werift 0.22.8 → 0.23.0

package/lib/index.mjs

@@ -229,6 +229,105 @@ var BitStream = class {
   }
 };
 
+// ../common/src/crc.ts
+var POLY_CRC32 = 3988292384;
+var POLY_CRC32C = 2197175160;
+function isBufferLike(input) {
+  return typeof input !== "string";
+}
+function generateCRCTable(polynomial) {
+  const table = new Array(256);
+  let c = 0;
+  for (let n = 0; n < 256; ++n) {
+    c = n;
+    c = c & 1 ? polynomial ^ c >>> 1 : c >>> 1;
+    c = c & 1 ? polynomial ^ c >>> 1 : c >>> 1;
+    c = c & 1 ? polynomial ^ c >>> 1 : c >>> 1;
+    c = c & 1 ? polynomial ^ c >>> 1 : c >>> 1;
+    c = c & 1 ? polynomial ^ c >>> 1 : c >>> 1;
+    c = c & 1 ? polynomial ^ c >>> 1 : c >>> 1;
+    c = c & 1 ? polynomial ^ c >>> 1 : c >>> 1;
+    c = c & 1 ? polynomial ^ c >>> 1 : c >>> 1;
+    table[n] = c;
+  }
+  return new Int32Array(table);
+}
+function generateSliceBy16Tables(table0) {
+  const table = new Int32Array(4096);
+  let c = 0;
+  let v = 0;
+  let n = 0;
+  for (n = 0; n < 256; ++n) table[n] = table0[n];
+  for (n = 0; n < 256; ++n) {
+    v = table0[n];
+    for (c = 256 + n; c < 4096; c += 256) {
+      v = table[c] = v >>> 8 ^ table0[v & 255];
+    }
+  }
+  const out = [];
+  for (n = 1; n < 16; ++n) {
+    out[n - 1] = table.subarray(n * 256, n * 256 + 256);
+  }
+  return out;
+}
+function crcGenericString(value, seed, table0) {
+  let crc = seed ^ -1;
+  let i = 0;
+  const len = value.length;
+  let c = 0;
+  let d = 0;
+  while (i < len) {
+    c = value.charCodeAt(i++);
+    if (c < 128) {
+      crc = crc >>> 8 ^ table0[(crc ^ c) & 255];
+    } else if (c < 2048) {
+      crc = crc >>> 8 ^ table0[(crc ^ (192 | c >> 6 & 31)) & 255];
+      crc = crc >>> 8 ^ table0[(crc ^ (128 | c & 63)) & 255];
+    } else if (c >= 55296 && c < 57344) {
+      c = (c & 1023) + 64;
+      d = value.charCodeAt(i++) & 1023;
+      crc = crc >>> 8 ^ table0[(crc ^ (240 | c >> 8 & 7)) & 255];
+      crc = crc >>> 8 ^ table0[(crc ^ (128 | c >> 2 & 63)) & 255];
+      crc = crc >>> 8 ^ table0[(crc ^ (128 | d >> 6 & 15 | (c & 3) << 4)) & 255];
+      crc = crc >>> 8 ^ table0[(crc ^ (128 | d & 63)) & 255];
+    } else {
+      crc = crc >>> 8 ^ table0[(crc ^ (224 | c >> 12 & 15)) & 255];
+      crc = crc >>> 8 ^ table0[(crc ^ (128 | c >> 6 & 63)) & 255];
+      crc = crc >>> 8 ^ table0[(crc ^ (128 | c & 63)) & 255];
+    }
+  }
+  return ~crc >>> 0;
+}
+function crcBuffer(value, seed, table0, tables16) {
+  const [t1, t2, t3, t4, t5, t6, t7, t8, t9, ta, tb, tc, td, te, tf] = tables16;
+  let crc = seed ^ -1;
+  let i = 0;
+  let len = value.length - 15;
+  while (i < len) {
+    crc = tf[value[i++] ^ crc & 255] ^ te[value[i++] ^ crc >>> 8 & 255] ^ td[value[i++] ^ crc >>> 16 & 255] ^ tc[value[i++] ^ crc >>> 24] ^ tb[value[i++]] ^ ta[value[i++]] ^ t9[value[i++]] ^ t8[value[i++]] ^ t7[value[i++]] ^ t6[value[i++]] ^ t5[value[i++]] ^ t4[value[i++]] ^ t3[value[i++]] ^ t2[value[i++]] ^ t1[value[i++]] ^ table0[value[i++]];
+  }
+  for (len += 15; i < len; ) {
+    crc = crc >>> 8 ^ table0[(crc ^ value[i++]) & 255];
+  }
+  return ~crc >>> 0;
+}
+var table32 = generateCRCTable(POLY_CRC32);
+var tables32By16 = generateSliceBy16Tables(table32);
+var table32c = generateCRCTable(POLY_CRC32C);
+var tables32cBy16 = generateSliceBy16Tables(table32c);
+function crc32(input, seed = 0) {
+  if (isBufferLike(input)) {
+    return crcBuffer(input, seed, table32, tables32By16);
+  }
+  return crcGenericString(input, seed, table32);
+}
+function crc32c(input, seed = 0) {
+  if (isBufferLike(input)) {
+    return crcBuffer(input, seed, table32c, tables32cBy16);
+  }
+  return crcGenericString(input, seed, table32c);
+}
+
 // ../common/src/number.ts
 function uint8Add(a, b) {
   return a + b & 255;
@@ -4547,7 +4646,12 @@ import { createHmac as createHmac3 } from "crypto";
 import AES from "aes-js";
 
 // ../rtp/src/srtp/cipher/ctr.ts
-import { createCipheriv as createCipheriv2, createDecipheriv as createDecipheriv2, createHmac as createHmac2 } from "crypto";
+import {
+  createCipheriv as createCipheriv2,
+  createDecipheriv as createDecipheriv2,
+  createHmac as createHmac2,
+  timingSafeEqual
+} from "crypto";
 
 // ../rtp/src/srtp/cipher/index.ts
 var CipherAesBase = class {
@@ -4560,7 +4664,7 @@ var CipherAesBase = class {
   encryptRtp(header, payload, rolloverCounter) {
     return Buffer.from([]);
   }
-  decryptRtp(cipherText, rolloverCounter) {
+  decryptRtp(cipherText, rolloverCounter, header) {
     return [];
   }
   encryptRTCP(rawRtcp, srtcpIndex) {
@@ -4571,6 +4675,74 @@ var CipherAesBase = class {
   }
 };
 
+// ../rtp/src/srtp/error.ts
+var SrtpAuthenticationError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "SrtpAuthenticationError";
+  }
+};
+
+// ../rtp/src/srtp/packet.ts
+var minRtpHeaderSize = 12;
+var minRtcpPacketSize = 8;
+function parseSrtpRtpHeader(packet, authTagLength, message = "Failed to authenticate SRTP packet") {
+  const authTagOffset = packet.length - authTagLength;
+  assertAuthenticatedPacketLength(
+    packet.length >= minRtpHeaderSize + authTagLength,
+    message
+  );
+  const header = wrapAuthenticationError(
+    () => RtpHeader.deSerialize(packet.subarray(0, authTagOffset)),
+    message
+  );
+  header.paddingSize = 0;
+  assertAuthenticatedPacketLength(
+    header.payloadOffset >= minRtpHeaderSize && header.payloadOffset <= authTagOffset,
+    message
+  );
+  return header;
+}
+function parseSrtcpHeader(packet, authTagLength, srtcpIndexSize3, message = "Failed to authenticate SRTCP packet") {
+  assertAuthenticatedPacketLength(
+    packet.length >= minRtcpPacketSize + authTagLength + srtcpIndexSize3,
+    message
+  );
+  return wrapAuthenticationError(
+    () => RtcpHeader.deSerialize(packet.subarray(0, RTCP_HEADER_SIZE)),
+    message
+  );
+}
+function assertAuthenticatedPacketLength(condition, message) {
+  if (!condition) {
+    throw new SrtpAuthenticationError(message);
+  }
+}
+function wrapAuthenticationError(parse, message) {
+  try {
+    return parse();
+  } catch {
+    throw new SrtpAuthenticationError(message);
+  }
+}
+function finalizeSrtpRtpHeader(header, packet, message = "Failed to authenticate SRTP packet") {
+  if (!header.padding) {
+    header.paddingSize = 0;
+    return header;
+  }
+  assertAuthenticatedPacketLength(
+    packet.length > header.payloadOffset,
+    message
+  );
+  const paddingSize = packet[packet.length - 1];
+  assertAuthenticatedPacketLength(
+    paddingSize > 0 && paddingSize <= packet.length - header.payloadOffset,
+    message
+  );
+  header.paddingSize = paddingSize;
+  return header;
+}
+
 // ../rtp/src/srtp/cipher/ctr.ts
 var CipherAesCtr = class extends CipherAesBase {
   constructor(srtpSessionKey, srtpSessionSalt, srtcpSessionKey, srtcpSessionSalt, srtpSessionAuthTag, srtcpSessionAuthTag) {
@@ -4596,10 +4768,20 @@ var CipherAesCtr = class extends CipherAesBase {
     );
     return Buffer.concat([headerBuffer, enc, authTag]);
   }
-  decryptRtp(cipherText, rolloverCounter) {
-    const header = RtpHeader.deSerialize(cipherText);
-    const size = cipherText.length - this.authTagLength;
-    cipherText = cipherText.subarray(0, cipherText.length - this.authTagLength);
+  decryptRtp(cipherText, rolloverCounter, header = parseSrtpRtpHeader(cipherText, this.authTagLength)) {
+    const authTagOffset = cipherText.length - this.authTagLength;
+    const encryptedPacket = cipherText.subarray(0, authTagOffset);
+    const actualAuthTag = cipherText.subarray(authTagOffset);
+    const expectedAuthTag = this.generateSrtpAuthTag(
+      rolloverCounter,
+      encryptedPacket.subarray(0, header.payloadOffset),
+      encryptedPacket.subarray(header.payloadOffset)
+    );
+    assertAuthTag(
+      actualAuthTag,
+      expectedAuthTag,
+      "Failed to authenticate SRTP packet"
+    );
     const counter = this.generateCounter(
       header.sequenceNumber,
       rolloverCounter,
@@ -4611,14 +4793,16 @@ var CipherAesCtr = class extends CipherAesBase {
       this.srtpSessionKey,
       counter
     );
-    const payload = cipherText.subarray(header.payloadOffset);
+    const payload = encryptedPacket.subarray(header.payloadOffset);
     const buf = cipher.update(payload);
     const dst = Buffer.concat([
-      cipherText.subarray(0, header.payloadOffset),
-      buf,
-      Buffer.alloc(size - header.payloadOffset - buf.length)
+      encryptedPacket.subarray(0, header.payloadOffset),
+      buf
     ]);
-    return [dst, header];
+    return [
+      dst,
+      finalizeSrtpRtpHeader(header, dst, "Failed to authenticate SRTP packet")
+    ];
   }
   encryptRTCP(rtcpPacket, srtcpIndex) {
     let out = Buffer.from(rtcpPacket);
@@ -4640,15 +4824,29 @@ var CipherAesCtr = class extends CipherAesBase {
     return out;
   }
   decryptRTCP(encrypted) {
-    const header = RtcpHeader.deSerialize(encrypted);
+    const header = parseSrtcpHeader(
+      encrypted,
+      this.authTagLength,
+      srtcpIndexSize
+    );
     const tailOffset = encrypted.length - (this.authTagLength + srtcpIndexSize);
+    const authenticatedPortion = encrypted.subarray(
+      0,
+      encrypted.length - this.authTagLength
+    );
+    const actualTag = encrypted.subarray(encrypted.length - this.authTagLength);
+    const expectedTag = this.generateSrtcpAuthTag(authenticatedPortion);
+    assertAuthTag(
+      actualTag,
+      expectedTag,
+      "Failed to authenticate SRTCP packet"
+    );
     const out = Buffer.from(encrypted).slice(0, tailOffset);
-    const isEncrypted = encrypted[tailOffset] >> 7;
+    const isEncrypted = encrypted[tailOffset] >>> 7;
     if (isEncrypted === 0) return [out, header];
     let srtcpIndex = encrypted.readUInt32BE(tailOffset);
     srtcpIndex &= ~(1 << 31);
     const ssrc = encrypted.readUInt32BE(4);
-    const actualTag = encrypted.subarray(encrypted.length - 10);
     const counter = this.generateCounter(
       srtcpIndex & 65535,
       srtcpIndex >> 16,
@@ -4689,6 +4887,11 @@ var CipherAesCtr = class extends CipherAesBase {
   }
 };
 var srtcpIndexSize = 4;
+function assertAuthTag(actual, expected, message) {
+  if (actual.length !== expected.length || !timingSafeEqual(actual, expected)) {
+    throw new SrtpAuthenticationError(message);
+  }
+}
 
 // ../rtp/src/srtp/cipher/gcm.ts
 import { createCipheriv as createCipheriv3, createDecipheriv as createDecipheriv3 } from "crypto";
@@ -4711,20 +4914,25 @@ var CipherAesGcm = class extends CipherAesBase {
     const dst = Buffer.concat([hdr, enc, authTag]);
     return dst;
   }
-  decryptRtp(cipherText, rolloverCounter) {
-    const header = RtpHeader.deSerialize(cipherText);
+  decryptRtp(cipherText, rolloverCounter, header = parseSrtpRtpHeader(cipherText, this.aeadAuthTagLen)) {
+    const headerBuffer = cipherText.subarray(0, header.payloadOffset);
+    const authTagOffset = cipherText.length - this.aeadAuthTagLen;
+    const authTag = cipherText.subarray(authTagOffset);
     let dst = Buffer.from([]);
     dst = growBufferSize(dst, cipherText.length - this.aeadAuthTagLen);
-    cipherText.slice(0, header.payloadOffset).copy(dst);
+    headerBuffer.copy(dst);
     const iv = this.rtpInitializationVector(header, rolloverCounter);
-    const enc = cipherText.slice(
-      header.payloadOffset,
-      cipherText.length - this.aeadAuthTagLen
-    );
-    const cipher = createDecipheriv3("aes-128-gcm", this.srtpSessionKey, iv);
-    const dec = cipher.update(enc);
+    const enc = cipherText.slice(header.payloadOffset, authTagOffset);
+    const decipher = createDecipheriv3("aes-128-gcm", this.srtpSessionKey, iv);
+    decipher.setAAD(headerBuffer);
+    decipher.setAuthTag(authTag);
+    const dec = decipher.update(enc);
+    finalizeAuthenticatedDecryption(decipher, "SRTP");
     dec.copy(dst, header.payloadOffset);
-    return [dst, header];
+    return [
+      dst,
+      finalizeSrtpRtpHeader(header, dst, "Failed to authenticate SRTP packet")
+    ];
   }
   encryptRTCP(rtcpPacket, srtcpIndex) {
     const ssrc = rtcpPacket.readUInt32BE(4);
@@ -4745,19 +4953,38 @@ var CipherAesGcm = class extends CipherAesBase {
     return dst;
   }
   decryptRTCP(encrypted) {
-    const header = RtcpHeader.deSerialize(encrypted);
-    const aadPos = encrypted.length - srtcpIndexSize2;
-    const dst = Buffer.alloc(aadPos - this.aeadAuthTagLen);
-    encrypted.slice(0, 8).copy(dst);
+    const header = parseSrtcpHeader(
+      encrypted,
+      this.aeadAuthTagLen,
+      srtcpIndexSize2
+    );
+    const srtcpIndexOffset = encrypted.length - srtcpIndexSize2;
+    const authTagOffset = srtcpIndexOffset - this.aeadAuthTagLen;
     const ssrc = encrypted.readUInt32BE(4);
-    let srtcpIndex = encrypted.readUInt32BE(encrypted.length - 4);
-    srtcpIndex &= ~(rtcpEncryptionFlag << 24);
+    const encodedSrtcpIndex = encrypted.readUInt32BE(srtcpIndexOffset);
+    const isEncrypted = encodedSrtcpIndex >>> 31 === 1;
+    const srtcpIndex = encodedSrtcpIndex & ~(rtcpEncryptionFlag << 24);
     const iv = this.rtcpInitializationVector(ssrc, srtcpIndex);
-    const aad = this.rtcpAdditionalAuthenticatedData(encrypted, srtcpIndex);
-    const cipher = createDecipheriv3("aes-128-gcm", this.srtcpSessionKey, iv);
-    cipher.setAAD(aad);
-    const dec = cipher.update(encrypted.slice(8, aadPos));
-    dec.copy(dst, 8);
+    const aad = isEncrypted ? Buffer.concat([
+      encrypted.subarray(0, 8),
+      encrypted.subarray(srtcpIndexOffset)
+    ]) : Buffer.concat([
+      encrypted.subarray(0, authTagOffset),
+      encrypted.subarray(srtcpIndexOffset)
+    ]);
+    const cipherText = isEncrypted ? encrypted.slice(8, authTagOffset) : Buffer.alloc(0);
+    const dst = isEncrypted ? Buffer.alloc(authTagOffset) : Buffer.from(encrypted.subarray(0, authTagOffset));
+    if (isEncrypted) {
+      encrypted.slice(0, 8).copy(dst);
+    }
+    const decipher = createDecipheriv3("aes-128-gcm", this.srtcpSessionKey, iv);
+    decipher.setAAD(aad);
+    decipher.setAuthTag(encrypted.subarray(authTagOffset, srtcpIndexOffset));
+    const dec = decipher.update(cipherText);
+    finalizeAuthenticatedDecryption(decipher, "SRTCP");
+    if (isEncrypted) {
+      dec.copy(dst, 8);
+    }
     return [dst, header];
   }
   // https://tools.ietf.org/html/rfc7714#section-8.1
@@ -4793,6 +5020,15 @@ var CipherAesGcm = class extends CipherAesBase {
 };
 var srtcpIndexSize2 = 4;
 var rtcpEncryptionFlag = 128;
+function finalizeAuthenticatedDecryption(decipher, packetType) {
+  try {
+    decipher.final();
+  } catch {
+    throw new SrtpAuthenticationError(
+      `Failed to authenticate ${packetType} packet`
+    );
+  }
+}
 
 // ../rtp/src/srtp/context/context.ts
 var Context = class {
@@ -5050,12 +5286,29 @@ var SrtpContext2 = class extends Context {
     return enc;
   }
   decryptRtp(cipherText) {
-    const header = RtpHeader.deSerialize(cipherText);
-    const s = this.getSrtpSsrcState(header.ssrc);
-    this.updateRolloverCount(header.sequenceNumber, s);
-    const dec = this.cipher.decryptRtp(cipherText, s.rolloverCounter);
+    const header = parseSrtpRtpHeader(cipherText, this.rtpAuthTagLength);
+    const existingState = this.srtpSSRCStates[header.ssrc];
+    const nextState = existingState ? { ...existingState } : {
+      ssrc: header.ssrc,
+      rolloverCounter: 0,
+      lastSequenceNumber: 0
+    };
+    this.updateRolloverCount(header.sequenceNumber, nextState);
+    const dec = this.cipher.decryptRtp(
+      cipherText,
+      nextState.rolloverCounter,
+      header
+    );
+    if (existingState) {
+      Object.assign(existingState, nextState);
+    } else {
+      this.srtpSSRCStates[header.ssrc] = nextState;
+    }
     return dec;
   }
+  get rtpAuthTagLength() {
+    return this.profile === ProtectionProfileAeadAes128Gcm ? 16 : 10;
+  }
 };
 
 // ../rtp/src/srtp/srtp.ts
@@ -5797,6 +6050,9 @@ var DtlsSocket = class {
       this.sessionType === SessionType.CLIENT
     );
   }
+  get remoteCertificate() {
+    return this.cipher.remoteCertificate;
+  }
 };
 
 // ../dtls/src/client.ts
@@ -6185,6 +6441,16 @@ handlers2[16 /* client_key_exchange_16 */] = ({ cipher, dtls }) => (message) =>
   );
   log16(dtls.sessionId, "setup cipher", cipher.cipher.summary);
 };
+handlers2[11 /* certificate_11 */] = ({ cipher, dtls }) => (message) => {
+  log16(dtls.sessionId, "handshake certificate", message);
+  cipher.remoteCertificate = message.certificateList[0];
+};
+handlers2[15 /* certificate_verify_15 */] = ({ cipher, dtls }) => (message) => {
+  if (!cipher.remoteCertificate) {
+    throw new Error("client certificate missing before certificate verify");
+  }
+  log16(dtls.sessionId, "certificate_verify", message.algorithm);
+};
 handlers2[20 /* finished_20 */] = ({ dtls }) => (message) => {
   log16(dtls.sessionId, "finished", message);
 };
@@ -6251,7 +6517,14 @@ var DtlsServer = class extends DtlsSocket {
           {
             await this.waitForReady(() => !!this.flight6);
             this.flight6?.handleHandshake(handshake);
-            await this.waitForReady(() => this.dtls.checkHandshakesExist([16]));
+            const requiredHandshakes = [
+              16,
+              this.options.certificateRequest && 11,
+              this.options.certificateRequest && 15
+            ].filter((type) => typeof type === "number");
+            await this.waitForReady(
+              () => this.dtls.checkHandshakesExist(requiredHandshakes)
+            );
             await this.flight6?.exec();
             this.connected = true;
             this.onConnect.execute();
@@ -6320,7 +6593,6 @@ var methods = /* @__PURE__ */ ((methods2) => {
 
 // ../ice/src/stun/message.ts
 import { createHmac as createHmac4 } from "crypto";
-import crc32 from "buffer-crc32";
 
 // ../ice/src/helper.ts
 import { randomBytes as randomBytes5 } from "crypto";
@@ -6330,19 +6602,6 @@ function randomString(length) {
 function randomTransactionId() {
   return randomBytes5(12);
 }
-function bufferXor2(a, b) {
-  if (a.length !== b.length) {
-    throw new TypeError(
-      "[webrtc-stun] You can not XOR buffers which length are different"
-    );
-  }
-  const length = a.length;
-  const buffer2 = Buffer.allocUnsafe(length);
-  for (let i = 0; i < length; i++) {
-    buffer2[i] = a[i] ^ b[i];
-  }
-  return buffer2;
-}
 var PQueue = class {
   queue = [];
   wait = new Event();
@@ -6676,11 +6935,7 @@ function messageFingerprint(data) {
     data,
     data.length - HEADER_LENGTH + FINGERPRINT_LENGTH
   );
-  const crc32Buf = crc32(checkData);
-  const xorBuf = Buffer.alloc(4);
-  xorBuf.writeInt32BE(FINGERPRINT_XOR, 0);
-  const fingerprint2 = bufferXor2(crc32Buf, xorBuf);
-  return fingerprint2.readUInt32BE(0);
+  return (crc32(checkData) ^ FINGERPRINT_XOR) >>> 0;
 }
 function messageIntegrity(data, key) {
   const checkData = setBodyLength(
@@ -8519,6 +8774,9 @@ var EventTarget = class extends EventEmitter {
 
 // src/dataChannel.ts
 var log23 = debug("werift:packages/webrtc/src/dataChannel.ts");
+function getDataChannelMessageSize(data) {
+  return Buffer.isBuffer(data) ? data.length : Buffer.byteLength(data);
+}
 var RTCDataChannel = class extends EventTarget {
   constructor(sctp, parameters, sendOpen = true) {
     super();
@@ -8624,10 +8882,9 @@ var RTCDataChannel = class extends EventTarget {
     }
   }
   send(data) {
-    const size = Buffer.isBuffer(data) ? data.length : Buffer.byteLength(data);
+    const size = this.sctp.datachannelSend(this, data);
     this.messagesSent++;
     this.bytesSent += size;
-    this.sctp.datachannelSend(this, data);
   }
   close() {
     this.sctp.dataChannelClose(this);
@@ -9082,6 +9339,24 @@ function fingerprint(file, hashName) {
   const hash2 = createHash4(hashName).update(file).digest("hex");
   return colon(upper(hash2));
 }
+var fingerprintHashAlgorithms = {
+  sha1: "sha1",
+  "sha-1": "sha1",
+  sha224: "sha224",
+  "sha-224": "sha224",
+  sha256: "sha256",
+  "sha-256": "sha256",
+  sha384: "sha384",
+  "sha-384": "sha384",
+  sha512: "sha512",
+  "sha-512": "sha512"
+};
+function normalizeFingerprintAlgorithm(algorithm) {
+  return fingerprintHashAlgorithms[algorithm.trim().toLowerCase()];
+}
+function normalizeFingerprintValue(value) {
+  return value.replace(/[^0-9a-f]/gi, "").toLowerCase();
+}
 function isDtls(buf) {
   const firstByte = buf[0];
   return firstByte > 19 && firstByte < 64;
@@ -9538,13 +9813,18 @@ var RTCDtlsTransport = class _RTCDtlsTransport {
     return this.localCertificatePromise;
   }
   setRemoteParams(remoteParameters) {
-    this.remoteParameters = remoteParameters;
+    const fingerprints = deduplicateFingerprints([
+      ...this.remoteParameters?.fingerprints ?? [],
+      ...remoteParameters.fingerprints
+    ]);
+    const role = remoteParameters.role === "auto" && this.remoteParameters?.role ? this.remoteParameters.role : remoteParameters.role;
+    this.remoteParameters = new RTCDtlsParameters(fingerprints, role);
   }
   async start() {
     if (this.state !== "new") {
       throw new Error("state must be new");
     }
-    if (this.remoteParameters?.fingerprints.length === 0) {
+    if (!this.remoteParameters || this.remoteParameters.fingerprints.length === 0) {
       throw new Error("remote fingerprint not exist");
     }
     if (this.role === "auto") {
@@ -9563,8 +9843,8 @@ var RTCDtlsTransport = class _RTCDtlsTransport {
           signatureHash: this.localCertificate?.signatureHash,
           transport: createIceTransport(this.iceTransport.connection),
           srtpProfiles: this.srtpProfiles,
-          extendedMasterSecret: true
-          // certificateRequest: true,
+          extendedMasterSecret: true,
+          certificateRequest: true
         });
       } else {
         this.dtls = new DtlsClient({
@@ -9583,7 +9863,9 @@ var RTCDtlsTransport = class _RTCDtlsTransport {
         this.dataReceiver(buf);
       });
       this.dtls.onClose.subscribe(() => {
-        this.setState("closed");
+        if (this.state !== "failed") {
+          this.setState("closed");
+        }
       });
       this.dtls.onConnect.once(r);
       this.dtls.onError.once((error) => {
@@ -9600,16 +9882,70 @@ var RTCDtlsTransport = class _RTCDtlsTransport {
         });
       }
     });
+    try {
+      this.verifyRemoteCertificateFingerprint();
+    } catch (error) {
+      this.setState("failed");
+      this.dtls?.close();
+      throw error;
+    }
     if (this.srtpProfiles.length > 0) {
       this.startSrtp();
     }
-    this.dtls.onConnect.subscribe(() => {
-      this.updateSrtpSession();
-      this.setState("connected");
-    });
     this.setState("connected");
     log27("dtls connected");
   }
+  verifyRemoteCertificateFingerprint() {
+    if (!this.remoteParameters || this.remoteParameters.fingerprints.length === 0) {
+      throw new Error("remote fingerprint not exist");
+    }
+    const remoteCertificate = this.dtls?.remoteCertificate;
+    if (!remoteCertificate) {
+      throw new Error("remote certificate not available");
+    }
+    const supportedFingerprints = this.remoteParameters.fingerprints.flatMap(
+      ({ algorithm, value }) => {
+        const normalizedAlgorithm = normalizeFingerprintAlgorithm(algorithm);
+        if (!normalizedAlgorithm) {
+          return [];
+        }
+        const normalizedValue = normalizeFingerprintValue(value);
+        if (!normalizedValue) {
+          throw new Error("remote fingerprint value is empty");
+        }
+        return [{ normalizedAlgorithm, normalizedValue }];
+      }
+    );
+    if (supportedFingerprints.length === 0) {
+      throw new Error("no supported remote fingerprint algorithms");
+    }
+    const preferredAlgorithm = selectPreferredFingerprintAlgorithm(
+      supportedFingerprints
+    );
+    const expectedFingerprints = supportedFingerprints.filter(
+      ({ normalizedAlgorithm }) => normalizedAlgorithm === preferredAlgorithm
+    );
+    const actualFingerprints = expectedFingerprints.reduce(
+      (acc, { normalizedAlgorithm }) => {
+        if (!acc.has(normalizedAlgorithm)) {
+          acc.set(
+            normalizedAlgorithm,
+            normalizeFingerprintValue(
+              fingerprint(remoteCertificate, normalizedAlgorithm)
+            )
+          );
+        }
+        return acc;
+      },
+      /* @__PURE__ */ new Map()
+    );
+    const matched = expectedFingerprints.some(
+      ({ normalizedAlgorithm, normalizedValue }) => actualFingerprints.get(normalizedAlgorithm) === normalizedValue
+    );
+    if (!matched) {
+      throw new Error("remote certificate fingerprint mismatch");
+    }
+  }
   updateSrtpSession() {
     if (!this.dtls) throw new Error();
     const profile = this.dtls.srtp.srtpProfile;
@@ -9642,8 +9978,23 @@ var RTCDtlsTransport = class _RTCDtlsTransport {
       this.bytesReceived += data.length;
       this.packetsReceived++;
       if (isRtcp(data)) {
-        const dec = this.srtcp.decrypt(data);
-        const rtcpPackets = RtcpPacketConverter.deSerialize(dec);
+        let dec;
+        try {
+          dec = this.srtcp.decrypt(data);
+        } catch (error) {
+          if (error instanceof SrtpAuthenticationError) {
+            log27("dropping invalid SRTCP packet", error);
+            return;
+          }
+          throw error;
+        }
+        let rtcpPackets;
+        try {
+          rtcpPackets = RtcpPacketConverter.deSerialize(dec);
+        } catch (error) {
+          log27("dropping malformed SRTCP packet", error);
+          return;
+        }
         for (const rtcp of rtcpPackets) {
           try {
             this.onRtcp.execute(rtcp);
@@ -9652,8 +10003,23 @@ var RTCDtlsTransport = class _RTCDtlsTransport {
           }
         }
       } else {
-        const dec = this.srtp.decrypt(data);
-        const rtp = RtpPacket.deSerialize(dec);
+        let dec;
+        try {
+          dec = this.srtp.decrypt(data);
+        } catch (error) {
+          if (error instanceof SrtpAuthenticationError) {
+            log27("dropping invalid SRTP packet", error);
+            return;
+          }
+          throw error;
+        }
+        let rtp;
+        try {
+          rtp = RtpPacket.deSerialize(dec);
+        } catch (error) {
+          log27("dropping malformed SRTP packet", error);
+          return;
+        }
         try {
           this.onRtp.execute(rtp);
         } catch (error) {
@@ -9806,6 +10172,31 @@ var RTCDtlsParameters = class {
     this.role = role;
   }
 };
+var deduplicateFingerprints = (fingerprints) => {
+  const seen = /* @__PURE__ */ new Set();
+  return fingerprints.filter(({ algorithm, value }) => {
+    const key = `${normalizeFingerprintAlgorithm(algorithm) ?? algorithm.trim().toLowerCase()}:${normalizeFingerprintValue(value)}`;
+    if (seen.has(key)) {
+      return false;
+    }
+    seen.add(key);
+    return true;
+  });
+};
+var preferredFingerprintAlgorithms = [
+  "sha512",
+  "sha384",
+  "sha256",
+  "sha224",
+  "sha1"
+];
+var selectPreferredFingerprintAlgorithm = (fingerprints) => {
+  return preferredFingerprintAlgorithms.find(
+    (algorithm) => fingerprints.some(
+      ({ normalizedAlgorithm }) => normalizedAlgorithm === algorithm
+    )
+  ) ?? fingerprints[0].normalizedAlgorithm;
+};
 var IceTransport = class {
   constructor(ice) {
     this.ice = ice;
@@ -10173,7 +10564,6 @@ import { createHmac as createHmac5, randomBytes as randomBytes7 } from "crypto";
 import { jspack as jspack5 } from "@shinyoshiaki/jspack";
 
 // ../sctp/src/chunk.ts
-import crc32c from "turbo-crc32/crc32c.js";
 var Chunk = class _Chunk {
   constructor(flags = 0, _body = Buffer.from("")) {
     this.flags = flags;
@@ -10737,6 +11127,8 @@ var SCTP_RTO_INITIAL = 3;
 var SCTP_RTO_MIN = 1;
 var SCTP_RTO_MAX = 60;
 var SCTP_TSN_MODULO = 2 ** 32;
+var SCTP_SACK_DELAY_MS = 200;
+var SCTP_HEARTBEAT_INTERVAL = 30;
 var RECONFIG_MAX_STREAMS = 135;
 var SCTP_STATE_COOKIE = 7;
 var SCTP_SUPPORTED_CHUNK_EXT = 32776;
@@ -10768,6 +11160,8 @@ var SCTP = class _SCTP {
   started = false;
   state = "new";
   isServer = true;
+  isStopping = false;
+  isClosed = false;
   hmacKey = randomBytes7(16);
   localPartialReliability = true;
   localPort;
@@ -10779,6 +11173,10 @@ var SCTP = class _SCTP {
   // inbound
   advertisedRwnd = 1024 * 1024;
   // Receiver Window
+  peerAdvertisedRwnd = this.advertisedRwnd;
+  get peerRwnd() {
+    return Math.max(0, this.peerAdvertisedRwnd - this.flightSize);
+  }
   inboundStreams = {};
   _inboundStreamsCount = 0;
   _inboundStreamsMax = MAX_STREAMS;
@@ -10787,6 +11185,9 @@ var SCTP = class _SCTP {
   sackDuplicates = [];
   sackMisOrdered = /* @__PURE__ */ new Set();
   sackNeeded = false;
+  sackPacketCount = 0;
+  sackHasNewDataInPacket = false;
+  sackImmediate = false;
   sackTimeout;
   // # outbound
   cwnd = 3 * USERDATA_MAX_LENGTH;
@@ -10805,6 +11206,8 @@ var SCTP = class _SCTP {
   // acknowledgement
   partialBytesAcked = 0;
   sentQueue = [];
+  transmitting = false;
+  transmitRequested = false;
   // # reconfiguration
   /**初期TSNと同じ値に初期化される単調に増加する数です. これは、新しいre-configuration requestパラメーターを送信するたびに1ずつ増加します */
   reconfigRequestSeq = this.localTsn;
@@ -10830,8 +11233,13 @@ var SCTP = class _SCTP {
   /**Re-configuration Timer */
   timerReconfigHandle;
   timerReconfigFailures = 0;
+  timerHeartbeatHandle;
+  heartbeatInterval = SCTP_HEARTBEAT_INTERVAL;
   // etc
   ssthresh;
+  get isStopped() {
+    return this.isStopping || this.isClosed;
+  }
   get maxChannels() {
     if (this._inboundStreamsCount > 0) {
       return Math.min(this._inboundStreamsCount, this._outboundStreamsCount);
@@ -10850,6 +11258,7 @@ var SCTP = class _SCTP {
   }
   // call from dtls transport
   async handleData(data) {
+    if (this.isStopped) return;
     let expectedTag;
     const [, , verificationTag, chunks] = parsePacket2(data);
     const initChunk = chunks.filter((v) => v.type === InitChunk.type).length;
@@ -10864,17 +11273,41 @@ var SCTP = class _SCTP {
     if (verificationTag !== expectedTag) {
       return;
     }
+    this.sackHasNewDataInPacket = false;
     for (const chunk of chunks) {
       await this.receiveChunk(chunk);
     }
     if (this.sackNeeded) {
+      if (this.sackHasNewDataInPacket) {
+        this.sackPacketCount++;
+      }
+      if (this.sackPacketCount >= 2) {
+        this.sackImmediate = true;
+      }
+      await this.scheduleSack();
+    }
+  }
+  async scheduleSack() {
+    if (this.isStopped) return;
+    if (!this.sackNeeded) return;
+    if (this.sackImmediate) {
+      if (this.sackTimeout) {
+        clearTimeout(this.sackTimeout);
+        this.sackTimeout = void 0;
+      }
       await this.sendSack();
+      return;
     }
+    if (this.sackTimeout) return;
+    this.sackTimeout = setTimeout(() => {
+      this.sackTimeout = void 0;
+      this.sendSack().catch((err5) => {
+        log29("send delayed sack failed", err5.message);
+      });
+    }, SCTP_SACK_DELAY_MS);
   }
   async sendSack() {
-    if (this.sackTimeout) return;
-    await new Promise((r) => this.sackTimeout = setImmediate(r));
-    this.sackTimeout = void 0;
+    if (this.isStopped) return;
     if (!this.sackNeeded) return;
     const gaps = [];
     let gapNext;
@@ -10897,6 +11330,8 @@ var SCTP = class _SCTP {
     });
     this.sackDuplicates = [];
     this.sackNeeded = false;
+    this.sackPacketCount = 0;
+    this.sackImmediate = false;
   }
   async receiveChunk(chunk) {
     switch (chunk.type) {
@@ -10914,6 +11349,7 @@ var SCTP = class _SCTP {
           this.reconfigResponseSeq = tsnMinusOne(init.initialTsn);
           this.remoteVerificationTag = init.initiateTag;
           this.ssthresh = init.advertisedRwnd;
+          this.peerAdvertisedRwnd = init.advertisedRwnd;
           this.getExtensions(init.params);
           this._inboundStreamsCount = Math.min(
             init.outboundStreams,
@@ -10952,6 +11388,7 @@ var SCTP = class _SCTP {
           this.reconfigResponseSeq = tsnMinusOne(initAck.initialTsn);
           this.remoteVerificationTag = initAck.initiateTag;
           this.ssthresh = initAck.advertisedRwnd;
+          this.peerAdvertisedRwnd = initAck.advertisedRwnd;
           this.getExtensions(initAck.params);
           this._inboundStreamsCount = Math.min(
             initAck.outboundStreams,
@@ -11149,7 +11586,18 @@ var SCTP = class _SCTP {
   }
   receiveDataChunk(chunk) {
     this.sackNeeded = true;
-    if (this.markReceived(chunk.tsn)) return;
+    if (this.markReceived(chunk.tsn)) {
+      this.sackImmediate = true;
+      return;
+    }
+    this.sackHasNewDataInPacket = true;
+    this.sackImmediate = true;
+    if ((chunk.flags & SCTP_DATA_LAST_FRAG) === 0) {
+      this.sackImmediate = true;
+    }
+    if (this.sackMisOrdered.size > 0) {
+      this.sackImmediate = true;
+    }
     const inboundStream = this.getInboundStream(chunk.streamId);
     inboundStream.addChunk(chunk);
     this.advertisedRwnd -= chunk.userData.length;
@@ -11248,12 +11696,14 @@ var SCTP = class _SCTP {
     } else if (done > 0) {
       this.timer3Restart();
     }
+    this.peerAdvertisedRwnd = chunk.advertisedRwnd;
     this.updateAdvancedPeerAckPoint();
     await this.onSackReceived();
     await this.transmit();
   }
   receiveForwardTsnChunk(chunk) {
     this.sackNeeded = true;
+    this.sackImmediate = true;
     if (uint32Gte(this.lastReceivedTsn, chunk.cumulativeTsn)) {
       return;
     }
@@ -11360,17 +11810,29 @@ var SCTP = class _SCTP {
     if (ordered) {
       this.outboundStreamSeq[streamId] = uint16Add(streamSeqNum, 1);
     }
-    if (!this.timer3Handle) {
-      await this.transmit();
-    } else {
-      if (this.outboundQueue.length) {
-        await this.flush.asPromise();
-      } else {
-        await new Promise((r) => setImmediate(r));
-      }
+    await this.transmit();
+    while (this.outboundQueue.length) {
+      await this.flush.asPromise();
     }
   };
   async transmit() {
+    if (this.isStopped) return;
+    if (this.transmitting) {
+      this.transmitRequested = true;
+      return;
+    }
+    this.transmitting = true;
+    try {
+      do {
+        this.transmitRequested = false;
+        await this.transmitOnce();
+      } while (this.transmitRequested);
+    } finally {
+      this.transmitting = false;
+    }
+  }
+  async transmitOnce() {
+    if (this.isStopped) return;
     if (this.forwardTsnChunk) {
       await this.sendChunk(this.forwardTsnChunk).catch((err5) => {
         log29("send forwardTsn failed", err5.message);
@@ -11388,7 +11850,7 @@ var SCTP = class _SCTP {
         if (this.fastRecoveryTransmit) {
           this.fastRecoveryTransmit = false;
         } else if (this.flightSize >= cwnd) {
-          return;
+          break;
         }
         this.flightSizeIncrease(dataChunk);
         dataChunk.misses = 0;
@@ -11403,9 +11865,13 @@ var SCTP = class _SCTP {
       }
       retransmitEarliest = false;
     }
-    while (this.outboundQueue.length > 0) {
+    while (this.outboundQueue.length > 0 && this.flightSize < cwnd && this.peerRwnd > 0) {
       const chunk = this.outboundQueue.shift();
-      if (!chunk) return;
+      if (!chunk) break;
+      if (chunk.bookSize > this.peerRwnd && this.flightSize > 0) {
+        this.outboundQueue.unshift(chunk);
+        break;
+      }
       this.sentQueue.push(chunk);
       this.flightSizeIncrease(chunk);
       chunk.sentCount++;
@@ -11417,7 +11883,9 @@ var SCTP = class _SCTP {
         this.timer3Start();
       }
     }
-    this.outboundQueue = [];
+    if (!this.outboundQueue.length) {
+      this.outboundQueue = [];
+    }
     this.flush.execute();
   }
   async transmitReconfigRequest() {
@@ -11470,16 +11938,19 @@ var SCTP = class _SCTP {
     this.timer1Handle = setTimeout(this.timer1Expired, this.rto * 1e3);
   }
   timer1Expired = () => {
+    if (this.isStopped) return;
     this.timer1Failures++;
     this.timer1Handle = void 0;
     if (this.timer1Failures > SCTP_MAX_INIT_RETRANS) {
       this.setState(1 /* CLOSED */);
     } else {
       setImmediate(() => {
+        if (this.isStopped) return;
         this.sendChunk(this.timer1Chunk).catch((err5) => {
           log29("send timer1 chunk failed", err5.message);
         });
       });
+      if (this.isStopped) return;
       this.timer1Handle = setTimeout(this.timer1Expired, this.rto * 1e3);
     }
   };
@@ -11498,16 +11969,19 @@ var SCTP = class _SCTP {
     this.timer2Handle = setTimeout(this.timer2Expired, this.rto * 1e3);
   }
   timer2Expired = () => {
+    if (this.isStopped) return;
     this.timer2Failures++;
     this.timer2Handle = void 0;
     if (this.timer2Failures > SCTP_MAX_ASSOCIATION_RETRANS) {
       this.setState(1 /* CLOSED */);
     } else {
       setImmediate(() => {
+        if (this.isStopped) return;
         this.sendChunk(this.timer2Chunk).catch((err5) => {
           log29("send timer2Chunk failed", err5.message);
         });
       });
+      if (this.isStopped) return;
       this.timer2Handle = setTimeout(this.timer2Expired, this.rto * 1e3);
     }
   };
@@ -11520,14 +11994,17 @@ var SCTP = class _SCTP {
   }
   /**t3 is wait for data sack */
   timer3Start() {
+    if (this.isStopped) return;
     if (this.timer3Handle) throw new Error();
     this.timer3Handle = setTimeout(this.timer3Expired, this.rto * 1e3);
   }
   timer3Restart() {
+    if (this.isStopped) return;
     this.timer3Cancel();
-    this.timer3Handle = setTimeout(this.timer3Expired, this.rto);
+    this.timer3Handle = setTimeout(this.timer3Expired, this.rto * 1e3);
   }
   timer3Expired = () => {
+    if (this.isStopped) return;
     this.timer3Handle = void 0;
     this.sentQueue.forEach((chunk) => {
       if (!this.maybeAbandon(chunk)) {
@@ -11553,6 +12030,7 @@ var SCTP = class _SCTP {
   }
   /**Re-configuration Timer */
   timerReconfigHandleStart() {
+    if (this.isStopped) return;
     if (this.timerReconfigHandle) return;
     log29("timerReconfigHandleStart", { rto: this.rto });
     this.timerReconfigFailures = 0;
@@ -11562,6 +12040,7 @@ var SCTP = class _SCTP {
     );
   }
   timerReconfigHandleExpired = async () => {
+    if (this.isStopped) return;
     this.timerReconfigFailures++;
     this.rto = Math.ceil(this.rto * 1.5);
     if (this.timerReconfigFailures > SCTP_MAX_ASSOCIATION_RETRANS) {
@@ -11571,6 +12050,7 @@ var SCTP = class _SCTP {
     } else if (this.reconfigRequest) {
       log29("timerReconfigHandleExpired", this.timerReconfigFailures, this.rto);
       await this.sendReconfigParam(this.reconfigRequest);
+      if (this.isStopped) return;
       this.timerReconfigHandle = setTimeout(
         this.timerReconfigHandleExpired,
         this.rto * 1e3
@@ -11585,6 +12065,47 @@ var SCTP = class _SCTP {
       this.timerReconfigFailures = 0;
     }
   }
+  heartbeatStart() {
+    if (this.timerHeartbeatHandle || this.associationState !== 4 /* ESTABLISHED */) {
+      return;
+    }
+    this.timerHeartbeatHandle = setTimeout(
+      this.timerHeartbeatExpired,
+      (this.rto + this.heartbeatInterval) * 1e3
+    );
+  }
+  heartbeatRestart() {
+    this.heartbeatCancel();
+    this.heartbeatStart();
+  }
+  heartbeatCancel() {
+    if (this.timerHeartbeatHandle) {
+      clearTimeout(this.timerHeartbeatHandle);
+      this.timerHeartbeatHandle = void 0;
+    }
+  }
+  timerHeartbeatExpired = async () => {
+    this.timerHeartbeatHandle = void 0;
+    if (this.associationState !== 4 /* ESTABLISHED */) return;
+    if (this.flightSize === 0 && this.outboundQueue.length === 0) {
+      const heartbeat = new HeartbeatChunk();
+      heartbeat.params.push([
+        1,
+        Buffer.from(jspack5.Pack("!L", [Math.floor(Date.now() / 1e3)]))
+      ]);
+      await this.sendChunk(heartbeat).catch((err5) => {
+        log29("send heartbeat failed", err5.message);
+      });
+    }
+    this.heartbeatStart();
+  };
+  setHeartbeatInterval(interval) {
+    if (interval <= 0) {
+      throw new Error("heartbeat interval must be > 0");
+    }
+    this.heartbeatInterval = interval;
+    this.heartbeatRestart();
+  }
   updateAdvancedPeerAckPoint() {
     if (uint32Gt(this.lastSackedTsn, this.advancedPeerAckTsn)) {
       this.advancedPeerAckTsn = this.lastSackedTsn;
@@ -11696,12 +12217,21 @@ var SCTP = class _SCTP {
       this.associationState = state;
     }
     if (state === 4 /* ESTABLISHED */) {
+      this.isStopping = false;
+      this.isClosed = false;
       this.setConnectionState("connected");
+      this.heartbeatStart();
     } else if (state === 1 /* CLOSED */) {
+      this.isClosed = true;
       this.timer1Cancel();
       this.timer2Cancel();
       this.timer3Cancel();
       this.timerReconfigCancel();
+      this.heartbeatCancel();
+      if (this.sackTimeout) {
+        clearTimeout(this.sackTimeout);
+        this.sackTimeout = void 0;
+      }
       this.setConnectionState("closed");
       this.removeAllListeners();
     }
@@ -11712,6 +12242,16 @@ var SCTP = class _SCTP {
     this.stateChanged[state].execute();
   }
   async stop() {
+    if (this.isStopped) {
+      this.setState(1 /* CLOSED */);
+      return;
+    }
+    this.isStopping = true;
+    this.transport.onData = void 0;
+    if (this.sackTimeout) {
+      clearTimeout(this.sackTimeout);
+      this.sackTimeout = void 0;
+    }
     if (this.associationState !== 1 /* CLOSED */) {
       await this.abort();
     }
@@ -11720,6 +12260,8 @@ var SCTP = class _SCTP {
     clearTimeout(this.timer2Handle);
     clearTimeout(this.timer3Handle);
     clearTimeout(this.timerReconfigHandle);
+    clearTimeout(this.timerHeartbeatHandle);
+    clearTimeout(this.sackTimeout);
   }
   async abort() {
     const abort = new AbortChunk();
@@ -11832,9 +12374,11 @@ function tsnPlusOne(a) {
 
 // src/transport/sctp.ts
 var log30 = debug("werift:packages/webrtc/src/transport/sctp.ts");
-var RTCSctpTransport = class {
-  constructor(port = 5e3) {
+var DEFAULT_MAX_MESSAGE_SIZE = 65536;
+var RTCSctpTransport = class _RTCSctpTransport {
+  constructor(port = 5e3, maxMessageSize = DEFAULT_MAX_MESSAGE_SIZE) {
     this.port = port;
+    this.maxMessageSize = maxMessageSize;
   }
   dtlsTransport;
   sctp;
@@ -11844,6 +12388,7 @@ var RTCSctpTransport = class {
   mLineIndex;
   bundled = false;
   dataChannels = {};
+  remoteMaxMessageSize = DEFAULT_MAX_MESSAGE_SIZE;
   dataChannelQueue = [];
   dataChannelId;
   eventDisposer = [];
@@ -12045,7 +12590,6 @@ var RTCSctpTransport = class {
   }
   async dataChannelFlush() {
     if (this.sctp.associationState != 4 /* ESTABLISHED */) return;
-    if (this.sctp.outboundQueue.length > 0) return;
     while (this.dataChannelQueue.length > 0) {
       const [channel, protocol, userData] = this.dataChannelQueue.shift();
       let streamId = channel.id;
@@ -12073,18 +12617,35 @@ var RTCSctpTransport = class {
     }
     this.dataChannelQueue = [];
   }
+  assertSendableMessageSize(size) {
+    if (this.remoteMaxMessageSize !== 0 && size > this.remoteMaxMessageSize) {
+      throw new Error(
+        `max-message-size exceeded: ${size} > ${this.remoteMaxMessageSize}`
+      );
+    }
+  }
   datachannelSend = (channel, data) => {
-    channel.addBufferedAmount(data.length);
+    const userData = Buffer.isBuffer(data) ? data : Buffer.from(data);
+    const size = getDataChannelMessageSize(data);
+    this.assertSendableMessageSize(size);
+    channel.addBufferedAmount(size);
     this.dataChannelQueue.push(
-      typeof data === "string" ? [channel, WEBRTC_STRING, Buffer.from(data)] : [channel, WEBRTC_BINARY, data]
+      typeof data === "string" ? [channel, WEBRTC_STRING, userData] : [channel, WEBRTC_BINARY, userData]
     );
     if (this.sctp.associationState !== 4 /* ESTABLISHED */) {
       log30("sctp not established", this.sctp.associationState);
     }
     this.dataChannelFlush();
+    return size;
   };
-  static getCapabilities() {
-    return new RTCSctpCapabilities2(65536);
+  getCapabilities() {
+    return _RTCSctpTransport.getCapabilities(this.maxMessageSize);
+  }
+  static getCapabilities(maxMessageSize = DEFAULT_MAX_MESSAGE_SIZE) {
+    return new RTCSctpCapabilities2(maxMessageSize);
+  }
+  setRemoteMaxMessageSize(maxMessageSize) {
+    this.remoteMaxMessageSize = maxMessageSize ?? DEFAULT_MAX_MESSAGE_SIZE;
   }
   setRemotePort(port) {
     this.sctp.setRemotePort(port);
@@ -13775,8 +14336,8 @@ var SctpTransportManager = class {
   onDataChannel = new Event();
   constructor() {
   }
-  createSctpTransport() {
-    const sctp = new RTCSctpTransport();
+  createSctpTransport(maxMessageSize) {
+    const sctp = new RTCSctpTransport(5e3, maxMessageSize);
     sctp.mid = void 0;
     sctp.onDataChannel.subscribe((channel) => {
       this.dataChannelsOpened++;
@@ -13834,6 +14395,9 @@ var SctpTransportManager = class {
     if (!this.sctpTransport) {
       return;
     }
+    this.sctpTransport.setRemoteMaxMessageSize(
+      remoteMedia.sctpCapabilities?.maxMessageSize
+    );
     this.sctpRemotePort = remoteMedia.sctpPort;
     if (!this.sctpRemotePort) {
       throw new Error("sctpRemotePort not exist");
@@ -13974,7 +14538,7 @@ var SDPManager = class {
     );
     media.sctpPort = sctp.port;
     media.rtp.muxId = sctp.mid;
-    media.sctpCapabilities = RTCSctpTransport.getCapabilities();
+    media.sctpCapabilities = sctp.getCapabilities();
     this.addTransportDescription(media, sctp.dtlsTransport);
     return media;
   }
@@ -14112,7 +14676,7 @@ var SDPManager = class {
       description.media.push(this.createMediaDescriptionForSctp(sctpTransport));
     }
     if (this.bundlePolicy !== "disable") {
-      const mids = description.media.map((m) => m.direction !== "inactive" ? m.rtp.muxId : void 0).filter((v) => v);
+      const mids = description.media.map((m) => m.rtp.muxId).filter((v) => v);
       if (mids.length) {
         const bundle = new GroupDescription("BUNDLE", mids);
         description.group.push(bundle);
@@ -14182,7 +14746,7 @@ var SDPManager = class {
     if (this.bundlePolicy !== "disable") {
       const bundle = new GroupDescription("BUNDLE", []);
       for (const media of description.media) {
-        if (media.direction !== "inactive") {
+        if (media.rtp.muxId) {
           bundle.items.push(media.rtp.muxId);
         }
       }
@@ -14307,7 +14871,9 @@ var SecureTransportManager = class {
     );
   }
   createTransport() {
-    const [existing] = this.iceTransports;
+    const existing = this.iceTransports.find(
+      (transport) => transport.state !== "closed"
+    );
     const iceGatherer = new RTCIceGatherer({
       ...parseIceServers(this.config.iceServers),
       forceTurn: this.config.iceTransportPolicy === "relay",
@@ -14562,6 +15128,7 @@ var RTCPeerConnection = class extends EventTarget {
   secureManager;
   isClosed = false;
   shouldNegotiationneeded = false;
+  remoteBundleNegotiated = false;
   iceGatheringStateChange = new Event();
   iceConnectionStateChange = new Event();
   signalingStateChange = new Event();
@@ -14711,6 +15278,12 @@ var RTCPeerConnection = class extends EventTarget {
       if (min === max) throw new Error("should not be same value");
       if (min >= max) throw new Error("The min must be less than max");
     }
+    if (!Number.isInteger(this.config.maxMessageSize) || this.config.maxMessageSize < 0) {
+      throw new Error("maxMessageSize must be a non-negative integer");
+    }
+    if (this.sctpManager?.sctpTransport) {
+      this.sctpManager.sctpTransport.maxMessageSize = this.config.maxMessageSize;
+    }
     for (const [i, codecParams] of enumerate2([
       ...this.config.codecs.audio || [],
       ...this.config.codecs.video || []
@@ -14767,7 +15340,9 @@ var RTCPeerConnection = class extends EventTarget {
     return description.toJSON();
   }
   createSctpTransport() {
-    const sctp = this.sctpManager.createSctpTransport();
+    const sctp = this.sctpManager.createSctpTransport(
+      this.config.maxMessageSize
+    );
     const dtlsTransport = this.findOrCreateTransport();
     sctp.setDtlsTransport(dtlsTransport);
     return sctp;
@@ -14804,10 +15379,13 @@ var RTCPeerConnection = class extends EventTarget {
     });
   };
   findOrCreateTransport() {
-    const [existing] = this.iceTransports;
-    if (this.sdpManager.bundlePolicy === "max-bundle" || this.sdpManager.bundlePolicy !== "disable" && this.remoteIsBundled) {
-      if (existing) {
-        return this.dtlsTransports[0];
+    const existingDtlsTransport = this.dtlsTransports.find(
+      (transport) => transport.state !== "closed"
+    );
+    const existing = existingDtlsTransport?.iceTransport;
+    if (this.sdpManager.bundlePolicy === "max-bundle" || this.sdpManager.bundlePolicy !== "disable" && (this.remoteIsBundled || this.remoteBundleNegotiated)) {
+      if (existingDtlsTransport) {
+        return existingDtlsTransport;
       }
     }
     const dtlsTransport = this.secureManager.createTransport();
@@ -14979,6 +15557,11 @@ var RTCPeerConnection = class extends EventTarget {
       sessionDescription,
       this.signalingState
     );
+    if (remoteSdp.group.some(
+      (group) => group.semantic === "BUNDLE" && group.items.length > 0
+    )) {
+      this.remoteBundleNegotiated = true;
+    }
     let bundleTransport;
     const matchTransceiverWithMedia = (transceiver, media) => transceiver.kind === media.kind && [void 0, media.rtp.muxId].includes(transceiver.mid);
     let transports = remoteSdp.media.map((remoteMedia, i) => {
@@ -15196,7 +15779,8 @@ function generateDefaultPeerConfig() {
     bundlePolicy: "max-compat",
     debug: {},
     midSuffix: false,
-    forceTurnTCP: false
+    forceTurnTCP: false,
+    maxMessageSize: DEFAULT_MAX_MESSAGE_SIZE
   };
 }
 var defaultPeerConfig = generateDefaultPeerConfig();
@@ -15249,14 +15833,15 @@ var TransceiverManager = class {
     newTransceiver.options = options;
     this.router.registerRtpSender(newTransceiver.sender);
     const inactiveTransceiverIndex = this.transceivers.findIndex(
-      (t) => t.currentDirection === "inactive"
+      (t) => t.currentDirection === "inactive" && !t.usedForSender
     );
     const inactiveTransceiver = this.transceivers.find(
-      (t) => t.currentDirection === "inactive"
+      (t) => t.currentDirection === "inactive" && !t.usedForSender
     );
     if (inactiveTransceiverIndex > -1 && inactiveTransceiver) {
       this.replaceTransceiver(newTransceiver, inactiveTransceiverIndex);
       newTransceiver.mLineIndex = inactiveTransceiver.mLineIndex;
+      newTransceiver.mid = inactiveTransceiver.mid;
       inactiveTransceiver.setCurrentDirection(void 0);
     } else {
       this.pushTransceiver(newTransceiver);
@@ -15543,6 +16128,7 @@ export {
   Connection,
   ConnectionStates,
   CurveType,
+  DEFAULT_MAX_MESSAGE_SIZE,
   DePacketizerBase,
   Directions,
   DtlsClient,
@@ -15646,6 +16232,7 @@ export {
   SourceDescriptionChunk,
   SourceDescriptionItem,
   SrtcpSession,
+  SrtpAuthenticationError,
   SrtpContext,
   SrtpSession,
   SsrcDescription,
@@ -15680,6 +16267,8 @@ export {
   codecParametersFromString,
   codecParametersToString,
   compactNtp,
+  crc32,
+  crc32c,
   createBufferWriter,
   createSelfSignedCertificate,
   createStunOverTurnClient,
@@ -15702,6 +16291,7 @@ export {
   fingerprint,
   generateStatsId,
   getBit,
+  getDataChannelMessageSize,
   getGlobalIp,
   getHostAddresses,
   getStatsTimestamp,
@@ -15720,6 +16310,8 @@ export {
   milliTime,
   nodeIpAddress,
   normalizeFamilyNodeV18,
+  normalizeFingerprintAlgorithm,
+  normalizeFingerprintValue,
   ntpTime,
   ntpTime2Sec,
   paddingBits,