authorBob Beck <beck@cvs.openbsd.org>2024-02-03 15:58:35 +0000
committerBob Beck <beck@cvs.openbsd.org>2024-02-03 15:58:35 +0000
commit5c91698c33884b0a3f6cce362413c024017dbe9c (patch)
tree10b02c1399174e2eaef8bc83832956c73b6b7605 /regress/lib/libssl/interop
parent54c4f0c0f8217322ebbc0437d59ac083f2184a19 (diff)
Remove GOST and STREEBOG support from libssl.
This version of GOST is old and not anywhere close to compliant with modern GOST standards. It is also very intrusive in libssl and makes a mess everywhere. Efforts to entice a suitably minded anyone to care about it have been unsuccessful. At this point it is probably best to remove this, and if someone ever showed up who truly needed a working version, it should be a clean implementation from scratch, and have it use something closer to the typical API in libcrypto so it would integrate less painfully here. This removes it from libssl in preparation for its removal from libcrypto with a future major bump. ok tb@
Diffstat (limited to 'regress/lib/libssl/interop')
-rw-r--r--regress/lib/libssl/interop/Makefile.inc15
-rw-r--r--regress/lib/libssl/interop/cipher/Makefile15
2 files changed, 4 insertions, 26 deletions
diff --git a/regress/lib/libssl/interop/Makefile.inc b/regress/lib/libssl/interop/Makefile.inc
index 4a66390cbd8..fa22fb8514c 100644
--- a/regress/lib/libssl/interop/Makefile.inc
+++ b/regress/lib/libssl/interop/Makefile.inc
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile.inc,v 1.9 2023/10/18 19:14:32 anton Exp $
+# $OpenBSD: Makefile.inc,v 1.10 2024/02/03 15:58:34 beck Exp $
.PATH: ${.CURDIR}/..
@@ -39,7 +39,7 @@ run-self-client-server: client server 127.0.0.1.crt
CLEANFILES += 127.0.0.1.{crt,key} \
ca.{crt,key,srl} fake-ca.{crt,key} \
{client,server}.{req,crt,key} \
- {dsa,ec,gost,rsa}.{key,req,crt} \
+ {dsa,ec,rsa}.{key,req,crt} \
dh.param
127.0.0.1.crt:
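Review bot: With `gost` dropped from the brace list in CLEANFILES, `make clean` no longer removes any `gost.key`, `gost.req` or `gost.crt` that earlier runs of this regress left in the object directory. These are test artefacts only, including the private key written by the `gost.key` rule this commit deletes, so the impact is small, but they will linger until the obj directory is wiped. If that matters, the old entry could stay for a transition period with a comment such as `# gost.* kept so clean removes files from pre-removal runs`, or the commit message could mention clearing obj.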
@@ -70,10 +70,6 @@ dsa.key:
ec.key:
openssl ecparam -genkey -name secp256r1 -out $@
-gost.key:
- openssl genpkey -algorithm gost2001 \
- -pkeyopt paramset:A -pkeyopt dgst:md_gost94 -out $@
-
rsa.key:
openssl genrsa -out $@ 2048
@@ -82,11 +78,6 @@ dsa.req ec.req rsa.req: ${@:R}.key
-subj /L=OpenBSD/O=tls-regress/OU=${@:R}/CN=localhost/ \
-nodes -key ${@:R}.key -out $@
-gost.req: ${@:R}.key
- openssl req -batch -new -md_gost94 \
- -subj /L=OpenBSD/O=tls-regress/OU=${@:R}/CN=localhost/ \
- -nodes -key ${@:R}.key -out $@
-
-dsa.crt ec.crt gost.crt rsa.crt: ca.crt ${@:R}.req
+dsa.crt ec.crt rsa.crt: ca.crt ${@:R}.req
openssl x509 -CAcreateserial -CAkey ca.key -CA ca.crt \
-req -in ${@:R}.req -out $@
diff --git a/regress/lib/libssl/interop/cipher/Makefile b/regress/lib/libssl/interop/cipher/Makefile
index 627cfc8f9f0..3a116d5ed59 100644
--- a/regress/lib/libssl/interop/cipher/Makefile
+++ b/regress/lib/libssl/interop/cipher/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.13 2023/10/30 17:15:21 tb Exp $
+# $OpenBSD: Makefile,v 1.14 2024/02/03 15:58:34 beck Exp $
# Connect a client to a server. Both can be current libressl, or
# openssl 1.1 or 3.0. Create lists of supported ciphers
@@ -6,17 +6,6 @@
# certificate with compatible type. Check that client and server
# have used correct cipher by grepping in their session print out.
-run-cipher-GOST2001-GOST89-GOST89-client-libressl-server-libressl \
-run-cipher-GOST2012256-GOST89-GOST89-client-libressl-server-libressl \
-client-cipher-GOST2012256-GOST89-GOST89-client-libressl-server-libressl.out \
-client-cipher-GOST2001-GOST89-GOST89-client-libressl-server-libressl.out \
-server-cipher-GOST2001-GOST89-GOST89-client-libressl-server-libressl.out \
-server-cipher-GOST2012256-GOST89-GOST89-client-libressl-server-libressl.out \
-check-cipher-GOST2001-GOST89-GOST89-client-libressl-server-libressl \
-check-cipher-GOST2012256-GOST89-GOST89-client-libressl-server-libressl:
- # gost does not work with libressl TLS 1.3 right now
- @echo DISABLED
-
LIBRARIES = libressl
.if exists(/usr/local/bin/eopenssl11)
LIBRARIES += openssl11
@@ -96,8 +85,6 @@ LEVEL_openssl30 = ,@SECLEVEL=0
TYPE_${cipher} = dsa
.elif "${cipher:M*-ECDSA-*}" != ""
TYPE_${cipher} = ec
-.elif "${cipher:M*-GOST89-*}" != ""
-TYPE_${cipher} = gost
.elif "${cipher:M*-RSA-*}" != ""
TYPE_${cipher} = rsa
.else
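Review bot: A cipher name matching `*-GOST89-*` now falls through to the `.else` branch, whose body lies outside this hunk, so the type it would be given cannot be seen here. The optional peers added to LIBRARIES (the `eopenssl11` check is visible above) build their own cipher lists, so it seems worth confirming that none of them can still offer a GOST suite; if one did, it would presumably be paired with whatever certificate type the default selects instead of being skipped. A short comment above the chain would record the assumption, for example `# GOST suites were removed from libssl and must not appear in the cipher lists`.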