Common stuff for all my devices' web server pages: css, login, log, ipv4, ipv6, firmware update, clock, reset info etc.

Dependents:   oldheating gps motorhome heating

Security

A password has to be set whenever there has been a software reset. Resets following faults or power on do not require a new password as the hash is restored from the RTC GPREG register.

The password is not saved on the device; instead a 32 bit hash of the password is saved. It would take 2^31 attempts to brute force the password: this could be done in under a month if an attempt were possible every millisecond. To prevent this a 200 ms delay is introduced in the reply to the login form, that gives a more reasonable 13 years to brute force the password.

Once the password is accepted a random session id is created. This is 36 bit to give six base 64 characters but without an extra delay. If an attempt could be made every ms then this would still take over a year to brute force.

The most likely attack would to use a dictionary with, say, 10 million entries against the password which would still take 20 days to do.

Committer:
andrewboyson
Date:
Tue May 11 11:00:00 2021 +0000
Revision:
160:daa94b75b94c
Parent:
130:9a5b8fe308f1
CSS modified to not change the text colour when hovering over a disabled button: it still does for buttons which are enabled.

Who changed what in which revision?

UserRevisionLine numberNew contents of line
andrewboyson 130:9a5b8fe308f1 1 #include <stdbool.h>
andrewboyson 130:9a5b8fe308f1 2 #include <ctype.h>
andrewboyson 130:9a5b8fe308f1 3 #include "http.h"
andrewboyson 130:9a5b8fe308f1 4
andrewboyson 130:9a5b8fe308f1 5 bool HttpSameStr(const char* pa, const char* pb)
andrewboyson 130:9a5b8fe308f1 6 {
andrewboyson 130:9a5b8fe308f1 7 if (!pa || !pb) return false; //Handle NULL references
andrewboyson 130:9a5b8fe308f1 8
andrewboyson 130:9a5b8fe308f1 9 while(true)
andrewboyson 130:9a5b8fe308f1 10 {
andrewboyson 130:9a5b8fe308f1 11 if ( *pa != *pb) return false; //If they are not the same return false
andrewboyson 130:9a5b8fe308f1 12 if (!*pa) return true; //If finished return true;
andrewboyson 130:9a5b8fe308f1 13 pa++;
andrewboyson 130:9a5b8fe308f1 14 pb++;
andrewboyson 130:9a5b8fe308f1 15 }
andrewboyson 130:9a5b8fe308f1 16 }
andrewboyson 130:9a5b8fe308f1 17 bool HttpSameStrCaseInsensitive(const char* pa, const char* pb)
andrewboyson 130:9a5b8fe308f1 18 {
andrewboyson 130:9a5b8fe308f1 19 if (!pa || !pb) return false; //Handle NULL references
andrewboyson 130:9a5b8fe308f1 20
andrewboyson 130:9a5b8fe308f1 21 while(true)
andrewboyson 130:9a5b8fe308f1 22 {
andrewboyson 130:9a5b8fe308f1 23 if ( toupper(*pa) != toupper(*pb)) return false; //If they are not the same return false
andrewboyson 130:9a5b8fe308f1 24 if (!*pa) return true; //If finished return true;
andrewboyson 130:9a5b8fe308f1 25 pa++;
andrewboyson 130:9a5b8fe308f1 26 pb++;
andrewboyson 130:9a5b8fe308f1 27 }
andrewboyson 130:9a5b8fe308f1 28 }
andrewboyson 130:9a5b8fe308f1 29 bool HttpSameDate(const char* date, const char* time, const char* pOtherDate)
andrewboyson 130:9a5b8fe308f1 30 {
andrewboyson 130:9a5b8fe308f1 31 if (!pOtherDate) return false; //Not the same if no lastModified
andrewboyson 130:9a5b8fe308f1 32
andrewboyson 130:9a5b8fe308f1 33 char pFileDate[HTTP_DATE_LENGTH];
andrewboyson 130:9a5b8fe308f1 34 HttpDateFromDateTime(date, time, pFileDate);
andrewboyson 130:9a5b8fe308f1 35
andrewboyson 130:9a5b8fe308f1 36 return HttpSameStr(pFileDate, pOtherDate);
andrewboyson 130:9a5b8fe308f1 37 }