Adding upstream version 86.0.1.upstream/86.0.1 upstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
author: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-28 14:29:10 +0000
committer: Daniel Baumann <daniel.baumann@progress-linux.org> 2024-04-28 14:29:10 +0000
commit: 2aa4a82499d4becd2284cdb482213d541b8804dd (patch)
tree: b80bf8bf13c3766139fbacc530efd0dd9d54394c /netwerk/srtp
parent: Initial commit. (diff)
download: firefox-2aa4a82499d4becd2284cdb482213d541b8804dd.tar.xz
firefox-2aa4a82499d4becd2284cdb482213d541b8804dd.zip
83 files changed, 30815 insertions, 0 deletions
diff --git a/netwerk/srtp/src/LICENSE b/netwerk/srtp/src/LICENSE
new file mode 100644
index 0000000000..af0a2ac312
--- /dev/null
+++ b/netwerk/srtp/src/LICENSE
@@ -0,0 +1,35 @@
+/*
+ *	
+ * Copyright (c) 2001-2017 Cisco Systems, Inc.
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ * 
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ * 
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
diff --git a/netwerk/srtp/src/README.md b/netwerk/srtp/src/README.md
new file mode 100644
index 0000000000..3f1e5bbfde
--- /dev/null
+++ b/netwerk/srtp/src/README.md
@@ -0,0 +1,487 @@
+[![Build Status](https://travis-ci.org/cisco/libsrtp.svg?branch=master)](https://travis-ci.org/cisco/libsrtp)
+[![Coverity Scan Build Status](https://scan.coverity.com/projects/14274/badge.svg)](https://scan.coverity.com/projects/cisco-libsrtp)
+
+<a name="introduction-to-libsrtp"></a>
+# Introduction to libSRTP
+
+This package provides an implementation of the Secure Real-time
+Transport Protocol (SRTP), the Universal Security Transform (UST), and
+a supporting cryptographic kernel. The SRTP API is documented in include/srtp.h,
+and the library is in libsrtp2.a (after compilation).
+
+This document describes libSRTP, the Open Source Secure RTP library
+from Cisco Systems, Inc. RTP is the Real-time Transport Protocol, an
+IETF standard for the transport of real-time data such as telephony,
+audio, and video, defined by [RFC 3550](https://www.ietf.org/rfc/rfc3550.txt).
+Secure RTP (SRTP) is an RTP profile for providing confidentiality to RTP data
+and authentication to the RTP header and payload. SRTP is an IETF Standard,
+defined in [RFC 3711](https://www.ietf.org/rfc/rfc3711.txt), and was developed
+in the IETF Audio/Video Transport (AVT) Working Group. This library supports
+all of the mandatory features of SRTP, but not all of the optional features. See
+the [Supported Features](#supported-features) section for more detailed information.
+
+This document is also used to generate the documentation files in the /doc/
+folder where a more detailed reference to the libSRTP API and related functions
+can be created (requires installing doxygen.). The reference material is created
+automatically from comments embedded in some of the C header files. The
+documentation is organized into modules in order to improve its clarity. These
+modules do not directly correspond to files. An underlying cryptographic kernel
+provides much of the basic functionality of libSRTP but is mostly undocumented
+because it does its work behind the scenes.
+
+--------------------------------------------------------------------------------
+
+<a name="contact"></a>
+# Contact Us
+
+- [libsrtp@lists.packetizer.com](mailto:libsrtp@lists.packetizer.com) general mailing list for news / announcements / discussions. This is an open list, see
+[https://lists.packetizer.com/mailman/listinfo/libsrtp](https://lists.packetizer.com/mailman/listinfo/libsrtp) for singing up.
+
+- [libsrtp-security@lists.packetizer.com](mailto:libsrtp-security@lists.packetizer.com) for disclosing security issues to the libsrtp maintenance team. This is a closed list but anyone can send to it.
+
+
+--------------------------------------------------------------------------------
+
+<a name="contents"></a>
+## Contents
+
+- [Introduction to libSRTP](#introduction-to-libsrtp)
+  - [Contact Us](#contact)
+  - [Contents](#contents)
+- [License and Disclaimer](#license-and-disclaimer)
+- [libSRTP Overview](#libsrtp-overview)
+  - [Secure RTP Background](#secure-rtp-background)
+  - [Supported Features](#supported-features)
+  - [Implementation Notes](#implementation-notes)
+- [Installing and Building libSRTP](#installing-and-building-libsrtp)
+  - [Changing Build Configuration](#changing-build-configuration)
+- [Applications](#applications)
+  - [Example Code](#example-code)
+- [Credits](#credits)
+- [References](#references)
+
+--------------------------------------------------------------------------------
+
+<a name="license-and-disclaimer"></a>
+# License and Disclaimer
+
+libSRTP is distributed under the following license, which is included
+in the source code distribution. It is reproduced in the manual in
+case you got the library from another source.
+
+> Copyright (c) 2001-2017 Cisco Systems, Inc.  All rights reserved.
+>
+> Redistribution and use in source and binary forms, with or without
+> modification, are permitted provided that the following conditions
+> are met:
+>
+> - Redistributions of source code must retain the above copyright
+>   notice, this list of conditions and the following disclaimer.
+> - Redistributions in binary form must reproduce the above copyright
+>   notice, this list of conditions and the following disclaimer in
+>   the documentation and/or other materials provided with the distribution.
+> - Neither the name of the Cisco Systems, Inc. nor the names of its
+>   contributors may be used to endorse or promote products derived
+>   from this software without specific prior written permission.
+>
+> THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+> "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+> LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+> FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+> COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+> INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+> (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+> SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+> HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+> STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+> ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+> OF THE POSSIBILITY OF SUCH DAMAGE.
+
+--------------------------------------------------------------------------------
+
+<a name="libsrtp-overview"></a>
+# libSRTP Overview
+
+libSRTP provides functions for protecting RTP and RTCP.  RTP packets
+can be encrypted and authenticated (using the `srtp_protect()`
+function), turning them into SRTP packets. Similarly, SRTP packets
+can be decrypted and have their authentication verified (using the
+`srtp_unprotect()` function), turning them into RTP packets. Similar
+functions apply security to RTCP packets.
+
+The typedef `srtp_stream_t` points to a structure holding all of the
+state associated with an SRTP stream, including the keys and
+parameters for cipher and message authentication functions and the
+anti-replay data. A particular `srtp_stream_t` holds the information
+needed to protect a particular RTP and RTCP stream. This datatype
+is intentionally opaque in order to better seperate the libSRTP
+API from its implementation.
+
+Within an SRTP session, there can be multiple streams, each
+originating from a particular sender. Each source uses a distinct
+stream context to protect the RTP and RTCP stream that it is
+originating. The typedef `srtp_t` points to a structure holding all of
+the state associated with an SRTP session. There can be multiple
+stream contexts associated with a single `srtp_t`. A stream context
+cannot exist indepent from an `srtp_t`, though of course an `srtp_t` can
+be created that contains only a single stream context. A device
+participating in an SRTP session must have a stream context for each
+source in that session, so that it can process the data that it
+receives from each sender.
+
+In libSRTP, a session is created using the function `srtp_create()`.
+The policy to be implemented in the session is passed into this
+function as an `srtp_policy_t` structure. A single one of these
+structures describes the policy of a single stream. These structures
+can also be linked together to form an entire session policy. A linked
+list of `srtp_policy_t` structures is equivalent to a session policy.
+In such a policy, we refer to a single `srtp_policy_t` as an *element*.
+
+An `srtp_policy_t` strucutre contains two `crypto_policy_t` structures
+that describe the cryptograhic policies for RTP and RTCP, as well as
+the SRTP master key and the SSRC value. The SSRC describes what to
+protect (e.g. which stream), and the `crypto_policy_t` structures
+describe how to protect it. The key is contained in a policy element
+because it simplifies the interface to the library. In many cases, it
+is desirable to use the same cryptographic policies across all of the
+streams in a session, but to use a distinct key for each stream. A
+`crypto_policy_t` structure can be initialized by using either the
+`crypto_policy_set_rtp_default()` or `crypto_policy_set_rtcp_default()`
+functions, which set a crypto policy structure to the default policies
+for RTP and RTCP protection, respectively.
+
+--------------------------------------------------------------------------------
+
+<a name="secure-rtp-background"></a>
+## Secure RTP Background
+
+In this section we review SRTP and introduce some terms that are used
+in libSRTP. An RTP session is defined by a pair of destination
+transport addresses, that is, a network address plus a pair of UDP
+ports for RTP and RTCP. RTCP, the RTP control protocol, is used to
+coordinate between the participants in an RTP session, e.g. to provide
+feedback from receivers to senders. An *SRTP session* is
+similarly defined; it is just an RTP session for which the SRTP
+profile is being used. An SRTP session consists of the traffic sent
+to the SRTP or SRTCP destination transport addresses. Each
+participant in a session is identified by a synchronization source
+(SSRC) identifier. Some participants may not send any SRTP traffic;
+they are called receivers, even though they send out SRTCP traffic,
+such as receiver reports.
+
+RTP allows multiple sources to send RTP and RTCP traffic during the
+same session. The synchronization source identifier (SSRC) is used to
+distinguish these sources. In libSRTP, we call the SRTP and SRTCP
+traffic from a particular source a *stream*. Each stream has its own
+SSRC, sequence number, rollover counter, and other data. A particular
+choice of options, cryptographic mechanisms, and keys is called a
+*policy*. Each stream within a session can have a distinct policy
+applied to it. A session policy is a collection of stream policies.
+
+A single policy can be used for all of the streams in a given session,
+though the case in which a single *key* is shared across multiple
+streams requires care. When key sharing is used, the SSRC values that
+identify the streams **must** be distinct. This requirement can be
+enforced by using the convention that each SRTP and SRTCP key is used
+for encryption by only a single sender. In other words, the key is
+shared only across streams that originate from a particular device (of
+course, other SRTP participants will need to use the key for
+decryption). libSRTP supports this enforcement by detecting the case
+in which a key is used for both inbound and outbound data.
+
+--------------------------------------------------------------------------------
+
+<a name="supported-features"></a>
+## Supported Features
+
+This library supports all of the mandatory-to-implement features of
+SRTP (as defined in [RFC 3711](https://www.ietf.org/rfc/rfc3711.txt)). Some of these
+features can be selected (or de-selected) at run time by setting an
+appropriate policy; this is done using the structure `srtp_policy_t`.
+Some other behaviors of the protocol can be adapted by defining an
+approriate event handler for the exceptional events; see the SRTPevents
+section in the generated documentation.
+
+Some options that are described in the SRTP specification are not
+supported. This includes
+
+- key derivation rates other than zero,
+- the cipher F8,
+- the use of the packet index to select between master keys.
+
+The user should be aware that it is possible to misuse this libary,
+and that the result may be that the security level it provides is
+inadequate. If you are implementing a feature using this library, you
+will want to read the Security Considerations section of [RFC 3711](https://www.ietf.org/rfc/rfc3711.txt).
+In addition, it is important that you read and understand the
+terms outlined in the [License and Disclaimer](#license-and-disclaimer) section.
+
+--------------------------------------------------------------------------------
+
+<a name="implementation-notes"></a>
+## Implementation Notes
+
+  * The `srtp_protect()` function assumes that the buffer holding the
+    rtp packet has enough storage allocated that the authentication
+    tag can be written to the end of that packet. If this assumption
+    is not valid, memory corruption will ensue.
+
+  * Automated tests for the crypto functions are provided through
+    the `cipher_type_self_test()` and `auth_type_self_test()` functions.
+    These functions should be used to test each port of this code
+    to a new platform.
+
+  * Replay protection is contained in the crypto engine, and
+    tests for it are provided.
+
+  * This implementation provides calls to initialize, protect, and
+    unprotect RTP packets, and makes as few as possible assumptions
+    about how these functions will be called. For example, the
+    caller is not expected to provide packets in order (though if
+    they're called more than 65k out of sequence, synchronization
+    will be lost).
+
+  * The sequence number in the rtp packet is used as the low 16 bits
+    of the sender's local packet index. Note that RTP will start its
+    sequence number in a random place, and the SRTP layer just jumps
+    forward to that number at its first invocation. An earlier
+    version of this library used initial sequence numbers that are
+    less than 32,768; this trick is no longer required as the
+    `rdbx_estimate_index(...)` function has been made smarter.
+
+  * The replay window for (S)RTCP is hardcoded to 128 bits in length.
+
+--------------------------------------------------------------------------------
+
+<a name="installing-and-building-libsrtp"></a>
+# Installing and Building libSRTP
+
+To install libSRTP, download the latest release of the distribution
+from [https://github.com/cisco/libsrtp/releases](https://github.com/cisco/libsrtp/releases).
+You probably want to get the most recent release. Unpack the distribution and
+extract the source files; the directory into which the source files
+will go is named `libsrtp-A-B-C` where `A` is the version number, `B` is the
+major release number and `C` is the minor release number.
+
+libSRTP uses the GNU `autoconf` and `make` utilities (BSD make will not work; if
+both versions of make are on your platform, you can invoke GNU make as
+`gmake`.). In the `libsrtp` directory, run the configure script and then
+make:
+
+~~~.txt
+./configure [ options ]
+make
+~~~
+
+The configure script accepts the following options:
+
+Option                         | Description
+-------------------------------|--------------------
+\-\-help                   \-h | Display help
+\-\-enable-debug-logging       | Enable debug logging in all modules
+\-\-enable-log-stdout          | Enable logging to stdout
+\-\-enable-openssl             | Enable OpenSSL crypto engine
+\-\-enable-openssl-kdf         | Enable OpenSSL KDF algorithm
+\-\-with-log-file              | Use file for logging
+\-\-with-openssl-dir           | Location of OpenSSL installation
+
+By default there is no log output, logging can be enabled to be output to stdout
+or a given file using the configure options.
+
+This package has been tested on the following platforms: Mac OS X
+(powerpc-apple-darwin1.4), Cygwin (i686-pc-cygwin), Solaris
+(sparc-sun-solaris2.6), RedHat Linux 7.1 and 9 (i686-pc-linux), and
+OpenBSD (sparc-unknown-openbsd2.7).
+
+--------------------------------------------------------------------------------
+
+<a name="changing-build-configuration"></a>
+## Changing Build Configuration
+
+To build the `./configure` script mentioned above, libSRTP relies on the
+[automake](https://www.gnu.org/software/automake/) toolchain.  Since
+`./configure` is built from `configure.in` by automake, if you make changes in
+how `./configure` works (e.g., to add a new library dependency), you will need
+to rebuild `./configure` and commit the updated version.  In addition to
+automake itself, you will need to have the `pkgconfig` tools installed as well.
+
+For example, on macOS:
+
+```
+brew install automake pkgconfig
+# Edit configure.in
+autoremake -ivf
+```
+
+--------------------------------------------------------------------------------
+
+<a name="applications"></a>
+# Applications
+
+Several test drivers and a simple and portable srtp application are
+included in the `test/` subdirectory.
+
+Test driver     | Function tested
+---------       | -------
+kernel_driver   | crypto kernel (ciphers, auth funcs, rng)
+srtp_driver	    | srtp in-memory tests (does not use the network)
+rdbx_driver	    | rdbx (extended replay database)
+roc_driver	    | extended sequence number functions
+replay_driver	  | replay database
+cipher_driver	  | ciphers
+auth_driver	    | hash functions
+
+The app `rtpw` is a simple rtp application which reads words from
+`/usr/dict/words` and then sends them out one at a time using [s]rtp.
+Manual srtp keying uses the -k option; automated key management
+using gdoi will be added later.
+
+usage:
+~~~.txt
+rtpw [[-d <debug>]* [-k|b <key> [-a][-e <key size>][-g]] [-s | -r] dest_ip dest_port] | [-l]
+~~~
+
+Either the -s (sender) or -r (receiver) option must be chosen.  The
+values `dest_ip`, `dest_port` are the IP address and UDP port to which
+the dictionary will be sent, respectively.
+
+The options are:
+
+Option         | Description
+---------      | -------
+  -s           | (S)RTP sender - causes app to send words
+  -r           | (S)RTP receive - causes app to receive words
+  -k <key>     | use SRTP master key <key>, where the key is a hexadecimal (without the leading "0x")
+  -b <key>     | same as -k but with base64 encoded key
+  -e <keysize> | encrypt/decrypt (for data confidentiality) (requires use of -k option as well) (use 128, 192, or 256 for keysize)
+  -g           | use AES-GCM mode (must be used with -e)
+  -a           | message authentication (requires use of -k option as well)
+  -l           | list the available debug modules
+  -d <debug>   | turn on debugging for module <debug>
+
+In order to get random 30-byte values for use as key/salt pairs , you
+can use the following bash function to format the output of
+`/dev/random` (where that device is available).
+
+~~~.txt
+function randhex() {
+   cat /dev/random | od --read-bytes=32 --width=32 -x | awk '{ print $2 $3 $4 $5 $6 $7 $8 $9 $10 $11 $12 $13 $14 $15 $16 }'
+}
+~~~
+
+An example of an SRTP session using two rtpw programs follows:
+
+~~~.txt
+set k=c1eec3717da76195bb878578790af71c4ee9f859e197a414a78d5abc7451
+
+[sh1]$ test/rtpw -s -k $k -e 128 -a 0.0.0.0 9999
+Security services: confidentiality message authentication
+set master key/salt to C1EEC3717DA76195BB878578790AF71C/4EE9F859E197A414A78D5ABC7451
+setting SSRC to 2078917053
+sending word: A
+sending word: a
+sending word: aa
+sending word: aal
+...
+
+[sh2]$ test/rtpw -r -k $k -e 128 -a 0.0.0.0 9999
+security services: confidentiality message authentication
+set master key/salt to C1EEC3717DA76195BB878578790AF71C/4EE9F859E197A414A78D5ABC7451
+19 octets received from SSRC 2078917053 word: A
+19 octets received from SSRC 2078917053 word: a
+20 octets received from SSRC 2078917053 word: aa
+21 octets received from SSRC 2078917053 word: aal
+...
+~~~
+
+--------------------------------------------------------------------------------
+
+<a name="example-code"></a>
+## Example Code
+
+This section provides a simple example of how to use libSRTP. The
+example code lacks error checking, but is functional. Here we assume
+that the value ssrc is already set to describe the SSRC of the stream
+that we are sending, and that the functions `get_rtp_packet()` and
+`send_srtp_packet()` are available to us. The former puts an RTP packet
+into the buffer and returns the number of octets written to that
+buffer. The latter sends the RTP packet in the buffer, given the
+length as its second argument.
+
+~~~.c
+srtp_t session;
+srtp_policy_t policy;
+
+// Set key to predetermined value
+uint8_t key[30] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+                   0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+                   0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+                   0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D};
+
+// initialize libSRTP
+srtp_init();
+
+// default policy values
+memset(&policy, 0x0, sizeof(srtp_policy_t));
+
+// set policy to describe a policy for an SRTP stream
+crypto_policy_set_rtp_default(&policy.rtp);
+crypto_policy_set_rtcp_default(&policy.rtcp);
+policy.ssrc = ssrc;
+policy.key  = key;
+policy.next = NULL;
+
+// allocate and initialize the SRTP session
+srtp_create(&session, &policy);
+
+// main loop: get rtp packets, send srtp packets
+while (1) {
+  char rtp_buffer[2048];
+  unsigned len;
+
+  len = get_rtp_packet(rtp_buffer);
+  srtp_protect(session, rtp_buffer, &len);
+  send_srtp_packet(rtp_buffer, len);
+}
+~~~
+
+--------------------------------------------------------------------------------
+
+<a name="credits"></a>
+# Credits
+
+The original implementation and documentation of libSRTP was written
+by David McGrew of Cisco Systems, Inc. in order to promote the use,
+understanding, and interoperability of Secure RTP. Michael Jerris
+contributed support for building under MSVC. Andris Pavenis
+contributed many important fixes. Brian West contributed changes to
+enable dynamic linking. Yves Shumann reported documentation bugs.
+Randell Jesup contributed a working SRTCP implementation and other
+fixes. Steve Underwood contributed x86_64 portability changes. We also give
+thanks to Fredrik Thulin, Brian Weis, Mark Baugher, Jeff Chan, Bill
+Simon, Douglas Smith, Bill May, Richard Preistley, Joe Tardo and
+others for contributions, comments, and corrections.
+
+This reference material, when applicable, in this documenation was generated
+using the doxygen utility for automatic documentation of source code.
+
+Copyright 2001-2005 by David A. McGrew, Cisco Systems, Inc.
+
+--------------------------------------------------------------------------------
+
+<a name="references"></a>
+# References
+
+SRTP and ICM References
+September, 2005
+
+Secure RTP is defined in [RFC 3711](https://www.ietf.org/rfc/rfc3711.txt).
+The counter mode definition is in Section 4.1.1.
+
+SHA-1 is defined in [FIPS PUB 180-4](http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf).
+
+HMAC is defined in [RFC 2104](https://www.ietf.org/rfc/rfc2104.txt)
+and HMAC-SHA1 test vectors are available
+in [RFC 2202](https://www.ietf.org/rfc/rfc2202.txt).
+
+AES-GCM usage in SRTP is defined in [RFC 7714](https://www.ietf.org/html/rfc7714)
diff --git a/netwerk/srtp/src/VERSION b/netwerk/srtp/src/VERSION
new file mode 100644
index 0000000000..5432261487
--- /dev/null
+++ b/netwerk/srtp/src/VERSION
@@ -0,0 +1 @@
+2.2.0-pre
diff --git a/netwerk/srtp/src/crypto/Makefile.in b/netwerk/srtp/src/crypto/Makefile.in
new file mode 100644
index 0000000000..44f29ad2cf
--- /dev/null
+++ b/netwerk/srtp/src/crypto/Makefile.in
@@ -0,0 +1,119 @@
+# Makefile for crypto test suite
+#
+# David A. McGrew
+# Cisco Systems, Inc.
+
+srcdir = @srcdir@
+top_srcdir = @top_srcdir@
+top_builddir = @top_builddir@
+VPATH = @srcdir@
+
+CC	= @CC@
+INCDIR	= -Iinclude -I$(srcdir)/include -I$(top_srcdir)/include
+DEFS	= @DEFS@
+CPPFLAGS= @CPPFLAGS@
+CFLAGS	= @CFLAGS@
+LIBS	= @LIBS@
+LDFLAGS	= @LDFLAGS@ -L. -L..
+COMPILE = $(CC) $(DEFS) $(INCDIR) $(CPPFLAGS) $(CFLAGS)
+CRYPTOLIB = -lsrtp2
+CRYPTO_LIBDIR = @CRYPTO_LIBDIR@
+
+RANLIB	= @RANLIB@
+
+# Specify how tests should find shared libraries on macOS and Linux
+#
+# macOS purges DYLD_LIBRARY_PATH when spawning subprocesses, so it's
+# not possible to pass this in from the outside; we have to specify
+# it for any subprocesses we call. No support for dynamic linked
+# tests on Windows.
+ifneq ($(strip $(CRYPTO_LIBDIR)),)
+	ifneq ($(OS),Windows_NT)
+		UNAME_S = $(shell uname -s)
+		ifeq ($(UNAME_S),Linux)
+			FIND_LIBRARIES = LD_LIBRARY_PATH=$(CRYPTO_LIBDIR)
+		endif
+		ifeq ($(UNAME_S),Darwin)
+			FIND_LIBRARIES = DYLD_LIBRARY_PATH=$(CRYPTO_LIBDIR)
+		endif
+	endif
+endif
+
+# EXE defines the suffix on executables - it's .exe for cygwin, and
+# null on linux, bsd, and OS X and other OSes.  we define this so that
+# `make clean` will work on the cygwin platform
+EXE = @EXE@
+# Random source.
+USE_EXTERNAL_CRYPTO = @USE_EXTERNAL_CRYPTO@
+
+ifdef ARCH
+  DEFS += -D$(ARCH)=1
+endif
+
+ifdef sysname
+  DEFS += -D$(sysname)=1
+endif
+
+.PHONY: dummy all runtest clean superclean
+
+dummy : all runtest
+
+# test applications
+ifneq (1, $(USE_EXTERNAL_CRYPTO))
+AES_CALC = test/aes_calc$(EXE)
+endif
+
+testapp = test/cipher_driver$(EXE) test/datatypes_driver$(EXE) \
+	  test/stat_driver$(EXE) test/sha1_driver$(EXE) \
+	  test/kernel_driver$(EXE) $(AES_CALC) \
+	  test/env$(EXE)
+
+# data values used to test the aes_calc application for AES-128
+k128=000102030405060708090a0b0c0d0e0f
+p128=00112233445566778899aabbccddeeff
+c128=69c4e0d86a7b0430d8cdb78070b4c55a
+
+
+# data values used to test the aes_calc application for AES-256
+k256=000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
+p256=00112233445566778899aabbccddeeff
+c256=8ea2b7ca516745bfeafc49904b496089
+
+
+runtest: $(testapp)
+	$(FIND_LIBRARIES) test/env$(EXE) # print out information on the build environment
+	@echo "running crypto test applications..."
+ifneq (1, $(USE_EXTERNAL_CRYPTO))
+	$(FIND_LIBRARIES) test `test/aes_calc $(k128) $(p128)` = $(c128)
+	$(FIND_LIBRARIES) test `test/aes_calc $(k256) $(p256)` = $(c256)
+endif
+	$(FIND_LIBRARIES) test/cipher_driver$(EXE) -v >/dev/null
+	$(FIND_LIBRARIES) test/datatypes_driver$(EXE) -v >/dev/null
+	$(FIND_LIBRARIES) test/stat_driver$(EXE) >/dev/null
+	$(FIND_LIBRARIES) test/sha1_driver$(EXE) -v >/dev/null
+	$(FIND_LIBRARIES) test/kernel_driver$(EXE) -v >/dev/null
+	@echo "crypto test applications passed."
+
+
+# the rule for making object files and test apps
+
+%.o: %.c
+	$(COMPILE) -c $< -o $@
+
+%$(EXE): %.c $(srcdir)/../test/getopt_s.c
+	$(COMPILE) $(LDFLAGS) $< $(srcdir)/../test/getopt_s.c -o $@ $(CRYPTOLIB) $(LIBS)
+
+all: $(testapp)
+
+# housekeeping functions
+
+clean:
+	rm -f $(testapp) *.o */*.o
+	for a in * .* */*; do if [ -f "$$a~" ] ; then rm $$a~; fi; done;
+	rm -f `find . -name "*.[ch]~*~"`
+	rm -rf latex
+
+superclean: clean
+	rm -f *core TAGS ktrace.out
+
+# EOF
diff --git a/netwerk/srtp/src/crypto/cipher/aes.c b/netwerk/srtp/src/crypto/cipher/aes.c
new file mode 100644
index 0000000000..c9cd774201
--- /dev/null
+++ b/netwerk/srtp/src/crypto/cipher/aes.c
@@ -0,0 +1,2189 @@
+/*
+ * aes.c
+ *
+ * An implemnetation of the AES block cipher.
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+
+/*
+ *
+ * Copyright (c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include "aes.h"
+#include "err.h"
+
+/*
+ * we use the tables T0, T1, T2, T3, and T4 to compute AES, and
+ * the tables U0, U1, U2, and U4 to compute its inverse
+ *
+ * different tables are used on little-endian (Intel, VMS) and
+ * big-endian processors (everything else)
+ *
+ * these tables are computed using the program tables/aes_tables; use
+ * this program to generate different tables for porting or
+ * optimization on a different platform
+ */
+
+#ifndef WORDS_BIGENDIAN
+/* clang-format off */
+static const uint32_t T0[256] = {
+    0xa56363c6, 0x847c7cf8,  0x997777ee,  0x8d7b7bf6,
+    0xdf2f2ff,  0xbd6b6bd6,  0xb16f6fde,  0x54c5c591,
+    0x50303060, 0x3010102,   0xa96767ce,  0x7d2b2b56,
+    0x19fefee7, 0x62d7d7b5,  0xe6abab4d,  0x9a7676ec,
+    0x45caca8f, 0x9d82821f,  0x40c9c989,  0x877d7dfa,
+    0x15fafaef, 0xeb5959b2,  0xc947478e,  0xbf0f0fb,
+    0xecadad41, 0x67d4d4b3,  0xfda2a25f,  0xeaafaf45,
+    0xbf9c9c23, 0xf7a4a453,  0x967272e4,  0x5bc0c09b,
+    0xc2b7b775, 0x1cfdfde1,  0xae93933d,  0x6a26264c,
+    0x5a36366c, 0x413f3f7e,  0x2f7f7f5,   0x4fcccc83,
+    0x5c343468, 0xf4a5a551,  0x34e5e5d1,  0x8f1f1f9,
+    0x937171e2, 0x73d8d8ab,  0x53313162,  0x3f15152a,
+    0xc040408,  0x52c7c795,  0x65232346,  0x5ec3c39d,
+    0x28181830, 0xa1969637,  0xf05050a,   0xb59a9a2f,
+    0x907070e,  0x36121224,  0x9b80801b,  0x3de2e2df,
+    0x26ebebcd, 0x6927274e,  0xcdb2b27f,  0x9f7575ea,
+    0x1b090912, 0x9e83831d,  0x742c2c58,  0x2e1a1a34,
+    0x2d1b1b36, 0xb26e6edc,  0xee5a5ab4,  0xfba0a05b,
+    0xf65252a4, 0x4d3b3b76,  0x61d6d6b7,  0xceb3b37d,
+    0x7b292952, 0x3ee3e3dd,  0x712f2f5e,  0x97848413,
+    0xf55353a6, 0x68d1d1b9,  0x0,         0x2cededc1,
+    0x60202040, 0x1ffcfce3,  0xc8b1b179,  0xed5b5bb6,
+    0xbe6a6ad4, 0x46cbcb8d,  0xd9bebe67,  0x4b393972,
+    0xde4a4a94, 0xd44c4c98,  0xe85858b0,  0x4acfcf85,
+    0x6bd0d0bb, 0x2aefefc5,  0xe5aaaa4f,  0x16fbfbed,
+    0xc5434386, 0xd74d4d9a,  0x55333366,  0x94858511,
+    0xcf45458a, 0x10f9f9e9,  0x6020204,   0x817f7ffe,
+    0xf05050a0, 0x443c3c78,  0xba9f9f25,  0xe3a8a84b,
+    0xf35151a2, 0xfea3a35d,  0xc0404080,  0x8a8f8f05,
+    0xad92923f, 0xbc9d9d21,  0x48383870,  0x4f5f5f1,
+    0xdfbcbc63, 0xc1b6b677,  0x75dadaaf,  0x63212142,
+    0x30101020, 0x1affffe5,  0xef3f3fd,   0x6dd2d2bf,
+    0x4ccdcd81, 0x140c0c18,  0x35131326,  0x2fececc3,
+    0xe15f5fbe, 0xa2979735,  0xcc444488,  0x3917172e,
+    0x57c4c493, 0xf2a7a755,  0x827e7efc,  0x473d3d7a,
+    0xac6464c8, 0xe75d5dba,  0x2b191932,  0x957373e6,
+    0xa06060c0, 0x98818119,  0xd14f4f9e,  0x7fdcdca3,
+    0x66222244, 0x7e2a2a54,  0xab90903b,  0x8388880b,
+    0xca46468c, 0x29eeeec7,  0xd3b8b86b,  0x3c141428,
+    0x79dedea7, 0xe25e5ebc,  0x1d0b0b16,  0x76dbdbad,
+    0x3be0e0db, 0x56323264,  0x4e3a3a74,  0x1e0a0a14,
+    0xdb494992, 0xa06060c,   0x6c242448,  0xe45c5cb8,
+    0x5dc2c29f, 0x6ed3d3bd,  0xefacac43,  0xa66262c4,
+    0xa8919139, 0xa4959531,  0x37e4e4d3,  0x8b7979f2,
+    0x32e7e7d5, 0x43c8c88b,  0x5937376e,  0xb76d6dda,
+    0x8c8d8d01, 0x64d5d5b1,  0xd24e4e9c,  0xe0a9a949,
+    0xb46c6cd8, 0xfa5656ac,  0x7f4f4f3,   0x25eaeacf,
+    0xaf6565ca, 0x8e7a7af4,  0xe9aeae47,  0x18080810,
+    0xd5baba6f, 0x887878f0,  0x6f25254a,  0x722e2e5c,
+    0x241c1c38, 0xf1a6a657,  0xc7b4b473,  0x51c6c697,
+    0x23e8e8cb, 0x7cdddda1,  0x9c7474e8,  0x211f1f3e,
+    0xdd4b4b96, 0xdcbdbd61,  0x868b8b0d,  0x858a8a0f,
+    0x907070e0, 0x423e3e7c,  0xc4b5b571,  0xaa6666cc,
+    0xd8484890, 0x5030306,   0x1f6f6f7,   0x120e0e1c,
+    0xa36161c2, 0x5f35356a,  0xf95757ae,  0xd0b9b969,
+    0x91868617, 0x58c1c199,  0x271d1d3a,  0xb99e9e27,
+    0x38e1e1d9, 0x13f8f8eb,  0xb398982b,  0x33111122,
+    0xbb6969d2, 0x70d9d9a9,  0x898e8e07,  0xa7949433,
+    0xb69b9b2d, 0x221e1e3c,  0x92878715,  0x20e9e9c9,
+    0x49cece87, 0xff5555aa,  0x78282850,  0x7adfdfa5,
+    0x8f8c8c03, 0xf8a1a159,  0x80898909,  0x170d0d1a,
+    0xdabfbf65, 0x31e6e6d7,  0xc6424284,  0xb86868d0,
+    0xc3414182, 0xb0999929,  0x772d2d5a,  0x110f0f1e,
+    0xcbb0b07b, 0xfc5454a8,  0xd6bbbb6d,  0x3a16162c,
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint32_t T1[256] = {
+    0x6363c6a5, 0x7c7cf884,  0x7777ee99,  0x7b7bf68d,
+    0xf2f2ff0d, 0x6b6bd6bd,  0x6f6fdeb1,  0xc5c59154,
+    0x30306050, 0x1010203,   0x6767cea9,  0x2b2b567d,
+    0xfefee719, 0xd7d7b562,  0xabab4de6,  0x7676ec9a,
+    0xcaca8f45, 0x82821f9d,  0xc9c98940,  0x7d7dfa87,
+    0xfafaef15, 0x5959b2eb,  0x47478ec9,  0xf0f0fb0b,
+    0xadad41ec, 0xd4d4b367,  0xa2a25ffd,  0xafaf45ea,
+    0x9c9c23bf, 0xa4a453f7,  0x7272e496,  0xc0c09b5b,
+    0xb7b775c2, 0xfdfde11c,  0x93933dae,  0x26264c6a,
+    0x36366c5a, 0x3f3f7e41,  0xf7f7f502,  0xcccc834f,
+    0x3434685c, 0xa5a551f4,  0xe5e5d134,  0xf1f1f908,
+    0x7171e293, 0xd8d8ab73,  0x31316253,  0x15152a3f,
+    0x404080c,  0xc7c79552,  0x23234665,  0xc3c39d5e,
+    0x18183028, 0x969637a1,  0x5050a0f,   0x9a9a2fb5,
+    0x7070e09,  0x12122436,  0x80801b9b,  0xe2e2df3d,
+    0xebebcd26, 0x27274e69,  0xb2b27fcd,  0x7575ea9f,
+    0x909121b,  0x83831d9e,  0x2c2c5874,  0x1a1a342e,
+    0x1b1b362d, 0x6e6edcb2,  0x5a5ab4ee,  0xa0a05bfb,
+    0x5252a4f6, 0x3b3b764d,  0xd6d6b761,  0xb3b37dce,
+    0x2929527b, 0xe3e3dd3e,  0x2f2f5e71,  0x84841397,
+    0x5353a6f5, 0xd1d1b968,  0x00000000,  0xededc12c,
+    0x20204060, 0xfcfce31f,  0xb1b179c8,  0x5b5bb6ed,
+    0x6a6ad4be, 0xcbcb8d46,  0xbebe67d9,  0x3939724b,
+    0x4a4a94de, 0x4c4c98d4,  0x5858b0e8,  0xcfcf854a,
+    0xd0d0bb6b, 0xefefc52a,  0xaaaa4fe5,  0xfbfbed16,
+    0x434386c5, 0x4d4d9ad7,  0x33336655,  0x85851194,
+    0x45458acf, 0xf9f9e910,  0x2020406,   0x7f7ffe81,
+    0x5050a0f0, 0x3c3c7844,  0x9f9f25ba,  0xa8a84be3,
+    0x5151a2f3, 0xa3a35dfe,  0x404080c0,  0x8f8f058a,
+    0x92923fad, 0x9d9d21bc,  0x38387048,  0xf5f5f104,
+    0xbcbc63df, 0xb6b677c1,  0xdadaaf75,  0x21214263,
+    0x10102030, 0xffffe51a,  0xf3f3fd0e,  0xd2d2bf6d,
+    0xcdcd814c, 0xc0c1814,   0x13132635,  0xececc32f,
+    0x5f5fbee1, 0x979735a2,  0x444488cc,  0x17172e39,
+    0xc4c49357, 0xa7a755f2,  0x7e7efc82,  0x3d3d7a47,
+    0x6464c8ac, 0x5d5dbae7,  0x1919322b,  0x7373e695,
+    0x6060c0a0, 0x81811998,  0x4f4f9ed1,  0xdcdca37f,
+    0x22224466, 0x2a2a547e,  0x90903bab,  0x88880b83,
+    0x46468cca, 0xeeeec729,  0xb8b86bd3,  0x1414283c,
+    0xdedea779, 0x5e5ebce2,  0xb0b161d,   0xdbdbad76,
+    0xe0e0db3b, 0x32326456,  0x3a3a744e,  0xa0a141e,
+    0x494992db, 0x6060c0a,   0x2424486c,  0x5c5cb8e4,
+    0xc2c29f5d, 0xd3d3bd6e,  0xacac43ef,  0x6262c4a6,
+    0x919139a8, 0x959531a4,  0xe4e4d337,  0x7979f28b,
+    0xe7e7d532, 0xc8c88b43,  0x37376e59,  0x6d6ddab7,
+    0x8d8d018c, 0xd5d5b164,  0x4e4e9cd2,  0xa9a949e0,
+    0x6c6cd8b4, 0x5656acfa,  0xf4f4f307,  0xeaeacf25,
+    0x6565caaf, 0x7a7af48e,  0xaeae47e9,  0x8081018,
+    0xbaba6fd5, 0x7878f088,  0x25254a6f,  0x2e2e5c72,
+    0x1c1c3824, 0xa6a657f1,  0xb4b473c7,  0xc6c69751,
+    0xe8e8cb23, 0xdddda17c,  0x7474e89c,  0x1f1f3e21,
+    0x4b4b96dd, 0xbdbd61dc,  0x8b8b0d86,  0x8a8a0f85,
+    0x7070e090, 0x3e3e7c42,  0xb5b571c4,  0x6666ccaa,
+    0x484890d8, 0x3030605,   0xf6f6f701,  0xe0e1c12,
+    0x6161c2a3, 0x35356a5f,  0x5757aef9,  0xb9b969d0,
+    0x86861791, 0xc1c19958,  0x1d1d3a27,  0x9e9e27b9,
+    0xe1e1d938, 0xf8f8eb13,  0x98982bb3,  0x11112233,
+    0x6969d2bb, 0xd9d9a970,  0x8e8e0789,  0x949433a7,
+    0x9b9b2db6, 0x1e1e3c22,  0x87871592,  0xe9e9c920,
+    0xcece8749, 0x5555aaff,  0x28285078,  0xdfdfa57a,
+    0x8c8c038f, 0xa1a159f8,  0x89890980,  0xd0d1a17,
+    0xbfbf65da, 0xe6e6d731,  0x424284c6,  0x6868d0b8,
+    0x414182c3, 0x999929b0,  0x2d2d5a77,  0xf0f1e11,
+    0xb0b07bcb, 0x5454a8fc,  0xbbbb6dd6,  0x16162c3a,
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint32_t T2[256] = {
+    0x63c6a563, 0x7cf8847c,  0x77ee9977,  0x7bf68d7b,
+    0xf2ff0df2, 0x6bd6bd6b,  0x6fdeb16f,  0xc59154c5,
+    0x30605030, 0x1020301,   0x67cea967,  0x2b567d2b,
+    0xfee719fe, 0xd7b562d7,  0xab4de6ab,  0x76ec9a76,
+    0xca8f45ca, 0x821f9d82,  0xc98940c9,  0x7dfa877d,
+    0xfaef15fa, 0x59b2eb59,  0x478ec947,  0xf0fb0bf0,
+    0xad41ecad, 0xd4b367d4,  0xa25ffda2,  0xaf45eaaf,
+    0x9c23bf9c, 0xa453f7a4,  0x72e49672,  0xc09b5bc0,
+    0xb775c2b7, 0xfde11cfd,  0x933dae93,  0x264c6a26,
+    0x366c5a36, 0x3f7e413f,  0xf7f502f7,  0xcc834fcc,
+    0x34685c34, 0xa551f4a5,  0xe5d134e5,  0xf1f908f1,
+    0x71e29371, 0xd8ab73d8,  0x31625331,  0x152a3f15,
+    0x4080c04,  0xc79552c7,  0x23466523,  0xc39d5ec3,
+    0x18302818, 0x9637a196,  0x50a0f05,   0x9a2fb59a,
+    0x70e0907,  0x12243612,  0x801b9b80,  0xe2df3de2,
+    0xebcd26eb, 0x274e6927,  0xb27fcdb2,  0x75ea9f75,
+    0x9121b09,  0x831d9e83,  0x2c58742c,  0x1a342e1a,
+    0x1b362d1b, 0x6edcb26e,  0x5ab4ee5a,  0xa05bfba0,
+    0x52a4f652, 0x3b764d3b,  0xd6b761d6,  0xb37dceb3,
+    0x29527b29, 0xe3dd3ee3,  0x2f5e712f,  0x84139784,
+    0x53a6f553, 0xd1b968d1,  0x0,         0xedc12ced,
+    0x20406020, 0xfce31ffc,  0xb179c8b1,  0x5bb6ed5b,
+    0x6ad4be6a, 0xcb8d46cb,  0xbe67d9be,  0x39724b39,
+    0x4a94de4a, 0x4c98d44c,  0x58b0e858,  0xcf854acf,
+    0xd0bb6bd0, 0xefc52aef,  0xaa4fe5aa,  0xfbed16fb,
+    0x4386c543, 0x4d9ad74d,  0x33665533,  0x85119485,
+    0x458acf45, 0xf9e910f9,  0x2040602,   0x7ffe817f,
+    0x50a0f050, 0x3c78443c,  0x9f25ba9f,  0xa84be3a8,
+    0x51a2f351, 0xa35dfea3,  0x4080c040,  0x8f058a8f,
+    0x923fad92, 0x9d21bc9d,  0x38704838,  0xf5f104f5,
+    0xbc63dfbc, 0xb677c1b6,  0xdaaf75da,  0x21426321,
+    0x10203010, 0xffe51aff,  0xf3fd0ef3,  0xd2bf6dd2,
+    0xcd814ccd, 0xc18140c,   0x13263513,  0xecc32fec,
+    0x5fbee15f, 0x9735a297,  0x4488cc44,  0x172e3917,
+    0xc49357c4, 0xa755f2a7,  0x7efc827e,  0x3d7a473d,
+    0x64c8ac64, 0x5dbae75d,  0x19322b19,  0x73e69573,
+    0x60c0a060, 0x81199881,  0x4f9ed14f,  0xdca37fdc,
+    0x22446622, 0x2a547e2a,  0x903bab90,  0x880b8388,
+    0x468cca46, 0xeec729ee,  0xb86bd3b8,  0x14283c14,
+    0xdea779de, 0x5ebce25e,  0xb161d0b,   0xdbad76db,
+    0xe0db3be0, 0x32645632,  0x3a744e3a,  0xa141e0a,
+    0x4992db49, 0x60c0a06,   0x24486c24,  0x5cb8e45c,
+    0xc29f5dc2, 0xd3bd6ed3,  0xac43efac,  0x62c4a662,
+    0x9139a891, 0x9531a495,  0xe4d337e4,  0x79f28b79,
+    0xe7d532e7, 0xc88b43c8,  0x376e5937,  0x6ddab76d,
+    0x8d018c8d, 0xd5b164d5,  0x4e9cd24e,  0xa949e0a9,
+    0x6cd8b46c, 0x56acfa56,  0xf4f307f4,  0xeacf25ea,
+    0x65caaf65, 0x7af48e7a,  0xae47e9ae,  0x8101808,
+    0xba6fd5ba, 0x78f08878,  0x254a6f25,  0x2e5c722e,
+    0x1c38241c, 0xa657f1a6,  0xb473c7b4,  0xc69751c6,
+    0xe8cb23e8, 0xdda17cdd,  0x74e89c74,  0x1f3e211f,
+    0x4b96dd4b, 0xbd61dcbd,  0x8b0d868b,  0x8a0f858a,
+    0x70e09070, 0x3e7c423e,  0xb571c4b5,  0x66ccaa66,
+    0x4890d848, 0x3060503,   0xf6f701f6,  0xe1c120e,
+    0x61c2a361, 0x356a5f35,  0x57aef957,  0xb969d0b9,
+    0x86179186, 0xc19958c1,  0x1d3a271d,  0x9e27b99e,
+    0xe1d938e1, 0xf8eb13f8,  0x982bb398,  0x11223311,
+    0x69d2bb69, 0xd9a970d9,  0x8e07898e,  0x9433a794,
+    0x9b2db69b, 0x1e3c221e,  0x87159287,  0xe9c920e9,
+    0xce8749ce, 0x55aaff55,  0x28507828,  0xdfa57adf,
+    0x8c038f8c, 0xa159f8a1,  0x89098089,  0xd1a170d,
+    0xbf65dabf, 0xe6d731e6,  0x4284c642,  0x68d0b868,
+    0x4182c341, 0x9929b099,  0x2d5a772d,  0xf1e110f,
+    0xb07bcbb0, 0x54a8fc54,  0xbb6dd6bb,  0x162c3a16,
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint32_t T3[256] = {
+    0xc6a56363, 0xf8847c7c,  0xee997777,  0xf68d7b7b,
+    0xff0df2f2, 0xd6bd6b6b,  0xdeb16f6f,  0x9154c5c5,
+    0x60503030, 0x2030101,   0xcea96767,  0x567d2b2b,
+    0xe719fefe, 0xb562d7d7,  0x4de6abab,  0xec9a7676,
+    0x8f45caca, 0x1f9d8282,  0x8940c9c9,  0xfa877d7d,
+    0xef15fafa, 0xb2eb5959,  0x8ec94747,  0xfb0bf0f0,
+    0x41ecadad, 0xb367d4d4,  0x5ffda2a2,  0x45eaafaf,
+    0x23bf9c9c, 0x53f7a4a4,  0xe4967272,  0x9b5bc0c0,
+    0x75c2b7b7, 0xe11cfdfd,  0x3dae9393,  0x4c6a2626,
+    0x6c5a3636, 0x7e413f3f,  0xf502f7f7,  0x834fcccc,
+    0x685c3434, 0x51f4a5a5,  0xd134e5e5,  0xf908f1f1,
+    0xe2937171, 0xab73d8d8,  0x62533131,  0x2a3f1515,
+    0x80c0404,  0x9552c7c7,  0x46652323,  0x9d5ec3c3,
+    0x30281818, 0x37a19696,  0xa0f0505,   0x2fb59a9a,
+    0xe090707,  0x24361212,  0x1b9b8080,  0xdf3de2e2,
+    0xcd26ebeb, 0x4e692727,  0x7fcdb2b2,  0xea9f7575,
+    0x121b0909, 0x1d9e8383,  0x58742c2c,  0x342e1a1a,
+    0x362d1b1b, 0xdcb26e6e,  0xb4ee5a5a,  0x5bfba0a0,
+    0xa4f65252, 0x764d3b3b,  0xb761d6d6,  0x7dceb3b3,
+    0x527b2929, 0xdd3ee3e3,  0x5e712f2f,  0x13978484,
+    0xa6f55353, 0xb968d1d1,  0x0,         0xc12ceded,
+    0x40602020, 0xe31ffcfc,  0x79c8b1b1,  0xb6ed5b5b,
+    0xd4be6a6a, 0x8d46cbcb,  0x67d9bebe,  0x724b3939,
+    0x94de4a4a, 0x98d44c4c,  0xb0e85858,  0x854acfcf,
+    0xbb6bd0d0, 0xc52aefef,  0x4fe5aaaa,  0xed16fbfb,
+    0x86c54343, 0x9ad74d4d,  0x66553333,  0x11948585,
+    0x8acf4545, 0xe910f9f9,  0x4060202,   0xfe817f7f,
+    0xa0f05050, 0x78443c3c,  0x25ba9f9f,  0x4be3a8a8,
+    0xa2f35151, 0x5dfea3a3,  0x80c04040,  0x58a8f8f,
+    0x3fad9292, 0x21bc9d9d,  0x70483838,  0xf104f5f5,
+    0x63dfbcbc, 0x77c1b6b6,  0xaf75dada,  0x42632121,
+    0x20301010, 0xe51affff,  0xfd0ef3f3,  0xbf6dd2d2,
+    0x814ccdcd, 0x18140c0c,  0x26351313,  0xc32fecec,
+    0xbee15f5f, 0x35a29797,  0x88cc4444,  0x2e391717,
+    0x9357c4c4, 0x55f2a7a7,  0xfc827e7e,  0x7a473d3d,
+    0xc8ac6464, 0xbae75d5d,  0x322b1919,  0xe6957373,
+    0xc0a06060, 0x19988181,  0x9ed14f4f,  0xa37fdcdc,
+    0x44662222, 0x547e2a2a,  0x3bab9090,  0xb838888,
+    0x8cca4646, 0xc729eeee,  0x6bd3b8b8,  0x283c1414,
+    0xa779dede, 0xbce25e5e,  0x161d0b0b,  0xad76dbdb,
+    0xdb3be0e0, 0x64563232,  0x744e3a3a,  0x141e0a0a,
+    0x92db4949, 0xc0a0606,   0x486c2424,  0xb8e45c5c,
+    0x9f5dc2c2, 0xbd6ed3d3,  0x43efacac,  0xc4a66262,
+    0x39a89191, 0x31a49595,  0xd337e4e4,  0xf28b7979,
+    0xd532e7e7, 0x8b43c8c8,  0x6e593737,  0xdab76d6d,
+    0x18c8d8d,  0xb164d5d5,  0x9cd24e4e,  0x49e0a9a9,
+    0xd8b46c6c, 0xacfa5656,  0xf307f4f4,  0xcf25eaea,
+    0xcaaf6565, 0xf48e7a7a,  0x47e9aeae,  0x10180808,
+    0x6fd5baba, 0xf0887878,  0x4a6f2525,  0x5c722e2e,
+    0x38241c1c, 0x57f1a6a6,  0x73c7b4b4,  0x9751c6c6,
+    0xcb23e8e8, 0xa17cdddd,  0xe89c7474,  0x3e211f1f,
+    0x96dd4b4b, 0x61dcbdbd,  0xd868b8b,   0xf858a8a,
+    0xe0907070, 0x7c423e3e,  0x71c4b5b5,  0xccaa6666,
+    0x90d84848, 0x6050303,   0xf701f6f6,  0x1c120e0e,
+    0xc2a36161, 0x6a5f3535,  0xaef95757,  0x69d0b9b9,
+    0x17918686, 0x9958c1c1,  0x3a271d1d,  0x27b99e9e,
+    0xd938e1e1, 0xeb13f8f8,  0x2bb39898,  0x22331111,
+    0xd2bb6969, 0xa970d9d9,  0x7898e8e,   0x33a79494,
+    0x2db69b9b, 0x3c221e1e,  0x15928787,  0xc920e9e9,
+    0x8749cece, 0xaaff5555,  0x50782828,  0xa57adfdf,
+    0x38f8c8c,  0x59f8a1a1,  0x9808989,   0x1a170d0d,
+    0x65dabfbf, 0xd731e6e6,  0x84c64242,  0xd0b86868,
+    0x82c34141, 0x29b09999,  0x5a772d2d,  0x1e110f0f,
+    0x7bcbb0b0, 0xa8fc5454,  0x6dd6bbbb,  0x2c3a1616,
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint32_t U0[256] = {
+    0x50a7f451, 0x5365417e,  0xc3a4171a,  0x965e273a,
+    0xcb6bab3b, 0xf1459d1f,  0xab58faac,  0x9303e34b,
+    0x55fa3020, 0xf66d76ad,  0x9176cc88,  0x254c02f5,
+    0xfcd7e54f, 0xd7cb2ac5,  0x80443526,  0x8fa362b5,
+    0x495ab1de, 0x671bba25,  0x980eea45,  0xe1c0fe5d,
+    0x2752fc3,  0x12f04c81,  0xa397468d,  0xc6f9d36b,
+    0xe75f8f03, 0x959c9215,  0xeb7a6dbf,  0xda595295,
+    0x2d83bed4, 0xd3217458,  0x2969e049,  0x44c8c98e,
+    0x6a89c275, 0x78798ef4,  0x6b3e5899,  0xdd71b927,
+    0xb64fe1be, 0x17ad88f0,  0x66ac20c9,  0xb43ace7d,
+    0x184adf63, 0x82311ae5,  0x60335197,  0x457f5362,
+    0xe07764b1, 0x84ae6bbb,  0x1ca081fe,  0x942b08f9,
+    0x58684870, 0x19fd458f,  0x876cde94,  0xb7f87b52,
+    0x23d373ab, 0xe2024b72,  0x578f1fe3,  0x2aab5566,
+    0x728ebb2,  0x3c2b52f,   0x9a7bc586,  0xa50837d3,
+    0xf2872830, 0xb2a5bf23,  0xba6a0302,  0x5c8216ed,
+    0x2b1ccf8a, 0x92b479a7,  0xf0f207f3,  0xa1e2694e,
+    0xcdf4da65, 0xd5be0506,  0x1f6234d1,  0x8afea6c4,
+    0x9d532e34, 0xa055f3a2,  0x32e18a05,  0x75ebf6a4,
+    0x39ec830b, 0xaaef6040,  0x69f715e,   0x51106ebd,
+    0xf98a213e, 0x3d06dd96,  0xae053edd,  0x46bde64d,
+    0xb58d5491, 0x55dc471,   0x6fd40604,  0xff155060,
+    0x24fb9819, 0x97e9bdd6,  0xcc434089,  0x779ed967,
+    0xbd42e8b0, 0x888b8907,  0x385b19e7,  0xdbeec879,
+    0x470a7ca1, 0xe90f427c,  0xc91e84f8,  0x0,
+    0x83868009, 0x48ed2b32,  0xac70111e,  0x4e725a6c,
+    0xfbff0efd, 0x5638850f,  0x1ed5ae3d,  0x27392d36,
+    0x64d90f0a, 0x21a65c68,  0xd1545b9b,  0x3a2e3624,
+    0xb1670a0c, 0xfe75793,   0xd296eeb4,  0x9e919b1b,
+    0x4fc5c080, 0xa220dc61,  0x694b775a,  0x161a121c,
+    0xaba93e2,  0xe52aa0c0,  0x43e0223c,  0x1d171b12,
+    0xb0d090e,  0xadc78bf2,  0xb9a8b62d,  0xc8a91e14,
+    0x8519f157, 0x4c0775af,  0xbbdd99ee,  0xfd607fa3,
+    0x9f2601f7, 0xbcf5725c,  0xc53b6644,  0x347efb5b,
+    0x7629438b, 0xdcc623cb,  0x68fcedb6,  0x63f1e4b8,
+    0xcadc31d7, 0x10856342,  0x40229713,  0x2011c684,
+    0x7d244a85, 0xf83dbbd2,  0x1132f9ae,  0x6da129c7,
+    0x4b2f9e1d, 0xf330b2dc,  0xec52860d,  0xd0e3c177,
+    0x6c16b32b, 0x99b970a9,  0xfa489411,  0x2264e947,
+    0xc48cfca8, 0x1a3ff0a0,  0xd82c7d56,  0xef903322,
+    0xc74e4987, 0xc1d138d9,  0xfea2ca8c,  0x360bd498,
+    0xcf81f5a6, 0x28de7aa5,  0x268eb7da,  0xa4bfad3f,
+    0xe49d3a2c, 0xd927850,   0x9bcc5f6a,  0x62467e54,
+    0xc2138df6, 0xe8b8d890,  0x5ef7392e,  0xf5afc382,
+    0xbe805d9f, 0x7c93d069,  0xa92dd56f,  0xb31225cf,
+    0x3b99acc8, 0xa77d1810,  0x6e639ce8,  0x7bbb3bdb,
+    0x97826cd,  0xf418596e,  0x1b79aec,   0xa89a4f83,
+    0x656e95e6, 0x7ee6ffaa,  0x8cfbc21,   0xe6e815ef,
+    0xd99be7ba, 0xce366f4a,  0xd4099fea,  0xd67cb029,
+    0xafb2a431, 0x31233f2a,  0x3094a5c6,  0xc066a235,
+    0x37bc4e74, 0xa6ca82fc,  0xb0d090e0,  0x15d8a733,
+    0x4a9804f1, 0xf7daec41,  0xe50cd7f,   0x2ff69117,
+    0x8dd64d76, 0x4db0ef43,  0x544daacc,  0xdf0496e4,
+    0xe3b5d19e, 0x1b886a4c,  0xb81f2cc1,  0x7f516546,
+    0x4ea5e9d,  0x5d358c01,  0x737487fa,  0x2e410bfb,
+    0x5a1d67b3, 0x52d2db92,  0x335610e9,  0x1347d66d,
+    0x8c61d79a, 0x7a0ca137,  0x8e14f859,  0x893c13eb,
+    0xee27a9ce, 0x35c961b7,  0xede51ce1,  0x3cb1477a,
+    0x59dfd29c, 0x3f73f255,  0x79ce1418,  0xbf37c773,
+    0xeacdf753, 0x5baafd5f,  0x146f3ddf,  0x86db4478,
+    0x81f3afca, 0x3ec468b9,  0x2c342438,  0x5f40a3c2,
+    0x72c31d16, 0xc25e2bc,   0x8b493c28,  0x41950dff,
+    0x7101a839, 0xdeb30c08,  0x9ce4b4d8,  0x90c15664,
+    0x6184cb7b, 0x70b632d5,  0x745c6c48,  0x4257b8d0,
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint32_t U1[256] = {
+    0xa7f45150, 0x65417e53,  0xa4171ac3,  0x5e273a96,
+    0x6bab3bcb, 0x459d1ff1,  0x58faacab,  0x3e34b93,
+    0xfa302055, 0x6d76adf6,  0x76cc8891,  0x4c02f525,
+    0xd7e54ffc, 0xcb2ac5d7,  0x44352680,  0xa362b58f,
+    0x5ab1de49, 0x1bba2567,  0xeea4598,   0xc0fe5de1,
+    0x752fc302, 0xf04c8112,  0x97468da3,  0xf9d36bc6,
+    0x5f8f03e7, 0x9c921595,  0x7a6dbfeb,  0x595295da,
+    0x83bed42d, 0x217458d3,  0x69e04929,  0xc8c98e44,
+    0x89c2756a, 0x798ef478,  0x3e58996b,  0x71b927dd,
+    0x4fe1beb6, 0xad88f017,  0xac20c966,  0x3ace7db4,
+    0x4adf6318, 0x311ae582,  0x33519760,  0x7f536245,
+    0x7764b1e0, 0xae6bbb84,  0xa081fe1c,  0x2b08f994,
+    0x68487058, 0xfd458f19,  0x6cde9487,  0xf87b52b7,
+    0xd373ab23, 0x24b72e2,   0x8f1fe357,  0xab55662a,
+    0x28ebb207, 0xc2b52f03,  0x7bc5869a,  0x837d3a5,
+    0x872830f2, 0xa5bf23b2,  0x6a0302ba,  0x8216ed5c,
+    0x1ccf8a2b, 0xb479a792,  0xf207f3f0,  0xe2694ea1,
+    0xf4da65cd, 0xbe0506d5,  0x6234d11f,  0xfea6c48a,
+    0x532e349d, 0x55f3a2a0,  0xe18a0532,  0xebf6a475,
+    0xec830b39, 0xef6040aa,  0x9f715e06,  0x106ebd51,
+    0x8a213ef9, 0x6dd963d,   0x53eddae,   0xbde64d46,
+    0x8d5491b5, 0x5dc47105,  0xd406046f,  0x155060ff,
+    0xfb981924, 0xe9bdd697,  0x434089cc,  0x9ed96777,
+    0x42e8b0bd, 0x8b890788,  0x5b19e738,  0xeec879db,
+    0xa7ca147,  0xf427ce9,   0x1e84f8c9,  0x0,
+    0x86800983, 0xed2b3248,  0x70111eac,  0x725a6c4e,
+    0xff0efdfb, 0x38850f56,  0xd5ae3d1e,  0x392d3627,
+    0xd90f0a64, 0xa65c6821,  0x545b9bd1,  0x2e36243a,
+    0x670a0cb1, 0xe757930f,  0x96eeb4d2,  0x919b1b9e,
+    0xc5c0804f, 0x20dc61a2,  0x4b775a69,  0x1a121c16,
+    0xba93e20a, 0x2aa0c0e5,  0xe0223c43,  0x171b121d,
+    0xd090e0b,  0xc78bf2ad,  0xa8b62db9,  0xa91e14c8,
+    0x19f15785, 0x775af4c,   0xdd99eebb,  0x607fa3fd,
+    0x2601f79f, 0xf5725cbc,  0x3b6644c5,  0x7efb5b34,
+    0x29438b76, 0xc623cbdc,  0xfcedb668,  0xf1e4b863,
+    0xdc31d7ca, 0x85634210,  0x22971340,  0x11c68420,
+    0x244a857d, 0x3dbbd2f8,  0x32f9ae11,  0xa129c76d,
+    0x2f9e1d4b, 0x30b2dcf3,  0x52860dec,  0xe3c177d0,
+    0x16b32b6c, 0xb970a999,  0x489411fa,  0x64e94722,
+    0x8cfca8c4, 0x3ff0a01a,  0x2c7d56d8,  0x903322ef,
+    0x4e4987c7, 0xd138d9c1,  0xa2ca8cfe,  0xbd49836,
+    0x81f5a6cf, 0xde7aa528,  0x8eb7da26,  0xbfad3fa4,
+    0x9d3a2ce4, 0x9278500d,  0xcc5f6a9b,  0x467e5462,
+    0x138df6c2, 0xb8d890e8,  0xf7392e5e,  0xafc382f5,
+    0x805d9fbe, 0x93d0697c,  0x2dd56fa9,  0x1225cfb3,
+    0x99acc83b, 0x7d1810a7,  0x639ce86e,  0xbb3bdb7b,
+    0x7826cd09, 0x18596ef4,  0xb79aec01,  0x9a4f83a8,
+    0x6e95e665, 0xe6ffaa7e,  0xcfbc2108,  0xe815efe6,
+    0x9be7bad9, 0x366f4ace,  0x99fead4,   0x7cb029d6,
+    0xb2a431af, 0x233f2a31,  0x94a5c630,  0x66a235c0,
+    0xbc4e7437, 0xca82fca6,  0xd090e0b0,  0xd8a73315,
+    0x9804f14a, 0xdaec41f7,  0x50cd7f0e,  0xf691172f,
+    0xd64d768d, 0xb0ef434d,  0x4daacc54,  0x496e4df,
+    0xb5d19ee3, 0x886a4c1b,  0x1f2cc1b8,  0x5165467f,
+    0xea5e9d04, 0x358c015d,  0x7487fa73,  0x410bfb2e,
+    0x1d67b35a, 0xd2db9252,  0x5610e933,  0x47d66d13,
+    0x61d79a8c, 0xca1377a,   0x14f8598e,  0x3c13eb89,
+    0x27a9ceee, 0xc961b735,  0xe51ce1ed,  0xb1477a3c,
+    0xdfd29c59, 0x73f2553f,  0xce141879,  0x37c773bf,
+    0xcdf753ea, 0xaafd5f5b,  0x6f3ddf14,  0xdb447886,
+    0xf3afca81, 0xc468b93e,  0x3424382c,  0x40a3c25f,
+    0xc31d1672, 0x25e2bc0c,  0x493c288b,  0x950dff41,
+    0x1a83971,  0xb30c08de,  0xe4b4d89c,  0xc1566490,
+    0x84cb7b61, 0xb632d570,  0x5c6c4874,  0x57b8d042,
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint32_t U2[256] = {
+    0xf45150a7, 0x417e5365,  0x171ac3a4,  0x273a965e,
+    0xab3bcb6b, 0x9d1ff145,  0xfaacab58,  0xe34b9303,
+    0x302055fa, 0x76adf66d,  0xcc889176,  0x2f5254c,
+    0xe54ffcd7, 0x2ac5d7cb,  0x35268044,  0x62b58fa3,
+    0xb1de495a, 0xba25671b,  0xea45980e,  0xfe5de1c0,
+    0x2fc30275, 0x4c8112f0,  0x468da397,  0xd36bc6f9,
+    0x8f03e75f, 0x9215959c,  0x6dbfeb7a,  0x5295da59,
+    0xbed42d83, 0x7458d321,  0xe0492969,  0xc98e44c8,
+    0xc2756a89, 0x8ef47879,  0x58996b3e,  0xb927dd71,
+    0xe1beb64f, 0x88f017ad,  0x20c966ac,  0xce7db43a,
+    0xdf63184a, 0x1ae58231,  0x51976033,  0x5362457f,
+    0x64b1e077, 0x6bbb84ae,  0x81fe1ca0,  0x8f9942b,
+    0x48705868, 0x458f19fd,  0xde94876c,  0x7b52b7f8,
+    0x73ab23d3, 0x4b72e202,  0x1fe3578f,  0x55662aab,
+    0xebb20728, 0xb52f03c2,  0xc5869a7b,  0x37d3a508,
+    0x2830f287, 0xbf23b2a5,  0x302ba6a,   0x16ed5c82,
+    0xcf8a2b1c, 0x79a792b4,  0x7f3f0f2,   0x694ea1e2,
+    0xda65cdf4, 0x506d5be,   0x34d11f62,  0xa6c48afe,
+    0x2e349d53, 0xf3a2a055,  0x8a0532e1,  0xf6a475eb,
+    0x830b39ec, 0x6040aaef,  0x715e069f,  0x6ebd5110,
+    0x213ef98a, 0xdd963d06,  0x3eddae05,  0xe64d46bd,
+    0x5491b58d, 0xc471055d,  0x6046fd4,   0x5060ff15,
+    0x981924fb, 0xbdd697e9,  0x4089cc43,  0xd967779e,
+    0xe8b0bd42, 0x8907888b,  0x19e7385b,  0xc879dbee,
+    0x7ca1470a, 0x427ce90f,  0x84f8c91e,  0x0,
+    0x80098386, 0x2b3248ed,  0x111eac70,  0x5a6c4e72,
+    0xefdfbff,  0x850f5638,  0xae3d1ed5,  0x2d362739,
+    0xf0a64d9,  0x5c6821a6,  0x5b9bd154,  0x36243a2e,
+    0xa0cb167,  0x57930fe7,  0xeeb4d296,  0x9b1b9e91,
+    0xc0804fc5, 0xdc61a220,  0x775a694b,  0x121c161a,
+    0x93e20aba, 0xa0c0e52a,  0x223c43e0,  0x1b121d17,
+    0x90e0b0d,  0x8bf2adc7,  0xb62db9a8,  0x1e14c8a9,
+    0xf1578519, 0x75af4c07,  0x99eebbdd,  0x7fa3fd60,
+    0x1f79f26,  0x725cbcf5,  0x6644c53b,  0xfb5b347e,
+    0x438b7629, 0x23cbdcc6,  0xedb668fc,  0xe4b863f1,
+    0x31d7cadc, 0x63421085,  0x97134022,  0xc6842011,
+    0x4a857d24, 0xbbd2f83d,  0xf9ae1132,  0x29c76da1,
+    0x9e1d4b2f, 0xb2dcf330,  0x860dec52,  0xc177d0e3,
+    0xb32b6c16, 0x70a999b9,  0x9411fa48,  0xe9472264,
+    0xfca8c48c, 0xf0a01a3f,  0x7d56d82c,  0x3322ef90,
+    0x4987c74e, 0x38d9c1d1,  0xca8cfea2,  0xd498360b,
+    0xf5a6cf81, 0x7aa528de,  0xb7da268e,  0xad3fa4bf,
+    0x3a2ce49d, 0x78500d92,  0x5f6a9bcc,  0x7e546246,
+    0x8df6c213, 0xd890e8b8,  0x392e5ef7,  0xc382f5af,
+    0x5d9fbe80, 0xd0697c93,  0xd56fa92d,  0x25cfb312,
+    0xacc83b99, 0x1810a77d,  0x9ce86e63,  0x3bdb7bbb,
+    0x26cd0978, 0x596ef418,  0x9aec01b7,  0x4f83a89a,
+    0x95e6656e, 0xffaa7ee6,  0xbc2108cf,  0x15efe6e8,
+    0xe7bad99b, 0x6f4ace36,  0x9fead409,  0xb029d67c,
+    0xa431afb2, 0x3f2a3123,  0xa5c63094,  0xa235c066,
+    0x4e7437bc, 0x82fca6ca,  0x90e0b0d0,  0xa73315d8,
+    0x4f14a98,  0xec41f7da,  0xcd7f0e50,  0x91172ff6,
+    0x4d768dd6, 0xef434db0,  0xaacc544d,  0x96e4df04,
+    0xd19ee3b5, 0x6a4c1b88,  0x2cc1b81f,  0x65467f51,
+    0x5e9d04ea, 0x8c015d35,  0x87fa7374,  0xbfb2e41,
+    0x67b35a1d, 0xdb9252d2,  0x10e93356,  0xd66d1347,
+    0xd79a8c61, 0xa1377a0c,  0xf8598e14,  0x13eb893c,
+    0xa9ceee27, 0x61b735c9,  0x1ce1ede5,  0x477a3cb1,
+    0xd29c59df, 0xf2553f73,  0x141879ce,  0xc773bf37,
+    0xf753eacd, 0xfd5f5baa,  0x3ddf146f,  0x447886db,
+    0xafca81f3, 0x68b93ec4,  0x24382c34,  0xa3c25f40,
+    0x1d1672c3, 0xe2bc0c25,  0x3c288b49,  0xdff4195,
+    0xa8397101, 0xc08deb3,   0xb4d89ce4,  0x566490c1,
+    0xcb7b6184, 0x32d570b6,  0x6c48745c,  0xb8d04257,
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint32_t U3[256] = {
+    0x5150a7f4, 0x7e536541,  0x1ac3a417,  0x3a965e27,
+    0x3bcb6bab, 0x1ff1459d,  0xacab58fa,  0x4b9303e3,
+    0x2055fa30, 0xadf66d76,  0x889176cc,  0xf5254c02,
+    0x4ffcd7e5, 0xc5d7cb2a,  0x26804435,  0xb58fa362,
+    0xde495ab1, 0x25671bba,  0x45980eea,  0x5de1c0fe,
+    0xc302752f, 0x8112f04c,  0x8da39746,  0x6bc6f9d3,
+    0x3e75f8f,  0x15959c92,  0xbfeb7a6d,  0x95da5952,
+    0xd42d83be, 0x58d32174,  0x492969e0,  0x8e44c8c9,
+    0x756a89c2, 0xf478798e,  0x996b3e58,  0x27dd71b9,
+    0xbeb64fe1, 0xf017ad88,  0xc966ac20,  0x7db43ace,
+    0x63184adf, 0xe582311a,  0x97603351,  0x62457f53,
+    0xb1e07764, 0xbb84ae6b,  0xfe1ca081,  0xf9942b08,
+    0x70586848, 0x8f19fd45,  0x94876cde,  0x52b7f87b,
+    0xab23d373, 0x72e2024b,  0xe3578f1f,  0x662aab55,
+    0xb20728eb, 0x2f03c2b5,  0x869a7bc5,  0xd3a50837,
+    0x30f28728, 0x23b2a5bf,  0x2ba6a03,   0xed5c8216,
+    0x8a2b1ccf, 0xa792b479,  0xf3f0f207,  0x4ea1e269,
+    0x65cdf4da, 0x6d5be05,   0xd11f6234,  0xc48afea6,
+    0x349d532e, 0xa2a055f3,  0x532e18a,   0xa475ebf6,
+    0xb39ec83,  0x40aaef60,  0x5e069f71,  0xbd51106e,
+    0x3ef98a21, 0x963d06dd,  0xddae053e,  0x4d46bde6,
+    0x91b58d54, 0x71055dc4,  0x46fd406,   0x60ff1550,
+    0x1924fb98, 0xd697e9bd,  0x89cc4340,  0x67779ed9,
+    0xb0bd42e8, 0x7888b89,   0xe7385b19,  0x79dbeec8,
+    0xa1470a7c, 0x7ce90f42,  0xf8c91e84,  0x0,
+    0x9838680,  0x3248ed2b,  0x1eac7011,  0x6c4e725a,
+    0xfdfbff0e, 0xf563885,   0x3d1ed5ae,  0x3627392d,
+    0xa64d90f,  0x6821a65c,  0x9bd1545b,  0x243a2e36,
+    0xcb1670a,  0x930fe757,  0xb4d296ee,  0x1b9e919b,
+    0x804fc5c0, 0x61a220dc,  0x5a694b77,  0x1c161a12,
+    0xe20aba93, 0xc0e52aa0,  0x3c43e022,  0x121d171b,
+    0xe0b0d09,  0xf2adc78b,  0x2db9a8b6,  0x14c8a91e,
+    0x578519f1, 0xaf4c0775,  0xeebbdd99,  0xa3fd607f,
+    0xf79f2601, 0x5cbcf572,  0x44c53b66,  0x5b347efb,
+    0x8b762943, 0xcbdcc623,  0xb668fced,  0xb863f1e4,
+    0xd7cadc31, 0x42108563,  0x13402297,  0x842011c6,
+    0x857d244a, 0xd2f83dbb,  0xae1132f9,  0xc76da129,
+    0x1d4b2f9e, 0xdcf330b2,  0xdec5286,   0x77d0e3c1,
+    0x2b6c16b3, 0xa999b970,  0x11fa4894,  0x472264e9,
+    0xa8c48cfc, 0xa01a3ff0,  0x56d82c7d,  0x22ef9033,
+    0x87c74e49, 0xd9c1d138,  0x8cfea2ca,  0x98360bd4,
+    0xa6cf81f5, 0xa528de7a,  0xda268eb7,  0x3fa4bfad,
+    0x2ce49d3a, 0x500d9278,  0x6a9bcc5f,  0x5462467e,
+    0xf6c2138d, 0x90e8b8d8,  0x2e5ef739,  0x82f5afc3,
+    0x9fbe805d, 0x697c93d0,  0x6fa92dd5,  0xcfb31225,
+    0xc83b99ac, 0x10a77d18,  0xe86e639c,  0xdb7bbb3b,
+    0xcd097826, 0x6ef41859,  0xec01b79a,  0x83a89a4f,
+    0xe6656e95, 0xaa7ee6ff,  0x2108cfbc,  0xefe6e815,
+    0xbad99be7, 0x4ace366f,  0xead4099f,  0x29d67cb0,
+    0x31afb2a4, 0x2a31233f,  0xc63094a5,  0x35c066a2,
+    0x7437bc4e, 0xfca6ca82,  0xe0b0d090,  0x3315d8a7,
+    0xf14a9804, 0x41f7daec,  0x7f0e50cd,  0x172ff691,
+    0x768dd64d, 0x434db0ef,  0xcc544daa,  0xe4df0496,
+    0x9ee3b5d1, 0x4c1b886a,  0xc1b81f2c,  0x467f5165,
+    0x9d04ea5e, 0x15d358c,   0xfa737487,  0xfb2e410b,
+    0xb35a1d67, 0x9252d2db,  0xe9335610,  0x6d1347d6,
+    0x9a8c61d7, 0x377a0ca1,  0x598e14f8,  0xeb893c13,
+    0xceee27a9, 0xb735c961,  0xe1ede51c,  0x7a3cb147,
+    0x9c59dfd2, 0x553f73f2,  0x1879ce14,  0x73bf37c7,
+    0x53eacdf7, 0x5f5baafd,  0xdf146f3d,  0x7886db44,
+    0xca81f3af, 0xb93ec468,  0x382c3424,  0xc25f40a3,
+    0x1672c31d, 0xbc0c25e2,  0x288b493c,  0xff41950d,
+    0x397101a8, 0x8deb30c,   0xd89ce4b4,  0x6490c156,
+    0x7b6184cb, 0xd570b632,  0x48745c6c,  0xd04257b8,
+};
+/* clang-format on */
+
+#else /* assume big endian */
+/* clang-format off */
+static const uint32_t T0[256] = {
+    0xc66363a5, 0xf87c7c84,  0xee777799,  0xf67b7b8d,
+    0xfff2f20d, 0xd66b6bbd,  0xde6f6fb1,  0x91c5c554,
+    0x60303050, 0x2010103,   0xce6767a9,  0x562b2b7d,
+    0xe7fefe19, 0xb5d7d762,  0x4dababe6,  0xec76769a,
+    0x8fcaca45, 0x1f82829d,  0x89c9c940,  0xfa7d7d87,
+    0xeffafa15, 0xb25959eb,  0x8e4747c9,  0xfbf0f00b,
+    0x41adadec, 0xb3d4d467,  0x5fa2a2fd,  0x45afafea,
+    0x239c9cbf, 0x53a4a4f7,  0xe4727296,  0x9bc0c05b,
+    0x75b7b7c2, 0xe1fdfd1c,  0x3d9393ae,  0x4c26266a,
+    0x6c36365a, 0x7e3f3f41,  0xf5f7f702,  0x83cccc4f,
+    0x6834345c, 0x51a5a5f4,  0xd1e5e534,  0xf9f1f108,
+    0xe2717193, 0xabd8d873,  0x62313153,  0x2a15153f,
+    0x804040c,  0x95c7c752,  0x46232365,  0x9dc3c35e,
+    0x30181828, 0x379696a1,  0xa05050f,   0x2f9a9ab5,
+    0xe070709,  0x24121236,  0x1b80809b,  0xdfe2e23d,
+    0xcdebeb26, 0x4e272769,  0x7fb2b2cd,  0xea75759f,
+    0x1209091b, 0x1d83839e,  0x582c2c74,  0x341a1a2e,
+    0x361b1b2d, 0xdc6e6eb2,  0xb45a5aee,  0x5ba0a0fb,
+    0xa45252f6, 0x763b3b4d,  0xb7d6d661,  0x7db3b3ce,
+    0x5229297b, 0xdde3e33e,  0x5e2f2f71,  0x13848497,
+    0xa65353f5, 0xb9d1d168,  0x0,         0xc1eded2c,
+    0x40202060, 0xe3fcfc1f,  0x79b1b1c8,  0xb65b5bed,
+    0xd46a6abe, 0x8dcbcb46,  0x67bebed9,  0x7239394b,
+    0x944a4ade, 0x984c4cd4,  0xb05858e8,  0x85cfcf4a,
+    0xbbd0d06b, 0xc5efef2a,  0x4faaaae5,  0xedfbfb16,
+    0x864343c5, 0x9a4d4dd7,  0x66333355,  0x11858594,
+    0x8a4545cf, 0xe9f9f910,  0x4020206,   0xfe7f7f81,
+    0xa05050f0, 0x783c3c44,  0x259f9fba,  0x4ba8a8e3,
+    0xa25151f3, 0x5da3a3fe,  0x804040c0,  0x58f8f8a,
+    0x3f9292ad, 0x219d9dbc,  0x70383848,  0xf1f5f504,
+    0x63bcbcdf, 0x77b6b6c1,  0xafdada75,  0x42212163,
+    0x20101030, 0xe5ffff1a,  0xfdf3f30e,  0xbfd2d26d,
+    0x81cdcd4c, 0x180c0c14,  0x26131335,  0xc3ecec2f,
+    0xbe5f5fe1, 0x359797a2,  0x884444cc,  0x2e171739,
+    0x93c4c457, 0x55a7a7f2,  0xfc7e7e82,  0x7a3d3d47,
+    0xc86464ac, 0xba5d5de7,  0x3219192b,  0xe6737395,
+    0xc06060a0, 0x19818198,  0x9e4f4fd1,  0xa3dcdc7f,
+    0x44222266, 0x542a2a7e,  0x3b9090ab,  0xb888883,
+    0x8c4646ca, 0xc7eeee29,  0x6bb8b8d3,  0x2814143c,
+    0xa7dede79, 0xbc5e5ee2,  0x160b0b1d,  0xaddbdb76,
+    0xdbe0e03b, 0x64323256,  0x743a3a4e,  0x140a0a1e,
+    0x924949db, 0xc06060a,   0x4824246c,  0xb85c5ce4,
+    0x9fc2c25d, 0xbdd3d36e,  0x43acacef,  0xc46262a6,
+    0x399191a8, 0x319595a4,  0xd3e4e437,  0xf279798b,
+    0xd5e7e732, 0x8bc8c843,  0x6e373759,  0xda6d6db7,
+    0x18d8d8c,  0xb1d5d564,  0x9c4e4ed2,  0x49a9a9e0,
+    0xd86c6cb4, 0xac5656fa,  0xf3f4f407,  0xcfeaea25,
+    0xca6565af, 0xf47a7a8e,  0x47aeaee9,  0x10080818,
+    0x6fbabad5, 0xf0787888,  0x4a25256f,  0x5c2e2e72,
+    0x381c1c24, 0x57a6a6f1,  0x73b4b4c7,  0x97c6c651,
+    0xcbe8e823, 0xa1dddd7c,  0xe874749c,  0x3e1f1f21,
+    0x964b4bdd, 0x61bdbddc,  0xd8b8b86,   0xf8a8a85,
+    0xe0707090, 0x7c3e3e42,  0x71b5b5c4,  0xcc6666aa,
+    0x904848d8, 0x6030305,   0xf7f6f601,  0x1c0e0e12,
+    0xc26161a3, 0x6a35355f,  0xae5757f9,  0x69b9b9d0,
+    0x17868691, 0x99c1c158,  0x3a1d1d27,  0x279e9eb9,
+    0xd9e1e138, 0xebf8f813,  0x2b9898b3,  0x22111133,
+    0xd26969bb, 0xa9d9d970,  0x78e8e89,   0x339494a7,
+    0x2d9b9bb6, 0x3c1e1e22,  0x15878792,  0xc9e9e920,
+    0x87cece49, 0xaa5555ff,  0x50282878,  0xa5dfdf7a,
+    0x38c8c8f,  0x59a1a1f8,  0x9898980,   0x1a0d0d17,
+    0x65bfbfda, 0xd7e6e631,  0x844242c6,  0xd06868b8,
+    0x824141c3, 0x299999b0,  0x5a2d2d77,  0x1e0f0f11,
+    0x7bb0b0cb, 0xa85454fc,  0x6dbbbbd6,  0x2c16163a,
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint32_t T1[256] = {
+    0xa5c66363, 0x84f87c7c,  0x99ee7777,  0x8df67b7b,
+    0xdfff2f2,  0xbdd66b6b,  0xb1de6f6f,  0x5491c5c5,
+    0x50603030, 0x3020101,   0xa9ce6767,  0x7d562b2b,
+    0x19e7fefe, 0x62b5d7d7,  0xe64dabab,  0x9aec7676,
+    0x458fcaca, 0x9d1f8282,  0x4089c9c9,  0x87fa7d7d,
+    0x15effafa, 0xebb25959,  0xc98e4747,  0xbfbf0f0,
+    0xec41adad, 0x67b3d4d4,  0xfd5fa2a2,  0xea45afaf,
+    0xbf239c9c, 0xf753a4a4,  0x96e47272,  0x5b9bc0c0,
+    0xc275b7b7, 0x1ce1fdfd,  0xae3d9393,  0x6a4c2626,
+    0x5a6c3636, 0x417e3f3f,  0x2f5f7f7,   0x4f83cccc,
+    0x5c683434, 0xf451a5a5,  0x34d1e5e5,  0x8f9f1f1,
+    0x93e27171, 0x73abd8d8,  0x53623131,  0x3f2a1515,
+    0xc080404,  0x5295c7c7,  0x65462323,  0x5e9dc3c3,
+    0x28301818, 0xa1379696,  0xf0a0505,   0xb52f9a9a,
+    0x90e0707,  0x36241212,  0x9b1b8080,  0x3ddfe2e2,
+    0x26cdebeb, 0x694e2727,  0xcd7fb2b2,  0x9fea7575,
+    0x1b120909, 0x9e1d8383,  0x74582c2c,  0x2e341a1a,
+    0x2d361b1b, 0xb2dc6e6e,  0xeeb45a5a,  0xfb5ba0a0,
+    0xf6a45252, 0x4d763b3b,  0x61b7d6d6,  0xce7db3b3,
+    0x7b522929, 0x3edde3e3,  0x715e2f2f,  0x97138484,
+    0xf5a65353, 0x68b9d1d1,  0x0,         0x2cc1eded,
+    0x60402020, 0x1fe3fcfc,  0xc879b1b1,  0xedb65b5b,
+    0xbed46a6a, 0x468dcbcb,  0xd967bebe,  0x4b723939,
+    0xde944a4a, 0xd4984c4c,  0xe8b05858,  0x4a85cfcf,
+    0x6bbbd0d0, 0x2ac5efef,  0xe54faaaa,  0x16edfbfb,
+    0xc5864343, 0xd79a4d4d,  0x55663333,  0x94118585,
+    0xcf8a4545, 0x10e9f9f9,  0x6040202,   0x81fe7f7f,
+    0xf0a05050, 0x44783c3c,  0xba259f9f,  0xe34ba8a8,
+    0xf3a25151, 0xfe5da3a3,  0xc0804040,  0x8a058f8f,
+    0xad3f9292, 0xbc219d9d,  0x48703838,  0x4f1f5f5,
+    0xdf63bcbc, 0xc177b6b6,  0x75afdada,  0x63422121,
+    0x30201010, 0x1ae5ffff,  0xefdf3f3,   0x6dbfd2d2,
+    0x4c81cdcd, 0x14180c0c,  0x35261313,  0x2fc3ecec,
+    0xe1be5f5f, 0xa2359797,  0xcc884444,  0x392e1717,
+    0x5793c4c4, 0xf255a7a7,  0x82fc7e7e,  0x477a3d3d,
+    0xacc86464, 0xe7ba5d5d,  0x2b321919,  0x95e67373,
+    0xa0c06060, 0x98198181,  0xd19e4f4f,  0x7fa3dcdc,
+    0x66442222, 0x7e542a2a,  0xab3b9090,  0x830b8888,
+    0xca8c4646, 0x29c7eeee,  0xd36bb8b8,  0x3c281414,
+    0x79a7dede, 0xe2bc5e5e,  0x1d160b0b,  0x76addbdb,
+    0x3bdbe0e0, 0x56643232,  0x4e743a3a,  0x1e140a0a,
+    0xdb924949, 0xa0c0606,   0x6c482424,  0xe4b85c5c,
+    0x5d9fc2c2, 0x6ebdd3d3,  0xef43acac,  0xa6c46262,
+    0xa8399191, 0xa4319595,  0x37d3e4e4,  0x8bf27979,
+    0x32d5e7e7, 0x438bc8c8,  0x596e3737,  0xb7da6d6d,
+    0x8c018d8d, 0x64b1d5d5,  0xd29c4e4e,  0xe049a9a9,
+    0xb4d86c6c, 0xfaac5656,  0x7f3f4f4,   0x25cfeaea,
+    0xafca6565, 0x8ef47a7a,  0xe947aeae,  0x18100808,
+    0xd56fbaba, 0x88f07878,  0x6f4a2525,  0x725c2e2e,
+    0x24381c1c, 0xf157a6a6,  0xc773b4b4,  0x5197c6c6,
+    0x23cbe8e8, 0x7ca1dddd,  0x9ce87474,  0x213e1f1f,
+    0xdd964b4b, 0xdc61bdbd,  0x860d8b8b,  0x850f8a8a,
+    0x90e07070, 0x427c3e3e,  0xc471b5b5,  0xaacc6666,
+    0xd8904848, 0x5060303,   0x1f7f6f6,   0x121c0e0e,
+    0xa3c26161, 0x5f6a3535,  0xf9ae5757,  0xd069b9b9,
+    0x91178686, 0x5899c1c1,  0x273a1d1d,  0xb9279e9e,
+    0x38d9e1e1, 0x13ebf8f8,  0xb32b9898,  0x33221111,
+    0xbbd26969, 0x70a9d9d9,  0x89078e8e,  0xa7339494,
+    0xb62d9b9b, 0x223c1e1e,  0x92158787,  0x20c9e9e9,
+    0x4987cece, 0xffaa5555,  0x78502828,  0x7aa5dfdf,
+    0x8f038c8c, 0xf859a1a1,  0x80098989,  0x171a0d0d,
+    0xda65bfbf, 0x31d7e6e6,  0xc6844242,  0xb8d06868,
+    0xc3824141, 0xb0299999,  0x775a2d2d,  0x111e0f0f,
+    0xcb7bb0b0, 0xfca85454,  0xd66dbbbb,  0x3a2c1616,
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint32_t T2[256] = {
+    0x63a5c663, 0x7c84f87c,  0x7799ee77,  0x7b8df67b,
+    0xf20dfff2, 0x6bbdd66b,  0x6fb1de6f,  0xc55491c5,
+    0x30506030, 0x1030201,   0x67a9ce67,  0x2b7d562b,
+    0xfe19e7fe, 0xd762b5d7,  0xabe64dab,  0x769aec76,
+    0xca458fca, 0x829d1f82,  0xc94089c9,  0x7d87fa7d,
+    0xfa15effa, 0x59ebb259,  0x47c98e47,  0xf00bfbf0,
+    0xadec41ad, 0xd467b3d4,  0xa2fd5fa2,  0xafea45af,
+    0x9cbf239c, 0xa4f753a4,  0x7296e472,  0xc05b9bc0,
+    0xb7c275b7, 0xfd1ce1fd,  0x93ae3d93,  0x266a4c26,
+    0x365a6c36, 0x3f417e3f,  0xf702f5f7,  0xcc4f83cc,
+    0x345c6834, 0xa5f451a5,  0xe534d1e5,  0xf108f9f1,
+    0x7193e271, 0xd873abd8,  0x31536231,  0x153f2a15,
+    0x40c0804,  0xc75295c7,  0x23654623,  0xc35e9dc3,
+    0x18283018, 0x96a13796,  0x50f0a05,   0x9ab52f9a,
+    0x7090e07,  0x12362412,  0x809b1b80,  0xe23ddfe2,
+    0xeb26cdeb, 0x27694e27,  0xb2cd7fb2,  0x759fea75,
+    0x91b1209,  0x839e1d83,  0x2c74582c,  0x1a2e341a,
+    0x1b2d361b, 0x6eb2dc6e,  0x5aeeb45a,  0xa0fb5ba0,
+    0x52f6a452, 0x3b4d763b,  0xd661b7d6,  0xb3ce7db3,
+    0x297b5229, 0xe33edde3,  0x2f715e2f,  0x84971384,
+    0x53f5a653, 0xd168b9d1,  0x0,         0xed2cc1ed,
+    0x20604020, 0xfc1fe3fc,  0xb1c879b1,  0x5bedb65b,
+    0x6abed46a, 0xcb468dcb,  0xbed967be,  0x394b7239,
+    0x4ade944a, 0x4cd4984c,  0x58e8b058,  0xcf4a85cf,
+    0xd06bbbd0, 0xef2ac5ef,  0xaae54faa,  0xfb16edfb,
+    0x43c58643, 0x4dd79a4d,  0x33556633,  0x85941185,
+    0x45cf8a45, 0xf910e9f9,  0x2060402,   0x7f81fe7f,
+    0x50f0a050, 0x3c44783c,  0x9fba259f,  0xa8e34ba8,
+    0x51f3a251, 0xa3fe5da3,  0x40c08040,  0x8f8a058f,
+    0x92ad3f92, 0x9dbc219d,  0x38487038,  0xf504f1f5,
+    0xbcdf63bc, 0xb6c177b6,  0xda75afda,  0x21634221,
+    0x10302010, 0xff1ae5ff,  0xf30efdf3,  0xd26dbfd2,
+    0xcd4c81cd, 0xc14180c,   0x13352613,  0xec2fc3ec,
+    0x5fe1be5f, 0x97a23597,  0x44cc8844,  0x17392e17,
+    0xc45793c4, 0xa7f255a7,  0x7e82fc7e,  0x3d477a3d,
+    0x64acc864, 0x5de7ba5d,  0x192b3219,  0x7395e673,
+    0x60a0c060, 0x81981981,  0x4fd19e4f,  0xdc7fa3dc,
+    0x22664422, 0x2a7e542a,  0x90ab3b90,  0x88830b88,
+    0x46ca8c46, 0xee29c7ee,  0xb8d36bb8,  0x143c2814,
+    0xde79a7de, 0x5ee2bc5e,  0xb1d160b,   0xdb76addb,
+    0xe03bdbe0, 0x32566432,  0x3a4e743a,  0xa1e140a,
+    0x49db9249, 0x60a0c06,   0x246c4824,  0x5ce4b85c,
+    0xc25d9fc2, 0xd36ebdd3,  0xacef43ac,  0x62a6c462,
+    0x91a83991, 0x95a43195,  0xe437d3e4,  0x798bf279,
+    0xe732d5e7, 0xc8438bc8,  0x37596e37,  0x6db7da6d,
+    0x8d8c018d, 0xd564b1d5,  0x4ed29c4e,  0xa9e049a9,
+    0x6cb4d86c, 0x56faac56,  0xf407f3f4,  0xea25cfea,
+    0x65afca65, 0x7a8ef47a,  0xaee947ae,  0x8181008,
+    0xbad56fba, 0x7888f078,  0x256f4a25,  0x2e725c2e,
+    0x1c24381c, 0xa6f157a6,  0xb4c773b4,  0xc65197c6,
+    0xe823cbe8, 0xdd7ca1dd,  0x749ce874,  0x1f213e1f,
+    0x4bdd964b, 0xbddc61bd,  0x8b860d8b,  0x8a850f8a,
+    0x7090e070, 0x3e427c3e,  0xb5c471b5,  0x66aacc66,
+    0x48d89048, 0x3050603,   0xf601f7f6,  0xe121c0e,
+    0x61a3c261, 0x355f6a35,  0x57f9ae57,  0xb9d069b9,
+    0x86911786, 0xc15899c1,  0x1d273a1d,  0x9eb9279e,
+    0xe138d9e1, 0xf813ebf8,  0x98b32b98,  0x11332211,
+    0x69bbd269, 0xd970a9d9,  0x8e89078e,  0x94a73394,
+    0x9bb62d9b, 0x1e223c1e,  0x87921587,  0xe920c9e9,
+    0xce4987ce, 0x55ffaa55,  0x28785028,  0xdf7aa5df,
+    0x8c8f038c, 0xa1f859a1,  0x89800989,  0xd171a0d,
+    0xbfda65bf, 0xe631d7e6,  0x42c68442,  0x68b8d068,
+    0x41c38241, 0x99b02999,  0x2d775a2d,  0xf111e0f,
+    0xb0cb7bb0, 0x54fca854,  0xbbd66dbb,  0x163a2c16,
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint32_t T3[256] = {
+    0x6363a5c6, 0x7c7c84f8,  0x777799ee,  0x7b7b8df6,
+    0xf2f20dff, 0x6b6bbdd6,  0x6f6fb1de,  0xc5c55491,
+    0x30305060, 0x1010302,   0x6767a9ce,  0x2b2b7d56,
+    0xfefe19e7, 0xd7d762b5,  0xababe64d,  0x76769aec,
+    0xcaca458f, 0x82829d1f,  0xc9c94089,  0x7d7d87fa,
+    0xfafa15ef, 0x5959ebb2,  0x4747c98e,  0xf0f00bfb,
+    0xadadec41, 0xd4d467b3,  0xa2a2fd5f,  0xafafea45,
+    0x9c9cbf23, 0xa4a4f753,  0x727296e4,  0xc0c05b9b,
+    0xb7b7c275, 0xfdfd1ce1,  0x9393ae3d,  0x26266a4c,
+    0x36365a6c, 0x3f3f417e,  0xf7f702f5,  0xcccc4f83,
+    0x34345c68, 0xa5a5f451,  0xe5e534d1,  0xf1f108f9,
+    0x717193e2, 0xd8d873ab,  0x31315362,  0x15153f2a,
+    0x4040c08,  0xc7c75295,  0x23236546,  0xc3c35e9d,
+    0x18182830, 0x9696a137,  0x5050f0a,   0x9a9ab52f,
+    0x707090e,  0x12123624,  0x80809b1b,  0xe2e23ddf,
+    0xebeb26cd, 0x2727694e,  0xb2b2cd7f,  0x75759fea,
+    0x9091b12,  0x83839e1d,  0x2c2c7458,  0x1a1a2e34,
+    0x1b1b2d36, 0x6e6eb2dc,  0x5a5aeeb4,  0xa0a0fb5b,
+    0x5252f6a4, 0x3b3b4d76,  0xd6d661b7,  0xb3b3ce7d,
+    0x29297b52, 0xe3e33edd,  0x2f2f715e,  0x84849713,
+    0x5353f5a6, 0xd1d168b9,  0x0,         0xeded2cc1,
+    0x20206040, 0xfcfc1fe3,  0xb1b1c879,  0x5b5bedb6,
+    0x6a6abed4, 0xcbcb468d,  0xbebed967,  0x39394b72,
+    0x4a4ade94, 0x4c4cd498,  0x5858e8b0,  0xcfcf4a85,
+    0xd0d06bbb, 0xefef2ac5,  0xaaaae54f,  0xfbfb16ed,
+    0x4343c586, 0x4d4dd79a,  0x33335566,  0x85859411,
+    0x4545cf8a, 0xf9f910e9,  0x2020604,   0x7f7f81fe,
+    0x5050f0a0, 0x3c3c4478,  0x9f9fba25,  0xa8a8e34b,
+    0x5151f3a2, 0xa3a3fe5d,  0x4040c080,  0x8f8f8a05,
+    0x9292ad3f, 0x9d9dbc21,  0x38384870,  0xf5f504f1,
+    0xbcbcdf63, 0xb6b6c177,  0xdada75af,  0x21216342,
+    0x10103020, 0xffff1ae5,  0xf3f30efd,  0xd2d26dbf,
+    0xcdcd4c81, 0xc0c1418,   0x13133526,  0xecec2fc3,
+    0x5f5fe1be, 0x9797a235,  0x4444cc88,  0x1717392e,
+    0xc4c45793, 0xa7a7f255,  0x7e7e82fc,  0x3d3d477a,
+    0x6464acc8, 0x5d5de7ba,  0x19192b32,  0x737395e6,
+    0x6060a0c0, 0x81819819,  0x4f4fd19e,  0xdcdc7fa3,
+    0x22226644, 0x2a2a7e54,  0x9090ab3b,  0x8888830b,
+    0x4646ca8c, 0xeeee29c7,  0xb8b8d36b,  0x14143c28,
+    0xdede79a7, 0x5e5ee2bc,  0xb0b1d16,   0xdbdb76ad,
+    0xe0e03bdb, 0x32325664,  0x3a3a4e74,  0xa0a1e14,
+    0x4949db92, 0x6060a0c,   0x24246c48,  0x5c5ce4b8,
+    0xc2c25d9f, 0xd3d36ebd,  0xacacef43,  0x6262a6c4,
+    0x9191a839, 0x9595a431,  0xe4e437d3,  0x79798bf2,
+    0xe7e732d5, 0xc8c8438b,  0x3737596e,  0x6d6db7da,
+    0x8d8d8c01, 0xd5d564b1,  0x4e4ed29c,  0xa9a9e049,
+    0x6c6cb4d8, 0x5656faac,  0xf4f407f3,  0xeaea25cf,
+    0x6565afca, 0x7a7a8ef4,  0xaeaee947,  0x8081810,
+    0xbabad56f, 0x787888f0,  0x25256f4a,  0x2e2e725c,
+    0x1c1c2438, 0xa6a6f157,  0xb4b4c773,  0xc6c65197,
+    0xe8e823cb, 0xdddd7ca1,  0x74749ce8,  0x1f1f213e,
+    0x4b4bdd96, 0xbdbddc61,  0x8b8b860d,  0x8a8a850f,
+    0x707090e0, 0x3e3e427c,  0xb5b5c471,  0x6666aacc,
+    0x4848d890, 0x3030506,   0xf6f601f7,  0xe0e121c,
+    0x6161a3c2, 0x35355f6a,  0x5757f9ae,  0xb9b9d069,
+    0x86869117, 0xc1c15899,  0x1d1d273a,  0x9e9eb927,
+    0xe1e138d9, 0xf8f813eb,  0x9898b32b,  0x11113322,
+    0x6969bbd2, 0xd9d970a9,  0x8e8e8907,  0x9494a733,
+    0x9b9bb62d, 0x1e1e223c,  0x87879215,  0xe9e920c9,
+    0xcece4987, 0x5555ffaa,  0x28287850,  0xdfdf7aa5,
+    0x8c8c8f03, 0xa1a1f859,  0x89898009,  0xd0d171a,
+    0xbfbfda65, 0xe6e631d7,  0x4242c684,  0x6868b8d0,
+    0x4141c382, 0x9999b029,  0x2d2d775a,  0xf0f111e,
+    0xb0b0cb7b, 0x5454fca8,  0xbbbbd66d,  0x16163a2c,
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint32_t U0[256] = {
+    0x51f4a750, 0x7e416553,  0x1a17a4c3,  0x3a275e96,
+    0x3bab6bcb, 0x1f9d45f1,  0xacfa58ab,  0x4be30393,
+    0x2030fa55, 0xad766df6,  0x88cc7691,  0xf5024c25,
+    0x4fe5d7fc, 0xc52acbd7,  0x26354480,  0xb562a38f,
+    0xdeb15a49, 0x25ba1b67,  0x45ea0e98,  0x5dfec0e1,
+    0xc32f7502, 0x814cf012,  0x8d4697a3,  0x6bd3f9c6,
+    0x38f5fe7,  0x15929c95,  0xbf6d7aeb,  0x955259da,
+    0xd4be832d, 0x587421d3,  0x49e06929,  0x8ec9c844,
+    0x75c2896a, 0xf48e7978,  0x99583e6b,  0x27b971dd,
+    0xbee14fb6, 0xf088ad17,  0xc920ac66,  0x7dce3ab4,
+    0x63df4a18, 0xe51a3182,  0x97513360,  0x62537f45,
+    0xb16477e0, 0xbb6bae84,  0xfe81a01c,  0xf9082b94,
+    0x70486858, 0x8f45fd19,  0x94de6c87,  0x527bf8b7,
+    0xab73d323, 0x724b02e2,  0xe31f8f57,  0x6655ab2a,
+    0xb2eb2807, 0x2fb5c203,  0x86c57b9a,  0xd33708a5,
+    0x302887f2, 0x23bfa5b2,  0x2036aba,   0xed16825c,
+    0x8acf1c2b, 0xa779b492,  0xf307f2f0,  0x4e69e2a1,
+    0x65daf4cd, 0x605bed5,   0xd134621f,  0xc4a6fe8a,
+    0x342e539d, 0xa2f355a0,  0x58ae132,   0xa4f6eb75,
+    0xb83ec39,  0x4060efaa,  0x5e719f06,  0xbd6e1051,
+    0x3e218af9, 0x96dd063d,  0xdd3e05ae,  0x4de6bd46,
+    0x91548db5, 0x71c45d05,  0x406d46f,   0x605015ff,
+    0x1998fb24, 0xd6bde997,  0x894043cc,  0x67d99e77,
+    0xb0e842bd, 0x7898b88,   0xe7195b38,  0x79c8eedb,
+    0xa17c0a47, 0x7c420fe9,  0xf8841ec9,  0x0,
+    0x9808683,  0x322bed48,  0x1e1170ac,  0x6c5a724e,
+    0xfd0efffb, 0xf853856,   0x3daed51e,  0x362d3927,
+    0xa0fd964,  0x685ca621,  0x9b5b54d1,  0x24362e3a,
+    0xc0a67b1,  0x9357e70f,  0xb4ee96d2,  0x1b9b919e,
+    0x80c0c54f, 0x61dc20a2,  0x5a774b69,  0x1c121a16,
+    0xe293ba0a, 0xc0a02ae5,  0x3c22e043,  0x121b171d,
+    0xe090d0b,  0xf28bc7ad,  0x2db6a8b9,  0x141ea9c8,
+    0x57f11985, 0xaf75074c,  0xee99ddbb,  0xa37f60fd,
+    0xf701269f, 0x5c72f5bc,  0x44663bc5,  0x5bfb7e34,
+    0x8b432976, 0xcb23c6dc,  0xb6edfc68,  0xb8e4f163,
+    0xd731dcca, 0x42638510,  0x13972240,  0x84c61120,
+    0x854a247d, 0xd2bb3df8,  0xaef93211,  0xc729a16d,
+    0x1d9e2f4b, 0xdcb230f3,  0xd8652ec,   0x77c1e3d0,
+    0x2bb3166c, 0xa970b999,  0x119448fa,  0x47e96422,
+    0xa8fc8cc4, 0xa0f03f1a,  0x567d2cd8,  0x223390ef,
+    0x87494ec7, 0xd938d1c1,  0x8ccaa2fe,  0x98d40b36,
+    0xa6f581cf, 0xa57ade28,  0xdab78e26,  0x3fadbfa4,
+    0x2c3a9de4, 0x5078920d,  0x6a5fcc9b,  0x547e4662,
+    0xf68d13c2, 0x90d8b8e8,  0x2e39f75e,  0x82c3aff5,
+    0x9f5d80be, 0x69d0937c,  0x6fd52da9,  0xcf2512b3,
+    0xc8ac993b, 0x10187da7,  0xe89c636e,  0xdb3bbb7b,
+    0xcd267809, 0x6e5918f4,  0xec9ab701,  0x834f9aa8,
+    0xe6956e65, 0xaaffe67e,  0x21bccf08,  0xef15e8e6,
+    0xbae79bd9, 0x4a6f36ce,  0xea9f09d4,  0x29b07cd6,
+    0x31a4b2af, 0x2a3f2331,  0xc6a59430,  0x35a266c0,
+    0x744ebc37, 0xfc82caa6,  0xe090d0b0,  0x33a7d815,
+    0xf104984a, 0x41ecdaf7,  0x7fcd500e,  0x1791f62f,
+    0x764dd68d, 0x43efb04d,  0xccaa4d54,  0xe49604df,
+    0x9ed1b5e3, 0x4c6a881b,  0xc12c1fb8,  0x4665517f,
+    0x9d5eea04, 0x18c355d,   0xfa877473,  0xfb0b412e,
+    0xb3671d5a, 0x92dbd252,  0xe9105633,  0x6dd64713,
+    0x9ad7618c, 0x37a10c7a,  0x59f8148e,  0xeb133c89,
+    0xcea927ee, 0xb761c935,  0xe11ce5ed,  0x7a47b13c,
+    0x9cd2df59, 0x55f2733f,  0x1814ce79,  0x73c737bf,
+    0x53f7cdea, 0x5ffdaa5b,  0xdf3d6f14,  0x7844db86,
+    0xcaaff381, 0xb968c43e,  0x3824342c,  0xc2a3405f,
+    0x161dc372, 0xbce2250c,  0x283c498b,  0xff0d9541,
+    0x39a80171, 0x80cb3de,   0xd8b4e49c,  0x6456c190,
+    0x7bcb8461, 0xd532b670,  0x486c5c74,  0xd0b85742
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint32_t U1[256] = {
+    0x5051f4a7, 0x537e4165,  0xc31a17a4,  0x963a275e,
+    0xcb3bab6b, 0xf11f9d45,  0xabacfa58,  0x934be303,
+    0x552030fa, 0xf6ad766d,  0x9188cc76,  0x25f5024c,
+    0xfc4fe5d7, 0xd7c52acb,  0x80263544,  0x8fb562a3,
+    0x49deb15a, 0x6725ba1b,  0x9845ea0e,  0xe15dfec0,
+    0x2c32f75,  0x12814cf0,  0xa38d4697,  0xc66bd3f9,
+    0xe7038f5f, 0x9515929c,  0xebbf6d7a,  0xda955259,
+    0x2dd4be83, 0xd3587421,  0x2949e069,  0x448ec9c8,
+    0x6a75c289, 0x78f48e79,  0x6b99583e,  0xdd27b971,
+    0xb6bee14f, 0x17f088ad,  0x66c920ac,  0xb47dce3a,
+    0x1863df4a, 0x82e51a31,  0x60975133,  0x4562537f,
+    0xe0b16477, 0x84bb6bae,  0x1cfe81a0,  0x94f9082b,
+    0x58704868, 0x198f45fd,  0x8794de6c,  0xb7527bf8,
+    0x23ab73d3, 0xe2724b02,  0x57e31f8f,  0x2a6655ab,
+    0x7b2eb28,  0x32fb5c2,   0x9a86c57b,  0xa5d33708,
+    0xf2302887, 0xb223bfa5,  0xba02036a,  0x5ced1682,
+    0x2b8acf1c, 0x92a779b4,  0xf0f307f2,  0xa14e69e2,
+    0xcd65daf4, 0xd50605be,  0x1fd13462,  0x8ac4a6fe,
+    0x9d342e53, 0xa0a2f355,  0x32058ae1,  0x75a4f6eb,
+    0x390b83ec, 0xaa4060ef,  0x65e719f,   0x51bd6e10,
+    0xf93e218a, 0x3d96dd06,  0xaedd3e05,  0x464de6bd,
+    0xb591548d, 0x571c45d,   0x6f0406d4,  0xff605015,
+    0x241998fb, 0x97d6bde9,  0xcc894043,  0x7767d99e,
+    0xbdb0e842, 0x8807898b,  0x38e7195b,  0xdb79c8ee,
+    0x47a17c0a, 0xe97c420f,  0xc9f8841e,  0x0,
+    0x83098086, 0x48322bed,  0xac1e1170,  0x4e6c5a72,
+    0xfbfd0eff, 0x560f8538,  0x1e3daed5,  0x27362d39,
+    0x640a0fd9, 0x21685ca6,  0xd19b5b54,  0x3a24362e,
+    0xb10c0a67, 0xf9357e7,   0xd2b4ee96,  0x9e1b9b91,
+    0x4f80c0c5, 0xa261dc20,  0x695a774b,  0x161c121a,
+    0xae293ba,  0xe5c0a02a,  0x433c22e0,  0x1d121b17,
+    0xb0e090d,  0xadf28bc7,  0xb92db6a8,  0xc8141ea9,
+    0x8557f119, 0x4caf7507,  0xbbee99dd,  0xfda37f60,
+    0x9ff70126, 0xbc5c72f5,  0xc544663b,  0x345bfb7e,
+    0x768b4329, 0xdccb23c6,  0x68b6edfc,  0x63b8e4f1,
+    0xcad731dc, 0x10426385,  0x40139722,  0x2084c611,
+    0x7d854a24, 0xf8d2bb3d,  0x11aef932,  0x6dc729a1,
+    0x4b1d9e2f, 0xf3dcb230,  0xec0d8652,  0xd077c1e3,
+    0x6c2bb316, 0x99a970b9,  0xfa119448,  0x2247e964,
+    0xc4a8fc8c, 0x1aa0f03f,  0xd8567d2c,  0xef223390,
+    0xc787494e, 0xc1d938d1,  0xfe8ccaa2,  0x3698d40b,
+    0xcfa6f581, 0x28a57ade,  0x26dab78e,  0xa43fadbf,
+    0xe42c3a9d, 0xd507892,   0x9b6a5fcc,  0x62547e46,
+    0xc2f68d13, 0xe890d8b8,  0x5e2e39f7,  0xf582c3af,
+    0xbe9f5d80, 0x7c69d093,  0xa96fd52d,  0xb3cf2512,
+    0x3bc8ac99, 0xa710187d,  0x6ee89c63,  0x7bdb3bbb,
+    0x9cd2678,  0xf46e5918,  0x1ec9ab7,   0xa8834f9a,
+    0x65e6956e, 0x7eaaffe6,  0x821bccf,   0xe6ef15e8,
+    0xd9bae79b, 0xce4a6f36,  0xd4ea9f09,  0xd629b07c,
+    0xaf31a4b2, 0x312a3f23,  0x30c6a594,  0xc035a266,
+    0x37744ebc, 0xa6fc82ca,  0xb0e090d0,  0x1533a7d8,
+    0x4af10498, 0xf741ecda,  0xe7fcd50,   0x2f1791f6,
+    0x8d764dd6, 0x4d43efb0,  0x54ccaa4d,  0xdfe49604,
+    0xe39ed1b5, 0x1b4c6a88,  0xb8c12c1f,  0x7f466551,
+    0x49d5eea,  0x5d018c35,  0x73fa8774,  0x2efb0b41,
+    0x5ab3671d, 0x5292dbd2,  0x33e91056,  0x136dd647,
+    0x8c9ad761, 0x7a37a10c,  0x8e59f814,  0x89eb133c,
+    0xeecea927, 0x35b761c9,  0xede11ce5,  0x3c7a47b1,
+    0x599cd2df, 0x3f55f273,  0x791814ce,  0xbf73c737,
+    0xea53f7cd, 0x5b5ffdaa,  0x14df3d6f,  0x867844db,
+    0x81caaff3, 0x3eb968c4,  0x2c382434,  0x5fc2a340,
+    0x72161dc3, 0xcbce225,   0x8b283c49,  0x41ff0d95,
+    0x7139a801, 0xde080cb3,  0x9cd8b4e4,  0x906456c1,
+    0x617bcb84, 0x70d532b6,  0x74486c5c,  0x42d0b857
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint32_t U2[256] = {
+    0xa75051f4, 0x65537e41,  0xa4c31a17,  0x5e963a27,
+    0x6bcb3bab, 0x45f11f9d,  0x58abacfa,  0x3934be3,
+    0xfa552030, 0x6df6ad76,  0x769188cc,  0x4c25f502,
+    0xd7fc4fe5, 0xcbd7c52a,  0x44802635,  0xa38fb562,
+    0x5a49deb1, 0x1b6725ba,  0xe9845ea,   0xc0e15dfe,
+    0x7502c32f, 0xf012814c,  0x97a38d46,  0xf9c66bd3,
+    0x5fe7038f, 0x9c951592,  0x7aebbf6d,  0x59da9552,
+    0x832dd4be, 0x21d35874,  0x692949e0,  0xc8448ec9,
+    0x896a75c2, 0x7978f48e,  0x3e6b9958,  0x71dd27b9,
+    0x4fb6bee1, 0xad17f088,  0xac66c920,  0x3ab47dce,
+    0x4a1863df, 0x3182e51a,  0x33609751,  0x7f456253,
+    0x77e0b164, 0xae84bb6b,  0xa01cfe81,  0x2b94f908,
+    0x68587048, 0xfd198f45,  0x6c8794de,  0xf8b7527b,
+    0xd323ab73, 0x2e2724b,   0x8f57e31f,  0xab2a6655,
+    0x2807b2eb, 0xc2032fb5,  0x7b9a86c5,  0x8a5d337,
+    0x87f23028, 0xa5b223bf,  0x6aba0203,  0x825ced16,
+    0x1c2b8acf, 0xb492a779,  0xf2f0f307,  0xe2a14e69,
+    0xf4cd65da, 0xbed50605,  0x621fd134,  0xfe8ac4a6,
+    0x539d342e, 0x55a0a2f3,  0xe132058a,  0xeb75a4f6,
+    0xec390b83, 0xefaa4060,  0x9f065e71,  0x1051bd6e,
+    0x8af93e21, 0x63d96dd,   0x5aedd3e,   0xbd464de6,
+    0x8db59154, 0x5d0571c4,  0xd46f0406,  0x15ff6050,
+    0xfb241998, 0xe997d6bd,  0x43cc8940,  0x9e7767d9,
+    0x42bdb0e8, 0x8b880789,  0x5b38e719,  0xeedb79c8,
+    0xa47a17c,  0xfe97c42,   0x1ec9f884,  0x0,
+    0x86830980, 0xed48322b,  0x70ac1e11,  0x724e6c5a,
+    0xfffbfd0e, 0x38560f85,  0xd51e3dae,  0x3927362d,
+    0xd9640a0f, 0xa621685c,  0x54d19b5b,  0x2e3a2436,
+    0x67b10c0a, 0xe70f9357,  0x96d2b4ee,  0x919e1b9b,
+    0xc54f80c0, 0x20a261dc,  0x4b695a77,  0x1a161c12,
+    0xba0ae293, 0x2ae5c0a0,  0xe0433c22,  0x171d121b,
+    0xd0b0e09,  0xc7adf28b,  0xa8b92db6,  0xa9c8141e,
+    0x198557f1, 0x74caf75,   0xddbbee99,  0x60fda37f,
+    0x269ff701, 0xf5bc5c72,  0x3bc54466,  0x7e345bfb,
+    0x29768b43, 0xc6dccb23,  0xfc68b6ed,  0xf163b8e4,
+    0xdccad731, 0x85104263,  0x22401397,  0x112084c6,
+    0x247d854a, 0x3df8d2bb,  0x3211aef9,  0xa16dc729,
+    0x2f4b1d9e, 0x30f3dcb2,  0x52ec0d86,  0xe3d077c1,
+    0x166c2bb3, 0xb999a970,  0x48fa1194,  0x642247e9,
+    0x8cc4a8fc, 0x3f1aa0f0,  0x2cd8567d,  0x90ef2233,
+    0x4ec78749, 0xd1c1d938,  0xa2fe8cca,  0xb3698d4,
+    0x81cfa6f5, 0xde28a57a,  0x8e26dab7,  0xbfa43fad,
+    0x9de42c3a, 0x920d5078,  0xcc9b6a5f,  0x4662547e,
+    0x13c2f68d, 0xb8e890d8,  0xf75e2e39,  0xaff582c3,
+    0x80be9f5d, 0x937c69d0,  0x2da96fd5,  0x12b3cf25,
+    0x993bc8ac, 0x7da71018,  0x636ee89c,  0xbb7bdb3b,
+    0x7809cd26, 0x18f46e59,  0xb701ec9a,  0x9aa8834f,
+    0x6e65e695, 0xe67eaaff,  0xcf0821bc,  0xe8e6ef15,
+    0x9bd9bae7, 0x36ce4a6f,  0x9d4ea9f,   0x7cd629b0,
+    0xb2af31a4, 0x23312a3f,  0x9430c6a5,  0x66c035a2,
+    0xbc37744e, 0xcaa6fc82,  0xd0b0e090,  0xd81533a7,
+    0x984af104, 0xdaf741ec,  0x500e7fcd,  0xf62f1791,
+    0xd68d764d, 0xb04d43ef,  0x4d54ccaa,  0x4dfe496,
+    0xb5e39ed1, 0x881b4c6a,  0x1fb8c12c,  0x517f4665,
+    0xea049d5e, 0x355d018c,  0x7473fa87,  0x412efb0b,
+    0x1d5ab367, 0xd25292db,  0x5633e910,  0x47136dd6,
+    0x618c9ad7, 0xc7a37a1,   0x148e59f8,  0x3c89eb13,
+    0x27eecea9, 0xc935b761,  0xe5ede11c,  0xb13c7a47,
+    0xdf599cd2, 0x733f55f2,  0xce791814,  0x37bf73c7,
+    0xcdea53f7, 0xaa5b5ffd,  0x6f14df3d,  0xdb867844,
+    0xf381caaf, 0xc43eb968,  0x342c3824,  0x405fc2a3,
+    0xc372161d, 0x250cbce2,  0x498b283c,  0x9541ff0d,
+    0x17139a8,  0xb3de080c,  0xe49cd8b4,  0xc1906456,
+    0x84617bcb, 0xb670d532,  0x5c74486c,  0x5742d0b8
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint32_t U3[256] = {
+    0xf4a75051, 0x4165537e,  0x17a4c31a,  0x275e963a,
+    0xab6bcb3b, 0x9d45f11f,  0xfa58abac,  0xe303934b,
+    0x30fa5520, 0x766df6ad,  0xcc769188,  0x24c25f5,
+    0xe5d7fc4f, 0x2acbd7c5,  0x35448026,  0x62a38fb5,
+    0xb15a49de, 0xba1b6725,  0xea0e9845,  0xfec0e15d,
+    0x2f7502c3, 0x4cf01281,  0x4697a38d,  0xd3f9c66b,
+    0x8f5fe703, 0x929c9515,  0x6d7aebbf,  0x5259da95,
+    0xbe832dd4, 0x7421d358,  0xe0692949,  0xc9c8448e,
+    0xc2896a75, 0x8e7978f4,  0x583e6b99,  0xb971dd27,
+    0xe14fb6be, 0x88ad17f0,  0x20ac66c9,  0xce3ab47d,
+    0xdf4a1863, 0x1a3182e5,  0x51336097,  0x537f4562,
+    0x6477e0b1, 0x6bae84bb,  0x81a01cfe,  0x82b94f9,
+    0x48685870, 0x45fd198f,  0xde6c8794,  0x7bf8b752,
+    0x73d323ab, 0x4b02e272,  0x1f8f57e3,  0x55ab2a66,
+    0xeb2807b2, 0xb5c2032f,  0xc57b9a86,  0x3708a5d3,
+    0x2887f230, 0xbfa5b223,  0x36aba02,   0x16825ced,
+    0xcf1c2b8a, 0x79b492a7,  0x7f2f0f3,   0x69e2a14e,
+    0xdaf4cd65, 0x5bed506,   0x34621fd1,  0xa6fe8ac4,
+    0x2e539d34, 0xf355a0a2,  0x8ae13205,  0xf6eb75a4,
+    0x83ec390b, 0x60efaa40,  0x719f065e,  0x6e1051bd,
+    0x218af93e, 0xdd063d96,  0x3e05aedd,  0xe6bd464d,
+    0x548db591, 0xc45d0571,  0x6d46f04,   0x5015ff60,
+    0x98fb2419, 0xbde997d6,  0x4043cc89,  0xd99e7767,
+    0xe842bdb0, 0x898b8807,  0x195b38e7,  0xc8eedb79,
+    0x7c0a47a1, 0x420fe97c,  0x841ec9f8,  0x0,
+    0x80868309, 0x2bed4832,  0x1170ac1e,  0x5a724e6c,
+    0xefffbfd,  0x8538560f,  0xaed51e3d,  0x2d392736,
+    0xfd9640a,  0x5ca62168,  0x5b54d19b,  0x362e3a24,
+    0xa67b10c,  0x57e70f93,  0xee96d2b4,  0x9b919e1b,
+    0xc0c54f80, 0xdc20a261,  0x774b695a,  0x121a161c,
+    0x93ba0ae2, 0xa02ae5c0,  0x22e0433c,  0x1b171d12,
+    0x90d0b0e,  0x8bc7adf2,  0xb6a8b92d,  0x1ea9c814,
+    0xf1198557, 0x75074caf,  0x99ddbbee,  0x7f60fda3,
+    0x1269ff7,  0x72f5bc5c,  0x663bc544,  0xfb7e345b,
+    0x4329768b, 0x23c6dccb,  0xedfc68b6,  0xe4f163b8,
+    0x31dccad7, 0x63851042,  0x97224013,  0xc6112084,
+    0x4a247d85, 0xbb3df8d2,  0xf93211ae,  0x29a16dc7,
+    0x9e2f4b1d, 0xb230f3dc,  0x8652ec0d,  0xc1e3d077,
+    0xb3166c2b, 0x70b999a9,  0x9448fa11,  0xe9642247,
+    0xfc8cc4a8, 0xf03f1aa0,  0x7d2cd856,  0x3390ef22,
+    0x494ec787, 0x38d1c1d9,  0xcaa2fe8c,  0xd40b3698,
+    0xf581cfa6, 0x7ade28a5,  0xb78e26da,  0xadbfa43f,
+    0x3a9de42c, 0x78920d50,  0x5fcc9b6a,  0x7e466254,
+    0x8d13c2f6, 0xd8b8e890,  0x39f75e2e,  0xc3aff582,
+    0x5d80be9f, 0xd0937c69,  0xd52da96f,  0x2512b3cf,
+    0xac993bc8, 0x187da710,  0x9c636ee8,  0x3bbb7bdb,
+    0x267809cd, 0x5918f46e,  0x9ab701ec,  0x4f9aa883,
+    0x956e65e6, 0xffe67eaa,  0xbccf0821,  0x15e8e6ef,
+    0xe79bd9ba, 0x6f36ce4a,  0x9f09d4ea,  0xb07cd629,
+    0xa4b2af31, 0x3f23312a,  0xa59430c6,  0xa266c035,
+    0x4ebc3774, 0x82caa6fc,  0x90d0b0e0,  0xa7d81533,
+    0x4984af1,  0xecdaf741,  0xcd500e7f,  0x91f62f17,
+    0x4dd68d76, 0xefb04d43,  0xaa4d54cc,  0x9604dfe4,
+    0xd1b5e39e, 0x6a881b4c,  0x2c1fb8c1,  0x65517f46,
+    0x5eea049d, 0x8c355d01,  0x877473fa,  0xb412efb,
+    0x671d5ab3, 0xdbd25292,  0x105633e9,  0xd647136d,
+    0xd7618c9a, 0xa10c7a37,  0xf8148e59,  0x133c89eb,
+    0xa927eece, 0x61c935b7,  0x1ce5ede1,  0x47b13c7a,
+    0xd2df599c, 0xf2733f55,  0x14ce7918,  0xc737bf73,
+    0xf7cdea53, 0xfdaa5b5f,  0x3d6f14df,  0x44db8678,
+    0xaff381ca, 0x68c43eb9,  0x24342c38,  0xa3405fc2,
+    0x1dc37216, 0xe2250cbc,  0x3c498b28,  0xd9541ff,
+    0xa8017139, 0xcb3de08,   0xb4e49cd8,  0x56c19064,
+    0xcb84617b, 0x32b670d5,  0x6c5c7448,  0xb85742d0
+};
+/* clang-format on */
+#endif
+
+/*
+ * the following tables (aes_sbox, aes_inv_sbox, T4, U4) are
+ * endian-neutral
+ */
+/* clang-format off */
+static const uint8_t aes_sbox[256] = {
+    0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
+    0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
+    0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0,
+    0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
+    0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc,
+    0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
+    0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a,
+    0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
+    0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0,
+    0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
+    0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b,
+    0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
+    0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85,
+    0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
+    0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5,
+    0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
+    0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17,
+    0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
+    0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88,
+    0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
+    0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c,
+    0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
+    0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9,
+    0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
+    0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6,
+    0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
+    0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e,
+    0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
+    0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94,
+    0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
+    0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68,
+    0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16
+};
+/* clang-format on */
+
+#ifndef CPU_RISC
+/* clang-format off */
+static const uint8_t aes_inv_sbox[256] = {
+    0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38,
+    0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
+    0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87,
+    0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb,
+    0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d,
+    0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e,
+    0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2,
+    0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25,
+    0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16,
+    0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92,
+    0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda,
+    0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84,
+    0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a,
+    0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06,
+    0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02,
+    0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b,
+    0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea,
+    0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73,
+    0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85,
+    0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e,
+    0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89,
+    0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b,
+    0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20,
+    0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4,
+    0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31,
+    0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f,
+    0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d,
+    0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef,
+    0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0,
+    0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,
+    0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26,
+    0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d
+};
+/* clang-format on */
+#endif /* ! CPU_RISC */
+
+#ifdef CPU_RISC
+/* clang-format off */
+static const uint32_t T4[256] = {
+    0x63636363, 0x7c7c7c7c, 0x77777777, 0x7b7b7b7b,
+    0xf2f2f2f2, 0x6b6b6b6b, 0x6f6f6f6f, 0xc5c5c5c5,
+    0x30303030, 0x01010101, 0x67676767, 0x2b2b2b2b,
+    0xfefefefe, 0xd7d7d7d7, 0xabababab, 0x76767676,
+    0xcacacaca, 0x82828282, 0xc9c9c9c9, 0x7d7d7d7d,
+    0xfafafafa, 0x59595959, 0x47474747, 0xf0f0f0f0,
+    0xadadadad, 0xd4d4d4d4, 0xa2a2a2a2, 0xafafafaf,
+    0x9c9c9c9c, 0xa4a4a4a4, 0x72727272, 0xc0c0c0c0,
+    0xb7b7b7b7, 0xfdfdfdfd, 0x93939393, 0x26262626,
+    0x36363636, 0x3f3f3f3f, 0xf7f7f7f7, 0xcccccccc,
+    0x34343434, 0xa5a5a5a5, 0xe5e5e5e5, 0xf1f1f1f1,
+    0x71717171, 0xd8d8d8d8, 0x31313131, 0x15151515,
+    0x04040404, 0xc7c7c7c7, 0x23232323, 0xc3c3c3c3,
+    0x18181818, 0x96969696, 0x05050505, 0x9a9a9a9a,
+    0x07070707, 0x12121212, 0x80808080, 0xe2e2e2e2,
+    0xebebebeb, 0x27272727, 0xb2b2b2b2, 0x75757575,
+    0x09090909, 0x83838383, 0x2c2c2c2c, 0x1a1a1a1a,
+    0x1b1b1b1b, 0x6e6e6e6e, 0x5a5a5a5a, 0xa0a0a0a0,
+    0x52525252, 0x3b3b3b3b, 0xd6d6d6d6, 0xb3b3b3b3,
+    0x29292929, 0xe3e3e3e3, 0x2f2f2f2f, 0x84848484,
+    0x53535353, 0xd1d1d1d1, 0x00000000, 0xedededed,
+    0x20202020, 0xfcfcfcfc, 0xb1b1b1b1, 0x5b5b5b5b,
+    0x6a6a6a6a, 0xcbcbcbcb, 0xbebebebe, 0x39393939,
+    0x4a4a4a4a, 0x4c4c4c4c, 0x58585858, 0xcfcfcfcf,
+    0xd0d0d0d0, 0xefefefef, 0xaaaaaaaa, 0xfbfbfbfb,
+    0x43434343, 0x4d4d4d4d, 0x33333333, 0x85858585,
+    0x45454545, 0xf9f9f9f9, 0x02020202, 0x7f7f7f7f,
+    0x50505050, 0x3c3c3c3c, 0x9f9f9f9f, 0xa8a8a8a8,
+    0x51515151, 0xa3a3a3a3, 0x40404040, 0x8f8f8f8f,
+    0x92929292, 0x9d9d9d9d, 0x38383838, 0xf5f5f5f5,
+    0xbcbcbcbc, 0xb6b6b6b6, 0xdadadada, 0x21212121,
+    0x10101010, 0xffffffff, 0xf3f3f3f3, 0xd2d2d2d2,
+    0xcdcdcdcd, 0x0c0c0c0c, 0x13131313, 0xecececec,
+    0x5f5f5f5f, 0x97979797, 0x44444444, 0x17171717,
+    0xc4c4c4c4, 0xa7a7a7a7, 0x7e7e7e7e, 0x3d3d3d3d,
+    0x64646464, 0x5d5d5d5d, 0x19191919, 0x73737373,
+    0x60606060, 0x81818181, 0x4f4f4f4f, 0xdcdcdcdc,
+    0x22222222, 0x2a2a2a2a, 0x90909090, 0x88888888,
+    0x46464646, 0xeeeeeeee, 0xb8b8b8b8, 0x14141414,
+    0xdededede, 0x5e5e5e5e, 0x0b0b0b0b, 0xdbdbdbdb,
+    0xe0e0e0e0, 0x32323232, 0x3a3a3a3a, 0x0a0a0a0a,
+    0x49494949, 0x06060606, 0x24242424, 0x5c5c5c5c,
+    0xc2c2c2c2, 0xd3d3d3d3, 0xacacacac, 0x62626262,
+    0x91919191, 0x95959595, 0xe4e4e4e4, 0x79797979,
+    0xe7e7e7e7, 0xc8c8c8c8, 0x37373737, 0x6d6d6d6d,
+    0x8d8d8d8d, 0xd5d5d5d5, 0x4e4e4e4e, 0xa9a9a9a9,
+    0x6c6c6c6c, 0x56565656, 0xf4f4f4f4, 0xeaeaeaea,
+    0x65656565, 0x7a7a7a7a, 0xaeaeaeae, 0x08080808,
+    0xbabababa, 0x78787878, 0x25252525, 0x2e2e2e2e,
+    0x1c1c1c1c, 0xa6a6a6a6, 0xb4b4b4b4, 0xc6c6c6c6,
+    0xe8e8e8e8, 0xdddddddd, 0x74747474, 0x1f1f1f1f,
+    0x4b4b4b4b, 0xbdbdbdbd, 0x8b8b8b8b, 0x8a8a8a8a,
+    0x70707070, 0x3e3e3e3e, 0xb5b5b5b5, 0x66666666,
+    0x48484848, 0x03030303, 0xf6f6f6f6, 0x0e0e0e0e,
+    0x61616161, 0x35353535, 0x57575757, 0xb9b9b9b9,
+    0x86868686, 0xc1c1c1c1, 0x1d1d1d1d, 0x9e9e9e9e,
+    0xe1e1e1e1, 0xf8f8f8f8, 0x98989898, 0x11111111,
+    0x69696969, 0xd9d9d9d9, 0x8e8e8e8e, 0x94949494,
+    0x9b9b9b9b, 0x1e1e1e1e, 0x87878787, 0xe9e9e9e9,
+    0xcececece, 0x55555555, 0x28282828, 0xdfdfdfdf,
+    0x8c8c8c8c, 0xa1a1a1a1, 0x89898989, 0x0d0d0d0d,
+    0xbfbfbfbf, 0xe6e6e6e6, 0x42424242, 0x68686868,
+    0x41414141, 0x99999999, 0x2d2d2d2d, 0x0f0f0f0f,
+    0xb0b0b0b0, 0x54545454, 0xbbbbbbbb, 0x16161616
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint32_t U4[256] = {
+    0x52525252, 0x9090909,   0x6a6a6a6a,  0xd5d5d5d5,
+    0x30303030, 0x36363636,  0xa5a5a5a5,  0x38383838,
+    0xbfbfbfbf, 0x40404040,  0xa3a3a3a3,  0x9e9e9e9e,
+    0x81818181, 0xf3f3f3f3,  0xd7d7d7d7,  0xfbfbfbfb,
+    0x7c7c7c7c, 0xe3e3e3e3,  0x39393939,  0x82828282,
+    0x9b9b9b9b, 0x2f2f2f2f,  0xffffffff,  0x87878787,
+    0x34343434, 0x8e8e8e8e,  0x43434343,  0x44444444,
+    0xc4c4c4c4, 0xdededede,  0xe9e9e9e9,  0xcbcbcbcb,
+    0x54545454, 0x7b7b7b7b,  0x94949494,  0x32323232,
+    0xa6a6a6a6, 0xc2c2c2c2,  0x23232323,  0x3d3d3d3d,
+    0xeeeeeeee, 0x4c4c4c4c,  0x95959595,  0xb0b0b0b,
+    0x42424242, 0xfafafafa,  0xc3c3c3c3,  0x4e4e4e4e,
+    0x8080808,  0x2e2e2e2e,  0xa1a1a1a1,  0x66666666,
+    0x28282828, 0xd9d9d9d9,  0x24242424,  0xb2b2b2b2,
+    0x76767676, 0x5b5b5b5b,  0xa2a2a2a2,  0x49494949,
+    0x6d6d6d6d, 0x8b8b8b8b,  0xd1d1d1d1,  0x25252525,
+    0x72727272, 0xf8f8f8f8,  0xf6f6f6f6,  0x64646464,
+    0x86868686, 0x68686868,  0x98989898,  0x16161616,
+    0xd4d4d4d4, 0xa4a4a4a4,  0x5c5c5c5c,  0xcccccccc,
+    0x5d5d5d5d, 0x65656565,  0xb6b6b6b6,  0x92929292,
+    0x6c6c6c6c, 0x70707070,  0x48484848,  0x50505050,
+    0xfdfdfdfd, 0xedededed,  0xb9b9b9b9,  0xdadadada,
+    0x5e5e5e5e, 0x15151515,  0x46464646,  0x57575757,
+    0xa7a7a7a7, 0x8d8d8d8d,  0x9d9d9d9d,  0x84848484,
+    0x90909090, 0xd8d8d8d8,  0xabababab,  0x0,
+    0x8c8c8c8c, 0xbcbcbcbc,  0xd3d3d3d3,  0xa0a0a0a,
+    0xf7f7f7f7, 0xe4e4e4e4,  0x58585858,  0x5050505,
+    0xb8b8b8b8, 0xb3b3b3b3,  0x45454545,  0x6060606,
+    0xd0d0d0d0, 0x2c2c2c2c,  0x1e1e1e1e,  0x8f8f8f8f,
+    0xcacacaca, 0x3f3f3f3f,  0xf0f0f0f,   0x2020202,
+    0xc1c1c1c1, 0xafafafaf,  0xbdbdbdbd,  0x3030303,
+    0x1010101,  0x13131313,  0x8a8a8a8a,  0x6b6b6b6b,
+    0x3a3a3a3a, 0x91919191,  0x11111111,  0x41414141,
+    0x4f4f4f4f, 0x67676767,  0xdcdcdcdc,  0xeaeaeaea,
+    0x97979797, 0xf2f2f2f2,  0xcfcfcfcf,  0xcececece,
+    0xf0f0f0f0, 0xb4b4b4b4,  0xe6e6e6e6,  0x73737373,
+    0x96969696, 0xacacacac,  0x74747474,  0x22222222,
+    0xe7e7e7e7, 0xadadadad,  0x35353535,  0x85858585,
+    0xe2e2e2e2, 0xf9f9f9f9,  0x37373737,  0xe8e8e8e8,
+    0x1c1c1c1c, 0x75757575,  0xdfdfdfdf,  0x6e6e6e6e,
+    0x47474747, 0xf1f1f1f1,  0x1a1a1a1a,  0x71717171,
+    0x1d1d1d1d, 0x29292929,  0xc5c5c5c5,  0x89898989,
+    0x6f6f6f6f, 0xb7b7b7b7,  0x62626262,  0xe0e0e0e,
+    0xaaaaaaaa, 0x18181818,  0xbebebebe,  0x1b1b1b1b,
+    0xfcfcfcfc, 0x56565656,  0x3e3e3e3e,  0x4b4b4b4b,
+    0xc6c6c6c6, 0xd2d2d2d2,  0x79797979,  0x20202020,
+    0x9a9a9a9a, 0xdbdbdbdb,  0xc0c0c0c0,  0xfefefefe,
+    0x78787878, 0xcdcdcdcd,  0x5a5a5a5a,  0xf4f4f4f4,
+    0x1f1f1f1f, 0xdddddddd,  0xa8a8a8a8,  0x33333333,
+    0x88888888, 0x7070707,   0xc7c7c7c7,  0x31313131,
+    0xb1b1b1b1, 0x12121212,  0x10101010,  0x59595959,
+    0x27272727, 0x80808080,  0xecececec,  0x5f5f5f5f,
+    0x60606060, 0x51515151,  0x7f7f7f7f,  0xa9a9a9a9,
+    0x19191919, 0xb5b5b5b5,  0x4a4a4a4a,  0xd0d0d0d,
+    0x2d2d2d2d, 0xe5e5e5e5,  0x7a7a7a7a,  0x9f9f9f9f,
+    0x93939393, 0xc9c9c9c9,  0x9c9c9c9c,  0xefefefef,
+    0xa0a0a0a0, 0xe0e0e0e0,  0x3b3b3b3b,  0x4d4d4d4d,
+    0xaeaeaeae, 0x2a2a2a2a,  0xf5f5f5f5,  0xb0b0b0b0,
+    0xc8c8c8c8, 0xebebebeb,  0xbbbbbbbb,  0x3c3c3c3c,
+    0x83838383, 0x53535353,  0x99999999,  0x61616161,
+    0x17171717, 0x2b2b2b2b,  0x4040404,   0x7e7e7e7e,
+    0xbabababa, 0x77777777,  0xd6d6d6d6,  0x26262626,
+    0xe1e1e1e1, 0x69696969,  0x14141414,  0x63636363,
+    0x55555555, 0x21212121,  0xc0c0c0c,   0x7d7d7d7d
+};
+/* clang-format on */
+#endif /* CPU_RISC */
+
+#define gf2_8_field_polynomial 0x1B
+/*
+ * gf2_8_shift(z) returns the result of the GF(2^8) 'multiply by x'
+ * operation, using the field representation from AES; that is, the
+ * next gf2_8 value in the cyclic representation of that field.  The
+ * value z should be an uint8_t.
+ */
+#define gf2_8_shift(z)                                                         \
+    (((z)&128) ? (((z) << 1) ^ gf2_8_field_polynomial) : ((z) << 1))
+
+/* aes internals */
+
+static void aes_128_expand_encryption_key(const uint8_t *key,
+                                          srtp_aes_expanded_key_t *expanded_key)
+{
+    int i;
+    uint8_t rc;
+
+    /* initialize round constant */
+    rc = 1;
+
+    expanded_key->num_rounds = 10;
+
+    v128_copy_octet_string(&expanded_key->round[0], key);
+
+#if 0
+    debug_print(srtp_mod_aes_icm,
+                "expanded key[0]:  %s", v128_hex_string(&expanded_key->round[0]));
+#endif
+
+    /* loop over round keys */
+    for (i = 1; i < 11; i++) {
+        /* munge first word of round key */
+        expanded_key->round[i].v8[0] =
+            aes_sbox[expanded_key->round[i - 1].v8[13]] ^ rc;
+        expanded_key->round[i].v8[1] =
+            aes_sbox[expanded_key->round[i - 1].v8[14]];
+        expanded_key->round[i].v8[2] =
+            aes_sbox[expanded_key->round[i - 1].v8[15]];
+        expanded_key->round[i].v8[3] =
+            aes_sbox[expanded_key->round[i - 1].v8[12]];
+
+        expanded_key->round[i].v32[0] ^= expanded_key->round[i - 1].v32[0];
+
+        /* set remaining 32 bit words to the exor of the one previous with
+         * the one four words previous */
+
+        expanded_key->round[i].v32[1] =
+            expanded_key->round[i].v32[0] ^ expanded_key->round[i - 1].v32[1];
+
+        expanded_key->round[i].v32[2] =
+            expanded_key->round[i].v32[1] ^ expanded_key->round[i - 1].v32[2];
+
+        expanded_key->round[i].v32[3] =
+            expanded_key->round[i].v32[2] ^ expanded_key->round[i - 1].v32[3];
+
+#if 0
+        debug_print2(srtp_mod_aes_icm,
+                     "expanded key[%d]:  %s", i, v128_hex_string(&expanded_key->round[i]));
+#endif
+
+        /* modify round constant */
+        rc = gf2_8_shift(rc);
+    }
+}
+
+static void aes_256_expand_encryption_key(const unsigned char *key,
+                                          srtp_aes_expanded_key_t *expanded_key)
+{
+    int i;
+    uint8_t rc;
+
+    /* initialize round constant */
+    rc = 1;
+
+    expanded_key->num_rounds = 14;
+
+    v128_copy_octet_string(&expanded_key->round[0], key);
+    v128_copy_octet_string(&expanded_key->round[1], key + 16);
+
+#if 0
+    debug_print(srtp_mod_aes_icm,
+                "expanded key[0]:  %s", v128_hex_string(&expanded_key->round[0]));
+    debug_print(srtp_mod_aes_icm,
+                "expanded key[1]:  %s", v128_hex_string(&expanded_key->round[1]));
+#endif
+
+    /* loop over rest of round keys */
+    for (i = 2; i < 15; i++) {
+        /* munge first word of round key */
+        if ((i & 1) == 0) {
+            expanded_key->round[i].v8[0] =
+                aes_sbox[expanded_key->round[i - 1].v8[13]] ^ rc;
+            expanded_key->round[i].v8[1] =
+                aes_sbox[expanded_key->round[i - 1].v8[14]];
+            expanded_key->round[i].v8[2] =
+                aes_sbox[expanded_key->round[i - 1].v8[15]];
+            expanded_key->round[i].v8[3] =
+                aes_sbox[expanded_key->round[i - 1].v8[12]];
+
+            /* modify round constant */
+            rc = gf2_8_shift(rc);
+        } else {
+            expanded_key->round[i].v8[0] =
+                aes_sbox[expanded_key->round[i - 1].v8[12]];
+            expanded_key->round[i].v8[1] =
+                aes_sbox[expanded_key->round[i - 1].v8[13]];
+            expanded_key->round[i].v8[2] =
+                aes_sbox[expanded_key->round[i - 1].v8[14]];
+            expanded_key->round[i].v8[3] =
+                aes_sbox[expanded_key->round[i - 1].v8[15]];
+        }
+
+        expanded_key->round[i].v32[0] ^= expanded_key->round[i - 2].v32[0];
+
+        /* set remaining 32 bit words to the exor of the one previous with
+         * the one eight words previous */
+
+        expanded_key->round[i].v32[1] =
+            expanded_key->round[i].v32[0] ^ expanded_key->round[i - 2].v32[1];
+
+        expanded_key->round[i].v32[2] =
+            expanded_key->round[i].v32[1] ^ expanded_key->round[i - 2].v32[2];
+
+        expanded_key->round[i].v32[3] =
+            expanded_key->round[i].v32[2] ^ expanded_key->round[i - 2].v32[3];
+
+#if 0
+        debug_print2(srtp_mod_aes_icm,
+                     "expanded key[%d]:  %s", i, v128_hex_string(&expanded_key->round[i]));
+#endif
+    }
+}
+
+srtp_err_status_t srtp_aes_expand_encryption_key(
+    const uint8_t *key,
+    int key_len,
+    srtp_aes_expanded_key_t *expanded_key)
+{
+    if (key_len == 16) {
+        aes_128_expand_encryption_key(key, expanded_key);
+        return srtp_err_status_ok;
+    } else if (key_len == 24) {
+        /* AES-192 not yet supported */
+        return srtp_err_status_bad_param;
+    } else if (key_len == 32) {
+        aes_256_expand_encryption_key(key, expanded_key);
+        return srtp_err_status_ok;
+    } else {
+        return srtp_err_status_bad_param;
+    }
+}
+
+srtp_err_status_t srtp_aes_expand_decryption_key(
+    const uint8_t *key,
+    int key_len,
+    srtp_aes_expanded_key_t *expanded_key)
+{
+    int i;
+    srtp_err_status_t status;
+    int num_rounds = expanded_key->num_rounds;
+
+    status = srtp_aes_expand_encryption_key(key, key_len, expanded_key);
+    if (status) {
+        return status;
+    }
+
+    /* invert the order of the round keys */
+    for (i = 0; i < num_rounds / 2; i++) {
+        v128_t tmp;
+        v128_copy(&tmp, &expanded_key->round[num_rounds - i]);
+        v128_copy(&expanded_key->round[num_rounds - i],
+                  &expanded_key->round[i]);
+        v128_copy(&expanded_key->round[i], &tmp);
+    }
+
+    /*
+     * apply the inverse mixColumn transform to the round keys (except
+     * for the first and the last)
+     *
+     * mixColumn is implemented by using the tables U0, U1, U2, U3,
+     * followed by the T4 table (which cancels out the use of the sbox
+     * in the U-tables)
+     */
+    for (i = 1; i < num_rounds; i++) {
+#ifdef CPU_RISC
+        uint32_t tmp;
+
+#ifdef WORDS_BIGENDIAN
+        /* clang-format off */
+        tmp = expanded_key->round[i].v32[0];
+        expanded_key->round[i].v32[0] =
+            U0[T4[(tmp >> 24)       ] & 0xff] ^
+            U1[T4[(tmp >> 16) & 0xff] & 0xff] ^
+            U2[T4[(tmp >> 8)  & 0xff] & 0xff] ^
+            U3[T4[(tmp)       & 0xff] & 0xff];
+
+        tmp = expanded_key->round[i].v32[1];
+        expanded_key->round[i].v32[1] =
+            U0[T4[(tmp >> 24)       ] & 0xff] ^
+            U1[T4[(tmp >> 16) & 0xff] & 0xff] ^
+            U2[T4[(tmp >> 8)  & 0xff] & 0xff] ^
+            U3[T4[(tmp)       & 0xff] & 0xff];
+
+        tmp = expanded_key->round[i].v32[2];
+        expanded_key->round[i].v32[2] =
+            U0[T4[(tmp >> 24)       ] & 0xff] ^
+            U1[T4[(tmp >> 16) & 0xff] & 0xff] ^
+            U2[T4[(tmp >> 8)  & 0xff] & 0xff] ^
+            U3[T4[(tmp)       & 0xff] & 0xff];
+
+        tmp = expanded_key->round[i].v32[3];
+        expanded_key->round[i].v32[3] =
+            U0[T4[(tmp >> 24)       ] & 0xff] ^
+            U1[T4[(tmp >> 16) & 0xff] & 0xff] ^
+            U2[T4[(tmp >> 8)  & 0xff] & 0xff] ^
+            U3[T4[(tmp)       & 0xff] & 0xff];
+#else
+        tmp = expanded_key->round[i].v32[0];
+        expanded_key->round[i].v32[0] =
+            U3[T4[(tmp >> 24)       ] & 0xff] ^
+            U2[T4[(tmp >> 16) & 0xff] & 0xff] ^
+            U1[T4[(tmp >> 8)  & 0xff] & 0xff] ^
+            U0[T4[(tmp)       & 0xff] & 0xff];
+
+        tmp = expanded_key->round[i].v32[1];
+        expanded_key->round[i].v32[1] =
+            U3[T4[(tmp >> 24)       ] & 0xff] ^
+            U2[T4[(tmp >> 16) & 0xff] & 0xff] ^
+            U1[T4[(tmp >> 8)  & 0xff] & 0xff] ^
+            U0[T4[(tmp)       & 0xff] & 0xff];
+
+        tmp = expanded_key->round[i].v32[2];
+        expanded_key->round[i].v32[2] =
+            U3[T4[(tmp >> 24)       ] & 0xff] ^
+            U2[T4[(tmp >> 16) & 0xff] & 0xff] ^
+            U1[T4[(tmp >> 8)  & 0xff] & 0xff] ^
+            U0[T4[(tmp)       & 0xff] & 0xff];
+
+        tmp = expanded_key->round[i].v32[3];
+        expanded_key->round[i].v32[3] =
+            U3[T4[(tmp >> 24)       ] & 0xff] ^
+            U2[T4[(tmp >> 16) & 0xff] & 0xff] ^
+            U1[T4[(tmp >> 8)  & 0xff] & 0xff] ^
+            U0[T4[(tmp)       & 0xff] & 0xff];
+/* clang-format on */
+#endif /* WORDS_BIGENDIAN */
+
+#else /* assume CPU_CISC */
+
+        uint32_t c0, c1, c2, c3;
+
+        c0 = U0[aes_sbox[expanded_key->round[i].v8[0]]] ^
+             U1[aes_sbox[expanded_key->round[i].v8[1]]] ^
+             U2[aes_sbox[expanded_key->round[i].v8[2]]] ^
+             U3[aes_sbox[expanded_key->round[i].v8[3]]];
+
+        c1 = U0[aes_sbox[expanded_key->round[i].v8[4]]] ^
+             U1[aes_sbox[expanded_key->round[i].v8[5]]] ^
+             U2[aes_sbox[expanded_key->round[i].v8[6]]] ^
+             U3[aes_sbox[expanded_key->round[i].v8[7]]];
+
+        c2 = U0[aes_sbox[expanded_key->round[i].v8[8]]] ^
+             U1[aes_sbox[expanded_key->round[i].v8[9]]] ^
+             U2[aes_sbox[expanded_key->round[i].v8[10]]] ^
+             U3[aes_sbox[expanded_key->round[i].v8[11]]];
+
+        c3 = U0[aes_sbox[expanded_key->round[i].v8[12]]] ^
+             U1[aes_sbox[expanded_key->round[i].v8[13]]] ^
+             U2[aes_sbox[expanded_key->round[i].v8[14]]] ^
+             U3[aes_sbox[expanded_key->round[i].v8[15]]];
+
+        expanded_key->round[i].v32[0] = c0;
+        expanded_key->round[i].v32[1] = c1;
+        expanded_key->round[i].v32[2] = c2;
+        expanded_key->round[i].v32[3] = c3;
+
+#endif
+    }
+
+    return srtp_err_status_ok;
+}
+
+#ifdef CPU_CISC
+
+static inline void aes_round(v128_t *state, const v128_t *round_key)
+{
+    uint32_t column0, column1, column2, column3;
+
+    /* compute the columns of the output square in terms of the octets
+       of state, using the tables T0, T1, T2, T3 */
+
+    column0 = T0[state->v8[0]] ^ T1[state->v8[5]] ^ T2[state->v8[10]] ^
+              T3[state->v8[15]];
+
+    column1 = T0[state->v8[4]] ^ T1[state->v8[9]] ^ T2[state->v8[14]] ^
+              T3[state->v8[3]];
+
+    column2 = T0[state->v8[8]] ^ T1[state->v8[13]] ^ T2[state->v8[2]] ^
+              T3[state->v8[7]];
+
+    column3 = T0[state->v8[12]] ^ T1[state->v8[1]] ^ T2[state->v8[6]] ^
+              T3[state->v8[11]];
+
+    state->v32[0] = column0 ^ round_key->v32[0];
+    state->v32[1] = column1 ^ round_key->v32[1];
+    state->v32[2] = column2 ^ round_key->v32[2];
+    state->v32[3] = column3 ^ round_key->v32[3];
+}
+
+static inline void aes_inv_round(v128_t *state, const v128_t *round_key)
+{
+    uint32_t column0, column1, column2, column3;
+
+    /* compute the columns of the output square in terms of the octets
+       of state, using the tables U0, U1, U2, U3 */
+
+    column0 = U0[state->v8[0]] ^ U1[state->v8[13]] ^ U2[state->v8[10]] ^
+              U3[state->v8[7]];
+
+    column1 = U0[state->v8[4]] ^ U1[state->v8[1]] ^ U2[state->v8[14]] ^
+              U3[state->v8[11]];
+
+    column2 = U0[state->v8[8]] ^ U1[state->v8[5]] ^ U2[state->v8[2]] ^
+              U3[state->v8[15]];
+
+    column3 = U0[state->v8[12]] ^ U1[state->v8[9]] ^ U2[state->v8[6]] ^
+              U3[state->v8[3]];
+
+    state->v32[0] = column0 ^ round_key->v32[0];
+    state->v32[1] = column1 ^ round_key->v32[1];
+    state->v32[2] = column2 ^ round_key->v32[2];
+    state->v32[3] = column3 ^ round_key->v32[3];
+}
+
+static inline void aes_final_round(v128_t *state, const v128_t *round_key)
+{
+    uint8_t tmp;
+
+    /* byte substitutions and row shifts */
+    /* first row - no shift */
+    state->v8[0] = aes_sbox[state->v8[0]];
+    state->v8[4] = aes_sbox[state->v8[4]];
+    state->v8[8] = aes_sbox[state->v8[8]];
+    state->v8[12] = aes_sbox[state->v8[12]];
+
+    /* second row - shift one left */
+    tmp = aes_sbox[state->v8[1]];
+    state->v8[1] = aes_sbox[state->v8[5]];
+    state->v8[5] = aes_sbox[state->v8[9]];
+    state->v8[9] = aes_sbox[state->v8[13]];
+    state->v8[13] = tmp;
+
+    /* third row - shift two left */
+    tmp = aes_sbox[state->v8[10]];
+    state->v8[10] = aes_sbox[state->v8[2]];
+    state->v8[2] = tmp;
+    tmp = aes_sbox[state->v8[14]];
+    state->v8[14] = aes_sbox[state->v8[6]];
+    state->v8[6] = tmp;
+
+    /* fourth row - shift three left */
+    tmp = aes_sbox[state->v8[15]];
+    state->v8[15] = aes_sbox[state->v8[11]];
+    state->v8[11] = aes_sbox[state->v8[7]];
+    state->v8[7] = aes_sbox[state->v8[3]];
+    state->v8[3] = tmp;
+
+    v128_xor_eq(state, round_key);
+}
+
+static inline void aes_inv_final_round(v128_t *state, const v128_t *round_key)
+{
+    uint8_t tmp;
+
+    /* byte substitutions and row shifts */
+    /* first row - no shift */
+    state->v8[0] = aes_inv_sbox[state->v8[0]];
+    state->v8[4] = aes_inv_sbox[state->v8[4]];
+    state->v8[8] = aes_inv_sbox[state->v8[8]];
+    state->v8[12] = aes_inv_sbox[state->v8[12]];
+
+    /* second row - shift one right */
+    tmp = aes_inv_sbox[state->v8[13]];
+    state->v8[13] = aes_inv_sbox[state->v8[9]];
+    state->v8[9] = aes_inv_sbox[state->v8[5]];
+    state->v8[5] = aes_inv_sbox[state->v8[1]];
+    state->v8[1] = tmp;
+
+    /* third row - shift two right */
+    tmp = aes_inv_sbox[state->v8[2]];
+    state->v8[2] = aes_inv_sbox[state->v8[10]];
+    state->v8[10] = tmp;
+    tmp = aes_inv_sbox[state->v8[6]];
+    state->v8[6] = aes_inv_sbox[state->v8[14]];
+    state->v8[14] = tmp;
+
+    /* fourth row - shift three right */
+    tmp = aes_inv_sbox[state->v8[3]];
+    state->v8[3] = aes_inv_sbox[state->v8[7]];
+    state->v8[7] = aes_inv_sbox[state->v8[11]];
+    state->v8[11] = aes_inv_sbox[state->v8[15]];
+    state->v8[15] = tmp;
+
+    v128_xor_eq(state, round_key);
+}
+
+#elif CPU_RISC
+
+static inline void aes_round(v128_t *state, const v128_t *round_key)
+{
+    uint32_t column0, column1, column2, column3;
+
+/* compute the columns of the output square in terms of the octets
+   of state, using the tables T0, T1, T2, T3 */
+#ifdef WORDS_BIGENDIAN
+    column0 = T0[state->v32[0] >> 24] ^ T1[(state->v32[1] >> 16) & 0xff] ^
+              T2[(state->v32[2] >> 8) & 0xff] ^ T3[state->v32[3] & 0xff];
+
+    column1 = T0[state->v32[1] >> 24] ^ T1[(state->v32[2] >> 16) & 0xff] ^
+              T2[(state->v32[3] >> 8) & 0xff] ^ T3[state->v32[0] & 0xff];
+
+    column2 = T0[state->v32[2] >> 24] ^ T1[(state->v32[3] >> 16) & 0xff] ^
+              T2[(state->v32[0] >> 8) & 0xff] ^ T3[state->v32[1] & 0xff];
+
+    column3 = T0[state->v32[3] >> 24] ^ T1[(state->v32[0] >> 16) & 0xff] ^
+              T2[(state->v32[1] >> 8) & 0xff] ^ T3[state->v32[2] & 0xff];
+#else
+    column0 = T0[state->v32[0] & 0xff] ^ T1[(state->v32[1] >> 8) & 0xff] ^
+              T2[(state->v32[2] >> 16) & 0xff] ^ T3[state->v32[3] >> 24];
+
+    column1 = T0[state->v32[1] & 0xff] ^ T1[(state->v32[2] >> 8) & 0xff] ^
+              T2[(state->v32[3] >> 16) & 0xff] ^ T3[state->v32[0] >> 24];
+
+    column2 = T0[state->v32[2] & 0xff] ^ T1[(state->v32[3] >> 8) & 0xff] ^
+              T2[(state->v32[0] >> 16) & 0xff] ^ T3[state->v32[1] >> 24];
+
+    column3 = T0[state->v32[3] & 0xff] ^ T1[(state->v32[0] >> 8) & 0xff] ^
+              T2[(state->v32[1] >> 16) & 0xff] ^ T3[state->v32[2] >> 24];
+#endif /* WORDS_BIGENDIAN */
+
+    state->v32[0] = column0 ^ round_key->v32[0];
+    state->v32[1] = column1 ^ round_key->v32[1];
+    state->v32[2] = column2 ^ round_key->v32[2];
+    state->v32[3] = column3 ^ round_key->v32[3];
+}
+
+static inline void aes_inv_round(v128_t *state, const v128_t *round_key)
+{
+    uint32_t column0, column1, column2, column3;
+
+/* compute the columns of the output square in terms of the octets
+   of state, using the tables U0, U1, U2, U3 */
+
+#ifdef WORDS_BIGENDIAN
+    column0 = U0[state->v32[0] >> 24] ^ U1[(state->v32[3] >> 16) & 0xff] ^
+              U2[(state->v32[2] >> 8) & 0xff] ^ U3[state->v32[1] & 0xff];
+
+    column1 = U0[state->v32[1] >> 24] ^ U1[(state->v32[0] >> 16) & 0xff] ^
+              U2[(state->v32[3] >> 8) & 0xff] ^ U3[state->v32[2] & 0xff];
+
+    column2 = U0[state->v32[2] >> 24] ^ U1[(state->v32[1] >> 16) & 0xff] ^
+              U2[(state->v32[0] >> 8) & 0xff] ^ U3[state->v32[3] & 0xff];
+
+    column3 = U0[state->v32[3] >> 24] ^ U1[(state->v32[2] >> 16) & 0xff] ^
+              U2[(state->v32[1] >> 8) & 0xff] ^ U3[state->v32[0] & 0xff];
+#else
+    column0 = U0[state->v32[0] & 0xff] ^ U1[(state->v32[3] >> 8) & 0xff] ^
+              U2[(state->v32[2] >> 16) & 0xff] ^
+              U3[(state->v32[1] >> 24) & 0xff];
+
+    column1 = U0[state->v32[1] & 0xff] ^ U1[(state->v32[0] >> 8) & 0xff] ^
+              U2[(state->v32[3] >> 16) & 0xff] ^
+              U3[(state->v32[2] >> 24) & 0xff];
+
+    column2 = U0[state->v32[2] & 0xff] ^ U1[(state->v32[1] >> 8) & 0xff] ^
+              U2[(state->v32[0] >> 16) & 0xff] ^
+              U3[(state->v32[3] >> 24) & 0xff];
+
+    column3 = U0[state->v32[3] & 0xff] ^ U1[(state->v32[2] >> 8) & 0xff] ^
+              U2[(state->v32[1] >> 16) & 0xff] ^
+              U3[(state->v32[0] >> 24) & 0xff];
+#endif /* WORDS_BIGENDIAN */
+
+    state->v32[0] = column0 ^ round_key->v32[0];
+    state->v32[1] = column1 ^ round_key->v32[1];
+    state->v32[2] = column2 ^ round_key->v32[2];
+    state->v32[3] = column3 ^ round_key->v32[3];
+}
+
+static inline void aes_final_round(v128_t *state, const v128_t *round_key)
+{
+    uint32_t tmp0, tmp1, tmp2, tmp3;
+
+#ifdef WORDS_BIGENDIAN
+    /* clang-format off */
+    tmp0 = (T4[(state->v32[0] >> 24)]        & 0xff000000) ^
+           (T4[(state->v32[1] >> 16) & 0xff] & 0x00ff0000) ^
+           (T4[(state->v32[2] >>  8) & 0xff] & 0x0000ff00) ^
+           (T4[(state->v32[3]      ) & 0xff] & 0x000000ff) ^
+           round_key->v32[0];
+
+    tmp1 = (T4[(state->v32[1] >> 24)]        & 0xff000000) ^
+           (T4[(state->v32[2] >> 16) & 0xff] & 0x00ff0000) ^
+           (T4[(state->v32[3] >>  8) & 0xff] & 0x0000ff00) ^
+           (T4[(state->v32[0]      ) & 0xff] & 0x000000ff) ^
+           round_key->v32[1];
+
+    tmp2 = (T4[(state->v32[2] >> 24)]        & 0xff000000) ^
+           (T4[(state->v32[3] >> 16) & 0xff] & 0x00ff0000) ^
+           (T4[(state->v32[0] >>  8) & 0xff] & 0x0000ff00) ^
+           (T4[(state->v32[1]      ) & 0xff] & 0x000000ff) ^
+           round_key->v32[2];
+
+    tmp3 = (T4[(state->v32[3] >> 24)]        & 0xff000000) ^
+           (T4[(state->v32[0] >> 16) & 0xff] & 0x00ff0000) ^
+           (T4[(state->v32[1] >>  8) & 0xff] & 0x0000ff00) ^
+           (T4[(state->v32[2]      ) & 0xff] & 0x000000ff) ^
+           round_key->v32[3];
+#else
+    tmp0 = (T4[(state->v32[3] >> 24)]        & 0xff000000) ^
+           (T4[(state->v32[2] >> 16) & 0xff] & 0x00ff0000) ^
+           (T4[(state->v32[1] >>  8) & 0xff] & 0x0000ff00) ^
+           (T4[(state->v32[0]      ) & 0xff] & 0x000000ff) ^
+           round_key->v32[0];
+
+    tmp1 = (T4[(state->v32[0] >> 24)]        & 0xff000000) ^
+           (T4[(state->v32[3] >> 16) & 0xff] & 0x00ff0000) ^
+           (T4[(state->v32[2] >>  8) & 0xff] & 0x0000ff00) ^
+           (T4[(state->v32[1]      ) & 0xff] & 0x000000ff) ^
+           round_key->v32[1];
+
+    tmp2 = (T4[(state->v32[1] >> 24)]        & 0xff000000) ^
+           (T4[(state->v32[0] >> 16) & 0xff] & 0x00ff0000) ^
+           (T4[(state->v32[3] >>  8) & 0xff] & 0x0000ff00) ^
+           (T4[(state->v32[2]      ) & 0xff] & 0x000000ff) ^
+           round_key->v32[2];
+
+    tmp3 = (T4[(state->v32[2] >> 24)]        & 0xff000000) ^
+           (T4[(state->v32[1] >> 16) & 0xff] & 0x00ff0000) ^
+           (T4[(state->v32[0] >>  8) & 0xff] & 0x0000ff00) ^
+           (T4[(state->v32[3]      ) & 0xff] & 0x000000ff) ^
+           round_key->v32[3];
+/* clang-format on */
+#endif /* WORDS_BIGENDIAN */
+
+    state->v32[0] = tmp0;
+    state->v32[1] = tmp1;
+    state->v32[2] = tmp2;
+    state->v32[3] = tmp3;
+}
+
+static inline void aes_inv_final_round(v128_t *state, const v128_t *round_key)
+{
+    uint32_t tmp0, tmp1, tmp2, tmp3;
+
+#ifdef WORDS_BIGENDIAN
+    /* clang-format off */
+    tmp0 = (U4[(state->v32[0] >> 24)]        & 0xff000000) ^
+           (U4[(state->v32[3] >> 16) & 0xff] & 0x00ff0000) ^
+           (U4[(state->v32[2] >>  8) & 0xff] & 0x0000ff00) ^
+           (U4[(state->v32[1]      ) & 0xff] & 0x000000ff) ^
+           round_key->v32[0];
+
+    tmp1 = (U4[(state->v32[1] >> 24)]        & 0xff000000) ^
+           (U4[(state->v32[0] >> 16) & 0xff] & 0x00ff0000) ^
+           (U4[(state->v32[3] >>  8) & 0xff] & 0x0000ff00) ^
+           (U4[(state->v32[2]      ) & 0xff] & 0x000000ff) ^
+           round_key->v32[1];
+
+    tmp2 = (U4[(state->v32[2] >> 24)]        & 0xff000000) ^
+           (U4[(state->v32[1] >> 16) & 0xff] & 0x00ff0000) ^
+           (U4[(state->v32[0] >>  8) & 0xff] & 0x0000ff00) ^
+           (U4[(state->v32[3]      ) & 0xff] & 0x000000ff) ^
+           round_key->v32[2];
+
+    tmp3 = (U4[(state->v32[3] >> 24)]        & 0xff000000) ^
+           (U4[(state->v32[2] >> 16) & 0xff] & 0x00ff0000) ^
+           (U4[(state->v32[1] >>  8) & 0xff] & 0x0000ff00) ^
+           (U4[(state->v32[0]      ) & 0xff] & 0x000000ff) ^
+           round_key->v32[3];
+#else
+    tmp0 = (U4[(state->v32[1] >> 24)]        & 0xff000000) ^
+           (U4[(state->v32[2] >> 16) & 0xff] & 0x00ff0000) ^
+           (U4[(state->v32[3] >>  8) & 0xff] & 0x0000ff00) ^
+           (U4[(state->v32[0]      ) & 0xff] & 0x000000ff) ^
+           round_key->v32[0];
+
+    tmp1 = (U4[(state->v32[2] >> 24)]        & 0xff000000) ^
+           (U4[(state->v32[3] >> 16) & 0xff] & 0x00ff0000) ^
+           (U4[(state->v32[0] >>  8) & 0xff] & 0x0000ff00) ^
+           (U4[(state->v32[1]      ) & 0xff] & 0x000000ff) ^
+           round_key->v32[1];
+
+    tmp2 = (U4[(state->v32[3] >> 24)]        & 0xff000000) ^
+           (U4[(state->v32[0] >> 16) & 0xff] & 0x00ff0000) ^
+           (U4[(state->v32[1] >>  8) & 0xff] & 0x0000ff00) ^
+           (U4[(state->v32[2]      ) & 0xff] & 0x000000ff) ^
+           round_key->v32[2];
+
+    tmp3 = (U4[(state->v32[0] >> 24)]        & 0xff000000) ^
+           (U4[(state->v32[1] >> 16) & 0xff] & 0x00ff0000) ^
+           (U4[(state->v32[2] >>  8) & 0xff] & 0x0000ff00) ^
+           (U4[(state->v32[3]      ) & 0xff] & 0x000000ff) ^
+           round_key->v32[3];
+/* clang-format on */
+#endif /* WORDS_BIGENDIAN */
+
+    state->v32[0] = tmp0;
+    state->v32[1] = tmp1;
+    state->v32[2] = tmp2;
+    state->v32[3] = tmp3;
+}
+
+#elif CPU_16 /* assume 16-bit word size on processor */
+
+static inline void aes_round(v128_t *state, const v128_t *round_key)
+{
+    uint32_t column0, column1, column2, column3;
+    /* compute the columns of the output square in terms of the octets
+       of state, using the tables T0, T1, T2, T3 */
+
+    column0 = T0[state->v8[0]] ^ T1[state->v8[5]] ^ T2[state->v8[10]] ^
+              T3[state->v8[15]];
+
+    column1 = T0[state->v8[4]] ^ T1[state->v8[9]] ^ T2[state->v8[14]] ^
+              T3[state->v8[3]];
+
+    column2 = T0[state->v8[8]] ^ T1[state->v8[13]] ^ T2[state->v8[2]] ^
+              T3[state->v8[7]];
+
+    column3 = T0[state->v8[12]] ^ T1[state->v8[1]] ^ T2[state->v8[6]] ^
+              T3[state->v8[11]];
+
+    state->v32[0] = column0 ^ round_key->v32[0];
+    state->v32[1] = column1 ^ round_key->v32[1];
+    state->v32[2] = column2 ^ round_key->v32[2];
+    state->v32[3] = column3 ^ round_key->v32[3];
+}
+
+static inline void aes_inv_round(v128_t *state, const v128_t *round_key)
+{
+    uint32_t column0, column1, column2, column3;
+
+    /* compute the columns of the output square in terms of the octets
+       of state, using the tables U0, U1, U2, U3 */
+
+    column0 = U0[state->v8[0]] ^ U1[state->v8[5]] ^ U2[state->v8[10]] ^
+              U3[state->v8[15]];
+
+    column1 = U0[state->v8[4]] ^ U1[state->v8[9]] ^ U2[state->v8[14]] ^
+              U3[state->v8[3]];
+
+    column2 = U0[state->v8[8]] ^ U1[state->v8[13]] ^ U2[state->v8[2]] ^
+              U3[state->v8[7]];
+
+    column3 = U0[state->v8[12]] ^ U1[state->v8[1]] ^ U2[state->v8[6]] ^
+              U3[state->v8[11]];
+
+    state->v32[0] = column0 ^ round_key->v32[0];
+    state->v32[1] = column1 ^ round_key->v32[1];
+    state->v32[2] = column2 ^ round_key->v32[2];
+    state->v32[3] = column3 ^ round_key->v32[3];
+}
+
+static inline void aes_final_round(v128_t *state, const v128_t *round_key)
+{
+    uint8_t tmp;
+
+    /* byte substitutions and row shifts */
+    /* first row - no shift */
+    state->v8[0] = aes_sbox[state->v8[0]];
+    state->v8[4] = aes_sbox[state->v8[4]];
+    state->v8[8] = aes_sbox[state->v8[8]];
+    state->v8[12] = aes_sbox[state->v8[12]];
+
+    /* second row - shift one left */
+    tmp = aes_sbox[state->v8[1]];
+    state->v8[1] = aes_sbox[state->v8[5]];
+    state->v8[5] = aes_sbox[state->v8[9]];
+    state->v8[9] = aes_sbox[state->v8[13]];
+    state->v8[13] = tmp;
+
+    /* third row - shift two left */
+    tmp = aes_sbox[state->v8[10]];
+    state->v8[10] = aes_sbox[state->v8[2]];
+    state->v8[2] = tmp;
+    tmp = aes_sbox[state->v8[14]];
+    state->v8[14] = aes_sbox[state->v8[6]];
+    state->v8[6] = tmp;
+
+    /* fourth row - shift three left */
+    tmp = aes_sbox[state->v8[15]];
+    state->v8[15] = aes_sbox[state->v8[11]];
+    state->v8[11] = aes_sbox[state->v8[7]];
+    state->v8[7] = aes_sbox[state->v8[3]];
+    state->v8[3] = tmp;
+
+    v128_xor_eq(state, round_key);
+}
+
+static inline void aes_inv_final_round(v128_t *state, const v128_t *round_key)
+{
+    uint8_t tmp;
+
+    /* byte substitutions and row shifts */
+    /* first row - no shift */
+    state->v8[0] = aes_inv_sbox[state->v8[0]];
+    state->v8[4] = aes_inv_sbox[state->v8[4]];
+    state->v8[8] = aes_inv_sbox[state->v8[8]];
+    state->v8[12] = aes_inv_sbox[state->v8[12]];
+
+    /* second row - shift one left */
+    tmp = aes_inv_sbox[state->v8[1]];
+    state->v8[1] = aes_inv_sbox[state->v8[5]];
+    state->v8[5] = aes_inv_sbox[state->v8[9]];
+    state->v8[9] = aes_inv_sbox[state->v8[13]];
+    state->v8[13] = tmp;
+
+    /* third row - shift two left */
+    tmp = aes_inv_sbox[state->v8[10]];
+    state->v8[10] = aes_inv_sbox[state->v8[2]];
+    state->v8[2] = tmp;
+    tmp = aes_inv_sbox[state->v8[14]];
+    state->v8[14] = aes_inv_sbox[state->v8[6]];
+    state->v8[6] = tmp;
+
+    /* fourth row - shift three left */
+    tmp = aes_inv_sbox[state->v8[15]];
+    state->v8[15] = aes_inv_sbox[state->v8[11]];
+    state->v8[11] = aes_inv_sbox[state->v8[7]];
+    state->v8[7] = aes_inv_sbox[state->v8[3]];
+    state->v8[3] = tmp;
+
+    v128_xor_eq(state, round_key);
+}
+
+#endif /* CPU type */
+
+void srtp_aes_encrypt(v128_t *plaintext, const srtp_aes_expanded_key_t *exp_key)
+{
+    /* add in the subkey */
+    v128_xor_eq(plaintext, &exp_key->round[0]);
+
+    /* now do the rounds */
+    aes_round(plaintext, &exp_key->round[1]);
+    aes_round(plaintext, &exp_key->round[2]);
+    aes_round(plaintext, &exp_key->round[3]);
+    aes_round(plaintext, &exp_key->round[4]);
+    aes_round(plaintext, &exp_key->round[5]);
+    aes_round(plaintext, &exp_key->round[6]);
+    aes_round(plaintext, &exp_key->round[7]);
+    aes_round(plaintext, &exp_key->round[8]);
+    aes_round(plaintext, &exp_key->round[9]);
+    if (exp_key->num_rounds == 10) {
+        aes_final_round(plaintext, &exp_key->round[10]);
+    } else if (exp_key->num_rounds == 12) {
+        aes_round(plaintext, &exp_key->round[10]);
+        aes_round(plaintext, &exp_key->round[11]);
+        aes_final_round(plaintext, &exp_key->round[12]);
+    } else if (exp_key->num_rounds == 14) {
+        aes_round(plaintext, &exp_key->round[10]);
+        aes_round(plaintext, &exp_key->round[11]);
+        aes_round(plaintext, &exp_key->round[12]);
+        aes_round(plaintext, &exp_key->round[13]);
+        aes_final_round(plaintext, &exp_key->round[14]);
+    }
+}
+
+void srtp_aes_decrypt(v128_t *plaintext, const srtp_aes_expanded_key_t *exp_key)
+{
+    /* add in the subkey */
+    v128_xor_eq(plaintext, &exp_key->round[0]);
+
+    /* now do the rounds */
+    aes_inv_round(plaintext, &exp_key->round[1]);
+    aes_inv_round(plaintext, &exp_key->round[2]);
+    aes_inv_round(plaintext, &exp_key->round[3]);
+    aes_inv_round(plaintext, &exp_key->round[4]);
+    aes_inv_round(plaintext, &exp_key->round[5]);
+    aes_inv_round(plaintext, &exp_key->round[6]);
+    aes_inv_round(plaintext, &exp_key->round[7]);
+    aes_inv_round(plaintext, &exp_key->round[8]);
+    aes_inv_round(plaintext, &exp_key->round[9]);
+    if (exp_key->num_rounds == 10) {
+        aes_inv_final_round(plaintext, &exp_key->round[10]);
+    } else if (exp_key->num_rounds == 12) {
+        aes_inv_round(plaintext, &exp_key->round[10]);
+        aes_inv_round(plaintext, &exp_key->round[11]);
+        aes_inv_final_round(plaintext, &exp_key->round[12]);
+    } else if (exp_key->num_rounds == 14) {
+        aes_inv_round(plaintext, &exp_key->round[10]);
+        aes_inv_round(plaintext, &exp_key->round[11]);
+        aes_inv_round(plaintext, &exp_key->round[12]);
+        aes_inv_round(plaintext, &exp_key->round[13]);
+        aes_inv_final_round(plaintext, &exp_key->round[14]);
+    }
+}
diff --git a/netwerk/srtp/src/crypto/cipher/aes_gcm_nss.c b/netwerk/srtp/src/crypto/cipher/aes_gcm_nss.c
new file mode 100644
index 0000000000..2be2ce932d
--- /dev/null
+++ b/netwerk/srtp/src/crypto/cipher/aes_gcm_nss.c
@@ -0,0 +1,597 @@
+/*
+ * aes_gcm_nss.c
+ *
+ * AES Galois Counter Mode
+ *
+ * Richard L. Barnes
+ * Cisco Systems, Inc.
+ *
+ */
+
+/*
+ *
+ * Copyright (c) 2013-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include "aes_gcm.h"
+#include "alloc.h"
+#include "err.h" /* for srtp_debug */
+#include "crypto_types.h"
+#include "cipher_types.h"
+#include <nss.h>
+#include <secerr.h>
+#include <nspr.h>
+
+srtp_debug_module_t srtp_mod_aes_gcm = {
+    0,            /* debugging is off by default */
+    "aes gcm nss" /* printable module name       */
+};
+
+/*
+ * For now we only support 8 and 16 octet tags.  The spec allows for
+ * optional 12 byte tag, which may be supported in the future.
+ */
+#define GCM_IV_LEN 12
+#define GCM_AUTH_TAG_LEN 16
+#define GCM_AUTH_TAG_LEN_8 8
+
+/*
+ * This function allocates a new instance of this crypto engine.
+ * The key_len parameter should be one of 28 or 44 for
+ * AES-128-GCM or AES-256-GCM respectively.  Note that the
+ * key length includes the 14 byte salt value that is used when
+ * initializing the KDF.
+ */
+static srtp_err_status_t srtp_aes_gcm_nss_alloc(srtp_cipher_t **c,
+                                                int key_len,
+                                                int tlen)
+{
+    srtp_aes_gcm_ctx_t *gcm;
+
+    debug_print(srtp_mod_aes_gcm, "allocating cipher with key length %d",
+                key_len);
+    debug_print(srtp_mod_aes_gcm, "allocating cipher with tag length %d", tlen);
+
+    /*
+     * Verify the key_len is valid for one of: AES-128/256
+     */
+    if (key_len != SRTP_AES_GCM_128_KEY_LEN_WSALT &&
+        key_len != SRTP_AES_GCM_256_KEY_LEN_WSALT) {
+        return (srtp_err_status_bad_param);
+    }
+
+    if (tlen != GCM_AUTH_TAG_LEN && tlen != GCM_AUTH_TAG_LEN_8) {
+        return (srtp_err_status_bad_param);
+    }
+
+    /* Initialize NSS */
+    if (!NSS_IsInitialized() && NSS_NoDB_Init(NULL) != SECSuccess) {
+        return (srtp_err_status_cipher_fail);
+    }
+
+    /* allocate memory a cipher of type aes_gcm */
+    *c = (srtp_cipher_t *)srtp_crypto_alloc(sizeof(srtp_cipher_t));
+    if (*c == NULL) {
+        return (srtp_err_status_alloc_fail);
+    }
+
+    gcm = (srtp_aes_gcm_ctx_t *)srtp_crypto_alloc(sizeof(srtp_aes_gcm_ctx_t));
+    if (gcm == NULL) {
+        srtp_crypto_free(*c);
+        *c = NULL;
+        return (srtp_err_status_alloc_fail);
+    }
+
+    /* set pointers */
+    (*c)->state = gcm;
+
+    /* setup cipher attributes */
+    switch (key_len) {
+    case SRTP_AES_GCM_128_KEY_LEN_WSALT:
+        (*c)->type = &srtp_aes_gcm_128;
+        (*c)->algorithm = SRTP_AES_GCM_128;
+        gcm->key_size = SRTP_AES_128_KEY_LEN;
+        gcm->tag_size = tlen;
+        gcm->params.ulTagBits = 8 * tlen;
+        break;
+    case SRTP_AES_GCM_256_KEY_LEN_WSALT:
+        (*c)->type = &srtp_aes_gcm_256;
+        (*c)->algorithm = SRTP_AES_GCM_256;
+        gcm->key_size = SRTP_AES_256_KEY_LEN;
+        gcm->tag_size = tlen;
+        gcm->params.ulTagBits = 8 * tlen;
+        break;
+    default:
+        /* this should never hit, but to be sure... */
+        return (srtp_err_status_bad_param);
+    }
+
+    /* set key size and tag size*/
+    (*c)->key_len = key_len;
+
+    return (srtp_err_status_ok);
+}
+
+/*
+ * This function deallocates a GCM session
+ */
+static srtp_err_status_t srtp_aes_gcm_nss_dealloc(srtp_cipher_t *c)
+{
+    srtp_aes_gcm_ctx_t *ctx;
+
+    ctx = (srtp_aes_gcm_ctx_t *)c->state;
+    if (ctx) {
+        /* release NSS resources */
+        if (ctx->key) {
+            PK11_FreeSymKey(ctx->key);
+        }
+
+        /* zeroize the key material */
+        octet_string_set_to_zero(ctx, sizeof(srtp_aes_gcm_ctx_t));
+        srtp_crypto_free(ctx);
+    }
+
+    /* free memory */
+    srtp_crypto_free(c);
+
+    return (srtp_err_status_ok);
+}
+
+/*
+ * aes_gcm_nss_context_init(...) initializes the aes_gcm_context
+ * using the value in key[].
+ *
+ * the key is the secret key
+ */
+static srtp_err_status_t srtp_aes_gcm_nss_context_init(void *cv,
+                                                       const uint8_t *key)
+{
+    srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv;
+
+    c->dir = srtp_direction_any;
+
+    debug_print(srtp_mod_aes_gcm, "key:  %s",
+                srtp_octet_string_hex_string(key, c->key_size));
+
+    if (c->key) {
+        PK11_FreeSymKey(c->key);
+        c->key = NULL;
+    }
+
+    PK11SlotInfo *slot = PK11_GetBestSlot(CKM_AES_GCM, NULL);
+    if (!slot) {
+        return (srtp_err_status_cipher_fail);
+    }
+
+    SECItem key_item = { siBuffer, (unsigned char *)key, c->key_size };
+    c->key = PK11_ImportSymKey(slot, CKM_AES_GCM, PK11_OriginUnwrap,
+                               CKA_ENCRYPT, &key_item, NULL);
+    PK11_FreeSlot(slot);
+
+    if (!c->key) {
+        return (srtp_err_status_cipher_fail);
+    }
+
+    return (srtp_err_status_ok);
+}
+
+/*
+ * aes_gcm_nss_set_iv(c, iv) sets the counter value to the exor of iv with
+ * the offset
+ */
+static srtp_err_status_t srtp_aes_gcm_nss_set_iv(
+    void *cv,
+    uint8_t *iv,
+    srtp_cipher_direction_t direction)
+{
+    srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv;
+
+    if (direction != srtp_direction_encrypt &&
+        direction != srtp_direction_decrypt) {
+        return (srtp_err_status_bad_param);
+    }
+    c->dir = direction;
+
+    debug_print(srtp_mod_aes_gcm, "setting iv: %s",
+                srtp_octet_string_hex_string(iv, GCM_IV_LEN));
+
+    memcpy(c->iv, iv, GCM_IV_LEN);
+
+    return (srtp_err_status_ok);
+}
+
+/*
+ * This function processes the AAD
+ *
+ * Parameters:
+ *	c	Crypto context
+ *	aad	Additional data to process for AEAD cipher suites
+ *	aad_len	length of aad buffer
+ */
+static srtp_err_status_t srtp_aes_gcm_nss_set_aad(void *cv,
+                                                  const uint8_t *aad,
+                                                  uint32_t aad_len)
+{
+    srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv;
+
+    debug_print(srtp_mod_aes_gcm, "setting AAD: %s",
+                srtp_octet_string_hex_string(aad, aad_len));
+
+    if (aad_len + c->aad_size > MAX_AD_SIZE) {
+        return srtp_err_status_bad_param;
+    }
+
+    memcpy(c->aad + c->aad_size, aad, aad_len);
+    c->aad_size += aad_len;
+
+    return (srtp_err_status_ok);
+}
+
+static srtp_err_status_t srtp_aes_gcm_nss_do_crypto(void *cv,
+                                                    int encrypt,
+                                                    unsigned char *buf,
+                                                    unsigned int *enc_len)
+{
+    srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv;
+
+    c->params.pIv = c->iv;
+    c->params.ulIvLen = GCM_IV_LEN;
+    c->params.ulIvBits = GCM_IV_LEN * 8;
+    c->params.pAAD = c->aad;
+    c->params.ulAADLen = c->aad_size;
+
+    // Reset AAD
+    c->aad_size = 0;
+
+    int rv;
+    SECItem param = { siBuffer, (unsigned char *)&c->params,
+                      sizeof(CK_GCM_PARAMS) };
+    if (encrypt) {
+        rv = PK11_Encrypt(c->key, CKM_AES_GCM, &param, buf, enc_len,
+                          *enc_len + 16, buf, *enc_len);
+    } else {
+        rv = PK11_Decrypt(c->key, CKM_AES_GCM, &param, buf, enc_len, *enc_len,
+                          buf, *enc_len);
+    }
+
+    srtp_err_status_t status = (srtp_err_status_ok);
+    if (rv != SECSuccess) {
+        status = (srtp_err_status_cipher_fail);
+    }
+
+    return status;
+}
+
+/*
+ * This function encrypts a buffer using AES GCM mode
+ *
+ * XXX(rlb@ipv.sx): We're required to break off and cache the tag
+ * here, because the get_tag() method is separate and the tests expect
+ * encrypt() not to change the size of the plaintext.  It might be
+ * good to update the calling API so that this is cleaner.
+ *
+ * Parameters:
+ *	c	Crypto context
+ *	buf	data to encrypt
+ *	enc_len	length of encrypt buffer
+ */
+static srtp_err_status_t srtp_aes_gcm_nss_encrypt(void *cv,
+                                                  unsigned char *buf,
+                                                  unsigned int *enc_len)
+{
+    srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv;
+
+    // When we get a non-NULL buffer, we know that the caller is
+    // prepared to also take the tag.  When we get a NULL buffer,
+    // even though there's no data, we need to give NSS a buffer
+    // where it can write the tag.  We can't just use c->tag because
+    // memcpy has undefined behavior on overlapping ranges.
+    unsigned char tagbuf[16];
+    unsigned char *non_null_buf = buf;
+    if (!non_null_buf && (*enc_len == 0)) {
+        non_null_buf = tagbuf;
+    } else if (!non_null_buf) {
+        return srtp_err_status_bad_param;
+    }
+
+    srtp_err_status_t status =
+        srtp_aes_gcm_nss_do_crypto(cv, 1, non_null_buf, enc_len);
+    if (status != srtp_err_status_ok) {
+        return status;
+    }
+
+    memcpy(c->tag, non_null_buf + (*enc_len - c->tag_size), c->tag_size);
+    *enc_len -= c->tag_size;
+    return srtp_err_status_ok;
+}
+
+/*
+ * This function calculates and returns the GCM tag for a given context.
+ * This should be called after encrypting the data.  The *len value
+ * is increased by the tag size.  The caller must ensure that *buf has
+ * enough room to accept the appended tag.
+ *
+ * Parameters:
+ *	c	Crypto context
+ *	buf	data to encrypt
+ *	len	length of encrypt buffer
+ */
+static srtp_err_status_t srtp_aes_gcm_nss_get_tag(void *cv,
+                                                  uint8_t *buf,
+                                                  uint32_t *len)
+{
+    srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv;
+    *len = c->tag_size;
+    memcpy(buf, c->tag, c->tag_size);
+    return (srtp_err_status_ok);
+}
+
+/*
+ * This function decrypts a buffer using AES GCM mode
+ *
+ * Parameters:
+ *	c	Crypto context
+ *	buf	data to encrypt
+ *	enc_len	length of encrypt buffer
+ */
+static srtp_err_status_t srtp_aes_gcm_nss_decrypt(void *cv,
+                                                  unsigned char *buf,
+                                                  unsigned int *enc_len)
+{
+    srtp_err_status_t status = srtp_aes_gcm_nss_do_crypto(cv, 0, buf, enc_len);
+    if (status != srtp_err_status_ok) {
+        int err = PR_GetError();
+        if (err == SEC_ERROR_BAD_DATA) {
+            status = srtp_err_status_auth_fail;
+        }
+    }
+
+    return status;
+}
+
+/*
+ * Name of this crypto engine
+ */
+static const char srtp_aes_gcm_128_nss_description[] = "AES-128 GCM using NSS";
+static const char srtp_aes_gcm_256_nss_description[] = "AES-256 GCM using NSS";
+
+/*
+ * KAT values for AES self-test.  These
+ * values we're derived from independent test code
+ * using OpenSSL.
+ */
+/* clang-format off */
+static const uint8_t srtp_aes_gcm_test_case_0_key[SRTP_AES_GCM_128_KEY_LEN_WSALT] = {
+    0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+    0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
+    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+    0x09, 0x0a, 0x0b, 0x0c,
+};
+/* clang-format on */
+
+/* clang-format off */
+static uint8_t srtp_aes_gcm_test_case_0_iv[12] = {
+    0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
+    0xde, 0xca, 0xf8, 0x88
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint8_t srtp_aes_gcm_test_case_0_plaintext[60] =  {
+    0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
+    0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
+    0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
+    0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
+    0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
+    0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
+    0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
+    0xba, 0x63, 0x7b, 0x39
+};
+
+/* clang-format off */
+static const uint8_t srtp_aes_gcm_test_case_0_aad[20] = {
+    0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+    0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+    0xab, 0xad, 0xda, 0xd2
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint8_t srtp_aes_gcm_test_case_0_ciphertext[76] = {
+    0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24,
+    0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c,
+    0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0,
+    0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e,
+    0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c,
+    0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05,
+    0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97,
+    0x3d, 0x58, 0xe0, 0x91,
+    /* the last 16 bytes are the tag */
+    0x5b, 0xc9, 0x4f, 0xbc, 0x32, 0x21, 0xa5, 0xdb,
+    0x94, 0xfa, 0xe9, 0x5a, 0xe7, 0x12, 0x1a, 0x47,
+};
+/* clang-format on */
+
+static const srtp_cipher_test_case_t srtp_aes_gcm_test_case_0a = {
+    SRTP_AES_GCM_128_KEY_LEN_WSALT,      /* octets in key            */
+    srtp_aes_gcm_test_case_0_key,        /* key                      */
+    srtp_aes_gcm_test_case_0_iv,         /* packet index             */
+    60,                                  /* octets in plaintext      */
+    srtp_aes_gcm_test_case_0_plaintext,  /* plaintext                */
+    68,                                  /* octets in ciphertext     */
+    srtp_aes_gcm_test_case_0_ciphertext, /* ciphertext  + tag        */
+    20,                                  /* octets in AAD            */
+    srtp_aes_gcm_test_case_0_aad,        /* AAD                      */
+    GCM_AUTH_TAG_LEN_8,                  /* */
+    NULL                                 /* pointer to next testcase */
+};
+
+static const srtp_cipher_test_case_t srtp_aes_gcm_test_case_0 = {
+    SRTP_AES_GCM_128_KEY_LEN_WSALT,      /* octets in key            */
+    srtp_aes_gcm_test_case_0_key,        /* key                      */
+    srtp_aes_gcm_test_case_0_iv,         /* packet index             */
+    60,                                  /* octets in plaintext      */
+    srtp_aes_gcm_test_case_0_plaintext,  /* plaintext                */
+    76,                                  /* octets in ciphertext     */
+    srtp_aes_gcm_test_case_0_ciphertext, /* ciphertext  + tag        */
+    20,                                  /* octets in AAD            */
+    srtp_aes_gcm_test_case_0_aad,        /* AAD                      */
+    GCM_AUTH_TAG_LEN,                    /* */
+    &srtp_aes_gcm_test_case_0a           /* pointer to next testcase */
+};
+
+/* clang-format off */
+static const uint8_t srtp_aes_gcm_test_case_1_key[SRTP_AES_GCM_256_KEY_LEN_WSALT] = {
+    0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+    0xa5, 0x59, 0x09, 0xc5, 0x54, 0x66, 0x93, 0x1c,
+    0xaf, 0xf5, 0x26, 0x9a, 0x21, 0xd5, 0x14, 0xb2,
+    0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
+    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+    0x09, 0x0a, 0x0b, 0x0c,
+};
+/* clang-format on */
+
+/* clang-format off */
+static uint8_t srtp_aes_gcm_test_case_1_iv[12] = {
+    0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
+    0xde, 0xca, 0xf8, 0x88
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint8_t srtp_aes_gcm_test_case_1_plaintext[60] =  {
+    0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
+    0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
+    0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
+    0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
+    0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
+    0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
+    0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
+    0xba, 0x63, 0x7b, 0x39
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint8_t srtp_aes_gcm_test_case_1_aad[20] = {
+    0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+    0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+    0xab, 0xad, 0xda, 0xd2
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint8_t srtp_aes_gcm_test_case_1_ciphertext[76] = {
+    0x0b, 0x11, 0xcf, 0xaf, 0x68, 0x4d, 0xae, 0x46,
+    0xc7, 0x90, 0xb8, 0x8e, 0xb7, 0x6a, 0x76, 0x2a,
+    0x94, 0x82, 0xca, 0xab, 0x3e, 0x39, 0xd7, 0x86,
+    0x1b, 0xc7, 0x93, 0xed, 0x75, 0x7f, 0x23, 0x5a,
+    0xda, 0xfd, 0xd3, 0xe2, 0x0e, 0x80, 0x87, 0xa9,
+    0x6d, 0xd7, 0xe2, 0x6a, 0x7d, 0x5f, 0xb4, 0x80,
+    0xef, 0xef, 0xc5, 0x29, 0x12, 0xd1, 0xaa, 0x10,
+    0x09, 0xc9, 0x86, 0xc1,
+    /* the last 16 bytes are the tag */
+    0x45, 0xbc, 0x03, 0xe6, 0xe1, 0xac, 0x0a, 0x9f,
+    0x81, 0xcb, 0x8e, 0x5b, 0x46, 0x65, 0x63, 0x1d,
+};
+/* clang-format on */
+
+static const srtp_cipher_test_case_t srtp_aes_gcm_test_case_1a = {
+    SRTP_AES_GCM_256_KEY_LEN_WSALT,      /* octets in key            */
+    srtp_aes_gcm_test_case_1_key,        /* key                      */
+    srtp_aes_gcm_test_case_1_iv,         /* packet index             */
+    60,                                  /* octets in plaintext      */
+    srtp_aes_gcm_test_case_1_plaintext,  /* plaintext                */
+    68,                                  /* octets in ciphertext     */
+    srtp_aes_gcm_test_case_1_ciphertext, /* ciphertext  + tag        */
+    20,                                  /* octets in AAD            */
+    srtp_aes_gcm_test_case_1_aad,        /* AAD                      */
+    GCM_AUTH_TAG_LEN_8,                  /* */
+    NULL                                 /* pointer to next testcase */
+};
+
+static const srtp_cipher_test_case_t srtp_aes_gcm_test_case_1 = {
+    SRTP_AES_GCM_256_KEY_LEN_WSALT,      /* octets in key            */
+    srtp_aes_gcm_test_case_1_key,        /* key                      */
+    srtp_aes_gcm_test_case_1_iv,         /* packet index             */
+    60,                                  /* octets in plaintext      */
+    srtp_aes_gcm_test_case_1_plaintext,  /* plaintext                */
+    76,                                  /* octets in ciphertext     */
+    srtp_aes_gcm_test_case_1_ciphertext, /* ciphertext  + tag        */
+    20,                                  /* octets in AAD            */
+    srtp_aes_gcm_test_case_1_aad,        /* AAD                      */
+    GCM_AUTH_TAG_LEN,                    /* */
+    &srtp_aes_gcm_test_case_1a           /* pointer to next testcase */
+};
+
+/*
+ * This is the vector function table for this crypto engine.
+ */
+/* clang-format off */
+const srtp_cipher_type_t srtp_aes_gcm_128 = {
+    srtp_aes_gcm_nss_alloc,
+    srtp_aes_gcm_nss_dealloc,
+    srtp_aes_gcm_nss_context_init,
+    srtp_aes_gcm_nss_set_aad,
+    srtp_aes_gcm_nss_encrypt,
+    srtp_aes_gcm_nss_decrypt,
+    srtp_aes_gcm_nss_set_iv,
+    srtp_aes_gcm_nss_get_tag,
+    srtp_aes_gcm_128_nss_description,
+    &srtp_aes_gcm_test_case_0,
+    SRTP_AES_GCM_128
+};
+/* clang-format on */
+
+/*
+ * This is the vector function table for this crypto engine.
