Use ProcessPrng on Windows

[josephlr]

Use ProcessPrng on Windows 10 and up, and use RtlGenRandom on older legacy Windows versions. Don't use BCryptGenRandom due to stability issues.

[briansmith]

Besides the lines I commented on, I didn't review the rest.

[josephlr]

@briansmith the above are really good point w.r.t. sandboxing. I think that it would be good to have general documentation along the lines of "before starting a sandbox, you should first successfully call getrandom() on a non-empty buffer". That should be good platform-agnostic advice, and will handle things like LoadLibrary and libc::dlsym.

More generally, this won't work inside many sandboxes, including Chromium's.

I think that this won't cause issues in some sandboxes provided that ProcessPRNG is already loaded. IIRC the sandbox only complains on loading a new dll, not upon looking up a symbol from an already loaded DLL. Regardless, having specific documentation will be good here.

[josephlr]

@newpavlov and @briansmith this is now ready for review!

[newpavlov]

Other than the two minor nits, it looks good to me. But as I noted in the issue, I would prefer if we released this change as v0.3.

[briansmith]

It's unfortunate to have this ugliness without the program that generated it to confirm that it actually created this ugliness. However, I also think it's fine because of how repr(transparent) works so it isn't the end of the world.

[josephlr]

I think this is a good point. For both APIs I didn't directly use the output of windows-bindgen, but instead took that output as a starting point, then deleted lines until I got code that looked decent.

I think that referencing windows-bindgen in the comments at all was misleading, so I changed the comments to just reference the API metadata names directly. Given that, I also changed the BOOL/BOOLEAN types to just be typedefs (which is more honest IMO).

[josephlr]

For reference, here's the full output for running windows-bindgen with the following arguments:

// Bindings generated by `windows-bindgen` 0.56.0

#![allow(
    non_snake_case,
    non_upper_case_globals,
    non_camel_case_types,
    dead_code,
    clippy::all
)]
#[inline]
pub unsafe fn RtlGenRandom(
    randombuffer: *mut core::ffi::c_void,
    randombufferlength: u32,
) -> BOOLEAN {
    windows_targets::link!("advapi32.dll" "system" "SystemFunction036" fn RtlGenRandom(randombuffer : *mut core::ffi::c_void, randombufferlength : u32) -> BOOLEAN);
    RtlGenRandom(randombuffer, randombufferlength)
}
#[inline]
pub unsafe fn ProcessPrng(pbdata: &mut [u8]) -> BOOL {
    windows_targets::link!("bcryptprimitives.dll" "system" fn ProcessPrng(pbdata : *mut u8, cbdata : usize) -> BOOL);
    ProcessPrng(
        core::mem::transmute(pbdata.as_ptr()),
        pbdata.len().try_into().unwrap(),
    )
}
#[repr(transparent)]
#[derive(PartialEq, Eq)]
pub struct BOOL(pub i32);
impl Default for BOOL {
    fn default() -> Self {
        unsafe { core::mem::zeroed() }
    }
}
impl Clone for BOOL {
    fn clone(&self) -> Self {
        *self
    }
}
impl Copy for BOOL {}
impl core::fmt::Debug for BOOL {
    fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
        f.debug_tuple("BOOL").field(&self.0).finish()
    }
}
impl windows_core::TypeKind for BOOL {
    type TypeKind = windows_core::CopyType;
}
#[repr(transparent)]
#[derive(PartialEq, Eq)]
pub struct BOOLEAN(pub u8);
impl Default for BOOLEAN {
    fn default() -> Self {
        unsafe { core::mem::zeroed() }
    }
}
impl Clone for BOOLEAN {
    fn clone(&self) -> Self {
        *self
    }
}
impl Copy for BOOLEAN {}
impl core::fmt::Debug for BOOLEAN {
    fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
        f.debug_tuple("BOOLEAN").field(&self.0).finish()
    }
}
impl windows_core::TypeKind for BOOLEAN {
    type TypeKind = windows_core::CopyType;
}
pub const TRUE: BOOL = BOOL(1i32);