Use arc4random_buf() instead of RAND_bytes() or RAND_pseudo_bytes().

arc4random_buf() is guaranteed to always succeed - it is worth noting
that a number of the replaced function calls were already missing return
value checks.

ok deraadt@

54 files changed, 202 insertions, 260 deletions

diff --git a/src/lib/libcrypto/asn1/asn_mime.c b/src/lib/libcrypto/asn1/asn_mime.c
index c153deca1e..afa0abd696 100644
--- a/src/lib/libcrypto/asn1/asn_mime.c
+++ b/src/lib/libcrypto/asn1/asn_mime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn_mime.c,v 1.22 2014/07/13 16:03:09 beck Exp $ */
+/* $OpenBSD: asn_mime.c,v 1.23 2014/10/22 13:02:03 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -54,12 +54,12 @@
 
 #include <ctype.h>
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/err.h>
-#include <openssl/rand.h>
 #include <openssl/x509.h>
 
 #include "asn1_locl.h"
@@ -298,7 +298,7 @@ SMIME_write_ASN1(BIO *bio, ASN1_VALUE *val, BIO *data, int flags,
         if ((flags & SMIME_DETACHED) && data) {
                 /* We want multipart/signed */
                 /* Generate a random boundary */
-                RAND_pseudo_bytes((unsigned char *)bound, 32);
+                arc4random_buf(bound, 32);
                 for (i = 0; i < 32; i++) {
                         c = bound[i] & 0xf;
                         if (c < 10)
diff --git a/src/lib/libcrypto/asn1/p5_pbe.c b/src/lib/libcrypto/asn1/p5_pbe.c
index ba892b185c..44fbb648be 100644
--- a/src/lib/libcrypto/asn1/p5_pbe.c
+++ b/src/lib/libcrypto/asn1/p5_pbe.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p5_pbe.c,v 1.16 2014/07/11 08:44:47 jsing Exp $ */
+/* $OpenBSD: p5_pbe.c,v 1.17 2014/10/22 13:02:03 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -57,11 +57,11 @@
  */
 
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 
 #include <openssl/asn1t.h>
 #include <openssl/err.h>
-#include <openssl/rand.h>
 #include <openssl/x509.h>
 
 /* PKCS#5 password based encryption structure */
@@ -104,8 +104,8 @@ PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter,
         sstr = ASN1_STRING_data(pbe->salt);
         if (salt)
                 memcpy(sstr, salt, saltlen);
-        else if (RAND_pseudo_bytes(sstr, saltlen) < 0)
-                goto err;
+        else
+                arc4random_buf(sstr, saltlen);
 
         if (!ASN1_item_pack(pbe, ASN1_ITEM_rptr(PBEPARAM), &pbe_str)) {
                 ASN1err(ASN1_F_PKCS5_PBE_SET0_ALGOR, ERR_R_MALLOC_FAILURE);
diff --git a/src/lib/libcrypto/asn1/p5_pbev2.c b/src/lib/libcrypto/asn1/p5_pbev2.c
index 8085aba453..0947965219 100644
--- a/src/lib/libcrypto/asn1/p5_pbev2.c
+++ b/src/lib/libcrypto/asn1/p5_pbev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p5_pbev2.c,v 1.17 2014/07/11 08:44:47 jsing Exp $ */
+/* $OpenBSD: p5_pbev2.c,v 1.18 2014/10/22 13:02:03 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999-2004.
  */
@@ -57,11 +57,11 @@
  */
 
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 
 #include <openssl/asn1t.h>
 #include <openssl/err.h>
-#include <openssl/rand.h>
 #include <openssl/x509.h>
 
 /* PKCS#5 v2.0 password based encryption structures */
@@ -121,9 +121,8 @@ PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter, unsigned char *salt,
         if (EVP_CIPHER_iv_length(cipher)) {
                 if (aiv)
                         memcpy(iv, aiv, EVP_CIPHER_iv_length(cipher));
-                else if (RAND_pseudo_bytes(iv,
-                    EVP_CIPHER_iv_length(cipher)) < 0)
-                        goto err;
+                else
+                        arc4random_buf(iv, EVP_CIPHER_iv_length(cipher));
         }
 
         EVP_CIPHER_CTX_init(&ctx);
@@ -227,8 +226,8 @@ PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen, int prf_nid,
 
         if (salt)
                 memcpy (osalt->data, salt, saltlen);
-        else if (RAND_pseudo_bytes (osalt->data, saltlen) < 0)
-                goto merr;
+        else
+                arc4random_buf(osalt->data, saltlen);
 
         if (iter <= 0)
                 iter = PKCS5_DEFAULT_ITER;
diff --git a/src/lib/libcrypto/bio/bf_nbio.c b/src/lib/libcrypto/bio/bf_nbio.c
index 86a13a8bc8..a86feb49c2 100644
--- a/src/lib/libcrypto/bio/bf_nbio.c
+++ b/src/lib/libcrypto/bio/bf_nbio.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bf_nbio.c,v 1.17 2014/07/11 08:44:47 jsing Exp $ */
+/* $OpenBSD: bf_nbio.c,v 1.18 2014/10/22 13:02:03 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -58,9 +58,9 @@
 
 #include <errno.h>
 #include <stdio.h>
+#include <stdlib.h>
 
 #include <openssl/bio.h>
-#include <openssl/rand.h>
 
 /* BIO_put and BIO_get both add to the digest,
  * BIO_gets returns the digest */
@@ -142,7 +142,7 @@ nbiof_read(BIO *b, char *out, int outl)
 
         BIO_clear_retry_flags(b);
 #if 1
-        RAND_pseudo_bytes(&n, 1);
+        arc4random_buf(&n, 1);
         num = (n & 0x07);
 
         if (outl > num)
@@ -182,7 +182,7 @@ nbiof_write(BIO *b, const char *in, int inl)
                 num = nt->lwn;
                 nt->lwn = 0;
         } else {
-                RAND_pseudo_bytes(&n, 1);
+                arc4random_buf(&n, 1);
                 num = (n&7);
         }
 
diff --git a/src/lib/libcrypto/bn/bn.h b/src/lib/libcrypto/bn/bn.h
index 155adf4fe0..10414dc339 100644
--- a/src/lib/libcrypto/bn/bn.h
+++ b/src/lib/libcrypto/bn/bn.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn.h,v 1.24 2014/06/27 06:07:35 deraadt Exp $ */
+/* $OpenBSD: bn.h,v 1.25 2014/10/22 13:02:04 jsing Exp $ */
 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -125,9 +125,11 @@
 #ifndef HEADER_BN_H
 #define HEADER_BN_H
 
+#include <stdio.h>
+#include <stdlib.h>
+
 #include <openssl/opensslconf.h>
 
-#include <stdio.h> /* FILE */
 #include <openssl/ossl_typ.h>
 #include <openssl/crypto.h>
 
@@ -673,11 +675,6 @@ BIGNUM *bn_dup_expand(const BIGNUM *a, int words); /* unused */
 #include <assert.h>
 
 #ifdef BN_DEBUG_RAND
-/* To avoid "make update" cvs wars due to BN_DEBUG, use some tricks */
-#ifndef RAND_pseudo_bytes
-int RAND_pseudo_bytes(unsigned char *buf, int num);
-#define BN_DEBUG_TRIX
-#endif
 #define bn_pollute(a) \
         do { \
                 const BIGNUM *_bnum1 = (a); \
@@ -688,17 +685,15 @@ int RAND_pseudo_bytes(unsigned char *buf, int num);
                          * wouldn't be constructed with top!=dmax. */ \
                         BN_ULONG *_not_const; \
                         memcpy(&_not_const, &_bnum1->d, sizeof(BN_ULONG*)); \
-                        RAND_pseudo_bytes(&_tmp_char, 1); \
+                        arc4random_buf(&_tmp_char, 1); \
                         memset((unsigned char *)(_not_const + _bnum1->top), _tmp_char, \
                                 (_bnum1->dmax - _bnum1->top) * sizeof(BN_ULONG)); \
                 } \
         } while(0)
-#ifdef BN_DEBUG_TRIX
-#undef RAND_pseudo_bytes
-#endif
 #else
 #define bn_pollute(a)
 #endif
+
 #define bn_check_top(a) \
         do { \
                 const BIGNUM *_bnum2 = (a); \
diff --git a/src/lib/libcrypto/bn/bn_rand.c b/src/lib/libcrypto/bn/bn_rand.c
index acb17882ef..334c65dd57 100644
--- a/src/lib/libcrypto/bn/bn_rand.c
+++ b/src/lib/libcrypto/bn/bn_rand.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_rand.c,v 1.15 2014/07/11 08:44:48 jsing Exp $ */
+/* $OpenBSD: bn_rand.c,v 1.16 2014/10/22 13:02:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -110,10 +110,10 @@
  */
 
 #include <stdio.h>
+#include <stdlib.h>
 #include <time.h>
 
 #include <openssl/err.h>
-#include <openssl/rand.h>
 
 #include "bn_lcl.h"
 
@@ -139,14 +139,7 @@ bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
         }
 
