From 1245e423fabeb04cc493b3eaddbd2625f7331b7f Mon Sep 17 00:00:00 2001
From: Bart de Water
Date: Sun, 28 Jun 2020 12:51:51 -0400
Subject: [PATCH] Stop using deprecated OpenSSL constants
---
 .rubocop.yml | 3 +++
 CHANGELOG.md | 1 +
 lib/rack/session/cookie.rb | 4 ++--
 test/spec_session_cookie.rb | 4 ++--
 4 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/.rubocop.yml b/.rubocop.yml
index e759a2790..0533cc501 100644
--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -55,3 +55,6 @@ Layout/IndentationStyle:
 Layout/TrailingWhitespace:
  Enabled: true
+
+Lint/DeprecatedOpenSSLConstant:
+ Enabled: true
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e91cafde4..14ddf82dc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@ All notable changes to this project will be documented in this file. For info on
 - Relax validations around `Rack::Request#host` and `Rack::Request#hostname`. ([#1606](https://github.com/rack/rack/issues/1606), [@pvande](https://github.com/pvande))
 - Removed antiquated handlers: FCGI, LSWS, SCGI, Thin. ([#1658](https://github.com/rack/rack/pull/1658), [@ioquatix](https://github.com/ioquatix))
 - Removed options from `Rack::Builder.parse_file` and `Rack::Builder.load_file`. ([#1663](https://github.com/rack/rack/pull/1663), [@ioquatix](https://github.com/ioquatix))
+- HMAC argument for `Rack::Session::Cookie` doesn't accept a class constant anymore, but only a string recognized by OpenSSL (e.g. `"SHA256"`) or compatible instance (e.g. `OpenSSL::Digest.new("SHA256")`) ([#1676](https://github.com/rack/rack/pull/1676), [@bdewater](https://github.com/bdewater))
 ### Fixed
diff --git a/lib/rack/session/cookie.rb b/lib/rack/session/cookie.rb
index 737c0b33b..773d0b8f9 100644
--- a/lib/rack/session/cookie.rb
+++ b/lib/rack/session/cookie.rb
@@ -107,7 +107,7 @@ def decode(str); str; end
  def initialize(app, options = {})
  @secrets = options.values_at(:secret, :old_secret).compact
- @hmac = options.fetch(:hmac, OpenSSL::Digest::SHA1)
+ @hmac = options.fetch(:hmac, "SHA1")
  warn <<-MSG unless secure?(options)
  SECURITY WARNING: No secret option provided to Rack::Session::Cookie.
@@ -191,7 +191,7 @@ def digest_match?(data, digest)
  end
  def generate_hmac(data, secret)
- OpenSSL::HMAC.hexdigest(@hmac.new, secret, data)
+ OpenSSL::HMAC.hexdigest(@hmac, secret, data)
  end
  def secure?(options)
diff --git a/test/spec_session_cookie.rb b/test/spec_session_cookie.rb
index ce85ba321..875c883ec 100644
--- a/test/spec_session_cookie.rb
+++ b/test/spec_session_cookie.rb
@@ -333,8 +333,8 @@ def decode(str); @calls << :decode; str; end
  response.body.must_equal '{"counter"=>2}'
  end
- it "supports custom digest class" do
- app = [incrementor, { secret: "test", hmac: OpenSSL::Digest::SHA256 }]
+ it "supports custom digest instance" do
+ app = [incrementor, { secret: "test", hmac: OpenSSL::Digest.new("SHA256") }]
  response = response_for(app: app)
  response = response_for(app: app, cookie: response)
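Review bot: The `:hmac` option is stored unchecked in `initialize` (first hunk of lib/rack/session/cookie.rb), so a caller still passing a class constant such as `OpenSSL::Digest::SHA256`, which the CHANGELOG entry says is no longer accepted, will presumably only fail once `generate_hmac` (second hunk) hands the value to `OpenSSL::HMAC.hexdigest` while a request is being served. Rejecting it at construction would surface the breaking change at boot instead of on the session-signing path: `raise ArgumentError, "hmac must be a digest name or an OpenSSL::Digest instance" if @hmac.is_a?(Class)`. The default also stays on SHA-1 for the cookie MAC; a one-line comment next to `options.fetch(:hmac, "SHA1")` stating whether that is deliberate (changing it would invalidate cookies already issued) would help the next reader. `initialize` continues beyond the hunk.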
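Review bot: The renamed spec in test/spec_session_cookie.rb exercises only the instance form, `hmac: OpenSSL::Digest.new("SHA256")`; the string form that the CHANGELOG entry documents as the other accepted value is not covered by a custom-digest example in this hunk. A sibling example using `hmac: "SHA256"` would pin both accepted shapes, and one asserting that `hmac: OpenSSL::Digest::SHA256` is rejected would pin the breaking change itself. The `it` block continues past the end of the hunk, so other assertions may exist that are not visible here.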