Merge branch 'master' of git://git.psyced.org/git/psyced

2011-08-02 16:43:57 +02:00 · 2011-08-02 16:43:57 +02:00 · 7840f73c91
parent 8d9cc4b1f5 3c20b2cd37
commit 7840f73c91
21 changed files with 243 additions and 138 deletions
--- a/world/net/include/net.h
+++ b/world/net/include/net.h
@ -135,12 +135,16 @@
 #endif

 #ifdef MUD
-# define	NO_NEWBIES
+# define	_flag_disable_authorization
+#endif
+
+#ifdef REGISTERED_USERS_ONLY
+# echo Please fix your #define REGISTERED_USERS_ONLY
+# define _flag_disable_unauthenticated_users
 #endif

 #ifdef RELAY
-# define	NO_NEWBIES	// same as REGISTERED_USERS_ONLY ?
-				// anyway, chance for some ifdef optimizations TODO
+# define	_flag_disable_authorization
 # define	IRCGATE_NICK		"PSYC.EU"
 # undef		DEFAULT_USER_OBJECT
 # define	DEFAULT_USER_OBJECT	IRC_PATH "ghost"
--- a/world/net/include/person.h
+++ b/world/net/include/person.h
@ -39,7 +39,7 @@
 # define ONLINE	(ME && (interactive(ME) || (member(v("locations"), 0) && sizeof(v("locations")[0]))))
 #endif

-#ifdef NO_NEWBIES
+#ifdef _flag_disable_authorization
 # define IS_NEWBIE	0
 #else
 # define IS_NEWBIE	(!v("password"))
--- a/world/net/jabber/active.c
+++ b/world/net/jabber/active.c
@ -315,7 +315,7 @@ tls_logon(result) {
 	mixed cert = tls_certificate(ME, 0);
 	P3(("active::certinfo %O\n", cert))
 	if (mappingp(cert)) {
-	    unless (certificate_check_jabbername(hostname, cert)) {
+	    unless (certificate_check_name(hostname, cert, "xmpp-server")) {
 #ifdef _flag_report_bogus_certificates
 		monitor_report("_error_invalid_certificate_identity",
 			       sprintf("%O presented a certificate that "
--- a/world/net/jabber/common.c
+++ b/world/net/jabber/common.c
@ -393,6 +393,7 @@ xmpp_error(node, xmpperror) {
    return 0;
 }

+// deprecated - use certificate_check_name from library/tls.c instead
 #ifdef WANT_S2S_TLS
 certificate_check_jabbername(name, cert) {
    mixed t;
--- a/world/net/jabber/disco.c
+++ b/world/net/jabber/disco.c
@ -18,7 +18,7 @@
 disco_info_root(vars) {
    string featurelist;
    featurelist = "<feature var='http://jabber.org/protocol/muc'/>"
-#ifndef REGISTERED_USERS_ONLY
+#ifndef _flag_disable_unauthenticated_users
 # ifndef _flag_disable_registration
 #  ifndef _flag_disable_registration_XMPP
 		"<feature var='jabber:iq:register'/>"
--- a/world/net/jabber/gateway.c
+++ b/world/net/jabber/gateway.c
@ -291,13 +291,14 @@ jabberMsg(XMLNode node) {
 	// paranoia note: as with XEP 0178 we might want to check dns anyway to
 	// 	protect against stolen certificates
 	if (mappingp(certinfo) && certinfo[0] == 0 
-	    && node["@from"] && certificate_check_jabbername(node["@from"], certinfo)) {
-		P0(("dialback without dialback %O\n", certinfo))
+	    && node["@from"] && certificate_check_name(node["@from"], certinfo, "xmpp-server")) {
+		P2(("dialback without dialback %O\n", certinfo))
 		verify_connection(node["@to"], node["@from"], "valid"); 
 	} else {
 		sendmsg(origin,
 			"_dialback_request_verify", 0,
 			([ "_INTERNAL_target_jabber" : source,
+		// we shouldnt have to NAMEPREP a static string.. FIXME
 			   "_INTERNAL_source_jabber" : NAMEPREP(_host_XMPP),
 			   "_dialback_key" : node[Cdata],
 			   "_tag" : streamid
@ -413,7 +414,7 @@ jabberMsg(XMLNode node) {
 		 */
 		int success = 0;

-		success = certificate_check_jabbername(t, certinfo);
+		success = certificate_check_name(t, certinfo, "xmpp-server");
 		if (success) {
 		    emitraw("<success xmlns='" NS_XMPP "xmpp-sasl'/>");
 		    P2(("successful sasl external authentication with "
@ -541,8 +542,8 @@ open_stream(XMLNode node) {
 		    // sasl external if we know that it will succeed
 		    // later on
 		    if (node["@from"] &&
-			    certificate_check_jabbername(node["@from"],
-						     certinfo)) {
+			    certificate_check_name(node["@from"],
+						     certinfo, "xmpp-server")) {
 			packet += "<mechanisms xmlns='" NS_XMPP "xmpp-sasl'>";
 			packet += "<mechanism>EXTERNAL</mechanism>";
 			packet += "</mechanisms>";
--- a/world/net/jabber/jabber.h
+++ b/world/net/jabber/jabber.h
@ -86,6 +86,7 @@ virtual inherit JABBER_PATH "common";

 // net/jabber is not ready for regular is_localhost
 #define is_localhost(a) (lower_case(a)) == _host_XMPP
+// but.. what about NAMEPREP here?


 #define JABSOURCE "_INTERNAL_source_jabber"
--- a/world/net/jabber/server.c
+++ b/world/net/jabber/server.c
@ -187,7 +187,7 @@ jabberMsg(XMLNode node) {
 	    case "jabber:iq:register":
 		if (node["@type"] == "get"){
 		    string packet;
-#if defined(REGISTERED_USERS_ONLY) || defined(_flag_disable_registration) || defined(_flag_disable_registration_XMPP)
+#if defined(_flag_disable_unauthenticated_users) || defined(_flag_disable_registration) || defined(_flag_disable_registration_XMPP)
 		    // super dirty.. this should all be in textdb
 		    packet = sprintf("<iq type='result' id='%s'>"
 				     "<query xmlns='jabber:iq:register'/>"
@ -234,7 +234,7 @@ jabberMsg(XMLNode node) {
 			emit(packet);
 			// QUIT
 		    } else {
-#if defined(REGISTERED_USERS_ONLY) || defined(_flag_disable_registration) || defined(_flag_disable_registration_XMPP)
+#if defined(_flag_disable_unauthenticated_users) || defined(_flag_disable_registration) || defined(_flag_disable_registration_XMPP)
 			// TODO: generate some error as above
 #else
 			user -> vSet("password", t[Cdata]);
@ -358,7 +358,7 @@ jabberMsg(XMLNode node) {
 # endif
 		break;
 #endif
-#ifndef REGISTERED_USERS_ONLY
+#ifndef _flag_disable_unauthenticated_users
 	    case "ANONYMOUS":
 		unless(node[Cdata]) {
 		    SASL_ERROR("incorrect-encoding")
@ -481,10 +481,12 @@ open_stream(XMLNode node) {
 		      "<mechanism>DIGEST-MD5</mechanism>"
 #endif
 		      "<mechanism>PLAIN</mechanism>";
-#ifndef REGISTERED_USERS_ONLY
+#ifndef _flag_disable_unauthenticated_users
 		    // sasl anonymous
 		      "<mechanism>ANONYMOUS</mechanism>";
 #endif
+		// here it makes sense to use check_jabbername 
+		// but that is currently unused anyway
 #if __EFUN_DEFINED__(tls_available)
 		if (tls_available() && tls_query_connection_state(ME) > 0
 			&& mappingp(certinfo) && certinfo[0] == 0
@ -494,7 +496,7 @@ open_stream(XMLNode node) {
 #endif
 		features += "</mechanisms>";
 		features += "<auth xmlns='http://jabber.org/features/iq-auth'/>";
-#ifndef REGISTERED_USERS_ONLY
+#ifndef _flag_disable_unauthenticated_users
 		features += "<register xmlns='http://jabber.org/features/iq-register'/>";
 #endif
 	    }
--- a/world/net/jabber/user.c
+++ b/world/net/jabber/user.c
@ -277,6 +277,7 @@ logon() {
 #endif
    nodeHandler = #'jabberMsg;
    set_prompt("");
+    // we shouldn't have to NAMEPREP our SERVER_HOST for each new user.. FIXME
    myjid = NODEPREP(MYLOWERNICK) +"@" + NAMEPREP(SERVER_HOST);
    myjidresource = myjid +"/"+ RESOURCEPREP(resource);
    P2(("%O ready to rumble (%O)\n", myjidresource, ME))
@ -626,7 +627,7 @@ iq(XMLNode node) {
 	    break;
 	}
 	break;
-#if !defined(REGISTERED_USERS_ONLY) && !defined(_flag_disable_registration) && !defined(_flag_disable_registration_XMPP)
+#if !defined(_flag_disable_unauthenticated_users) && !defined(_flag_disable_registration) && !defined(_flag_disable_registration_XMPP)
    case "jabber:iq:register":
 	switch(node["@type"]) {
 	case "get":
--- a/world/net/library.i
+++ b/world/net/library.i
@ -132,6 +132,8 @@ static varargs void ready_freddie(vamixed ip) {

 static void create() {
 	PROTECT("CREATE")
+	string t;
+
 #ifndef __PIKE__
        master = previous_object();
 	restore_object(DATA_PATH "library");
@ -194,7 +196,7 @@ static void create() {
 #ifdef VOLATILE
 	D("VOLATILE flag set: Server will not save any data.\n");
 #endif
-	myLowerCaseHost = lower_case(SERVER_HOST);
+	myLowerCaseHost = NAMEPREP(SERVER_HOST);
 	register_localhost(myLowerCaseHost);
 #ifdef __PIKE__
        //debug_write("Creating psyced library in Pike.\n");
@ -259,9 +261,10 @@ static void create() {
 #ifdef JABBER_PATH
 	register_target("xmpp:"+ myLowerCaseHost);
 # ifdef _host_XMPP
-        register_localhost(lower_case(_host_XMPP));
-	register_target(lower_case(_host_XMPP));
-	register_target("xmpp:"+ lower_case(_host_XMPP));
+	t = NAMEPREP(_host_XMPP);
+        register_localhost(t);
+	register_target(t);
+	register_target("xmpp:"+ t);
 # endif
 #endif
 	// base64decode("test2000");
--- a/world/net/library/tls.c
+++ b/world/net/library/tls.c
@ -82,3 +82,78 @@ mapping tls_certificate(object who, int longnames) {
    P2(("cert is %O\n", cert))
    return cert;
 }
+
+// generalized variant of the old certificate_check_jabbername
+// RFC 6125 describes the process in more detail
+int certificate_check_name(string name, mixed cert, string scheme) {
+    mixed t;
+    string idn;
+    // FIXME: should probably be more careful about internationalized
+    // domain names - need testcases
+#define WILDCARD_MATCH(thing) (strlen(thing) > 2 && thing[0] == '*' && thing[1] == '.' && trail(thing[2..], name))
+    /* this does not support wildcards if there is more than one
+     * id-on-xmppAddr/CN
+     * API Note: name MUST be an utf8 string
+     */
+    unless(name && cert && mappingp(cert)) return 0;
+
+    name = NAMEPREP(name);
+
+    // subjectAlternativeName - dNSName
+    if ((t = cert["2.5.29.17:dNSName"])) { 
+	if (stringp(t)) t = ({ t });
+	foreach(string t2 : t) {
+	    t2 = NAMEPREP(t2);
+	    if (name == t2 || WILDCARD_MATCH(t2))
+		return 1;
+	}
+    } 
+
+    // subjectAlternativeName - SRV ID - FIXME
+    // unfortunately, the only ones I have encountered so far were ... unusable
+    if ((t = cert["2.5.29.17:1.3.6.1.5.5.7.8.7"])) {
+	    P2(("encountered SRVName, please tell fippo: %O\n", t))
+    }
+
+    // URI ID  - FIXME
+    // not seen yet
+    
+#if 0
+    // id-on-xmppAddr - have not seen them issued by anyone but 
+    // startcom and those usually include dnsname, too
+    if ((t = cert["2.5.29.17:1.3.6.1.5.5.7.8.5"])) { 
+	if (pointerp(t)) {
+	    if (member(t, name) != -1) return 1;
+	    foreach(string cn : t) {
+		if (NAMEPREP(cn) == name) return 1;
+	    }
+	} 
+	else if (name == NAMEPREP(t))
+	    return 1;
+    } 
+#endif
+
+    // commonName - deprecated to put the host here but...
+    // this is only to be checked if no subjectAlternativeName is present
+    if (!cert["2.5.29.17"] && (t = cert["2.5.4.3"])) { // common name
+	if (pointerp(t)) { // does that happen?! I don't think so...
+	    // fast way - works for traditional hostnames
+	    if (member(t, name) != -1) return 1;
+
+	    // look for idn encoded stuff
+	    foreach(string cn : t) {
+		idn = NAMEPREP(idna_to_unicode(cn));
+		if (idn == name) return 1;
+	    }
+	    return 0;
+	} 
+#ifdef __IDNA__
+	idn = NAMEPREP(idna_to_unicode(t));
+#else
+	idn = NAMEPREP(t);
+#endif
+	if (idn == name || WILDCARD_MATCH(idn))
+	    return 1;
+    }
+    return 0;
+}
--- a/world/net/person.c
+++ b/world/net/person.c
@ -756,7 +756,7 @@ checkPassword(try, method, salt, args, cb, varargs cbargs) {
 #endif
 	// why here?
 	//while (remove_call_out(#'quit) != -1);
-#ifndef REGISTERED_USERS_ONLY
+#ifndef _flag_disable_unauthenticated_users
 # ifdef AUTH_HMAC_SECRET
        if (IS_NEWBIE && method != "hmac-sha1-shared") ARETURN(1)
 # else
--- a/world/net/psyc/circuit.c
+++ b/world/net/psyc/circuit.c
@ -225,8 +225,8 @@ int logon(int neverfails) {
 		P1(("%O believing dNSName %O\n", ME, m))
 		// probably also: register_target?
 		// but be careful never to register_target wildcards
-		if (stringp(m)) sAuthenticated(NAMEPREP(m));
-		else foreach(t : m) sAuthenticated(NAMEPREP(t));
+		if (stringp(m)) sAuthenticated(m);
+		else foreach(t : m) sAuthenticated(t);
 	    }
 //#ifdef _flag_allow_certificate_name_common	// to be switched this year
 # ifndef _flag_disallow_certificate_name_common
@ -235,7 +235,7 @@ int logon(int neverfails) {
 	    // note: CN is deprecated for good reasons.
 	    else if (t = cert["2.5.4.3"]) {
 		P1(("%O believing CN %O\n", ME, t))
-		sAuthenticated(NAMEPREP(t));
+		sAuthenticated(t);
 	    }
 # endif
 	    if (m = tls_query_connection_info(ME)) {
--- a/world/net/psyc/library.i
+++ b/world/net/psyc/library.i
@ -343,6 +343,9 @@ int psyc_sendmsg(mixed target, string mc, mixed data, mapping vars,
 		    // nothing else is possible, but some clients may
 		    // no longer be able to connect to you...
 		}
+#ifdef USE_SPYC
+		o -> sender_verification(SERVER_UNIFORM, u[URoot]);
+#endif
 		register_target($4, o);
 		register_target(psychopo, o);
 		register_target(psycippo, o);
--- a/world/net/psyc/parse.i
+++ b/world/net/psyc/parse.i
@ -598,7 +598,7 @@ vamixed getdata(string a) {
 #else
 # ifdef PSYC_TCP
 		// Authenticated
-		} else if (qAuthenticated(NAMEPREP(u[UHost]))) {
+		} else if (qAuthenticated(u[UHost])) {
 			if (u[UTransport] && (u[UTransport] !=
 #  if __EFUN_DEFINED__(tls_query_connection_state)
 			    tls_query_connection_state() ? "s" :
@ -997,17 +997,34 @@ protected int deliver(mixed ip, string host, string mc, string buffer, mapping c
                            }
                            P1(("RELAYING denied from %O to %O (%O)\n",
                                source, t, ME))
-#if 0
 			    monitor_report("_warning_unsupported_relay",
 				  S("%O is trying to find %O here. Relaying denied.\n", ME, t));
 			    croak("_failure_unsupported_relay",
 				//"Well done mate, you crashed me.");
 				"Relaying denied: [_host] is not a hostname of ours.",
 				    ([ "_host": u[UHost] ]));
+#if 0
 			    // TODO: we quit here to not do the same hash-lookup
 			    // in rootmsg again.
 			    // (didn't get it? nevermind.. it's just el's sick humor)
 			    QUIT
+#else
+			    // we do not QUIT here as an evil attacker may
+			    // CNAME his evil.com to us and try to disrupt
+			    // our communications with some popular server
+			    // by making us drop an otherwise very popular
+			    // circuit. then again, what if a sender SHOULD
+			    // not send to us with any other hostname but
+			    // the one we announced ourselves as _source
+			    // when we sent our first greeting() ? then we
+			    // could just dump "illegal" transmissions.
+			    // well, we don't need to be so harsh against
+			    // multi domain hosters really: relaying is
+			    // denied by default so the attacker needs to
+			    // be a user on the sending server. in the end
+			    // it's a question of trust: don't let zero
+			    // trust users send funny amounts of data.
+			    return 1;
 #endif
 			}
 			// .. yes.. add is_localhost check here, but without callback
--- a/world/net/root.c
+++ b/world/net/root.c
@ -55,7 +55,7 @@ msg(source, mc, data, vars, showingLog, target) {
 				       	"version",    // _tab
 					"time", "lasttime"
 #endif
-#if !defined(REGISTERED_USERS_ONLY) && !defined(_flag_disable_registration) &&!defined(_flag_disable_registration_XMPP)
+#if !defined(_flag_disable_unauthenticated_users) && !defined(_flag_disable_registration) &&!defined(_flag_disable_registration_XMPP)
 					"registration",
 #endif
 #ifndef VOLATILE
--- a/world/net/server.c
+++ b/world/net/server.c
@ -81,7 +81,7 @@ hello(ni, elm, try, method, salt) {
 				     ni, try, elm);
 }

-#ifdef REGISTERED_USERS_ONLY	// TODO: rename into a _flag
+#ifdef _flag_disable_unauthenticated_users
 ohYeah(whatever) {
 	input_to(#'ohYeah, input_to_settings);
 	// input ignore warning? inverting mc's is really a good idea!
@ -120,7 +120,7 @@ authChecked(int result, ni, try, elm) {
 //			    return;
 //		    }
 		}
-#ifdef REGISTERED_USERS_ONLY
+#ifdef _flag_disable_unauthenticated_users
 		else {
 			if (user -> isNewbie()) {
 #ifdef PSYC_SYNCHRONIZE
@ -157,7 +157,7 @@ authChecked(int result, ni, try, elm) {
 		return promptForPassword(user);
 #endif
 	}
-#ifndef REGISTERED_USERS_ONLY
+#ifndef _flag_disable_unauthenticated_users
 	// added user->isNewbie() check for ircers
 	if (user->online() && user->isNewbie()
 #ifdef _flag_log_hosts
--- a/world/net/spyc/circuit.c
+++ b/world/net/spyc/circuit.c
@ -38,6 +38,7 @@ mapping outstate;

 mapping legal_senders;

+array(mixed) verify_queue = ({ });

 volatile int flags = 0;

@ -74,24 +75,26 @@ varargs mixed croak(string mc, string data, vamapping vars, vamixed source) {
    return 0;
 }

-#ifdef USE_VERIFICATION
 // request sender authentication and/or target acknowledgement 
 // from the remote side
-void sender_verification(array(string) sourcehosts, array(string) targethosts)
+void sender_verification(string sourcehost, mixed targethost)
 {
-    // FIXME: wrong variables here
-    mapping vars = ([ "_list_sources_hosts" : sourcehosts,
-		    "_list_targets_hosts" : targethosts,
-		    "_tag" : RANDHEXSTRING ]);
-    // assumption: we have already resolved all targethosts and 
-    // they point to the remote ip
-    foreach(string ho : targethosts) {
-	sAuthenticated(ho);
+    unless(interactive()) {
+	    verify_queue += ({ ({ sourcehost, targethost }) });
+	    return;
    }
-
-    msg(0, "_request_verification", 0, vars);
+    mapping vars = ([ "_uniform_source" : sourcehost,
+		    "_uniform_target" : targethost,
+		    "_tag" : RANDHEXSTRING ]);
+    P0(("sender_verification(%O, %O)\n", sourcehost, targethost))
+    // since we send packets to them we should trust them to
+    // send packets to us, eh?
+    if (stringp(targethost)) {
+	    targethost = parse_uniform(targethost);
+    }
+    sAuthenticated(targethost[UHost]);
+    msg(0, "_request_authorization", 0, vars);
 }
-#endif

 // gets called during socket logon
 int logon(int failure) {
@ -117,10 +120,10 @@ int logon(int failure) {
 	    // probably also: register_target?
 	    // but be careful never to register_target wildcards
 	    if (stringp(m)) 
-		sAuthenticated(NAMEPREP(m));
+		sAuthenticated(m);
 	    else 
 		foreach(t : m) 
-		    sAuthenticated(NAMEPREP(t));
+		    sAuthenticated(t);
 	}
 //#ifdef _flag_allow_certificate_name_common	// to be switched this year
 #ifndef _flag_disallow_certificate_name_common
@ -129,7 +132,7 @@ int logon(int failure) {
 	// note: CN is deprecated for good reasons.
 	else if (t = cert["2.5.4.3"]) {
 	    P1(("%O believing CN %O\n", ME, t))
-	    sAuthenticated(NAMEPREP(t));
+	    sAuthenticated(t);
 	}
 #endif
 	if (m = tls_query_connection_info(ME)) {
@ -161,20 +164,12 @@ int logon(int failure) {
    // FIXME
    unless(isServer()) {
 	emit("|\n"); // initial greeting
-#ifdef USE_FEATURES
-	// we have no features to request or offer
-	msg(0, "_request_features", 0);
-#else
-# ifdef USE_VERIFICATION
-	// start hostname verification
-	// rather: look at Q and look for the hostnames we need
-	sender_verification(({ SERVER_HOST }), ({ peerhost }));
-# else
-	if (function_exists("runQ")) {
-	    runQ();
+	if (sizeof(verify_queue)) {
+	    foreach(mixed t : verify_queue) {
+		sender_verification(t[0], t[1]);
+	    }
+	    verify_queue = ({ });
 	}
-# endif
-#endif
    }
    return 1;
 }
@ -209,74 +204,66 @@ first_response() {
 // receives a msg from the remote side
 // note: this is circuit-messaging
 void circuit_msg(string mc, mapping vars, string data) {
+    mapping rv = ([ ]);
+    mixed *u;
    switch(mc) {
-    case "_request_verification":
-	if (tls_query_connection_state(ME) == 0) {
-	    array(string) targethosts = ({ });
-	    foreach(string ho : vars["_list_targets_hosts"]) {
-		if (is_localhost(ho)) {
-		    targethosts += ({ ho });
-		}
-	    }
-	    if (sizeof(vars["_list_sources_hosts"]) == 1) {
-		// doing multiple resolutions in parallel is more complicated
-		string ho = vars["_list_sources_hosts"][0];
-		if (qAuthenticated(ho)) {
-		    P0(("warning: trying to reverify authenticated host %O",ho))
-		} else {
-		    dns_resolve(ho, (: 
-			// FIXME: psyc/parse::deliver is much better here
-			mixed rv = (["_list_targets_accepted_hosts":targethosts]);
+    case "_request_authorization":
+	if (vars["_tag"]) {
+		rv["_tag_relay"] = vars["_tag"];
+	}
+	if (!vars["_uniform_source"] && vars["_uniform_target"]) {
+		CIRCUITERROR("_request_authorization without uniform source and/or target?!");
+	}

-			if (vars["_tag"]) rv["_tag_reply"] = vars["_tag"];
-			if ($1 == peerip) {
-			    sAuthenticated(NAMEPREP(ho));
-			    rv["_list_sources_verified_hosts"] = ({ ho });
-			} else {
-			    rv["_list_sources_rejected_hosts"] = ({ ho });
-			}
-			msg(0, "_notice_verification", 0, rv);
-			return;
-		    :));
+	rv["_uniform_target"] = vars["_uniform_target"];
+	rv["_uniform_source"] = vars["_uniform_source"];
+
+	u = parse_uniform(vars["_uniform_target"]);
+	if (!(u && is_localhost(u[UHost]))) {
+		msg(0, "_error_invalid_uniform_target", "[_uniform_target] is not hosted here.", rv);
+		return;
+	}
+	u = parse_uniform(vars["_uniform_source"]);
+	// qAuthenticated does that:u[UHost] = NAMEPREP(u[UHost]);
+	if (qAuthenticated(u[UHost])) {
+		// possibly different _uniform_target only
+		if (flags & TCP_PENDING_TIMEOUT) {
+			P0(("removing call out\n"))
+					remove_call_out(#'quit);
+			flags -= TCP_PENDING_TIMEOUT;
 		}
-	    } else {
-		// FIXME!!!!
-		CIRCUITERROR("sorry, no more than one element in _list_sources_hosts currently");
-		P0(("more than one element in _list_sources_hosts: %O\n", vars["_list_sources_hosts"]))
-	    }
-	    // keep tag if present!!!
-	    // resolve all of _list_sources_hosts
-	    // look at _list_targets_hosts and determine localhostiness
+		msg(0, "_status_authorization", 0, rv);
+	// } else if (tls_query_connection_state(ME) == 1 && ...) {
+	// FIXME
 	} else {
-	    CIRCUITERROR("_request_verification is not allowed on TLS circuits.");
+		string ho = u[UHost];
+		// FIXME: this actually needs to consider srv, too...
+		dns_resolve(ho, (: 
+				 // FIXME: psyc/parse::deliver is much better here
+				 P0(("resolved %O to %O, expecting %O\n", ho, $1, peerip))
+				 if ($1 == peerip) {
+					sAuthenticated(ho);
+					if (flags & TCP_PENDING_TIMEOUT) {
+						P0(("removing call out\n"))
+						remove_call_out(#'quit);
+						flags -= TCP_PENDING_TIMEOUT;
+					}
+					msg(0, "_status_authorization", 0, rv);
+				 } else {
+				 	msg(0, "_error_invalid_uniform_source", 0, rv);
+				 }
+				 return;
+				 :));
 	}
 	break;
-    case "_notice_features":
-	// FIXME: watch for _list_using_modules
-	if (flags & TCP_PENDING_TIMEOUT) {
-	    P0(("removing call out\n"))
-	    remove_call_out(#'quit);
-	    flags -= TCP_PENDING_TIMEOUT;
-	}
-	sTextPath();
-#ifdef USE_FEATURES
-	if (tls_query_connection_state(ME) == 0) {
-# ifdef USE_VERIFICATION
-	    // start hostname verification
-	    // rather: look at Q and look for the hostnames we need
-	    sender_verification(({ SERVER_HOST }), ({ peerhost }));
-# endif
-	} else {
-	    if (function_exists("runQ")) {
-		runQ();
-	    }
-	}
-#endif
-	break;
-    case "_notice_verification":	
-	P0(("_notice verification with %O\n", vars))
+    case "_status_authorization":	
+	P0(("_status authorization with %O\n", vars))
+	// this means we can send from _uniform_source to _uniform_target
+	// we already did sAuthenticated _uniform_target before so we can't get
+	// tricked into it here
 	if (function_exists("runQ")) {
-	    runQ();
+	    runQ(); 
+	    // actually runQ(_uniform_source, _uniform_target)
 	}
 	break;
    default:
@ -290,6 +277,7 @@ varargs int msg(string source, string mc, string data,
    mapping vars, int showingLog, mixed target) {

    string buf = "";
+    mixed u;

    unless(vars) vars = ([ ]);
    buf = render_psyc(source, mc, data, vars, showingLog, target);
--- a/world/net/spyc/dispatch.i
+++ b/world/net/spyc/dispatch.i
@ -161,14 +161,12 @@ void dispatch(mapping rvars, mapping evars, mixed method, mixed body) {
        unless (u = parse_uniform(t)) {
            DISPATCHERROR("logical source is not a uniform\n")
        }
-#ifdef USE_VERIFICATION
-# ifdef PSYC_TCP
-        unless (qAuthenticated(NAMEPREP(u[UHost]))) {
+#ifdef PSYC_TCP
+        unless (qAuthenticated(u[UHost])) {
            DISPATCHERROR("non-authenticated host\n")
        }
-# else
+#else
        // TODO?
-# endif
 #endif
    }

--- a/world/net/spyc/server.c
+++ b/world/net/spyc/server.c
@ -69,6 +69,7 @@ void greet() {
 	// should be sharing code with net/psyc and do a proper greeting
 	// three separate packets follow (thus three emits)
 	//emit(S_GLYPH_PACKET_DELIMITER "\n");
+	/*
 	emit("\
 :_source\t"+ SERVER_UNIFORM +"\n\
 :_target_peer\tpsyc://"+ peeraddr +"/\n\
@ -81,6 +82,7 @@ _status_circuit\n" S_GLYPH_PACKET_DELIMITER "\n");
 #ifdef _flag_log_sockets_SPYC
 	log_file("RAW_SPYC", "« %O greeted.\n", ME);
 #endif
+	*/
 }

 static void resolved(mixed host, mixed tag) {
@ -176,20 +178,27 @@ static void resolved(mixed host, mixed tag) {
 	sTextPath();
 	greet();

-	// FIXME: determine response to greeting
-	// 	instead of this dummy
-	msg(0, "_notice_features", 0, tag ? ([ "_tag_reply" : tag ]) : 0);
+	//msg(0, "_notice_features", 0, tag ? ([ "_tag_reply" : tag ]) : 0);
 }

-void circuit_msg(string mc, mapping vars, string data) {
-    switch(mc) {
-    case "_request_features": // only servers handle _request_features
-	interrupt_parse();
-	dns_rresolve(peerip, #'resolved, vars && vars["_tag"]);
-	break;
-    default:
-	return ::circuit_msg(mc, vars, data);
-    }
+int logon(int nothing) {
+	P2(("%O accepted TCP from %O (%s:%O)\n", ME,
+	    query_ip_name(), query_ip_number(), peerport))
+	// we could set the next_input_to and reply with _failure until
+	// hostname is resolved  .. TODO  ... no, we need some form
+	// of queuing for the scripts which do not wait.. why? don't we
+	// squeeze received packets thru dns-lambdas anyway?
+	// peerport has either positive or negative value
+	//peeraddr = peerip+":"+peerport;
+	::logon(0);
+#if 0 //def EXPERIMENTAL
+	// added this because greet() happens after dns resolution and
+	// some quick clients may not be waiting that long.. then again
+	// if they do, they deserve other treatment
+	sTextPath();
+#endif
+	dns_rresolve(peerip, #'resolved);
+	return 1;   // success
 }

 #endif // LIBPSYC
--- a/world/net/trust.c
+++ b/world/net/trust.c
@ -29,12 +29,14 @@ volatile mapping authhosts;
 void sAuthenticated(string hostname) { 
    P3(("sAuthenticated: %O\n", hostname))
    unless(authhosts && mappingp(authhosts)) authhosts = ([ ]);
+    hostname = NAMEPREP(hostname);
    authhosts[hostname] = 1;
 } 

 int qAuthenticated(mixed hostname) {
    P3(("qAuthenticated %O, %O\n", hostname, authhosts))
    unless (authhosts && mappingp(authhosts)) return 0;
+    hostname = NAMEPREP(hostname);
    return member(authhosts, hostname);
 }