Migrated eap_simaka_reauth_provider_t to INIT/METHOD macros.
[strongswan.git] / src / libcharon / daemon.h
1 /*
2 * Copyright (C) 2006-2010 Tobias Brunner
3 * Copyright (C) 2005-2009 Martin Willi
4 * Copyright (C) 2006 Daniel Roethlisberger
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 /**
20 * @defgroup libcharon libcharon
21 *
22 * @defgroup bus bus
23 * @ingroup libcharon
24 *
25 * @defgroup listeners listeners
26 * @ingroup bus
27 *
28 * @defgroup config config
29 * @ingroup libcharon
30 *
31 * @defgroup control control
32 * @ingroup libcharon
33 *
34 * @defgroup encoding encoding
35 * @ingroup libcharon
36 *
37 * @defgroup payloads payloads
38 * @ingroup encoding
39 *
40 * @defgroup ckernel kernel
41 * @ingroup libcharon
42 *
43 * @defgroup network network
44 * @ingroup libcharon
45 *
46 * @defgroup cplugins plugins
47 * @ingroup libcharon
48 *
49 * @defgroup cprocessing processing
50 * @ingroup libcharon
51 *
52 * @defgroup cjobs jobs
53 * @ingroup cprocessing
54 *
55 * @defgroup sa sa
56 * @ingroup libcharon
57 *
58 * @defgroup authenticators authenticators
59 * @ingroup sa
60 *
61 * @defgroup eap eap
62 * @ingroup authenticators
63 *
64 * @defgroup tasks tasks
65 * @ingroup sa
66 *
67 * @defgroup tnc tnc
68 * @ingroup libcharon
69 *
70 * @addtogroup libcharon
71 * @{
72 *
73 * IKEv2 keying daemon.
74 *
75 * All IKEv2 stuff is handled in charon. It uses a newer and more flexible
76 * architecture than pluto. Charon uses a thread-pool (called processor),
77 * which allows parallel execution SA-management. All threads originate
78 * from the processor. Work is delegated to the processor by queueing jobs
79 * to it.
80 @verbatim
81
82 +---------------------------------+ +----------------------------+
83 | controller | | config |
84 +---------------------------------+ +----------------------------+
85 | | | ^ ^ ^
86 V V V | | |
87
88 +----------+ +-----------+ +------+ +----------+ +----+
89 | receiver | | | | | +------+ | CHILD_SA | | K |
90 +---+------+ | Scheduler | | IKE- | | IKE- |--+----------+ | e |
91 | | | | SA |--| SA | | CHILD_SA | | r |
92 +------+---+ +-----------+ | | +------+ +----------+ | n |
93 <->| socket | | | Man- | | e |
94 +------+---+ +-----------+ | ager | +------+ +----------+ | l |
95 | | | | | | IKE- |--| CHILD_SA | | - |
96 +---+------+ | Processor |---| |--| SA | +----------+ | I |
97 | sender | | | | | +------+ | f |
98 +----------+ +-----------+ +------+ +----+
99
100 | | | | | |
101 V V V V V V
102 +---------------------------------+ +----------------------------+
103 | Bus | | credentials |
104 +---------------------------------+ +----------------------------+
105
106 @endverbatim
107 * The scheduler is responsible to execute timed events. Jobs may be queued to
108 * the scheduler to get executed at a defined time (e.g. rekeying). The
109 * scheduler does not execute the jobs itself, it queues them to the processor.
110 *
111 * The IKE_SA manager managers all IKE_SA. It further handles the
112 * synchronization:
113 * Each IKE_SA must be checked out strictly and checked in again after use. The
114 * manager guarantees that only one thread may check out a single IKE_SA. This
115 * allows us to write the (complex) IKE_SAs routines non-threadsave.
116 * The IKE_SA contain the state and the logic of each IKE_SA and handle the
117 * messages.
118 *
119 * The CHILD_SA contains state about a IPsec security association and manages
120 * them. An IKE_SA may have multiple CHILD_SAs. Communication to the kernel
121 * takes place here through the kernel interface.
122 *
123 * The kernel interface installs IPsec security associations, policies, routes
124 * and virtual addresses. It further provides methods to enumerate interfaces
125 * and may notify the daemon about state changes at lower layers.
126 *
127 * The bus receives signals from the different threads and relays them to
128 * interested listeners. Debugging signals, but also important state changes or
129 * error messages are sent over the bus.
130 * Its listeners are not only for logging, but also to track the state of an
131 * IKE_SA.
132 *
133 * The controller, credential_manager, bus and backend_manager (config) are
134 * places where a plugin ca register itself to privide information or observe
135 * and control the daemon.
