@@ -45,6 +45,48 @@ Changing `RotationMs`, `Algorithm`, or `Secret` will invalidate all retry tokens
45
45
All servers deployed in a cluster and sharing the secret must have their clocks synchronized within `RotationMs` of UTC.
46
46
A server whose clock is ahead of UTC may produce a retry token that other servers in that deployment are unable to validate.
47
47
48
+
## Stateless Retry key Generation Algorithm
49
+
50
+
The stateless retry key is generated from the above configuration parameters using the [SP800-108 rev. 1 CTR-HMAC KDF](https://csrc.nist.gov/pubs/sp/800/108/r1/upd1/final) algorithm with SHA256.
51
+
Where:
52
+
53
+
*K_in* is the `Secret` provided above.
54
+
55
+
*Label* is the string "QUIC Stateless Retry Key" without the terminating NULL character.
56
+
57
+
*Context* is the UNIX epoch timestamp in milliseconds, as an 8-byte signed integer in little-endian format, divided by `RotationMs`, rounded down.
58
+
59
+
*L* is the same as the key length for the `Algorithm`.
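Review bot: the *Context* definition in this hunk is ambiguous about the order of operations. As written, "the UNIX epoch timestamp in milliseconds, as an 8-byte signed integer in little-endian format, divided by `RotationMs`, rounded down" can be read as dividing the already-encoded value; suggest stating the arithmetic first and the encoding second, e.g. "the UNIX epoch time in milliseconds divided by `RotationMs` and rounded down, encoded as an 8-byte signed little-endian integer". Two related gaps an implementer of the SP 800-108 CTR-HMAC KDF would need closed: the encoding of the counter *i* and of the length field (width and byte order) is not specified anywhere in the new section, and "*L* is the same as the key length for the `Algorithm`" does not say whether that length is in bits (as in the standard) or in bytes, which changes the derived key. Minor: the heading "## Stateless Retry key Generation Algorithm" has inconsistent capitalization ("key"), and "SHA256" is conventionally written "SHA-256".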