+ */
+/* clang-format off */
+const srtp_cipher_type_t srtp_aes_gcm_256 = {
+    srtp_aes_gcm_nss_alloc,
+    srtp_aes_gcm_nss_dealloc,
+    srtp_aes_gcm_nss_context_init,
+    srtp_aes_gcm_nss_set_aad,
+    srtp_aes_gcm_nss_encrypt,
+    srtp_aes_gcm_nss_decrypt,
+    srtp_aes_gcm_nss_set_iv,
+    srtp_aes_gcm_nss_get_tag,
+    srtp_aes_gcm_256_nss_description,
+    &srtp_aes_gcm_test_case_1,
+    SRTP_AES_GCM_256
+};
+/* clang-format on */
diff --git a/netwerk/srtp/src/crypto/cipher/aes_gcm_ossl.c b/netwerk/srtp/src/crypto/cipher/aes_gcm_ossl.c
new file mode 100644
index 0000000000..578cad5ee9
--- /dev/null
+++ b/netwerk/srtp/src/crypto/cipher/aes_gcm_ossl.c
@@ -0,0 +1,582 @@
+/*
+ * aes_gcm_ossl.c
+ *
+ * AES Galois Counter Mode
+ *
+ * John A. Foley
+ * Cisco Systems, Inc.
+ *
+ */
+
+/*
+ *
+ * Copyright (c) 2013-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <openssl/evp.h>
+#include "aes_gcm.h"
+#include "alloc.h"
+#include "err.h" /* for srtp_debug */
+#include "crypto_types.h"
+#include "cipher_types.h"
+
+srtp_debug_module_t srtp_mod_aes_gcm = {
+    0,        /* debugging is off by default */
+    "aes gcm" /* printable module name       */
+};
+
+/*
+ * For now we only support 8 and 16 octet tags.  The spec allows for
+ * optional 12 byte tag, which may be supported in the future.
+ */
+#define GCM_AUTH_TAG_LEN 16
+#define GCM_AUTH_TAG_LEN_8 8
+
+/*
+ * This function allocates a new instance of this crypto engine.
+ * The key_len parameter should be one of 28 or 44 for
+ * AES-128-GCM or AES-256-GCM respectively.  Note that the
+ * key length includes the 14 byte salt value that is used when
+ * initializing the KDF.
+ */
+static srtp_err_status_t srtp_aes_gcm_openssl_alloc(srtp_cipher_t **c,
+                                                    int key_len,
+                                                    int tlen)
+{
+    srtp_aes_gcm_ctx_t *gcm;
+
+    debug_print(srtp_mod_aes_gcm, "allocating cipher with key length %d",
+                key_len);
+    debug_print(srtp_mod_aes_gcm, "allocating cipher with tag length %d", tlen);
+
+    /*
+     * Verify the key_len is valid for one of: AES-128/256
+     */
+    if (key_len != SRTP_AES_GCM_128_KEY_LEN_WSALT &&
+        key_len != SRTP_AES_GCM_256_KEY_LEN_WSALT) {
+        return (srtp_err_status_bad_param);
+    }
+
+    if (tlen != GCM_AUTH_TAG_LEN && tlen != GCM_AUTH_TAG_LEN_8) {
+        return (srtp_err_status_bad_param);
+    }
+
+    /* allocate memory a cipher of type aes_gcm */
+    *c = (srtp_cipher_t *)srtp_crypto_alloc(sizeof(srtp_cipher_t));
+    if (*c == NULL) {
+        return (srtp_err_status_alloc_fail);
+    }
+
+    gcm = (srtp_aes_gcm_ctx_t *)srtp_crypto_alloc(sizeof(srtp_aes_gcm_ctx_t));
+    if (gcm == NULL) {
+        srtp_crypto_free(*c);
+        *c = NULL;
+        return (srtp_err_status_alloc_fail);
+    }
+
+    gcm->ctx = EVP_CIPHER_CTX_new();
+    if (gcm->ctx == NULL) {
+        srtp_crypto_free(gcm);
+        srtp_crypto_free(*c);
+        *c = NULL;
+        return srtp_err_status_alloc_fail;
+    }
+
+    /* set pointers */
+    (*c)->state = gcm;
+
+    /* setup cipher attributes */
+    switch (key_len) {
+    case SRTP_AES_GCM_128_KEY_LEN_WSALT:
+        (*c)->type = &srtp_aes_gcm_128;
+        (*c)->algorithm = SRTP_AES_GCM_128;
+        gcm->key_size = SRTP_AES_128_KEY_LEN;
+        gcm->tag_len = tlen;
+        break;
+    case SRTP_AES_GCM_256_KEY_LEN_WSALT:
+        (*c)->type = &srtp_aes_gcm_256;
+        (*c)->algorithm = SRTP_AES_GCM_256;
+        gcm->key_size = SRTP_AES_256_KEY_LEN;
+        gcm->tag_len = tlen;
+        break;
+    }
+
+    /* set key size        */
+    (*c)->key_len = key_len;
+
+    return (srtp_err_status_ok);
+}
+
+/*
+ * This function deallocates a GCM session
+ */
+static srtp_err_status_t srtp_aes_gcm_openssl_dealloc(srtp_cipher_t *c)
+{
+    srtp_aes_gcm_ctx_t *ctx;
+
+    ctx = (srtp_aes_gcm_ctx_t *)c->state;
+    if (ctx) {
+        EVP_CIPHER_CTX_free(ctx->ctx);
+        /* zeroize the key material */
+        octet_string_set_to_zero(ctx, sizeof(srtp_aes_gcm_ctx_t));
+        srtp_crypto_free(ctx);
+    }
+
+    /* free memory */
+    srtp_crypto_free(c);
+
+    return (srtp_err_status_ok);
+}
+
+/*
+ * aes_gcm_openssl_context_init(...) initializes the aes_gcm_context
+ * using the value in key[].
+ *
+ * the key is the secret key
+ */
+static srtp_err_status_t srtp_aes_gcm_openssl_context_init(void *cv,
+                                                           const uint8_t *key)
+{
+    srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv;
+    const EVP_CIPHER *evp;
+
+    c->dir = srtp_direction_any;
+
+    debug_print(srtp_mod_aes_gcm, "key:  %s",
+                srtp_octet_string_hex_string(key, c->key_size));
+
+    switch (c->key_size) {
+    case SRTP_AES_256_KEY_LEN:
+        evp = EVP_aes_256_gcm();
+        break;
+    case SRTP_AES_128_KEY_LEN:
+        evp = EVP_aes_128_gcm();
+        break;
+    default:
+        return (srtp_err_status_bad_param);
+        break;
+    }
+
+    if (!EVP_CipherInit_ex(c->ctx, evp, NULL, key, NULL, 0)) {
+        return (srtp_err_status_init_fail);
+    }
+
+    return (srtp_err_status_ok);
+}
+
+/*
+ * aes_gcm_openssl_set_iv(c, iv) sets the counter value to the exor of iv with
+ * the offset
+ */
+static srtp_err_status_t srtp_aes_gcm_openssl_set_iv(
+    void *cv,
+    uint8_t *iv,
+    srtp_cipher_direction_t direction)
+{
+    srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv;
+
+    if (direction != srtp_direction_encrypt &&
+        direction != srtp_direction_decrypt) {
+        return (srtp_err_status_bad_param);
+    }
+    c->dir = direction;
+
+    debug_print(srtp_mod_aes_gcm, "setting iv: %s",
+                srtp_octet_string_hex_string(iv, 12));
+
+    if (!EVP_CIPHER_CTX_ctrl(c->ctx, EVP_CTRL_GCM_SET_IVLEN, 12, 0)) {
+        return (srtp_err_status_init_fail);
+    }
+
+    if (!EVP_CipherInit_ex(c->ctx, NULL, NULL, NULL, iv,
+                           (c->dir == srtp_direction_encrypt ? 1 : 0))) {
+        return (srtp_err_status_init_fail);
+    }
+
+    return (srtp_err_status_ok);
+}
+
+/*
+ * This function processes the AAD
+ *
+ * Parameters:
+ *	c	Crypto context
+ *	aad	Additional data to process for AEAD cipher suites
+ *	aad_len	length of aad buffer
+ */
+static srtp_err_status_t srtp_aes_gcm_openssl_set_aad(void *cv,
+                                                      const uint8_t *aad,
+                                                      uint32_t aad_len)
+{
+    srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv;
+    int rv;
+
+    debug_print(srtp_mod_aes_gcm, "setting AAD: %s",
+                srtp_octet_string_hex_string(aad, aad_len));
+
+    /*
+     * Set dummy tag, OpenSSL requires the Tag to be set before
+     * processing AAD
+     */
+
+    /*
+     * OpenSSL never write to address pointed by the last parameter of
+     * EVP_CIPHER_CTX_ctrl while EVP_CTRL_GCM_SET_TAG (in reality,
+     * OpenSSL copy its content to the context), so we can make
+     * aad read-only in this function and all its wrappers.
+     */
+    unsigned char dummy_tag[GCM_AUTH_TAG_LEN];
+    memset(dummy_tag, 0x0, GCM_AUTH_TAG_LEN);
+    EVP_CIPHER_CTX_ctrl(c->ctx, EVP_CTRL_GCM_SET_TAG, c->tag_len, &dummy_tag);
+
+    rv = EVP_Cipher(c->ctx, NULL, aad, aad_len);
+    if (rv != aad_len) {
+        return (srtp_err_status_algo_fail);
+    } else {
+        return (srtp_err_status_ok);
+    }
+}
+
+/*
+ * This function encrypts a buffer using AES GCM mode
+ *
+ * Parameters:
+ *	c	Crypto context
+ *	buf	data to encrypt
+ *	enc_len	length of encrypt buffer
+ */
+static srtp_err_status_t srtp_aes_gcm_openssl_encrypt(void *cv,
+                                                      unsigned char *buf,
+                                                      unsigned int *enc_len)
+{
+    srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv;
+    if (c->dir != srtp_direction_encrypt && c->dir != srtp_direction_decrypt) {
+        return (srtp_err_status_bad_param);
+    }
+
+    /*
+     * Encrypt the data
+     */
+    EVP_Cipher(c->ctx, buf, buf, *enc_len);
+
+    return (srtp_err_status_ok);
+}
+
+/*
+ * This function calculates and returns the GCM tag for a given context.
+ * This should be called after encrypting the data.  The *len value
+ * is increased by the tag size.  The caller must ensure that *buf has
+ * enough room to accept the appended tag.
+ *
+ * Parameters:
+ *	c	Crypto context
+ *	buf	data to encrypt
+ *	len	length of encrypt buffer
+ */
+static srtp_err_status_t srtp_aes_gcm_openssl_get_tag(void *cv,
+                                                      uint8_t *buf,
+                                                      uint32_t *len)
+{
+    srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv;
+    /*
+     * Calculate the tag
+     */
+    EVP_Cipher(c->ctx, NULL, NULL, 0);
+
+    /*
+     * Retreive the tag
+     */
+    EVP_CIPHER_CTX_ctrl(c->ctx, EVP_CTRL_GCM_GET_TAG, c->tag_len, buf);
+
+    /*
+     * Increase encryption length by desired tag size
+     */
+    *len = c->tag_len;
+
+    return (srtp_err_status_ok);
+}
+
+/*
+ * This function decrypts a buffer using AES GCM mode
+ *
+ * Parameters:
+ *	c	Crypto context
+ *	buf	data to encrypt
+ *	enc_len	length of encrypt buffer
+ */
+static srtp_err_status_t srtp_aes_gcm_openssl_decrypt(void *cv,
+                                                      unsigned char *buf,
+                                                      unsigned int *enc_len)
+{
+    srtp_aes_gcm_ctx_t *c = (srtp_aes_gcm_ctx_t *)cv;
+    if (c->dir != srtp_direction_encrypt && c->dir != srtp_direction_decrypt) {
+        return (srtp_err_status_bad_param);
+    }
+
+    /*
+     * Set the tag before decrypting
+     */
+    EVP_CIPHER_CTX_ctrl(c->ctx, EVP_CTRL_GCM_SET_TAG, c->tag_len,
+                        buf + (*enc_len - c->tag_len));
+    EVP_Cipher(c->ctx, buf, buf, *enc_len - c->tag_len);
+
+    /*
+     * Check the tag
+     */
+    if (EVP_Cipher(c->ctx, NULL, NULL, 0)) {
+        return (srtp_err_status_auth_fail);
+    }
+
+    /*
+     * Reduce the buffer size by the tag length since the tag
+     * is not part of the original payload
+     */
+    *enc_len -= c->tag_len;
+
+    return (srtp_err_status_ok);
+}
+
+/*
+ * Name of this crypto engine
+ */
+static const char srtp_aes_gcm_128_openssl_description[] =
+    "AES-128 GCM using openssl";
+static const char srtp_aes_gcm_256_openssl_description[] =
+    "AES-256 GCM using openssl";
+
+/*
+ * KAT values for AES self-test.  These
+ * values we're derived from independent test code
+ * using OpenSSL.
+ */
+/* clang-format off */
+static const uint8_t srtp_aes_gcm_test_case_0_key[SRTP_AES_GCM_128_KEY_LEN_WSALT] = {
+    0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+    0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
+    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+    0x09, 0x0a, 0x0b, 0x0c,
+};
+/* clang-format on */
+
+/* clang-format off */
+static uint8_t srtp_aes_gcm_test_case_0_iv[12] = {
+    0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
+    0xde, 0xca, 0xf8, 0x88
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint8_t srtp_aes_gcm_test_case_0_plaintext[60] =  {
+    0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
+    0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
+    0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
+    0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
+    0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
+    0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
+    0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
+    0xba, 0x63, 0x7b, 0x39
+};
+
+/* clang-format off */
+static const uint8_t srtp_aes_gcm_test_case_0_aad[20] = {
+    0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+    0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+    0xab, 0xad, 0xda, 0xd2
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint8_t srtp_aes_gcm_test_case_0_ciphertext[76] = {
+    0x42, 0x83, 0x1e, 0xc2, 0x21, 0x77, 0x74, 0x24,
+    0x4b, 0x72, 0x21, 0xb7, 0x84, 0xd0, 0xd4, 0x9c,
+    0xe3, 0xaa, 0x21, 0x2f, 0x2c, 0x02, 0xa4, 0xe0,
+    0x35, 0xc1, 0x7e, 0x23, 0x29, 0xac, 0xa1, 0x2e,
+    0x21, 0xd5, 0x14, 0xb2, 0x54, 0x66, 0x93, 0x1c,
+    0x7d, 0x8f, 0x6a, 0x5a, 0xac, 0x84, 0xaa, 0x05,
+    0x1b, 0xa3, 0x0b, 0x39, 0x6a, 0x0a, 0xac, 0x97,
+    0x3d, 0x58, 0xe0, 0x91,
+    /* the last 16 bytes are the tag */
+    0x5b, 0xc9, 0x4f, 0xbc, 0x32, 0x21, 0xa5, 0xdb,
+    0x94, 0xfa, 0xe9, 0x5a, 0xe7, 0x12, 0x1a, 0x47,
+};
+/* clang-format on */
+
+static const srtp_cipher_test_case_t srtp_aes_gcm_test_case_0a = {
+    SRTP_AES_GCM_128_KEY_LEN_WSALT,      /* octets in key            */
+    srtp_aes_gcm_test_case_0_key,        /* key                      */
+    srtp_aes_gcm_test_case_0_iv,         /* packet index             */
+    60,                                  /* octets in plaintext      */
+    srtp_aes_gcm_test_case_0_plaintext,  /* plaintext                */
+    68,                                  /* octets in ciphertext     */
+    srtp_aes_gcm_test_case_0_ciphertext, /* ciphertext  + tag        */
+    20,                                  /* octets in AAD            */
+    srtp_aes_gcm_test_case_0_aad,        /* AAD                      */
+    GCM_AUTH_TAG_LEN_8,                  /* */
+    NULL                                 /* pointer to next testcase */
+};
+
+static const srtp_cipher_test_case_t srtp_aes_gcm_test_case_0 = {
+    SRTP_AES_GCM_128_KEY_LEN_WSALT,      /* octets in key            */
+    srtp_aes_gcm_test_case_0_key,        /* key                      */
+    srtp_aes_gcm_test_case_0_iv,         /* packet index             */
+    60,                                  /* octets in plaintext      */
+    srtp_aes_gcm_test_case_0_plaintext,  /* plaintext                */
+    76,                                  /* octets in ciphertext     */
+    srtp_aes_gcm_test_case_0_ciphertext, /* ciphertext  + tag        */
+    20,                                  /* octets in AAD            */
+    srtp_aes_gcm_test_case_0_aad,        /* AAD                      */
+    GCM_AUTH_TAG_LEN,                    /* */
+    &srtp_aes_gcm_test_case_0a           /* pointer to next testcase */
+};
+
+/* clang-format off */
+static const uint8_t srtp_aes_gcm_test_case_1_key[SRTP_AES_GCM_256_KEY_LEN_WSALT] = {
+    0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+    0xa5, 0x59, 0x09, 0xc5, 0x54, 0x66, 0x93, 0x1c,
+    0xaf, 0xf5, 0x26, 0x9a, 0x21, 0xd5, 0x14, 0xb2,
+    0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
+    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+    0x09, 0x0a, 0x0b, 0x0c,
+};
+/* clang-format on */
+
+/* clang-format off */
+static uint8_t srtp_aes_gcm_test_case_1_iv[12] = {
+    0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
+    0xde, 0xca, 0xf8, 0x88
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint8_t srtp_aes_gcm_test_case_1_plaintext[60] =  {
+    0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
+    0xa5, 0x59, 0x09, 0xc5, 0xaf, 0xf5, 0x26, 0x9a,
+    0x86, 0xa7, 0xa9, 0x53, 0x15, 0x34, 0xf7, 0xda,
+    0x2e, 0x4c, 0x30, 0x3d, 0x8a, 0x31, 0x8a, 0x72,
+    0x1c, 0x3c, 0x0c, 0x95, 0x95, 0x68, 0x09, 0x53,
+    0x2f, 0xcf, 0x0e, 0x24, 0x49, 0xa6, 0xb5, 0x25,
+    0xb1, 0x6a, 0xed, 0xf5, 0xaa, 0x0d, 0xe6, 0x57,
+    0xba, 0x63, 0x7b, 0x39
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint8_t srtp_aes_gcm_test_case_1_aad[20] = {
+    0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+    0xfe, 0xed, 0xfa, 0xce, 0xde, 0xad, 0xbe, 0xef,
+    0xab, 0xad, 0xda, 0xd2
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint8_t srtp_aes_gcm_test_case_1_ciphertext[76] = {
+    0x0b, 0x11, 0xcf, 0xaf, 0x68, 0x4d, 0xae, 0x46,
+    0xc7, 0x90, 0xb8, 0x8e, 0xb7, 0x6a, 0x76, 0x2a,
+    0x94, 0x82, 0xca, 0xab, 0x3e, 0x39, 0xd7, 0x86,
+    0x1b, 0xc7, 0x93, 0xed, 0x75, 0x7f, 0x23, 0x5a,
+    0xda, 0xfd, 0xd3, 0xe2, 0x0e, 0x80, 0x87, 0xa9,
+    0x6d, 0xd7, 0xe2, 0x6a, 0x7d, 0x5f, 0xb4, 0x80,
+    0xef, 0xef, 0xc5, 0x29, 0x12, 0xd1, 0xaa, 0x10,
+    0x09, 0xc9, 0x86, 0xc1,
+    /* the last 16 bytes are the tag */
+    0x45, 0xbc, 0x03, 0xe6, 0xe1, 0xac, 0x0a, 0x9f,
+    0x81, 0xcb, 0x8e, 0x5b, 0x46, 0x65, 0x63, 0x1d,
+};
+/* clang-format on */
+
+static const srtp_cipher_test_case_t srtp_aes_gcm_test_case_1a = {
+    SRTP_AES_GCM_256_KEY_LEN_WSALT,      /* octets in key            */
+    srtp_aes_gcm_test_case_1_key,        /* key                      */
+    srtp_aes_gcm_test_case_1_iv,         /* packet index             */
+    60,                                  /* octets in plaintext      */
+    srtp_aes_gcm_test_case_1_plaintext,  /* plaintext                */
+    68,                                  /* octets in ciphertext     */
+    srtp_aes_gcm_test_case_1_ciphertext, /* ciphertext  + tag        */
+    20,                                  /* octets in AAD            */
+    srtp_aes_gcm_test_case_1_aad,        /* AAD                      */
+    GCM_AUTH_TAG_LEN_8,                  /* */
+    NULL                                 /* pointer to next testcase */
+};
+
+static const srtp_cipher_test_case_t srtp_aes_gcm_test_case_1 = {
+    SRTP_AES_GCM_256_KEY_LEN_WSALT,      /* octets in key            */
+    srtp_aes_gcm_test_case_1_key,        /* key                      */
+    srtp_aes_gcm_test_case_1_iv,         /* packet index             */
+    60,                                  /* octets in plaintext      */
+    srtp_aes_gcm_test_case_1_plaintext,  /* plaintext                */
+    76,                                  /* octets in ciphertext     */
+    srtp_aes_gcm_test_case_1_ciphertext, /* ciphertext  + tag        */
+    20,                                  /* octets in AAD            */
+    srtp_aes_gcm_test_case_1_aad,        /* AAD                      */
+    GCM_AUTH_TAG_LEN,                    /* */
+    &srtp_aes_gcm_test_case_1a           /* pointer to next testcase */
+};
+
+/*
+ * This is the vector function table for this crypto engine.
+ */
+const srtp_cipher_type_t srtp_aes_gcm_128 = {
+    srtp_aes_gcm_openssl_alloc,
+    srtp_aes_gcm_openssl_dealloc,
+    srtp_aes_gcm_openssl_context_init,
+    srtp_aes_gcm_openssl_set_aad,
+    srtp_aes_gcm_openssl_encrypt,
+    srtp_aes_gcm_openssl_decrypt,
+    srtp_aes_gcm_openssl_set_iv,
+    srtp_aes_gcm_openssl_get_tag,
+    srtp_aes_gcm_128_openssl_description,
+    &srtp_aes_gcm_test_case_0,
+    SRTP_AES_GCM_128
+};
+
+/*
+ * This is the vector function table for this crypto engine.
+ */
+const srtp_cipher_type_t srtp_aes_gcm_256 = {
+    srtp_aes_gcm_openssl_alloc,
+    srtp_aes_gcm_openssl_dealloc,
+    srtp_aes_gcm_openssl_context_init,
+    srtp_aes_gcm_openssl_set_aad,
+    srtp_aes_gcm_openssl_encrypt,
+    srtp_aes_gcm_openssl_decrypt,
+    srtp_aes_gcm_openssl_set_iv,
+    srtp_aes_gcm_openssl_get_tag,
+    srtp_aes_gcm_256_openssl_description,
+    &srtp_aes_gcm_test_case_1,
+    SRTP_AES_GCM_256
+};
diff --git a/netwerk/srtp/src/crypto/cipher/aes_icm.c b/netwerk/srtp/src/crypto/cipher/aes_icm.c
new file mode 100644
index 0000000000..7551c75148
--- /dev/null
+++ b/netwerk/srtp/src/crypto/cipher/aes_icm.c
@@ -0,0 +1,530 @@
+/*
+ * aes_icm.c
+ *
+ * AES Integer Counter Mode
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+
+/*
+ *
+ * Copyright (c) 2001-2017 Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#define ALIGN_32 0
+
+#include "aes_icm.h"
+#include "alloc.h"
+#include "cipher_types.h"
+
+srtp_debug_module_t srtp_mod_aes_icm = {
+    0,        /* debugging is off by default */
+    "aes icm" /* printable module name       */
+};
+
+/*
+ * integer counter mode works as follows:
+ *
+ * 16 bits
+ * <----->
+ * +------+------+------+------+------+------+------+------+
+ * |           nonce           |    pakcet index    |  ctr |---+
+ * +------+------+------+------+------+------+------+------+   |
+ *                                                             |
+ * +------+------+------+------+------+------+------+------+   v
+ * |                      salt                      |000000|->(+)
+ * +------+------+------+------+------+------+------+------+   |
+ *                                                             |
+ *                                                        +---------+
+ *							  | encrypt |
+ *							  +---------+
+ *							       |
+ * +------+------+------+------+------+------+------+------+   |
+ * |                    keystream block                    |<--+
+ * +------+------+------+------+------+------+------+------+
+ *
+ * All fields are big-endian
+ *
+ * ctr is the block counter, which increments from zero for
+ * each packet (16 bits wide)
+ *
+ * packet index is distinct for each packet (48 bits wide)
+ *
+ * nonce can be distinct across many uses of the same key, or
+ * can be a fixed value per key, or can be per-packet randomness
+ * (64 bits)
+ *
+ */
+
+static srtp_err_status_t srtp_aes_icm_alloc(srtp_cipher_t **c,
+                                            int key_len,
+                                            int tlen)
+{
+    srtp_aes_icm_ctx_t *icm;
+
+    debug_print(srtp_mod_aes_icm, "allocating cipher with key length %d",
+                key_len);
+
+    /*
+     * The check for key_len = 30/46 does not apply. Our usage
+     * of aes functions with key_len = values other than 30
+     * has not broken anything. Don't know what would be the
+     * effect of skipping this check for srtp in general.
+     */
+    if (key_len != SRTP_AES_ICM_128_KEY_LEN_WSALT &&
+        key_len != SRTP_AES_ICM_256_KEY_LEN_WSALT) {
+        return srtp_err_status_bad_param;
+    }
+
+    /* allocate memory a cipher of type aes_icm */
+    *c = (srtp_cipher_t *)srtp_crypto_alloc(sizeof(srtp_cipher_t));
+    if (*c == NULL) {
+        return srtp_err_status_alloc_fail;
+    }
+
+    icm = (srtp_aes_icm_ctx_t *)srtp_crypto_alloc(sizeof(srtp_aes_icm_ctx_t));
+    if (icm == NULL) {
+        srtp_crypto_free(*c);
+        *c = NULL;
+        return srtp_err_status_alloc_fail;
+    }
+
+    /* set pointers */
+    (*c)->state = icm;
+
+    switch (key_len) {
+    case SRTP_AES_ICM_256_KEY_LEN_WSALT:
+        (*c)->algorithm = SRTP_AES_ICM_256;
+        (*c)->type = &srtp_aes_icm_256;
+        break;
+    default:
+        (*c)->algorithm = SRTP_AES_ICM_128;
+        (*c)->type = &srtp_aes_icm_128;
+        break;
+    }
+
+    /* set key size        */
+    icm->key_size = key_len;
+    (*c)->key_len = key_len;
+
+    return srtp_err_status_ok;
+}
+
+static srtp_err_status_t srtp_aes_icm_dealloc(srtp_cipher_t *c)
+{
+    srtp_aes_icm_ctx_t *ctx;
+
+    if (c == NULL) {
+        return srtp_err_status_bad_param;
+    }
+
+    ctx = (srtp_aes_icm_ctx_t *)c->state;
+    if (ctx) {
+        /* zeroize the key material */
+        octet_string_set_to_zero(ctx, sizeof(srtp_aes_icm_ctx_t));
+        srtp_crypto_free(ctx);
+    }
+
+    /* free the cipher context */
+    srtp_crypto_free(c);
+
+    return srtp_err_status_ok;
+}
+
+/*
+ * aes_icm_context_init(...) initializes the aes_icm_context
+ * using the value in key[].
+ *
+ * the key is the secret key
+ *
+ * the salt is unpredictable (but not necessarily secret) data which
+ * randomizes the starting point in the keystream
+ */
+
+static srtp_err_status_t srtp_aes_icm_context_init(void *cv, const uint8_t *key)
+{
+    srtp_aes_icm_ctx_t *c = (srtp_aes_icm_ctx_t *)cv;
+    srtp_err_status_t status;
+    int base_key_len, copy_len;
+
+    if (c->key_size == SRTP_AES_ICM_128_KEY_LEN_WSALT ||
+        c->key_size == SRTP_AES_ICM_256_KEY_LEN_WSALT) {
+        base_key_len = c->key_size - SRTP_SALT_LEN;
+    } else {
+        return srtp_err_status_bad_param;
+    }
+
+    /*
+     * set counter and initial values to 'offset' value, being careful not to
+     * go past the end of the key buffer
+     */
+    v128_set_to_zero(&c->counter);
+    v128_set_to_zero(&c->offset);
+
+    copy_len = c->key_size - base_key_len;
+    /* force last two octets of the offset to be left zero (for srtp
+     * compatibility) */
+    if (copy_len > SRTP_SALT_LEN) {
+        copy_len = SRTP_SALT_LEN;
+    }
+
+    memcpy(&c->counter, key + base_key_len, copy_len);
+    memcpy(&c->offset, key + base_key_len, copy_len);
+
+    debug_print(srtp_mod_aes_icm, "key:  %s",
+                srtp_octet_string_hex_string(key, base_key_len));
+    debug_print(srtp_mod_aes_icm, "offset: %s", v128_hex_string(&c->offset));
+
+    /* expand key */
+    status =
+        srtp_aes_expand_encryption_key(key, base_key_len, &c->expanded_key);
+    if (status) {
+        v128_set_to_zero(&c->counter);
+        v128_set_to_zero(&c->offset);
+        return status;
+    }
+
+    /* indicate that the keystream_buffer is empty */
+    c->bytes_in_buffer = 0;
+
+    return srtp_err_status_ok;
+}
+
+/*
+ * aes_icm_set_iv(c, iv) sets the counter value to the exor of iv with
+ * the offset
+ */
+
+static srtp_err_status_t srtp_aes_icm_set_iv(void *cv,
+                                             uint8_t *iv,
+                                             srtp_cipher_direction_t direction)
+{
+    srtp_aes_icm_ctx_t *c = (srtp_aes_icm_ctx_t *)cv;
+    v128_t nonce;
+
+    /* set nonce (for alignment) */
+    v128_copy_octet_string(&nonce, iv);
+
+    debug_print(srtp_mod_aes_icm, "setting iv: %s", v128_hex_string(&nonce));
+
+    v128_xor(&c->counter, &c->offset, &nonce);
+
+    debug_print(srtp_mod_aes_icm, "set_counter: %s",
+                v128_hex_string(&c->counter));
+
+    /* indicate that the keystream_buffer is empty */
+    c->bytes_in_buffer = 0;
+
+    return srtp_err_status_ok;
+}
+
+/*
+ * aes_icm_advance(...) refills the keystream_buffer and
+ * advances the block index of the sicm_context forward by one
+ *
+ * this is an internal, hopefully inlined function
+ */
+static void srtp_aes_icm_advance(srtp_aes_icm_ctx_t *c)
+{
+    /* fill buffer with new keystream */
+    v128_copy(&c->keystream_buffer, &c->counter);
+    srtp_aes_encrypt(&c->keystream_buffer, &c->expanded_key);
+    c->bytes_in_buffer = sizeof(v128_t);
+
+    debug_print(srtp_mod_aes_icm, "counter:    %s",
+                v128_hex_string(&c->counter));
+    debug_print(srtp_mod_aes_icm, "ciphertext: %s",
+                v128_hex_string(&c->keystream_buffer));
+
+    /* clock counter forward */
+    if (!++(c->counter.v8[15])) {
+        ++(c->counter.v8[14]);
+    }
+}
+
+/*
+ * icm_encrypt deals with the following cases:
+ *
+ * bytes_to_encr < bytes_in_buffer
+ *  - add keystream into data
+ *
+ * bytes_to_encr > bytes_in_buffer
+ *  - add keystream into data until keystream_buffer is depleted
+ *  - loop over blocks, filling keystream_buffer and then
+ *    adding keystream into data
+ *  - fill buffer then add in remaining (< 16) bytes of keystream
+ */
+
+static srtp_err_status_t srtp_aes_icm_encrypt(void *cv,
+                                              unsigned char *buf,
+                                              unsigned int *enc_len)
+{
+    srtp_aes_icm_ctx_t *c = (srtp_aes_icm_ctx_t *)cv;
+    unsigned int bytes_to_encr = *enc_len;
+    unsigned int i;
+    uint32_t *b;
+
+    /* check that there's enough segment left*/
+    if ((bytes_to_encr + htons(c->counter.v16[7])) > 0xffff) {
+        return srtp_err_status_terminus;
+    }
+
+    debug_print(srtp_mod_aes_icm, "block index: %d", htons(c->counter.v16[7]));
+    if (bytes_to_encr <= (unsigned int)c->bytes_in_buffer) {
+        /* deal with odd case of small bytes_to_encr */
+        for (i = (sizeof(v128_t) - c->bytes_in_buffer);
+             i < (sizeof(v128_t) - c->bytes_in_buffer + bytes_to_encr); i++) {
+            *buf++ ^= c->keystream_buffer.v8[i];
+        }
+
+        c->bytes_in_buffer -= bytes_to_encr;
+
+        /* return now to avoid the main loop */
+        return srtp_err_status_ok;
+
+    } else {
+        /* encrypt bytes until the remaining data is 16-byte aligned */
+        for (i = (sizeof(v128_t) - c->bytes_in_buffer); i < sizeof(v128_t);
+             i++) {
+            *buf++ ^= c->keystream_buffer.v8[i];
+        }
+
+        bytes_to_encr -= c->bytes_in_buffer;
+        c->bytes_in_buffer = 0;
+    }
+
+    /* now loop over entire 16-byte blocks of keystream */
+    for (i = 0; i < (bytes_to_encr / sizeof(v128_t)); i++) {
+        /* fill buffer with new keystream */
+        srtp_aes_icm_advance(c);
+
+/*
+ * add keystream into the data buffer (this would be a lot faster
+ * if we could assume 32-bit alignment!)
+ */
+
+#if ALIGN_32
+        b = (uint32_t *)buf;
+        *b++ ^= c->keystream_buffer.v32[0];
+        *b++ ^= c->keystream_buffer.v32[1];
+        *b++ ^= c->keystream_buffer.v32[2];
+        *b++ ^= c->keystream_buffer.v32[3];
+        buf = (uint8_t *)b;
+#else
+        if ((((uintptr_t)buf) & 0x03) != 0) {
+            *buf++ ^= c->keystream_buffer.v8[0];
+            *buf++ ^= c->keystream_buffer.v8[1];
+            *buf++ ^= c->keystream_buffer.v8[2];
+            *buf++ ^= c->keystream_buffer.v8[3];
+            *buf++ ^= c->keystream_buffer.v8[4];
+            *buf++ ^= c->keystream_buffer.v8[5];
+            *buf++ ^= c->keystream_buffer.v8[6];
+            *buf++ ^= c->keystream_buffer.v8[7];
+            *buf++ ^= c->keystream_buffer.v8[8];
+            *buf++ ^= c->keystream_buffer.v8[9];
+            *buf++ ^= c->keystream_buffer.v8[10];
+            *buf++ ^= c->keystream_buffer.v8[11];
+            *buf++ ^= c->keystream_buffer.v8[12];
+            *buf++ ^= c->keystream_buffer.v8[13];
+            *buf++ ^= c->keystream_buffer.v8[14];
+            *buf++ ^= c->keystream_buffer.v8[15];
+        } else {
+            b = (uint32_t *)buf;
+            *b++ ^= c->keystream_buffer.v32[0];
+            *b++ ^= c->keystream_buffer.v32[1];
+            *b++ ^= c->keystream_buffer.v32[2];
+            *b++ ^= c->keystream_buffer.v32[3];
+            buf = (uint8_t *)b;
+        }
+#endif /* #if ALIGN_32 */
+    }
+
+    /* if there is a tail end of the data, process it */
+    if ((bytes_to_encr & 0xf) != 0) {
+        /* fill buffer with new keystream */
+        srtp_aes_icm_advance(c);
+
+        for (i = 0; i < (bytes_to_encr & 0xf); i++) {
+            *buf++ ^= c->keystream_buffer.v8[i];
+        }
+
+        /* reset the keystream buffer size to right value */
+        c->bytes_in_buffer = sizeof(v128_t) - i;
+    } else {
+        /* no tail, so just reset the keystream buffer size to zero */
+        c->bytes_in_buffer = 0;
+    }
+
+    return srtp_err_status_ok;
+}
+
+static const char srtp_aes_icm_128_description[] =
+    "AES-128 integer counter mode";
+static const char srtp_aes_icm_256_description[] =
+    "AES-256 integer counter mode";
+
+/* clang-format off */
+static const uint8_t srtp_aes_icm_128_test_case_0_key[SRTP_AES_ICM_128_KEY_LEN_WSALT] = {
+    0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
+    0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c,
+    0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
+    0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd
+};
+/* clang-format on */
+
+/* clang-format off */
+static uint8_t srtp_aes_icm_128_test_case_0_nonce[16] = {
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint8_t srtp_aes_icm_128_test_case_0_plaintext[32] =  {
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint8_t srtp_aes_icm_128_test_case_0_ciphertext[32] = {
+    0xe0, 0x3e, 0xad, 0x09, 0x35, 0xc9, 0x5e, 0x80,
+    0xe1, 0x66, 0xb1, 0x6d, 0xd9, 0x2b, 0x4e, 0xb4,
+    0xd2, 0x35, 0x13, 0x16, 0x2b, 0x02, 0xd0, 0xf7,
+    0x2a, 0x43, 0xa2, 0xfe, 0x4a, 0x5f, 0x97, 0xab
+};
+/* clang-format on */
+
+static const srtp_cipher_test_case_t srtp_aes_icm_128_test_case_0 = {
+    SRTP_AES_ICM_128_KEY_LEN_WSALT,          /* octets in key            */
+    srtp_aes_icm_128_test_case_0_key,        /* key                      */
+    srtp_aes_icm_128_test_case_0_nonce,      /* packet index             */
+    32,                                      /* octets in plaintext      */
+    srtp_aes_icm_128_test_case_0_plaintext,  /* plaintext                */
+    32,                                      /* octets in ciphertext     */
+    srtp_aes_icm_128_test_case_0_ciphertext, /* ciphertext               */
+    0,                                       /* */
+    NULL,                                    /* */
+    0,                                       /* */
+    NULL                                     /* pointer to next testcase */
+};
+
+/* clang-format off */
+static const uint8_t srtp_aes_icm_256_test_case_0_key[SRTP_AES_ICM_256_KEY_LEN_WSALT] = {
+    0x57, 0xf8, 0x2f, 0xe3, 0x61, 0x3f, 0xd1, 0x70,
+    0xa8, 0x5e, 0xc9, 0x3c, 0x40, 0xb1, 0xf0, 0x92,
+    0x2e, 0xc4, 0xcb, 0x0d, 0xc0, 0x25, 0xb5, 0x82,
+    0x72, 0x14, 0x7c, 0xc4, 0x38, 0x94, 0x4a, 0x98,
+    0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
+    0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd
+};
+/* clang-format on */
+
+/* clang-format off */
+static uint8_t srtp_aes_icm_256_test_case_0_nonce[16] = {
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint8_t srtp_aes_icm_256_test_case_0_plaintext[32] =  {
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint8_t srtp_aes_icm_256_test_case_0_ciphertext[32] = {
+    0x92, 0xbd, 0xd2, 0x8a, 0x93, 0xc3, 0xf5, 0x25,
+    0x11, 0xc6, 0x77, 0xd0, 0x8b, 0x55, 0x15, 0xa4,
+    0x9d, 0xa7, 0x1b, 0x23, 0x78, 0xa8, 0x54, 0xf6,
+    0x70, 0x50, 0x75, 0x6d, 0xed, 0x16, 0x5b, 0xac
+};
+/* clang-format on */
+
+static const srtp_cipher_test_case_t srtp_aes_icm_256_test_case_0 = {
+    SRTP_AES_ICM_256_KEY_LEN_WSALT,          /* octets in key            */
+    srtp_aes_icm_256_test_case_0_key,        /* key                      */
+    srtp_aes_icm_256_test_case_0_nonce,      /* packet index             */
+    32,                                      /* octets in plaintext      */
+    srtp_aes_icm_256_test_case_0_plaintext,  /* plaintext                */
+    32,                                      /* octets in ciphertext     */
+    srtp_aes_icm_256_test_case_0_ciphertext, /* ciphertext               */
+    0,                                       /* */
+    NULL,                                    /* */
+    0,                                       /* */
+    NULL,                                    /* pointer to next testcase */
+};
+
+/*
+ * note: the encrypt function is identical to the decrypt function
+ */
+
+const srtp_cipher_type_t srtp_aes_icm_128 = {
+    srtp_aes_icm_alloc,            /* */
+    srtp_aes_icm_dealloc,          /* */
+    srtp_aes_icm_context_init,     /* */
+    0,                             /* set_aad */
+    srtp_aes_icm_encrypt,          /* */
+    srtp_aes_icm_encrypt,          /* */
+    srtp_aes_icm_set_iv,           /* */
+    0,                             /* get_tag */
+    srtp_aes_icm_128_description,  /* */
+    &srtp_aes_icm_128_test_case_0, /* */
+    SRTP_AES_ICM_128               /* */
+};
+
+const srtp_cipher_type_t srtp_aes_icm_256 = {
+    srtp_aes_icm_alloc,            /* */
+    srtp_aes_icm_dealloc,          /* */
+    srtp_aes_icm_context_init,     /* */
+    0,                             /* set_aad */
+    srtp_aes_icm_encrypt,          /* */
+    srtp_aes_icm_encrypt,          /* */
+    srtp_aes_icm_set_iv,           /* */
+    0,                             /* get_tag */
+    srtp_aes_icm_256_description,  /* */
+    &srtp_aes_icm_256_test_case_0, /* */
+    SRTP_AES_ICM_256               /* */
+};
diff --git a/netwerk/srtp/src/crypto/cipher/aes_icm_nss.c b/netwerk/srtp/src/crypto/cipher/aes_icm_nss.c
new file mode 100644
index 0000000000..c64335f416
--- /dev/null
+++ b/netwerk/srtp/src/crypto/cipher/aes_icm_nss.c
@@ -0,0 +1,550 @@
+/*
+ * aes_icm_nss.c
+ *
+ * AES Integer Counter Mode
+ *
+ * Richard L. Barnes
+ * Cisco Systems, Inc.
+ */
+
+/*
+ *
+ * Copyright (c) 2013-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include "aes_icm_ext.h"
+#include "crypto_types.h"
+#include "err.h" /* for srtp_debug */
+#include "alloc.h"
+#include "cipher_types.h"
+#include <nss.h>
+
+srtp_debug_module_t srtp_mod_aes_icm = {
+    0,            /* debugging is off by default */
+    "aes icm nss" /* printable module name       */
+};
+
+/*
+ * integer counter mode works as follows:
+ *
+ * 16 bits
+ * <----->
+ * +------+------+------+------+------+------+------+------+
+ * |           nonce           |    packet index    |  ctr |---+
+ * +------+------+------+------+------+------+------+------+   |
+ *                                                             |
+ * +------+------+------+------+------+------+------+------+   v
+ * |                      salt                      |000000|->(+)
+ * +------+------+------+------+------+------+------+------+   |
+ *                                                             |
+ *                                                        +---------+
+ *                                                        | encrypt |
+ *                                                        +---------+
+ *                                                             |
+ * +------+------+------+------+------+------+------+------+   |
+ * |                    keystream block                    |<--+
+ * +------+------+------+------+------+------+------+------+
+ *
+ * All fields are big-endian
+ *
+ * ctr is the block counter, which increments from zero for
+ * each packet (16 bits wide)
+ *
+ * packet index is distinct for each packet (48 bits wide)
+ *
+ * nonce can be distinct across many uses of the same key, or
+ * can be a fixed value per key, or can be per-packet randomness
+ * (64 bits)
+ *
+ */
+
+/*
+ * This function allocates a new instance of this crypto engine.
+ * The key_len parameter should be one of 30, 38, or 46 for
+ * AES-128, AES-192, and AES-256 respectively.  Note, this key_len
+ * value is inflated, as it also accounts for the 112 bit salt
+ * value.  The tlen argument is for the AEAD tag length, which
+ * isn't used in counter mode.
+ */
+static srtp_err_status_t srtp_aes_icm_nss_alloc(srtp_cipher_t **c,
+                                                int key_len,
+                                                int tlen)
+{
+    srtp_aes_icm_ctx_t *icm;
+
+    debug_print(srtp_mod_aes_icm, "allocating cipher with key length %d",
+                key_len);
+
+    /*
+     * Verify the key_len is valid for one of: AES-128/192/256
+     */
+    if (key_len != SRTP_AES_ICM_128_KEY_LEN_WSALT &&
+        key_len != SRTP_AES_ICM_192_KEY_LEN_WSALT &&
+        key_len != SRTP_AES_ICM_256_KEY_LEN_WSALT) {
+        return srtp_err_status_bad_param;
+    }
+
+    /* Initialize NSS */
+    if (!NSS_IsInitialized() && NSS_NoDB_Init(NULL) != SECSuccess) {
+        return (srtp_err_status_cipher_fail);
+    }
+
+    /* allocate memory a cipher of type aes_icm */
+    *c = (srtp_cipher_t *)srtp_crypto_alloc(sizeof(srtp_cipher_t));
+    if (*c == NULL) {
+        return srtp_err_status_alloc_fail;
+    }
+
+    icm = (srtp_aes_icm_ctx_t *)srtp_crypto_alloc(sizeof(srtp_aes_icm_ctx_t));
+    if (icm == NULL) {
+        srtp_crypto_free(*c);
+        *c = NULL;
+        return srtp_err_status_alloc_fail;
+    }
+
+    icm->key = NULL;
+    icm->ctx = NULL;
+
+    /* set pointers */
+    (*c)->state = icm;
+
+    /* setup cipher parameters */
+    switch (key_len) {
+    case SRTP_AES_ICM_128_KEY_LEN_WSALT:
+        (*c)->algorithm = SRTP_AES_ICM_128;
+        (*c)->type = &srtp_aes_icm_128;
+        icm->key_size = SRTP_AES_128_KEY_LEN;
+        break;
+    case SRTP_AES_ICM_192_KEY_LEN_WSALT:
+        (*c)->algorithm = SRTP_AES_ICM_192;
+        (*c)->type = &srtp_aes_icm_192;
+        icm->key_size = SRTP_AES_192_KEY_LEN;
+        break;
+    case SRTP_AES_ICM_256_KEY_LEN_WSALT:
+        (*c)->algorithm = SRTP_AES_ICM_256;
+        (*c)->type = &srtp_aes_icm_256;
+        icm->key_size = SRTP_AES_256_KEY_LEN;
+        break;
+    }
+
+    /* set key size        */
+    (*c)->key_len = key_len;
+
+    return srtp_err_status_ok;
+}
+
+/*
+ * This function deallocates an instance of this engine
+ */
+static srtp_err_status_t srtp_aes_icm_nss_dealloc(srtp_cipher_t *c)
+{
+    srtp_aes_icm_ctx_t *ctx;
+
+    ctx = (srtp_aes_icm_ctx_t *)c->state;
+    if (ctx) {
+        /* free any PK11 values that have been created */
+        if (ctx->key) {
+            PK11_FreeSymKey(ctx->key);
+            ctx->key = NULL;
+        }
+
+        if (ctx->ctx) {
+            PK11_DestroyContext(ctx->ctx, PR_TRUE);
+            ctx->ctx = NULL;
+        }
+
+        /* zeroize everything */
+        octet_string_set_to_zero(ctx, sizeof(srtp_aes_icm_ctx_t));
+        srtp_crypto_free(ctx);
+    }
+
+    /* free memory */
+    srtp_crypto_free(c);
+
+    return (srtp_err_status_ok);
+}
+
+/*
+ * aes_icm_nss_context_init(...) initializes the aes_icm_context
+ * using the value in key[].
+ *
+ * the key is the secret key
+ *
+ * the salt is unpredictable (but not necessarily secret) data which
+ * randomizes the starting point in the keystream
+ */
+static srtp_err_status_t srtp_aes_icm_nss_context_init(void *cv,
+                                                       const uint8_t *key)
+{
+    srtp_aes_icm_ctx_t *c = (srtp_aes_icm_ctx_t *)cv;
+
+    /*
+     * set counter and initial values to 'offset' value, being careful not to
+     * go past the end of the key buffer
+     */
+    v128_set_to_zero(&c->counter);
+    v128_set_to_zero(&c->offset);
+    memcpy(&c->counter, key + c->key_size, SRTP_SALT_LEN);
+    memcpy(&c->offset, key + c->key_size, SRTP_SALT_LEN);
+
+    /* force last two octets of the offset to zero (for srtp compatibility) */
+    c->offset.v8[SRTP_SALT_LEN] = c->offset.v8[SRTP_SALT_LEN + 1] = 0;
+    c->counter.v8[SRTP_SALT_LEN] = c->counter.v8[SRTP_SALT_LEN + 1] = 0;
+
+    debug_print(srtp_mod_aes_icm, "key:  %s",
+                srtp_octet_string_hex_string(key, c->key_size));
+    debug_print(srtp_mod_aes_icm, "offset: %s", v128_hex_string(&c->offset));
+
+    if (c->key) {
+        PK11_FreeSymKey(c->key);
+        c->key = NULL;
+    }
+
+    PK11SlotInfo *slot = PK11_GetBestSlot(CKM_AES_CTR, NULL);
+    if (!slot) {
+        return srtp_err_status_bad_param;
+    }
+
+    SECItem keyItem = { siBuffer, (unsigned char *)key, c->key_size };
+    c->key = PK11_ImportSymKey(slot, CKM_AES_CTR, PK11_OriginUnwrap,
+                               CKA_ENCRYPT, &keyItem, NULL);
+    PK11_FreeSlot(slot);
+
+    if (!c->key) {
+        return srtp_err_status_cipher_fail;
+    }
+
+    return (srtp_err_status_ok);
+}
+
+/*
+ * aes_icm_set_iv(c, iv) sets the counter value to the exor of iv with
+ * the offset
+ */
+static srtp_err_status_t srtp_aes_icm_nss_set_iv(void *cv,
+                                                 uint8_t *iv,
+                                                 srtp_cipher_direction_t dir)
+{
+    srtp_aes_icm_ctx_t *c = (srtp_aes_icm_ctx_t *)cv;
+    v128_t nonce;
+
+    /* set nonce (for alignment) */
+    v128_copy_octet_string(&nonce, iv);
+
+    debug_print(srtp_mod_aes_icm, "setting iv: %s", v128_hex_string(&nonce));
+
+    v128_xor(&c->counter, &c->offset, &nonce);
+
+    debug_print(srtp_mod_aes_icm, "set_counter: %s",
+                v128_hex_string(&c->counter));
+
+    /* set up the PK11 context now that we have all the info */
+    CK_AES_CTR_PARAMS param;
+    param.ulCounterBits = 16;
+    memcpy(param.cb, &c->counter, 16);
+
+    if (!c->key) {
+        return srtp_err_status_bad_param;
+    }
+
+    if (c->ctx) {
+        PK11_DestroyContext(c->ctx, PR_TRUE);
+    }
+
+    SECItem paramItem = { siBuffer, (unsigned char *)&param,
+                          sizeof(CK_AES_CTR_PARAMS) };
+    c->ctx = PK11_CreateContextBySymKey(CKM_AES_CTR, CKA_ENCRYPT, c->key,
+                                        &paramItem);
+    if (!c->ctx) {
+        return srtp_err_status_cipher_fail;
+    }
+
+    return srtp_err_status_ok;
+}
+
+/*
+ * This function encrypts a buffer using AES CTR mode
+ *
+ * Parameters:
+ *	c	Crypto context
+ *	buf	data to encrypt
+ *	enc_len	length of encrypt buffer
+ */
+static srtp_err_status_t srtp_aes_icm_nss_encrypt(void *cv,
+                                                  unsigned char *buf,
+                                                  unsigned int *enc_len)
+{
+    srtp_aes_icm_ctx_t *c = (srtp_aes_icm_ctx_t *)cv;
+
+    if (!c->ctx) {
+        return srtp_err_status_bad_param;
+    }
+
+    int rv =
+        PK11_CipherOp(c->ctx, buf, (int *)enc_len, *enc_len, buf, *enc_len);
+
+    srtp_err_status_t status = (srtp_err_status_ok);
+    if (rv != SECSuccess) {
+        status = (srtp_err_status_cipher_fail);
+    }
+
+    return status;
+}
+
+/*
+ * Name of this crypto engine
+ */
+static const char srtp_aes_icm_128_nss_description[] =
+    "AES-128 counter mode using NSS";
+static const char srtp_aes_icm_192_nss_description[] =
+    "AES-192 counter mode using NSS";
+static const char srtp_aes_icm_256_nss_description[] =
+    "AES-256 counter mode using NSS";
+
+/*
+ * KAT values for AES self-test.  These
+ * values came from the legacy libsrtp code.
+ */
+/* clang-format off */
+static const uint8_t srtp_aes_icm_128_test_case_0_key[SRTP_AES_ICM_128_KEY_LEN_WSALT] = {
+    0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
+    0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c,
+    0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
+    0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd
+};
+/* clang-format on */
+
+/* clang-format off */
+static uint8_t srtp_aes_icm_128_test_case_0_nonce[16] = {
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint8_t srtp_aes_icm_128_test_case_0_plaintext[32] =  {
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint8_t srtp_aes_icm_128_test_case_0_ciphertext[32] = {
+    0xe0, 0x3e, 0xad, 0x09, 0x35, 0xc9, 0x5e, 0x80,
+    0xe1, 0x66, 0xb1, 0x6d, 0xd9, 0x2b, 0x4e, 0xb4,
+    0xd2, 0x35, 0x13, 0x16, 0x2b, 0x02, 0xd0, 0xf7,
+    0x2a, 0x43, 0xa2, 0xfe, 0x4a, 0x5f, 0x97, 0xab
+};
+/* clang-format on */
+
+static const srtp_cipher_test_case_t srtp_aes_icm_128_test_case_0 = {
+    SRTP_AES_ICM_128_KEY_LEN_WSALT,          /* octets in key            */
+    srtp_aes_icm_128_test_case_0_key,        /* key                      */
+    srtp_aes_icm_128_test_case_0_nonce,      /* packet index             */
+    32,                                      /* octets in plaintext      */
+    srtp_aes_icm_128_test_case_0_plaintext,  /* plaintext                */
+    32,                                      /* octets in ciphertext     */
+    srtp_aes_icm_128_test_case_0_ciphertext, /* ciphertext               */
+    0,                                       /* */
+    NULL,                                    /* */
+    0,                                       /* */
+    NULL                                     /* pointer to next testcase */
+};
+
+/*
+ * KAT values for AES-192-CTR self-test.  These
+ * values came from section 7 of RFC 6188.
+ */
+/* clang-format off */
+static const uint8_t srtp_aes_icm_192_test_case_0_key[SRTP_AES_ICM_192_KEY_LEN_WSALT] = {
+    0xea, 0xb2, 0x34, 0x76, 0x4e, 0x51, 0x7b, 0x2d,
+    0x3d, 0x16, 0x0d, 0x58, 0x7d, 0x8c, 0x86, 0x21,
+    0x97, 0x40, 0xf6, 0x5f, 0x99, 0xb6, 0xbc, 0xf7,
+    0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
+    0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd
+};
+/* clang-format on */
+
+/* clang-format off */
+static uint8_t srtp_aes_icm_192_test_case_0_nonce[16] = {
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint8_t srtp_aes_icm_192_test_case_0_plaintext[32] =  {
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint8_t srtp_aes_icm_192_test_case_0_ciphertext[32] = {
+    0x35, 0x09, 0x6c, 0xba, 0x46, 0x10, 0x02, 0x8d,
+    0xc1, 0xb5, 0x75, 0x03, 0x80, 0x4c, 0xe3, 0x7c,
+    0x5d, 0xe9, 0x86, 0x29, 0x1d, 0xcc, 0xe1, 0x61,
+    0xd5, 0x16, 0x5e, 0xc4, 0x56, 0x8f, 0x5c, 0x9a
+};
+/* clang-format on */
+
+static const srtp_cipher_test_case_t srtp_aes_icm_192_test_case_0 = {
+    SRTP_AES_ICM_192_KEY_LEN_WSALT,          /* octets in key            */
+    srtp_aes_icm_192_test_case_0_key,        /* key                      */
+    srtp_aes_icm_192_test_case_0_nonce,      /* packet index             */
+    32,                                      /* octets in plaintext      */
+    srtp_aes_icm_192_test_case_0_plaintext,  /* plaintext                */
+    32,                                      /* octets in ciphertext     */
+    srtp_aes_icm_192_test_case_0_ciphertext, /* ciphertext               */
+    0,                                       /* */
+    NULL,                                    /* */
+    0,                                       /* */
+    NULL                                     /* pointer to next testcase */
+};
+
+/*
+ * KAT values for AES-256-CTR self-test.  These
+ * values came from section 7 of RFC 6188.
+ */
+/* clang-format off */
+static const uint8_t srtp_aes_icm_256_test_case_0_key[SRTP_AES_ICM_256_KEY_LEN_WSALT] = {
+    0x57, 0xf8, 0x2f, 0xe3, 0x61, 0x3f, 0xd1, 0x70,
+    0xa8, 0x5e, 0xc9, 0x3c, 0x40, 0xb1, 0xf0, 0x92,
+    0x2e, 0xc4, 0xcb, 0x0d, 0xc0, 0x25, 0xb5, 0x82,
+    0x72, 0x14, 0x7c, 0xc4, 0x38, 0x94, 0x4a, 0x98,
+    0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
+    0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd
+};
+/* clang-format on */
+
+/* clang-format off */
+static uint8_t srtp_aes_icm_256_test_case_0_nonce[16] = {
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint8_t srtp_aes_icm_256_test_case_0_plaintext[32] =  {
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint8_t srtp_aes_icm_256_test_case_0_ciphertext[32] = {
+    0x92, 0xbd, 0xd2, 0x8a, 0x93, 0xc3, 0xf5, 0x25,
+    0x11, 0xc6, 0x77, 0xd0, 0x8b, 0x55, 0x15, 0xa4,
+    0x9d, 0xa7, 0x1b, 0x23, 0x78, 0xa8, 0x54, 0xf6,
+    0x70, 0x50, 0x75, 0x6d, 0xed, 0x16, 0x5b, 0xac
+};
+/* clang-format on */
+
+static const srtp_cipher_test_case_t srtp_aes_icm_256_test_case_0 = {
+    SRTP_AES_ICM_256_KEY_LEN_WSALT,          /* octets in key            */
+    srtp_aes_icm_256_test_case_0_key,        /* key                      */
+    srtp_aes_icm_256_test_case_0_nonce,      /* packet index             */
+    32,                                      /* octets in plaintext      */
+    srtp_aes_icm_256_test_case_0_plaintext,  /* plaintext                */
+    32,                                      /* octets in ciphertext     */
+    srtp_aes_icm_256_test_case_0_ciphertext, /* ciphertext               */
+    0,                                       /* */
+    NULL,                                    /* */
+    0,                                       /* */
+    NULL                                     /* pointer to next testcase */
+};
+
+/*
+ * This is the function table for this crypto engine.
+ * note: the encrypt function is identical to the decrypt function
+ */
+const srtp_cipher_type_t srtp_aes_icm_128 = {
+    srtp_aes_icm_nss_alloc,           /* */
+    srtp_aes_icm_nss_dealloc,         /* */
+    srtp_aes_icm_nss_context_init,    /* */
+    0,                                /* set_aad */
+    srtp_aes_icm_nss_encrypt,         /* */
+    srtp_aes_icm_nss_encrypt,         /* */
+    srtp_aes_icm_nss_set_iv,          /* */
+    0,                                /* get_tag */
+    srtp_aes_icm_128_nss_description, /* */
+    &srtp_aes_icm_128_test_case_0,    /* */
+    SRTP_AES_ICM_128                  /* */
+};
+
+/*
+ * This is the function table for this crypto engine.
+ * note: the encrypt function is identical to the decrypt function
+ */
+const srtp_cipher_type_t srtp_aes_icm_192 = {
+    srtp_aes_icm_nss_alloc,           /* */
+    srtp_aes_icm_nss_dealloc,         /* */
+    srtp_aes_icm_nss_context_init,    /* */
+    0,                                /* set_aad */
+    srtp_aes_icm_nss_encrypt,         /* */
+    srtp_aes_icm_nss_encrypt,         /* */
+    srtp_aes_icm_nss_set_iv,          /* */
+    0,                                /* get_tag */
+    srtp_aes_icm_192_nss_description, /* */
+    &srtp_aes_icm_192_test_case_0,    /* */
+    SRTP_AES_ICM_192                  /* */
+};
+
+/*
+ * This is the function table for this crypto engine.
+ * note: the encrypt function is identical to the decrypt function
+ */
+const srtp_cipher_type_t srtp_aes_icm_256 = {
+    srtp_aes_icm_nss_alloc,           /* */
+    srtp_aes_icm_nss_dealloc,         /* */
+    srtp_aes_icm_nss_context_init,    /* */
+    0,                                /* set_aad */
+    srtp_aes_icm_nss_encrypt,         /* */
+    srtp_aes_icm_nss_encrypt,         /* */
+    srtp_aes_icm_nss_set_iv,          /* */
+    0,                                /* get_tag */
+    srtp_aes_icm_256_nss_description, /* */
+    &srtp_aes_icm_256_test_case_0,    /* */
+    SRTP_AES_ICM_256                  /* */
+};
diff --git a/netwerk/srtp/src/crypto/cipher/aes_icm_ossl.c b/netwerk/srtp/src/crypto/cipher/aes_icm_ossl.c
new file mode 100644
index 0000000000..a9b14d3972
--- /dev/null
+++ b/netwerk/srtp/src/crypto/cipher/aes_icm_ossl.c
@@ -0,0 +1,540 @@
+/*
+ * aes_icm_ossl.c
+ *
+ * AES Integer Counter Mode
+ *
+ * John A. Foley
+ * Cisco Systems, Inc.
+ *
+ * 2/24/2012:  This module was modified to use CiscoSSL for AES counter
+ *             mode.  Eddy Lem contributed the code to allow this.
+ *
+ * 12/20/2012: Added support for AES-192 and AES-256.
+ */
+
+/*
+ *
+ * Copyright (c) 2013-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <openssl/evp.h>
+#include "aes_icm_ext.h"
+#include "crypto_types.h"
+#include "err.h" /* for srtp_debug */
+#include "alloc.h"
+#include "cipher_types.h"
+
+srtp_debug_module_t srtp_mod_aes_icm = {
+    0,             /* debugging is off by default */
+    "aes icm ossl" /* printable module name       */
+};
+
+/*
+ * integer counter mode works as follows:
+ *
+ * 16 bits
+ * <----->
+ * +------+------+------+------+------+------+------+------+
+ * |           nonce           |    packet index    |  ctr |---+
+ * +------+------+------+------+------+------+------+------+   |
+ *                                                             |
+ * +------+------+------+------+------+------+------+------+   v
+ * |                      salt                      |000000|->(+)
+ * +------+------+------+------+------+------+------+------+   |
+ *                                                             |
+ *                                                        +---------+
+ *							  | encrypt |
+ *							  +---------+
+ *							       |
+ * +------+------+------+------+------+------+------+------+   |
+ * |                    keystream block                    |<--+
+ * +------+------+------+------+------+------+------+------+
+ *
+ * All fields are big-endian
+ *
+ * ctr is the block counter, which increments from zero for
+ * each packet (16 bits wide)
+ *
+ * packet index is distinct for each packet (48 bits wide)
+ *
+ * nonce can be distinct across many uses of the same key, or
+ * can be a fixed value per key, or can be per-packet randomness
+ * (64 bits)
+ *
+ */
+
+/*
+ * This function allocates a new instance of this crypto engine.
+ * The key_len parameter should be one of 30, 38, or 46 for
+ * AES-128, AES-192, and AES-256 respectively.  Note, this key_len
+ * value is inflated, as it also accounts for the 112 bit salt
+ * value.  The tlen argument is for the AEAD tag length, which
+ * isn't used in counter mode.
+ */
+static srtp_err_status_t srtp_aes_icm_openssl_alloc(srtp_cipher_t **c,
+                                                    int key_len,
+                                                    int tlen)
+{
+    srtp_aes_icm_ctx_t *icm;
+
+    debug_print(srtp_mod_aes_icm, "allocating cipher with key length %d",
+                key_len);
+
+    /*
+     * Verify the key_len is valid for one of: AES-128/192/256
+     */
+    if (key_len != SRTP_AES_ICM_128_KEY_LEN_WSALT &&
+        key_len != SRTP_AES_ICM_192_KEY_LEN_WSALT &&
+        key_len != SRTP_AES_ICM_256_KEY_LEN_WSALT) {
+        return srtp_err_status_bad_param;
+    }
+
+    /* allocate memory a cipher of type aes_icm */
+    *c = (srtp_cipher_t *)srtp_crypto_alloc(sizeof(srtp_cipher_t));
+    if (*c == NULL) {
+        return srtp_err_status_alloc_fail;
+    }
+
+    icm = (srtp_aes_icm_ctx_t *)srtp_crypto_alloc(sizeof(srtp_aes_icm_ctx_t));
+    if (icm == NULL) {
+        srtp_crypto_free(*c);
+        *c = NULL;
+        return srtp_err_status_alloc_fail;
+    }
+
+    icm->ctx = EVP_CIPHER_CTX_new();
+    if (icm->ctx == NULL) {
+        srtp_crypto_free(icm);
+        srtp_crypto_free(*c);
+        *c = NULL;
+        return srtp_err_status_alloc_fail;
+    }
+
+    /* set pointers */
+    (*c)->state = icm;
+
+    /* setup cipher parameters */
+    switch (key_len) {
+    case SRTP_AES_ICM_128_KEY_LEN_WSALT:
+        (*c)->algorithm = SRTP_AES_ICM_128;
+        (*c)->type = &srtp_aes_icm_128;
+        icm->key_size = SRTP_AES_128_KEY_LEN;
+        break;
+    case SRTP_AES_ICM_192_KEY_LEN_WSALT:
+        (*c)->algorithm = SRTP_AES_ICM_192;
+        (*c)->type = &srtp_aes_icm_192;
+        icm->key_size = SRTP_AES_192_KEY_LEN;
+        break;
+    case SRTP_AES_ICM_256_KEY_LEN_WSALT:
+        (*c)->algorithm = SRTP_AES_ICM_256;
+        (*c)->type = &srtp_aes_icm_256;
+        icm->key_size = SRTP_AES_256_KEY_LEN;
+        break;
+    }
+
+    /* set key size        */
+    (*c)->key_len = key_len;
+
+    return srtp_err_status_ok;
+}
+
+/*
+ * This function deallocates an instance of this engine
+ */
+static srtp_err_status_t srtp_aes_icm_openssl_dealloc(srtp_cipher_t *c)
+{
+    srtp_aes_icm_ctx_t *ctx;
+
+    if (c == NULL) {
+        return srtp_err_status_bad_param;
+    }
+
+    /*
+     * Free the EVP context
+     */
+    ctx = (srtp_aes_icm_ctx_t *)c->state;
+    if (ctx != NULL) {
+        EVP_CIPHER_CTX_free(ctx->ctx);
+        /* zeroize the key material */
+        octet_string_set_to_zero(ctx, sizeof(srtp_aes_icm_ctx_t));
+        srtp_crypto_free(ctx);
+    }
+
+    /* free memory */
+    srtp_crypto_free(c);
+
+    return srtp_err_status_ok;
+}
+
+/*
+ * aes_icm_openssl_context_init(...) initializes the aes_icm_context
+ * using the value in key[].
+ *
+ * the key is the secret key
+ *
+ * the salt is unpredictable (but not necessarily secret) data which
+ * randomizes the starting point in the keystream
+ */
+static srtp_err_status_t srtp_aes_icm_openssl_context_init(void *cv,
+                                                           const uint8_t *key)
+{
+    srtp_aes_icm_ctx_t *c = (srtp_aes_icm_ctx_t *)cv;
+    const EVP_CIPHER *evp;
+
+    /*
+     * set counter and initial values to 'offset' value, being careful not to
+     * go past the end of the key buffer
+     */
+    v128_set_to_zero(&c->counter);
+    v128_set_to_zero(&c->offset);
+    memcpy(&c->counter, key + c->key_size, SRTP_SALT_LEN);
+    memcpy(&c->offset, key + c->key_size, SRTP_SALT_LEN);
+
+    /* force last two octets of the offset to zero (for srtp compatibility) */
+    c->offset.v8[SRTP_SALT_LEN] = c->offset.v8[SRTP_SALT_LEN + 1] = 0;
+    c->counter.v8[SRTP_SALT_LEN] = c->counter.v8[SRTP_SALT_LEN + 1] = 0;
+
+    debug_print(srtp_mod_aes_icm, "key:  %s",
+                srtp_octet_string_hex_string(key, c->key_size));
+    debug_print(srtp_mod_aes_icm, "offset: %s", v128_hex_string(&c->offset));
+
+    switch (c->key_size) {
+    case SRTP_AES_256_KEY_LEN:
+        evp = EVP_aes_256_ctr();
+        break;
+    case SRTP_AES_192_KEY_LEN:
+        evp = EVP_aes_192_ctr();
+        break;
+    case SRTP_AES_128_KEY_LEN:
+        evp = EVP_aes_128_ctr();
+        break;
+    default:
+        return srtp_err_status_bad_param;
+        break;
+    }
+
+    if (!EVP_EncryptInit_ex(c->ctx, evp, NULL, key, NULL)) {
+        return srtp_err_status_fail;
+    } else {
+        return srtp_err_status_ok;
+    }
+
+    return srtp_err_status_ok;
+}
+
+/*
+ * aes_icm_set_iv(c, iv) sets the counter value to the exor of iv with
+ * the offset
+ */
+static srtp_err_status_t srtp_aes_icm_openssl_set_iv(
+    void *cv,
+    uint8_t *iv,
+    srtp_cipher_direction_t dir)
+{
+    srtp_aes_icm_ctx_t *c = (srtp_aes_icm_ctx_t *)cv;
+    v128_t nonce;
+
+    /* set nonce (for alignment) */
+    v128_copy_octet_string(&nonce, iv);
+
+    debug_print(srtp_mod_aes_icm, "setting iv: %s", v128_hex_string(&nonce));
+
+    v128_xor(&c->counter, &c->offset, &nonce);
+
+    debug_print(srtp_mod_aes_icm, "set_counter: %s",
+                v128_hex_string(&c->counter));
+
+    if (!EVP_EncryptInit_ex(c->ctx, NULL, NULL, NULL, c->counter.v8)) {
+        return srtp_err_status_fail;
+    } else {
+        return srtp_err_status_ok;
+    }
+}
+
+/*
+ * This function encrypts a buffer using AES CTR mode
+ *
+ * Parameters:
+ *	c	Crypto context
+ *	buf	data to encrypt
+ *	enc_len	length of encrypt buffer
+ */
+static srtp_err_status_t srtp_aes_icm_openssl_encrypt(void *cv,
+                                                      unsigned char *buf,
+                                                      unsigned int *enc_len)
+{
+    srtp_aes_icm_ctx_t *c = (srtp_aes_icm_ctx_t *)cv;
+    int len = 0;
+
+    debug_print(srtp_mod_aes_icm, "rs0: %s", v128_hex_string(&c->counter));
+
+    if (!EVP_EncryptUpdate(c->ctx, buf, &len, buf, *enc_len)) {
+        return srtp_err_status_cipher_fail;
+    }
+    *enc_len = len;
+
+    if (!EVP_EncryptFinal_ex(c->ctx, buf, &len)) {
+        return srtp_err_status_cipher_fail;
+    }
+    *enc_len += len;
+
+    return srtp_err_status_ok;
+}
+
+/*
+ * Name of this crypto engine
+ */
+static const char srtp_aes_icm_128_openssl_description[] =
+    "AES-128 counter mode using openssl";
+static const char srtp_aes_icm_192_openssl_description[] =
+    "AES-192 counter mode using openssl";
+static const char srtp_aes_icm_256_openssl_description[] =
+    "AES-256 counter mode using openssl";
+
+/*
+ * KAT values for AES self-test.  These
+ * values came from the legacy libsrtp code.
+ */
+/* clang-format off */
+static const uint8_t srtp_aes_icm_128_test_case_0_key[SRTP_AES_ICM_128_KEY_LEN_WSALT] = {
+    0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
+    0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c,
+    0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
+    0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd
+};
+/* clang-format on */
+
+/* clang-format off */
+static uint8_t srtp_aes_icm_128_test_case_0_nonce[16] = {
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint8_t srtp_aes_icm_128_test_case_0_plaintext[32] =  {
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint8_t srtp_aes_icm_128_test_case_0_ciphertext[32] = {
+    0xe0, 0x3e, 0xad, 0x09, 0x35, 0xc9, 0x5e, 0x80,
+    0xe1, 0x66, 0xb1, 0x6d, 0xd9, 0x2b, 0x4e, 0xb4,
+    0xd2, 0x35, 0x13, 0x16, 0x2b, 0x02, 0xd0, 0xf7,
+    0x2a, 0x43, 0xa2, 0xfe, 0x4a, 0x5f, 0x97, 0xab
+};
+/* clang-format on */
+
+static const srtp_cipher_test_case_t srtp_aes_icm_128_test_case_0 = {
+    SRTP_AES_ICM_128_KEY_LEN_WSALT,          /* octets in key            */
+    srtp_aes_icm_128_test_case_0_key,        /* key                      */
+    srtp_aes_icm_128_test_case_0_nonce,      /* packet index             */
+    32,                                      /* octets in plaintext      */
+    srtp_aes_icm_128_test_case_0_plaintext,  /* plaintext                */
+    32,                                      /* octets in ciphertext     */
+    srtp_aes_icm_128_test_case_0_ciphertext, /* ciphertext               */
+    0,                                       /* */
+    NULL,                                    /* */
+    0,                                       /* */
+    NULL                                     /* pointer to next testcase */
+};
+
+/*
+ * KAT values for AES-192-CTR self-test.  These
+ * values came from section 7 of RFC 6188.
+ */
+/* clang-format off */
+static const uint8_t srtp_aes_icm_192_test_case_0_key[SRTP_AES_ICM_192_KEY_LEN_WSALT] = {
+    0xea, 0xb2, 0x34, 0x76, 0x4e, 0x51, 0x7b, 0x2d,
+    0x3d, 0x16, 0x0d, 0x58, 0x7d, 0x8c, 0x86, 0x21,
+    0x97, 0x40, 0xf6, 0x5f, 0x99, 0xb6, 0xbc, 0xf7,
+    0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
+    0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd
+};
+/* clang-format on */
+
+/* clang-format off */
+static uint8_t srtp_aes_icm_192_test_case_0_nonce[16] = {
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint8_t srtp_aes_icm_192_test_case_0_plaintext[32] =  {
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint8_t srtp_aes_icm_192_test_case_0_ciphertext[32] = {
+    0x35, 0x09, 0x6c, 0xba, 0x46, 0x10, 0x02, 0x8d,
+    0xc1, 0xb5, 0x75, 0x03, 0x80, 0x4c, 0xe3, 0x7c,
+    0x5d, 0xe9, 0x86, 0x29, 0x1d, 0xcc, 0xe1, 0x61,
+    0xd5, 0x16, 0x5e, 0xc4, 0x56, 0x8f, 0x5c, 0x9a
+};
+/* clang-format on */
+
+static const srtp_cipher_test_case_t srtp_aes_icm_192_test_case_0 = {
+    SRTP_AES_ICM_192_KEY_LEN_WSALT,          /* octets in key            */
+    srtp_aes_icm_192_test_case_0_key,        /* key                      */
+    srtp_aes_icm_192_test_case_0_nonce,      /* packet index             */
+    32,                                      /* octets in plaintext      */
+    srtp_aes_icm_192_test_case_0_plaintext,  /* plaintext                */
+    32,                                      /* octets in ciphertext     */
+    srtp_aes_icm_192_test_case_0_ciphertext, /* ciphertext               */
+    0,                                       /* */
+    NULL,                                    /* */
+    0,                                       /* */
+    NULL                                     /* pointer to next testcase */
+};
+
+/*
+ * KAT values for AES-256-CTR self-test.  These
+ * values came from section 7 of RFC 6188.
+ */
+/* clang-format off */
+static const uint8_t srtp_aes_icm_256_test_case_0_key[SRTP_AES_ICM_256_KEY_LEN_WSALT] = {
+    0x57, 0xf8, 0x2f, 0xe3, 0x61, 0x3f, 0xd1, 0x70,
+    0xa8, 0x5e, 0xc9, 0x3c, 0x40, 0xb1, 0xf0, 0x92,
+    0x2e, 0xc4, 0xcb, 0x0d, 0xc0, 0x25, 0xb5, 0x82,
+    0x72, 0x14, 0x7c, 0xc4, 0x38, 0x94, 0x4a, 0x98,
+    0xf0, 0xf1, 0xf2, 0xf3, 0xf4, 0xf5, 0xf6, 0xf7,
+    0xf8, 0xf9, 0xfa, 0xfb, 0xfc, 0xfd
+};
+/* clang-format on */
+
+/* clang-format off */
+static uint8_t srtp_aes_icm_256_test_case_0_nonce[16] = {
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint8_t srtp_aes_icm_256_test_case_0_plaintext[32] =  {
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint8_t srtp_aes_icm_256_test_case_0_ciphertext[32] = {
+    0x92, 0xbd, 0xd2, 0x8a, 0x93, 0xc3, 0xf5, 0x25,
+    0x11, 0xc6, 0x77, 0xd0, 0x8b, 0x55, 0x15, 0xa4,
+    0x9d, 0xa7, 0x1b, 0x23, 0x78, 0xa8, 0x54, 0xf6,
+    0x70, 0x50, 0x75, 0x6d, 0xed, 0x16, 0x5b, 0xac
+};
+/* clang-format on */
+
+static const srtp_cipher_test_case_t srtp_aes_icm_256_test_case_0 = {
+    SRTP_AES_ICM_256_KEY_LEN_WSALT,          /* octets in key            */
+    srtp_aes_icm_256_test_case_0_key,        /* key                      */
+    srtp_aes_icm_256_test_case_0_nonce,      /* packet index             */
+    32,                                      /* octets in plaintext      */
+    srtp_aes_icm_256_test_case_0_plaintext,  /* plaintext                */
+    32,                                      /* octets in ciphertext     */
+    srtp_aes_icm_256_test_case_0_ciphertext, /* ciphertext               */
+    0,                                       /* */
+    NULL,                                    /* */
+    0,                                       /* */
+    NULL                                     /* pointer to next testcase */
+};
+
+/*
+ * This is the function table for this crypto engine.
+ * note: the encrypt function is identical to the decrypt function
+ */
+const srtp_cipher_type_t srtp_aes_icm_128 = {
+    srtp_aes_icm_openssl_alloc,           /* */
+    srtp_aes_icm_openssl_dealloc,         /* */
+    srtp_aes_icm_openssl_context_init,    /* */
+    0,                                    /* set_aad */
+    srtp_aes_icm_openssl_encrypt,         /* */
+    srtp_aes_icm_openssl_encrypt,         /* */
+    srtp_aes_icm_openssl_set_iv,          /* */
+    0,                                    /* get_tag */
+    srtp_aes_icm_128_openssl_description, /* */
+    &srtp_aes_icm_128_test_case_0,        /* */
+    SRTP_AES_ICM_128                      /* */
+};
+
+/*
+ * This is the function table for this crypto engine.
+ * note: the encrypt function is identical to the decrypt function
+ */
+const srtp_cipher_type_t srtp_aes_icm_192 = {
+    srtp_aes_icm_openssl_alloc,           /* */
+    srtp_aes_icm_openssl_dealloc,         /* */
+    srtp_aes_icm_openssl_context_init,    /* */
+    0,                                    /* set_aad */
+    srtp_aes_icm_openssl_encrypt,         /* */
+    srtp_aes_icm_openssl_encrypt,         /* */
+    srtp_aes_icm_openssl_set_iv,          /* */
+    0,                                    /* get_tag */
+    srtp_aes_icm_192_openssl_description, /* */
+    &srtp_aes_icm_192_test_case_0,        /* */
+    SRTP_AES_ICM_192                      /* */
+};
+
+/*
+ * This is the function table for this crypto engine.
+ * note: the encrypt function is identical to the decrypt function
+ */
+const srtp_cipher_type_t srtp_aes_icm_256 = {
+    srtp_aes_icm_openssl_alloc,           /* */
+    srtp_aes_icm_openssl_dealloc,         /* */
+    srtp_aes_icm_openssl_context_init,    /* */
+    0,                                    /* set_aad */
+    srtp_aes_icm_openssl_encrypt,         /* */
+    srtp_aes_icm_openssl_encrypt,         /* */
+    srtp_aes_icm_openssl_set_iv,          /* */
+    0,                                    /* get_tag */
+    srtp_aes_icm_256_openssl_description, /* */
+    &srtp_aes_icm_256_test_case_0,        /* */
+    SRTP_AES_ICM_256                      /* */
+};
diff --git a/netwerk/srtp/src/crypto/cipher/cipher.c b/netwerk/srtp/src/crypto/cipher/cipher.c
new file mode 100644
index 0000000000..19f00abc55
--- /dev/null
+++ b/netwerk/srtp/src/crypto/cipher/cipher.c
@@ -0,0 +1,679 @@
+/*
+ * cipher.c
+ *
+ * cipher meta-functions
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ *
+ */
+
+/*
+ *
+ * Copyright (c) 2001-2017 Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include "cipher.h"
+#include "crypto_types.h"
+#include "err.h"   /* for srtp_debug */
+#include "alloc.h" /* for crypto_alloc(), crypto_free()  */
+
+srtp_debug_module_t srtp_mod_cipher = {
+    0,       /* debugging is off by default */
+    "cipher" /* printable module name       */
+};
+
+srtp_err_status_t srtp_cipher_type_alloc(const srtp_cipher_type_t *ct,
+                                         srtp_cipher_t **c,
+                                         int key_len,
+                                         int tlen)
+{
+    if (!ct || !ct->alloc) {
+        return (srtp_err_status_bad_param);
+    }
+    return ((ct)->alloc((c), (key_len), (tlen)));
+}
+
+srtp_err_status_t srtp_cipher_dealloc(srtp_cipher_t *c)
+{
+    if (!c || !c->type) {
+        return (srtp_err_status_bad_param);
+    }
+    return (((c)->type)->dealloc(c));
+}
+
+srtp_err_status_t srtp_cipher_init(srtp_cipher_t *c, const uint8_t *key)
+{
+    if (!c || !c->type || !c->state) {
+        return (srtp_err_status_bad_param);
+    }
+    return (((c)->type)->init(((c)->state), (key)));
+}
+
+srtp_err_status_t srtp_cipher_set_iv(srtp_cipher_t *c,
+                                     uint8_t *iv,
+                                     int direction)
+{
+    if (!c || !c->type || !c->state) {
+        return (srtp_err_status_bad_param);
+    }
+
+    return (((c)->type)->set_iv(((c)->state), iv, direction));
+}
+
+srtp_err_status_t srtp_cipher_output(srtp_cipher_t *c,
+                                     uint8_t *buffer,
+                                     uint32_t *num_octets_to_output)
+{
+    /* zeroize the buffer */
+    octet_string_set_to_zero(buffer, *num_octets_to_output);
+
+    /* exor keystream into buffer */
+    return (((c)->type)->encrypt(((c)->state), buffer, num_octets_to_output));
+}
+
+srtp_err_status_t srtp_cipher_encrypt(srtp_cipher_t *c,
+                                      uint8_t *buffer,
+                                      uint32_t *num_octets_to_output)
+{
+    if (!c || !c->type || !c->state) {
+        return (srtp_err_status_bad_param);
+    }
+
+    return (((c)->type)->encrypt(((c)->state), buffer, num_octets_to_output));
+}
+
+srtp_err_status_t srtp_cipher_decrypt(srtp_cipher_t *c,
+                                      uint8_t *buffer,
+                                      uint32_t *num_octets_to_output)
+{
+    if (!c || !c->type || !c->state) {
+        return (srtp_err_status_bad_param);
+    }
+
+    return (((c)->type)->decrypt(((c)->state), buffer, num_octets_to_output));
+}
+
+srtp_err_status_t srtp_cipher_get_tag(srtp_cipher_t *c,
+                                      uint8_t *buffer,
+                                      uint32_t *tag_len)
+{
+    if (!c || !c->type || !c->state) {
+        return (srtp_err_status_bad_param);
+    }
+    if (!((c)->type)->get_tag) {
+        return (srtp_err_status_no_such_op);
+    }
+
+    return (((c)->type)->get_tag(((c)->state), buffer, tag_len));
+}
+
+srtp_err_status_t srtp_cipher_set_aad(srtp_cipher_t *c,
+                                      const uint8_t *aad,
+                                      uint32_t aad_len)
+{
+    if (!c || !c->type || !c->state) {
+        return (srtp_err_status_bad_param);
+    }
+    if (!((c)->type)->set_aad) {
+        return (srtp_err_status_no_such_op);
+    }
+
+    return (((c)->type)->set_aad(((c)->state), aad, aad_len));
+}
+
+/* some bookkeeping functions */
+
+int srtp_cipher_get_key_length(const srtp_cipher_t *c)
+{
+    return c->key_len;
+}
+
+/*
+ * A trivial platform independent random source.  The random
+ * data is used for some of the cipher self-tests.
+ */
+static srtp_err_status_t srtp_cipher_rand(void *dest, uint32_t len)
+{
+#if defined(HAVE_RAND_S)
+    uint8_t *dst = (uint8_t *)dest;
+    while (len) {
+        unsigned int val;
+        errno_t err = rand_s(&val);
+
+        if (err != 0)
+            return srtp_err_status_fail;
+
+        *dst++ = val & 0xff;
+        len--;
+    }
+#else
+    /* Generic C-library (rand()) version */
+    /* This is a random source of last resort */
+    uint8_t *dst = (uint8_t *)dest;
+    while (len) {
+        int val = rand();
+        /* rand() returns 0-32767 (ugh) */
+        /* Is this a good enough way to get random bytes?
+           It is if it passes FIPS-140... */
+        *dst++ = val & 0xff;
+        len--;
+    }
+#endif
+    return srtp_err_status_ok;
+}
+
+#define SELF_TEST_BUF_OCTETS 128
+#define NUM_RAND_TESTS 128
+#define MAX_KEY_LEN 64
+/*
+ * srtp_cipher_type_test(ct, test_data) tests a cipher of type ct against
+ * test cases provided in a list test_data of values of key, salt, iv,
+ * plaintext, and ciphertext that is known to be good
+ */
+srtp_err_status_t srtp_cipher_type_test(
+    const srtp_cipher_type_t *ct,
+    const srtp_cipher_test_case_t *test_data)
+{
+    const srtp_cipher_test_case_t *test_case = test_data;
+    srtp_cipher_t *c;
+    srtp_err_status_t status;
+    uint8_t buffer[SELF_TEST_BUF_OCTETS];
+    uint8_t buffer2[SELF_TEST_BUF_OCTETS];
+    uint32_t tag_len;
+    unsigned int len;
+    int i, j, case_num = 0;
+    unsigned k = 0;
+
+    debug_print(srtp_mod_cipher, "running self-test for cipher %s",
+                ct->description);
+
+    /*
+     * check to make sure that we have at least one test case, and
+     * return an error if we don't - we need to be paranoid here
+     */
+    if (test_case == NULL) {
+        return srtp_err_status_cant_check;
+    }
+
+    /*
+     * loop over all test cases, perform known-answer tests of both the
+     * encryption and decryption functions
+     */
+    while (test_case != NULL) {
+        /* allocate cipher */
+        status = srtp_cipher_type_alloc(ct, &c, test_case->key_length_octets,
+                                        test_case->tag_length_octets);
+        if (status) {
+            return status;
+        }
+
+        /*
+         * test the encrypt function
+         */
+        debug_print(srtp_mod_cipher, "testing encryption", NULL);
+
+        /* initialize cipher */
+        status = srtp_cipher_init(c, test_case->key);
+        if (status) {
+            srtp_cipher_dealloc(c);
+            return status;
+        }
+
+        /* copy plaintext into test buffer */
+        if (test_case->ciphertext_length_octets > SELF_TEST_BUF_OCTETS) {
+            srtp_cipher_dealloc(c);
+            return srtp_err_status_bad_param;
+        }
+        for (k = 0; k < test_case->plaintext_length_octets; k++) {
+            buffer[k] = test_case->plaintext[k];
+        }
+
+        debug_print(srtp_mod_cipher, "plaintext:    %s",
+                    srtp_octet_string_hex_string(
+                        buffer, test_case->plaintext_length_octets));
+
+        /* set the initialization vector */
+        status = srtp_cipher_set_iv(c, (uint8_t *)test_case->idx,
+                                    srtp_direction_encrypt);
+        if (status) {
+            srtp_cipher_dealloc(c);
+            return status;
+        }
+
+        if (c->algorithm == SRTP_AES_GCM_128 ||
+            c->algorithm == SRTP_AES_GCM_256) {
+            debug_print(srtp_mod_cipher, "IV:    %s",
+                        srtp_octet_string_hex_string(test_case->idx, 12));
+
+            /*
+             * Set the AAD
+             */
+            status = srtp_cipher_set_aad(c, test_case->aad,
+                                         test_case->aad_length_octets);
+            if (status) {
+                srtp_cipher_dealloc(c);
+                return status;
+            }
+            debug_print(srtp_mod_cipher, "AAD:    %s",
+                        srtp_octet_string_hex_string(
+                            test_case->aad, test_case->aad_length_octets));
+        }
+
+        /* encrypt */
+        len = test_case->plaintext_length_octets;
+        status = srtp_cipher_encrypt(c, buffer, &len);
+        if (status) {
+            srtp_cipher_dealloc(c);
+            return status;
+        }
+
+        if (c->algorithm == SRTP_AES_GCM_128 ||
+            c->algorithm == SRTP_AES_GCM_256) {
+            /*
+             * Get the GCM tag
+             */
+            status = srtp_cipher_get_tag(c, buffer + len, &tag_len);
+            if (status) {
+                srtp_cipher_dealloc(c);
+                return status;
+            }
+            len += tag_len;
+        }
+
+        debug_print(srtp_mod_cipher, "ciphertext:   %s",
+                    srtp_octet_string_hex_string(
+                        buffer, test_case->ciphertext_length_octets));
+
+        /* compare the resulting ciphertext with that in the test case */
+        if (len != test_case->ciphertext_length_octets) {
+            srtp_cipher_dealloc(c);
+            return srtp_err_status_algo_fail;
+        }
+        status = srtp_err_status_ok;
+        for (k = 0; k < test_case->ciphertext_length_octets; k++) {
+            if (buffer[k] != test_case->ciphertext[k]) {
+                status = srtp_err_status_algo_fail;
+                debug_print(srtp_mod_cipher, "test case %d failed", case_num);
+                debug_print(srtp_mod_cipher, "(failure at byte %u)", k);
+                break;
+            }
+        }
+        if (status) {
+            debug_print(srtp_mod_cipher, "c computed: %s",
+                        srtp_octet_string_hex_string(
+                            buffer, 2 * test_case->plaintext_length_octets));
+            debug_print(srtp_mod_cipher, "c expected: %s",
+                        srtp_octet_string_hex_string(
+                            test_case->ciphertext,
+                            2 * test_case->plaintext_length_octets));
+
+            srtp_cipher_dealloc(c);
+            return srtp_err_status_algo_fail;
+        }
+
+        /*
+         * test the decrypt function
+         */
+        debug_print(srtp_mod_cipher, "testing decryption", NULL);
+
+        /* re-initialize cipher for decryption */
+        status = srtp_cipher_init(c, test_case->key);
+        if (status) {
+            srtp_cipher_dealloc(c);
+            return status;
+        }
+
+        /* copy ciphertext into test buffer */
+        if (test_case->ciphertext_length_octets > SELF_TEST_BUF_OCTETS) {
+            srtp_cipher_dealloc(c);
+            return srtp_err_status_bad_param;
+        }
+        for (k = 0; k < test_case->ciphertext_length_octets; k++) {
+            buffer[k] = test_case->ciphertext[k];
+        }
+
+        debug_print(srtp_mod_cipher, "ciphertext:    %s",
+                    srtp_octet_string_hex_string(
+                        buffer, test_case->plaintext_length_octets));
+
+        /* set the initialization vector */
+        status = srtp_cipher_set_iv(c, (uint8_t *)test_case->idx,
+                                    srtp_direction_decrypt);
+        if (status) {
+            srtp_cipher_dealloc(c);
+            return status;
+        }
+
+        if (c->algorithm == SRTP_AES_GCM_128 ||
+            c->algorithm == SRTP_AES_GCM_256) {
+            /*
+             * Set the AAD
+             */
+            status = srtp_cipher_set_aad(c, test_case->aad,
+                                         test_case->aad_length_octets);
+            if (status) {
+                srtp_cipher_dealloc(c);
+                return status;
+            }
+            debug_print(srtp_mod_cipher, "AAD:    %s",
+                        srtp_octet_string_hex_string(
+                            test_case->aad, test_case->aad_length_octets));
+        }
+
+        /* decrypt */
+        len = test_case->ciphertext_length_octets;
+        status = srtp_cipher_decrypt(c, buffer, &len);
+        if (status) {
+            srtp_cipher_dealloc(c);
+            return status;
+        }
+
+        debug_print(srtp_mod_cipher, "plaintext:   %s",
+                    srtp_octet_string_hex_string(
+                        buffer, test_case->plaintext_length_octets));
+
+        /* compare the resulting plaintext with that in the test case */
+        if (len != test_case->plaintext_length_octets) {
+            srtp_cipher_dealloc(c);
+            return srtp_err_status_algo_fail;
+        }
+        status = srtp_err_status_ok;
+        for (k = 0; k < test_case->plaintext_length_octets; k++) {
+            if (buffer[k] != test_case->plaintext[k]) {
+                status = srtp_err_status_algo_fail;
+                debug_print(srtp_mod_cipher, "test case %d failed", case_num);
+                debug_print(srtp_mod_cipher, "(failure at byte %u)", k);
+            }
+        }
+        if (status) {
+            debug_print(srtp_mod_cipher, "p computed: %s",
+                        srtp_octet_string_hex_string(
+                            buffer, 2 * test_case->plaintext_length_octets));
+            debug_print(srtp_mod_cipher, "p expected: %s",
+                        srtp_octet_string_hex_string(
+                            test_case->plaintext,
+                            2 * test_case->plaintext_length_octets));
+
+            srtp_cipher_dealloc(c);
+            return srtp_err_status_algo_fail;
+        }
+
+        /* deallocate the cipher */
+        status = srtp_cipher_dealloc(c);
+        if (status) {
+            return status;
+        }
+
+        /*
+         * the cipher passed the test case, so move on to the next test
+         * case in the list; if NULL, we'l proceed to the next test
+         */
+        test_case = test_case->next_test_case;
+        ++case_num;
+    }
+
+    /* now run some random invertibility tests */
+
+    /* allocate cipher, using paramaters from the first test case */
+    test_case = test_data;
+    status = srtp_cipher_type_alloc(ct, &c, test_case->key_length_octets,
+                                    test_case->tag_length_octets);
+    if (status) {
+        return status;
+    }
+
+    for (j = 0; j < NUM_RAND_TESTS; j++) {
+        unsigned int length;
+        unsigned int plaintext_len;
+        uint8_t key[MAX_KEY_LEN];
+        uint8_t iv[MAX_KEY_LEN];
+
+        /* choose a length at random (leaving room for IV and padding) */
+        length = rand() % (SELF_TEST_BUF_OCTETS - 64);
+        debug_print(srtp_mod_cipher, "random plaintext length %d\n", length);
+        status = srtp_cipher_rand(buffer, length);
+        if (status) {
+            srtp_cipher_dealloc(c);
+            return status;
+        }
+
+        debug_print(srtp_mod_cipher, "plaintext:    %s",
+                    srtp_octet_string_hex_string(buffer, length));
+
+        /* copy plaintext into second buffer */
+        for (i = 0; (unsigned int)i < length; i++) {
+            buffer2[i] = buffer[i];
+        }
+
+        /* choose a key at random */
+        if (test_case->key_length_octets > MAX_KEY_LEN) {
+            srtp_cipher_dealloc(c);
+            return srtp_err_status_cant_check;
+        }
+        status = srtp_cipher_rand(key, test_case->key_length_octets);
+        if (status) {
+            srtp_cipher_dealloc(c);
+            return status;
+        }
+
+        /* chose a random initialization vector */
+        status = srtp_cipher_rand(iv, MAX_KEY_LEN);
+        if (status) {
+            srtp_cipher_dealloc(c);
+            return status;
+        }
+
+        /* initialize cipher */
+        status = srtp_cipher_init(c, key);
+        if (status) {
+            srtp_cipher_dealloc(c);
+            return status;
+        }
+
+        /* set initialization vector */
+        status = srtp_cipher_set_iv(c, (uint8_t *)test_case->idx,
+                                    srtp_direction_encrypt);
+        if (status) {
+            srtp_cipher_dealloc(c);
+            return status;
+        }
+
+        if (c->algorithm == SRTP_AES_GCM_128 ||
+            c->algorithm == SRTP_AES_GCM_256) {
+            /*
+             * Set the AAD
+             */
+            status = srtp_cipher_set_aad(c, test_case->aad,
+                                         test_case->aad_length_octets);
+            if (status) {
+                srtp_cipher_dealloc(c);
+                return status;
+            }
+            debug_print(srtp_mod_cipher, "AAD:    %s",
+                        srtp_octet_string_hex_string(
+                            test_case->aad, test_case->aad_length_octets));
+        }
+
+        /* encrypt buffer with cipher */
+        plaintext_len = length;
+        status = srtp_cipher_encrypt(c, buffer, &length);
+        if (status) {
+            srtp_cipher_dealloc(c);
+            return status;
+        }
+        if (c->algorithm == SRTP_AES_GCM_128 ||
+            c->algorithm == SRTP_AES_GCM_256) {
+            /*
+             * Get the GCM tag
+             */
+            status = srtp_cipher_get_tag(c, buffer + length, &tag_len);
+            if (status) {
+                srtp_cipher_dealloc(c);
+                return status;
+            }
+            length += tag_len;
+        }
+        debug_print(srtp_mod_cipher, "ciphertext:   %s",
+                    srtp_octet_string_hex_string(buffer, length));
+
+        /*
+         * re-initialize cipher for decryption, re-set the iv, then
+         * decrypt the ciphertext
+         */
+        status = srtp_cipher_init(c, key);
+        if (status) {
+            srtp_cipher_dealloc(c);
+            return status;
+        }
+        status = srtp_cipher_set_iv(c, (uint8_t *)test_case->idx,
+                                    srtp_direction_decrypt);
+        if (status) {
+            srtp_cipher_dealloc(c);
+            return status;
+        }
+        if (c->algorithm == SRTP_AES_GCM_128 ||
+            c->algorithm == SRTP_AES_GCM_256) {
+            /*
+             * Set the AAD
+             */
+            status = srtp_cipher_set_aad(c, test_case->aad,
+                                         test_case->aad_length_octets);
+            if (status) {
+                srtp_cipher_dealloc(c);
+                return status;
+            }
+            debug_print(srtp_mod_cipher, "AAD:    %s",
+                        srtp_octet_string_hex_string(
+                            test_case->aad, test_case->aad_length_octets));
+        }
+        status = srtp_cipher_decrypt(c, buffer, &length);
+        if (status) {
+            srtp_cipher_dealloc(c);
+            return status;
+        }
+
+        debug_print(srtp_mod_cipher, "plaintext[2]: %s",
+                    srtp_octet_string_hex_string(buffer, length));
+
+        /* compare the resulting plaintext with the original one */
+        if (length != plaintext_len) {
+            srtp_cipher_dealloc(c);
+            return srtp_err_status_algo_fail;
+        }
+        status = srtp_err_status_ok;
+        for (k = 0; k < plaintext_len; k++) {
+            if (buffer[k] != buffer2[k]) {
+                status = srtp_err_status_algo_fail;
+                debug_print(srtp_mod_cipher, "random test case %d failed",
+                            case_num);
+                debug_print(srtp_mod_cipher, "(failure at byte %u)", k);
+            }
+        }
+        if (status) {
+            srtp_cipher_dealloc(c);
+            return srtp_err_status_algo_fail;
+        }
+    }
+
+    status = srtp_cipher_dealloc(c);
+    if (status) {
+        return status;
+    }
+
+    return srtp_err_status_ok;
+}
+
+/*
+ * srtp_cipher_type_self_test(ct) performs srtp_cipher_type_test on ct's
+ * internal list of test data.