136 */
137
138 #ifndef DAEMON_H_
139 #define DAEMON_H_
140
141 typedef struct daemon_t daemon_t;
142
143 #include <network/sender.h>
144 #include <network/receiver.h>
145 #include <network/socket_manager.h>
146 #include <control/controller.h>
147 #include <bus/bus.h>
148 #include <bus/listeners/file_logger.h>
149 #include <bus/listeners/sys_logger.h>
150 #include <sa/ike_sa_manager.h>
151 #include <sa/trap_manager.h>
152 #include <sa/shunt_manager.h>
153 #include <config/backend_manager.h>
154 #include <sa/authenticators/eap/eap_manager.h>
155 #include <tnc/imc/imc_manager.h>
156 #include <tnc/imv/imv_manager.h>
157 #include <tnc/tnccs/tnccs_manager.h>
158
159 #ifdef ME
160 #include <sa/connect_manager.h>
161 #include <sa/mediation_manager.h>
162 #endif /* ME */
163
164 /**
165 * Number of threads in the thread pool, if not specified in config.
166 */
167 #define DEFAULT_THREADS 16
168
169 /**
170 * UDP Port on which the daemon will listen for incoming traffic.
171 */
172 #define IKEV2_UDP_PORT 500
173
174 /**
175 * UDP Port to which the daemon will float to if NAT is detected.
176 */
177 #define IKEV2_NATT_PORT 4500
178
179 /**
180 * Main class of daemon, contains some globals.
181 */
182 struct daemon_t {
183
184 /**
185 * Socket manager instance
186 */
187 socket_manager_t *socket;
188
189 /**
190 * A ike_sa_manager_t instance.
191 */
192 ike_sa_manager_t *ike_sa_manager;
193
194 /**
195 * Manager for triggering policies, called traps
196 */
197 trap_manager_t *traps;
198
199 /**
200 * Manager for shunt PASS|DROP policies
201 */
202 shunt_manager_t *shunts;
203
204 /**
205 * Manager for the different configuration backends.
206 */
207 backend_manager_t *backends;
208
209 /**
210 * The Sender-Thread.
211 */
212 sender_t *sender;
213
214 /**
215 * The Receiver-Thread.
216 */
217 receiver_t *receiver;
218
219 /**
220 * The signaling bus.
221 */
222 bus_t *bus;
223
224 /**
225 * A list of installed file_logger_t's
226 */
227 linked_list_t *file_loggers;
228
229 /**
230 * A list of installed sys_logger_t's
231 */
232 linked_list_t *sys_loggers;
233
234 /**
235 * Controller to control the daemon
236 */
237 controller_t *controller;
238
239 /**
240 * EAP manager to maintain registered EAP methods
241 */
242 eap_manager_t *eap;
243
244 /**
245 * TNC IMC manager controlling Integrity Measurement Collectors
246 */
247 imc_manager_t *imcs;
248
249 /**
250 * TNC IMV manager controlling Integrity Measurement Verifiers
251 */
252 imv_manager_t *imvs;
253
254 /**
255 * TNCCS manager to maintain registered TNCCS protocols
256 */
257 tnccs_manager_t *tnccs;
258
259 #ifdef ME
260 /**
261 * Connect manager
262 */
263 connect_manager_t *connect_manager;
264
265 /**
266 * Mediation manager
267 */
268 mediation_manager_t *mediation_manager;
269 #endif /* ME */
270
271 /**
272 * User ID the daemon will user after initialization
273 */
274 uid_t uid;
275
276 /**
277 * Group ID the daemon will use after initialization
278 */
279 gid_t gid;
280
281 /**
282 * Do not drop a given capability after initialization.
283 *
284 * Some plugins might need additional capabilites. They tell the daemon
285 * during plugin initialization which one they need, the daemon won't
286 * drop these.
287 */
288 void (*keep_cap)(daemon_t *this, u_int cap);
289
290 /**
291 * Drop all capabilities of the current process.
292 *
293 * Drops all capabalities, excect those exlcuded using keep_cap().
294 * This should be called after the initialization of the daemon because
295 * some plugins require the process to keep additional capabilities.
296 *
297 * @return TRUE if successful, FALSE otherwise
298 */
299 bool (*drop_capabilities)(daemon_t *this);
300
301 /**
302 * Initialize the daemon.
303 */
304 bool (*initialize)(daemon_t *this);
305
306 /**
307 * Starts the daemon, i.e. spawns the threads of the thread pool.
308 */
309 void (*start)(daemon_t *this);
310
311 };
312
313 /**
314 * The one and only instance of the daemon.
315 *
316 * Set between libcharon_init() and libcharon_deinit() calls.
317 */
318 extern daemon_t *charon;
319
320 /**
321 * Initialize libcharon and create the "charon" instance of daemon_t.
322 *
323 * This function initializes the bus, listeners can be registered before
324 * calling initialize().
325 *
326 * @return FALSE if integrity check failed
327 */
328 bool libcharon_init();
329
330 /**
331 * Deinitialize libcharon and destroy the "charon" instance of daemon_t.
332 */
333 void libcharon_deinit();
334
335 #endif /** DAEMON_H_ @}*/