1

I'm doing some testing regarding FIPS validation with an application that currently isn't. I am able to disable FIPS so the application can start up, and then I enable FIPS while using the application.

The thing is, some of the functionality that I would expect not to work is working, so I am wondering why this is. Are the classes that use FIPS not validated if they were already instantiated when FIPS was disabled?

jww
Eton B.

2 Answers

3

At least for classes in System.Security.Cryptography, the check for FIPS policy enforcement happens at object instantiation time.

Sean U
  • Thanks, that's what I was leaning towards. Do you have a source you can link? – Eton B. Dec 05 '11 at 22:56
  • @EtonB. - [reference sourcecode](http://referencesource.microsoft.com/netframework.aspx) – ordag Dec 05 '11 at 23:05
  • @Sean U, I agree with your answer. Do you know if it is possible that the garbage collector isn't disposing of those instances? – celerno Dec 05 '11 at 22:55
  • @ETon B. It's in the docs. e.g., [MD5CryptoServiceProvider](http://msdn.microsoft.com/en-us/library/system.security.cryptography.md5cryptoserviceprovider.aspx) mentions FIPS in its ctor's exception list, but not in the exception lists for its other methods. – Sean U Dec 05 '11 at 23:18
0

As @Sean U said, that validation happens at instantiation time, but, as I said, after you create an instance of one of these objects this validation is not happening anymore.

I'm not sure if it is because of GC or a static value set on these crypto classes inside .NET.

celerno
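Because the answers above place the FIPS check in the constructor, toggling the policy while the application runs is a poor test; a more reliable audit is to try constructing each crypto type the application uses in a fresh process started with the policy already enabled. The following is an added example, not code from the thread or from Microsoft; it assumes .NET Framework, and the candidate list and the class name `FipsInstantiationProbe` are chosen here for illustration.

```csharp
using System;
using System.Reflection;
using System.Security.Cryptography;

static class FipsInstantiationProbe
{
    // Candidate list is an assumption for illustration; substitute the types your application uses.
    static readonly Type[] Candidates =
    {
        typeof(MD5CryptoServiceProvider),
        typeof(SHA1Managed),
        typeof(SHA256Managed),
        typeof(RijndaelManaged),
        typeof(SHA1CryptoServiceProvider),
        typeof(SHA256CryptoServiceProvider),
        typeof(AesCryptoServiceProvider),
    };

    // Returns null if the parameterless constructor succeeds, otherwise the
    // type and message of the exception the constructor threw.
    static string TryConstruct(Type type)
    {
        try
        {
            object instance = Activator.CreateInstance(type);
            IDisposable disposable = instance as IDisposable;
            if (disposable != null) disposable.Dispose();
            return null;
        }
        catch (TargetInvocationException ex)
        {
            // Activator wraps constructor exceptions; a FIPS policy rejection
            // surfaces here as an InvalidOperationException.
            Exception inner = ex.InnerException ?? ex;
            return inner.GetType().Name + ": " + inner.Message;
        }
    }

    static int Main()
    {
        // The policy as this process sees it.
        Console.WriteLine("AllowOnlyFipsAlgorithms = " + CryptoConfig.AllowOnlyFipsAlgorithms);
        int blocked = 0;
        foreach (Type type in Candidates)
        {
            string error = TryConstruct(type);
            if (error != null) blocked++;
            Console.WriteLine("{0,-28} {1}", type.Name, error ?? "constructed");
        }
        return blocked == 0 ? 0 : 1; // non-zero exit if any type was rejected
    }
}
```

Run it once with the policy disabled and once with it enabled, each time in a new process, and compare the two reports.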