[thirdparty/man-pages.git] / man2 / getrandom.2

.\" Copyright (C) 2014, Theodore Ts'o <tytso@mit.edu>
.\" Copyright (C) 2014,2015 Heinrich Schuchardt <xypron.glpk@gmx.de>
.\" Copyright (C) 2015, Michael Kerrisk <mtk.manpages@gmail.com>
.\"
.\" %%%LICENSE_START(VERBATIM)
.\" Permission is granted to make and distribute verbatim copies of this
.\" manual provided the copyright notice and this permission notice are
.\" preserved on all copies.
.\"
.\" Permission is granted to copy and distribute modified versions of
.\" this manual under the conditions for verbatim copying, provided that
.\" the entire resulting derived work is distributed under the terms of
.\" a permission notice identical to this one.
.\"
.\" Since the Linux kernel and libraries are constantly changing, this
.\" manual page may be incorrect or out-of-date.  The author(s) assume.
.\" no responsibility for errors or omissions, or for damages resulting.
.\" from the use of the information contained herein.  The author(s) may.
.\" not have taken the same level of care in the production of this.
.\" manual, which is licensed free of charge, as they might when working.
.\" professionally.
.\"
.\" Formatted or processed versions of this manual, if unaccompanied by
.\" the source, must acknowledge the copyright and authors of this work.
.\" %%%LICENSE_END
.\"
.TH GETRANDOM 2 2016-10-08 "Linux" "Linux Programmer's Manual"
.SH NAME
getrandom \- obtain a series of random bytes
.SH SYNOPSIS
.B #include <linux/random.h>
.sp
.BI "int getrandom(void *"buf ", size_t " buflen ", unsigned int " flags );
.SH DESCRIPTION
The
.BR getrandom ()
system call fills the buffer pointed to by
.I buf
with up to
.I buflen
random bytes.
These bytes can be used to seed user-space random number generators
or for cryptographic purposes.

By default,
.BR getrandom ()
draws entropy from the
.I urandom
source (i.e., the same source as the
.IR /dev/urandom
device).
This behavior can be changed via the
.I flags
argument.

If the
.I urandom
source has been initialized,
reads of up to 256 bytes will always return as many bytes as
requested and will not be interrupted by signals.
No such guarantees apply for larger buffer sizes.
For example, if the call is interrupted by a signal handler,
it may return a partially filled buffer, or fail with the error
.BR EINTR .

If the
.I urandom
source has not yet been initialized, then
.BR getrandom ()
will block, unless
.B GRND_NONBLOCK
is specified in
.IR flags .

The
.I flags
argument is a bit mask that can contain zero or more of the following values
ORed together:
.TP
.B GRND_RANDOM
If this bit is set, then random bytes are drawn from the
.I random
source
(i.e., the same source as the 
.IR /dev/random
device)
instead of the
.I urandom
source.
The
.I random
source is limited based on the entropy that can be obtained from environmental
noise.
If the number of available bytes in the
.I random
source is less than requested in
.IR buflen ,
the call returns just the available random bytes.
If no random bytes are available, the behavior depends on the presence of
.B GRND_NONBLOCK
in the
.I flags
argument.
.TP
.B GRND_NONBLOCK
By default, when reading from the
.IR random
source,
.BR getrandom ()
blocks if no random bytes are available,
and when reading from the
.IR urandom
source, it blocks if the entropy pool has not yet been initialized.
If the
.B GRND_NONBLOCK
flag is set, then
.BR getrandom ()
does not block in these cases, but instead immediately returns \-1 with
.I errno
set to
.BR EAGAIN .
.SH RETURN VALUE
On success,
.BR getrandom ()
returns the number of bytes that were copied to the buffer
.IR buf .
This may be less than the number of bytes requested via
.I buflen
if either
.BR GRND_RANDOM
was specified in
.IR flags
and insufficient entropy was present in the
.IR random
source or the system call was interrupted by a signal.
.PP
On error, \-1 is returned, and
.I errno
is set appropriately.
.SH ERRORS
.TP
.B EAGAIN
The requested entropy was not available, and
.BR getrandom ()
would have blocked if the
.B GRND_NONBLOCK
flag was not set.
.TP
.B EFAULT
The address referred to by
.I buf
is outside the accessible address space.
.TP
.B EINTR
The call was interrupted by a signal
handler; see the description of how interrupted
.BR read (2)
calls on "slow" devices are handled with and without the
.B SA_RESTART
flag in the
.BR signal (7)
man page.
.TP
.B EINVAL
An invalid flag was specified in
.IR flags .
.SH VERSIONS
.BR getrandom ()
was introduced in version 3.17 of the Linux kernel.
.SH CONFORMING TO
This system call is Linux-specific.
.SH NOTES
For an overview and comparison of the various interfaces that
can be used to obtain randomness, see
.BR random (7).

