openssl-3.0.0-dev_revert.patch

diff --git a/apps/build.info b/apps/build.info
index 2186de3a27..ee934e1fb1 100644
--- a/apps/build.info
+++ b/apps/build.info
@@ -14,14 +14,14 @@ $OPENSSLSRC=\
         openssl.c progs.c \
         asn1pars.c ca.c ciphers.c cms.c crl.c crl2p7.c dgst.c \
         ec.c ecparam.c enc.c engine.c errstr.c \
-        genpkey.c kdf.c mac.c nseq.c ocsp.c passwd.c pkcs12.c pkcs7.c \
-        pkcs8.c pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c \
-        s_client.c s_server.c s_time.c sess_id.c smime.c speed.c \
+        genpkey.c genrsa.c kdf.c mac.c nseq.c ocsp.c passwd.c pkcs12.c pkcs7.c \
+        pkcs8.c pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c rsa.c \
+        rsautl.c s_client.c s_server.c s_time.c sess_id.c smime.c speed.c \
         spkac.c srp.c ts.c verify.c version.c x509.c rehash.c storeutl.c \
         list.c info.c provider.c fipsinstall.c
 IF[{- !$disabled{'deprecated-3.0'} -}]
   $OPENSSLSRC=$OPENSSLSRC \
-        dhparam.c dsa.c dsaparam.c gendsa.c rsa.c rsautl.c genrsa.c
+        dhparam.c dsa.c dsaparam.c gendsa.c
 ENDIF
 IF[{- !$disabled{'cmp'} -}]
   $OPENSSLSRC=$OPENSSLSRC cmp_mock_srv.c
diff --git a/apps/genrsa.c b/apps/genrsa.c
index 3f76d9bada..a7d04fed30 100644
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -7,9 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/* We need to use the deprecated RSA low level calls */
-#define OPENSSL_SUPPRESS_DEPRECATED
-
 #include <openssl/opensslconf.h>
 #ifdef OPENSSL_NO_RSA
 NON_EMPTY_TRANSLATION_UNIT
diff --git a/apps/rsa.c b/apps/rsa.c
index d626bbb31a..539b0144ab 100644
--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -7,9 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/* We need to use the deprecated RSA low level calls */
-#define OPENSSL_SUPPRESS_DEPRECATED
-
 #include <openssl/opensslconf.h>
 #ifdef OPENSSL_NO_RSA
 NON_EMPTY_TRANSLATION_UNIT
diff --git a/apps/rsautl.c b/apps/rsautl.c
index b72f527ce4..ddd507ce9a 100644
--- a/apps/rsautl.c
+++ b/apps/rsautl.c
@@ -7,9 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/* We need to use the deprecated RSA low level calls */
-#define OPENSSL_SUPPRESS_DEPRECATED
-
 #include <openssl/opensslconf.h>
 #ifdef OPENSSL_NO_RSA
 NON_EMPTY_TRANSLATION_UNIT
diff --git a/apps/speed.c b/apps/speed.c
index 9d4ab2c330..c735ad2031 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -94,7 +94,7 @@
 #ifndef OPENSSL_NO_CAST
 # include <openssl/cast.h>
 #endif
-#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
+#ifndef OPENSSL_NO_RSA
 # include <openssl/rsa.h>
 # include "./testrsa.h"
 #endif
@@ -417,7 +417,7 @@ static const OPT_PAIR dsa_choices[DSA_NUM] = {
 static double dsa_results[DSA_NUM][2];  /* 2 ops: sign then verify */
 #endif  /* OPENSSL_NO_DSA */
 
-#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
+#ifndef OPENSSL_NO_RSA
 enum {
     R_RSA_512, R_RSA_1024, R_RSA_2048, R_RSA_3072, R_RSA_4096, R_RSA_7680,
     R_RSA_15360, RSA_NUM
@@ -543,7 +543,7 @@ typedef struct loopargs_st {
     unsigned char *key;
     unsigned int siglen;
     size_t sigsize;
-#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
+#ifndef OPENSSL_NO_RSA
     RSA *rsa_key[RSA_NUM];
 #endif
 #if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
@@ -1022,7 +1022,7 @@ static int EVP_CMAC_loop(void *args)
 }
 #endif
 
-#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
+#ifndef OPENSSL_NO_RSA
 static long rsa_c[RSA_NUM][2];  /* # RSA iteration test */
 
 static int RSA_sign_loop(void *args)
@@ -1504,7 +1504,7 @@ int speed_main(int argc, char **argv)
 #if !defined(OPENSSL_NO_CAMELLIA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
     CAMELLIA_KEY camellia_ks[3];
 #endif
-#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
+#ifndef OPENSSL_NO_RSA
     static const struct {
         const unsigned char *data;
         unsigned int length;
@@ -1712,10 +1712,8 @@ int speed_main(int argc, char **argv)
                 goto end;
             break;
         case OPT_PRIMES:
-#ifndef OPENSSL_NO_DEPRECATED_3_0
             if (!opt_int(opt_arg(), &primes))
                 goto end;
-#endif
             break;
         case OPT_SECONDS:
             seconds.sym = seconds.rsa = seconds.dsa = seconds.ecdsa
@@ -1753,7 +1751,7 @@ int speed_main(int argc, char **argv)
             doit[D_SHA1] = doit[D_SHA256] = doit[D_SHA512] = 1;
             continue;
         }
-#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
+#ifndef OPENSSL_NO_RSA
         if (strcmp(algo, "openssl") == 0) /* just for compatibility */
             continue;
         if (strncmp(algo, "rsa", 3) == 0) {
@@ -1916,7 +1914,7 @@ int speed_main(int argc, char **argv)
     if (argc == 0 && !doit[D_EVP] && !doit[D_EVP_HMAC] && !doit[D_EVP_CMAC]) {
         memset(doit, 1, sizeof(doit));
         doit[D_EVP] = doit[D_EVP_HMAC] = doit[D_EVP_CMAC] = 0;
-#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
+#ifndef OPENSSL_NO_RSA
         memset(rsa_doit, 1, sizeof(rsa_doit));
 #endif
 #if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
@@ -1940,7 +1938,7 @@ int speed_main(int argc, char **argv)
                    "You have chosen to measure elapsed time "
                    "instead of user CPU time.\n");
 
-#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
+#ifndef OPENSSL_NO_RSA
     for (i = 0; i < loopargs_len; i++) {
         if (primes > RSA_DEFAULT_PRIME_NUM) {
             /* for multi-prime RSA, skip this */
@@ -2110,7 +2108,7 @@ int speed_main(int argc, char **argv)
         c[D_IGE_256_AES][i] = c[D_IGE_256_AES][i - 1] * l0 / l1;
     }
 
-#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
+#  ifndef OPENSSL_NO_RSA
     rsa_c[R_RSA_512][0] = count / 2000;
     rsa_c[R_RSA_512][1] = count / 400;
     for (i = 1; i < RSA_NUM; i++) {
@@ -2866,7 +2864,7 @@ int speed_main(int argc, char **argv)
         if (RAND_bytes(loopargs[i].buf, 36) <= 0)
             goto end;
 
-#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
+#ifndef OPENSSL_NO_RSA
     for (testnum = 0; testnum < RSA_NUM; testnum++) {
         int st = 0;
         if (!rsa_doit[testnum])
@@ -3571,7 +3569,7 @@ int speed_main(int argc, char **argv)
         }
         printf("\n");
     }
-#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
+#ifndef OPENSSL_NO_RSA
     testnum = 1;
     for (k = 0; k < RSA_NUM; k++) {
         if (!rsa_doit[k])
@@ -3698,7 +3696,7 @@ int speed_main(int argc, char **argv)
         OPENSSL_free(loopargs[i].buf_malloc);
         OPENSSL_free(loopargs[i].buf2_malloc);
 
-#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
+#ifndef OPENSSL_NO_RSA
         for (k = 0; k < RSA_NUM; k++)
             RSA_free(loopargs[i].rsa_key[k]);
 #endif
@@ -3894,9 +3892,7 @@ static int do_multi(int multi, int size_num)
                 sstrsep(&p, sep);
                 for (j = 0; j < size_num; ++j)
                     results[alg][j] += atof(sstrsep(&p, sep));
-            }
-#if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
-            else if (strncmp(buf, "+F2:", 4) == 0) {
+            } else if (strncmp(buf, "+F2:", 4) == 0) {
                 int k;
                 double d;
 
@@ -3910,7 +3906,6 @@ static int do_multi(int multi, int size_num)
                 d = atof(sstrsep(&p, sep));
                 rsa_results[k][1] += d;
             }
-#endif
 #if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
             else if (strncmp(buf, "+F3:", 4) == 0) {
                 int k;
diff --git a/crypto/evp/p_dec.c b/crypto/evp/p_dec.c
index 9a6f271000..d1d8b0b59e 100644
--- a/crypto/evp/p_dec.c
+++ b/crypto/evp/p_dec.c
@@ -7,12 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/*
- * RSA low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include <openssl/rsa.h>
diff --git a/crypto/evp/p_enc.c b/crypto/evp/p_enc.c
index 349eabde4c..4c169857c2 100644
--- a/crypto/evp/p_enc.c
+++ b/crypto/evp/p_enc.c
@@ -7,12 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/*
- * RSA low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include <openssl/rsa.h>
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
index fb378ae039..f4a5a06e5d 100644
--- a/crypto/rsa/rsa_ameth.c
+++ b/crypto/rsa/rsa_ameth.c
@@ -7,12 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/*
- * RSA low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include <openssl/asn1t.h>
diff --git a/crypto/rsa/rsa_asn1.c b/crypto/rsa/rsa_asn1.c
index 8798bd52d6..e6b81253fa 100644
--- a/crypto/rsa/rsa_asn1.c
+++ b/crypto/rsa/rsa_asn1.c
@@ -7,12 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/*
- * RSA low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include <openssl/bn.h>
diff --git a/crypto/rsa/rsa_chk.c b/crypto/rsa/rsa_chk.c
index e6b700bc0d..6ba0010c77 100644
--- a/crypto/rsa/rsa_chk.c
+++ b/crypto/rsa/rsa_chk.c
@@ -7,12 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/*
- * RSA low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
 #include <openssl/bn.h>
 #include <openssl/err.h>
 #include "crypto/rsa.h"
diff --git a/crypto/rsa/rsa_crpt.c b/crypto/rsa/rsa_crpt.c
index 83cae46103..6abee298c6 100644
--- a/crypto/rsa/rsa_crpt.c
+++ b/crypto/rsa/rsa_crpt.c
@@ -7,12 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/*
- * RSA low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
 #include <stdio.h>
 #include <openssl/crypto.h>
 #include "internal/cryptlib.h"
diff --git a/crypto/rsa/rsa_depr.c b/crypto/rsa/rsa_depr.c
index 8ba6e8c2ee..ed63262645 100644
--- a/crypto/rsa/rsa_depr.c
+++ b/crypto/rsa/rsa_depr.c
@@ -12,12 +12,6 @@
  * "new" versions).
  */
 
-/*
- * RSA low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
 #include <openssl/opensslconf.h>
 #ifdef OPENSSL_NO_DEPRECATED_0_9_8
 NON_EMPTY_TRANSLATION_UNIT
diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c
index 5d82ae6f34..b74f43f8a1 100644
--- a/crypto/rsa/rsa_gen.c
+++ b/crypto/rsa/rsa_gen.c
@@ -13,12 +13,6 @@
  * Geoff
  */
 
-/*
- * RSA low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
 #include <stdio.h>
 #include <time.h>
 #include "internal/cryptlib.h"
diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c
index e9a5b48fbc..51fd3c5ca0 100644
--- a/crypto/rsa/rsa_lib.c
+++ b/crypto/rsa/rsa_lib.c
@@ -7,12 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/*
- * RSA low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
 #include <stdio.h>
 #include <openssl/crypto.h>
 #include <openssl/core_names.h>
diff --git a/crypto/rsa/rsa_meth.c b/crypto/rsa/rsa_meth.c
index 6bbe21814e..a2a0426ee4 100644
--- a/crypto/rsa/rsa_meth.c
+++ b/crypto/rsa/rsa_meth.c
@@ -7,12 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/*
- * RSA low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
 #include <string.h>
 #include "rsa_local.h"
 #include <openssl/err.h>
diff --git a/crypto/rsa/rsa_none.c b/crypto/rsa/rsa_none.c
index 5298ca7328..833ab94028 100644
--- a/crypto/rsa/rsa_none.c
+++ b/crypto/rsa/rsa_none.c
@@ -7,12 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/*
- * RSA low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
 #include "internal/cryptlib.h"
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c
index ed486acbe6..a0af741183 100644
--- a/crypto/rsa/rsa_oaep.c
+++ b/crypto/rsa/rsa_oaep.c
@@ -20,12 +20,6 @@
  * one-wayness.  For the RSA function, this is an equivalent notion.
  */
 
-/*
- * RSA low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
 #include "internal/constant_time.h"
 
 #include <stdio.h>
diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c
index 504ad82f17..7746f6d961 100644
--- a/crypto/rsa/rsa_ossl.c
+++ b/crypto/rsa/rsa_ossl.c
@@ -7,12 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/*
- * RSA low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
 #include "internal/cryptlib.h"
 #include "crypto/bn.h"
 #include "rsa_local.h"
diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c
index b8aa49d701..c6bbf2dcd6 100644
--- a/crypto/rsa/rsa_pk1.c
+++ b/crypto/rsa/rsa_pk1.c
@@ -7,12 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/*
- * RSA low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
 #include "internal/constant_time.h"
 
 #include <stdio.h>
diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c
index 7a298d5d93..96937ae059 100644
--- a/crypto/rsa/rsa_pmeth.c
+++ b/crypto/rsa/rsa_pmeth.c
@@ -7,12 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/*
- * RSA low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
 #include "internal/constant_time.h"
 
 #include <stdio.h>
diff --git a/crypto/rsa/rsa_prn.c b/crypto/rsa/rsa_prn.c
index 1e52e9e3e6..5e4c098a16 100644
--- a/crypto/rsa/rsa_prn.c
+++ b/crypto/rsa/rsa_prn.c
@@ -7,12 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/*
- * RSA low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include <openssl/rsa.h>
diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c
index 999fc3122f..bd82faf54a 100644
--- a/crypto/rsa/rsa_pss.c
+++ b/crypto/rsa/rsa_pss.c
@@ -7,12 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/*
- * RSA low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include <openssl/bn.h>
diff --git a/crypto/rsa/rsa_saos.c b/crypto/rsa/rsa_saos.c
index e7041ca2ae..7041535cc0 100644
--- a/crypto/rsa/rsa_saos.c
+++ b/crypto/rsa/rsa_saos.c
@@ -7,12 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/*
- * RSA low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include <openssl/bn.h>
diff --git a/crypto/rsa/rsa_sign.c b/crypto/rsa/rsa_sign.c
index 544cca446e..3d89a8db54 100644
--- a/crypto/rsa/rsa_sign.c
+++ b/crypto/rsa/rsa_sign.c
@@ -7,12 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/*
- * RSA low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include <openssl/bn.h>
diff --git a/crypto/rsa/rsa_ssl.c b/crypto/rsa/rsa_ssl.c
index 0309665338..49005a54a4 100644
--- a/crypto/rsa/rsa_ssl.c
+++ b/crypto/rsa/rsa_ssl.c
@@ -7,12 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/*
- * RSA low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include <openssl/bn.h>
diff --git a/crypto/rsa/rsa_x931.c b/crypto/rsa/rsa_x931.c
index 7a1503752f..3caafb699f 100644
--- a/crypto/rsa/rsa_x931.c
+++ b/crypto/rsa/rsa_x931.c
@@ -7,12 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/*
- * RSA low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include <openssl/bn.h>
diff --git a/crypto/rsa/rsa_x931g.c b/crypto/rsa/rsa_x931g.c
index 7b65133ec8..1f6042a3d2 100644
--- a/crypto/rsa/rsa_x931g.c
+++ b/crypto/rsa/rsa_x931g.c
@@ -7,12 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/*
- * RSA low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
 #include <stdio.h>
 #include <string.h>
 #include <time.h>
diff --git a/engines/build.info b/engines/build.info
index 3bfe1dc057..fca41358e9 100644
--- a/engines/build.info
+++ b/engines/build.info
@@ -78,7 +78,6 @@ IF[{- !$disabled{"engine"} -}]
       SOURCE[dasync]=dasync.ld
       GENERATE[dasync.ld]=../util/engines.num
     ENDIF
-
     SOURCE[ossltest]=e_ossltest.c
     DEPEND[ossltest]=../libcrypto
     INCLUDE[ossltest]=../include
diff --git a/engines/e_dasync.c b/engines/e_dasync.c
index 446680e535..c5d58ded09 100644
--- a/engines/e_dasync.c
+++ b/engines/e_dasync.c
@@ -15,7 +15,6 @@
  */
 #include "internal/deprecated.h"
 
-#include <openssl/opensslconf.h>
 #if defined(_WIN32)
 # include <windows.h>
 #endif
@@ -102,29 +101,22 @@ static int dasync_digest_nids(const int **nids)
 }
 
 /* RSA */
-static int dasync_pkey(ENGINE *e, EVP_PKEY_METHOD **pmeth,
-                       const int **pnids, int nid);
-
-static int dasync_rsa_init(EVP_PKEY_CTX *ctx);
-static void dasync_rsa_cleanup(EVP_PKEY_CTX *ctx);
-static int dasync_rsa_paramgen_init(EVP_PKEY_CTX *ctx);
-static int dasync_rsa_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey);
-static int dasync_rsa_keygen_init(EVP_PKEY_CTX *ctx);
-static int dasync_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey);
-static int dasync_rsa_encrypt_init(EVP_PKEY_CTX *ctx);
-static int dasync_rsa_encrypt(EVP_PKEY_CTX *ctx, unsigned char *out,
-                              size_t *outlen, const unsigned char *in,
-                              size_t inlen);
-static int dasync_rsa_decrypt_init(EVP_PKEY_CTX *ctx);
-static int dasync_rsa_decrypt(EVP_PKEY_CTX *ctx, unsigned char *out,
-                              size_t *outlen, const unsigned char *in,
-                              size_t inlen);
-static int dasync_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2);
-static int dasync_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
-                               const char *value);
-
-static EVP_PKEY_METHOD *dasync_rsa;
-static const EVP_PKEY_METHOD *dasync_rsa_orig;
+
+static int dasync_pub_enc(int flen, const unsigned char *from,
+                    unsigned char *to, RSA *rsa, int padding);
+static int dasync_pub_dec(int flen, const unsigned char *from,
+                    unsigned char *to, RSA *rsa, int padding);
+static int dasync_rsa_priv_enc(int flen, const unsigned char *from,
+                      unsigned char *to, RSA *rsa, int padding);
+static int dasync_rsa_priv_dec(int flen, const unsigned char *from,
+                      unsigned char *to, RSA *rsa, int padding);
+static int dasync_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa,
+                              BN_CTX *ctx);
+
+static int dasync_rsa_init(RSA *rsa);
+static int dasync_rsa_finish(RSA *rsa);
+
+static RSA_METHOD *dasync_rsa_method = NULL;
 
 /* AES */
 
@@ -205,30 +197,26 @@ static int dasync_cipher_nids[] = {
 
 static int bind_dasync(ENGINE *e)
 {
-    /* Setup RSA */
-    ;
-    if ((dasync_rsa_orig = EVP_PKEY_meth_find(EVP_PKEY_RSA)) == NULL
-        || (dasync_rsa = EVP_PKEY_meth_new(EVP_PKEY_RSA, 0)) == NULL)
+    /* Setup RSA_METHOD */
+    if ((dasync_rsa_method = RSA_meth_new("Dummy Async RSA method", 0)) == NULL
+        || RSA_meth_set_pub_enc(dasync_rsa_method, dasync_pub_enc) == 0
+        || RSA_meth_set_pub_dec(dasync_rsa_method, dasync_pub_dec) == 0
+        || RSA_meth_set_priv_enc(dasync_rsa_method, dasync_rsa_priv_enc) == 0
+        || RSA_meth_set_priv_dec(dasync_rsa_method, dasync_rsa_priv_dec) == 0
+        || RSA_meth_set_mod_exp(dasync_rsa_method, dasync_rsa_mod_exp) == 0
+        || RSA_meth_set_bn_mod_exp(dasync_rsa_method, BN_mod_exp_mont) == 0
+        || RSA_meth_set_init(dasync_rsa_method, dasync_rsa_init) == 0
+        || RSA_meth_set_finish(dasync_rsa_method, dasync_rsa_finish) == 0) {
+        DASYNCerr(DASYNC_F_BIND_DASYNC, DASYNC_R_INIT_FAILED);
         return 0;
-    EVP_PKEY_meth_set_init(dasync_rsa, dasync_rsa_init);
-    EVP_PKEY_meth_set_cleanup(dasync_rsa, dasync_rsa_cleanup);
-    EVP_PKEY_meth_set_paramgen(dasync_rsa, dasync_rsa_paramgen_init,
-                               dasync_rsa_paramgen);
-    EVP_PKEY_meth_set_keygen(dasync_rsa, dasync_rsa_keygen_init,
-                             dasync_rsa_keygen);
-    EVP_PKEY_meth_set_encrypt(dasync_rsa, dasync_rsa_encrypt_init,
-                              dasync_rsa_encrypt);
-    EVP_PKEY_meth_set_decrypt(dasync_rsa, dasync_rsa_decrypt_init,
-                              dasync_rsa_decrypt);
-    EVP_PKEY_meth_set_ctrl(dasync_rsa, dasync_rsa_ctrl,
-                           dasync_rsa_ctrl_str);
+    }
 
     /* Ensure the dasync error handling is set up */
     ERR_load_DASYNC_strings();
 
     if (!ENGINE_set_id(e, engine_dasync_id)
         || !ENGINE_set_name(e, engine_dasync_name)
-        || !ENGINE_set_pkey_meths(e, dasync_pkey)
+        || !ENGINE_set_RSA(e, dasync_rsa_method)
         || !ENGINE_set_digests(e, dasync_digests)
         || !ENGINE_set_ciphers(e, dasync_ciphers)
         || !ENGINE_set_destroy_function(e, dasync_destroy)
@@ -307,13 +295,6 @@ static int bind_dasync(ENGINE *e)
     return 1;
 }
 
