EmberZNet security API. See Security for documentation.

License#

Copyright 2018 Silicon Laboratories Inc. www.silabs.com

The licensor of this software is Silicon Laboratories Inc. Your use of this software is governed by the terms of Silicon Labs Master Software License Agreement (MSLA) available at www.silabs.com/about-us/legal/master-software-license-agreement. This software is distributed to you in Source Code format and is governed by the sections of the MSLA applicable to Source Code.

/***************************************************************************/
#ifndef SILABS_SECURITY_H
#define SILABS_SECURITY_H

#include "stack/include/trust-center.h"

 #define SECURITY_BLOCK_SIZE         16 // Key, Nonce, and standalone block size

EmberStatus emberSetInitialSecurityState(EmberInitialSecurityState* state);

EmberStatus emberSetExtendedSecurityBitmask(EmberExtendedSecurityBitmask mask);

EmberStatus emberGetExtendedSecurityBitmask(EmberExtendedSecurityBitmask* mask);

#define EMBER_JOIN_NO_PRECONFIG_KEY_BITMASK \
  (EMBER_STANDARD_SECURITY_MODE             \
   | EMBER_GET_LINK_KEY_WHEN_JOINING)

#define EMBER_JOIN_PRECONFIG_KEY_BITMASK \
  (EMBER_STANDARD_SECURITY_MODE          \
   | EMBER_HAVE_PRECONFIGURED_KEY        \
   | EMBER_REQUIRE_ENCRYPTED_KEY)

EmberStatus emberGetCurrentSecurityState(EmberCurrentSecurityState* state);

#ifndef DOXYGEN_SHOULD_SKIP_THIS
extern uint8_t emberKeyTableSize;
extern uint32_t sli_zigbee_incoming_aps_frame_counters[];
#endif

EmberStatus emberGenerateRandomKey(EmberKeyData* keyAddress);

void emberSwitchNetworkKeyHandler(uint8_t sequenceNumber);

EmberStatus emberRequestLinkKey(EmberEUI64 partner);

EmberStatus emberUpdateTcLinkKey(uint8_t maxAttempts);

void emberZigbeeKeyEstablishmentHandler(EmberEUI64 partner, EmberKeyStatus status);

uint8_t emberFindKeyTableEntry(EmberEUI64 address,
                               bool linkKey);

EmberStatus emberEraseKeyTableEntry(uint8_t index);

EmberStatus emberClearKeyTable(void);

EmberStatus emberStopWritingStackTokens(void);

EmberStatus emberStartWritingStackTokens(void);

bool emberWritingStackTokensEnabled(void);

EmberStatus emberApsCryptMessage(bool encrypt,
                                 EmberMessageBuffer *buffer,
                                 uint8_t apsHeaderEndIndex,
                                 EmberEUI64 remoteEui64);

EmberStatus emberGetMfgSecurityConfig(EmberMfgSecurityStruct* settings);

EmberStatus emberSetMfgSecurityConfig(uint32_t magicNumber,
                                      const EmberMfgSecurityStruct* settings);

#if defined DOXYGEN_SHOULD_SKIP_THIS
EmberStatus emberSetOutgoingNwkFrameCounter(uint32_t desiredValue);
#else
  #define emberSetOutgoingNwkFrameCounter(desiredValue) \
  sli_zigbee_set_frame_counter(EMBER_CURRENT_NETWORK_KEY, desiredValue)
#endif

#if defined DOXYGEN_SHOULD_SKIP_THIS
EmberStatus emberSetOutgoingApsFrameCounter(uint32_t desiredValue);
#else
  #define emberSetOutgoingApsFrameCounter(desiredValue) \
  sli_zigbee_set_frame_counter(EMBER_TRUST_CENTER_LINK_KEY, desiredValue)

EmberStatus sli_zigbee_set_frame_counter(EmberKeyType keyType,
                                         uint32_t desiredValue);
#endif

void emberClearTransientLinkKeys(void);

extern uint16_t emberTransientKeyTimeoutS;

