Can you provide full, verbose client logs? Including stanza exchange? We have tested SCRAM implementation and it works for us.

You could try following options to limit enabled mechanisms:

sess-man/plugins-conf/enabled-mechanisms=PLAIN,DIGEST-MD5

It would be also good to provide version of used Smack and babbler library, so we could use same versions to replicate this issue.

I've created a maven integration test with both babbler and smack. You can clone it from https://github.com/bytecodeguru/tigase-scram-test.

It also contains the packets captured with ngrep during my local tests.

I'm now trying your proposed workaround sess-man/plugins-conf/enabled-mechanisms=PLAIN,DIGEST-MD5 and will let you know if it works asap.

I'm now trying your proposed workaround sess-man/plugins-conf/enabled-mechanisms=PLAIN,DIGEST-MD5 and will let you know if it works asap.

I can confirm that the suggested workaround configuration works in my test environment, thank you. Perhaps it would be useful to add it to the administration doc.

Please let me know if I can help further to investigate the SCRAM authentication issue.

Bartek, please take a look.

Short version

Tigase Server works fine, Smack library is broken.

Longer version

As you can see in "RFC- 5802 attribute r (nonce) described as "this attribute specifies a sequence of random printable ASCII characters excluding ','" and formally defined as:

nonce           = "r=" c-nonce [s-nonce]
                     ;; Second part provided by server.

c-nonce         = printable

s-nonce         = printable

printable       = %x21-2B / %x2D-7E
                     ;; Printable ASCII except ",".
                     ;; Note that any "printable" is also
                     ;; a valid "value".

cannot contains space (@x20@) character.

But Smack sends for example:

n,,n=alice,r=9/g!s~0u%e:k5`x1 s/i{!i`BSJ#Sa>[

n,,n=alice,r= lMs?0>qPY%XLVIFf6.wn"N..?;eC@f}

n,,n=alice,r=D3Nqf7meC 8g'Hey*v>d!}$k5bUjyh<%

n,,n=alice,r=D3Nqf7meC 8g'Hey*v>d!}$k5bUjyh<%

In this case, Server rejects those request as invalid.

I set your test @ SmackScramIT@ to connect to tigase.org server. I limited it only to SCRAM mechanism.

It failed 14 times per 36 runs. Each failed test contains x20 character in @nonce@.

Sample failed test:

Using SCRAM auth.
Connecting to t2.tigase.org:5222
03:09:42 PM SENT (0): <stream:stream xmlns='jabber:client' to='tigase.org' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='turtlebot@tigase.org' xml:lang='en'>
03:09:42 PM RECV (0): <?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' from='tigase.org' id='ed37310f-4809-43b4-a00e-16577b95655a' version='1.0' xml:lang='en'>
03:09:42 PM RECV (0): <stream:features><sm xmlns="urn:xmpp:sm:3"/><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/><ver xmlns="urn:xmpp:features:rosterver"/><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression></stream:features>
03:09:42 PM SENT (0): <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'></starttls>
03:09:43 PM RECV (0): <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
03:09:44 PM SENT (0): <stream:stream xmlns='jabber:client' to='tigase.org' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='turtlebot@tigase.org' xml:lang='en'>
03:09:44 PM RECV (0): <?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' from='tigase.org' id='ed37310f-4809-43b4-a00e-16577b95655a' version='1.0' xml:lang='en'>
03:09:44 PM RECV (0): <stream:features><sm xmlns="urn:xmpp:sm:3"/><auth xmlns="http://jabber.org/features/iq-auth"/><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>SCRAM-SHA-1-PLUS</mechanism><mechanism>SCRAM-SHA-1</mechanism><mechanism>PLAIN</mechanism><mechanism>ANONYMOUS</mechanism></mechanisms><ver xmlns="urn:xmpp:features:rosterver"/><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression></stream:features>
Connected. Trying to login.
03:09:44 PM SENT (0): <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='SCRAM-SHA-1'>biwsbj10dXJ0bGVib3Qscj10Znd8bnxPZ0Q0OyhFUEIkNCliNShnPlNkckYgM1ExOA==</auth>
03:09:44 PM RECV (0): <failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><not-authorized/></failure>
03:09:44 PM SENT (0): <presence id='GbcYJ-3' type='unavailable'></presence>
03:09:44 PM SENT (0): </stream:stream>

org.jivesoftware.smack.sasl.SASLErrorException: SASLError using SCRAM-SHA-1: not-authorized

	at org.jivesoftware.smack.SASLAuthentication.authenticationFailed(SASLAuthentication.java:365)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.parsePackets(XMPPTCPConnection.java:1052)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader.access$300(XMPPTCPConnection.java:956)
	at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketReader$1.run(XMPPTCPConnection.java:971)
	at java.lang.Thread.run(Thread.java:745)

