Deprecate EC_KEY + Update ec apps to use EVP_PKEY

Co-author: Richard Levitte <levitte@openssl.org>
Co-author: Tomas Mraz <tmraz@openssl.org>

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13139)

diff --git a/CHANGES.md b/CHANGES.md
index fbd80c33c0851263b62b6a30bb4e051be80372a7..e512b080c7de8c0ae660dd6b1164cf3a695a4ced 100644 (file)
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -69,6 +69,49 @@ OpenSSL 3.0
 
    *Dmitry Belyavskiy*
 
+ * All of the low level EC_KEY functions have been deprecated including:
+
+   EC_KEY_OpenSSL, EC_KEY_get_default_method, EC_KEY_set_default_method,
+   EC_KEY_get_method, EC_KEY_set_method, EC_KEY_new_method
+   EC_KEY_METHOD_new, EC_KEY_METHOD_free, EC_KEY_METHOD_set_init,
+   EC_KEY_METHOD_set_keygen, EC_KEY_METHOD_set_compute_key,
+   EC_KEY_METHOD_set_sign, EC_KEY_METHOD_set_verify,
+   EC_KEY_METHOD_get_init, EC_KEY_METHOD_get_keygen,
+   EC_KEY_METHOD_get_compute_key, EC_KEY_METHOD_get_sign,
+   EC_KEY_METHOD_get_verify,
+   EC_KEY_new_ex, EC_KEY_new, EC_KEY_get_flags, EC_KEY_set_flags,
+   EC_KEY_clear_flags, EC_KEY_decoded_from_explicit_params,
+   EC_KEY_new_by_curve_name_ex, EC_KEY_new_by_curve_name, EC_KEY_free,
+   EC_KEY_copy, EC_KEY_dup, EC_KEY_up_ref, EC_KEY_get0_engine,
+   EC_KEY_get0_group, EC_KEY_set_group, EC_KEY_get0_private_key,
+   EC_KEY_set_private_key, EC_KEY_get0_public_key, EC_KEY_set_public_key,
+   EC_KEY_get_enc_flags, EC_KEY_set_enc_flags, EC_KEY_get_conv_form,
+   EC_KEY_set_conv_form, EC_KEY_set_ex_data, EC_KEY_get_ex_data,
+   EC_KEY_set_asn1_flag, EC_KEY_generate_key, EC_KEY_check_key, EC_KEY_can_sign,
+   EC_KEY_set_public_key_affine_coordinates, EC_KEY_key2buf, EC_KEY_oct2key,
+   EC_KEY_oct2priv, EC_KEY_priv2oct and EC_KEY_priv2buf.
+   Applications that need to implement an EC_KEY_METHOD need to consider
+   implementation of the functionality in a special provider.
+   For replacement of the functions manipulating the EC_KEY objects
+   see the EVP_PKEY-EC(7) manual page.
+
+   Additionally functions that read and write EC_KEY objects such as
+   o2i_ECPublicKey, i2o_ECPublicKey, ECParameters_print_fp, EC_KEY_print_fp,
+   d2i_ECPKParameters, d2i_ECParameters, d2i_ECPrivateKey, d2i_ECPrivateKey_bio,
+   d2i_ECPrivateKey_fp, d2i_EC_PUBKEY, d2i_EC_PUBKEY_bio, d2i_EC_PUBKEY_fp,
+   i2d_ECPKParameters, i2d_ECParameters, i2d_ECPrivateKey, i2d_ECPrivateKey_bio,
+   i2d_ECPrivateKey_fp, i2d_EC_PUBKEY, i2d_EC_PUBKEY_bio and i2d_EC_PUBKEY_fp
+   have also been deprecated. Applications should instead use the
+   OSSL_DECODER and OSSL_ENCODER APIs to read and write EC files.
+
+   Finally functions that assign or obtain EC_KEY objects from an EVP_PKEY such as
+   EVP_PKEY_assign_EC_KEY, EVP_PKEY_get0_EC_KEY, EVP_PKEY_get1_EC_KEY and
+   EVP_PKEY_set1_EC_KEY are also deprecated. Applications should instead either
+   read or write an EVP_PKEY directly using the OSSL_DECODER and OSSL_ENCODER
+   APIs. Or load an EVP_PKEY directly from EC data using EVP_PKEY_fromdata().
+
+   *Shane Lontis, Paul Dale, Richard Levitte, and Tomas Mraz*
+
  * Deprecated all the libcrypto and libssl error string loading
    functions: ERR_load_ASN1_strings(), ERR_load_ASYNC_strings(),
    ERR_load_BIO_strings(), ERR_load_BN_strings(), ERR_load_BUF_strings(),
@@ -594,19 +637,6 @@ OpenSSL 3.0
 
    *Paul Dale*
 
- * Deprecated the EC_KEY_METHOD functions.  These include:
-
-   EC_KEY_METHOD_new, EC_KEY_METHOD_free, EC_KEY_METHOD_set_init,
-   EC_KEY_METHOD_set_keygen, EC_KEY_METHOD_set_compute_key,
-   EC_KEY_METHOD_set_sign, EC_KEY_METHOD_set_verify,
-   EC_KEY_METHOD_get_init, EC_KEY_METHOD_get_keygen,
-   EC_KEY_METHOD_get_compute_key, EC_KEY_METHOD_get_sign and
-   EC_KEY_METHOD_get_verify.
-
-   Instead applications and extension writers should use the OSSL_PROVIDER APIs.
-
-   *Paul Dale*
-
  * Deprecated EVP_PKEY_decrypt_old(), please use EVP_PKEY_decrypt_init()
    and EVP_PKEY_decrypt() instead.
    Deprecated EVP_PKEY_encrypt_old(), please use EVP_PKEY_encrypt_init()

diff --git a/apps/ec.c b/apps/ec.c
index e1d447de81b3fad974e8efbed7f106f533c8c6bb..109e3eaeeb3faab154ffa7c056f75ab7b7d63e64 100644 (file)
--- a/apps/ec.c
+++ b/apps/ec.c
@@ -8,29 +8,17 @@
  */
 
 #include <openssl/opensslconf.h>
+#include <openssl/evp.h>
+#include <openssl/encoder.h>
+#include <openssl/decoder.h>
+#include <openssl/core_names.h>
+#include <openssl/core_dispatch.h>
+#include <openssl/params.h>
+#include <openssl/err.h>
 
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
 #include "apps.h"
 #include "progs.h"
-#include <openssl/bio.h>
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/pem.h>
-
-static OPT_PAIR conv_forms[] = {
-    {"compressed", POINT_CONVERSION_COMPRESSED},
-    {"uncompressed", POINT_CONVERSION_UNCOMPRESSED},
-    {"hybrid", POINT_CONVERSION_HYBRID},
-    {NULL}
-};
-
-static OPT_PAIR param_enc[] = {
-    {"named_curve", OPENSSL_EC_NAMED_CURVE},
-    {"explicit", 0},
-    {NULL}
-};
+#include "ec_common.h"
 
 typedef enum OPTION_choice {
     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
@@ -74,19 +62,22 @@ const OPTIONS ec_options[] = {
 
 int ec_main(int argc, char **argv)
 {
+    OSSL_ENCODER_CTX *ectx = NULL;
+    OSSL_DECODER_CTX *dctx = NULL;
+    EVP_PKEY_CTX *pctx = NULL;
+    EVP_PKEY *eckey = NULL;
     BIO *in = NULL, *out = NULL;
     ENGINE *e = NULL;
-    EC_KEY *eckey = NULL;
-    const EC_GROUP *group;
     const EVP_CIPHER *enc = NULL;
-    point_conversion_form_t form = POINT_CONVERSION_UNCOMPRESSED;
     char *infile = NULL, *outfile = NULL, *prog;
     char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL;
     OPTION_CHOICE o;
-    int asn1_flag = OPENSSL_EC_NAMED_CURVE, new_form = 0, new_asn1_flag = 0;
     int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0;
-    int pubin = 0, pubout = 0, param_out = 0, i, ret = 1, private = 0;
-    int no_public = 0, check = 0;
+    int pubin = 0, pubout = 0, param_out = 0, ret = 1, private = 0;
+    int check = 0;
+    char *asn1_encoding = NULL;
+    char *point_format = NULL;
+    int no_public = 0;
 
     prog = opt_init(argc, argv, ec_options);
     while ((o = opt_next()) != OPT_EOF) {
@@ -143,16 +134,14 @@ int ec_main(int argc, char **argv)
                 goto opthelp;
             break;
         case OPT_CONV_FORM:
-            if (!opt_pair(opt_arg(), conv_forms, &i))
+            point_format = opt_arg();
+            if (!opt_string(point_format, point_format_options))
                 goto opthelp;
-            new_form = 1;
-            form = i;
             break;
         case OPT_PARAM_ENC:
-            if (!opt_pair(opt_arg(), param_enc, &i))
+            asn1_encoding = opt_arg();
+            if (!opt_string(asn1_encoding, asn1_encoding_options))
                 goto opthelp;
-            new_asn1_flag = 1;
-            asn1_flag = i;
             break;
         case OPT_NO_PUBLIC:
             no_public = 1;
@@ -188,30 +177,14 @@ int ec_main(int argc, char **argv)
     }
 
     BIO_printf(bio_err, "read EC key\n");
-    if (informat == FORMAT_ASN1) {
-        if (pubin)
-            eckey = d2i_EC_PUBKEY_bio(in, NULL);
-        else
-            eckey = d2i_ECPrivateKey_bio(in, NULL);
-    } else if (informat == FORMAT_ENGINE) {
-        EVP_PKEY *pkey;
-        if (pubin)
-            pkey = load_pubkey(infile, informat, 1, passin, e, "public key");
-        else
-            pkey = load_key(infile, informat, 1, passin, e, "private key");
-        if (pkey != NULL) {
-            eckey = EVP_PKEY_get1_EC_KEY(pkey);
-            EVP_PKEY_free(pkey);
-        }
-    } else {
-        if (pubin)
-            eckey = PEM_read_bio_EC_PUBKEY(in, NULL, NULL, NULL);
-        else
-            eckey = PEM_read_bio_ECPrivateKey(in, NULL, NULL, passin);
-    }
+
+    if (pubin)
+        eckey = load_pubkey(infile, informat, 1, passin, e, "public key");
+    else
+        eckey = load_key(infile, informat, 1, passin, e, "private key");
+
     if (eckey == NULL) {
         BIO_printf(bio_err, "unable to load Key\n");
-        ERR_print_errors(bio_err);
         goto end;
     }
 
@@ -219,74 +192,96 @@ int ec_main(int argc, char **argv)
     if (out == NULL)
         goto end;
 
-    group = EC_KEY_get0_group(eckey);
-
-    if (new_form)
-        EC_KEY_set_conv_form(eckey, form);
+    if (point_format
+        && !EVP_PKEY_set_utf8_string_param(
+                eckey, OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
+                point_format)) {
+        BIO_printf(bio_err, "unable to set point conversion format\n");
+        goto end;
+    }
 
-    if (new_asn1_flag)
-        EC_KEY_set_asn1_flag(eckey, asn1_flag);
+    if (asn1_encoding != NULL
+        && !EVP_PKEY_set_utf8_string_param(
+                eckey, OSSL_PKEY_PARAM_EC_ENCODING, asn1_encoding)) {
+        BIO_printf(bio_err, "unable to set asn1 encoding format\n");
+        goto end;
+    }
 
-    if (no_public)
-        EC_KEY_set_enc_flags(eckey, EC_PKEY_NO_PUBKEY);
+    if (no_public
+        && !EVP_PKEY_set_int_param(eckey, OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC, 0)) {
+        BIO_printf(bio_err, "unable to disable public key encoding\n");
+        goto end;
+    }
 
     if (text) {
         assert(pubin || private);
-        if (!EC_KEY_print(out, eckey, 0)) {
-            perror(outfile);
-            ERR_print_errors(bio_err);
+        if ((pubin && EVP_PKEY_print_public(out, eckey, 0, NULL) <= 0)
+            || (!pubin && EVP_PKEY_print_private(out, eckey, 0, NULL) <= 0)) {
+            BIO_printf(bio_err, "unable to print EC key\n");
             goto end;
         }
     }
 
     if (check) {
-        if (EC_KEY_check_key(eckey) == 1) {
-            BIO_printf(bio_err, "EC Key valid.\n");
-        } else {
-            BIO_printf(bio_err, "EC Key Invalid!\n");
-            ERR_print_errors(bio_err);
+        pctx = EVP_PKEY_CTX_new_from_pkey(NULL, eckey, NULL);
+        if (pctx == NULL) {
+            BIO_printf(bio_err, "unable to check EC key\n");
+            goto end;
         }
+        if (!EVP_PKEY_check(pctx))
+            BIO_printf(bio_err, "EC Key Invalid!\n");
+        else
+            BIO_printf(bio_err, "EC Key valid.\n");
+        ERR_print_errors(bio_err);
     }
 
-    if (noout) {
-        ret = 0;
-        goto end;
-    }
+    if (!noout) {
+        int selection;
+        const char *output_type = outformat == FORMAT_ASN1 ? "DER" : "PEM";
+        const char *output_structure = "type-specific";
 
-    BIO_printf(bio_err, "writing EC key\n");
-    if (outformat == FORMAT_ASN1) {
+        BIO_printf(bio_err, "writing EC key\n");
         if (param_out) {
-            i = i2d_ECPKParameters_bio(out, group);
+            selection = OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS;
         } else if (pubin || pubout) {
-            i = i2d_EC_PUBKEY_bio(out, eckey);
+            selection = OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS
+                | OSSL_KEYMGMT_SELECT_PUBLIC_KEY;
+            output_structure = "SubjectPublicKeyInfo";
         } else {
+            selection = OSSL_KEYMGMT_SELECT_ALL;
             assert(private);
-            i = i2d_ECPrivateKey_bio(out, eckey);
         }
-    } else {
-        if (param_out) {
-            i = PEM_write_bio_ECPKParameters(out, group);
-        } else if (pubin || pubout) {
-            i = PEM_write_bio_EC_PUBKEY(out, eckey);
-        } else {
-            assert(private);
-            i = PEM_write_bio_ECPrivateKey(out, eckey, enc,
-                                           NULL, 0, NULL, passout);
+
+        ectx = OSSL_ENCODER_CTX_new_by_EVP_PKEY(eckey, selection,
+                                                output_type, output_structure,
+                                                NULL);
+        if (enc != NULL) {
+            OSSL_ENCODER_CTX_set_cipher(ectx, EVP_CIPHER_name(enc), NULL);
+            if (passout != NULL)
+                OSSL_ENCODER_CTX_set_passphrase(ectx,
+                                                (const unsigned char *)passout,
+                                                strlen(passout));
+        }
+        if (!OSSL_ENCODER_to_bio(ectx, out)) {
+            BIO_printf(bio_err, "unable to write EC key\n");
+            goto end;
         }
     }
 
-    if (!i) {
-        BIO_printf(bio_err, "unable to write private key\n");
+    ret = 0;
+end:
+    if (ret != 0)
         ERR_print_errors(bio_err);
-    } else {
-        ret = 0;
-    }
- end:
     BIO_free(in);
     BIO_free_all(out);
-    EC_KEY_free(eckey);
+    EVP_PKEY_free(eckey);
+    OSSL_ENCODER_CTX_free(ectx);
+    OSSL_DECODER_CTX_free(dctx);
+    EVP_PKEY_CTX_free(pctx);
     release_engine(e);
-    OPENSSL_free(passin);
-    OPENSSL_free(passout);
+    if (passin != NULL)
+        OPENSSL_clear_free(passin, strlen(passin));
+    if (passout != NULL)
+        OPENSSL_clear_free(passout, strlen(passout));
     return ret;
 }

diff --git a/apps/ecparam.c b/apps/ecparam.c
index 06f017a5483725bf6dff0abcc358860939d21d68..505868eb182190b3aba4b48d17aace59f4da1ccc 100644 (file)
--- a/apps/ecparam.c
+++ b/apps/ecparam.c
@@ -9,19 +9,16 @@
  */
 
 #include <openssl/opensslconf.h>
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <time.h>
-#include <string.h>
+#include <openssl/evp.h>
+#include <openssl/encoder.h>
+#include <openssl/decoder.h>
+#include <openssl/core_names.h>
+#include <openssl/core_dispatch.h>
+#include <openssl/params.h>
+#include <openssl/err.h>
 #include "apps.h"
 #include "progs.h"
-#include <openssl/bio.h>
-#include <openssl/err.h>
-#include <openssl/bn.h>
-#include <openssl/ec.h>
-#include <openssl/x509.h>
-#include <openssl/pem.h>
+#include "ec_common.h"
 
 typedef enum OPTION_choice {
     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
@@ -67,36 +64,51 @@ const OPTIONS ecparam_options[] = {
     {NULL}
 };
 
-static OPT_PAIR forms[] = {
-    {"compressed", POINT_CONVERSION_COMPRESSED},
-    {"uncompressed", POINT_CONVERSION_UNCOMPRESSED},
-    {"hybrid", POINT_CONVERSION_HYBRID},
-    {NULL}
-};
+static int list_builtin_curves(BIO *out)
+{
+    int ret = 0;
+    EC_builtin_curve *curves = NULL;
+    size_t n, crv_len = EC_get_builtin_curves(NULL, 0);
 
-static OPT_PAIR encodings[] = {
-    {"named_curve", OPENSSL_EC_NAMED_CURVE},
-    {"explicit", 0},
-    {NULL}
-};
+    curves = app_malloc((int)sizeof(*curves) * crv_len, "list curves");
+    if (!EC_get_builtin_curves(curves, crv_len))
+        goto end;
+
+    for (n = 0; n < crv_len; n++) {
+        const char *comment = curves[n].comment;
+        const char *sname = OBJ_nid2sn(curves[n].nid);
+
+        if (comment == NULL)
+            comment = "CURVE DESCRIPTION NOT AVAILABLE";
+        if (sname == NULL)
+            sname = "";
+
+        BIO_printf(out, "  %-10s: ", sname);
+        BIO_printf(out, "%s\n", comment);
+    }
+    ret = 1;
+end:
+    OPENSSL_free(curves);
+    return ret;
+}
 
 int ecparam_main(int argc, char **argv)
 {
+    EVP_PKEY_CTX *gctx_params = NULL, *gctx_key = NULL, *pctx = NULL;
+    EVP_PKEY *params_key = NULL, *key = NULL;
+    OSSL_ENCODER_CTX *ectx_key = NULL, *ectx_params = NULL;
+    OSSL_DECODER_CTX *dctx_params = NULL;
     ENGINE *e = NULL;
-    BIGNUM *ec_gen = NULL, *ec_order = NULL, *ec_cofactor = NULL;
-    BIGNUM *ec_p = NULL, *ec_a = NULL, *ec_b = NULL;
     BIO *in = NULL, *out = NULL;
-    EC_GROUP *group = NULL;
-    point_conversion_form_t form = POINT_CONVERSION_UNCOMPRESSED;
     char *curve_name = NULL;
+    char *asn1_encoding = NULL;
+    char *point_format = NULL;
     char *infile = NULL, *outfile = NULL, *prog;
-    unsigned char *buffer = NULL;
     OPTION_CHOICE o;
-    int asn1_flag = OPENSSL_EC_NAMED_CURVE, new_asn1_flag = 0;
     int informat = FORMAT_PEM, outformat = FORMAT_PEM, noout = 0;
     int ret = 1, private = 0;
-    int list_curves = 0, no_seed = 0, check = 0, new_form = 0;
-    int text = 0, i, genkey = 0, check_named = 0;
+    int no_seed = 0, check = 0, check_named = 0, text = 0, genkey = 0;
+    int list_curves = 0;
 
     prog = opt_init(argc, argv, ecparam_options);
     while ((o = opt_next()) != OPT_EOF) {
@@ -146,15 +158,14 @@ int ecparam_main(int argc, char **argv)
             curve_name = opt_arg();
             break;
         case OPT_CONV_FORM:
-            if (!opt_pair(opt_arg(), forms, &new_form))
+            point_format = opt_arg();
+            if (!opt_string(point_format, point_format_options))
                 goto opthelp;
-            form = new_form;
-            new_form = 1;
             break;
         case OPT_PARAM_ENC:
-            if (!opt_pair(opt_arg(), encodings, &asn1_flag))
+            asn1_encoding = opt_arg();
+            if (!opt_string(asn1_encoding, asn1_encoding_options))
                 goto opthelp;
-            new_asn1_flag = 1;
             break;
         case OPT_GENKEY:
             genkey = 1;
@@ -188,111 +199,88 @@ int ecparam_main(int argc, char **argv)
         goto end;
 
     if (list_curves) {
-        EC_builtin_curve *curves = NULL;
-        size_t crv_len = EC_get_builtin_curves(NULL, 0);
-        size_t n;
-
-        curves = app_malloc((int)sizeof(*curves) * crv_len, "list curves");
-        if (!EC_get_builtin_curves(curves, crv_len)) {
-            OPENSSL_free(curves);
-            goto end;
-        }
-
-        for (n = 0; n < crv_len; n++) {
-            const char *comment;
-            const char *sname;
-            comment = curves[n].comment;
-            sname = OBJ_nid2sn(curves[n].nid);
-            if (comment == NULL)
-                comment = "CURVE DESCRIPTION NOT AVAILABLE";
-            if (sname == NULL)
-                sname = "";
-
-            BIO_printf(out, "  %-10s: ", sname);
-            BIO_printf(out, "%s\n", comment);
-        }
-
-        OPENSSL_free(curves);
-        ret = 0;
+        if (list_builtin_curves(out))
+            ret = 0;
         goto end;
     }
 
     if (curve_name != NULL) {
-        int nid;
+        OSSL_PARAM params[4];
+        OSSL_PARAM *p = params;
 
-        /*
-         * workaround for the SECG curve names secp192r1 and secp256r1 (which
-         * are the same as the curves prime192v1 and prime256v1 defined in
-         * X9.62)
-         */
         if (strcmp(curve_name, "secp192r1") == 0) {
-            BIO_printf(bio_err, "using curve name prime192v1 "
-                       "instead of secp192r1\n");
-            nid = NID_X9_62_prime192v1;
+            BIO_printf(bio_err,
+                       "using curve name prime192v1 instead of secp192r1\n");
+            curve_name = SN_X9_62_prime192v1;
         } else if (strcmp(curve_name, "secp256r1") == 0) {
-            BIO_printf(bio_err, "using curve name prime256v1 "
-                       "instead of secp256r1\n");
-            nid = NID_X9_62_prime256v1;
-        } else {
-            nid = OBJ_sn2nid(curve_name);
+            BIO_printf(bio_err,
+                       "using curve name prime256v1 instead of secp256r1\n");
+            curve_name = SN_X9_62_prime256v1;
         }
-
-        if (nid == 0)
-            nid = EC_curve_nist2nid(curve_name);
-
-        if (nid == 0) {
-            BIO_printf(bio_err, "unknown curve name (%s)\n", curve_name);
+        *p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME,
+                                                curve_name, 0);
+        if (asn1_encoding != NULL)
+            *p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_EC_ENCODING,
+                                                    asn1_encoding, 0);
+        if (point_format != NULL)
+            *p++ = OSSL_PARAM_construct_utf8_string(
+                       OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
+                       point_format, 0);
+        *p = OSSL_PARAM_construct_end();
+        gctx_params = EVP_PKEY_CTX_new_from_name(NULL, "ec", NULL);
+        if (gctx_params == NULL
+            || EVP_PKEY_keygen_init(gctx_params) <= 0
+            || EVP_PKEY_CTX_set_params(gctx_params, params) <= 0
+            || EVP_PKEY_keygen(gctx_params, &params_key) <= 0) {
+            BIO_printf(bio_err, "unable to generate key\n");
+            goto end;
+        }
+    } else {
+        params_key = load_keyparams(infile, 1, "EC", "EC parameters");
+        if (!EVP_PKEY_is_a(params_key, "EC"))
+            goto end;
+        if (point_format
+            && !EVP_PKEY_set_utf8_string_param(
+                    params_key, OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
+                    point_format)) {
+            BIO_printf(bio_err, "unable to set point conversion format\n");
             goto end;
         }
 
-        group = EC_GROUP_new_by_curve_name(nid);
-        if (group == NULL) {
-            BIO_printf(bio_err, "unable to create curve (%s)\n", curve_name);
+        if (asn1_encoding != NULL
+            && !EVP_PKEY_set_utf8_string_param(
+                    params_key, OSSL_PKEY_PARAM_EC_ENCODING, asn1_encoding)) {
+            BIO_printf(bio_err, "unable to set asn1 encoding format\n");
             goto end;
         }
-        EC_GROUP_set_asn1_flag(group, asn1_flag);
-        EC_GROUP_set_point_conversion_form(group, form);
-    } else if (informat == FORMAT_ASN1) {
-        group = d2i_ECPKParameters_bio(in, NULL);
-    } else {
-        group = PEM_read_bio_ECPKParameters(in, NULL, NULL, NULL);
     }
-    if (group == NULL) {
-        BIO_printf(bio_err, "unable to load elliptic curve parameters\n");
-        ERR_print_errors(bio_err);
+
+    if (no_seed
+        && !EVP_PKEY_set_octet_string_param(params_key, OSSL_PKEY_PARAM_EC_SEED,
+                                            NULL, 0)) {
+        BIO_printf(bio_err, "unable to clear seed\n");
         goto end;
     }
 
-    if (new_form)
-        EC_GROUP_set_point_conversion_form(group, form);
-
-    if (new_asn1_flag)
-        EC_GROUP_set_asn1_flag(group, asn1_flag);
-
-    if (no_seed) {
-        EC_GROUP_set_seed(group, NULL, 0);
+    if (text
+        && !EVP_PKEY_print_params(out, params_key, 0, NULL)) {
+        BIO_printf(bio_err, "unable to print params\n");
+        goto end;
     }
 
-    if (text) {
-        if (!ECPKParameters_print(out, group, 0))
-            goto end;
-    }
+    if (check || check_named) {
+        BIO_printf(bio_err, "checking elliptic curve parameters: ");
 
-    if (check_named) {
-        BIO_printf(bio_err, "validating named elliptic curve parameters: ");
-        if (EC_GROUP_check_named_curve(group, 0, NULL) <= 0) {
-            BIO_printf(bio_err, "failed\n");
-            ERR_print_errors(bio_err);
-            goto end;
+        if (check_named
+            && !EVP_PKEY_set_utf8_string_param(params_key,
+                                           OSSL_PKEY_PARAM_EC_GROUP_CHECK_TYPE,
+                                           OSSL_PKEY_EC_GROUP_CHECK_NAMED)) {
+                BIO_printf(bio_err, "unable to set check_type\n");
+                goto end;
         }
-        BIO_printf(bio_err, "ok\n");
-    }
-
-    if (check) {
-        BIO_printf(bio_err, "checking elliptic curve parameters: ");
-        if (!EC_GROUP_check(group, NULL)) {
+        pctx = EVP_PKEY_CTX_new_from_pkey(NULL, params_key, NULL);
+        if (pctx == NULL || !EVP_PKEY_param_check(pctx)) {
             BIO_printf(bio_err, "failed\n");
-            ERR_print_errors(bio_err);
             goto end;
         }
         BIO_printf(bio_err, "ok\n");
@@ -302,60 +290,54 @@ int ecparam_main(int argc, char **argv)
         noout = 1;
 
     if (!noout) {
-        if (outformat == FORMAT_ASN1)
-            i = i2d_ECPKParameters_bio(out, group);
-        else
-            i = PEM_write_bio_ECPKParameters(out, group);
-        if (!i) {
-            BIO_printf(bio_err, "unable to write elliptic "
-                       "curve parameters\n");
-            ERR_print_errors(bio_err);
+        ectx_params = OSSL_ENCODER_CTX_new_by_EVP_PKEY(
+                          params_key, OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
+                          outformat == FORMAT_ASN1 ? "DER" : "PEM", NULL, NULL);
+        if (!OSSL_ENCODER_to_bio(ectx_params, out)) {
+            BIO_printf(bio_err, "unable to write elliptic curve parameters\n");
             goto end;
         }
     }
 
     if (genkey) {
-        EC_KEY *eckey = EC_KEY_new();
-
-        if (eckey == NULL)
-            goto end;
-
-        if (EC_KEY_set_group(eckey, group) == 0) {
-            BIO_printf(bio_err, "unable to set group when generating key\n");
-            EC_KEY_free(eckey);
-            ERR_print_errors(bio_err);
-            goto end;
-        }
-
-        if (new_form)
-            EC_KEY_set_conv_form(eckey, form);
-
-        if (!EC_KEY_generate_key(eckey)) {
+        /*
+         * NOTE: EC keygen does not normally need to pass in the param_key
+         * for named curves. This can be achieved using:
+         *    gctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
+         *    EVP_PKEY_keygen_init(gctx);
+         *    EVP_PKEY_CTX_set_group_name(gctx, curvename);
+         *    EVP_PKEY_keygen(gctx, &key) <= 0)
+         */
+        gctx_key = EVP_PKEY_CTX_new_from_pkey(NULL, params_key, NULL);
+        if (EVP_PKEY_keygen_init(gctx_key) <= 0
+            || EVP_PKEY_keygen(gctx_key, &key) <= 0) {
             BIO_printf(bio_err, "unable to generate key\n");
-            EC_KEY_free(eckey);
-            ERR_print_errors(bio_err);
             goto end;
         }
         assert(private);
-        if (outformat == FORMAT_ASN1)
-            i = i2d_ECPrivateKey_bio(out, eckey);
-        else
-            i = PEM_write_bio_ECPrivateKey(out, eckey, NULL,
-                                           NULL, 0, NULL, NULL);
-        EC_KEY_free(eckey);
+        ectx_key = OSSL_ENCODER_CTX_new_by_EVP_PKEY(
+                       key, OSSL_KEYMGMT_SELECT_ALL,
+                       outformat == FORMAT_ASN1 ? "DER" : "PEM", NULL, NULL);
+        if (!OSSL_ENCODER_to_bio(ectx_key, out)) {
+            BIO_printf(bio_err, "unable to write elliptic "
+                       "curve parameters\n");
+            goto end;
+        }
     }
 
     ret = 0;
- end:
-    BN_free(ec_p);
-    BN_free(ec_a);
-    BN_free(ec_b);
-    BN_free(ec_gen);
-    BN_free(ec_order);
-    BN_free(ec_cofactor);
-    OPENSSL_free(buffer);
-    EC_GROUP_free(group);
+end:
+    if (ret != 0)
+        ERR_print_errors(bio_err);
     release_engine(e);
+    EVP_PKEY_free(params_key);
+    EVP_PKEY_free(key);
+    EVP_PKEY_CTX_free(pctx);
+    EVP_PKEY_CTX_free(gctx_params);
+    EVP_PKEY_CTX_free(gctx_key);
+    OSSL_DECODER_CTX_free(dctx_params);
+    OSSL_ENCODER_CTX_free(ectx_params);
+    OSSL_ENCODER_CTX_free(ectx_key);
     BIO_free(in);
     BIO_free_all(out);
     return ret;

diff --git a/apps/include/ec_common.h b/apps/include/ec_common.h
new file mode 100644 (file)
index 0000000..4ed1216
--- /dev/null
+++ b/apps/include/ec_common.h
@@ -0,0 +1,23 @@
+/*
+ * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License").  You may not use
+ * this file except in compliance with the License.  You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#ifndef OPENSSL_NO_EC
+static const char *point_format_options[] = {
+    "uncompressed",
+    "compressed",
+    "hybrid",
+    NULL
+};
+
+static const char *asn1_encoding_options[] = {
+    "named_curve",
+    "explicit",
+    NULL
+};
+#endif

diff --git a/apps/include/opt.h b/apps/include/opt.h
index 15375e3a80f4bcc28a210468d53e5983bd64c467..34298cf50d54e5951a3087cfa89a99462a7315a0 100644 (file)
--- a/apps/include/opt.h
+++ b/apps/include/opt.h
@@ -363,6 +363,7 @@ int opt_umax(const char *arg, uintmax_t *result);
 # define uintmax_t unsigned long
 #endif
 int opt_pair(const char *arg, const OPT_PAIR * pairs, int *result);
+int opt_string(const char *name, const char **options);
 int opt_cipher(const char *name, const EVP_CIPHER **cipherp);
 int opt_md(const char *name, const EVP_MD **mdp);
 char *opt_arg(void);

diff --git a/apps/lib/opt.c b/apps/lib/opt.c
index 9675bc474dd61dfedf8ae089bf8150a8ab15d117..11a9a13496f156d2af9ad984acebf4d22c148726 100644 (file)
--- a/apps/lib/opt.c
+++ b/apps/lib/opt.c
@@ -391,6 +391,20 @@ int opt_pair(const char *name, const OPT_PAIR* pairs, int *result)
     return 0;
 }
 
