QUIC_STATELESS_RETRY_CONFIG structure
The structure used to configure the stateless retry feature.
Syntax
typedef struct QUIC_STATELESS_RETRY_CONFIG {
QUIC_AEAD_ALGORITHM_TYPE Algorithm;
uint32_t RotationMs;
uint32_t SecretLength;
_Field_size_bytes_(SecretLength)
const uint8_t* Secret;
} QUIC_STATELESS_RETRY_CONFIG;
Members
Algorithm
The AEAD algorithm used for protecting the retry token. Must be one of the following constants:
Constant | Key Length (bytes) |
---|---|
QUIC_AEAD_ALGORITHM_AES_128_GCM 0 |
16 |
QUIC_AEAD_ALGORITHM_AES_256_GCM 1 The default |
32 |
RotationMs
The interval to rotate the retry key. 30,000ms is the default. A token is valid for twice this interval. Zero is not allowed.
SecretLength
The length in bytes pointed to by Secret. Must match the key length of the chosen Algorithm
.
Secret
A non-NULL pointer to a buffer containing SecretLength
bytes of randomness. Used to generate the keys protecting the retry token.
Remarks
RotationMs
should be kept to a short interval, less than a minute, as retry tokens are returned immediately by clients.
Changing RotationMs
, Algorithm
, or Secret
will invalidate all retry tokens issued prior to the change.
All servers deployed in a cluster and sharing the secret must have their clocks synchronized within RotationMs
of UTC.
A server whose clock is ahead of UTC may produce a retry token that other servers in that deployment are unable to validate.