Users » andrewboyson » Code » web

Common stuff for all my devices' web server pages: css, login, log, ipv4, ipv6, firmware update, clock, reset info etc.

Dependents: oldheating gps motorhome heating

Security

A password has to be set whenever there has been a software reset. Resets following faults or power on do not require a new password as the hash is restored from the RTC GPREG register.

The password is not saved on the device; instead a 32 bit hash of the password is saved. It would take 2^31 attempts to brute force the password: this could be done in under a month if an attempt were possible every millisecond. To prevent this a 200 ms delay is introduced in the reply to the login form, that gives a more reasonable 13 years to brute force the password.

Once the password is accepted a random session id is created. This is 36 bit to give six base 64 characters but without an extra delay. If an attempt could be made every ms then this would still take over a year to brute force.

The most likely attack would to use a dictionary with, say, 10 million entries against the password which would still take 20 days to do.

Diff: clock/http-clock-script.js

Revision:: 77:4689596a2f3f
Parent:: 46:1822fdbe6c0c
Child:: 94:d7226b2c14b6

--- a/clock/http-clock-script.js	Thu Mar 21 11:21:19 2019 +0000
+++ b/clock/http-clock-script.js	Sat Mar 23 12:26:49 2019 +0000
@@ -2,20 +2,24 @@
 
 var response        = '';
 var headers         = '';
-var msRtc           = 0;     //nibbles 0 to 3: 16 bits
+var msRtc           = 0;     //nibbles  0 to  3: 16 bits
 var msCountAtRtcSet = 0;
 var msDiff          = 0;
-var rtcIsSet        = false; //nibble  4: bit 0
-var clockIsSet      = false; //nibble  4: bit 1
-var sourceIsOk      = false; //nibble  4: bit 2
-var rateIsLocked    = false; //nibble  4: bit 3
-var timeIsLocked    = false; //nibble  5: bit 0
-var leapEnable      = false; //nibble  5: bit 1
-var leapForward     = false; //nibble  5: bit 2
-var leapmonths1970  = 0;     //nibbles 6 to 8: 12 bits
+var rtcIsSet        = false; //nibble   4      : bit 0
+var clockIsSet      = false; //nibble   4      : bit 1
+var sourceIsOk      = false; //nibble   4      : bit 2
+var rateIsLocked    = false; //nibble   4      : bit 3
+var timeIsLocked    = false; //nibble   5      : bit 0
+var leapEnable      = false; //nibble   5      : bit 1
+var leapForward     = false; //nibble   5      : bit 2
+var leapmonths1970  = 0;     //nibbles  6 to  8: 12 bits
 var leapmonth       = 0;
 var leapyear        = 0;
-var leaps           = 0;     //nibbles 9 to 12: 16 bits
+var leaps           = 0;     //nibbles  9 to 12: 16 bits
+var ppb             = 0;     //nibbles 13 to 20: 32 bits
+var scanavg         = 0;     //nibbles 21 to 28: 32 bits
+var scanmax         = 0;     //nibbles 29 to 36: 32 bits
+var scanmin         = 0;     //nibbles 37 to 44: 32 bits
 var msCount         = 0;
 
 const         TICK_MS =   100;
@@ -49,7 +53,11 @@
    leapyear        = (leapmonths1970 - leapmonth) / 12;
    leapmonth      += 1;
    leapyear       += 1970;
-   leaps           = parseInt(response.substr(9, 4), 16);
+   leaps           = parseInt(response.substr( 9, 4), 16);
+   ppb             = parseInt(response.substr(13, 8), 16);
+   scanavg         = parseInt(response.substr(21, 8), 16);
+   scanmax         = parseInt(response.substr(29, 8), 16);
+   scanmin         = parseInt(response.substr(37, 8), 16);
 }
 function displayGeneral()
 {
@@ -68,10 +76,16 @@
 
    elem = document.getElementById('ajax-leap-count'   ); if (elem) elem.value = leaps;
 
-   elem = document.getElementById('ajax-response'     ); if (elem) elem.innerHTML  = response;
-   elem = document.getElementById('ajax-headers'      ); if (elem) elem.innerHTML  = headers;
+   elem = document.getElementById('ajax-ppb'          ); if (elem) elem.value = ppb;
+
+   elem = document.getElementById('ajax-scan-avg'     ); if (elem) elem.textContent = scanavg;
+   elem = document.getElementById('ajax-scan-max'     ); if (elem) elem.textContent = scanmax;
+   elem = document.getElementById('ajax-scan-min'     ); if (elem) elem.textContent = scanmin;
+
+   elem = document.getElementById('ajax-response'     ); if (elem) elem.textContent = response;
+   elem = document.getElementById('ajax-headers'      ); if (elem) elem.textContent = headers;
    
-   elem = document.getElementById('date-diff'         ); if (elem) elem.innerHTML = msDiff;
+   elem = document.getElementById('ajax-date-diff'    ); if (elem) elem.textContent = msDiff;
 }
 
 function formatNumbers00(i)
@@ -135,11 +149,10 @@
     //Display time
     var elem;
         
-    elem = document.getElementById('date-utc');
-    if (elem) elem.innerHTML = y + '-' + n + '-' + d + ' ' + w + ' ' + h + ':' + m + ':' + s + ' TAI-UTC=' + leaps;
+    elem = document.getElementById('ajax-date-utc');
+    if (elem) elem.textContent = y + '-' + n + '-' + d + ' ' + w + ' ' + h + ':' + m + ':' + s + ' TAI-UTC=' + leaps;
 
-    elem = document.getElementById('date-pc');
-    //if (elem) elem.innerHTML = now.toString();
+    elem = document.getElementById('ajax-date-pc');
     var options = 
     {
         year:         'numeric',
@@ -151,7 +164,7 @@
         second:       '2-digit',
         timeZoneName: 'short'
     };
-    if (elem) elem.innerHTML = now.toLocaleString(undefined, options);
+    if (elem) elem.textContent = now.toLocaleString(undefined, options);
 }
 
 var ajax;

Repository toolbox

Export to desktop IDE

Repository details

Type:	Library
Created:	28 Jan 2018
Imports:	34
Forks:	0
Commits:	161
Dependents:	4
Dependencies:	0
Followers:	2

Security

Diff: clock/http-clock-script.js

Repository toolbox

Repository details

Important Information for this Arm website

Access Warning