Remove engine command and parameters from openssl(1).

We do not have any builtin or dynamic engines, meaning openssl(1) has
no way to use the engine command or parameters at all.

ok jsing@

40 files changed, 184 insertions, 1726 deletions

diff --git a/usr.bin/openssl/Makefile b/usr.bin/openssl/Makefile
index 04a24c8c59b..db3364b16fd 100644
--- a/usr.bin/openssl/Makefile
+++ b/usr.bin/openssl/Makefile
@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.5 2015/02/10 15:29:34 jsing Exp $
+#	$OpenBSD: Makefile,v 1.6 2015/09/11 14:30:23 bcook Exp $
 
 PROG=	openssl
 LDADD=	-lssl -lcrypto
@@ -19,7 +19,7 @@ CFLAGS+= -DLIBRESSL_INTERNAL
 
 SRCS=	apps.c apps_posix.c asn1pars.c ca.c certhash.c ciphers.c cms.c crl.c \
 	crl2p7.c dgst.c dh.c dhparam.c dsa.c dsaparam.c ec.c ecparam.c enc.c \
-	engine.c errstr.c gendh.c gendsa.c genpkey.c genrsa.c nseq.c ocsp.c \
+	errstr.c gendh.c gendsa.c genpkey.c genrsa.c nseq.c ocsp.c \
 	openssl.c passwd.c pkcs12.c pkcs7.c pkcs8.c pkey.c pkeyparam.c \
 	pkeyutl.c prime.c rand.c req.c rsa.c rsautl.c s_cb.c s_client.c \
 	s_server.c s_socket.c s_time.c sess_id.c smime.c speed.c spkac.c ts.c \
diff --git a/usr.bin/openssl/apps.c b/usr.bin/openssl/apps.c
index acd95abc7f6..f8cad1a703d 100644
--- a/usr.bin/openssl/apps.c
+++ b/usr.bin/openssl/apps.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: apps.c,v 1.34 2015/09/10 16:01:06 jsing Exp $ */
+/* $OpenBSD: apps.c,v 1.35 2015/09/11 14:30:23 bcook Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -146,10 +146,6 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
-
 #include <openssl/rsa.h>
 
 typedef struct {
@@ -190,8 +186,6 @@ str2fmt(char *s)
 	    (strcmp(s, "PKCS12") == 0) || (strcmp(s, "pkcs12") == 0) ||
 	    (strcmp(s, "P12") == 0) || (strcmp(s, "p12") == 0))
 		return (FORMAT_PKCS12);
-	else if ((*s == 'E') || (*s == 'e'))
-		return (FORMAT_ENGINE);
 	else if ((*s == 'P') || (*s == 'p')) {
 		if (s[1] == 'V' || s[1] == 'v')
 			return FORMAT_PVK;
@@ -626,7 +620,7 @@ die:
 }
 
 X509 *
-load_cert(BIO *err, const char *file, int format, const char *pass, ENGINE *e,
+load_cert(BIO *err, const char *file, int format, const char *pass,
     const char *cert_descrip)
 {
 	X509 *x = NULL;
@@ -690,7 +684,7 @@ end:
 
 EVP_PKEY *
 load_key(BIO *err, const char *file, int format, int maybe_stdin,
-    const char *pass, ENGINE *e, const char *key_descrip)
+    const char *pass, const char *key_descrip)
 {
 	BIO *key = NULL;
 	EVP_PKEY *pkey = NULL;
@@ -699,26 +693,10 @@ load_key(BIO *err, const char *file, int format, int maybe_stdin,
 	cb_data.password = pass;
 	cb_data.prompt_info = file;
 
-	if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) {
+	if (file == NULL && (!maybe_stdin)) {
 		BIO_printf(err, "no keyfile specified\n");
 		goto end;
 	}
-#ifndef OPENSSL_NO_ENGINE
-	if (format == FORMAT_ENGINE) {
-		if (!e)
-			BIO_printf(err, "no engine specified\n");
-		else {
-			pkey = ENGINE_load_private_key(e, file,
-			    ui_method, &cb_data);
-			if (!pkey) {
-				BIO_printf(err, "cannot load %s from engine\n",
-				    key_descrip);
-				ERR_print_errors(err);
-			}
-		}
-		goto end;
-	}
-#endif
 	key = BIO_new(BIO_s_file());
 	if (key == NULL) {
 		ERR_print_errors(err);
@@ -769,7 +747,7 @@ end:
 
 EVP_PKEY *
 load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
-    const char *pass, ENGINE *e, const char *key_descrip)
+    const char *pass, const char *key_descrip)
 {
 	BIO *key = NULL;
 	EVP_PKEY *pkey = NULL;
@@ -778,20 +756,10 @@ load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
 	cb_data.password = pass;
 	cb_data.prompt_info = file;
 
-	if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE)) {
+	if (file == NULL && !maybe_stdin) {
 		BIO_printf(err, "no keyfile specified\n");
 		goto end;
 	}
-#ifndef OPENSSL_NO_ENGINE
-	if (format == FORMAT_ENGINE) {
-		if (!e)
-			BIO_printf(bio_err, "no engine specified\n");
-		else
-			pkey = ENGINE_load_public_key(e, file,
-			    ui_method, &cb_data);
-		goto end;
-	}
-#endif
 	key = BIO_new(BIO_s_file());
 	if (key == NULL) {
 		ERR_print_errors(err);
@@ -899,7 +867,7 @@ error:
 
 static int
 load_certs_crls(BIO *err, const char *file, int format, const char *pass,
-    ENGINE *e, const char *desc, STACK_OF(X509) **pcerts,
+    const char *desc, STACK_OF(X509) **pcerts,
     STACK_OF(X509_CRL) **pcrls)
 {
 	int i;
@@ -983,22 +951,22 @@ end:
 
 STACK_OF(X509) *
 load_certs(BIO *err, const char *file, int format, const char *pass,
-    ENGINE *e, const char *desc)
+    const char *desc)
 {
 	STACK_OF(X509) *certs;
 
-	if (!load_certs_crls(err, file, format, pass, e, desc, &certs, NULL))
+	if (!load_certs_crls(err, file, format, pass, desc, &certs, NULL))
 		return NULL;
 	return certs;
 }
 
 STACK_OF(X509_CRL) *
-load_crls(BIO *err, const char *file, int format, const char *pass, ENGINE *e,
+load_crls(BIO *err, const char *file, int format, const char *pass,
     const char *desc)
 {
 	STACK_OF(X509_CRL) *crls;
 
-	if (!load_certs_crls(err, file, format, pass, e, desc, NULL, &crls))
+	if (!load_certs_crls(err, file, format, pass, desc, NULL, &crls))
 		return NULL;
 	return crls;
 }
@@ -1248,55 +1216,6 @@ end:
 	return NULL;
 }
 
-#ifndef OPENSSL_NO_ENGINE
-
-ENGINE *
-setup_engine(BIO *err, const char *engine, int debug)
-{
-	ENGINE *e = NULL;
-
-	if (engine) {
-		if (strcmp(engine, "auto") == 0) {
-			BIO_printf(err, "enabling auto ENGINE support\n");
-			ENGINE_register_all_complete();
-			return NULL;
-		}
-		if ((e = ENGINE_by_id(engine)) == NULL) {
-			BIO_printf(err, "invalid engine \"%s\"\n", engine);
-			ERR_print_errors(err);
-			return NULL;
-		}
-		if (debug) {
-			if (ENGINE_ctrl(e, ENGINE_CTRL_SET_LOGSTREAM,
-			    0, err, 0) <= 0) {
-				BIO_printf(err, "Cannot set logstream for "
-				    "engine \"%s\"\n", engine);
-				ERR_print_errors(err);
-				ENGINE_free(e);
-				return NULL;
-			}
-		}
-		if (!ENGINE_ctrl_cmd(e, "SET_USER_INTERFACE", 0, ui_method, 0, 1)) {
-			BIO_printf(err, "can't set user interface\n");
-			ERR_print_errors(err);
-			ENGINE_free(e);
-			return NULL;
-		}
-		if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
-			BIO_printf(err, "can't use that engine\n");
-			ERR_print_errors(err);
-			ENGINE_free(e);
-			return NULL;
-		}
-		BIO_printf(err, "engine \"%s\" set.\n", ENGINE_get_id(e));
-
-		/* Free our "structural" reference. */
-		ENGINE_free(e);
-	}
-	return e;
-}
-#endif
-
 int
 load_config(BIO *err, CONF *cnf)
 {
diff --git a/usr.bin/openssl/apps.h b/usr.bin/openssl/apps.h
index f6e0a8ce196..f63079179d8 100644
--- a/usr.bin/openssl/apps.h
+++ b/usr.bin/openssl/apps.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: apps.h,v 1.14 2015/07/15 13:54:34 jsing Exp $ */
+/* $OpenBSD: apps.h,v 1.15 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -121,10 +121,6 @@
 #include <openssl/txt_db.h>
 #include <openssl/x509.h>
 
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
-
 #ifndef OPENSSL_NO_OCSP
 #include <openssl/ocsp.h>
 #endif
@@ -166,19 +162,16 @@ int copy_extensions(X509 *x, X509_REQ *req, int copy_type);
 int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2);
 int add_oid_section(BIO *err, CONF *conf);
 X509 *load_cert(BIO *err, const char *file, int format,
-    const char *pass, ENGINE *e, const char *cert_descrip);
+    const char *pass, const char *cert_descrip);
 EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
-    const char *pass, ENGINE *e, const char *key_descrip);
+    const char *pass, const char *key_descrip);
 EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
-    const char *pass, ENGINE *e, const char *key_descrip);
+    const char *pass, const char *key_descrip);
 STACK_OF(X509) *load_certs(BIO *err, const char *file, int format,
-    const char *pass, ENGINE *e, const char *cert_descrip);
+    const char *pass, const char *cert_descrip);
 STACK_OF(X509_CRL) *load_crls(BIO *err, const char *file, int format,
-    const char *pass, ENGINE *e, const char *cert_descrip);
+    const char *pass, const char *cert_descrip);
 X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath);
-#ifndef OPENSSL_NO_ENGINE
-ENGINE *setup_engine(BIO *err, const char *engine, int debug);
-#endif
 
 #ifndef OPENSSL_NO_OCSP
 OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
@@ -236,7 +229,7 @@ int args_verify(char ***pargs, int *pargc, int *badarg, BIO *err,
 void policies_print(BIO *out, X509_STORE_CTX *ctx);
 int bio_to_mem(unsigned char **out, int maxlen, BIO *in);
 int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value);
-int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx, const char *algname, ENGINE *e,
+int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx, const char *algname,
     int do_param);
 int do_X509_sign(BIO *err, X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
     STACK_OF(OPENSSL_STRING) *sigopts);
@@ -254,7 +247,7 @@ unsigned char *next_protos_parse(unsigned short *outlen, const char *in);
 #define FORMAT_NETSCAPE 4
 #define FORMAT_PKCS12   5
 #define FORMAT_SMIME    6
-#define FORMAT_ENGINE   7
+
 #define FORMAT_IISSGC	8	/* XXX this stupid macro helps us to avoid
 				 * adding yet another param to load_*key() */
 #define FORMAT_PEMRSA	9	/* PEM RSAPubicKey format */
diff --git a/usr.bin/openssl/ca.c b/usr.bin/openssl/ca.c
index 8645128e420..254d551aa5b 100644
--- a/usr.bin/openssl/ca.c
+++ b/usr.bin/openssl/ca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ca.c,v 1.11 2015/09/10 16:01:06 jsing Exp $ */
+/* $OpenBSD: ca.c,v 1.12 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -135,7 +135,7 @@ static const char *ca_usage[] = {
 	" -md arg         - md to use, one of md2, md5, sha or sha1\n",
 	" -policy arg     - The CA 'policy' to support\n",
 	" -keyfile arg    - private key file\n",
-	" -keyform arg    - private key file format (PEM or ENGINE)\n",
+	" -keyform arg    - private key file format (PEM)\n",
 	" -key arg        - key to decode the private key if it is encrypted\n",
 	" -cert file      - The CA certificate\n",
 	" -selfsign       - sign a certificate with the key associated with it\n",
@@ -156,9 +156,6 @@ static const char *ca_usage[] = {
 	" -extensions ..  - Extension section (override value in config file)\n",
 	" -extfile file   - Configuration file with X509v3 extentions to add\n",
 	" -crlexts ..     - CRL extension section (override value in config file)\n",
-#ifndef OPENSSL_NO_ENGINE
-	" -engine e       - use engine e, possibly a hardware device.\n",
-#endif
 	" -status serial  - Shows certificate status given the serial number\n",
 	" -updatedb       - Updates db for expired certificates\n",
 	NULL
@@ -178,7 +175,7 @@ static int certify_cert(X509 ** xret, char *infile, EVP_PKEY * pkey,
     unsigned long chtype, int multirdn, int email_dn, char *startdate,
     char *enddate, long days, int batch, char *ext_sect, CONF * conf,
     int verbose, unsigned long certopt, unsigned long nameopt, int default_op,
-    int ext_copy, ENGINE * e);
+    int ext_copy);
 static int certify_spkac(X509 ** xret, char *infile, EVP_PKEY * pkey,
     X509 * x509, const EVP_MD * dgst, STACK_OF(OPENSSL_STRING) * sigopts,
     STACK_OF(CONF_VALUE) * policy, CA_DB * db, BIGNUM * serial, char *subj,
@@ -213,7 +210,6 @@ static int msie_hack = 0;
 int
 ca_main(int argc, char **argv)
 {
-	ENGINE *e = NULL;
 	char *key = NULL, *passargin = NULL;
 	int create_ser = 0;
 	int free_key = 0;
@@ -286,9 +282,6 @@ ca_main(int argc, char **argv)
 	STACK_OF(OPENSSL_STRING) * sigopts = NULL;
 #define BUFLEN 256
 	char buf[3][BUFLEN];
-#ifndef OPENSSL_NO_ENGINE
-	char *engine = NULL;
-#endif
 	char *tofree = NULL;
 	const char *errstr = NULL;
 	DB_ATTR db_attr;
@@ -478,13 +471,6 @@ ca_main(int argc, char **argv)
 			rev_arg = *(++argv);
 			rev_type = REV_CA_COMPROMISE;
 		}
-#ifndef OPENSSL_NO_ENGINE
-		else if (strcmp(*argv, "-engine") == 0) {
-			if (--argc < 1)
-				goto bad;
-			engine = *(++argv);
-		}
-#endif
 		else {
 bad:
 			if (errstr)
@@ -536,10 +522,6 @@ bad:
 	free(tofree);
 	tofree = NULL;
 
-#ifndef OPENSSL_NO_ENGINE
-	e = setup_engine(bio_err, engine, 0);
-#endif
-
 	/* Lets get the config section we are using */
 	if (section == NULL) {
 		section = NCONF_get_string(conf, BASE_SECTION, ENV_DEFAULT_CA);
@@ -639,7 +621,7 @@ bad:
 			goto err;
 		}
 	}
-	pkey = load_key(bio_err, keyfile, keyform, 0, key, e, "CA private key");
+	pkey = load_key(bio_err, keyfile, keyform, 0, key, "CA private key");
 	if (key)
 		explicit_bzero(key, strlen(key));
 	if (pkey == NULL) {
@@ -655,7 +637,7 @@ bad:
 			lookup_fail(section, ENV_CERTIFICATE);
 			goto err;
 		}
-		x509 = load_cert(bio_err, certfile, FORMAT_PEM, NULL, e,
+		x509 = load_cert(bio_err, certfile, FORMAT_PEM, NULL,
 		    "CA certificate");
 		if (x509 == NULL)
 			goto err;
@@ -1028,7 +1010,7 @@ bad:
 			    sigopts, attribs, db, serial, subj, chtype,
 			    multirdn, email_dn, startdate, enddate, days, batch,
 			    extensions, conf, verbose, certopt, nameopt,
-			    default_op, ext_copy, e);
+			    default_op, ext_copy);
 			if (j < 0)
 				goto err;
 			if (j > 0) {
@@ -1314,7 +1296,7 @@ bad:
 		} else {
 			X509 *revcert;
 			revcert = load_cert(bio_err, infile, FORMAT_PEM,
-			    NULL, e, infile);
+			    NULL, infile);
 			if (revcert == NULL)
 				goto err;
 			j = do_revoke(revcert, db, rev_type, rev_arg);
@@ -1446,14 +1428,14 @@ certify_cert(X509 ** xret, char *infile, EVP_PKEY * pkey, X509 * x509,
     unsigned long chtype, int multirdn, int email_dn, char *startdate,
     char *enddate, long days, int batch, char *ext_sect, CONF * lconf,
     int verbose, unsigned long certopt, unsigned long nameopt, int default_op,
-    int ext_copy, ENGINE * e)
+    int ext_copy)
 {
 	X509 *req = NULL;
 	X509_REQ *rreq = NULL;
 	EVP_PKEY *pktmp = NULL;
 	int ok = -1, i;
 
-	if ((req = load_cert(bio_err, infile, FORMAT_PEM, NULL, e,
+	if ((req = load_cert(bio_err, infile, FORMAT_PEM, NULL,
 	    infile)) == NULL)
 		goto err;
 	if (verbose)
diff --git a/usr.bin/openssl/cms.c b/usr.bin/openssl/cms.c
index c6e662ab33e..fccac23db74 100644
--- a/usr.bin/openssl/cms.c
+++ b/usr.bin/openssl/cms.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms.c,v 1.2 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: cms.c,v 1.3 2015/09/11 14:30:23 bcook Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -99,7 +99,6 @@ int verify_err = 0;
 int
 cms_main(int argc, char **argv)
 {
-	ENGINE *e = NULL;
 	int operation = 0;
 	int ret = 0;
 	char **args;
@@ -128,9 +127,6 @@ cms_main(int argc, char **argv)
 	const EVP_MD *sign_md = NULL;
 	int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;
 	int rctformat = FORMAT_SMIME, keyform = FORMAT_PEM;
-#ifndef OPENSSL_NO_ENGINE
-	char *engine = NULL;
-#endif
 	unsigned char *secret_key = NULL, *secret_keyid = NULL;
 	unsigned char *pwri_pass = NULL, *pwri_tmp = NULL;
 	size_t secret_keylen = 0, secret_keyidlen = 0;
@@ -310,13 +306,6 @@ cms_main(int argc, char **argv)
 				goto argerr;
 			}
 		}
-#ifndef OPENSSL_NO_ENGINE
-		else if (!strcmp(*args, "-engine")) {
-			if (!args[1])
-				goto argerr;
-			engine = *++args;
-		}
-#endif
 		else if (!strcmp(*args, "-passin")) {
 			if (!args[1])
 				goto argerr;
@@ -526,7 +515,7 @@ argerr:
 		BIO_printf(bio_err, "-in file       input file\n");
 		BIO_printf(bio_err, "-inform arg    input format SMIME (default), PEM or DER\n");
 		BIO_printf(bio_err, "-inkey file    input private key (if not signer or recipient)\n");
-		BIO_printf(bio_err, "-keyform arg   input private key format (PEM or ENGINE)\n");
+		BIO_printf(bio_err, "-keyform arg   input private key format (PEM)\n");
 		BIO_printf(bio_err, "-out file      output file\n");
 		BIO_printf(bio_err, "-outform arg   output format SMIME (default), PEM or DER\n");
 		BIO_printf(bio_err, "-content file  supply or override content for detached signature\n");
@@ -538,16 +527,10 @@ argerr:
 		BIO_printf(bio_err, "-CAfile file   trusted certificates file\n");
 		BIO_printf(bio_err, "-crl_check     check revocation status of signer's certificate using CRLs\n");
 		BIO_printf(bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
-#ifndef OPENSSL_NO_ENGINE
-		BIO_printf(bio_err, "-engine e      use engine e, possibly a hardware device.\n");
-#endif
 		BIO_printf(bio_err, "-passin arg    input file pass phrase source\n");
 		BIO_printf(bio_err, "cert.pem       recipient certificate(s) for encryption\n");
 		goto end;
 	}
-#ifndef OPENSSL_NO_ENGINE
-	e = setup_engine(bio_err, engine, 0);
-#endif
 
 	if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
 		BIO_printf(bio_err, "Error getting password\n");
diff --git a/usr.bin/openssl/dgst.c b/usr.bin/openssl/dgst.c
index d442bba266f..94d98ac6a4c 100644
--- a/usr.bin/openssl/dgst.c
+++ b/usr.bin/openssl/dgst.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dgst.c,v 1.5 2015/09/10 16:01:06 jsing Exp $ */
+/* $OpenBSD: dgst.c,v 1.6 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -101,7 +101,6 @@ list_md_fn(const EVP_MD * m, const char *from, const char *to, void *arg)
 int
 dgst_main(int argc, char **argv)
 {
-	ENGINE *e = NULL;
 	unsigned char *buf = NULL;
 	int i, err = 1;
 	const EVP_MD *md = NULL, *m;
@@ -120,9 +119,6 @@ dgst_main(int argc, char **argv)
 	unsigned char *sigbuf = NULL;
 	int siglen = 0;
 	char *passargin = NULL, *passin = NULL;
-#ifndef OPENSSL_NO_ENGINE
-	char *engine = NULL;
-#endif
 	char *hmac_key = NULL;
 	char *mac_name = NULL;
 	STACK_OF(OPENSSL_STRING) * sigopts = NULL, *macopts = NULL;
@@ -178,14 +174,6 @@ dgst_main(int argc, char **argv)
 				break;
 			keyform = str2fmt(*(++argv));
 		}
-#ifndef OPENSSL_NO_ENGINE
-		else if (strcmp(*argv, "-engine") == 0) {
-			if (--argc < 1)
-				break;
-			engine = *(++argv);
-			e = setup_engine(bio_err, engine, 0);
-		}
-#endif
 		else if (strcmp(*argv, "-hex") == 0)
 			out_bin = 0;
 		else if (strcmp(*argv, "-binary") == 0)
@@ -238,16 +226,13 @@ dgst_main(int argc, char **argv)
 		BIO_printf(bio_err, "-sign   file    sign digest using private key in file\n");
 		BIO_printf(bio_err, "-verify file    verify a signature using public key in file\n");
 		BIO_printf(bio_err, "-prverify file  verify a signature using private key in file\n");
-		BIO_printf(bio_err, "-keyform arg    key file format (PEM or ENGINE)\n");
+		BIO_printf(bio_err, "-keyform arg    key file format (PEM)\n");
 		BIO_printf(bio_err, "-out filename   output to filename rather than stdout\n");
 		BIO_printf(bio_err, "-signature file signature to verify\n");
 		BIO_printf(bio_err, "-sigopt nm:v    signature parameter\n");
 		BIO_printf(bio_err, "-hmac key       create hashed MAC with key\n");
 		BIO_printf(bio_err, "-mac algorithm  create MAC (not neccessarily HMAC)\n");
 		BIO_printf(bio_err, "-macopt nm:v    MAC algorithm parameters or key\n");
-#ifndef OPENSSL_NO_ENGINE
-		BIO_printf(bio_err, "-engine e       use engine e, possibly a hardware device.\n");
-#endif
 
