Change hashing algorithm in webpack

Webpack internally defaults to md4 hashing because it is fast. Similarly some loaders (e.g. cache-loader) use md5. This is generally no problem because they are mainly used for file hashes and nothing cryptography related. Unfortunately FIPS enabled versions of node do not allow to use these hasing algorithms because they are considered broken by cryptographic standards. All of these cryptographic functions come from openssl. So if one uses md4 or md5 on a FIPS enabled system, the webpack process will error. Luckily we can just monkey-patch the createHash function in node in order to use another algorithm. Thanks to this comment: https://github.com/webpack/webpack/issues/13572#issuecomment-923736472 See also: https://gitlab.com/gitlab-org/gitlab/-/issues/322883 Changelog: changed

Change hashing algorithm in webpack
Webpack internally defaults to md4 hashing because it is fast. Similarly some loaders (e.g. cache-loader) use md5. This is generally no problem because they are mainly used for file hashes and nothing cryptography related. Unfortunately FIPS enabled versions of node do not allow to use these hasing algorithms because they are considered broken by cryptographic standards. All of these cryptographic functions come from openssl. So if one uses md4 or md5 on a FIPS enabled system, the webpack process will error. Luckily we can just monkey-patch the createHash function in node in order to use another algorithm. Thanks to this comment: https://github.com/webpack/webpack/issues/13572#issuecomment-923736472 See also: https://gitlab.com/gitlab-org/gitlab/-/issues/322883 Changelog: changed
8d42ec95 · Lukas 'Eipi' Eipert · Mike Greiling · f8040dc5 · 8d42ec95 · 8d42ec95
Commit 8d42ec95 authored Jan 19, 2022 by Lukas 'Eipi' Eipert Committed by Mike Greiling Jan 19, 2022
Showing with 27 additions and 3 deletions

config/helpers/patched_crypto.js config/helpers/patched_crypto.js +22 -0

config/helpers/vendor_dll_hash.js config/helpers/vendor_dll_hash.js +2 -2

config/webpack.config.js config/webpack.config.js +3 -1

No files found.
--- a/config/helpers/patched_crypto.js
+++ b/config/helpers/patched_crypto.js
+/**
+ * Webpack 4 uses md4 internally because it is fast.
+ * Some loaders also use md5 directly.
+ * It is not available systems with FIPS enabled node.
+ *
+ * This is a hack to monkey patch the crypto function to use
+ * another algorithm if md4 or md5 is expected.
+ *
+ * https://github.com/webpack/webpack/issues/13572#issuecomment-923736472
+ *
+ * This hack can be removed once we upgrade to webpack v5 as
+ * it includes native support for configuring hash options:
+ * https://github.com/webpack/webpack/pull/14306
+ */
+const crypto = require('crypto');
+
+const cryptoHashOriginal = crypto.createHash;
+
+crypto.createHash = (algorithm) =>
+  cryptoHashOriginal(['md4', 'md5'].includes(algorithm) ? 'sha256' : algorithm);
+
+module.exports = crypto;
--- a/config/helpers/vendor_dll_hash.js
+++ b/config/helpers/vendor_dll_hash.js
-const crypto = require('crypto');
 const fs = require('fs');
 const path = require('path');
+const crypto = require('./patched_crypto');

 const CACHE_PATHS = [
  './config/webpack.config.js',
@@ -11,7 +11,7 @@ const CACHE_PATHS = [

 const resolvePath = (file) => path.resolve(__dirname, '../..', file);
 const readFile = (file) => fs.readFileSync(file);
-const fileHash = (buffer) => crypto.createHash('md5').update(buffer).digest('hex');
+const fileHash = (buffer) => crypto.createHash('sha256').update(buffer).digest('hex');

 module.exports = () => {
  const fileBuffers = CACHE_PATHS.map(resolvePath).map(readFile);

--- a/config/webpack.config.js
+++ b/config/webpack.config.js
-const crypto = require('crypto');
+// eslint-disable-next-line import/order
+const crypto = require('./helpers/patched_crypto');
+
 const fs = require('fs');
 const path = require('path');