If SASL authentication fails, we generally shouldn't be setting an error message, as the actual error was communicated via the "urn:ietf:params:xml:ns:xmpp-sasl" failure stanza. Setting an error means that jabber_auth_handle_failure() won't ever call jabber_parse_error() to extract the actual error message and interpretation. For example, if authentication fails, previously we would show "SASL authentication failed" and think it was a PURPLE_CONNECTION_ERROR_NETWORK_ERROR which is incorrect. Now, jabber_parse_error() gets a chance to return "Not Authorized", clear the saved password, and return PURPLE_CONNECTION_ERROR_AUTHENTICATION_FAILED. We should still set this error message if there is an internal SASL failure leading to SASL_BADPARAM or SASL_NOMEM.

--- a/libpurple/protocols/jabber/auth_cyrus.c	Tue May 04 01:41:28 2010 +0000
+++ b/libpurple/protocols/jabber/auth_cyrus.c	Tue May 04 01:46:40 2010 +0000
@@ -259,6 +259,7 @@
 				/* Fatal errors. Give up and go home */
 			case SASL_BADPARAM:
 			case SASL_NOMEM:
+				*error = g_strdup(_("SASL authentication failed"));
 				break;
 
 				/* For everything else, fail the mechanism and try again */
@@ -317,7 +318,6 @@
 		*reply = auth;
 		return JABBER_SASL_STATE_CONTINUE;
 	} else {
-		*error = g_strdup(_("SASL authentication failed"));
 		return JABBER_SASL_STATE_FAIL;
 	}
 }