FIPS complaint agent file vault (#7360) (#7498)

Add elastic file vault seed implementation to allow variable length salt sizes.
FIPS distributions will strictly use the new .seedV2 format with the salt size set to 16 for FIPS compliance.
When not in FIPS only the (V1) .seed file is used.

(cherry picked from commit 1d5a294)

Co-authored-by: Michel Laterman <[email protected]>

Author: mergify[bot]

changelog/fragments/1741808763-FIPS-Compliant-agent-file-vault.yaml

@@ -0,0 +1,35 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: enhancement
+
+# Change summary; a 80ish characters long description of the change.
+summary: FIPS Compliant agent file vault
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+description: |
+  Change elastic file vault implementation to allow variable length salt sizes
+  only in FIPS enabled agents.  Increase default salt size to 16 for FIPS
+  compliance. Non-FIPS agents are unchanged.
+
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component: elastic-agent
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+pr: https://github.com/elastic/elastic-agent/pull/7360
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+#issue:

internal/pkg/agent/vault/seed.go

@@ -5,7 +5,7 @@
 package vault
 
 import (
-	"errors"
+	"encoding/binary"
 	"fmt"
 	"io/fs"
 	"os"
@@ -16,62 +16,68 @@ import (
 )
 
 const (
-	seedFile = ".seed"
+	// seedFile is len(aesgcm.AES256) and contains only the random seed
+	// A default salt size of 8 is used with this seed file
+	seedFile     = ".seed"
+	seedFileSize = int(aesgcm.AES256)
+	// seedFileV2 is len(aesgcm.AES256)+4 and contains the random seed followed by a non-zero salt size (little endian uint32)
+	seedFileV2     = ".seedV2"
+	seedFileV2Size = seedFileSize + 4
+)
+
+const (
+	saltSizeV1        = 8
+	defaultSaltSizeV2 = 16
 )
 
 var (
 	mxSeed sync.Mutex
 )
 
-func getSeed(path string) ([]byte, error) {
+// getSeedV1 will read the V1 .seed file
+// Will return fs.ErrNotExists if the bytecount does not match
+func getSeedV1(path string) ([]byte, error) {
 	fp := filepath.Join(path, seedFile)
 
-	mxSeed.Lock()
-	defer mxSeed.Unlock()
-
 	b, err := os.ReadFile(fp)
 	if err != nil {
 		return nil, fmt.Errorf("could not read seed file: %w", err)
 	}
 
-	// return fs.ErrNotExists if invalid length of bytes returned
-	if len(b) != int(aesgcm.AES256) {
-		return nil, fmt.Errorf("invalid seed length, expected: %v, got: %v: %w", int(aesgcm.AES256), len(b), fs.ErrNotExist)
+	// return fs.ErrNotExist if invalid length of bytes returned
+	if len(b) != seedFileSize {
+		return nil, fmt.Errorf("invalid seed length, expected: %v, got: %v: %w", seedFileSize, len(b), fs.ErrNotExist)
 	}
 	return b, nil
 }
 
-func createSeedIfNotExists(path string) ([]byte, error) {
-	fp := filepath.Join(path, seedFile)
-
-	mxSeed.Lock()
-	defer mxSeed.Unlock()
+// getSeedV2 will read a seedV2 file and return the passphrase and saltSize
+// Will return fs.ErrNotExists if the byte count does not match, or saltSize is 0
+// when in FIPS mode will return fs.ErrUnsupported when saltSize is non-zero but less then 16
+func getSeedV2(path string) ([]byte, int, error) {
+	fp := filepath.Join(path, seedFileV2)
 
 	b, err := os.ReadFile(fp)
 	if err != nil {
-		if !errors.Is(err, os.ErrNotExist) {
-			return nil, err
-		}
+		return nil, 0, fmt.Errorf("could not read seed file: %w", err)
 	}
 
-	if len(b) != 0 {
-		return b, nil
+	// return fs.ErrNotExist if invalid length of bytes returned
+	if len(b) != seedFileV2Size {
+		return nil, 0, fmt.Errorf("invalid seed length, expected: %v, got: %v: %w", seedFileV2Size, len(b), fs.ErrNotExist)
 	}
-
-	seed, err := aesgcm.NewKey(aesgcm.AES256)
-	if err != nil {
-		return nil, err
+	pass := b[0:seedFileSize]
+	saltSize := binary.LittleEndian.Uint32(b[seedFileSize:])
+	if saltSize == 0 {
+		return nil, 0, fmt.Errorf("salt size 0 detected: %w", fs.ErrNotExist)
 	}
-
-	err = os.WriteFile(fp, seed, 0600)
-	if err != nil {
-		return nil, err
+	if err := checkSalt(int(saltSize)); err != nil {
+		return nil, 0, err
 	}
-
-	return seed, nil
+	return pass, int(saltSize), nil
 }
 
-func getOrCreateSeed(path string, readonly bool) ([]byte, error) {
+func getOrCreateSeed(path string, readonly bool) ([]byte, int, error) {
 	if readonly {
 		return getSeed(path)
 	}

internal/pkg/agent/vault/seed_fips.go

@@ -0,0 +1,70 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0;
+// you may not use this file except in compliance with the Elastic License 2.0.
+
+//go:build requirefips
+
+package vault
+
+import (
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/elastic/elastic-agent/internal/pkg/agent/vault/aesgcm"
+)
+
+// getSeed returns the seed and salt size from the V2 seed file.
+// If the byte count does not match, or a 0 length salt is detected fs.ErrNotExist will be returned.
+func getSeed(path string) ([]byte, int, error) {
+	mxSeed.Lock()
+	defer mxSeed.Unlock()
+
+	// FIPS only supports V2
+	b, saltSize, err := getSeedV2(path)
+	if err != nil {
+		return nil, 0, err
+	}
+	return b, saltSize, nil
+}
+
+// checkSalt ensures the salt size is at least 16 bytes.
+func checkSalt(size int) error {
+	if size < defaultSaltSizeV2 {
+		return fmt.Errorf("expected salt to be at least %d: %w", defaultSaltSizeV2, errors.ErrUnsupported)
+	}
+	return nil
+}
+
+// createSeedIfNotExists returns the seed and salt size from the V2 seed file.
+// If the seed file does not exist it will create and write a new V2 seed file with a salt size of 16.
+func createSeedIfNotExists(path string) ([]byte, int, error) {
+	mxSeed.Lock()
+	defer mxSeed.Unlock()
+
+	pass, saltSize, err := getSeedV2(path)
+	if err != nil {
+		if !errors.Is(err, os.ErrNotExist) {
+			return nil, 0, err
+		}
+	}
+	if len(pass) != 0 {
+		return pass, saltSize, nil
+	}
+
+	seed, err := aesgcm.NewKey(aesgcm.AES256)
+	if err != nil {
+		return nil, 0, err
+	}
+	l := make([]byte, 4)
+	binary.LittleEndian.PutUint32(l, uint32(defaultSaltSizeV2))
+
+	err = os.WriteFile(filepath.Join(path, seedFileV2), append(seed, l...), 0600)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	return seed, defaultSaltSizeV2, nil
+}