-static void destroy_pkey(void)
-{
-    EVP_PKEY_meth_free(dasync_rsa);
-    dasync_rsa_orig = NULL;
-    dasync_rsa = NULL;
-}
-
 # ifndef OPENSSL_NO_DYNAMIC_ENGINE
 static int bind_helper(ENGINE *e, const char *id)
 {
@@ -366,30 +347,11 @@ static int dasync_destroy(ENGINE *e)
 {
     destroy_digests();
     destroy_ciphers();
-    destroy_pkey();
+    RSA_meth_free(dasync_rsa_method);
     ERR_unload_DASYNC_strings();
     return 1;
 }
 
-static int dasync_pkey(ENGINE *e, EVP_PKEY_METHOD **pmeth,
-                       const int **pnids, int nid)
-{
-    static const int rnid = EVP_PKEY_RSA;
-
-    if (pmeth == NULL) {
-        *pnids = &rnid;
-        return 1;
-    }
-
-    if (nid == EVP_PKEY_RSA) {
-        *pmeth = dasync_rsa;
-        return 1;
-    }
-
-    *pmeth = NULL;
-    return 0;
-}
-
 static int dasync_digests(ENGINE *e, const EVP_MD **digest,
                           const int **nids, int nid)
 {
@@ -560,6 +522,60 @@ static int dasync_sha1_final(EVP_MD_CTX *ctx, unsigned char *md)
     return EVP_MD_meth_get_final(EVP_sha1())(ctx, md);
 }
 
+/*
+ * RSA implementation
+ */
+
+static int dasync_pub_enc(int flen, const unsigned char *from,
+                    unsigned char *to, RSA *rsa, int padding) {
+    /* Ignore errors - we carry on anyway */
+    dummy_pause_job();
+    return RSA_meth_get_pub_enc(RSA_PKCS1_OpenSSL())
+        (flen, from, to, rsa, padding);
+}
+
+static int dasync_pub_dec(int flen, const unsigned char *from,
+                    unsigned char *to, RSA *rsa, int padding) {
+    /* Ignore errors - we carry on anyway */
+    dummy_pause_job();
+    return RSA_meth_get_pub_dec(RSA_PKCS1_OpenSSL())
+        (flen, from, to, rsa, padding);
+}
+
+static int dasync_rsa_priv_enc(int flen, const unsigned char *from,
+                      unsigned char *to, RSA *rsa, int padding)
+{
+    /* Ignore errors - we carry on anyway */
+    dummy_pause_job();
+    return RSA_meth_get_priv_enc(RSA_PKCS1_OpenSSL())
+        (flen, from, to, rsa, padding);
+}
+
+static int dasync_rsa_priv_dec(int flen, const unsigned char *from,
+                      unsigned char *to, RSA *rsa, int padding)
+{
+    /* Ignore errors - we carry on anyway */
+    dummy_pause_job();
+    return RSA_meth_get_priv_dec(RSA_PKCS1_OpenSSL())
+        (flen, from, to, rsa, padding);
+}
+
+static int dasync_rsa_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx)
+{
+    /* Ignore errors - we carry on anyway */
+    dummy_pause_job();
+    return RSA_meth_get_mod_exp(RSA_PKCS1_OpenSSL())(r0, I, rsa, ctx);
+}
+
+static int dasync_rsa_init(RSA *rsa)
+{
+    return RSA_meth_get_init(RSA_PKCS1_OpenSSL())(rsa);
+}
+static int dasync_rsa_finish(RSA *rsa)
+{
+    return RSA_meth_get_finish(RSA_PKCS1_OpenSSL())(rsa);
+}
+
 /* Cipher helper functions */
 
 static int dasync_cipher_ctrl_helper(EVP_CIPHER_CTX *ctx, int type, int arg,
@@ -787,125 +803,3 @@ static int dasync_aes128_cbc_hmac_sha1_cleanup(EVP_CIPHER_CTX *ctx)
      */
     return dasync_cipher_cleanup_helper(ctx, EVP_aes_128_cbc_hmac_sha1());
 }
-
-
-/*
- * RSA implementation
- */
-static int dasync_rsa_init(EVP_PKEY_CTX *ctx)
-{
-    static int (*pinit)(EVP_PKEY_CTX *ctx);
-
-    if (pinit == NULL)
-        EVP_PKEY_meth_get_init(dasync_rsa_orig, &pinit);
-    return pinit(ctx);
-}
-
-static void dasync_rsa_cleanup(EVP_PKEY_CTX *ctx)
-{
-    static void (*pcleanup)(EVP_PKEY_CTX *ctx);
-
-    if (pcleanup == NULL)
-        EVP_PKEY_meth_get_cleanup(dasync_rsa_orig, &pcleanup);
-    pcleanup(ctx);
-}
-
-static int dasync_rsa_paramgen_init(EVP_PKEY_CTX *ctx)
-{
-    static int (*pparamgen_init)(EVP_PKEY_CTX *ctx);
-
-    if (pparamgen_init == NULL)
-        EVP_PKEY_meth_get_paramgen(dasync_rsa_orig, &pparamgen_init, NULL);
-    return pparamgen_init(ctx);
-}
-
-static int dasync_rsa_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
-{
-    static int (*pparamgen)(EVP_PKEY_CTX *c, EVP_PKEY *pkey);
-
-    if (pparamgen == NULL)
-        EVP_PKEY_meth_get_paramgen(dasync_rsa_orig, NULL, &pparamgen);
-    return pparamgen(ctx, pkey);
-}
-
-static int dasync_rsa_keygen_init(EVP_PKEY_CTX *ctx)
-{
-    static int (*pkeygen_init)(EVP_PKEY_CTX *ctx);
-
-    if (pkeygen_init == NULL)
-        EVP_PKEY_meth_get_keygen(dasync_rsa_orig, &pkeygen_init, NULL);
-    return pkeygen_init(ctx);
-}
-
-static int dasync_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey)
-{
-    static int (*pkeygen)(EVP_PKEY_CTX *c, EVP_PKEY *pkey);
-
-    if (pkeygen == NULL)
-        EVP_PKEY_meth_get_keygen(dasync_rsa_orig, NULL, &pkeygen);
-    return pkeygen(ctx, pkey);
-}
-
-static int dasync_rsa_encrypt_init(EVP_PKEY_CTX *ctx)
-{
-    static int (*pencrypt_init)(EVP_PKEY_CTX *ctx);
-
-    if (pencrypt_init == NULL)
-        EVP_PKEY_meth_get_encrypt(dasync_rsa_orig, &pencrypt_init, NULL);
-    return pencrypt_init(ctx);
-}
-
-static int dasync_rsa_encrypt(EVP_PKEY_CTX *ctx, unsigned char *out,
-                              size_t *outlen, const unsigned char *in,
-                              size_t inlen)
-{
-    static int (*pencryptfn)(EVP_PKEY_CTX *ctx, unsigned char *out,
-                             size_t *outlen, const unsigned char *in,
-                             size_t inlen);
-
-    if (pencryptfn == NULL)
-        EVP_PKEY_meth_get_encrypt(dasync_rsa_orig, NULL, &pencryptfn);
-    return pencryptfn(ctx, out, outlen, in, inlen);
-}
-
-static int dasync_rsa_decrypt_init(EVP_PKEY_CTX *ctx)
-{
-    static int (*pdecrypt_init)(EVP_PKEY_CTX *ctx);
-
-    if (pdecrypt_init == NULL)
-        EVP_PKEY_meth_get_decrypt(dasync_rsa_orig, &pdecrypt_init, NULL);
-    return pdecrypt_init(ctx);
-}
-
-static int dasync_rsa_decrypt(EVP_PKEY_CTX *ctx, unsigned char *out,
-                              size_t *outlen, const unsigned char *in,
-                              size_t inlen)
-{
-    static int (*pdecrypt)(EVP_PKEY_CTX *ctx, unsigned char *out,
-                             size_t *outlen, const unsigned char *in,
-                             size_t inlen);
-
-    if (pdecrypt == NULL)
-        EVP_PKEY_meth_get_encrypt(dasync_rsa_orig, NULL, &pdecrypt);
-    return pdecrypt(ctx, out, outlen, in, inlen);
-}
-
-static int dasync_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
-{
-    static int (*pctrl)(EVP_PKEY_CTX *ctx, int type, int p1, void *p2);
-
-    if (pctrl == NULL)
-        EVP_PKEY_meth_get_ctrl(dasync_rsa_orig, &pctrl, NULL);
-    return pctrl(ctx, type, p1, p2);
-}
-
-static int dasync_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
-                               const char *value)
-{
-    static int (*pctrl_str)(EVP_PKEY_CTX *ctx, const char *type,
-                            const char *value);
-
-    if (pctrl_str == NULL)
-        EVP_PKEY_meth_get_ctrl(dasync_rsa_orig, NULL, &pctrl_str);
-    return pctrl_str(ctx, type, value);
-}
diff --git a/fuzz/asn1.c b/fuzz/asn1.c
index 0858bee91d..0212e5674d 100644
--- a/fuzz/asn1.c
+++ b/fuzz/asn1.c
@@ -338,7 +338,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
     DO_TEST_NO_PRINT(DSA, d2i_DSAPublicKey, i2d_DSAPublicKey);
     DO_TEST_NO_PRINT(DSA, d2i_DSAparams, i2d_DSAparams);
 #endif
-    DO_TEST_NO_PRINT(RSA, d2i_RSAPublicKey, i2d_RSAPublicKey);
+    DO_TEST_PRINT_OFFSET(RSA, d2i_RSAPublicKey, i2d_RSAPublicKey, RSA_print);
 #ifndef OPENSSL_NO_EC
     DO_TEST_PRINT_OFFSET(EC_GROUP, d2i_ECPKParameters, i2d_ECPKParameters, ECPKParameters_print);
     DO_TEST_PRINT_OFFSET(EC_KEY, d2i_ECPrivateKey, i2d_ECPrivateKey, EC_KEY_print);
diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h
index 49040bf7e6..1df1c08eb3 100644
--- a/include/openssl/rsa.h
+++ b/include/openssl/rsa.h
@@ -33,50 +33,46 @@
 extern "C" {
 #  endif
 
+/* The types RSA and RSA_METHOD are defined in ossl_typ.h */
+
 #  ifndef OPENSSL_RSA_MAX_MODULUS_BITS
 #   define OPENSSL_RSA_MAX_MODULUS_BITS   16384
 #  endif
 
-#  ifndef OPENSSL_NO_DEPRECATED_3_0
-/* The types RSA and RSA_METHOD are defined in ossl_typ.h */
-
-#   define OPENSSL_RSA_FIPS_MIN_MODULUS_BITS 1024
+#  define OPENSSL_RSA_FIPS_MIN_MODULUS_BITS 1024
 
-#   ifndef OPENSSL_RSA_SMALL_MODULUS_BITS
-#    define OPENSSL_RSA_SMALL_MODULUS_BITS 3072
-#   endif
+#  ifndef OPENSSL_RSA_SMALL_MODULUS_BITS
+#   define OPENSSL_RSA_SMALL_MODULUS_BITS 3072
+#  endif
+#  ifndef OPENSSL_RSA_MAX_PUBEXP_BITS
 
 /* exponent limit enforced for "large" modulus only */
-#   ifndef OPENSSL_RSA_MAX_PUBEXP_BITS
-#    define OPENSSL_RSA_MAX_PUBEXP_BITS    64
-#   endif
+#   define OPENSSL_RSA_MAX_PUBEXP_BITS    64
+#  endif
 
-#   define RSA_3   0x3L
-#   define RSA_F4  0x10001L
+#  define RSA_3   0x3L
+#  define RSA_F4  0x10001L
 
 /* based on RFC 8017 appendix A.1.2 */
-#   define RSA_ASN1_VERSION_DEFAULT        0
-#   define RSA_ASN1_VERSION_MULTI          1
+#  define RSA_ASN1_VERSION_DEFAULT        0
+#  define RSA_ASN1_VERSION_MULTI          1
 
-#   define RSA_DEFAULT_PRIME_NUM           2
-#  endif /* OPENSSL_NO_DEPRECATED_3_0 */
+#  define RSA_DEFAULT_PRIME_NUM           2
 
 /* Don't check pub/private match */
-/* TODO(3.0): deprecate this? It is exposed for sls/t1_lib.c's use */
 #  define RSA_METHOD_FLAG_NO_CHECK        0x0001
 
-#  ifndef OPENSSL_NO_DEPRECATED_3_0
-#   define RSA_FLAG_CACHE_PUBLIC           0x0002
-#   define RSA_FLAG_CACHE_PRIVATE          0x0004
-#   define RSA_FLAG_BLINDING               0x0008
-#   define RSA_FLAG_THREAD_SAFE            0x0010
+#  define RSA_FLAG_CACHE_PUBLIC           0x0002
+#  define RSA_FLAG_CACHE_PRIVATE          0x0004
+#  define RSA_FLAG_BLINDING               0x0008
+#  define RSA_FLAG_THREAD_SAFE            0x0010
 /*
  * This flag means the private key operations will be handled by rsa_mod_exp
  * and that they do not depend on the private key components being present:
  * for example a key stored in external hardware. Without this flag
  * bn_mod_exp gets called when private key components are absent.
  */
-#   define RSA_FLAG_EXT_PKEY               0x0020
+#  define RSA_FLAG_EXT_PKEY               0x0020
 
 /*
  * new with 0.9.6j and 0.9.7b; the built-in
@@ -84,14 +80,14 @@ extern "C" {
  * default (ignoring RSA_FLAG_BLINDING),
  * but other engines might not need it
  */
-#   define RSA_FLAG_NO_BLINDING            0x0080
-#  endif /* OPENSSL_NO_DEPRECATED_3_0 */
+#  define RSA_FLAG_NO_BLINDING            0x0080
+#  ifndef OPENSSL_NO_DEPRECATED_1_1_0
 /*
  * Does nothing. Previously this switched off constant time behaviour.
  */
-#  ifndef OPENSSL_NO_DEPRECATED_1_1_0
 #   define RSA_FLAG_NO_CONSTTIME           0x0000
 #  endif
+#  ifndef OPENSSL_NO_DEPRECATED_0_9_8
 /* deprecated name for the flag*/
 /*
  * new with 0.9.7h; the built-in RSA
@@ -101,7 +97,6 @@ extern "C" {
  * faster variable sliding window method to
  * be used for all exponents.
  */
-#  ifndef OPENSSL_NO_DEPRECATED_0_9_8
 #   define RSA_FLAG_NO_EXP_CONSTTIME RSA_FLAG_NO_CONSTTIME
 #  endif
 
@@ -135,6 +130,7 @@ int EVP_PKEY_CTX_get_rsa_mgf1_md(EVP_PKEY_CTX *ctx, const EVP_MD **md);
 int EVP_PKEY_CTX_get_rsa_mgf1_md_name(EVP_PKEY_CTX *ctx, char *name,
                                       size_t namelen);
 
+
 #  define  EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md(ctx, md) \
         EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, \
                           EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)(md))
@@ -145,7 +141,8 @@ int EVP_PKEY_CTX_set_rsa_oaep_md_name(EVP_PKEY_CTX *ctx, const char *mdname,
 int EVP_PKEY_CTX_get_rsa_oaep_md(EVP_PKEY_CTX *ctx, const EVP_MD **md);
 int EVP_PKEY_CTX_get_rsa_oaep_md_name(EVP_PKEY_CTX *ctx, char *name,
                                       size_t namelen);
-int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, void *label, int llen);
+int EVP_PKEY_CTX_set0_rsa_oaep_label(EVP_PKEY_CTX *ctx, void *label,
+                                     int llen);
 int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label);
 
 #  define  EVP_PKEY_CTX_set_rsa_pss_keygen_md(ctx, md) \
@@ -189,10 +186,10 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label);
 #  define RSA_get_app_data(s)             RSA_get_ex_data(s,0)
 
 RSA *RSA_new(void);
-DEPRECATEDIN_3_0(RSA *RSA_new_method(ENGINE *engine))
-DEPRECATEDIN_3_0(int RSA_bits(const RSA *rsa))
-DEPRECATEDIN_3_0(int RSA_size(const RSA *rsa))
-DEPRECATEDIN_3_0(int RSA_security_bits(const RSA *rsa))
+RSA *RSA_new_method(ENGINE *engine);
+int RSA_bits(const RSA *rsa);
+int RSA_size(const RSA *rsa);
+int RSA_security_bits(const RSA *rsa);
 
 int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
 int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q);
@@ -217,12 +214,12 @@ const BIGNUM *RSA_get0_q(const RSA *d);
 const BIGNUM *RSA_get0_dmp1(const RSA *r);
 const BIGNUM *RSA_get0_dmq1(const RSA *r);
 const BIGNUM *RSA_get0_iqmp(const RSA *r);
-DEPRECATEDIN_3_0(const RSA_PSS_PARAMS *RSA_get0_pss_params(const RSA *r))
+const RSA_PSS_PARAMS *RSA_get0_pss_params(const RSA *r);
 void RSA_clear_flags(RSA *r, int flags);
 int RSA_test_flags(const RSA *r, int flags);
 void RSA_set_flags(RSA *r, int flags);
-DEPRECATEDIN_3_0(int RSA_get_version(RSA *r))
-DEPRECATEDIN_3_0(ENGINE *RSA_get0_engine(const RSA *r))
+int RSA_get_version(RSA *r);
+ENGINE *RSA_get0_engine(const RSA *r);
 
 /* Deprecated version */
 DEPRECATEDIN_0_9_8(RSA *RSA_generate_key(int bits, unsigned long e, void
@@ -230,52 +227,43 @@ DEPRECATEDIN_0_9_8(RSA *RSA_generate_key(int bits, unsigned long e, void
                                          void *cb_arg))
 
 /* New version */
-DEPRECATEDIN_3_0(int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e,
-                                         BN_GENCB *cb))
+int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
 /* Multi-prime version */
-DEPRECATEDIN_3_0(int RSA_generate_multi_prime_key(RSA *rsa, int bits,
-                                                  int primes, BIGNUM *e,
-                                                  BN_GENCB *cb))
-
-DEPRECATEDIN_3_0(int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2,
-                                        BIGNUM *q1, BIGNUM *q2,
-                                        const BIGNUM *Xp1, const BIGNUM *Xp2,
-                                        const BIGNUM *Xp, const BIGNUM *Xq1,
-                                        const BIGNUM *Xq2, const BIGNUM *Xq,
-                                        const BIGNUM *e, BN_GENCB *cb))
-DEPRECATEDIN_3_0(int RSA_X931_generate_key_ex(RSA *rsa, int bits,
-                                              const BIGNUM *e, BN_GENCB *cb))
-
-DEPRECATEDIN_3_0(int RSA_check_key(const RSA *))
-DEPRECATEDIN_3_0(int RSA_check_key_ex(const RSA *, BN_GENCB *cb))
+int RSA_generate_multi_prime_key(RSA *rsa, int bits, int primes,
+                                 BIGNUM *e, BN_GENCB *cb);
+
+int RSA_X931_derive_ex(RSA *rsa, BIGNUM *p1, BIGNUM *p2, BIGNUM *q1,
+                       BIGNUM *q2, const BIGNUM *Xp1, const BIGNUM *Xp2,
+                       const BIGNUM *Xp, const BIGNUM *Xq1, const BIGNUM *Xq2,
+                       const BIGNUM *Xq, const BIGNUM *e, BN_GENCB *cb);
+int RSA_X931_generate_key_ex(RSA *rsa, int bits, const BIGNUM *e,
+                             BN_GENCB *cb);
+
+int RSA_check_key(const RSA *);
+int RSA_check_key_ex(const RSA *, BN_GENCB *cb);
         /* next 4 return -1 on error */
-DEPRECATEDIN_3_0(int RSA_public_encrypt(int flen, const unsigned char *from,
-                                        unsigned char *to, RSA *rsa,
-                                        int padding))
-DEPRECATEDIN_3_0(int RSA_private_encrypt(int flen, const unsigned char *from,
-                                         unsigned char *to, RSA *rsa,
-                                         int padding))
-DEPRECATEDIN_3_0(int RSA_public_decrypt(int flen, const unsigned char *from,
-                                        unsigned char *to, RSA *rsa,
-                                        int padding))
-DEPRECATEDIN_3_0(int RSA_private_decrypt(int flen, const unsigned char *from,
-                                         unsigned char *to, RSA *rsa,
-                                         int padding))
+int RSA_public_encrypt(int flen, const unsigned char *from,
+                       unsigned char *to, RSA *rsa, int padding);
+int RSA_private_encrypt(int flen, const unsigned char *from,
+                        unsigned char *to, RSA *rsa, int padding);
+int RSA_public_decrypt(int flen, const unsigned char *from,
+                       unsigned char *to, RSA *rsa, int padding);
+int RSA_private_decrypt(int flen, const unsigned char *from,
+                        unsigned char *to, RSA *rsa, int padding);
 void RSA_free(RSA *r);
 /* "up" the RSA object's reference count */
 int RSA_up_ref(RSA *r);
 
-/* TODO(3.0): deprecate this one ssl/ssl_rsa.c can be changed to avoid it */
 int RSA_flags(const RSA *r);
 
-DEPRECATEDIN_3_0(void RSA_set_default_method(const RSA_METHOD *meth))
-DEPRECATEDIN_3_0(const RSA_METHOD *RSA_get_default_method(void))
-DEPRECATEDIN_3_0(const RSA_METHOD *RSA_null_method(void))
-DEPRECATEDIN_3_0(const RSA_METHOD *RSA_get_method(const RSA *rsa))
-DEPRECATEDIN_3_0(int RSA_set_method(RSA *rsa, const RSA_METHOD *meth))
+void RSA_set_default_method(const RSA_METHOD *meth);
+const RSA_METHOD *RSA_get_default_method(void);
+const RSA_METHOD *RSA_null_method(void);
+const RSA_METHOD *RSA_get_method(const RSA *rsa);
+int RSA_set_method(RSA *rsa, const RSA_METHOD *meth);
 
 /* these are the actual RSA functions */
-DEPRECATEDIN_3_0(const RSA_METHOD *RSA_PKCS1_OpenSSL(void))
+const RSA_METHOD *RSA_PKCS1_OpenSSL(void);
 
 int RSA_pkey_ctx_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2);
 
@@ -304,129 +292,101 @@ typedef struct rsa_oaep_params_st {
 DECLARE_ASN1_FUNCTIONS(RSA_OAEP_PARAMS)
 
 #  ifndef OPENSSL_NO_STDIO
-DEPRECATEDIN_3_0(int RSA_print_fp(FILE *fp, const RSA *r, int offset))
+int RSA_print_fp(FILE *fp, const RSA *r, int offset);
 #  endif
 