+/* Look through a list of valid names */
+int opt_string(const char *name, const char **options)
+{
+    const char **p;
+
+    for (p = options; *p != NULL; p++)
+        if (strcmp(*p, name) == 0)
+            return 1;
+    opt_printf_stderr("%s: Value must be one of:\n", prog);
+    for (p = options; *p != NULL; p++)
+        opt_printf_stderr("\t%s\n", *p);
+    return 0;
+}
+
 /* Parse an int, put it into *result; return 0 on failure, else 1. */
 int opt_int(const char *value, int *result)
 {

diff --git a/apps/lib/s_cb.c b/apps/lib/s_cb.c
index 67e0fbd5bd88f77793e976ea2f31b2069028d8d3..d77647246d8c2ae8c39a3e32164940c7faaa79d1 100644 (file)
--- a/apps/lib/s_cb.c
+++ b/apps/lib/s_cb.c
@@ -397,15 +397,13 @@ int ssl_print_tmp_key(BIO *out, SSL *s)
 #ifndef OPENSSL_NO_EC
     case EVP_PKEY_EC:
         {
-            EC_KEY *ec = EVP_PKEY_get1_EC_KEY(key);
-            int nid;
-            const char *cname;
-            nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
-            EC_KEY_free(ec);
-            cname = EC_curve_nid2nist(nid);
-            if (cname == NULL)
-                cname = OBJ_nid2sn(nid);
-            BIO_printf(out, "ECDH, %s, %d bits\n", cname, EVP_PKEY_bits(key));
+            char name[80];
+            size_t name_len;
+
+            if (!EVP_PKEY_get_utf8_string_param(key, OSSL_PKEY_PARAM_GROUP_NAME,
+                                                name, sizeof(name), &name_len))
+                strcpy(name, "?");
+            BIO_printf(out, "ECDH, %s, %d bits\n", name, EVP_PKEY_bits(key));
         }
     break;
 #endif

diff --git a/apps/pkey.c b/apps/pkey.c
index 5d12cc059a10e95bcb6ef41f7bd71b1c7aaf6593..33ed5ebf58aeeb5c4caaed28971ecf24eb8b2eac 100644 (file)
--- a/apps/pkey.c
+++ b/apps/pkey.c
@@ -11,26 +11,11 @@
 #include <string.h>
 #include "apps.h"
 #include "progs.h"
+#include "ec_common.h"
 #include <openssl/pem.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
-
-#ifndef OPENSSL_NO_EC
-# include <openssl/ec.h>
-
-static OPT_PAIR ec_conv_forms[] = {
-    {"compressed", POINT_CONVERSION_COMPRESSED},
-    {"uncompressed", POINT_CONVERSION_UNCOMPRESSED},
-    {"hybrid", POINT_CONVERSION_HYBRID},
-    {NULL}
-};
-
-static OPT_PAIR ec_param_enc[] = {
-    {"named_curve", OPENSSL_EC_NAMED_CURVE},
-    {"explicit", 0},
-    {NULL}
-};
-#endif
+#include <openssl/core_names.h>
 
 typedef enum OPTION_choice {
     OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
@@ -94,10 +79,8 @@ int pkey_main(int argc, char **argv)
     int pubin = 0, pubout = 0, text_pub = 0, text = 0, noout = 0, ret = 1;
     int private = 0, traditional = 0, check = 0, pub_check = 0;
 #ifndef OPENSSL_NO_EC
-    EC_KEY *eckey;
-    int ec_asn1_flag = OPENSSL_EC_NAMED_CURVE, new_ec_asn1_flag = 0;
-    int i, new_ec_form = 0;
-    point_conversion_form_t ec_form = POINT_CONVERSION_UNCOMPRESSED;
+    char *asn1_encoding = NULL;
+    char *point_format = NULL;
 #endif
 
     prog = opt_init(argc, argv, pkey_options);
@@ -167,20 +150,18 @@ int pkey_main(int argc, char **argv)
 #ifdef OPENSSL_NO_EC
             goto opthelp;
 #else
-            if (!opt_pair(opt_arg(), ec_conv_forms, &i))
+            point_format = opt_arg();
+            if (!opt_string(point_format, point_format_options))
                 goto opthelp;
-            new_ec_form = 1;
-            ec_form = i;
             break;
 #endif
         case OPT_EC_PARAM_ENC:
 #ifdef OPENSSL_NO_EC
             goto opthelp;
 #else
-            if (!opt_pair(opt_arg(), ec_param_enc, &i))
+            asn1_encoding = opt_arg();
+            if (!opt_string(asn1_encoding, asn1_encoding_options))
                 goto opthelp;
-            new_ec_asn1_flag = 1;
-            ec_asn1_flag = i;
             break;
 #endif
         case OPT_PROV_CASES:
@@ -234,20 +215,22 @@ int pkey_main(int argc, char **argv)
         goto end;
 
 #ifndef OPENSSL_NO_EC
-    /*
-     * TODO: remove this and use a set params call with a 'pkeyopt' command
-     * line option instead.
-     */
-    if (new_ec_form || new_ec_asn1_flag) {
-        if ((eckey = EVP_PKEY_get0_EC_KEY(pkey)) == NULL) {
-            ERR_print_errors(bio_err);
+    if (asn1_encoding != NULL || point_format != NULL) {
+        OSSL_PARAM params[3], *p = params;
+
+        if (!EVP_PKEY_is_a(pkey, "EC"))
             goto end;
-        }
-        if (new_ec_form)
-            EC_KEY_set_conv_form(eckey, ec_form);
 
-        if (new_ec_asn1_flag)
-            EC_KEY_set_asn1_flag(eckey, ec_asn1_flag);
+        if (asn1_encoding != NULL)
+            *p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_EC_ENCODING,
+                                                    asn1_encoding, 0);
+        if (point_format != NULL)
+            *p++ = OSSL_PARAM_construct_utf8_string(
+                       OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
+                       point_format, 0);
+        *p = OSSL_PARAM_construct_end();
+        if (EVP_PKEY_set_params(pkey, params) <= 0)
+            goto end;
     }
 #endif
 

diff --git a/apps/speed.c b/apps/speed.c
index c8c4f65b47bcfc1a73d11f38f95a38bf19a26eca..e2b98c86b55970499fb1d65e5122204dd5efb67b 100644 (file)
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -583,7 +583,9 @@ typedef struct loopargs_st {
     DSA *dsa_key[DSA_NUM];
 #endif
 #ifndef OPENSSL_NO_EC
+# ifndef OPENSSL_NO_DEPRECATED_3_0
     EC_KEY *ecdsa[ECDSA_NUM];
+# endif
     EVP_PKEY_CTX *ecdh_ctx[EC_NUM];
     EVP_MD_CTX *eddsa_ctx[EdDSA_NUM];
     EVP_MD_CTX *eddsa_ctx2[EdDSA_NUM];
@@ -4082,8 +4084,10 @@ int speed_main(int argc, char **argv)
             DSA_free(loopargs[i].dsa_key[k]);
 #endif
 #ifndef OPENSSL_NO_EC
+# if !defined(OPENSSL_NO_DEPRECATED_3_0)
         for (k = 0; k < ECDSA_NUM; k++)
             EC_KEY_free(loopargs[i].ecdsa[k]);
+# endif
         for (k = 0; k < EC_NUM; k++)
             EVP_PKEY_CTX_free(loopargs[i].ecdh_ctx[k]);
         for (k = 0; k < EdDSA_NUM; k++) {

diff --git a/crypto/asn1/asn1_item_list.h b/crypto/asn1/asn1_item_list.h
index 01d907635081a2b566b0992f1270f3dd8492c819..b8c558114655c60c282dc78fdf861cc3dcc26e65 100644 (file)
--- a/crypto/asn1/asn1_item_list.h
+++ b/crypto/asn1/asn1_item_list.h
@@ -63,8 +63,10 @@ static ASN1_ITEM_EXP *asn1_item_list[] = {
     ASN1_ITEM_ref(DIST_POINT_NAME),
     ASN1_ITEM_ref(DIST_POINT),
 #ifndef OPENSSL_NO_EC
+# ifndef OPENSSL_NO_DEPRECATED_3_0
     ASN1_ITEM_ref(ECPARAMETERS),
     ASN1_ITEM_ref(ECPKPARAMETERS),
+# endif
 #endif
     ASN1_ITEM_ref(EDIPARTYNAME),
     ASN1_ITEM_ref(EXTENDED_KEY_USAGE),

diff --git a/crypto/ec/ec_backend.c b/crypto/ec/ec_backend.c
index f95065717390b81ad2cc58ca2a73360a215c7179..06acb7d607ae8704a7f6e1736dc23d5e15893476 100644 (file)
--- a/crypto/ec/ec_backend.c
+++ b/crypto/ec/ec_backend.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * Low level APIs related to EC_KEY are deprecated for public use,
+ * but still ok for internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <openssl/core_names.h>
 #include <openssl/objects.h>
 #include <openssl/params.h>
@@ -23,6 +29,18 @@ static const OSSL_ITEM encoding_nameid_map[] = {
     { OPENSSL_EC_NAMED_CURVE, OSSL_PKEY_EC_ENCODING_GROUP },
 };
 
+static const OSSL_ITEM check_group_type_nameid_map[] = {
+    { 0, OSSL_PKEY_EC_GROUP_CHECK_DEFAULT },
+    { EC_FLAG_CHECK_NAMED_GROUP, OSSL_PKEY_EC_GROUP_CHECK_NAMED },
+    { EC_FLAG_CHECK_NAMED_GROUP_NIST, OSSL_PKEY_EC_GROUP_CHECK_NAMED_NIST },
+};
+
+static const OSSL_ITEM format_nameid_map[] = {
+    { (int)POINT_CONVERSION_UNCOMPRESSED, OSSL_PKEY_EC_POINT_CONVERSION_FORMAT_UNCOMPRESSED },
+    { (int)POINT_CONVERSION_COMPRESSED, OSSL_PKEY_EC_POINT_CONVERSION_FORMAT_COMPRESSED },
+    { (int)POINT_CONVERSION_HYBRID, OSSL_PKEY_EC_POINT_CONVERSION_FORMAT_HYBRID },
+};
+
 int ec_encoding_name2id(const char *name)
 {
     size_t i, sz;
@@ -49,13 +67,95 @@ static char *ec_param_encoding_id2name(int id)
     return NULL;
 }
 
+char *ec_check_group_type_id2name(int id)
+{
+    size_t i, sz;
+
+    for (i = 0, sz = OSSL_NELEM(check_group_type_nameid_map); i < sz; i++) {
+        if (id == (int)check_group_type_nameid_map[i].id)
+            return check_group_type_nameid_map[i].ptr;
+    }
+    return NULL;
+}
+
+static int ec_check_group_type_name2id(const char *name)
+{
+    size_t i, sz;
+
+    /* Return the default value if there is no name */
+    if (name == NULL)
+        return 0;
+
+    for (i = 0, sz = OSSL_NELEM(check_group_type_nameid_map); i < sz; i++) {
+        if (strcasecmp(name, check_group_type_nameid_map[i].ptr) == 0)
+            return check_group_type_nameid_map[i].id;
+    }
+    return -1;
+}
+
+int ec_set_check_group_type_from_name(EC_KEY *ec, const char *name)
+{
+    int flags = ec_check_group_type_name2id(name);
+
+    if (flags == -1)
+        return 0;
+    EC_KEY_clear_flags(ec, EC_FLAG_CHECK_NAMED_GROUP_MASK);
+    EC_KEY_set_flags(ec, flags);
+    return 1;
+}
+
+static int ec_set_check_group_type_from_param(EC_KEY *ec, const OSSL_PARAM *p)
+{
+    const char *name = NULL;
+    int status = 0;
+
+    switch (p->data_type) {
+    case OSSL_PARAM_UTF8_STRING:
+        name = p->data;
+        status = (name != NULL);
+        break;
+    case OSSL_PARAM_UTF8_PTR:
+        status = OSSL_PARAM_get_utf8_ptr(p, &name);
+        break;
+    }
+    if (status)
+        return ec_set_check_group_type_from_name(ec, name);
+    return 0;
+}
+
+int ec_pt_format_name2id(const char *name)
+{
+    size_t i, sz;
+
+    /* Return the default value if there is no name */
+    if (name == NULL)
+        return (int)POINT_CONVERSION_UNCOMPRESSED;
+
+    for (i = 0, sz = OSSL_NELEM(format_nameid_map); i < sz; i++) {
+        if (strcasecmp(name, format_nameid_map[i].ptr) == 0)
+            return format_nameid_map[i].id;
+    }
+    return -1;
+}
+
+char *ec_pt_format_id2name(int id)
+{
+    size_t i, sz;
+
+    for (i = 0, sz = OSSL_NELEM(format_nameid_map); i < sz; i++) {
+        if (id == (int)format_nameid_map[i].id)
+            return format_nameid_map[i].ptr;
+    }
+    return NULL;
+}
+
 int ec_group_todata(const EC_GROUP *group, OSSL_PARAM_BLD *tmpl,
                     OSSL_PARAM params[], OSSL_LIB_CTX *libctx,
                     const char *propq,
                     BN_CTX *bnctx, unsigned char **genbuf)
 {
     int ret = 0, curve_nid, encoding_flag;
-    const char *field_type, *encoding_name;
+    const char *field_type, *encoding_name, *pt_form_name;
     const BIGNUM *cofactor, *order;
     BIGNUM *p = NULL, *a = NULL, *b = NULL;
     point_conversion_form_t genform;
@@ -68,6 +168,15 @@ int ec_group_todata(const EC_GROUP *group, OSSL_PARAM_BLD *tmpl,
         return 0;
     }
 
+    genform = EC_GROUP_get_point_conversion_form(group);
+    pt_form_name = ec_pt_format_id2name(genform);
+    if (pt_form_name == NULL
+        || !ossl_param_build_set_utf8_string(
+                tmpl, params,
+                OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT, pt_form_name)) {
+        ECerr(0, EC_R_INVALID_FORM);
+        return 0;
+    }
     encoding_flag = EC_GROUP_get_asn1_flag(group) & OPENSSL_EC_NAMED_CURVE;
     encoding_name = ec_param_encoding_id2name(encoding_flag);
     if (encoding_name == NULL
@@ -115,7 +224,6 @@ int ec_group_todata(const EC_GROUP *group, OSSL_PARAM_BLD *tmpl,
             ERR_raise(ERR_LIB_EC, EC_R_INVALID_GENERATOR);
             goto err;
         }
-        genform = EC_GROUP_get_point_conversion_form(group);
         genbuf_len = EC_POINT_point2buf(group, genpt, genform, genbuf, bnctx);
         if (genbuf_len == 0) {
             ERR_raise(ERR_LIB_EC, EC_R_INVALID_GENERATOR);
@@ -336,17 +444,50 @@ int ec_group_fromdata(EC_KEY *ec, const OSSL_PARAM params[])
 
     if (!EC_KEY_set_group(ec, group))
         goto err;
-
-    /*
-     * TODO(3.0): if the group has changed, should we invalidate the private and
-     * public key?
-     */
     ok = 1;
 err:
     EC_GROUP_free(group);
     return ok;
 }
 
+static int ec_key_point_format_fromdata(EC_KEY *ec, const OSSL_PARAM params[])
+{
+    const OSSL_PARAM *p;
+    int format = -1;
+
+    p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT);
+    if (p != NULL) {
+        if (!ec_pt_format_param2id(p, &format)) {
+            ECerr(0, EC_R_INVALID_FORM);
+            return 0;
+        }
+        EC_KEY_set_conv_form(ec, format);
+    }
+    return 1;
+}
+
+static int ec_key_group_check_fromdata(EC_KEY *ec, const OSSL_PARAM params[])
+{
+    const OSSL_PARAM *p;
+
+    p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_GROUP_CHECK_TYPE);
+    if (p != NULL)
+        return ec_set_check_group_type_from_param(ec, p);
+    return 1;
+}
+
+static int ec_set_include_public(EC_KEY *ec, int include)
+{
+    int flags = EC_KEY_get_enc_flags(ec);
+
+    if (!include)
+        flags |= EC_PKEY_NO_PUBKEY;
+    else
+        flags &= ~EC_PKEY_NO_PUBKEY;
+    EC_KEY_set_enc_flags(ec, flags);
+    return 1;
+}
+
 int ec_key_otherparams_fromdata(EC_KEY *ec, const OSSL_PARAM params[])
 {
     const OSSL_PARAM *p;
@@ -363,5 +504,69 @@ int ec_key_otherparams_fromdata(EC_KEY *ec, const OSSL_PARAM params[])
             return 0;
     }
 
+    p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC);
+    if (p != NULL) {
+        int include = 1;
+
+        if (!OSSL_PARAM_get_int(p, &include)
+            || !ec_set_include_public(ec, include))
+            return 0;
+    }
+    if (!ec_key_point_format_fromdata(ec, params))
+        return 0;
+    if (!ec_key_group_check_fromdata(ec, params))
+        return 0;
     return 1;
 }
+
+int ec_encoding_param2id(const OSSL_PARAM *p, int *id)
+{
+    const char *name = NULL;
+    int status = 0;
+
+    switch (p->data_type) {
+    case OSSL_PARAM_UTF8_STRING:
+        /* The OSSL_PARAM functions have no support for this */
+        name = p->data;
+        status = (name != NULL);
+        break;
+    case OSSL_PARAM_UTF8_PTR:
+        status = OSSL_PARAM_get_utf8_ptr(p, &name);
+        break;
+    }
+    if (status) {
+        int i = ec_encoding_name2id(name);
+
+        if (i >= 0) {
+            *id = i;
+            return 1;
+        }
+    }
+    return 0;
+}
+
+int ec_pt_format_param2id(const OSSL_PARAM *p, int *id)
+{
+    const char *name = NULL;
+    int status = 0;
+
+    switch (p->data_type) {
+    case OSSL_PARAM_UTF8_STRING:
+        /* The OSSL_PARAM functions have no support for this */
+        name = p->data;
+        status = (name != NULL);
+        break;
+    case OSSL_PARAM_UTF8_PTR:
+        status = OSSL_PARAM_get_utf8_ptr(p, &name);
+        break;
+    }
+    if (status) {
+        int i = ec_pt_format_name2id(name);
+
+        if (i >= 0) {
+            *id = i;
+            return 1;
+        }
+    }
+    return 0;
+}

diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c
index d03c75e8aa1fc8454f61d4f8787a5e4d66cb367d..d354fd484ef44478f977323818e194e7a2c1ee7f 100644 (file)
--- a/crypto/ec/ec_key.c
+++ b/crypto/ec/ec_key.c
@@ -9,7 +9,7 @@
  */
 
 /*
- * ECDSA low level APIs are deprecated for public use, but still ok for
+ * EC_KEY low level APIs are deprecated for public use, but still ok for
  * internal use.
  */
 #include "internal/deprecated.h"

diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c
index 678b77047de977eeccb93dcf4d05bb819ec7f9c6..e1b92f7c334899c7c198465d5726ef0e6d5061f2 100644 (file)
--- a/crypto/ec/ec_lib.c
+++ b/crypto/ec/ec_lib.c
@@ -9,7 +9,7 @@
  */
 
 /*
- * ECDSA low level APIs are deprecated for public use, but still ok for
+ * EC_GROUP low level APIs are deprecated for public use, but still ok for
  * internal use.
  */
 #include "internal/deprecated.h"
@@ -1461,32 +1461,6 @@ err:
     return NULL;
 }
 
-static int ec_encoding_param2id(const OSSL_PARAM *p, int *id)
-{
-    const char *name = NULL;
-    int status = 0;
-
-    switch (p->data_type) {
-    case OSSL_PARAM_UTF8_STRING:
-        /* The OSSL_PARAM functions have no support for this */
-        name = p->data;
-        status = (name != NULL);
-        break;
-    case OSSL_PARAM_UTF8_PTR:
-        status = OSSL_PARAM_get_utf8_ptr(p, &name);
-        break;
-    }
-    if (status) {
-        int i = ec_encoding_name2id(name);
-
-        if (i >= 0) {
-            *id = i;
-            return 1;
-        }
-    }
-    return 0;
-}
-
 static EC_GROUP *group_new_from_name(const OSSL_PARAM *p,
                                      OSSL_LIB_CTX *libctx, const char *propq)
 {
@@ -1516,6 +1490,42 @@ static EC_GROUP *group_new_from_name(const OSSL_PARAM *p,
     return NULL;
 }
 
+/* These parameters can be set directly into an EC_GROUP */
+int ec_group_set_params(EC_GROUP *group, const OSSL_PARAM params[])
+{
+    int encoding_flag = -1, format = -1;
+    const OSSL_PARAM *p;
+
+    p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT);
+    if (p != NULL) {
+        if (!ec_pt_format_param2id(p, &format)) {
+            ECerr(0, EC_R_INVALID_FORM);
+            return 0;
+        }
+        EC_GROUP_set_point_conversion_form(group, format);
+    }
+
+    p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_ENCODING);
+    if (p != NULL) {
+        if (!ec_encoding_param2id(p, &encoding_flag)) {
+            ECerr(0, EC_R_INVALID_FORM);
+            return 0;
+        }
+        EC_GROUP_set_asn1_flag(group, encoding_flag);
+    }
+    /* Optional seed */
+    p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_SEED);
+    if (p != NULL) {
+        /* The seed is allowed to be NULL */
+        if (p->data_type != OSSL_PARAM_OCTET_STRING
+            || !EC_GROUP_set_seed(group, p->data, p->data_size)) {
+            ECerr(0, EC_R_INVALID_SEED);
+            return 0;
+        }
+    }
+    return 1;
+}
+
 EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
                                    OSSL_LIB_CTX *libctx, const char *propq)
 {
@@ -1530,19 +1540,19 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
     const unsigned char *buf = NULL;
     int encoding_flag = -1;
 
-    ptmp = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_ENCODING);
-    if (ptmp != NULL && !ec_encoding_param2id(ptmp, &encoding_flag)) {
-        ERR_raise(ERR_LIB_EC, EC_R_INVALID_ENCODING);
-        return 0;
-    }
-
+    /* This is the simple named group case */
     ptmp = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_GROUP_NAME);
     if (ptmp != NULL) {
         group = group_new_from_name(ptmp, libctx, propq);
-        if (group != NULL)
-            EC_GROUP_set_asn1_flag(group, encoding_flag);
+        if (group != NULL) {
+            if (!ec_group_set_params(group, params)) {
+                EC_GROUP_free(group);
+                group = NULL;
+            }
+        }
         return group;
     }
+    /* If it gets here then we are trying explicit parameters */
     bnctx = BN_CTX_new_ex(libctx);
     if (bnctx == NULL) {
         ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE);
@@ -1690,6 +1700,12 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[],
          * If we did not find a named group then the encoding should be explicit
          * if it was specified
          */
+        ptmp = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_EC_ENCODING);
+        if (ptmp != NULL
+            && !ec_encoding_param2id(ptmp, &encoding_flag)) {
+            ECerr(0, EC_R_INVALID_ENCODING);
+            return 0;
+        }
         if (encoding_flag == OPENSSL_EC_NAMED_CURVE) {
             ERR_raise(ERR_LIB_EC, EC_R_INVALID_ENCODING);
             goto err;

diff --git a/crypto/ec/eck_prn.c b/crypto/ec/eck_prn.c
index 20c6065a31c960c9acfd5c81f12c7b96dec742cb..e731d7c36902679a7afb2e93fea1d97c73bfa3a5 100644 (file)
--- a/crypto/ec/eck_prn.c
+++ b/crypto/ec/eck_prn.c
@@ -8,13 +8,16 @@
  * https://www.openssl.org/source/license.html
  */
 
+#include "internal/deprecated.h"
+
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include <openssl/evp.h>
 #include <openssl/ec.h>
 #include <openssl/bn.h>
 
-#ifndef OPENSSL_NO_STDIO
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+# ifndef OPENSSL_NO_STDIO
 int ECPKParameters_print_fp(FILE *fp, const EC_GROUP *x, int off)
 {
     BIO *b;
@@ -59,7 +62,7 @@ int ECParameters_print_fp(FILE *fp, const EC_KEY *x)
     BIO_free(b);
     return ret;
 }
-#endif
+#endif /* OPENSSL_NO_STDIO */
 
 static int print_bin(BIO *fp, const char *str, const unsigned char *num,
                      size_t len, int off);
@@ -256,3 +259,4 @@ static int print_bin(BIO *fp, const char *name, const unsigned char *buf,
 
     return 1;
 }
+#endif /* OPENSSL_NO_DEPRECATED_3_0 */

diff --git a/crypto/evp/ec_ctrl.c b/crypto/evp/ec_ctrl.c
index 541d8549d49e2c8da375fd9bde468b65df131846..5bb078639cc921a889cdd5d4b7e22f862d422cfc 100644 (file)
--- a/crypto/evp/ec_ctrl.c
+++ b/crypto/evp/ec_ctrl.c
@@ -7,6 +7,8 @@
  * https://www.openssl.org/source/license.html
  */
 
+#include "internal/deprecated.h"
+
 #include <string.h>
 
 #include <openssl/core_names.h>
@@ -466,7 +468,7 @@ int evp_pkey_ctx_set_ec_param_enc_prov(EVP_PKEY_CTX *ctx, int param_enc)
 
     *p++ = OSSL_PARAM_construct_utf8_string(OSSL_PKEY_PARAM_EC_ENCODING,
                                             (char *)enc, 0);
-    *p++ = OSSL_PARAM_construct_end();
+    *p = OSSL_PARAM_construct_end();
 
     ret = evp_pkey_ctx_set_params_strict(ctx, params);
  end:

diff --git a/crypto/evp/p_legacy.c b/crypto/evp/p_legacy.c
index cad4d67d73dfa9c95ed98ac9d9713690f02f8a4f..a4e478c223a077f5be9659601a4ce874a1ef59e2 100644 (file)
--- a/crypto/evp/p_legacy.c
+++ b/crypto/evp/p_legacy.c
@@ -17,6 +17,7 @@
 #include <openssl/evp.h>
 #include <openssl/err.h>
 #include <openssl/rsa.h>
+#include <openssl/ec.h>
 #include "crypto/types.h"
 #include "crypto/evp.h"
 #include "evp_local.h"
@@ -24,6 +25,7 @@
 int EVP_PKEY_set1_RSA(EVP_PKEY *pkey, RSA *key)
 {
     int ret = EVP_PKEY_assign_RSA(pkey, key);
+
     if (ret)
         RSA_up_ref(key);
     return ret;
@@ -45,7 +47,41 @@ RSA *EVP_PKEY_get0_RSA(const EVP_PKEY *pkey)
 RSA *EVP_PKEY_get1_RSA(EVP_PKEY *pkey)
 {
     RSA *ret = EVP_PKEY_get0_RSA(pkey);
+
     if (ret != NULL)
         RSA_up_ref(ret);
     return ret;
 }
+
+#ifndef OPENSSL_NO_EC
+int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey, EC_KEY *key)
+{
+    int ret = EVP_PKEY_assign_EC_KEY(pkey, key);
+
+    if (ret)
+        EC_KEY_up_ref(key);
+    return ret;
+}
+
+EC_KEY *EVP_PKEY_get0_EC_KEY(const EVP_PKEY *pkey)
+{
+    if (!evp_pkey_downgrade((EVP_PKEY *)pkey)) {
+        ERR_raise(ERR_LIB_EVP, EVP_R_INACCESSIBLE_KEY);
+        return NULL;
+    }
+    if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) {
+        EVPerr(EVP_F_EVP_PKEY_GET0_EC_KEY, EVP_R_EXPECTING_A_EC_KEY);
+        return NULL;
+    }
+    return pkey->pkey.ec;
+}
+
+EC_KEY *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey)
+{
+    EC_KEY *ret = EVP_PKEY_get0_EC_KEY(pkey);
+
+    if (ret != NULL)
+        EC_KEY_up_ref(ret);
+    return ret;
+}
+#endif /* OPENSSL_NO_EC */

diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c
index f43f5488d0468971d534148e8b656e96e38e5595..6fdc186507fbe27ab38b5fb60c65520dc66404b6 100644 (file)
--- a/crypto/evp/p_lib.c
+++ b/crypto/evp/p_lib.c
@@ -43,7 +43,6 @@
 
 #include "crypto/ec.h"
 
-/* TODO remove this when the EVP_PKEY_is_a() #legacy support hack is removed */
 #include "e_os.h"                /* strcasecmp on Windows */
 
 static int pkey_set_type(EVP_PKEY *pkey, ENGINE *e, int type, const char *str,
@@ -115,8 +114,7 @@ void *EVP_PKEY_get_ex_data(const EVP_PKEY *key, int idx)
 int EVP_PKEY_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from)
 {
     /*
-     * TODO: clean up legacy stuff from this function when legacy support
-     * is gone.
+     * Clean up legacy stuff from this function when legacy support is gone.
      */
 
     /*
@@ -814,35 +812,6 @@ DSA *EVP_PKEY_get1_DSA(EVP_PKEY *pkey)
 