Sample success test:

Using SCRAM auth.
Connecting to t2.tigase.org:5222
03:09:44 PM SENT (1): <stream:stream xmlns='jabber:client' to='tigase.org' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='turtlebot@tigase.org' xml:lang='en'>
03:09:44 PM RECV (1): <?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' from='tigase.org' id='cc0f3241-78ee-4977-9600-fa828619c110' version='1.0' xml:lang='en'>
03:09:44 PM RECV (1): <stream:features><sm xmlns="urn:xmpp:sm:3"/><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/><ver xmlns="urn:xmpp:features:rosterver"/><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression></stream:features>
03:09:44 PM SENT (1): <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'></starttls>
03:09:45 PM RECV (1): <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
03:09:45 PM SENT (1): <stream:stream xmlns='jabber:client' to='tigase.org' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='turtlebot@tigase.org' xml:lang='en'>
03:09:45 PM RECV (1): <?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' from='tigase.org' id='cc0f3241-78ee-4977-9600-fa828619c110' version='1.0' xml:lang='en'>
03:09:45 PM RECV (1): <stream:features><sm xmlns="urn:xmpp:sm:3"/><auth xmlns="http://jabber.org/features/iq-auth"/><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>SCRAM-SHA-1-PLUS</mechanism><mechanism>SCRAM-SHA-1</mechanism><mechanism>PLAIN</mechanism><mechanism>ANONYMOUS</mechanism></mechanisms><ver xmlns="urn:xmpp:features:rosterver"/><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression></stream:features>
Connected. Trying to login.
03:09:45 PM SENT (1): <auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='SCRAM-SHA-1'>biwsbj10dXJ0bGVib3Qscj0jbjBeZT0yaTZzaU1aXWBrN20hbXhwTXU9YGU5SlJQdQ==</auth>
03:09:46 PM RECV (1): <challenge xmlns="urn:ietf:params:xml:ns:xmpp-sasl">cj0jbjBeZT0yaTZzaU1aXWBrN20hbXhwTXU9YGU5SlJQdWVJYUp0ME9VSTJLMGRQSHJiUWZSLHM9dWdKakp4elpsL3lQK3c9PSxpPTQwOTY=</challenge>
03:09:46 PM SENT (1): <response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>Yz1iaXdzLHI9I24wXmU9Mmk2c2lNWl1gazdtIW14cE11PWBlOUpSUHVlSWFKdDBPVUkySzBkUEhyYlFmUixwPWorNHVXRzZjQ1NTOTdYRmQyckgzWnMrLzNkZz0=</response>
03:09:46 PM RECV (1): <success xmlns="urn:ietf:params:xml:ns:xmpp-sasl">dj1jaXVGNDVhK0lVK0prVjgrVXhRZnhJa0FDUnc9</success>
03:09:46 PM SENT (1): <stream:stream xmlns='jabber:client' to='tigase.org' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='turtlebot@tigase.org' id='cc0f3241-78ee-4977-9600-fa828619c110' xml:lang='en'>
03:09:46 PM RECV (1): <?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' from='tigase.org' id='cc0f3241-78ee-4977-9600-fa828619c110' version='1.0' xml:lang='en'>
03:09:46 PM RECV (1): <stream:features><sm xmlns="urn:xmpp:sm:3"/><mobile xmlns="http://tigase.org/protocol/mobile#v1"/><mobile xmlns="http://tigase.org/protocol/mobile#v2"/><csi xmlns="urn:xmpp:csi:0"/><ver xmlns="urn:xmpp:features:rosterver"/><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><bind xmlns="urn:ietf:params:xml:ns:xmpp-bind"/><session xmlns="urn:ietf:params:xml:ns:xmpp-session"/></stream:features>
03:09:46 PM SENT (1): <iq id='GbcYJ-6' type='set'><bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'><resource>resource</resource></bind></iq>
03:09:46 PM RECV (1): <iq xmlns="jabber:client" type="result" id="GbcYJ-6" to="turtlebot@tigase.org/resource"><bind xmlns="urn:ietf:params:xml:ns:xmpp-bind"><jid>turtlebot@tigase.org/resource</jid></bind></iq>
03:09:46 PM SENT (1): <iq id='GbcYJ-8' type='set'><session xmlns='urn:ietf:params:xml:ns:xmpp-session'/></iq>
03:09:46 PM RECV (1): <iq xmlns="jabber:client" type="result" id="GbcYJ-8" to="turtlebot@tigase.org/resource"/>
03:09:46 PM SENT (1): <enable xmlns='urn:xmpp:sm:3' resume='true'/>
03:09:46 PM RECV (1): <enabled xmlns='urn:xmpp:sm:3' id='b1f2e325-c14b-498f-8222-8e808466e889' resume='true' max='90' location='t2.tigase.org' />
03:09:46 PM User logged (1): turtlebot@tigase.org:5222/resource
03:09:46 PM XMPPConnection authenticated (1)
03:09:46 PM SENT (1): <iq id='GbcYJ-10' type='get'><query xmlns='jabber:iq:roster'></query></iq>
Login successful. Disconnecting.

