Diffstat (limited to 'lib/libcrypto')
-rw-r--r-- | lib/libcrypto/asn1/a_pkey.c | 10 | ||||
-rw-r--r-- | lib/libcrypto/asn1/ameth_lib.c | 29 | ||||
-rw-r--r-- | lib/libcrypto/conf/conf_mall.c | 9 | ||||
-rw-r--r-- | lib/libcrypto/conf/conf_sap.c | 10 | ||||
-rw-r--r-- | lib/libcrypto/crypto_init.c | 8 | ||||
-rw-r--r-- | lib/libcrypto/dh/dh_lib.c | 31 | ||||
-rw-r--r-- | lib/libcrypto/dsa/dsa_lib.c | 30 | ||||
-rw-r--r-- | lib/libcrypto/ec/ec_key.c | 18 | ||||
-rw-r--r-- | lib/libcrypto/ec/ec_kmeth.c | 27 | ||||
-rw-r--r-- | lib/libcrypto/engine/engine_stubs.c | 6 | ||||
-rw-r--r-- | lib/libcrypto/err/err_all.c | 8 | ||||
-rw-r--r-- | lib/libcrypto/evp/digest.c | 62 | ||||
-rw-r--r-- | lib/libcrypto/evp/evp_enc.c | 55 | ||||
-rw-r--r-- | lib/libcrypto/evp/p_lib.c | 21 | ||||
-rw-r--r-- | lib/libcrypto/pem/pem_lib.c | 8 | ||||
-rw-r--r-- | lib/libcrypto/pem/pem_pkey.c | 6 | ||||
-rw-r--r-- | lib/libcrypto/rand/rand.h | 5 | ||||
-rw-r--r-- | lib/libcrypto/rand/rand_lib.c | 11 | ||||
-rw-r--r-- | lib/libcrypto/rsa/rsa_lib.c | 35 | ||||
-rw-r--r-- | lib/libcrypto/ts/ts.h | 7 | ||||
-rw-r--r-- | lib/libcrypto/ts/ts_conf.c | 56 |
21 files changed, 21 insertions, 431 deletions
diff --git a/lib/libcrypto/asn1/a_pkey.c b/lib/libcrypto/asn1/a_pkey.c index 6e715d4f9eb..1e8ebc913fc 100644 --- a/lib/libcrypto/asn1/a_pkey.c +++ b/lib/libcrypto/asn1/a_pkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: a_pkey.c,v 1.6 2023/07/07 19:37:52 beck Exp $ */ +/* $OpenBSD: a_pkey.c,v 1.7 2023/11/19 15:46:09 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -67,10 +67,6 @@ #include <openssl/objects.h> #include <openssl/x509.h> -#ifndef OPENSSL_NO_ENGINE -#include <openssl/engine.h> -#endif - #include "asn1_local.h" #include "evp_local.h" @@ -87,10 +83,6 @@ d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp, long length) } } else { ret = *a; -#ifndef OPENSSL_NO_ENGINE - ENGINE_finish(ret->engine); - ret->engine = NULL; -#endif } if (!EVP_PKEY_set_type(ret, type)) { diff --git a/lib/libcrypto/asn1/ameth_lib.c b/lib/libcrypto/asn1/ameth_lib.c index 153ad21a812..42f2f6fd52f 100644 --- a/lib/libcrypto/asn1/ameth_lib.c +++ b/lib/libcrypto/asn1/ameth_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ameth_lib.c,v 1.32 2023/07/07 19:37:52 beck Exp $ */ +/* $OpenBSD: ameth_lib.c,v 1.33 2023/11/19 15:46:09 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -64,10 +64,6 @@ #include <openssl/asn1t.h> #include <openssl/x509.h> -#ifndef OPENSSL_NO_ENGINE -#include <openssl/engine.h> -#endif - #include "asn1_local.h" #include "evp_local.h" @@ -170,15 +166,6 @@ EVP_PKEY_asn1_find(ENGINE **pe, int type) type = mp->pkey_base_id; } if (pe) { -#ifndef OPENSSL_NO_ENGINE - ENGINE *e; - /* type will contain the final unaliased type */ - e = ENGINE_get_pkey_asn1_meth_engine(type); - if (e) { - *pe = e; - return ENGINE_get_pkey_asn1_meth(e, type); - } -#endif *pe = NULL; } return mp; 
@@ -193,20 +180,6 @@ EVP_PKEY_asn1_find_str(ENGINE **pe, const char *str, int len) if (len == -1) len = strlen(str); if (pe) { -#ifndef OPENSSL_NO_ENGINE - ENGINE *e; - ameth = ENGINE_pkey_asn1_find_str(&e, str, len); - if (ameth) { - /* Convert structural into - * functional reference - */ - if (!ENGINE_init(e)) - ameth = NULL; - ENGINE_free(e); - *pe = e; - return ameth; - } -#endif *pe = NULL; } for (i = EVP_PKEY_asn1_get_count() - 1; i >= 0; i--) { diff --git a/lib/libcrypto/conf/conf_mall.c b/lib/libcrypto/conf/conf_mall.c index 18631b3ba81..e2a1d2db076 100644 --- a/lib/libcrypto/conf/conf_mall.c +++ b/lib/libcrypto/conf/conf_mall.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf_mall.c,v 1.9 2014/07/11 08:44:48 jsing Exp $ */ +/* $OpenBSD: conf_mall.c,v 1.10 2023/11/19 15:46:09 tb Exp $ */ /* Written by Stephen Henson (steve@openssl.org) for the OpenSSL * project 2001. */ @@ -65,10 +65,6 @@ #include <openssl/crypto.h> #include <openssl/x509.h> -#ifndef OPENSSL_NO_ENGINE -#include <openssl/engine.h> -#endif - /* Load all OpenSSL builtin modules */ void @@ -76,7 +72,4 @@ OPENSSL_load_builtin_modules(void) { /* Add builtin modules here */ ASN1_add_oid_module(); -#ifndef OPENSSL_NO_ENGINE - ENGINE_add_conf_module(); -#endif } diff --git a/lib/libcrypto/conf/conf_sap.c b/lib/libcrypto/conf/conf_sap.c index 827cf96e742..689b7a325d2 100644 --- a/lib/libcrypto/conf/conf_sap.c +++ b/lib/libcrypto/conf/conf_sap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf_sap.c,v 1.14 2018/03/19 03:56:08 beck Exp $ */ +/* $OpenBSD: conf_sap.c,v 1.15 2023/11/19 15:46:09 tb Exp $ */ /* Written by Stephen Henson (steve@openssl.org) for the OpenSSL * project 2001. */ 
@@ -67,10 +67,6 @@ #include <openssl/err.h> #include <openssl/x509.h> -#ifndef OPENSSL_NO_ENGINE -#include <openssl/engine.h> -#endif - /* This is the automatic configuration loader: it is called automatically by * OpenSSL when any of a number of standard initialisation functions are called, * unless this is overridden by calling OPENSSL_no_config() @@ -84,10 +80,6 @@ static void OPENSSL_config_internal(void) { OPENSSL_load_builtin_modules(); -#ifndef OPENSSL_NO_ENGINE - /* Need to load ENGINEs */ - ENGINE_load_builtin_engines(); -#endif /* Add others here? */ ERR_clear_error(); diff --git a/lib/libcrypto/crypto_init.c b/lib/libcrypto/crypto_init.c index a2c1c786c35..2b39d2604bc 100644 --- a/lib/libcrypto/crypto_init.c +++ b/lib/libcrypto/crypto_init.c @@ -1,4 +1,4 @@ -/* $OpenBSD: crypto_init.c,v 1.11 2023/07/08 08:28:23 beck Exp $ */ +/* $OpenBSD: crypto_init.c,v 1.12 2023/11/19 15:46:09 tb Exp $ */ /* * Copyright (c) 2018 Bob Beck <beck@openbsd.org> * @@ -22,9 +22,6 @@ #include <openssl/asn1.h> #include <openssl/conf.h> -#ifndef OPENSSL_NO_ENGINE -#include <openssl/engine.h> -#endif #include <openssl/err.h> #include <openssl/evp.h> #include <openssl/objects.h> @@ -84,9 +81,6 @@ OPENSSL_cleanup(void) ERR_free_strings(); CRYPTO_cleanup_all_ex_data(); -#ifndef OPENSSL_NO_ENGINE - ENGINE_cleanup(); -#endif EVP_cleanup(); ASN1_STRING_TABLE_cleanup(); diff --git a/lib/libcrypto/dh/dh_lib.c b/lib/libcrypto/dh/dh_lib.c index 8d63787689c..90ce7625c61 100644 --- a/lib/libcrypto/dh/dh_lib.c +++ b/lib/libcrypto/dh/dh_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dh_lib.c,v 1.41 2023/08/13 12:09:14 tb Exp $ */ +/* $OpenBSD: dh_lib.c,v 1.42 2023/11/19 15:46:09 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -65,10 +65,6 @@ #include <openssl/dh.h> #include <openssl/err.h> -#ifndef OPENSSL_NO_ENGINE -#include <openssl/engine.h> -#endif - #include "dh_local.h" static const DH_METHOD *default_DH_method = NULL; 
@@ -101,10 +97,6 @@ DH_set_method(DH *dh, const DH_METHOD *meth) mtmp = dh->meth; if (mtmp->finish) mtmp->finish(dh); -#ifndef OPENSSL_NO_ENGINE - ENGINE_finish(dh->engine); - dh->engine = NULL; -#endif dh->meth = meth; if (meth->init) meth->init(dh); @@ -133,24 +125,6 @@ DH_new_method(ENGINE *engine) dh->flags = dh->meth->flags & ~DH_FLAG_NON_FIPS_ALLOW; dh->references = 1; -#ifndef OPENSSL_NO_ENGINE - if (engine != NULL) { - if (!ENGINE_init(engine)) { - DHerror(ERR_R_ENGINE_LIB); - goto err; - } - dh->engine = engine; - } else - dh->engine = ENGINE_get_default_DH(); - if (dh->engine != NULL) { - if ((dh->meth = ENGINE_get_DH(dh->engine)) == NULL) { - DHerror(ERR_R_ENGINE_LIB); - goto err; - } - dh->flags = dh->meth->flags & ~DH_FLAG_NON_FIPS_ALLOW; - } -#endif - if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DH, dh, &dh->ex_data)) goto err; if (dh->meth->init != NULL && !dh->meth->init(dh)) @@ -178,9 +152,6 @@ DH_free(DH *r) if (r->meth != NULL && r->meth->finish != NULL) r->meth->finish(r); -#ifndef OPENSSL_NO_ENGINE - ENGINE_finish(r->engine); -#endif CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DH, r, &r->ex_data); diff --git a/lib/libcrypto/dsa/dsa_lib.c b/lib/libcrypto/dsa/dsa_lib.c index a9d2179aeb2..5c01c202559 100644 --- a/lib/libcrypto/dsa/dsa_lib.c +++ b/lib/libcrypto/dsa/dsa_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dsa_lib.c,v 1.44 2023/08/12 06:14:36 tb Exp $ */ +/* $OpenBSD: dsa_lib.c,v 1.45 2023/11/19 15:46:09 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -70,9 +70,6 @@ #ifndef OPENSSL_NO_DH #include <openssl/dh.h> #endif -#ifndef OPENSSL_NO_ENGINE -#include <openssl/engine.h> -#endif #include "dh_local.h" #include "dsa_local.h" @@ -113,10 +110,6 @@ DSA_set_method(DSA *dsa, const DSA_METHOD *meth) mtmp = dsa->meth; if (mtmp->finish) mtmp->finish(dsa); -#ifndef OPENSSL_NO_ENGINE - ENGINE_finish(dsa->engine); - dsa->engine = NULL; -#endif dsa->meth = meth; if (meth->init) meth->init(dsa); 
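Review bot: In `DH_new_method(ENGINE *engine)` the `engine` argument is no longer read anywhere in the lines shown, so a caller that passes a non-NULL ENGINE gets the default method with no error or other indication. The same holds for `DSA_new_method`, `EC_KEY_new_method` and `RSA_new_method` in their hunks. The signature presumably has to stay for API compatibility, so a one-line comment next to the method lookup would record that this is intended, e.g. `/* ENGINE support is removed; the engine argument is ignored. */`. The function body starts and ends outside the hunk, so a use of `engine` elsewhere in it cannot be ruled out from here.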
@@ -138,24 +131,6 @@ DSA_new_method(ENGINE *engine) dsa->flags = dsa->meth->flags & ~DSA_FLAG_NON_FIPS_ALLOW; dsa->references = 1; -#ifndef OPENSSL_NO_ENGINE - if (engine) { - if (!ENGINE_init(engine)) { - DSAerror(ERR_R_ENGINE_LIB); - goto err; - } - dsa->engine = engine; - } else - dsa->engine = ENGINE_get_default_DSA(); - if (dsa->engine != NULL) { - if ((dsa->meth = ENGINE_get_DSA(dsa->engine)) == NULL) { - DSAerror(ERR_R_ENGINE_LIB); - goto err; - } - dsa->flags = dsa->meth->flags & ~DSA_FLAG_NON_FIPS_ALLOW; - } -#endif - if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DSA, dsa, &dsa->ex_data)) goto err; if (dsa->meth->init != NULL && !dsa->meth->init(dsa)) @@ -184,9 +159,6 @@ DSA_free(DSA *r) if (r->meth != NULL && r->meth->finish != NULL) r->meth->finish(r); -#ifndef OPENSSL_NO_ENGINE - ENGINE_finish(r->engine); -#endif CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DSA, r, &r->ex_data); diff --git a/lib/libcrypto/ec/ec_key.c b/lib/libcrypto/ec/ec_key.c index d9ddd5d7973..2716db6dd09 100644 --- a/lib/libcrypto/ec/ec_key.c +++ b/lib/libcrypto/ec/ec_key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec_key.c,v 1.37 2023/08/03 18:53:56 tb Exp $ */ +/* $OpenBSD: ec_key.c,v 1.38 2023/11/19 15:46:09 tb Exp $ */ /* * Written by Nils Larsch for the OpenSSL project. */ @@ -65,9 +65,6 @@ #include <openssl/opensslconf.h> -#ifndef OPENSSL_NO_ENGINE -#include <openssl/engine.h> -#endif #include <openssl/err.h> #include "bn_local.h" @@ -115,9 +112,6 @@ EC_KEY_free(EC_KEY *r) if (r->meth != NULL && r->meth->finish != NULL) r->meth->finish(r); -#ifndef OPENSSL_NO_ENGINE - ENGINE_finish(r->engine); -#endif CRYPTO_free_ex_data(CRYPTO_EX_INDEX_EC_KEY, r, &r->ex_data); EC_GROUP_free(r->group); 
@@ -138,11 +132,6 @@ EC_KEY_copy(EC_KEY *dest, const EC_KEY *src) if (src->meth != dest->meth) { if (dest->meth != NULL && dest->meth->finish != NULL) dest->meth->finish(dest); -#ifndef OPENSSL_NO_ENGINE - if (ENGINE_finish(dest->engine) == 0) - return 0; - dest->engine = NULL; -#endif } /* copy the parameters */ if (src->group) { @@ -186,11 +175,6 @@ EC_KEY_copy(EC_KEY *dest, const EC_KEY *src) return NULL; if (src->meth != dest->meth) { -#ifndef OPENSSL_NO_ENGINE - if (src->engine != NULL && ENGINE_init(src->engine) == 0) - return 0; - dest->engine = src->engine; -#endif dest->meth = src->meth; } diff --git a/lib/libcrypto/ec/ec_kmeth.c b/lib/libcrypto/ec/ec_kmeth.c index 38aca0028e4..856afc89dc0 100644 --- a/lib/libcrypto/ec/ec_kmeth.c +++ b/lib/libcrypto/ec/ec_kmeth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec_kmeth.c,v 1.12 2023/07/28 09:28:37 tb Exp $ */ +/* $OpenBSD: ec_kmeth.c,v 1.13 2023/11/19 15:46:09 tb Exp $ */ /* * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. @@ -53,9 +53,6 @@ */ #include <openssl/ec.h> -#ifndef OPENSSL_NO_ENGINE -#include <openssl/engine.h> -#endif #include <openssl/err.h> #include "bn_local.h" @@ -126,11 +123,6 @@ EC_KEY_set_method(EC_KEY *key, const EC_KEY_METHOD *meth) if (finish != NULL) finish(key); -#ifndef OPENSSL_NO_ENGINE - ENGINE_finish(key->engine); - key->engine = NULL; -#endif - key->meth = meth; if (meth->init != NULL) return meth->init(key); @@ -148,23 +140,6 @@ EC_KEY_new_method(ENGINE *engine) return NULL; } ret->meth = EC_KEY_get_default_method(); -#ifndef OPENSSL_NO_ENGINE - if (engine != NULL) { - if (!ENGINE_init(engine)) { - ECerror(ERR_R_ENGINE_LIB); - goto err; - } - ret->engine = engine; - } else - ret->engine = ENGINE_get_default_EC(); - if (ret->engine) { - ret->meth = ENGINE_get_EC(ret->engine); - if (ret->meth == NULL) { - ECerror(ERR_R_ENGINE_LIB); - goto err; - } - } -#endif ret->version = 1; ret->flags = 0; ret->group = NULL; 
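Review bot: With the ENGINE lines gone, `if (src->meth != dest->meth) { dest->meth = src->meth; }` in the second EC_KEY_copy hunk is a guarded assignment with the same result as the plain `dest->meth = src->meth;`, which reads more directly. In the first hunk the outer `if (src->meth != dest->meth) { ... }` now wraps a single inner `if`, so the two conditions could be joined with `&&` and the extra braces dropped. Both points are style only, and the function continues outside either hunk.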
diff --git a/lib/libcrypto/engine/engine_stubs.c b/lib/libcrypto/engine/engine_stubs.c index 3621da80ef8..b2bd8f007a6 100644 --- a/lib/libcrypto/engine/engine_stubs.c +++ b/lib/libcrypto/engine/engine_stubs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: engine_stubs.c,v 1.1 2023/07/21 09:04:23 tb Exp $ */ +/* $OpenBSD: engine_stubs.c,v 1.2 2023/11/19 15:46:09 tb Exp $ */ /* * Written by Theo Buehler. Public domain. @@ -6,8 +6,6 @@ #include <openssl/engine.h> -#ifdef OPENSSL_NO_ENGINE - void ENGINE_load_builtin_engines(void) { @@ -121,5 +119,3 @@ ENGINE_load_public_key(ENGINE *engine, const char *key_id, { return NULL; } - -#endif diff --git a/lib/libcrypto/err/err_all.c b/lib/libcrypto/err/err_all.c index 2c8a273f17e..4829e46a1a2 100644 --- a/lib/libcrypto/err/err_all.c +++ b/lib/libcrypto/err/err_all.c @@ -1,4 +1,4 @@ -/* $OpenBSD: err_all.c,v 1.32 2023/07/28 09:46:36 tb Exp $ */ +/* $OpenBSD: err_all.c,v 1.33 2023/11/19 15:46:09 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -91,9 +91,6 @@ #ifndef OPENSSL_NO_EC #include <openssl/ec.h> #endif -#ifndef OPENSSL_NO_ENGINE -#include <openssl/engine.h> -#endif #ifndef OPENSSL_NO_RSA #include <openssl/rsa.h> #endif @@ -130,9 +127,6 @@ ERR_load_crypto_strings_internal(void) #ifndef OPENSSL_NO_EC ERR_load_EC_strings(); #endif -#ifndef OPENSSL_NO_ENGINE - ERR_load_ENGINE_strings(); -#endif ERR_load_EVP_strings(); #ifndef OPENSSL_NO_GOST ERR_load_GOST_strings(); diff --git a/lib/libcrypto/evp/digest.c b/lib/libcrypto/evp/digest.c index ca3fb219cde..9a2a304250a 100644 --- a/lib/libcrypto/evp/digest.c +++ b/lib/libcrypto/evp/digest.c @@ -1,4 +1,4 @@ -/* $OpenBSD: digest.c,v 1.38 2023/07/07 19:37:53 beck Exp $ */ +/* $OpenBSD: digest.c,v 1.39 2023/11/19 15:46:09 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -118,10 +118,6 @@ #include <openssl/evp.h> #include <openssl/objects.h> -#ifndef OPENSSL_NO_ENGINE -#include <openssl/engine.h> -#endif - #include "evp_local.h" int @@ -136,49 +132,6 @@ EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) { EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_CLEANED); -#ifndef OPENSSL_NO_ENGINE - /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts - * so this context may already have an ENGINE! Try to avoid releasing - * the previous handle, re-querying for an ENGINE, and having a - * reinitialisation, when it may all be unnecessary. */ - if (ctx->engine && ctx->digest && (!type || - (type && (type->type == ctx->digest->type)))) - goto skip_to_init; - if (type) { - /* Ensure an ENGINE left lying around from last time is cleared - * (the previous check attempted to avoid this if the same - * ENGINE and EVP_MD could be used). */ - ENGINE_finish(ctx->engine); - if (impl != NULL) { - if (!ENGINE_init(impl)) { - EVPerror(EVP_R_INITIALIZATION_ERROR); - return 0; - } - } else - /* Ask if an ENGINE is reserved for this job */ - impl = ENGINE_get_digest_engine(type->type); - if (impl != NULL) { - /* There's an ENGINE for this job ... (apparently) */ - const EVP_MD *d = ENGINE_get_digest(impl, type->type); - if (d == NULL) { - /* Same comment from evp_enc.c */ - EVPerror(EVP_R_INITIALIZATION_ERROR); - ENGINE_finish(impl); - return 0; - } - /* We'll use the ENGINE's private digest definition */ - type = d; - /* Store the ENGINE functional reference so we know - * 'type' came from an ENGINE and we need to release - * it when done. */ - ctx->engine = impl; - } else - ctx->engine = NULL; - } else if (!ctx->digest) { - EVPerror(EVP_R_NO_DIGEST_SET); - return 0; - } -#endif if (ctx->digest != type) { if (ctx->digest && ctx->digest->ctx_size && ctx->md_data && !EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_REUSE)) { 
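Review bot: The only visible check for a missing digest in EVP_DigestInit_ex, `else if (!ctx->digest) { EVPerror(EVP_R_NO_DIGEST_SET); return 0; }`, sat inside the block this hunk deletes, so in the lines shown nothing rejects a call with `type == NULL` on a context that has no digest yet. In that case `ctx->digest != type` is false and execution falls through; the rest of the function is outside the hunk, but if it goes on to dereference `ctx->digest`, as an init path presumably does, that is a NULL dereference reachable from a caller's arguments. A guard placed before the `if (ctx->digest != type)` test would keep the old error path: `if (type == NULL && ctx->digest == NULL) { EVPerror(EVP_R_NO_DIGEST_SET); return 0; }`. EVP_CipherInit_ex keeps its equivalent `EVP_R_NO_CIPHER_SET` check as context in its own hunk, so only the digest side is affected.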
@@ -197,9 +150,6 @@ EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) } } } -#ifndef OPENSSL_NO_ENGINE -skip_to_init: -#endif if (ctx->pctx) { int r; r = EVP_PKEY_CTX_ctrl(ctx->pctx, -1, EVP_PKEY_OP_TYPE_SIG, @@ -266,13 +216,6 @@ EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) EVPerror(EVP_R_INPUT_NOT_INITIALIZED); return 0; } -#ifndef OPENSSL_NO_ENGINE - /* Make sure it's safe to copy a digest context using an ENGINE */ - if (in->engine && !ENGINE_init(in->engine)) { - EVPerror(ERR_R_ENGINE_LIB); - return 0; - } -#endif if (out->digest == in->digest) { tmp_buf = out->md_data; @@ -397,9 +340,6 @@ EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) */ if (!EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_KEEP_PKEY_CTX)) EVP_PKEY_CTX_free(ctx->pctx); -#ifndef OPENSSL_NO_ENGINE - ENGINE_finish(ctx->engine); -#endif memset(ctx, 0, sizeof(*ctx)); return 1; diff --git a/lib/libcrypto/evp/evp_enc.c b/lib/libcrypto/evp/evp_enc.c index eb279b23784..172d8b40193 100644 --- a/lib/libcrypto/evp/evp_enc.c +++ b/lib/libcrypto/evp/evp_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: evp_enc.c,v 1.54 2023/11/18 09:37:15 tb Exp $ */ +/* $OpenBSD: evp_enc.c,v 1.55 2023/11/19 15:46:09 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -68,10 +68,6 @@ #include <openssl/err.h> #include <openssl/evp.h> -#ifndef OPENSSL_NO_ENGINE -#include <openssl/engine.h> -#endif - #include "evp_local.h" int 
@@ -94,15 +90,6 @@ EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *impl, enc = 1; ctx->encrypt = enc; } -#ifndef OPENSSL_NO_ENGINE - /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts - * so this context may already have an ENGINE! Try to avoid releasing - * the previous handle, re-querying for an ENGINE, and having a - * reinitialisation, when it may all be unnecessary. */ - if (ctx->engine && ctx->cipher && - (!cipher || (cipher && (cipher->nid == ctx->cipher->nid)))) - goto skip_to_init; -#endif if (cipher) { /* Ensure a context left lying around from last time is cleared * (the previous check attempted to avoid this if the same @@ -114,32 +101,6 @@ EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *impl, ctx->encrypt = enc; ctx->flags = flags; } -#ifndef OPENSSL_NO_ENGINE - if (impl) { - if (!ENGINE_init(impl)) { - EVPerror(EVP_R_INITIALIZATION_ERROR); - return 0; - } - } else - /* Ask if an ENGINE is reserved for this job */ - impl = ENGINE_get_cipher_engine(cipher->nid); - if (impl) { - /* There's an ENGINE for this job ... (apparently) */ - const EVP_CIPHER *c = - ENGINE_get_cipher(impl, cipher->nid); - if (!c) { - EVPerror(EVP_R_INITIALIZATION_ERROR); - return 0; - } - /* We'll use the ENGINE's private cipher definition */ - cipher = c; - /* Store the ENGINE functional reference so we know - * 'cipher' came from an ENGINE and we need to release - * it when done. */ - ctx->engine = impl; - } else - ctx->engine = NULL; -#endif ctx->cipher = cipher; if (ctx->cipher->ctx_size) { @@ -163,9 +124,6 @@ EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *impl, EVPerror(EVP_R_NO_CIPHER_SET); return 0; } -#ifndef OPENSSL_NO_ENGINE -skip_to_init: -#endif /* we assume block size is a power of 2 in *cryptUpdate */ if (ctx->cipher->block_size != 1 && ctx->cipher->block_size != 8 && 
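Review bot: The comment kept as context in the first EVP_CipherInit_ex hunk still reads "(the previous check attempted to avoid this if the same", but the check it refers to is the `skip_to_init` shortcut that this hunk deletes, so the parenthesis now points at code that no longer exists. I would shorten it to `/* Ensure a context left lying around from last time is cleared. */`. The comment's last line and the rest of the function lie outside the hunk. As in the key constructors, the `impl` argument is no longer read in the lines shown, which is worth a word in the same comment.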
@@ -614,10 +572,6 @@ EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c) /* XXX - store size of cipher_data so we can always freezero(). */ free(c->cipher_data); -#ifndef OPENSSL_NO_ENGINE - ENGINE_finish(c->engine); -#endif - explicit_bzero(c, sizeof(EVP_CIPHER_CTX)); return 1; @@ -688,13 +642,6 @@ EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in) EVPerror(EVP_R_INPUT_NOT_INITIALIZED); return 0; } -#ifndef OPENSSL_NO_ENGINE - /* Make sure it's safe to copy a cipher context using an ENGINE */ - if (in->engine && !ENGINE_init(in->engine)) { - EVPerror(ERR_R_ENGINE_LIB); - return 0; - } -#endif EVP_CIPHER_CTX_cleanup(out); memcpy(out, in, sizeof *out); diff --git a/lib/libcrypto/evp/p_lib.c b/lib/libcrypto/evp/p_lib.c index 23ec8e6031e..eaeb456cbbe 100644 --- a/lib/libcrypto/evp/p_lib.c +++ b/lib/libcrypto/evp/p_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p_lib.c,v 1.37 2023/09/10 17:32:17 tb Exp $ */ +/* $OpenBSD: p_lib.c,v 1.38 2023/11/19 15:46:10 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -77,10 +77,6 @@ #include <openssl/rsa.h> #endif -#ifndef OPENSSL_NO_ENGINE -#include <openssl/engine.h> -#endif - #include "asn1_local.h" #include "evp_local.h" @@ -245,19 +241,11 @@ pkey_set_type(EVP_PKEY *pkey, ENGINE *e, int type, const char *str, int len) */ if ((type == pkey->save_type) && pkey->ameth) return 1; -#ifndef OPENSSL_NO_ENGINE - ENGINE_finish(pkey->engine); - pkey->engine = NULL; -#endif } if (str) ameth = EVP_PKEY_asn1_find_str(eptr, str, len); else ameth = EVP_PKEY_asn1_find(eptr, type); -#ifndef OPENSSL_NO_ENGINE - if (pkey == NULL && eptr != NULL) - ENGINE_finish(e); -#endif if (!ameth) { EVPerror(EVP_R_UNSUPPORTED_ALGORITHM); return 0; @@ -583,9 +571,6 @@ EVP_PKEY_type(int type) ret = ameth->pkey_id; else ret = NID_undef; -#ifndef OPENSSL_NO_ENGINE - ENGINE_finish(e); -#endif return ret; } 
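Review bot: `pkey_set_type` still passes `eptr` to `EVP_PKEY_asn1_find_str()` and `EVP_PKEY_asn1_find()`, but after the ameth_lib.c hunks in this commit both functions only ever store `*pe = NULL`, so the ENGINE out-parameter no longer carries any information. Passing `NULL` at the two call sites, e.g. `ameth = EVP_PKEY_asn1_find(NULL, type);`, would make that explicit and would let the `eptr` local go if nothing else in the function uses it; its declaration is outside the hunk, so that needs checking. The same probably applies to the `e` locals whose `ENGINE_finish(e)` calls are deleted in `EVP_PKEY_type` here and in `check_pem` in pem_lib.c.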
@@ -626,10 +611,6 @@ EVP_PKEY_free_it(EVP_PKEY *x) x->ameth->pkey_free(x); x->pkey.ptr = NULL; } -#ifndef OPENSSL_NO_ENGINE - ENGINE_finish(x->engine); - x->engine = NULL; -#endif } static int diff --git a/lib/libcrypto/pem/pem_lib.c b/lib/libcrypto/pem/pem_lib.c index 3f23a0131b7..db0e75518bb 100644 --- a/lib/libcrypto/pem/pem_lib.c +++ b/lib/libcrypto/pem/pem_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pem_lib.c,v 1.53 2023/07/07 13:40:44 beck Exp $ */ +/* $OpenBSD: pem_lib.c,v 1.54 2023/11/19 15:46:10 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -74,9 +74,6 @@ #ifndef OPENSSL_NO_DES #include <openssl/des.h> #endif -#ifndef OPENSSL_NO_ENGINE -#include <openssl/engine.h> -#endif #include "asn1_local.h" #include "evp_local.h" @@ -231,9 +228,6 @@ check_pem(const char *nm, const char *name) r = 1; else r = 0; -#ifndef OPENSSL_NO_ENGINE - ENGINE_finish(e); -#endif return r; } } diff --git a/lib/libcrypto/pem/pem_pkey.c b/lib/libcrypto/pem/pem_pkey.c index 29619521393..d7001c83cca 100644 --- a/lib/libcrypto/pem/pem_pkey.c +++ b/lib/libcrypto/pem/pem_pkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pem_pkey.c,v 1.27 2023/07/07 13:40:44 beck Exp $ */ +/* $OpenBSD: pem_pkey.c,v 1.28 2023/11/19 15:46:10 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -69,10 +69,6 @@ #include <openssl/pkcs12.h> #include <openssl/x509.h> -#ifndef OPENSSL_NO_ENGINE -#include <openssl/engine.h> -#endif - #include "asn1_local.h" #include "evp_local.h" diff --git a/lib/libcrypto/rand/rand.h b/lib/libcrypto/rand/rand.h index a0e9b479697..d66d71579c3 100644 --- a/lib/libcrypto/rand/rand.h +++ b/lib/libcrypto/rand/rand.h @@ -1,4 +1,4 @@ -/* $OpenBSD: rand.h,v 1.23 2022/07/12 14:42:50 kn Exp $ */ +/* $OpenBSD: rand.h,v 1.24 2023/11/19 15:46:10 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -83,9 +83,6 @@ struct rand_meth_st { int RAND_set_rand_method(const RAND_METHOD *meth); const RAND_METHOD *RAND_get_rand_method(void); -#ifndef OPENSSL_NO_ENGINE -int RAND_set_rand_engine(ENGINE *engine); -#endif RAND_METHOD *RAND_SSLeay(void); #ifndef LIBRESSL_INTERNAL diff --git a/lib/libcrypto/rand/rand_lib.c b/lib/libcrypto/rand/rand_lib.c index 5c5df98c986..b9ef0deebe5 100644 --- a/lib/libcrypto/rand/rand_lib.c +++ b/lib/libcrypto/rand/rand_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rand_lib.c,v 1.22 2023/07/07 19:37:54 beck Exp $ */ +/* $OpenBSD: rand_lib.c,v 1.23 2023/11/19 15:46:10 tb Exp $ */ /* * Copyright (c) 2014 Ted Unangst <tedu@openbsd.org> * @@ -45,15 +45,6 @@ RAND_SSLeay(void) } LCRYPTO_ALIAS(RAND_SSLeay); -#ifndef OPENSSL_NO_ENGINE -int -RAND_set_rand_engine(ENGINE *engine) -{ - return 1; -} -LCRYPTO_ALIAS(RAND_set_rand_engine); -#endif - void RAND_cleanup(void) { diff --git a/lib/libcrypto/rsa/rsa_lib.c b/lib/libcrypto/rsa/rsa_lib.c index fbd2c2274c3..b379cddc078 100644 --- a/lib/libcrypto/rsa/rsa_lib.c +++ b/lib/libcrypto/rsa/rsa_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_lib.c,v 1.48 2023/07/28 10:05:16 tb Exp $ */ +/* $OpenBSD: rsa_lib.c,v 1.49 2023/11/19 15:46:10 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -71,10 +71,6 @@ #include "evp_local.h" #include "rsa_local.h" -#ifndef OPENSSL_NO_ENGINE -#include <openssl/engine.h> -#endif - static const RSA_METHOD *default_RSA_meth = NULL; RSA * @@ -122,10 +118,6 @@ RSA_set_method(RSA *rsa, const RSA_METHOD *meth) mtmp = rsa->meth; if (mtmp->finish) mtmp->finish(rsa); -#ifndef OPENSSL_NO_ENGINE - ENGINE_finish(rsa->engine); - rsa->engine = NULL; -#endif rsa->meth = meth; if (meth->init) meth->init(rsa); 
@@ -145,25 +137,6 @@ RSA_new_method(ENGINE *engine) ret->meth = RSA_get_default_method(); -#ifndef OPENSSL_NO_ENGINE - if (engine != NULL) { - if (!ENGINE_init(engine)) { - RSAerror(ERR_R_ENGINE_LIB); - goto err; - } - ret->engine = engine; - } else { - ret->engine = ENGINE_get_default_RSA(); - } - - if (ret->engine != NULL) { - if ((ret->meth = ENGINE_get_RSA(ret->engine)) == NULL) { - RSAerror(ERR_R_ENGINE_LIB); - goto err; - } - } -#endif - ret->references = 1; ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW; @@ -178,9 +151,6 @@ RSA_new_method(ENGINE *engine) return ret; err: -#ifndef OPENSSL_NO_ENGINE - ENGINE_finish(ret->engine); -#endif free(ret); return NULL; @@ -201,9 +171,6 @@ RSA_free(RSA *r) if (r->meth->finish) r->meth->finish(r); -#ifndef OPENSSL_NO_ENGINE - ENGINE_finish(r->engine); -#endif CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data); diff --git a/lib/libcrypto/ts/ts.h b/lib/libcrypto/ts/ts.h index 0d5de6223c9..5215fc05839 100644 --- a/lib/libcrypto/ts/ts.h +++ b/lib/libcrypto/ts/ts.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ts.h,v 1.22 2023/07/28 09:53:55 tb Exp $ */ +/* $OpenBSD: ts.h,v 1.23 2023/11/19 15:46:10 tb Exp $ */ /* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL * project 2002, 2003, 2004. */ @@ -542,11 +542,6 @@ EVP_PKEY *TS_CONF_load_key(const char *file, const char *pass); const char *TS_CONF_get_tsa_section(CONF *conf, const char *section); int TS_CONF_set_serial(CONF *conf, const char *section, TS_serial_cb cb, TS_RESP_CTX *ctx); -#ifndef OPENSSL_NO_ENGINE -int TS_CONF_set_crypto_device(CONF *conf, const char *section, - const char *device); -int TS_CONF_set_default_engine(const char *name); -#endif int TS_CONF_set_signer_cert(CONF *conf, const char *section, const char *cert, TS_RESP_CTX *ctx); int TS_CONF_set_certs(CONF *conf, const char *section, const char *certs, diff --git a/lib/libcrypto/ts/ts_conf.c b/lib/libcrypto/ts/ts_conf.c index 103d4302729..5d27a8bbc3b 100644 --- a/lib/libcrypto/ts/ts_conf.c 
+++ b/lib/libcrypto/ts/ts_conf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ts_conf.c,v 1.12 2023/07/07 07:25:21 beck Exp $ */ +/* $OpenBSD: ts_conf.c,v 1.13 2023/11/19 15:46:10 tb Exp $ */ /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL * project 2002. */ @@ -65,10 +65,6 @@ #include <openssl/pem.h> #include <openssl/ts.h> -#ifndef OPENSSL_NO_ENGINE -#include <openssl/engine.h> -#endif - /* Macro definitions for the configuration file. */ #define BASE_SECTION "tsa" @@ -211,56 +207,6 @@ err: } LCRYPTO_ALIAS(TS_CONF_set_serial); -#ifndef OPENSSL_NO_ENGINE - -int -TS_CONF_set_crypto_device(CONF *conf, const char *section, const char *device) -{ - int ret = 0; - - if (!device) - device = NCONF_get_string(conf, section, ENV_CRYPTO_DEVICE); - - if (device && !TS_CONF_set_default_engine(device)) { - TS_CONF_invalid(section, ENV_CRYPTO_DEVICE); - goto err; - } - ret = 1; - -err: - return ret; -} -LCRYPTO_ALIAS(TS_CONF_set_crypto_device); - -int -TS_CONF_set_default_engine(const char *name) -{ - ENGINE *e = NULL; - int ret = 0; - - /* Leave the default if builtin specified. */ - if (strcmp(name, "builtin") == 0) - return 1; - - if (!(e = ENGINE_by_id(name))) - goto err; - /* All the operations are going to be carried out by the engine. */ - if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) - goto err; - ret = 1; - -err: - if (!ret) { - TSerror(TS_R_COULD_NOT_SET_ENGINE); - ERR_asprintf_error_data("engine:%s", name); - } - ENGINE_free(e); - return ret; -} -LCRYPTO_ALIAS(TS_CONF_set_default_engine); - -#endif - int TS_CONF_set_signer_cert(CONF *conf, const char *section, const char *cert, TS_RESP_CTX *ctx) |
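Review bot: The two functions deleted in the last ts_conf.c hunk are the only places in the lines shown that use `ENV_CRYPTO_DEVICE` and `TS_R_COULD_NOT_SET_ENGINE`, so both are probably left without a user in this file. If nothing outside the hunk references them, the macro (presumably defined in the "Macro definitions for the configuration file" block) can be removed along with the code, and the error reason can be retired or marked unused. The commit also removes `TS_CONF_set_crypto_device` and `TS_CONF_set_default_engine` from ts.h, so a TSA configuration that names a crypto device is no longer acted on by the library. A short comment where the functions were, or a line in the commit message, would tell operators who expect the signing key to stay in a hardware device that this setting is now ignored.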