         /* make a random number and set the top and bottom bits */
-
-        if (pseudorand) {
-                if (RAND_pseudo_bytes(buf, bytes) == -1)
-                        goto err;
-        } else {
-                if (RAND_bytes(buf, bytes) <= 0)
-                        goto err;
-        }
+        arc4random_buf(buf, bytes);
 
 #if 1
         if (pseudorand == 2) {
@@ -156,7 +149,7 @@ bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
                 unsigned char c;
 
                 for (i = 0; i < bytes; i++) {
-                        RAND_pseudo_bytes(&c, 1);
+                        arc4random_buf(&c, 1);
                         if (c >= 128 && i > 0)
                                 buf[i] = buf[i - 1];
                         else if (c < 42)
diff --git a/src/lib/libcrypto/cms/cms_enc.c b/src/lib/libcrypto/cms/cms_enc.c
index efe19a3131..f97e4d5f34 100644
--- a/src/lib/libcrypto/cms/cms_enc.c
+++ b/src/lib/libcrypto/cms/cms_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_enc.c,v 1.5 2014/07/11 08:44:48 jsing Exp $ */
+/* $OpenBSD: cms_enc.c,v 1.6 2014/10/22 13:02:04 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -51,11 +51,12 @@
  * ====================================================================
  */
 
+#include <stdlib.h>
+
 #include <openssl/asn1t.h>
 #include <openssl/cms.h>
 #include <openssl/err.h>
 #include <openssl/pem.h>
-#include <openssl/rand.h>
 #include <openssl/x509v3.h>
 
 #include "cms_lcl.h"
@@ -119,8 +120,7 @@ cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec)
                 /* Generate a random IV if we need one */
                 ivlen = EVP_CIPHER_CTX_iv_length(ctx);
                 if (ivlen > 0) {
-                        if (RAND_pseudo_bytes(iv, ivlen) <= 0)
-                                goto err;
+                        arc4random_buf(iv, ivlen);
                         piv = iv;
                 }
         } else if (EVP_CIPHER_asn1_to_param(ctx, calg->parameter) <= 0) {
diff --git a/src/lib/libcrypto/cms/cms_ess.c b/src/lib/libcrypto/cms/cms_ess.c
index e3b7e7da4c..fca62e0627 100644
--- a/src/lib/libcrypto/cms/cms_ess.c
+++ b/src/lib/libcrypto/cms/cms_ess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_ess.c,v 1.6 2014/07/11 08:44:48 jsing Exp $ */
+/* $OpenBSD: cms_ess.c,v 1.7 2014/10/22 13:02:04 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -51,11 +51,12 @@
  * ====================================================================
  */
 
+#include <stdlib.h>
+
 #include <openssl/asn1t.h>
 #include <openssl/cms.h>
 #include <openssl/err.h>
 #include <openssl/pem.h>
-#include <openssl/rand.h>
 #include <openssl/x509v3.h>
 
 #include "cms_lcl.h"
@@ -105,9 +106,7 @@ CMS_ReceiptRequest_create0(unsigned char *id, int idlen, int allorfirst,
         else {
                 if (!ASN1_STRING_set(rr->signedContentIdentifier, NULL, 32))
                         goto merr;
-                if (RAND_pseudo_bytes(rr->signedContentIdentifier->data, 32)
-                        <= 0)
-                        goto err;
+                arc4random_buf(rr->signedContentIdentifier->data, 32);
         }
 
         sk_GENERAL_NAMES_pop_free(rr->receiptsTo, GENERAL_NAMES_free);
diff --git a/src/lib/libcrypto/cms/cms_pwri.c b/src/lib/libcrypto/cms/cms_pwri.c
index b7c3038027..89f7925938 100644
--- a/src/lib/libcrypto/cms/cms_pwri.c
+++ b/src/lib/libcrypto/cms/cms_pwri.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_pwri.c,v 1.7 2014/07/11 15:42:34 miod Exp $ */
+/* $OpenBSD: cms_pwri.c,v 1.8 2014/10/22 13:02:04 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -51,12 +51,13 @@
  * ====================================================================
  */
 
+#include <stdlib.h>
+
 #include <openssl/aes.h>
 #include <openssl/asn1t.h>
 #include <openssl/cms.h>
 #include <openssl/err.h>
 #include <openssl/pem.h>
-#include <openssl/rand.h>
 #include <openssl/x509v3.h>
 
 #include "asn1_locl.h"
@@ -130,8 +131,7 @@ CMS_add0_recipient_password(CMS_ContentInfo *cms, int iter, int wrap_nid,
         ivlen = EVP_CIPHER_CTX_iv_length(&ctx);
 
         if (ivlen > 0) {
-                if (RAND_pseudo_bytes(iv, ivlen) <= 0)
-                        goto err;
+                arc4random_buf(iv, ivlen);
                 if (EVP_EncryptInit_ex(&ctx, NULL, NULL, NULL, iv) <= 0) {
                         CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD,
                             ERR_R_EVP_LIB);
@@ -297,7 +297,7 @@ kek_wrap_key(unsigned char *out, size_t *outlen, const unsigned char *in,
                 memcpy(out + 4, in, inlen);
                 /* Add random padding to end */
                 if (olen > inlen + 4)
-                        RAND_pseudo_bytes(out + 4 + inlen, olen - 4 - inlen);
+                        arc4random_buf(out + 4 + inlen, olen - 4 - inlen);
                 /* Encrypt twice */
                 EVP_EncryptUpdate(ctx, out, &dummy, out, olen);
                 EVP_EncryptUpdate(ctx, out, &dummy, out, olen);
diff --git a/src/lib/libcrypto/des/enc_writ.c b/src/lib/libcrypto/des/enc_writ.c
index a7049ff44e..0130c2c6d9 100644
--- a/src/lib/libcrypto/des/enc_writ.c
+++ b/src/lib/libcrypto/des/enc_writ.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: enc_writ.c,v 1.12 2014/07/11 08:44:48 jsing Exp $ */
+/* $OpenBSD: enc_writ.c,v 1.13 2014/10/22 13:02:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -58,12 +58,11 @@
 
 #include <errno.h>
 #include <stdio.h>
+#include <stdlib.h>
 #include <time.h>
 
 #include <openssl/opensslconf.h>
 
-#include <openssl/rand.h>
-
 #include "des_locl.h"
 
 /*
@@ -136,7 +135,7 @@ int DES_enc_write(int fd, const void *_buf, int len,
                 {
                 cp=shortbuf;
                 memcpy(shortbuf,buf,len);
-                RAND_pseudo_bytes(shortbuf+len, 8-len);
+                arc4random_buf(shortbuf+len, 8-len);
                 rnum=8;
                 }
         else
diff --git a/src/lib/libcrypto/des/rand_key.c b/src/lib/libcrypto/des/rand_key.c
index 727d36f488..7abb811df4 100644
--- a/src/lib/libcrypto/des/rand_key.c
+++ b/src/lib/libcrypto/des/rand_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rand_key.c,v 1.7 2014/07/22 18:09:20 miod Exp $ */
+/* $OpenBSD: rand_key.c,v 1.8 2014/10/22 13:02:04 jsing Exp $ */
 /* ====================================================================
  * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
  *
@@ -53,15 +53,15 @@
  *
  */
 
+#include <stdlib.h>
+
 #include <openssl/des.h>
-#include <openssl/rand.h>
 
 int
 DES_random_key(DES_cblock *ret)
 {
         do {
-                if (RAND_bytes((unsigned char *)ret, sizeof(DES_cblock)) != 1)
-                        return (0);
+                arc4random_buf(ret, sizeof(DES_cblock));
                 DES_set_odd_parity(ret);
         } while (DES_is_weak_key(ret));
         return (1);
diff --git a/src/lib/libcrypto/dsa/dsa_gen.c b/src/lib/libcrypto/dsa/dsa_gen.c
index a3d07b901a..296a544c31 100644
--- a/src/lib/libcrypto/dsa/dsa_gen.c
+++ b/src/lib/libcrypto/dsa/dsa_gen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_gen.c,v 1.16 2014/07/12 16:03:37 miod Exp $ */
+/* $OpenBSD: dsa_gen.c,v 1.17 2014/10/22 13:02:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -61,11 +61,11 @@
 #ifndef OPENSSL_NO_SHA
 
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 
 #include <openssl/bn.h>
 #include <openssl/evp.h>
-#include <openssl/rand.h>
 #include <openssl/sha.h>
 
 #include "dsa_locl.h"
@@ -169,7 +169,7 @@ dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, const EVP_MD *evpmd,
                                 goto err;
 
                         if (!seed_len) {
-                                RAND_pseudo_bytes(seed, qsize);
+                                arc4random_buf(seed, qsize);
                                 seed_is_random = 1;
                         } else {
                                 seed_is_random = 0;
diff --git a/src/lib/libcrypto/engine/eng_lib.c b/src/lib/libcrypto/engine/eng_lib.c
index 118fa6cb9c..b3b9213d87 100644
--- a/src/lib/libcrypto/engine/eng_lib.c
+++ b/src/lib/libcrypto/engine/eng_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: eng_lib.c,v 1.9 2014/07/10 13:58:22 jsing Exp $ */
+/* $OpenBSD: eng_lib.c,v 1.10 2014/10/22 13:02:04 jsing Exp $ */
 /* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
  * project 2000.
  */
@@ -58,9 +58,10 @@
 
