Fixed bug validating the database host during connection.

Author: anthony-tuininga

doc/src/release_notes.rst

@@ -23,6 +23,7 @@ Thin Mode Changes
     types :attr:`oracledb.DB_TYPE_TIMESTAMP`,
     :attr:`oracledb.DB_TYPE_TIMESTAMP_TZ` and
     :attr:`oracledb.DB_TYPE_TIMESTAMP_LTZ`.
+#)  Fixed bug validating the database host during connection.
 #)  Internal change: refactor encoding of Oracle data types.
 #)  Internal change: small performance improvement sending bytes on the
     network transport.

src/oracledb/errors.py

@@ -363,6 +363,7 @@ def _raise_not_supported(feature: str) -> None:
 ERR_INVALID_SSL_VERSION = 4032
 ERR_EXCEEDED_IDLE_TIME = 4033
 ERR_INVALID_PASSWORD_TYPE = 4034
+ERR_INVALID_SERVER_RESPONSE = 4035
 
 # error numbers that result in InternalError
 ERR_MESSAGE_TYPE_UNKNOWN = 5000
@@ -674,6 +675,9 @@ def _raise_not_supported(feature: str) -> None:
         "The name on the server certificate does not match the expected "
         'value: "{expected_name}"'
     ),
+    ERR_INVALID_SERVER_RESPONSE: (
+        "invalid server response to connection request"
+    ),
     ERR_INVALID_SERVER_TYPE: "invalid server_type: {server_type}",
     ERR_INVALID_SERVICE_NAME: (
         'Service "{service_name}" is not registered with the listener at '

src/oracledb/impl/thin/capabilities.pyx

@@ -106,7 +106,8 @@ cdef class Capabilities:
                 TNS_CCAP_O7LOGON | TNS_CCAP_O8LOGON_LONG_IDENTIFIER | \
                 TNS_CCAP_O9LOGON_LONG_PASSWORD
         self.compile_caps[TNS_CCAP_FEATURE_BACKPORT] = \
-                TNS_CCAP_CTB_IMPLICIT_POOL
+                TNS_CCAP_CTB_IMPLICIT_POOL | \
+                TNS_CCAP_CTB_OAUTH_MSG_ON_ERR
         self.compile_caps[TNS_CCAP_FIELD_VERSION] = self.ttc_field_version
         self.compile_caps[TNS_CCAP_SERVER_DEFINE_CONV] = 1
         self.compile_caps[TNS_CCAP_DEQUEUE_WITH_SELECTOR] = 1

src/oracledb/impl/thin/constants.pxi

@@ -455,6 +455,7 @@ cdef enum:
     TNS_CCAP_O8LOGON_LONG_IDENTIFIER = 64
     TNS_CCAP_O9LOGON_LONG_PASSWORD = 0x80
     TNS_CCAP_CTB_IMPLICIT_POOL = 0x08
+    TNS_CCAP_CTB_OAUTH_MSG_ON_ERR = 0x10
     TNS_CCAP_END_OF_CALL_STATUS = 0x01
     TNS_CCAP_IND_RCD = 0x08
     TNS_CCAP_FAST_BVEC = 0x20

src/oracledb/impl/thin/messages/auth.pyx

@@ -206,6 +206,7 @@ cdef class AuthMessage(Message):
 
     cdef int _process_return_parameters(self, ReadBuffer buf) except -1:
         cdef:
+            bytes encoded_response, response
             uint16_t num_params, i
             str key, value
         buf.read_ub2(&num_params)
@@ -222,26 +223,15 @@ cdef class AuthMessage(Message):
         if self.function_code == TNS_FUNC_AUTH_PHASE_ONE:
             self.function_code = TNS_FUNC_AUTH_PHASE_TWO
         elif not self.change_password:
-            self.conn_impl._session_id = \
-                    <uint32_t> int(self.session_data["AUTH_SESSION_ID"])
-            self.conn_impl._serial_num = \
-                    <uint16_t> int(self.session_data["AUTH_SERIAL_NUM"])
-            self.conn_impl._db_domain = \
-                    self.session_data.get("AUTH_SC_DB_DOMAIN")
-            self.conn_impl._db_name = \
-                    self.session_data.get("AUTH_SC_DBUNIQUE_NAME")
-            self.conn_impl._max_open_cursors = \
-                    int(self.session_data.get("AUTH_MAX_OPEN_CURSORS", 0))
-            self.conn_impl._service_name = \
-                    self.session_data.get("AUTH_SC_SERVICE_NAME")
-            self.conn_impl._instance_name = \
-                    self.session_data.get("AUTH_INSTANCENAME")
-            self.conn_impl._max_identifier_length = \
-                    int(self.session_data.get("AUTH_MAX_IDEN_LENGTH", 30))
-            self.conn_impl.server_version = self._get_version_tuple(buf)
-            self.conn_impl.supports_bool = \
-                    buf._caps.ttc_field_version >= TNS_CCAP_FIELD_VERSION_23_1
-            self.conn_impl._edition = self.edition
+            response = None
+            value = self.session_data.get("AUTH_SVR_RESPONSE")
+            if value is not None:
+                encoded_response = bytes.fromhex(value)
+                response = decrypt_cbc(
+                    self.conn_impl._combo_key, encoded_response
+                )
+            if response is None or response[16:32] != b"SERVER_TO_CLIENT":
+                errors._raise_err(errors.ERR_INVALID_SERVER_RESPONSE)
 
     cdef int _set_params(self, ConnectParamsImpl params,
                          Description description) except -1:

src/oracledb/impl/thin/protocol.pyx

@@ -176,8 +176,27 @@ cdef class BaseProtocol:
         the packet may indicate EOF for the initial connection that is
         established.
         """
+        cdef:
+            dict session_data = auth_message.session_data
+            ReadBuffer buf = self._read_buf
+        conn_impl._session_id = \
+                <uint32_t> int(session_data["AUTH_SESSION_ID"])
+        conn_impl._serial_num = \
+                <uint16_t> int(session_data["AUTH_SERIAL_NUM"])
+        conn_impl._db_domain = session_data.get("AUTH_SC_DB_DOMAIN")
+        conn_impl._db_name = session_data.get("AUTH_SC_DBUNIQUE_NAME")
+        conn_impl._max_open_cursors = \
+                int(session_data.get("AUTH_MAX_OPEN_CURSORS", 0))
+        conn_impl._service_name = session_data.get("AUTH_SC_SERVICE_NAME")
+        conn_impl._instance_name = session_data.get("AUTH_INSTANCENAME")
+        conn_impl._max_identifier_length = \
+                int(session_data.get("AUTH_MAX_IDEN_LENGTH", 30))
+        conn_impl.server_version = auth_message._get_version_tuple(buf)
+        conn_impl.supports_bool = \
+                buf._caps.ttc_field_version >= TNS_CCAP_FIELD_VERSION_23_1
+        conn_impl._edition = auth_message.edition
         conn_impl.warning = auth_message.warning
-        self._read_buf._pending_error_num = 0
+        buf._pending_error_num = 0
         self._in_connect = False
 
     cdef int _send_marker(self, WriteBuffer buf, uint8_t marker_type):