/* @brief Keyed hash function for message authentication
 * This is HMAC (see FIPS PUB 198) using the AES hash. HMAC is a
 * method for computing a hash from a key and a data message using
 * a message-only hash function.
 */

void emberHmacAesHash(const uint8_t *key,
                      const uint8_t *data,
                      uint8_t dataLength,
                      uint8_t *result);

/*
 * @brief Return the current rejoin policy, which can either allow no rejoin
 * at all, allow rejoin only with non-default link keys, or allow all kinds of rejoins.
 * There are no EZSP/NCP implementations for this function.
 *
 *  @return NO_REJOIN, REJOIN_ANY_LINK_KEY, REJOIN_NON_DEFAULT_LINK_KEY.
 */
EmberApsRejoinMode emberGetRejoinMode(void);

/*
 * @brief Set the current rejoin policy, which can either allow no rejoin
 * at all, allow rejoin only with non-default link keys, or allow all kinds of
 * rejoins.
 *
 * @param NO_REJOIN, REJOIN_ANY_LINK_KEY, REJOIN_NON_DEFAULT_LINK_KEY.
 *
 * There are no EZSP/NCP implementations for this function.
 */
void emberSetRejoinMode(EmberApsRejoinMode mode);

/* return the (security framecounter) */
uint32_t emberGetSecurityFrameCounter(void);
uint32_t emberGetApsFrameCounter(void);
uint32_t emberGetIncomingTcLinkKeyFrameCounter(void);
void emberSetIncomingTcLinkKeyFrameCounter(uint32_t frameCounter);
// @} END addtogroup

#endif // SILABS_SECURITY_H

Macros#

#define

The block size in bytes of the encryption cypher (AES-MMO-128).

#define

A non-trust center device configuration bitmask example. There is no Preconfigured Link Key, so the NWK key is expected to be sent in-the-clear. The device will request a Trust Center Link key after getting the Network Key.

#define

A non-trust center device configuration bitmask example. The device has a Preconfigured Link Key and expects to receive a NWK Key encrypted at the APS Layer. A NWK key sent in-the-clear will be rejected.

Variables#

uint16_t

The length of time, in seconds, that a trust center will store a transient link key that a device can use to join its network. A transient key is added with a call to sl_zb_sec_man_import_transient_key. After the transient key is added, it will be removed once this amount of time has passed. A joining device will not be able to use that key to join until it is added again on the trust center. The default value is 300 seconds, i.e., 5 minutes.

Functions#

emberSetInitialSecurityState(EmberInitialSecurityState *state)

Set the initial security state that will be used by the device when it forms or joins a network. If security is enabled, this function must be called prior to forming or joining the network. It must also be called if the device left the network and wishes to form or join another network.

emberSetExtendedSecurityBitmask(EmberExtendedSecurityBitmask mask)

Set the extended initial security bitmask.

emberGetExtendedSecurityBitmask(EmberExtendedSecurityBitmask *mask)

Get the extended security bitmask that is used by a device.

emberGetCurrentSecurityState(EmberCurrentSecurityState *state)

Get the security state that is used by a device joined into the Network. We can still get current security state by calling this function and the return value can be EMBER_NOT_JOINED or EMBER_SUCCESS.

emberGenerateRandomKey(EmberKeyData *keyAddress)

Generate a Random Key (link, network, or master) and returns the result.

void
emberSwitchNetworkKeyHandler(uint8_t sequenceNumber)

Inform the application that the Network Key has been updated and the node has been switched over to use the new key. The actual key being used is not passed up, but the sequence number is.

emberRequestLinkKey(EmberEUI64 partner)

Request a Link Key from the Trust Center with another device device on the Network (which could be the Trust Center). A Link Key with the Trust Center is possible but the requesting device can't be the Trust Center. Link Keys are optional in ZigBee Standard Security. Therefore, the stack can't know whether the other device supports them.

emberUpdateTcLinkKey(uint8_t maxAttempts)

Request a new link link key from the Trust Center. This function starts by sending a Node Descriptor request to the Trust Center to verify its R21+ stack version compliance. A Request Key message will then be sent, followed by a Verify Key Confirm message.

void
emberZigbeeKeyEstablishmentHandler(EmberEUI64 partner, EmberKeyStatus status)

Notify the application about the status of the request for a Link Key. The application should define EMBER_APPLICATION_HAS_ZIGBEE_KEY_ESTABLISHMENT_HANDLER to implement its own handler.

uint8_t
emberFindKeyTableEntry(EmberEUI64 address, bool linkKey)

Search the key table to find an entry matching the specified IEEE address and key type.