 #include <string.h>
 
-#include "eng_int.h"
 #include <openssl/rand.h>
 
+#include "eng_int.h"
+
 /* The "new"/"free" stuff first */
 
 ENGINE *
diff --git a/src/lib/libcrypto/evp/e_aes.c b/src/lib/libcrypto/evp/e_aes.c
index f96a15f19c..bb3b420a3b 100644
--- a/src/lib/libcrypto/evp/e_aes.c
+++ b/src/lib/libcrypto/evp/e_aes.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_aes.c,v 1.25 2014/07/12 19:31:03 miod Exp $ */
+/* $OpenBSD: e_aes.c,v 1.26 2014/10/22 13:02:04 jsing Exp $ */
 /* ====================================================================
  * Copyright (c) 2001-2011 The OpenSSL Project.  All rights reserved.
  *
@@ -50,6 +50,7 @@
  */
 
 #include <assert.h>
+#include <stdlib.h>
 #include <string.h>
 
 #include <openssl/opensslconf.h>
@@ -58,7 +59,6 @@
 #include <openssl/aes.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
-#include <openssl/rand.h>
 
 #include "evp_locl.h"
 #include "modes_lcl.h"
@@ -769,9 +769,8 @@ aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
                         return 0;
                 if (arg)
                         memcpy(gctx->iv, ptr, arg);
-                if (c->encrypt &&
-                    RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
-                        return 0;
+                if (c->encrypt)
+                        arc4random_buf(gctx->iv + arg, gctx->ivlen - arg);
                 gctx->iv_gen = 1;
                 return 1;
 
diff --git a/src/lib/libcrypto/evp/evp_enc.c b/src/lib/libcrypto/evp/evp_enc.c
index 4333e4dff8..49ceacefad 100644
--- a/src/lib/libcrypto/evp/evp_enc.c
+++ b/src/lib/libcrypto/evp/evp_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_enc.c,v 1.24 2014/07/11 08:44:48 jsing Exp $ */
+/* $OpenBSD: evp_enc.c,v 1.25 2014/10/22 13:02:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -57,13 +57,13 @@
  */
 
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 
 #include <openssl/opensslconf.h>
 
 #include <openssl/err.h>
 #include <openssl/evp.h>
-#include <openssl/rand.h>
 
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
@@ -613,8 +613,7 @@ EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
 {
         if (ctx->cipher->flags & EVP_CIPH_RAND_KEY)
                 return EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_RAND_KEY, 0, key);
-        if (RAND_bytes(key, ctx->key_len) <= 0)
-                return 0;
+        arc4random_buf(key, ctx->key_len);
         return 1;
 }
 
diff --git a/src/lib/libcrypto/evp/p_seal.c b/src/lib/libcrypto/evp/p_seal.c
index 4f8417ae64..8b9740fbcd 100644
--- a/src/lib/libcrypto/evp/p_seal.c
+++ b/src/lib/libcrypto/evp/p_seal.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p_seal.c,v 1.13 2014/07/11 08:44:48 jsing Exp $ */
+/* $OpenBSD: p_seal.c,v 1.14 2014/10/22 13:02:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -57,12 +57,12 @@
  */
 
 #include <stdio.h>
+#include <stdlib.h>
 
 #include <openssl/opensslconf.h>
 
 #include <openssl/evp.h>
 #include <openssl/objects.h>
-#include <openssl/rand.h>
 #include <openssl/x509.h>
 
 #ifndef OPENSSL_NO_RSA
@@ -86,7 +86,7 @@ EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, unsigned char **ek,
         if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0)
                 return 0;
         if (EVP_CIPHER_CTX_iv_length(ctx))
-                RAND_pseudo_bytes(iv, EVP_CIPHER_CTX_iv_length(ctx));
+                arc4random_buf(iv, EVP_CIPHER_CTX_iv_length(ctx));
 
         if (!EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv))
                 return 0;
diff --git a/src/lib/libcrypto/ocsp/ocsp_ext.c b/src/lib/libcrypto/ocsp/ocsp_ext.c
index c7b9d817ac..6318e1718b 100644
--- a/src/lib/libcrypto/ocsp/ocsp_ext.c
+++ b/src/lib/libcrypto/ocsp/ocsp_ext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_ext.c,v 1.11 2014/07/11 08:44:49 jsing Exp $ */
+/* $OpenBSD: ocsp_ext.c,v 1.12 2014/10/22 13:02:04 jsing Exp $ */
 /* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
  * project. */
 
@@ -62,11 +62,11 @@
  */
 
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 
 #include <openssl/objects.h>
 #include <openssl/ocsp.h>
-#include <openssl/rand.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
@@ -389,7 +389,7 @@ ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val, int len)
         if (val)
                 memcpy(tmpval, val, len);
         else
-                RAND_pseudo_bytes(tmpval, len);
+                arc4random_buf(tmpval, len);
         if (!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce, &os, 0,
             X509V3_ADD_REPLACE))
                 goto err;
diff --git a/src/lib/libcrypto/pem/pem_lib.c b/src/lib/libcrypto/pem/pem_lib.c
index 26b1876f36..1ebae53e74 100644
--- a/src/lib/libcrypto/pem/pem_lib.c
+++ b/src/lib/libcrypto/pem/pem_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_lib.c,v 1.34 2014/07/23 20:43:56 miod Exp $ */
+/* $OpenBSD: pem_lib.c,v 1.35 2014/10/22 13:02:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -58,6 +58,7 @@
 
 #include <ctype.h>
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 
 #include <openssl/opensslconf.h>
@@ -67,7 +68,6 @@
 #include <openssl/objects.h>
 #include <openssl/pem.h>
 #include <openssl/pkcs12.h>
-#include <openssl/rand.h>
 #include <openssl/x509.h>
 
 #ifndef OPENSSL_NO_DES
@@ -390,8 +390,7 @@ PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, void *x,
                         kstr = (unsigned char *)buf;
                 }
                 OPENSSL_assert(enc->iv_len <= (int)sizeof(iv));
-                if (RAND_pseudo_bytes(iv, enc->iv_len) < 0) /* Generate a salt */
-                        goto err;
+                arc4random_buf(iv, enc->iv_len); /* Generate a salt */
                 /* The 'iv' is used as the iv and as a salt.  It is
                  * NOT taken from the BytesToKey function */
                 if (!EVP_BytesToKey(enc, EVP_md5(), iv, kstr, klen, 1,
diff --git a/src/lib/libcrypto/pem/pvkfmt.c b/src/lib/libcrypto/pem/pvkfmt.c
index ca7e908c29..2009c9db80 100644
--- a/src/lib/libcrypto/pem/pvkfmt.c
+++ b/src/lib/libcrypto/pem/pvkfmt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pvkfmt.c,v 1.11 2014/07/12 16:03:37 miod Exp $ */
+/* $OpenBSD: pvkfmt.c,v 1.12 2014/10/22 13:02:04 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2005.
  */
@@ -60,6 +60,7 @@
  * and PRIVATEKEYBLOB).
  */
 
+#include <stdlib.h>
 #include <string.h>
 
 #include <openssl/opensslconf.h>
@@ -67,7 +68,6 @@
 #include <openssl/bn.h>
 #include <openssl/err.h>
 #include <openssl/pem.h>
-#include <openssl/rand.h>
 
 #if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA)
 #include <openssl/dsa.h>
@@ -869,8 +869,7 @@ i2b_PVK(unsigned char **out, EVP_PKEY*pk, int enclevel, pem_password_cb *cb,
         write_ledword(&p, enclevel ? PVK_SALTLEN : 0);
         write_ledword(&p, pklen);
         if (enclevel) {
-                if (RAND_bytes(p, PVK_SALTLEN) <= 0)
-                        goto error;
+                arc4random_buf(p, PVK_SALTLEN);
                 salt = p;
                 p += PVK_SALTLEN;
         }
diff --git a/src/lib/libcrypto/pkcs12/p12_mutl.c b/src/lib/libcrypto/pkcs12/p12_mutl.c
index 453d30d65f..0c49bf96fd 100644
--- a/src/lib/libcrypto/pkcs12/p12_mutl.c
+++ b/src/lib/libcrypto/pkcs12/p12_mutl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_mutl.c,v 1.17 2014/07/11 08:44:49 jsing Exp $ */
+/* $OpenBSD: p12_mutl.c,v 1.18 2014/10/22 13:02:04 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -57,6 +57,7 @@
  */
 
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 
 #include <openssl/opensslconf.h>
@@ -66,7 +67,6 @@
 #include <openssl/err.h>
 #include <openssl/hmac.h>
 #include <openssl/pkcs12.h>
-#include <openssl/rand.h>
 
 /* Generate a MAC */
 int
@@ -193,10 +193,9 @@ PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
                 PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
                 return 0;
         }
-        if (!salt) {
-                if (RAND_pseudo_bytes (p12->mac->salt->data, saltlen) < 0)
-                        return 0;
-        } else
+        if (!salt)
+                arc4random_buf(p12->mac->salt->data, saltlen);
+        else
                 memcpy (p12->mac->salt->data, salt, saltlen);
         p12->mac->dinfo->algor->algorithm = OBJ_nid2obj(EVP_MD_type(md_type));
         if (!(p12->mac->dinfo->algor->parameter = ASN1_TYPE_new())) {
diff --git a/src/lib/libcrypto/pkcs7/pk7_doit.c b/src/lib/libcrypto/pkcs7/pk7_doit.c
index 8f1e393635..d69aff8f41 100644
--- a/src/lib/libcrypto/pkcs7/pk7_doit.c
+++ b/src/lib/libcrypto/pkcs7/pk7_doit.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pk7_doit.c,v 1.29 2014/07/25 06:05:32 doug Exp $ */
+/* $OpenBSD: pk7_doit.c,v 1.30 2014/10/22 13:02:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -57,11 +57,11 @@
  */
 
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 
 #include <openssl/err.h>
 #include <openssl/objects.h>
-#include <openssl/rand.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
@@ -324,8 +324,7 @@ PKCS7_dataInit(PKCS7 *p7, BIO *bio)
                 ivlen = EVP_CIPHER_iv_length(evp_cipher);
                 xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher));
                 if (ivlen > 0)
-                        if (RAND_pseudo_bytes(iv, ivlen) <= 0)
-                                goto err;
+                        arc4random_buf(iv, ivlen);
                 if (EVP_CipherInit_ex(ctx, evp_cipher, NULL, NULL,
                     NULL, 1) <= 0)
                         goto err;
diff --git a/src/lib/libcrypto/rand/rand_lib.c b/src/lib/libcrypto/rand/rand_lib.c
index 2b2c827740..8342a55f05 100644
--- a/src/lib/libcrypto/rand/rand_lib.c
+++ b/src/lib/libcrypto/rand/rand_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rand_lib.c,v 1.19 2014/07/11 08:44:49 jsing Exp $ */
+/* $OpenBSD: rand_lib.c,v 1.20 2014/10/22 13:02:04 jsing Exp $ */
 /*
  * Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
  *
@@ -15,12 +15,12 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
+#include <stdlib.h>
+
 #include <openssl/opensslconf.h>
 
 #include <openssl/rand.h>
 
-#include <stdlib.h>
-
 /*
  * The useful functions in this file are at the bottom.
  */
diff --git a/src/lib/libcrypto/rand/randfile.c b/src/lib/libcrypto/rand/randfile.c
index dca49b10aa..e54a009420 100644
--- a/src/lib/libcrypto/rand/randfile.c
+++ b/src/lib/libcrypto/rand/randfile.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: randfile.c,v 1.39 2014/07/14 00:01:39 deraadt Exp $ */
+/* $OpenBSD: randfile.c,v 1.40 2014/10/22 13:02:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -118,8 +118,7 @@ RAND_write_file(const char *file)
         for (;;) {
                 i = (n > BUFSIZE) ? BUFSIZE : n;
                 n -= BUFSIZE;
-                if (RAND_bytes(buf, i) <= 0)
-                        rand_err = 1;
+                arc4random_buf(buf, i);
                 i = fwrite(buf, 1, i, out);
                 if (i <= 0) {
                         ret = 0;
diff --git a/src/lib/libcrypto/rsa/rsa_oaep.c b/src/lib/libcrypto/rsa/rsa_oaep.c
index 9be0f9be31..8585d7c3aa 100644
--- a/src/lib/libcrypto/rsa/rsa_oaep.c
+++ b/src/lib/libcrypto/rsa/rsa_oaep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_oaep.c,v 1.23 2014/07/11 08:44:49 jsing Exp $ */
+/* $OpenBSD: rsa_oaep.c,v 1.24 2014/10/22 13:02:04 jsing Exp $ */
 /* Written by Ulf Moeller. This software is distributed on an "AS IS"
    basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */
 
@@ -19,6 +19,7 @@
  */
 
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 
 #include <openssl/opensslconf.h>
@@ -28,7 +29,6 @@
 #include <openssl/bn.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
-#include <openssl/rand.h>
 #include <openssl/rsa.h>
 #include <openssl/sha.h>
 
@@ -65,8 +65,7 @@ RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
             emlen - flen - 2 * SHA_DIGEST_LENGTH - 1);
         db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01;
         memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, flen);
-        if (RAND_bytes(seed, SHA_DIGEST_LENGTH) <= 0)
-                return 0;
+        arc4random_buf(seed, SHA_DIGEST_LENGTH);
 
         dbmask = malloc(emlen - SHA_DIGEST_LENGTH);
         if (dbmask == NULL) {
diff --git a/src/lib/libcrypto/rsa/rsa_pk1.c b/src/lib/libcrypto/rsa/rsa_pk1.c
index 4f82bf6768..6c3e7fb846 100644
--- a/src/lib/libcrypto/rsa/rsa_pk1.c
+++ b/src/lib/libcrypto/rsa/rsa_pk1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_pk1.c,v 1.13 2014/07/11 08:44:49 jsing Exp $ */
+/* $OpenBSD: rsa_pk1.c,v 1.14 2014/10/22 13:02:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -57,12 +57,12 @@
  */
 
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 
 #include <openssl/bn.h>
 #include <openssl/err.h>
 #include <openssl/rsa.h>
-#include <openssl/rand.h>
 
 int
 RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
@@ -167,13 +167,10 @@ RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
         /* pad out with non-zero random data */
         j = tlen - 3 - flen;
 
-        if (RAND_bytes(p, j) <= 0)
-                return 0;
+        arc4random_buf(p, j);
         for (i = 0; i < j; i++) {
-                while (*p == '\0') {
-                        if (RAND_bytes(p, 1) <= 0)
-                                return 0;
-                }
+                while (*p == '\0')
+                        arc4random_buf(p, 1);
                 p++;
         }
 
diff --git a/src/lib/libcrypto/rsa/rsa_pss.c b/src/lib/libcrypto/rsa/rsa_pss.c
index f841b2f8a3..5e137a3090 100644
--- a/src/lib/libcrypto/rsa/rsa_pss.c
+++ b/src/lib/libcrypto/rsa/rsa_pss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_pss.c,v 1.10 2014/07/13 12:53:46 miod Exp $ */
+/* $OpenBSD: rsa_pss.c,v 1.11 2014/10/22 13:02:04 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2005.
  */
@@ -57,12 +57,12 @@
  */
 
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 
 #include <openssl/bn.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
-#include <openssl/rand.h>
 #include <openssl/rsa.h>
 #include <openssl/sha.h>
 
@@ -243,8 +243,7 @@ RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
                             ERR_R_MALLOC_FAILURE);
                         goto err;
                 }
-                if (RAND_bytes(salt, sLen) <= 0)
-                        goto err;
+                arc4random_buf(salt, sLen);
         }
         maskedDBLen = emLen - hLen - 1;
         H = EM + maskedDBLen;
diff --git a/src/lib/libcrypto/rsa/rsa_ssl.c b/src/lib/libcrypto/rsa/rsa_ssl.c
index a5fe5004b1..73262f29c1 100644
--- a/src/lib/libcrypto/rsa/rsa_ssl.c
+++ b/src/lib/libcrypto/rsa/rsa_ssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_ssl.c,v 1.13 2014/07/11 08:44:49 jsing Exp $ */
+/* $OpenBSD: rsa_ssl.c,v 1.14 2014/10/22 13:02:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -57,11 +57,11 @@
  */
 
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 
 #include <openssl/bn.h>
 #include <openssl/err.h>
-#include <openssl/rand.h>
 #include <openssl/rsa.h>
 
 int
@@ -85,13 +85,10 @@ RSA_padding_add_SSLv23(unsigned char *to, int tlen, const unsigned char *from,
         /* pad out with non-zero random data */
         j = tlen - 3 - 8 - flen;
 
-        if (RAND_bytes(p, j) <= 0)
-                return 0;
+        arc4random_buf(p, j);
         for (i = 0; i < j; i++) {
-                while (*p == '\0') {
-                        if (RAND_bytes(p, 1) <= 0)
-                                return 0;
-                }
+                while (*p == '\0')
+                        arc4random_buf(p, 1);
                 p++;
         }
 
diff --git a/src/lib/libssl/src/crypto/asn1/asn_mime.c b/src/lib/libssl/src/crypto/asn1/asn_mime.c
index c153deca1e..afa0abd696 100644
--- a/src/lib/libssl/src/crypto/asn1/asn_mime.c
+++ b/src/lib/libssl/src/crypto/asn1/asn_mime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn_mime.c,v 1.22 2014/07/13 16:03:09 beck Exp $ */
+/* $OpenBSD: asn_mime.c,v 1.23 2014/10/22 13:02:03 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -54,12 +54,12 @@
 
