SCRAM-SHA-1 authentication bug in Smack 4.1.8: c-nonce possibly contains invalid whitespace character

Question asked by Giuseppe Moscarella on Oct 20, 2016
Latest reply on Oct 20, 2016 by Giuseppe Moscarella

Hi,

I can't find a way to create an issue for Smack, so I write here.

It seems that SCRAM auth is broken, as I found with the help of Tigase server staff. Please see the original issue at https://projects.tigase.org/issues/4678. It also contains a link to the test code.

In particular, it seems that Smack sends the illegal 0x20 space character in the _nonce_ part. See https://tools.ietf.org/html/rfc5802#section-7 for the legal characters.

For example:

n,,n=alice,r=D3Nqf7meC 8g'Hey*v>d!}$k5bUjyh<%

When this happens, the login with valid credentials fails.
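As an added example (not code from the post or from the Smack project), the following Python check parses a SCRAM client-first-message, reports any nonce characters outside the RFC 5802 section 7 `printable` range (%x21-2B / %x2D-7E, so neither space nor comma), and builds a client nonce from that alphabet only. The sample message is the one quoted above; the function and variable names are this example's own.

```python
import secrets

# RFC 5802 section 7: printable = %x21-2B / %x2D-7E, i.e. visible ASCII
# without ",". Space (0x20) is below the range, so it is never legal.
PRINTABLE = frozenset(chr(c) for c in range(0x21, 0x7F) if chr(c) != ",")
_ALPHABET = "".join(sorted(PRINTABLE))

# Constructed copy of the client-first-message quoted in the post above.
BUGGY_CLIENT_FIRST = "n,,n=alice,r=D3Nqf7meC 8g'Hey*v>d!}$k5bUjyh<%"


def invalid_nonce_chars(nonce: str) -> list:
    """Characters in nonce that RFC 5802 does not allow; empty when legal."""
    return sorted({ch for ch in nonce if ch not in PRINTABLE})


def parse_client_first(msg: str) -> dict:
    """Split client-first-message into GS2 header, authzid, username and nonce."""
    gs2_cbind_flag, authzid, bare = msg.split(",", 2)
    attrs = {}
    for part in bare.split(","):
        # Attribute values (e.g. the nonce) may themselves contain "=",
        # so only the first "=" separates the key from the value.
        key, _, value = part.partition("=")
        attrs[key] = value
    return {
        "gs2-cbind-flag": gs2_cbind_flag,
        "authzid": authzid,
        "username": attrs.get("n"),
        "nonce": attrs.get("r"),
    }


def check_client_first(msg: str) -> dict:
    """Parse the message and flag a nonce that a server should reject."""
    info = parse_client_first(msg)
    bad = invalid_nonce_chars(info["nonce"] or "")
    return {**info, "nonce_ok": not bad, "bad_chars": bad}


def make_client_nonce(length: int = 24) -> str:
    """Random client nonce drawn only from the RFC 5802 printable alphabet."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    print(check_client_first(BUGGY_CLIENT_FIRST))   # nonce_ok False, bad_chars [' ']
    print(invalid_nonce_chars(make_client_nonce()))  # []
```

Running the check over the quoted message reports the single offending space; a nonce from `make_client_nonce` passes the same check.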