1

I have a relatively large WinForms application that has been developed under Visual Studio 2013. I recently upgraded to Visual Studio 2015 on another computer and have been trying to get the project working under it.

My first issue/concern is that when I open the project for the first time in Visual Studio 2015 it does not ask me to "upgrade" the solution to Visual Studio 2015, it happily just opens the solution. I am used to having Visual Studio ask to "upgrade" the solution and create a new .sln file that is recognized as a, for example, Visual Studio 2013 solution instead of the old VS10 solution.

The actual issue I am facing is ~10 errors that seem to deal with cryptography. From what I can guess this has to do with the solution itself and what microsoft does with it in the background seeing as the most cryptography I use in the project is generating Guid.

An image of the errors enter image description here

The one other issue I have is that, as I am not used to, I cannot double click on the errors them self to be lead to where Visual Studio thinks they are occurring. Thus I am not sure what is generating them or where to go from here.

Any suggestions?

This is a Windows 7 installation on an older model Lenovo Thinkpad. I do not have admin privileges on this computer either.

EDIT: So far I have tried to add <enforceFIPSPolicy enabled="false"/> to the file Visual Studio 15 settings at C\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\Devenv.exe.config, though whenever I try to edit it (even after a fresh restart) the file is "always" opened by another program. So it seems I cannot edit the file to turn off FIPS for Visual Studio 15.

I am still open to suggestions or clues.

EDIT2: I have managed to get <enforceFIPSPolicy enabled="false"/> into the IDE settings with the help of IT (Using this article). Though this seems to do absolutely nothing, it seems that it is being ignored.

Another issue/clue here is that even if I create a brand new C# project in Visual Studio, when I try to compile I receive the same errors. So I have to assume that Visual Studio is using the SHA256 class somewhere "in the background". If I did have control over its usage I would try to implement @Kevin 's answer below.

I have found another possible solution on the web though I am not sure of its validity

VS 2012 now builds C# projects in a separate process that runs msbuild. The entry you added to devenv.exe.config (that worked for VS 2010) won't be seen by this process. You should add the same entry, namely to the config file for msbuild; typically that's found at c:\Windows\Microsoft.Net\Framework\v4.0.30319\msbuild.exe.config"

I will try to get this done when I have time for the .NET 4.5+ msbuild.exe.config files and report back.

KDecker
  • 6,928
  • 8
  • 40
  • 81
  • Do you mean Visual Studio 2015 or VS15? They're different products. VS15 is the one that's only available as a preview at the moment. I *suspect* you mean Visual Studio 2015... – Jon Skeet May 10 '16 at 19:06
  • 2
    Since VS 2012, the solution and project files have been backwards compatible, so there is no need to "upgrade" it. It may, upon saving, alter the file to add some metadata, but in general they are completely interchangeable. – Erik Funkenbusch May 10 '16 at 19:06
  • Ohh, I never realized there was a difference. Yes "VS15", moveover "VS" should be read as "Visual Studio" – KDecker May 10 '16 at 19:07
  • The error is clear in the message. If you had posted the actual text I could have quoted it - which is why not to use images – stuartd May 10 '16 at 19:07
  • @stuartd I do usually type them out. But.. well.. That was a bit for me. – KDecker May 10 '16 at 19:08
  • "SHA256 - The implementatoion is not part of the something something FIPS platform validated cryptographic algiorithms" – stuartd May 10 '16 at 19:09
  • Also, that's a single error, it just has a bunch of different lines in the stack trace. Are there 10 identical errors? Or are there more that are different? Or is this the entire error? – Erik Funkenbusch May 10 '16 at 19:09
  • [Related - Is there a keyed SHA256 hash algorithm that is FIPS compliant for .NET?](http://stackoverflow.com/questions/17862491/is-there-a-keyed-sha256-hash-algorithm-that-is-fips-compliant-for-net) – stuartd May 10 '16 at 19:10
  • Is this at least Windows 7 SP1? Or is it Windows 7 RTM? If not SP1, then the failure may be related the underlying platform. And having FIPS enabled. See https://support.microsoft.com/en-us/kb/811833 – Erik Funkenbusch May 10 '16 at 19:13
  • @ErikFunkenbusch I have to assume SP1 is installed, but I will need to check. – KDecker May 10 '16 at 19:15
  • @stuartd I am reading through that related question now. I do not have time right now to try to the workaround/fix mentioned, I will put and edit in the OP when I can try it out. – KDecker May 10 '16 at 19:16

2 Answers2

2

The solution I went with is outline here.