 #include <ctype.h>
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/err.h>
-#include <openssl/rand.h>
 #include <openssl/x509.h>
 
 #include "asn1_locl.h"
@@ -298,7 +298,7 @@ SMIME_write_ASN1(BIO *bio, ASN1_VALUE *val, BIO *data, int flags,
         if ((flags & SMIME_DETACHED) && data) {
                 /* We want multipart/signed */
                 /* Generate a random boundary */
-                RAND_pseudo_bytes((unsigned char *)bound, 32);
+                arc4random_buf(bound, 32);
                 for (i = 0; i < 32; i++) {
                         c = bound[i] & 0xf;
                         if (c < 10)
diff --git a/src/lib/libssl/src/crypto/asn1/p5_pbe.c b/src/lib/libssl/src/crypto/asn1/p5_pbe.c
index ba892b185c..44fbb648be 100644
--- a/src/lib/libssl/src/crypto/asn1/p5_pbe.c
+++ b/src/lib/libssl/src/crypto/asn1/p5_pbe.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p5_pbe.c,v 1.16 2014/07/11 08:44:47 jsing Exp $ */
+/* $OpenBSD: p5_pbe.c,v 1.17 2014/10/22 13:02:03 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -57,11 +57,11 @@
  */
 
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 
 #include <openssl/asn1t.h>
 #include <openssl/err.h>
-#include <openssl/rand.h>
 #include <openssl/x509.h>
 
 /* PKCS#5 password based encryption structure */
@@ -104,8 +104,8 @@ PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter,
         sstr = ASN1_STRING_data(pbe->salt);
         if (salt)
                 memcpy(sstr, salt, saltlen);
-        else if (RAND_pseudo_bytes(sstr, saltlen) < 0)
-                goto err;
+        else
+                arc4random_buf(sstr, saltlen);
 
         if (!ASN1_item_pack(pbe, ASN1_ITEM_rptr(PBEPARAM), &pbe_str)) {
                 ASN1err(ASN1_F_PKCS5_PBE_SET0_ALGOR, ERR_R_MALLOC_FAILURE);
diff --git a/src/lib/libssl/src/crypto/asn1/p5_pbev2.c b/src/lib/libssl/src/crypto/asn1/p5_pbev2.c
index 8085aba453..0947965219 100644
--- a/src/lib/libssl/src/crypto/asn1/p5_pbev2.c
+++ b/src/lib/libssl/src/crypto/asn1/p5_pbev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p5_pbev2.c,v 1.17 2014/07/11 08:44:47 jsing Exp $ */
+/* $OpenBSD: p5_pbev2.c,v 1.18 2014/10/22 13:02:03 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999-2004.
  */
@@ -57,11 +57,11 @@
  */
 
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 
 #include <openssl/asn1t.h>
 #include <openssl/err.h>
-#include <openssl/rand.h>
 #include <openssl/x509.h>
 
 /* PKCS#5 v2.0 password based encryption structures */
@@ -121,9 +121,8 @@ PKCS5_pbe2_set_iv(const EVP_CIPHER *cipher, int iter, unsigned char *salt,
         if (EVP_CIPHER_iv_length(cipher)) {
                 if (aiv)
                         memcpy(iv, aiv, EVP_CIPHER_iv_length(cipher));
-                else if (RAND_pseudo_bytes(iv,
-                    EVP_CIPHER_iv_length(cipher)) < 0)
-                        goto err;
+                else
+                        arc4random_buf(iv, EVP_CIPHER_iv_length(cipher));
         }
 
         EVP_CIPHER_CTX_init(&ctx);
@@ -227,8 +226,8 @@ PKCS5_pbkdf2_set(int iter, unsigned char *salt, int saltlen, int prf_nid,
 
         if (salt)
                 memcpy (osalt->data, salt, saltlen);
-        else if (RAND_pseudo_bytes (osalt->data, saltlen) < 0)
-                goto merr;
+        else
+                arc4random_buf(osalt->data, saltlen);
 
         if (iter <= 0)
                 iter = PKCS5_DEFAULT_ITER;
diff --git a/src/lib/libssl/src/crypto/bio/bf_nbio.c b/src/lib/libssl/src/crypto/bio/bf_nbio.c
index 86a13a8bc8..a86feb49c2 100644
--- a/src/lib/libssl/src/crypto/bio/bf_nbio.c
+++ b/src/lib/libssl/src/crypto/bio/bf_nbio.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bf_nbio.c,v 1.17 2014/07/11 08:44:47 jsing Exp $ */
+/* $OpenBSD: bf_nbio.c,v 1.18 2014/10/22 13:02:03 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -58,9 +58,9 @@
 
 #include <errno.h>
 #include <stdio.h>
+#include <stdlib.h>
 
 #include <openssl/bio.h>
-#include <openssl/rand.h>
 
 /* BIO_put and BIO_get both add to the digest,
  * BIO_gets returns the digest */
@@ -142,7 +142,7 @@ nbiof_read(BIO *b, char *out, int outl)
 
         BIO_clear_retry_flags(b);
 #if 1
-        RAND_pseudo_bytes(&n, 1);
+        arc4random_buf(&n, 1);
         num = (n & 0x07);
 
         if (outl > num)
@@ -182,7 +182,7 @@ nbiof_write(BIO *b, const char *in, int inl)
                 num = nt->lwn;
                 nt->lwn = 0;
         } else {
-                RAND_pseudo_bytes(&n, 1);
+                arc4random_buf(&n, 1);
                 num = (n&7);
         }
 
diff --git a/src/lib/libssl/src/crypto/bn/bn.h b/src/lib/libssl/src/crypto/bn/bn.h
index 155adf4fe0..10414dc339 100644
--- a/src/lib/libssl/src/crypto/bn/bn.h
+++ b/src/lib/libssl/src/crypto/bn/bn.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn.h,v 1.24 2014/06/27 06:07:35 deraadt Exp $ */
+/* $OpenBSD: bn.h,v 1.25 2014/10/22 13:02:04 jsing Exp $ */
 /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -125,9 +125,11 @@
 #ifndef HEADER_BN_H
 #define HEADER_BN_H
 
+#include <stdio.h>
+#include <stdlib.h>
+
 #include <openssl/opensslconf.h>
 
-#include <stdio.h> /* FILE */
 #include <openssl/ossl_typ.h>
 #include <openssl/crypto.h>
 
@@ -673,11 +675,6 @@ BIGNUM *bn_dup_expand(const BIGNUM *a, int words); /* unused */
 #include <assert.h>
 
 #ifdef BN_DEBUG_RAND
-/* To avoid "make update" cvs wars due to BN_DEBUG, use some tricks */
-#ifndef RAND_pseudo_bytes
-int RAND_pseudo_bytes(unsigned char *buf, int num);
-#define BN_DEBUG_TRIX
-#endif
 #define bn_pollute(a) \
         do { \
                 const BIGNUM *_bnum1 = (a); \
@@ -688,17 +685,15 @@ int RAND_pseudo_bytes(unsigned char *buf, int num);
                          * wouldn't be constructed with top!=dmax. */ \
                         BN_ULONG *_not_const; \
                         memcpy(&_not_const, &_bnum1->d, sizeof(BN_ULONG*)); \
-                        RAND_pseudo_bytes(&_tmp_char, 1); \
+                        arc4random_buf(&_tmp_char, 1); \
                         memset((unsigned char *)(_not_const + _bnum1->top), _tmp_char, \
                                 (_bnum1->dmax - _bnum1->top) * sizeof(BN_ULONG)); \
                 } \
         } while(0)
-#ifdef BN_DEBUG_TRIX
-#undef RAND_pseudo_bytes
-#endif
 #else
 #define bn_pollute(a)
 #endif
+
 #define bn_check_top(a) \
         do { \
                 const BIGNUM *_bnum2 = (a); \
diff --git a/src/lib/libssl/src/crypto/bn/bn_rand.c b/src/lib/libssl/src/crypto/bn/bn_rand.c
index acb17882ef..334c65dd57 100644
--- a/src/lib/libssl/src/crypto/bn/bn_rand.c
+++ b/src/lib/libssl/src/crypto/bn/bn_rand.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_rand.c,v 1.15 2014/07/11 08:44:48 jsing Exp $ */
+/* $OpenBSD: bn_rand.c,v 1.16 2014/10/22 13:02:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -110,10 +110,10 @@
  */
 
 #include <stdio.h>
+#include <stdlib.h>
 #include <time.h>
 
 #include <openssl/err.h>
-#include <openssl/rand.h>
 
 #include "bn_lcl.h"
 
@@ -139,14 +139,7 @@ bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
         }
 
         /* make a random number and set the top and bottom bits */
-
-        if (pseudorand) {
-                if (RAND_pseudo_bytes(buf, bytes) == -1)
-                        goto err;
-        } else {
-                if (RAND_bytes(buf, bytes) <= 0)
-                        goto err;
-        }
+        arc4random_buf(buf, bytes);
 
 #if 1
         if (pseudorand == 2) {
@@ -156,7 +149,7 @@ bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
                 unsigned char c;
 
                 for (i = 0; i < bytes; i++) {
-                        RAND_pseudo_bytes(&c, 1);
+                        arc4random_buf(&c, 1);
                         if (c >= 128 && i > 0)
                                 buf[i] = buf[i - 1];
                         else if (c < 42)
diff --git a/src/lib/libssl/src/crypto/cms/cms_enc.c b/src/lib/libssl/src/crypto/cms/cms_enc.c
index efe19a3131..f97e4d5f34 100644
--- a/src/lib/libssl/src/crypto/cms/cms_enc.c
+++ b/src/lib/libssl/src/crypto/cms/cms_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_enc.c,v 1.5 2014/07/11 08:44:48 jsing Exp $ */
+/* $OpenBSD: cms_enc.c,v 1.6 2014/10/22 13:02:04 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -51,11 +51,12 @@
  * ====================================================================
  */
 
+#include <stdlib.h>
+
 #include <openssl/asn1t.h>
 #include <openssl/cms.h>
 #include <openssl/err.h>
 #include <openssl/pem.h>
-#include <openssl/rand.h>
 #include <openssl/x509v3.h>
 
 #include "cms_lcl.h"
@@ -119,8 +120,7 @@ cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec)
                 /* Generate a random IV if we need one */
                 ivlen = EVP_CIPHER_CTX_iv_length(ctx);
                 if (ivlen > 0) {
-                        if (RAND_pseudo_bytes(iv, ivlen) <= 0)
-                                goto err;
+                        arc4random_buf(iv, ivlen);
                         piv = iv;
                 }
         } else if (EVP_CIPHER_asn1_to_param(ctx, calg->parameter) <= 0) {
diff --git a/src/lib/libssl/src/crypto/cms/cms_ess.c b/src/lib/libssl/src/crypto/cms/cms_ess.c
index e3b7e7da4c..fca62e0627 100644
--- a/src/lib/libssl/src/crypto/cms/cms_ess.c
+++ b/src/lib/libssl/src/crypto/cms/cms_ess.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_ess.c,v 1.6 2014/07/11 08:44:48 jsing Exp $ */
+/* $OpenBSD: cms_ess.c,v 1.7 2014/10/22 13:02:04 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -51,11 +51,12 @@
  * ====================================================================
  */
 
+#include <stdlib.h>
+
 #include <openssl/asn1t.h>
 #include <openssl/cms.h>
 #include <openssl/err.h>
 #include <openssl/pem.h>
-#include <openssl/rand.h>
 #include <openssl/x509v3.h>
 
 #include "cms_lcl.h"
@@ -105,9 +106,7 @@ CMS_ReceiptRequest_create0(unsigned char *id, int idlen, int allorfirst,
         else {
                 if (!ASN1_STRING_set(rr->signedContentIdentifier, NULL, 32))
                         goto merr;
-                if (RAND_pseudo_bytes(rr->signedContentIdentifier->data, 32)
-                        <= 0)
-                        goto err;
+                arc4random_buf(rr->signedContentIdentifier->data, 32);
         }
 
         sk_GENERAL_NAMES_pop_free(rr->receiptsTo, GENERAL_NAMES_free);
diff --git a/src/lib/libssl/src/crypto/cms/cms_pwri.c b/src/lib/libssl/src/crypto/cms/cms_pwri.c
index b7c3038027..89f7925938 100644
--- a/src/lib/libssl/src/crypto/cms/cms_pwri.c
+++ b/src/lib/libssl/src/crypto/cms/cms_pwri.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_pwri.c,v 1.7 2014/07/11 15:42:34 miod Exp $ */
+/* $OpenBSD: cms_pwri.c,v 1.8 2014/10/22 13:02:04 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
  */
@@ -51,12 +51,13 @@
  * ====================================================================
  */
 
+#include <stdlib.h>
+
 #include <openssl/aes.h>
 #include <openssl/asn1t.h>
 #include <openssl/cms.h>
 #include <openssl/err.h>
 #include <openssl/pem.h>
-#include <openssl/rand.h>
 #include <openssl/x509v3.h>
 
 #include "asn1_locl.h"
@@ -130,8 +131,7 @@ CMS_add0_recipient_password(CMS_ContentInfo *cms, int iter, int wrap_nid,
         ivlen = EVP_CIPHER_CTX_iv_length(&ctx);
 
         if (ivlen > 0) {
-                if (RAND_pseudo_bytes(iv, ivlen) <= 0)
-                        goto err;
+                arc4random_buf(iv, ivlen);
                 if (EVP_EncryptInit_ex(&ctx, NULL, NULL, NULL, iv) <= 0) {
                         CMSerr(CMS_F_CMS_ADD0_RECIPIENT_PASSWORD,
                             ERR_R_EVP_LIB);
@@ -297,7 +297,7 @@ kek_wrap_key(unsigned char *out, size_t *outlen, const unsigned char *in,
                 memcpy(out + 4, in, inlen);
                 /* Add random padding to end */
                 if (olen > inlen + 4)
-                        RAND_pseudo_bytes(out + 4 + inlen, olen - 4 - inlen);
+                        arc4random_buf(out + 4 + inlen, olen - 4 - inlen);
                 /* Encrypt twice */
                 EVP_EncryptUpdate(ctx, out, &dummy, out, olen);
                 EVP_EncryptUpdate(ctx, out, &dummy, out, olen);
diff --git a/src/lib/libssl/src/crypto/des/enc_writ.c b/src/lib/libssl/src/crypto/des/enc_writ.c
index a7049ff44e..0130c2c6d9 100644
--- a/src/lib/libssl/src/crypto/des/enc_writ.c
+++ b/src/lib/libssl/src/crypto/des/enc_writ.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: enc_writ.c,v 1.12 2014/07/11 08:44:48 jsing Exp $ */
+/* $OpenBSD: enc_writ.c,v 1.13 2014/10/22 13:02:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -58,12 +58,11 @@
 
 #include <errno.h>
 #include <stdio.h>
+#include <stdlib.h>
 #include <time.h>
 
 #include <openssl/opensslconf.h>
 
-#include <openssl/rand.h>
-
 #include "des_locl.h"
 
 /*
@@ -136,7 +135,7 @@ int DES_enc_write(int fd, const void *_buf, int len,
                 {
                 cp=shortbuf;
                 memcpy(shortbuf,buf,len);
-                RAND_pseudo_bytes(shortbuf+len, 8-len);
+                arc4random_buf(shortbuf+len, 8-len);
                 rnum=8;
                 }
         else
diff --git a/src/lib/libssl/src/crypto/des/rand_key.c b/src/lib/libssl/src/crypto/des/rand_key.c
index 727d36f488..7abb811df4 100644
--- a/src/lib/libssl/src/crypto/des/rand_key.c
+++ b/src/lib/libssl/src/crypto/des/rand_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rand_key.c,v 1.7 2014/07/22 18:09:20 miod Exp $ */
+/* $OpenBSD: rand_key.c,v 1.8 2014/10/22 13:02:04 jsing Exp $ */
 /* ====================================================================
  * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
  *
@@ -53,15 +53,15 @@
  *
  */
 
+#include <stdlib.h>
+
 #include <openssl/des.h>
-#include <openssl/rand.h>
 
 int
 DES_random_key(DES_cblock *ret)
 {
         do {
-                if (RAND_bytes((unsigned char *)ret, sizeof(DES_cblock)) != 1)
-                        return (0);
+                arc4random_buf(ret, sizeof(DES_cblock));
                 DES_set_odd_parity(ret);
         } while (DES_is_weak_key(ret));
         return (1);
diff --git a/src/lib/libssl/src/crypto/dsa/dsa_gen.c b/src/lib/libssl/src/crypto/dsa/dsa_gen.c
index a3d07b901a..296a544c31 100644
--- a/src/lib/libssl/src/crypto/dsa/dsa_gen.c
+++ b/src/lib/libssl/src/crypto/dsa/dsa_gen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_gen.c,v 1.16 2014/07/12 16:03:37 miod Exp $ */
+/* $OpenBSD: dsa_gen.c,v 1.17 2014/10/22 13:02:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -61,11 +61,11 @@
 #ifndef OPENSSL_NO_SHA
 
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 
 #include <openssl/bn.h>
 #include <openssl/evp.h>
-#include <openssl/rand.h>
 #include <openssl/sha.h>
 
 #include "dsa_locl.h"
@@ -169,7 +169,7 @@ dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, const EVP_MD *evpmd,
                                 goto err;
 
                         if (!seed_len) {
-                                RAND_pseudo_bytes(seed, qsize);
+                                arc4random_buf(seed, qsize);
                                 seed_is_random = 1;
                         } else {
                                 seed_is_random = 0;
diff --git a/src/lib/libssl/src/crypto/engine/eng_lib.c b/src/lib/libssl/src/crypto/engine/eng_lib.c
index 118fa6cb9c..b3b9213d87 100644
--- a/src/lib/libssl/src/crypto/engine/eng_lib.c
+++ b/src/lib/libssl/src/crypto/engine/eng_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: eng_lib.c,v 1.9 2014/07/10 13:58:22 jsing Exp $ */
+/* $OpenBSD: eng_lib.c,v 1.10 2014/10/22 13:02:04 jsing Exp $ */
 /* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
  * project 2000.
  */
@@ -58,9 +58,10 @@
 
 #include <string.h>
 
-#include "eng_int.h"
 #include <openssl/rand.h>
 
+#include "eng_int.h"
+
 /* The "new"/"free" stuff first */
 
 ENGINE *
diff --git a/src/lib/libssl/src/crypto/evp/e_aes.c b/src/lib/libssl/src/crypto/evp/e_aes.c
index f96a15f19c..bb3b420a3b 100644
--- a/src/lib/libssl/src/crypto/evp/e_aes.c
+++ b/src/lib/libssl/src/crypto/evp/e_aes.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_aes.c,v 1.25 2014/07/12 19:31:03 miod Exp $ */
+/* $OpenBSD: e_aes.c,v 1.26 2014/10/22 13:02:04 jsing Exp $ */
 /* ====================================================================
  * Copyright (c) 2001-2011 The OpenSSL Project.  All rights reserved.
  *
@@ -50,6 +50,7 @@
  */
 
 #include <assert.h>
+#include <stdlib.h>
 #include <string.h>
 
 #include <openssl/opensslconf.h>
@@ -58,7 +59,6 @@
 #include <openssl/aes.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
-#include <openssl/rand.h>
 
 #include "evp_locl.h"
 #include "modes_lcl.h"
@@ -769,9 +769,8 @@ aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr)
                         return 0;
                 if (arg)
                         memcpy(gctx->iv, ptr, arg);
-                if (c->encrypt &&
-                    RAND_bytes(gctx->iv + arg, gctx->ivlen - arg) <= 0)
-                        return 0;
+                if (c->encrypt)
+                        arc4random_buf(gctx->iv + arg, gctx->ivlen - arg);
                 gctx->iv_gen = 1;
                 return 1;
 
diff --git a/src/lib/libssl/src/crypto/evp/evp_enc.c b/src/lib/libssl/src/crypto/evp/evp_enc.c
index 4333e4dff8..49ceacefad 100644
--- a/src/lib/libssl/src/crypto/evp/evp_enc.c
+++ b/src/lib/libssl/src/crypto/evp/evp_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_enc.c,v 1.24 2014/07/11 08:44:48 jsing Exp $ */
+/* $OpenBSD: evp_enc.c,v 1.25 2014/10/22 13:02:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -57,13 +57,13 @@
  */
 
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 
 #include <openssl/opensslconf.h>
 
 #include <openssl/err.h>
 #include <openssl/evp.h>
-#include <openssl/rand.h>
 
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
@@ -613,8 +613,7 @@ EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key)
 {
         if (ctx->cipher->flags & EVP_CIPH_RAND_KEY)
                 return EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_RAND_KEY, 0, key);
-        if (RAND_bytes(key, ctx->key_len) <= 0)
-                return 0;
+        arc4random_buf(key, ctx->key_len);
         return 1;
 }
 
diff --git a/src/lib/libssl/src/crypto/evp/p_seal.c b/src/lib/libssl/src/crypto/evp/p_seal.c
index 4f8417ae64..8b9740fbcd 100644
--- a/src/lib/libssl/src/crypto/evp/p_seal.c
+++ b/src/lib/libssl/src/crypto/evp/p_seal.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p_seal.c,v 1.13 2014/07/11 08:44:48 jsing Exp $ */
+/* $OpenBSD: p_seal.c,v 1.14 2014/10/22 13:02:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -57,12 +57,12 @@
  */
 
 #include <stdio.h>
+#include <stdlib.h>
 
 #include <openssl/opensslconf.h>
 
 #include <openssl/evp.h>
 #include <openssl/objects.h>
-#include <openssl/rand.h>
 #include <openssl/x509.h>
 
 #ifndef OPENSSL_NO_RSA
@@ -86,7 +86,7 @@ EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, unsigned char **ek,
         if (EVP_CIPHER_CTX_rand_key(ctx, key) <= 0)
                 return 0;
         if (EVP_CIPHER_CTX_iv_length(ctx))
-                RAND_pseudo_bytes(iv, EVP_CIPHER_CTX_iv_length(ctx));
+                arc4random_buf(iv, EVP_CIPHER_CTX_iv_length(ctx));
 
         if (!EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv))
                 return 0;
diff --git a/src/lib/libssl/src/crypto/ocsp/ocsp_ext.c b/src/lib/libssl/src/crypto/ocsp/ocsp_ext.c
index c7b9d817ac..6318e1718b 100644
--- a/src/lib/libssl/src/crypto/ocsp/ocsp_ext.c
+++ b/src/lib/libssl/src/crypto/ocsp/ocsp_ext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_ext.c,v 1.11 2014/07/11 08:44:49 jsing Exp $ */
+/* $OpenBSD: ocsp_ext.c,v 1.12 2014/10/22 13:02:04 jsing Exp $ */
 /* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
  * project. */
 
@@ -62,11 +62,11 @@
  */
 
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 
 #include <openssl/objects.h>
 #include <openssl/ocsp.h>
-#include <openssl/rand.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
@@ -389,7 +389,7 @@ ocsp_add1_nonce(STACK_OF(X509_EXTENSION) **exts, unsigned char *val, int len)
         if (val)
                 memcpy(tmpval, val, len);
         else
-                RAND_pseudo_bytes(tmpval, len);
+                arc4random_buf(tmpval, len);
         if (!X509V3_add1_i2d(exts, NID_id_pkix_OCSP_Nonce, &os, 0,
             X509V3_ADD_REPLACE))
                 goto err;
diff --git a/src/lib/libssl/src/crypto/pem/pem_lib.c b/src/lib/libssl/src/crypto/pem/pem_lib.c
index 26b1876f36..1ebae53e74 100644
--- a/src/lib/libssl/src/crypto/pem/pem_lib.c
+++ b/src/lib/libssl/src/crypto/pem/pem_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_lib.c,v 1.34 2014/07/23 20:43:56 miod Exp $ */
+/* $OpenBSD: pem_lib.c,v 1.35 2014/10/22 13:02:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -58,6 +58,7 @@
 
 #include <ctype.h>
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 
 #include <openssl/opensslconf.h>
@@ -67,7 +68,6 @@
 #include <openssl/objects.h>
 #include <openssl/pem.h>
 #include <openssl/pkcs12.h>
-#include <openssl/rand.h>
 #include <openssl/x509.h>
 
 #ifndef OPENSSL_NO_DES
@@ -390,8 +390,7 @@ PEM_ASN1_write_bio(i2d_of_void *i2d, const char *name, BIO *bp, void *x,
                         kstr = (unsigned char *)buf;
                 }
                 OPENSSL_assert(enc->iv_len <= (int)sizeof(iv));
-                if (RAND_pseudo_bytes(iv, enc->iv_len) < 0) /* Generate a salt */
-                        goto err;
+                arc4random_buf(iv, enc->iv_len); /* Generate a salt */
                 /* The 'iv' is used as the iv and as a salt.  It is
                  * NOT taken from the BytesToKey function */
                 if (!EVP_BytesToKey(enc, EVP_md5(), iv, kstr, klen, 1,
diff --git a/src/lib/libssl/src/crypto/pem/pvkfmt.c b/src/lib/libssl/src/crypto/pem/pvkfmt.c
index ca7e908c29..2009c9db80 100644
--- a/src/lib/libssl/src/crypto/pem/pvkfmt.c
+++ b/src/lib/libssl/src/crypto/pem/pvkfmt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pvkfmt.c,v 1.11 2014/07/12 16:03:37 miod Exp $ */
+/* $OpenBSD: pvkfmt.c,v 1.12 2014/10/22 13:02:04 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2005.
  */
@@ -60,6 +60,7 @@
  * and PRIVATEKEYBLOB).
  */
 
+#include <stdlib.h>
 #include <string.h>
 
 #include <openssl/opensslconf.h>
@@ -67,7 +68,6 @@
 #include <openssl/bn.h>
 #include <openssl/err.h>
 #include <openssl/pem.h>
-#include <openssl/rand.h>
 
 #if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_DSA)
 #include <openssl/dsa.h>
@@ -869,8 +869,7 @@ i2b_PVK(unsigned char **out, EVP_PKEY*pk, int enclevel, pem_password_cb *cb,
         write_ledword(&p, enclevel ? PVK_SALTLEN : 0);
         write_ledword(&p, pklen);
         if (enclevel) {
-                if (RAND_bytes(p, PVK_SALTLEN) <= 0)
-                        goto error;
+                arc4random_buf(p, PVK_SALTLEN);
                 salt = p;
                 p += PVK_SALTLEN;
         }
diff --git a/src/lib/libssl/src/crypto/pkcs12/p12_mutl.c b/src/lib/libssl/src/crypto/pkcs12/p12_mutl.c
index 453d30d65f..0c49bf96fd 100644
--- a/src/lib/libssl/src/crypto/pkcs12/p12_mutl.c
+++ b/src/lib/libssl/src/crypto/pkcs12/p12_mutl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: p12_mutl.c,v 1.17 2014/07/11 08:44:49 jsing Exp $ */
+/* $OpenBSD: p12_mutl.c,v 1.18 2014/10/22 13:02:04 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
@@ -57,6 +57,7 @@
  */
 
