40 files changed, 184 insertions, 1726 deletions
diff --git a/src/usr.bin/openssl/Makefile b/src/usr.bin/openssl/Makefile
index 04a24c8c59..db3364b16f 100644
--- a/src/usr.bin/openssl/Makefile
+++ b/src/usr.bin/openssl/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.5 2015/02/10 15:29:34 jsing Exp $
+#       $OpenBSD: Makefile,v 1.6 2015/09/11 14:30:23 bcook Exp $
 PROG=   openssl
 LDADD=  -lssl -lcrypto
@@ -19,7 +19,7 @@ CFLAGS+= -DLIBRESSL_INTERNAL
 SRCS=   apps.c apps_posix.c asn1pars.c ca.c certhash.c ciphers.c cms.c crl.c \
        crl2p7.c dgst.c dh.c dhparam.c dsa.c dsaparam.c ec.c ecparam.c enc.c \
-        engine.c errstr.c gendh.c gendsa.c genpkey.c genrsa.c nseq.c ocsp.c \
+        errstr.c gendh.c gendsa.c genpkey.c genrsa.c nseq.c ocsp.c \
        openssl.c passwd.c pkcs12.c pkcs7.c pkcs8.c pkey.c pkeyparam.c \
        pkeyutl.c prime.c rand.c req.c rsa.c rsautl.c s_cb.c s_client.c \
        s_server.c s_socket.c s_time.c sess_id.c smime.c speed.c spkac.c ts.c \
diff --git a/src/usr.bin/openssl/apps.c b/src/usr.bin/openssl/apps.c
index acd95abc7f..f8cad1a703 100644
--- a/src/usr.bin/openssl/apps.c
+++ b/src/usr.bin/openssl/apps.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: apps.c,v 1.34 2015/09/10 16:01:06 jsing Exp $ */
+/* $OpenBSD: apps.c,v 1.35 2015/09/11 14:30:23 bcook Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -146,10 +146,6 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
 #include <openssl/rsa.h>
 typedef struct {
@@ -190,8 +186,6 @@ str2fmt(char *s)
            (strcmp(s, "PKCS12") == 0) || (strcmp(s, "pkcs12") == 0) ||
            (strcmp(s, "P12") == 0) || (strcmp(s, "p12") == 0))
                return (FORMAT_PKCS12);
-        else if ((*s == 'E') || (*s == 'e'))
-                return (FORMAT_ENGINE);
        else if ((*s == 'P') || (*s == 'p')) {
                if (s[1] == 'V' || s[1] == 'v')
                        return FORMAT_PVK;
@@ -626,7 +620,7 @@ die:
 }
 X509 *
-load_cert(BIO *err, const char *file, int format, const char *pass, ENGINE *e,
+load_cert(BIO *err, const char *file, int format, const char *pass,
    const char *cert_descrip)
 {
        X509 *x = NULL;
@@ -690,7 +684,7 @@ end:
 EVP_PKEY *
 load_key(BIO *err, const char *file, int format, int maybe_stdin,
-    const char *pass, ENGINE *e, const char *key_descrip)
+    const char *pass, const char *key_descrip)
 {
        BIO *key = NULL;
        EVP_PKEY *pkey = NULL;
@@ -699,26 +693,10 @@ load_key(BIO *err, const char *file, int format, int maybe_stdin,
        cb_data.password = pass;
        cb_data.prompt_info = file;
-        if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) {
+        if (file == NULL && (!maybe_stdin)) {
                BIO_printf(err, "no keyfile specified\n");
                goto end;
        }
-#ifndef OPENSSL_NO_ENGINE
-        if (format == FORMAT_ENGINE) {
-                if (!e)
-                        BIO_printf(err, "no engine specified\n");
-                else {
-                        pkey = ENGINE_load_private_key(e, file,
-                            ui_method, &cb_data);
-                        if (!pkey) {
-                                BIO_printf(err, "cannot load %s from engine\n",
-                                    key_descrip);
-                                ERR_print_errors(err);
-                        }
-                }
-                goto end;
-        }
-#endif
        key = BIO_new(BIO_s_file());
        if (key == NULL) {
                ERR_print_errors(err);
@@ -769,7 +747,7 @@ end:
 EVP_PKEY *
 load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
-    const char *pass, ENGINE *e, const char *key_descrip)
+    const char *pass, const char *key_descrip)
 {
        BIO *key = NULL;
        EVP_PKEY *pkey = NULL;
@@ -778,20 +756,10 @@ load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
        cb_data.password = pass;
        cb_data.prompt_info = file;
-        if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) {
+        if (file == NULL && !maybe_stdin) {
                BIO_printf(err, "no keyfile specified\n");
                goto end;
        }
-#ifndef OPENSSL_NO_ENGINE
-        if (format == FORMAT_ENGINE) {
-                if (!e)
-                        BIO_printf(bio_err, "no engine specified\n");
-                else
-                        pkey = ENGINE_load_public_key(e, file,
-                            ui_method, &cb_data);
-                goto end;
-        }
-#endif
        key = BIO_new(BIO_s_file());
        if (key == NULL) {
                ERR_print_errors(err);
@@ -899,7 +867,7 @@ error:
 static int
 load_certs_crls(BIO *err, const char *file, int format, const char *pass,
-    ENGINE *e, const char *desc, STACK_OF(X509) **pcerts,
+    const char *desc, STACK_OF(X509) **pcerts,
    STACK_OF(X509_CRL) **pcrls)
 {
        int i;
@@ -983,22 +951,22 @@ end:
 STACK_OF(X509) *
 load_certs(BIO *err, const char *file, int format, const char *pass,
-    ENGINE *e, const char *desc)
+    const char *desc)
 {
        STACK_OF(X509) *certs;
-        if (!load_certs_crls(err, file, format, pass, e, desc, &certs, NULL))
+        if (!load_certs_crls(err, file, format, pass, desc, &certs, NULL))
                return NULL;
        return certs;
 }
 STACK_OF(X509_CRL) *
-load_crls(BIO *err, const char *file, int format, const char *pass, ENGINE *e,
+load_crls(BIO *err, const char *file, int format, const char *pass,
    const char *desc)
 {
        STACK_OF(X509_CRL) *crls;
-        if (!load_certs_crls(err, file, format, pass, e, desc, NULL, &crls))
+        if (!load_certs_crls(err, file, format, pass, desc, NULL, &crls))
                return NULL;
        return crls;
 }
@@ -1248,55 +1216,6 @@ end:
        return NULL;
 }
-#ifndef OPENSSL_NO_ENGINE
-ENGINE *
-setup_engine(BIO *err, const char *engine, int debug)
-{
-        ENGINE *e = NULL;
-        if (engine) {
-                if (strcmp(engine, "auto") == 0) {
-                        BIO_printf(err, "enabling auto ENGINE support\n");
-                        ENGINE_register_all_complete();
-                        return NULL;
-                }
-                if ((e = ENGINE_by_id(engine)) == NULL) {
-                        BIO_printf(err, "invalid engine \"%s\"\n", engine);
-                        ERR_print_errors(err);
-                        return NULL;
-                }
-                if (debug) {
-                        if (ENGINE_ctrl(e, ENGINE_CTRL_SET_LOGSTREAM,
-                            0, err, 0) <= 0) {
-                                BIO_printf(err, "Cannot set logstream for "
-                                    "engine \"%s\"\n", engine);
-                                ERR_print_errors(err);
-                                ENGINE_free(e);
-                                return NULL;
-                        }
-                }
-                if (!ENGINE_ctrl_cmd(e, "SET_USER_INTERFACE", 0, ui_method, 0, 1)) {
-                        BIO_printf(err, "can't set user interface\n");
-                        ERR_print_errors(err);
-                        ENGINE_free(e);
-                        return NULL;
-                }
-                if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
-                        BIO_printf(err, "can't use that engine\n");
-                        ERR_print_errors(err);
-                        ENGINE_free(e);
-                        return NULL;
-                }
-                BIO_printf(err, "engine \"%s\" set.\n", ENGINE_get_id(e));
-                /* Free our "structural" reference. */
-                ENGINE_free(e);
-        }
-        return e;
-}
-#endif
 int
 load_config(BIO *err, CONF *cnf)
 {
diff --git a/src/usr.bin/openssl/apps.h b/src/usr.bin/openssl/apps.h
index f6e0a8ce19..f63079179d 100644
--- a/src/usr.bin/openssl/apps.h
+++ b/src/usr.bin/openssl/apps.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: apps.h,v 1.14 2015/07/15 13:54:34 jsing Exp $ */
+/* $OpenBSD: apps.h,v 1.15 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -121,10 +121,6 @@
 #include <openssl/txt_db.h>
 #include <openssl/x509.h>
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
 #ifndef OPENSSL_NO_OCSP
 #include <openssl/ocsp.h>
 #endif
@@ -166,19 +162,16 @@ int copy_extensions(X509 *x, X509_REQ *req, int copy_type);
 int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2);
 int add_oid_section(BIO *err, CONF *conf);
 X509 *load_cert(BIO *err, const char *file, int format,
-    const char *pass, ENGINE *e, const char *cert_descrip);
+    const char *pass, const char *cert_descrip);
 EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
-    const char *pass, ENGINE *e, const char *key_descrip);
+    const char *pass, const char *key_descrip);
 EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
-    const char *pass, ENGINE *e, const char *key_descrip);
+    const char *pass, const char *key_descrip);
 STACK_OF(X509) *load_certs(BIO *err, const char *file, int format,
-    const char *pass, ENGINE *e, const char *cert_descrip);
+    const char *pass, const char *cert_descrip);
 STACK_OF(X509_CRL) *load_crls(BIO *err, const char *file, int format,
-    const char *pass, ENGINE *e, const char *cert_descrip);
+    const char *pass, const char *cert_descrip);
 X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath);
-#ifndef OPENSSL_NO_ENGINE
-ENGINE *setup_engine(BIO *err, const char *engine, int debug);
-#endif
 #ifndef OPENSSL_NO_OCSP
 OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
@@ -236,7 +229,7 @@ int args_verify(char ***pargs, int *pargc, int *badarg, BIO *err,
 void policies_print(BIO *out, X509_STORE_CTX *ctx);
 int bio_to_mem(unsigned char **out, int maxlen, BIO *in);
 int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value);
-int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx, const char *algname, ENGINE *e,
+int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx, const char *algname,
    int do_param);
 int do_X509_sign(BIO *err, X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
    STACK_OF(OPENSSL_STRING) *sigopts);
@@ -254,7 +247,7 @@ unsigned char *next_protos_parse(unsigned short *outlen, const char *in);
 #define FORMAT_NETSCAPE 4
 #define FORMAT_PKCS12   5
 #define FORMAT_SMIME    6
-#define FORMAT_ENGINE   7
 #define FORMAT_IISSGC   8       /* XXX this stupid macro helps us to avoid
                                 * adding yet another param to load_*key() */
 #define FORMAT_PEMRSA   9       /* PEM RSAPubicKey format */
diff --git a/src/usr.bin/openssl/ca.c b/src/usr.bin/openssl/ca.c
index 8645128e42..254d551aa5 100644
--- a/src/usr.bin/openssl/ca.c
+++ b/src/usr.bin/openssl/ca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ca.c,v 1.11 2015/09/10 16:01:06 jsing Exp $ */
+/* $OpenBSD: ca.c,v 1.12 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -135,7 +135,7 @@ static const char *ca_usage[] = {
        " -md arg         - md to use, one of md2, md5, sha or sha1\n",
        " -policy arg     - The CA 'policy' to support\n",
        " -keyfile arg    - private key file\n",
-        " -keyform arg    - private key file format (PEM or ENGINE)\n",
+        " -keyform arg    - private key file format (PEM)\n",
        " -key arg        - key to decode the private key if it is encrypted\n",
        " -cert file      - The CA certificate\n",
        " -selfsign       - sign a certificate with the key associated with it\n",
@@ -156,9 +156,6 @@ static const char *ca_usage[] = {
        " -extensions ..  - Extension section (override value in config file)\n",
        " -extfile file   - Configuration file with X509v3 extentions to add\n",
        " -crlexts ..     - CRL extension section (override value in config file)\n",
-#ifndef OPENSSL_NO_ENGINE
-        " -engine e       - use engine e, possibly a hardware device.\n",
-#endif
        " -status serial  - Shows certificate status given the serial number\n",
        " -updatedb       - Updates db for expired certificates\n",
        NULL
@@ -178,7 +175,7 @@ static int certify_cert(X509 ** xret, char *infile, EVP_PKEY * pkey,
    unsigned long chtype, int multirdn, int email_dn, char *startdate,
    char *enddate, long days, int batch, char *ext_sect, CONF * conf,
    int verbose, unsigned long certopt, unsigned long nameopt, int default_op,
-    int ext_copy, ENGINE * e);
+    int ext_copy);
 static int certify_spkac(X509 ** xret, char *infile, EVP_PKEY * pkey,
    X509 * x509, const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
    STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
@@ -213,7 +210,6 @@ static int msie_hack = 0;
 int
 ca_main(int argc, char **argv)
 {
-        ENGINE *e = NULL;
        char *key = NULL, *passargin = NULL;
        int create_ser = 0;
        int free_key = 0;
@@ -286,9 +282,6 @@ ca_main(int argc, char **argv)
        STACK_OF(OPENSSL_STRING) * sigopts = NULL;
 #define BUFLEN 256
        char buf[3][BUFLEN];
-#ifndef OPENSSL_NO_ENGINE
-        char *engine = NULL;
-#endif
        char *tofree = NULL;
        const char *errstr = NULL;
        DB_ATTR db_attr;
@@ -478,13 +471,6 @@ ca_main(int argc, char **argv)
                        rev_arg = *(++argv);
                        rev_type = REV_CA_COMPROMISE;
                }
-#ifndef OPENSSL_NO_ENGINE
-                else if (strcmp(*argv, "-engine") == 0) {
-                        if (--argc < 1)
-                                goto bad;
-                        engine = *(++argv);
-                }
-#endif
                else {
 bad:
                        if (errstr)
@@ -536,10 +522,6 @@ bad:
        free(tofree);
        tofree = NULL;
-#ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, engine, 0);
-#endif
        /* Lets get the config section we are using */
        if (section == NULL) {
                section = NCONF_get_string(conf, BASE_SECTION, ENV_DEFAULT_CA);
@@ -639,7 +621,7 @@ bad:
                        goto err;
                }
        }
-        pkey = load_key(bio_err, keyfile, keyform, 0, key, e, "CA private key");
+        pkey = load_key(bio_err, keyfile, keyform, 0, key, "CA private key");
        if (key)
                explicit_bzero(key, strlen(key));
        if (pkey == NULL) {
@@ -655,7 +637,7 @@ bad:
                        lookup_fail(section, ENV_CERTIFICATE);
                        goto err;
                }
-                x509 = load_cert(bio_err, certfile, FORMAT_PEM, NULL, e,
+                x509 = load_cert(bio_err, certfile, FORMAT_PEM, NULL,
                    "CA certificate");
                if (x509 == NULL)
                        goto err;
@@ -1028,7 +1010,7 @@ bad:
                            sigopts, attribs, db, serial, subj, chtype,
                            multirdn, email_dn, startdate, enddate, days, batch,
                            extensions, conf, verbose, certopt, nameopt,
-                            default_op, ext_copy, e);
+                            default_op, ext_copy);
                        if (j < 0)
                                goto err;
                        if (j > 0) {
@@ -1314,7 +1296,7 @@ bad:
                } else {
                        X509 *revcert;
                        revcert = load_cert(bio_err, infile, FORMAT_PEM,
-                            NULL, e, infile);
+                            NULL, infile);
                        if (revcert == NULL)
                                goto err;
                        j = do_revoke(revcert, db, rev_type, rev_arg);
@@ -1446,14 +1428,14 @@ certify_cert(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509,
    unsigned long chtype, int multirdn, int email_dn, char *startdate,
    char *enddate, long days, int batch, char *ext_sect, CONF * lconf,
    int verbose, unsigned long certopt, unsigned long nameopt, int default_op,
-    int ext_copy, ENGINE * e)
+    int ext_copy)
 {
        X509 *req = NULL;
        X509_REQ *rreq = NULL;
        EVP_PKEY *pktmp = NULL;
        int ok = -1, i;
-        if ((req = load_cert(bio_err, infile, FORMAT_PEM, NULL, e,
+        if ((req = load_cert(bio_err, infile, FORMAT_PEM, NULL,
            infile)) == NULL)
                goto err;
        if (verbose)
diff --git a/src/usr.bin/openssl/cms.c b/src/usr.bin/openssl/cms.c
index c6e662ab33..fccac23db7 100644
--- a/src/usr.bin/openssl/cms.c
+++ b/src/usr.bin/openssl/cms.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms.c,v 1.2 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: cms.c,v 1.3 2015/09/11 14:30:23 bcook Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -99,7 +99,6 @@ int verify_err = 0;
 int
 cms_main(int argc, char **argv)
 {
-        ENGINE *e = NULL;
        int operation = 0;
        int ret = 0;
        char **args;
@@ -128,9 +127,6 @@ cms_main(int argc, char **argv)
        const EVP_MD *sign_md = NULL;
        int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;
        int rctformat = FORMAT_SMIME, keyform = FORMAT_PEM;
-#ifndef OPENSSL_NO_ENGINE
-        char *engine = NULL;
-#endif
        unsigned char *secret_key = NULL, *secret_keyid = NULL;
        unsigned char *pwri_pass = NULL, *pwri_tmp = NULL;
        size_t secret_keylen = 0, secret_keyidlen = 0;
@@ -310,13 +306,6 @@ cms_main(int argc, char **argv)
                                goto argerr;
                        }
                }
-#ifndef OPENSSL_NO_ENGINE
-                else if (!strcmp(*args, "-engine")) {
-                        if (!args[1])
-                                goto argerr;
-                        engine = *++args;
-                }
-#endif
                else if (!strcmp(*args, "-passin")) {
                        if (!args[1])
                                goto argerr;
@@ -526,7 +515,7 @@ argerr:
                BIO_printf(bio_err, "-in file       input file\n");
                BIO_printf(bio_err, "-inform arg    input format SMIME (default), PEM or DER\n");
                BIO_printf(bio_err, "-inkey file    input private key (if not signer or recipient)\n");
-                BIO_printf(bio_err, "-keyform arg   input private key format (PEM or ENGINE)\n");
+                BIO_printf(bio_err, "-keyform arg   input private key format (PEM)\n");
                BIO_printf(bio_err, "-out file      output file\n");
                BIO_printf(bio_err, "-outform arg   output format SMIME (default), PEM or DER\n");
                BIO_printf(bio_err, "-content file  supply or override content for detached signature\n");
@@ -538,16 +527,10 @@ argerr:
                BIO_printf(bio_err, "-CAfile file   trusted certificates file\n");
                BIO_printf(bio_err, "-crl_check     check revocation status of signer's certificate using CRLs\n");
                BIO_printf(bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
-#ifndef OPENSSL_NO_ENGINE
-                BIO_printf(bio_err, "-engine e      use engine e, possibly a hardware device.\n");
-#endif
                BIO_printf(bio_err, "-passin arg    input file pass phrase source\n");
                BIO_printf(bio_err, "cert.pem       recipient certificate(s) for encryption\n");
                goto end;
        }
-#ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, engine, 0);
-#endif
        if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
                BIO_printf(bio_err, "Error getting password\n");
diff --git a/src/usr.bin/openssl/dgst.c b/src/usr.bin/openssl/dgst.c
index d442bba266..94d98ac6a4 100644
--- a/src/usr.bin/openssl/dgst.c
+++ b/src/usr.bin/openssl/dgst.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dgst.c,v 1.5 2015/09/10 16:01:06 jsing Exp $ */
+/* $OpenBSD: dgst.c,v 1.6 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -101,7 +101,6 @@ list_md_fn(const EVP_MD * m, const char *from, const char *to, void *arg)
 int
 dgst_main(int argc, char **argv)
 {
-        ENGINE *e = NULL;
        unsigned char *buf = NULL;
        int i, err = 1;
        const EVP_MD *md = NULL, *m;
@@ -120,9 +119,6 @@ dgst_main(int argc, char **argv)
