@agentdance/node-webrtc-srtp 1.0.0

package/dist/protect.js

@@ -0,0 +1,129 @@
+import { ProtectionProfile } from './types.js';
+import { aes128cmKeystream, computeSrtpIv, computeSrtcpIv } from './cipher.js';
+import { computeSrtpAuthTag, computeSrtcpAuthTag } from './auth.js';
+import { gcmSrtpProtect } from './gcm.js';
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+/** Number of authentication-tag bytes for a given profile. */
+function tagLength(profile) {
+    return profile === ProtectionProfile.AES_128_CM_HMAC_SHA1_32 ? 4 : 10;
+}
+/** Parse the minimum fixed RTP header fields we need. */
+function parseRtpHeader(pkt) {
+    if (pkt.length < 12)
+        throw new RangeError('RTP packet too short (< 12 bytes)');
+    const cc = pkt[0] & 0x0f;
+    const x = (pkt[0] & 0x10) !== 0;
+    let headerLen = 12 + cc * 4;
+    if (x) {
+        if (pkt.length < headerLen + 4)
+            throw new RangeError('RTP extension header truncated');
+        const extLen = pkt.readUInt16BE(headerLen + 2);
+        headerLen += 4 + extLen * 4;
+    }
+    return {
+        seq: pkt.readUInt16BE(2),
+        ssrc: pkt.readUInt32BE(8),
+        headerLen,
+    };
+}
+/** Parse the minimum fixed RTCP header fields. */
+function parseRtcpHeader(pkt) {
+    if (pkt.length < 8)
+        throw new RangeError('RTCP packet too short (< 8 bytes)');
+    return { ssrc: pkt.readUInt32BE(4) };
+}
+/**
+ * Advance the packet index (and ROC) for a sender-side protect call.
+ * The index increments monotonically; ROC increments whenever the 16-bit
+ * sequence counter wraps.
+ */
+function nextSrtpIndex(ctx, seq) {
+    if (ctx.lastSeq === -1) {
+        // First packet
+        return BigInt(ctx.rolloverCounter) << 16n | BigInt(seq);
+    }
+    const roc = BigInt(ctx.rolloverCounter);
+    const lastSeq = ctx.lastSeq;
+    // Detect forward wrap-around (65535 → 0)
+    if (seq < lastSeq && lastSeq - seq > 0x8000) {
+        return (roc + 1n) << 16n | BigInt(seq);
+    }
+    return roc << 16n | BigInt(seq);
+}
+// ---------------------------------------------------------------------------
+// SRTP protect (RFC 3711 §3.1)
+// ---------------------------------------------------------------------------
+/**
+ * Protect (encrypt + authenticate) an RTP packet.
+ *
+ * Output layout:
+ *   RTP Header (unchanged) | Encrypted Payload | Auth Tag (10 or 4 bytes)
+ *
+ * GCM profiles are handled by delegating to `gcmSrtpProtect`.
+ */
+export function srtpProtect(ctx, rtpPacket) {
+    if (ctx.profile === ProtectionProfile.AES_128_GCM ||
+        ctx.profile === ProtectionProfile.AES_256_GCM) {
+        return gcmSrtpProtect(ctx, rtpPacket);
+    }
+    const { seq, ssrc, headerLen } = parseRtpHeader(rtpPacket);
+    const index = nextSrtpIndex(ctx, seq);
+    const header = rtpPacket.subarray(0, headerLen);
+    const payload = rtpPacket.subarray(headerLen);
+    // 1. Encrypt the payload with AES-128-CM
+    const iv = computeSrtpIv(ctx.sessionSaltKey, ssrc, index);
+    const keystream = aes128cmKeystream(ctx.sessionEncKey, iv, payload.length);
+    const encryptedPayload = Buffer.allocUnsafe(payload.length);
+    for (let i = 0; i < payload.length; i++) {
+        encryptedPayload[i] = payload[i] ^ keystream[i];
+    }
+    // 2. Compute HMAC-SHA1 auth tag over header || encrypted_payload || ROC
+    const roc = Number(index >> 16n) >>> 0;
+    const tag = computeSrtpAuthTag(ctx.sessionAuthKey, header, encryptedPayload, roc, tagLength(ctx.profile));
+    // 3. Update context state
+    ctx.index = index;
+    ctx.rolloverCounter = roc;
+    ctx.lastSeq = seq;
+    return Buffer.concat([header, encryptedPayload, tag]);
+}
+// ---------------------------------------------------------------------------
+// SRTCP protect (RFC 3711 §3.4)
+// ---------------------------------------------------------------------------
+/**
+ * Protect (encrypt + authenticate) an RTCP packet.
+ *
+ * Output layout:
+ *   RTCP Header (8 bytes, unencrypted) |
+ *   Encrypted Remainder |
+ *   E (1 bit, always 1) | SRTCP Index (31 bits) |
+ *   Auth Tag (10 bytes)
+ */
+export function srtcpProtect(ctx, rtcpPacket) {
+    if (rtcpPacket.length < 8)
+        throw new RangeError('RTCP packet too short');
+    const { ssrc } = parseRtcpHeader(rtcpPacket);
+    // Increment and clamp to 31 bits
+    const index = (ctx.index + 1) & 0x7fffffff;
+    ctx.index = index;
+    // First 8 bytes of RTCP are left unencrypted (fixed header).
+    const header = rtcpPacket.subarray(0, 8);
+    const rest = rtcpPacket.subarray(8);
+    // Encrypt the rest with AES-128-CM
+    const iv = computeSrtcpIv(ctx.sessionSaltKey, ssrc, index);
+    const keystream = aes128cmKeystream(ctx.sessionEncKey, iv, rest.length);
+    const encrypted = Buffer.allocUnsafe(rest.length);
+    for (let i = 0; i < rest.length; i++) {
+        encrypted[i] = rest[i] ^ keystream[i];
+    }
+    // Build E || SRTCP_index word (E=1 means packet is encrypted)
+    const eSrtcpIndex = 0x80000000 | (index & 0x7fffffff);
+    const indexBuf = Buffer.allocUnsafe(4);
+    indexBuf.writeUInt32BE(eSrtcpIndex >>> 0, 0);
+    // Auth tag covers: header || encrypted_rest || E_SRTCP_index
+    const packetForAuth = Buffer.concat([header, encrypted]);
+    const tag = computeSrtcpAuthTag(ctx.sessionAuthKey, packetForAuth, eSrtcpIndex, tagLength(ctx.profile));
+    return Buffer.concat([header, encrypted, indexBuf, tag]);
+}
+//# sourceMappingURL=protect.js.map

package/dist/protect.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"protect.js","sourceRoot":"","sources":["../src/protect.ts"],"names":[],"mappings":"AAAA,OAAO,EAA6B,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAC1E,OAAO,EAAE,iBAAiB,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC/E,OAAO,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC;AACpE,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAE1C,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,8DAA8D;AAC9D,SAAS,SAAS,CAAC,OAA0B;IAC3C,OAAO,OAAO,KAAK,iBAAiB,CAAC,uBAAuB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;AACxE,CAAC;AAED,yDAAyD;AACzD,SAAS,cAAc,CAAC,GAAW;IACjC,IAAI,GAAG,CAAC,MAAM,GAAG,EAAE;QAAE,MAAM,IAAI,UAAU,CAAC,mCAAmC,CAAC,CAAC;IAC/E,MAAM,EAAE,GAAG,GAAG,CAAC,CAAC,CAAE,GAAG,IAAI,CAAC;IAC1B,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAE,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC;IACjC,IAAI,SAAS,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;IAC5B,IAAI,CAAC,EAAE,CAAC;QACN,IAAI,GAAG,CAAC,MAAM,GAAG,SAAS,GAAG,CAAC;YAAE,MAAM,IAAI,UAAU,CAAC,gCAAgC,CAAC,CAAC;QACvF,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC;QAC/C,SAAS,IAAI,CAAC,GAAG,MAAM,GAAG,CAAC,CAAC;IAC9B,CAAC;IACD,OAAO;QACL,GAAG,EAAE,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC;QACxB,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC;QACzB,SAAS;KACV,CAAC;AACJ,CAAC;AAED,kDAAkD;AAClD,SAAS,eAAe,CAAC,GAAW;IAClC,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC;QAAE,MAAM,IAAI,UAAU,CAAC,mCAAmC,CAAC,CAAC;IAC9E,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,CAAC;AACvC,CAAC;AAED;;;;GAIG;AACH,SAAS,aAAa,CAAC,GAAgB,EAAE,GAAW;IAClD,IAAI,GAAG,CAAC,OAAO,KAAK,CAAC,CAAC,EAAE,CAAC;QACvB,eAAe;QACf,OAAO,MAAM,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;IAC1D,CAAC;IACD,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IACxC,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC;IAE5B,yCAAyC;IACzC,IAAI,GAAG,GAAG,OAAO,IAAI,OAAO,GAAG,GAAG,GAAG,MAAM,EAAE,CAAC;QAC5C,OAAO,CAAC,GAAG,GAAG,EAAE,CAAC,IAAI,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;IACzC,CAAC;IACD,OAAO,GAAG,IAAI,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;AAClC,CAAC;AAED,8EAA8E;AAC9E,+BAA+B;AAC/B,8EAA8E;AAE9E;;;;;;;GAOG;AACH,MAAM,UAAU,WAAW,CAAC,GAAgB,EAAE,SAAiB;IAC7D,IACE,GAAG,CAAC,OAAO,KAAK,iBAAiB,CAAC,WAAW;QAC7C,GAAG,CAAC,OAAO,KAAK,iBAAiB,CAAC,WAAW,EAC7C,CAAC;QACD,OAAO,cAAc,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;IACxC,CAAC;IAED,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,cAAc,CAAC,SAAS,CAAC,CAAC;IAC3D,MAAM,KAAK,GAAG,aAAa,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAEtC,MAAM,MAAM,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;IAChD,MAAM,OAAO,GAAG,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;IAE9C,yCAAyC;IACzC,MAAM,EAAE,GAAG,aAAa,CAAC,GAAG,CAAC,cAAc,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;IAC1D,MAAM,SAAS,GAAG,iBAAiB,CAAC,GAAG,CAAC,aAAa,EAAE,EAAE,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;IAC3E,MAAM,gBAAgB,GAAG,MAAM,CAAC,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAC5D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACxC,gBAAgB,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAE,GAAG,SAAS,CAAC,CAAC,CAAE,CAAC;IACpD,CAAC;IAED,wEAAwE;IACxE,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;IACvC,MAAM,GAAG,GAAG,kBAAkB,CAC5B,GAAG,CAAC,cAAc,EAClB,MAAM,EACN,gBAAgB,EAChB,GAAG,EACH,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,CACvB,CAAC;IAEF,0BAA0B;IAC1B,GAAG,CAAC,KAAK,GAAG,KAAK,CAAC;IAClB,GAAG,CAAC,eAAe,GAAG,GAAG,CAAC;IAC1B,GAAG,CAAC,OAAO,GAAG,GAAG,CAAC;IAElB,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,gBAAgB,EAAE,GAAG,CAAC,CAAC,CAAC;AACxD,CAAC;AAED,8EAA8E;AAC9E,gCAAgC;AAChC,8EAA8E;AAE9E;;;;;;;;GAQG;AACH,MAAM,UAAU,YAAY,CAAC,GAAiB,EAAE,UAAkB;IAChE,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC;QAAE,MAAM,IAAI,UAAU,CAAC,uBAAuB,CAAC,CAAC;IAEzE,MAAM,EAAE,IAAI,EAAE,GAAG,eAAe,CAAC,UAAU,CAAC,CAAC;IAE7C,iCAAiC;IACjC,MAAM,KAAK,GAAG,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,CAAC,GAAG,UAAU,CAAC;IAC3C,GAAG,CAAC,KAAK,GAAG,KAAK,CAAC;IAElB,6DAA6D;IAC7D,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACzC,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;IAEpC,mCAAmC;IACnC,MAAM,EAAE,GAAG,cAAc,CAAC,GAAG,CAAC,cAAc,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;IAC3D,MAAM,SAAS,GAAG,iBAAiB,CAAC,GAAG,CAAC,aAAa,EAAE,EAAE,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;IACxE,MAAM,SAAS,GAAG,MAAM,CAAC,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAClD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,SAAS,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,CAAE,GAAG,SAAS,CAAC,CAAC,CAAE,CAAC;IAC1C,CAAC;IAED,8DAA8D;IAC9D,MAAM,WAAW,GAAG,UAAU,GAAG,CAAC,KAAK,GAAG,UAAU,CAAC,CAAC;IACtD,MAAM,QAAQ,GAAG,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC;IACvC,QAAQ,CAAC,aAAa,CAAC,WAAW,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC;IAE7C,6DAA6D;IAC7D,MAAM,aAAa,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC,CAAC;IACzD,MAAM,GAAG,GAAG,mBAAmB,CAC7B,GAAG,CAAC,cAAc,EAClB,aAAa,EACb,WAAW,EACX,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,CACvB,CAAC;IAEF,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,SAAS,EAAE,QAAQ,EAAE,GAAG,CAAC,CAAC,CAAC;AAC3D,CAAC"}

