Bump Go version to 1.25.1 (#5562)

* Bump Go version to 1.25.1

* Update CHANGELOG entry

* Bump the version of golangci-lint

* Remove references to the ms_tls13kdf build tag

* Download go module dependencies before GODEBUG=fips140=only is set

* Exclude X25519 curve types when testing in FIPS-140 mode

* Stricter check

* Add missing license header

* Exclude X25519 curve types when testing in FIPS-140-only mode

* Use stricter check

* Update NOTICE files

* Remove IsFIPS140Only helper function

* Set GODEBUG=tlsmlkem=0 for FIPS140-only unit tests

* Remove replace directive from go.mod

* Try not pre-downloading dependencies

Author: ycombinator

.github/workflows/golangci-lint.yml

@@ -39,7 +39,7 @@ jobs:
         uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9  # v8.0.0
         with:
           # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
-          version: v2.1.0
+          version: v2.5.0
 
           # Give the job more time to execute.
           # Regarding `--whole-files`, the linter is supposed to support linting of changed a patch only but,

.go-version

@@ -1 +1 @@
-1.24.7
+1.25.1

.golangci.yml

@@ -4,7 +4,7 @@ run:
   timeout: 1m
   build-tags:
     - integration
-  go: "1.24.7"
+  go: "1.25.1"
 
 issues:
   # Maximum count of issues with the same text.

changelog/fragments/1758819869-bump-golang-1.25.1.yaml

@@ -0,0 +1,32 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: enhancement
+
+# Change summary; a 80ish characters long description of the change.
+summary: Update Go to v1.25.1
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+#description:
+
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component: fleet-server
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+pr: https://github.com/elastic/fleet-server/pull/5562
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+#issue: https://github.com/owner/repo/1234

dev-tools/go.mod

@@ -1,6 +1,6 @@
 module github.com/elastic/fleet-server/dev-tools
 
-go 1.24.7
+go 1.25.1
 
 tool (
 	github.com/elastic/go-json-schema-generate/cmd/schema-generate

docs/fips.md

@@ -12,12 +12,12 @@ This toolchain must be present for local compilation.
 
 As we are using micrsoft/go as a base we follow their conventions.
 
-Our FIPS changes require the `requirefips` and `ms_tls13kdf` buildtags.
+Our FIPS changes require the `requirefips` build tag.
 When compiling `GOEXPERIMENT=systemcrypto` and `CGO_ENABLED=1` must be set.
 Additionally the `MS_GOTOOLCHAIN_TELEMETRY_ENABLED=0` env var is set to disable telemetry for [microsoft/go](https://github.com/microsoft/go).
 
 The `FIPS=true` env var is used by our magefile as the FIPS toggle.
-This env var applies to all targets, at a minimum the `requirefips` and `ms_tls13kdf` tags will be set.
+This env var applies to all targets, at a minimum the `requirefips` tag will be set.
 For targets that compile binaries, the `GOEXPERIMENT=systemcrypto` and `CGO_ENABLED=1` env vars are set.
 
 For developer conveniance, running `FIPS=true mage multipass` will provision a multipass VM with the Microsoft/go toolchain.

go.mod

@@ -1,6 +1,6 @@
 module github.com/elastic/fleet-server/v7
 
-go 1.24.7
+go 1.25.1
 
 require (
 	github.com/Pallinder/go-randomdata v1.2.0

magefile.go

@@ -326,7 +326,7 @@ var (
 			tags = append(tags, "snapshot")
 		}
 		if isFIPS() {
-			tags = append(tags, "requirefips", "ms_tls13kdf")
+			tags = append(tags, "requirefips")
 		}
 		return strings.Join(tags, ",")
 	})
@@ -486,7 +486,7 @@ func (Check) Notice() {
 // DetectFIPSCryptoImports will do a best effort attempt to ensure that the imports list for FIPS compatible artifacts does not contain any external crypto libraries.
 // Specifically it will fail if the modules list contains an entry with: "crypto", "gokrb5", or "pbkdf2"
 func (Check) DetectFIPSCryptoImports() error {
-	tags := []string{"requirefips", "ms_tls13kdf"}
+	tags := []string{"requirefips"}
 	mods, err := getModules(tags...)
 	if err != nil {
 		return err
@@ -514,7 +514,7 @@ func genNotice(fips bool) error {
 	outFile := "NOTICE.txt"
 	if fips {
 		log.Println("Generating NOTICE-fips.txt.")
-		tags = append(tags, "requirefips", "ms_tls13kdf")
+		tags = append(tags, "requirefips")
 		outFile = "NOTICE-fips.txt"
 	} else {
 		log.Println("Generating NOTICE.txt.")
@@ -1202,7 +1202,7 @@ func (Docker) CustomAgentImage() error {
 // Unit runs unit tests.
 // Produces a unit test output file, and test coverage file in the build directory.
 // SNAPSHOT adds the snapshot build tag.
-// FIPS adds the requirefips and ms_tls13kdf build tags.
+// FIPS adds the requirefips build tag.
 func (Test) Unit() error {
 	mg.Deps(mg.F(mkDir, "build"))
 	output, err := teeCommand(environMap(), "go", "test", "-tags="+getTagsString(), "-v", "-race", "-coverprofile="+filepath.Join("build", "coverage-"+runtime.GOOS+".out"), "./...")
@@ -1214,19 +1214,26 @@ func (Test) Unit() error {
 // This is done because mage may have issues when running with fips140=only set.
 // Produces a unit test output file, and test coverage file in the build directory.
 // SNAPSHOT adds the snapshot build tag.
-// FIPS adds the requirefips and ms_tls13kdf build tags.
+// FIPS adds the requirefips build tag.
 func (Test) UnitFIPSOnly() error {
 	mg.Deps(mg.F(mkDir, "build"))
+
+	// We also set GODEBUG=tlsmlkem=0 to disable the X25519MLKEM768 TLS key
+	// exchange mechanism; without this setting and with the GODEBUG=fips140=only
+	// setting, we get errors in tests like so:
+	// Failed to connect: crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
+	// Note that we are only disabling this TLS key exchange mechanism in tests!
 	env := environMap()
-	env["GODEBUG"] = "fips140=only"
+	env["GODEBUG"] = "fips140=only,tlsmlkem=0"
+
 	output, err := teeCommand(env, "go", "test", "-tags="+getTagsString(), "-v", "-race", "-coverprofile="+filepath.Join("build", "coverage-"+runtime.GOOS+".out"), "./...")
 	err = errors.Join(err, os.WriteFile(filepath.Join("build", "test-unit-fipsonly-"+runtime.GOOS+".out"), output, 0o644))
 	return err
 }
 
 // Integration provisions the integration test environment with docker compose, runs the integration tests, then destroys the environment.
 // SNAPSHOT runs integration tests with the snapshot build tag.
-// FIPS runs the integration tests the requirefips and ms_tls13kdf build tags.
+// FIPS runs the integration tests the requirefips build tag.
 func (Test) Integration() {
 	mg.SerialDeps(mg.F(mkDir, "build"), Test.IntegrationUp, Test.IntegrationRun, Test.IntegrationDown)
 }
@@ -1240,7 +1247,7 @@ func (Test) IntegrationUp() error {
 // Assumes that the integration test environment is up.
 // Produces an integration test output file in the build directory.
 // SNAPSHOT runs integration tests with the snapshot build tag.
-// FIPS runs the integration tests the requirefips and ms_tls13kdf build tags.
+// FIPS runs the integration tests the requirefips build tag.
 func (Test) IntegrationRun(ctx context.Context) error {
 	env, err := readEnvFile(filepath.Join("dev-tools", "integration", ".env"))
 	if err != nil {
@@ -1592,9 +1599,6 @@ func checkFIPSBinary(path string) error {
 			if !strings.Contains(setting.Value, "requirefips") {
 				return fmt.Errorf("requirefips tag not found in %s", setting.Value)
 			}
-			if !strings.Contains(setting.Value, "ms_tls13kdf") {
-				return fmt.Errorf("requirefips tag not found in %s", setting.Value)
-			}
 			continue
 		case "GOEXPERIMENT":
 			foundExperiment = true
@@ -1665,15 +1669,15 @@ func (Test) JunitReport() error {
 
 // All runs unit and integration tests and produces junit reports for all the tests.
 // SNAPSHOT adds the snapshot build tag.
-// FIPS adds the requirefips and ms_tls13kdf build tags.
+// FIPS adds the requirefips build tag.
 func (Test) All() {
 	mg.SerialDeps(mg.F(mkDir, "build"), Test.Unit, Test.Integration, Test.JunitReport)
 }
 
 // Benchmark runs the included benchmarks
 // Produces a benchmark file in the build directory.
 // SNAPSHOT adds the snapshot build tag.
-// FIPS adds the requirefips and ms_tls13kdf build tags.
+// FIPS adds the requirefips build tag.
 // BENCHMARK_FILTER can be used to filter what benchmarks run.
 // BENCHMARK_ARGS can be used to change what is being benchmarked. Default: -count=10 -benchtime=3s -benchmem.
 // BENCH_BASE can be used to change the output file name.

testing/go.mod

@@ -1,6 +1,6 @@
 module github.com/elastic/fleet-server/testing
 
-go 1.24.7
+go 1.25.1
 
 replace (
 	github.com/elastic/fleet-server/pkg/api => ../pkg/api