Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WIP go v1.24.0 changes to crypto with FIPS settings #7148

Closed
wants to merge 2 commits into from
Closed

WIP go v1.24.0 changes to crypto with FIPS settings #7148

wants to merge 2 commits into from
+63 −31

Conversation

michel-laterman
Copy link
Contributor

What does this PR do?

WIP of changes needed for new go 1.24.0 crypto primatives with FIPS mode tested

Currently I'm able to install an agent, but if I restart the service it fails with: Error: could not load agent info: could not get agent info from store: fail to read configuration /opt/Elastic/Agent/fleet.enc for the agent: fail to decode bytes: cipher: message authentication failed

Why is it important?

Checklist

  • I have read and understood the pull request guidelines of this project.
  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in ./changelog/fragments using the changelog tool
  • I have added an integration test or an E2E test

Disruptive User Impact

How to test this PR locally

@michel-laterman michel-laterman added enhancement New feature or request Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team labels Mar 4, 2025
@mergify Mergify
Copy link
Contributor

mergify bot commented Mar 4, 2025

This pull request does not have a backport label. Could you fix it @michel-laterman? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-./d./d is the label that automatically backports to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

michel-laterman
michel-laterman commented Mar 4, 2025
View reviewed changes
internal/pkg/agent/vault/vault_file_notwindows.go
"github.com/elastic/elastic-agent/internal/pkg/agent/vault/aesgcm"
"github.com/elastic/elastic-agent/pkg/utils"
)

const (
saltSize = 8
saltSize int = 128 / 8
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This gave an error message of crypto/pbkdf2: use of salts shorter than 128 bits is not allowed in FIPS 140-only mode if it was not changed.

This occurs in the crypto/pbkdf2 when it compares len(salt) < 128/8.

If we don't change to go 1.24.0, we will need to make this change for the FIPS distributions, i'm not sure if this is a change we can easily make to existing agents (as far as upgrade paths go)

internal/pkg/core/authority/ca.go
@@ -53,6 +56,7 @@ func NewCA() (*CertificateAuthority, error) {
}

privateKey, _ := rsa.GenerateKey(rand.Reader, 2048)
ca.SubjectKeyId = generateSubjectKeyID(privateKey)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we don't generate the SubjectKeyId go will attempt to use SHA1

internal/pkg/agent/vault/aesgcm/aesgcm.go
@@ -62,7 +62,7 @@ func Encrypt(key, data []byte) ([]byte, error) {
return nil, err
}

aesGCM, err := cipher.NewGCM(block)
aesGCM, err := cipher.NewGCMWithRandomNonce(block)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the very early stages of trying to use the new method (documented here).

We will probably need to do a bit more here as the returned aesGCM behaves differently then the current one.

@michel-laterman
Copy link
Contributor Author

Closing this as it was just an exploratory attempt.

Using cipher.NewGCMWithRandomNonce for our state encryption needs more engineering effort then just replacing the function call.

@elasticmachine
Copy link
Contributor

elasticmachine commented Mar 6, 2025
edited
Loading

⏳ Build in-progress, with failures

Failed CI Steps

History

cc @michel-laterman

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@michel-laterman michel-laterman

Labels
enhancement New feature or request Team:Elastic-Agent-Control-Plane Label for the Agent Control Plane team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@michel-laterman @elasticmachine