Security functions

The ZDO Security functions are used to set up network security (at the ‘standard’ level), including the keys used in the encryption/decryption of network communications.

The functions are listed below.

Function page

  1. ZPS_vAplSecSetInitialSecurityState

  2. ZPS_eAplZdoTransportNwkKey

  3. ZPS_eAplZdoSwitchKeyReq

  4. ZPS_eAplZdoRequestKeyReq

  5. ZPS_eAplZdoAddReplaceLinkKey

  6. ZPS_eAplZdoAddReplaceInstallCodes

  7. ZPS_eAplZdoRemoveLinkKey

  8. ZPS_eAplZdoRemoveDeviceReq

  9. ZPS_eAplZdoSetDevicePermission

  10. ZPS_bAplZdoTrustCenterSetDevicePermissions

  11. ZPS_bAplZdoTrustCenterGetDevicePermissions

  12. ZPS_bAplZdoTrustCenterRemoveDevice

  13. ZPS_vTcInitFlash

  14. ZPS_vSetTCLockDownOverride

  15. ZPS_psGetActiveKey

  16. ZPS_vTCSetCallback

Note:

  1. Before using the above functions on a node, security must be enabled on the node via the device parameter Security Enabled in the ZPS Configuration Editor (security is enabled by default).

  2. Enabling security also enables many-to-one routing toward the Trust Centre, which then becomes a network concentrator. You must set the maximum number of nodes to be serviced by the Trust Centre using its network parameter Route Record Table Size in the ZPS Configuration Editor (the default number is 4).

  3. Many of the security settings and keys that are set up using the above functions can alternatively be pre-configured via the ZPS Configuration Editor.

Parent topic:Security functions

ZPS_vAplSecSetInitialSecurityState

ZPS_teStatus ZPS_vAplSecSetInitialSecurityState(
    ZPS_teZdoNwkKeyState eState,
    uint8 *pu8Key,
    uint8 u8KeySeqNum
    ZPS_teApsLinkKeyType eKeyType);

Description

This function is used to configure the initial state of ZigBee security on the local node. This requires a security key to be specified that is used in setting up network-level security.

Note: Before using this function, security must be enabled on the node via the device parameter Security Enabled in the ZPS Configuration Editor.

You must provide a pointer to an initial link key of one of the following types:

  • Pre-configured global link key

  • Pre-configured unique link key

These key types are described in Section 6.8.2. The network key randomly generated by the Trust Centre is communicated to the local node in encrypted form using the specified link key.

Parameters

  • eState: The state of the link key, one of:

    • ZPS_ZDO_PRECONFIGURED_LINK_KEY

    • ZPS_ZDO_ZLL_LINK_KEY

  • pu8Key: Pointer to pre-configured link key

  • u8KeySeqNum: Not used when specifying a link key - ignore this parameter

  • eKeyType: Type of link key, one of:

    • ZPS_APS_UNIQUE_LINK_KEY

    • ZPS_APS_GLOBAL_LINK_KEY

Parent topic:ZPS_vAplSecSetInitialSecurityState

Returns

  • ZPS_E_SUCCESS (security state successfully initialized)

  • APS return codes, listed and described in Section 11.2.2

  • NWK return codes, listed and described in Section 11.2.3

  • MAC return codes, listed and described in Section 11.2.4

Parent topic:ZPS_vAplSecSetInitialSecurityState

Parent topic:Security functions

ZPS_eAplZdoTransportNwkKey

ZPS\_teStatus ZPS\_eAplZdoTransportNwkKey\(
   uint8 u8DstAddrMode,
   ZPS\_tuAddress uDstAddress,
   uint8 au8Key[ZPS_SEC_KEY_LENGTH],
   uint8 u8KeySeqNum,
   bool bUseParent,
   uint64 u64ParentAddr);

Description

This function can be used on the Trust Centre to send the network key to one or multiple nodes. On reaching the target node(s), the key is only stored but can be subsequently designated the active network key using the function ZPS_eAplZdoSwitchKeyReq().

