From: Pauli <paul.dale@oracle.com>
Date: Tue, 20 Oct 2020 03:32:57 +0000 (+1000)
Subject: dsa: provider and library deprecation changes
X-Git-Tag: openssl-3.0.0-alpha10~32
X-Git-Url: https://git.openssl.org/?p=openssl.git;a=commitdiff_plain;h=52c8535a73c575e5ac5f742c35b4fa65ed5df0dc

dsa: provider and library deprecation changes

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13638)
---

diff --git a/crypto/dsa/dsa_backend.c b/crypto/dsa/dsa_backend.c
index 461cb187dd..4809b3100b 100644
--- a/crypto/dsa/dsa_backend.c
+++ b/crypto/dsa/dsa_backend.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * DSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <openssl/core_names.h>
 #include "crypto/dsa.h"
 
diff --git a/crypto/dsa/dsa_check.c b/crypto/dsa/dsa_check.c
index 0d38340840..9a1b129df8 100644
--- a/crypto/dsa/dsa_check.c
+++ b/crypto/dsa/dsa_check.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * DSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include <openssl/bn.h>
diff --git a/crypto/dsa/dsa_meth.c b/crypto/dsa/dsa_meth.c
index b811bf2c33..2f0a0bf460 100644
--- a/crypto/dsa/dsa_meth.c
+++ b/crypto/dsa/dsa_meth.c
@@ -8,12 +8,10 @@
  */
 
 /*
- * Licensed under the Apache License 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- * https://www.openssl.org/source/license.html
- * or in the file LICENSE in the source distribution.
+ * DSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
  */
+#include "internal/deprecated.h"
 
 #include "dsa_local.h"
 #include <string.h>
diff --git a/include/openssl/dsa.h b/include/openssl/dsa.h
index 8b4696fabc..681058597b 100644
--- a/include/openssl/dsa.h
+++ b/include/openssl/dsa.h
@@ -58,6 +58,14 @@ int EVP_PKEY_CTX_set_dsa_paramgen_md(EVP_PKEY_CTX *ctx, const EVP_MD *md);
 
 #  define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024
 
+typedef struct DSA_SIG_st DSA_SIG;
+DSA_SIG *DSA_SIG_new(void);
+void DSA_SIG_free(DSA_SIG *a);
+DECLARE_ASN1_ENCODE_FUNCTIONS_only(DSA_SIG, DSA_SIG)
+void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
+int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s);
+
+
 #  ifndef OPENSSL_NO_DEPRECATED_1_1_0
 /*
  * Does nothing. Previously this switched off constant time behaviour.
@@ -85,103 +93,97 @@ int EVP_PKEY_CTX_set_dsa_paramgen_md(EVP_PKEY_CTX *ctx, const EVP_MD *md);
 
 #   define DSA_FLAG_NON_FIPS_ALLOW                 0x0400
 #   define DSA_FLAG_FIPS_CHECKED                   0x0800
-#  endif    /* OPENSSL_NO_DEPRECATED_3_0 */
 
 /* Already defined in ossl_typ.h */
 /* typedef struct dsa_st DSA; */
 /* typedef struct dsa_method DSA_METHOD; */
 
-typedef struct DSA_SIG_st DSA_SIG;
-
 /*
  * TODO(3.0): consider removing the ASN.1 encoding and decoding when
  * deserialization is completed elsewhere.
  */
-#  define d2i_DSAparams_fp(fp, x) \
+#   define d2i_DSAparams_fp(fp, x) \
         (DSA *)ASN1_d2i_fp((char *(*)())DSA_new, \
                            (char *(*)())d2i_DSAparams, (fp), \
                            (unsigned char **)(x))
-#  define i2d_DSAparams_fp(fp, x) \
+#   define i2d_DSAparams_fp(fp, x) \
         ASN1_i2d_fp(i2d_DSAparams, (fp), (unsigned char *)(x))
-#  define d2i_DSAparams_bio(bp, x) \
+#   define d2i_DSAparams_bio(bp, x) \
         ASN1_d2i_bio_of(DSA, DSA_new, d2i_DSAparams, bp, x)
-#  define i2d_DSAparams_bio(bp, x) \
+#   define i2d_DSAparams_bio(bp, x) \
         ASN1_i2d_bio_of(DSA, i2d_DSAparams, bp, x)
 
