1: /*
2: * Copyright (C) 2006-2017 Tobias Brunner
3: * Copyright (C) 2005-2009 Martin Willi
4: * Copyright (C) 2006 Daniel Roethlisberger
5: * Copyright (C) 2005 Jan Hutter
6: * HSR Hochschule fuer Technik Rapperswil
7: *
8: * This program is free software; you can redistribute it and/or modify it
9: * under the terms of the GNU General Public License as published by the
10: * Free Software Foundation; either version 2 of the License, or (at your
11: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12: *
13: * This program is distributed in the hope that it will be useful, but
14: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16: * for more details.
17: */
18:
19: /*
20: * Copyright (C) 2016 secunet Security Networks AG
21: * Copyright (C) 2016 Thomas Egerer
22: *
23: * Permission is hereby granted, free of charge, to any person obtaining a copy
24: * of this software and associated documentation files (the "Software"), to deal
25: * in the Software without restriction, including without limitation the rights
26: * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
27: * copies of the Software, and to permit persons to whom the Software is
28: * furnished to do so, subject to the following conditions:
29: *
30: * The above copyright notice and this permission notice shall be included in
31: * all copies or substantial portions of the Software.
32: *
33: * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
34: * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
35: * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
36: * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
37: * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
38: * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
39: * THE SOFTWARE.
40: */
41:
42: /**
43: * @defgroup libcharon libcharon
44: *
45: * @defgroup attributes attributes
46: * @ingroup libcharon
47: *
48: * @defgroup bus bus
49: * @ingroup libcharon
50: *
51: * @defgroup listeners listeners
52: * @ingroup bus
53: *
54: * @defgroup config config
55: * @ingroup libcharon
56: *
57: * @defgroup control control
58: * @ingroup libcharon
59: *
60: * @defgroup encoding encoding
61: * @ingroup libcharon
62: *
63: * @defgroup payloads payloads
64: * @ingroup encoding
65: *
66: * @defgroup kernel kernel
67: * @ingroup libcharon
68: *
69: * @defgroup network network
70: * @ingroup libcharon
71: *
72: * @defgroup cplugins plugins
73: * @ingroup libcharon
74: *
75: * @defgroup cprocessing processing
76: * @ingroup libcharon
77: *
78: * @defgroup cjobs jobs
79: * @ingroup cprocessing
80: *
81: * @defgroup sa sa
82: * @ingroup libcharon
83: *
84: * @defgroup ikev1 ikev1
85: * @ingroup sa
86: *
87: * @defgroup ikev2 ikev2
88: * @ingroup sa
89: *
90: * @defgroup authenticators_v1 authenticators
91: * @ingroup ikev1
92: *
93: * @defgroup authenticators_v2 authenticators
94: * @ingroup ikev2
95: *
96: * @defgroup eap eap
97: * @ingroup sa
98: *
99: * @defgroup xauth xauth
100: * @ingroup sa
101: *
102: * @defgroup tasks_v1 tasks
103: * @ingroup ikev1
104: *
105: * @defgroup tasks_v2 tasks
106: * @ingroup ikev2
107: *
108: * @addtogroup libcharon
109: * @{
110: *
111: * IKEv2 keying daemon.
112: *
113: * All IKEv2 stuff is handled in charon. It uses a newer and more flexible
114: * architecture than pluto. Charon uses a thread-pool (called processor),
115: * which allows parallel execution SA-management. All threads originate
116: * from the processor. Work is delegated to the processor by queueing jobs
117: * to it.
118: @verbatim
119:
120: +---------------------------------+ +----------------------------+
121: | controller | | config |
122: +---------------------------------+ +----------------------------+
123: | | | ^ ^ ^
124: V V V | | |
125:
126: +----------+ +-----------+ +------+ +----------+ +----+
127: | receiver | | | | | +------+ | CHILD_SA | | K |
128: +---+------+ | Scheduler | | IKE- | | IKE- |--+----------+ | e |
129: | | | | SA |--| SA | | CHILD_SA | | r |
130: +------+---+ +-----------+ | | +------+ +----------+ | n |
131: <->| socket | | | Man- | | e |
132: +------+---+ +-----------+ | ager | +------+ +----------+ | l |
133: | | | | | | IKE- |--| CHILD_SA | | - |
134: +---+------+ | Processor |---| |--| SA | +----------+ | I |
135: | sender | | | | | +------+ | f |
136: +----------+ +-----------+ +------+ +----+
137:
138: | | | | | |
139: V V V V V V
140: +---------------------------------+ +----------------------------+
141: | Bus | | credentials |
142: +---------------------------------+ +----------------------------+
143:
144: @endverbatim
145: * The scheduler is responsible to execute timed events. Jobs may be queued to
146: * the scheduler to get executed at a defined time (e.g. rekeying). The
147: * scheduler does not execute the jobs itself, it queues them to the processor.
