mediasoup 3.20.4 → 3.20.6

package/worker/src/RTC/DirectTransport.cpp

@@ -15,7 +15,10 @@ namespace RTC
 	  const std::string& id,
 	  RTC::Transport::Listener* listener,
 	  const FBS::DirectTransport::DirectTransportOptions* options)
-	  : RTC::Transport::Transport(shared, id, listener, options->base())
+	  // DirectTransport doesn't support SCTP, so State Cookie authentication is
+	  // irrelevant here.
+	  : RTC::Transport::Transport(
+	      shared, id, listener, options->base(), /*requireSctpStateCookieAuthentication*/ false)
 	{
 		MS_TRACE();
 

package/worker/src/RTC/PipeProducerStreamManager.cpp

@@ -0,0 +1,266 @@
+#define MS_CLASS "RTC::PipeProducerStreamManager"
+// #define MS_LOG_DEV_LEVEL 3
+
+#include "RTC/PipeProducerStreamManager.hpp"
+#include "Logger.hpp"
+
+namespace RTC
+{
+	/* Instance methods. */
+
+	PipeProducerStreamManager::PipeProducerStreamManager(
+	  const std::vector<RTC::RtpEncodingParameters>& consumableRtpEncodings,
+	  const RTC::ConsumerTypes::VideoLayers& preferredLayers,
+	  std::unique_ptr<RTC::RTP::Codecs::EncodingContext> encodingContext,
+	  RTC::Media::Kind kind,
+	  bool keyFrameSupported,
+	  Listener* listener,
+	  SharedInterface* shared)
+	  : ProducerStreamManager(
+	      consumableRtpEncodings,
+	      preferredLayers,
+	      std::move(encodingContext),
+	      kind,
+	      keyFrameSupported,
+	      listener,
+	      shared)
+	{
+		MS_TRACE();
+
+		// Initialize per-stream sync state for each consumable encoding.
+		for (const auto& encoding : this->consumableRtpEncodings)
+		{
+			this->mapMappedSsrcSyncRequired[encoding.ssrc] = false;
+		}
+	}
+
+	bool PipeProducerStreamManager::IsActive() const
+	{
+		MS_TRACE();
+
+		return this->listener->IsActive();
+	}
+
+	void PipeProducerStreamManager::ProducerRtpStream(
+	  RTC::RTP::RtpStreamRecv* /*rtpStream*/, uint32_t /*mappedSsrc*/)
+	{
+		MS_TRACE();
+
+		// Do nothing.
+	}
+
+	void PipeProducerStreamManager::ProducerNewRtpStream(
+	  RTC::RTP::RtpStreamRecv* /*rtpStream*/, uint32_t /*mappedSsrc*/)
+	{
+		MS_TRACE();
+
+		// Do nothing.
+	}
+
+	void PipeProducerStreamManager::ProducerRtpStreamScore(
+	  RTC::RTP::RtpStreamRecv* /*rtpStream*/, uint8_t /*score*/, uint8_t /*previousScore*/)
+	{
+		MS_TRACE();
+
+		// Do nothing.
+	}
+
+	void PipeProducerStreamManager::ProducerRtcpSenderReport(
+	  RTC::RTP::RtpStreamRecv* /*rtpStream*/, bool /*first*/)
+	{
+		MS_TRACE();
+
+		// Do nothing.
+	}
+
+	uint32_t PipeProducerStreamManager::IncreaseLayer(
+	  uint32_t /*bitrate*/, bool /*considerLoss*/, float /*lossPercentage*/, uint64_t /*nowMs*/)
+	{
+		MS_TRACE();
+
+		// Pipe does not play the BWE game.
+		return 0u;
+	}
+
+	void PipeProducerStreamManager::ApplyLayers(uint64_t /*rtpStreamActiveMs*/)
+	{
+		MS_TRACE();
+
+		// Pipe does not play the BWE game.
+	}
+
+	uint32_t PipeProducerStreamManager::GetDesiredBitrate(uint64_t /*nowMs*/) const
+	{
+		MS_TRACE();
+
+		// Pipe does not play the BWE game.
+		return 0u;
+	}
+
+	ProducerStreamManager::RtpPacketProcessResult PipeProducerStreamManager::ProcessRtpPacket(
+	  RTC::RTP::Packet* packet,
+	  bool /*lastSentPacketHasMarker*/,
+	  uint32_t /*clockRate*/,
+	  uint32_t /*maxPacketTs*/)
+	{
+		MS_TRACE();
+
+		RtpPacketProcessResult result;
+
+		auto it = this->mapMappedSsrcSyncRequired.find(packet->GetSsrc());
+
+		MS_ASSERT(it != this->mapMappedSsrcSyncRequired.end(), "unknown mapped SSRC");
+
+		bool& syncRequired = it->second;
+
+		// If sync required and key frames supported, buffer non-key-frame packets.
+		if (syncRequired && this->keyFrameSupported && !packet->IsKeyFrame())
+		{
+			result.type = RtpPacketProcessResult::Type::BUFFER;
+
+#ifdef MS_RTC_LOGGER_RTP
+			packet->logger.Discarded(RTC::RtcLogger::RtpPacket::DiscardReason::NOT_A_KEYFRAME);
+#endif
+
+			return result;
+		}
+
+		// Packets with only padding are not forwarded.
+		if (packet->GetPayloadLength() == 0)
+		{
+			result.type = RtpPacketProcessResult::Type::DROP;
+
+#ifdef MS_RTC_LOGGER_RTP
+			packet->logger.Discarded(RTC::RtcLogger::RtpPacket::DiscardReason::EMPTY_PAYLOAD);
+#endif
+
+			return result;
+		}
+
+		// Whether this is the first packet after re-sync.
+		const bool isSyncPacket = syncRequired;
+
+		if (isSyncPacket)
+		{
+			if (packet->IsKeyFrame())
+			{
+				MS_DEBUG_TAG(
+				  rtp,
+				  "sync key frame received [ssrc:%" PRIu32 ", seq:%" PRIu16 ", ts:%" PRIu32 "]",
+				  packet->GetSsrc(),
+				  packet->GetSequenceNumber(),
+				  packet->GetTimestamp());
+
+				result.sendBufferedPackets = true;
+			}
+
+			result.isSyncPacket = true;
+			result.syncSeqValue = packet->GetSequenceNumber() - 1;
+
+			syncRequired = false;
+		}
+
+		// Pipe passes timestamp and marker through unchanged.
+		result.type     = RtpPacketProcessResult::Type::FORWARD;
+		result.tsOffset = 0u;
+		result.marker   = packet->HasMarker();
+
+		return result;
+	}
+
+	void PipeProducerStreamManager::RequestKeyFrame()
+	{
+		MS_TRACE();
+
+		if (this->kind != RTC::Media::Kind::VIDEO)
+		{
+			return;
+		}
+
+		for (const auto& encoding : this->consumableRtpEncodings)
+		{
+			this->listener->OnProducerStreamManagerKeyFrameRequested(encoding.ssrc);
+		}
+	}
+
+	void PipeProducerStreamManager::RequestKeyFrameForTargetSpatialLayer()
+	{
+		MS_TRACE();
+
+		RequestKeyFrame();
+	}
+
+	void PipeProducerStreamManager::RequestKeyFrameForCurrentSpatialLayer()
+	{
+		MS_TRACE();
+
+		RequestKeyFrame();
+	}
+
+	void PipeProducerStreamManager::UpdateTargetLayers(int16_t /*spatial*/, int16_t /*temporal*/)
+	{
+		MS_TRACE();
+
+		// No layer management for pipe.
+	}
+
+	bool PipeProducerStreamManager::RecalculateTargetLayers(
+	  RTC::ConsumerTypes::VideoLayers& /*newTargetLayers*/) const
+	{
+		MS_TRACE();
+
+		// No layer changes for pipe.
+		return false;
+	}
+
+	void PipeProducerStreamManager::OnTransportConnected()
+	{
+		MS_TRACE();
+
+		for (auto& kv : this->mapMappedSsrcSyncRequired)
+		{
+			kv.second = true;
+		}
+
+		if (IsActive())
+		{
+			RequestKeyFrame();
+		}
+	}
+
+	void PipeProducerStreamManager::OnTransportDisconnected()
+	{
+		MS_TRACE();
+
+		for (auto& kv : this->mapMappedSsrcSyncRequired)
+		{
+			kv.second = false;
+		}
+	}
+
+	void PipeProducerStreamManager::OnPaused()
+	{
+		MS_TRACE();
+
+		for (auto& kv : this->mapMappedSsrcSyncRequired)
+		{
+			kv.second = false;
+		}
+	}
+
+	void PipeProducerStreamManager::OnResumed()
+	{
+		MS_TRACE();
+
+		for (auto& kv : this->mapMappedSsrcSyncRequired)
+		{
+			kv.second = true;
+		}
+
+		if (IsActive())
+		{
+			RequestKeyFrame();
+		}
+	}
+
+} // namespace RTC

package/worker/src/RTC/PipeTransport.cpp

@@ -29,7 +29,10 @@ namespace RTC
 	  const std::string& id,
 	  RTC::Transport::Listener* listener,
 	  const FBS::PipeTransport::PipeTransportOptions* options)
-	  : RTC::Transport::Transport(shared, id, listener, options->base())
+	  // SCTP over PipeTransport is not protected by DTLS, so received State
+	  // Cookies must be authenticated to prevent forgery (RFC 9260 section 5.1.3).
+	  : RTC::Transport::Transport(
+	      shared, id, listener, options->base(), /*requireSctpStateCookieAuthentication*/ true)
 	{
 		MS_TRACE();
 

package/worker/src/RTC/PlainTransport.cpp

@@ -37,7 +37,10 @@ namespace RTC
 	  const std::string& id,
 	  RTC::Transport::Listener* listener,
 	  const FBS::PlainTransport::PlainTransportOptions* options)
-	  : RTC::Transport::Transport(shared, id, listener, options->base())
+	  // SCTP over PlainTransport is not protected by DTLS, so received State
+	  // Cookies must be authenticated to prevent forgery (RFC 9260 section 5.1.3).
+	  : RTC::Transport::Transport(
+	      shared, id, listener, options->base(), /*requireSctpStateCookieAuthentication*/ true)
 	{
 		MS_TRACE();
 

package/worker/src/RTC/SCTP/association/Association.cpp

@@ -7,6 +7,7 @@
 #include "RTC/SCTP/packet/errorCauses/NoUserDataErrorCause.hpp"
 #include "RTC/SCTP/packet/errorCauses/OutOfResourceErrorCause.hpp"
 #include "RTC/SCTP/packet/errorCauses/ProtocolViolationErrorCause.hpp"
+#include "RTC/SCTP/packet/errorCauses/StaleCookieErrorCause.hpp"
 #include "RTC/SCTP/packet/errorCauses/UnrecognizedChunkTypeErrorCause.hpp"
 #include "RTC/SCTP/packet/errorCauses/UserInitiatedAbortErrorCause.hpp"
 #include "RTC/SCTP/packet/parameters/ForwardTsnSupportedParameter.hpp"
@@ -83,6 +84,15 @@ namespace RTC
 		    mayConnectOnReceivedSctpData(mayConnectOnReceivedSctpData)
 		{
 			MS_TRACE();
+
+			// Generate the per-association secret used to authenticate the State
+			// Cookies we generate.
+			//
+			// @see RFC 9260 section 5.1.3.
+			if (this->sctpOptions.requireAuthenticatedCookie)
+			{
+				Utils::Crypto::WriteRandomBytes(this->stateCookieSecret, Association::StateCookieSecretLength);
+			}
 		}
 
 		Association::~Association()
@@ -1057,6 +1067,32 @@ namespace RTC
 		{
 			MS_TRACE();
 
