diff --git a/ChangeLog b/ChangeLog
index c37eff0cb9a3b365bf85fca5e23903721ad4be46..83e96789f76bf48d3d6061c04084b3beffb5bab9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,21 @@
 2018-08-09  Niels Möller  <nisse@lysator.liu.se>
 
+	* rsa-internal.h (_rsa_blind, _rsa_unblind): Mark with
+	_NETTLE_ATTRIBUTE_DEPRECATED.
+
+	* nettle-types.h (_NETTLE_ATTRIBUTE_PURE)
+	(_NETTLE_ATTRIBUTE_DEPRECATED): New macros, for gcc and
+	lookalikes.
+	* ecc-curve.h: Include nettle-types.h, and use
+	_NETTLE_ATTRIBUTE_PURE instead of local definition.
+	* nettle-meta.h: Use _NETTLE_ATTRIBUTE_PURE, instead of explicit
+	#ifdefs.
+
+	* aes.h: Mark functions using struct aes_ctx interface as
+	deprecated. Add #undef _NETTLE_ATTRIBUTE_DEPRECATED in files where
+	the functions are implemented or tested.
+	* gcm.h: Similarly mark functions using gcm_aes_ctx as deprecated.
+
 	* nettle-internal.c (des_set_key_wrapper, des3_set_key_wrapper)
 	(blowfish128_set_key_wrapper): Wrapper functions, to avoid cast
 	between incompatible function types (which gcc-8 warns about).
diff --git a/aes-set-decrypt-key.c b/aes-set-decrypt-key.c
index ffbb1898d29202eaba938deb7004eb5a871f1355..20214eaba701773e38dd9ed535e8e43d0da24f64 100644
--- a/aes-set-decrypt-key.c
+++ b/aes-set-decrypt-key.c
@@ -36,6 +36,9 @@
 # include "config.h"
 #endif
 
+/* This file implements and uses deprecated functions */
+#define _NETTLE_ATTRIBUTE_DEPRECATED
+
 #include "aes-internal.h"
 
 void
diff --git a/aes.h b/aes.h
index 5a0545c81d1113c21c9ce5908d84bc3f1eda405e..333ec52fc8591f930b2f5cb2d7d75965d225db52 100644
--- a/aes.h
+++ b/aes.h
@@ -76,7 +76,8 @@ extern "C" {
 #define AES_MIN_KEY_SIZE AES128_KEY_SIZE
 #define AES_MAX_KEY_SIZE AES256_KEY_SIZE
 
-/* Older nettle-2.7 interface */
+/* The older nettle-2.7 AES interface is deprecated, please migrate to
+   the newer interface where each algorithm has a fixed key size. */
 
 #define AES_KEY_SIZE 32
 
@@ -88,24 +89,27 @@ struct aes_ctx
 
 void
 aes_set_encrypt_key(struct aes_ctx *ctx,
-		    size_t length, const uint8_t *key);
+		    size_t length, const uint8_t *key)
+  _NETTLE_ATTRIBUTE_DEPRECATED;
 
 void
 aes_set_decrypt_key(struct aes_ctx *ctx,
-		   size_t length, const uint8_t *key);
+		   size_t length, const uint8_t *key)
+  _NETTLE_ATTRIBUTE_DEPRECATED;
 
 void
 aes_invert_key(struct aes_ctx *dst,
-	       const struct aes_ctx *src);
+	       const struct aes_ctx *src)
+  _NETTLE_ATTRIBUTE_DEPRECATED;
 
 void
 aes_encrypt(const struct aes_ctx *ctx,
 	    size_t length, uint8_t *dst,
-	    const uint8_t *src);
+	    const uint8_t *src) _NETTLE_ATTRIBUTE_DEPRECATED;
 void
 aes_decrypt(const struct aes_ctx *ctx,
 	    size_t length, uint8_t *dst,
-	    const uint8_t *src);
+	    const uint8_t *src) _NETTLE_ATTRIBUTE_DEPRECATED;
 
 struct aes128_ctx
 {
diff --git a/ecc-curve.h b/ecc-curve.h
index 8af75fddb37cb8b09a531dc394ba7a289802d3a2..76024a19d24fc4048bae77a03f0bfe06927f7fd9 100644
--- a/ecc-curve.h
+++ b/ecc-curve.h
@@ -34,6 +34,8 @@
 #ifndef NETTLE_ECC_CURVE_H_INCLUDED
 #define NETTLE_ECC_CURVE_H_INCLUDED
 
+#include "nettle-types.h"
+
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -41,19 +43,11 @@ extern "C" {
 /* The contents of this struct is internal. */
 struct ecc_curve;
 
