Fixed a bug that caused TLS renegotiation to be skipped in some

configurations (#34).

Author: anthony-tuininga

doc/src/release_notes.rst

@@ -23,6 +23,9 @@ Thin Mode Changes
 #)  When using the connection parameter `https_proxy` while using protocol
     `tcp`, a more meaningful exception is now raised:
     `DPY-2029: https_proxy requires use of the tcps protocol`.
+#)  Fixed a bug that caused TLS renegotiation to be skipped in some
+    configurations
+    (https://github.com/oracle/python-oracledb/discussions/34).
 #)  Internally make use of the `TCP_NODELAY` socket option to remove delays
     in socket reads.
 

src/oracledb/impl/thin/buffer.pyx

@@ -324,14 +324,14 @@ cdef class ReadBuffer:
         """
         cdef:
             ssize_t num_bytes_left, num_bytes_split, max_split_data
+            uint8_t packet_type, packet_flags
             const char_type *source_ptr
-            uint8_t packet_type
             char_type *dest_ptr
 
         # if no bytes are left in the buffer, a new packet needs to be fetched
         # before anything else can take place
         if self._offset == self._size:
-            self.receive_packet(&packet_type)
+            self.receive_packet(&packet_type, &packet_flags)
             self.skip_raw_bytes(2)          # skip data flags
 
         # if there is enough room in the buffer to satisfy the number of bytes
@@ -367,7 +367,7 @@ cdef class ReadBuffer:
         while num_bytes > 0:
 
             # acquire new packet
-            self.receive_packet(&packet_type)
+            self.receive_packet(&packet_type, &packet_flags)
             self.skip_raw_bytes(2)          # skip data flags
 
             # copy data into the chunked buffer or split buffer, as appropriate
@@ -405,7 +405,8 @@ cdef class ReadBuffer:
                 errors._raise_err(errors.ERR_UNSUPPORTED_INBAND_NOTIFICATION,
                                   err_num=error_num)
 
-    cdef int _receive_packet_helper(self, uint8_t *packet_type) except -1:
+    cdef int _receive_packet_helper(self, uint8_t *packet_type,
+                                    uint8_t *packet_flags) except -1:
         """
         Receives a packet and updates the pointers appropriately. Note that
         multiple packets may be received if they are small enough or a portion
@@ -475,7 +476,8 @@ cdef class ReadBuffer:
         if self._caps.protocol_version < TNS_VERSION_MIN_LARGE_SDU:
             self.skip_raw_bytes(2)      # skip packet checksum
         self.read_ub1(packet_type)
-        self.skip_raw_bytes(3)          # skip reserved byte, header checksum
+        self.read_ub1(packet_flags)
+        self.skip_raw_bytes(2)          # header checksum
 
         # display packet if requested
         if DEBUG_PACKETS:
@@ -1079,14 +1081,15 @@ cdef class ReadBuffer:
 
         return bytes(output_value).decode()
 
-    cdef int receive_packet(self, uint8_t *packet_type) except -1:
+    cdef int receive_packet(self, uint8_t *packet_type,
+                            uint8_t *packet_flags) except -1:
         """
         Calls _receive_packet_helper() and checks the packet type. If a
         control packet is received, it is processed and the next packet is
         received.
         """
         while True:
-            self._receive_packet_helper(packet_type)
+            self._receive_packet_helper(packet_type, packet_flags)
             if packet_type[0] == TNS_PACKET_TYPE_CONTROL:
                 self._process_control_packet()
                 continue

src/oracledb/impl/thin/constants.pxi

@@ -39,6 +39,9 @@ DEF TNS_PACKET_TYPE_MARKER = 12
 DEF TNS_PACKET_TYPE_CONTROL = 14
 DEF TNS_PACKET_TYPE_REDIRECT = 5
 
+# packet flags
+DEF TNS_PACKET_FLAG_TLS_RENEG = 0x08
+
 # marker types
 DEF TNS_MARKER_TYPE_BREAK = 1
 DEF TNS_MARKER_TYPE_RESET = 2

