How do I modify the defaults for Antiforgery to make it FIPS-compliant

[thanhos]

I'm working on a system that has FIPS-compliant enabled and am wondering is there a way to change the Antiforgery defaults to make it compliant. If someone could provide some direction or feedback that would appreciated.

Thanks

[thanhos]

Creating a new ASP.NET Core Web Application using .NET Core works fine. Creating one using the .NET Framework with FIPS enabled doesn't work.

[rynowak]

/cc @blowdart

[blowdart]

Strange.

What OS, and do you have a stack trace?

@rynowak This may end up being deep in data protection. There's a fun bug in creating SHA signing pieces where you tell it to use FIPS algorithms and it doesn't. nuget had the same problem,

[thanhos]

I'm on Windows 10.0 (Build 10240).

Here's the stack trace:

fail: Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware[0]
      An unhandled exception has occurred while executing the request
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
   at System.Security.Cryptography.SHA256Managed..ctor()
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.Security.Cryptography.CryptoConfig.CreateFromName(String name, Object[] args)
   at System.Security.Cryptography.SHA256.Create()
   at Microsoft.AspNetCore.Antiforgery.Internal.AntiforgeryOptionsSetup.ComputeCookieName(String applicationId)
   at Microsoft.AspNetCore.Antiforgery.Internal.AntiforgeryOptionsSetup.ConfigureOptions(AntiforgeryOptions options, DataProtectionOptions dataProtectionOptions)
   at Microsoft.Extensions.Options.OptionsCache`1.CreateOptions()
   at System.Threading.LazyInitializer.EnsureInitializedCore[T](T& target, Boolean& initialized, Object& syncLock, Func`1 valueFactory)
   at Microsoft.Extensions.Options.OptionsCache`1.get_Value()
   at Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgeryTokenStore..ctor(IOptions`1 optionsAccessor)
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.ConstructorCallSite.Invoke(ServiceProvider provider)
   at Microsoft.Extensions.DependencyInjection.ServiceProvider.ScopedCallSite.Invoke(ServiceProvider provider)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.ConstructorCallSite.Invoke(ServiceProvider provider)
   at Microsoft.Extensions.DependencyInjection.ServiceProvider.ScopedCallSite.Invoke(ServiceProvider provider)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.ConstructorCallSite.Invoke(ServiceProvider provider)
   at Microsoft.Extensions.DependencyInjection.ServiceProvider.ScopedCallSite.Invoke(ServiceProvider provider)
   at Microsoft.Extensions.DependencyInjection.ServiceLookup.ConstructorCallSite.Invoke(ServiceProvider provider)
   at Microsoft.Extensions.DependencyInjection.ServiceProvider.TransientCallSite.Invoke(ServiceProvider provider)
   at Microsoft.Extensions.DependencyInjection.ServiceProviderServiceExtensions.GetRequiredService(IServiceProvider provider, Type serviceType)
   at Microsoft.AspNetCore.Mvc.Razor.RazorPageActivator.<>c__DisplayClass16_0.<CreateActivateInfo>b__1(ViewContext context)
   at Microsoft.Extensions.Internal.PropertyActivator`1.Activate(Object instance, TContext context)
   at Microsoft.AspNetCore.Mvc.Razor.RazorPageActivator.Activate(IRazorPage page, ViewContext context)
   at Microsoft.AspNetCore.Mvc.Razor.RazorView.<RenderViewStartsAsync>d__16.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.AspNetCore.Mvc.Razor.RazorView.<RenderPageAsync>d__14.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.AspNetCore.Mvc.Razor.RazorView.<RenderAsync>d__13.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.AspNetCore.Mvc.ViewFeatures.ViewExecutor.<ExecuteAsync>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.AspNetCore.Mvc.ViewResult.<ExecuteResultAsync>d__26.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.<InvokeResultAsync>d__32.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.<InvokeResultFilterAsync>d__31.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.<InvokeAllResultFiltersAsync>d__29.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.<InvokeResourceFilterAsync>d__23.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker.<InvokeAsync>d__18.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.AspNetCore.Builder.RouterMiddleware.<Invoke>d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.<Invoke>d__6.MoveNext()
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
      Request finished in 3966.2482ms 500 text/html; charset=utf-8

[rynowak]

Thanks for providing this.