        unsigned char *sigbuf = NULL;
        int siglen = 0;
        char *passargin = NULL, *passin = NULL;
-#ifndef OPENSSL_NO_ENGINE
-        char *engine = NULL;
-#endif
        char *hmac_key = NULL;
        char *mac_name = NULL;
        STACK_OF(OPENSSL_STRING) * sigopts = NULL, *macopts = NULL;
@@ -178,14 +174,6 @@ dgst_main(int argc, char **argv)
                                break;
                        keyform = str2fmt(*(++argv));
                }
-#ifndef OPENSSL_NO_ENGINE
-                else if (strcmp(*argv, "-engine") == 0) {
-                        if (--argc < 1)
-                                break;
-                        engine = *(++argv);
-                        e = setup_engine(bio_err, engine, 0);
-                }
-#endif
                else if (strcmp(*argv, "-hex") == 0)
                        out_bin = 0;
                else if (strcmp(*argv, "-binary") == 0)
@@ -238,16 +226,13 @@ dgst_main(int argc, char **argv)
                BIO_printf(bio_err, "-sign   file    sign digest using private key in file\n");
                BIO_printf(bio_err, "-verify file    verify a signature using public key in file\n");
                BIO_printf(bio_err, "-prverify file  verify a signature using private key in file\n");
-                BIO_printf(bio_err, "-keyform arg    key file format (PEM or ENGINE)\n");
+                BIO_printf(bio_err, "-keyform arg    key file format (PEM)\n");
                BIO_printf(bio_err, "-out filename   output to filename rather than stdout\n");
                BIO_printf(bio_err, "-signature file signature to verify\n");
                BIO_printf(bio_err, "-sigopt nm:v    signature parameter\n");
                BIO_printf(bio_err, "-hmac key       create hashed MAC with key\n");
                BIO_printf(bio_err, "-mac algorithm  create MAC (not neccessarily HMAC)\n");
                BIO_printf(bio_err, "-macopt nm:v    MAC algorithm parameters or key\n");
-#ifndef OPENSSL_NO_ENGINE
-                BIO_printf(bio_err, "-engine e       use engine e, possibly a hardware device.\n");
-#endif
                EVP_MD_do_all_sorted(list_md_fn, bio_err);
                goto end;
@@ -298,10 +283,10 @@ dgst_main(int argc, char **argv)
        if (keyfile) {
                if (want_pub)
                        sigkey = load_pubkey(bio_err, keyfile, keyform, 0, NULL,
-                            e, "key file");
+                            "key file");
                else
                        sigkey = load_key(bio_err, keyfile, keyform, 0, passin,
-                            e, "key file");
+                            "key file");
                if (!sigkey) {
                        /*
                         * load_[pub]key() has already printed an appropriate
@@ -313,7 +298,7 @@ dgst_main(int argc, char **argv)
        if (mac_name) {
                EVP_PKEY_CTX *mac_ctx = NULL;
                int r = 0;
-                if (!init_gen_str(bio_err, &mac_ctx, mac_name, e, 0))
+                if (!init_gen_str(bio_err, &mac_ctx, mac_name, 0))
                        goto mac_end;
                if (macopts) {
                        char *macopt;
@@ -341,7 +326,7 @@ mac_end:
                        goto end;
        }
        if (hmac_key) {
-                sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, e,
+                sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
                    (unsigned char *) hmac_key, -1);
                if (!sigkey)
                        goto end;
diff --git a/src/usr.bin/openssl/dh.c b/src/usr.bin/openssl/dh.c
index ed86428258..f4112e87c2 100644
--- a/src/usr.bin/openssl/dh.c
+++ b/src/usr.bin/openssl/dh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh.c,v 1.5 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: dh.c,v 1.6 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -77,9 +77,6 @@
 static struct {
        int C;
        int check;
-#ifndef OPENSSL_NO_ENGINE
-        char *engine;
-#endif
        char *infile;
        int informat;
        int noout;
@@ -101,15 +98,6 @@ static struct option dh_options[] = {
                .type = OPTION_FLAG,
                .opt.flag = &dh_config.check,
        },
-#ifndef OPENSSL_NO_ENGINE
-        {
-                .name = "engine",
-                .argname = "id",
-                .desc = "Use the engine specified by the given identifier",
-                .type = OPTION_ARG,
-                .opt.arg = &dh_config.engine,
-        },
-#endif
        {
                .name = "in",
                .argname = "file",
@@ -157,7 +145,7 @@ static void
 dh_usage(void)
 {
        fprintf(stderr,
-            "usage: dh [-C] [-check] [-engine id] [-in file] [-inform format]\n"
+            "usage: dh [-C] [-check] [-in file] [-inform format]\n"
            "    [-noout] [-out file] [-outform format] [-text]\n\n");
        options_usage(dh_options);
 }
@@ -180,10 +168,6 @@ dh_main(int argc, char **argv)
                goto end;
        }
-#ifndef OPENSSL_NO_ENGINE
-        setup_engine(bio_err, dh_config.engine, 0);
-#endif
        in = BIO_new(BIO_s_file());
        out = BIO_new(BIO_s_file());
        if (in == NULL || out == NULL) {
diff --git a/src/usr.bin/openssl/dhparam.c b/src/usr.bin/openssl/dhparam.c
index 5757b906b1..158a07a572 100644
--- a/src/usr.bin/openssl/dhparam.c
+++ b/src/usr.bin/openssl/dhparam.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dhparam.c,v 1.5 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: dhparam.c,v 1.6 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -135,9 +135,6 @@ struct {
        int C;
        int check;
        int dsaparam;
-#ifndef OPENSSL_NO_ENGINE
-        char *engine;
-#endif
        int g;
        char *infile;
        int informat;
@@ -181,15 +178,6 @@ struct option dhparam_options[] = {
                .type = OPTION_FLAG,
                .opt.flag = &dhparam_config.dsaparam,
        },
-#ifndef OPENSSL_NO_ENGINE
-        {
-                .name = "engine",
-                .argname = "id",
-                .desc = "Use the engine specified by the given identifier",
-                .type = OPTION_ARG,
-                .opt.arg = &dhparam_config.engine,
-        },
-#endif
        {
                .name = "in",
                .argname = "file",
@@ -237,7 +225,7 @@ static void
 dhparam_usage()
 {
        fprintf(stderr,
-            "usage: dhparam [-2 | -5] [-C] [-check] [-dsaparam] [-engine id]\n"
+            "usage: dhparam [-2 | -5] [-C] [-check] [-dsaparam]\n"
            "    [-in file] [-inform DER | PEM] [-noout] [-out file]\n"
            "    [-outform DER | PEM] [-text] [numbits]\n\n");
        options_usage(dhparam_options);
@@ -273,10 +261,6 @@ dhparam_main(int argc, char **argv)
                }
        }
-#ifndef OPENSSL_NO_ENGINE
-        setup_engine(bio_err, dhparam_config.engine, 0);
-#endif
        if (dhparam_config.g && !num)
                num = DEFBITS;
diff --git a/src/usr.bin/openssl/dsa.c b/src/usr.bin/openssl/dsa.c
index 2b6bff29f3..813e163662 100644
--- a/src/usr.bin/openssl/dsa.c
+++ b/src/usr.bin/openssl/dsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa.c,v 1.4 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: dsa.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -76,9 +76,6 @@
 static struct {
        const EVP_CIPHER *enc;
-#ifndef OPENSSL_NO_ENGINE
-        char *engine;
-#endif
        char *infile;
        int informat;
        int modulus;
@@ -110,15 +107,6 @@ dsa_opt_enc(int argc, char **argv, int *argsused)
 }
 static struct option dsa_options[] = {
-#ifndef OPENSSL_NO_ENGINE
-        {
-                .name = "engine",
-                .argname = "id",
-                .desc = "Use the engine specified by the given identifier",
-                .type = OPTION_ARG,
-                .opt.arg = &dsa_config.engine,
-        },
-#endif
        {
                .name = "in",
                .argname = "file",
@@ -231,7 +219,7 @@ static void
 dsa_usage(void)
 {
        fprintf(stderr,
-            "usage: dsa [-engine id] [-in file] [-inform format] [-noout]\n"
+            "usage: dsa [-in file] [-inform format] [-noout]\n"
            "    [-out file] [-outform format] [-passin src] [-passout src]\n"
            "    [-pubin] [-pubout] [-pvk-none | -pvk-strong | -pvk-weak]\n"
            "    [-text] [-ciphername]\n\n");
@@ -246,7 +234,6 @@ dsa_usage(void)
 int
 dsa_main(int argc, char **argv)
 {
-        ENGINE *e = NULL;
        int ret = 1;
        DSA *dsa = NULL;
        int i;
@@ -264,10 +251,6 @@ dsa_main(int argc, char **argv)
                goto end;
        }
-#ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, dsa_config.engine, 0);
-#endif
        if (!app_passwd(bio_err, dsa_config.passargin, dsa_config.passargout,
            &passin, &passout)) {
                BIO_printf(bio_err, "Error getting passwords\n");
@@ -296,10 +279,10 @@ dsa_main(int argc, char **argv)
                if (dsa_config.pubin)
                        pkey = load_pubkey(bio_err, dsa_config.infile,
-                            dsa_config.informat, 1, passin, e, "Public Key");
+                            dsa_config.informat, 1, passin, "Public Key");
                else
                        pkey = load_key(bio_err, dsa_config.infile,
-                            dsa_config.informat, 1, passin, e, "Private Key");
+                            dsa_config.informat, 1, passin, "Private Key");
                if (pkey) {
                        dsa = EVP_PKEY_get1_DSA(pkey);
diff --git a/src/usr.bin/openssl/dsaparam.c b/src/usr.bin/openssl/dsaparam.c
index 66cacbb3a9..0cdd5c1d51 100644
--- a/src/usr.bin/openssl/dsaparam.c
+++ b/src/usr.bin/openssl/dsaparam.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsaparam.c,v 1.4 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: dsaparam.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -81,9 +81,6 @@
 static struct {
        int C;
-#ifndef OPENSSL_NO_ENGINE
-        char *engine;
-#endif
        int genkey;
        char *infile;
        int informat;
@@ -100,15 +97,6 @@ static struct option dsaparam_options[] = {
                .type = OPTION_FLAG,
                .opt.flag = &dsaparam_config.C,
        },
-#ifndef OPENSSL_NO_ENGINE
-        {
-                .name = "engine",
-                .argname = "id",
-                .desc = "Use the engine specified by the given identifier",
-                .type = OPTION_ARG,
-                .opt.arg = &dsaparam_config.engine,
-        },
-#endif
        {
                .name = "genkey",
                .desc = "Generate a DSA key",
@@ -162,7 +150,7 @@ static void
 dsaparam_usage(void)
 {
        fprintf(stderr,
-            "usage: dsaparam [-C] [-engine id] [-genkey] [-in file]\n"
+            "usage: dsaparam [-C] [-genkey] [-in file]\n"
            "    [-inform format] [-noout] [-out file] [-outform format]\n"
            "    [-text] [numbits]\n\n");
        options_usage(dsaparam_options);
@@ -222,10 +210,6 @@ dsaparam_main(int argc, char **argv)
                }
        }
-#ifndef OPENSSL_NO_ENGINE
-        setup_engine(bio_err, dsaparam_config.engine, 0);
-#endif
        if (numbits > 0) {
                BN_GENCB cb;
                BN_GENCB_set(&cb, dsa_cb, bio_err);
diff --git a/src/usr.bin/openssl/ec.c b/src/usr.bin/openssl/ec.c
index b593e2b4a1..d5fe68f0d8 100644
--- a/src/usr.bin/openssl/ec.c
+++ b/src/usr.bin/openssl/ec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec.c,v 1.4 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: ec.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
 /*
 * Written by Nils Larsch for the OpenSSL project.
 */
@@ -75,9 +75,6 @@
 static struct {
        int asn1_flag;
        const EVP_CIPHER *enc;
-#ifndef OPENSSL_NO_ENGINE
-        char *engine;
-#endif
        point_conversion_form_t form;
        char *infile;
        int informat;
@@ -153,15 +150,6 @@ static struct option ec_options[] = {
                .type = OPTION_ARG_FUNC,
                .opt.argfunc = ec_opt_form,
        },
-#ifndef OPENSSL_NO_ENGINE
-        {
-                .name = "engine",
-                .argname = "id",
-                .desc = "Use the engine specified by the given identifier",
-                .type = OPTION_ARG,
-                .opt.arg = &ec_config.engine,
-        },
-#endif
        {
                .name = "in",
                .argname = "file",
@@ -266,7 +254,7 @@ static void
 ec_usage(void)
 {
        fprintf(stderr,
-            "usage: ec [-conv_form form] [-engine id] [-in file]\n"
+            "usage: ec [-conv_form form] [-in file]\n"
            "    [-inform format] [-noout] [-out file] [-outform format]\n"
            "    [-param_enc type] [-param_out] [-passin file]\n"
            "    [-passout file] [-pubin] [-pubout] [-text] [-ciphername]\n\n");
@@ -301,10 +289,6 @@ ec_main(int argc, char **argv)
                goto end;
        }
-#ifndef OPENSSL_NO_ENGINE
-        setup_engine(bio_err, ec_config.engine, 0);
-#endif
        if (!app_passwd(bio_err, ec_config.passargin, ec_config.passargout,
            &passin, &passout)) {
                BIO_printf(bio_err, "Error getting passwords\n");
diff --git a/src/usr.bin/openssl/ecparam.c b/src/usr.bin/openssl/ecparam.c
index b0b46a145d..6adac863d5 100644
--- a/src/usr.bin/openssl/ecparam.c
+++ b/src/usr.bin/openssl/ecparam.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecparam.c,v 1.12 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: ecparam.c,v 1.13 2015/09/11 14:30:23 bcook Exp $ */
 /*
 * Written by Nils Larsch for the OpenSSL project.
 */
@@ -95,7 +95,6 @@ static struct {
        int asn1_flag;
        int check;
        char *curve_name;
-        char *engine;
        point_conversion_form_t form;
        int genkey;
        char *infile;
@@ -161,15 +160,6 @@ struct option ecparam_options[] = {
                .type = OPTION_ARG_FUNC,
                .opt.argfunc = ecparam_opt_form,
        },
-#ifndef OPENSSL_NO_ENGINE
-        {
-                .name = "engine",
-                .argname = "id",
-                .desc = "Use the engine specified by the given identifier",
-                .type = OPTION_ARG,
-                .opt.arg = &ecparam_config.engine,
-        },
-#endif
        {
                .name = "genkey",
                .desc = "Generate an EC private key using the specified "
@@ -252,7 +242,7 @@ static void
 ecparam_usage(void)
 {
        fprintf(stderr, "usage: ecparam [-C] [-check] [-conv_form arg] "
-            "[-engine id] [-genkey]\n"
+            " [-genkey]\n"
            "    [-in file] [-inform DER | PEM] [-list_curves] [-name arg]\n"
            "    [-no_seed] [-noout] [-out file] [-outform DER | PEM]\n"
            "    [-param_enc arg] [-text]\n\n");
@@ -303,10 +293,6 @@ ecparam_main(int argc, char **argv)
                }
        }
-#ifndef OPENSSL_NO_ENGINE
-        setup_engine(bio_err, ecparam_config.engine, 0);
-#endif
        if (ecparam_config.list_curves) {
                EC_builtin_curve *curves = NULL;
                size_t crv_len = 0;
diff --git a/src/usr.bin/openssl/enc.c b/src/usr.bin/openssl/enc.c
index 3ba774053d..6eb804fd49 100644
--- a/src/usr.bin/openssl/enc.c
+++ b/src/usr.bin/openssl/enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: enc.c,v 1.6 2015/09/10 16:01:06 jsing Exp $ */
+/* $OpenBSD: enc.c,v 1.7 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -85,9 +85,6 @@ static struct {
        int do_zlib;
 #endif
        int enc;
-#ifndef OPENSSL_NO_ENGINE
-        char *engine;
-#endif
        char *hiv;
        char *hkey;
        char *hsalt;
@@ -171,15 +168,6 @@ static struct option enc_options[] = {
                .opt.value = &enc_config.enc,
                .value = 1,
        },
-#ifndef OPENSSL_NO_ENGINE
-        {
-                .name = "engine",
-                .argname = "id",
-                .desc = "Use the engine specified by the given identifier",
-                .type = OPTION_ARG,
-                .opt.arg = &enc_config.engine,
-        },
-#endif
        {
                .name = "in",
                .argname = "file",
@@ -317,7 +305,7 @@ enc_usage(void)
 {
        fprintf(stderr, "usage: enc -ciphername [-AadePp] [-base64] "
            "[-bufsize number] [-debug]\n"
-            "    [-engine id] [-in file] [-iv IV] [-K key] [-k password]\n"
+            "    [-in file] [-iv IV] [-K key] [-k password]\n"
            "    [-kfile file] [-md digest] [-none] [-nopad] [-nosalt]\n"
            "    [-out file] [-pass arg] [-S salt] [-salt]\n\n");
        options_usage(enc_options);
@@ -413,10 +401,6 @@ enc_main(int argc, char **argv)
                enc_config.keystr = buf;
        }
-#ifndef OPENSSL_NO_ENGINE
-        setup_engine(bio_err, enc_config.engine, 0);
-#endif
        if (enc_config.md != NULL &&
            (dgst = EVP_get_digestbyname(enc_config.md)) == NULL) {
                BIO_printf(bio_err,
diff --git a/src/usr.bin/openssl/engine.c b/src/usr.bin/openssl/engine.c
deleted file mode 100644
index 0dc3043887..0000000000
--- a/src/usr.bin/openssl/engine.c
+++ /dev/null
@@ -1,493 +0,0 @@
-/* $OpenBSD: engine.c,v 1.5 2015/08/22 16:36:05 jsing Exp $ */
-/* Written by Richard Levitte <richard@levitte.org> for the OpenSSL
- * project 2000.
- */
-/* ====================================================================
- * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include "apps.h"
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#include <openssl/err.h>
-#include <openssl/ssl.h>
-static const char *engine_usage[] = {
-        "usage: engine opts [engine ...]\n",
-        " -v[v[v[v]]] - verbose mode, for each engine, list its 'control commands'\n",
-        "               -vv will additionally display each command's description\n",
-        "               -vvv will also add the input flags for each command\n",
-        "               -vvvv will also show internal input flags\n",
-        " -c          - for each engine, also list the capabilities\n",
-        " -t[t]       - for each engine, check that they are really available\n",
-        "               -tt will display error trace for unavailable engines\n",
-        " -pre <cmd>  - runs command 'cmd' against the ENGINE before any attempts\n",
-        "               to load it (if -t is used)\n",
-        " -post <cmd> - runs command 'cmd' against the ENGINE after loading it\n",
-        "               (only used if -t is also provided)\n",
-        " NB: -pre and -post will be applied to all ENGINEs supplied on the command\n",
-        " line, or all supported ENGINEs if none are specified.\n",
-        " Eg. '-pre \"SO_PATH:/lib/libdriver.so\"' calls command \"SO_PATH\" with\n",
-        " argument \"/lib/libdriver.so\".\n",
-        NULL
-};
-static void
-identity(char *ptr)
-{
-        return;
-}
-static int
-append_buf(char **buf, const char *s, int *size, int step)
-{
-        if (*buf == NULL) {
-                *size = step;
-                *buf = malloc(*size);
-                if (*buf == NULL)
-                        return 0;
-                **buf = '\0';
-        }
-        if (strlen(*buf) + strlen(s) >= (unsigned int) *size) {
-                *size += step;
-                *buf = realloc(*buf, *size);
-        }
-        if (*buf == NULL)
-                return 0;
-        if (**buf != '\0')
-                strlcat(*buf, ", ", *size);
-        strlcat(*buf, s, *size);
-        return 1;
-}
-static int
-util_flags(BIO * bio_out, unsigned int flags, const char *indent)
-{
-        int started = 0, err = 0;
-        /* Indent before displaying input flags */
-        BIO_printf(bio_out, "%s%s(input flags): ", indent, indent);
-        if (flags == 0) {
-                BIO_printf(bio_out, "<no flags>\n");
-                return 1;
-        }
-        /*
-         * If the object is internal, mark it in a way that shows instead of
-         * having it part of all the other flags, even if it really is.
