gulpjs / v8flags

Get available v8 and Node.js flags.

Consider using SHA-256 over MD5 for the config file

silverwind opened this issue · comments

https://github.com/gulpjs/v8flags/blob/master/index.js#L19 contains an MD5 usage. When Node.js is built with FIPS compliance, that line triggers the error below because MD5 is disabled in those builds:

Error: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
    at new Hash (internal/crypto/hash.js:48:19)
    at Object.createHash (crypto.js:109:10)
    at Object.<anonymous> (node_modules/v8flags/index.js:19:89)

Consider using something more collision-resistant like SHA-256 instead.

@silverwind I'm down for that. I also assume our caching is fragile here because we are supposed to continue even if a cache error occurs, but that's a different problem.

It should be a simple swap of createHash('md5') to createHash('sha256'). SHA-256 hashes are a bit longer but you could just trim it down to the same size of MD5 if necessary using .substring(0,32) or similar.
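The swap described in the comment above, as an added example that is not part of the original thread and is not v8flags' own code. The function names `digestUsable`, `shortDigest` and `cacheFileName` and the sample inputs are hypothetical; only `createHash('sha256')` and `.substring(0, 32)` come from the thread.

```javascript
// Added example, not v8flags code. All function names here are hypothetical.
const crypto = require('crypto');

// True if this Node.js build will construct the digest. On a FIPS-enforcing
// build createHash('md5') throws (the error quoted in the issue), so probing
// turns a crash at module load time into a value the caller can act on.
function digestUsable(algorithm) {
  try {
    crypto.createHash(algorithm);
    return true;
  } catch (err) {
    return false;
  }
}

// SHA-256 hex digest cut to `length` characters. 32 hex characters is the
// length of an MD5 hex digest, so existing file-name layouts keep their width.
function shortDigest(input, length = 32) {
  return crypto.createHash('sha256').update(input, 'utf8').digest('hex').substring(0, length);
}

// Build a cache file name from the values that identify a cache entry.
// JSON.stringify keeps the parts unambiguous: ['ab', 'c'] and ['a', 'bc']
// would collide if the parts were simply concatenated before hashing.
function cacheFileName(parts, prefix = '.cache-') {
  return prefix + shortDigest(JSON.stringify(parts));
}

// Constructed sample inputs; what a real cache key should cover is up to the caller.
const sampleParts = [process.versions.v8, process.execPath];
console.log('FIPS mode enabled:', crypto.getFips() === 1);
console.log('md5 usable:       ', digestUsable('md5'));
console.log('sha256 usable:    ', digestUsable('sha256'));
console.log('cache file name:  ', cacheFileName(sampleParts));
```

Renaming the cache file this way only invalidates entries written under the old MD5-derived name; they are regenerated on the next run.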

This seems like a reasonable request - want to send a PR @silverwind ? Should be non-breaking.

Bump, I could really use this fix in a project. It is breaking the project when enforcing FIPS because MD5 is not FIPS compliant. @silverwind @phated