Change uses of NewGCM to NewGCMWithRandomNonce

[michel-laterman]

What does this PR do?

Replace uses of cipher.NewGCM with cipher.NewGCMWithRandomNonce in internal/pkg/crypto and internal/pkg/agent/vault/aesgcm, and remove all fipsutils.SkipIfFIPSOnly calls in tests that would skip the test if GODEBUG=fips140=only was set.

The replacement in internal/pkg/agent/vault/aesgcm is basically a drop in replacement as the GCM created with cipher.NewGCMWithRandomNonce prepends the nonce (iv) for us automatically.

The replacement in internal/pkg/crypto was a little more involved as having the nonce prepended automatically breaks our implementation; specifically we assume our encrypted data block headers have IV | UINT32 | ENCRYPTED-DATA. We have to manually recreate this type of header from the output of Seal, and handle managing the input to Open in order to ensure no breaking changes.

Why is it important?

Using cipher.NewGCMWithRandomNonce allows a path forward for using go's FIPS crypto module which is currently being certified.

Checklist

• I have read and understood the pull request guidelines of this project.
• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in ./changelog/fragments using the changelog tool
• I have added an integration test or an E2E test

Disruptive User Impact

N/A

How to test this PR locally

Enroll an agent in fleet, then upgrade/downgrade

Related issues

• Closes Switch to crypto.NewGCMWithRandomNonce when go version >= 1.25.0 #8926

[mergify]

This pull request does not have a backport label. Could you fix it @michel-laterman? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-./d./d is the label that automatically backports to the 8./d branch. /d is the digit
• backport-active-all is the label that automatically backports to all active branches.
• backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
• backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

[michel-laterman]

Blocked by #10156

[elasticmachine]

💔 Build Failed

• Buildkite Build
• Commit: a34afd5

Failed CI Steps

• Start ESS stack for FIPS integration tests
• Start ESS stack for FIPS integration tests

History

• 💔 Build #34252 failed e6b5bf9
• 💔 Build #34251 failed 1030f1b
• 💔 Build #34250 failed 20f29aa

cc @michel-laterman