The target node can be specified by means of its network address or IEEE/MAC address. A broadcast to multiple nodes in the network can be achieved by specifying a special network address or IEEE/MAC address - see Section 9.3.

If the destination is a single node, it is possible to send the key to the parent of the destination node.

Note: This function also resets the frame counter on the target node(s).

Parent topic:ZPS_eAplZdoTransportNwkKey

Parameters

  • u8DstAddrMode Type of destination address:

    • ZPS_E_ADDR_MODE_SHORT - 16-bit network address.

    • ZPS_E_ADDR_MODE_IEEE - 64-bit IEEE/MAC address.

    • All other values are reserved.

  • uDstAddress: Destination address (address type as specified through u8DstAddrMode) - special broadcast addresses are detailed in Section 9.3

  • au8Key[]: Array containing the network key to be transported. This array has a length equal to ZPS_SEC_KEY_LENGTH

  • u8KeySeqNum: Sequence number of the specified key

  • bUseParent: Indicates whether to send key to parent of target node:

    • TRUE - send to parent

    • FALSE - do not send to parent

  • u64ParentAddr: 64-bit IEEE/MAC address of parent (if used).

Parent topic:ZPS_eAplZdoTransportNwkKey

Returns

  • ZPS_E_SUCCESS (key successfully sent)

  • APS return codes, listed and described in Section 11.2.2

  • NWK return codes, listed and described in Section 11.2.3

  • MAC return codes, listed and described in Section 11.2.4

Parent topic:ZPS_eAplZdoTransportNwkKey

Parent topic:Security functions

ZPS_eAplZdoSwitchKeyReq

ZPS_teStatus ZPS_eAplZdoSwitchKeyReq(
         uint8 u8DstAddrMode,
         ZPS_tuAddress uDstAddress,
         uint8 u8KeySeqNum);

Description

This function can be used (normally by the Trust Centre) to request one or multiple nodes to switch to a different active network key. The new network key is specified using its unique sequence number and the key must have been pre-loaded into the target node(s) using the function ZPS_eAplZdoTransportNwkKey() or ZPS_eAplZdoRequestKeyReq().

The target node can be specified by means of its network address or IEEE/MAC address. A broadcast to multiple nodes in the network can be achieved by specifying a special network address or IEEE/MAC address - see Section 9.3.

Parent topic:ZPS_eAplZdoSwitchKeyReq

Parameters

  • u8DstAddrMode Type of destination address:

    • ZPS_E_ADDR_MODE_SHORT - 16-bit network address.

    • ZPS_E_ADDR_MODE_IEEE - 64-bit IEEE/MAC address.

    • All other values are reserved.

  • uDstAddress Destination address (address type as specified through u8DstAddrMode) - special broadcast addresses are detailed in Section 9.3.

  • u8KeySeqNum Sequence number of new network key to adopt.

Parent topic:ZPS_eAplZdoSwitchKeyReq

Returns

  • ZPS_E_SUCCESS (request successfully sent)

  • APS return codes, listed and described in Section 11.2.2

  • NWK return codes, listed and described in Section 11.2.3

  • MAC return codes, listed and described in Section 11.2.4

Parent topic:ZPS_eAplZdoSwitchKeyReq

Parent topic:Security functions

ZPS_eAplZdoRequestKeyReq

ZPS_teStatus ZPS_eAplZdoRequestKeyReq(
                    uint8 u8KeyType,
                    uint64 u64IeeePartnerAddr);

Description

This function can be used to request a link key from the Trust Centre for application-level security. The possible key types that can be requested are:

  • Application link key: This key is used to encrypt/decrypt communications with another ‘partner node’. The IEEE/MAC address of this partner node must be specified as part of the function call. The Trust Centre responds by sending the application link key to both the local node and the partner node. When it arrives, the stack automatically saves this key. Also, the event ZPS_EVENT_ZDO_LINK_KEY is generated once the link key has been installed and is ready for use.

  • Trust Centre Link Key (TCLK): This key is used to encrypt/decrypt communications between the Trust Centre and the local node. The Trust Centre responds by sending the TCLK to the requesting node.