-DEPRECATEDIN_3_0(int RSA_print(BIO *bp, const RSA *r, int offset))
+int RSA_print(BIO *bp, const RSA *r, int offset);
 
 /*
  * The following 2 functions sign and verify a X509_SIG ASN1 object inside
  * PKCS#1 padded RSA encryption
  */
-DEPRECATEDIN_3_0(int RSA_sign(int type, const unsigned char *m,
-                              unsigned int m_length, unsigned char *sigret,
-                              unsigned int *siglen, RSA *rsa))
-DEPRECATEDIN_3_0(int RSA_verify(int type, const unsigned char *m,
-                                unsigned int m_length,
-                                const unsigned char *sigbuf,
-                                unsigned int siglen, RSA *rsa))
+int RSA_sign(int type, const unsigned char *m, unsigned int m_length,
+             unsigned char *sigret, unsigned int *siglen, RSA *rsa);
+int RSA_verify(int type, const unsigned char *m, unsigned int m_length,
+               const unsigned char *sigbuf, unsigned int siglen, RSA *rsa);
 
 /*
  * The following 2 function sign and verify a ASN1_OCTET_STRING object inside
  * PKCS#1 padded RSA encryption
  */
-DEPRECATEDIN_3_0(int RSA_sign_ASN1_OCTET_STRING(int type,
-                                                const unsigned char *m,
-                                                unsigned int m_length,
-                                                unsigned char *sigret,
-                                                unsigned int *siglen, RSA *rsa))
-DEPRECATEDIN_3_0(int RSA_verify_ASN1_OCTET_STRING(int type,
-                                                  const unsigned char *m,
-                                                  unsigned int m_length,
-                                                  unsigned char *sigbuf,
-                                                  unsigned int siglen,
-                                                  RSA *rsa))
-
-/* TODO(3.0): figure out how to deprecate these two */
+int RSA_sign_ASN1_OCTET_STRING(int type,
+                               const unsigned char *m, unsigned int m_length,
+                               unsigned char *sigret, unsigned int *siglen,
+                               RSA *rsa);
+int RSA_verify_ASN1_OCTET_STRING(int type, const unsigned char *m,
+                                 unsigned int m_length, unsigned char *sigbuf,
+                                 unsigned int siglen, RSA *rsa);
+
 int RSA_blinding_on(RSA *rsa, BN_CTX *ctx);
 void RSA_blinding_off(RSA *rsa);
-DEPRECATEDIN_3_0(BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *ctx))
-
-DEPRECATEDIN_3_0(int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
-                                                  const unsigned char *f,
-                                                  int fl))
-DEPRECATEDIN_3_0(int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
-                                                    const unsigned char *f,
-                                                    int fl, int rsa_len))
-DEPRECATEDIN_3_0(int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
-                                                  const unsigned char *f,
-                                                  int fl))
-DEPRECATEDIN_3_0(int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
-                                                    const unsigned char *f,
-                                                    int fl, int rsa_len))
-DEPRECATEDIN_3_0(int PKCS1_MGF1(unsigned char *mask, long len,
-                                const unsigned char *seed, long seedlen,
-                                const EVP_MD *dgst))
-DEPRECATEDIN_3_0(int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
-                                                const unsigned char *f, int fl,
-                                                const unsigned char *p, int pl))
-DEPRECATEDIN_3_0(int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
-                                                  const unsigned char *f,
-                                                  int fl, int rsa_len,
-                                                  const unsigned char *p,
-                                                  int pl))
-DEPRECATEDIN_3_0(int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to,
-                                                     int tlen,
-                                                     const unsigned char *from,
-                                                     int flen,
-                                                     const unsigned char *param,
-                                                     int plen,
-                                                     const EVP_MD *md,
-                                                     const EVP_MD *mgf1md))
-DEPRECATEDIN_3_0(int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to,
-                                                       int tlen,
-                                                       const unsigned char *from,
-                                                       int flen, int num,
-                                                       const unsigned char *param,
-                                                       int plen, const EVP_MD *md,
-                                                       const EVP_MD *mgf1md))
-DEPRECATEDIN_3_0(int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
-                                            const unsigned char *f, int fl))
-DEPRECATEDIN_3_0(int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
-                                              const unsigned char *f, int fl,
-                                              int rsa_len))
-DEPRECATEDIN_3_0(int RSA_padding_add_none(unsigned char *to, int tlen,
-                                          const unsigned char *f, int fl))
-DEPRECATEDIN_3_0(int RSA_padding_check_none(unsigned char *to, int tlen,
-                                            const unsigned char *f, int fl,
-                                            int rsa_len))
-DEPRECATEDIN_3_0(int RSA_padding_add_X931(unsigned char *to, int tlen,
-                                          const unsigned char *f, int fl))
-DEPRECATEDIN_3_0(int RSA_padding_check_X931(unsigned char *to, int tlen,
-                                            const unsigned char *f, int fl,
-                                            int rsa_len))
-DEPRECATEDIN_3_0(int RSA_X931_hash_id(int nid))
-
-DEPRECATEDIN_3_0(int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
-                                          const EVP_MD *Hash,
-                                          const unsigned char *EM, int sLen))
-DEPRECATEDIN_3_0(int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
-                                               const unsigned char *mHash,
-                                               const EVP_MD *Hash, int sLen))
-
-DEPRECATEDIN_3_0(int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa,
-                                               const unsigned char *mHash,
-                                               const EVP_MD *Hash,
-                                               const EVP_MD *mgf1Hash,
-                                               const unsigned char *EM,
-                                               int sLen))
-
-DEPRECATEDIN_3_0(int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa,
-                                                    unsigned char *EM,
-                                                    const unsigned char *mHash,
-                                                    const EVP_MD *Hash,
-                                                    const EVP_MD *mgf1Hash,
-                                                    int sLen))
+BN_BLINDING *RSA_setup_blinding(RSA *rsa, BN_CTX *ctx);
+
+int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
+                                 const unsigned char *f, int fl);
+int RSA_padding_check_PKCS1_type_1(unsigned char *to, int tlen,
+                                   const unsigned char *f, int fl,
+                                   int rsa_len);
+int RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
+                                 const unsigned char *f, int fl);
+int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
+                                   const unsigned char *f, int fl,
+                                   int rsa_len);
+int PKCS1_MGF1(unsigned char *mask, long len, const unsigned char *seed,
+               long seedlen, const EVP_MD *dgst);
+int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
+                               const unsigned char *f, int fl,
+                               const unsigned char *p, int pl);
+int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
+                                 const unsigned char *f, int fl, int rsa_len,
+                                 const unsigned char *p, int pl);
+int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
+                                    const unsigned char *from, int flen,
+                                    const unsigned char *param, int plen,
+                                    const EVP_MD *md, const EVP_MD *mgf1md);
+int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
+                                      const unsigned char *from, int flen,
+                                      int num, const unsigned char *param,
+                                      int plen, const EVP_MD *md,
+                                      const EVP_MD *mgf1md);
+int RSA_padding_add_SSLv23(unsigned char *to, int tlen,
+                           const unsigned char *f, int fl);
+int RSA_padding_check_SSLv23(unsigned char *to, int tlen,
+                             const unsigned char *f, int fl, int rsa_len);
+int RSA_padding_add_none(unsigned char *to, int tlen, const unsigned char *f,
+                         int fl);
+int RSA_padding_check_none(unsigned char *to, int tlen,
+                           const unsigned char *f, int fl, int rsa_len);
+int RSA_padding_add_X931(unsigned char *to, int tlen, const unsigned char *f,
+                         int fl);
+int RSA_padding_check_X931(unsigned char *to, int tlen,
+                           const unsigned char *f, int fl, int rsa_len);
+int RSA_X931_hash_id(int nid);
+
+int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash,
+                         const EVP_MD *Hash, const unsigned char *EM,
+                         int sLen);
+int RSA_padding_add_PKCS1_PSS(RSA *rsa, unsigned char *EM,
+                              const unsigned char *mHash, const EVP_MD *Hash,
+                              int sLen);
+
+int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
+                              const EVP_MD *Hash, const EVP_MD *mgf1Hash,
+                              const unsigned char *EM, int sLen);
+
+int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
+                                   const unsigned char *mHash,
+                                   const EVP_MD *Hash, const EVP_MD *mgf1Hash,
+                                   int sLen);
 
 #  define RSA_get_ex_new_index(l, p, newf, dupf, freef) \
     CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_RSA, l, p, newf, dupf, freef)
-DEPRECATEDIN_3_0(int RSA_set_ex_data(RSA *r, int idx, void *arg))
-DEPRECATEDIN_3_0(void *RSA_get_ex_data(const RSA *r, int idx))
+int RSA_set_ex_data(RSA *r, int idx, void *arg);
+void *RSA_get_ex_data(const RSA *r, int idx);
 
 DECLARE_ASN1_DUP_FUNCTION_name(RSA, RSAPublicKey)
 DECLARE_ASN1_DUP_FUNCTION_name(RSA, RSAPrivateKey)
 
-#  ifndef OPENSSL_NO_DEPRECATED_3_0
 /*
  * If this flag is set the RSA method is FIPS compliant and can be used in
  * FIPS mode. This is set in the validated module method. If an application
@@ -434,7 +394,7 @@ DECLARE_ASN1_DUP_FUNCTION_name(RSA, RSAPrivateKey)
  * result is compliant.
  */
 
-#   define RSA_FLAG_FIPS_METHOD                    0x0400
+#  define RSA_FLAG_FIPS_METHOD                    0x0400
 
 /*
  * If this flag is set the operations normally disabled in FIPS mode are
@@ -442,101 +402,99 @@ DECLARE_ASN1_DUP_FUNCTION_name(RSA, RSAPrivateKey)
  * usage is compliant.
  */
 
-#   define RSA_FLAG_NON_FIPS_ALLOW                 0x0400
+#  define RSA_FLAG_NON_FIPS_ALLOW                 0x0400
 /*
  * Application has decided PRNG is good enough to generate a key: don't
  * check.
  */
-#   define RSA_FLAG_CHECKED                        0x0800
-#  endif /* OPENSSL_NO_DEPRECATED_3_0 */
-
-DEPRECATEDIN_3_0(RSA_METHOD *RSA_meth_new(const char *name, int flags))
-DEPRECATEDIN_3_0(void RSA_meth_free(RSA_METHOD *meth))
-DEPRECATEDIN_3_0(RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth))
-DEPRECATEDIN_3_0(const char *RSA_meth_get0_name(const RSA_METHOD *meth))
-DEPRECATEDIN_3_0(int RSA_meth_set1_name(RSA_METHOD *meth, const char *name))
-DEPRECATEDIN_3_0(int RSA_meth_get_flags(const RSA_METHOD *meth))
-DEPRECATEDIN_3_0(int RSA_meth_set_flags(RSA_METHOD *meth, int flags))
-DEPRECATEDIN_3_0(void *RSA_meth_get0_app_data(const RSA_METHOD *meth))
-DEPRECATEDIN_3_0(int RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data))
-DEPRECATEDIN_3_0(int (*RSA_meth_get_pub_enc(const RSA_METHOD *meth))
+#  define RSA_FLAG_CHECKED                        0x0800
+
+RSA_METHOD *RSA_meth_new(const char *name, int flags);
+void RSA_meth_free(RSA_METHOD *meth);
+RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth);
+const char *RSA_meth_get0_name(const RSA_METHOD *meth);
+int RSA_meth_set1_name(RSA_METHOD *meth, const char *name);
+int RSA_meth_get_flags(const RSA_METHOD *meth);
+int RSA_meth_set_flags(RSA_METHOD *meth, int flags);
+void *RSA_meth_get0_app_data(const RSA_METHOD *meth);
+int RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data);
+int (*RSA_meth_get_pub_enc(const RSA_METHOD *meth))
     (int flen, const unsigned char *from,
-     unsigned char *to, RSA *rsa, int padding))
-DEPRECATEDIN_3_0(int RSA_meth_set_pub_enc(RSA_METHOD *rsa,
+     unsigned char *to, RSA *rsa, int padding);
+int RSA_meth_set_pub_enc(RSA_METHOD *rsa,
                          int (*pub_enc) (int flen, const unsigned char *from,
                                          unsigned char *to, RSA *rsa,
-                                         int padding)))
-DEPRECATEDIN_3_0(int (*RSA_meth_get_pub_dec(const RSA_METHOD *meth))
+                                         int padding));
+int (*RSA_meth_get_pub_dec(const RSA_METHOD *meth))
     (int flen, const unsigned char *from,
-     unsigned char *to, RSA *rsa, int padding))
-DEPRECATEDIN_3_0(int RSA_meth_set_pub_dec(RSA_METHOD *rsa,
+     unsigned char *to, RSA *rsa, int padding);
+int RSA_meth_set_pub_dec(RSA_METHOD *rsa,
                          int (*pub_dec) (int flen, const unsigned char *from,
                                          unsigned char *to, RSA *rsa,
-                                         int padding)))
-DEPRECATEDIN_3_0(int (*RSA_meth_get_priv_enc(const RSA_METHOD *meth))
+                                         int padding));
+int (*RSA_meth_get_priv_enc(const RSA_METHOD *meth))
     (int flen, const unsigned char *from,
-     unsigned char *to, RSA *rsa, int padding))
-DEPRECATEDIN_3_0(int RSA_meth_set_priv_enc(RSA_METHOD *rsa,
+     unsigned char *to, RSA *rsa, int padding);
+int RSA_meth_set_priv_enc(RSA_METHOD *rsa,
                           int (*priv_enc) (int flen, const unsigned char *from,
                                            unsigned char *to, RSA *rsa,
-                                           int padding)))
-DEPRECATEDIN_3_0(int (*RSA_meth_get_priv_dec(const RSA_METHOD *meth))
+                                           int padding));
+int (*RSA_meth_get_priv_dec(const RSA_METHOD *meth))
     (int flen, const unsigned char *from,
-     unsigned char *to, RSA *rsa, int padding))
-DEPRECATEDIN_3_0(int RSA_meth_set_priv_dec(RSA_METHOD *rsa,
+     unsigned char *to, RSA *rsa, int padding);
+int RSA_meth_set_priv_dec(RSA_METHOD *rsa,
                           int (*priv_dec) (int flen, const unsigned char *from,
                                            unsigned char *to, RSA *rsa,
-                                           int padding)))
-DEPRECATEDIN_3_0(int (*RSA_meth_get_mod_exp(const RSA_METHOD *meth))
-    (BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx))
-DEPRECATEDIN_3_0(int RSA_meth_set_mod_exp(RSA_METHOD *rsa,
+                                           int padding));
+int (*RSA_meth_get_mod_exp(const RSA_METHOD *meth))
+    (BIGNUM *r0, const BIGNUM *i, RSA *rsa, BN_CTX *ctx);
+int RSA_meth_set_mod_exp(RSA_METHOD *rsa,
                          int (*mod_exp) (BIGNUM *r0, const BIGNUM *i, RSA *rsa,
-                                         BN_CTX *ctx)))
-DEPRECATEDIN_3_0(int (*RSA_meth_get_bn_mod_exp(const RSA_METHOD *meth))
+                                         BN_CTX *ctx));
+int (*RSA_meth_get_bn_mod_exp(const RSA_METHOD *meth))
     (BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
-     const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx))
-DEPRECATEDIN_3_0(int RSA_meth_set_bn_mod_exp(RSA_METHOD *rsa,
+     const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+int RSA_meth_set_bn_mod_exp(RSA_METHOD *rsa,
                             int (*bn_mod_exp) (BIGNUM *r,
                                                const BIGNUM *a,
                                                const BIGNUM *p,
                                                const BIGNUM *m,
                                                BN_CTX *ctx,
-                                               BN_MONT_CTX *m_ctx)))
-DEPRECATEDIN_3_0(int (*RSA_meth_get_init(const RSA_METHOD *meth)) (RSA *rsa))
-DEPRECATEDIN_3_0(int RSA_meth_set_init(RSA_METHOD *rsa, int (*init) (RSA *rsa)))
-DEPRECATEDIN_3_0(int (*RSA_meth_get_finish(const RSA_METHOD *meth)) (RSA *rsa))
-DEPRECATEDIN_3_0(int RSA_meth_set_finish(RSA_METHOD *rsa,
-                            int (*finish) (RSA *rsa)))
-DEPRECATEDIN_3_0(int (*RSA_meth_get_sign(const RSA_METHOD *meth))
+                                               BN_MONT_CTX *m_ctx));
+int (*RSA_meth_get_init(const RSA_METHOD *meth)) (RSA *rsa);
+int RSA_meth_set_init(RSA_METHOD *rsa, int (*init) (RSA *rsa));
+int (*RSA_meth_get_finish(const RSA_METHOD *meth)) (RSA *rsa);
+int RSA_meth_set_finish(RSA_METHOD *rsa, int (*finish) (RSA *rsa));
+int (*RSA_meth_get_sign(const RSA_METHOD *meth))
     (int type,
      const unsigned char *m, unsigned int m_length,
      unsigned char *sigret, unsigned int *siglen,
-     const RSA *rsa))
-DEPRECATEDIN_3_0(int RSA_meth_set_sign(RSA_METHOD *rsa,
+     const RSA *rsa);
+int RSA_meth_set_sign(RSA_METHOD *rsa,
                       int (*sign) (int type, const unsigned char *m,
                                    unsigned int m_length,
                                    unsigned char *sigret, unsigned int *siglen,
-                                   const RSA *rsa)))
-DEPRECATEDIN_3_0(int (*RSA_meth_get_verify(const RSA_METHOD *meth))
+                                   const RSA *rsa));
+int (*RSA_meth_get_verify(const RSA_METHOD *meth))
     (int dtype, const unsigned char *m,
      unsigned int m_length, const unsigned char *sigbuf,
-     unsigned int siglen, const RSA *rsa))
-DEPRECATEDIN_3_0(int RSA_meth_set_verify(RSA_METHOD *rsa,
+     unsigned int siglen, const RSA *rsa);
+int RSA_meth_set_verify(RSA_METHOD *rsa,
                         int (*verify) (int dtype, const unsigned char *m,
                                        unsigned int m_length,
                                        const unsigned char *sigbuf,
-                                       unsigned int siglen, const RSA *rsa)))
-DEPRECATEDIN_3_0(int (*RSA_meth_get_keygen(const RSA_METHOD *meth))
-    (RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb))
-DEPRECATEDIN_3_0(int RSA_meth_set_keygen(RSA_METHOD *rsa,
+                                       unsigned int siglen, const RSA *rsa));
+int (*RSA_meth_get_keygen(const RSA_METHOD *meth))
+    (RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
+int RSA_meth_set_keygen(RSA_METHOD *rsa,
                         int (*keygen) (RSA *rsa, int bits, BIGNUM *e,
-                                       BN_GENCB *cb)))
-DEPRECATEDIN_3_0(int (*RSA_meth_get_multi_prime_keygen(const RSA_METHOD *meth))
-    (RSA *rsa, int bits, int primes, BIGNUM *e, BN_GENCB *cb))
-DEPRECATEDIN_3_0(int RSA_meth_set_multi_prime_keygen(RSA_METHOD *meth,
+                                       BN_GENCB *cb));
+int (*RSA_meth_get_multi_prime_keygen(const RSA_METHOD *meth))
+    (RSA *rsa, int bits, int primes, BIGNUM *e, BN_GENCB *cb);
+int RSA_meth_set_multi_prime_keygen(RSA_METHOD *meth,
                                     int (*keygen) (RSA *rsa, int bits,
                                                    int primes, BIGNUM *e,
-                                                   BN_GENCB *cb)))
+                                                   BN_GENCB *cb));
 
 #  ifdef  __cplusplus
 }
diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
index 5f05d1810b..dad9edf962 100644
--- a/providers/implementations/asymciphers/rsa_enc.c
+++ b/providers/implementations/asymciphers/rsa_enc.c
@@ -7,12 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/*
- * RSA low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
 #include <openssl/crypto.h>
 #include <openssl/evp.h>
 #include <openssl/core_numbers.h>
diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c
index 8ea394115b..f117d99001 100644
--- a/providers/implementations/keymgmt/rsa_kmgmt.c
+++ b/providers/implementations/keymgmt/rsa_kmgmt.c
@@ -7,12 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/*
- * RSA low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
 #include <openssl/core_numbers.h>
 #include <openssl/core_names.h>
 #include <openssl/bn.h>
diff --git a/providers/implementations/serializers/serializer_rsa.c b/providers/implementations/serializers/serializer_rsa.c
index 21898f9e3d..594c3d758f 100644
--- a/providers/implementations/serializers/serializer_rsa.c
+++ b/providers/implementations/serializers/serializer_rsa.c
@@ -7,12 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/*
- * RSA low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
 #include "crypto/rsa.h"           /* rsa_get0_all_params() */
 #include "prov/bio.h"             /* ossl_prov_bio_printf() */
 #include "prov/implementations.h" /* rsa_keymgmt_functions */
diff --git a/providers/implementations/serializers/serializer_rsa_priv.c b/providers/implementations/serializers/serializer_rsa_priv.c
index 23042041de..af0aadcda1 100644
--- a/providers/implementations/serializers/serializer_rsa_priv.c
+++ b/providers/implementations/serializers/serializer_rsa_priv.c
@@ -7,12 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/*
- * RSA low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
 #include <openssl/core_numbers.h>
 #include <openssl/core_names.h>
 #include <openssl/err.h>
diff --git a/providers/implementations/serializers/serializer_rsa_pub.c b/providers/implementations/serializers/serializer_rsa_pub.c
index 3ee0501ee1..f7eccf7624 100644
--- a/providers/implementations/serializers/serializer_rsa_pub.c
+++ b/providers/implementations/serializers/serializer_rsa_pub.c
@@ -7,12 +7,6 @@
  * https://www.openssl.org/source/license.html
  */
 
-/*
- * RSA low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
 #include <openssl/core_numbers.h>
 #include <openssl/pem.h>
 #include <openssl/rsa.h>
diff --git a/ssl/s3_enc.c b/ssl/s3_enc.c
index 76bea32dbd..ea0fb750f1 100644
--- a/ssl/s3_enc.c
+++ b/ssl/s3_enc.c
@@ -86,7 +86,7 @@ static int ssl3_generate_key_block(SSL *s, unsigned char *km, int num)
  err:
     EVP_MD_CTX_free(m5);
     EVP_MD_CTX_free(s1);
-    ssl_evp_md_free(md5);
+    EVP_MD_free(md5);
     return ret;
 }
 
