lib/rack/session/smart_cookie.rb in rack-session-smart_cookie-0.1.3 vs lib/rack/session/smart_cookie.rb in rack-session-smart_cookie-0.1.4

@@ -1,17 +1,17 @@
 # frozen_string_literal: true
 require 'rack/session/smart_cookie/version'
 
 require 'base64'
 require 'msgpack'
-require 'openssl'
+require 'openssl/digest'
 require 'rack/session/cookie'
 
 module Rack
   module Session
     class SmartCookie < Cookie
-      BAD_DIGESTS = %w[MD2 MD4 MD5 SHA SHA1].freeze
+      BAD_DIGESTS = %w[MD2 MD4 MD5 SHA].freeze
       DEFAULT_DIGEST = 'SHA256'
       SECRET_MIN_BYTESIZE = 16
 
       class Base64
         if ::Base64.respond_to?(:urlsafe_encode64) && ::Base64.method(:urlsafe_encode64).arity.abs >= 2
@@ -31,20 +31,11 @@
           end
 
           def self.decode(str)
             return unless str
 
-            num_pad_chars =
-              case str.bytesize % 4
-              when 0 then 0
-              when 2 then 2
-              when 3 then 1
-              else
-                fail 'Invalid Base64-encoded string!'
-              end
-
-            ::Base64.urlsafe_decode64(str + '=' * num_pad_chars)
+            ::Base64.urlsafe_decode64(str + '=' * (-str.bytesize % 4))
           rescue
           end
         end
       end
 
@@ -77,11 +68,11 @@
         end
       end
 
       def initialize(app, options={})
         options[:coder] ||= MessagePack.new
-        options[:hmac] = OpenSSL::Digest.const_get(DEFAULT_DIGEST) unless options.key?(:hmac)
+        options[:hmac] = OpenSSL::Digest(DEFAULT_DIGEST) unless options.key?(:hmac)
 
         super
 
         if @secrets.any?
           hmac = options[:hmac].new
@@ -89,13 +80,13 @@
           warn <<-MSG if BAD_DIGESTS.include?(hmac.name)
         SECURITY WARNING: You have elected to use an old and insecure message
         digest algorithm (#{hmac.class}).
 
         Such algorithms are generally considered to be effectively broken. It
-        is strongly recommended that you elect to use a message digest algorithm
-        from the SHA2 family: SHA224, SHA256, SHA384, or SHA512, or one of the
-        derivatives such as SHA512/256. This will help prevent exploits that
-        may be possible from crafted cookies.
+        is strongly recommended that you elect to use a message digest
+        algorithm from the SHA2 family: SHA224, SHA256, SHA384, or SHA512, or
+        one of the derivatives such as SHA512/256. This will help prevent
+        exploits that may be possible from crafted cookies.
 
         Called from: #{caller[0]}.
           MSG
 
           unless (SECRET_MIN_BYTESIZE..hmac.block_length).cover?(@secrets.first.bytesize)