From 36b06787433f3813fad3920712cd632647289278 Mon Sep 17 00:00:00 2001 From: Shaunak Kashyap Date: Wed, 1 Oct 2025 06:45:48 -0700 Subject: [PATCH 1/3] Bump Go version to 1.25.1 (#5562) * Bump Go version to 1.25.1 * Update CHANGELOG entry * Bump the version of golangci-lint * Remove references to the ms_tls13kdf build tag * Download go module dependencies before GODEBUG=fips140=only is set * Exclude X25519 curve types when testing in FIPS-140 mode * Stricter check * Add missing license header * Exclude X25519 curve types when testing in FIPS-140-only mode * Use stricter check * Update NOTICE files * Remove IsFIPS140Only helper function * Set GODEBUG=tlsmlkem=0 for FIPS140-only unit tests * Remove replace directive from go.mod * Try not pre-downloading dependencies (cherry picked from commit 15b8c8ac65955c68ba66e2cdd49a9c264a375d9e) --- .go-version | 2 +- .golangci.yml | 2 +- .../1758819869-bump-golang-1.25.1.yaml | 32 ++++++ dev-tools/go.mod | 2 +- docs/fips.md | 97 +++++++++++++++++++ go.mod | 2 +- testing/go.mod | 2 +- 7 files changed, 134 insertions(+), 5 deletions(-) create mode 100644 changelog/fragments/1758819869-bump-golang-1.25.1.yaml create mode 100644 docs/fips.md diff --git a/.go-version b/.go-version index 8407e26008..d905a6d1d6 100644 --- a/.go-version +++ b/.go-version @@ -1 +1 @@ -1.24.7 +1.25.1 diff --git a/.golangci.yml b/.golangci.yml index 79a5435c4d..7e6232d7d1 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -4,7 +4,7 @@ run: timeout: 1m build-tags: - integration - go: "1.24.7" + go: "1.25.1" issues: # Maximum count of issues with the same text. diff --git a/changelog/fragments/1758819869-bump-golang-1.25.1.yaml b/changelog/fragments/1758819869-bump-golang-1.25.1.yaml new file mode 100644 index 0000000000..9d7955c853 --- /dev/null +++ b/changelog/fragments/1758819869-bump-golang-1.25.1.yaml 
@@ -0,0 +1,32 @@ +# Kind can be one of: +# - breaking-change: a change to previously-documented behavior +# - deprecation: functionality that is being removed in a later release +# - bug-fix: fixes a problem in a previous version +# - enhancement: extends functionality but does not break or fix existing behavior +# - feature: new functionality +# - known-issue: problems that we are aware of in a given version +# - security: impacts on the security of a product or a user’s deployment. +# - upgrade: important information for someone upgrading from a prior version +# - other: does not fit into any of the other categories +kind: enhancement + +# Change summary; a 80ish characters long description of the change. +summary: Update Go to v1.25.1 + +# Long description; in case the summary is not enough to describe the change +# this field accommodate a description without length limits. +# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment. +#description: + +# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc. +component: fleet-server + +# PR URL; optional; the PR number that added the changeset. +# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added. +# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number. +# Please provide it if you are adding a fragment for a different PR. +pr: https://github.com/elastic/fleet-server/pull/5562 + +# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of). +# If not present is automatically filled by the tooling with the issue linked to the PR number. +#issue: https://github.com/owner/repo/1234 diff --git a/dev-tools/go.mod b/dev-tools/go.mod index 31d66003bc..1a81c1e55e 100644 --- a/dev-tools/go.mod +++ b/dev-tools/go.mod 
@@ -1,6 +1,6 @@
 module github.com/elastic/fleet-server/dev-tools
-go 1.24.7
+go 1.25.1
 tool (
 github.com/elastic/go-json-schema-generate/cmd/schema-generate
diff --git a/docs/fips.md b/docs/fips.md
new file mode 100644
index 0000000000..c0680f035e
--- /dev/null
+++ b/docs/fips.md
@@ -0,0 +1,97 @@ +# FIPS support + +**NOTE: FIPS Support is in-progress** + +The fleet-server can be built in a FIPS capable mode. +This forces the use of a FIPS provider to handle any cryptographic calls. + +Currently FIPS is provided by compiling with the [microsoft/go](https://github.com/microsoft/go) distribution. +This toolchain must be present for local compilation. + +## Build changes + +As we are using micrsoft/go as a base we follow their conventions. + +Our FIPS changes require the `requirefips` build tag. +When compiling `GOEXPERIMENT=systemcrypto` and `CGO_ENABLED=1` must be set. +Additionally the `MS_GOTOOLCHAIN_TELEMETRY_ENABLED=0` env var is set to disable telemetry for [microsoft/go](https://github.com/microsoft/go). + +The `FIPS=true` env var is used by our magefile as the FIPS toggle. +This env var applies to all targets, at a minimum the `requirefips` tag will be set. +For targets that compile binaries, the `GOEXPERIMENT=systemcrypto` and `CGO_ENABLED=1` env vars are set. + +For developer conveniance, running `FIPS=true mage multipass` will provision a multipass VM with the Microsoft/go toolchain. +See [Multipass VM Usage](#multipass-vm-usage) for additional details. + +### Multipass VM Usage + +A Multipass VM created with `FIPS=true mage multipass` is able to compile FIPS enabled golang programs, but is not able to run them. +When you try to run one the following error occurs: +``` +GODEBUG=fips140=on ./bin/fleet-server -c fleet-server.yml +panic: opensslcrypto: can't enable FIPS mode for OpenSSL 3.0.13 30 Jan 2024: openssl: FIPS mode not supported by any provider + +goroutine 1 [running]: +crypto/internal/backend.init.1() + /usr/local/go/src/crypto/internal/backend/openssl_linux.go:85 +0x210 +``` + +In order to be able to run a FIPS enabled binary, openssl must have a fips provider. +Openssl [provides instructions on how to do this](https://github.com/openssl/openssl/blob/master/README-FIPS.md). + +A TLDR for our multipass container is: + +1. 
Download and compile the FIPS provider for openssl in the VM by running: +``` +wget https://github.com/openssl/openssl/releases/download/openssl-3.0.13/openssl-3.0.13.tar.gz +tar -xzf openssl-3.0.13.tar.gz +cd openssl-3.0.13 +./Configure enable-fips +make test +sudo make install_fips +sudo openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module /usr/local/lib/ossl-modules/fips.so +``` + +2. Copy the `fips.so` module to the system library, in order to find the location run: +``` +openssl version -m +``` + +On my VM I would copy the `fips.so` module with: +``` +sudo cp /usr/local/lib/ossl-modules/fips.so /usr/lib/aarch64-linux-gnu/ossl-modules/fips.so +``` + +3. Create an openssl.cnf for the program to use with the contents: +``` +config_diagnostics = 1 +openssl_conf = openssl_init + +.include /usr/local/ssl/fipsmodule.cnf + +[openssl_init] +providers = provider_sect +alg_section = algorithm_sect + +[provider_sect] +fips = fips_sect +base = base_sect + +[base_sect] +activate = 1 + +[algorithm_sect] +default_properties = fips=yes +``` + +4. Run the program with the `OPENSSL_CONF=openssl.cnf` and `GODEBUG=fips140=on` env vars, i.e., +``` +OPENSSL_CONF=./openssl.cnf GODEBUG=fips140=on ./bin/fleet-server -c fleet-server.yml +23:48:47.871 INF Boot fleet-server args=["-c","fleet-server.yml"] commit=55104f6f ecs.version=1.6.0 exe=./bin/fleet-server pid=65037 ppid=5642 service.name=fleet-server service.type=fleet-server version=9.0.0 +i... +``` + +## Usage + +Binaries produced with the `FIPS=true` env var will panic on startup if they cannot find a FIPS provider. +The system/image is required to have a FIPS provider available. diff --git a/go.mod b/go.mod index f11d90bdae..a5dde3280b 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/elastic/fleet-server/v7 -go 1.24.7 +go 1.25.1 require ( github.com/Pallinder/go-randomdata v1.2.0 diff --git a/testing/go.mod b/testing/go.mod index ff64f70409..bd147e5523 100644 --- a/testing/go.mod +++ b/testing/go.mod 
@@ -1,6 +1,6 @@
 module github.com/elastic/fleet-server/testing
-go 1.24.7
+go 1.25.1
 replace (
 github.com/elastic/fleet-server/pkg/api => ../pkg/api
From d7a8eed797143d029ac87038aeb8c82860ab28e9 Mon Sep 17 00:00:00 2001 From: Shaunak Kashyap Date: Wed, 1 Oct 2025 08:19:32 -0700 Subject: [PATCH 2/3] Fixing conflicts --- docs/fips.md | 97 ---------------------------------------------------- 1 file changed, 97 deletions(-) delete mode 100644 docs/fips.md
diff --git a/docs/fips.md b/docs/fips.md
deleted file mode 100644
index c0680f035e..0000000000
--- a/docs/fips.md
+++ /dev/null
@@ -1,97 +0,0 @@ -# FIPS support - -**NOTE: FIPS Support is in-progress** - -The fleet-server can be built in a FIPS capable mode. -This forces the use of a FIPS provider to handle any cryptographic calls. - -Currently FIPS is provided by compiling with the [microsoft/go](https://github.com/microsoft/go) distribution. -This toolchain must be present for local compilation. - -## Build changes - -As we are using micrsoft/go as a base we follow their conventions. - -Our FIPS changes require the `requirefips` build tag. -When compiling `GOEXPERIMENT=systemcrypto` and `CGO_ENABLED=1` must be set. -Additionally the `MS_GOTOOLCHAIN_TELEMETRY_ENABLED=0` env var is set to disable telemetry for [microsoft/go](https://github.com/microsoft/go). - -The `FIPS=true` env var is used by our magefile as the FIPS toggle. -This env var applies to all targets, at a minimum the `requirefips` tag will be set. -For targets that compile binaries, the `GOEXPERIMENT=systemcrypto` and `CGO_ENABLED=1` env vars are set. - -For developer conveniance, running `FIPS=true mage multipass` will provision a multipass VM with the Microsoft/go toolchain. -See [Multipass VM Usage](#multipass-vm-usage) for additional details. - -### Multipass VM Usage - -A Multipass VM created with `FIPS=true mage multipass` is able to compile FIPS enabled golang programs, but is not able to run them. -When you try to run one the following error occurs: -``` -GODEBUG=fips140=on ./bin/fleet-server -c fleet-server.yml -panic: opensslcrypto: can't enable FIPS mode for OpenSSL 3.0.13 30 Jan 2024: openssl: FIPS mode not supported by any provider - -goroutine 1 [running]: -crypto/internal/backend.init.1() - /usr/local/go/src/crypto/internal/backend/openssl_linux.go:85 +0x210 -``` - -In order to be able to run a FIPS enabled binary, openssl must have a fips provider. -Openssl [provides instructions on how to do this](https://github.com/openssl/openssl/blob/master/README-FIPS.md). - -A TLDR for our multipass container is: - -1. 
Download and compile the FIPS provider for openssl in the VM by running: -``` -wget https://github.com/openssl/openssl/releases/download/openssl-3.0.13/openssl-3.0.13.tar.gz -tar -xzf openssl-3.0.13.tar.gz -cd openssl-3.0.13 -./Configure enable-fips -make test -sudo make install_fips -sudo openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module /usr/local/lib/ossl-modules/fips.so -``` - -2. Copy the `fips.so` module to the system library, in order to find the location run: -``` -openssl version -m -``` - -On my VM I would copy the `fips.so` module with: -``` -sudo cp /usr/local/lib/ossl-modules/fips.so /usr/lib/aarch64-linux-gnu/ossl-modules/fips.so -``` - -3. Create an openssl.cnf for the program to use with the contents: -``` -config_diagnostics = 1 -openssl_conf = openssl_init - -.include /usr/local/ssl/fipsmodule.cnf - -[openssl_init] -providers = provider_sect -alg_section = algorithm_sect - -[provider_sect] -fips = fips_sect -base = base_sect - -[base_sect] -activate = 1 - -[algorithm_sect] -default_properties = fips=yes -``` - -4. Run the program with the `OPENSSL_CONF=openssl.cnf` and `GODEBUG=fips140=on` env vars, i.e., -``` -OPENSSL_CONF=./openssl.cnf GODEBUG=fips140=on ./bin/fleet-server -c fleet-server.yml -23:48:47.871 INF Boot fleet-server args=["-c","fleet-server.yml"] commit=55104f6f ecs.version=1.6.0 exe=./bin/fleet-server pid=65037 ppid=5642 service.name=fleet-server service.type=fleet-server version=9.0.0 -i... -``` - -## Usage - -Binaries produced with the `FIPS=true` env var will panic on startup if they cannot find a FIPS provider. -The system/image is required to have a FIPS provider available. From cc9ca519bb0f34819f1ba8f5f67945a3e4106cc4 Mon Sep 17 00:00:00 2001 From: Shaunak Kashyap Date: Wed, 1 Oct 2025 12:30:55 -0700 Subject: [PATCH 3/3] Bumping timeout --- testing/e2e/agent_container_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/testing/e2e/agent_container_test.go b/testing/e2e/agent_container_test.go
index 67e744d235..f91a55edae 100644
--- a/testing/e2e/agent_container_test.go
+++ b/testing/e2e/agent_container_test.go
@@ -89,7 +89,7 @@ func (suite *AgentContainerSuite) TearDownTest() {
 // It checks the status API on the fleet-server's external port and that the agent listed in Kibana states "online"
 // Tests that enroll another agent explicitly need fleet-server to be online
 func (suite *AgentContainerSuite) FleetIsHealthy(bCtx context.Context, endpoint string) {
- ctx, cancel := context.WithTimeout(bCtx, 4*time.Minute)
+ ctx, cancel := context.WithTimeout(bCtx, 5*time.Minute)
 defer cancel()
 suite.FleetServerStatusOK(ctx, endpoint)
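Review bot: The new 5-minute value on the `context.WithTimeout` line in FleetIsHealthy is a bare literal with no explanation, and the commit message ("Bumping timeout") does not record what became slower after the Go 1.25.1 bump, so the change reads as a flake tolerance rather than a reasoned bound. Consider giving the value a name with the reason next to it, e.g. `// fleetHealthyTimeout bounds the status-API and Kibana "online" checks; raised from 4m after the Go 1.25 bump because <what was observed>.` above `const fleetHealthyTimeout = 5 * time.Minute`, and `ctx, cancel := context.WithTimeout(bCtx, fleetHealthyTimeout)` at the call site. That keeps any future bump a one-line diff with a documented cause instead of a silent widening of the test's tolerance, which presumably is what the bound is there to catch. The body of FleetIsHealthy continues past the end of the hunk.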