@@ -257,16 +257,13 @@ int ssl3_setup_key_block(SSL *s)
     if (s->s3.tmp.key_block_length != 0)
         return 1;
 
-    if (!ssl_cipher_get_evp(s->ctx, s->session, &c, &hash, NULL, NULL, &comp,
-                            0)) {
+    if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, &comp, 0)) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_SSL3_SETUP_KEY_BLOCK,
                  SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
         return 0;
     }
 
-    ssl_evp_cipher_free(s->s3.tmp.new_sym_enc);
     s->s3.tmp.new_sym_enc = c;
-    ssl_evp_md_free(s->s3.tmp.new_hash);
     s->s3.tmp.new_hash = hash;
 #ifdef OPENSSL_NO_COMP
     s->s3.tmp.new_compression = NULL;
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 9902fa3811..26f19108ee 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -3334,9 +3334,6 @@ void ssl3_free(SSL *s)
     s->s3.tmp.pkey = NULL;
 #endif
 
-    ssl_evp_cipher_free(s->s3.tmp.new_sym_enc);
-    ssl_evp_md_free(s->s3.tmp.new_hash);
-
     OPENSSL_free(s->s3.tmp.ctype);
     sk_X509_NAME_pop_free(s->s3.tmp.peer_ca_names, X509_NAME_free);
     OPENSSL_free(s->s3.tmp.ciphers_raw);
@@ -4160,6 +4157,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
     STACK_OF(SSL_CIPHER) *prio, *allow;
     int i, ii, ok, prefer_sha256 = 0;
     unsigned long alg_k = 0, alg_a = 0, mask_k = 0, mask_a = 0;
+    const EVP_MD *mdsha256 = EVP_sha256();
 #ifndef OPENSSL_NO_CHACHA
     STACK_OF(SSL_CIPHER) *prio_chacha = NULL;
 #endif
@@ -4333,12 +4331,7 @@ const SSL_CIPHER *ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
             if (prefer_sha256) {
                 const SSL_CIPHER *tmp = sk_SSL_CIPHER_value(allow, ii);
 
-                /*
-                 * TODO: When there are no more legacy digests we can just use
-                 * OSSL_DIGEST_NAME_SHA2_256 instead of calling OBJ_nid2sn
-                 */
-                if (EVP_MD_is_a(ssl_md(s->ctx, tmp->algorithm2),
-                                       OBJ_nid2sn(NID_sha256))) {
+                if (ssl_md(tmp->algorithm2) == mdsha256) {
                     ret = tmp;
                     break;
                 }
diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c
index 066c38a7cc..04ffae325c 100644
--- a/ssl/ssl_ciph.c
+++ b/ssl/ssl_ciph.c
@@ -22,6 +22,30 @@
 #include "internal/thread_once.h"
 #include "internal/cryptlib.h"
 
+#define SSL_ENC_DES_IDX         0
+#define SSL_ENC_3DES_IDX        1
+#define SSL_ENC_RC4_IDX         2
+#define SSL_ENC_RC2_IDX         3
+#define SSL_ENC_IDEA_IDX        4
+#define SSL_ENC_NULL_IDX        5
+#define SSL_ENC_AES128_IDX      6
+#define SSL_ENC_AES256_IDX      7
+#define SSL_ENC_CAMELLIA128_IDX 8
+#define SSL_ENC_CAMELLIA256_IDX 9
+#define SSL_ENC_GOST89_IDX      10
+#define SSL_ENC_SEED_IDX        11
+#define SSL_ENC_AES128GCM_IDX   12
+#define SSL_ENC_AES256GCM_IDX   13
+#define SSL_ENC_AES128CCM_IDX   14
+#define SSL_ENC_AES256CCM_IDX   15
+#define SSL_ENC_AES128CCM8_IDX  16
+#define SSL_ENC_AES256CCM8_IDX  17
+#define SSL_ENC_GOST8912_IDX    18
+#define SSL_ENC_CHACHA_IDX      19
+#define SSL_ENC_ARIA128GCM_IDX  20
+#define SSL_ENC_ARIA256GCM_IDX  21
+#define SSL_ENC_NUM_IDX         22
+
 /* NB: make sure indices in these tables match values above */
 
 typedef struct {
@@ -55,6 +79,8 @@ static const ssl_cipher_table ssl_cipher_table_cipher[SSL_ENC_NUM_IDX] = {
     {SSL_ARIA256GCM, NID_aria_256_gcm}, /* SSL_ENC_ARIA256GCM_IDX 21 */
 };
 
+static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX];
+
 #define SSL_COMP_NULL_IDX       0
 #define SSL_COMP_ZLIB_IDX       1
 #define SSL_COMP_NUM_IDX        2
@@ -65,6 +91,13 @@ static STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
 static CRYPTO_ONCE ssl_load_builtin_comp_once = CRYPTO_ONCE_STATIC_INIT;
 #endif
 
+/*
+ * Constant SSL_MAX_DIGEST equal to size of digests array should be defined
+ * in the ssl_local.h
+ */
+
+#define SSL_MD_NUM_IDX  SSL_MAX_DIGEST
+
 /* NB: make sure indices in this table matches values above */
 static const ssl_cipher_table ssl_cipher_table_mac[SSL_MD_NUM_IDX] = {
     {SSL_MD5, NID_md5},         /* SSL_MD_MD5_IDX 0 */
@@ -81,6 +114,10 @@ static const ssl_cipher_table ssl_cipher_table_mac[SSL_MD_NUM_IDX] = {
     {0, NID_sha512}             /* SSL_MD_SHA512_IDX 11 */
 };
 
+static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX] = {
+    NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL
+};
+
 /* *INDENT-OFF* */
 static const ssl_cipher_table ssl_cipher_table_kx[] = {
     {SSL_kRSA,      NID_kx_rsa},
@@ -139,6 +176,8 @@ static int ssl_mac_pkey_id[SSL_MD_NUM_IDX] = {
     NID_undef, NID_undef, NID_undef
 };
 
+static size_t ssl_mac_secret_size[SSL_MD_NUM_IDX];
+
 #define CIPHER_ADD      1
 #define CIPHER_KILL     2
 #define CIPHER_DEL      3
@@ -317,37 +356,41 @@ static uint32_t disabled_mac_mask;
 static uint32_t disabled_mkey_mask;
 static uint32_t disabled_auth_mask;
 
-int ssl_load_ciphers(SSL_CTX *ctx)
+int ssl_load_ciphers(void)
 {
     size_t i;
     const ssl_cipher_table *t;
 
     disabled_enc_mask = 0;
+    ssl_sort_cipher_list();
     for (i = 0, t = ssl_cipher_table_cipher; i < SSL_ENC_NUM_IDX; i++, t++) {
-        if (t->nid != NID_undef) {
-            const EVP_CIPHER *cipher
-                = ssl_evp_cipher_fetch(ctx->libctx, t->nid, ctx->propq);
-
-            ctx->ssl_cipher_methods[i] = cipher;
+        if (t->nid == NID_undef) {
+            ssl_cipher_methods[i] = NULL;
+        } else {
+            const EVP_CIPHER *cipher = EVP_get_cipherbynid(t->nid);
+            ssl_cipher_methods[i] = cipher;
             if (cipher == NULL)
                 disabled_enc_mask |= t->mask;
         }
     }
     disabled_mac_mask = 0;
     for (i = 0, t = ssl_cipher_table_mac; i < SSL_MD_NUM_IDX; i++, t++) {
-        const EVP_MD *md
-            = ssl_evp_md_fetch(ctx->libctx, t->nid, ctx->propq);
-
-        ctx->ssl_digest_methods[i] = md;
+        const EVP_MD *md = EVP_get_digestbynid(t->nid);
+        ssl_digest_methods[i] = md;
         if (md == NULL) {
             disabled_mac_mask |= t->mask;
         } else {
             int tmpsize = EVP_MD_size(md);
             if (!ossl_assert(tmpsize >= 0))
                 return 0;
-            ctx->ssl_mac_secret_size[i] = tmpsize;
+            ssl_mac_secret_size[i] = tmpsize;
         }
     }
+    /* Make sure we can access MD5 and SHA1 */
+    if (!ossl_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL))
+        return 0;
+    if (!ossl_assert(ssl_digest_methods[SSL_MD_SHA1_IDX] != NULL))
+        return 0;
 
     disabled_mkey_mask = 0;
     disabled_auth_mask = 0;
@@ -380,14 +423,14 @@ int ssl_load_ciphers(SSL_CTX *ctx)
      */
     ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX] = get_optional_pkey_id("gost-mac");
     if (ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX])
-        ctx->ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX] = 32;
+        ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX] = 32;
     else
         disabled_mac_mask |= SSL_GOST89MAC;
 
     ssl_mac_pkey_id[SSL_MD_GOST89MAC12_IDX] =
         get_optional_pkey_id("gost-mac-12");
     if (ssl_mac_pkey_id[SSL_MD_GOST89MAC12_IDX])
-        ctx->ssl_mac_secret_size[SSL_MD_GOST89MAC12_IDX] = 32;
+        ssl_mac_secret_size[SSL_MD_GOST89MAC12_IDX] = 32;
     else
         disabled_mac_mask |= SSL_GOST89MAC12;
 
@@ -440,39 +483,9 @@ static int load_builtin_compressions(void)
 }
 #endif
 
-int ssl_cipher_get_evp_cipher(SSL_CTX *ctx, const SSL_CIPHER *sslc,
-                              const EVP_CIPHER **enc)
-{
-    int i = ssl_cipher_info_lookup(ssl_cipher_table_cipher, sslc->algorithm_enc);
-
-    if (i == -1) {
-        *enc = NULL;
-    } else {
-        if (i == SSL_ENC_NULL_IDX) {
-            /*
-             * We assume we don't care about this coming from an ENGINE so
-             * just do a normal EVP_CIPHER_fetch instead of
-             * ssl_evp_cipher_fetch()
-             */
-            *enc = EVP_CIPHER_fetch(ctx->libctx, "NULL", ctx->propq);
-            if (*enc == NULL)
-                return 0;
-        } else {
-            const EVP_CIPHER *cipher = ctx->ssl_cipher_methods[i];
-
-            if (cipher == NULL
-                    || !ssl_evp_cipher_up_ref(cipher))
-                return 0;
-            *enc = ctx->ssl_cipher_methods[i];
-        }
-    }
-    return 1;
-}
-
-int ssl_cipher_get_evp(SSL_CTX *ctx, const SSL_SESSION *s,
-                       const EVP_CIPHER **enc, const EVP_MD **md,
-                       int *mac_pkey_type, size_t *mac_secret_size,
-                       SSL_COMP **comp, int use_etm)
+int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
+                       const EVP_MD **md, int *mac_pkey_type,
+                       size_t *mac_secret_size, SSL_COMP **comp, int use_etm)
 {
     int i;
     const SSL_CIPHER *c;
@@ -504,8 +517,16 @@ int ssl_cipher_get_evp(SSL_CTX *ctx, const SSL_SESSION *s,
     if ((enc == NULL) || (md == NULL))
         return 0;
 
-    if (!ssl_cipher_get_evp_cipher(ctx, c, enc))
-        return 0;
+    i = ssl_cipher_info_lookup(ssl_cipher_table_cipher, c->algorithm_enc);
+
+    if (i == -1) {
+        *enc = NULL;
+    } else {
+        if (i == SSL_ENC_NULL_IDX)
+            *enc = EVP_enc_null();
+        else
+            *enc = ssl_cipher_methods[i];
+    }
 
     i = ssl_cipher_info_lookup(ssl_cipher_table_mac, c->algorithm_mac);
     if (i == -1) {
@@ -517,80 +538,67 @@ int ssl_cipher_get_evp(SSL_CTX *ctx, const SSL_SESSION *s,
         if (c->algorithm_mac == SSL_AEAD)
             mac_pkey_type = NULL;
     } else {
-        if (!ssl_evp_md_up_ref(ctx->ssl_digest_methods[i])) {
-            ssl_evp_cipher_free(*enc);
-            return 0;
-        }
-        *md = ctx->ssl_digest_methods[i];
+        *md = ssl_digest_methods[i];
         if (mac_pkey_type != NULL)
             *mac_pkey_type = ssl_mac_pkey_id[i];
         if (mac_secret_size != NULL)
-            *mac_secret_size = ctx->ssl_mac_secret_size[i];
+            *mac_secret_size = ssl_mac_secret_size[i];
     }
 
     if ((*enc != NULL) &&
         (*md != NULL || (EVP_CIPHER_flags(*enc) & EVP_CIPH_FLAG_AEAD_CIPHER))
         && (!mac_pkey_type || *mac_pkey_type != NID_undef)) {
-        const EVP_CIPHER *evp = NULL;
+        const EVP_CIPHER *evp;
 
-        if (use_etm
-                || s->ssl_version >> 8 != TLS1_VERSION_MAJOR
-                || s->ssl_version < TLS1_VERSION)
+        if (use_etm)
             return 1;
 
-        if (c->algorithm_enc == SSL_RC4
-                && c->algorithm_mac == SSL_MD5)
-            evp = ssl_evp_cipher_fetch(ctx->libctx, NID_rc4_hmac_md5,
-                                       ctx->propq);
-        else if (c->algorithm_enc == SSL_AES128
-                    && c->algorithm_mac == SSL_SHA1)
-            evp = ssl_evp_cipher_fetch(ctx->libctx,
-                                       NID_aes_128_cbc_hmac_sha1,
-                                       ctx->propq);
-        else if (c->algorithm_enc == SSL_AES256
-                    && c->algorithm_mac == SSL_SHA1)
-             evp = ssl_evp_cipher_fetch(ctx->libctx,
-                                        NID_aes_256_cbc_hmac_sha1,
-                                        ctx->propq);
-        else if (c->algorithm_enc == SSL_AES128
-                    && c->algorithm_mac == SSL_SHA256)
-            evp = ssl_evp_cipher_fetch(ctx->libctx,
-                                       NID_aes_128_cbc_hmac_sha256,
-                                       ctx->propq);
-        else if (c->algorithm_enc == SSL_AES256
-                    && c->algorithm_mac == SSL_SHA256)
-            evp = ssl_evp_cipher_fetch(ctx->libctx,
-                                       NID_aes_256_cbc_hmac_sha256,
-                                       ctx->propq);
-
-        if (evp != NULL) {
-            ssl_evp_cipher_free(*enc);
-            ssl_evp_md_free(*md);
-            *enc = evp;
-            *md = NULL;
-        }
+        if (s->ssl_version >> 8 != TLS1_VERSION_MAJOR ||
+            s->ssl_version < TLS1_VERSION)
+            return 1;
+
+        if (c->algorithm_enc == SSL_RC4 &&
+            c->algorithm_mac == SSL_MD5 &&
+            (evp = EVP_get_cipherbyname("RC4-HMAC-MD5")))
+            *enc = evp, *md = NULL;
+        else if (c->algorithm_enc == SSL_AES128 &&
+                 c->algorithm_mac == SSL_SHA1 &&
+                 (evp = EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA1")))
+            *enc = evp, *md = NULL;
+        else if (c->algorithm_enc == SSL_AES256 &&
+                 c->algorithm_mac == SSL_SHA1 &&
+                 (evp = EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1")))
+            *enc = evp, *md = NULL;
+        else if (c->algorithm_enc == SSL_AES128 &&
+                 c->algorithm_mac == SSL_SHA256 &&
+                 (evp = EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA256")))
+            *enc = evp, *md = NULL;
+        else if (c->algorithm_enc == SSL_AES256 &&
+                 c->algorithm_mac == SSL_SHA256 &&
+                 (evp = EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA256")))
+            *enc = evp, *md = NULL;
         return 1;
+    } else {
+        return 0;
     }
-
-    return 0;
 }
 
-const EVP_MD *ssl_md(SSL_CTX *ctx, int idx)
+const EVP_MD *ssl_md(int idx)
 {
     idx &= SSL_HANDSHAKE_MAC_MASK;
     if (idx < 0 || idx >= SSL_MD_NUM_IDX)
         return NULL;
-    return ctx->ssl_digest_methods[idx];
+    return ssl_digest_methods[idx];
 }
 
 const EVP_MD *ssl_handshake_md(SSL *s)
 {
-    return ssl_md(s->ctx, ssl_get_algorithm2(s));
+    return ssl_md(ssl_get_algorithm2(s));
 }
 
 const EVP_MD *ssl_prf_md(SSL *s)
 {
-    return ssl_md(s->ctx, ssl_get_algorithm2(s) >> TLS1_PRF_DGST_SHIFT);
+    return ssl_md(ssl_get_algorithm2(s) >> TLS1_PRF_DGST_SHIFT);
 }
 
 #define ITEM_SEP(a) \
@@ -2087,7 +2095,7 @@ const EVP_MD *SSL_CIPHER_get_handshake_digest(const SSL_CIPHER *c)
 
     if (idx < 0 || idx >= SSL_MD_NUM_IDX)
         return NULL;
-    return EVP_get_digestbynid(ssl_cipher_table_mac[idx].nid);
+    return ssl_digest_methods[idx];
 }
 
 int SSL_CIPHER_is_aead(const SSL_CIPHER *c)
diff --git a/ssl/ssl_init.c b/ssl/ssl_init.c
index 2ccbda7fa3..3e85426112 100644
--- a/ssl/ssl_init.c
+++ b/ssl/ssl_init.c
@@ -94,7 +94,10 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_base)
      */
     SSL_COMP_get_compression_methods();
 #endif
-    ssl_sort_cipher_list();
+    /* initialize cipher/digest methods table */
+    if (!ssl_load_ciphers())
+        return 0;
+
     OSSL_TRACE(INIT,"ossl_init_ssl_base: SSL_add_ssl_module()\n");
     /*
      * We ignore an error return here. Not much we can do - but not that bad
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index a08ddb138b..b5239d6eb2 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3146,10 +3146,6 @@ SSL_CTX *SSL_CTX_new_with_libctx(OPENSSL_CTX *libctx, const char *propq,
         goto err;
 #endif
 
-    /* initialize cipher/digest methods table */
-    if (!ssl_load_ciphers(ret))
-        goto err2;
-
     if (!SSL_CTX_set_ciphersuites(ret, OSSL_default_ciphersuites()))
         goto err;
 
@@ -3166,12 +3162,14 @@ SSL_CTX *SSL_CTX_new_with_libctx(OPENSSL_CTX *libctx, const char *propq,
     if (ret->param == NULL)
         goto err;
 
-    /*
-     * If these aren't available from the provider we'll get NULL returns.
-     * That's fine but will cause errors later if SSLv3 is negotiated
-     */
-    ret->md5 = ssl_evp_md_fetch(libctx, NID_md5, propq);
-    ret->sha1 = ssl_evp_md_fetch(libctx, NID_sha1, propq);
+    if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) {
+        SSLerr(0, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES);
+        goto err2;
+    }
+    if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) {
+        SSLerr(0, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES);
+        goto err2;
+    }
 
     if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL)
         goto err;
@@ -3361,14 +3359,6 @@ void SSL_CTX_free(SSL_CTX *a)
     OPENSSL_free(a->ext.alpn);
     OPENSSL_secure_free(a->ext.secure);
 
-    ssl_evp_md_free(a->md5);
-    ssl_evp_md_free(a->sha1);
-
-    for (i = 0; i < SSL_ENC_NUM_IDX; i++)
-        ssl_evp_cipher_free(a->ssl_cipher_methods[i]);
-    for (i = 0; i < SSL_MD_NUM_IDX; i++)
-        ssl_evp_md_free(a->ssl_digest_methods[i]);
-
     CRYPTO_THREAD_lock_free(a->lock);
 
     OPENSSL_free(a->propq);
@@ -5843,112 +5833,3 @@ void SSL_set_allow_early_data_cb(SSL *s,
     s->allow_early_data_cb = cb;
     s->allow_early_data_cb_data = arg;
 }
-
-const EVP_CIPHER *ssl_evp_cipher_fetch(OPENSSL_CTX *libctx,
-                                       int nid,
-                                       const char *properties)
-{
-    EVP_CIPHER *ciph;
-
-#ifndef OPENSSL_NO_ENGINE
-    ENGINE *eng;
-
-    /*
-     * If there is an Engine available for this cipher we use the "implicit"
-     * form to ensure we use that engine later.
-     */
-    eng = ENGINE_get_cipher_engine(nid);
-    if (eng != NULL) {
-        ENGINE_finish(eng);
-        return EVP_get_cipherbynid(nid);
-    }
-#endif
-
-    /* Otherwise we do an explicit fetch. This may fail and that could be ok */
-    ERR_set_mark();
-    ciph = EVP_CIPHER_fetch(libctx, OBJ_nid2sn(nid), properties);
-    ERR_pop_to_mark();
-    return ciph;
-}
-
-
-int ssl_evp_cipher_up_ref(const EVP_CIPHER *cipher)
-{
-    /* Don't up-ref an implicit EVP_CIPHER */
-    if (EVP_CIPHER_provider(cipher) == NULL)
-        return 1;
-
-    /*
-     * The cipher was explicitly fetched and therefore it is safe to cast
-     * away the const
-     */
-    return EVP_CIPHER_up_ref((EVP_CIPHER *)cipher);
-}
-
-void ssl_evp_cipher_free(const EVP_CIPHER *cipher)
-{
-    if (cipher == NULL)
-        return;
-
-    if (EVP_CIPHER_provider(cipher) != NULL) {
-        /*
-         * The cipher was explicitly fetched and therefore it is safe to cast
-         * away the const
-         */
-        EVP_CIPHER_free((EVP_CIPHER *)cipher);
-    }
-}
-
-const EVP_MD *ssl_evp_md_fetch(OPENSSL_CTX *libctx,
-                               int nid,
-                               const char *properties)
-{
-    EVP_MD *md;
-
-#ifndef OPENSSL_NO_ENGINE
-    ENGINE *eng;
-
-    /*
-     * If there is an Engine available for this digest we use the "implicit"
-     * form to ensure we use that engine later.
-     */
-    eng = ENGINE_get_digest_engine(nid);
-    if (eng != NULL) {
-        ENGINE_finish(eng);
-        return EVP_get_digestbynid(nid);
-    }
-#endif
-
-    /* Otherwise we do an explicit fetch */
-    ERR_set_mark();
-    md = EVP_MD_fetch(libctx, OBJ_nid2sn(nid), properties);
-    ERR_pop_to_mark();
-    return md;
-}
-
-int ssl_evp_md_up_ref(const EVP_MD *md)
-{
-    /* Don't up-ref an implicit EVP_MD */
-    if (EVP_MD_provider(md) == NULL)
-        return 1;
-
-    /*
-     * The digest was explicitly fetched and therefore it is safe to cast
-     * away the const
-     */
-    return EVP_MD_up_ref((EVP_MD *)md);
-}
-
-void ssl_evp_md_free(const EVP_MD *md)
-{
-    if (md == NULL)
-        return;
-
-    if (EVP_MD_provider(md) != NULL) {
-        /*
-         * The digest was explicitly fetched and therefore it is safe to cast
-         * away the const
-         */
-        EVP_MD_free((EVP_MD *)md);
-    }
-}
diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index c48bcb9a9a..f0f0a53ecf 100644
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -276,8 +276,6 @@
 # define SSL_MD_SHA512_IDX 11
 # define SSL_MAX_DIGEST 12
 
