KNX-IOT-STACK-doxygen/oc__knx__sec_8h_source.html

 /*

 // Copyright (c) 2021-2023 Cascoda Ltd

 //

 // Licensed under the Apache License, Version 2.0 (the "License");

 // you may not use this file except in compliance with the License.

 // You may obtain a copy of the License at

 //

 //      http://www.apache.org/licenses/LICENSE-2.0

 //

 // Unless required by applicable law or agreed to in writing, software

 // distributed under the License is distributed on an "AS IS" BASIS,

 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

 // See the License for the specific language governing permissions and

 // limitations under the License.

 */

 #ifndef OC_KNX_SEC_INTERNAL_H

 #define OC_KNX_SEC_INTERNAL_H


 #include <stddef.h>


 #include "oc_ri.h"


 #ifdef __cplusplus

 extern "C" {

 #endif


 typedef enum {

   OC_PROFILE_UNKNOWN = 0,

   OC_PROFILE_COAP_DTLS = 1,

   OC_PROFILE_COAP_OSCORE = 2,

   OC_PROFILE_COAP_TLS =

     254,

   OC_PROFILE_COAP_PASE = 255

 } oc_at_profile_t;


 oc_at_profile_t oc_string_to_at_profile(oc_string_t str);


 char *oc_at_profile_to_string(oc_at_profile_t at_profile);


 typedef struct oc_auth_at_t

 {

   oc_string_t id;

   oc_interface_mask_t scope;

   oc_at_profile_t

     profile;

   oc_string_t aud;

   oc_string_t sub;

   oc_string_t kid;

   oc_string_t osc_version;

   oc_string_t osc_ms;

   uint8_t osc_hkdf;

   uint8_t osc_alg;

   oc_string_t

     osc_salt;

   oc_string_t osc_contextid;

   oc_string_t osc_id;

   oc_string_t

     osc_rid;

   int nbf;

   int ga_len;

   int64_t *ga;

 } oc_auth_at_t;


 int oc_core_get_at_table_size();


 int oc_core_set_at_table(size_t device_index, int index, oc_auth_at_t entry,

                          bool store);


 int oc_core_find_at_entry_with_context_id(size_t device_index,

                                           char *context_id);


 int oc_core_find_at_entry_with_osc_id(size_t device_index, uint8_t *osc_id,

                                       size_t osc_id_len);


 int oc_core_find_at_entry_empty_slot(size_t device_index);


 void oc_oscore_set_auth_mac(char *client_senderid, int client_senderid_size,

                             char *clientrecipient_id,

                             int clientrecipient_id_size, uint8_t *shared_key,

                             int shared_key_size);


 void oc_oscore_set_auth_device(char *client_senderid, int client_senderid_size,

                                char *clientrecipient_id,

                                int clientrecipient_id_size, uint8_t *shared_key,

                                int shared_key_size);


 oc_auth_at_t *oc_get_auth_at_entry(size_t device_index, int index);


 void oc_print_auth_at_entry(size_t device_index, int index);


 void oc_delete_at_table(size_t device_index);


 void oc_reset_at_table(size_t device_index, int erase_code);


 int oc_at_delete_entry(size_t device_index, int index);


 uint64_t oc_oscore_get_rplwdo();


 uint64_t oc_oscore_get_osndelay();


 void oc_create_knx_sec_resources(size_t device);


 void oc_init_oscore(size_t device_index);


 void oc_init_oscore_from_storage(size_t device_index, bool from_storage);


 bool oc_knx_contains_interface(oc_interface_mask_t at_interface,

                                oc_interface_mask_t resource_interface);


 bool oc_if_method_allowed_according_to_mask(oc_interface_mask_t iface_mask,

                                             oc_method_t method);


 bool oc_knx_sec_check_acl(oc_method_t method, const oc_resource_t *resource,

                           oc_endpoint_t *endpoint);


 #ifdef __cplusplus

 }

 #endif


 #endif /* OC_KNX_SEC_INTERNAL_H */

oc_knx_sec_check_acl
bool oc_knx_sec_check_acl(oc_method_t method, const oc_resource_t *resource, oc_endpoint_t *endpoint)
check access control based on acl and resource interfaces

oc_get_auth_at_entry
oc_auth_at_t * oc_get_auth_at_entry(size_t device_index, int index)
retrieve auth/at entry

oc_core_get_at_table_size
int oc_core_get_at_table_size()
returns the size (amount of total entries) of the auth/at table

oc_oscore_set_auth_mac
void oc_oscore_set_auth_mac(char *client_senderid, int client_senderid_size, char *clientrecipient_id, int clientrecipient_id_size, uint8_t *shared_key, int shared_key_size)
set shared (SPAKE) key to the auth at table, on the Management Client side

oc_at_delete_entry
int oc_at_delete_entry(size_t device_index, int index)
delete the /auth/at table entry

oc_core_find_at_entry_with_osc_id
int oc_core_find_at_entry_with_osc_id(size_t device_index, uint8_t *osc_id, size_t osc_id_len)
Find an entry with a given OSCORE ID.

oc_init_oscore
void oc_init_oscore(size_t device_index)
initialize OSCORE for the device

oc_at_profile_t
oc_at_profile_t
The token profiles see section 3.5.4.2 Access Token Resource Object.
Definition: oc_knx_sec.h:36

OC_PROFILE_COAP_PASE
@ OC_PROFILE_COAP_PASE
"coap_pase" [OSCORE] with PASE credentials
Definition: oc_knx_sec.h:42

OC_PROFILE_UNKNOWN
@ OC_PROFILE_UNKNOWN
unknown profile
Definition: oc_knx_sec.h:37

OC_PROFILE_COAP_TLS
@ OC_PROFILE_COAP_TLS
coap_tls" [OSCORE] for [X.509] certificates with TLS
Definition: oc_knx_sec.h:40

OC_PROFILE_COAP_OSCORE
@ OC_PROFILE_COAP_OSCORE
"coap_oscore"
Definition: oc_knx_sec.h:39

OC_PROFILE_COAP_DTLS
@ OC_PROFILE_COAP_DTLS
"coap_dtls"
Definition: oc_knx_sec.h:38

oc_core_find_at_entry_with_context_id
int oc_core_find_at_entry_with_context_id(size_t device_index, char *context_id)
find the entry with context_id as id

oc_at_profile_to_string
char * oc_at_profile_to_string(oc_at_profile_t at_profile)
access token profile to string

oc_create_knx_sec_resources
void oc_create_knx_sec_resources(size_t device)
Creation of the KNX security resources.

oc_init_oscore_from_storage
void oc_init_oscore_from_storage(size_t device_index, bool from_storage)
initialize OSCORE for the device

oc_core_set_at_table
int oc_core_set_at_table(size_t device_index, int index, oc_auth_at_t entry, bool store)
set an entry in the auth/at table

oc_print_auth_at_entry
void oc_print_auth_at_entry(size_t device_index, int index)
print the auth/at entry

oc_core_find_at_entry_empty_slot
int oc_core_find_at_entry_empty_slot(size_t device_index)
find empty slot

oc_if_method_allowed_according_to_mask
bool oc_if_method_allowed_according_to_mask(oc_interface_mask_t iface_mask, oc_method_t method)
is the method allowed according to the interface mask

oc_oscore_get_osndelay
uint64_t oc_oscore_get_osndelay()
retrieve the oscore sequence number delay value

oc_oscore_get_rplwdo
uint64_t oc_oscore_get_rplwdo()
retrieve the replay window

oc_reset_at_table
void oc_reset_at_table(size_t device_index, int erase_code)
reset the /auth/at table will be used in reset of the device erase_code:

oc_auth_at_t
struct oc_auth_at_t oc_auth_at_t
Access Token (at) Information payload for a unicast message Example(JSON):

oc_string_to_at_profile
oc_at_profile_t oc_string_to_at_profile(oc_string_t str)
string to access token profile

