Stop using deprecated OpenSSL constants

rack · Jun 29, 2020 · 1245e42 · 1245e42
1 parent 1f5763d
commit 1245e42
Show file tree

Hide file tree

Showing 4 changed files with 8 additions and 4 deletions.
diff --git a/.rubocop.yml b/.rubocop.yml
@@ -55,3 +55,6 @@ Layout/IndentationStyle:
 
 Layout/TrailingWhitespace:
   Enabled: true
+
+Lint/DeprecatedOpenSSLConstant:
+  Enabled: true
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,7 @@ All notable changes to this project will be documented in this file. For info on
 - Relax validations around `Rack::Request#host` and `Rack::Request#hostname`. ([#1606](https://github.com/rack/rack/issues/1606), [@pvande](https://github.com/pvande))
 - Removed antiquated handlers: FCGI, LSWS, SCGI, Thin. ([#1658](https://github.com/rack/rack/pull/1658), [@ioquatix](https://github.com/ioquatix))
 - Removed options from `Rack::Builder.parse_file` and `Rack::Builder.load_file`. ([#1663](https://github.com/rack/rack/pull/1663), [@ioquatix](https://github.com/ioquatix))
+- HMAC argument for `Rack::Session::Cookie` doesn't accept a class constant anymore, but only a string recognized by OpenSSL (e.g. `"SHA256"`) or compatible instance (e.g. `OpenSSL::Digest.new("SHA256")`) ([#1676](https://github.com/rack/rack/pull/1676), [@bdewater](https://github.com/bdewater))
 
 ### Fixed
 

diff --git a/lib/rack/session/cookie.rb b/lib/rack/session/cookie.rb
@@ -107,7 +107,7 @@ def decode(str); str; end
 
       def initialize(app, options = {})
         @secrets = options.values_at(:secret, :old_secret).compact
-        @hmac = options.fetch(:hmac, OpenSSL::Digest::SHA1)
+        @hmac = options.fetch(:hmac, "SHA1")
 
         warn <<-MSG unless secure?(options)
         SECURITY WARNING: No secret option provided to Rack::Session::Cookie.
@@ -191,7 +191,7 @@ def digest_match?(data, digest)
       end
 
       def generate_hmac(data, secret)
-        OpenSSL::HMAC.hexdigest(@hmac.new, secret, data)
+        OpenSSL::HMAC.hexdigest(@hmac, secret, data)
       end
 
       def secure?(options)

diff --git a/test/spec_session_cookie.rb b/test/spec_session_cookie.rb
@@ -333,8 +333,8 @@ def decode(str); @calls << :decode; str; end
     response.body.must_equal '{"counter"=>2}'
   end
 
-  it "supports custom digest class" do
-    app = [incrementor, { secret: "test", hmac: OpenSSL::Digest::SHA256 }]
+  it "supports custom digest instance" do
+    app = [incrementor, { secret: "test", hmac: OpenSSL::Digest.new("SHA256") }]
 
     response = response_for(app: app)
     response = response_for(app: app, cookie: response)