-         */
-        if (flags & ENGINE_CMD_FLAG_INTERNAL) {
-                BIO_printf(bio_out, "[Internal] ");
-        }
-        if (flags & ENGINE_CMD_FLAG_NUMERIC) {
-                BIO_printf(bio_out, "NUMERIC");
-                started = 1;
-        }
-        /*
-         * Now we check that no combinations of the mutually exclusive
-         * NUMERIC, STRING, and NO_INPUT flags have been used. Future flags
-         * that can be OR'd together with these would need to added after
-         * these to preserve the testing logic.
-         */
-        if (flags & ENGINE_CMD_FLAG_STRING) {
-                if (started) {
-                        BIO_printf(bio_out, "|");
-                        err = 1;
-                }
-                BIO_printf(bio_out, "STRING");
-                started = 1;
-        }
-        if (flags & ENGINE_CMD_FLAG_NO_INPUT) {
-                if (started) {
-                        BIO_printf(bio_out, "|");
-                        err = 1;
-                }
-                BIO_printf(bio_out, "NO_INPUT");
-                started = 1;
-        }
-        /* Check for unknown flags */
-        flags = flags & ~ENGINE_CMD_FLAG_NUMERIC &
-            ~ENGINE_CMD_FLAG_STRING &
-            ~ENGINE_CMD_FLAG_NO_INPUT &
-            ~ENGINE_CMD_FLAG_INTERNAL;
-        if (flags) {
-                if (started)
-                        BIO_printf(bio_out, "|");
-                BIO_printf(bio_out, "<0x%04X>", flags);
-        }
-        if (err)
-                BIO_printf(bio_out, "  <illegal flags!>");
-        BIO_printf(bio_out, "\n");
-        return 1;
-}
-static int
-util_verbose(ENGINE * e, int verbose, BIO * bio_out, const char *indent)
-{
-        static const int line_wrap = 78;
-        int num;
-        int ret = 0;
-        char *name = NULL;
-        char *desc = NULL;
-        int flags;
-        int xpos = 0;
-        STACK_OF(OPENSSL_STRING) * cmds = NULL;
-        if (!ENGINE_ctrl(e, ENGINE_CTRL_HAS_CTRL_FUNCTION, 0, NULL, NULL) ||
-            ((num = ENGINE_ctrl(e, ENGINE_CTRL_GET_FIRST_CMD_TYPE,
-                        0, NULL, NULL)) <= 0)) {
-                return 1;
-        }
-        cmds = sk_OPENSSL_STRING_new_null();
-        if (!cmds)
-                goto err;
-        do {
-                int len;
-                /* Get the command input flags */
-                if ((flags = ENGINE_ctrl(e, ENGINE_CTRL_GET_CMD_FLAGS, num,
-                            NULL, NULL)) < 0)
-                        goto err;
-                if (!(flags & ENGINE_CMD_FLAG_INTERNAL) || verbose >= 4) {
-                        /* Get the command name */
-                        if ((len = ENGINE_ctrl(e, ENGINE_CTRL_GET_NAME_LEN_FROM_CMD, num,
-                                    NULL, NULL)) <= 0)
-                                goto err;
-                        if ((name = malloc(len + 1)) == NULL)
-                                goto err;
-                        if (ENGINE_ctrl(e, ENGINE_CTRL_GET_NAME_FROM_CMD, num, name,
-                                NULL) <= 0)
-                                goto err;
-                        /* Get the command description */
-                        if ((len = ENGINE_ctrl(e, ENGINE_CTRL_GET_DESC_LEN_FROM_CMD, num,
-                                    NULL, NULL)) < 0)
-                                goto err;
-                        if (len > 0) {
-                                if ((desc = malloc(len + 1)) == NULL)
-                                        goto err;
-                                if (ENGINE_ctrl(e, ENGINE_CTRL_GET_DESC_FROM_CMD, num, desc,
-                                        NULL) <= 0)
-                                        goto err;
-                        }
-                        /* Now decide on the output */
-                        if (xpos == 0)
-                                /* Do an indent */
-                                xpos = BIO_puts(bio_out, indent);
-                        else
-                                /* Otherwise prepend a ", " */
-                                xpos += BIO_printf(bio_out, ", ");
-                        if (verbose == 1) {
-                                /* We're just listing names, comma-delimited */
-                                if ((xpos > (int) strlen(indent)) &&
-                                    (xpos + (int) strlen(name) > line_wrap)) {
-                                        BIO_printf(bio_out, "\n");
-                                        xpos = BIO_puts(bio_out, indent);
-                                }
-                                xpos += BIO_printf(bio_out, "%s", name);
-                        } else {
-                                /* We're listing names plus descriptions */
-                                BIO_printf(bio_out, "%s: %s\n", name,
-                                    (desc == NULL) ? "<no description>" : desc);
-                                /* ... and sometimes input flags */
-                                if ((verbose >= 3) && !util_flags(bio_out, flags,
-                                        indent))
-                                        goto err;
-                                xpos = 0;
-                        }
-                }
-                free(name);
-                name = NULL;
-                free(desc);
-                desc = NULL;
-                /* Move to the next command */
-                num = ENGINE_ctrl(e, ENGINE_CTRL_GET_NEXT_CMD_TYPE,
-                    num, NULL, NULL);
-        } while (num > 0);
-        if (xpos > 0)
-                BIO_printf(bio_out, "\n");
-        ret = 1;
-err:
-        if (cmds)
-                sk_OPENSSL_STRING_pop_free(cmds, identity);
-        free(name);
-        free(desc);
-        return ret;
-}
-static void
-util_do_cmds(ENGINE * e, STACK_OF(OPENSSL_STRING) * cmds,
-    BIO * bio_out, const char *indent)
-{
-        int loop, res, num = sk_OPENSSL_STRING_num(cmds);
-        if (num < 0) {
-                BIO_printf(bio_out, "[Error]: internal stack error\n");
-                return;
-        }
-        for (loop = 0; loop < num; loop++) {
-                char buf[256];
-                const char *cmd, *arg;
-                cmd = sk_OPENSSL_STRING_value(cmds, loop);
-                res = 1;        /* assume success */
-                /* Check if this command has no ":arg" */
-                if ((arg = strstr(cmd, ":")) == NULL) {
-                        if (!ENGINE_ctrl_cmd_string(e, cmd, NULL, 0))
-                                res = 0;
-                } else {
-                        if ((int) (arg - cmd) > 254) {
-                                BIO_printf(bio_out, "[Error]: command name too long\n");
-                                return;
-                        }
-                        memcpy(buf, cmd, (int) (arg - cmd));
-                        buf[arg - cmd] = '\0';
-                        arg++;  /* Move past the ":" */
-                        /* Call the command with the argument */
-                        if (!ENGINE_ctrl_cmd_string(e, buf, arg, 0))
-                                res = 0;
-                }
-                if (res)
-                        BIO_printf(bio_out, "[Success]: %s\n", cmd);
-                else {
-                        BIO_printf(bio_out, "[Failure]: %s\n", cmd);
-                        ERR_print_errors(bio_out);
-                }
-        }
-}
-int
-engine_main(int argc, char **argv)
-{
-        int ret = 1, i;
-        const char **pp;
-        int verbose = 0, list_cap = 0, test_avail = 0, test_avail_noise = 0;
-        ENGINE *e;
-        STACK_OF(OPENSSL_STRING) * engines = sk_OPENSSL_STRING_new_null();
-        STACK_OF(OPENSSL_STRING) * pre_cmds = sk_OPENSSL_STRING_new_null();
-        STACK_OF(OPENSSL_STRING) * post_cmds = sk_OPENSSL_STRING_new_null();
-        int badops = 1;
-        BIO *bio_out = NULL;
-        const char *indent = "     ";
-        bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
-        argc--;
-        argv++;
-        while (argc >= 1) {
-                if (strncmp(*argv, "-v", 2) == 0) {
-                        if (strspn(*argv + 1, "v") < strlen(*argv + 1))
-                                goto skip_arg_loop;
-                        if ((verbose = strlen(*argv + 1)) > 4)
-                                goto skip_arg_loop;
-                } else if (strcmp(*argv, "-c") == 0)
-                        list_cap = 1;
-                else if (strncmp(*argv, "-t", 2) == 0) {
-                        test_avail = 1;
-                        if (strspn(*argv + 1, "t") < strlen(*argv + 1))
-                                goto skip_arg_loop;
-                        if ((test_avail_noise = strlen(*argv + 1) - 1) > 1)
-                                goto skip_arg_loop;
-                } else if (strcmp(*argv, "-pre") == 0) {
-                        argc--;
-                        argv++;
-                        if (argc == 0)
-                                goto skip_arg_loop;
-                        sk_OPENSSL_STRING_push(pre_cmds, *argv);
-                } else if (strcmp(*argv, "-post") == 0) {
-                        argc--;
-                        argv++;
-                        if (argc == 0)
-                                goto skip_arg_loop;
-                        sk_OPENSSL_STRING_push(post_cmds, *argv);
-                } else if ((strncmp(*argv, "-h", 2) == 0) ||
-                    (strcmp(*argv, "-?") == 0))
-                        goto skip_arg_loop;
-                else
-                        sk_OPENSSL_STRING_push(engines, *argv);
-                argc--;
-                argv++;
-        }
-        /* Looks like everything went OK */
-        badops = 0;
-skip_arg_loop:
-        if (badops) {
-                for (pp = engine_usage; (*pp != NULL); pp++)
-                        BIO_printf(bio_err, "%s", *pp);
-                goto end;
-        }
-        if (sk_OPENSSL_STRING_num(engines) == 0) {
-                for (e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e)) {
-                        sk_OPENSSL_STRING_push(engines, (char *) ENGINE_get_id(e));
-                }
-        }
-        for (i = 0; i < sk_OPENSSL_STRING_num(engines); i++) {
-                const char *id = sk_OPENSSL_STRING_value(engines, i);
-                if ((e = ENGINE_by_id(id)) != NULL) {
-                        const char *name = ENGINE_get_name(e);
-                        /* Do "id" first, then "name". Easier to auto-parse. */
-                        BIO_printf(bio_out, "(%s) %s\n", id, name);
-                        util_do_cmds(e, pre_cmds, bio_out, indent);
-                        if (strcmp(ENGINE_get_id(e), id) != 0) {
-                                BIO_printf(bio_out, "Loaded: (%s) %s\n",
-                                    ENGINE_get_id(e), ENGINE_get_name(e));
-                        }
-                        if (list_cap) {
-                                int cap_size = 256;
-                                char *cap_buf = NULL;
-                                int k, n;
-                                const int *nids;
-                                ENGINE_CIPHERS_PTR fn_c;
-                                ENGINE_DIGESTS_PTR fn_d;
-                                ENGINE_PKEY_METHS_PTR fn_pk;
-                                if (ENGINE_get_RSA(e) != NULL
-                                    && !append_buf(&cap_buf, "RSA",
-                                        &cap_size, 256))
-                                        goto end;
-                                if (ENGINE_get_DSA(e) != NULL
-                                    && !append_buf(&cap_buf, "DSA",
-                                        &cap_size, 256))
-                                        goto end;
-                                if (ENGINE_get_DH(e) != NULL
-                                    && !append_buf(&cap_buf, "DH",
-                                        &cap_size, 256))
-                                        goto end;
-                                if (ENGINE_get_RAND(e) != NULL
-                                    && !append_buf(&cap_buf, "RAND",
-                                        &cap_size, 256))
-                                        goto end;
-                                fn_c = ENGINE_get_ciphers(e);
-                                if (!fn_c)
-                                        goto skip_ciphers;
-                                n = fn_c(e, NULL, &nids, 0);
-                                for (k = 0; k < n; ++k)
-                                        if (!append_buf(&cap_buf,
-                                                OBJ_nid2sn(nids[k]),
-                                                &cap_size, 256))
-                                                goto end;
-                skip_ciphers:
-                                fn_d = ENGINE_get_digests(e);
-                                if (!fn_d)
-                                        goto skip_digests;
-                                n = fn_d(e, NULL, &nids, 0);
-                                for (k = 0; k < n; ++k)
-                                        if (!append_buf(&cap_buf,
-                                                OBJ_nid2sn(nids[k]),
-                                                &cap_size, 256))
-                                                goto end;
-                skip_digests:
-                                fn_pk = ENGINE_get_pkey_meths(e);
-                                if (!fn_pk)
-                                        goto skip_pmeths;
-                                n = fn_pk(e, NULL, &nids, 0);
-                                for (k = 0; k < n; ++k)
-                                        if (!append_buf(&cap_buf,
-                                                OBJ_nid2sn(nids[k]),
-                                                &cap_size, 256))
-                                                goto end;
-                skip_pmeths:
-                                if (cap_buf && (*cap_buf != '\0'))
-                                        BIO_printf(bio_out, " [%s]\n", cap_buf);
-                                free(cap_buf);
-                        }
-                        if (test_avail) {
-                                BIO_printf(bio_out, "%s", indent);
-                                if (ENGINE_init(e)) {
-                                        BIO_printf(bio_out, "[ available ]\n");
-                                        util_do_cmds(e, post_cmds, bio_out, indent);
-                                        /*
-                                         * XXX hell lacks a place for people who write functions with
-                                         * XXX unusable return semantics.
-                                         */
-                                        if (ENGINE_finish(e) != 0 ||
-                                            ERR_GET_REASON(ERR_peek_last_error()) ==
-                                            ENGINE_R_FINISH_FAILED)
-                                                e = NULL;
-                                } else {
-                                        BIO_printf(bio_out, "[ unavailable ]\n");
-                                        if (test_avail_noise)
-                                                ERR_print_errors_fp(stdout);
-                                        ERR_clear_error();
-                                }
-                        }
-                        if ((verbose > 0) && e != NULL &&
-                            !util_verbose(e, verbose, bio_out, indent))
-                                goto end;
-                        ENGINE_free(e);
-                } else
-                        ERR_print_errors(bio_err);
-        }
-        ret = 0;
-end:
-        ERR_print_errors(bio_err);
-        sk_OPENSSL_STRING_pop_free(engines, identity);
-        sk_OPENSSL_STRING_pop_free(pre_cmds, identity);
-        sk_OPENSSL_STRING_pop_free(post_cmds, identity);
-        if (bio_out != NULL)
-                BIO_free_all(bio_out);
-        return (ret);
-}
-#endif
diff --git a/src/usr.bin/openssl/gendh.c b/src/usr.bin/openssl/gendh.c
index 38186f0307..208906e24c 100644
--- a/src/usr.bin/openssl/gendh.c
+++ b/src/usr.bin/openssl/gendh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gendh.c,v 1.4 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: gendh.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -87,9 +87,6 @@
 static int dh_cb(int p, int n, BN_GENCB * cb);
 static struct {
-#ifndef OPENSSL_NO_ENGINE
-        char *engine;
-#endif
        int g;
        char *outfile;
 } gendh_config;
@@ -110,15 +107,6 @@ static struct option gendh_options[] = {
                .value = 5,
                .opt.value = &gendh_config.g,
        },
-#ifndef OPENSSL_NO_ENGINE
-        {
-                .name = "engine",
-                .argname = "id",
-                .desc = "Use the engine specified by the given identifier",
-                .type = OPTION_ARG,
-                .opt.arg = &gendh_config.engine,
-        },
-#endif
        {
                .name = "out",
                .argname = "file",
@@ -133,7 +121,7 @@ static void
 gendh_usage(void)
 {
        fprintf(stderr,
-            "usage: gendh [-2 | -5] [-engine id] [-out file] [numbits]\n\n");
+            "usage: gendh [-2 | -5] [-out file] [numbits]\n\n");
        options_usage(gendh_options);
 }
@@ -166,10 +154,6 @@ gendh_main(int argc, char **argv)
                }
        }
-#ifndef OPENSSL_NO_ENGINE
-        setup_engine(bio_err, gendh_config.engine, 0);
-#endif
        out = BIO_new(BIO_s_file());
        if (out == NULL) {
                ERR_print_errors(bio_err);
diff --git a/src/usr.bin/openssl/gendsa.c b/src/usr.bin/openssl/gendsa.c
index 4fbd0dce31..ee2d6ba1b6 100644
--- a/src/usr.bin/openssl/gendsa.c
+++ b/src/usr.bin/openssl/gendsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gendsa.c,v 1.3 2015/09/10 02:17:17 lteo Exp $ */
+/* $OpenBSD: gendsa.c,v 1.4 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -84,9 +84,6 @@ gendsa_main(int argc, char **argv)
        char *passargout = NULL, *passout = NULL;
        BIO *out = NULL, *in = NULL;
        const EVP_CIPHER *enc = NULL;
-#ifndef OPENSSL_NO_ENGINE
-        char *engine = NULL;
-#endif
        argv++;
        argc--;
@@ -102,13 +99,6 @@ gendsa_main(int argc, char **argv)
                                goto bad;
                        passargout = *(++argv);
                }
-#ifndef OPENSSL_NO_ENGINE
-                else if (strcmp(*argv, "-engine") == 0) {
-                        if (--argc < 1)
-                                goto bad;
-                        engine = *(++argv);
-                }
-#endif
                else if (strcmp(*argv, "-") == 0)
                        goto bad;
 #ifndef OPENSSL_NO_DES
@@ -164,17 +154,10 @@ bad:
                BIO_printf(bio_err, " -camellia128, -camellia192, -camellia256\n");
                BIO_printf(bio_err, "                 encrypt PEM output with cbc camellia\n");
 #endif
-#ifndef OPENSSL_NO_ENGINE
-                BIO_printf(bio_err, " -engine e - use engine e, possibly a hardware device.\n");
-#endif
                BIO_printf(bio_err, " dsaparam-file\n");
                BIO_printf(bio_err, "           - a DSA parameter file as generated by the dsaparam command\n");
                goto end;
        }
-#ifndef OPENSSL_NO_ENGINE
-        setup_engine(bio_err, engine, 0);
-#endif
        if (!app_passwd(bio_err, NULL, passargout, NULL, &passout)) {
                BIO_printf(bio_err, "Error getting password\n");
                goto end;
diff --git a/src/usr.bin/openssl/genpkey.c b/src/usr.bin/openssl/genpkey.c
index 1ebc4e7d3c..d76e2febd8 100644
--- a/src/usr.bin/openssl/genpkey.c
+++ b/src/usr.bin/openssl/genpkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: genpkey.c,v 1.4 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: genpkey.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006
 */
@@ -65,19 +65,13 @@
 #include <openssl/evp.h>
 #include <openssl/pem.h>
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