Unlike
.IR /dev/random
and
.IR /dev/random ,
.BR getrandom ()
does not involve the use of pathnames or file descriptors.
Thus,
.BR getrandom ()
can be useful in cases where
.BR chroot (2)
makes
.I /dev
pathnames invisible,
and where an application (e.g., a daemon during start-up)
closes a file descriptor for one of these files
that was opened by a library.
.\"
.SS Maximum number of bytes returned
As of Linux 3.19 the following limits apply:
.IP * 3
When reading from the
.IR urandom
source, a maximum of 33554431 bytes is returned by a single call to
.BR getrandom ()
on systems where
.I int
has a size of 32 bits.
.IP *
When reading from the
.IR random
source, a maximum of 512 bytes is returned.
.SS Interruption by a signal handler
When reading from the
.I urandom
source
.RB ( GRND_RANDOM
is not set),
.BR getrandom ()
will block until the entropy pool has been initialized
(unless the
.BR GRND_NONBLOCK
flag was specified).
If a request is made to read a large number of bytes (more than 256),
.BR getrandom ()
will block until those bytes have been generated and transferred
from kernel memory to
.IR buf .
When reading from the
.I random
source
.RB ( GRND_RANDOM
is set),
.BR getrandom ()
will block until some random bytes become available
(unless the
.BR GRND_NONBLOCK
flag was specified).

The behavior when a call to
.BR getrandom ()
that is blocked while reading from the
.I urandom
source is interrupted by a signal handler
depends on the initialization state of the entropy buffer
and on the request size,
.IR buflen .
If the entropy is not yet initialized, then the call will fail with the
.B EINTR
error.
If the entropy pool has been initialized
and the request size is large
.RI ( buflen "\ >\ 256),"
the call either succeeds, returning a partially filled buffer,
or fails with the error
.BR EINTR.
If the entropy pool has been initialized and the request size is small
.RI ( buflen "\ <=\ 256),"
then
.BR getrandom ()
will not fail with
.BR EINTR .
Instead, it will return all of the bytes that have been requested.

When reading from the
.IR random
source, blocking requests of any size can be interrupted by a signal handler
(the call fails with the error
.BR EINTR ).

Using
.BR getrandom ()
to read small buffers (<=\ 256 bytes) from the
.I urandom
source is the preferred mode of usage.

The special treatment of small values of
.I buflen
was designed for compatibility with
OpenBSD's
.BR getentropy ()
system call.
.PP
The user of
.BR getrandom ()
.I must
always check the return value,
to determine whether either an error occurred
or fewer bytes than requested were returned.
In the case where
.B GRND_RANDOM
is not specified and
.I buflen
is less than or equal to 256,
a return of fewer bytes than requested should never happen,
but the careful programmer will check for this anyway!
.\"
.SS Emulating OpenBSD's getentropy()
The
.BR getentropy ()
system call in OpenBSD can be emulated using the following
function:

.in +4n
.nf
int
getentropy(void *buf, size_t buflen)
{
    int ret;