package/dist/replay.d.ts

@@ -0,0 +1,22 @@
+/**
+ * RFC 3711 Section 3.3.2 – Sliding window replay protection.
+ * The window tracks the highest received index and a bitmask of the
+ * WINDOW_SIZE packets below it.
+ */
+export declare class ReplayWindow {
+    private top;
+    private bitmask;
+    private readonly windowSize;
+    constructor(windowSize?: bigint);
+    /**
+     * Returns true if the packet index is acceptable (not replayed, inside window
+     * or ahead of it).
+     */
+    check(index: bigint): boolean;
+    /**
+     * Mark index as received and advance the window top if necessary.
+     * Must only be called after a successful auth-tag check.
+     */
+    update(index: bigint): void;
+}
+//# sourceMappingURL=replay.d.ts.map

package/dist/replay.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"replay.d.ts","sourceRoot":"","sources":["../src/replay.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,qBAAa,YAAY;IACvB,OAAO,CAAC,GAAG,CAAe;IAC1B,OAAO,CAAC,OAAO,CAAc;IAC7B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;gBAExB,UAAU,GAAE,MAAY;IAIpC;;;OAGG;IACH,KAAK,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAmB7B;;;OAGG;IACH,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;CAe5B"}

package/dist/replay.js

@@ -0,0 +1,56 @@
+/**
+ * RFC 3711 Section 3.3.2 – Sliding window replay protection.
+ * The window tracks the highest received index and a bitmask of the
+ * WINDOW_SIZE packets below it.
+ */
+export class ReplayWindow {
+    top = -1n;
+    bitmask = 0n;
+    windowSize;
+    constructor(windowSize = 64n) {
+        this.windowSize = windowSize;
+    }
+    /**
+     * Returns true if the packet index is acceptable (not replayed, inside window
+     * or ahead of it).
+     */
+    check(index) {
+        if (this.top === -1n) {
+            // Window not yet initialised – accept any packet.
+            return true;
+        }
+        if (index > this.top) {
+            // Ahead of the window – always accept.
+            return true;
+        }
+        const diff = this.top - index;
+        if (diff >= this.windowSize) {
+            // Too old – outside the window.
+            return false;
+        }
+        // Inside the window – accept only if not already seen.
+        const bit = 1n << diff;
+        return (this.bitmask & bit) === 0n;
+    }
+    /**
+     * Mark index as received and advance the window top if necessary.
+     * Must only be called after a successful auth-tag check.
+     */
+    update(index) {
+        if (index > this.top) {
+            // Advance the window.
+            const shift = index - this.top;
+            this.bitmask = (this.bitmask << shift) | 1n;
+            this.top = index;
+        }
+        else {
+            const diff = this.top - index;
+            const bit = 1n << diff;
+            this.bitmask |= bit;
+        }
+        // Keep bitmask bounded to windowSize bits.
+        const mask = (1n << this.windowSize) - 1n;
+        this.bitmask &= mask;
+    }
+}
+//# sourceMappingURL=replay.js.map

package/dist/replay.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"replay.js","sourceRoot":"","sources":["../src/replay.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,MAAM,OAAO,YAAY;IACf,GAAG,GAAW,CAAC,EAAE,CAAC;IAClB,OAAO,GAAW,EAAE,CAAC;IACZ,UAAU,CAAS;IAEpC,YAAY,aAAqB,GAAG;QAClC,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IAC/B,CAAC;IAED;;;OAGG;IACH,KAAK,CAAC,KAAa;QACjB,IAAI,IAAI,CAAC,GAAG,KAAK,CAAC,EAAE,EAAE,CAAC;YACrB,kDAAkD;YAClD,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACrB,uCAAuC;YACvC,OAAO,IAAI,CAAC;QACd,CAAC;QACD,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,GAAG,KAAK,CAAC;QAC9B,IAAI,IAAI,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YAC5B,gCAAgC;YAChC,OAAO,KAAK,CAAC;QACf,CAAC;QACD,uDAAuD;QACvD,MAAM,GAAG,GAAG,EAAE,IAAI,IAAI,CAAC;QACvB,OAAO,CAAC,IAAI,CAAC,OAAO,GAAG,GAAG,CAAC,KAAK,EAAE,CAAC;IACrC,CAAC;IAED;;;OAGG;IACH,MAAM,CAAC,KAAa;QAClB,IAAI,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACrB,sBAAsB;YACtB,MAAM,KAAK,GAAG,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC;YAC/B,IAAI,CAAC,OAAO,GAAG,CAAC,IAAI,CAAC,OAAO,IAAI,KAAK,CAAC,GAAG,EAAE,CAAC;YAC5C,IAAI,CAAC,GAAG,GAAG,KAAK,CAAC;QACnB,CAAC;aAAM,CAAC;YACN,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,GAAG,KAAK,CAAC;YAC9B,MAAM,GAAG,GAAG,EAAE,IAAI,IAAI,CAAC;YACvB,IAAI,CAAC,OAAO,IAAI,GAAG,CAAC;QACtB,CAAC;QACD,2CAA2C;QAC3C,MAAM,IAAI,GAAG,CAAC,EAAE,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC;QAC1C,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC;IACvB,CAAC;CACF"}

package/dist/types.d.ts

@@ -0,0 +1,40 @@
+import { ReplayWindow } from './replay.js';
+export declare enum ProtectionProfile {
+    AES_128_CM_HMAC_SHA1_80 = 1,
+    AES_128_CM_HMAC_SHA1_32 = 2,
+    AES_128_GCM = 7,
+    AES_256_GCM = 8
+}
+export interface SrtpKeyingMaterial {
+    /** 16 bytes for AES-128 profiles; 32 bytes for AES-256 */
+    masterKey: Buffer;
+    /** 14 bytes */
+    masterSalt: Buffer;
+    profile: ProtectionProfile;
+}
+export interface SrtpContext {
+    profile: ProtectionProfile;
+    /** AES session encryption key */
+    sessionEncKey: Buffer;
+    /** HMAC-SHA1 authentication key – 20 bytes */
+    sessionAuthKey: Buffer;
+    /** 14-byte session salt used to compute the IV */
+    sessionSaltKey: Buffer;
+    /** Full 48-bit packet index: (ROC << 16) | SEQ */
+    index: bigint;
+    /** Roll-Over Counter */
+    rolloverCounter: number;
+    /** Last observed RTP sequence number */
+    lastSeq: number;
+    replayWindow: ReplayWindow;
+}
+export interface SrtcpContext {
+    profile: ProtectionProfile;
+    sessionEncKey: Buffer;
+    sessionAuthKey: Buffer;
+    sessionSaltKey: Buffer;
+    /** 31-bit SRTCP packet index (starts at 1 on first protect call) */
+    index: number;
+    replayWindow: ReplayWindow;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAM3C,oBAAY,iBAAiB;IAC3B,uBAAuB,IAAS;IAChC,uBAAuB,IAAS;IAChC,WAAW,IAAS;IACpB,WAAW,IAAS;CACrB;AAMD,MAAM,WAAW,kBAAkB;IACjC,0DAA0D;IAC1D,SAAS,EAAE,MAAM,CAAC;IAClB,eAAe;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,iBAAiB,CAAC;CAC5B;AAMD,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,iBAAiB,CAAC;IAC3B,iCAAiC;IACjC,aAAa,EAAE,MAAM,CAAC;IACtB,8CAA8C;IAC9C,cAAc,EAAE,MAAM,CAAC;IACvB,kDAAkD;IAClD,cAAc,EAAE,MAAM,CAAC;IACvB,kDAAkD;IAClD,KAAK,EAAE,MAAM,CAAC;IACd,wBAAwB;IACxB,eAAe,EAAE,MAAM,CAAC;IACxB,wCAAwC;IACxC,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,YAAY,CAAC;CAC5B;AAED,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,iBAAiB,CAAC;IAC3B,aAAa,EAAE,MAAM,CAAC;IACtB,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;IACvB,oEAAoE;IACpE,KAAK,EAAE,MAAM,CAAC;IACd,YAAY,EAAE,YAAY,CAAC;CAC5B"}

package/dist/types.js

@@ -0,0 +1,11 @@
+// ---------------------------------------------------------------------------
+// Protection profiles
+// ---------------------------------------------------------------------------
+export var ProtectionProfile;
+(function (ProtectionProfile) {
+    ProtectionProfile[ProtectionProfile["AES_128_CM_HMAC_SHA1_80"] = 1] = "AES_128_CM_HMAC_SHA1_80";
+    ProtectionProfile[ProtectionProfile["AES_128_CM_HMAC_SHA1_32"] = 2] = "AES_128_CM_HMAC_SHA1_32";
+    ProtectionProfile[ProtectionProfile["AES_128_GCM"] = 7] = "AES_128_GCM";
+    ProtectionProfile[ProtectionProfile["AES_256_GCM"] = 8] = "AES_256_GCM";
+})(ProtectionProfile || (ProtectionProfile = {}));
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAEA,8EAA8E;AAC9E,sBAAsB;AACtB,8EAA8E;AAE9E,MAAM,CAAN,IAAY,iBAKX;AALD,WAAY,iBAAiB;IAC3B,+FAAgC,CAAA;IAChC,+FAAgC,CAAA;IAChC,uEAAoB,CAAA;IACpB,uEAAoB,CAAA;AACtB,CAAC,EALW,iBAAiB,KAAjB,iBAAiB,QAK5B"}

package/dist/unprotect.d.ts

@@ -0,0 +1,14 @@
+import { SrtpContext, SrtcpContext } from './types.js';
+/**
+ * Authenticate and decrypt an SRTP packet.
+ *
+ * @returns Plaintext RTP packet, or `null` if auth fails / replay detected.
+ */
+export declare function srtpUnprotect(ctx: SrtpContext, srtpPacket: Buffer): Buffer | null;
+/**
+ * Authenticate and decrypt an SRTCP packet.
+ *
+ * @returns Plaintext RTCP packet, or `null` if auth fails / replay detected.
+ */
+export declare function srtcpUnprotect(ctx: SrtcpContext, srtcpPacket: Buffer): Buffer | null;
+//# sourceMappingURL=unprotect.d.ts.map

package/dist/unprotect.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"unprotect.d.ts","sourceRoot":"","sources":["../src/unprotect.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAqB,MAAM,YAAY,CAAC;AAkE1E;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CA+CjF;AAMD;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CA4CpF"}