While requesting a TCLK, the function parameter u64IeeePartnerAddris ignored.

For more information on requesting link keys, refer to Section 6.8.3.2.

Parent topic:ZPS_eAplZdoRequestKeyReq

Parameters

  • u8KeyType Type of key to request:

    • 2 - application link key

    • 4 - Trust Centre Link Key (TCLK)

    • All other values reserved

  • u64IeeePartnerAddr IEEE/MAC address of partner node (for application link key)

Parent topic:ZPS_eAplZdoRequestKeyReq

Returns

  • ZPS_E_SUCCESS (request successfully sent)

  • APS return codes, listed and described in Section 11.2.2

  • NWK return codes, listed and described in Section 11.2.3

  • MAC return codes, listed and described in Section 11.2.4

Parent topic:ZPS_eAplZdoRequestKeyReq

Parent topic:Security functions

ZPS_eAplZdoAddReplaceLinkKey

ZPS_teStatus ZPS_eAplZdoAddReplaceLinkKey(
                        uint64 u64IeeeAddr,
                        uint8 au8Key[ZPS_SEC_KEY_LENGTH],
                        ZPS_teApsLinkKeyType eKeyType);

Description

This function can be used to introduce or replace the application link key on the local node, where this key is used to encrypt and decrypt communications with the specified ‘partner node’. If an application link key already exists, then it is replaced.

The function must be called on both the local node and the partner node. Note that the Trust Centre’s record of the application link key for this pair of nodes remains unchanged.

If the JCU Non-Volatile Memory Manager (NVM) module is enabled, this function also saves the application link key to Non-Volatile Memory. This allows the key to be automatically recovered during a subsequent cold start (for example, following a power failure).

The eKeyType parameter of this function can be used to specify ‘unique’ or ‘global’. This does not relate to the type of key being added or replaced, which is always a unique key.

  • Setting this parameter to ‘unique’ means that the node only ever uses the unique key.

  • Setting the parameter to ‘global’ means that the node uses the unique key, where appropriate, and also the pre-configured global link key, where appropriate. For example, the global key would be used when another node joins the network via the local node.

Parent topic:ZPS_eAplZdoAddReplaceLinkKey

Parameters

  • u64IeeeAddr: 64-bit IEEE/MAC address of partner node for which the specified link key is valid.

  • au8Key[]: Array containing the link key to be added/replaced. This array has a length equal to ZPS_SEC_KEY_LENGTH.

  • eKeyType: Type of the key to be used by the node (see above), one of the below:

    • ZPS_APS_UNIQUE_LINK_KEY, or

    • ZPS_APS_GLOBAL_LINK_KEY.

Parent topic:ZPS_eAplZdoAddReplaceLinkKey

Returns

  • ZPS_E_SUCCESS (link key successfully installed)

  • APS return codes, listed and described in Section 11.2.2

  • NWK return codes, listed and described in Section 11.2.3

  • MAC return codes, listed and described in Section 11.2.4

Parent topic:ZPS_eAplZdoAddReplaceLinkKey

Parent topic:Security functions

ZPS_eAplZdoAddReplaceInstallCodes

ZPS_teStatus ZPS_eAplZdoAddReplaceInstallCodes(
        uint64 u64IeeeAddr,
        uint8 au8InstallCode[ZPS_INSTALL_CODE_LENGTH],
        uint8 u8InstallCodeSize,
        ZPS_teApsLinkKeyType eKeyType);

Description

This function can be used on the Trust Centre to generate a pre-configured unique link key from an install code, where this key is used to encrypt and decrypt communications between the Trust Centre and the specified node (install codes are described in the ZigBee Devices User Guide (JNUG3131)). If a pre-configured link key already exists for the node then it will be replaced.

The function must be called on the Trust Centre only. The other node will have the relevant pre-configured unique link key factory-installed.

If the JCU Non-Volatile Memory Manager (NVM) module is enabled, this function also saves the link key to Non-Volatile Memory. This allows the key to be automatically recovered during a subsequent cold start (for example, following a power failure).