-#define SSL_MD_NUM_IDX  SSL_MAX_DIGEST
-
 /* Bits for algorithm2 (handshake digests and other extra flags) */
 
 /* Bits 0-7 are handshake MAC */
@@ -391,30 +389,6 @@
 # define SSL_PKEY_ED448          8
 # define SSL_PKEY_NUM            9
 
-# define SSL_ENC_DES_IDX         0
-# define SSL_ENC_3DES_IDX        1
-# define SSL_ENC_RC4_IDX         2
-# define SSL_ENC_RC2_IDX         3
-# define SSL_ENC_IDEA_IDX        4
-# define SSL_ENC_NULL_IDX        5
-# define SSL_ENC_AES128_IDX      6
-# define SSL_ENC_AES256_IDX      7
-# define SSL_ENC_CAMELLIA128_IDX 8
-# define SSL_ENC_CAMELLIA256_IDX 9
-# define SSL_ENC_GOST89_IDX      10
-# define SSL_ENC_SEED_IDX        11
-# define SSL_ENC_AES128GCM_IDX   12
-# define SSL_ENC_AES256GCM_IDX   13
-# define SSL_ENC_AES128CCM_IDX   14
-# define SSL_ENC_AES256CCM_IDX   15
-# define SSL_ENC_AES128CCM8_IDX  16
-# define SSL_ENC_AES256CCM8_IDX  17
-# define SSL_ENC_GOST8912_IDX    18
-# define SSL_ENC_CHACHA_IDX      19
-# define SSL_ENC_ARIA128GCM_IDX  20
-# define SSL_ENC_ARIA256GCM_IDX  21
-# define SSL_ENC_NUM_IDX         22
-
 /*-
  * SSL_kRSA <- RSA_ENC
  * SSL_kDH  <- DH_ENC & (RSA_ENC | RSA_SIGN | DSA_SIGN)
@@ -891,7 +865,7 @@ struct ssl_ctx_st {
     CRYPTO_EX_DATA ex_data;
 
     const EVP_MD *md5;          /* For SSLv3/TLSv1 'ssl3-md5' */
-    const EVP_MD *sha1;         /* For SSLv3/TLSv1 'ssl3-sha1' */
+    const EVP_MD *sha1;         /* For SSLv3/TLSv1 'ssl3->sha1' */
 
     STACK_OF(X509) *extra_certs;
     STACK_OF(SSL_COMP) *comp_methods; /* stack of SSL_COMP, SSLv3/TLSv1 */
@@ -1135,10 +1109,6 @@ struct ssl_ctx_st {
     void *async_cb_arg;
 
     char *propq;
-
-    const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX];
-    const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX];
-    size_t ssl_mac_secret_size[SSL_MD_NUM_IDX];
 };
 
 typedef struct cert_pkey_st CERT_PKEY;
@@ -2363,12 +2333,10 @@ __owur int bytes_to_cipher_list(SSL *s, PACKET *cipher_suites,
                                 STACK_OF(SSL_CIPHER) **scsvs, int sslv2format,
                                 int fatal);
 void ssl_update_cache(SSL *s, int mode);
-__owur int ssl_cipher_get_evp_cipher(SSL_CTX *ctx, const SSL_CIPHER *sslc,
-                                     const EVP_CIPHER **enc);
-__owur int ssl_cipher_get_evp(SSL_CTX *ctxc, const SSL_SESSION *s,
-                              const EVP_CIPHER **enc, const EVP_MD **md,
-                              int *mac_pkey_type, size_t *mac_secret_size,
-                              SSL_COMP **comp, int use_etm);
+__owur int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
+                              const EVP_MD **md, int *mac_pkey_type,
+                              size_t *mac_secret_size, SSL_COMP **comp,
+                              int use_etm);
 __owur int ssl_cipher_get_overhead(const SSL_CIPHER *c, size_t *mac_overhead,
                                    size_t *int_overhead, size_t *blocksize,
                                    size_t *ext_overhead);
@@ -2408,7 +2376,7 @@ void ssl_set_masks(SSL *s);
 __owur STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s);
 __owur int ssl_x509err2alert(int type);
 void ssl_sort_cipher_list(void);
-int ssl_load_ciphers(SSL_CTX *ctx);
+int ssl_load_ciphers(void);
 __owur int ssl_fill_hello_random(SSL *s, int server, unsigned char *field,
                                  size_t len, DOWNGRADE dgrd);
 __owur int ssl_generate_master_secret(SSL *s, unsigned char *pms, size_t pmslen,
@@ -2663,8 +2631,7 @@ __owur int tls1_save_u16(PACKET *pkt, uint16_t **pdest, size_t *pdestlen);
 __owur int tls1_save_sigalgs(SSL *s, PACKET *pkt, int cert);
 __owur int tls1_process_sigalgs(SSL *s);
 __owur int tls1_set_peer_legacy_sigalg(SSL *s, const EVP_PKEY *pkey);
-__owur int tls1_lookup_md(SSL_CTX *ctx, const SIGALG_LOOKUP *lu,
-                          const EVP_MD **pmd);
+__owur int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd);
 __owur size_t tls12_get_psigalgs(SSL *s, int sent, const uint16_t **psigs);
 #  ifndef OPENSSL_NO_EC
 __owur int tls_check_sigalg_curve(const SSL *s, int curve);
@@ -2675,7 +2642,7 @@ __owur int ssl_cipher_disabled(const SSL *s, const SSL_CIPHER *c, int op, int ec
 
 __owur int ssl_handshake_hash(SSL *s, unsigned char *out, size_t outlen,
                                  size_t *hashlen);
-__owur const EVP_MD *ssl_md(SSL_CTX *ctx, int idx);
+__owur const EVP_MD *ssl_md(int idx);
 __owur const EVP_MD *ssl_handshake_md(SSL *s);
 __owur const EVP_MD *ssl_prf_md(SSL *s);
 
@@ -2753,18 +2720,6 @@ void ssl_comp_free_compression_methods_int(void);
 /* ssl_mcnf.c */
 void ssl_ctx_system_config(SSL_CTX *ctx);
 
-const EVP_CIPHER *ssl_evp_cipher_fetch(OPENSSL_CTX *libctx,
-                                       int nid,
-                                       const char *properties);
-int ssl_evp_cipher_up_ref(const EVP_CIPHER *cipher);
-void ssl_evp_cipher_free(const EVP_CIPHER *cipher);
-const EVP_MD *ssl_evp_md_fetch(OPENSSL_CTX *libctx,
-                               int nid,
-                               const char *properties);
-int ssl_evp_md_up_ref(const EVP_MD *md);
-void ssl_evp_md_free(const EVP_MD *md);
-
-
 # else /* OPENSSL_UNIT_TEST */
 
 #  define ssl_init_wbio_buffer SSL_test_functions()->p_ssl_init_wbio_buffer
diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c
index 09d00bacbe..bc3fcfbd1d 100644
--- a/ssl/ssl_txt.c
+++ b/ssl/ssl_txt.c
@@ -117,7 +117,7 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
     if (x->compress_meth != 0) {
         SSL_COMP *comp = NULL;
 
-        if (!ssl_cipher_get_evp(NULL, x, NULL, NULL, NULL, NULL, &comp, 0))
+        if (!ssl_cipher_get_evp(x, NULL, NULL, NULL, NULL, &comp, 0))
             goto err;
         if (comp == NULL) {
             if (BIO_printf(bp, "\n    Compression: %d", x->compress_meth) <= 0)
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 776473e659..75fecdeaa6 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -981,7 +981,7 @@ EXT_RETURN tls_construct_ctos_padding(SSL *s, WPACKET *pkt,
     if (s->session->ssl_version == TLS1_3_VERSION
             && s->session->ext.ticklen != 0
             && s->session->cipher != NULL) {
-        const EVP_MD *md = ssl_md(s->ctx, s->session->cipher->algorithm2);
+        const EVP_MD *md = ssl_md(s->session->cipher->algorithm2);
 
         if (md != NULL) {
             /*
@@ -1059,7 +1059,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
                      ERR_R_INTERNAL_ERROR);
             return EXT_RETURN_FAIL;
         }
-        mdres = ssl_md(s->ctx, s->session->cipher->algorithm2);
+        mdres = ssl_md(s->session->cipher->algorithm2);
         if (mdres == NULL) {
             /*
              * Don't recognize this cipher so we can't use the session.
@@ -1132,7 +1132,7 @@ EXT_RETURN tls_construct_ctos_psk(SSL *s, WPACKET *pkt, unsigned int context,
         return EXT_RETURN_NOT_SENT;
 
     if (s->psksession != NULL) {
-        mdpsk = ssl_md(s->ctx, s->psksession->cipher->algorithm2);
+        mdpsk = ssl_md(s->psksession->cipher->algorithm2);
         if (mdpsk == NULL) {
             /*
              * Don't recognize this cipher so we can't use the session.
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 549a207430..756ceafb50 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -1239,9 +1239,8 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
             }
         }
 
-        md = ssl_md(s->ctx, sess->cipher->algorithm2);
-        if (!EVP_MD_is_a(md,
-                EVP_MD_name(ssl_md(s->ctx, s->s3.tmp.new_cipher->algorithm2)))) {
+        md = ssl_md(sess->cipher->algorithm2);
+        if (md != ssl_md(s->s3.tmp.new_cipher->algorithm2)) {
             /* The ciphersuite is not compatible with this session. */
             SSL_SESSION_free(sess);
             sess = NULL;
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index cdd413d1ef..8d843099f9 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -1376,8 +1376,8 @@ static int set_client_ciphersuite(SSL *s, const unsigned char *cipherchars)
              * In TLSv1.3 it is valid for the server to select a different
              * ciphersuite as long as the hash is the same.
              */
-            if (ssl_md(s->ctx, c->algorithm2)
-                    != ssl_md(s->ctx, s->session->cipher->algorithm2)) {
+            if (ssl_md(c->algorithm2)
+                    != ssl_md(s->session->cipher->algorithm2)) {
                 SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER,
                          SSL_F_SET_CLIENT_CIPHERSUITE,
                          SSL_R_CIPHERSUITE_DIGEST_HAS_CHANGED);
@@ -2339,7 +2339,7 @@ MSG_PROCESS_RETURN tls_process_key_exchange(SSL *s, PACKET *pkt)
             goto err;
         }
 
-        if (!tls1_lookup_md(s->ctx, s->s3.tmp.peer_sigalg, &md)) {
+        if (!tls1_lookup_md(s->s3.tmp.peer_sigalg, &md)) {
             SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_KEY_EXCHANGE,
                      ERR_R_INTERNAL_ERROR);
             goto err;
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index e9cfee027e..b89566d840 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -247,7 +247,7 @@ int tls_construct_cert_verify(SSL *s, WPACKET *pkt)
     }
     pkey = s->s3.tmp.cert->privatekey;
 
-    if (pkey == NULL || !tls1_lookup_md(s->ctx, lu, &md)) {
+    if (pkey == NULL || !tls1_lookup_md(lu, &md)) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_CERT_VERIFY,
                  ERR_R_INTERNAL_ERROR);
         goto err;
@@ -422,7 +422,7 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
             goto err;
     }
 
-    if (!tls1_lookup_md(s->ctx, s->s3.tmp.peer_sigalg, &md)) {
+    if (!tls1_lookup_md(s->s3.tmp.peer_sigalg, &md)) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_CERT_VERIFY,
                  ERR_R_INTERNAL_ERROR);
         goto err;
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 43f9811163..a23187290e 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -2773,7 +2773,7 @@ int tls_construct_server_key_exchange(SSL *s, WPACKET *pkt)
         unsigned char *sigbytes1, *sigbytes2, *tbs;
         size_t siglen = 0, tbslen;
 
-        if (pkey == NULL || !tls1_lookup_md(s->ctx, lu, &md)) {
+        if (pkey == NULL || !tls1_lookup_md(lu, &md)) {
             /* Should never happen */
             SSLfatal(s, SSL_AD_INTERNAL_ERROR,
                      SSL_F_TLS_CONSTRUCT_SERVER_KEY_EXCHANGE,
diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index c50905589b..0a5c770a84 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -540,16 +540,14 @@ int tls1_setup_key_block(SSL *s)
     if (s->s3.tmp.key_block_length != 0)
         return 1;
 
-    if (!ssl_cipher_get_evp(s->ctx, s->session, &c, &hash, &mac_type,
-                            &mac_secret_size, &comp, s->ext.use_etm)) {
+    if (!ssl_cipher_get_evp(s->session, &c, &hash, &mac_type, &mac_secret_size,
+                            &comp, s->ext.use_etm)) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS1_SETUP_KEY_BLOCK,
                  SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
         return 0;
     }
 
-    ssl_evp_cipher_free(s->s3.tmp.new_sym_enc);
     s->s3.tmp.new_sym_enc = c;
-    ssl_evp_md_free(s->s3.tmp.new_hash);
     s->s3.tmp.new_hash = hash;
     s->s3.tmp.new_mac_pkey_type = mac_type;
     s->s3.tmp.new_mac_secret_size = mac_secret_size;
diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 624add64a8..235f5661ad 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -893,7 +893,7 @@ static const SIGALG_LOOKUP *tls1_lookup_sigalg(uint16_t sigalg)
     return NULL;
 }
 /* Lookup hash: return 0 if invalid or not enabled */
-int tls1_lookup_md(SSL_CTX *ctx, const SIGALG_LOOKUP *lu, const EVP_MD **pmd)
+int tls1_lookup_md(const SIGALG_LOOKUP *lu, const EVP_MD **pmd)
 {
     const EVP_MD *md;
     if (lu == NULL)
@@ -902,7 +902,7 @@ int tls1_lookup_md(SSL_CTX *ctx, const SIGALG_LOOKUP *lu, const EVP_MD **pmd)
     if (lu->hash == NID_undef) {
         md = NULL;
     } else {
-        md = ssl_md(ctx, lu->hash_idx);
+        md = ssl_md(lu->hash_idx);
         if (md == NULL)
             return 0;
     }
@@ -919,16 +919,15 @@ int tls1_lookup_md(SSL_CTX *ctx, const SIGALG_LOOKUP *lu, const EVP_MD **pmd)
  * with a 128 byte (1024 bit) key.
  */
 #define RSA_PSS_MINIMUM_KEY_SIZE(md) (2 * EVP_MD_size(md) + 2)
-static int rsa_pss_check_min_key_size(SSL_CTX *ctx, const EVP_PKEY *pkey,
-                                      const SIGALG_LOOKUP *lu)
+static int rsa_pss_check_min_key_size(const RSA *rsa, const SIGALG_LOOKUP *lu)
 {
     const EVP_MD *md;
 
-    if (pkey == NULL)
+    if (rsa == NULL)
         return 0;
-    if (!tls1_lookup_md(ctx, lu, &md) || md == NULL)
+    if (!tls1_lookup_md(lu, &md) || md == NULL)
         return 0;
-    if (EVP_PKEY_size(pkey) < RSA_PSS_MINIMUM_KEY_SIZE(md))
+    if (RSA_size(rsa) < RSA_PSS_MINIMUM_KEY_SIZE(md))
         return 0;
     return 1;
 }
@@ -979,7 +978,7 @@ static const SIGALG_LOOKUP *tls1_get_legacy_sigalg(const SSL *s, int idx)
     if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) {
         const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]);
 
-        if (!tls1_lookup_md(s->ctx, lu, NULL))
+        if (!tls1_lookup_md(lu, NULL))
             return NULL;
         if (!tls12_sigalg_allowed(s, SSL_SECOP_SIGALG_SUPPORTED, lu))
             return NULL;
@@ -1075,31 +1074,6 @@ int tls_check_sigalg_curve(const SSL *s, int curve)
 }
 #endif
 
-/*
- * Return the number of security bits for the signature algorithm, or 0 on
- * error.
- */
-static int sigalg_security_bits(SSL_CTX *ctx, const SIGALG_LOOKUP *lu)
-{
-    const EVP_MD *md = NULL;
-    int secbits = 0;
-
-    if (!tls1_lookup_md(ctx, lu, &md))
-        return 0;
-    if (md != NULL)
-    {
-        /* Security bits: half digest bits */
-        secbits = EVP_MD_size(md) * 4;
-    } else {
-        /* Values from https://tools.ietf.org/html/rfc8032#section-8.5 */
-        if (lu->sigalg == TLSEXT_SIGALG_ed25519)
-            secbits = 128;
-        else if (lu->sigalg == TLSEXT_SIGALG_ed448)
-            secbits = 224;
-    }
-    return secbits;
-}
-
 /*
  * Check signature algorithm is consistent with sent supported signature
  * algorithms and if so set relevant digest and signature scheme in
@@ -1113,7 +1087,6 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
     size_t sent_sigslen, i, cidx;
     int pkeyid = EVP_PKEY_id(pkey);
     const SIGALG_LOOKUP *lu;
-    int secbits = 0;
 
     /* Should never happen */
     if (pkeyid == -1)
@@ -1210,25 +1183,25 @@ int tls12_check_peer_sigalg(SSL *s, uint16_t sig, EVP_PKEY *pkey)
                  SSL_R_WRONG_SIGNATURE_TYPE);
         return 0;
     }
-    if (!tls1_lookup_md(s->ctx, lu, &md)) {
+    if (!tls1_lookup_md(lu, &md)) {
         SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
                  SSL_R_UNKNOWN_DIGEST);
         return 0;
     }
-    /*
-     * Make sure security callback allows algorithm. For historical
-     * reasons we have to pass the sigalg as a two byte char array.
-     */
-    sigalgstr[0] = (sig >> 8) & 0xff;
-    sigalgstr[1] = sig & 0xff;
-    secbits = sigalg_security_bits(s->ctx, lu);
-    if (secbits == 0 ||
-        !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits,
-                      md != NULL ? EVP_MD_type(md) : NID_undef,
-                      (void *)sigalgstr)) {
-        SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
-                 SSL_R_WRONG_SIGNATURE_TYPE);
-        return 0;
+    if (md != NULL) {
+        /*
+         * Make sure security callback allows algorithm. For historical
+         * reasons we have to pass the sigalg as a two byte char array.
+         */
+        sigalgstr[0] = (sig >> 8) & 0xff;
+        sigalgstr[1] = sig & 0xff;
+        if (!ssl_security(s, SSL_SECOP_SIGALG_CHECK,
+                    EVP_MD_size(md) * 4, EVP_MD_type(md),
+                    (void *)sigalgstr)) {
+            SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS12_CHECK_PEER_SIGALG,
+                     SSL_R_WRONG_SIGNATURE_TYPE);
+            return 0;
+        }
     }
     /* Store the sigalg the peer uses */
     s->s3.tmp.peer_sigalg = lu;
@@ -1705,7 +1678,7 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
     int secbits;
 
     /* See if sigalgs is recognised and if hash is enabled */
-    if (!tls1_lookup_md(s->ctx, lu, NULL))
+    if (!tls1_lookup_md(lu, NULL))
         return 0;
     /* DSA is not allowed in TLS 1.3 */
     if (SSL_IS_TLS13(s) && lu->sig == EVP_PKEY_DSA)
@@ -1760,8 +1733,11 @@ static int tls12_sigalg_allowed(const SSL *s, int op, const SIGALG_LOOKUP *lu)
         }
     }
 
+    if (lu->hash == NID_undef)
+        return 1;
+    /* Security bits: half digest bits */
+    secbits = EVP_MD_size(ssl_md(lu->hash_idx)) * 4;
     /* Finally see if security callback allows it */
-    secbits = sigalg_security_bits(s->ctx, lu);
     sigalgstr[0] = (lu->sigalg >> 8) & 0xff;
     sigalgstr[1] = lu->sigalg & 0xff;
     return ssl_security(s, op, secbits, lu->hash, (void *)sigalgstr);
@@ -2809,7 +2785,7 @@ static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey)
             || lu->sig == EVP_PKEY_RSA)
             continue;
         /* Check that we have a cert, and signature_algorithms_cert */
-        if (!tls1_lookup_md(s->ctx, lu, NULL))
+        if (!tls1_lookup_md(lu, NULL))
             continue;
         if ((pkey == NULL && !has_usable_cert(s, lu, -1))
                 || (pkey != NULL && !is_cert_usable(s, lu, x, pkey)))
@@ -2831,7 +2807,7 @@ static const SIGALG_LOOKUP *find_sig_alg(SSL *s, X509 *x, EVP_PKEY *pkey)
 #endif
         } else if (lu->sig == EVP_PKEY_RSA_PSS) {
             /* validate that key is large enough for the signature algorithm */
-            if (!rsa_pss_check_min_key_size(s->ctx, tmppkey, lu))
+            if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(tmppkey), lu))
                 continue;
         }
         break;
@@ -2917,7 +2893,7 @@ int tls_choose_sigalg(SSL *s, int fatalerrs)
                         /* validate that key is large enough for the signature algorithm */
                         EVP_PKEY *pkey = s->cert->pkeys[sig_idx].privatekey;
 
-                        if (!rsa_pss_check_min_key_size(s->ctx, pkey, lu))
+                        if (!rsa_pss_check_min_key_size(EVP_PKEY_get0(pkey), lu))
                             continue;
                     }
 #ifndef OPENSSL_NO_EC
diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c
index fba12fe5e4..181f3920a1 100644
--- a/ssl/tls13_enc.c
+++ b/ssl/tls13_enc.c
@@ -36,8 +36,7 @@ int tls13_hkdf_expand(SSL *s, const EVP_MD *md, const unsigned char *secret,
 #else
     static const unsigned char label_prefix[] = "tls13 ";
 #endif
-    EVP_KDF *kdf = EVP_KDF_fetch(s->ctx->libctx, OSSL_KDF_NAME_HKDF,
-                                 s->ctx->propq);
+    EVP_KDF *kdf = EVP_KDF_fetch(NULL, OSSL_KDF_NAME_HKDF, NULL);
     EVP_KDF_CTX *kctx;
     OSSL_PARAM params[5], *p = params;
     int mode = EVP_PKEY_HKDEF_MODE_EXPAND_ONLY;
@@ -195,7 +194,7 @@ int tls13_generate_secret(SSL *s, const EVP_MD *md,
 #endif
     unsigned char preextractsec[EVP_MAX_MD_SIZE];
 
