Update to go v1.24.0 (#4543)

Update to go v1.24.0, change golang.org/x/crypto/pbkdf2 to crypto/pbkdf2

Author: michel-laterman

.buildkite/pipeline.yml

@@ -1,7 +1,7 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/buildkite/pipeline-schema/main/schema.json
 
 env:
-  SETUP_GVM_VERSION: "v0.5.0"
+  SETUP_GVM_VERSION: "v0.5.1"
   DOCKER_COMPOSE_VERSION: "1.25.5"
   DOCKER_REGISTRY: "docker.elastic.co"
   DOCKER_IMAGE: "${DOCKER_REGISTRY}/observability-ci/fleet-server" # needs to rename for rollback

.buildkite/scripts/local_build.sh

@@ -3,6 +3,7 @@
 set -euo pipefail
 
 source .buildkite/scripts/common.sh
+
 add_bin_path
 with_go
 

.go-version

@@ -1 +1 @@
-1.23.6
+1.24.0

.golangci.yml

@@ -4,7 +4,7 @@ run:
   timeout: 1m
   build-tags:
     - integration
-  go: "1.23.6"
+  go: "1.24.0"
 
 issues:
   # Maximum count of issues with the same text.

NOTICE.txt

@@ -5033,43 +5033,6 @@ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
 
 
---------------------------------------------------------------------------------
-Dependency : golang.org/x/crypto
-Version: v0.33.0
-Licence type (autodetected): BSD-3-Clause
---------------------------------------------------------------------------------
-
-Contents of probable licence file $GOMODCACHE/golang.org/x/crypto@v0.33.0/LICENSE:
-
-Copyright 2009 The Go Authors.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
-
-   * Redistributions of source code must retain the above copyright
-notice, this list of conditions and the following disclaimer.
-   * Redistributions in binary form must reproduce the above
-copyright notice, this list of conditions and the following disclaimer
-in the documentation and/or other materials provided with the
-distribution.
-   * Neither the name of Google LLC nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-
 --------------------------------------------------------------------------------
 Dependency : golang.org/x/sync
 Version: v0.11.0
@@ -20082,6 +20045,43 @@ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 
+--------------------------------------------------------------------------------
+Dependency : golang.org/x/crypto
+Version: v0.33.0
+Licence type (autodetected): BSD-3-Clause
+--------------------------------------------------------------------------------
+
+Contents of probable licence file $GOMODCACHE/golang.org/x/crypto@v0.33.0/LICENSE:
+
+Copyright 2009 The Go Authors.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google LLC nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
 --------------------------------------------------------------------------------
 Dependency : golang.org/x/mod
 Version: v0.23.0

changelog/fragments/1741109055-Update-to-go-v1.24.0.yaml

@@ -0,0 +1,32 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: enhancement
+
+# Change summary; a 80ish characters long description of the change.
+summary: Update to go v1.24.0
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+#description:
+
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component: fleet-server
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+pr: https://github.com/elastic/fleet-server/pull/4543
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+#issue: https://github.com/owner/repo/1234

go.mod

@@ -1,6 +1,6 @@
 module github.com/elastic/fleet-server/v7
 
-go 1.23
+go 1.24
 
 require (
 	github.com/Pallinder/go-randomdata v1.2.0
@@ -35,7 +35,6 @@ require (
 	go.elastic.co/apm/v2 v2.6.3
 	go.elastic.co/ecszerolog v0.2.0
 	go.uber.org/zap v1.27.0
-	golang.org/x/crypto v0.33.0
 	golang.org/x/sync v0.11.0
 	golang.org/x/time v0.5.0
 	google.golang.org/grpc v1.63.2
@@ -89,6 +88,7 @@ require (
 	go.opentelemetry.io/otel/metric v1.28.0 // indirect
 	go.opentelemetry.io/otel/trace v1.28.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
+	golang.org/x/crypto v0.33.0 // indirect
 	golang.org/x/mod v0.23.0 // indirect
 	golang.org/x/net v0.35.0 // indirect
 	golang.org/x/sys v0.30.0 // indirect

internal/pkg/api/handleEnroll.go

@@ -7,6 +7,7 @@ package api
 import (
 	"context"
 	"crypto/hmac"
+	"crypto/pbkdf2"
 	"crypto/rand"
 	"crypto/sha512"
 	"encoding/base64"
@@ -20,7 +21,6 @@ import (
 	"time"
 
 	"go.elastic.co/apm/v2"
-	"golang.org/x/crypto/pbkdf2"
 
 	"github.com/elastic/elastic-agent-libs/str"
 	"github.com/elastic/fleet-server/v7/internal/pkg/apikey"
@@ -745,7 +745,11 @@ func compareHashAndToken(zlog zerolog.Logger, hash string, token string, cfg con
 		zlog.Error().Err(err).Msg("replace_token hash failed to base64 decode encoded")
 		return false, ErrAgentCorrupted
 	}
-	key := pbkdf2.Key([]byte(token), salt, iterations, cfg.KeyLength, sha512.New)
+	key, err := pbkdf2.Key(sha512.New, token, salt, iterations, cfg.KeyLength)
+	if err != nil {
+		zlog.Error().Err(err).Msg("pbkdf2 key creation failed")
+		return false, ErrAgentCorrupted
+	}
 	// use `hmac.Equal` vs `bytes.Equal` to not leak timing information for comparison
 	return hmac.Equal(key, encoded), nil
 }
@@ -757,7 +761,10 @@ func hashReplaceToken(token string, cfg config.PBKDF2) (string, error) {
 	if err != nil {
 		return "", errors.New("failed to generate random salt")
 	}
-	key := pbkdf2.Key([]byte(token), r, cfg.Iterations, cfg.KeyLength, sha512.New)
+	key, err := pbkdf2.Key(sha512.New, token, r, cfg.Iterations, cfg.KeyLength)
+	if err != nil {
+		return "", fmt.Errorf("failed to create pbkdf2 key: %w", err)
+	}
 	salt := base64.RawStdEncoding.EncodeToString(r)
 	encoded := base64.RawStdEncoding.EncodeToString(key)
 	// format of stored replace_token

testing/go.mod

@@ -1,8 +1,8 @@
 module github.com/elastic/fleet-server/testing
 
-go 1.23
+go 1.24
 
-toolchain go1.23.2
+toolchain go1.24.0
 
 replace (
 	github.com/elastic/fleet-server/pkg/api => ../pkg/api