crypto: upgrade pbkdf2 without digest to an error

Commit a116358 added a deprecation warning when pbkdf2 was called without an
explicit `digest` argument. This was because the default digest is `sha1`,
which is not-recommended from a security point of view. This upgrades it
to a runtime error when `digest` is undefined per the plan discussed in
the original issue.

Ref: a116358

PR-URL: #11305
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Fedor Indutny <[email protected]>
Reviewed-By: Jeremiah Senkpiel <[email protected]>

Author: jasnell

doc/api/deprecations.md

@@ -115,10 +115,13 @@ to the `constants` property exposed by the relevant module. For instance,
 <a id="DEP0009"></a>
 ### DEP0009: crypto.pbkdf2 without digest
 
-Type: Runtime
+Type: End-of-life
 
-Use of the [`crypto.pbkdf2()`][] API without specifying a digest is deprecated.
-Please specify a digest.
+Use of the [`crypto.pbkdf2()`][] API without specifying a digest was deprecated
+in Node.js 6.0 because the method defaulted to using the non-recommendend
+`'SHA1'` digest. Previously, a deprecation warning was printed. Starting in
+Node.js 8.0.0, calling `crypto.pbkdf2()` or `crypto.pbkdf2Sync()` with an
+undefined `digest` will throw a `TypeError`.
 
 <a id="DEP0010"></a>
 ### DEP0010: crypto.createCredentials

lib/crypto.js

@@ -537,11 +537,6 @@ ECDH.prototype.getPublicKey = function getPublicKey(encoding, format) {
 };
 
 
-const pbkdf2DeprecationWarning =
-    internalUtil.deprecate(() => {}, 'crypto.pbkdf2 without specifying' +
-      ' a digest is deprecated. Please specify a digest', 'DEP0009');
-
-
 exports.pbkdf2 = function(password,
                           salt,
                           iterations,
@@ -551,7 +546,6 @@ exports.pbkdf2 = function(password,
   if (typeof digest === 'function') {
     callback = digest;
     digest = undefined;
-    pbkdf2DeprecationWarning();
   }
 
   if (typeof callback !== 'function')
@@ -562,15 +556,17 @@ exports.pbkdf2 = function(password,
 
 
 exports.pbkdf2Sync = function(password, salt, iterations, keylen, digest) {
-  if (typeof digest === 'undefined') {
-    digest = undefined;
-    pbkdf2DeprecationWarning();
-  }
   return pbkdf2(password, salt, iterations, keylen, digest);
 };
 
 
 function pbkdf2(password, salt, iterations, keylen, digest, callback) {
+
+  if (digest === undefined) {
+    throw new TypeError(
+        'The "digest" argument is required and must not be undefined');
+  }
+
   password = toBuf(password);
   salt = toBuf(salt);
 

test/parallel/test-crypto-domains.js

@@ -19,7 +19,7 @@ d.run(function() {
   one();
 
   function one() {
-    crypto.pbkdf2('a', 'b', 1, 8, function() {
+    crypto.pbkdf2('a', 'b', 1, 8, 'sha1', function() {
       two();
       throw new Error('pbkdf2');
     });

test/parallel/test-crypto-pbkdf2.js

@@ -96,3 +96,11 @@ assert.doesNotThrow(() => {
     assert.ifError(e);
   }));
 });
+
+assert.throws(() => {
+  crypto.pbkdf2('password', 'salt', 8, 8, function() {});
+}, /^TypeError: The "digest" argument is required and must not be undefined$/);
+
+assert.throws(() => {
+  crypto.pbkdf2Sync('password', 'salt', 8, 8);
+}, /^TypeError: The "digest" argument is required and must not be undefined$/);

test/parallel/test-domain-crypto.js

@@ -19,4 +19,4 @@ crypto.randomBytes(8);
 crypto.randomBytes(8, function() {});
 crypto.pseudoRandomBytes(8);
 crypto.pseudoRandomBytes(8, function() {});
-crypto.pbkdf2('password', 'salt', 8, 8, function() {});
+crypto.pbkdf2('password', 'salt', 8, 8, 'sha1', function() {});