Unable to install when FIPS enabled. #171

Closed
krishKM opened this issue Sep 18, 2020 · 4 comments · Fixed by #180

Comments

krishKM commented Sep 18, 2020

Steps to reproduce:

When installing the NuGet package, I'm getting the error below, and I think it is because the net.r_eg.MvsSln.Extensions module is using a hashing algorithm unsupported by the FIPS standard.

My laptop has FIPS enabled, thus it is complaining about your code. Replacing MD5.Create() with any SHA in net.r_eg.MvsSln.Extensions would work for me and any FIPS enabled system out there.

Alternatives to MD5

Hoping to see a fix soon. Saves me time buil

. . .

  • DllExport -version: 1.7.3
  • Used Visual Studio 2017. MSBuild 2015 + 2017 installed

Information from Data tab or log data:

Unhandled Exception: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
at System.Security.Cryptography.MD5CryptoServiceProvider..ctor()
--- End of inner exception stack trace ---
at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at System.Security.Cryptography.CryptoConfig.CreateFromName(String name, Object[] args)
at System.Security.Cryptography.MD5.Create()
at net.r_eg.MvsSln.Extensions.StringExtension.Guid(String str)
at net.r_eg.MvsSln.Core.XProject..ctor(ISlnResult data, ProjectItemCfg pItem, Project prj)
at net.r_eg.DllExport.Wizard.UI.Controls.ProjectItemsControl.<.ctor>b__24_0()
at System.Lazy`1.CreateValue()
at System.Lazy`1.LazyInitValue()
at net.r_eg.DllExport.Wizard.UI.Controls.ProjectItemsControl.Dispose(Boolean disposing)
at System.ComponentModel.Component.Finalize()
. . .


krishKM added the bug label Sep 18, 2020

3F (Owner) commented Oct 2, 2020

Thanks for the report!

Unfortunately I'm not sure when I personally will be ready to fix something because of https://twitter.com/GitHub3F/status/1302228682870841345

Anyone can open a PR. Here and/or for the MvsSln project, because this part is located there as you can see. But there is a possible compatibility issue for GUID cmp in some places if we are talking about MvsSln fixes. I don't really remember the actual coverage for this feature, thus it's more likely it can be approved only for the planned 3.0 version.

But we can also just try to fix this usage in the DllExport project before MvsSln.

I can try to coordinate some workflow if someone is ready for something. Let me know. Thanks.

3F added this to the 1.7.4 milestone Dec 8, 2020

3F (Owner) commented Dec 29, 2020

I've started reviewing this task. So, what we will do...

FIPS ... well, I would never agree* to do it voluntarily but if you work for any government agency, well, ok, I'll try to find some solution for the FIPS case.

*- because you have to understand that this actually does not add security by itself. And the restriction of md5 itself is incorrect in my opinion when you're working with hashing just to represent a most unique stamp for some id in some nodes. The cases that are close to Object.GetHashCode (you must know why and where it's used if we're talking about .NET/clr). Meaning when you don't need security, only performance at minimal uniqueness for a specific length.

I'll try to provide some solution anyway because MvsSln operates mainly only on GUIDs and MD5 was just for a quick hashing of any data from strings (but I don't actually remember where it was needed :)).

I think I will at least temporarily distribute a special edition for this project in a separate branch.
Let me know your alternatives while I'm thinking.

3F added a commit to 3F/MvsSln that referenced this issue Dec 30, 2020
3F added a commit that referenced this issue Dec 30, 2020
3F (Owner) commented Dec 30, 2020

You can test the changes before release

DllExport -force -pkg-link https://ci.appveyor.com/api/buildjobs/n3iwyesqv6uf0vlk/artifacts/bin/Release/DllExport.1.7.3.nupkg

3F closed this as completed in #180 Jan 1, 2021
3F added a commit that referenced this issue Jan 1, 2021
3F added a commit that referenced this issue Jan 2, 2021
* FIXED: Basic project integration stuck on adding property message. Issue #175.
         Modern VS/MSBuild 16.8+

* FIXED: Fixed integration with Conari and merging modules via ILMerge. Issue #170.

* FIXED: double.NaN leads to errors for non exported methods. Issue #174.
         ```
         syntax error at token '-' in: IL_0029: ldc.r8 -nan(ind)
         ```

* NEW: Manager. Implemented `-no-mgr` key:
        - Do not use manager for automatic restore the remote package.

* CHANGED: FIPS compliant algorithms.
           Unable to install when FIPS enabled. Issue #171.

* CHANGED: Improved the searching paths logic for RootPath and PkgPath,
            to be more loyal when no keys for some reason. Part of #175.

* CHANGED: Updated MvsSln 2.5.3
           https://github.com/3F/MvsSln/releases/tag/2.5.3

* CHANGED: Use special edition for DllExport project. Part of issue #171.
           https://github.com/3F/MvsSln
           branch: edition/DllExport

3F (Owner) commented Jun 9, 2024

It has been changed to Huid implementation (Fnv-1a-128 (via LX4Cnh)) for future releases starting with 1d66cba

Please note,
DllExport doesn't use any weak algorithms (md5, Fnv1a, LX4Cnh, sha1, ...) for security related purposes. Only for UUID related things.

Read more about it here: 3F/MvsSln#51
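
An added example, not code from DllExport or MvsSln: one way to do what the opening report suggests, deriving a stable GUID from a string with a SHA instead of `MD5.Create()`. The `StableGuid.FromString` helper, the UTF-8 encoding and the truncation to 16 bytes are assumptions made for this illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class StableGuid
{
    // Hypothetical helper (not MvsSln's StringExtension.Guid): derives a
    // deterministic GUID from a string without touching MD5.
    public static Guid FromString(string str)
    {
        if (str == null) throw new ArgumentNullException(nameof(str));

        // SHA256CryptoServiceProvider wraps the Windows CAPI implementation,
        // so its constructor does not throw when the FIPS policy is enabled,
        // unlike MD5CryptoServiceProvider in the reported stack trace.
        using (HashAlgorithm sha = new SHA256CryptoServiceProvider())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(str));

            // A GUID holds 16 bytes; keep the first 16 of the 32-byte digest.
            byte[] id = new byte[16];
            Array.Copy(digest, id, id.Length);
            return new Guid(id);
        }
    }

    static void Main()
    {
        // Reports whether the Windows FIPS policy is in effect
        // (property available since .NET Framework 4.0).
        Console.WriteLine("FIPS only: " + CryptoConfig.AllowOnlyFipsAlgorithms);

        // Constructed sample inputs.
        Guid a = FromString("MyProject.csproj");
        Guid b = FromString("MyProject.csproj");
        Guid c = FromString("myproject.csproj");

        Console.WriteLine(a);
        Console.WriteLine("same input, same GUID: " + (a == b));
        Console.WriteLine("input is case-sensitive: " + (a != c));
    }
}
```

GUIDs produced this way differ from MD5-derived ones for the same input, which is the GUID comparison compatibility concern raised in the Oct 2, 2020 reply.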
