Common stuff for all my devices' web server pages: css, login, log, ipv4, ipv6, firmware update, clock, reset info etc.

Dependents:   oldheating gps motorhome heating

Security

A password has to be set again after every software reset. Resets following a fault, or a power on, do not require a new password because the hash is kept in the RTC GPREG register and is restored from there.

The password itself is not saved on the device; only a 32 bit hash of it is. Brute forcing that hash takes about 2^31 attempts on average (2^32 in the worst case): at one attempt per millisecond that is under a month. To prevent this a 200 ms delay is introduced in the reply to the login form, which stretches the average to a more reasonable 13 years. This figure assumes the device handles login attempts one at a time; if attempts on separate connections could overlap, the effective attempt rate would be correspondingly higher.

Once the password is accepted a random session id is created. It is 36 bits, which encodes as six base 64 characters, and requests that present it are answered without the extra delay. Even so, at one attempt per millisecond guessing it would take over a year on average. This relies on the session id coming from a source the attacker cannot predict.

The most likely attack would be to use a dictionary of, say, 10 million entries against the password; at 200 ms per attempt that still takes about 23 days, and only succeeds if the password is in the dictionary.

Committer:
andrewboyson
Date:
Sat Apr 24 09:51:26 2021 +0000
Revision:
159:bda5b89e8c19
Parent:
141:1dac268a197d
Added HttpAddTextN to allow a length limited addition. Updated HttpQueryValueAsInt and HttpQueryUnencode to not fail if passed a NUL.

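#ifndef HTTP_H
#define HTTP_H

/*
 * http.h - shared HTTP server interface for the device web pages.
 *
 * Every prototype below is byte-identical to the original header; an
 * include guard and documentation are the only additions.  The definitions
 * live in http.c, which is not visible from this header, so anything marked
 * "presumably" or "confirm" is inferred from names and signatures rather
 * than verified against the implementation.
 */

#include <stdbool.h>
#include <stdarg.h>
#include <stdint.h>
#include <time.h>

/*
 * Connection state codes.  HttpPoll returns an int; these three look like
 * its result set (the original comment on HttpPoll said true/false) -
 * confirm against http.c.
 */
#define HTTP_WAIT 0
#define HTTP_FINISHED 1
#define HTTP_HAVE_SOMETHING_TO_SEND 2

/* ---- Per-connection lifecycle (connectionId identifies the TCP connection) ---- */

/* Discard any state held for the connection. */
extern void HttpReset (int connectionId);
/* Fill the send window for the connection at the given stream offset.
 * pWindowSize is in/out (presumably capacity in, bytes used out). */
extern bool HttpAdd (int connectionId, int* pWindowSize, char* pWindow, uint32_t windowPositionInStream); //returns true if finished; false if not
/* Advance the connection's state.  Returns an int - see the HTTP_* codes above. */
extern int HttpPoll (int connectionId, bool clientFinished); //returns true if something to send; false if not
/* Hand windowSize bytes of received request data to the server.  This is
 * untrusted network input; the implementation must stay within windowSize. */
extern void HttpRequest (int connectionId, int windowSize, char* pWindow, uint32_t windowPositionInStream);

/* Whether HTTP tracing is enabled. */
extern bool HttpGetTrace(void);

/* ---- Response body builder ---- */

/* Start building output into pData for stream offset `position`; mss is
 * presumably the segment size that bounds how much may be added. */
extern void HttpAddStart (uint32_t position, int mss, char *pData);
/* Number of bytes added since HttpAddStart. */
extern int HttpAddLength (void);
/* True once the output window is full. */
extern bool HttpAddFilled (void);

extern void HttpAddChar (char c);
/* Append `length` copies of c. */
extern void HttpAddFillChar (char c, int length);
/* Append a NUL-terminated string.  Return value is presumably the count added. */
extern int HttpAddText (const char* text);
/* Append at most `length` bytes of text (revision 159: length-limited add),
 * so text need not be NUL-terminated within that range. */
extern int HttpAddTextN (const char* text, int length);
/* printf-style appends.  fmt must be a trusted literal; never pass request
 * data as fmt - put it in an argument instead. */
extern int HttpAddV (char *fmt, va_list argptr);
extern int HttpAddF (char *fmt, ...);
/* Append raw bytes. */
extern void HttpAddData (const char* data, int length);
/* Append generated output via callbacks: startFunction once, then
 * enumerateFunction repeatedly (its return presumably signals the end). */
extern void HttpAddStream (void (*startFunction)(void), int (*enumerateFunction)(void));
/* Hex formatting helpers; the width in the name is the number of value bits. */
extern void HttpAddNibbleAsHex (int value);
extern void HttpAddByteAsHex (int value);
extern void HttpAddInt12AsHex (int value);
extern void HttpAddInt16AsHex (int value);
extern void HttpAddInt32AsHex (int value);
extern void HttpAddInt64AsHex (int64_t value);
extern void HttpAddBytesAsHex (const uint8_t* value, int size);
/* Same as HttpAddBytesAsHex but presumably emits the bytes in reverse order. */
extern void HttpAddBytesAsHexRev(const uint8_t* value, int size);
/* Append a broken-down time. */
extern void HttpAddTm (struct tm* ptm);

/* ---- Response headers ---- */

/* Emit a 200 OK header with the given Content-Type, Cache-Control and
 * Last-Modified fields (lastModifiedDate/lastModifiedTime are combined,
 * presumably via HttpDateFromDateTime). */
extern void HttpOk(const char* contentType, const char* cacheControl, const char* lastModifiedDate, const char* lastModifiedTime);
/* Cookie to attach to the next HttpOk, presumably as Set-Cookie; this is how
 * the session id reaches the browser.  Whether attributes such as HttpOnly
 * or SameSite are emitted is not visible here - check http.c. */
extern char* HttpOkCookieName;
extern char* HttpOkCookieValue;
extern int HttpOkCookieMaxAge;

/* Emit a 404 / 304 response respectively. */
extern void HttpNotFound (void);
extern void HttpNotModified (void);

/* ---- Request parsing ---- */

/* Parse `len` bytes of request at p into its parts.  The out-pointers
 * presumably reference positions inside p (so p must outlive them) and the
 * parse must never read past p + len, since p is raw network input.
 * The meaning of the int return is not visible here - confirm in http.c. */
extern int HttpRequestRead(char *p, int len, char** ppMethod, char** ppPath, char** ppQuery, char** ppLastModified, char** ppCookies, int* pContentLength);

/* Iterate name=value pairs.  Each call yields one pair through ppName/ppValue
 * and returns the position to pass on the next call (presumably NULL at the
 * end).  They appear to split in place, i.e. the input is modified. */
extern char* HttpCookiesSplit (char* pCookies, char** ppName, char** ppValue);
extern char* HttpQuerySplit (char* pQuery, char** ppName, char** ppValue);
/* Convert a query value.  Revision 159 made these tolerate a NUL/NULL value. */
extern int HttpQueryValueAsInt (char* pValue);
extern double HttpQueryValueAsDouble(char* pValue);
/* Decode URL encoding, presumably in place (decoded text is never longer). */
extern void HttpQueryUnencode (char* pValue);

/* ---- Dates ---- */

/* Format an HTTP date into ptext/pText.  The buffer should be at least
 * HTTP_DATE_LENGTH bytes (29 characters plus NUL for an RFC 1123 date). */
extern void HttpDateFromDateTime(const char* date, const char *ptime, char* ptext);
extern void HttpDateFromNow(char* pText);

/* ---- String helpers ---- */

/* Equality of two NUL-terminated strings.  Note: if either is used to
 * compare the session id, a short-circuiting compare leaks timing; whether
 * that is the case is not visible here. */
extern bool HttpSameStr (const char* pa, const char* pb);
extern bool HttpSameStrCaseInsensitive(const char* pa, const char* pb);
/* True if date+time denote the same instant as pOtherDate. */
extern bool HttpSameDate (const char* date, const char* time, const char* pOtherDate);

/* Size of a buffer able to hold an HTTP date string including its NUL. */
#define HTTP_DATE_LENGTH 30

#endif /* HTTP_H */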