    if (buflen > 256)
        goto failure;
    ret = getrandom(buf, buflen, 0);
    if (ret < 0)
        return ret;
    if (ret == buflen)
        return 0;
failure:
    errno = EIO;
    return \-1;
}
.fi
.in
.SH BUGS
As of Linux 3.19, the following bug exists:
.\" FIXME patch proposed https://lkml.org/lkml/2014/11/29/16
.IP * 3
Depending on CPU load,
.BR getrandom ()
does not react to interrupts before reading all bytes requested.
.SH SEE ALSO
.BR random (4),
.BR urandom (4),
.BR random (7),
.BR signal (7)
Commit	Line	Data
18647599	1	.\" Copyright (C) 2014, Theodore Ts'o <tytso@mit.edu>
3907aed3	2	.\" Copyright (C) 2014,2015 Heinrich Schuchardt <xypron.glpk@gmx.de>
35800487	3	.\" Copyright (C) 2015, Michael Kerrisk <mtk.manpages@gmail.com>
18647599 HS	4	.\"
	5	.\" %%%LICENSE_START(VERBATIM)
	6	.\" Permission is granted to make and distribute verbatim copies of this
	7	.\" manual provided the copyright notice and this permission notice are
	8	.\" preserved on all copies.
	9	.\"
	10	.\" Permission is granted to copy and distribute modified versions of
	11	.\" this manual under the conditions for verbatim copying, provided that
	12	.\" the entire resulting derived work is distributed under the terms of
	13	.\" a permission notice identical to this one.
	14	.\"
	15	.\" Since the Linux kernel and libraries are constantly changing, this
	16	.\" manual page may be incorrect or out-of-date. The author(s) assume.
	17	.\" no responsibility for errors or omissions, or for damages resulting.
	18	.\" from the use of the information contained herein. The author(s) may.
	19	.\" not have taken the same level of care in the production of this.
	20	.\" manual, which is licensed free of charge, as they might when working.
	21	.\" professionally.
	22	.\"
	23	.\" Formatted or processed versions of this manual, if unaccompanied by
	24	.\" the source, must acknowledge the copyright and authors of this work.
	25	.\" %%%LICENSE_END
cc5ba920	26	.\"
b8efb414	27	.TH GETRANDOM 2 2016-10-08 "Linux" "Linux Programmer's Manual"
18647599 HS	28	.SH NAME
	29	getrandom \- obtain a series of random bytes
	30	.SH SYNOPSIS
	31	.B #include <linux/random.h>
	32	.sp
	33	.BI "int getrandom(void *"buf ", size_t " buflen ", unsigned int " flags );
	34	.SH DESCRIPTION
81d43c50	35	The
18647599	36	.BR getrandom ()
81d43c50	37	system call fills the buffer pointed to by
18647599 HS	38	.I buf
	39	with up to
	40	.I buflen
	41	random bytes.
077e532d	42	These bytes can be used to seed user-space random number generators
473844a1	43	or for cryptographic purposes.
7028ce50	44
7028ce50 MK	45	By default,
	46	.BR getrandom ()
	47	draws entropy from the
e196d319	48	.I urandom
dce6b796	49	source (i.e., the same source as the
7028ce50	50	.IR /dev/urandom
e196d319	51	device).
7028ce50 MK	52	This behavior can be changed via the
	53	.I flags
	54	argument.
b4a9630f	55
e14ee946	56	If the
e196d319	57	.I urandom
dce6b796	58	source has been initialized,
053e5e69 MK	59	reads of up to 256 bytes will always return as many bytes as
	60	requested and will not be interrupted by signals.
	61	No such guarantees apply for larger buffer sizes.
	62	For example, if the call is interrupted by a signal handler,
	63	it may return a partially filled buffer, or fail with the error
	64	.BR EINTR .
e196d319 MK	65
	66	If the
	67	.I urandom
dce6b796	68	source has not yet been initialized, then
e196d319 MK	69	.BR getrandom ()
e196d319 MK	70	will block, unless
0594459d	71	.B GRND_NONBLOCK
973ff2fc MK	72	is specified in
973ff2fc MK	73	.IR flags .
7028ce50	74
18647599 HS	75	The
	76	.I flags
	77	argument is a bit mask that can contain zero or more of the following values
	78	ORed together:
	79	.TP
	80	.B GRND_RANDOM
	81	If this bit is set, then random bytes are drawn from the
e196d319	82	.I random
dce6b796	83	source
e196d319 MK	84	(i.e., the same source as the
	85	.IR /dev/random
	86	device)
	87	instead of the