 #ifndef FIPS_MODULE
 # ifndef OPENSSL_NO_EC
-int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey, EC_KEY *key)
-{
-    int ret = EVP_PKEY_assign_EC_KEY(pkey, key);
-    if (ret)
-        EC_KEY_up_ref(key);
-    return ret;
-}
-
-EC_KEY *EVP_PKEY_get0_EC_KEY(const EVP_PKEY *pkey)
-{
-    if (!evp_pkey_downgrade((EVP_PKEY *)pkey)) {
-        ERR_raise(ERR_LIB_EVP, EVP_R_INACCESSIBLE_KEY);
-        return NULL;
-    }
-    if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) {
-        ERR_raise(ERR_LIB_EVP, EVP_R_EXPECTING_A_EC_KEY);
-        return NULL;
-    }
-    return pkey->pkey.ec;
-}
-
-EC_KEY *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey)
-{
-    EC_KEY *ret = EVP_PKEY_get0_EC_KEY(pkey);
-    if (ret != NULL)
-        EC_KEY_up_ref(ret);
-    return ret;
-}
-
 static ECX_KEY *evp_pkey_get0_ECX_KEY(const EVP_PKEY *pkey, int type)
 {
     if (!evp_pkey_downgrade((EVP_PKEY *)pkey)) {

diff --git a/crypto/pem/pem_all.c b/crypto/pem/pem_all.c
index 5f73f93ce8a0231279bdc3d0594c88168fa16bb3..a31b81ceec7d275fafb7434a8f4f53fa4fdbb1df 100644 (file)
--- a/crypto/pem/pem_all.c
+++ b/crypto/pem/pem_all.c
@@ -128,7 +128,9 @@ DSA *PEM_read_DSAPrivateKey(FILE *fp, DSA **dsa, pem_password_cb *cb, void *u)
 
 IMPLEMENT_PEM_rw(DSAparams, DSA, PEM_STRING_DSAPARAMS, DSAparams)
 #endif
-#ifndef OPENSSL_NO_EC
+
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+# ifndef OPENSSL_NO_EC
 static EC_KEY *pkey_get_eckey(EVP_PKEY *key, EC_KEY **eckey)
 {
     EC_KEY *dtmp;
@@ -160,7 +162,7 @@ IMPLEMENT_PEM_rw(ECPKParameters, EC_GROUP, PEM_STRING_ECPARAMETERS,
 IMPLEMENT_PEM_write_cb(ECPrivateKey, EC_KEY, PEM_STRING_ECPRIVATEKEY,
                        ECPrivateKey)
 IMPLEMENT_PEM_rw(EC_PUBKEY, EC_KEY, PEM_STRING_PUBLIC, EC_PUBKEY)
-# ifndef OPENSSL_NO_STDIO
+#  ifndef OPENSSL_NO_STDIO
 EC_KEY *PEM_read_ECPrivateKey(FILE *fp, EC_KEY **eckey, pem_password_cb *cb,
                               void *u)
 {
@@ -168,10 +170,9 @@ EC_KEY *PEM_read_ECPrivateKey(FILE *fp, EC_KEY **eckey, pem_password_cb *cb,
     pktmp = PEM_read_PrivateKey(fp, NULL, cb, u);
     return pkey_get_eckey(pktmp, eckey); /* will free pktmp */
 }
-
-# endif
-
-#endif
+#  endif
+# endif /* !OPENSSL_NO_EC */
+#endif /* !OPENSSL_NO_DEPRECATED_3_0 */
 
 #ifndef OPENSSL_NO_DH
 

diff --git a/crypto/sm2/sm2_key.c b/crypto/sm2/sm2_key.c
index 5182d0105838bc99b5361fe2de1d4b165a2bb5fd..c91a712b67bc4bf7638aa5e1a9dbdaaf2881edf5 100644 (file)
--- a/crypto/sm2/sm2_key.c
+++ b/crypto/sm2/sm2_key.c
@@ -7,6 +7,8 @@
  * https://www.openssl.org/source/license.html
  */
 
+#include "internal/deprecated.h" /* to be able to use EC_KEY and EC_GROUP */
+
 #include <openssl/err.h>
 #include "crypto/sm2err.h"
 #include "crypto/sm2.h"

diff --git a/crypto/sm2/sm2_sign.c b/crypto/sm2/sm2_sign.c
index 94ea3aef969eb84c20c88523ffe116b04c312b04..1383e2e4f8f29e7ddd1127dc94600442a7e58a2a 100644 (file)
--- a/crypto/sm2/sm2_sign.c
+++ b/crypto/sm2/sm2_sign.c
@@ -9,6 +9,8 @@
  * https://www.openssl.org/source/license.html
  */
 
+#include "internal/deprecated.h"
+
 #include "crypto/sm2.h"
 #include "crypto/sm2err.h"
 #include "crypto/ec.h" /* ec_group_do_inverse_ord() */

diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index d18d1e2b67dea1bcd413ddd917ad92c67fb58db6..fb34d5cefcfbe06f923beece35dacd7957afeeaf 100644 (file)
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -400,13 +400,19 @@ int X509_check_private_key(const X509 *x, const EVP_PKEY *k)
 
 static int check_suite_b(EVP_PKEY *pkey, int sign_nid, unsigned long *pflags)
 {
-    const EC_GROUP *grp = NULL;
+    char curve_name[80];
+    size_t curve_name_len;
     int curve_nid;
-    if (pkey && EVP_PKEY_id(pkey) == EVP_PKEY_EC)
-        grp = EC_KEY_get0_group(EVP_PKEY_get0_EC_KEY(pkey));
-    if (!grp)
+
+    if (pkey == NULL || !EVP_PKEY_is_a(pkey, "EC"))
         return X509_V_ERR_SUITE_B_INVALID_ALGORITHM;
-    curve_nid = EC_GROUP_get_curve_name(grp);
+
+    if (!EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME,
+                                        curve_name, sizeof(curve_name),
+                                        &curve_name_len))
+        return X509_V_ERR_SUITE_B_INVALID_CURVE;
+
+    curve_nid = OBJ_txt2nid(curve_name);
     /* Check curve is consistent with LOS */
     if (curve_nid == NID_secp384r1) { /* P-384 */
         /*

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 1d7944933117ba7ed5c1e4438e6b14881cf4e6f3..2e619697916cfcbd51187c25a1346b110909ae60 100644 (file)
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -7,6 +7,8 @@
  * https://www.openssl.org/source/license.html
  */
 
+#include "internal/deprecated.h"
+
 #include <stdio.h>
 #include <time.h>
 #include <errno.h>

diff --git a/doc/man3/d2i_RSAPrivateKey.pod b/doc/man3/d2i_RSAPrivateKey.pod
index 7375f1bab320fefbe2fa1fa3f7e6ffe4fbd07601..8e7c010578885faa9faafbc1b11d10a0d8c6ef32 100644 (file)
--- a/doc/man3/d2i_RSAPrivateKey.pod
+++ b/doc/man3/d2i_RSAPrivateKey.pod
@@ -28,6 +28,14 @@ d2i_RSA_PUBKEY_fp,
 d2i_DHparams,
 d2i_DHparams_bio,
 d2i_DHparams_fp,
+d2i_ECPKParameters,
+d2i_ECParameters,
+d2i_ECPrivateKey,
+d2i_ECPrivateKey_bio,
+d2i_ECPrivateKey_fp,
+d2i_EC_PUBKEY,
+d2i_EC_PUBKEY_bio,
+d2i_EC_PUBKEY_fp,
 i2d_RSAPrivateKey,
 i2d_RSAPrivateKey_bio,
 i2d_RSAPrivateKey_fp,
@@ -39,7 +47,15 @@ i2d_RSA_PUBKEY_bio,
 i2d_RSA_PUBKEY_fp,
 i2d_DHparams,
 i2d_DHparams_bio,
-i2d_DHparams_fp
+i2d_DHparams_fp,
+i2d_ECPKParameters,
+i2d_ECParameters,
+i2d_ECPrivateKey,
+i2d_ECPrivateKey_bio,
+i2d_ECPrivateKey_fp,
+i2d_EC_PUBKEY,
+i2d_EC_PUBKEY_bio,
+i2d_EC_PUBKEY_fp
 - DEPRECATED
 
 =head1 SYNOPSIS

diff --git a/doc/man3/d2i_X509.pod b/doc/man3/d2i_X509.pod
index d5c684e31deed6ff58e93ee52ccb5ebccf5577b6..02542ba32d2d07c589c5d100ee28c15d765dc810 100644 (file)
--- a/doc/man3/d2i_X509.pod
+++ b/doc/man3/d2i_X509.pod
@@ -53,14 +53,6 @@ d2i_DIST_POINT,
 d2i_DIST_POINT_NAME,
 d2i_DSA_SIG,
 d2i_ECDSA_SIG,
-d2i_ECPKParameters,
-d2i_ECParameters,
-d2i_ECPrivateKey,
-d2i_ECPrivateKey_bio,
-d2i_ECPrivateKey_fp,
-d2i_EC_PUBKEY,
-d2i_EC_PUBKEY_bio,
-d2i_EC_PUBKEY_fp,
 d2i_EDIPARTYNAME,
 d2i_ESS_CERT_ID,
 d2i_ESS_CERT_ID_V2,
@@ -237,14 +229,6 @@ i2d_DSA_PUBKEY_fp,
 i2d_DSA_SIG,
 i2d_DSAparams,
 i2d_ECDSA_SIG,
-i2d_ECPKParameters,
-i2d_ECParameters,
-i2d_ECPrivateKey,
-i2d_ECPrivateKey_bio,
-i2d_ECPrivateKey_fp,
-i2d_EC_PUBKEY,
-i2d_EC_PUBKEY_bio,
-i2d_EC_PUBKEY_fp,
 i2d_EDIPARTYNAME,
 i2d_ESS_CERT_ID,
 i2d_ESS_CERT_ID_V2,

diff --git a/doc/man7/EVP_PKEY-EC.pod b/doc/man7/EVP_PKEY-EC.pod
index be6e507169c69f59a87eb479941b25c78d2e894d..ad188c6f4694d53aded7ffb6d2412fcb0e2f3143 100644 (file)
--- a/doc/man7/EVP_PKEY-EC.pod
+++ b/doc/man7/EVP_PKEY-EC.pod
@@ -79,6 +79,26 @@ EC curve's cofactor (note for some curves the cofactor is 1).
 Set the format used for serializing the EC group parameters.
 Valid values are "explicit" or "named_curve". The default value is "named_curve".
 
+=item "point-format" (B<OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT>) <utf8 string>
+
+Sets or gets the point_conversion_form for the I<key>. For a description of
+point_conversion_forms please see L<EC_POINT_new(3)>. Valid values are
+"uncompressed" or "compressed". The default value is "uncompressed".
+
+=item "group-check" (B<OSSL_PKEY_PARAM_EC_GROUP_CHECK_TYPE>) <utf8 string>
+
+Sets or Gets the type of group check done when EVP_PKEY_param_check() is called.
+Valid values are "default", "named" and "named-nist".
+The "named" type checks that the domain parameters match the inbuilt curve parameters,
+"named-nist" is similiar but also checks that the named curve is a nist curve.
+The "default" type does domain parameter validation for the OpenSSL default provider,
+but is equivalent to "named-nist" for the OpenSSL fips provider.
+
+=item "include-public" (B<OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC>) <integer>
+
+Setting this value to 0 indicates that the public key should not be included when
+encoding the private key. The default value of 1 will include the public key.
+
 See also L<EVP_KEYEXCH-ECDH(7)> for the related
 B<OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE> parameter that can be set on a
 per-operation basis.

diff --git a/fuzz/asn1.c b/fuzz/asn1.c
index b0d2ecd14ef79679cb9d46946378a9b0957ad6dc..e85a9607a4307df517bf9a2e8eafbbb062151568 100644 (file)
--- a/fuzz/asn1.c
+++ b/fuzz/asn1.c
@@ -96,7 +96,7 @@ static ASN1_ITEM_EXP *item_type[] = {
     ASN1_ITEM_ref(DISPLAYTEXT),
     ASN1_ITEM_ref(DIST_POINT),
     ASN1_ITEM_ref(DIST_POINT_NAME),
-#ifndef OPENSSL_NO_EC
+#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DEPRECATED_3_0)
     ASN1_ITEM_ref(ECPARAMETERS),
     ASN1_ITEM_ref(ECPKPARAMETERS),
 #endif
@@ -347,10 +347,10 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
     DO_TEST_NO_PRINT(RSA, d2i_RSAPublicKey, i2d_RSAPublicKey);
 #endif
 #ifndef OPENSSL_NO_EC
+# ifndef OPENSSL_NO_DEPRECATED_3_0
     DO_TEST_PRINT_OFFSET(EC_GROUP, d2i_ECPKParameters, i2d_ECPKParameters, ECPKParameters_print);
     DO_TEST_PRINT_OFFSET(EC_KEY, d2i_ECPrivateKey, i2d_ECPrivateKey, EC_KEY_print);
     DO_TEST(EC_KEY, d2i_ECParameters, i2d_ECParameters, ECParameters_print);
-# ifndef OPENSSL_NO_DEPRECATED_3_0
     DO_TEST_NO_PRINT(ECDSA_SIG, d2i_ECDSA_SIG, i2d_ECDSA_SIG);
 # endif
 #endif

diff --git a/fuzz/server.c b/fuzz/server.c
index ead9fc1105134097c7ada31e6729f8538a977f42..9631787885c773e55ac9558f57208a128b2386b0 100644 (file)
--- a/fuzz/server.c
+++ b/fuzz/server.c
@@ -12,7 +12,7 @@
 
 /* Test first part of SSL server handshake. */
 
-/* We need to use the deprecated RSA low level calls */
+/* We need to use the deprecated RSA/EC low level calls */
 #define OPENSSL_SUPPRESS_DEPRECATED
 
 #include <time.h>
@@ -200,8 +200,8 @@ static const uint8_t kRSAPrivateKeyDER[] = {
 };
 #endif
 
-
 #ifndef OPENSSL_NO_EC
+# ifndef OPENSSL_NO_DEPRECATED_3_0
 /*
  *  -----BEGIN EC PRIVATE KEY-----
  *  MHcCAQEEIJLyl7hJjpQL/RhP1x2zS79xdiPJQB683gWeqcqHPeZkoAoGCCqGSM49
@@ -230,6 +230,7 @@ static const char ECDSAPrivateKeyPEM[] = {
     0x4e, 0x44, 0x20, 0x45, 0x43, 0x20, 0x50, 0x52, 0x49, 0x56, 0x41, 0x54,
     0x45, 0x20, 0x4b, 0x45, 0x59, 0x2d, 0x2d, 0x2d, 0x2d, 0x2d, 0x0a
 };
+# endif
 
 /*
  * -----BEGIN CERTIFICATE-----
@@ -522,14 +523,14 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
     RSA *privkey;
 #endif
     const uint8_t *bufp;
-#if !defined(OPENSSL_NO_DEPRECATED_3_0)         \
-    || !defined(OPENSSL_NO_DSA)                 \
-    || !defined(OPENSSL_NO_EC)
+#if !defined(OPENSSL_NO_DEPRECATED_3_0)
     EVP_PKEY *pkey;
 #endif
     X509 *cert;
-#ifndef OPENSSL_NO_EC
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+# ifndef OPENSSL_NO_EC
     EC_KEY *ecdsakey = NULL;
+# endif
 #endif
 #if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0)
     DSA *dsakey = NULL;
@@ -571,6 +572,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
     X509_free(cert);
 
 #ifndef OPENSSL_NO_EC
+# ifndef OPENSSL_NO_DEPRECATED_3_0
     /* ECDSA */
     bio_buf = BIO_new(BIO_s_mem());
     OPENSSL_assert((size_t)BIO_write(bio_buf, ECDSAPrivateKeyPEM, sizeof(ECDSAPrivateKeyPEM)) == sizeof(ECDSAPrivateKeyPEM));
@@ -583,7 +585,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
     ret = SSL_CTX_use_PrivateKey(ctx, pkey);
     OPENSSL_assert(ret == 1);
     EVP_PKEY_free(pkey);
-
+# endif
     bio_buf = BIO_new(BIO_s_mem());
     OPENSSL_assert((size_t)BIO_write(bio_buf, ECDSACertPEM, sizeof(ECDSACertPEM)) == sizeof(ECDSACertPEM));
     cert = PEM_read_bio_X509(bio_buf, NULL, NULL, NULL);

diff --git a/include/crypto/ec.h b/include/crypto/ec.h
index 087457fa50784db3de41f2ae458e62d346849547..4127b6e9a0cfa3f42fe3d6cbe955f97038ca6c1a 100644 (file)
--- a/include/crypto/ec.h
+++ b/include/crypto/ec.h
@@ -23,6 +23,7 @@ int evp_pkey_ctx_set_ec_param_enc_prov(EVP_PKEY_CTX *ctx, int param_enc);
 # ifndef OPENSSL_NO_EC
 #  include <openssl/core.h>
 #  include <openssl/ec.h>
+#  include "crypto/types.h"
 
 /*-
  * Computes the multiplicative inverse of x in the range
@@ -69,10 +70,18 @@ int ec_group_todata(const EC_GROUP *group, OSSL_PARAM_BLD *tmpl,
                     const char *propq,
                     BN_CTX *bnctx, unsigned char **genbuf);
 int ec_group_fromdata(EC_KEY *ec, const OSSL_PARAM params[]);
+int ec_group_set_params(EC_GROUP *group, const OSSL_PARAM params[]);
 int ec_key_fromdata(EC_KEY *ecx, const OSSL_PARAM params[], int include_private);
 int ec_key_otherparams_fromdata(EC_KEY *ec, const OSSL_PARAM params[]);
 int ec_set_ecdh_cofactor_mode(EC_KEY *ec, int mode);
 int ec_encoding_name2id(const char *name);
+int ec_encoding_param2id(const OSSL_PARAM *p, int *id);
+int ec_pt_format_name2id(const char *name);
+int ec_pt_format_param2id(const OSSL_PARAM *p, int *id);
+char *ec_pt_format_id2name(int id);
+
+char *ec_check_group_type_id2name(int flags);
+int ec_set_check_group_type_from_name(EC_KEY *ec, const char *name);
 
 # endif /* OPENSSL_NO_EC */
 #endif

diff --git a/include/crypto/sm2.h b/include/crypto/sm2.h
index e442e7aec71f6d5c5484e674a6b301ea45be61b0..a38d940a70610f890c4fd2ed6b9eb1ae30d04dd3 100644 (file)
--- a/include/crypto/sm2.h
+++ b/include/crypto/sm2.h
@@ -16,6 +16,7 @@
 # ifndef OPENSSL_NO_SM2
 
 #  include <openssl/ec.h>
+#  include "crypto/types.h"
 
 int sm2_key_private_check(const EC_KEY *eckey);
 

diff --git a/include/crypto/types.h b/include/crypto/types.h
index ccb75e3cbf17135776d1e4248a175831416fb301..e6e90d6177522fbf4b425e81eb3b1b04efc5d964 100644 (file)
--- a/include/crypto/types.h
+++ b/include/crypto/types.h
@@ -12,5 +12,6 @@
 #ifdef OPENSSL_NO_DEPRECATED_3_0
 typedef struct rsa_st RSA;
 typedef struct rsa_meth_st RSA_METHOD;
+typedef struct ec_key_st EC_KEY;
+typedef struct ec_key_method_st EC_KEY_METHOD;
 #endif
-

diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
index 17b0573ac36b2e6e57c56dc13d44982188164d97..7b9af629626060dd94ff1e10a7b0b852da0366f6 100644 (file)
--- a/include/openssl/core_names.h
+++ b/include/openssl/core_names.h
@@ -400,12 +400,23 @@ extern "C" {
 #define OSSL_PKEY_PARAM_FFC_DIGEST       OSSL_PKEY_PARAM_DIGEST
 #define OSSL_PKEY_PARAM_FFC_DIGEST_PROPS OSSL_PKEY_PARAM_PROPERTIES
 
-#define OSSL_PKEY_PARAM_EC_ENCODING      "encoding" /* utf8_string */
+#define OSSL_PKEY_PARAM_EC_ENCODING                "encoding" /* utf8_string */
+#define OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT "point-format"
+#define OSSL_PKEY_PARAM_EC_GROUP_CHECK_TYPE        "group-check"
+#define OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC          "include-public"
 
 /* OSSL_PKEY_PARAM_EC_ENCODING values */
 #define OSSL_PKEY_EC_ENCODING_EXPLICIT  "explicit"
 #define OSSL_PKEY_EC_ENCODING_GROUP     "named_curve"
 
+#define OSSL_PKEY_EC_POINT_CONVERSION_FORMAT_UNCOMPRESSED "uncompressed"
+#define OSSL_PKEY_EC_POINT_CONVERSION_FORMAT_COMPRESSED   "compressed"
+#define OSSL_PKEY_EC_POINT_CONVERSION_FORMAT_HYBRID       "hybrid"
+
+#define OSSL_PKEY_EC_GROUP_CHECK_DEFAULT     "default"
+#define OSSL_PKEY_EC_GROUP_CHECK_NAMED       "named"
+#define OSSL_PKEY_EC_GROUP_CHECK_NAMED_NIST  "named-nist"
+
 /* Key Exchange parameters */
 #define OSSL_EXCHANGE_PARAM_PAD                   "pad" /* uint */
 #define OSSL_EXCHANGE_PARAM_EC_ECDH_COFACTOR_MODE "ecdh-cofactor-mode" /* int */

diff --git a/include/openssl/ec.h b/include/openssl/ec.h
index 1f01c09fb23e94eeea8e01e53c2f967d61075cd9..2d9b7714e31fefa9c04b81558744b9e08e4b4a66 100644 (file)
--- a/include/openssl/ec.h
+++ b/include/openssl/ec.h
@@ -106,40 +106,41 @@ typedef struct ec_parameters_st ECPARAMETERS;
 /*               EC_METHODs for curves over GF(p)                   */
 /********************************************************************/
 
+#  ifndef OPENSSL_NO_DEPRECATED_3_0
 /** Returns the basic GFp ec methods which provides the basis for the
  *  optimized methods.
  *  \return  EC_METHOD object
  */
-DEPRECATEDIN_3_0(const EC_METHOD *EC_GFp_simple_method(void))
+OSSL_DEPRECATEDIN_3_0 const EC_METHOD *EC_GFp_simple_method(void);
 
 /** Returns GFp methods using montgomery multiplication.
  *  \return  EC_METHOD object
  */
-DEPRECATEDIN_3_0(const EC_METHOD *EC_GFp_mont_method(void))
+OSSL_DEPRECATEDIN_3_0 const EC_METHOD *EC_GFp_mont_method(void);
 
 /** Returns GFp methods using optimized methods for NIST recommended curves
  *  \return  EC_METHOD object
  */
-DEPRECATEDIN_3_0(const EC_METHOD *EC_GFp_nist_method(void))
+OSSL_DEPRECATEDIN_3_0 const EC_METHOD *EC_GFp_nist_method(void);
 
-#  ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
+#   ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
 /** Returns 64-bit optimized methods for nistp224
  *  \return  EC_METHOD object
  */
-DEPRECATEDIN_3_0(const EC_METHOD *EC_GFp_nistp224_method(void))
+OSSL_DEPRECATEDIN_3_0 const EC_METHOD *EC_GFp_nistp224_method(void);
 
 /** Returns 64-bit optimized methods for nistp256
  *  \return  EC_METHOD object
  */
-DEPRECATEDIN_3_0(const EC_METHOD *EC_GFp_nistp256_method(void))
+OSSL_DEPRECATEDIN_3_0 const EC_METHOD *EC_GFp_nistp256_method(void);
 
 /** Returns 64-bit optimized methods for nistp521
  *  \return  EC_METHOD object
  */
-DEPRECATEDIN_3_0(const EC_METHOD *EC_GFp_nistp521_method(void))
-#  endif
+OSSL_DEPRECATEDIN_3_0 const EC_METHOD *EC_GFp_nistp521_method(void);
+#   endif /* OPENSSL_NO_EC_NISTP_64_GCC_128 */
 
-#  ifndef OPENSSL_NO_EC2M
+#   ifndef OPENSSL_NO_EC2M
 /********************************************************************/
 /*           EC_METHOD for curves over GF(2^m)                      */
 /********************************************************************/
@@ -147,9 +148,9 @@ DEPRECATEDIN_3_0(const EC_METHOD *EC_GFp_nistp521_method(void))
 /** Returns the basic GF2m ec method
  *  \return  EC_METHOD object
  */
-DEPRECATEDIN_3_0(const EC_METHOD *EC_GF2m_simple_method(void))
+OSSL_DEPRECATEDIN_3_0 const EC_METHOD *EC_GF2m_simple_method(void);
 
-#  endif
+#   endif
 
 /********************************************************************/
 /*                   EC_GROUP functions                             */
@@ -160,18 +161,31 @@ DEPRECATEDIN_3_0(const EC_METHOD *EC_GF2m_simple_method(void))
  *  \param   meth   EC_METHOD to use
  *  \return  newly created EC_GROUP object or NULL in case of an error.
  */
-DEPRECATEDIN_3_0(EC_GROUP *EC_GROUP_new(const EC_METHOD *meth))
+OSSL_DEPRECATEDIN_3_0 EC_GROUP *EC_GROUP_new(const EC_METHOD *meth);
+
+/** Clears and frees a EC_GROUP object
+ *  \param  group  EC_GROUP object to be cleared and freed.
+ */
+OSSL_DEPRECATEDIN_3_0 void EC_GROUP_clear_free(EC_GROUP *group);
+
+/** Returns the EC_METHOD of the EC_GROUP object.
+ *  \param  group  EC_GROUP object
+ *  \return EC_METHOD used in this EC_GROUP object.
+ */
+OSSL_DEPRECATEDIN_3_0 const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *group);
+
+/** Returns the field type of the EC_METHOD.
+ *  \param  meth  EC_METHOD object
+ *  \return NID of the underlying field type OID.
+ */
+OSSL_DEPRECATEDIN_3_0 int EC_METHOD_get_field_type(const EC_METHOD *meth);
+#  endif /* OPENSSL_NO_DEPRECATED_3_0 */
 
 /** Frees a EC_GROUP object
  *  \param  group  EC_GROUP object to be freed.
  */
 void EC_GROUP_free(EC_GROUP *group);
 
-/** Clears and frees a EC_GROUP object
- *  \param  group  EC_GROUP object to be cleared and freed.
- */
-DEPRECATEDIN_3_0(void EC_GROUP_clear_free(EC_GROUP *group))
-
 /** Copies EC_GROUP objects. Note: both EC_GROUPs must use the same EC_METHOD.
  *  \param  dst  destination EC_GROUP object
  *  \param  src  source EC_GROUP object
@@ -186,18 +200,6 @@ int EC_GROUP_copy(EC_GROUP *dst, const EC_GROUP *src);
  */
 EC_GROUP *EC_GROUP_dup(const EC_GROUP *src);
 
-/** Returns the EC_METHOD of the EC_GROUP object.
- *  \param  group  EC_GROUP object
- *  \return EC_METHOD used in this EC_GROUP object.
- */
-DEPRECATEDIN_3_0(const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *group))
-
-/** Returns the field type of the EC_METHOD.
- *  \param  meth  EC_METHOD object
- *  \return NID of the underlying field type OID.
- */
-DEPRECATEDIN_3_0(int EC_METHOD_get_field_type(const EC_METHOD *meth))
-
 /** Sets the generator and its order/cofactor of a EC_GROUP object.
  *  \param  group      EC_GROUP object
  *  \param  generator  EC_POINT object with the generator.
@@ -317,6 +319,7 @@ int EC_GROUP_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a,
 int EC_GROUP_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b,
                        BN_CTX *ctx);
 
+#  ifndef OPENSSL_NO_DEPRECATED_3_0
 /** Sets the parameters of an ec curve. Synonym for EC_GROUP_set_curve
  *  \param  group  EC_GROUP object
  *  \param  p      BIGNUM with the prime number (GFp) or the polynomial
@@ -326,9 +329,11 @@ int EC_GROUP_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b,
  *  \param  ctx    BN_CTX object (optional)
  *  \return 1 on success and 0 if an error occurred
  */
-DEPRECATEDIN_3_0(int EC_GROUP_set_curve_GFp(EC_GROUP *group, const BIGNUM *p,
-                                          const BIGNUM *a, const BIGNUM *b,
-                                          BN_CTX *ctx))
+OSSL_DEPRECATEDIN_3_0 int EC_GROUP_set_curve_GFp(EC_GROUP *group,
+                                                 const BIGNUM *p,
+                                                 const BIGNUM *a,
+                                                 const BIGNUM *b,
+                                                 BN_CTX *ctx);
 
 /** Gets the parameters of an ec curve. Synonym for EC_GROUP_get_curve
  *  \param  group  EC_GROUP object
@@ -339,11 +344,12 @@ DEPRECATEDIN_3_0(int EC_GROUP_set_curve_GFp(EC_GROUP *group, const BIGNUM *p,
  *  \param  ctx    BN_CTX object (optional)
  *  \return 1 on success and 0 if an error occurred
  */
-DEPRECATEDIN_3_0(int EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *p,
-                                          BIGNUM *a, BIGNUM *b,
-                                          BN_CTX *ctx))
+OSSL_DEPRECATEDIN_3_0 int EC_GROUP_get_curve_GFp(const EC_GROUP *group,
+                                                 BIGNUM *p,
+                                                 BIGNUM *a, BIGNUM *b,
+                                                 BN_CTX *ctx);
 
-#  ifndef OPENSSL_NO_EC2M
+#   ifndef OPENSSL_NO_EC2M
 /** Sets the parameter of an ec curve. Synonym for EC_GROUP_set_curve
  *  \param  group  EC_GROUP object
  *  \param  p      BIGNUM with the prime number (GFp) or the polynomial
@@ -353,9 +359,11 @@ DEPRECATEDIN_3_0(int EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *p,
  *  \param  ctx    BN_CTX object (optional)
  *  \return 1 on success and 0 if an error occurred
  */
-DEPRECATEDIN_3_0(int EC_GROUP_set_curve_GF2m(EC_GROUP *group, const BIGNUM *p,
-                                           const BIGNUM *a, const BIGNUM *b,
-                                           BN_CTX *ctx))
+OSSL_DEPRECATEDIN_3_0 int EC_GROUP_set_curve_GF2m(EC_GROUP *group,
+                                                  const BIGNUM *p,
+                                                  const BIGNUM *a,
+                                                  const BIGNUM *b,
+                                                  BN_CTX *ctx);
 
 /** Gets the parameters of an ec curve. Synonym for EC_GROUP_get_curve
  *  \param  group  EC_GROUP object
@@ -366,10 +374,13 @@ DEPRECATEDIN_3_0(int EC_GROUP_set_curve_GF2m(EC_GROUP *group, const BIGNUM *p,
  *  \param  ctx    BN_CTX object (optional)
  *  \return 1 on success and 0 if an error occurred
  */
-DEPRECATEDIN_3_0(int EC_GROUP_get_curve_GF2m(const EC_GROUP *group, BIGNUM *p,
-                                           BIGNUM *a, BIGNUM *b,
-                                           BN_CTX *ctx))
-#  endif
+OSSL_DEPRECATEDIN_3_0 int EC_GROUP_get_curve_GF2m(const EC_GROUP *group,
+                                                  BIGNUM *p,
+                                                  BIGNUM *a, BIGNUM *b,
+                                                  BN_CTX *ctx);
+#   endif /* OPENSSL_NO_EC2M */
+#  endif /* OPENSSL_NO_DEPRECATED_3_0 */
+
 /** Returns the number of bits needed to represent a field element
  *  \param  group  EC_GROUP object
  *  \return number of bits needed to represent a field element
@@ -550,12 +561,6 @@ int EC_POINT_copy(EC_POINT *dst, const EC_POINT *src);
  */
 EC_POINT *EC_POINT_dup(const EC_POINT *src, const EC_GROUP *group);
 
-/** Returns the EC_METHOD used in EC_POINT object
- *  \param  point  EC_POINT object
- *  \return the EC_METHOD used
- */
-DEPRECATEDIN_3_0(const EC_METHOD *EC_POINT_method_of(const EC_POINT *point))
-
 /** Sets a point to infinity (neutral element)
  *  \param  group  underlying EC_GROUP object
  *  \param  point  EC_POINT to set to infinity
@@ -563,6 +568,13 @@ DEPRECATEDIN_3_0(const EC_METHOD *EC_POINT_method_of(const EC_POINT *point))
  */
 int EC_POINT_set_to_infinity(const EC_GROUP *group, EC_POINT *point);
 
+#  ifndef OPENSSL_NO_DEPRECATED_3_0
+/** Returns the EC_METHOD used in EC_POINT object
+ *  \param  point  EC_POINT object
+ *  \return the EC_METHOD used
+ */
+OSSL_DEPRECATEDIN_3_0 const EC_METHOD *EC_POINT_method_of(const EC_POINT *point);
+
 /** Sets the jacobian projective coordinates of a EC_POINT over GFp
  *  \param  group  underlying EC_GROUP object
  *  \param  p      EC_POINT object
@@ -572,10 +584,10 @@ int EC_POINT_set_to_infinity(const EC_GROUP *group, EC_POINT *point);
  *  \param  ctx    BN_CTX object (optional)
  *  \return 1 on success and 0 if an error occurred
  */
-DEPRECATEDIN_3_0(int EC_POINT_set_Jprojective_coordinates_GFp(const EC_GROUP *group,
-                                             EC_POINT *p, const BIGNUM *x,
-                                             const BIGNUM *y, const BIGNUM *z,
-                                             BN_CTX *ctx))
+OSSL_DEPRECATEDIN_3_0 int EC_POINT_set_Jprojective_coordinates_GFp
+                      (const EC_GROUP *group, EC_POINT *p,
+                       const BIGNUM *x, const BIGNUM *y, const BIGNUM *z,
+                       BN_CTX *ctx);
 
 /** Gets the jacobian projective coordinates of a EC_POINT over GFp
  *  \param  group  underlying EC_GROUP object
@@ -586,10 +598,10 @@ DEPRECATEDIN_3_0(int EC_POINT_set_Jprojective_coordinates_GFp(const EC_GROUP *gr
  *  \param  ctx    BN_CTX object (optional)
  *  \return 1 on success and 0 if an error occurred
  */
-DEPRECATEDIN_3_0(int EC_POINT_get_Jprojective_coordinates_GFp(const EC_GROUP *group,
-                                             const EC_POINT *p, BIGNUM *x,
-                                             BIGNUM *y, BIGNUM *z,
-                                             BN_CTX *ctx))
+OSSL_DEPRECATEDIN_3_0 int EC_POINT_get_Jprojective_coordinates_GFp
+                      (const EC_GROUP *group, const EC_POINT *p,
+                       BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx);
+#  endif /* OPENSSL_NO_DEPRECATED_3_0 */
 
 /** Sets the affine coordinates of an EC_POINT
  *  \param  group  underlying EC_GROUP object
@@ -614,6 +626,7 @@ int EC_POINT_set_affine_coordinates(const EC_GROUP *group, EC_POINT *p,
 int EC_POINT_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *p,
                                     BIGNUM *x, BIGNUM *y, BN_CTX *ctx);
 
+#  ifndef OPENSSL_NO_DEPRECATED_3_0
 /** Sets the affine coordinates of an EC_POINT. A synonym of
  *  EC_POINT_set_affine_coordinates
  *  \param  group  underlying EC_GROUP object
@@ -623,11 +636,9 @@ int EC_POINT_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *p,
  *  \param  ctx    BN_CTX object (optional)
  *  \return 1 on success and 0 if an error occurred
  */
-DEPRECATEDIN_3_0(int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group,
-                                                       EC_POINT *p,
-                                                       const BIGNUM *x,
-                                                       const BIGNUM *y,
-                                                       BN_CTX *ctx))
+OSSL_DEPRECATEDIN_3_0 int EC_POINT_set_affine_coordinates_GFp
+                      (const EC_GROUP *group, EC_POINT *p,
+                       const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx);
 
 /** Gets the affine coordinates of an EC_POINT. A synonym of
  *  EC_POINT_get_affine_coordinates
@@ -638,11 +649,10 @@ DEPRECATEDIN_3_0(int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group,
  *  \param  ctx    BN_CTX object (optional)
  *  \return 1 on success and 0 if an error occurred
  */
-DEPRECATEDIN_3_0(int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group,
-                                                       const EC_POINT *p,
-                                                       BIGNUM *x,
-                                                       BIGNUM *y,
-                                                       BN_CTX *ctx))
+OSSL_DEPRECATEDIN_3_0 int EC_POINT_get_affine_coordinates_GFp
+                      (const EC_GROUP *group, const EC_POINT *p,
+                       BIGNUM *x, BIGNUM *y, BN_CTX *ctx);
+#  endif /* OPENSSL_NO_DEPRECATED_3_0 */
 
 /** Sets the x9.62 compressed coordinates of a EC_POINT
  *  \param  group  underlying EC_GROUP object
@@ -656,6 +666,7 @@ int EC_POINT_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *p,
                                         const BIGNUM *x, int y_bit,
                                         BN_CTX *ctx);
 
+#  ifndef OPENSSL_NO_DEPRECATED_3_0
 /** Sets the x9.62 compressed coordinates of a EC_POINT. A synonym of
  *  EC_POINT_set_compressed_coordinates
  *  \param  group  underlying EC_GROUP object
@@ -665,12 +676,10 @@ int EC_POINT_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *p,
  *  \param  ctx    BN_CTX object (optional)
  *  \return 1 on success and 0 if an error occurred
  */
-DEPRECATEDIN_3_0(int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group,
-                                                           EC_POINT *p,
-                                                           const BIGNUM *x,
-                                                           int y_bit,
-                                                           BN_CTX *ctx))
-#  ifndef OPENSSL_NO_EC2M
+OSSL_DEPRECATEDIN_3_0 int EC_POINT_set_compressed_coordinates_GFp
+                      (const EC_GROUP *group, EC_POINT *p,
+                       const BIGNUM *x, int y_bit, BN_CTX *ctx);
+#   ifndef OPENSSL_NO_EC2M
 /** Sets the affine coordinates of an EC_POINT. A synonym of
  *  EC_POINT_set_affine_coordinates
  *  \param  group  underlying EC_GROUP object
@@ -680,11 +689,9 @@ DEPRECATEDIN_3_0(int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *gro
  *  \param  ctx    BN_CTX object (optional)
  *  \return 1 on success and 0 if an error occurred
  */
-DEPRECATEDIN_3_0(int EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *group,
-                                                        EC_POINT *p,
-                                                        const BIGNUM *x,
-                                                        const BIGNUM *y,
-                                                        BN_CTX *ctx))
+OSSL_DEPRECATEDIN_3_0 int EC_POINT_set_affine_coordinates_GF2m
+                      (const EC_GROUP *group, EC_POINT *p,
+                       const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx);
 
 /** Gets the affine coordinates of an EC_POINT. A synonym of
  *  EC_POINT_get_affine_coordinates
@@ -695,11 +702,9 @@ DEPRECATEDIN_3_0(int EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *group,
  *  \param  ctx    BN_CTX object (optional)
  *  \return 1 on success and 0 if an error occurred
  */
-DEPRECATEDIN_3_0(int EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *group,
-                                                        const EC_POINT *p,
-                                                        BIGNUM *x,
-                                                        BIGNUM *y,
-                                                        BN_CTX *ctx))
+OSSL_DEPRECATEDIN_3_0 int EC_POINT_get_affine_coordinates_GF2m
+                      (const EC_GROUP *group, const EC_POINT *p,
+                       BIGNUM *x, BIGNUM *y, BN_CTX *ctx);
 
 /** Sets the x9.62 compressed coordinates of a EC_POINT. A synonym of
  *  EC_POINT_set_compressed_coordinates
@@ -710,12 +715,12 @@ DEPRECATEDIN_3_0(int EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *group,
  *  \param  ctx    BN_CTX object (optional)
  *  \return 1 on success and 0 if an error occurred
  */
-DEPRECATEDIN_3_0(int EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP *group,
-                                                            EC_POINT *p,
-                                                            const BIGNUM *x,
-                                                            int y_bit,
-                                                            BN_CTX *ctx))
-#  endif
+OSSL_DEPRECATEDIN_3_0 int EC_POINT_set_compressed_coordinates_GF2m
+                      (const EC_GROUP *group, EC_POINT *p,
+                       const BIGNUM *x, int y_bit, BN_CTX *ctx);
+#   endif
+#  endif /* OPENSSL_NO_DEPRECATED_3_0 */
+
 /** Encodes a EC_POINT object to a octet string
  *  \param  group  underlying EC_GROUP object
  *  \param  p      EC_POINT object
@@ -828,10 +833,11 @@ int EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point,
 int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b,
                  BN_CTX *ctx);
 
-DEPRECATEDIN_3_0(int EC_POINT_make_affine(const EC_GROUP *group,
-                                          EC_POINT *point, BN_CTX *ctx))
-DEPRECATEDIN_3_0(int EC_POINTs_make_affine(const EC_GROUP *group, size_t num,
-                                           EC_POINT *points[], BN_CTX *ctx))
+#  ifndef OPENSSL_NO_DEPRECATED_3_0
+OSSL_DEPRECATEDIN_3_0 int EC_POINT_make_affine(const EC_GROUP *group,
+                                               EC_POINT *point, BN_CTX *ctx);
+OSSL_DEPRECATEDIN_3_0 int EC_POINTs_make_affine(const EC_GROUP *group, size_t num,
+                                                EC_POINT *points[], BN_CTX *ctx);
 
 /** Computes r = generator * n + sum_{i=0}^{num-1} p[i] * m[i]
  *  \param  group  underlying EC_GROUP object
@@ -843,10 +849,11 @@ DEPRECATEDIN_3_0(int EC_POINTs_make_affine(const EC_GROUP *group, size_t num,
  *  \param  ctx    BN_CTX object (optional)
  *  \return 1 on success and 0 if an error occurred
  */
-DEPRECATEDIN_3_0(int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r,
-                                   const BIGNUM *n, size_t num,
-                                   const EC_POINT *p[], const BIGNUM *m[],
-                                   BN_CTX *ctx))
+OSSL_DEPRECATEDIN_3_0 int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r,
+                                        const BIGNUM *n, size_t num,
+                                        const EC_POINT *p[], const BIGNUM *m[],
+                                        BN_CTX *ctx);
+#  endif /* OPENSSL_NO_DEPRECATED_3_0 */
 
 /** Computes r = generator * n + q * m
  *  \param  group  underlying EC_GROUP object
@@ -860,18 +867,20 @@ DEPRECATEDIN_3_0(int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r,
 int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *n,
                  const EC_POINT *q, const BIGNUM *m, BN_CTX *ctx);
 
+#  ifndef OPENSSL_NO_DEPRECATED_3_0
 /** Stores multiples of generator for faster point multiplication
  *  \param  group  EC_GROUP object
  *  \param  ctx    BN_CTX object (optional)
  *  \return 1 on success and 0 if an error occurred
  */
-DEPRECATEDIN_3_0(int EC_GROUP_precompute_mult(EC_GROUP *group, BN_CTX *ctx))
+OSSL_DEPRECATEDIN_3_0 int EC_GROUP_precompute_mult(EC_GROUP *group, BN_CTX *ctx);
 
 /** Reports whether a precomputation has been done
  *  \param  group  EC_GROUP object
  *  \return 1 if a pre-computation has been done and 0 otherwise
  */
-DEPRECATEDIN_3_0(int EC_GROUP_have_precompute_mult(const EC_GROUP *group))
+OSSL_DEPRECATEDIN_3_0 int EC_GROUP_have_precompute_mult(const EC_GROUP *group);
+#  endif /* OPENSSL_NO_DEPRECATED_3_0 */
 
 /********************************************************************/
 /*                       ASN1 stuff                                 */
@@ -906,10 +915,14 @@ int i2d_ECPKParameters(const EC_GROUP *, unsigned char **out);
 #  define i2d_ECPKParameters_fp(fp,x) \
     ASN1_i2d_fp(i2d_ECPKParameters,(fp), (unsigned char *)(x))
 
-int ECPKParameters_print(BIO *bp, const EC_GROUP *x, int off);
-#  ifndef OPENSSL_NO_STDIO
-int ECPKParameters_print_fp(FILE *fp, const EC_GROUP *x, int off);
-#  endif
+#  ifndef OPENSSL_NO_DEPRECATED_3_0
+OSSL_DEPRECATEDIN_3_0 int ECPKParameters_print(BIO *bp, const EC_GROUP *x,
+                                               int off);
+#   ifndef OPENSSL_NO_STDIO
+OSSL_DEPRECATEDIN_3_0 int ECPKParameters_print_fp(FILE *fp, const EC_GROUP *x,
+                                                  int off);
+#   endif
+#  endif /* OPENSSL_NO_DEPRECATED_3_0 */
 
 /********************************************************************/
 /*                      EC_KEY functions                            */
@@ -920,33 +933,40 @@ int ECPKParameters_print_fp(FILE *fp, const EC_GROUP *x, int off);
 #  define EC_PKEY_NO_PUBKEY       0x002
 
 /* some values for the flags field */
-#  define EC_FLAG_NON_FIPS_ALLOW  0x1
-#  define EC_FLAG_FIPS_CHECKED    0x2
-#  define EC_FLAG_COFACTOR_ECDH   0x1000
-#  define EC_FLAG_SM2_RANGE       0x4
+#  define EC_FLAG_SM2_RANGE              0x0004
+#  define EC_FLAG_COFACTOR_ECDH          0x1000
+#  define EC_FLAG_CHECK_NAMED_GROUP      0x2000
+#  define EC_FLAG_CHECK_NAMED_GROUP_NIST 0x4000
+#  define EC_FLAG_CHECK_NAMED_GROUP_MASK \
+    (EC_FLAG_CHECK_NAMED_GROUP | EC_FLAG_CHECK_NAMED_GROUP_NIST)
+
+/* Deprecated flags -  it was using 0x01..0x02 */
+#  define EC_FLAG_NON_FIPS_ALLOW         0x0000
+#  define EC_FLAG_FIPS_CHECKED           0x0000
 
+#  ifndef OPENSSL_NO_DEPRECATED_3_0
 /**
  *  Creates a new EC_KEY object.
  *  \param  ctx  The library context for to use for this EC_KEY. May be NULL in
  *               which case the default library context is used.
  *  \return EC_KEY object or NULL if an error occurred.
  */
-EC_KEY *EC_KEY_new_ex(OSSL_LIB_CTX *ctx, const char *propq);
+OSSL_DEPRECATEDIN_3_0 EC_KEY *EC_KEY_new_ex(OSSL_LIB_CTX *ctx, const char *propq);
 
 /**
  *  Creates a new EC_KEY object. Same as calling EC_KEY_new_ex with a
  *  NULL library context
  *  \return EC_KEY object or NULL if an error occurred.
  */
-EC_KEY *EC_KEY_new(void);
+OSSL_DEPRECATEDIN_3_0 EC_KEY *EC_KEY_new(void);
 
-int EC_KEY_get_flags(const EC_KEY *key);
+OSSL_DEPRECATEDIN_3_0 int EC_KEY_get_flags(const EC_KEY *key);
 
-void EC_KEY_set_flags(EC_KEY *key, int flags);
+OSSL_DEPRECATEDIN_3_0 void EC_KEY_set_flags(EC_KEY *key, int flags);
 
-void EC_KEY_clear_flags(EC_KEY *key, int flags);
+OSSL_DEPRECATEDIN_3_0 void EC_KEY_clear_flags(EC_KEY *key, int flags);
 
-int EC_KEY_decoded_from_explicit_params(const EC_KEY *key);
+OSSL_DEPRECATEDIN_3_0 int EC_KEY_decoded_from_explicit_params(const EC_KEY *key);
 
 /**
  *  Creates a new EC_KEY object using a named curve as underlying
@@ -957,8 +977,9 @@ int EC_KEY_decoded_from_explicit_params(const EC_KEY *key);
  *  \param  nid   NID of the named curve.
  *  \return EC_KEY object or NULL if an error occurred.
  */
-EC_KEY *EC_KEY_new_by_curve_name_ex(OSSL_LIB_CTX *ctx, const char *propq,
-                                    int nid);
+OSSL_DEPRECATEDIN_3_0 EC_KEY *EC_KEY_new_by_curve_name_ex(OSSL_LIB_CTX *ctx,
+                                                          const char *propq,
+                                                          int nid);
 
 /**
  *  Creates a new EC_KEY object using a named curve as underlying
@@ -967,44 +988,43 @@ EC_KEY *EC_KEY_new_by_curve_name_ex(OSSL_LIB_CTX *ctx, const char *propq,
  *  \param  nid  NID of the named curve.
  *  \return EC_KEY object or NULL if an error occurred.
  */
-EC_KEY *EC_KEY_new_by_curve_name(int nid);
-
+OSSL_DEPRECATEDIN_3_0 EC_KEY *EC_KEY_new_by_curve_name(int nid);
 
 /** Frees a EC_KEY object.
  *  \param  key  EC_KEY object to be freed.
  */
-void EC_KEY_free(EC_KEY *key);
+OSSL_DEPRECATEDIN_3_0 void EC_KEY_free(EC_KEY *key);
 
 /** Copies a EC_KEY object.
  *  \param  dst  destination EC_KEY object
  *  \param  src  src EC_KEY object
  *  \return dst or NULL if an error occurred.
  */
-EC_KEY *EC_KEY_copy(EC_KEY *dst, const EC_KEY *src);
+OSSL_DEPRECATEDIN_3_0 EC_KEY *EC_KEY_copy(EC_KEY *dst, const EC_KEY *src);
 
 /** Creates a new EC_KEY object and copies the content from src to it.
  *  \param  src  the source EC_KEY object
  *  \return newly created EC_KEY object or NULL if an error occurred.
  */
-EC_KEY *EC_KEY_dup(const EC_KEY *src);
+OSSL_DEPRECATEDIN_3_0 EC_KEY *EC_KEY_dup(const EC_KEY *src);
 
 /** Increases the internal reference count of a EC_KEY object.
  *  \param  key  EC_KEY object
  *  \return 1 on success and 0 if an error occurred.
  */
-int EC_KEY_up_ref(EC_KEY *key);
+OSSL_DEPRECATEDIN_3_0 int EC_KEY_up_ref(EC_KEY *key);
 
 /** Returns the ENGINE object of a EC_KEY object
  *  \param  eckey  EC_KEY object
  *  \return the ENGINE object (possibly NULL).
  */
-ENGINE *EC_KEY_get0_engine(const EC_KEY *eckey);
+OSSL_DEPRECATEDIN_3_0 ENGINE *EC_KEY_get0_engine(const EC_KEY *eckey);
 
 /** Returns the EC_GROUP object of a EC_KEY object
  *  \param  key  EC_KEY object
  *  \return the EC_GROUP object (possibly NULL).
  */
-const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key);
+OSSL_DEPRECATEDIN_3_0 const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key);
 
 /** Sets the EC_GROUP of a EC_KEY object.
  *  \param  key    EC_KEY object
@@ -1012,13 +1032,13 @@ const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key);
  *                 object will use an own copy of the EC_GROUP).
  *  \return 1 on success and 0 if an error occurred.
  */
-int EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group);
+OSSL_DEPRECATEDIN_3_0 int EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group);
 
 /** Returns the private key of a EC_KEY object.
  *  \param  key  EC_KEY object
  *  \return a BIGNUM with the private key (possibly NULL).
  */
-const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *key);
+OSSL_DEPRECATEDIN_3_0 const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *key);
 
 /** Sets the private key of a EC_KEY object.
  *  \param  key  EC_KEY object
@@ -1026,13 +1046,13 @@ const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *key);
  *               will use an own copy of the BIGNUM).
  *  \return 1 on success and 0 if an error occurred.
  */
-int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *prv);
+OSSL_DEPRECATEDIN_3_0 int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *prv);
 
 /** Returns the public key of a EC_KEY object.
  *  \param  key  the EC_KEY object
  *  \return a EC_POINT object with the public key (possibly NULL)
  */
-const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key);
+OSSL_DEPRECATEDIN_3_0 const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key);
 
 /** Sets the public key of a EC_KEY object.
  *  \param  key  EC_KEY object
@@ -1040,20 +1060,24 @@ const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key);
  *               will use an own copy of the EC_POINT object).
  *  \return 1 on success and 0 if an error occurred.
  */
-int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub);
+OSSL_DEPRECATEDIN_3_0 int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub);
 
-unsigned EC_KEY_get_enc_flags(const EC_KEY *key);
-void EC_KEY_set_enc_flags(EC_KEY *eckey, unsigned int flags);
-point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key);
-void EC_KEY_set_conv_form(EC_KEY *eckey, point_conversion_form_t cform);
+OSSL_DEPRECATEDIN_3_0 unsigned EC_KEY_get_enc_flags(const EC_KEY *key);
+OSSL_DEPRECATEDIN_3_0 void EC_KEY_set_enc_flags(EC_KEY *eckey, unsigned int flags);
+OSSL_DEPRECATEDIN_3_0 point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key);
+OSSL_DEPRECATEDIN_3_0 void EC_KEY_set_conv_form(EC_KEY *eckey,
+                                                point_conversion_form_t cform);
+#  endif /*OPENSSL_NO_DEPRECATED_3_0 */
 
 # define EC_KEY_get_ex_new_index(l, p, newf, dupf, freef) \
     CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_EC_KEY, l, p, newf, dupf, freef)
-int EC_KEY_set_ex_data(EC_KEY *key, int idx, void *arg);
-void *EC_KEY_get_ex_data(const EC_KEY *key, int idx);
+
+#  ifndef OPENSSL_NO_DEPRECATED_3_0
+OSSL_DEPRECATEDIN_3_0 int EC_KEY_set_ex_data(EC_KEY *key, int idx, void *arg);
+OSSL_DEPRECATEDIN_3_0 void *EC_KEY_get_ex_data(const EC_KEY *key, int idx);
 
 /* wrapper functions for the underlying EC_GROUP object */
-void EC_KEY_set_asn1_flag(EC_KEY *eckey, int asn1_flag);
+OSSL_DEPRECATEDIN_3_0 void EC_KEY_set_asn1_flag(EC_KEY *eckey, int asn1_flag);
 
 /** Creates a table of pre-computed multiples of the generator to
  *  accelerate further EC_KEY operations.
@@ -1061,25 +1085,25 @@ void EC_KEY_set_asn1_flag(EC_KEY *eckey, int asn1_flag);
  *  \param  ctx  BN_CTX object (optional)
  *  \return 1 on success and 0 if an error occurred.
  */
-DEPRECATEDIN_3_0(int EC_KEY_precompute_mult(EC_KEY *key, BN_CTX *ctx))
+OSSL_DEPRECATEDIN_3_0 int EC_KEY_precompute_mult(EC_KEY *key, BN_CTX *ctx);
 
 /** Creates a new ec private (and optional a new public) key.
  *  \param  key  EC_KEY object
  *  \return 1 on success and 0 if an error occurred.
  */
-int EC_KEY_generate_key(EC_KEY *key);
+OSSL_DEPRECATEDIN_3_0 int EC_KEY_generate_key(EC_KEY *key);
 
 /** Verifies that a private and/or public key is valid.
  *  \param  key  the EC_KEY object
  *  \return 1 on success and 0 otherwise.
  */
-int EC_KEY_check_key(const EC_KEY *key);
+OSSL_DEPRECATEDIN_3_0 int EC_KEY_check_key(const EC_KEY *key);
 
 /** Indicates if an EC_KEY can be used for signing.
  *  \param  eckey  the EC_KEY object
  *  \return 1 if can can sign and 0 otherwise.
  */
-int EC_KEY_can_sign(const EC_KEY *eckey);
+OSSL_DEPRECATEDIN_3_0 int EC_KEY_can_sign(const EC_KEY *eckey);
 
 /** Sets a public key from affine coordinates performing
  *  necessary NIST PKV tests.
@@ -1088,8 +1112,9 @@ int EC_KEY_can_sign(const EC_KEY *eckey);
  *  \param  y    public key y coordinate
  *  \return 1 on success and 0 otherwise.
  */
-int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x,
-                                             BIGNUM *y);
+OSSL_DEPRECATEDIN_3_0 int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key,
+                                                                   BIGNUM *x,
+                                                                   BIGNUM *y);
 
 /** Encodes an EC_KEY public key to an allocated octet string
  *  \param  key    key to encode
@@ -1098,8 +1123,9 @@ int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x,
  *  \param  ctx    BN_CTX object (optional)
  *  \return the length of the encoded octet string or 0 if an error occurred
  */
-size_t EC_KEY_key2buf(const EC_KEY *key, point_conversion_form_t form,
-                      unsigned char **pbuf, BN_CTX *ctx);
+OSSL_DEPRECATEDIN_3_0 size_t EC_KEY_key2buf(const EC_KEY *key,
+                                            point_conversion_form_t form,
+                                            unsigned char **pbuf, BN_CTX *ctx);
 
 /** Decodes a EC_KEY public key from a octet string
  *  \param  key    key to decode
@@ -1109,8 +1135,8 @@ size_t EC_KEY_key2buf(const EC_KEY *key, point_conversion_form_t form,
  *  \return 1 on success and 0 if an error occurred
  */
 
-int EC_KEY_oct2key(EC_KEY *key, const unsigned char *buf, size_t len,
-                   BN_CTX *ctx);
+OSSL_DEPRECATEDIN_3_0 int EC_KEY_oct2key(EC_KEY *key, const unsigned char *buf,
+                                         size_t len, BN_CTX *ctx);
 
 /** Decodes an EC_KEY private key from an octet string
  *  \param  key    key to decode
@@ -1119,7 +1145,8 @@ int EC_KEY_oct2key(EC_KEY *key, const unsigned char *buf, size_t len,
  *  \return 1 on success and 0 if an error occurred
  */
 
-int EC_KEY_oct2priv(EC_KEY *key, const unsigned char *buf, size_t len);
+OSSL_DEPRECATEDIN_3_0 int EC_KEY_oct2priv(EC_KEY *key, const unsigned char *buf,
+                                          size_t len);
 
 /** Encodes a EC_KEY private key to an octet string
  *  \param  key    key to encode
@@ -1129,14 +1156,16 @@ int EC_KEY_oct2priv(EC_KEY *key, const unsigned char *buf, size_t len);
  *  \return the length of the encoded octet string or 0 if an error occurred
  */
 
-size_t EC_KEY_priv2oct(const EC_KEY *key, unsigned char *buf, size_t len);
+OSSL_DEPRECATEDIN_3_0 size_t EC_KEY_priv2oct(const EC_KEY *key,
+                                             unsigned char *buf, size_t len);
 
 /** Encodes an EC_KEY private key to an allocated octet string
  *  \param  eckey  key to encode
  *  \param  pbuf   returns pointer to allocated buffer
  *  \return the length of the encoded octet string or 0 if an error occurred
  */
-size_t EC_KEY_priv2buf(const EC_KEY *eckey, unsigned char **pbuf);
+OSSL_DEPRECATEDIN_3_0 size_t EC_KEY_priv2buf(const EC_KEY *eckey,
+                                             unsigned char **pbuf);
 
 /********************************************************************/
 /*        de- and encoding functions for SEC1 ECPrivateKey          */
@@ -1148,7 +1177,9 @@ size_t EC_KEY_priv2buf(const EC_KEY *eckey, unsigned char **pbuf);
  *  \param  len  length of the DER encoded private key
  *  \return the decoded private key or NULL if an error occurred.
  */
-EC_KEY *d2i_ECPrivateKey(EC_KEY **key, const unsigned char **in, long len);
+OSSL_DEPRECATEDIN_3_0 EC_KEY *d2i_ECPrivateKey(EC_KEY **key,
+                                               const unsigned char **in,
+                                               long len);
 
 /** Encodes a private key object and stores the result in a buffer.
  *  \param  key  the EC_KEY object to encode
@@ -1156,7 +1187,8 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **key, const unsigned char **in, long len);
  *               of bytes needed).
  *  \return 1 on success and 0 if an error occurred.
  */
-int i2d_ECPrivateKey(const EC_KEY *key, unsigned char **out);
+OSSL_DEPRECATEDIN_3_0 int i2d_ECPrivateKey(const EC_KEY *key,
+                                           unsigned char **out);
 
 /********************************************************************/
 /*        de- and encoding functions for EC parameters              */
@@ -1169,7 +1201,9 @@ int i2d_ECPrivateKey(const EC_KEY *key, unsigned char **out);
  *  \return a EC_KEY object with the decoded parameters or NULL if an error
  *          occurred.
  */
-EC_KEY *d2i_ECParameters(EC_KEY **key, const unsigned char **in, long len);
+OSSL_DEPRECATEDIN_3_0 EC_KEY *d2i_ECParameters(EC_KEY **key,
+                                               const unsigned char **in,
+                                               long len);
 
 /** Encodes ec parameter and stores the result in a buffer.
  *  \param  key  the EC_KEY object with ec parameters to encode
@@ -1177,7 +1211,8 @@ EC_KEY *d2i_ECParameters(EC_KEY **key, const unsigned char **in, long len);
  *               of bytes needed).
  *  \return 1 on success and 0 if an error occurred.
  */
-int i2d_ECParameters(const EC_KEY *key, unsigned char **out);
+OSSL_DEPRECATEDIN_3_0 int i2d_ECParameters(const EC_KEY *key,
+                                           unsigned char **out);
 
 /********************************************************************/
 /*         de- and encoding functions for EC public key             */
@@ -1191,7 +1226,8 @@ int i2d_ECParameters(const EC_KEY *key, unsigned char **out);
  *  \return EC_KEY object with decoded public key or NULL if an error
  *          occurred.
  */
-EC_KEY *o2i_ECPublicKey(EC_KEY **key, const unsigned char **in, long len);
+OSSL_DEPRECATEDIN_3_0 EC_KEY *o2i_ECPublicKey(EC_KEY **key,
+                                              const unsigned char **in, long len);
 
 /** Encodes a ec public key in an octet string.
  *  \param  key  the EC_KEY object with the public key
@@ -1199,14 +1235,14 @@ EC_KEY *o2i_ECPublicKey(EC_KEY **key, const unsigned char **in, long len);
  *               of bytes needed).
  *  \return 1 on success and 0 if an error occurred
  */
-int i2o_ECPublicKey(const EC_KEY *key, unsigned char **out);
+OSSL_DEPRECATEDIN_3_0 int i2o_ECPublicKey(const EC_KEY *key, unsigned char **out);
 
 /** Prints out the ec parameters on human readable form.
  *  \param  bp   BIO object to which the information is printed
  *  \param  key  EC_KEY object
  *  \return 1 on success and 0 if an error occurred
  */
-int ECParameters_print(BIO *bp, const EC_KEY *key);
+OSSL_DEPRECATEDIN_3_0 int ECParameters_print(BIO *bp, const EC_KEY *key);
 
 /** Prints out the contents of a EC_KEY object
  *  \param  bp   BIO object to which the information is printed
@@ -1214,15 +1250,15 @@ int ECParameters_print(BIO *bp, const EC_KEY *key);
  *  \param  off  line offset
  *  \return 1 on success and 0 if an error occurred
  */
-int EC_KEY_print(BIO *bp, const EC_KEY *key, int off);
+OSSL_DEPRECATEDIN_3_0 int EC_KEY_print(BIO *bp, const EC_KEY *key, int off);
 
-#  ifndef OPENSSL_NO_STDIO
+#   ifndef OPENSSL_NO_STDIO
 /** Prints out the ec parameters on human readable form.
  *  \param  fp   file descriptor to which the information is printed
  *  \param  key  EC_KEY object
  *  \return 1 on success and 0 if an error occurred
  */
-int ECParameters_print_fp(FILE *fp, const EC_KEY *key);
+OSSL_DEPRECATEDIN_3_0 int ECParameters_print_fp(FILE *fp, const EC_KEY *key);
 
 /** Prints out the contents of a EC_KEY object
  *  \param  fp   file descriptor to which the information is printed
@@ -1230,32 +1266,33 @@ int ECParameters_print_fp(FILE *fp, const EC_KEY *key);
  *  \param  off  line offset
  *  \return 1 on success and 0 if an error occurred
  */
-int EC_KEY_print_fp(FILE *fp, const EC_KEY *key, int off);
-
-#  endif
+OSSL_DEPRECATEDIN_3_0 int EC_KEY_print_fp(FILE *fp, const EC_KEY *key, int off);
+#   endif /* OPENSSL_NO_STDIO */
 
-const EC_KEY_METHOD *EC_KEY_OpenSSL(void);
-const EC_KEY_METHOD *EC_KEY_get_default_method(void);
-void EC_KEY_set_default_method(const EC_KEY_METHOD *meth);
-const EC_KEY_METHOD *EC_KEY_get_method(const EC_KEY *key);
-int EC_KEY_set_method(EC_KEY *key, const EC_KEY_METHOD *meth);
-EC_KEY *EC_KEY_new_method(ENGINE *engine);
+OSSL_DEPRECATEDIN_3_0 const EC_KEY_METHOD *EC_KEY_OpenSSL(void);
+OSSL_DEPRECATEDIN_3_0 const EC_KEY_METHOD *EC_KEY_get_default_method(void);
+OSSL_DEPRECATEDIN_3_0 void EC_KEY_set_default_method(const EC_KEY_METHOD *meth);
+OSSL_DEPRECATEDIN_3_0 const EC_KEY_METHOD *EC_KEY_get_method(const EC_KEY *key);
+OSSL_DEPRECATEDIN_3_0 int EC_KEY_set_method(EC_KEY *key, const EC_KEY_METHOD *meth);
+OSSL_DEPRECATEDIN_3_0 EC_KEY *EC_KEY_new_method(ENGINE *engine);
 
 /** The old name for ecdh_KDF_X9_63
  *  The ECDH KDF specification has been mistakingly attributed to ANSI X9.62,
  *  it is actually specified in ANSI X9.63.
  *  This identifier is retained for backwards compatibility
  */
-DEPRECATEDIN_3_0(int ECDH_KDF_X9_62(unsigned char *out, size_t outlen,
-                                    const unsigned char *Z, size_t Zlen,
-                                    const unsigned char *sinfo, size_t sinfolen,
-                                    const EVP_MD *md))
-
-DEPRECATEDIN_3_0(int ECDH_compute_key(void *out, size_t outlen,
-                                      const EC_POINT *pub_key,
-                                      const EC_KEY *ecdh,
-                                      void *(*KDF)(const void *in, size_t inlen,
-                                                   void *out, size_t *outlen)))
+OSSL_DEPRECATEDIN_3_0 int ECDH_KDF_X9_62(unsigned char *out, size_t outlen,
+                                         const unsigned char *Z, size_t Zlen,
+                                         const unsigned char *sinfo,
+                                         size_t sinfolen, const EVP_MD *md);
+
+OSSL_DEPRECATEDIN_3_0 int ECDH_compute_key(void *out, size_t outlen,
+                                           const EC_POINT *pub_key,
+                                           const EC_KEY *ecdh,
+                                           void *(*KDF)(const void *in,
+                                                        size_t inlen, void *out,
+                                                        size_t *outlen));
+#  endif /* OPENSSL_NO_DEPRECATED_3_0 */
 
 typedef struct ECDSA_SIG_st ECDSA_SIG;
 
@@ -1310,6 +1347,7 @@ const BIGNUM *ECDSA_SIG_get0_s(const ECDSA_SIG *sig);
  */
 int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);
 
+#  ifndef OPENSSL_NO_DEPRECATED_3_0
 /** Computes the ECDSA signature of the given hash value using
  *  the supplied private key and returns the created signature.
  *  \param  dgst      pointer to the hash value
@@ -1317,8 +1355,8 @@ int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);
  *  \param  eckey     EC_KEY object containing a private EC key
  *  \return pointer to a ECDSA_SIG structure or NULL if an error occurred
  */
-DEPRECATEDIN_3_0(ECDSA_SIG *ECDSA_do_sign(const unsigned char *dgst,
-                                          int dgst_len, EC_KEY *eckey))
+OSSL_DEPRECATEDIN_3_0 ECDSA_SIG *ECDSA_do_sign(const unsigned char *dgst,
+                                               int dgst_len, EC_KEY *eckey);
 
 /** Computes ECDSA signature of a given hash value using the supplied
  *  private key (note: sig must point to ECDSA_size(eckey) bytes of memory).
@@ -1330,9 +1368,9 @@ DEPRECATEDIN_3_0(ECDSA_SIG *ECDSA_do_sign(const unsigned char *dgst,
  *  \param  eckey    EC_KEY object containing a private EC key
  *  \return pointer to a ECDSA_SIG structure or NULL if an error occurred
  */
-DEPRECATEDIN_3_0(ECDSA_SIG *ECDSA_do_sign_ex(const unsigned char *dgst,
-                                             int dgstlen, const BIGNUM *kinv,
-                                             const BIGNUM *rp, EC_KEY *eckey))
+OSSL_DEPRECATEDIN_3_0 ECDSA_SIG *ECDSA_do_sign_ex(const unsigned char *dgst,
+                                                  int dgstlen, const BIGNUM *kinv,
+                                                  const BIGNUM *rp, EC_KEY *eckey);
 
 /** Verifies that the supplied signature is a valid ECDSA
  *  signature of the supplied hash value using the supplied public key.
@@ -1343,8 +1381,8 @@ DEPRECATEDIN_3_0(ECDSA_SIG *ECDSA_do_sign_ex(const unsigned char *dgst,
  *  \return 1 if the signature is valid, 0 if the signature is invalid
  *          and -1 on error
  */
-DEPRECATEDIN_3_0(int ECDSA_do_verify(const unsigned char *dgst, int dgst_len,
-                                     const ECDSA_SIG *sig, EC_KEY *eckey))
+OSSL_DEPRECATEDIN_3_0 int ECDSA_do_verify(const unsigned char *dgst, int dgst_len,
+                                          const ECDSA_SIG *sig, EC_KEY *eckey);
 
 /** Precompute parts of the signing operation
  *  \param  eckey  EC_KEY object containing a private EC key
@@ -1353,8 +1391,8 @@ DEPRECATEDIN_3_0(int ECDSA_do_verify(const unsigned char *dgst, int dgst_len,
  *  \param  rp     BIGNUM pointer for x coordinate of k * generator
  *  \return 1 on success and 0 otherwise
  */
-DEPRECATEDIN_3_0(int ECDSA_sign_setup(EC_KEY *eckey, BN_CTX *ctx,
-                                      BIGNUM **kinv, BIGNUM **rp))
+OSSL_DEPRECATEDIN_3_0 int ECDSA_sign_setup(EC_KEY *eckey, BN_CTX *ctx,
+                                           BIGNUM **kinv, BIGNUM **rp);
 
 /** Computes ECDSA signature of a given hash value using the supplied
  *  private key (note: sig must point to ECDSA_size(eckey) bytes of memory).
@@ -1366,9 +1404,9 @@ DEPRECATEDIN_3_0(int ECDSA_sign_setup(EC_KEY *eckey, BN_CTX *ctx,
  *  \param  eckey    EC_KEY object containing a private EC key
  *  \return 1 on success and 0 otherwise
  */
-DEPRECATEDIN_3_0(int ECDSA_sign(int type, const unsigned char *dgst,
-                                int dgstlen, unsigned char *sig,
-                                unsigned int *siglen, EC_KEY *eckey))
+OSSL_DEPRECATEDIN_3_0 int ECDSA_sign(int type, const unsigned char *dgst,
+                                     int dgstlen, unsigned char *sig,
+                                     unsigned int *siglen, EC_KEY *eckey);
 
 /** Computes ECDSA signature of a given hash value using the supplied
  *  private key (note: sig must point to ECDSA_size(eckey) bytes of memory).
@@ -1383,10 +1421,10 @@ DEPRECATEDIN_3_0(int ECDSA_sign(int type, const unsigned char *dgst,
  *  \param  eckey    EC_KEY object containing a private EC key
  *  \return 1 on success and 0 otherwise
  */
-DEPRECATEDIN_3_0(int ECDSA_sign_ex(int type, const unsigned char *dgst,
-                                   int dgstlen, unsigned char *sig,
-                                   unsigned int *siglen, const BIGNUM *kinv,
-                                   const BIGNUM *rp, EC_KEY *eckey))
+OSSL_DEPRECATEDIN_3_0 int ECDSA_sign_ex(int type, const unsigned char *dgst,
+                                        int dgstlen, unsigned char *sig,
+                                        unsigned int *siglen, const BIGNUM *kinv,
+                                        const BIGNUM *rp, EC_KEY *eckey);
 
 /** Verifies that the given signature is valid ECDSA signature
  *  of the supplied hash value using the specified public key.
@@ -1399,119 +1437,112 @@ DEPRECATEDIN_3_0(int ECDSA_sign_ex(int type, const unsigned char *dgst,
  *  \return 1 if the signature is valid, 0 if the signature is invalid
  *          and -1 on error
  */
-DEPRECATEDIN_3_0(int ECDSA_verify(int type, const unsigned char *dgst,
-                                  int dgstlen, const unsigned char *sig,
-                                  int siglen, EC_KEY *eckey))
+OSSL_DEPRECATEDIN_3_0 int ECDSA_verify(int type, const unsigned char *dgst,
+                                       int dgstlen, const unsigned char *sig,
+                                       int siglen, EC_KEY *eckey);
 
 /** Returns the maximum length of the DER encoded signature
  *  \param  eckey  EC_KEY object
  *  \return numbers of bytes required for the DER encoded signature
  */
-DEPRECATEDIN_3_0(int ECDSA_size(const EC_KEY *eckey))
+OSSL_DEPRECATEDIN_3_0 int ECDSA_size(const EC_KEY *eckey);
 
 /********************************************************************/
 /*  EC_KEY_METHOD constructors, destructors, writers and accessors  */
 /********************************************************************/
 
-DEPRECATEDIN_3_0(EC_KEY_METHOD *EC_KEY_METHOD_new(const EC_KEY_METHOD *meth))
-DEPRECATEDIN_3_0(void EC_KEY_METHOD_free(EC_KEY_METHOD *meth))
-DEPRECATEDIN_3_0(void EC_KEY_METHOD_set_init
-                 (EC_KEY_METHOD *meth,
-                  int (*init)(EC_KEY *key),
-                  void (*finish)(EC_KEY *key),
-                  int (*copy)(EC_KEY *dest, const EC_KEY *src),
-                  int (*set_group)(EC_KEY *key, const EC_GROUP *grp),
-                  int (*set_private)(EC_KEY *key,
-                                     const BIGNUM *priv_key),
-                  int (*set_public)(EC_KEY *key,
-                                    const EC_POINT *pub_key)))
-
-DEPRECATEDIN_3_0(void EC_KEY_METHOD_set_keygen(EC_KEY_METHOD *meth,
-                                               int (*keygen)(EC_KEY *key)))
-
-DEPRECATEDIN_3_0(void EC_KEY_METHOD_set_compute_key
-                 (EC_KEY_METHOD *meth,
-                  int (*ckey)(unsigned char **psec,
-                              size_t *pseclen,
-                              const EC_POINT *pub_key,
-                              const EC_KEY *ecdh)))
-
-DEPRECATEDIN_3_0(void EC_KEY_METHOD_set_sign
-                 (EC_KEY_METHOD *meth,
-                  int (*sign)(int type, const unsigned char *dgst,
-                              int dlen, unsigned char *sig,
-                              unsigned int *siglen,
-                              const BIGNUM *kinv, const BIGNUM *r,
-                              EC_KEY *eckey),
-                  int (*sign_setup)(EC_KEY *eckey, BN_CTX *ctx_in,
-                                    BIGNUM **kinvp, BIGNUM **rp),
-                  ECDSA_SIG *(*sign_sig)(const unsigned char *dgst,
-                                         int dgst_len,
-                                         const BIGNUM *in_kinv,
-                                         const BIGNUM *in_r,
-                                         EC_KEY *eckey)))
-
-DEPRECATEDIN_3_0(void EC_KEY_METHOD_set_verify
-                 (EC_KEY_METHOD *meth,
-                  int (*verify)(int type, const unsigned
-                                char *dgst, int dgst_len,
-                                const unsigned char *sigbuf,
-                                int sig_len, EC_KEY *eckey),
-                  int (*verify_sig)(const unsigned char *dgst,
-                                    int dgst_len,
-                                    const ECDSA_SIG *sig,
-                                    EC_KEY *eckey)))
-
-DEPRECATEDIN_3_0(void EC_KEY_METHOD_get_init
-                 (const EC_KEY_METHOD *meth,
-                  int (**pinit)(EC_KEY *key),
-                  void (**pfinish)(EC_KEY *key),
-                  int (**pcopy)(EC_KEY *dest, const EC_KEY *src),
-                  int (**pset_group)(EC_KEY *key,
-                                     const EC_GROUP *grp),
-                  int (**pset_private)(EC_KEY *key,
-                                       const BIGNUM *priv_key),
-                  int (**pset_public)(EC_KEY *key,
-                                      const EC_POINT *pub_key)))
-
-DEPRECATEDIN_3_0(void EC_KEY_METHOD_get_keygen(const EC_KEY_METHOD *meth,
-                                               int (**pkeygen)(EC_KEY *key)))
-
-DEPRECATEDIN_3_0(void EC_KEY_METHOD_get_compute_key
-                 (const EC_KEY_METHOD *meth,
-                  int (**pck)(unsigned char **psec,
-                              size_t *pseclen,
-                              const EC_POINT *pub_key,
-                              const EC_KEY *ecdh)))
-
-DEPRECATEDIN_3_0(void EC_KEY_METHOD_get_sign
-                 (const EC_KEY_METHOD *meth,
-                  int (**psign)(int type, const unsigned char *dgst,
-                                int dlen, unsigned char *sig,
-                                unsigned int *siglen,
-                                const BIGNUM *kinv, const BIGNUM *r,
-                                EC_KEY *eckey),
-                  int (**psign_setup)(EC_KEY *eckey, BN_CTX *ctx_in,
-                                      BIGNUM **kinvp, BIGNUM **rp),
-                  ECDSA_SIG *(**psign_sig)(const unsigned char *dgst,
+OSSL_DEPRECATEDIN_3_0 EC_KEY_METHOD *EC_KEY_METHOD_new(const EC_KEY_METHOD *meth);
+OSSL_DEPRECATEDIN_3_0 void EC_KEY_METHOD_free(EC_KEY_METHOD *meth);
+OSSL_DEPRECATEDIN_3_0 void EC_KEY_METHOD_set_init
+                      (EC_KEY_METHOD *meth,
+                       int (*init)(EC_KEY *key),
+                       void (*finish)(EC_KEY *key),
+                       int (*copy)(EC_KEY *dest, const EC_KEY *src),
+                       int (*set_group)(EC_KEY *key, const EC_GROUP *grp),
+                       int (*set_private)(EC_KEY *key, const BIGNUM *priv_key),
+                       int (*set_public)(EC_KEY *key, const EC_POINT *pub_key));
+
+OSSL_DEPRECATEDIN_3_0 void EC_KEY_METHOD_set_keygen(EC_KEY_METHOD *meth,
+                                                    int (*keygen)(EC_KEY *key));
+
+OSSL_DEPRECATEDIN_3_0 void EC_KEY_METHOD_set_compute_key
+                      (EC_KEY_METHOD *meth,
+                       int (*ckey)(unsigned char **psec, size_t *pseclen,
+                                   const EC_POINT *pub_key, const EC_KEY *ecdh));
+
+OSSL_DEPRECATEDIN_3_0 void EC_KEY_METHOD_set_sign
+                      (EC_KEY_METHOD *meth,
+                       int (*sign)(int type, const unsigned char *dgst,
+                                   int dlen, unsigned char *sig,
+                                   unsigned int *siglen,
+                                   const BIGNUM *kinv, const BIGNUM *r,
+                                   EC_KEY *eckey),
+                       int (*sign_setup)(EC_KEY *eckey, BN_CTX *ctx_in,
+                                         BIGNUM **kinvp, BIGNUM **rp),
+                       ECDSA_SIG *(*sign_sig)(const unsigned char *dgst,
+                                              int dgst_len,
+                                              const BIGNUM *in_kinv,
+                                              const BIGNUM *in_r,
+                                              EC_KEY *eckey));
+
+OSSL_DEPRECATEDIN_3_0 void EC_KEY_METHOD_set_verify
+                      (EC_KEY_METHOD *meth,
+                       int (*verify)(int type, const unsigned
+                                     char *dgst, int dgst_len,
+                                     const unsigned char *sigbuf,
+                                     int sig_len, EC_KEY *eckey),
+                       int (*verify_sig)(const unsigned char *dgst,
+                                         int dgst_len, const ECDSA_SIG *sig,
+                                         EC_KEY *eckey));
+
+OSSL_DEPRECATEDIN_3_0 void EC_KEY_METHOD_get_init
+                      (const EC_KEY_METHOD *meth,
+                       int (**pinit)(EC_KEY *key),
+                       void (**pfinish)(EC_KEY *key),
+                       int (**pcopy)(EC_KEY *dest, const EC_KEY *src),
+                       int (**pset_group)(EC_KEY *key, const EC_GROUP *grp),
+                       int (**pset_private)(EC_KEY *key, const BIGNUM *priv_key),
+                       int (**pset_public)(EC_KEY *key, const EC_POINT *pub_key));
+
+OSSL_DEPRECATEDIN_3_0 void EC_KEY_METHOD_get_keygen
+                      (const EC_KEY_METHOD *meth, int (**pkeygen)(EC_KEY *key));
+
+OSSL_DEPRECATEDIN_3_0 void EC_KEY_METHOD_get_compute_key
+                      (const EC_KEY_METHOD *meth,
+                       int (**pck)(unsigned char **psec,
+                       size_t *pseclen,
+                       const EC_POINT *pub_key,
+                       const EC_KEY *ecdh));
+
+OSSL_DEPRECATEDIN_3_0 void EC_KEY_METHOD_get_sign
+                      (const EC_KEY_METHOD *meth,
+                       int (**psign)(int type, const unsigned char *dgst,
+                                     int dlen, unsigned char *sig,
+                                     unsigned int *siglen,
+                                     const BIGNUM *kinv, const BIGNUM *r,
+                                     EC_KEY *eckey),
+                       int (**psign_setup)(EC_KEY *eckey, BN_CTX *ctx_in,
+                                           BIGNUM **kinvp, BIGNUM **rp),
+                       ECDSA_SIG *(**psign_sig)(const unsigned char *dgst,
+                                                int dgst_len,
+                                                const BIGNUM *in_kinv,
+                                                const BIGNUM *in_r,
+                                                EC_KEY *eckey));
+
+OSSL_DEPRECATEDIN_3_0 void EC_KEY_METHOD_get_verify
+                      (const EC_KEY_METHOD *meth,
+                       int (**pverify)(int type, const unsigned
+                                       char *dgst, int dgst_len,
+                                       const unsigned char *sigbuf,
+                                       int sig_len, EC_KEY *eckey),
+                       int (**pverify_sig)(const unsigned char *dgst,
                                            int dgst_len,
-                                           const BIGNUM *in_kinv,
-                                           const BIGNUM *in_r,
-                                           EC_KEY *eckey)))
-
-DEPRECATEDIN_3_0(void EC_KEY_METHOD_get_verify
-                 (const EC_KEY_METHOD *meth,
-                  int (**pverify)(int type, const unsigned
-                                  char *dgst, int dgst_len,
-                                  const unsigned char *sigbuf,
-                                  int sig_len, EC_KEY *eckey),
-                  int (**pverify_sig)(const unsigned char *dgst,
-                                      int dgst_len,
-                                      const ECDSA_SIG *sig,
-                                      EC_KEY *eckey)))
+                                           const ECDSA_SIG *sig,
+                                           EC_KEY *eckey));
+#  endif /* OPENSSL_NO_DEPRECATED_3_0 */
 
 #  define ECParameters_dup(x) ASN1_dup_of(EC_KEY, i2d_ECParameters, \
-                                           d2i_ECParameters, x)
+                                          d2i_ECParameters, x)
 
 #  ifndef __cplusplus
 #   if defined(__SUNPRO_C)

diff --git a/include/openssl/evp.h b/include/openssl/evp.h
index 6893b49ce47b1747381574408959013a6df006fc..bfab06d5df1b84ce5ac6922a7310cc0a91aa3df9 100644 (file)
--- a/include/openssl/evp.h
+++ b/include/openssl/evp.h
@@ -494,9 +494,11 @@ typedef int (EVP_PBE_KEYGEN) (EVP_CIPHER_CTX *ctx, const char *pass,
 #  define EVP_PKEY_assign_DH(pkey,dh) EVP_PKEY_assign((pkey),EVP_PKEY_DH,(dh))
 # endif
 
-# ifndef OPENSSL_NO_EC
-#  define EVP_PKEY_assign_EC_KEY(pkey,eckey) EVP_PKEY_assign((pkey),EVP_PKEY_EC,\
-                                        (eckey))
+# ifndef OPENSSL_NO_DEPRECATED_3_0
+#  ifndef OPENSSL_NO_EC
+#   define EVP_PKEY_assign_EC_KEY(pkey,eckey) \
+        EVP_PKEY_assign((pkey), EVP_PKEY_EC, (eckey))
+#  endif
 # endif
 # ifndef OPENSSL_NO_SIPHASH
 #  define EVP_PKEY_assign_SIPHASH(pkey,shkey) EVP_PKEY_assign((pkey),\
@@ -1261,11 +1263,16 @@ OSSL_DEPRECATEDIN_3_0 struct dh_st *EVP_PKEY_get0_DH(const EVP_PKEY *pkey);
 OSSL_DEPRECATEDIN_3_0 struct dh_st *EVP_PKEY_get1_DH(EVP_PKEY *pkey);
 #  endif
 # endif
-# ifndef OPENSSL_NO_EC
+# ifndef OPENSSL_NO_DEPRECATED_3_0
+#  ifndef OPENSSL_NO_EC
 struct ec_key_st;
+OSSL_DEPRECATEDIN_3_0
 int EVP_PKEY_set1_EC_KEY(EVP_PKEY *pkey, struct ec_key_st *key);
+OSSL_DEPRECATEDIN_3_0
 struct ec_key_st *EVP_PKEY_get0_EC_KEY(const EVP_PKEY *pkey);
+OSSL_DEPRECATEDIN_3_0
 struct ec_key_st *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey);
+#  endif
 # endif
 
 EVP_PKEY *EVP_PKEY_new(void);

diff --git a/include/openssl/pem.h b/include/openssl/pem.h
index 97d52e729b6e8e169dca9a4abea5cc9ee64a1e14..22d42be8e4a600483149796286df9354791acfb4 100644 (file)
--- a/include/openssl/pem.h
+++ b/include/openssl/pem.h
@@ -455,11 +455,15 @@ DECLARE_PEM_rw_attr(OSSL_DEPRECATEDIN_3_0, DSA_PUBKEY, DSA)
 DECLARE_PEM_rw_attr(OSSL_DEPRECATEDIN_3_0, DSAparams, DSA)
 #  endif
 # endif
-# ifndef OPENSSL_NO_EC
-DECLARE_PEM_rw(ECPKParameters, EC_GROUP)
-DECLARE_PEM_rw_cb(ECPrivateKey, EC_KEY)
-DECLARE_PEM_rw(EC_PUBKEY, EC_KEY)
+
+# ifndef OPENSSL_NO_DEPRECATED_3_0
+#  ifndef OPENSSL_NO_EC
+DECLARE_PEM_rw_attr(OSSL_DEPRECATEDIN_3_0, ECPKParameters, EC_GROUP)
+DECLARE_PEM_rw_cb_attr(OSSL_DEPRECATEDIN_3_0, ECPrivateKey, EC_KEY)
+DECLARE_PEM_rw_attr(OSSL_DEPRECATEDIN_3_0, EC_PUBKEY, EC_KEY)
+#  endif
 # endif
+
 # ifndef OPENSSL_NO_DH
 #  ifndef OPENSSL_NO_DEPRECATED_3_0
 DECLARE_PEM_rw_attr(OSSL_DEPRECATEDIN_3_0, DHparams, DH)

diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in
index 0025a2a8cd2752bafa638de1db5d7298ec23d861..8c01334f49ee781483382e4d60b5f267fe684c79 100644 (file)
--- a/include/openssl/ssl.h.in
+++ b/include/openssl/ssl.h.in
@@ -1227,13 +1227,13 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 # define SSL_ERROR_WANT_ASYNC            9
 # define SSL_ERROR_WANT_ASYNC_JOB       10
 # define SSL_ERROR_WANT_CLIENT_HELLO_CB 11
+
 # ifndef OPENSSL_NO_DEPRECATED_3_0
 #  define SSL_CTRL_SET_TMP_DH                    3
-# endif
-# define SSL_CTRL_SET_TMP_ECDH                   4
-# ifndef OPENSSL_NO_DEPRECATED_3_0
+#  define SSL_CTRL_SET_TMP_ECDH                  4
 #  define SSL_CTRL_SET_TMP_DH_CB                 6
 # endif
+
 # define SSL_CTRL_GET_CLIENT_CERT_REQUEST        9
 # define SSL_CTRL_GET_NUM_RENEGOTIATIONS         10
 # define SSL_CTRL_CLEAR_NUM_RENEGOTIATIONS       11

diff --git a/include/openssl/types.h b/include/openssl/types.h
index cf11b8549dce895bb840a5b17dec60eb04d20f66..56437f96f960a1cd15f67318cb314a962a9bb9c7 100644 (file)
--- a/include/openssl/types.h
+++ b/include/openssl/types.h
@@ -144,8 +144,10 @@ typedef struct rsa_meth_st RSA_METHOD;
 # endif
 typedef struct rsa_pss_params_st RSA_PSS_PARAMS;
 
+# ifndef OPENSSL_NO_DEPRECATED_3_0
 typedef struct ec_key_st EC_KEY;
 typedef struct ec_key_method_st EC_KEY_METHOD;
+# endif
 
 typedef struct rand_meth_st RAND_METHOD;
 typedef struct rand_drbg_st RAND_DRBG;

diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in
index bf525f427f56eb2c64300a8247c4ad3d9ceda395..cb4f126edfeccbd62b45bb638e96217a9b7d639e 100644 (file)
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
@@ -430,12 +430,14 @@ OSSL_DEPRECATEDIN_3_0 DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa);
 OSSL_DEPRECATEDIN_3_0 int i2d_DSAPrivateKey_fp(FILE *fp, const DSA *dsa);
 #   endif
 #  endif
-#  ifndef OPENSSL_NO_EC
-EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey);
-int i2d_EC_PUBKEY_fp(FILE *fp, const EC_KEY *eckey);
-EC_KEY *d2i_ECPrivateKey_fp(FILE *fp, EC_KEY **eckey);
-int i2d_ECPrivateKey_fp(FILE *fp, const EC_KEY *eckey);
-#  endif
+#  ifndef OPENSSL_NO_DEPRECATED_3_0
+#   ifndef OPENSSL_NO_EC
+OSSL_DEPRECATEDIN_3_0 EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey);
+OSSL_DEPRECATEDIN_3_0 int i2d_EC_PUBKEY_fp(FILE *fp, const EC_KEY *eckey);
+OSSL_DEPRECATEDIN_3_0 EC_KEY *d2i_ECPrivateKey_fp(FILE *fp, EC_KEY **eckey);
+OSSL_DEPRECATEDIN_3_0 int i2d_ECPrivateKey_fp(FILE *fp, const EC_KEY *eckey);
+#   endif /* OPENSSL_NO_EC */
+#  endif /* OPENSSL_NO_DEPRECATED_3_0 */
 X509_SIG *d2i_PKCS8_fp(FILE *fp, X509_SIG **p8);
 int i2d_PKCS8_fp(FILE *fp, const X509_SIG *p8);
 X509_PUBKEY *d2i_X509_PUBKEY_fp(FILE *fp, X509_PUBKEY **xpk);
@@ -474,12 +476,16 @@ OSSL_DEPRECATEDIN_3_0 DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa);
 OSSL_DEPRECATEDIN_3_0 int i2d_DSAPrivateKey_bio(BIO *bp, const DSA *dsa);
 #   endif
 #  endif
-#  ifndef OPENSSL_NO_EC
-EC_KEY *d2i_EC_PUBKEY_bio(BIO *bp, EC_KEY **eckey);
-int i2d_EC_PUBKEY_bio(BIO *bp, const EC_KEY *eckey);
-EC_KEY *d2i_ECPrivateKey_bio(BIO *bp, EC_KEY **eckey);
-int i2d_ECPrivateKey_bio(BIO *bp, const EC_KEY *eckey);
-#  endif
+
+#  ifndef OPENSSL_NO_DEPRECATED_3_0
+#   ifndef OPENSSL_NO_EC
+OSSL_DEPRECATEDIN_3_0 EC_KEY *d2i_EC_PUBKEY_bio(BIO *bp, EC_KEY **eckey);
+OSSL_DEPRECATEDIN_3_0 int i2d_EC_PUBKEY_bio(BIO *bp, const EC_KEY *eckey);
+OSSL_DEPRECATEDIN_3_0 EC_KEY *d2i_ECPrivateKey_bio(BIO *bp, EC_KEY **eckey);
+OSSL_DEPRECATEDIN_3_0 int i2d_ECPrivateKey_bio(BIO *bp, const EC_KEY *eckey);
+#   endif /* OPENSSL_NO_EC */
+#  endif /* OPENSSL_NO_DEPRECATED_3_0 */
+
 X509_SIG *d2i_PKCS8_bio(BIO *bp, X509_SIG **p8);
 int i2d_PKCS8_bio(BIO *bp, const X509_SIG *p8);
 X509_PUBKEY *d2i_X509_PUBKEY_bio(BIO *bp, X509_PUBKEY **xpk);
@@ -555,8 +561,10 @@ DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(OSSL_DEPRECATEDIN_3_0,RSA, RSA_PUBKEY)
 DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(OSSL_DEPRECATEDIN_3_0,DSA, DSA_PUBKEY)
 #  endif
 # endif
-# ifndef OPENSSL_NO_EC
-DECLARE_ASN1_ENCODE_FUNCTIONS_only(EC_KEY, EC_PUBKEY)
+# ifndef OPENSSL_NO_DEPRECATED_3_0
+#  ifndef OPENSSL_NO_EC
+DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(OSSL_DEPRECATEDIN_3_0, EC_KEY, EC_PUBKEY)
+#  endif
 # endif
 
 DECLARE_ASN1_FUNCTIONS(X509_SIG)

diff --git a/providers/common/der/der_ec.h.in b/providers/common/der/der_ec.h.in
index 2d56119ba1c8b6a1e4b1112f4ff5e8e714463b49..0ec78389a4f346ca25a4dfc810aa8c5418b880de 100644 (file)
--- a/providers/common/der/der_ec.h.in
+++ b/providers/common/der/der_ec.h.in
@@ -7,6 +7,7 @@
  * https://www.openssl.org/source/license.html
  */
 
+#include "crypto/ec.h"
 #include "internal/der.h"
 
 /* Well known OIDs precompiled */

diff --git a/providers/common/der/der_sm2.h.in b/providers/common/der/der_sm2.h.in
index 406ddf2b165d43a34240fb8cdce358b7c3e4d54a..721c63d4214f51b6c2c53ee5c0fb9aa90d4d94a9 100644 (file)
--- a/providers/common/der/der_sm2.h.in
+++ b/providers/common/der/der_sm2.h.in
@@ -7,6 +7,7 @@
  * https://www.openssl.org/source/license.html
  */
 
+#include "crypto/ec.h"
 #include "internal/der.h"
 
 /* Well known OIDs precompiled */

diff --git a/providers/implementations/asymciphers/sm2_enc.c b/providers/implementations/asymciphers/sm2_enc.c
index a67e2c26e4bf9c65c4990b2d2e049dd59ae38454..b1f62b03c77ced592f032ff1f2aa62d9620fed73 100644 (file)
--- a/providers/implementations/asymciphers/sm2_enc.c
+++ b/providers/implementations/asymciphers/sm2_enc.c
@@ -7,6 +7,8 @@
  * https://www.openssl.org/source/license.html
  */
 
+#include "internal/deprecated.h"
+
 #include <openssl/crypto.h>
 #include <openssl/evp.h>
 #include <openssl/core_dispatch.h>

diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c
index 8775622a017a19a76d8f722e2f31e3bfe1ffd949..5d71d3ee1df9c4d73a77506ab76d4424a019f78f 100644 (file)
--- a/providers/implementations/keymgmt/ec_kmgmt.c
+++ b/providers/implementations/keymgmt/ec_kmgmt.c
@@ -229,11 +229,33 @@ static ossl_inline
 int otherparams_to_params(const EC_KEY *ec, OSSL_PARAM_BLD *tmpl,
                           OSSL_PARAM params[])
 {
-    int ecdh_cofactor_mode = 0;
+    int ecdh_cofactor_mode = 0, group_check = 0;
+    const char *name = NULL;
+    point_conversion_form_t format;
 
     if (ec == NULL)
         return 0;
 
+    format = EC_KEY_get_conv_form(ec);
+    name = ec_pt_format_id2name((int)format);
+    if (name != NULL
+        && !ossl_param_build_set_utf8_string(tmpl, params,
+                                             OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
+                                             name))
+        return 0;
+
+    group_check = EC_KEY_get_flags(ec) & EC_FLAG_CHECK_NAMED_GROUP_MASK;
+    name = ec_check_group_type_id2name(group_check);
+    if (name != NULL
+        && !ossl_param_build_set_utf8_string(tmpl, params,
+                                             OSSL_PKEY_PARAM_EC_GROUP_CHECK_TYPE,
+                                             name))
+        return 0;
+
+    if ((EC_KEY_get_enc_flags(ec) & EC_PKEY_NO_PUBKEY) != 0)
+        ossl_param_build_set_int(tmpl, params,
+                                 OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC, 0);
+
     ecdh_cofactor_mode =
         (EC_KEY_get_flags(ec) & EC_FLAG_COFACTOR_ECDH) ? 1 : 0;
     return ossl_param_build_set_int(tmpl, params,
@@ -462,6 +484,7 @@ end:
 # define EC_IMEXPORTABLE_DOM_PARAMETERS                                        \
     OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, NULL, 0),               \
     OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_EC_ENCODING, NULL, 0),              \
+    OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT, NULL, 0),\
     OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_EC_FIELD_TYPE, NULL, 0),            \
     OSSL_PARAM_BN(OSSL_PKEY_PARAM_EC_P, NULL, 0),                              \
     OSSL_PARAM_BN(OSSL_PKEY_PARAM_EC_A, NULL, 0),                              \
@@ -476,7 +499,8 @@ end:
 # define EC_IMEXPORTABLE_PRIVATE_KEY                                           \
     OSSL_PARAM_BN(OSSL_PKEY_PARAM_PRIV_KEY, NULL, 0)
 # define EC_IMEXPORTABLE_OTHER_PARAMETERS                                      \
-    OSSL_PARAM_int(OSSL_PKEY_PARAM_USE_COFACTOR_ECDH, NULL)
+    OSSL_PARAM_int(OSSL_PKEY_PARAM_USE_COFACTOR_ECDH, NULL),                   \
+    OSSL_PARAM_int(OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC, NULL)
 
 /*
  * Include all the possible combinations of OSSL_PARAM arrays for
@@ -484,11 +508,6 @@ end:
  *
  * They are in a separate file as it is ~100 lines of unreadable and
  * uninteresting machine generated stuff.
- *
- * TODO(3.0): the generated list looks quite ugly, as to cover all possible
- * combinations of the bits in `selection`, it also includes combinations that
- * are not really useful: we might want to consider alternatives to this
- * solution.
  */
 #include "ec_kmgmt_imexport.inc"
 
@@ -727,6 +746,11 @@ const OSSL_PARAM *ec_gettable_params(void *provctx)
 static const OSSL_PARAM ec_known_settable_params[] = {
     OSSL_PARAM_int(OSSL_PKEY_PARAM_USE_COFACTOR_ECDH, NULL),
     OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY, NULL, 0),
+    OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_EC_ENCODING, NULL, 0),
+    OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT, NULL, 0),
+    OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_EC_SEED, NULL, 0),
+    OSSL_PARAM_int(OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC, NULL),
+    OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_EC_GROUP_CHECK_TYPE, NULL, 0),
     OSSL_PARAM_END
 };
 
@@ -742,6 +766,12 @@ int ec_set_params(void *key, const OSSL_PARAM params[])
     EC_KEY *eck = key;
     const OSSL_PARAM *p;
 
+    if (key == NULL)
+        return 0;
+
+    if (!ec_group_set_params((EC_GROUP *)EC_KEY_get0_group(key), params))
+        return 0;
+
     p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_ENCODED_PUBLIC_KEY);
     if (p != NULL) {
         BN_CTX *ctx = BN_CTX_new_ex(ec_key_get_libctx(key));
@@ -850,8 +880,15 @@ int ec_validate(const void *keydata, int selection)
     if ((selection & EC_POSSIBLE_SELECTIONS) != 0)
         ok = 1;
 
-    if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0)
-        ok = ok && EC_GROUP_check(EC_KEY_get0_group(eck), ctx);
+    if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) {
+        int flags = EC_KEY_get_flags(eck);
+
+        if ((flags & EC_FLAG_CHECK_NAMED_GROUP) != 0)
+            ok = ok && EC_GROUP_check_named_curve(EC_KEY_get0_group(eck),
+                           (flags & EC_FLAG_CHECK_NAMED_GROUP_NIST) != 0, ctx);
+        else
+            ok = ok && EC_GROUP_check(EC_KEY_get0_group(eck), ctx);
+    }
 
     if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0)
         ok = ok && ec_key_public_check(eck, ctx);
@@ -870,6 +907,8 @@ struct ec_gen_ctx {
     OSSL_LIB_CTX *libctx;
     char *group_name;
     char *encoding;
+    char *pt_format;
+    char *group_check;
     char *field_type;
     BIGNUM *p, *a, *b, *order, *cofactor;
     unsigned char *gen, *seed;
@@ -972,6 +1011,8 @@ static int ec_gen_set_params(void *genctx, const OSSL_PARAM params[])
     COPY_UTF8_PARAM(params, OSSL_PKEY_PARAM_GROUP_NAME, gctx->group_name);
     COPY_UTF8_PARAM(params, OSSL_PKEY_PARAM_EC_FIELD_TYPE, gctx->field_type);
     COPY_UTF8_PARAM(params, OSSL_PKEY_PARAM_EC_ENCODING, gctx->encoding);
+    COPY_UTF8_PARAM(params, OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT, gctx->pt_format);
+    COPY_UTF8_PARAM(params, OSSL_PKEY_PARAM_EC_GROUP_CHECK_TYPE, gctx->group_check);
 
     COPY_BN_PARAM(params, OSSL_PKEY_PARAM_EC_P, gctx->p);
     COPY_BN_PARAM(params, OSSL_PKEY_PARAM_EC_A, gctx->a);
@@ -1005,6 +1046,12 @@ static int ec_gen_set_group_from_params(struct ec_gen_ctx *gctx)
                                             gctx->encoding, 0))
         goto err;
 
+    if (gctx->pt_format != NULL
+        && !OSSL_PARAM_BLD_push_utf8_string(bld,
+                                            OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
+                                            gctx->pt_format, 0))
+        goto err;
+
     if (gctx->group_name != NULL) {
         if (!OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_PKEY_PARAM_GROUP_NAME,
                                              gctx->group_name, 0))
@@ -1066,6 +1113,7 @@ static const OSSL_PARAM *ec_gen_settable_params(void *provctx)
         OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_GROUP_NAME, NULL, 0),
         OSSL_PARAM_int(OSSL_PKEY_PARAM_USE_COFACTOR_ECDH, NULL),
         OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_EC_ENCODING, NULL, 0),
+        OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT, NULL, 0),
         OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_EC_FIELD_TYPE, NULL, 0),
         OSSL_PARAM_BN(OSSL_PKEY_PARAM_EC_P, NULL, 0),
         OSSL_PARAM_BN(OSSL_PKEY_PARAM_EC_A, NULL, 0),
@@ -1107,12 +1155,20 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
         if (!ec_gen_set_group_from_params(gctx))
             goto err;
     } else {
-        if (gctx->encoding) {
+        if (gctx->encoding != NULL) {
             int flags = ec_encoding_name2id(gctx->encoding);
+
             if (flags < 0)
                 goto err;
             EC_GROUP_set_asn1_flag(gctx->gen_group, flags);
         }
+        if (gctx->pt_format != NULL) {
+            int format = ec_pt_format_name2id(gctx->pt_format);
+
+            if (format < 0)
+                goto err;
+            EC_GROUP_set_point_conversion_form(gctx->gen_group, format);
+        }
     }
 
     /* We must always assign a group, no matter what */
@@ -1125,6 +1181,8 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
     if (gctx->ecdh_mode != -1)
         ret = ret && ec_set_ecdh_cofactor_mode(ec, gctx->ecdh_mode);
 
+    if (gctx->group_check != NULL)
+        ret = ret && ec_set_check_group_type_from_name(ec, gctx->group_check);
     if (ret)
         return ec;
 err:
@@ -1154,10 +1212,18 @@ static void *sm2_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg)
     } else {
         if (gctx->encoding) {
             int flags = ec_encoding_name2id(gctx->encoding);
+
             if (flags < 0)
                 goto err;
             EC_GROUP_set_asn1_flag(gctx->gen_group, flags);
         }
+        if (gctx->pt_format != NULL) {
+            int format = ec_pt_format_name2id(gctx->pt_format);
+
+            if (format < 0)
+                goto err;
+            EC_GROUP_set_point_conversion_form(gctx->gen_group, format);
+        }
     }
 
     /* We must always assign a group, no matter what */
@@ -1197,7 +1263,8 @@ static void ec_gen_cleanup(void *genctx)
     BN_free(gctx->order);
     BN_free(gctx->cofactor);
     OPENSSL_free(gctx->group_name);
-    OPENSSL_free(gctx->field_type);;
+    OPENSSL_free(gctx->field_type);
+    OPENSSL_free(gctx->pt_format);
     OPENSSL_free(gctx->encoding);
     OPENSSL_free(gctx->seed);
     OPENSSL_free(gctx->gen);

diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 0739bc9082d7d316d4802e29b730a791293086d3..34980b0bc6751772c0d8989f92ca9dfc46767d5b 100644 (file)
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -18,6 +18,7 @@
 #include <openssl/rand.h>
 #include <openssl/trace.h>
 #include <openssl/x509v3.h>
+#include <openssl/core_names.h>
 #include "internal/cryptlib.h"
 
 #define TLS13_NUM_CIPHERS       OSSL_NELEM(tls13_ciphers)
@@ -3429,6 +3430,29 @@ static char *srp_password_from_info_cb(SSL *s, void *arg)
 }
 #endif
 
+#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DEPRECATED_3_0)
+static int ssl_set_tmp_ecdh_groups(uint16_t **pext, size_t *pextlen,
+                                   EVP_PKEY *pkey)
+{
+    char name[80];
+    int nid, ret = 0;
+    size_t name_len;
+
+    if (!EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME,
+                                        name, sizeof(name), &name_len)) {
+        SSLerr(0, EC_R_MISSING_PARAMETERS);
+        return 0;
+    }
+    nid = OBJ_txt2nid(name);
+    if (nid == NID_undef)
+        goto end;
+    ret = tls1_set_groups(pext, pextlen, &nid, 1);
+end:
+    EVP_PKEY_free(pkey);
+    return ret;
+}
+#endif
+
 static int ssl3_set_req_cert_type(CERT *c, const unsigned char *p, size_t len);
 
 long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
@@ -3472,33 +3496,28 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
             ERR_raise(ERR_LIB_SSL, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
             return ret;
         }
-# endif
+#endif
     case SSL_CTRL_SET_DH_AUTO:
         s->cert->dh_tmp_auto = larg;
         return 1;
-#ifndef OPENSSL_NO_EC
+#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DEPRECATED_3_0)
     case SSL_CTRL_SET_TMP_ECDH:
         {
-            const EC_GROUP *group = NULL;
-            int nid;
+            EVP_PKEY *pkecdh = NULL;
 
             if (parg == NULL) {
                 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER);
                 return 0;
             }
-            group = EC_KEY_get0_group((const EC_KEY *)parg);
-            if (group == NULL) {
-                ERR_raise(ERR_LIB_SSL, EC_R_MISSING_PARAMETERS);
+            pkecdh = ssl_ecdh_to_pkey(parg);
+            if (pkecdh == NULL) {
+                ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
                 return 0;
             }
-            nid = EC_GROUP_get_curve_name(group);
-            if (nid == NID_undef)
-                return 0;
-            return tls1_set_groups(&s->ext.supportedgroups,
-                                   &s->ext.supportedgroups_len,
-                                   &nid, 1);
+            return ssl_set_tmp_ecdh_groups(&s->ext.supportedgroups,
+                                           &s->ext.supportedgroups_len,
+                                           pkecdh);
         }
-        break;
 #endif                          /* !OPENSSL_NO_EC */
     case SSL_CTRL_SET_TLSEXT_HOSTNAME:
         /*
@@ -3816,27 +3835,23 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
     case SSL_CTRL_SET_DH_AUTO:
         ctx->cert->dh_tmp_auto = larg;
         return 1;
-#ifndef OPENSSL_NO_EC
+#if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DEPRECATED_3_0)
     case SSL_CTRL_SET_TMP_ECDH:
         {
-            const EC_GROUP *group = NULL;
-            int nid;
+            EVP_PKEY *pkecdh = NULL;
 
             if (parg == NULL) {
                 ERR_raise(ERR_LIB_SSL, ERR_R_PASSED_NULL_PARAMETER);
                 return 0;
             }
-            group = EC_KEY_get0_group((const EC_KEY *)parg);
-            if (group == NULL) {
-                ERR_raise(ERR_LIB_SSL, EC_R_MISSING_PARAMETERS);
+            pkecdh = ssl_ecdh_to_pkey(parg);
+            if (pkecdh == NULL) {
+                ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE);
                 return 0;
             }
-            nid = EC_GROUP_get_curve_name(group);
-            if (nid == NID_undef)
-                return 0;
-            return tls1_set_groups(&ctx->ext.supportedgroups,
-                                   &ctx->ext.supportedgroups_len,
-                                   &nid, 1);
+            return ssl_set_tmp_ecdh_groups(&ctx->ext.supportedgroups,
+                                           &ctx->ext.supportedgroups_len,
+                                           pkecdh);
         }
 #endif                          /* !OPENSSL_NO_EC */
     case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG:

diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h
index 22ab387422796271a91b298ed689e69d65a609e7..1819ccd981f5eb18fd35d5efb53d090f2fe85cc8 100644 (file)
--- a/ssl/ssl_local.h
+++ b/ssl/ssl_local.h
@@ -2468,6 +2468,9 @@ __owur int ssl_encapsulate(SSL *s, EVP_PKEY *pubkey,
                            unsigned char **ctp, size_t *ctlenp,
                            int gensecret);
 __owur EVP_PKEY *ssl_dh_to_pkey(DH *dh);
+# if !defined(OPENSSL_NO_EC) && !defined(OPENSSL_NO_DEPRECATED_3_0)
+__owur EVP_PKEY *ssl_ecdh_to_pkey(EC_KEY *ec);
+# endif
 __owur unsigned int ssl_get_max_send_fragment(const SSL *ssl);
 __owur unsigned int ssl_get_split_send_fragment(const SSL *ssl);
 

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index 60c17dd809c0fef7964cdb5ed5fce2ae6c17aff0..799ff357f8103399b7e2093c2b83b9fe91254057 100644 (file)
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -818,32 +818,39 @@ void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
 /* Check a key is compatible with compression extension */
 static int tls1_check_pkey_comp(SSL *s, EVP_PKEY *pkey)
 {
-    const EC_KEY *ec;
-    const EC_GROUP *grp;
     unsigned char comp_id;
     size_t i;
+    char name[80];
+    size_t name_len;
+
 
     /* If not an EC key nothing to check */
     if (!EVP_PKEY_is_a(pkey, "EC"))
         return 1;
-    ec = EVP_PKEY_get0_EC_KEY(pkey);
-    grp = EC_KEY_get0_group(ec);
+
+    if (!EVP_PKEY_get_utf8_string_param(pkey,
+                                        OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT,
+                                        name, sizeof(name), &name_len))
+        return 0;
 
     /* Get required compression id */
-    if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_UNCOMPRESSED) {
-            comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
+    if (strcasecmp(name, "uncompressed") == 0) {
+        comp_id = TLSEXT_ECPOINTFORMAT_uncompressed;
     } else if (SSL_IS_TLS13(s)) {
-            /*
-             * ec_point_formats extension is not used in TLSv1.3 so we ignore
-             * this check.
-             */
-            return 1;
+        /*
+         * ec_point_formats extension is not used in TLSv1.3 so we ignore
+         * this check.
+         */
+        return 1;
     } else {
-        int field_type = EC_GROUP_get_field_type(grp);
+        if (!EVP_PKEY_get_utf8_string_param(pkey,
+                                            OSSL_PKEY_PARAM_EC_FIELD_TYPE,
+                                            name, sizeof(name), &name_len))
+            return 0;
 
-        if (field_type == NID_X9_62_prime_field)
+        if (strcasecmp(name, SN_X9_62_prime_field) == 0)
             comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime;
-        else if (field_type == NID_X9_62_characteristic_two_field)
+        else if (strcasecmp(name, SN_X9_62_characteristic_two_field) == 0)
             comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2;
         else
             return 0;

diff --git a/ssl/tls_depr.c b/ssl/tls_depr.c
index 6f2103ad91ab7cb201213e33d86ed2b921f1b30c..68b007b12de1b256caaae35c3b2e68be9d76ac98 100644 (file)
--- a/ssl/tls_depr.c
+++ b/ssl/tls_depr.c
@@ -159,5 +159,21 @@ EVP_PKEY *ssl_dh_to_pkey(DH *dh)
     return ret;
 }
 # endif
-#endif
 
+/* Some deprecated public APIs pass EC_KEY objects */
+# ifndef OPENSSL_NO_EC
+EVP_PKEY *ssl_ecdh_to_pkey(EC_KEY *ec)
+{
+    EVP_PKEY *ret;
+
+    if (ec == NULL)
+        return NULL;
+    ret = EVP_PKEY_new();
+    if (EVP_PKEY_set1_EC_KEY(ret, ec) <= 0) {
+        EVP_PKEY_free(ret);
+        return NULL;
+    }
+    return ret;
+}
+# endif
+#endif

diff --git a/test/build.info b/test/build.info
index a8f60c385bfd924104bb4c2d1815a7aa738df570..b9e6d4f3b19347085f66e31fc648a62da0641304 100644 (file)
--- a/test/build.info
+++ b/test/build.info
@@ -32,7 +32,7 @@ IF[{- !$disabled{tests} -}]
           versions \
           aborttest test_test pkcs12_format_test \
           sanitytest rsa_complex exdatatest bntest \
-          ectest ecstresstest gmdifftest pbelutest \
+          ecstresstest gmdifftest pbelutest \
           destest mdc2test \
           exptest \
           evp_pkey_provided_test evp_test evp_extra_test evp_extra_test2 \
@@ -96,7 +96,7 @@ IF[{- !$disabled{tests} -}]
 
   SOURCE[ectest]=ectest.c
   INCLUDE[ectest]=../include ../apps/include
-  DEPEND[ectest]=../libcrypto libtestutil.a
+  DEPEND[ectest]=../libcrypto.a libtestutil.a
 
   SOURCE[ecstresstest]=ecstresstest.c
   INCLUDE[ecstresstest]=../include ../apps/include
@@ -548,7 +548,7 @@ IF[{- !$disabled{tests} -}]
       PROGRAMS{noinst}=sm4_internal_test
     ENDIF
     IF[{- !$disabled{ec} -}]
-      PROGRAMS{noinst}=ec_internal_test curve448_internal_test
+      PROGRAMS{noinst}=ectest ec_internal_test curve448_internal_test
     ENDIF
     IF[{- !$disabled{cmac} -}]
       PROGRAMS{noinst}=cmactest

diff --git a/test/ectest.c b/test/ectest.c
index 9088fd166ac73a2d0bb1ee7289f50b4059d9507a..b047d88c3e5ee21ac567754c94b168117b234183 100644 (file)
--- a/test/ectest.c
+++ b/test/ectest.c
@@ -9,13 +9,10 @@
  */
 
 /*
- * We need access to the deprecated EC_POINTs_mul, EC_GROUP_precompute_mult,
- * and EC_GROUP_have_precompute_mult for testing purposes
- * when the deprecated calls are not hidden
+ * EC_KEY low level APIs are deprecated for public use, but still ok for
+ * internal use.
  */
-#ifndef OPENSSL_NO_DEPRECATED_3_0
-# define OPENSSL_SUPPRESS_DEPRECATED
-#endif
+#include "internal/deprecated.h"
 
 #include <string.h>
 #include "internal/nelem.h"

diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c
index 4358fbe5c5b498ebaf39ce914eaf710020c96741..440b4759dde0af0c14feb1b7aafbb1731a494efd 100644 (file)
--- a/test/evp_extra_test.c
+++ b/test/evp_extra_test.c
@@ -384,6 +384,7 @@ static const unsigned char pExampleECParamDER[] = {
 typedef struct APK_DATA_st {
     const unsigned char *kder;
     size_t size;
+    const char *keytype;
     int evptype;
     int check;
     int pub_check;
@@ -392,22 +393,22 @@ typedef struct APK_DATA_st {
 } APK_DATA;
 
 static APK_DATA keydata[] = {
-    {kExampleRSAKeyDER, sizeof(kExampleRSAKeyDER), EVP_PKEY_RSA},
-    {kExampleRSAKeyPKCS8, sizeof(kExampleRSAKeyPKCS8), EVP_PKEY_RSA},
+    {kExampleRSAKeyDER, sizeof(kExampleRSAKeyDER), "RSA", EVP_PKEY_RSA},
+    {kExampleRSAKeyPKCS8, sizeof(kExampleRSAKeyPKCS8), "RSA", EVP_PKEY_RSA},
 #ifndef OPENSSL_NO_EC
-    {kExampleECKeyDER, sizeof(kExampleECKeyDER), EVP_PKEY_EC}
+    {kExampleECKeyDER, sizeof(kExampleECKeyDER), "EC", EVP_PKEY_EC}
 #endif
 };
 
 static APK_DATA keycheckdata[] = {
-    {kExampleRSAKeyDER, sizeof(kExampleRSAKeyDER), EVP_PKEY_RSA, 1, 1, 1, 0},
-    {kExampleBadRSAKeyDER, sizeof(kExampleBadRSAKeyDER), EVP_PKEY_RSA,
+    {kExampleRSAKeyDER, sizeof(kExampleRSAKeyDER), "RSA", EVP_PKEY_RSA, 1, 1, 1, 0},
+    {kExampleBadRSAKeyDER, sizeof(kExampleBadRSAKeyDER), "RSA", EVP_PKEY_RSA,
      0, 1, 1, 0},
 #ifndef OPENSSL_NO_EC
-    {kExampleECKeyDER, sizeof(kExampleECKeyDER), EVP_PKEY_EC, 1, 1, 1, 0},
+    {kExampleECKeyDER, sizeof(kExampleECKeyDER), "EC", EVP_PKEY_EC, 1, 1, 1, 0},
     /* group is also associated in our pub key */
-    {kExampleECPubKeyDER, sizeof(kExampleECPubKeyDER), EVP_PKEY_EC, 0, 1, 1, 1},
-    {pExampleECParamDER, sizeof(pExampleECParamDER), EVP_PKEY_EC, 0, 0, 1, 2}
+    {kExampleECPubKeyDER, sizeof(kExampleECPubKeyDER), "EC", EVP_PKEY_EC, 0, 1, 1, 1},
+    {pExampleECParamDER, sizeof(pExampleECParamDER), "EC", EVP_PKEY_EC, 0, 0, 1, 2}
 #endif
 };
 
@@ -911,18 +912,14 @@ static struct ec_der_pub_keys_st {
 static int test_invalide_ec_char2_pub_range_decode(int id)
 {
     int ret = 0;
-    BIO *bio = NULL;
-    EC_KEY *eckey = NULL;
+    EVP_PKEY *pkey;
 
-    if (!TEST_ptr(bio = BIO_new_mem_buf(ec_der_pub_keys[id].der,
-                                        ec_der_pub_keys[id].len)))
-        goto err;
-    eckey = d2i_EC_PUBKEY_bio(bio, NULL);
-    ret = (ec_der_pub_keys[id].valid && TEST_ptr(eckey))
-          || TEST_ptr_null(eckey);
-err:
-    EC_KEY_free(eckey);
-    BIO_free(bio);
+    pkey = load_example_key("EC", ec_der_pub_keys[id].der,
+                            ec_der_pub_keys[id].len);
+
+    ret = (ec_der_pub_keys[id].valid && TEST_ptr(pkey))
+          || TEST_ptr_null(pkey);
+    EVP_PKEY_free(pkey);
     return ret;
 }
 
@@ -1417,11 +1414,7 @@ static EVP_PKEY_METHOD *custom_pmeth;
 static int test_EVP_PKEY_check(int i)
 {
     int ret = 0;
-    const unsigned char *p;
     EVP_PKEY *pkey = NULL;
-#ifndef OPENSSL_NO_EC
-    EC_KEY *eckey = NULL;
-#endif
     EVP_PKEY_CTX *ctx = NULL;
 #ifndef OPENSSL_NO_DEPRECATED_3_0
     EVP_PKEY_CTX *ctx2 = NULL;
@@ -1434,36 +1427,12 @@ static int test_EVP_PKEY_check(int i)
     int expected_pub_check = ak->pub_check;
     int expected_param_check = ak->param_check;
     int type = ak->type;
-    BIO *pubkey = NULL;
-
-    p = input;
 
