+ return srtp_crypt (s, buf, len);
+}
+
+
+/** AES-CM for RTCP (salt = 14 bytes + 2 nul bytes) */
+static int
+rtcp_crypt (gcry_cipher_hd_t hd, uint32_t ssrc, uint32_t index,
+ const uint32_t *salt, uint8_t *data, size_t len)
+{
+ return rtp_crypt (hd, ssrc, index >> 16, index & 0xffff, salt, data, len);
+}
+
+
+/** Message Authentication and Integrity for RTCP */
+static const uint8_t *
+rtcp_digest (gcry_md_hd_t md, const void *data, size_t len)
+{
+ gcry_md_reset (md);
+ gcry_md_write (md, data, len);
+ return gcry_md_read (md, 0);
+}
+
+
+/**
+ * Encrypts/decrypts a RTCP packet and updates SRTCP context
+ * (CTR block cypher mode of operation has identical encryption and
+ * decryption function).
+ *
+ * @param buf RTCP packet to be en-/decrypted
+ * @param len RTCP packet length
+ *
+ * @return 0 on success, in case of error:
+ * EINVAL malformatted RTCP packet
+ */
+static int srtcp_crypt (srtp_session_t *s, uint8_t *buf, size_t len)
+{
+ assert (s != NULL);
+
+ /* 8-bytes unencrypted header, and 4-bytes unencrypted footer */
+ if ((len < 12) || ((buf[0] >> 6) != 2))
+ return EINVAL;
+
+ uint32_t index;
+ memcpy (&index, buf + len, 4);
+ index = ntohl (index);
+ if (((index >> 31) != 0) != ((s->flags & SRTCP_UNENCRYPTED) == 0))
+ return EINVAL; // E-bit mismatch
+
+ index &= ~(1 << 31); // clear E-bit for counter
+
+ /* Updates SRTCP index (safe here) */
+ int32_t diff = index - s->rtcp_index;
+ if (diff > 0)
+ {
+ /* Packet in the future, good */
+ s->rtcp.window = s->rtcp.window << diff;
+ s->rtcp.window |= 1;
+ s->rtcp_index = index;
+ }
+ else
+ {
+ /* Packet in the past/present, bad */
+ diff = -diff;
+ if ((diff >= 64) || ((s->rtcp.window >> diff) & 1))
+ return EACCES; // replay attack!
+ s->rtp.window |= 1 << diff;
+ }
+
+ /* Crypts SRTCP */
+ if (s->flags & SRTCP_UNENCRYPTED)
+ return 0;
+
+ uint32_t ssrc;
+ memcpy (&ssrc, buf + 4, 4);
+
+ if (rtcp_crypt (s->rtcp.cipher, ssrc, index, s->rtp.salt,
+ buf + 8, len - 8))
+ return EINVAL;
+ return 0;
+}
+
+
+/**
+ * Turns a RTCP packet into a SRTCP packet: encrypt it, then computes
+ * the authentication tag and appends it.
+ *
+ * @param buf RTCP packet to be encrypted/digested
+ * @param lenp pointer to the RTCP packet length on entry,
+ * set to the SRTCP length on exit (undefined in case of error)
+ * @param bufsize size (bytes) of the packet buffer
+ *
+ * @return 0 on success, in case of error:
+ * EINVAL malformatted RTCP packet or internal error
+ * ENOSPC bufsize is too small (to add index and authentication tag)
+ */
+int
+srtcp_send (srtp_session_t *s, uint8_t *buf, size_t *lenp, size_t bufsize)
+{
+ size_t len = *lenp;
+ if (bufsize < (len + 4 + s->tag_len))
+ return ENOSPC;
+
+ uint32_t index = ++s->rtcp_index;
+ if (index >> 31)
+ s->rtcp_index = index = 0; /* 31-bit wrap */
+
+ if ((s->flags & SRTCP_UNENCRYPTED) == 0)
+ index |= 0x80000000; /* Set Encrypted bit */
+ memcpy (buf + len, &(uint32_t){ htonl (index) }, 4);
+
+ int val = srtcp_crypt (s, buf, len);
+ if (val)
+ return val;
+
+ len += 4; /* Digests SRTCP index too */
+
+ const uint8_t *tag = rtcp_digest (s->rtp.mac, buf, len);
+ memcpy (buf + len, tag, s->tag_len);
+ *lenp = len + s->tag_len;
+ return 0;
+}
+
+
+/**
+ * Turns a SRTCP packet into a RTCP packet: authenticates the packet,
+ * then decrypts it.
+ *
+ * @param buf RTCP packet to be digested/decrypted
+ * @param lenp pointer to the SRTCP packet length on entry,
+ * set to the RTCP length on exit (undefined in case of error)
+ *
+ * @return 0 on success, in case of error:
+ * EINVAL malformatted SRTCP packet
+ * EACCES authentication failed (spoofed packet or out-of-sync)
+ */
+int
+srtcp_recv (srtp_session_t *s, uint8_t *buf, size_t *lenp)
+{
+ size_t len = *lenp;
+
+ if (len < (4u + s->tag_len))
+ return EINVAL;
+ len -= s->tag_len;
+
+ const uint8_t *tag = rtcp_digest (s->rtp.mac, buf, len);
+ if (memcmp (buf + len, tag, s->tag_len))
+ return EACCES;