148: *
149: * The IKE_SA manager managers all IKE_SA. It further handles the
150: * synchronization:
151: * Each IKE_SA must be checked out strictly and checked in again after use. The
152: * manager guarantees that only one thread may check out a single IKE_SA. This
153: * allows us to write the (complex) IKE_SAs routines non-threadsafe.
154: * The IKE_SA contain the state and the logic of each IKE_SA and handle the
155: * messages.
156: *
157: * The CHILD_SA contains state about a IPsec security association and manages
158: * them. An IKE_SA may have multiple CHILD_SAs. Communication to the kernel
159: * takes place here through the kernel interface.
160: *
161: * The kernel interface installs IPsec security associations, policies, routes
162: * and virtual addresses. It further provides methods to enumerate interfaces
163: * and may notify the daemon about state changes at lower layers.
164: *
165: * The bus receives signals from the different threads and relays them to
166: * interested listeners. Debugging signals, but also important state changes or
167: * error messages are sent over the bus.
168: * Its listeners are not only for logging, but also to track the state of an
169: * IKE_SA.
170: *
171: * The controller, credential_manager, bus and backend_manager (config) are
172: * places where a plugin ca register itself to provide information or observe
173: * and control the daemon.
174: */
175:
176: #ifndef DAEMON_H_
177: #define DAEMON_H_
178:
179: typedef struct daemon_t daemon_t;
180:
181: #include <attributes/attribute_manager.h>
182: #include <kernel/kernel_interface.h>
183: #include <network/sender.h>
184: #include <network/receiver.h>
185: #include <network/socket_manager.h>
186: #include <control/controller.h>
187: #include <bus/bus.h>
188: #include <bus/listeners/custom_logger.h>
189: #include <sa/ike_sa_manager.h>
190: #include <sa/child_sa_manager.h>
191: #include <sa/trap_manager.h>
192: #include <sa/shunt_manager.h>
193: #include <sa/redirect_manager.h>
194: #include <config/backend_manager.h>
195: #include <sa/eap/eap_manager.h>
196: #include <sa/xauth/xauth_manager.h>
197:
198: #ifdef ME
199: #include <sa/ikev2/connect_manager.h>
200: #include <sa/ikev2/mediation_manager.h>
201: #endif /* ME */
202:
203: /**
204: * Number of threads in the thread pool, if not specified in config.
205: */
206: #define DEFAULT_THREADS 16
207:
208: /**
209: * Primary UDP port used by IKE.
210: */
211: #define IKEV2_UDP_PORT 500
212:
213: /**
214: * UDP port defined for use in case a NAT is detected.
215: */
216: #define IKEV2_NATT_PORT 4500
217:
218: /**
219: * UDP port on which the daemon will listen for incoming traffic (also used as
220: * source port for outgoing traffic).
221: */
222: #ifndef CHARON_UDP_PORT
223: #define CHARON_UDP_PORT IKEV2_UDP_PORT
224: #endif
225:
226: /**
227: * UDP port used by the daemon in case a NAT is detected.
228: */
229: #ifndef CHARON_NATT_PORT
230: #define CHARON_NATT_PORT IKEV2_NATT_PORT
231: #endif
232:
233: /**
234: * Main class of daemon, contains some globals.
235: */
236: struct daemon_t {
237:
238: /**
239: * Socket manager instance
240: */
241: socket_manager_t *socket;
242:
243: /**
244: * Kernel interface to communicate with kernel
245: */
246: kernel_interface_t *kernel;
247:
248: /**
249: * A ike_sa_manager_t instance.
