3_0_0	EXIST::FUNCTION:
+SHA512_Final                            2790	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 X509_VERIFY_PARAM_set1_host             2791	3_0_0	EXIST::FUNCTION:
 OCSP_resp_find_status                   2792	3_0_0	EXIST::FUNCTION:OCSP
 d2i_ASN1_T61STRING                      2793	3_0_0	EXIST::FUNCTION:
@@ -2902,14 +2902,14 @@ EC_curve_nid2nist                       2964	3_0_0	EXIST::FUNCTION:EC
 ENGINE_get_finish_function              2965	3_0_0	EXIST::FUNCTION:ENGINE
 EC_POINT_add                            2966	3_0_0	EXIST::FUNCTION:EC
 EC_KEY_oct2key                          2967	3_0_0	EXIST::FUNCTION:EC
-SHA384_Init                             2968	3_0_0	EXIST::FUNCTION:
+SHA384_Init                             2968	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 ASN1_UNIVERSALSTRING_new                2969	3_0_0	EXIST::FUNCTION:
 EVP_PKEY_print_private                  2970	3_0_0	EXIST::FUNCTION:
 ASN1_INTEGER_new                        2971	3_0_0	EXIST::FUNCTION:
 NAME_CONSTRAINTS_it                     2972	3_0_0	EXIST::FUNCTION:
 TS_REQ_get_cert_req                     2973	3_0_0	EXIST::FUNCTION:TS
 BIO_pop                                 2974	3_0_0	EXIST::FUNCTION:
-SHA256_Final                            2975	3_0_0	EXIST::FUNCTION:
+SHA256_Final                            2975	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 EVP_PKEY_set1_DH                        2976	3_0_0	EXIST::FUNCTION:DH
 DH_get_ex_data                          2977	3_0_0	EXIST::FUNCTION:DH
 CRYPTO_secure_malloc                    2978	3_0_0	EXIST::FUNCTION:
@@ -2929,7 +2929,7 @@ EC_GROUP_set_asn1_flag                  2991	3_0_0	EXIST::FUNCTION:EC
 EVP_PKEY_new                            2992	3_0_0	EXIST::FUNCTION:
 i2d_POLICYINFO                          2993	3_0_0	EXIST::FUNCTION:
 BN_get_flags                            2994	3_0_0	EXIST::FUNCTION:
-SHA384                                  2995	3_0_0	EXIST::FUNCTION:
+SHA384                                  2995	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 NCONF_get_string                        2996	3_0_0	EXIST::FUNCTION:
 d2i_PROXY_CERT_INFO_EXTENSION           2997	3_0_0	EXIST::FUNCTION:
 EC_POINT_point2buf                      2998	3_0_0	EXIST::FUNCTION:EC
@@ -2981,7 +2981,7 @@ i2d_X509_PUBKEY                         3045	3_0_0	EXIST::FUNCTION:
 EVP_DecryptUpdate                       3046	3_0_0	EXIST::FUNCTION:
 CAST_cbc_encrypt                        3047	3_0_0	EXIST::FUNCTION:CAST,DEPRECATEDIN_3_0
 BN_BLINDING_invert                      3048	3_0_0	EXIST::FUNCTION:
-SHA512_Update                           3049	3_0_0	EXIST::FUNCTION:
+SHA512_Update                           3049	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 ESS_ISSUER_SERIAL_new                   3050	3_0_0	EXIST::FUNCTION:
 PKCS12_SAFEBAG_get0_pkcs8               3051	3_0_0	EXIST::FUNCTION:
 X509_get_ext_by_NID                     3052	3_0_0	EXIST::FUNCTION:
@@ -3326,7 +3326,7 @@ d2i_PKCS8_PRIV_KEY_INFO_fp              3395	3_0_0	EXIST::FUNCTION:STDIO
 X509_OBJECT_retrieve_match              3396	3_0_0	EXIST::FUNCTION:
 EVP_aes_128_ctr                         3397	3_0_0	EXIST::FUNCTION:
 EVP_PBE_find                            3398	3_0_0	EXIST::FUNCTION:
-SHA512_Transform                        3399	3_0_0	EXIST::FUNCTION:
+SHA512_Transform                        3399	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 ERR_add_error_vdata                     3400	3_0_0	EXIST::FUNCTION:
 OCSP_REQUEST_get_ext                    3401	3_0_0	EXIST::FUNCTION:OCSP
 NETSCAPE_SPKAC_new                      3402	3_0_0	EXIST::FUNCTION:
@@ -3363,7 +3363,7 @@ EVP_OpenFinal                           3432	3_0_0	EXIST::FUNCTION:RSA
 RAND_egd_bytes                          3433	3_0_0	EXIST::FUNCTION:EGD
 UI_method_get_writer                    3434	3_0_0	EXIST::FUNCTION:
 BN_secure_new                           3435	3_0_0	EXIST::FUNCTION:
-SHA1_Update                             3437	3_0_0	EXIST::FUNCTION:
+SHA1_Update                             3437	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 BIO_s_connect                           3438	3_0_0	EXIST::FUNCTION:SOCK
 EVP_MD_meth_get_init                    3439	3_0_0	EXIST::FUNCTION:
 ASN1_BIT_STRING_free                    3440	3_0_0	EXIST::FUNCTION:
@@ -3513,7 +3513,7 @@ EVP_MD_meth_dup                         3588	3_0_0	EXIST::FUNCTION:
 ENGINE_unregister_ciphers               3589	3_0_0	EXIST::FUNCTION:ENGINE
 X509_issuer_and_serial_cmp              3590	3_0_0	EXIST::FUNCTION:
 OCSP_response_create                    3591	3_0_0	EXIST::FUNCTION:OCSP
-SHA224                                  3592	3_0_0	EXIST::FUNCTION:
+SHA224                                  3592	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 MD2_options                             3593	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,MD2
 X509_REQ_it                             3595	3_0_0	EXIST::FUNCTION:
 RAND_bytes                              3596	3_0_0	EXIST::FUNCTION:
@@ -3554,7 +3554,7 @@ PKCS5_pbe_set                           3631	3_0_0	EXIST::FUNCTION:
 TS_RESP_CTX_free                        3632	3_0_0	EXIST::FUNCTION:TS
 d2i_PUBKEY                              3633	3_0_0	EXIST::FUNCTION:
 ASYNC_cleanup_thread                    3634	3_0_0	EXIST::FUNCTION:
-SHA384_Update                           3635	3_0_0	EXIST::FUNCTION:
+SHA384_Update                           3635	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 CRYPTO_cfb128_1_encrypt                 3636	3_0_0	EXIST::FUNCTION:
 BIO_set_cipher                          3637	3_0_0	EXIST::FUNCTION:
 PEM_read_PUBKEY                         3638	3_0_0	EXIST::FUNCTION:STDIO
@@ -3576,7 +3576,7 @@ Camellia_ecb_encrypt                    3654	3_0_0	EXIST::FUNCTION:CAMELLIA,DEPR
 ENGINE_set_default_RSA                  3655	3_0_0	EXIST::FUNCTION:ENGINE
 EVP_EncodeBlock                         3656	3_0_0	EXIST::FUNCTION:
 SXNETID_free                            3657	3_0_0	EXIST::FUNCTION:
-SHA1_Init                               3658	3_0_0	EXIST::FUNCTION:
+SHA1_Init                               3658	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 CRYPTO_atomic_add                       3659	3_0_0	EXIST::FUNCTION:
 TS_CONF_load_certs                      3660	3_0_0	EXIST::FUNCTION:TS
 PEM_write_bio_DSAPrivateKey             3661	3_0_0	EXIST::FUNCTION:DSA
@@ -3599,7 +3599,7 @@ CRYPTO_mem_ctrl                         3678	3_0_0	EXIST::FUNCTION:CRYPTO_MDEBUG
 ASN1_verify                             3679	3_0_0	EXIST::FUNCTION:
 DSA_generate_parameters_ex              3680	3_0_0	EXIST::FUNCTION:DSA
 X509_sign                               3681	3_0_0	EXIST::FUNCTION:
-SHA256_Transform                        3682	3_0_0	EXIST::FUNCTION:
+SHA256_Transform                        3682	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 BIO_ADDR_free                           3683	3_0_0	EXIST::FUNCTION:SOCK
 ASN1_STRING_free                        3684	3_0_0	EXIST::FUNCTION:
 X509_VERIFY_PARAM_inherit               3685	3_0_0	EXIST::FUNCTION:
@@ -3816,7 +3816,7 @@ CRL_DIST_POINTS_free                    3899	3_0_0	EXIST::FUNCTION:
 d2i_OCSP_SINGLERESP                     3900	3_0_0	EXIST::FUNCTION:OCSP
 EVP_CIPHER_CTX_num                      3901	3_0_0	EXIST::FUNCTION:
 EVP_PKEY_verify_recover_init            3902	3_0_0	EXIST::FUNCTION:
-SHA512_Init                             3903	3_0_0	EXIST::FUNCTION:
+SHA512_Init                             3903	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 TS_MSG_IMPRINT_set_msg                  3904	3_0_0	EXIST::FUNCTION:TS
 CMS_unsigned_add1_attr                  3905	3_0_0	EXIST::FUNCTION:CMS
 OPENSSL_LH_doall                        3906	3_0_0	EXIST::FUNCTION: