AnsweredAssumed Answered

SCRAM-SHA-1 authentication bug in Smack 4.1.8: c-nonce possible contains invalid whitespace character

Question asked by Giuseppe Moscarella on Oct 20, 2016
Latest reply on Oct 20, 2016 by Giuseppe Moscarella



I can't find a way to create an issue for smack, so i write here.


It seems that SCRAM auth is broken as I found with the help of Tigase server staff. Please see the original issue at It contains also a link to the test code.


In particular it seems that smack sends the illegal 0x20 space character in the _nonce_ part. See for legal characters.


For example:


n,,n=alice,r=D3Nqf7meC 8g'Hey*v>d!}$k5bUjyh<%


When this happens the login with valid credentials fails.