THIS IS A WORK IN PROGRESS...
Simple Server to securely control GPIO on RPi Hardware. I use this to open my garage door at home. Used together with gdo-client but also provides a rudimentary web interface to use as standalone.
I use an old Raspberry Pi model B that I have hooked up to my remote control for the garage door. I run Apache2 on it together with mod_wsgi to run my server software, which enables clients to connect and activate the GPIO pin that is being used to activate the remote for the garage.
Trying to stay "safe"
Since I really don't want anyone else opening my garage door, I tried to implement a couple of safeguards to prevent common attacks:
- I'm using letsencrypt to encrypt web traffic.
- A pin can only be activated with a passphrase (don't worry it isn't the one found on this repo... I use a crazy long one irl.)
- The server provides 64 bytes of `salt` that is valid for 60 seconds and can only be used once. (The `salt` comes from `/dev/urandom` and the server waits for a random fraction of a second before sending the `salt`, to make it more robust against timing attacks)
- `SHA3-512` is being used together with the `salt` for transmitting the salted and hashed passphrase.
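
A minimal sketch of the one-time salt exchange described in the list above, added here as an illustration and not taken from gdo-server itself. The `salt || passphrase` concatenation, the hex encoding, the names `ChallengeStore` and `respond`, and the constant-time comparison are assumptions; the README only states the salt size, its lifetime, single use and SHA3-512.

```python
import hashlib
import hmac
import os
import time

SALT_BYTES = 64   # README: 64 bytes of salt
SALT_TTL = 60.0   # README: valid for 60 seconds


def respond(salt, passphrase):
    """Client side. Assumed construction: hex(SHA3-512(salt || passphrase))."""
    return hashlib.sha3_512(salt + passphrase.encode("utf-8")).hexdigest()


class ChallengeStore:
    """Hypothetical in-memory store of outstanding one-time salts."""

    def __init__(self, passphrase, clock=time.monotonic):
        self._passphrase = passphrase
        self._clock = clock      # injectable so expiry can be tested
        self._issued = {}        # salt -> expiry time

    def issue(self):
        """Hand out a fresh salt from the OS CSPRNG (/dev/urandom on Linux)."""
        now = self._clock()
        # Drop expired salts so abandoned challenges do not pile up.
        self._issued = {s: t for s, t in self._issued.items() if t >= now}
        salt = os.urandom(SALT_BYTES)
        self._issued[salt] = now + SALT_TTL
        return salt

    def verify(self, salt, response_hex):
        """True only for a live, unused salt paired with the right digest."""
        # pop() consumes the salt even when the digest is wrong, so every salt
        # allows exactly one attempt and a captured response cannot be replayed.
        expiry = self._issued.pop(salt, None)
        if expiry is None or self._clock() > expiry:
            return False
        expected = respond(salt, self._passphrase)
        # Constant-time comparison: duration does not depend on the mismatch.
        return hmac.compare_digest(expected.encode(), response_hex.encode())


if __name__ == "__main__":
    store = ChallengeStore("constructed-demo-passphrase")  # constructed value
    salt = store.issue()
    answer = respond(salt, "constructed-demo-passphrase")
    print(store.verify(salt, answer), store.verify(salt, answer))
```

Under mod_wsgi with more than one process, the set of issued salts has to live in shared storage, since a salt issued by one process would otherwise be unknown to the process that receives the response.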
Those are the safeguards I was able to come up with, but, as is usual with cryptography, something believed to be safe every so often turns out not to be, so fingers crossed.