Using a different algorithm for JWT authentication causes ejabberd_c2s to restart #3890

Closed
sloonz opened this issue Aug 30, 2022 · 3 comments

Comments


sloonz commented Aug 30, 2022

Environment

  • ejabberd version: current master (cfc8746)
  • Erlang version: Erlang (SMP,ASYNC_THREADS) (BEAM) emulator version 13.0.3
  • OS: Linux (Arch)
  • Installed from: source

Errors from error.log/crash.log

2022-08-30 18:01:36.679347+02:00 [error] SUPERVISOR REPORT:
    supervisor: {local,ejabberd_c2s_sup}
    errorContext: child_terminated
    reason: {function_clause,
                [{jose_jwk_kty_okp_ed25519,verify,
                     [<<"eyJhbGciOiJSUzI1NiJ9.eyJqaWQiOiJ6ZXJnMUBsb2NhbGhvc3QiLCJpYXQiOjE2NjE4NzUyOTQsImV4cCI6MTY2MTg4MjQ5NH0">>,
                      'RS256',
                      <<100,2,4,7,124,138,145,102,9,39,51,24,98,232,225,82,48,
                        241,28,161,132,235,8,25,102,81,249,180,235,104,219,45,
                        74,24,189,143,66,183,223,89,99,226,189,63,116,11,52,
                        207,203,60,212,110,133,228,57,137,77,111,92,89,29,139,
                        228,51,1,118,180,13,191,98,4,159,146,230,74,85,142,181,
                        47,179,130,252,119,0,205,236,51,76,241,195,159,152,13,
                        78,222,221,95,45,47,190,153,189,168,165,64,120,202,246,
                        148,38,193,135,222,108,229,158,227,113,222,95,205,33,
                        52,138,38,254,98,58,20,229,154,95,43,24,51,26,56,39,97,
                        6,9,135,55,253,150,169,114,115,94,84,204,171,45,89,36,
                        253,61,107,221,1,36,158,73,63,229,166,251,232,238,33,
                        202,33,98,156,119,226,166,181,146,16,89,8,200,172,71,
                        59,138,12,34,141,104,195,112,185,92,177,35,199,56,32,
                        233,255,76,120,7,94,141,114,2,101,141,229,207,18,59,
                        111,20,185,94,185,90,90,243,10,150,35,98,207,135,245,
                        244,152,115,180,16,198,155,144,96,36,44,191,35,37,250,
                        37,196,134,100,229,42,249,137,189,123,108>>,
                      <<40,152,223,215,229,51,235,14,91,158,77,67,227,239,194,
                        148,107,233,247,24,115,31,49,111,136,90,40,19,163,9,
                        247,47>>],
                     [{file,
                          "/home/sloonz/workspace/ejabberd/_build/default/lib/jose/src/jwk/jose_jwk_kty_okp_ed25519.erl"},
                      {line,151}]},
                 {jose_jws,verify,2,
                     [{file,
                          "/home/sloonz/workspace/ejabberd/_build/default/lib/jose/src/jws/jose_jws.erl"},
                      {line,379}]},
                 {jose_jwt,verify,2,
                     [{file,
                          "/home/sloonz/workspace/ejabberd/_build/default/lib/jose/src/jwt/jose_jwt.erl"},
                      {line,189}]},
                 {ejabberd_auth_jwt,check_jwt_token,3,
                     [{file,
                          "/home/sloonz/workspace/ejabberd/src/ejabberd_auth_jwt.erl"},
                      {line,124}]},
                 {ejabberd_auth_jwt,check_password,4,
                     [{file,
                          "/home/sloonz/workspace/ejabberd/src/ejabberd_auth_jwt.erl"},
                      {line,76}]},
                 {ejabberd_auth,db_check_password,7,
                     [{file,
                          "/home/sloonz/workspace/ejabberd/src/ejabberd_auth.erl"},
                      {line,691}]},
                 {ejabberd_auth,'-check_password_with_authmodule/6-fun-0-',8,
                     [{file,
                          "/home/sloonz/workspace/ejabberd/src/ejabberd_auth.erl"},
                      {line,248}]},
                 {lists,foldl,3,[{file,"lists.erl"},{line,1350}]},
                 {ejabberd_auth,check_password_with_authmodule,6,
                     [{file,
                          "/home/sloonz/workspace/ejabberd/src/ejabberd_auth.erl"},
                      {line,246}]},
                 {xmpp_sasl_plain,mech_step,2,
                     [{file,
                          "/home/sloonz/workspace/ejabberd/_build/default/lib/xmpp/src/xmpp_sasl_plain.erl"},
                      {line,42}]},
                 {xmpp_sasl,server_step,2,
                     [{file,
                          "/home/sloonz/workspace/ejabberd/_build/default/lib/xmpp/src/xmpp_sasl.erl"},
                      {line,125}]},
                 {xmpp_stream_in,process_sasl_request,2,
                     [{file,
                          "/home/sloonz/workspace/ejabberd/_build/default/lib/xmpp/src/xmpp_stream_in.erl"},
                      {line,906}]},
                 {xmpp_stream_in,handle_info,2,
                     [{file,
                          "/home/sloonz/workspace/ejabberd/_build/default/lib/xmpp/src/xmpp_stream_in.erl"},
                      {line,411}]},
                 {p1_server,handle_msg,8,
                     [{file,
                          "/home/sloonz/workspace/ejabberd/_build/default/lib/p1_utils/src/p1_server.erl"},
                      {line,696}]},
                 {proc_lib,init_p_do_apply,3,
                     [{file,"proc_lib.erl"},{line,240}]}]}
    offender: [{pid,<0.6776.0>},
               {id,undefined},
               {mfargs,{ejabberd_c2s,start_link,undefined}},
               {restart_type,temporary},
               {significant,false},
               {shutdown,5000},
               {child_type,worker}]

Bug description

If there is a discrepancy between the key algorithm (in my case, EdDSA with Ed25519) configured in auth_method and the jwt algorithm sent by the client (here, RS256), ejabberd_c2s crashes (see error above) and closes the connection instead of properly sending a not-authorized error.
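The failure mode described above, as an added Python example that is not ejabberd's code: check the alg claimed in the token header against the key algorithm the server is configured for before calling the verifier, and turn any exception the verifier raises into a plain not-authorized result instead of a process crash. The `verify` callable, `expected_alg` and the appended signature placeholder are assumptions; the header and payload segments are the signing input that appears in the crash report.

```python
import base64
import json
import logging
from typing import Callable, Optional

# Constructed sample: the header.payload signing input from the crash report
# above (header {"alg":"RS256"}, payload {"jid":"zerg1@localhost",...}) with a
# placeholder signature segment, since the log does not contain the real one.
TOKEN_RS256 = (
    "eyJhbGciOiJSUzI1NiJ9."
    "eyJqaWQiOiJ6ZXJnMUBsb2NhbGhvc3QiLCJpYXQiOjE2NjE4NzUyOTQsImV4cCI6MTY2MTg4MjQ5NH0."
    "AAAA"
)

log = logging.getLogger("auth_jwt")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def peek_alg(token: str) -> Optional[str]:
    """Return the 'alg' claimed in the JOSE header, or None if the token is malformed."""
    try:
        header = json.loads(_b64url_decode(token.split(".")[0]).decode("utf-8"))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return None
    return header.get("alg") if isinstance(header, dict) else None


def check_jwt_token(token: str, expected_alg: str, verify: Callable[[str], bool]) -> bool:
    """Mirror of the ejabberd check: True only for a verified token, False for every
    failure mode, never an exception. `verify` is a hypothetical stand-in for the
    library call (jose_jwt:verify/2 in the report) and raises on algorithm mismatch."""
    alg = peek_alg(token)
    if alg != expected_alg:
        # Reject before the library sees a key/alg pair it cannot handle.
        log.debug("jwt rejected: header alg %r, configured %r", alg, expected_alg)
        return False
    try:
        return bool(verify(token))
    except Exception as exc:
        # The equivalent of widening error:{badarg,_} to error:_ : any library crash
        # becomes not-authorized. Log the exception class only, never the key or token.
        log.debug("jwt rejected: verifier raised %s", type(exc).__name__)
        return False
```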


badlop commented Aug 31, 2022

Looking at

try jose_jwt:verify(JWK, Token) of

ejabberd calls jose inside a try ... catch. I'd say this should catch the crash from jose, but it only catches error:{badarg, _}.

You could try a patch like this, to check if ejabberd is able to catch those crashes. In that case, it should be possible to catch it and return some nice response:

diff --git a/src/ejabberd_auth_jwt.erl b/src/ejabberd_auth_jwt.erl
index f38600bc7..884cf3d8d 100644
--- a/src/ejabberd_auth_jwt.erl
+++ b/src/ejabberd_auth_jwt.erl
@@ -147,5 +147,9 @@ check_jwt_token(User, Server, Token) ->
             false
     catch
         error:{badarg, _} ->
+            false;
+        A:B ->
+            ?INFO_MSG("jose_jwt:verify failed ~n for: ~p~n with: ~p",
+                      [{JWK, Token}, {A, B}]),
             false
     end.
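Review bot: the new A:B clause logs {JWK, Token} at info level, which writes the configured key material and the client's bearer token into the log for every mismatched or malformed token; log only the exception class and reason, e.g. `?INFO_MSG("jose_jwt:verify failed with: ~p", [{A, B}])`, and at debug level as the upstream change later did. A:B also matches throw and exit, not only error, so a deliberate exit of the process would be converted into `false`; `error:_` is the narrower match the reporter applied locally. With the catch-all in place the preceding `error:{badarg, _} -> false;` clause is redundant and could be folded into it.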


sloonz commented Aug 31, 2022

I already fixed the issue locally by replacing error:{badarg, _} by error:_.


badlop commented Sep 1, 2022

Ok, I've applied a similar change upstream, but logging the problems at debug level.

@badlop badlop closed this as completed Sep 1, 2022