 		EVP_MD_do_all_sorted(list_md_fn, bio_err);
 		goto end;
@@ -298,10 +283,10 @@ dgst_main(int argc, char **argv)
 	if (keyfile) {
 		if (want_pub)
 			sigkey = load_pubkey(bio_err, keyfile, keyform, 0, NULL,
-			    e, "key file");
+			    "key file");
 		else
 			sigkey = load_key(bio_err, keyfile, keyform, 0, passin,
-			    e, "key file");
+			    "key file");
 		if (!sigkey) {
 			/*
 			 * load_[pub]key() has already printed an appropriate
@@ -313,7 +298,7 @@ dgst_main(int argc, char **argv)
 	if (mac_name) {
 		EVP_PKEY_CTX *mac_ctx = NULL;
 		int r = 0;
-		if (!init_gen_str(bio_err, &mac_ctx, mac_name, e, 0))
+		if (!init_gen_str(bio_err, &mac_ctx, mac_name, 0))
 			goto mac_end;
 		if (macopts) {
 			char *macopt;
@@ -341,7 +326,7 @@ mac_end:
 			goto end;
 	}
 	if (hmac_key) {
-		sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, e,
+		sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
 		    (unsigned char *) hmac_key, -1);
 		if (!sigkey)
 			goto end;
diff --git a/usr.bin/openssl/dh.c b/usr.bin/openssl/dh.c
index ed86428258e..f4112e87c21 100644
--- a/usr.bin/openssl/dh.c
+++ b/usr.bin/openssl/dh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh.c,v 1.5 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: dh.c,v 1.6 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -77,9 +77,6 @@
 static struct {
 	int C;
 	int check;
-#ifndef OPENSSL_NO_ENGINE
-	char *engine;
-#endif
 	char *infile;
 	int informat;
 	int noout;
@@ -101,15 +98,6 @@ static struct option dh_options[] = {
 		.type = OPTION_FLAG,
 		.opt.flag = &dh_config.check,
 	},
-#ifndef OPENSSL_NO_ENGINE
-	{
-		.name = "engine",
-		.argname = "id",
-		.desc = "Use the engine specified by the given identifier",
-		.type = OPTION_ARG,
-		.opt.arg = &dh_config.engine,
-	},
-#endif
 	{
 		.name = "in",
 		.argname = "file",
@@ -157,7 +145,7 @@ static void
 dh_usage(void)
 {
 	fprintf(stderr,
-	    "usage: dh [-C] [-check] [-engine id] [-in file] [-inform format]\n"
+	    "usage: dh [-C] [-check] [-in file] [-inform format]\n"
 	    "    [-noout] [-out file] [-outform format] [-text]\n\n");
 	options_usage(dh_options);
 }
@@ -180,10 +168,6 @@ dh_main(int argc, char **argv)
 		goto end;
 	}
 
-#ifndef OPENSSL_NO_ENGINE
-	setup_engine(bio_err, dh_config.engine, 0);
-#endif
-
 	in = BIO_new(BIO_s_file());
 	out = BIO_new(BIO_s_file());
 	if (in == NULL || out == NULL) {
diff --git a/usr.bin/openssl/dhparam.c b/usr.bin/openssl/dhparam.c
index 5757b906b16..158a07a5725 100644
--- a/usr.bin/openssl/dhparam.c
+++ b/usr.bin/openssl/dhparam.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dhparam.c,v 1.5 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: dhparam.c,v 1.6 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -135,9 +135,6 @@ struct {
 	int C;
 	int check;
 	int dsaparam;
-#ifndef OPENSSL_NO_ENGINE
-	char *engine;
-#endif
 	int g;
 	char *infile;
 	int informat;
@@ -181,15 +178,6 @@ struct option dhparam_options[] = {
 		.type = OPTION_FLAG,
 		.opt.flag = &dhparam_config.dsaparam,
 	},
-#ifndef OPENSSL_NO_ENGINE
-	{
-		.name = "engine",
-		.argname = "id",
-		.desc = "Use the engine specified by the given identifier",
-		.type = OPTION_ARG,
-		.opt.arg = &dhparam_config.engine,
-	},
-#endif
 	{
 		.name = "in",
 		.argname = "file",
@@ -237,7 +225,7 @@ static void
 dhparam_usage()
 {
 	fprintf(stderr,
-	    "usage: dhparam [-2 | -5] [-C] [-check] [-dsaparam] [-engine id]\n"
+	    "usage: dhparam [-2 | -5] [-C] [-check] [-dsaparam]\n"
 	    "    [-in file] [-inform DER | PEM] [-noout] [-out file]\n"
 	    "    [-outform DER | PEM] [-text] [numbits]\n\n");
 	options_usage(dhparam_options);
@@ -273,10 +261,6 @@ dhparam_main(int argc, char **argv)
 		}
 	}
 
-#ifndef OPENSSL_NO_ENGINE
-	setup_engine(bio_err, dhparam_config.engine, 0);
-#endif
-
 	if (dhparam_config.g && !num)
 		num = DEFBITS;
 
diff --git a/usr.bin/openssl/dsa.c b/usr.bin/openssl/dsa.c
index 2b6bff29f3a..813e163662c 100644
--- a/usr.bin/openssl/dsa.c
+++ b/usr.bin/openssl/dsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa.c,v 1.4 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: dsa.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -76,9 +76,6 @@
 
 static struct {
 	const EVP_CIPHER *enc;
-#ifndef OPENSSL_NO_ENGINE
-	char *engine;
-#endif
 	char *infile;
 	int informat;
 	int modulus;
@@ -110,15 +107,6 @@ dsa_opt_enc(int argc, char **argv, int *argsused)
 }
 
 static struct option dsa_options[] = {
-#ifndef OPENSSL_NO_ENGINE
-	{
-		.name = "engine",
-		.argname = "id",
-		.desc = "Use the engine specified by the given identifier",
-		.type = OPTION_ARG,
-		.opt.arg = &dsa_config.engine,
-	},
-#endif
 	{
 		.name = "in",
 		.argname = "file",
@@ -231,7 +219,7 @@ static void
 dsa_usage(void)
 {
 	fprintf(stderr,
-	    "usage: dsa [-engine id] [-in file] [-inform format] [-noout]\n"
+	    "usage: dsa [-in file] [-inform format] [-noout]\n"
 	    "    [-out file] [-outform format] [-passin src] [-passout src]\n"
 	    "    [-pubin] [-pubout] [-pvk-none | -pvk-strong | -pvk-weak]\n"
 	    "    [-text] [-ciphername]\n\n");
@@ -246,7 +234,6 @@ dsa_usage(void)
 int
 dsa_main(int argc, char **argv)
 {
-	ENGINE *e = NULL;
 	int ret = 1;
 	DSA *dsa = NULL;
 	int i;
@@ -264,10 +251,6 @@ dsa_main(int argc, char **argv)
 		goto end;
 	}
 
-#ifndef OPENSSL_NO_ENGINE
-	e = setup_engine(bio_err, dsa_config.engine, 0);
-#endif
-
 	if (!app_passwd(bio_err, dsa_config.passargin, dsa_config.passargout,
 	    &passin, &passout)) {
 		BIO_printf(bio_err, "Error getting passwords\n");
@@ -296,10 +279,10 @@ dsa_main(int argc, char **argv)
 
 		if (dsa_config.pubin)
 			pkey = load_pubkey(bio_err, dsa_config.infile,
-			    dsa_config.informat, 1, passin, e, "Public Key");
+			    dsa_config.informat, 1, passin, "Public Key");
 		else
 			pkey = load_key(bio_err, dsa_config.infile,
-			    dsa_config.informat, 1, passin, e, "Private Key");
+			    dsa_config.informat, 1, passin, "Private Key");
 
 		if (pkey) {
 			dsa = EVP_PKEY_get1_DSA(pkey);
diff --git a/usr.bin/openssl/dsaparam.c b/usr.bin/openssl/dsaparam.c
index 66cacbb3a9c..0cdd5c1d51d 100644
--- a/usr.bin/openssl/dsaparam.c
+++ b/usr.bin/openssl/dsaparam.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsaparam.c,v 1.4 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: dsaparam.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -81,9 +81,6 @@
 
 static struct {
 	int C;
-#ifndef OPENSSL_NO_ENGINE
-	char *engine;
-#endif
 	int genkey;
 	char *infile;
 	int informat;
@@ -100,15 +97,6 @@ static struct option dsaparam_options[] = {
 		.type = OPTION_FLAG,
 		.opt.flag = &dsaparam_config.C,
 	},
-#ifndef OPENSSL_NO_ENGINE
-	{
-		.name = "engine",
-		.argname = "id",
-		.desc = "Use the engine specified by the given identifier",
-		.type = OPTION_ARG,
-		.opt.arg = &dsaparam_config.engine,
-	},
-#endif
 	{
 		.name = "genkey",
 		.desc = "Generate a DSA key",
@@ -162,7 +150,7 @@ static void
 dsaparam_usage(void)
 {
 	fprintf(stderr,
-	    "usage: dsaparam [-C] [-engine id] [-genkey] [-in file]\n"
+	    "usage: dsaparam [-C] [-genkey] [-in file]\n"
 	    "    [-inform format] [-noout] [-out file] [-outform format]\n"
 	    "    [-text] [numbits]\n\n");
 	options_usage(dsaparam_options);
@@ -222,10 +210,6 @@ dsaparam_main(int argc, char **argv)
 		}
 	}
 
-#ifndef OPENSSL_NO_ENGINE
-	setup_engine(bio_err, dsaparam_config.engine, 0);
-#endif
-
 	if (numbits > 0) {
 		BN_GENCB cb;
 		BN_GENCB_set(&cb, dsa_cb, bio_err);
diff --git a/usr.bin/openssl/ec.c b/usr.bin/openssl/ec.c
index b593e2b4a12..d5fe68f0d84 100644
--- a/usr.bin/openssl/ec.c
+++ b/usr.bin/openssl/ec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec.c,v 1.4 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: ec.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
 /*
  * Written by Nils Larsch for the OpenSSL project.
  */
@@ -75,9 +75,6 @@
 static struct {
 	int asn1_flag;
 	const EVP_CIPHER *enc;
-#ifndef OPENSSL_NO_ENGINE
-	char *engine;
-#endif
 	point_conversion_form_t form;
 	char *infile;
 	int informat;
@@ -153,15 +150,6 @@ static struct option ec_options[] = {
 		.type = OPTION_ARG_FUNC,
 		.opt.argfunc = ec_opt_form,
 	},
-#ifndef OPENSSL_NO_ENGINE
-	{
-		.name = "engine",
-		.argname = "id",
-		.desc = "Use the engine specified by the given identifier",
-		.type = OPTION_ARG,
-		.opt.arg = &ec_config.engine,
-	},
-#endif
 	{
 		.name = "in",
 		.argname = "file",
@@ -266,7 +254,7 @@ static void
 ec_usage(void)
 {
 	fprintf(stderr,
-	    "usage: ec [-conv_form form] [-engine id] [-in file]\n"
+	    "usage: ec [-conv_form form] [-in file]\n"
 	    "    [-inform format] [-noout] [-out file] [-outform format]\n"
 	    "    [-param_enc type] [-param_out] [-passin file]\n"
 	    "    [-passout file] [-pubin] [-pubout] [-text] [-ciphername]\n\n");
@@ -301,10 +289,6 @@ ec_main(int argc, char **argv)
 		goto end;
 	}
 
-#ifndef OPENSSL_NO_ENGINE
-	setup_engine(bio_err, ec_config.engine, 0);
-#endif
-
 	if (!app_passwd(bio_err, ec_config.passargin, ec_config.passargout,
 	    &passin, &passout)) {
 		BIO_printf(bio_err, "Error getting passwords\n");
diff --git a/usr.bin/openssl/ecparam.c b/usr.bin/openssl/ecparam.c
index b0b46a145d4..6adac863d5c 100644
--- a/usr.bin/openssl/ecparam.c
+++ b/usr.bin/openssl/ecparam.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecparam.c,v 1.12 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: ecparam.c,v 1.13 2015/09/11 14:30:23 bcook Exp $ */
 /*
  * Written by Nils Larsch for the OpenSSL project.
  */
@@ -95,7 +95,6 @@ static struct {
 	int asn1_flag;
 	int check;
 	char *curve_name;
-	char *engine;
 	point_conversion_form_t form;
 	int genkey;
 	char *infile;
@@ -161,15 +160,6 @@ struct option ecparam_options[] = {
 		.type = OPTION_ARG_FUNC,
 		.opt.argfunc = ecparam_opt_form,
 	},
-#ifndef OPENSSL_NO_ENGINE
-	{
-		.name = "engine",
-		.argname = "id",
-		.desc = "Use the engine specified by the given identifier",
-		.type = OPTION_ARG,
-		.opt.arg = &ecparam_config.engine,
-	},
-#endif
 	{
 		.name = "genkey",
 		.desc = "Generate an EC private key using the specified "
@@ -252,7 +242,7 @@ static void
 ecparam_usage(void)
 {
 	fprintf(stderr, "usage: ecparam [-C] [-check] [-conv_form arg] "
-	    "[-engine id] [-genkey]\n"
+	    " [-genkey]\n"
 	    "    [-in file] [-inform DER | PEM] [-list_curves] [-name arg]\n"
 	    "    [-no_seed] [-noout] [-out file] [-outform DER | PEM]\n"
 	    "    [-param_enc arg] [-text]\n\n");
@@ -303,10 +293,6 @@ ecparam_main(int argc, char **argv)
 		}
 	}
 
-#ifndef OPENSSL_NO_ENGINE
-	setup_engine(bio_err, ecparam_config.engine, 0);
-#endif
-
 	if (ecparam_config.list_curves) {
 		EC_builtin_curve *curves = NULL;
 		size_t crv_len = 0;
diff --git a/usr.bin/openssl/enc.c b/usr.bin/openssl/enc.c
index 3ba774053da..6eb804fd49c 100644
--- a/usr.bin/openssl/enc.c
+++ b/usr.bin/openssl/enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: enc.c,v 1.6 2015/09/10 16:01:06 jsing Exp $ */
+/* $OpenBSD: enc.c,v 1.7 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -85,9 +85,6 @@ static struct {
 	int do_zlib;
 #endif
 	int enc;
-#ifndef OPENSSL_NO_ENGINE
-	char *engine;
-#endif
 	char *hiv;
 	char *hkey;
 	char *hsalt;
@@ -171,15 +168,6 @@ static struct option enc_options[] = {
 		.opt.value = &enc_config.enc,
 		.value = 1,
 	},
-#ifndef OPENSSL_NO_ENGINE
-	{
-		.name = "engine",
-		.argname = "id",
-		.desc = "Use the engine specified by the given identifier",
-		.type = OPTION_ARG,
-		.opt.arg = &enc_config.engine,
-	},
-#endif
 	{
 		.name = "in",
 		.argname = "file",
@@ -317,7 +305,7 @@ enc_usage(void)
 {
 	fprintf(stderr, "usage: enc -ciphername [-AadePp] [-base64] "
 	    "[-bufsize number] [-debug]\n"
-	    "    [-engine id] [-in file] [-iv IV] [-K key] [-k password]\n"
+	    "    [-in file] [-iv IV] [-K key] [-k password]\n"
 	    "    [-kfile file] [-md digest] [-none] [-nopad] [-nosalt]\n"
 	    "    [-out file] [-pass arg] [-S salt] [-salt]\n\n");
 	options_usage(enc_options);
@@ -413,10 +401,6 @@ enc_main(int argc, char **argv)
 		enc_config.keystr = buf;
 	}
 
