1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
|
/*
* Copyright (C) 2006-2012 Tobias Brunner
* Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2006 Daniel Roethlisberger
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
/*
* Copyright (C) 2016 secunet Security Networks AG
* Copyright (C) 2016 Thomas Egerer
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
* THE SOFTWARE.
*/
/**
* @defgroup libcharon libcharon
*
* @defgroup attributes attributes
* @ingroup libcharon
*
* @defgroup bus bus
* @ingroup libcharon
*
* @defgroup listeners listeners
* @ingroup bus
*
* @defgroup config config
* @ingroup libcharon
*
* @defgroup control control
* @ingroup libcharon
*
* @defgroup encoding encoding
* @ingroup libcharon
*
* @defgroup payloads payloads
* @ingroup encoding
*
* @defgroup kernel kernel
* @ingroup libcharon
*
* @defgroup network network
* @ingroup libcharon
*
* @defgroup cplugins plugins
* @ingroup libcharon
*
* @defgroup cprocessing processing
* @ingroup libcharon
*
* @defgroup cjobs jobs
* @ingroup cprocessing
*
* @defgroup sa sa
* @ingroup libcharon
*
* @defgroup ikev1 ikev1
* @ingroup sa
*
* @defgroup ikev2 ikev2
* @ingroup sa
*
* @defgroup authenticators_v1 authenticators
* @ingroup ikev1
*
* @defgroup authenticators_v2 authenticators
* @ingroup ikev2
*
* @defgroup eap eap
* @ingroup sa
*
* @defgroup xauth xauth
* @ingroup sa
*
* @defgroup tasks_v1 tasks
* @ingroup ikev1
*
* @defgroup tasks_v2 tasks
* @ingroup ikev2
*
* @addtogroup libcharon
* @{
*
* IKEv2 keying daemon.
*
* All IKEv2 stuff is handled in charon. It uses a newer and more flexible
* architecture than pluto. Charon uses a thread-pool (called processor),
* which allows parallel execution SA-management. All threads originate
* from the processor. Work is delegated to the processor by queueing jobs
* to it.
@verbatim
+---------------------------------+ +----------------------------+
| controller | | config |
+---------------------------------+ +----------------------------+
| | | ^ ^ ^
V V V | | |
+----------+ +-----------+ +------+ +----------+ +----+
| receiver | | | | | +------+ | CHILD_SA | | K |
+---+------+ | Scheduler | | IKE- | | IKE- |--+----------+ | e |
| | | | SA |--| SA | | CHILD_SA | | r |
+------+---+ +-----------+ | | +------+ +----------+ | n |
<->| socket | | | Man- | | e |
+------+---+ +-----------+ | ager | +------+ +----------+ | l |
| | | | | | IKE- |--| CHILD_SA | | - |
+---+------+ | Processor |---| |--| SA | +----------+ | I |
| sender | | | | | +------+ | f |
+----------+ +-----------+ +------+ +----+
| | | | | |
V V V V V V
+---------------------------------+ +----------------------------+
| Bus | | credentials |
+---------------------------------+ +----------------------------+
@endverbatim
* The scheduler is responsible to execute timed events. Jobs may be queued to
* the scheduler to get executed at a defined time (e.g. rekeying). The
* scheduler does not execute the jobs itself, it queues them to the processor.
*
* The IKE_SA manager managers all IKE_SA. It further handles the
* synchronization:
* Each IKE_SA must be checked out strictly and checked in again after use. The
* manager guarantees that only one thread may check out a single IKE_SA. This
* allows us to write the (complex) IKE_SAs routines non-threadsave.
* The IKE_SA contain the state and the logic of each IKE_SA and handle the
* messages.
*
* The CHILD_SA contains state about a IPsec security association and manages
* them. An IKE_SA may have multiple CHILD_SAs. Communication to the kernel
* takes place here through the kernel interface.
*
* The kernel interface installs IPsec security associations, policies, routes
* and virtual addresses. It further provides methods to enumerate interfaces
* and may notify the daemon about state changes at lower layers.
*
* The bus receives signals from the different threads and relays them to
* interested listeners. Debugging signals, but also important state changes or
* error messages are sent over the bus.
* Its listeners are not only for logging, but also to track the state of an
* IKE_SA.
*
* The controller, credential_manager, bus and backend_manager (config) are
* places where a plugin ca register itself to privide information or observe
* and control the daemon.
