path: root/manual/html_node/Re_002dauthentication.html

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<!-- This manual is last updated 4 March 2015 for version
3.5.3 of GnuTLS.

Copyright (C) 2001-2015 Free Software Foundation, Inc.\\
Copyright (C) 2001-2015 Nikos Mavrogiannopoulos

Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.3 or
any later version published by the Free Software Foundation; with no
Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.  A
copy of the license is included in the section entitled "GNU Free
Documentation License". -->
<!-- Created by GNU Texinfo 6.1, http://www.gnu.org/software/texinfo/ -->
<head>
<title>GnuTLS 3.5.3: Re-authentication</title>

<meta name="description" content="GnuTLS 3.5.3: Re-authentication">
<meta name="keywords" content="GnuTLS 3.5.3: Re-authentication">
<meta name="resource-type" content="document">
<meta name="distribution" content="global">
<meta name="Generator" content="makeinfo">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link href="index.html#Top" rel="start" title="Top">
<link href="Function-and-Data-Index.html#Function-and-Data-Index" rel="index" title="Function and Data Index">
<link href="index.html#SEC_Contents" rel="contents" title="Table of Contents">
<link href="Advanced-topics.html#Advanced-topics" rel="up" title="Advanced topics">
<link href="Parameter-generation.html#Parameter-generation" rel="next" title="Parameter generation">
<link href="Certificate-verification.html#Certificate-verification" rel="prev" title="Certificate verification">
<style type="text/css">
<!--
a.summary-letter {text-decoration: none}
blockquote.indentedblock {margin-right: 0em}
blockquote.smallindentedblock {margin-right: 0em; font-size: smaller}
blockquote.smallquotation {font-size: smaller}
div.display {margin-left: 3.2em}
div.example {margin-left: 3.2em}
div.lisp {margin-left: 3.2em}
div.smalldisplay {margin-left: 3.2em}
div.smallexample {margin-left: 3.2em}
div.smalllisp {margin-left: 3.2em}
kbd {font-style: oblique}
pre.display {font-family: inherit}
pre.format {font-family: inherit}
pre.menu-comment {font-family: serif}
pre.menu-preformatted {font-family: serif}
pre.smalldisplay {font-family: inherit; font-size: smaller}
pre.smallexample {font-size: smaller}
pre.smallformat {font-family: inherit; font-size: smaller}
pre.smalllisp {font-size: smaller}
span.nolinebreak {white-space: nowrap}
span.roman {font-family: initial; font-weight: normal}
span.sansserif {font-family: sans-serif; font-weight: normal}
ul.no-bullet {list-style: none}
body { 
	margin: 2%;
	padding: 0 5%;
	background: #ffffff;
}
h1,h2,h3,h4,h5 {
    font-weight: bold;
    padding: 5px 5px 5px 5px;
    background-color: #c2e0ff;
    color: #336699;
}
h1 {
    padding: 2em 2em 2em 5%;
    color: white;
    background: #336699;
    text-align: center;
    letter-spacing: 3px;
}
h2 { text-decoration: underline; }
pre {
  margin: 0 5%;
  padding: 0.5em;
}
pre.example,pre.verbatim {
  padding-bottom: 1em;

  border: solid #c2e0ff;
  background: #f0faff;
  border-width: 1px 1px 1px 5px;
  margin: 1em auto;
  width: 90%;
}

div.node {
  margin: 0 -5% 0 -2%;
  padding: 0.5em 0.5em;
  margin-top: 0.5em;
  margin-bottom: 0.5em;
  font-weight: bold;
}
dd, li {
  padding-top: 0.1em;
  padding-bottom: 0.1em;
}
div.float {

  margin-bottom: 0.5em;
  text-align: center;
}

table {
  text-align: left;
  margin-left:auto;
  margin-right:auto;
  border-spacing: 7px;
  width: 50%;
}

th {
  padding: 0;
  color: #336699;
  background-color: #c2e0ff;
  border: solid #000000;
  border-width: 0px;
  margin: 1em auto;
  text-align: center;
  margin-left:auto;
  margin-right:auto;
}

td {
  padding: 0;
  border: solid #000000;
  background-color: #f0faff;
  border-width: 0px;
  margin: 1em auto;
  text-align: left;
  margin-left:auto;
  margin-right:auto;
  padding-left: 1em;
}

dl {
  text-align: left;
  margin-left:auto;
  margin-right:auto;
  width: 50%;

  padding-left: 1em;
  border: solid #c2e0ff;
  background: #f0faff;
  border-width: 5px 1px 1px 1px;
  margin: 1em auto;
}

-->
</style>


</head>

<body lang="en">
<a name="Re_002dauthentication"></a>
<div class="header">
<p>
Next: <a href="Parameter-generation.html#Parameter-generation" accesskey="n" rel="next">Parameter generation</a>, Previous: <a href="Certificate-verification.html#Certificate-verification" accesskey="p" rel="prev">Certificate verification</a>, Up: <a href="Advanced-topics.html#Advanced-topics" accesskey="u" rel="up">Advanced topics</a> &nbsp; [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="Function-and-Data-Index.html#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
</div>
<hr>
<a name="Re_002dauthentication-1"></a>
<h4 class="subsection">6.12.3 Re-authentication</h4>
<a name="index-renegotiation-1"></a>
<a name="index-reauthentication"></a>

