From a1bbefc9e3b947ead9567a6daa150a1c21fd5ce6 Mon Sep 17 00:00:00 2001
From: Florian Schmaus <flo@geekplace.eu>
Date: Sat, 30 Jul 2016 10:39:38 +0200
Subject: [PATCH 1/4] Smack 4.1.9-SNAPSHOT

---
 version.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/version.gradle b/version.gradle
index 41a5580b6..2919ff247 100644
--- a/version.gradle
+++ b/version.gradle
@@ -1,7 +1,7 @@
 allprojects {
 	ext {
-		shortVersion = '4.1.8'
-		isSnapshot = false
+		shortVersion = '4.1.9'
+		isSnapshot = true
 		jxmppVersion = '0.4.2'
 		smackMinAndroidSdk = 8
 	}

From fca2f59e08da2936f6d899a95fb0f6ed9aa07f0c Mon Sep 17 00:00:00 2001
From: Florian Schmaus <flo@geekplace.eu>
Date: Thu, 20 Oct 2016 16:57:06 +0200
Subject: [PATCH 2/4] Fix SCRAM-SHA1 mechanism creating invalid c-nonce

Because of the condition "c >= 32", Smack would possible return a
c-nonce containing ASCII whitespace characters (32d, 0x20), which are
not allowed in the c-nonce as per RFC 5802.

This commit applies the correct condition: "c > 32".

Fixes SMACK-735.
---
 .../org/jivesoftware/smack/sasl/core/SCRAMSHA1Mechanism.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/smack-core/src/main/java/org/jivesoftware/smack/sasl/core/SCRAMSHA1Mechanism.java b/smack-core/src/main/java/org/jivesoftware/smack/sasl/core/SCRAMSHA1Mechanism.java
index 217ace4e9..4d15a8f91 100644
--- a/smack-core/src/main/java/org/jivesoftware/smack/sasl/core/SCRAMSHA1Mechanism.java
+++ b/smack-core/src/main/java/org/jivesoftware/smack/sasl/core/SCRAMSHA1Mechanism.java
@@ -257,7 +257,10 @@ public class SCRAMSHA1Mechanism extends SASLMechanism {
         if (c == ',') {
             return false;
         }
-        return c >= 32 && c < 127;
+        // RFC 5802 § 7. 'printable': Contains all chars within 0x21 (33d) to 0x2b (43d) and 0x2d (45d) to 0x7e (126)
+        // aka. "Printable ASCII except ','". Since we already filter the ASCII ',' (0x2c, 44d) above, we only have to
+        // ensure that c is within [33, 126].
+        return c > 32 && c < 127;
     }
 
     /**

From 059ee99ba0d5ff7758829acf5a9aeede09ec820b Mon Sep 17 00:00:00 2001
From: Florian Schmaus <flo@geekplace.eu>
Date: Sat, 12 Nov 2016 11:12:50 +0100
Subject: [PATCH 3/4] Move TLS Required check at the end of connect()

It was a *very* bad idea to perform the SecurityMode.Required check in
the connection's reader thread and not at the end of
AbstractXMPPConnectin's connect(). :/

This behavior dates back to 8e750912a765f77a4f178a4f307a8b42c2afb5ae

Fixes SMACK-739
---
 .../smack/AbstractXMPPConnection.java         |  1 +
 .../smack/tcp/XMPPTCPConnection.java          | 20 +++++++++----------
 2 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/smack-core/src/main/java/org/jivesoftware/smack/AbstractXMPPConnection.java b/smack-core/src/main/java/org/jivesoftware/smack/AbstractXMPPConnection.java
index 7b680b1a3..df1acef66 100644
--- a/smack-core/src/main/java/org/jivesoftware/smack/AbstractXMPPConnection.java
+++ b/smack-core/src/main/java/org/jivesoftware/smack/AbstractXMPPConnection.java
@@ -362,6 +362,7 @@ public abstract class AbstractXMPPConnection implements XMPPConnection {
 
         // Perform the actual connection to the XMPP service
         connectInternal();
+
         return this;
     }
 
diff --git a/smack-tcp/src/main/java/org/jivesoftware/smack/tcp/XMPPTCPConnection.java b/smack-tcp/src/main/java/org/jivesoftware/smack/tcp/XMPPTCPConnection.java
index d0ca18bf2..4d21f6fc6 100644
--- a/smack-tcp/src/main/java/org/jivesoftware/smack/tcp/XMPPTCPConnection.java
+++ b/smack-tcp/src/main/java/org/jivesoftware/smack/tcp/XMPPTCPConnection.java
@@ -28,10 +28,9 @@ import org.jivesoftware.smack.SmackException.AlreadyConnectedException;
 import org.jivesoftware.smack.SmackException.AlreadyLoggedInException;
 import org.jivesoftware.smack.SmackException.NoResponseException;
 import org.jivesoftware.smack.SmackException.NotConnectedException;
-import org.jivesoftware.smack.SmackException.ConnectionException;
 import org.jivesoftware.smack.SmackException.SecurityRequiredByClientException;
+import org.jivesoftware.smack.SmackException.ConnectionException;
 import org.jivesoftware.smack.SmackException.SecurityRequiredByServerException;
-import org.jivesoftware.smack.SmackException.SecurityRequiredException;
 import org.jivesoftware.smack.SynchronizationPoint;
 import org.jivesoftware.smack.XMPPException.StreamErrorException;
 import org.jivesoftware.smack.XMPPConnection;
@@ -857,6 +856,14 @@ public class XMPPTCPConnection extends AbstractXMPPConnection {
         // Wait with SASL auth until the SASL mechanisms have been received
         saslFeatureReceived.checkIfSuccessOrWaitOrThrow();
 
+        // If TLS is required but the server doesn't offer it, disconnect
+        // from the server and throw an error. First check if we've already negotiated TLS
+        // and are secure, however (features get parsed a second time after TLS is established).
+        if (!isSecureConnection() && getConfiguration().getSecurityMode() == SecurityMode.required) {
+            shutdown();
+            throw new SecurityRequiredByClientException();
+        }
+
         // Make note of the fact that we're now connected.
         connected = true;
         callConnectionConnectedListener();
@@ -897,7 +904,7 @@ public class XMPPTCPConnection extends AbstractXMPPConnection {
     }
 
     @Override
-    protected void afterFeaturesReceived() throws SecurityRequiredException, NotConnectedException {
+    protected void afterFeaturesReceived() throws NotConnectedException {
         StartTls startTlsFeature = getFeature(StartTls.ELEMENT, StartTls.NAMESPACE);
         if (startTlsFeature != null) {
             if (startTlsFeature.required() && config.getSecurityMode() == SecurityMode.disabled) {
@@ -909,13 +916,6 @@ public class XMPPTCPConnection extends AbstractXMPPConnection {
                 send(new StartTls());
             }
         }
-        // If TLS is required but the server doesn't offer it, disconnect
-        // from the server and throw an error. First check if we've already negotiated TLS
-        // and are secure, however (features get parsed a second time after TLS is established).
-        if (!isSecureConnection() && startTlsFeature == null
-                        && getConfiguration().getSecurityMode() == SecurityMode.required) {
-            throw new SecurityRequiredByClientException();
-        }
 
         if (getSASLAuthentication().authenticationSuccessful()) {
             // If we have received features after the SASL has been successfully completed, then we

From af6e80deccb7f587c8339272e4a7e8449edb7fdf Mon Sep 17 00:00:00 2001
From: Florian Schmaus <flo@geekplace.eu>
Date: Sat, 19 Nov 2016 14:34:29 +0100
Subject: [PATCH 4/4] Smack 4.1.9

---
 resources/releasedocs/changelog.html | 12 ++++++++++++
 version.gradle                       |  2 +-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/resources/releasedocs/changelog.html b/resources/releasedocs/changelog.html
index 01c8a003b..cb513e360 100644
--- a/resources/releasedocs/changelog.html
+++ b/resources/releasedocs/changelog.html
@@ -141,6 +141,18 @@ hr {
 
 	<div id="pageBody">
 
+
+<h2>4.1.9 -- <span style="font-weight: normal;">2016-11-19</span></h2>
+
+<h2>        Bug
+</h2>
+<ul>
+<li>[<a href='https://issues.igniterealtime.org/browse/SMACK-739'>SMACK-739</a>] -         Smack starts SASL step without TLS in case STARTTLS is stripped even if SecurityMode.Required is used
+</li>
+<li>[<a href='https://issues.igniterealtime.org/browse/SMACK-735'>SMACK-735</a>] -         Smack sometimes sends invalid SCRAM-SHA1 nonce
+</li>
+</ul>
+
 <h2>4.1.8 -- <span style="font-weight: normal;">2016-07-30</span></h2>
 
 <h2>        Bug
diff --git a/version.gradle b/version.gradle
index 2919ff247..e767541d8 100644
--- a/version.gradle
+++ b/version.gradle
@@ -1,7 +1,7 @@
 allprojects {
 	ext {
 		shortVersion = '4.1.9'
-		isSnapshot = true
+		isSnapshot = false
 		jxmppVersion = '0.4.2'
 		smackMinAndroidSdk = 8
 	}