Bump elastic-agent-libs and enforce fips140=on at runtime for FIPS builds#7332
Bump elastic-agent-libs and enforce fips140=on at runtime for FIPS builds#7332macdewee wants to merge 3 commits into
Conversation
|
This pull request does not have a backport label. Could you fix it @macdewee? 🙏
|
…ilds elastic-agent-libs v0.46.0 enforces FIPS 140-3 peer-cert key-type checks across all TLS verification modes, closing a gap where FIPS builds could accept non-compliant TLS certificates. Also embed DefaultGODEBUG=fips140=on in FIPS binaries via a requirefips-gated go:debug directive, and have checkFIPSBinary verify it's present so FIPS binaries actually enforce FIPS mode at runtime, not just compile with the module available. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
|
This pull request is now in conflicts. Could you fix it @macdewee? 🙏 |
This comment has been minimized.
This comment has been minimized.
6df8352 to
825e357
Compare
TL;DRThe two FIPS unit-test jobs are failing because the PR intentionally turns on FIPS behavior and bumps Remediation
Investigation detailsRoot CauseThis is a test expectation failure caused by the PR's FIPS/runtime behavior changes, not infrastructure. The PR adds
Evidence
No existing VerificationReproduced in a disposable copy with: What is this? | From workflow: PR Buildkite Detective Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not. |
| return fmt.Errorf("GOFIPS140 is empty") | ||
| } | ||
| case "DefaultGODEBUG": | ||
| if strings.Contains(setting.Value, "fips140=on") { |
There was a problem hiding this comment.
This would also catch fips140=only, which we probably don't want since that could lead to unexpected panics at runtime for FIPS-140 non-compliant uses. Consider a more structured approach like so:
case "DefaultGODEBUG":
for _, entry := range strings.Split(setting.Value, ",") {
if key, val, ok := strings.Cut(entry, "="); ok && key == "fips140" && val == "on" {
foundFIPSDefault = true
break
}
}There was a problem hiding this comment.
good catch, I will fix it in beats and agent as well
|
Thanks for enforcing Line 59 in 7caed5a This form of enforcement was, of course, only limited to Docker images since our goal at the time was FRH environment deployments in ESS. All that said, the change in this PR is better as it enforces this now regardless of the packaging artifact used for deployment. Maybe we could remove the Dockerfile line now. Or we could leave it as-is for defense in depth. WDYT? |
strings.Contains(value, "fips140=on") also matched "fips140=only" since "on" is a prefix of "only", so a fips140=only binary would incorrectly pass the check meant to verify fips140=on enforcement. Parse comma separated key=value entries and compare exactly instead. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
elastic-agent-libs v0.46.0 now installs a VerifyConnection callback on FIPS builds regardless of GODEBUG=fips140=on vs only, since the check is gated by the requirefips build tag rather than runtime enforcement level. Update the affected tests accordingly: - TestToESConfig: ignore VerifyConnection when comparing TLS configs, same as the existing handling for Proxy. - TestConnectionTLS: switch from fips140.Enforced() (true only under fips140=only) to fips140.Enabled() (true under fips140=on or only), matching when the library's FIPS enforcement is actually active. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
I would leave it. It is not a cost and gives as additional defense in depth |
What is the problem this PR solves?
Fleet Server's FIPS builds already moved to Go's native FIPS 140-3 support (
GOFIPS140), but two gaps remained compared to the same migration done in beats/elastic-agent:elastic-agent-libswas still pinned to v0.44.0, which predates a fix enforcing FIPS 140-3 peer-certificate key-type checks across all TLS verification modes. Fleet Server uses this library'stlscommon/httpcommonpackages for all of its TLS configuration, so FIPS builds could accept non-compliant TLS certificates (e.g. RSA keys below 2048 bits).fips140=onat runtime by default —checkFIPSBinaryonly verified the binary was compiled withGOFIPS140available, not that it enforces FIPS mode when run.How does this PR solve the problem?
elastic-agent-libsto v0.46.0 ingo.modandtesting/go.mod, regeneratingNOTICE.txt/NOTICE-fips.txt.//go:debug fips140=ondirective in a newrequirefips-gated file (godebug_fips.go), so FIPS binaries embedDefaultGODEBUG=fips140=onand enforce FIPS mode by default at runtime.checkFIPSBinaryinmagefile.goto fail if a FIPS binary's build info doesn't showDefaultGODEBUGcontainingfips140=on.How to test this PR locally
Confirm
DefaultGODEBUG=fips140=onis present, and that a non-FIPS build (mage build:localwithoutFIPS=true) shows none of these markers.mage test:unitandmage check:imports check:headers check:fix check:noticeall pass.Design Checklist
Checklist
./changelog/fragmentsusing the changelog toolRelated issues