	88	.I urandom
dce6b796	89	source.
18647599	90	The
e196d319	91	.I random
dce6b796	92	source is limited based on the entropy that can be obtained from environmental
4f69e06a	93	noise.
e196d319 MK	94	If the number of available bytes in the
e196d319 MK	95	.I random
dce6b796	96	source is less than requested in
18647599	97	.IR buflen ,
e8009a53	98	the call returns just the available random bytes.
973ff2fc	99	If no random bytes are available, the behavior depends on the presence of
18647599 HS	100	.B GRND_NONBLOCK
	101	in the
	102	.I flags
	103	argument.
	104	.TP
	105	.B GRND_NONBLOCK
e196d319 MK	106	By default, when reading from the
e196d319 MK	107	.IR random
dce6b796	108	source,
18647599	109	.BR getrandom ()
0646abd6	110	blocks if no random bytes are available,
e196d319 MK	111	and when reading from the
e196d319 MK	112	.IR urandom
dce6b796	113	source, it blocks if the entropy pool has not yet been initialized.
18647599 HS	114	If the
18647599 HS	115	.B GRND_NONBLOCK
d2a1b46b	116	flag is set, then
18647599	117	.BR getrandom ()
0646abd6	118	does not block in these cases, but instead immediately returns \-1 with
d2a1b46b MK	119	.I errno
	120	set to
	121	.BR EAGAIN .
18647599 HS	122	.SH RETURN VALUE
	123	On success,
	124	.BR getrandom ()
	125	returns the number of bytes that were copied to the buffer
	126	.IR buf .
01a64074	127	This may be less than the number of bytes requested via
18647599	128	.I buflen
e196d319	129	if either
973ff2fc MK	130	.BR GRND_RANDOM
	131	was specified in
	132	.IR flags
	133	and insufficient entropy was present in the
e196d319	134	.IR random
dce6b796	135	source or the system call was interrupted by a signal.
18647599	136	.PP
81d43c50	137	On error, \-1 is returned, and
18647599 HS	138	.I errno
	139	is set appropriately.
	140	.SH ERRORS
	141	.TP
18647599 HS	142	.B EAGAIN
	143	The requested entropy was not available, and
	144	.BR getrandom ()
	145	would have blocked if the
	146	.B GRND_NONBLOCK
	147	flag was not set.
	148	.TP
26c04bd0 MK	149	.B EFAULT
	150	The address referred to by
	151	.I buf
	152	is outside the accessible address space.
	153	.TP
18647599	154	.B EINTR
3426471b	155	The call was interrupted by a signal
18647599 HS	156	handler; see the description of how interrupted
	157	.BR read (2)
	158	calls on "slow" devices are handled with and without the
	159	.B SA_RESTART
	160	flag in the
	161	.BR signal (7)
	162	man page.
26c04bd0 MK	163	.TP
	164	.B EINVAL
	165	An invalid flag was specified in
	166	.IR flags .
18647599 HS	167	.SH VERSIONS
	168	.BR getrandom ()
	169	was introduced in version 3.17 of the Linux kernel.
	170	.SH CONFORMING TO
	171	This system call is Linux-specific.
	172	.SH NOTES
9eaf7500 MK	173	For an overview and comparison of the various interfaces that
	174	can be used to obtain randomness, see
	175	.BR random (7).
	176
c35966b1 MK	177	Unlike
	178	.IR /dev/random
	179	and
	180	.IR /dev/random ,
	181	.BR getrandom ()
	182	does not involve the use of pathnames or file descriptors.
	183	Thus,
	184	.BR getrandom ()
	185	can be useful in cases where
	186	.BR chroot (2)
	187	makes
	188	.I /dev
	189	pathnames invisible,
	190	and where an application (e.g., a daemon during start-up)
	191	closes a file descriptor for one of these files
	192	that was opened by a library.
	193	.\"
11353d7b HS	194	.SS Maximum number of bytes returned
	195	As of Linux 3.19 the following limits apply:
	196	.IP * 3
e196d319 MK	197	When reading from the
e196d319 MK	198	.IR urandom
dce6b796	199	source, a maximum of 33554431 bytes is returned by a single call to
11353d7b	200	.BR getrandom ()
724d21bb	201	on systems where
11353d7b HS	202	.I int
	203	has a size of 32 bits.
	204	.IP *
e196d319 MK	205	When reading from the
e196d319 MK	206	.IR random
dce6b796	207	source, a maximum of 512 bytes is returned.
18647599	208	.SS Interruption by a signal handler
e196d319 MK	209	When reading from the
e196d319 MK	210	.I urandom