Clear a single entry in the key table.

Clear the key table of the current network.

Suppress normal write operations of the stack tokens. This is only done in rare circumstances when the device already has network parameters but needs to conditionally rejoin a network in order to perform a security message exchange (i.e., key establishment). If the network is not authenticated properly, it needs to forget any stack data it used and return to the old network. By suppressing writing of the stack tokens the device will not have stored any persistent data about the network and a reboot will clear the RAM copies. The Smart Energy profile feature Trust Center Swap-out uses this to securely replace the Trust Center and re-authenticate to it.

Immediately write the value of stack tokens and then resume normal network operation by writing the stack tokens at appropriate intervals or changes in state. It has no effect unless a previous call was made to emberStopWritingStackTokens().

bool

Determine whether stack tokens will be written to persistent storage when they change. By default, it is set to true meaning the stack will update its internal tokens via HAL calls when the associated RAM values change.

emberApsCryptMessage(bool encrypt, EmberMessageBuffer *buffer, uint8_t apsHeaderEndIndex, EmberEUI64 remoteEui64)

Perform APS encryption/decryption of messages directly. Normally, the stack handles all APS encryption/decryption automatically and there is no need to call this function. If APS data is sent or received via some other means (such as over interpan), APS encryption/decryption must be done manually. If the decryption is performed, the Auxiliary security header and MIC will be removed from the message. If encrypting, the auxiliary header and MIC will be added to the message. This is only available on SOC platforms.

emberGetMfgSecurityConfig(EmberMfgSecurityStruct *settings)

Retrieve the security configuration stored in manufacturing tokens. It is only available on the 35x series. See emberSetMfgSecurityConfig() for more details.

emberSetMfgSecurityConfig(uint32_t magicNumber, const EmberMfgSecurityStruct *settings)

Set the security configuration to be stored in manufacturing tokens. It is only available on the 35x series. This API must be called with care. Once set, a manufacturing token CANNOT BE UNSET without using the ISA3 tools and connecting the chip via JTAG. Additionally, a chip with read protection enabled cannot have its configuration changed without a full chip erase. Therefore, this provides a way to disallow access to the keys at runtime that cannot be undone.

emberSetOutgoingNwkFrameCounter(uint32_t desiredValue)

Set the NWK layer outgoing frame counter (intended for device restoration purposes). Caveats:

emberSetOutgoingApsFrameCounter(uint32_t desiredValue)

Set the APS layer outgoing frame counter for Trust Center Link Key (intended for device restoration purposes). Caveats:

void

Clear all transient link keys from RAM.

void
emberHmacAesHash(const uint8_t *key, const uint8_t *data, uint8_t dataLength, uint8_t *result)
void
emberSetRejoinMode(EmberApsRejoinMode mode)
void

Macro Definition Documentation#

SECURITY_BLOCK_SIZE#

#define SECURITY_BLOCK_SIZE
Value:
16

The block size in bytes of the encryption cypher (AES-MMO-128).


Definition at line 43 of file stack/include/security.h

EMBER_JOIN_NO_PRECONFIG_KEY_BITMASK#

#define EMBER_JOIN_NO_PRECONFIG_KEY_BITMASK
Value:
(EMBER_STANDARD_SECURITY_MODE \
| EMBER_GET_LINK_KEY_WHEN_JOINING)

A non-trust center device configuration bitmask example. There is no Preconfigured Link Key, so the NWK key is expected to be sent in-the-clear. The device will request a Trust Center Link key after getting the Network Key.


Definition at line 108 of file stack/include/security.h

EMBER_JOIN_PRECONFIG_KEY_BITMASK#

#define EMBER_JOIN_PRECONFIG_KEY_BITMASK
Value:
(EMBER_STANDARD_SECURITY_MODE \
| EMBER_HAVE_PRECONFIGURED_KEY \
| EMBER_REQUIRE_ENCRYPTED_KEY)

A non-trust center device configuration bitmask example. The device has a Preconfigured Link Key and expects to receive a NWK Key encrypted at the APS Layer. A NWK key sent in-the-clear will be rejected.


Definition at line 118 of file stack/include/security.h

Variable Documentation#

emberTransientKeyTimeoutS#

uint16_t emberTransientKeyTimeoutS

The length of time, in seconds, that a trust center will store a transient link key that a device can use to join its network. A transient key is added with a call to sl_zb_sec_man_import_transient_key. After the transient key is added, it will be removed once this amount of time has passed. A joining device will not be able to use that key to join until it is added again on the trust center. The default value is 300 seconds, i.e., 5 minutes.


Definition at line 451 of file stack/include/security.h

Function Documentation#

emberSetInitialSecurityState#

EmberStatus emberSetInitialSecurityState (EmberInitialSecurityState * state)

Set the initial security state that will be used by the device when it forms or joins a network. If security is enabled, this function must be called prior to forming or joining the network. It must also be called if the device left the network and wishes to form or join another network.

Parameters
N/Astate

The security configuration to be set.

This call should not be used when restoring prior network operation from saved state via emberNetworkInit because this will cause saved security settings and keys table from the prior network to be erased, resulting in improper keys and/or frame counter values being used, which will prevent proper communication with other devices in the network. Calling emberNetworkInit is sufficient to restore all saved security settings after a reboot and re-enter the network.

The call may be used by either the Trust Center or non Trust Center devices, the options that are set are different depending on which role the device will assume. See the EmberInitialSecurityState structure for more explanation about the various security settings.

The function will return EMBER_SECURITY_CONFIGURATION_INVALID in the following cases:

  • Distributed Trust Center Mode was enabled with Hashed Link Keys.

Returns


Definition at line 80 of file stack/include/security.h

emberSetExtendedSecurityBitmask#

EmberStatus emberSetExtendedSecurityBitmask (EmberExtendedSecurityBitmask mask)

Set the extended initial security bitmask.

Parameters
N/Amask

An object of type EmberExtendedSecurityBitmask that indicates what the extended security bitmask should be set to.

Returns


Definition at line 90 of file stack/include/security.h

emberGetExtendedSecurityBitmask#

EmberStatus emberGetExtendedSecurityBitmask (EmberExtendedSecurityBitmask * mask)

Get the extended security bitmask that is used by a device.

Parameters
N/Amask

A pointer to an EmberExtendedSecurityBitmask value into which the extended security bitmask will be copied.

Returns


Definition at line 100 of file stack/include/security.h

emberGetCurrentSecurityState#

EmberStatus emberGetCurrentSecurityState (EmberCurrentSecurityState * state)

Get the security state that is used by a device joined into the Network. We can still get current security state by calling this function and the return value can be EMBER_NOT_JOINED or EMBER_SUCCESS.

Parameters
N/Astate

A pointer to an EmberCurrentSecurityState value into which the security configuration will be copied.

Returns


Definition at line 133 of file stack/include/security.h

emberGenerateRandomKey#

EmberStatus emberGenerateRandomKey (EmberKeyData * keyAddress)

Generate a Random Key (link, network, or master) and returns the result.

Parameters
N/AkeyAddress

A pointer to the location in which to copy the generated key.

It copies the key into the array that result points to. This is an time-expensive operation as it needs to obtain truly random numbers.

Returns


Definition at line 153 of file stack/include/security.h

emberSwitchNetworkKeyHandler#

void emberSwitchNetworkKeyHandler (uint8_t sequenceNumber)

Inform the application that the Network Key has been updated and the node has been switched over to use the new key. The actual key being used is not passed up, but the sequence number is.

Parameters
N/AsequenceNumber

The sequence number of the new network key.


Definition at line 162 of file stack/include/security.h

emberRequestLinkKey#

EmberStatus emberRequestLinkKey (EmberEUI64 partner)

Request a Link Key from the Trust Center with another device device on the Network (which could be the Trust Center). A Link Key with the Trust Center is possible but the requesting device can't be the Trust Center. Link Keys are optional in ZigBee Standard Security. Therefore, the stack can't know whether the other device supports them.

Parameters
N/Apartner

The IEEE address of the partner device. If NULL is passed in, the Trust Center IEEE Address is assumed.

If the partner device is the Trust Center, only that device needs to request the key. The Trust Center will immediately respond to those requests and send the key back to the device.

If the partner device is not the Trust Center, both devices must request an Application Link Key with each other. The requests will be sent to the Trust Center for it to answer. The Trust Center will store the first request and wait EMBER_REQUEST_KEY_TIMEOUT for the second request to be received. The Trust Center only supports one outstanding Application key request at a time and therefore will ignore other requests that are not associated with the first request.

Sleepy devices should poll at a higher rate until a response is received or the request times out.

The success or failure of the request is returned via ::emberZigbeeKeyEstablishmentHandler(...)

Returns

  • EMBER_SUCCESS if the call succeeds, or EMBER_NO_BUFFERS.


Definition at line 193 of file stack/include/security.h

emberUpdateTcLinkKey#

EmberStatus emberUpdateTcLinkKey (uint8_t maxAttempts)

Request a new link link key from the Trust Center. This function starts by sending a Node Descriptor request to the Trust Center to verify its R21+ stack version compliance. A Request Key message will then be sent, followed by a Verify Key Confirm message.

Parameters
N/AmaxAttempts

The maximum number of attempts a node should make when sending the Node Decriptor, Request Key, and Verify Key Confirm messages. The number of attempts resets for each message type sent (e.g., if maxAttempts is 3, up to 3 Node Descriptors are sent, up to 3 Request Keys, and up to 3 Verify Key Confirm messages are sent).

Returns

  • EMBER_ERR_FATAL is the Security Core Library is not included. EMBER_INVALID_CALL if already requesting a key from TC, not on network, or if local node is Trust Center. EMBER_SECURITY_CONFIGURATION_INVALID if the Trust Center's EUI is unknown. Otherwise, the return status from sending the initial Node Descriptor is returned.


Definition at line 213 of file stack/include/security.h

emberZigbeeKeyEstablishmentHandler#

void emberZigbeeKeyEstablishmentHandler (EmberEUI64 partner, EmberKeyStatus status)

Notify the application about the status of the request for a Link Key. The application should define EMBER_APPLICATION_HAS_ZIGBEE_KEY_ESTABLISHMENT_HANDLER to implement its own handler.

Parameters
N/Apartner

The IEEE address of the partner device or all zeros if the Key establishment failed.

N/Astatus

The status of the key establishment.


Definition at line 224 of file stack/include/security.h

emberFindKeyTableEntry#

uint8_t emberFindKeyTableEntry (EmberEUI64 address, bool linkKey)

Search the key table to find an entry matching the specified IEEE address and key type.

Parameters
N/Aaddress

The IEEE Address of the partner device that shares the key. To find the first empty entry, pass in an address of all zeros.

N/AlinkKey

A bool indicating whether to search for an entry containing a Link or Master Key.

Returns

  • The index that matches the search criteria, or 0xFF if no matching entry was found.


Definition at line 237 of file stack/include/security.h

emberEraseKeyTableEntry#

EmberStatus emberEraseKeyTableEntry (uint8_t index)

Clear a single entry in the key table.

Parameters
N/Aindex

The index in the key table of the entry to erase.

Returns


Definition at line 248 of file stack/include/security.h

emberClearKeyTable#

EmberStatus emberClearKeyTable (void )

Clear the key table of the current network.

Parameters
N/A

Returns


Definition at line 256 of file stack/include/security.h

emberStopWritingStackTokens#

EmberStatus emberStopWritingStackTokens (void )

Suppress normal write operations of the stack tokens. This is only done in rare circumstances when the device already has network parameters but needs to conditionally rejoin a network in order to perform a security message exchange (i.e., key establishment). If the network is not authenticated properly, it needs to forget any stack data it used and return to the old network. By suppressing writing of the stack tokens the device will not have stored any persistent data about the network and a reboot will clear the RAM copies. The Smart Energy profile feature Trust Center Swap-out uses this to securely replace the Trust Center and re-authenticate to it.

Parameters
N/A

Returns


Definition at line 272 of file stack/include/security.h

emberStartWritingStackTokens#

EmberStatus emberStartWritingStackTokens (void )

Immediately write the value of stack tokens and then resume normal network operation by writing the stack tokens at appropriate intervals or changes in state. It has no effect unless a previous call was made to emberStopWritingStackTokens().

Parameters
N/A

Returns


Definition at line 284 of file stack/include/security.h

emberWritingStackTokensEnabled#

bool emberWritingStackTokensEnabled (void )

Determine whether stack tokens will be written to persistent storage when they change. By default, it is set to true meaning the stack will update its internal tokens via HAL calls when the associated RAM values change.

Parameters
N/A

Returns

  • True if the device will update the persistent storage for tokens when values in RAM change. False otherwise.


Definition at line 294 of file stack/include/security.h

emberApsCryptMessage#

EmberStatus emberApsCryptMessage (bool encrypt, EmberMessageBuffer * buffer, uint8_t apsHeaderEndIndex, EmberEUI64 remoteEui64)

Perform APS encryption/decryption of messages directly. Normally, the stack handles all APS encryption/decryption automatically and there is no need to call this function. If APS data is sent or received via some other means (such as over interpan), APS encryption/decryption must be done manually. If the decryption is performed, the Auxiliary security header and MIC will be removed from the message. If encrypting, the auxiliary header and MIC will be added to the message. This is only available on SOC platforms.

Parameters
N/Aencrypt

A bool indicating whether perform encryption (true) or decryption (false).

N/Abuffer

An EmberMessageBuffer containing the APS frame to decrypt or encrypt.

N/AapsHeaderEndIndex

The index in the buffer where the APS header ends. If encryption is being performed, this should point to the APS payload, where an Auxiliary header will be inserted. If decryption is being performed, this should point to the start of the Auxiliary header frame.

N/AremoteEui64

the ::EmberEUI64 of the remote device the message was received from (decryption) or being sent to (encryption).

Returns


Definition at line 323 of file stack/include/security.h

emberGetMfgSecurityConfig#

EmberStatus emberGetMfgSecurityConfig (EmberMfgSecurityStruct * settings)

Retrieve the security configuration stored in manufacturing tokens. It is only available on the 35x series. See emberSetMfgSecurityConfig() for more details.

Parameters
N/Asettings

A pointer to the EmberMfgSecurityStruct variable that will contain the returned data.

Returns


Definition at line 338 of file stack/include/security.h

emberSetMfgSecurityConfig#

EmberStatus emberSetMfgSecurityConfig (uint32_t magicNumber, const EmberMfgSecurityStruct * settings)

Set the security configuration to be stored in manufacturing tokens. It is only available on the 35x series. This API must be called with care. Once set, a manufacturing token CANNOT BE UNSET without using the ISA3 tools and connecting the chip via JTAG. Additionally, a chip with read protection enabled cannot have its configuration changed without a full chip erase. Therefore, this provides a way to disallow access to the keys at runtime that cannot be undone.

Parameters
N/AmagicNumber

A 32-bit value that must correspond to EMBER_MFG_SECURITY_CONFIG_MAGIC_NUMBER, otherwise EMBER_INVALID_CALL will be returned.

N/Asettings

The security settings that are intended to be set by the application and written to manufacturing token.

To call this API, the magic number must be passed in corresponding to EMBER_MFG_SECURITY_CONFIG_MAGIC_NUMBER. This prevents accidental calls to this function when emberGetMfgSecurityConfig() was actually intended.

This function will disable external access to the actual key data used for decryption/encryption outside the stack. Attempts to export the key will return the metadata if applicable (e.g., sequence number, associated EUI64, frame counters) but the key value may be modified, see below.

The stack always has access to the actual key data.