-DECLARE_ASN1_DUP_FUNCTION_name(DSA, DSAparams)
-DSA_SIG *DSA_SIG_new(void);
-void DSA_SIG_free(DSA_SIG *a);
-DECLARE_ASN1_ENCODE_FUNCTIONS_only(DSA_SIG, DSA_SIG)
-void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
-int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s);
-
-DEPRECATEDIN_3_0(DSA_SIG *DSA_do_sign(const unsigned char *dgst, int dlen,
-                                      DSA *dsa))
-DEPRECATEDIN_3_0(int DSA_do_verify(const unsigned char *dgst, int dgst_len,
-                                   DSA_SIG *sig, DSA *dsa))
+DECLARE_ASN1_DUP_FUNCTION_name_attr(OSSL_DEPRECATEDIN_3_0, DSA, DSAparams)
+OSSL_DEPRECATEDIN_3_0 DSA_SIG *DSA_do_sign(const unsigned char *dgst, int dlen,
+                                           DSA *dsa);
+OSSL_DEPRECATEDIN_3_0 int DSA_do_verify(const unsigned char *dgst, int dgst_len,
+                                        DSA_SIG *sig, DSA *dsa);
 
-DEPRECATEDIN_3_0(const DSA_METHOD *DSA_OpenSSL(void))
+OSSL_DEPRECATEDIN_3_0 const DSA_METHOD *DSA_OpenSSL(void);
 
-DEPRECATEDIN_3_0(void DSA_set_default_method(const DSA_METHOD *))
-DEPRECATEDIN_3_0(const DSA_METHOD *DSA_get_default_method(void))
-DEPRECATEDIN_3_0(int DSA_set_method(DSA *dsa, const DSA_METHOD *))
-DEPRECATEDIN_3_0(const DSA_METHOD *DSA_get_method(DSA *d))
+OSSL_DEPRECATEDIN_3_0 void DSA_set_default_method(const DSA_METHOD *);
+OSSL_DEPRECATEDIN_3_0 const DSA_METHOD *DSA_get_default_method(void);
+OSSL_DEPRECATEDIN_3_0 int DSA_set_method(DSA *dsa, const DSA_METHOD *);
+OSSL_DEPRECATEDIN_3_0 const DSA_METHOD *DSA_get_method(DSA *d);
 
-DSA *DSA_new(void);
-DEPRECATEDIN_3_0(DSA *DSA_new_method(ENGINE *engine))
-void DSA_free(DSA *r);
+OSSL_DEPRECATEDIN_3_0 DSA *DSA_new(void);
+OSSL_DEPRECATEDIN_3_0 DSA *DSA_new_method(ENGINE *engine);
+OSSL_DEPRECATEDIN_3_0 void DSA_free(DSA *r);
 /* "up" the DSA object's reference count */
-int DSA_up_ref(DSA *r);
-DEPRECATEDIN_3_0(int DSA_size(const DSA *))
-int DSA_bits(const DSA *d);
-DEPRECATEDIN_3_0(int DSA_security_bits(const DSA *d))
+OSSL_DEPRECATEDIN_3_0 int DSA_up_ref(DSA *r);
+OSSL_DEPRECATEDIN_3_0 int DSA_size(const DSA *);
+OSSL_DEPRECATEDIN_3_0 int DSA_bits(const DSA *d);
+OSSL_DEPRECATEDIN_3_0 int DSA_security_bits(const DSA *d);
         /* next 4 return -1 on error */
-DEPRECATEDIN_3_0(int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp,
-                                    BIGNUM **rp))
-DEPRECATEDIN_3_0(int DSA_sign(int type, const unsigned char *dgst, int dlen,
-                              unsigned char *sig, unsigned int *siglen,
-                              DSA *dsa))
-DEPRECATEDIN_3_0(int DSA_verify(int type, const unsigned char *dgst,
-                                int dgst_len, const unsigned char *sigbuf,
-                                int siglen, DSA *dsa))
-#  ifndef OPENSSL_NO_DEPRECATED_3_0
+OSSL_DEPRECATEDIN_3_0 int DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in,
+                                         BIGNUM **kinvp, BIGNUM **rp);
+OSSL_DEPRECATEDIN_3_0 int DSA_sign(int type, const unsigned char *dgst,
+                                   int dlen, unsigned char *sig,
+                                   unsigned int *siglen, DSA *dsa);
+OSSL_DEPRECATEDIN_3_0 int DSA_verify(int type, const unsigned char *dgst,
+                                     int dgst_len, const unsigned char *sigbuf,
+                                     int siglen, DSA *dsa);
+
 #   define DSA_get_ex_new_index(l, p, newf, dupf, freef) \
         CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_DSA, l, p, newf, dupf, freef)
+OSSL_DEPRECATEDIN_3_0 int DSA_set_ex_data(DSA *d, int idx, void *arg);
+OSSL_DEPRECATEDIN_3_0 void *DSA_get_ex_data(const DSA *d, int idx);
+
+DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(OSSL_DEPRECATEDIN_3_0,
+                                        DSA, DSAPublicKey)
+DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(OSSL_DEPRECATEDIN_3_0,
+                                        DSA, DSAPrivateKey)
+DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(OSSL_DEPRECATEDIN_3_0,
+                                        DSA, DSAparams)
 #  endif
-DEPRECATEDIN_3_0(int DSA_set_ex_data(DSA *d, int idx, void *arg))
-DEPRECATEDIN_3_0(void *DSA_get_ex_data(const DSA *d, int idx))
-
-DECLARE_ASN1_ENCODE_FUNCTIONS_only(DSA, DSAPublicKey)
-DECLARE_ASN1_ENCODE_FUNCTIONS_only(DSA, DSAPrivateKey)
-DECLARE_ASN1_ENCODE_FUNCTIONS_only(DSA, DSAparams)
 