+			// https://datatracker.ietf.org/doc/html/rfc9653#section-5.3
+			//
+			// "If an endpoint has sent the Zero Checksum Acceptable Chunk Parameter
+			// indicating the support of an alternate error detection method in an INIT
+			// or INIT ACK chunk, in addition to SCTP packets containing the correct
+			// CRC32c checksum value it MUST accept SCTP packets that have an incorrect
+			// checksum value of zero [...]"
+			const bool acceptZeroChecksum =
+			  this->sctpOptions.zeroChecksumAlternateErrorDetectionMethod !=
+			  ZeroChecksumAcceptableParameter::AlternateErrorDetectionMethod::NONE;
+
+			// Validate the CRC32c checksum unless this is a zero checksum packet that we
+			// announced we are willing to accept.
+			if (!acceptZeroChecksum || receivedPacket->GetChecksum() != 0)
+			{
+				if (!receivedPacket->ValidateCRC32cChecksum())
+				{
+					MS_WARN_TAG(sctp, "invalid CRC32c checksum, packet discarded");
+
+					this->associationListenerDeferrer.OnAssociationError(
+					  Types::ErrorKind::PARSE_FAILED, "invalid CRC32c checksum");
+
+					return false;
+				}
+			}
+
 			const uint32_t localVerificationTag = this->tcb ? this->tcb->GetLocalVerificationTag() : 0;
 
 			// https://datatracker.ietf.org/doc/html/rfc9260#section-8.5.1
@@ -1462,7 +1498,9 @@ namespace RTC
 
 				case State::CLOSED:
 				{
-					MS_WARN_TAG(sctp, "ignoring INIT chunk received in CLOSED state)");
+					MS_WARN_TAG(sctp, "ignoring INIT chunk received in CLOSED state");
+
+					return;
 				}
 
 				// https://datatracker.ietf.org/doc/html/rfc9260#section-5.2.1
@@ -1535,6 +1573,12 @@ namespace RTC
 			const auto negotiatedCapabilities =
 			  NegotiatedCapabilities::Factory(this->sctpOptions, receivedInitChunk);
 
+			// When authentication is enabled, generate an authenticated cookie with a
+			// creation timestamp and a MAC keyed with our per-association secret.
+			//
+			// @see RFC 9260 section 5.1.3.
+			const bool authenticateCookie = this->sctpOptions.requireAuthenticatedCookie;
+
 			// Write the StateCookie in place in the parameter.
 			stateCookieParameter->WriteStateCookieInPlace(
 			  localVerificationTag,
@@ -1543,7 +1587,10 @@ namespace RTC
 			  receivedInitChunk->GetInitialTsn(),
 			  receivedInitChunk->GetAdvertisedReceiverWindowCredit(),
 			  tieTag,
-			  negotiatedCapabilities);
+			  negotiatedCapabilities,
+			  /*creationTimestampMs*/ authenticateCookie ? this->shared->GetTimeMs() : 0,
+			  /*macKey*/ authenticateCookie ? this->stateCookieSecret : nullptr,
+			  /*macKeyLength*/ authenticateCookie ? Association::StateCookieSecretLength : 0);
 
 			stateCookieParameter->Consolidate();
 
@@ -1676,6 +1723,18 @@ namespace RTC
 				return;
 			}
 
+			// When authentication is enabled, verify that the cookie was generated by
+			// us (valid MAC) and is not stale before trusting any of its contents.
+			//
+			// @see RFC 9260 section 5.1.4.
+			if (this->sctpOptions.requireAuthenticatedCookie)
+			{
+				if (!VerifyReceivedStateCookie(cookie.get()))
+				{
+					return;
+				}
+			}
+
 			if (this->tcb)
 			{
 				if (!HandleReceivedCookieEchoChunkWithTcb(receivedPacket, cookie.get()))
@@ -1812,7 +1871,7 @@ namespace RTC
 			else if (
 			  receivedPacket->GetVerificationTag() != this->tcb->GetLocalVerificationTag() &&
 			  cookie->GetRemoteVerificationTag() == this->tcb->GetRemoteVerificationTag() &&
-			  cookie->GetTieTag() == this->tcb->GetTieTag())
+			  cookie->GetTieTag() == 0)
 			{
 				MS_DEBUG_DEV("received COOKIE-ECHO indicating a late COOKIE-ECHO, discarding");
 
