@mivds (Contributor) commented Aug 18, 2025

Resolves #2354

@mivds force-pushed the 2354/blake2b-optional branch from 653c43d to da9574d on August 18, 2025 19:57

@sumit-gupta-sgt

Hi @mivds, thank you for addressing the FIPS compatibility issue in soda-core by removing the digest_size argument from hashlib.blake2b(). This change is crucial for ensuring the library functions correctly in FIPS-enabled environments.

To further enhance compatibility and avoid potential issues with openssl_blake2b, I recommend implementing a fallback mechanism that attempts to use hashlib.blake2b() without the digest_size argument. If that fails, the system should gracefully fall back to hashlib.sha256() or return None if hashing isn't feasible. This approach ensures that the library remains functional across various environments, including those with strict cryptographic standards.

```python
import hashlib
from typing import Optional


def get_identity(data: str, digest_size: int = 16) -> Optional[str]:
    """
    Generate a FIPS-safe identity hash for the given data.

    - Uses blake2b with digest_size if supported.
    - Falls back to default blake2b if digest_size not supported.
    - Falls back to SHA256 if blake2b is unavailable (e.g., FIPS mode).
    - Returns None if no hash can be generated.
    """
    encoded_data = data.encode("utf-8")

    # Try blake2b with digest_size
    try:
        return hashlib.blake2b(encoded_data, digest_size=digest_size).hexdigest()
    except (AttributeError, TypeError, ValueError):
        # AttributeError is caught here too, so a missing blake2b still
        # reaches the later fallbacks instead of propagating.
        pass  # Likely FIPS/OpenSSL restriction

    # Try default blake2b
    try:
        return hashlib.blake2b(encoded_data).hexdigest()
    except (AttributeError, ValueError):
        pass  # Blake2b unavailable

    # Fallback to SHA256 (FIPS-safe)
    try:
        return hashlib.sha256(encoded_data).hexdigest()
    except Exception:
        pass  # Extremely unlikely

    # Return None if everything fails
    return None
```

Implementing this fallback mechanism will enhance the robustness of soda-core in diverse environments. Please let me know if you need assistance integrating this solution or if you have any questions.
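
The fallback order proposed in the comment above, run against three simulated environments, as an added example that is not part of the PR or of the thread. The injected constructor parameter, the stub `blake2b_without_digest_size` and the sample string are constructed for illustration; the run shows that each branch yields an identity of a different length and value.

```python
import hashlib
from typing import Callable, Dict, Optional


def identity_with_fallback(data: str, blake2b: Optional[Callable],
                           digest_size: int = 16) -> str:
    """Fallback order from the comment above. The blake2b constructor is
    passed in (an assumption of this example) so environments can be simulated."""
    raw = data.encode("utf-8")
    if blake2b is not None:
        try:
            return blake2b(raw, digest_size=digest_size).hexdigest()
        except (TypeError, ValueError):
            pass  # constructor rejects digest_size
        try:
            return blake2b(raw).hexdigest()
        except (TypeError, ValueError):
            pass  # constructor unusable
    return hashlib.sha256(raw).hexdigest()


def blake2b_without_digest_size(data: bytes = b"", **kwargs):
    """Constructed stand-in for a blake2b constructor that takes no keywords."""
    if kwargs:
        raise TypeError(f"unexpected keyword arguments: {sorted(kwargs)}")
    return hashlib.blake2b(data)


# Constructed environments: full blake2b, blake2b without digest_size, no blake2b.
ENVIRONMENTS: Dict[str, Optional[Callable]] = {
    "full_blake2b": hashlib.blake2b,
    "no_digest_size": blake2b_without_digest_size,
    "no_blake2b": None,
}


def identities_per_environment(data: str) -> Dict[str, str]:
    """Identity the same input would get in each simulated environment."""
    return {name: identity_with_fallback(data, ctor)
            for name, ctor in ENVIRONMENTS.items()}


if __name__ == "__main__":
    sample = "orders|row_count > 0"  # constructed sample input
    for name, ident in identities_per_environment(sample).items():
        print(f"{name:15} {len(ident):3} hex chars  {ident[:16]}...")
```

Identities stored or compared across hosts only match when every host takes the same branch.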

Comment on lines +88 to +89
if blake2b is None:
return
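
Review bot: the bare `return` under `if blake2b is None:` hands the caller an implicit None, and nothing in these two lines says why no identity was produced. Consider writing `return None` explicitly and adding a short comment or debug log naming the reason (blake2b not available), so that a missing identity can be told apart from a bug further down the line.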

What is the downside to none Identity?

Development

Successfully merging this pull request may close these issues.

Soda Core fails in FIPS-enabled environments due to use of hashlib.blake2b