Andrew Boyson / web

Common stuff for all my devices' web server pages: css, login, log, ipv4, ipv6, firmware update, clock, reset info etc.

Dependents:   oldheating gps motorhome heating

Security

A password has to be set whenever there has been a software reset. Resets following faults or power on do not require a new password as the hash is restored from the RTC GPREG register.

The password is not saved on the device; instead a 32 bit hash of the password is saved. It would take 2^31 attempts to brute force the password: this could be done in under a month if an attempt were possible every millisecond. To prevent this a 200 ms delay is introduced in the reply to the login form, that gives a more reasonable 13 years to brute force the password.

Once the password is accepted a random session id is created. This is 36 bit to give six base 64 characters but without an extra delay. If an attempt could be made every ms then this would still take over a year to brute force.

The most likely attack would to use a dictionary with, say, 10 million entries against the password which would still take 20 days to do.

Changes

RevisionDateWhoCommit message
160:daa94b75b94c 2021-05-11 andrewboyson CSS modified to not change the text colour when hovering over a disabled button: it still does for buttons which are enabled. default tip
159:bda5b89e8c19 2021-04-24 andrewboyson Added HttpAddTextN to allow a length limited addition.; Updated HttpQueryValueAsInt and HttpQueryUnencode to mot fail if passed a NUL.
158:80441390de93 2021-02-01 andrewboyson Modified firmware module to disable the restart button until the file upload had completed successfully.
157:57bd76aa5e97 2021-02-01 andrewboyson Updated firmware page to align bytes sent.
156:005785e4740e 2021-01-24 andrewboyson Changed firmware to distinguish between the upload and the file save on the device.; Changed ajax to give a quick update a second after a name value has been sent to give a chance for the device to have reacted.
155:4df4ed4b65a2 2021-01-24 andrewboyson Modified to allow name resolution testing over IPv6 and IPv4 with DNS, MDNS or LLMNR.
154:306e328871ee 2021-01-21 andrewboyson Sent dns tests to DnsTest module
153:eaee18d970c4 2021-01-21 andrewboyson Added button to test resolution of a name from an address.
152:edbf676b08ca 2021-01-19 andrewboyson Tidied up the Trace Nr6 and Nr4 to be just the NR cache
151:10db7ff62b82 2021-01-18 andrewboyson Updated in line with net changes
150:f676c14793fc 2021-01-17 andrewboyson Tidied the Firmware upload message to warn the user (me) against restarting before the file has been saved ok.
149:24365666d28d 2021-01-17 andrewboyson Modified firmware page to give upload progress.
148:3d685db9fdd3 2021-01-17 andrewboyson Net js modified to not show address when empty (it did show whatever had been there before)
147:ea6f647725a1 2021-01-10 andrewboyson Added ability for the user to resolve a name.
146:6bc151bd7063 2021-01-04 andrewboyson Modified Name and address resolution to include vendor names
145:d2bd78be00b2 2020-12-27 andrewboyson Made the display of ip addresses in name resolution both ip6 ad ip4
144:7106252b7abf 2020-12-26 andrewboyson Moved name resolution web info from IPv4 and IPv6 pages to general net page.
143:cc2e148cb96a 2020-12-26 andrewboyson First part of moving DNs from ipv6 to net
142:b472ba95b018 2020-12-23 andrewboyson Added parameters for the change to the net RA (Link unique prefixes)
141:1dac268a197d 2020-06-09 andrewboyson Added routine to parse a float (double) value from a query.
140:8951a8b45289 2020-06-03 andrewboyson Changed home brewed query encode function to use encodeURIComponent instead.
139:e189c6669983 2020-06-02 andrewboyson Corrected a javascript error with the wrong function name.
138:44d84506b2f6 2020-06-02 andrewboyson Modified AjaxRequest to AjaxSendNameValue in order to be able to encode '=' and '?' correctly
137:3b6632374855 2020-06-02 andrewboyson Found that an ajax input would nor send a '%' so modified encoding to convert '%' to '%25'. '+'s were already encoded to %2B.
136:be1d42268b5d 2020-04-02 andrewboyson Modified the IPv4 and IPv6 pages to display the resolution indexes for cross referencing against the TCP page
135:c1490f7e95be 2020-04-02 andrewboyson Made HTTP module callable from https (TLS) or from httpv (vanilla).
134:3d0abf4cd097 2020-03-31 andrewboyson Http nor returns finished if client has sent finished and there is no http connection
133:98c6bf14bc37 2020-03-11 andrewboyson Addewd more fields to TCP connections
132:5b2df69a4f17 2020-03-11 andrewboyson Include TCP monitor
131:a9793a9721c7 2020-02-27 andrewboyson When the user adjusts the UTC offset in the clock web page the UTC time remains the same; previously it would change as the TAI time was not adjusted to suit.
130:9a5b8fe308f1 2019-09-24 andrewboyson Added http
129:6d9bffc72676 2019-09-01 andrewboyson Tidied up connection checks
128:fc9708e1d17c 2019-08-28 andrewboyson Added connection status
127:bd6dd135009d 2019-07-31 andrewboyson Amalgamated Reply into Poll function
126:6b547c86da6e 2019-05-27 andrewboyson Updated login module following change to random module.
125:772948168e4f 2019-05-17 andrewboyson Updated net library
124:a2de6c22f85e 2019-05-14 andrewboyson Corrected spelling of governer to governor.
123:06de83222fda 2019-05-14 andrewboyson Updated http module in the net library
122:cd3f391ac8aa 2019-05-12 andrewboyson Updated http
121:811adea8a6a4 2019-05-09 andrewboyson Changed nav padding to 0.4 from 0.5
120:85a4d8f7517d 2019-05-09 andrewboyson Updated Last Reset page
119:794e5985d6c8 2019-05-09 andrewboyson Restart module in lpc1768 library updated
118:53430a2a2595 2019-05-08 andrewboyson Updated lpc1768 library
117:4f1fe03715ca 2019-05-03 andrewboyson Updated fault module
116:e2f4bf715af7 2019-05-03 andrewboyson Updated Fault module
115:24cb6e84ddd6 2019-05-03 andrewboyson Changed firmware reset to call the new restart routine rather than directly calling the semihost reset.
114:900e33dfa460 2019-05-02 andrewboyson Added ability to force a new password
113:23507d14f927 2019-05-01 andrewboyson Renamed 'core' to 'common'
112:f29bb9b99059 2019-05-01 andrewboyson Changed all names from 'derived' to 'this'
111:aaa858678e34 2019-05-01 andrewboyson Corrected bug where postComplete was not set true in the event of there not being a post.
110:8ab752842d25 2019-04-30 andrewboyson Tidied. About to rename to web.
109:3e82f62c7e1f 2019-04-29 andrewboyson Tidied names from http to web
108:91bfb40e7487 2019-04-28 andrewboyson Renamed WebBaseInit to WebInit
107:8ce0c528e2e5 2019-04-28 andrewboyson Tidied after merge
106:7cff473be687 2019-04-28 andrewboyson Tidied
105:43ef124233cd 2019-04-28 andrewboyson Removed Server name
104:40097d08edd5 2019-04-28 andrewboyson Renamed WebServerDerived to WebServer
103:91194cc19bbb 2019-04-27 andrewboyson Renamed everything from Http to Web
102:ce6770cb3488 2019-04-27 andrewboyson Moved http module to the net library
101:07234e772d31 2019-04-26 andrewboyson Removed unnecessary reference to 1-wire library's DS18B20.h module.