dce6b796	211	source
e14ee946	212	.RB ( GRND_RANDOM
3851c7aa	213	is not set),
3426471b MK	214	.BR getrandom ()
	215	will block until the entropy pool has been initialized
	216	(unless the
	217	.BR GRND_NONBLOCK
	218	flag was specified).
e196d319	219	If a request is made to read a large number of bytes (more than 256),
3426471b MK	220	.BR getrandom ()
	221	will block until those bytes have been generated and transferred
	222	from kernel memory to
	223	.IR buf .
e196d319 MK	224	When reading from the
e196d319 MK	225	.I random
dce6b796	226	source
e14ee946	227	.RB ( GRND_RANDOM
3851c7aa	228	is set),
3426471b MK	229	.BR getrandom ()
	230	will block until some random bytes become available
	231	(unless the
	232	.BR GRND_NONBLOCK
	233	flag was specified).
e14ee946	234
978323c7	235	The behavior when a call to
18647599	236	.BR getrandom ()
e196d319 MK	237	that is blocked while reading from the
e196d319 MK	238	.I urandom
dce6b796	239	source is interrupted by a signal handler
18647599	240	depends on the initialization state of the entropy buffer
81d43c50	241	and on the request size,
18647599	242	.IR buflen .
05e4d7af	243	If the entropy is not yet initialized, then the call will fail with the
18647599	244	.B EINTR
81d43c50	245	error.
05e4d7af MK	246	If the entropy pool has been initialized
	247	and the request size is large
	248	.RI ( buflen "\ >\ 256),"
	249	the call either succeeds, returning a partially filled buffer,
	250	or fails with the error
	251	.BR EINTR.
01a64074 MK	252	If the entropy pool has been initialized and the request size is small
01a64074 MK	253	.RI ( buflen "\ <=\ 256),"
81d43c50	254	then
18647599	255	.BR getrandom ()
81d43c50	256	will not fail with
18647599 HS	257	.BR EINTR .
18647599 HS	258	Instead, it will return all of the bytes that have been requested.
652febf0	259
e196d319 MK	260	When reading from the
e196d319 MK	261	.IR random
dce6b796	262	source, blocking requests of any size can be interrupted by a signal handler
652febf0 MK	263	(the call fails with the error
	264	.BR EINTR ).
	265
e196d319	266	Using
18647599	267	.BR getrandom ()
e196d319 MK	268	to read small buffers (<=\ 256 bytes) from the
e196d319 MK	269	.I urandom
dce6b796	270	source is the preferred mode of usage.
e196d319	271
18647599 HS	272	The special treatment of small values of
	273	.I buflen
	274	was designed for compatibility with
	275	OpenBSD's
	276	.BR getentropy ()
	277	system call.
	278	.PP
	279	The user of
	280	.BR getrandom ()
	281	.I must
01a64074 MK	282	always check the return value,
	283	to determine whether either an error occurred
	284	or fewer bytes than requested were returned.
18647599 HS	285	In the case where
	286	.B GRND_RANDOM
	287	is not specified and
	288	.I buflen
	289	is less than or equal to 256,
	290	a return of fewer bytes than requested should never happen,
28ef3452	291	but the careful programmer will check for this anyway!
2e1f8bfa	292	.\"
18647599 HS	293	.SS Emulating OpenBSD's getentropy()
	294	The
	295	.BR getentropy ()
	296	system call in OpenBSD can be emulated using the following
	297	function:
	298
	299	.in +4n
	300	.nf
	301	int
	302	getentropy(void *buf, size_t buflen)
	303	{
	304	int ret;
	305
	306	if (buflen > 256)
	307	goto failure;
	308	ret = getrandom(buf, buflen, 0);
	309	if (ret < 0)
	310	return ret;
	311	if (ret == buflen)
	312	return 0;
	313	failure:
	314	errno = EIO;
81d43c50	315	return \-1;
18647599 HS	316	}
	317	.fi
	318	.in
16199698 HS	319	.SH BUGS
16199698 HS	320	As of Linux 3.19, the following bug exists:
16199698	321	.\" FIXME patch proposed https://lkml.org/lkml/2014/11/29/16
81d43c50 MK	322	.IP * 3
81d43c50 MK	323	Depending on CPU load,
16199698 HS	324	.BR getrandom ()
16199698 HS	325	does not react to interrupts before reading all bytes requested.
18647599 HS	326	.SH SEE ALSO
18647599 HS	327	.BR random (4),
2cc7c11a	328	.BR urandom (4),
9eaf7500	329	.BR random (7),
2cc7c11a	330	.BR signal (7)