ASP.NET Core 10 Data Protection has cryptographic errors on Ubuntu 22.04 with FIPS enabled

[michaelwildvarian]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

ASP.NET Core applications that use the Data Protection APIs (e.g. by using the session middleware), fail with cryptographic operation errors on Ubuntu 22.04 if FIPS mode is enabled. The same code works fine with .NET 8.

Expected Behavior

The application should work and not produce cryptographic operation errors.

Steps To Reproduce

Preparation

• Install VM with Ubuntu 22.04.5 LTS. Minimal install is sufficient. Link to installer ISO: https://releases.ubuntu.com/jammy/ubuntu-22.04.5-desktop-amd64.iso
• Update the system: sudo apt update && sudo apt upgrade
• Add the .NET backports PPA: sudo add-apt-repository ppa:dotnet/backports
• Install .NET 10 SDK: sudo apt install dotnet-sdk-10.0
• Create a minimal webapi project:

  mkdir DotnetFipsIssue
  cd DotnetFipsIssue
  dotnet new webapi

• Modify Program.cs as follows:

  // Right after: var builder = WebApplication.CreateBuilder(args);
  builder.Services
    .AddDistributedMemoryCache()
    .AddSession();
  
  // SNIP ... SNAP
  
  // Right after: var app = builder.Build();
  app.UseSession();

Test without FIPS enabled

• Start the application: dotnet run --launch-profile https
• From another terminal, call: curl -k https://localhost:5000/weatherforecast
  (replace with the correct port as displayed by the dotnet run command)
• Observe that the curl command displays the weather forecast as expected and
  the application runs without errors.

Test with FIPS enabled

• Now attach the VM to Ubuntu Pro and enable FIPS mode:

  sudo pro attach --no-auto-enable
  sudo pro enable fips-updates

• Once completed successfully, reboot the VM: sudo reboot
• After the reboot, verify that FIPS mode is enabled:

  cat /proc/sys/crypto/fips_enabled

  It should return 1.
• Start the application again:

  cd DotnetFipsIssue
  dotnet run --launch-profile https

• Observe that the application displays a lot of warnings related to cryptographic operations, starting with:

  warn: Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver[12]
        Key {75b3f7e0-199b-439b-a57c-22ca16d0ea3e} is ineligible to be the default key because its CreateEncryptor method failed after the maximum number of retries.
        System.AggregateException: One or more errors occurred. (Error occurred during a cryptographic operation.) (Error occurred during a cryptographic operation.) (Error occurred during a cryptographic operation.) (Error occurred during a cryptographic operation.) (Error occurred during a cryptographic operation.) (Error occurred during a cryptographic operation.) (Error occurred during a cryptographic operation.) (Error occurred during a cryptographic operation.) (Error occurred during a cryptographic operation.) (Error occurred during a cryptographic operation.) (Error occurred during a cryptographic operation.)
         ---> System.Security.Cryptography.CryptographicException: Error occurred during a cryptographic operation.
           at Interop.Crypto.HmacOneShot(IntPtr type, ReadOnlySpan`1 key, ReadOnlySpan`1 source, Span`1 destination)
  # SNIP ... SNAP
  

• From another terminal, call: curl -k https://localhost:5000/weatherforecast
  (replace with the correct port as displayed by the dotnet run command)
• Observe that the curl command fails, displaying the developer error details and that the application logs show:

  fail: Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware[1]
    An unhandled exception has occurred while executing the request.
    System.Security.Cryptography.CryptographicException: Error occurred during a cryptographic operation.
       at Microsoft.AspNetCore.DataProtection.SP800_108.ManagedSP800_108_CTR_HMACSHA512.DeriveKeys(ReadOnlySpan`1 kdk, ReadOnlySpan`1 label, ReadOnlySpan`1 contextHeader, ReadOnlySpan`1 contextData, Span`1 operationSubkey, Span`1 validationSubkey, HashAlgorithm prf)
       at Microsoft.AspNetCore.DataProtection.Managed.ManagedAuthenticatedEncryptor.CreateContextHeader()
       at Microsoft.AspNetCore.DataProtection.Managed.ManagedAuthenticatedEncryptor..ctor(Secret keyDerivationKey, Func`1 symmetricAlgorithmFactory, Int32 symmetricAlgorithmKeySizeInBytes, Func`1 validationAlgorithmFactory, IManagedGenRandom genRandom)
       at Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptorFactory.CreateAuthenticatedEncryptorInstance(ISecret secret, ManagedAuthenticatedEncryptorConfiguration configuration)
       at Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptorFactory.CreateAuthenticatedEncryptorInstance(ISecret secret, AuthenticatedEncryptorConfiguration authenticatedConfiguration)
       at Microsoft.AspNetCore.DataProtection.KeyManagement.Key.CreateEncryptor()
       at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRing.KeyHolder.GetEncryptorInstance(Boolean& isRevoked)
       at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRing.get_DefaultAuthenticatedEncryptor()
       at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Protect(Byte[] plaintext)
       at Microsoft.AspNetCore.Session.CookieProtection.Protect(IDataProtector protector, String data)
       at Microsoft.AspNetCore.Session.SessionMiddleware.Invoke(HttpContext context)
       at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context)
  