 static int
-init_keygen_file(BIO * err, EVP_PKEY_CTX ** pctx, const char *file,
+init_keygen_file(BIO * err, EVP_PKEY_CTX ** pctx, const char *file);
-    ENGINE * e);
 static int genpkey_cb(EVP_PKEY_CTX * ctx);
 int
 genpkey_main(int argc, char **argv)
 {
-        ENGINE *e = NULL;
        char **args, *outfile = NULL;
        char *passarg = NULL;
        BIO *in = NULL, *out = NULL;
@@ -107,20 +101,13 @@ genpkey_main(int argc, char **argv)
                                goto bad;
                        passarg = *(++args);
                }
-#ifndef OPENSSL_NO_ENGINE
-                else if (strcmp(*args, "-engine") == 0) {
-                        if (!args[1])
-                                goto bad;
-                        e = setup_engine(bio_err, *(++args), 0);
-                }
-#endif
                else if (!strcmp(*args, "-paramfile")) {
                        if (!args[1])
                                goto bad;
                        args++;
                        if (do_param == 1)
                                goto bad;
-                        if (!init_keygen_file(bio_err, &ctx, *args, e))
+                        if (!init_keygen_file(bio_err, &ctx, *args))
                                goto end;
                } else if (!strcmp(*args, "-out")) {
                        if (args[1]) {
@@ -131,7 +118,7 @@ genpkey_main(int argc, char **argv)
                } else if (strcmp(*args, "-algorithm") == 0) {
                        if (!args[1])
                                goto bad;
-                        if (!init_gen_str(bio_err, &ctx, *(++args), e, do_param))
+                        if (!init_gen_str(bio_err, &ctx, *(++args), do_param))
                                goto end;
                } else if (strcmp(*args, "-pkeyopt") == 0) {
                        if (!args[1])
@@ -174,9 +161,6 @@ bad:
                BIO_printf(bio_err, "-outform X         output format (DER or PEM)\n");
                BIO_printf(bio_err, "-pass arg          output file pass phrase source\n");
                BIO_printf(bio_err, "-<cipher>          use cipher <cipher> to encrypt the key\n");
-#ifndef OPENSSL_NO_ENGINE
-                BIO_printf(bio_err, "-engine e          use engine e, possibly a hardware device.\n");
-#endif
                BIO_printf(bio_err, "-paramfile file    parameters file\n");
                BIO_printf(bio_err, "-algorithm alg     the public key algorithm\n");
                BIO_printf(bio_err, "-pkeyopt opt:value set the public key algorithm option <opt>\n"
@@ -261,7 +245,7 @@ end:
 static int
 init_keygen_file(BIO * err, EVP_PKEY_CTX ** pctx,
-    const char *file, ENGINE * e)
+    const char *file)
 {
        BIO *pbio;
        EVP_PKEY *pkey = NULL;
@@ -282,7 +266,7 @@ init_keygen_file(BIO * err, EVP_PKEY_CTX ** pctx,
                BIO_printf(bio_err, "Error reading parameter file %s\n", file);
                return 0;
        }
-        ctx = EVP_PKEY_CTX_new(pkey, e);
+        ctx = EVP_PKEY_CTX_new(pkey, NULL);
        if (!ctx)
                goto err;
        if (EVP_PKEY_keygen_init(ctx) <= 0)
@@ -304,23 +288,17 @@ err:
 int
 init_gen_str(BIO * err, EVP_PKEY_CTX ** pctx,
-    const char *algname, ENGINE * e, int do_param)
+    const char *algname, int do_param)
 {
        EVP_PKEY_CTX *ctx = NULL;
        const EVP_PKEY_ASN1_METHOD *ameth;
-        ENGINE *tmpeng = NULL;
        int pkey_id;
        if (*pctx) {
                BIO_puts(err, "Algorithm already set!\n");
                return 0;
        }
-        ameth = EVP_PKEY_asn1_find_str(&tmpeng, algname, -1);
+        ameth = EVP_PKEY_asn1_find_str(NULL, algname, -1);
-#ifndef OPENSSL_NO_ENGINE
-        if (!ameth && e)
-                ameth = ENGINE_get_pkey_asn1_meth_str(e, algname, -1);
-#endif
        if (!ameth) {
                BIO_printf(bio_err, "Algorithm %s not found\n", algname);
@@ -329,11 +307,7 @@ init_gen_str(BIO * err, EVP_PKEY_CTX ** pctx,
        ERR_clear_error();
        EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth);
-#ifndef OPENSSL_NO_ENGINE
+        ctx = EVP_PKEY_CTX_new_id(pkey_id, NULL);
-        if (tmpeng)
-                ENGINE_finish(tmpeng);
-#endif
-        ctx = EVP_PKEY_CTX_new_id(pkey_id, e);
        if (!ctx)
                goto err;
diff --git a/src/usr.bin/openssl/genrsa.c b/src/usr.bin/openssl/genrsa.c
index 99f2bf3641..9f78f0d65d 100644
--- a/src/usr.bin/openssl/genrsa.c
+++ b/src/usr.bin/openssl/genrsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: genrsa.c,v 1.4 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: genrsa.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -89,9 +89,6 @@ int
 genrsa_main(int argc, char **argv)
 {
        BN_GENCB cb;
-#ifndef OPENSSL_NO_ENGINE
-        ENGINE *e = NULL;
-#endif
        int ret = 1;
        int i, num = DEFBITS;
        long l;
@@ -99,9 +96,6 @@ genrsa_main(int argc, char **argv)
        unsigned long f4 = RSA_F4;
        char *outfile = NULL;
        char *passargout = NULL, *passout = NULL;
-#ifndef OPENSSL_NO_ENGINE
-        char *engine = NULL;
-#endif
        BIO *out = NULL;
        BIGNUM *bn = BN_new();
        RSA *rsa = NULL;
@@ -128,13 +122,6 @@ genrsa_main(int argc, char **argv)
                        f4 = 3;
                else if (strcmp(*argv, "-F4") == 0 || strcmp(*argv, "-f4") == 0)
                        f4 = RSA_F4;
-#ifndef OPENSSL_NO_ENGINE
-                else if (strcmp(*argv, "-engine") == 0) {
-                        if (--argc < 1)
-                                goto bad;
-                        engine = *(++argv);
-                }
-#endif
 #ifndef OPENSSL_NO_DES
                else if (strcmp(*argv, "-des") == 0)
                        enc = EVP_des_cbc();
@@ -190,9 +177,6 @@ bad:
                BIO_printf(bio_err, " -passout arg    output file pass phrase source\n");
                BIO_printf(bio_err, " -f4             use F4 (0x10001) for the E value\n");
                BIO_printf(bio_err, " -3              use 3 for the E value\n");
-#ifndef OPENSSL_NO_ENGINE
-                BIO_printf(bio_err, " -engine e       use engine e, possibly a hardware device.\n");
-#endif
                goto err;
        }
@@ -200,9 +184,6 @@ bad:
                BIO_printf(bio_err, "Error getting password\n");
                goto err;
        }
-#ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, engine, 0);
-#endif
        if (outfile == NULL) {
                BIO_set_fp(out, stdout, BIO_NOCLOSE);
@@ -215,11 +196,7 @@ bad:
        BIO_printf(bio_err, "Generating RSA private key, %d bit long modulus\n",
            num);
-#ifdef OPENSSL_NO_ENGINE
        rsa = RSA_new();
-#else
-        rsa = RSA_new_method(e);
-#endif
        if (!rsa)
                goto err;
diff --git a/src/usr.bin/openssl/ocsp.c b/src/usr.bin/openssl/ocsp.c
index ab5a755713..39000328b6 100644
--- a/src/usr.bin/openssl/ocsp.c
+++ b/src/usr.bin/openssl/ocsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp.c,v 1.3 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: ocsp.c,v 1.4 2015/09/11 14:30:23 bcook Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@@ -105,7 +105,6 @@ static OCSP_RESPONSE *query_responder(BIO * err, BIO * cbio, char *path,
 int
 ocsp_main(int argc, char **argv)
 {
-        ENGINE *e = NULL;
        char **args;
        char *host = NULL, *port = NULL, *path = "/";
        char *reqin = NULL, *respin = NULL;
@@ -335,7 +334,7 @@ ocsp_main(int argc, char **argv)
                                args++;
                                X509_free(issuer);
                                issuer = load_cert(bio_err, *args, FORMAT_PEM,
-                                    NULL, e, "issuer certificate");
+                                    NULL, "issuer certificate");
                                if (!issuer)
                                        goto end;
                        } else
@@ -345,7 +344,7 @@ ocsp_main(int argc, char **argv)
                                args++;
                                X509_free(cert);
                                cert = load_cert(bio_err, *args, FORMAT_PEM,
-                                    NULL, e, "certificate");
+                                    NULL, "certificate");
                                if (!cert)
                                        goto end;
                                if (!cert_id_md)
@@ -531,20 +530,20 @@ ocsp_main(int argc, char **argv)
                if (!rkeyfile)
                        rkeyfile = rsignfile;
                rsigner = load_cert(bio_err, rsignfile, FORMAT_PEM,
-                    NULL, e, "responder certificate");
+                    NULL, "responder certificate");
                if (!rsigner) {
                        BIO_printf(bio_err, "Error loading responder certificate\n");
                        goto end;
                }
                rca_cert = load_cert(bio_err, rca_filename, FORMAT_PEM,
-                    NULL, e, "CA certificate");
+                    NULL, "CA certificate");
                if (rcertfile) {
                        rother = load_certs(bio_err, rcertfile, FORMAT_PEM,
-                            NULL, e, "responder other certificates");
+                            NULL, "responder other certificates");
                        if (!rother)
                                goto end;
                }
-                rkey = load_key(bio_err, rkeyfile, FORMAT_PEM, 0, NULL, NULL,
+                rkey = load_key(bio_err, rkeyfile, FORMAT_PEM, 0, NULL,
                    "responder private key");
                if (!rkey)
                        goto end;
@@ -574,18 +573,18 @@ redo_accept:
                if (!keyfile)
                        keyfile = signfile;
                signer = load_cert(bio_err, signfile, FORMAT_PEM,
-                    NULL, e, "signer certificate");
+                    NULL, "signer certificate");
                if (!signer) {
                        BIO_printf(bio_err, "Error loading signer certificate\n");
                        goto end;
                }
                if (sign_certfile) {
                        sign_other = load_certs(bio_err, sign_certfile, FORMAT_PEM,
-                            NULL, e, "signer certificates");
+                            NULL, "signer certificates");
                        if (!sign_other)
                                goto end;
                }
-                key = load_key(bio_err, keyfile, FORMAT_PEM, 0, NULL, NULL,
+                key = load_key(bio_err, keyfile, FORMAT_PEM, 0, NULL,
                    "signer private key");
                if (!key)
                        goto end;
@@ -690,7 +689,7 @@ done_resp:
                goto end;
        if (verify_certfile) {
                verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM,
-                    NULL, e, "validator certificate");
+                    NULL, "validator certificate");
                if (!verify_other)
                        goto end;
        }
diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1
index 89b1979e2e..7e4937207d 100644
--- a/src/usr.bin/openssl/openssl.1
+++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.21 2015/09/11 06:43:05 jmc Exp $
+.\" $OpenBSD: openssl.1,v 1.22 2015/09/11 14:30:23 bcook Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -284,8 +284,6 @@ Elliptic curve (EC) key processing.
 EC parameter manipulation and generation.
 .It Cm enc
 Encoding with ciphers.
-.It Cm engine
-Engine (loadable module) information and manipulation.
 .It Cm errstr
 Error number to error string conversion.
 .It Cm gendh
@@ -703,7 +701,6 @@ The output of some ASN.1 types is not well handled
 .Op Fl crlhours Ar hours
 .Op Fl days Ar arg
 .Op Fl enddate Ar date
-.Op Fl engine Ar id
 .Op Fl extensions Ar section
 .Op Fl extfile Ar section
 .Op Fl gencrl
@@ -711,7 +708,7 @@ The output of some ASN.1 types is not well handled
 .Op Fl infiles
 .Op Fl key Ar keyfile
 .Op Fl keyfile Ar arg
-.Op Fl keyform Ar ENGINE | PEM
+.Op Fl keyform Ar PEM
 .Op Fl md Ar arg
 .Op Fl msie_hack
 .Op Fl name Ar section
@@ -757,14 +754,6 @@ The number of days to certify the certificate for.
 This allows the expiry date to be explicitly set.
 The format of the date is YYMMDDHHMMSSZ
 .Pq the same as an ASN1 UTCTime structure .
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm ca
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl extensions Ar section
 The section of the configuration file containing certificate extensions
 to be added when a certificate is issued (defaults to
@@ -800,7 +789,7 @@ with the
 utility) this option should be used with caution.
 .It Fl keyfile Ar file
 The private key to sign requests with.
-.It Fl keyform Ar ENGINE | PEM
+.It Fl keyform Ar PEM
 Private key file format.
 .It Fl md Ar alg
 The message digest to use.
@@ -1811,10 +1800,9 @@ install user certificates and CAs in MSIE using the Xenroll control.
 .Oc
 .Op Fl binary
 .Op Fl cd
-.Op Fl engine Ar id
 .Op Fl hex
 .Op Fl hmac Ar key
-.Op Fl keyform Ar ENGINE | PEM
+.Op Fl keyform Ar PEM
 .Op Fl mac Ar algorithm
 .Op Fl macopt Ar nm : Ns Ar v
 .Op Fl out Ar file
@@ -1853,16 +1841,6 @@ Print out the digest in two-digit groups separated by colons; only relevant if
 format output is used.
 .It Fl d
 Print out BIO debugging information.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm dgst
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
-This engine is not used as a source for digest algorithms
-unless it is also specified in the configuration file.
 .It Fl hex
 Digest is to be output as a hex dump.
 This is the default case for a
@@ -1871,7 +1849,7 @@ digest as opposed to a digital signature.
 .It Fl hmac Ar key
 Create a hashed MAC using
 .Ar key .
-.It Fl keyform Ar ENGINE | PEM
+.It Fl keyform Ar PEM
 Specifies the key format to sign the digest with.
 .It Fl mac Ar algorithm
 Create a keyed Message Authentication Code (MAC).
@@ -1963,7 +1941,6 @@ below.
 .Op Fl C
 .Op Fl check
 .Op Fl dsaparam
-.Op Fl engine Ar id
 .Op Fl in Ar file
 .Op Fl inform Ar DER | PEM
 .Op Fl noout
@@ -2008,14 +1985,6 @@ which makes DH key exchange more efficient.
 Beware that with such DSA-style DH parameters,
 a fresh DH key should be created for each use to
 avoid small-subgroup attacks that may be possible otherwise.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm dhparam
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar file
 This specifies the input
 .Ar file
@@ -2109,7 +2078,6 @@ option was added in
 .Fl aes128 | aes192 | aes256 |
 .Fl des | des3
 .Oc
-.Op Fl engine Ar id
 .Op Fl in Ar file
 .Op Fl inform Ar DER | PEM
 .Op Fl modulus
@@ -2154,14 +2122,6 @@ remove the pass phrase from a key,
 or by setting the encryption options it can be use to add or change
 the pass phrase.
 These options can only be used with PEM format output files.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm dsa
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar file
 This specifies the input
 .Ar file
@@ -2267,7 +2227,6 @@ To just output the public part of a private key:
 .Nm "openssl dsaparam"
 .Bk -words
 .Op Fl C
-.Op Fl engine Ar id
 .Op Fl genkey
 .Op Fl in Ar file
 .Op Fl inform Ar DER | PEM
@@ -2290,14 +2249,6 @@ This option converts the parameters into C code.
 The parameters can then be loaded by calling the
 .Cm get_dsa Ns Ar XXX Ns Li ()
 function.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm dsaparam
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl genkey
 This option will generate a DSA either using the specified or generated
 parameters.
@@ -2362,7 +2313,6 @@ DSA parameters is often used to generate several distinct keys.
 .Op Fl conv_form Ar arg
 .Op Fl des
 .Op Fl des3
-.Op Fl engine Ar id
 .Op Fl in Ar file
 .Op Fl inform Ar DER | PEM
 .Op Fl noout
@@ -2428,14 +2378,6 @@ encryption option can be used to remove the pass phrase from a key,
 or by setting the encryption options
 it can be use to add or change the pass phrase.
 These options can only be used with PEM format output files.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm ec
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar file
 This specifies the input filename to read a key from,
 or standard input if this option is not specified.
@@ -2567,7 +2509,6 @@ command was first introduced in
 .Op Fl C
 .Op Fl check
 .Op Fl conv_form Ar arg
-.Op Fl engine Ar id
 .Op Fl genkey
 .Op Fl in Ar file
 .Op Fl inform Ar DER | PEM
@@ -2611,14 +2552,6 @@ option is disabled by default for binary curves
 and can be enabled by defining the preprocessor macro
 .Ar OPENSSL_EC_BIN_PT_COMP
 at compile time.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm ecparam
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl genkey
 Generate an EC private key using the specified parameters.
 .It Fl in Ar file
@@ -2736,7 +2669,6 @@ command was first introduced in
 .Op Fl base64
 .Op Fl bufsize Ar number
 .Op Fl debug
-.Op Fl engine Ar id
 .Op Fl in Ar file
 .Op Fl iv Ar IV
 .Op Fl K Ar key
@@ -2779,14 +2711,6 @@ Decrypt the input data.
 Debug the BIOs used for I/O.
 .It Fl e
 Encrypt the input data: this is the default.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm enc
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar file
 The input
 .Ar file ;
@@ -2918,25 +2842,6 @@ The program can be called either as
 .Nm openssl ciphername
 or
 .Nm openssl enc -ciphername .
-But the first form doesn't work with engine-provided ciphers,
-because this form is processed before the
-configuration file is read and any engines loaded.
-.Pp
-Engines which provide entirely new encryption algorithms
-should be configured in the configuration file.
-Engines, specified on the command line using the
-.Fl engine
-option,
-can only be used for hardware-assisted implementations of ciphers,
-supported by
-.Nm OpenSSL
-core, or by other engines specified in the configuration file.
-.Pp
-When
-.Nm enc
-lists supported ciphers,
-ciphers provided by engines specified in the configuration files
-are listed too.
 .Pp
 A password will be prompted for to derive the
 .Ar key
@@ -3077,56 +2982,6 @@ program only supports a fixed number of algorithms with certain parameters.
 Therefore it is not possible to use RC2 with a 76-bit key
 or RC4 with an 84-bit key with this program.
 .\"
-.\" ENGINE
-.\"
-.Sh ENGINE
-.Nm openssl engine
-.Op Fl ctv
-.Op Fl post Ar cmd
-.Op Fl pre Ar cmd
-.Op Ar engine ...
-.Pp
-The
-.Nm engine
-command provides loadable module information and manipulation
-of various engines.
-Any options are applied to all engines supplied on the command line,
-or all supported engines if none are specified.
-.Pp
-The options are as follows:
-.Bl -tag -width Ds
-.It Fl c
-For each engine, also list the capabilities.
-.It Fl post Ar cmd
-Run command
-.Ar cmd
-against the engine after loading it
-(only used if
-.Fl t
-is also provided).
-.It Fl pre Ar cmd
-Run command
-.Ar cmd
-against the engine before any attempts
-to load it
-(only used if
-.Fl t
-is also provided).
-.It Fl t
-For each engine, check that they are really available.
-.Fl tt
-will display an error trace for unavailable engines.
-.It Fl v
-Verbose mode.
-For each engine, list its 'control commands'.
-.Fl vv
-will additionally display each command's description.
-.Fl vvv
-will also add the input flags for each command.
-.Fl vvvv
-will also show internal input flags.
-.El
-.\"
 .\" ERRSTR
 .\"
 .Sh ERRSTR
@@ -3192,7 +3047,6 @@ above.
 .Fl aes128 | aes192 | aes256 |
 .Fl des | des3
 .Oc
-.Op Fl engine Ar id
 .Op Fl out Ar file
 .Op Ar paramfile
 .Ek
@@ -3215,14 +3069,6 @@ These options encrypt the private key with the AES, DES,
 or the triple DES ciphers, respectively, before outputting it.
 A pass phrase is prompted for.
 If none of these options are specified, no encryption is used.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm gendsa
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl out Ar file
 The output
 .Ar file .
@@ -3246,7 +3092,6 @@ much quicker than RSA key generation, for example.
 .Bk -words
 .Op Fl algorithm Ar alg
 .Op Ar cipher
-.Op Fl engine Ar id
 .Op Fl genparam
 .Op Fl out Ar file
 .Op Fl outform Ar DER | PEM
@@ -3262,8 +3107,7 @@ The
 command generates private keys.