The eKeyTypeparameter of this function can be used to specify ‘unique’ or ‘global’. This does not relate to the type of key being added or replaced, which is always a unique key.

  • Setting this parameter to ‘unique’ means that the Trust Centre only, ever uses the unique key with this node.

  • Setting the parameter to ‘global’ means that the Trust Centre uses the pre-configured global link key (if available) when there is no unique link key for the node.

Parent topic:ZPS_eAplZdoAddReplaceInstallCodes

Parameters

  • u64IeeeAddr 64-bit IEEE/MAC address of node for which the generated link key is valid.

  • au8InstallCode[] Array containing the install code - the array length ZPS_INSTALL_CODE_LENGTH is given below in u8InstallCodeSize.

  • u8InstallCodeSize Number of characters in the install code - this is the size of the array au8InstallCode[].

  • eKeyType Type of the key to be used by the node (see above), one of the below:

    • ZPS_APS_UNIQUE_LINK_KEY

    • ZPS_APS_GLOBAL_LINK_KEY

Parent topic:ZPS_eAplZdoAddReplaceInstallCodes

Returns

  • ZPS_E_SUCCESS (permissions successfully obtained)

  • APS return codes, listed and described in Section 11.2.2

  • NWK return codes, listed and described in Section 11.2.3

  • MAC return codes, listed and described in Section 11.2.4

Parent topic:ZPS_eAplZdoAddReplaceInstallCodes

Parent topic:Security functions

ZPS_eAplZdoRemoveLinkKey

ZPS_teStatus ZPS_eAplZdoRemoveLinkKey(
                    uint64 u64IeeeAddr);

Description

This function can be used to remove the current application link key that is used to encrypt and decrypt communications between the local node and the specified ‘partner node’.

The function must be called on both the local node and the partner node. Note that the Trust Centre’s record of the application link key for this pair of nodes remains unchanged.

In the absence of an application link key, communications between these nodes is subsequently secured using the network key.

Parent topic:ZPS_eAplZdoRemoveLinkKey

Parameters

u64IeeeAddr: 64-bit IEEE/MAC address of partner node for which the link key is to be removed.

Parent topic:ZPS_eAplZdoRemoveLinkKey

Returns

  • ZPS_E_SUCCESS (permissions successfully removed)

  • APS return codes, listed and described in Section 11.2.2

  • NWK return codes, listed and described in Section 11.2.3

  • MAC return codes, listed and described in Section 11.2.4

Parent topic:ZPS_eAplZdoRemoveLinkKey

Parent topic:Security functions

ZPS_eAplZdoRemoveDeviceReq

ZPS_teStatus ZPS_eAplZdoRemoveDeviceReq(
                    uint64 u64ParentAddr,
                    uint64 u64ChildAddr);

Description

This function can be used (normally by the Coordinator/Trust Centre) to request another node (such as a Router) to remove one of its children from the network (for example, if the child node does not satisfy security requirements).

The Router receiving this request ignores the request unless it has originated from the Trust Centre or is a request to remove itself. If the request was sent without APS layer encryption, the device ignores the request. If APS layer security is not in use, the alternative function ZPS_eAplZdoLeaveNetwork() should be used.

Parent topic:ZPS_eAplZdoRemoveDeviceReq

Parameters

  • u64ParentAddr 64-bit IEEE/MAC address of parent to be instructed.

  • u64ChildAddr 64-bit IEEE/MAC address of child node to be removed.

Parent topic:ZPS_eAplZdoRemoveDeviceReq

Returns

  • ZPS_E_SUCCESS (request successfully sent)

  • APS return codes, listed and described in Section 11.2.2

  • NWK return codes, listed and described in Section 11.2.3

  • MAC return codes, listed and described in Section 11.2.4

Parent topic:ZPS_eAplZdoRemoveDeviceReq

Parent topic:Security functions

ZPS_eAplZdoSetDevicePermission

void ZPS_eAplZdoSetDevicePermission(
        ZPS_teDevicePermissions u8DevicePermissions);

Description

This function can be used on any device to set the permissions for certain requests from other nodes. The possible settings are:

  • Allow all requests from all other nodes (ALL_PERMITED)

  • Do not allow join requests from all other nodes (JOIN_DISALLOWED)

  • Do not allow data requests from all other nodes (DATA_REQUEST_DISALLOWED)

The function is particularly useful in disabling the generation of APS (end-to-end) acknowledgments, using DATA_REQUEST_DISALLOWED.

Parent topic:ZPS_eAplZdoSetDevicePermission

Parameters

u8DevicePermissions: Bitmap of permissions to be set, constructed using the following enumerations:

  • ZPS_DEVICE_PERMISSIONS_ALL_PERMITED

  • ZPS_DEVICE_PERMISSIONS_JOIN_DISALLOWED

  • ZPS_DEVICE_PERMISSIONS_DATA_REQUEST_DISALLOWED

Parent topic:ZPS_eAplZdoSetDevicePermission

Returns

  • ZPS_E_SUCCESS (permissions successfully set)

  • APS return codes, listed and described in Section 11.2.2

  • NWK return codes, listed and described in Section 11.2.3

  • MAC return codes, listed and described in Section 11.2.4

Parent topic:ZPS_eAplZdoSetDevicePermission

Parent topic:Security functions

ZPS_bAplZdoTrustCenterSetDevicePermissions

ZPS_teStatus
ZPS_bAplZdoTrustCenterSetDevicePermissions(
  uint64 u64DeviceAddr,
  ZPS_teTCDevicePermissions u8DevicePermissions);

Description

This function can be used by the Trust Centre to set the permissions for certain requests from a particular node. The possible settings are:

  • Allow all requests from the specified node (ALL_PERMITED)

  • Do not allow join requests from the specified node (JOIN_DISALLOWED)

  • Do not allow data requests from the specified node (DATA_REQUEST_DISALLOWED)

Parent topic:ZPS_bAplZdoTrustCenterSetDevicePermissions

Parameters

  • u64DeviceAddr: 64-bit IEEE/MAC address of node for which permissions are to be set

  • u8DevicePermissions: Bitmap of permissions to be set, constructed using the following enumerations:

    • ZPS_TRUST_CENTER_ALL_PERMITED

    • ZPS_TRUST_CENTER_JOIN_DISALLOWED

    • ZPS_TRUST_CENTER_DATA_REQUEST_DISALLOWED

Parent topic:ZPS_bAplZdoTrustCenterSetDevicePermissions

Returns

  • ZPS_E_SUCCESS (permissions successfully set)

  • APS return codes, listed and described in Section 11.2.2

  • NWK return codes, listed and described in Section 11.2.3

  • MAC return codes, listed and described in Section 11.2.4

Parent topic:ZPS_bAplZdoTrustCenterSetDevicePermissions

Parent topic:Security functions

ZPS_bAplZdoTrustCenterGetDevicePermissions

ZPS_teStatus
ZPS_bAplZdoTrustCenterGetDevicePermissions(
   uint64 u64DeviceAddr,
   ZPS_teTCDevicePermissions *pu8DevicePermissions);

Description

This function can be used by the Trust Centre to obtain its own permissions for certain requests from a particular node. The possible settings are:

  • Allow all requests from the specified node.

  • Do not allow join requests from the specified node.

  • Do not allow data requests from the specified node.

Parent topic:ZPS_bAplZdoTrustCenterGetDevicePermissions

Parameters

  • u64DeviceAddr: 64-bit IEEE/MAC address of node for which permissions are to be obtained.

  • pu8DevicePermissions: Pointer to bitmap containing permissions obtained, where:

    • 0 indicates all requests allowed.

    • 1 indicates join requests disallowed.

    • 2 indicates data requests disallowed.

    • 3 indicates data and join requests disallowed.