If the EmberKeySettings within the EmberMfgSecurityStruct are set to EMBER_KEY_PERMISSIONS_NONE, the key value will be set to zero when sl_zb_sec_man_export_key() or similar functions are called. If the EmberKeySettings within the EmberMfgSecurityStruct are set to EMBER_KEY_PERMISSIONS_HASHING_ALLOWED, the AES-MMO hash of the key will replace the actual key data when calls to functions like sl_zb_sec_man_export_key() are made. If the EmberKeySettings within the EmberMfgSecurityStruct are set to EMBER_KEY_PERMISSIONS_READING_ALLOWED, the actual key data is returned. This is the default value of the token.

Returns


Definition at line 384 of file stack/include/security.h

emberSetOutgoingNwkFrameCounter#

EmberStatus emberSetOutgoingNwkFrameCounter (uint32_t desiredValue)

Set the NWK layer outgoing frame counter (intended for device restoration purposes). Caveats:

Parameters
N/AdesiredValue

The desired outgoing NWK frame counter value. This needs to be less than MAX_INT32U_VALUE to ensure that rollover does not occur on the next encrypted transmission.

  • Can only be called before NetworkInit / FormNetwork / JoinNetwork, when emberNetworkState()==EMBER_NO_NETWORK.

  • This function should be called before emberSetInitialSecurityState, and the EMBER_NO_FRAME_COUNTER_RESET bitmask should be added to the initial security bitmask when ::emberSetInitialSecuritState is called.

  • If used in multi-network context, emberSetCurrentNetwork() must be called prior to calling this function.

Returns


Definition at line 406 of file stack/include/security.h

emberSetOutgoingApsFrameCounter#

EmberStatus emberSetOutgoingApsFrameCounter (uint32_t desiredValue)

Set the APS layer outgoing frame counter for Trust Center Link Key (intended for device restoration purposes). Caveats:

Parameters
N/AdesiredValue

The desired outgoing APS frame counter value. This needs to be less than MAX_INT32U_VALUE to ensure that rollover does not occur on the next encrypted transmission.

  • Can only be called before NetworkInit / FormNetwork / JoinNetwork, when emberNetworkState()==EMBER_NO_NETWORK.

  • This function should be called before emberSetInitialSecurityState, and the EMBER_NO_FRAME_COUNTER_RESET bitmask should be added to the initial security bitmask when ::emberSetInitialSecuritState is called.

  • If used in multi-network context, call emberSetCurrentNetwork() prior to calling this function.

Returns


Definition at line 431 of file stack/include/security.h

emberClearTransientLinkKeys#

void emberClearTransientLinkKeys (void )

Clear all transient link keys from RAM.

Parameters
N/A

Definition at line 441 of file stack/include/security.h

emberHmacAesHash#

void emberHmacAesHash (const uint8_t * key, const uint8_t * data, uint8_t dataLength, uint8_t * result)
Parameters
N/Akey
N/Adata
N/AdataLength
N/Aresult

Definition at line 459 of file stack/include/security.h

emberGetRejoinMode#

EmberApsRejoinMode emberGetRejoinMode (void )
Parameters
N/A

Definition at line 471 of file stack/include/security.h

emberSetRejoinMode#

void emberSetRejoinMode (EmberApsRejoinMode mode)
Parameters
N/Amode

Definition at line 482 of file stack/include/security.h

emberGetSecurityFrameCounter#

uint32_t emberGetSecurityFrameCounter (void )
Parameters
N/A

Definition at line 485 of file stack/include/security.h

emberGetApsFrameCounter#

uint32_t emberGetApsFrameCounter (void )
Parameters
N/A

Definition at line 486 of file stack/include/security.h

emberGetIncomingTcLinkKeyFrameCounter#

uint32_t emberGetIncomingTcLinkKeyFrameCounter (void )
Parameters
N/A

Definition at line 487 of file stack/include/security.h

emberSetIncomingTcLinkKeyFrameCounter#

void emberSetIncomingTcLinkKeyFrameCounter (uint32_t frameCounter)
Parameters
N/AframeCounter

Definition at line 488 of file stack/include/security.h