Skip to content

Fix: Replace blake2b with FIPS-compatible hash fallback to support secure environments #2357

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Fix: Replace blake2b with FIPS-compatible hash fallback to support secure environments #2357

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
005f296
soda connect to trino using a self-signed certificate
Jul 25, 2025
8ee3d7a
Fix: FIPS-safe fallback for blake2b
Jul 31, 2025
51c1031
[pre-commit.ci] auto fixes from pre-commit.com hooks
pre-commit-ci[bot] Jul 31, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 27 additions & 0 deletions soda/core/soda/common/hash_utils.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
import hashlib


def fips_safe_hasher(digest_size: int):
"""
Returns a hash object that mimics hashlib.blake2b.
Falls back to hashlib.sha256 with truncation if blake2b is unavailable (e.g., in FIPS mode).
"""
try:
return hashlib.blake2b(digest_size=digest_size)
except (TypeError, ValueError, AttributeError):

class TruncatedSHA256:
def __init__(self):
self._hasher = hashlib.sha256()
self.digest_size = digest_size

def update(self, data):
self._hasher.update(data)

def digest(self):
return self._hasher.digest()[: self.digest_size]

def hexdigest(self):
return self._hasher.hexdigest()[: self.digest_size * 2]

return TruncatedSHA256()
5 changes: 4 additions & 1 deletion soda/core/soda/execution/identity.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@
from numbers import Number
from typing import Optional

from soda.common.hash_utils import fips_safe_hasher


class Identity:
@staticmethod
Expand Down Expand Up @@ -63,7 +65,8 @@ def __init__(self, hash_string_length: int = 8):
def get_blake2b(self) -> blake2b:
# Lazy initialization of blake2b in order to return None in the self.get_hash(self) in case nothing was added
if self.blake2b is None:
self.blake2b = blake2b(digest_size=int(self.hash_string_length / 2))
# self.blake2b = blake2b(digest_size=int(self.hash_string_length / 2))
self.blake2b = fips_safe_hasher(digest_size=int(self.hash_string_length / 2))
return self.blake2b

def add(self, value: Optional[str]):
Expand Down
2 changes: 2 additions & 0 deletions soda/trino/soda/data_sources/trino_data_source.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,6 +71,7 @@ def __init__(self, logs: Logs, data_source_name: str, data_source_properties: di
self.source = data_source_properties.get("source", trino.constants.DEFAULT_SOURCE)
self.http_headers = data_source_properties.get("http_headers", None)
self.client_tags = data_source_properties.get("client_tags", None)
self.verify_ssl = data_source_properties.get("verify_ssl", None)

def connect(self):
# Default to BasicAuthentication so we don't break current users.
Expand All @@ -96,6 +97,7 @@ def connect(self):
http_headers=self.http_headers,
source=self.source,
client_tags=self.client_tags,
verify=self.verify_ssl,
)

def regex_replace_flags(self) -> str:
Expand Down