This callstack is using Sha256Managed to compute a unique application cookie name. We'll have to do something to address this. https://github.com/aspnet/Antiforgery/blob/dev/src/Microsoft.AspNetCore.Antiforgery/Internal/AntiforgeryOptionsSetup.cs

Can you try the following workaround:

services.Insert(0, ServiceDescriptor.Singleton(
    typeof(IConfigureOptions<AntiforgeryOptions>), 
    new ConfigureOptions<AntiforgeryOptions>(options => options.CookieName = "<choose a name>")));

The purpose of the random cookie name is just to avoid colliding with other applications using our antiforgery system when using shared hosting. If you have your own domain name then there's no risk of collision.

[rynowak]

/cc @blowdart - see above, it looks like we have to do something about this, but it's local to antiforgery

[blowdart]

Oh dear. This is a bug in the desktop framework. SHA256.Create should create a FIPS compliant CSP, but doesn't in some circumstances. nuget had the same problem (NuGet/Home#2335)

Switch from SHA256.Create() to (HashAlgorithm)new SHA256CryptoServiceProvider()

[Eilon]

Prospectively putting this in the 1.0.1 milestone, but will need to get approval for it.

[thanhos]

I tried the workaround above and it seems like it's no longer failing in Antiforgery but in the TagHelpers. Looks like a general bug. Where should I redirect this issue to? Here's the stack trace.

fail: Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware[0]
      An unhandled exception has occurred while executing the request
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
   at System.Security.Cryptography.SHA256Managed..ctor()
   --- End of inner exception stack trace ---
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
   at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at System.Security.Cryptography.CryptoConfig.CreateFromName(String name, Object[] args)
   at System.Security.Cryptography.SHA256.Create()
   at Microsoft.AspNetCore.Mvc.TagHelpers.Internal.FileVersionProvider.GetHashForFile(IFileInfo fileInfo)
   at Microsoft.AspNetCore.Mvc.TagHelpers.Internal.FileVersionProvider.AddFileVersionToPath(String path)
   at Microsoft.AspNetCore.Mvc.TagHelpers.ScriptTagHelper.Process(TagHelperContext context, TagHelperOutput output)
   at Microsoft.AspNetCore.Razor.TagHelpers.TagHelper.ProcessAsync(TagHelperContext context, TagHelperOutput output)
   at Microsoft.AspNetCore.Razor.Runtime.TagHelpers.TagHelperRunner.<RunAsync>d__0.MoveNext()

[blowdart]

@NTaylorMullen ...

[blowdart]

@thanhos I have a work around for you.

Firstly my apologies. This is a bug in the .NET framework, and it's fixed in 4.6.2 but I presume because you have FIPS enabled that upgrading when that drops is probably painful. I'm currently creating a new FIPS VM to check this.

What you can do is in program.cs, add the following line at the beginning;

CryptoConfig.AddAlgorithm(typeof(SHA256Cng), "SHA256")

You'll need to add the following reference

using System.Security.Cryptography;

If you're targeting .NET Core the error won't occur, we got rid of all the managed crypto packages, so everything is left to the underlying platform, thus no FIPS concerns. We'll also get the code adjusted as well.

[thanhos]

Thanks for the feedback so far @blowdart

I tried the suggestion above and still received the same error.

[blowdart]

Darn I was so hopefully. It's probably too late in the initialization process then (I'm still attempting to get a FIPS machine up and running)

[blowdart]

I know it's a lot to ask, but could you try installing 4.6.2 beta on a machine and see if that works? It's likely 4.6.2 will drop before we officially release a patch for this.

[thanhos]

Sure, I'll give that a try and see how it goes.

[blowdart]

Thanks. Apologies for forcing a beta on you.

[thanhos]

No worries. I installed the 4.6.2 Preview and still getting the same exceptions.

[blowdart]

Darn. Emailing some folks.

[kevinchalet]

FWIW, an ASOS user experienced the same thing and this snippet worked:

// Make sure to replace both "SHA256" and "System.Security.Cryptography.SHA256"
CryptoConfig.AddAlgorithm(typeof(SHA256Cng), typeof(SHA256).Name, typeof(SHA256).FullName);

I presume @blowdart's snippet doesn't work because it doesn't override "System.Security.Cryptography.SHA256".

[bartonjs]

grumble grumble. That's my bad, I advised him without looking at the implementation on referencesource. Aes.Create() queries for "AES", so for some reason I assumed SHA256 queried for "SHA256". How absurd of me 😄.

Installing 4.6.2 preview should've worked. At least, it's in the public changelog (with a terrible description):

The factory method now returns SHA256Cng in FIPS-only mode. [163804]

Guess that's something for me to dig into.

