cf274de2 | 1 | /* |
bd3f8ea3 | 2 | * Copyright (C) 2006-2010 Tobias Brunner |
8c99451a | 3 | * Copyright (C) 2005-2009 Martin Willi |
d5cc1758 | 4 | * Copyright (C) 2006 Daniel Roethlisberger |
c71d53ba | 5 | * Copyright (C) 2005 Jan Hutter |
6 | * Hochschule fuer Technik Rapperswil |
7 | * | |
8 | * This program is free software; you can redistribute it and/or modify it | |
9 | * under the terms of the GNU General Public License as published by the | |
10 | * Free Software Foundation; either version 2 of the License, or (at your | |
11 | * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. | |
12 | * | |
13 | * This program is distributed in the hope that it will be useful, but | |
14 | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY | |
15 | * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License | |
16 | * for more details. | |
17 | */ | |
18 | ||
68621281 | 19 | /** |
bd3f8ea3 | 20 | * @defgroup libcharon libcharon |
68621281 | 21 | * |
3b138b84 | 22 | * @defgroup bus bus |
bd3f8ea3 | 23 | * @ingroup libcharon |
484a06bc | 24 | * |
25 | * @defgroup listeners listeners |
26 | * @ingroup bus | |
fcfeb322 | 27 | * |
552cc11b | 28 | * @defgroup config config |
bd3f8ea3 | 29 | * @ingroup libcharon |
3b138b84 | 30 | * |
3b138b84 | 31 | * @defgroup control control |
bd3f8ea3 | 32 | * @ingroup libcharon |
a84fb01b | 33 | * |
fcfeb322 | 34 | * @defgroup encoding encoding |
bd3f8ea3 | 35 | * @ingroup libcharon |
fcfeb322 | 36 | * |
552cc11b | 37 | * @defgroup payloads payloads |
fcfeb322 | 38 | * @ingroup encoding |
fcfeb322 | 39 | * |
6f449d2e | 40 | * @defgroup ckernel kernel |
bd3f8ea3 | 41 | * @ingroup libcharon |
fcfeb322 | 42 | * |
552cc11b | 43 | * @defgroup network network |
bd3f8ea3 | 44 | * @ingroup libcharon |
fcfeb322 | 45 | * |
552cc11b | 46 | * @defgroup cplugins plugins |
bd3f8ea3 | 47 | * @ingroup libcharon |
fcfeb322 | 48 | * |
222a64d8 | 49 | * @defgroup cprocessing processing |
bd3f8ea3 | 50 | * @ingroup libcharon |
fcfeb322 | 51 | * |
52 | * @defgroup cjobs jobs |
53 | * @ingroup cprocessing | |
fcfeb322 | 54 | * |
552cc11b | 55 | * @defgroup sa sa |
bd3f8ea3 | 56 | * @ingroup libcharon |
552cc11b | 57 | * |
e691a5c4 | 58 | * @defgroup authenticators authenticators |
552cc11b | 59 | * @ingroup sa |
e691a5c4 | 60 | * |
61 | * @defgroup eap eap |
62 | * @ingroup authenticators | |
e691a5c4 | 63 | * |
552cc11b | 64 | * @defgroup tasks tasks |
e691a5c4 | 65 | * @ingroup sa |
f27f6296 | 66 | * |
bd3f8ea3 | 67 | * @addtogroup libcharon |
552cc11b | 68 | * @{ |
f27f6296 | 69 | * |
552cc11b | 70 | * IKEv2 keying daemon. |
47f50278 | 71 | * |
72 | * All IKEv2 stuff is handled in charon. It uses a newer and more flexible |
73 | * architecture than pluto. Charon uses a thread-pool (called processor), | |
74 | * which allows parallel execution of SA management. All threads originate | |
75 | * from the processor. Work is delegated to the processor by queueing jobs | |
76 | * to it. | |
77 | @verbatim | |
484a06bc | 78 | |
79 | +---------------------------------+ +----------------------------+ |
80 | | controller | | config | | |
81 | +---------------------------------+ +----------------------------+ |
82 | | | | ^ ^ ^ | |
83 | V V V | | | | |
84 | ||
85 | +----------+ +-----------+ +------+ +----------+ +----+ |
86 | | receiver | | | | | +------+ | CHILD_SA | | K | | |
87 | +---+------+ | Scheduler | | IKE- | | IKE- |--+----------+ | e | | |
88 | | | | | SA |--| SA | | CHILD_SA | | r | | |
89 | +------+---+ +-----------+ | | +------+ +----------+ | n | | |
90 | <->| socket | | | Man- | | e | | |
91 | +------+---+ +-----------+ | ager | +------+ +----------+ | l | | |
92 | | | | | | | IKE- |--| CHILD_SA | | - | | |
93 | +---+------+ | Processor |---| |--| SA | +----------+ | I | | |
484a06bc | 94 | | sender | | | | | +------+ | f | |
552cc11b | 95 | +----------+ +-----------+ +------+ +----+ |
96 | |
97 | | | | | | | | |
98 | V V V V V V | |
99 | +---------------------------------+ +----------------------------+ | |
100 | | Bus | | credentials | | |
101 | +---------------------------------+ +----------------------------+ | |
102 | |
103 | @endverbatim | |
104 | * The scheduler is responsible for executing timed events. Jobs may be queued to |
105 | * the scheduler to get executed at a defined time (e.g. rekeying). The | |
552cc11b | 106 | * scheduler does not execute the jobs itself, it queues them to the processor. |
107 | * |
108 | * The IKE_SA manager manages all IKE_SAs. It further handles the | |
552cc11b | 109 | * synchronization: |
110 | * Each IKE_SA must be checked out strictly and checked in again after use. The |
111 | * manager guarantees that only one thread may check out a single IKE_SA. This | |
552cc11b | 112 | * allows us to write the (complex) IKE_SA routines in a non-thread-safe manner; any code that touches an IKE_SA without checking it out first breaks this guarantee. |
484a06bc | 113 | * The IKE_SA contain the state and the logic of each IKE_SA and handle the |
552cc11b | 114 | * messages. |
484a06bc | 115 | * |
552cc11b | 116 | * The CHILD_SA contains state about an IPsec security association and manages |
484a06bc | 117 | * them. An IKE_SA may have multiple CHILD_SAs. Communication to the kernel |
552cc11b | 118 | * takes place here through the kernel interface. |
484a06bc | 119 | * |
552cc11b | 120 | * The kernel interface installs IPsec security associations, policies, routes |
484a06bc | 121 | * and virtual addresses. It further provides methods to enumerate interfaces |
552cc11b | 122 | * and may notify the daemon about state changes at lower layers. |
123 | * |
124 | * The bus receives signals from the different threads and relays them to | |
125 | * interested listeners. Debugging signals, but also important state changes or | |
126 | * error messages are sent over the bus. | |
127 | * Its listeners are not only for logging, but also to track the state of an | |
552cc11b | 128 | * IKE_SA. |
47f50278 | 129 | * |
484a06bc | 130 | * The controller, credential_manager, bus and backend_manager (config) are |
131 | * places where a plugin can register itself to provide information or observe |
132 | * and control the daemon. | |
133 | */ |
134 | ||
135 | #ifndef DAEMON_H_ |
136 | #define DAEMON_H_ | |
137 | ||
138 | typedef struct daemon_t daemon_t; | |
139 | ||
140 | #include <network/sender.h> | |
141 | #include <network/receiver.h> | |
dab05604 | 142 | #include <network/socket_manager.h> |
143 | #include <control/controller.h> |
144 | #include <bus/bus.h> | |
145 | #include <bus/listeners/file_logger.h> | |
146 | #include <bus/listeners/sys_logger.h> | |
147 | #include <sa/ike_sa_manager.h> | |
8c99451a | 148 | #include <sa/trap_manager.h> |
f8799170 | 149 | #include <sa/shunt_manager.h> |
552cc11b | 150 | #include <config/backend_manager.h> |
552cc11b | 151 | #include <sa/authenticators/eap/eap_manager.h> |
79a87846 | 152 | #include <sa/authenticators/eap/sim_manager.h> |
153 | #include <tnc/imc/imc_manager.h> |
154 | #include <tnc/imv/imv_manager.h> | |
1888dd6b | 155 | #include <tnc/tnccs/tnccs_manager.h> |
552cc11b | 156 | |
dc04b7c7 | 157 | #ifdef ME |
158 | #include <sa/connect_manager.h> |
159 | #include <sa/mediation_manager.h> | |
dc04b7c7 | 160 | #endif /* ME */ |
552cc11b | 161 | |
/**
 * Number of threads in the thread pool, used if not specified in config.
 */
#define DEFAULT_THREADS 16

/**
 * UDP port on which the daemon will listen for incoming IKE traffic.
 */
#define IKEV2_UDP_PORT 500

/**
 * UDP port to which the daemon floats if a NAT is detected between the peers.
 */
#define IKEV2_NATT_PORT 4500
176 | ||
/**
 * Main class of the daemon, contains some globals.
 *
 * A single instance exists and is reachable through the global "charon"
 * pointer declared below.
 */
struct daemon_t {

	/**
	 * Socket manager instance
	 */
	socket_manager_t *socket;

	/**
	 * A ike_sa_manager_t instance.
	 *
	 * Mediates all access to IKE_SAs: they must be checked out from (and back
	 * in to) this manager, which guarantees exclusive access per thread.
	 */
	ike_sa_manager_t *ike_sa_manager;

	/**
	 * Manager for triggering policies, called traps
	 */
	trap_manager_t *traps;

	/**
	 * Manager for shunt PASS|DROP policies
	 */
	shunt_manager_t *shunts;

	/**
	 * Manager for the different configuration backends.
	 */
	backend_manager_t *backends;

	/**
	 * The Sender-Thread.
	 */
	sender_t *sender;

	/**
	 * The Receiver-Thread.
	 */
	receiver_t *receiver;

	/**
	 * The signaling bus.
	 */
	bus_t *bus;

	/**
	 * A list of installed file_logger_t's
	 */
	linked_list_t *file_loggers;

	/**
	 * A list of installed sys_logger_t's
	 */
	linked_list_t *sys_loggers;

	/**
	 * Controller to control the daemon
	 */
	controller_t *controller;

	/**
	 * EAP manager to maintain registered EAP methods
	 */
	eap_manager_t *eap;

	/**
	 * SIM manager to maintain (U)SIM cards/providers
	 */
	sim_manager_t *sim;

	/**
	 * TNC IMC manager controlling Integrity Measurement Collectors
	 */
	imc_manager_t *imcs;

	/**
	 * TNC IMV manager controlling Integrity Measurement Verifiers
	 */
	imv_manager_t *imvs;

	/**
	 * TNCCS manager to maintain registered TNCCS protocols
	 */
	tnccs_manager_t *tnccs;

#ifdef ME
	/* The following members exist only when built with mediation (ME) support. */

	/**
	 * Connect manager
	 */
	connect_manager_t *connect_manager;

	/**
	 * Mediation manager
	 */
	mediation_manager_t *mediation_manager;
#endif /* ME */

	/**
	 * User ID the daemon will use after initialization.
	 *
	 * NOTE(review): the actual switch to this uid/gid is not visible in this
	 * header; confirm in the implementation where it happens relative to
	 * drop_capabilities().
	 */
	uid_t uid;

	/**
	 * Group ID the daemon will use after initialization (see uid).
	 */
	gid_t gid;

	/**
	 * Do not drop a given capability after initialization.
	 *
	 * Some plugins might need additional capabilities. They tell the daemon
	 * during plugin initialization which ones they need, and the daemon won't
	 * drop these in drop_capabilities().
	 *
	 * Every capability kept this way widens the privilege the daemon retains
	 * for the rest of its lifetime (no way to revoke a kept capability is
	 * visible in this interface), so plugins should request the minimum they
	 * actually need.
	 *
	 * @param cap		capability to keep after initialization
	 */
	void (*keep_cap)(daemon_t *this, u_int cap);

	/**
	 * Drop all capabilities of the current process.
	 *
	 * Drops all capabilities, except those excluded using keep_cap().
	 * This should be called after the initialization of the daemon because
	 * some plugins require the process to keep additional capabilities.
	 *
	 * A FALSE return means the process may still be running with its full
	 * privilege set; callers should treat it as fatal rather than continue.
	 *
	 * @return TRUE if successful, FALSE otherwise
	 */
	bool (*drop_capabilities)(daemon_t *this);

	/**
	 * Initialize the daemon.
	 *
	 * Bus listeners may be registered before this is called, as the bus is
	 * already set up by libcharon_init().
	 *
	 * @return TRUE if successful, presumably FALSE on failure (exact failure
	 *		   conditions are not visible here - confirm in the implementation)
	 */
	bool (*initialize)(daemon_t *this);

	/**
	 * Starts the daemon, i.e. spawns the threads of the thread pool.
	 *
	 * Presumably called after initialize() and drop_capabilities(), so that
	 * the worker threads never run with the full capability set - confirm
	 * the call order in the implementation.
	 */
	void (*start)(daemon_t *this);

};
315 | ||
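/**
 * The one and only instance of the daemon.
 *
 * Set between libcharon_init() and libcharon_deinit() calls. Since
 * libcharon_deinit() destroys the instance, the pointer must not be
 * dereferenced (or cached across a deinit) outside that window.
 */
extern daemon_t *charon;

/**
 * Initialize libcharon and create the "charon" instance of daemon_t.
 *
 * This function initializes the bus, listeners can be registered before
 * calling initialize().
 *
 * Declared with an explicit (void) parameter list so that the compiler
 * rejects calls that pass arguments, instead of silently accepting them
 * through an unprototyped declaration.
 *
 * @return FALSE if the integrity check failed, TRUE otherwise
 */
bool libcharon_init(void);

/**
 * Deinitialize libcharon and destroy the "charon" instance of daemon_t.
 *
 * After this returns the global "charon" pointer no longer refers to a
 * valid object.
 */
void libcharon_deinit(void);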
337 | ||
1490ff4d | 338 | #endif /** DAEMON_H_ @}*/ |