-#ifndef OPENSSL_NO_ENGINE
-	setup_engine(bio_err, enc_config.engine, 0);
-#endif
-
 	if (enc_config.md != NULL &&
 	    (dgst = EVP_get_digestbyname(enc_config.md)) == NULL) {
 		BIO_printf(bio_err,
diff --git a/usr.bin/openssl/engine.c b/usr.bin/openssl/engine.c
deleted file mode 100644
index 0dc30438873..00000000000
--- a/usr.bin/openssl/engine.c
+++ /dev/null
@@ -1,493 +0,0 @@
-/* $OpenBSD: engine.c,v 1.5 2015/08/22 16:36:05 jsing Exp $ */
-/* Written by Richard Levitte <richard@levitte.org> for the OpenSSL
- * project 2000.
- */
-/* ====================================================================
- * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing@OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include "apps.h"
-
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#include <openssl/err.h>
-#include <openssl/ssl.h>
-
-static const char *engine_usage[] = {
-	"usage: engine opts [engine ...]\n",
-	" -v[v[v[v]]] - verbose mode, for each engine, list its 'control commands'\n",
-	"               -vv will additionally display each command's description\n",
-	"               -vvv will also add the input flags for each command\n",
-	"               -vvvv will also show internal input flags\n",
-	" -c          - for each engine, also list the capabilities\n",
-	" -t[t]       - for each engine, check that they are really available\n",
-	"               -tt will display error trace for unavailable engines\n",
-	" -pre <cmd>  - runs command 'cmd' against the ENGINE before any attempts\n",
-	"               to load it (if -t is used)\n",
-	" -post <cmd> - runs command 'cmd' against the ENGINE after loading it\n",
-	"               (only used if -t is also provided)\n",
-	" NB: -pre and -post will be applied to all ENGINEs supplied on the command\n",
-	" line, or all supported ENGINEs if none are specified.\n",
-	" Eg. '-pre \"SO_PATH:/lib/libdriver.so\"' calls command \"SO_PATH\" with\n",
-	" argument \"/lib/libdriver.so\".\n",
-	NULL
-};
-
-static void
-identity(char *ptr)
-{
-	return;
-}
-
-static int
-append_buf(char **buf, const char *s, int *size, int step)
-{
-	if (*buf == NULL) {
-		*size = step;
-		*buf = malloc(*size);
-		if (*buf == NULL)
-			return 0;
-		**buf = '\0';
-	}
-
-	if (strlen(*buf) + strlen(s) >= (unsigned int) *size) {
-		*size += step;
-		*buf = realloc(*buf, *size);
-	}
-	if (*buf == NULL)
-		return 0;
-
-	if (**buf != '\0')
-		strlcat(*buf, ", ", *size);
-	strlcat(*buf, s, *size);
-
-	return 1;
-}
-
-static int
-util_flags(BIO * bio_out, unsigned int flags, const char *indent)
-{
-	int started = 0, err = 0;
-	/* Indent before displaying input flags */
-	BIO_printf(bio_out, "%s%s(input flags): ", indent, indent);
-	if (flags == 0) {
-		BIO_printf(bio_out, "<no flags>\n");
-		return 1;
-	}
-	/*
-	 * If the object is internal, mark it in a way that shows instead of
-	 * having it part of all the other flags, even if it really is.
-	 */
-	if (flags & ENGINE_CMD_FLAG_INTERNAL) {
-		BIO_printf(bio_out, "[Internal] ");
-	}
-	if (flags & ENGINE_CMD_FLAG_NUMERIC) {
-		BIO_printf(bio_out, "NUMERIC");
-		started = 1;
-	}
-	/*
-	 * Now we check that no combinations of the mutually exclusive
-	 * NUMERIC, STRING, and NO_INPUT flags have been used. Future flags
-	 * that can be OR'd together with these would need to added after
-	 * these to preserve the testing logic.
-	 */
-	if (flags & ENGINE_CMD_FLAG_STRING) {
-		if (started) {
-			BIO_printf(bio_out, "|");
-			err = 1;
-		}
-		BIO_printf(bio_out, "STRING");
-		started = 1;
-	}
-	if (flags & ENGINE_CMD_FLAG_NO_INPUT) {
-		if (started) {
-			BIO_printf(bio_out, "|");
-			err = 1;
-		}
-		BIO_printf(bio_out, "NO_INPUT");
-		started = 1;
-	}
-	/* Check for unknown flags */
-	flags = flags & ~ENGINE_CMD_FLAG_NUMERIC &
-	    ~ENGINE_CMD_FLAG_STRING &
-	    ~ENGINE_CMD_FLAG_NO_INPUT &
-	    ~ENGINE_CMD_FLAG_INTERNAL;
-	if (flags) {
-		if (started)
-			BIO_printf(bio_out, "|");
-		BIO_printf(bio_out, "<0x%04X>", flags);
-	}
-	if (err)
-		BIO_printf(bio_out, "  <illegal flags!>");
-	BIO_printf(bio_out, "\n");
-	return 1;
-}
-
-static int
-util_verbose(ENGINE * e, int verbose, BIO * bio_out, const char *indent)
-{
-	static const int line_wrap = 78;
-	int num;
-	int ret = 0;
-	char *name = NULL;
-	char *desc = NULL;
-	int flags;
-	int xpos = 0;
-	STACK_OF(OPENSSL_STRING) * cmds = NULL;
-	if (!ENGINE_ctrl(e, ENGINE_CTRL_HAS_CTRL_FUNCTION, 0, NULL, NULL) ||
-	    ((num = ENGINE_ctrl(e, ENGINE_CTRL_GET_FIRST_CMD_TYPE,
-			0, NULL, NULL)) <= 0)) {
-		return 1;
-	}
-	cmds = sk_OPENSSL_STRING_new_null();
-
-	if (!cmds)
-		goto err;
-	do {
-		int len;
-		/* Get the command input flags */
-		if ((flags = ENGINE_ctrl(e, ENGINE_CTRL_GET_CMD_FLAGS, num,
-			    NULL, NULL)) < 0)
-			goto err;
-		if (!(flags & ENGINE_CMD_FLAG_INTERNAL) || verbose >= 4) {
-			/* Get the command name */
-			if ((len = ENGINE_ctrl(e, ENGINE_CTRL_GET_NAME_LEN_FROM_CMD, num,
-				    NULL, NULL)) <= 0)
-				goto err;
-			if ((name = malloc(len + 1)) == NULL)
-				goto err;
-			if (ENGINE_ctrl(e, ENGINE_CTRL_GET_NAME_FROM_CMD, num, name,
-				NULL) <= 0)
-				goto err;
-			/* Get the command description */
-			if ((len = ENGINE_ctrl(e, ENGINE_CTRL_GET_DESC_LEN_FROM_CMD, num,
-				    NULL, NULL)) < 0)
-				goto err;
-			if (len > 0) {
-				if ((desc = malloc(len + 1)) == NULL)
-					goto err;
-				if (ENGINE_ctrl(e, ENGINE_CTRL_GET_DESC_FROM_CMD, num, desc,
-					NULL) <= 0)
-					goto err;
-			}
-			/* Now decide on the output */
-			if (xpos == 0)
-				/* Do an indent */
-				xpos = BIO_puts(bio_out, indent);
-			else
-				/* Otherwise prepend a ", " */
-				xpos += BIO_printf(bio_out, ", ");
-			if (verbose == 1) {
-				/* We're just listing names, comma-delimited */
-				if ((xpos > (int) strlen(indent)) &&
-				    (xpos + (int) strlen(name) > line_wrap)) {
-					BIO_printf(bio_out, "\n");
-					xpos = BIO_puts(bio_out, indent);
-				}
-				xpos += BIO_printf(bio_out, "%s", name);
-			} else {
-				/* We're listing names plus descriptions */
-				BIO_printf(bio_out, "%s: %s\n", name,
-				    (desc == NULL) ? "<no description>" : desc);
-				/* ... and sometimes input flags */
-				if ((verbose >= 3) && !util_flags(bio_out, flags,
-					indent))
-					goto err;
-				xpos = 0;
-			}
-		}
-		free(name);
-		name = NULL;
-		free(desc);
-		desc = NULL;
-
-		/* Move to the next command */
-		num = ENGINE_ctrl(e, ENGINE_CTRL_GET_NEXT_CMD_TYPE,
-		    num, NULL, NULL);
-	} while (num > 0);
-	if (xpos > 0)
-		BIO_printf(bio_out, "\n");
-	ret = 1;
-err:
-	if (cmds)
-		sk_OPENSSL_STRING_pop_free(cmds, identity);
-	free(name);
-	free(desc);
-	return ret;
-}
-
-static void
-util_do_cmds(ENGINE * e, STACK_OF(OPENSSL_STRING) * cmds,
-    BIO * bio_out, const char *indent)
-{
-	int loop, res, num = sk_OPENSSL_STRING_num(cmds);
-
-	if (num < 0) {
-		BIO_printf(bio_out, "[Error]: internal stack error\n");
-		return;
-	}
-	for (loop = 0; loop < num; loop++) {
-		char buf[256];
-		const char *cmd, *arg;
-		cmd = sk_OPENSSL_STRING_value(cmds, loop);
-		res = 1;	/* assume success */
-		/* Check if this command has no ":arg" */
-		if ((arg = strstr(cmd, ":")) == NULL) {
-			if (!ENGINE_ctrl_cmd_string(e, cmd, NULL, 0))
-				res = 0;
-		} else {
-			if ((int) (arg - cmd) > 254) {
-				BIO_printf(bio_out, "[Error]: command name too long\n");
-				return;
-			}
-			memcpy(buf, cmd, (int) (arg - cmd));
-			buf[arg - cmd] = '\0';
-			arg++;	/* Move past the ":" */
-			/* Call the command with the argument */
-			if (!ENGINE_ctrl_cmd_string(e, buf, arg, 0))
-				res = 0;
-		}
-		if (res)
-			BIO_printf(bio_out, "[Success]: %s\n", cmd);
-		else {
-			BIO_printf(bio_out, "[Failure]: %s\n", cmd);
-			ERR_print_errors(bio_out);
-		}
-	}
-}
-
-int
-engine_main(int argc, char **argv)
-{
-	int ret = 1, i;
-	const char **pp;
-	int verbose = 0, list_cap = 0, test_avail = 0, test_avail_noise = 0;
-	ENGINE *e;
-	STACK_OF(OPENSSL_STRING) * engines = sk_OPENSSL_STRING_new_null();
-	STACK_OF(OPENSSL_STRING) * pre_cmds = sk_OPENSSL_STRING_new_null();
-	STACK_OF(OPENSSL_STRING) * post_cmds = sk_OPENSSL_STRING_new_null();
-	int badops = 1;
-	BIO *bio_out = NULL;
-	const char *indent = "     ";
-
-	bio_out = BIO_new_fp(stdout, BIO_NOCLOSE);
-
-	argc--;
-	argv++;
-	while (argc >= 1) {
-		if (strncmp(*argv, "-v", 2) == 0) {
-			if (strspn(*argv + 1, "v") < strlen(*argv + 1))
-				goto skip_arg_loop;
-			if ((verbose = strlen(*argv + 1)) > 4)
-				goto skip_arg_loop;
-		} else if (strcmp(*argv, "-c") == 0)
-			list_cap = 1;
-		else if (strncmp(*argv, "-t", 2) == 0) {
-			test_avail = 1;
-			if (strspn(*argv + 1, "t") < strlen(*argv + 1))
-				goto skip_arg_loop;
-			if ((test_avail_noise = strlen(*argv + 1) - 1) > 1)
-				goto skip_arg_loop;
-		} else if (strcmp(*argv, "-pre") == 0) {
-			argc--;
-			argv++;
-			if (argc == 0)
-				goto skip_arg_loop;
-			sk_OPENSSL_STRING_push(pre_cmds, *argv);
-		} else if (strcmp(*argv, "-post") == 0) {
-			argc--;
-			argv++;
-			if (argc == 0)
-				goto skip_arg_loop;
-			sk_OPENSSL_STRING_push(post_cmds, *argv);
-		} else if ((strncmp(*argv, "-h", 2) == 0) ||
-		    (strcmp(*argv, "-?") == 0))
-			goto skip_arg_loop;
-		else
-			sk_OPENSSL_STRING_push(engines, *argv);
-		argc--;
-		argv++;
-	}
-	/* Looks like everything went OK */
-	badops = 0;
-skip_arg_loop:
-
-	if (badops) {
-		for (pp = engine_usage; (*pp != NULL); pp++)
-			BIO_printf(bio_err, "%s", *pp);
-		goto end;
-	}
-	if (sk_OPENSSL_STRING_num(engines) == 0) {
-		for (e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e)) {
-			sk_OPENSSL_STRING_push(engines, (char *) ENGINE_get_id(e));
-		}
-	}
-	for (i = 0; i < sk_OPENSSL_STRING_num(engines); i++) {
-		const char *id = sk_OPENSSL_STRING_value(engines, i);
-		if ((e = ENGINE_by_id(id)) != NULL) {
-			const char *name = ENGINE_get_name(e);
-			/* Do "id" first, then "name". Easier to auto-parse. */
-			BIO_printf(bio_out, "(%s) %s\n", id, name);
-			util_do_cmds(e, pre_cmds, bio_out, indent);
-			if (strcmp(ENGINE_get_id(e), id) != 0) {
-				BIO_printf(bio_out, "Loaded: (%s) %s\n",
-				    ENGINE_get_id(e), ENGINE_get_name(e));
-			}
-			if (list_cap) {
-				int cap_size = 256;
-				char *cap_buf = NULL;
-				int k, n;
-				const int *nids;
-				ENGINE_CIPHERS_PTR fn_c;
-				ENGINE_DIGESTS_PTR fn_d;
-				ENGINE_PKEY_METHS_PTR fn_pk;
-
-				if (ENGINE_get_RSA(e) != NULL
-				    && !append_buf(&cap_buf, "RSA",
-					&cap_size, 256))
-					goto end;
-				if (ENGINE_get_DSA(e) != NULL
-				    && !append_buf(&cap_buf, "DSA",
-					&cap_size, 256))
-					goto end;
-				if (ENGINE_get_DH(e) != NULL
-				    && !append_buf(&cap_buf, "DH",
-					&cap_size, 256))
-					goto end;
-				if (ENGINE_get_RAND(e) != NULL
-				    && !append_buf(&cap_buf, "RAND",
-					&cap_size, 256))
-					goto end;
-
-				fn_c = ENGINE_get_ciphers(e);
-				if (!fn_c)
-					goto skip_ciphers;
-				n = fn_c(e, NULL, &nids, 0);
-				for (k = 0; k < n; ++k)
-					if (!append_buf(&cap_buf,
-						OBJ_nid2sn(nids[k]),
-						&cap_size, 256))
-						goto end;
-
-		skip_ciphers:
-				fn_d = ENGINE_get_digests(e);
-				if (!fn_d)
-					goto skip_digests;
-				n = fn_d(e, NULL, &nids, 0);
-				for (k = 0; k < n; ++k)
-					if (!append_buf(&cap_buf,
-						OBJ_nid2sn(nids[k]),
-						&cap_size, 256))
-						goto end;
-
-		skip_digests:
-				fn_pk = ENGINE_get_pkey_meths(e);
-				if (!fn_pk)
-					goto skip_pmeths;
-				n = fn_pk(e, NULL, &nids, 0);
-				for (k = 0; k < n; ++k)
-					if (!append_buf(&cap_buf,
-						OBJ_nid2sn(nids[k]),
-						&cap_size, 256))
-						goto end;
-		skip_pmeths:
-				if (cap_buf && (*cap_buf != '\0'))
-					BIO_printf(bio_out, " [%s]\n", cap_buf);
-
-				free(cap_buf);
-			}
-			if (test_avail) {
-				BIO_printf(bio_out, "%s", indent);
-				if (ENGINE_init(e)) {
-					BIO_printf(bio_out, "[ available ]\n");
-					util_do_cmds(e, post_cmds, bio_out, indent);
-					/*
-					 * XXX hell lacks a place for people who write functions with
-					 * XXX unusable return semantics.
-					 */
-					if (ENGINE_finish(e) != 0 ||
-					    ERR_GET_REASON(ERR_peek_last_error()) ==
-					    ENGINE_R_FINISH_FAILED)
-						e = NULL;
-				} else {
-					BIO_printf(bio_out, "[ unavailable ]\n");
-					if (test_avail_noise)
-						ERR_print_errors_fp(stdout);
-					ERR_clear_error();
-				}
-			}
-			if ((verbose > 0) && e != NULL &&
-			    !util_verbose(e, verbose, bio_out, indent))
-				goto end;
-			ENGINE_free(e);
-		} else
-			ERR_print_errors(bio_err);
-	}
-
-	ret = 0;
-end:
-
-	ERR_print_errors(bio_err);
-	sk_OPENSSL_STRING_pop_free(engines, identity);
-	sk_OPENSSL_STRING_pop_free(pre_cmds, identity);
-	sk_OPENSSL_STRING_pop_free(post_cmds, identity);
-	if (bio_out != NULL)
-		BIO_free_all(bio_out);
-
-	return (ret);
-}
-#endif
diff --git a/usr.bin/openssl/gendh.c b/usr.bin/openssl/gendh.c
index 38186f03075..208906e24c2 100644
--- a/usr.bin/openssl/gendh.c
+++ b/usr.bin/openssl/gendh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gendh.c,v 1.4 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: gendh.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -87,9 +87,6 @@
 static int dh_cb(int p, int n, BN_GENCB * cb);
 
 static struct {
-#ifndef OPENSSL_NO_ENGINE
-	char *engine;
-#endif
 	int g;
 	char *outfile;
 } gendh_config;
@@ -110,15 +107,6 @@ static struct option gendh_options[] = {
 		.value = 5,
 		.opt.value = &gendh_config.g,
 	},
-#ifndef OPENSSL_NO_ENGINE
-	{
-		.name = "engine",
-		.argname = "id",
-		.desc = "Use the engine specified by the given identifier",
-		.type = OPTION_ARG,
-		.opt.arg = &gendh_config.engine,
-	},
-#endif
 	{
 		.name = "out",
 		.argname = "file",
@@ -133,7 +121,7 @@ static void
 gendh_usage(void)
 {
 	fprintf(stderr,
-	    "usage: gendh [-2 | -5] [-engine id] [-out file] [numbits]\n\n");
+	    "usage: gendh [-2 | -5] [-out file] [numbits]\n\n");
 	options_usage(gendh_options);
 }
 
@@ -166,10 +154,6 @@ gendh_main(int argc, char **argv)
 		}
 	}
 
-#ifndef OPENSSL_NO_ENGINE
-	setup_engine(bio_err, gendh_config.engine, 0);
-#endif
-
 	out = BIO_new(BIO_s_file());
 	if (out == NULL) {
 		ERR_print_errors(bio_err);
diff --git a/usr.bin/openssl/gendsa.c b/usr.bin/openssl/gendsa.c
index 4fbd0dce31c..ee2d6ba1b63 100644
--- a/usr.bin/openssl/gendsa.c
+++ b/usr.bin/openssl/gendsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gendsa.c,v 1.3 2015/09/10 02:17:17 lteo Exp $ */
+/* $OpenBSD: gendsa.c,v 1.4 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -84,9 +84,6 @@ gendsa_main(int argc, char **argv)
 	char *passargout = NULL, *passout = NULL;
 	BIO *out = NULL, *in = NULL;
 	const EVP_CIPHER *enc = NULL;
-#ifndef OPENSSL_NO_ENGINE
-	char *engine = NULL;
-#endif
 
 	argv++;
 	argc--;
@@ -102,13 +99,6 @@ gendsa_main(int argc, char **argv)
 				goto bad;
 			passargout = *(++argv);
 		}
-#ifndef OPENSSL_NO_ENGINE
-		else if (strcmp(*argv, "-engine") == 0) {
-			if (--argc < 1)
-				goto bad;
-			engine = *(++argv);
-		}
-#endif
 		else if (strcmp(*argv, "-") == 0)
 			goto bad;
 #ifndef OPENSSL_NO_DES
@@ -164,17 +154,10 @@ bad:
 		BIO_printf(bio_err, " -camellia128, -camellia192, -camellia256\n");
 		BIO_printf(bio_err, "                 encrypt PEM output with cbc camellia\n");
 #endif
-#ifndef OPENSSL_NO_ENGINE
-		BIO_printf(bio_err, " -engine e - use engine e, possibly a hardware device.\n");
-#endif
 		BIO_printf(bio_err, " dsaparam-file\n");
 		BIO_printf(bio_err, "           - a DSA parameter file as generated by the dsaparam command\n");
 		goto end;
 	}
-#ifndef OPENSSL_NO_ENGINE
-	setup_engine(bio_err, engine, 0);
-#endif
-
 	if (!app_passwd(bio_err, NULL, passargout, NULL, &passout)) {
 		BIO_printf(bio_err, "Error getting password\n");
 		goto end;
diff --git a/usr.bin/openssl/genpkey.c b/usr.bin/openssl/genpkey.c
index 1ebc4e7d3cf..d76e2febd89 100644
--- a/usr.bin/openssl/genpkey.c
+++ b/usr.bin/openssl/genpkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: genpkey.c,v 1.4 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: genpkey.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006
  */
@@ -65,19 +65,13 @@
 #include <openssl/evp.h>
 #include <openssl/pem.h>
 