src/oracledb/impl/thin/crypto.pyx

@@ -117,6 +117,14 @@ def get_ssl_socket(sock, ConnectParamsImpl params, Description description,
         ssl_context.load_verify_locations(pem_file_name)
         ssl_context.load_cert_chain(pem_file_name,
                                     password=params._get_wallet_password())
+    return perform_tls_negotiation(sock, ssl_context, description, address)
+
+
+def perform_tls_negotiation(sock, ssl_context, Description description,
+                            Address address):
+    """
+    Peforms TLS negotiation.
+    """
     if description.ssl_server_dn_match \
             and description.ssl_server_cert_dn is None:
         sock = ssl_context.wrap_socket(sock, server_hostname=address.host)

src/oracledb/impl/thin/messages.pyx

@@ -51,6 +51,7 @@ cdef class Message:
         uint32_t call_status
         uint16_t end_to_end_seq_num
         uint8_t packet_type
+        uint8_t packet_flags
         bint error_occurred
         bint flush_out_binds
         bint processed_error
@@ -1543,7 +1544,7 @@ cdef class ConnectMessage(Message):
             const char_type *redirect_data
         if self.packet_type == TNS_PACKET_TYPE_REDIRECT:
             buf.read_uint16(&redirect_data_length)
-            buf.receive_packet(&self.packet_type)
+            buf.receive_packet(&self.packet_type, &self.packet_flags)
             buf.skip_raw_bytes(2)           # skip data flags
             redirect_data = buf._get_raw(redirect_data_length)
             self.redirect_data = \

src/oracledb/impl/thin/protocol.pyx

@@ -157,17 +157,16 @@ cdef class Protocol:
             if connect_message.packet_type == TNS_PACKET_TYPE_ACCEPT:
                 break
 
-            # for TCPS connections, OOB processing is not supported; if a
-            # wallet is required, the socket must be rewrapped in order to
-            # be usable; disable the check on the host name, however, as that
-            # has already been done successfully
+            # for TCPS connections, OOB processing is not supported; if the
+            # packet flags indicate that TLS renegotiation is required, this is
+            # performed now
             if address.protocol == "tcps":
                 self._caps.supports_oob = False
-                if description.wallet_location is not None:
+                if connect_message.packet_flags & TNS_PACKET_FLAG_TLS_RENEG:
                     ssl_context = self._socket.context
-                    ssl_context.check_hostname = False
                     sock = socket.socket(fileno=self._socket.detach())
-                    sock = ssl_context.wrap_socket(sock)
+                    sock = perform_tls_negotiation(sock, ssl_context,
+                                                   description, address)
                     self._set_socket(sock)
 
     cdef int _connect_phase_two(self, ThinConnImpl conn_impl,
@@ -306,7 +305,7 @@ cdef class Protocol:
 
     cdef int _receive_packet(self, Message message) except -1:
         cdef ReadBuffer buf = self._read_buf
-        buf.receive_packet(&message.packet_type)
+        buf.receive_packet(&message.packet_type, &message.packet_flags)
         if message.packet_type == TNS_PACKET_TYPE_MARKER:
             self._reset(message)
         elif message.packet_type == TNS_PACKET_TYPE_REFUSE:
@@ -342,15 +341,17 @@ cdef class Protocol:
                 self._read_buf.read_ub1(&marker_type)
                 if marker_type == TNS_MARKER_TYPE_RESET:
                     break
-            self._read_buf.receive_packet(&message.packet_type)
+            self._read_buf.receive_packet(&message.packet_type,
+                                          &message.packet_flags)
 
         # read error packet; first skip as many marker packets as may be sent
         # by the server; if the server doesn't handle out-of-band breaks
         # properly, some quit immediately and others send multiple reset
         # markers (this addresses both situations without resulting in strange
         # errors)
         while message.packet_type == TNS_PACKET_TYPE_MARKER:
-            self._read_buf.receive_packet(&message.packet_type)
+            self._read_buf.receive_packet(&message.packet_type,
+                                          &message.packet_flags)
         self._break_in_progress = False
 
     cdef int _send_marker(self, WriteBuffer buf, uint8_t marker_type):