package/dist/unprotect.js

@@ -0,0 +1,156 @@
+import { ProtectionProfile } from './types.js';
+import { aes128cmKeystream, computeSrtpIv, computeSrtcpIv } from './cipher.js';
+import { computeSrtpAuthTag, computeSrtcpAuthTag } from './auth.js';
+import { gcmSrtpUnprotect } from './gcm.js';
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+function tagLength(profile) {
+    return profile === ProtectionProfile.AES_128_CM_HMAC_SHA1_32 ? 4 : 10;
+}
+function timingSafeEqual(a, b) {
+    if (a.length !== b.length)
+        return false;
+    let result = 0;
+    for (let i = 0; i < a.length; i++) {
+        result |= a[i] ^ b[i];
+    }
+    return result === 0;
+}
+/** Parse the minimum fixed RTP header fields. */
+function parseRtpHeader(pkt) {
+    if (pkt.length < 12)
+        return { seq: 0, ssrc: 0, headerLen: 0 };
+    const cc = pkt[0] & 0x0f;
+    const x = (pkt[0] & 0x10) !== 0;
+    let headerLen = 12 + cc * 4;
+    if (x && pkt.length >= headerLen + 4) {
+        const extLen = pkt.readUInt16BE(headerLen + 2);
+        headerLen += 4 + extLen * 4;
+    }
+    return {
+        seq: pkt.readUInt16BE(2),
+        ssrc: pkt.readUInt32BE(8),
+        headerLen,
+    };
+}
+/**
+ * RFC 3711 §3.3.1 – estimate the full 48-bit packet index from a received
+ * 16-bit sequence number and the current context state.
+ */
+function estimateSrtpIndex(ctx, seq) {
+    if (ctx.lastSeq === -1) {
+        // No previous packet; accept as-is with the current ROC.
+        return BigInt(ctx.rolloverCounter) << 16n | BigInt(seq);
+    }
+    const v = BigInt(ctx.rolloverCounter);
+    const diff = seq - ctx.lastSeq;
+    if (diff > 0x8000) {
+        // seq is much higher than lastSeq → previous ROC (seq wrapped backwards)
+        return (v === 0n ? 0n : v - 1n) << 16n | BigInt(seq);
+    }
+    else if (diff < -0x8000) {
+        // seq is much lower than lastSeq → ROC has incremented (forward wrap)
+        return (v + 1n) << 16n | BigInt(seq);
+    }
+    return v << 16n | BigInt(seq);
+}
+// ---------------------------------------------------------------------------
+// SRTP unprotect (RFC 3711 §3.1)
+// ---------------------------------------------------------------------------
+/**
+ * Authenticate and decrypt an SRTP packet.
+ *
+ * @returns Plaintext RTP packet, or `null` if auth fails / replay detected.
+ */
+export function srtpUnprotect(ctx, srtpPacket) {
+    if (ctx.profile === ProtectionProfile.AES_128_GCM ||
+        ctx.profile === ProtectionProfile.AES_256_GCM) {
+        return gcmSrtpUnprotect(ctx, srtpPacket);
+    }
+    const tl = tagLength(ctx.profile);
+    if (srtpPacket.length < 12 + tl)
+        return null;
+    const { seq, ssrc, headerLen } = parseRtpHeader(srtpPacket);
+    if (headerLen === 0)
+        return null;
+    if (srtpPacket.length < headerLen + tl)
+        return null;
+    // 1. Estimate packet index (handles ROC)
+    const index = estimateSrtpIndex(ctx, seq);
+    // 2. Replay check (before expensive crypto)
+    if (!ctx.replayWindow.check(index))
+        return null;
+    // 3. Split the packet
+    const header = srtpPacket.subarray(0, headerLen);
+    const encryptedPayload = srtpPacket.subarray(headerLen, srtpPacket.length - tl);
+    const receivedTag = srtpPacket.subarray(srtpPacket.length - tl);
+    // 4. Verify auth tag
+    const roc = Number(index >> 16n) >>> 0;
+    const expectedTag = computeSrtpAuthTag(ctx.sessionAuthKey, header, encryptedPayload, roc, tl);
+    if (!timingSafeEqual(expectedTag, receivedTag))
+        return null;
+    // 5. Decrypt payload (AES-128-CM is symmetric: XOR with keystream)
+    const iv = computeSrtpIv(ctx.sessionSaltKey, ssrc, index);
+    const keystream = aes128cmKeystream(ctx.sessionEncKey, iv, encryptedPayload.length);
+    const payload = Buffer.allocUnsafe(encryptedPayload.length);
+    for (let i = 0; i < encryptedPayload.length; i++) {
+        payload[i] = encryptedPayload[i] ^ keystream[i];
+    }
+    // 6. Update state
+    ctx.replayWindow.update(index);
+    ctx.index = index;
+    ctx.rolloverCounter = roc;
+    ctx.lastSeq = seq;
+    return Buffer.concat([header, payload]);
+}
+// ---------------------------------------------------------------------------
+// SRTCP unprotect (RFC 3711 §3.4)
+// ---------------------------------------------------------------------------
+/**
+ * Authenticate and decrypt an SRTCP packet.
+ *
+ * @returns Plaintext RTCP packet, or `null` if auth fails / replay detected.
+ */
+export function srtcpUnprotect(ctx, srtcpPacket) {
+    const tl = tagLength(ctx.profile);
+    // Minimum: 8 bytes RTCP header + 4 bytes E|index + tl bytes tag
+    if (srtcpPacket.length < 8 + 4 + tl)
+        return null;
+    // 1. Extract E || SRTCP_index (4 bytes before the auth tag)
+    const eSrtcpIndexOffset = srtcpPacket.length - tl - 4;
+    const eSrtcpIndex = srtcpPacket.readUInt32BE(eSrtcpIndexOffset);
+    const encrypted = (eSrtcpIndex & 0x80000000) !== 0;
+    const index = eSrtcpIndex & 0x7fffffff;
+    // 2. Replay check
+    if (!ctx.replayWindow.check(BigInt(index)))
+        return null;
+    // 3. Auth tag verification
+    // Auth input = packet bytes (everything except the tag itself)
+    const packetForAuth = srtcpPacket.subarray(0, eSrtcpIndexOffset); // header + encrypted body
+    const receivedTag = srtcpPacket.subarray(srtcpPacket.length - tl);
+    const expectedTag = computeSrtcpAuthTag(ctx.sessionAuthKey, packetForAuth, eSrtcpIndex, tl);
+    if (!timingSafeEqual(expectedTag, receivedTag))
+        return null;
+    // 4. Decrypt
+    const header = srtcpPacket.subarray(0, 8);
+    const encryptedRest = srtcpPacket.subarray(8, eSrtcpIndexOffset);
+    let decryptedRest;
+    if (encrypted) {
+        const ssrc = srtcpPacket.readUInt32BE(4);
+        const iv = computeSrtcpIv(ctx.sessionSaltKey, ssrc, index);
+        const keystream = aes128cmKeystream(ctx.sessionEncKey, iv, encryptedRest.length);
+        decryptedRest = Buffer.allocUnsafe(encryptedRest.length);
+        for (let i = 0; i < encryptedRest.length; i++) {
+            decryptedRest[i] = encryptedRest[i] ^ keystream[i];
+        }
+    }
+    else {
+        decryptedRest = encryptedRest;
+    }
+    // 5. Update state
+    ctx.replayWindow.update(BigInt(index));
+    ctx.index = index;
+    return Buffer.concat([header, decryptedRest]);
+}
+//# sourceMappingURL=unprotect.js.map

package/dist/unprotect.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"unprotect.js","sourceRoot":"","sources":["../src/unprotect.ts"],"names":[],"mappings":"AAAA,OAAO,EAA6B,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAC1E,OAAO,EAAE,iBAAiB,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC/E,OAAO,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC;AACpE,OAAO,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAE5C,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,SAAS,SAAS,CAAC,OAA0B;IAC3C,OAAO,OAAO,KAAK,iBAAiB,CAAC,uBAAuB,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;AACxE,CAAC;AAED,SAAS,eAAe,CAAC,CAAS,EAAE,CAAS;IAC3C,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACxC,IAAI,MAAM,GAAG,CAAC,CAAC;IACf,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,MAAM,IAAI,CAAC,CAAC,CAAC,CAAE,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC;IAC1B,CAAC;IACD,OAAO,MAAM,KAAK,CAAC,CAAC;AACtB,CAAC;AAED,iDAAiD;AACjD,SAAS,cAAc,CAAC,GAAW;IACjC,IAAI,GAAG,CAAC,MAAM,GAAG,EAAE;QAAE,OAAO,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,CAAC;IAC9D,MAAM,EAAE,GAAG,GAAG,CAAC,CAAC,CAAE,GAAG,IAAI,CAAC;IAC1B,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAE,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC;IACjC,IAAI,SAAS,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAC;IAC5B,IAAI,CAAC,IAAI,GAAG,CAAC,MAAM,IAAI,SAAS,GAAG,CAAC,EAAE,CAAC;QACrC,MAAM,MAAM,GAAG,GAAG,CAAC,YAAY,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC;QAC/C,SAAS,IAAI,CAAC,GAAG,MAAM,GAAG,CAAC,CAAC;IAC9B,CAAC;IACD,OAAO;QACL,GAAG,EAAE,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC;QACxB,IAAI,EAAE,GAAG,CAAC,YAAY,CAAC,CAAC,CAAC;QACzB,SAAS;KACV,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,SAAS,iBAAiB,CAAC,GAAgB,EAAE,GAAW;IACtD,IAAI,GAAG,CAAC,OAAO,KAAK,CAAC,CAAC,EAAE,CAAC;QACvB,yDAAyD;QACzD,OAAO,MAAM,CAAC,GAAG,CAAC,eAAe,CAAC,IAAI,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;IAC1D,CAAC;IAED,MAAM,CAAC,GAAG,MAAM,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;IACtC,MAAM,IAAI,GAAG,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC;IAE/B,IAAI,IAAI,GAAG,MAAM,EAAE,CAAC;QAClB,yEAAyE;QACzE,OAAO,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC,IAAI,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;IACvD,CAAC;SAAM,IAAI,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;QAC1B,sEAAsE;QACtE,OAAO,CAAC,CAAC,GAAG,EAAE,CAAC,IAAI,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;IACvC,CAAC;IACD,OAAO,CAAC,IAAI,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;AAChC,CAAC;AAED,8EAA8E;AAC9E,iCAAiC;AACjC,8EAA8E;AAE9E;;;;GAIG;AACH,MAAM,UAAU,aAAa,CAAC,GAAgB,EAAE,UAAkB;IAChE,IACE,GAAG,CAAC,OAAO,KAAK,iBAAiB,CAAC,WAAW;QAC7C,GAAG,CAAC,OAAO,KAAK,iBAAiB,CAAC,WAAW,EAC7C,CAAC;QACD,OAAO,gBAAgB,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;IAC3C,CAAC;IAED,MAAM,EAAE,GAAG,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAElC,IAAI,UAAU,CAAC,MAAM,GAAG,EAAE,GAAG,EAAE;QAAE,OAAO,IAAI,CAAC;IAE7C,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,cAAc,CAAC,UAAU,CAAC,CAAC;IAC5D,IAAI,SAAS,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACjC,IAAI,UAAU,CAAC,MAAM,GAAG,SAAS,GAAG,EAAE;QAAE,OAAO,IAAI,CAAC;IAEpD,yCAAyC;IACzC,MAAM,KAAK,GAAG,iBAAiB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAE1C,4CAA4C;IAC5C,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,KAAK,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAEhD,sBAAsB;IACtB,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;IACjD,MAAM,gBAAgB,GAAG,UAAU,CAAC,QAAQ,CAAC,SAAS,EAAE,UAAU,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;IAChF,MAAM,WAAW,GAAG,UAAU,CAAC,QAAQ,CAAC,UAAU,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;IAEhE,qBAAqB;IACrB,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC;IACvC,MAAM,WAAW,GAAG,kBAAkB,CAAC,GAAG,CAAC,cAAc,EAAE,MAAM,EAAE,gBAAgB,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAC9F,IAAI,CAAC,eAAe,CAAC,WAAW,EAAE,WAAW,CAAC;QAAE,OAAO,IAAI,CAAC;IAE5D,mEAAmE;IACnE,MAAM,EAAE,GAAG,aAAa,CAAC,GAAG,CAAC,cAAc,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;IAC1D,MAAM,SAAS,GAAG,iBAAiB,CAAC,GAAG,CAAC,aAAa,EAAE,EAAE,EAAE,gBAAgB,CAAC,MAAM,CAAC,CAAC;IACpF,MAAM,OAAO,GAAG,MAAM,CAAC,WAAW,CAAC,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAC5D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,gBAAgB,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACjD,OAAO,CAAC,CAAC,CAAC,GAAG,gBAAgB,CAAC,CAAC,CAAE,GAAG,SAAS,CAAC,CAAC,CAAE,CAAC;IACpD,CAAC;IAED,kBAAkB;IAClB,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC/B,GAAG,CAAC,KAAK,GAAG,KAAK,CAAC;IAClB,GAAG,CAAC,eAAe,GAAG,GAAG,CAAC;IAC1B,GAAG,CAAC,OAAO,GAAG,GAAG,CAAC;IAElB,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;AAC1C,CAAC;AAED,8EAA8E;AAC9E,kCAAkC;AAClC,8EAA8E;AAE9E;;;;GAIG;AACH,MAAM,UAAU,cAAc,CAAC,GAAiB,EAAE,WAAmB;IACnE,MAAM,EAAE,GAAG,SAAS,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAElC,gEAAgE;IAChE,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE;QAAE,OAAO,IAAI,CAAC;IAEjD,4DAA4D;IAC5D,MAAM,iBAAiB,GAAG,WAAW,CAAC,MAAM,GAAG,EAAE,GAAG,CAAC,CAAC;IACtD,MAAM,WAAW,GAAG,WAAW,CAAC,YAAY,CAAC,iBAAiB,CAAC,CAAC;IAChE,MAAM,SAAS,GAAG,CAAC,WAAW,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;IACnD,MAAM,KAAK,GAAG,WAAW,GAAG,UAAU,CAAC;IAEvC,kBAAkB;IAClB,IAAI,CAAC,GAAG,CAAC,YAAY,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAExD,2BAA2B;IAC3B,+DAA+D;IAC/D,MAAM,aAAa,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC,EAAE,iBAAiB,CAAC,CAAC,CAAC,0BAA0B;IAC5F,MAAM,WAAW,GAAG,WAAW,CAAC,QAAQ,CAAC,WAAW,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC;IAClE,MAAM,WAAW,GAAG,mBAAmB,CAAC,GAAG,CAAC,cAAc,EAAE,aAAa,EAAE,WAAW,EAAE,EAAE,CAAC,CAAC;IAC5F,IAAI,CAAC,eAAe,CAAC,WAAW,EAAE,WAAW,CAAC;QAAE,OAAO,IAAI,CAAC;IAE5D,aAAa;IACb,MAAM,MAAM,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IAC1C,MAAM,aAAa,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC,EAAE,iBAAiB,CAAC,CAAC;IAEjE,IAAI,aAAqB,CAAC;IAC1B,IAAI,SAAS,EAAE,CAAC;QACd,MAAM,IAAI,GAAG,WAAW,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACzC,MAAM,EAAE,GAAG,cAAc,CAAC,GAAG,CAAC,cAAc,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;QAC3D,MAAM,SAAS,GAAG,iBAAiB,CAAC,GAAG,CAAC,aAAa,EAAE,EAAE,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;QACjF,aAAa,GAAG,MAAM,CAAC,WAAW,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;QACzD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,aAAa,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC9C,aAAa,CAAC,CAAC,CAAC,GAAG,aAAa,CAAC,CAAC,CAAE,GAAG,SAAS,CAAC,CAAC,CAAE,CAAC;QACvD,CAAC;IACH,CAAC;SAAM,CAAC;QACN,aAAa,GAAG,aAAa,CAAC;IAChC,CAAC;IAED,kBAAkB;IAClB,GAAG,CAAC,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IACvC,GAAG,CAAC,KAAK,GAAG,KAAK,CAAC;IAElB,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC,CAAC;AAChD,CAAC"}

package/package.json

@@ -0,0 +1,57 @@
+{
+  "name": "@agentdance/node-webrtc-srtp",
+  "version": "1.0.0",
+  "description": "RFC 3711 SRTP/SRTCP — AES-128-CM-HMAC-SHA1-80/32 and AES-128-GCM, RFC-verified key derivation, 64-bit replay window. Part of the @agentdance/node-webrtc stack.",
+  "keywords": [
+    "webrtc",
+    "srtp",
+    "srtcp",
+    "rfc3711",
+    "aes",
+    "hmac",
+    "typescript",
+    "node"
+  ],
+  "license": "MIT",
+  "homepage": "https://github.com/agent-dance/node-webrtc#readme",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/agent-dance/node-webrtc.git",
+    "directory": "packages/srtp"
+  },
+  "bugs": {
+    "url": "https://github.com/agent-dance/node-webrtc/issues"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    }
+  },
+  "files": [
+    "dist",
+    "src"
+  ],
+  "sideEffects": false,
+  "publishConfig": {
+    "access": "public",
+    "registry": "https://registry.npmjs.org/"
+  },
+  "devDependencies": {
+    "typescript": "*",
+    "vitest": "*",
+    "@types/node": "*"
+  },
+  "scripts": {
+    "build": "tsc",
+    "test": "vitest run",
+    "typecheck": "tsc --noEmit",
+    "clean": "rm -rf dist"
+  }
+}