-    switch (type) {
-    case 0:
-        if (!TEST_ptr(pkey = d2i_AutoPrivateKey(NULL, &p, input_len))
-            || !TEST_ptr_eq(p, input + input_len)
-            || !TEST_int_eq(EVP_PKEY_id(pkey), expected_id))
-            goto done;
-        break;
-#ifndef OPENSSL_NO_EC
-    case 1:
-        if (!TEST_ptr(pubkey = BIO_new_mem_buf(input, input_len))
-            || !TEST_ptr(eckey = d2i_EC_PUBKEY_bio(pubkey, NULL))
-            || !TEST_ptr(pkey = EVP_PKEY_new())
-            || !TEST_true(EVP_PKEY_assign_EC_KEY(pkey, eckey)))
-            goto done;
-        break;
-    case 2:
-        if (!TEST_ptr(eckey = d2i_ECParameters(NULL, &p, input_len))
-            || !TEST_ptr_eq(p, input + input_len)
-            || !TEST_ptr(pkey = EVP_PKEY_new())
-            || !TEST_true(EVP_PKEY_assign_EC_KEY(pkey, eckey)))
-            goto done;
-        break;
-#endif
-    default:
-        return 0;
-    }
+    if (!TEST_ptr(pkey = load_example_key(ak->keytype, input, input_len)))
+        goto done;
+    if (type == 0
+        && !TEST_int_eq(EVP_PKEY_id(pkey), expected_id))
+        goto done;
 
     if (!TEST_ptr(ctx = EVP_PKEY_CTX_new(pkey, NULL)))
         goto done;
@@ -1501,7 +1470,6 @@ static int test_EVP_PKEY_check(int i)
     EVP_PKEY_CTX_free(ctx2);
 #endif
     EVP_PKEY_free(pkey);
-    BIO_free(pubkey);
     return ret;
 }
 

diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c
index 08fcd39beadc160c5ece7be4b4634f4f1fbe7390..0711639fd190f67b8fb0f69b85a1e2b43f352004 100644 (file)
--- a/test/helpers/handshake.c
+++ b/test/helpers/handshake.c
@@ -12,6 +12,7 @@
 #include <openssl/bio.h>
 #include <openssl/x509_vfy.h>
 #include <openssl/ssl.h>
+#include <openssl/core_names.h>
 #ifndef OPENSSL_NO_SRP
 #include <openssl/srp.h>
 #endif
@@ -1270,15 +1271,18 @@ static char *dup_str(const unsigned char *in, size_t len)
 
 static int pkey_type(EVP_PKEY *pkey)
 {
-    int nid = EVP_PKEY_id(pkey);
-
 #ifndef OPENSSL_NO_EC
-    if (nid == EVP_PKEY_EC) {
-        const EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
-        return EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
+    if (EVP_PKEY_is_a(pkey, "EC")) {
+        char name[80];
+        size_t name_len;
+
+        if (!EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME,
+                                            name, sizeof(name), &name_len))
+            return NID_undef;
+        return OBJ_txt2nid(name);
     }
 #endif
-    return nid;
+    return EVP_PKEY_id(pkey);
 }
 
 static int peer_pkey_type(SSL *s)

diff --git a/test/ssl_old_test.c b/test/ssl_old_test.c
index 4114d9491750a68d14cf199d513cde0f98482c60..f63ec678548ee6e20ca4e5976f914a190b4c0ef4 100644 (file)
--- a/test/ssl_old_test.c
+++ b/test/ssl_old_test.c
@@ -718,6 +718,7 @@ static void sv_usage(void)
 static void print_key_details(BIO *out, EVP_PKEY *key)
 {
     int keyid = EVP_PKEY_id(key);
+#if 0
 #ifndef OPENSSL_NO_EC
     if (keyid == EVP_PKEY_EC) {
         EC_KEY *ec = EVP_PKEY_get1_EC_KEY(key);
@@ -730,6 +731,7 @@ static void print_key_details(BIO *out, EVP_PKEY *key)
             cname = OBJ_nid2sn(nid);
         BIO_printf(out, "%d bits EC (%s)", EVP_PKEY_bits(key), cname);
     } else
+#endif
 #endif
     {
         const char *algname;

