Common stuff for all my devices' web server pages: css, login, log, ipv4, ipv6, firmware update, clock, reset info etc.

Dependents:   oldheating gps motorhome heating

Security

A password has to be set whenever there has been a software reset. Resets following faults or power on do not require a new password as the hash is restored from the RTC GPREG register.

The password is not saved on the device; instead a 32 bit hash of the password is saved. It would take 2^31 attempts to brute force the password: this could be done in under a month if an attempt were possible every millisecond. To prevent this a 200 ms delay is introduced in the reply to the login form, that gives a more reasonable 13 years to brute force the password.

Once the password is accepted a random session id is created. This is 36 bits, giving six base-64 characters, and no extra delay is applied when it is checked. If an attempt could be made every ms it would still take over a year to brute force.

The most likely attack would be to use a dictionary of, say, 10 million entries against the password; with the 200 ms delay this would still take 20 days.

Committer:
andrewboyson
Date:
Wed Jul 31 15:09:15 2019 +0000
Revision:
127:bd6dd135009d
Parent:
110:8ab752842d25
Child:
136:be1d42268b5d
Amalgamated Reply into Poll function


//Net4 script
'use strict';

// Page state for the IPv4 view. parse() fills these from the server reply and
// display() copies them into the page. All start as empty strings.

// General settings (first topic of the reply).
let localIp = '';
let domainName = '';
let hostName = '';
let ntpIp = '';
let dnsIp = '';
let dhcpIp = '';
let routerIp = '';
let subnetMask = '';
let broadcastIp = '';

// DHCP lease timers, parsed as hex by parseGenLines().
let leaseTime = '';
let renewalT1 = '';
let renewalt2 = ''; // NOTE: lower-case 't' is the spelling used throughout this file.
let elapsed = '';

// Pre-formatted text blocks for the ARP and DNS tables.
let arp = '';
let dns = '';
andrewboyson 86:f3c9beec4ee7 19
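/**
 * Appends one ARP record to the module-level `arp` text.
 *
 * A record is a fixed-width hex string: characters 0-7 are a time in
 * milliseconds, 8-15 are passed to Net.makeIp4 and 16-27 to Net.makeMac.
 * The result is rendered as "<minutes> <ip> <mac>\r\n".
 *
 * @param {string} line - one record; an empty string (e.g. the remainder after
 *   a trailing newline) is ignored
 */
function parseArpLine(line)
{
    if (line.length === 0) return;
    // Whole minutes, right-aligned in a 4-character column.
    const minutes = Math.floor(Number.parseInt(line.substring(0, 8), 16) / 1000 / 60);
    const ip = Net.makeIp4(line.substring(8, 16)).padEnd(15, ' ');
    const mac = Net.makeMac(line.substring(16, 28));
    arp += `${String(minutes).padStart(4, ' ')} ${ip} ${mac}\r\n`;
}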
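/**
 * Appends one DNS record to the module-level `dns` text.
 *
 * A record is a hex-prefixed string: characters 0-7 are a time in
 * milliseconds, 8-15 are passed to Net.makeIp4, character 16 is a single
 * flag column and everything from 17 on is copied verbatim. The result is
 * rendered as "<minutes> <ip> <flag> <rest>\r\n".
 *
 * @param {string} line - one record; an empty string (e.g. the remainder after
 *   a trailing newline) is ignored
 */
function parseDnsLine(line)
{
    if (line.length === 0) return;
    // Whole minutes, right-aligned in a 4-character column.
    const minutes = Math.floor(Number.parseInt(line.substring(0, 8), 16) / 1000 / 60);
    const ip = Net.makeIp4(line.substring(8, 16)).padEnd(15, ' ');
    const flag = line.substring(16, 17); // single-character column; its meaning is defined by the device
    const rest = line.substring(17);
    dns += `${String(minutes).padStart(4, ' ')} ${ip} ${flag} ${rest}\r\n`;
}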
/**
 * Rebuilds the module-level `arp` text from a newline-separated block of records.
 * @param {string} text - the ARP topic of the server reply
 */
function parseArpLines(text)
{
    arp = '';
    for (const record of text.split('\n'))
    {
        parseArpLine(record);
    }
}
/**
 * Rebuilds the module-level `dns` text from a newline-separated block of records.
 * @param {string} text - the DNS topic of the server reply
 */
function parseDnsLines(text)
{
    dns = '';
    for (const record of text.split('\n'))
    {
        parseDnsLine(record);
    }
}
/**
 * Fills the general-settings globals from the first topic of the reply.
 *
 * The topic is one value per line in a fixed order; lines 0 and 3-8 go through
 * Net.makeIp4, lines 1-2 are copied as-is and lines 9-12 are parsed as hex.
 * A missing line yields undefined (or NaN for the hex fields).
 *
 * @param {string} text - newline-separated settings block
 */
function parseGenLines(text)
{
    const [
        rawLocalIp, rawDomainName, rawHostName,
        rawNtpIp, rawDnsIp, rawDhcpIp, rawRouterIp, rawSubnetMask, rawBroadcastIp,
        rawLeaseTime, rawRenewalT1, rawRenewalT2, rawElapsed,
    ] = text.split('\n');

    localIp = Net.makeIp4(rawLocalIp);
    domainName = rawDomainName;
    hostName = rawHostName;
    ntpIp = Net.makeIp4(rawNtpIp);
    dnsIp = Net.makeIp4(rawDnsIp);
    dhcpIp = Net.makeIp4(rawDhcpIp);
    routerIp = Net.makeIp4(rawRouterIp);
    subnetMask = Net.makeIp4(rawSubnetMask);
    broadcastIp = Net.makeIp4(rawBroadcastIp);

    // Timers arrive as hex strings.
    leaseTime = parseInt(rawLeaseTime, 16);
    renewalT1 = parseInt(rawRenewalT1, 16);
    renewalt2 = parseInt(rawRenewalT2, 16);
    elapsed = parseInt(rawElapsed, 16);
}
/**
 * Splits Ajax.response into its three form-feed separated topics and hands
 * each to its parser: general settings, ARP table, DNS table.
 */
function parse()
{
    const [general, arpText, dnsText] = Ajax.response.split('\f');
    parseGenLines(general);
    parseArpLines(arpText);
    parseDnsLines(dnsText);
}
/**
 * Copies the parsed values into the page.
 *
 * Each element is looked up by id with Ajax.getElementOrNull and skipped when
 * absent, so a page that shows only some of the fields still works. Values are
 * written with textContent, so server-supplied text is shown literally rather
 * than interpreted as HTML.
 */
function display()
{
    // Element id → value to show, in page order.
    const fields = [
        ['ajax-local-ip', localIp],
        ['ajax-domain-name', domainName],
        ['ajax-host-name', hostName],
        ['ajax-ntp-ip', ntpIp],
        ['ajax-dns-ip', dnsIp],
        ['ajax-dhcp-ip', dhcpIp],
        ['ajax-router-ip', routerIp],
        ['ajax-subnet-mask', subnetMask],
        ['ajax-broadcast-ip', broadcastIp],
        ['ajax-lease-time', leaseTime],
        ['ajax-renewal-t1', renewalT1],
        ['ajax-renewal-t2', renewalt2],
        ['ajax-elapsed', elapsed],
        ['ajax-arp', arp],
        ['ajax-dns', dns],
    ];

    for (const [id, value] of fields)
    {
        const target = Ajax.getElementOrNull(id);
        if (target) target.textContent = value;
    }
}
andrewboyson 86:f3c9beec4ee7 98
// Point the shared Ajax helper at this page's endpoint, have every reply
// parsed and rendered, then hand control to Ajax.init().
Ajax.server = '/net4-ajax';
Ajax.onResponse = () =>
{
    parse();
    display();
};
Ajax.init();