On Mon, 26 Dec 2022, Andrew Haines wrote:
On 12/26/22 8:48 AM, Michael Van Canneyt via fpc-pascal wrote:
Please make a version of your program that does not use the LCL.
Then I'll test that too.
2 reasons for this request: - I don't have a working version of Lazarus
with FPC trunk.
- I want to exclude the problems of dealing with the main application
message loop.
I attached a console version. It uses threads. If this is useful at all
please feel free to add it to the examples and modify it however you want.
I found the problem. First was the problem of no data being read, which you
fixed by changing the inheritance. But the second problem is that the
OutgoingFrameMask value was not being used. In the rfc section 5.2 it states
in the Mask bit explanation that all frames sent from a client must be
masked. Unfortunately the echo server was not giving a close frame with a
protocol error which would have been useful.
Hm.
I can say with certainty then that not all server implementations check this :)
In the attached patch there are 3 hunks that include the OutgoingFrameMask
with the payload. The rest of the patch is about handling a connection that
encounters an error sending data. I added an exception and also a flag that
ignores the exception and tries to close gracefully.
You can compile the console client I sent without applying the patch to see
how it was failing before. There are default servers to choose from.
Indeed, I can confirm the problem, and that your patch fixes it.
Maybe in the client, the constructor should pick a mask at random by default
since all frames from the client are supposed to be masked anyway.
Good suggestion. I will add this.
Section
5.3 has some strong language about the random mask having a strong entropy
source. It actually says each frame should have a new unique mask so I'm not
sure the OutgoingFrameMask property really makes sense since the mask is
given to the connection only once when the connection is created. I doubt
most server implementations care about this.
Indeed, see above.
The whole mask idea is shaky anyway.
The mask is sent in the frame, so that's pretty useless for security, which
begs the question why it was needed in the first place. If one wants secure
connections, one should use the wss protocol. Probably the reason why most
servers don't care too much about it.
Anyway: I have applied the patch, and added your example with some minor
modifications. Thank you for both !
Michael.
_______________________________________________
fpc-pascal maillist - fpc-pascal@lists.freepascal.org
https://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal
