Common stuff for all my devices' web server pages: css, login, log, ipv4, ipv6, firmware update, clock, reset info etc.

Dependents:   oldheating gps motorhome heating

Security

A password has to be set whenever there has been a software reset. Resets following faults or power on do not require a new password because the hash is restored from the RTC GPREG register.

The password is not saved on the device; instead a 32-bit hash of the password is saved. It would take on average 2^31 attempts to brute force the password: this could be done in under a month if an attempt were possible every millisecond. To prevent this a 200 ms delay is introduced in the reply to the login form, which gives a more reasonable 13 years to brute force the password (assuming attempts cannot be made in parallel).

Once the password is accepted a random session id is created. This is 36 bits long, giving six base-64 characters, and no extra delay is applied to it. Even if an attempt could be made every millisecond it would still take over a year to brute force.

The most likely attack would be to use a dictionary of, say, 10 million entries against the password, which would still take 20 days.

Committer:
andrewboyson
Date:
Wed Jul 31 15:09:15 2019 +0000
Revision:
127:bd6dd135009d
Parent:
120:85a4d8f7517d
Child:
132:5b2df69a4f17
Amalgamated Reply into Poll function

andrewboyson 110:8ab752842d25 1 #include "http.h"
andrewboyson 110:8ab752842d25 2 #include "web.h"
andrewboyson 110:8ab752842d25 3 #include "web-pages-base.h"
andrewboyson 110:8ab752842d25 4
andrewboyson 110:8ab752842d25 5 #define DO_FAVICON DO_BASE + 1
andrewboyson 110:8ab752842d25 6 #define DO_BASE_CSS DO_BASE + 2
andrewboyson 110:8ab752842d25 7 #define DO_NAV_CSS DO_BASE + 3
andrewboyson 110:8ab752842d25 8 #define DO_CLOCK_HTML DO_BASE + 4
andrewboyson 110:8ab752842d25 9 #define DO_CLOCK_AJAX DO_BASE + 5
andrewboyson 110:8ab752842d25 10 #define DO_CLOCK_SCRIPT DO_BASE + 6
andrewboyson 110:8ab752842d25 11 #define DO_NET_HTML DO_BASE + 7
andrewboyson 110:8ab752842d25 12 #define DO_NET4_HTML DO_BASE + 8
andrewboyson 110:8ab752842d25 13 #define DO_NET4_AJAX DO_BASE + 9
andrewboyson 110:8ab752842d25 14 #define DO_NET4_SCRIPT DO_BASE + 10
andrewboyson 110:8ab752842d25 15 #define DO_NET6_HTML DO_BASE + 11
andrewboyson 110:8ab752842d25 16 #define DO_NET6_AJAX DO_BASE + 12
andrewboyson 110:8ab752842d25 17 #define DO_NET6_SCRIPT DO_BASE + 13
andrewboyson 110:8ab752842d25 18 #define DO_TRACE_HTML DO_BASE + 14
andrewboyson 110:8ab752842d25 19 #define DO_TRACE_AJAX DO_BASE + 15
andrewboyson 110:8ab752842d25 20 #define DO_TRACE_SCRIPT DO_BASE + 16
andrewboyson 110:8ab752842d25 21 #define DO_LOG_HTML DO_BASE + 17
andrewboyson 120:85a4d8f7517d 22 #define DO_RESET_HTML DO_BASE + 18
andrewboyson 110:8ab752842d25 23 #define DO_FIRMWARE_HTML DO_BASE + 19
andrewboyson 110:8ab752842d25 24 #define DO_FIRMWARE_AJAX DO_BASE + 20
andrewboyson 110:8ab752842d25 25 #define DO_FIRMWARE_SCRIPT DO_BASE + 21
andrewboyson 110:8ab752842d25 26
andrewboyson 110:8ab752842d25 27 int WebServerBaseDecideWhatToDo(char *pPath, char* pLastModified)
andrewboyson 110:8ab752842d25 28 {
andrewboyson 110:8ab752842d25 29 if (HttpSameStr(pPath, "/clock" )) return DO_CLOCK_HTML;
andrewboyson 110:8ab752842d25 30 if (HttpSameStr(pPath, "/clock-ajax" )) return DO_CLOCK_AJAX;
andrewboyson 110:8ab752842d25 31 if (HttpSameStr(pPath, "/net" )) return DO_NET_HTML;
andrewboyson 110:8ab752842d25 32 if (HttpSameStr(pPath, "/net4" )) return DO_NET4_HTML;
andrewboyson 110:8ab752842d25 33 if (HttpSameStr(pPath, "/net4-ajax" )) return DO_NET4_AJAX;
andrewboyson 110:8ab752842d25 34 if (HttpSameStr(pPath, "/net6" )) return DO_NET6_HTML;
andrewboyson 110:8ab752842d25 35 if (HttpSameStr(pPath, "/net6-ajax" )) return DO_NET6_AJAX;
andrewboyson 110:8ab752842d25 36 if (HttpSameStr(pPath, "/log" )) return DO_LOG_HTML;
andrewboyson 110:8ab752842d25 37 if (HttpSameStr(pPath, "/trace" )) return DO_TRACE_HTML;
andrewboyson 110:8ab752842d25 38 if (HttpSameStr(pPath, "/trace-ajax" )) return DO_TRACE_AJAX;
andrewboyson 120:85a4d8f7517d 39 if (HttpSameStr(pPath, "/reset" )) return DO_RESET_HTML;
andrewboyson 110:8ab752842d25 40 if (HttpSameStr(pPath, "/firmware" )) return DO_FIRMWARE_HTML;
andrewboyson 110:8ab752842d25 41 if (HttpSameStr(pPath, "/firmware-ajax")) return DO_FIRMWARE_AJAX;
andrewboyson 110:8ab752842d25 42
andrewboyson 110:8ab752842d25 43 if (HttpSameStr(pPath, "/favicon.ico" )) return HttpSameDate(WebFaviconDate, WebFaviconTime, pLastModified) ? DO_NOT_MODIFIED : DO_FAVICON;
andrewboyson 110:8ab752842d25 44 if (HttpSameStr(pPath, "/base.css" )) return HttpSameDate(WebBaseCssDate, WebBaseCssTime, pLastModified) ? DO_NOT_MODIFIED : DO_BASE_CSS;
andrewboyson 110:8ab752842d25 45 if (HttpSameStr(pPath, "/settings.css" )) return HttpSameDate(WebNavCssDate, WebNavCssTime, pLastModified) ? DO_NOT_MODIFIED : DO_NAV_CSS;
andrewboyson 110:8ab752842d25 46 if (HttpSameStr(pPath, "/net4.js" )) return HttpSameDate(WebNet4ScriptDate, WebNet4ScriptTime, pLastModified) ? DO_NOT_MODIFIED : DO_NET4_SCRIPT;
andrewboyson 110:8ab752842d25 47 if (HttpSameStr(pPath, "/net6.js" )) return HttpSameDate(WebNet6ScriptDate, WebNet6ScriptTime, pLastModified) ? DO_NOT_MODIFIED : DO_NET6_SCRIPT;
andrewboyson 110:8ab752842d25 48 if (HttpSameStr(pPath, "/trace.js" )) return HttpSameDate(WebTraceScriptDate, WebTraceScriptTime, pLastModified) ? DO_NOT_MODIFIED : DO_TRACE_SCRIPT;
andrewboyson 110:8ab752842d25 49 if (HttpSameStr(pPath, "/clock.js" )) return HttpSameDate(WebClockScriptDate, WebClockScriptTime, pLastModified) ? DO_NOT_MODIFIED : DO_CLOCK_SCRIPT;
andrewboyson 110:8ab752842d25 50 if (HttpSameStr(pPath, "/firmware.js" )) return HttpSameDate(WebFirmwareScriptDate, WebFirmwareScriptTime, pLastModified) ? DO_NOT_MODIFIED : DO_FIRMWARE_SCRIPT;
andrewboyson 110:8ab752842d25 51
andrewboyson 110:8ab752842d25 52 return DO_NOT_FOUND;
andrewboyson 110:8ab752842d25 53 }
andrewboyson 110:8ab752842d25 54
andrewboyson 110:8ab752842d25 55 bool WebServerBaseHandleQuery(int todo, char* pQuery)
andrewboyson 110:8ab752842d25 56 {
andrewboyson 110:8ab752842d25 57 switch (todo)
andrewboyson 110:8ab752842d25 58 {
andrewboyson 110:8ab752842d25 59 case DO_TRACE_AJAX: WebTraceQuery (pQuery); return true;
andrewboyson 110:8ab752842d25 60 case DO_CLOCK_AJAX: WebClockQuery (pQuery); return true;
andrewboyson 110:8ab752842d25 61 case DO_CLOCK_HTML: WebClockQuery (pQuery); return true;
andrewboyson 110:8ab752842d25 62 case DO_LOG_HTML: WebLogQuery (pQuery); return true;
andrewboyson 120:85a4d8f7517d 63 case DO_RESET_HTML: WebResetQuery (pQuery); return true;
andrewboyson 110:8ab752842d25 64 case DO_FIRMWARE_HTML: WebFirmwareQuery(pQuery); return true;
andrewboyson 110:8ab752842d25 65 case DO_FIRMWARE_AJAX: WebFirmwareQuery(pQuery); return true;
andrewboyson 110:8ab752842d25 66 }
andrewboyson 110:8ab752842d25 67 return false;
andrewboyson 110:8ab752842d25 68 }
andrewboyson 110:8ab752842d25 69 bool WebServerBasePost(int todo, int contentLength, int contentStart, int size, char* pRequestStream, uint32_t positionInRequestStream, bool* pComplete)
andrewboyson 110:8ab752842d25 70 {
andrewboyson 110:8ab752842d25 71 switch (todo)
andrewboyson 110:8ab752842d25 72 {
andrewboyson 110:8ab752842d25 73 case DO_FIRMWARE_AJAX: WebFirmwarePost(contentLength, contentStart, size, pRequestStream, positionInRequestStream, pComplete); return true;
andrewboyson 110:8ab752842d25 74 }
andrewboyson 110:8ab752842d25 75 return false;
andrewboyson 110:8ab752842d25 76 }
andrewboyson 110:8ab752842d25 77 bool WebServerBaseReply(int todo)
andrewboyson 110:8ab752842d25 78 {
andrewboyson 110:8ab752842d25 79 switch (todo)
andrewboyson 110:8ab752842d25 80 {
andrewboyson 110:8ab752842d25 81 case DO_FAVICON: WebFavicon (); return true;
andrewboyson 110:8ab752842d25 82 case DO_BASE_CSS: WebBaseCss (); return true;
andrewboyson 110:8ab752842d25 83 case DO_NAV_CSS: WebNavCss (); return true;
andrewboyson 110:8ab752842d25 84 case DO_TRACE_HTML: WebTraceHtml (); return true;
andrewboyson 110:8ab752842d25 85 case DO_TRACE_AJAX: WebTraceAjax (); return true;
andrewboyson 110:8ab752842d25 86 case DO_TRACE_SCRIPT: WebTraceScript (); return true;
andrewboyson 110:8ab752842d25 87 case DO_CLOCK_HTML: WebClockHtml (); return true;
andrewboyson 110:8ab752842d25 88 case DO_CLOCK_AJAX: WebClockAjax (); return true;
andrewboyson 110:8ab752842d25 89 case DO_CLOCK_SCRIPT: WebClockScript (); return true;
andrewboyson 110:8ab752842d25 90 case DO_NET_HTML: WebNetHtml (); return true;
andrewboyson 110:8ab752842d25 91 case DO_NET4_HTML: WebNet4Html (); return true;
andrewboyson 110:8ab752842d25 92 case DO_NET4_AJAX: WebNet4Ajax (); return true;
andrewboyson 110:8ab752842d25 93 case DO_NET4_SCRIPT: WebNet4Script (); return true;
andrewboyson 110:8ab752842d25 94 case DO_NET6_HTML: WebNet6Html (); return true;
andrewboyson 110:8ab752842d25 95 case DO_NET6_AJAX: WebNet6Ajax (); return true;
andrewboyson 110:8ab752842d25 96 case DO_NET6_SCRIPT: WebNet6Script (); return true;
andrewboyson 110:8ab752842d25 97 case DO_LOG_HTML: WebLogHtml (); return true;
andrewboyson 120:85a4d8f7517d 98 case DO_RESET_HTML: WebResetHtml (); return true;
andrewboyson 110:8ab752842d25 99 case DO_FIRMWARE_HTML: WebFirmwareHtml (); return true;
andrewboyson 110:8ab752842d25 100 case DO_FIRMWARE_AJAX: WebFirmwareAjax (); return true;
andrewboyson 110:8ab752842d25 101 case DO_FIRMWARE_SCRIPT: WebFirmwareScript(); return true;
andrewboyson 110:8ab752842d25 102 }
andrewboyson 110:8ab752842d25 103 return false;
andrewboyson 110:8ab752842d25 104 }
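Review bot: Nothing in WebServerBaseHandleQuery or WebServerBasePost checks the session id described in the Security section before handing the query string or POST body to WebResetQuery, WebFirmwareQuery and WebFirmwarePost, all of which change device state; if that check lives inside those handlers it is not visible in this file and a comment on WebServerBaseHandleQuery saying so would spare the next reader the search, and if it does not, a single gate at the top of these two functions would cover every state-changing path at once. Separately, the DO_* macros expand without parentheses, so `DO_BASE + 1` is safe in a case label but not in any expression with a higher-precedence operator; `#define DO_FAVICON (DO_BASE + 1)` for each entry, or one enum for the whole table, removes the hazard. pPath and pLastModified are only read, so `int WebServerBaseDecideWhatToDo(const char *pPath, const char *pLastModified)` would state that contract, provided HttpSameStr and HttpSameDate accept const pointers.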