package/src/auth.ts

@@ -0,0 +1,61 @@
+import { createHmac } from 'node:crypto';
+
+// ---------------------------------------------------------------------------
+// HMAC-SHA1 authentication tags  (RFC 3711 §4.2)
+// ---------------------------------------------------------------------------
+
+/**
+ * Compute the SRTP authentication tag.
+ *
+ * auth_tag = first `tagLength` bytes of
+ *            HMAC-SHA1(k_a, RTP_header || RTP_payload || ROC_be32)
+ *
+ * @param authKey    20-byte HMAC-SHA1 session authentication key
+ * @param rtpHeader  The full RTP header (variable length)
+ * @param rtpPayload The plain RTP payload (pre-encryption for sender,
+ *                   already encrypted on sender side per RFC 3711 §3.1)
+ * @param roc        Roll-Over Counter (big-endian 32-bit appended)
+ * @param tagLength  10 for 80-bit profile, 4 for 32-bit profile
+ */
+export function computeSrtpAuthTag(
+  authKey: Buffer,
+  rtpHeader: Buffer,
+  rtpPayload: Buffer,
+  roc: number,
+  tagLength: 10 | 4,
+): Buffer {
+  const rocBuf = Buffer.allocUnsafe(4);
+  rocBuf.writeUInt32BE(roc >>> 0, 0);
+
+  const hmac = createHmac('sha1', authKey);
+  hmac.update(rtpHeader);
+  hmac.update(rtpPayload);
+  hmac.update(rocBuf);
+  return hmac.digest().subarray(0, tagLength);
+}
+
+/**
+ * Compute the SRTCP authentication tag.
+ *
+ * auth_tag = first `tagLength` bytes of
+ *            HMAC-SHA1(k_a, RTCP_packet || E_SRTCP_index_be32)
+ *
+ * @param authKey       20-byte HMAC-SHA1 session authentication key
+ * @param rtcpPacket    The full (partially encrypted) RTCP packet bytes
+ * @param eSrtcpIndex   The 32-bit word: E(1) || SRTCP_index(31)
+ * @param tagLength     10 for 80-bit profile, 4 for 32-bit profile
+ */
+export function computeSrtcpAuthTag(
+  authKey: Buffer,
+  rtcpPacket: Buffer,
+  eSrtcpIndex: number,
+  tagLength: 10 | 4,
+): Buffer {
+  const indexBuf = Buffer.allocUnsafe(4);
+  indexBuf.writeUInt32BE(eSrtcpIndex >>> 0, 0);
+
+  const hmac = createHmac('sha1', authKey);
+  hmac.update(rtcpPacket);
+  hmac.update(indexBuf);
+  return hmac.digest().subarray(0, tagLength);
+}

package/src/cipher.ts

@@ -0,0 +1,68 @@
+import { createCipheriv } from 'node:crypto';
+
+// ---------------------------------------------------------------------------
+// AES-128-CM keystream  (RFC 3711 §4.1.1)
+// ---------------------------------------------------------------------------
+
+/**
+ * Generate `length` bytes of AES-128-CM (Counter Mode) keystream.
+ *
+ * @param key    16-byte AES key
+ * @param iv     16-byte IV (the initial counter block, lower 16 bits = 0)
+ * @param length Number of keystream bytes to return
+ */
+export function aes128cmKeystream(key: Buffer, iv: Buffer, length: number): Buffer {
+  if (key.length !== 16) throw new RangeError('AES-128-CM requires a 16-byte key');
+  if (iv.length !== 16) throw new RangeError('AES-128-CM IV must be 16 bytes');
+
+  // Encrypt a zero plaintext; CTR mode emits the keystream directly.
+  const plaintext = Buffer.alloc(length, 0);
+  const cipher = createCipheriv('aes-128-ctr', key, iv);
+  const ks = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+  return ks.subarray(0, length);
+}
+
+// ---------------------------------------------------------------------------
+// IV computation for SRTP  (RFC 3711 §4.1)
+// ---------------------------------------------------------------------------
+
+/**
+ * Compute the 128-bit SRTP IV:
+ *   IV = (k_s * 2^16) XOR (SSRC * 2^64) XOR (index * 2^16)
+ *
+ * Bit-position reference (big-endian 128-bit / 16-byte buffer):
+ *   k_s  * 2^16  → salt (14 bytes) placed at buffer bytes [2..15]
+ *   SSRC * 2^64  → SSRC (4 bytes)  placed at buffer bytes [4..7]
+ *   i    * 2^16  → index (6 bytes) placed at buffer bytes [8..13]
+ */
+export function computeSrtpIv(salt: Buffer, ssrc: number, index: bigint): Buffer {
+  if (salt.length !== 14) throw new RangeError('SRTP salt must be 14 bytes');
+
+  // Start from all zeros; copy salt into bytes [2..15].
+  const iv = Buffer.alloc(16, 0);
+  salt.copy(iv, 2);
+
+  // XOR SSRC into bytes [4..7].
+  iv.writeUInt32BE((iv.readUInt32BE(4) ^ (ssrc >>> 0)) >>> 0, 4);
+
+  // XOR 48-bit index into bytes [8..13].
+  // index high 32 bits → bytes [8..11], index low 16 bits → bytes [12..13].
+  const idxHi = Number((index >> 16n) & 0xffffffffn);
+  const idxLo = Number(index & 0xffffn);
+  iv.writeUInt32BE((iv.readUInt32BE(8) ^ idxHi) >>> 0, 8);
+  iv.writeUInt16BE((iv.readUInt16BE(12) ^ idxLo) & 0xffff, 12);
+
+  return iv;
+}
+
+// ---------------------------------------------------------------------------
+// IV computation for SRTCP  (RFC 3711 §4.1)
+// ---------------------------------------------------------------------------
+
+/**
+ * Compute the 128-bit SRTCP IV.
+ * Identical formula to SRTP; the SRTCP index is 31-bit.
+ */
+export function computeSrtcpIv(salt: Buffer, ssrc: number, index: number): Buffer {
+  return computeSrtpIv(salt, ssrc, BigInt(index));
+}