Exceptions (if any)

System.Security.Cryptography.CryptographicException: Error occurred during a cryptographic operation.
     at Microsoft.AspNetCore.DataProtection.SP800_108.ManagedSP800_108_CTR_HMACSHA512.DeriveKeys(ReadOnlySpan`1 kdk, ReadOnlySpan`1 label, ReadOnlySpan`1 contextHeader, ReadOnlySpan`1 contextData, Span`1 operationSubkey, Span`1 validationSubkey, HashAlgorithm prf)
     at Microsoft.AspNetCore.DataProtection.Managed.ManagedAuthenticatedEncryptor.CreateContextHeader()
     at Microsoft.AspNetCore.DataProtection.Managed.ManagedAuthenticatedEncryptor..ctor(Secret keyDerivationKey, Func`1 symmetricAlgorithmFactory, Int32 symmetricAlgorithmKeySizeInBytes, Func`1 validationAlgorithmFactory, IManagedGenRandom genRandom)
     at Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptorFactory.CreateAuthenticatedEncryptorInstance(ISecret secret, ManagedAuthenticatedEncryptorConfiguration configuration)
     at Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.AuthenticatedEncryptorFactory.CreateAuthenticatedEncryptorInstance(ISecret secret, AuthenticatedEncryptorConfiguration authenticatedConfiguration)
     at Microsoft.AspNetCore.DataProtection.KeyManagement.Key.CreateEncryptor()
     at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRing.KeyHolder.GetEncryptorInstance(Boolean& isRevoked)
     at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRing.get_DefaultAuthenticatedEncryptor()
     at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Protect(Byte[] plaintext)
     at Microsoft.AspNetCore.Session.CookieProtection.Protect(IDataProtector protector, String data)
     at Microsoft.AspNetCore.Session.SessionMiddleware.Invoke(HttpContext context)
     at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context)

.NET Version

10.0.100

Anything else?

• .NET SDK version: 10.0.100
• Output of dotnet --info:

  .NET SDK:
   Version:           10.0.100
   Commit:            b0f34d51fc
   Workload version:  10.0.100-manifests.4eab3e0f
   MSBuild version:   18.0.2+b0f34d51f
  
  Runtime Environment:
   OS Name:     ubuntu
   OS Version:  22.04
   OS Platform: Linux
   RID:         ubuntu.22.04-x64
   Base Path:   /usr/lib/dotnet/sdk/10.0.100/
  
  .NET workloads installed:
  There are no installed workloads to display.
  Configured to use workload sets when installing new manifests.
  No workload sets are installed. Run "dotnet workload restore" to install a workload set.
  
  Host:
    Version:      10.0.0
    Architecture: x64
    Commit:       b0f34d51fc
  
  .NET SDKs installed:
    10.0.100 [/usr/lib/dotnet/sdk]
  
  .NET runtimes installed:
    Microsoft.AspNetCore.App 10.0.0 [/usr/lib/dotnet/shared/Microsoft.AspNetCore.App]
    Microsoft.NETCore.App 10.0.0 [/usr/lib/dotnet/shared/Microsoft.NETCore.App]
  
  Other architectures found:
    None
  
  Environment variables:
    DOTNET_BUNDLE_EXTRACT_BASE_DIR           [/home/mwild/.cache/dotnet_bundle_extract]
  
  global.json file:
    Not found
  
  Learn more:
    https://aka.ms/dotnet/info
  
  Download .NET:
    https://aka.ms/dotnet/download
  

[michaelwildvarian]

Note that when explicitly specifying AES_256_GCM as encryption algorithm

builder.Services
    .AddDataProtection()
    .UseCryptographicAlgorithms(
        new AuthenticatedEncryptorConfiguration()
        {
          EncryptionAlgorithm = EncryptionAlgorithm.AES_256_GCM,
        });

things work. However, any CBC algorithm fails, no matter what validation algorithm is specified.

[DeagleGross]

I've reproduced the issue on Ubuntu with FIPS enabled, thanks for posting this @michaelwildvarian ! PR is attached, if you can try it out - let me know if you spot any problems.

[wildmichael]

Many thanks, @DeagleGross ! Unfortunately I had no spare bandwidth to try out the fix in your PR.

[DeagleGross]

Backported the fix to .NET10 - should be available in one of the next following patches.