-#ifdef __GNUC__
-#define NETTLE_PURE __attribute__((pure))
-#else
-#define NETTLE_PURE
-#endif
-
-const struct ecc_curve * NETTLE_PURE nettle_get_secp_192r1(void);
-const struct ecc_curve * NETTLE_PURE nettle_get_secp_224r1(void);
-const struct ecc_curve * NETTLE_PURE nettle_get_secp_256r1(void);
-const struct ecc_curve * NETTLE_PURE nettle_get_secp_384r1(void);
-const struct ecc_curve * NETTLE_PURE nettle_get_secp_521r1(void);
-
-#undef NETTLE_PURE
+const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_192r1(void);
+const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_224r1(void);
+const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_256r1(void);
+const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_384r1(void);
+const struct ecc_curve * _NETTLE_ATTRIBUTE_PURE nettle_get_secp_521r1(void);
 
 #ifdef __cplusplus
 }
diff --git a/gcm-aes.c b/gcm-aes.c
index 9c67355a0b7fe824f492dbcb5402d4fe34a1157c..477eeb6e3e413ff32174d9ae8db03fb96581a561 100644
--- a/gcm-aes.c
+++ b/gcm-aes.c
@@ -35,6 +35,9 @@
 # include "config.h"
 #endif
 
+/* This file implements and uses deprecated functions */
+#define _NETTLE_ATTRIBUTE_DEPRECATED
+
 #include "gcm.h"
 
 void
diff --git a/gcm.h b/gcm.h
index 766019ae1d74b1736756639226159db704cf98dd..96578530619c98f86ca99b2d058c3b66f78e69a9 100644
--- a/gcm.h
+++ b/gcm.h
@@ -261,31 +261,34 @@ void
 gcm_aes256_digest(struct gcm_aes256_ctx *ctx,
 		  size_t length, uint8_t *digest);
 
-/* Old aes interface, for backwards compatibility */
+/* Old deprecated aes interface, for backwards compatibility */
 struct gcm_aes_ctx GCM_CTX(struct aes_ctx);
 
 void
 gcm_aes_set_key(struct gcm_aes_ctx *ctx,
-		size_t length, const uint8_t *key);
+		size_t length, const uint8_t *key) _NETTLE_ATTRIBUTE_DEPRECATED;
 
 void
 gcm_aes_set_iv(struct gcm_aes_ctx *ctx,
-	       size_t length, const uint8_t *iv);
+	       size_t length, const uint8_t *iv) _NETTLE_ATTRIBUTE_DEPRECATED;
 
 void
 gcm_aes_update(struct gcm_aes_ctx *ctx,
-	       size_t length, const uint8_t *data);
+	       size_t length, const uint8_t *data) _NETTLE_ATTRIBUTE_DEPRECATED;
 
 void
 gcm_aes_encrypt(struct gcm_aes_ctx *ctx,
-		size_t length, uint8_t *dst, const uint8_t *src);
+		size_t length, uint8_t *dst, const uint8_t *src)
+  _NETTLE_ATTRIBUTE_DEPRECATED;
 
 void
 gcm_aes_decrypt(struct gcm_aes_ctx *ctx,
-		size_t length, uint8_t *dst, const uint8_t *src);
+		size_t length, uint8_t *dst, const uint8_t *src)
+  _NETTLE_ATTRIBUTE_DEPRECATED;
 
 void
-gcm_aes_digest(struct gcm_aes_ctx *ctx, size_t length, uint8_t *digest);
+gcm_aes_digest(struct gcm_aes_ctx *ctx, size_t length, uint8_t *digest)
+  _NETTLE_ATTRIBUTE_DEPRECATED;
 
 
 struct gcm_camellia128_ctx GCM_CTX(struct camellia128_ctx);
diff --git a/nettle-meta.h b/nettle-meta.h
index 8fe1cf84651b91afdbb2d2d409f7f294cc5f8da1..74e50e59cd2ecef0f412504ebd97e0b75b8be821 100644
--- a/nettle-meta.h
+++ b/nettle-meta.h
@@ -61,10 +61,7 @@ struct nettle_cipher
 };
 
 /* null-terminated list of ciphers implemented by this version of nettle */
-const struct nettle_cipher * const *
-#ifdef __GNUC__
-__attribute__((pure))
-#endif
+const struct nettle_cipher * const * _NETTLE_ATTRIBUTE_PURE
 nettle_get_ciphers (void);
 
 #define nettle_ciphers (nettle_get_ciphers())
@@ -121,10 +118,7 @@ struct nettle_hash
 } 
 