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
-
 static int
-init_keygen_file(BIO * err, EVP_PKEY_CTX ** pctx, const char *file,
-    ENGINE * e);
+init_keygen_file(BIO * err, EVP_PKEY_CTX ** pctx, const char *file);
 static int genpkey_cb(EVP_PKEY_CTX * ctx);
 
 int
 genpkey_main(int argc, char **argv)
 {
-	ENGINE *e = NULL;
 	char **args, *outfile = NULL;
 	char *passarg = NULL;
 	BIO *in = NULL, *out = NULL;
@@ -107,20 +101,13 @@ genpkey_main(int argc, char **argv)
 				goto bad;
 			passarg = *(++args);
 		}
-#ifndef OPENSSL_NO_ENGINE
-		else if (strcmp(*args, "-engine") == 0) {
-			if (!args[1])
-				goto bad;
-			e = setup_engine(bio_err, *(++args), 0);
-		}
-#endif
 		else if (!strcmp(*args, "-paramfile")) {
 			if (!args[1])
 				goto bad;
 			args++;
 			if (do_param == 1)
 				goto bad;
-			if (!init_keygen_file(bio_err, &ctx, *args, e))
+			if (!init_keygen_file(bio_err, &ctx, *args))
 				goto end;
 		} else if (!strcmp(*args, "-out")) {
 			if (args[1]) {
@@ -131,7 +118,7 @@ genpkey_main(int argc, char **argv)
 		} else if (strcmp(*args, "-algorithm") == 0) {
 			if (!args[1])
 				goto bad;
-			if (!init_gen_str(bio_err, &ctx, *(++args), e, do_param))
+			if (!init_gen_str(bio_err, &ctx, *(++args), do_param))
 				goto end;
 		} else if (strcmp(*args, "-pkeyopt") == 0) {
 			if (!args[1])
@@ -174,9 +161,6 @@ bad:
 		BIO_printf(bio_err, "-outform X         output format (DER or PEM)\n");
 		BIO_printf(bio_err, "-pass arg          output file pass phrase source\n");
 		BIO_printf(bio_err, "-<cipher>          use cipher <cipher> to encrypt the key\n");
-#ifndef OPENSSL_NO_ENGINE
-		BIO_printf(bio_err, "-engine e          use engine e, possibly a hardware device.\n");
-#endif
 		BIO_printf(bio_err, "-paramfile file    parameters file\n");
 		BIO_printf(bio_err, "-algorithm alg     the public key algorithm\n");
 		BIO_printf(bio_err, "-pkeyopt opt:value set the public key algorithm option <opt>\n"
@@ -261,7 +245,7 @@ end:
 
 static int
 init_keygen_file(BIO * err, EVP_PKEY_CTX ** pctx,
-    const char *file, ENGINE * e)
+    const char *file)
 {
 	BIO *pbio;
 	EVP_PKEY *pkey = NULL;
@@ -282,7 +266,7 @@ init_keygen_file(BIO * err, EVP_PKEY_CTX ** pctx,
 		BIO_printf(bio_err, "Error reading parameter file %s\n", file);
 		return 0;
 	}
-	ctx = EVP_PKEY_CTX_new(pkey, e);
+	ctx = EVP_PKEY_CTX_new(pkey, NULL);
 	if (!ctx)
 		goto err;
 	if (EVP_PKEY_keygen_init(ctx) <= 0)
@@ -304,23 +288,17 @@ err:
 
 int
 init_gen_str(BIO * err, EVP_PKEY_CTX ** pctx,
-    const char *algname, ENGINE * e, int do_param)
+    const char *algname, int do_param)
 {
 	EVP_PKEY_CTX *ctx = NULL;
 	const EVP_PKEY_ASN1_METHOD *ameth;
-	ENGINE *tmpeng = NULL;
 	int pkey_id;
 
 	if (*pctx) {
 		BIO_puts(err, "Algorithm already set!\n");
 		return 0;
 	}
-	ameth = EVP_PKEY_asn1_find_str(&tmpeng, algname, -1);
-
-#ifndef OPENSSL_NO_ENGINE
-	if (!ameth && e)
-		ameth = ENGINE_get_pkey_asn1_meth_str(e, algname, -1);
-#endif
+	ameth = EVP_PKEY_asn1_find_str(NULL, algname, -1);
 
 	if (!ameth) {
 		BIO_printf(bio_err, "Algorithm %s not found\n", algname);
@@ -329,11 +307,7 @@ init_gen_str(BIO * err, EVP_PKEY_CTX ** pctx,
 	ERR_clear_error();
 
 	EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth);
-#ifndef OPENSSL_NO_ENGINE
-	if (tmpeng)
-		ENGINE_finish(tmpeng);
-#endif
-	ctx = EVP_PKEY_CTX_new_id(pkey_id, e);
+	ctx = EVP_PKEY_CTX_new_id(pkey_id, NULL);
 
 	if (!ctx)
 		goto err;
diff --git a/usr.bin/openssl/genrsa.c b/usr.bin/openssl/genrsa.c
index 99f2bf36418..9f78f0d65d8 100644
--- a/usr.bin/openssl/genrsa.c
+++ b/usr.bin/openssl/genrsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: genrsa.c,v 1.4 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: genrsa.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -89,9 +89,6 @@ int
 genrsa_main(int argc, char **argv)
 {
 	BN_GENCB cb;
-#ifndef OPENSSL_NO_ENGINE
-	ENGINE *e = NULL;
-#endif
 	int ret = 1;
 	int i, num = DEFBITS;
 	long l;
@@ -99,9 +96,6 @@ genrsa_main(int argc, char **argv)
 	unsigned long f4 = RSA_F4;
 	char *outfile = NULL;
 	char *passargout = NULL, *passout = NULL;
-#ifndef OPENSSL_NO_ENGINE
-	char *engine = NULL;
-#endif
 	BIO *out = NULL;
 	BIGNUM *bn = BN_new();
 	RSA *rsa = NULL;
@@ -128,13 +122,6 @@ genrsa_main(int argc, char **argv)
 			f4 = 3;
 		else if (strcmp(*argv, "-F4") == 0 || strcmp(*argv, "-f4") == 0)
 			f4 = RSA_F4;
-#ifndef OPENSSL_NO_ENGINE
-		else if (strcmp(*argv, "-engine") == 0) {
-			if (--argc < 1)
-				goto bad;
-			engine = *(++argv);
-		}
-#endif
 #ifndef OPENSSL_NO_DES
 		else if (strcmp(*argv, "-des") == 0)
 			enc = EVP_des_cbc();
@@ -190,9 +177,6 @@ bad:
 		BIO_printf(bio_err, " -passout arg    output file pass phrase source\n");
 		BIO_printf(bio_err, " -f4             use F4 (0x10001) for the E value\n");
 		BIO_printf(bio_err, " -3              use 3 for the E value\n");
-#ifndef OPENSSL_NO_ENGINE
-		BIO_printf(bio_err, " -engine e       use engine e, possibly a hardware device.\n");
-#endif
 		goto err;
 	}
 
@@ -200,9 +184,6 @@ bad:
 		BIO_printf(bio_err, "Error getting password\n");
 		goto err;
 	}
-#ifndef OPENSSL_NO_ENGINE
-	e = setup_engine(bio_err, engine, 0);
-#endif
 
 	if (outfile == NULL) {
 		BIO_set_fp(out, stdout, BIO_NOCLOSE);
@@ -215,11 +196,7 @@ bad:
 
 	BIO_printf(bio_err, "Generating RSA private key, %d bit long modulus\n",
 	    num);
-#ifdef OPENSSL_NO_ENGINE
 	rsa = RSA_new();
-#else
-	rsa = RSA_new_method(e);
-#endif
 	if (!rsa)
 		goto err;
 
diff --git a/usr.bin/openssl/ocsp.c b/usr.bin/openssl/ocsp.c
index ab5a7557130..39000328b63 100644
--- a/usr.bin/openssl/ocsp.c
+++ b/usr.bin/openssl/ocsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp.c,v 1.3 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: ocsp.c,v 1.4 2015/09/11 14:30:23 bcook Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -105,7 +105,6 @@ static OCSP_RESPONSE *query_responder(BIO * err, BIO * cbio, char *path,
 int
 ocsp_main(int argc, char **argv)
 {
-	ENGINE *e = NULL;
 	char **args;
 	char *host = NULL, *port = NULL, *path = "/";
 	char *reqin = NULL, *respin = NULL;
@@ -335,7 +334,7 @@ ocsp_main(int argc, char **argv)
 				args++;
 				X509_free(issuer);
 				issuer = load_cert(bio_err, *args, FORMAT_PEM,
-				    NULL, e, "issuer certificate");
+				    NULL, "issuer certificate");
 				if (!issuer)
 					goto end;
 			} else
@@ -345,7 +344,7 @@ ocsp_main(int argc, char **argv)
 				args++;
 				X509_free(cert);
 				cert = load_cert(bio_err, *args, FORMAT_PEM,
-				    NULL, e, "certificate");
+				    NULL, "certificate");
 				if (!cert)
 					goto end;
 				if (!cert_id_md)
@@ -531,20 +530,20 @@ ocsp_main(int argc, char **argv)
 		if (!rkeyfile)
 			rkeyfile = rsignfile;
 		rsigner = load_cert(bio_err, rsignfile, FORMAT_PEM,
-		    NULL, e, "responder certificate");
+		    NULL, "responder certificate");
 		if (!rsigner) {
 			BIO_printf(bio_err, "Error loading responder certificate\n");
 			goto end;
 		}
 		rca_cert = load_cert(bio_err, rca_filename, FORMAT_PEM,
-		    NULL, e, "CA certificate");
+		    NULL, "CA certificate");
 		if (rcertfile) {
 			rother = load_certs(bio_err, rcertfile, FORMAT_PEM,
-			    NULL, e, "responder other certificates");
+			    NULL, "responder other certificates");
 			if (!rother)
 				goto end;
 		}
-		rkey = load_key(bio_err, rkeyfile, FORMAT_PEM, 0, NULL, NULL,
+		rkey = load_key(bio_err, rkeyfile, FORMAT_PEM, 0, NULL,
 		    "responder private key");
 		if (!rkey)
 			goto end;
@@ -574,18 +573,18 @@ redo_accept:
 		if (!keyfile)
 			keyfile = signfile;
 		signer = load_cert(bio_err, signfile, FORMAT_PEM,
-		    NULL, e, "signer certificate");
+		    NULL, "signer certificate");
 		if (!signer) {
 			BIO_printf(bio_err, "Error loading signer certificate\n");
 			goto end;
 		}
 		if (sign_certfile) {
 			sign_other = load_certs(bio_err, sign_certfile, FORMAT_PEM,
-			    NULL, e, "signer certificates");
+			    NULL, "signer certificates");
 			if (!sign_other)
 				goto end;
 		}
-		key = load_key(bio_err, keyfile, FORMAT_PEM, 0, NULL, NULL,
+		key = load_key(bio_err, keyfile, FORMAT_PEM, 0, NULL,
 		    "signer private key");
 		if (!key)
 			goto end;
@@ -690,7 +689,7 @@ done_resp:
 		goto end;
 	if (verify_certfile) {
 		verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM,
-		    NULL, e, "validator certificate");
+		    NULL, "validator certificate");
 		if (!verify_other)
 			goto end;
 	}
diff --git a/usr.bin/openssl/openssl.1 b/usr.bin/openssl/openssl.1
index 89b1979e2e6..7e4937207d3 100644
--- a/usr.bin/openssl/openssl.1
+++ b/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.21 2015/09/11 06:43:05 jmc Exp $
+.\" $OpenBSD: openssl.1,v 1.22 2015/09/11 14:30:23 bcook Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -284,8 +284,6 @@ Elliptic curve (EC) key processing.
 EC parameter manipulation and generation.
 .It Cm enc
 Encoding with ciphers.
-.It Cm engine
-Engine (loadable module) information and manipulation.
 .It Cm errstr
 Error number to error string conversion.
 .It Cm gendh
@@ -703,7 +701,6 @@ The output of some ASN.1 types is not well handled
 .Op Fl crlhours Ar hours
 .Op Fl days Ar arg
 .Op Fl enddate Ar date
-.Op Fl engine Ar id
 .Op Fl extensions Ar section
 .Op Fl extfile Ar section
 .Op Fl gencrl
@@ -711,7 +708,7 @@ The output of some ASN.1 types is not well handled
 .Op Fl infiles
 .Op Fl key Ar keyfile
 .Op Fl keyfile Ar arg
-.Op Fl keyform Ar ENGINE | PEM
+.Op Fl keyform Ar PEM
 .Op Fl md Ar arg
 .Op Fl msie_hack
 .Op Fl name Ar section
@@ -757,14 +754,6 @@ The number of days to certify the certificate for.
 This allows the expiry date to be explicitly set.
 The format of the date is YYMMDDHHMMSSZ
 .Pq the same as an ASN1 UTCTime structure .
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm ca
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl extensions Ar section
 The section of the configuration file containing certificate extensions
 to be added when a certificate is issued (defaults to
@@ -800,7 +789,7 @@ with the
 utility) this option should be used with caution.
 .It Fl keyfile Ar file
 The private key to sign requests with.
-.It Fl keyform Ar ENGINE | PEM
+.It Fl keyform Ar PEM
 Private key file format.
 .It Fl md Ar alg
 The message digest to use.
@@ -1811,10 +1800,9 @@ install user certificates and CAs in MSIE using the Xenroll control.
 .Oc
 .Op Fl binary
 .Op Fl cd
-.Op Fl engine Ar id
 .Op Fl hex
 .Op Fl hmac Ar key
-.Op Fl keyform Ar ENGINE | PEM
+.Op Fl keyform Ar PEM
 .Op Fl mac Ar algorithm
 .Op Fl macopt Ar nm : Ns Ar v
 .Op Fl out Ar file
@@ -1853,16 +1841,6 @@ Print out the digest in two-digit groups separated by colons; only relevant if
 format output is used.
 .It Fl d
 Print out BIO debugging information.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm dgst
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
-This engine is not used as a source for digest algorithms
-unless it is also specified in the configuration file.
 .It Fl hex
 Digest is to be output as a hex dump.
 This is the default case for a
@@ -1871,7 +1849,7 @@ digest as opposed to a digital signature.
 .It Fl hmac Ar key
 Create a hashed MAC using
 .Ar key .
-.It Fl keyform Ar ENGINE | PEM
+.It Fl keyform Ar PEM
 Specifies the key format to sign the digest with.
 .It Fl mac Ar algorithm
 Create a keyed Message Authentication Code (MAC).
@@ -1963,7 +1941,6 @@ below.
 .Op Fl C
 .Op Fl check
 .Op Fl dsaparam
-.Op Fl engine Ar id
 .Op Fl in Ar file
 .Op Fl inform Ar DER | PEM
 .Op Fl noout
@@ -2008,14 +1985,6 @@ which makes DH key exchange more efficient.
 Beware that with such DSA-style DH parameters,
 a fresh DH key should be created for each use to
 avoid small-subgroup attacks that may be possible otherwise.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm dhparam
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar file
 This specifies the input
 .Ar file
@@ -2109,7 +2078,6 @@ option was added in
 .Fl aes128 | aes192 | aes256 |
 .Fl des | des3
 .Oc
-.Op Fl engine Ar id
 .Op Fl in Ar file
 .Op Fl inform Ar DER | PEM
 .Op Fl modulus
@@ -2154,14 +2122,6 @@ remove the pass phrase from a key,
 or by setting the encryption options it can be use to add or change
 the pass phrase.
 These options can only be used with PEM format output files.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm dsa
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar file
 This specifies the input
 .Ar file
@@ -2267,7 +2227,6 @@ To just output the public part of a private key:
 .Nm "openssl dsaparam"
 .Bk -words
 .Op Fl C
-.Op Fl engine Ar id
 .Op Fl genkey
 .Op Fl in Ar file
 .Op Fl inform Ar DER | PEM
@@ -2290,14 +2249,6 @@ This option converts the parameters into C code.
 The parameters can then be loaded by calling the
 .Cm get_dsa Ns Ar XXX Ns Li ()
 function.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm dsaparam
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl genkey
 This option will generate a DSA either using the specified or generated
 parameters.
@@ -2362,7 +2313,6 @@ DSA parameters is often used to generate several distinct keys.
 .Op Fl conv_form Ar arg
 .Op Fl des
 .Op Fl des3
-.Op Fl engine Ar id
 .Op Fl in Ar file
 .Op Fl inform Ar DER | PEM
 .Op Fl noout
@@ -2428,14 +2378,6 @@ encryption option can be used to remove the pass phrase from a key,
 or by setting the encryption options
 it can be use to add or change the pass phrase.
 These options can only be used with PEM format output files.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm ec
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar file
 This specifies the input filename to read a key from,
 or standard input if this option is not specified.
@@ -2567,7 +2509,6 @@ command was first introduced in
 .Op Fl C
 .Op Fl check
 .Op Fl conv_form Ar arg
-.Op Fl engine Ar id
 .Op Fl genkey
 .Op Fl in Ar file
 .Op Fl inform Ar DER | PEM
@@ -2611,14 +2552,6 @@ option is disabled by default for binary curves
 and can be enabled by defining the preprocessor macro
 .Ar OPENSSL_EC_BIN_PT_COMP
 at compile time.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm ecparam
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl genkey
 Generate an EC private key using the specified parameters.
 .It Fl in Ar file
@@ -2736,7 +2669,6 @@ command was first introduced in
 .Op Fl base64
 .Op Fl bufsize Ar number
 .Op Fl debug
-.Op Fl engine Ar id
 .Op Fl in Ar file
 .Op Fl iv Ar IV
 .Op Fl K Ar key
@@ -2779,14 +2711,6 @@ Decrypt the input data.
 Debug the BIOs used for I/O.
 .It Fl e
 Encrypt the input data: this is the default.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm enc
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar file
 The input
 .Ar file ;
@@ -2918,25 +2842,6 @@ The program can be called either as
 .Nm openssl ciphername
 or
 .Nm openssl enc -ciphername .
-But the first form doesn't work with engine-provided ciphers,
-because this form is processed before the
-configuration file is read and any engines loaded.
-.Pp
-Engines which provide entirely new encryption algorithms
-should be configured in the configuration file.
-Engines, specified on the command line using the
-.Fl engine
-option,
-can only be used for hardware-assisted implementations of ciphers,
-supported by
-.Nm OpenSSL
-core, or by other engines specified in the configuration file.
-.Pp
-When
-.Nm enc
-lists supported ciphers,
-ciphers provided by engines specified in the configuration files
-are listed too.
 .Pp
 A password will be prompted for to derive the
 .Ar key
@@ -3077,56 +2982,6 @@ program only supports a fixed number of algorithms with certain parameters.
 Therefore it is not possible to use RC2 with a 76-bit key
 or RC4 with an 84-bit key with this program.
 .\"
-.\" ENGINE
-.\"
-.Sh ENGINE
-.Nm openssl engine
-.Op Fl ctv
-.Op Fl post Ar cmd
-.Op Fl pre Ar cmd
-.Op Ar engine ...
-.Pp
-The
-.Nm engine
-command provides loadable module information and manipulation
-of various engines.
-Any options are applied to all engines supplied on the command line,
-or all supported engines if none are specified.
-.Pp
-The options are as follows:
-.Bl -tag -width Ds
-.It Fl c
-For each engine, also list the capabilities.
-.It Fl post Ar cmd
-Run command
-.Ar cmd
-against the engine after loading it
-(only used if
-.Fl t
-is also provided).
-.It Fl pre Ar cmd
-Run command
-.Ar cmd
-against the engine before any attempts
-to load it
-(only used if
-.Fl t
-is also provided).
-.It Fl t
-For each engine, check that they are really available.
-.Fl tt
-will display an error trace for unavailable engines.
-.It Fl v
-Verbose mode.
-For each engine, list its 'control commands'.
-.Fl vv
-will additionally display each command's description.
-.Fl vvv
-will also add the input flags for each command.
-.Fl vvvv
-will also show internal input flags.
-.El
-.\"
 .\" ERRSTR
 .\"
 .Sh ERRSTR
@@ -3192,7 +3047,6 @@ above.
 .Fl aes128 | aes192 | aes256 |
 .Fl des | des3
 .Oc
-.Op Fl engine Ar id
 .Op Fl out Ar file
 .Op Ar paramfile
 .Ek
@@ -3215,14 +3069,6 @@ These options encrypt the private key with the AES, DES,
 or the triple DES ciphers, respectively, before outputting it.
 A pass phrase is prompted for.
 If none of these options are specified, no encryption is used.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm gendsa
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl out Ar file
 The output
 .Ar file .
@@ -3246,7 +3092,6 @@ much quicker than RSA key generation, for example.
 .Bk -words
 .Op Fl algorithm Ar alg
 .Op Ar cipher
-.Op Fl engine Ar id
 .Op Fl genparam
 .Op Fl out Ar file
 .Op Fl outform Ar DER | PEM
@@ -3262,8 +3107,7 @@ The
 command generates private keys.
 The use of this
 program is encouraged over the algorithm specific utilities
-because additional algorithm options
-and engine-provided algorithms can be used.
+because additional algorithm options can be used.
 .Pp
 The options are as follows:
 .Bl -tag -width Ds
@@ -3284,14 +3128,6 @@ Any algorithm name accepted by
 .Fn EVP_get_cipherbyname
 is acceptable, such as
 .Cm des3 .
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm genpkey
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl genparam
 Generate a set of parameters instead of a private key.
 If used this option must precede any
@@ -3422,7 +3258,6 @@ $ openssl genpkey -paramfile dhp.pem -out dhkey.pem
 .Fl aes128 | aes192 | aes256 |
 .Fl des | des3
 .Oc
-.Op Fl engine Ar id
 .Op Fl out Ar file
 .Op Fl passout Ar arg
 .Op Ar numbits
@@ -3449,14 +3284,6 @@ If encryption is used, a pass phrase is prompted for,
 if it is not supplied via the
 .Fl passout
 option.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm genrsa
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl out Ar file
 The output
 .Ar file .
@@ -4129,7 +3956,6 @@ prints
 .nr nS 1
 .Nm "openssl pkcs7"
 .Bk -words
-.Op Fl engine Ar id
 .Op Fl in Ar file
 .Op Fl inform Ar DER | PEM
 .Op Fl noout
@@ -4146,14 +3972,6 @@ command processes PKCS#7 files in DER or PEM format.
 .Pp
 The options are as follows:
 .Bl -tag -width Ds
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm pkcs7
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar file
 This specifies the input
 .Ar file
@@ -4218,7 +4036,6 @@ They cannot currently parse, for example, the new CMS as described in RFC 2630.
 .Nm "openssl pkcs8"
 .Bk -words
 .Op Fl embed
-.Op Fl engine Ar id
 .Op Fl in Ar file
 .Op Fl inform Ar DER | PEM
 .Op Fl nocrypt
@@ -4254,14 +4071,6 @@ In this form the OCTET STRING contains an ASN1 SEQUENCE consisting of
 two structures:
 a SEQUENCE containing the parameters and an ASN1 INTEGER containing
 the private key.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm pkcs8
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar file
 This specifies the input
 .Ar file
@@ -4484,7 +4293,6 @@ compatibility, several of the utilities use the old format at present.
 .Op Fl clcerts
 .Op Fl CSP Ar name
 .Op Fl descert
-.Op Fl engine Ar id
 .Op Fl export
 .Op Fl in Ar file
 .Op Fl info
@@ -4631,14 +4439,6 @@ file unreadable by some
 software.
 By default, the private key is encrypted using triple DES and the
 certificate using 40-bit RC2.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm pkcs12
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl export
 This option specifies that a PKCS#12 file will be created rather than
 parsed.
@@ -4844,7 +4644,6 @@ $ openssl -in keycerts.pem -export -name "My PKCS#12 file" \e
 .Nm "openssl pkey"
 .Bk -words
 .Op Ar cipher
-.Op Fl engine Ar id
 .Op Fl in Ar file
 .Op Fl inform Ar DER | PEM
 .Op Fl noout
@@ -4873,14 +4672,6 @@ Any algorithm name accepted by
 .Fn EVP_get_cipherbyname
 is acceptable, such as
 .Cm des3 .
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm pkey
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar file
 This specifies the input filename to read a key from,
 or standard input if this option is not specified.
@@ -4966,7 +4757,6 @@ $ openssl pkey -in key.pem -pubout -out pubkey.pem
 .\"
 .Sh PKEYPARAM
 .Cm openssl pkeyparam
-.Op Fl engine Ar id
 .Op Fl in Ar file
 .Op Fl noout
 .Op Fl out Ar file
@@ -4979,14 +4769,6 @@ They can be converted between various forms and their components printed out.
 .Pp
 The options are as follows:
 .Bl -tag -width Ds
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm pkeyparam
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar file
 This specifies the input filename to read parameters from,
 or standard input if this option is not specified.
@@ -5022,14 +4804,13 @@ because the key type is determined by the PEM headers.
 .Op Fl decrypt
 .Op Fl derive
 .Op Fl encrypt
-.Op Fl engine Ar id
 .Op Fl hexdump
 .Op Fl in Ar file
 .Op Fl inkey Ar file
-.Op Fl keyform Ar DER | ENGINE | PEM
+.Op Fl keyform Ar DER | PEM
 .Op Fl out Ar file
 .Op Fl passin Ar arg
-.Op Fl peerform Ar DER | ENGINE | PEM
+.Op Fl peerform Ar DER | PEM
 .Op Fl peerkey Ar file
 .Op Fl pkeyopt Ar opt : Ns Ar value
 .Op Fl pubin
@@ -5061,14 +4842,6 @@ Decrypt the input data using a private key.
 Derive a shared secret using the peer key.
 .It Fl encrypt
 Encrypt the input data using a public key.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm pkeyutl
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl hexdump
 Hex dump the output data.
 .It Fl in Ar file
@@ -5077,8 +4850,8 @@ or standard input if this option is not specified.
 .It Fl inkey Ar file
 The input key file.
 By default it should be a private key.
-.It Fl keyform Ar DER | ENGINE | PEM
-The key format DER, ENGINE, or PEM.
+.It Fl keyform Ar DER | PEM
+The key format DER or PEM.
 .It Fl out Ar file
 Specify the output filename to write to,
 or standard output by default.
@@ -5089,8 +4862,8 @@ For more information about the format of
 see the
 .Sx PASS PHRASE ARGUMENTS
 section above.
-.It Fl peerform Ar DER | ENGINE | PEM
-The peer key format DER, ENGINE, or PEM.
+.It Fl peerform Ar DER | PEM
+The peer key format DER or PEM.
 .It Fl peerkey Ar file
 The peer key file, used by key derivation (agreement) operations.
 .It Fl pkeyopt Ar opt : Ns Ar value
@@ -5271,7 +5044,6 @@ is prime.
 .nr nS 1
 .Nm "openssl rand"
 .Op Fl base64
-.Op Fl engine Ar id
 .Op Fl hex
 .Op Fl out Ar file
 .Ar num
@@ -5289,14 +5061,6 @@ The options are as follows:
 Perform
 .Em base64
 encoding on the output.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm rand
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl hex
 Specify hexadecimal output.
 .It Fl out Ar file
@@ -5315,7 +5079,6 @@ instead of standard output.
 .Op Fl batch
 .Op Fl config Ar file
 .Op Fl days Ar n
-.Op Fl engine Ar id
 .Op Fl extensions Ar section
 .Op Fl in Ar file
 .Op Fl inform Ar DER | PEM
@@ -5392,14 +5155,6 @@ When the
 option is being used, this specifies the number of
 days to certify the certificate for.
 The default is 30 days.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm req
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl extensions Ar section , Fl reqexts Ar section
 These options specify alternative sections to include certificate
 extensions (if the
@@ -6067,7 +5822,6 @@ should be input by the user.
 .Fl des | des3
 .Oc
 .Op Fl check
-.Op Fl engine Ar id
 .Op Fl in Ar file
 .Op Fl inform Ar DER | NET | PEM
 .Op Fl modulus
@@ -6114,14 +5868,6 @@ it can be used to add or change the pass phrase.
 These options can only be used with PEM format output files.
 .It Fl check
 This option checks the consistency of an RSA private key.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm rsa
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar file
 This specifies the input
 .Ar file
@@ -6264,7 +6010,6 @@ without having to manually edit them.
 .Op Fl certin
 .Op Fl decrypt
 .Op Fl encrypt
-.Op Fl engine Ar id
 .Op Fl hexdump
 .Op Fl in Ar file
 .Op Fl inkey Ar file
@@ -6294,14 +6039,6 @@ The input is a certificate containing an RSA public key.
 Decrypt the input data using an RSA private key.
 .It Fl encrypt
 Encrypt the input data using an RSA public key.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm rsautl
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl hexdump
 Hex dump the output data.
 .It Fl in Ar file
@@ -6458,7 +6195,6 @@ which it can be seen agrees with the recovered value above.
 .Op Fl crl_check_all
 .Op Fl crlf
 .Op Fl debug
-.Op Fl engine Ar id
 .Op Fl extended_crl
 .Op Fl ign_eof
 .Op Fl ignore_critical
@@ -6570,14 +6306,6 @@ This option translates a line feed from the terminal into CR+LF as required
 by some servers.
 .It Fl debug
 Print extensive debugging information including a hex dump of all traffic.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm s_client
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl ign_eof
 Inhibit shutting down the connection when end of file is reached in the
 input.
@@ -6782,7 +6510,6 @@ We should really report information whenever a session is renegotiated.
 .Op Fl debug
 .Op Fl dhparam Ar file
 .Op Fl dkey Ar file
-.Op Fl engine Ar id
 .Op Fl hack
 .Op Fl HTTP
 .Op Fl id_prefix Ar arg
@@ -6897,14 +6624,6 @@ load the parameters from the server certificate file.
 If this fails, a static set of parameters hard coded into the
 .Nm s_server
 program will be used.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm s_server
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl hack
 This option enables a further workaround for some early Netscape
 SSL code
@@ -7386,7 +7105,6 @@ The cipher and start time should be printed out in human readable form.
 .Op Fl crl_check_all
 .Op Fl decrypt
 .Op Fl encrypt
-.Op Fl engine Ar id
 .Op Fl extended_crl
 .Op Fl from Ar addr
 .Op Fl ignore_critical
@@ -7395,7 +7113,7 @@ The cipher and start time should be printed out in human readable form.
 .Op Fl inform Ar DER | PEM | SMIME
 .Op Fl inkey Ar file
 .Op Fl issuer_checks
-.Op Fl keyform Ar ENGINE | PEM
+.Op Fl keyform Ar PEM
 .Op Fl md Ar digest
 .Op Fl noattr
 .Op Fl nocerts
@@ -7542,14 +7260,6 @@ This option will override any content if the input format is
 and it uses the multipart/signed
 .Em MIME
 content type.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm smime
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Xo
 .Fl from Ar addr ,
 .Fl subject Ar s ,
@@ -7605,7 +7315,7 @@ or
 file.
 When signing,
 this option can be used multiple times to specify successive keys.
-.It Fl keyform Ar ENGINE | PEM
+.It Fl keyform Ar PEM
 Input private key format.
 .It Fl md Ar digest
 The digest algorithm to use when signing or resigning.
@@ -7968,7 +7678,6 @@ command were first added in
 .Op Cm sha1
 .Op Fl decrypt
 .Op Fl elapsed
-.Op Fl engine Ar id
 .Op Fl evp Ar e
 .Op Fl mr
 .Op Fl multi Ar number
@@ -7986,14 +7695,6 @@ tests those algorithms, otherwise all of the above are tested.
 .It Fl decrypt
 Time decryption instead of encryption
 .Pq only EVP .
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm speed
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl elapsed
 Measure time in real time instead of CPU user time.
 .It Fl evp Ar e
@@ -8033,7 +7734,6 @@ benchmarks in parallel.
 .Fl reply
 .Op Fl chain Ar certs_file.pem
 .Op Fl config Ar configfile
-.Op Fl engine Ar id
 .Op Fl in Ar response.tsr
 .Op Fl inkey Ar private.pem
 .Op Fl out Ar response.tsr
@@ -8194,14 +7894,6 @@ environment variable.
 See
 .Sx TS CONFIGURATION FILE OPTIONS
 for configurable variables.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm ts
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar response.tsr
 Specifies a previously created time stamp response or time stamp token, if
 .Fl token_in
@@ -8379,11 +8071,6 @@ This number is incremented by 1 for each response.
 If the file does not exist at the time of response
 generation a new file is created with serial number 1.
 This parameter is mandatory.
-.It Cm crypto_device
-Specifies the
-.Nm OpenSSL
-engine that will be set as the default for
-all available algorithms.
 .It Cm signer_cert
 TSA signing certificate, in PEM format.
 The same as the
@@ -8611,7 +8298,6 @@ OpenTSA project
 .Nm "openssl spkac"
 .Bk -words
 .Op Fl challenge Ar string
-.Op Fl engine Ar id
 .Op Fl in Ar file
 .Op Fl key Ar keyfile
 .Op Fl noout
@@ -8636,14 +8322,6 @@ The options are as follows:
 .Bl -tag -width Ds
 .It Fl challenge Ar string
 Specifies the challenge string if an SPKAC is being created.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm spkac
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar file
 This specifies the input
 .Ar file
@@ -8743,7 +8421,6 @@ to be used in a
 .Op Fl check_ss_sig
 .Op Fl crl_check
 .Op Fl crl_check_all
-.Op Fl engine Ar id
 .Op Fl explicit_policy
 .Op Fl extended_crl
 .Op Fl help
@@ -8800,14 +8477,6 @@ If a valid CRL cannot be found an error occurs.
 .It Fl crl_check_all
 Checks the validity of all certificates in the chain by attempting
 to look up valid CRLs.
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm verify
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl explicit_policy
 Set policy variable require-explicit-policy (see RFC 3280 et al).
 .It Fl extended_crl
@@ -9181,7 +8850,6 @@ option was added in
 .Op Fl days Ar arg
 .Op Fl email
 .Op Fl enddate
-.Op Fl engine Ar id
 .Op Fl extensions Ar section
 .Op Fl extfile Ar file
 .Op Fl fingerprint
@@ -9230,14 +8898,6 @@ Since there are a large number of options, they are split up into
 various sections.
 .Sh X509 INPUT, OUTPUT, AND GENERAL PURPOSE OPTIONS
 .Bl -tag -width "XXXX"
-.It Fl engine Ar id
-Specifying an engine (by its unique
-.Ar id
-string) will cause
-.Nm x509
-to attempt to obtain a functional reference to the specified engine,
-thus initialising it if needed.
-The engine will then be set as the default for all available algorithms.
 .It Fl in Ar file
 This specifies the input
 .Ar file
diff --git a/usr.bin/openssl/openssl.c b/usr.bin/openssl/openssl.c
index 97321f0cac5..c85a807d29c 100644
--- a/usr.bin/openssl/openssl.c
+++ b/usr.bin/openssl/openssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: openssl.c,v 1.6 2015/09/10 16:43:06 jsing Exp $ */
+/* $OpenBSD: openssl.c,v 1.7 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -126,10 +126,6 @@
 #include <openssl/ssl.h>
 #include <openssl/x509.h>
 
