Common stuff for all my devices' web server pages: css, login, log, ipv4, ipv6, firmware update, clock, reset info etc.

Dependents:   oldheating gps motorhome heating

Security

A password has to be set whenever there has been a software reset. Resets following faults or power on do not require a new password as the hash is restored from the RTC GPREG register.

The password is not saved on the device; instead a 32-bit hash of the password is saved. Because any password whose hash matches the stored one is accepted, the effective secret is only 32 bits: a brute-force search of the hash space needs 2^31 attempts on average, which could be completed in under a month if an attempt were possible every millisecond. To prevent this a 200 ms delay is introduced in the reply to the login form, which stretches the average brute-force time to a more reasonable 13 years. Note that the delay only slows an attacker who must wait for each reply in turn; it should be confirmed that the server does not service concurrent login attempts in parallel, or the delay is defeated.

Once the password is accepted a random session id is created. This is 36 bits, so it fits in six base-64 characters, and it is checked without an extra delay. If an attempt could be made every ms then brute-forcing it (2^35 attempts on average) would still take over a year. This relies on the session id coming from an unpredictable random source; a predictable generator would make its length irrelevant.

The most likely attack would be to use a dictionary of, say, 10 million entries against the password, which with the 200 ms delay would still take about 23 days (10^7 x 0.2 s).

Committer:
andrewboyson
Date:
Tue Apr 30 12:45:08 2019 +0000
Revision:
110:8ab752842d25
Child:
152:edbf676b08ca
Tidied. About to rename to web.

andrewboyson 110:8ab752842d25 1 #include "web-add.h"
andrewboyson 110:8ab752842d25 2 #include "web-nav-base.h"
andrewboyson 110:8ab752842d25 3 #include "http.h"
andrewboyson 110:8ab752842d25 4
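/*
 * WebTraceHtml - emit the "Net Trace" settings page.
 *
 * Sends a 200 OK "text/html; charset=UTF-8" reply marked "no-cache" and
 * builds the page with the shared web-add helpers: the common header
 * (settings.css + trace.js), the navigation bar for TRACE_PAGE, an H1,
 * then one H2 section per group of trace switches.
 *
 * Every toggle is bound to two ids: the "ajax-..." id that trace.js polls
 * to display the current state, and the "chg-..."/"set-..." id it sends
 * when the user changes the control.  Those ids are matched by the AJAX
 * handler elsewhere in the project, so they must not be altered here
 * without updating that handler and trace.js.
 *
 * Parameters: none.  Returns: nothing; all output goes to the HTTP reply.
 *
 * NOTE(review): no authentication check is visible in this function.  The
 * page exposes switches that control network tracing and a "Trace host"
 * filter, so the dispatcher that calls it should enforce the login session
 * described in the project README before serving it - confirm.
 */
void WebTraceHtml(void)
{
    HttpOk("text/html; charset=UTF-8", "no-cache", NULL, NULL);
    WebAddHeader("Net Trace", "settings.css", "trace.js");
    WebAddNav(TRACE_PAGE);
    WebAddH1("Net Trace");

    /* General: the host filter (the 5 is the size argument passed to
       WebAddAjaxInput - presumably the input width; verify in web-add.h)
       and the switches that shape the trace output. */
    WebAddH2("General");
    WebAddAjaxInput      ("Trace host"           , 5 , "ajax-trace-net-host"   , "set-trace-net-host"   );
    WebAddAjaxInputToggle("Trace stack"          , "ajax-trace-net-stack"  , "chg-trace-net-stack"  );
    WebAddAjaxInputToggle("Trace new line"       , "ajax-trace-net-newline", "chg-trace-net-newline");
    WebAddAjaxInputToggle("Trace verbose"        , "ajax-trace-net-verbose", "chg-trace-net-verbose");

    /* Net: per-layer / per-protocol trace switches. */
    WebAddH2("Net");
    WebAddAjaxInputToggle("MAC"                  , "ajax-trace-link"       , "chg-trace-link"       );
    WebAddAjaxInputToggle("Ip4 filtered"         , "ajax-trace-ip4"        , "chg-trace-ip4"        );
    WebAddAjaxInputToggle("Ip6 filtered"         , "ajax-trace-ip6"        , "chg-trace-ip6"        );
    WebAddAjaxInputToggle("Udp filtered"         , "ajax-trace-udp"        , "chg-trace-udp"        );
    WebAddAjaxInputToggle("Tcp filtered"         , "ajax-trace-tcp"        , "chg-trace-tcp"        );
    WebAddAjaxInputToggle("Echo4 (ping4)"        , "ajax-trace-echo4"      , "chg-trace-echo4"      );
    WebAddAjaxInputToggle("Echo6 (ping6)"        , "ajax-trace-echo6"      , "chg-trace-echo6"      );
    /* Label typo fixed ("unreacheable" -> "unreachable"); the ids are unchanged. */
    WebAddAjaxInputToggle("Dest6 unreachable"    , "ajax-trace-dest6"      , "chg-trace-dest6"      );
    WebAddAjaxInputToggle("HTTP"                 , "ajax-trace-http"       , "chg-trace-http"       );
    WebAddAjaxInputToggle("TFTP"                 , "ajax-trace-tftp"       , "chg-trace-tftp"       );

    /* Send requests via IPv4: these change ids are "chg-send-..." rather than
       "chg-trace-...", i.e. they select the transport used for outgoing
       requests, not just tracing. */
    WebAddH2("Send requests via IPv4");
    WebAddAjaxInputToggle("DNS request via IPv4" , "ajax-trace-dns-ip4"    , "chg-send-dns-ip4"     );
    WebAddAjaxInputToggle("NTP request via IPv4" , "ajax-trace-ntp-ip4"    , "chg-send-ntp-ip4"     );
    WebAddAjaxInputToggle("TFTP request via IPv4", "ajax-trace-tftp-ip4"   , "chg-send-tftp-ip4"    );

    /* Router resolution: RA / RS / DHCP tracing. */
    WebAddH2("Router Resolution");
    WebAddAjaxInputToggle("Router advertise"     , "ajax-trace-ra"         , "chg-trace-ra"         );
    WebAddAjaxInputToggle("Router solicit"       , "ajax-trace-rs"         , "chg-trace-rs"         );
    WebAddAjaxInputToggle("DHCP"                 , "ajax-trace-dhcp"       , "chg-trace-dhcp"       );

    /* Address resolution: ARP and neighbour-solicitation caches and messages. */
    WebAddH2("Address Resolution");
    WebAddAjaxInputToggle("IP4 cache"            , "ajax-trace-ar4"        , "chg-trace-ar4"        );
    WebAddAjaxInputToggle("IP6 cache"            , "ajax-trace-ar6"        , "chg-trace-ar6"        );
    WebAddAjaxInputToggle("ARP"                  , "ajax-trace-arp"        , "chg-trace-arp"        );
    WebAddAjaxInputToggle("NS server"            , "ajax-trace-ns-recv-sol", "chg-trace-ns-recv-sol");
    WebAddAjaxInputToggle("NS client reply"      , "ajax-trace-ns-recv-adv", "chg-trace-ns-recv-adv");
    WebAddAjaxInputToggle("NS client query"      , "ajax-trace-ns-send-sol", "chg-trace-ns-send-sol");

    /* Name resolution: DNS caches, client and server tracing. */
    WebAddH2("Name Resolution");
    WebAddAjaxInputToggle("IP4 cache"            , "ajax-trace-nr4"        , "chg-trace-nr4"        );
    WebAddAjaxInputToggle("IP6 cache"            , "ajax-trace-nr6"        , "chg-trace-nr6"        );
    WebAddAjaxInputToggle("DNS name"             , "ajax-trace-dns-name"   , "chg-trace-dns-name"   );
    WebAddAjaxInputToggle("DNS client query"     , "ajax-trace-dns-query"  , "chg-trace-dns-query"  );
    WebAddAjaxInputToggle("DNS client reply"     , "ajax-trace-dns-reply"  , "chg-trace-dns-reply"  );
    WebAddAjaxInputToggle("DNS server"           , "ajax-trace-dns-server" , "chg-trace-dns-server" );

    /* NTP tracing. */
    WebAddH2("NTP");
    WebAddAjaxInputToggle("NTP"                  , "ajax-trace-ntp"        , "chg-trace-ntp"        );
    WebAddAjaxInputToggle("NTP client"           , "ajax-trace-ntp-client" , "chg-trace-ntp-client" );

    WebAddEnd();
}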