Skip to content

Replace MD5 with SHA-256 for FIPS 140 compatibility#26

Merged
abhinavdangeti merged 2 commits intodepsfrom
fips
Jan 22, 2026
Merged

Replace MD5 with SHA-256 for FIPS 140 compatibility#26
abhinavdangeti merged 2 commits intodepsfrom
fips

Conversation

@CascadingRadium
Copy link
Copy Markdown
Member

@CascadingRadium CascadingRadium commented Jan 22, 2026
edited
Loading

Copilot AI reviewed Jan 22, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR replaces the MD5 hashing algorithm with SHA-256 to achieve FIPS 140 compliance in the levenshtein package. The change affects internal hashing logic used for deduplicating MultiState objects during DFA construction.

Changes:

  • Updated import from crypto/md5 to crypto/sha256
  • Modified hash map key size from [16]byte to [32]byte to accommodate SHA-256's 32-byte output
  • Replaced md5.Sum() with sha256.Sum256() and updated variable naming for clarity

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@CascadingRadium CascadingRadium changed the base branch from master to deps January 22, 2026 18:07
@CascadingRadium
Copy link
Copy Markdown
Member Author

CascadingRadium commented Jan 22, 2026

hi @abhinavdangeti, this as well - for the new vellum tag.

@abhinavdangeti
Copy link
Copy Markdown
Member

abhinavdangeti commented Jan 22, 2026

Would this work for in-place upgrades? Any API changes downstream on account of this?

@CascadingRadium
Copy link
Copy Markdown
Member Author

CascadingRadium commented Jan 22, 2026
edited
Loading

Hi @abhinavdangeti, I don't think this will cause any issue. We basically use the md5 library to calculate a hash for an FST path. The hash struct is basically an in-memory cache.

@abhinavdangeti abhinavdangeti merged commit 5decd2c into deps Jan 22, 2026
9 checks passed
@abhinavdangeti abhinavdangeti deleted the fips branch January 22, 2026 18:24
@abhinavdangeti abhinavdangeti mentioned this pull request Jan 22, 2026
Merged
abhinavdangeti added a commit that referenced this pull request Jan 22, 2026
@CascadingRadium @abhinavdangeti
Upgrade dependencies, pivot to crypto/sha256 for FIPS 140 compliance (
686aa63 
#25)

- Remove legacy vendor directory
- Upgrade dependencies - `bits-and-blooms/bitset`,
`blevesearch/mmap-go`, `spf13/cobra`
    - Requires: blevesearch/mmap-go#6 
- Fix README badges
- Replace `crypto/md5` with `crypto/sha256` for FIPS 140 compatibility
(#26)

---------

Co-authored-by: Abhinav Dangeti <abhinav@couchbase.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@abhinavdangeti abhinavdangeti Awaiting requested review from abhinavdangeti

@Thejas-bhat Thejas-bhat Awaiting requested review from Thejas-bhat

@Likith101 Likith101 Awaiting requested review from Likith101

@capemox capemox Awaiting requested review from capemox

@maneuvertomars maneuvertomars Awaiting requested review from maneuvertomars

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Go 1.24 FIPS-only mode panics

3 participants

@CascadingRadium @abhinavdangeti