+#  ifndef OPENSSL_NO_DEPRECATED_0_9_8
 /* Deprecated version */
-DEPRECATEDIN_0_9_8(DSA *DSA_generate_parameters(int bits,
-                                                unsigned char *seed,
-                                                int seed_len,
-                                                int *counter_ret,
-                                                unsigned long *h_ret, void
-                                                 (*callback) (int, int,
-                                                              void *),
-                                                void *cb_arg))
-
-/* New version */
-DEPRECATEDIN_3_0(int DSA_generate_parameters_ex(DSA *dsa, int bits,
-                                                const unsigned char *seed,
-                                                int seed_len, int *counter_ret,
-                                                unsigned long *h_ret,
-                                                BN_GENCB *cb))
-
-DEPRECATEDIN_3_0(int DSA_generate_key(DSA *a))
-
-DEPRECATEDIN_3_0(int DSAparams_print(BIO *bp, const DSA *x))
-DEPRECATEDIN_3_0(int DSA_print(BIO *bp, const DSA *x, int off))
-#  ifndef OPENSSL_NO_STDIO
-DEPRECATEDIN_3_0(int DSAparams_print_fp(FILE *fp, const DSA *x))
-DEPRECATEDIN_3_0(int DSA_print_fp(FILE *bp, const DSA *x, int off))
+OSSL_DEPRECATEDIN_0_9_8
+DSA *DSA_generate_parameters(int bits, unsigned char *seed, int seed_len,
+                             int *counter_ret, unsigned long *h_ret,
+                             void (*callback) (int, int, void *),
+                             void *cb_arg);
 #  endif
 
 #  ifndef OPENSSL_NO_DEPRECATED_3_0
+/* New version */
+OSSL_DEPRECATEDIN_3_0 int DSA_generate_parameters_ex(DSA *dsa, int bits,
+                                                     const unsigned char *seed,
+                                                     int seed_len,
+                                                     int *counter_ret,
+                                                     unsigned long *h_ret,
+                                                     BN_GENCB *cb);
+
+OSSL_DEPRECATEDIN_3_0 int DSA_generate_key(DSA *a);
+
+OSSL_DEPRECATEDIN_3_0 int DSAparams_print(BIO *bp, const DSA *x);
+OSSL_DEPRECATEDIN_3_0 int DSA_print(BIO *bp, const DSA *x, int off);
+#   ifndef OPENSSL_NO_STDIO
+OSSL_DEPRECATEDIN_3_0 int DSAparams_print_fp(FILE *fp, const DSA *x);
+OSSL_DEPRECATEDIN_3_0 int DSA_print_fp(FILE *bp, const DSA *x, int off);
+#   endif
+
 #   define DSS_prime_checks 64
 /*
  * Primality test according to FIPS PUB 186-4, Appendix C.3. Since we only
@@ -191,79 +193,85 @@ DEPRECATEDIN_3_0(int DSA_print_fp(FILE *bp, const DSA *x, int off))
  */
 #   define DSA_is_prime(n, callback, cb_arg) \
             BN_is_prime(n, DSS_prime_checks, callback, NULL, cb_arg)
-#  endif
 
