@pburkholder
Last active March 30, 2017 19:29
FIPS-mode not working properly on Win2016

I have to conclude the FIPS-mode enforcement for .NET is broken on Win2016/Win10annivEdition.

The SHA256Managed code, https://referencesource.microsoft.com/#mscorlib/system/security/cryptography/sha256managed.cs,32 reads:

#if FEATURE_CRYPTO
            if (CryptoConfig.AllowOnlyFipsAlgorithms)
                throw new InvalidOperationException(Environment.GetResourceString("Cryptography_NonCompliantFIPSAlgorithm"));
            Contract.EndContractBlock();
#endif // FEATURE_CRYPTO

which clearly means that we get an exception if both the following are true:

  • a) the build includes FEATURE_CRYPTO
  • b) the value of CryptoConfig.AllowOnlyFipsAlgorithms is true

Further, according to the FIPS 140 Validation TechNet article (dated Feb 2017), the "cryptographic classes whose names end in 'Managed'" should never be allowed when running in FIPS-mode.

Test setup

To test this I have two systems, Win2016 and Win2012R2, as described and configured below. For this, I want both systems to:

  • Have PowerShell 5.1
  • Have .NET Framework 4.6 (4.0.30319.42000)
  • Have FIPS-mode enabled by setting the appropriate registry key and rebooting.

Update: 2017-03-30 I should have noted that I used AWS us-east for the Windows2016 and Windows2012R2 instances.

iwr https://chocolatey.org/install.ps1 | Invoke-Expression
choco install powershell

And on both systems:

Set-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy -Name Enabled -Value 1
Restart-Computer

Now let's test FIPS-mode:

Run the Get-FIPSEnabled function Miguel Lopez provided (reproduced further down in this gist):

> Get-FIPSEnabled # from test function above

Directly read the property that the check at https://referencesource.microsoft.com/#mscorlib/system/security/cryptography/sha256managed.cs,35 tests:

> [System.Security.Cryptography.Cryptoconfig]::AllowOnlyFipsAlgorithms

Call two non-FIPS-validated crypto algorithms, including the SHA256Managed::Create method as used in the AzureRM module at https://github.com/Azure/azure-powershell/blob/master/src/Common/Commands.Common/MetricHelper.cs#L210

$md5    = [System.Security.Cryptography.MD5CryptoServiceProvider]::Create()
$sha256 = [System.Security.Cryptography.SHA256Managed]::Create()

Expected results:

The two tests of FIPS-enablement should return true, and the two calls to unaccredited crypto functions should fail:

PS C:\Users\Administrator> Get-FIPSEnabled
True
PS C:\Users\Administrator>  [System.Security.Cryptography.Cryptoconfig]::AllowOnlyFipsAlgorithms
True

PS C:\Users\Administrator> $md5    = [System.Security.Cryptography.MD5CryptoServiceProvider]::Create()
Exception calling "Create" with "0" argument(s): "This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms."
At line:1 char:1
+ $md5    = [System.Security.Cryptography.MD5CryptoServiceProvider]::Cr ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : InvalidOperationException

PS C:\Users\Administrator> $sha256 = [System.Security.Cryptography.SHA256Managed]::Create()
Exception calling "Create" with "0" argument(s): "This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms."
At line:1 char:1
+ $sha256 = [System.Security.Cryptography.SHA256Managed]::Create()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : InvalidOperationException

Unexpected Results - Win2016/Win10annivEdition

PS C:\Users\Administrator> Get-FIPSEnabled
True
PS C:\Users\Administrator> [System.Security.Cryptography.Cryptoconfig]::AllowOnlyFipsAlgorithms
True

PS C:\Users\Administrator> $md5    = [System.Security.Cryptography.MD5CryptoServiceProvider]::Create()
Exception calling "Create" with "0" argument(s): "This implementation is not part of the Windows Platform FIPS
validated cryptographic algorithms."
At line:1 char:1
+ $md5    = [System.Security.Cryptography.MD5CryptoServiceProvider]::Cr ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : InvalidOperationException

PS C:\Users\Administrator>
PS C:\Users\Administrator>
PS C:\Users\Administrator> $sha256 = [System.Security.Cryptography.SHA256Managed]::Create()

Oh wow! No exception for SHA256Managed!! What the hell?

Let's look at the $sha256 object:

PS C:\Users\Administrator> $sha256


HashSize                   : 256
Hash                       :
InputBlockSize             : 1
OutputBlockSize            : 1
CanTransformMultipleBlocks : True
CanReuseTransform          : True

It's legit! And you can further demonstrate this for yourself by running AzureRM modules on Win2016...

Conclusion

PowerShell + .NET 4.6.0 does not properly enforce FIPS-mode on Win2016/Win10annivEdition.

System Info

1. AWS EC2 Win2012R2

PS C:\Users\Administrator> systeminfo | clip.exe


Host Name:                 WIN-ADUHNJ9ED5K
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          EC2
Registered Organization:   Amazon.com
Product ID:                00252-70000-00000-AA535
Original Install Date:     3/23/2017, 12:11:31 PM
System Boot Time:          3/23/2017, 1:54:00 PM
System Manufacturer:       Xen
System Model:              HVM domU
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~2394 Mhz
BIOS Version:              Xen 4.2.amazon, 2/16/2017
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC) Coordinated Universal Time
Total Physical Memory:     8,192 MB
Available Physical Memory: 7,356 MB
Virtual Memory: Max Size:  16,384 MB
Virtual Memory: Available: 15,567 MB
Virtual Memory: In Use:    817 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \\WIN-ADUHNJ9ED5K
Hotfix(s):                 227 Hotfix(s) Installed.
Network Card(s):           1 NIC(s) Installed.
                           [01]: AWS PV Network Device
                                 Connection Name: Ethernet
                                 DHCP Enabled:    Yes
                                 DHCP Server:     172.31.0.1
                                 IP address(es)
                                 [01]: 172.31.9.151
                                 [02]: fe80::b912:aa84:b2fb:c82a
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Also:

PS C:\Users\Administrator> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.14409.1005
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14409.1005
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1


PS C:\Users\Administrator> [environment]::version

Major  Minor  Build  Revision
-----  -----  -----  --------
4      0      30319  42000

2. AWS Win2016

PS C:\Users\Administrator> systeminfo | clip.exe

Host Name:                 EC2AMAZ-I5LDISB
OS Name:                   Microsoft Windows Server 2016 Datacenter
OS Version:                10.0.14393 N/A Build 14393
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          EC2
Registered Organization:   Amazon.com
Product ID:                00376-40000-00000-AA918
Original Install Date:     3/23/2017, 11:22:33 AM
System Boot Time:          3/23/2017, 1:54:07 PM
System Manufacturer:       Xen
System Model:              HVM domU
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~2400 Mhz
BIOS Version:              Xen 4.2.amazon, 2/16/2017
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC) Coordinated Universal Time
Total Physical Memory:     8,192 MB
Available Physical Memory: 7,131 MB
Virtual Memory: Max Size:  10,112 MB
Virtual Memory: Available: 9,162 MB
Virtual Memory: In Use:    950 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \\EC2AMAZ-I5LDISB
Hotfix(s):                 5 Hotfix(s) Installed.
                           [01]: KB3176936
                           [02]: KB3192137
                           [03]: KB3199209
                           [04]: KB3199986
                           [05]: KB3213986
Network Card(s):           1 NIC(s) Installed.
                           [01]: AWS PV Network Device
                                 Connection Name: Ethernet 2
                                 DHCP Enabled:    Yes
                                 DHCP Server:     172.31.0.1
                                 IP address(es)
                                 [01]: 172.31.13.102
                                 [02]: fe80::b07c:8f30:631a:e51c
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Also:

PS C:\Users\Administrator> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.14393.693
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14393.693
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1


PS C:\Users\Administrator> [environment]::version

Major  Minor  Build  Revision
-----  -----  -----  --------
4      0      30319  42000

function Get-FIPSEnabled {
    process {
        $retVal = $false

        if ([System.Environment]::OSVersion.Version.Major -ge 6) {
            # Vista / Server 2008 and later: ask bcrypt through the internal
            # Win32Native P/Invoke wrapper, the same call CryptoConfig makes.
            $type = [System.Type]::GetType("Microsoft.Win32.Win32Native")
            $bindingFlags = [System.Reflection.BindingFlags]::Static -bor [System.Reflection.BindingFlags]::NonPublic
            $method = [System.Reflection.MethodInfo]$type.GetMethod("BCryptGetFipsAlgorithmMode", $bindingFlags)

            # The single [out] bool parameter comes back in $parameters[0].
            $parameters = @($null)
            $policyReadStatus = $method.Invoke($null, $parameters)
            # STATUS_SUCCESS or STATUS_OBJECT_NAME_NOT_FOUND mean the policy was readable.
            $readPolicy = $policyReadStatus -eq 0x00000000 -or $policyReadStatus -eq 0xC0000034

            $retVal = (-not $readPolicy -or $parameters[0])
        }
        else {
            # Older OS: read the LSA FIPSAlgorithmPolicy registry value directly.
            try {
                $fipsKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("System\CurrentControlSet\Control\Lsa", $false)
                try {
                    if ($fipsKey -eq $null) {
                        $retVal = $false
                    }
                    else {
                        $regdata = $fipsKey.GetValue("FIPSAlgorithmPolicy")
                        if ($regdata -eq $null) {
                            $retVal = $false
                        }
                        elseif ($fipsKey.GetValueKind("FIPSAlgorithmPolicy") -ne 4) {
                            # Not a REG_DWORD: treat any other value kind as enabled.
                            $retVal = $true
                        } else {
                            $retVal = ([System.Int32]$regdata -ne 0)
                        }
                    }
                }
                finally {
                    if ($fipsKey -ne $null) {
                        $fipsKey.Close();
                        $fipsKey.Dispose();
                    }
                }
            }
            catch [System.Security.SecurityException] {
                # No permission to read the key: fail closed and report enabled.
                $retVal = $true
            }
        }

        return $retVal
    }
}

A member of Microsoft support suggested I try the following workaround:

Create a file named powershell.exe.config and place this file where the PowerShell.exe executable is located. It is in %WinDir%\system32\WindowsPowerShell\v1.0 on my computer. The content of this file should look as follows:

<?xml version="1.0" encoding="utf-8" ?> 
<configuration>
     <runtime>
           <enforceFIPSPolicy enabled="false" />
     </runtime>
</configuration>

While attempting to evaluate the workaround on yet another lab machine, I was unable to reproduce the issue in question. To wit:

  • Tested that Login-AzureRMAccount and Get-AzureRMResource both worked
  • Set the FIPS RegistryKey and restarted
  • Login-AzureRMAccount

But then, when I expected Get-AzureRMResource to fail - it didn't!

The main difference between this machine and the other machines initially seemed to be different versions of AzureRM. Namely, the working-with-FIPS machine (hereafter "LabMachine") had AzureRM 3.5.0 and AzureRM.profile 2.5.0. But downgrading my Workstation to that version had no effect.

Instead, the impact of enabling FIPS differs between systems. That is:

foreach ($class in "HMACSHA256", "HMACSHA1", "MD5CryptoServiceProvider", "SHA256CryptoServiceProvider", "SHA256Managed") {
   Write-Host -NoNewline "| $class | "
   try {
     $hasher = New-Object System.Security.Cryptography.$class 
     Write-Host -NoNewline "ok  "
   } catch {
     Write-Host -NoNewLine "FAIL"
   }

   $c = "[System.Security.Cryptography.$class]"
   try { 
       (iex $c)::Create() > $null
       Write-Host "| ok |" 
   } catch { Write-Host "| FAIL |" }
}

Results:

Windows 10.0.10586

| Algo | New-Obj | Create |
| --- | --- | --- |
| HMACSHA256 | ok | ok |
| HMACSHA1 | ok | ok |
| MD5CryptoServiceProvider | FAIL | FAIL |
| SHA256CryptoServiceProvider | ok | FAIL |
| SHA256Managed | FAIL | FAIL |

Windows 10.0.14393

| Algo | New-Obj | Create |
| --- | --- | --- |
| HMACSHA256 | ok | ok |
| HMACSHA1 | ok | ok |
| MD5CryptoServiceProvider | FAIL | FAIL |
| SHA256CryptoServiceProvider | ok | ok |
| SHA256Managed | FAIL | ok |

The difference seems to be that Workstation is Windows 10 build 10.0.10586 and LabMachine is 10.0.14393, and the two builds have different FIPS implementations.

https://technet.microsoft.com/en-us/library/cc750357.aspx
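As an added diagnostic (not the gist's own script, nor Microsoft support's), the following extends the loop above: besides ok/FAIL it prints the concrete runtime type each path returns and the innermost exception message on failure. The reason that matters is that SHA256Managed defines no static Create() of its own; `[SHA256Managed]::Create()` resolves to the inherited SHA256.Create(), which returns whatever implementation CryptoConfig maps "SHA256" to, so "Create ok" does not prove that a Managed object was built. The function names, the class list (SHA256Cng added; it lives in System.Core, which PowerShell has loaded) and the output layout are this example's own choices.

```powershell
function Get-InnermostMessage {
    param([System.Exception]$Exception)
    # PowerShell and CryptoConfig wrap the real error (MethodInvocationException,
    # TargetInvocationException); walk down to the original exception message.
    while ($null -ne $Exception.InnerException) {
        $Exception = $Exception.InnerException
    }
    return $Exception.Message
}

function Get-FipsAlgorithmReport {
    param(
        [string[]]$Classes = @(
            "HMACSHA256", "HMACSHA1",
            "MD5CryptoServiceProvider",
            "SHA256CryptoServiceProvider",
            "SHA256Managed", "SHA256Cng"
        )
    )

    # Context that decides the outcome: OS build, CLR build, and the flag the
    # SHA256Managed constructor checks before throwing.
    $fipsOnly = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
    $header = "OS {0}  CLR {1}  AllowOnlyFipsAlgorithms={2}" -f `
        [System.Environment]::OSVersion.Version, [System.Environment]::Version, $fipsOnly
    Write-Host $header

    foreach ($class in $Classes) {
        $fullName = "System.Security.Cryptography.$class"

        # Path 1: the instance constructor (what New-Object calls). Under FIPS
        # policy the *Managed constructors throw InvalidOperationException here.
        try {
            $obj = New-Object $fullName
            $ctor = "ok ({0})" -f $obj.GetType().Name
        } catch {
            $ctor = "FAIL: " + (Get-InnermostMessage $_.Exception)
        }

        # Path 2: the static Create(). For these classes it is the base-class
        # factory (SHA256.Create(), MD5.Create(), HMAC.Create()), so the object
        # it hands back may be a different class than the one named.
        $type = $fullName -as [type]
        if ($null -eq $type) {
            $create = "type not found"
        } else {
            try {
                $obj = $type::Create()
                $create = "ok ({0})" -f $obj.GetType().Name
            } catch {
                $create = "FAIL: " + (Get-InnermostMessage $_.Exception)
            }
        }

        [pscustomobject]@{ Class = $class; Constructor = $ctor; Create = $create }
    }
}

Get-FipsAlgorithmReport | Format-Table -AutoSize -Wrap
```

Compare the type names in the Create column across the two builds: a row that reads "SHA256Managed | FAIL | ok (SHA256Cng)" means FIPS policy did block the Managed constructor and the factory simply chose another implementation, whereas "ok (SHA256Managed)" would be a genuine enforcement gap.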

@pburkholder

pburkholder commented Mar 22, 2017

 [01]: KB3150513
 [02]: KB3176936
 [03]: KB3199209
 [04]: KB3199986
 [05]: KB3211320
 [06]: KB4010250
 [07]: KB4013418
 [08]: KB4014329

@pburkholder

| HMACSHA256 | ok  | ok |
| HMACSHA1 | ok  | ok |
| MD5CryptoServiceProvider | FAIL| FAIL |
| SHA256CryptoServiceProvider | ok  | ok |
| SHA256Managed | FAIL| ok |

@pburkholder

According to https://technet.microsoft.com/en-us/library/cc750357.aspx#IDCYAL it shouldn't be this way....

@pburkholder

PS C:\Users\Administrator> Get-AzureRmResource
Get-AzureRmResource : Object reference not set to an instance of an object.
At line:1 char:1
+ Get-AzureRmResource
+ ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-AzureRmResource], NullReferenceException
    + FullyQualifiedErrorId : System.NullReferenceException,Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.GetAzureResourceCmdlet

PS C:\Users\Administrator> Resolve-Error


PSMessageDetails      :
Exception             : System.NullReferenceException: Object reference not set to an instance of an object.
                           at Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.GetAzureResourceCmdlet.RunCmdlet() in
                        D:\workspace\powershell-sign\src\ResourceManager\Resources\Commands.ResourceManager\Cmdlets\Implementation\Resource\GetAzureResourceCmdlet.cs:line 222
                           at Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.ResourceManagerCmdletBase.EndProcessing() in
                        D:\workspace\powershell-sign\src\ResourceManager\Resources\Commands.ResourceManager\Cmdlets\Implementation\CmdletBase\ResourceManagerCmdletBase.cs:line 145
                        --- End of stack trace from previous location where exception was thrown ---
                           at Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.ResourceManagerCmdletBase.HandleException(ExceptionDispatchInfo capturedException)
                        in D:\workspace\powershell-sign\src\ResourceManager\Resources\Commands.ResourceManager\Cmdlets\Implementation\CmdletBase\ResourceManagerCmdletBase.cs:line
                        445
                           at Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.ResourceManagerCmdletBase.EndProcessing() in
                        D:\workspace\powershell-sign\src\ResourceManager\Resources\Commands.ResourceManager\Cmdlets\Implementation\CmdletBase\ResourceManagerCmdletBase.cs:line 156
                           at System.Management.Automation.CommandProcessorBase.Complete()
TargetObject          :
CategoryInfo          : NotSpecified: (:) [Get-AzureRmResource], NullReferenceException
FullyQualifiedErrorId : System.NullReferenceException,Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.GetAzureResourceCmdlet
ErrorDetails          :
InvocationInfo        : System.Management.Automation.InvocationInfo
ScriptStackTrace      : at <ScriptBlock>, <No file>: line 1
PipelineIterationInfo : {}

MyCommand             : Get-AzureRmResource
BoundParameters       : {}
UnboundArguments      : {}
ScriptLineNumber      : 1
OffsetInLine          : 1
HistoryId             : 10
ScriptName            :
Line                  : Get-AzureRmResource
PositionMessage       : At line:1 char:1
                        + Get-AzureRmResource
                        + ~~~~~~~~~~~~~~~~~~~
PSScriptRoot          :
PSCommandPath         :
InvocationName        : Get-AzureRmResource
PipelineLength        : 0
PipelinePosition      : 0
ExpectingInput        : False
CommandOrigin         : Internal
DisplayScriptPosition :

Message        : Object reference not set to an instance of an object.
Data           : {}
InnerException :
TargetSite     : Void RunCmdlet()
StackTrace     :    at Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.GetAzureResourceCmdlet.RunCmdlet() in
                 D:\workspace\powershell-sign\src\ResourceManager\Resources\Commands.ResourceManager\Cmdlets\Implementation\Resource\GetAzureResourceCmdlet.cs:line 222
                    at Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.ResourceManagerCmdletBase.EndProcessing() in
                 D:\workspace\powershell-sign\src\ResourceManager\Resources\Commands.ResourceManager\Cmdlets\Implementation\CmdletBase\ResourceManagerCmdletBase.cs:line 145
                 --- End of stack trace from previous location where exception was thrown ---
                    at Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.ResourceManagerCmdletBase.HandleException(ExceptionDispatchInfo capturedException) in
                 D:\workspace\powershell-sign\src\ResourceManager\Resources\Commands.ResourceManager\Cmdlets\Implementation\CmdletBase\ResourceManagerCmdletBase.cs:line 445
                    at Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.ResourceManagerCmdletBase.EndProcessing() in
                 D:\workspace\powershell-sign\src\ResourceManager\Resources\Commands.ResourceManager\Cmdlets\Implementation\CmdletBase\ResourceManagerCmdletBase.cs:line 156
                    at System.Management.Automation.CommandProcessorBase.Complete()
HelpLink       :
Source         : Microsoft.Azure.Commands.ResourceManager.Cmdlets
HResult        : -2147467261


@pburkholder

pburkholder commented Mar 24, 2017

https://meet.tsa.dhs.gov/sajai.raj/F581SS15

Hello Peter,

I find the information interesting. Here’s a bit of information as to why:

• The error, as documented on the GitHub issue states as follows:

Message        : Exception has been thrown by the target of an invocation.
Data           : {}
InnerException : System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS 
                 validated cryptographic algorithms.
                    at System.Security.Cryptography.SHA256Managed..ctor()
TargetSite     : System.Object InvokeMethod(System.Object, System.Object[], System.Signature, Boolean)
StackTrace     :    at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, 
                 Boolean constructor)
                    at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, 
                 Object[] parameters, CultureInfo culture)
                    at System.Security.Cryptography.CryptoConfig.CreateFromName(String name, Object[] args)
                    at System.Security.Cryptography.SHA256.Create()
                    at Microsoft.WindowsAzure.Commands.Common.MetricHelper.GenerateSha256HashString(String originInput)
                    at Microsoft.Azure.Commands.ResourceManager.Common.AzureRMCmdlet.InitializeQosEvent()
                    at Microsoft.WindowsAzure.Commands.Utilities.Common.AzurePSCmdlet.BeginProcessing()
                    at Microsoft.Azure.Commands.Profile.GetAzureRMSubscriptionCommand.BeginProcessing()
                    at System.Management.Automation.Cmdlet.DoBeginProcessing()
                    at System.Management.Automation.CommandProcessorBase.DoBegin()

• SHA256Managed is a class that implements SHA256 within .NET code. This algorithm wasn’t submitted to pass FIPS validation.
• Hence the error above states that the constructor threw exception.
• The source code can be reviewed here: https://referencesource.microsoft.com/#mscorlib/system/security/cryptography/sha256managed.cs,32
• It checks for a property called AllowOnlyFipsAlgorithms and if true, throws that exception.
• The source code for that property can be seen here: https://referencesource.microsoft.com/#mscorlib/system/security/cryptography/cryptoconfig.cs,60dba5f3579c03b5
• For OS’s with Major version greater than 6, it will call bcrypt32.dll’s BCryptGetFipsAlgorithmMode (documented here: https://msdn.microsoft.com/en-us/library/windows/desktop/aa375460(v=vs.85).aspx)
• Because this algorithm is a .NET algorithm, the algorithm will be the same for any Operating System as long as the .NET versions are identical on the servers compared.
• Basically SHA256Managed’s implementation is not entirely OS dependent except for the initial OSVersion check.
• On our FIPS 140-2 documentation (https://technet.microsoft.com/en-us/library/cc750357.aspx) we state that for Windows Server 2008 R2 and later we maintain FIPS 140-2 validation on bcryptprimitives.dll and cng.sys modules. This includes Server 2016.
• This means that the modules validated for FIPS 140-2 Server 2012 R2 are the same for Server 2016.
• I tried my best to mimic that check (except for the enforceFipsPolicy) in the following PowerShell:
• Is there a chance you run this in both environments and verify its return value? (After running the code above in PowerShell, run Get-FIPSEnabled)
• I haven’t tried this on a FIPS-enabled OS yet, but if it returns True for the non-working environment, I may save this cmdlet for future use.

function Get-FIPSEnabled {
    process {

        $retVal = $false

        if([System.Environment]::OSVersion.Version.Major -ge 6) {

            $type = [System.Type]::GetType("Microsoft.Win32.Win32Native")
            $bindingFlags = [System.Reflection.BindingFlags]::Static -bor [System.Reflection.BindingFlags]::NonPublic
            $method = [System.Reflection.MethodInfo]$type.GetMethod("BCryptGetFipsAlgorithmMode", $bindingFlags)
            
            $parameters = @($null)
            $policyReadStatus = $method.Invoke($null, $parameters)
            $readPolicy = $policyReadStatus -eq 0x00000000 -or $policyReadStatus -eq 0xC0000034

            $retval = (-not $readPolicy -or $parameters[0])
        }
        else {
            try {
                $fipsKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("System\CurrentControlSet\Control\Lsa", $false)
                try {
                   if($fipsKey -eq $null) {
                        $retVal = $false
                   }
                   else {
                        $regdata = $fipsKey.GetValue("FIPSAlgorithmPolicy")
                        if($regdata -eq $null) {
                            $retVal = $false
                        }
                        elseif ($fipsKey.GetValueKind("FIPSAlgorithmPolicy") -ne 4) {
                            $retVal = $true
                        } else {
                            $retVal = ([System.Int32]$regdata -ne 0)
                        }
                   }
                }
                finally {
                    if($fipsKey -ne $null) {
                        $fipsKey.Close();
                        $fipsKey.dispose();
                    }
                }
            }
            catch [System.Security.SecurityException] {
                $retVal = $true
            }
        }

        return $retVal
    }
}

@pburkholder

I have to conclude the FIPS-mode enforcement is broken on Win2016/Win10Anniv edition.

The SHA256Managed code, https://referencesource.microsoft.com/#mscorlib/system/security/cryptography/sha256managed.cs,32 reads:

#if FEATURE_CRYPTO
            if (CryptoConfig.AllowOnlyFipsAlgorithms)
                throw new InvalidOperationException(Environment.GetResourceString("Cryptography_NonCompliantFIPSAlgorithm"));
            Contract.EndContractBlock();
#endif // FEATURE_CRYPTO
