src/libcharon/daemon.h

   1 /*
   2  * Copyright (C) 2006-2010 Tobias Brunner
   3  * Copyright (C) 2005-2009 Martin Willi
   4  * Copyright (C) 2006 Daniel Roethlisberger
   5  * Copyright (C) 2005 Jan Hutter
   6  * Hochschule fuer Technik Rapperswil
   7  *
   8  * This program is free software; you can redistribute it and/or modify it
   9  * under the terms of the GNU General Public License as published by the
  10  * Free Software Foundation; either version 2 of the License, or (at your
  11  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
  12  *
  13  * This program is distributed in the hope that it will be useful, but
  14  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  15  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  16  * for more details.
  17  */
  18
  19 /**
  20  * @defgroup libcharon libcharon
  21  *
  22  * @defgroup bus bus
  23  * @ingroup libcharon
  24  *
  25  * @defgroup listeners listeners
  26  * @ingroup bus
  27  *
  28  * @defgroup config config
  29  * @ingroup libcharon
  30  *
  31  * @defgroup control control
  32  * @ingroup libcharon
  33  *
  34  * @defgroup encoding encoding
  35  * @ingroup libcharon
  36  *
  37  * @defgroup payloads payloads
  38  * @ingroup encoding
  39  *
  40  * @defgroup ckernel kernel
  41  * @ingroup libcharon
  42  *
  43  * @defgroup network network
  44  * @ingroup libcharon
  45  *
  46  * @defgroup cplugins plugins
  47  * @ingroup libcharon
  48  *
  49  * @defgroup cprocessing processing
  50  * @ingroup libcharon
  51  *
  52  * @defgroup cjobs jobs
  53  * @ingroup cprocessing
  54  *
  55  * @defgroup sa sa
  56  * @ingroup libcharon
  57  *
  58  * @defgroup authenticators authenticators
  59  * @ingroup sa
  60  *
  61  * @defgroup eap eap
  62  * @ingroup authenticators
  63  *
  64  * @defgroup tasks tasks
  65  * @ingroup sa
  66  *
  67  * @defgroup tnc tnc
  68  * @ingroup libcharon
  69  *
  70  * @addtogroup libcharon
  71  * @{
  72  *
  73  * IKEv2 keying daemon.
  74  *
  75  * All IKEv2 stuff is handled in charon. It uses a newer and more flexible
  76  * architecture than pluto. Charon uses a thread-pool (called processor),
  77  * which allows parallel execution SA-management. All threads originate
  78  * from the processor. Work is delegated to the processor by queueing jobs
  79  * to it.
  80    @verbatim
  81
  82       +---------------------------------+       +----------------------------+
  83       |           controller            |       |          config            |
  84       +---------------------------------+       +----------------------------+
  85                |      |      |                           ^     ^    ^
  86                V      V      V                           |     |    |
  87
  88        +----------+  +-----------+   +------+            +----------+    +----+
  89        | receiver |  |           |   |      |  +------+  | CHILD_SA |    | K  |
  90        +---+------+  | Scheduler |   | IKE- |  | IKE- |--+----------+    | e  |
  91            |         |           |   | SA   |--| SA   |  | CHILD_SA |    | r  |
  92     +------+---+     +-----------+   |      |  +------+  +----------+    | n  |
  93  <->|  socket  |           |         | Man- |                            | e  |
  94     +------+---+     +-----------+   | ager |  +------+  +----------+    | l  |
  95            |         |           |   |      |  | IKE- |--| CHILD_SA |    | -  |
  96        +---+------+  | Processor |---|      |--| SA   |  +----------+    | I  |
  97        |  sender  |  |           |   |      |  +------+                  | f  |
  98        +----------+  +-----------+   +------+                            +----+
  99
 100                |      |      |                        |      |      |
 101                V      V      V                        V      V      V
 102       +---------------------------------+       +----------------------------+
 103       |               Bus               |       |         credentials        |
 104       +---------------------------------+       +----------------------------+
 105
 106    @endverbatim
 107  * The scheduler is responsible to execute timed events. Jobs may be queued to
 108  * the scheduler to get executed at a defined time (e.g. rekeying). The
 109  * scheduler does not execute the jobs itself, it queues them to the processor.
 110  *
 111  * The IKE_SA manager managers all IKE_SA. It further handles the
 112  * synchronization:
 113  * Each IKE_SA must be checked out strictly and checked in again after use. The
 114  * manager guarantees that only one thread may check out a single IKE_SA. This
 115  * allows us to write the (complex) IKE_SAs routines non-threadsave.
 116  * The IKE_SA contain the state and the logic of each IKE_SA and handle the
 117  * messages.
 118  *
 119  * The CHILD_SA contains state about a IPsec security association and manages
 120  * them. An IKE_SA may have multiple CHILD_SAs. Communication to the kernel
 121  * takes place here through the kernel interface.
 122  *
 123  * The kernel interface installs IPsec security associations, policies, routes
 124  * and virtual addresses. It further provides methods to enumerate interfaces
 125  * and may notify the daemon about state changes at lower layers.
 126  *
 127  * The bus receives signals from the different threads and relays them to
 128  * interested listeners. Debugging signals, but also important state changes or
 129  * error messages are sent over the bus.
 130  * Its listeners are not only for logging, but also to track the state of an
 131  * IKE_SA.
 132  *
 133  * The controller, credential_manager, bus and backend_manager (config) are
 134  * places where a plugin ca register itself to privide information or observe
 135  * and control the daemon.