diff --git a/util/libcrypto.num b/util/libcrypto.num
index 8b23993b078312d843f937aa7a411991c0cbbaef..964ac7d7259fd9fc5c339c5c17b4829b0a0a0fe1 100644 (file)
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -1,4 +1,4 @@
-d2i_EC_PUBKEY                           1      3_0_0   EXIST::FUNCTION:EC
+d2i_EC_PUBKEY                           1      3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 b2i_PVK_bio                             2      3_0_0   EXIST::FUNCTION:
 PEM_read_bio_NETSCAPE_CERT_SEQUENCE     3      3_0_0   EXIST::FUNCTION:
 X509_STORE_CTX_get0_chain               4      3_0_0   EXIST::FUNCTION:
@@ -15,7 +15,7 @@ X509at_get_attr_by_NID                  14    3_0_0   EXIST::FUNCTION:
 X509_PUBKEY_set0_param                  15     3_0_0   EXIST::FUNCTION:
 PKCS12_it                               16     3_0_0   EXIST::FUNCTION:
 i2d_ASN1_OCTET_STRING                   17     3_0_0   EXIST::FUNCTION:
-EC_KEY_set_private_key                  18     3_0_0   EXIST::FUNCTION:EC
+EC_KEY_set_private_key                  18     3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 SRP_VBASE_get_by_user                   19     3_0_0   EXIST::FUNCTION:DEPRECATEDIN_1_1_0,SRP
 Camellia_cfb128_encrypt                 21     3_0_0   EXIST::FUNCTION:CAMELLIA,DEPRECATEDIN_3_0
 DES_ncbc_encrypt                        22     3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,DES
@@ -180,7 +180,7 @@ i2d_ASN1_PRINTABLESTRING                183 3_0_0   EXIST::FUNCTION:
 X509_VERIFY_PARAM_set_hostflags         184    3_0_0   EXIST::FUNCTION:
 SCT_get0_log_id                         185    3_0_0   EXIST::FUNCTION:CT
 ASN1_IA5STRING_it                       186    3_0_0   EXIST::FUNCTION:
-PEM_write_bio_ECPrivateKey              187    3_0_0   EXIST::FUNCTION:EC
+PEM_write_bio_ECPrivateKey              187    3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 BN_consttime_swap                       188    3_0_0   EXIST::FUNCTION:
 BIO_f_buffer                            189    3_0_0   EXIST::FUNCTION:
 CMS_SignerInfo_get0_signer_id           190    3_0_0   EXIST::FUNCTION:CMS
@@ -198,7 +198,7 @@ OCSP_request_add0_id                    201 3_0_0   EXIST::FUNCTION:OCSP
 EVP_seed_cfb128                         202    3_0_0   EXIST::FUNCTION:SEED
 BASIC_CONSTRAINTS_free                  203    3_0_0   EXIST::FUNCTION:
 EVP_CIPHER_flags                        204    3_0_0   EXIST::FUNCTION:
-PEM_write_bio_ECPKParameters            205    3_0_0   EXIST::FUNCTION:EC
+PEM_write_bio_ECPKParameters            205    3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 SCT_set_version                         206    3_0_0   EXIST::FUNCTION:CT
 CMS_add1_ReceiptRequest                 207    3_0_0   EXIST::FUNCTION:CMS
 d2i_CRL_DIST_POINTS                     208    3_0_0   EXIST::FUNCTION:
@@ -206,7 +206,7 @@ X509_CRL_INFO_free                      209 3_0_0   EXIST::FUNCTION:
 ERR_load_UI_strings                     210    3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0
 ERR_load_strings                        211    3_0_0   EXIST::FUNCTION:
 RSA_X931_hash_id                        212    3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0
-EC_KEY_set_method                       213    3_0_0   EXIST::FUNCTION:EC
+EC_KEY_set_method                       213    3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 PEM_write_PKCS8_PRIV_KEY_INFO           214    3_0_0   EXIST::FUNCTION:STDIO
 X509at_get0_data_by_OBJ                 215    3_0_0   EXIST::FUNCTION:
 b2i_PublicKey_bio                       216    3_0_0   EXIST::FUNCTION:
@@ -234,9 +234,9 @@ ASN1_item_i2d                           238 3_0_0   EXIST::FUNCTION:
 OCSP_copy_nonce                         239    3_0_0   EXIST::FUNCTION:OCSP
 OBJ_txt2nid                             240    3_0_0   EXIST::FUNCTION:
 SEED_set_key                            241    3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,SEED
-EC_KEY_clear_flags                      242    3_0_0   EXIST::FUNCTION:EC
+EC_KEY_clear_flags                      242    3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 CMS_RecipientInfo_ktri_get0_algs        243    3_0_0   EXIST::FUNCTION:CMS
-i2d_EC_PUBKEY                           244    3_0_0   EXIST::FUNCTION:EC
+i2d_EC_PUBKEY                           244    3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 MDC2                                    245    3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,MDC2
 BN_clear_free                           246    3_0_0   EXIST::FUNCTION:
 ENGINE_get_pkey_asn1_meths              247    3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
@@ -254,7 +254,7 @@ EVP_md2                                 259 3_0_0   EXIST::FUNCTION:MD2
 RC2_ecb_encrypt                         260    3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,RC2
 ENGINE_register_DH                      261    3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
 ASN1_NULL_free                          262    3_0_0   EXIST::FUNCTION:
-EC_KEY_copy                             263    3_0_0   EXIST::FUNCTION:EC
+EC_KEY_copy                             263    3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 EVP_des_ede3                            264    3_0_0   EXIST::FUNCTION:DES
 PKCS7_add1_attrib_digest                265    3_0_0   EXIST::FUNCTION:
 EC_POINT_get_affine_coordinates_GFp     266    3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
@@ -318,7 +318,7 @@ BIO_s_accept                            323 3_0_0   EXIST::FUNCTION:SOCK
 EVP_whirlpool                           324    3_0_0   EXIST::FUNCTION:WHIRLPOOL
 OCSP_ONEREQ_get1_ext_d2i                325    3_0_0   EXIST::FUNCTION:OCSP
 d2i_ESS_SIGNING_CERT                    326    3_0_0   EXIST::FUNCTION:
-EC_KEY_set_default_method               327    3_0_0   EXIST::FUNCTION:EC
+EC_KEY_set_default_method               327    3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 X509_OBJECT_up_ref_count                328    3_0_0   EXIST::FUNCTION:
 RAND_load_file                          329    3_0_0   EXIST::FUNCTION:
 BIO_ctrl_reset_read_request             330    3_0_0   EXIST::FUNCTION:
@@ -521,7 +521,7 @@ X509_CRL_add1_ext_i2d                   532 3_0_0   EXIST::FUNCTION:
 i2d_TS_TST_INFO                         533    3_0_0   EXIST::FUNCTION:TS
 OBJ_sigid_free                          534    3_0_0   EXIST::FUNCTION:
 TS_STATUS_INFO_get0_status              535    3_0_0   EXIST::FUNCTION:TS
-EC_KEY_get_flags                        536    3_0_0   EXIST::FUNCTION:EC
+EC_KEY_get_flags                        536    3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 ASN1_TYPE_cmp                           537    3_0_0   EXIST::FUNCTION:
 i2d_RSAPublicKey                        538    3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0
 EC_GROUP_get_trinomial_basis            539    3_0_0   EXIST::FUNCTION:EC,EC2M
@@ -537,7 +537,7 @@ RSA_sign_ASN1_OCTET_STRING              548 3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3
 d2i_X509_CRL_fp                         549    3_0_0   EXIST::FUNCTION:STDIO
 i2d_RSA_PUBKEY                          550    3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0
 EVP_aes_128_ccm                         551    3_0_0   EXIST::FUNCTION:
-ECParameters_print                      552    3_0_0   EXIST::FUNCTION:EC
+ECParameters_print                      552    3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 OCSP_SINGLERESP_get1_ext_d2i            553    3_0_0   EXIST::FUNCTION:OCSP
 RAND_status                             554    3_0_0   EXIST::FUNCTION:
 EVP_ripemd160                           555    3_0_0   EXIST::FUNCTION:RMD160
@@ -645,7 +645,7 @@ OCSP_resp_get0_produced_at              661 3_0_0   EXIST::FUNCTION:OCSP
 IDEA_encrypt                            662    3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,IDEA
 CRYPTO_nistcts128_encrypt_block         663    3_0_0   EXIST::FUNCTION:
 EVP_MD_do_all                           664    3_0_0   EXIST::FUNCTION:
-EC_KEY_oct2priv                         665    3_0_0   EXIST::FUNCTION:EC
+EC_KEY_oct2priv                         665    3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 CONF_parse_list                         666    3_0_0   EXIST::FUNCTION:
 ENGINE_set_table_flags                  667    3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
 EVP_MD_meth_get_ctrl                    668    3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0
@@ -772,7 +772,7 @@ CONF_get1_default_config_file           790 3_0_0   EXIST::FUNCTION:
 CRYPTO_ocb128_encrypt                   791    3_0_0   EXIST::FUNCTION:OCB
 EXTENDED_KEY_USAGE_new                  792    3_0_0   EXIST::FUNCTION:
 EVP_EncryptFinal                        793    3_0_0   EXIST::FUNCTION:
-PEM_write_ECPrivateKey                  794    3_0_0   EXIST::FUNCTION:EC,STDIO
+PEM_write_ECPrivateKey                  794    3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC,STDIO
 EVP_CIPHER_meth_set_get_asn1_params     796    3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0
 PKCS7_dataInit                          797    3_0_0   EXIST::FUNCTION:
 EVP_PKEY_CTX_set_app_data               798    3_0_0   EXIST::FUNCTION:
@@ -792,8 +792,8 @@ i2a_ASN1_ENUMERATED                     811 3_0_0   EXIST::FUNCTION:
 PKCS7_ISSUER_AND_SERIAL_new             812    3_0_0   EXIST::FUNCTION:
 d2i_USERNOTICE                          813    3_0_0   EXIST::FUNCTION:
 X509_cmp                                814    3_0_0   EXIST::FUNCTION:
-EVP_PKEY_set1_EC_KEY                    815    3_0_0   EXIST::FUNCTION:EC
-ECPKParameters_print_fp                 816    3_0_0   EXIST::FUNCTION:EC,STDIO
+EVP_PKEY_set1_EC_KEY                    815    3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
+ECPKParameters_print_fp                 816    3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC,STDIO
 GENERAL_SUBTREE_free                    817    3_0_0   EXIST::FUNCTION:
 RSA_blinding_off                        818    3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0
 i2d_OCSP_REVOKEDINFO                    819    3_0_0   EXIST::FUNCTION:OCSP
@@ -910,7 +910,7 @@ DHparams_dup                            932 3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3
 X509_get_ext                            933    3_0_0   EXIST::FUNCTION:
 X509_issuer_and_serial_hash             934    3_0_0   EXIST::FUNCTION:
 ASN1_BMPSTRING_it                       935    3_0_0   EXIST::FUNCTION:
-PEM_read_EC_PUBKEY                      936    3_0_0   EXIST::FUNCTION:EC,STDIO
+PEM_read_EC_PUBKEY                      936    3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC,STDIO
 d2i_ASN1_IA5STRING                      937    3_0_0   EXIST::FUNCTION:
 TS_TST_INFO_ext_free                    938    3_0_0   EXIST::FUNCTION:TS
 i2d_X509_CRL_fp                         939    3_0_0   EXIST::FUNCTION:STDIO
@@ -920,7 +920,7 @@ TS_VERIFY_CTX_set_certs                 942 3_0_0   EXIST::FUNCTION:TS
 BN_MONT_CTX_copy                        943    3_0_0   EXIST::FUNCTION:
 OPENSSL_INIT_new                        945    3_0_0   EXIST::FUNCTION:
 TS_ACCURACY_dup                         946    3_0_0   EXIST::FUNCTION:TS
-i2d_ECPrivateKey                        947    3_0_0   EXIST::FUNCTION:EC
+i2d_ECPrivateKey                        947    3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 X509_NAME_ENTRY_create_by_OBJ           948    3_0_0   EXIST::FUNCTION:
 TS_VERIFY_CTX_cleanup                   949    3_0_0   EXIST::FUNCTION:TS
 ASN1_INTEGER_get                        950    3_0_0   EXIST::FUNCTION:
@@ -1021,7 +1021,7 @@ X509_EXTENSION_new                      1047      3_0_0   EXIST::FUNCTION:
 X509_getm_notAfter                      1048   3_0_0   EXIST::FUNCTION:
 X509_ALGOR_dup                          1049   3_0_0   EXIST::FUNCTION:
 d2i_X509_REQ_INFO                       1050   3_0_0   EXIST::FUNCTION:
-d2i_EC_PUBKEY_bio                       1051   3_0_0   EXIST::FUNCTION:EC
+d2i_EC_PUBKEY_bio                       1051   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 X509_STORE_CTX_set_error                1052   3_0_0   EXIST::FUNCTION:
 EC_KEY_METHOD_set_keygen                1053   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 CRYPTO_free                             1054   3_0_0   EXIST::FUNCTION:
@@ -1074,7 +1074,7 @@ X509_CRL_set1_nextUpdate                1100      3_0_0   EXIST::FUNCTION:
 EVP_des_ede3_cfb64                      1101   3_0_0   EXIST::FUNCTION:DES
 BN_to_ASN1_INTEGER                      1102   3_0_0   EXIST::FUNCTION:
 EXTENDED_KEY_USAGE_free                 1103   3_0_0   EXIST::FUNCTION:
-PEM_read_bio_EC_PUBKEY                  1104   3_0_0   EXIST::FUNCTION:EC
+PEM_read_bio_EC_PUBKEY                  1104   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 BN_MONT_CTX_set                         1105   3_0_0   EXIST::FUNCTION:
 TS_CONF_set_serial                      1106   3_0_0   EXIST::FUNCTION:TS
 X509_NAME_ENTRY_new                     1107   3_0_0   EXIST::FUNCTION:
@@ -1091,7 +1091,7 @@ X509_STORE_CTX_get0_store               1117      3_0_0   EXIST::FUNCTION:
 PKCS12_pack_p7data                      1118   3_0_0   EXIST::FUNCTION:
 RSA_print_fp                            1119   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,STDIO
 OPENSSL_INIT_set_config_appname         1120   3_0_0   EXIST::FUNCTION:STDIO
-EC_KEY_print_fp                         1121   3_0_0   EXIST::FUNCTION:EC,STDIO
+EC_KEY_print_fp                         1121   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC,STDIO
 BIO_dup_chain                           1122   3_0_0   EXIST::FUNCTION:
 PKCS8_PRIV_KEY_INFO_it                  1123   3_0_0   EXIST::FUNCTION:
 RSA_OAEP_PARAMS_free                    1124   3_0_0   EXIST::FUNCTION:
@@ -1185,7 +1185,7 @@ EC_GFp_simple_method                    1211      3_0_0   EXIST::FUNCTION:DEPRECATEDIN_
 X509_it                                 1212   3_0_0   EXIST::FUNCTION:
 d2i_PROXY_POLICY                        1213   3_0_0   EXIST::FUNCTION:
 MDC2_Update                             1214   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,MDC2
-EC_KEY_new_by_curve_name                1215   3_0_0   EXIST::FUNCTION:EC
+EC_KEY_new_by_curve_name                1215   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 X509_CRL_free                           1216   3_0_0   EXIST::FUNCTION:
 i2d_PKCS7_SIGN_ENVELOPE                 1217   3_0_0   EXIST::FUNCTION:
 OCSP_CERTSTATUS_it                      1218   3_0_0   EXIST::FUNCTION:OCSP
@@ -1256,7 +1256,7 @@ MD5_Init                                1284      3_0_0   EXIST::FUNCTION:DEPRECATEDIN_
 UI_add_error_string                     1285   3_0_0   EXIST::FUNCTION:
 X509_TRUST_cleanup                      1286   3_0_0   EXIST::FUNCTION:
 PEM_read_X509                           1287   3_0_0   EXIST::FUNCTION:STDIO
-EC_KEY_new_method                       1288   3_0_0   EXIST::FUNCTION:EC
+EC_KEY_new_method                       1288   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 i2d_RSAPublicKey_fp                     1289   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,STDIO
 CRYPTO_ctr128_encrypt_ctr32             1290   3_0_0   EXIST::FUNCTION:
 X509_VERIFY_PARAM_move_peername         1291   3_0_0   EXIST::FUNCTION:
@@ -1266,7 +1266,7 @@ X509_CRL_METHOD_free                    1294      3_0_0   EXIST::FUNCTION:
 PEM_read_NETSCAPE_CERT_SEQUENCE         1295   3_0_0   EXIST::FUNCTION:STDIO
 OPENSSL_load_builtin_modules            1296   3_0_0   EXIST::FUNCTION:
 X509_set_version                        1297   3_0_0   EXIST::FUNCTION:
-i2d_EC_PUBKEY_bio                       1298   3_0_0   EXIST::FUNCTION:EC
+i2d_EC_PUBKEY_bio                       1298   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 X509_REQ_get_attr_count                 1299   3_0_0   EXIST::FUNCTION:
 CMS_set1_signers_certs                  1300   3_0_0   EXIST::FUNCTION:CMS
 TS_ACCURACY_free                        1301   3_0_0   EXIST::FUNCTION:TS
@@ -1312,7 +1312,7 @@ CRYPTO_mem_leaks_fp                     1340      3_0_0   EXIST::FUNCTION:CRYPTO_MDEBUG
 DES_set_key_unchecked                   1341   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,DES
 BN_free                                 1342   3_0_0   EXIST::FUNCTION:
 EVP_aes_128_cfb1                        1343   3_0_0   EXIST::FUNCTION:
-EC_KEY_get0_group                       1344   3_0_0   EXIST::FUNCTION:EC
+EC_KEY_get0_group                       1344   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 PEM_write_bio_CMS_stream                1345   3_0_0   EXIST::FUNCTION:CMS
 BIO_f_linebuffer                        1346   3_0_0   EXIST::FUNCTION:
 ASN1_item_d2i_bio                       1347   3_0_0   EXIST::FUNCTION:
@@ -1403,7 +1403,7 @@ ASN1_check_infinite_end                 1435      3_0_0   EXIST::FUNCTION:
 i2d_PKCS7_DIGEST                        1436   3_0_0   EXIST::FUNCTION:
 ERR_lib_error_string                    1437   3_0_0   EXIST::FUNCTION:
 X509_ATTRIBUTE_set1_object              1438   3_0_0   EXIST::FUNCTION:
-i2d_ECPrivateKey_bio                    1439   3_0_0   EXIST::FUNCTION:EC
+i2d_ECPrivateKey_bio                    1439   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 BN_GENCB_free                           1440   3_0_0   EXIST::FUNCTION:
 HMAC_size                               1441   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0
 EVP_PKEY_get0_DH                        1442   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,DH
@@ -1513,7 +1513,7 @@ EVP_CIPHER_asn1_to_param                1546      3_0_0   EXIST::FUNCTION:
 OCSP_request_onereq_get0                1547   3_0_0   EXIST::FUNCTION:OCSP
 ERR_load_PKCS7_strings                  1548   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0
 X509_PUBKEY_get                         1549   3_0_0   EXIST::FUNCTION:
-EC_KEY_free                             1550   3_0_0   EXIST::FUNCTION:EC
+EC_KEY_free                             1550   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 BIO_read                                1551   3_0_0   EXIST::FUNCTION:
 EVP_PKEY_get_attr_by_NID                1552   3_0_0   EXIST::FUNCTION:
 BIO_get_accept_socket                   1553   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_1_1_0,SOCK
@@ -1629,7 +1629,7 @@ i2d_CMS_bio_stream                      1667      3_0_0   EXIST::FUNCTION:CMS
 DES_quad_cksum                          1668   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,DES
 X509_ATTRIBUTE_create_by_NID            1669   3_0_0   EXIST::FUNCTION:
 TS_VERIFY_CTX_free                      1670   3_0_0   EXIST::FUNCTION:TS
-EC_KEY_up_ref                           1671   3_0_0   EXIST::FUNCTION:EC
+EC_KEY_up_ref                           1671   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 EC_GROUP_get_basis_type                 1672   3_0_0   EXIST::FUNCTION:EC
 OCSP_crlID_new                          1673   3_0_0   EXIST:!VMS:FUNCTION:OCSP
 OCSP_crlID2_new                         1673   3_0_0   EXIST:VMS:FUNCTION:OCSP
@@ -1650,9 +1650,9 @@ OBJ_find_sigid_by_algs                  1687      3_0_0   EXIST::FUNCTION:
 ASN1_generate_nconf                     1688   3_0_0   EXIST::FUNCTION:
 CMS_add0_recipient_password             1689   3_0_0   EXIST::FUNCTION:CMS
 UI_get_string_type                      1690   3_0_0   EXIST::FUNCTION:
-PEM_read_bio_ECPrivateKey               1691   3_0_0   EXIST::FUNCTION:EC
+PEM_read_bio_ECPrivateKey               1691   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 EVP_PKEY_get_attr                       1692   3_0_0   EXIST::FUNCTION:
-PEM_read_bio_ECPKParameters             1693   3_0_0   EXIST::FUNCTION:EC
+PEM_read_bio_ECPKParameters             1693   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 d2i_PKCS12_MAC_DATA                     1694   3_0_0   EXIST::FUNCTION:
 ENGINE_ctrl_cmd                         1695   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
 PKCS12_SAFEBAG_get_bag_nid              1696   3_0_0   EXIST::FUNCTION:
@@ -1793,7 +1793,7 @@ EVP_MD_meth_set_update                  1835      3_0_0   EXIST::FUNCTION:DEPRECATEDIN_
 EVP_camellia_192_cbc                    1836   3_0_0   EXIST::FUNCTION:CAMELLIA
 OPENSSL_LH_stats_bio                    1837   3_0_0   EXIST::FUNCTION:
 PKCS7_set_signed_attributes             1838   3_0_0   EXIST::FUNCTION:
-EC_KEY_priv2buf                         1839   3_0_0   EXIST::FUNCTION:EC
+EC_KEY_priv2buf                         1839   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 BN_BLINDING_free                        1840   3_0_0   EXIST::FUNCTION:
 IPAddressChoice_new                     1841   3_0_0   EXIST::FUNCTION:RFC3779
 X509_CRL_get_ext_count                  1842   3_0_0   EXIST::FUNCTION:
@@ -1928,7 +1928,7 @@ NCONF_load_fp                           1973      3_0_0   EXIST::FUNCTION:STDIO
 i2d_OCSP_REQINFO                        1974   3_0_0   EXIST::FUNCTION:OCSP
 EVP_PKEY_sign                           1975   3_0_0   EXIST::FUNCTION:
 TS_REQ_get_ext_by_critical              1976   3_0_0   EXIST::FUNCTION:TS
-EC_KEY_key2buf                          1977   3_0_0   EXIST::FUNCTION:EC
+EC_KEY_key2buf                          1977   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 X509_EXTENSION_it                       1978   3_0_0   EXIST::FUNCTION:
 i2d_PKCS8_fp                            1979   3_0_0   EXIST::FUNCTION:STDIO
 UTF8_getc                               1980   3_0_0   EXIST::FUNCTION:
@@ -1972,7 +1972,7 @@ UI_dup_input_boolean                    2017      3_0_0   EXIST::FUNCTION:
 PKCS7_dup                               2018   3_0_0   EXIST::FUNCTION:
 i2d_TS_REQ_fp                           2019   3_0_0   EXIST::FUNCTION:STDIO,TS
 i2d_OTHERNAME                           2020   3_0_0   EXIST::FUNCTION:
-EC_KEY_get0_private_key                 2021   3_0_0   EXIST::FUNCTION:EC
+EC_KEY_get0_private_key                 2021   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 SCT_get0_extensions                     2022   3_0_0   EXIST::FUNCTION:CT
 OPENSSL_LH_node_stats_bio               2023   3_0_0   EXIST::FUNCTION:
 i2d_DIRECTORYSTRING                     2024   3_0_0   EXIST::FUNCTION:
@@ -1998,12 +1998,12 @@ PKCS7_SIGN_ENVELOPE_it                  2044    3_0_0   EXIST::FUNCTION:
 ASN1_d2i_fp                             2045   3_0_0   EXIST::FUNCTION:STDIO
 EVP_DecryptFinal                        2046   3_0_0   EXIST::FUNCTION:
 ASN1_ENUMERATED_it                      2047   3_0_0   EXIST::FUNCTION:
-o2i_ECPublicKey                         2048   3_0_0   EXIST::FUNCTION:EC
+o2i_ECPublicKey                         2048   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 ERR_load_BUF_strings                    2049   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0
 PEM_read_bio_RSA_PUBKEY                 2050   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0
 OCSP_SINGLERESP_new                     2051   3_0_0   EXIST::FUNCTION:OCSP
 ASN1_SCTX_free                          2052   3_0_0   EXIST::FUNCTION:
-i2d_ECPrivateKey_fp                     2053   3_0_0   EXIST::FUNCTION:EC,STDIO
+i2d_ECPrivateKey_fp                     2053   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC,STDIO
 EVP_CIPHER_CTX_original_iv              2054   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0
 PKCS7_SIGNED_free                       2055   3_0_0   EXIST::FUNCTION:
 X509_TRUST_get0_name                    2056   3_0_0   EXIST::FUNCTION:
@@ -2168,7 +2168,7 @@ CRYPTO_ccm128_decrypt_ccm64             2215      3_0_0   EXIST::FUNCTION:
 TS_RESP_CTX_set_clock_precision_digits  2216   3_0_0   EXIST::FUNCTION:TS
 SCT_LIST_validate                       2217   3_0_0   EXIST::FUNCTION:CT
 X509_PURPOSE_get_id                     2218   3_0_0   EXIST::FUNCTION:
-EC_KEY_get_ex_data                      2219   3_0_0   EXIST::FUNCTION:EC
+EC_KEY_get_ex_data                      2219   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 EVP_MD_size                             2220   3_0_0   EXIST::FUNCTION:
 CRYPTO_malloc                           2221   3_0_0   EXIST::FUNCTION:
 ERR_load_ASN1_strings                   2222   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0
@@ -2238,7 +2238,7 @@ SXNET_get_id_asc                        2285      3_0_0   EXIST::FUNCTION:
 SCT_set1_extensions                     2286   3_0_0   EXIST::FUNCTION:CT
 PKCS12_SAFEBAG_new                      2287   3_0_0   EXIST::FUNCTION:
 TS_TST_INFO_set_nonce                   2288   3_0_0   EXIST::FUNCTION:TS
-PEM_read_ECPrivateKey                   2289   3_0_0   EXIST::FUNCTION:EC,STDIO
+PEM_read_ECPrivateKey                   2289   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC,STDIO
 RSA_free                                2290   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0
 X509_CRL_INFO_new                       2291   3_0_0   EXIST::FUNCTION:
 AES_cfb8_encrypt                        2292   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0
@@ -2268,7 +2268,7 @@ PKCS7_ISSUER_AND_SERIAL_digest          2315      3_0_0   EXIST::FUNCTION:
 EVP_des_ofb                             2316   3_0_0   EXIST::FUNCTION:DES
 DSA_set_method                          2317   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,DSA
 EVP_PKEY_get1_RSA                       2318   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0
-EC_KEY_OpenSSL                          2319   3_0_0   EXIST::FUNCTION:EC
+EC_KEY_OpenSSL                          2319   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 EVP_camellia_192_ofb                    2320   3_0_0   EXIST::FUNCTION:CAMELLIA
 ASN1_STRING_length                      2321   3_0_0   EXIST::FUNCTION:
 PKCS7_set_digest                        2322   3_0_0   EXIST::FUNCTION:
@@ -2345,11 +2345,11 @@ BN_sqr                                  2393    3_0_0   EXIST::FUNCTION:
 TS_TST_INFO_set_time                    2394   3_0_0   EXIST::FUNCTION:TS
 OPENSSL_die                             2395   3_0_0   EXIST::FUNCTION:
 X509_LOOKUP_by_alias                    2396   3_0_0   EXIST::FUNCTION:
-EC_KEY_set_conv_form                    2397   3_0_0   EXIST::FUNCTION:EC
+EC_KEY_set_conv_form                    2397   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 X509_TRUST_get_count                    2399   3_0_0   EXIST::FUNCTION:
 IPAddressOrRange_free                   2400   3_0_0   EXIST::FUNCTION:RFC3779
 RSA_padding_add_PKCS1_OAEP              2401   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0
-EC_KEY_set_ex_data                      2402   3_0_0   EXIST::FUNCTION:EC
+EC_KEY_set_ex_data                      2402   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 SRP_VBASE_new                           2403   3_0_0   EXIST::FUNCTION:SRP
 i2d_ECDSA_SIG                           2404   3_0_0   EXIST::FUNCTION:EC
 BIO_dump_indent                         2405   3_0_0   EXIST::FUNCTION:
@@ -2393,7 +2393,7 @@ ASIdentifiers_new                       2443      3_0_0   EXIST::FUNCTION:RFC3779
 CONF_imodule_get_flags                  2444   3_0_0   EXIST::FUNCTION:
 PKCS12_SAFEBAG_it                       2445   3_0_0   EXIST::FUNCTION:
 EVP_CIPHER_meth_set_set_asn1_params     2446   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0
-EC_KEY_get_enc_flags                    2447   3_0_0   EXIST::FUNCTION:EC
+EC_KEY_get_enc_flags                    2447   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 X509_OBJECT_idx_by_subject              2448   3_0_0   EXIST::FUNCTION:
 EVP_PKEY_meth_copy                      2449   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0
 NETSCAPE_CERT_SEQUENCE_new              2450   3_0_0   EXIST::FUNCTION:
@@ -2488,7 +2488,7 @@ WHIRLPOOL                               2540      3_0_0   EXIST::FUNCTION:DEPRECATEDIN_
 UI_set_default_method                   2542   3_0_0   EXIST::FUNCTION:
 EC_POINT_is_at_infinity                 2543   3_0_0   EXIST::FUNCTION:EC
 i2d_NOTICEREF                           2544   3_0_0   EXIST::FUNCTION:
-EC_KEY_new                              2545   3_0_0   EXIST::FUNCTION:EC
+EC_KEY_new                              2545   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 EVP_chacha20                            2546   3_0_0   EXIST::FUNCTION:CHACHA
 BN_bn2dec                               2547   3_0_0   EXIST::FUNCTION:
 X509_REQ_print_ex                       2548   3_0_0   EXIST::FUNCTION:
@@ -2504,7 +2504,7 @@ X509_CRL_get0_signature                 2557      3_0_0   EXIST::FUNCTION:
 EVP_PKEY_CTX_get_keygen_info            2558   3_0_0   EXIST::FUNCTION:
 d2i_ASN1_UINTEGER                       2559   3_0_0   EXIST::FUNCTION:
 i2s_ASN1_INTEGER                        2560   3_0_0   EXIST::FUNCTION:
-d2i_EC_PUBKEY_fp                        2561   3_0_0   EXIST::FUNCTION:EC,STDIO
+d2i_EC_PUBKEY_fp                        2561   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC,STDIO
 i2d_OCSP_SIGNATURE                      2562   3_0_0   EXIST::FUNCTION:OCSP
 i2d_X509_EXTENSION                      2563   3_0_0   EXIST::FUNCTION:
 PEM_read_bio_X509                       2564   3_0_0   EXIST::FUNCTION:
@@ -2566,7 +2566,7 @@ CMS_get0_type                           2620      3_0_0   EXIST::FUNCTION:CMS
 ASN1_PCTX_free                          2621   3_0_0   EXIST::FUNCTION:
 ESS_SIGNING_CERT_new                    2622   3_0_0   EXIST::FUNCTION:
 X509V3_EXT_conf_nid                     2623   3_0_0   EXIST::FUNCTION:
-EC_KEY_check_key                        2624   3_0_0   EXIST::FUNCTION:EC
+EC_KEY_check_key                        2624   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 PKCS5_PBKDF2_HMAC                       2625   3_0_0   EXIST::FUNCTION:
 CONF_get_section                        2626   3_0_0   EXIST::FUNCTION:
 CMS_RecipientInfo_kari_decrypt          2627   3_0_0   EXIST::FUNCTION:CMS
@@ -2601,7 +2601,7 @@ OPENSSL_sk_new                          2656      3_0_0   EXIST::FUNCTION:
 BN_dup                                  2657   3_0_0   EXIST::FUNCTION:
 TS_MSG_IMPRINT_print_bio                2658   3_0_0   EXIST::FUNCTION:TS
 CONF_module_set_usr_data                2659   3_0_0   EXIST::FUNCTION:
-EC_KEY_generate_key                     2660   3_0_0   EXIST::FUNCTION:EC
+EC_KEY_generate_key                     2660   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 BIO_ctrl_get_write_guarantee            2661   3_0_0   EXIST::FUNCTION:
 EVP_PKEY_assign                         2662   3_0_0   EXIST::FUNCTION:
 EVP_aes_128_ofb                         2663   3_0_0   EXIST::FUNCTION:
@@ -2629,14 +2629,14 @@ TS_RESP_CTX_set_signer_cert             2685    3_0_0   EXIST::FUNCTION:TS
 X509V3_EXT_d2i                          2686   3_0_0   EXIST::FUNCTION:
 ASN1_GENERALSTRING_it                   2687   3_0_0   EXIST::FUNCTION:
 POLICYQUALINFO_free                     2688   3_0_0   EXIST::FUNCTION:
-EC_KEY_set_group                        2689   3_0_0   EXIST::FUNCTION:EC
+EC_KEY_set_group                        2689   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 OCSP_check_validity                     2690   3_0_0   EXIST::FUNCTION:OCSP
-PEM_write_ECPKParameters                2691   3_0_0   EXIST::FUNCTION:EC,STDIO
+PEM_write_ECPKParameters                2691   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC,STDIO
 X509_VERIFY_PARAM_lookup                2692   3_0_0   EXIST::FUNCTION:
 X509_LOOKUP_by_fingerprint              2693   3_0_0   EXIST::FUNCTION:
 EVP_CIPHER_meth_free                    2694   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0
 PKCS7_RECIP_INFO_new                    2695   3_0_0   EXIST::FUNCTION:
-d2i_ECPrivateKey_fp                     2696   3_0_0   EXIST::FUNCTION:EC,STDIO
+d2i_ECPrivateKey_fp                     2696   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC,STDIO
 TS_CONF_set_ordering                    2697   3_0_0   EXIST::FUNCTION:TS
 X509_CRL_get_ext                        2698   3_0_0   EXIST::FUNCTION:
 X509_CRL_get_ext_by_OBJ                 2699   3_0_0   EXIST::FUNCTION:
@@ -2742,13 +2742,13 @@ EC_GROUP_set_point_conversion_form      2801    3_0_0   EXIST::FUNCTION:EC
 CMS_dataFinal                           2802   3_0_0   EXIST::FUNCTION:CMS
 ASN1_TIME_it                            2803   3_0_0   EXIST::FUNCTION:
 ENGINE_get_static_state                 2804   3_0_0   EXIST::FUNCTION:ENGINE
-EC_KEY_set_asn1_flag                    2805   3_0_0   EXIST::FUNCTION:EC
+EC_KEY_set_asn1_flag                    2805   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 EC_GFp_mont_method                      2806   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 OPENSSL_asc2uni                         2807   3_0_0   EXIST::FUNCTION:
 TS_REQ_new                              2808   3_0_0   EXIST::FUNCTION:TS
 ENGINE_register_all_DH                  2809   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
 ERR_clear_error                         2810   3_0_0   EXIST::FUNCTION:
-EC_KEY_dup                              2811   3_0_0   EXIST::FUNCTION:EC
+EC_KEY_dup                              2811   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 X509_LOOKUP_init                        2812   3_0_0   EXIST::FUNCTION:
 i2b_PVK_bio                             2813   3_0_0   EXIST::FUNCTION:
 OCSP_ONEREQ_free                        2814   3_0_0   EXIST::FUNCTION:OCSP
@@ -2770,7 +2770,7 @@ X509_REQ_get_signature_nid              2830      3_0_0   EXIST::FUNCTION:
 TS_TST_INFO_get_ext                     2831   3_0_0   EXIST::FUNCTION:TS
 i2d_OCSP_RESPID                         2832   3_0_0   EXIST::FUNCTION:OCSP
 EVP_camellia_256_cfb8                   2833   3_0_0   EXIST::FUNCTION:CAMELLIA
-EC_KEY_get0_public_key                  2834   3_0_0   EXIST::FUNCTION:EC
+EC_KEY_get0_public_key                  2834   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 SRP_Calc_x                              2835   3_0_0   EXIST::FUNCTION:SRP
 a2i_ASN1_ENUMERATED                     2836   3_0_0   EXIST::FUNCTION:
 CONF_module_get_usr_data                2837   3_0_0   EXIST::FUNCTION:
@@ -2802,13 +2802,13 @@ BIO_socket_nbio                         2863    3_0_0   EXIST::FUNCTION:SOCK
 EVP_CIPHER_set_asn1_iv                  2864   3_0_0   EXIST::FUNCTION:
 EC_GFp_nistp224_method                  2865   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC,EC_NISTP_64_GCC_128
 BN_swap                                 2866   3_0_0   EXIST::FUNCTION:
-d2i_ECParameters                        2867   3_0_0   EXIST::FUNCTION:EC
+d2i_ECParameters                        2867   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 X509_NAME_add_entry_by_OBJ              2868   3_0_0   EXIST::FUNCTION:
 TS_TST_INFO_get_ext_count               2869   3_0_0   EXIST::FUNCTION:TS
 i2d_OCSP_CERTID                         2870   3_0_0   EXIST::FUNCTION:OCSP
 BN_CTX_start                            2871   3_0_0   EXIST::FUNCTION:
 BN_print                                2872   3_0_0   EXIST::FUNCTION:
-EC_KEY_set_flags                        2873   3_0_0   EXIST::FUNCTION:EC
+EC_KEY_set_flags                        2873   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 EVP_PKEY_get0                           2874   3_0_0   EXIST::FUNCTION:
 ENGINE_set_default                      2875   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
 NCONF_get_number_e                      2876   3_0_0   EXIST::FUNCTION:
@@ -2827,7 +2827,7 @@ POLICY_CONSTRAINTS_it                   2888      3_0_0   EXIST::FUNCTION:
 NCONF_free_data                         2889   3_0_0   EXIST::FUNCTION:
 BIO_asn1_set_prefix                     2890   3_0_0   EXIST::FUNCTION:
 PEM_SignUpdate                          2891   3_0_0   EXIST::FUNCTION:
-PEM_write_bio_EC_PUBKEY                 2892   3_0_0   EXIST::FUNCTION:EC
+PEM_write_bio_EC_PUBKEY                 2892   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 CMS_add_simple_smimecap                 2893   3_0_0   EXIST::FUNCTION:CMS
 IPAddressChoice_free                    2894   3_0_0   EXIST::FUNCTION:RFC3779
 d2i_X509_AUX                            2895   3_0_0   EXIST::FUNCTION:
@@ -2901,7 +2901,7 @@ BN_CTX_new                              2963      3_0_0   EXIST::FUNCTION:
 EC_curve_nid2nist                       2964   3_0_0   EXIST::FUNCTION:EC
 ENGINE_get_finish_function              2965   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
 EC_POINT_add                            2966   3_0_0   EXIST::FUNCTION:EC
-EC_KEY_oct2key                          2967   3_0_0   EXIST::FUNCTION:EC
+EC_KEY_oct2key                          2967   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 SHA384_Init                             2968   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0
 ASN1_UNIVERSALSTRING_new                2969   3_0_0   EXIST::FUNCTION:
 EVP_PKEY_print_private                  2970   3_0_0   EXIST::FUNCTION:
@@ -2952,7 +2952,7 @@ EVP_aes_128_gcm                         3015      3_0_0   EXIST::FUNCTION:
 BIO_dgram_non_fatal_error               3016   3_0_0   EXIST::FUNCTION:DGRAM
 OCSP_request_is_signed                  3017   3_0_0   EXIST::FUNCTION:OCSP
 i2d_BASIC_CONSTRAINTS                   3018   3_0_0   EXIST::FUNCTION:
-EC_KEY_get_method                       3019   3_0_0   EXIST::FUNCTION:EC
+EC_KEY_get_method                       3019   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 EC_POINT_bn2point                       3021   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 PBE2PARAM_it                            3022   3_0_0   EXIST::FUNCTION:
 BN_rand                                 3023   3_0_0   EXIST::FUNCTION:
@@ -3026,7 +3026,7 @@ TS_TST_INFO_set_version                 3090      3_0_0   EXIST::FUNCTION:TS
 PKCS12_get0_mac                         3091   3_0_0   EXIST::FUNCTION:
 EVP_EncodeInit                          3092   3_0_0   EXIST::FUNCTION:
 X509_get0_trust_objects                 3093   3_0_0   EXIST::FUNCTION:
-d2i_ECPrivateKey_bio                    3094   3_0_0   EXIST::FUNCTION:EC
+d2i_ECPrivateKey_bio                    3094   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 BIO_s_secmem                            3095   3_0_0   EXIST::FUNCTION:
 ENGINE_get_default_EC                   3096   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
 TS_RESP_create_response                 3097   3_0_0   EXIST::FUNCTION:TS
@@ -3110,7 +3110,7 @@ EVP_MD_CTX_update_fn                    3174      3_0_0   EXIST::FUNCTION:
 EVP_aes_128_ecb                         3175   3_0_0   EXIST::FUNCTION:
 i2d_PKCS7_bio_stream                    3176   3_0_0   EXIST::FUNCTION:
 i2a_ACCESS_DESCRIPTION                  3178   3_0_0   EXIST::FUNCTION:
-EC_KEY_set_enc_flags                    3179   3_0_0   EXIST::FUNCTION:EC
+EC_KEY_set_enc_flags                    3179   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 i2d_PUBKEY_fp                           3180   3_0_0   EXIST::FUNCTION:STDIO
 b2i_PrivateKey_bio                      3181   3_0_0   EXIST::FUNCTION:
 OCSP_REQUEST_add_ext                    3182   3_0_0   EXIST::FUNCTION:OCSP
@@ -3155,13 +3155,13 @@ OCSP_CERTID_free                        3220    3_0_0   EXIST::FUNCTION:OCSP
 BIO_hex_string                          3221   3_0_0   EXIST::FUNCTION:
 X509_REQ_sign_ctx                       3222   3_0_0   EXIST::FUNCTION:
 CRYPTO_ocb128_init                      3223   3_0_0   EXIST::FUNCTION:OCB
-EVP_PKEY_get1_EC_KEY                    3224   3_0_0   EXIST::FUNCTION:EC
+EVP_PKEY_get1_EC_KEY                    3224   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 ASN1_PRINTABLESTRING_free               3225   3_0_0   EXIST::FUNCTION:
 BIO_get_retry_reason                    3226   3_0_0   EXIST::FUNCTION:
 X509_NAME_print                         3227   3_0_0   EXIST::FUNCTION:
 ACCESS_DESCRIPTION_free                 3228   3_0_0   EXIST::FUNCTION:
 BN_nist_mod_384                         3229   3_0_0   EXIST::FUNCTION:
-i2d_EC_PUBKEY_fp                        3230   3_0_0   EXIST::FUNCTION:EC,STDIO
+i2d_EC_PUBKEY_fp                        3230   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC,STDIO
 ENGINE_set_default_pkey_meths           3231   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
 DH_bits                                 3232   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,DH
 i2d_X509_ALGORS                         3233   3_0_0   EXIST::FUNCTION:
@@ -3193,7 +3193,7 @@ ENGINE_setup_bsd_cryptodev              3258      3_0_0   EXIST:__FreeBSD__:FUNCTION:DE
 PEM_read_bio_DHparams                   3259   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,DH
 CMS_SharedInfo_encode                   3260   3_0_0   EXIST::FUNCTION:CMS
 ASN1_OBJECT_create                      3261   3_0_0   EXIST::FUNCTION:
-i2d_ECParameters                        3262   3_0_0   EXIST::FUNCTION:EC
+i2d_ECParameters                        3262   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 BN_GF2m_mod_arr                         3263   3_0_0   EXIST::FUNCTION:EC2M
 ENGINE_set_finish_function              3264   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
 d2i_ASN1_OCTET_STRING                   3265   3_0_0   EXIST::FUNCTION:
@@ -3226,7 +3226,7 @@ NETSCAPE_SPKI_set_pubkey                3292      3_0_0   EXIST::FUNCTION:
 EVP_sha512                              3293   3_0_0   EXIST::FUNCTION:
 X509_CRL_match                          3294   3_0_0   EXIST::FUNCTION:
 i2s_ASN1_IA5STRING                      3295   3_0_0   EXIST::FUNCTION:
-EC_KEY_get_default_method               3296   3_0_0   EXIST::FUNCTION:EC
+EC_KEY_get_default_method               3296   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 PKCS8_decrypt                           3297   3_0_0   EXIST::FUNCTION:
 EVP_PKEY_CTX_get_data                   3298   3_0_0   EXIST::FUNCTION:
 POLICYQUALINFO_it                       3299   3_0_0   EXIST::FUNCTION:
@@ -3248,7 +3248,7 @@ ASN1_STRING_dup                         3314      3_0_0   EXIST::FUNCTION:
 X509_LOOKUP_free                        3315   3_0_0   EXIST::FUNCTION:
 EC_GROUP_cmp                            3316   3_0_0   EXIST::FUNCTION:EC
 TS_TST_INFO_get_ext_by_critical         3317   3_0_0   EXIST::FUNCTION:TS
-ECParameters_print_fp                   3318   3_0_0   EXIST::FUNCTION:EC,STDIO
+ECParameters_print_fp                   3318   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC,STDIO
 X509_REQ_sign                           3319   3_0_0   EXIST::FUNCTION:
 CRYPTO_xts128_encrypt                   3320   3_0_0   EXIST::FUNCTION:
 PEM_def_callback                        3321   3_0_0   EXIST::FUNCTION:
@@ -3306,7 +3306,7 @@ RSA_padding_check_SSLv23                3373      3_0_0   EXIST::FUNCTION:DEPRECATEDIN_
 CRYPTO_gcm128_finish                    3374   3_0_0   EXIST::FUNCTION:
 PKCS12_SAFEBAGS_it                      3375   3_0_0   EXIST::FUNCTION:
 PKCS12_PBE_add                          3376   3_0_0   EXIST::FUNCTION:
-EC_KEY_set_public_key_affine_coordinates 3377  3_0_0   EXIST::FUNCTION:EC
+EC_KEY_set_public_key_affine_coordinates 3377  3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 EVP_EncryptInit_ex                      3378   3_0_0   EXIST::FUNCTION:
 ENGINE_add                              3379   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
 OPENSSL_LH_error                        3380   3_0_0   EXIST::FUNCTION:
@@ -3377,7 +3377,7 @@ BN_get_rfc3526_prime_2048               3448      3_0_0   EXIST::FUNCTION:
 BIO_new_bio_pair                        3449   3_0_0   EXIST::FUNCTION:
 EC_GFp_nistp256_method                  3450   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC,EC_NISTP_64_GCC_128
 BIO_method_type                         3451   3_0_0   EXIST::FUNCTION:
-ECPKParameters_print                    3452   3_0_0   EXIST::FUNCTION:EC
+ECPKParameters_print                    3452   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 EVP_rc4                                 3453   3_0_0   EXIST::FUNCTION:RC4
 CMS_data_create                         3454   3_0_0   EXIST::FUNCTION:CMS
 EC_POINT_point2bn                       3455   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
@@ -3385,7 +3385,7 @@ CMS_unsigned_get0_data_by_OBJ           3456      3_0_0   EXIST::FUNCTION:CMS
 ASN1_OCTET_STRING_cmp                   3457   3_0_0   EXIST::FUNCTION:
 X509_NAME_print_ex                      3458   3_0_0   EXIST::FUNCTION:
 ASN1_parse                              3459   3_0_0   EXIST::FUNCTION:
-EC_KEY_priv2oct                         3460   3_0_0   EXIST::FUNCTION:EC
+EC_KEY_priv2oct                         3460   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 PKCS7_simple_smimecap                   3461   3_0_0   EXIST::FUNCTION:
 ASN1_TYPE_set_int_octetstring           3462   3_0_0   EXIST::FUNCTION:
 BIO_number_written                      3463   3_0_0   EXIST::FUNCTION:
@@ -3432,7 +3432,7 @@ BIO_ADDR_rawport                        3503      3_0_0   EXIST::FUNCTION:SOCK
 BUF_MEM_grow_clean                      3504   3_0_0   EXIST::FUNCTION:
 X509_NAME_print_ex_fp                   3505   3_0_0   EXIST::FUNCTION:STDIO
 X509_check_host                         3506   3_0_0   EXIST::FUNCTION:
-PEM_read_ECPKParameters                 3507   3_0_0   EXIST::FUNCTION:EC,STDIO
+PEM_read_ECPKParameters                 3507   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC,STDIO
 X509_ATTRIBUTE_get0_data                3508   3_0_0   EXIST::FUNCTION:
 CMS_add1_signer                         3509   3_0_0   EXIST::FUNCTION:CMS
 BN_pseudo_rand                          3510   3_0_0   EXIST::FUNCTION:
@@ -3525,7 +3525,7 @@ CMS_get0_signers                        3602      3_0_0   EXIST::FUNCTION:CMS
 i2d_PrivateKey_fp                       3603   3_0_0   EXIST::FUNCTION:STDIO
 OTHERNAME_cmp                           3604   3_0_0   EXIST::FUNCTION:
 SMIME_write_PKCS7                       3605   3_0_0   EXIST::FUNCTION:
-EC_KEY_set_public_key                   3606   3_0_0   EXIST::FUNCTION:EC
+EC_KEY_set_public_key                   3606   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 d2i_X509_EXTENSION                      3607   3_0_0   EXIST::FUNCTION:
 CMS_add1_recipient_cert                 3608   3_0_0   EXIST::FUNCTION:CMS
 CMS_RecipientInfo_kekri_get0_id         3609   3_0_0   EXIST::FUNCTION:CMS
@@ -3535,7 +3535,7 @@ BN_is_prime_ex                          3612      3_0_0   EXIST::FUNCTION:DEPRECATEDIN_
 PKCS5_v2_PBE_keyivgen                   3613   3_0_0   EXIST::FUNCTION:
 CRYPTO_ctr128_encrypt                   3614   3_0_0   EXIST::FUNCTION:
 CMS_unsigned_add1_attr_by_OBJ           3615   3_0_0   EXIST::FUNCTION:CMS
-PEM_write_EC_PUBKEY                     3616   3_0_0   EXIST::FUNCTION:EC,STDIO
+PEM_write_EC_PUBKEY                     3616   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC,STDIO
 X509v3_asid_add_inherit                 3617   3_0_0   EXIST::FUNCTION:RFC3779
 ERR_get_error                           3618   3_0_0   EXIST::FUNCTION:
 TS_CONF_set_signer_digest               3619   3_0_0   EXIST::FUNCTION:TS
@@ -3611,7 +3611,7 @@ X509_VERIFY_PARAM_set1_ip               3691      3_0_0   EXIST::FUNCTION:
 OTHERNAME_free                          3692   3_0_0   EXIST::FUNCTION:
 OCSP_REVOKEDINFO_free                   3693   3_0_0   EXIST::FUNCTION:OCSP
 EVP_CIPHER_CTX_encrypting               3694   3_0_0   EXIST::FUNCTION:
-EC_KEY_can_sign                         3695   3_0_0   EXIST::FUNCTION:EC
+EC_KEY_can_sign                         3695   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 PEM_write_bio_RSAPublicKey              3696   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0
 X509_CRL_set1_lastUpdate                3697   3_0_0   EXIST::FUNCTION:
 OCSP_sendreq_nbio                       3698   3_0_0   EXIST::FUNCTION:OCSP
@@ -3647,7 +3647,7 @@ DES_set_key_checked                     3727      3_0_0   EXIST::FUNCTION:DEPRECATEDIN_
 EVP_PKEY_meth_free                      3728   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0
 EVP_sha224                              3729   3_0_0   EXIST::FUNCTION:
 ENGINE_set_id                           3730   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
-d2i_ECPrivateKey                        3731   3_0_0   EXIST::FUNCTION:EC
+d2i_ECPrivateKey                        3731   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 CMS_signed_add1_attr_by_NID             3732   3_0_0   EXIST::FUNCTION:CMS
 i2d_DSAPrivateKey_fp                    3733   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,DSA,STDIO
 EVP_CIPHER_meth_get_set_asn1_params     3734   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0
@@ -3701,7 +3701,7 @@ EC_GROUP_new_curve_GFp                  3782      3_0_0   EXIST::FUNCTION:EC
 UI_new_method                           3783   3_0_0   EXIST::FUNCTION:
 Camellia_ofb128_encrypt                 3784   3_0_0   EXIST::FUNCTION:CAMELLIA,DEPRECATEDIN_3_0
 X509_new                                3785   3_0_0   EXIST::FUNCTION:
-EC_KEY_get_conv_form                    3786   3_0_0   EXIST::FUNCTION:EC
+EC_KEY_get_conv_form                    3786   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 CTLOG_STORE_get0_log_by_id              3787   3_0_0   EXIST::FUNCTION:CT
 CMS_signed_add1_attr                    3788   3_0_0   EXIST::FUNCTION:CMS
 EVP_CIPHER_meth_set_iv_length           3789   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0
@@ -3746,14 +3746,14 @@ d2i_AUTHORITY_KEYID                     3828    3_0_0   EXIST::FUNCTION:
 RIPEMD160_Transform                     3829   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,RMD160
 DES_random_key                          3830   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,DES
 i2d_PKCS12_MAC_DATA                     3831   3_0_0   EXIST::FUNCTION:
-EVP_PKEY_get0_EC_KEY                    3832   3_0_0   EXIST::FUNCTION:EC
+EVP_PKEY_get0_EC_KEY                    3832   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 ASN1_SCTX_get_item                      3833   3_0_0   EXIST::FUNCTION:
 NOTICEREF_new                           3834   3_0_0   EXIST::FUNCTION:
 BN_GF2m_mod_inv                         3835   3_0_0   EXIST::FUNCTION:EC2M
 X509_CERT_AUX_free                      3836   3_0_0   EXIST::FUNCTION:
 BN_GF2m_mod_inv_arr                     3837   3_0_0   EXIST::FUNCTION:EC2M
 X509_REQ_get1_email                     3838   3_0_0   EXIST::FUNCTION:
-EC_KEY_print                            3839   3_0_0   EXIST::FUNCTION:EC
+EC_KEY_print                            3839   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 i2d_ASN1_INTEGER                        3840   3_0_0   EXIST::FUNCTION:
 OCSP_SINGLERESP_add1_ext_i2d            3841   3_0_0   EXIST::FUNCTION:OCSP
 PKCS7_add_signed_attribute              3842   3_0_0   EXIST::FUNCTION:
@@ -3772,7 +3772,7 @@ d2i_OCSP_ONEREQ                         3854      3_0_0   EXIST::FUNCTION:OCSP
 EVP_PKEY_asn1_set_security_bits         3855   3_0_0   EXIST::FUNCTION:
 i2d_CERTIFICATEPOLICIES                 3856   3_0_0   EXIST::FUNCTION:
 i2d_X509_CERT_AUX                       3857   3_0_0   EXIST::FUNCTION:
-i2o_ECPublicKey                         3858   3_0_0   EXIST::FUNCTION:EC
+i2o_ECPublicKey                         3858   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 PKCS12_SAFEBAG_create0_pkcs8            3859   3_0_0   EXIST::FUNCTION:
 OBJ_get0_data                           3860   3_0_0   EXIST::FUNCTION:
 EC_GROUP_get0_seed                      3861   3_0_0   EXIST::FUNCTION:EC
@@ -4114,7 +4114,7 @@ EVP_aria_256_ctr                        4203      3_0_0   EXIST::FUNCTION:ARIA
 EVP_aria_128_ctr                        4204   3_0_0   EXIST::FUNCTION:ARIA
 EVP_aria_192_ctr                        4205   3_0_0   EXIST::FUNCTION:ARIA
 UI_null                                 4206   3_0_0   EXIST::FUNCTION:
-EC_KEY_get0_engine                      4207   3_0_0   EXIST::FUNCTION:EC
+EC_KEY_get0_engine                      4207   3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 INT32_it                                4208   3_0_0   EXIST::FUNCTION:
 UINT64_it                               4209   3_0_0   EXIST::FUNCTION:
 ZINT32_it                               4210   3_0_0   EXIST::FUNCTION:
@@ -5084,8 +5084,8 @@ OSSL_PROVIDER_query_operation           ? 3_0_0   EXIST::FUNCTION:
 OSSL_PROVIDER_get0_provider_ctx         ?      3_0_0   EXIST::FUNCTION:
 OSSL_PROVIDER_get_capabilities          ?      3_0_0   EXIST::FUNCTION:
 EC_GROUP_new_by_curve_name_ex           ?      3_0_0   EXIST::FUNCTION:EC
-EC_KEY_new_ex                           ?      3_0_0   EXIST::FUNCTION:EC
-EC_KEY_new_by_curve_name_ex             ?      3_0_0   EXIST::FUNCTION:EC
+EC_KEY_new_ex                           ?      3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
+EC_KEY_new_by_curve_name_ex             ?      3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 OSSL_LIB_CTX_set0_default               ?      3_0_0   EXIST::FUNCTION:
 PEM_X509_INFO_read_bio_ex               ?      3_0_0   EXIST::FUNCTION:
 PEM_X509_INFO_read_ex                   ?      3_0_0   EXIST::FUNCTION:STDIO
@@ -5232,7 +5232,7 @@ CMS_AuthEnvelopedData_create_ex         ? 3_0_0   EXIST::FUNCTION:CMS
 EVP_PKEY_CTX_set_ec_param_enc           ?      3_0_0   EXIST::FUNCTION:
 EVP_PKEY_get0_first_alg_name            ?      3_0_0   EXIST::FUNCTION:
 EVP_KEYMGMT_get0_first_name             ?      3_0_0   EXIST::FUNCTION:
-EC_KEY_decoded_from_explicit_params     ?      3_0_0   EXIST::FUNCTION:EC
+EC_KEY_decoded_from_explicit_params     ?      3_0_0   EXIST::FUNCTION:DEPRECATEDIN_3_0,EC
 EVP_KEM_free                            ?      3_0_0   EXIST::FUNCTION:
 EVP_KEM_up_ref                          ?      3_0_0   EXIST::FUNCTION:
 EVP_KEM_provider                        ?      3_0_0   EXIST::FUNCTION: