Remove support for obsoleted ECC-GOST (GOST R 34.11-94) algorithm

bin/dnssec/dnssec-cds.c

@@ -1115,7 +1115,7 @@ usage(void) {
 		program);
 	fprintf(stderr, "Version: %s\n", VERSION);
 	fprintf(stderr, "Options:\n"
-"    -a <algorithm>     digest algorithm (SHA-1 / SHA-256 / GOST / SHA-384)\n"
+"    -a <algorithm>     digest algorithm (SHA-1 / SHA-256 / SHA-384)\n"
 "    -c <class>         of domain (default IN)\n"
 "    -D                 prefer CDNSKEY records instead of CDS\n"
 "    -d <file|dir>      where to find parent dsset- file\n"

bin/dnssec/dnssec-cds.docbook

@@ -144,7 +144,7 @@
           </para>
           <para>
 	    The <replaceable>algorithm</replaceable> must be one of SHA-1
-	    (SHA1), SHA-256 (SHA256), GOST, or SHA-384 (SHA384). These
+	    (SHA1), SHA-256 (SHA256), or SHA-384 (SHA384). These
 	    values are case insensitive. If no algorithm is specified,
 	    the default is SHA-256.
           </para>

bin/dnssec/dnssec-dsfromkey.docbook

@@ -117,7 +117,7 @@
 	  <para>
 	    Select the digest algorithm. The value of
 	    <option>algorithm</option> must be one of SHA-1 (SHA1),
-	    SHA-256 (SHA256), GOST or SHA-384 (SHA384).
+	    SHA-256 (SHA256) or SHA-384 (SHA384).
 	    These values are case insensitive.
 	  </para>
 	</listitem>

bin/dnssec/dnssec-dsfromkey.html

@@ -97,7 +97,7 @@
 	  <p>
 	    Select the digest algorithm. The value of
 	    <code class="option">algorithm</code> must be one of SHA-1 (SHA1),
-	    SHA-256 (SHA256), GOST or SHA-384 (SHA384).
+	    SHA-256 (SHA256) or SHA-384 (SHA384).
 	    These values are case insensitive.
 	  </p>
 	</dd>

bin/dnssec/dnssec-keyfromlabel.c

@@ -64,7 +64,7 @@ usage(void) {
 	fprintf(stderr, "    -a algorithm: \n"
 			"        RSA | RSAMD5 | DH | DSA | RSASHA1 |\n"
 			"        NSEC3DSA | NSEC3RSASHA1 |\n"
-			"        RSASHA256 | RSASHA512 | ECCGOST |\n"
+			"        RSASHA256 | RSASHA512 |\n"
 			"        ECDSAP256SHA256 | ECDSAP384SHA384\n");
 	fprintf(stderr, "    -3: use NSEC3-capable algorithm\n");
 	fprintf(stderr, "    -c class (default: IN)\n");
@@ -427,7 +427,6 @@ main(int argc, char **argv) {
 			case DST_ALG_NSEC3RSASHA1:
 			case DST_ALG_RSASHA256:
 			case DST_ALG_RSASHA512:
-			case DST_ALG_ECCGOST:
 			case DST_ALG_ECDSA256:
 			case DST_ALG_ECDSA384:
 			case DST_ALG_ED25519:

bin/dnssec/dnssec-keyfromlabel.docbook

@@ -106,7 +106,7 @@
 	  <para>
 	    Selects the cryptographic algorithm.  The value of
 	    <option>algorithm</option> must be one of RSAMD5, RSASHA1,
-	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
+	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
 	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
 	  </para>
 	  <para>

bin/dnssec/dnssec-keygen.c

@@ -79,7 +79,7 @@ usage(void) {
 	fprintf(stderr, "    -a <algorithm>:\n");
 	fprintf(stderr, "        RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1"
 				" | NSEC3DSA |\n");
-	fprintf(stderr, "        RSASHA256 | RSASHA512 | ECCGOST |\n");
+	fprintf(stderr, "        RSASHA256 | RSASHA512 |\n");
 	fprintf(stderr, "        ECDSAP256SHA256 | ECDSAP384SHA384 |\n");
 	fprintf(stderr, "        ED25519 | ED448 | DH\n");
 	fprintf(stderr, "    -3: use NSEC3-capable algorithm\n");

bin/dnssec/dnssec-keygen.docbook

@@ -123,7 +123,7 @@
 	  <para>
 	    Selects the cryptographic algorithm.  For DNSSEC keys, the value
 	    of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
-	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
+	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512,
 	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.  For
 	    TKEY, the value must be DH (Diffie Hellman); specifying
 	    his value will automatically set the <option>-T KEY</option>

bin/dnssec/dnssectool.c

@@ -360,10 +360,6 @@ strtodsdigest(const char *algname) {
 		   strcasecmp(algname, "SHA-256") == 0)
 	{
 		return (DNS_DSDIGEST_SHA256);
-#if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
-	} else if (strcasecmp(algname, "GOST") == 0) {
-		return (DNS_DSDIGEST_GOST);
-#endif
 	} else if (strcasecmp(algname, "SHA384") == 0 ||
 		   strcasecmp(algname, "SHA-384") == 0)
 	{

bin/python/isc/dnskey.py.in

@@ -32,7 +32,7 @@ class dnskey:
 
     _ALGNAMES = (None, 'RSAMD5', 'DH', 'DSA', 'ECC', 'RSASHA1',
                  'NSEC3DSA', 'NSEC3RSASHA1', 'RSASHA256', None,
-                 'RSASHA512', None, 'ECCGOST', 'ECDSAP256SHA256',
+                 'RSASHA512', None, None, 'ECDSAP256SHA256',
                  'ECDSAP384SHA384', 'ED25519', 'ED448')
 
     def __init__(self, key, directory=None, keyttl=None):

bin/python/isc/policy.py.in

@@ -71,7 +71,7 @@ class PolicyLex:
         return t
 
     def t_ALGNAME(self, t):
-        r'(?i)\b(RSAMD5|DH|DSA|NSEC3DSA|ECC|RSASHA1|NSEC3RSASHA1|RSASHA256|RSASHA512|ECCGOST|ECDSAP256SHA256|ECDSAP384SHA384|ED25519|ED448)\b'
+        r'(?i)\b(RSAMD5|DH|DSA|NSEC3DSA|ECC|RSASHA1|NSEC3RSASHA1|RSASHA256|RSASHA512|ECDSAP256SHA256|ECDSAP384SHA384|ED25519|ED448)\b'
         t.value = t.value.upper()
         return t
 
@@ -139,7 +139,6 @@ class Policy:
                              'NSEC3RSASHA1': [512, 4096],
                              'RSASHA256': [1024, 4096],
                              'RSASHA512': [1024, 4096],
-                             'ECCGOST': None,
                              'ECDSAP256SHA256': None,
                              'ECDSAP384SHA384': None,
                              'ED25519': None,
@@ -278,8 +277,7 @@ class Policy:
                         ('ZSK key size %d not divisible by 64 ' +
                          'as required for DSA') % self.zsk_keysize
 
-            if self.algorithm in ['ECCGOST', \
-                                  'ECDSAP256SHA256', \
+            if self.algorithm in ['ECDSAP256SHA256', \
                                   'ECDSAP384SHA384', \
                                   'ED25519', \
                                   'ED448']:
@@ -369,10 +367,6 @@ class dnssec_policy:
         self.alg_policy['RSASHA512'].algorithm = "RSASHA512"
         self.alg_policy['RSASHA512'].name = "RSASHA512"
 
-        self.alg_policy['ECCGOST'] = copy(p)
-        self.alg_policy['ECCGOST'].algorithm = "ECCGOST"
-        self.alg_policy['ECCGOST'].name = "ECCGOST"
-
         self.alg_policy['ECDSAP256SHA256'] = copy(p)
         self.alg_policy['ECDSAP256SHA256'].algorithm = "ECDSAP256SHA256"
         self.alg_policy['ECDSAP256SHA256'].name = "ECDSAP256SHA256"

bin/tests/system/conf.sh.in

@@ -76,7 +76,7 @@ KRB5_CONFIG=/dev/null
 #
 # List of tests hard-coded to use ports 5300 and 9953. For this
 # reason, these must be run sequentially.
-SEQUENTIALDIRS="ecdsa eddsa gost @PKCS11_TEST@ tkey"
+SEQUENTIALDIRS="ecdsa eddsa @PKCS11_TEST@ tkey"
 
 # List of tests that use ports assigned by caller (other than 5300
 # and 9953). Because separate blocks of ports can be used for teach

bin/tests/system/conf.sh.win32

@@ -87,7 +87,7 @@ SEQUENTIALDIRS="acl additional addzone autosign builtin \
 	 database digdelv dlv dlvauto dlz dlzexternal dname \
 	 dns64 dnssec @DNSTAP@ dscp dsdigest dyndb ecdsa eddsa \
 	 ednscompliance emptyzones \
-	 fetchlimit filter-aaaa formerr forward geoip glue gost idna inline ixfr \
+	 fetchlimit filter-aaaa formerr forward geoip glue idna inline ixfr \
 	 keepalive @KEYMGR@ legacy limits logfileconfig masterfile \
 	 masterformat metadata mkeys names notify nslookup nsupdate \
 	 nzd2nzf padding pending pipelined @PKCS11_TEST@ reclimit \

bin/tests/system/dsdigest/ns2/sign.sh

@@ -37,7 +37,6 @@ $DSFROMKEY -a SHA-256 $keyname22 > $DSFILENAME2
 
 supported=`cat ../supported`
 case "$supported" in
-    gost) algo=GOST ;;
     *) algo=SHA-384 ;;
 esac
 

bin/tests/system/dsdigest/ns3/named.conf.in

@@ -26,7 +26,7 @@ options {
 	dnssec-validation yes;
 	dnssec-must-be-secure . yes;
 	/* only SHA-256 is enabled */
-	disable-ds-digests . { SHA-1; GOST; SHA-384; 5; 6; 7; 8; 9; };
+	disable-ds-digests . { SHA-1; SHA-384; 5; 6; 7; 8; 9; };
 
 };
 

bin/tests/system/dsdigest/ns4/named.conf.in

@@ -25,7 +25,7 @@ options {
 	dnssec-enable yes;
 	dnssec-validation yes;
 	/* only SHA-256 is enabled */
-	disable-ds-digests . { SHA-1; GOST; SHA-384; 5; 6; 7; 8; 9; };
+	disable-ds-digests . { SHA-1; SHA-384; 5; 6; 7; 8; 9; };
 };
 
 zone "." {

bin/tests/system/dsdigest/prereq.sh

@@ -12,17 +12,12 @@
 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
 
-gostfail=0 ecdsafail=0
-$SHELL ../testcrypto.sh -q gost || gostfail=1
+ecdsafail=0
 $SHELL ../testcrypto.sh -q ecdsa || ecdsafail=1
 
-if [ $gostfail = 0 -a $ecdsafail = 0 ]; then
-	echo both > supported
-elif [ $gostfail = 1 -a $ecdsafail = 1 ]; then
-	echo_i "This test requires support for ECDSA or GOST cryptography." >&2
+if [ $ecdsafail = 1 ]; then
+	echo_i "This test requires support for ECDSA cryptography." >&2
 	exit 255
-elif [ $gostfail = 0 ]; then
-	echo gost > supported
 else
         echo ecdsa > supported
 fi

bin/tests/system/gost/clean.sh

-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-rm -f */K* */dsset-* */*.signed */trusted.conf
-rm -f ns1/root.db
-rm -f ns1/signer.err
-rm -f dig.out*
-rm -f */named.run
-rm -f */named.memstats
-rm -f ns*/named.lock
-rm -f ns*/managed-keys.bind*

bin/tests/system/gost/ns1/named.conf

-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-// NS1
-
-controls { /* empty */ };
-
-options {
-	query-source address 10.53.0.1;
-	notify-source 10.53.0.1;
-	transfer-source 10.53.0.1;
-	port 5300;
-	pid-file "named.pid";
-	listen-on { 10.53.0.1; };
-	listen-on-v6 { none; };
-	recursion no;
-	notify yes;
-	dnssec-enable yes;
-	dnssec-validation yes;
-};
-
-zone "." {
-	type master;
-	file "root.db.signed";
-};
-
-include "trusted.conf";

bin/tests/system/gost/ns1/root.db.in

-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, You can obtain one at http://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300
-. 			IN SOA	marka.isc.org. a.root.servers.nil. (
-				2010121600   	; serial
-				600         	; refresh
-				600         	; retry
-				1200    	; expire
-				600       	; minimum
-				)
-.			NS	a.root-servers.nil.
-a.root-servers.nil.	A	10.53.0.1

bin/tests/system/gost/ns1/sign.sh

-#!/bin/sh -e
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-SYSTEMTESTTOP=../..
-. $SYSTEMTESTTOP/conf.sh
-
-zone=.
-infile=root.db.in
-zonefile=root.db
-
-key1=`$KEYGEN -q -a ECCGOST -n zone $zone`
-key2=`$KEYGEN -q -a ECCGOST -n zone -f KSK $zone`
-$DSFROMKEY -a gost $key2.key > dsset-gost
-
-cat $infile $key1.key $key2.key > $zonefile
-
-$SIGNER -P -g -o $zone $zonefile > /dev/null 2> signer.err || cat signer.err
-
-# Configure the resolving server with a trusted key.
-
-cat $key1.key | grep -v '^; ' | $PERL -n -e '
-local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
-local $key = join("", @rest);
-print <<EOF
-trusted-keys {
-    "$dn" $flags $proto $alg "$key";
-};
-EOF
-' > trusted.conf
-cp trusted.conf ../ns2/trusted.conf

bin/tests/system/gost/ns2/named.conf

-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-// NS2
-
-controls { /* empty */ };
-
-options {
-	query-source address 10.53.0.2;
-	notify-source 10.53.0.2;
-	transfer-source 10.53.0.2;
-	port 5300;
-	pid-file "named.pid";
-	listen-on { 10.53.0.2; };
-	listen-on-v6 { none; };
-	recursion yes;
-	notify yes;
-	dnssec-enable yes;
-	dnssec-validation yes;
-};
-
-zone "." {
-	type hint;
-	file "../../common/root.hint";
-};
-
-include "trusted.conf";

bin/tests/system/gost/prereq.sh

-#!/bin/sh -e
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-SYSTEMTESTTOP=..
-. $SYSTEMTESTTOP/conf.sh
-
-exec $SHELL ../testcrypto.sh gost

bin/tests/system/gost/setup.sh

-#!/bin/sh -e
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-SYSTEMTESTTOP=..
-. $SYSTEMTESTTOP/conf.sh
-
-cd ns1 && $SHELL sign.sh

bin/tests/system/gost/tests.sh

-#!/bin/sh
-#
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-SYSTEMTESTTOP=..
-. $SYSTEMTESTTOP/conf.sh
-
-status=0
-n=0
-
-rm -f dig.out.*
-
-DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
-
-# Check the example. domain
-
-echo "I:checking that positive validation works ($n)"
-ret=0
-$DIG $DIGOPTS . @10.53.0.1 soa > dig.out.ns1.test$n || ret=1
-$DIG $DIGOPTS . @10.53.0.2 soa > dig.out.ns2.test$n || ret=1
-$PERL ../digcomp.pl dig.out.ns1.test$n dig.out.ns2.test$n || ret=1
-grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $ret`
-
-echo "I:exit status: $status"
-[ $status -eq 0 ] || exit 1

bin/tests/system/inline/clean.sh

@@ -114,7 +114,7 @@ rm -f ns3/test-?.bk
 rm -f ns3/test-?.bk.signed
 rm -f ns3/test-?.bk.signed.jnl
 rm -f import.key Kimport*
-rm -f checkgost checkdsa checkecdsa
+rm -f checkdsa checkecdsa
 rm -f ns3/a-file
 rm -f ns*/named.lock
 rm -f dig.out.*

bin/tests/system/inline/ns3/sign.sh

@@ -125,20 +125,13 @@ zone=externalkey
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
 
-for alg in ECCGOST ECDSAP256SHA256 NSEC3RSASHA1 DSA
+for alg in ECDSAP256SHA256 NSEC3RSASHA1 DSA
 do
     case $alg in
         DSA)
             $SHELL ../checkdsa.sh 2> /dev/null || continue
             checkfile=../checkdsa
             touch $checkfile ;;
-        ECCGOST) 
-            fail=0
-            $KEYGEN -q -a eccgost test > /dev/null 2>&1 || fail=1
-            rm -f Ktest*
-            [ $fail != 0 ] && continue
-            checkfile=../checkgost
-            touch $checkfile ;;
         ECDSAP256SHA256)
             fail=0
             $KEYGEN -q -a ecdsap256sha256 test > /dev/null 2>&1 || fail=1

bin/tests/system/inline/tests.sh

@@ -897,16 +897,14 @@ n=`expr $n + 1`
 echo_i "testing adding external keys to a inline zone ($n)"
 ret=0
 $DIG $DIGOPTS @10.53.0.3 dnskey externalkey > dig.out.ns3.test$n
-for alg in 3 7 12 13
+for alg in 3 7 13
 do
    [ $alg = 3 -a ! -f checkdsa ] && continue;
-   [ $alg = 12 -a ! -f checkgost ] && continue;
    [ $alg = 13 -a ! -f checkecdsa ] && continue;
 
    case $alg in
    3) echo_i "checking DSA";;
    7) echo_i "checking NSEC3RSASHA1";;
-   12) echo_i "checking GOST";;
    13) echo_i "checking ECDSAP256SHA256";;
    *) echo_i "checking $alg";;
    esac

bin/tests/system/testcrypto.sh

@@ -30,11 +30,6 @@ while test "$#" -gt 0; do
                 alg="-a RSASHA1"
                 msg1="RSA cryptography"
                 ;;
-        gost|GOST)
-                alg="-a eccgost"
-                msg1="GOST cryptography"
-                msg2="--with-gost"
-                ;;
         ecdsa|ECDSA)
                 alg="-a ecdsap256sha256"
                 msg1="ECDSA cryptography"

config.h.in

@@ -395,9 +395,6 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define if your OpenSSL version supports EVP AES */
 #undef HAVE_OPENSSL_EVP_AES
 
-/* Define if your OpenSSL version supports GOST. */
-#undef HAVE_OPENSSL_GOST
-
 /* Define if native PKCS#11 is used as cryptographic library provider */
 #undef HAVE_PKCS11
 
@@ -410,9 +407,6 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define if your PKCS11 provider supports Ed448. */
 #undef HAVE_PKCS11_ED448
 
-/* Define if your PKCS11 provider supports GOST. */
-#undef HAVE_PKCS11_GOST
-
 /* Support for PTHREAD_MUTEX_ADAPTIVE_NP */
 #undef HAVE_PTHREAD_MUTEX_ADAPTIVE_NP
 
@@ -604,9 +598,6 @@ int sigwait(const unsigned int *set, int *sig);
    (O_NDELAY/O_NONBLOCK). */
 #undef PORT_NONBLOCK
 
-/* Define if GOST private keys are encoded in ASN.1. */
-#undef PREFER_GOSTASN1
-
 /* The size of `void *', as computed by sizeof. */
 #undef SIZEOF_VOID_P
 

config.h.win32

@@ -327,9 +327,6 @@ typedef __int64 off_t;
 /* Define if OpenSSL includes Ed448 support */
 @HAVE_OPENSSL_ED448@
 
-/* Define if your OpenSSL version supports GOST. */
-@HAVE_OPENSSL_GOST@
-
 /* Define if your OpenSSL version supports DH functions. */
 @HAVE_DH_GET0_KEY@
 
@@ -354,12 +351,6 @@ typedef __int64 off_t;
 /* Define if your PKCS11 provider supports Ed448. */
 @HAVE_PKCS11_ED448@
 
-/* Define if your PKCS11 provider supports GOST. */
-@HAVE_PKCS11_GOST@
-
-/* Define if GOST private keys are encoded in ASN.1. */
-@PREFER_GOSTASN1@
-
 /* Define if OpenSSL is used as cryptographic library provider. */
 @HAVE_OPENSSL@
 

configure

@@ -800,7 +800,6 @@ NZDSRCS
 NZD_TOOLS
 PKCS11_TEST
 PKCS11_ED25519
-PKCS11_GOST
 PKCS11_ECDSA
 PKCS11LINKSRCS
 PKCS11LINKOBJS
@@ -820,13 +819,10 @@ ISC_OPENSSL_LIBS
 ISC_OPENSSL_INC
 ISC_PLATFORM_OPENSSLHASH
 ISC_PLATFORM_WANTAES
-OPENSSL_GOST
 OPENSSL_ED25519
 OPENSSL_ECDSA
 OPENSSLLINKSRCS
 OPENSSLLINKOBJS
-OPENSSLGOSTLINKSRCS
-OPENSSLGOSTLINKOBJS
 OPENSSLEDDSALINKSRCS
 OPENSSLEDDSALINKOBJS
 OPENSSLECDSALINKSRCS
@@ -1001,7 +997,6 @@ enable_native_pkcs11
 with_openssl
 with_pkcs11
 with_ecdsa
-with_gost
 with_eddsa
 with_aes
 with_cc_alg
@@ -1747,7 +1742,6 @@ Optional Packages:
   --with-pkcs11=PATH      Build with PKCS11 support [yes|no|path] (PATH is for
                           the PKCS11 provider)
   --with-ecdsa            Crypto ECDSA
-  --with-gost             Crypto GOST [yes|no|raw|asn1].
   --with-eddsa            Crypto EDDSA [yes|all|no].
   --with-aes              Crypto AES
   --with-cc-alg=ALG       choose the algorithm for Client Cookie
@@ -16150,7 +16144,7 @@ fi
 
 
 #
-# were --with-ecdsa, --with-gost, --with-eddsa, --with-aes specified
+# were --with-ecdsa, --with-eddsa, --with-aes specified
 #
 
 # Check whether --with-ecdsa was given.
@@ -16161,14 +16155,6 @@ else
 fi
 
 
-# Check whether --with-gost was given.
-if test "${with_gost+set}" = set; then :
-  withval=$with_gost; with_gost="$withval"
-else
-  with_gost="auto"
-fi
-
-
 # Check whether --with-eddsa was given.
 if test "${with_eddsa+set}" = set; then :
   withval=$with_eddsa; with_eddsa="$withval"
@@ -16245,26 +16231,7 @@ then
 	done
 fi
 OPENSSL_ECDSA=""
-OPENSSL_GOST=""
 OPENSSL_ED25519=""
-gosttype="raw"
-case "$with_gost" in
-	raw)
-		with_gost="yes"
-		;;
-	asn1)
-
-$as_echo "#define PREFER_GOSTASN1 1" >>confdefs.h
-
-		gosttype="asn1"
-		with_gost="yes"
-		;;
-	auto|yes|no)
-		;;
-	*)
-		as_fn_error $? "unknown GOST private key encoding" "$LINENO" 5
-		;;
-esac
 
 case "$use_openssl" in
 	native_pkcs11)
@@ -16277,8 +16244,6 @@ $as_echo "disabled because of native PKCS11" >&6; }
 		OPENSSLECDSALINKSRCS=""
 		OPENSSLEDDSALINKOBJS=""
 		OPENSSLEDDSALINKSRCS=""
-		OPENSSLGOSTLINKOBJS=""
-		OPENSSLGOSTLINKSRCS=""
 		OPENSSLLINKOBJS=""
 		OPENSSLLINKSRCS=""
 
@@ -16295,8 +16260,6 @@ $as_echo "no" >&6; }
 		OPENSSLECDSALINKSRCS=""
 		OPENSSLEDDSALINKOBJS=""
 		OPENSSLEDDSALINKSRCS=""
-		OPENSSLGOSTLINKOBJS=""
-		OPENSSLGOSTLINKSRCS=""
 		OPENSSLLINKOBJS=""
 		OPENSSLLINKSRCS=""
 		;;
@@ -16308,8 +16271,6 @@ $as_echo "no" >&6; }
 		OPENSSLECDSALINKSRCS=""
 		OPENSSLEDDSALINKOBJS=""
 		OPENSSLEDDSALINKSRCS=""
-		OPENSSLGOSTLINKOBJS=""
-		OPENSSLGOSTLINKSRCS=""
 		OPENSSLLINKOBJS=""
 		OPENSSLLINKSRCS=""
 		as_fn_error $? "OpenSSL was not found in any of $openssldirs; use --with-openssl=/path
@@ -16663,89 +16624,6 @@ $as_echo "#define HAVE_OPENSSL_ECDSA 1" >>confdefs.h
 		;;
 	esac
 
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL GOST support" >&5
-$as_echo_n "checking for OpenSSL GOST support... " >&6; }
-	have_gost=""
-	case "$use_pkcs11" in
-		auto|no)
-			;;
-		*)
-			if $use_threads; then
-				CC="$CC -pthread"
-			fi
-			;;
-	esac
-	if test "$cross_compiling" = yes; then :
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: using --with-gost" >&5
-$as_echo "using --with-gost" >&6; }
-else
-  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-
-#include <openssl/conf.h>
-#include <openssl/engine.h>
-int main() {
-#if !defined(LIBRESSL_VERSION_NUMB