[kevinchalet]

The factory method now returns SHA256Cng in FIPS-only mode. [163804]

Hahaha, guys who use SHA256.Create() and abusively cast the returned instance to SHA256Managed will have a nice surprise 😄

[bartonjs]

@PinpointTownes Nah, you missed "in FIPS-only mode". Since the ctor of SHA256Managed is what throws SHA256.Create() never exited in that case; so we've changed an exceptional case to a passing case. Non-FIPS mode is left as-was, for precisely that bad pattern.

[kevinchalet]

@bartonjs ah yeah good point 😄

On a related note, is there a plan to change the default key size used by RSACryptoServiceProvider in the future?

[bartonjs]

@PinpointTownes That's a hard argument with compat (but one I'll have at some point). But hopefully https://github.com/dotnet/corefx/issues/8688 will take the sting off.

[thanhos]

@PinpointTownes 's suggestion worked. Thanks!

I'll have to investigate as to why installing 4.6.2 didn't work on my machine.

Thanks for the help everyone.

[dougbu]

FYI Antiforgery and MVC use SHA256.Create() a couple more times than were hit above:

• AntiforgerySerializationContext in Antiforgery
• CacheTagKey in MVC

[Eilon]

FYI, I logged aspnet/Mvc#5103 for the MVC issues.

[kevinchalet]

@Eilon is this really a MVC issue? It already does the right thing by calling SHA256.Create() instead of trying to use a specific implementation like SHA256Managed.

The fact you don't get a FIPS-compliant instance on .NET Desktop < 4.6.2 is another story, but I'm not sure there's anything you can do in MVC.

[Eilon]

@PinpointTownes to be honest, not sure - but MVC's code looks the same as anti-forgery's, so wouldn't it be the same issue?

[kevinchalet]

Well, IMHO, there's no bug in Antiforgery or MVC, as they both correctly use SHA256.Create().

The "bug" (by design?) was more caused by CryptoConfig, that used to blindly register SHA256Managed as the default implementation without checking whether FIPS was enabled first in < .NET 4.6.2: http://referencesource.microsoft.com/#mscorlib/system/security/cryptography/cryptoconfig.cs,261

I guess the right thing to do is to document that somewhere. People who need FIPS support on .NET Desktop should either migrate to .NET 4.6.2 or override the default SHA-256 implementation to use CAPI (SHA256CryptoServiceProvider) or CNG (SHA256Cng), that both support FIPS: #95 (comment)

[Eilon]

@PinpointTownes yeah I think it boils down to: the system as a whole doesn't work on FIPS-enabled machines, so we want to do whatever we can reasonably do to make it work, regardless of where the actual root bug is. So if we need to just work around bugs in our own codebase (while that codebase is getting the "real" fix), then we'll try to do that. Does that make sense?

[kevinchalet]

Does that make sense?

It does. I'm just concerned by the the fact your workaround might break cross-platform scenarios:

• SHA256Cng is based on Windows CNG and only works there (I'm not even sure the type exists on Mono).
• SHA256CryptoServiceProvider relies on CryptoAPI, which is also a Windows-only API. It should work on Mono as the type is there (but it uses a managed implementation internally) but will break everywhere else.

I guess one viable option might be to call CryptoConfig.AllowOnlyFipsAlgorithms to determine whether FIPS was enforced and replace the instance returned by SHA256.Create() by a SHA256Cng instance on .NET Desktop, but you'll break Mono harder 😄

Is it really worth it? IMHO, the "right" fix is something people should add in their entry point depending on their own needs:

// Make sure to replace both "SHA256" and "System.Security.Cryptography.SHA256"
CryptoConfig.AddAlgorithm(typeof(SHA256Cng), typeof(SHA256).Name, typeof(SHA256).FullName);

[bartonjs]

@thanhos 4.6.2 (final) released today: https://blogs.msdn.microsoft.com/dotnet/2016/08/02/announcing-net-framework-4-6-2/. I very much hope/expect that the CryptoConfig issue would be resolved for you with that build installed. The CryptoConfig change is only conditional on the FIPS setting, so it doesn't require changing your calling executable to be explicitly compiled against 4.6.2. (Though, like many things with the FIPS setting, it reads it once at startup and never again, in case your scenario flipped the bit after app start)

[blowdart]

@PinpointTownes Having people jump through hoops isn't the right answer. The right answer is making it work on our supported platforms.

[NTaylorMullen]

PR is ready to go in. Waiting for patch-approved. Once in, will need to work out changes to templates to ensure they reference 1.0.1 Antiforgery.

[NTaylorMullen]

cdf84eb