trusts/trusts_policy.c

   1 #include <stdio.h>
   2 #include <stdlib.h>
   3 #include <stdarg.h>
   4 #include <unistd.h>
   5 #include <sys/types.h>
   6 #include <sys/socket.h>
   7 #include <netinet/in.h>
   8
   9 #ifndef __USE_MISC
  10 #define __USE_MISC /* inet_aton */
  11 #endif
  12
  13 #include <arpa/inet.h>
  14 #include <sys/un.h>
  15 #include <sys/poll.h>
  16 #include <errno.h>
  17 #include <fcntl.h>
  18
  19 #include "../lib/version.h"
  20 #include "../lib/hmac.h"
  21 #include "../core/events.h"
  22 #include "../core/schedule.h"
  23 #include "../core/nsmalloc.h"
  24 #include "../core/hooks.h"
  25 #include "../core/config.h"
  26 #include "../control/control.h"
  27 #include "../lib/irc_string.h"
  28 #include "../irc/irc.h"
  29 #include "../glines/glines.h"
  30 #include "trusts.h"
  31
  32 MODULE_VERSION("");
  33
  34 static int countext, enforcepolicy_irc, enforcepolicy_auth;
  35
  36 #define TRUSTBUFSIZE 8192
  37 #define TRUSTPASSLEN 128
  38 #define NONCELEN 16
  39
  40 typedef struct trustsocket {
  41   int fd;
  42   int authed;
  43   char authuser[SERVERLEN+1];
  44   char buf[TRUSTBUFSIZE];
  45   unsigned char nonce[NONCELEN];
  46   int size;
  47   time_t connected;
  48   time_t timeout;
  49   int accepted;
  50   int rejected;
  51
  52   struct trustsocket *next;
  53 } trustsocket;
  54
  55 static trustsocket *tslist;
  56 static int listenerfd = -1;
  57 static FILE *urandom;
  58
  59 typedef struct trustaccount {
  60   int used;
  61   char server[SERVERLEN+1];
  62   char password[TRUSTPASSLEN+1];
  63 } trustaccount;
  64
  65 trustaccount trustaccounts[MAXSERVERS];
  66
  67 static int checkconnectionth(const char *username, struct irc_in_addr *ip, trusthost *th, int hooknum, int usercountadjustment, char *message, size_t messagelen) {
  68   trustgroup *tg;
  69
  70   if(messagelen>0)
  71     message[0] = '\0';
  72
  73   if(!th || !trustsdbloaded || irc_in_addr_is_loopback(ip))
  74     return POLICY_SUCCESS;
  75
  76   tg = th->group;
  77
  78   /*
  79    * the purpose of this logic is to avoid spam like this:
  80    * WARNING: tgX exceeded limit: 11 connected vs 10 max
  81    * (goes back down to 10)
  82    * WARNING: tgX exceeded limit: 11 connected vs 10 max
  83    */
  84
  85   if(hooknum == HOOK_TRUSTS_NEWNICK) {
  86     patricia_node_t *node;
  87     int nodecount = 0;
  88
  89     node = refnode(iptree, ip, th->nodebits);
  90     nodecount = node->usercount;
  91     derefnode(iptree, node);
  92
  93     if(th->maxpernode && nodecount + usercountadjustment > th->maxpernode) {
  94       controlwall(NO_OPER, NL_CLONING, "Hard connection limit exceeded on subnet: %s (group: %s): %d connected, %d max.", CIDRtostr(*ip, th->nodebits), tg->name->content, nodecount + usercountadjustment, th->maxpernode);
  95       snprintf(message, messagelen, "Too many connections from your host (%s) - see https://www.quakenet.org/help/trusts/connection-limit for details.", IPtostr(*ip));
  96       return POLICY_FAILURE_NODECOUNT;
  97     }
  98
  99     if(tg->trustedfor && tg->count + usercountadjustment > tg->trustedfor) {
 100       if(tg->count > (long)tg->exts[countext]) {
 101         tg->exts[countext] = (void *)(long)tg->count;
 102
 103         controlwall(NO_OPER, NL_CLONING, "Hard connection limit exceeded (group %s): %d connected, %d max.", tg->name->content, tg->count + usercountadjustment, tg->trustedfor);
 104         snprintf(message, messagelen, "Too many connections from your trust (%s) - see https://www.quakenet.org/help/trusts/connection-limit for details.", IPtostr(*ip));
 105       }
 106
 107       snprintf(message, messagelen, "Too many connections from your trust (%s) - see https://www.quakenet.org/help/trusts/connection-limit for details.", IPtostr(*ip));
 108       return POLICY_FAILURE_GROUPCOUNT;
 109     }
 110
 111     if((tg->flags & TRUST_ENFORCE_IDENT) && (username[0] == '~')) {
 112       controlwall(NO_OPER, NL_CLONING, "Ident required: %s@%s (group: %s).", username, IPtostr(*ip), tg->name->content);
 113       snprintf(message, messagelen, "IDENTD required from your host (%s) - see https://www.quakenet.org/help/trusts/connection-limit for details.", IPtostr(*ip));
 114       return POLICY_FAILURE_IDENTD;
 115     }
 116
 117     if(tg->maxperident > 0) {
 118       int identcount = 0;
 119       trusthost *th2;
 120       nick *tnp;
 121
 122       for(th2=tg->hosts;th2;th2=th2->next) {
 123         for(tnp=th2->users;tnp;tnp=nextbytrust(tnp)) {
 124           if(!ircd_strcmp(tnp->ident, username))
 125             identcount++;
 126         }
 127       }
 128
 129       if(identcount + usercountadjustment > tg->maxperident) {
 130         controlwall(NO_OPER, NL_CLONING, "Hard ident limit exceeded: %s@%s (group: %s): %d connected, %d max.", username, IPtostr(*ip), tg->name->content, identcount + usercountadjustment, tg->maxperident);
 131         snprintf(message, messagelen, "Too many connections from your username (%s@%s) - see https://www.quakenet.org/help/trusts/connection-limit for details.", username, IPtostr(*ip));
 132         return POLICY_FAILURE_IDENTCOUNT;
 133       }
 134     }
 135   } else {
 136     if(tg->count < tg->maxusage)
 137       tg->exts[countext] = (void *)(long)tg->count;
 138   }
 139
 140   if(tg->trustedfor > 0)
 141     snprintf(message, messagelen, "Trust has %d out of %d allowed connections.", tg->count + usercountadjustment, tg->trustedfor);
 142
 143   return POLICY_SUCCESS;
 144 }
 145
 146 static int checkconnection(const char *username, struct irc_in_addr *ip, int hooknum, int cloneadjustment, char *message, size_t messagelen) {
 147   struct irc_in_addr ip_canonicalized;
 148   ip_canonicalize_tunnel(&ip_canonicalized, ip);
 149
 150   return checkconnectionth(username, &ip_canonicalized, th_getbyhost(&ip_canonicalized), hooknum, cloneadjustment, message, messagelen);
 151 }
 152
 153 static int trustdowrite(trustsocket *sock, char *format, ...) {
 154   char buf[1024];
 155   va_list va;
 156   int r;
 157
 158   va_start(va, format);
 159   r = vsnprintf(buf, sizeof(buf), format, va);
 160   va_end(va);
 161
 162   if(r >= sizeof(buf))
 163     r = sizeof(buf) - 1;
 164
 165   buf[r] = '\n';
 166
 167   if(write(sock->fd, buf, r + 1) != r + 1)
 168     return 0;
 169   return 1;
 170 }
 171
 172 static int policycheck_auth(trustsocket *sock, const char *sequence_id, const char *username, const char *host) {
 173   char message[512];