internal/pkg/agent/vault/seed_fips_test.go

@@ -0,0 +1,110 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0;
+// you may not use this file except in compliance with the Elastic License 2.0.
+
+//go:build requirefips
+
+package vault
+
+import (
+	"encoding/binary"
+	"errors"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+
+	"github.com/elastic/elastic-agent/internal/pkg/agent/vault/aesgcm"
+)
+
+func TestGetSeedFailsV1File(t *testing.T) {
+	dir := t.TempDir()
+	fp := filepath.Join(dir, seedFile)
+
+	if _, err := os.Stat(fp); !errors.Is(err, os.ErrNotExist) {
+		t.Fatal(err)
+	}
+	seed, err := aesgcm.NewKey(aesgcm.AES256)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	err = os.WriteFile(fp, seed, 0600)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_, _, err = getSeed(dir)
+	if !errors.Is(err, os.ErrNotExist) {
+		t.Fatalf("FIPS mode must not read v1 seeds. expected error %v to be os.ErrNotExist", err)
+	}
+}
+
+func TestGetSeedV2File(t *testing.T) {
+	dir := t.TempDir()
+	fp := filepath.Join(dir, seedFileV2)
+
+	if _, err := os.Stat(fp); !errors.Is(err, os.ErrNotExist) {
+		t.Fatal(err)
+	}
+	seed, err := aesgcm.NewKey(aesgcm.AES256)
+	if err != nil {
+		t.Fatal(err)
+	}
+	l := make([]byte, 4)
+	binary.LittleEndian.PutUint32(l, uint32(defaultSaltSizeV2))
+
+	err = os.WriteFile(fp, append(seed, l...), 0600)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	b, saltSize, err := getSeed(dir)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if saltSize != defaultSaltSizeV2 {
+		t.Errorf("expected salt size to be %d, got: %d", defaultSaltSizeV2, saltSize)
+	}
+	diff := cmp.Diff(seed, b)
+	if diff != "" {
+		t.Error(diff)
+	}
+}
+
+func TestCreateSeedIfNotExists(t *testing.T) {
+	dir := t.TempDir()
+
+	fp := filepath.Join(dir, seedFile)
+	fpV2 := filepath.Join(dir, seedFileV2)
+
+	if _, err := os.Stat(fp); !errors.Is(err, os.ErrNotExist) {
+		t.Fatal(err)
+	}
+	if _, err := os.Stat(fpV2); !errors.Is(err, os.ErrNotExist) {
+		t.Fatal(err)
+	}
+
+	b, saltSize, err := createSeedIfNotExists(dir)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// V2 file should exist
+	if _, err := os.Stat(fpV2); err != nil {
+		t.Fatal(err)
+	}
+	// V1 file should not exist
+	if _, err := os.Stat(fp); !errors.Is(err, os.ErrNotExist) {
+		t.Fatal(err)
+	}
+
+	diff := cmp.Diff(seedFileSize, len(b))
+	if diff != "" {
+		t.Error(diff)
+	}
+	if saltSize != defaultSaltSizeV2 {
+		t.Errorf("expected salt size: %d got: %d", defaultSaltSizeV2, saltSize)
+	}
+}

internal/pkg/agent/vault/seed_nofips.go

@@ -0,0 +1,62 @@
+// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+// or more contributor license agreements. Licensed under the Elastic License 2.0;
+// you may not use this file except in compliance with the Elastic License 2.0.
+
+//go:build !requirefips
+
+package vault
+
+import (
+	"errors"
+	"os"
+	"path/filepath"
+
+	"github.com/elastic/elastic-agent/internal/pkg/agent/vault/aesgcm"
+)
+
+// getSeed returns the seed from the v1 .seed file
+// or fs.ErrNotExist if the bytecount does not match
+func getSeed(path string) ([]byte, int, error) {
+	mxSeed.Lock()
+	defer mxSeed.Unlock()
+
+	// Non fips only supports V1 seed
+	b, err := getSeedV1(path)
+	if err != nil {
+		return nil, 0, err
+	}
+	return b, saltSizeV1, nil
+}
+
+// checkSalt is a nop as V2 seeds are disabled for non-FIPS agents
+func checkSalt(_ int) error {
+	return nil
+}
+
+// createSeedIfNotExists returns the seed from the v1 .seed file
+// If the seed file does not exist it will create and write a new v1 seed file.
+func createSeedIfNotExists(path string) ([]byte, int, error) {
+	mxSeed.Lock()
+	defer mxSeed.Unlock()
+
+	pass, err := getSeedV1(path)
+	if err != nil {
+		if !errors.Is(err, os.ErrNotExist) {
+			return nil, 0, err
+		}
+	}
+	if len(pass) != 0 {
+		return pass, saltSizeV1, nil
+	}
+
+	seed, err := aesgcm.NewKey(aesgcm.AES256)
+	if err != nil {
+		return nil, 0, err
+	}
+	err = os.WriteFile(filepath.Join(path, seedFile), seed, 0600)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	return seed, saltSizeV1, nil
+}