*/
#ifndef DAEMON_H_
#define DAEMON_H_
typedef struct daemon_t daemon_t;
#include <attributes/attribute_manager.h>
#include <kernel/kernel_interface.h>
#include <network/sender.h>
#include <network/receiver.h>
#include <network/socket_manager.h>
#include <control/controller.h>
#include <bus/bus.h>
#include <bus/listeners/custom_logger.h>
#include <sa/ike_sa_manager.h>
#include <sa/child_sa_manager.h>
#include <sa/trap_manager.h>
#include <sa/shunt_manager.h>
#include <config/backend_manager.h>
#include <sa/eap/eap_manager.h>
#include <sa/xauth/xauth_manager.h>
#ifdef ME
#include <sa/ikev2/connect_manager.h>
#include <sa/ikev2/mediation_manager.h>
#endif /* ME */
/**
* Number of threads in the thread pool, if not specified in config.
*/
#define DEFAULT_THREADS 16
/**
* Primary UDP port used by IKE.
*/
#define IKEV2_UDP_PORT 500
/**
* UDP port defined for use in case a NAT is detected.
*/
#define IKEV2_NATT_PORT 4500
/**
* UDP port on which the daemon will listen for incoming traffic (also used as
* source port for outgoing traffic).
*/
#ifndef CHARON_UDP_PORT
#define CHARON_UDP_PORT IKEV2_UDP_PORT
#endif
/**
* UDP port used by the daemon in case a NAT is detected.
*/
#ifndef CHARON_NATT_PORT
#define CHARON_NATT_PORT IKEV2_NATT_PORT
#endif
/**
* Main class of daemon, contains some globals.
*/
struct daemon_t {
/**
* Socket manager instance
*/
socket_manager_t *socket;
/**
* Kernel interface to communicate with kernel
*/
kernel_interface_t *kernel;
/**
* A ike_sa_manager_t instance.
*/
ike_sa_manager_t *ike_sa_manager;
/**
* A child_sa_manager_t instance.
*/
child_sa_manager_t *child_sa_manager;
/**
* Manager for triggering policies, called traps
*/
trap_manager_t *traps;
/**
* Manager for shunt PASS|DROP policies
*/
shunt_manager_t *shunts;
/**
* Manager for the different configuration backends.
*/
backend_manager_t *backends;
/**
* The Sender-Thread.
*/
sender_t *sender;
/**
* The Receiver-Thread.
*/
receiver_t *receiver;
/**
* Manager for IKE configuration attributes
*/
attribute_manager_t *attributes;
/**
* The signaling bus.
*/
bus_t *bus;
/**
* Controller to control the daemon
*/
controller_t *controller;
/**
* EAP manager to maintain registered EAP methods
*/
eap_manager_t *eap;
/**
* XAuth manager to maintain registered XAuth methods
*/
xauth_manager_t *xauth;
#ifdef ME
/**
* Connect manager
*/
connect_manager_t *connect_manager;
/**
* Mediation manager
*/
mediation_manager_t *mediation_manager;
#endif /* ME */
/**
* Initialize the daemon.
*
* @param plugins list of plugins to load
* @return TRUE, if successful
*/
bool (*initialize)(daemon_t *this, char *plugins);
/**
* Starts the daemon, i.e. spawns the threads of the thread pool.
*/
void (*start)(daemon_t *this);
/**
* Load/Reload loggers defined in strongswan.conf
*
* @param levels optional debug levels used to create default loggers
* if none are defined in strongswan.conf
* @param to_stderr TRUE to log to stderr/stdout if no loggers are defined
* in strongswan.conf
*/
void (*load_loggers)(daemon_t *this, level_t levels[DBG_MAX],
bool to_stderr);
/**
* Set the log level for the given log group for all configured file-,
* syslog and custom-loggers.
*
* @param group log group
* @param level log level
*/
void (*set_level)(daemon_t *this, debug_t group, level_t level);
};
/**
* The one and only instance of the daemon.
*
* Set between libcharon_init() and libcharon_deinit() calls.
*/
extern daemon_t *charon;
/**
* Initialize libcharon and create the "charon" instance of daemon_t.
*
* This function initializes the bus, listeners can be registered before
* calling initialize().
*
* libcharon_init() may be called multiple times in a single process, but each
* caller must call libcharon_deinit() for each call to libcharon_init().
*
* @return FALSE if integrity check failed
*/
bool libcharon_init();
/**
* Deinitialize libcharon and destroy the "charon" instance of daemon_t.
*/
void libcharon_deinit();
/**
* Register a custom logger constructor.
*
* To be called from __attribute__((constructor)) functions.
*
* @param name name of the logger (also used for loglevel config)
* @param constructor constructor to create custom logger
*/
void register_custom_logger(char *name,
custom_logger_constructor_t constructor);
#endif /** DAEMON_H_ @}*/
|