lidgren / lidgren-network-gen3

Lidgren Network Library
https://groups.google.com/forum/#!forum/lidgren-network-gen3
MIT License
1.2k stars 333 forks source link

Crash because SHA256 is not FIPS-compliant #26

Open aienabled opened 9 years ago

aienabled commented 9 years ago

Hello! One of our users reported that the application is not working for him because of this exception in Lidgren network library: System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms. at System.Security.Cryptography.SHA256.Create() at Lidgren.Network.NetUtility..cctor()

It seems he has a security policy enforced to allow only FIPS-compliant crypto-providers: http://blog.aggregatedintelligence.com/2007/10/fips-validated-cryptographic-algorithms.html

aienabled commented 9 years ago

We've resolved this by using SHA256Cng. It works on Mono also (it just wraps SHA256Managed). However, we afraid that some versions of Mono (Unity3D?) may not contains SHA256Cng implementation so we're using this code:

static NetUtility()
{
    s_sha = MonoHelper.IsMono ? new SHA256Managed() : (HashAlgorithm)new SHA256Cng();
    // ...
}

public static class MonoHelper
{
    public static bool IsMono
    {
        get
        {
            return Type.GetType("Mono.Runtime") != null;
        }
    }
}

However using SHA256Cng may be slower... there is a good article about it http://blogs.technet.com/b/secguide/archive/2014/04/07/why-we-re-not-recommending-fips-mode-anymore.aspx So maybe a better solution is to use try-catch and fallback to SHA256Cng only when required:

try
{
    s_sha = new SHA256Managed();
}
catch (InvalidOperationException)
{
    // FIPS policy enforced?
    s_sha = new SHA256Cng();
}
lidgren commented 9 years ago

"new SHA256Managed()" isn't used anywhere in the library; only SHA256.Create() - what does it return on mono?

aienabled commented 9 years ago

I just checked it on Mono 4.0.2 for Windows - SHA256.Create() returns an instance of type System.Security.Cryptography.SHA256Managed.