-#ifndef OPENSSL_NO_ENGINE
-#include <openssl/engine.h>
-#endif
-
 #include "progs.h"
 #include "s_apps.h"
 
@@ -162,9 +158,6 @@ FUNCTION functions[] = {
 	{ FUNC_TYPE_GENERAL, "crl", crl_main },
 	{ FUNC_TYPE_GENERAL, "dgst", dgst_main },
 	{ FUNC_TYPE_GENERAL, "enc", enc_main },
-#ifndef OPENSSL_NO_ENGINE
-	{ FUNC_TYPE_GENERAL, "engine", engine_main },
-#endif
 	{ FUNC_TYPE_GENERAL, "errstr", errstr_main },
 	{ FUNC_TYPE_GENERAL, "genpkey", genpkey_main },
 	{ FUNC_TYPE_GENERAL, "nseq", nseq_main },
@@ -419,10 +412,6 @@ openssl_startup(void)
 	SSL_library_init();
 	SSL_load_error_strings();
 
-#ifndef OPENSSL_NO_ENGINE
-	ENGINE_load_builtin_engines();
-#endif
-
 	setup_ui_method();
 }
 
@@ -433,11 +422,6 @@ openssl_shutdown(void)
 	destroy_ui_method();
 	OBJ_cleanup();
 	EVP_cleanup();
-
-#ifndef OPENSSL_NO_ENGINE
-	ENGINE_cleanup();
-#endif
-
 	CRYPTO_cleanup_all_ex_data();
 	ERR_remove_thread_state(NULL);
 	ERR_free_strings();
diff --git a/usr.bin/openssl/pkcs12.c b/usr.bin/openssl/pkcs12.c
index 901ddc05f35..eaa7bcceac9 100644
--- a/usr.bin/openssl/pkcs12.c
+++ b/usr.bin/openssl/pkcs12.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkcs12.c,v 1.3 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: pkcs12.c,v 1.4 2015/09/11 14:30:23 bcook Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -95,7 +95,6 @@ static int set_pbe(BIO * err, int *ppbe, const char *str);
 int
 pkcs12_main(int argc, char **argv)
 {
-	ENGINE *e = NULL;
 	char *infile = NULL, *outfile = NULL, *keyname = NULL;
 	char *certfile = NULL;
 	BIO *in = NULL, *out = NULL;
@@ -124,9 +123,6 @@ pkcs12_main(int argc, char **argv)
 	char *passin = NULL, *passout = NULL;
 	char *macalg = NULL;
 	char *CApath = NULL, *CAfile = NULL;
-#ifndef OPENSSL_NO_ENGINE
-	char *engine = NULL;
-#endif
 
 	cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
 
@@ -285,14 +281,6 @@ pkcs12_main(int argc, char **argv)
 					CAfile = *args;
 				} else
 					badarg = 1;
-#ifndef OPENSSL_NO_ENGINE
-			} else if (!strcmp(*args, "-engine")) {
-				if (args[1]) {
-					args++;
-					engine = *args;
-				} else
-					badarg = 1;
-#endif
 			} else
 				badarg = 1;
 
@@ -349,16 +337,10 @@ pkcs12_main(int argc, char **argv)
 		BIO_printf(bio_err, "-password p   set import/export password source\n");
 		BIO_printf(bio_err, "-passin p     input file pass phrase source\n");
 		BIO_printf(bio_err, "-passout p    output file pass phrase source\n");
-#ifndef OPENSSL_NO_ENGINE
-		BIO_printf(bio_err, "-engine e     use engine e, possibly a hardware device.\n");
-#endif
 		BIO_printf(bio_err, "-CSP name     Microsoft CSP name\n");
 		BIO_printf(bio_err, "-LMK          Add local machine keyset attribute to private key\n");
 		goto end;
 	}
-#ifndef OPENSSL_NO_ENGINE
-	e = setup_engine(bio_err, engine, 0);
-#endif
 
 	if (passarg) {
 		if (export_cert)
@@ -428,14 +410,14 @@ pkcs12_main(int argc, char **argv)
 
 		if (!(options & NOKEYS)) {
 			key = load_key(bio_err, keyname ? keyname : infile,
-			    FORMAT_PEM, 1, passin, e, "private key");
+			    FORMAT_PEM, 1, passin, "private key");
 			if (!key)
 				goto export_end;
 		}
 
 		/* Load in all certs in input file */
 		if (!(options & NOCERTS)) {
-			certs = load_certs(bio_err, infile, FORMAT_PEM, NULL, e,
+			certs = load_certs(bio_err, infile, FORMAT_PEM, NULL,
 			    "certificates");
 			if (!certs)
 				goto export_end;
@@ -465,8 +447,7 @@ pkcs12_main(int argc, char **argv)
 		if (certfile) {
 			STACK_OF(X509) * morecerts = NULL;
 			if (!(morecerts = load_certs(bio_err, certfile, FORMAT_PEM,
-				    NULL, e,
-				    "certificates from certfile")))
+			    NULL, "certificates from certfile")))
 				goto export_end;
 			while (sk_X509_num(morecerts) > 0)
 				sk_X509_push(certs, sk_X509_shift(morecerts));
diff --git a/usr.bin/openssl/pkcs7.c b/usr.bin/openssl/pkcs7.c
index 3180f357f1a..717928d27b0 100644
--- a/usr.bin/openssl/pkcs7.c
+++ b/usr.bin/openssl/pkcs7.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkcs7.c,v 1.5 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: pkcs7.c,v 1.6 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -71,9 +71,6 @@
 #include <openssl/x509.h>
 
 static struct {
-#ifndef OPENSSL_NO_ENGINE
-	char *engine;
-#endif
 	char *infile;
 	int informat;
 	int noout;
@@ -85,15 +82,6 @@ static struct {
 } pkcs7_config;
 
 static struct option pkcs7_options[] = {
-#ifndef OPENSSL_NO_ENGINE
-	{
-		.name = "engine",
-		.argname = "id",
-		.desc = "Use the engine specified by the given identifier",
-		.type = OPTION_ARG,
-		.opt.arg = &pkcs7_config.engine,
-	},
-#endif
 	{
 		.name = "in",
 		.argname = "file",
@@ -152,7 +140,7 @@ static struct option pkcs7_options[] = {
 static void
 pkcs7_usage()
 {
-	fprintf(stderr, "usage: pkcs7 [-engine id] [-in file] "
+	fprintf(stderr, "usage: pkcs7 [-in file] "
 	    "[-inform DER | PEM] [-noout]\n"
 	    "    [-out file] [-outform DER | PEM] [-print_certs] [-text]\n\n");
         options_usage(pkcs7_options);
@@ -176,10 +164,6 @@ pkcs7_main(int argc, char **argv)
 		goto end;
 	}
 
