nquic_stateless_reset (nquic v1.0.0)

View Source

Stateless reset token generation and detection per RFC 9000 Section 10.3.

Stateless reset allows an endpoint to terminate a connection when it has lost state. The token is an HMAC-SHA256 of the connection ID, truncated to 16 bytes. Reset packets look like short header packets to avoid identification.

Summary

Functions

build_packet(Token)

Build a stateless reset packet that looks like a short header packet.

detect/2

Check whether a packet is a stateless reset by comparing the last 16 bytes. Comparison is constant-time (RFC 9000 Section 10.3.1: "An endpoint MUST use a comparison that is constant-time with respect to the contents of the token") to avoid timing side channels.

generate_token(StaticKey, CID)

Generate a stateless reset token from a static key and connection ID.

Functions

build_packet(Token)

-spec build_packet(binary()) -> binary().

Build a stateless reset packet that looks like a short header packet.

detect/2

-spec detect(binary(), binary()) -> boolean().

Check whether a packet is a stateless reset by comparing the last 16 bytes. Comparison is constant-time (RFC 9000 Section 10.3.1: "An endpoint MUST use a comparison that is constant-time with respect to the contents of the token") to avoid timing side channels.

generate_token(StaticKey, CID)

-spec generate_token(binary(), binary()) -> binary().

Generate a stateless reset token from a static key and connection ID.