Handle mutual authentication #36
Make certain that responses always pass through handle_other() to provide mutual authentication before returning them to the user.
If it's not clear, I don't have permission to merge this and it's a pretty bad security flaw. Can someone take a peek & merge if it's acceptable?
Handle mutual authentication
@mkomitee should we get a CVE identifier for this?
I have absolutely no idea what the process would be around that, or what kind of issues warrant one.
You said this is a security flaw. Can you explain what kind of security flaw it is?
It was explained in #35:
Users typically use Kerberos w/ HTTP to authenticate a client to a server, but it also allows the client to verify that the server is who it claims to be, much like SSL/TLS, but without encrypting the request in transit. This is called mutual authentication. In designing this library, I made sure that the client could declare its intention to require the server to authenticate successfully, and defaulted it to requiring it. This bug, however, prevented the mutual authentication code from being executed, so it's possible that users think they're talking to a trusted server, but they're not. It's similar to bugs that prevent clients from verifying the trust of a server's SSL certificate. ... with this fix in place we begin to behave as I originally intended: by default, the caller won't even receive a response from a server that fails mutual authentication. It's rather strict, so the fix may "break" "working code".
So I'm going to request a CVE. I'm just waiting to hear if I should wait for the identifier before cutting a new release or if I should just cut the release and request the identifier at the same time.
We were assigned CVE-2014-8650
Make certain that responses always pass through handle_other() to provide mutual
authentication before returning them to the user.
This fixes #35.
Since this is security related, once we get a few people to verify it doesn't break anything, we should cut a new release.
Note: It may cause requests which were succeeding to fail if users were requiring mutual authentication but servers weren't providing it.
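
An added example, not code from this pull request or from the library: a self-contained model of the behaviour described in the thread, where responses that skip the server check reach the caller and responses that pass through it are blocked by default when the server fails to authenticate. The function names, the sample responses and the HMAC standing in for the Kerberos token check are all assumptions made for illustration.

```python
import hashlib
import hmac

class MutualAuthenticationError(Exception):
    """The server did not prove its identity."""

# Constructed stand-in for the Kerberos/GSSAPI context. A real client passes the
# server's Negotiate token to its Kerberos library; an HMAC models that here.
SESSION_KEY = b"constructed-session-key"
CHALLENGE = b"constructed-client-challenge"

def server_token(key):
    return hmac.new(key, CHALLENGE, hashlib.sha256).hexdigest()

def server_proved_identity(response):
    """True only if the response carries a valid Negotiate token."""
    header = response["headers"].get("WWW-Authenticate", "")
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "negotiate" or not token:
        return False
    return hmac.compare_digest(token.strip(), server_token(SESSION_KEY))

def deliver_unchecked(response, require_mutual=True):
    """Model of the flaw: the response reaches the caller unverified."""
    return response

def deliver_checked(response, require_mutual=True):
    """Model of the fix: every response is verified before it is returned."""
    if require_mutual and not server_proved_identity(response):
        raise MutualAuthenticationError("server failed mutual authentication")
    return response

# Constructed sample responses (hypothetical, not captured traffic).
RESPONSES = {
    "genuine": {"status": 200, "headers": {"WWW-Authenticate": "Negotiate " + server_token(SESSION_KEY)}},
    "no_proof": {"status": 200, "headers": {}},
    "forged": {"status": 200, "headers": {"WWW-Authenticate": "Negotiate " + server_token(b"wrong-key")}},
}

def outcomes(deliver):
    """Report which sample responses a delivery function lets through."""
    result = {}
    for name, response in RESPONSES.items():
        try:
            deliver(response)
            result[name] = "delivered"
        except MutualAuthenticationError:
            result[name] = "blocked"
    return result
```

`outcomes(deliver_checked)` blocks `no_proof` as well as `forged`, which is the case the note above warns about: a server that never provided mutual authentication now fails for a client that requires it.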