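/*
 * compare two NUL-terminated strings without stopping at the first differing
 * byte, so the time taken does not depend on where (or whether) the contents
 * differ; returns 1 when the strings are equal, 0 otherwise
 */
static int oidc_proto_hash_str_equal(const char *a, const char *b) {
	unsigned char diff = 0;
	while ((*a != '\0') && (*b != '\0')) {
		diff |= (unsigned char) *a ^ (unsigned char) *b;
		a++;
		b++;
	}
	/* at least one string has ended here; both must have for the lengths to match */
	return (diff == 0) && (*a == *b);
}

/*
 * check a provided hash value (at_hash|c_hash) against a corresponding hash
 * calculated for a specified value and algorithm
 *
 * r     : request, used for logging and pool allocation
 * alg   : JWS algorithm name that selects the digest used for the hash
 * hash  : base64url-encoded hash as provided in the token claim
 * value : the value (e.g. access token or code) to calculate the hash over
 * type  : claim name used in log messages, e.g. "at_hash" or "c_hash"
 *
 * returns TRUE when the provided hash matches the calculated one, FALSE on a
 * mismatch or when no hash could be calculated/encoded
 */
static apr_byte_t oidc_proto_validate_hash(request_rec *r, const char *alg,
		const char *hash, const char *value, const char *type) {

	/* a missing provided hash or value can never validate; avoid dereferencing NULL below */
	if ((hash == NULL) || (value == NULL)) {
		oidc_error(r, "no \"%s\" hash value and/or value to hash was provided", type);
		return FALSE;
	}

	/* hash the provided value with the digest selected by the algorithm */
	char *calc = NULL;
	unsigned int hash_len = 0;
	apr_jws_hash_string(r->pool, alg, value, &calc, &hash_len);
	if (calc == NULL) {
		/* e.g. an unsupported algorithm: fail closed instead of encoding a NULL buffer */
		oidc_error(r, "could not calculate the \"%s\" hash value", type);
		return FALSE;
	}

	/*
	 * calculate the base64url-encoded value of the hash; the "/ 2" keeps only
	 * the left-most half of the digest, which is how at_hash/c_hash are defined
	 */
	char *encoded = NULL;
	oidc_base64url_encode(r, &encoded, calc, apr_jws_hash_length(alg) / 2, 1);
	if (encoded == NULL) {
		oidc_error(r, "could not encode the calculated \"%s\" hash value", type);
		return FALSE;
	}

	/* compare the calculated hash against the provided hash over the full length, without early exit */
	if (oidc_proto_hash_str_equal(encoded, hash) == 0) {
		oidc_error(r, "provided \"%s\" hash value (%s) does not match the calculated value (%s)", type, hash, encoded);
		return FALSE;
	}

	oidc_debug(r, "successfully validated the provided \"%s\" hash value (%s) against the calculated value (%s)", type, hash, encoded);
	return TRUE;
}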
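/*
 * check a provided hash value (at_hash|c_hash) against a corresponding hash
 * calculated for a specified value and algorithm
 *
 * r     : request, used for logging and pool allocation
 * alg   : JWS algorithm name that selects the digest used for the hash
 * hash  : base64url-encoded (unpadded) hash as provided in the token claim
 * value : the value (e.g. access token or code) to calculate the hash over
 * type  : claim name used in log messages, e.g. "at_hash" or "c_hash"
 *
 * returns TRUE when the provided hash is exactly the calculated one, FALSE on a
 * mismatch or when no hash could be calculated/encoded
 */
static apr_byte_t oidc_proto_validate_hash(request_rec *r, const char *alg,
		const char *hash, const char *value, const char *type) {

	/* a missing provided hash or value can never validate; avoid dereferencing NULL below */
	if ((hash == NULL) || (value == NULL)) {
		ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
				"oidc_proto_validate_hash: no \"%s\" hash value and/or value to hash was provided", type);
		return FALSE;
	}

	/* hash the provided value with the digest selected by the algorithm */
	char *calc = NULL;
	unsigned int hash_len = 0;
	apr_jws_hash_string(r->pool, alg, value, &calc, &hash_len);
	if (calc == NULL) {
		/* e.g. an unsupported algorithm: fail closed instead of encoding a NULL buffer */
		ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
				"oidc_proto_validate_hash: could not calculate the \"%s\" hash value", type);
		return FALSE;
	}

	/*
	 * calculate the base64url-encoded value of the hash; the "/ 2" keeps only
	 * the left-most half of the digest, which is how at_hash/c_hash are defined
	 */
	char *encoded = NULL;
	int enc_len = oidc_base64url_encode(r, &encoded, calc, apr_jws_hash_length(alg) / 2);
	/* enc_len includes the terminating NUL; fewer than one character plus NUL is unusable
	 * and would make the index arithmetic below read before the buffer */
	if ((encoded == NULL) || (enc_len < 2)) {
		ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
				"oidc_proto_validate_hash: could not encode the calculated \"%s\" hash value", type);
		return FALSE;
	}

	/* remove the terminating NUL and up to two trailing padding characters
	 * (',' is the padding character this encoder emits, per the original check) */
	enc_len--;
	if ((enc_len > 0) && (encoded[enc_len - 1] == ','))
		enc_len--;
	if ((enc_len > 0) && (encoded[enc_len - 1] == ','))
		enc_len--;
	if (enc_len <= 0) {
		ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
				"oidc_proto_validate_hash: calculated \"%s\" hash value is empty after removing padding", type);
		return FALSE;
	}

	/*
	 * compare the calculated hash against the provided hash: the provided value must
	 * be exactly the unpadded encoding, not merely start with it, so a provided hash
	 * with trailing bytes is rejected; hash[enc_len] is readable because strncmp only
	 * returned 0 if the first enc_len bytes of hash are non-NUL and identical
	 */
	if ((strncmp(encoded, hash, (size_t) enc_len) != 0) || (hash[enc_len] != '\0')) {
		ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
				"oidc_proto_validate_hash: provided \"%s\" hash value (%s) does not match the calculated value (%s)", type, hash, encoded);
		return FALSE;
	}

	ap_log_rerror(APLOG_MARK, OIDC_DEBUG, 0, r,
			"oidc_proto_validate_hash: successfully validated the provided \"%s\" hash value (%s) against the calculated value (%s)", type, hash, encoded);
	return TRUE;
}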