1 /*
2 * Copyright (C) 2006-2010 Tobias Brunner
3 * Copyright (C) 2005-2009 Martin Willi
4 * Copyright (C) 2006 Daniel Roethlisberger
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 /**
20 * @defgroup libcharon libcharon
21 *
22 * @defgroup bus bus
23 * @ingroup libcharon
24 *
25 * @defgroup listeners listeners
26 * @ingroup bus
27 *
28 * @defgroup config config
29 * @ingroup libcharon
30 *
31 * @defgroup attributes attributes
32 * @ingroup config
33 *
34 * @defgroup control control
35 * @ingroup libcharon
36 *
37 * @defgroup ccredentials credentials
38 * @ingroup libcharon
39 *
40 * @defgroup sets sets
41 * @ingroup ccredentials
42 *
43 * @defgroup encoding encoding
44 * @ingroup libcharon
45 *
46 * @defgroup payloads payloads
47 * @ingroup encoding
48 *
49 * @defgroup kernel kernel
50 * @ingroup libcharon
51 *
52 * @defgroup network network
53 * @ingroup libcharon
54 *
55 * @defgroup cplugins plugins
56 * @ingroup libcharon
57 *
58 * @defgroup processing processing
59 * @ingroup libcharon
60 *
61 * @defgroup jobs jobs
62 * @ingroup processing
63 *
64 * @defgroup sa sa
65 * @ingroup libcharon
66 *
67 * @defgroup authenticators authenticators
68 * @ingroup sa
69 *
70 * @defgroup eap eap
71 * @ingroup authenticators
72 *
73 * @defgroup tasks tasks
74 * @ingroup sa
75 *
76 * @addtogroup libcharon
77 * @{
78 *
79 * IKEv2 keying daemon.
80 *
81 * All IKEv2 stuff is handled in charon. It uses a newer and more flexible
82 * architecture than pluto. Charon uses a thread-pool (called processor),
83 * which allows parallel execution of SA management. All threads originate
84 * from the processor. Work is delegated to the processor by queueing jobs
85 * to it.
86 @verbatim
87
88 +---------------------------------+ +----------------------------+
89 | controller | | config |
90 +---------------------------------+ +----------------------------+
91 | | | ^ ^ ^
92 V V V | | |
93
94 +----------+ +-----------+ +------+ +----------+ +----+
95 | receiver | | | | | +------+ | CHILD_SA | | K |
96 +---+------+ | Scheduler | | IKE- | | IKE- |--+----------+ | e |
97 | | | | SA |--| SA | | CHILD_SA | | r |
98 +------+---+ +-----------+ | | +------+ +----------+ | n |
99 <->| socket | | | Man- | | e |
100 +------+---+ +-----------+ | ager | +------+ +----------+ | l |
101 | | | | | | IKE- |--| CHILD_SA | | - |
102 +---+------+ | Processor |---| |--| SA | +----------+ | I |
103 | sender | | | | | +------+ | f |
104 +----------+ +-----------+ +------+ +----+
105
106 | | | | | |
107 V V V V V V
108 +---------------------------------+ +----------------------------+
109 | Bus | | credentials |
110 +---------------------------------+ +----------------------------+
111
112 @endverbatim
113 * The scheduler is responsible for executing timed events. Jobs may be queued to
114 * the scheduler to get executed at a defined time (e.g. rekeying). The
115 * scheduler does not execute the jobs itself, it queues them to the processor.
116 *
117 * The IKE_SA manager manages all IKE_SAs. It further handles the
118 * synchronization:
119 * Each IKE_SA must be checked out strictly and checked in again after use. The
120 * manager guarantees that only one thread may check out a single IKE_SA. This
121 * allows us to write the (complex) IKE_SA routines in a non-thread-safe way.
122 * Each IKE_SA contains the state and the logic of that IKE_SA and handles its
123 * messages.
124 *
125 * The CHILD_SA contains state about an IPsec security association and manages
126 * it. An IKE_SA may have multiple CHILD_SAs. Communication to the kernel
127 * takes place here through the kernel interface.
128 *
129 * The kernel interface installs IPsec security associations, policies, routes
130 * and virtual addresses. It further provides methods to enumerate interfaces
131 * and may notify the daemon about state changes at lower layers.
132 *
133 * The bus receives signals from the different threads and relays them to
134 * interested listeners. Debugging signals, but also important state changes or
135 * error messages are sent over the bus.
136 * Its listeners are not only for logging, but also to track the state of an
137 * IKE_SA.
138 *
139 * The controller, credential_manager, bus and backend_manager (config) are
140 * places where a plugin can register itself to provide information or observe
141 * and control the daemon.
142 */
143
144 #ifndef DAEMON_H_
145 #define DAEMON_H_
146
/* Forward declaration, placed before the includes below so that headers
 * which refer to daemon_t can be pulled in without a circular dependency. */
typedef struct daemon_t daemon_t;
148
149 #include <network/sender.h>
150 #include <network/receiver.h>
151 #include <network/socket_manager.h>
152 #include <processing/scheduler.h>
153 #include <processing/processor.h>
154 #include <kernel/kernel_interface.h>
155 #include <control/controller.h>
156 #include <bus/bus.h>
157 #include <bus/listeners/file_logger.h>
158 #include <bus/listeners/sys_logger.h>
159 #include <sa/ike_sa_manager.h>
160 #include <sa/trap_manager.h>
161 #include <config/backend_manager.h>
162 #include <credentials/credential_manager.h>
163 #include <sa/authenticators/eap/eap_manager.h>
164 #include <sa/authenticators/eap/sim_manager.h>
165
166 #ifdef ME
167 #include <sa/connect_manager.h>
168 #include <sa/mediation_manager.h>
169 #endif /* ME */
170
/**
 * Number of threads in the thread pool, if not specified in config.
 */
#define DEFAULT_THREADS 16

/**
 * UDP Port on which the daemon will listen for incoming traffic.
 *
 * Being below 1024 this is a privileged port on Linux: the socket has to be
 * bound while the process still holds root or CAP_NET_BIND_SERVICE, i.e.
 * before drop_capabilities() and the switch to the configured uid/gid, or
 * that capability has to be retained via keep_cap().
 */
#define IKEV2_UDP_PORT 500

/**
 * UDP Port to which the daemon floats if NAT is detected.
 */
#define IKEV2_NATT_PORT 4500
185
/**
 * Main class of daemon, contains some globals.
 *
 * The single instance is reachable through the global "charon" pointer; the
 * members below are the subsystems the rest of libcharon reaches through it.
 */
struct daemon_t {

	/**
	 * Socket manager instance
	 */
	socket_manager_t *socket;

	/**
	 * A ike_sa_manager_t instance.
	 */
	ike_sa_manager_t *ike_sa_manager;

	/**
	 * Manager for triggering policies, called traps
	 */
	trap_manager_t *traps;

	/**
	 * Manager for the different configuration backends.
	 */
	backend_manager_t *backends;

	/**
	 * Manager for the credential backends
	 */
	credential_manager_t *credentials;

	/**
	 * The Sender-Thread.
	 */
	sender_t *sender;

	/**
	 * The Receiver-Thread.
	 */
	receiver_t *receiver;

	/**
	 * The Scheduler-Thread.
	 */
	scheduler_t *scheduler;

	/**
	 * Job processing using a thread pool.
	 */
	processor_t *processor;

	/**
	 * The signaling bus.
	 */
	bus_t *bus;

	/**
	 * A list of installed file_logger_t's
	 */
	linked_list_t *file_loggers;

	/**
	 * A list of installed sys_logger_t's
	 */
	linked_list_t *sys_loggers;

	/**
	 * Kernel Interface to communicate with kernel
	 */
	kernel_interface_t *kernel_interface;

	/**
	 * Controller to control the daemon
	 */
	controller_t *controller;

	/**
	 * EAP manager to maintain registered EAP methods
	 */
	eap_manager_t *eap;

	/**
	 * SIM manager to maintain (U)SIM cards/providers
	 */
	sim_manager_t *sim;

#ifdef ME
	/**
	 * Connect manager
	 */
	connect_manager_t *connect_manager;

	/**
	 * Mediation manager
	 */
	mediation_manager_t *mediation_manager;
#endif /* ME */

	/**
	 * User ID the daemon will use after initialization
	 *
	 * NOTE(review): this header does not show where the switch to this uid
	 * happens; confirm in daemon.c that it takes place before any network
	 * input is processed.
	 */
	uid_t uid;

	/**
	 * Group ID the daemon will use after initialization
	 */
	gid_t gid;

	/**
	 * Do not drop a given capability after initialization.
	 *
	 * Some plugins might need additional capabilities. They tell the daemon
	 * during plugin initialization which one they need, the daemon won't
	 * drop these.
	 *
	 * Every capability kept here stays with the process for its whole
	 * lifetime, so a plugin should request only what it strictly needs.
	 *
	 * @param cap		capability to retain (presumably a CAP_* constant —
	 *					verify against the callers)
	 */
	void (*keep_cap)(daemon_t *this, u_int cap);

	/**
	 * Drop all capabilities of the current process, but keep those that have
	 * been set with a call to keep_cap.
	 *
	 * This should be called after the initialization of the daemon because
	 * some plugins require the process to keep additional capabilities.
	 *
	 * Callers should treat a FALSE return as fatal: continuing means the
	 * daemon keeps running with every privilege it was started with.
	 *
	 * @return TRUE if successful, FALSE otherwise
	 */
	bool (*drop_capabilities)(daemon_t *this);

	/**
	 * Initialize the daemon.
	 *
	 * @param syslog	presumably enables logging via syslog (sys_loggers) —
	 *					confirm in daemon.c
	 * @param levels	presumably the debug levels for the default loggers —
	 *					confirm in daemon.c
	 * @return			TRUE on success, FALSE otherwise (presumably)
	 */
	bool (*initialize)(daemon_t *this, bool syslog, level_t levels[]);

	/**
	 * Starts the daemon, i.e. spawns the threads of the thread pool.
	 */
	void (*start)(daemon_t *this);

};
324
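/**
 * The one and only instance of the daemon. Set between libcharon_init() and
 * libcharon_deinit() calls and must not be used outside that window, i.e.
 * only after libcharon_init() has returned TRUE.
 */
extern daemon_t *charon;

/**
 * Initialize libcharon and create the "charon" instance of daemon_t.
 *
 * Declared with an explicit (void) parameter list so that calls are checked
 * against a full prototype; an empty parameter list declares no prototype in C.
 *
 * @return FALSE if the integrity check failed. In that case the library's own
 *         code could not be verified and the caller should abort rather than
 *         continue to use charon.
 */
bool libcharon_init(void);

/**
 * Deinitialize libcharon and destroy the "charon" instance of daemon_t.
 */
void libcharon_deinit(void);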
341
342 #endif /** DAEMON_H_ @}*/