adium.1-4: 8b659042: applied changes from 82175cfc320b7c83151...

evands at pidgin.im evands at pidgin.im
Mon May 3 22:15:34 EDT 2010


-----------------------------------------------------------------
Revision: 8b6590428d8180cc466c8916f81aec2c8961fbd1
Ancestor: 2fcd834324b05d3becf6878db8ce1c474578e720
Author: evands at pidgin.im
Date: 2010-05-04T01:55:20
Branch: im.pidgin.adium.1-4
URL: http://d.pidgin.im/viewmtn/revision/info/8b6590428d8180cc466c8916f81aec2c8961fbd1

Modified files:
        libpurple/protocols/jabber/auth_cyrus.c

ChangeLog: 

applied changes from 82175cfc320b7c831512ecc2a00beec2a86b7a2a
             through ce00ec5bb0ec76da8360bd2098fb23cf7ba3e0ad

Improve on a hack I committed in 12/2007 which allows connection via XMPP to iChat Server 10.5 when CYRUS-SASL is compiled with GSSAPI support but no GSSAPI credentials are valid to connect to the server. Instead of always trying jabber:iq:auth if all SASL mechs fail, we now only do so in the specific case of a single mech having been attempted and that mech being GSSAPI. In general, this means that we now gracefully fail authentication with SASL rather than getting ourselves booted from servers not expecting a jabber:iq:auth stanza.


applied changes from ce00ec5bb0ec76da8360bd2098fb23cf7ba3e0ad
             through 4074575d1418097eacac79c9b2cbef96cb788265
   If SASL authentication fails, we generally shouldn't be setting an error
   message, as the actual error was communicated via the 
   "urn:ietf:params:xml:ns:xmpp-sasl" failure stanza. Setting an error means that
   jabber_auth_handle_failure() won't ever call jabber_parse_error() to extract
   the actual error message and interpretation.
   
   For example, if authentication fails, previously we would show "SASL 
   authentication failed" and think it was a PURPLE_CONNECTION_ERROR_NETWORK_ERROR
   which is incorrect. Now, jabber_parse_error() gets a chance to return
   "Not Authorized", clear the saved password, and return 
   PURPLE_CONNECTION_ERROR_AUTHENTICATION_FAILED.
   
   We should still set this error message if there is an internal SASL failure
   leading to SASL_BADPARAM or SASL_NOMEM.


-------------- next part --------------
============================================================
--- libpurple/protocols/jabber/auth_cyrus.c	aafb75c25acb032db5f51eff65172776e5b3ed17
+++ libpurple/protocols/jabber/auth_cyrus.c	7b18f7eac5d6e59383b4811501fcc55dcfe738e8
@@ -253,13 +253,13 @@ jabber_auth_start_cyrus(JabberStream *js
 					return JABBER_SASL_STATE_CONTINUE;
 
 				}
-				
-				/* not reached */
+
 				break;
 
 				/* Fatal errors. Give up and go home */
 			case SASL_BADPARAM:
 			case SASL_NOMEM:
+				*error = g_strdup(_("SASL authentication failed"));
 				break;
 
 				/* For everything else, fail the mechanism and try again */
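Review bot: With the error string now set only in the `SASL_BADPARAM`/`SASL_NOMEM` branch here, and the assignment before `return JABBER_SASL_STATE_FAIL;` removed in the hunk at -332, every other failing path returns `JABBER_SASL_STATE_FAIL` with `*error` untouched. That matches the commit message when a server failure stanza exists, but the function also appears to be reachable from jabber_cyrus_start(), where there is no stanza to parse, so callers must tolerate a NULL error without losing the failure reason. I would document the contract at the final return, e.g. `/* *error is only set for internal SASL failures; otherwise the caller derives the reason from the <failure/> stanza */`, and confirm the initial-start caller still reports something useful when no mechanism could be started. The switch and the function body extend beyond this hunk.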
@@ -299,8 +299,11 @@ jabber_auth_start_cyrus(JabberStream *js
 		xmlnode_set_namespace(auth, NS_XMPP_SASL);
 		xmlnode_set_attrib(auth, "mechanism", js->current_mech);
 
-		xmlnode_set_attrib(auth, "xmlns:ga", "http://www.google.com/talk/protocol/auth");
-		xmlnode_set_attrib(auth, "ga:client-uses-full-bind-result", "true");
+		if (g_str_equal(js->user->domain, "gmail.com") ||
+				g_str_equal(js->user->domain, "googlemail.com")) {
+			xmlnode_set_attrib(auth, "xmlns:ga", "http://www.google.com/talk/protocol/auth");
+			xmlnode_set_attrib(auth, "ga:client-uses-full-bind-result", "true");
+		}
 
 		if (clientout) {
 			if (coutlen == 0) {
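Review bot: The new domain test dereferences `js->user->domain` and compares it with `g_str_equal`, which is an exact, case-sensitive match and does not accept NULL. If the JID domain is not guaranteed to be set and lower-cased by this point (not visible in the hunk), the check could crash on a missing domain or skip the `ga:` attributes for a spelling such as `Gmail.com`. Accounts on other domains served by the same provider would also stop sending `ga:client-uses-full-bind-result`, which may change bind behaviour for them. Once the assumption is confirmed, a short comment such as `/* ga: extension is only sent to Google's own domains; relies on js->user->domain being normalized */` would record it. The enclosing block continues past the end of the hunk.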
@@ -332,7 +335,6 @@ jabber_auth_start_cyrus(JabberStream *js
 		*reply = auth;
 		return JABBER_SASL_STATE_CONTINUE;
 	} else {
-		*error = g_strdup(_("SASL authentication failed"));
 		return JABBER_SASL_STATE_FAIL;
 	}
 }
@@ -406,11 +408,13 @@ jabber_cyrus_start(JabberStream *js, xml
 			continue;
 		}
 
-		/* Don't include Google Talk's X-GOOGLE-TOKEN mechanism, as we will not
-		 * support it and including it gives a false fall-back to other mechs offerred,
-		 * leading to incorrect error handling.
+		/* Don't include Google Talk's X-GOOGLE-TOKEN mechanism
+		 * or Facebook Chat's X-FACEBOOK-PLATFORM mechansim,
+		 * as we will not support them and including them gives a false fall-back
+		 * to other mechs offerred, leading to incorrect error handling.
 		 */
-		if (g_str_equal(mech_name, "X-GOOGLE-TOKEN")) {
+		if (g_str_equal(mech_name, "X-GOOGLE-TOKEN")
+				|| g_str_equal(mech_name, "X-FACEBOOK-PLATFORM") ) {
 			g_free(mech_name);
 			continue;
 		}
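Review bot: The rewritten comment misspells `mechanism` as `mechansim` and keeps `offerred`; both are worth fixing while the lines are being touched. The skip list is also now an open-coded `||` chain, so each further unsupported mechanism means editing the condition. A small `static const char *` table of ignored mechanism names walked in a loop would keep the list and its explanation in one place. The loop this check sits in starts and ends outside the hunk.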
@@ -527,10 +531,6 @@ jabber_cyrus_handle_failure(JabberStream
                             xmlnode **reply, char **error)
 {
 	if (js->auth_fail_count++ < 5) {
-		gboolean tried_gssapi_first = FALSE;
-
-		tried_gssapi_first = (js->auth_fail_count == 1 && g_str_equal(js->current_mech, "GSSAPI"));
-
 		if (js->current_mech && *js->current_mech) {
 			char *pos;
 			if ((pos = strstr(js->sasl_mechs->str, js->current_mech))) {
@@ -546,8 +546,10 @@ jabber_cyrus_handle_failure(JabberStream
 			sasl_dispose(&js->sasl);
 
 			return jabber_auth_start_cyrus(js, reply, error);
-		} else if (tried_gssapi_first) {
-			/* If we tried GSSAPI first, it failed, and it was our only shot, try jabber:iq:auth
+
+		} else if ((js->auth_fail_count == 1) && 
+				   (js->current_mech && g_str_equal(js->current_mech, "GSSAPI"))) {
+			/* If we tried GSSAPI first, it failed, and it was the only method we had to try, try jabber:iq:auth
 			 * for compatibility with iChat 10.5 Server.
 			 *
 			 * iChat Server 10.5  offers SASL GSSAPI by default, which is often
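Review bot: This branch moves the session from SASL to legacy `jabber:iq:auth` purely on the basis of what the server offered and rejected, so it is an authentication downgrade that the remote side, or anyone able to alter the advertised stream features, can steer the client into. Whether that is safe depends on jabber_auth_start_old() applying the same transport-encryption and plaintext-auth policy as the SASL path, which is not visible in this hunk. I would state that dependency in the comment, e.g. `/* jabber_auth_start_old() must enforce the TLS / plaintext-auth policy itself; this fallback does not go through the SASL path */`, and log the fallback so it can be noticed. The `js->current_mech &&` guard in the new condition is a good change, since the removed `tried_gssapi_first` line passed it to `g_str_equal` unguarded. The if/else chain begins above the hunk and the comment continues below it.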
@@ -558,11 +560,11 @@ jabber_cyrus_handle_failure(JabberStream
 			 * Doing otherwise means that simply compiling with SASL support renders the client unable to connect to servers
 			 * which would connect without issue otherwise. -evands
 			 */
-			 sasl_dispose(&js->sasl);
-			 js->sasl = NULL;
-			 js->auth_mech = NULL;
-			 jabber_auth_start_old(js);
-			 return JABBER_SASL_STATE_CONTINUE;
+			sasl_dispose(&js->sasl);
+			js->sasl = NULL;
+			js->auth_mech = NULL;
+			jabber_auth_start_old(js);
+			return JABBER_SASL_STATE_CONTINUE;
 		}
 	}
 

