# HG changeset patch
# User Daniel Atallah <daniel.atallah@gmail.com>
# Date 1274239598 0
# Node ID 7eeb5a9d1d809b227c690eeda7f37849739f4fd3
# Parent  62f0988c666c51400edc46dfadc8dac78ed0fa20# Parent  6c148063fdfdf2cac8f3a891ae4d820e8aed7512
merge of '45c13cbd9c56429c7ed3b9a147b1d76692f3968d'
     and '55f17462bcdf93474447c4505853b919e1247311'

diff -r 62f0988c666c -r 7eeb5a9d1d80 libpurple/protocols/jabber/auth_cyrus.c
--- a/libpurple/protocols/jabber/auth_cyrus.c	Wed May 19 03:26:05 2010 +0000
+++ b/libpurple/protocols/jabber/auth_cyrus.c	Wed May 19 03:26:38 2010 +0000
@@ -252,6 +252,25 @@
 					g_free(msg);
 					return JABBER_SASL_STATE_CONTINUE;
 
+				} else
+					js->auth_fail_count++;
+
+				if (js->auth_fail_count == 1 &&
+					(js->sasl_mechs->str && g_str_equal(js->sasl_mechs->str, "GSSAPI"))) {
+					/* If we tried GSSAPI first, it failed, and it was the only method we had to try, try jabber:iq:auth
+					 * for compatibility with iChat 10.5 Server and other jabberd based servers.
+					 *
+					 * iChat Server 10.5 and certain other corporate servers offer SASL GSSAPI by default, which is often
+					 * not configured on the client side, and expects a fallback to jabber:iq:auth when it (predictably) fails.
+					 *
+					 * Note: xep-0078 points out that using jabber:iq:auth after a sasl failure is wrong. However,
+					 * I believe this refers to actual authentication failure, not a simple lack of concordant mechanisms.
+					 * Doing otherwise means that simply compiling with SASL support renders the client unable to connect to servers
+					 * which would connect without issue otherwise. -evands
+					 */
+					js->auth_mech = NULL;
+					jabber_auth_start_old(js);
+					return JABBER_SASL_STATE_CONTINUE;					
 				}
 
 				break;
@@ -266,6 +285,8 @@
 			default:
 				purple_debug_info("sasl", "sasl_state is %d, failing the mech and trying again\n", js->sasl_state);
 
+				js->auth_fail_count++;
+
 				/*
 				 * DAA: is this right?
 				 * The manpage says that "mech" will contain the chosen mechanism on success.
@@ -522,9 +543,9 @@
 		} else if ((js->auth_fail_count == 1) && 
 				   (js->current_mech && g_str_equal(js->current_mech, "GSSAPI"))) {
 			/* If we tried GSSAPI first, it failed, and it was the only method we had to try, try jabber:iq:auth
-			 * for compatibility with iChat 10.5 Server.
+			 * for compatibility with iChat 10.5 Server and other jabberd based servers.
 			 *
-			 * iChat Server 10.5  offers SASL GSSAPI by default, which is often
+			 * iChat Server 10.5 and certain other corporate servers offer SASL GSSAPI by default, which is often
 			 * not configured on the client side, and expects a fallback to jabber:iq:auth when it (predictably) fails.
 			 *
 			 * Note: xep-0078 points out that using jabber:iq:auth after a sasl failure is wrong. However,