-#ifndef OPENSSL_NO_ENGINE
-	setup_engine(bio_err, pkcs7_config.engine, 0);
-#endif
-
 	in = BIO_new(BIO_s_file());
 	out = BIO_new(BIO_s_file());
 	if ((in == NULL) || (out == NULL)) {
diff --git a/usr.bin/openssl/pkcs8.c b/usr.bin/openssl/pkcs8.c
index 7e590aa41d6..b3ccd1966ef 100644
--- a/usr.bin/openssl/pkcs8.c
+++ b/usr.bin/openssl/pkcs8.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkcs8.c,v 1.5 2015/08/19 18:25:31 deraadt Exp $ */
+/* $OpenBSD: pkcs8.c,v 1.6 2015/09/11 14:30:23 bcook Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999-2004.
  */
@@ -69,9 +69,6 @@
 
 static struct {
 	const EVP_CIPHER *cipher;
-#ifndef OPENSSL_NO_ENGINE
-	char *engine;
-#endif
 	char *infile;
 	int informat;
 	int iter;
@@ -115,15 +112,6 @@ static struct option pkcs8_options[] = {
 		.value = PKCS8_EMBEDDED_PARAM,
 		.opt.value = &pkcs8_config.p8_broken,
 	},
-#ifndef OPENSSL_NO_ENGINE
-	{
-		.name = "engine",
-		.argname = "id",
-		.desc = "Use the engine specified by the given identifier",
-		.type = OPTION_ARG,
-		.opt.arg = &pkcs8_config.engine,
-	},
-#endif
 	{
 		.name = "in",
 		.argname = "file",
@@ -220,7 +208,7 @@ static struct option pkcs8_options[] = {
 static void
 pkcs8_usage()
 {
-	fprintf(stderr, "usage: pkcs8 [-embed] [-engine id] [-in file] "
+	fprintf(stderr, "usage: pkcs8 [-embed] [-in file] "
 	    "[-inform fmt] [-nocrypt]\n"
 	    "    [-noiter] [-nooct] [-nsdb] [-out file] [-outform fmt] "
 	    "[-passin src]\n"
@@ -231,7 +219,6 @@ pkcs8_usage()
 int
 pkcs8_main(int argc, char **argv)
 {
-	ENGINE *e = NULL;
 	BIO *in = NULL, *out = NULL;
 	X509_SIG *p8 = NULL;
 	PKCS8_PRIV_KEY_INFO *p8inf = NULL;
@@ -252,10 +239,6 @@ pkcs8_main(int argc, char **argv)
 		return (1);
 	}
 
-#ifndef OPENSSL_NO_ENGINE
-	e = setup_engine(bio_err, pkcs8_config.engine, 0);
-#endif
-
 	if (!app_passwd(bio_err, pkcs8_config.passargin,
 	    pkcs8_config.passargout, &passin, &passout)) {
 		BIO_printf(bio_err, "Error getting passwords\n");
@@ -285,7 +268,7 @@ pkcs8_main(int argc, char **argv)
 	}
 	if (pkcs8_config.topk8) {
 		pkey = load_key(bio_err, pkcs8_config.infile,
-		    pkcs8_config.informat, 1, passin, e, "key");
+		    pkcs8_config.informat, 1, passin, "key");
 		if (!pkey)
 			goto end;
 		if (!(p8inf = EVP_PKEY2PKCS8_broken(pkey,
diff --git a/usr.bin/openssl/pkey.c b/usr.bin/openssl/pkey.c
index be6bffa001c..72c03181f68 100644
--- a/usr.bin/openssl/pkey.c
+++ b/usr.bin/openssl/pkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkey.c,v 1.4 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: pkey.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006
  */
@@ -68,7 +68,6 @@
 int
 pkey_main(int argc, char **argv)
 {
-	ENGINE *e = NULL;
 	char **args, *infile = NULL, *outfile = NULL;
 	char *passargin = NULL, *passargout = NULL;
 	BIO *in = NULL, *out = NULL;
@@ -78,9 +77,6 @@ pkey_main(int argc, char **argv)
 	EVP_PKEY *pkey = NULL;
 	char *passin = NULL, *passout = NULL;
 	int badarg = 0;
-#ifndef OPENSSL_NO_ENGINE
-	char *engine = NULL;
-#endif
 	int ret = 1;
 
 	informat = FORMAT_PEM;
@@ -109,13 +105,6 @@ pkey_main(int argc, char **argv)
 				goto bad;
 			passargout = *(++args);
 		}
-#ifndef OPENSSL_NO_ENGINE
-		else if (strcmp(*args, "-engine") == 0) {
-			if (!args[1])
-				goto bad;
-			engine = *(++args);
-		}
-#endif
 		else if (!strcmp(*args, "-in")) {
 			if (args[1]) {
 				args++;
@@ -162,14 +151,8 @@ bad:
 		BIO_printf(bio_err, "-outform X      output format (DER or PEM)\n");
 		BIO_printf(bio_err, "-out file       output file\n");
 		BIO_printf(bio_err, "-passout arg    output file pass phrase source\n");
-#ifndef OPENSSL_NO_ENGINE
-		BIO_printf(bio_err, "-engine e       use engine e, possibly a hardware device.\n");
-#endif
 		return 1;
 	}
-#ifndef OPENSSL_NO_ENGINE
-	e = setup_engine(bio_err, engine, 0);
-#endif
 
 	if (!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
 		BIO_printf(bio_err, "Error getting passwords\n");
@@ -187,10 +170,9 @@ bad:
 
 	if (pubin)
 		pkey = load_pubkey(bio_err, infile, informat, 1,
-		    passin, e, "Public Key");
+		    passin, "Public Key");
 	else
-		pkey = load_key(bio_err, infile, informat, 1,
-		    passin, e, "key");
+		pkey = load_key(bio_err, infile, informat, 1, passin, "key");
 	if (!pkey)
 		goto end;
 
diff --git a/usr.bin/openssl/pkeyparam.c b/usr.bin/openssl/pkeyparam.c
index e5152dfbf96..8f4d3a53f42 100644
--- a/usr.bin/openssl/pkeyparam.c
+++ b/usr.bin/openssl/pkeyparam.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkeyparam.c,v 1.6 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: pkeyparam.c,v 1.7 2015/09/11 14:30:23 bcook Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006
  */
@@ -66,9 +66,6 @@
 #include <openssl/pem.h>
 
 struct {
-#ifndef OPENSSL_NO_ENGINE
-	char *engine;
-#endif
 	char *infile;
 	int noout;
 	char *outfile;
@@ -76,15 +73,6 @@ struct {
 } pkeyparam_config;
 
 struct option pkeyparam_options[] = {
-#ifndef OPENSSL_NO_ENGINE
-	{
-		.name = "engine",
-		.argname = "id",
-		.desc = "Use the engine specified by the given identifier",
-		.type = OPTION_ARG,
-		.opt.arg = &pkeyparam_config.engine,
-	},
-#endif
 	{
 		.name = "in",
 		.argname = "file",
@@ -118,7 +106,7 @@ static void
 pkeyparam_usage()
 {
 	fprintf(stderr,
-	    "usage: pkeyparam [-engine id] [-in file] [-noout] [-out file] "
+	    "usage: pkeyparam [-in file] [-noout] [-out file] "
 	    "[-text]\n");
 	options_usage(pkeyparam_options);
 }
@@ -137,10 +125,6 @@ pkeyparam_main(int argc, char **argv)
 		return (1);
 	}
 
-#ifndef OPENSSL_NO_ENGINE
-	setup_engine(bio_err, pkeyparam_config.engine, 0);
-#endif
-
 	if (pkeyparam_config.infile) {
 		if (!(in = BIO_new_file(pkeyparam_config.infile, "r"))) {
 			BIO_printf(bio_err, "Can't open input file %s\n",
diff --git a/usr.bin/openssl/pkeyutl.c b/usr.bin/openssl/pkeyutl.c
index 0529b977985..2caa61e282c 100644
--- a/usr.bin/openssl/pkeyutl.c
+++ b/usr.bin/openssl/pkeyutl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkeyutl.c,v 1.6 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: pkeyutl.c,v 1.7 2015/09/11 14:30:23 bcook Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006.
  */
@@ -72,7 +72,7 @@ static void usage(void);
 
 static EVP_PKEY_CTX *init_ctx(int *pkeysize,
     char *keyfile, int keyform, int key_type,
-    char *passargin, int pkey_op, ENGINE * e);
+    char *passargin, int pkey_op);
 
 static int setup_peer(BIO * err, EVP_PKEY_CTX * ctx, int peerform,
     const char *file);
@@ -86,7 +86,6 @@ pkeyutl_main(int argc, char **argv)
 {
 	BIO *in = NULL, *out = NULL;
 	char *infile = NULL, *outfile = NULL, *sigfile = NULL;
-	ENGINE *e = NULL;
 	int pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY;
 	int keyform = FORMAT_PEM, peerform = FORMAT_PEM;
 	char badarg = 0, rev = 0;
@@ -126,7 +125,7 @@ pkeyutl_main(int argc, char **argv)
 			else {
 				ctx = init_ctx(&keysize,
 				    *(++argv), keyform, key_type,
-				    passargin, pkey_op, e);
+				    passargin, pkey_op);
 				if (!ctx) {
 					BIO_puts(bio_err,
 					    "Error initializing context\n");
@@ -155,14 +154,6 @@ pkeyutl_main(int argc, char **argv)
 			else
 				keyform = str2fmt(*(++argv));
 		}
-#ifndef OPENSSL_NO_ENGINE
-		else if (!strcmp(*argv, "-engine")) {
-			if (--argc < 1)
-				badarg = 1;
-			else
-				e = setup_engine(bio_err, *(++argv), 0);
-		}
-#endif
 		else if (!strcmp(*argv, "-pubin"))
 			key_type = KEY_PUBKEY;
 		else if (!strcmp(*argv, "-certin"))
@@ -342,9 +333,6 @@ usage()
 	BIO_printf(bio_err, "-decrypt        decrypt with private key\n");
 	BIO_printf(bio_err, "-derive         derive shared secret\n");
 	BIO_printf(bio_err, "-hexdump        hex dump output\n");
-#ifndef OPENSSL_NO_ENGINE
-	BIO_printf(bio_err, "-engine e       use engine e, possibly a hardware device.\n");
-#endif
 	BIO_printf(bio_err, "-passin arg     pass phrase source\n");
 
 }
@@ -352,7 +340,7 @@ usage()
 static EVP_PKEY_CTX *
 init_ctx(int *pkeysize,
     char *keyfile, int keyform, int key_type,
-    char *passargin, int pkey_op, ENGINE * e)
+    char *passargin, int pkey_op)
 {
 	EVP_PKEY *pkey = NULL;
 	EVP_PKEY_CTX *ctx = NULL;
@@ -372,17 +360,17 @@ init_ctx(int *pkeysize,
 	switch (key_type) {
 	case KEY_PRIVKEY:
 		pkey = load_key(bio_err, keyfile, keyform, 0,
-		    passin, e, "Private Key");
+		    passin, "Private Key");
 		break;
 
 	case KEY_PUBKEY:
 		pkey = load_pubkey(bio_err, keyfile, keyform, 0,
-		    NULL, e, "Public Key");
+		    NULL, "Public Key");
 		break;
 
 	case KEY_CERT:
 		x = load_cert(bio_err, keyfile, keyform,
-		    NULL, e, "Certificate");
+		    NULL, "Certificate");
 		if (x) {
 			pkey = X509_get_pubkey(x);
 			X509_free(x);
@@ -396,7 +384,7 @@ init_ctx(int *pkeysize,
 	if (!pkey)
 		goto end;
 
-	ctx = EVP_PKEY_CTX_new(pkey, e);
+	ctx = EVP_PKEY_CTX_new(pkey, NULL);
 
 	EVP_PKEY_free(pkey);
 
@@ -452,7 +440,7 @@ setup_peer(BIO * err, EVP_PKEY_CTX * ctx, int peerform,
 		BIO_puts(err, "-peerkey command before -inkey\n");
 		return 0;
 	}
-	peer = load_pubkey(bio_err, file, peerform, 0, NULL, NULL, "Peer Key");
+	peer = load_pubkey(bio_err, file, peerform, 0, NULL, "Peer Key");
 
 	if (!peer) {
 		BIO_printf(bio_err, "Error reading peer key %s\n", file);
diff --git a/usr.bin/openssl/progs.h b/usr.bin/openssl/progs.h
index c1b0c62752a..a771b2c7dee 100644
--- a/usr.bin/openssl/progs.h
+++ b/usr.bin/openssl/progs.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: progs.h,v 1.6 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: progs.h,v 1.7 2015/09/11 14:30:23 bcook Exp $ */
 /* Public domain */
 
 int asn1parse_main(int argc, char **argv);
@@ -16,7 +16,6 @@ int dsaparam_main(int argc, char **argv);
 int ec_main(int argc, char **argv);
 int ecparam_main(int argc, char **argv);
 int enc_main(int argc, char **argv);
-int engine_main(int argc, char **argv);
 int errstr_main(int argc, char **argv);
 int gendh_main(int argc, char **argv);
 int gendsa_main(int argc, char **argv);
diff --git a/usr.bin/openssl/rand.c b/usr.bin/openssl/rand.c
index b021b4ec7c6..b0df4eb1b53 100644
--- a/usr.bin/openssl/rand.c
+++ b/usr.bin/openssl/rand.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rand.c,v 1.7 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: rand.c,v 1.8 2015/09/11 14:30:23 bcook Exp $ */
 /* ====================================================================
  * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
  *
@@ -64,7 +64,6 @@
 
 struct {
 	int base64;
-	char *engine;
 	int hex;
 	char *outfile;
 } rand_config;
@@ -76,15 +75,6 @@ struct option rand_options[] = {
 		.type = OPTION_FLAG,
 		.opt.flag = &rand_config.base64,
 	},
-#ifndef OPENSSL_NO_ENGINE
-	{
-		.name = "engine",
-		.argname = "id",
-		.desc = "Use the engine specified by the given identifier",
-		.type = OPTION_ARG,
-		.opt.arg = &rand_config.engine,
-	},
-#endif
 	{
 		.name = "hex",
 		.desc = "Hexadecimal output",
@@ -105,7 +95,7 @@ static void
 rand_usage()
 {
 	fprintf(stderr,
-	    "usage: rand [-base64 | -hex] [-engine id] [-out file] num\n");
+	    "usage: rand [-base64 | -hex] [-out file] num\n");
 	options_usage(rand_options);
 }
 
@@ -141,10 +131,6 @@ rand_main(int argc, char **argv)
 		goto err;
 	}
 
-#ifndef OPENSSL_NO_ENGINE
-	setup_engine(bio_err, rand_config.engine, 0);
-#endif
-
 	out = BIO_new(BIO_s_file());
 	if (out == NULL)
 		goto err;
diff --git a/usr.bin/openssl/req.c b/usr.bin/openssl/req.c
index 4e1a4757dda..5ed658bfb1f 100644
--- a/usr.bin/openssl/req.c
+++ b/usr.bin/openssl/req.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: req.c,v 1.6 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: req.c,v 1.7 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -140,15 +140,13 @@ static int genpkey_cb(EVP_PKEY_CTX * ctx);
 static int req_check_len(int len, int n_min, int n_max);
 static int check_end(const char *str, const char *end);
 static EVP_PKEY_CTX *set_keygen_ctx(BIO * err, const char *gstr, int *pkey_type,
-    long *pkeylen, char **palgnam,
-    ENGINE * keygen_engine);
+    long *pkeylen, char **palgnam);
 static CONF *req_conf = NULL;
 static int batch = 0;
 
 int
 req_main(int argc, char **argv)
 {
-	ENGINE *e = NULL, *gen_eng = NULL;
 	unsigned long nmflag = 0, reqflag = 0;
 	int ex = 1, x509 = 0, days = 30;
 	X509 *x509ss = NULL;
@@ -165,9 +163,6 @@ req_main(int argc, char **argv)
 	int nodes = 0, kludge = 0, newhdr = 0, subject = 0, pubkey = 0;
 	char *infile, *outfile, *prog, *keyfile = NULL, *template = NULL,
 	*keyout = NULL;
-#ifndef OPENSSL_NO_ENGINE
-	char *engine = NULL;
-#endif
 	char *extensions = NULL;
 	char *req_exts = NULL;
 	const EVP_CIPHER *cipher = NULL;
@@ -203,21 +198,6 @@ req_main(int argc, char **argv)
 				goto bad;
 			outformat = str2fmt(*(++argv));
 		}
-#ifndef OPENSSL_NO_ENGINE
-		else if (strcmp(*argv, "-engine") == 0) {
-			if (--argc < 1)
-				goto bad;
-			engine = *(++argv);
-		} else if (strcmp(*argv, "-keygen_engine") == 0) {
-			if (--argc < 1)
-				goto bad;
-			gen_eng = ENGINE_by_id(*(++argv));
-			if (gen_eng == NULL) {
-				BIO_printf(bio_err, "Can't find keygen engine %s\n", *argv);
-				goto end;
-			}
-		}
-#endif
 		else if (strcmp(*argv, "-key") == 0) {
 			if (--argc < 1)
 				goto bad;
@@ -366,9 +346,6 @@ bad:
 		BIO_printf(bio_err, " -verify        verify signature on REQ\n");
 		BIO_printf(bio_err, " -modulus       RSA modulus\n");
 		BIO_printf(bio_err, " -nodes         don't encrypt the output key\n");
-#ifndef OPENSSL_NO_ENGINE
-		BIO_printf(bio_err, " -engine e      use engine e, possibly a hardware device\n");
-#endif
 		BIO_printf(bio_err, " -subject       output the request's subject\n");
 		BIO_printf(bio_err, " -passin        private key password source\n");
 		BIO_printf(bio_err, " -key file      use the private key contained in file\n");
@@ -520,12 +497,8 @@ bad:
 	if ((in == NULL) || (out == NULL))
 		goto end;
 
-#ifndef OPENSSL_NO_ENGINE
-	e = setup_engine(bio_err, engine, 0);
-#endif
-
 	if (keyfile != NULL) {
-		pkey = load_key(bio_err, keyfile, keyform, 0, passin, e,
+		pkey = load_key(bio_err, keyfile, keyform, 0, passin,
 		    "Private Key");
 		if (!pkey) {
 			/*
@@ -541,7 +514,7 @@ bad:
 		}
 		if (keyalg) {
 			genctx = set_keygen_ctx(bio_err, keyalg, &pkey_type, &newkey,
-			    &keyalgstr, gen_eng);
+			    &keyalgstr);
 			if (!genctx)
 				goto end;
 		}
@@ -552,7 +525,7 @@ bad:
 		}
 		if (!genctx) {
 			genctx = set_keygen_ctx(bio_err, NULL, &pkey_type, &newkey,
-			    &keyalgstr, gen_eng);
+			    &keyalgstr);
 			if (!genctx)
 				goto end;
 		}
@@ -893,10 +866,6 @@ end:
 		sk_OPENSSL_STRING_free(pkeyopts);
 	if (sigopts)
 		sk_OPENSSL_STRING_free(sigopts);
-#ifndef OPENSSL_NO_ENGINE
-	if (gen_eng)
-		ENGINE_free(gen_eng);
-#endif
 	free(keyalgstr);
 	X509_REQ_free(req);
 	X509_free(x509ss);
@@ -1370,8 +1339,7 @@ check_end(const char *str, const char *end)
 
 static EVP_PKEY_CTX *
 set_keygen_ctx(BIO * err, const char *gstr, int *pkey_type,
-    long *pkeylen, char **palgnam,
-    ENGINE * keygen_engine)
+    long *pkeylen, char **palgnam)
 {
 	EVP_PKEY_CTX *gctx = NULL;
 	EVP_PKEY *param = NULL;
@@ -1396,19 +1364,14 @@ set_keygen_ctx(BIO * err, const char *gstr, int *pkey_type,
 	else {
 		const char *p = strchr(gstr, ':');
 		int len;
-		ENGINE *tmpeng;
 		const EVP_PKEY_ASN1_METHOD *ameth;
 
 		if (p)
 			len = p - gstr;
 		else
 			len = strlen(gstr);
-		/*
-		 * The lookup of a the string will cover all engines so keep
-		 * a note of the implementation.
-		 */
 
