Webpack / babel / asset compilation is broken when FIPS mode is enabled
Summary
Webpack and babel use FIPS-forbidden hashing algorithms while doing their work, including MD4 and MD5. Node is dynamically linked to OpenSSL, so when FIPS mode is enabled, attempts to calculate those hashes fail.
This breaks all forms of asset compilation and serving in GDK, making it difficult to investigate further FIPS-related issues in the application.
Steps to reproduce
- Have a RHEL 8 installation with FIPS mode enabled (fips-mode-setup --enable)
- Install the GDK in that installation
- Visit the GDK installation in a web browser
What is the current bug behavior?
Webpack fails to compile the assets with an error like this:
internal/crypto/hash.js:46
this[kHandle] = new _Hash(algorithm, xofLen);
^
Error: error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS
at new Hash (internal/crypto/hash.js:46:19)
at Object.createHash (crypto.js:115:10)
at module.exports (/home/nick/gitlab-development-kit/gitlab/node_modules/webpack/lib/util/createHash.js:135:53)
at NormalModule._initBuildHash (/home/nick/gitlab-development-kit/gitlab/node_modules/webpack/lib/NormalModule.js:417:16)
at handleParseError (/home/nick/gitlab-development-kit/gitlab/node_modules/webpack/lib/NormalModule.js:471:10)
at /home/nick/gitlab-development-kit/gitlab/node_modules/webpack/lib/NormalModule.js:503:5
at /home/nick/gitlab-development-kit/gitlab/node_modules/webpack/lib/NormalModule.js:358:12
at /home/nick/gitlab-development-kit/gitlab/node_modules/loader-runner/lib/LoaderRunner.js:373:3
at iterateNormalLoaders (/home/nick/gitlab-development-kit/gitlab/node_modules/loader-runner/lib/LoaderRunner.js:214:10)
at Array.<anonymous> (/home/nick/gitlab-development-kit/gitlab/node_modules/loader-runner/lib/LoaderRunner.js:205:4)
at Storage.finished (/home/nick/gitlab-development-kit/gitlab/node_modules/enhanced-resolve/lib/CachedInputFileSystem.js:55:16)
at /home/nick/gitlab-development-kit/gitlab/node_modules/enhanced-resolve/lib/CachedInputFileSystem.js:91:9
at /home/nick/gitlab-development-kit/gitlab/node_modules/graceful-fs/graceful-fs.js:123:16
at FSReqCallback.readFileAfterClose [as oncomplete] (internal/fs/read_file_context.js:63:3) {
library: 'digital envelope routines',
function: 'EVP_DigestInit_ex',
reason: 'disabled for FIPS',
code: 'ERR_OSSL_EVP_DISABLED_FOR_FIPS'
}
A similar error is issued if you attempt to run rake gitlab:assets:compile
What is the expected correct behavior?
We should be able to compile and serve assets on a FIPS-enabled system. This is a prerequisite for building out FIPS support more generally - it's much easier to work on the application in the environment you're developing for. It will also be important for packaging the application.
Relevant logs and/or screenshots
Possible fixes
Webpack does allow the output hashFunction to be configured: https://webpack.js.org/configuration/output/#outputhashfunction
However, adding this to gitlab/config/webpack.config.js + gitlab/config/webpack.vendor.config.js didn't get webpack working. There are also at least a couple of other sites within webpack itself that unconditionally use the md4 hashing algorithm.
Hardcoding them all to use sha256 instead got me to similar-looking errors in babel-loader and monaco packages, among hundreds of others. I didn't look any further into those. It's possible they're all coming from similar code being used in babel-loader, but it's also possible that we use lots of node packages for compilation that just don't work when we're in FIPS mode.
2021-02-23_17:42:46.82355 webpack : ERROR in ./pages/dashboard/groups/index/index.js
2021-02-23_17:42:46.82355 webpack : Module build failed (from /home/nick/gitlab-development-kit/gitlab/node_modules/babel-loader/lib/index.js):
2021-02-23_17:42:46.82356 webpack : Error: error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS
2021-02-23_17:42:46.82356 webpack : at new Hash (internal/crypto/hash.js:46:19)
2021-02-23_17:42:46.82357 webpack : at Object.createHash (crypto.js:115:10)
2021-02-23_17:42:46.82358 webpack : at filename (/home/nick/gitlab-development-kit/gitlab/node_modules/babel-loader/lib/cache.js:94:23)
2021-02-23_17:42:46.82359 webpack : at /home/nick/gitlab-development-kit/gitlab/node_modules/babel-loader/lib/cache.js:120:39
2021-02-23_17:42:46.82362 webpack : at Generator.next (<anonymous>)
2021-02-23_17:42:46.82363 webpack : at asyncGeneratorStep (/home/nick/gitlab-development-kit/gitlab/node_modules/babel-loader/lib/cache.js:3:103)
2021-02-23_17:42:46.82363 webpack : at _next (/home/nick/gitlab-development-kit/gitlab/node_modules/babel-loader/lib/cache.js:5:194)
2021-02-23_17:42:46.82364 webpack : at /home/nick/gitlab-development-kit/gitlab/node_modules/babel-loader/lib/cache.js:5:364
2021-02-23_17:42:46.82364 webpack : at new Promise (<anonymous>)
2021-02-23_17:42:46.82366 webpack : at /home/nick/gitlab-development-kit/gitlab/node_modules/babel-loader/lib/cache.js:5:97
2021-02-23_17:42:46.82366 webpack : at handleCache (/home/nick/gitlab-development-kit/gitlab/node_modules/babel-loader/lib/cache.js:159:18)
2021-02-23_17:42:46.82367 webpack : at /home/nick/gitlab-development-kit/gitlab/node_modules/babel-loader/lib/cache.js:204:18
2021-02-23_17:42:46.82367 webpack : at Generator.next (<anonymous>)
2021-02-23_17:42:46.82367 webpack : at asyncGeneratorStep (/home/nick/gitlab-development-kit/gitlab/node_modules/babel-loader/lib/cache.js:3:103)
2021-02-23_17:42:46.82370 webpack : at _next (/home/nick/gitlab-development-kit/gitlab/node_modules/babel-loader/lib/cache.js:5:194)
2021-02-23_17:42:46.82370 webpack : at /home/nick/gitlab-development-kit/gitlab/node_modules/babel-loader/lib/cache.js:5:364
2021-02-23_17:42:46.82371 webpack : at new Promise (<anonymous>)
2021-02-23_17:42:46.82371 webpack : at /home/nick/gitlab-development-kit/gitlab/node_modules/babel-loader/lib/cache.js:5:97
2021-02-23_17:42:46.82371 webpack : at /home/nick/gitlab-development-kit/gitlab/node_modules/babel-loader/lib/cache.js:208:18
2021-02-23_17:42:46.82372 webpack : at Object.<anonymous> (/home/nick/gitlab-development-kit/gitlab/node_modules/babel-loader/lib/index.js:191:24)
2021-02-23_17:42:46.82372 webpack : at Generator.next (<anonymous>)
2021-02-23_17:42:46.82373 webpack : at asyncGeneratorStep (/home/nick/gitlab-development-kit/gitlab/node_modules/babel-loader/lib/index.js:3:103)
2021-02-23_17:42:46.82373 webpack : at _next (/home/nick/gitlab-development-kit/gitlab/node_modules/babel-loader/lib/index.js:5:194)
2021-02-23_17:42:46.82374 webpack : @ multi ./main ee/pages/dashboard/index.js ./pages/dashboard/groups/index/index.js pages.dashboard.groups.index[2]
2021-02-23_17:42:46.82374 webpack :
2021-02-23_17:42:46.82374 webpack : ERROR in error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS
2021-02-23_17:42:46.82375 webpack : Child vs/editor/editor:
2021-02-23_17:42:46.82377 webpack : Entrypoint main =
2021-02-23_17:42:46.82377 webpack : [uE4I] (webpack)/buildin/global.js 472 bytes {main} [built]
2021-02-23_17:42:46.82378 webpack : + 35 hidden modules
2021-02-23_17:42:46.82378 webpack :
2021-02-23_17:42:46.82378 webpack : ERROR in chunk main [entry]
2021-02-23_17:42:46.82379 webpack : editor.worker.js
2021-02-23_17:42:46.82379 webpack : /home/nick/gitlab-development-kit/gitlab/node_modules/monaco-editor/esm/vs/editor/common/core/range.js
2021-02-23_17:42:46.82380 webpack : error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS
2021-02-23_17:42:46.82380 webpack : Child vs/language/css/cssWorker:
2021-02-23_17:42:46.82381 webpack : Entrypoint main =
2021-02-23_17:42:46.82381 webpack : [uE4I] (webpack)/buildin/global.js 472 bytes {main} [built]
2021-02-23_17:42:46.82382 webpack : + 77 hidden modules
2021-02-23_17:42:46.82382 webpack :
2021-02-23_17:42:46.82382 webpack : ERROR in chunk main [entry]
2021-02-23_17:42:46.82383 webpack : css.worker.js
2021-02-23_17:42:46.82383 webpack : /home/nick/gitlab-development-kit/gitlab/node_modules/monaco-editor/esm/vs/language/css/_deps/vscode-css-languageservice/services/lintUtil.js
2021-02-23_17:42:46.82383 webpack : error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS
2021-02-23_17:42:46.82384 webpack : Child vs/language/html/htmlWorker:
2021-02-23_17:42:46.82386 webpack : Entrypoint main =
2021-02-23_17:42:46.82386 webpack : [uE4I] (webpack)/buildin/global.js 472 bytes {main} [built]
2021-02-23_17:42:46.82387 webpack : + 68 hidden modules
2021-02-23_17:42:46.82387 webpack :
2021-02-23_17:42:46.82388 webpack : ERROR in chunk main [entry]
2021-02-23_17:42:46.82388 webpack : html.worker.js
2021-02-23_17:42:46.82388 webpack : /home/nick/gitlab-development-kit/gitlab/node_modules/monaco-editor/esm/vs/editor/common/core/range.js
2021-02-23_17:42:46.82393 webpack : error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS
2021-02-23_17:42:46.82394 webpack : Child vs/language/json/jsonWorker:
2021-02-23_17:42:46.82394 webpack : Entrypoint main =
2021-02-23_17:42:46.82395 webpack : [uE4I] (webpack)/buildin/global.js 472 bytes {main} [built]
2021-02-23_17:42:46.82395 webpack : + 61 hidden modules
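To size the problem described under "Possible fixes" (call sites that hard-code md4 or md5 regardless of webpack's hashFunction setting), the following added example, which is not code from the issue, webpack or babel-loader, scans JavaScript source text for createHash() calls. The names findHashCalls, scanSources and NON_FIPS and the sample file names and contents are assumptions constructed for illustration.

```javascript
// Added example: locate createHash() call sites that will fail in FIPS mode.
// NON_FIPS lists the digests named in the issue; extend it for your own policy.
const NON_FIPS = new Set(["md4", "md5"]);

// A createHash(...) call that is not a "function createHash(...)" definition.
const CALL_RE = /(?<!function\s+)\bcreateHash\s*\(([^)]*)\)/g;
// Any quoted string literal inside the call's arguments.
const LITERAL_RE = /(["'`])([\w-]+)\1/g;

function findHashCalls(file, source) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    if (/^\s*(\/\/|\/?\*)/.test(text)) return; // ignore comment-only lines
    for (const call of text.matchAll(CALL_RE)) {
      const literals = [...call[1].matchAll(LITERAL_RE)].map((m) => m[2].toLowerCase());
      // No literal at all: the algorithm comes from a variable or option,
      // so the call needs manual review (reported as "dynamic").
      if (literals.length === 0) findings.push({ file, line: i + 1, alg: "dynamic" });
      // Hard-coded or default digests that FIPS mode rejects.
      for (const alg of literals.filter((a) => NON_FIPS.has(a))) {
        findings.push({ file, line: i + 1, alg });
      }
    }
  });
  return findings;
}

// files: object mapping file name -> file contents.
function scanSources(files) {
  return Object.entries(files).flatMap(([file, src]) => findHashCalls(file, src));
}

// Constructed sample input (not real package sources).
const SAMPLE = {
  "bundler/hash.js": [
    'const crypto = require("crypto");',
    '// createHash("md5") was replaced long ago',
    'module.exports = (alg) => crypto.createHash(alg || "md4");',
  ].join("\n"),
  "loader/cache.js": [
    'const hash = crypto.createHash("md5");',
    'const safe = crypto.createHash("sha256");',
    'const h = crypto.createHash(options.hashFunction);',
  ].join("\n"),
};

console.log(scanSources(SAMPLE));
```

To run it over a real tree, build the files object by reading each .js file under node_modules with fs.readFileSync. The line-based matching is a triage heuristic, so a call split across several lines will be missed.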