Invoking jwt_verify causing TLS termination #3434

Closed

obarash opened this issue May 4, 2023 · 1 comment

Comments
obarash commented May 4, 2023

Description

When invoking jwt_verify with an expired JWT, it causes TLS termination, with log prints from tls_server and tls_util.

While trying to debug the issue, I tried to give the method an invalid key path.
I got the following log (as expected):

failed to read key file

Then the flow continued just fine (fallback to proxy_authorization).

When I gave it a correct file path but the content was wrong, the problem still occurred.
This makes me think the problem is in the method:

static int ki_jwt_verify_key(sip_msg_t* msg, str *key, str *alg, str *claims,
		str *jwtval)

Troubleshooting

Reproduction

Use an expired JWT

Log Messages

May  4 12:52:37 kamailio01 /usr/sbin/kamailio[21921]: INFO: {1 13605 INVITE 71a5d88a-b485-43c0-bac4-a2723333efeb} <script>: request_route: method [INVITE] from [sip:1234@barash.com] to [sip:pre-arranged-conf-factory@barash.com]
May  4 12:52:37 kamailio01 /usr/sbin/kamailio[21921]: ERROR: {1 13605 INVITE 71a5d88a-b485-43c0-bac4-a2723333efeb} jwt [jwt_mod.c:514]: ki_jwt_verify(): failed to decode jwt value
May  4 12:52:37 kamailio01 /usr/sbin/kamailio[21921]: INFO: {1 13605 INVITE 71a5d88a-b485-43c0-bac4-a2723333efeb} <script>: route[AUTH] failed to verify jwt token.
May  4 12:52:37 kamailio01 /usr/sbin/kamailio[21921]: ERROR: tls [tls_server.c:1330]: tls_h_read_f(): protocol level error
May  4 12:52:37 kamailio01 /usr/sbin/kamailio[21921]: ERROR: tls [tls_util.h:51]: tls_err_ret(): TLS read:error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding (sni: dev-proxy.barash.com)
May  4 12:52:37 kamailio01 /usr/sbin/kamailio[21921]: ERROR: tls [tls_util.h:51]: tls_err_ret(): TLS read:error:04067072:rsa routines:rsa_ossl_public_decrypt:padding check failed (sni: dev-proxy.barash.com)
May  4 12:52:37 kamailio01 /usr/sbin/kamailio[21921]: ERROR: tls [tls_server.c:1334]: tls_h_read_f(): src addr: 172.19.140.11:37188
May  4 12:52:37 kamailio01 /usr/sbin/kamailio[21921]: ERROR: tls [tls_server.c:1337]: tls_h_read_f(): dst addr: 172.19.140.70:5061
May  4 12:52:37 kamailio01 /usr/sbin/kamailio[21921]: ERROR: <core> [core/tcp_read.c:1478]: tcp_read_req(): ERROR: tcp_read_req: error reading - c: 0x7f731ec677f8 r: 0x7f731ec67920 (-1)

Additional Information

  • Kamailio Version - output of kamailio -v
version: kamailio 5.6.4 (x86_64/linux) a004cf
flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLOCKLIST, HAVE_RESOLV_RES, TLS_PTHREAD_MUTEX_SHARED
ADAPTIVE_WAIT_LOOPS 1024, MAX_RECV_BUFFER_SIZE 262144, MAX_URI_SIZE 1024, BUF_SIZE 65535, DEFAULT PKG_SIZE 8MB
poll method support: poll, epoll_lt, epoll_et, sigio_rt, select.
id: a004cf
compiled on 09:56:56 Mar 22 2023 with gcc 8.3.0
  • Operating System:
No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 10 (buster)
Release:	10
Codename:	buster


Linux kamailio01.dev.wb.internal 4.19.0-23-amd64 #1 SMP Debian 4.19.269-1 (2022-12-20) x86_64 GNU/Linux
miconda (Member) commented May 8, 2023

Probably it is because of closing the TCP connection on a negative return code of the config execution, which can be controlled with:

If not, email to sr-users@lists.kamailio.org to figure out what could be wrong there and then an issue can be opened with the proper details for the problem.

@miconda miconda closed this as completed May 8, 2023
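The route pattern the maintainer's reply points at, as an added example that is not code from the issue or from the Kamailio project: a route[AUTH] that, when jwt_verify fails (expired token, bad signature, unreadable key), replies to the request and ends script execution with exit, so request_route never finishes with a negative return code. The key path, the RS256 algorithm, the claims string, the Authorization: Bearer header layout and the s.select transformation used to pull the token out of it are assumptions for illustration; jwt_verify(keypath, alg, claims, jwtval) is the module's documented signature and sl_send_reply needs the sl module loaded.

```cfg
# Added example (not from the issue or the Kamailio project).
# Assumed: public key at /etc/kamailio/jwt-pub.pem, token carried as
# "Authorization: Bearer <jwt>", sl and jwt modules loaded.
route[AUTH] {
    # take the second space-separated field of the Authorization header
    # (assumed "Bearer <jwt>" layout)
    $var(jwt) = $(hdr(Authorization){s.select,1, });
    if($var(jwt) == $null || $var(jwt) == "") {
        xlog("L_INFO", "route[AUTH] no jwt in Authorization header\n");
        sl_send_reply("401", "Unauthorized");
        exit;
    }
    if(!jwt_verify("/etc/kamailio/jwt-pub.pem", "RS256",
            "caller='$fU';callee='$tU';", "$var(jwt)")) {
        # expired token, bad signature or unreadable key all land here;
        # answer the request and stop here instead of propagating a
        # negative value out of request_route
        xlog("L_INFO", "route[AUTH] failed to verify jwt token\n");
        sl_send_reply("403", "Forbidden");
        exit;
    }
    return 1;
}

request_route {
    # ... sanity checks, loose_route handling etc.

    # AUTH has either replied and exited, or returns 1 and processing
    # continues on the same (still open) TLS connection
    route(AUTH);

    # ... routing logic
}
```

The contrast with the behaviour reported above: if AUTH instead did return -1 and request_route ended with that value (for example `if(!route(AUTH)) { return -1; }` as the last action), the core treats the negative result of config execution as a reason to close the TCP connection, which on a TLS listener shows up as the tls_h_read_f()/tcp_read_req() errors in the log. Replying with a 401 or 403 and calling exit keeps the failure visible to the client without tearing down the transport for every other dialog multiplexed on that connection.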