-		ameth = EVP_PKEY_asn1_find_str(&tmpeng, gstr, len);
+		ameth = EVP_PKEY_asn1_find_str(NULL, gstr, len);
 
 		if (!ameth) {
 			BIO_printf(err, "Unknown algorithm %.*s\n", len, gstr);
@@ -1416,10 +1379,6 @@ set_keygen_ctx(BIO * err, const char *gstr, int *pkey_type,
 		}
 		EVP_PKEY_asn1_get0_info(NULL, pkey_type, NULL, NULL, NULL,
 		    ameth);
-#ifndef OPENSSL_NO_ENGINE
-		if (tmpeng)
-			ENGINE_finish(tmpeng);
-#endif
 		if (*pkey_type == EVP_PKEY_RSA) {
 			if (p) {
 				keylen = strtonum(p + 1, 0, LONG_MAX, &errstr);
@@ -1470,26 +1429,21 @@ set_keygen_ctx(BIO * err, const char *gstr, int *pkey_type,
 	}
 	if (palgnam) {
 		const EVP_PKEY_ASN1_METHOD *ameth;
-		ENGINE *tmpeng;
 		const char *anam;
-		ameth = EVP_PKEY_asn1_find(&tmpeng, *pkey_type);
+		ameth = EVP_PKEY_asn1_find(NULL, *pkey_type);
 		if (!ameth) {
 			BIO_puts(err, "Internal error: can't find key algorithm\n");
 			return NULL;
 		}
 		EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &anam, ameth);
 		*palgnam = strdup(anam);
-#ifndef OPENSSL_NO_ENGINE
-		if (tmpeng)
-			ENGINE_finish(tmpeng);
-#endif
 	}
 	if (param) {
-		gctx = EVP_PKEY_CTX_new(param, keygen_engine);
+		gctx = EVP_PKEY_CTX_new(param, NULL);
 		*pkeylen = EVP_PKEY_bits(param);
 		EVP_PKEY_free(param);
 	} else
-		gctx = EVP_PKEY_CTX_new_id(*pkey_type, keygen_engine);
+		gctx = EVP_PKEY_CTX_new_id(*pkey_type, NULL);
 
 	if (!gctx) {
 		BIO_puts(err, "Error allocating keygen context\n");
diff --git a/usr.bin/openssl/rsa.c b/usr.bin/openssl/rsa.c
index 55b6f7399f7..708332a8d11 100644
--- a/usr.bin/openssl/rsa.c
+++ b/usr.bin/openssl/rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa.c,v 1.4 2015/08/19 18:25:31 deraadt Exp $ */
+/* $OpenBSD: rsa.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -77,9 +77,6 @@
 static struct {
 	int check;
 	const EVP_CIPHER *enc;
-#ifndef OPENSSL_NO_ENGINE
-	char *engine;
-#endif
 	char *infile;
 	int informat;
 	int modulus;
@@ -119,15 +116,6 @@ static struct option rsa_options[] = {
 		.type = OPTION_FLAG,
 		.opt.flag = &rsa_config.check,
 	},
-#ifndef OPENSSL_NO_ENGINE
-	{
-		.name = "engine",
-		.argname = "id",
-		.desc = "Use the engine specified by the given identifier",
-		.type = OPTION_ARG,
-		.opt.arg = &rsa_config.engine,
-	},
-#endif
 	{
 		.name = "in",
 		.argname = "file",
@@ -258,7 +246,7 @@ static void
 rsa_usage()
 {
 	fprintf(stderr,
-	    "usage: rsa [-ciphername] [-check] [-engine id] [-in file] "
+	    "usage: rsa [-ciphername] [-check] [-in file] "
 	    "[-inform fmt]\n"
 	    "    [-modulus] [-noout] [-out file] [-outform fmt] "
 	    "[-passin src]\n"
@@ -274,7 +262,6 @@ rsa_usage()
 int
 rsa_main(int argc, char **argv)
 {
-	ENGINE *e = NULL;
 	int ret = 1;
 	RSA *rsa = NULL;
 	int i;
@@ -291,10 +278,6 @@ rsa_main(int argc, char **argv)
 		goto end;
 	}
 
-#ifndef OPENSSL_NO_ENGINE
-	e = setup_engine(bio_err, rsa_config.engine, 0);
-#endif
-
 	if (!app_passwd(bio_err, rsa_config.passargin, rsa_config.passargout,
 	    &passin, &passout)) {
 		BIO_printf(bio_err, "Error getting passwords\n");
@@ -323,12 +306,12 @@ rsa_main(int argc, char **argv)
 				tmpformat = rsa_config.informat;
 
 			pkey = load_pubkey(bio_err, rsa_config.infile,
-			    tmpformat, 1, passin, e, "Public Key");
+			    tmpformat, 1, passin, "Public Key");
 		} else
 			pkey = load_key(bio_err, rsa_config.infile,
 			    (rsa_config.informat == FORMAT_NETSCAPE &&
 			    rsa_config.sgckey ? FORMAT_IISSGC :
-			    rsa_config.informat), 1, passin, e, "Private Key");
+			    rsa_config.informat), 1, passin, "Private Key");
 
 		if (pkey != NULL)
 			rsa = EVP_PKEY_get1_RSA(pkey);
diff --git a/usr.bin/openssl/rsautl.c b/usr.bin/openssl/rsautl.c
index 5f395e2245f..2e9793297bd 100644
--- a/usr.bin/openssl/rsautl.c
+++ b/usr.bin/openssl/rsautl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsautl.c,v 1.6 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: rsautl.c,v 1.7 2015/09/11 14:30:23 bcook Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -81,12 +81,8 @@ static void usage(void);
 int
 rsautl_main(int argc, char **argv)
 {
-	ENGINE *e = NULL;
 	BIO *in = NULL, *out = NULL;
 	char *infile = NULL, *outfile = NULL;
-#ifndef OPENSSL_NO_ENGINE
-	char *engine = NULL;
-#endif
 	char *keyfile = NULL;
 	char rsa_mode = RSA_VERIFY, key_type = KEY_PRIVKEY;
 	int keyform = FORMAT_PEM;
@@ -133,13 +129,6 @@ rsautl_main(int argc, char **argv)
 				badarg = 1;
 			else
 				keyform = str2fmt(*(++argv));
-#ifndef OPENSSL_NO_ENGINE
-		} else if (!strcmp(*argv, "-engine")) {
-			if (--argc < 1)
-				badarg = 1;
-			else
-				engine = *(++argv);
-#endif
 		} else if (!strcmp(*argv, "-pubin")) {
 			key_type = KEY_PUBKEY;
 		} else if (!strcmp(*argv, "-certin")) {
@@ -184,9 +173,6 @@ rsautl_main(int argc, char **argv)
 		BIO_printf(bio_err, "A private key is needed for this operation\n");
 		goto end;
 	}
-#ifndef OPENSSL_NO_ENGINE
-	e = setup_engine(bio_err, engine, 0);
-#endif
 	if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
 		BIO_printf(bio_err, "Error getting password\n");
 		goto end;
@@ -195,17 +181,17 @@ rsautl_main(int argc, char **argv)
 	switch (key_type) {
 	case KEY_PRIVKEY:
 		pkey = load_key(bio_err, keyfile, keyform, 0,
-		    passin, e, "Private Key");
+		    passin, "Private Key");
 		break;
 
 	case KEY_PUBKEY:
 		pkey = load_pubkey(bio_err, keyfile, keyform, 0,
-		    NULL, e, "Public Key");
+		    NULL, "Public Key");
 		break;
 
 	case KEY_CERT:
 		x = load_cert(bio_err, keyfile, keyform,
-		    NULL, e, "Certificate");
+		    NULL, "Certificate");
 		if (x) {
 			pkey = X509_get_pubkey(x);
 			X509_free(x);
@@ -336,10 +322,4 @@ usage()
 	BIO_printf(bio_err, "-encrypt        encrypt with public key\n");
 	BIO_printf(bio_err, "-decrypt        decrypt with private key\n");
 	BIO_printf(bio_err, "-hexdump        hex dump output\n");
-#ifndef OPENSSL_NO_ENGINE
-	BIO_printf(bio_err, "-engine e       use engine e, possibly a hardware device.\n");
-	BIO_printf(bio_err, "-passin arg    pass phrase source\n");
-#endif
-
 }
-
diff --git a/usr.bin/openssl/s_client.c b/usr.bin/openssl/s_client.c
index f118672abb5..aca9bbfc9e8 100644
--- a/usr.bin/openssl/s_client.c
+++ b/usr.bin/openssl/s_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_client.c,v 1.18 2015/09/10 16:01:06 jsing Exp $ */
+/* $OpenBSD: s_client.c,v 1.19 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -238,9 +238,6 @@ sc_usage(void)
 	BIO_printf(bio_err, "                 only \"smtp\", \"lmtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
 	BIO_printf(bio_err, "                 are supported.\n");
 	BIO_printf(bio_err, " -xmpphost host - connect to this virtual host on the xmpp server\n");
-#ifndef OPENSSL_NO_ENGINE
-	BIO_printf(bio_err, " -engine id    - Initialise and use the specified engine\n");
-#endif
 	BIO_printf(bio_err, " -sess_out arg - file to write SSL session to\n");
 	BIO_printf(bio_err, " -sess_in arg  - file to read SSL session from\n");
 	BIO_printf(bio_err, " -servername host  - Set TLS extension servername in ClientHello\n");
@@ -356,12 +353,6 @@ s_client_main(int argc, char **argv)
 	int mbuf_len = 0;
 	struct timeval timeout;
 	const char *errstr = NULL;
-#ifndef OPENSSL_NO_ENGINE
-	char *engine_id = NULL;
-	char *ssl_client_engine_id = NULL;
-	ENGINE *ssl_client_engine = NULL;
-#endif
-	ENGINE *e = NULL;
 	char *servername = NULL;
 	tlsextctx tlsextcbp =
 	{NULL, 0};
@@ -578,17 +569,6 @@ s_client_main(int argc, char **argv)
 			else
 				goto bad;
 		}
-#ifndef OPENSSL_NO_ENGINE
-		else if (strcmp(*argv, "-engine") == 0) {
-			if (--argc < 1)
-				goto bad;
-			engine_id = *(++argv);
-		} else if (strcmp(*argv, "-ssl_client_engine") == 0) {
-			if (--argc < 1)
-				goto bad;
-			ssl_client_engine_id = *(++argv);
-		}
-#endif
 		else if (strcmp(*argv, "-4") == 0) {
 			af = AF_INET;
 		} else if (strcmp(*argv, "-6") == 0) {
@@ -654,17 +634,6 @@ bad:
 	} else
 		next_proto.data = NULL;
 
-#ifndef OPENSSL_NO_ENGINE
-	e = setup_engine(bio_err, engine_id, 1);
-	if (ssl_client_engine_id) {
-		ssl_client_engine = ENGINE_by_id(ssl_client_engine_id);
-		if (!ssl_client_engine) {
-			BIO_printf(bio_err,
-			    "Error getting client auth engine\n");
-			goto end;
-		}
-	}
-#endif
 	if (!app_passwd(bio_err, passarg, NULL, &pass, NULL)) {
 		BIO_printf(bio_err, "Error getting password\n");
 		goto end;
@@ -675,7 +644,7 @@ bad:
 
 	if (key_file) {
 
-		key = load_key(bio_err, key_file, key_format, 0, pass, e,
+		key = load_key(bio_err, key_file, key_format, 0, pass,
 		    "client certificate private key file");
 		if (!key) {
 			ERR_print_errors(bio_err);
@@ -684,7 +653,7 @@ bad:
 	}
 	if (cert_file) {
 		cert = load_cert(bio_err, cert_file, cert_format,
-		    NULL, e, "client certificate file");
+		    NULL, "client certificate file");
 
 		if (!cert) {
 			ERR_print_errors(bio_err);
@@ -708,18 +677,6 @@ bad:
 	if (vpm)
 		SSL_CTX_set1_param(ctx, vpm);
 
-#ifndef OPENSSL_NO_ENGINE
-	if (ssl_client_engine) {
-		if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine)) {
-			BIO_puts(bio_err, "Error setting client auth engine\n");
-			ERR_print_errors(bio_err);
-			ENGINE_free(ssl_client_engine);
-			goto end;
-		}
-		ENGINE_free(ssl_client_engine);
-	}
-#endif
-
 #ifndef OPENSSL_NO_SRTP
 	if (srtp_profiles != NULL)
 		SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
diff --git a/usr.bin/openssl/s_server.c b/usr.bin/openssl/s_server.c
index 0272abe43bf..5989e0db909 100644
--- a/usr.bin/openssl/s_server.c
+++ b/usr.bin/openssl/s_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_server.c,v 1.16 2015/09/10 16:01:06 jsing Exp $ */
+/* $OpenBSD: s_server.c,v 1.17 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -226,9 +226,6 @@ static int s_quiet = 0;
 static char *keymatexportlabel = NULL;
 static int keymatexportlen = 20;
 
-#ifndef OPENSSL_NO_ENGINE
-static char *engine_id = NULL;
-#endif
 static const char *session_id_prefix = NULL;
 
 static int enable_timeouts = 0;
@@ -262,9 +259,6 @@ s_server_init(void)
 	s_debug = 0;
 	s_msg = 0;
 	s_quiet = 0;
-#ifndef OPENSSL_NO_ENGINE
-	engine_id = NULL;
-#endif
 }
 
 static void
@@ -286,12 +280,12 @@ sv_usage(void)
 	BIO_printf(bio_err, " -certform arg - certificate format (PEM or DER) PEM default\n");
 	BIO_printf(bio_err, " -key arg      - Private Key file to use, in cert file if\n");
 	BIO_printf(bio_err, "                 not specified (default is %s)\n", TEST_CERT);
-	BIO_printf(bio_err, " -keyform arg  - key format (PEM, DER or ENGINE) PEM default\n");
+	BIO_printf(bio_err, " -keyform arg  - key format (PEM or DER) PEM default\n");
 	BIO_printf(bio_err, " -pass arg     - private key file pass phrase source\n");
 	BIO_printf(bio_err, " -dcert arg    - second certificate file to use (usually for DSA)\n");
 	BIO_printf(bio_err, " -dcertform x  - second certificate format (PEM or DER) PEM default\n");
 	BIO_printf(bio_err, " -dkey arg     - second private key file to use (usually for DSA)\n");
-	BIO_printf(bio_err, " -dkeyform arg - second key format (PEM, DER or ENGINE) PEM default\n");
+	BIO_printf(bio_err, " -dkeyform arg - second key format (PEM or DER) PEM default\n");
 	BIO_printf(bio_err, " -dpass arg    - second private key file pass phrase source\n");
 	BIO_printf(bio_err, " -dhparam arg  - DH parameter file to use, in cert file if not specified\n");
 	BIO_printf(bio_err, "                 or a default set of parameters is used\n");
@@ -331,9 +325,6 @@ sv_usage(void)
 	BIO_printf(bio_err, " -WWW          - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
 	BIO_printf(bio_err, " -HTTP         - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
 	BIO_printf(bio_err, "                 with the assumption it contains a complete HTTP response.\n");
-#ifndef OPENSSL_NO_ENGINE
-	BIO_printf(bio_err, " -engine id    - Initialise and use the specified engine\n");
-#endif
 	BIO_printf(bio_err, " -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'\n");
 	BIO_printf(bio_err, " -servername host - servername for HostName TLS extension\n");
 	BIO_printf(bio_err, " -servername_fatal - on mismatch send fatal alert (default warning alert)\n");
@@ -598,7 +589,6 @@ s_server_main(int argc, char *argv[])
 	int state = 0;
 	const SSL_METHOD *meth = NULL;
 	int socket_type = SOCK_STREAM;
-	ENGINE *e = NULL;
 	int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
 	char *passarg = NULL, *pass = NULL;
 	char *dpassarg = NULL, *dpass = NULL;
@@ -832,13 +822,6 @@ s_server_main(int argc, char *argv[])
 				goto bad;
 			session_id_prefix = *(++argv);
 		}
-#ifndef OPENSSL_NO_ENGINE
-		else if (strcmp(*argv, "-engine") == 0) {
-			if (--argc < 1)
-				goto bad;
-			engine_id = *(++argv);
-		}
-#endif
 		else if (strcmp(*argv, "-servername") == 0) {
 			if (--argc < 1)
 				goto bad;
@@ -899,10 +882,6 @@ bad:
 		goto end;
 	}
 
-#ifndef OPENSSL_NO_ENGINE
-	e = setup_engine(bio_err, engine_id, 1);
-#endif
-
 	if (!app_passwd(bio_err, passarg, dpassarg, &pass, &dpass)) {
 		BIO_printf(bio_err, "Error getting password\n");
 		goto end;
@@ -913,28 +892,28 @@ bad:
 		s_key_file2 = s_cert_file2;
 
 	if (nocert == 0) {
-		s_key = load_key(bio_err, s_key_file, s_key_format, 0, pass, e,
+		s_key = load_key(bio_err, s_key_file, s_key_format, 0, pass,
 		    "server certificate private key file");
 		if (!s_key) {
 			ERR_print_errors(bio_err);
 			goto end;
 		}
 		s_cert = load_cert(bio_err, s_cert_file, s_cert_format,
-		    NULL, e, "server certificate file");
+		    NULL, "server certificate file");
 
 		if (!s_cert) {
 			ERR_print_errors(bio_err);
 			goto end;
 		}
 		if (tlsextcbp.servername) {
-			s_key2 = load_key(bio_err, s_key_file2, s_key_format, 0, pass, e,
+			s_key2 = load_key(bio_err, s_key_file2, s_key_format, 0, pass,
 			    "second server certificate private key file");
 			if (!s_key2) {
 				ERR_print_errors(bio_err);
 				goto end;
 			}
 			s_cert2 = load_cert(bio_err, s_cert_file2, s_cert_format,
-			    NULL, e, "second server certificate file");
+			    NULL, "second server certificate file");
 
 			if (!s_cert2) {
 				ERR_print_errors(bio_err);
@@ -966,14 +945,13 @@ bad:
 			s_dkey_file = s_dcert_file;
 
 		s_dkey = load_key(bio_err, s_dkey_file, s_dkey_format,
-		    0, dpass, e,
-		    "second certificate private key file");
+		    0, dpass, "second certificate private key file");
 		if (!s_dkey) {
 			ERR_print_errors(bio_err);
 			goto end;
 		}
 		s_dcert = load_cert(bio_err, s_dcert_file, s_dcert_format,
-		    NULL, e, "second server certificate file");
+		    NULL, "second server certificate file");
 
 		if (!s_dcert) {
 			ERR_print_errors(bio_err);
diff --git a/usr.bin/openssl/smime.c b/usr.bin/openssl/smime.c
index e1c54bf2251..d9813351798 100644
--- a/usr.bin/openssl/smime.c
+++ b/usr.bin/openssl/smime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: smime.c,v 1.3 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: smime.c,v 1.4 2015/09/11 14:30:23 bcook Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -85,7 +85,6 @@ static int smime_cb(int ok, X509_STORE_CTX * ctx);
 int
 smime_main(int argc, char **argv)
 {
-	ENGINE *e = NULL;
 	int operation = 0;
 	int ret = 0;
 	char **args;
@@ -110,9 +109,6 @@ smime_main(int argc, char **argv)
 	const EVP_MD *sign_md = NULL;
 	int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;
 	int keyform = FORMAT_PEM;
-#ifndef OPENSSL_NO_ENGINE
-	char *engine = NULL;
-#endif
 
 	X509_VERIFY_PARAM *vpm = NULL;
 