-#  ifndef OPENSSL_NO_DH
+#   ifndef OPENSSL_NO_DH
 /*
  * Convert DSA structure (key or just parameters) into DH structure (be
  * careful to avoid small subgroup attacks when using this!)
  */
-DEPRECATEDIN_3_0(DH *DSA_dup_DH(const DSA *r))
-#  endif
-
-void DSA_get0_pqg(const DSA *d,
-                  const BIGNUM **p, const BIGNUM **q, const BIGNUM **g);
-int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g);
-void DSA_get0_key(const DSA *d,
-                  const BIGNUM **pub_key, const BIGNUM **priv_key);
-int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key);
-const BIGNUM *DSA_get0_p(const DSA *d);
-const BIGNUM *DSA_get0_q(const DSA *d);
-const BIGNUM *DSA_get0_g(const DSA *d);
-const BIGNUM *DSA_get0_pub_key(const DSA *d);
-const BIGNUM *DSA_get0_priv_key(const DSA *d);
-void DSA_clear_flags(DSA *d, int flags);
-int DSA_test_flags(const DSA *d, int flags);
-void DSA_set_flags(DSA *d, int flags);
-DEPRECATEDIN_3_0(ENGINE *DSA_get0_engine(DSA *d))
-
-DEPRECATEDIN_3_0(DSA_METHOD *DSA_meth_new(const char *name, int flags))
-DEPRECATEDIN_3_0(void DSA_meth_free(DSA_METHOD *dsam))
-DEPRECATEDIN_3_0(DSA_METHOD *DSA_meth_dup(const DSA_METHOD *dsam))
-DEPRECATEDIN_3_0(const char *DSA_meth_get0_name(const DSA_METHOD *dsam))
-DEPRECATEDIN_3_0(int DSA_meth_set1_name(DSA_METHOD *dsam, const char *name))
-DEPRECATEDIN_3_0(int DSA_meth_get_flags(const DSA_METHOD *dsam))
-DEPRECATEDIN_3_0(int DSA_meth_set_flags(DSA_METHOD *dsam, int flags))
-DEPRECATEDIN_3_0(void *DSA_meth_get0_app_data(const DSA_METHOD *dsam))
-DEPRECATEDIN_3_0(int DSA_meth_set0_app_data(DSA_METHOD *dsam, void *app_data))
-DEPRECATEDIN_3_0(DSA_SIG *(*DSA_meth_get_sign(const DSA_METHOD *dsam))
-        (const unsigned char *, int, DSA *))
-DEPRECATEDIN_3_0(int DSA_meth_set_sign(DSA_METHOD *dsam,
-                       DSA_SIG *(*sign) (const unsigned char *, int, DSA *)))
-DEPRECATEDIN_3_0(int (*DSA_meth_get_sign_setup(const DSA_METHOD *dsam))
-        (DSA *, BN_CTX *, BIGNUM **, BIGNUM **))
-DEPRECATEDIN_3_0(int DSA_meth_set_sign_setup(DSA_METHOD *dsam,
-        int (*sign_setup) (DSA *, BN_CTX *, BIGNUM **, BIGNUM **)))
-DEPRECATEDIN_3_0(int (*DSA_meth_get_verify(const DSA_METHOD *dsam))
-        (const unsigned char *, int, DSA_SIG *, DSA *))
-DEPRECATEDIN_3_0(int DSA_meth_set_verify(DSA_METHOD *dsam,
-    int (*verify) (const unsigned char *, int, DSA_SIG *, DSA *)))
-DEPRECATEDIN_3_0(int (*DSA_meth_get_mod_exp(const DSA_METHOD *dsam))
+OSSL_DEPRECATEDIN_3_0 DH *DSA_dup_DH(const DSA *r);
+#   endif
+
+OSSL_DEPRECATEDIN_3_0 void DSA_get0_pqg(const DSA *d, const BIGNUM **p,
+                                        const BIGNUM **q, const BIGNUM **g);
+OSSL_DEPRECATEDIN_3_0 int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g);
+OSSL_DEPRECATEDIN_3_0 void DSA_get0_key(const DSA *d, const BIGNUM **pub_key,
+                                        const BIGNUM **priv_key);
+OSSL_DEPRECATEDIN_3_0 int DSA_set0_key(DSA *d, BIGNUM *pub_key,
+                                       BIGNUM *priv_key);
+OSSL_DEPRECATEDIN_3_0 const BIGNUM *DSA_get0_p(const DSA *d);
+OSSL_DEPRECATEDIN_3_0 const BIGNUM *DSA_get0_q(const DSA *d);
+OSSL_DEPRECATEDIN_3_0 const BIGNUM *DSA_get0_g(const DSA *d);
+OSSL_DEPRECATEDIN_3_0 const BIGNUM *DSA_get0_pub_key(const DSA *d);
+OSSL_DEPRECATEDIN_3_0 const BIGNUM *DSA_get0_priv_key(const DSA *d);
+OSSL_DEPRECATEDIN_3_0 void DSA_clear_flags(DSA *d, int flags);
+OSSL_DEPRECATEDIN_3_0 int DSA_test_flags(const DSA *d, int flags);
+OSSL_DEPRECATEDIN_3_0 void DSA_set_flags(DSA *d, int flags);
+OSSL_DEPRECATEDIN_3_0 ENGINE *DSA_get0_engine(DSA *d);
+
+OSSL_DEPRECATEDIN_3_0 DSA_METHOD *DSA_meth_new(const char *name, int flags);
+OSSL_DEPRECATEDIN_3_0 void DSA_meth_free(DSA_METHOD *dsam);
+OSSL_DEPRECATEDIN_3_0 DSA_METHOD *DSA_meth_dup(const DSA_METHOD *dsam);
+OSSL_DEPRECATEDIN_3_0 const char *DSA_meth_get0_name(const DSA_METHOD *dsam);
+OSSL_DEPRECATEDIN_3_0 int DSA_meth_set1_name(DSA_METHOD *dsam,
+                                             const char *name);
+OSSL_DEPRECATEDIN_3_0 int DSA_meth_get_flags(const DSA_METHOD *dsam);