 The use of this
 program is encouraged over the algorithm specific utilities
-because additional algorithm options
+because additional algorithm options can be used.
-and engine-provided algorithms can be used.
 .Pp
 The options are as follows:
 .Bl -tag -width Ds
@@ -3284,14 +3128,6 @@ Any algorithm name accepted by
 .Fn EVP_get_cipherbyname
 is acceptable, such as
 .Cm des3 .
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm genpkey
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl genparam
 Generate a set of parameters instead of a private key.
 If used this option must precede any
@@ -3422,7 +3258,6 @@ $ openssl genpkey -paramfile dhp.pem -out dhkey.pem
 .Fl aes128 | aes192 | aes256 |
 .Fl des | des3
 .Oc
-.Op Fl engine Ar id
 .Op Fl out Ar file
 .Op Fl passout Ar arg
 .Op Ar numbits
@@ -3449,14 +3284,6 @@ If encryption is used, a pass phrase is prompted for,
 if it is not supplied via the
 .Fl passout
 option.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm genrsa
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl out Ar file
 The output
 .Ar file .
@@ -4129,7 +3956,6 @@ prints
 .nr nS 1
 .Nm "openssl pkcs7"
 .Bk -words
-.Op Fl engine Ar id
 .Op Fl in Ar file
 .Op Fl inform Ar DER | PEM
 .Op Fl noout
@@ -4146,14 +3972,6 @@ command processes PKCS#7 files in DER or PEM format.
 .Pp
 The options are as follows:
 .Bl -tag -width Ds
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm pkcs7
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar file
 This specifies the input
 .Ar file
@@ -4218,7 +4036,6 @@ They cannot currently parse, for example, the new CMS as described in RFC 2630.
 .Nm "openssl pkcs8"
 .Bk -words
 .Op Fl embed
-.Op Fl engine Ar id
 .Op Fl in Ar file
 .Op Fl inform Ar DER | PEM
 .Op Fl nocrypt
@@ -4254,14 +4071,6 @@ In this form the OCTET STRING contains an ASN1 SEQUENCE consisting of
 two structures:
 a SEQUENCE containing the parameters and an ASN1 INTEGER containing
 the private key.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm pkcs8
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar file
 This specifies the input
 .Ar file
@@ -4484,7 +4293,6 @@ compatibility, several of the utilities use the old format at present.
 .Op Fl clcerts
 .Op Fl CSP Ar name
 .Op Fl descert
-.Op Fl engine Ar id
 .Op Fl export
 .Op Fl in Ar file
 .Op Fl info
@@ -4631,14 +4439,6 @@ file unreadable by some
 software.
 By default, the private key is encrypted using triple DES and the
 certificate using 40-bit RC2.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm pkcs12
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl export
 This option specifies that a PKCS#12 file will be created rather than
 parsed.
@@ -4844,7 +4644,6 @@ $ openssl -in keycerts.pem -export -name "My PKCS#12 file" \e
 .Nm "openssl pkey"
 .Bk -words
 .Op Ar cipher
-.Op Fl engine Ar id
 .Op Fl in Ar file
 .Op Fl inform Ar DER | PEM
 .Op Fl noout
@@ -4873,14 +4672,6 @@ Any algorithm name accepted by
 .Fn EVP_get_cipherbyname
 is acceptable, such as
 .Cm des3 .
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm pkey
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar file
 This specifies the input filename to read a key from,
 or standard input if this option is not specified.
@@ -4966,7 +4757,6 @@ $ openssl pkey -in key.pem -pubout -out pubkey.pem
 .\"
 .Sh PKEYPARAM
 .Cm openssl pkeyparam
-.Op Fl engine Ar id
 .Op Fl in Ar file
 .Op Fl noout
 .Op Fl out Ar file
@@ -4979,14 +4769,6 @@ They can be converted between various forms and their components printed out.
 .Pp
 The options are as follows:
 .Bl -tag -width Ds
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm pkeyparam
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar file
 This specifies the input filename to read parameters from,
 or standard input if this option is not specified.
@@ -5022,14 +4804,13 @@ because the key type is determined by the PEM headers.
 .Op Fl decrypt
 .Op Fl derive
 .Op Fl encrypt
-.Op Fl engine Ar id
 .Op Fl hexdump
 .Op Fl in Ar file
 .Op Fl inkey Ar file
-.Op Fl keyform Ar DER | ENGINE | PEM
+.Op Fl keyform Ar DER | PEM
 .Op Fl out Ar file
 .Op Fl passin Ar arg
-.Op Fl peerform Ar DER | ENGINE | PEM
+.Op Fl peerform Ar DER | PEM
 .Op Fl peerkey Ar file
 .Op Fl pkeyopt Ar opt : Ns Ar value
 .Op Fl pubin
@@ -5061,14 +4842,6 @@ Decrypt the input data using a private key.
 Derive a shared secret using the peer key.
 .It Fl encrypt
 Encrypt the input data using a public key.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm pkeyutl
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl hexdump
 Hex dump the output data.
 .It Fl in Ar file
@@ -5077,8 +4850,8 @@ or standard input if this option is not specified.
 .It Fl inkey Ar file
 The input key file.
 By default it should be a private key.
-.It Fl keyform Ar DER | ENGINE | PEM
+.It Fl keyform Ar DER | PEM
-The key format DER, ENGINE, or PEM.
+The key format DER or PEM.
 .It Fl out Ar file
 Specify the output filename to write to,
 or standard output by default.
@@ -5089,8 +4862,8 @@ For more information about the format of
 see the
 .Sx PASS PHRASE ARGUMENTS
 section above.
-.It Fl peerform Ar DER | ENGINE | PEM
+.It Fl peerform Ar DER | PEM
-The peer key format DER, ENGINE, or PEM.
+The peer key format DER or PEM.
 .It Fl peerkey Ar file
 The peer key file, used by key derivation (agreement) operations.
 .It Fl pkeyopt Ar opt : Ns Ar value
@@ -5271,7 +5044,6 @@ is prime.
 .nr nS 1
 .Nm "openssl rand"
 .Op Fl base64
-.Op Fl engine Ar id
 .Op Fl hex
 .Op Fl out Ar file
 .Ar num
@@ -5289,14 +5061,6 @@ The options are as follows:
 Perform
 .Em base64
 encoding on the output.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm rand
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl hex
 Specify hexadecimal output.
 .It Fl out Ar file
@@ -5315,7 +5079,6 @@ instead of standard output.
 .Op Fl batch
 .Op Fl config Ar file
 .Op Fl days Ar n
-.Op Fl engine Ar id
 .Op Fl extensions Ar section
 .Op Fl in Ar file
 .Op Fl inform Ar DER | PEM
@@ -5392,14 +5155,6 @@ When the
 option is being used, this specifies the number of
 days to certify the certificate for.
 The default is 30 days.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm req
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl extensions Ar section , Fl reqexts Ar section
 These options specify alternative sections to include certificate
 extensions (if the
@@ -6067,7 +5822,6 @@ should be input by the user.
 .Fl des | des3
 .Oc
 .Op Fl check
-.Op Fl engine Ar id
 .Op Fl in Ar file
 .Op Fl inform Ar DER | NET | PEM
 .Op Fl modulus
@@ -6114,14 +5868,6 @@ it can be used to add or change the pass phrase.
 These options can only be used with PEM format output files.
 .It Fl check
 This option checks the consistency of an RSA private key.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm rsa
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar file
 This specifies the input
 .Ar file
@@ -6264,7 +6010,6 @@ without having to manually edit them.
 .Op Fl certin
 .Op Fl decrypt
 .Op Fl encrypt
-.Op Fl engine Ar id
 .Op Fl hexdump
 .Op Fl in Ar file
 .Op Fl inkey Ar file
@@ -6294,14 +6039,6 @@ The input is a certificate containing an RSA public key.
 Decrypt the input data using an RSA private key.
 .It Fl encrypt
 Encrypt the input data using an RSA public key.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm rsautl
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl hexdump
 Hex dump the output data.
 .It Fl in Ar file
@@ -6458,7 +6195,6 @@ which it can be seen agrees with the recovered value above.
 .Op Fl crl_check_all
 .Op Fl crlf
 .Op Fl debug
-.Op Fl engine Ar id
 .Op Fl extended_crl
 .Op Fl ign_eof
 .Op Fl ignore_critical
@@ -6570,14 +6306,6 @@ This option translates a line feed from the terminal into CR+LF as required
 by some servers.
 .It Fl debug
 Print extensive debugging information including a hex dump of all traffic.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm s_client
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl ign_eof
 Inhibit shutting down the connection when end of file is reached in the
 input.
@@ -6782,7 +6510,6 @@ We should really report information whenever a session is renegotiated.
 .Op Fl debug
 .Op Fl dhparam Ar file
 .Op Fl dkey Ar file
-.Op Fl engine Ar id
 .Op Fl hack
 .Op Fl HTTP
 .Op Fl id_prefix Ar arg
@@ -6897,14 +6624,6 @@ load the parameters from the server certificate file.
 If this fails, a static set of parameters hard coded into the
 .Nm s_server
 program will be used.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm s_server
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl hack
 This option enables a further workaround for some early Netscape
 SSL code
@@ -7386,7 +7105,6 @@ The cipher and start time should be printed out in human readable form.
 .Op Fl crl_check_all
 .Op Fl decrypt
 .Op Fl encrypt
-.Op Fl engine Ar id
 .Op Fl extended_crl
 .Op Fl from Ar addr
 .Op Fl ignore_critical
@@ -7395,7 +7113,7 @@ The cipher and start time should be printed out in human readable form.
 .Op Fl inform Ar DER | PEM | SMIME
 .Op Fl inkey Ar file
 .Op Fl issuer_checks
-.Op Fl keyform Ar ENGINE | PEM
+.Op Fl keyform Ar PEM
 .Op Fl md Ar digest
 .Op Fl noattr
 .Op Fl nocerts
@@ -7542,14 +7260,6 @@ This option will override any content if the input format is
 and it uses the multipart/signed
 .Em MIME
 content type.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm smime
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Xo
 .Fl from Ar addr ,
 .Fl subject Ar s ,
@@ -7605,7 +7315,7 @@ or
 file.
 When signing,
 this option can be used multiple times to specify successive keys.
-.It Fl keyform Ar ENGINE | PEM
+.It Fl keyform Ar PEM
 Input private key format.
 .It Fl md Ar digest
 The digest algorithm to use when signing or resigning.
@@ -7968,7 +7678,6 @@ command were first added in
 .Op Cm sha1
 .Op Fl decrypt
 .Op Fl elapsed
-.Op Fl engine Ar id
 .Op Fl evp Ar e
 .Op Fl mr
 .Op Fl multi Ar number
@@ -7986,14 +7695,6 @@ tests those algorithms, otherwise all of the above are tested.
 .It Fl decrypt
 Time decryption instead of encryption
 .Pq only EVP .
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm speed
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl elapsed
 Measure time in real time instead of CPU user time.
 .It Fl evp Ar e
@@ -8033,7 +7734,6 @@ benchmarks in parallel.
 .Fl reply
 .Op Fl chain Ar certs_file.pem
 .Op Fl config Ar configfile
-.Op Fl engine Ar id
 .Op Fl in Ar response.tsr
 .Op Fl inkey Ar private.pem
 .Op Fl out Ar response.tsr
@@ -8194,14 +7894,6 @@ environment variable.
 See
 .Sx TS CONFIGURATION FILE OPTIONS
 for configurable variables.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm ts
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar response.tsr
 Specifies a previously created time stamp response or time stamp token, if
 .Fl token_in
@@ -8379,11 +8071,6 @@ This number is incremented by 1 for each response.
 If the file does not exist at the time of response
 generation a new file is created with serial number 1.
 This parameter is mandatory.
-.It Cm crypto_device
-Specifies the
-.Nm OpenSSL
-engine that will be set as the default for
-all available algorithms.
 .It Cm signer_cert
 TSA signing certificate, in PEM format.
 The same as the
@@ -8611,7 +8298,6 @@ OpenTSA project
 .Nm "openssl spkac"
 .Bk -words
 .Op Fl challenge Ar string
-.Op Fl engine Ar id
 .Op Fl in Ar file
 .Op Fl key Ar keyfile
 .Op Fl noout
@@ -8636,14 +8322,6 @@ The options are as follows:
 .Bl -tag -width Ds
 .It Fl challenge Ar string
 Specifies the challenge string if an SPKAC is being created.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm spkac
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar file
 This specifies the input
 .Ar file
@@ -8743,7 +8421,6 @@ to be used in a
 .Op Fl check_ss_sig
 .Op Fl crl_check
 .Op Fl crl_check_all
-.Op Fl engine Ar id
 .Op Fl explicit_policy
 .Op Fl extended_crl
 .Op Fl help
@@ -8800,14 +8477,6 @@ If a valid CRL cannot be found an error occurs.
 .It Fl crl_check_all
 Checks the validity of all certificates in the chain by attempting
 to look up valid CRLs.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm verify
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl explicit_policy
 Set policy variable require-explicit-policy (see RFC 3280 et al).
 .It Fl extended_crl
@@ -9181,7 +8850,6 @@ option was added in
 .Op Fl days Ar arg
 .Op Fl email
 .Op Fl enddate
-.Op Fl engine Ar id
 .Op Fl extensions Ar section
 .Op Fl extfile Ar file
 .Op Fl fingerprint
@@ -9230,14 +8898,6 @@ Since there are a large number of options, they are split up into
 various sections.
 .Sh X509 INPUT, OUTPUT, AND GENERAL PURPOSE OPTIONS
 .Bl -tag -width "XXXX"
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm x509
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar file
 This specifies the input
 .Ar file
diff --git a/src/usr.bin/openssl/openssl.c b/src/usr.bin/openssl/openssl.c
index 97321f0cac..c85a807d29 100644
--- a/src/usr.bin/openssl/openssl.c
+++ b/src/usr.bin/openssl/openssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: openssl.c,v 1.6 2015/09/10 16:43:06 jsing Exp $ */
+/* $OpenBSD: openssl.c,v 1.7 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -126,10 +126,6 @@
 #include <openssl/ssl.h>
 #include <openssl/x509.h>
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
 #include "progs.h"
 #include "s_apps.h"
@@ -162,9 +158,6 @@ FUNCTION functions[] = {
        { FUNC_TYPE_GENERAL, "crl", crl_main },
        { FUNC_TYPE_GENERAL, "dgst", dgst_main },
        { FUNC_TYPE_GENERAL, "enc", enc_main },
-#ifndef OPENSSL_NO_ENGINE
-        { FUNC_TYPE_GENERAL, "engine", engine_main },
-#endif
        { FUNC_TYPE_GENERAL, "errstr", errstr_main },
        { FUNC_TYPE_GENERAL, "genpkey", genpkey_main },
        { FUNC_TYPE_GENERAL, "nseq", nseq_main },
@@ -419,10 +412,6 @@ openssl_startup(void)
        SSL_library_init();
        SSL_load_error_strings();
-#ifndef OPENSSL_NO_ENGINE
-        ENGINE_load_builtin_engines();
-#endif
        setup_ui_method();
 }
@@ -433,11 +422,6 @@ openssl_shutdown(void)
        destroy_ui_method();
        OBJ_cleanup();
        EVP_cleanup();
-#ifndef OPENSSL_NO_ENGINE
-        ENGINE_cleanup();
-#endif
        CRYPTO_cleanup_all_ex_data();
        ERR_remove_thread_state(NULL);
        ERR_free_strings();
diff --git a/src/usr.bin/openssl/pkcs12.c b/src/usr.bin/openssl/pkcs12.c
index 901ddc05f3..eaa7bcceac 100644
--- a/src/usr.bin/openssl/pkcs12.c
+++ b/src/usr.bin/openssl/pkcs12.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkcs12.c,v 1.3 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: pkcs12.c,v 1.4 2015/09/11 14:30:23 bcook Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -95,7 +95,6 @@ static int set_pbe(BIO * err, int *ppbe, const char *str);
 int
 pkcs12_main(int argc, char **argv)
 {
-        ENGINE *e = NULL;
        char *infile = NULL, *outfile = NULL, *keyname = NULL;
        char *certfile = NULL;
        BIO *in = NULL, *out = NULL;
@@ -124,9 +123,6 @@ pkcs12_main(int argc, char **argv)
        char *passin = NULL, *passout = NULL;
        char *macalg = NULL;
        char *CApath = NULL, *CAfile = NULL;
-#ifndef OPENSSL_NO_ENGINE
-        char *engine = NULL;
-#endif
        cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
@@ -285,14 +281,6 @@ pkcs12_main(int argc, char **argv)
                                        CAfile = *args;
                                } else
                                        badarg = 1;
-#ifndef OPENSSL_NO_ENGINE
-                        } else if (!strcmp(*args, "-engine")) {
-                                if (args[1]) {
-                                        args++;
-                                        engine = *args;
-                                } else
-                                        badarg = 1;
-#endif
                        } else
                                badarg = 1;
@@ -349,16 +337,10 @@ pkcs12_main(int argc, char **argv)
                BIO_printf(bio_err, "-password p   set import/export password source\n");
                BIO_printf(bio_err, "-passin p     input file pass phrase source\n");
                BIO_printf(bio_err, "-passout p    output file pass phrase source\n");
-#ifndef OPENSSL_NO_ENGINE
-                BIO_printf(bio_err, "-engine e     use engine e, possibly a hardware device.\n");
-#endif
                BIO_printf(bio_err, "-CSP name     Microsoft CSP name\n");
                BIO_printf(bio_err, "-LMK          Add local machine keyset attribute to private key\n");
                goto end;
        }
-#ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, engine, 0);
-#endif
        if (passarg) {
                if (export_cert)
@@ -428,14 +410,14 @@ pkcs12_main(int argc, char **argv)
                if (!(options & NOKEYS)) {
                        key = load_key(bio_err, keyname ? keyname : infile,
-                            FORMAT_PEM, 1, passin, e, "private key");
+                            FORMAT_PEM, 1, passin, "private key");
                        if (!key)
                                goto export_end;
                }
                /* Load in all certs in input file */
                if (!(options & NOCERTS)) {
-                        certs = load_certs(bio_err, infile, FORMAT_PEM, NULL, e,
+                        certs = load_certs(bio_err, infile, FORMAT_PEM, NULL,
                            "certificates");
                        if (!certs)
                                goto export_end;
@@ -465,8 +447,7 @@ pkcs12_main(int argc, char **argv)
                if (certfile) {
                        STACK_OF(X509) * morecerts = NULL;
                        if (!(morecerts = load_certs(bio_err, certfile, FORMAT_PEM,
-                                    NULL, e,
+                            NULL, "certificates from certfile")))
-                                    "certificates from certfile")))
                                goto export_end;
                        while (sk_X509_num(morecerts) > 0)
                                sk_X509_push(certs, sk_X509_shift(morecerts));
diff --git a/src/usr.bin/openssl/pkcs7.c b/src/usr.bin/openssl/pkcs7.c
index 3180f357f1..717928d27b 100644
--- a/src/usr.bin/openssl/pkcs7.c
+++ b/src/usr.bin/openssl/pkcs7.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkcs7.c,v 1.5 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: pkcs7.c,v 1.6 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -71,9 +71,6 @@
 #include <openssl/x509.h>
 static struct {
-#ifndef OPENSSL_NO_ENGINE
-        char *engine;
-#endif
        char *infile;
        int informat;
        int noout;
@@ -85,15 +82,6 @@ static struct {
 } pkcs7_config;
 static struct option pkcs7_options[] = {
-#ifndef OPENSSL_NO_ENGINE
-        {
-                .name = "engine",
-                .argname = "id",
-                .desc = "Use the engine specified by the given identifier",
-                .type = OPTION_ARG,
-                .opt.arg = &pkcs7_config.engine,
-        },
-#endif
        {
                .name = "in",
                .argname = "file",
@@ -152,7 +140,7 @@ static struct option pkcs7_options[] = {
 static void
 pkcs7_usage()
 {
-        fprintf(stderr, "usage: pkcs7 [-engine id] [-in file] "
+        fprintf(stderr, "usage: pkcs7 [-in file] "
            "[-inform DER | PEM] [-noout]\n"
            "    [-out file] [-outform DER | PEM] [-print_certs] [-text]\n\n");
        options_usage(pkcs7_options);
@@ -176,10 +164,6 @@ pkcs7_main(int argc, char **argv)
                goto end;
        }
-#ifndef OPENSSL_NO_ENGINE
-        setup_engine(bio_err, pkcs7_config.engine, 0);
-#endif
        in = BIO_new(BIO_s_file());
        out = BIO_new(BIO_s_file());
        if ((in == NULL) || (out == NULL)) {
diff --git a/src/usr.bin/openssl/pkcs8.c b/src/usr.bin/openssl/pkcs8.c
index 7e590aa41d..b3ccd1966e 100644
--- a/src/usr.bin/openssl/pkcs8.c
+++ b/src/usr.bin/openssl/pkcs8.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkcs8.c,v 1.5 2015/08/19 18:25:31 deraadt Exp $ */
+/* $OpenBSD: pkcs8.c,v 1.6 2015/09/11 14:30:23 bcook Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999-2004.
 */
@@ -69,9 +69,6 @@
 static struct {
        const EVP_CIPHER *cipher;
-#ifndef OPENSSL_NO_ENGINE
-        char *engine;
-#endif
        char *infile;
        int informat;
        int iter;
@@ -115,15 +112,6 @@ static struct option pkcs8_options[] = {
                .value = PKCS8_EMBEDDED_PARAM,
                .opt.value = &pkcs8_config.p8_broken,
        },
-#ifndef OPENSSL_NO_ENGINE
-        {
-                .name = "engine",
-                .argname = "id",
-                .desc = "Use the engine specified by the given identifier",
-                .type = OPTION_ARG,
-                .opt.arg = &pkcs8_config.engine,
-        },
-#endif
        {
                .name = "in",
                .argname = "file",
@@ -220,7 +208,7 @@ static struct option pkcs8_options[] = {
 static void
 pkcs8_usage()
 {
-        fprintf(stderr, "usage: pkcs8 [-embed] [-engine id] [-in file] "
+        fprintf(stderr, "usage: pkcs8 [-embed] [-in file] "
            "[-inform fmt] [-nocrypt]\n"
            "    [-noiter] [-nooct] [-nsdb] [-out file] [-outform fmt] "
            "[-passin src]\n"
@@ -231,7 +219,6 @@ pkcs8_usage()
 int
 pkcs8_main(int argc, char **argv)
 {
-        ENGINE *e = NULL;
        BIO *in = NULL, *out = NULL;
        X509_SIG *p8 = NULL;
        PKCS8_PRIV_KEY_INFO *p8inf = NULL;
@@ -252,10 +239,6 @@ pkcs8_main(int argc, char **argv)
                return (1);
        }
-#ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, pkcs8_config.engine, 0);
-#endif
        if (!app_passwd(bio_err, pkcs8_config.passargin,
            pkcs8_config.passargout, &passin, &passout)) {
                BIO_printf(bio_err, "Error getting passwords\n");
@@ -285,7 +268,7 @@ pkcs8_main(int argc, char **argv)
        }
        if (pkcs8_config.topk8) {
                pkey = load_key(bio_err, pkcs8_config.infile,
-                    pkcs8_config.informat, 1, passin, e, "key");
+                    pkcs8_config.informat, 1, passin, "key");
                if (!pkey)
                        goto end;
                if (!(p8inf = EVP_PKEY2PKCS8_broken(pkey,
diff --git a/src/usr.bin/openssl/pkey.c b/src/usr.bin/openssl/pkey.c
index be6bffa001..72c03181f6 100644
--- a/src/usr.bin/openssl/pkey.c
+++ b/src/usr.bin/openssl/pkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkey.c,v 1.4 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: pkey.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006
 */
@@ -68,7 +68,6 @@
 int
 pkey_main(int argc, char **argv)
 {
-        ENGINE *e = NULL;
        char **args, *infile = NULL, *outfile = NULL;
        char *passargin = NULL, *passargout = NULL;
        BIO *in = NULL, *out = NULL;
@@ -78,9 +77,6 @@ pkey_main(int argc, char **argv)
        EVP_PKEY *pkey = NULL;
        char *passin = NULL, *passout = NULL;
        int badarg = 0;
-#ifndef OPENSSL_NO_ENGINE
-        char *engine = NULL;
-#endif
        int ret = 1;
        informat = FORMAT_PEM;
@@ -109,13 +105,6 @@ pkey_main(int argc, char **argv)
                                goto bad;
                        passargout = *(++args);
                }
-#ifndef OPENSSL_NO_ENGINE
-                else if (strcmp(*args, "-engine") == 0) {
-                        if (!args[1])
-                                goto bad;
-                        engine = *(++args);
-                }
-#endif
                else if (!strcmp(*args, "-in")) {
                        if (args[1]) {
                                args++;
@@ -162,14 +151,8 @@ bad:
                BIO_printf(bio_err, "-outform X      output format (DER or PEM)\n");
                BIO_printf(bio_err, "-out file       output file\n");
                BIO_printf(bio_err, "-passout arg    output file pass phrase source\n");
-#ifndef OPENSSL_NO_ENGINE
-                BIO_printf(bio_err, "-engine e       use engine e, possibly a hardware device.\n");
-#endif
                return 1;
        }
-#ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, engine, 0);
-#endif
        if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
                BIO_printf(bio_err, "Error getting passwords\n");
@@ -187,10 +170,9 @@ bad:
        if (pubin)
                pkey = load_pubkey(bio_err, infile, informat, 1,
-                    passin, e, "Public Key");
+                    passin, "Public Key");
        else
-                pkey = load_key(bio_err, infile, informat, 1,
+                pkey = load_key(bio_err, infile, informat, 1, passin, "key");
-                    passin, e, "key");
        if (!pkey)
                goto end;
diff --git a/src/usr.bin/openssl/pkeyparam.c b/src/usr.bin/openssl/pkeyparam.c
index e5152dfbf9..8f4d3a53f4 100644
--- a/src/usr.bin/openssl/pkeyparam.c
+++ b/src/usr.bin/openssl/pkeyparam.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkeyparam.c,v 1.6 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: pkeyparam.c,v 1.7 2015/09/11 14:30:23 bcook Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006
 */
@@ -66,9 +66,6 @@
 #include <openssl/pem.h>
 struct {
-#ifndef OPENSSL_NO_ENGINE
-        char *engine;
-#endif
        char *infile;
        int noout;
        char *outfile;
@@ -76,15 +73,6 @@ struct {
 } pkeyparam_config;
 struct option pkeyparam_options[] = {
-#ifndef OPENSSL_NO_ENGINE
-        {
-                .name = "engine",
-                .argname = "id",
-                .desc = "Use the engine specified by the given identifier",
-                .type = OPTION_ARG,
-                .opt.arg = &pkeyparam_config.engine,
-        },
-#endif
        {
                .name = "in",
                .argname = "file",
@@ -118,7 +106,7 @@ static void
 pkeyparam_usage()
 {
        fprintf(stderr,
-            "usage: pkeyparam [-engine id] [-in file] [-noout] [-out file] "
+            "usage: pkeyparam [-in file] [-noout] [-out file] "
            "[-text]\n");
        options_usage(pkeyparam_options);
 }
@@ -137,10 +125,6 @@ pkeyparam_main(int argc, char **argv)
                return (1);
        }
-#ifndef OPENSSL_NO_ENGINE
-        setup_engine(bio_err, pkeyparam_config.engine, 0);
-#endif
        if (pkeyparam_config.infile) {
                if (!(in = BIO_new_file(pkeyparam_config.infile, "r"))) {
                        BIO_printf(bio_err, "Can't open input file %s\n",
diff --git a/src/usr.bin/openssl/pkeyutl.c b/src/usr.bin/openssl/pkeyutl.c
index 0529b97798..2caa61e282 100644
--- a/src/usr.bin/openssl/pkeyutl.c
+++ b/src/usr.bin/openssl/pkeyutl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkeyutl.c,v 1.6 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: pkeyutl.c,v 1.7 2015/09/11 14:30:23 bcook Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -72,7 +72,7 @@ static void usage(void);
 static EVP_PKEY_CTX *init_ctx(int *pkeysize,
    char *keyfile, int keyform, int key_type,
-    char *passargin, int pkey_op, ENGINE * e);
+    char *passargin, int pkey_op);
 static int setup_peer(BIO * err, EVP_PKEY_CTX * ctx, int peerform,
    const char *file);
@@ -86,7 +86,6 @@ pkeyutl_main(int argc, char **argv)
 {
        BIO *in = NULL, *out = NULL;
        char *infile = NULL, *outfile = NULL, *sigfile = NULL;
-        ENGINE *e = NULL;
        int pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY;
        int keyform = FORMAT_PEM, peerform = FORMAT_PEM;
        char badarg = 0, rev = 0;
@@ -126,7 +125,7 @@ pkeyutl_main(int argc, char **argv)
                        else {
                                ctx = init_ctx(&keysize,
                                    *(++argv), keyform, key_type,
-                                    passargin, pkey_op, e);
+                                    passargin, pkey_op);
                                if (!ctx) {
                                        BIO_puts(bio_err,
                                            "Error initializing context\n");
@@ -155,14 +154,6 @@ pkeyutl_main(int argc, char **argv)
                        else
                                keyform = str2fmt(*(++argv));
                }
-#ifndef OPENSSL_NO_ENGINE
-                else if (!strcmp(*argv, "-engine")) {
-                        if (--argc < 1)
-                                badarg = 1;
-                        else
-                                e = setup_engine(bio_err, *(++argv), 0);
-                }
-#endif
                else if (!strcmp(*argv, "-pubin"))
                        key_type = KEY_PUBKEY;
                else if (!strcmp(*argv, "-certin"))
@@ -342,9 +333,6 @@ usage()
        BIO_printf(bio_err, "-decrypt        decrypt with private key\n");
        BIO_printf(bio_err, "-derive         derive shared secret\n");
        BIO_printf(bio_err, "-hexdump        hex dump output\n");
-#ifndef OPENSSL_NO_ENGINE
-        BIO_printf(bio_err, "-engine e       use engine e, possibly a hardware device.\n");
-#endif
        BIO_printf(bio_err, "-passin arg     pass phrase source\n");
 }
@@ -352,7 +340,7 @@ usage()
 static EVP_PKEY_CTX *
 init_ctx(int *pkeysize,
    char *keyfile, int keyform, int key_type,
-    char *passargin, int pkey_op, ENGINE * e)
+    char *passargin, int pkey_op)
 {
        EVP_PKEY *pkey = NULL;
        EVP_PKEY_CTX *ctx = NULL;
@@ -372,17 +360,17 @@ init_ctx(int *pkeysize,
        switch (key_type) {
        case KEY_PRIVKEY:
                pkey = load_key(bio_err, keyfile, keyform, 0,
-                    passin, e, "Private Key");
+                    passin, "Private Key");
                break;
        case KEY_PUBKEY:
                pkey = load_pubkey(bio_err, keyfile, keyform, 0,
-                    NULL, e, "Public Key");
+                    NULL, "Public Key");
                break;
        case KEY_CERT:
                x = load_cert(bio_err, keyfile, keyform,
-                    NULL, e, "Certificate");
+                    NULL, "Certificate");
                if (x) {
                        pkey = X509_get_pubkey(x);
                        X509_free(x);
@@ -396,7 +384,7 @@ init_ctx(int *pkeysize,
        if (!pkey)
                goto end;
-        ctx = EVP_PKEY_CTX_new(pkey, e);
+        ctx = EVP_PKEY_CTX_new(pkey, NULL);
        EVP_PKEY_free(pkey);
@@ -452,7 +440,7 @@ setup_peer(BIO * err, EVP_PKEY_CTX * ctx, int peerform,
                BIO_puts(err, "-peerkey command before -inkey\n");
                return 0;
        }
-        peer = load_pubkey(bio_err, file, peerform, 0, NULL, NULL, "Peer Key");
+        peer = load_pubkey(bio_err, file, peerform, 0, NULL, "Peer Key");
        if (!peer) {
                BIO_printf(bio_err, "Error reading peer key %s\n", file);
diff --git a/src/usr.bin/openssl/progs.h b/src/usr.bin/openssl/progs.h
index c1b0c62752..a771b2c7de 100644
--- a/src/usr.bin/openssl/progs.h
+++ b/src/usr.bin/openssl/progs.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: progs.h,v 1.6 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: progs.h,v 1.7 2015/09/11 14:30:23 bcook Exp $ */
 /* Public domain */
 int asn1parse_main(int argc, char **argv);
@@ -16,7 +16,6 @@ int dsaparam_main(int argc, char **argv);
 int ec_main(int argc, char **argv);
 int ecparam_main(int argc, char **argv);
 int enc_main(int argc, char **argv);
-int engine_main(int argc, char **argv);
 int errstr_main(int argc, char **argv);
 int gendh_main(int argc, char **argv);
 int gendsa_main(int argc, char **argv);
diff --git a/src/usr.bin/openssl/rand.c b/src/usr.bin/openssl/rand.c
index b021b4ec7c..b0df4eb1b5 100644
--- a/src/usr.bin/openssl/rand.c
+++ b/src/usr.bin/openssl/rand.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rand.c,v 1.7 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: rand.c,v 1.8 2015/09/11 14:30:23 bcook Exp $ */
 /* ====================================================================
 * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
 *
@@ -64,7 +64,6 @@
 struct {
        int base64;
-        char *engine;
        int hex;
        char *outfile;
 } rand_config;
@@ -76,15 +75,6 @@ struct option rand_options[] = {
                .type = OPTION_FLAG,
                .opt.flag = &rand_config.base64,
        },
-#ifndef OPENSSL_NO_ENGINE
-        {
-                .name = "engine",
-                .argname = "id",
-                .desc = "Use the engine specified by the given identifier",
-                .type = OPTION_ARG,
-                .opt.arg = &rand_config.engine,
-        },
-#endif
        {
                .name = "hex",
                .desc = "Hexadecimal output",
@@ -105,7 +95,7 @@ static void
 rand_usage()
 {
        fprintf(stderr,
-            "usage: rand [-base64 | -hex] [-engine id] [-out file] num\n");
+            "usage: rand [-base64 | -hex] [-out file] num\n");
        options_usage(rand_options);
 }
@@ -141,10 +131,6 @@ rand_main(int argc, char **argv)
                goto err;
        }
-#ifndef OPENSSL_NO_ENGINE
-        setup_engine(bio_err, rand_config.engine, 0);
-#endif
        out = BIO_new(BIO_s_file());
        if (out == NULL)
                goto err;
diff --git a/src/usr.bin/openssl/req.c b/src/usr.bin/openssl/req.c
index 4e1a4757dd..5ed658bfb1 100644
--- a/src/usr.bin/openssl/req.c
+++ b/src/usr.bin/openssl/req.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: req.c,v 1.6 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: req.c,v 1.7 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -140,15 +140,13 @@ static int genpkey_cb(EVP_PKEY_CTX * ctx);
 static int req_check_len(int len, int n_min, int n_max);
 static int check_end(const char *str, const char *end);
 static EVP_PKEY_CTX *set_keygen_ctx(BIO * err, const char *gstr, int *pkey_type,
-    long *pkeylen, char **palgnam,
+    long *pkeylen, char **palgnam);
-    ENGINE * keygen_engine);
 static CONF *req_conf = NULL;
 static int batch = 0;
 int
 req_main(int argc, char **argv)
 {
-        ENGINE *e = NULL, *gen_eng = NULL;
        unsigned long nmflag = 0, reqflag = 0;
        int ex = 1, x509 = 0, days = 30;
        X509 *x509ss = NULL;
@@ -165,9 +163,6 @@ req_main(int argc, char **argv)
        int nodes = 0, kludge = 0, newhdr = 0, subject = 0, pubkey = 0;
        char *infile, *outfile, *prog, *keyfile = NULL, *template = NULL,
        *keyout = NULL;
-#ifndef OPENSSL_NO_ENGINE
-        char *engine = NULL;
-#endif
        char *extensions = NULL;
        char *req_exts = NULL;
        const EVP_CIPHER *cipher = NULL;
@@ -203,21 +198,6 @@ req_main(int argc, char **argv)
                                goto bad;
                        outformat = str2fmt(*(++argv));
                }
-#ifndef OPENSSL_NO_ENGINE
-                else if (strcmp(*argv, "-engine") == 0) {
-                        if (--argc < 1)
-                                goto bad;
-                        engine = *(++argv);
-                } else if (strcmp(*argv, "-keygen_engine") == 0) {
-                        if (--argc < 1)
-                                goto bad;
-                        gen_eng = ENGINE_by_id(*(++argv));
-                        if (gen_eng == NULL) {
-                                BIO_printf(bio_err, "Can't find keygen engine %s\n", *argv);
-                                goto end;
-                        }
-                }
-#endif
                else if (strcmp(*argv, "-key") == 0) {
                        if (--argc < 1)
                                goto bad;
@@ -366,9 +346,6 @@ bad:
                BIO_printf(bio_err, " -verify        verify signature on REQ\n");
                BIO_printf(bio_err, " -modulus       RSA modulus\n");
                BIO_printf(bio_err, " -nodes         don't encrypt the output key\n");
-#ifndef OPENSSL_NO_ENGINE
-                BIO_printf(bio_err, " -engine e      use engine e, possibly a hardware device\n");
-#endif
                BIO_printf(bio_err, " -subject       output the request's subject\n");
                BIO_printf(bio_err, " -passin        private key password source\n");
                BIO_printf(bio_err, " -key file      use the private key contained in file\n");
@@ -520,12 +497,8 @@ bad:
        if ((in == NULL) || (out == NULL))
                goto end;
-#ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, engine, 0);
-#endif
        if (keyfile != NULL) {
-                pkey = load_key(bio_err, keyfile, keyform, 0, passin, e,
+                pkey = load_key(bio_err, keyfile, keyform, 0, passin,
                    "Private Key");
                if (!pkey) {
                        /*
@@ -541,7 +514,7 @@ bad:
                }
                if (keyalg) {
                        genctx = set_keygen_ctx(bio_err, keyalg, &pkey_type, &newkey,
-                            &keyalgstr, gen_eng);
+                            &keyalgstr);
                        if (!genctx)
                                goto end;
                }
@@ -552,7 +525,7 @@ bad:
                }
                if (!genctx) {
                        genctx = set_keygen_ctx(bio_err, NULL, &pkey_type, &newkey,
-                            &keyalgstr, gen_eng);
+                            &keyalgstr);
                        if (!genctx)
                                goto end;
                }
@@ -893,10 +866,6 @@ end:
                sk_OPENSSL_STRING_free(pkeyopts);
        if (sigopts)
                sk_OPENSSL_STRING_free(sigopts);
-#ifndef OPENSSL_NO_ENGINE
-        if (gen_eng)
-                ENGINE_free(gen_eng);
-#endif
        free(keyalgstr);
        X509_REQ_free(req);
        X509_free(x509ss);
@@ -1370,8 +1339,7 @@ check_end(const char *str, const char *end)
 static EVP_PKEY_CTX *
 set_keygen_ctx(BIO * err, const char *gstr, int *pkey_type,
-    long *pkeylen, char **palgnam,
+    long *pkeylen, char **palgnam)
-    ENGINE * keygen_engine)
 {
        EVP_PKEY_CTX *gctx = NULL;
        EVP_PKEY *param = NULL;
@@ -1396,19 +1364,14 @@ set_keygen_ctx(BIO * err, const char *gstr, int *pkey_type,
        else {
                const char *p = strchr(gstr, ':');
                int len;
-                ENGINE *tmpeng;
                const EVP_PKEY_ASN1_METHOD *ameth;
                if (p)
                        len = p - gstr;
                else
                        len = strlen(gstr);
-                /*
-                 * The lookup of a the string will cover all engines so keep
-                 * a note of the implementation.