@@ -192,13 +188,6 @@ smime_main(int argc, char **argv)
 			flags |= PKCS7_NOOLDMIMETYPE;
 		else if (!strcmp(*args, "-crlfeol"))
 			flags |= PKCS7_CRLFEOL;
-#ifndef OPENSSL_NO_ENGINE
-		else if (!strcmp(*args, "-engine")) {
-			if (!args[1])
-				goto argerr;
-			engine = *++args;
-		}
-#endif
 		else if (!strcmp(*args, "-passin")) {
 			if (!args[1])
 				goto argerr;
@@ -384,7 +373,7 @@ argerr:
 		BIO_printf(bio_err, "-in file       input file\n");
 		BIO_printf(bio_err, "-inform arg    input format SMIME (default), PEM or DER\n");
 		BIO_printf(bio_err, "-inkey file    input private key (if not signer or recipient)\n");
-		BIO_printf(bio_err, "-keyform arg   input private key format (PEM or ENGINE)\n");
+		BIO_printf(bio_err, "-keyform arg   input private key format (PEM)\n");
 		BIO_printf(bio_err, "-out file      output file\n");
 		BIO_printf(bio_err, "-outform arg   output format SMIME (default), PEM or DER\n");
 		BIO_printf(bio_err, "-content file  supply or override content for detached signature\n");
@@ -396,16 +385,10 @@ argerr:
 		BIO_printf(bio_err, "-CAfile file   trusted certificates file\n");
 		BIO_printf(bio_err, "-crl_check     check revocation status of signer's certificate using CRLs\n");
 		BIO_printf(bio_err, "-crl_check_all check revocation status of signer's certificate chain using CRLs\n");
-#ifndef OPENSSL_NO_ENGINE
-		BIO_printf(bio_err, "-engine e      use engine e, possibly a hardware device.\n");
-#endif
 		BIO_printf(bio_err, "-passin arg    input file pass phrase source\n");
 		BIO_printf(bio_err, "cert.pem       recipient certificate(s) for encryption\n");
 		goto end;
 	}
-#ifndef OPENSSL_NO_ENGINE
-	e = setup_engine(bio_err, engine, 0);
-#endif
 
 	if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
 		BIO_printf(bio_err, "Error getting password\n");
@@ -444,7 +427,7 @@ argerr:
 		encerts = sk_X509_new_null();
 		while (*args) {
 			if (!(cert = load_cert(bio_err, *args, FORMAT_PEM,
-			    NULL, e, "recipient certificate file"))) {
+			    NULL, "recipient certificate file"))) {
 				goto end;
 			}
 			sk_X509_push(encerts, cert);
@@ -454,14 +437,14 @@ argerr:
 	}
 	if (certfile) {
 		if (!(other = load_certs(bio_err, certfile, FORMAT_PEM, NULL,
-			    e, "certificate file"))) {
+		    "certificate file"))) {
 			ERR_print_errors(bio_err);
 			goto end;
 		}
 	}
 	if (recipfile && (operation == SMIME_DECRYPT)) {
 		if (!(recip = load_cert(bio_err, recipfile, FORMAT_PEM, NULL,
-			    e, "recipient certificate file"))) {
+		    "recipient certificate file"))) {
 			ERR_print_errors(bio_err);
 			goto end;
 		}
@@ -476,7 +459,7 @@ argerr:
 		keyfile = NULL;
 
 	if (keyfile) {
-		key = load_key(bio_err, keyfile, keyform, 0, passin, e,
+		key = load_key(bio_err, keyfile, keyform, 0, passin,
 		    "signing key file");
 		if (!key)
 			goto end;
@@ -559,10 +542,10 @@ argerr:
 			signerfile = sk_OPENSSL_STRING_value(sksigners, i);
 			keyfile = sk_OPENSSL_STRING_value(skkeys, i);
 			signer = load_cert(bio_err, signerfile, FORMAT_PEM, NULL,
-			    e, "signer certificate");
+			    "signer certificate");
 			if (!signer)
 				goto end;
-			key = load_key(bio_err, keyfile, keyform, 0, passin, e,
+			key = load_key(bio_err, keyfile, keyform, 0, passin,
 			    "signing key file");
 			if (!key)
 				goto end;
diff --git a/usr.bin/openssl/speed.c b/usr.bin/openssl/speed.c
index 935d9556e74..2c3dd8d6c66 100644
--- a/usr.bin/openssl/speed.c
+++ b/usr.bin/openssl/speed.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: speed.c,v 1.10 2015/09/11 09:38:30 deraadt Exp $ */
+/* $OpenBSD: speed.c,v 1.11 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -538,24 +538,6 @@ speed_main(int argc, char **argv)
 			j--;	/* Otherwise, -elapsed gets confused with an
 				 * algorithm. */
 		}
-#ifndef OPENSSL_NO_ENGINE
-		else if ((argc > 0) && (strcmp(*argv, "-engine") == 0)) {
-			argc--;
-			argv++;
-			if (argc == 0) {
-				BIO_printf(bio_err, "no engine given\n");
-				goto end;
-			}
-			setup_engine(bio_err, *argv, 0);
-			/*
-			 * j will be increased again further down.  We just
-			 * don't want speed to confuse an engine with an
-			 * algorithm, especially when none is given (which
-			 * means all of them should be run)
-			 */
-			j--;
-		}
-#endif
 		else if ((argc > 0) && (strcmp(*argv, "-multi") == 0)) {
 			argc--;
 			argv++;
@@ -933,9 +915,6 @@ speed_main(int argc, char **argv)
 			BIO_printf(bio_err, "\n");
 			BIO_printf(bio_err, "Available options:\n");
 			BIO_printf(bio_err, "-elapsed        measure time in real time instead of CPU user time.\n");
-#ifndef OPENSSL_NO_ENGINE
-			BIO_printf(bio_err, "-engine e       use engine e, possibly a hardware device.\n");
-#endif
 			BIO_printf(bio_err, "-evp e          use EVP e.\n");
 			BIO_printf(bio_err, "-decrypt        time decryption instead of encryption (only EVP).\n");
 			BIO_printf(bio_err, "-mr             produce machine readable output.\n");
diff --git a/usr.bin/openssl/spkac.c b/usr.bin/openssl/spkac.c
index b5ce764eae1..b635b5e3b28 100644
--- a/usr.bin/openssl/spkac.c
+++ b/usr.bin/openssl/spkac.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: spkac.c,v 1.4 2015/08/19 18:25:31 deraadt Exp $ */
+/* $OpenBSD: spkac.c,v 1.5 2015/09/11 14:30:23 bcook Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999. Based on an original idea by Massimiliano Pala
  * (madwolf@openca.org).
@@ -75,9 +75,6 @@
 
 static struct {
 	char *challenge;
-#ifndef OPENSSL_NO_ENGINE
-	char *engine;
-#endif
 	char *infile;
 	char *keyfile;
 	int noout;
@@ -97,15 +94,6 @@ static struct option spkac_options[] = {
 		.type = OPTION_ARG,
 		.opt.arg = &spkac_config.challenge,
 	},
-#ifndef OPENSSL_NO_ENGINE
-	{
-		.name = "engine",
-		.argname = "id",
-		.desc = "Use the engine specified by the given identifier",
-		.type = OPTION_ARG,
-		.opt.arg = &spkac_config.engine,
-	},
-#endif
 	{
 		.name = "in",
 		.argname = "file",
@@ -174,7 +162,7 @@ static void
 spkac_usage(void)
 {
 	fprintf(stderr,
-	    "usage: spkac [-challenge string] [-engine id] [-in file] "
+	    "usage: spkac [-challenge string] [-in file] "
 	    "[-key file] [-noout]\n"
 	    "    [-out file] [-passin src] [-pubkey] [-spkac name] "
 	    "[-spksect section]\n"
@@ -185,7 +173,6 @@ spkac_usage(void)
 int
 spkac_main(int argc, char **argv)
 {
-	ENGINE *e = NULL;
 	int i, ret = 1;
 	BIO *in = NULL, *out = NULL;
 	char *passin = NULL;
@@ -207,14 +194,11 @@ spkac_main(int argc, char **argv)
 		BIO_printf(bio_err, "Error getting password\n");
 		goto end;
 	}
-#ifndef OPENSSL_NO_ENGINE
-	e = setup_engine(bio_err, spkac_config.engine, 0);
-#endif
 
 	if (spkac_config.keyfile) {
 		pkey = load_key(bio_err,
 		    strcmp(spkac_config.keyfile, "-") ? spkac_config.keyfile
-		    : NULL, FORMAT_PEM, 1, passin, e, "private key");
+		    : NULL, FORMAT_PEM, 1, passin, "private key");
 		if (!pkey) {
 			goto end;
 		}
diff --git a/usr.bin/openssl/ts.c b/usr.bin/openssl/ts.c
index ae7dfff6151..e958d0aaffd 100644
--- a/usr.bin/openssl/ts.c
+++ b/usr.bin/openssl/ts.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts.c,v 1.5 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: ts.c,v 1.6 2015/09/11 14:30:23 bcook Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  * project 2002.
  */
@@ -92,13 +92,13 @@ static int create_digest(BIO * input, char *digest,
 static ASN1_INTEGER *create_nonce(int bits);
 
 /* Reply related functions. */
-static int reply_command(CONF * conf, char *section, char *engine,
+static int reply_command(CONF * conf, char *section,
     char *queryfile, char *passin, char *inkey,
     char *signer, char *chain, const char *policy,
     char *in, int token_in, char *out, int token_out,
     int text);
 static TS_RESP *read_PKCS7(BIO * in_bio);
-static TS_RESP *create_response(CONF * conf, const char *section, char *engine,
+static TS_RESP *create_response(CONF * conf, const char *section,
     char *queryfile, char *passin, char *inkey,
     char *signer, char *chain, const char *policy);
 static ASN1_INTEGER *serial_cb(TS_RESP_CTX * ctx, void *data);
@@ -144,7 +144,6 @@ ts_main(int argc, char **argv)
 	char *ca_path = NULL;
 	char *ca_file = NULL;
 	char *untrusted = NULL;
-	char *engine = NULL;
 	/* Input is ContentInfo instead of TimeStampResp. */
 	int token_in = 0;
 	/* Output is ContentInfo instead of TimeStampResp. */
@@ -233,10 +232,6 @@ ts_main(int argc, char **argv)
 			if (argc-- < 1)
 				goto usage;
 			untrusted = *++argv;
-		} else if (strcmp(*argv, "-engine") == 0) {
-			if (argc-- < 1)
-				goto usage;
-			engine = *++argv;
 		} else if ((md = EVP_get_digestbyname(*argv + 1)) != NULL) {
 			/* empty. */
 		} else
@@ -282,7 +277,7 @@ ts_main(int argc, char **argv)
 				goto usage;
 		}
 
-		ret = !reply_command(conf, section, engine, queryfile,
+		ret = !reply_command(conf, section, queryfile,
 		    password, inkey, signer, chain, policy,
 		    in, token_in, out, token_out, text);
 		break;
@@ -312,7 +307,7 @@ usage:
 	    "[-signer tsa_cert.pem] [-inkey private_key.pem] "
 	    "[-chain certs_file.pem] [-policy object_id] "
 	    "[-in response.tsr] [-token_in] "
-	    "[-out response.tsr] [-token_out] [-text] [-engine id]\n");
+	    "[-out response.tsr] [-token_out] [-text]\n");
 	BIO_printf(bio_err, "or\n"
 	    "ts -verify [-data file_to_hash] [-digest digest_bytes] "
 	    "[-queryfile request.tsq] "
@@ -615,7 +610,7 @@ err:
  */
 
 static int
-reply_command(CONF * conf, char *section, char *engine, char *queryfile,
+reply_command(CONF * conf, char *section, char *queryfile,
     char *passin, char *inkey, char *signer, char *chain, const char *policy,
     char *in, int token_in, char *out, int token_out, int text)
 {
@@ -642,7 +637,7 @@ reply_command(CONF * conf, char *section, char *engine, char *queryfile,
 			response = d2i_TS_RESP_bio(in_bio, NULL);
 		}
 	} else {
-		response = create_response(conf, section, engine, queryfile,
+		response = create_response(conf, section, queryfile,
 		    passin, inkey, signer, chain,
 		    policy);
 		if (response)
@@ -740,7 +735,7 @@ end:
 }
 
 static TS_RESP *
-create_response(CONF * conf, const char *section, char *engine,
+create_response(CONF * conf, const char *section,
     char *queryfile, char *passin, char *inkey,
     char *signer, char *chain, const char *policy)
 {
@@ -763,11 +758,6 @@ create_response(CONF * conf, const char *section, char *engine,
 	/* Setting serial number provider callback. */
 	if (!TS_CONF_set_serial(conf, section, serial_cb, resp_ctx))
 		goto end;
-#ifndef OPENSSL_NO_ENGINE
-	/* Setting default OpenSSL engine. */
-	if (!TS_CONF_set_crypto_device(conf, section, engine))
-		goto end;
-#endif
 
 	/* Setting TSA signer certificate. */
 	if (!TS_CONF_set_signer_cert(conf, section, signer, resp_ctx))
diff --git a/usr.bin/openssl/verify.c b/usr.bin/openssl/verify.c
index ec27275d794..62ca63f01b1 100644
--- a/usr.bin/openssl/verify.c
+++ b/usr.bin/openssl/verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: verify.c,v 1.3 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: verify.c,v 1.4 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -70,13 +70,12 @@
 
 static int cb(int ok, X509_STORE_CTX * ctx);
 static int check(X509_STORE * ctx, char *file, STACK_OF(X509) * uchain,
-    STACK_OF(X509) * tchain, STACK_OF(X509_CRL) * crls, ENGINE * e);
+    STACK_OF(X509) * tchain, STACK_OF(X509_CRL) * crls);
 static int v_verbose = 0, vflags = 0;
 
 int
 verify_main(int argc, char **argv)
 {
-	ENGINE *e = NULL;
 	int i, ret = 1, badarg = 0;
 	char *CApath = NULL, *CAfile = NULL;
 	char *untfile = NULL, *trustfile = NULL, *crlfile = NULL;
@@ -85,9 +84,6 @@ verify_main(int argc, char **argv)
 	X509_STORE *cert_ctx = NULL;
 	X509_LOOKUP *lookup = NULL;
 	X509_VERIFY_PARAM *vpm = NULL;
-#ifndef OPENSSL_NO_ENGINE
-	char *engine = NULL;
-#endif
 
 	cert_ctx = X509_STORE_new();
 	if (cert_ctx == NULL)
@@ -124,13 +120,6 @@ verify_main(int argc, char **argv)
 					goto end;
 				crlfile = *(++argv);
 			}
-#ifndef OPENSSL_NO_ENGINE
-			else if (strcmp(*argv, "-engine") == 0) {
-				if (--argc < 1)
-					goto end;
-				engine = *(++argv);
-			}
-#endif
 			else if (strcmp(*argv, "-help") == 0)
 				goto end;
 			else if (strcmp(*argv, "-verbose") == 0)
@@ -145,10 +134,6 @@ verify_main(int argc, char **argv)
 			break;
 	}
 
-#ifndef OPENSSL_NO_ENGINE
-	e = setup_engine(bio_err, engine, 0);
-#endif
-
 	if (vpm)
 		X509_STORE_set1_param(cert_ctx, vpm);
 
@@ -182,30 +167,30 @@ verify_main(int argc, char **argv)
 
 	if (untfile) {
 		untrusted = load_certs(bio_err, untfile, FORMAT_PEM,
-		    NULL, e, "untrusted certificates");
+		    NULL, "untrusted certificates");
 		if (!untrusted)
 			goto end;
 	}
 	if (trustfile) {
 		trusted = load_certs(bio_err, trustfile, FORMAT_PEM,
-		    NULL, e, "trusted certificates");
+		    NULL, "trusted certificates");
 		if (!trusted)
 			goto end;
 	}
 	if (crlfile) {
 		crls = load_crls(bio_err, crlfile, FORMAT_PEM,
-		    NULL, e, "other CRLs");
+		    NULL, "other CRLs");
 		if (!crls)
 			goto end;
 	}
 	ret = 0;
 	if (argc < 1) {
-		if (1 != check(cert_ctx, NULL, untrusted, trusted, crls, e))
+		if (1 != check(cert_ctx, NULL, untrusted, trusted, crls))
 			ret = -1;
 	} else {
 		for (i = 0; i < argc; i++)
 			if (1 != check(cert_ctx, argv[i], untrusted, trusted,
-			    crls, e))
+			    crls))
 				ret = -1;
 	}
 
@@ -213,9 +198,6 @@ end:
 	if (ret == 1) {
 		BIO_printf(bio_err, "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
 		BIO_printf(bio_err, " [-attime timestamp]");
-#ifndef OPENSSL_NO_ENGINE
-		BIO_printf(bio_err, " [-engine e]");
-#endif
 		BIO_printf(bio_err, " cert1 cert2 ...\n");
 
 		BIO_printf(bio_err, "recognized usages:\n");
@@ -240,13 +222,13 @@ end:
 
 static int
 check(X509_STORE * ctx, char *file, STACK_OF(X509) * uchain,
-    STACK_OF(X509) * tchain, STACK_OF(X509_CRL) * crls, ENGINE * e)
+    STACK_OF(X509) * tchain, STACK_OF(X509_CRL) * crls)
 {
 	X509 *x = NULL;
 	int i = 0, ret = 0;
 	X509_STORE_CTX *csc;
 
-	x = load_cert(bio_err, file, FORMAT_PEM, NULL, e, "certificate file");
+	x = load_cert(bio_err, file, FORMAT_PEM, NULL, "certificate file");
 	if (x == NULL)
 		goto end;
 	fprintf(stdout, "%s: ", (file == NULL) ? "stdin" : file);
diff --git a/usr.bin/openssl/x509.c b/usr.bin/openssl/x509.c
index 0e5594372ba..a8812f7e749 100644
--- a/usr.bin/openssl/x509.c
+++ b/usr.bin/openssl/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.5 2015/08/22 16:36:05 jsing Exp $ */
+/* $OpenBSD: x509.c,v 1.6 2015/09/11 14:30:23 bcook Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -140,9 +140,6 @@ static const char *x509_usage[] = {
 	" -extensions     - section from config file with X509V3 extensions to add\n",
 	" -clrext         - delete extensions before signing and input certificate\n",
 	" -nameopt arg    - various certificate name options\n",
-#ifndef OPENSSL_NO_ENGINE
-	" -engine e       - use engine e, possibly a hardware device.\n",
-#endif
 	" -certopt arg    - various certificate text options\n",
 	NULL
 };
@@ -160,7 +157,6 @@ static int reqfile = 0;
 int
 x509_main(int argc, char **argv)
 {
-	ENGINE *e = NULL;
 	int ret = 1;
 	X509_REQ *req = NULL;
 	X509 *x = NULL, *xca = NULL;
@@ -200,9 +196,6 @@ x509_main(int argc, char **argv)
 	char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL;
 	int checkend = 0, checkoffset = 0;
 	unsigned long nmflag = 0, certflag = 0;
-#ifndef OPENSSL_NO_ENGINE
-	char *engine = NULL;
-#endif
 	const char *errstr = NULL;
 
 	reqfile = 0;
@@ -345,13 +338,6 @@ x509_main(int argc, char **argv)
 			if (!set_name_ex(&nmflag, *(++argv)))
 				goto bad;
 		}
-#ifndef OPENSSL_NO_ENGINE
-		else if (strcmp(*argv, "-engine") == 0) {
-			if (--argc < 1)
-				goto bad;
-			engine = *(++argv);
-		}
-#endif
 		else if (strcmp(*argv, "-C") == 0)
 			C = ++num;
 		else if (strcmp(*argv, "-email") == 0)
@@ -441,9 +427,6 @@ bad:
 			BIO_printf(bio_err, "%s", *pp);
 		goto end;
 	}
-#ifndef OPENSSL_NO_ENGINE
-	e = setup_engine(bio_err, engine, 0);
-#endif
 
 	if (!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
 		BIO_printf(bio_err, "Error getting password\n");
@@ -575,12 +558,12 @@ bad:
 		X509_set_pubkey(x, pkey);
 		EVP_PKEY_free(pkey);
 	} else
-		x = load_cert(bio_err, infile, informat, NULL, e, "Certificate");
+		x = load_cert(bio_err, infile, informat, NULL, "Certificate");
 
 	if (x == NULL)
 		goto end;
 	if (CA_flag) {
-		xca = load_cert(bio_err, CAfile, CAformat, NULL, e, "CA Certificate");
+		xca = load_cert(bio_err, CAfile, CAformat, NULL, "CA Certificate");
 		if (xca == NULL)
 			goto end;
 	}
@@ -813,7 +796,7 @@ bad:
 				if (Upkey == NULL) {
 					Upkey = load_key(bio_err,
 					    keyfile, keyformat, 0,
-					    passin, e, "Private key");
+					    passin, "Private key");
 					if (Upkey == NULL)
 						goto end;
 				}
@@ -825,8 +808,7 @@ bad:
 				if (CAkeyfile != NULL) {
 					CApkey = load_key(bio_err,
 					    CAkeyfile, CAkeyformat,
-					    0, passin, e,
-					    "CA Private Key");
+					    0, passin, "CA Private Key");
 					if (CApkey == NULL)
 						goto end;
 				}
@@ -845,7 +827,7 @@ bad:
 				} else {
 					pk = load_key(bio_err,
 					    keyfile, keyformat, 0,
-					    passin, e, "request key");
+					    passin, "request key");
 					if (pk == NULL)
 						goto end;
 				}