+ */
+srtp_err_status_t srtp_cipher_type_self_test(const srtp_cipher_type_t *ct)
+{
+    return srtp_cipher_type_test(ct, ct->test_data);
+}
+
+/*
+ * cipher_bits_per_second(c, l, t) computes (an estimate of) the
+ * number of bits that a cipher implementation can encrypt in a second
+ *
+ * c is a cipher (which MUST be allocated and initialized already), l
+ * is the length in octets of the test data to be encrypted, and t is
+ * the number of trials
+ *
+ * if an error is encountered, the value 0 is returned
+ */
+uint64_t srtp_cipher_bits_per_second(srtp_cipher_t *c,
+                                     int octets_in_buffer,
+                                     int num_trials)
+{
+    int i;
+    v128_t nonce;
+    clock_t timer;
+    unsigned char *enc_buf;
+    unsigned int len = octets_in_buffer;
+
+    enc_buf = (unsigned char *)srtp_crypto_alloc(octets_in_buffer);
+    if (enc_buf == NULL) {
+        return 0; /* indicate bad parameters by returning null */
+    }
+    /* time repeated trials */
+    v128_set_to_zero(&nonce);
+    timer = clock();
+    for (i = 0; i < num_trials; i++, nonce.v32[3] = i) {
+        if (srtp_cipher_set_iv(c, (uint8_t *)&nonce, srtp_direction_encrypt) !=
+            srtp_err_status_ok) {
+            srtp_crypto_free(enc_buf);
+            return 0;
+        }
+        if (srtp_cipher_encrypt(c, enc_buf, &len) != srtp_err_status_ok) {
+            srtp_crypto_free(enc_buf);
+            return 0;
+        }
+    }
+    timer = clock() - timer;
+
+    srtp_crypto_free(enc_buf);
+
+    if (timer == 0) {
+        /* Too fast! */
+        return 0;
+    }
+
+    return (uint64_t)CLOCKS_PER_SEC * num_trials * 8 * octets_in_buffer / timer;
+}
diff --git a/netwerk/srtp/src/crypto/cipher/null_cipher.c b/netwerk/srtp/src/crypto/cipher/null_cipher.c
new file mode 100644
index 0000000000..659add0d47
--- /dev/null
+++ b/netwerk/srtp/src/crypto/cipher/null_cipher.c
@@ -0,0 +1,153 @@
+/*
+ * null_cipher.c
+ *
+ * A null cipher implementation.  This cipher leaves the plaintext
+ * unchanged.
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+
+/*
+ *
+ * Copyright (c) 2001-2017 Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include "datatypes.h"
+#include "null_cipher.h"
+#include "err.h" /* for srtp_debug */
+#include "alloc.h"
+#include "cipher_types.h"
+
+static srtp_err_status_t srtp_null_cipher_alloc(srtp_cipher_t **c,
+                                                int key_len,
+                                                int tlen)
+{
+    extern const srtp_cipher_type_t srtp_null_cipher;
+
+    debug_print(srtp_mod_cipher, "allocating cipher with key length %d",
+                key_len);
+
+    /* allocate memory a cipher of type null_cipher */
+    *c = (srtp_cipher_t *)srtp_crypto_alloc(sizeof(srtp_cipher_t));
+    if (*c == NULL) {
+        return srtp_err_status_alloc_fail;
+    }
+
+    /* set pointers */
+    (*c)->algorithm = SRTP_NULL_CIPHER;
+    (*c)->type = &srtp_null_cipher;
+    (*c)->state = (void *)0x1; /* The null cipher does not maintain state */
+
+    /* set key size */
+    (*c)->key_len = key_len;
+
+    return srtp_err_status_ok;
+}
+
+static srtp_err_status_t srtp_null_cipher_dealloc(srtp_cipher_t *c)
+{
+    extern const srtp_cipher_type_t srtp_null_cipher;
+
+    /* zeroize entire state*/
+    octet_string_set_to_zero(c, sizeof(srtp_cipher_t));
+
+    /* free memory of type null_cipher */
+    srtp_crypto_free(c);
+
+    return srtp_err_status_ok;
+}
+
+static srtp_err_status_t srtp_null_cipher_init(void *cv, const uint8_t *key)
+{
+    /* srtp_null_cipher_ctx_t *c = (srtp_null_cipher_ctx_t *)cv; */
+
+    debug_print(srtp_mod_cipher, "initializing null cipher", NULL);
+
+    return srtp_err_status_ok;
+}
+
+static srtp_err_status_t srtp_null_cipher_set_iv(void *cv,
+                                                 uint8_t *iv,
+                                                 srtp_cipher_direction_t dir)
+{
+    /* srtp_null_cipher_ctx_t *c = (srtp_null_cipher_ctx_t *)cv; */
+    return srtp_err_status_ok;
+}
+
+static srtp_err_status_t srtp_null_cipher_encrypt(void *cv,
+                                                  unsigned char *buf,
+                                                  unsigned int *bytes_to_encr)
+{
+    /* srtp_null_cipher_ctx_t *c = (srtp_null_cipher_ctx_t *)cv; */
+    return srtp_err_status_ok;
+}
+
+static const char srtp_null_cipher_description[] = "null cipher";
+
+static const srtp_cipher_test_case_t srtp_null_cipher_test_0 = {
+    0,    /* octets in key            */
+    NULL, /* key                      */
+    0,    /* packet index             */
+    0,    /* octets in plaintext      */
+    NULL, /* plaintext                */
+    0,    /* octets in plaintext      */
+    NULL, /* ciphertext               */
+    0,    /* */
+    NULL, /* */
+    0,    /* */
+    NULL  /* pointer to next testcase */
+};
+
+/*
+ * note: the decrypt function is idential to the encrypt function
+ */
+
+const srtp_cipher_type_t srtp_null_cipher = {
+    srtp_null_cipher_alloc,       /* */
+    srtp_null_cipher_dealloc,     /* */
+    srtp_null_cipher_init,        /* */
+    0,                            /* set_aad */
+    srtp_null_cipher_encrypt,     /* */
+    srtp_null_cipher_encrypt,     /* */
+    srtp_null_cipher_set_iv,      /* */
+    0,                            /* get_tag */
+    srtp_null_cipher_description, /* */
+    &srtp_null_cipher_test_0,     /* */
+    SRTP_NULL_CIPHER              /* */
+};
diff --git a/netwerk/srtp/src/crypto/hash/auth.c b/netwerk/srtp/src/crypto/hash/auth.c
new file mode 100644
index 0000000000..f19327dc8e
--- /dev/null
+++ b/netwerk/srtp/src/crypto/hash/auth.c
@@ -0,0 +1,187 @@
+/*
+ * auth.c
+ *
+ * some bookkeeping functions for authentication functions
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+
+/*
+ *
+ * Copyright (c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include "auth.h"
+#include "err.h"       /* for srtp_debug */
+#include "datatypes.h" /* for octet_string */
+
+/* the debug module for authentiation */
+
+srtp_debug_module_t srtp_mod_auth = {
+    0,          /* debugging is off by default */
+    "auth func" /* printable name for module   */
+};
+
+int srtp_auth_get_key_length(const srtp_auth_t *a)
+{
+    return a->key_len;
+}
+
+int srtp_auth_get_tag_length(const srtp_auth_t *a)
+{
+    return a->out_len;
+}
+
+int srtp_auth_get_prefix_length(const srtp_auth_t *a)
+{
+    return a->prefix_len;
+}
+
+/*
+ * srtp_auth_type_test() tests an auth function of type ct against
+ * test cases provided in a list test_data of values of key, data, and tag
+ * that is known to be good
+ */
+
+/* should be big enough for most occasions */
+#define SELF_TEST_TAG_BUF_OCTETS 32
+
+srtp_err_status_t srtp_auth_type_test(const srtp_auth_type_t *at,
+                                      const srtp_auth_test_case_t *test_data)
+{
+    const srtp_auth_test_case_t *test_case = test_data;
+    srtp_auth_t *a;
+    srtp_err_status_t status;
+    uint8_t tag[SELF_TEST_TAG_BUF_OCTETS];
+    int i, case_num = 0;
+
+    debug_print(srtp_mod_auth, "running self-test for auth function %s",
+                at->description);
+
+    /*
+     * check to make sure that we have at least one test case, and
+     * return an error if we don't - we need to be paranoid here
+     */
+    if (test_case == NULL) {
+        return srtp_err_status_cant_check;
+    }
+
+    /* loop over all test cases */
+    while (test_case != NULL) {
+        /* check test case parameters */
+        if (test_case->tag_length_octets > SELF_TEST_TAG_BUF_OCTETS) {
+            return srtp_err_status_bad_param;
+        }
+
+        /* allocate auth */
+        status = srtp_auth_type_alloc(at, &a, test_case->key_length_octets,
+                                      test_case->tag_length_octets);
+        if (status) {
+            return status;
+        }
+
+        /* initialize auth */
+        status = srtp_auth_init(a, test_case->key);
+        if (status) {
+            srtp_auth_dealloc(a);
+            return status;
+        }
+
+        /* zeroize tag then compute */
+        octet_string_set_to_zero(tag, test_case->tag_length_octets);
+        status = srtp_auth_compute(a, test_case->data,
+                                   test_case->data_length_octets, tag);
+        if (status) {
+            srtp_auth_dealloc(a);
+            return status;
+        }
+
+        debug_print(srtp_mod_auth, "key: %s",
+                    srtp_octet_string_hex_string(test_case->key,
+                                                 test_case->key_length_octets));
+        debug_print(srtp_mod_auth, "data: %s",
+                    srtp_octet_string_hex_string(
+                        test_case->data, test_case->data_length_octets));
+        debug_print(
+            srtp_mod_auth, "tag computed: %s",
+            srtp_octet_string_hex_string(tag, test_case->tag_length_octets));
+        debug_print(srtp_mod_auth, "tag expected: %s",
+                    srtp_octet_string_hex_string(test_case->tag,
+                                                 test_case->tag_length_octets));
+
+        /* check the result */
+        status = srtp_err_status_ok;
+        for (i = 0; i < test_case->tag_length_octets; i++) {
+            if (tag[i] != test_case->tag[i]) {
+                status = srtp_err_status_algo_fail;
+                debug_print(srtp_mod_auth, "test case %d failed", case_num);
+                debug_print(srtp_mod_auth, "  (mismatch at octet %d)", i);
+            }
+        }
+        if (status) {
+            srtp_auth_dealloc(a);
+            return srtp_err_status_algo_fail;
+        }
+
+        /* deallocate the auth function */
+        status = srtp_auth_dealloc(a);
+        if (status) {
+            return status;
+        }
+
+        /*
+         * the auth function passed the test case, so move on to the next test
+         * case in the list; if NULL, we'll quit and return an OK
+         */
+        test_case = test_case->next_test_case;
+        ++case_num;
+    }
+
+    return srtp_err_status_ok;
+}
+
+/*
+ * srtp_auth_type_self_test(at) performs srtp_auth_type_test on at's internal
+ * list of test data.
+ */
+
+srtp_err_status_t srtp_auth_type_self_test(const srtp_auth_type_t *at)
+{
+    return srtp_auth_type_test(at, at->test_data);
+}
diff --git a/netwerk/srtp/src/crypto/hash/hmac.c b/netwerk/srtp/src/crypto/hash/hmac.c
new file mode 100644
index 0000000000..6e91468f36
--- /dev/null
+++ b/netwerk/srtp/src/crypto/hash/hmac.c
@@ -0,0 +1,283 @@
+/*
+ * hmac.c
+ *
+ * implementation of hmac srtp_auth_type_t
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+/*
+ *
+ * Copyright(c) 2001-2017 Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include "hmac.h"
+#include "alloc.h"
+#include "cipher_types.h"
+
+/* the debug module for authentiation */
+
+srtp_debug_module_t srtp_mod_hmac = {
+    0,           /* debugging is off by default */
+    "hmac sha-1" /* printable name for module   */
+};
+
+static srtp_err_status_t srtp_hmac_alloc(srtp_auth_t **a,
+                                         int key_len,
+                                         int out_len)
+{
+    extern const srtp_auth_type_t srtp_hmac;
+    uint8_t *pointer;
+
+    debug_print(srtp_mod_hmac, "allocating auth func with key length %d",
+                key_len);
+    debug_print(srtp_mod_hmac, "                          tag length %d",
+                out_len);
+
+    /*
+     * check key length - note that we don't support keys larger
+     * than 20 bytes yet
+     */
+    if (key_len > 20) {
+        return srtp_err_status_bad_param;
+    }
+
+    /* check output length - should be less than 20 bytes */
+    if (out_len > 20) {
+        return srtp_err_status_bad_param;
+    }
+
+    /* allocate memory for auth and srtp_hmac_ctx_t structures */
+    pointer = (uint8_t *)srtp_crypto_alloc(sizeof(srtp_hmac_ctx_t) +
+                                           sizeof(srtp_auth_t));
+    if (pointer == NULL) {
+        return srtp_err_status_alloc_fail;
+    }
+
+    /* set pointers */
+    *a = (srtp_auth_t *)pointer;
+    (*a)->type = &srtp_hmac;
+    (*a)->state = pointer + sizeof(srtp_auth_t);
+    (*a)->out_len = out_len;
+    (*a)->key_len = key_len;
+    (*a)->prefix_len = 0;
+
+    return srtp_err_status_ok;
+}
+
+static srtp_err_status_t srtp_hmac_dealloc(srtp_auth_t *a)
+{
+    /* zeroize entire state*/
+    octet_string_set_to_zero(a, sizeof(srtp_hmac_ctx_t) + sizeof(srtp_auth_t));
+
+    /* free memory */
+    srtp_crypto_free(a);
+
+    return srtp_err_status_ok;
+}
+
+static srtp_err_status_t srtp_hmac_init(void *statev,
+                                        const uint8_t *key,
+                                        int key_len)
+{
+    srtp_hmac_ctx_t *state = (srtp_hmac_ctx_t *)statev;
+    int i;
+    uint8_t ipad[64];
+
+    /*
+     * check key length - note that we don't support keys larger
+     * than 20 bytes yet
+     */
+    if (key_len > 20) {
+        return srtp_err_status_bad_param;
+    }
+
+    /*
+     * set values of ipad and opad by exoring the key into the
+     * appropriate constant values
+     */
+    for (i = 0; i < key_len; i++) {
+        ipad[i] = key[i] ^ 0x36;
+        state->opad[i] = key[i] ^ 0x5c;
+    }
+    /* set the rest of ipad, opad to constant values */
+    for (; i < 64; i++) {
+        ipad[i] = 0x36;
+        ((uint8_t *)state->opad)[i] = 0x5c;
+    }
+
+    debug_print(srtp_mod_hmac, "ipad: %s",
+                srtp_octet_string_hex_string(ipad, 64));
+
+    /* initialize sha1 context */
+    srtp_sha1_init(&state->init_ctx);
+
+    /* hash ipad ^ key */
+    srtp_sha1_update(&state->init_ctx, ipad, 64);
+    memcpy(&state->ctx, &state->init_ctx, sizeof(srtp_sha1_ctx_t));
+
+    return srtp_err_status_ok;
+}
+
+static srtp_err_status_t srtp_hmac_start(void *statev)
+{
+    srtp_hmac_ctx_t *state = (srtp_hmac_ctx_t *)statev;
+
+    memcpy(&state->ctx, &state->init_ctx, sizeof(srtp_sha1_ctx_t));
+
+    return srtp_err_status_ok;
+}
+
+static srtp_err_status_t srtp_hmac_update(void *statev,
+                                          const uint8_t *message,
+                                          int msg_octets)
+{
+    srtp_hmac_ctx_t *state = (srtp_hmac_ctx_t *)statev;
+
+    debug_print(srtp_mod_hmac, "input: %s",
+                srtp_octet_string_hex_string(message, msg_octets));
+
+    /* hash message into sha1 context */
+    srtp_sha1_update(&state->ctx, message, msg_octets);
+
+    return srtp_err_status_ok;
+}
+
+static srtp_err_status_t srtp_hmac_compute(void *statev,
+                                           const uint8_t *message,
+                                           int msg_octets,
+                                           int tag_len,
+                                           uint8_t *result)
+{
+    srtp_hmac_ctx_t *state = (srtp_hmac_ctx_t *)statev;
+    uint32_t hash_value[5];
+    uint32_t H[5];
+    int i;
+
+    /* check tag length, return error if we can't provide the value expected */
+    if (tag_len > 20) {
+        return srtp_err_status_bad_param;
+    }
+
+    /* hash message, copy output into H */
+    srtp_hmac_update(state, message, msg_octets);
+    srtp_sha1_final(&state->ctx, H);
+
+    /*
+     * note that we don't need to debug_print() the input, since the
+     * function hmac_update() already did that for us
+     */
+    debug_print(srtp_mod_hmac, "intermediate state: %s",
+                srtp_octet_string_hex_string((uint8_t *)H, 20));
+
+    /* re-initialize hash context */
+    srtp_sha1_init(&state->ctx);
+
+    /* hash opad ^ key  */
+    srtp_sha1_update(&state->ctx, (uint8_t *)state->opad, 64);
+
+    /* hash the result of the inner hash */
+    srtp_sha1_update(&state->ctx, (uint8_t *)H, 20);
+
+    /* the result is returned in the array hash_value[] */
+    srtp_sha1_final(&state->ctx, hash_value);
+
+    /* copy hash_value to *result */
+    for (i = 0; i < tag_len; i++) {
+        result[i] = ((uint8_t *)hash_value)[i];
+    }
+
+    debug_print(srtp_mod_hmac, "output: %s",
+                srtp_octet_string_hex_string((uint8_t *)hash_value, tag_len));
+
+    return srtp_err_status_ok;
+}
+
+/* begin test case 0 */
+/* clang-format off */
+static const uint8_t srtp_hmac_test_case_0_key[20] = {
+    0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+    0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+    0x0b, 0x0b, 0x0b, 0x0b
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint8_t srtp_hmac_test_case_0_data[8] = {
+    0x48, 0x69, 0x20, 0x54, 0x68, 0x65, 0x72, 0x65 /* "Hi There" */
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint8_t srtp_hmac_test_case_0_tag[20] = {
+    0xb6, 0x17, 0x31, 0x86, 0x55, 0x05, 0x72, 0x64,
+    0xe2, 0x8b, 0xc0, 0xb6, 0xfb, 0x37, 0x8c, 0x8e,
+    0xf1, 0x46, 0xbe, 0x00
+};
+/* clang-format on */
+
+static const srtp_auth_test_case_t srtp_hmac_test_case_0 = {
+    20,                         /* octets in key            */
+    srtp_hmac_test_case_0_key,  /* key                      */
+    8,                          /* octets in data           */
+    srtp_hmac_test_case_0_data, /* data                     */
+    20,                         /* octets in tag            */
+    srtp_hmac_test_case_0_tag,  /* tag                      */
+    NULL                        /* pointer to next testcase */
+};
+
+/* end test case 0 */
+
+static const char srtp_hmac_description[] =
+    "hmac sha-1 authentication function";
+
+/*
+ * srtp_auth_type_t hmac is the hmac metaobject
+ */
+
+const srtp_auth_type_t srtp_hmac = {
+    srtp_hmac_alloc,        /* */
+    srtp_hmac_dealloc,      /* */
+    srtp_hmac_init,         /* */
+    srtp_hmac_compute,      /* */
+    srtp_hmac_update,       /* */
+    srtp_hmac_start,        /* */
+    srtp_hmac_description,  /* */
+    &srtp_hmac_test_case_0, /* */
+    SRTP_HMAC_SHA1          /* */
+};
diff --git a/netwerk/srtp/src/crypto/hash/hmac_ossl.c b/netwerk/srtp/src/crypto/hash/hmac_ossl.c
new file mode 100644
index 0000000000..8146438b05
--- /dev/null
+++ b/netwerk/srtp/src/crypto/hash/hmac_ossl.c
@@ -0,0 +1,273 @@
+/*
+ * hmac_ossl.c
+ *
+ * Implementation of hmac srtp_auth_type_t that leverages OpenSSL
+ *
+ * John A. Foley
+ * Cisco Systems, Inc.
+ */
+/*
+ *
+ * Copyright(c) 2013-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include "auth.h"
+#include "alloc.h"
+#include "err.h" /* for srtp_debug */
+#include <openssl/evp.h>
+#include <openssl/hmac.h>
+
+#define SHA1_DIGEST_SIZE 20
+
+/* the debug module for authentiation */
+
+srtp_debug_module_t srtp_mod_hmac = {
+    0,                   /* debugging is off by default */
+    "hmac sha-1 openssl" /* printable name for module   */
+};
+
+static srtp_err_status_t srtp_hmac_alloc(srtp_auth_t **a,
+                                         int key_len,
+                                         int out_len)
+{
+    extern const srtp_auth_type_t srtp_hmac;
+
+    debug_print(srtp_mod_hmac, "allocating auth func with key length %d",
+                key_len);
+    debug_print(srtp_mod_hmac, "                          tag length %d",
+                out_len);
+
+    /* check output length - should be less than 20 bytes */
+    if (out_len > SHA1_DIGEST_SIZE) {
+        return srtp_err_status_bad_param;
+    }
+
+/* OpenSSL 1.1.0 made HMAC_CTX an opaque structure, which must be allocated
+   using HMAC_CTX_new.  But this function doesn't exist in OpenSSL 1.0.x. */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || LIBRESSL_VERSION_NUMBER
+    {
+        /* allocate memory for auth and HMAC_CTX structures */
+        uint8_t *pointer;
+        HMAC_CTX *new_hmac_ctx;
+        pointer = (uint8_t *)srtp_crypto_alloc(sizeof(HMAC_CTX) +
+                                               sizeof(srtp_auth_t));
+        if (pointer == NULL) {
+            return srtp_err_status_alloc_fail;
+        }
+        *a = (srtp_auth_t *)pointer;
+        (*a)->state = pointer + sizeof(srtp_auth_t);
+        new_hmac_ctx = (HMAC_CTX *)((*a)->state);
+
+        HMAC_CTX_init(new_hmac_ctx);
+    }
+
+#else
+    *a = (srtp_auth_t *)srtp_crypto_alloc(sizeof(srtp_auth_t));
+    if (*a == NULL) {
+        return srtp_err_status_alloc_fail;
+    }
+
+    (*a)->state = HMAC_CTX_new();
+    if ((*a)->state == NULL) {
+        srtp_crypto_free(*a);
+        *a = NULL;
+        return srtp_err_status_alloc_fail;
+    }
+#endif
+
+    /* set pointers */
+    (*a)->type = &srtp_hmac;
+    (*a)->out_len = out_len;
+    (*a)->key_len = key_len;
+    (*a)->prefix_len = 0;
+
+    return srtp_err_status_ok;
+}
+
+static srtp_err_status_t srtp_hmac_dealloc(srtp_auth_t *a)
+{
+    HMAC_CTX *hmac_ctx;
+
+    hmac_ctx = (HMAC_CTX *)a->state;
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || LIBRESSL_VERSION_NUMBER
+    HMAC_CTX_cleanup(hmac_ctx);
+
+    /* zeroize entire state*/
+    octet_string_set_to_zero(a, sizeof(HMAC_CTX) + sizeof(srtp_auth_t));
+
+#else
+    HMAC_CTX_free(hmac_ctx);
+
+    /* zeroize entire state*/
+    octet_string_set_to_zero(a, sizeof(srtp_auth_t));
+#endif
+
+    /* free memory */
+    srtp_crypto_free(a);
+
+    return srtp_err_status_ok;
+}
+
+static srtp_err_status_t srtp_hmac_start(void *statev)
+{
+    HMAC_CTX *state = (HMAC_CTX *)statev;
+
+    if (HMAC_Init_ex(state, NULL, 0, NULL, NULL) == 0)
+        return srtp_err_status_auth_fail;
+
+    return srtp_err_status_ok;
+}
+
+static srtp_err_status_t srtp_hmac_init(void *statev,
+                                        const uint8_t *key,
+                                        int key_len)
+{
+    HMAC_CTX *state = (HMAC_CTX *)statev;
+
+    if (HMAC_Init_ex(state, key, key_len, EVP_sha1(), NULL) == 0)
+        return srtp_err_status_auth_fail;
+
+    return srtp_err_status_ok;
+}
+
+static srtp_err_status_t srtp_hmac_update(void *statev,
+                                          const uint8_t *message,
+                                          int msg_octets)
+{
+    HMAC_CTX *state = (HMAC_CTX *)statev;
+
+    debug_print(srtp_mod_hmac, "input: %s",
+                srtp_octet_string_hex_string(message, msg_octets));
+
+    if (HMAC_Update(state, message, msg_octets) == 0)
+        return srtp_err_status_auth_fail;
+
+    return srtp_err_status_ok;
+}
+
+static srtp_err_status_t srtp_hmac_compute(void *statev,
+                                           const uint8_t *message,
+                                           int msg_octets,
+                                           int tag_len,
+                                           uint8_t *result)
+{
+    HMAC_CTX *state = (HMAC_CTX *)statev;
+    uint8_t hash_value[SHA1_DIGEST_SIZE];
+    int i;
+    unsigned int len;
+
+    /* check tag length, return error if we can't provide the value expected */
+    if (tag_len > SHA1_DIGEST_SIZE) {
+        return srtp_err_status_bad_param;
+    }
+
+    /* hash message, copy output into H */
+    if (HMAC_Update(state, message, msg_octets) == 0)
+        return srtp_err_status_auth_fail;
+
+    if (HMAC_Final(state, hash_value, &len) == 0)
+        return srtp_err_status_auth_fail;
+
+    if (len < tag_len)
+        return srtp_err_status_auth_fail;
+
+    /* copy hash_value to *result */
+    for (i = 0; i < tag_len; i++) {
+        result[i] = hash_value[i];
+    }
+
+    debug_print(srtp_mod_hmac, "output: %s",
+                srtp_octet_string_hex_string(hash_value, tag_len));
+
+    return srtp_err_status_ok;
+}
+
+/* begin test case 0 */
+/* clang-format off */
+static const uint8_t srtp_hmac_test_case_0_key[SHA1_DIGEST_SIZE] = {
+    0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+    0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
+    0x0b, 0x0b, 0x0b, 0x0b
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint8_t srtp_hmac_test_case_0_data[8] = {
+    0x48, 0x69, 0x20, 0x54, 0x68, 0x65, 0x72, 0x65 /* "Hi There" */
+};
+/* clang-format on */
+
+/* clang-format off */
+static const uint8_t srtp_hmac_test_case_0_tag[SHA1_DIGEST_SIZE] = {
+    0xb6, 0x17, 0x31, 0x86, 0x55, 0x05, 0x72, 0x64,
+    0xe2, 0x8b, 0xc0, 0xb6, 0xfb, 0x37, 0x8c, 0x8e,
+    0xf1, 0x46, 0xbe, 0x00
+};
+/* clang-format on */
+
+static const srtp_auth_test_case_t srtp_hmac_test_case_0 = {
+    sizeof(srtp_hmac_test_case_0_key),  /* octets in key            */
+    srtp_hmac_test_case_0_key,          /* key                      */
+    sizeof(srtp_hmac_test_case_0_data), /* octets in data           */
+    srtp_hmac_test_case_0_data,         /* data                     */
+    sizeof(srtp_hmac_test_case_0_tag),  /* octets in tag            */
+    srtp_hmac_test_case_0_tag,          /* tag                      */
+    NULL                                /* pointer to next testcase */
+};
+
+/* end test case 0 */
+
+static const char srtp_hmac_description[] =
+    "hmac sha-1 authentication function";
+
+/*
+ * srtp_auth_type_t hmac is the hmac metaobject
+ */
+
+const srtp_auth_type_t srtp_hmac = {
+    srtp_hmac_alloc,        /* */
+    srtp_hmac_dealloc,      /* */
+    srtp_hmac_init,         /* */
+    srtp_hmac_compute,      /* */
+    srtp_hmac_update,       /* */
+    srtp_hmac_start,        /* */
+    srtp_hmac_description,  /* */
+    &srtp_hmac_test_case_0, /* */
+    SRTP_HMAC_SHA1          /* */
+};
diff --git a/netwerk/srtp/src/crypto/hash/null_auth.c b/netwerk/srtp/src/crypto/hash/null_auth.c
new file mode 100644
index 0000000000..5194417caf
--- /dev/null
+++ b/netwerk/srtp/src/crypto/hash/null_auth.c
@@ -0,0 +1,168 @@
+/*
+ * null_auth.c
+ *
+ * implements the do-nothing auth algorithm
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ *
+ */
+
+/*
+ *
+ * Copyright (c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include "null_auth.h"
+#include "err.h" /* for srtp_debug */
+#include "alloc.h"
+#include "cipher_types.h"
+
+static srtp_err_status_t srtp_null_auth_alloc(srtp_auth_t **a,
+                                              int key_len,
+                                              int out_len)
+{
+    extern const srtp_auth_type_t srtp_null_auth;
+    uint8_t *pointer;
+
+    debug_print(srtp_mod_auth, "allocating auth func with key length %d",
+                key_len);
+    debug_print(srtp_mod_auth, "                          tag length %d",
+                out_len);
+
+    /* allocate memory for auth and srtp_null_auth_ctx_t structures */
+    pointer = (uint8_t *)srtp_crypto_alloc(sizeof(srtp_null_auth_ctx_t) +
+                                           sizeof(srtp_auth_t));
+    if (pointer == NULL) {
+        return srtp_err_status_alloc_fail;
+    }
+
+    /* set pointers */
+    *a = (srtp_auth_t *)pointer;
+    (*a)->type = &srtp_null_auth;
+    (*a)->state = pointer + sizeof(srtp_auth_t);
+    (*a)->out_len = out_len;
+    (*a)->prefix_len = out_len;
+    (*a)->key_len = key_len;
+
+    return srtp_err_status_ok;
+}
+
+static srtp_err_status_t srtp_null_auth_dealloc(srtp_auth_t *a)
+{
+    extern const srtp_auth_type_t srtp_null_auth;
+
+    /* zeroize entire state*/
+    octet_string_set_to_zero(a, sizeof(srtp_null_auth_ctx_t) +
+                                    sizeof(srtp_auth_t));
+
+    /* free memory */
+    srtp_crypto_free(a);
+
+    return srtp_err_status_ok;
+}
+
+static srtp_err_status_t srtp_null_auth_init(void *statev,
+                                             const uint8_t *key,
+                                             int key_len)
+{
+    /* srtp_null_auth_ctx_t *state = (srtp_null_auth_ctx_t *)statev; */
+    /* accept any length of key, and do nothing */
+
+    return srtp_err_status_ok;
+}
+
+static srtp_err_status_t srtp_null_auth_compute(void *statev,
+                                                const uint8_t *message,
+                                                int msg_octets,
+                                                int tag_len,
+                                                uint8_t *result)
+{
+    /* srtp_null_auth_ctx_t *state = (srtp_null_auth_ctx_t *)statev; */
+
+    return srtp_err_status_ok;
+}
+
+static srtp_err_status_t srtp_null_auth_update(void *statev,
+                                               const uint8_t *message,
+                                               int msg_octets)
+{
+    /* srtp_null_auth_ctx_t *state = (srtp_null_auth_ctx_t *)statev; */
+
+    return srtp_err_status_ok;
+}
+
+static srtp_err_status_t srtp_null_auth_start(void *statev)
+{
+    /* srtp_null_auth_ctx_t *state = (srtp_null_auth_ctx_t *)statev; */
+
+    return srtp_err_status_ok;
+}
+
+/*
+ * srtp_auth_type_t - defines description, test case, and null_auth
+ * metaobject
+ */
+
+/* begin test case 0 */
+
+static const srtp_auth_test_case_t srtp_null_auth_test_case_0 = {
+    0,    /* octets in key            */
+    NULL, /* key                      */
+    0,    /* octets in data           */
+    NULL, /* data                     */
+    0,    /* octets in tag            */
+    NULL, /* tag                      */
+    NULL  /* pointer to next testcase */
+};
+
+/* end test case 0 */
+
+static const char srtp_null_auth_description[] = "null authentication function";
+
+const srtp_auth_type_t srtp_null_auth = {
+    srtp_null_auth_alloc,        /* */
+    srtp_null_auth_dealloc,      /* */
+    srtp_null_auth_init,         /* */
+    srtp_null_auth_compute,      /* */
+    srtp_null_auth_update,       /* */
+    srtp_null_auth_start,        /* */
+    srtp_null_auth_description,  /* */
+    &srtp_null_auth_test_case_0, /* */
+    SRTP_NULL_AUTH               /* */
+};
diff --git a/netwerk/srtp/src/crypto/hash/sha1.c b/netwerk/srtp/src/crypto/hash/sha1.c
new file mode 100644
index 0000000000..91ebd1e396
--- /dev/null
+++ b/netwerk/srtp/src/crypto/hash/sha1.c
@@ -0,0 +1,474 @@
+/*
+ * sha1.c
+ *
+ * an implementation of the Secure Hash Algorithm v.1 (SHA-1),
+ * specified in FIPS 180-1
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+
+/*
+ *
+ * Copyright (c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include "sha1.h"
+
+srtp_debug_module_t srtp_mod_sha1 = {
+    0,      /* debugging is off by default */
+    "sha-1" /* printable module name       */
+};
+
+/* SN == Rotate left N bits */
+#define S1(X) ((X << 1) | (X >> 31))
+#define S5(X) ((X << 5) | (X >> 27))
+#define S30(X) ((X << 30) | (X >> 2))
+
+#define f0(B, C, D) ((B & C) | (~B & D))
+#define f1(B, C, D) (B ^ C ^ D)
+#define f2(B, C, D) ((B & C) | (B & D) | (C & D))
+#define f3(B, C, D) (B ^ C ^ D)
+
+/*
+ * nota bene: the variable K0 appears in the curses library, so we
+ * give longer names to these variables to avoid spurious warnings
+ * on systems that uses curses
+ */
+
+uint32_t SHA_K0 = 0x5A827999; /* Kt for 0  <= t <= 19 */
+uint32_t SHA_K1 = 0x6ED9EBA1; /* Kt for 20 <= t <= 39 */
+uint32_t SHA_K2 = 0x8F1BBCDC; /* Kt for 40 <= t <= 59 */
+uint32_t SHA_K3 = 0xCA62C1D6; /* Kt for 60 <= t <= 79 */
+
+void srtp_sha1(const uint8_t *msg, int octets_in_msg, uint32_t hash_value[5])
+{
+    srtp_sha1_ctx_t ctx;
+
+    srtp_sha1_init(&ctx);
+    srtp_sha1_update(&ctx, msg, octets_in_msg);
+    srtp_sha1_final(&ctx, hash_value);
+}
+
+/*
+ *  srtp_sha1_core(M, H) computes the core compression function, where M is
+ *  the next part of the message (in network byte order) and H is the
+ *  intermediate state { H0, H1, ...} (in host byte order)
+ *
+ *  this function does not do any of the padding required in the
+ *  complete SHA1 function
+ *
+ *  this function is used in the SEAL 3.0 key setup routines
+ *  (crypto/cipher/seal.c)
+ */
+
+void srtp_sha1_core(const uint32_t M[16], uint32_t hash_value[5])
+{
+    uint32_t H0;
+    uint32_t H1;
+    uint32_t H2;
+    uint32_t H3;
+    uint32_t H4;
+    uint32_t W[80];
+    uint32_t A, B, C, D, E, TEMP;
+    int t;
+
+    /* copy hash_value into H0, H1, H2, H3, H4 */
+    H0 = hash_value[0];
+    H1 = hash_value[1];
+    H2 = hash_value[2];
+    H3 = hash_value[3];
+    H4 = hash_value[4];
+
+    /* copy/xor message into array */
+
+    W[0] = be32_to_cpu(M[0]);
+    W[1] = be32_to_cpu(M[1]);
+    W[2] = be32_to_cpu(M[2]);
+    W[3] = be32_to_cpu(M[3]);
+    W[4] = be32_to_cpu(M[4]);
+    W[5] = be32_to_cpu(M[5]);
+    W[6] = be32_to_cpu(M[6]);
+    W[7] = be32_to_cpu(M[7]);
+    W[8] = be32_to_cpu(M[8]);
+    W[9] = be32_to_cpu(M[9]);
+    W[10] = be32_to_cpu(M[10]);
+    W[11] = be32_to_cpu(M[11]);
+    W[12] = be32_to_cpu(M[12]);
+    W[13] = be32_to_cpu(M[13]);
+    W[14] = be32_to_cpu(M[14]);
+    W[15] = be32_to_cpu(M[15]);
+    TEMP = W[13] ^ W[8] ^ W[2] ^ W[0];
+    W[16] = S1(TEMP);
+    TEMP = W[14] ^ W[9] ^ W[3] ^ W[1];
+    W[17] = S1(TEMP);
+    TEMP = W[15] ^ W[10] ^ W[4] ^ W[2];
+    W[18] = S1(TEMP);
+    TEMP = W[16] ^ W[11] ^ W[5] ^ W[3];
+    W[19] = S1(TEMP);
+    TEMP = W[17] ^ W[12] ^ W[6] ^ W[4];
+    W[20] = S1(TEMP);
+    TEMP = W[18] ^ W[13] ^ W[7] ^ W[5];
+    W[21] = S1(TEMP);
+    TEMP = W[19] ^ W[14] ^ W[8] ^ W[6];
+    W[22] = S1(TEMP);
+    TEMP = W[20] ^ W[15] ^ W[9] ^ W[7];
+    W[23] = S1(TEMP);
+    TEMP = W[21] ^ W[16] ^ W[10] ^ W[8];
+    W[24] = S1(TEMP);
+    TEMP = W[22] ^ W[17] ^ W[11] ^ W[9];
+    W[25] = S1(TEMP);
+    TEMP = W[23] ^ W[18] ^ W[12] ^ W[10];
+    W[26] = S1(TEMP);
+    TEMP = W[24] ^ W[19] ^ W[13] ^ W[11];
+    W[27] = S1(TEMP);
+    TEMP = W[25] ^ W[20] ^ W[14] ^ W[12];
+    W[28] = S1(TEMP);
+    TEMP = W[26] ^ W[21] ^ W[15] ^ W[13];
+    W[29] = S1(TEMP);
+    TEMP = W[27] ^ W[22] ^ W[16] ^ W[14];
+    W[30] = S1(TEMP);
+    TEMP = W[28] ^ W[23] ^ W[17] ^ W[15];
+    W[31] = S1(TEMP);
+
+    /* process the remainder of the array */
+    for (t = 32; t < 80; t++) {
+        TEMP = W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16];
+        W[t] = S1(TEMP);
+    }
+
+    A = H0;
+    B = H1;
+    C = H2;
+    D = H3;
+    E = H4;
+
+    for (t = 0; t < 20; t++) {
+        TEMP = S5(A) + f0(B, C, D) + E + W[t] + SHA_K0;
+        E = D;
+        D = C;
+        C = S30(B);
+        B = A;
+        A = TEMP;
+    }
+    for (; t < 40; t++) {
+        TEMP = S5(A) + f1(B, C, D) + E + W[t] + SHA_K1;
+        E = D;
+        D = C;
+        C = S30(B);
+        B = A;
+        A = TEMP;
+    }
+    for (; t < 60; t++) {
+        TEMP = S5(A) + f2(B, C, D) + E + W[t] + SHA_K2;
+        E = D;
+        D = C;
+        C = S30(B);
+        B = A;
+        A = TEMP;
+    }
+    for (; t < 80; t++) {
+        TEMP = S5(A) + f3(B, C, D) + E + W[t] + SHA_K3;
+        E = D;
+        D = C;
+        C = S30(B);
+        B = A;
+        A = TEMP;
+    }
+
+    hash_value[0] = H0 + A;
+    hash_value[1] = H1 + B;
+    hash_value[2] = H2 + C;
+    hash_value[3] = H3 + D;
+    hash_value[4] = H4 + E;
+
+    return;
+}
+
+void srtp_sha1_init(srtp_sha1_ctx_t *ctx)
+{
+    /* initialize state vector */
+    ctx->H[0] = 0x67452301;
+    ctx->H[1] = 0xefcdab89;
+    ctx->H[2] = 0x98badcfe;
+    ctx->H[3] = 0x10325476;
+    ctx->H[4] = 0xc3d2e1f0;
+
+    /* indicate that message buffer is empty */
+    ctx->octets_in_buffer = 0;
+
+    /* reset message bit-count to zero */
+    ctx->num_bits_in_msg = 0;
+}
+
+void srtp_sha1_update(srtp_sha1_ctx_t *ctx,
+                      const uint8_t *msg,
+                      int octets_in_msg)
+{
+    int i;
+    uint8_t *buf = (uint8_t *)ctx->M;
+
+    /* update message bit-count */
+    ctx->num_bits_in_msg += octets_in_msg * 8;
+
+    /* loop over 16-word blocks of M */
+    while (octets_in_msg > 0) {
+        if (octets_in_msg + ctx->octets_in_buffer >= 64) {
+            /*
+             * copy words of M into msg buffer until that buffer is full,
+             * converting them into host byte order as needed
+             */
+            octets_in_msg -= (64 - ctx->octets_in_buffer);
+            for (i = ctx->octets_in_buffer; i < 64; i++) {
+                buf[i] = *msg++;
+            }
+            ctx->octets_in_buffer = 0;
+
+            /* process a whole block */
+
+            debug_print(srtp_mod_sha1, "(update) running srtp_sha1_core()",
+                        NULL);
+
+            srtp_sha1_core(ctx->M, ctx->H);
+
+        } else {
+            debug_print(srtp_mod_sha1, "(update) not running srtp_sha1_core()",
+                        NULL);
+
+            for (i = ctx->octets_in_buffer;
+                 i < (ctx->octets_in_buffer + octets_in_msg); i++) {
+                buf[i] = *msg++;
+            }
+            ctx->octets_in_buffer += octets_in_msg;
+            octets_in_msg = 0;
+        }
+    }
+}
+
+/*
+ * srtp_sha1_final(ctx, output) computes the result for ctx and copies it
+ * into the twenty octets located at *output
+ */
+
+void srtp_sha1_final(srtp_sha1_ctx_t *ctx, uint32_t output[5])
+{
+    uint32_t A, B, C, D, E, TEMP;
+    uint32_t W[80];
+    int i, t;
+
+    /*
+     * process the remaining octets_in_buffer, padding and terminating as
+     * necessary
+     */
+    {
+        int tail = ctx->octets_in_buffer % 4;
+
+        /* copy/xor message into array */
+        for (i = 0; i < (ctx->octets_in_buffer + 3) / 4; i++) {
+            W[i] = be32_to_cpu(ctx->M[i]);
+        }
+
+        /* set the high bit of the octet immediately following the message */
+        switch (tail) {
+        case (3):
+            W[i - 1] = (be32_to_cpu(ctx->M[i - 1]) & 0xffffff00) | 0x80;
+            W[i] = 0x0;
+            break;
+        case (2):
+            W[i - 1] = (be32_to_cpu(ctx->M[i - 1]) & 0xffff0000) | 0x8000;
+            W[i] = 0x0;
+            break;
+        case (1):
+            W[i - 1] = (be32_to_cpu(ctx->M[i - 1]) & 0xff000000) | 0x800000;
+            W[i] = 0x0;
+            break;
+        case (0):
+            W[i] = 0x80000000;
+            break;
+        }
+
+        /* zeroize remaining words */
+        for (i++; i < 15; i++) {
+            W[i] = 0x0;
+        }
+
+        /*
+         * if there is room at the end of the word array, then set the
+         * last word to the bit-length of the message; otherwise, set that
+         * word to zero and then we need to do one more run of the
+         * compression algo.
+         */
+        if (ctx->octets_in_buffer < 56) {
+            W[15] = ctx->num_bits_in_msg;
+        } else if (ctx->octets_in_buffer < 60) {
+            W[15] = 0x0;
+        }
+
+        /* process the word array */
+        for (t = 16; t < 80; t++) {
+            TEMP = W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16];
+            W[t] = S1(TEMP);
+        }
+
+        A = ctx->H[0];
+        B = ctx->H[1];
+        C = ctx->H[2];
+        D = ctx->H[3];
+        E = ctx->H[4];
+
+        for (t = 0; t < 20; t++) {
+            TEMP = S5(A) + f0(B, C, D) + E + W[t] + SHA_K0;
+            E = D;
+            D = C;
+            C = S30(B);
+            B = A;
+            A = TEMP;
+        }
+        for (; t < 40; t++) {
+            TEMP = S5(A) + f1(B, C, D) + E + W[t] + SHA_K1;
+            E = D;
+            D = C;
+            C = S30(B);
+            B = A;
+            A = TEMP;
+        }
+        for (; t < 60; t++) {
+            TEMP = S5(A) + f2(B, C, D) + E + W[t] + SHA_K2;
+            E = D;
+            D = C;
+            C = S30(B);
+            B = A;
+            A = TEMP;
+        }
+        for (; t < 80; t++) {
+            TEMP = S5(A) + f3(B, C, D) + E + W[t] + SHA_K3;
+            E = D;
+            D = C;
+            C = S30(B);
+            B = A;
+            A = TEMP;
+        }
+
+        ctx->H[0] += A;
+        ctx->H[1] += B;
+        ctx->H[2] += C;
+        ctx->H[3] += D;
+        ctx->H[4] += E;
+    }
+
+    debug_print(srtp_mod_sha1, "(final) running srtp_sha1_core()", NULL);
+
+    if (ctx->octets_in_buffer >= 56) {
+        debug_print(srtp_mod_sha1, "(final) running srtp_sha1_core() again",
+                    NULL);
+
+        /* we need to do one final run of the compression algo */
+
+        /*
+         * set initial part of word array to zeros, and set the
+         * final part to the number of bits in the message
+         */
+        for (i = 0; i < 15; i++) {
+            W[i] = 0x0;
+        }
+        W[15] = ctx->num_bits_in_msg;
+
+        /* process the word array */
+        for (t = 16; t < 80; t++) {
+            TEMP = W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16];
+            W[t] = S1(TEMP);
+        }
+
+        A = ctx->H[0];
+        B = ctx->H[1];
+        C = ctx->H[2];
+        D = ctx->H[3];
+        E = ctx->H[4];
+
+        for (t = 0; t < 20; t++) {
+            TEMP = S5(A) + f0(B, C, D) + E + W[t] + SHA_K0;
+            E = D;
+            D = C;
+            C = S30(B);
+            B = A;
+            A = TEMP;
+        }
+        for (; t < 40; t++) {
+            TEMP = S5(A) + f1(B, C, D) + E + W[t] + SHA_K1;
+            E = D;
+            D = C;
+            C = S30(B);
+            B = A;
+            A = TEMP;
+        }
+        for (; t < 60; t++) {
+            TEMP = S5(A) + f2(B, C, D) + E + W[t] + SHA_K2;
+            E = D;
+            D = C;
+            C = S30(B);
+            B = A;
+            A = TEMP;
+        }
+        for (; t < 80; t++) {
+            TEMP = S5(A) + f3(B, C, D) + E + W[t] + SHA_K3;
+            E = D;
+            D = C;
+            C = S30(B);
+            B = A;
+            A = TEMP;
+        }
+
+        ctx->H[0] += A;
+        ctx->H[1] += B;
+        ctx->H[2] += C;
+        ctx->H[3] += D;
+        ctx->H[4] += E;
+    }
+
+    /* copy result into output buffer */
+    output[0] = be32_to_cpu(ctx->H[0]);
+    output[1] = be32_to_cpu(ctx->H[1]);
+    output[2] = be32_to_cpu(ctx->H[2]);
+    output[3] = be32_to_cpu(ctx->H[3]);
+    output[4] = be32_to_cpu(ctx->H[4]);
+
+    /* indicate that message buffer in context is empty */
+    ctx->octets_in_buffer = 0;
+
+    return;
+}
diff --git a/netwerk/srtp/src/crypto/include/aes.h b/netwerk/srtp/src/crypto/include/aes.h
new file mode 100644
index 0000000000..779c3ac744
--- /dev/null
+++ b/netwerk/srtp/src/crypto/include/aes.h
@@ -0,0 +1,83 @@
+/*
+ * aes.h
+ *
+ * header file for the AES block cipher
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+
+/*
+ *
+ * Copyright (c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef AES_H
+#define AES_H
+
+#include "datatypes.h"
+#include "err.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* aes internals */
+
+typedef struct {
+    v128_t round[15];
+    int num_rounds;
+} srtp_aes_expanded_key_t;
+
+srtp_err_status_t srtp_aes_expand_encryption_key(
+    const uint8_t *key,
+    int key_len,
+    srtp_aes_expanded_key_t *expanded_key);
+
+srtp_err_status_t srtp_aes_expand_decryption_key(
+    const uint8_t *key,
+    int key_len,
+    srtp_aes_expanded_key_t *expanded_key);
+
+void srtp_aes_encrypt(v128_t *plaintext,
+                      const srtp_aes_expanded_key_t *exp_key);
+
+void srtp_aes_decrypt(v128_t *plaintext,
+                      const srtp_aes_expanded_key_t *exp_key);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* AES_H */
diff --git a/netwerk/srtp/src/crypto/include/aes_gcm.h b/netwerk/srtp/src/crypto/include/aes_gcm.h
new file mode 100644
index 0000000000..f59d04dbca
--- /dev/null
+++ b/netwerk/srtp/src/crypto/include/aes_gcm.h
@@ -0,0 +1,87 @@
+/*
+ * aes_gcm.h
+ *
+ * Header for AES Galois Counter Mode.
+ *
+ * John A. Foley
+ * Cisco Systems, Inc.
+ *
+ */
+/*
+ *
+ * Copyright (c) 2013-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef AES_GCM_H
+#define AES_GCM_H
+
+#include "cipher.h"
+#include "srtp.h"
+#include "datatypes.h"
+
+#ifdef OPENSSL
+
+#include <openssl/evp.h>
+#include <openssl/aes.h>
+
+typedef struct {
+    int key_size;
+    int tag_len;
+    EVP_CIPHER_CTX *ctx;
+    srtp_cipher_direction_t dir;
+} srtp_aes_gcm_ctx_t;
+
+#endif /* OPENSSL */
+
+#ifdef NSS
+
+#include <pk11pub.h>
+
+#define MAX_AD_SIZE 2048
+
+typedef struct {
+    int key_size;
+    int tag_size;
+    srtp_cipher_direction_t dir;
+    PK11SymKey *key;
+    uint8_t iv[12];
+    uint8_t aad[MAX_AD_SIZE];
+    int aad_size;
+    CK_GCM_PARAMS params;
+    uint8_t tag[16];
+} srtp_aes_gcm_ctx_t;
+
+#endif /* NSS */
+
+#endif /* AES_GCM_H */
diff --git a/netwerk/srtp/src/crypto/include/aes_icm.h b/netwerk/srtp/src/crypto/include/aes_icm.h
new file mode 100644
index 0000000000..8ded156a29
--- /dev/null
+++ b/netwerk/srtp/src/crypto/include/aes_icm.h
@@ -0,0 +1,62 @@
+/*
+ * aes_icm.h
+ *
+ * Header for AES Integer Counter Mode.
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ *
+ */
+
+/*
+ *
+ * Copyright (c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef AES_ICM_H
+#define AES_ICM_H
+
+#include "aes.h"
+#include "cipher.h"
+
+typedef struct {
+    v128_t counter;                       /* holds the counter value          */
+    v128_t offset;                        /* initial offset value             */
+    v128_t keystream_buffer;              /* buffers bytes of keystream       */
+    srtp_aes_expanded_key_t expanded_key; /* the cipher key                   */
+    int bytes_in_buffer;                  /* number of unused bytes in buffer */
+    int key_size;                         /* AES key size + 14 byte SALT */
+} srtp_aes_icm_ctx_t;
+
+#endif /* AES_ICM_H */
diff --git a/netwerk/srtp/src/crypto/include/aes_icm_ext.h b/netwerk/srtp/src/crypto/include/aes_icm_ext.h
new file mode 100644
index 0000000000..6518d40b06
--- /dev/null
+++ b/netwerk/srtp/src/crypto/include/aes_icm_ext.h
@@ -0,0 +1,81 @@
+/*
+ * aes_icm.h
+ *
+ * Header for AES Integer Counter Mode.
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ *
+ */
+/*
+ *
+ * Copyright (c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef AES_ICM_H
+#define AES_ICM_H
+
+#include "cipher.h"
+#include "datatypes.h"
+
+#ifdef OPENSSL
+
+#include <openssl/evp.h>
+#include <openssl/aes.h>
+
+typedef struct {
+    v128_t counter; /* holds the counter value          */
+    v128_t offset;  /* initial offset value             */
+    int key_size;
+    EVP_CIPHER_CTX *ctx;
+} srtp_aes_icm_ctx_t;
+
+#endif /* OPENSSL */
+
+#ifdef NSS
+
+#include <pk11pub.h>
+
+typedef struct {
+    v128_t counter;
+    v128_t offset;
+    int key_size;
+    uint8_t iv[16];
+    PK11SymKey *key;
+    PK11Context *ctx;
+} srtp_aes_icm_ctx_t;
+
+#endif /* NSS */
+
+#endif /* AES_ICM_H */
diff --git a/netwerk/srtp/src/crypto/include/alloc.h b/netwerk/srtp/src/crypto/include/alloc.h
new file mode 100644
index 0000000000..1fc041014d
--- /dev/null
+++ b/netwerk/srtp/src/crypto/include/alloc.h
@@ -0,0 +1,76 @@
+/*
+ * alloc.h
+ *
+ * interface to memory allocation and deallocation, with optional debugging
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+/*
+ *
+ * Copyright (c) 2001-2017 Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef CRYPTO_ALLOC_H
+#define CRYPTO_ALLOC_H
+
+#include "datatypes.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * srtp_crypto_alloc
+ *
+ * Allocates a block of memory  of given size. The memory will be
+ * initialized to zero's. Free the memory with a call to srtp_crypto_free.
+ *
+ * returns pointer to memory on success or else NULL
+ */
+void *srtp_crypto_alloc(size_t size);
+
+/*
+ * srtp_crypto_free
+ *
+ * Frees the block of memory  ptr previously  allocated with
+ * srtp_crypto_alloc
+ */
+void srtp_crypto_free(void *ptr);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* CRYPTO_ALLOC_H */
diff --git a/netwerk/srtp/src/crypto/include/auth.h b/netwerk/srtp/src/crypto/include/auth.h
new file mode 100644
index 0000000000..774ea1687b
--- /dev/null
+++ b/netwerk/srtp/src/crypto/include/auth.h
@@ -0,0 +1,173 @@
+/*
+ * auth.h
+ *
+ * common interface to authentication functions
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+
+/*
+ *
+ * Copyright (c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef SRTP_AUTH_H
+#define SRTP_AUTH_H
+
+#include "srtp.h"
+#include "crypto_types.h" /* for values of auth_type_id_t */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef const struct srtp_auth_type_t *srtp_auth_type_pointer;
+typedef struct srtp_auth_t *srtp_auth_pointer_t;
+
+typedef srtp_err_status_t (*srtp_auth_alloc_func)(srtp_auth_pointer_t *ap,
+                                                  int key_len,
+                                                  int out_len);
+
+typedef srtp_err_status_t (*srtp_auth_init_func)(void *state,
+                                                 const uint8_t *key,
+                                                 int key_len);
+
+typedef srtp_err_status_t (*srtp_auth_dealloc_func)(srtp_auth_pointer_t ap);
+
+typedef srtp_err_status_t (*srtp_auth_compute_func)(void *state,
+                                                    const uint8_t *buffer,
+                                                    int octets_to_auth,
+                                                    int tag_len,
+                                                    uint8_t *tag);
+
+typedef srtp_err_status_t (*srtp_auth_update_func)(void *state,
+                                                   const uint8_t *buffer,
+                                                   int octets_to_auth);
+
+typedef srtp_err_status_t (*srtp_auth_start_func)(void *state);
+
+/* some syntactic sugar on these function types */
+#define srtp_auth_type_alloc(at, a, klen, outlen)                              \
+    ((at)->alloc((a), (klen), (outlen)))
+
+#define srtp_auth_init(a, key)                                                 \
+    (((a)->type)->init((a)->state, (key), ((a)->key_len)))
+
+#define srtp_auth_compute(a, buf, len, res)                                    \
+    (((a)->type)->compute((a)->state, (buf), (len), (a)->out_len, (res)))
+
+#define srtp_auth_update(a, buf, len)                                          \
+    (((a)->type)->update((a)->state, (buf), (len)))
+
+#define srtp_auth_start(a) (((a)->type)->start((a)->state))
+
+#define srtp_auth_dealloc(c) (((c)->type)->dealloc(c))
+
+/* functions to get information about a particular auth_t */
+int srtp_auth_get_key_length(const struct srtp_auth_t *a);
+
+int srtp_auth_get_tag_length(const struct srtp_auth_t *a);
+
+int srtp_auth_get_prefix_length(const struct srtp_auth_t *a);
+
+/*
+ * srtp_auth_test_case_t is a (list of) key/message/tag values that are
+ * known to be correct for a particular cipher.  this data can be used
+ * to test an implementation in an on-the-fly self test of the
+ * correctness of the implementation.  (see the srtp_auth_type_self_test()
+ * function below)
+ */
+typedef struct srtp_auth_test_case_t {
+    int key_length_octets;  /* octets in key            */
+    const uint8_t *key;     /* key                      */
+    int data_length_octets; /* octets in data           */
+    const uint8_t *data;    /* data                     */
+    int tag_length_octets;  /* octets in tag            */
+    const uint8_t *tag;     /* tag                      */
+    const struct srtp_auth_test_case_t
+        *next_test_case; /* pointer to next testcase */
+} srtp_auth_test_case_t;
+
+/* srtp_auth_type_t */
+typedef struct srtp_auth_type_t {
+    srtp_auth_alloc_func alloc;
+    srtp_auth_dealloc_func dealloc;
+    srtp_auth_init_func init;
+    srtp_auth_compute_func compute;
+    srtp_auth_update_func update;
+    srtp_auth_start_func start;
+    const char *description;
+    const srtp_auth_test_case_t *test_data;
+    srtp_auth_type_id_t id;
+} srtp_auth_type_t;
+
+typedef struct srtp_auth_t {
+    const srtp_auth_type_t *type;
+    void *state;
+    int out_len;    /* length of output tag in octets */
+    int key_len;    /* length of key in octets        */
+    int prefix_len; /* length of keystream prefix     */
+} srtp_auth_t;
+
+/*
+ * srtp_auth_type_self_test() tests an auth_type against test cases
+ * provided in an array of values of key/message/tag that is known to
+ * be good
+ */
+srtp_err_status_t srtp_auth_type_self_test(const srtp_auth_type_t *at);
+
+/*
+ * srtp_auth_type_test() tests an auth_type against external test cases
+ * provided in an array of values of key/message/tag that is known to
+ * be good
+ */
+srtp_err_status_t srtp_auth_type_test(const srtp_auth_type_t *at,
+                                      const srtp_auth_test_case_t *test_data);
+
+/*
+ * srtp_replace_auth_type(ct, id)
+ *
+ * replaces srtp's kernel's auth type implementation for the auth_type id
+ * with a new one passed in externally.  The new auth type must pass all the
+ * existing auth_type's self tests as well as its own.
+ */
+srtp_err_status_t srtp_replace_auth_type(const srtp_auth_type_t *ct,
+                                         srtp_auth_type_id_t id);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* SRTP_AUTH_H */
diff --git a/netwerk/srtp/src/crypto/include/cipher.h b/netwerk/srtp/src/crypto/include/cipher.h
new file mode 100644
index 0000000000..4f14e3560f
--- /dev/null
+++ b/netwerk/srtp/src/crypto/include/cipher.h
@@ -0,0 +1,248 @@
+/*
+ * cipher.h
+ *
+ * common interface to ciphers
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+/*
+ *
+ * Copyright (c) 2001-2017 Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef SRTP_CIPHER_H
+#define SRTP_CIPHER_H
+
+#include "srtp.h"
+#include "crypto_types.h" /* for values of cipher_type_id_t */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * srtp_cipher_direction_t defines a particular cipher operation.
+ *
+ * A srtp_cipher_direction_t is an enum that describes a particular cipher
+ * operation, i.e. encryption or decryption.  For some ciphers, this
+ * distinction does not matter, but for others, it is essential.
+ */
+typedef enum {
+    srtp_direction_encrypt, /**< encryption (convert plaintext to ciphertext) */
+    srtp_direction_decrypt, /**< decryption (convert ciphertext to plaintext) */
+    srtp_direction_any      /**< encryption or decryption                     */
+} srtp_cipher_direction_t;
+
+/*
+ * the srtp_cipher_pointer_t definition is needed
+ * as srtp_cipher_t is not yet defined
+ */
+typedef struct srtp_cipher_t *srtp_cipher_pointer_t;
+
+/*
+ *  a srtp_cipher_alloc_func_t allocates (but does not initialize) a
+ * srtp_cipher_t
+ */
+typedef srtp_err_status_t (*srtp_cipher_alloc_func_t)(srtp_cipher_pointer_t *cp,
+                                                      int key_len,
+                                                      int tag_len);
+
+/*
+ * a srtp_cipher_init_func_t [re-]initializes a cipher_t with a given key
+ */
+typedef srtp_err_status_t (*srtp_cipher_init_func_t)(void *state,
+                                                     const uint8_t *key);
+
+/* a srtp_cipher_dealloc_func_t de-allocates a cipher_t */
+typedef srtp_err_status_t (*srtp_cipher_dealloc_func_t)(
+    srtp_cipher_pointer_t cp);
+
+/*
+ * a srtp_cipher_set_aad_func_t processes the AAD data for AEAD ciphers
+ */
+typedef srtp_err_status_t (*srtp_cipher_set_aad_func_t)(void *state,
+                                                        const uint8_t *aad,
+                                                        uint32_t aad_len);
+
+/* a srtp_cipher_encrypt_func_t encrypts data in-place */
+typedef srtp_err_status_t (*srtp_cipher_encrypt_func_t)(
+    void *state,
+    uint8_t *buffer,
+    unsigned int *octets_to_encrypt);
+
+/* a srtp_cipher_decrypt_func_t decrypts data in-place */
+typedef srtp_err_status_t (*srtp_cipher_decrypt_func_t)(
+    void *state,
+    uint8_t *buffer,
+    unsigned int *octets_to_decrypt);
+
+/*
+ * a srtp_cipher_set_iv_func_t function sets the current initialization vector
+ */
+typedef srtp_err_status_t (*srtp_cipher_set_iv_func_t)(
+    void *state,
+    uint8_t *iv,
+    srtp_cipher_direction_t direction);
+
+/*
+ * a cipher_get_tag_func_t function is used to get the authentication
+ * tag that was calculated by an AEAD cipher.
+ */
+typedef srtp_err_status_t (*srtp_cipher_get_tag_func_t)(void *state,
+                                                        uint8_t *tag,
+                                                        uint32_t *len);
+
+/*
+ * srtp_cipher_test_case_t is a (list of) key, salt, plaintext, ciphertext,
+ * and aad values that are known to be correct for a
+ * particular cipher.  this data can be used to test an implementation
+ * in an on-the-fly self test of the correctness of the implementation.
+ * (see the srtp_cipher_type_self_test() function below)
+ */
+typedef struct srtp_cipher_test_case_t {
+    int key_length_octets;                 /* octets in key            */
+    const uint8_t *key;                    /* key                      */
+    uint8_t *idx;                          /* packet index             */
+    unsigned int plaintext_length_octets;  /* octets in plaintext      */
+    const uint8_t *plaintext;              /* plaintext                */
+    unsigned int ciphertext_length_octets; /* octets in plaintext      */
+    const uint8_t *ciphertext;             /* ciphertext               */
+    int aad_length_octets;                 /* octets in AAD            */
+    const uint8_t *aad;                    /* AAD                      */
+    int tag_length_octets;                 /* Length of AEAD tag       */
+    const struct srtp_cipher_test_case_t
+        *next_test_case; /* pointer to next testcase */
+} srtp_cipher_test_case_t;
+
+/* srtp_cipher_type_t defines the 'metadata' for a particular cipher type */
+typedef struct srtp_cipher_type_t {
+    srtp_cipher_alloc_func_t alloc;
+    srtp_cipher_dealloc_func_t dealloc;
+    srtp_cipher_init_func_t init;
+    srtp_cipher_set_aad_func_t set_aad;
+    srtp_cipher_encrypt_func_t encrypt;
+    srtp_cipher_encrypt_func_t decrypt;
+    srtp_cipher_set_iv_func_t set_iv;
+    srtp_cipher_get_tag_func_t get_tag;
+    const char *description;
+    const srtp_cipher_test_case_t *test_data;
+    srtp_cipher_type_id_t id;
+} srtp_cipher_type_t;
+
+/*
+ * srtp_cipher_t defines an instantiation of a particular cipher, with fixed
+ * key length, key and salt values
+ */
+typedef struct srtp_cipher_t {
+    const srtp_cipher_type_t *type;
+    void *state;
+    int key_len;
+    int algorithm;
+} srtp_cipher_t;
+
+/* some bookkeeping functions */
+int srtp_cipher_get_key_length(const srtp_cipher_t *c);
+
+/*
+ * srtp_cipher_type_self_test() tests a cipher against test cases provided in
+ * an array of values of key/srtp_xtd_seq_num_t/plaintext/ciphertext
+ * that is known to be good
+ */
+srtp_err_status_t srtp_cipher_type_self_test(const srtp_cipher_type_t *ct);
+
+/*
+ * srtp_cipher_type_test() tests a cipher against external test cases provided
+ * in
+ * an array of values of key/srtp_xtd_seq_num_t/plaintext/ciphertext
+ * that is known to be good
+ */
+srtp_err_status_t srtp_cipher_type_test(
+    const srtp_cipher_type_t *ct,
+    const srtp_cipher_test_case_t *test_data);
+
+/*
+ * srtp_cipher_bits_per_second(c, l, t) computes (an estimate of) the
+ * number of bits that a cipher implementation can encrypt in a second
+ *
+ * c is a cipher (which MUST be allocated and initialized already), l
+ * is the length in octets of the test data to be encrypted, and t is
+ * the number of trials
+ *
+ * if an error is encountered, then the value 0 is returned
+ */
+uint64_t srtp_cipher_bits_per_second(srtp_cipher_t *c,
+                                     int octets_in_buffer,
+                                     int num_trials);
+
+srtp_err_status_t srtp_cipher_type_alloc(const srtp_cipher_type_t *ct,
+                                         srtp_cipher_t **c,
+                                         int key_len,
+                                         int tlen);
+srtp_err_status_t srtp_cipher_dealloc(srtp_cipher_t *c);
+srtp_err_status_t srtp_cipher_init(srtp_cipher_t *c, const uint8_t *key);
+srtp_err_status_t srtp_cipher_set_iv(srtp_cipher_t *c,
+                                     uint8_t *iv,
+                                     int direction);
+srtp_err_status_t srtp_cipher_output(srtp_cipher_t *c,
+                                     uint8_t *buffer,
+                                     uint32_t *num_octets_to_output);
+srtp_err_status_t srtp_cipher_encrypt(srtp_cipher_t *c,
+                                      uint8_t *buffer,
+                                      uint32_t *num_octets_to_output);
+srtp_err_status_t srtp_cipher_decrypt(srtp_cipher_t *c,
+                                      uint8_t *buffer,
+                                      uint32_t *num_octets_to_output);
+srtp_err_status_t srtp_cipher_get_tag(srtp_cipher_t *c,
+                                      uint8_t *buffer,
+                                      uint32_t *tag_len);
+srtp_err_status_t srtp_cipher_set_aad(srtp_cipher_t *c,
+                                      const uint8_t *aad,
+                                      uint32_t aad_len);
+
+/*
+ * srtp_replace_cipher_type(ct, id)
+ *
+ * replaces srtp's existing cipher implementation for the cipher_type id
+ * with a new one passed in externally.  The new cipher must pass all the
+ * existing cipher_type's self tests as well as its own.
+ */
+srtp_err_status_t srtp_replace_cipher_type(const srtp_cipher_type_t *ct,
+                                           srtp_cipher_type_id_t id);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* SRTP_CIPHER_H */
diff --git a/netwerk/srtp/src/crypto/include/cipher_types.h b/netwerk/srtp/src/crypto/include/cipher_types.h
new file mode 100644
index 0000000000..18f0328fbb
--- /dev/null
+++ b/netwerk/srtp/src/crypto/include/cipher_types.h
@@ -0,0 +1,84 @@
+/*
+ *
+ * Copyright(c) 2001-2017 Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef CIHPER_TYPES_H
+#define CIHPER_TYPES_H
+
+#include "cipher.h"
+#include "auth.h"
+
+/*
+ * cipher types that can be included in the kernel
+ */
+
+extern const srtp_cipher_type_t srtp_null_cipher;
+extern const srtp_cipher_type_t srtp_aes_icm_128;
+extern const srtp_cipher_type_t srtp_aes_icm_256;
+#ifdef GCM
+extern const srtp_cipher_type_t srtp_aes_icm_192;
+extern const srtp_cipher_type_t srtp_aes_gcm_128;
+extern const srtp_cipher_type_t srtp_aes_gcm_256;
+#endif
+
+/*
+ * auth func types that can be included in the kernel
+ */
+
+extern const srtp_auth_type_t srtp_null_auth;
+extern const srtp_auth_type_t srtp_hmac;
+
+/*
+ * other generic debug modules that can be included in the kernel
+ */
+
+extern srtp_debug_module_t srtp_mod_auth;
+extern srtp_debug_module_t srtp_mod_cipher;
+extern srtp_debug_module_t srtp_mod_stat;
+extern srtp_debug_module_t srtp_mod_alloc;
+
+/* debug modules for cipher types */
+extern srtp_debug_module_t srtp_mod_aes_icm;
+#ifdef OPENSSL
+extern srtp_debug_module_t srtp_mod_aes_gcm;
+#endif
+#ifdef NSS
+extern srtp_debug_module_t srtp_mod_aes_gcm;
+#endif
+
+/* debug modules for auth types */
+extern srtp_debug_module_t srtp_mod_hmac;
+
+#endif
diff --git a/netwerk/srtp/src/crypto/include/crypto_kernel.h b/netwerk/srtp/src/crypto/include/crypto_kernel.h
new file mode 100644
index 0000000000..1f8dfa7712
--- /dev/null
+++ b/netwerk/srtp/src/crypto/include/crypto_kernel.h
@@ -0,0 +1,215 @@
+/*
+ * crypto_kernel.h
+ *
+ * header for the cryptographic kernel
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+/*
+ *
+ * Copyright(c) 2001-2017 Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef CRYPTO_KERNEL
+#define CRYPTO_KERNEL
+
+#include "cipher.h"
+#include "auth.h"
+#include "err.h"
+#include "crypto_types.h"
+#include "key.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * crypto_kernel_state_t defines the possible states:
+ *
+ *    insecure - not yet initialized
+ *    secure   - initialized and passed self-tests
+ */
+typedef enum {
+    srtp_crypto_kernel_state_insecure,
+    srtp_crypto_kernel_state_secure
+} srtp_crypto_kernel_state_t;
+
+/*
+ * linked list of cipher types
+ */
+typedef struct srtp_kernel_cipher_type {
+    srtp_cipher_type_id_t id;
+    const srtp_cipher_type_t *cipher_type;
+    struct srtp_kernel_cipher_type *next;
+} srtp_kernel_cipher_type_t;
+
+/*
+ * linked list of auth types
+ */
+typedef struct srtp_kernel_auth_type {
+    srtp_auth_type_id_t id;
+    const srtp_auth_type_t *auth_type;
+    struct srtp_kernel_auth_type *next;
+} srtp_kernel_auth_type_t;
+
+/*
+ * linked list of debug modules
+ */
+typedef struct srtp_kernel_debug_module {
+    srtp_debug_module_t *mod;
+    struct srtp_kernel_debug_module *next;
+} srtp_kernel_debug_module_t;
+
+/*
+ * crypto_kernel_t is the data structure for the crypto kernel
+ *
+ * note that there is *exactly one* instance of this data type,
+ * a global variable defined in crypto_kernel.c
+ */
+typedef struct {
+    srtp_crypto_kernel_state_t state; /* current state of kernel     */
+    srtp_kernel_cipher_type_t *cipher_type_list; /* list of all cipher types */
+    srtp_kernel_auth_type_t *auth_type_list; /* list of all auth func types */
+    srtp_kernel_debug_module_t
+        *debug_module_list; /* list of all debug modules   */
+} srtp_crypto_kernel_t;
+
+/*
+ * srtp_crypto_kernel_t external api
+ */
+
+/*
+ * The function srtp_crypto_kernel_init() initialized the crypto kernel and
+ * runs the self-test operations on the random number generators and
+ * crypto algorithms.  Possible return values are:
+ *
+ *    srtp_err_status_ok    initialization successful
+ *    <other>               init failure
+ *
+ * If any value other than srtp_err_status_ok is returned, the
+ * crypto_kernel MUST NOT be used.
+ */
+srtp_err_status_t srtp_crypto_kernel_init(void);
+
+/*
+ * The function srtp_crypto_kernel_shutdown() de-initializes the
+ * crypto_kernel, zeroizes keys and other cryptographic material, and
+ * deallocates any dynamically allocated memory.  Possible return
+ * values are:
+ *
+ *    srtp_err_status_ok     shutdown successful
+ *    <other>                shutdown failure
+ *
+ */
+srtp_err_status_t srtp_crypto_kernel_shutdown(void);
+
+/*
+ * The function srtp_crypto_kernel_stats() checks the the crypto_kernel,
+ * running tests on the ciphers, auth funcs, and rng, and prints out a
+ * status report.  Possible return values are:
+ *
+ *    srtp_err_status_ok     all tests were passed
+ *    <other>                a test failed
+ *
+ */
+srtp_err_status_t srtp_crypto_kernel_status(void);
+
+/*
+ * srtp_crypto_kernel_list_debug_modules() outputs a list of debugging modules
+ *
+ */
+srtp_err_status_t srtp_crypto_kernel_list_debug_modules(void);
+
+/*
+ * srtp_crypto_kernel_load_cipher_type()
+ *
+ */
+srtp_err_status_t srtp_crypto_kernel_load_cipher_type(
+    const srtp_cipher_type_t *ct,
+    srtp_cipher_type_id_t id);
+
+srtp_err_status_t srtp_crypto_kernel_load_auth_type(const srtp_auth_type_t *ct,
+                                                    srtp_auth_type_id_t id);
+
+srtp_err_status_t srtp_crypto_kernel_load_debug_module(
+    srtp_debug_module_t *new_dm);
+
+/*
+ * srtp_crypto_kernel_alloc_cipher(id, cp, key_len);
+ *
+ * allocates a cipher of type id at location *cp, with key length
+ * key_len octets.  Return values are:
+ *
+ *    srtp_err_status_ok           no problems
+ *    srtp_err_status_alloc_fail   an allocation failure occured
+ *    srtp_err_status_fail         couldn't find cipher with identifier 'id'
+ */
+srtp_err_status_t srtp_crypto_kernel_alloc_cipher(srtp_cipher_type_id_t id,
+                                                  srtp_cipher_pointer_t *cp,
+                                                  int key_len,
+                                                  int tag_len);
+
+/*
+ * srtp_crypto_kernel_alloc_auth(id, ap, key_len, tag_len);
+ *
+ * allocates an auth function of type id at location *ap, with key
+ * length key_len octets and output tag length of tag_len.  Return
+ * values are:
+ *
+ *    srtp_err_status_ok           no problems
+ *    srtp_err_status_alloc_fail   an allocation failure occured
+ *    srtp_err_status_fail         couldn't find auth with identifier 'id'
+ */
+srtp_err_status_t srtp_crypto_kernel_alloc_auth(srtp_auth_type_id_t id,
+                                                srtp_auth_pointer_t *ap,
+                                                int key_len,
+                                                int tag_len);
+
+/*
+ * srtp_crypto_kernel_set_debug_module(mod_name, v)
+ *
+ * sets dynamic debugging to the value v (0 for off, 1 for on) for the
+ * debug module with the name mod_name
+ *
+ * returns srtp_err_status_ok on success, srtp_err_status_fail otherwise
+ */
+srtp_err_status_t srtp_crypto_kernel_set_debug_module(const char *mod_name,
+                                                      int v);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* CRYPTO_KERNEL */
diff --git a/netwerk/srtp/src/crypto/include/crypto_types.h b/netwerk/srtp/src/crypto/include/crypto_types.h
new file mode 100644
index 0000000000..7fd3178b0b
--- /dev/null
+++ b/netwerk/srtp/src/crypto/include/crypto_types.h
@@ -0,0 +1,116 @@
+/*
+ * crypto_types.h
+ *
+ * constants for cipher types and auth func types
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+/*
+ *
+ * Copyright(c) 2001-2017 Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef SRTP_CRYPTO_TYPES_H
+#define SRTP_CRYPTO_TYPES_H
+
+/*
+ * The null cipher performs no encryption.
+ *
+ * The SRTP_NULL_CIPHER leaves its inputs unaltered, during both the
+ * encryption and decryption operations.  This cipher can be chosen
+ * to indicate that no encryption is to be performed.
+ */
+#define SRTP_NULL_CIPHER 0
+
+/*
+ * AES-128 Integer Counter Mode (AES ICM)
+ *
+ * AES-128 ICM is the variant of counter mode that is used by
+ * Secure RTP.  This cipher uses a 16-octet key concatenated with a
+ * 14-octet offset (or salt) value.
+ */
+#define SRTP_AES_ICM_128 1
+
+/*
+ * AES-192 Integer Counter Mode (AES ICM)
+ *
+ * AES-128 ICM is the variant of counter mode that is used by
+ * Secure RTP.  This cipher uses a 24-octet key concatenated with a
+ * 14-octet offset (or salt) value.
+ */
+#define SRTP_AES_ICM_192 4
+
+/*
+ * AES-256 Integer Counter Mode (AES ICM)
+ *
+ * AES-128 ICM is the variant of counter mode that is used by
+ * Secure RTP.  This cipher uses a 32-octet key concatenated with a
+ * 14-octet offset (or salt) value.
+ */
+#define SRTP_AES_ICM_256 5
+
+/*
+ * AES-128_GCM Galois Counter Mode (AES GCM)
+ *
+ * AES-128 GCM is the variant of galois counter mode that is used by
+ * Secure RTP.  This cipher uses a 16-octet key.
+ */
+#define SRTP_AES_GCM_128 6
+
+/*
+ * AES-256_GCM Galois Counter Mode (AES GCM)
+ *
+ * AES-256 GCM is the variant of galois counter mode that is used by
+ * Secure RTP.  This cipher uses a 32-octet key.
+ */
+#define SRTP_AES_GCM_256 7
+
+/*
+ * The null authentication function performs no authentication.
+ *
+ * The NULL_AUTH function does nothing, and can be selected to indicate
+ * that authentication should not be performed.
+ */
+#define SRTP_NULL_AUTH 0
+
+/*
+ * HMAC-SHA1
+ *
+ * SRTP_HMAC_SHA1 implements the Hash-based MAC using the NIST Secure
+ * Hash Algorithm version 1 (SHA1).
+ */
+#define SRTP_HMAC_SHA1 3
+
+#endif /* SRTP_CRYPTO_TYPES_H */
diff --git a/netwerk/srtp/src/crypto/include/datatypes.h b/netwerk/srtp/src/crypto/include/datatypes.h
new file mode 100644
index 0000000000..182cca25b9
--- /dev/null
+++ b/netwerk/srtp/src/crypto/include/datatypes.h
@@ -0,0 +1,378 @@
+/*
+ * datatypes.h
+ *
+ * data types for bit vectors and finite fields
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+
+/*
+ *
+ * Copyright (c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef DATATYPES_H
+#define DATATYPES_H
+
+#include "integers.h" /* definitions of uint32_t, et cetera   */
+#include "alloc.h"
+
+#include <stdarg.h>
+
+#include <stdio.h>
+#include <string.h>
+#include <time.h>
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#elif defined HAVE_WINSOCK2_H
+#include <winsock2.h>
+#else
+#error "Platform not recognized"
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* if DATATYPES_USE_MACROS is defined, then little functions are macros */
+#define DATATYPES_USE_MACROS
+
+typedef union {
+    uint8_t v8[2];
+    uint16_t value;
+} v16_t;
+
+typedef union {
+    uint8_t v8[4];
+    uint16_t v16[2];
+    uint32_t value;
+} v32_t;
+
+typedef union {
+    uint8_t v8[8];
+    uint16_t v16[4];
+    uint32_t v32[2];
+    uint64_t value;
+} v64_t;
+
+typedef union {
+    uint8_t v8[16];
+    uint16_t v16[8];
+    uint32_t v32[4];
+    uint64_t v64[2];
+} v128_t;
+
+typedef union {
+    uint8_t v8[32];
+    uint16_t v16[16];
+    uint32_t v32[8];
+    uint64_t v64[4];
+} v256_t;
+
+/* some useful and simple math functions */
+
+#define pow_2(X) ((unsigned int)1 << (X)) /* 2^X     */
+
+#define pow_minus_one(X) ((X) ? -1 : 1) /* (-1)^X  */
+
+/*
+ * octet_get_weight(x) returns the hamming weight (number of bits equal to
+ * one) in the octet x
+ */
+
+int octet_get_weight(uint8_t octet);
+
+#define MAX_PRINT_STRING_LEN 1024
+
+char *srtp_octet_string_hex_string(const void *str, int length);
+
+char *v128_bit_string(v128_t *x);
+
+char *v128_hex_string(v128_t *x);
+
+void v128_copy_octet_string(v128_t *x, const uint8_t s[16]);
+
+void v128_left_shift(v128_t *x, int shift_index);
+
+void v128_right_shift(v128_t *x, int shift_index);
+
+/*
+ * the following macros define the data manipulation functions
+ *
+ * If DATATYPES_USE_MACROS is defined, then these macros are used
+ * directly (and function call overhead is avoided).  Otherwise,
+ * the macros are used through the functions defined in datatypes.c
+ * (and the compiler provides better warnings).
+ */
+
+#define _v128_set_to_zero(x)                                                   \
+    ((x)->v32[0] = 0, (x)->v32[1] = 0, (x)->v32[2] = 0, (x)->v32[3] = 0)
+
+#define _v128_copy(x, y)                                                       \
+    ((x)->v32[0] = (y)->v32[0], (x)->v32[1] = (y)->v32[1],                     \
+     (x)->v32[2] = (y)->v32[2], (x)->v32[3] = (y)->v32[3])
+
+#define _v128_xor(z, x, y)                                                     \
+    ((z)->v32[0] = (x)->v32[0] ^ (y)->v32[0],                                  \
+     (z)->v32[1] = (x)->v32[1] ^ (y)->v32[1],                                  \
+     (z)->v32[2] = (x)->v32[2] ^ (y)->v32[2],                                  \
+     (z)->v32[3] = (x)->v32[3] ^ (y)->v32[3])
+
+#define _v128_and(z, x, y)                                                     \
+    ((z)->v32[0] = (x)->v32[0] & (y)->v32[0],                                  \
+     (z)->v32[1] = (x)->v32[1] & (y)->v32[1],                                  \
+     (z)->v32[2] = (x)->v32[2] & (y)->v32[2],                                  \
+     (z)->v32[3] = (x)->v32[3] & (y)->v32[3])
+
+#define _v128_or(z, x, y)                                                      \
+    ((z)->v32[0] = (x)->v32[0] | (y)->v32[0],                                  \
+     (z)->v32[1] = (x)->v32[1] | (y)->v32[1],                                  \
+     (z)->v32[2] = (x)->v32[2] | (y)->v32[2],                                  \
+     (z)->v32[3] = (x)->v32[3] | (y)->v32[3])
+
+#define _v128_complement(x)                                                    \
+    ((x)->v32[0] = ~(x)->v32[0], (x)->v32[1] = ~(x)->v32[1],                   \
+     (x)->v32[2] = ~(x)->v32[2], (x)->v32[3] = ~(x)->v32[3])
+
+/* ok for NO_64BIT_MATH if it can compare uint64_t's (even as structures) */
+#define _v128_is_eq(x, y)                                                      \
+    (((x)->v64[0] == (y)->v64[0]) && ((x)->v64[1] == (y)->v64[1]))
+
+#ifdef NO_64BIT_MATH
+#define _v128_xor_eq(z, x)                                                     \
+    ((z)->v32[0] ^= (x)->v32[0], (z)->v32[1] ^= (x)->v32[1],                   \
+     (z)->v32[2] ^= (x)->v32[2], (z)->v32[3] ^= (x)->v32[3])
+#else
+#define _v128_xor_eq(z, x)                                                     \
+    ((z)->v64[0] ^= (x)->v64[0], (z)->v64[1] ^= (x)->v64[1])
+#endif
+
+/* NOTE!  This assumes an odd ordering! */
+/* This will not be compatible directly with math on some processors */
+/* bit 0 is first 32-bit word, low order bit. in little-endian, that's
+   the first byte of the first 32-bit word.  In big-endian, that's
+   the 3rd byte of the first 32-bit word */
+/* The get/set bit code is used by the replay code ONLY, and it doesn't
+   really care which bit is which.  AES does care which bit is which, but
+   doesn't use the 128-bit get/set or 128-bit shifts  */
+
+#define _v128_get_bit(x, bit) (((((x)->v32[(bit) >> 5]) >> ((bit)&31)) & 1))
+
+#define _v128_set_bit(x, bit)                                                  \
+    ((((x)->v32[(bit) >> 5]) |= ((uint32_t)1 << ((bit)&31))))
+
+#define _v128_clear_bit(x, bit)                                                \
+    ((((x)->v32[(bit) >> 5]) &= ~((uint32_t)1 << ((bit)&31))))
+
+#define _v128_set_bit_to(x, bit, value)                                        \
+    ((value) ? _v128_set_bit(x, bit) : _v128_clear_bit(x, bit))
+
+#ifdef DATATYPES_USE_MACROS /* little functions are really macros */
+
+#define v128_set_to_zero(z) _v128_set_to_zero(z)
+#define v128_copy(z, x) _v128_copy(z, x)
+#define v128_xor(z, x, y) _v128_xor(z, x, y)
+#define v128_and(z, x, y) _v128_and(z, x, y)
+#define v128_or(z, x, y) _v128_or(z, x, y)
+#define v128_complement(x) _v128_complement(x)
+#define v128_is_eq(x, y) _v128_is_eq(x, y)
+#define v128_xor_eq(x, y) _v128_xor_eq(x, y)
+#define v128_get_bit(x, i) _v128_get_bit(x, i)
+#define v128_set_bit(x, i) _v128_set_bit(x, i)
+#define v128_clear_bit(x, i) _v128_clear_bit(x, i)
+#define v128_set_bit_to(x, i, y) _v128_set_bit_to(x, i, y)
+
+#else
+
+void v128_set_to_zero(v128_t *x);
+
+int v128_is_eq(const v128_t *x, const v128_t *y);
+
+void v128_copy(v128_t *x, const v128_t *y);
+
+void v128_xor(v128_t *z, v128_t *x, v128_t *y);
+
+void v128_and(v128_t *z, v128_t *x, v128_t *y);
+
+void v128_or(v128_t *z, v128_t *x, v128_t *y);
+
+void v128_complement(v128_t *x);
+
+int v128_get_bit(const v128_t *x, int i);
+
+void v128_set_bit(v128_t *x, int i);
+
+void v128_clear_bit(v128_t *x, int i);
+
+void v128_set_bit_to(v128_t *x, int i, int y);
+
+#endif /* DATATYPES_USE_MACROS */
+
+/*
+ * octet_string_is_eq(a, b, len) returns 1 if the length len strings a
+ * and b are not equal. It returns 0 otherwise. The running time of the
+ * comparison depends only on len, making this safe to use for (e.g.)
+ * verifying authentication tags.
+ */
+
+int octet_string_is_eq(uint8_t *a, uint8_t *b, int len);
+
+/*
+ * A portable way to zero out memory as recommended by
+ * https://cryptocoding.net/index.php/Coding_rules#Clean_memory_of_secret_data
+ * This is used to zero memory when OPENSSL_cleanse() is not available.
+ */
+void srtp_cleanse(void *s, size_t len);
+
+/*
+ * Functions as a wrapper that delegates to either srtp_cleanse() or
+ * OPENSSL_cleanse() if available to zero memory.
+ */
+void octet_string_set_to_zero(void *s, size_t len);
+
+#if defined(HAVE_CONFIG_H)
+
+/*
+ * Convert big endian integers to CPU byte order.
+ */
+#ifdef WORDS_BIGENDIAN
+/* Nothing to do. */
+#define be32_to_cpu(x) (x)
+#define be64_to_cpu(x) (x)
+#elif defined(HAVE_BYTESWAP_H)
+/* We have (hopefully) optimized versions in byteswap.h */
+#include <byteswap.h>
+#define be32_to_cpu(x) bswap_32((x))
+#define be64_to_cpu(x) bswap_64((x))
+#else /* WORDS_BIGENDIAN */
+
+#if defined(__GNUC__) && defined(HAVE_X86)
+/* Fall back. */
+static inline uint32_t be32_to_cpu(uint32_t v)
+{
+    /* optimized for x86. */
+    asm("bswap %0" : "=r"(v) : "0"(v));
+    return v;
+}
+#else /* HAVE_X86 */
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#elif defined HAVE_WINSOCK2_H
+#include <winsock2.h>
+#endif /* HAVE_NETINET_IN_H */
+#define be32_to_cpu(x) ntohl((x))
+#endif /* HAVE_X86 */
+
+static inline uint64_t be64_to_cpu(uint64_t v)
+{
+#ifdef NO_64BIT_MATH
+    /* use the make64 functions to do 64-bit math */
+    v = make64(htonl(low32(v)), htonl(high32(v)));
+#else  /* NO_64BIT_MATH */
+    /* use the native 64-bit math */
+    v = (uint64_t)((be32_to_cpu((uint32_t)(v >> 32))) |
+                   (((uint64_t)be32_to_cpu((uint32_t)v)) << 32));
+#endif /* NO_64BIT_MATH */
+    return v;
+}
+
+#endif /* WORDS_BIGENDIAN */
+
+#endif /* HAVE_CONFIG_H */
+
+/*
+ * functions manipulating bitvector_t
+ *
+ * A bitvector_t consists of an array of words and an integer
+ * representing the number of significant bits stored in the array.
+ * The bits are packed as follows: the least significant bit is that
+ * of word[0], while the most significant bit is the nth most
+ * significant bit of word[m], where length = bits_per_word * m + n.
+ *
+ */
+
+#define bits_per_word 32
+#define bytes_per_word 4
+
+typedef struct {
+    uint32_t length;
+    uint32_t *word;
+} bitvector_t;
+
+#define _bitvector_get_bit(v, bit_index)                                       \
+    (((((v)->word[((bit_index) >> 5)]) >> ((bit_index)&31)) & 1))
+
+#define _bitvector_set_bit(v, bit_index)                                       \
+    ((((v)->word[((bit_index) >> 5)] |= ((uint32_t)1 << ((bit_index)&31)))))
+
+#define _bitvector_clear_bit(v, bit_index)                                     \
+    ((((v)->word[((bit_index) >> 5)] &= ~((uint32_t)1 << ((bit_index)&31)))))
+
+#define _bitvector_get_length(v) (((v)->length))
+
+#ifdef DATATYPES_USE_MACROS /* little functions are really macros */
+
+#define bitvector_get_bit(v, bit_index) _bitvector_get_bit(v, bit_index)
+#define bitvector_set_bit(v, bit_index) _bitvector_set_bit(v, bit_index)
+#define bitvector_clear_bit(v, bit_index) _bitvector_clear_bit(v, bit_index)
+#define bitvector_get_length(v) _bitvector_get_length(v)
+
+#else
+
+int bitvector_get_bit(const bitvector_t *v, int bit_index);
+
+void bitvector_set_bit(bitvector_t *v, int bit_index);
+
+void bitvector_clear_bit(bitvector_t *v, int bit_index);
+
+unsigned long bitvector_get_length(const bitvector_t *v);
+
+#endif
+
+int bitvector_alloc(bitvector_t *v, unsigned long length);
+
+void bitvector_dealloc(bitvector_t *v);
+
+void bitvector_set_to_zero(bitvector_t *x);
+
+void bitvector_left_shift(bitvector_t *x, int index);
+
+char *bitvector_bit_string(bitvector_t *x, char *buf, int len);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* DATATYPES_H */
diff --git a/netwerk/srtp/src/crypto/include/err.h b/netwerk/srtp/src/crypto/include/err.h
new file mode 100644
index 0000000000..66a1023ec8
--- /dev/null
+++ b/netwerk/srtp/src/crypto/include/err.h
@@ -0,0 +1,134 @@
+/*
+ * err.h
+ *
+ * error status codes
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+/*
+ *
+ * Copyright (c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef ERR_H
+#define ERR_H
+
+#include <stdio.h>
+#include <stdarg.h>
+#include "srtp.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * @defgroup Error Error Codes
+ *
+ * Error status codes are represented by the enumeration srtp_err_status_t.
+ *
+ * @{
+ */
+
+/**
+ * @}
+ */
+
+typedef enum {
+    srtp_err_level_error,
+    srtp_err_level_warning,
+    srtp_err_level_info,
+    srtp_err_level_debug
+} srtp_err_reporting_level_t;
+
+/*
+ * err_reporting_init prepares the error system.  If
+ * ERR_REPORTING_STDOUT is defined, it will log to stdout.
+ *
+ */
+
+srtp_err_status_t srtp_err_reporting_init(void);
+
+typedef void(srtp_err_report_handler_func_t)(srtp_err_reporting_level_t level,
+                                             const char *msg);
+
+srtp_err_status_t srtp_install_err_report_handler(
+    srtp_err_report_handler_func_t func);
+
+/*
+ * srtp_err_report reports a 'printf' formatted error
+ * string, followed by a an arg list.  The level argument
+ * is one of srtp_err_reporting_level_t.
+ *
+ * Errors will be reported to stdout, if ERR_REPORTING_STDOUT
+ * is defined.
+ *
+ */
+
+void srtp_err_report(srtp_err_reporting_level_t level, const char *format, ...);
+
+/*
+ * debug_module_t defines a debug module
+ */
+
+typedef struct {
+    int on;           /* 1 if debugging is on, 0 if it is off */
+    const char *name; /* printable name for debug module      */
+} srtp_debug_module_t;
+
+#ifdef ENABLE_DEBUG_LOGGING
+
+#define debug_print(mod, format, arg)                                          \
+    srtp_err_report(srtp_err_level_debug, ("%s: " format "\n"), mod.name, arg)
+#define debug_print2(mod, format, arg1, arg2)                                  \
+    srtp_err_report(srtp_err_level_debug, ("%s: " format "\n"), mod.name,      \
+                    arg1, arg2)
+
+#else
+
+#define debug_print(mod, format, arg)                                          \
+    if (mod.on)                                                                \
+    srtp_err_report(srtp_err_level_debug, ("%s: " format "\n"), mod.name, arg)
+#define debug_print2(mod, format, arg1, arg2)                                  \
+    if (mod.on)                                                                \
+    srtp_err_report(srtp_err_level_debug, ("%s: " format "\n"), mod.name,      \
+                    arg1, arg2)
+
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* ERR_H */
diff --git a/netwerk/srtp/src/crypto/include/hmac.h b/netwerk/srtp/src/crypto/include/hmac.h
new file mode 100644
index 0000000000..148818122c
--- /dev/null
+++ b/netwerk/srtp/src/crypto/include/hmac.h
@@ -0,0 +1,58 @@
+/*
+ * hmac.h
+ *
+ * interface to hmac srtp_auth_type_t
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ *
+ */
+/*
+ *
+ * Copyright (c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef HMAC_H
+#define HMAC_H
+
+#include "auth.h"
+#include "sha1.h"
+
+typedef struct {
+    uint8_t opad[64];
+    srtp_sha1_ctx_t ctx;
+    srtp_sha1_ctx_t init_ctx;
+} srtp_hmac_ctx_t;
+
+#endif /* HMAC_H */
diff --git a/netwerk/srtp/src/crypto/include/integers.h b/netwerk/srtp/src/crypto/include/integers.h
new file mode 100644
index 0000000000..f2cd7c064d
--- /dev/null
+++ b/netwerk/srtp/src/crypto/include/integers.h
@@ -0,0 +1,146 @@
+/*
+ * integers.h
+ *
+ * defines integer types (or refers to their definitions)
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+
+/*
+ *
+ * Copyright (c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef INTEGERS_H
+#define INTEGERS_H
+
+/* use standard integer definitions, if they're available  */
+#ifdef HAVE_STDLIB_H
+#include <stdlib.h>
+#endif
+#ifdef HAVE_STDINT_H
+#include <stdint.h>
+#endif
+#ifdef HAVE_INTTYPES_H
+#include <inttypes.h>
+#endif
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_SYS_INT_TYPES_H
+#include <sys/int_types.h> /* this exists on Sun OS */
+#endif
+#ifdef HAVE_MACHINE_TYPES_H
+#include <machine/types.h>
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Can we do 64 bit integers? */
+#if !defined(HAVE_UINT64_T)
+#if SIZEOF_UNSIGNED_LONG == 8
+typedef unsigned long uint64_t;
+#elif SIZEOF_UNSIGNED_LONG_LONG == 8
+typedef unsigned long long uint64_t;
+#else
+#define NO_64BIT_MATH 1
+#endif
+#endif
+
+/* Reasonable defaults for 32 bit machines - you may need to
+ * edit these definitions for your own machine. */
+#ifndef HAVE_UINT8_T
+typedef unsigned char uint8_t;
+#endif
+#ifndef HAVE_UINT16_T
+typedef unsigned short int uint16_t;
+#endif
+#ifndef HAVE_UINT32_T
+typedef unsigned int uint32_t;
+#endif
+#ifndef HAVE_INT32_T
+typedef int int32_t;
+#endif
+
+#if defined(NO_64BIT_MATH) && defined(HAVE_CONFIG_H)
+typedef double uint64_t;
+/* assert that sizeof(double) == 8 */
+extern uint64_t make64(uint32_t high, uint32_t low);
+extern uint32_t high32(uint64_t value);
+extern uint32_t low32(uint64_t value);
+#endif
+
+/* These macros are to load and store 32-bit values from un-aligned
+   addresses.  This is required for processors that do not allow unaligned
+   loads. */
+#ifdef ALIGNMENT_32BIT_REQUIRED
+/* Note that if it's in a variable, you can memcpy it */
+#ifdef WORDS_BIGENDIAN
+#define PUT_32(addr, value)                                                    \
+    {                                                                          \
+        ((unsigned char *)(addr))[0] = (value >> 24);                          \
+        ((unsigned char *)(addr))[1] = (value >> 16) & 0xff;                   \
+        ((unsigned char *)(addr))[2] = (value >> 8) & 0xff;                    \
+        ((unsigned char *)(addr))[3] = (value)&0xff;                           \
+    }
+#define GET_32(addr)                                                           \
+    ((((unsigned char *)(addr))[0] << 24) |                                    \
+     (((unsigned char *)(addr))[1] << 16) |                                    \
+     (((unsigned char *)(addr))[2] << 8) | (((unsigned char *)(addr))[3]))
+#else
+#define PUT_32(addr, value)                                                    \
+    {                                                                          \
+        ((unsigned char *)(addr))[3] = (value >> 24);                          \
+        ((unsigned char *)(addr))[2] = (value >> 16) & 0xff;                   \
+        ((unsigned char *)(addr))[1] = (value >> 8) & 0xff;                    \
+        ((unsigned char *)(addr))[0] = (value)&0xff;                           \
+    }
+#define GET_32(addr)                                                           \
+    ((((unsigned char *)(addr))[3] << 24) |                                    \
+     (((unsigned char *)(addr))[2] << 16) |                                    \
+     (((unsigned char *)(addr))[1] << 8) | (((unsigned char *)(addr))[0]))
+#endif // WORDS_BIGENDIAN
+#else
+#define PUT_32(addr, value) *(((uint32_t *) (addr)) = (value)
+#define GET_32(addr) (*(((uint32_t *) (addr)))
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* INTEGERS_H */
diff --git a/netwerk/srtp/src/crypto/include/key.h b/netwerk/srtp/src/crypto/include/key.h
new file mode 100644
index 0000000000..3498114b05
--- /dev/null
+++ b/netwerk/srtp/src/crypto/include/key.h
@@ -0,0 +1,88 @@
+/*
+ * key.h
+ *
+ * key usage limits enforcement
+ *
+ * David A. Mcgrew
+ * Cisco Systems, Inc.
