Common stuff for all my devices' web server pages: css, login, log, ipv4, ipv6, firmware update, clock, reset info etc.

Dependents:   oldheating gps motorhome heating

Security

A password has to be set whenever there has been a software reset. Resets following faults or power on do not require a new password as the hash is restored from the RTC GPREG register.

The password is not saved on the device; instead a 32-bit hash of the password is saved. It would take 2^31 attempts to brute force the password, which could be done in under a month if an attempt were possible every millisecond. To prevent this a 200 ms delay is introduced in the reply to the login form, which (assuming attempts are serialised behind that delay) gives a more reasonable 13 years to brute force the password.

Once the password is accepted a random session id is created. This is 36-bit, giving six base-64 characters, and is checked without an extra delay. If an attempt could be made every ms it would still take over a year to brute force.

The most likely attack would be to use a dictionary of, say, 10 million entries against the password, which would still take 20 days.

Committer:
andrewboyson
Date:
Wed Mar 11 16:00:21 2020 +0000
Revision:
133:98c6bf14bc37
Parent:
132:5b2df69a4f17
Child:
147:ea6f647725a1
Added more fields to TCP connections

andrewboyson 110:8ab752842d25 1 #include "http.h"
andrewboyson 110:8ab752842d25 2 #include "web.h"
andrewboyson 110:8ab752842d25 3 #include "web-pages-base.h"
andrewboyson 110:8ab752842d25 4
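/* Request identifiers handled by this module.
 *
 * They are offset from DO_BASE (defined in a header, presumably
 * web-pages-base.h) so that a dependent project can place its own pages
 * above this range without colliding with these. Each value is
 * parenthesised so that it expands safely inside a larger expression
 * (e.g. `2 * DO_FAVICON` or a comparison) rather than as `DO_BASE + 1`. */
#define DO_FAVICON         (DO_BASE + 1)
#define DO_BASE_CSS        (DO_BASE + 2)
#define DO_NAV_CSS         (DO_BASE + 3)
#define DO_CLOCK_HTML      (DO_BASE + 4)
#define DO_CLOCK_AJAX      (DO_BASE + 5)
#define DO_CLOCK_SCRIPT    (DO_BASE + 6)
#define DO_NET_HTML        (DO_BASE + 7)
#define DO_NET_AJAX        (DO_BASE + 8)
#define DO_NET_SCRIPT      (DO_BASE + 9)
#define DO_NET4_HTML       (DO_BASE + 10)
#define DO_NET4_AJAX       (DO_BASE + 11)
#define DO_NET4_SCRIPT     (DO_BASE + 12)
#define DO_NET6_HTML       (DO_BASE + 13)
#define DO_NET6_AJAX       (DO_BASE + 14)
#define DO_NET6_SCRIPT     (DO_BASE + 15)
#define DO_TRACE_HTML      (DO_BASE + 16)
#define DO_TRACE_AJAX      (DO_BASE + 17)
#define DO_TRACE_SCRIPT    (DO_BASE + 18)
#define DO_LOG_HTML        (DO_BASE + 19)
#define DO_RESET_HTML      (DO_BASE + 20)
#define DO_FIRMWARE_HTML   (DO_BASE + 21)
#define DO_FIRMWARE_AJAX   (DO_BASE + 22)
#define DO_FIRMWARE_SCRIPT (DO_BASE + 23)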
andrewboyson 110:8ab752842d25 28
/* Maps a request path to the DO_* action this module handles.
 *
 * pPath         - request path, compared exactly against the known pages.
 * pLastModified - the request's If-Modified-Since value. For the static
 *                 resources (icon, style sheets, scripts) it is compared
 *                 with the resource's build date/time and DO_NOT_MODIFIED is
 *                 returned when they agree, so the client keeps its cached
 *                 copy. Dynamic pages ignore it.
 *
 * Returns DO_NOT_FOUND when the path is not one of this module's pages.
 * Note that "/settings.css" is served by the Nav css handler. */
int WebServerBaseDecideWhatToDo(char *pPath, char* pLastModified)
{
    /* Dynamic pages and ajax endpoints: the path alone decides. */
    static const struct { const char *path; int todo; } pages[] =
    {
        { "/clock",         DO_CLOCK_HTML    },
        { "/clock-ajax",    DO_CLOCK_AJAX    },
        { "/net",           DO_NET_HTML      },
        { "/net-ajax",      DO_NET_AJAX      },
        { "/net4",          DO_NET4_HTML     },
        { "/net4-ajax",     DO_NET4_AJAX     },
        { "/net6",          DO_NET6_HTML     },
        { "/net6-ajax",     DO_NET6_AJAX     },
        { "/log",           DO_LOG_HTML      },
        { "/trace",         DO_TRACE_HTML    },
        { "/trace-ajax",    DO_TRACE_AJAX    },
        { "/reset",         DO_RESET_HTML    },
        { "/firmware",      DO_FIRMWARE_HTML },
        { "/firmware-ajax", DO_FIRMWARE_AJAX },
    };
    const unsigned pageCount = sizeof pages / sizeof pages[0];
    for (unsigned i = 0; i < pageCount; i++)
    {
        if (HttpSameStr(pPath, pages[i].path)) return pages[i].todo;
    }

    /* Static resources: honour If-Modified-Since so unchanged files are not resent. */
    int  todo      = DO_NOT_FOUND;
    bool unchanged = false;
    if      (HttpSameStr(pPath, "/favicon.ico" )) { todo = DO_FAVICON;         unchanged = HttpSameDate(WebFaviconDate,        WebFaviconTime,        pLastModified); }
    else if (HttpSameStr(pPath, "/base.css"    )) { todo = DO_BASE_CSS;        unchanged = HttpSameDate(WebBaseCssDate,        WebBaseCssTime,        pLastModified); }
    else if (HttpSameStr(pPath, "/settings.css")) { todo = DO_NAV_CSS;         unchanged = HttpSameDate(WebNavCssDate,         WebNavCssTime,         pLastModified); }
    else if (HttpSameStr(pPath, "/net.js"      )) { todo = DO_NET_SCRIPT;      unchanged = HttpSameDate(WebNetScriptDate,      WebNetScriptTime,      pLastModified); }
    else if (HttpSameStr(pPath, "/net4.js"     )) { todo = DO_NET4_SCRIPT;     unchanged = HttpSameDate(WebNet4ScriptDate,     WebNet4ScriptTime,     pLastModified); }
    else if (HttpSameStr(pPath, "/net6.js"     )) { todo = DO_NET6_SCRIPT;     unchanged = HttpSameDate(WebNet6ScriptDate,     WebNet6ScriptTime,     pLastModified); }
    else if (HttpSameStr(pPath, "/trace.js"    )) { todo = DO_TRACE_SCRIPT;    unchanged = HttpSameDate(WebTraceScriptDate,    WebTraceScriptTime,    pLastModified); }
    else if (HttpSameStr(pPath, "/clock.js"    )) { todo = DO_CLOCK_SCRIPT;    unchanged = HttpSameDate(WebClockScriptDate,    WebClockScriptTime,    pLastModified); }
    else if (HttpSameStr(pPath, "/firmware.js" )) { todo = DO_FIRMWARE_SCRIPT; unchanged = HttpSameDate(WebFirmwareScriptDate, WebFirmwareScriptTime, pLastModified); }
    else return DO_NOT_FOUND;

    return unchanged ? DO_NOT_MODIFIED : todo;
}
andrewboyson 110:8ab752842d25 58
/* Forwards the request's query string to the page that owns it.
 *
 * todo   - the DO_* value chosen by WebServerBaseDecideWhatToDo.
 * pQuery - the raw query string from the request.
 *
 * Returns true when one of this module's pages consumed the query,
 * false when todo is not one of them.
 *
 * NOTE(review): no login/session check is visible in this file before the
 * reset and firmware queries are dispatched; presumably the caller has
 * already authenticated the request - confirm. */
bool WebServerBaseHandleQuery(int todo, char* pQuery)
{
    switch (todo)
    {
        case DO_TRACE_AJAX:
            WebTraceQuery(pQuery);
            break;

        /* The clock page and its ajax endpoint share one query handler. */
        case DO_CLOCK_AJAX:
        case DO_CLOCK_HTML:
            WebClockQuery(pQuery);
            break;

        case DO_LOG_HTML:
            WebLogQuery(pQuery);
            break;

        case DO_RESET_HTML:
            WebResetQuery(pQuery);
            break;

        /* Likewise the firmware page and its ajax endpoint. */
        case DO_FIRMWARE_HTML:
        case DO_FIRMWARE_AJAX:
            WebFirmwareQuery(pQuery);
            break;

        default:
            return false;
    }
    return true;
}
/* Hands a POST body to the page that accepts one.
 *
 * Only the firmware ajax endpoint accepts POST data in this module; the
 * stream parameters are passed straight through to WebFirmwarePost, which
 * is expected to set *pComplete when it has consumed the whole body.
 *
 * Returns true when the post was handled here, false otherwise.
 *
 * NOTE(review): as with the query handler, no session check is visible in
 * this file before a firmware upload is accepted - presumably done by the
 * caller; confirm. */
bool WebServerBasePost(int todo, int contentLength, int contentStart, int size, char* pRequestStream, uint32_t positionInRequestStream, bool* pComplete)
{
    if (todo != DO_FIRMWARE_AJAX) return false;

    WebFirmwarePost(contentLength, contentStart, size, pRequestStream, positionInRequestStream, pComplete);
    return true;
}
/* Sends the reply for one of this module's pages or resources.
 *
 * todo - the DO_* value chosen by WebServerBaseDecideWhatToDo.
 *
 * Returns true when a reply was generated here, false when todo belongs
 * to some other module (the caller then tries its own pages). */
bool WebServerBaseReply(int todo)
{
    switch (todo)
    {
        /* Static resources. */
        case DO_FAVICON:         WebFavicon();        break;
        case DO_BASE_CSS:        WebBaseCss();        break;
        case DO_NAV_CSS:         WebNavCss();         break;
        case DO_CLOCK_SCRIPT:    WebClockScript();    break;
        case DO_NET_SCRIPT:      WebNetScript();      break;
        case DO_NET4_SCRIPT:     WebNet4Script();     break;
        case DO_NET6_SCRIPT:     WebNet6Script();     break;
        case DO_TRACE_SCRIPT:    WebTraceScript();    break;
        case DO_FIRMWARE_SCRIPT: WebFirmwareScript(); break;

        /* Pages. */
        case DO_CLOCK_HTML:      WebClockHtml();      break;
        case DO_NET_HTML:        WebNetHtml();        break;
        case DO_NET4_HTML:       WebNet4Html();       break;
        case DO_NET6_HTML:       WebNet6Html();       break;
        case DO_TRACE_HTML:      WebTraceHtml();      break;
        case DO_LOG_HTML:        WebLogHtml();        break;
        case DO_RESET_HTML:      WebResetHtml();      break;
        case DO_FIRMWARE_HTML:   WebFirmwareHtml();   break;

        /* Ajax endpoints. */
        case DO_CLOCK_AJAX:      WebClockAjax();      break;
        case DO_NET_AJAX:        WebNetAjax();        break;
        case DO_NET4_AJAX:       WebNet4Ajax();       break;
        case DO_NET6_AJAX:       WebNet6Ajax();       break;
        case DO_TRACE_AJAX:      WebTraceAjax();      break;
        case DO_FIRMWARE_AJAX:   WebFirmwareAjax();   break;

        default:
            return false;
    }
    return true;
}