search

oven-sh / bun

Incredibly fast JavaScript runtime, bundler, test runner, and package manager – all in one
https://bun.sh
Other
73.01k stars 2.66k forks source link

FIPS Support #4869

Open andymac4182 opened 12 months ago

andymac4182 commented 12 months ago

What is the problem this feature would solve?

More and more customers are looking for the better security guarantees of FIPS modes.

It would be great if Bun could support FIPS mode.

What is the feature you are proposing to solve the problem?

A FIPS complaint build using BoringSSL with FIPS mode turned on

What alternatives have you considered?

Building a fork with BoringSSL with FIPS mode but would be a lot of work to maintain.

Elzair commented 12 months ago

I notice that bun seems to use OpenSSL, which can be FIPS compliant (depending on the system). Is there a way to configure bun to use the system's OpenSSL implementation?

Nevermind, bun just uses boringssl, which is a fork of OpenSSL, which is why the keyword "openssl" is littered throughout the codebase.

billywhizz commented 9 months ago

somewhat related. am i correct in my understanding that this is current ssl used by bun? this seems to be a fork of boringssl from a year ago. :thinking:

also, google strongly recommend not using boringssl on their landing page mostly because they reserve right to introduce breaking changes. i am not well up on these issues. is it a good idea to use boringssl at all? what are the benefits? perf?

also, related.

giraffesyo commented 6 months ago

Also would like to see setFips, getFips, and —force-fips implemented.

In node one benefit is you can use OpenSSL provider model and you don’t need to recompile node to use FIPS crypto.

On the topic of boring, in the golang compiler they have a compile flag you can set which enables you to import import _ "crypto/tls/fipsonly" and will also allow you to use the bundled boringssl with the compiler.

Doing either of those doesn’t prove you’re using validated modules though, and you can only ensure you are by compiling the go toolset with the specific commit of boring that has the validation listed in CMVP security policy for boring.

This may be a route for bun, where to have fips compliant software you just use a flag (e.g. the existing node.js —force-fips flag) or if you need a fips validated implementation you compile bun with the specific boring ssl/ boring crypto which has been validated.

Alternatively, if OpenSSL 3 is supported people can use the provider model there too. I’m not sure if Boring has the concept of providers haven’t dug into that.