+OSSL_DEPRECATEDIN_3_0 int DSA_meth_set_flags(DSA_METHOD *dsam, int flags);
+OSSL_DEPRECATEDIN_3_0 void *DSA_meth_get0_app_data(const DSA_METHOD *dsam);
+OSSL_DEPRECATEDIN_3_0 int DSA_meth_set0_app_data(DSA_METHOD *dsam,
+                                                 void *app_data);
+OSSL_DEPRECATEDIN_3_0 DSA_SIG *(*DSA_meth_get_sign(const DSA_METHOD *dsam))
+        (const unsigned char *, int, DSA *);
+OSSL_DEPRECATEDIN_3_0 int DSA_meth_set_sign(DSA_METHOD *dsam,
+                       DSA_SIG *(*sign) (const unsigned char *, int, DSA *));
+OSSL_DEPRECATEDIN_3_0 int (*DSA_meth_get_sign_setup(const DSA_METHOD *dsam))
+        (DSA *, BN_CTX *, BIGNUM **, BIGNUM **);
+OSSL_DEPRECATEDIN_3_0 int DSA_meth_set_sign_setup(DSA_METHOD *dsam,
+        int (*sign_setup) (DSA *, BN_CTX *, BIGNUM **, BIGNUM **));
+OSSL_DEPRECATEDIN_3_0 int (*DSA_meth_get_verify(const DSA_METHOD *dsam))
+        (const unsigned char *, int, DSA_SIG *, DSA *);
+OSSL_DEPRECATEDIN_3_0 int DSA_meth_set_verify(DSA_METHOD *dsam,
+    int (*verify) (const unsigned char *, int, DSA_SIG *, DSA *));
+OSSL_DEPRECATEDIN_3_0 int (*DSA_meth_get_mod_exp(const DSA_METHOD *dsam))
         (DSA *, BIGNUM *, const BIGNUM *, const BIGNUM *, const BIGNUM *,
-         const BIGNUM *, const BIGNUM *, BN_CTX *, BN_MONT_CTX *))
-DEPRECATEDIN_3_0(int DSA_meth_set_mod_exp(DSA_METHOD *dsam,
+         const BIGNUM *, const BIGNUM *, BN_CTX *, BN_MONT_CTX *);
+OSSL_DEPRECATEDIN_3_0 int DSA_meth_set_mod_exp(DSA_METHOD *dsam,
     int (*mod_exp) (DSA *, BIGNUM *, const BIGNUM *, const BIGNUM *,
                     const BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *,
-                    BN_MONT_CTX *)))
-DEPRECATEDIN_3_0(int (*DSA_meth_get_bn_mod_exp(const DSA_METHOD *dsam))
+                    BN_MONT_CTX *));
+OSSL_DEPRECATEDIN_3_0 int (*DSA_meth_get_bn_mod_exp(const DSA_METHOD *dsam))
     (DSA *, BIGNUM *, const BIGNUM *, const BIGNUM *, const BIGNUM *,
-     BN_CTX *, BN_MONT_CTX *))
-DEPRECATEDIN_3_0(int DSA_meth_set_bn_mod_exp(DSA_METHOD *dsam,
+     BN_CTX *, BN_MONT_CTX *);
+OSSL_DEPRECATEDIN_3_0 int DSA_meth_set_bn_mod_exp(DSA_METHOD *dsam,
     int (*bn_mod_exp) (DSA *, BIGNUM *, const BIGNUM *, const BIGNUM *,
-                       const BIGNUM *, BN_CTX *, BN_MONT_CTX *)))
-DEPRECATEDIN_3_0(int (*DSA_meth_get_init(const DSA_METHOD *dsam))(DSA *))
-DEPRECATEDIN_3_0(int DSA_meth_set_init(DSA_METHOD *dsam, int (*init)(DSA *)))
-DEPRECATEDIN_3_0(int (*DSA_meth_get_finish(const DSA_METHOD *dsam)) (DSA *))
-DEPRECATEDIN_3_0(int DSA_meth_set_finish(DSA_METHOD *dsam, int (*finish) (DSA *)))
-DEPRECATEDIN_3_0(int (*DSA_meth_get_paramgen(const DSA_METHOD *dsam))
+                       const BIGNUM *, BN_CTX *, BN_MONT_CTX *));
+OSSL_DEPRECATEDIN_3_0 int (*DSA_meth_get_init(const DSA_METHOD *dsam))(DSA *);
+OSSL_DEPRECATEDIN_3_0 int DSA_meth_set_init(DSA_METHOD *dsam,
+                                            int (*init)(DSA *));
+OSSL_DEPRECATEDIN_3_0 int (*DSA_meth_get_finish(const DSA_METHOD *dsam))(DSA *);
+OSSL_DEPRECATEDIN_3_0 int DSA_meth_set_finish(DSA_METHOD *dsam,
+                                              int (*finish)(DSA *));
+OSSL_DEPRECATEDIN_3_0 int (*DSA_meth_get_paramgen(const DSA_METHOD *dsam))
         (DSA *, int, const unsigned char *, int, int *, unsigned long *,
-         BN_GENCB *))
-DEPRECATEDIN_3_0(int DSA_meth_set_paramgen(DSA_METHOD *dsam,
+         BN_GENCB *);
+OSSL_DEPRECATEDIN_3_0 int DSA_meth_set_paramgen(DSA_METHOD *dsam,
         int (*paramgen) (DSA *, int, const unsigned char *, int, int *,
-                         unsigned long *, BN_GENCB *)))
-DEPRECATEDIN_3_0(int (*DSA_meth_get_keygen(const DSA_METHOD *dsam)) (DSA *))
-DEPRECATEDIN_3_0(int DSA_meth_set_keygen(DSA_METHOD *dsam, int (*keygen) (DSA *)))
+                         unsigned long *, BN_GENCB *));
+OSSL_DEPRECATEDIN_3_0 int (*DSA_meth_get_keygen(const DSA_METHOD *dsam))(DSA *);
+OSSL_DEPRECATEDIN_3_0 int DSA_meth_set_keygen(DSA_METHOD *dsam,
+                                              int (*keygen) (DSA *));
 
