
OIDC Session decoding fails when OIDCSessionType client-cookie #1046

Closed
zandbelt opened this issue Apr 13, 2023 Discussed in #1045 · 0 comments

Discussed in #1045

Originally posted by oss-aimoto April 13, 2023
Version in which this occurred: 2.4.13.2

In an environment configured with OIDCSessionType client-cookie, access after login failed to validate the session and redirected to OP.
The following is output to the Apache error log.

[Thu Apr 13 10:04:09.117394 2023] [auth_openidc:error] [pid 103699] [client 172.16.17.21:51280] oidc_util_jwt_verify: parsing JWT failed: [src/jose.c:901: oidc_jose_zlib_uncompress]: inflate failed
[Thu Apr 13 10:04:09.117493 2023] [auth_openidc:error] [pid 103699] [client 172.16.17.21:51280] oidc_session_decode: could not verify secure JWT: cache value possibly corrupted

I'm using zlib for session compression in my environment. I checked and found that the inflate function on line 900 returns -5 (Z_BUF_ERROR).

 899         inflateInit(&zlib);
 900         if (inflate(&zlib, Z_FINISH) != Z_STREAM_END) {
 901                 oidc_jose_error(err, "inflate failed");
 902                 return FALSE;
 903         }

The buffer size is fixed at input data × 4. Z_BUF_ERROR is returned if the uncompressed data is larger than 4 times the input data.

 896         zlib.avail_out = (uInt) (input_len * 4);

May I send a pull request?
master...oss-aimoto:mod_auth_openidc:fix_uncompress_buffer
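To make the failure mode concrete, here is an added example (not code from mod_auth_openidc or from the issue author) that reproduces the same zlib behaviour through Python's zlib binding: `uncompress_fixed` mirrors the single inflate into an output buffer of input_len × 4 bytes from jose.c, and `uncompress_growing` shows the alternative of inflating until end-of-stream without assuming an expansion ratio. The function names, the constructed sample payload and the 1 MiB inflation cap are assumptions of this example, not part of the project; the cap is there because a growing buffer should still bound how far a client-supplied cookie is allowed to inflate.

```python
import zlib

# Constructed sample: a highly compressible session payload standing in for
# the deflated session JWT payload. It inflates to far more than 4x its
# deflated size, which is exactly the case the fixed buffer cannot handle.
SAMPLE_PLAINTEXT = b'{"sub":"user@example.com","groups":"' + b"A" * 4000 + b'"}'


def deflate(payload: bytes) -> bytes:
    """Compress a payload the way a session value would be before encoding."""
    return zlib.compress(payload)


SAMPLE_DEFLATED = deflate(SAMPLE_PLAINTEXT)


def uncompress_fixed(data: bytes, factor: int = 4):
    """Mimic the original oidc_jose_zlib_uncompress: one inflate call into an
    output buffer of input_len * factor bytes.  Returns (ok, output).

    In the C code the symptom is inflate(Z_FINISH) returning Z_BUF_ERROR rather
    than Z_STREAM_END; with Python's zlib binding the equivalent signal is that
    the decompressor has not reached end-of-stream after the size-capped call.
    """
    d = zlib.decompressobj()
    try:
        out = d.decompress(data, max_length=len(data) * factor)
    except zlib.error:
        return False, b""
    if not d.eof:
        # Output buffer too small (or stream truncated/corrupt): treat as a
        # failed decode, exactly as mod_auth_openidc does.
        return False, out
    return True, out


def uncompress_growing(data: bytes, in_chunk: int = 16, max_output: int = 1 << 20):
    """Inflate without assuming a fixed expansion ratio: feed the input in
    chunks and let the output grow until end-of-stream.  A hard cap on the
    inflated size (assumption: 1 MiB here) keeps a crafted, highly
    compressible cookie from inflating without bound.  Returns (ok, output)."""
    d = zlib.decompressobj()
    out = bytearray()
    try:
        for i in range(0, len(data), in_chunk):
            out += d.decompress(data[i:i + in_chunk])
            if len(out) > max_output:
                return False, bytes(out)   # refuse oversized inflation
            if d.eof:
                break
    except zlib.error:
        return False, bytes(out)           # corrupt deflate stream
    if not d.eof:
        return False, bytes(out)           # truncated: no Z_STREAM_END seen
    return True, bytes(out)


if __name__ == "__main__":
    ok, out = uncompress_fixed(SAMPLE_DEFLATED)
    print("fixed 4x buffer:", ok, len(out), "of", len(SAMPLE_PLAINTEXT), "bytes")
    ok, out = uncompress_growing(SAMPLE_DEFLATED)
    print("growing buffer: ", ok, len(out), "of", len(SAMPLE_PLAINTEXT), "bytes")
```

Run stand-alone, the first line reports a failed decode with at most 4 × the deflated size recovered, while the second recovers the whole payload; small payloads that fit within the 4× ratio decode fine either way, which is why the bug only shows up with larger session contents.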
