Webpack Hash is not FIPS-Compliant

[BurntCoffee543]

Bug report

What is the current behavior?
Building on a FIPS-enabled system, the digest "md4" is not supported (and furthermore is not FIPS-compliant). Upon building, the following error is thrown...

UnhandledPromiseRejectionWarning: Error: Digest method not supported
    at new Hash (internal/crypto/hash.js:46:19)
    at Object.createHash (crypto.js:115:10)
    at module.exports (omitted_root_path/node_modules/webpack/lib/util/createHash.js:135:53)
    at ConcatenatedModule._createIdentifier (omitted_root_path/node_modules/webpack/lib/optimize/ConcatenatedModule.js:563:16)
    at new ConcatenatedModule (omitted_root_path/node_modules/webpack/lib/optimize/ConcatenatedModule.js:445:27)

The issue is that some of the modules have "md4" hardcoded in (unconfigurable) such as the ConcatenatedModule.

If the current behavior is a bug, please provide the steps to reproduce.
I cannot easily link a StackBlitz or GitHub repo as fips has to be enabled on the Node distribution. The following is the custom-webpack config...

const webpack = require('webpack');
 
module.exports = {
  output: {
    hashFunction: 'sha256'
  },
  plugins: [
    new webpack.HashedModuleIdsPlugin({
      hashFunction: 'sha256'
    })
  ]
};

What is the expected behavior?
For any use of a hash, there should be option to configure the underlying algorithm via the custom-webpack config. This StackOverflow post suggests a workaround of disabling the ConcatenatedModule, but any hardcoded hashing algorithm should be configurable so that they can run on FIPS-enabled systems.

Other relevant information:
webpack version: 4.44.2
Node.js version: 14.16.0
Operating System: RHEL

[alexander-akait]

Please update webpack to v5

[BurntCoffee543]

@alexander-akait I definitely plan to in the future, but I am currently limited by Angular 11 and @angular-builders/custom-webpack 11 which use Webpack 4 as its underlying dependency. Any advice for handling this?

[alexander-akait]

Only monkey patching webpack

[BurntCoffee543]

@alexander-akait We recently upgraded to Webpack 5.40.0 and are running into issues with the md4 hash in ChunkGraph.js and FileSystemInfo.js. Any way to handle this? Thanks!

[alexander-akait]

I want to say you need md4 support to work with webpack

[martinpitt]

This is an issue with the very latest webpack 5.53.0 as well. Fedora Rawhide/CentOS 9 stream/upcoming RHEL 9 switched to OpenSSL 3.0, which does not offer md4. So instead of thousands of projects figuring out the output.hashFunction hack by themselves, maybe it's time to just switch the default to sha256?

[martinpitt]

Also, merely setting output.hashFunction does not suffice at all. grep -r createHash.*md4 node_modules/webpack shows no less than 21 (!) places which hardcode an md4 hash. For example, in https://github.com/cockpit-project/starter-kit I get a crash in ChunkGraph:

node:internal/crypto/hash:67
  this[kHandle] = new _Hash(algorithm, xofLen);
                  ^

Error: error:0308010C:digital envelope routines::unsupported
    at new Hash (node:internal/crypto/hash:67:19)
    at Object.createHash (node:crypto:130:10)
    at BulkUpdateDecorator.hashFactory (/src/node_modules/webpack/lib/util/createHash.js:145:18)
    at BulkUpdateDecorator.digest (/src/node_modules/webpack/lib/util/createHash.js:80:21)
    at /src/node_modules/webpack/lib/ChunkGraph.js:1494:51
    at RuntimeSpecMap.provide (/src/node_modules/webpack/lib/util/runtime.js:495:33)
    at ChunkGraph._getModuleGraphHashBigInt (/src/node_modules/webpack/lib/ChunkGraph.js:1489:37)
    at /src/node_modules/webpack/lib/ChunkGraph.js:1517:27
    at RuntimeSpecMap.provide (/src/node_modules/webpack/lib/util/runtime.js:495:33)
    at ChunkGraph._getModuleGraphHashWithConnections (/src/node_modules/webpack/lib/ChunkGraph.js:1516:41) {
  opensslErrorStack: [ 'error:03000086:digital envelope routines::initialization error' ],
  library: 'digital envelope routines',
  reason: 'unsupported',
  code: 'ERR_OSSL_EVP_UNSUPPORTED'

[alexander-akait]

@martinpitt I see, PR welcome, should not hard

[alexander-akait]

Ideally we should respect hashFunction

[martinpitt]

In case someone else is blocked by this: I just added a hack to monkey-patch crypto.createHash() in webpack.config.js, which has the advantage that no static patches to node_modules/ are necessary:

const crypto = require("crypto");
const crypto_orig_createHash = crypto.createHash;
crypto.createHash = algorithm => crypto_orig_createHash(algorithm == "md4" ? "sha256" : algorithm);

This is an ugly, but working crutch until webpack gets updated.