    • Higher bits are reserved for future use

Parent topic:ZPS_bAplZdoTrustCenterGetDevicePermissions

Returns

  • ZPS_E_SUCCESS (permissions successfully obtained)

  • APS return codes, listed and described in Section 11.2.2

  • NWK return codes, listed and described in Section 11.2.3

  • MAC return codes, listed and described in Section 11.2.4

Parent topic:ZPS_bAplZdoTrustCenterGetDevicePermissions

Parent topic:Security functions

ZPS_bAplZdoTrustCenterRemoveDevice

ZPS_teStatus ZPS_bAplZdoTrustCenterRemoveDevice(
                            uint64 u64DeviceAddr);

Description

This function can be used by the Trust Centre to delete a node in its information base.

Parent topic:ZPS_bAplZdoTrustCenterRemoveDevice

Parameters

u64DeviceAddr : It is the 64-bit IEEE/MAC address of the node to be removed from the list.

Parent topic:ZPS_bAplZdoTrustCenterRemoveDevice

Returns

  • ZPS_E_SUCCESS (node successfully removed from list)

  • APS return codes, listed and described in Section 11.2.2

  • NWK return codes, listed and described in Section 11.2.3

  • MAC return codes, listed and described in Section 11.2.4

Parent topic:ZPS_bAplZdoTrustCenterRemoveDevice

Parent topic:Security functions

ZPS_vTcInitFlash

void ZPS_vTcInitFlash(
    ZPS_tsAfFlashInfoSet *psFlashInfoSet,
    ZPS_TclkDescriptorEntry *psTclkStruct);

Description

This function can be used on the network Coordinator/Trust Centre to enable the persistent storage of the Trust Centre Link Keys (TCLKs) for all nodes in the network.

Each of these keys is a unique application-level link key for a node. The key is used to encrypt/decrypt communications between Trust Centre and the node during the commissioning of the node into the network (and is issued by the Trust Centre to replace the pre-configured unique link key).

The function allows these link keys to be stored in devices Flash memory.

  • Information about the Flash memory sector to be used to store the link keys is specified in a ZPS_tsAfFlashInfoSetstructure.

  • Information about an individual link key is stored in RAM in a read-only ZPS_TclkDescriptorEntrystructure, which is for internal use by the stack. An array of these structures must be allocated in RAM, with one element for each node in the network - for example, if there are up to 250 nodes in the network, the required allocation would be:

ZPS_TclkDescriptorEntry sData[250];

The application can determine at any time whether this feature is enabled by reading the Boolean variable bSetTclkFlashFeature, which reads as TRUE if the feature is enabled and as FALSE if it is disabled.

When a new Trust Centre Link Key has been negotiated for a node, the stack on the Trust Centre notifies the application by means of a ZPS_EVENT_TC_STATUS event. The application can discover the IEEE/MAC address of the corresponding node by calling ZPS_u64GetFlashMappedIeeeAddress() with the value of u16ExtAddrLkupfrom the key descriptor passed in the event.

Please note that when the key table is held in RAM, ZPS_u64NwkNibGetMappedIeeeAddr() would be called instead.

Parent topic:ZPS_vTcInitFlash

Parameters

  • psFlashInfoSet Pointer to a structure containing information about the Flash memory sector to be used to store the link keys for the network nodes (see Section 8.2.3.8)

  • psTclkStruct Pointer to a structure in RAM that is used to hold information about the storage of one link key in Flash memory (see Section 8.2.3.9)

Parent topic:ZPS_vTcInitFlash

Returns

None

Parent topic:ZPS_vTcInitFlash

Parent topic:Security functions

ZPS_vSetTCLockDownOverride

void ZPS_vSetTCLockDownOverride(
    void* pvApl,
    bool_t u8RemoteOverride,
    bool_t bDisableAuthentications);

Description

This function can be called on the network Coordinator to disable Trust Centre functionality on the device.

The function provides two configuration options:

  • Allows remote devices to over-ride the Trust Centre policy.

  • Disables authentication of network joins (any transport key is also disabled).

Parent topic:ZPS_vSetTCLockDownOverride

Parameters

  • pvApl: Handle for the relevant Application layer instance.

  • u8RemoteOverride: Boolean specifying whether remote overrides of Trust Centre policy are to be permitted:

    • TRUE - Does not allow remote over-rides; stack does not allow the permit join remotely sent to change its local state.

