Diffstat (limited to 'src/charon/daemon.h')
-rw-r--r-- | src/charon/daemon.h | 434 |
1 files changed, 145 insertions, 289 deletions
diff --git a/src/charon/daemon.h b/src/charon/daemon.h
index 33c63091d..5893e7332 100644
--- a/src/charon/daemon.h
+++ b/src/charon/daemon.h
@@ -1,14 +1,7 @@
-/**
- * @file daemon.h
- *
- * @brief Interface of daemon_t.
- *
- */
-
 /*
  * Copyright (C) 2006-2007 Tobias Brunner
  * Copyright (C) 2006 Daniel Roethlisberger
- * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
  * 
@@ -21,345 +14,189 @@ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. + * + * $Id: daemon.h 3964 2008-05-15 14:01:26Z martin $ */ -#ifndef DAEMON_H_ -#define DAEMON_H_ - -typedef struct daemon_t daemon_t; - -#include <credential_store.h> - -#include <network/sender.h> -#include <network/receiver.h> -#include <network/socket.h> -#include <processing/scheduler.h> -#include <processing/processor.h> -#include <kernel/kernel_interface.h> -#include <control/interface_manager.h> -#include <bus/bus.h> -#include <bus/listeners/file_logger.h> -#include <bus/listeners/sys_logger.h> -#include <sa/ike_sa_manager.h> -#include <config/backend_manager.h> - -#ifdef P2P -#include <sa/connect_manager.h> -#include <sa/mediation_manager.h> -#endif /* P2P */ - /** * @defgroup charon charon * - * @brief IKEv2 keying daemon. - * - * All IKEv2 stuff is handled in charon. It uses a newer and more flexible - * architecture than pluto. Charon uses a thread-pool (called processor), - * which allows parallel execution SA-management. All threads originate - * from the processor. Work is delegated to the processor by queueing jobs - * to it. 
- @verbatim - - +--------+ +-------+ +--------+ +-----------+ +-----------+ - | Stroke | | XML | | DBUS | | Local | | SQLite | - +--------+ +-------+ +--------+ +-----------+ +-----------+ - | | | | | - +---------------------------------+ +----------------------------+ - | Interfaces | | Backends | - +---------------------------------+ +----------------------------+ - - - +------------+ +-----------+ +------+ +----------+ - | receiver | | | | | +------+ | CHILD_SA | - +----+-------+ | Scheduler | | IKE- | | IKE- |--+----------+ - | | | | SA |--| SA | | CHILD_SA | - +-------+--+ +-----------+ | | +------+ +----------+ - <->| socket | | | Man- | - +-------+--+ +-----------+ | ager | +------+ +----------+ - | | | | | | IKE- |--| CHILD_SA | - +----+-------+ | Processor |--------| |--| SA | +----------+ - | sender | | | | | +------+ - +------------+ +-----------+ +------+ - - - +---------------------------------+ +----------------------------+ - | Bus | | Kernel Interface | - +---------------------------------+ +----------------------------+ - | | | - +-------------+ +-------------+ V - | File-Logger | | Sys-Logger | ////// - +-------------+ +-------------+ - - - @endverbatim - * The scheduler is responsible to execute timed events. Jobs may be queued to - * the scheduler to get executed at a defined time (e.g. rekeying). The scheduler - * does not execute the jobs itself, it queues them to the processor. - * - * The IKE_SA manager managers all IKE_SA. It further handles the synchronization: - * Each IKE_SA must be checked out strictly and checked in again after use. The - * manager guarantees that only one thread may check out a single IKE_SA. This allows - * us to write the (complex) IKE_SAs routines non-threadsave. - * The IKE_SA contain the state and the logic of each IKE_SA and handle the messages. - * - * The CHILD_SA contains state about a IPsec security association and manages them. - * An IKE_SA may have multiple CHILD_SAs. 
Communication to the kernel takes place - * here through the kernel interface. - * - * The kernel interface installs IPsec security associations, policies routes and - * virtual addresses. It further provides methods to enumerate interfaces and may notify - * the daemon about state changes at lower layers. - * - * The bus receives signals from the different threads and relais them to interested - * listeners. Debugging signals, but also important state changes or error messages are - * sent over the bus. - * It's listeners are not only for logging, but also to track the state of an IKE_SA. - * - * The interface manager loads pluggable controlling interfaces. These are written to control - * the daemon from external inputs (e.g. initiate IKE_SA, close IKE_SA, ...). The interface - * manager further provides a simple API to establish these tasks. - * Backends are pluggable modules which provide configuration. They have to implement an API - * which the daemon core uses to get configuration. - */ - -/** * @defgroup bus bus - * - * Signaling bus and its listeners. - * * @ingroup charon - */ - -/** - * @defgroup config config - * - * Classes implementing configuration related things. + * + * @defgroup listeners listeners + * @ingroup bus * + * @defgroup config config * @ingroup charon - */ - -/** - * @defgroup backends backends - * - * Classes implementing configuration backends. * + * @defgroup attributes attributes * @ingroup config - */ - -/** - * @defgroup credentials credentials * - * Trust chain verification and certificate store. - * - * @ingroup config - */ - -/** * @defgroup control control + * @ingroup charon * - * Handling of loadable control interface modules. - * + * @defgroup ccredentials credentials * @ingroup charon - */ - -/** - * @defgroup interfaces interfaces * - * Classes which control the daemon using IPC mechanisms. 
+ * @defgroup sets sets + * @ingroup ccredentials * - * @ingroup control - */ - -/** * @defgroup encoding encoding - * - * Classes used to encode and decode IKEv2 messages. - * * @ingroup charon - */ - - /** - * @defgroup payloads payloads - * - * Classes representing specific IKEv2 payloads. * + * @defgroup payloads payloads * @ingroup encoding - */ - -/** - * @defgroup kernel kernel - * - * Classes to configure and query the kernel. * + * @defgroup kernel kernel * @ingroup charon - */ - -/** - * @defgroup network network - * - * Classes for sending and receiving UDP packets over the network. * + * @defgroup network network * @ingroup charon - */ - -/** - * @defgroup processing processing - * - * Queueing, scheduling and processing of jobs * + * @defgroup cplugins plugins * @ingroup charon - */ - -/** - * @defgroup jobs jobs * - * Jobs to queue, schedule and process. + * @defgroup processing processing + * @ingroup charon * + * @defgroup jobs jobs * @ingroup processing - */ - -/** - * @defgroup sa sa - * - * Security associations for IKE and IPSec, and its helper classes. * + * @defgroup sa sa * @ingroup charon - */ - -/** - * @defgroup authenticators authenticators - * - * Authenticator classes to prove identity of a peer. * + * @defgroup authenticators authenticators * @ingroup sa - */ - -/** - * @defgroup eap eap - * - * EAP module loader, interface and it's implementations. * + * @defgroup eap eap * @ingroup authenticators - */ - -/** + * * @defgroup tasks tasks + * @ingroup sa * - * Tasks process and build message payloads. They are used to create - * and process multiple exchanges. + * @addtogroup charon + * @{ * - * @ingroup sa - */ - -/** - * Name of the daemon. + * IKEv2 keying daemon. * - * @ingroup charon - */ -#define DAEMON_NAME "charon" + * All IKEv2 stuff is handled in charon. It uses a newer and more flexible + * architecture than pluto. Charon uses a thread-pool (called processor), + * which allows parallel execution SA-management. 
All threads originate + * from the processor. Work is delegated to the processor by queueing jobs + * to it. + @verbatim + + +---------------------------------+ +----------------------------+ + | controller | | config | + +---------------------------------+ +----------------------------+ + | | | ^ ^ ^ + V V V | | | + + +----------+ +-----------+ +------+ +----------+ +----+ + | receiver | | | | | +------+ | CHILD_SA | | K | + +---+------+ | Scheduler | | IKE- | | IKE- |--+----------+ | e | + | | | | SA |--| SA | | CHILD_SA | | r | + +------+---+ +-----------+ | | +------+ +----------+ | n | + <->| socket | | | Man- | | e | + +------+---+ +-----------+ | ager | +------+ +----------+ | l | + | | | | | | IKE- |--| CHILD_SA | | - | + +---+------+ | Processor |---| |--| SA | +----------+ | I | + | sender | | | | | +------+ | f | + +----------+ +-----------+ +------+ +----+ + + | | | | | | + V V V V V V + +---------------------------------+ +----------------------------+ + | Bus | | credentials | + +---------------------------------+ +----------------------------+ -/** - * @brief Number of threads in the thread pool. + @endverbatim + * The scheduler is responsible to execute timed events. Jobs may be queued to + * the scheduler to get executed at a defined time (e.g. rekeying). The + * scheduler does not execute the jobs itself, it queues them to the processor. * - * @ingroup charon - */ -#define WORKER_THREADS 16 - -/** - * UDP Port on which the daemon will listen for incoming traffic. + * The IKE_SA manager managers all IKE_SA. It further handles the + * synchronization: + * Each IKE_SA must be checked out strictly and checked in again after use. The + * manager guarantees that only one thread may check out a single IKE_SA. This + * allows us to write the (complex) IKE_SAs routines non-threadsave. + * The IKE_SA contain the state and the logic of each IKE_SA and handle the + * messages. 
* - * @ingroup charon - */ -#define IKEV2_UDP_PORT 500 - -/** - * UDP Port to which the daemon will float to if NAT is detected. - * - * @ingroup charon - */ -#define IKEV2_NATT_PORT 4500 - -/** - * PID file, in which charon stores its process id + * The CHILD_SA contains state about a IPsec security association and manages + * them. An IKE_SA may have multiple CHILD_SAs. Communication to the kernel + * takes place here through the kernel interface. * - * @ingroup charon - */ -#define PID_FILE IPSEC_PIDDIR "/charon.pid" - -/** - * Configuration directory + * The kernel interface installs IPsec security associations, policies, routes + * and virtual addresses. It further provides methods to enumerate interfaces + * and may notify the daemon about state changes at lower layers. * - * @ingroup charon + * The bus receives signals from the different threads and relais them to interested + * listeners. Debugging signals, but also important state changes or error + * messages are sent over the bus. + * It's listeners are not only for logging, but also to track the state of an + * IKE_SA. + * + * The controller, credential_manager, bus and backend_manager (config) are + * places where a plugin ca register itself to privide information or observe + * and control the daemon. 
*/ -#define CONFIG_DIR IPSEC_CONFDIR -/** - * Directory of IPsec relevant files - * - * @ingroup charon - */ -#define IPSEC_D_DIR CONFIG_DIR "/ipsec.d" +#ifndef DAEMON_H_ +#define DAEMON_H_ -/** - * Default directory for private keys - * - * @ingroup charon - */ -#define PRIVATE_KEY_DIR IPSEC_D_DIR "/private" +typedef struct daemon_t daemon_t; -/** - * Default directory for end entity certificates - * - * @ingroup charon - */ -#define CERTIFICATE_DIR IPSEC_D_DIR "/certs" +#include <network/sender.h> +#include <network/receiver.h> +#include <network/socket.h> +#include <processing/scheduler.h> +#include <processing/processor.h> +#include <kernel/kernel_interface.h> +#include <control/controller.h> +#include <bus/bus.h> +#include <bus/listeners/file_logger.h> +#include <bus/listeners/sys_logger.h> +#include <sa/ike_sa_manager.h> +#include <config/backend_manager.h> +#include <config/attributes/attribute_manager.h> +#include <credentials/credential_manager.h> +#include <sa/authenticators/eap/eap_manager.h> -/** - * Default directory for trusted Certification Authority certificates - * - * @ingroup charon - */ -#define CA_CERTIFICATE_DIR IPSEC_D_DIR "/cacerts" +#ifdef ME +#include <sa/connect_manager.h> +#include <sa/mediation_manager.h> +#endif /* ME */ /** - * Default directory for Authorization Authority certificates - * - * @ingroup charon + * Name of the daemon. */ -#define AA_CERTIFICATE_DIR IPSEC_D_DIR "/aacerts" +#define DAEMON_NAME "charon" /** - * Default directory for Attribute certificates - * - * @ingroup charon + * Number of threads in the thread pool, if not specified in config. */ -#define ATTR_CERTIFICATE_DIR IPSEC_D_DIR "/acerts" +#define DEFAULT_THREADS 16 /** - * Default directory for OCSP signing certificates - * - * @ingroup charon + * UDP Port on which the daemon will listen for incoming traffic. 
*/ -#define OCSP_CERTIFICATE_DIR IPSEC_D_DIR "/ocspcerts" +#define IKEV2_UDP_PORT 500 /** - * Default directory for CRLs - * - * @ingroup charon + * UDP Port to which the daemon will float to if NAT is detected. */ -#define CRL_DIR IPSEC_D_DIR "/crls" +#define IKEV2_NATT_PORT 4500 /** - * Secrets files - * - * @ingroup charon + * PID file, in which charon stores its process id */ -#define SECRETS_FILE CONFIG_DIR "/ipsec.secrets" +#define PID_FILE IPSEC_PIDDIR "/charon.pid" + /** - * @brief Main class of daemon, contains some globals. - * - * @ingroup charon + * Main class of daemon, contains some globals. */ struct daemon_t { @@ -379,9 +216,14 @@ struct daemon_t { backend_manager_t *backends; /** - * A credential_store_t instance. + * Manager IKEv2 cfg payload attributes + */ + attribute_manager_t *attributes; + + /** + * Manager for the credential backends */ - credential_store_t *credentials; + credential_manager_t *credentials; /** * The Sender-Thread. @@ -429,11 +271,16 @@ struct daemon_t { kernel_interface_t *kernel_interface; /** - * Interfaces for IPC + * Controller to control the daemon */ - interface_manager_t *interfaces; + controller_t *controller; -#ifdef P2P + /** + * EAP manager to maintain registered EAP methods + */ + eap_manager_t *eap; + +#ifdef ME /** * Connect manager */ @@ -443,12 +290,21 @@ struct daemon_t { * Mediation manager */ mediation_manager_t *mediation_manager; -#endif /* P2P */ +#endif /* ME */ + + /** + * User ID the daemon will user after initialization + */ + uid_t uid; + + /** + * Group ID the daemon will use after initialization + */ + gid_t gid; /** - * @brief Shut down the daemon. + * Shut down the daemon. * - * @param this the daemon to kill * @param reason describtion why it will be killed */ void (*kill) (daemon_t *this, char *reason); @@ -459,4 +315,4 @@ struct daemon_t { */ extern daemon_t *charon; -#endif /*DAEMON_H_*/ +#endif /*DAEMON_H_ @} */ |
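Review bot: The rewritten `@addtogroup charon` description carries several typos that will be emitted verbatim into the generated documentation: `places where a plugin ca register itself to privide information` should read `places where a plugin can register itself to provide information`, and `The IKE_SA manager managers all IKE_SA` should be `The IKE_SA manager manages all IKE_SAs`; `relais`, `non-threadsave` and `It's listeners` are carried over from the old text and should be fixed while the block is being moved. The feature guard is renamed from `#ifdef P2P` to `#ifdef ME`, so any build configuration that still defines P2P will silently compile a daemon_t without the connect and mediation managers; the corresponding configure/Makefile change is not visible here and is presumably part of the same commit, but it is worth confirming. This hunk also removes `credential_store.h` together with the CERTIFICATE_DIR/CRL_DIR/SECRETS_FILE macros, so remaining users of those names elsewhere in the tree will fail to compile rather than pick up a stale path, which is the desirable failure mode but should be checked across the rest of the commit.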
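Review bot: The new `uid_t uid;` and `gid_t gid;` members use POSIX types that this header never brings into scope itself; add `#include <sys/types.h>` to the include list rather than relying on a transitive include through network/socket.h or one of the other project headers. The field comment has a typo, `User ID the daemon will user after initialization` should be `User ID the daemon will use after initialization`, and because these two values drive a privilege drop the comments should spell out the contract for whoever applies them: drop supplementary groups and the group ID before the user ID (after a successful setuid() the daemon can no longer change its gid), check every return value and refuse to continue if the drop fails, since a silent failure leaves the daemon running as root. The code that actually applies uid and gid lives outside this header, so this is a documentation request on the struct fields, not a claim about the current implementation.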
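Review bot: The closing `@}` for the charon group is placed inside an ordinary `/* ... */` comment on the `#endif` line, and Doxygen only parses commands in special comment blocks (`/** */`, `/*! */`, `///`, `//!`), so the group opened by `@addtogroup charon` / `@{` in the header's `/** */` block is never closed by this line. Change the trailer to `#endif /** @}*/` (or put `/** @} */` on its own line before the `#endif`) so the grouping is balanced; as written, everything Doxygen encounters after this header in the same translation unit may be pulled into the charon group.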