+#  endif
 # endif
 # ifdef  __cplusplus
 }
diff --git a/include/openssl/pem.h b/include/openssl/pem.h
index bb6955297e..37e9666b8f 100644
--- a/include/openssl/pem.h
+++ b/include/openssl/pem.h
@@ -450,10 +450,12 @@ DECLARE_PEM_rw_attr(OSSL_DEPRECATEDIN_3_0, RSAPublicKey, RSA)
 DECLARE_PEM_rw_attr(OSSL_DEPRECATEDIN_3_0, RSA_PUBKEY, RSA)
 #  endif
 # endif
-# ifndef OPENSSL_NO_DSA
-DECLARE_PEM_rw_cb(DSAPrivateKey, DSA)
-DECLARE_PEM_rw(DSA_PUBKEY, DSA)
-DECLARE_PEM_rw(DSAparams, DSA)
+# ifndef OPENSSL_NO_DEPRECATED_3_0
+#  ifndef OPENSSL_NO_DSA
+DECLARE_PEM_rw_cb_attr(OSSL_DEPRECATEDIN_3_0, DSAPrivateKey, DSA)
+DECLARE_PEM_rw_attr(OSSL_DEPRECATEDIN_3_0, DSA_PUBKEY, DSA)
+DECLARE_PEM_rw_attr(OSSL_DEPRECATEDIN_3_0, DSAparams, DSA)
+#  endif
 # endif
 # ifndef OPENSSL_NO_EC
 DECLARE_PEM_rw(ECPKParameters, EC_GROUP)
diff --git a/include/openssl/types.h b/include/openssl/types.h
index 6cb5a663cc..d44eb03a7c 100644
--- a/include/openssl/types.h
+++ b/include/openssl/types.h
@@ -133,8 +133,10 @@ typedef struct hmac_ctx_st HMAC_CTX;
 typedef struct dh_st DH;
 typedef struct dh_method DH_METHOD;
 