    • FALSE - Allows remote over-rides; stack accepts permit join requests coming in and obeys them.

  • bDisableAuthentications: Boolean specifying whether network join authentications are to be disabled:

    • TRUE - Disable authentications

    • FALSE - Do not disable authentications

      When this flag is set to TRUE, permit join is not accepted remotely and the TC does not transport a key to any joiner.

Parent topic:ZPS_vSetTCLockDownOverride

Returns

None

Parent topic:ZPS_vSetTCLockDownOverride

Parent topic:Security functions

ZPS_psGetActiveKey

ZPS_tsAplApsKeyDescriptorEntry *ZPS_psGetActiveKey(
                                uint64 u64IeeeAddress,
                                uint32* pu32Index);

Description

This function can be used on the Trust Centre to obtain the Pre-configured Unique Link Key for the node with the specified IEEE/MAC address. The function searches the local Key Descriptor Table for an entry corresponding to the specified address. If it finds a relevant entry, it returns the entry as well as the index number of the entry in the table. The required key is in the returned table entry.

Parent topic:ZPS_psGetActiveKey

Parameters

  • u64IeeeAddress: IEEE/MAC address of the node of interest

  • pu32Index: Pointer to a location to receive the index number of the relevant Key Descriptor Table entry

Parent topic:ZPS_psGetActiveKey

Returns

Pointer to requested Key Descriptor Table entry (for structure, see Section 8.2.3.6).

Parent topic:ZPS_psGetActiveKey

Parent topic:Security functions

ZPS_vTCSetCallback

void ZPS_vTCSetCallback(void *pCallbackFn);

Description

This function can be used to register a user-defined callback function on the Trust Centre, where this callback function allows the application to react to a notification from another network node - for example, to decide whether to permit a node to join that may or may not be known to the Trust Centre application.

The prototype of the user-defined callback function is:

bool bTransportKeyDecider (uint16 u16ShortAddress,
                            uint64 u64DeviceAddress,
                            uint64 u64ParentAddress,
                            uint8 u8Status,
                            uint16 u16Interface);

where:

  • u16ShortAddr is the network address of the relevant node.

  • u64DeviceAddress is the IEEE/MAC address of the relevant node.

  • u64ParentAddress is the IEEE/MAC address of the parent that sent the notification.

  • u8Status is the nature of the notification:

    • 0: Secure rejoin

    • 1: Unsecure join (association)

    • 2: Leave

    • 3: Unsecure rejoin

    • 4: Leave with a rejoin

  • u16Interface is the MAC interface this join has happened on. If it is 2.4 G only the value is always 0. If it is a MultiMAC device 2.4 G interface, it will return value 0 and sub Gig will return value 1.

To disallow the notified action (for example, a join), the callback function should return FALSE.

If the callback function is not registered or returns TRUE, the Trust Centre will allow the notified action. In the case of a join, the Trust Centre will send the network key in a ‘transport key’ command to the node, either:

  • encrypted with the node’s pre-configured link key, if this key is known to the Trust Centre, or

  • encrypted with the Trust Centre’s default pre-configured link key otherwise (in this case, the joining node will only be able to decrypt the ‘transport key’ command and complete the join if it also has the Trust Centre’s default pre-configured link key)

Registration of this callback function may be useful in controlling rejoins. A node can initially join a network using its pre-configured link key (which is also known by the Trust Centre), but this key may subsequently be replaced on the Trust Centre by an application link key (shared only by the node and the Trust Centre). If the node later leaves the network and loses its context data (including the application link key), it may attempt to rejoin the network using its pre-configured link key again. The callback function can allow the application to decide whether to permit such a rejoin. If the rejoin is to be allowed, the callback function must replace the stored application link key with the pre-configured link key on the Trust Centre before returning TRUE.

Parent topic:ZPS_vTCSetCallback

Parameters

pCallbackFn Pointer to user-defined callback function.

Parent topic:ZPS_vTCSetCallback

Returns

None

Parent topic:ZPS_vTCSetCallback

Parent topic:Security functions

Parent topic:ZDO API functions