+ */
+/*
+ *
+ * Copyright (c) 2001-2017 Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef KEY_H
+#define KEY_H
+
+#include "rdbx.h" /* for srtp_xtd_seq_num_t */
+#include "err.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct srtp_key_limit_ctx_t *srtp_key_limit_t;
+
+typedef enum {
+    srtp_key_event_normal,
+    srtp_key_event_soft_limit,
+    srtp_key_event_hard_limit
+} srtp_key_event_t;
+
+srtp_err_status_t srtp_key_limit_set(srtp_key_limit_t key,
+                                     const srtp_xtd_seq_num_t s);
+
+srtp_err_status_t srtp_key_limit_clone(srtp_key_limit_t original,
+                                       srtp_key_limit_t *new_key);
+
+srtp_err_status_t srtp_key_limit_check(const srtp_key_limit_t key);
+
+srtp_key_event_t srtp_key_limit_update(srtp_key_limit_t key);
+
+typedef enum {
+    srtp_key_state_normal,
+    srtp_key_state_past_soft_limit,
+    srtp_key_state_expired
+} srtp_key_state_t;
+
+typedef struct srtp_key_limit_ctx_t {
+    srtp_xtd_seq_num_t num_left;
+    srtp_key_state_t state;
+} srtp_key_limit_ctx_t;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* KEY_H */
diff --git a/netwerk/srtp/src/crypto/include/null_auth.h b/netwerk/srtp/src/crypto/include/null_auth.h
new file mode 100644
index 0000000000..490dd7bc0f
--- /dev/null
+++ b/netwerk/srtp/src/crypto/include/null_auth.h
@@ -0,0 +1,73 @@
+/*
+ * null-auth.h
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ *
+ */
+
+/*
+ *
+ * Copyright (c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef NULL_AUTH_H
+#define NULL_AUTH_H
+
+#include "auth.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct {
+    char foo;
+} srtp_null_auth_ctx_t;
+
+#if 0
+srtp_err_status_t srtp_null_auth_alloc(srtp_auth_t **a, int key_len, int out_len);
+
+srtp_err_status_t srtp_null_auth_dealloc(srtp_auth_t *a);
+
+srtp_err_status_t srtp_null_auth_init(srtp_null_auth_ctx_t *state, const uint8_t *key, int key_len);
+
+srtp_err_status_t srtp_null_auth_compute(srtp_null_auth_ctx_t *state, uint8_t *message, int msg_octets, int tag_len, uint8_t *result);
+
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* NULL_AUTH_H */
diff --git a/netwerk/srtp/src/crypto/include/null_cipher.h b/netwerk/srtp/src/crypto/include/null_cipher.h
new file mode 100644
index 0000000000..5e8c91c134
--- /dev/null
+++ b/netwerk/srtp/src/crypto/include/null_cipher.h
@@ -0,0 +1,57 @@
+/*
+ * null-cipher.h
+ *
+ * header file for the null cipher
+ *
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+
+/*
+ *
+ * Copyright (c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef NULL_CIPHER_H
+#define NULL_CIPHER_H
+
+#include "datatypes.h"
+#include "cipher.h"
+
+typedef struct {
+    char foo; /* empty, for now */
+} srtp_null_cipher_ctx_t;
+
+#endif /* NULL_CIPHER_H */
diff --git a/netwerk/srtp/src/crypto/include/rdb.h b/netwerk/srtp/src/crypto/include/rdb.h
new file mode 100644
index 0000000000..98314c1f3e
--- /dev/null
+++ b/netwerk/srtp/src/crypto/include/rdb.h
@@ -0,0 +1,125 @@
+/*
+ * replay-database.h
+ *
+ * interface for a replay database for packet security
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+
+/*
+ *
+ * Copyright (c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef REPLAY_DB_H
+#define REPLAY_DB_H
+
+#include "integers.h"  /* for uint32_t     */
+#include "datatypes.h" /* for v128_t       */
+#include "err.h"       /* for srtp_err_status_t */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * if the ith least significant bit is one, then the packet index
+ * window_end-i is in the database
+ */
+
+typedef struct {
+    uint32_t window_start; /* packet index of the first bit in bitmask */
+    v128_t bitmask;
+} srtp_rdb_t;
+
+#define rdb_bits_in_bitmask (8 * sizeof(v128_t))
+
+/*
+ * srtp_rdb_init
+ *
+ * initalizes rdb
+ *
+ * returns srtp_err_status_ok on success, srtp_err_status_t_fail otherwise
+ */
+srtp_err_status_t srtp_rdb_init(srtp_rdb_t *rdb);
+
+/*
+ * srtp_rdb_check
+ *
+ * checks to see if index appears in rdb
+ *
+ * returns srtp_err_status_fail if the index already appears in rdb,
+ * returns srtp_err_status_ok otherwise
+ */
+srtp_err_status_t srtp_rdb_check(const srtp_rdb_t *rdb, uint32_t rdb_index);
+
+/*
+ * srtp_rdb_add_index
+ *
+ * adds index to srtp_rdb_t (and does *not* check if index appears in db)
+ *
+ * returns srtp_err_status_ok on success, srtp_err_status_fail otherwise
+ *
+ */
+srtp_err_status_t srtp_rdb_add_index(srtp_rdb_t *rdb, uint32_t rdb_index);
+
+/*
+ * the functions srtp_rdb_increment() and srtp_rdb_get_value() are for use by
+ * senders, not receivers - DO NOT use these functions on the same
+ * srtp_rdb_t upon which srtp_rdb_add_index is used!
+ */
+
+/*
+ * srtp_rdb_increment(db) increments the sequence number in db, if it is
+ * not too high
+ *
+ * return values:
+ *
+ *    srtp_err_status_ok            no problem
+ *    srtp_err_status_key_expired   sequence number too high
+ *
+ */
+srtp_err_status_t srtp_rdb_increment(srtp_rdb_t *rdb);
+
+/*
+ * srtp_rdb_get_value(db) returns the current sequence number of db
+ */
+uint32_t srtp_rdb_get_value(const srtp_rdb_t *rdb);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* REPLAY_DB_H */
diff --git a/netwerk/srtp/src/crypto/include/rdbx.h b/netwerk/srtp/src/crypto/include/rdbx.h
new file mode 100644
index 0000000000..2194178ee2
--- /dev/null
+++ b/netwerk/srtp/src/crypto/include/rdbx.h
@@ -0,0 +1,209 @@
+/*
+ * rdbx.h
+ *
+ * replay database with extended packet indices, using a rollover counter
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ *
+ */
+
+/*
+ *
+ * Copyright (c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef RDBX_H
+#define RDBX_H
+
+#include "datatypes.h"
+#include "err.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* #define ROC_TEST */
+
+#ifndef ROC_TEST
+
+typedef uint16_t srtp_sequence_number_t;  /* 16 bit sequence number  */
+typedef uint32_t srtp_rollover_counter_t; /* 32 bit rollover counter */
+
+#else /* use small seq_num and roc datatypes for testing purposes */
+
+typedef unsigned char srtp_sequence_number_t; /* 8 bit sequence number   */
+typedef uint16_t srtp_rollover_counter_t;     /* 16 bit rollover counter */
+
+#endif
+
+#define seq_num_median (1 << (8 * sizeof(srtp_sequence_number_t) - 1))
+#define seq_num_max (1 << (8 * sizeof(srtp_sequence_number_t)))
+
+/*
+ * An rtp_xtd_seq_num_t is a 64-bit unsigned integer used as an 'extended'
+ * sequence number.
+ */
+typedef uint64_t srtp_xtd_seq_num_t;
+
+/*
+ * An srtp_rdbx_t is a replay database with extended range; it uses an
+ * xtd_seq_num_t and a bitmask of recently received indices.
+ */
+typedef struct {
+    srtp_xtd_seq_num_t index;
+    bitvector_t bitmask;
+} srtp_rdbx_t;
+
+/*
+ * srtp_rdbx_init(rdbx_ptr, ws)
+ *
+ * initializes the rdbx pointed to by its argument with the window size ws,
+ * setting the rollover counter and sequence number to zero
+ */
+srtp_err_status_t srtp_rdbx_init(srtp_rdbx_t *rdbx, unsigned long ws);
+
+/*
+ * srtp_rdbx_dealloc(rdbx_ptr)
+ *
+ * frees memory associated with the rdbx
+ */
+srtp_err_status_t srtp_rdbx_dealloc(srtp_rdbx_t *rdbx);
+
+/*
+ * srtp_rdbx_estimate_index(rdbx, guess, s)
+ *
+ * given an rdbx and a sequence number s (from a newly arrived packet),
+ * sets the contents of *guess to contain the best guess of the packet
+ * index to which s corresponds, and returns the difference between
+ * *guess and the locally stored synch info
+ */
+int32_t srtp_rdbx_estimate_index(const srtp_rdbx_t *rdbx,
+                                 srtp_xtd_seq_num_t *guess,
+                                 srtp_sequence_number_t s);
+
+/*
+ * srtp_rdbx_check(rdbx, delta);
+ *
+ * srtp_rdbx_check(&r, delta) checks to see if the xtd_seq_num_t
+ * which is at rdbx->window_start + delta is in the rdb
+ *
+ */
+srtp_err_status_t srtp_rdbx_check(const srtp_rdbx_t *rdbx, int difference);
+
+/*
+ * srtp_replay_add_index(rdbx, delta)
+ *
+ * adds the srtp_xtd_seq_num_t at rdbx->window_start + delta to replay_db
+ * (and does *not* check if that xtd_seq_num_t appears in db)
+ *
+ * this function should be called *only* after replay_check has
+ * indicated that the index does not appear in the rdbx, and a mutex
+ * should protect the rdbx between these calls if necessary.
+ */
+srtp_err_status_t srtp_rdbx_add_index(srtp_rdbx_t *rdbx, int delta);
+
+/*
+ * srtp_rdbx_set_roc(rdbx, roc) initalizes the srtp_rdbx_t at the location rdbx
+ * to have the rollover counter value roc.  If that value is less than
+ * the current rollover counter value, then the function returns
+ * srtp_err_status_replay_old; otherwise, srtp_err_status_ok is returned.
+ *
+ */
+srtp_err_status_t srtp_rdbx_set_roc(srtp_rdbx_t *rdbx, uint32_t roc);
+
+/*
+ * srtp_rdbx_get_packet_index(rdbx) returns the value of the rollover counter
+ * for
+ * the srtp_rdbx_t pointed to by rdbx
+ *
+ */
+srtp_xtd_seq_num_t srtp_rdbx_get_packet_index(const srtp_rdbx_t *rdbx);
+
+/*
+ * srtp_xtd_seq_num_t functions - these are *internal* functions of rdbx, and
+ * shouldn't be used to manipulate rdbx internal values.  use the rdbx
+ * api instead!
+ */
+
+/*
+ * srtp_rdbx_get_ws(rdbx_ptr)
+ *
+ * gets the window size which was used to initialize the rdbx
+ */
+unsigned long srtp_rdbx_get_window_size(const srtp_rdbx_t *rdbx);
+
+/* index_init(&pi) initializes a packet index pi (sets it to zero) */
+void srtp_index_init(srtp_xtd_seq_num_t *pi);
+
+/* index_advance(&pi, s) advances a xtd_seq_num_t forward by s */
+void srtp_index_advance(srtp_xtd_seq_num_t *pi, srtp_sequence_number_t s);
+
+/*
+ * srtp_index_guess(local, guess, s)
+ *
+ * given a srtp_xtd_seq_num_t local (which represents the highest
+ * known-to-be-good index) and a sequence number s (from a newly
+ * arrived packet), sets the contents of *guess to contain the best
+ * guess of the packet index to which s corresponds, and returns the
+ * difference between *guess and *local
+ */
+int32_t srtp_index_guess(const srtp_xtd_seq_num_t *local,
+                         srtp_xtd_seq_num_t *guess,
+                         srtp_sequence_number_t s);
+
+/*
+ * srtp_rdbx_get_roc(rdbx)
+ *
+ * Get the current rollover counter
+ *
+ */
+uint32_t srtp_rdbx_get_roc(const srtp_rdbx_t *rdbx);
+
+/*
+ * srtp_rdbx_set_roc_seq(rdbx, roc, seq) initalizes the srtp_rdbx_t at the
+ * location rdbx to have the rollover counter value roc and packet sequence
+ * number seq.  If the new rollover counter value is less than the current
+ * rollover counter value, then the function returns
+ * srtp_err_status_replay_old, otherwise, srtp_err_status_ok is returned.
+ */
+srtp_err_status_t srtp_rdbx_set_roc_seq(srtp_rdbx_t *rdbx,
+                                        uint32_t roc,
+                                        uint16_t seq);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* RDBX_H */
diff --git a/netwerk/srtp/src/crypto/include/sha1.h b/netwerk/srtp/src/crypto/include/sha1.h
new file mode 100644
index 0000000000..933c1466a3
--- /dev/null
+++ b/netwerk/srtp/src/crypto/include/sha1.h
@@ -0,0 +1,184 @@
+/*
+ * sha1.h
+ *
+ * interface to the Secure Hash Algorithm v.1 (SHA-1), specified in
+ * FIPS 180-1
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+
+/*
+ *
+ * Copyright (c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef SHA1_H
+#define SHA1_H
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include "err.h"
+#ifdef OPENSSL
+#include <openssl/evp.h>
+#include <stdint.h>
+#else
+#include "datatypes.h"
+#endif
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#ifdef OPENSSL
+
+/*
+ * srtp_sha1_init(&ctx) initializes the SHA1 context ctx
+ *
+ * srtp_sha1_update(&ctx, msg, len) hashes the len octets starting at msg
+ * into the SHA1 context
+ *
+ * srtp_sha1_final(&ctx, output) performs the final processing of the SHA1
+ * context and writes the result to the 20 octets at output
+ *
+ * Return values are ignored on the EVP functions since all three
+ * of these functions return void.
+ *
+ */
+
+/* OpenSSL 1.1.0 made EVP_MD_CTX an opaque structure, which must be allocated
+   using EVP_MD_CTX_new. But this function doesn't exist in OpenSSL 1.0.x. */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || LIBRESSL_VERSION_NUMBER
+
+typedef EVP_MD_CTX srtp_sha1_ctx_t;
+
+static inline void srtp_sha1_init(srtp_sha1_ctx_t *ctx)
+{
+    EVP_MD_CTX_init(ctx);
+    EVP_DigestInit(ctx, EVP_sha1());
+}
+
+static inline void srtp_sha1_update(srtp_sha1_ctx_t *ctx,
+                                    const uint8_t *M,
+                                    int octets_in_msg)
+{
+    EVP_DigestUpdate(ctx, M, octets_in_msg);
+}
+
+static inline void srtp_sha1_final(srtp_sha1_ctx_t *ctx, uint32_t *output)
+{
+    unsigned int len = 0;
+
+    EVP_DigestFinal(ctx, (unsigned char *)output, &len);
+    EVP_MD_CTX_cleanup(ctx);
+}
+
+#else
+
+typedef EVP_MD_CTX *srtp_sha1_ctx_t;
+
+static inline void srtp_sha1_init(srtp_sha1_ctx_t *ctx)
+{
+    *ctx = EVP_MD_CTX_new();
+    EVP_DigestInit(*ctx, EVP_sha1());
+}
+
+static inline void srtp_sha1_update(srtp_sha1_ctx_t *ctx,
+                                    const uint8_t *M,
+                                    int octets_in_msg)
+{
+    EVP_DigestUpdate(*ctx, M, octets_in_msg);
+}
+
+static inline void srtp_sha1_final(srtp_sha1_ctx_t *ctx, uint32_t *output)
+{
+    unsigned int len = 0;
+
+    EVP_DigestFinal(*ctx, (unsigned char *)output, &len);
+    EVP_MD_CTX_free(*ctx);
+}
+#endif
+
+#else
+
+typedef struct {
+    uint32_t H[5];            /* state vector                    */
+    uint32_t M[16];           /* message buffer                  */
+    int octets_in_buffer;     /* octets of message in buffer     */
+    uint32_t num_bits_in_msg; /* total number of bits in message */
+} srtp_sha1_ctx_t;
+
+/*
+ * srtp_sha1_init(&ctx) initializes the SHA1 context ctx
+ *
+ * srtp_sha1_update(&ctx, msg, len) hashes the len octets starting at msg
+ * into the SHA1 context
+ *
+ * srtp_sha1_final(&ctx, output) performs the final processing of the SHA1
+ * context and writes the result to the 20 octets at output
+ *
+ */
+void srtp_sha1_init(srtp_sha1_ctx_t *ctx);
+
+void srtp_sha1_update(srtp_sha1_ctx_t *ctx,
+                      const uint8_t *M,
+                      int octets_in_msg);
+
+void srtp_sha1_final(srtp_sha1_ctx_t *ctx, uint32_t output[5]);
+
+/*
+ * The srtp_sha1_core function is INTERNAL to SHA-1, but it is declared
+ * here because it is also used by the cipher SEAL 3.0 in its key
+ * setup algorithm.
+ */
+
+/*
+ *  srtp_sha1_core(M, H) computes the core sha1 compression function, where M is
+ *  the next part of the message and H is the intermediate state {H0,
+ *  H1, ...}
+ *
+ *  this function does not do any of the padding required in the
+ *  complete sha1 function
+ */
+void srtp_sha1_core(const uint32_t M[16], uint32_t hash_value[5]);
+
+#endif /* else OPENSSL */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* SHA1_H */
diff --git a/netwerk/srtp/src/crypto/include/stat.h b/netwerk/srtp/src/crypto/include/stat.h
new file mode 100644
index 0000000000..1894e041aa
--- /dev/null
+++ b/netwerk/srtp/src/crypto/include/stat.h
@@ -0,0 +1,66 @@
+/*
+ * stats.h
+ *
+ * interface to statistical test functions
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+
+/*
+ *
+ * Copyright(c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef STAT_H
+#define STAT_H
+
+#include "datatypes.h" /* for uint8_t                       */
+#include "err.h"       /* for srtp_err_status_t             */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+srtp_err_status_t stat_test_monobit(uint8_t *data);
+
+srtp_err_status_t stat_test_poker(uint8_t *data);
+
+srtp_err_status_t stat_test_runs(uint8_t *data);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* STAT_H */
diff --git a/netwerk/srtp/src/crypto/kernel/alloc.c b/netwerk/srtp/src/crypto/kernel/alloc.c
new file mode 100644
index 0000000000..dbe58266f4
--- /dev/null
+++ b/netwerk/srtp/src/crypto/kernel/alloc.c
@@ -0,0 +1,101 @@
+/*
+ * alloc.c
+ *
+ * memory allocation and deallocation
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+/*
+ *
+ * Copyright (c) 2001-2017 Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include "alloc.h"
+#include "crypto_kernel.h"
+
+/* the debug module for memory allocation */
+
+srtp_debug_module_t srtp_mod_alloc = {
+    0,      /* debugging is off by default */
+    "alloc" /* printable name for module   */
+};
+
+/*
+ * Nota bene: the debugging statements for srtp_crypto_alloc() and
+ * srtp_crypto_free() have identical prefixes, which include the addresses
+ * of the memory locations on which they are operating.  This fact can
+ * be used to locate memory leaks, by turning on memory debugging,
+ * grepping for 'alloc', then matching alloc and free calls by
+ * address.
+ */
+
+#if defined(HAVE_STDLIB_H)
+
+void *srtp_crypto_alloc(size_t size)
+{
+    void *ptr;
+
+    if (!size) {
+        return NULL;
+    }
+
+    ptr = calloc(1, size);
+
+    if (ptr) {
+        debug_print(srtp_mod_alloc, "(location: %p) allocated", ptr);
+    } else {
+        debug_print(srtp_mod_alloc, "allocation failed (asked for %d bytes)\n",
+                    size);
+    }
+
+    return ptr;
+}
+
+void srtp_crypto_free(void *ptr)
+{
+    debug_print(srtp_mod_alloc, "(location: %p) freed", ptr);
+
+    free(ptr);
+}
+
+#else /* we need to define our own memory allocation routines */
+
+#error no memory allocation defined yet
+
+#endif
diff --git a/netwerk/srtp/src/crypto/kernel/crypto_kernel.c b/netwerk/srtp/src/crypto/kernel/crypto_kernel.c
new file mode 100644
index 0000000000..df6af7da88
--- /dev/null
+++ b/netwerk/srtp/src/crypto/kernel/crypto_kernel.c
@@ -0,0 +1,561 @@
+/*
+ * crypto_kernel.c
+ *
+ * header for the cryptographic kernel
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+/*
+ *
+ * Copyright(c) 2001-2017 Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include "alloc.h"
+
+#include "crypto_kernel.h"
+#include "cipher_types.h"
+
+/* the debug module for the crypto_kernel */
+
+srtp_debug_module_t srtp_mod_crypto_kernel = {
+    0,              /* debugging is off by default */
+    "crypto kernel" /* printable name for module   */
+};
+
+/* crypto_kernel is a global variable, the only one of its datatype */
+
+srtp_crypto_kernel_t crypto_kernel = {
+    srtp_crypto_kernel_state_insecure, /* start off in insecure state */
+    NULL,                              /* no cipher types yet         */
+    NULL,                              /* no auth types yet           */
+    NULL                               /* no debug modules yet        */
+};
+
+#define MAX_RNG_TRIALS 25
+
+srtp_err_status_t srtp_crypto_kernel_init()
+{
+    srtp_err_status_t status;
+
+    /* check the security state */
+    if (crypto_kernel.state == srtp_crypto_kernel_state_secure) {
+        /*
+         * we're already in the secure state, but we've been asked to
+         * re-initialize, so we just re-run the self-tests and then return
+         */
+        return srtp_crypto_kernel_status();
+    }
+
+    /* initialize error reporting system */
+    status = srtp_err_reporting_init();
+    if (status) {
+        return status;
+    }
+
+    /* load debug modules */
+    status = srtp_crypto_kernel_load_debug_module(&srtp_mod_crypto_kernel);
+    if (status) {
+        return status;
+    }
+    status = srtp_crypto_kernel_load_debug_module(&srtp_mod_auth);
+    if (status) {
+        return status;
+    }
+    status = srtp_crypto_kernel_load_debug_module(&srtp_mod_cipher);
+    if (status) {
+        return status;
+    }
+    status = srtp_crypto_kernel_load_debug_module(&srtp_mod_stat);
+    if (status) {
+        return status;
+    }
+    status = srtp_crypto_kernel_load_debug_module(&srtp_mod_alloc);
+    if (status) {
+        return status;
+    }
+
+    /* load cipher types */
+    status = srtp_crypto_kernel_load_cipher_type(&srtp_null_cipher,
+                                                 SRTP_NULL_CIPHER);
+    if (status) {
+        return status;
+    }
+    status = srtp_crypto_kernel_load_cipher_type(&srtp_aes_icm_128,
+                                                 SRTP_AES_ICM_128);
+    if (status) {
+        return status;
+    }
+    status = srtp_crypto_kernel_load_cipher_type(&srtp_aes_icm_256,
+                                                 SRTP_AES_ICM_256);
+    if (status) {
+        return status;
+    }
+    status = srtp_crypto_kernel_load_debug_module(&srtp_mod_aes_icm);
+    if (status) {
+        return status;
+    }
+#ifdef GCM
+    status = srtp_crypto_kernel_load_cipher_type(&srtp_aes_icm_192,
+                                                 SRTP_AES_ICM_192);
+    if (status) {
+        return status;
+    }
+    status = srtp_crypto_kernel_load_cipher_type(&srtp_aes_gcm_128,
+                                                 SRTP_AES_GCM_128);
+    if (status) {
+        return status;
+    }
+    status = srtp_crypto_kernel_load_cipher_type(&srtp_aes_gcm_256,
+                                                 SRTP_AES_GCM_256);
+    if (status) {
+        return status;
+    }
+    status = srtp_crypto_kernel_load_debug_module(&srtp_mod_aes_gcm);
+    if (status) {
+        return status;
+    }
+#endif
+
+    /* load auth func types */
+    status = srtp_crypto_kernel_load_auth_type(&srtp_null_auth, SRTP_NULL_AUTH);
+    if (status) {
+        return status;
+    }
+    status = srtp_crypto_kernel_load_auth_type(&srtp_hmac, SRTP_HMAC_SHA1);
+    if (status) {
+        return status;
+    }
+    status = srtp_crypto_kernel_load_debug_module(&srtp_mod_hmac);
+    if (status) {
+        return status;
+    }
+
+    /* change state to secure */
+    crypto_kernel.state = srtp_crypto_kernel_state_secure;
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_crypto_kernel_status()
+{
+    srtp_err_status_t status;
+    srtp_kernel_cipher_type_t *ctype = crypto_kernel.cipher_type_list;
+    srtp_kernel_auth_type_t *atype = crypto_kernel.auth_type_list;
+
+    /* for each cipher type, describe and test */
+    while (ctype != NULL) {
+        srtp_err_report(srtp_err_level_info, "cipher: %s\n",
+                        ctype->cipher_type->description);
+        srtp_err_report(srtp_err_level_info, "  self-test: ");
+        status = srtp_cipher_type_self_test(ctype->cipher_type);
+        if (status) {
+            srtp_err_report(srtp_err_level_error, "failed with error code %d\n",
+                            status);
+            exit(status);
+        }
+        srtp_err_report(srtp_err_level_info, "passed\n");
+        ctype = ctype->next;
+    }
+
+    /* for each auth type, describe and test */
+    while (atype != NULL) {
+        srtp_err_report(srtp_err_level_info, "auth func: %s\n",
+                        atype->auth_type->description);
+        srtp_err_report(srtp_err_level_info, "  self-test: ");
+        status = srtp_auth_type_self_test(atype->auth_type);
+        if (status) {
+            srtp_err_report(srtp_err_level_error, "failed with error code %d\n",
+                            status);
+            exit(status);
+        }
+        srtp_err_report(srtp_err_level_info, "passed\n");
+        atype = atype->next;
+    }
+
+    srtp_crypto_kernel_list_debug_modules();
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_crypto_kernel_list_debug_modules()
+{
+    srtp_kernel_debug_module_t *dm = crypto_kernel.debug_module_list;
+
+    /* describe each debug module */
+    srtp_err_report(srtp_err_level_info, "debug modules loaded:\n");
+    while (dm != NULL) {
+        srtp_err_report(srtp_err_level_info, "  %s ", dm->mod->name);
+        if (dm->mod->on) {
+            srtp_err_report(srtp_err_level_info, "(on)\n");
+        } else {
+            srtp_err_report(srtp_err_level_info, "(off)\n");
+        }
+        dm = dm->next;
+    }
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_crypto_kernel_shutdown()
+{
+    /*
+     * free dynamic memory used in crypto_kernel at present
+     */
+
+    /* walk down cipher type list, freeing memory */
+    while (crypto_kernel.cipher_type_list != NULL) {
+        srtp_kernel_cipher_type_t *ctype = crypto_kernel.cipher_type_list;
+        crypto_kernel.cipher_type_list = ctype->next;
+        debug_print(srtp_mod_crypto_kernel, "freeing memory for cipher %s",
+                    ctype->cipher_type->description);
+        srtp_crypto_free(ctype);
+    }
+
+    /* walk down authetication module list, freeing memory */
+    while (crypto_kernel.auth_type_list != NULL) {
+        srtp_kernel_auth_type_t *atype = crypto_kernel.auth_type_list;
+        crypto_kernel.auth_type_list = atype->next;
+        debug_print(srtp_mod_crypto_kernel,
+                    "freeing memory for authentication %s",
+                    atype->auth_type->description);
+        srtp_crypto_free(atype);
+    }
+
+    /* walk down debug module list, freeing memory */
+    while (crypto_kernel.debug_module_list != NULL) {
+        srtp_kernel_debug_module_t *kdm = crypto_kernel.debug_module_list;
+        crypto_kernel.debug_module_list = kdm->next;
+        debug_print(srtp_mod_crypto_kernel,
+                    "freeing memory for debug module %s", kdm->mod->name);
+        srtp_crypto_free(kdm);
+    }
+
+    /* return to insecure state */
+    crypto_kernel.state = srtp_crypto_kernel_state_insecure;
+
+    return srtp_err_status_ok;
+}
+
+static inline srtp_err_status_t srtp_crypto_kernel_do_load_cipher_type(
+    const srtp_cipher_type_t *new_ct,
+    srtp_cipher_type_id_t id,
+    int replace)
+{
+    srtp_kernel_cipher_type_t *ctype, *new_ctype;
+    srtp_err_status_t status;
+
+    /* defensive coding */
+    if (new_ct == NULL) {
+        return srtp_err_status_bad_param;
+    }
+
+    if (new_ct->id != id) {
+        return srtp_err_status_bad_param;
+    }
+
+    /* check cipher type by running self-test */
+    status = srtp_cipher_type_self_test(new_ct);
+    if (status) {
+        return status;
+    }
+
+    /* walk down list, checking if this type is in the list already  */
+    ctype = crypto_kernel.cipher_type_list;
+    while (ctype != NULL) {
+        if (id == ctype->id) {
+            if (!replace) {
+                return srtp_err_status_bad_param;
+            }
+            status =
+                srtp_cipher_type_test(new_ct, ctype->cipher_type->test_data);
+            if (status) {
+                return status;
+            }
+            new_ctype = ctype;
+            break;
+        } else if (new_ct == ctype->cipher_type) {
+            return srtp_err_status_bad_param;
+        }
+        ctype = ctype->next;
+    }
+
+    /* if not found, put new_ct at the head of the list */
+    if (ctype == NULL) {
+        /* allocate memory */
+        new_ctype = (srtp_kernel_cipher_type_t *)srtp_crypto_alloc(
+            sizeof(srtp_kernel_cipher_type_t));
+        if (new_ctype == NULL) {
+            return srtp_err_status_alloc_fail;
+        }
+        new_ctype->next = crypto_kernel.cipher_type_list;
+
+        /* set head of list to new cipher type */
+        crypto_kernel.cipher_type_list = new_ctype;
+    }
+
+    /* set fields */
+    new_ctype->cipher_type = new_ct;
+    new_ctype->id = id;
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_crypto_kernel_load_cipher_type(
+    const srtp_cipher_type_t *new_ct,
+    srtp_cipher_type_id_t id)
+{
+    return srtp_crypto_kernel_do_load_cipher_type(new_ct, id, 0);
+}
+
+srtp_err_status_t srtp_replace_cipher_type(const srtp_cipher_type_t *new_ct,
+                                           srtp_cipher_type_id_t id)
+{
+    return srtp_crypto_kernel_do_load_cipher_type(new_ct, id, 1);
+}
+
+srtp_err_status_t srtp_crypto_kernel_do_load_auth_type(
+    const srtp_auth_type_t *new_at,
+    srtp_auth_type_id_t id,
+    int replace)
+{
+    srtp_kernel_auth_type_t *atype, *new_atype;
+    srtp_err_status_t status;
+
+    /* defensive coding */
+    if (new_at == NULL) {
+        return srtp_err_status_bad_param;
+    }
+
+    if (new_at->id != id) {
+        return srtp_err_status_bad_param;
+    }
+
+    /* check auth type by running self-test */
+    status = srtp_auth_type_self_test(new_at);
+    if (status) {
+        return status;
+    }
+
+    /* walk down list, checking if this type is in the list already  */
+    atype = crypto_kernel.auth_type_list;
+    while (atype != NULL) {
+        if (id == atype->id) {
+            if (!replace) {
+                return srtp_err_status_bad_param;
+            }
+            status = srtp_auth_type_test(new_at, atype->auth_type->test_data);
+            if (status) {
+                return status;
+            }
+            new_atype = atype;
+            break;
+        } else if (new_at == atype->auth_type) {
+            return srtp_err_status_bad_param;
+        }
+        atype = atype->next;
+    }
+
+    /* if not found, put new_at at the head of the list */
+    if (atype == NULL) {
+        /* allocate memory */
+        new_atype = (srtp_kernel_auth_type_t *)srtp_crypto_alloc(
+            sizeof(srtp_kernel_auth_type_t));
+        if (new_atype == NULL) {
+            return srtp_err_status_alloc_fail;
+        }
+
+        new_atype->next = crypto_kernel.auth_type_list;
+        /* set head of list to new auth type */
+        crypto_kernel.auth_type_list = new_atype;
+    }
+
+    /* set fields */
+    new_atype->auth_type = new_at;
+    new_atype->id = id;
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_crypto_kernel_load_auth_type(
+    const srtp_auth_type_t *new_at,
+    srtp_auth_type_id_t id)
+{
+    return srtp_crypto_kernel_do_load_auth_type(new_at, id, 0);
+}
+
+srtp_err_status_t srtp_replace_auth_type(const srtp_auth_type_t *new_at,
+                                         srtp_auth_type_id_t id)
+{
+    return srtp_crypto_kernel_do_load_auth_type(new_at, id, 1);
+}
+
+const srtp_cipher_type_t *srtp_crypto_kernel_get_cipher_type(
+    srtp_cipher_type_id_t id)
+{
+    srtp_kernel_cipher_type_t *ctype;
+
+    /* walk down list, looking for id  */
+    ctype = crypto_kernel.cipher_type_list;
+    while (ctype != NULL) {
+        if (id == ctype->id) {
+            return ctype->cipher_type;
+        }
+        ctype = ctype->next;
+    }
+
+    /* haven't found the right one, indicate failure by returning NULL */
+    return NULL;
+}
+
+srtp_err_status_t srtp_crypto_kernel_alloc_cipher(srtp_cipher_type_id_t id,
+                                                  srtp_cipher_pointer_t *cp,
+                                                  int key_len,
+                                                  int tag_len)
+{
+    const srtp_cipher_type_t *ct;
+
+    /*
+     * if the crypto_kernel is not yet initialized, we refuse to allocate
+     * any ciphers - this is a bit extra-paranoid
+     */
+    if (crypto_kernel.state != srtp_crypto_kernel_state_secure) {
+        return srtp_err_status_init_fail;
+    }
+
+    ct = srtp_crypto_kernel_get_cipher_type(id);
+    if (!ct) {
+        return srtp_err_status_fail;
+    }
+
+    return ((ct)->alloc(cp, key_len, tag_len));
+}
+
+const srtp_auth_type_t *srtp_crypto_kernel_get_auth_type(srtp_auth_type_id_t id)
+{
+    srtp_kernel_auth_type_t *atype;
+
+    /* walk down list, looking for id  */
+    atype = crypto_kernel.auth_type_list;
+    while (atype != NULL) {
+        if (id == atype->id) {
+            return atype->auth_type;
+        }
+        atype = atype->next;
+    }
+
+    /* haven't found the right one, indicate failure by returning NULL */
+    return NULL;
+}
+
+srtp_err_status_t srtp_crypto_kernel_alloc_auth(srtp_auth_type_id_t id,
+                                                srtp_auth_pointer_t *ap,
+                                                int key_len,
+                                                int tag_len)
+{
+    const srtp_auth_type_t *at;
+
+    /*
+     * if the crypto_kernel is not yet initialized, we refuse to allocate
+     * any auth functions - this is a bit extra-paranoid
+     */
+    if (crypto_kernel.state != srtp_crypto_kernel_state_secure) {
+        return srtp_err_status_init_fail;
+    }
+
+    at = srtp_crypto_kernel_get_auth_type(id);
+    if (!at) {
+        return srtp_err_status_fail;
+    }
+
+    return ((at)->alloc(ap, key_len, tag_len));
+}
+
+srtp_err_status_t srtp_crypto_kernel_load_debug_module(
+    srtp_debug_module_t *new_dm)
+{
+    srtp_kernel_debug_module_t *kdm, *new;
+
+    /* defensive coding */
+    if (new_dm == NULL || new_dm->name == NULL) {
+        return srtp_err_status_bad_param;
+    }
+
+    /* walk down list, checking if this type is in the list already  */
+    kdm = crypto_kernel.debug_module_list;
+    while (kdm != NULL) {
+        if (strncmp(new_dm->name, kdm->mod->name, 64) == 0) {
+            return srtp_err_status_bad_param;
+        }
+        kdm = kdm->next;
+    }
+
+    /* put new_dm at the head of the list */
+    /* allocate memory */
+    new = (srtp_kernel_debug_module_t *)srtp_crypto_alloc(
+        sizeof(srtp_kernel_debug_module_t));
+    if (new == NULL) {
+        return srtp_err_status_alloc_fail;
+    }
+
+    /* set fields */
+    new->mod = new_dm;
+    new->next = crypto_kernel.debug_module_list;
+
+    /* set head of list to new cipher type */
+    crypto_kernel.debug_module_list = new;
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_crypto_kernel_set_debug_module(const char *name, int on)
+{
+    srtp_kernel_debug_module_t *kdm;
+
+    /* walk down list, checking if this type is in the list already  */
+    kdm = crypto_kernel.debug_module_list;
+    while (kdm != NULL) {
+        if (strncmp(name, kdm->mod->name, 64) == 0) {
+            kdm->mod->on = on;
+            return srtp_err_status_ok;
+        }
+        kdm = kdm->next;
+    }
+
+    return srtp_err_status_fail;
+}
diff --git a/netwerk/srtp/src/crypto/kernel/err.c b/netwerk/srtp/src/crypto/kernel/err.c
new file mode 100644
index 0000000000..f443549e5a
--- /dev/null
+++ b/netwerk/srtp/src/crypto/kernel/err.c
@@ -0,0 +1,108 @@
+/*
+ * err.c
+ *
+ * error status reporting functions
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+/*
+ *
+ * Copyright(c) 2001-2017 Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include "err.h"
+#include "datatypes.h"
+#include <string.h>
+
+/* srtp_err_file is the FILE to which errors are reported */
+
+static FILE *srtp_err_file = NULL;
+
+srtp_err_status_t srtp_err_reporting_init()
+{
+#ifdef ERR_REPORTING_STDOUT
+    srtp_err_file = stdout;
+#elif defined(ERR_REPORTING_FILE)
+    /* open file for error reporting */
+    srtp_err_file = fopen(ERR_REPORTING_FILE, "w");
+    if (srtp_err_file == NULL) {
+        return srtp_err_status_init_fail;
+    }
+#endif
+
+    return srtp_err_status_ok;
+}
+
+static srtp_err_report_handler_func_t *srtp_err_report_handler = NULL;
+
+srtp_err_status_t srtp_install_err_report_handler(
+    srtp_err_report_handler_func_t func)
+{
+    srtp_err_report_handler = func;
+    return srtp_err_status_ok;
+}
+
+void srtp_err_report(srtp_err_reporting_level_t level, const char *format, ...)
+{
+    va_list args;
+    if (srtp_err_file != NULL) {
+        va_start(args, format);
+        vfprintf(srtp_err_file, format, args);
+        va_end(args);
+    }
+    if (srtp_err_report_handler != NULL) {
+        va_start(args, format);
+        char msg[512];
+        if (vsnprintf(msg, sizeof(msg), format, args) > 0) {
+            /* strip trailing \n, callback should not have one */
+            size_t l = strlen(msg);
+            if (l && msg[l - 1] == '\n') {
+                msg[l - 1] = '\0';
+            }
+            srtp_err_report_handler(level, msg);
+            /*
+             * NOTE, need to be carefull, there is a potential that
+             * octet_string_set_to_zero() could
+             * call srtp_err_report() in the future, leading to recursion
+             */
+            octet_string_set_to_zero(msg, sizeof(msg));
+        }
+        va_end(args);
+    }
+}
diff --git a/netwerk/srtp/src/crypto/kernel/key.c b/netwerk/srtp/src/crypto/kernel/key.c
new file mode 100644
index 0000000000..0466195046
--- /dev/null
+++ b/netwerk/srtp/src/crypto/kernel/key.c
@@ -0,0 +1,122 @@
+/*
+ * key.c
+ *
+ * key usage limits enforcement
+ *
+ * David A. Mcgrew
+ * Cisco Systems, Inc.
+ */
+/*
+ *
+ * Copyright (c) 2001-2017 Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include "key.h"
+
+#define soft_limit 0x10000
+
+srtp_err_status_t srtp_key_limit_set(srtp_key_limit_t key,
+                                     const srtp_xtd_seq_num_t s)
+{
+#ifdef NO_64BIT_MATH
+    if (high32(s) == 0 && low32(s) < soft_limit) {
+        return srtp_err_status_bad_param;
+    }
+#else
+    if (s < soft_limit) {
+        return srtp_err_status_bad_param;
+    }
+#endif
+    key->num_left = s;
+    key->state = srtp_key_state_normal;
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_key_limit_clone(srtp_key_limit_t original,
+                                       srtp_key_limit_t *new_key)
+{
+    if (original == NULL) {
+        return srtp_err_status_bad_param;
+    }
+    *new_key = original;
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_key_limit_check(const srtp_key_limit_t key)
+{
+    if (key->state == srtp_key_state_expired) {
+        return srtp_err_status_key_expired;
+    }
+    return srtp_err_status_ok;
+}
+
+srtp_key_event_t srtp_key_limit_update(srtp_key_limit_t key)
+{
+#ifdef NO_64BIT_MATH
+    if (low32(key->num_left) == 0) {
+        // carry
+        key->num_left =
+            make64(high32(key->num_left) - 1, low32(key->num_left) - 1);
+    } else {
+        // no carry
+        key->num_left = make64(high32(key->num_left), low32(key->num_left) - 1);
+    }
+    if (high32(key->num_left) != 0 || low32(key->num_left) >= soft_limit) {
+        return srtp_key_event_normal; /* we're above the soft limit */
+    }
+#else
+    key->num_left--;
+    if (key->num_left >= soft_limit) {
+        return srtp_key_event_normal; /* we're above the soft limit */
+    }
+#endif
+    if (key->state == srtp_key_state_normal) {
+        /* we just passed the soft limit, so change the state */
+        key->state = srtp_key_state_past_soft_limit;
+    }
+#ifdef NO_64BIT_MATH
+    if (low32(key->num_left) == 0 && high32(key->num_left == 0))
+#else
+    if (key->num_left < 1)
+#endif
+    { /* we just hit the hard limit */
+        key->state = srtp_key_state_expired;
+        return srtp_key_event_hard_limit;
+    }
+    return srtp_key_event_soft_limit;
+}
diff --git a/netwerk/srtp/src/crypto/math/datatypes.c b/netwerk/srtp/src/crypto/math/datatypes.c
new file mode 100644
index 0000000000..85c1cbf292
--- /dev/null
+++ b/netwerk/srtp/src/crypto/math/datatypes.c
@@ -0,0 +1,490 @@
+/*
+ * datatypes.c
+ *
+ * data types for finite fields and functions for input, output, and
+ * manipulation
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+/*
+ *
+ * Copyright (c) 2001-2017 Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#ifdef OPENSSL
+#include <openssl/crypto.h>
+#endif
+
+#include "datatypes.h"
+
+static const int8_t octet_weight[256] = {
+    0, 1, 1, 2, 1, 2, 2, 3, 1, 2, 2, 3, 2, 3, 3, 4, 1, 2, 2, 3, 2, 3, 3, 4,
+    2, 3, 3, 4, 3, 4, 4, 5, 1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5,
+    2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 1, 2, 2, 3, 2, 3, 3, 4,
+    2, 3, 3, 4, 3, 4, 4, 5, 2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6,
+    2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 3, 4, 4, 5, 4, 5, 5, 6,
+    4, 5, 5, 6, 5, 6, 6, 7, 1, 2, 2, 3, 2, 3, 3, 4, 2, 3, 3, 4, 3, 4, 4, 5,
+    2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 2, 3, 3, 4, 3, 4, 4, 5,
+    3, 4, 4, 5, 4, 5, 5, 6, 3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7,
+    2, 3, 3, 4, 3, 4, 4, 5, 3, 4, 4, 5, 4, 5, 5, 6, 3, 4, 4, 5, 4, 5, 5, 6,
+    4, 5, 5, 6, 5, 6, 6, 7, 3, 4, 4, 5, 4, 5, 5, 6, 4, 5, 5, 6, 5, 6, 6, 7,
+    4, 5, 5, 6, 5, 6, 6, 7, 5, 6, 6, 7, 6, 7, 7, 8
+};
+
+int octet_get_weight(uint8_t octet)
+{
+    return (int)octet_weight[octet];
+}
+
+/*
+ * bit_string is a buffer that is used to hold output strings, e.g.
+ * for printing.
+ */
+
+/* the value MAX_PRINT_STRING_LEN is defined in datatypes.h */
+
+char bit_string[MAX_PRINT_STRING_LEN];
+
+uint8_t srtp_nibble_to_hex_char(uint8_t nibble)
+{
+    char buf[16] = { '0', '1', '2', '3', '4', '5', '6', '7',
+                     '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' };
+    return buf[nibble & 0xF];
+}
+
+char *srtp_octet_string_hex_string(const void *s, int length)
+{
+    const uint8_t *str = (const uint8_t *)s;
+    int i;
+
+    /* double length, since one octet takes two hex characters */
+    length *= 2;
+
+    /* truncate string if it would be too long */
+    if (length > MAX_PRINT_STRING_LEN)
+        length = MAX_PRINT_STRING_LEN - 2;
+
+    for (i = 0; i < length; i += 2) {
+        bit_string[i] = srtp_nibble_to_hex_char(*str >> 4);
+        bit_string[i + 1] = srtp_nibble_to_hex_char(*str++ & 0xF);
+    }
+    bit_string[i] = 0; /* null terminate string */
+    return bit_string;
+}
+
+char *v128_hex_string(v128_t *x)
+{
+    int i, j;
+
+    for (i = j = 0; i < 16; i++) {
+        bit_string[j++] = srtp_nibble_to_hex_char(x->v8[i] >> 4);
+        bit_string[j++] = srtp_nibble_to_hex_char(x->v8[i] & 0xF);
+    }
+
+    bit_string[j] = 0; /* null terminate string */
+    return bit_string;
+}
+
+char *v128_bit_string(v128_t *x)
+{
+    int j, i;
+    uint32_t mask;
+
+    for (j = i = 0; j < 4; j++) {
+        for (mask = 0x80000000; mask > 0; mask >>= 1) {
+            if (x->v32[j] & mask)
+                bit_string[i] = '1';
+            else
+                bit_string[i] = '0';
+            ++i;
+        }
+    }
+    bit_string[128] = 0; /* null terminate string */
+
+    return bit_string;
+}
+
+void v128_copy_octet_string(v128_t *x, const uint8_t s[16])
+{
+#ifdef ALIGNMENT_32BIT_REQUIRED
+    if ((((uint32_t)&s[0]) & 0x3) != 0)
+#endif
+    {
+        x->v8[0] = s[0];
+        x->v8[1] = s[1];
+        x->v8[2] = s[2];
+        x->v8[3] = s[3];
+        x->v8[4] = s[4];
+        x->v8[5] = s[5];
+        x->v8[6] = s[6];
+        x->v8[7] = s[7];
+        x->v8[8] = s[8];
+        x->v8[9] = s[9];
+        x->v8[10] = s[10];
+        x->v8[11] = s[11];
+        x->v8[12] = s[12];
+        x->v8[13] = s[13];
+        x->v8[14] = s[14];
+        x->v8[15] = s[15];
+    }
+#ifdef ALIGNMENT_32BIT_REQUIRED
+    else {
+        v128_t *v = (v128_t *)&s[0];
+
+        v128_copy(x, v);
+    }
+#endif
+}
+
+#ifndef DATATYPES_USE_MACROS /* little functions are not macros */
+
+void v128_set_to_zero(v128_t *x)
+{
+    _v128_set_to_zero(x);
+}
+
+void v128_copy(v128_t *x, const v128_t *y)
+{
+    _v128_copy(x, y);
+}
+
+void v128_xor(v128_t *z, v128_t *x, v128_t *y)
+{
+    _v128_xor(z, x, y);
+}
+
+void v128_and(v128_t *z, v128_t *x, v128_t *y)
+{
+    _v128_and(z, x, y);
+}
+
+void v128_or(v128_t *z, v128_t *x, v128_t *y)
+{
+    _v128_or(z, x, y);
+}
+
+void v128_complement(v128_t *x)
+{
+    _v128_complement(x);
+}
+
+int v128_is_eq(const v128_t *x, const v128_t *y)
+{
+    return _v128_is_eq(x, y);
+}
+
+int v128_xor_eq(v128_t *x, const v128_t *y)
+{
+    return _v128_xor_eq(x, y);
+}
+
+int v128_get_bit(const v128_t *x, int i)
+{
+    return _v128_get_bit(x, i);
+}
+
+void v128_set_bit(v128_t *x, int i)
+{
+    _v128_set_bit(x, i);
+}
+
+void v128_clear_bit(v128_t *x, int i)
+{
+    _v128_clear_bit(x, i);
+}
+
+void v128_set_bit_to(v128_t *x, int i, int y)
+{
+    _v128_set_bit_to(x, i, y);
+}
+
+#endif /* DATATYPES_USE_MACROS */
+
+void v128_right_shift(v128_t *x, int shift)
+{
+    const int base_index = shift >> 5;
+    const int bit_index = shift & 31;
+    int i, from;
+    uint32_t b;
+
+    if (shift > 127) {
+        v128_set_to_zero(x);
+        return;
+    }
+
+    if (bit_index == 0) {
+        /* copy each word from left size to right side */
+        x->v32[4 - 1] = x->v32[4 - 1 - base_index];
+        for (i = 4 - 1; i > base_index; i--)
+            x->v32[i - 1] = x->v32[i - 1 - base_index];
+
+    } else {
+        /* set each word to the "or" of the two bit-shifted words */
+        for (i = 4; i > base_index; i--) {
+            from = i - 1 - base_index;
+            b = x->v32[from] << bit_index;
+            if (from > 0)
+                b |= x->v32[from - 1] >> (32 - bit_index);
+            x->v32[i - 1] = b;
+        }
+    }
+
+    /* now wrap up the final portion */
+    for (i = 0; i < base_index; i++)
+        x->v32[i] = 0;
+}
+
+void v128_left_shift(v128_t *x, int shift)
+{
+    int i;
+    const int base_index = shift >> 5;
+    const int bit_index = shift & 31;
+
+    if (shift > 127) {
+        v128_set_to_zero(x);
+        return;
+    }
+
+    if (bit_index == 0) {
+        for (i = 0; i < 4 - base_index; i++)
+            x->v32[i] = x->v32[i + base_index];
+    } else {
+        for (i = 0; i < 4 - base_index - 1; i++)
+            x->v32[i] = (x->v32[i + base_index] >> bit_index) ^
+                        (x->v32[i + base_index + 1] << (32 - bit_index));
+        x->v32[4 - base_index - 1] = x->v32[4 - 1] >> bit_index;
+    }
+
+    /* now wrap up the final portion */
+    for (i = 4 - base_index; i < 4; i++)
+        x->v32[i] = 0;
+}
+
+/* functions manipulating bitvector_t */
+
+#ifndef DATATYPES_USE_MACROS /* little functions are not macros */
+
+int bitvector_get_bit(const bitvector_t *v, int bit_index)
+{
+    return _bitvector_get_bit(v, bit_index);
+}
+
+void bitvector_set_bit(bitvector_t *v, int bit_index)
+{
+    _bitvector_set_bit(v, bit_index);
+}
+
+void bitvector_clear_bit(bitvector_t *v, int bit_index)
+{
+    _bitvector_clear_bit(v, bit_index);
+}
+
+#endif /* DATATYPES_USE_MACROS */
+
+int bitvector_alloc(bitvector_t *v, unsigned long length)
+{
+    unsigned long l;
+
+    /* Round length up to a multiple of bits_per_word */
+    length =
+        (length + bits_per_word - 1) & ~(unsigned long)((bits_per_word - 1));
+
+    l = length / bits_per_word * bytes_per_word;
+
+    /* allocate memory, then set parameters */
+    if (l == 0) {
+        v->word = NULL;
+        v->length = 0;
+        return -1;
+    } else {
+        v->word = (uint32_t *)srtp_crypto_alloc(l);
+        if (v->word == NULL) {
+            v->length = 0;
+            return -1;
+        }
+    }
+    v->length = length;
+
+    /* initialize bitvector to zero */
+    bitvector_set_to_zero(v);
+
+    return 0;
+}
+
+void bitvector_dealloc(bitvector_t *v)
+{
+    if (v->word != NULL)
+        srtp_crypto_free(v->word);
+    v->word = NULL;
+    v->length = 0;
+}
+
+void bitvector_set_to_zero(bitvector_t *x)
+{
+    /* C99 guarantees that memset(0) will set the value 0 for uint32_t */
+    memset(x->word, 0, x->length >> 3);
+}
+
+char *bitvector_bit_string(bitvector_t *x, char *buf, int len)
+{
+    int j, i;
+    uint32_t mask;
+
+    for (j = i = 0; j < (int)(x->length >> 5) && i < len - 1; j++) {
+        for (mask = 0x80000000; mask > 0; mask >>= 1) {
+            if (x->word[j] & mask)
+                buf[i] = '1';
+            else
+                buf[i] = '0';
+            ++i;
+            if (i >= len - 1)
+                break;
+        }
+    }
+    buf[i] = 0; /* null terminate string */
+
+    return buf;
+}
+
+void bitvector_left_shift(bitvector_t *x, int shift)
+{
+    int i;
+    const int base_index = shift >> 5;
+    const int bit_index = shift & 31;
+    const int word_length = x->length >> 5;
+
+    if (shift >= (int)x->length) {
+        bitvector_set_to_zero(x);
+        return;
+    }
+
+    if (bit_index == 0) {
+        for (i = 0; i < word_length - base_index; i++)
+            x->word[i] = x->word[i + base_index];
+    } else {
+        for (i = 0; i < word_length - base_index - 1; i++)
+            x->word[i] = (x->word[i + base_index] >> bit_index) ^
+                         (x->word[i + base_index + 1] << (32 - bit_index));
+        x->word[word_length - base_index - 1] =
+            x->word[word_length - 1] >> bit_index;
+    }
+
+    /* now wrap up the final portion */
+    for (i = word_length - base_index; i < word_length; i++)
+        x->word[i] = 0;
+}
+
+int octet_string_is_eq(uint8_t *a, uint8_t *b, int len)
+{
+    uint8_t *end = b + len;
+    uint8_t accumulator = 0;
+
+    /*
+     * We use this somewhat obscure implementation to try to ensure the running
+     * time only depends on len, even accounting for compiler optimizations.
+     * The accumulator ends up zero iff the strings are equal.
+     */
+    while (b < end)
+        accumulator |= (*a++ ^ *b++);
+
+    /* Return 1 if *not* equal. */
+    return accumulator != 0;
+}
+
+void srtp_cleanse(void *s, size_t len)
+{
+    volatile unsigned char *p = (volatile unsigned char *)s;
+    while (len--)
+        *p++ = 0;
+}
+
+void octet_string_set_to_zero(void *s, size_t len)
+{
+#if defined(OPENSSL) && !defined(OPENSSL_CLEANSE_BROKEN)
+    OPENSSL_cleanse(s, len);
+#else
+    srtp_cleanse(s, len);
+#endif
+}
+
+#ifdef TESTAPP_SOURCE
+
+static const char b64chars[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+                               "abcdefghijklmnopqrstuvwxyz0123456789+/";
+
+static int base64_block_to_octet_triple(char *out, char *in)
+{
+    unsigned char sextets[4] = { 0 };
+    int j = 0;
+    int i;
+
+    for (i = 0; i < 4; i++) {
+        char *p = strchr(b64chars, in[i]);
+        if (p != NULL)
+            sextets[i] = p - b64chars;
+        else
+            j++;
+    }
+
+    out[0] = (sextets[0] << 2) | (sextets[1] >> 4);
+    if (j < 2)
+        out[1] = (sextets[1] << 4) | (sextets[2] >> 2);
+    if (j < 1)
+        out[2] = (sextets[2] << 6) | sextets[3];
+    return j;
+}
+
+int base64_string_to_octet_string(char *out, int *pad, char *in, int len)
+{
+    int k = 0;
+    int i = 0;
+    int j = 0;
+    if (len % 4 != 0)
+        return 0;
+
+    while (i < len && j == 0) {
+        j = base64_block_to_octet_triple(out + k, in + i);
+        k += 3;
+        i += 4;
+    }
+    *pad = j;
+    return i;
+}
+
+#endif
diff --git a/netwerk/srtp/src/crypto/math/stat.c b/netwerk/srtp/src/crypto/math/stat.c
new file mode 100644
index 0000000000..6dd332b0cf
--- /dev/null
+++ b/netwerk/srtp/src/crypto/math/stat.c
@@ -0,0 +1,213 @@
+/*
+ * stats.c
+ *
+ * statistical tests
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+
+/*
+ *
+ * Copyright (c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include "stat.h"
+
+srtp_debug_module_t srtp_mod_stat = {
+    0,                  /* debugging is off by default */
+    (char *)"stat test" /* printable module name       */
+};
+
+/*
+ * each test assumes that 20,000 bits (2500 octets) of data is
+ * provided as input
+ */
+
+#define STAT_TEST_DATA_LEN 2500
+
+srtp_err_status_t stat_test_monobit(uint8_t *data)
+{
+    uint8_t *data_end = data + STAT_TEST_DATA_LEN;
+    uint16_t ones_count;
+
+    ones_count = 0;
+    while (data < data_end) {
+        ones_count += octet_get_weight(*data);
+        data++;
+    }
+
+    debug_print(srtp_mod_stat, "bit count: %d", ones_count);
+
+    if ((ones_count < 9725) || (ones_count > 10275))
+        return srtp_err_status_algo_fail;
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t stat_test_poker(uint8_t *data)
+{
+    int i;
+    uint8_t *data_end = data + STAT_TEST_DATA_LEN;
+    double poker;
+    uint16_t f[16] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
+
+    while (data < data_end) {
+        f[*data & 0x0f]++; /* increment freq. count for low nibble  */
+        f[(*data) >> 4]++; /* increment freq. count for high nibble */
+        data++;
+    }
+
+    poker = 0.0;
+    for (i = 0; i < 16; i++)
+        poker += (double)f[i] * f[i];
+
+    poker *= (16.0 / 5000.0);
+    poker -= 5000.0;
+
+    debug_print(srtp_mod_stat, "poker test: %f\n", poker);
+
+    if ((poker < 2.16) || (poker > 46.17))
+        return srtp_err_status_algo_fail;
+
+    return srtp_err_status_ok;
+}
+
+/*
+ * runs[i] holds the number of runs of size (i-1)
+ */
+
+srtp_err_status_t stat_test_runs(uint8_t *data)
+{
+    uint8_t *data_end = data + STAT_TEST_DATA_LEN;
+    uint16_t runs[6] = { 0, 0, 0, 0, 0, 0 };
+    uint16_t gaps[6] = { 0, 0, 0, 0, 0, 0 };
+    uint16_t lo_value[6] = { 2315, 1114, 527, 240, 103, 103 };
+    uint16_t hi_value[6] = { 2685, 1386, 723, 384, 209, 209 };
+    int state = 0;
+    uint16_t mask;
+    int i;
+
+    /*
+     * the state variable holds the number of bits in the
+     * current run (or gap, if negative)
+     */
+
+    while (data < data_end) {
+        /* loop over the bits of this byte */
+        for (mask = 1; mask < 256; mask <<= 1) {
+            if (*data & mask) {
+                /* next bit is a one  */
+                if (state > 0) {
+                    /* prefix is a run, so increment the run-count  */
+                    state++;
+
+                    /* check for long runs */
+                    if (state > 25) {
+                        debug_print(srtp_mod_stat, ">25 runs: %d", state);
+                        return srtp_err_status_algo_fail;
+                    }
+
+                } else if (state < 0) {
+                    /* prefix is a gap  */
+                    if (state < -25) {
+                        debug_print(srtp_mod_stat, ">25 gaps: %d", state);
+                        return srtp_err_status_algo_fail; /* long-runs test
+                                                             failed   */
+                    }
+                    if (state < -6) {
+                        state = -6; /* group together gaps > 5 */
+                    }
+                    gaps[-1 - state]++; /* increment gap count      */
+                    state = 1;          /* set state at one set bit */
+                } else {
+                    /* state is zero; this happens only at initialization */
+                    state = 1;
+                }
+            } else {
+                /* next bit is a zero  */
+                if (state > 0) {
+                    /* prefix is a run */
+                    if (state > 25) {
+                        debug_print(srtp_mod_stat, ">25 runs (2): %d", state);
+                        return srtp_err_status_algo_fail; /* long-runs test
+                                                             failed   */
+                    }
+                    if (state > 6) {
+                        state = 6; /* group together runs > 5 */
+                    }
+                    runs[state - 1]++; /* increment run count       */
+                    state = -1;        /* set state at one zero bit */
+                } else if (state < 0) {
+                    /* prefix is a gap, so increment gap-count (decrement state)
+                     */
+                    state--;
+
+                    /* check for long gaps */
+                    if (state < -25) {
+                        debug_print(srtp_mod_stat, ">25 gaps (2): %d", state);
+                        return srtp_err_status_algo_fail;
+                    }
+
+                } else {
+                    /* state is zero; this happens only at initialization */
+                    state = -1;
+                }
+            }
+        }
+
+        /* move along to next octet */
+        data++;
+    }
+
+    if (srtp_mod_stat.on) {
+        debug_print(srtp_mod_stat, "runs test", NULL);
+        for (i = 0; i < 6; i++)
+            debug_print(srtp_mod_stat, "  runs[]: %d", runs[i]);
+        for (i = 0; i < 6; i++)
+            debug_print(srtp_mod_stat, "  gaps[]: %d", gaps[i]);
+    }
+
+    /* check run and gap counts against the fixed limits */
+    for (i = 0; i < 6; i++)
+        if ((runs[i] < lo_value[i]) || (runs[i] > hi_value[i]) ||
+            (gaps[i] < lo_value[i]) || (gaps[i] > hi_value[i]))
+            return srtp_err_status_algo_fail;
+
+    return srtp_err_status_ok;
+}
diff --git a/netwerk/srtp/src/crypto/replay/rdb.c b/netwerk/srtp/src/crypto/replay/rdb.c
new file mode 100644
index 0000000000..ab1c7b55b6
--- /dev/null
+++ b/netwerk/srtp/src/crypto/replay/rdb.c
@@ -0,0 +1,137 @@
+/*
+ * rdb.c
+ *
+ * Implements a replay database for packet security
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+
+/*
+ *
+ * Copyright (c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include "rdb.h"
+
+/*
+ * this implementation of a replay database works as follows:
+ *
+ * window_start is the index of the first packet in the window
+ * bitmask      a bit-buffer, containing the most recently entered
+ *              index as the leftmost bit
+ *
+ */
+
+/* srtp_rdb_init initalizes rdb */
+srtp_err_status_t srtp_rdb_init(srtp_rdb_t *rdb)
+{
+    v128_set_to_zero(&rdb->bitmask);
+    rdb->window_start = 0;
+    return srtp_err_status_ok;
+}
+
+/*
+ * srtp_rdb_check checks to see if index appears in rdb
+ */
+srtp_err_status_t srtp_rdb_check(const srtp_rdb_t *rdb, uint32_t p_index)
+{
+    /* if the index appears after (or at very end of) the window, its good */
+    if (p_index >= rdb->window_start + rdb_bits_in_bitmask) {
+        return srtp_err_status_ok;
+    }
+
+    /* if the index appears before the window, its bad */
+    if (p_index < rdb->window_start) {
+        return srtp_err_status_replay_old;
+    }
+
+    /* otherwise, the index appears within the window, so check the bitmask */
+    if (v128_get_bit(&rdb->bitmask, (p_index - rdb->window_start)) == 1) {
+        return srtp_err_status_replay_fail;
+    }
+
+    /* otherwise, the index is okay */
+    return srtp_err_status_ok;
+}
+
+/*
+ * srtp_rdb_add_index adds index to srtp_rdb_t (and does *not* check if
+ * index appears in db)
+ *
+ * this function should be called only after srtp_rdb_check has
+ * indicated that the index does not appear in the rdb, e.g., a mutex
+ * should protect the rdb between these calls
+ */
+srtp_err_status_t srtp_rdb_add_index(srtp_rdb_t *rdb, uint32_t p_index)
+{
+    unsigned int delta;
+
+    if (p_index < rdb->window_start)
+        return srtp_err_status_replay_fail;
+
+    delta = (p_index - rdb->window_start);
+    if (delta < rdb_bits_in_bitmask) {
+        /* if the p_index is within the window, set the appropriate bit */
+        v128_set_bit(&rdb->bitmask, delta);
+
+    } else {
+        delta -= rdb_bits_in_bitmask - 1;
+
+        /* shift the window forward by delta bits*/
+        v128_left_shift(&rdb->bitmask, delta);
+        v128_set_bit(&rdb->bitmask, rdb_bits_in_bitmask - 1);
+        rdb->window_start += delta;
+    }
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_rdb_increment(srtp_rdb_t *rdb)
+{
+    if (rdb->window_start >= 0x7fffffff) {
+        return srtp_err_status_key_expired;
+    }
+    ++rdb->window_start;
+    return srtp_err_status_ok;
+}
+
+uint32_t srtp_rdb_get_value(const srtp_rdb_t *rdb)
+{
+    return rdb->window_start;
+}
diff --git a/netwerk/srtp/src/crypto/replay/rdbx.c b/netwerk/srtp/src/crypto/replay/rdbx.c
new file mode 100644
index 0000000000..40cba01a1f
--- /dev/null
+++ b/netwerk/srtp/src/crypto/replay/rdbx.c
@@ -0,0 +1,386 @@
+/*
+ * rdbx.c
+ *
+ * a replay database with extended range, using a rollover counter
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+
+/*
+ *
+ * Copyright (c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include "rdbx.h"
+
+/*
+ * from RFC 3711:
+ *
+ * A receiver reconstructs the index i of a packet with sequence
+ *  number SEQ using the estimate
+ *
+ * i = 2^16 * v + SEQ,
+ *
+ * where v is chosen from the set { ROC-1, ROC, ROC+1 } such that i is
+ * closest to the value 2^16 * ROC + s_l.  If the value r+1 is used,
+ * then the rollover counter r in the cryptographic context is
+ * incremented by one (if the packet containing s is authentic).
+ */
+
+/*
+ * rdbx implementation notes
+ *
+ * A srtp_xtd_seq_num_t is essentially a sequence number for which some of
+ * the data on the wire are implicit.  It logically consists of a
+ * rollover counter and a sequence number; the sequence number is the
+ * explicit part, and the rollover counter is the implicit part.
+ *
+ * Upon receiving a sequence_number (e.g. in a newly received SRTP
+ * packet), the complete srtp_xtd_seq_num_t can be estimated by using a
+ * local srtp_xtd_seq_num_t as a basis.  This is done using the function
+ * srtp_index_guess(&local, &guess, seq_from_packet).  This function
+ * returns the difference of the guess and the local value.  The local
+ * srtp_xtd_seq_num_t can be moved forward to the guess using the function
+ * srtp_index_advance(&guess, delta), where delta is the difference.
+ *
+ *
+ * A srtp_rdbx_t consists of a srtp_xtd_seq_num_t and a bitmask.  The index is
+ * highest sequence number that has been received, and the bitmask indicates
+ * which of the recent indicies have been received as well.  The
+ * highest bit in the bitmask corresponds to the index in the bitmask.
+ */
+
+void srtp_index_init(srtp_xtd_seq_num_t *pi)
+{
+#ifdef NO_64BIT_MATH
+    *pi = make64(0, 0);
+#else
+    *pi = 0;
+#endif
+}
+
+void srtp_index_advance(srtp_xtd_seq_num_t *pi, srtp_sequence_number_t s)
+{
+#ifdef NO_64BIT_MATH
+    /* a > ~b means a+b will generate a carry */
+    /* s is uint16 here */
+    *pi = make64(high32(*pi) + (s > ~low32(*pi) ? 1 : 0), low32(*pi) + s);
+#else
+    *pi += s;
+#endif
+}
+
+/*
+ * srtp_index_guess(local, guess, s)
+ *
+ * given a srtp_xtd_seq_num_t local (which represents the last
+ * known-to-be-good received srtp_xtd_seq_num_t) and a sequence number s
+ * (from a newly arrived packet), sets the contents of *guess to
+ * contain the best guess of the packet index to which s corresponds,
+ * and returns the difference between *guess and *local
+ *
+ * nota bene - the output is a signed integer, DON'T cast it to a
+ * unsigned integer!
+ */
+
+int32_t srtp_index_guess(const srtp_xtd_seq_num_t *local,
+                         srtp_xtd_seq_num_t *guess,
+                         srtp_sequence_number_t s)
+{
+#ifdef NO_64BIT_MATH
+    uint32_t local_roc = ((high32(*local) << 16) | (low32(*local) >> 16));
+    uint16_t local_seq = (uint16_t)(low32(*local));
+#else
+    uint32_t local_roc = (uint32_t)(*local >> 16);
+    uint16_t local_seq = (uint16_t)*local;
+#endif
+    uint32_t guess_roc;
+    uint16_t guess_seq;
+    int32_t difference;
+
+    if (local_seq < seq_num_median) {
+        if (s - local_seq > seq_num_median) {
+            guess_roc = local_roc - 1;
+            difference = s - local_seq - seq_num_max;
+        } else {
+            guess_roc = local_roc;
+            difference = s - local_seq;
+        }
+    } else {
+        if (local_seq - seq_num_median > s) {
+            guess_roc = local_roc + 1;
+            difference = s - local_seq + seq_num_max;
+        } else {
+            guess_roc = local_roc;
+            difference = s - local_seq;
+        }
+    }
+    guess_seq = s;
+
+/* Note: guess_roc is 32 bits, so this generates a 48-bit result! */
+#ifdef NO_64BIT_MATH
+    *guess = make64(guess_roc >> 16, (guess_roc << 16) | guess_seq);
+#else
+    *guess = (((uint64_t)guess_roc) << 16) | guess_seq;
+#endif
+
+    return difference;
+}
+
+/*
+ * rdbx
+ *
+ */
+
+/*
+ *  srtp_rdbx_init(&r, ws) initializes the srtp_rdbx_t pointed to by r with
+ * window size ws
+ */
+srtp_err_status_t srtp_rdbx_init(srtp_rdbx_t *rdbx, unsigned long ws)
+{
+    if (ws == 0) {
+        return srtp_err_status_bad_param;
+    }
+
+    if (bitvector_alloc(&rdbx->bitmask, ws) != 0) {
+        return srtp_err_status_alloc_fail;
+    }
+
+    srtp_index_init(&rdbx->index);
+
+    return srtp_err_status_ok;
+}
+
+/*
+ *  srtp_rdbx_dealloc(&r) frees memory for the srtp_rdbx_t pointed to by r
+ */
+srtp_err_status_t srtp_rdbx_dealloc(srtp_rdbx_t *rdbx)
+{
+    bitvector_dealloc(&rdbx->bitmask);
+
+    return srtp_err_status_ok;
+}
+
+/*
+ * srtp_rdbx_set_roc(rdbx, roc) initalizes the srtp_rdbx_t at the location rdbx
+ * to have the rollover counter value roc.  If that value is less than
+ * the current rollover counter value, then the function returns
+ * srtp_err_status_replay_old; otherwise, srtp_err_status_ok is returned.
+ *
+ */
+srtp_err_status_t srtp_rdbx_set_roc(srtp_rdbx_t *rdbx, uint32_t roc)
+{
+    bitvector_set_to_zero(&rdbx->bitmask);
+
+#ifdef NO_64BIT_MATH
+#error not yet implemented
+#else
+
+    /* make sure that we're not moving backwards */
+    if (roc < (rdbx->index >> 16)) {
+        return srtp_err_status_replay_old;
+    }
+
+    rdbx->index &= 0xffff;                /* retain lowest 16 bits */
+    rdbx->index |= ((uint64_t)roc) << 16; /* set ROC */
+#endif
+
+    return srtp_err_status_ok;
+}
+
+/*
+ * srtp_rdbx_get_packet_index(rdbx) returns the value of the packet index
+ * for the srtp_rdbx_t pointed to by rdbx
+ *
+ */
+srtp_xtd_seq_num_t srtp_rdbx_get_packet_index(const srtp_rdbx_t *rdbx)
+{
+    return rdbx->index;
+}
+
+/*
+ * srtp_rdbx_get_window_size(rdbx) returns the value of the window size
+ * for the srtp_rdbx_t pointed to by rdbx
+ *
+ */
+unsigned long srtp_rdbx_get_window_size(const srtp_rdbx_t *rdbx)
+{
+    return bitvector_get_length(&rdbx->bitmask);
+}
+
+/*
+ * srtp_rdbx_check(&r, delta) checks to see if the srtp_xtd_seq_num_t
+ * which is at rdbx->index + delta is in the rdb
+ */
+srtp_err_status_t srtp_rdbx_check(const srtp_rdbx_t *rdbx, int delta)
+{
+    if (delta > 0) { /* if delta is positive, it's good */
+        return srtp_err_status_ok;
+    } else if ((int)(bitvector_get_length(&rdbx->bitmask) - 1) + delta < 0) {
+        /* if delta is lower than the bitmask, it's bad */
+        return srtp_err_status_replay_old;
+    } else if (bitvector_get_bit(
+                   &rdbx->bitmask,
+                   (int)(bitvector_get_length(&rdbx->bitmask) - 1) + delta) ==
+               1) {
+        /* delta is within the window, so check the bitmask */
+        return srtp_err_status_replay_fail;
+    }
+    /* otherwise, the index is okay */
+
+    return srtp_err_status_ok;
+}
+
+/*
+ * srtp_rdbx_add_index adds the srtp_xtd_seq_num_t at rdbx->window_start + d to
+ * replay_db (and does *not* check if that srtp_xtd_seq_num_t appears in db)
+ *
+ * this function should be called only after replay_check has
+ * indicated that the index does not appear in the rdbx, e.g., a mutex
+ * should protect the rdbx between these calls if need be
+ */
+srtp_err_status_t srtp_rdbx_add_index(srtp_rdbx_t *rdbx, int delta)
+{
+    if (delta > 0) {
+        /* shift forward by delta */
+        srtp_index_advance(&rdbx->index, delta);
+        bitvector_left_shift(&rdbx->bitmask, delta);
+        bitvector_set_bit(&rdbx->bitmask,
+                          bitvector_get_length(&rdbx->bitmask) - 1);
+    } else {
+        /* delta is in window */
+        bitvector_set_bit(&rdbx->bitmask,
+                          bitvector_get_length(&rdbx->bitmask) - 1 + delta);
+    }
+
+    /* note that we need not consider the case that delta == 0 */
+
+    return srtp_err_status_ok;
+}
+
+/*
+ * srtp_rdbx_estimate_index(rdbx, guess, s)
+ *
+ * given an rdbx and a sequence number s (from a newly arrived packet),
+ * sets the contents of *guess to contain the best guess of the packet
+ * index to which s corresponds, and returns the difference between
+ * *guess and the locally stored synch info
+ */
+int32_t srtp_rdbx_estimate_index(const srtp_rdbx_t *rdbx,
+                                 srtp_xtd_seq_num_t *guess,
+                                 srtp_sequence_number_t s)
+{
+/*
+ * if the sequence number and rollover counter in the rdbx are
+ * non-zero, then use the srtp_index_guess(...) function, otherwise, just
+ * set the rollover counter to zero (since the srtp_index_guess(...)
+ * function might incorrectly guess that the rollover counter is
+ * 0xffffffff)
+ */
+
+#ifdef NO_64BIT_MATH
+    /* seq_num_median = 0x8000 */
+    if (high32(rdbx->index) > 0 || low32(rdbx->index) > seq_num_median)
+#else
+    if (rdbx->index > seq_num_median)
+#endif
+    {
+        return srtp_index_guess(&rdbx->index, guess, s);
+    }
+
+#ifdef NO_64BIT_MATH
+    *guess = make64(0, (uint32_t)s);
+#else
+    *guess = s;
+#endif
+
+#ifdef NO_64BIT_MATH
+    return s - (uint16_t)low32(rdbx->index);
+#else
+    return s - (uint16_t)rdbx->index;
+#endif
+}
+
+/*
+ * srtp_rdbx_get_roc(rdbx)
+ *
+ * Get the current rollover counter
+ *
+ */
+uint32_t srtp_rdbx_get_roc(const srtp_rdbx_t *rdbx)
+{
+    uint32_t roc;
+
+#ifdef NO_64BIT_MATH
+    roc = ((high32(rdbx->index) << 16) | (low32(rdbx->index) >> 16));
+#else
+    roc = (uint32_t)(rdbx->index >> 16);
+#endif
+
+    return roc;
+}
+
+/*
+ * srtp_rdbx_set_roc_seq(rdbx, roc, seq) initalizes the srtp_rdbx_t at the
+ * location rdbx to have the rollover counter value roc and packet sequence
+ * number seq.  If the new rollover counter value is less than the current
+ * rollover counter value, then the function returns
+ * srtp_err_status_replay_old, otherwise, srtp_err_status_ok is returned.
+ */
+srtp_err_status_t srtp_rdbx_set_roc_seq(srtp_rdbx_t *rdbx,
+                                        uint32_t roc,
+                                        uint16_t seq)
+{
+#ifdef NO_64BIT_MATH
+#error not yet implemented
+#else
+
+    /* make sure that we're not moving backwards */
+    if (roc < (rdbx->index >> 16)) {
+        return srtp_err_status_replay_old;
+    }
+
+    rdbx->index = seq;
+    rdbx->index |= ((uint64_t)roc) << 16; /* set ROC */
+#endif
+
+    bitvector_set_to_zero(&rdbx->bitmask);
+
+    return srtp_err_status_ok;
+}
diff --git a/netwerk/srtp/src/crypto/replay/ut_sim.c b/netwerk/srtp/src/crypto/replay/ut_sim.c
new file mode 100644
index 0000000000..c621c0e9f2
--- /dev/null
+++ b/netwerk/srtp/src/crypto/replay/ut_sim.c
@@ -0,0 +1,104 @@
+/*
+ * ut_sim.c
+ *
+ * an unreliable transport simulator
+ * (for testing replay databases and suchlike)
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+
+/*
+ *
+ * Copyright (c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include "ut_sim.h"
+
+int ut_compar(const void *a, const void *b)
+{
+    return rand() > (RAND_MAX / 2) ? -1 : 1;
+}
+
+void ut_init(ut_connection *utc)
+{
+    int i;
+    utc->index = 0;
+
+    for (i = 0; i < UT_BUF; i++)
+        utc->buffer[i] = i;
+
+    qsort(utc->buffer, UT_BUF, sizeof(uint32_t), ut_compar);
+
+    utc->index = UT_BUF - 1;
+}
+
+uint32_t ut_next_index(ut_connection *utc)
+{
+    uint32_t tmp;
+
+    tmp = utc->buffer[0];
+    utc->index++;
+    utc->buffer[0] = utc->index;
+
+    qsort(utc->buffer, UT_BUF, sizeof(uint32_t), ut_compar);
+
+    return tmp;
+}
+
+#ifdef UT_TEST
+
+#include <stdio.h>
+
+int main()
+{
+    uint32_t i, irecvd, idiff;
+    ut_connection utc;
+
+    ut_init(&utc);
+
+    for (i = 0; i < 1000; i++) {
+        irecvd = ut_next_index(&utc);
+        idiff = i - irecvd;
+        printf("%lu\t%lu\t%d\n", i, irecvd, idiff);
+    }
+
+    return 0;
+}
+
+#endif
diff --git a/netwerk/srtp/src/crypto/test/aes_calc.c b/netwerk/srtp/src/crypto/test/aes_calc.c
new file mode 100644
index 0000000000..b362fd57fc
--- /dev/null
+++ b/netwerk/srtp/src/crypto/test/aes_calc.c
@@ -0,0 +1,157 @@
+/*
+ * aes_calc.c
+ *
+ * A simple AES calculator for generating AES encryption values
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+
+/*
+ *
+ * Copyright (c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+/*
+
+ Example usage (with first NIST FIPS 197 test case):
+
+ [sh]$ test/aes_calc 000102030405060708090a0b0c0d0e0f \
+       00112233445566778899aabbccddeeff -v
+
+ plaintext:      00112233445566778899aabbccddeeff
+ key:            000102030405060708090a0b0c0d0e0f
+ ciphertext:     69c4e0d86a7b0430d8cdb78070b4c55a
+
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include "aes.h"
+#include <stdio.h>
+#include <string.h>
+#include "util.h"
+
+void usage(char *prog_name)
+{
+    printf("usage: %s <key> <plaintext> [-v]\n", prog_name);
+    exit(255);
+}
+
+#define AES_MAX_KEY_LEN 32
+
+int main(int argc, char *argv[])
+{
+    v128_t data;
+    uint8_t key[AES_MAX_KEY_LEN];
+    srtp_aes_expanded_key_t exp_key;
+    int key_len, len;
+    int verbose = 0;
+    srtp_err_status_t status;
+
+    if (argc == 3) {
+        /* we're not in verbose mode */
+        verbose = 0;
+    } else if (argc == 4) {
+        if (strncmp(argv[3], "-v", 2) == 0) {
+            /* we're in verbose mode */
+            verbose = 1;
+        } else {
+            /* unrecognized flag, complain and exit */
+            usage(argv[0]);
+        }
+    } else {
+        /* we've been fed the wrong number of arguments - compain and exit */
+        usage(argv[0]);
+    }
+
+    /* read in key, checking length */
+    if (strlen(argv[1]) > AES_MAX_KEY_LEN * 2) {
+        fprintf(stderr, "error: too many digits in key "
+                        "(should be at most %d hexadecimal digits, found %u)\n",
+                AES_MAX_KEY_LEN * 2, (unsigned)strlen(argv[1]));
+        exit(1);
+    }
+    len = hex_string_to_octet_string((char *)key, argv[1], AES_MAX_KEY_LEN * 2);
+    /* check that hex string is the right length */
+    if (len != 32 && len != 48 && len != 64) {
+        fprintf(stderr, "error: bad number of digits in key "
+                        "(should be 32/48/64 hexadecimal digits, found %d)\n",
+                len);
+        exit(1);
+    }
+    key_len = len / 2;
+
+    /* read in plaintext, checking length */
+    if (strlen(argv[2]) > 16 * 2) {
+        fprintf(stderr, "error: too many digits in plaintext "
+                        "(should be %d hexadecimal digits, found %u)\n",
+                16 * 2, (unsigned)strlen(argv[2]));
+        exit(1);
+    }
+    len = hex_string_to_octet_string((char *)(&data), argv[2], 16 * 2);
+    /* check that hex string is the right length */
+    if (len < 16 * 2) {
+        fprintf(stderr, "error: too few digits in plaintext "
+                        "(should be %d hexadecimal digits, found %d)\n",
+                16 * 2, len);
+        exit(1);
+    }
+
+    if (verbose) {
+        /* print out plaintext */
+        printf("plaintext:\t%s\n",
+               octet_string_hex_string((uint8_t *)&data, 16));
+    }
+
+    /* encrypt plaintext */
+    status = srtp_aes_expand_encryption_key(key, key_len, &exp_key);
+    if (status) {
+        fprintf(stderr, "error: AES key expansion failed.\n");
+        exit(1);
+    }
+
+    srtp_aes_encrypt(&data, &exp_key);
+
+    /* write ciphertext to output */
+    if (verbose) {
+        printf("key:\t\t%s\n", octet_string_hex_string(key, key_len));
+        printf("ciphertext:\t");
+    }
+    printf("%s\n", v128_hex_string(&data));
+
+    return 0;
+}
diff --git a/netwerk/srtp/src/crypto/test/cipher_driver.c b/netwerk/srtp/src/crypto/test/cipher_driver.c
new file mode 100644
index 0000000000..4959c90c02
--- /dev/null
+++ b/netwerk/srtp/src/crypto/test/cipher_driver.c
@@ -0,0 +1,604 @@
+/*
+ * cipher_driver.c
+ *
+ * A driver for the generic cipher type
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+
+/*
+ *
+ * Copyright (c) 2001-2017 Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>  /* for printf() */
+#include <stdlib.h> /* for rand() */
+#include "getopt_s.h"
+#include "cipher.h"
+#ifdef GCM
+#include "aes_icm_ext.h"
+#include "aes_gcm.h"
+#else
+#include "aes_icm.h"
+#endif
+
+#define PRINT_DEBUG 0
+
+void cipher_driver_test_throughput(srtp_cipher_t *c);
+
+srtp_err_status_t cipher_driver_self_test(srtp_cipher_type_t *ct);
+
+/*
+ * cipher_driver_test_buffering(ct) tests the cipher's output
+ * buffering for correctness by checking the consistency of succesive
+ * calls
+ */
+
+srtp_err_status_t cipher_driver_test_buffering(srtp_cipher_t *c);
+
+/*
+ * functions for testing cipher cache thrash
+ */
+srtp_err_status_t cipher_driver_test_array_throughput(srtp_cipher_type_t *ct,
+                                                      int klen,
+                                                      int num_cipher);
+
+void cipher_array_test_throughput(srtp_cipher_t *ca[], int num_cipher);
+
+uint64_t cipher_array_bits_per_second(srtp_cipher_t *cipher_array[],
+                                      int num_cipher,
+                                      unsigned octets_in_buffer,
+                                      int num_trials);
+
+srtp_err_status_t cipher_array_delete(srtp_cipher_t *cipher_array[],
+                                      int num_cipher);
+
+srtp_err_status_t cipher_array_alloc_init(srtp_cipher_t ***cipher_array,
+                                          int num_ciphers,
+                                          srtp_cipher_type_t *ctype,
+                                          int klen);
+
+void usage(char *prog_name)
+{
+    printf("usage: %s [ -t | -v | -a ]\n", prog_name);
+    exit(255);
+}
+
+void check_status(srtp_err_status_t s)
+{
+    if (s) {
+        printf("error (code %d)\n", s);
+        exit(s);
+    }
+    return;
+}
+
+/*
+ * null_cipher and srtp_aes_icm are the cipher meta-objects
+ * defined in the files in crypto/cipher subdirectory.  these are
+ * declared external so that we can use these cipher types here
+ */
+
+extern srtp_cipher_type_t srtp_null_cipher;
+extern srtp_cipher_type_t srtp_aes_icm_128;
+extern srtp_cipher_type_t srtp_aes_icm_256;
+#ifdef GCM
+extern srtp_cipher_type_t srtp_aes_icm_192;
+extern srtp_cipher_type_t srtp_aes_gcm_128;
+extern srtp_cipher_type_t srtp_aes_gcm_256;
+#endif
+
+int main(int argc, char *argv[])
+{
+    srtp_cipher_t *c = NULL;
+    srtp_err_status_t status;
+    /* clang-format off */
+    unsigned char test_key[48] = {
+        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+        0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+        0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+        0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f,
+        0x20, 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27,
+        0x28, 0x29, 0x2a, 0x2b, 0x2c, 0x2d, 0x2e, 0x2f,
+    };
+    /* clang-format on */
+    int q;
+    unsigned do_timing_test = 0;
+    unsigned do_validation = 0;
+    unsigned do_array_timing_test = 0;
+
+    /* process input arguments */
+    while (1) {
+        q = getopt_s(argc, argv, "tva");
+        if (q == -1)
+            break;
+        switch (q) {
+        case 't':
+            do_timing_test = 1;
+            break;
+        case 'v':
+            do_validation = 1;
+            break;
+        case 'a':
+            do_array_timing_test = 1;
+            break;
+        default:
+            usage(argv[0]);
+        }
+    }
+
+    printf("cipher test driver\n"
+           "David A. McGrew\n"
+           "Cisco Systems, Inc.\n");
+
+    if (!do_validation && !do_timing_test && !do_array_timing_test)
+        usage(argv[0]);
+
+    /* arry timing (cache thrash) test */
+    if (do_array_timing_test) {
+        int max_num_cipher = 1 << 16; /* number of ciphers in cipher_array */
+        int num_cipher;
+
+        for (num_cipher = 1; num_cipher < max_num_cipher; num_cipher *= 8)
+            cipher_driver_test_array_throughput(&srtp_null_cipher, 0,
+                                                num_cipher);
+
+        for (num_cipher = 1; num_cipher < max_num_cipher; num_cipher *= 8)
+            cipher_driver_test_array_throughput(
+                &srtp_aes_icm_128, SRTP_AES_ICM_128_KEY_LEN_WSALT, num_cipher);
+
+        for (num_cipher = 1; num_cipher < max_num_cipher; num_cipher *= 8)
+            cipher_driver_test_array_throughput(
+                &srtp_aes_icm_256, SRTP_AES_ICM_256_KEY_LEN_WSALT, num_cipher);
+
+#ifdef GCM
+        for (num_cipher = 1; num_cipher < max_num_cipher; num_cipher *= 8)
+            cipher_driver_test_array_throughput(
+                &srtp_aes_icm_192, SRTP_AES_ICM_192_KEY_LEN_WSALT, num_cipher);
+
+        for (num_cipher = 1; num_cipher < max_num_cipher; num_cipher *= 8) {
+            cipher_driver_test_array_throughput(
+                &srtp_aes_gcm_128, SRTP_AES_GCM_128_KEY_LEN_WSALT, num_cipher);
+        }
+
+        for (num_cipher = 1; num_cipher < max_num_cipher; num_cipher *= 8) {
+            cipher_driver_test_array_throughput(
+                &srtp_aes_gcm_256, SRTP_AES_GCM_256_KEY_LEN_WSALT, num_cipher);
+        }
+#endif
+    }
+
+    if (do_validation) {
+        cipher_driver_self_test(&srtp_null_cipher);
+        cipher_driver_self_test(&srtp_aes_icm_128);
+        cipher_driver_self_test(&srtp_aes_icm_256);
+#ifdef GCM
+        cipher_driver_self_test(&srtp_aes_icm_192);
+        cipher_driver_self_test(&srtp_aes_gcm_128);
+        cipher_driver_self_test(&srtp_aes_gcm_256);
+#endif
+    }
+
+    /* do timing and/or buffer_test on srtp_null_cipher */
+    status = srtp_cipher_type_alloc(&srtp_null_cipher, &c, 0, 0);
+    check_status(status);
+
+    status = srtp_cipher_init(c, NULL);
+    check_status(status);
+
+    if (do_timing_test)
+        cipher_driver_test_throughput(c);
+    if (do_validation) {
+        status = cipher_driver_test_buffering(c);
+        check_status(status);
+    }
+    status = srtp_cipher_dealloc(c);
+    check_status(status);
+
+    /* run the throughput test on the aes_icm cipher (128-bit key) */
+    status = srtp_cipher_type_alloc(&srtp_aes_icm_128, &c,
+                                    SRTP_AES_ICM_128_KEY_LEN_WSALT, 0);
+    if (status) {
+        fprintf(stderr, "error: can't allocate cipher\n");
+        exit(status);
+    }
+
+    status = srtp_cipher_init(c, test_key);
+    check_status(status);
+
+    if (do_timing_test)
+        cipher_driver_test_throughput(c);
+
+    if (do_validation) {
+        status = cipher_driver_test_buffering(c);
+        check_status(status);
+    }
+
+    status = srtp_cipher_dealloc(c);
+    check_status(status);
+
+    /* repeat the tests with 256-bit keys */
+    status = srtp_cipher_type_alloc(&srtp_aes_icm_256, &c,
+                                    SRTP_AES_ICM_256_KEY_LEN_WSALT, 0);
+    if (status) {
+        fprintf(stderr, "error: can't allocate cipher\n");
+        exit(status);
+    }
+
+    status = srtp_cipher_init(c, test_key);
+    check_status(status);
+
+    if (do_timing_test)
+        cipher_driver_test_throughput(c);
+
+    if (do_validation) {
+        status = cipher_driver_test_buffering(c);
+        check_status(status);
+    }
+
+    status = srtp_cipher_dealloc(c);
+    check_status(status);
+
+#ifdef GCM
+    /* run the throughput test on the aes_gcm_128 cipher */
+    status = srtp_cipher_type_alloc(&srtp_aes_gcm_128, &c,
+                                    SRTP_AES_GCM_128_KEY_LEN_WSALT, 8);
+    if (status) {
+        fprintf(stderr, "error: can't allocate GCM 128 cipher\n");
+        exit(status);
+    }
+    status = srtp_cipher_init(c, test_key);
+    check_status(status);
+    if (do_timing_test) {
+        cipher_driver_test_throughput(c);
+    }
+
+    // GCM ciphers don't do buffering; they're "one shot"
+
+    status = srtp_cipher_dealloc(c);
+    check_status(status);
+
+    /* run the throughput test on the aes_gcm_256 cipher */
+    status = srtp_cipher_type_alloc(&srtp_aes_gcm_256, &c,
+                                    SRTP_AES_GCM_256_KEY_LEN_WSALT, 16);
+    if (status) {
+        fprintf(stderr, "error: can't allocate GCM 256 cipher\n");
+        exit(status);
+    }
+    status = srtp_cipher_init(c, test_key);
+    check_status(status);
+    if (do_timing_test) {
+        cipher_driver_test_throughput(c);
+    }
+
+    // GCM ciphers don't do buffering; they're "one shot"
+
+    status = srtp_cipher_dealloc(c);
+    check_status(status);
+#endif
+
+    return 0;
+}
+
+void cipher_driver_test_throughput(srtp_cipher_t *c)
+{
+    int i;
+    int min_enc_len = 32;
+    int max_enc_len = 2048; /* should be a power of two */
+    int num_trials = 1000000;
+
+    printf("timing %s throughput, key length %d:\n", c->type->description,
+           c->key_len);
+    fflush(stdout);
+    for (i = min_enc_len; i <= max_enc_len; i = i * 2)
+        printf("msg len: %d\tgigabits per second: %f\n", i,
+               srtp_cipher_bits_per_second(c, i, num_trials) / 1e9);
+}
+
+srtp_err_status_t cipher_driver_self_test(srtp_cipher_type_t *ct)
+{
+    srtp_err_status_t status;
+
+    printf("running cipher self-test for %s...", ct->description);
+    status = srtp_cipher_type_self_test(ct);
+    if (status) {
+        printf("failed with error code %d\n", status);
+        exit(status);
+    }
+    printf("passed\n");
+
+    return srtp_err_status_ok;
+}
+
+/*
+ * cipher_driver_test_buffering(ct) tests the cipher's output
+ * buffering for correctness by checking the consistency of succesive
+ * calls
+ */
+
+#define INITIAL_BUFLEN 1024
+srtp_err_status_t cipher_driver_test_buffering(srtp_cipher_t *c)
+{
+    int i, j, num_trials = 1000;
+    unsigned len, buflen = INITIAL_BUFLEN;
+    uint8_t buffer0[INITIAL_BUFLEN], buffer1[INITIAL_BUFLEN], *current, *end;
+    uint8_t idx[16] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+                        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x12, 0x34 };
+    srtp_err_status_t status;
+
+    printf("testing output buffering for cipher %s...", c->type->description);
+
+    for (i = 0; i < num_trials; i++) {
+        /* set buffers to zero */
+        for (j = 0; j < (int)buflen; j++) {
+            buffer0[j] = buffer1[j] = 0;
+        }
+
+        /* initialize cipher  */
+        status = srtp_cipher_set_iv(c, (uint8_t *)idx, srtp_direction_encrypt);
+        if (status)
+            return status;
+
+        /* generate 'reference' value by encrypting all at once */
+        status = srtp_cipher_encrypt(c, buffer0, &buflen);
+        if (status)
+            return status;
+
+        /* re-initialize cipher */
+        status = srtp_cipher_set_iv(c, (uint8_t *)idx, srtp_direction_encrypt);
+        if (status)
+            return status;
+
+        /* now loop over short lengths until buffer1 is encrypted */
+        current = buffer1;
+        end = buffer1 + buflen;
+        while (current < end) {
+            /* choose a short length */
+            len = rand() & 0x01f;
+
+            /* make sure that len doesn't cause us to overreach the buffer */
+            if (current + len > end)
+                len = end - current;
+
+            status = srtp_cipher_encrypt(c, current, &len);
+            if (status)
+                return status;
+
+            /* advance pointer into buffer1 to reflect encryption */
+            current += len;
+
+            /* if buffer1 is all encrypted, break out of loop */
+            if (current == end)
+                break;
+        }
+
+        /* compare buffers */
+        for (j = 0; j < (int)buflen; j++) {
+            if (buffer0[j] != buffer1[j]) {
+#if PRINT_DEBUG
+                printf("test case %d failed at byte %d\n", i, j);
+                printf("computed: %s\n",
+                       octet_string_hex_string(buffer1, buflen));
+                printf("expected: %s\n",
+                       octet_string_hex_string(buffer0, buflen));
+#endif
+                return srtp_err_status_algo_fail;
+            }
+        }
+    }
+
+    printf("passed\n");
+
+    return srtp_err_status_ok;
+}
+
+/*
+ * The function cipher_test_throughput_array() tests the effect of CPU
+ * cache thrash on cipher throughput.