+# ifndef OPENSSL_NO_DEPRECATED_3_0
 typedef struct dsa_st DSA;
 typedef struct dsa_method DSA_METHOD;
+# endif
 
 # ifndef OPENSSL_NO_DEPRECATED_3_0
 typedef struct rsa_st RSA;
diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in
index 5a3a4eedd7..0418d41f9a 100644
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
@@ -424,11 +424,13 @@ OSSL_DEPRECATEDIN_3_0 RSA *d2i_RSA_PUBKEY_fp(FILE *fp, RSA **rsa);
 OSSL_DEPRECATEDIN_3_0 int i2d_RSA_PUBKEY_fp(FILE *fp, const RSA *rsa);
 #   endif
 #  endif
-#  ifndef OPENSSL_NO_DSA
-DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa);
-int i2d_DSA_PUBKEY_fp(FILE *fp, const DSA *dsa);
-DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa);
-int i2d_DSAPrivateKey_fp(FILE *fp, const DSA *dsa);
+#  ifndef OPENSSL_NO_DEPRECATED_3_0
+#   ifndef OPENSSL_NO_DSA
+OSSL_DEPRECATEDIN_3_0 DSA *d2i_DSA_PUBKEY_fp(FILE *fp, DSA **dsa);
+OSSL_DEPRECATEDIN_3_0 int i2d_DSA_PUBKEY_fp(FILE *fp, const DSA *dsa);
+OSSL_DEPRECATEDIN_3_0 DSA *d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa);
+OSSL_DEPRECATEDIN_3_0 int i2d_DSAPrivateKey_fp(FILE *fp, const DSA *dsa);
+#   endif
 #  endif
 #  ifndef OPENSSL_NO_EC
 EC_KEY *d2i_EC_PUBKEY_fp(FILE *fp, EC_KEY **eckey);
@@ -468,11 +470,13 @@ OSSL_DEPRECATEDIN_3_0 RSA *d2i_RSA_PUBKEY_bio(BIO *bp, RSA **rsa);
 OSSL_DEPRECATEDIN_3_0 int i2d_RSA_PUBKEY_bio(BIO *bp, const RSA *rsa);
 #   endif
 #  endif
-#  ifndef OPENSSL_NO_DSA
-DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa);
-int i2d_DSA_PUBKEY_bio(BIO *bp, const DSA *dsa);
-DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa);
-int i2d_DSAPrivateKey_bio(BIO *bp, const DSA *dsa);
+#  ifndef OPENSSL_NO_DEPRECATED_3_0
+#   ifndef OPENSSL_NO_DSA
+OSSL_DEPRECATEDIN_3_0 DSA *d2i_DSA_PUBKEY_bio(BIO *bp, DSA **dsa);
+OSSL_DEPRECATEDIN_3_0 int i2d_DSA_PUBKEY_bio(BIO *bp, const DSA *dsa);
+OSSL_DEPRECATEDIN_3_0 DSA *d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa);
+OSSL_DEPRECATEDIN_3_0 int i2d_DSAPrivateKey_bio(BIO *bp, const DSA *dsa);
+#   endif
 #  endif
 #  ifndef OPENSSL_NO_EC
 EC_KEY *d2i_EC_PUBKEY_bio(BIO *bp, EC_KEY **eckey);
@@ -552,8 +556,10 @@ EVP_PKEY *d2i_PUBKEY_ex(EVP_PKEY **a, const unsigned char **pp, long length,
 DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(OSSL_DEPRECATEDIN_3_0,RSA, RSA_PUBKEY)
 #  endif
 # endif
-# ifndef OPENSSL_NO_DSA
-DECLARE_ASN1_ENCODE_FUNCTIONS_only(DSA, DSA_PUBKEY)
+# ifndef OPENSSL_NO_DEPRECATED_3_0
+#  ifndef OPENSSL_NO_DSA
+DECLARE_ASN1_ENCODE_FUNCTIONS_only_attr(OSSL_DEPRECATEDIN_3_0,DSA, DSA_PUBKEY)
+#  endif
 # endif
 # ifndef OPENSSL_NO_EC
 DECLARE_ASN1_ENCODE_FUNCTIONS_only(EC_KEY, EC_PUBKEY)
diff --git a/providers/common/der/der_dsa_gen.c.in b/providers/common/der/der_dsa_gen.c.in
index 95f1f5cdd1..33ea5fa90b 100644
--- a/providers/common/der/der_dsa_gen.c.in
+++ b/providers/common/der/der_dsa_gen.c.in
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * DSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include "prov/der_dsa.h"
 