 /* null-terminated list of digests implemented by this version of nettle */
-const struct nettle_hash * const *
-#ifdef __GNUC__
-__attribute__((pure))
-#endif
+const struct nettle_hash * const * _NETTLE_ATTRIBUTE_PURE
 nettle_get_hashes (void);
 
 #define nettle_hashes (nettle_get_hashes())
@@ -172,10 +166,7 @@ struct nettle_aead
 
 /* null-terminated list of aead constructions implemented by this
    version of nettle */
-const struct nettle_aead * const *
-#ifdef __GNUC__
-__attribute__((pure))
-#endif
+const struct nettle_aead * const * _NETTLE_ATTRIBUTE_PURE
 nettle_get_aeads (void);
 
 #define nettle_aeads (nettle_get_aeads())
@@ -238,10 +229,7 @@ struct nettle_armor
 }
 
 /* null-terminated list of armor schemes implemented by this version of nettle */
-const struct nettle_armor * const *
-#ifdef __GNUC__
-__attribute__((pure))
-#endif
+const struct nettle_armor * const * _NETTLE_ATTRIBUTE_PURE
 nettle_get_armors (void);
 
 #define nettle_armors (nettle_get_armors())
diff --git a/nettle-types.h b/nettle-types.h
index f04655d6582988d3eecaeb5f56a44e9bafa27806..4576b7c7b5b305ddb2f78461c39563dc712d5600 100644
--- a/nettle-types.h
+++ b/nettle-types.h
@@ -39,6 +39,23 @@
 #define _STDINT_HAVE_INT_FAST32_T 1
 #include "nettle-stdint.h"
 
+/* Attributes we want to use in installed header files, and hence
+   can't rely on config.h. */
+#ifdef __GNUC__
+
+#define _NETTLE_ATTRIBUTE_PURE __attribute__((pure))
+#ifndef _NETTLE_ATTRIBUTE_DEPRECATED
+/* Variant without message is supported since gcc-3.1 or so. */
+#define _NETTLE_ATTRIBUTE_DEPRECATED __attribute__((deprecated))
+#endif
+
+#else /* !__GNUC__ */
+
+#define _NETTLE_ATTRIBUTE_PURE
+#define _NETTLE_ATTRIBUTE_DEPRECATED
+
+#endif /* !__GNUC__ */
+
 #ifdef __cplusplus
 extern "C" {
 #endif
diff --git a/rsa-internal.h b/rsa-internal.h
index 1f98f95fd7e1ab34e85ac6fafb15205e47d401ff..5c97eaa13f3007f67a404f3f598965cb97958f70 100644
--- a/rsa-internal.h
+++ b/rsa-internal.h
@@ -61,8 +61,9 @@ _rsa_check_size(mpz_t n);
 void
 _rsa_blind (const struct rsa_public_key *pub,
 	    void *random_ctx, nettle_random_func *random,
-	    mpz_t c, mpz_t ri);
+	    mpz_t c, mpz_t ri) _NETTLE_ATTRIBUTE_DEPRECATED;
 void
-_rsa_unblind (const struct rsa_public_key *pub, mpz_t c, const mpz_t ri);
+_rsa_unblind (const struct rsa_public_key *pub, mpz_t c, const mpz_t ri)
+  _NETTLE_ATTRIBUTE_DEPRECATED;
 
 #endif /* NETTLE_RSA_INTERNAL_H_INCLUDED */
diff --git a/testsuite/aes-test.c b/testsuite/aes-test.c
index 57e1eff42505101391c8bf6cbbbd327307fd0069..078bd678ea3fb658edcaf394ec70835362c1210c 100644
--- a/testsuite/aes-test.c
+++ b/testsuite/aes-test.c
@@ -1,3 +1,6 @@
+/* This file tests deprecated functions */
+#define _NETTLE_ATTRIBUTE_DEPRECATED
+
 #include "testutils.h"
 #include "aes.h"
 #include "nettle-internal.h"
diff --git a/testsuite/gcm-test.c b/testsuite/gcm-test.c
index 9595766a46fd09c2d5e9914348a5e8b8210c4d13..c81740196c6dedfc6e7ada9ccbd3289ced59efff 100644
--- a/testsuite/gcm-test.c
+++ b/testsuite/gcm-test.c
@@ -1,3 +1,6 @@
+/* This file tests deprecated functions */
+#define _NETTLE_ATTRIBUTE_DEPRECATED
+
 #include "testutils.h"
 #include "nettle-internal.h"
 #include "gcm.h"