5 files changed, 5 insertions, 69 deletions

diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index acde94c749..4ef6f6df7f 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.230 2022/12/26 07:31:44 jmc Exp $ */
+/* $OpenBSD: ssl.h,v 1.231 2023/11/19 15:51:49 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -610,9 +610,6 @@ void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx,
     int (*client_cert_cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey));
 int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL *ssl, X509 **x509,
     EVP_PKEY **pkey);
-#ifndef OPENSSL_NO_ENGINE
-int SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e);
-#endif
 void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
     int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie,
     unsigned int *cookie_len));
diff --git a/src/lib/libssl/ssl_ciph.c b/src/lib/libssl/ssl_ciph.c
index b735cd7b30..38ebea1629 100644
--- a/src/lib/libssl/ssl_ciph.c
+++ b/src/lib/libssl/ssl_ciph.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_ciph.c,v 1.136 2023/07/08 16:40:13 beck Exp $ */
+/* $OpenBSD: ssl_ciph.c,v 1.137 2023/11/19 15:51:49 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -145,10 +145,6 @@
 #include <openssl/objects.h>
 #include <openssl/opensslconf.h>
 
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
-
 #include "ssl_local.h"
 
 #define CIPHER_ADD      1
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 0ac393f73c..9e65095c6c 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.314 2023/09/19 01:22:31 tb Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.315 2023/11/19 15:51:49 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -154,10 +154,6 @@
 #include <openssl/opensslconf.h>
 #include <openssl/x509v3.h>
 
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
-
 #include "bytestring.h"
 #include "dtls_local.h"
 #include "ssl_local.h"
@@ -2164,26 +2160,6 @@ SSL_CTX_new(const SSL_METHOD *meth)
         ret->tlsext_status_cb = 0;
         ret->tlsext_status_arg = NULL;
 
-#ifndef OPENSSL_NO_ENGINE
-        ret->client_cert_engine = NULL;
-#ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO
-#define eng_strx(x)     #x
-#define eng_str(x)      eng_strx(x)
-        /* Use specific client engine automatically... ignore errors */
-        {
-                ENGINE *eng;
-                eng = ENGINE_by_id(eng_str(OPENSSL_SSL_CLIENT_ENGINE_AUTO));
-                if (!eng) {
-                        ERR_clear_error();
-                        ENGINE_load_builtin_engines();
-                        eng = ENGINE_by_id(eng_str(
-                            OPENSSL_SSL_CLIENT_ENGINE_AUTO));
-                }
-                if (!eng || !SSL_CTX_set_client_cert_engine(ret, eng))
-                        ERR_clear_error();
-        }
-#endif
-#endif
         /*
          * Default is to connect to non-RI servers. When RI is more widely
          * deployed might change this.
@@ -2241,10 +2217,6 @@ SSL_CTX_free(SSL_CTX *ctx)
                 sk_SRTP_PROTECTION_PROFILE_free(ctx->srtp_profiles);
 #endif
 
-#ifndef OPENSSL_NO_ENGINE
-        ENGINE_finish(ctx->client_cert_engine);
-#endif
-
         free(ctx->tlsext_ecpointformatlist);
         free(ctx->tlsext_supportedgroups);
 
diff --git a/src/lib/libssl/ssl_local.h b/src/lib/libssl/ssl_local.h
index 9666f3882a..dd8895f018 100644
--- a/src/lib/libssl/ssl_local.h
+++ b/src/lib/libssl/ssl_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_local.h,v 1.7 2023/07/06 07:56:32 beck Exp $ */
+/* $OpenBSD: ssl_local.h,v 1.8 2023/11/19 15:51:49 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -865,12 +865,6 @@ struct ssl_ctx_st {
          */
         unsigned int max_send_fragment;
 
-#ifndef OPENSSL_NO_ENGINE
-        /* Engine to pass requests for client certs to
-         */
-        ENGINE *client_cert_engine;
-#endif
-
         /* RFC 4507 session ticket keys */
         unsigned char tlsext_tick_key_name[16];
         unsigned char tlsext_tick_hmac_key[16];
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c
index aa6b08eae6..ae7532d1ad 100644
--- a/src/lib/libssl/ssl_sess.c
+++ b/src/lib/libssl/ssl_sess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.122 2023/07/08 16:40:13 beck Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.123 2023/11/19 15:51:49 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -138,10 +138,6 @@
 #include <openssl/lhash.h>
 #include <openssl/opensslconf.h>
 
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
-
 #include "ssl_local.h"
 
 static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
@@ -1320,25 +1316,6 @@ int
 }
 LSSL_ALIAS(SSL_CTX_get_client_cert_cb);
 
-#ifndef OPENSSL_NO_ENGINE
-int
-SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e)
-{
-        if (!ENGINE_init(e)) {
-                SSLerrorx(ERR_R_ENGINE_LIB);
-                return 0;
-        }
-        if (!ENGINE_get_ssl_client_cert_function(e)) {
-                SSLerrorx(SSL_R_NO_CLIENT_CERT_METHOD);
-                ENGINE_finish(e);
-                return 0;
-        }
-        ctx->client_cert_engine = e;
-        return 1;
-}
-LSSL_ALIAS(SSL_CTX_set_client_cert_engine);
-#endif
-
 void
 SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx,
     int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len))