 /* Well known OIDs precompiled */
diff --git a/providers/common/der/der_dsa_key.c b/providers/common/der/der_dsa_key.c
index 1a369faa81..dc7b2fe8fa 100644
--- a/providers/common/der/der_dsa_key.c
+++ b/providers/common/der/der_dsa_key.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * DSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <openssl/obj_mac.h>
 #include "internal/packet.h"
 #include "prov/der_dsa.h"
diff --git a/providers/common/der/der_dsa_sig.c b/providers/common/der/der_dsa_sig.c
index 37ee5f459d..07225b7b11 100644
--- a/providers/common/der/der_dsa_sig.c
+++ b/providers/common/der/der_dsa_sig.c
@@ -7,6 +7,12 @@
  * https://www.openssl.org/source/license.html
  */
 
+/*
+ * DSA low level APIs are deprecated for public use, but still ok for
+ * internal use.
+ */
+#include "internal/deprecated.h"
+
 #include <openssl/obj_mac.h>
 #include "internal/packet.h"
 #include "prov/der_dsa.h"
diff --git a/providers/common/digest_to_nid.c b/providers/common/digest_to_nid.c
index 99633c150c..496d814173 100644
--- a/providers/common/digest_to_nid.c
+++ b/providers/common/digest_to_nid.c
@@ -7,6 +7,8 @@
  * https://www.openssl.org/source/license.html
  */
 
+#include "internal/deprecated.h"
+
 #include <openssl/objects.h>
 #include <openssl/core_names.h>
 #include <openssl/evp.h>