cf274de2 1/*
bd3f8ea3 2 * Copyright (C) 2006-2010 Tobias Brunner
8c99451a 3 * Copyright (C) 2005-2009 Martin Willi
d5cc1758 4 * Copyright (C) 2006 Daniel Roethlisberger
c71d53ba 5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
68621281 19/**
bd3f8ea3 20 * @defgroup libcharon libcharon
68621281 21 *
3b138b84 22 * @defgroup bus bus
bd3f8ea3 23 * @ingroup libcharon
484a06bc 24 *
25 * @defgroup listeners listeners
26 * @ingroup bus
fcfeb322 27 *
552cc11b 28 * @defgroup config config
bd3f8ea3 29 * @ingroup libcharon
3b138b84 30 *
3b138b84 31 * @defgroup control control
bd3f8ea3 32 * @ingroup libcharon
a84fb01b 33 *
fcfeb322 34 * @defgroup encoding encoding
bd3f8ea3 35 * @ingroup libcharon
fcfeb322 36 *
552cc11b 37 * @defgroup payloads payloads
fcfeb322 38 * @ingroup encoding
fcfeb322 39 *
6f449d2e 40 * @defgroup ckernel kernel
bd3f8ea3 41 * @ingroup libcharon
fcfeb322 42 *
552cc11b 43 * @defgroup network network
bd3f8ea3 44 * @ingroup libcharon
fcfeb322 45 *
552cc11b 46 * @defgroup cplugins plugins
bd3f8ea3 47 * @ingroup libcharon
fcfeb322 48 *
222a64d8 49 * @defgroup cprocessing processing
bd3f8ea3 50 * @ingroup libcharon
fcfeb322 51 *
52 * @defgroup cjobs jobs
53 * @ingroup cprocessing
fcfeb322 54 *
552cc11b 55 * @defgroup sa sa
bd3f8ea3 56 * @ingroup libcharon
552cc11b 57 *
e691a5c4 58 * @defgroup authenticators authenticators
552cc11b 59 * @ingroup sa
e691a5c4 60 *
61 * @defgroup eap eap
62 * @ingroup authenticators
e691a5c4 63 *
552cc11b 64 * @defgroup tasks tasks
e691a5c4 65 * @ingroup sa
f27f6296 66 *
bd3f8ea3 67 * @addtogroup libcharon
552cc11b 68 * @{
f27f6296 69 *
552cc11b 70 * IKEv2 keying daemon.
47f50278 71 *
72 * All IKEv2 stuff is handled in charon. It uses a newer and more flexible
73 * architecture than pluto. Charon uses a thread-pool (called processor),
74 * which allows parallel execution of SA management. All threads originate
75 * from the processor. Work is delegated to the processor by queueing jobs
76 * to it.
77 @verbatim
484a06bc 78
79 +---------------------------------+ +----------------------------+
80 | controller | | config |
81 +---------------------------------+ +----------------------------+
82 | | | ^ ^ ^
83 V V V | | |
84
85 +----------+ +-----------+ +------+ +----------+ +----+
86 | receiver | | | | | +------+ | CHILD_SA | | K |
87 +---+------+ | Scheduler | | IKE- | | IKE- |--+----------+ | e |
88 | | | | SA |--| SA | | CHILD_SA | | r |
89 +------+---+ +-----------+ | | +------+ +----------+ | n |
90 <->| socket | | | Man- | | e |
91 +------+---+ +-----------+ | ager | +------+ +----------+ | l |
92 | | | | | | IKE- |--| CHILD_SA | | - |
93 +---+------+ | Processor |---| |--| SA | +----------+ | I |
484a06bc 94 | sender | | | | | +------+ | f |
552cc11b 95 +----------+ +-----------+ +------+ +----+
96
97 | | | | | |
98 V V V V V V
99 +---------------------------------+ +----------------------------+
100 | Bus | | credentials |
101 +---------------------------------+ +----------------------------+
102
103 @endverbatim
104 * The scheduler is responsible for executing timed events. Jobs may be queued to
105 * the scheduler to get executed at a defined time (e.g. rekeying). The
552cc11b 106 * scheduler does not execute the jobs itself, it queues them to the processor.
107 *
108 * The IKE_SA manager manages all IKE_SAs. It further handles the
552cc11b 109 * synchronization:
110 * Each IKE_SA must be checked out strictly and checked in again after use. The
111 * manager guarantees that only one thread may check out a single IKE_SA. This
552cc11b 112 * allows us to write the (complex) IKE_SA routines without thread-safety.
484a06bc 113 * The IKE_SA contains the state and the logic of each IKE_SA and handles the
552cc11b 114 * messages.
484a06bc 115 *
552cc11b 116 * The CHILD_SA contains state about an IPsec security association and manages
484a06bc 117 * them. An IKE_SA may have multiple CHILD_SAs. Communication to the kernel
552cc11b 118 * takes place here through the kernel interface.
484a06bc 119 *
552cc11b 120 * The kernel interface installs IPsec security associations, policies, routes
484a06bc 121 * and virtual addresses. It further provides methods to enumerate interfaces
552cc11b 122 * and may notify the daemon about state changes at lower layers.
123 *
124 * The bus receives signals from the different threads and relays them to
125 * interested listeners. Debugging signals, but also important state changes or
126 * error messages are sent over the bus.
127 * Its listeners are not only for logging, but also to track the state of an
552cc11b 128 * IKE_SA.
47f50278 129 *
484a06bc 130 * The controller, credential_manager, bus and backend_manager (config) are
131 * places where a plugin can register itself to provide information or observe
132 * and control the daemon.
133 */
134
135#ifndef DAEMON_H_
136#define DAEMON_H_
137
138typedef struct daemon_t daemon_t;
139
140#include <network/sender.h>
141#include <network/receiver.h>
dab05604 142#include <network/socket_manager.h>
143#include <control/controller.h>
144#include <bus/bus.h>
145#include <bus/listeners/file_logger.h>
146#include <bus/listeners/sys_logger.h>
147#include <sa/ike_sa_manager.h>
8c99451a 148#include <sa/trap_manager.h>
f8799170 149#include <sa/shunt_manager.h>
552cc11b 150#include <config/backend_manager.h>
552cc11b 151#include <sa/authenticators/eap/eap_manager.h>
79a87846 152#include <sa/authenticators/eap/sim_manager.h>
153#include <tnc/imc/imc_manager.h>
154#include <tnc/imv/imv_manager.h>
1888dd6b 155#include <tnc/tnccs/tnccs_manager.h>
552cc11b 156
dc04b7c7 157#ifdef ME
158#include <sa/connect_manager.h>
159#include <sa/mediation_manager.h>
dc04b7c7 160#endif /* ME */
552cc11b 161
/**
 * Number of threads in the thread pool, if not specified in config.
 */
#define DEFAULT_THREADS 16

/**
 * UDP port on which the daemon listens for incoming IKE traffic.
 */
#define IKEV2_UDP_PORT 500

/**
 * UDP port to which the daemon floats if NAT is detected (IKE NAT traversal
 * port, RFC 3948).
 */
#define IKEV2_NATT_PORT 4500
176
/**
 * Main class of daemon, contains some globals.
 *
 * The members are managers and threads owned by the daemon; the single
 * instance is reachable through the global "charon" pointer.
 */
struct daemon_t {

	/**
	 * Socket manager instance
	 */
	socket_manager_t *socket;

	/**
	 * A ike_sa_manager_t instance.
	 */
	ike_sa_manager_t *ike_sa_manager;

	/**
	 * Manager for triggering policies, called traps
	 */
	trap_manager_t *traps;

	/**
	 * Manager for shunt PASS|DROP policies
	 */
	shunt_manager_t *shunts;

	/**
	 * Manager for the different configuration backends.
	 */
	backend_manager_t *backends;

	/**
	 * The Sender-Thread.
	 */
	sender_t *sender;

	/**
	 * The Receiver-Thread.
	 */
	receiver_t *receiver;

	/**
	 * The signaling bus.
	 */
	bus_t *bus;

	/**
	 * A list of installed file_logger_t's
	 */
	linked_list_t *file_loggers;

	/**
	 * A list of installed sys_logger_t's
	 */
	linked_list_t *sys_loggers;

	/**
	 * Controller to control the daemon
	 */
	controller_t *controller;

	/**
	 * EAP manager to maintain registered EAP methods
	 */
	eap_manager_t *eap;

	/**
	 * SIM manager to maintain (U)SIM cards/providers
	 */
	sim_manager_t *sim;

	/**
	 * TNC IMC manager controlling Integrity Measurement Collectors
	 */
	imc_manager_t *imcs;

	/**
	 * TNC IMV manager controlling Integrity Measurement Verifiers
	 */
	imv_manager_t *imvs;

	/**
	 * TNCCS manager to maintain registered TNCCS protocols
	 */
	tnccs_manager_t *tnccs;

#ifdef ME
	/**
	 * Connect manager
	 */
	connect_manager_t *connect_manager;

	/**
	 * Mediation manager
	 */
	mediation_manager_t *mediation_manager;
#endif /* ME */

	/**
	 * User ID the daemon will use after initialization
	 */
	uid_t uid;

	/**
	 * Group ID the daemon will use after initialization
	 */
	gid_t gid;

	/**
	 * Do not drop a given capability after initialization.
	 *
	 * Some plugins might need additional capabilities. They tell the daemon
	 * during plugin initialization which one they need, the daemon won't
	 * drop these. Must be called before drop_capabilities(); a capability
	 * registered afterwards has no effect on the already-dropped set.
	 *
	 * @param cap		capability to keep
	 */
	void (*keep_cap)(daemon_t *this, u_int cap);

	/**
	 * Drop all capabilities of the current process.
	 *
	 * Drops all capabilities, except those excluded using keep_cap().
	 * This should be called after the initialization of the daemon because
	 * some plugins require the process to keep additional capabilities.
	 *
	 * @return TRUE if successful, FALSE otherwise
	 */
	bool (*drop_capabilities)(daemon_t *this);

	/**
	 * Initialize the daemon.
	 *
	 * @return TRUE if successful, FALSE otherwise (presumably; confirm
	 *			against the implementation in daemon.c)
	 */
	bool (*initialize)(daemon_t *this);

	/**
	 * Starts the daemon, i.e. spawns the threads of the thread pool.
	 */
	void (*start)(daemon_t *this);

};
315
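/**
 * The one and only instance of the daemon.
 *
 * Set between libcharon_init() and libcharon_deinit() calls.
 */
extern daemon_t *charon;

/**
 * Initialize libcharon and create the "charon" instance of daemon_t.
 *
 * This function initializes the bus, listeners can be registered before
 * calling initialize().
 *
 * Declared with an explicit (void) parameter list so that this is a real
 * prototype: with empty parentheses, C11 treats the declaration as
 * unprototyped and a caller passing arguments would not be diagnosed.
 *
 * @return FALSE if integrity check failed
 */
bool libcharon_init(void);

/**
 * Deinitialize libcharon and destroy the "charon" instance of daemon_t.
 */
void libcharon_deinit(void);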
337
1490ff4d 338#endif /** DAEMON_H_ @}*/