Change uses of NewGCM to NewGCMWithRandomNonce#12599

Draft
michel-laterman wants to merge 1 commit into elastic:main from michel-laterman:enhancement/newgcmwithrandomnonce
Conversation

@michel-laterman michel-laterman commented Feb 4, 2026

What does this PR do?

Replace uses of cipher.NewGCM with cipher.NewGCMWithRandomNonce in internal/pkg/crypto and internal/pkg/agent/vault/aesgcm, and remove all fipsutils.SkipIfFIPSOnly calls in tests that would skip the test if GODEBUG=fips140=only was set.

The replacement in internal/pkg/agent/vault/aesgcm is basically a drop-in replacement, as the GCM created with cipher.NewGCMWithRandomNonce prepends the nonce (IV) for us automatically.

The replacement in internal/pkg/crypto was a little more involved as having the nonce prepended automatically breaks our implementation; specifically we assume our encrypted data block headers have IV | UINT32 | ENCRYPTED-DATA. We have to manually recreate this type of header from the output of Seal, and handle managing the input to Open in order to ensure no breaking changes.

Why is it important?

Using cipher.NewGCMWithRandomNonce allows a path forward for using Go's FIPS crypto module, which is currently being certified.

Checklist

  • I have read and understood the pull request guidelines of this project.
  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in ./changelog/fragments using the changelog tool
  • I have added an integration test or an E2E test

Disruptive User Impact

N/A

How to test this PR locally

Enroll an agent in fleet, then upgrade/downgrade

Related issues
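The header rearrangement the description talks about, as an added example that is not the PR's own code from internal/pkg/crypto: Seal on an AEAD from cipher.NewGCMWithRandomNonce returns nonce||ciphertext||tag, which is split into the IV | UINT32 | ENCRYPTED-DATA layout, and Open gets the nonce||ciphertext||tag slice rebuilt from that layout. The page does not say what the UINT32 holds; this example assumes it is the big-endian length of ENCRYPTED-DATA, and it needs Go 1.24 or newer for cipher.NewGCMWithRandomNonce.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// nonceLen is the 96-bit nonce that the Go 1.24+ NewGCMWithRandomNonce AEAD generates and prepends.
const nonceLen = 12

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCMWithRandomNonce(block)
}

// sealWithHeader re-lays Seal's nonce||ciphertext||tag output as IV | UINT32 | ENCRYPTED-DATA
// (assumption: UINT32 is the big-endian length of ENCRYPTED-DATA, i.e. ciphertext plus tag).
func sealWithHeader(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	sealed := aead.Seal(nil, nil, plaintext, nil) // nonce arg must be empty with this AEAD
	iv, enc := sealed[:nonceLen], sealed[nonceLen:]
	out := make([]byte, 0, nonceLen+4+len(enc))
	out = append(out, iv...)
	out = binary.BigEndian.AppendUint32(out, uint32(len(enc)))
	return append(out, enc...), nil
}

// openWithHeader validates the header, drops the UINT32 and rebuilds nonce||ciphertext||tag for Open.
func openWithHeader(key, data []byte) ([]byte, error) {
	if len(data) < nonceLen+4 {
		return nil, fmt.Errorf("header truncated: %d bytes", len(data))
	}
	n := binary.BigEndian.Uint32(data[nonceLen : nonceLen+4])
	enc := data[nonceLen+4:]
	if int(n) != len(enc) {
		return nil, fmt.Errorf("length field %d does not match %d encrypted bytes", n, len(enc))
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nil, append(append([]byte{}, data[:nonceLen]...), enc...), nil) // fresh slice
}
```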

mergify bot commented Feb 4, 2026

This pull request does not have a backport label. Could you fix it @michel-laterman? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-./d./d is the label that automatically backports to the 8./d branch. /d is the digit
  • backport-active-all is the label that automatically backports to all active branches.
  • backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
  • backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

@michel-laterman michel-laterman force-pushed the enhancement/newgcmwithrandomnonce branch 2 times, most recently from 1030f1b to e6b5bf9 on February 4, 2026 20:03
@michel-laterman michel-laterman force-pushed the enhancement/newgcmwithrandomnonce branch from e6b5bf9 to a34afd5 on February 4, 2026 22:31
@michel-laterman michel-laterman changed the title from "Change uses of NewGCM to NewGCMWithRandomNonce, remove fipsonly skips" to "Change uses of NewGCM to NewGCMWithRandomNonce" on Feb 4, 2026
@michel-laterman michel-laterman added the labels "enhancement" (New feature or request) and "Team:Elastic-Agent-Control-Plane" (Label for the Agent Control Plane team) on Feb 4, 2026
@michel-laterman (Contributor, Author) commented

Blocked by #10156

elasticmachine commented Feb 4, 2026


Development

Successfully merging this pull request may close these issues.

Switch to crypto.NewGCMWithRandomNonce when go version >= 1.25.0

2 participants