Update to go v1.24.0 (#4543)

Update to go v1.24.0, change golang.org/x/crypto/pbkdf2 to crypto/pbkdf2

(cherry picked from commit c2b8d66)

# Conflicts:
#	NOTICE.txt
#	go.mod
#	testing/go.mod

Author: michel-laterman

.buildkite/pipeline.yml

@@ -1,7 +1,7 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/buildkite/pipeline-schema/main/schema.json
 
 env:
-  SETUP_GVM_VERSION: "v0.5.0"
+  SETUP_GVM_VERSION: "v0.5.1"
   DOCKER_COMPOSE_VERSION: "1.25.5"
   DOCKER_REGISTRY: "docker.elastic.co"
   DOCKER_IMAGE: "${DOCKER_REGISTRY}/observability-ci/fleet-server" # needs to rename for rollback

.buildkite/scripts/local_build.sh

@@ -3,6 +3,7 @@
 set -euo pipefail
 
 source .buildkite/scripts/common.sh
+
 add_bin_path
 with_go
 

.go-version

@@ -1 +1 @@
-1.23.6
+1.24.0

.golangci.yml

@@ -4,7 +4,7 @@ run:
   timeout: 1m
   build-tags:
     - integration
-  go: "1.23.6"
+  go: "1.24.0"
 
 issues:
   # Maximum count of issues with the same text.

NOTICE.txt

@@ -5034,6 +5034,7 @@ THE SOFTWARE.
 
 
 --------------------------------------------------------------------------------
+<<<<<<< HEAD
 Dependency : golang.org/x/crypto
 Version: v0.32.0
 Licence type (autodetected): BSD-3-Clause
@@ -5071,6 +5072,8 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 
 --------------------------------------------------------------------------------
+=======
+>>>>>>> c2b8d66 (Update to go v1.24.0 (#4543))
 Dependency : golang.org/x/sync
 Version: v0.10.0
 Licence type (autodetected): BSD-3-Clause
@@ -20082,6 +20085,43 @@ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 
+--------------------------------------------------------------------------------
+Dependency : golang.org/x/crypto
+Version: v0.33.0
+Licence type (autodetected): BSD-3-Clause
+--------------------------------------------------------------------------------
+
+Contents of probable licence file $GOMODCACHE/golang.org/x/crypto@v0.33.0/LICENSE:
+
+Copyright 2009 The Go Authors.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google LLC nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
 --------------------------------------------------------------------------------
 Dependency : golang.org/x/mod
 Version: v0.20.0

changelog/fragments/1741109055-Update-to-go-v1.24.0.yaml

@@ -0,0 +1,32 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: enhancement
+
+# Change summary; a 80ish characters long description of the change.
+summary: Update to go v1.24.0
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+#description:
+
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component: fleet-server
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+pr: https://github.com/elastic/fleet-server/pull/4543
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+#issue: https://github.com/owner/repo/1234

go.mod

@@ -1,8 +1,12 @@
 module github.com/elastic/fleet-server/v7
 
+<<<<<<< HEAD
 go 1.22.10
 
 toolchain go1.23.3
+=======
+go 1.24
+>>>>>>> c2b8d66 (Update to go v1.24.0 (#4543))
 
 require (
 	github.com/Pallinder/go-randomdata v1.2.0
@@ -37,8 +41,12 @@ require (
 	go.elastic.co/apm/v2 v2.6.3
 	go.elastic.co/ecszerolog v0.2.0
 	go.uber.org/zap v1.27.0
+<<<<<<< HEAD
 	golang.org/x/crypto v0.32.0
 	golang.org/x/sync v0.10.0
+=======
+	golang.org/x/sync v0.11.0
+>>>>>>> c2b8d66 (Update to go v1.24.0 (#4543))
 	golang.org/x/time v0.5.0
 	google.golang.org/grpc v1.63.2
 	google.golang.org/protobuf v1.33.0
@@ -91,11 +99,20 @@ require (
 	go.opentelemetry.io/otel/metric v1.28.0 // indirect
 	go.opentelemetry.io/otel/trace v1.28.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
+<<<<<<< HEAD
 	golang.org/x/mod v0.20.0 // indirect
 	golang.org/x/net v0.34.0 // indirect
 	golang.org/x/sys v0.29.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
 	golang.org/x/tools v0.24.0 // indirect
+=======
+	golang.org/x/crypto v0.33.0 // indirect
+	golang.org/x/mod v0.23.0 // indirect
+	golang.org/x/net v0.35.0 // indirect
+	golang.org/x/sys v0.30.0 // indirect
+	golang.org/x/text v0.22.0 // indirect
+	golang.org/x/tools v0.30.0 // indirect
+>>>>>>> c2b8d66 (Update to go v1.24.0 (#4543))
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240415180920-8c6c420018be // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	howett.net/plist v1.0.1 // indirect

internal/pkg/api/handleEnroll.go

@@ -7,6 +7,7 @@ package api
 import (
 	"context"
 	"crypto/hmac"
+	"crypto/pbkdf2"
 	"crypto/rand"
 	"crypto/sha512"
 	"encoding/base64"
@@ -20,7 +21,6 @@ import (
 	"time"
 
 	"go.elastic.co/apm/v2"
-	"golang.org/x/crypto/pbkdf2"
 
 	"github.com/elastic/elastic-agent-libs/str"
 	"github.com/elastic/fleet-server/v7/internal/pkg/apikey"
@@ -745,7 +745,11 @@ func compareHashAndToken(zlog zerolog.Logger, hash string, token string, cfg con
 		zlog.Error().Err(err).Msg("replace_token hash failed to base64 decode encoded")
 		return false, ErrAgentCorrupted
 	}
-	key := pbkdf2.Key([]byte(token), salt, iterations, cfg.KeyLength, sha512.New)
+	key, err := pbkdf2.Key(sha512.New, token, salt, iterations, cfg.KeyLength)
+	if err != nil {
+		zlog.Error().Err(err).Msg("pbkdf2 key creation failed")
+		return false, ErrAgentCorrupted
+	}
 	// use `hmac.Equal` vs `bytes.Equal` to not leak timing information for comparison
 	return hmac.Equal(key, encoded), nil
 }
@@ -757,7 +761,10 @@ func hashReplaceToken(token string, cfg config.PBKDF2) (string, error) {
 	if err != nil {
 		return "", errors.New("failed to generate random salt")
 	}
-	key := pbkdf2.Key([]byte(token), r, cfg.Iterations, cfg.KeyLength, sha512.New)
+	key, err := pbkdf2.Key(sha512.New, token, r, cfg.Iterations, cfg.KeyLength)
+	if err != nil {
+		return "", fmt.Errorf("failed to create pbkdf2 key: %w", err)
+	}
 	salt := base64.RawStdEncoding.EncodeToString(r)
 	encoded := base64.RawStdEncoding.EncodeToString(key)
 	// format of stored replace_token

testing/go.mod

@@ -1,8 +1,14 @@
 module github.com/elastic/fleet-server/testing
 
+<<<<<<< HEAD
 go 1.22.10
 
 toolchain go1.23.3
+=======
+go 1.24
+
+toolchain go1.24.0
+>>>>>>> c2b8d66 (Update to go v1.24.0 (#4543))
 
 replace (
 	github.com/elastic/fleet-server/pkg/api => ../pkg/api