Additions to cross-layer interfaces according to the ETSI standards

tools/benchmark/cases/security/signing.cpp

@@ -50,6 +50,7 @@ int SecuritySigningCase::execute()
         EncapRequest initial_encap_request;
         initial_encap_request.plaintext_payload = packet;
         initial_encap_request.its_aid = aid::CA;
+        initial_encap_request.permissions = ByteBuffer { 1, 0, 0 };
         security_entity.encapsulate_packet(std::move(initial_encap_request));
     }
 
@@ -68,8 +69,10 @@ int SecuritySigningCase::execute()
         EncapRequest encap_request;
         encap_request.plaintext_payload = packet;
         encap_request.its_aid = aid::CA;
+        encap_request.permissions = ByteBuffer { 1, 0, 0 };
 
         EncapConfirm encap_confirm = security_entity.encapsulate_packet(std::move(encap_request));
+        assert(encap_confirm.sec_packet);
     }
 
     std::cout << "[Done]" << std::endl;

tools/benchmark/cases/security/validation.cpp

@@ -68,6 +68,7 @@ int SecurityValidationCase::execute()
         EncapRequest initial_encap_request;
         initial_encap_request.plaintext_payload = packet;
         initial_encap_request.its_aid = aid::CA;
+        initial_encap_request.permissions = ByteBuffer { 1, 0, 0 };
         entities[0]->encapsulate_packet(std::move(initial_encap_request));
     }
 
@@ -81,10 +82,12 @@ int SecurityValidationCase::execute()
         EncapRequest encap_request;
         encap_request.plaintext_payload = packet;
         encap_request.its_aid = aid::CA;
+        encap_request.permissions = ByteBuffer { 1, 0, 0 };
 
         EncapConfirm encap_confirm = entities[i]->encapsulate_packet(std::move(encap_request));
-        secured_messages[i] = encap_confirm.sec_packet;
-        auto signer_info = encap_confirm.sec_packet.header_field<HeaderFieldType::Signer_Info>();
+        assert(encap_confirm.sec_packet);
+        secured_messages[i] = *encap_confirm.sec_packet;
+        auto signer_info = encap_confirm.sec_packet->header_field<HeaderFieldType::Signer_Info>();
 
         if (signer_info_type == "hash") {
             assert(signer_info && get_type(*signer_info) == SignerInfoType::Certificate_Digest_With_SHA256);

tools/socktap/application.cpp

@@ -34,10 +34,15 @@ void initialize_request(const Application::DataRequest& generic, geonet::DataReq
 {
     geonet.upper_protocol = geonet::UpperProtocol::BTP_B;
     geonet.communication_profile = generic.communication_profile;
+    geonet.security_profile = generic.security_profile;
     geonet.its_aid = generic.its_aid;
+    geonet.permissions = generic.permissions;
     if (generic.maximum_lifetime) {
         geonet.maximum_lifetime = generic.maximum_lifetime.get();
     }
+    if (generic.maximum_hop_limit) {
+        geonet.max_hop_limit = generic.maximum_hop_limit.get();
+    }
     geonet.repetition = generic.repetition;
     geonet.traffic_class = generic.traffic_class;
 }

tools/socktap/cam_application.cpp

@@ -2,6 +2,7 @@
 #include <vanetza/btp/ports.hpp>
 #include <vanetza/asn1/cam.hpp>
 #include <vanetza/asn1/packet_visitor.hpp>
+#include <vanetza/common/byte_buffer.hpp>
 #include <vanetza/facilities/cam_functions.hpp>
 #include <boost/units/cmath.hpp>
 #include <boost/units/systems/si/prefixes.hpp>
@@ -125,6 +126,8 @@ void CamApplication::on_timer(Clock::time_point)
 
     DataRequest request;
     request.its_aid = aid::CA;
+    request.permissions = ByteBuffer {1, 0, 0};
+    request.security_profile = security::SecurityProfile::Default;
     request.transport_type = geonet::TransportType::SHB;
     request.communication_profile = geonet::CommunicationProfile::ITS_G5;
 

vanetza/btp/data_indication.cpp

@@ -14,24 +14,32 @@ DataIndication::DataIndication()
 DataIndication::DataIndication(const geonet::DataIndication& ind, const HeaderA& btp) :
     source_port(btp.source_port),
     destination_port(btp.destination_port),
+    transport_type(ind.transport_type),
     destination(ind.destination),
+    security_report(ind.security_report),
+    certificate_id(ind.certificate_id),
     its_aid(ind.its_aid),
     permissions(ind.permissions),
     source_position(ind.source_position),
     traffic_class(ind.traffic_class),
-    remaining_packet_lifetime(ind.remaining_packet_lifetime)
+    remaining_packet_lifetime(ind.remaining_packet_lifetime),
+    remaining_hop_limit(ind.remaining_hop_limit)
 {
 }
 
 DataIndication::DataIndication(const geonet::DataIndication& ind, const HeaderB& btp) :
     destination_port(btp.destination_port),
     destination_port_info(btp.destination_port_info),
+    transport_type(ind.transport_type),
     destination(ind.destination),
+    security_report(ind.security_report),
+    certificate_id(ind.certificate_id),
     its_aid(ind.its_aid),
     permissions(ind.permissions),
     source_position(ind.source_position),
     traffic_class(ind.traffic_class),
-    remaining_packet_lifetime(ind.remaining_packet_lifetime)
+    remaining_packet_lifetime(ind.remaining_packet_lifetime),
+    remaining_hop_limit(ind.remaining_hop_limit)
 {
 }
 

vanetza/btp/data_indication.hpp

@@ -8,6 +8,7 @@
 #include <vanetza/geonet/lifetime.hpp>
 #include <vanetza/geonet/position_vector.hpp>
 #include <vanetza/geonet/traffic_class.hpp>
+#include <vanetza/security/decap_confirm.hpp>
 #include <boost/optional.hpp>
 #include <boost/variant.hpp>
 
@@ -25,12 +26,16 @@ struct DataIndication
     boost::optional<port_type> source_port;
     port_type destination_port;
     boost::optional<decltype(HeaderB::destination_port_info)> destination_port_info;
+    decltype(geonet::DataIndication::transport_type) transport_type;
     decltype(geonet::DataIndication::destination) destination;
+    decltype(geonet::DataIndication::security_report) security_report;
+    decltype(geonet::DataIndication::certificate_id) certificate_id;
     decltype(geonet::DataIndication::its_aid) its_aid;
     decltype(geonet::DataIndication::permissions) permissions;
-    geonet::ShortPositionVector source_position;
+    geonet::LongPositionVector source_position;
     geonet::TrafficClass traffic_class;
     boost::optional<geonet::Lifetime> remaining_packet_lifetime;
+    boost::optional<unsigned> remaining_hop_limit;
 };
 
 } // namespace btp

vanetza/btp/data_request.hpp

@@ -2,6 +2,7 @@
 #define DATA_REQUEST_HPP_BSJC1VFV
 
 #include <vanetza/btp/header.hpp>
+#include <vanetza/common/byte_buffer.hpp>
 #include <vanetza/common/its_aid.hpp>
 #include <vanetza/geonet/data_request.hpp>
 #include <vanetza/geonet/destination_variant.hpp>
@@ -19,7 +20,11 @@ struct DataRequestGeoNetParams
     geonet::TransportType transport_type;
     geonet::DestinationVariant destination;
     geonet::CommunicationProfile communication_profile;
+    decltype(geonet::DataRequest::security_profile) security_profile;
     ItsAid its_aid;
+    boost::optional<ByteBuffer> permissions;
+    // TODO: Security context information (optional), Security target ID list (optional):
+    // Encryption is currently not supported
     boost::optional<geonet::Lifetime> maximum_lifetime;
     boost::optional<unsigned> maximum_hop_limit;
     boost::optional<geonet::DataRequest::Repetition> repetition;

vanetza/btp/tests/data_indication.cpp

@@ -24,6 +24,7 @@ TEST(BtpDataIndication, construct_from_header_b) {
     EXPECT_FALSE(btp_ind.source_port);
     EXPECT_EQ(hdr.destination_port, btp_ind.destination_port);
     EXPECT_EQ(hdr.destination_port_info, btp_ind.destination_port_info);
+    EXPECT_EQ(gn_ind.transport_type, btp_ind.transport_type);
     EXPECT_EQ(boost::get<geonet::Address>(gn_ind.destination),
             boost::get<geonet::Address>(btp_ind.destination));
     EXPECT_EQ(gn_ind.source_position, btp_ind.source_position);

vanetza/geonet/data_indication.hpp

@@ -6,6 +6,7 @@
 #include <vanetza/geonet/destination_variant.hpp>
 #include <vanetza/geonet/interface.hpp>
 #include <vanetza/geonet/position_vector.hpp>
+#include <vanetza/security/basic_elements.hpp>
 #include <vanetza/security/decap_confirm.hpp>
 #include <boost/optional.hpp>
 
@@ -19,11 +20,11 @@ struct DataIndication
     UpperProtocol upper_protocol;
     TransportType transport_type;
     DestinationVariant destination;
-    ShortPositionVector source_position;
-    security::DecapReport security_report;
+    LongPositionVector source_position;
+    boost::optional<security::DecapReport> security_report;
     boost::optional<ItsAid> its_aid;
     boost::optional<ByteBuffer> permissions;
-    // TODO: certificate id is missing (optional)
+    boost::optional<security::HashedId8> certificate_id;
     TrafficClass traffic_class;
     boost::optional<Lifetime> remaining_packet_lifetime;
     boost::optional<unsigned> remaining_hop_limit;

vanetza/geonet/data_request.cpp

@@ -56,7 +56,9 @@ void copy_request_parameters(const btp::DataRequestB& btp, DataRequest& gn)
 {
     gn.upper_protocol = geonet::UpperProtocol::BTP_B;
     gn.communication_profile = btp.gn.communication_profile;
+    gn.security_profile = btp.gn.security_profile;
     gn.its_aid = btp.gn.its_aid;
+    gn.permissions = btp.gn.permissions;
     if (btp.gn.maximum_lifetime) {
         gn.maximum_lifetime = *btp.gn.maximum_lifetime;
     }

vanetza/geonet/data_request.hpp

@@ -1,13 +1,15 @@
 #ifndef DATA_REQUEST_HPP_3JYISVXB
 #define DATA_REQUEST_HPP_3JYISVXB
 
+#include <vanetza/common/byte_buffer.hpp>
 #include <vanetza/common/its_aid.hpp>
 #include <vanetza/geonet/address.hpp>
 #include <vanetza/geonet/areas.hpp>
 #include <vanetza/geonet/interface.hpp>
 #include <vanetza/geonet/lifetime.hpp>
 #include <vanetza/geonet/mib.hpp>
 #include <vanetza/geonet/traffic_class.hpp>
+#include <vanetza/security/encap_request.hpp>
 #include <vanetza/units/time.hpp>
 #include <boost/optional.hpp>
 #include <boost/variant.hpp>
@@ -40,7 +42,11 @@ struct DataRequest
 
     UpperProtocol upper_protocol;
     CommunicationProfile communication_profile;
+    decltype(security::EncapRequest::sec_services) security_profile;
     ItsAid its_aid;
+    boost::optional<ByteBuffer> permissions;
+    // TODO: Security context information (optional), Security target ID list (optional):
+    // Encryption is currently not supported
     Lifetime maximum_lifetime;
     boost::optional<Repetition> repetition;
     unsigned max_hop_limit;

vanetza/geonet/router.cpp

@@ -1,5 +1,6 @@
 #include <vanetza/btp/data_indication.hpp>
 #include <vanetza/btp/data_request.hpp>
+#include <vanetza/common/byte_buffer.hpp>
 #include <vanetza/common/its_aid.hpp>
 #include <vanetza/common/position_fix.hpp>
 #include <vanetza/common/runtime.hpp>
@@ -23,6 +24,7 @@
 #include <vanetza/geonet/transport_interface.hpp>
 #include <vanetza/geonet/extended_pdu.hpp>
 #include <vanetza/geonet/secured_pdu.hpp>
+#include <boost/optional.hpp>
 #include <boost/units/cmath.hpp>
 #include <functional>
 #include <stdexcept>
@@ -40,10 +42,14 @@ struct ControlInfo
 {
     ControlInfo(const DataRequest request) :
         communication_profile(request.communication_profile),
-        its_aid(request.its_aid) {}
+        security_profile(request.security_profile),
+        its_aid(request.its_aid),
+        permissions(request.permissions) {}
 
     const CommunicationProfile communication_profile;
+    const decltype(security::EncapRequest::sec_services) security_profile;
     const ItsAid its_aid;
+    const boost::optional<ByteBuffer> permissions;
 };
 
 template<typename PDU>
@@ -229,8 +235,14 @@ DataConfirm Router::request(const ShbDataRequest& request, DownPacketPtr payload
             pdu->extended().source_position = m_local_position_vector;
 
             // step 2: encapsulate packet by security
-            if (m_mib.itsGnSecurity) {
-                payload = encap_packet(ctrl.its_aid, *pdu, std::move(payload));
+            if (m_mib.itsGnSecurity && ctrl.security_profile) {
+                auto encap_result = encap_packet(ctrl.security_profile, ctrl.its_aid, *ctrl.permissions, *pdu, std::move(payload));
+                if (encap_result) {
+                    payload = std::move(encap_result.get());
+                } else {
+                    // TODO: How to throw an error here?
+                    return;
+                }
             }
 
             // step 5: execute media-dependent procedures
@@ -293,9 +305,15 @@ DataConfirm Router::request(const GbcDataRequest& request, DownPacketPtr payload
         pdu->extended().source_position = m_local_position_vector;
 
         // step 5: apply security
-        if (m_mib.itsGnSecurity) {
+        if (m_mib.itsGnSecurity && ctrl.security_profile) {
             assert(pdu->basic().next_header == NextHeaderBasic::Secured);
-            payload = encap_packet(ctrl.its_aid, *pdu, std::move(payload));
+            auto encap_result = encap_packet(ctrl.security_profile, ctrl.its_aid, *ctrl.permissions, *pdu, std::move(payload));
+            if (encap_result) {
+                payload = std::move(encap_result.get());
+            } else {
+                // TODO: How to throw an error here?
+                return;
+            }
         }
 
         // step 6: repetition is already set-up before
@@ -398,7 +416,6 @@ void Router::indicate_basic(IndicationContextBasic& ctx)
             indicate_secured(ctx, *basic);
         } else if (basic->next_header == NextHeaderBasic::Common) {
             if (!m_mib.itsGnSecurity || SecurityDecapHandling::Non_Strict == m_mib.itsGnSnDecapResultHandling) {
-                indication.security_report = security::DecapReport::Unsigned_Message,
                 indicate_common(ctx, *basic);
             } else {
                 packet_dropped(PacketDropReason::Decap_Unsuccessful_Strict);
@@ -486,6 +503,7 @@ void Router::indicate_secured(IndicationContextBasic& ctx, const BasicHeader& ba
         ctx.service_primitive().security_report = decap_confirm.report;
         ctx.service_primitive().its_aid = decap_confirm.its_aid;
         ctx.service_primitive().permissions = decap_confirm.permissions;
+        ctx.service_primitive().certificate_id = decap_confirm.certificate_id;
         secured_payload_visitor visitor(*this, ctx, basic);
 
         // check whether the received packet is valid
@@ -537,7 +555,7 @@ void Router::indicate_extended(IndicationContext& ctx, const CommonHeader& commo
         {
             DataIndication& indication = m_context.service_primitive();
             indication.transport_type = TransportType::SHB;
-            indication.source_position = static_cast<ShortPositionVector>(shb.source_position);
+            indication.source_position = shb.source_position;
 
             auto& pdu = m_context.pdu();
             ExtendedPduConstRefs<ShbHeader> shb_pdu(pdu.basic(), pdu.common(), shb, pdu.secured());
@@ -549,7 +567,7 @@ void Router::indicate_extended(IndicationContext& ctx, const CommonHeader& commo
         {
             DataIndication& indication = m_context.service_primitive();
             indication.transport_type = TransportType::GBC;
-            indication.source_position = static_cast<ShortPositionVector>(gbc.source_position);
+            indication.source_position = gbc.source_position;
             indication.destination = gbc.destination(m_context.pdu().common().header_type);
 
             auto& pdu = m_context.pdu();
@@ -707,10 +725,19 @@ void Router::on_beacon_timer_expired()
     // Beacons originate in GeoNet layer, therefore no upper layer payload
     DownPacketPtr payload { new DownPacket() };
     auto pdu = create_beacon_pdu();
+    // GN-MGMT has no SSP defined
+    auto permissions = ByteBuffer {};
 
     if (m_mib.itsGnSecurity) {
         pdu->basic().next_header = NextHeaderBasic::Secured;
-        payload = encap_packet(aid::GN_MGMT, *pdu, std::move(payload));
+        // Use default security profile for beacons, see ETSI EN 302 636-4-1 v1.2.1, table 22
+        auto encap_result = encap_packet(security::SecurityProfile::Default, aid::GN_MGMT, permissions, *pdu, std::move(payload));
+        if (!encap_result) {
+            // TODO: Throw an error here? If so, how?
+            return;
+        } else {
+            payload = std::move(encap_result.get());
+        }
     } else {
         pdu->basic().next_header = NextHeaderBasic::Common;
     }
@@ -1209,26 +1236,32 @@ std::unique_ptr<GbcPdu> Router::create_gbc_pdu(const GbcDataRequest& request)
     return pdu;
 }
 
-Router::DownPacketPtr Router::encap_packet(ItsAid its_aid, Pdu& pdu, DownPacketPtr packet)
+boost::optional<Router::DownPacketPtr> Router::encap_packet(boost::optional<security::SecurityProfile> security_profile, ItsAid its_aid, ByteBuffer permissions, Pdu& pdu, DownPacketPtr packet)
 {
     security::EncapRequest encap_request;
 
     DownPacket sec_payload;
     sec_payload[OsiLayer::Network] = SecuredPdu(pdu);
     sec_payload.merge(*packet, OsiLayer::Transport, max_osi_layer());
     encap_request.plaintext_payload = std::move(sec_payload);
+    encap_request.sec_services = security_profile;
     encap_request.its_aid = its_aid;
+    encap_request.permissions = permissions;
 
     if (m_security_entity) {
         security::EncapConfirm confirm = m_security_entity->encapsulate_packet(std::move(encap_request));
-        pdu.secured(std::move(confirm.sec_packet));
+        if (confirm.sec_packet) {
+            pdu.secured(std::move(*confirm.sec_packet));
+        } else {
+            return boost::none;
+        }
     } else {
         throw std::runtime_error("security entity unavailable");
     }
 
     assert(size(*packet, OsiLayer::Transport, max_osi_layer()) == 0);
     assert(pdu.basic().next_header == NextHeaderBasic::Secured);
-    return packet;
+    return std::move(packet);
 }
 
 std::string stringify(Router::PacketDropReason pdr)