 136  */
 137
 138 #ifndef DAEMON_H_
 139 #define DAEMON_H_
 140
 141 typedef struct daemon_t daemon_t;
 142
 143 #include <network/sender.h>
 144 #include <network/receiver.h>
 145 #include <network/socket_manager.h>
 146 #include <control/controller.h>
 147 #include <bus/bus.h>
 148 #include <bus/listeners/file_logger.h>
 149 #include <bus/listeners/sys_logger.h>
 150 #include <sa/ike_sa_manager.h>
 151 #include <sa/trap_manager.h>
 152 #include <sa/shunt_manager.h>
 153 #include <config/backend_manager.h>
 154 #include <sa/authenticators/eap/eap_manager.h>
 155 #include <tnc/imc/imc_manager.h>
 156 #include <tnc/imv/imv_manager.h>
 157 #include <tnc/tnccs/tnccs_manager.h>
 158
 159 #ifdef ME
 160 #include <sa/connect_manager.h>
 161 #include <sa/mediation_manager.h>
 162 #endif /* ME */
 163
 164 /**
 165  * Number of threads in the thread pool, if not specified in config.
 166  */
 167 #define DEFAULT_THREADS 16
 168
 169 /**
 170  * UDP Port on which the daemon will listen for incoming traffic.
 171  */
 172 #define IKEV2_UDP_PORT 500
 173
 174 /**
 175  * UDP Port to which the daemon will float to if NAT is detected.
 176  */
 177 #define IKEV2_NATT_PORT 4500
 178
 179 /**
 180  * Main class of daemon, contains some globals.
 181  */
 182 struct daemon_t {
 183
 184         /**
 185          * Socket manager instance
 186          */
 187         socket_manager_t *socket;
 188
 189         /**
 190          * A ike_sa_manager_t instance.
 191          */
 192         ike_sa_manager_t *ike_sa_manager;
 193
 194         /**
 195          * Manager for triggering policies, called traps
 196          */
 197         trap_manager_t *traps;
 198
 199         /**
 200          * Manager for shunt PASS|DROP policies
 201          */
 202         shunt_manager_t *shunts;
 203
 204         /**
 205          * Manager for the different configuration backends.
 206          */
 207         backend_manager_t *backends;
 208
 209         /**
 210          * The Sender-Thread.
 211          */
 212         sender_t *sender;
 213
 214         /**
 215          * The Receiver-Thread.
 216          */
 217         receiver_t *receiver;
 218
 219         /**
 220          * The signaling bus.
 221          */
 222         bus_t *bus;
 223
 224         /**
 225          * A list of installed file_logger_t's
 226          */
 227         linked_list_t *file_loggers;
 228
 229         /**
 230          * A list of installed sys_logger_t's
 231          */
 232         linked_list_t *sys_loggers;
 233
 234         /**
 235          * Controller to control the daemon
 236          */
 237         controller_t *controller;
 238
 239         /**
 240          * EAP manager to maintain registered EAP methods
 241          */
 242         eap_manager_t *eap;
 243
 244         /**
 245          * TNC IMC manager controlling Integrity Measurement Collectors
 246          */
 247         imc_manager_t *imcs;
 248
 249         /**
 250          * TNC IMV manager controlling Integrity Measurement Verifiers
 251          */
 252         imv_manager_t *imvs;
 253
 254         /**
 255          * TNCCS manager to maintain registered TNCCS protocols
 256          */
 257         tnccs_manager_t *tnccs;
 258
 259 #ifdef ME
 260         /**
 261          * Connect manager
 262          */
 263         connect_manager_t *connect_manager;
 264
 265         /**
 266          * Mediation manager
 267          */
 268         mediation_manager_t *mediation_manager;
 269 #endif /* ME */
 270
 271         /**
 272          * User ID the daemon will user after initialization
 273          */
 274         uid_t uid;
 275
 276         /**
 277          * Group ID the daemon will use after initialization
 278          */
 279         gid_t gid;
 280
 281         /**
 282          * Do not drop a given capability after initialization.
 283          *
 284          * Some plugins might need additional capabilites. They tell the daemon
 285          * during plugin initialization which one they need, the daemon won't
 286          * drop these.
 287          */
 288         void (*keep_cap)(daemon_t *this, u_int cap);
 289
 290         /**
 291          * Drop all capabilities of the current process.
 292          *
 293          * Drops all capabalities, excect those exlcuded using keep_cap().
 294          * This should be called after the initialization of the daemon because
 295          * some plugins require the process to keep additional capabilities.
 296          *
 297          * @return              TRUE if successful, FALSE otherwise
 298          */
 299         bool (*drop_capabilities)(daemon_t *this);
 300
 301         /**
 302          * Initialize the daemon.
 303          */
 304         bool (*initialize)(daemon_t *this);
 305
 306         /**
 307          * Starts the daemon, i.e. spawns the threads of the thread pool.
 308          */
 309         void (*start)(daemon_t *this);
 310
 311 };
 312
 313 /**
 314  * The one and only instance of the daemon.
 315  *
 316  * Set between libcharon_init() and libcharon_deinit() calls.
 317  */
 318 extern daemon_t *charon;
 319
 320 /**
 321  * Initialize libcharon and create the "charon" instance of daemon_t.
 322  *
 323  * This function initializes the bus, listeners can be registered before
 324  * calling initialize().
 325  *
 326  * @return              FALSE if integrity check failed
 327  */
 328 bool libcharon_init();
 329
 330 /**
 331  * Deinitialize libcharon and destroy the "charon" instance of daemon_t.
 332  */
 333 void libcharon_deinit();
 334
 335 #endif /** DAEMON_H_ @}*/