charon
The charon daemon was built from scratch to implement the IKEv2 protocol for
the strongSwan project. Most of its code is located in the libcharon library
making the IKE daemon core available to other programs such as
charon-systemd,
charon-svc,
charon-cmd or the
Android app.
Architecture
+---------------------------------+ +----------------------------+
| Credentials | | Backends |
+---------------------------------+ +----------------------------+
+------------+ +-----------+ +------+ +----------+
| receiver | | | | | +------+ | CHILD_SA |
+----+-------+ | Scheduler | | IKE- | | IKE- |--+----------+
| | | | SA |--| SA | | CHILD_SA |
+-------+--+ +-----------+ | | +------+ +----------+
<->| socket | | | Man- |
+-------+--+ +-----------+ | ager | +------+ +----------+
| | | | | | IKE- |--| CHILD_SA |
+----+-------+ | Processor |--------| |--| SA | +----------+
| sender | | | | | +------+
+------------+ +-----------+ +------+
+---------------------------------+ +----------------------------+
| Bus | | Kernel Interface |
+---------------------------------+ +----------------------------+
| | |
+-------------+ +-------------+ V
| File-Logger | | Sys-Logger | //////
+-------------+ +-------------+
Processor |
The threading is realized with the help of a thread pool (called processor) which contains a fixed amount of precreated threads. All threads in the daemon originate from the processor. To delegate work to a thread, jobs are queued to the processor for asynchronous execution |
Scheduler |
The scheduler is responsible to execute timed events. Jobs may be queued to the scheduler to get executed at a defined time (e.g. rekeying). The scheduler does not execute the jobs itself, it queues them to the processor |
IKE_SA Manager |
The IKE_SA manager manages all IKE_SAs. It further handles the synchronization: Each IKE_SA must be checked out strictly and checked in again after use. The manager guarantees that only one thread may check out a single IKE_SA. This allows us to write the (complex) IKE_SAs routines as non-threadsave |
IKE_SA |
The IKE_SA contain the state and the logic of each IKE_SA and handle the messages |
CHILD_SA |
The CHILD_SA contains state about an IPsec security association and manages them. An IKE_SA may have multiple CHILD_SAs. Communication to the kernel takes place here through the kernel interface |
Kernel Interface |
The kernel interface installs IPsec security associations, policies, routes and virtual addresses. It further provides methods to enumerate interfaces and may notify the daemon about state changes at lower layers |
Bus |
The bus receives signals from the different threads and relays them to interested listeners. Debugging signals, but also important state changes or error messages are sent over the bus |
Controller |
The controller provides a simple API for plugins to control the daemon (e.g. initiate IKE_SA, close IKE_SA, …) |
Backends |
Backends are pluggable modules which provide configuration. They have to implement an API which the daemon core uses to get configuration |
Credentials |
Provides trustchain verification and credential serving using registered plugins |
Plugins
The daemon loads plugins at startup. These implement the
plugin_t interface (src/libstrongswan/plugins/plugin.h).
Each plugin registers itself with the daemon to hook in its functionality.
+-------------------------------------+ | charon +---+ +-----+------+ | | | | vici | | | | +-----+------+ | +-------------+ | | +-----+------+ | | bus | ----> | p | | stroke | | +-------------+ | l | +-----+------+ | +-------------+ <---- | u | +-----+------+ | | controller | | g | | sql | | +-------------+ ----> | i | +-----+------+ | +-------------+ | n | +-----+------+ | | credentials | <---- | | | eap_aka | | +-------------+ | l | +-----+------+ | +-------------+ ----> | o | +-----+------+ | | backends | | a | | eap_sim | | +-------------+ <---- | d | +-----+------+ | +-------------+ | e | +-----+------+ | | eap | ----> | r | | eap_md5 | | +-------------+ | | +-----+------+ | | | +-----+------+ | | | |eap_identity| | +---+ +-----+------+ +-------------------------------------+