oc_oscore_set_auth_device
void oc_oscore_set_auth_device(char *client_senderid, int client_senderid_size, char *clientrecipient_id, int clientrecipient_id_size, uint8_t *shared_key, int shared_key_size)
set shared (SPAKE) key to the auth at table, on the Device side

oc_knx_contains_interface
bool oc_knx_contains_interface(oc_interface_mask_t at_interface, oc_interface_mask_t resource_interface)
function to check if the at_interface is listed in the resource interfaces

oc_delete_at_table
void oc_delete_at_table(size_t device_index)
delete the /auth/at table will be used in reset of the device

oc_ri.h
resource internals

oc_method_t
oc_method_t
CoAP methods.
Definition: oc_ri.h:124

oc_interface_mask_t
oc_interface_mask_t
interface masks security access scopes defined as interfaces note that scope = 1 is not used.
Definition: oc_ri.h:261

oc_auth_at_t
Access Token (at) Information payload for a unicast message Example(JSON):
Definition: oc_knx_sec.h:132

oc_auth_at_t::osc_alg
uint8_t osc_alg
(18:4:4) OSCORE cnf:osc:alg (optional- not used) default: decimal value 10
Definition: oc_knx_sec.h:144

oc_auth_at_t::osc_salt
oc_string_t osc_salt
(18:4:5) OSCORE cnf:osc:salt (optional) empty string
Definition: oc_knx_sec.h:147

oc_auth_at_t::kid
oc_string_t kid
(8:2) DTLS (not used) cnf:kid
Definition: oc_knx_sec.h:139

oc_auth_at_t::ga_len
int ga_len
length of the group addresses (ga) in the scope
Definition: oc_knx_sec.h:156

oc_auth_at_t::osc_hkdf
uint8_t osc_hkdf
(18:4:3) OSCORE cnf:osc:hkdf (optional-not used) (decimal value)
Definition: oc_knx_sec.h:142

oc_auth_at_t::osc_id
oc_string_t osc_id
(18:4:0) OSCORE cnf:osc:id (used as SID & KID) (byte string), max 7 bytes
Definition: oc_knx_sec.h:151

oc_auth_at_t::id
oc_string_t id
(0) auth/at/{id}, encoding: HEX
Definition: oc_knx_sec.h:133

oc_auth_at_t::osc_rid
oc_string_t osc_rid
(18:4:7) OSCORE cnf:osc:rid (recipient ID) (byte string)
Definition: oc_knx_sec.h:154

oc_auth_at_t::nbf
int nbf
token not valid before (optional)
Definition: oc_knx_sec.h:155

oc_auth_at_t::profile
oc_at_profile_t profile
(38) "coap_oscore" or "coap_dtls", only oscore implemented
Definition: oc_knx_sec.h:136

oc_auth_at_t::osc_ms
oc_string_t osc_ms
(18:4:2) OSCORE cnf:osc:ms (byte string)
Definition: oc_knx_sec.h:141

oc_auth_at_t::ga
int64_t * ga
(scope) array of group addresses, for the group objects in the scope, int64_t for framing arrays
Definition: oc_knx_sec.h:157

oc_auth_at_t::scope
oc_interface_mask_t scope
(9) the scope (interfaces)
Definition: oc_knx_sec.h:134

oc_auth_at_t::aud
oc_string_t aud
not used anymore, references
Definition: oc_knx_sec.h:137

oc_auth_at_t::osc_version
oc_string_t osc_version
(18:4:1) OSCORE cnf:osc:version (optional)
Definition: oc_knx_sec.h:140

oc_auth_at_t::sub
oc_string_t sub
(2) DTLS (not used) 2 sub
Definition: oc_knx_sec.h:138

oc_auth_at_t::osc_contextid
oc_string_t osc_contextid
(18:4:6) OSCORE cnf:osc:contextid used as "kid_context" (byte string, 6 bytes)
Definition: oc_knx_sec.h:148

oc_endpoint_t
the endpoint information
Definition: oc_endpoint.h:78

oc_resource_s
resource structure
Definition: oc_ri.h:482