+ *
+ * cipher_array_alloc_init(ctype, array, num_ciphers) creates an array
+ * of srtp_cipher_t of type ctype
+ */
+
+srtp_err_status_t cipher_array_alloc_init(srtp_cipher_t ***ca,
+                                          int num_ciphers,
+                                          srtp_cipher_type_t *ctype,
+                                          int klen)
+{
+    int i, j;
+    srtp_err_status_t status;
+    uint8_t *key;
+    srtp_cipher_t **cipher_array;
+    /* pad klen allocation, to handle aes_icm reading 16 bytes for the
+       14-byte salt */
+    int klen_pad = ((klen + 15) >> 4) << 4;
+
+    /* allocate array of pointers to ciphers */
+    cipher_array = (srtp_cipher_t **)srtp_crypto_alloc(sizeof(srtp_cipher_t *) *
+                                                       num_ciphers);
+    if (cipher_array == NULL)
+        return srtp_err_status_alloc_fail;
+
+    /* set ca to location of cipher_array */
+    *ca = cipher_array;
+
+    /* allocate key */
+    key = srtp_crypto_alloc(klen_pad);
+    if (key == NULL) {
+        srtp_crypto_free(cipher_array);
+        return srtp_err_status_alloc_fail;
+    }
+
+    /* allocate and initialize an array of ciphers */
+    for (i = 0; i < num_ciphers; i++) {
+        /* allocate cipher */
+        status = srtp_cipher_type_alloc(ctype, cipher_array, klen, 16);
+        if (status)
+            return status;
+
+        /* generate random key and initialize cipher */
+        for (j = 0; j < klen; j++)
+            key[j] = (uint8_t)rand();
+        for (; j < klen_pad; j++)
+            key[j] = 0;
+        status = srtp_cipher_init(*cipher_array, key);
+        if (status)
+            return status;
+
+        /*     printf("%dth cipher is at %p\n", i, *cipher_array); */
+        /*     printf("%dth cipher description: %s\n", i,  */
+        /* 	   (*cipher_array)->type->description); */
+
+        /* advance cipher array pointer */
+        cipher_array++;
+    }
+
+    srtp_crypto_free(key);
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t cipher_array_delete(srtp_cipher_t *cipher_array[],
+                                      int num_cipher)
+{
+    int i;
+
+    for (i = 0; i < num_cipher; i++) {
+        srtp_cipher_dealloc(cipher_array[i]);
+    }
+
+    srtp_crypto_free(cipher_array);
+
+    return srtp_err_status_ok;
+}
+
+/*
+ * cipher_array_bits_per_second(c, l, t) computes (an estimate of) the
+ * number of bits that a cipher implementation can encrypt in a second
+ * when distinct keys are used to encrypt distinct messages
+ *
+ * c is a cipher (which MUST be allocated an initialized already), l
+ * is the length in octets of the test data to be encrypted, and t is
+ * the number of trials
+ *
+ * if an error is encountered, the value 0 is returned
+ */
+
+uint64_t cipher_array_bits_per_second(srtp_cipher_t *cipher_array[],
+                                      int num_cipher,
+                                      unsigned octets_in_buffer,
+                                      int num_trials)
+{
+    int i;
+    v128_t nonce;
+    clock_t timer;
+    unsigned char *enc_buf;
+    int cipher_index = rand() % num_cipher;
+
+    /* Over-alloc, for NIST CBC padding */
+    enc_buf = srtp_crypto_alloc(octets_in_buffer + 17);
+    if (enc_buf == NULL)
+        return 0; /* indicate bad parameters by returning null */
+
+    /* time repeated trials */
+    v128_set_to_zero(&nonce);
+    timer = clock();
+    for (i = 0; i < num_trials; i++, nonce.v32[3] = i) {
+        /* length parameter to srtp_cipher_encrypt is in/out -- out is total,
+         * padded
+         * length -- so reset it each time. */
+        unsigned octets_to_encrypt = octets_in_buffer;
+
+        /* encrypt buffer with cipher */
+        srtp_cipher_set_iv(cipher_array[cipher_index], (uint8_t *)&nonce,
+                           srtp_direction_encrypt);
+        srtp_cipher_encrypt(cipher_array[cipher_index], enc_buf,
+                            &octets_to_encrypt);
+
+        /* choose a cipher at random from the array*/
+        cipher_index = (*((uint32_t *)enc_buf)) % num_cipher;
+    }
+    timer = clock() - timer;
+
+    srtp_crypto_free(enc_buf);
+
+    if (timer == 0) {
+        /* Too fast! */
+        return 0;
+    }
+
+    return (uint64_t)CLOCKS_PER_SEC * num_trials * 8 * octets_in_buffer / timer;
+}
+
+void cipher_array_test_throughput(srtp_cipher_t *ca[], int num_cipher)
+{
+    int i;
+    int min_enc_len = 16;
+    int max_enc_len = 2048; /* should be a power of two */
+    int num_trials = 1000000;
+
+    printf("timing %s throughput with key length %d, array size %d:\n",
+           (ca[0])->type->description, (ca[0])->key_len, num_cipher);
+    fflush(stdout);
+    for (i = min_enc_len; i <= max_enc_len; i = i * 4)
+        printf("msg len: %d\tgigabits per second: %f\n", i,
+               cipher_array_bits_per_second(ca, num_cipher, i, num_trials) /
+                   1e9);
+}
+
+srtp_err_status_t cipher_driver_test_array_throughput(srtp_cipher_type_t *ct,
+                                                      int klen,
+                                                      int num_cipher)
+{
+    srtp_cipher_t **ca = NULL;
+    srtp_err_status_t status;
+
+    status = cipher_array_alloc_init(&ca, num_cipher, ct, klen);
+    if (status) {
+        printf("error: cipher_array_alloc_init() failed with error code %d\n",
+               status);
+        return status;
+    }
+
+    cipher_array_test_throughput(ca, num_cipher);
+
+    cipher_array_delete(ca, num_cipher);
+
+    return srtp_err_status_ok;
+}
diff --git a/netwerk/srtp/src/crypto/test/datatypes_driver.c b/netwerk/srtp/src/crypto/test/datatypes_driver.c
new file mode 100644
index 0000000000..96379befe1
--- /dev/null
+++ b/netwerk/srtp/src/crypto/test/datatypes_driver.c
@@ -0,0 +1,256 @@
+/*
+ * datatypes_driver.c
+ *
+ * a test driver for crypto/math datatypes
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+
+/*
+ *
+ * Copyright (c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>  /* for printf() */
+#include <string.h> /* for strlen() */
+#include "datatypes.h"
+#include "util.h"
+
+void byte_order(void);
+
+void test_hex_string_funcs(void);
+
+void print_string(char *s);
+
+void test_bswap(void);
+
+void test_set_to_zero(void);
+
+int main(void)
+{
+    /*
+     * this program includes various and sundry tests for fundamental
+     * datatypes.  it's a grab-bag of throwaway code, retained only in
+     * case of future problems
+     */
+
+    int i, j;
+    v128_t x;
+    char *r = "The Moving Finger writes; and, having writ,\n"
+              "Moves on: nor all thy Piety nor Wit\n"
+              "Shall lure it back to cancel half a Line,\n"
+              "Nor all thy Tears wash out a Word of it.";
+    char *s = "incomplet";
+
+    print_string(r);
+    print_string(s);
+
+    byte_order();
+    test_hex_string_funcs();
+
+    for (j = 0; j < 128; j++) {
+        v128_set_to_zero(&x);
+        /*      x.v32[0] = (1 << j); */
+        v128_set_bit(&x, j);
+        printf("%s\n", v128_bit_string(&x));
+        v128_clear_bit(&x, j);
+        printf("%s\n", v128_bit_string(&x));
+    }
+
+    printf("----------------------------------------------\n");
+    v128_set_to_zero(&x);
+    for (i = 0; i < 128; i++) {
+        v128_set_bit(&x, i);
+    }
+    printf("%s\n", v128_bit_string(&x));
+
+    printf("----------------------------------------------\n");
+    v128_set_to_zero(&x);
+    v128_set_bit(&x, 0);
+    for (i = 0; i < 128; i++) {
+        printf("%s\n", v128_bit_string(&x));
+        v128_right_shift(&x, 1);
+    }
+    printf("----------------------------------------------\n");
+    v128_set_to_zero(&x);
+    v128_set_bit(&x, 127);
+    for (i = 0; i < 128; i++) {
+        printf("%s\n", v128_bit_string(&x));
+        v128_left_shift(&x, 1);
+    }
+    printf("----------------------------------------------\n");
+    for (i = 0; i < 128; i++) {
+        v128_set_to_zero(&x);
+        v128_set_bit(&x, 127);
+        v128_left_shift(&x, i);
+        printf("%s\n", v128_bit_string(&x));
+    }
+    printf("----------------------------------------------\n");
+    v128_set_to_zero(&x);
+    for (i = 0; i < 128; i += 2) {
+        v128_set_bit(&x, i);
+    }
+    printf("bit_string: { %s }\n", v128_bit_string(&x));
+    printf("get_bit:    { ");
+    for (i = 0; i < 128; i++) {
+        if (v128_get_bit(&x, i) == 1)
+            printf("1");
+        else
+            printf("0");
+    }
+    printf(" } \n");
+
+    test_bswap();
+    test_set_to_zero();
+
+    return 0;
+}
+
+/* byte_order() prints out byte ordering of datatypes */
+
+void byte_order(void)
+{
+    int i;
+    v128_t e;
+#if 0
+  v16_t b;
+  v32_t c;
+  v64_t d;
+
+  for (i=0; i < sizeof(b); i++)
+    b.octet[i] = i;
+  for (i=0; i < sizeof(c); i++)
+    c.octet[i] = i;
+  for (i=0; i < sizeof(d); i++)
+    d.octet[i] = i;
+  
+  printf("v128_t:\t%s\n", v128_hex_string(&e));
+  printf("v64_t:\t%s\n", v64_hex_string(&d));
+  printf("v32_t:\t%s\n", v32_hex_string(c));
+  printf("v16_t:\t%s\n", v16_hex_string(b));
+
+  c.value = 0x01020304;
+  printf("v32_t:\t%s\n", v32_hex_string(c));
+  b.value = 0x0102;
+  printf("v16_t:\t%s\n", v16_hex_string(b));
+
+  printf("uint16_t ordering:\n");
+
+  c.value = 0x00010002;
+  printf("v32_t:\t%x%x\n", c.v16[0], c.v16[1]);
+#endif
+
+    printf("byte ordering of crypto/math datatypes:\n");
+    for (i = 0; i < sizeof(e); i++)
+        e.v8[i] = i;
+    printf("v128_t: %s\n", v128_hex_string(&e));
+}
+
+void test_hex_string_funcs(void)
+{
+    char hex1[] = "abadcafe";
+    char hex2[] = "0123456789abcdefqqqqq";
+    char raw[10];
+    int len;
+
+    len = hex_string_to_octet_string(raw, hex1, strlen(hex1));
+    printf("computed length: %d\tstring: %s\n", len,
+           octet_string_hex_string(raw, len / 2));
+    printf("expected length: %u\tstring: %s\n", (unsigned)strlen(hex1), hex1);
+
+    len = hex_string_to_octet_string(raw, hex2, strlen(hex2));
+    printf("computed length: %d\tstring: %s\n", len,
+           octet_string_hex_string(raw, len / 2));
+    printf("expected length: %d\tstring: %s\n", 16, "0123456789abcdef");
+}
+
+void print_string(char *s)
+{
+    size_t i;
+    printf("%s\n", s);
+    printf("strlen(s) = %u\n", (unsigned)strlen(s));
+    printf("{ ");
+    for (i = 0; i < strlen(s); i++) {
+        printf("0x%x, ", s[i]);
+        if (((i + 1) % 8) == 0)
+            printf("\n   ");
+    }
+    printf("}\n");
+}
+
+void test_bswap(void)
+{
+    uint32_t x = 0x11223344;
+    uint64_t y = 0x1122334455667788LL;
+
+    printf("before: %0x\nafter:  %0x\n", x, (unsigned int)be32_to_cpu(x));
+    printf("before: %0llx\nafter:  %0llx\n", (unsigned long long)y,
+           (unsigned long long)be64_to_cpu(y));
+
+    y = 1234;
+
+    printf("1234: %0llx\n", (unsigned long long)y);
+    printf("as octet string: %s\n", octet_string_hex_string((uint8_t *)&y, 8));
+    y = be64_to_cpu(y);
+    printf("bswapped octet string: %s\n",
+           octet_string_hex_string((uint8_t *)&y, 8));
+}
+
+void test_set_to_zero(void)
+{
+#define BUFFER_SIZE (16)
+    uint8_t buffer[BUFFER_SIZE];
+    size_t i;
+
+    for (i = 0; i < BUFFER_SIZE; i++) {
+        buffer[i] = i & 0xff;
+    }
+    printf("Buffer before: %s\n", octet_string_hex_string(buffer, BUFFER_SIZE));
+    octet_string_set_to_zero(buffer, BUFFER_SIZE);
+    printf("Buffer after: %s\n", octet_string_hex_string(buffer, BUFFER_SIZE));
+    for (i = 0; i < BUFFER_SIZE; i++) {
+        if (buffer[i]) {
+            fprintf(stderr,
+                    "Buffer contents not zero at position %zu (is %d)\n", i,
+                    buffer[i]);
+            abort();
+        }
+    }
+#undef BUFFER_SIZE
+}
diff --git a/netwerk/srtp/src/crypto/test/env.c b/netwerk/srtp/src/crypto/test/env.c
new file mode 100644
index 0000000000..8c3f4edfac
--- /dev/null
+++ b/netwerk/srtp/src/crypto/test/env.c
@@ -0,0 +1,89 @@
+/*
+ * env.c
+ *
+ * prints out a brief report on the build environment
+ *
+ * David McGrew
+ * Cisco Systems, Inc.
+ */
+/*
+ *
+ * Copyright (c) 2001-2017 Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <stdio.h>
+#include <string.h> /* for srtcmp() */
+#include "config.h"
+
+int main(void)
+{
+    int err_count = 0;
+
+#ifdef WORDS_BIGENDIAN
+    printf("CPU set to big-endian\t\t\t(WORDS_BIGENDIAN == 1)\n");
+#else
+    printf("CPU set to little-endian\t\t(WORDS_BIGENDIAN == 0)\n");
+#endif
+
+#ifdef CPU_RISC
+    printf("CPU set to RISC\t\t\t\t(CPU_RISC == 1)\n");
+#elif defined(CPU_CISC)
+    printf("CPU set to CISC\t\t\t\t(CPU_CISC == 1)\n");
+#else
+    printf(
+        "CPU set to an unknown type, probably due to a configuration error\n");
+    err_count++;
+#endif
+
+#ifdef CPU_ALTIVEC
+    printf("CPU set to ALTIVEC\t\t\t\t(CPU_ALTIVEC == 0)\n");
+#endif
+
+#ifndef NO_64BIT_MATH
+    printf("using native 64-bit type\t\t(NO_64_BIT_MATH == 0)\n");
+#else
+    printf("using built-in 64-bit math\t\t(NO_64_BIT_MATH == 1)\n");
+#endif
+
+#ifdef ERR_REPORTING_STDOUT
+    printf("using stdout for error reporting\t(ERR_REPORTING_STDOUT == 1)\n");
+#endif
+
+    if (err_count)
+        printf("warning: configuration is probably in error "
+               "(found %d problems)\n",
+               err_count);
+
+    return err_count;
+}
diff --git a/netwerk/srtp/src/crypto/test/kernel_driver.c b/netwerk/srtp/src/crypto/test/kernel_driver.c
new file mode 100644
index 0000000000..d29405a971
--- /dev/null
+++ b/netwerk/srtp/src/crypto/test/kernel_driver.c
@@ -0,0 +1,127 @@
+/*
+ * kernel_driver.c
+ *
+ * a test driver for the crypto_kernel
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+/*
+ *
+ * Copyright(c) 2001-2017 Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h> /* for printf() */
+#include "getopt_s.h"
+#include "crypto_kernel.h"
+
+void usage(char *prog_name)
+{
+    printf("usage: %s [ -v ][ -d debug_module ]*\n", prog_name);
+    exit(255);
+}
+
+int main(int argc, char *argv[])
+{
+    int q;
+    int do_validation = 0;
+    srtp_err_status_t status;
+
+    if (argc == 1)
+        usage(argv[0]);
+
+    /* initialize kernel - we need to do this before anything else */
+    status = srtp_crypto_kernel_init();
+    if (status) {
+        printf("error: srtp_crypto_kernel init failed\n");
+        exit(1);
+    }
+    printf("srtp_crypto_kernel successfully initalized\n");
+
+    /* process input arguments */
+    while (1) {
+        q = getopt_s(argc, argv, "vd:");
+        if (q == -1)
+            break;
+        switch (q) {
+        case 'v':
+            do_validation = 1;
+            break;
+        case 'd':
+            status = srtp_crypto_kernel_set_debug_module(optarg_s, 1);
+            if (status) {
+                printf("error: set debug module (%s) failed\n", optarg_s);
+                exit(1);
+            }
+            break;
+        default:
+            usage(argv[0]);
+        }
+    }
+
+    if (do_validation) {
+        printf("checking srtp_crypto_kernel status...\n");
+        status = srtp_crypto_kernel_status();
+        if (status) {
+            printf("failed\n");
+            exit(1);
+        }
+        printf("srtp_crypto_kernel passed self-tests\n");
+    }
+
+    status = srtp_crypto_kernel_shutdown();
+    if (status) {
+        printf("error: srtp_crypto_kernel shutdown failed\n");
+        exit(1);
+    }
+    printf("srtp_crypto_kernel successfully shut down\n");
+
+    return 0;
+}
+
+/*
+ * crypto_kernel_cipher_test() is a test of the cipher interface
+ * of the crypto_kernel
+ */
+
+srtp_err_status_t crypto_kernel_cipher_test(void)
+{
+    /* not implemented yet! */
+
+    return srtp_err_status_ok;
+}
diff --git a/netwerk/srtp/src/crypto/test/sha1_driver.c b/netwerk/srtp/src/crypto/test/sha1_driver.c
new file mode 100644
index 0000000000..c64b000f81
--- /dev/null
+++ b/netwerk/srtp/src/crypto/test/sha1_driver.c
@@ -0,0 +1,387 @@
+/*
+ * sha1_driver.c
+ *
+ * a test driver for SHA-1
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+
+/*
+ *
+ * Copyright (c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <string.h>
+#include "sha1.h"
+#include "util.h"
+
+#define SHA_PASS 0
+#define SHA_FAIL 1
+
+#define MAX_HASH_DATA_LEN 1024
+#define MAX_HASH_OUT_LEN 20
+
+typedef struct hash_test_case_t {
+    unsigned data_len;               /* number of octets in data        */
+    unsigned hash_len;               /* number of octets output by hash */
+    uint8_t data[MAX_HASH_DATA_LEN]; /* message data                    */
+    uint8_t hash[MAX_HASH_OUT_LEN];  /* expected hash output            */
+    struct hash_test_case_t *next_test_case;
+} hash_test_case_t;
+
+hash_test_case_t *sha1_test_case_list;
+
+srtp_err_status_t hash_test_case_add(hash_test_case_t **list_ptr,
+                                     char *hex_data,
+                                     unsigned data_len,
+                                     char *hex_hash,
+                                     unsigned hash_len)
+{
+    hash_test_case_t *list_head = *list_ptr;
+    hash_test_case_t *test_case;
+    unsigned tmp_len;
+
+    test_case = malloc(sizeof(hash_test_case_t));
+    if (test_case == NULL)
+        return srtp_err_status_alloc_fail;
+
+    tmp_len = hex_string_to_octet_string((char *)test_case->data, hex_data,
+                                         data_len * 2);
+    if (tmp_len != data_len * 2) {
+        free(test_case);
+        return srtp_err_status_parse_err;
+    }
+
+    tmp_len = hex_string_to_octet_string((char *)test_case->hash, hex_hash,
+                                         hash_len * 2);
+    if (tmp_len != hash_len * 2) {
+        free(test_case);
+        return srtp_err_status_parse_err;
+    }
+
+    test_case->data_len = data_len;
+    test_case->hash_len = hash_len;
+
+    /* add the new test case to the head of the list */
+    test_case->next_test_case = list_head;
+    *list_ptr = test_case;
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t sha1_test_case_validate(const hash_test_case_t *test_case)
+{
+    srtp_sha1_ctx_t ctx;
+    uint32_t hash_value[5];
+
+    if (test_case == NULL)
+        return srtp_err_status_bad_param;
+
+    if (test_case->hash_len != 20)
+        return srtp_err_status_bad_param;
+    if (test_case->data_len > MAX_HASH_DATA_LEN)
+        return srtp_err_status_bad_param;
+
+    srtp_sha1_init(&ctx);
+    srtp_sha1_update(&ctx, test_case->data, test_case->data_len);
+    srtp_sha1_final(&ctx, hash_value);
+    if (0 == memcmp(test_case->hash, hash_value, 20)) {
+#if VERBOSE
+        printf("PASSED: reference value: %s\n",
+               octet_string_hex_string((const uint8_t *)test_case->hash, 20));
+        printf("PASSED: computed value:  %s\n",
+               octet_string_hex_string((const uint8_t *)hash_value, 20));
+#endif
+        return srtp_err_status_ok;
+    }
+
+    printf("reference value: %s\n",
+           octet_string_hex_string((const uint8_t *)test_case->hash, 20));
+    printf("computed value:  %s\n",
+           octet_string_hex_string((const uint8_t *)hash_value, 20));
+
+    return srtp_err_status_algo_fail;
+}
+
+struct hex_sha1_test_case_t {
+    unsigned bit_len;
+    char hex_data[MAX_HASH_DATA_LEN * 2];
+    char hex_hash[40];
+};
+
+srtp_err_status_t sha1_add_test_cases(void)
+{
+    int i;
+    srtp_err_status_t err;
+
+    /*
+     * these test cases are taken from the "SHA-1 Sample Vectors"
+     * provided by NIST at http://csrc.nist.gov/cryptval/shs.html
+     */
+
+    struct hex_sha1_test_case_t tc[] = {
+        { 0, "", "da39a3ee5e6b4b0d3255bfef95601890afd80709" },
+        { 8, "a8", "99f2aa95e36f95c2acb0eaf23998f030638f3f15" },
+        { 16, "3000", "f944dcd635f9801f7ac90a407fbc479964dec024" },
+        { 24, "42749e", "a444319e9b6cc1e8464c511ec0969c37d6bb2619" },
+        { 32, "9fc3fe08", "16a0ff84fcc156fd5d3ca3a744f20a232d172253" },
+        { 40, "b5c1c6f1af", "fec9deebfcdedaf66dda525e1be43597a73a1f93" },
+        { 48, "e47571e5022e", "8ce051181f0ed5e9d0c498f6bc4caf448d20deb5" },
+        { 56, "3e1b28839fb758", "67da53837d89e03bf652ef09c369a3415937cfd3" },
+        { 64, "a81350cbb224cb90", "305e4ff9888ad855a78573cddf4c5640cce7e946" },
+        { 72, "c243d167923dec3ce1",
+          "5902b77b3265f023f9bbc396ba1a93fa3509bde7" },
+        { 80, "50ac18c59d6a37a29bf4",
+          "fcade5f5d156bf6f9af97bdfa9c19bccfb4ff6ab" },
+        { 88, "98e2b611ad3b1cccf634f6",
+          "1d20fbe00533c10e3cbd6b27088a5de0c632c4b5" },
+        { 96, "73fe9afb68e1e8712e5d4eec",
+          "7e1b7e0f7a8f3455a9c03e9580fd63ae205a2d93" },
+        { 104, "9e701ed7d412a9226a2a130e66",
+          "706f0677146307b20bb0e8d6311e329966884d13" },
+        { 112, "6d3ee90413b0a7cbf69e5e6144ca",
+          "a7241a703aaf0d53fe142f86bf2e849251fa8dff" },
+        { 120, "fae24d56514efcb530fd4802f5e71f",
+          "400f53546916d33ad01a5e6df66822dfbdc4e9e6" },
+        { 128, "c5a22dd6eda3fe2bdc4ddb3ce6b35fd1",
+          "fac8ab93c1ae6c16f0311872b984f729dc928ccd" },
+        { 136, "d98cded2adabf08fda356445c781802d95",
+          "fba6d750c18da58f6e2aab10112b9a5ef3301b3b" },
+        { 144, "bcc6d7087a84f00103ccb32e5f5487a751a2",
+          "29d27c2d44c205c8107f0351b05753ac708226b6" },
+        { 152, "36ecacb1055434190dbbc556c48bafcb0feb0d",
+          "b971bfc1ebd6f359e8d74cb7ecfe7f898d0ba845" },
+        { 160, "5ff9edb69e8f6bbd498eb4537580b7fba7ad31d0",
+          "96d08c430094b9fcc164ad2fb6f72d0a24268f68" },
+        { 168, "c95b441d8270822a46a798fae5defcf7b26abace36",
+          "a287ea752a593d5209e287881a09c49fa3f0beb1" },
+        { 176, "83104c1d8a55b28f906f1b72cb53f68cbb097b44f860",
+          "a06c713779cbd88519ed4a585ac0cb8a5e9d612b" },
+        { 184, "755175528d55c39c56493d697b790f099a5ce741f7754b",
+          "bff7d52c13a3688132a1d407b1ab40f5b5ace298" },
+        { 192, "088fc38128bbdb9fd7d65228b3184b3faac6c8715f07272f",
+          "c7566b91d7b6f56bdfcaa9781a7b6841aacb17e9" },
+        { 200, "a4a586eb9245a6c87e3adf1009ac8a49f46c07e14185016895",
+          "ffa30c0b5c550ea4b1e34f8a60ec9295a1e06ac1" },
+        { 208, "8e7c555270c006092c2a3189e2a526b873e2e269f0fb28245256",
+          "29e66ed23e914351e872aa761df6e4f1a07f4b81" },
+        { 216, "a5f3bfa6bb0ba3b59f6b9cbdef8a558ec565e8aa3121f405e7f2f0",
+          "b28cf5e5b806a01491d41f69bd9248765c5dc292" },
+        { 224, "589054f0d2bd3c2c85b466bfd8ce18e6ec3e0b87d944cd093ba36469",
+          "60224fb72c46069652cd78bcd08029ef64da62f3" },
+        { 232, "a0abb12083b5bbc78128601bf1cbdbc0fdf4b862b24d899953d8da0ff3",
+          "b72c4a86f72608f24c05f3b9088ef92fba431df7" },
+        { 240, "82143f4cea6fadbf998e128a8811dc75301cf1db4f079501ea568da68eeb",
+          "73779ad5d6b71b9b8328ef7220ff12eb167076ac" },
+        { 248, "9f1231dd6df1ff7bc0b0d4f989d048672683ce35d956d2f57913046267e6f3",
+          "a09671d4452d7cf50015c914a1e31973d20cc1a0" },
+        { 256,
+          "041c512b5eed791f80d3282f3a28df263bb1df95e1239a7650e5670fc2187919",
+          "e88cdcd233d99184a6fd260b8fca1b7f7687aee0" },
+        { 264,
+          "17e81f6ae8c2e5579d69dafa6e070e7111461552d314b691e7a3e7a4feb3fae418",
+          "010def22850deb1168d525e8c84c28116cb8a269" },
+        { 272, "d15976b23a1d712ad28fad04d805f572026b54dd64961fda94d5355a0cc9862"
+               "0cf77",
+          "aeaa40ba1717ed5439b1e6ea901b294ba500f9ad" },
+        { 280, "09fce4d434f6bd32a44e04b848ff50ec9f642a8a85b37a264dc73f130f22838"
+               "443328f",
+          "c6433791238795e34f080a5f1f1723f065463ca0" },
+        { 288, "f17af27d776ec82a257d8d46d2b46b639462c56984cc1be9c1222eadb8b2659"
+               "4a25c709d",
+          "e21e22b89c1bb944a32932e6b2a2f20d491982c3" },
+        { 296, "b13ce635d6f8758143ffb114f2f601cb20b6276951416a2f94fbf4ad081779d"
+               "79f4f195b22",
+          "575323a9661f5d28387964d2ba6ab92c17d05a8a" },
+        { 304, "5498793f60916ff1c918dde572cdea76da8629ba4ead6d065de3dfb48de94d2"
+               "34cc1c5002910",
+          "feb44494af72f245bfe68e86c4d7986d57c11db7" },
+        { 312, "498a1e0b39fa49582ae688cd715c86fbaf8a81b8b11b4d1594c49c902d197c8"
+               "ba8a621fd6e3be5",
+          "cff2290b3648ba2831b98dde436a72f9ebf51eee" },
+        { 320, "3a36ae71521f9af628b3e34dcb0d4513f84c78ee49f10416a98857150b8b15c"
+               "b5c83afb4b570376e",
+          "9b4efe9d27b965905b0c3dab67b8d7c9ebacd56c" },
+        { 328, "dcc76b40ae0ea3ba253e92ac50fcde791662c5b6c948538cffc2d95e9de99ca"
+               "c34dfca38910db2678f",
+          "afedb0ff156205bcd831cbdbda43db8b0588c113" },
+        { 336, "5b5ec6ec4fd3ad9c4906f65c747fd4233c11a1736b6b228b92e90cddabb0c7c"
+               "2fcf9716d3fad261dff33",
+          "8deb1e858f88293a5e5e4d521a34b2a4efa70fc4" },
+        { 344, "df48a37b29b1d6de4e94717d60cdb4293fcf170bba388bddf7a9035a15d433f"
+               "20fd697c3e4c8b8c5f590ab",
+          "95cbdac0f74afa69cebd0e5c7defbc6faf0cbeaf" },
+        { 352, "1f179b3b82250a65e1b0aee949e218e2f45c7a8dbfd6ba08de05c55acfc226b"
+               "48c68d7f7057e5675cd96fcfc",
+          "f0307bcb92842e5ae0cd4f4f14f3df7f877fbef2" },
+        { 360, "ee3d72da3a44d971578972a8e6780ce64941267e0f7d0179b214fa97855e179"
+               "0e888e09fbe3a70412176cb3b54",
+          "7b13bb0dbf14964bd63b133ac85e22100542ef55" },
+        { 368, "d4d4c7843d312b30f610b3682254c8be96d5f6684503f8fbfbcd15774fc1b08"
+               "4d3741afb8d24aaa8ab9c104f7258",
+          "c314d2b6cf439be678d2a74e890d96cfac1c02ed" },
+        { 376, "32c094944f5936a190a0877fb9178a7bf60ceae36fd530671c5b38c5dbd5e6a"
+               "6c0d615c2ac8ad04b213cc589541cf6",
+          "4d0be361e410b47a9d67d8ce0bb6a8e01c53c078" },
+        { 384, "e5d3180c14bf27a5409fa12b104a8fd7e9639609bfde6ee82bbf9648be2546d"
+               "29688a65e2e3f3da47a45ac14343c9c02",
+          "e5353431ffae097f675cbf498869f6fbb6e1c9f2" },
+        { 392, "e7b6e4b69f724327e41e1188a37f4fe38b1dba19cbf5a7311d6e32f1038e97a"
+               "b506ee05aebebc1eed09fc0e357109818b9",
+          "b8720a7068a085c018ab18961de2765aa6cd9ac4" },
+        { 400, "bc880cb83b8ac68ef2fedc2da95e7677ce2aa18b0e2d8b322701f67af7d5e7a"
+               "0d96e9e33326ccb7747cfff0852b961bfd475",
+          "b0732181568543ba85f2b6da602b4b065d9931aa" },
+        { 408, "235ea9c2ba7af25400f2e98a47a291b0bccdaad63faa2475721fda5510cc7da"
+               "d814bce8dabb611790a6abe56030b798b75c944",
+          "9c22674cf3222c3ba921672694aafee4ce67b96b" },
+        { 416, "07e3e29fed63104b8410f323b975fd9fba53f636af8c4e68a53fb202ca35dd9"
+               "ee07cb169ec5186292e44c27e5696a967f5e67709",
+          "d128335f4cecca9066cdae08958ce656ff0b4cfc" },
+        { 424, "65d2a1dd60a517eb27bfbf530cf6a5458f9d5f4730058bd9814379547f34241"
+               "822bf67e6335a6d8b5ed06abf8841884c636a25733f",
+          "0b67c57ac578de88a2ae055caeaec8bb9b0085a0" },
+        { 432, "dcc86b3bd461615bab739d8daafac231c0f462e819ad29f9f14058f3ab5b759"
+               "41d4241ea2f17ebb8a458831b37a9b16dead4a76a9b0e",
+          "c766f912a89d4ccda88e0cce6a713ef5f178b596" },
+        { 440, "4627d54f0568dc126b62a8c35fb46a9ac5024400f2995e51635636e1afc4373"
+               "dbb848eb32df23914230560b82477e9c3572647a7f2bb92",
+          "9aa3925a9dcb177b15ccff9b78e70cf344858779" },
+        { 448, "ba531affd4381168ef24d8b275a84d9254c7f5cc55fded53aa8024b2c5c5c8a"
+               "a7146fe1d1b83d62b70467e9a2e2cb67b3361830adbab28d7",
+          "4811fa30042fc076acf37c8e2274d025307e5943" },
+        { 456, "8764dcbcf89dcf4282eb644e3d568bdccb4b13508bfa7bfe0ffc05efd1390be"
+               "22109969262992d377691eb4f77f3d59ea8466a74abf57b2ef4",
+          "6743018450c9730761ee2b130df9b91c1e118150" },
+        { 464, "497d9df9ddb554f3d17870b1a31986c1be277bc44feff713544217a9f579623"
+               "d18b5ffae306c25a45521d2759a72c0459b58957255ab592f3be4",
+          "71ad4a19d37d92a5e6ef3694ddbeb5aa61ada645" },
+        { 472, "72c3c2e065aefa8d9f7a65229e818176eef05da83f835107ba90ec2e95472e7"
+               "3e538f783b416c04654ba8909f26a12db6e5c4e376b7615e4a25819",
+          "a7d9dc68dacefb7d6116186048cb355cc548e11d" },
+        { 480, "7cc9894454d0055ab5069a33984e2f712bef7e3124960d33559f5f3b81906bb"
+               "66fe64da13c153ca7f5cabc89667314c32c01036d12ecaf5f9a78de98",
+          "142e429f0522ba5abf5131fa81df82d355b96909" },
+        { 488, "74e8404d5a453c5f4d306f2cfa338ca65501c840ddab3fb82117933483afd69"
+               "13c56aaf8a0a0a6b2a342fc3d9dc7599f4a850dfa15d06c61966d74ea59",
+          "ef72db70dcbcab991e9637976c6faf00d22caae9" },
+        { 496, "46fe5ed326c8fe376fcc92dc9e2714e2240d3253b105adfbb256ff7a19bc409"
+               "75c604ad7c0071c4fd78a7cb64786e1bece548fa4833c04065fe593f6fb10",
+          "f220a7457f4588d639dc21407c942e9843f8e26b" },
+        { 504, "836dfa2524d621cf07c3d2908835de859e549d35030433c796b81272fd8bc03"
+               "48e8ddbc7705a5ad1fdf2155b6bc48884ac0cd376925f069a37849c089c864"
+               "5",
+          "ddd2117b6e309c233ede85f962a0c2fc215e5c69" },
+        { 512, "7e3a4c325cb9c52b88387f93d01ae86d42098f5efa7f9457388b5e74b6d28b2"
+               "438d42d8b64703324d4aa25ab6aad153ae30cd2b2af4d5e5c00a8a2d0220c61"
+               "16",
+          "a3054427cdb13f164a610b348702724c808a0dcc" }
+    };
+
+    for (i = 0; i < 65; i++) {
+        err = hash_test_case_add(&sha1_test_case_list, tc[i].hex_data,
+                                 tc[i].bit_len / 8, tc[i].hex_hash, 20);
+        if (err) {
+            printf("error adding hash test case (code %d)\n", err);
+            return err;
+        }
+    }
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t sha1_dealloc_test_cases(void)
+{
+    hash_test_case_t *t, *next;
+
+    for (t = sha1_test_case_list; t != NULL; t = next) {
+        next = t->next_test_case;
+        free(t);
+    }
+
+    sha1_test_case_list = NULL;
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t sha1_validate(void)
+{
+    hash_test_case_t *test_case;
+    srtp_err_status_t err;
+
+    err = sha1_add_test_cases();
+    if (err) {
+        printf("error adding SHA1 test cases (error code %d)\n", err);
+        return err;
+    }
+
+    if (sha1_test_case_list == NULL)
+        return srtp_err_status_cant_check;
+
+    test_case = sha1_test_case_list;
+    while (test_case != NULL) {
+        err = sha1_test_case_validate(test_case);
+        if (err) {
+            printf("error validating hash test case (error code %d)\n", err);
+            return err;
+        }
+        test_case = test_case->next_test_case;
+    }
+
+    sha1_dealloc_test_cases();
+
+    return srtp_err_status_ok;
+}
+
+int main(void)
+{
+    srtp_err_status_t err;
+
+    printf("sha1 test driver\n");
+
+    err = sha1_validate();
+    if (err) {
+        printf("SHA1 did not pass validation testing\n");
+        return 1;
+    }
+    printf("SHA1 passed validation tests\n");
+
+    return 0;
+}
diff --git a/netwerk/srtp/src/crypto/test/stat_driver.c b/netwerk/srtp/src/crypto/test/stat_driver.c
new file mode 100644
index 0000000000..7f835855ce
--- /dev/null
+++ b/netwerk/srtp/src/crypto/test/stat_driver.c
@@ -0,0 +1,258 @@
+/*
+ * stat-driver.c
+ *
+ * test driver for the stat_test functions
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+
+/*
+ *
+ * Copyright (c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h> /* for printf() */
+
+#include "err.h"
+#include "stat.h"
+#include "srtp.h"
+
+#include "cipher.h"
+
+typedef struct {
+    void *state;
+} random_source_t;
+
+srtp_err_status_t random_source_alloc(void);
+
+void err_check(srtp_err_status_t s)
+{
+    if (s) {
+        printf("error (code %d)\n", s);
+        exit(1);
+    }
+}
+
+int main(int argc, char *argv[])
+{
+    uint8_t buffer[2532];
+    unsigned int buf_len = 2500;
+    int i, j;
+    extern srtp_cipher_type_t srtp_aes_icm_128;
+    extern srtp_cipher_type_t srtp_aes_icm_256;
+#ifdef GCM
+    extern srtp_cipher_type_t srtp_aes_gcm_128;
+    extern srtp_cipher_type_t srtp_aes_gcm_256;
+#endif
+    srtp_cipher_t *c;
+    /* clang-format off */
+    uint8_t key[46] = {
+        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+        0x00, 0x01, 0x02, 0x03, 0x04, 0x05
+    };
+    /* clang-format on */
+    v128_t nonce;
+    int num_trials = 500;
+    int num_fail;
+
+    printf("statistical tests driver\n");
+
+    v128_set_to_zero(&nonce);
+    for (i = 0; i < 2500; i++)
+        buffer[i] = 0;
+
+    /* run tests */
+    printf("running stat_tests on all-null buffer, expecting failure\n");
+    printf("monobit %d\n", stat_test_monobit(buffer));
+    printf("poker   %d\n", stat_test_poker(buffer));
+    printf("runs    %d\n", stat_test_runs(buffer));
+
+    for (i = 0; i < 2500; i++)
+        buffer[i] = rand();
+    printf("running stat_tests on rand(), expecting success\n");
+    printf("monobit %d\n", stat_test_monobit(buffer));
+    printf("poker   %d\n", stat_test_poker(buffer));
+    printf("runs    %d\n", stat_test_runs(buffer));
+
+    printf("running stat_tests on AES-128-ICM, expecting success\n");
+    /* set buffer to cipher output */
+    for (i = 0; i < 2500; i++)
+        buffer[i] = 0;
+    err_check(srtp_cipher_type_alloc(&srtp_aes_icm_128, &c,
+                                     SRTP_AES_ICM_128_KEY_LEN_WSALT, 0));
+    err_check(srtp_cipher_init(c, key));
+    err_check(srtp_cipher_set_iv(c, (uint8_t *)&nonce, srtp_direction_encrypt));
+    err_check(srtp_cipher_encrypt(c, buffer, &buf_len));
+    /* run tests on cipher outout */
+    printf("monobit %d\n", stat_test_monobit(buffer));
+    printf("poker   %d\n", stat_test_poker(buffer));
+    printf("runs    %d\n", stat_test_runs(buffer));
+
+    printf("runs test (please be patient): ");
+    fflush(stdout);
+    num_fail = 0;
+    v128_set_to_zero(&nonce);
+    for (j = 0; j < num_trials; j++) {
+        for (i = 0; i < 2500; i++)
+            buffer[i] = 0;
+        nonce.v32[3] = i;
+        err_check(
+            srtp_cipher_set_iv(c, (uint8_t *)&nonce, srtp_direction_encrypt));
+        err_check(srtp_cipher_encrypt(c, buffer, &buf_len));
+        if (stat_test_runs(buffer)) {
+            num_fail++;
+        }
+    }
+
+    printf("%d failures in %d tests\n", num_fail, num_trials);
+    printf("(nota bene: a small fraction of stat_test failures does not \n"
+           "indicate that the random source is invalid)\n");
+
+    err_check(srtp_cipher_dealloc(c));
+
+    printf("running stat_tests on AES-256-ICM, expecting success\n");
+    /* set buffer to cipher output */
+    for (i = 0; i < 2500; i++)
+        buffer[i] = 0;
+    err_check(srtp_cipher_type_alloc(&srtp_aes_icm_256, &c,
+                                     SRTP_AES_ICM_256_KEY_LEN_WSALT, 0));
+    err_check(srtp_cipher_init(c, key));
+    err_check(srtp_cipher_set_iv(c, (uint8_t *)&nonce, srtp_direction_encrypt));
+    err_check(srtp_cipher_encrypt(c, buffer, &buf_len));
+    /* run tests on cipher outout */
+    printf("monobit %d\n", stat_test_monobit(buffer));
+    printf("poker   %d\n", stat_test_poker(buffer));
+    printf("runs    %d\n", stat_test_runs(buffer));
+
+    printf("runs test (please be patient): ");
+    fflush(stdout);
+    num_fail = 0;
+    v128_set_to_zero(&nonce);
+    for (j = 0; j < num_trials; j++) {
+        for (i = 0; i < 2500; i++)
+            buffer[i] = 0;
+        nonce.v32[3] = i;
+        err_check(
+            srtp_cipher_set_iv(c, (uint8_t *)&nonce, srtp_direction_encrypt));
+        err_check(srtp_cipher_encrypt(c, buffer, &buf_len));
+        if (stat_test_runs(buffer)) {
+            num_fail++;
+        }
+    }
+
+#ifdef GCM
+    {
+        printf("running stat_tests on AES-128-GCM, expecting success\n");
+        /* set buffer to cipher output */
+        for (i = 0; i < 2500; i++) {
+            buffer[i] = 0;
+        }
+        err_check(srtp_cipher_type_alloc(&srtp_aes_gcm_128, &c,
+                                         SRTP_AES_GCM_128_KEY_LEN_WSALT, 8));
+        err_check(srtp_cipher_init(c, key));
+        err_check(
+            srtp_cipher_set_iv(c, (uint8_t *)&nonce, srtp_direction_encrypt));
+        err_check(srtp_cipher_encrypt(c, buffer, &buf_len));
+        /* run tests on cipher outout */
+        printf("monobit %d\n", stat_test_monobit(buffer));
+        printf("poker   %d\n", stat_test_poker(buffer));
+        printf("runs    %d\n", stat_test_runs(buffer));
+        fflush(stdout);
+        num_fail = 0;
+        v128_set_to_zero(&nonce);
+        for (j = 0; j < num_trials; j++) {
+            for (i = 0; i < 2500; i++) {
+                buffer[i] = 0;
+            }
+            nonce.v32[3] = i;
+            err_check(srtp_cipher_set_iv(c, (uint8_t *)&nonce,
+                                         srtp_direction_encrypt));
+            err_check(srtp_cipher_encrypt(c, buffer, &buf_len));
+            buf_len = 2500;
+            if (stat_test_runs(buffer)) {
+                num_fail++;
+            }
+        }
+
+        printf("running stat_tests on AES-256-GCM, expecting success\n");
+        /* set buffer to cipher output */
+        for (i = 0; i < 2500; i++) {
+            buffer[i] = 0;
+        }
+        err_check(srtp_cipher_type_alloc(&srtp_aes_gcm_256, &c,
+                                         SRTP_AES_GCM_256_KEY_LEN_WSALT, 16));
+        err_check(srtp_cipher_init(c, key));
+        err_check(
+            srtp_cipher_set_iv(c, (uint8_t *)&nonce, srtp_direction_encrypt));
+        err_check(srtp_cipher_encrypt(c, buffer, &buf_len));
+        /* run tests on cipher outout */
+        printf("monobit %d\n", stat_test_monobit(buffer));
+        printf("poker   %d\n", stat_test_poker(buffer));
+        printf("runs    %d\n", stat_test_runs(buffer));
+        fflush(stdout);
+        num_fail = 0;
+        v128_set_to_zero(&nonce);
+        for (j = 0; j < num_trials; j++) {
+            for (i = 0; i < 2500; i++) {
+                buffer[i] = 0;
+            }
+            nonce.v32[3] = i;
+            err_check(srtp_cipher_set_iv(c, (uint8_t *)&nonce,
+                                         srtp_direction_encrypt));
+            err_check(srtp_cipher_encrypt(c, buffer, &buf_len));
+            buf_len = 2500;
+            if (stat_test_runs(buffer)) {
+                num_fail++;
+            }
+        }
+    }
+#endif
+
+    printf("%d failures in %d tests\n", num_fail, num_trials);
+    printf("(nota bene: a small fraction of stat_test failures does not \n"
+           "indicate that the random source is invalid)\n");
+
+    err_check(srtp_cipher_dealloc(c));
+
+    return 0;
+}
diff --git a/netwerk/srtp/src/include/config.h b/netwerk/srtp/src/include/config.h
new file mode 100644
index 0000000000..75e05e897f
--- /dev/null
+++ b/netwerk/srtp/src/include/config.h
@@ -0,0 +1,6 @@
+/*
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+/* empty file; config done via Makefile.in & configure.in */
diff --git a/netwerk/srtp/src/include/ekt.h b/netwerk/srtp/src/include/ekt.h
new file mode 100644
index 0000000000..a289a53dab
--- /dev/null
+++ b/netwerk/srtp/src/include/ekt.h
@@ -0,0 +1,181 @@
+/*
+ * ekt.h
+ *
+ * interface to Encrypted Key Transport for SRTP
+ *
+ * David McGrew
+ * Cisco Systems, Inc.
+ */
+/*
+ *
+ * Copyright (c) 2001-2017 Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+/*
+ * EKT implementation strategy
+ *
+ * use stream_template approach
+ *
+ * in srtp_unprotect, when a new stream appears, check if template has
+ * EKT defined, and if it does, then apply EKT processing
+ *
+ * question: will we want to allow key-sharing templates in addition
+ * to EKT templates?  could define a new ssrc_type_t that's associated
+ * with an EKT, e.g.  ssrc_any_ekt.
+ *
+ *
+ */
+
+#ifndef SRTP_EKT_H
+#define SRTP_EKT_H
+
+// left in commented out as reminder to not include private headers
+//#include "srtp_priv.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define SRTP_EKT_CIPHER_DEFAULT 1
+#define SRTP_EKT_CIPHER_AES_128_ECB 1
+#define SRTP_EKT_CIPHER_AES_192_KEY_WRAP 2
+#define SRTP_EKT_CIPHER_AES_256_KEY_WRAP 3
+
+typedef uint16_t srtp_ekt_spi_t;
+
+unsigned srtp_ekt_octets_after_base_tag(srtp_ekt_stream_t ekt);
+
+/*
+ * an srtp_policy_t structure can contain a pointer to an
+ * srtp_ekt_policy_t structure
+ *
+ * this structure holds all of the high level EKT information, and it
+ * is passed into libsrtp to indicate what policy should be in effect
+ */
+
+typedef struct srtp_ekt_policy_ctx_t {
+    srtp_ekt_spi_t spi; /* security parameter index */
+    uint8_t ekt_cipher_type;
+    uint8_t *ekt_key;
+    struct srtp_ekt_policy_ctx_t *next_ekt_policy;
+} srtp_ekt_policy_ctx_t;
+
+/*
+ * an srtp_ekt_data_t structure holds the data corresponding to an ekt key,
+ * spi, and so on
+ */
+
+typedef struct srtp_ekt_data_t {
+    srtp_ekt_spi_t spi;
+    uint8_t ekt_cipher_type;
+    srtp_aes_expanded_key_t ekt_enc_key;
+    srtp_aes_expanded_key_t ekt_dec_key;
+    struct ekt_data_t *next_ekt_data;
+} srtp_ekt_data_t;
+
+/*
+ * an srtp_stream_ctx_t can contain an srtp_ekt_stream_ctx_t
+ *
+ * an srtp_ekt_stream_ctx_t structure holds all of the EKT information for
+ * a specific SRTP stream
+ */
+
+typedef struct srtp_ekt_stream_ctx_t {
+    srtp_ekt_data_t *data;
+    uint16_t isn; /* initial sequence number  */
+    uint8_t encrypted_master_key[SRTP_MAX_KEY_LEN];
+} srtp_ekt_stream_ctx_t;
+
+srtp_err_status_t srtp_ekt_alloc(srtp_ekt_stream_t *stream_data,
+                                 srtp_ekt_policy_t policy);
+
+srtp_err_status_t srtp_ekt_stream_init(srtp_ekt_stream_t e,
+                                       srtp_ekt_spi_t spi,
+                                       void *ekt_key,
+                                       unsigned ekt_cipher_type);
+
+srtp_err_status_t srtp_ekt_stream_init_from_policy(srtp_ekt_stream_t e,
+                                                   srtp_ekt_policy_t p);
+
+srtp_err_status_t srtp_stream_init_from_ekt(srtp_stream_t stream,
+                                            const void *srtcp_hdr,
+                                            unsigned pkt_octet_len);
+
+void srtp_ekt_write_data(srtp_ekt_stream_t ekt,
+                         uint8_t *base_tag,
+                         unsigned base_tag_len,
+                         int *packet_len,
+                         srtp_xtd_seq_num_t pkt_index);
+
+/*
+ * We handle EKT by performing some additional steps before
+ * authentication (copying the auth tag into a temporary location,
+ * zeroizing the "base tag" field in the packet)
+ *
+ * With EKT, the tag_len parameter is actually the base tag
+ * length
+ */
+srtp_err_status_t srtp_ekt_tag_verification_preproces(uint8_t *pkt_tag,
+                                                      uint8_t *pkt_tag_copy,
+                                                      unsigned tag_len);
+
+srtp_err_status_t srtp_ekt_tag_verification_postproces(uint8_t *pkt_tag,
+                                                       uint8_t *pkt_tag_copy,
+                                                       unsigned tag_len);
+
+/*
+ * @brief EKT pre-processing for srtcp tag generation
+ *
+ * This function does the pre-processing of the SRTCP authentication
+ * tag format.  When EKT is used, it consists of writing the Encrypted
+ * Master Key, the SRTP ROC, the Initial Sequence Number, and SPI
+ * fields.  The Base Authentication Tag field is set to the all-zero
+ * value
+ *
+ * When EKT is not used, this function is a no-op.
+ *
+ */
+srtp_err_status_t srtp_stream_srtcp_auth_tag_generation_preprocess(
+    const srtp_stream_t *s,
+    uint8_t *pkt_tag,
+    unsigned pkt_octet_len);
+
+/* it's not clear that a tag_generation_postprocess function is needed */
+srtp_err_status_t srtcp_auth_tag_generation_postprocess(void);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* SRTP_EKT_H */
diff --git a/netwerk/srtp/src/include/getopt_s.h b/netwerk/srtp/src/include/getopt_s.h
new file mode 100644
index 0000000000..53fb25ba71
--- /dev/null
+++ b/netwerk/srtp/src/include/getopt_s.h
@@ -0,0 +1,67 @@
+/*
+ * getopt.h
+ *
+ * interface to a minimal implementation of the getopt() function,
+ * written so that test applications that use that function can run on
+ * non-POSIX platforms
+ *
+ */
+/*
+ *
+ * Copyright (c) 2001-2017 Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef GETOPT_S_H
+#define GETOPT_S_H
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * getopt_s(), optarg_s, and optind_s are small, locally defined
+ * versions of the POSIX standard getopt() interface.
+ */
+
+int getopt_s(int argc, char *const argv[], const char *optstring);
+
+extern char *optarg_s; /* defined in getopt.c */
+
+extern int optind_s; /* defined in getopt.c */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* GETOPT_S_H */
diff --git a/netwerk/srtp/src/include/srtp.h b/netwerk/srtp/src/include/srtp.h
new file mode 100644
index 0000000000..1fdd6c3aff
--- /dev/null
+++ b/netwerk/srtp/src/include/srtp.h
@@ -0,0 +1,1759 @@
+/*
+ * srtp.h
+ *
+ * interface to libsrtp
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+/*
+ *
+ * Copyright (c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef SRTP_SRTP_H
+#define SRTP_SRTP_H
+
+#include <stdint.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/**
+ * @defgroup SRTP Secure RTP
+ *
+ * @brief libSRTP provides functions for protecting RTP and RTCP.  See
+ * Section @ref Overview for an introduction to the use of the library.
+ *
+ * @{
+ */
+
+/*
+ * SRTP_MASTER_KEY_LEN is the nominal master key length supported by libSRTP
+ */
+
+#define SRTP_MASTER_KEY_LEN 30
+
+/*
+ * SRTP_MAX_KEY_LEN is the maximum key length supported by libSRTP
+ */
+#define SRTP_MAX_KEY_LEN 64
+
+/*
+ * SRTP_MAX_TAG_LEN is the maximum tag length supported by libSRTP
+ */
+
+#define SRTP_MAX_TAG_LEN 16
+
+/**
+ * SRTP_MAX_MKI_LEN is the maximum size the MKI could be which is
+ * 128 bytes
+ */
+#define SRTP_MAX_MKI_LEN 128
+
+/**
+ * SRTP_MAX_TRAILER_LEN is the maximum length of the SRTP trailer
+ * (authentication tag and MKI) supported by libSRTP.  This value is
+ * the maixmum number of octets that will be added to an RTP packet by
+ * srtp_protect().
+ *
+ * @brief the maximum number of octets added by srtp_protect().
+ */
+#define SRTP_MAX_TRAILER_LEN (SRTP_MAX_TAG_LEN + SRTP_MAX_MKI_LEN)
+
+/**
+ * SRTP_MAX_NUM_MASTER_KEYS is the maximum number of Master keys for
+ * MKI supported by libSRTP.
+ *
+ */
+#define SRTP_MAX_NUM_MASTER_KEYS 16
+
+#define SRTP_SALT_LEN 14
+
+/*
+ * SRTP_AEAD_SALT_LEN is the length of the SALT values used with
+ * GCM mode.  GCM mode requires an IV.  The SALT value is used
+ * as part of the IV formation logic applied to each RTP packet.
+ */
+#define SRTP_AEAD_SALT_LEN 12
+
+#define SRTP_AES_128_KEY_LEN 16
+#define SRTP_AES_192_KEY_LEN 24
+#define SRTP_AES_256_KEY_LEN 32
+
+#define SRTP_AES_ICM_128_KEY_LEN_WSALT (SRTP_SALT_LEN + SRTP_AES_128_KEY_LEN)
+#define SRTP_AES_ICM_192_KEY_LEN_WSALT (SRTP_SALT_LEN + SRTP_AES_192_KEY_LEN)
+#define SRTP_AES_ICM_256_KEY_LEN_WSALT (SRTP_SALT_LEN + SRTP_AES_256_KEY_LEN)
+
+#define SRTP_AES_GCM_128_KEY_LEN_WSALT                                         \
+    (SRTP_AEAD_SALT_LEN + SRTP_AES_128_KEY_LEN)
+#define SRTP_AES_GCM_192_KEY_LEN_WSALT                                         \
+    (SRTP_AEAD_SALT_LEN + SRTP_AES_192_KEY_LEN)
+#define SRTP_AES_GCM_256_KEY_LEN_WSALT                                         \
+    (SRTP_AEAD_SALT_LEN + SRTP_AES_256_KEY_LEN)
+
+/**
+ *  @brief A srtp_cipher_type_id_t is an identifier for a particular cipher
+ *  type.
+ *
+ *  A srtp_cipher_type_id_t is an integer that represents a particular
+ *  cipher type, e.g. the Advanced Encryption Standard (AES).  A
+ *  SRTP_NULL_CIPHER is avaliable; this cipher leaves the data unchanged,
+ *  and can be selected to indicate that no encryption is to take
+ *  place.
+ *
+ *  @ingroup Ciphers
+ */
+typedef uint32_t srtp_cipher_type_id_t;
+
+/**
+ *  @brief An srtp_auth_type_id_t is an identifier for a particular
+ * authentication
+ *   function.
+ *
+ *  An srtp_auth_type_id_t is an integer that represents a particular
+ *  authentication function type, e.g. HMAC-SHA1.  A SRTP_NULL_AUTH is
+ *  avaliable; this authentication function performs no computation,
+ *  and can be selected to indicate that no authentication is to take
+ *  place.
+ *
+ *  @ingroup Authentication
+ */
+typedef uint32_t srtp_auth_type_id_t;
+
+/**
+ * @brief srtp_err_status_t defines error codes.
+ *
+ * The enumeration srtp_err_status_t defines error codes.  Note that the
+ * value of srtp_err_status_ok is equal to zero, which can simplify error
+ * checking somewhat.
+ *
+ */
+typedef enum {
+    srtp_err_status_ok = 0,             /**< nothing to report               */
+    srtp_err_status_fail = 1,           /**< unspecified failure             */
+    srtp_err_status_bad_param = 2,      /**< unsupported parameter           */
+    srtp_err_status_alloc_fail = 3,     /**< couldn't allocate memory        */
+    srtp_err_status_dealloc_fail = 4,   /**< couldn't deallocate properly    */
+    srtp_err_status_init_fail = 5,      /**< couldn't initialize             */
+    srtp_err_status_terminus = 6,       /**< can't process as much data as   */
+                                        /**< requested                       */
+    srtp_err_status_auth_fail = 7,      /**< authentication failure          */
+    srtp_err_status_cipher_fail = 8,    /**< cipher failure                  */
+    srtp_err_status_replay_fail = 9,    /**< replay check failed (bad index) */
+    srtp_err_status_replay_old = 10,    /**< replay check failed (index too  */
+                                        /**< old)                            */
+    srtp_err_status_algo_fail = 11,     /**< algorithm failed test routine   */
+    srtp_err_status_no_such_op = 12,    /**< unsupported operation           */
+    srtp_err_status_no_ctx = 13,        /**< no appropriate context found    */
+    srtp_err_status_cant_check = 14,    /**< unable to perform desired       */
+                                        /**< validation                      */
+    srtp_err_status_key_expired = 15,   /**< can't use key any more          */
+    srtp_err_status_socket_err = 16,    /**< error in use of socket          */
+    srtp_err_status_signal_err = 17,    /**< error in use POSIX signals      */
+    srtp_err_status_nonce_bad = 18,     /**< nonce check failed              */
+    srtp_err_status_read_fail = 19,     /**< couldn't read data              */
+    srtp_err_status_write_fail = 20,    /**< couldn't write data             */
+    srtp_err_status_parse_err = 21,     /**< error parsing data              */
+    srtp_err_status_encode_err = 22,    /**< error encoding data             */
+    srtp_err_status_semaphore_err = 23, /**< error while using semaphores    */
+    srtp_err_status_pfkey_err = 24,     /**< error while using pfkey         */
+    srtp_err_status_bad_mki = 25,       /**< error MKI present in packet is  */
+                                        /**< invalid                         */
+    srtp_err_status_pkt_idx_old = 26,   /**< packet index is too old to      */
+                                        /**< consider                        */
+    srtp_err_status_pkt_idx_adv = 27    /**< packet index advanced, reset    */
+                                        /**< needed                          */
+} srtp_err_status_t;
+
+typedef struct srtp_ctx_t_ srtp_ctx_t;
+
+/**
+ * @brief srtp_sec_serv_t describes a set of security services.
+ *
+ * A srtp_sec_serv_t enumeration is used to describe the particular
+ * security services that will be applied by a particular crypto
+ * policy (or other mechanism).
+ */
+typedef enum {
+    sec_serv_none = 0,         /**< no services                        */
+    sec_serv_conf = 1,         /**< confidentiality                    */
+    sec_serv_auth = 2,         /**< authentication                     */
+    sec_serv_conf_and_auth = 3 /**< confidentiality and authentication */
+} srtp_sec_serv_t;
+
+/**
+ * @brief srtp_crypto_policy_t describes a particular crypto policy that
+ * can be applied to an SRTP stream.
+ *
+ * A srtp_crypto_policy_t describes a particular cryptographic policy that
+ * can be applied to an SRTP or SRTCP stream.  An SRTP session policy
+ * consists of a list of these policies, one for each SRTP stream
+ * in the session.
+ */
+typedef struct srtp_crypto_policy_t {
+    srtp_cipher_type_id_t cipher_type; /**< An integer representing          */
+                                       /**< the type of cipher.              */
+    int cipher_key_len;                /**< The length of the cipher key     */
+                                       /**< in octets.                       */
+    srtp_auth_type_id_t auth_type;     /**< An integer representing the      */
+                                       /**< authentication function.         */
+    int auth_key_len;                  /**< The length of the authentication */
+                                       /**< function key in octets.          */
+    int auth_tag_len;                  /**< The length of the authentication */
+                                       /**< tag in octets.                   */
+    srtp_sec_serv_t sec_serv;          /**< The flag indicating the security */
+                                       /**< services to be applied.          */
+} srtp_crypto_policy_t;
+
+/**
+ * @brief srtp_ssrc_type_t describes the type of an SSRC.
+ *
+ * An srtp_ssrc_type_t enumeration is used to indicate a type of SSRC.  See
+ * @ref srtp_policy_t for more informataion.
+ */
+typedef enum {
+    ssrc_undefined = 0,   /**< Indicates an undefined SSRC type.    */
+    ssrc_specific = 1,    /**< Indicates a specific SSRC value      */
+    ssrc_any_inbound = 2, /**< Indicates any inbound SSRC value     */
+                          /**< (i.e. a value that is used in the    */
+                          /**< function srtp_unprotect())           */
+    ssrc_any_outbound = 3 /**< Indicates any outbound SSRC value    */
+                          /**< (i.e. a value that is used in the    */
+                          /**< function srtp_protect())             */
+} srtp_ssrc_type_t;
+
+/**
+ * @brief An srtp_ssrc_t represents a particular SSRC value, or a `wildcard'
+ * SSRC.
+ *
+ * An srtp_ssrc_t represents a particular SSRC value (if its type is
+ * ssrc_specific), or a wildcard SSRC value that will match all
+ * outbound SSRCs (if its type is ssrc_any_outbound) or all inbound
+ * SSRCs (if its type is ssrc_any_inbound).
+ */
+typedef struct {
+    srtp_ssrc_type_t type; /**< The type of this particular SSRC */
+    unsigned int value;    /**< The value of this SSRC, if it is not a */
+                           /**< wildcard */
+} srtp_ssrc_t;
+
+/**
+ * @brief points to an EKT policy
+ */
+typedef struct srtp_ekt_policy_ctx_t *srtp_ekt_policy_t;
+
+/**
+ * @brief points to EKT stream data
+ */
+typedef struct srtp_ekt_stream_ctx_t *srtp_ekt_stream_t;
+
+/**
+ * @brief srtp_master_key_t represents a master key.  There will
+ * be a Master Key Index and the Master Key associated with the
+ * Master Key Index.  Need to also keep track of the Master Key
+ * Index Size to correctly read it from a packet.
+ */
+typedef struct srtp_master_key_t {
+    unsigned char *key;
+    unsigned char *mki_id;
+    unsigned int mki_size;
+} srtp_master_key_t;
+
+/**
+ * @brief represents the policy for an SRTP session.
+ *
+ * A single srtp_policy_t struct represents the policy for a single
+ * SRTP stream, and a linked list of these elements represents the
+ * policy for an entire SRTP session.  Each element contains the SRTP
+ * and SRTCP crypto policies for that stream, a pointer to the SRTP
+ * master key for that stream, the SSRC describing that stream, or a
+ * flag indicating a `wildcard' SSRC value, and a `next' field that
+ * holds a pointer to the next element in the list of policy elements,
+ * or NULL if it is the last element.
+ *
+ * The wildcard value SSRC_ANY_INBOUND matches any SSRC from an
+ * inbound stream that for which there is no explicit SSRC entry in
+ * another policy element.  Similarly, the value SSRC_ANY_OUTBOUND
+ * will matches any SSRC from an outbound stream that does not appear
+ * in another policy element.  Note that wildcard SSRCs &b cannot be
+ * used to match both inbound and outbound traffic.  This restriction
+ * is intentional, and it allows libSRTP to ensure that no security
+ * lapses result from accidental re-use of SSRC values during key
+ * sharing.
+ *
+ * @warning The final element of the list @b must have its `next' pointer
+ *          set to NULL.
+ */
+
+typedef struct srtp_policy_t {
+    srtp_ssrc_t ssrc;              /**< The SSRC value of stream, or the    */
+                                   /**< flags SSRC_ANY_INBOUND or           */
+                                   /**< SSRC_ANY_OUTBOUND if key sharing    */
+                                   /**< is used for this policy element.    */
+    srtp_crypto_policy_t rtp;      /**< SRTP crypto policy.                 */
+    srtp_crypto_policy_t rtcp;     /**< SRTCP crypto policy.                */
+    unsigned char *key;            /**< Pointer to the SRTP master key for  */
+                                   /**< this stream.                        */
+    srtp_master_key_t **keys;      /** Array of Master Key structures       */
+    unsigned long num_master_keys; /** Number of master keys                */
+    srtp_ekt_policy_t ekt;         /**< Pointer to the EKT policy structure */
+                                   /**< for this stream (if any)            */
+    unsigned long window_size;     /**< The window size to use for replay   */
+                                   /**< protection.                         */
+    int allow_repeat_tx;           /**< Whether retransmissions of          */
+                                   /**< packets with the same sequence      */
+                                   /**< number are allowed.                 */
+                                   /**< (Note that such repeated            */
+                                   /**< transmissions must have the same    */
+                                   /**< RTP payload, or a severe security   */
+                                   /**< weakness is introduced!)            */
+    int *enc_xtn_hdr;              /**< List of header ids to encrypt.      */
+    int enc_xtn_hdr_count;         /**< Number of entries in list of header */
+                                   /**<  ids.                               */
+    struct srtp_policy_t *next;    /**< Pointer to next stream policy.      */
+} srtp_policy_t;
+
+/**
+ * @brief An srtp_t points to an SRTP session structure.
+ *
+ * The typedef srtp_t is a pointer to a structure that represents
+ * an SRTP session.  This datatype is intentially opaque in
+ * order to separate the interface from the implementation.
+ *
+ * An SRTP session consists of all of the traffic sent to the RTP and
+ * RTCP destination transport addresses, using the RTP/SAVP (Secure
+ * Audio/Video Profile).  A session can be viewed as a set of SRTP
+ * streams, each of which originates with a different participant.
+ */
+typedef srtp_ctx_t *srtp_t;
+
+/**
+ * @brief srtp_init() initializes the srtp library.
+ *
+ * @warning This function @b must be called before any other srtp
+ * functions.
+ */
+srtp_err_status_t srtp_init(void);
+
+/**
+ * @brief srtp_shutdown() de-initializes the srtp library.
+ *
+ * @warning No srtp functions may be called after calling this function.
+ */
+srtp_err_status_t srtp_shutdown(void);
+
+/**
+ * @brief srtp_protect() is the Secure RTP sender-side packet processing
+ * function.
+ *
+ * The function call srtp_protect(ctx, rtp_hdr, len_ptr) applies SRTP
+ * protection to the RTP packet rtp_hdr (which has length *len_ptr) using
+ * the SRTP context ctx.  If srtp_err_status_ok is returned, then rtp_hdr
+ * points to the resulting SRTP packet and *len_ptr is the number of
+ * octets in that packet; otherwise, no assumptions should be made
+ * about the value of either data elements.
+ *
+ * The sequence numbers of the RTP packets presented to this function
+ * need not be consecutive, but they @b must be out of order by less
+ * than 2^15 = 32,768 packets.
+ *
+ * @warning This function assumes that it can write the authentication
+ * tag into the location in memory immediately following the RTP
+ * packet, and assumes that the RTP packet is aligned on a 32-bit
+ * boundary.
+ *
+ * @warning This function assumes that it can write SRTP_MAX_TRAILER_LEN
+ * into the location in memory immediately following the RTP packet.
+ * Callers MUST ensure that this much writable memory is available in
+ * the buffer that holds the RTP packet.
+ *
+ * @param ctx is the SRTP context to use in processing the packet.
+ *
+ * @param rtp_hdr is a pointer to the RTP packet (before the call); after
+ * the function returns, it points to the srtp packet.
+ *
+ * @param len_ptr is a pointer to the length in octets of the complete
+ * RTP packet (header and body) before the function call, and of the
+ * complete SRTP packet after the call, if srtp_err_status_ok was returned.
+ * Otherwise, the value of the data to which it points is undefined.
+ *
+ * @return
+ *    - srtp_err_status_ok            no problems
+ *    - srtp_err_status_replay_fail   rtp sequence number was non-increasing
+ *    - @e other                 failure in cryptographic mechanisms
+ */
+srtp_err_status_t srtp_protect(srtp_t ctx, void *rtp_hdr, int *len_ptr);
+
+/**
+ * @brief srtp_protect_mki() is the Secure RTP sender-side packet processing
+ * function that can utilize MKI.
+ *
+ * The function call srtp_protect(ctx, rtp_hdr, len_ptr) applies SRTP
+ * protection to the RTP packet rtp_hdr (which has length *len_ptr) using
+ * the SRTP context ctx.  If srtp_err_status_ok is returned, then rtp_hdr
+ * points to the resulting SRTP packet and *len_ptr is the number of
+ * octets in that packet; otherwise, no assumptions should be made
+ * about the value of either data elements.
+ *
+ * The sequence numbers of the RTP packets presented to this function
+ * need not be consecutive, but they @b must be out of order by less
+ * than 2^15 = 32,768 packets.
+ *
+ * @warning This function assumes that it can write the authentication
+ * tag into the location in memory immediately following the RTP
+ * packet, and assumes that the RTP packet is aligned on a 32-bit
+ * boundary.
+ *
+ * @warning This function assumes that it can write SRTP_MAX_TRAILER_LEN
+ * into the location in memory immediately following the RTP packet.
+ * Callers MUST ensure that this much writable memory is available in
+ * the buffer that holds the RTP packet.
+ *
+ * @param ctx is the SRTP context to use in processing the packet.
+ *
+ * @param rtp_hdr is a pointer to the RTP packet (before the call); after
+ * the function returns, it points to the srtp packet.
+ *
+ * @param pkt_octet_len is a pointer to the length in octets of the complete
+ * RTP packet (header and body) before the function call, and of the
+ * complete SRTP packet after the call, if srtp_err_status_ok was returned.
+ * Otherwise, the value of the data to which it points is undefined.
+ *
+ * @param use_mki is a boolean to tell the system if mki is being used.  If
+ * set to false then will use the first set of session keys.  If set to true
+ * will
+ * use the session keys identified by the mki_index
+ *
+ * @param mki_index integer value specifying which set of session keys should be
+ * used if use_mki is set to true.
+ *
+ * @return
+ *    - srtp_err_status_ok            no problems
+ *    - srtp_err_status_replay_fail   rtp sequence number was non-increasing
+ *    - @e other                 failure in cryptographic mechanisms
+ */
+srtp_err_status_t srtp_protect_mki(srtp_ctx_t *ctx,
+                                   void *rtp_hdr,
+                                   int *pkt_octet_len,
+                                   unsigned int use_mki,
+                                   unsigned int mki_index);
+
+/**
+ * @brief srtp_unprotect() is the Secure RTP receiver-side packet
+ * processing function.
+ *
+ * The function call srtp_unprotect(ctx, srtp_hdr, len_ptr) verifies
+ * the Secure RTP protection of the SRTP packet pointed to by srtp_hdr
+ * (which has length *len_ptr), using the SRTP context ctx.  If
+ * srtp_err_status_ok is returned, then srtp_hdr points to the resulting
+ * RTP packet and *len_ptr is the number of octets in that packet;
+ * otherwise, no assumptions should be made about the value of either
+ * data elements.
+ *
+ * The sequence numbers of the RTP packets presented to this function
+ * need not be consecutive, but they @b must be out of order by less
+ * than 2^15 = 32,768 packets.
+ *
+ * @warning This function assumes that the SRTP packet is aligned on a
+ * 32-bit boundary.
+ *
+ * @param ctx is the SRTP session which applies to the particular packet.
+ *
+ * @param srtp_hdr is a pointer to the header of the SRTP packet
+ * (before the call).  after the function returns, it points to the
+ * rtp packet if srtp_err_status_ok was returned; otherwise, the value of
+ * the data to which it points is undefined.
+ *
+ * @param len_ptr is a pointer to the length in octets of the complete
+ * srtp packet (header and body) before the function call, and of the
+ * complete rtp packet after the call, if srtp_err_status_ok was returned.
+ * Otherwise, the value of the data to which it points is undefined.
+ *
+ * @return
+ *    - srtp_err_status_ok          if the RTP packet is valid.
+ *    - srtp_err_status_auth_fail   if the SRTP packet failed the message
+ *                                  authentication check.
+ *    - srtp_err_status_replay_fail if the SRTP packet is a replay (e.g. packet
+ *                                  has already been processed and accepted).
+ *    - [other]  if there has been an error in the cryptographic mechanisms.
+ *
+ */
+srtp_err_status_t srtp_unprotect(srtp_t ctx, void *srtp_hdr, int *len_ptr);
+
+/**
+ * @brief srtp_unprotect_mki() is the Secure RTP receiver-side packet
+ * processing function that checks for MKI.
+ *
+ * The function call srtp_unprotect(ctx, srtp_hdr, len_ptr) verifies
+ * the Secure RTP protection of the SRTP packet pointed to by srtp_hdr
+ * (which has length *len_ptr), using the SRTP context ctx.  If
+ * srtp_err_status_ok is returned, then srtp_hdr points to the resulting
+ * RTP packet and *len_ptr is the number of octets in that packet;
+ * otherwise, no assumptions should be made about the value of either
+ * data elements.
+ *
+ * The sequence numbers of the RTP packets presented to this function
+ * need not be consecutive, but they @b must be out of order by less
+ * than 2^15 = 32,768 packets.
+ *
+ * @warning This function assumes that the SRTP packet is aligned on a
+ * 32-bit boundary.
+ *
+ * @param ctx is the SRTP session which applies to the particular packet.
+ *
+ * @param srtp_hdr is a pointer to the header of the SRTP packet
+ * (before the call).  after the function returns, it points to the
+ * rtp packet if srtp_err_status_ok was returned; otherwise, the value of
+ * the data to which it points is undefined.
+ *
+ * @param len_ptr is a pointer to the length in octets of the complete
+ * srtp packet (header and body) before the function call, and of the
+ * complete rtp packet after the call, if srtp_err_status_ok was returned.
+ * Otherwise, the value of the data to which it points is undefined.
+ *
+ * @param use_mki is a boolean to tell the system if mki is being used.  If
+ * set to false then will use the first set of session keys.  If set to true
+ * will
+ * use the session keys identified by the mki_index
+ *
+ * @return
+ *    - srtp_err_status_ok          if the RTP packet is valid.
+ *    - srtp_err_status_auth_fail   if the SRTP packet failed the message
+ *                                  authentication check.
+ *    - srtp_err_status_replay_fail if the SRTP packet is a replay (e.g. packet
+ *                                  has already been processed and accepted).
+ *    - srtp_err_status_bad_mki if the MKI in the packet is not a known MKI id
+ *    - [other]  if there has been an error in the cryptographic mechanisms.
+ *
+ */
+srtp_err_status_t srtp_unprotect_mki(srtp_t ctx,
+                                     void *srtp_hdr,
+                                     int *len_ptr,
+                                     unsigned int use_mki);
+
+/**
+ * @brief srtp_create() allocates and initializes an SRTP session.
+
+ * The function call srtp_create(session, policy) allocates and
+ * initializes an SRTP session context, applying the given policy.
+ *
+ * @param session is a pointer to the SRTP session to which the policy is
+ * to be added.
+ *
+ * @param policy is the srtp_policy_t struct that describes the policy
+ * for the session.  The struct may be a single element, or it may be
+ * the head of a list, in which case each element of the list is
+ * processed.  It may also be NULL, in which case streams should be added
+ * later using srtp_add_stream().  The final element of the list @b must
+ * have its `next' field set to NULL.
+ *
+ * @return
+ *    - srtp_err_status_ok           if creation succeded.
+ *    - srtp_err_status_alloc_fail   if allocation failed.
+ *    - srtp_err_status_init_fail    if initialization failed.
+ */
+srtp_err_status_t srtp_create(srtp_t *session, const srtp_policy_t *policy);
+
+/**
+ * @brief srtp_add_stream() allocates and initializes an SRTP stream
+ * within a given SRTP session.
+ *
+ * The function call srtp_add_stream(session, policy) allocates and
+ * initializes a new SRTP stream within a given, previously created
+ * session, applying the policy given as the other argument to that
+ * stream.
+ *
+ * @return values:
+ *    - srtp_err_status_ok           if stream creation succeded.
+ *    - srtp_err_status_alloc_fail   if stream allocation failed
+ *    - srtp_err_status_init_fail    if stream initialization failed.
+ */
+srtp_err_status_t srtp_add_stream(srtp_t session, const srtp_policy_t *policy);
+
+/**
+ * @brief srtp_remove_stream() deallocates an SRTP stream.
+ *
+ * The function call srtp_remove_stream(session, ssrc) removes
+ * the SRTP stream with the SSRC value ssrc from the SRTP session
+ * context given by the argument session.
+ *
+ * @param session is the SRTP session from which the stream
+ *        will be removed.
+ *
+ * @param ssrc is the SSRC value of the stream to be removed
+ *             in network byte order.
+ *
+ * @warning Wildcard SSRC values cannot be removed from a
+ *          session.
+ *
+ * @return
+ *    - srtp_err_status_ok     if the stream deallocation succeded.
+ *    - [other]           otherwise.
+ *
+ */
+srtp_err_status_t srtp_remove_stream(srtp_t session, unsigned int ssrc);
+
+/**
+ * @brief srtp_update() udpates all streams in the session.
+ *
+ * The function call srtp_update(session, policy) updates
+ * all the streams in the session applying the given policy
+ * and key. The exsisting ROC value of all streams will be
+ * preserved.
+ *
+ * @param session is the SRTP session that contains the streams
+ *        to be updated.
+ *
+ * @param policy is the srtp_policy_t struct that describes the policy
+ * for the session.  The struct may be a single element, or it may be
+ * the head of a list, in which case each element of the list is
+ * processed. The final element of the list @b must
+ * have its `next' field set to NULL.
+ *
+ * @return
+ *    - srtp_err_status_ok           if stream creation succeded.
+ *    - srtp_err_status_alloc_fail   if stream allocation failed
+ *    - srtp_err_status_init_fail    if stream initialization failed.
+ *    - [other]                 otherwise.
+ *
+ */
+srtp_err_status_t srtp_update(srtp_t session, const srtp_policy_t *policy);
+
+/**
+ * @brief srtp_update_stream() udpates a SRTP stream.
+ *
+ * The function call srtp_update_stream(session, policy) updates
+ * the stream(s) in the session that match applying the given
+ * policy and key. The exsisting ROC value of all stream(s) will
+ * be preserved.
+ *
+ * @param session is the SRTP session that contains the streams
+ *        to be updated.
+ *
+ * @param policy is the srtp_policy_t struct that describes the policy
+ * for the session.
+ *
+ * @return
+ *    - srtp_err_status_ok           if stream creation succeded.
+ *    - srtp_err_status_alloc_fail   if stream allocation failed
+ *    - srtp_err_status_init_fail    if stream initialization failed.
+ *    - [other]                      otherwise.
+ *
+ */
+srtp_err_status_t srtp_update_stream(srtp_t session,
+                                     const srtp_policy_t *policy);
+
+/**
+ * @brief srtp_crypto_policy_set_rtp_default() sets a crypto policy
+ * structure to the SRTP default policy for RTP protection.
+ *
+ * @param p is a pointer to the policy structure to be set
+ *
+ * The function call crypto_policy_set_rtp_default(&p) sets the
+ * crypto_policy_t at location p to the SRTP default policy for RTP
+ * protection, as defined in the specification.  This function is a
+ * convenience that helps to avoid dealing directly with the policy
+ * data structure.  You are encouraged to initialize policy elements
+ * with this function call.  Doing so may allow your code to be
+ * forward compatible with later versions of libSRTP that include more
+ * elements in the crypto_policy_t datatype.
+ *
+ * @return void.
+ *
+ */
+void srtp_crypto_policy_set_rtp_default(srtp_crypto_policy_t *p);
+
+/**
+ * @brief srtp_crypto_policy_set_rtcp_default() sets a crypto policy
+ * structure to the SRTP default policy for RTCP protection.
+ *
+ * @param p is a pointer to the policy structure to be set
+ *
+ * The function call srtp_crypto_policy_set_rtcp_default(&p) sets the
+ * srtp_crypto_policy_t at location p to the SRTP default policy for RTCP
+ * protection, as defined in the specification.  This function is a
+ * convenience that helps to avoid dealing directly with the policy
+ * data structure.  You are encouraged to initialize policy elements
+ * with this function call.  Doing so may allow your code to be
+ * forward compatible with later versions of libSRTP that include more
+ * elements in the srtp_crypto_policy_t datatype.
+ *
+ * @return void.
+ *
+ */
+void srtp_crypto_policy_set_rtcp_default(srtp_crypto_policy_t *p);
+
+/**
+ * @brief srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80() sets a crypto
+ * policy structure to the SRTP default policy for RTP protection.
+ *
+ * @param p is a pointer to the policy structure to be set
+ *
+ * The function srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80() is a
+ * synonym for srtp_crypto_policy_set_rtp_default().  It conforms to the
+ * naming convention used in RFC 4568 (SDP Security Descriptions for
+ * Media Streams).
+ *
+ * @return void.
+ *
+ */
+#define srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(p)                      \
+    srtp_crypto_policy_set_rtp_default(p)
+
+/**
+ * @brief srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32() sets a crypto
+ * policy structure to a short-authentication tag policy
+ *
+ * @param p is a pointer to the policy structure to be set
+ *
+ * The function call srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32(&p)
+ * sets the srtp_crypto_policy_t at location p to use policy
+ * AES_CM_128_HMAC_SHA1_32 as defined in RFC 4568.
+ * This policy uses AES-128
+ * Counter Mode encryption and HMAC-SHA1 authentication, with an
+ * authentication tag that is only 32 bits long.  This length is
+ * considered adequate only for protecting audio and video media that
+ * use a stateless playback function.  See Section 7.5 of RFC 3711
+ * (http://www.ietf.org/rfc/rfc3711.txt).
+ *
+ * This function is a convenience that helps to avoid dealing directly
+ * with the policy data structure.  You are encouraged to initialize
+ * policy elements with this function call.  Doing so may allow your
+ * code to be forward compatible with later versions of libSRTP that
+ * include more elements in the srtp_crypto_policy_t datatype.
+ *
+ * @warning This crypto policy is intended for use in SRTP, but not in
+ * SRTCP.  It is recommended that a policy that uses longer
+ * authentication tags be used for SRTCP.  See Section 7.5 of RFC 3711
+ * (http://www.ietf.org/rfc/rfc3711.txt).
+ *
+ * @return void.
+ *
+ */
+void srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32(srtp_crypto_policy_t *p);
+
+/**
+ * @brief srtp_crypto_policy_set_aes_cm_128_null_auth() sets a crypto
+ * policy structure to an encryption-only policy
+ *
+ * @param p is a pointer to the policy structure to be set
+ *
+ * The function call srtp_crypto_policy_set_aes_cm_128_null_auth(&p) sets
+ * the srtp_crypto_policy_t at location p to use the SRTP default cipher
+ * (AES-128 Counter Mode), but to use no authentication method.  This
+ * policy is NOT RECOMMENDED unless it is unavoidable; see Section 7.5
+ * of RFC 3711 (http://www.ietf.org/rfc/rfc3711.txt).
+ *
+ * This function is a convenience that helps to avoid dealing directly
+ * with the policy data structure.  You are encouraged to initialize
+ * policy elements with this function call.  Doing so may allow your
+ * code to be forward compatible with later versions of libSRTP that
+ * include more elements in the srtp_crypto_policy_t datatype.
+ *
+ * @warning This policy is NOT RECOMMENDED for SRTP unless it is
+ * unavoidable, and it is NOT RECOMMENDED at all for SRTCP; see
+ * Section 7.5 of RFC 3711 (http://www.ietf.org/rfc/rfc3711.txt).
+ *
+ * @return void.
+ *
+ */
+void srtp_crypto_policy_set_aes_cm_128_null_auth(srtp_crypto_policy_t *p);
+
+/**
+ * @brief srtp_crypto_policy_set_null_cipher_hmac_sha1_80() sets a crypto
+ * policy structure to an authentication-only policy
+ *
+ * @param p is a pointer to the policy structure to be set
+ *
+ * The function call srtp_crypto_policy_set_null_cipher_hmac_sha1_80(&p)
+ * sets the srtp_crypto_policy_t at location p to use HMAC-SHA1 with an 80
+ * bit authentication tag to provide message authentication, but to
+ * use no encryption.  This policy is NOT RECOMMENDED for SRTP unless
+ * there is a requirement to forego encryption.
+ *
+ * This function is a convenience that helps to avoid dealing directly
+ * with the policy data structure.  You are encouraged to initialize
+ * policy elements with this function call.  Doing so may allow your
+ * code to be forward compatible with later versions of libSRTP that
+ * include more elements in the srtp_crypto_policy_t datatype.
+ *
+ * @warning This policy is NOT RECOMMENDED for SRTP unless there is a
+ * requirement to forego encryption.
+ *
+ * @return void.
+ *
+ */
+void srtp_crypto_policy_set_null_cipher_hmac_sha1_80(srtp_crypto_policy_t *p);
+
+/**
+ * @brief srtp_crypto_policy_set_null_cipher_hmac_null() sets a crypto
+ * policy structure to use no encryption or authentication.
+ *
+ * @param p is a pointer to the policy structure to be set
+ *
+ * The function call srtp_crypto_policy_set_null_cipher_hmac_null(&p)
+ * sets the srtp_crypto_policy_t at location p to use no encryption and
+ * no authentication.  This policy should only be used for testing and
+ * troubleshootingl.
+ *
+ * This function is a convenience that helps to avoid dealing directly
+ * with the policy data structure.  You are encouraged to initialize
+ * policy elements with this function call.  Doing so may allow your
+ * code to be forward compatible with later versions of libSRTP that
+ * include more elements in the srtp_crypto_policy_t datatype.
+ *
+ * @warning This policy is NOT RECOMMENDED for SRTP unless there is a
+ * requirement to forego encryption and authentication.
+ *
+ * @return void.
+ *
+ */
+void srtp_crypto_policy_set_null_cipher_hmac_null(srtp_crypto_policy_t *p);
+
+/**
+ * @brief srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80() sets a crypto
+ * policy structure to a encryption and authentication policy using AES-256
+ * for RTP protection.
+ *
+ * @param p is a pointer to the policy structure to be set
+ *
+ * The function call srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80(&p)
+ * sets the srtp_crypto_policy_t at location p to use policy
+ * AES_CM_256_HMAC_SHA1_80 as defined in RFC 6188.  This policy uses AES-256
+ * Counter Mode encryption and HMAC-SHA1 authentication, with an 80 bit
+ * authentication tag.
+ *
+ * This function is a convenience that helps to avoid dealing directly
+ * with the policy data structure.  You are encouraged to initialize
+ * policy elements with this function call.  Doing so may allow your
+ * code to be forward compatible with later versions of libSRTP that
+ * include more elements in the srtp_crypto_policy_t datatype.
+ *
+ * @return void.
+ *
+ */
+void srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80(srtp_crypto_policy_t *p);
+
+/**
+ * @brief srtp_crypto_policy_set_aes_cm_256_hmac_sha1_32() sets a crypto
+ * policy structure to a short-authentication tag policy using AES-256
+ * encryption.
+ *
+ * @param p is a pointer to the policy structure to be set
+ *
+ * The function call srtp_crypto_policy_set_aes_cm_256_hmac_sha1_32(&p)
+ * sets the srtp_crypto_policy_t at location p to use policy
+ * AES_CM_256_HMAC_SHA1_32 as defined in RFC 6188.  This policy uses AES-256
+ * Counter Mode encryption and HMAC-SHA1 authentication, with an
+ * authentication tag that is only 32 bits long.  This length is
+ * considered adequate only for protecting audio and video media that
+ * use a stateless playback function.  See Section 7.5 of RFC 3711
+ * (http://www.ietf.org/rfc/rfc3711.txt).
+ *
+ * This function is a convenience that helps to avoid dealing directly
+ * with the policy data structure.  You are encouraged to initialize
+ * policy elements with this function call.  Doing so may allow your
+ * code to be forward compatible with later versions of libSRTP that
+ * include more elements in the srtp_crypto_policy_t datatype.
+ *
+ * @warning This crypto policy is intended for use in SRTP, but not in
+ * SRTCP.  It is recommended that a policy that uses longer
+ * authentication tags be used for SRTCP.  See Section 7.5 of RFC 3711
+ * (http://www.ietf.org/rfc/rfc3711.txt).
+ *
+ * @return void.
+ *
+ */
+void srtp_crypto_policy_set_aes_cm_256_hmac_sha1_32(srtp_crypto_policy_t *p);
+
+/**
+ * @brief srtp_crypto_policy_set_aes_cm_256_null_auth() sets a crypto
+ * policy structure to an encryption-only policy
+ *
+ * @param p is a pointer to the policy structure to be set
+ *
+ * The function call srtp_crypto_policy_set_aes_cm_256_null_auth(&p) sets
+ * the srtp_crypto_policy_t at location p to use the SRTP default cipher
+ * (AES-256 Counter Mode), but to use no authentication method.  This
+ * policy is NOT RECOMMENDED unless it is unavoidable; see Section 7.5
+ * of RFC 3711 (http://www.ietf.org/rfc/rfc3711.txt).
+ *
+ * This function is a convenience that helps to avoid dealing directly
+ * with the policy data structure.  You are encouraged to initialize
+ * policy elements with this function call.  Doing so may allow your
+ * code to be forward compatible with later versions of libSRTP that
+ * include more elements in the srtp_crypto_policy_t datatype.
+ *
+ * @warning This policy is NOT RECOMMENDED for SRTP unless it is
+ * unavoidable, and it is NOT RECOMMENDED at all for SRTCP; see
+ * Section 7.5 of RFC 3711 (http://www.ietf.org/rfc/rfc3711.txt).
+ *
+ * @return void.
+ *
+ */
+void srtp_crypto_policy_set_aes_cm_256_null_auth(srtp_crypto_policy_t *p);
+
+/**
+ * @brief srtp_crypto_policy_set_aes_cm_192_hmac_sha1_80() sets a crypto
+ * policy structure to a encryption and authentication policy using AES-192
+ * for RTP protection.
+ *
+ * @param p is a pointer to the policy structure to be set
+ *
+ * The function call srtp_crypto_policy_set_aes_cm_192_hmac_sha1_80(&p)
+ * sets the crypto_policy_t at location p to use policy
+ * AES_CM_192_HMAC_SHA1_80 as defined in RFC 6188.  This policy uses AES-192
+ * Counter Mode encryption and HMAC-SHA1 authentication, with an 80 bit
+ * authentication tag.
+ *
+ * This function is a convenience that helps to avoid dealing directly
+ * with the policy data structure.  You are encouraged to initialize
+ * policy elements with this function call.  Doing so may allow your
+ * code to be forward compatible with later versions of libSRTP that
+ * include more elements in the crypto_policy_t datatype.
+ *
+ * @return void.
+ *
+ */
+void srtp_crypto_policy_set_aes_cm_192_hmac_sha1_80(srtp_crypto_policy_t *p);
+
+/**
+ * @brief srtp_crypto_policy_set_aes_cm_192_hmac_sha1_32() sets a crypto
+ * policy structure to a short-authentication tag policy using AES-192
+ * encryption.
+ *
+ * @param p is a pointer to the policy structure to be set
+ *
+ * The function call srtp_crypto_policy_set_aes_cm_192_hmac_sha1_32(&p)
+ * sets the crypto_policy_t at location p to use policy
+ * AES_CM_192_HMAC_SHA1_32 as defined in RFC 6188.  This policy uses AES-192
+ * Counter Mode encryption and HMAC-SHA1 authentication, with an
+ * authentication tag that is only 32 bits long.  This length is
+ * considered adequate only for protecting audio and video media that
+ * use a stateless playback function.  See Section 7.5 of RFC 3711
+ * (http://www.ietf.org/rfc/rfc3711.txt).
+ *
+ * This function is a convenience that helps to avoid dealing directly
+ * with the policy data structure.  You are encouraged to initialize
+ * policy elements with this function call.  Doing so may allow your
+ * code to be forward compatible with later versions of libSRTP that
+ * include more elements in the crypto_policy_t datatype.
+ *
+ * @warning This crypto policy is intended for use in SRTP, but not in
+ * SRTCP.  It is recommended that a policy that uses longer
+ * authentication tags be used for SRTCP.  See Section 7.5 of RFC 3711
+ * (http://www.ietf.org/rfc/rfc3711.txt).
+ *
+ * @return void.
+ *
+ */
+void srtp_crypto_policy_set_aes_cm_192_hmac_sha1_32(srtp_crypto_policy_t *p);
+
+/**
+ * @brief srtp_crypto_policy_set_aes_cm_192_null_auth() sets a crypto
+ * policy structure to an encryption-only policy
+ *
+ * @param p is a pointer to the policy structure to be set
+ *
+ * The function call srtp_crypto_policy_set_aes_cm_192_null_auth(&p) sets
+ * the crypto_policy_t at location p to use the SRTP default cipher
+ * (AES-192 Counter Mode), but to use no authentication method.  This
+ * policy is NOT RECOMMENDED unless it is unavoidable; see Section 7.5
+ * of RFC 3711 (http://www.ietf.org/rfc/rfc3711.txt).
+ *
+ * This function is a convenience that helps to avoid dealing directly
+ * with the policy data structure.  You are encouraged to initialize
+ * policy elements with this function call.  Doing so may allow your
+ * code to be forward compatible with later versions of libSRTP that
+ * include more elements in the crypto_policy_t datatype.
+ *
+ * @warning This policy is NOT RECOMMENDED for SRTP unless it is
+ * unavoidable, and it is NOT RECOMMENDED at all for SRTCP; see
+ * Section 7.5 of RFC 3711 (http://www.ietf.org/rfc/rfc3711.txt).
+ *
+ * @return void.
+ *
+ */
+void srtp_crypto_policy_set_aes_cm_192_null_auth(srtp_crypto_policy_t *p);
+
+/**
+ * @brief srtp_crypto_policy_set_aes_gcm_128_8_auth() sets a crypto
+ * policy structure to an AEAD encryption policy.
+ *
+ * @param p is a pointer to the policy structure to be set
+ *
+ * The function call srtp_crypto_policy_set_aes_gcm_128_8_auth(&p) sets
+ * the srtp_crypto_policy_t at location p to use the SRTP default cipher
+ * (AES-128 Galois Counter Mode) with 8 octet auth tag.  This
+ * policy applies confidentiality and authentication to both the
+ * RTP and RTCP packets.
+ *
+ * This function is a convenience that helps to avoid dealing directly
+ * with the policy data structure.  You are encouraged to initialize
+ * policy elements with this function call.  Doing so may allow your
+ * code to be forward compatible with later versions of libSRTP that
+ * include more elements in the srtp_crypto_policy_t datatype.
+ *
+ * @return void.
+ *
+ */
+void srtp_crypto_policy_set_aes_gcm_128_8_auth(srtp_crypto_policy_t *p);
+
+/**
+ * @brief srtp_crypto_policy_set_aes_gcm_256_8_auth() sets a crypto
+ * policy structure to an AEAD encryption policy
+ *
+ * @param p is a pointer to the policy structure to be set
+ *
+ * The function call srtp_crypto_policy_set_aes_gcm_256_8_auth(&p) sets
+ * the srtp_crypto_policy_t at location p to use the SRTP default cipher
+ * (AES-256 Galois Counter Mode) with 8 octet auth tag.  This
+ * policy applies confidentiality and authentication to both the
+ * RTP and RTCP packets.
+ *
+ * This function is a convenience that helps to avoid dealing directly
+ * with the policy data structure.  You are encouraged to initialize
+ * policy elements with this function call.  Doing so may allow your
+ * code to be forward compatible with later versions of libSRTP that
+ * include more elements in the srtp_crypto_policy_t datatype.
+ *
+ * @return void.
+ *
+ */
+void srtp_crypto_policy_set_aes_gcm_256_8_auth(srtp_crypto_policy_t *p);
+
+/**
+ * @brief srtp_crypto_policy_set_aes_gcm_128_8_only_auth() sets a crypto
+ * policy structure to an AEAD authentication-only policy
+ *
+ * @param p is a pointer to the policy structure to be set
+ *
+ * The function call srtp_crypto_policy_set_aes_gcm_128_8_only_auth(&p) sets
+ * the srtp_crypto_policy_t at location p to use the SRTP default cipher
+ * (AES-128 Galois Counter Mode) with 8 octet auth tag.  This policy
+ * applies confidentiality and authentication to the RTP packets,
+ * but only authentication to the RTCP packets.
+ *
+ * This function is a convenience that helps to avoid dealing directly
+ * with the policy data structure.  You are encouraged to initialize
+ * policy elements with this function call.  Doing so may allow your
+ * code to be forward compatible with later versions of libSRTP that
+ * include more elements in the srtp_crypto_policy_t datatype.
+ *
+ * @return void.
+ *
+ */
+void srtp_crypto_policy_set_aes_gcm_128_8_only_auth(srtp_crypto_policy_t *p);
+
+/**
+ * @brief srtp_crypto_policy_set_aes_gcm_256_8_only_auth() sets a crypto
+ * policy structure to an AEAD authentication-only policy
+ *
+ * @param p is a pointer to the policy structure to be set
+ *
+ * The function call srtp_crypto_policy_set_aes_gcm_256_8_only_auth(&p) sets
+ * the srtp_crypto_policy_t at location p to use the SRTP default cipher
+ * (AES-256 Galois Counter Mode) with 8 octet auth tag.  This policy
+ * applies confidentiality and authentication to the RTP packets,
+ * but only authentication to the RTCP packets.
+ *
+ * This function is a convenience that helps to avoid dealing directly
+ * with the policy data structure.  You are encouraged to initialize
+ * policy elements with this function call.  Doing so may allow your
+ * code to be forward compatible with later versions of libSRTP that
+ * include more elements in the srtp_crypto_policy_t datatype.
+ *
+ * @return void.
+ *
+ */
+void srtp_crypto_policy_set_aes_gcm_256_8_only_auth(srtp_crypto_policy_t *p);
+
+/**
+ * @brief srtp_crypto_policy_set_aes_gcm_128_16_auth() sets a crypto
+ * policy structure to an AEAD encryption policy.
+ *
+ * @param p is a pointer to the policy structure to be set
+ *
+ * The function call srtp_crypto_policy_set_aes_gcm_128_16_auth(&p) sets
+ * the srtp_crypto_policy_t at location p to use the SRTP default cipher
+ * (AES-128 Galois Counter Mode) with 16 octet auth tag.  This
+ * policy applies confidentiality and authentication to both the
+ * RTP and RTCP packets.
+ *
+ * This function is a convenience that helps to avoid dealing directly
+ * with the policy data structure.  You are encouraged to initialize
+ * policy elements with this function call.  Doing so may allow your
+ * code to be forward compatible with later versions of libSRTP that
+ * include more elements in the srtp_crypto_policy_t datatype.
+ *
+ * @return void.