03:09:46 PM SENT (1): <presence id='GbcYJ-11'><c xmlns='http://jabber.org/protocol/caps' hash='sha-1' node='http://www.igniterealtime.org/projects/smack' ver='NfJ3flI83zSdUDzCEICtbypursw='/></presence>
03:09:46 PM SENT (1): <presence id='GbcYJ-12' type='unavailable'></presence>
03:09:46 PM SENT (1): <a xmlns='urn:xmpp:sm:3' h='0'/>
03:09:46 PM SENT (1): </stream:stream>
03:09:46 PM XMPPConnection closed (1)

Babbler works fine with tigase.org and my local Server.

Bartosz Malkowski wrote:

Babbler works fine with tigase.org and my local Server.

Thank you for the detailed feedback. I will file an issue to smack devs.

However I can't get babbler working using my test credentials, the test is passing with PLAIN auth but failing every time with SCRAM. It seems for fail for a different reason than smack. Could you try using username "jenkins" password "test" on your environment?

SCRAM:

T 2016/10/20 13:54:05.592764 10.122.122.1:53532 -> 10.122.122.10:5222 [AP]
<auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="SCRAM-SHA-1">biwsbj1qZW5raW5zLHI9YmdId0xRSEJkNFMrK3F2VEIzZis0QT09</auth>
#
T 2016/10/20 13:54:05.606573 10.122.122.10:5222 -> 10.122.122.1:53532 [AP]
<challenge xmlns="urn:ietf:params:xml:ns:xmpp-sasl">cj1iZ0h3TFFIQmQ0UysrcXZUQjNmKzRBPT1lWXY4REhIMk81dHRxNlRtV3pncyxzPUZSelkraGM5TitMc0FnPT0saT00MDk2</challenge>
##
T 2016/10/20 13:54:05.748772 10.122.122.1:53532 -> 10.122.122.10:5222 [AP]
<response xmlns="urn:ietf:params:xml:ns:xmpp-sasl">Yz1iaXdzLHI9YmdId0xRSEJkNFMrK3F2VEIzZis0QT09ZVl2OERISDJPNXR0cTZUbVd6Z3MscD1JTlpKaDljTkQyeFJlYzZBQytSYlBoRVdVakk9</response>
#
T 2016/10/20 13:54:05.750357 10.122.122.10:5222 -> 10.122.122.1:53532 [AP]
<failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><not-authorized/><text xml:lang='en'>Password not verified</text></failure>

PLAIN:

T 2016/10/20 13:54:05.011158 10.122.122.1:53531 -> 10.122.122.10:5222 [AP]
<auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="PLAIN">AGplbmtpbnMAdGVzdA==</auth>
#
T 2016/10/20 13:54:05.020439 10.122.122.10:5222 -> 10.122.122.1:53531 [AP]
<success xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>

Letters in username doesn't matter.

No idea what is wrong with your server.

I'm using revision 8e20620.

Here is my config:

config-type = --gen-config-def
--virt-hosts = coffeebean.local,coffeebean2.local
--user-db=mysql
--user-db-uri=jdbc:mysql://127.0.0.1:3306/tigasedb?user=tigase_username&password=tigase_password&useUnicode=true&characterEncoding=UTF-8&autoCreateUser=true
--admins = alice@coffeebean.local
--cluster-mode = true
--debug = auth

I also checked SCRAM data you quoted in last comment. Data are OK, and my SCRAM code calculates the same values, so problem fur sure isn't in SCRAM implementation.

Bartosz Malkowski wrote:

I also checked SCRAM data you quoted in last comment. Data are OK, and my SCRAM code calculates the same values, so problem fur sure isn't in SCRAM implementation.

Thank you for your help. I can confirm that changing credentials I get the same issue. I've downloaded the latest nightly build and I am now trying to enable remote debugging to check what is really happening in my test environment.

The smack support team confirms the issue: https://issues.igniterealtime.org/browse/SMACK-735

Meanwhile I tracked down the code that refuses to authentication: it's AbstractSaslSCRAM.java in processClientLastMessage()

boolean proofMatch = Arrays.equals(clientProof, dcp);

if (proofMatch == false) {
	throw new XmppSaslException(SaslError.not_authorized, "Password not verified");
}

The arrays are equal in length but (completely) different in content. Any clue?

Nope!

It may be everything. Different salted password?

Bartosz Malkowski wrote:

Nope!

It may be everything. Different salted password?

Here are the values of the variables just before the proof match condition, I have base64 encoded byte arrays for readability:

saltedPassword: "MqWV7jbPDuXoQiy/ZdLNgb5xRb0="
clientKeyData: "Q2xpZW50IEtleQ=="

data: "c=biws,r=xqQV/Tayn0z7ioxsm2Gc9A==2sUG2gG4LGHjxPEDMJnM,p=Mgrbqu6DPIKdiPS9h2PwOFpf0xs="

clmWithoutProof: "c=biws,r=xqQV/Tayn0z7ioxsm2Gc9A==2sUG2gG4LGHjxPEDMJnM"
clmCb: "biws" // decoded is "n,,"
clmNonce: "xqQV/Tayn0z7ioxsm2Gc9A==2sUG2gG4LGHjxPEDMJnM"
clmProof: "Mgrbqu6DPIKdiPS9h2PwOFpf0xs="

cfmGs2Header: "n,,"
calculatedCb: "n,,"
// clmCb matches calculatedCb

sfmNonce: "xqQV/Tayn0z7ioxsm2Gc9A==2sUG2gG4LGHjxPEDMJnM" // matches clmNonce

cfmBareMessage: "n=jenkins2,r=xqQV/Tayn0z7ioxsm2Gc9A=="
sfmMessage: "r=xqQV/Tayn0z7ioxsm2Gc9A==2sUG2gG4LGHjxPEDMJnM,s=VfWenT+UYflUIA==,i=4096"

authMessage: "n=jenkins2,r=xqQV/Tayn0z7ioxsm2Gc9A==,r=xqQV/Tayn0z7ioxsm2Gc9A==2sUG2gG4LGHjxPEDMJnM,s=VfWenT+UYflUIA==,i=4096,c=biws,r=xqQV/Tayn0z7ioxsm2Gc9A==2sUG2gG4LGHjxPEDMJnM"

storedKey: "jDreacq6illlMWmAo/QgsPH0bQY="
clientSignature: "BtHvyc4Tt61VCRTx/eKJHAEI+Is="
clientKey: "DOSss8bthWpmQt6nW2mNvnmh5/s="
clientProof: "CjVDegj+MsczS8pWposEonipH3A="

salt("test", "VfWenT+UYflUIA==", 4096) is gkz3PO5XI5+CJ1q0Z2TGszYyc1s= not MqWV7jbPDuXoQiy/ZdLNgb5xRb0=

Bartosz Malkowski wrote:

salt("test", "VfWenT+UYflUIA==", 4096) is gkz3PO5XI5+CJ1q0Z2TGszYyc1s= not MqWV7jbPDuXoQiy/ZdLNgb5xRb0=

Sorry I made this debug test using different credentials "jenkins2" "test2". The column tig_users.user_pw contains "469e3aa6433370b9dfa16be36a85fb21" for user jenkins2.

Thank you for your effort, I'd like to be able to help you more than this. I'll try to find a better test case, but really I don't understand what could be the difference between your environment and mine.

salt("test2", "VfWenT+UYflUIA==", 4096) is JQg+GLuRCp/ZjnNWr1wKcdCmv6M= not MqWV7jbPDuXoQiy/ZdLNgb5xRb0=

Can you check WHAT exactly is salted? With exactly what salt? What password is got from DB?

You can start here: tigase/auth/impl/ScramCallbackHandler.java:150

I managed to print some intermediate results:

processClientFirstMessage data: n,,n=jenkins2,r=Z7E(V)0U9LGe2x7VpEeG$DS6&\1Xmzp;

pwd: 469e3aa6433370b9dfa16be36a85fb21
AbstractSaslSCRAM.normalize(pwd): NDY5ZTNhYTY0MzMzNzBiOWRmYTE2YmUzNmE4NWZiMjE=
salt: X0sIVLFGxLKJeA==
pbkd2Iterations: 4096
saltedPassword: 5ehMcvvJl/KeqkCECw9ra5AngeE=

sfmMessage: r=Z7E(V)0U9LGe2x7VpEeG$DS6&\1Xmzp;LWluEkMnyLLAXsNYs8PO,s=X0sIVLFGxLKJeA==,i=4096

processClientLastMessage data: c=biws,r=Z7E(V)0U9LGe2x7VpEeG$DS6&\1Xmzp;LWluEkMnyLLAXsNYs8PO,p=znKxGzyNdi5iEPvtiqzRAmTWBDI=

clientProof: X2ToJNuMHY2Hb4Q91943gJ3rXbs=

pwd looks like hash.

Does salt is different in each login?

Does salt is different in each login?

The password is exactly the value stored in tig_users table.

Yes the salt is different at each login attempt.

For example here is a first attempt:

processClientFirstMessage data: n,,n=jenkins2,r=4QzedGUmJmhQ8IHjUPtcyg==

pwd: 469e3aa6433370b9dfa16be36a85fb21
AbstractSaslSCRAM.normalize(pwd): NDY5ZTNhYTY0MzMzNzBiOWRmYTE2YmUzNmE4NWZiMjE=
salt: pUVj9F0qervFcA==
pbkd2Iterations: 4096
saltedPassword: S5asvzXJTBayXH/SWShbSJAR/7I=

processClientFirstMessage sfmMessage: r=4QzedGUmJmhQ8IHjUPtcyg==8GnZmmbBDpyUtSg9k4nx,s=pUVj9F0qervFcA==,i=4096
processClientLastMessage data: c=biws,r=4QzedGUmJmhQ8IHjUPtcyg==8GnZmmbBDpyUtSg9k4nx,p=gEeBzJSyzC62CMRKEUe7+84ouhk=
clientProof: ZH1rl+H5guam0S9K2Wur6Utkrds=

Here is a second attempt:

processClientFirstMessage data: n,,n=jenkins2,r=nTdnAHg9JpcemqYkaS/Jdg==

pwd: 469e3aa6433370b9dfa16be36a85fb21
AbstractSaslSCRAM.normalize(pwd): NDY5ZTNhYTY0MzMzNzBiOWRmYTE2YmUzNmE4NWZiMjE=
salt: EMwAS0gScW+Qwg==
pbkd2Iterations: 4096
saltedPassword: v9gsWrqvDhe1aiRhMoZlQcnMbYQ=

processClientFirstMessage sfmMessage: r=nTdnAHg9JpcemqYkaS/Jdg==pYrvVr6URLg14fr2WEFC,s=EMwAS0gScW+Qwg==,i=4096
processClientLastMessage data: c=biws,r=nTdnAHg9JpcemqYkaS/Jdg==pYrvVr6URLg14fr2WEFC,p=F04rDy6cm+spxk5bTkm4wr7c7SQ=
clientProof: OQx9wLr/2inzufuGSjbEs6EpKus=

Scram doesn't works with passwords hashed with md5. For Scram you have to use plain passwords or salted ones compatible with Scram (pbkd2).

Bartosz Malkowski wrote:

Scram doesn't works with passwords hashed with md5. For Scram you have to use plain passwords or salted ones compatible with Scram (pbkd2).

Thank you, this could explain everything, in fact I have this config: TigPutDBProperty('password-encoding', 'MD5-USERNAME-PASSWORD');

So, if I understand correctly, this would stop working after a simple upgrade to the latest tigase snapshot that enables scram by default. Perhaps it would be better to clarify this in the changelog.

How do I fix the situation for my existing users? Should I follow the procedure described at http://docs.tigase.org/tigase-server/snapshot/Administration_Guide/html/#hashedPasswords ? I don't think it's possible to transform hashed passwords back to plain ones without the help of the users ;-)

Moreover I don't see pbkd2 method, only plain or md5-*. Should I really revert back to plain?

I'm starting to think that at this point the only feasible solution for this situation is to disable SCRAM.

Bartosz Malkowski wrote:

h3. Short version

Tigase Server works fine, Smack library is broken.

Thanks for the detailed bug description. Just for the record. This is tracked as SMACK-735 (https://issues.igniterealtime.org/browse/SMACK-735).

May I suggest that Tigase should report a different SASL error in case c-nonce contains invalid characters (and in similar cases) instead of 'not-authorized'? A think a good candidate would be 'malformed-request' (RFC 6120 § 6.5.8.).

Giuseppe Moscarella wrote:

Bartosz Malkowski wrote:

Scram doesn't works with passwords hashed with md5. For Scram you have to use plain passwords or salted ones compatible with Scram (pbkd2).

Thank you, this could explain everything, in fact I have this config: TigPutDBProperty('password-encoding', 'MD5-USERNAME-PASSWORD');

So, if I understand correctly, this would stop working after a simple upgrade to the latest tigase snapshot that enables scram by default. Perhaps it would be better to clarify this in the changelog.

Bartek, could we make availability of SCRAM based on the password-encoding db property? Seems reasonable to disable it when there is MD5 enabled for passwords...

Florian Schmaus wrote:

Thanks for the detailed bug description. Just for the record. This is tracked as SMACK-735 (https://issues.igniterealtime.org/browse/SMACK-735).

May I suggest that Tigase should report a different SASL error in case c-nonce contains invalid characters (and in similar cases) instead of 'not-authorized'? A think a good candidate would be 'malformed-request' (RFC 6120 § 6.5.8.).

Makes sense.

Implemented

Just built and ran a build with this fix, following errors occur on startup:

2017-01-10 10:39:56.904 [WrapperSimpleAppMain]  DefaultMechanismSelector.init()  WARNING: Cannot check password-encoding
java.sql.SQLException: No suitable driver found for jdbc:default:connection
	at java.sql.DriverManager.getConnection(Unknown Source)
	at java.sql.DriverManager.getConnection(Unknown Source)
	at tigase.db.derby.StoredProcedures.tigGetDBProperty(StoredProcedures.java:332)
	at tigase.auth.DefaultMechanismSelector.init(DefaultMechanismSelector.java:60)
	at tigase.auth.MechanismSelectorFactory.create(MechanismSelectorFactory.java:19)
	at tigase.xmpp.impl.JabberIqAuth.init(JabberIqAuth.java:129)
	at tigase.server.xmppsession.SessionManager.setProperties(SessionManager.java:929)
	at tigase.cluster.SessionManagerClustered.setProperties(SessionManagerClustered.java:516)
	at tigase.conf.ConfiguratorAbstract.setup(ConfiguratorAbstract.java:519)
	at tigase.conf.ConfiguratorAbstract.componentAdded(ConfiguratorAbstract.java:152)
	at tigase.conf.Configurator.componentAdded(Configurator.java:50)
	at tigase.conf.Configurator.componentAdded(Configurator.java:33)
	at tigase.server.AbstractComponentRegistrator.addComponent(AbstractComponentRegistrator.java:116)
	at tigase.server.MessageRouter.addComponent(MessageRouter.java:115)
	at tigase.server.MessageRouter.addRouter(MessageRouter.java:152)
	at tigase.server.MessageRouter.setProperties(MessageRouter.java:745)
	at tigase.conf.ConfiguratorAbstract.setup(ConfiguratorAbstract.java:519)
	at tigase.conf.ConfiguratorAbstract.componentAdded(ConfiguratorAbstract.java:152)
	at tigase.conf.Configurator.componentAdded(Configurator.java:50)
	at tigase.conf.Configurator.componentAdded(Configurator.java:33)
	at tigase.server.AbstractComponentRegistrator.addComponent(AbstractComponentRegistrator.java:116)
	at tigase.server.MessageRouter.addRegistrator(MessageRouter.java:138)
	at tigase.server.MessageRouter.setConfig(MessageRouter.java:644)
	at tigase.server.XMPPServer.start(XMPPServer.java:142)
	at tigase.server.XMPPServer.main(XMPPServer.java:112)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at org.tanukisoftware.wrapper.WrapperSimpleApp.run(WrapperSimpleApp.java:325)
	at java.lang.Thread.run(Unknown Source)

and

2017-01-10 10:39:56.909 [WrapperSimpleAppMain]  DefaultMechanismSelector.init()  WARNING: Cannot check password-encoding
java.sql.SQLException: No suitable driver found for jdbc:default:connection
	at java.sql.DriverManager.getConnection(Unknown Source)
	at java.sql.DriverManager.getConnection(Unknown Source)
	at tigase.db.derby.StoredProcedures.tigGetDBProperty(StoredProcedures.java:332)
	at tigase.auth.DefaultMechanismSelector.init(DefaultMechanismSelector.java:60)
	at tigase.auth.MechanismSelectorFactory.create(MechanismSelectorFactory.java:19)
	at tigase.xmpp.impl.SaslAuth.init(SaslAuth.java:155)
	at tigase.server.xmppsession.SessionManager.setProperties(SessionManager.java:929)
	at tigase.cluster.SessionManagerClustered.setProperties(SessionManagerClustered.java:516)
	at tigase.conf.ConfiguratorAbstract.setup(ConfiguratorAbstract.java:519)
	at tigase.conf.ConfiguratorAbstract.componentAdded(ConfiguratorAbstract.java:152)
	at tigase.conf.Configurator.componentAdded(Configurator.java:50)
	at tigase.conf.Configurator.componentAdded(Configurator.java:33)
	at tigase.server.AbstractComponentRegistrator.addComponent(AbstractComponentRegistrator.java:116)
	at tigase.server.MessageRouter.addComponent(MessageRouter.java:115)
	at tigase.server.MessageRouter.addRouter(MessageRouter.java:152)
	at tigase.server.MessageRouter.setProperties(MessageRouter.java:745)
	at tigase.conf.ConfiguratorAbstract.setup(ConfiguratorAbstract.java:519)
	at tigase.conf.ConfiguratorAbstract.componentAdded(ConfiguratorAbstract.java:152)
	at tigase.conf.Configurator.componentAdded(Configurator.java:50)
	at tigase.conf.Configurator.componentAdded(Configurator.java:33)
	at tigase.server.AbstractComponentRegistrator.addComponent(AbstractComponentRegistrator.java:116)
	at tigase.server.MessageRouter.addRegistrator(MessageRouter.java:138)
	at tigase.server.MessageRouter.setConfig(MessageRouter.java:644)
	at tigase.server.XMPPServer.start(XMPPServer.java:142)
	at tigase.server.XMPPServer.main(XMPPServer.java:112)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at org.tanukisoftware.wrapper.WrapperSimpleApp.run(WrapperSimpleApp.java:325)
	at java.lang.Thread.run(Unknown Source)

Commit reverted. I made mistake.

It cannot be done automatically because it needs a lot of changes in AuthRepository interface. We can postpone it to release 7.2.

The only way to turn off SCRAM is set list of allowed SASL mechanisms in @init.properties@.

A follow-up #4814 was created to implement checking of the DB property.