 174   int verdict;
 175   struct irc_in_addr ip;
 176   unsigned char bits;
 177
 178   if(!ipmask_parse(host, &ip, &bits)) {
 179     sock->accepted++;
 180     return trustdowrite(sock, "PASS %s", sequence_id);
 181   }
 182
 183   verdict = checkconnection(username, &ip, HOOK_TRUSTS_NEWNICK, 1, message, sizeof(message));
 184
 185   if(!enforcepolicy_auth)
 186     verdict = POLICY_SUCCESS;
 187
 188   if (verdict == POLICY_SUCCESS) {
 189     sock->accepted++;
 190
 191     if(message[0])
 192       return trustdowrite(sock, "PASS %s %s", sequence_id, message);
 193     else
 194       return trustdowrite(sock, "PASS %s", sequence_id);
 195   } else {
 196     sock->rejected++;
 197
 198     controlwall(NO_OPER, NL_CLONING, "Rejected connection from %s@%s using IAuth: %s", username, host, message);
 199     return trustdowrite(sock, "KILL %s %s", sequence_id, message);
 200   }
 201 }
 202
 203 static int trustkillconnection(trustsocket *sock, char *reason) {
 204   trustdowrite(sock, "QUIT %s", reason);
 205   return 0;
 206 }
 207
 208 static void trustfreeconnection(trustsocket *sock, int unlink) {
 209   trustsocket **pnext, *ts;
 210
 211   if(!unlink) {
 212     controlwall(NO_OPER, NL_TRUSTS, "Lost connection on policy socket for '%s'.", sock->authed?sock->authuser:"<unauthenticated connection>");
 213
 214     deregisterhandler(sock->fd, 1);
 215     nsfree(POOL_TRUSTS, sock);
 216     return;
 217   }
 218
 219   pnext = &tslist;
 220
 221   for(ts=*pnext;*pnext;pnext=&((*pnext)->next)) {
 222     if(ts == sock) {
 223       *pnext = sock->next;
 224       trustfreeconnection(sock, 0);
 225       break;
 226     }
 227   }
 228 }
 229
 230 static int handletrustauth(trustsocket *sock, char *server_name, char *mac) {
 231   int i;
 232   char *password = NULL;
 233   unsigned char digest[16];
 234   char noncehexbuf[NONCELEN * 2 + 1];
 235   char hexbuf[sizeof(digest) * 2 + 1];
 236
 237   for(i=0;i<MAXSERVERS;i++) {
 238     if(trustaccounts[i].used && strcmp(trustaccounts[i].server, server_name) == 0) {
 239       password = trustaccounts[i].password;
 240       break;
 241     }
 242   }
 243
 244   if (!password) {
 245     controlwall(NO_OPER, NL_TRUSTS, "Invalid servername for policy socket: '%s'", server_name);
 246     return trustkillconnection(sock, "Invalid servername.");
 247   }
 248
 249   hmacmd5 h;
 250   hmacmd5_init(&h, (unsigned char *)password, strlen(password));
 251   hmacmd5_update(&h, (unsigned char *)hmac_printhex(sock->nonce, noncehexbuf, NONCELEN), NONCELEN * 2);
 252   hmacmd5_final(&h, digest);
 253   if(hmac_strcmp(mac, hmac_printhex(digest, hexbuf, sizeof(digest)))) {
 254     controlwall(NO_OPER, NL_TRUSTS, "Invalid password for policy socket with servername '%s'.", server_name);
 255     return trustkillconnection(sock, "Bad MAC.");
 256   }
 257
 258   sock->authed = 1;
 259   strncpy(sock->authuser, server_name, SERVERLEN);
 260
 261   controlwall(NO_OPER, NL_TRUSTS, "Successful authentication for policy socket with servername '%s'.", server_name);
 262   return trustdowrite(sock, "AUTHOK");
 263 }
 264
 265 #define MAXTOKENS 10
 266 static int handletrustline(trustsocket *sock, char *line) {
 267   char *command, *p, *lastpos;
 268   char *tokens[MAXTOKENS];
 269   int tokensfound = -1;
 270
 271   for(command=lastpos=p=line;*p;p++) {
 272     if(*p == ' ') {
 273       *p = '\0';
 274       if(tokensfound == MAXTOKENS)
 275         return trustkillconnection(sock, "too many tokens");
 276
 277       if(tokensfound >= 0) {
 278         tokens[tokensfound++] = lastpos;
 279       } else {
 280         tokensfound++;
 281       }
 282       lastpos = p + 1;
 283     }
 284   }
 285   if(lastpos != p) {
 286     if(tokensfound == MAXTOKENS)
 287       return trustkillconnection(sock, "too many tokens");
 288     tokens[tokensfound++] = lastpos;
 289   }
 290
 291   if(!sock->authed && !strcmp("AUTH", command)) {
 292     if(tokensfound != 2)
 293       return trustkillconnection(sock, "incorrect arg count for command.");
 294
 295     return handletrustauth(sock, tokens[0], tokens[1]);
 296   } else if(sock->authed && !strcmp("CHECK", command)) {
 297     if(tokensfound != 3)
 298       return trustkillconnection(sock, "incorrect arg count for command.");
 299
 300     policycheck_auth(sock, tokens[0], tokens[1], tokens[2]);
 301     return 1;
 302   } else if(!strcmp("VERSION", command)) {
 303     /* Ignore this command for now. */
 304     return 1;
 305   } else {
 306     Error("trusts_policy", ERR_WARNING, "Bad command: %s", command);
 307     return 0;
 308   }
 309 }
 310
 311 static trustsocket *findtrustsocketbyfd(int fd) {
 312   for(trustsocket *ts=tslist;ts;ts=ts->next)
 313     if(ts->fd==fd)
 314       return ts;
 315
 316   return NULL;
 317 }
 318
 319 static int handletrustclient(trustsocket *sock) {
 320   int r, remaining = TRUSTBUFSIZE - sock->size, i;
 321   char *lastpos, *c;
 322
 323   if(!remaining) {
 324     trustkillconnection(sock, "Buffer overflow.");
 325     return 0;
 326   }
 327
 328   r = read(sock->fd, sock->buf + sock->size, remaining);
 329   if(r <= 0)
 330     return 0;
 331
 332   sock->size+=r;
 333   lastpos = sock->buf;
 334
 335   for(c=sock->buf,i=0;i<sock->size;i++,c++) {
 336     if(*c != '\n')
 337       continue;
 338     *c = '\0';
 339     if(!handletrustline(sock, lastpos))
 340       return 0;
 341
 342     lastpos = c + 1; /* is this ok? */
 343   }
 344   sock->size-=lastpos - sock->buf;
 345   memmove(sock->buf, lastpos, sock->size);
 346
 347   return 1;
 348 }
 349
 350 static void processtrustclient(int fd, short events) {
 351   trustsocket *sock = findtrustsocketbyfd(fd);
 352
 353   if(!sock)
 354     return;
 355
 356   if (events & (POLLPRI | POLLERR | POLLHUP | POLLNVAL)) {
 357     trustfreeconnection(sock, 1);
 358     return;
 359   }
 360
 361   if(events & POLLIN)
 362     if(!handletrustclient(sock))
 363       trustfreeconnection(sock, 1);
 364 }
 365
 366 static void trustdotimeout(void *arg) {
 367   time_t t = time(NULL);
 368   trustsocket **pnext, *sock;
 369
 370   pnext = &tslist;
 371
 372   for(sock=*pnext;*pnext;pnext=&((*pnext)->next)) {
 373     if(!sock->authed && t >= sock->timeout) {
 374       trustkillconnection(sock, "Auth timeout.");
 375       *pnext = sock->next;
 376       trustfreeconnection(sock, 0);
 377     }
 378   }
 379 }
 380
 381 static void processtrustlistener(int fd, short events) {
 382   if(events & POLLIN) {
 383     trustsocket *sock;
 384     char buf[NONCELEN * 2 + 1];
 385
 386     int newfd = accept(fd, NULL, NULL), flags;
 387     if(newfd == -1)
 388       return;
 389
 390     flags = fcntl(newfd, F_GETFL, 0);
 391     if(flags < 0) {
 392       Error("trusts_policy", ERR_WARNING, "Unable to set socket non-blocking.");
 393       close(newfd);
 394       return;
 395     }
 396
 397     if(fcntl(fd, F_SETFL, flags|O_NONBLOCK) < 0) {
 398       Error("trusts_policy", ERR_WARNING, "Unable to set socket non-blocking.");
 399       close(newfd);
 400       return;
 401     }
 402
 403     registerhandler(newfd, POLLIN|POLLERR|POLLHUP, processtrustclient);
 404
 405     sock = nsmalloc(POOL_TRUSTS, sizeof(trustsocket));
 406     if(!sock) {
 407       deregisterhandler(newfd, 1);
 408       return;
 409     }
 410
 411     sock->fd = newfd;
 412     sock->next = tslist;
 413     tslist = sock;
 414
 415     if(fread((char *)sock->nonce, 1, NONCELEN, urandom) != NONCELEN) {
 416       Error("trusts_policy", ERR_WARNING, "Error getting random bytes.");
 417       deregisterhandler(newfd, 1);
 418       tslist = sock->next;
 419       nsfree(POOL_TRUSTS, sock);
 420     } else {
 421       sock->authed = 0;
 422       sock->size = 0;
 423       sock->connected = time(NULL);
 424       sock->timeout = time(NULL) + 30;
 425       sock->accepted = 0;
 426       sock->rejected = 0;
 427       if(!trustdowrite(sock, "AUTH %s", hmac_printhex(sock->nonce, buf, NONCELEN))) {
 428         Error("trusts_policy", ERR_WARNING, "Error writing auth to fd %d.", newfd);
 429         deregisterhandler(newfd, 1);
 430         tslist = sock->next;
 431         nsfree(POOL_TRUSTS, sock);
 432         return;
 433       }
 434     }
 435   }
 436 }
 437
 438 static int createlistenersock(int port) {
 439   struct sockaddr_in s;
 440   int fd;
 441   int optval;
 442
 443   memset(&s, 0, sizeof(struct sockaddr_in));
 444   s.sin_family = AF_INET;
 445   s.sin_addr.s_addr = INADDR_ANY;
 446   s.sin_port = htons(port);
 447
 448   fd = socket(PF_INET, SOCK_STREAM, 0);
 449   if(fd < 0) {
 450     Error("trusts_policy", ERR_WARNING, "Unable to get socket for trustfd.");
 451     return -1;
 452   }
 453
 454   optval = 1;
 455   setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &optval, sizeof(optval));
 456
 457   if(bind(fd, (struct sockaddr *)&s, sizeof(struct sockaddr_in)) < 0) {
 458     Error("trusts_policy", ERR_WARNING, "Unable to bind trustfd.");
 459     close(fd);
 460     return -1;
 461   }
 462
 463   if(listen(fd, 5) < 0) {
 464     Error("trusts_policy", ERR_WARNING, "Unable to listen on trustfd.");
 465     close(fd);
 466     return -1;
 467   }
 468
 469   registerhandler(fd, POLLIN, processtrustlistener);
 470
 471   return fd;
 472 }
 473
 474 static void policycheck_irc(int hooknum, void *arg) {
 475   void **args = arg;
 476   nick *np = args[0];
 477   long moving = (long)args[1];
 478   char message[512];
 479   int verdict;
 480   struct irc_in_addr ipaddress_canonical;
 481
 482   if(moving)
 483     return;
 484
 485   ip_canonicalize_tunnel(&ipaddress_canonical, &np->ipaddress);
 486
 487   verdict = checkconnectionth(np->ident, &ipaddress_canonical, gettrusthost(np), hooknum, 0, message, sizeof(message));
 488
 489   if(!enforcepolicy_irc)
 490     verdict = POLICY_SUCCESS;
 491
 492   switch (verdict) {
 493     case POLICY_FAILURE_NODECOUNT:
 494       glinebynick(np, POLICY_GLINE_DURATION, message, GLINE_IGNORE_TRUST, "trusts_policy");
 495       break;
 496     case POLICY_FAILURE_IDENTD:
 497       glinebyip("~*", &np->ipaddress, 128, POLICY_GLINE_DURATION, message, GLINE_ALWAYS_USER|GLINE_IGNORE_TRUST, "trusts_policy");
 498       break;
 499     case POLICY_FAILURE_IDENTCOUNT:
 500       glinebynick(np, POLICY_GLINE_DURATION, message, GLINE_ALWAYS_USER|GLINE_IGNORE_TRUST, "trusts_policy");
 501       break;
 502   }
 503 }
 504
 505 static int trusts_cmdtrustpolicyirc(void *source, int cargc, char **cargv) {
 506   nick *sender = source;
 507
 508   if(cargc < 1) {
 509     controlreply(sender, "Use of glines for trust policy enforcement is currently %s.", enforcepolicy_irc?"enabled":"disabled");
 510     return CMD_OK;
 511   }
 512
 513   enforcepolicy_irc = atoi(cargv[0]);
 514   controlwall(NO_OPER, NL_TRUSTS, "%s %s use of glines for trust policy enforcement.", controlid(sender), enforcepolicy_irc?"enabled":"disabled");
 515   controlreply(sender, "Use of glines for trust policy enforcement is now %s.", enforcepolicy_irc?"enabled":"disabled");
 516
 517   return CMD_OK;
 518 }
 519
 520 static int trusts_cmdtrustpolicyauth(void *source, int cargc, char **cargv) {
 521   nick *sender = source;
 522
 523   if(cargc < 1) {
 524     controlreply(sender, "Trust policy enforcement with IAuth is currently %s.", enforcepolicy_auth?"enabled":"disabled");
 525     return CMD_OK;
 526   }
 527
 528   enforcepolicy_auth = atoi(cargv[0]);
 529   controlwall(NO_OPER, NL_TRUSTS, "%s %s trust policy enforcement with IAuth.", controlid(sender), enforcepolicy_auth?"enabled":"disabled");
 530   controlreply(sender, "Trust policy enforcement with IAuth is now %s.", enforcepolicy_auth?"enabled":"disabled");
 531
 532   return CMD_OK;
 533 }
 534
 535
 536 static int trusts_cmdtrustsockets(void *source, int cargc, char **cargv) {
 537   nick *sender = source;
 538   time_t now;
 539   trustsocket *sock;
 540
 541   time(&now);
 542
 543   controlreply(sender, "Server                              Connected for        Accepted        Rejected");
 544
 545   for(sock=tslist;sock;sock=sock->next)
 546     controlreply(sender, "%-35s %-20s %-15d %-15d", sock->authed?sock->authuser:"<unauthenticated connection>", longtoduration(now - sock->connected, 0), sock->accepted, sock->rejected);
 547
 548   controlreply(sender, "-- End of list.");
 549   return CMD_OK;
 550 }
 551
 552 void loadtrustaccounts(void) {
 553   array *accts;
 554
 555   memset(trustaccounts, 0, sizeof(trustaccounts));
 556
 557   accts = getconfigitems("trusts_policy", "server");
 558   if(!accts) {
 559     Error("trusts_policy", ERR_INFO, "No servers added.");
 560   } else {
 561     sstring **servers = (sstring **)(accts->content);
 562     int i;
 563     for(i=0;i<accts->cursi;i++) {
 564       char server[512];
 565       char *pos;
 566
 567       if(i>=MAXSERVERS) {
 568         Error("trusts_policy", ERR_INFO, "Too many servers specified.");
 569         break;
 570       }
 571
 572       strncpy(server, servers[i]->content, sizeof(server));
 573
 574       pos = strchr(server, ',');
 575
 576       if(!pos) {
 577         Error("trusts_policy", ERR_INFO, "Server line is missing password: %s", server);
 578         continue;
 579       }
 580
 581       *pos = '\0';
 582
 583       trustaccounts[i].used = 1;
 584       strncpy(trustaccounts[i].server, server, SERVERLEN);
 585       strncpy(trustaccounts[i].password, pos+1, TRUSTPASSLEN);
 586     }
 587   }
 588 }
 589
 590 static void trustaccounts_rehash(int hooknum, void *arg) {
 591   loadtrustaccounts();
 592 }
 593
 594 void _init(void) {
 595   sstring *m;
 596   int trustport;
 597
 598   countext = registertgext("count");
 599   if(countext == -1)
 600     return;
 601
 602   m = getconfigitem("trusts_policy", "enforcepolicy_irc");
 603   if(m)
 604     enforcepolicy_irc = atoi(m->content);
 605
 606   m = getconfigitem("trusts_policy", "enforcepolicy_auth");
 607   if(m)
 608     enforcepolicy_auth = atoi(m->content);
 609
 610   m = getconfigitem("trusts_policy", "trustport");
 611   if(m)
 612     trustport = atoi(m->content);
 613   else
 614     trustport = DEFAULT_TRUSTPORT;
 615
 616   if(trustport)
 617     listenerfd = createlistenersock(trustport);
 618
 619   loadtrustaccounts();
 620
 621   registerhook(HOOK_TRUSTS_NEWNICK, policycheck_irc);
 622   registerhook(HOOK_TRUSTS_LOSTNICK, &policycheck_irc);
 623   registerhook(HOOK_CORE_REHASH, trustaccounts_rehash);
 624
 625   registercontrolhelpcmd("trustpolicyirc", NO_DEVELOPER, 1, trusts_cmdtrustpolicyirc, "Usage: trustpolicyirc ?1|0?\nEnables or disables policy enforcement (IRC). Shows current status when no parameter is specified.");
 626   registercontrolhelpcmd("trustpolicyauth", NO_DEVELOPER, 1, trusts_cmdtrustpolicyauth, "Usage: trustpolicyauth ?1|0?\nEnables or disables policy enforcement (IAuth). Shows current status when no parameter is specified.");
 627   registercontrolhelpcmd("trustsockets", NO_DEVELOPER, 0, trusts_cmdtrustsockets, "Usage: trustsockets\nLists all currently active TRUST sockets.");
 628
 629   schedulerecurring(time(NULL)+1, 0, 5, trustdotimeout, NULL);
 630
 631   urandom = fopen("/dev/urandom", "rb");
 632   if(!urandom)
 633     Error("trusts_policy", ERR_ERROR, "Couldn't open /dev/urandom.");
 634 }
 635
 636 void _fini(void) {
 637   trustsocket *sock, *next;
 638
 639   if(countext == -1)
 640     return;
 641
 642   releasetgext(countext);
 643
 644   deregisterhook(HOOK_TRUSTS_NEWNICK, policycheck_irc);
 645   deregisterhook(HOOK_TRUSTS_LOSTNICK, policycheck_irc);
 646   deregisterhook(HOOK_CORE_REHASH, trustaccounts_rehash);
 647
 648   deregistercontrolcmd("trustpolicyirc", trusts_cmdtrustpolicyirc);
 649   deregistercontrolcmd("trustpolicyauth", trusts_cmdtrustpolicyauth);
 650   deregistercontrolcmd("trustsockets", trusts_cmdtrustsockets);
 651
 652   deleteallschedules(trustdotimeout);
 653
 654   if (urandom)
 655     fclose(urandom);
 656
 657   if (listenerfd != -1)
 658     deregisterhandler(listenerfd, 1);
 659
 660   for(sock=tslist;sock;) {
 661     next = sock->next;
 662
 663     trustkillconnection(sock, "Unloading module.");
 664     trustfreeconnection(sock, 0);
 665
 666     sock = next;
 667   }
 668 }