+ *
+ */
+void srtp_crypto_policy_set_aes_gcm_128_16_auth(srtp_crypto_policy_t *p);
+
+/**
+ * @brief srtp_crypto_policy_set_aes_gcm_256_16_auth() sets a crypto
+ * policy structure to an AEAD encryption policy
+ *
+ * @param p is a pointer to the policy structure to be set
+ *
+ * The function call srtp_crypto_policy_set_aes_gcm_256_16_auth(&p) sets
+ * the srtp_crypto_policy_t at location p to use the SRTP default cipher
+ * (AES-256 Galois Counter Mode) with 16 octet auth tag.  This
+ * policy applies confidentiality and authentication to both the
+ * RTP and RTCP packets.
+ *
+ * This function is a convenience that helps to avoid dealing directly
+ * with the policy data structure.  You are encouraged to initialize
+ * policy elements with this function call.  Doing so may allow your
+ * code to be forward compatible with later versions of libSRTP that
+ * include more elements in the srtp_crypto_policy_t datatype.
+ *
+ * @return void.
+ *
+ */
+void srtp_crypto_policy_set_aes_gcm_256_16_auth(srtp_crypto_policy_t *p);
+
+/**
+ * @brief srtp_dealloc() deallocates storage for an SRTP session
+ * context.
+ *
+ * The function call srtp_dealloc(s) deallocates storage for the
+ * SRTP session context s.  This function should be called no more
+ * than one time for each of the contexts allocated by the function
+ * srtp_create().
+ *
+ * @param s is the srtp_t for the session to be deallocated.
+ *
+ * @return
+ *    - srtp_err_status_ok             if there no problems.
+ *    - srtp_err_status_dealloc_fail   a memory deallocation failure occured.
+ */
+srtp_err_status_t srtp_dealloc(srtp_t s);
+
+/*
+ * @brief identifies a particular SRTP profile
+ *
+ * An srtp_profile_t enumeration is used to identify a particular SRTP
+ * profile (that is, a set of algorithms and parameters). These profiles
+ * are defined for DTLS-SRTP:
+ * https://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml
+ */
+typedef enum {
+    srtp_profile_reserved = 0,
+    srtp_profile_aes128_cm_sha1_80 = 1,
+    srtp_profile_aes128_cm_sha1_32 = 2,
+    srtp_profile_null_sha1_80 = 5,
+    srtp_profile_null_sha1_32 = 6,
+    srtp_profile_aead_aes_128_gcm = 7,
+    srtp_profile_aead_aes_256_gcm = 8,
+} srtp_profile_t;
+
+/**
+ * @brief srtp_crypto_policy_set_from_profile_for_rtp() sets a crypto policy
+ * structure to the appropriate value for RTP based on an srtp_profile_t
+ *
+ * @param policy is a pointer to the policy structure to be set
+ *
+ * @param profile is an enumeration for the policy to be set
+ *
+ * The function call srtp_crypto_policy_set_rtp_default(&policy, profile)
+ * sets the srtp_crypto_policy_t at location policy to the policy for RTP
+ * protection, as defined by the srtp_profile_t profile.
+ *
+ * This function is a convenience that helps to avoid dealing directly
+ * with the policy data structure.  You are encouraged to initialize
+ * policy elements with this function call.  Doing so may allow your
+ * code to be forward compatible with later versions of libSRTP that
+ * include more elements in the srtp_crypto_policy_t datatype.
+ *
+ * @return values
+ *     - srtp_err_status_ok         no problems were encountered
+ *     - srtp_err_status_bad_param  the profile is not supported
+ *
+ */
+srtp_err_status_t srtp_crypto_policy_set_from_profile_for_rtp(
+    srtp_crypto_policy_t *policy,
+    srtp_profile_t profile);
+
+/**
+ * @brief srtp_crypto_policy_set_from_profile_for_rtcp() sets a crypto policy
+ * structure to the appropriate value for RTCP based on an srtp_profile_t
+ *
+ * @param policy is a pointer to the policy structure to be set
+ *
+ * @param profile is an enumeration for the policy to be set
+ *
+ * The function call srtp_crypto_policy_set_rtcp_default(&policy, profile)
+ * sets the srtp_crypto_policy_t at location policy to the policy for RTCP
+ * protection, as defined by the srtp_profile_t profile.
+ *
+ * This function is a convenience that helps to avoid dealing directly
+ * with the policy data structure.  You are encouraged to initialize
+ * policy elements with this function call.  Doing so may allow your
+ * code to be forward compatible with later versions of libSRTP that
+ * include more elements in the srtp_crypto_policy_t datatype.
+ *
+ * @return values
+ *     - srtp_err_status_ok         no problems were encountered
+ *     - srtp_err_status_bad_param  the profile is not supported
+ *
+ */
+srtp_err_status_t srtp_crypto_policy_set_from_profile_for_rtcp(
+    srtp_crypto_policy_t *policy,
+    srtp_profile_t profile);
+
+/**
+ * @brief returns the master key length for a given SRTP profile
+ */
+unsigned int srtp_profile_get_master_key_length(srtp_profile_t profile);
+
+/**
+ * @brief returns the master salt length for a given SRTP profile
+ */
+unsigned int srtp_profile_get_master_salt_length(srtp_profile_t profile);
+
+/**
+ * @brief appends the salt to the key
+ *
+ * The function call srtp_append_salt_to_key(k, klen, s, slen)
+ * copies the string s to the location at klen bytes following
+ * the location k.
+ *
+ * @warning There must be at least bytes_in_salt + bytes_in_key bytes
+ *          available at the location pointed to by key.
+ *
+ */
+void srtp_append_salt_to_key(unsigned char *key,
+                             unsigned int bytes_in_key,
+                             unsigned char *salt,
+                             unsigned int bytes_in_salt);
+
+/**
+ * @}
+ */
+
+/**
+ * @defgroup SRTCP Secure RTCP
+ * @ingroup  SRTP
+ *
+ * @brief Secure RTCP functions are used to protect RTCP traffic.
+ *
+ * RTCP is the control protocol for RTP.  libSRTP protects RTCP
+ * traffic in much the same way as it does RTP traffic.  The function
+ * srtp_protect_rtcp() applies cryptographic protections to outbound
+ * RTCP packets, and srtp_unprotect_rtcp() verifies the protections on
+ * inbound RTCP packets.
+ *
+ * A note on the naming convention: srtp_protect_rtcp() has an srtp_t
+ * as its first argument, and thus has `srtp_' as its prefix.  The
+ * trailing `_rtcp' indicates the protocol on which it acts.
+ *
+ * @{
+ */
+
+/**
+ * @brief srtp_protect_rtcp() is the Secure RTCP sender-side packet
+ * processing function.
+ *
+ * The function call srtp_protect_rtcp(ctx, rtp_hdr, len_ptr) applies
+ * SRTCP protection to the RTCP packet rtcp_hdr (which has length
+ * *len_ptr) using the SRTP session context ctx.  If srtp_err_status_ok is
+ * returned, then rtp_hdr points to the resulting SRTCP packet and
+ * *len_ptr is the number of octets in that packet; otherwise, no
+ * assumptions should be made about the value of either data elements.
+ *
+ * @warning This function assumes that it can write the authentication
+ * tag into the location in memory immediately following the RTCP
+ * packet, and assumes that the RTCP packet is aligned on a 32-bit
+ * boundary.
+ *
+ * @warning This function assumes that it can write SRTP_MAX_TRAILER_LEN+4
+ * into the location in memory immediately following the RTCP packet.
+ * Callers MUST ensure that this much writable memory is available in
+ * the buffer that holds the RTCP packet.
+ *
+ * @param ctx is the SRTP context to use in processing the packet.
+ *
+ * @param rtcp_hdr is a pointer to the RTCP packet (before the call); after
+ * the function returns, it points to the srtp packet.
+ *
+ * @param pkt_octet_len is a pointer to the length in octets of the
+ * complete RTCP packet (header and body) before the function call,
+ * and of the complete SRTCP packet after the call, if srtp_err_status_ok
+ * was returned.  Otherwise, the value of the data to which it points
+ * is undefined.
+ *
+ * @return
+ *    - srtp_err_status_ok            if there were no problems.
+ *    - [other]                  if there was a failure in
+ *                               the cryptographic mechanisms.
+ */
+srtp_err_status_t srtp_protect_rtcp(srtp_t ctx,
+                                    void *rtcp_hdr,
+                                    int *pkt_octet_len);
+
+/**
+ * @brief srtp_protect_rtcp_mki() is the Secure RTCP sender-side packet
+ * processing function that can utilize mki.
+ *
+ * The function call srtp_protect_rtcp(ctx, rtp_hdr, len_ptr) applies
+ * SRTCP protection to the RTCP packet rtcp_hdr (which has length
+ * *len_ptr) using the SRTP session context ctx.  If srtp_err_status_ok is
+ * returned, then rtp_hdr points to the resulting SRTCP packet and
+ * *len_ptr is the number of octets in that packet; otherwise, no
+ * assumptions should be made about the value of either data elements.
+ *
+ * @warning This function assumes that it can write the authentication
+ * tag into the location in memory immediately following the RTCP
+ * packet, and assumes that the RTCP packet is aligned on a 32-bit
+ * boundary.
+ *
+ * @warning This function assumes that it can write SRTP_MAX_TRAILER_LEN+4
+ * into the location in memory immediately following the RTCP packet.
+ * Callers MUST ensure that this much writable memory is available in
+ * the buffer that holds the RTCP packet.
+ *
+ * @param ctx is the SRTP context to use in processing the packet.
+ *
+ * @param rtcp_hdr is a pointer to the RTCP packet (before the call); after
+ * the function returns, it points to the srtp packet.
+ *
+ * @param pkt_octet_len is a pointer to the length in octets of the
+ * complete RTCP packet (header and body) before the function call,
+ * and of the complete SRTCP packet after the call, if srtp_err_status_ok
+ * was returned.  Otherwise, the value of the data to which it points
+ * is undefined.
+ *
+ * @param use_mki is a boolean to tell the system if mki is being used.  If
+ * set to false then will use the first set of session keys.  If set to true
+ * will
+ * use the session keys identified by the mki_index
+ *
+ * @param mki_index integer value specifying which set of session kesy should be
+ * used if use_mki is set to true.
+ *
+ * @return
+ *    - srtp_err_status_ok            if there were no problems.
+ *    - [other]                  if there was a failure in
+ *                               the cryptographic mechanisms.
+ */
+srtp_err_status_t srtp_protect_rtcp_mki(srtp_t ctx,
+                                        void *rtcp_hdr,
+                                        int *pkt_octet_len,
+                                        unsigned int use_mki,
+                                        unsigned int mki_index);
+
+/**
+ * @brief srtp_unprotect_rtcp() is the Secure RTCP receiver-side packet
+ * processing function.
+ *
+ * The function call srtp_unprotect_rtcp(ctx, srtp_hdr, len_ptr)
+ * verifies the Secure RTCP protection of the SRTCP packet pointed to
+ * by srtcp_hdr (which has length *len_ptr), using the SRTP session
+ * context ctx.  If srtp_err_status_ok is returned, then srtcp_hdr points
+ * to the resulting RTCP packet and *len_ptr is the number of octets
+ * in that packet; otherwise, no assumptions should be made about the
+ * value of either data elements.
+ *
+ * @warning This function assumes that the SRTCP packet is aligned on a
+ * 32-bit boundary.
+ *
+ * @param ctx is a pointer to the srtp_t which applies to the
+ * particular packet.
+ *
+ * @param srtcp_hdr is a pointer to the header of the SRTCP packet
+ * (before the call).  After the function returns, it points to the
+ * rtp packet if srtp_err_status_ok was returned; otherwise, the value of
+ * the data to which it points is undefined.
+ *
+ * @param pkt_octet_len is a pointer to the length in octets of the
+ * complete SRTCP packet (header and body) before the function call,
+ * and of the complete rtp packet after the call, if srtp_err_status_ok was
+ * returned.  Otherwise, the value of the data to which it points is
+ * undefined.
+ *
+ * @return
+ *    - srtp_err_status_ok          if the RTCP packet is valid.
+ *    - srtp_err_status_auth_fail   if the SRTCP packet failed the message
+ *                             authentication check.
+ *    - srtp_err_status_replay_fail if the SRTCP packet is a replay (e.g. has
+ *                             already been processed and accepted).
+ *    - [other]  if there has been an error in the cryptographic mechanisms.
+ *
+ */
+srtp_err_status_t srtp_unprotect_rtcp(srtp_t ctx,
+                                      void *srtcp_hdr,
+                                      int *pkt_octet_len);
+
+/**
+ * @brief srtp_unprotect_rtcp() is the Secure RTCP receiver-side packet
+ * processing function.
+ *
+ * The function call srtp_unprotect_rtcp(ctx, srtp_hdr, len_ptr)
+ * verifies the Secure RTCP protection of the SRTCP packet pointed to
+ * by srtcp_hdr (which has length *len_ptr), using the SRTP session
+ * context ctx.  If srtp_err_status_ok is returned, then srtcp_hdr points
+ * to the resulting RTCP packet and *len_ptr is the number of octets
+ * in that packet; otherwise, no assumptions should be made about the
+ * value of either data elements.
+ *
+ * @warning This function assumes that the SRTCP packet is aligned on a
+ * 32-bit boundary.
+ *
+ * @param ctx is a pointer to the srtp_t which applies to the
+ * particular packet.
+ *
+ * @param srtcp_hdr is a pointer to the header of the SRTCP packet
+ * (before the call).  After the function returns, it points to the
+ * rtp packet if srtp_err_status_ok was returned; otherwise, the value of
+ * the data to which it points is undefined.
+ *
+ * @param pkt_octet_len is a pointer to the length in octets of the
+ * complete SRTCP packet (header and body) before the function call,
+ * and of the complete rtp packet after the call, if srtp_err_status_ok was
+ * returned.  Otherwise, the value of the data to which it points is
+ * undefined.
+ *
+ * @param use_mki is a boolean to tell the system if mki is being used.  If
+ * set to false then will use the first set of session keys.  If set to true
+ * will use the session keys identified by the mki_index
+ *
+ * @return
+ *    - srtp_err_status_ok          if the RTCP packet is valid.
+ *    - srtp_err_status_auth_fail   if the SRTCP packet failed the message
+ *                                  authentication check.
+ *    - srtp_err_status_replay_fail if the SRTCP packet is a replay (e.g. has
+ *                                  already been processed and accepted).
+ *    - srtp_err_status_bad_mki     if the MKI in the packet is not a known MKI
+ *                                  id
+ *    - [other]                     if there has been an error in the
+ *                                  cryptographic mechanisms.
+ *
+ */
+srtp_err_status_t srtp_unprotect_rtcp_mki(srtp_t ctx,
+                                          void *srtcp_hdr,
+                                          int *pkt_octet_len,
+                                          unsigned int use_mki);
+
+/**
+ * @}
+ */
+
+/**
+ * @defgroup User data associated to a SRTP session.
+ * @ingroup  SRTP
+ *
+ * @brief Store custom user data within a SRTP session.
+ *
+ * @{
+ */
+
+/**
+ * @brief srtp_set_user_data() stores the given pointer into the SRTP
+ * session for later retrieval.
+ *
+ * @param ctx is the srtp_t context in which the given data pointer is
+ * stored.
+ *
+ * @param data is a pointer to the custom information (struct, function,
+ * etc) associated with the SRTP session.
+ *
+ * @return void.
+ *
+ */
+void srtp_set_user_data(srtp_t ctx, void *data);
+
+/**
+ * @brief srtp_get_user_data() retrieves the pointer to the custom data
+ * previously stored with srtp_set_user_data().
+ *
+ * This function is mostly useful for retrieving data associated to a
+ * SRTP session when an event fires. The user can then get such a custom
+ * data by calling this function with the session field of the
+ * srtp_event_data_t struct as argument.
+ *
+ * @param ctx is the srtp_t context in which the given data pointer was
+ * stored.
+ *
+ * @return void* pointer to the user data.
+ *
+ */
+void *srtp_get_user_data(srtp_t ctx);
+
+/**
+ * @}
+ */
+
+/**
+ * @defgroup SRTPevents SRTP events and callbacks
+ * @ingroup  SRTP
+ *
+ * @brief libSRTP can use a user-provided callback function to
+ * handle events.
+ *
+ *
+ * libSRTP allows a user to provide a callback function to handle
+ * events that need to be dealt with outside of the data plane (see
+ * the enum srtp_event_t for a description of these events).  Dealing
+ * with these events is not a strict necessity; they are not
+ * security-critical, but the application may suffer if they are not
+ * handled.  The function srtp_set_event_handler() is used to provide
+ * the callback function.
+ *
+ * A default event handler that merely reports on the events as they
+ * happen is included.  It is also possible to set the event handler
+ * function to NULL, in which case all events will just be silently
+ * ignored.
+ *
+ * @{
+ */
+
+/**
+ * @brief srtp_event_t defines events that need to be handled
+ *
+ * The enum srtp_event_t defines events that need to be handled
+ * outside the `data plane', such as SSRC collisions and
+ * key expirations.
+ *
+ * When a key expires or the maximum number of packets has been
+ * reached, an SRTP stream will enter an `expired' state in which no
+ * more packets can be protected or unprotected.  When this happens,
+ * it is likely that you will want to either deallocate the stream
+ * (using srtp_remove_stream()), and possibly allocate a new one.
+ *
+ * When an SRTP stream expires, the other streams in the same session
+ * are unaffected, unless key sharing is used by that stream.  In the
+ * latter case, all of the streams in the session will expire.
+ */
+typedef enum {
+    event_ssrc_collision,    /**< An SSRC collision occured.            */
+    event_key_soft_limit,    /**< An SRTP stream reached the soft key   */
+                             /**< usage limit and will expire soon.     */
+    event_key_hard_limit,    /**< An SRTP stream reached the hard       */
+                             /**< key usage limit and has expired.      */
+    event_packet_index_limit /**< An SRTP stream reached the hard       */
+                             /**< packet limit (2^48 packets).          */
+} srtp_event_t;
+
+/**
+ * @brief srtp_event_data_t is the structure passed as a callback to
+ * the event handler function
+ *
+ * The struct srtp_event_data_t holds the data passed to the event
+ * handler function.
+ */
+typedef struct srtp_event_data_t {
+    srtp_t session;     /**< The session in which the event happend.        */
+    uint32_t ssrc;      /**< The ssrc in host order of the stream in which  */
+                        /**< the event happend                              */
+    srtp_event_t event; /**< An enum indicating the type of event.          */
+} srtp_event_data_t;
+
+/**
+ * @brief srtp_event_handler_func_t is the function prototype for
+ * the event handler.
+ *
+ * The typedef srtp_event_handler_func_t is the prototype for the
+ * event handler function.  It has as its only argument an
+ * srtp_event_data_t which describes the event that needs to be handled.
+ * There can only be a single, global handler for all events in
+ * libSRTP.
+ */
+typedef void(srtp_event_handler_func_t)(srtp_event_data_t *data);
+
+/**
+ * @brief sets the event handler to the function supplied by the caller.
+ *
+ * The function call srtp_install_event_handler(func) sets the event
+ * handler function to the value func.  The value NULL is acceptable
+ * as an argument; in this case, events will be ignored rather than
+ * handled.
+ *
+ * @param func is a pointer to a fuction that takes an srtp_event_data_t
+ *             pointer as an argument and returns void.  This function
+ *             will be used by libSRTP to handle events.
+ */
+srtp_err_status_t srtp_install_event_handler(srtp_event_handler_func_t func);
+
+/**
+ * @brief Returns the version string of the library.
+ *
+ */
+const char *srtp_get_version_string(void);
+
+/**
+ * @brief Returns the numeric representation of the library version.
+ *
+ */
+unsigned int srtp_get_version(void);
+
+/**
+ * @brief srtp_set_debug_module(mod_name, v)
+ *
+ * sets dynamic debugging to the value v (0 for off, 1 for on) for the
+ * debug module with the name mod_name
+ *
+ * returns err_status_ok on success, err_status_fail otherwise
+ */
+srtp_err_status_t srtp_set_debug_module(const char *mod_name, int v);
+
+/**
+ * @brief srtp_list_debug_modules() outputs a list of debugging modules
+ *
+ */
+srtp_err_status_t srtp_list_debug_modules(void);
+
+/**
+ * @brief srtp_log_level_t defines log levels.
+ *
+ * The enumeration srtp_log_level_t defines log levels reported
+ * in the srtp_log_handler_func_t.
+ *
+ */
+typedef enum {
+    srtp_log_level_error,   /**< log level is reporting an error message  */
+    srtp_log_level_warning, /**< log level is reporting a warning message */
+    srtp_log_level_info,    /**< log level is reporting an info message   */
+    srtp_log_level_debug    /**< log level is reporting a debug message   */
+} srtp_log_level_t;
+
+/**
+ * @brief srtp_log_handler_func_t is the function prototype for
+ * the log handler.
+ *
+ * The typedef srtp_event_handler_func_t is the prototype for the
+ * event handler function.  It has as srtp_log_level_t, log
+ * message and data as arguments.
+ * There can only be a single, global handler for all log messages in
+ * libSRTP.
+ */
+typedef void(srtp_log_handler_func_t)(srtp_log_level_t level,
+                                      const char *msg,
+                                      void *data);
+
+/**
+ * @brief sets the log handler to the function supplied by the caller.
+ *
+ * The function call srtp_install_log_handler(func) sets the log
+ * handler function to the value func.  The value NULL is acceptable
+ * as an argument; in this case, log messages will be ignored.
+ * This function can be called before srtp_init() inorder to capture
+ * any logging during start up.
+ *
+ * @param func is a pointer to a fuction of type srtp_log_handler_func_t.
+ *             This function will be used by libSRTP to output log messages.
+ * @param data is a user pointer that will be returned as the data argument in
+ * func.
+ */
+srtp_err_status_t srtp_install_log_handler(srtp_log_handler_func_t func,
+                                           void *data);
+
+/**
+ * @brief srtp_get_protect_trailer_length(session, use_mki, mki_index, length)
+ *
+ * Determines the length of the amount of data Lib SRTP will add to the
+ * packet during the protect process. The length is returned in the length
+ * parameter
+ *
+ * returns err_status_ok on success, err_status_bad_mki if the MKI index is
+ * invalid
+ *
+ */
+srtp_err_status_t srtp_get_protect_trailer_length(srtp_t session,
+                                                  uint32_t use_mki,
+                                                  uint32_t mki_index,
+                                                  uint32_t *length);
+
+/**
+ * @brief srtp_get_protect_rtcp_trailer_length(session, use_mki, mki_index,
+ * length)
+ *
+ * Determines the length of the amount of data Lib SRTP will add to the
+ * packet during the protect process. The length is returned in the length
+ * parameter
+ *
+ * returns err_status_ok on success, err_status_bad_mki if the MKI index is
+ * invalid
+ *
+ */
+srtp_err_status_t srtp_get_protect_rtcp_trailer_length(srtp_t session,
+                                                       uint32_t use_mki,
+                                                       uint32_t mki_index,
+                                                       uint32_t *length);
+
+/**
+ * @brief srtp_set_stream_roc(session, ssrc, roc)
+ *
+ * Set the roll-over-counter on a session for a given SSRC
+ *
+ * returns err_status_ok on success, srtp_err_status_bad_param if there is no
+ * stream found
+ *
+ */
+srtp_err_status_t srtp_set_stream_roc(srtp_t session,
+                                      uint32_t ssrc,
+                                      uint32_t roc);
+
+/**
+ * @brief srtp_get_stream_roc(session, ssrc, roc)
+ *
+ * Get the roll-over-counter on a session for a given SSRC
+ *
+ * returns err_status_ok on success, srtp_err_status_bad_param if there is no
+ * stream found
+ *
+ */
+srtp_err_status_t srtp_get_stream_roc(srtp_t session,
+                                      uint32_t ssrc,
+                                      uint32_t *roc);
+
+/**
+ * @}
+ */
+
+/* in host order, so outside the #if */
+#define SRTCP_E_BIT 0x80000000
+
+/* for byte-access */
+#define SRTCP_E_BYTE_BIT 0x80
+#define SRTCP_INDEX_MASK 0x7fffffff
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* SRTP_SRTP_H */
diff --git a/netwerk/srtp/src/include/srtp_priv.h b/netwerk/srtp/src/include/srtp_priv.h
new file mode 100644
index 0000000000..988efc4164
--- /dev/null
+++ b/netwerk/srtp/src/include/srtp_priv.h
@@ -0,0 +1,280 @@
+/*
+ * srtp_priv.h
+ *
+ * private internal data structures and functions for libSRTP
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+/*
+ *
+ * Copyright (c) 2001-2017 Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef SRTP_PRIV_H
+#define SRTP_PRIV_H
+
+// Leave this as the top level import. Ensures the existence of defines
+#include "config.h"
+
+#include "srtp.h"
+#include "rdbx.h"
+#include "rdb.h"
+#include "integers.h"
+#include "cipher.h"
+#include "auth.h"
+#include "aes.h"
+#include "key.h"
+#include "crypto_kernel.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define SRTP_VER_STRING PACKAGE_STRING
+#define SRTP_VERSION PACKAGE_VERSION
+
+typedef struct srtp_stream_ctx_t_ srtp_stream_ctx_t;
+typedef srtp_stream_ctx_t *srtp_stream_t;
+
+/*
+ * the following declarations are libSRTP internal functions
+ */
+
+/*
+ * srtp_get_stream(ssrc) returns a pointer to the stream corresponding
+ * to ssrc, or NULL if no stream exists for that ssrc
+ */
+srtp_stream_t srtp_get_stream(srtp_t srtp, uint32_t ssrc);
+
+/*
+ * srtp_stream_init_keys(s, k) (re)initializes the srtp_stream_t s by
+ * deriving all of the needed keys using the KDF and the key k.
+ */
+srtp_err_status_t srtp_stream_init_keys(srtp_stream_ctx_t *srtp,
+                                        srtp_master_key_t *master_key,
+                                        const unsigned int current_mki_index);
+
+/*
+ * srtp_stream_init_all_master_keys(s, k, m) (re)initializes the srtp_stream_t s
+ * by deriving all of the needed keys for all the master keys using the KDF and
+ * the keys from k.
+ */
+srtp_err_status_t srtp_steam_init_all_master_keys(
+    srtp_stream_ctx_t *srtp,
+    unsigned char *key,
+    srtp_master_key_t **keys,
+    const unsigned int max_master_keys);
+
+/*
+ * srtp_stream_init(s, p) initializes the srtp_stream_t s to
+ * use the policy at the location p
+ */
+srtp_err_status_t srtp_stream_init(srtp_stream_t srtp, const srtp_policy_t *p);
+
+/*
+ * libsrtp internal datatypes
+ */
+typedef enum direction_t {
+    dir_unknown = 0,
+    dir_srtp_sender = 1,
+    dir_srtp_receiver = 2
+} direction_t;
+
+/*
+ * srtp_session_keys_t will contain the encryption, hmac, salt keys
+ * for both SRTP and SRTCP.  The session keys will also contain the
+ * MKI ID which is used to identify the session keys.
+ */
+typedef struct srtp_session_keys_t {
+    srtp_cipher_t *rtp_cipher;
+    srtp_cipher_t *rtp_xtn_hdr_cipher;
+    srtp_auth_t *rtp_auth;
+    srtp_cipher_t *rtcp_cipher;
+    srtp_auth_t *rtcp_auth;
+    uint8_t salt[SRTP_AEAD_SALT_LEN];
+    uint8_t c_salt[SRTP_AEAD_SALT_LEN];
+    uint8_t *mki_id;
+    unsigned int mki_size;
+    srtp_key_limit_ctx_t *limit;
+} srtp_session_keys_t;
+
+/*
+ * an srtp_stream_t has its own SSRC, encryption key, authentication
+ * key, sequence number, and replay database
+ *
+ * note that the keys might not actually be unique, in which case the
+ * srtp_cipher_t and srtp_auth_t pointers will point to the same structures
+ */
+typedef struct srtp_stream_ctx_t_ {
+    uint32_t ssrc;
+    srtp_session_keys_t *session_keys;
+    unsigned int num_master_keys;
+    srtp_rdbx_t rtp_rdbx;
+    srtp_sec_serv_t rtp_services;
+    srtp_rdb_t rtcp_rdb;
+    srtp_sec_serv_t rtcp_services;
+    direction_t direction;
+    int allow_repeat_tx;
+    srtp_ekt_stream_t ekt;
+    int *enc_xtn_hdr;
+    int enc_xtn_hdr_count;
+    uint32_t pending_roc;
+    struct srtp_stream_ctx_t_ *next; /* linked list of streams */
+} strp_stream_ctx_t_;
+
+/*
+ * an srtp_ctx_t holds a stream list and a service description
+ */
+typedef struct srtp_ctx_t_ {
+    struct srtp_stream_ctx_t_ *stream_list;     /* linked list of streams     */
+    struct srtp_stream_ctx_t_ *stream_template; /* act as template for other  */
+                                                /* streams                    */
+    void *user_data;                            /* user custom data           */
+} srtp_ctx_t_;
+
+/*
+ * srtp_hdr_t represents an RTP or SRTP header.  The bit-fields in
+ * this structure should be declared "unsigned int" instead of
+ * "unsigned char", but doing so causes the MS compiler to not
+ * fully pack the bit fields.
+ *
+ * In this implementation, an srtp_hdr_t is assumed to be 32-bit aligned
+ *
+ * (note that this definition follows that of RFC 1889 Appendix A, but
+ * is not identical)
+ */
+
+#ifndef WORDS_BIGENDIAN
+
+typedef struct {
+    unsigned char cc : 4;      /* CSRC count             */
+    unsigned char x : 1;       /* header extension flag  */
+    unsigned char p : 1;       /* padding flag           */
+    unsigned char version : 2; /* protocol version       */
+    unsigned char pt : 7;      /* payload type           */
+    unsigned char m : 1;       /* marker bit             */
+    uint16_t seq;              /* sequence number        */
+    uint32_t ts;               /* timestamp              */
+    uint32_t ssrc;             /* synchronization source */
+} srtp_hdr_t;
+
+#else /*  BIG_ENDIAN */
+
+typedef struct {
+    unsigned char version : 2; /* protocol version       */
+    unsigned char p : 1;       /* padding flag           */
+    unsigned char x : 1;       /* header extension flag  */
+    unsigned char cc : 4;      /* CSRC count             */
+    unsigned char m : 1;       /* marker bit             */
+    unsigned char pt : 7;      /* payload type           */
+    uint16_t seq;              /* sequence number        */
+    uint32_t ts;               /* timestamp              */
+    uint32_t ssrc;             /* synchronization source */
+} srtp_hdr_t;
+
+#endif
+
+typedef struct {
+    uint16_t profile_specific; /* profile-specific info               */
+    uint16_t length;           /* number of 32-bit words in extension */
+} srtp_hdr_xtnd_t;
+
+/*
+ * srtcp_hdr_t represents a secure rtcp header
+ *
+ * in this implementation, an srtcp header is assumed to be 32-bit
+ * alinged
+ */
+
+#ifndef WORDS_BIGENDIAN
+
+typedef struct {
+    unsigned char rc : 5;      /* reception report count */
+    unsigned char p : 1;       /* padding flag           */
+    unsigned char version : 2; /* protocol version       */
+    unsigned char pt : 8;      /* payload type           */
+    uint16_t len;              /* length                 */
+    uint32_t ssrc;             /* synchronization source */
+} srtcp_hdr_t;
+
+typedef struct {
+    unsigned int index : 31; /* srtcp packet index in network order!  */
+    unsigned int e : 1;      /* encrypted? 1=yes                      */
+                             /* optional mikey/etc go here            */
+                             /* and then the variable-length auth tag */
+} srtcp_trailer_t;
+
+#else /*  BIG_ENDIAN */
+
+typedef struct {
+    unsigned char version : 2; /* protocol version       */
+    unsigned char p : 1;       /* padding flag           */
+    unsigned char rc : 5;      /* reception report count */
+    unsigned char pt : 8;      /* payload type           */
+    uint16_t len;              /* length                 */
+    uint32_t ssrc;             /* synchronization source */
+} srtcp_hdr_t;
+
+typedef struct {
+    unsigned int e : 1;      /* encrypted? 1=yes                      */
+    unsigned int index : 31; /* srtcp packet index                    */
+                             /* optional mikey/etc go here            */
+                             /* and then the variable-length auth tag */
+} srtcp_trailer_t;
+
+#endif
+
+/*
+ * srtp_handle_event(srtp, srtm, evnt) calls the event handling
+ * function, if there is one.
+ *
+ * This macro is not included in the documentation as it is
+ * an internal-only function.
+ */
+
+#define srtp_handle_event(srtp, strm, evnt)                                    \
+    if (srtp_event_handler) {                                                  \
+        srtp_event_data_t data;                                                \
+        data.session = srtp;                                                   \
+        data.ssrc = ntohl(strm->ssrc);                                         \
+        data.event = evnt;                                                     \
+        srtp_event_handler(&data);                                             \
+    }
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* SRTP_PRIV_H */
diff --git a/netwerk/srtp/src/include/ut_sim.h b/netwerk/srtp/src/include/ut_sim.h
new file mode 100644
index 0000000000..e678b5fdf7
--- /dev/null
+++ b/netwerk/srtp/src/include/ut_sim.h
@@ -0,0 +1,83 @@
+/*
+ * ut-sim.h
+ *
+ * an unreliable transport simulator
+ * (for testing replay databases and suchlike)
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+
+/*
+ *
+ * Copyright (c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef UT_SIM_H
+#define UT_SIM_H
+
+#include "integers.h" /* for uint32_t */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define UT_BUF 160 /* maximum amount of packet reorder */
+
+typedef struct {
+    uint32_t index;
+    uint32_t buffer[UT_BUF];
+} ut_connection;
+
+/*
+ * ut_init(&u) initializes the ut_connection
+ *
+ * this function should always be the first one called on a new
+ * ut_connection
+ */
+
+void ut_init(ut_connection *utc);
+
+/*
+ * ut_next_index(&u) returns the next index from the simulated
+ * unreliable connection
+ */
+
+uint32_t ut_next_index(ut_connection *utc);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* UT_SIM_H */
diff --git a/netwerk/srtp/src/moz.build b/netwerk/srtp/src/moz.build
new file mode 100644
index 0000000000..a2e5a6d3e5
--- /dev/null
+++ b/netwerk/srtp/src/moz.build
@@ -0,0 +1,76 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+UNIFIED_SOURCES += [
+    'crypto/cipher/aes_gcm_nss.c',
+    'crypto/cipher/aes_icm_nss.c',
+    'crypto/cipher/cipher.c',
+    'crypto/cipher/null_cipher.c',
+    'crypto/hash/auth.c',
+    'crypto/hash/hmac.c',
+    'crypto/hash/null_auth.c',
+    'crypto/hash/sha1.c',
+    'crypto/kernel/alloc.c',
+    'crypto/kernel/crypto_kernel.c',
+    'crypto/kernel/err.c',
+    'crypto/kernel/key.c',
+    'crypto/math/datatypes.c',
+    'crypto/math/stat.c',
+    'crypto/replay/rdb.c',
+    'crypto/replay/rdbx.c',
+    'crypto/replay/ut_sim.c',
+    'srtp/ekt.c',
+    'srtp/srtp.c',
+]
+
+Library('nksrtp_s')
+
+include('/ipc/chromium/chromium-config.mozbuild')
+
+FINAL_LIBRARY = 'xul'
+
+LOCAL_INCLUDES += [
+    'crypto/include',
+    'include',
+]
+
+DEFINES['PACKAGE_STRING'] = '"libsrtp2 2.2.0-pre"'
+DEFINES['PACKAGE_VERSION'] = '"2.2.0-pre"'
+
+# This is needed to enable the be32_to_cpu and be64_to_cpu
+# macro's in datatypes.h
+DEFINES['HAVE_CONFIG_H'] = 1
+
+# We know stdint.h will define uint8/16/32/64_t, so we don't need
+# to define SIZEOF_UNSIGNED_LONG/SIZEOF_UNSIGNED_LONG_LONG
+for var in ('HAVE_STDLIB_H', 'HAVE_UINT8_T', 'HAVE_UINT16_T',
+            'HAVE_INT32_T', 'HAVE_UINT32_T', 'HAVE_UINT64_T'):
+    DEFINES[var] = 1
+
+# Enable AES-GCM cipher suite in libsrtp
+DEFINES['GCM'] = 1
+# Let libsrtp use NSS instead of build-in crypto
+DEFINES['NSS'] = 1
+
+# XXX while arm is not a CISC architecture, the code guarded by CPU_RISC makes
+# (at least) the AES ciphers fail their self-tests on ARM, so for now we're
+# falling back to the (presumably) slower-on-this-architecture but working
+# code path.  https://bugzilla.mozilla.org/show_bug.cgi?id=822380 has been filed
+# to make the right and more performant fix and push it back upstream.
+if CONFIG['CPU_ARCH'] in ('arm', 'x86', 'x86_64', 'mips', 'mips64'):
+    DEFINES['CPU_CISC'] = 1
+else:
+    # best guess
+    DEFINES['CPU_RISC'] = 1
+
+if  CONFIG['CPU_ARCH'] in ('x86', 'x86_64'):
+    DEFINES['HAVE_X86'] = True
+
+if CONFIG['OS_TARGET'] == 'WINNT':
+    DEFINES['HAVE_WINSOCK2_H'] = True
+    DEFINES['inline'] = '__inline'
+else:
+    DEFINES['HAVE_NETINET_IN_H'] = 1
diff --git a/netwerk/srtp/src/srtp/ekt.c b/netwerk/srtp/src/srtp/ekt.c
new file mode 100644
index 0000000000..f09dc58580
--- /dev/null
+++ b/netwerk/srtp/src/srtp/ekt.c
@@ -0,0 +1,281 @@
+/*
+ * ekt.c
+ *
+ * Encrypted Key Transport for SRTP
+ *
+ * David McGrew
+ * Cisco Systems, Inc.
+ */
+/*
+ *
+ * Copyright (c) 2001-2017 Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include "srtp_priv.h"
+#include "err.h"
+#include "ekt.h"
+
+extern srtp_debug_module_t mod_srtp;
+
+/*
+ *  The EKT Authentication Tag format.
+ *
+ *    0                   1                   2                   3
+ *    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *   :                   Base Authentication Tag                     :
+ *   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *   :                     Encrypted Master Key                      :
+ *   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *   |                       Rollover Counter                        |
+ *   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *   |    Initial Sequence Number    |   Security Parameter Index    |
+ *   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *
+ */
+
+#define EKT_OCTETS_AFTER_BASE_TAG 24
+#define EKT_OCTETS_AFTER_EMK 8
+#define EKT_OCTETS_AFTER_ROC 4
+#define EKT_SPI_LEN 2
+
+unsigned srtp_ekt_octets_after_base_tag(srtp_ekt_stream_t ekt)
+{
+    /*
+     * if the pointer ekt is NULL, then EKT is not in effect, so we
+     * indicate this by returning zero
+     */
+    if (!ekt)
+        return 0;
+
+    switch (ekt->data->ekt_cipher_type) {
+    case SRTP_EKT_CIPHER_AES_128_ECB:
+        return 16 + EKT_OCTETS_AFTER_EMK;
+        break;
+    default:
+        break;
+    }
+    return 0;
+}
+
+static inline srtp_ekt_spi_t srtcp_packet_get_ekt_spi(
+    const uint8_t *packet_start,
+    unsigned pkt_octet_len)
+{
+    const uint8_t *spi_location;
+
+    spi_location = packet_start + (pkt_octet_len - EKT_SPI_LEN);
+
+    return *((const srtp_ekt_spi_t *)spi_location);
+}
+
+static inline uint32_t srtcp_packet_get_ekt_roc(const uint8_t *packet_start,
+                                                unsigned pkt_octet_len)
+{
+    const uint8_t *roc_location;
+
+    roc_location = packet_start + (pkt_octet_len - EKT_OCTETS_AFTER_ROC);
+
+    return *((const uint32_t *)roc_location);
+}
+
+static inline const uint8_t *srtcp_packet_get_emk_location(
+    const uint8_t *packet_start,
+    unsigned pkt_octet_len)
+{
+    const uint8_t *location;
+
+    location = packet_start + (pkt_octet_len - EKT_OCTETS_AFTER_BASE_TAG);
+
+    return location;
+}
+
+srtp_err_status_t srtp_ekt_alloc(srtp_ekt_stream_t *stream_data,
+                                 srtp_ekt_policy_t policy)
+{
+    /*
+     * if the policy pointer is NULL, then EKT is not in use
+     * so we just set the EKT stream data pointer to NULL
+     */
+    if (!policy) {
+        *stream_data = NULL;
+        return srtp_err_status_ok;
+    }
+
+    /* TODO */
+    *stream_data = NULL;
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_ekt_stream_init_from_policy(
+    srtp_ekt_stream_t stream_data,
+    srtp_ekt_policy_t policy)
+{
+    if (!stream_data)
+        return srtp_err_status_ok;
+
+    return srtp_err_status_ok;
+}
+
+void aes_decrypt_with_raw_key(void *ciphertext, const void *key, int key_len)
+{
+#ifndef GCM
+    // FIXME: need to get this working through the crypto module interface
+    srtp_aes_expanded_key_t expanded_key;
+
+    srtp_aes_expand_decryption_key(key, key_len, &expanded_key);
+    srtp_aes_decrypt(ciphertext, &expanded_key);
+#endif
+}
+
+/*
+ * The function srtp_stream_init_from_ekt() initializes a stream using
+ * the EKT data from an SRTCP trailer.
+ */
+
+srtp_err_status_t srtp_stream_init_from_ekt(srtp_stream_t stream,
+                                            const void *srtcp_hdr,
+                                            unsigned pkt_octet_len)
+{
+    srtp_err_status_t err;
+    const uint8_t *master_key;
+    srtp_policy_t srtp_policy;
+    uint32_t roc;
+
+    /*
+     * NOTE: at present, we only support a single ekt_policy at a time.
+     */
+    if (stream->ekt->data->spi !=
+        srtcp_packet_get_ekt_spi(srtcp_hdr, pkt_octet_len))
+        return srtp_err_status_no_ctx;
+
+    if (stream->ekt->data->ekt_cipher_type != SRTP_EKT_CIPHER_AES_128_ECB)
+        return srtp_err_status_bad_param;
+
+    /* decrypt the Encrypted Master Key field */
+    master_key = srtcp_packet_get_emk_location(srtcp_hdr, pkt_octet_len);
+    /* FIX!? This decrypts the master key in-place, and never uses it */
+    /* FIX!? It's also passing to ekt_dec_key (which is an aes_expanded_key_t)
+     * to a function which expects a raw (unexpanded) key */
+    aes_decrypt_with_raw_key((void *)master_key,
+                             &stream->ekt->data->ekt_dec_key, 16);
+
+    /* set the SRTP ROC */
+    roc = srtcp_packet_get_ekt_roc(srtcp_hdr, pkt_octet_len);
+    err = srtp_rdbx_set_roc(&stream->rtp_rdbx, roc);
+    if (err)
+        return err;
+
+    err = srtp_stream_init(stream, &srtp_policy);
+    if (err)
+        return err;
+
+    return srtp_err_status_ok;
+}
+
+void srtp_ekt_write_data(srtp_ekt_stream_t ekt,
+                         uint8_t *base_tag,
+                         unsigned base_tag_len,
+                         int *packet_len,
+                         srtp_xtd_seq_num_t pkt_index)
+{
+    uint32_t roc;
+    uint16_t isn;
+    unsigned emk_len;
+    uint8_t *packet;
+
+    /* if the pointer ekt is NULL, then EKT is not in effect */
+    if (!ekt) {
+        debug_print(mod_srtp, "EKT not in use", NULL);
+        return;
+    }
+
+    /* write zeros into the location of the base tag */
+    octet_string_set_to_zero(base_tag, base_tag_len);
+    packet = base_tag + base_tag_len;
+
+    /* copy encrypted master key into packet */
+    emk_len = srtp_ekt_octets_after_base_tag(ekt);
+    memcpy(packet, ekt->encrypted_master_key, emk_len);
+    debug_print(mod_srtp, "writing EKT EMK: %s,",
+                srtp_octet_string_hex_string(packet, emk_len));
+    packet += emk_len;
+
+    /* copy ROC into packet */
+    roc = (uint32_t)(pkt_index >> 16);
+    *((uint32_t *)packet) = be32_to_cpu(roc);
+    debug_print(mod_srtp, "writing EKT ROC: %s,",
+                srtp_octet_string_hex_string(packet, sizeof(roc)));
+    packet += sizeof(roc);
+
+    /* copy ISN into packet */
+    isn = (uint16_t)pkt_index;
+    *((uint16_t *)packet) = htons(isn);
+    debug_print(mod_srtp, "writing EKT ISN: %s,",
+                srtp_octet_string_hex_string(packet, sizeof(isn)));
+    packet += sizeof(isn);
+
+    /* copy SPI into packet */
+    *((uint16_t *)packet) = htons(ekt->data->spi);
+    debug_print(mod_srtp, "writing EKT SPI: %s,",
+                srtp_octet_string_hex_string(packet, sizeof(ekt->data->spi)));
+
+    /* increase packet length appropriately */
+    *packet_len += EKT_OCTETS_AFTER_EMK + emk_len;
+}
+
+/*
+ * The function call srtcp_ekt_trailer(ekt, auth_len, auth_tag   )
+ *
+ * If the pointer ekt is NULL, then the other inputs are unaffected.
+ *
+ * auth_tag is a pointer to the pointer to the location of the
+ * authentication tag in the packet.  If EKT is in effect, then the
+ * auth_tag pointer is set to the location
+ */
+
+void srtcp_ekt_trailer(srtp_ekt_stream_t ekt,
+                       unsigned *auth_len,
+                       void **auth_tag,
+                       void *tag_copy)
+{
+    /*
+     * if there is no EKT policy, then the other inputs are unaffected
+     */
+    if (!ekt)
+        return;
+
+    /* copy auth_tag into temporary location */
+}
diff --git a/netwerk/srtp/src/srtp/srtp.c b/netwerk/srtp/src/srtp/srtp.c
new file mode 100644
index 0000000000..5d9da7b2ec
--- /dev/null
+++ b/netwerk/srtp/src/srtp/srtp.c
@@ -0,0 +1,4730 @@
+/*
+ * srtp.c
+ *
+ * the secure real-time transport protocol
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+/*
+ *
+ * Copyright (c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+// Leave this as the top level import. Ensures the existence of defines
+#include "config.h"
+
+#include "srtp_priv.h"
+#include "crypto_types.h"
+#include "err.h"
+#include "ekt.h"   /* for SRTP Encrypted Key Transport */
+#include "alloc.h" /* for srtp_crypto_alloc() */
+
+#ifdef GCM
+#include "aes_gcm.h" /* for AES GCM mode */
+#endif
+
+#ifdef OPENSSL_KDF
+#include <openssl/kdf.h>
+#include "aes_icm_ext.h"
+#endif
+
+#include <limits.h>
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#elif defined(HAVE_WINSOCK2_H)
+#include <winsock2.h>
+#endif
+
+/* the debug module for srtp */
+srtp_debug_module_t mod_srtp = {
+    0,     /* debugging is off by default */
+    "srtp" /* printable name for module */
+};
+
+#define octets_in_rtp_header 12
+#define uint32s_in_rtp_header 3
+#define octets_in_rtcp_header 8
+#define uint32s_in_rtcp_header 2
+#define octets_in_rtp_extn_hdr 4
+
+static srtp_err_status_t srtp_validate_rtp_header(void *rtp_hdr,
+                                                  int *pkt_octet_len)
+{
+    if (*pkt_octet_len < octets_in_rtp_header)
+        return srtp_err_status_bad_param;
+
+    srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr;
+
+    /* Check RTP header length */
+    int rtp_header_len = octets_in_rtp_header + 4 * hdr->cc;
+    if (hdr->x == 1)
+        rtp_header_len += octets_in_rtp_extn_hdr;
+
+    if (*pkt_octet_len < rtp_header_len)
+        return srtp_err_status_bad_param;
+
+    /* Verifing profile length. */
+    if (hdr->x == 1) {
+        srtp_hdr_xtnd_t *xtn_hdr =
+            (srtp_hdr_xtnd_t *)((uint32_t *)hdr + uint32s_in_rtp_header +
+                                hdr->cc);
+        int profile_len = ntohs(xtn_hdr->length);
+        rtp_header_len += profile_len * 4;
+        /* profile length counts the number of 32-bit words */
+        if (*pkt_octet_len < rtp_header_len)
+            return srtp_err_status_bad_param;
+    }
+    return srtp_err_status_ok;
+}
+
+const char *srtp_get_version_string()
+{
+    /*
+     * Simply return the autotools generated string
+     */
+    return SRTP_VER_STRING;
+}
+
+unsigned int srtp_get_version()
+{
+    unsigned int major = 0, minor = 0, micro = 0;
+    unsigned int rv = 0;
+    int parse_rv;
+
+    /*
+     * Parse the autotools generated version
+     */
+    parse_rv = sscanf(SRTP_VERSION, "%u.%u.%u", &major, &minor, &micro);
+    if (parse_rv != 3) {
+        /*
+         * We're expected to parse all 3 version levels.
+         * If not, then this must not be an official release.
+         * Return all zeros on the version
+         */
+        return (0);
+    }
+
+    /*
+     * We allow 8 bits for the major and minor, while
+     * allowing 16 bits for the micro.  16 bits for the micro
+     * may be beneficial for a continuous delivery model
+     * in the future.
+     */
+    rv |= (major & 0xFF) << 24;
+    rv |= (minor & 0xFF) << 16;
+    rv |= micro & 0xFF;
+    return rv;
+}
+
+srtp_err_status_t srtp_stream_dealloc(srtp_stream_ctx_t *stream,
+                                      const srtp_stream_ctx_t *stream_template)
+{
+    srtp_err_status_t status;
+    unsigned int i = 0;
+    srtp_session_keys_t *session_keys = NULL;
+    srtp_session_keys_t *template_session_keys = NULL;
+
+    /*
+     * we use a conservative deallocation strategy - if any deallocation
+     * fails, then we report that fact without trying to deallocate
+     * anything else
+     */
+    if (stream->session_keys) {
+        for (i = 0; i < stream->num_master_keys; i++) {
+            session_keys = &stream->session_keys[i];
+
+            if (stream_template &&
+                stream->num_master_keys == stream_template->num_master_keys) {
+                template_session_keys = &stream_template->session_keys[i];
+            } else {
+                template_session_keys = NULL;
+            }
+
+            /*
+            * deallocate cipher, if it is not the same as that in template
+            */
+            if (template_session_keys &&
+                session_keys->rtp_cipher == template_session_keys->rtp_cipher) {
+                /* do nothing */
+            } else if (session_keys->rtp_cipher) {
+                status = srtp_cipher_dealloc(session_keys->rtp_cipher);
+                if (status)
+                    return status;
+            }
+
+            /*
+             * deallocate auth function, if it is not the same as that in
+             * template
+             */
+            if (template_session_keys &&
+                session_keys->rtp_auth == template_session_keys->rtp_auth) {
+                /* do nothing */
+            } else if (session_keys->rtp_auth) {
+                status = srtp_auth_dealloc(session_keys->rtp_auth);
+                if (status)
+                    return status;
+            }
+
+            if (template_session_keys &&
+                session_keys->rtp_xtn_hdr_cipher ==
+                    template_session_keys->rtp_xtn_hdr_cipher) {
+                /* do nothing */
+            } else if (session_keys->rtp_xtn_hdr_cipher) {
+                status = srtp_cipher_dealloc(session_keys->rtp_xtn_hdr_cipher);
+                if (status)
+                    return status;
+            }
+
+            /*
+             * deallocate rtcp cipher, if it is not the same as that in
+             * template
+             */
+            if (template_session_keys &&
+                session_keys->rtcp_cipher ==
+                    template_session_keys->rtcp_cipher) {
+                /* do nothing */
+            } else if (session_keys->rtcp_cipher) {
+                status = srtp_cipher_dealloc(session_keys->rtcp_cipher);
+                if (status)
+                    return status;
+            }
+
+            /*
+             * deallocate rtcp auth function, if it is not the same as that in
+             * template
+             */
+            if (template_session_keys &&
+                session_keys->rtcp_auth == template_session_keys->rtcp_auth) {
+                /* do nothing */
+            } else if (session_keys->rtcp_auth) {
+                status = srtp_auth_dealloc(session_keys->rtcp_auth);
+                if (status)
+                    return status;
+            }
+
+            /*
+             * zeroize the salt value
+             */
+            octet_string_set_to_zero(session_keys->salt, SRTP_AEAD_SALT_LEN);
+            octet_string_set_to_zero(session_keys->c_salt, SRTP_AEAD_SALT_LEN);
+
+            if (session_keys->mki_id) {
+                octet_string_set_to_zero(session_keys->mki_id,
+                                         session_keys->mki_size);
+                srtp_crypto_free(session_keys->mki_id);
+                session_keys->mki_id = NULL;
+            }
+
+            /*
+             * deallocate key usage limit, if it is not the same as that in
+             * template
+             */
+            if (template_session_keys &&
+                session_keys->limit == template_session_keys->limit) {
+                /* do nothing */
+            } else if (session_keys->limit) {
+                srtp_crypto_free(session_keys->limit);
+            }
+        }
+        srtp_crypto_free(stream->session_keys);
+    }
+
+    status = srtp_rdbx_dealloc(&stream->rtp_rdbx);
+    if (status)
+        return status;
+
+    /* DAM - need to deallocate EKT here */
+
+    if (stream_template &&
+        stream->enc_xtn_hdr == stream_template->enc_xtn_hdr) {
+        /* do nothing */
+    } else if (stream->enc_xtn_hdr) {
+        srtp_crypto_free(stream->enc_xtn_hdr);
+    }
+
+    /* deallocate srtp stream context */
+    srtp_crypto_free(stream);
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_stream_alloc(srtp_stream_ctx_t **str_ptr,
+                                    const srtp_policy_t *p)
+{
+    srtp_stream_ctx_t *str;
+    srtp_err_status_t stat;
+    unsigned int i = 0;
+    srtp_session_keys_t *session_keys = NULL;
+
+    /*
+     * This function allocates the stream context, rtp and rtcp ciphers
+     * and auth functions, and key limit structure.  If there is a
+     * failure during allocation, we free all previously allocated
+     * memory and return a failure code.  The code could probably
+     * be improved, but it works and should be clear.
+     */
+
+    /* allocate srtp stream and set str_ptr */
+    str = (srtp_stream_ctx_t *)srtp_crypto_alloc(sizeof(srtp_stream_ctx_t));
+    if (str == NULL)
+        return srtp_err_status_alloc_fail;
+
+    *str_ptr = str;
+
+    /*
+     *To keep backwards API compatible if someone is using multiple master
+     * keys then key should be set to NULL
+     */
+    if (p->key != NULL) {
+        str->num_master_keys = 1;
+    } else {
+        str->num_master_keys = p->num_master_keys;
+    }
+
+    str->session_keys = (srtp_session_keys_t *)srtp_crypto_alloc(
+        sizeof(srtp_session_keys_t) * str->num_master_keys);
+
+    if (str->session_keys == NULL) {
+        srtp_stream_dealloc(str, NULL);
+        return srtp_err_status_alloc_fail;
+    }
+
+    for (i = 0; i < str->num_master_keys; i++) {
+        session_keys = &str->session_keys[i];
+
+        /* allocate cipher */
+        stat = srtp_crypto_kernel_alloc_cipher(
+            p->rtp.cipher_type, &session_keys->rtp_cipher,
+            p->rtp.cipher_key_len, p->rtp.auth_tag_len);
+        if (stat) {
+            srtp_stream_dealloc(str, NULL);
+            return stat;
+        }
+
+        /* allocate auth function */
+        stat = srtp_crypto_kernel_alloc_auth(
+            p->rtp.auth_type, &session_keys->rtp_auth, p->rtp.auth_key_len,
+            p->rtp.auth_tag_len);
+        if (stat) {
+            srtp_stream_dealloc(str, NULL);
+            return stat;
+        }
+
+        /*
+         * ...and now the RTCP-specific initialization - first, allocate
+         * the cipher
+         */
+        stat = srtp_crypto_kernel_alloc_cipher(
+            p->rtcp.cipher_type, &session_keys->rtcp_cipher,
+            p->rtcp.cipher_key_len, p->rtcp.auth_tag_len);
+        if (stat) {
+            srtp_stream_dealloc(str, NULL);
+            return stat;
+        }
+
+        /* allocate auth function */
+        stat = srtp_crypto_kernel_alloc_auth(
+            p->rtcp.auth_type, &session_keys->rtcp_auth, p->rtcp.auth_key_len,
+            p->rtcp.auth_tag_len);
+        if (stat) {
+            srtp_stream_dealloc(str, NULL);
+            return stat;
+        }
+
+        session_keys->mki_id = NULL;
+
+        /* allocate key limit structure */
+        session_keys->limit = (srtp_key_limit_ctx_t *)srtp_crypto_alloc(
+            sizeof(srtp_key_limit_ctx_t));
+        if (session_keys->limit == NULL) {
+            srtp_stream_dealloc(str, NULL);
+            return srtp_err_status_alloc_fail;
+        }
+    }
+
+    /* allocate ekt data associated with stream */
+    stat = srtp_ekt_alloc(&str->ekt, p->ekt);
+    if (stat) {
+        srtp_stream_dealloc(str, NULL);
+        return stat;
+    }
+
+    if (p->enc_xtn_hdr && p->enc_xtn_hdr_count > 0) {
+        srtp_cipher_type_id_t enc_xtn_hdr_cipher_type;
+        int enc_xtn_hdr_cipher_key_len;
+
+        str->enc_xtn_hdr = (int *)srtp_crypto_alloc(p->enc_xtn_hdr_count *
+                                                    sizeof(p->enc_xtn_hdr[0]));
+        if (!str->enc_xtn_hdr) {
+            srtp_stream_dealloc(str, NULL);
+            return srtp_err_status_alloc_fail;
+        }
+        memcpy(str->enc_xtn_hdr, p->enc_xtn_hdr,
+               p->enc_xtn_hdr_count * sizeof(p->enc_xtn_hdr[0]));
+        str->enc_xtn_hdr_count = p->enc_xtn_hdr_count;
+
+        /*
+         * For GCM ciphers, the corresponding ICM cipher is used for header
+         * extensions encryption.
+         */
+        switch (p->rtp.cipher_type) {
+        case SRTP_AES_GCM_128:
+            enc_xtn_hdr_cipher_type = SRTP_AES_ICM_128;
+            enc_xtn_hdr_cipher_key_len = SRTP_AES_ICM_128_KEY_LEN_WSALT;
+            break;
+        case SRTP_AES_GCM_256:
+            enc_xtn_hdr_cipher_type = SRTP_AES_ICM_256;
+            enc_xtn_hdr_cipher_key_len = SRTP_AES_ICM_256_KEY_LEN_WSALT;
+            break;
+        default:
+            enc_xtn_hdr_cipher_type = p->rtp.cipher_type;
+            enc_xtn_hdr_cipher_key_len = p->rtp.cipher_key_len;
+            break;
+        }
+
+        for (i = 0; i < str->num_master_keys; i++) {
+            session_keys = &str->session_keys[i];
+
+            /* allocate cipher for extensions header encryption */
+            stat = srtp_crypto_kernel_alloc_cipher(
+                enc_xtn_hdr_cipher_type, &session_keys->rtp_xtn_hdr_cipher,
+                enc_xtn_hdr_cipher_key_len, 0);
+            if (stat) {
+                srtp_stream_dealloc(str, NULL);
+                return stat;
+            }
+        }
+    } else {
+        for (i = 0; i < str->num_master_keys; i++) {
+            session_keys = &str->session_keys[i];
+            session_keys->rtp_xtn_hdr_cipher = NULL;
+        }
+
+        str->enc_xtn_hdr = NULL;
+        str->enc_xtn_hdr_count = 0;
+    }
+
+    return srtp_err_status_ok;
+}
+
+/*
+ * srtp_stream_clone(stream_template, new) allocates a new stream and
+ * initializes it using the cipher and auth of the stream_template
+ *
+ * the only unique data in a cloned stream is the replay database and
+ * the SSRC
+ */
+
+srtp_err_status_t srtp_stream_clone(const srtp_stream_ctx_t *stream_template,
+                                    uint32_t ssrc,
+                                    srtp_stream_ctx_t **str_ptr)
+{
+    srtp_err_status_t status;
+    srtp_stream_ctx_t *str;
+    unsigned int i = 0;
+    srtp_session_keys_t *session_keys = NULL;
+    const srtp_session_keys_t *template_session_keys = NULL;
+
+    debug_print(mod_srtp, "cloning stream (SSRC: 0x%08x)", ntohl(ssrc));
+
+    /* allocate srtp stream and set str_ptr */
+    str = (srtp_stream_ctx_t *)srtp_crypto_alloc(sizeof(srtp_stream_ctx_t));
+    if (str == NULL)
+        return srtp_err_status_alloc_fail;
+    *str_ptr = str;
+
+    str->num_master_keys = stream_template->num_master_keys;
+    str->session_keys = (srtp_session_keys_t *)srtp_crypto_alloc(
+        sizeof(srtp_session_keys_t) * str->num_master_keys);
+
+    if (str->session_keys == NULL) {
+        srtp_stream_dealloc(*str_ptr, stream_template);
+        *str_ptr = NULL;
+        return srtp_err_status_alloc_fail;
+    }
+
+    for (i = 0; i < stream_template->num_master_keys; i++) {
+        session_keys = &str->session_keys[i];
+        template_session_keys = &stream_template->session_keys[i];
+
+        /* set cipher and auth pointers to those of the template */
+        session_keys->rtp_cipher = template_session_keys->rtp_cipher;
+        session_keys->rtp_auth = template_session_keys->rtp_auth;
+        session_keys->rtp_xtn_hdr_cipher =
+            template_session_keys->rtp_xtn_hdr_cipher;
+        session_keys->rtcp_cipher = template_session_keys->rtcp_cipher;
+        session_keys->rtcp_auth = template_session_keys->rtcp_auth;
+        session_keys->mki_size = template_session_keys->mki_size;
+
+        if (template_session_keys->mki_size == 0) {
+            session_keys->mki_id = NULL;
+        } else {
+            session_keys->mki_id =
+                srtp_crypto_alloc(template_session_keys->mki_size);
+
+            if (session_keys->mki_id == NULL) {
+                srtp_stream_dealloc(*str_ptr, stream_template);
+                *str_ptr = NULL;
+                return srtp_err_status_init_fail;
+            }
+            memcpy(session_keys->mki_id, template_session_keys->mki_id,
+                   session_keys->mki_size);
+        }
+        /* Copy the salt values */
+        memcpy(session_keys->salt, template_session_keys->salt,
+               SRTP_AEAD_SALT_LEN);
+        memcpy(session_keys->c_salt, template_session_keys->c_salt,
+               SRTP_AEAD_SALT_LEN);
+
+        /* set key limit to point to that of the template */
+        status = srtp_key_limit_clone(template_session_keys->limit,
+                                      &session_keys->limit);
+        if (status) {
+            srtp_stream_dealloc(*str_ptr, stream_template);
+            *str_ptr = NULL;
+            return status;
+        }
+    }
+
+    /* initialize replay databases */
+    status = srtp_rdbx_init(
+        &str->rtp_rdbx, srtp_rdbx_get_window_size(&stream_template->rtp_rdbx));
+    if (status) {
+        srtp_stream_dealloc(*str_ptr, stream_template);
+        *str_ptr = NULL;
+        return status;
+    }
+    srtp_rdb_init(&str->rtcp_rdb);
+    str->allow_repeat_tx = stream_template->allow_repeat_tx;
+
+    /* set ssrc to that provided */
+    str->ssrc = ssrc;
+
+    /* reset pending ROC */
+    str->pending_roc = 0;
+
+    /* set direction and security services */
+    str->direction = stream_template->direction;
+    str->rtp_services = stream_template->rtp_services;
+    str->rtcp_services = stream_template->rtcp_services;
+
+    /* set pointer to EKT data associated with stream */
+    str->ekt = stream_template->ekt;
+
+    /* copy information about extensions header encryption */
+    str->enc_xtn_hdr = stream_template->enc_xtn_hdr;
+    str->enc_xtn_hdr_count = stream_template->enc_xtn_hdr_count;
+
+    /* defensive coding */
+    str->next = NULL;
+    return srtp_err_status_ok;
+}
+
+/*
+ * key derivation functions, internal to libSRTP
+ *
+ * srtp_kdf_t is a key derivation context
+ *
+ * srtp_kdf_init(&kdf, cipher_id, k, keylen) initializes kdf to use cipher
+ * described by cipher_id, with the master key k with length in octets keylen.
+ *
+ * srtp_kdf_generate(&kdf, l, kl, keylen) derives the key
+ * corresponding to label l and puts it into kl; the length
+ * of the key in octets is provided as keylen.  this function
+ * should be called once for each subkey that is derived.
+ *
+ * srtp_kdf_clear(&kdf) zeroizes and deallocates the kdf state
+ */
+
+typedef enum {
+    label_rtp_encryption = 0x00,
+    label_rtp_msg_auth = 0x01,
+    label_rtp_salt = 0x02,
+    label_rtcp_encryption = 0x03,
+    label_rtcp_msg_auth = 0x04,
+    label_rtcp_salt = 0x05,
+    label_rtp_header_encryption = 0x06,
+    label_rtp_header_salt = 0x07
+} srtp_prf_label;
+
+#define MAX_SRTP_KEY_LEN 256
+
+#if defined(OPENSSL) && defined(OPENSSL_KDF)
+#define MAX_SRTP_AESKEY_LEN 32
+#define MAX_SRTP_SALT_LEN 14
+
+/*
+ * srtp_kdf_t represents a key derivation function.  The SRTP
+ * default KDF is the only one implemented at present.
+ */
+typedef struct {
+    uint8_t master_key[MAX_SRTP_AESKEY_LEN];
+    uint8_t master_salt[MAX_SRTP_SALT_LEN];
+    const EVP_CIPHER *evp;
+} srtp_kdf_t;
+
+static srtp_err_status_t srtp_kdf_init(srtp_kdf_t *kdf,
+                                       const uint8_t *key,
+                                       int key_len,
+                                       int salt_len)
+{
+    memset(kdf, 0x0, sizeof(srtp_kdf_t));
+
+    /* The NULL cipher has zero key length */
+    if (key_len == 0)
+        return srtp_err_status_ok;
+
+    if ((key_len > MAX_SRTP_AESKEY_LEN) || (salt_len > MAX_SRTP_SALT_LEN)) {
+        return srtp_err_status_bad_param;
+    }
+    switch (key_len) {
+    case SRTP_AES_256_KEYSIZE:
+        kdf->evp = EVP_aes_256_ctr();
+        break;
+    case SRTP_AES_192_KEYSIZE:
+        kdf->evp = EVP_aes_192_ctr();
+        break;
+    case SRTP_AES_128_KEYSIZE:
+        kdf->evp = EVP_aes_128_ctr();
+        break;
+    default:
+        return srtp_err_status_bad_param;
+        break;
+    }
+    memcpy(kdf->master_key, key, key_len);
+    memcpy(kdf->master_salt, key + key_len, salt_len);
+    return srtp_err_status_ok;
+}
+
+static srtp_err_status_t srtp_kdf_generate(srtp_kdf_t *kdf,
+                                           srtp_prf_label label,
+                                           uint8_t *key,
+                                           unsigned int length)
+{
+    int ret;
+
+    /* The NULL cipher will not have an EVP */
+    if (!kdf->evp)
+        return srtp_err_status_ok;
+    octet_string_set_to_zero(key, length);
+
+    /*
+     * Invoke the OpenSSL SRTP KDF function
+     * This is useful if OpenSSL is in FIPS mode and FIP
+     * compliance is required for SRTP.
+     */
+    ret = kdf_srtp(kdf->evp, (char *)&kdf->master_key,
+                   (char *)&kdf->master_salt, NULL, NULL, label, (char *)key);
+    if (ret == -1) {
+        return (srtp_err_status_algo_fail);
+    }
+
+    return srtp_err_status_ok;
+}
+
+static srtp_err_status_t srtp_kdf_clear(srtp_kdf_t *kdf)
+{
+    octet_string_set_to_zero(kdf->master_key, MAX_SRTP_AESKEY_LEN);
+    octet_string_set_to_zero(kdf->master_salt, MAX_SRTP_SALT_LEN);
+    kdf->evp = NULL;
+
+    return srtp_err_status_ok;
+}
+
+#else  /* if OPENSSL_KDF */
+
+/*
+ * srtp_kdf_t represents a key derivation function.  The SRTP
+ * default KDF is the only one implemented at present.
+ */
+typedef struct {
+    srtp_cipher_t *cipher; /* cipher used for key derivation  */
+} srtp_kdf_t;
+
+static srtp_err_status_t srtp_kdf_init(srtp_kdf_t *kdf,
+                                       const uint8_t *key,
+                                       int key_len)
+{
+    srtp_cipher_type_id_t cipher_id;
+    switch (key_len) {
+    case SRTP_AES_ICM_256_KEY_LEN_WSALT:
+        cipher_id = SRTP_AES_ICM_256;
+        break;
+    case SRTP_AES_ICM_192_KEY_LEN_WSALT:
+        cipher_id = SRTP_AES_ICM_192;
+        break;
+    case SRTP_AES_ICM_128_KEY_LEN_WSALT:
+        cipher_id = SRTP_AES_ICM_128;
+        break;
+    default:
+        return srtp_err_status_bad_param;
+        break;
+    }
+
+    srtp_err_status_t stat;
+    stat = srtp_crypto_kernel_alloc_cipher(cipher_id, &kdf->cipher, key_len, 0);
+    if (stat)
+        return stat;
+
+    stat = srtp_cipher_init(kdf->cipher, key);
+    if (stat) {
+        srtp_cipher_dealloc(kdf->cipher);
+        return stat;
+    }
+    return srtp_err_status_ok;
+}
+
+static srtp_err_status_t srtp_kdf_generate(srtp_kdf_t *kdf,
+                                           srtp_prf_label label,
+                                           uint8_t *key,
+                                           unsigned int length)
+{
+    srtp_err_status_t status;
+    v128_t nonce;
+
+    /* set eigth octet of nonce to <label>, set the rest of it to zero */
+    v128_set_to_zero(&nonce);
+    nonce.v8[7] = label;
+
+    status = srtp_cipher_set_iv(kdf->cipher, (uint8_t *)&nonce,
+                                srtp_direction_encrypt);
+    if (status)
+        return status;
+
+    /* generate keystream output */
+    octet_string_set_to_zero(key, length);
+    status = srtp_cipher_encrypt(kdf->cipher, key, &length);
+    if (status)
+        return status;
+
+    return srtp_err_status_ok;
+}
+
+static srtp_err_status_t srtp_kdf_clear(srtp_kdf_t *kdf)
+{
+    srtp_err_status_t status;
+    status = srtp_cipher_dealloc(kdf->cipher);
+    if (status)
+        return status;
+    kdf->cipher = NULL;
+    return srtp_err_status_ok;
+}
+#endif /* else OPENSSL_KDF */
+
+/*
+ *  end of key derivation functions
+ */
+
+/* Get the base key length corresponding to a given combined key+salt
+ * length for the given cipher.
+ * TODO: key and salt lengths should be separate fields in the policy.  */
+static inline int base_key_length(const srtp_cipher_type_t *cipher,
+                                  int key_length)
+{
+    switch (cipher->id) {
+    case SRTP_AES_ICM_128:
+    case SRTP_AES_ICM_192:
+    case SRTP_AES_ICM_256:
+        /* The legacy modes are derived from
+         * the configured key length on the policy */
+        return key_length - SRTP_SALT_LEN;
+        break;
+    case SRTP_AES_GCM_128:
+        return key_length - SRTP_AEAD_SALT_LEN;
+        break;
+    case SRTP_AES_GCM_256:
+        return key_length - SRTP_AEAD_SALT_LEN;
+        break;
+    default:
+        return key_length;
+        break;
+    }
+}
+
+unsigned int srtp_validate_policy_master_keys(const srtp_policy_t *policy)
+{
+    unsigned long i = 0;
+
+    if (policy->key == NULL) {
+        if (policy->num_master_keys <= 0)
+            return 0;
+
+        if (policy->num_master_keys > SRTP_MAX_NUM_MASTER_KEYS)
+            return 0;
+
+        for (i = 0; i < policy->num_master_keys; i++) {
+            if (policy->keys[i]->key == NULL)
+                return 0;
+            if (policy->keys[i]->mki_size > SRTP_MAX_MKI_LEN)
+                return 0;
+        }
+    }
+
+    return 1;
+}
+
+srtp_session_keys_t *srtp_get_session_keys_with_mki_index(
+    srtp_stream_ctx_t *stream,
+    unsigned int use_mki,
+    unsigned int mki_index)
+{
+    if (use_mki) {
+        if (mki_index >= stream->num_master_keys) {
+            return NULL;
+        }
+        return &stream->session_keys[mki_index];
+    }
+
+    return &stream->session_keys[0];
+}
+
+unsigned int srtp_inject_mki(uint8_t *mki_tag_location,
+                             srtp_session_keys_t *session_keys,
+                             unsigned int use_mki)
+{
+    unsigned int mki_size = 0;
+
+    if (use_mki) {
+        mki_size = session_keys->mki_size;
+
+        if (mki_size != 0) {
+            // Write MKI into memory
+            memcpy(mki_tag_location, session_keys->mki_id, mki_size);
+        }
+    }
+
+    return mki_size;
+}
+
+srtp_err_status_t srtp_stream_init_all_master_keys(
+    srtp_stream_ctx_t *srtp,
+    unsigned char *key,
+    srtp_master_key_t **keys,
+    const unsigned int max_master_keys)
+{
+    unsigned int i = 0;
+    srtp_err_status_t status = srtp_err_status_ok;
+    srtp_master_key_t single_master_key;
+
+    if (key != NULL) {
+        srtp->num_master_keys = 1;
+        single_master_key.key = key;
+        single_master_key.mki_id = NULL;
+        single_master_key.mki_size = 0;
+        status = srtp_stream_init_keys(srtp, &single_master_key, 0);
+    } else {
+        srtp->num_master_keys = max_master_keys;
+
+        for (i = 0; i < srtp->num_master_keys && i < SRTP_MAX_NUM_MASTER_KEYS;
+             i++) {
+            status = srtp_stream_init_keys(srtp, keys[i], i);
+
+            if (status) {
+                return status;
+            }
+        }
+    }
+
+    return status;
+}
+
+srtp_err_status_t srtp_stream_init_keys(srtp_stream_ctx_t *srtp,
+                                        srtp_master_key_t *master_key,
+                                        const unsigned int current_mki_index)
+{
+    srtp_err_status_t stat;
+    srtp_kdf_t kdf;
+    uint8_t tmp_key[MAX_SRTP_KEY_LEN];
+    int kdf_keylen = 30, rtp_keylen, rtcp_keylen;
+    int rtp_base_key_len, rtp_salt_len;
+    int rtcp_base_key_len, rtcp_salt_len;
+    srtp_session_keys_t *session_keys = NULL;
+    unsigned char *key = master_key->key;
+
+    /* If RTP or RTCP have a key length > AES-128, assume matching kdf. */
+    /* TODO: kdf algorithm, master key length, and master salt length should
+     * be part of srtp_policy_t.
+    */
+    session_keys = &srtp->session_keys[current_mki_index];
+
+/* initialize key limit to maximum value */
+#ifdef NO_64BIT_MATH
+    {
+        uint64_t temp;
+        temp = make64(UINT_MAX, UINT_MAX);
+        srtp_key_limit_set(session_keys->limit, temp);
+    }
+#else
+    srtp_key_limit_set(session_keys->limit, 0xffffffffffffLL);
+#endif
+
+    if (master_key->mki_size != 0) {
+        session_keys->mki_id = srtp_crypto_alloc(master_key->mki_size);
+
+        if (session_keys->mki_id == NULL) {
+            return srtp_err_status_init_fail;
+        }
+        memcpy(session_keys->mki_id, master_key->mki_id, master_key->mki_size);
+    } else {
+        session_keys->mki_id = NULL;
+    }
+
+    session_keys->mki_size = master_key->mki_size;
+
+    rtp_keylen = srtp_cipher_get_key_length(session_keys->rtp_cipher);
+    rtcp_keylen = srtp_cipher_get_key_length(session_keys->rtcp_cipher);
+    rtp_base_key_len =
+        base_key_length(session_keys->rtp_cipher->type, rtp_keylen);
+    rtp_salt_len = rtp_keylen - rtp_base_key_len;
+
+    if (rtp_keylen > kdf_keylen) {
+        kdf_keylen = 46; /* AES-CTR mode is always used for KDF */
+    }
+
+    if (rtcp_keylen > kdf_keylen) {
+        kdf_keylen = 46; /* AES-CTR mode is always used for KDF */
+    }
+
+    debug_print(mod_srtp, "srtp key len: %d", rtp_keylen);
+    debug_print(mod_srtp, "srtcp key len: %d", rtcp_keylen);
+    debug_print(mod_srtp, "base key len: %d", rtp_base_key_len);
+    debug_print(mod_srtp, "kdf key len: %d", kdf_keylen);
+    debug_print(mod_srtp, "rtp salt len: %d", rtp_salt_len);
+
+    /*
+     * Make sure the key given to us is 'zero' appended.  GCM
+     * mode uses a shorter master SALT (96 bits), but still relies on
+     * the legacy CTR mode KDF, which uses a 112 bit master SALT.
+     */
+    memset(tmp_key, 0x0, MAX_SRTP_KEY_LEN);
+    memcpy(tmp_key, key, (rtp_base_key_len + rtp_salt_len));
+
+/* initialize KDF state     */
+#if defined(OPENSSL) && defined(OPENSSL_KDF)
+    stat = srtp_kdf_init(&kdf, (const uint8_t *)tmp_key, rtp_base_key_len,
+                         rtp_salt_len);
+#else
+    stat = srtp_kdf_init(&kdf, (const uint8_t *)tmp_key, kdf_keylen);
+#endif
+    if (stat) {
+        /* zeroize temp buffer */
+        octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
+        return srtp_err_status_init_fail;
+    }
+
+    /* generate encryption key  */
+    stat = srtp_kdf_generate(&kdf, label_rtp_encryption, tmp_key,
+                             rtp_base_key_len);
+    if (stat) {
+        /* zeroize temp buffer */
+        octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
+        return srtp_err_status_init_fail;
+    }
+    debug_print(mod_srtp, "cipher key: %s",
+                srtp_octet_string_hex_string(tmp_key, rtp_base_key_len));
+
+    /*
+     * if the cipher in the srtp context uses a salt, then we need
+     * to generate the salt value
+     */
+    if (rtp_salt_len > 0) {
+        debug_print(mod_srtp, "found rtp_salt_len > 0, generating salt", NULL);
+
+        /* generate encryption salt, put after encryption key */
+        stat = srtp_kdf_generate(&kdf, label_rtp_salt,
+                                 tmp_key + rtp_base_key_len, rtp_salt_len);
+        if (stat) {
+            /* zeroize temp buffer */
+            octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
+            return srtp_err_status_init_fail;
+        }
+        memcpy(session_keys->salt, tmp_key + rtp_base_key_len,
+               SRTP_AEAD_SALT_LEN);
+    }
+    if (rtp_salt_len > 0) {
+        debug_print(mod_srtp, "cipher salt: %s",
+                    srtp_octet_string_hex_string(tmp_key + rtp_base_key_len,
+                                                 rtp_salt_len));
+    }
+
+    /* initialize cipher */
+    stat = srtp_cipher_init(session_keys->rtp_cipher, tmp_key);
+    if (stat) {
+        /* zeroize temp buffer */
+        octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
+        return srtp_err_status_init_fail;
+    }
+
+    if (session_keys->rtp_xtn_hdr_cipher) {
+        /* generate extensions header encryption key  */
+        int rtp_xtn_hdr_keylen;
+        int rtp_xtn_hdr_base_key_len;
+        int rtp_xtn_hdr_salt_len;
+        srtp_kdf_t tmp_kdf;
+        srtp_kdf_t *xtn_hdr_kdf;
+
+        if (session_keys->rtp_xtn_hdr_cipher->type !=
+            session_keys->rtp_cipher->type) {
+            /*
+             * With GCM ciphers, the header extensions are still encrypted using
+             * the corresponding ICM cipher.
+             * See https://tools.ietf.org/html/rfc7714#section-8.3
+             */
+            uint8_t tmp_xtn_hdr_key[MAX_SRTP_KEY_LEN];
+            rtp_xtn_hdr_keylen =
+                srtp_cipher_get_key_length(session_keys->rtp_xtn_hdr_cipher);
+            rtp_xtn_hdr_base_key_len = base_key_length(
+                session_keys->rtp_xtn_hdr_cipher->type, rtp_xtn_hdr_keylen);
+            rtp_xtn_hdr_salt_len =
+                rtp_xtn_hdr_keylen - rtp_xtn_hdr_base_key_len;
+            if (rtp_xtn_hdr_salt_len > rtp_salt_len) {
+                switch (session_keys->rtp_cipher->type->id) {
+                case SRTP_AES_GCM_128:
+                case SRTP_AES_GCM_256:
+                    /*
+                     * The shorter GCM salt is padded to the required ICM salt
+                     * length.
+                     */
+                    rtp_xtn_hdr_salt_len = rtp_salt_len;
+                    break;
+                default:
+                    /* zeroize temp buffer */
+                    octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
+                    return srtp_err_status_bad_param;
+                }
+            }
+            memset(tmp_xtn_hdr_key, 0x0, MAX_SRTP_KEY_LEN);
+            memcpy(tmp_xtn_hdr_key, key,
+                   (rtp_xtn_hdr_base_key_len + rtp_xtn_hdr_salt_len));
+            xtn_hdr_kdf = &tmp_kdf;
+
+/* initialize KDF state */
+#if defined(OPENSSL) && defined(OPENSSL_KDF)
+            stat =
+                srtp_kdf_init(xtn_hdr_kdf, (const uint8_t *)tmp_xtn_hdr_key,
+                              rtp_xtn_hdr_base_key_len, rtp_xtn_hdr_salt_len);
+#else
+            stat = srtp_kdf_init(xtn_hdr_kdf, (const uint8_t *)tmp_xtn_hdr_key,
+                                 kdf_keylen);
+#endif
+            octet_string_set_to_zero(tmp_xtn_hdr_key, MAX_SRTP_KEY_LEN);
+            if (stat) {
+                /* zeroize temp buffer */
+                octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
+                return srtp_err_status_init_fail;
+            }
+        } else {
+            /* Reuse main KDF. */
+            rtp_xtn_hdr_keylen = rtp_keylen;
+            rtp_xtn_hdr_base_key_len = rtp_base_key_len;
+            rtp_xtn_hdr_salt_len = rtp_salt_len;
+            xtn_hdr_kdf = &kdf;
+        }
+
+        stat = srtp_kdf_generate(xtn_hdr_kdf, label_rtp_header_encryption,
+                                 tmp_key, rtp_xtn_hdr_base_key_len);
+        if (stat) {
+            /* zeroize temp buffer */
+            octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
+            return srtp_err_status_init_fail;
+        }
+        debug_print(
+            mod_srtp, "extensions cipher key: %s",
+            srtp_octet_string_hex_string(tmp_key, rtp_xtn_hdr_base_key_len));
+
+        /*
+         * if the cipher in the srtp context uses a salt, then we need
+         * to generate the salt value
+         */
+        if (rtp_xtn_hdr_salt_len > 0) {
+            debug_print(mod_srtp,
+                        "found rtp_xtn_hdr_salt_len > 0, generating salt",
+                        NULL);
+
+            /* generate encryption salt, put after encryption key */
+            stat = srtp_kdf_generate(xtn_hdr_kdf, label_rtp_header_salt,
+                                     tmp_key + rtp_xtn_hdr_base_key_len,
+                                     rtp_xtn_hdr_salt_len);
+            if (stat) {
+                /* zeroize temp buffer */
+                octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
+                return srtp_err_status_init_fail;
+            }
+        }
+        if (rtp_xtn_hdr_salt_len > 0) {
+            debug_print(
+                mod_srtp, "extensions cipher salt: %s",
+                srtp_octet_string_hex_string(tmp_key + rtp_xtn_hdr_base_key_len,
+                                             rtp_xtn_hdr_salt_len));
+        }
+
+        /* initialize extensions header cipher */
+        stat = srtp_cipher_init(session_keys->rtp_xtn_hdr_cipher, tmp_key);
+        if (stat) {
+            /* zeroize temp buffer */
+            octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
+            return srtp_err_status_init_fail;
+        }
+
+        if (xtn_hdr_kdf != &kdf) {
+            /* release memory for custom header extension encryption kdf */
+            stat = srtp_kdf_clear(xtn_hdr_kdf);
+            if (stat) {
+                /* zeroize temp buffer */
+                octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
+                return srtp_err_status_init_fail;
+            }
+        }
+    }
+
+    /* generate authentication key */
+    stat = srtp_kdf_generate(&kdf, label_rtp_msg_auth, tmp_key,
+                             srtp_auth_get_key_length(session_keys->rtp_auth));
+    if (stat) {
+        /* zeroize temp buffer */
+        octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
+        return srtp_err_status_init_fail;
+    }
+    debug_print(mod_srtp, "auth key:   %s",
+                srtp_octet_string_hex_string(
+                    tmp_key, srtp_auth_get_key_length(session_keys->rtp_auth)));
+
+    /* initialize auth function */
+    stat = srtp_auth_init(session_keys->rtp_auth, tmp_key);
+    if (stat) {
+        /* zeroize temp buffer */
+        octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
+        return srtp_err_status_init_fail;
+    }
+
+    /*
+     * ...now initialize SRTCP keys
+     */
+
+    rtcp_base_key_len =
+        base_key_length(session_keys->rtcp_cipher->type, rtcp_keylen);
+    rtcp_salt_len = rtcp_keylen - rtcp_base_key_len;
+    debug_print(mod_srtp, "rtcp salt len: %d", rtcp_salt_len);
+
+    /* generate encryption key  */
+    stat = srtp_kdf_generate(&kdf, label_rtcp_encryption, tmp_key,
+                             rtcp_base_key_len);
+    if (stat) {
+        /* zeroize temp buffer */
+        octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
+        return srtp_err_status_init_fail;
+    }
+
+    /*
+     * if the cipher in the srtp context uses a salt, then we need
+     * to generate the salt value
+     */
+    if (rtcp_salt_len > 0) {
+        debug_print(mod_srtp, "found rtcp_salt_len > 0, generating rtcp salt",
+                    NULL);
+
+        /* generate encryption salt, put after encryption key */
+        stat = srtp_kdf_generate(&kdf, label_rtcp_salt,
+                                 tmp_key + rtcp_base_key_len, rtcp_salt_len);
+        if (stat) {
+            /* zeroize temp buffer */
+            octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
+            return srtp_err_status_init_fail;
+        }
+        memcpy(session_keys->c_salt, tmp_key + rtcp_base_key_len,
+               SRTP_AEAD_SALT_LEN);
+    }
+    debug_print(mod_srtp, "rtcp cipher key: %s",
+                srtp_octet_string_hex_string(tmp_key, rtcp_base_key_len));
+    if (rtcp_salt_len > 0) {
+        debug_print(mod_srtp, "rtcp cipher salt: %s",
+                    srtp_octet_string_hex_string(tmp_key + rtcp_base_key_len,
+                                                 rtcp_salt_len));
+    }
+
+    /* initialize cipher */
+    stat = srtp_cipher_init(session_keys->rtcp_cipher, tmp_key);
+    if (stat) {
+        /* zeroize temp buffer */
+        octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
+        return srtp_err_status_init_fail;
+    }
+
+    /* generate authentication key */
+    stat = srtp_kdf_generate(&kdf, label_rtcp_msg_auth, tmp_key,
+                             srtp_auth_get_key_length(session_keys->rtcp_auth));
+    if (stat) {
+        /* zeroize temp buffer */
+        octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
+        return srtp_err_status_init_fail;
+    }
+
+    debug_print(
+        mod_srtp, "rtcp auth key:   %s",
+        srtp_octet_string_hex_string(
+            tmp_key, srtp_auth_get_key_length(session_keys->rtcp_auth)));
+
+    /* initialize auth function */
+    stat = srtp_auth_init(session_keys->rtcp_auth, tmp_key);
+    if (stat) {
+        /* zeroize temp buffer */
+        octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
+        return srtp_err_status_init_fail;
+    }
+
+    /* clear memory then return */
+    stat = srtp_kdf_clear(&kdf);
+    octet_string_set_to_zero(tmp_key, MAX_SRTP_KEY_LEN);
+    if (stat)
+        return srtp_err_status_init_fail;
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_stream_init(srtp_stream_ctx_t *srtp,
+                                   const srtp_policy_t *p)
+{
+    srtp_err_status_t err;
+
+    debug_print(mod_srtp, "initializing stream (SSRC: 0x%08x)", p->ssrc.value);
+
+    /* initialize replay database */
+    /*
+     * window size MUST be at least 64.  MAY be larger.  Values more than
+     * 2^15 aren't meaningful due to how extended sequence numbers are
+     * calculated.
+     * Let a window size of 0 imply the default value.
+     */
+
+    if (p->window_size != 0 &&
+        (p->window_size < 64 || p->window_size >= 0x8000))
+        return srtp_err_status_bad_param;
+
+    if (p->window_size != 0)
+        err = srtp_rdbx_init(&srtp->rtp_rdbx, p->window_size);
+    else
+        err = srtp_rdbx_init(&srtp->rtp_rdbx, 128);
+    if (err)
+        return err;
+
+    /* set the SSRC value */
+    srtp->ssrc = htonl(p->ssrc.value);
+
+    /* reset pending ROC */
+    srtp->pending_roc = 0;
+
+    /* set the security service flags */
+    srtp->rtp_services = p->rtp.sec_serv;
+    srtp->rtcp_services = p->rtcp.sec_serv;
+
+    /*
+     * set direction to unknown - this flag gets checked in srtp_protect(),
+     * srtp_unprotect(), srtp_protect_rtcp(), and srtp_unprotect_rtcp(), and
+     * gets set appropriately if it is set to unknown.
+     */
+    srtp->direction = dir_unknown;
+
+    /* initialize SRTCP replay database */
+    srtp_rdb_init(&srtp->rtcp_rdb);
+
+    /* initialize allow_repeat_tx */
+    /* guard against uninitialized memory: allow only 0 or 1 here */
+    if (p->allow_repeat_tx != 0 && p->allow_repeat_tx != 1) {
+        srtp_rdbx_dealloc(&srtp->rtp_rdbx);
+        return srtp_err_status_bad_param;
+    }
+    srtp->allow_repeat_tx = p->allow_repeat_tx;
+
+    /* DAM - no RTCP key limit at present */
+
+    /* initialize keys */
+    err = srtp_stream_init_all_master_keys(srtp, p->key, p->keys,
+                                           p->num_master_keys);
+    if (err) {
+        srtp_rdbx_dealloc(&srtp->rtp_rdbx);
+        return err;
+    }
+
+    /*
+     * if EKT is in use, then initialize the EKT data associated with
+     * the stream
+     */
+    err = srtp_ekt_stream_init_from_policy(srtp->ekt, p->ekt);
+    if (err) {
+        srtp_rdbx_dealloc(&srtp->rtp_rdbx);
+        return err;
+    }
+
+    return srtp_err_status_ok;
+}
+
+/*
+ * srtp_event_reporter is an event handler function that merely
+ * reports the events that are reported by the callbacks
+ */
+
+void srtp_event_reporter(srtp_event_data_t *data)
+{
+    srtp_err_report(srtp_err_level_warning, "srtp: in stream 0x%x: ",
+                    data->ssrc);
+
+    switch (data->event) {
+    case event_ssrc_collision:
+        srtp_err_report(srtp_err_level_warning, "\tSSRC collision\n");
+        break;
+    case event_key_soft_limit:
+        srtp_err_report(srtp_err_level_warning,
+                        "\tkey usage soft limit reached\n");
+        break;
+    case event_key_hard_limit:
+        srtp_err_report(srtp_err_level_warning,
+                        "\tkey usage hard limit reached\n");
+        break;
+    case event_packet_index_limit:
+        srtp_err_report(srtp_err_level_warning,
+                        "\tpacket index limit reached\n");
+        break;
+    default:
+        srtp_err_report(srtp_err_level_warning,
+                        "\tunknown event reported to handler\n");
+    }
+}
+
+/*
+ * srtp_event_handler is a global variable holding a pointer to the
+ * event handler function; this function is called for any unexpected
+ * event that needs to be handled out of the SRTP data path.  see
+ * srtp_event_t in srtp.h for more info
+ *
+ * it is okay to set srtp_event_handler to NULL, but we set
+ * it to the srtp_event_reporter.
+ */
+
+static srtp_event_handler_func_t *srtp_event_handler = srtp_event_reporter;
+
+srtp_err_status_t srtp_install_event_handler(srtp_event_handler_func_t func)
+{
+    /*
+     * note that we accept NULL arguments intentionally - calling this
+     * function with a NULL arguments removes an event handler that's
+     * been previously installed
+     */
+
+    /* set global event handling function */
+    srtp_event_handler = func;
+    return srtp_err_status_ok;
+}
+
+/*
+ * Check if the given extension header id is / should be encrypted.
+ * Returns 1 if yes, otherwise 0.
+ */
+static int srtp_protect_extension_header(srtp_stream_ctx_t *stream, int id)
+{
+    int *enc_xtn_hdr = stream->enc_xtn_hdr;
+    int count = stream->enc_xtn_hdr_count;
+
+    if (!enc_xtn_hdr || count <= 0) {
+        return 0;
+    }
+
+    while (count > 0) {
+        if (*enc_xtn_hdr == id) {
+            return 1;
+        }
+
+        enc_xtn_hdr++;
+        count--;
+    }
+    return 0;
+}
+
+/*
+ * extensions header encryption RFC 6904
+ */
+static srtp_err_status_t srtp_process_header_encryption(
+    srtp_stream_ctx_t *stream,
+    srtp_hdr_xtnd_t *xtn_hdr,
+    srtp_session_keys_t *session_keys)
+{
+    srtp_err_status_t status;
+    uint8_t keystream[257]; /* Maximum 2 bytes header + 255 bytes data. */
+    int keystream_pos;
+    uint8_t *xtn_hdr_data = ((uint8_t *)xtn_hdr) + octets_in_rtp_extn_hdr;
+    uint8_t *xtn_hdr_end =
+        xtn_hdr_data + (ntohs(xtn_hdr->length) * sizeof(uint32_t));
+
+    if (ntohs(xtn_hdr->profile_specific) == 0xbede) {
+        /* RFC 5285, section 4.2. One-Byte Header */
+        while (xtn_hdr_data < xtn_hdr_end) {
+            uint8_t xid = (*xtn_hdr_data & 0xf0) >> 4;
+            unsigned int xlen = (*xtn_hdr_data & 0x0f) + 1;
+            uint32_t xlen_with_header = 1 + xlen;
+            xtn_hdr_data++;
+
+            if (xtn_hdr_data + xlen > xtn_hdr_end)
+                return srtp_err_status_parse_err;
+
+            if (xid == 15) {
+                /* found header 15, stop further processing. */
+                break;
+            }
+
+            status = srtp_cipher_output(session_keys->rtp_xtn_hdr_cipher,
+                                        keystream, &xlen_with_header);
+            if (status)
+                return srtp_err_status_cipher_fail;
+
+            if (srtp_protect_extension_header(stream, xid)) {
+                keystream_pos = 1;
+                while (xlen > 0) {
+                    *xtn_hdr_data ^= keystream[keystream_pos++];
+                    xtn_hdr_data++;
+                    xlen--;
+                }
+            } else {
+                xtn_hdr_data += xlen;
+            }
+
+            /* skip padding bytes. */
+            while (xtn_hdr_data < xtn_hdr_end && *xtn_hdr_data == 0) {
+                xtn_hdr_data++;
+            }
+        }
+    } else if ((ntohs(xtn_hdr->profile_specific) & 0x1fff) == 0x100) {
+        /* RFC 5285, section 4.3. Two-Byte Header */
+        while (xtn_hdr_data + 1 < xtn_hdr_end) {
+            uint8_t xid = *xtn_hdr_data;
+            unsigned int xlen = *(xtn_hdr_data + 1);
+            uint32_t xlen_with_header = 2 + xlen;
+            xtn_hdr_data += 2;
+
+            if (xtn_hdr_data + xlen > xtn_hdr_end)
+                return srtp_err_status_parse_err;
+
+            status = srtp_cipher_output(session_keys->rtp_xtn_hdr_cipher,
+                                        keystream, &xlen_with_header);
+            if (status)
+                return srtp_err_status_cipher_fail;
+
+            if (xlen > 0 && srtp_protect_extension_header(stream, xid)) {
+                keystream_pos = 2;
+                while (xlen > 0) {
+                    *xtn_hdr_data ^= keystream[keystream_pos++];
+                    xtn_hdr_data++;
+                    xlen--;
+                }
+            } else {
+                xtn_hdr_data += xlen;
+            }
+
+            /* skip padding bytes. */
+            while (xtn_hdr_data < xtn_hdr_end && *xtn_hdr_data == 0) {
+                xtn_hdr_data++;
+            }
+        }
+    } else {
+        /* unsupported extension header format. */
+        return srtp_err_status_parse_err;
+    }
+
+    return srtp_err_status_ok;
+}
+
+/*
+ * AEAD uses a new IV formation method.  This function implements
+ * section 8.1. (SRTP IV Formation for AES-GCM) of RFC7714.
+ * The calculation is defined as, where (+) is the xor operation:
+ *
+ *
+ *              0  0  0  0  0  0  0  0  0  0  1  1
+ *              0  1  2  3  4  5  6  7  8  9  0  1
+ *            +--+--+--+--+--+--+--+--+--+--+--+--+
+ *            |00|00|    SSRC   |     ROC   | SEQ |---+
+ *            +--+--+--+--+--+--+--+--+--+--+--+--+   |
+ *                                                    |
+ *            +--+--+--+--+--+--+--+--+--+--+--+--+   |
+ *            |         Encryption Salt           |->(+)
+ *            +--+--+--+--+--+--+--+--+--+--+--+--+   |
+ *                                                    |
+ *            +--+--+--+--+--+--+--+--+--+--+--+--+   |
+ *            |       Initialization Vector       |<--+
+ *            +--+--+--+--+--+--+--+--+--+--+--+--+*
+ *
+ * Input:  *session_keys - pointer to SRTP stream context session keys,
+ *                         used to retrieve the SALT
+ *         *iv     - Pointer to receive the calculated IV
+ *         *seq    - The ROC and SEQ value to use for the
+ *                   IV calculation.