-                 */
-                ameth = EVP_PKEY_asn1_find_str(&tmpeng, gstr, len);
+                ameth = EVP_PKEY_asn1_find_str(NULL, gstr, len);
                if (!ameth) {
                        BIO_printf(err, "Unknown algorithm %.*s\n", len, gstr);
@@ -1416,10 +1379,6 @@ set_keygen_ctx(BIO * err, const char *gstr, int *pkey_type,
                }
                EVP_PKEY_asn1_get0_info(NULL, pkey_type, NULL, NULL, NULL,
                    ameth);
-#ifndef OPENSSL_NO_ENGINE
-                if (tmpeng)
-                        ENGINE_finish(tmpeng);
-#endif
                if (*pkey_type == EVP_PKEY_RSA) {
                        if (p) {
                                keylen = strtonum(p + 1, 0, LONG_MAX, &errstr);
@@ -1470,26 +1429,21 @@ set_keygen_ctx(BIO * err, const char *gstr, int *pkey_type,
        }
        if (palgnam) {
                const EVP_PKEY_ASN1_METHOD *ameth;
-                ENGINE *tmpeng;
                const char *anam;
-                ameth = EVP_PKEY_asn1_find(&tmpeng, *pkey_type);
+                ameth = EVP_PKEY_asn1_find(NULL, *pkey_type);
                if (!ameth) {
                        BIO_puts(err, "Internal error: can't find key algorithm\n");
                        return NULL;
                }
                EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &anam, ameth);
                *palgnam = strdup(anam);
-#ifndef OPENSSL_NO_ENGINE
-                if (tmpeng)
-                        ENGINE_finish(tmpeng);
-#endif
        }
        if (param) {
-                gctx = EVP_PKEY_CTX_new(param, keygen_engine);
+                gctx = EVP_PKEY_CTX_new(param, NULL);
                *pkeylen = EVP_PKEY_bits(param);
                EVP_PKEY_free(param);
        } else
-                gctx = EVP_PKEY_CTX_new_id(*pkey_type, keygen_engine);
+                gctx = EVP_PKEY_CTX_new_id(*pkey_type, NULL);
        if (!gctx) {
                BIO_puts(err, "Error allocating keygen context\n");
diff --git a/src/usr.bin/openssl/rsa.c b/src/usr.bin/openssl/rsa.c
index 55b6f7399f..708332a8d1 100644
--- a/src/usr.bin/openssl/rsa.c
+++ b/src/usr.bin/openssl/rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa.c,v 1.4 2015/08/19 18:25:31 deraadt Exp $ */
+/* $OpenBSD: rsa.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -77,9 +77,6 @@
 static struct {
        int check;
        const EVP_CIPHER *enc;
-#ifndef OPENSSL_NO_ENGINE
-        char *engine;
-#endif
        char *infile;
        int informat;
        int modulus;
@@ -119,15 +116,6 @@ static struct option rsa_options[] = {
                .type = OPTION_FLAG,
                .opt.flag = &rsa_config.check,
        },
-#ifndef OPENSSL_NO_ENGINE
-        {
-                .name = "engine",
-                .argname = "id",
-                .desc = "Use the engine specified by the given identifier",
-                .type = OPTION_ARG,
-                .opt.arg = &rsa_config.engine,
-        },
-#endif
        {
                .name = "in",
                .argname = "file",
@@ -258,7 +246,7 @@ static void
 rsa_usage()
 {
        fprintf(stderr,
-            "usage: rsa [-ciphername] [-check] [-engine id] [-in file] "
+            "usage: rsa [-ciphername] [-check] [-in file] "
            "[-inform fmt]\n"
            "    [-modulus] [-noout] [-out file] [-outform fmt] "
            "[-passin src]\n"
@@ -274,7 +262,6 @@ rsa_usage()
 int
 rsa_main(int argc, char **argv)
 {
-        ENGINE *e = NULL;
        int ret = 1;
        RSA *rsa = NULL;
        int i;
@@ -291,10 +278,6 @@ rsa_main(int argc, char **argv)
                goto end;
        }
-#ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, rsa_config.engine, 0);
-#endif
        if (!app_passwd(bio_err, rsa_config.passargin, rsa_config.passargout,
            &passin, &passout)) {
                BIO_printf(bio_err, "Error getting passwords\n");
@@ -323,12 +306,12 @@ rsa_main(int argc, char **argv)
                                tmpformat = rsa_config.informat;
                        pkey = load_pubkey(bio_err, rsa_config.infile,
-                            tmpformat, 1, passin, e, "Public Key");
+                            tmpformat, 1, passin, "Public Key");
                } else
                        pkey = load_key(bio_err, rsa_config.infile,
                            (rsa_config.informat == FORMAT_NETSCAPE &&
                            rsa_config.sgckey ? FORMAT_IISSGC :
-                            rsa_config.informat), 1, passin, e, "Private Key");
+                            rsa_config.informat), 1, passin, "Private Key");
                if (pkey != NULL)
                        rsa = EVP_PKEY_get1_RSA(pkey);
diff --git a/src/usr.bin/openssl/rsautl.c b/src/usr.bin/openssl/rsautl.c
index 5f395e2245..2e9793297b 100644
--- a/src/usr.bin/openssl/rsautl.c
+++ b/src/usr.bin/openssl/rsautl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsautl.c,v 1.6 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: rsautl.c,v 1.7 2015/09/11 14:30:23 bcook Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000.
 */
@@ -81,12 +81,8 @@ static void usage(void);
 int
 rsautl_main(int argc, char **argv)
 {
-        ENGINE *e = NULL;
        BIO *in = NULL, *out = NULL;
        char *infile = NULL, *outfile = NULL;
-#ifndef OPENSSL_NO_ENGINE
-        char *engine = NULL;
-#endif
        char *keyfile = NULL;
        char rsa_mode = RSA_VERIFY, key_type = KEY_PRIVKEY;
        int keyform = FORMAT_PEM;
@@ -133,13 +129,6 @@ rsautl_main(int argc, char **argv)
                                badarg = 1;
                        else
                                keyform = str2fmt(*(++argv));
-#ifndef OPENSSL_NO_ENGINE
-                } else if (!strcmp(*argv, "-engine")) {
-                        if (--argc < 1)
-                                badarg = 1;
-                        else
-                                engine = *(++argv);
-#endif
                } else if (!strcmp(*argv, "-pubin")) {
                        key_type = KEY_PUBKEY;
                } else if (!strcmp(*argv, "-certin")) {
@@ -184,9 +173,6 @@ rsautl_main(int argc, char **argv)
                BIO_printf(bio_err, "A private key is needed for this operation\n");
                goto end;
        }
-#ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, engine, 0);
-#endif
        if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
                BIO_printf(bio_err, "Error getting password\n");
                goto end;
@@ -195,17 +181,17 @@ rsautl_main(int argc, char **argv)
        switch (key_type) {
        case KEY_PRIVKEY:
                pkey = load_key(bio_err, keyfile, keyform, 0,
-                    passin, e, "Private Key");
+                    passin, "Private Key");
                break;
        case KEY_PUBKEY:
                pkey = load_pubkey(bio_err, keyfile, keyform, 0,
-                    NULL, e, "Public Key");
+                    NULL, "Public Key");
                break;
        case KEY_CERT:
                x = load_cert(bio_err, keyfile, keyform,
-                    NULL, e, "Certificate");
+                    NULL, "Certificate");
                if (x) {
                        pkey = X509_get_pubkey(x);
                        X509_free(x);
@@ -336,10 +322,4 @@ usage()
        BIO_printf(bio_err, "-encrypt        encrypt with public key\n");
        BIO_printf(bio_err, "-decrypt        decrypt with private key\n");
        BIO_printf(bio_err, "-hexdump        hex dump output\n");
-#ifndef OPENSSL_NO_ENGINE
-        BIO_printf(bio_err, "-engine e       use engine e, possibly a hardware device.\n");
-        BIO_printf(bio_err, "-passin arg    pass phrase source\n");
-#endif
 }
diff --git a/src/usr.bin/openssl/s_client.c b/src/usr.bin/openssl/s_client.c
index f118672abb..aca9bbfc9e 100644
--- a/src/usr.bin/openssl/s_client.c
+++ b/src/usr.bin/openssl/s_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_client.c,v 1.18 2015/09/10 16:01:06 jsing Exp $ */
+/* $OpenBSD: s_client.c,v 1.19 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -238,9 +238,6 @@ sc_usage(void)
        BIO_printf(bio_err, "                 only \"smtp\", \"lmtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
        BIO_printf(bio_err, "                 are supported.\n");
        BIO_printf(bio_err, " -xmpphost host - connect to this virtual host on the xmpp server\n");
-#ifndef OPENSSL_NO_ENGINE
-        BIO_printf(bio_err, " -engine id    - Initialise and use the specified engine\n");
-#endif
        BIO_printf(bio_err, " -sess_out arg - file to write SSL session to\n");
        BIO_printf(bio_err, " -sess_in arg  - file to read SSL session from\n");
        BIO_printf(bio_err, " -servername host  - Set TLS extension servername in ClientHello\n");
@@ -356,12 +353,6 @@ s_client_main(int argc, char **argv)
        int mbuf_len = 0;
        struct timeval timeout;
        const char *errstr = NULL;
-#ifndef OPENSSL_NO_ENGINE
-        char *engine_id = NULL;
-        char *ssl_client_engine_id = NULL;
-        ENGINE *ssl_client_engine = NULL;
-#endif
-        ENGINE *e = NULL;
        char *servername = NULL;
        tlsextctx tlsextcbp =
        {NULL, 0};
@@ -578,17 +569,6 @@ s_client_main(int argc, char **argv)
                        else
                                goto bad;
                }
-#ifndef OPENSSL_NO_ENGINE
-                else if (strcmp(*argv, "-engine") == 0) {
-                        if (--argc < 1)
-                                goto bad;
-                        engine_id = *(++argv);
-                } else if (strcmp(*argv, "-ssl_client_engine") == 0) {
-                        if (--argc < 1)
-                                goto bad;
-                        ssl_client_engine_id = *(++argv);
-                }
-#endif
                else if (strcmp(*argv, "-4") == 0) {
                        af = AF_INET;
                } else if (strcmp(*argv, "-6") == 0) {
@@ -654,17 +634,6 @@ bad:
        } else
                next_proto.data = NULL;
-#ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, engine_id, 1);
-        if (ssl_client_engine_id) {
-                ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
-                if (!ssl_client_engine) {
-                        BIO_printf(bio_err,
-                            "Error getting client auth engine\n");
-                        goto end;
-                }
-        }
-#endif
        if (!app_passwd(bio_err, passarg, NULL, &pass, NULL)) {
                BIO_printf(bio_err, "Error getting password\n");
                goto end;
@@ -675,7 +644,7 @@ bad:
        if (key_file) {
-                key = load_key(bio_err, key_file, key_format, 0, pass, e,
+                key = load_key(bio_err, key_file, key_format, 0, pass,
                    "client certificate private key file");
                if (!key) {
                        ERR_print_errors(bio_err);
@@ -684,7 +653,7 @@ bad:
        }
        if (cert_file) {
                cert = load_cert(bio_err, cert_file, cert_format,
-                    NULL, e, "client certificate file");
+                    NULL, "client certificate file");
                if (!cert) {
                        ERR_print_errors(bio_err);
@@ -708,18 +677,6 @@ bad:
        if (vpm)
                SSL_CTX_set1_param(ctx, vpm);
-#ifndef OPENSSL_NO_ENGINE
-        if (ssl_client_engine) {
-                if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine)) {
-                        BIO_puts(bio_err, "Error setting client auth engine\n");
-                        ERR_print_errors(bio_err);
-                        ENGINE_free(ssl_client_engine);
-                        goto end;
-                }
-                ENGINE_free(ssl_client_engine);
-        }
-#endif
 #ifndef OPENSSL_NO_SRTP
        if (srtp_profiles != NULL)
                SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
diff --git a/src/usr.bin/openssl/s_server.c b/src/usr.bin/openssl/s_server.c
index 0272abe43b..5989e0db90 100644
--- a/src/usr.bin/openssl/s_server.c
+++ b/src/usr.bin/openssl/s_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_server.c,v 1.16 2015/09/10 16:01:06 jsing Exp $ */
+/* $OpenBSD: s_server.c,v 1.17 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -226,9 +226,6 @@ static int s_quiet = 0;
 static char *keymatexportlabel = NULL;
 static int keymatexportlen = 20;
-#ifndef OPENSSL_NO_ENGINE
-static char *engine_id = NULL;
-#endif
 static const char *session_id_prefix = NULL;
 static int enable_timeouts = 0;
@@ -262,9 +259,6 @@ s_server_init(void)
        s_debug = 0;
        s_msg = 0;
        s_quiet = 0;
-#ifndef OPENSSL_NO_ENGINE
-        engine_id = NULL;
-#endif
 }
 static void
@@ -286,12 +280,12 @@ sv_usage(void)
        BIO_printf(bio_err, " -certform arg - certificate format (PEM or DER) PEM default\n");
        BIO_printf(bio_err, " -key arg      - Private Key file to use, in cert file if\n");
        BIO_printf(bio_err, "                 not specified (default is %s)\n", TEST_CERT);
-        BIO_printf(bio_err, " -keyform arg  - key format (PEM, DER or ENGINE) PEM default\n");
+        BIO_printf(bio_err, " -keyform arg  - key format (PEM or DER) PEM default\n");
        BIO_printf(bio_err, " -pass arg     - private key file pass phrase source\n");
        BIO_printf(bio_err, " -dcert arg    - second certificate file to use (usually for DSA)\n");
        BIO_printf(bio_err, " -dcertform x  - second certificate format (PEM or DER) PEM default\n");
        BIO_printf(bio_err, " -dkey arg     - second private key file to use (usually for DSA)\n");
-        BIO_printf(bio_err, " -dkeyform arg - second key format (PEM, DER or ENGINE) PEM default\n");
+        BIO_printf(bio_err, " -dkeyform arg - second key format (PEM or DER) PEM default\n");
        BIO_printf(bio_err, " -dpass arg    - second private key file pass phrase source\n");
        BIO_printf(bio_err, " -dhparam arg  - DH parameter file to use, in cert file if not specified\n");
        BIO_printf(bio_err, "                 or a default set of parameters is used\n");
@@ -331,9 +325,6 @@ sv_usage(void)
        BIO_printf(bio_err, " -WWW          - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
        BIO_printf(bio_err, " -HTTP         - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
        BIO_printf(bio_err, "                 with the assumption it contains a complete HTTP response.\n");
-#ifndef OPENSSL_NO_ENGINE
-        BIO_printf(bio_err, " -engine id    - Initialise and use the specified engine\n");
-#endif
        BIO_printf(bio_err, " -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'\n");
        BIO_printf(bio_err, " -servername host - servername for HostName TLS extension\n");
        BIO_printf(bio_err, " -servername_fatal - on mismatch send fatal alert (default warning alert)\n");
@@ -598,7 +589,6 @@ s_server_main(int argc, char *argv[])
        int state = 0;
        const SSL_METHOD *meth = NULL;
        int socket_type = SOCK_STREAM;
-        ENGINE *e = NULL;
        int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
        char *passarg = NULL, *pass = NULL;
        char *dpassarg = NULL, *dpass = NULL;
@@ -832,13 +822,6 @@ s_server_main(int argc, char *argv[])
                                goto bad;
                        session_id_prefix = *(++argv);
                }
-#ifndef OPENSSL_NO_ENGINE
-                else if (strcmp(*argv, "-engine") == 0) {
-                        if (--argc < 1)
-                                goto bad;
-                        engine_id = *(++argv);
-                }
-#endif
                else if (strcmp(*argv, "-servername") == 0) {
                        if (--argc < 1)
                                goto bad;
@@ -899,10 +882,6 @@ bad:
                goto end;
        }
-#ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, engine_id, 1);
-#endif
        if (!app_passwd(bio_err, passarg, dpassarg, &pass, &dpass)) {
                BIO_printf(bio_err, "Error getting password\n");
                goto end;
@@ -913,28 +892,28 @@ bad:
                s_key_file2 = s_cert_file2;
        if (nocert == 0) {
-                s_key = load_key(bio_err, s_key_file, s_key_format, 0, pass, e,
+                s_key = load_key(bio_err, s_key_file, s_key_format, 0, pass,
                    "server certificate private key file");
                if (!s_key) {
                        ERR_print_errors(bio_err);
                        goto end;
                }
                s_cert = load_cert(bio_err, s_cert_file, s_cert_format,
-                    NULL, e, "server certificate file");
+                    NULL, "server certificate file");
                if (!s_cert) {
                        ERR_print_errors(bio_err);
                        goto end;
                }
                if (tlsextcbp.servername) {
-                        s_key2 = load_key(bio_err, s_key_file2, s_key_format, 0, pass, e,
+                        s_key2 = load_key(bio_err, s_key_file2, s_key_format, 0, pass,
                            "second server certificate private key file");
                        if (!s_key2) {
                                ERR_print_errors(bio_err);
                                goto end;
                        }
                        s_cert2 = load_cert(bio_err, s_cert_file2, s_cert_format,
-                            NULL, e, "second server certificate file");
+                            NULL, "second server certificate file");
                        if (!s_cert2) {
                                ERR_print_errors(bio_err);
@@ -966,14 +945,13 @@ bad:
                        s_dkey_file = s_dcert_file;
                s_dkey = load_key(bio_err, s_dkey_file, s_dkey_format,
-                    0, dpass, e,
+                    0, dpass, "second certificate private key file");
-                    "second certificate private key file");
                if (!s_dkey) {
                        ERR_print_errors(bio_err);
                        goto end;
                }
                s_dcert = load_cert(bio_err, s_dcert_file, s_dcert_format,
-                    NULL, e, "second server certificate file");
+                    NULL, "second server certificate file");
                if (!s_dcert) {
                        ERR_print_errors(bio_err);
diff --git a/src/usr.bin/openssl/smime.c b/src/usr.bin/openssl/smime.c
index e1c54bf225..d981335179 100644
--- a/src/usr.bin/openssl/smime.c
+++ b/src/usr.bin/openssl/smime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: smime.c,v 1.3 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: smime.c,v 1.4 2015/09/11 14:30:23 bcook Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project.