250: */
251: ike_sa_manager_t *ike_sa_manager;
252:
253: /**
254: * A child_sa_manager_t instance.
255: */
256: child_sa_manager_t *child_sa_manager;
257:
258: /**
259: * Manager for triggering policies, called traps
260: */
261: trap_manager_t *traps;
262:
263: /**
264: * Manager for shunt PASS|DROP policies
265: */
266: shunt_manager_t *shunts;
267:
268: /**
269: * Manager for IKE redirect providers
270: */
271: redirect_manager_t *redirect;
272:
273: /**
274: * Manager for the different configuration backends.
275: */
276: backend_manager_t *backends;
277:
278: /**
279: * The Sender-Thread.
280: */
281: sender_t *sender;
282:
283: /**
284: * The Receiver-Thread.
285: */
286: receiver_t *receiver;
287:
288: /**
289: * Manager for IKE configuration attributes
290: */
291: attribute_manager_t *attributes;
292:
293: /**
294: * The signaling bus.
295: */
296: bus_t *bus;
297:
298: /**
299: * Controller to control the daemon
300: */
301: controller_t *controller;
302:
303: /**
304: * EAP manager to maintain registered EAP methods
305: */
306: eap_manager_t *eap;
307:
308: /**
309: * XAuth manager to maintain registered XAuth methods
310: */
311: xauth_manager_t *xauth;
312:
313: #ifdef ME
314: /**
315: * Connect manager
316: */
317: connect_manager_t *connect_manager;
318:
319: /**
320: * Mediation manager
321: */
322: mediation_manager_t *mediation_manager;
323: #endif /* ME */
324:
325: /**
326: * Initialize the daemon.
327: *
328: * @param plugins list of plugins to load
329: * @return TRUE, if successful
330: */
331: bool (*initialize)(daemon_t *this, char *plugins);
332:
333: /**
334: * Starts the daemon, i.e. spawns the threads of the thread pool.
335: */
336: void (*start)(daemon_t *this);
337:
338: /**
339: * Load/Reload loggers defined in strongswan.conf
340: *
341: * If none are defined in strongswan.conf default loggers configured via
342: * set_default_loggers() are loaded.
343: */
344: void (*load_loggers)(daemon_t *this);
345:
346: /**
347: * Configure default loggers if none are defined in strongswan.conf
348: *
349: * @param levels debug levels used to create default loggers if none are
350: * defined in strongswan.conf (NULL to disable)
351: * @param to_stderr TRUE to log to stderr/stdout if no loggers are defined
352: * in strongswan.conf (logging to syslog is always enabled)
353: */
354: void (*set_default_loggers)(daemon_t *this, level_t levels[DBG_MAX],
355: bool to_stderr);
356:
357: /**
358: * Set the log level for the given log group for all loaded loggers.
359: *
360: * This change is not persistent and gets reset if loggers are reloaded
361: * via load_loggers().
362: *
363: * @param group log group
364: * @param level log level
365: */
366: void (*set_level)(daemon_t *this, debug_t group, level_t level);
367: };
368:
369: /**
370: * The one and only instance of the daemon.
371: *
372: * Set between libcharon_init() and libcharon_deinit() calls.
373: */
374: extern daemon_t *charon;
375:
376: /**
377: * Initialize libcharon and create the "charon" instance of daemon_t.
378: *
379: * This function initializes the bus, listeners can be registered before
380: * calling initialize().
381: *
382: * libcharon_init() may be called multiple times in a single process, but each
383: * caller must call libcharon_deinit() for each call to libcharon_init().
384: *
385: * @return FALSE if integrity check failed
386: */
387: bool libcharon_init();
388:
389: /**
390: * Deinitialize libcharon and destroy the "charon" instance of daemon_t.
391: */
392: void libcharon_deinit();
393:
394: /**
395: * Register a custom logger constructor.
396: *
397: * To be called from __attribute__((constructor)) functions.
398: *
399: * @param name name of the logger (also used for loglevel config)
400: * @param constructor constructor to create custom logger
401: */
402: void register_custom_logger(char *name,
403: custom_logger_constructor_t constructor);
404:
405: #endif /** DAEMON_H_ @}*/
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to daemon.h CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libcharon