-
Notifications
You must be signed in to change notification settings - Fork 30k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto: deprecate useless authentication tag APIs #22126
crypto: deprecate useless authentication tag APIs #22126
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. I wonder how these crept in 😅
@nodejs/security-wg |
ddfff1e
to
e1d7616
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
doesn't look like we'll be breaking major modules, though I was able to find some dependents on it (i.e: https://github.com/garbados/comdb) |
@lirantal Are you sure? Why do you think they depend on these functions? |
I spotted this https://github.com/garbados/comdb/blob/9d36dd730bd70de71ebcb1986db51595f967f786/lib/crypt.js#L77 I did a simple github code search for it and there are a few occurrences but probably not a big deal. |
@lirantal There are two |
@tniessen wasn't very clear on that, thanks. |
Are those going to be affected? Some of those (if not all) might be using |
@ChALkeR The functions which will be deprecated by this PR will throw every time they are called, so it is unlikely that someone uses them (for legitimate reasons). The occurrences you listed should be unaffected. |
The APIs were probably exposed by accident. getAuthTag and setAuthTag are not a usual getter/setter pair: Getting the authentication tag only makes sense in the context of encryption, setting it only makes sense in the context of decryption. Currently, both functions throw. Neither has been documented publicly.
e1d7616
to
24bace5
Compare
Rebased, old HEAD was e1d76163029d403aeddb83c38883c730675a906f. |
PR-URL: nodejs#22126 Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
The APIs were probably exposed by accident. getAuthTag and setAuthTag are not a usual getter/setter pair: Getting the authentication tag only makes sense in the context of encryption, setting it only makes sense in the context of decryption. Currently, both functions throw. Neither has been documented publicly. PR-URL: nodejs#22126 Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
These APIs were probably exposed by accident (maybe
Cipher
andDecipher
had the same prototype at some point?).getAuthTag
andsetAuthTag
are not a usual getter/setter pair: Getting the authentication tag only makes sense in the context of encryption, setting it only makes sense in the context of encryption. Currently, both functions throw. Neither has been documented publicly.It seems appropriate to skip a documentation-only deprecation here since the functions have never been documented, at least not on these classes, and using them will only throw an error. The deprecation warning is triggered on property access, not just when calling the function, to make sure that people don't rely on the mere existence of the functions.
cc @nodejs/crypto @nodejs/security @nodejs/tsc
Checklist
make -j4 test
(UNIX), orvcbuild test
(Windows) passes