-
Notifications
You must be signed in to change notification settings - Fork 30.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto: deprecate digest == null in PBKDF2 #22861
crypto: deprecate digest == null in PBKDF2 #22861
Conversation
cc @nodejs/tsc @nodejs/security-wg @nodejs/crypto |
doc/api/deprecations.md
Outdated
--> | ||
|
||
Type: End-of-Life | ||
Type: Runtime | ||
|
||
Use of the [`crypto.pbkdf2()`][] API without specifying a digest was deprecated | ||
in Node.js 6.0 because the method defaulted to using the non-recommended | ||
`'SHA1'` digest. Previously, a deprecation warning was printed. Starting in | ||
Node.js 8.0.0, calling `crypto.pbkdf2()` or `crypto.pbkdf2Sync()` with an |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
an -> a
lib/internal/crypto/pbkdf2.js
Outdated
@@ -55,6 +55,11 @@ function check(password, salt, iterations, keylen, digest, callback) { | |||
if (typeof digest !== 'string') { | |||
if (digest !== null) | |||
throw new ERR_INVALID_ARG_TYPE('digest', ['string', 'null'], digest); | |||
if (process.noDeprecation !== true) { | |||
process.emitWarning( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If I'm not wrong this is emitted every time check()
is called, is this wanted?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
check
is called once per crypto.pbkdf2
/ crypto.pbkdf2Sync
call. Would you prefer to only warn once throughout the whole execution?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I think it's better. As is it may create too much noise.
@lpinca I rewrote it to use the CI: https://ci.nodejs.org/job/node-test-pull-request/17234/ |
I assume that permitting digest === null was unintentional when digest === undefined was deprecated since their behavior was equivalent. The sha1 default for digest === null has somehow made it through refactoring of the PBKDF2 module multiple times, even though digest === undefined has been EOL for some time now. This change deprecates setting digest to null so we can fix the behavior in Node.js 12 or so.
3aef5e5
to
6bcfb6f
Compare
Rebased on top of #22858. New CI: https://ci.nodejs.org/job/node-test-pull-request/17288/ |
Landed in 19ad6b8, thanks for reviewing. |
I assume that permitting digest === null was unintentional when digest === undefined was deprecated since their behavior was equivalent. The sha1 default for digest === null has somehow made it through refactoring of the PBKDF2 module multiple times, even though digest === undefined has been EOL for some time now. This change deprecates setting digest to null so we can fix the behavior in Node.js 12 or so. PR-URL: #22861 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: James M Snell <[email protected]>
I assume that permitting
digest === null
was unintentional whendigest === undefined
was deprecated since their behavior was equivalent. Thesha1
default fordigest === null
has somehow made it through refactoring of the PBKDF2 module multiple times, even thoughdigest === undefined
has been EOL for some time now.This change deprecates setting
digest
tonull
so we can fix the behavior in Node.js 12 or so.Checklist
make -j4 test
(UNIX), orvcbuild test
(Windows) passes