-    kdf = EVP_KDF_fetch(s->ctx->libctx, OSSL_KDF_NAME_HKDF, s->ctx->propq);
+    kdf = EVP_KDF_fetch(NULL, OSSL_KDF_NAME_HKDF, NULL);
     kctx = EVP_KDF_CTX_new(kdf);
     EVP_KDF_free(kdf);
     if (kctx == NULL) {
@@ -312,27 +311,11 @@ int tls13_generate_master_secret(SSL *s, unsigned char *out,
 size_t tls13_final_finish_mac(SSL *s, const char *str, size_t slen,
                              unsigned char *out)
 {
-    const char *mdname = EVP_MD_name(ssl_handshake_md(s));
-    EVP_MAC *hmac = EVP_MAC_fetch(s->ctx->libctx, "HMAC", s->ctx->propq);
+    const EVP_MD *md = ssl_handshake_md(s);
     unsigned char hash[EVP_MAX_MD_SIZE];
-    unsigned char finsecret[EVP_MAX_MD_SIZE];
     size_t hashlen, ret = 0;
-    EVP_MAC_CTX *ctx = NULL;
-    OSSL_PARAM params[4], *p = params;
-
-    if (hmac == NULL) {
-        SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_FINAL_FINISH_MAC,
-                 ERR_R_INTERNAL_ERROR);
-        goto err;
-    }
-
-    /* Safe to cast away const here since we're not "getting" any data */
-    *p++ = OSSL_PARAM_construct_utf8_string(OSSL_ALG_PARAM_DIGEST,
-                                            (char *)mdname, 0);
-    if (s->ctx->propq != NULL)
-        *p++ = OSSL_PARAM_construct_utf8_string(OSSL_ALG_PARAM_PROPERTIES,
-                                                (char *)s->ctx->propq,
-                                                0);
+    EVP_PKEY *key = NULL;
+    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
 
     if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) {
         /* SSLfatal() already called */
@@ -340,31 +323,29 @@ size_t tls13_final_finish_mac(SSL *s, const char *str, size_t slen,
     }
 
     if (str == s->method->ssl3_enc->server_finished_label) {
-        *p++ = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY,
-                                                 s->server_finished_secret,
-                                                 hashlen);
+        key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
+                                           s->server_finished_secret, hashlen);
     } else if (SSL_IS_FIRST_HANDSHAKE(s)) {
-        *p++ = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY,
-                                                 s->client_finished_secret,
-                                                 hashlen);
+        key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
+                                           s->client_finished_secret, hashlen);
     } else {
+        unsigned char finsecret[EVP_MAX_MD_SIZE];
+
         if (!tls13_derive_finishedkey(s, ssl_handshake_md(s),
                                       s->client_app_traffic_secret,
                                       finsecret, hashlen))
             goto err;
 
-        *p++ = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, finsecret,
-                                                 hashlen);
+        key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, finsecret,
+                                           hashlen);
+        OPENSSL_cleanse(finsecret, sizeof(finsecret));
     }
-    *p++ = OSSL_PARAM_construct_end();
 
-    ctx = EVP_MAC_CTX_new(hmac);
-    if (ctx == NULL
-            || !EVP_MAC_CTX_set_params(ctx, params)
-            || !EVP_MAC_init(ctx)
-            || !EVP_MAC_update(ctx, hash, hashlen)
-               /* outsize as per sizeof(peer_finish_md) */
-            || !EVP_MAC_final(ctx, out, &hashlen, EVP_MAX_MD_SIZE * 2)) {
+    if (key == NULL
+            || ctx == NULL
+            || EVP_DigestSignInit(ctx, NULL, md, NULL, key) <= 0
+            || EVP_DigestSignUpdate(ctx, hash, hashlen) <= 0
+            || EVP_DigestSignFinal(ctx, out, &hashlen) <= 0) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_FINAL_FINISH_MAC,
                  ERR_R_INTERNAL_ERROR);
         goto err;
@@ -372,9 +353,8 @@ size_t tls13_final_finish_mac(SSL *s, const char *str, size_t slen,
 
     ret = hashlen;
  err:
-    OPENSSL_cleanse(finsecret, sizeof(finsecret));
-    EVP_MAC_CTX_free(ctx);
-    EVP_MAC_free(hmac);
+    EVP_PKEY_free(key);
+    EVP_MD_CTX_free(ctx);
     return ret;
 }
 
@@ -388,16 +368,13 @@ int tls13_setup_key_block(SSL *s)
     const EVP_MD *hash;
 
     s->session->cipher = s->s3.tmp.new_cipher;
-    if (!ssl_cipher_get_evp(s->ctx, s->session, &c, &hash, NULL, NULL, NULL,
-                            0)) {
+    if (!ssl_cipher_get_evp(s->session, &c, &hash, NULL, NULL, NULL, 0)) {
         SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_SETUP_KEY_BLOCK,
                  SSL_R_CIPHER_OR_HASH_UNAVAILABLE);
         return 0;
     }
 
-    ssl_evp_cipher_free(s->s3.tmp.new_sym_enc);
     s->s3.tmp.new_sym_enc = c;
-    ssl_evp_md_free(s->s3.tmp.new_hash);
     s->s3.tmp.new_hash = hash;
 
     return 1;
@@ -599,19 +576,8 @@ int tls13_change_cipher_state(SSL *s, int which)
                          SSL_F_TLS13_CHANGE_CIPHER_STATE, ERR_R_MALLOC_FAILURE);
                 goto err;
             }
-
-            /*
-             * This ups the ref count on cipher so we better make sure we free
-             * it again
-             */
-            if (!ssl_cipher_get_evp_cipher(s->ctx, sslcipher, &cipher)) {
-                SSLfatal(s, SSL_AD_INTERNAL_ERROR,
-                         SSL_F_TLS13_CHANGE_CIPHER_STATE,
-                         SSL_R_ALGORITHM_FETCH_FAILED);
-                goto err;
-            }
-
-            md = ssl_md(s->ctx, sslcipher->algorithm2);
+            cipher = EVP_get_cipherbynid(SSL_CIPHER_get_cipher_nid(sslcipher));
+            md = ssl_md(sslcipher->algorithm2);
             if (md == NULL || !EVP_DigestInit_ex(mdctx, md, NULL)
                     || !EVP_DigestUpdate(mdctx, hdata, handlen)
                     || !EVP_DigestFinal_ex(mdctx, hashval, &hashlenui)) {
@@ -766,10 +732,6 @@ int tls13_change_cipher_state(SSL *s, int which)
         s->statem.enc_write_state = ENC_WRITE_STATE_VALID;
     ret = 1;
  err:
-    if ((which & SSL3_CC_EARLY) != 0) {
-        /* We up-refed this so now we need to down ref */
-        ssl_evp_cipher_free(cipher);
-    }
     OPENSSL_cleanse(secret, sizeof(secret));
     return ret;
 }
@@ -900,7 +862,7 @@ int tls13_export_keying_material_early(SSL *s, unsigned char *out, size_t olen,
     else
         sslcipher = SSL_SESSION_get0_cipher(s->session);
 
-    md = ssl_md(s->ctx, sslcipher->algorithm2);
+    md = ssl_md(sslcipher->algorithm2);
 
     /*
      * Calculate the hash value and store it in |data|. The reason why
diff --git a/test/build.info b/test/build.info
index 6d670ea175..f7ccdd5d9c 100644
--- a/test/build.info
+++ b/test/build.info
@@ -35,6 +35,7 @@ IF[{- !$disabled{tests} -}]
           ectest ecstresstest gmdifftest pbelutest \
           destest mdc2test \
           enginetest exptest \
+          ssltest_old exptest rsa_test \
           evp_pkey_provided_test evp_test evp_extra_test evp_fetch_prov_test \
           v3nametest v3ext \
           crltest danetest bad_dtls_test lhash_test sparse_array_test \
@@ -115,6 +116,14 @@ IF[{- !$disabled{tests} -}]
   INCLUDE[exptest]=../include ../apps/include
   DEPEND[exptest]=../libcrypto libtestutil.a
 
+  SOURCE[rsa_test]=rsa_test.c
+  INCLUDE[rsa_test]=../include ../apps/include
+  DEPEND[rsa_test]=../libcrypto libtestutil.a
+
+  SOURCE[rsa_mp_test]=rsa_mp_test.c
+  INCLUDE[rsa_mp_test]=../include ../apps/include
+  DEPEND[rsa_mp_test]=../libcrypto.a libtestutil.a
+
   SOURCE[fatalerrtest]=fatalerrtest.c ssltestlib.c
   INCLUDE[fatalerrtest]=../include ../apps/include
   DEPEND[fatalerrtest]=../libcrypto ../libssl libtestutil.a
@@ -494,8 +503,8 @@ IF[{- !$disabled{tests} -}]
   IF[1]
     PROGRAMS{noinst}=asn1_internal_test modes_internal_test x509_internal_test \
                      tls13encryptiontest wpackettest ctype_internal_test \
-                     rdrand_sanitytest property_test ideatest rsa_mp_test \
-                     rsa_sp800_56b_test bn_internal_test ecdsatest rsa_test \
+                     rdrand_sanitytest property_test ideatest \
+                     rsa_sp800_56b_test bn_internal_test ecdsatest \
                      rc2test rc4test rc5test hmactest ffc_internal_test \
                      asn1_dsa_internal_test dsatest dsa_no_digest_size_test \
                      dhtest ssltest_old
@@ -539,13 +548,6 @@ IF[{- !$disabled{tests} -}]
     INCLUDE[x509_internal_test]=.. ../include ../apps/include
     DEPEND[x509_internal_test]=../libcrypto.a libtestutil.a
 
-    SOURCE[rsa_test]=rsa_test.c
-    INCLUDE[rsa_test]=../include ../apps/include
-    DEPEND[rsa_test]=../libcrypto.a libtestutil.a
-
-    SOURCE[rsa_mp_test]=rsa_mp_test.c
-    INCLUDE[rsa_mp_test]=../include ../apps/include
-    DEPEND[rsa_mp_test]=../libcrypto.a libtestutil.a
 
     SOURCE[ecdsatest]=ecdsatest.c
     INCLUDE[ecdsatest]=../include ../apps/include
diff --git a/test/recipes/15-test_genrsa.t b/test/recipes/15-test_genrsa.t
index 0ec0e65f18..d7d146a1d9 100644
--- a/test/recipes/15-test_genrsa.t
+++ b/test/recipes/15-test_genrsa.t
@@ -16,18 +16,10 @@ use OpenSSL::Test::Utils;
 
 setup("test_genrsa");
 
-plan tests => 9;
+plan tests => 5;
 
 # We want to know that an absurdly small number of bits isn't support
-if (disabled("deprecated-3.0")) {
-    is(run(app([ 'openssl', 'genpkey', '-out', 'genrsatest.pem',
-                 '-algorithm', 'RSA', '-pkeyopt', 'rsa_keygen_bits:8',
-                 '-pkeyopt', 'rsa_keygen_pubexp:3'])),
-               0, "genrsa -3 8");
-} else {
-    is(run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem', '8'])),
-               0, "genrsa -3 8");
-}
+is(run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem', '8'])), 0, "genrsa -3 8");
 
 # Depending on the shared library, we might have different lower limits.
 # Let's find it!  This is a simple binary search
@@ -37,21 +29,10 @@ if (disabled("deprecated-3.0")) {
 note "Looking for lowest amount of bits";
 my $bad = 3;                    # Log2 of number of bits (2 << 3  == 8)
 my $good = 11;                  # Log2 of number of bits (2 << 11 == 2048)
-my $fin;
 while ($good > $bad + 1) {
     my $checked = int(($good + $bad + 1) / 2);
-    my $bits = 2 ** $checked;
-    if (disabled("deprecated-3.0")) {
-        $fin = run(app([ 'openssl', 'genpkey', '-out', 'genrsatest.pem',
-                         '-algorithm', 'RSA', '-pkeyopt', 'rsa_keygen_pubexp:3',
-                         '-pkeyopt', "rsa_keygen_bits:$bits",
-                       ], stderr => undef));
-    } else {
-        $fin = run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem',
-                         $bits
-                       ], stderr => undef));
-    }
-    if ($fin) {
+    if (run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem',
+                  2 ** $checked ], stderr => undef))) {
         note 2 ** $checked, " bits is good";
         $good = $checked;
     } else {
@@ -63,30 +44,11 @@ $good++ if $good == $bad;
 $good = 2 ** $good;
 note "Found lowest allowed amount of bits to be $good";
 
-ok(run(app([ 'openssl', 'genpkey', '-algorithm', 'RSA',
-             '-pkeyopt', 'rsa_keygen_pubexp:3',
-             '-pkeyopt', "rsa_keygen_bits:$good",
-             '-out', 'genrsatest.pem' ])),
-   "genpkey -3 $good");
-ok(run(app([ 'openssl', 'pkey', '-check', '-in', 'genrsatest.pem', '-noout' ])),
-   "pkey -check");
-ok(run(app([ 'openssl', 'genpkey', '-algorithm', 'RSA',
-             '-pkeyopt', 'rsa_keygen_pubexp:65537',
-             '-pkeyopt', "rsa_keygen_bits:$good",
-             '-out', 'genrsatest.pem' ])),
-   "genpkey -f4 $good");
-ok(run(app([ 'openssl', 'pkey', '-check', '-in', 'genrsatest.pem', '-noout' ])),
-   "pkey -check");
-
- SKIP: {
-    skip "Skipping rsa command line test", 4 if disabled("deprecated-3.0");
-
-    ok(run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem', $good ])),
-       "genrsa -3 $good");
-    ok(run(app([ 'openssl', 'rsa', '-check', '-in', 'genrsatest.pem', '-noout' ])),
-       "rsa -check");
-    ok(run(app([ 'openssl', 'genrsa', '-f4', '-out', 'genrsatest.pem', $good ])),
-       "genrsa -f4 $good");
-    ok(run(app([ 'openssl', 'rsa', '-check', '-in', 'genrsatest.pem', '-noout' ])),
-       "rsa -check");
-}
+ok(run(app([ 'openssl', 'genrsa', '-3', '-out', 'genrsatest.pem', $good ])),
+   "genrsa -3 $good");
+ok(run(app([ 'openssl', 'rsa', '-check', '-in', 'genrsatest.pem', '-noout' ])),
+   "rsa -check");
+ok(run(app([ 'openssl', 'genrsa', '-f4', '-out', 'genrsatest.pem', $good ])),
+   "genrsa -f4 $good");
+ok(run(app([ 'openssl', 'rsa', '-check', '-in', 'genrsatest.pem', '-noout' ])),
+   "rsa -check");
diff --git a/test/recipes/15-test_mp_rsa.t b/test/recipes/15-test_mp_rsa.t
index 6ecf80c4e2..4a4ac3569d 100644
--- a/test/recipes/15-test_mp_rsa.t
+++ b/test/recipes/15-test_mp_rsa.t
@@ -17,6 +17,12 @@ use OpenSSL::Test::Utils;
 
 setup("test_mp_rsa");
 
+plan tests => 31;
+
+ok(run(test(["rsa_mp_test"])), "running rsa multi prime test");
+
+my $cleartext = data_file("plain_text");
+
 my @test_param = (
     # 3 primes, 2048-bit
     {
@@ -35,14 +41,8 @@ my @test_param = (
     },
 );
 
-plan tests => 1 + scalar(@test_param) * 5 * (disabled('deprecated-3.0') ? 1 : 2);
-
-ok(run(test(["rsa_mp_test"])), "running rsa multi prime test");
-
-my $cleartext = data_file("plain_text");
-
 # genrsa
-run_mp_tests(0) if !disabled('deprecated-3.0');
+run_mp_tests(0);
 # evp
 run_mp_tests(1);
 
@@ -60,9 +60,17 @@ sub run_mp_tests {
                          '-pkeyopt', "rsa_keygen_primes:$primes",
                          '-pkeyopt', "rsa_keygen_bits:$bits"])),
                "genrsa $name");
-            ok(run(app([ 'openssl', 'pkey', '-check',
-                         '-in', "rsamptest-$name.pem", '-noout'])),
-               "rsa -check $name");
+        } else {
+            ok(run(app([ 'openssl', 'genrsa', '-out', "rsamptest-$name.pem",
+                         '-primes', $primes, $bits])),
+               "genrsa $name");
+        }
+
+        ok(run(app([ 'openssl', 'rsa', '-check', '-in', "rsamptest-$name.pem",
+                     '-noout'])),
+           "rsa -check $name");
+
+        if ($evp) {
             ok(run(app([ 'openssl', 'pkeyutl', '-inkey', "rsamptest-$name.pem",
                          '-encrypt', '-in', $cleartext,
                          '-out', "rsamptest-$name.enc" ])),
@@ -72,11 +80,6 @@ sub run_mp_tests {
                          '-out', "rsamptest-$name.dec" ])),
                "rsa $name decrypt");
         } else {
-            ok(run(app([ 'openssl', 'genrsa', '-out', "rsamptest-$name.pem",
-                         '-primes', $primes, $bits])), "genrsa $name");
-            ok(run(app([ 'openssl', 'rsa', '-check',
-                         '-in', "rsamptest-$name.pem", '-noout'])),
-               "rsa -check $name");
             ok(run(app([ 'openssl', 'rsautl', '-inkey', "rsamptest-$name.pem",
                          '-encrypt', '-in', $cleartext,
                          '-out', "rsamptest-$name.enc" ])),
@@ -86,6 +89,7 @@ sub run_mp_tests {
                          '-out', "rsamptest-$name.dec" ])),
                "rsa $name decrypt");
         }
+
         ok(check_msg("rsamptest-$name.dec"), "rsa $name check result");
     }
 }
diff --git a/test/recipes/15-test_rsa.t b/test/recipes/15-test_rsa.t
index 2e8afa8213..3b1a0fcd5d 100644
--- a/test/recipes/15-test_rsa.t
+++ b/test/recipes/15-test_rsa.t
@@ -16,48 +16,32 @@ use OpenSSL::Test::Utils;
 
 setup("test_rsa");
 
-#plan skip_all => "RSA command line tool not built"
-#    if disabled("deprecated-3.0");
+plan tests => 6;
 
-plan tests => 10;
-
-require_ok(srctop_file('test', 'recipes', 'tconversion.pl'));
+require_ok(srctop_file('test','recipes','tconversion.pl'));
 
 ok(run(test(["rsa_test"])), "running rsatest");
 
-run_rsa_tests("pkey");
+ok(run(app([ 'openssl', 'rsa', '-check', '-in', srctop_file('test', 'testrsa.pem'), '-noout'])), "rsa -check");
 
  SKIP: {
-    skip "Skipping rsa command line tests", 4 if disabled('deprecated-3.0');
-
-    run_rsa_tests("rsa");
+     skip "Skipping rsa conversion test", 3
+	 if disabled("rsa");
+
+     subtest 'rsa conversions -- private key' => sub {
+	 tconversion("rsa", srctop_file("test","testrsa.pem"));
+     };
+     subtest 'rsa conversions -- private key PKCS#8' => sub {
+	 tconversion("rsa", srctop_file("test","testrsa.pem"), "pkey");
+     };
 }
 
-sub run_rsa_tests {
-    my $cmd = shift;
-
-    ok(run(app([ 'openssl', $cmd, '-check', '-in', srctop_file('test', 'testrsa.pem'), '-noout'])),
-           "$cmd -check" );
-
-     SKIP: {
-         skip "Skipping $cmd conversion test", 3
-	     if disabled("rsa");
-
-         subtest "$cmd conversions -- private key" => sub {
-	     tconversion($cmd, srctop_file("test", "testrsa.pem"));
-         };
-         subtest "$cmd conversions -- private key PKCS#8" => sub {
-	     tconversion($cmd, srctop_file("test", "testrsa.pem"), "pkey");
-         };
-    }
-
-     SKIP: {
-         skip "Skipping msblob conversion test", 1
-	     if disabled($cmd) || disabled("dsa") || $cmd == 'pkey';
-
-         subtest "$cmd conversions -- public key" => sub {
-	     tconversion("msb", srctop_file("test", "testrsapub.pem"), "rsa",
-		         "-pubin", "-pubout");
-         };
-    }
+ SKIP: {
+     skip "Skipping msblob conversion test", 1
+	 if disabled("rsa") || disabled("dsa");
+
+     subtest 'rsa conversions -- public key' => sub {
+	 tconversion("msb", srctop_file("test","testrsapub.pem"), "rsa",
+		     "-pubin", "-pubout");
+     };
 }
diff --git a/test/rsa_mp_test.c b/test/rsa_mp_test.c
index 53e2966997..baa9dd2272 100644
--- a/test/rsa_mp_test.c
+++ b/test/rsa_mp_test.c
@@ -10,12 +10,6 @@
 
 /* This aims to test the setting functions, including internal ones */
 
-/*
- * RSA low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
 #include <stdio.h>
 #include <string.h>
 
diff --git a/test/rsa_test.c b/test/rsa_test.c
index 1fbfe821cb..084f533ac1 100644
--- a/test/rsa_test.c
+++ b/test/rsa_test.c
@@ -9,12 +9,6 @@
 
 /* test vectors from p1ovect1.txt */
 
-/*
- * RSA low level APIs are deprecated for public use, but still ok for
- * internal use.
- */
-#include "internal/deprecated.h"
-
 #include <stdio.h>
 #include <string.h>
 
diff --git a/test/tls13secretstest.c b/test/tls13secretstest.c
index c6f65eaded..def78b9920 100644
--- a/test/tls13secretstest.c
+++ b/test/tls13secretstest.c
@@ -165,16 +165,9 @@ void RECORD_LAYER_reset_write_sequence(RECORD_LAYER *rl)
 {
 }
 
-int ssl_cipher_get_evp_cipher(SSL_CTX *ctx, const SSL_CIPHER *sslc,
-                                     const EVP_CIPHER **enc)
-{
-    return 0;
-}
-
-int ssl_cipher_get_evp(SSL_CTX *ctx, const SSL_SESSION *s,
-                       const EVP_CIPHER **enc, const EVP_MD **md,
-                       int *mac_pkey_type, size_t *mac_secret_size,
-                       SSL_COMP **comp, int use_etm)
+int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
+                       const EVP_MD **md, int *mac_pkey_type,
+                       size_t *mac_secret_size, SSL_COMP **comp, int use_etm)
 
