+ return srtp_crypt (s, buf, len);
+}
+
+
+/** AES-CM for RTCP (salt = 14 bytes + 2 nul bytes) */
+static int
+rtcp_crypt (gcry_cipher_hd_t hd, uint32_t ssrc, uint32_t index,
+ const uint32_t *salt, uint8_t *data, size_t len)
+{
+ return rtp_crypt (hd, ssrc, index >> 16, index & 0xffff, salt, data, len);
+}
+
+
+/** Message Authentication and Integrity for RTCP */
+static const uint8_t *
+rtcp_digest (gcry_md_hd_t md, const void *data, size_t len)
+{
+ gcry_md_reset (md);
+ gcry_md_write (md, data, len);
+ return gcry_md_read (md, 0);
+}
+
+
+/**
+ * Encrypts/decrypts a RTCP packet and updates SRTCP context
+ * (CTR block cypher mode of operation has identical encryption and
+ * decryption function).
+ *
+ * @param buf RTCP packet to be en-/decrypted
+ * @param len RTCP packet length
+ *
+ * @return 0 on success, in case of error:
+ * EINVAL malformatted RTCP packet
+ */
+static int srtcp_crypt (srtp_session_t *s, uint8_t *buf, size_t len)
+{
+ assert (s != NULL);
+
+ /* 8-bytes unencrypted header, and 4-bytes unencrypted footer */
+ if ((len < 12) || ((buf[0] >> 6) != 2))
+ return EINVAL;
+
+ uint32_t index = s->rtcp_index++;
+ if (index == 0x7fffffff)
+ s->rtcp_index = 0; /* 31-bit wrap */
+
+ if (s->flags & SRTCP_UNENCRYPTED)
+ return 0;
+
+ uint32_t ssrc;
+ memcpy (&ssrc, buf + 4, 4);
+
+ if (rtcp_crypt (s->rtcp.cipher, ssrc, index, s->rtp.salt,
+ buf + 8, len - 8))
+ return EINVAL;
+ return 0;
+}
+
+
+/**
+ * Turns a RTCP packet into a SRTCP packet: encrypt it, then computes
+ * the authentication tag and appends it.
+ *
+ * @param buf RTCP packet to be encrypted/digested
+ * @param lenp pointer to the RTCP packet length on entry,
+ * set to the SRTCP length on exit (undefined in case of error)
+ * @param bufsize size (bytes) of the packet buffer
+ *
+ * @return 0 on success, in case of error:
+ * EINVAL malformatted RTCP packet or internal error
+ * ENOSPC bufsize is too small (to add index and authentication tag)
+ */
+int
+srtcp_send (srtp_session_t *s, uint8_t *buf, size_t *lenp, size_t bufsize)
+{
+ size_t len = *lenp;
+ if (bufsize < (len + 4 + s->tag_len))
+ return ENOSPC;
+
+ uint32_t index = s->rtcp_index;
+ if ((s->flags & SRTCP_UNENCRYPTED) == 0)
+ index |= 0x80000000; /* Set Encrypted bit */
+ memcpy (buf + len, &(uint32_t){ htonl (index) }, 4);
+
+ int val = srtcp_crypt (s, buf, len);
+ if (val)
+ return val;
+
+ len += 4; /* Digest SRTCP index too */
+
+ const uint8_t *tag = rtcp_digest (s->rtp.mac, buf, len);
+ memcpy (buf + len, tag, s->tag_len);
+ *lenp = len + s->tag_len;
+ return 0;
+}
+
+
+/**
+ * Turns a SRTCP packet into a RTCP packet: authenticates the packet,
+ * then decrypts it.
+ *
+ * @param buf RTCP packet to be digested/decrypted
+ * @param lenp pointer to the SRTCP packet length on entry,
+ * set to the RTCP length on exit (undefined in case of error)
+ *
+ * @return 0 on success, in case of error:
+ * EINVAL malformatted SRTCP packet
+ * EACCES authentication failed (spoofed packet or out-of-sync)
+ */
+int
+srtcp_recv (srtp_session_t *s, uint8_t *buf, size_t *lenp)
+{
+ size_t len = *lenp;
+ /* FIXME: anti-replay ?? */
+
+ if (len < (4u + s->tag_len))
+ return EINVAL;
+ len -= s->tag_len;
+
+ const uint8_t *tag = rtcp_digest (s->rtp.mac, buf, len);
+ if (memcmp (buf + len, tag, s->tag_len))
+ return EACCES;
+
+ len -= 4; /* Remove SRTCP index befor decryption */
+ *lenp = len;