crypto/rand: use BCryptGenRandom instead of CryptGenRandom on Windows

The existing function that is used is CryptGenRandom. This function
and the whole underling API is deprecated.

Use the function BCryptGenRandom from the new recommended
API called "Cryptography API: Next Generation (CNG)".

Preload and use the BCRYPT_RNG_ALGORITHM provider.
It follows the standards: FIPS 186-2, FIPS 140-2, NIST SP 800-90

Fixes #33542

Author: neolit123

src/crypto/rand/rand.go

@@ -14,7 +14,7 @@ import "io"
 // On Linux and FreeBSD, Reader uses getrandom(2) if available, /dev/urandom otherwise.
 // On OpenBSD, Reader uses getentropy(2).
 // On other Unix-like systems, Reader reads from /dev/urandom.
-// On Windows systems, Reader uses the CryptGenRandom API.
+// On Windows systems, Reader uses the BCryptGenRandom API with provider BCRYPT_RNG_ALGORITHM.
 // On Wasm, Reader uses the Web Crypto API.
 var Reader io.Reader
 

src/crypto/rand/rand_windows.go

@@ -8,6 +8,7 @@
 package rand
 
 import (
+	"internal/syscall/windows"
 	"os"
 	"sync"
 	"sync/atomic"
@@ -35,22 +36,28 @@ func (r *rngReader) Read(b []byte) (n int, err error) {
 	}
 	r.mu.Lock()
 	if r.prov == 0 {
-		const provType = syscall.PROV_RSA_FULL
-		const flags = syscall.CRYPT_VERIFYCONTEXT | syscall.CRYPT_SILENT
-		err := syscall.CryptAcquireContext(&r.prov, nil, nil, provType, flags)
+		// BCRYPT_RNG_ALGORITHM is defined here:
+		// https://docs.microsoft.com/en-us/windows/win32/seccng/cng-algorithm-identifiers
+		// Standard: FIPS 186-2, FIPS 140-2, NIST SP 800-90
+		algID, err := syscall.UTF16PtrFromString(windows.BCRYPT_RNG_ALGORITHM)
 		if err != nil {
 			r.mu.Unlock()
-			return 0, os.NewSyscallError("CryptAcquireContext", err)
+			return 0, err
+		}
+		status := windows.BCryptOpenAlgorithmProvider(&r.prov, algID, nil, 0)
+		if status != 0 {
+			r.mu.Unlock()
+			return 0, os.NewSyscallError("BCryptOpenAlgorithmProvider", syscall.Errno(status))
 		}
 	}
 	r.mu.Unlock()
 
 	if len(b) == 0 {
 		return 0, nil
 	}
-	err = syscall.CryptGenRandom(r.prov, uint32(len(b)), &b[0])
-	if err != nil {
-		return 0, os.NewSyscallError("CryptGenRandom", err)
+	status := windows.BCryptGenRandom(r.prov, &b[0], uint32(len(b)), 0)
+	if status != 0 {
+		return 0, os.NewSyscallError("BCryptGenRandom", syscall.Errno(status))
 	}
-	return len(b), nil
+	return int(uint32(len(b))), nil
 }

src/internal/syscall/windows/syscall_windows.go

@@ -145,6 +145,13 @@ const (
 //sys	GetComputerNameEx(nameformat uint32, buf *uint16, n *uint32) (err error) = GetComputerNameExW
 //sys	MoveFileEx(from *uint16, to *uint16, flags uint32) (err error) = MoveFileExW
 //sys	GetModuleFileName(module syscall.Handle, fn *uint16, len uint32) (n uint32, err error) = kernel32.GetModuleFileNameW
+//sys	BCryptOpenAlgorithmProvider(algHandle *syscall.Handle, algID *uint16, impl *uint16, flags uint32) (status int32) = bcrypt.BCryptOpenAlgorithmProvider
+//sys	BCryptGenRandom(algHandle syscall.Handle, buf *byte, buflen uint32, flags uint32) (status int32) = bcrypt.BCryptGenRandom
+
+const (
+	// bcrypt.h
+	BCRYPT_RNG_ALGORITHM = "RNG"
+)
 
 const (
 	WSA_FLAG_OVERLAPPED        = 0x01