Remove deprecated functions and constants.

Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
diff --git a/ChangeLog.d/issue4282.txt b/ChangeLog.d/issue4282.txt
new file mode 100644
index 0000000..27d9a28
--- /dev/null
+++ b/ChangeLog.d/issue4282.txt
@@ -0,0 +1,2 @@
+Removals
+   * Remove deprecated functions and constants. Fix #4282
diff --git a/configs/config-psa-crypto.h b/configs/config-psa-crypto.h
index 5635e98..91fee97 100644
--- a/configs/config-psa-crypto.h
+++ b/configs/config-psa-crypto.h
@@ -400,8 +400,8 @@
  * \note Because of a signature change, the core AES encryption and decryption routines are
  *       currently named mbedtls_aes_internal_encrypt and mbedtls_aes_internal_decrypt,
  *       respectively. When setting up alternative implementations, these functions should
- *       be overridden, but the wrapper functions mbedtls_aes_decrypt and mbedtls_aes_encrypt
- *       must stay untouched.
+ *       be overridden, but the wrapper functions mbedtls_internal_aes_decrypt and
+ *       mbedtls_internal_aes_encrypt must stay untouched.
  *
  * \note If you use the AES_xxx_ALT macros, then is is recommended to also set
  *       MBEDTLS_AES_ROM_TABLES in order to help the linker garbage-collect the AES
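Review bot: The reworded \note contradicts itself: it says the core routines should be overridden, then says `mbedtls_internal_aes_decrypt` and `mbedtls_internal_aes_encrypt` "must stay untouched", yet the removed aes.h documentation in this diff names those two as the functions that supersede the old wrappers. Since this commit deletes the `mbedtls_aes_encrypt`/`mbedtls_aes_decrypt` wrappers, the wrapper clause should be dropped rather than renamed, e.g. `When setting up alternative implementations, override mbedtls_internal_aes_encrypt and mbedtls_internal_aes_decrypt.` The unchanged context lines also spell the core routines `mbedtls_aes_internal_*`, which does not match the `mbedtls_internal_aes_*` spelling used elsewhere in this diff and could be corrected in the same edit. The identical change in the first hunk of include/mbedtls/config.h has the same problem. The comment begins and ends outside the hunk.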
diff --git a/include/mbedtls/aes.h b/include/mbedtls/aes.h
index 052f47c..183367c 100644
--- a/include/mbedtls/aes.h
+++ b/include/mbedtls/aes.h
@@ -617,44 +617,6 @@
                                   const unsigned char input[16],
                                   unsigned char output[16] );
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
-#else
-#define MBEDTLS_DEPRECATED
-#endif
-/**
- * \brief           Deprecated internal AES block encryption function
- *                  without return value.
- *
- * \deprecated      Superseded by mbedtls_internal_aes_encrypt()
- *
- * \param ctx       The AES context to use for encryption.
- * \param input     Plaintext block.
- * \param output    Output (ciphertext) block.
- */
-MBEDTLS_DEPRECATED void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
-                                             const unsigned char input[16],
-                                             unsigned char output[16] );
-
-/**
- * \brief           Deprecated internal AES block decryption function
- *                  without return value.
- *
- * \deprecated      Superseded by mbedtls_internal_aes_decrypt()
- *
- * \param ctx       The AES context to use for decryption.
- * \param input     Ciphertext block.
- * \param output    Output (plaintext) block.
- */
-MBEDTLS_DEPRECATED void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
-                                             const unsigned char input[16],
-                                             unsigned char output[16] );
-
-#undef MBEDTLS_DEPRECATED
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
-
-
 #if defined(MBEDTLS_SELF_TEST)
 /**
  * \brief          Checkup routine.
diff --git a/include/mbedtls/bignum.h b/include/mbedtls/bignum.h
index 637360e..073b4a4 100644
--- a/include/mbedtls/bignum.h
+++ b/include/mbedtls/bignum.h
@@ -904,37 +904,6 @@
 int mbedtls_mpi_inv_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
                          const mbedtls_mpi *N );
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED      __attribute__((deprecated))
-#else
-#define MBEDTLS_DEPRECATED
-#endif
-/**
- * \brief          Perform a Miller-Rabin primality test with error
- *                 probability of 2<sup>-80</sup>.
- *
- * \deprecated     Superseded by mbedtls_mpi_is_prime_ext() which allows
- *                 specifying the number of Miller-Rabin rounds.
- *
- * \param X        The MPI to check for primality.
- *                 This must point to an initialized MPI.
- * \param f_rng    The RNG function to use. This must not be \c NULL.
- * \param p_rng    The RNG parameter to be passed to \p f_rng.
- *                 This may be \c NULL if \p f_rng doesn't use a
- *                 context parameter.
- *
- * \return         \c 0 if successful, i.e. \p X is probably prime.
- * \return         #MBEDTLS_ERR_MPI_ALLOC_FAILED if a memory allocation failed.
- * \return         #MBEDTLS_ERR_MPI_NOT_ACCEPTABLE if \p X is not prime.
- * \return         Another negative error code on other kinds of failure.
- */
-MBEDTLS_DEPRECATED int mbedtls_mpi_is_prime( const mbedtls_mpi *X,
-                          int (*f_rng)(void *, unsigned char *, size_t),
-                          void *p_rng );
-#undef MBEDTLS_DEPRECATED
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
-
 /**
  * \brief          Miller-Rabin primality test.
  *
diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h
index 1cafa6e..82e8c41 100644
--- a/include/mbedtls/cipher.h
+++ b/include/mbedtls/cipher.h
@@ -470,8 +470,8 @@
  * \param cipher_info   The cipher to use.
  * \param taglen        For AEAD ciphers, the length in bytes of the
  *                      authentication tag to use. Subsequent uses of
- *                      mbedtls_cipher_auth_encrypt() or
- *                      mbedtls_cipher_auth_decrypt() must provide
+ *                      mbedtls_cipher_auth_encrypt_ext() or
+ *                      mbedtls_cipher_auth_decrypt_ext() must provide
  *                      the same tag length.
  *                      For non-AEAD ciphers, the value must be \c 0.
  *
@@ -856,129 +856,6 @@
                   const unsigned char *input, size_t ilen,
                   unsigned char *output, size_t *olen );
 
-#if defined(MBEDTLS_CIPHER_MODE_AEAD)
-#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED    __attribute__((deprecated))
-#else
-#define MBEDTLS_DEPRECATED
-#endif /* MBEDTLS_DEPRECATED_WARNING */
-/**
- * \brief               The generic authenticated encryption (AEAD) function.
- *
- * \deprecated          Superseded by mbedtls_cipher_auth_encrypt_ext().
- *
- * \note                This function only supports AEAD algorithms, not key
- *                      wrapping algorithms such as NIST_KW; for this, see
- *                      mbedtls_cipher_auth_encrypt_ext().
- *
- * \param ctx           The generic cipher context. This must be initialized and
- *                      bound to a key associated with an AEAD algorithm.
- * \param iv            The nonce to use. This must be a readable buffer of
- *                      at least \p iv_len Bytes and must not be \c NULL.
- * \param iv_len        The length of the nonce. This must satisfy the
- *                      constraints imposed by the AEAD cipher used.
- * \param ad            The additional data to authenticate. This must be a
- *                      readable buffer of at least \p ad_len Bytes, and may
- *                      be \c NULL is \p ad_len is \c 0.
- * \param ad_len        The length of \p ad.
- * \param input         The buffer holding the input data. This must be a
- *                      readable buffer of at least \p ilen Bytes, and may be
- *                      \c NULL if \p ilen is \c 0.
- * \param ilen          The length of the input data.
- * \param output        The buffer for the output data. This must be a
- *                      writable buffer of at least \p ilen Bytes, and must
- *                      not be \c NULL.
- * \param olen          This will be filled with the actual number of Bytes
- *                      written to the \p output buffer. This must point to a
- *                      writable object of type \c size_t.
- * \param tag           The buffer for the authentication tag. This must be a
- *                      writable buffer of at least \p tag_len Bytes. See note
- *                      below regarding restrictions with PSA-based contexts.
- * \param tag_len       The desired length of the authentication tag. This
- *                      must match the constraints imposed by the AEAD cipher
- *                      used, and in particular must not be \c 0.
- *
- * \note                If the context is based on PSA (that is, it was set up
- *                      with mbedtls_cipher_setup_psa()), then it is required
- *                      that \c tag == output + ilen. That is, the tag must be
- *                      appended to the ciphertext as recommended by RFC 5116.
- *
- * \return              \c 0 on success.
- * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
- *                      parameter-verification failure.
- * \return              A cipher-specific error code on failure.
- */
-int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
-                         const unsigned char *iv, size_t iv_len,
-                         const unsigned char *ad, size_t ad_len,
-                         const unsigned char *input, size_t ilen,
-                         unsigned char *output, size_t *olen,
-                         unsigned char *tag, size_t tag_len )
-                         MBEDTLS_DEPRECATED;
-
-/**
- * \brief               The generic authenticated decryption (AEAD) function.
- *
- * \deprecated          Superseded by mbedtls_cipher_auth_decrypt_ext().
- *
- * \note                This function only supports AEAD algorithms, not key
- *                      wrapping algorithms such as NIST_KW; for this, see
- *                      mbedtls_cipher_auth_decrypt_ext().
- *
- * \note                If the data is not authentic, then the output buffer
- *                      is zeroed out to prevent the unauthentic plaintext being
- *                      used, making this interface safer.
- *
- * \param ctx           The generic cipher context. This must be initialized and
- *                      bound to a key associated with an AEAD algorithm.
- * \param iv            The nonce to use. This must be a readable buffer of
- *                      at least \p iv_len Bytes and must not be \c NULL.
- * \param iv_len        The length of the nonce. This must satisfy the
- *                      constraints imposed by the AEAD cipher used.
- * \param ad            The additional data to authenticate. This must be a
- *                      readable buffer of at least \p ad_len Bytes, and may
- *                      be \c NULL is \p ad_len is \c 0.
- * \param ad_len        The length of \p ad.
- * \param input         The buffer holding the input data. This must be a
- *                      readable buffer of at least \p ilen Bytes, and may be
- *                      \c NULL if \p ilen is \c 0.
- * \param ilen          The length of the input data.
- * \param output        The buffer for the output data. This must be a
- *                      writable buffer of at least \p ilen Bytes, and must
- *                      not be \c NULL.
- * \param olen          This will be filled with the actual number of Bytes
- *                      written to the \p output buffer. This must point to a
- *                      writable object of type \c size_t.
- * \param tag           The buffer for the authentication tag. This must be a
- *                      readable buffer of at least \p tag_len Bytes. See note
- *                      below regarding restrictions with PSA-based contexts.
- * \param tag_len       The length of the authentication tag. This must match
- *                      the constraints imposed by the AEAD cipher used, and in
- *                      particular must not be \c 0.
- *
- * \note                If the context is based on PSA (that is, it was set up
- *                      with mbedtls_cipher_setup_psa()), then it is required
- *                      that \c tag == input + len. That is, the tag must be
- *                      appended to the ciphertext as recommended by RFC 5116.
- *
- * \return              \c 0 on success.
- * \return              #MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA on
- *                      parameter-verification failure.
- * \return              #MBEDTLS_ERR_CIPHER_AUTH_FAILED if data is not authentic.
- * \return              A cipher-specific error code on failure.
- */
-int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx,
-                         const unsigned char *iv, size_t iv_len,
-                         const unsigned char *ad, size_t ad_len,
-                         const unsigned char *input, size_t ilen,
-                         unsigned char *output, size_t *olen,
-                         const unsigned char *tag, size_t tag_len )
-                         MBEDTLS_DEPRECATED;
-#undef MBEDTLS_DEPRECATED
-#endif /* MBEDTLS_DEPRECATED_REMOVED */
-#endif /* MBEDTLS_CIPHER_MODE_AEAD */
-
 #if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
 /**
  * \brief               The authenticated encryption (AEAD/NIST_KW) function.
diff --git a/include/mbedtls/compat-1.3.h b/include/mbedtls/compat-1.3.h
index c423812..00597f2 100644
--- a/include/mbedtls/compat-1.3.h
+++ b/include/mbedtls/compat-1.3.h
@@ -998,12 +998,6 @@
 #define POLARSSL_DECRYPT MBEDTLS_DECRYPT
 #define POLARSSL_DES_H MBEDTLS_DES_H
 #define POLARSSL_DHM_H MBEDTLS_DHM_H
-#define POLARSSL_DHM_RFC3526_MODP_2048_G MBEDTLS_DHM_RFC3526_MODP_2048_G
-#define POLARSSL_DHM_RFC3526_MODP_2048_P MBEDTLS_DHM_RFC3526_MODP_2048_P
-#define POLARSSL_DHM_RFC3526_MODP_3072_G MBEDTLS_DHM_RFC3526_MODP_3072_G
-#define POLARSSL_DHM_RFC3526_MODP_3072_P MBEDTLS_DHM_RFC3526_MODP_3072_P
-#define POLARSSL_DHM_RFC5114_MODP_2048_G MBEDTLS_DHM_RFC5114_MODP_2048_G
-#define POLARSSL_DHM_RFC5114_MODP_2048_P MBEDTLS_DHM_RFC5114_MODP_2048_P
 #define POLARSSL_ECDH_H MBEDTLS_ECDH_H
 #define POLARSSL_ECDH_OURS MBEDTLS_ECDH_OURS
 #define POLARSSL_ECDH_THEIRS MBEDTLS_ECDH_THEIRS
@@ -1786,8 +1780,6 @@
 #define ccm_free mbedtls_ccm_free
 #define ccm_init mbedtls_ccm_init
 #define ccm_self_test mbedtls_ccm_self_test
-#define cipher_auth_decrypt mbedtls_cipher_auth_decrypt
-#define cipher_auth_encrypt mbedtls_cipher_auth_encrypt
 #define cipher_base_t mbedtls_cipher_base_t
 #define cipher_check_tag mbedtls_cipher_check_tag
 #define cipher_context_t mbedtls_cipher_context_t
@@ -1831,7 +1823,6 @@
 #define ctr_drbg_set_entropy_len mbedtls_ctr_drbg_set_entropy_len
 #define ctr_drbg_set_prediction_resistance mbedtls_ctr_drbg_set_prediction_resistance
 #define ctr_drbg_set_reseed_interval mbedtls_ctr_drbg_set_reseed_interval
-#define ctr_drbg_update mbedtls_ctr_drbg_update
 #define ctr_drbg_update_seed_file mbedtls_ctr_drbg_update_seed_file
 #define ctr_drbg_write_seed_file mbedtls_ctr_drbg_write_seed_file
 #define debug_print_buf mbedtls_debug_print_buf
@@ -1892,10 +1883,8 @@
 #define ecdsa_init mbedtls_ecdsa_init
 #define ecdsa_read_signature mbedtls_ecdsa_read_signature
 #define ecdsa_sign mbedtls_ecdsa_sign
-#define ecdsa_sign_det mbedtls_ecdsa_sign_det
 #define ecdsa_verify mbedtls_ecdsa_verify
 #define ecdsa_write_signature mbedtls_ecdsa_write_signature
-#define ecdsa_write_signature_det mbedtls_ecdsa_write_signature_det
 #define eckey_info mbedtls_eckey_info
 #define eckeydh_info mbedtls_eckeydh_info
 #define ecp_check_privkey mbedtls_ecp_check_privkey
@@ -1967,7 +1956,6 @@
 #define hmac_drbg_set_entropy_len mbedtls_hmac_drbg_set_entropy_len
 #define hmac_drbg_set_prediction_resistance mbedtls_hmac_drbg_set_prediction_resistance
 #define hmac_drbg_set_reseed_interval mbedtls_hmac_drbg_set_reseed_interval
-#define hmac_drbg_update mbedtls_hmac_drbg_update
 #define hmac_drbg_update_seed_file mbedtls_hmac_drbg_update_seed_file
 #define hmac_drbg_write_seed_file mbedtls_hmac_drbg_write_seed_file
 #define hr_time mbedtls_timing_hr_time
@@ -2053,7 +2041,6 @@
 #define mpi_grow mbedtls_mpi_grow
 #define mpi_init mbedtls_mpi_init
 #define mpi_inv_mod mbedtls_mpi_inv_mod
-#define mpi_is_prime mbedtls_mpi_is_prime
 #define mpi_lsb mbedtls_mpi_lsb
 #define mpi_lset mbedtls_mpi_lset
 #define mpi_mod_int mbedtls_mpi_mod_int
@@ -2352,7 +2339,6 @@
 #define ssl_set_client_transport_id mbedtls_ssl_set_client_transport_id
 #define ssl_set_curves mbedtls_ssl_conf_curves
 #define ssl_set_dbg mbedtls_ssl_conf_dbg
-#define ssl_set_dh_param mbedtls_ssl_conf_dh_param
 #define ssl_set_dh_param_ctx mbedtls_ssl_conf_dh_param_ctx
 #define ssl_set_dtls_anti_replay mbedtls_ssl_conf_dtls_anti_replay
 #define ssl_set_dtls_badmac_limit mbedtls_ssl_conf_dtls_badmac_limit
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 46941e2..e2a65e8 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -424,8 +424,8 @@
  * \note Because of a signature change, the core AES encryption and decryption routines are
  *       currently named mbedtls_aes_internal_encrypt and mbedtls_aes_internal_decrypt,
  *       respectively. When setting up alternative implementations, these functions should
- *       be overridden, but the wrapper functions mbedtls_aes_decrypt and mbedtls_aes_encrypt
- *       must stay untouched.
+ *       be overridden, but the wrapper functions mbedtls_internal_aes_decrypt and
+ *       mbedtls_internal_aes_encrypt must stay untouched.
  *
  * \note If you use the AES_xxx_ALT macros, then is is recommended to also set
  *       MBEDTLS_AES_ROM_TABLES in order to help the linker garbage-collect the AES
@@ -446,8 +446,8 @@
  *            the ephemeral key and nothing else. If this is not possible, then
  *            MBEDTLS_ECDSA_DETERMINISTIC should be disabled and an alternative
  *            implementation should be provided for mbedtls_ecdsa_sign_det_ext()
- *            (and for mbedtls_ecdsa_sign_det() too if backward compatibility is
- *            desirable).
+ *            (and for mbedtls_ecdsa_sign_det_ext() too if backward compatibility
+ *            is desirable).
  *
  */
 //#define MBEDTLS_MD2_PROCESS_ALT
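Review bot: The parenthetical now names the same function twice: "provided for mbedtls_ecdsa_sign_det_ext() (and for mbedtls_ecdsa_sign_det_ext() too if backward compatibility is desirable)". With `mbedtls_ecdsa_sign_det()` removed by this commit there is no legacy variant left to reimplement, so the parenthetical should be deleted and the sentence should end at `implementation should be provided for mbedtls_ecdsa_sign_det_ext().` This paragraph warns ALT implementers about how the ephemeral key is derived, so it should stay unambiguous. The comment starts outside the hunk.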
diff --git a/include/mbedtls/ctr_drbg.h b/include/mbedtls/ctr_drbg.h
index 7f1d232..b84ab83 100644
--- a/include/mbedtls/ctr_drbg.h
+++ b/include/mbedtls/ctr_drbg.h
@@ -487,35 +487,6 @@
 int mbedtls_ctr_drbg_random( void *p_rng,
                      unsigned char *output, size_t output_len );
 
-
-#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED    __attribute__((deprecated))
-#else
-#define MBEDTLS_DEPRECATED
-#endif
-/**
- * \brief              This function updates the state of the CTR_DRBG context.
- *
- * \deprecated         Superseded by mbedtls_ctr_drbg_update_ret()
- *                     in 2.16.0.
- *
- * \note               If \p add_len is greater than
- *                     #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT, only the first
- *                     #MBEDTLS_CTR_DRBG_MAX_SEED_INPUT Bytes are used.
- *                     The remaining Bytes are silently discarded.
- *
- * \param ctx          The CTR_DRBG context.
- * \param additional   The data to update the state with.
- * \param add_len      Length of \p additional data.
- */
-MBEDTLS_DEPRECATED void mbedtls_ctr_drbg_update(
-    mbedtls_ctr_drbg_context *ctx,
-    const unsigned char *additional,
-    size_t add_len );
-#undef MBEDTLS_DEPRECATED
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
-
 #if defined(MBEDTLS_FS_IO)
 /**
  * \brief               This function writes a seed file.
diff --git a/include/mbedtls/dhm.h b/include/mbedtls/dhm.h
index c7830b9..16dd165 100644
--- a/include/mbedtls/dhm.h
+++ b/include/mbedtls/dhm.h
@@ -386,161 +386,6 @@
  *
  */
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-
-/**
- * \warning The origin of the primes in RFC 5114 is not documented and
- *          their use therefore constitutes a security risk!
- *
- * \deprecated The hex-encoded primes from RFC 5114 are deprecated and are
- *             likely to be removed in a future version of the library without
- *             replacement.
- */
-
-/**
- * The hexadecimal presentation of the prime underlying the
- * 2048-bit MODP Group with 224-bit Prime Order Subgroup, as defined
- * in <em>RFC-5114: Additional Diffie-Hellman Groups for Use with
- * IETF Standards</em>.
- */
-#define MBEDTLS_DHM_RFC5114_MODP_2048_P                         \
-    MBEDTLS_DEPRECATED_STRING_CONSTANT(                         \
-        "AD107E1E9123A9D0D660FAA79559C51FA20D64E5683B9FD1"      \
-        "B54B1597B61D0A75E6FA141DF95A56DBAF9A3C407BA1DF15"      \
-        "EB3D688A309C180E1DE6B85A1274A0A66D3F8152AD6AC212"      \
-        "9037C9EDEFDA4DF8D91E8FEF55B7394B7AD5B7D0B6C12207"      \
-        "C9F98D11ED34DBF6C6BA0B2C8BBC27BE6A00E0A0B9C49708"      \
-        "B3BF8A317091883681286130BC8985DB1602E714415D9330"      \
-        "278273C7DE31EFDC7310F7121FD5A07415987D9ADC0A486D"      \
-        "CDF93ACC44328387315D75E198C641A480CD86A1B9E587E8"      \
-        "BE60E69CC928B2B9C52172E413042E9B23F10B0E16E79763"      \
-        "C9B53DCF4BA80A29E3FB73C16B8E75B97EF363E2FFA31F71"      \
-        "CF9DE5384E71B81C0AC4DFFE0C10E64F" )
-
-/**
- * The hexadecimal presentation of the chosen generator of the 2048-bit MODP
- * Group with 224-bit Prime Order Subgroup, as defined in <em>RFC-5114:
- * Additional Diffie-Hellman Groups for Use with IETF Standards</em>.
- */
-#define MBEDTLS_DHM_RFC5114_MODP_2048_G                         \
-    MBEDTLS_DEPRECATED_STRING_CONSTANT(                         \
-        "AC4032EF4F2D9AE39DF30B5C8FFDAC506CDEBE7B89998CAF"      \
-        "74866A08CFE4FFE3A6824A4E10B9A6F0DD921F01A70C4AFA"      \
-        "AB739D7700C29F52C57DB17C620A8652BE5E9001A8D66AD7"      \
-        "C17669101999024AF4D027275AC1348BB8A762D0521BC98A"      \
-        "E247150422EA1ED409939D54DA7460CDB5F6C6B250717CBE"      \
-        "F180EB34118E98D119529A45D6F834566E3025E316A330EF"      \
-        "BB77A86F0C1AB15B051AE3D428C8F8ACB70A8137150B8EEB"      \
-        "10E183EDD19963DDD9E263E4770589EF6AA21E7F5F2FF381"      \
-        "B539CCE3409D13CD566AFBB48D6C019181E1BCFE94B30269"      \
-        "EDFE72FE9B6AA4BD7B5A0F1C71CFFF4C19C418E1F6EC0179"      \
-        "81BC087F2A7065B384B890D3191F2BFA" )
-
-/**
- * The hexadecimal presentation of the prime underlying the 2048-bit MODP
- * Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
- * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
- *
- * \deprecated The hex-encoded primes from RFC 3625 are deprecated and
- *             superseded by the corresponding macros providing them as
- *             binary constants. Their hex-encoded constants are likely
- *             to be removed in a future version of the library.
- *
- */
-#define MBEDTLS_DHM_RFC3526_MODP_2048_P                         \
-    MBEDTLS_DEPRECATED_STRING_CONSTANT(                         \
-        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"      \
-        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"      \
-        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"      \
-        "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"      \
-        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"      \
-        "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"      \
-        "83655D23DCA3AD961C62F356208552BB9ED529077096966D"      \
-        "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"      \
-        "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"      \
-        "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"      \
-        "15728E5A8AACAA68FFFFFFFFFFFFFFFF" )
-
-/**
- * The hexadecimal presentation of the chosen generator of the 2048-bit MODP
- * Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
- * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
- */
-#define MBEDTLS_DHM_RFC3526_MODP_2048_G                         \
-    MBEDTLS_DEPRECATED_STRING_CONSTANT( "02" )
-
-/**
- * The hexadecimal presentation of the prime underlying the 3072-bit MODP
- * Group, as defined in <em>RFC-3072: More Modular Exponential (MODP)
- * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
- */
-#define MBEDTLS_DHM_RFC3526_MODP_3072_P                         \
-    MBEDTLS_DEPRECATED_STRING_CONSTANT(                         \
-        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"      \
-        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"      \
-        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"      \
-        "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"      \
-        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"      \
-        "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"      \
-        "83655D23DCA3AD961C62F356208552BB9ED529077096966D"      \
-        "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"      \
-        "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"      \
-        "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"      \
-        "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64"      \
-        "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7"      \
-        "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B"      \
-        "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C"      \
-        "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31"      \
-        "43DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF" )
-
-/**
- * The hexadecimal presentation of the chosen generator of the 3072-bit MODP
- * Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
- * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
- */
-#define MBEDTLS_DHM_RFC3526_MODP_3072_G                      \
-    MBEDTLS_DEPRECATED_STRING_CONSTANT( "02" )
-
-/**
- * The hexadecimal presentation of the prime underlying the 4096-bit MODP
- * Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
- * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
- */
-#define MBEDTLS_DHM_RFC3526_MODP_4096_P                      \
-    MBEDTLS_DEPRECATED_STRING_CONSTANT(                      \
-        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"   \
-        "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"   \
-        "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"   \
-        "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"   \
-        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"   \
-        "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"   \
-        "83655D23DCA3AD961C62F356208552BB9ED529077096966D"   \
-        "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"   \
-        "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"   \
-        "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"   \
-        "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64"   \
-        "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7"   \
-        "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B"   \
-        "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C"   \
-        "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31"   \
-        "43DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D7"   \
-        "88719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA"   \
-        "2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6"   \
-        "287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED"   \
-        "1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA9"   \
-        "93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199"   \
-        "FFFFFFFFFFFFFFFF" )
-
-/**
- * The hexadecimal presentation of the chosen generator of the 4096-bit MODP
- * Group, as defined in <em>RFC-3526: More Modular Exponential (MODP)
- * Diffie-Hellman groups for Internet Key Exchange (IKE)</em>.
- */
-#define MBEDTLS_DHM_RFC3526_MODP_4096_G                      \
-    MBEDTLS_DEPRECATED_STRING_CONSTANT( "02" )
-
-#endif /* MBEDTLS_DEPRECATED_REMOVED */
-
 /*
  * Trustworthy DHM parameters in binary form
  */
diff --git a/include/mbedtls/ecdsa.h b/include/mbedtls/ecdsa.h
index 264a638..525de5d 100644
--- a/include/mbedtls/ecdsa.h
+++ b/include/mbedtls/ecdsa.h
@@ -138,7 +138,7 @@
  *                  previously-hashed message.
  *
  * \note            The deterministic version implemented in
- *                  mbedtls_ecdsa_sign_det() is usually preferred.
+ *                  mbedtls_ecdsa_sign_det_ext() is usually preferred.
  *
  * \note            If the bitlength of the message hash is larger than the
  *                  bitlength of the group order, then the hash is truncated
@@ -174,67 +174,6 @@
                 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng );
 
 #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
-#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED    __attribute__((deprecated))
-#else
-#define MBEDTLS_DEPRECATED
-#endif
-/**
- * \brief           This function computes the ECDSA signature of a
- *                  previously-hashed message, deterministic version.
- *
- *                  For more information, see <em>RFC-6979: Deterministic
- *                  Usage of the Digital Signature Algorithm (DSA) and Elliptic
- *                  Curve Digital Signature Algorithm (ECDSA)</em>.
- *
- * \note            If the bitlength of the message hash is larger than the
- *                  bitlength of the group order, then the hash is truncated as
- *                  defined in <em>Standards for Efficient Cryptography Group
- *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
- *                  4.1.3, step 5.
- *
- * \warning         Since the output of the internal RNG is always the same for
- *                  the same key and message, this limits the efficiency of
- *                  blinding and leaks information through side channels. For
- *                  secure behavior use mbedtls_ecdsa_sign_det_ext() instead.
- *
- *                  (Optimally the blinding is a random value that is different
- *                  on every execution. In this case the blinding is still
- *                  random from the attackers perspective, but is the same on
- *                  each execution. This means that this blinding does not
- *                  prevent attackers from recovering secrets by combining
- *                  several measurement traces, but may prevent some attacks
- *                  that exploit relationships between secret data.)
- *
- * \see             ecp.h
- *
- * \param grp       The context for the elliptic curve to use.
- *                  This must be initialized and have group parameters
- *                  set, for example through mbedtls_ecp_group_load().
- * \param r         The MPI context in which to store the first part
- *                  the signature. This must be initialized.
- * \param s         The MPI context in which to store the second part
- *                  the signature. This must be initialized.
- * \param d         The private signing key. This must be initialized
- *                  and setup, for example through mbedtls_ecp_gen_privkey().
- * \param buf       The hashed content to be signed. This must be a readable
- *                  buffer of length \p blen Bytes. It may be \c NULL if
- *                  \p blen is zero.
- * \param blen      The length of \p buf in Bytes.
- * \param md_alg    The hash algorithm used to hash the original data.
- *
- * \return          \c 0 on success.
- * \return          An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
- *                  error code on failure.
- */
-int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r,
-                            mbedtls_mpi *s, const mbedtls_mpi *d,
-                            const unsigned char *buf, size_t blen,
-                            mbedtls_md_type_t md_alg ) MBEDTLS_DEPRECATED;
-#undef MBEDTLS_DEPRECATED
-#endif /* MBEDTLS_DEPRECATED_REMOVED */
-
 /**
  * \brief           This function computes the ECDSA signature of a
  *                  previously-hashed message, deterministic version.
@@ -421,64 +360,6 @@
                            void *p_rng,
                            mbedtls_ecdsa_restart_ctx *rs_ctx );
 
-#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
-#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED    __attribute__((deprecated))
-#else
-#define MBEDTLS_DEPRECATED
-#endif
-/**
- * \brief           This function computes an ECDSA signature and writes
- *                  it to a buffer, serialized as defined in <em>RFC-4492:
- *                  Elliptic Curve Cryptography (ECC) Cipher Suites for
- *                  Transport Layer Security (TLS)</em>.
- *
- *                  The deterministic version is defined in <em>RFC-6979:
- *                  Deterministic Usage of the Digital Signature Algorithm (DSA)
- *                  and Elliptic Curve Digital Signature Algorithm (ECDSA)</em>.
- *
- * \warning         It is not thread-safe to use the same context in
- *                  multiple threads.
- *
- * \note            If the bitlength of the message hash is larger than the
- *                  bitlength of the group order, then the hash is truncated as
- *                  defined in <em>Standards for Efficient Cryptography Group
- *                  (SECG): SEC1 Elliptic Curve Cryptography</em>, section
- *                  4.1.3, step 5.
- *
- * \see             ecp.h
- *
- * \deprecated      Superseded by mbedtls_ecdsa_write_signature() in
- *                  Mbed TLS version 2.0 and later.
- *
- * \param ctx       The ECDSA context to use. This must be initialized
- *                  and have a group and private key bound to it, for example
- *                  via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair().
- * \param hash      The message hash to be signed. This must be a readable
- *                  buffer of length \p blen Bytes.
- * \param hlen      The length of the hash \p hash in Bytes.
- * \param sig       The buffer to which to write the signature. This must be a
- *                  writable buffer of length at least twice as large as the
- *                  size of the curve used, plus 9. For example, 73 Bytes if
- *                  a 256-bit curve is used. A buffer length of
- *                  #MBEDTLS_ECDSA_MAX_LEN is always safe.
- * \param slen      The address at which to store the actual length of
- *                  the signature written. Must not be \c NULL.
- * \param md_alg    The message digest that was used to hash the message.
- *
- * \return          \c 0 on success.
- * \return          An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or
- *                  \c MBEDTLS_ERR_ASN1_XXX error code on failure.
- */
-int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx,
-                               const unsigned char *hash, size_t hlen,
-                               unsigned char *sig, size_t *slen,
-                               mbedtls_md_type_t md_alg ) MBEDTLS_DEPRECATED;
-#undef MBEDTLS_DEPRECATED
-#endif /* MBEDTLS_DEPRECATED_REMOVED */
-#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
-
 /**
  * \brief           This function reads and verifies an ECDSA signature.
  *
diff --git a/include/mbedtls/hmac_drbg.h b/include/mbedtls/hmac_drbg.h
index 9116541..f8536e7 100644
--- a/include/mbedtls/hmac_drbg.h
+++ b/include/mbedtls/hmac_drbg.h
@@ -345,30 +345,6 @@
  */
 void mbedtls_hmac_drbg_free( mbedtls_hmac_drbg_context *ctx );
 
-#if ! defined(MBEDTLS_DEPRECATED_REMOVED)
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED    __attribute__((deprecated))
-#else
-#define MBEDTLS_DEPRECATED
-#endif
-/**
- * \brief               This function updates the state of the HMAC_DRBG context.
- *
- * \deprecated          Superseded by mbedtls_hmac_drbg_update_ret()
- *                      in 2.16.0.
- *
- * \param ctx           The HMAC_DRBG context.
- * \param additional    The data to update the state with.
- *                      If this is \c NULL, there is no additional data.
- * \param add_len       Length of \p additional in bytes.
- *                      Unused if \p additional is \c NULL.
- */
-MBEDTLS_DEPRECATED void mbedtls_hmac_drbg_update(
-    mbedtls_hmac_drbg_context *ctx,
-    const unsigned char *additional, size_t add_len );
-#undef MBEDTLS_DEPRECATED
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
-
 #if defined(MBEDTLS_FS_IO)
 /**
  * \brief               This function writes a seed file.
diff --git a/include/mbedtls/net.h b/include/mbedtls/net.h
deleted file mode 100644
index 6692188..0000000
--- a/include/mbedtls/net.h
+++ /dev/null
@@ -1,35 +0,0 @@
-/**
- * \file net.h
- *
- * \brief Deprecated header file that includes net_sockets.h
- *
- * \deprecated Superseded by mbedtls/net_sockets.h
- */
-/*
- *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
- *
- *  Licensed under the Apache License, Version 2.0 (the "License"); you may
- *  not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
- *
- *  http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License.
- */
-#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
-#else
-#include MBEDTLS_CONFIG_FILE
-#endif
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-#include "mbedtls/net_sockets.h"
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#warning "Deprecated header file: Superseded by mbedtls/net_sockets.h"
-#endif /* MBEDTLS_DEPRECATED_WARNING */
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 7815ad9..0413196 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -2914,34 +2914,6 @@
 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
 
 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED    __attribute__((deprecated))
-#else
-#define MBEDTLS_DEPRECATED
-#endif
-
-/**
- * \brief          Set the Diffie-Hellman public P and G values,
- *                 read as hexadecimal strings (server-side only)
- *                 (Default values: MBEDTLS_DHM_RFC3526_MODP_2048_[PG])
- *
- * \param conf     SSL configuration
- * \param dhm_P    Diffie-Hellman-Merkle modulus
- * \param dhm_G    Diffie-Hellman-Merkle generator
- *
- * \deprecated     Superseded by \c mbedtls_ssl_conf_dh_param_bin.
- *
- * \return         0 if successful
- */
-MBEDTLS_DEPRECATED int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf,
-                                                  const char *dhm_P,
-                                                  const char *dhm_G );
-
-#endif /* MBEDTLS_DEPRECATED_REMOVED */
-
 /**
  * \brief          Set the Diffie-Hellman public P and G values
  *                 from big-endian binary presentations.
@@ -3741,32 +3713,6 @@
  * \return         Current maximum fragment length for the output buffer.
  */
 size_t mbedtls_ssl_get_input_max_frag_len( const mbedtls_ssl_context *ssl );
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-
-#if defined(MBEDTLS_DEPRECATED_WARNING)
-#define MBEDTLS_DEPRECATED    __attribute__((deprecated))
-#else
-#define MBEDTLS_DEPRECATED
-#endif
-
-/**
- * \brief          This function is a deprecated approach to getting the max
- *                 fragment length. Its an alias for
- *                 \c mbedtls_ssl_get_output_max_frag_len(), as the behaviour
- *                 is the same. See \c mbedtls_ssl_get_output_max_frag_len() for
- *                 more detail.
- *
- * \sa             mbedtls_ssl_get_input_max_frag_len()
- * \sa             mbedtls_ssl_get_output_max_frag_len()
- *
- * \param ssl      SSL context
- *
- * \return         Current maximum fragment length for the output buffer.
- */
-MBEDTLS_DEPRECATED size_t mbedtls_ssl_get_max_frag_len(
-                                        const mbedtls_ssl_context *ssl );
-#endif /* MBEDTLS_DEPRECATED_REMOVED */
 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
 
 /**
diff --git a/library/aes.c b/library/aes.c
index 3f61642..165b9e7 100644
--- a/library/aes.c
+++ b/library/aes.c
@@ -921,15 +921,6 @@
 }
 #endif /* !MBEDTLS_AES_ENCRYPT_ALT */
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-void mbedtls_aes_encrypt( mbedtls_aes_context *ctx,
-                          const unsigned char input[16],
-                          unsigned char output[16] )
-{
-    mbedtls_internal_aes_encrypt( ctx, input, output );
-}
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
-
 /*
  * AES-ECB block decryption
  */
@@ -994,15 +985,6 @@
 }
 #endif /* !MBEDTLS_AES_DECRYPT_ALT */
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-void mbedtls_aes_decrypt( mbedtls_aes_context *ctx,
-                          const unsigned char input[16],
-                          unsigned char output[16] )
-{
-    mbedtls_internal_aes_decrypt( ctx, input, output );
-}
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
-
 /*
  * AES-ECB block encryption/decryption
  */
diff --git a/library/bignum.c b/library/bignum.c
index 9cc5d66..aa9f0b1 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -2691,26 +2691,6 @@
     return( mpi_miller_rabin( &XX, rounds, f_rng, p_rng ) );
 }
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-/*
- * Pseudo-primality test, error probability 2^-80
- */
-int mbedtls_mpi_is_prime( const mbedtls_mpi *X,
-                  int (*f_rng)(void *, unsigned char *, size_t),
-                  void *p_rng )
-{
-    MPI_VALIDATE_RET( X     != NULL );
-    MPI_VALIDATE_RET( f_rng != NULL );
-
-    /*
-     * In the past our key generation aimed for an error rate of at most
-     * 2^-80. Since this function is deprecated, aim for the same certainty
-     * here as well.
-     */
-    return( mbedtls_mpi_is_prime_ext( X, 40, f_rng, p_rng ) );
-}
-#endif
-
 /*
  * Prime number generation
  *
diff --git a/library/cipher.c b/library/cipher.c
index 457f8f6..eab48b8 100644
--- a/library/cipher.c
+++ b/library/cipher.c
@@ -1288,8 +1288,8 @@
 
 #if defined(MBEDTLS_CIPHER_MODE_AEAD)
 /*
- * Packet-oriented encryption for AEAD modes: internal function shared by
- * mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_encrypt_ext().
+ * Packet-oriented encryption for AEAD modes: internal function used by
+ * mbedtls_cipher_auth_encrypt_ext().
  */
 static int mbedtls_cipher_aead_encrypt( mbedtls_cipher_context_t *ctx,
                          const unsigned char *iv, size_t iv_len,
@@ -1368,8 +1368,8 @@
 }
 
 /*
- * Packet-oriented encryption for AEAD modes: internal function shared by
- * mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_encrypt_ext().
+ * Packet-oriented encryption for AEAD modes: internal function used by
+ * mbedtls_cipher_auth_encrypt_ext().
  */
 static int mbedtls_cipher_aead_decrypt( mbedtls_cipher_context_t *ctx,
                          const unsigned char *iv, size_t iv_len,
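Review bot: The comment rewritten above mbedtls_cipher_aead_decrypt() still says "encryption" and names mbedtls_cipher_auth_encrypt_ext(), so it mislabels the decryption helper. Since both lines are being touched anyway, they should read `* Packet-oriented decryption for AEAD modes: internal function used by` and `* mbedtls_cipher_auth_decrypt_ext().`. The function body continues outside the hunk.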
@@ -1468,54 +1468,6 @@
 
     return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
 }
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-/*
- * Packet-oriented encryption for AEAD modes: public legacy function.
- */
-int mbedtls_cipher_auth_encrypt( mbedtls_cipher_context_t *ctx,
-                         const unsigned char *iv, size_t iv_len,
-                         const unsigned char *ad, size_t ad_len,
-                         const unsigned char *input, size_t ilen,
-                         unsigned char *output, size_t *olen,
-                         unsigned char *tag, size_t tag_len )
-{
-    CIPHER_VALIDATE_RET( ctx != NULL );
-    CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
-    CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
-    CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
-    CIPHER_VALIDATE_RET( ilen == 0 || output != NULL );
-    CIPHER_VALIDATE_RET( olen != NULL );
-    CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
-
-    return( mbedtls_cipher_aead_encrypt( ctx, iv, iv_len, ad, ad_len,
-                                         input, ilen, output, olen,
-                                         tag, tag_len ) );
-}
-
-/*
- * Packet-oriented decryption for AEAD modes: public legacy function.
- */
-int mbedtls_cipher_auth_decrypt( mbedtls_cipher_context_t *ctx,
-                         const unsigned char *iv, size_t iv_len,
-                         const unsigned char *ad, size_t ad_len,
-                         const unsigned char *input, size_t ilen,
-                         unsigned char *output, size_t *olen,
-                         const unsigned char *tag, size_t tag_len )
-{
-    CIPHER_VALIDATE_RET( ctx != NULL );
-    CIPHER_VALIDATE_RET( iv_len == 0 || iv != NULL );
-    CIPHER_VALIDATE_RET( ad_len == 0 || ad != NULL );
-    CIPHER_VALIDATE_RET( ilen == 0 || input != NULL );
-    CIPHER_VALIDATE_RET( ilen == 0 || output != NULL );
-    CIPHER_VALIDATE_RET( olen != NULL );
-    CIPHER_VALIDATE_RET( tag_len == 0 || tag != NULL );
-
-    return( mbedtls_cipher_aead_decrypt( ctx, iv, iv_len, ad, ad_len,
-                                         input, ilen, output, olen,
-                                         tag, tag_len ) );
-}
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
 #endif /* MBEDTLS_CIPHER_MODE_AEAD */
 
 #if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c
index 3815dc7..f7998db 100644
--- a/library/ctr_drbg.c
+++ b/library/ctr_drbg.c
@@ -309,7 +309,7 @@
 }
 
 /* CTR_DRBG_Instantiate with derivation function (SP 800-90A &sect;10.2.1.3.2)
- * mbedtls_ctr_drbg_update(ctx, additional, add_len)
+ * mbedtls_ctr_drbg_update_ret(ctx, additional, add_len)
  * implements
  * CTR_DRBG_Instantiate(entropy_input, nonce, personalization_string,
  *                      security_strength) -> initial_working_state
@@ -340,19 +340,6 @@
     return( ret );
 }
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-void mbedtls_ctr_drbg_update( mbedtls_ctr_drbg_context *ctx,
-                              const unsigned char *additional,
-                              size_t add_len )
-{
-    /* MAX_INPUT would be more logical here, but we have to match
-     * block_cipher_df()'s limits since we can't propagate errors */
-    if( add_len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT )
-        add_len = MBEDTLS_CTR_DRBG_MAX_SEED_INPUT;
-    (void) mbedtls_ctr_drbg_update_ret( ctx, additional, add_len );
-}
-#endif /* MBEDTLS_DEPRECATED_REMOVED */
-
 /* CTR_DRBG_Reseed with derivation function (SP 800-90A &sect;10.2.1.4.2)
  * mbedtls_ctr_drbg_reseed(ctx, additional, len, nonce_len)
  * implements
diff --git a/library/ecdsa.c b/library/ecdsa.c
index 22fb5e3..dfdd0b4 100644
--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@@ -416,6 +416,9 @@
 #if defined(MBEDTLS_ECDSA_DETERMINISTIC)
 /*
  * Deterministic signature wrapper
+ *
+ * \note    The f_rng_blind parameter must not be \c NULL.
+ *
  */
 static int ecdsa_sign_det_restartable( mbedtls_ecp_group *grp,
                     mbedtls_mpi *r, mbedtls_mpi *s,
@@ -469,69 +472,9 @@
     ret = mbedtls_ecdsa_sign( grp, r, s, d, buf, blen,
                               mbedtls_hmac_drbg_random, p_rng );
 #else
-    if( f_rng_blind != NULL )
-        ret = ecdsa_sign_restartable( grp, r, s, d, buf, blen,
-                                      mbedtls_hmac_drbg_random, p_rng,
-                                      f_rng_blind, p_rng_blind, rs_ctx );
-    else
-    {
-        mbedtls_hmac_drbg_context *p_rng_blind_det;
-
-#if !defined(MBEDTLS_ECP_RESTARTABLE)
-        /*
-         * To avoid reusing rng_ctx and risking incorrect behavior we seed a
-         * second HMAC-DRBG with the same seed. We also apply a label to avoid
-         * reusing the bits of the ephemeral key for blinding and eliminate the
-         * risk that they leak this way.
-         */
-        const char* blind_label = "BLINDING CONTEXT";
-        mbedtls_hmac_drbg_context rng_ctx_blind;
-
-        mbedtls_hmac_drbg_init( &rng_ctx_blind );
-        p_rng_blind_det = &rng_ctx_blind;
-        mbedtls_hmac_drbg_seed_buf( p_rng_blind_det, md_info,
-                                    data, 2 * grp_len );
-        ret = mbedtls_hmac_drbg_update_ret( p_rng_blind_det,
-                                            (const unsigned char*) blind_label,
-                                            strlen( blind_label ) );
-        if( ret != 0 )
-        {
-            mbedtls_hmac_drbg_free( &rng_ctx_blind );
-            goto cleanup;
-        }
-#else
-        /*
-         * In the case of restartable computations we would either need to store
-         * the second RNG in the restart context too or set it up at every
-         * restart. The first option would penalize the correct application of
-         * the function and the second would defeat the purpose of the
-         * restartable feature.
-         *
-         * Therefore in this case we reuse the original RNG. This comes with the
-         * price that the resulting signature might not be a valid deterministic
-         * ECDSA signature with a very low probability (same magnitude as
-         * successfully guessing the private key). However even then it is still
-         * a valid ECDSA signature.
-         */
-        p_rng_blind_det = p_rng;
-#endif /* MBEDTLS_ECP_RESTARTABLE */
-
-        /*
-         * Since the output of the RNGs is always the same for the same key and
-         * message, this limits the efficiency of blinding and leaks information
-         * through side channels. After mbedtls_ecdsa_sign_det() is removed NULL
-         * won't be a valid value for f_rng_blind anymore. Therefore it should
-         * be checked by the caller and this branch and check can be removed.
-         */
-        ret = ecdsa_sign_restartable( grp, r, s, d, buf, blen,
-                                      mbedtls_hmac_drbg_random, p_rng,
-                                      mbedtls_hmac_drbg_random, p_rng_blind_det,
-                                      rs_ctx );
-
-#if !defined(MBEDTLS_ECP_RESTARTABLE)
-        mbedtls_hmac_drbg_free( &rng_ctx_blind );
-#endif
-    }
+	ret = ecdsa_sign_restartable( grp, r, s, d, buf, blen,
+								  mbedtls_hmac_drbg_random, p_rng,
+								  f_rng_blind, p_rng_blind, rs_ctx );
 #endif /* MBEDTLS_ECDSA_SIGN_ALT */
 
 cleanup:
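Review bot: With the `f_rng_blind != NULL` branch removed, f_rng_blind is forwarded to ecdsa_sign_restartable() unchecked, and the only guard left in ecdsa_sign_det_restartable() (whose start is outside this hunk) is the `\note` comment added in the previous hunk. A caller that still passes NULL would then hand a null function pointer to the blinding code rather than get an error back, assuming ecdsa_sign_restartable() invokes it, which is not visible here. A runtime check placed before any context is initialised would keep that failure clean: `if( f_rng_blind == NULL ) return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );`. The `ECDSA_VALIDATE_RET( f_rng != NULL );` line added in the @@ -750 hunk has the same weakness if that macro is compiled out when parameter validation is disabled, which its definition (not shown) would confirm. The three added lines are also indented with tabs where the surrounding code uses spaces.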
@@ -544,26 +487,8 @@
 }
 
 /*
- * Deterministic signature wrappers
+ * Deterministic signature wrapper
  */
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r,
-                            mbedtls_mpi *s, const mbedtls_mpi *d,
-                            const unsigned char *buf, size_t blen,
-                            mbedtls_md_type_t md_alg )
-{
-    ECDSA_VALIDATE_RET( grp   != NULL );
-    ECDSA_VALIDATE_RET( r     != NULL );
-    ECDSA_VALIDATE_RET( s     != NULL );
-    ECDSA_VALIDATE_RET( d     != NULL );
-    ECDSA_VALIDATE_RET( buf   != NULL || blen == 0 );
-
-    return( ecdsa_sign_det_restartable( grp, r, s, d, buf, blen, md_alg,
-                                        NULL, NULL, NULL ) );
-}
-#endif /* MBEDTLS_DEPRECATED_REMOVED */
-
 int mbedtls_ecdsa_sign_det_ext( mbedtls_ecp_group *grp, mbedtls_mpi *r,
                                 mbedtls_mpi *s, const mbedtls_mpi *d,
                                 const unsigned char *buf, size_t blen,
@@ -750,10 +675,11 @@
 {
     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     mbedtls_mpi r, s;
-    ECDSA_VALIDATE_RET( ctx  != NULL );
-    ECDSA_VALIDATE_RET( hash != NULL );
-    ECDSA_VALIDATE_RET( sig  != NULL );
-    ECDSA_VALIDATE_RET( slen != NULL );
+    ECDSA_VALIDATE_RET( ctx   != NULL );
+    ECDSA_VALIDATE_RET( hash  != NULL );
+    ECDSA_VALIDATE_RET( sig   != NULL );
+    ECDSA_VALIDATE_RET( slen  != NULL );
+    ECDSA_VALIDATE_RET( f_rng != NULL );
 
     mbedtls_mpi_init( &r );
     mbedtls_mpi_init( &s );
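Review bot: The added `ECDSA_VALIDATE_RET( f_rng != NULL );` makes the RNG mandatory in a signing function that is kept, not removed, and this contract change is not documented in the hunk. The removed mbedtls_ecdsa_write_signature_det() wrapper further down passed `NULL, NULL` for the RNG, so NULL was an accepted value in deterministic builds until now. The function's header documentation and the changelog should say so, for example `\param f_rng The RNG function. This must not be \c NULL.`. The function signature is outside the hunk, so which entry point this is can only be inferred from the parameter names.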
@@ -803,22 +729,6 @@
                 ctx, md_alg, hash, hlen, sig, slen, f_rng, p_rng, NULL ) );
 }
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED) && \
-    defined(MBEDTLS_ECDSA_DETERMINISTIC)
-int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx,
-                               const unsigned char *hash, size_t hlen,
-                               unsigned char *sig, size_t *slen,
-                               mbedtls_md_type_t md_alg )
-{
-    ECDSA_VALIDATE_RET( ctx  != NULL );
-    ECDSA_VALIDATE_RET( hash != NULL );
-    ECDSA_VALIDATE_RET( sig  != NULL );
-    ECDSA_VALIDATE_RET( slen != NULL );
-    return( mbedtls_ecdsa_write_signature( ctx, md_alg, hash, hlen, sig, slen,
-                                   NULL, NULL ) );
-}
-#endif
-
 /*
  * Read and check signature
  */
diff --git a/library/hmac_drbg.c b/library/hmac_drbg.c
index 25a0225..bd14b3c 100644
--- a/library/hmac_drbg.c
+++ b/library/hmac_drbg.c
@@ -108,15 +108,6 @@
     return( ret );
 }
 
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-void mbedtls_hmac_drbg_update( mbedtls_hmac_drbg_context *ctx,
-                               const unsigned char *additional,
-                               size_t add_len )
-{
-    (void) mbedtls_hmac_drbg_update_ret( ctx, additional, add_len );
-}
-#endif /* MBEDTLS_DEPRECATED_REMOVED */
-
 /*
  * Simplified HMAC_DRBG initialisation (for use with deterministic ECDSA)
  */
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index b7c4591..111fd59 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -3809,7 +3809,7 @@
 #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
     defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
 /* `ecp` cannot be const because `ecp->grp` needs to be non-const
- * for mbedtls_ecdsa_sign() and mbedtls_ecdsa_sign_det()
+ * for mbedtls_ecdsa_sign() and mbedtls_ecdsa_sign_det_ext()
  * (even though these functions don't modify it). */
 static psa_status_t psa_ecdsa_sign( mbedtls_ecp_keypair *ecp,
                                     psa_algorithm_t alg,
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 72f09bb..4a694f1 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -858,7 +858,7 @@
                    &rec->data_len,
                    transform->taglen ) ) != 0 )
         {
-            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret );
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt_ext", ret );
             return( ret );
         }
         MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag",
@@ -1414,7 +1414,7 @@
          * explicit_iv_len Bytes preceeding data, and taglen
          * bytes following data + data_len. This justifies
          * the debug message and the invocation of
-         * mbedtls_cipher_auth_decrypt() below. */
+         * mbedtls_cipher_auth_decrypt_ext() below. */
 
         MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", iv, transform->ivlen );
         MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", data + rec->data_len,
@@ -1430,7 +1430,7 @@
                   data, rec->buf_len - (data - rec->buf), &olen,    /* dst */
                   transform->taglen ) ) != 0 )
         {
-            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt", ret );
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt_ext", ret );
 
             if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
                 return( MBEDTLS_ERR_SSL_INVALID_MAC );
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 336cbea..ecdbe8e 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4532,24 +4532,6 @@
 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
 
 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, const char *dhm_G )
-{
-    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
-    if( ( ret = mbedtls_mpi_read_string( &conf->dhm_P, 16, dhm_P ) ) != 0 ||
-        ( ret = mbedtls_mpi_read_string( &conf->dhm_G, 16, dhm_G ) ) != 0 )
-    {
-        mbedtls_mpi_free( &conf->dhm_P );
-        mbedtls_mpi_free( &conf->dhm_G );
-        return( ret );
-    }
-
-    return( 0 );
-}
-#endif /* MBEDTLS_DEPRECATED_REMOVED */
-
 int mbedtls_ssl_conf_dh_param_bin( mbedtls_ssl_config *conf,
                                    const unsigned char *dhm_P, size_t P_len,
                                    const unsigned char *dhm_G, size_t G_len )
@@ -5084,13 +5066,6 @@
 
     return( max_len );
 }
-
-#if !defined(MBEDTLS_DEPRECATED_REMOVED)
-size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl )
-{
-    return mbedtls_ssl_get_output_max_frag_len( ssl );
-}
-#endif /* !MBEDTLS_DEPRECATED_REMOVED */
 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
 
 #if defined(MBEDTLS_SSL_PROTO_DTLS)
diff --git a/programs/test/cpp_dummy_build.cpp b/programs/test/cpp_dummy_build.cpp
index db756a1..9e32a0e 100644
--- a/programs/test/cpp_dummy_build.cpp
+++ b/programs/test/cpp_dummy_build.cpp
@@ -64,7 +64,6 @@
 #include "mbedtls/md4.h"
 #include "mbedtls/md5.h"
 #include "mbedtls/md_internal.h"
-#include "mbedtls/net.h"
 #include "mbedtls/net_sockets.h"
 #include "mbedtls/nist_kw.h"
 #include "mbedtls/oid.h"
diff --git a/scripts/data_files/rename-1.3-2.0.txt b/scripts/data_files/rename-1.3-2.0.txt
index 8fab363..c5f6738 100644
--- a/scripts/data_files/rename-1.3-2.0.txt
+++ b/scripts/data_files/rename-1.3-2.0.txt
@@ -397,14 +397,8 @@
 POLARSSL_DHM_H MBEDTLS_DHM_H
 POLARSSL_DHM_RFC2409_MODP_1024_G MBEDTLS_DHM_RFC2409_MODP_1024_G
 POLARSSL_DHM_RFC2409_MODP_1024_P MBEDTLS_DHM_RFC2409_MODP_1024_P
-POLARSSL_DHM_RFC3526_MODP_2048_G MBEDTLS_DHM_RFC3526_MODP_2048_G
-POLARSSL_DHM_RFC3526_MODP_2048_P MBEDTLS_DHM_RFC3526_MODP_2048_P
-POLARSSL_DHM_RFC3526_MODP_3072_G MBEDTLS_DHM_RFC3526_MODP_3072_G
-POLARSSL_DHM_RFC3526_MODP_3072_P MBEDTLS_DHM_RFC3526_MODP_3072_P
 POLARSSL_DHM_RFC5114_MODP_1024_G MBEDTLS_DHM_RFC5114_MODP_1024_G
 POLARSSL_DHM_RFC5114_MODP_1024_P MBEDTLS_DHM_RFC5114_MODP_1024_P
-POLARSSL_DHM_RFC5114_MODP_2048_G MBEDTLS_DHM_RFC5114_MODP_2048_G
-POLARSSL_DHM_RFC5114_MODP_2048_P MBEDTLS_DHM_RFC5114_MODP_2048_P
 POLARSSL_ECDH_C MBEDTLS_ECDH_C
 POLARSSL_ECDH_H MBEDTLS_ECDH_H
 POLARSSL_ECDH_OURS MBEDTLS_ECDH_OURS
@@ -1366,8 +1360,6 @@
 ccm_free mbedtls_ccm_free
 ccm_init mbedtls_ccm_init
 ccm_self_test mbedtls_ccm_self_test
-cipher_auth_decrypt mbedtls_cipher_auth_decrypt
-cipher_auth_encrypt mbedtls_cipher_auth_encrypt
 cipher_base_t mbedtls_cipher_base_t
 cipher_check_tag mbedtls_cipher_check_tag
 cipher_context_t mbedtls_cipher_context_t
@@ -1414,7 +1406,6 @@
 ctr_drbg_set_entropy_len mbedtls_ctr_drbg_set_entropy_len
 ctr_drbg_set_prediction_resistance mbedtls_ctr_drbg_set_prediction_resistance
 ctr_drbg_set_reseed_interval mbedtls_ctr_drbg_set_reseed_interval
-ctr_drbg_update mbedtls_ctr_drbg_update
 ctr_drbg_update_seed_file mbedtls_ctr_drbg_update_seed_file
 ctr_drbg_write_seed_file mbedtls_ctr_drbg_write_seed_file
 debug_fmt mbedtls_debug_fmt
@@ -1479,10 +1470,8 @@
 ecdsa_read_signature mbedtls_ecdsa_read_signature
 ecdsa_self_test mbedtls_ecdsa_self_test
 ecdsa_sign mbedtls_ecdsa_sign
-ecdsa_sign_det mbedtls_ecdsa_sign_det
 ecdsa_verify mbedtls_ecdsa_verify
 ecdsa_write_signature mbedtls_ecdsa_write_signature
-ecdsa_write_signature_det mbedtls_ecdsa_write_signature_det
 eckey_info mbedtls_eckey_info
 eckeydh_info mbedtls_eckeydh_info
 ecp_add mbedtls_ecp_add
@@ -1558,7 +1547,6 @@
 hmac_drbg_set_entropy_len mbedtls_hmac_drbg_set_entropy_len
 hmac_drbg_set_prediction_resistance mbedtls_hmac_drbg_set_prediction_resistance
 hmac_drbg_set_reseed_interval mbedtls_hmac_drbg_set_reseed_interval
-hmac_drbg_update mbedtls_hmac_drbg_update
 hmac_drbg_update_seed_file mbedtls_hmac_drbg_update_seed_file
 hmac_drbg_write_seed_file mbedtls_hmac_drbg_write_seed_file
 hr_time mbedtls_timing_hr_time
@@ -1994,7 +1982,6 @@
 ssl_set_client_transport_id mbedtls_ssl_set_client_transport_id
 ssl_set_curves mbedtls_ssl_conf_curves
 ssl_set_dbg mbedtls_ssl_conf_dbg
-ssl_set_dh_param mbedtls_ssl_conf_dh_param
 ssl_set_dh_param_ctx mbedtls_ssl_conf_dh_param_ctx
 ssl_set_dtls_anti_replay mbedtls_ssl_conf_dtls_anti_replay
 ssl_set_dtls_badmac_limit mbedtls_ssl_conf_dtls_badmac_limit
diff --git a/tests/src/drivers/signature.c b/tests/src/drivers/signature.c
index cea0351..0185acc 100644
--- a/tests/src/drivers/signature.c
+++ b/tests/src/drivers/signature.c
@@ -117,7 +117,7 @@
         goto cleanup;
     }
     MBEDTLS_MPI_CHK( mbedtls_ecdsa_sign_det( &ecp.grp, &r, &s, &ecp.d,
-                                  hash, hash_length, md_alg ) );
+                                  hash, hash_length, md_alg, mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE ) );
     MBEDTLS_MPI_CHK( mbedtls_mpi_write_binary( &r,
                                                signature,
                                                curve_bytes ) );
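Review bot: The updated call still names `mbedtls_ecdsa_sign_det`, which this commit removes, yet it passes the two extra blinding-RNG arguments that match `mbedtls_ecdsa_sign_det_ext` as it appears in library/ecdsa.c. This test-driver path should therefore fail to compile whenever it is built. The first line of the call should be `MBEDTLS_MPI_CHK( mbedtls_ecdsa_sign_det_ext( &ecp.grp, &r, &s, &ecp.d,` with the argument list left as is. The new argument line also runs well past the width of its neighbours and would read better with `mbedtls_psa_get_random,` and `MBEDTLS_PSA_RANDOM_STATE ) );` on their own continuation lines. The enclosing function starts and ends outside the hunk.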
diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function
index 76e474f..463f58d 100644
--- a/tests/suites/test_suite_cipher.function
+++ b/tests/suites/test_suite_cipher.function
@@ -422,124 +422,6 @@
                               valid_buffer, valid_size,
                               valid_buffer, NULL ) );
 
-#if defined(MBEDTLS_CIPHER_MODE_AEAD)
-    /* mbedtls_cipher_auth_encrypt() */
-    TEST_INVALID_PARAM_RET(
-        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
-        mbedtls_cipher_auth_encrypt( NULL,
-                                     valid_buffer, valid_size,
-                                     valid_buffer, valid_size,
-                                     valid_buffer, valid_size,
-                                     valid_buffer, &size_t_var,
-                                     valid_buffer, valid_size ) );
-    TEST_INVALID_PARAM_RET(
-        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
-        mbedtls_cipher_auth_encrypt( &valid_ctx,
-                                     NULL, valid_size,
-                                     valid_buffer, valid_size,
-                                     valid_buffer, valid_size,
-                                     valid_buffer, &size_t_var,
-                                     valid_buffer, valid_size ) );
-    TEST_INVALID_PARAM_RET(
-        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
-        mbedtls_cipher_auth_encrypt( &valid_ctx,
-                                     valid_buffer, valid_size,
-                                     NULL, valid_size,
-                                     valid_buffer, valid_size,
-                                     valid_buffer, &size_t_var,
-                                     valid_buffer, valid_size ) );
-    TEST_INVALID_PARAM_RET(
-        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
-        mbedtls_cipher_auth_encrypt( &valid_ctx,
-                                     valid_buffer, valid_size,
-                                     valid_buffer, valid_size,
-                                     NULL, valid_size,
-                                     valid_buffer, &size_t_var,
-                                     valid_buffer, valid_size ) );
-    TEST_INVALID_PARAM_RET(
-        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
-        mbedtls_cipher_auth_encrypt( &valid_ctx,
-                                     valid_buffer, valid_size,
-                                     valid_buffer, valid_size,
-                                     valid_buffer, valid_size,
-                                     NULL, &size_t_var,
-                                     valid_buffer, valid_size ) );
-    TEST_INVALID_PARAM_RET(
-        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
-        mbedtls_cipher_auth_encrypt( &valid_ctx,
-                                     valid_buffer, valid_size,
-                                     valid_buffer, valid_size,
-                                     valid_buffer, valid_size,
-                                     valid_buffer, NULL,
-                                     valid_buffer, valid_size ) );
-    TEST_INVALID_PARAM_RET(
-        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
-        mbedtls_cipher_auth_encrypt( &valid_ctx,
-                                     valid_buffer, valid_size,
-                                     valid_buffer, valid_size,
-                                     valid_buffer, valid_size,
-                                     valid_buffer, &size_t_var,
-                                     NULL, valid_size ) );
-
-    /* mbedtls_cipher_auth_decrypt() */
-    TEST_INVALID_PARAM_RET(
-        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
-        mbedtls_cipher_auth_decrypt( NULL,
-                                     valid_buffer, valid_size,
-                                     valid_buffer, valid_size,
-                                     valid_buffer, valid_size,
-                                     valid_buffer, &size_t_var,
-                                     valid_buffer, valid_size ) );
-    TEST_INVALID_PARAM_RET(
-        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
-        mbedtls_cipher_auth_decrypt( &valid_ctx,
-                                     NULL, valid_size,
-                                     valid_buffer, valid_size,
-                                     valid_buffer, valid_size,
-                                     valid_buffer, &size_t_var,
-                                     valid_buffer, valid_size ) );
-    TEST_INVALID_PARAM_RET(
-        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
-        mbedtls_cipher_auth_decrypt( &valid_ctx,
-                                     valid_buffer, valid_size,
-                                     NULL, valid_size,
-                                     valid_buffer, valid_size,
-                                     valid_buffer, &size_t_var,
-                                     valid_buffer, valid_size ) );
-    TEST_INVALID_PARAM_RET(
-        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
-        mbedtls_cipher_auth_decrypt( &valid_ctx,
-                                     valid_buffer, valid_size,
-                                     valid_buffer, valid_size,
-                                     NULL, valid_size,
-                                     valid_buffer, &size_t_var,
-                                     valid_buffer, valid_size ) );
-    TEST_INVALID_PARAM_RET(
-        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
-        mbedtls_cipher_auth_decrypt( &valid_ctx,
-                                     valid_buffer, valid_size,
-                                     valid_buffer, valid_size,
-                                     valid_buffer, valid_size,
-                                     NULL, &size_t_var,
-                                     valid_buffer, valid_size ) );
-    TEST_INVALID_PARAM_RET(
-        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
-        mbedtls_cipher_auth_decrypt( &valid_ctx,
-                                     valid_buffer, valid_size,
-                                     valid_buffer, valid_size,
-                                     valid_buffer, valid_size,
-                                     valid_buffer, NULL,
-                                     valid_buffer, valid_size ) );
-    TEST_INVALID_PARAM_RET(
-        MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA,
-        mbedtls_cipher_auth_decrypt( &valid_ctx,
-                                     valid_buffer, valid_size,
-                                     valid_buffer, valid_size,
-                                     valid_buffer, valid_size,
-                                     valid_buffer, &size_t_var,
-                                     NULL, valid_size ) );
-#endif /* defined(MBEDTLS_CIPHER_MODE_AEAD) */
-
 #if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C)
     /* mbedtls_cipher_auth_encrypt_ext */
     TEST_INVALID_PARAM_RET(
@@ -1146,13 +1028,6 @@
     unsigned char *encrypt_buf = NULL;
     size_t encrypt_buf_len = 0;
 
-#if !defined(MBEDTLS_DEPRECATED_WARNING) && \
-    !defined(MBEDTLS_DEPRECATED_REMOVED)
-    unsigned char *tmp_tag    = NULL;
-    unsigned char *tmp_cipher = NULL;
-    unsigned char *tag_buf = NULL;
-#endif /* !MBEDTLS_DEPRECATED_WARNING && !MBEDTLS_DEPRECATED_REMOVED */
-
     /* Null pointers are documented as valid for inputs of length 0.
      * The test framework passes non-null pointers, so set them to NULL.
      * key, cipher and tag can't be empty. */
@@ -1184,12 +1059,6 @@
                     cipher_id == MBEDTLS_CIPHER_AES_256_KW ||
                     using_nist_kw_padding;
 
-    /****************************************************************
-     *                                                              *
-     *  Part 1: non-deprecated API                                  *
-     *                                                              *
-     ****************************************************************/
-
     /*
      * Prepare context for decryption
      */
@@ -1253,7 +1122,6 @@
         ASSERT_COMPARE( decrypt_buf, outlen, clear->x, clear->len );
     }
 
-    /* Free this, but keep cipher_plus_tag for deprecated function with PSA */
     mbedtls_free( decrypt_buf );
     decrypt_buf = NULL;
 
@@ -1315,135 +1183,12 @@
         encrypt_buf = NULL;
     }
 
-    /****************************************************************
-     *                                                              *
-     *  Part 2: deprecated API                                      *
-     *                                                              *
-     ****************************************************************/
-
-#if !defined(MBEDTLS_DEPRECATED_WARNING) && \
-    !defined(MBEDTLS_DEPRECATED_REMOVED)
-
-    /*
-     * Prepare context for decryption
-     */
-    if( ! cipher_reset_key( &ctx, cipher_id, use_psa, tag->len, key,
-                            MBEDTLS_DECRYPT ) )
-        goto exit;
-
-    /*
-     * Prepare pointers for decryption
-     */
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-    if( use_psa == 1 )
-    {
-        /* PSA requires that the tag immediately follows the ciphertext.
-         * Fortunately, we already have that from testing the new API. */
-        tmp_cipher = cipher_plus_tag;
-        tmp_tag = tmp_cipher + cipher->len;
-    }
-    else
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-    {
-        tmp_cipher = cipher->x;
-        tmp_tag = tag->x;
-    }
-
-    /*
-     * Authenticate and decrypt, and check result
-     */
-
-    ASSERT_ALLOC( decrypt_buf, cipher->len );
-    outlen = 0;
-    ret = mbedtls_cipher_auth_decrypt( &ctx, iv->x, iv->len, ad->x, ad->len,
-                               tmp_cipher, cipher->len, decrypt_buf, &outlen,
-                               tmp_tag, tag->len );
-
-    if( using_nist_kw )
-    {
-        /* NIST_KW with legacy API */
-        TEST_ASSERT( ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
-    }
-    else if( strcmp( result, "FAIL" ) == 0 )
-    {
-        /* unauthentic message */
-        TEST_ASSERT( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED );
-        TEST_ASSERT( buffer_is_all_zero( decrypt_buf, cipher->len ) );
-    }
-    else
-    {
-        /* authentic message: is the plaintext correct? */
-        TEST_ASSERT( ret == 0 );
-        ASSERT_COMPARE(  decrypt_buf, outlen, clear->x, clear->len );
-    }
-
-    mbedtls_free( decrypt_buf );
-    decrypt_buf = NULL;
-    mbedtls_free( cipher_plus_tag );
-    cipher_plus_tag = NULL;
-
-    /*
-     * Encrypt back if test data was authentic
-     */
-    if( strcmp( result, "FAIL" ) != 0 )
-    {
-        /* prepare context for encryption */
-        if( ! cipher_reset_key( &ctx, cipher_id, use_psa, tag->len, key,
-                                MBEDTLS_ENCRYPT ) )
-            goto exit;
-
-        /* prepare buffers for encryption */
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
-        if( use_psa )
-        {
-            ASSERT_ALLOC( cipher_plus_tag, cipher->len + tag->len );
-            tmp_cipher = cipher_plus_tag;
-            tmp_tag = cipher_plus_tag + cipher->len;
-        }
-        else
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
-        {
-            ASSERT_ALLOC( encrypt_buf, cipher->len );
-            ASSERT_ALLOC( tag_buf, tag->len );
-            tmp_cipher = encrypt_buf;
-            tmp_tag = tag_buf;
-        }
-
-        /*
-         * Encrypt and check the result
-         */
-        outlen = 0;
-        ret = mbedtls_cipher_auth_encrypt( &ctx, iv->x, iv->len, ad->x, ad->len,
-                                   clear->x, clear->len, tmp_cipher, &outlen,
-                                   tmp_tag, tag->len );
-
-        if( using_nist_kw )
-        {
-            TEST_ASSERT( ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
-        }
-        else
-        {
-            TEST_ASSERT( ret == 0 );
-
-            TEST_ASSERT( outlen == cipher->len );
-            if( cipher->len != 0 )
-                TEST_ASSERT( memcmp( tmp_cipher, cipher->x, cipher->len ) == 0 );
-            TEST_ASSERT( memcmp( tmp_tag, tag->x, tag->len ) == 0 );
-        }
-    }
-
-#endif /* !MBEDTLS_DEPRECATED_WARNING && !MBEDTLS_DEPRECATED_REMOVED */
-
 exit:
 
     mbedtls_cipher_free( &ctx );
     mbedtls_free( decrypt_buf );
     mbedtls_free( encrypt_buf );
     mbedtls_free( cipher_plus_tag );
-#if !defined(MBEDTLS_DEPRECATED_WARNING) && \
-    !defined(MBEDTLS_DEPRECATED_REMOVED)
-    mbedtls_free( tag_buf );
-#endif /* !MBEDTLS_DEPRECATED_WARNING && !MBEDTLS_DEPRECATED_REMOVED */
 
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
     if( use_psa == 1 )
diff --git a/visualc/VS2010/mbedTLS.vcxproj b/visualc/VS2010/mbedTLS.vcxproj
index 280c528..84a1464 100644
--- a/visualc/VS2010/mbedTLS.vcxproj
+++ b/visualc/VS2010/mbedTLS.vcxproj
@@ -184,7 +184,6 @@
     <ClInclude Include="..\..\include\mbedtls\md5.h" />

     <ClInclude Include="..\..\include\mbedtls\md_internal.h" />

     <ClInclude Include="..\..\include\mbedtls\memory_buffer_alloc.h" />

-    <ClInclude Include="..\..\include\mbedtls\net.h" />

     <ClInclude Include="..\..\include\mbedtls\net_sockets.h" />

     <ClInclude Include="..\..\include\mbedtls\nist_kw.h" />

     <ClInclude Include="..\..\include\mbedtls\oid.h" />