@@ -2430,6 +2489,86 @@ namespace RTC
 			return !skipProcessing;
 		}
 
+		bool Association::VerifyReceivedStateCookie(const StateCookie* cookie)
+		{
+			MS_TRACE();
+
+			// https://datatracker.ietf.org/doc/html/rfc9260#section-5.1.4
+			//
+			// "Authenticate the State Cookie as one that it previously generated by
+			// comparing the computed MAC against the one carried in the State Cookie.
+			// If this comparison fails, the SCTP packet, including the COOKIE ECHO and
+			// any DATA chunks, should be silently discarded."
+			//
+			// NOTE: The Verification Tag check (RFC 9260 section 5.1.4) is not done
+			// here but in the COOKIE-ECHO handling logic (with and without TCB), which
+			// is performed regardless of whether authentication is enabled.
+			if (!StateCookie::VerifyMac(
+			      cookie->GetBuffer(),
+			      cookie->GetLength(),
+			      this->stateCookieSecret,
+			      Association::StateCookieSecretLength))
+			{
+				MS_WARN_TAG(
+				  sctp,
+				  "received COOKIE-ECHO chunk with State Cookie that failed MAC authentication, discarding");
+
+				this->associationListenerDeferrer.OnAssociationError(
+				  Types::ErrorKind::PARSE_FAILED,
+				  "received COOKIE-ECHO chunk with unauthenticated State Cookie");
+
+				return false;
+			}
+
+			// https://datatracker.ietf.org/doc/html/rfc9260#section-5.1.4
+			//
+			// "Compare the creation timestamp in the State Cookie to the current local
+			// time. If the elapsed time is longer than the lifespan carried in the
+			// State Cookie, then the packet, including the COOKIE ECHO and any attached
+			// DATA chunks, SHOULD be discarded, and the endpoint MUST transmit an ERROR
+			// chunk with a 'Stale Cookie' error cause to the peer endpoint."
+			const uint64_t nowMs      = this->shared->GetTimeMs();
+			const uint64_t creationMs = cookie->GetCreationTimestampMs();
+
+			if (nowMs > creationMs && nowMs - creationMs > StateCookie::ValidCookieLifeMs)
+			{
+				const uint64_t stalenessMs = nowMs - creationMs - StateCookie::ValidCookieLifeMs;
+
+				MS_WARN_TAG(
+				  sctp,
+				  "received COOKIE-ECHO chunk with stale State Cookie, sending Stale Cookie error [staleness:%" PRIu64
+				  "ms]",
+				  stalenessMs);
+
+				// Respond with an ERROR chunk carrying a Stale Cookie error cause. The
+				// packet must use the verification tag the peer expects (the remote
+				// verification tag stored in the cookie we generated).
+				auto packet = CreatePacketWithVerificationTag(cookie->GetRemoteVerificationTag());
+				auto* operationErrorChunk = packet->BuildChunkInPlace<OperationErrorChunk>();
+				auto* staleCookieErrorCause =
+				  operationErrorChunk->BuildErrorCauseInPlace<StaleCookieErrorCause>();
+
+				// The Measure of Staleness is expressed in microseconds.
+				const uint64_t stalenessUs = stalenessMs * 1000;
+
+				staleCookieErrorCause->SetMeasureOfStaleness(
+				  stalenessUs > std::numeric_limits<uint32_t>::max() ? std::numeric_limits<uint32_t>::max()
+				                                                     : static_cast<uint32_t>(stalenessUs));
+
+				staleCookieErrorCause->Consolidate();
+				operationErrorChunk->Consolidate();
+
+				this->packetSender.SendPacket(packet.get());
+
+				this->associationListenerDeferrer.OnAssociationError(
+				  Types::ErrorKind::WRONG_SEQUENCE, "received COOKIE-ECHO chunk with stale State Cookie");
+
+				return false;
+			}
+
+			return true;
+		}
+
 		void Association::OnT1InitTimer(uint64_t& /*baseTimeoutMs*/, bool& /*stop*/)
 		{
 			MS_TRACE();

package/worker/src/RTC/SCTP/association/StateCookie.cpp

@@ -4,6 +4,8 @@
 #include "RTC/SCTP/association/StateCookie.hpp"
 #include "Logger.hpp"
 #include "MediaSoupErrors.hpp"
+#include <cstring> // std::memcpy(), std::memcmp()
+#include <string_view>
 
 namespace RTC
 {
@@ -11,31 +13,6 @@ namespace RTC
 	{
 		/* Class methods. */
 
-		bool StateCookie::IsMediasoupStateCookie(const uint8_t* buffer, size_t bufferLength)
-		{
-			MS_TRACE();
-
-			if (bufferLength != StateCookie::StateCookieLength)
-			{
-				return false;
-			}
-
-			if (Utils::Byte::Get8Bytes(buffer, 0) != StateCookie::Magic1)
-			{
-				return false;
-			}
-
-			auto* negotiatedCapabilitiesField = reinterpret_cast<NegotiatedCapabilitiesField*>(
-			  const_cast<uint8_t*>(buffer) + StateCookie::NegotiatedCapabilitiesOffset);
-
-			if (ntohs(negotiatedCapabilitiesField->magic2) != StateCookie::Magic2)
-			{
-				return false;
-			}
-
-			return true;
-		}
-
 		StateCookie* StateCookie::Parse(const uint8_t* buffer, size_t bufferLength)
 		{
 			MS_TRACE();
@@ -61,7 +38,10 @@ namespace RTC
 		  uint32_t remoteInitialTsn,
 		  uint32_t remoteAdvertisedReceiverWindowCredit,
 		  uint64_t tieTag,
-		  const NegotiatedCapabilities& negotiatedCapabilities)
+		  const NegotiatedCapabilities& negotiatedCapabilities,
+		  uint64_t creationTimestampMs,
+		  const uint8_t* macKey,
+		  size_t macKeyLength)
 		{
 			MS_TRACE();
 
@@ -75,9 +55,15 @@ namespace RTC
 			  remoteInitialTsn,
 			  remoteAdvertisedReceiverWindowCredit,
 			  tieTag,
-			  negotiatedCapabilities);
+			  negotiatedCapabilities,
+			  creationTimestampMs,
+			  macKey,
+			  macKeyLength);
+
+			const size_t cookieLength = macKey != nullptr ? StateCookie::AuthenticatedStateCookieLength
+			                                              : StateCookie::StateCookieLength;
 
-			return new StateCookie(buffer, StateCookie::StateCookieLength);
+			return new StateCookie(buffer, cookieLength);
 		}
 
 		void StateCookie::Write(
@@ -89,11 +75,18 @@ namespace RTC
 		  uint32_t remoteInitialTsn,
 		  uint32_t remoteAdvertisedReceiverWindowCredit,
 		  uint64_t tieTag,
-		  const NegotiatedCapabilities& negotiatedCapabilities)
+		  const NegotiatedCapabilities& negotiatedCapabilities,
+		  uint64_t creationTimestampMs,
+		  const uint8_t* macKey,
+		  size_t macKeyLength)
 		{
 			MS_TRACE();
 
-			if (bufferLength < StateCookie::StateCookieLength)
+			const bool authenticate = macKey != nullptr;
+			const size_t cookieLength =
+			  authenticate ? StateCookie::AuthenticatedStateCookieLength : StateCookie::StateCookieLength;
+
+			if (bufferLength < cookieLength)
 			{
 				MS_THROW_TYPE_ERROR("buffer too small");
 			}
@@ -119,6 +112,65 @@ namespace RTC
 			  htons(negotiatedCapabilities.negotiatedMaxOutboundStreams);
 			negotiatedCapabilitiesField->negotiatedMaxInboundStreams =
 			  htons(negotiatedCapabilities.negotiatedMaxInboundStreams);
+
+			if (!authenticate)
+			{
+				return;
+			}
+
+			// Append the creation timestamp and the MAC computed over all preceding
+			// bytes (including the timestamp).
+			//
+			// @see RFC 9260 section 5.1.3.
+			Utils::Byte::Set8Bytes(buffer, StateCookie::TimestampOffset, creationTimestampMs);
+
+			const uint8_t* mac = Utils::Crypto::GetHmacSha1(
+			  reinterpret_cast<const char*>(macKey), macKeyLength, buffer, StateCookie::MacOffset);
+
+			std::memcpy(buffer + StateCookie::MacOffset, mac, StateCookie::MacLength);
+		}
+
+		bool StateCookie::IsMediasoupStateCookie(const uint8_t* buffer, size_t bufferLength)
+		{
+			MS_TRACE();
+
+			if (bufferLength != StateCookie::StateCookieLength && bufferLength != StateCookie::AuthenticatedStateCookieLength)
+			{
+				return false;
+			}
+
+			if (Utils::Byte::Get8Bytes(buffer, 0) != StateCookie::Magic1)
+			{
+				return false;
+			}
+
+			auto* negotiatedCapabilitiesField = reinterpret_cast<NegotiatedCapabilitiesField*>(
+			  const_cast<uint8_t*>(buffer) + StateCookie::NegotiatedCapabilitiesOffset);
+
+			if (ntohs(negotiatedCapabilitiesField->magic2) != StateCookie::Magic2)
+			{
+				return false;
+			}
+
+			return true;
+		}
+
+		bool StateCookie::VerifyMac(
+		  const uint8_t* buffer, size_t bufferLength, const uint8_t* macKey, size_t macKeyLength)
+		{
+			MS_TRACE();
+
+			// An authenticated cookie has a fixed length.
+			if (bufferLength != StateCookie::AuthenticatedStateCookieLength)
+			{
+				return false;
+			}
+
+			// Recompute the MAC over all bytes preceding the MAC field.
+			const uint8_t* expectedMac = Utils::Crypto::GetHmacSha1(
+			  reinterpret_cast<const char*>(macKey), macKeyLength, buffer, StateCookie::MacOffset);
+
+			return std::memcmp(buffer + StateCookie::MacOffset, expectedMac, StateCookie::MacLength) == 0;
 		}
 
 		Types::SctpImplementation StateCookie::DetermineSctpImplementation(
@@ -158,7 +210,13 @@ namespace RTC
 		{
 			MS_TRACE();
 
-			SetLength(StateCookie::StateCookieLength);
+			// The cookie length is determined by whether it carries a MAC. When the
+			// cookie is cloned into a larger buffer, `CloneInto()` will set the
+			// proper length afterwards.
+			SetLength(
+			  bufferLength == StateCookie::AuthenticatedStateCookieLength
+			    ? StateCookie::AuthenticatedStateCookieLength
+			    : StateCookie::StateCookieLength);
 		}
 
 		StateCookie::~StateCookie()
@@ -183,6 +241,13 @@ namespace RTC
 			  "  remote advertised receiver window credit: %" PRIu32,
 			  GetRemoteAdvertisedReceiverWindowCredit());
 			MS_DUMP_CLEAN(indentation, "  tie-tag: %" PRIu64, GetTieTag());
+			MS_DUMP_CLEAN(indentation, "  authenticated: %s", IsAuthenticated() ? "yes" : "no");
+
+			if (IsAuthenticated())
+			{
+				MS_DUMP_CLEAN(indentation, "  creation timestamp (ms): %" PRIu64, GetCreationTimestampMs());
+			}
+
 			negotiatedCapabilities.Dump(indentation + 1);
 			MS_DUMP_CLEAN(indentation, "</SCTP::StateCookie>");
 		}

package/worker/src/RTC/SCTP/association/StreamResetHandler.cpp

@@ -376,6 +376,10 @@ namespace RTC
 				  ReconfigurationResponseParameter::Result::SUCCESS_NOTHING_TO_DO);
 
 				reconfigurationResponseParameter->Consolidate();
+
+				this->lastProcessedReqSeqNbr = requestSn;
+				this->lastProcessedReqResult =
+				  ReconfigurationResponseParameter::Result::SUCCESS_NOTHING_TO_DO;
 			}
 			else
 			{