crypto/rand: use BCryptGenRandom instead of CryptGenRandom on Windows

The existing function that is used is CryptGenRandom. This function
and the whole underling API is deprecated.

Use the function BCryptGenRandom from the new recommended
API called "Cryptography API: Next Generation (CNG)".

Fixes golang#33542

Author: neolit123

src/crypto/rand/rand.go

@@ -14,7 +14,7 @@ import "io"
 // On Linux and FreeBSD, Reader uses getrandom(2) if available, /dev/urandom otherwise.
 // On OpenBSD, Reader uses getentropy(2).
 // On other Unix-like systems, Reader reads from /dev/urandom.
-// On Windows systems, Reader uses the CryptGenRandom API.
+// On Windows systems, Reader uses the BCryptGenRandom API.
 // On Wasm, Reader uses the Web Crypto API.
 var Reader io.Reader
 

src/crypto/rand/rand_windows.go

@@ -9,48 +9,22 @@ package rand
 
 import (
 	"os"
-	"sync"
-	"sync/atomic"
 	"syscall"
-	"time"
 )
 
-// Implemented by using Windows CryptoAPI 2.0.
+// Implemented by using the Cryptography Next Generation (CNG) API.
 
 func init() { Reader = &rngReader{} }
 
-// A rngReader satisfies reads by reading from the Windows CryptGenRandom API.
-type rngReader struct {
-	used int32 // atomic; whether this rngReader has been used
-	prov syscall.Handle
-	mu   sync.Mutex
-}
+type rngReader struct{}
 
 func (r *rngReader) Read(b []byte) (n int, err error) {
-	if atomic.CompareAndSwapInt32(&r.used, 0, 1) {
-		// First use of randomness. Start timer to warn about
-		// being blocked on entropy not being available.
-		t := time.AfterFunc(60*time.Second, warnBlocked)
-		defer t.Stop()
-	}
-	r.mu.Lock()
-	if r.prov == 0 {
-		const provType = syscall.PROV_RSA_FULL
-		const flags = syscall.CRYPT_VERIFYCONTEXT | syscall.CRYPT_SILENT
-		err := syscall.CryptAcquireContext(&r.prov, nil, nil, provType, flags)
-		if err != nil {
-			r.mu.Unlock()
-			return 0, os.NewSyscallError("CryptAcquireContext", err)
-		}
-	}
-	r.mu.Unlock()
-
 	if len(b) == 0 {
 		return 0, nil
 	}
-	err = syscall.CryptGenRandom(r.prov, uint32(len(b)), &b[0])
+	err = syscall.BCryptGenRandom(0, &b[0], uint32(len(b)), syscall.BCRYPT_USE_SYSTEM_PREFERRED_RNG)
 	if err != nil {
-		return 0, os.NewSyscallError("CryptGenRandom", err)
+		return 0, os.NewSyscallError("BCryptGenRandom", err)
 	}
-	return len(b), nil
+	return int(uint32(len(b))), nil
 }

src/syscall/syscall_windows.go

@@ -234,6 +234,7 @@ func NewCallbackCDecl(fn interface{}) uintptr {
 //sys	CryptAcquireContext(provhandle *Handle, container *uint16, provider *uint16, provtype uint32, flags uint32) (err error) = advapi32.CryptAcquireContextW
 //sys	CryptReleaseContext(provhandle Handle, flags uint32) (err error) = advapi32.CryptReleaseContext
 //sys	CryptGenRandom(provhandle Handle, buflen uint32, buf *byte) (err error) = advapi32.CryptGenRandom
+//sys   BCryptGenRandom(algorithmhandle Handle, buf *byte, buflen uint32, flags uint32) (err error) [failretval!=0] = bcrypt.BCryptGenRandom
 //sys	GetEnvironmentStrings() (envs *uint16, err error) [failretval==nil] = kernel32.GetEnvironmentStringsW
 //sys	FreeEnvironmentStrings(envs *uint16) (err error) = kernel32.FreeEnvironmentStringsW
 //sys	GetEnvironmentVariable(name *uint16, buffer *uint16, size uint32) (n uint32, err error) = kernel32.GetEnvironmentVariableW

src/syscall/types_windows.go

@@ -214,6 +214,11 @@ const (
 	FILE_ACTION_RENAMED_NEW_NAME
 )
 
+const (
+	// bcrypt.h
+	BCRYPT_USE_SYSTEM_PREFERRED_RNG = 0x00000002
+)
+
 const (
 	// wincrypt.h
 	PROV_RSA_FULL                    = 1