 */
@@ -85,7 +85,6 @@ static int smime_cb(int ok, X509_STORE_CTX * ctx);
 int
 smime_main(int argc, char **argv)
 {
-        ENGINE *e = NULL;
        int operation = 0;
        int ret = 0;
        char **args;
@@ -110,9 +109,6 @@ smime_main(int argc, char **argv)
        const EVP_MD *sign_md = NULL;
        int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;
        int keyform = FORMAT_PEM;
-#ifndef OPENSSL_NO_ENGINE
-        char *engine = NULL;
-#endif
        X509_VERIFY_PARAM *vpm = NULL;
@@ -192,13 +188,6 @@ smime_main(int argc, char **argv)
                        flags |= PKCS7_NOOLDMIMETYPE;
                else if (!strcmp(*args, "-crlfeol"))
                        flags |= PKCS7_CRLFEOL;
-#ifndef OPENSSL_NO_ENGINE
-                else if (!strcmp(*args, "-engine")) {
-                        if (!args[1])
-                                goto argerr;
-                        engine = *++args;
-                }
-#endif
                else if (!strcmp(*args, "-passin")) {
                        if (!args[1])
                                goto argerr;
@@ -384,7 +373,7 @@ argerr:
                BIO_printf(bio_err, "-in file       input file\n");
                BIO_printf(bio_err, "-inform arg    input format SMIME (default), PEM or DER\n");
                BIO_printf(bio_err, "-inkey file    input private key (if not signer or recipient)\n");
-                BIO_printf(bio_err, "-keyform arg   input private key format (PEM or ENGINE)\n");
+                BIO_printf(bio_err, "-keyform arg   input private key format (PEM)\n");
                BIO_printf(bio_err, "-out file      output file\n");
                BIO_printf(bio_err, "-outform arg   output format SMIME (default), PEM or DER\n");
                BIO_printf(bio_err, "-content file  supply or override content for detached signature\n");
@@ -396,16 +385,10 @@ argerr:
                BIO_printf(bio_err, "-CAfile file   trusted certificates file\n");
                BIO_printf(bio_err, "-crl_check     check revocation status of signer's certificate using CRLs\n");
                BIO_printf(bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
-#ifndef OPENSSL_NO_ENGINE
-                BIO_printf(bio_err, "-engine e      use engine e, possibly a hardware device.\n");
-#endif
                BIO_printf(bio_err, "-passin arg    input file pass phrase source\n");
                BIO_printf(bio_err, "cert.pem       recipient certificate(s) for encryption\n");
                goto end;
        }
-#ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, engine, 0);
-#endif
        if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
                BIO_printf(bio_err, "Error getting password\n");
@@ -444,7 +427,7 @@ argerr:
                encerts = sk_X509_new_null();
                while (*args) {
                        if (!(cert = load_cert(bio_err, *args, FORMAT_PEM,
-                            NULL, e, "recipient certificate file"))) {
+                            NULL, "recipient certificate file"))) {
                                goto end;
                        }
                        sk_X509_push(encerts, cert);
@@ -454,14 +437,14 @@ argerr:
        }
        if (certfile) {
                if (!(other = load_certs(bio_err, certfile, FORMAT_PEM, NULL,
-                            e, "certificate file"))) {
+                    "certificate file"))) {
                        ERR_print_errors(bio_err);
                        goto end;
                }
        }
        if (recipfile && (operation == SMIME_DECRYPT)) {
                if (!(recip = load_cert(bio_err, recipfile, FORMAT_PEM, NULL,
-                            e, "recipient certificate file"))) {
+                    "recipient certificate file"))) {
                        ERR_print_errors(bio_err);
                        goto end;
                }
@@ -476,7 +459,7 @@ argerr:
                keyfile = NULL;
        if (keyfile) {
-                key = load_key(bio_err, keyfile, keyform, 0, passin, e,
+                key = load_key(bio_err, keyfile, keyform, 0, passin,
                    "signing key file");
                if (!key)
                        goto end;
@@ -559,10 +542,10 @@ argerr:
                        signerfile = sk_OPENSSL_STRING_value(sksigners, i);
                        keyfile = sk_OPENSSL_STRING_value(skkeys, i);
                        signer = load_cert(bio_err, signerfile, FORMAT_PEM, NULL,
-                            e, "signer certificate");
+                            "signer certificate");
                        if (!signer)
                                goto end;
-                        key = load_key(bio_err, keyfile, keyform, 0, passin, e,
+                        key = load_key(bio_err, keyfile, keyform, 0, passin,
                            "signing key file");
                        if (!key)
                                goto end;
diff --git a/src/usr.bin/openssl/speed.c b/src/usr.bin/openssl/speed.c
index 935d9556e7..2c3dd8d6c6 100644
--- a/src/usr.bin/openssl/speed.c
+++ b/src/usr.bin/openssl/speed.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: speed.c,v 1.10 2015/09/11 09:38:30 deraadt Exp $ */
+/* $OpenBSD: speed.c,v 1.11 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -538,24 +538,6 @@ speed_main(int argc, char **argv)
                        j--;    /* Otherwise, -elapsed gets confused with an
                                 * algorithm. */
                }
-#ifndef OPENSSL_NO_ENGINE
-                else if ((argc > 0) && (strcmp(*argv, "-engine") == 0)) {
-                        argc--;
-                        argv++;
-                        if (argc == 0) {
-                                BIO_printf(bio_err, "no engine given\n");
-                                goto end;
-                        }
-                        setup_engine(bio_err, *argv, 0);
-                        /*
-                         * j will be increased again further down.  We just
-                         * don't want speed to confuse an engine with an
-                         * algorithm, especially when none is given (which
-                         * means all of them should be run)
-                         */
-                        j--;
-                }
-#endif
                else if ((argc > 0) && (strcmp(*argv, "-multi") == 0)) {
                        argc--;
                        argv++;
@@ -933,9 +915,6 @@ speed_main(int argc, char **argv)
                        BIO_printf(bio_err, "\n");
                        BIO_printf(bio_err, "Available options:\n");
                        BIO_printf(bio_err, "-elapsed        measure time in real time instead of CPU user time.\n");
-#ifndef OPENSSL_NO_ENGINE
-                        BIO_printf(bio_err, "-engine e       use engine e, possibly a hardware device.\n");
-#endif
                        BIO_printf(bio_err, "-evp e          use EVP e.\n");
                        BIO_printf(bio_err, "-decrypt        time decryption instead of encryption (only EVP).\n");
                        BIO_printf(bio_err, "-mr             produce machine readable output.\n");
diff --git a/src/usr.bin/openssl/spkac.c b/src/usr.bin/openssl/spkac.c
index b5ce764eae..b635b5e3b2 100644
--- a/src/usr.bin/openssl/spkac.c
+++ b/src/usr.bin/openssl/spkac.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: spkac.c,v 1.4 2015/08/19 18:25:31 deraadt Exp $ */
+/* $OpenBSD: spkac.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999. Based on an original idea by Massimiliano Pala
 * (madwolf@openca.org).
@@ -75,9 +75,6 @@
 static struct {
        char *challenge;
-#ifndef OPENSSL_NO_ENGINE
-        char *engine;
-#endif
        char *infile;
        char *keyfile;
        int noout;
@@ -97,15 +94,6 @@ static struct option spkac_options[] = {
                .type = OPTION_ARG,
                .opt.arg = &spkac_config.challenge,
        },
-#ifndef OPENSSL_NO_ENGINE
-        {
-                .name = "engine",
-                .argname = "id",
-                .desc = "Use the engine specified by the given identifier",
-                .type = OPTION_ARG,
-                .opt.arg = &spkac_config.engine,
-        },
-#endif
        {
                .name = "in",
                .argname = "file",
@@ -174,7 +162,7 @@ static void
 spkac_usage(void)
 {
        fprintf(stderr,
-            "usage: spkac [-challenge string] [-engine id] [-in file] "
+            "usage: spkac [-challenge string] [-in file] "
            "[-key file] [-noout]\n"
            "    [-out file] [-passin src] [-pubkey] [-spkac name] "
            "[-spksect section]\n"
@@ -185,7 +173,6 @@ spkac_usage(void)
 int
 spkac_main(int argc, char **argv)
 {
-        ENGINE *e = NULL;
        int i, ret = 1;
        BIO *in = NULL, *out = NULL;
        char *passin = NULL;
@@ -207,14 +194,11 @@ spkac_main(int argc, char **argv)
                BIO_printf(bio_err, "Error getting password\n");
                goto end;
        }
-#ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, spkac_config.engine, 0);
-#endif
        if (spkac_config.keyfile) {
                pkey = load_key(bio_err,
                    strcmp(spkac_config.keyfile, "-") ? spkac_config.keyfile
-                    : NULL, FORMAT_PEM, 1, passin, e, "private key");
+                    : NULL, FORMAT_PEM, 1, passin, "private key");
                if (!pkey) {
                        goto end;
                }
diff --git a/src/usr.bin/openssl/ts.c b/src/usr.bin/openssl/ts.c
index ae7dfff615..e958d0aaff 100644
--- a/src/usr.bin/openssl/ts.c
+++ b/src/usr.bin/openssl/ts.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts.c,v 1.5 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: ts.c,v 1.6 2015/09/11 14:30:23 bcook Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
 * project 2002.
 */
@@ -92,13 +92,13 @@ static int create_digest(BIO * input, char *digest,
 static ASN1_INTEGER *create_nonce(int bits);
 /* Reply related functions. */
-static int reply_command(CONF * conf, char *section, char *engine,
+static int reply_command(CONF * conf, char *section,
    char *queryfile, char *passin, char *inkey,
    char *signer, char *chain, const char *policy,
    char *in, int token_in, char *out, int token_out,
    int text);
 static TS_RESP *read_PKCS7(BIO * in_bio);
-static TS_RESP *create_response(CONF * conf, const char *section, char *engine,
+static TS_RESP *create_response(CONF * conf, const char *section,
    char *queryfile, char *passin, char *inkey,
    char *signer, char *chain, const char *policy);
 static ASN1_INTEGER *serial_cb(TS_RESP_CTX * ctx, void *data);
@@ -144,7 +144,6 @@ ts_main(int argc, char **argv)
        char *ca_path = NULL;
        char *ca_file = NULL;
        char *untrusted = NULL;
-        char *engine = NULL;
        /* Input is ContentInfo instead of TimeStampResp. */
        int token_in = 0;
        /* Output is ContentInfo instead of TimeStampResp. */
@@ -233,10 +232,6 @@ ts_main(int argc, char **argv)
                        if (argc-- < 1)
                                goto usage;
                        untrusted = *++argv;
-                } else if (strcmp(*argv, "-engine") == 0) {
-                        if (argc-- < 1)
-                                goto usage;
-                        engine = *++argv;
                } else if ((md = EVP_get_digestbyname(*argv + 1)) != NULL) {
                        /* empty. */
                } else
@@ -282,7 +277,7 @@ ts_main(int argc, char **argv)
                                goto usage;
                }
-                ret = !reply_command(conf, section, engine, queryfile,
+                ret = !reply_command(conf, section, queryfile,
                    password, inkey, signer, chain, policy,
                    in, token_in, out, token_out, text);
                break;
@@ -312,7 +307,7 @@ usage:
            "[-signer tsa_cert.pem] [-inkey private_key.pem] "
            "[-chain certs_file.pem] [-policy object_id] "
            "[-in response.tsr] [-token_in] "
-            "[-out response.tsr] [-token_out] [-text] [-engine id]\n");
+            "[-out response.tsr] [-token_out] [-text]\n");
        BIO_printf(bio_err, "or\n"
            "ts -verify [-data file_to_hash] [-digest digest_bytes] "
            "[-queryfile request.tsq] "
@@ -615,7 +610,7 @@ err:
 */
 static int
-reply_command(CONF * conf, char *section, char *engine, char *queryfile,
+reply_command(CONF * conf, char *section, char *queryfile,
    char *passin, char *inkey, char *signer, char *chain, const char *policy,
    char *in, int token_in, char *out, int token_out, int text)
 {
@@ -642,7 +637,7 @@ reply_command(CONF * conf, char *section, char *engine, char *queryfile,
                        response = d2i_TS_RESP_bio(in_bio, NULL);
                }
        } else {
-                response = create_response(conf, section, engine, queryfile,
+                response = create_response(conf, section, queryfile,
                    passin, inkey, signer, chain,
                    policy);
                if (response)
@@ -740,7 +735,7 @@ end:
 }
 static TS_RESP *
-create_response(CONF * conf, const char *section, char *engine,
+create_response(CONF * conf, const char *section,
    char *queryfile, char *passin, char *inkey,
    char *signer, char *chain, const char *policy)
 {
@@ -763,11 +758,6 @@ create_response(CONF * conf, const char *section, char *engine,
        /* Setting serial number provider callback. */
        if (!TS_CONF_set_serial(conf, section, serial_cb, resp_ctx))
                goto end;
-#ifndef OPENSSL_NO_ENGINE
-        /* Setting default OpenSSL engine. */
-        if (!TS_CONF_set_crypto_device(conf, section, engine))
-                goto end;
-#endif
        /* Setting TSA signer certificate. */
        if (!TS_CONF_set_signer_cert(conf, section, signer, resp_ctx))
diff --git a/src/usr.bin/openssl/verify.c b/src/usr.bin/openssl/verify.c
index ec27275d79..62ca63f01b 100644
--- a/src/usr.bin/openssl/verify.c
+++ b/src/usr.bin/openssl/verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: verify.c,v 1.3 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: verify.c,v 1.4 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -70,13 +70,12 @@
 static int cb(int ok, X509_STORE_CTX * ctx);
 static int check(X509_STORE * ctx, char *file, STACK_OF(X509) * uchain,
-    STACK_OF(X509) * tchain, STACK_OF(X509_CRL) * crls, ENGINE * e);
+    STACK_OF(X509) * tchain, STACK_OF(X509_CRL) * crls);
 static int v_verbose = 0, vflags = 0;
 int
 verify_main(int argc, char **argv)
 {
-        ENGINE *e = NULL;
        int i, ret = 1, badarg = 0;
        char *CApath = NULL, *CAfile = NULL;
        char *untfile = NULL, *trustfile = NULL, *crlfile = NULL;
@@ -85,9 +84,6 @@ verify_main(int argc, char **argv)
        X509_STORE *cert_ctx = NULL;
        X509_LOOKUP *lookup = NULL;
        X509_VERIFY_PARAM *vpm = NULL;
-#ifndef OPENSSL_NO_ENGINE
-        char *engine = NULL;
-#endif
        cert_ctx = X509_STORE_new();
        if (cert_ctx == NULL)
@@ -124,13 +120,6 @@ verify_main(int argc, char **argv)
                                        goto end;
                                crlfile = *(++argv);
                        }
-#ifndef OPENSSL_NO_ENGINE
-                        else if (strcmp(*argv, "-engine") == 0) {
-                                if (--argc < 1)
-                                        goto end;
-                                engine = *(++argv);
-                        }
-#endif
                        else if (strcmp(*argv, "-help") == 0)
                                goto end;
                        else if (strcmp(*argv, "-verbose") == 0)
@@ -145,10 +134,6 @@ verify_main(int argc, char **argv)
                        break;
        }
-#ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, engine, 0);
-#endif
        if (vpm)
                X509_STORE_set1_param(cert_ctx, vpm);
@@ -182,30 +167,30 @@ verify_main(int argc, char **argv)
        if (untfile) {
                untrusted = load_certs(bio_err, untfile, FORMAT_PEM,
-                    NULL, e, "untrusted certificates");
+                    NULL, "untrusted certificates");
                if (!untrusted)
                        goto end;
        }
        if (trustfile) {
                trusted = load_certs(bio_err, trustfile, FORMAT_PEM,
-                    NULL, e, "trusted certificates");
+                    NULL, "trusted certificates");
                if (!trusted)
                        goto end;
        }
        if (crlfile) {
                crls = load_crls(bio_err, crlfile, FORMAT_PEM,
-                    NULL, e, "other CRLs");
+                    NULL, "other CRLs");
                if (!crls)
                        goto end;
        }
        ret = 0;
        if (argc < 1) {
-                if (1 != check(cert_ctx, NULL, untrusted, trusted, crls, e))
+                if (1 != check(cert_ctx, NULL, untrusted, trusted, crls))
                        ret = -1;
        } else {
                for (i = 0; i < argc; i++)
                        if (1 != check(cert_ctx, argv[i], untrusted, trusted,
-                            crls, e))
+                            crls))
                                ret = -1;
        }
@@ -213,9 +198,6 @@ end:
        if (ret == 1) {
                BIO_printf(bio_err, "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
                BIO_printf(bio_err, " [-attime timestamp]");
-#ifndef OPENSSL_NO_ENGINE
-                BIO_printf(bio_err, " [-engine e]");
-#endif
                BIO_printf(bio_err, " cert1 cert2 ...\n");
                BIO_printf(bio_err, "recognized usages:\n");
@@ -240,13 +222,13 @@ end:
 static int
 check(X509_STORE * ctx, char *file, STACK_OF(X509) * uchain,
-    STACK_OF(X509) * tchain, STACK_OF(X509_CRL) * crls, ENGINE * e)
+    STACK_OF(X509) * tchain, STACK_OF(X509_CRL) * crls)
 {
        X509 *x = NULL;
        int i = 0, ret = 0;
        X509_STORE_CTX *csc;
-        x = load_cert(bio_err, file, FORMAT_PEM, NULL, e, "certificate file");
+        x = load_cert(bio_err, file, FORMAT_PEM, NULL, "certificate file");
        if (x == NULL)
                goto end;
        fprintf(stdout, "%s: ", (file == NULL) ? "stdin" : file);
diff --git a/src/usr.bin/openssl/x509.c b/src/usr.bin/openssl/x509.c
index 0e5594372b..a8812f7e74 100644
--- a/src/usr.bin/openssl/x509.c
+++ b/src/usr.bin/openssl/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.5 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: x509.c,v 1.6 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -140,9 +140,6 @@ static const char *x509_usage[] = {
        " -extensions     - section from config file with X509V3 extensions to add\n",
        " -clrext         - delete extensions before signing and input certificate\n",
        " -nameopt arg    - various certificate name options\n",
-#ifndef OPENSSL_NO_ENGINE
-        " -engine e       - use engine e, possibly a hardware device.\n",
-#endif
        " -certopt arg    - various certificate text options\n",
        NULL
 };
@@ -160,7 +157,6 @@ static int reqfile = 0;
 int
 x509_main(int argc, char **argv)
 {
-        ENGINE *e = NULL;
        int ret = 1;
        X509_REQ *req = NULL;
        X509 *x = NULL, *xca = NULL;
@@ -200,9 +196,6 @@ x509_main(int argc, char **argv)
        char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL;
        int checkend = 0, checkoffset = 0;
        unsigned long nmflag = 0, certflag = 0;
-#ifndef OPENSSL_NO_ENGINE
-        char *engine = NULL;
-#endif
        const char *errstr = NULL;
        reqfile = 0;
@@ -345,13 +338,6 @@ x509_main(int argc, char **argv)
                        if (!set_name_ex(&nmflag, *(++argv)))
                                goto bad;
                }
-#ifndef OPENSSL_NO_ENGINE
-                else if (strcmp(*argv, "-engine") == 0) {
-                        if (--argc < 1)
-                                goto bad;
-                        engine = *(++argv);
-                }
-#endif
                else if (strcmp(*argv, "-C") == 0)
                        C = ++num;
                else if (strcmp(*argv, "-email") == 0)
@@ -441,9 +427,6 @@ bad:
                        BIO_printf(bio_err, "%s", *pp);
                goto end;
        }
-#ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, engine, 0);
-#endif
        if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
                BIO_printf(bio_err, "Error getting password\n");
@@ -575,12 +558,12 @@ bad:
                X509_set_pubkey(x, pkey);
                EVP_PKEY_free(pkey);
        } else
-                x = load_cert(bio_err, infile, informat, NULL, e, "Certificate");
+                x = load_cert(bio_err, infile, informat, NULL, "Certificate");
        if (x == NULL)
                goto end;
        if (CA_flag) {
-                xca = load_cert(bio_err, CAfile, CAformat, NULL, e, "CA Certificate");
+                xca = load_cert(bio_err, CAfile, CAformat, NULL, "CA Certificate");
                if (xca == NULL)
                        goto end;
        }
@@ -813,7 +796,7 @@ bad:
                                if (Upkey == NULL) {
                                        Upkey = load_key(bio_err,
                                            keyfile, keyformat, 0,
-                                            passin, e, "Private key");
+                                            passin, "Private key");
                                        if (Upkey == NULL)
                                                goto end;
                                }
@@ -825,8 +808,7 @@ bad:
                                if (CAkeyfile != NULL) {
                                        CApkey = load_key(bio_err,
                                            CAkeyfile, CAkeyformat,
-                                            0, passin, e,
+                                            0, passin, "CA Private Key");
-                                            "CA Private Key");
                                        if (CApkey == NULL)
                                                goto end;
                                }
@@ -845,7 +827,7 @@ bad:
                                } else {
                                        pk = load_key(bio_err,
                                            keyfile, keyformat, 0,
-                                            passin, e, "request key");
+                                            passin, "request key");
                                        if (pk == NULL)
                                                goto end;
                                }