<enforceFIPSPolicy enabled="false"/> was added to a few files, namely

C:\Program Files (x86)\MSBuild\12.0\Bin\msbuild.exe.config
C:\Windows\Microsoft.Net\Framework\v4.0.30319\msbuild.exe.config
C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\IDE\Devenv.exe.config

Though I think the one that actually made it work was the first file.

KDecker
  • 6,928
  • 8
  • 40
  • 81
-1

You can't double click on the error and have it go to where the error is being thrown because it is being thrown inside the SHA256 class. If the FIPS compliance bit is set, any non-FIPS compliant .NET cryptography classes throw this error.

You have two choices to fix this...

First, you can just turn off the FIPS compliance bit on the machine where you are trying to run the app (not recommended).

Otherwise, you can update the code to use the FIPS compliant version of SHA256 (SHA256CryptoServiceProvider). This will require .NET Framework 3.5 or greater.

Kevin
  • 1,462
  • 9
  • 9
  • I am confused as to the second solution you offer. The machine in question has up to .NET 4.6.1 installed and the project itself targets .NET 4.5. I assume from that, that I am already using .NET 3.5 or greater. // As far as the first solution do you mean telling Visual Studio to ignore the issue (as outlined in this SO answer http://stackoverflow.com/questions/5034526/how-do-you-use-fips-validated-cryptographic-algorithms-with-visual-studio-2010-a/5034993#5034993) or to literally turn off FIPS compliance on the entire machine (which I am not sure how to do)? – KDecker May 11 '16 at 12:56
  • The first solution tells the OS not to raise the error in the first place (you are allowing execution of cryptography classes that do not use algorithms that are NIST certified as FIPS compliant). This is not recommended. The second solution is telling you to stop using the SHA256 class (which is not NIST certified as FIPS compliant) and, instead, use SHA256CryptoServiceProvider class which is NIST certified FIPS compliant. The reason I mentioned Framework 3.5 is that is when the FIPS compliant class became available in the .NET Framework. – Kevin May 11 '16 at 20:24
  • As a side note, the SHA256CryptoServiceProvider class in and of itself is not certified, it is a wrapper to the Windows CryptoAPI which is the only NIST certified FIPS 140-2 compliant set of cryptography algorithms available on a Windows OS. – Kevin May 11 '16 at 20:30
  • You are correct, the first solution is not an option. Though as for the second I am not the one using the SHA class, it seems to be Visual Studio in the background. If I create a brand new C# project it will not compile as a result of the same errors. From that I have to assume it is Visual Studio, but I have no idea where. // Can I replace the algorithms used apart from Visual Studio? – KDecker May 12 '16 at 12:38
  • Looking closer at the stacklist, it seems that CodeAnalysis is calling SHA256Managed, which is in turn calling SHA256. Try turning off CodeAnalysis in your MSBuild script and see if it compiles. – Kevin May 12 '16 at 12:57
  • I also see the build script is calling ExecuteTool, it could be the tool that is called that is calling SHA256. – Kevin May 12 '16 at 13:02
  • Hmm, I will have to try that out. I also made another edit to the OP if you could comment on the other possible solution that I've found? – KDecker May 12 '16 at 13:10
  • It seems that should work. Essentially by putting the FIPS disable in the config for MSBuild it only temporarily disables it for that specific run of MSBuild. Make sure you read to the end of the comments, the next to the last one seems to be the key to fixing the problem. – Kevin May 12 '16 at 13:54
  • Another thing you might try, here we went from VS2010 to VS2013 and never had the problem. If it is available to you, you could go ahead and upgrade to VS2013. – Kevin May 12 '16 at 13:57
  • I currently am using VS2013 upgrading to VS2015. – KDecker May 12 '16 at 14:10
  • The error is coming from somewhere in MSBuild or an executable called by it. You can't just rebuild all that to be FIPS compliant. -1. Also, VS causes MSBuild to call the Code Analysis tool regardless of whether it's off in the project or not. – jpmc26 Jul 29 '16 at 16:54