introducing TLS requirement for IRC users

world/net/include/place.gen

@@ -613,10 +613,15 @@ htget(prot, query, headers, qs) {
 #ifdef CHALLENGE_MATCH
 #include <sys/regexp.h>
 
+#define CHALOG(verb)	log_file("CHALLENGE", "%s %s %O A:%O P:%O C:%O\n", \
+		 MYNICK, verb, query_ip_name(), \
+		 query["answer"], query["parameters"], headers["cookie"])
+
 // maybe this all belongs into archetype.gen.. chesmo!
 htget(prot, query, headers, qs, data, noprocess) {
 	if (stringp(headers["cookie"]) && regmatch(headers["cookie"],
 		 "challenge=complete&answer="+ md5(CHALLENGE_MATCH))) {
+		CHALOG("completes");
 		htnotify(query, headers, "_accomplished_web",
 		    "Challenge accomplished in [_nick_place] by [_web_on] coming from [_web_from].");
 # ifdef CHALLENGE_REDIRECT
@@ -638,6 +643,7 @@ htget(prot, query, headers, qs, data, noprocess) {
 		string nu = stringp(query["parameters"]) &&
 			     strlen(query["parameters"]) ?
 			 item +"?"+ query["parameters"] : item;
+		CHALOG("reloads");
 		htredirect(prot, nu, "Reload, please", 0, "Set-Cookie: psycplace=\"challenge=complete&answer="+ md5(CHALLENGE_MATCH) +"\"; path="+ item +";\n");
 		return 1;
 	}
@@ -646,6 +652,7 @@ htget(prot, query, headers, qs, data, noprocess) {
 	// url that allows other people to bypass the challenge.
 	// could add a timeout here...
 	htok3(prot, 0, "Set-Cookie: psycplace=\"challenge=given\"; path="+ item +";\n");
+	CHALOG("challenges");
 	w("_PAGES_group_challenge", 0,
 	    ([ "_challenge" : htquote(CHALLENGE_QUESTION),
 		    // if the user failed the challenge,
@@ -655,6 +662,7 @@ htget(prot, query, headers, qs, data, noprocess) {
 	// printf("%O vs %O\n", query, headers);
 	htnotify(query, headers, "_challenged_web",
 	    "[_nick_place] challenges [_web_on] coming from [_web_from].");
+	    //	(query [_web_query], cookie [_web_cookie]).");
 	return 1;
 }
 #endif

world/net/irc/server.c

@@ -38,6 +38,12 @@ createUser(nick) {
 	return named_clone(IRC_PATH "user", nick);
 }
 
+#ifndef _flag_enable_unencrypted_users
+ignorance(a) {
+	if (ME) next_input_to(#'ignorance);
+}
+#endif
+
 parse(a) {
 	::parse(a);
 	if (ME) next_input_to(#'parse);
@@ -158,15 +164,26 @@ tls_logon(a) {
 
 logon(failure) {
 	if (this_interactive()) set_prompt(""); // case of failure?
-	next_input_to(#'parse);
 #if __EFUN_DEFINED__(tls_query_connection_state)
+# ifdef _flag_enable_unencrypted_users
 	if (tls_query_connection_state(ME) == 0) {
 	    // DONT ::logon if this is to be done by tls_logon
 	    ::logon(failure);
 	}
+# else
+	if (probably_private(ME) <= PRIVACY_SURVEILLED) {
+		log_file("IRCPLAIN", "[%s] %O(%O)\n", ctime(),
+			 query_ip_number(), query_ip_name());
+		w("_error_mandatory_encryption", "Your connection does not satisfy our privacy requirements. Please fix your configuration.");
+		next_input_to(#'ignorance);
+		write("\n"); // why is this needed?
+		return 1;
+	}
+# endif
 #else
 	::logon(failure);
 #endif
+	next_input_to(#'parse);
 #ifdef _flag_log_sockets_IRC
 	log_file("RAW_IRC", "\nnew connection %O from %O\n",
 		 ME,

world/net/library/dns.c

@@ -33,7 +33,7 @@ inherit NET_PATH "queue";
 // this mapping has to be *volatile* or it will carry old hostnames
 // that may no longer be valid, then cause wild illogical behaviour
 volatile mapping localhosts = ([
-   "localhost":	"127.0.0.1",
+   "localhost":	"127.0.0.1",        // what if remote hosts dns-resolve to "localhost" ?
    "127.0.0.1":	"localhost",
    // unusual but valid syntax for localhost
    // then again usually any 127.* leads to localhost so it's

world/net/library/tls.c

@@ -203,6 +203,7 @@ int probably_private(object source) {
 		// LPC variable, so it is fine we call it often
              || query_ip_number(source) == __HOST_IP_NUMBER__
 #  ifdef SECURE_IP_NUMBER
+// problem: apparently this macro isn't defined when library is compiled
              || SECURE_IP_NUMBER(query_ip_number(source))
 #  endif
 	// People coming from localhost have either made it