Null SASL responses are not being padded
The JEP for SASL auth says that null responses need to be padded. RFC3920 (XMPP core) section 6.1, rule 5 refers to RCF 3548 (BASE64). In that RFC, section 2.2 says padding is required because the size of the transported data cannot be assumed.
Thanks to Jay Kline.