feat(fips): disallow non-compliant crypto in fingerprint processor

[kruskall]

Proposed commit message

do not allow md5 and sha1 config values in fingerprint processor

Checklist

• My code follows the style guidelines of this project
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

Disruptive User Impact

Author's Checklist

• [ ]

How to test this PR locally

Related issues

Use cases

Screenshots

Logs

[botelastic]

This pull request doesn't have a Team:<team> label.

[mergify]

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @kruskall? 🙏.
For such, you'll need to label your PR with:

• The upcoming major version of the Elastic Stack
• The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit

[leehinman]

Nit.

Could we maybe move to where we have 2 slices, one FIPS approved and one Non-FIPS approved. Then something in a build tag that controls merging them into a slice with the correct values. What I've seen in previous FIPS approved products, keeping 2 separate lists in 2 separate files makes it very easy for them to get out of sync.

Even better if we could have one place in libbeat to update the list of approved hashes functions.

[kruskall]

mmh, that's the point. The two slices should be separate, they should never/not be synced. Any addition of a new hash method should not be automatically added in fips mode. It must be a manual process/decision.

[leehinman]

I was thinking of something like this:

// hash.go
// no build tag

var hashes = map[string]namedHashMethod{}

var fipsApprovedHashes = []namedHashMethod{
	{Name: "sha512", Hash: sha512.New},
}

//hash_fips.go
////go:build requirefips

func init() {
	for _, h := range fipsApprovedHashes {
		hashes[h.Name] = h
	}
}

//hash_nofips.go
//go:build !requirefips

var nonFipsApprovedHashes = []namedHashMethod{
	{Name: "md5", Hash: md5.New},
}

func init() {
	for _, h := range fipsApprovedHashes {
		hashes[h.Name] = h
	}
	for _, h := range nonFipsApprovedHashes {
		hashes[h.Name] = h
	}
}

FIPS
hashes = fipsApprovedHashes

NonFips
hashes = fipsApprovedHashes + nonFipsApprovedHashes