Common stuff for all my devices' web server pages: css, login, log, ipv4, ipv6, firmware update, clock, reset info etc.

Dependents:   oldheating gps motorhome heating

Security

A password has to be set whenever there has been a software reset. Resets following faults or power on do not require a new password as the hash is restored from the RTC GPREG register.

The password is not saved on the device; instead a 32 bit hash of the password is saved. It would take 2^31 attempts to brute force the password: this could be done in under a month if an attempt were possible every millisecond. To prevent this a 200 ms delay is introduced in the reply to the login form, that gives a more reasonable 13 years to brute force the password.

Once the password is accepted a random session id is created. This is 36 bit to give six base 64 characters but without an extra delay. If an attempt could be made every ms then this would still take over a year to brute force.

The most likely attack would to use a dictionary with, say, 10 million entries against the password which would still take 20 days to do.

Committer:
andrewboyson
Date:
Fri May 03 10:36:38 2019 +0000
Revision:
115:24cb6e84ddd6
Parent:
114:900e33dfa460
Child:
149:24365666d28d
Changed firmware reset to call the new restart routine rather than directly calling the semihost reset.

Who changed what in which revision?

UserRevisionLine numberNew contents of line
andrewboyson 50:edd44fe9320f 1 'use strict';
andrewboyson 50:edd44fe9320f 2
andrewboyson 48:4e678727c4c9 3 var file;
andrewboyson 46:1822fdbe6c0c 4 var xhr;
andrewboyson 48:4e678727c4c9 5
andrewboyson 55:3d1e52e3e9b7 6 function logUpload(text)
andrewboyson 50:edd44fe9320f 7 {
andrewboyson 55:3d1e52e3e9b7 8 document.getElementById('uploadresult').textContent = text;
andrewboyson 50:edd44fe9320f 9 }
andrewboyson 55:3d1e52e3e9b7 10 function xhrUploadResponse()
andrewboyson 51:c605b2794b44 11 {
andrewboyson 51:c605b2794b44 12 var topics = xhr.responseText.split('\f');
andrewboyson 55:3d1e52e3e9b7 13 logUpload(topics[0]);
andrewboyson 51:c605b2794b44 14 if (topics.length > 1) document.getElementById('list').textContent = topics[1];
andrewboyson 51:c605b2794b44 15 }
andrewboyson 55:3d1e52e3e9b7 16 function xhrUploadOnLoad()
andrewboyson 46:1822fdbe6c0c 17 {
andrewboyson 55:3d1e52e3e9b7 18 if (xhr.status == 200) xhrUploadResponse();
andrewboyson 55:3d1e52e3e9b7 19 else logUpload('Upload failed');
andrewboyson 46:1822fdbe6c0c 20 }
andrewboyson 55:3d1e52e3e9b7 21 function xhrUploadOnError()
andrewboyson 46:1822fdbe6c0c 22 {
andrewboyson 55:3d1e52e3e9b7 23 logUpload('Upload error');
andrewboyson 46:1822fdbe6c0c 24 }
andrewboyson 55:3d1e52e3e9b7 25 function xhrUploadStart()
andrewboyson 48:4e678727c4c9 26 {
andrewboyson 55:3d1e52e3e9b7 27 logUpload('Uploading...');
andrewboyson 48:4e678727c4c9 28
andrewboyson 48:4e678727c4c9 29 xhr = new XMLHttpRequest();
andrewboyson 48:4e678727c4c9 30
andrewboyson 55:3d1e52e3e9b7 31 xhr.onload = xhrUploadOnLoad;
andrewboyson 55:3d1e52e3e9b7 32 xhr.onerror = xhrUploadOnError;
andrewboyson 48:4e678727c4c9 33
andrewboyson 53:27d56a22a450 34 xhr.open('POST', '/firmware-ajax'); //Defaults to async=true
andrewboyson 48:4e678727c4c9 35 xhr.send(file);
andrewboyson 48:4e678727c4c9 36 }
andrewboyson 48:4e678727c4c9 37
andrewboyson 46:1822fdbe6c0c 38 function startUpload()
andrewboyson 46:1822fdbe6c0c 39 {
andrewboyson 46:1822fdbe6c0c 40 var fileInput = document.getElementById('fileInput');
andrewboyson 46:1822fdbe6c0c 41
andrewboyson 46:1822fdbe6c0c 42 if (fileInput.files.length == 0)
andrewboyson 46:1822fdbe6c0c 43 {
andrewboyson 55:3d1e52e3e9b7 44 logUpload('Please choose a file');
andrewboyson 46:1822fdbe6c0c 45 return;
andrewboyson 46:1822fdbe6c0c 46 }
andrewboyson 46:1822fdbe6c0c 47
andrewboyson 46:1822fdbe6c0c 48 if (fileInput.files.length > 1)
andrewboyson 46:1822fdbe6c0c 49 {
andrewboyson 55:3d1e52e3e9b7 50 logUpload('Please choose just one file');
andrewboyson 46:1822fdbe6c0c 51 return;
andrewboyson 46:1822fdbe6c0c 52 }
andrewboyson 48:4e678727c4c9 53
andrewboyson 48:4e678727c4c9 54 file = fileInput.files[0];
andrewboyson 47:cf7d4c34158e 55
andrewboyson 55:3d1e52e3e9b7 56 xhrUploadStart();
andrewboyson 55:3d1e52e3e9b7 57 }
andrewboyson 55:3d1e52e3e9b7 58 function logRestart(text)
andrewboyson 55:3d1e52e3e9b7 59 {
andrewboyson 55:3d1e52e3e9b7 60 document.getElementById('restartresult').textContent = text;
andrewboyson 55:3d1e52e3e9b7 61 }
andrewboyson 55:3d1e52e3e9b7 62 function redirect()
andrewboyson 55:3d1e52e3e9b7 63 {
andrewboyson 55:3d1e52e3e9b7 64 location.href = '/firmware';
andrewboyson 55:3d1e52e3e9b7 65 }
andrewboyson 55:3d1e52e3e9b7 66 function xhrRestartOnLoad()
andrewboyson 55:3d1e52e3e9b7 67 {
andrewboyson 55:3d1e52e3e9b7 68 if (xhr.status == 200) logRestart('Restart should never have returned');
andrewboyson 55:3d1e52e3e9b7 69 else logRestart('Restart failed');
andrewboyson 48:4e678727c4c9 70 }
andrewboyson 55:3d1e52e3e9b7 71 function xhrRestartStart()
andrewboyson 55:3d1e52e3e9b7 72 {
andrewboyson 55:3d1e52e3e9b7 73 logRestart('Restarting...');
andrewboyson 55:3d1e52e3e9b7 74
andrewboyson 55:3d1e52e3e9b7 75 xhr = new XMLHttpRequest();
andrewboyson 55:3d1e52e3e9b7 76
andrewboyson 55:3d1e52e3e9b7 77 xhr.onload = xhrRestartOnLoad;
andrewboyson 55:3d1e52e3e9b7 78
andrewboyson 55:3d1e52e3e9b7 79 xhr.open('GET', '/firmware-ajax?restart='); //Defaults to async=true
andrewboyson 55:3d1e52e3e9b7 80 xhr.send();
andrewboyson 55:3d1e52e3e9b7 81
andrewboyson 55:3d1e52e3e9b7 82 setTimeout(redirect, 2000);
andrewboyson 55:3d1e52e3e9b7 83 }
andrewboyson 55:3d1e52e3e9b7 84 function restart()
andrewboyson 55:3d1e52e3e9b7 85 {
andrewboyson 55:3d1e52e3e9b7 86 xhrRestartStart();
andrewboyson 55:3d1e52e3e9b7 87 }
andrewboyson 114:900e33dfa460 88