Andrew Boyson / web

Common stuff for all my devices' web server pages: css, login, log, ipv4, ipv6, firmware update, clock, reset info etc.

Dependents:   oldheating gps motorhome heating

Security

A password has to be set whenever there has been a software reset. Resets following faults or power on do not require a new password as the hash is restored from the RTC GPREG register.

The password is not saved on the device; instead a 32 bit hash of the password is saved. It would take 2^31 attempts to brute force the password: this could be done in under a month if an attempt were possible every millisecond. To prevent this a 200 ms delay is introduced in the reply to the login form, that gives a more reasonable 13 years to brute force the password.

Once the password is accepted a random session id is created. This is 36 bit to give six base 64 characters but without an extra delay. If an attempt could be made every ms then this would still take over a year to brute force.

The most likely attack would to use a dictionary with, say, 10 million entries against the password which would still take 20 days to do.

http/http.h@130:9a5b8fe308f1, 2019-09-24 (annotated)

Committer:
andrewboyson
Date:
Tue Sep 24 18:16:47 2019 +0000
Revision:
130:9a5b8fe308f1
Child:
135:c1490f7e95be
Added http

Who changed what in which revision?

UserRevisionLine numberNew contents of line
andrewboyson 130:9a5b8fe308f1 1 #include <stdbool.h>
andrewboyson 130:9a5b8fe308f1 2 #include <stdarg.h>
andrewboyson 130:9a5b8fe308f1 3 #include <stdint.h>
andrewboyson 130:9a5b8fe308f1 4 #include <time.h>
andrewboyson 130:9a5b8fe308f1 5
andrewboyson 130:9a5b8fe308f1 6 #define HTTP_WAIT 0
andrewboyson 130:9a5b8fe308f1 7 #define HTTP_FINISHED 1
andrewboyson 130:9a5b8fe308f1 8 #define HTTP_HAVE_SOMETHING_TO_SEND 2
andrewboyson 130:9a5b8fe308f1 9
andrewboyson 130:9a5b8fe308f1 10 extern void HttpReset (int connectionId);
andrewboyson 130:9a5b8fe308f1 11 extern bool HttpResponse(int connectionId, bool clientFinished, int* pWindowSize, char* pWindow, uint32_t windowPositionInStream);
andrewboyson 130:9a5b8fe308f1 12 extern bool HttpAdd (int connectionId, int* pWindowSize, char* pWindow, uint32_t windowPositionInStream); //returns true if finished; false if not
andrewboyson 130:9a5b8fe308f1 13 extern int HttpPoll (int connectionId, bool clientFinished); //returns true if something to send; false if not
andrewboyson 130:9a5b8fe308f1 14 extern void HttpRequest (int connectionId, int windowSize, char* pWindow, uint32_t windowPositionInStream);
andrewboyson 130:9a5b8fe308f1 15
andrewboyson 130:9a5b8fe308f1 16 extern bool HttpGetTrace(void);
andrewboyson 130:9a5b8fe308f1 17
andrewboyson 130:9a5b8fe308f1 18 extern void HttpAddStart (uint32_t position, int mss, char *pData);
andrewboyson 130:9a5b8fe308f1 19 extern int HttpAddLength (void);
andrewboyson 130:9a5b8fe308f1 20 extern bool HttpAddFilled (void);
andrewboyson 130:9a5b8fe308f1 21
andrewboyson 130:9a5b8fe308f1 22 extern void HttpAddChar (char c);
andrewboyson 130:9a5b8fe308f1 23 extern void HttpAddFillChar (char c, int length);
andrewboyson 130:9a5b8fe308f1 24 extern int HttpAddText (const char* text);
andrewboyson 130:9a5b8fe308f1 25 extern int HttpAddV (char *fmt, va_list argptr);
andrewboyson 130:9a5b8fe308f1 26 extern int HttpAddF (char *fmt, ...);
andrewboyson 130:9a5b8fe308f1 27 extern void HttpAddData (const char* data, int length);
andrewboyson 130:9a5b8fe308f1 28 extern void HttpAddStream (void (*startFunction)(void), int (*enumerateFunction)(void));
andrewboyson 130:9a5b8fe308f1 29 extern void HttpAddNibbleAsHex (int value);
andrewboyson 130:9a5b8fe308f1 30 extern void HttpAddByteAsHex (int value);
andrewboyson 130:9a5b8fe308f1 31 extern void HttpAddInt12AsHex (int value);
andrewboyson 130:9a5b8fe308f1 32 extern void HttpAddInt16AsHex (int value);
andrewboyson 130:9a5b8fe308f1 33 extern void HttpAddInt32AsHex (int value);
andrewboyson 130:9a5b8fe308f1 34 extern void HttpAddInt64AsHex (int64_t value);
andrewboyson 130:9a5b8fe308f1 35 extern void HttpAddBytesAsHex (const uint8_t* value, int size);
andrewboyson 130:9a5b8fe308f1 36 extern void HttpAddBytesAsHexRev(const uint8_t* value, int size);
andrewboyson 130:9a5b8fe308f1 37 extern void HttpAddTm (struct tm* ptm);
andrewboyson 130:9a5b8fe308f1 38
andrewboyson 130:9a5b8fe308f1 39 extern void HttpOk(const char* contentType, const char* cacheControl, const char* lastModifiedDate, const char* lastModifiedTime);
andrewboyson 130:9a5b8fe308f1 40 extern char* HttpOkCookieName;
andrewboyson 130:9a5b8fe308f1 41 extern char* HttpOkCookieValue;
andrewboyson 130:9a5b8fe308f1 42 extern int HttpOkCookieMaxAge;
andrewboyson 130:9a5b8fe308f1 43
andrewboyson 130:9a5b8fe308f1 44 extern void HttpNotFound (void);
andrewboyson 130:9a5b8fe308f1 45 extern void HttpNotModified (void);
andrewboyson 130:9a5b8fe308f1 46
andrewboyson 130:9a5b8fe308f1 47 extern int HttpRequestRead(char *p, int len, char** ppMethod, char** ppPath, char** ppQuery, char** ppLastModified, char** ppCookies, int* pContentLength);
andrewboyson 130:9a5b8fe308f1 48
andrewboyson 130:9a5b8fe308f1 49 extern char* HttpCookiesSplit (char* pCookies, char** ppName, char** ppValue);
andrewboyson 130:9a5b8fe308f1 50 extern char* HttpQuerySplit (char* pQuery, char** ppName, char** ppValue);
andrewboyson 130:9a5b8fe308f1 51 extern int HttpQueryValueAsInt(char* pValue);
andrewboyson 130:9a5b8fe308f1 52 extern void HttpQueryUnencode (char* pValue);
andrewboyson 130:9a5b8fe308f1 53
andrewboyson 130:9a5b8fe308f1 54 extern void HttpDateFromDateTime(const char* date, const char *ptime, char* ptext);
andrewboyson 130:9a5b8fe308f1 55 extern void HttpDateFromNow(char* pText);
andrewboyson 130:9a5b8fe308f1 56
andrewboyson 130:9a5b8fe308f1 57 extern bool HttpSameStr (const char* pa, const char* pb);
andrewboyson 130:9a5b8fe308f1 58 extern bool HttpSameStrCaseInsensitive(const char* pa, const char* pb);
andrewboyson 130:9a5b8fe308f1 59 extern bool HttpSameDate (const char* date, const char* time, const char* pOtherDate);
andrewboyson 130:9a5b8fe308f1 60
andrewboyson 130:9a5b8fe308f1 61 #define HTTP_DATE_LENGTH 30
andrewboyson 130:9a5b8fe308f1 62