crypto: deprecate digest == null in PBKDF2 #22861
Conversation
tniessen
added
the
semver-major
nodejs-github-bot
added
the
crypto
|
cc @nodejs/tsc @nodejs/security-wg @nodejs/crypto |
doc/api/deprecations.md
Outdated
| --> | ||
|
|
||
| Type: End-of-Life | ||
| Type: Runtime | ||
|
|
||
| Use of the [`crypto.pbkdf2()`][] API without specifying a digest was deprecated | ||
| in Node.js 6.0 because the method defaulted to using the non-recommended | ||
| `'SHA1'` digest. Previously, a deprecation warning was printed. Starting in | ||
| Node.js 8.0.0, calling `crypto.pbkdf2()` or `crypto.pbkdf2Sync()` with an |
lib/internal/crypto/pbkdf2.js
Outdated
| @@ -55,6 +55,11 @@ function check(password, salt, iterations, keylen, digest, callback) { | |||
| if (typeof digest !== 'string') { | |||
| if (digest !== null) | |||
| throw new ERR_INVALID_ARG_TYPE('digest', ['string', 'null'], digest); | |||
| if (process.noDeprecation !== true) { | |||
| process.emitWarning( | |||
There was a problem hiding this comment.
If I'm not wrong this is emitted every time check() is called, is this wanted?
There was a problem hiding this comment.
check is called once per crypto.pbkdf2 / crypto.pbkdf2Sync call. Would you prefer to only warn once throughout the whole execution?
There was a problem hiding this comment.
Yes, I think it's better. As is it may create too much noise.
|
@lpinca I rewrote it to use the CI: https://ci.nodejs.org/job/node-test-pull-request/17234/ |
I assume that permitting digest === null was unintentional when digest === undefined was deprecated since their behavior was equivalent. The sha1 default for digest === null has somehow made it through refactoring of the PBKDF2 module multiple times, even though digest === undefined has been EOL for some time now. This change deprecates setting digest to null so we can fix the behavior in Node.js 12 or so.
tniessen
force-pushed
the
crypto-fix-pbkdf2-behavior-for-digest-null
branch
from
3aef5e5
to
6bcfb6f
Compare
|
Rebased on top of #22858. New CI: https://ci.nodejs.org/job/node-test-pull-request/17288/ |
|
Landed in 19ad6b8, thanks for reviewing. |
I assume that permitting digest === null was unintentional when digest === undefined was deprecated since their behavior was equivalent. The sha1 default for digest === null has somehow made it through refactoring of the PBKDF2 module multiple times, even though digest === undefined has been EOL for some time now. This change deprecates setting digest to null so we can fix the behavior in Node.js 12 or so. PR-URL: #22861 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: James M Snell <[email protected]>
I assume that permitting
digest === nullwas unintentional whendigest === undefinedwas deprecated since their behavior was equivalent. Thesha1default fordigest === nullhas somehow made it through refactoring of the PBKDF2 module multiple times, even thoughdigest === undefinedhas been EOL for some time now.This change deprecates setting
digesttonullso we can fix the behavior in Node.js 12 or so.Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passes