Bump Go version to 1.25.1 (#5562)

* Bump Go version to 1.25.1

* Update CHANGELOG entry

* Bump the version of golangci-lint

* Remove references to the ms_tls13kdf build tag

* Download go module dependencies before GODEBUG=fips140=only is set

* Exclude X25519 curve types when testing in FIPS-140 mode

* Stricter check

* Add missing license header

* Exclude X25519 curve types when testing in FIPS-140-only mode

* Use stricter check

* Update NOTICE files

* Remove IsFIPS140Only helper function

* Set GODEBUG=tlsmlkem=0 for FIPS140-only unit tests

* Remove replace directive from go.mod

* Try not pre-downloading dependencies

(cherry picked from commit 15b8c8a)

Author: ycombinator

.go-version

@@ -1 +1 @@
-1.24.7
+1.25.1

.golangci.yml

@@ -4,7 +4,7 @@ run:
   timeout: 1m
   build-tags:
     - integration
-  go: "1.24.7"
+  go: "1.25.1"
 
 issues:
   # Maximum count of issues with the same text.

changelog/fragments/1758819869-bump-golang-1.25.1.yaml

@@ -0,0 +1,32 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: enhancement
+
+# Change summary; a 80ish characters long description of the change.
+summary: Update Go to v1.25.1
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+#description:
+
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component: fleet-server
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+pr: https://github.com/elastic/fleet-server/pull/5562
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+#issue: https://github.com/owner/repo/1234

dev-tools/go.mod

@@ -1,6 +1,6 @@
 module github.com/elastic/fleet-server/dev-tools
 
-go 1.24.7
+go 1.25.1
 
 tool (
 	github.com/elastic/go-json-schema-generate/cmd/schema-generate

docs/fips.md

@@ -0,0 +1,97 @@
+# FIPS support
+
+**NOTE: FIPS Support is in-progress**
+
+The fleet-server can be built in a FIPS capable mode.
+This forces the use of a FIPS provider to handle any cryptographic calls.
+
+Currently FIPS is provided by compiling with the [microsoft/go](https://github.com/microsoft/go) distribution.
+This toolchain must be present for local compilation.
+
+## Build changes
+
+As we are using micrsoft/go as a base we follow their conventions.
+
+Our FIPS changes require the `requirefips` build tag.
+When compiling `GOEXPERIMENT=systemcrypto` and `CGO_ENABLED=1` must be set.
+Additionally the `MS_GOTOOLCHAIN_TELEMETRY_ENABLED=0` env var is set to disable telemetry for [microsoft/go](https://github.com/microsoft/go).
+
+The `FIPS=true` env var is used by our magefile as the FIPS toggle.
+This env var applies to all targets, at a minimum the `requirefips` tag will be set.
+For targets that compile binaries, the `GOEXPERIMENT=systemcrypto` and `CGO_ENABLED=1` env vars are set.
+
+For developer conveniance, running `FIPS=true mage multipass` will provision a multipass VM with the Microsoft/go toolchain.
+See [Multipass VM Usage](#multipass-vm-usage) for additional details.
+
+### Multipass VM Usage
+
+A Multipass VM created with `FIPS=true mage multipass` is able to compile FIPS enabled golang programs, but is not able to run them.
+When you try to run one the following error occurs:
+```
+GODEBUG=fips140=on ./bin/fleet-server -c fleet-server.yml
+panic: opensslcrypto: can't enable FIPS mode for OpenSSL 3.0.13 30 Jan 2024: openssl: FIPS mode not supported by any provider
+
+goroutine 1 [running]:
+crypto/internal/backend.init.1()
+	/usr/local/go/src/crypto/internal/backend/openssl_linux.go:85 +0x210
+```
+
+In order to be  able to run a FIPS enabled binary, openssl must have a fips provider.
+Openssl [provides instructions on how to do this](https://github.com/openssl/openssl/blob/master/README-FIPS.md).
+
+A TLDR for our multipass container is:
+
+1. Download and compile the FIPS provider for openssl in the VM by running:
+```
+wget https://github.com/openssl/openssl/releases/download/openssl-3.0.13/openssl-3.0.13.tar.gz
+tar -xzf openssl-3.0.13.tar.gz
+cd openssl-3.0.13
+./Configure enable-fips
+make test
+sudo make install_fips
+sudo openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module /usr/local/lib/ossl-modules/fips.so
+```
+
+2. Copy the `fips.so` module to the system library, in order to find the location run:
+```
+openssl version -m
+```
+
+On my VM I would copy the `fips.so` module with:
+```
+sudo cp /usr/local/lib/ossl-modules/fips.so /usr/lib/aarch64-linux-gnu/ossl-modules/fips.so
+```
+
+3. Create an openssl.cnf for the program to use with the contents:
+```
+config_diagnostics = 1
+openssl_conf = openssl_init
+
+.include /usr/local/ssl/fipsmodule.cnf
+
+[openssl_init]
+providers = provider_sect
+alg_section = algorithm_sect
+
+[provider_sect]
+fips = fips_sect
+base = base_sect
+
+[base_sect]
+activate = 1
+
+[algorithm_sect]
+default_properties = fips=yes
+```
+
+4. Run the program with the `OPENSSL_CONF=openssl.cnf` and `GODEBUG=fips140=on` env vars, i.e.,
+```
+OPENSSL_CONF=./openssl.cnf GODEBUG=fips140=on ./bin/fleet-server -c fleet-server.yml
+23:48:47.871 INF Boot fleet-server args=["-c","fleet-server.yml"] commit=55104f6f ecs.version=1.6.0 exe=./bin/fleet-server pid=65037 ppid=5642 service.name=fleet-server service.type=fleet-server version=9.0.0
+i...
+```
+
+## Usage
+
+Binaries produced with the `FIPS=true` env var will panic on startup if they cannot find a FIPS provider.
+The system/image is required to have a FIPS provider available.

go.mod

@@ -1,6 +1,6 @@
 module github.com/elastic/fleet-server/v7
 
-go 1.24.7
+go 1.25.1
 
 require (
 	github.com/Pallinder/go-randomdata v1.2.0

magefile.go

@@ -309,6 +309,12 @@ var (
 		if isSnapshot() {
 			tags = append(tags, "snapshot")
 		}
+<<<<<<< HEAD
+=======
+		if isFIPS() {
+			tags = append(tags, "requirefips")
+		}
+>>>>>>> 15b8c8a (Bump Go version to 1.25.1 (#5562))
 		return strings.Join(tags, ",")
 	})
 
@@ -453,11 +459,50 @@ func (Check) Notice() {
 	mg.SerialDeps(mg.F(genNotice))
 }
 
+<<<<<<< HEAD
 // genNotice generates the NOTICE.txt
 func genNotice() error {
 	tags := []string{}
 	outFile := "NOTICE.txt"
 	log.Println("Generating NOTICE.txt.")
+=======
+// DetectFIPSCryptoImports will do a best effort attempt to ensure that the imports list for FIPS compatible artifacts does not contain any external crypto libraries.
+// Specifically it will fail if the modules list contains an entry with: "crypto", "gokrb5", or "pbkdf2"
+func (Check) DetectFIPSCryptoImports() error {
+	tags := []string{"requirefips"}
+	mods, err := getModules(tags...)
+	if err != nil {
+		return err
+	}
+
+	args := append([]string{"list", "-m"}, mods...)
+	output, err := sh.Output("go", args...)
+	if err != nil {
+		return err
+	}
+	for _, line := range strings.Split(output, "\n") {
+		// keywords are crypto for x/crypto imports, gokrb5 for kerberos, and pbkdf2 for pbkdf2 generation
+		for _, keyword := range []string{"crypto", "gokrb5", "pbkdf2"} {
+			if strings.Contains(line, keyword) {
+				err = errors.Join(err, fmt.Errorf("Detected import %s may implement crypto functionality", line))
+			}
+		}
+	}
+	return err
+}
+
+// genNotice generates the NOTICE.txt or the NOTICE-fips.txt file.
+func genNotice(fips bool) error {
+	tags := []string{}
+	outFile := "NOTICE.txt"
+	if fips {
+		log.Println("Generating NOTICE-fips.txt.")
+		tags = append(tags, "requirefips")
+		outFile = "NOTICE-fips.txt"
+	} else {
+		log.Println("Generating NOTICE.txt.")
+	}
+>>>>>>> 15b8c8a (Bump Go version to 1.25.1 (#5562))
 
 	// Clean up modfile and download all needed files before building NOTICE
 	err := sh.Run("go", "mod", "tidy")
@@ -1072,15 +1117,46 @@ func (Docker) CustomAgentImage() error {
 // Unit runs unit tests.
 // Produces a unit test output file, and test coverage file in the build directory.
 // SNAPSHOT adds the snapshot build tag.
+<<<<<<< HEAD
+=======
+// FIPS adds the requirefips build tag.
+>>>>>>> 15b8c8a (Bump Go version to 1.25.1 (#5562))
 func (Test) Unit() error {
 	mg.Deps(mg.F(mkDir, "build"))
 	output, err := teeCommand(environMap(), "go", "test", "-tags="+getTagsString(), "-v", "-race", "-coverprofile="+filepath.Join("build", "coverage-"+runtime.GOOS+".out"), "./...")
 	err = errors.Join(err, os.WriteFile(filepath.Join("build", "test-unit-"+runtime.GOOS+".out"), output, 0o644))
 	return err
 }
 
+<<<<<<< HEAD
 // Integration provisions the integration test environment with docker compose, runs the integration tests, then destroys the environment.
 // SNAPSHOT runs integration tests with the snapshot build tag.
+=======
+// UnitFIPSOnly runs unit tests and injects GODEBUG=fips140=only into the environment.
+// This is done because mage may have issues when running with fips140=only set.
+// Produces a unit test output file, and test coverage file in the build directory.
+// SNAPSHOT adds the snapshot build tag.
+// FIPS adds the requirefips build tag.
+func (Test) UnitFIPSOnly() error {
+	mg.Deps(mg.F(mkDir, "build"))
+
+	// We also set GODEBUG=tlsmlkem=0 to disable the X25519MLKEM768 TLS key
+	// exchange mechanism; without this setting and with the GODEBUG=fips140=only
+	// setting, we get errors in tests like so:
+	// Failed to connect: crypto/ecdh: use of X25519 is not allowed in FIPS 140-only mode
+	// Note that we are only disabling this TLS key exchange mechanism in tests!
+	env := environMap()
+	env["GODEBUG"] = "fips140=only,tlsmlkem=0"
+
+	output, err := teeCommand(env, "go", "test", "-tags="+getTagsString(), "-v", "-race", "-coverprofile="+filepath.Join("build", "coverage-"+runtime.GOOS+".out"), "./...")
+	err = errors.Join(err, os.WriteFile(filepath.Join("build", "test-unit-fipsonly-"+runtime.GOOS+".out"), output, 0o644))
+	return err
+}
+
+// Integration provisions the integration test environment with docker compose, runs the integration tests, then destroys the environment.
+// SNAPSHOT runs integration tests with the snapshot build tag.
+// FIPS runs the integration tests the requirefips build tag.
+>>>>>>> 15b8c8a (Bump Go version to 1.25.1 (#5562))
 func (Test) Integration() {
 	mg.SerialDeps(mg.F(mkDir, "build"), Test.IntegrationUp, Test.IntegrationRun, Test.IntegrationDown)
 }
@@ -1094,6 +1170,10 @@ func (Test) IntegrationUp() error {
 // Assumes that the integration test environment is up.
 // Produces an integration test output file in the build directory.
 // SNAPSHOT runs integration tests with the snapshot build tag.
+<<<<<<< HEAD
+=======
+// FIPS runs the integration tests the requirefips build tag.
+>>>>>>> 15b8c8a (Bump Go version to 1.25.1 (#5562))
 func (Test) IntegrationRun(ctx context.Context) error {
 	env, err := readEnvFile(filepath.Join("dev-tools", "integration", ".env"))
 	if err != nil {
@@ -1419,6 +1499,59 @@ func unzip(sourceFile, destinationDir string) error {
 	return nil
 }
 
+<<<<<<< HEAD
+=======
+// checkFIPSBinary ensures the binary located at path has fips capable markers set.
+func checkFIPSBinary(path string) error {
+	log.Printf("Verifiying binary in %q for FIPS capable markers.", path)
+	info, err := buildinfo.ReadFile(path)
+	if err != nil {
+		return fmt.Errorf("unable to read buildinfo: %w", err)
+	}
+	var checkLinks, foundTags, foundExperiment bool
+
+	for _, setting := range info.Settings {
+		switch setting.Key {
+		case "-tags":
+			foundTags = true
+			if !strings.Contains(setting.Value, "requirefips") {
+				return fmt.Errorf("requirefips tag not found in %s", setting.Value)
+			}
+			continue
+		case "GOEXPERIMENT":
+			foundExperiment = true
+			if !strings.Contains(setting.Value, "systemcrypto") {
+				return fmt.Errorf("did not find GOEXPIRIMENT=systemcrypto")
+			}
+			continue
+		case "-ldflags":
+			if !strings.Contains(setting.Value, "-s") {
+				checkLinks = true
+				continue
+			}
+		}
+	}
+
+	if !foundTags {
+		return fmt.Errorf("did not find build tags")
+	}
+	if !foundExperiment {
+		return fmt.Errorf("did not find GOEXPERIMENT")
+	}
+	if checkLinks {
+		log.Println("Binary is not stripped, checking symbols table.")
+		output, err := sh.Output("go", "tool", "nm", path)
+		if err != nil {
+			return fmt.Errorf("go tool nm failed: %w", err)
+		}
+		if runtime.GOOS == "linux" && !strings.Contains(output, "OpenSSL_version") { // TODO may need different check for windows/darwin
+			return fmt.Errorf("failed to find OpenSSL symbol links within binary")
+		}
+	}
+	return nil
+}
+
+>>>>>>> 15b8c8a (Bump Go version to 1.25.1 (#5562))
 // JunitReport produces junit report files from test-output files in the build dir.
 func (Test) JunitReport() error {
 	return filepath.WalkDir("build", func(name string, d fs.DirEntry, err error) error {
@@ -1455,13 +1588,21 @@ func (Test) JunitReport() error {
 
 // All runs unit and integration tests and produces junit reports for all the tests.
 // SNAPSHOT adds the snapshot build tag.
+<<<<<<< HEAD
+=======
+// FIPS adds the requirefips build tag.
+>>>>>>> 15b8c8a (Bump Go version to 1.25.1 (#5562))
 func (Test) All() {
 	mg.SerialDeps(mg.F(mkDir, "build"), Test.Unit, Test.Integration, Test.JunitReport)
 }
 
 // Benchmark runs the included benchmarks
 // Produces a benchmark file in the build directory.
 // SNAPSHOT adds the snapshot build tag.
+<<<<<<< HEAD
+=======
+// FIPS adds the requirefips build tag.
+>>>>>>> 15b8c8a (Bump Go version to 1.25.1 (#5562))
 // BENCHMARK_FILTER can be used to filter what benchmarks run.
 // BENCHMARK_ARGS can be used to change what is being benchmarked. Default: -count=10 -benchtime=3s -benchmem.
 // BENCH_BASE can be used to change the output file name.

testing/go.mod

@@ -1,6 +1,6 @@
 module github.com/elastic/fleet-server/testing
 
-go 1.24.7
+go 1.25.1
 
 replace (
 	github.com/elastic/fleet-server/pkg/api => ../pkg/api