Common stuff for all my devices' web server pages: css, login, log, ipv4, ipv6, firmware update, clock, reset info etc.

Dependents: oldheating gps motorhome heating

Security

A password has to be set whenever there has been a software reset. Resets following faults or power on do not require a new password as the hash is restored from the RTC GPREG register.

The password is not saved on the device; instead a 32-bit hash of the password is saved. It would take 2^31 attempts to brute force the password: this could be done in under a month if an attempt were possible every millisecond. To prevent this, a 200 ms delay is introduced in the reply to the login form, which gives a more reasonable 13 years to brute force the password.

Once the password is accepted a random session id is created. This is 36 bits, to give six base 64 characters, but without an extra delay. If an attempt could be made every ms then this would still take over a year to brute force.
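
The session id scheme described above, shown as an added example that is not this library's code: 36 random bits become six characters, and a Cookie header is searched for an exact match. The URL-safe base 64 alphabet, the cookie name `sid` used in the comments and all function names are assumptions; the 36 random bits are supplied by the caller.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define SESSION_ID_LEN 6   /* 36 bits / 6 bits per base 64 character */

/* Assumption: URL-safe alphabet; the page does not say which one is used. */
static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

/* Encode the low 36 bits of rnd as six characters, most significant first. */
void session_id_encode(uint64_t rnd, char out[SESSION_ID_LEN + 1])
{
    for (int i = 0; i < SESSION_ID_LEN; i++)
        out[i] = B64[(rnd >> (6 * (SESSION_ID_LEN - 1 - i))) & 0x3F];
    out[SESSION_ID_LEN] = '\0';
}

/* Compare all six characters with no early exit, so the response time
   does not depend on how many leading characters matched. */
static bool ids_equal(const char *a, const char *b)
{
    unsigned char diff = 0;
    for (int i = 0; i < SESSION_ID_LEN; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Scan a Cookie header value such as "theme=dark; sid=XXXXXX" for name=id. */
bool cookies_contain_session(const char *cookies, const char *name, const char *id)
{
    size_t nlen = strlen(name);
    /* No session issued yet (empty id) must never match an empty cookie. */
    if (cookies == NULL || strlen(id) != SESSION_ID_LEN) return false;
    for (const char *p = cookies; *p; ) {
        while (*p == ' ' || *p == ';') p++;             /* skip separators */
        const char *end = strchr(p, ';');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == nlen + 1 + SESSION_ID_LEN &&         /* exactly name=id */
            strncmp(p, name, nlen) == 0 && p[nlen] == '=' &&
            ids_equal(p + nlen + 1, id))
            return true;
        p += len;
    }
    return false;
}
```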

The most likely attack would be to use a dictionary with, say, 10 million entries against the password, which would still take 20 days to do.
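
One way to hold password checks to one per 200 ms no matter how many connections submit the login form, given as an added example rather than this library's code. `LoginGate`, `login_gate_allow` and `simulate_admitted` are hypothetical names, and the millisecond tick is assumed to come from a free-running 32-bit timer.

```c
#include <stdbool.h>
#include <stdint.h>

#define LOGIN_SPACING_MS 200u            /* the delay quoted in the text */

typedef struct {
    uint32_t lastMs;                     /* tick of the last admitted check */
    bool     used;                       /* false until the first check */
} LoginGate;

/* True if a password check may run at tick nowMs. Unsigned subtraction
   keeps the elapsed time correct when the 32-bit tick wraps. */
bool login_gate_allow(LoginGate *g, uint32_t nowMs)
{
    if (g->used && (uint32_t)(nowMs - g->lastMs) < LOGIN_SPACING_MS)
        return false;                    /* too soon: answer without checking */
    g->lastMs = nowMs;
    g->used = true;
    return true;
}

/* Constructed load: `clients` connections each submit one guess per
   millisecond for windowMs, starting at tick startMs. Returns how many
   guesses actually reached the password check. */
unsigned simulate_admitted(unsigned clients, uint32_t startMs, uint32_t windowMs)
{
    LoginGate g = { 0, false };
    unsigned admitted = 0;
    for (uint32_t t = 0; t < windowMs; t++)
        for (unsigned c = 0; c < clients; c++)
            if (login_gate_allow(&g, startMs + t))
                admitted++;
    return admitted;
}
```

Because the gate is shared, the number of checks per second stays at five whether one connection or many are submitting, which is the rate the 13 year and 20 day figures assume.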

Committer: andrewboyson
Date: Tue Apr 30 12:45:08 2019 +0000
Revision: 110:8ab752842d25
Child: 114:900e33dfa460
Tidied. About to rename to web.

Who changed what in which revision?

User  Revision  Line number  New contents of line
andrewboyson 110:8ab752842d25 1 #include <stdint.h>
andrewboyson 110:8ab752842d25 2 #include <stdbool.h>
andrewboyson 110:8ab752842d25 3
andrewboyson 110:8ab752842d25 4 extern void WebLoginHtml (void);
andrewboyson 110:8ab752842d25 5 extern void WebLoginQuery (char* pQuery);
andrewboyson 110:8ab752842d25 6 extern bool WebLoginQueryPasswordOk;
andrewboyson 110:8ab752842d25 7 extern int WebLoginOriginalToDo;
andrewboyson 110:8ab752842d25 8 extern bool WebLoginCookiesContainValidSessionId(char* pCookies);
andrewboyson 110:8ab752842d25 9 extern char* WebLoginSessionNameGet(void);
andrewboyson 110:8ab752842d25 10 extern int WebLoginSessionNameLife(void);
andrewboyson 110:8ab752842d25 11 extern char* WebLoginSessionIdGet(void);
andrewboyson 110:8ab752842d25 12 extern void WebLoginSessionIdNew(void);
andrewboyson 110:8ab752842d25 13 extern bool WebLoginSessionIdIsSet(void);
andrewboyson 110:8ab752842d25 14 extern void WebLoginInit(void);
andrewboyson 110:8ab752842d25 15
andrewboyson 110:8ab752842d25 16 extern void WebFavicon (void);
andrewboyson 110:8ab752842d25 17 extern const char* WebFaviconDate;
andrewboyson 110:8ab752842d25 18 extern const char* WebFaviconTime;
andrewboyson 110:8ab752842d25 19 extern const int WebFaviconSize;
andrewboyson 110:8ab752842d25 20
andrewboyson 110:8ab752842d25 21 extern void WebBaseCss (void);
andrewboyson 110:8ab752842d25 22 extern const char* WebBaseCssDate;
andrewboyson 110:8ab752842d25 23 extern const char* WebBaseCssTime;
andrewboyson 110:8ab752842d25 24 extern void WebNavCss (void);
andrewboyson 110:8ab752842d25 25 extern const char* WebNavCssDate;
andrewboyson 110:8ab752842d25 26 extern const char* WebNavCssTime;
andrewboyson 110:8ab752842d25 27
andrewboyson 110:8ab752842d25 28 extern void WebClockHtml (void);
andrewboyson 110:8ab752842d25 29 extern void WebClockScript (void);
andrewboyson 110:8ab752842d25 30 extern const char* WebClockScriptDate;
andrewboyson 110:8ab752842d25 31 extern const char* WebClockScriptTime;
andrewboyson 110:8ab752842d25 32 extern void WebClockAjax (void);
andrewboyson 110:8ab752842d25 33 extern void WebClockQuery (char* pQuery);
andrewboyson 110:8ab752842d25 34
andrewboyson 110:8ab752842d25 35 extern void WebLogHtml (void);
andrewboyson 110:8ab752842d25 36 extern void WebLogQuery (char* pQuery);
andrewboyson 110:8ab752842d25 37
andrewboyson 110:8ab752842d25 38 extern void WebTraceHtml (void);
andrewboyson 110:8ab752842d25 39 extern void WebTraceScript (void);
andrewboyson 110:8ab752842d25 40 extern const char* WebTraceScriptDate;
andrewboyson 110:8ab752842d25 41 extern const char* WebTraceScriptTime;
andrewboyson 110:8ab752842d25 42 extern void WebTraceAjax (void);
andrewboyson 110:8ab752842d25 43 extern void WebTraceQuery (char* pQuery);
andrewboyson 110:8ab752842d25 44
andrewboyson 110:8ab752842d25 45 extern void WebNetHtml (void);
andrewboyson 110:8ab752842d25 46 extern void WebNet4Html (void);
andrewboyson 110:8ab752842d25 47 extern void WebNet4Script (void);
andrewboyson 110:8ab752842d25 48 extern const char* WebNet4ScriptDate;
andrewboyson 110:8ab752842d25 49 extern const char* WebNet4ScriptTime;
andrewboyson 110:8ab752842d25 50 extern void WebNet4Ajax (void);
andrewboyson 110:8ab752842d25 51 extern void WebNet6Html (void);
andrewboyson 110:8ab752842d25 52 extern void WebNet6Script (void);
andrewboyson 110:8ab752842d25 53 extern const char* WebNet6ScriptDate;
andrewboyson 110:8ab752842d25 54 extern const char* WebNet6ScriptTime;
andrewboyson 110:8ab752842d25 55 extern void WebNet6Ajax (void);
andrewboyson 110:8ab752842d25 56
andrewboyson 110:8ab752842d25 57 extern void WebFaultHtml (void);
andrewboyson 110:8ab752842d25 58 extern void WebFaultQuery (char* pQuery);
andrewboyson 110:8ab752842d25 59
andrewboyson 110:8ab752842d25 60 extern void WebFirmwareHtml (void);
andrewboyson 110:8ab752842d25 61 extern void WebFirmwareScript(void);
andrewboyson 110:8ab752842d25 62 extern const char* WebFirmwareScriptDate;
andrewboyson 110:8ab752842d25 63 extern const char* WebFirmwareScriptTime;
andrewboyson 110:8ab752842d25 64 extern void WebFirmwareQuery (char* pQuery);
andrewboyson 110:8ab752842d25 65 extern int WebFirmwareTargetLength;
andrewboyson 110:8ab752842d25 66 extern int WebFirmwareActualLength;
andrewboyson 110:8ab752842d25 67 extern char* WebFirmwareFileName;
andrewboyson 110:8ab752842d25 68 extern void WebFirmwarePost (int contentLength, int contentStart, int size, char* pRequestStream, uint32_t positionInRequestStream, bool* pComplete);
andrewboyson 110:8ab752842d25 69 extern void WebFirmwareAjax (void);