 {
     return 0;
@@ -193,7 +186,7 @@ int ssl_log_secret(SSL *ssl,
     return 1;
 }
 
-const EVP_MD *ssl_md(SSL_CTX *ctx, int idx)
+const EVP_MD *ssl_md(int idx)
 {
     return EVP_sha256();
 }
@@ -213,14 +206,6 @@ int ossl_statem_export_early_allowed(SSL *s)
     return 1;
 }
 
-void ssl_evp_cipher_free(const EVP_CIPHER *cipher)
-{
-}
-
-void ssl_evp_md_free(const EVP_MD *md)
-{
-}
-
 /* End of mocked out code */
 
 static int test_secret(SSL *s, unsigned char *prk,
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 12761e4adc..f81fefb9b2 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -205,7 +205,7 @@ d2i_CRL_DIST_POINTS                     208	3_0_0	EXIST::FUNCTION:
 X509_CRL_INFO_free                      209	3_0_0	EXIST::FUNCTION:
 ERR_load_UI_strings                     210	3_0_0	EXIST::FUNCTION:
 ERR_load_strings                        211	3_0_0	EXIST::FUNCTION:
-RSA_X931_hash_id                        212	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_X931_hash_id                        212	3_0_0	EXIST::FUNCTION:RSA
 EC_KEY_set_method                       213	3_0_0	EXIST::FUNCTION:EC
 PEM_write_PKCS8_PRIV_KEY_INFO           214	3_0_0	EXIST::FUNCTION:STDIO
 X509at_get0_data_by_OBJ                 215	3_0_0	EXIST::FUNCTION:
@@ -241,7 +241,7 @@ MDC2                                    245	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3
 BN_clear_free                           246	3_0_0	EXIST::FUNCTION:
 ENGINE_get_pkey_asn1_meths              247	3_0_0	EXIST::FUNCTION:ENGINE
 DSO_merge                               248	3_0_0	EXIST::FUNCTION:
-RSA_get_ex_data                         249	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_get_ex_data                         249	3_0_0	EXIST::FUNCTION:RSA
 EVP_PKEY_meth_get_decrypt               250	3_0_0	EXIST::FUNCTION:
 DES_cfb_encrypt                         251	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,DES
 CMS_SignerInfo_set1_signer_cert         252	3_0_0	EXIST::FUNCTION:CMS
@@ -275,7 +275,7 @@ d2i_PKCS7_ENC_CONTENT                   280	3_0_0	EXIST::FUNCTION:
 BUF_MEM_grow                            281	3_0_0	EXIST::FUNCTION:
 TS_REQ_free                             282	3_0_0	EXIST::FUNCTION:TS
 PEM_read_DHparams                       283	3_0_0	EXIST::FUNCTION:DH,STDIO
-RSA_private_decrypt                     284	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_private_decrypt                     284	3_0_0	EXIST::FUNCTION:RSA
 X509V3_EXT_get_nid                      285	3_0_0	EXIST::FUNCTION:
 BIO_s_log                               286	3_0_0	EXIST::FUNCTION:
 EC_POINT_set_to_infinity                287	3_0_0	EXIST::FUNCTION:EC
@@ -345,7 +345,7 @@ RC4                                     350	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3
 PKCS7_stream                            352	3_0_0	EXIST::FUNCTION:
 i2t_ASN1_OBJECT                         353	3_0_0	EXIST::FUNCTION:
 EC_GROUP_get0_generator                 354	3_0_0	EXIST::FUNCTION:EC
-RSA_padding_add_PKCS1_PSS_mgf1          355	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_padding_add_PKCS1_PSS_mgf1          355	3_0_0	EXIST::FUNCTION:RSA
 EVP_MD_meth_set_init                    356	3_0_0	EXIST::FUNCTION:
 X509_get_issuer_name                    357	3_0_0	EXIST::FUNCTION:
 EVP_SignFinal                           358	3_0_0	EXIST::FUNCTION:
@@ -367,7 +367,7 @@ BIO_new_mem_buf                         373	3_0_0	EXIST::FUNCTION:
 UI_get_input_flags                      374	3_0_0	EXIST::FUNCTION:
 X509V3_EXT_REQ_add_nconf                375	3_0_0	EXIST::FUNCTION:
 X509v3_asid_subset                      376	3_0_0	EXIST::FUNCTION:RFC3779
-RSA_check_key_ex                        377	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_check_key_ex                        377	3_0_0	EXIST::FUNCTION:RSA
 d2i_TS_MSG_IMPRINT_bio                  378	3_0_0	EXIST::FUNCTION:TS
 i2d_ASN1_TYPE                           379	3_0_0	EXIST::FUNCTION:
 EVP_aes_256_wrap_pad                    380	3_0_0	EXIST::FUNCTION:
@@ -440,7 +440,7 @@ X509_get_default_private_dir            447	3_0_0	EXIST::FUNCTION:
 X509_STORE_CTX_set0_dane                448	3_0_0	EXIST::FUNCTION:
 EVP_des_ecb                             449	3_0_0	EXIST::FUNCTION:DES
 OCSP_resp_get0                          450	3_0_0	EXIST::FUNCTION:OCSP
-RSA_X931_generate_key_ex                452	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_X931_generate_key_ex                452	3_0_0	EXIST::FUNCTION:RSA
 X509_get_serialNumber                   453	3_0_0	EXIST::FUNCTION:
 BIO_sock_should_retry                   454	3_0_0	EXIST::FUNCTION:SOCK
 ENGINE_get_digests                      455	3_0_0	EXIST::FUNCTION:ENGINE
@@ -533,7 +533,7 @@ CONF_get_number                         544	3_0_0	EXIST::FUNCTION:
 X509_EXTENSION_get_object               545	3_0_0	EXIST::FUNCTION:
 X509_EXTENSIONS_it                      546	3_0_0	EXIST::FUNCTION:
 EC_POINT_set_compressed_coordinates_GF2m 547	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,EC,EC2M
-RSA_sign_ASN1_OCTET_STRING              548	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_sign_ASN1_OCTET_STRING              548	3_0_0	EXIST::FUNCTION:RSA
 d2i_X509_CRL_fp                         549	3_0_0	EXIST::FUNCTION:STDIO
 i2d_RSA_PUBKEY                          550	3_0_0	EXIST::FUNCTION:RSA
 EVP_aes_128_ccm                         551	3_0_0	EXIST::FUNCTION:
@@ -553,7 +553,7 @@ X509_EXTENSION_free                     564	3_0_0	EXIST::FUNCTION:
 EVP_DigestSignInit                      565	3_0_0	EXIST::FUNCTION:
 CT_POLICY_EVAL_CTX_get0_issuer          566	3_0_0	EXIST::FUNCTION:CT
 TLS_FEATURE_new                         567	3_0_0	EXIST::FUNCTION:
-RSA_get_default_method                  568	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_get_default_method                  568	3_0_0	EXIST::FUNCTION:RSA
 CRYPTO_cts128_encrypt_block             569	3_0_0	EXIST::FUNCTION:
 ASN1_digest                             570	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 ERR_load_X509V3_strings                 571	3_0_0	EXIST::FUNCTION:
@@ -726,7 +726,7 @@ BN_set_params                           744	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_0
 BN_add                                  745	3_0_0	EXIST::FUNCTION:
 OPENSSL_sk_free                         746	3_0_0	EXIST::FUNCTION:
 TS_TST_INFO_get_ext_d2i                 747	3_0_0	EXIST::FUNCTION:TS
-RSA_check_key                           748	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_check_key                           748	3_0_0	EXIST::FUNCTION:RSA
 TS_MSG_IMPRINT_set_algo                 749	3_0_0	EXIST::FUNCTION:TS
 BN_nist_mod_521                         750	3_0_0	EXIST::FUNCTION:
 CRYPTO_THREAD_get_local                 751	3_0_0	EXIST::FUNCTION:
@@ -838,18 +838,18 @@ X509_STORE_free                         858	3_0_0	EXIST::FUNCTION:
 ECDSA_sign_ex                           859	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 TXT_DB_insert                           860	3_0_0	EXIST::FUNCTION:
 EC_POINTs_make_affine                   861	3_0_0	EXIST::FUNCTION:EC
-RSA_padding_add_PKCS1_PSS               862	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_padding_add_PKCS1_PSS               862	3_0_0	EXIST::FUNCTION:RSA
 BF_options                              863	3_0_0	EXIST::FUNCTION:BF,DEPRECATEDIN_3_0
 OCSP_BASICRESP_it                       864	3_0_0	EXIST::FUNCTION:OCSP
 X509_VERIFY_PARAM_get0_name             865	3_0_0	EXIST::FUNCTION:
 TS_RESP_CTX_set_signer_digest           866	3_0_0	EXIST::FUNCTION:TS
 X509_VERIFY_PARAM_set1_email            867	3_0_0	EXIST::FUNCTION:
 BIO_sock_error                          868	3_0_0	EXIST::FUNCTION:SOCK
-RSA_set_default_method                  869	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_set_default_method                  869	3_0_0	EXIST::FUNCTION:RSA
 BN_GF2m_mod_sqrt_arr                    870	3_0_0	EXIST::FUNCTION:EC2M
 X509_get0_extensions                    871	3_0_0	EXIST::FUNCTION:
 TS_STATUS_INFO_set_status               872	3_0_0	EXIST::FUNCTION:TS
-RSA_verify                              873	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_verify                              873	3_0_0	EXIST::FUNCTION:RSA
 ASN1_FBOOLEAN_it                        874	3_0_0	EXIST::FUNCTION:
 d2i_ASN1_TIME                           875	3_0_0	EXIST::FUNCTION:
 EVP_PKEY_meth_get_signctx               876	3_0_0	EXIST::FUNCTION:
@@ -899,7 +899,7 @@ CONF_set_default_method                 920	3_0_0	EXIST::FUNCTION:
 ASN1_PCTX_get_nm_flags                  921	3_0_0	EXIST::FUNCTION:
 X509_add1_ext_i2d                       922	3_0_0	EXIST::FUNCTION:
 i2d_PKCS7_RECIP_INFO                    924	3_0_0	EXIST::FUNCTION:
-PKCS1_MGF1                              925	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+PKCS1_MGF1                              925	3_0_0	EXIST::FUNCTION:RSA
 BIO_vsnprintf                           926	3_0_0	EXIST::FUNCTION:
 X509_STORE_CTX_get0_current_issuer      927	3_0_0	EXIST::FUNCTION:
 CRYPTO_secure_malloc_initialized        928	3_0_0	EXIST::FUNCTION:
@@ -936,7 +936,7 @@ PKEY_USAGE_PERIOD_new                   959	3_0_0	EXIST::FUNCTION:
 OBJ_NAME_init                           960	3_0_0	EXIST::FUNCTION:
 EVP_PKEY_meth_set_keygen                961	3_0_0	EXIST::FUNCTION:
 RSA_PSS_PARAMS_new                      962	3_0_0	EXIST::FUNCTION:RSA
-RSA_sign                                963	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_sign                                963	3_0_0	EXIST::FUNCTION:RSA
 EVP_DigestVerifyFinal                   964	3_0_0	EXIST::FUNCTION:
 d2i_RSA_PUBKEY_bio                      965	3_0_0	EXIST::FUNCTION:RSA
 TS_RESP_dup                             966	3_0_0	EXIST::FUNCTION:TS
@@ -1078,7 +1078,7 @@ PEM_read_bio_EC_PUBKEY                  1104	3_0_0	EXIST::FUNCTION:EC
 BN_MONT_CTX_set                         1105	3_0_0	EXIST::FUNCTION:
 TS_CONF_set_serial                      1106	3_0_0	EXIST::FUNCTION:TS
 X509_NAME_ENTRY_new                     1107	3_0_0	EXIST::FUNCTION:
-RSA_security_bits                       1108	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_security_bits                       1108	3_0_0	EXIST::FUNCTION:RSA
 X509v3_addr_add_prefix                  1109	3_0_0	EXIST::FUNCTION:RFC3779
 X509_REQ_print_fp                       1110	3_0_0	EXIST::FUNCTION:STDIO
 ASN1_item_ex_new                        1111	3_0_0	EXIST::FUNCTION:
@@ -1089,7 +1089,7 @@ ASN1_TYPE_get                           1115	3_0_0	EXIST::FUNCTION:
 i2d_X509_EXTENSIONS                     1116	3_0_0	EXIST::FUNCTION:
 X509_STORE_CTX_get0_store               1117	3_0_0	EXIST::FUNCTION:
 PKCS12_pack_p7data                      1118	3_0_0	EXIST::FUNCTION:
-RSA_print_fp                            1119	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA,STDIO
+RSA_print_fp                            1119	3_0_0	EXIST::FUNCTION:RSA,STDIO
 OPENSSL_INIT_set_config_appname         1120	3_0_0	EXIST::FUNCTION:STDIO
 EC_KEY_print_fp                         1121	3_0_0	EXIST::FUNCTION:EC,STDIO
 BIO_dup_chain                           1122	3_0_0	EXIST::FUNCTION:
@@ -1192,7 +1192,7 @@ OCSP_CERTSTATUS_it                      1218	3_0_0	EXIST::FUNCTION:OCSP
 BIO_f_reliable                          1219	3_0_0	EXIST::FUNCTION:
 OCSP_resp_count                         1220	3_0_0	EXIST::FUNCTION:OCSP
 i2d_X509_AUX                            1221	3_0_0	EXIST::FUNCTION:
-RSA_verify_PKCS1_PSS_mgf1               1222	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_verify_PKCS1_PSS_mgf1               1222	3_0_0	EXIST::FUNCTION:RSA
 X509_time_adj                           1223	3_0_0	EXIST::FUNCTION:
 EVP_PKEY_asn1_find_str                  1224	3_0_0	EXIST::FUNCTION:
 X509_VERIFY_PARAM_get_flags             1225	3_0_0	EXIST::FUNCTION:
@@ -1209,7 +1209,7 @@ X509_NAME_hash_old                      1235	3_0_0	EXIST::FUNCTION:
 PBKDF2PARAM_free                        1236	3_0_0	EXIST::FUNCTION:
 i2d_CMS_ContentInfo                     1237	3_0_0	EXIST::FUNCTION:CMS
 EVP_CIPHER_meth_set_ctrl                1238	3_0_0	EXIST::FUNCTION:
-RSA_public_decrypt                      1239	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_public_decrypt                      1239	3_0_0	EXIST::FUNCTION:RSA
 ENGINE_get_id                           1240	3_0_0	EXIST::FUNCTION:ENGINE
 PKCS12_item_decrypt_d2i                 1241	3_0_0	EXIST::FUNCTION:
 PEM_read_bio_DSAparams                  1242	3_0_0	EXIST::FUNCTION:DSA
@@ -1299,7 +1299,7 @@ EVP_CIPHER_do_all                       1327	3_0_0	EXIST::FUNCTION:
 POLICY_MAPPINGS_it                      1328	3_0_0	EXIST::FUNCTION:
 SCT_set0_log_id                         1329	3_0_0	EXIST::FUNCTION:CT
 CRYPTO_cfb128_encrypt                   1330	3_0_0	EXIST::FUNCTION:
-RSA_padding_add_PKCS1_type_2            1331	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_padding_add_PKCS1_type_2            1331	3_0_0	EXIST::FUNCTION:RSA
 TS_CONF_set_signer_cert                 1332	3_0_0	EXIST::FUNCTION:TS
 i2d_ASN1_OBJECT                         1333	3_0_0	EXIST::FUNCTION:
 d2i_PKCS8_PRIV_KEY_INFO_bio             1334	3_0_0	EXIST::FUNCTION:
@@ -1392,7 +1392,7 @@ EVP_PBE_get                             1424	3_0_0	EXIST::FUNCTION:
 CRYPTO_nistcts128_encrypt               1425	3_0_0	EXIST::FUNCTION:
 CONF_modules_finish                     1426	3_0_0	EXIST::FUNCTION:
 BN_value_one                            1427	3_0_0	EXIST::FUNCTION:
-RSA_padding_add_SSLv23                  1428	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_padding_add_SSLv23                  1428	3_0_0	EXIST::FUNCTION:RSA
 OCSP_RESPBYTES_it                       1429	3_0_0	EXIST::FUNCTION:OCSP
 EVP_aes_192_wrap                        1430	3_0_0	EXIST::FUNCTION:
 OCSP_CERTID_it                          1431	3_0_0	EXIST::FUNCTION:OCSP
@@ -1559,7 +1559,7 @@ CTLOG_get0_name                         1593	3_0_0	EXIST::FUNCTION:CT
 ASN1_TBOOLEAN_it                        1594	3_0_0	EXIST::FUNCTION:
 RC2_set_key                             1595	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RC2
 X509_REVOKED_get_ext_by_NID             1596	3_0_0	EXIST::FUNCTION:
-RSA_padding_add_none                    1597	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_padding_add_none                    1597	3_0_0	EXIST::FUNCTION:RSA
 EVP_rc5_32_12_16_cbc                    1599	3_0_0	EXIST::FUNCTION:RC5
 PEM_dek_info                            1600	3_0_0	EXIST::FUNCTION:
 ASN1_SCTX_get_template                  1601	3_0_0	EXIST::FUNCTION:
@@ -1613,7 +1613,7 @@ i2d_EDIPARTYNAME                        1649	3_0_0	EXIST::FUNCTION:
 X509_policy_tree_get0_policies          1650	3_0_0	EXIST::FUNCTION:
 X509at_add1_attr                        1651	3_0_0	EXIST::FUNCTION:
 X509_get_ex_data                        1653	3_0_0	EXIST::FUNCTION:
-RSA_set_method                          1654	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_set_method                          1654	3_0_0	EXIST::FUNCTION:RSA
 X509_REVOKED_dup                        1655	3_0_0	EXIST::FUNCTION:
 ASN1_TIME_new                           1656	3_0_0	EXIST::FUNCTION:
 PEM_write_NETSCAPE_CERT_SEQUENCE        1657	3_0_0	EXIST::FUNCTION:STDIO
@@ -1664,7 +1664,7 @@ ESS_SIGNING_CERT_dup                    1701	3_0_0	EXIST::FUNCTION:
 ENGINE_set_default_DSA                  1702	3_0_0	EXIST::FUNCTION:ENGINE
 X509_REVOKED_new                        1703	3_0_0	EXIST::FUNCTION:
 NCONF_WIN32                             1704	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
-RSA_padding_check_PKCS1_OAEP_mgf1       1705	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_padding_check_PKCS1_OAEP_mgf1       1705	3_0_0	EXIST::FUNCTION:RSA
 X509_policy_tree_get0_level             1706	3_0_0	EXIST::FUNCTION:
 ASN1_parse_dump                         1708	3_0_0	EXIST::FUNCTION:
 BIO_vfree                               1709	3_0_0	EXIST::FUNCTION:
@@ -1831,7 +1831,7 @@ OCSP_single_get0_status                 1873	3_0_0	EXIST::FUNCTION:OCSP
 d2i_AUTHORITY_INFO_ACCESS               1874	3_0_0	EXIST::FUNCTION:
 PEM_read_RSAPrivateKey                  1875	3_0_0	EXIST::FUNCTION:RSA,STDIO
 BIO_closesocket                         1876	3_0_0	EXIST::FUNCTION:SOCK
-RSA_verify_ASN1_OCTET_STRING            1877	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_verify_ASN1_OCTET_STRING            1877	3_0_0	EXIST::FUNCTION:RSA
 SCT_set_log_entry_type                  1878	3_0_0	EXIST::FUNCTION:CT
 BN_new                                  1879	3_0_0	EXIST::FUNCTION:
 X509_OBJECT_retrieve_by_subject         1880	3_0_0	EXIST::FUNCTION:
@@ -2070,7 +2070,7 @@ i2d_ASIdentifiers                       2115	3_0_0	EXIST::FUNCTION:RFC3779
 X509V3_EXT_cleanup                      2116	3_0_0	EXIST::FUNCTION:
 CAST_ecb_encrypt                        2117	3_0_0	EXIST::FUNCTION:CAST,DEPRECATEDIN_3_0
 BIO_s_file                              2118	3_0_0	EXIST::FUNCTION:
-RSA_X931_derive_ex                      2119	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_X931_derive_ex                      2119	3_0_0	EXIST::FUNCTION:RSA
 EVP_PKEY_decrypt_init                   2120	3_0_0	EXIST::FUNCTION:
 ENGINE_get_destroy_function             2121	3_0_0	EXIST::FUNCTION:ENGINE
 SHA224_Init                             2122	3_0_0	EXIST::FUNCTION:
@@ -2252,7 +2252,7 @@ ESS_ISSUER_SERIAL_free                  2299	3_0_0	EXIST::FUNCTION:
 BN_mod_exp_mont_word                    2300	3_0_0	EXIST::FUNCTION:
 X509V3_EXT_nconf_nid                    2301	3_0_0	EXIST::FUNCTION:
 UTF8_putc                               2302	3_0_0	EXIST::FUNCTION:
-RSA_private_encrypt                     2303	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_private_encrypt                     2303	3_0_0	EXIST::FUNCTION:RSA
 X509_LOOKUP_shutdown                    2304	3_0_0	EXIST::FUNCTION:
 TS_TST_INFO_set_accuracy                2305	3_0_0	EXIST::FUNCTION:TS
 OCSP_basic_verify                       2306	3_0_0	EXIST::FUNCTION:OCSP
@@ -2348,7 +2348,7 @@ X509_LOOKUP_by_alias                    2396	3_0_0	EXIST::FUNCTION:
 EC_KEY_set_conv_form                    2397	3_0_0	EXIST::FUNCTION:EC
 X509_TRUST_get_count                    2399	3_0_0	EXIST::FUNCTION:
 IPAddressOrRange_free                   2400	3_0_0	EXIST::FUNCTION:RFC3779
-RSA_padding_add_PKCS1_OAEP              2401	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_padding_add_PKCS1_OAEP              2401	3_0_0	EXIST::FUNCTION:RSA
 EC_KEY_set_ex_data                      2402	3_0_0	EXIST::FUNCTION:EC
 SRP_VBASE_new                           2403	3_0_0	EXIST::FUNCTION:SRP
 i2d_ECDSA_SIG                           2404	3_0_0	EXIST::FUNCTION:EC
@@ -2375,7 +2375,7 @@ ASN1_GENERALIZEDTIME_it                 2425	3_0_0	EXIST::FUNCTION:
 PKCS8_pkey_get0                         2426	3_0_0	EXIST::FUNCTION:
 OCSP_sendreq_new                        2427	3_0_0	EXIST::FUNCTION:OCSP
 EVP_aes_256_cfb128                      2428	3_0_0	EXIST::FUNCTION:
-RSA_set_ex_data                         2429	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_set_ex_data                         2429	3_0_0	EXIST::FUNCTION:RSA
 BN_GENCB_call                           2430	3_0_0	EXIST::FUNCTION:
 X509V3_EXT_add_nconf_sk                 2431	3_0_0	EXIST::FUNCTION:
 i2d_TS_MSG_IMPRINT_fp                   2432	3_0_0	EXIST::FUNCTION:STDIO,TS
