adium.1-4: 5d1cd42e: Keep track of auth failures from mechani...

evands at pidgin.im evands at pidgin.im
Fri May 14 09:06:56 EDT 2010


-----------------------------------------------------------------
Revision: 5d1cd42e92b6d03e3c1556c107bf4e6174743813
Ancestor: bf4b720f9231b395fb51bf1e27440328d46bceb5
Author: evands at pidgin.im
Date: 2010-05-14T13:00:13
Branch: im.pidgin.adium.1-4
URL: http://d.pidgin.im/viewmtn/revision/info/5d1cd42e92b6d03e3c1556c107bf4e6174743813

Modified files:
        libpurple/protocols/jabber/auth_cyrus.c

ChangeLog: 

Keep track of auth failures from mechanisms failing for any reason. If we hit 'no mech' with only one mech tried, and that one mech is GSSAPI, we should still do the jabber:iq:auth fallback. This is apparently needed beyond just iChat 10.5 server; several corporate users noted immediate failure to connect without it in Adium's #13975.

-------------- next part --------------
============================================================
--- libpurple/protocols/jabber/auth_cyrus.c	7cfaf24c96ed114247da8ca081ca1d4a77644bd6
+++ libpurple/protocols/jabber/auth_cyrus.c	bf18f3031be45708a2382b17c500d60c682d1178
@@ -252,6 +252,25 @@ jabber_auth_start_cyrus(JabberStream *js
 					g_free(msg);
 					return JABBER_SASL_STATE_CONTINUE;
 
+				} else
+					js->auth_fail_count++;
+
+				if (js->auth_fail_count == 1 &&
+					(js->sasl_mechs->str && g_str_equal(js->sasl_mechs->str, "GSSAPI"))) {
+					/* If we tried GSSAPI first, it failed, and it was the only method we had to try, try jabber:iq:auth
+					 * for compatibility with iChat 10.5 Server and other jabberd based servers.
+					 *
+					 * iChat Server 10.5 and certain other corporate servers offer SASL GSSAPI by default, which is often
+					 * not configured on the client side, and expects a fallback to jabber:iq:auth when it (predictably) fails.
+					 *
+					 * Note: xep-0078 points out that using jabber:iq:auth after a sasl failure is wrong. However,
+					 * I believe this refers to actual authentication failure, not a simple lack of concordant mechanisms.
+					 * Doing otherwise means that simply compiling with SASL support renders the client unable to connect to servers
+					 * which would connect without issue otherwise. -evands
+					 */
+					js->auth_mech = NULL;
+					jabber_auth_start_old(js);
+					return JABBER_SASL_STATE_CONTINUE;					
 				}
 
 				break;
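Review bot: the new call to jabber_auth_start_old(js) is gated only on js->auth_fail_count == 1 and js->sasl_mechs->str being exactly "GSSAPI", and that mechanism list comes from the server, so the peer's advertisement alone decides whether the client leaves SASL for jabber:iq:auth. Please confirm that jabber_auth_start_old enforces the same policy on plaintext credentials and unencrypted streams as the SASL path (nothing in this hunk shows it), or check that here before falling back. Two smaller points: the brace-less "} else js->auth_fail_count++;" directly followed by an unrelated "if" is easy to misread, so brace the else; and js->sasl_mechs is dereferenced without a NULL check on the pointer itself. The condition and comment also duplicate the block in jabber_cyrus_handle_failure; a shared helper would keep the two copies from drifting.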
@@ -266,6 +285,8 @@ jabber_auth_start_cyrus(JabberStream *js
 			default:
 				purple_debug_info("sasl", "sasl_state is %d, failing the mech and trying again\n", js->sasl_state);
 
+				js->auth_fail_count++;
+
 				/*
 				 * DAA: is this right?
 				 * The manpage says that "mech" will contain the chosen mechanism on success.
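Review bot: js->auth_fail_count is now incremented in this default branch as well as in the new else branch earlier in jabber_auth_start_cyrus, while both fallback checks test auth_fail_count == 1 exactly. The debug message here says the mech is failed and tried again, so if that retry reaches the other increment for the same attempt the count becomes 2 and the GSSAPI fallback is silently skipped. Please document what the counter counts (mechanisms failed versus failure events), make sure each failed mechanism is counted once, and note where it is reset between connection attempts.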
@@ -539,9 +560,9 @@ jabber_cyrus_handle_failure(JabberStream
 		} else if ((js->auth_fail_count == 1) && 
 				   (js->current_mech && g_str_equal(js->current_mech, "GSSAPI"))) {
 			/* If we tried GSSAPI first, it failed, and it was the only method we had to try, try jabber:iq:auth
-			 * for compatibility with iChat 10.5 Server.
+			 * for compatibility with iChat 10.5 Server and other jabberd based servers.
 			 *
-			 * iChat Server 10.5  offers SASL GSSAPI by default, which is often
+			 * iChat Server 10.5 and certain other corporate servers offer SASL GSSAPI by default, which is often
 			 * not configured on the client side, and expects a fallback to jabber:iq:auth when it (predictably) fails.
 			 *
 			 * Note: xep-0078 points out that using jabber:iq:auth after a sasl failure is wrong. However,
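Review bot: the updated comment still says GSSAPI "was the only method we had to try", but the condition above it tests js->current_mech, while the copy of this comment added in jabber_auth_start_cyrus sits under a test of js->sasl_mechs->str. Those are different conditions (the mechanism just attempted versus the mechanism list), so each comment should say which one it relies on, or both sites should use the same test. "certain other corporate servers" is also vague for a comment that justifies departing from XEP-0078; naming the server software or referencing the Adium ticket from the commit message would make the exception auditable.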