<p>In TLS there is no distinction between rekey, re-authentication, and re-negotiation.
All of these use cases are handled by the TLS&rsquo; rehandshake process. For that reason
in GnuTLS rehandshake is not transparent to the application, and the application
must explicitly take control of that process. In addition GnuTLS since version 3.5.0 will not
allow the peer to switch identities during a rehandshake.
The threat addressed by that behavior depends on the application protocol,
but primarily it protects applications from being misled
by a rehandshake which switches the peer&rsquo;s identity. Applications can
disable this protection by using the <code>GNUTLS_ALLOW_ID_CHANGE</code> flag in
<a href="Core-TLS-API.html#gnutls_005finit">gnutls_init</a>.
</p>
<p>The following paragraphs explain how to safely use the rehandshake process.
</p>
<a name="Client-side"></a>
<h4 class="subsubsection">6.12.3.1 Client side</h4>

<p>According to the TLS specification a client may initiate a rehandshake at any
time. That can be achieved by calling <a href="Core-TLS-API.html#gnutls_005fhandshake">gnutls_handshake</a> and rely on its
return value for the outcome of the handshake (the server may deny a rehandshake).
If a server requests a re-handshake, then a call to <a href="Core-TLS-API.html#gnutls_005frecord_005frecv">gnutls_record_recv</a> will
return GNUTLS_E_REHANDSHAKE in the client, instructing it to call <a href="Core-TLS-API.html#gnutls_005fhandshake">gnutls_handshake</a>.
To deny a rehandshake request by the server it is recommended to send a warning alert
of type GNUTLS_A_NO_RENEGOTIATION.
</p>
<p>Due to limitations of early protocol versions, it is required to check whether
safe renegotiation is in place, i.e., using <a href="Core-TLS-API.html#gnutls_005fsafe_005frenegotiation_005fstatus">gnutls_safe_renegotiation_status</a>,
which ensures that the server remains the same as the initial.
</p>




<dl>
<dt><a name="index-gnutls_005fsafe_005frenegotiation_005fstatus"></a>Function: <em>int</em> <strong>gnutls_safe_renegotiation_status</strong> <em>(gnutls_session_t <var>session</var>)</em></dt>
<dd><p><var>session</var>: is a <code>gnutls_session_t</code>  type.
</p>
<p>Can be used to check whether safe renegotiation is being used
in the current session.
</p>
<p><strong>Returns:</strong> 0 when safe renegotiation is not used and non (0) when
safe renegotiation is used.
</p>
<p><strong>Since:</strong> 2.10.0
</p></dd></dl>

<a name="Server-side"></a>
<h4 class="subsubsection">6.12.3.2 Server side</h4>

<p>A server which wants to instruct the client to re-authenticate, should call
<a href="Core-TLS-API.html#gnutls_005frehandshake">gnutls_rehandshake</a> and wait for the client to re-authenticate.
It is recommended to only request re-handshake when safe renegotiation is
enabled for that session (see <a href="Core-TLS-API.html#gnutls_005fsafe_005frenegotiation_005fstatus">gnutls_safe_renegotiation_status</a> and
the discussion in <a href="Safe-renegotiation.html#Safe-renegotiation">Safe renegotiation</a>).
</p>




<dl>
<dt><a name="index-gnutls_005frehandshake"></a>Function: <em>int</em> <strong>gnutls_rehandshake</strong> <em>(gnutls_session_t <var>session</var>)</em></dt>
<dd><p><var>session</var>: is a <code>gnutls_session_t</code>  type.
</p>
<p>This function will renegotiate security parameters with the
client.  This should only be called in case of a server.
</p>
<p>This message informs the peer that we want to renegotiate
parameters (perform a handshake).
</p>
<p>If this function succeeds (returns 0), you must call the
<code>gnutls_handshake()</code>  function in order to negotiate the new
parameters.
</p>
<p>Since TLS is full duplex some application data might have been
sent during peer&rsquo;s processing of this message. In that case
one should call <code>gnutls_record_recv()</code>  until GNUTLS_E_REHANDSHAKE
is returned to clear any pending data. Care must be taken, if
rehandshake is mandatory, to terminate if it does not start after
some threshold.
</p>
<p>If the client does not wish to renegotiate parameters he 
should reply with an alert message, thus the return code will be
<code>GNUTLS_E_WARNING_ALERT_RECEIVED</code>  and the alert will be
<code>GNUTLS_A_NO_RENEGOTIATION</code> .  A client may also choose to ignore
this message.
</p>
<p><strong>Returns:</strong> <code>GNUTLS_E_SUCCESS</code>  on success, otherwise a negative error code.
</p></dd></dl>

<hr>
<div class="header">
<p>
Next: <a href="Parameter-generation.html#Parameter-generation" accesskey="n" rel="next">Parameter generation</a>, Previous: <a href="Certificate-verification.html#Certificate-verification" accesskey="p" rel="prev">Certificate verification</a>, Up: <a href="Advanced-topics.html#Advanced-topics" accesskey="u" rel="up">Advanced topics</a> &nbsp; [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="Function-and-Data-Index.html#Function-and-Data-Index" title="Index" rel="index">Index</a>]</p>
</div>



</body>
</html>