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 
 #include <openssl/opensslconf.h>
@@ -66,7 +67,6 @@
 #include <openssl/err.h>
 #include <openssl/hmac.h>
 #include <openssl/pkcs12.h>
-#include <openssl/rand.h>
 
 /* Generate a MAC */
 int
@@ -193,10 +193,9 @@ PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen,
                 PKCS12err(PKCS12_F_PKCS12_SETUP_MAC, ERR_R_MALLOC_FAILURE);
                 return 0;
         }
-        if (!salt) {
-                if (RAND_pseudo_bytes (p12->mac->salt->data, saltlen) < 0)
-                        return 0;
-        } else
+        if (!salt)
+                arc4random_buf(p12->mac->salt->data, saltlen);
+        else
                 memcpy (p12->mac->salt->data, salt, saltlen);
         p12->mac->dinfo->algor->algorithm = OBJ_nid2obj(EVP_MD_type(md_type));
         if (!(p12->mac->dinfo->algor->parameter = ASN1_TYPE_new())) {
diff --git a/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c b/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c
index 8f1e393635..d69aff8f41 100644
--- a/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c
+++ b/src/lib/libssl/src/crypto/pkcs7/pk7_doit.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pk7_doit.c,v 1.29 2014/07/25 06:05:32 doug Exp $ */
+/* $OpenBSD: pk7_doit.c,v 1.30 2014/10/22 13:02:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -57,11 +57,11 @@
  */
 
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 
 #include <openssl/err.h>
 #include <openssl/objects.h>
-#include <openssl/rand.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
@@ -324,8 +324,7 @@ PKCS7_dataInit(PKCS7 *p7, BIO *bio)
                 ivlen = EVP_CIPHER_iv_length(evp_cipher);
                 xalg->algorithm = OBJ_nid2obj(EVP_CIPHER_type(evp_cipher));
                 if (ivlen > 0)
-                        if (RAND_pseudo_bytes(iv, ivlen) <= 0)
-                                goto err;
+                        arc4random_buf(iv, ivlen);
                 if (EVP_CipherInit_ex(ctx, evp_cipher, NULL, NULL,
                     NULL, 1) <= 0)
                         goto err;
diff --git a/src/lib/libssl/src/crypto/rand/rand_lib.c b/src/lib/libssl/src/crypto/rand/rand_lib.c
index 2b2c827740..8342a55f05 100644
--- a/src/lib/libssl/src/crypto/rand/rand_lib.c
+++ b/src/lib/libssl/src/crypto/rand/rand_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rand_lib.c,v 1.19 2014/07/11 08:44:49 jsing Exp $ */
+/* $OpenBSD: rand_lib.c,v 1.20 2014/10/22 13:02:04 jsing Exp $ */
 /*
  * Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
  *
@@ -15,12 +15,12 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
+#include <stdlib.h>
+
 #include <openssl/opensslconf.h>
 
 #include <openssl/rand.h>
 
-#include <stdlib.h>
-
 /*
  * The useful functions in this file are at the bottom.
  */
diff --git a/src/lib/libssl/src/crypto/rand/randfile.c b/src/lib/libssl/src/crypto/rand/randfile.c
index dca49b10aa..e54a009420 100644
--- a/src/lib/libssl/src/crypto/rand/randfile.c
+++ b/src/lib/libssl/src/crypto/rand/randfile.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: randfile.c,v 1.39 2014/07/14 00:01:39 deraadt Exp $ */
+/* $OpenBSD: randfile.c,v 1.40 2014/10/22 13:02:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -118,8 +118,7 @@ RAND_write_file(const char *file)
         for (;;) {
                 i = (n > BUFSIZE) ? BUFSIZE : n;
                 n -= BUFSIZE;
-                if (RAND_bytes(buf, i) <= 0)
-                        rand_err = 1;
+                arc4random_buf(buf, i);
                 i = fwrite(buf, 1, i, out);
                 if (i <= 0) {
                         ret = 0;
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_oaep.c b/src/lib/libssl/src/crypto/rsa/rsa_oaep.c
index 9be0f9be31..8585d7c3aa 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_oaep.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_oaep.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_oaep.c,v 1.23 2014/07/11 08:44:49 jsing Exp $ */
+/* $OpenBSD: rsa_oaep.c,v 1.24 2014/10/22 13:02:04 jsing Exp $ */
 /* Written by Ulf Moeller. This software is distributed on an "AS IS"
    basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */
 
@@ -19,6 +19,7 @@
  */
 
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 
 #include <openssl/opensslconf.h>
@@ -28,7 +29,6 @@
 #include <openssl/bn.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
-#include <openssl/rand.h>
 #include <openssl/rsa.h>
 #include <openssl/sha.h>
 
@@ -65,8 +65,7 @@ RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
             emlen - flen - 2 * SHA_DIGEST_LENGTH - 1);
         db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01;
         memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, flen);
-        if (RAND_bytes(seed, SHA_DIGEST_LENGTH) <= 0)
-                return 0;
+        arc4random_buf(seed, SHA_DIGEST_LENGTH);
 
         dbmask = malloc(emlen - SHA_DIGEST_LENGTH);
         if (dbmask == NULL) {
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_pk1.c b/src/lib/libssl/src/crypto/rsa/rsa_pk1.c
index 4f82bf6768..6c3e7fb846 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_pk1.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_pk1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_pk1.c,v 1.13 2014/07/11 08:44:49 jsing Exp $ */
+/* $OpenBSD: rsa_pk1.c,v 1.14 2014/10/22 13:02:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -57,12 +57,12 @@
  */
 
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 
 #include <openssl/bn.h>
 #include <openssl/err.h>
 #include <openssl/rsa.h>
-#include <openssl/rand.h>
 
 int
 RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
@@ -167,13 +167,10 @@ RSA_padding_add_PKCS1_type_2(unsigned char *to, int tlen,
         /* pad out with non-zero random data */
         j = tlen - 3 - flen;
 
-        if (RAND_bytes(p, j) <= 0)
-                return 0;
+        arc4random_buf(p, j);
         for (i = 0; i < j; i++) {
-                while (*p == '\0') {
-                        if (RAND_bytes(p, 1) <= 0)
-                                return 0;
-                }
+                while (*p == '\0')
+                        arc4random_buf(p, 1);
                 p++;
         }
 
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_pss.c b/src/lib/libssl/src/crypto/rsa/rsa_pss.c
index f841b2f8a3..5e137a3090 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_pss.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_pss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_pss.c,v 1.10 2014/07/13 12:53:46 miod Exp $ */
+/* $OpenBSD: rsa_pss.c,v 1.11 2014/10/22 13:02:04 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2005.
  */
@@ -57,12 +57,12 @@
  */
 
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 
 #include <openssl/bn.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
-#include <openssl/rand.h>
 #include <openssl/rsa.h>
 #include <openssl/sha.h>
 
@@ -243,8 +243,7 @@ RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
                             ERR_R_MALLOC_FAILURE);
                         goto err;
                 }
-                if (RAND_bytes(salt, sLen) <= 0)
-                        goto err;
+                arc4random_buf(salt, sLen);
         }
         maskedDBLen = emLen - hLen - 1;
         H = EM + maskedDBLen;
diff --git a/src/lib/libssl/src/crypto/rsa/rsa_ssl.c b/src/lib/libssl/src/crypto/rsa/rsa_ssl.c
index a5fe5004b1..73262f29c1 100644
--- a/src/lib/libssl/src/crypto/rsa/rsa_ssl.c
+++ b/src/lib/libssl/src/crypto/rsa/rsa_ssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_ssl.c,v 1.13 2014/07/11 08:44:49 jsing Exp $ */
+/* $OpenBSD: rsa_ssl.c,v 1.14 2014/10/22 13:02:04 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -57,11 +57,11 @@
  */
 
 #include <stdio.h>
+#include <stdlib.h>
 #include <string.h>
 
 #include <openssl/bn.h>
 #include <openssl/err.h>
-#include <openssl/rand.h>
 #include <openssl/rsa.h>
 
 int
@@ -85,13 +85,10 @@ RSA_padding_add_SSLv23(unsigned char *to, int tlen, const unsigned char *from,
         /* pad out with non-zero random data */
         j = tlen - 3 - 8 - flen;
 
-        if (RAND_bytes(p, j) <= 0)
-                return 0;
+        arc4random_buf(p, j);
         for (i = 0; i < j; i++) {
-                while (*p == '\0') {
-                        if (RAND_bytes(p, 1) <= 0)
-                                return 0;
-                }
+                while (*p == '\0')
+                        arc4random_buf(p, 1);
                 p++;
         }