# HG changeset patch
# User Evan Schoenberg <evan.s@dreskin.net>
# Date 1274156921 0
# Node ID 6c148063fdfdf2cac8f3a891ae4d820e8aed7512
# Parent  9de98679c02bb835cbe826a8d7f74a63944a7269
applied changes from bf4b720f9231b395fb51bf1e27440328d46bceb5
             through 5d1cd42e92b6d03e3c1556c107bf4e6174743813

diff -r 9de98679c02b -r 6c148063fdfd libpurple/protocols/jabber/auth_cyrus.c
--- a/libpurple/protocols/jabber/auth_cyrus.c	Mon May 17 16:00:10 2010 +0000
+++ b/libpurple/protocols/jabber/auth_cyrus.c	Tue May 18 04:28:41 2010 +0000
@@ -252,6 +252,25 @@
 					g_free(msg);
 					return JABBER_SASL_STATE_CONTINUE;
 
+				} else
+					js->auth_fail_count++;
+
+				if (js->auth_fail_count == 1 &&
+					(js->sasl_mechs->str && g_str_equal(js->sasl_mechs->str, "GSSAPI"))) {
+					/* If we tried GSSAPI first, it failed, and it was the only method we had to try, try jabber:iq:auth
+					 * for compatibility with iChat 10.5 Server and other jabberd based servers.
+					 *
+					 * iChat Server 10.5 and certain other corporate servers offer SASL GSSAPI by default, which is often
+					 * not configured on the client side, and expects a fallback to jabber:iq:auth when it (predictably) fails.
+					 *
+					 * Note: xep-0078 points out that using jabber:iq:auth after a sasl failure is wrong. However,
+					 * I believe this refers to actual authentication failure, not a simple lack of concordant mechanisms.
+					 * Doing otherwise means that simply compiling with SASL support renders the client unable to connect to servers
+					 * which would connect without issue otherwise. -evands
+					 */
+					js->auth_mech = NULL;
+					jabber_auth_start_old(js);
+					return JABBER_SASL_STATE_CONTINUE;					
 				}
 
 				break;
@@ -266,6 +285,8 @@
 			default:
 				purple_debug_info("sasl", "sasl_state is %d, failing the mech and trying again\n", js->sasl_state);
 
+				js->auth_fail_count++;
+
 				/*
 				 * DAA: is this right?
 				 * The manpage says that "mech" will contain the chosen mechanism on success.
@@ -522,9 +543,9 @@
 		} else if ((js->auth_fail_count == 1) && 
 				   (js->current_mech && g_str_equal(js->current_mech, "GSSAPI"))) {
 			/* If we tried GSSAPI first, it failed, and it was the only method we had to try, try jabber:iq:auth
-			 * for compatibility with iChat 10.5 Server.
+			 * for compatibility with iChat 10.5 Server and other jabberd based servers.
 			 *
-			 * iChat Server 10.5  offers SASL GSSAPI by default, which is often
+			 * iChat Server 10.5 and certain other corporate servers offer SASL GSSAPI by default, which is often
 			 * not configured on the client side, and expects a fallback to jabber:iq:auth when it (predictably) fails.
 			 *
 			 * Note: xep-0078 points out that using jabber:iq:auth after a sasl failure is wrong. However,