@@ -2521,7 +2521,7 @@ EVP_CIPHER_meth_get_cleanup             2574	3_0_0	EXIST::FUNCTION:
 ASN1_item_ex_d2i                        2575	3_0_0	EXIST::FUNCTION:
 EVP_MD_meth_free                        2576	3_0_0	EXIST::FUNCTION:
 EVP_PKEY_meth_new                       2577	3_0_0	EXIST::FUNCTION:
-RSA_padding_check_PKCS1_OAEP            2578	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_padding_check_PKCS1_OAEP            2578	3_0_0	EXIST::FUNCTION:RSA
 OCSP_SERVICELOC_it                      2579	3_0_0	EXIST::FUNCTION:OCSP
 PKCS12_SAFEBAG_get_nid                  2580	3_0_0	EXIST::FUNCTION:
 EVP_MD_CTX_set_update_fn                2581	3_0_0	EXIST::FUNCTION:
@@ -2586,7 +2586,7 @@ d2i_PBKDF2PARAM                         2640	3_0_0	EXIST::FUNCTION:
 ERR_load_COMP_strings                   2641	3_0_0	EXIST::FUNCTION:COMP
 EVP_PKEY_meth_add0                      2642	3_0_0	EXIST::FUNCTION:
 EVP_rc4_40                              2643	3_0_0	EXIST::FUNCTION:RC4
-RSA_bits                                2645	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_bits                                2645	3_0_0	EXIST::FUNCTION:RSA
 ASN1_item_dup                           2646	3_0_0	EXIST::FUNCTION:
 GENERAL_NAMES_it                        2647	3_0_0	EXIST::FUNCTION:
 X509_issuer_name_hash                   2648	3_0_0	EXIST::FUNCTION:
@@ -2610,7 +2610,7 @@ X509_load_cert_file                     2665	3_0_0	EXIST::FUNCTION:
 EC_GFp_nistp521_method                  2667	3_0_0	EXIST::FUNCTION:EC,EC_NISTP_64_GCC_128
 ECDSA_SIG_free                          2668	3_0_0	EXIST::FUNCTION:EC
 d2i_PKCS12_BAGS                         2669	3_0_0	EXIST::FUNCTION:
-RSA_public_encrypt                      2670	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_public_encrypt                      2670	3_0_0	EXIST::FUNCTION:RSA
 X509_CRL_get0_extensions                2671	3_0_0	EXIST::FUNCTION:
 CMS_digest_verify                       2672	3_0_0	EXIST::FUNCTION:CMS
 ASN1_GENERALIZEDTIME_set                2673	3_0_0	EXIST::FUNCTION:
@@ -2839,7 +2839,7 @@ ENGINE_get_last                         2900	3_0_0	EXIST::FUNCTION:ENGINE
 EVP_PKEY_encrypt_init                   2901	3_0_0	EXIST::FUNCTION:
 i2d_RSAPrivateKey_fp                    2902	3_0_0	EXIST::FUNCTION:RSA,STDIO
 X509_REQ_print                          2903	3_0_0	EXIST::FUNCTION:
-RSA_size                                2904	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_size                                2904	3_0_0	EXIST::FUNCTION:RSA
 EVP_CIPHER_CTX_iv_noconst               2905	3_0_0	EXIST::FUNCTION:
 DH_set_default_method                   2906	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,DH
 X509_ALGOR_new                          2907	3_0_0	EXIST::FUNCTION:
@@ -2933,7 +2933,7 @@ SHA384                                  2995	3_0_0	EXIST::FUNCTION:
 NCONF_get_string                        2996	3_0_0	EXIST::FUNCTION:
 d2i_PROXY_CERT_INFO_EXTENSION           2997	3_0_0	EXIST::FUNCTION:
 EC_POINT_point2buf                      2998	3_0_0	EXIST::FUNCTION:EC
-RSA_padding_add_PKCS1_OAEP_mgf1         2999	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_padding_add_PKCS1_OAEP_mgf1         2999	3_0_0	EXIST::FUNCTION:RSA
 COMP_CTX_get_type                       3000	3_0_0	EXIST::FUNCTION:COMP
 TS_RESP_CTX_set_status_info             3001	3_0_0	EXIST::FUNCTION:TS
 BIO_f_nbio_test                         3002	3_0_0	EXIST::FUNCTION:
@@ -3014,7 +3014,7 @@ ENGINE_load_private_key                 3078	3_0_0	EXIST::FUNCTION:ENGINE
 GENERAL_NAMES_new                       3079	3_0_0	EXIST::FUNCTION:
 i2d_POLICYQUALINFO                      3080	3_0_0	EXIST::FUNCTION:
 EC_GF2m_simple_method                   3081	3_0_0	EXIST::FUNCTION:EC,EC2M
-RSA_get_method                          3082	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_get_method                          3082	3_0_0	EXIST::FUNCTION:RSA
 d2i_ASRange                             3083	3_0_0	EXIST::FUNCTION:RFC3779
 CMS_ContentInfo_new                     3084	3_0_0	EXIST::FUNCTION:CMS
 OPENSSL_init_crypto                     3085	3_0_0	EXIST::FUNCTION:
@@ -3053,7 +3053,7 @@ i2d_RSA_PSS_PARAMS                      3117	3_0_0	EXIST::FUNCTION:RSA
 EVP_aes_128_wrap_pad                    3118	3_0_0	EXIST::FUNCTION:
 ASN1_BIT_STRING_set                     3119	3_0_0	EXIST::FUNCTION:
 PKCS5_PBKDF2_HMAC_SHA1                  3120	3_0_0	EXIST::FUNCTION:
-RSA_padding_check_PKCS1_type_2          3121	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_padding_check_PKCS1_type_2          3121	3_0_0	EXIST::FUNCTION:RSA
 EVP_des_ede3_ecb                        3122	3_0_0	EXIST::FUNCTION:DES
 CBIGNUM_it                              3123	3_0_0	EXIST::FUNCTION:
 BIO_new_NDEF                            3124	3_0_0	EXIST::FUNCTION:
@@ -3124,7 +3124,7 @@ BN_mod_add                              3189	3_0_0	EXIST::FUNCTION:
 EC_POINT_set_affine_coordinates_GFp     3190	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 X509_get_default_cert_file              3191	3_0_0	EXIST::FUNCTION:
 UI_method_set_flusher                   3192	3_0_0	EXIST::FUNCTION:
-RSA_new_method                          3193	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_new_method                          3193	3_0_0	EXIST::FUNCTION:RSA
 OCSP_request_verify                     3194	3_0_0	EXIST::FUNCTION:OCSP
 CRYPTO_THREAD_run_once                  3195	3_0_0	EXIST::FUNCTION:
 TS_REQ_print_bio                        3196	3_0_0	EXIST::FUNCTION:TS
@@ -3211,7 +3211,7 @@ POLICY_CONSTRAINTS_free                 3277	3_0_0	EXIST::FUNCTION:
 EVP_aes_256_cfb8                        3278	3_0_0	EXIST::FUNCTION:
 d2i_DSA_PUBKEY_bio                      3279	3_0_0	EXIST::FUNCTION:DSA
 X509_NAME_get_text_by_OBJ               3280	3_0_0	EXIST::FUNCTION:
-RSA_padding_check_none                  3281	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_padding_check_none                  3281	3_0_0	EXIST::FUNCTION:RSA
 CRYPTO_set_mem_debug                    3282	3_0_0	EXIST::FUNCTION:CRYPTO_MDEBUG,DEPRECATEDIN_3_0
 TS_VERIFY_CTX_init                      3283	3_0_0	EXIST::FUNCTION:TS
 OCSP_cert_id_new                        3284	3_0_0	EXIST::FUNCTION:OCSP
@@ -3265,7 +3265,7 @@ X509_PKEY_free                          3332	3_0_0	EXIST::FUNCTION:
 OCSP_CRLID_new                          3333	3_0_0	EXIST::FUNCTION:OCSP
 CONF_dump_bio                           3334	3_0_0	EXIST::FUNCTION:
 d2i_PKCS8PrivateKey_fp                  3335	3_0_0	EXIST::FUNCTION:STDIO
-RSA_setup_blinding                      3336	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_setup_blinding                      3336	3_0_0	EXIST::FUNCTION:RSA
 ERR_peek_error_line                     3337	3_0_0	EXIST::FUNCTION:
 d2i_PKCS7                               3338	3_0_0	EXIST::FUNCTION:
 ERR_reason_error_string                 3339	3_0_0	EXIST::FUNCTION:
@@ -3286,7 +3286,7 @@ OPENSSL_sk_is_sorted                    3353	3_0_0	EXIST::FUNCTION:
 OCSP_SIGNATURE_new                      3354	3_0_0	EXIST::FUNCTION:OCSP
 EVP_PKEY_meth_get_paramgen              3355	3_0_0	EXIST::FUNCTION:
 X509_ATTRIBUTE_create_by_OBJ            3356	3_0_0	EXIST::FUNCTION:
-RSA_generate_key_ex                     3357	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_generate_key_ex                     3357	3_0_0	EXIST::FUNCTION:RSA
 CMS_SignerInfo_get0_algs                3358	3_0_0	EXIST::FUNCTION:CMS
 DIST_POINT_free                         3359	3_0_0	EXIST::FUNCTION:
 ESS_SIGNING_CERT_free                   3360	3_0_0	EXIST::FUNCTION:
@@ -3302,7 +3302,7 @@ PKCS7_ENVELOPE_new                      3369	3_0_0	EXIST::FUNCTION:
 EDIPARTYNAME_new                        3370	3_0_0	EXIST::FUNCTION:
 CMS_add1_cert                           3371	3_0_0	EXIST::FUNCTION:CMS
 DSO_convert_filename                    3372	3_0_0	EXIST::FUNCTION:
-RSA_padding_check_SSLv23                3373	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_padding_check_SSLv23                3373	3_0_0	EXIST::FUNCTION:RSA
 CRYPTO_gcm128_finish                    3374	3_0_0	EXIST::FUNCTION:
 PKCS12_SAFEBAGS_it                      3375	3_0_0	EXIST::FUNCTION:
 PKCS12_PBE_add                          3376	3_0_0	EXIST::FUNCTION:
@@ -3393,7 +3393,7 @@ BIO_number_written                      3463	3_0_0	EXIST::FUNCTION:
 TS_TST_INFO_set_msg_imprint             3464	3_0_0	EXIST::FUNCTION:TS
 CRYPTO_get_ex_data                      3465	3_0_0	EXIST::FUNCTION:
 X509_PURPOSE_get0_sname                 3466	3_0_0	EXIST::FUNCTION:
-RSA_verify_PKCS1_PSS                    3467	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_verify_PKCS1_PSS                    3467	3_0_0	EXIST::FUNCTION:RSA
 HMAC_CTX_reset                          3468	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 EVP_PKEY_meth_set_init                  3469	3_0_0	EXIST::FUNCTION:
 X509_REQ_extension_nid                  3470	3_0_0	EXIST::FUNCTION:
@@ -3558,7 +3558,7 @@ SHA384_Update                           3635	3_0_0	EXIST::FUNCTION:
 CRYPTO_cfb128_1_encrypt                 3636	3_0_0	EXIST::FUNCTION:
 BIO_set_cipher                          3637	3_0_0	EXIST::FUNCTION:
 PEM_read_PUBKEY                         3638	3_0_0	EXIST::FUNCTION:STDIO
-RSA_PKCS1_OpenSSL                       3639	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_PKCS1_OpenSSL                       3639	3_0_0	EXIST::FUNCTION:RSA
 AUTHORITY_INFO_ACCESS_free              3640	3_0_0	EXIST::FUNCTION:
 SCT_get0_signature                      3641	3_0_0	EXIST::FUNCTION:CT
 DISPLAYTEXT_it                          3643	3_0_0	EXIST::FUNCTION:
@@ -3569,7 +3569,7 @@ X509_REQ_set_extension_nids             3647	3_0_0	EXIST::FUNCTION:
 X509_free                               3648	3_0_0	EXIST::FUNCTION:
 ERR_load_ERR_strings                    3649	3_0_0	EXIST::FUNCTION:
 ASN1_const_check_infinite_end           3650	3_0_0	EXIST::FUNCTION:
-RSA_null_method                         3651	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_null_method                         3651	3_0_0	EXIST::FUNCTION:RSA
 TS_REQ_ext_free                         3652	3_0_0	EXIST::FUNCTION:TS
 EVP_PKEY_meth_get_encrypt               3653	3_0_0	EXIST::FUNCTION:
 Camellia_ecb_encrypt                    3654	3_0_0	EXIST::FUNCTION:CAMELLIA,DEPRECATEDIN_3_0
@@ -3604,7 +3604,7 @@ BIO_ADDR_free                           3683	3_0_0	EXIST::FUNCTION:SOCK
 ASN1_STRING_free                        3684	3_0_0	EXIST::FUNCTION:
 X509_VERIFY_PARAM_inherit               3685	3_0_0	EXIST::FUNCTION:
 EC_GROUP_get_curve_name                 3686	3_0_0	EXIST::FUNCTION:EC
-RSA_print                               3687	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_print                               3687	3_0_0	EXIST::FUNCTION:RSA
 i2d_ASN1_BMPSTRING                      3688	3_0_0	EXIST::FUNCTION:
 EVP_PKEY_decrypt_old                    3689	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0
 ASN1_UTCTIME_cmp_time_t                 3690	3_0_0	EXIST::FUNCTION:
@@ -3678,7 +3678,7 @@ BIO_set_callback                        3757	3_0_0	EXIST::FUNCTION:
 BN_GF2m_poly2arr                        3758	3_0_0	EXIST::FUNCTION:EC2M
 CMS_unsigned_get_attr_count             3759	3_0_0	EXIST::FUNCTION:CMS
 EVP_aes_256_gcm                         3760	3_0_0	EXIST::FUNCTION:
-RSA_padding_check_X931                  3761	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_padding_check_X931                  3761	3_0_0	EXIST::FUNCTION:RSA
 ECDH_compute_key                        3762	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 ASN1_TIME_print                         3763	3_0_0	EXIST::FUNCTION:
 EVP_PKEY_CTX_get0_peerkey               3764	3_0_0	EXIST::FUNCTION:
@@ -3759,7 +3759,7 @@ i2d_ASN1_INTEGER                        3840	3_0_0	EXIST::FUNCTION:
 OCSP_SINGLERESP_add1_ext_i2d            3841	3_0_0	EXIST::FUNCTION:OCSP
 PKCS7_add_signed_attribute              3842	3_0_0	EXIST::FUNCTION:
 i2d_PrivateKey_bio                      3843	3_0_0	EXIST::FUNCTION:
-RSA_padding_add_PKCS1_type_1            3844	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_padding_add_PKCS1_type_1            3844	3_0_0	EXIST::FUNCTION:RSA
 i2d_re_X509_tbs                         3845	3_0_0	EXIST::FUNCTION:
 EVP_CIPHER_iv_length                    3846	3_0_0	EXIST::FUNCTION:
 OCSP_REQ_CTX_get0_mem_bio               3847	3_0_0	EXIST::FUNCTION:
@@ -3908,44 +3908,44 @@ X509_VERIFY_PARAM_set_auth_level        3991	3_0_0	EXIST::FUNCTION:
 X509_VERIFY_PARAM_get_auth_level        3992	3_0_0	EXIST::FUNCTION:
 X509_REQ_get0_pubkey                    3993	3_0_0	EXIST::FUNCTION:
 RSA_set0_key                            3994	3_0_0	EXIST::FUNCTION:RSA
-RSA_meth_get_flags                      3995	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
-RSA_meth_set_finish                     3996	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
-RSA_meth_get_priv_dec                   3997	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
-RSA_meth_get_sign                       3998	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
-RSA_meth_get_bn_mod_exp                 3999	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_meth_get_flags                      3995	3_0_0	EXIST::FUNCTION:RSA
+RSA_meth_set_finish                     3996	3_0_0	EXIST::FUNCTION:RSA
+RSA_meth_get_priv_dec                   3997	3_0_0	EXIST::FUNCTION:RSA
+RSA_meth_get_sign                       3998	3_0_0	EXIST::FUNCTION:RSA
+RSA_meth_get_bn_mod_exp                 3999	3_0_0	EXIST::FUNCTION:RSA
 RSA_test_flags                          4000	3_0_0	EXIST::FUNCTION:RSA
-RSA_meth_new                            4001	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
-RSA_meth_get0_app_data                  4002	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
-RSA_meth_dup                            4003	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
-RSA_meth_set1_name                      4004	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
-RSA_meth_set0_app_data                  4005	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_meth_new                            4001	3_0_0	EXIST::FUNCTION:RSA
+RSA_meth_get0_app_data                  4002	3_0_0	EXIST::FUNCTION:RSA
+RSA_meth_dup                            4003	3_0_0	EXIST::FUNCTION:RSA
+RSA_meth_set1_name                      4004	3_0_0	EXIST::FUNCTION:RSA
+RSA_meth_set0_app_data                  4005	3_0_0	EXIST::FUNCTION:RSA
 RSA_set_flags                           4006	3_0_0	EXIST::FUNCTION:RSA
-RSA_meth_set_sign                       4007	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_meth_set_sign                       4007	3_0_0	EXIST::FUNCTION:RSA
 RSA_clear_flags                         4008	3_0_0	EXIST::FUNCTION:RSA
-RSA_meth_get_keygen                     4009	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
-RSA_meth_set_keygen                     4010	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
-RSA_meth_set_pub_dec                    4011	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
-RSA_meth_get_finish                     4012	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_meth_get_keygen                     4009	3_0_0	EXIST::FUNCTION:RSA
+RSA_meth_set_keygen                     4010	3_0_0	EXIST::FUNCTION:RSA
+RSA_meth_set_pub_dec                    4011	3_0_0	EXIST::FUNCTION:RSA
+RSA_meth_get_finish                     4012	3_0_0	EXIST::FUNCTION:RSA
 RSA_get0_key                            4013	3_0_0	EXIST::FUNCTION:RSA
-RSA_get0_engine                         4014	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
-RSA_meth_set_priv_enc                   4015	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
-RSA_meth_set_verify                     4016	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_get0_engine                         4014	3_0_0	EXIST::FUNCTION:RSA
+RSA_meth_set_priv_enc                   4015	3_0_0	EXIST::FUNCTION:RSA
+RSA_meth_set_verify                     4016	3_0_0	EXIST::FUNCTION:RSA
 RSA_get0_factors                        4017	3_0_0	EXIST::FUNCTION:RSA
-RSA_meth_get0_name                      4018	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
-RSA_meth_get_mod_exp                    4019	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
-RSA_meth_set_flags                      4020	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
-RSA_meth_get_pub_dec                    4021	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
-RSA_meth_set_bn_mod_exp                 4022	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
-RSA_meth_get_init                       4023	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
-RSA_meth_free                           4024	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
-RSA_meth_get_pub_enc                    4025	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
-RSA_meth_set_mod_exp                    4026	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_meth_get0_name                      4018	3_0_0	EXIST::FUNCTION:RSA
+RSA_meth_get_mod_exp                    4019	3_0_0	EXIST::FUNCTION:RSA
+RSA_meth_set_flags                      4020	3_0_0	EXIST::FUNCTION:RSA
+RSA_meth_get_pub_dec                    4021	3_0_0	EXIST::FUNCTION:RSA
+RSA_meth_set_bn_mod_exp                 4022	3_0_0	EXIST::FUNCTION:RSA
+RSA_meth_get_init                       4023	3_0_0	EXIST::FUNCTION:RSA
+RSA_meth_free                           4024	3_0_0	EXIST::FUNCTION:RSA
+RSA_meth_get_pub_enc                    4025	3_0_0	EXIST::FUNCTION:RSA
+RSA_meth_set_mod_exp                    4026	3_0_0	EXIST::FUNCTION:RSA
 RSA_set0_factors                        4027	3_0_0	EXIST::FUNCTION:RSA
-RSA_meth_set_pub_enc                    4028	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
-RSA_meth_set_priv_dec                   4029	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
-RSA_meth_get_verify                     4030	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
-RSA_meth_set_init                       4031	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
-RSA_meth_get_priv_enc                   4032	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_meth_set_pub_enc                    4028	3_0_0	EXIST::FUNCTION:RSA
+RSA_meth_set_priv_dec                   4029	3_0_0	EXIST::FUNCTION:RSA
+RSA_meth_get_verify                     4030	3_0_0	EXIST::FUNCTION:RSA
+RSA_meth_set_init                       4031	3_0_0	EXIST::FUNCTION:RSA
+RSA_meth_get_priv_enc                   4032	3_0_0	EXIST::FUNCTION:RSA
 RSA_set0_crt_params                     4037	3_0_0	EXIST::FUNCTION:RSA
 RSA_get0_crt_params                     4038	3_0_0	EXIST::FUNCTION:RSA
 DH_set0_pqg                             4039	3_0_0	EXIST::FUNCTION:DH
@@ -4899,7 +4899,7 @@ d2i_X509_PUBKEY_fp                      ?	3_0_0	EXIST::FUNCTION:STDIO
 i2d_X509_PUBKEY_fp                      ?	3_0_0	EXIST::FUNCTION:STDIO
 d2i_X509_PUBKEY_bio                     ?	3_0_0	EXIST::FUNCTION:
 i2d_X509_PUBKEY_bio                     ?	3_0_0	EXIST::FUNCTION:
-RSA_get0_pss_params                     ?	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_3_0,RSA
+RSA_get0_pss_params                     ?	3_0_0	EXIST::FUNCTION:RSA
 X509_cmp_timeframe                      ?	3_0_0	EXIST::FUNCTION:
 OSSL_CMP_MSG_get0_header                ?	3_0_0	EXIST::FUNCTION:CMP
 BIO_f_prefix                            ?	3_0_0	EXIST::FUNCTION: