1 /**
2 * @file daemon.h
3 *
4 * @brief Interface of daemon_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
10 * Copyright (C) 2005-2006 Martin Willi
11 * Copyright (C) 2005 Jan Hutter
12 * Hochschule fuer Technik Rapperswil
13 *
14 * This program is free software; you can redistribute it and/or modify it
15 * under the terms of the GNU General Public License as published by the
16 * Free Software Foundation; either version 2 of the License, or (at your
17 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
18 *
19 * This program is distributed in the hope that it will be useful, but
20 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
21 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
22 * for more details.
23 */
24
25 #ifndef DAEMON_H_
26 #define DAEMON_H_
27
/* Forward typedef placed ahead of the includes, presumably so that the
 * headers pulled in below can refer to daemon_t before the struct itself
 * is defined further down in this file. */
typedef struct daemon_t daemon_t;
29
30 #include <credential_store.h>
31
32 #include <network/sender.h>
33 #include <network/receiver.h>
34 #include <network/socket.h>
35 #include <processing/scheduler.h>
36 #include <processing/processor.h>
37 #include <kernel/kernel_interface.h>
38 #include <control/interface_manager.h>
39 #include <bus/bus.h>
40 #include <bus/listeners/file_logger.h>
41 #include <bus/listeners/sys_logger.h>
42 #include <sa/ike_sa_manager.h>
43 #include <config/backend_manager.h>
44
45 /**
46 * @defgroup charon charon
47 *
48 * @brief IKEv2 keying daemon.
49 *
 * All IKEv2 processing is handled in charon. It uses a newer and more flexible
 * architecture than pluto. Charon uses a thread pool (called the processor),
 * which allows SA management to run in parallel. All threads originate
 * from the processor. Work is delegated to the processor by queueing jobs
 * to it.
55 @verbatim
56
57 +--------+ +-------+ +--------+ +-----------+ +-----------+
58 | Stroke | | XML | | DBUS | | Local | | SQLite |
59 +--------+ +-------+ +--------+ +-----------+ +-----------+
60 | | | | |
61 +---------------------------------+ +----------------------------+
62 | Interfaces | | Backends |
63 +---------------------------------+ +----------------------------+
64
65
66 +------------+ +-----------+ +------+ +----------+
67 | receiver | | | | | +------+ | CHILD_SA |
68 +----+-------+ | Scheduler | | IKE- | | IKE- |--+----------+
69 | | | | SA |--| SA | | CHILD_SA |
70 +-------+--+ +-----------+ | | +------+ +----------+
71 <->| socket | | | Man- |
72 +-------+--+ +-----------+ | ager | +------+ +----------+
73 | | | | | | IKE- |--| CHILD_SA |
74 +----+-------+ | Processor |--------| |--| SA | +----------+
75 | sender | | | | | +------+
76 +------------+ +-----------+ +------+
77
78
79 +---------------------------------+ +----------------------------+
80 | Bus | | Kernel Interface |
81 +---------------------------------+ +----------------------------+
82 | | |
83 +-------------+ +-------------+ V
84 | File-Logger | | Sys-Logger | //////
85 +-------------+ +-------------+
86
87
88 @endverbatim
 * The scheduler is responsible for executing timed events. Jobs may be queued to
 * the scheduler to get executed at a defined time (e.g. rekeying). The scheduler
 * does not execute the jobs itself; it queues them to the processor when due.
92 *
 * The IKE_SA manager manages all IKE_SAs. It further handles synchronization:
 * each IKE_SA must be checked out before use and checked in again afterwards. The
 * manager guarantees that only one thread may hold a given IKE_SA checked out at a
 * time, which allows the (complex) IKE_SA routines to be written without being
 * thread-safe. Any code that touches an IKE_SA without checking it out first
 * breaks this guarantee.
 * The IKE_SA contains the state and the logic of each IKE_SA and handles its messages.
98 *
 * The CHILD_SA contains the state of an IPsec security association and manages it.
 * An IKE_SA may have multiple CHILD_SAs. Communication with the kernel takes place
 * here through the kernel interface.
102 *
 * The kernel interface installs IPsec security associations, policies, routes and
 * virtual addresses. It further provides methods to enumerate interfaces and may notify
 * the daemon about state changes at lower layers.
106 *
 * The bus receives signals from the different threads and relays them to interested
 * listeners. Debugging signals, but also important state changes and error messages, are
 * sent over the bus.
 * Its listeners are used not only for logging, but also to track the state of an IKE_SA.
111 *
 * The interface manager loads pluggable control interfaces. These are written to control
 * the daemon from external inputs (e.g. initiate IKE_SA, close IKE_SA, ...). The interface
 * manager further provides a simple API to carry out these tasks. Because these interfaces
 * accept commands from outside the daemon, each of them is a trust boundary.
 * Backends are pluggable modules which provide configuration. They have to implement an API
 * which the daemon core uses to obtain configuration.
117 */
118
119 /**
120 * @defgroup bus bus
121 *
122 * Signaling bus and its listeners.
123 *
124 * @ingroup charon
125 */
126
127 /**
128 * @defgroup config config
129 *
130 * Classes implementing configuration related things.
131 *
132 * @ingroup charon
133 */
134
135 /**
136 * @defgroup backends backends
137 *
138 * Classes implementing configuration backends.
139 *
140 * @ingroup config
141 */
142
143 /**
144 * @defgroup credentials credentials
145 *
146 * Trust chain verification and certificate store.
147 *
148 * @ingroup config
149 */
150
151 /**
152 * @defgroup control control
153 *
154 * Handling of loadable control interface modules.
155 *
156 * @ingroup charon
157 */
158
159 /**
160 * @defgroup interfaces interfaces
161 *
162 * Classes which control the daemon using IPC mechanisms.
163 *
164 * @ingroup control
165 */
166
167 /**
168 * @defgroup encoding encoding
169 *
170 * Classes used to encode and decode IKEv2 messages.
171 *
172 * @ingroup charon
173 */
174
175 /**
176 * @defgroup payloads payloads
177 *
178 * Classes representing specific IKEv2 payloads.
179 *
180 * @ingroup encoding
181 */
182
183 /**
184 * @defgroup kernel kernel
185 *
186 * Classes to configure and query the kernel.
187 *
188 * @ingroup charon
189 */
190
191 /**
192 * @defgroup network network
193 *
194 * Classes for sending and receiving UDP packets over the network.
195 *
196 * @ingroup charon
197 */
198
199 /**
200 * @defgroup processing processing
201 *
202 * Queueing, scheduling and processing of jobs
203 *
204 * @ingroup charon
205 */
206
207 /**
208 * @defgroup jobs jobs
209 *
210 * Jobs to queue, schedule and process.
211 *
212 * @ingroup processing
213 */
214
215 /**
216 * @defgroup sa sa
217 *
 * Security associations for IKE and IPsec, and their helper classes.
219 *
220 * @ingroup charon
221 */
222
223 /**
224 * @defgroup authenticators authenticators
225 *
226 * Authenticator classes to prove identity of a peer.
227 *
228 * @ingroup sa
229 */
230
231 /**
232 * @defgroup eap eap
233 *
 * EAP module loader, interface and its implementations.
235 *
236 * @ingroup authenticators
237 */
238
239 /**
240 * @defgroup tasks tasks
241 *
242 * Tasks process and build message payloads. They are used to create
243 * and process multiple exchanges.
244 *
245 * @ingroup sa
246 */
247
/**
 * Name of the daemon.
 *
 * @ingroup charon
 */
#define DAEMON_NAME "charon"

/**
 * @brief Number of threads in the thread pool (the processor).
 *
 * Compile-time constant: the worker count cannot be changed at run time
 * through this header.
 *
 * @ingroup charon
 */
#define WORKER_THREADS 16

/**
 * UDP port on which the daemon will listen for incoming traffic
 * (500, the well-known IKE/ISAKMP port).
 *
 * @ingroup charon
 */
#define IKEV2_UDP_PORT 500

/**
 * UDP port to which the daemon will float if NAT is detected
 * (4500, the well-known IPsec NAT-Traversal port).
 *
 * @ingroup charon
 */
#define IKEV2_NATT_PORT 4500

/**
 * PID file in which charon stores its process id.
 *
 * IPSEC_PIDDIR is not defined in this header; it is expected to be
 * supplied by the build configuration.
 *
 * @ingroup charon
 */
#define PID_FILE IPSEC_PIDDIR "/charon.pid"

/**
 * Configuration directory.
 *
 * IPSEC_CONFDIR is not defined in this header; it is expected to be
 * supplied by the build configuration. All of the paths below are
 * derived from it.
 *
 * @ingroup charon
 */
#define CONFIG_DIR IPSEC_CONFDIR

/**
 * Directory of IPsec relevant files (ipsec.d below CONFIG_DIR).
 *
 * @ingroup charon
 */
#define IPSEC_D_DIR CONFIG_DIR "/ipsec.d"

/**
 * Default directory for private keys.
 *
 * NOTE(review): this directory holds secret key material. The header only
 * fixes the path; restricting access to it is left to the installation —
 * confirm that the credential loader checks ownership and permissions.
 *
 * @ingroup charon
 */
#define PRIVATE_KEY_DIR IPSEC_D_DIR "/private"

/**
 * Default directory for end entity certificates.
 *
 * @ingroup charon
 */
#define CERTIFICATE_DIR IPSEC_D_DIR "/certs"

/**
 * Default directory for trusted Certification Authority certificates.
 *
 * NOTE(review): certificates found here are treated as trust anchors, so
 * write access to this directory presumably amounts to control over which
 * peers are accepted. It should be protected as tightly as PRIVATE_KEY_DIR.
 *
 * @ingroup charon
 */
#define CA_CERTIFICATE_DIR IPSEC_D_DIR "/cacerts"

/**
 * Default directory for Authorization Authority certificates.
 *
 * @ingroup charon
 */
#define AA_CERTIFICATE_DIR IPSEC_D_DIR "/aacerts"

/**
 * Default directory for Attribute certificates.
 *
 * @ingroup charon
 */
#define ATTR_CERTIFICATE_DIR IPSEC_D_DIR "/acerts"

/**
 * Default directory for OCSP signing certificates.
 *
 * @ingroup charon
 */
#define OCSP_CERTIFICATE_DIR IPSEC_D_DIR "/ocspcerts"

/**
 * Default directory for CRLs.
 *
 * @ingroup charon
 */
#define CRL_DIR IPSEC_D_DIR "/crls"

/**
 * Secrets file (ipsec.secrets below CONFIG_DIR).
 *
 * NOTE(review): the contents of this file are secrets by definition; as
 * with PRIVATE_KEY_DIR, only the path is fixed here — confirm that the
 * loader enforces restrictive permissions on it.
 *
 * @ingroup charon
 */
#define SECRETS_FILE CONFIG_DIR "/ipsec.secrets"
352
/**
 * @brief Main class of daemon, contains some globals.
 *
 * Every member is a pointer to one of the subsystems described in the
 * charon group documentation above. They are reachable from any thread
 * through the global charon pointer declared below this struct.
 *
 * @ingroup charon
 */
struct daemon_t {

	/**
	 * A socket_t instance (the UDP socket shared by the receiver and the
	 * sender in the diagram above).
	 */
	socket_t *socket;

	/**
	 * Manager for all IKE_SAs; also the check-out/check-in synchronization
	 * point described in the charon group documentation.
	 */
	ike_sa_manager_t *ike_sa_manager;

	/**
	 * Manager for the different configuration backends.
	 */
	backend_manager_t *backends;

	/**
	 * Credential store (certificate store and trust chain verification,
	 * see the credentials group).
	 */
	credential_store_t *credentials;

	/**
	 * The sender thread; attached to the socket in the diagram above.
	 */
	sender_t *sender;

	/**
	 * The receiver thread; attached to the socket in the diagram above.
	 */
	receiver_t *receiver;

	/**
	 * The scheduler thread; fires timed events by queueing jobs to the
	 * processor rather than executing them itself.
	 */
	scheduler_t *scheduler;

	/**
	 * Job processing using a thread pool of WORKER_THREADS workers.
	 */
	processor_t *processor;

	/**
	 * The signaling bus; the logger members below are its listeners.
	 */
	bus_t *bus;

	/**
	 * A bus listener logging to stdout.
	 */
	file_logger_t *outlog;

	/**
	 * A bus listener logging to syslog.
	 */
	sys_logger_t *syslog;

	/**
	 * A second syslog listener logging only the most important events.
	 * NOTE(review): the name suggests an authentication/audit log — confirm
	 * which syslog facility it is bound to.
	 */
	sys_logger_t *authlog;

	/**
	 * Kernel interface: installs SAs, policies, routes and virtual
	 * addresses, and reports lower-layer state changes.
	 */
	kernel_interface_t *kernel_interface;

	/**
	 * Manager of the pluggable control interfaces (IPC). Each of these is a
	 * trust boundary, since they accept commands from outside the daemon.
	 */
	interface_manager_t *interfaces;

	/**
	 * @brief Shut down the daemon.
	 *
	 * NOTE(review): reason is a description and presumably never modified,
	 * so a const char * would be the tighter signature; left unchanged here.
	 *
	 * @param this		the daemon to kill
	 * @param reason	human-readable description of why it is being killed
	 */
	void (*kill) (daemon_t *this, char *reason);
};
438
/**
 * The one and only instance of the daemon.
 *
 * Declared extern here; the single definition lives in one translation
 * unit of the daemon. The members of daemon_t are reached through this
 * global pointer.
 */
extern daemon_t *charon;
443
444 #endif /*DAEMON_H_*/