crypto/rand: use BCryptGenRandom instead of CryptGenRandom on Windows

The existing function that is used is CryptGenRandom. This function and the whole underling API is deprecated. Use the function BCryptGenRandom from the new recommended API called "Cryptography API: Next Generation (CNG)". Preload and use the BCRYPT_RNG_ALGORITHM provider. It follows the standards: FIPS 186-2, FIPS 140-2, NIST SP 800-90 Fixes #33542
golang · Sep 6, 2020 · c7fb621 · c7fb621
1 parent 5cc030a
commit c7fb621
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 9 deletions.
diff --git a/src/crypto/rand/rand.go b/src/crypto/rand/rand.go
@@ -14,7 +14,7 @@ import "io"
 // On Linux and FreeBSD, Reader uses getrandom(2) if available, /dev/urandom otherwise.
 // On OpenBSD, Reader uses getentropy(2).
 // On other Unix-like systems, Reader reads from /dev/urandom.
-// On Windows systems, Reader uses the CryptGenRandom API.
+// On Windows systems, Reader uses the BCryptGenRandom API with provider BCRYPT_RNG_ALGORITHM.
 // On Wasm, Reader uses the Web Crypto API.
 var Reader io.Reader
 

diff --git a/src/crypto/rand/rand_windows.go b/src/crypto/rand/rand_windows.go
@@ -8,6 +8,7 @@
 package rand
 
 import (
+	"internal/syscall/windows"
 	"os"
 	"sync"
 	"sync/atomic"
@@ -35,22 +36,28 @@ func (r *rngReader) Read(b []byte) (n int, err error) {
 	}
 	r.mu.Lock()
 	if r.prov == 0 {
-		const provType = syscall.PROV_RSA_FULL
-		const flags = syscall.CRYPT_VERIFYCONTEXT | syscall.CRYPT_SILENT
-		err := syscall.CryptAcquireContext(&r.prov, nil, nil, provType, flags)
+		// BCRYPT_RNG_ALGORITHM is defined here:
+		// https://docs.microsoft.com/en-us/windows/win32/seccng/cng-algorithm-identifiers
+		// Standard: FIPS 186-2, FIPS 140-2, NIST SP 800-90
+		algID, err := syscall.UTF16PtrFromString(windows.BCRYPT_RNG_ALGORITHM)
 		if err != nil {
 			r.mu.Unlock()
-			return 0, os.NewSyscallError("CryptAcquireContext", err)
+			return 0, err
+		}
+		status := windows.BCryptOpenAlgorithmProvider(&r.prov, algID, nil, 0)
+		if status != 0 {
+			r.mu.Unlock()
+			return 0, os.NewSyscallError("BCryptOpenAlgorithmProvider", syscall.Errno(status))
 		}
 	}
 	r.mu.Unlock()
 
 	if len(b) == 0 {
 		return 0, nil
 	}
-	err = syscall.CryptGenRandom(r.prov, uint32(len(b)), &b[0])
-	if err != nil {
-		return 0, os.NewSyscallError("CryptGenRandom", err)
+	status := windows.BCryptGenRandom(r.prov, &b[0], uint32(len(b)), 0)
+	if status != 0 {
+		return 0, os.NewSyscallError("BCryptGenRandom", syscall.Errno(status))
 	}
-	return len(b), nil
+	return int(uint32(len(b))), nil
 }
diff --git a/src/internal/syscall/windows/syscall_windows.go b/src/internal/syscall/windows/syscall_windows.go
@@ -145,6 +145,13 @@ const (
 //sys	GetComputerNameEx(nameformat uint32, buf *uint16, n *uint32) (err error) = GetComputerNameExW
 //sys	MoveFileEx(from *uint16, to *uint16, flags uint32) (err error) = MoveFileExW
 //sys	GetModuleFileName(module syscall.Handle, fn *uint16, len uint32) (n uint32, err error) = kernel32.GetModuleFileNameW
+//sys	BCryptOpenAlgorithmProvider(algHandle *syscall.Handle, algID *uint16, impl *uint16, flags uint32) (status int32) = bcrypt.BCryptOpenAlgorithmProvider
+//sys	BCryptGenRandom(algHandle syscall.Handle, buf *byte, buflen uint32, flags uint32) (status int32) = bcrypt.BCryptGenRandom
+
+const (
+	// bcrypt.h
+	BCRYPT_RNG_ALGORITHM = "RNG"
+)
 
 const (
 	WSA_FLAG_OVERLAPPED        = 0x01

diff --git a/src/internal/syscall/windows/zsyscall_windows.go b/src/internal/syscall/windows/zsyscall_windows.go