SCRAM-SHA-1 authentication bug in Smack 4.1.8: c-nonce possible contains invalid whitespace character

Giuseppe_Moscarella · October 20, 2016, 2:31pm

Hi,

I can’t find a way to create an issue for smack, so i write here.

It seems that SCRAM auth is broken as I found with the help of Tigase server staff. Please see the original issue at https://projects.tigase.org/issues/4678. It contains also a link to the test code.

In particular it seems that smack sends the illegal 0x20 space character in the nonce part. See https://tools.ietf.org/html/rfc5802#section-7 for legal characters.

For example:

n,,n=alice,r=D3Nqf7meC 8g'Hey*v>d!}$k5bUjyh<%

When this happens the login with valid credentials fails.

Flow · October 20, 2016, 3:02pm

Created SMACK-735 and uploaded Smack 4.1.9-SNAPSHOT. Thanks for reporting this! And thanks to the Tigase guys for providing a detailed analysis.

Giuseppe_Moscarella · October 20, 2016, 3:49pm

Thank you for your quick feedback. I’ll try 4.1.9-SNAPSHOT asap.