+ *         *hdr    - The RTP header, used to get the SSRC value
+ *
+ */
+
+static void srtp_calc_aead_iv(srtp_session_keys_t *session_keys,
+                              v128_t *iv,
+                              srtp_xtd_seq_num_t *seq,
+                              srtp_hdr_t *hdr)
+{
+    v128_t in;
+    v128_t salt;
+
+#ifdef NO_64BIT_MATH
+    uint32_t local_roc = ((high32(*seq) << 16) | (low32(*seq) >> 16));
+    uint16_t local_seq = (uint16_t)(low32(*seq));
+#else
+    uint32_t local_roc = (uint32_t)(*seq >> 16);
+    uint16_t local_seq = (uint16_t)*seq;
+#endif
+
+    memset(&in, 0, sizeof(v128_t));
+    memset(&salt, 0, sizeof(v128_t));
+
+    in.v16[5] = htons(local_seq);
+    local_roc = htonl(local_roc);
+    memcpy(&in.v16[3], &local_roc, sizeof(local_roc));
+
+    /*
+     * Copy in the RTP SSRC value
+     */
+    memcpy(&in.v8[2], &hdr->ssrc, 4);
+    debug_print(mod_srtp, "Pre-salted RTP IV = %s\n", v128_hex_string(&in));
+
+    /*
+     * Get the SALT value from the context
+     */
+    memcpy(salt.v8, session_keys->salt, SRTP_AEAD_SALT_LEN);
+    debug_print(mod_srtp, "RTP SALT = %s\n", v128_hex_string(&salt));
+
+    /*
+     * Finally, apply tyhe SALT to the input
+     */
+    v128_xor(iv, &in, &salt);
+}
+
+srtp_session_keys_t *srtp_get_session_keys(srtp_stream_ctx_t *stream,
+                                           uint8_t *hdr,
+                                           const unsigned int *pkt_octet_len,
+                                           unsigned int *mki_size)
+{
+    unsigned int base_mki_start_location = *pkt_octet_len;
+    unsigned int mki_start_location = 0;
+    unsigned int tag_len = 0;
+    unsigned int i = 0;
+
+    // Determine the authentication tag size
+    if (stream->session_keys[0].rtp_cipher->algorithm == SRTP_AES_GCM_128 ||
+        stream->session_keys[0].rtp_cipher->algorithm == SRTP_AES_GCM_256) {
+        tag_len = 0;
+    } else {
+        tag_len = srtp_auth_get_tag_length(stream->session_keys[0].rtp_auth);
+    }
+
+    if (tag_len > base_mki_start_location) {
+        *mki_size = 0;
+        return NULL;
+    }
+
+    base_mki_start_location -= tag_len;
+
+    for (i = 0; i < stream->num_master_keys; i++) {
+        if (stream->session_keys[i].mki_size != 0 &&
+            stream->session_keys[i].mki_size <= base_mki_start_location) {
+            *mki_size = stream->session_keys[i].mki_size;
+            mki_start_location = base_mki_start_location - *mki_size;
+
+            if (memcmp(hdr + mki_start_location, stream->session_keys[i].mki_id,
+                       *mki_size) == 0) {
+                return &stream->session_keys[i];
+            }
+        }
+    }
+
+    *mki_size = 0;
+    return NULL;
+}
+
+static srtp_err_status_t srtp_estimate_index(srtp_rdbx_t *rdbx,
+                                             uint32_t roc,
+                                             srtp_xtd_seq_num_t *est,
+                                             srtp_sequence_number_t seq,
+                                             int *delta)
+{
+#ifdef NO_64BIT_MATH
+    uint32_t internal_pkt_idx_reduced;
+    uint32_t external_pkt_idx_reduced;
+    uint32_t internal_roc;
+    uint32_t roc_difference;
+#endif
+
+#ifdef NO_64BIT_MATH
+    *est = (srtp_xtd_seq_num_t)make64(roc >> 16, (roc << 16) | seq);
+    *delta = low32(est) - rdbx->index;
+#else
+    *est = (srtp_xtd_seq_num_t)(((uint64_t)roc) << 16) | seq;
+    *delta = (int)(*est - rdbx->index);
+#endif
+
+    if (*est > rdbx->index) {
+#ifdef NO_64BIT_MATH
+        internal_roc = (uint32_t)(rdbx->index >> 16);
+        roc_difference = roc - internal_roc;
+        if (roc_difference > 1) {
+            *delta = 0;
+            return srtp_err_status_pkt_idx_adv;
+        }
+
+        internal_pkt_idx_reduced = (uint32_t)(rdbx->index & 0xFFFF);
+        external_pkt_idx_reduced = (uint32_t)((roc_difference << 16) | seq);
+
+        if (external_pkt_idx_reduced - internal_pkt_idx_reduced >
+            seq_num_median) {
+            *delta = 0;
+            return srtp_err_status_pkt_idx_adv;
+        }
+#else
+        if (*est - rdbx->index > seq_num_median) {
+            *delta = 0;
+            return srtp_err_status_pkt_idx_adv;
+        }
+#endif
+    } else if (*est < rdbx->index) {
+#ifdef NO_64BIT_MATH
+
+        internal_roc = (uint32_t)(rdbx->index >> 16);
+        roc_difference = internal_roc - roc;
+        if (roc_difference > 1) {
+            *delta = 0;
+            return srtp_err_status_pkt_idx_adv;
+        }
+
+        internal_pkt_idx_reduced =
+            (uint32_t)((roc_difference << 16) | rdbx->index & 0xFFFF);
+        external_pkt_idx_reduced = (uint32_t)(seq);
+
+        if (internal_pkt_idx_reduced - external_pkt_idx_reduced >
+            seq_num_median) {
+            *delta = 0;
+            return srtp_err_status_pkt_idx_old;
+        }
+#else
+        if (rdbx->index - *est > seq_num_median) {
+            *delta = 0;
+            return srtp_err_status_pkt_idx_old;
+        }
+#endif
+    }
+
+    return srtp_err_status_ok;
+}
+
+static srtp_err_status_t srtp_get_est_pkt_index(srtp_hdr_t *hdr,
+                                                srtp_stream_ctx_t *stream,
+                                                srtp_xtd_seq_num_t *est,
+                                                int *delta)
+{
+    srtp_err_status_t result = srtp_err_status_ok;
+
+    if (stream->pending_roc) {
+        result = srtp_estimate_index(&stream->rtp_rdbx, stream->pending_roc,
+                                     est, ntohs(hdr->seq), delta);
+    } else {
+        /* estimate packet index from seq. num. in header */
+        *delta =
+            srtp_rdbx_estimate_index(&stream->rtp_rdbx, est, ntohs(hdr->seq));
+    }
+
+#ifdef NO_64BIT_MATH
+    debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(*est),
+                 low32(*est));
+#else
+    debug_print(mod_srtp, "estimated u_packet index: %016llx", *est);
+#endif
+    return result;
+}
+
+/*
+ * This function handles outgoing SRTP packets while in AEAD mode,
+ * which currently supports AES-GCM encryption.  All packets are
+ * encrypted and authenticated.
+ */
+static srtp_err_status_t srtp_protect_aead(srtp_ctx_t *ctx,
+                                           srtp_stream_ctx_t *stream,
+                                           void *rtp_hdr,
+                                           unsigned int *pkt_octet_len,
+                                           srtp_session_keys_t *session_keys,
+                                           unsigned int use_mki)
+{
+    srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr;
+    uint32_t *enc_start;    /* pointer to start of encrypted portion  */
+    int enc_octet_len = 0;  /* number of octets in encrypted portion  */
+    srtp_xtd_seq_num_t est; /* estimated xtd_seq_num_t of *hdr        */
+    int delta;              /* delta of local pkt idx and that in hdr */
+    srtp_err_status_t status;
+    uint32_t tag_len;
+    v128_t iv;
+    unsigned int aad_len;
+    srtp_hdr_xtnd_t *xtn_hdr = NULL;
+    unsigned int mki_size = 0;
+    uint8_t *mki_location = NULL;
+
+    debug_print(mod_srtp, "function srtp_protect_aead", NULL);
+
+    /*
+     * update the key usage limit, and check it to make sure that we
+     * didn't just hit either the soft limit or the hard limit, and call
+     * the event handler if we hit either.
+     */
+    switch (srtp_key_limit_update(session_keys->limit)) {
+    case srtp_key_event_normal:
+        break;
+    case srtp_key_event_hard_limit:
+        srtp_handle_event(ctx, stream, event_key_hard_limit);
+        return srtp_err_status_key_expired;
+    case srtp_key_event_soft_limit:
+    default:
+        srtp_handle_event(ctx, stream, event_key_soft_limit);
+        break;
+    }
+
+    /* get tag length from stream */
+    tag_len = srtp_auth_get_tag_length(session_keys->rtp_auth);
+
+    /*
+     * find starting point for encryption and length of data to be
+     * encrypted - the encrypted portion starts after the rtp header
+     * extension, if present; otherwise, it starts after the last csrc,
+     * if any are present
+     */
+    enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc;
+    if (hdr->x == 1) {
+        xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
+        enc_start += (ntohs(xtn_hdr->length) + 1);
+    }
+    /* note: the passed size is without the auth tag */
+    if (!((uint8_t *)enc_start <= (uint8_t *)hdr + *pkt_octet_len))
+        return srtp_err_status_parse_err;
+    enc_octet_len =
+        (int)(*pkt_octet_len - ((uint8_t *)enc_start - (uint8_t *)hdr));
+    if (enc_octet_len < 0)
+        return srtp_err_status_parse_err;
+
+    /*
+     * estimate the packet index using the start of the replay window
+     * and the sequence number from the header
+     */
+    delta = srtp_rdbx_estimate_index(&stream->rtp_rdbx, &est, ntohs(hdr->seq));
+    status = srtp_rdbx_check(&stream->rtp_rdbx, delta);
+    if (status) {
+        if (status != srtp_err_status_replay_fail || !stream->allow_repeat_tx) {
+            return status; /* we've been asked to reuse an index */
+        }
+    } else {
+        srtp_rdbx_add_index(&stream->rtp_rdbx, delta);
+    }
+
+#ifdef NO_64BIT_MATH
+    debug_print2(mod_srtp, "estimated packet index: %08x%08x", high32(est),
+                 low32(est));
+#else
+    debug_print(mod_srtp, "estimated packet index: %016llx", est);
+#endif
+
+    /*
+     * AEAD uses a new IV formation method
+     */
+    srtp_calc_aead_iv(session_keys, &iv, &est, hdr);
+/* shift est, put into network byte order */
+#ifdef NO_64BIT_MATH
+    est = be64_to_cpu(
+        make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16));
+#else
+    est = be64_to_cpu(est << 16);
+#endif
+
+    status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv,
+                                srtp_direction_encrypt);
+    if (!status && session_keys->rtp_xtn_hdr_cipher) {
+        iv.v32[0] = 0;
+        iv.v32[1] = hdr->ssrc;
+        iv.v64[1] = est;
+        status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher,
+                                    (uint8_t *)&iv, srtp_direction_encrypt);
+    }
+    if (status) {
+        return srtp_err_status_cipher_fail;
+    }
+
+    if (xtn_hdr && session_keys->rtp_xtn_hdr_cipher) {
+        /*
+         * extensions header encryption RFC 6904
+         */
+        status = srtp_process_header_encryption(stream, xtn_hdr, session_keys);
+        if (status) {
+            return status;
+        }
+    }
+
+    /*
+     * Set the AAD over the RTP header
+     */
+    aad_len = (uint8_t *)enc_start - (uint8_t *)hdr;
+    status =
+        srtp_cipher_set_aad(session_keys->rtp_cipher, (uint8_t *)hdr, aad_len);
+    if (status) {
+        return (srtp_err_status_cipher_fail);
+    }
+
+    /* Encrypt the payload  */
+    status = srtp_cipher_encrypt(session_keys->rtp_cipher, (uint8_t *)enc_start,
+                                 (unsigned int *)&enc_octet_len);
+    if (status) {
+        return srtp_err_status_cipher_fail;
+    }
+    /*
+     * If we're doing GCM, we need to get the tag
+     * and append that to the output
+     */
+    status =
+        srtp_cipher_get_tag(session_keys->rtp_cipher,
+                            (uint8_t *)enc_start + enc_octet_len, &tag_len);
+    if (status) {
+        return (srtp_err_status_cipher_fail);
+    }
+
+    mki_location = (uint8_t *)hdr + *pkt_octet_len + tag_len;
+    mki_size = srtp_inject_mki(mki_location, session_keys, use_mki);
+
+    /* increase the packet length by the length of the auth tag */
+    *pkt_octet_len += tag_len;
+
+    /* increase the packet length by the length of the mki_size */
+    *pkt_octet_len += mki_size;
+
+    return srtp_err_status_ok;
+}
+
+/*
+ * This function handles incoming SRTP packets while in AEAD mode,
+ * which currently supports AES-GCM encryption.  All packets are
+ * encrypted and authenticated.  Note, the auth tag is at the end
+ * of the packet stream and is automatically checked by GCM
+ * when decrypting the payload.
+ */
+static srtp_err_status_t srtp_unprotect_aead(srtp_ctx_t *ctx,
+                                             srtp_stream_ctx_t *stream,
+                                             int delta,
+                                             srtp_xtd_seq_num_t est,
+                                             void *srtp_hdr,
+                                             unsigned int *pkt_octet_len,
+                                             srtp_session_keys_t *session_keys,
+                                             unsigned int mki_size)
+{
+    srtp_hdr_t *hdr = (srtp_hdr_t *)srtp_hdr;
+    uint32_t *enc_start;            /* pointer to start of encrypted portion  */
+    unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */
+    v128_t iv;
+    srtp_err_status_t status;
+    int tag_len;
+    unsigned int aad_len;
+    srtp_hdr_xtnd_t *xtn_hdr = NULL;
+
+    debug_print(mod_srtp, "function srtp_unprotect_aead", NULL);
+
+#ifdef NO_64BIT_MATH
+    debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(est),
+                 low32(est));
+#else
+    debug_print(mod_srtp, "estimated u_packet index: %016llx", est);
+#endif
+
+    /* get tag length from stream */
+    tag_len = srtp_auth_get_tag_length(session_keys->rtp_auth);
+
+    /*
+     * AEAD uses a new IV formation method
+     */
+    srtp_calc_aead_iv(session_keys, &iv, &est, hdr);
+    status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv,
+                                srtp_direction_decrypt);
+    if (!status && session_keys->rtp_xtn_hdr_cipher) {
+        iv.v32[0] = 0;
+        iv.v32[1] = hdr->ssrc;
+#ifdef NO_64BIT_MATH
+        iv.v64[1] = be64_to_cpu(
+            make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16));
+#else
+        iv.v64[1] = be64_to_cpu(est << 16);
+#endif
+        status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher,
+                                    (uint8_t *)&iv, srtp_direction_encrypt);
+    }
+    if (status) {
+        return srtp_err_status_cipher_fail;
+    }
+
+    /*
+     * find starting point for decryption and length of data to be
+     * decrypted - the encrypted portion starts after the rtp header
+     * extension, if present; otherwise, it starts after the last csrc,
+     * if any are present
+     */
+    enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc;
+    if (hdr->x == 1) {
+        xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
+        enc_start += (ntohs(xtn_hdr->length) + 1);
+    }
+    if (!((uint8_t *)enc_start <=
+          (uint8_t *)hdr + (*pkt_octet_len - tag_len - mki_size)))
+        return srtp_err_status_parse_err;
+    /*
+     * We pass the tag down to the cipher when doing GCM mode
+     */
+    enc_octet_len = (unsigned int)(*pkt_octet_len - mki_size -
+                                   ((uint8_t *)enc_start - (uint8_t *)hdr));
+
+    /*
+     * Sanity check the encrypted payload length against
+     * the tag size.  It must always be at least as large
+     * as the tag length.
+     */
+    if (enc_octet_len < (unsigned int)tag_len) {
+        return srtp_err_status_cipher_fail;
+    }
+
+    /*
+     * update the key usage limit, and check it to make sure that we
+     * didn't just hit either the soft limit or the hard limit, and call
+     * the event handler if we hit either.
+     */
+    switch (srtp_key_limit_update(session_keys->limit)) {
+    case srtp_key_event_normal:
+        break;
+    case srtp_key_event_soft_limit:
+        srtp_handle_event(ctx, stream, event_key_soft_limit);
+        break;
+    case srtp_key_event_hard_limit:
+        srtp_handle_event(ctx, stream, event_key_hard_limit);
+        return srtp_err_status_key_expired;
+    default:
+        break;
+    }
+
+    /*
+     * Set the AAD for AES-GCM, which is the RTP header
+     */
+    aad_len = (uint8_t *)enc_start - (uint8_t *)hdr;
+    status =
+        srtp_cipher_set_aad(session_keys->rtp_cipher, (uint8_t *)hdr, aad_len);
+    if (status) {
+        return (srtp_err_status_cipher_fail);
+    }
+
+    /* Decrypt the ciphertext.  This also checks the auth tag based
+     * on the AAD we just specified above */
+    status = srtp_cipher_decrypt(session_keys->rtp_cipher, (uint8_t *)enc_start,
+                                 &enc_octet_len);
+    if (status) {
+        return status;
+    }
+
+    if (xtn_hdr && session_keys->rtp_xtn_hdr_cipher) {
+        /*
+         * extensions header encryption RFC 6904
+         */
+        status = srtp_process_header_encryption(stream, xtn_hdr, session_keys);
+        if (status) {
+            return status;
+        }
+    }
+
+    /*
+     * verify that stream is for received traffic - this check will
+     * detect SSRC collisions, since a stream that appears in both
+     * srtp_protect() and srtp_unprotect() will fail this test in one of
+     * those functions.
+     *
+     * we do this check *after* the authentication check, so that the
+     * latter check will catch any attempts to fool us into thinking
+     * that we've got a collision
+     */
+    if (stream->direction != dir_srtp_receiver) {
+        if (stream->direction == dir_unknown) {
+            stream->direction = dir_srtp_receiver;
+        } else {
+            srtp_handle_event(ctx, stream, event_ssrc_collision);
+        }
+    }
+
+    /*
+     * if the stream is a 'provisional' one, in which the template context
+     * is used, then we need to allocate a new stream at this point, since
+     * the authentication passed
+     */
+    if (stream == ctx->stream_template) {
+        srtp_stream_ctx_t *new_stream;
+
+        /*
+         * allocate and initialize a new stream
+         *
+         * note that we indicate failure if we can't allocate the new
+         * stream, and some implementations will want to not return
+         * failure here
+         */
+        status =
+            srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
+        if (status) {
+            return status;
+        }
+
+        /* add new stream to the head of the stream_list */
+        new_stream->next = ctx->stream_list;
+        ctx->stream_list = new_stream;
+
+        /* set stream (the pointer used in this function) */
+        stream = new_stream;
+    }
+
+    /*
+     * the message authentication function passed, so add the packet
+     * index into the replay database
+     */
+    srtp_rdbx_add_index(&stream->rtp_rdbx, delta);
+
+    /* decrease the packet length by the length of the auth tag */
+    *pkt_octet_len -= tag_len;
+
+    /* decrease the packet length by the length of the mki_size */
+    *pkt_octet_len -= mki_size;
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_protect(srtp_ctx_t *ctx,
+                               void *rtp_hdr,
+                               int *pkt_octet_len)
+{
+    return srtp_protect_mki(ctx, rtp_hdr, pkt_octet_len, 0, 0);
+}
+
+srtp_err_status_t srtp_protect_mki(srtp_ctx_t *ctx,
+                                   void *rtp_hdr,
+                                   int *pkt_octet_len,
+                                   unsigned int use_mki,
+                                   unsigned int mki_index)
+{
+    srtp_hdr_t *hdr = (srtp_hdr_t *)rtp_hdr;
+    uint32_t *enc_start;      /* pointer to start of encrypted portion  */
+    uint32_t *auth_start;     /* pointer to start of auth. portion      */
+    int enc_octet_len = 0;    /* number of octets in encrypted portion  */
+    srtp_xtd_seq_num_t est;   /* estimated xtd_seq_num_t of *hdr        */
+    int delta;                /* delta of local pkt idx and that in hdr */
+    uint8_t *auth_tag = NULL; /* location of auth_tag within packet     */
+    srtp_err_status_t status;
+    int tag_len;
+    srtp_stream_ctx_t *stream;
+    uint32_t prefix_len;
+    srtp_hdr_xtnd_t *xtn_hdr = NULL;
+    unsigned int mki_size = 0;
+    srtp_session_keys_t *session_keys = NULL;
+    uint8_t *mki_location = NULL;
+    int advance_packet_index = 0;
+
+    debug_print(mod_srtp, "function srtp_protect", NULL);
+
+    /* we assume the hdr is 32-bit aligned to start */
+
+    /* Verify RTP header */
+    status = srtp_validate_rtp_header(rtp_hdr, pkt_octet_len);
+    if (status)
+        return status;
+
+    /* check the packet length - it must at least contain a full header */
+    if (*pkt_octet_len < octets_in_rtp_header)
+        return srtp_err_status_bad_param;
+
+    /*
+     * look up ssrc in srtp_stream list, and process the packet with
+     * the appropriate stream.  if we haven't seen this stream before,
+     * there's a template key for this srtp_session, and the cipher
+     * supports key-sharing, then we assume that a new stream using
+     * that key has just started up
+     */
+    stream = srtp_get_stream(ctx, hdr->ssrc);
+    if (stream == NULL) {
+        if (ctx->stream_template != NULL) {
+            srtp_stream_ctx_t *new_stream;
+
+            /* allocate and initialize a new stream */
+            status =
+                srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
+            if (status)
+                return status;
+
+            /* add new stream to the head of the stream_list */
+            new_stream->next = ctx->stream_list;
+            ctx->stream_list = new_stream;
+
+            /* set direction to outbound */
+            new_stream->direction = dir_srtp_sender;
+
+            /* set stream (the pointer used in this function) */
+            stream = new_stream;
+        } else {
+            /* no template stream, so we return an error */
+            return srtp_err_status_no_ctx;
+        }
+    }
+
+    /*
+     * verify that stream is for sending traffic - this check will
+     * detect SSRC collisions, since a stream that appears in both
+     * srtp_protect() and srtp_unprotect() will fail this test in one of
+     * those functions.
+     */
+
+    if (stream->direction != dir_srtp_sender) {
+        if (stream->direction == dir_unknown) {
+            stream->direction = dir_srtp_sender;
+        } else {
+            srtp_handle_event(ctx, stream, event_ssrc_collision);
+        }
+    }
+
+    session_keys =
+        srtp_get_session_keys_with_mki_index(stream, use_mki, mki_index);
+
+    if (session_keys == NULL)
+        return srtp_err_status_bad_mki;
+
+    /*
+     * Check if this is an AEAD stream (GCM mode).  If so, then dispatch
+     * the request to our AEAD handler.
+     */
+    if (session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_128 ||
+        session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_256) {
+        return srtp_protect_aead(ctx, stream, rtp_hdr,
+                                 (unsigned int *)pkt_octet_len, session_keys,
+                                 use_mki);
+    }
+
+    /*
+     * update the key usage limit, and check it to make sure that we
+     * didn't just hit either the soft limit or the hard limit, and call
+     * the event handler if we hit either.
+     */
+    switch (srtp_key_limit_update(session_keys->limit)) {
+    case srtp_key_event_normal:
+        break;
+    case srtp_key_event_soft_limit:
+        srtp_handle_event(ctx, stream, event_key_soft_limit);
+        break;
+    case srtp_key_event_hard_limit:
+        srtp_handle_event(ctx, stream, event_key_hard_limit);
+        return srtp_err_status_key_expired;
+    default:
+        break;
+    }
+
+    /* get tag length from stream */
+    tag_len = srtp_auth_get_tag_length(session_keys->rtp_auth);
+
+    /*
+     * find starting point for encryption and length of data to be
+     * encrypted - the encrypted portion starts after the rtp header
+     * extension, if present; otherwise, it starts after the last csrc,
+     * if any are present
+     *
+     * if we're not providing confidentiality, set enc_start to NULL
+     */
+    if (stream->rtp_services & sec_serv_conf) {
+        enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc;
+        if (hdr->x == 1) {
+            xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
+            enc_start += (ntohs(xtn_hdr->length) + 1);
+        }
+        /* note: the passed size is without the auth tag */
+        if (!((uint8_t *)enc_start <= (uint8_t *)hdr + *pkt_octet_len))
+            return srtp_err_status_parse_err;
+        enc_octet_len =
+            (int)(*pkt_octet_len - ((uint8_t *)enc_start - (uint8_t *)hdr));
+        if (enc_octet_len < 0)
+            return srtp_err_status_parse_err;
+    } else {
+        enc_start = NULL;
+    }
+
+    mki_location = (uint8_t *)hdr + *pkt_octet_len;
+    mki_size = srtp_inject_mki(mki_location, session_keys, use_mki);
+
+    /*
+     * if we're providing authentication, set the auth_start and auth_tag
+     * pointers to the proper locations; otherwise, set auth_start to NULL
+     * to indicate that no authentication is needed
+     */
+    if (stream->rtp_services & sec_serv_auth) {
+        auth_start = (uint32_t *)hdr;
+        auth_tag = (uint8_t *)hdr + *pkt_octet_len + mki_size;
+    } else {
+        auth_start = NULL;
+        auth_tag = NULL;
+    }
+
+    /*
+     * estimate the packet index using the start of the replay window
+     * and the sequence number from the header
+     */
+    status = srtp_get_est_pkt_index(hdr, stream, &est, &delta);
+
+    if (status && (status != srtp_err_status_pkt_idx_adv))
+        return status;
+
+    if (status == srtp_err_status_pkt_idx_adv)
+        advance_packet_index = 1;
+
+    if (advance_packet_index) {
+        srtp_rdbx_set_roc_seq(&stream->rtp_rdbx, (uint32_t)(est >> 16),
+                              (uint16_t)(est & 0xFFFF));
+        stream->pending_roc = 0;
+        srtp_rdbx_add_index(&stream->rtp_rdbx, 0);
+    } else {
+        status = srtp_rdbx_check(&stream->rtp_rdbx, delta);
+        if (status) {
+            if (status != srtp_err_status_replay_fail ||
+                !stream->allow_repeat_tx)
+                return status; /* we've been asked to reuse an index */
+        }
+        srtp_rdbx_add_index(&stream->rtp_rdbx, delta);
+    }
+
+#ifdef NO_64BIT_MATH
+    debug_print2(mod_srtp, "estimated packet index: %08x%08x", high32(est),
+                 low32(est));
+#else
+    debug_print(mod_srtp, "estimated packet index: %016llx", est);
+#endif
+
+    /*
+     * if we're using rindael counter mode, set nonce and seq
+     */
+    if (session_keys->rtp_cipher->type->id == SRTP_AES_ICM_128 ||
+        session_keys->rtp_cipher->type->id == SRTP_AES_ICM_192 ||
+        session_keys->rtp_cipher->type->id == SRTP_AES_ICM_256) {
+        v128_t iv;
+
+        iv.v32[0] = 0;
+        iv.v32[1] = hdr->ssrc;
+#ifdef NO_64BIT_MATH
+        iv.v64[1] = be64_to_cpu(
+            make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16));
+#else
+        iv.v64[1] = be64_to_cpu(est << 16);
+#endif
+        status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv,
+                                    srtp_direction_encrypt);
+        if (!status && session_keys->rtp_xtn_hdr_cipher) {
+            status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher,
+                                        (uint8_t *)&iv, srtp_direction_encrypt);
+        }
+    } else {
+        v128_t iv;
+
+/* otherwise, set the index to est */
+#ifdef NO_64BIT_MATH
+        iv.v32[0] = 0;
+        iv.v32[1] = 0;
+#else
+        iv.v64[0] = 0;
+#endif
+        iv.v64[1] = be64_to_cpu(est);
+        status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv,
+                                    srtp_direction_encrypt);
+        if (!status && session_keys->rtp_xtn_hdr_cipher) {
+            status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher,
+                                        (uint8_t *)&iv, srtp_direction_encrypt);
+        }
+    }
+    if (status)
+        return srtp_err_status_cipher_fail;
+
+/* shift est, put into network byte order */
+#ifdef NO_64BIT_MATH
+    est = be64_to_cpu(
+        make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16));
+#else
+    est = be64_to_cpu(est << 16);
+#endif
+
+    /*
+     * if we're authenticating using a universal hash, put the keystream
+     * prefix into the authentication tag
+     */
+    if (auth_start) {
+        prefix_len = srtp_auth_get_prefix_length(session_keys->rtp_auth);
+        if (prefix_len) {
+            status = srtp_cipher_output(session_keys->rtp_cipher, auth_tag,
+                                        &prefix_len);
+            if (status)
+                return srtp_err_status_cipher_fail;
+            debug_print(mod_srtp, "keystream prefix: %s",
+                        srtp_octet_string_hex_string(auth_tag, prefix_len));
+        }
+    }
+
+    if (xtn_hdr && session_keys->rtp_xtn_hdr_cipher) {
+        /*
+         * extensions header encryption RFC 6904
+         */
+        status = srtp_process_header_encryption(stream, xtn_hdr, session_keys);
+        if (status) {
+            return status;
+        }
+    }
+
+    /* if we're encrypting, exor keystream into the message */
+    if (enc_start) {
+        status =
+            srtp_cipher_encrypt(session_keys->rtp_cipher, (uint8_t *)enc_start,
+                                (unsigned int *)&enc_octet_len);
+        if (status)
+            return srtp_err_status_cipher_fail;
+    }
+
+    /*
+     *  if we're authenticating, run authentication function and put result
+     *  into the auth_tag
+     */
+    if (auth_start) {
+        /* initialize auth func context */
+        status = srtp_auth_start(session_keys->rtp_auth);
+        if (status)
+            return status;
+
+        /* run auth func over packet */
+        status = srtp_auth_update(session_keys->rtp_auth, (uint8_t *)auth_start,
+                                  *pkt_octet_len);
+        if (status)
+            return status;
+
+        /* run auth func over ROC, put result into auth_tag */
+        debug_print(mod_srtp, "estimated packet index: %016llx", est);
+        status = srtp_auth_compute(session_keys->rtp_auth, (uint8_t *)&est, 4,
+                                   auth_tag);
+        debug_print(mod_srtp, "srtp auth tag:    %s",
+                    srtp_octet_string_hex_string(auth_tag, tag_len));
+        if (status)
+            return srtp_err_status_auth_fail;
+    }
+
+    if (auth_tag) {
+        /* increase the packet length by the length of the auth tag */
+        *pkt_octet_len += tag_len;
+    }
+
+    if (use_mki) {
+        /* increate the packet length by the mki size */
+        *pkt_octet_len += mki_size;
+    }
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_unprotect(srtp_ctx_t *ctx,
+                                 void *srtp_hdr,
+                                 int *pkt_octet_len)
+{
+    return srtp_unprotect_mki(ctx, srtp_hdr, pkt_octet_len, 0);
+}
+
+srtp_err_status_t srtp_unprotect_mki(srtp_ctx_t *ctx,
+                                     void *srtp_hdr,
+                                     int *pkt_octet_len,
+                                     unsigned int use_mki)
+{
+    srtp_hdr_t *hdr = (srtp_hdr_t *)srtp_hdr;
+    uint32_t *enc_start;            /* pointer to start of encrypted portion  */
+    uint32_t *auth_start;           /* pointer to start of auth. portion      */
+    unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */
+    uint8_t *auth_tag = NULL;       /* location of auth_tag within packet     */
+    srtp_xtd_seq_num_t est;         /* estimated xtd_seq_num_t of *hdr        */
+    int delta;                      /* delta of local pkt idx and that in hdr */
+    v128_t iv;
+    srtp_err_status_t status;
+    srtp_stream_ctx_t *stream;
+    uint8_t tmp_tag[SRTP_MAX_TAG_LEN];
+    uint32_t tag_len, prefix_len;
+    srtp_hdr_xtnd_t *xtn_hdr = NULL;
+    unsigned int mki_size = 0;
+    srtp_session_keys_t *session_keys = NULL;
+    int advance_packet_index = 0;
+    uint32_t roc_to_set = 0;
+    uint16_t seq_to_set = 0;
+
+    debug_print(mod_srtp, "function srtp_unprotect", NULL);
+
+    /* we assume the hdr is 32-bit aligned to start */
+
+    /* Verify RTP header */
+    status = srtp_validate_rtp_header(srtp_hdr, pkt_octet_len);
+    if (status)
+        return status;
+
+    /* check the packet length - it must at least contain a full header */
+    if (*pkt_octet_len < octets_in_rtp_header)
+        return srtp_err_status_bad_param;
+
+    /*
+     * look up ssrc in srtp_stream list, and process the packet with
+     * the appropriate stream.  if we haven't seen this stream before,
+     * there's only one key for this srtp_session, and the cipher
+     * supports key-sharing, then we assume that a new stream using
+     * that key has just started up
+     */
+    stream = srtp_get_stream(ctx, hdr->ssrc);
+    if (stream == NULL) {
+        if (ctx->stream_template != NULL) {
+            stream = ctx->stream_template;
+            debug_print(mod_srtp, "using provisional stream (SSRC: 0x%08x)",
+                        ntohl(hdr->ssrc));
+
+/*
+ * set estimated packet index to sequence number from header,
+ * and set delta equal to the same value
+ */
+#ifdef NO_64BIT_MATH
+            est = (srtp_xtd_seq_num_t)make64(0, ntohs(hdr->seq));
+            delta = low32(est);
+#else
+            est = (srtp_xtd_seq_num_t)ntohs(hdr->seq);
+            delta = (int)est;
+#endif
+        } else {
+            /*
+             * no stream corresponding to SSRC found, and we don't do
+             * key-sharing, so return an error
+             */
+            return srtp_err_status_no_ctx;
+        }
+    } else {
+        status = srtp_get_est_pkt_index(hdr, stream, &est, &delta);
+
+        if (status && (status != srtp_err_status_pkt_idx_adv))
+            return status;
+
+        if (status == srtp_err_status_pkt_idx_adv) {
+            advance_packet_index = 1;
+            roc_to_set = (uint32_t)(est >> 16);
+            seq_to_set = (uint16_t)(est & 0xFFFF);
+        }
+
+        /* check replay database */
+        if (!advance_packet_index) {
+            status = srtp_rdbx_check(&stream->rtp_rdbx, delta);
+            if (status)
+                return status;
+        }
+    }
+
+#ifdef NO_64BIT_MATH
+    debug_print2(mod_srtp, "estimated u_packet index: %08x%08x", high32(est),
+                 low32(est));
+#else
+    debug_print(mod_srtp, "estimated u_packet index: %016llx", est);
+#endif
+
+    /* Determine if MKI is being used and what session keys should be used */
+    if (use_mki) {
+        session_keys = srtp_get_session_keys(
+            stream, (uint8_t *)hdr, (const unsigned int *)pkt_octet_len,
+            &mki_size);
+
+        if (session_keys == NULL)
+            return srtp_err_status_bad_mki;
+    } else {
+        session_keys = &stream->session_keys[0];
+    }
+
+    /*
+     * Check if this is an AEAD stream (GCM mode).  If so, then dispatch
+     * the request to our AEAD handler.
+     */
+    if (session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_128 ||
+        session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_256) {
+        return srtp_unprotect_aead(ctx, stream, delta, est, srtp_hdr,
+                                   (unsigned int *)pkt_octet_len, session_keys,
+                                   mki_size);
+    }
+
+    /* get tag length from stream */
+    tag_len = srtp_auth_get_tag_length(session_keys->rtp_auth);
+
+    /*
+     * set the cipher's IV properly, depending on whatever cipher we
+     * happen to be using
+     */
+    if (session_keys->rtp_cipher->type->id == SRTP_AES_ICM_128 ||
+        session_keys->rtp_cipher->type->id == SRTP_AES_ICM_192 ||
+        session_keys->rtp_cipher->type->id == SRTP_AES_ICM_256) {
+        /* aes counter mode */
+        iv.v32[0] = 0;
+        iv.v32[1] = hdr->ssrc; /* still in network order */
+#ifdef NO_64BIT_MATH
+        iv.v64[1] = be64_to_cpu(
+            make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16));
+#else
+        iv.v64[1] = be64_to_cpu(est << 16);
+#endif
+        status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv,
+                                    srtp_direction_decrypt);
+        if (!status && session_keys->rtp_xtn_hdr_cipher) {
+            status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher,
+                                        (uint8_t *)&iv, srtp_direction_decrypt);
+        }
+    } else {
+/* no particular format - set the iv to the pakcet index */
+#ifdef NO_64BIT_MATH
+        iv.v32[0] = 0;
+        iv.v32[1] = 0;
+#else
+        iv.v64[0] = 0;
+#endif
+        iv.v64[1] = be64_to_cpu(est);
+        status = srtp_cipher_set_iv(session_keys->rtp_cipher, (uint8_t *)&iv,
+                                    srtp_direction_decrypt);
+        if (!status && session_keys->rtp_xtn_hdr_cipher) {
+            status = srtp_cipher_set_iv(session_keys->rtp_xtn_hdr_cipher,
+                                        (uint8_t *)&iv, srtp_direction_decrypt);
+        }
+    }
+    if (status)
+        return srtp_err_status_cipher_fail;
+
+/* shift est, put into network byte order */
+#ifdef NO_64BIT_MATH
+    est = be64_to_cpu(
+        make64((high32(est) << 16) | (low32(est) >> 16), low32(est) << 16));
+#else
+    est = be64_to_cpu(est << 16);
+#endif
+
+    /*
+     * find starting point for decryption and length of data to be
+     * decrypted - the encrypted portion starts after the rtp header
+     * extension, if present; otherwise, it starts after the last csrc,
+     * if any are present
+     *
+     * if we're not providing confidentiality, set enc_start to NULL
+     */
+    if (stream->rtp_services & sec_serv_conf) {
+        enc_start = (uint32_t *)hdr + uint32s_in_rtp_header + hdr->cc;
+        if (hdr->x == 1) {
+            xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
+            enc_start += (ntohs(xtn_hdr->length) + 1);
+        }
+        if (!((uint8_t *)enc_start <=
+              (uint8_t *)hdr + (*pkt_octet_len - tag_len - mki_size)))
+            return srtp_err_status_parse_err;
+        enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len - mki_size -
+                                   ((uint8_t *)enc_start - (uint8_t *)hdr));
+    } else {
+        enc_start = NULL;
+    }
+
+    /*
+     * if we're providing authentication, set the auth_start and auth_tag
+     * pointers to the proper locations; otherwise, set auth_start to NULL
+     * to indicate that no authentication is needed
+     */
+    if (stream->rtp_services & sec_serv_auth) {
+        auth_start = (uint32_t *)hdr;
+        auth_tag = (uint8_t *)hdr + *pkt_octet_len - tag_len;
+    } else {
+        auth_start = NULL;
+        auth_tag = NULL;
+    }
+
+    /*
+     * if we expect message authentication, run the authentication
+     * function and compare the result with the value of the auth_tag
+     */
+    if (auth_start) {
+        /*
+         * if we're using a universal hash, then we need to compute the
+         * keystream prefix for encrypting the universal hash output
+         *
+         * if the keystream prefix length is zero, then we know that
+         * the authenticator isn't using a universal hash function
+         */
+        if (session_keys->rtp_auth->prefix_len != 0) {
+            prefix_len = srtp_auth_get_prefix_length(session_keys->rtp_auth);
+            status = srtp_cipher_output(session_keys->rtp_cipher, tmp_tag,
+                                        &prefix_len);
+            debug_print(mod_srtp, "keystream prefix: %s",
+                        srtp_octet_string_hex_string(tmp_tag, prefix_len));
+            if (status)
+                return srtp_err_status_cipher_fail;
+        }
+
+        /* initialize auth func context */
+        status = srtp_auth_start(session_keys->rtp_auth);
+        if (status)
+            return status;
+
+        /* now compute auth function over packet */
+        status = srtp_auth_update(session_keys->rtp_auth, (uint8_t *)auth_start,
+                                  *pkt_octet_len - tag_len - mki_size);
+
+        /* run auth func over ROC, then write tmp tag */
+        status = srtp_auth_compute(session_keys->rtp_auth, (uint8_t *)&est, 4,
+                                   tmp_tag);
+
+        debug_print(mod_srtp, "computed auth tag:    %s",
+                    srtp_octet_string_hex_string(tmp_tag, tag_len));
+        debug_print(mod_srtp, "packet auth tag:      %s",
+                    srtp_octet_string_hex_string(auth_tag, tag_len));
+        if (status)
+            return srtp_err_status_auth_fail;
+
+        if (octet_string_is_eq(tmp_tag, auth_tag, tag_len))
+            return srtp_err_status_auth_fail;
+    }
+
+    /*
+     * update the key usage limit, and check it to make sure that we
+     * didn't just hit either the soft limit or the hard limit, and call
+     * the event handler if we hit either.
+     */
+    switch (srtp_key_limit_update(session_keys->limit)) {
+    case srtp_key_event_normal:
+        break;
+    case srtp_key_event_soft_limit:
+        srtp_handle_event(ctx, stream, event_key_soft_limit);
+        break;
+    case srtp_key_event_hard_limit:
+        srtp_handle_event(ctx, stream, event_key_hard_limit);
+        return srtp_err_status_key_expired;
+    default:
+        break;
+    }
+
+    if (xtn_hdr && session_keys->rtp_xtn_hdr_cipher) {
+        /* extensions header encryption RFC 6904 */
+        status = srtp_process_header_encryption(stream, xtn_hdr, session_keys);
+        if (status) {
+            return status;
+        }
+    }
+
+    /* if we're decrypting, add keystream into ciphertext */
+    if (enc_start) {
+        status = srtp_cipher_decrypt(session_keys->rtp_cipher,
+                                     (uint8_t *)enc_start, &enc_octet_len);
+        if (status)
+            return srtp_err_status_cipher_fail;
+    }
+
+    /*
+     * verify that stream is for received traffic - this check will
+     * detect SSRC collisions, since a stream that appears in both
+     * srtp_protect() and srtp_unprotect() will fail this test in one of
+     * those functions.
+     *
+     * we do this check *after* the authentication check, so that the
+     * latter check will catch any attempts to fool us into thinking
+     * that we've got a collision
+     */
+    if (stream->direction != dir_srtp_receiver) {
+        if (stream->direction == dir_unknown) {
+            stream->direction = dir_srtp_receiver;
+        } else {
+            srtp_handle_event(ctx, stream, event_ssrc_collision);
+        }
+    }
+
+    /*
+     * if the stream is a 'provisional' one, in which the template context
+     * is used, then we need to allocate a new stream at this point, since
+     * the authentication passed
+     */
+    if (stream == ctx->stream_template) {
+        srtp_stream_ctx_t *new_stream;
+
+        /*
+         * allocate and initialize a new stream
+         *
+         * note that we indicate failure if we can't allocate the new
+         * stream, and some implementations will want to not return
+         * failure here
+         */
+        status =
+            srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
+        if (status)
+            return status;
+
+        /* add new stream to the head of the stream_list */
+        new_stream->next = ctx->stream_list;
+        ctx->stream_list = new_stream;
+
+        /* set stream (the pointer used in this function) */
+        stream = new_stream;
+    }
+
+    /*
+     * the message authentication function passed, so add the packet
+     * index into the replay database
+     */
+    if (advance_packet_index) {
+        srtp_rdbx_set_roc_seq(&stream->rtp_rdbx, roc_to_set, seq_to_set);
+        stream->pending_roc = 0;
+        srtp_rdbx_add_index(&stream->rtp_rdbx, 0);
+    } else {
+        srtp_rdbx_add_index(&stream->rtp_rdbx, delta);
+    }
+
+    /* decrease the packet length by the length of the auth tag */
+    *pkt_octet_len -= tag_len;
+
+    /* decrease the packet length by the mki size */
+    *pkt_octet_len -= mki_size;
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_init()
+{
+    srtp_err_status_t status;
+
+    /* initialize crypto kernel */
+    status = srtp_crypto_kernel_init();
+    if (status)
+        return status;
+
+    /* load srtp debug module into the kernel */
+    status = srtp_crypto_kernel_load_debug_module(&mod_srtp);
+    if (status)
+        return status;
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_shutdown()
+{
+    srtp_err_status_t status;
+
+    /* shut down crypto kernel */
+    status = srtp_crypto_kernel_shutdown();
+    if (status)
+        return status;
+
+    /* shutting down crypto kernel frees the srtp debug module as well */
+
+    return srtp_err_status_ok;
+}
+
+/*
+ * The following code is under consideration for removal.  See
+ * SRTP_MAX_TRAILER_LEN
+ */
+#if 0
+
+/*
+ * srtp_get_trailer_length(&a) returns the number of octets that will
+ * be added to an RTP packet by the SRTP processing.  This value
+ * is constant for a given srtp_stream_t (i.e. between initializations).
+ */
+
+int
+srtp_get_trailer_length(const srtp_stream_t s) {
+  return srtp_auth_get_tag_length(s->rtp_auth);
+}
+
+#endif
+
+/*
+ * srtp_get_stream(ssrc) returns a pointer to the stream corresponding
+ * to ssrc, or NULL if no stream exists for that ssrc
+ *
+ * this is an internal function
+ */
+
+srtp_stream_ctx_t *srtp_get_stream(srtp_t srtp, uint32_t ssrc)
+{
+    srtp_stream_ctx_t *stream;
+
+    /* walk down list until ssrc is found */
+    stream = srtp->stream_list;
+    while (stream != NULL) {
+        if (stream->ssrc == ssrc)
+            return stream;
+        stream = stream->next;
+    }
+
+    /* we haven't found our ssrc, so return a null */
+    return NULL;
+}
+
+srtp_err_status_t srtp_dealloc(srtp_t session)
+{
+    srtp_stream_ctx_t *stream;
+    srtp_err_status_t status;
+
+    /*
+     * we take a conservative deallocation strategy - if we encounter an
+     * error deallocating a stream, then we stop trying to deallocate
+     * memory and just return an error
+     */
+
+    /* walk list of streams, deallocating as we go */
+    stream = session->stream_list;
+    while (stream != NULL) {
+        srtp_stream_t next = stream->next;
+        status = srtp_stream_dealloc(stream, session->stream_template);
+        if (status)
+            return status;
+        stream = next;
+    }
+
+    /* deallocate stream template, if there is one */
+    if (session->stream_template != NULL) {
+        status = srtp_stream_dealloc(session->stream_template, NULL);
+        if (status)
+            return status;
+    }
+
+    /* deallocate session context */
+    srtp_crypto_free(session);
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_add_stream(srtp_t session, const srtp_policy_t *policy)
+{
+    srtp_err_status_t status;
+    srtp_stream_t tmp;
+
+    /* sanity check arguments */
+    if ((session == NULL) || (policy == NULL) ||
+        (!srtp_validate_policy_master_keys(policy)))
+        return srtp_err_status_bad_param;
+
+    /* allocate stream  */
+    status = srtp_stream_alloc(&tmp, policy);
+    if (status) {
+        return status;
+    }
+
+    /* initialize stream  */
+    status = srtp_stream_init(tmp, policy);
+    if (status) {
+        srtp_stream_dealloc(tmp, NULL);
+        return status;
+    }
+
+    /*
+     * set the head of the stream list or the template to point to the
+     * stream that we've just alloced and init'ed, depending on whether
+     * or not it has a wildcard SSRC value or not
+     *
+     * if the template stream has already been set, then the policy is
+     * inconsistent, so we return a bad_param error code
+     */
+    switch (policy->ssrc.type) {
+    case (ssrc_any_outbound):
+        if (session->stream_template) {
+            srtp_stream_dealloc(tmp, NULL);
+            return srtp_err_status_bad_param;
+        }
+        session->stream_template = tmp;
+        session->stream_template->direction = dir_srtp_sender;
+        break;
+    case (ssrc_any_inbound):
+        if (session->stream_template) {
+            srtp_stream_dealloc(tmp, NULL);
+            return srtp_err_status_bad_param;
+        }
+        session->stream_template = tmp;
+        session->stream_template->direction = dir_srtp_receiver;
+        break;
+    case (ssrc_specific):
+        tmp->next = session->stream_list;
+        session->stream_list = tmp;
+        break;
+    case (ssrc_undefined):
+    default:
+        srtp_stream_dealloc(tmp, NULL);
+        return srtp_err_status_bad_param;
+    }
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_create(srtp_t *session, /* handle for session     */
+                              const srtp_policy_t *policy)
+{ /* SRTP policy (list)     */
+    srtp_err_status_t stat;
+    srtp_ctx_t *ctx;
+
+    /* sanity check arguments */
+    if (session == NULL)
+        return srtp_err_status_bad_param;
+
+    /* allocate srtp context and set ctx_ptr */
+    ctx = (srtp_ctx_t *)srtp_crypto_alloc(sizeof(srtp_ctx_t));
+    if (ctx == NULL)
+        return srtp_err_status_alloc_fail;
+    *session = ctx;
+
+    /*
+     * loop over elements in the policy list, allocating and
+     * initializing a stream for each element
+     */
+    ctx->stream_template = NULL;
+    ctx->stream_list = NULL;
+    ctx->user_data = NULL;
+    while (policy != NULL) {
+        stat = srtp_add_stream(ctx, policy);
+        if (stat) {
+            /* clean up everything */
+            srtp_dealloc(*session);
+            *session = NULL;
+            return stat;
+        }
+
+        /* set policy to next item in list  */
+        policy = policy->next;
+    }
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_remove_stream(srtp_t session, uint32_t ssrc)
+{
+    srtp_stream_ctx_t *stream, *last_stream;
+    srtp_err_status_t status;
+
+    /* sanity check arguments */
+    if (session == NULL)
+        return srtp_err_status_bad_param;
+
+    /* find stream in list; complain if not found */
+    last_stream = stream = session->stream_list;
+    while ((stream != NULL) && (ssrc != stream->ssrc)) {
+        last_stream = stream;
+        stream = stream->next;
+    }
+    if (stream == NULL)
+        return srtp_err_status_no_ctx;
+
+    /* remove stream from the list */
+    if (last_stream == stream)
+        /* stream was first in list */
+        session->stream_list = stream->next;
+    else
+        last_stream->next = stream->next;
+
+    /* deallocate the stream */
+    status = srtp_stream_dealloc(stream, session->stream_template);
+    if (status)
+        return status;
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_update(srtp_t session, const srtp_policy_t *policy)
+{
+    srtp_err_status_t stat;
+
+    /* sanity check arguments */
+    if ((session == NULL) || (policy == NULL) ||
+        (!srtp_validate_policy_master_keys(policy))) {
+        return srtp_err_status_bad_param;
+    }
+
+    while (policy != NULL) {
+        stat = srtp_update_stream(session, policy);
+        if (stat) {
+            return stat;
+        }
+
+        /* set policy to next item in list  */
+        policy = policy->next;
+    }
+    return srtp_err_status_ok;
+}
+
+static srtp_err_status_t update_template_streams(srtp_t session,
+                                                 const srtp_policy_t *policy)
+{
+    srtp_err_status_t status;
+    srtp_stream_t new_stream_template;
+    srtp_stream_t new_stream_list = NULL;
+
+    if (session->stream_template == NULL) {
+        return srtp_err_status_bad_param;
+    }
+
+    /* allocate new template stream  */
+    status = srtp_stream_alloc(&new_stream_template, policy);
+    if (status) {
+        return status;
+    }
+
+    /* initialize new template stream  */
+    status = srtp_stream_init(new_stream_template, policy);
+    if (status) {
+        srtp_crypto_free(new_stream_template);
+        return status;
+    }
+
+    /* for all old templated streams */
+    for (;;) {
+        srtp_stream_t stream;
+        uint32_t ssrc;
+        srtp_xtd_seq_num_t old_index;
+        srtp_rdb_t old_rtcp_rdb;
+
+        stream = session->stream_list;
+        while ((stream != NULL) &&
+               (stream->session_keys[0].rtp_auth !=
+                session->stream_template->session_keys[0].rtp_auth)) {
+            stream = stream->next;
+        }
+        if (stream == NULL) {
+            /* no more templated streams */
+            break;
+        }
+
+        /* save old extendard seq */
+        ssrc = stream->ssrc;
+        old_index = stream->rtp_rdbx.index;
+        old_rtcp_rdb = stream->rtcp_rdb;
+
+        /* remove stream */
+        status = srtp_remove_stream(session, ssrc);
+        if (status) {
+            /* free new allocations */
+            while (new_stream_list != NULL) {
+                srtp_stream_t next = new_stream_list->next;
+                srtp_stream_dealloc(new_stream_list, new_stream_template);
+                new_stream_list = next;
+            }
+            srtp_stream_dealloc(new_stream_template, NULL);
+            return status;
+        }
+
+        /* allocate and initialize a new stream */
+        status = srtp_stream_clone(new_stream_template, ssrc, &stream);
+        if (status) {
+            /* free new allocations */
+            while (new_stream_list != NULL) {
+                srtp_stream_t next = new_stream_list->next;
+                srtp_stream_dealloc(new_stream_list, new_stream_template);
+                new_stream_list = next;
+            }
+            srtp_stream_dealloc(new_stream_template, NULL);
+            return status;
+        }
+
+        /* add new stream to the head of the new_stream_list */
+        stream->next = new_stream_list;
+        new_stream_list = stream;
+
+        /* restore old extended seq */
+        stream->rtp_rdbx.index = old_index;
+        stream->rtcp_rdb = old_rtcp_rdb;
+    }
+    /* dealloc old template */
+    srtp_stream_dealloc(session->stream_template, NULL);
+    /* set new template */
+    session->stream_template = new_stream_template;
+    /* add new list */
+    if (new_stream_list) {
+        srtp_stream_t tail = new_stream_list;
+        while (tail->next) {
+            tail = tail->next;
+        }
+        tail->next = session->stream_list;
+        session->stream_list = new_stream_list;
+    }
+    return status;
+}
+
+static srtp_err_status_t update_stream(srtp_t session,
+                                       const srtp_policy_t *policy)
+{
+    srtp_err_status_t status;
+    srtp_xtd_seq_num_t old_index;
+    srtp_rdb_t old_rtcp_rdb;
+    srtp_stream_t stream;
+
+    stream = srtp_get_stream(session, htonl(policy->ssrc.value));
+    if (stream == NULL) {
+        return srtp_err_status_bad_param;
+    }
+
+    /* save old extendard seq */
+    old_index = stream->rtp_rdbx.index;
+    old_rtcp_rdb = stream->rtcp_rdb;
+
+    status = srtp_remove_stream(session, htonl(policy->ssrc.value));
+    if (status) {
+        return status;
+    }
+
+    status = srtp_add_stream(session, policy);
+    if (status) {
+        return status;
+    }
+
+    stream = srtp_get_stream(session, htonl(policy->ssrc.value));
+    if (stream == NULL) {
+        return srtp_err_status_fail;
+    }
+
+    /* restore old extended seq */
+    stream->rtp_rdbx.index = old_index;
+    stream->rtcp_rdb = old_rtcp_rdb;
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_update_stream(srtp_t session,
+                                     const srtp_policy_t *policy)
+{
+    srtp_err_status_t status;
+
+    /* sanity check arguments */
+    if ((session == NULL) || (policy == NULL) ||
+        (!srtp_validate_policy_master_keys(policy)))
+        return srtp_err_status_bad_param;
+
+    switch (policy->ssrc.type) {
+    case (ssrc_any_outbound):
+    case (ssrc_any_inbound):
+        status = update_template_streams(session, policy);
+        break;
+    case (ssrc_specific):
+        status = update_stream(session, policy);
+        break;
+    case (ssrc_undefined):
+    default:
+        return srtp_err_status_bad_param;
+    }
+
+    return status;
+}
+
+/*
+ * The default policy - provides a convenient way for callers to use
+ * the default security policy
+ *
+ * The default policy is defined in RFC 3711
+ * (Section 5. Default and mandatory-to-implement Transforms)
+ *
+ */
+
+/*
+ * NOTE: cipher_key_len is really key len (128 bits) plus salt len
+ *  (112 bits)
+ */
+/* There are hard-coded 16's for base_key_len in the key generation code */
+
+void srtp_crypto_policy_set_rtp_default(srtp_crypto_policy_t *p)
+{
+    p->cipher_type = SRTP_AES_ICM_128;
+    p->cipher_key_len =
+        SRTP_AES_ICM_128_KEY_LEN_WSALT; /* default 128 bits per RFC 3711 */
+    p->auth_type = SRTP_HMAC_SHA1;
+    p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
+    p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */
+    p->sec_serv = sec_serv_conf_and_auth;
+}
+
+void srtp_crypto_policy_set_rtcp_default(srtp_crypto_policy_t *p)
+{
+    p->cipher_type = SRTP_AES_ICM_128;
+    p->cipher_key_len =
+        SRTP_AES_ICM_128_KEY_LEN_WSALT; /* default 128 bits per RFC 3711 */
+    p->auth_type = SRTP_HMAC_SHA1;
+    p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
+    p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */
+    p->sec_serv = sec_serv_conf_and_auth;
+}
+
+void srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32(srtp_crypto_policy_t *p)
+{
+    /*
+     * corresponds to RFC 4568
+     *
+     * note that this crypto policy is intended for SRTP, but not SRTCP
+     */
+
+    p->cipher_type = SRTP_AES_ICM_128;
+    p->cipher_key_len =
+        SRTP_AES_ICM_128_KEY_LEN_WSALT; /* 128 bit key, 112 bit salt */
+    p->auth_type = SRTP_HMAC_SHA1;
+    p->auth_key_len = 20; /* 160 bit key               */
+    p->auth_tag_len = 4;  /* 32 bit tag                */
+    p->sec_serv = sec_serv_conf_and_auth;
+}
+
+void srtp_crypto_policy_set_aes_cm_128_null_auth(srtp_crypto_policy_t *p)
+{
+    /*
+     * corresponds to RFC 4568
+     *
+     * note that this crypto policy is intended for SRTP, but not SRTCP
+     */
+
+    p->cipher_type = SRTP_AES_ICM_128;
+    p->cipher_key_len =
+        SRTP_AES_ICM_128_KEY_LEN_WSALT; /* 128 bit key, 112 bit salt */
+    p->auth_type = SRTP_NULL_AUTH;
+    p->auth_key_len = 0;
+    p->auth_tag_len = 0;
+    p->sec_serv = sec_serv_conf;
+}
+
+void srtp_crypto_policy_set_null_cipher_hmac_sha1_80(srtp_crypto_policy_t *p)
+{
+    /*
+     * corresponds to RFC 4568
+     */
+
+    p->cipher_type = SRTP_NULL_CIPHER;
+    p->cipher_key_len = 0;
+    p->auth_type = SRTP_HMAC_SHA1;
+    p->auth_key_len = 20;
+    p->auth_tag_len = 10;
+    p->sec_serv = sec_serv_auth;
+}
+
+void srtp_crypto_policy_set_null_cipher_hmac_null(srtp_crypto_policy_t *p)
+{
+    /*
+     * Should only be used for testing
+     */
+
+    p->cipher_type = SRTP_NULL_CIPHER;
+    p->cipher_key_len = 0;
+    p->auth_type = SRTP_NULL_AUTH;
+    p->auth_key_len = 0;
+    p->auth_tag_len = 0;
+    p->sec_serv = sec_serv_none;
+}
+
+void srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80(srtp_crypto_policy_t *p)
+{
+    /*
+     * corresponds to RFC 6188
+     */
+
+    p->cipher_type = SRTP_AES_ICM_256;
+    p->cipher_key_len = SRTP_AES_ICM_256_KEY_LEN_WSALT;
+    p->auth_type = SRTP_HMAC_SHA1;
+    p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
+    p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */
+    p->sec_serv = sec_serv_conf_and_auth;
+}
+
+void srtp_crypto_policy_set_aes_cm_256_hmac_sha1_32(srtp_crypto_policy_t *p)
+{
+    /*
+     * corresponds to RFC 6188
+     *
+     * note that this crypto policy is intended for SRTP, but not SRTCP
+     */
+
+    p->cipher_type = SRTP_AES_ICM_256;
+    p->cipher_key_len = SRTP_AES_ICM_256_KEY_LEN_WSALT;
+    p->auth_type = SRTP_HMAC_SHA1;
+    p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
+    p->auth_tag_len = 4;  /* default 80 bits per RFC 3711 */
+    p->sec_serv = sec_serv_conf_and_auth;
+}
+
+/*
+ * AES-256 with no authentication.
+ */
+void srtp_crypto_policy_set_aes_cm_256_null_auth(srtp_crypto_policy_t *p)
+{
+    p->cipher_type = SRTP_AES_ICM_256;
+    p->cipher_key_len = SRTP_AES_ICM_256_KEY_LEN_WSALT;
+    p->auth_type = SRTP_NULL_AUTH;
+    p->auth_key_len = 0;
+    p->auth_tag_len = 0;
+    p->sec_serv = sec_serv_conf;
+}
+
+#ifdef GCM
+void srtp_crypto_policy_set_aes_cm_192_hmac_sha1_80(srtp_crypto_policy_t *p)
+{
+    /*
+     * corresponds to RFC 6188
+     */
+
+    p->cipher_type = SRTP_AES_ICM_192;
+    p->cipher_key_len = SRTP_AES_ICM_192_KEY_LEN_WSALT;
+    p->auth_type = SRTP_HMAC_SHA1;
+    p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
+    p->auth_tag_len = 10; /* default 80 bits per RFC 3711 */
+    p->sec_serv = sec_serv_conf_and_auth;
+}
+
+void srtp_crypto_policy_set_aes_cm_192_hmac_sha1_32(srtp_crypto_policy_t *p)
+{
+    /*
+     * corresponds to RFC 6188
+     *
+     * note that this crypto policy is intended for SRTP, but not SRTCP
+     */
+
+    p->cipher_type = SRTP_AES_ICM_192;
+    p->cipher_key_len = SRTP_AES_ICM_192_KEY_LEN_WSALT;
+    p->auth_type = SRTP_HMAC_SHA1;
+    p->auth_key_len = 20; /* default 160 bits per RFC 3711 */
+    p->auth_tag_len = 4;  /* default 80 bits per RFC 3711 */
+    p->sec_serv = sec_serv_conf_and_auth;
+}
+
+/*
+ * AES-192 with no authentication.
+ */
+void srtp_crypto_policy_set_aes_cm_192_null_auth(srtp_crypto_policy_t *p)
+{
+    p->cipher_type = SRTP_AES_ICM_192;
+    p->cipher_key_len = SRTP_AES_ICM_192_KEY_LEN_WSALT;
+    p->auth_type = SRTP_NULL_AUTH;
+    p->auth_key_len = 0;
+    p->auth_tag_len = 0;
+    p->sec_serv = sec_serv_conf;
+}
+
+/*
+ * AES-128 GCM mode with 8 octet auth tag.
+ */
+void srtp_crypto_policy_set_aes_gcm_128_8_auth(srtp_crypto_policy_t *p)
+{
+    p->cipher_type = SRTP_AES_GCM_128;
+    p->cipher_key_len = SRTP_AES_GCM_128_KEY_LEN_WSALT;
+    p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */
+    p->auth_key_len = 0;
+    p->auth_tag_len = 8; /* 8 octet tag length */
+    p->sec_serv = sec_serv_conf_and_auth;
+}
+
+/*
+ * AES-256 GCM mode with 8 octet auth tag.
+ */
+void srtp_crypto_policy_set_aes_gcm_256_8_auth(srtp_crypto_policy_t *p)
+{
+    p->cipher_type = SRTP_AES_GCM_256;
+    p->cipher_key_len = SRTP_AES_GCM_256_KEY_LEN_WSALT;
+    p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */
+    p->auth_key_len = 0;
+    p->auth_tag_len = 8; /* 8 octet tag length */
+    p->sec_serv = sec_serv_conf_and_auth;
+}
+
+/*
+ * AES-128 GCM mode with 8 octet auth tag, no RTCP encryption.
+ */
+void srtp_crypto_policy_set_aes_gcm_128_8_only_auth(srtp_crypto_policy_t *p)
+{
+    p->cipher_type = SRTP_AES_GCM_128;
+    p->cipher_key_len = SRTP_AES_GCM_128_KEY_LEN_WSALT;
+    p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */
+    p->auth_key_len = 0;
+    p->auth_tag_len = 8;         /* 8 octet tag length */
+    p->sec_serv = sec_serv_auth; /* This only applies to RTCP */
+}
+
+/*
+ * AES-256 GCM mode with 8 octet auth tag, no RTCP encryption.
+ */
+void srtp_crypto_policy_set_aes_gcm_256_8_only_auth(srtp_crypto_policy_t *p)
+{
+    p->cipher_type = SRTP_AES_GCM_256;
+    p->cipher_key_len = SRTP_AES_GCM_256_KEY_LEN_WSALT;
+    p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */
+    p->auth_key_len = 0;
+    p->auth_tag_len = 8;         /* 8 octet tag length */
+    p->sec_serv = sec_serv_auth; /* This only applies to RTCP */
+}
+
+/*
+ * AES-128 GCM mode with 16 octet auth tag.
+ */
+void srtp_crypto_policy_set_aes_gcm_128_16_auth(srtp_crypto_policy_t *p)
+{
+    p->cipher_type = SRTP_AES_GCM_128;
+    p->cipher_key_len = SRTP_AES_GCM_128_KEY_LEN_WSALT;
+    p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */
+    p->auth_key_len = 0;
+    p->auth_tag_len = 16; /* 16 octet tag length */
+    p->sec_serv = sec_serv_conf_and_auth;
+}
+
+/*
+ * AES-256 GCM mode with 16 octet auth tag.
+ */
+void srtp_crypto_policy_set_aes_gcm_256_16_auth(srtp_crypto_policy_t *p)
+{
+    p->cipher_type = SRTP_AES_GCM_256;
+    p->cipher_key_len = SRTP_AES_GCM_256_KEY_LEN_WSALT;
+    p->auth_type = SRTP_NULL_AUTH; /* GCM handles the auth for us */
+    p->auth_key_len = 0;
+    p->auth_tag_len = 16; /* 16 octet tag length */
+    p->sec_serv = sec_serv_conf_and_auth;
+}
+
+#endif
+
+/*
+ * secure rtcp functions
+ */
+
+/*
+ * AEAD uses a new IV formation method.  This function implements
+ * section 9.1 (SRTCP IV Formation for AES-GCM) from RFC7714.
+ * The calculation is defined as, where (+) is the xor operation:
+ *
+ *                0  1  2  3  4  5  6  7  8  9 10 11
+ *               +--+--+--+--+--+--+--+--+--+--+--+--+
+ *               |00|00|    SSRC   |00|00|0+SRTCP Idx|---+
+ *               +--+--+--+--+--+--+--+--+--+--+--+--+   |
+ *                                                       |
+ *               +--+--+--+--+--+--+--+--+--+--+--+--+   |
+ *               |         Encryption Salt           |->(+)
+ *               +--+--+--+--+--+--+--+--+--+--+--+--+   |
+ *                                                       |
+ *               +--+--+--+--+--+--+--+--+--+--+--+--+   |
+ *               |       Initialization Vector       |<--+
+ *               +--+--+--+--+--+--+--+--+--+--+--+--+*
+ *
+ * Input:  *session_keys - pointer to SRTP stream context session keys,
+ *                        used to retrieve the SALT
+ *         *iv           - Pointer to recieve the calculated IV
+ *         seq_num       - The SEQ value to use for the IV calculation.
+ *         *hdr          - The RTP header, used to get the SSRC value
+ *
+ * Returns: srtp_err_status_ok if no error or srtp_err_status_bad_param
+ *          if seq_num is invalid
+ *
+ */
+static srtp_err_status_t srtp_calc_aead_iv_srtcp(
+    srtp_session_keys_t *session_keys,
+    v128_t *iv,
+    uint32_t seq_num,
+    srtcp_hdr_t *hdr)
+{
+    v128_t in;
+    v128_t salt;
+
+    memset(&in, 0, sizeof(v128_t));
+    memset(&salt, 0, sizeof(v128_t));
+
+    in.v16[0] = 0;
+    memcpy(&in.v16[1], &hdr->ssrc, 4); /* still in network order! */
+    in.v16[3] = 0;
+
+    /*
+     *  The SRTCP index (seq_num) spans bits 0 through 30 inclusive.
+     *  The most significant bit should be zero.
+     */
+    if (seq_num & 0x80000000UL) {
+        return srtp_err_status_bad_param;
+    }
+    in.v32[2] = htonl(seq_num);
+
+    debug_print(mod_srtp, "Pre-salted RTCP IV = %s\n", v128_hex_string(&in));
+
+    /*
+     * Get the SALT value from the context
+     */
+    memcpy(salt.v8, session_keys->c_salt, 12);
+    debug_print(mod_srtp, "RTCP SALT = %s\n", v128_hex_string(&salt));
+
+    /*
+     * Finally, apply the SALT to the input
+     */
+    v128_xor(iv, &in, &salt);
+
+    return srtp_err_status_ok;
+}
+
+/*
+ * This code handles AEAD ciphers for outgoing RTCP.  We currently support
+ * AES-GCM mode with 128 or 256 bit keys.
+ */
+static srtp_err_status_t srtp_protect_rtcp_aead(
+    srtp_t ctx,
+    srtp_stream_ctx_t *stream,
+    void *rtcp_hdr,
+    unsigned int *pkt_octet_len,
+    srtp_session_keys_t *session_keys,
+    unsigned int use_mki)
+{
+    srtcp_hdr_t *hdr = (srtcp_hdr_t *)rtcp_hdr;
+    uint32_t *enc_start;            /* pointer to start of encrypted portion  */
+    uint32_t *trailer_p;            /* pointer to start of trailer            */
+    uint32_t trailer;               /* trailer value                          */
+    unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */
+    uint8_t *auth_tag = NULL;       /* location of auth_tag within packet     */
+    srtp_err_status_t status;
+    uint32_t tag_len;
+    uint32_t seq_num;
+    v128_t iv;
+    uint32_t tseq;
+    unsigned int mki_size = 0;
+
+    /* get tag length from stream context */
+    tag_len = srtp_auth_get_tag_length(session_keys->rtcp_auth);
+
+    /*
+     * set encryption start and encryption length - if we're not
+     * providing confidentiality, set enc_start to NULL
+     */
+    enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header;
+    enc_octet_len = *pkt_octet_len - octets_in_rtcp_header;
+
+    /* NOTE: hdr->length is not usable - it refers to only the first
+     * RTCP report in the compound packet!
+     */
+    trailer_p = (uint32_t *)((char *)enc_start + enc_octet_len + tag_len);
+
+    if (stream->rtcp_services & sec_serv_conf) {
+        trailer = htonl(SRTCP_E_BIT); /* set encrypt bit */
+    } else {
+        enc_start = NULL;
+        enc_octet_len = 0;
+        /* 0 is network-order independant */
+        trailer = 0x00000000; /* set encrypt bit */
+    }
+
+    mki_size = srtp_inject_mki((uint8_t *)hdr + *pkt_octet_len + tag_len +
+                                   sizeof(srtcp_trailer_t),
+                               session_keys, use_mki);
+
+    /*
+     * set the auth_tag pointer to the proper location, which is after
+     * the payload, but before the trailer
+     * (note that srtpc *always* provides authentication, unlike srtp)
+     */
+    /* Note: This would need to change for optional mikey data */
+    auth_tag = (uint8_t *)hdr + *pkt_octet_len;
+
+    /*
+     * check sequence number for overruns, and copy it into the packet
+     * if its value isn't too big
+     */
+    status = srtp_rdb_increment(&stream->rtcp_rdb);
+    if (status) {
+        return status;
+    }
+    seq_num = srtp_rdb_get_value(&stream->rtcp_rdb);
+    trailer |= htonl(seq_num);
+    debug_print(mod_srtp, "srtcp index: %x", seq_num);
+
+    memcpy(trailer_p, &trailer, sizeof(trailer));
+
+    /*
+     * Calculate and set the IV
+     */
+    status = srtp_calc_aead_iv_srtcp(session_keys, &iv, seq_num, hdr);
+    if (status) {
+        return srtp_err_status_cipher_fail;
+    }
+    status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv,
+                                srtp_direction_encrypt);
+    if (status) {
+        return srtp_err_status_cipher_fail;
+    }
+
+    /*
+     * Set the AAD for GCM mode
+     */
+    if (enc_start) {
+        /*
+         * If payload encryption is enabled, then the AAD consist of
+         * the RTCP header and the seq# at the end of the packet
+         */
+        status = srtp_cipher_set_aad(session_keys->rtcp_cipher, (uint8_t *)hdr,
+                                     octets_in_rtcp_header);
+        if (status) {
+            return (srtp_err_status_cipher_fail);
+        }
+    } else {
+        /*
+         * Since payload encryption is not enabled, we must authenticate
+         * the entire packet as described in RFC 7714 (Section 9.3. Data
+         * Types in Unencrypted SRTCP Compound Packets)
+         */
+        status = srtp_cipher_set_aad(session_keys->rtcp_cipher, (uint8_t *)hdr,
+                                     *pkt_octet_len);
+        if (status) {
+            return (srtp_err_status_cipher_fail);
+        }
+    }
+    /*
+     * Process the sequence# as AAD
+     */
+    tseq = trailer;
+    status = srtp_cipher_set_aad(session_keys->rtcp_cipher, (uint8_t *)&tseq,
+                                 sizeof(srtcp_trailer_t));
+    if (status) {
+        return (srtp_err_status_cipher_fail);
+    }
+
+    /* if we're encrypting, exor keystream into the message */
+    if (enc_start) {
+        status = srtp_cipher_encrypt(session_keys->rtcp_cipher,
+                                     (uint8_t *)enc_start, &enc_octet_len);
+        if (status) {
+            return srtp_err_status_cipher_fail;
+        }
+        /*
+         * Get the tag and append that to the output
+         */
+        status = srtp_cipher_get_tag(session_keys->rtcp_cipher,
+                                     (uint8_t *)auth_tag, &tag_len);
+        if (status) {
+            return (srtp_err_status_cipher_fail);
+        }
+        enc_octet_len += tag_len;
+    } else {
+        /*
+         * Even though we're not encrypting the payload, we need
+         * to run the cipher to get the auth tag.
+         */
+        unsigned int nolen = 0;
+        status = srtp_cipher_encrypt(session_keys->rtcp_cipher, NULL, &nolen);
+        if (status) {
+            return srtp_err_status_cipher_fail;
+        }
+        /*
+         * Get the tag and append that to the output
+         */
+        status = srtp_cipher_get_tag(session_keys->rtcp_cipher,
+                                     (uint8_t *)auth_tag, &tag_len);
+        if (status) {
+            return (srtp_err_status_cipher_fail);
+        }
+        enc_octet_len += tag_len;
+    }
+
+    /* increase the packet length by the length of the auth tag and seq_num*/
+    *pkt_octet_len += (tag_len + sizeof(srtcp_trailer_t));
+
+    /* increase the packet by the mki_size */
+    *pkt_octet_len += mki_size;
+
+    return srtp_err_status_ok;
+}
+
+/*
+ * This function handles incoming SRTCP packets while in AEAD mode,
+ * which currently supports AES-GCM encryption.  Note, the auth tag is
+ * at the end of the packet stream and is automatically checked by GCM
+ * when decrypting the payload.
+ */
+static srtp_err_status_t srtp_unprotect_rtcp_aead(
+    srtp_t ctx,
+    srtp_stream_ctx_t *stream,
+    void *srtcp_hdr,
+    unsigned int *pkt_octet_len,
+    srtp_session_keys_t *session_keys,
+    unsigned int use_mki)
+{
+    srtcp_hdr_t *hdr = (srtcp_hdr_t *)srtcp_hdr;
+    uint32_t *enc_start;            /* pointer to start of encrypted portion  */
+    uint32_t *trailer_p;            /* pointer to start of trailer            */
+    uint32_t trailer;               /* trailer value                          */
+    unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */
+    uint8_t *auth_tag = NULL;       /* location of auth_tag within packet     */
+    srtp_err_status_t status;
+    int tag_len;
+    unsigned int tmp_len;
+    uint32_t seq_num;
+    v128_t iv;
+    uint32_t tseq;
+    unsigned int mki_size = 0;
+
+    /* get tag length from stream context */
+    tag_len = srtp_auth_get_tag_length(session_keys->rtcp_auth);
+
+    if (use_mki) {
+        mki_size = session_keys->mki_size;
+    }
+
+    /*
+     * set encryption start, encryption length, and trailer
+     */
+    /* index & E (encryption) bit follow normal data. hdr->len is the number of
+     * words (32-bit) in the normal packet minus 1
+     */
+    /* This should point trailer to the word past the end of the normal data. */
+    /* This would need to be modified for optional mikey data */
+    trailer_p = (uint32_t *)((char *)hdr + *pkt_octet_len -
+                             sizeof(srtcp_trailer_t) - mki_size);
+    memcpy(&trailer, trailer_p, sizeof(trailer));
+
+    /*
+     * We pass the tag down to the cipher when doing GCM mode
+     */
+    enc_octet_len = *pkt_octet_len - (octets_in_rtcp_header +
+                                      sizeof(srtcp_trailer_t) + mki_size);
+    auth_tag = (uint8_t *)hdr + *pkt_octet_len - tag_len - mki_size -
+               sizeof(srtcp_trailer_t);
+
+    if (*((unsigned char *)trailer_p) & SRTCP_E_BYTE_BIT) {
+        enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header;
+    } else {
+        enc_octet_len = 0;
+        enc_start = NULL; /* this indicates that there's no encryption */
+    }
+
+    /*
+     * check the sequence number for replays
+     */
+    /* this is easier than dealing with bitfield access */
+    seq_num = ntohl(trailer) & SRTCP_INDEX_MASK;
+    debug_print(mod_srtp, "srtcp index: %x", seq_num);
+    status = srtp_rdb_check(&stream->rtcp_rdb, seq_num);
+    if (status) {
+        return status;
+    }
+
+    /*
+     * Calculate and set the IV
+     */
+    status = srtp_calc_aead_iv_srtcp(session_keys, &iv, seq_num, hdr);
+    if (status) {
+        return srtp_err_status_cipher_fail;
+    }
+    status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv,
+                                srtp_direction_decrypt);
+    if (status) {
+        return srtp_err_status_cipher_fail;
+    }
+
+    /*
+     * Set the AAD for GCM mode
+     */
+    if (enc_start) {
+        /*
+         * If payload encryption is enabled, then the AAD consist of
+         * the RTCP header and the seq# at the end of the packet
+         */
+        status = srtp_cipher_set_aad(session_keys->rtcp_cipher, (uint8_t *)hdr,
+                                     octets_in_rtcp_header);
+        if (status) {
+            return (srtp_err_status_cipher_fail);
+        }
+    } else {
+        /*
+         * Since payload encryption is not enabled, we must authenticate
+         * the entire packet as described in RFC 7714 (Section 9.3. Data
+         * Types in Unencrypted SRTCP Compound Packets)
+         */
+        status = srtp_cipher_set_aad(
+            session_keys->rtcp_cipher, (uint8_t *)hdr,
+            (*pkt_octet_len - tag_len - sizeof(srtcp_trailer_t) - mki_size));
+        if (status) {
+            return (srtp_err_status_cipher_fail);
+        }
+    }
+
+    /*
+     * Process the sequence# as AAD
+     */
+    tseq = trailer;
+    status = srtp_cipher_set_aad(session_keys->rtcp_cipher, (uint8_t *)&tseq,
+                                 sizeof(srtcp_trailer_t));
+    if (status) {
+        return (srtp_err_status_cipher_fail);
+    }
+
+    /* if we're decrypting, exor keystream into the message */
+    if (enc_start) {
+        status = srtp_cipher_decrypt(session_keys->rtcp_cipher,
+                                     (uint8_t *)enc_start, &enc_octet_len);
+        if (status) {
+            return status;
+        }
+    } else {
+        /*
+         * Still need to run the cipher to check the tag
+         */
+        tmp_len = tag_len;
+        status = srtp_cipher_decrypt(session_keys->rtcp_cipher,
+                                     (uint8_t *)auth_tag, &tmp_len);
+        if (status) {
+            return status;
+        }
+    }
+
+    /* decrease the packet length by the length of the auth tag and seq_num*/
+    *pkt_octet_len -= (tag_len + sizeof(srtcp_trailer_t) + mki_size);
+
+    /*
+     * verify that stream is for received traffic - this check will
+     * detect SSRC collisions, since a stream that appears in both
+     * srtp_protect() and srtp_unprotect() will fail this test in one of
+     * those functions.
+     *
+     * we do this check *after* the authentication check, so that the
+     * latter check will catch any attempts to fool us into thinking
+     * that we've got a collision
+     */
+    if (stream->direction != dir_srtp_receiver) {
+        if (stream->direction == dir_unknown) {
+            stream->direction = dir_srtp_receiver;
+        } else {
+            srtp_handle_event(ctx, stream, event_ssrc_collision);
+        }
+    }
+
+    /*
+     * if the stream is a 'provisional' one, in which the template context
+     * is used, then we need to allocate a new stream at this point, since
+     * the authentication passed
+     */
+    if (stream == ctx->stream_template) {
+        srtp_stream_ctx_t *new_stream;
+
+        /*
+         * allocate and initialize a new stream
+         *
+         * note that we indicate failure if we can't allocate the new
+         * stream, and some implementations will want to not return
+         * failure here
+         */
+        status =
+            srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
+        if (status) {
+            return status;
+        }
+
+        /* add new stream to the head of the stream_list */
+        new_stream->next = ctx->stream_list;
+        ctx->stream_list = new_stream;
+
+        /* set stream (the pointer used in this function) */
+        stream = new_stream;
+    }
+
+    /* we've passed the authentication check, so add seq_num to the rdb */
+    srtp_rdb_add_index(&stream->rtcp_rdb, seq_num);
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_protect_rtcp(srtp_t ctx,
+                                    void *rtcp_hdr,
+                                    int *pkt_octet_len)
+{
+    return srtp_protect_rtcp_mki(ctx, rtcp_hdr, pkt_octet_len, 0, 0);
+}
+
+srtp_err_status_t srtp_protect_rtcp_mki(srtp_t ctx,
+                                        void *rtcp_hdr,
+                                        int *pkt_octet_len,
+                                        unsigned int use_mki,
+                                        unsigned int mki_index)
+{
+    srtcp_hdr_t *hdr = (srtcp_hdr_t *)rtcp_hdr;
+    uint32_t *enc_start;            /* pointer to start of encrypted portion  */
+    uint32_t *auth_start;           /* pointer to start of auth. portion      */
+    uint32_t *trailer_p;            /* pointer to start of trailer            */
+    uint32_t trailer;               /* trailer value                          */
+    unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */
+    uint8_t *auth_tag = NULL;       /* location of auth_tag within packet     */
+    srtp_err_status_t status;
+    int tag_len;
+    srtp_stream_ctx_t *stream;
+    uint32_t prefix_len;
+    uint32_t seq_num;
+    unsigned int mki_size = 0;
+    srtp_session_keys_t *session_keys = NULL;
+
+    /* we assume the hdr is 32-bit aligned to start */
+
+    /* check the packet length - it must at least contain a full header */
+    if (*pkt_octet_len < octets_in_rtcp_header)
+        return srtp_err_status_bad_param;
+
+    /*
+     * look up ssrc in srtp_stream list, and process the packet with
+     * the appropriate stream.  if we haven't seen this stream before,
+     * there's only one key for this srtp_session, and the cipher
+     * supports key-sharing, then we assume that a new stream using
+     * that key has just started up
+     */
+    stream = srtp_get_stream(ctx, hdr->ssrc);
+    if (stream == NULL) {
+        if (ctx->stream_template != NULL) {
+            srtp_stream_ctx_t *new_stream;
+
+            /* allocate and initialize a new stream */
+            status =
+                srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
+            if (status)
+                return status;
+
+            /* add new stream to the head of the stream_list */
+            new_stream->next = ctx->stream_list;
+            ctx->stream_list = new_stream;
+
+            /* set stream (the pointer used in this function) */
+            stream = new_stream;
+        } else {
+            /* no template stream, so we return an error */
+            return srtp_err_status_no_ctx;
+        }
+    }
+
+    /*
+     * verify that stream is for sending traffic - this check will
+     * detect SSRC collisions, since a stream that appears in both
+     * srtp_protect() and srtp_unprotect() will fail this test in one of
+     * those functions.
+     */
+    if (stream->direction != dir_srtp_sender) {
+        if (stream->direction == dir_unknown) {
+            stream->direction = dir_srtp_sender;
+        } else {
+            srtp_handle_event(ctx, stream, event_ssrc_collision);
+        }
+    }
+
+    session_keys =
+        srtp_get_session_keys_with_mki_index(stream, use_mki, mki_index);
+
+    if (session_keys == NULL)
+        return srtp_err_status_bad_mki;
+
+    /*
+     * Check if this is an AEAD stream (GCM mode).  If so, then dispatch
+     * the request to our AEAD handler.
+     */
+    if (session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_128 ||
+        session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_256) {
+        return srtp_protect_rtcp_aead(ctx, stream, rtcp_hdr,
+                                      (unsigned int *)pkt_octet_len,
+                                      session_keys, use_mki);
+    }
+
+    /* get tag length from stream context */
+    tag_len = srtp_auth_get_tag_length(session_keys->rtcp_auth);
+
+    /*
+     * set encryption start and encryption length - if we're not
+     * providing confidentiality, set enc_start to NULL
+     */
+    enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header;
+    enc_octet_len = *pkt_octet_len - octets_in_rtcp_header;
+
+    /* all of the packet, except the header, gets encrypted */
+    /*
+     * NOTE: hdr->length is not usable - it refers to only the first RTCP report
+     * in the compound packet!
+     */
+    trailer_p = (uint32_t *)((char *)enc_start + enc_octet_len);
+
+    if (stream->rtcp_services & sec_serv_conf) {
+        trailer = htonl(SRTCP_E_BIT); /* set encrypt bit */
+    } else {
+        enc_start = NULL;
+        enc_octet_len = 0;
+        /* 0 is network-order independant */
+        trailer = 0x00000000; /* set encrypt bit */
+    }
+
+    mki_size = srtp_inject_mki((uint8_t *)hdr + *pkt_octet_len +
+                                   sizeof(srtcp_trailer_t),
+                               session_keys, use_mki);
+
+    /*
+     * set the auth_start and auth_tag pointers to the proper locations
+     * (note that srtpc *always* provides authentication, unlike srtp)
+     */
+    /* Note: This would need to change for optional mikey data */
+    auth_start = (uint32_t *)hdr;
+    auth_tag =
+        (uint8_t *)hdr + *pkt_octet_len + sizeof(srtcp_trailer_t) + mki_size;
+
+    /* perform EKT processing if needed */
+    srtp_ekt_write_data(stream->ekt, auth_tag, tag_len, pkt_octet_len,
+                        srtp_rdbx_get_packet_index(&stream->rtp_rdbx));
+
+    /*
+     * check sequence number for overruns, and copy it into the packet
+     * if its value isn't too big
+     */
+    status = srtp_rdb_increment(&stream->rtcp_rdb);
+    if (status)
+        return status;
+    seq_num = srtp_rdb_get_value(&stream->rtcp_rdb);
+    trailer |= htonl(seq_num);
+    debug_print(mod_srtp, "srtcp index: %x", seq_num);
+
+    memcpy(trailer_p, &trailer, sizeof(trailer));
+
+    /*
+     * if we're using rindael counter mode, set nonce and seq
+     */
+    if (session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_128 ||
+        session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_192 ||
+        session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_256) {
+        v128_t iv;
+
+        iv.v32[0] = 0;
+        iv.v32[1] = hdr->ssrc; /* still in network order! */
+        iv.v32[2] = htonl(seq_num >> 16);
+        iv.v32[3] = htonl(seq_num << 16);
+        status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv,
+                                    srtp_direction_encrypt);
+
+    } else {
+        v128_t iv;
+
+        /* otherwise, just set the index to seq_num */
+        iv.v32[0] = 0;
+        iv.v32[1] = 0;
+        iv.v32[2] = 0;
+        iv.v32[3] = htonl(seq_num);
+        status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv,
+                                    srtp_direction_encrypt);
+    }
+    if (status)
+        return srtp_err_status_cipher_fail;
+
+    /*
+     * if we're authenticating using a universal hash, put the keystream
+     * prefix into the authentication tag
+     */
+
+    /* if auth_start is non-null, then put keystream into tag  */
+    if (auth_start) {
+        /* put keystream prefix into auth_tag */
+        prefix_len = srtp_auth_get_prefix_length(session_keys->rtcp_auth);
+        status = srtp_cipher_output(session_keys->rtcp_cipher, auth_tag,
+                                    &prefix_len);
+
+        debug_print(mod_srtp, "keystream prefix: %s",
+                    srtp_octet_string_hex_string(auth_tag, prefix_len));
+
+        if (status)
+            return srtp_err_status_cipher_fail;
+    }
+
+    /* if we're encrypting, exor keystream into the message */
+    if (enc_start) {
+        status = srtp_cipher_encrypt(session_keys->rtcp_cipher,
+                                     (uint8_t *)enc_start, &enc_octet_len);
+        if (status)
+            return srtp_err_status_cipher_fail;
+    }
+
+    /* initialize auth func context */
+    srtp_auth_start(session_keys->rtcp_auth);
+
+    /*
+     * run auth func over packet (including trailer), and write the
+     * result at auth_tag
+     */
+    status =
+        srtp_auth_compute(session_keys->rtcp_auth, (uint8_t *)auth_start,
+                          (*pkt_octet_len) + sizeof(srtcp_trailer_t), auth_tag);
+    debug_print(mod_srtp, "srtcp auth tag:    %s",
+                srtp_octet_string_hex_string(auth_tag, tag_len));
+    if (status)
+        return srtp_err_status_auth_fail;
+
+    /* increase the packet length by the length of the auth tag and seq_num*/
+    *pkt_octet_len += (tag_len + sizeof(srtcp_trailer_t));
+
+    /* increase the packet by the mki_size */
+    *pkt_octet_len += mki_size;
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_unprotect_rtcp(srtp_t ctx,
+                                      void *srtcp_hdr,
+                                      int *pkt_octet_len)
+{
+    return srtp_unprotect_rtcp_mki(ctx, srtcp_hdr, pkt_octet_len, 0);
+}
+
+srtp_err_status_t srtp_unprotect_rtcp_mki(srtp_t ctx,
+                                          void *srtcp_hdr,
+                                          int *pkt_octet_len,
+                                          unsigned int use_mki)
+{
+    srtcp_hdr_t *hdr = (srtcp_hdr_t *)srtcp_hdr;
+    uint32_t *enc_start;            /* pointer to start of encrypted portion  */
+    uint32_t *auth_start;           /* pointer to start of auth. portion      */
+    uint32_t *trailer_p;            /* pointer to start of trailer            */
+    uint32_t trailer;               /* trailer value                          */
+    unsigned int enc_octet_len = 0; /* number of octets in encrypted portion */
+    uint8_t *auth_tag = NULL;       /* location of auth_tag within packet     */
+    uint8_t tmp_tag[SRTP_MAX_TAG_LEN];
+    uint8_t tag_copy[SRTP_MAX_TAG_LEN];
+    srtp_err_status_t status;
+    unsigned int auth_len;
+    int tag_len;
+    srtp_stream_ctx_t *stream;
+    uint32_t prefix_len;
+    uint32_t seq_num;
+    int e_bit_in_packet; /* whether the E-bit was found in the packet */
+    int sec_serv_confidentiality; /* whether confidentiality was requested */
+    unsigned int mki_size = 0;
+    srtp_session_keys_t *session_keys = NULL;
+
+    /* we assume the hdr is 32-bit aligned to start */
+
+    if (*pkt_octet_len < 0)
+        return srtp_err_status_bad_param;
+
+    /*
+     * check that the length value is sane; we'll check again once we
+     * know the tag length, but we at least want to know that it is
+     * a positive value
+     */
+    if ((unsigned int)(*pkt_octet_len) <
+        octets_in_rtcp_header + sizeof(srtcp_trailer_t))
+        return srtp_err_status_bad_param;
+
+    /*
+     * look up ssrc in srtp_stream list, and process the packet with
+     * the appropriate stream.  if we haven't seen this stream before,
+     * there's only one key for this srtp_session, and the cipher
+     * supports key-sharing, then we assume that a new stream using
+     * that key has just started up
+     */
+    stream = srtp_get_stream(ctx, hdr->ssrc);
+    if (stream == NULL) {
+        if (ctx->stream_template != NULL) {
+            stream = ctx->stream_template;
+
+            /*
+             * check to see if stream_template has an EKT data structure, in
+             * which case we initialize the template using the EKT policy
+             * referenced by that data (which consists of decrypting the
+             * master key from the EKT field)
+             *
+             * this function initializes a *provisional* stream, and this
+             * stream should not be accepted until and unless the packet
+             * passes its authentication check
+             */
+            if (stream->ekt != NULL) {
+                status = srtp_stream_init_from_ekt(stream, srtcp_hdr,
+                                                   *pkt_octet_len);
+                if (status)
+                    return status;
+            }
+
+            debug_print(mod_srtp,
+                        "srtcp using provisional stream (SSRC: 0x%08x)",
+                        ntohl(hdr->ssrc));
+        } else {
+            /* no template stream, so we return an error */
+            return srtp_err_status_no_ctx;
+        }
+    }
+
+    /*
+     * Determine if MKI is being used and what session keys should be used
+     */
+    if (use_mki) {
+        session_keys = srtp_get_session_keys(
+            stream, (uint8_t *)hdr, (const unsigned int *)pkt_octet_len,
+            &mki_size);
+
+        if (session_keys == NULL)
+            return srtp_err_status_bad_mki;
+    } else {
+        session_keys = &stream->session_keys[0];
+    }
+
+    /* get tag length from stream context */
+    tag_len = srtp_auth_get_tag_length(session_keys->rtcp_auth);
+
+    /* check the packet length - it must contain at least a full RTCP
+       header, an auth tag (if applicable), and the SRTCP encrypted flag
+       and 31-bit index value */
+    if (*pkt_octet_len < (int)(octets_in_rtcp_header + tag_len + mki_size +
+                               sizeof(srtcp_trailer_t))) {
+        return srtp_err_status_bad_param;
+    }
+
+    /*
+     * Check if this is an AEAD stream (GCM mode).  If so, then dispatch
+     * the request to our AEAD handler.
+     */
+    if (session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_128 ||
+        session_keys->rtp_cipher->algorithm == SRTP_AES_GCM_256) {
+        return srtp_unprotect_rtcp_aead(ctx, stream, srtcp_hdr,
+                                        (unsigned int *)pkt_octet_len,
+                                        session_keys, mki_size);
+    }
+
+    sec_serv_confidentiality = stream->rtcp_services == sec_serv_conf ||
+                               stream->rtcp_services == sec_serv_conf_and_auth;
+
+    /*
+     * set encryption start, encryption length, and trailer
+     */
+    enc_octet_len = *pkt_octet_len - (octets_in_rtcp_header + tag_len +
+                                      mki_size + sizeof(srtcp_trailer_t));
+    /*
+     *index & E (encryption) bit follow normal data. hdr->len is the number of
+     * words (32-bit) in the normal packet minus 1
+     */
+    /* This should point trailer to the word past the end of the normal data. */
+    /* This would need to be modified for optional mikey data */
+    trailer_p = (uint32_t *)((char *)hdr + *pkt_octet_len -
+                             (tag_len + mki_size + sizeof(srtcp_trailer_t)));
+    memcpy(&trailer, trailer_p, sizeof(trailer));
+
+    e_bit_in_packet =
+        (*((unsigned char *)trailer_p) & SRTCP_E_BYTE_BIT) == SRTCP_E_BYTE_BIT;
+    if (e_bit_in_packet != sec_serv_confidentiality) {
+        return srtp_err_status_cant_check;
+    }
+    if (sec_serv_confidentiality) {
+        enc_start = (uint32_t *)hdr + uint32s_in_rtcp_header;
+    } else {
+        enc_octet_len = 0;
+        enc_start = NULL; /* this indicates that there's no encryption */
+    }
+
+    /*
+     * set the auth_start and auth_tag pointers to the proper locations
+     * (note that srtcp *always* uses authentication, unlike srtp)
+     */
+    auth_start = (uint32_t *)hdr;
+
+    /*
+     * The location of the auth tag in the packet needs to know MKI
+     * could be present.  The data needed to calculate the Auth tag
+     * must not include the MKI
+     */
+    auth_len = *pkt_octet_len - tag_len - mki_size;
+    auth_tag = (uint8_t *)hdr + auth_len + mki_size;
+
+    /*
+     * if EKT is in use, then we make a copy of the tag from the packet,
+     * and then zeroize the location of the base tag
+     *
+     * we first re-position the auth_tag pointer so that it points to
+     * the base tag
+     */
+    if (stream->ekt) {
+        auth_tag -= srtp_ekt_octets_after_base_tag(stream->ekt);
+        memcpy(tag_copy, auth_tag, tag_len);
+        octet_string_set_to_zero(auth_tag, tag_len);
+        auth_tag = tag_copy;
+        auth_len += tag_len;
+    }
+
+    /*
+     * check the sequence number for replays
+     */
+    /* this is easier than dealing with bitfield access */
+    seq_num = ntohl(trailer) & SRTCP_INDEX_MASK;
+    debug_print(mod_srtp, "srtcp index: %x", seq_num);
+    status = srtp_rdb_check(&stream->rtcp_rdb, seq_num);
+    if (status)
+        return status;
+
+    /*
+     * if we're using aes counter mode, set nonce and seq
+     */
+    if (session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_128 ||
+        session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_192 ||
+        session_keys->rtcp_cipher->type->id == SRTP_AES_ICM_256) {
+        v128_t iv;
+
+        iv.v32[0] = 0;
+        iv.v32[1] = hdr->ssrc; /* still in network order! */
+        iv.v32[2] = htonl(seq_num >> 16);
+        iv.v32[3] = htonl(seq_num << 16);
+        status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv,
+                                    srtp_direction_decrypt);
+
+    } else {
+        v128_t iv;
+
+        /* otherwise, just set the index to seq_num */
+        iv.v32[0] = 0;
+        iv.v32[1] = 0;
+        iv.v32[2] = 0;
+        iv.v32[3] = htonl(seq_num);
+        status = srtp_cipher_set_iv(session_keys->rtcp_cipher, (uint8_t *)&iv,
+                                    srtp_direction_decrypt);
+    }
+    if (status)
+        return srtp_err_status_cipher_fail;
+
+    /* initialize auth func context */
+    srtp_auth_start(session_keys->rtcp_auth);
+
+    /* run auth func over packet, put result into tmp_tag */
+    status = srtp_auth_compute(session_keys->rtcp_auth, (uint8_t *)auth_start,
+                               auth_len, tmp_tag);
+    debug_print(mod_srtp, "srtcp computed tag:       %s",
+                srtp_octet_string_hex_string(tmp_tag, tag_len));
+    if (status)
+        return srtp_err_status_auth_fail;
+
+    /* compare the tag just computed with the one in the packet */
+    debug_print(mod_srtp, "srtcp tag from packet:    %s",
+                srtp_octet_string_hex_string(auth_tag, tag_len));
+    if (octet_string_is_eq(tmp_tag, auth_tag, tag_len))
+        return srtp_err_status_auth_fail;
+
+    /*
+     * if we're authenticating using a universal hash, put the keystream
+     * prefix into the authentication tag
+     */
+    prefix_len = srtp_auth_get_prefix_length(session_keys->rtcp_auth);
+    if (prefix_len) {
+        status = srtp_cipher_output(session_keys->rtcp_cipher, auth_tag,
+                                    &prefix_len);
+        debug_print(mod_srtp, "keystream prefix: %s",
+                    srtp_octet_string_hex_string(auth_tag, prefix_len));
+        if (status)
+            return srtp_err_status_cipher_fail;
+    }
+
+    /* if we're decrypting, exor keystream into the message */
+    if (enc_start) {
+        status = srtp_cipher_decrypt(session_keys->rtcp_cipher,
+                                     (uint8_t *)enc_start, &enc_octet_len);
+        if (status)
+            return srtp_err_status_cipher_fail;
+    }
+
+    /* decrease the packet length by the length of the auth tag and seq_num */
+    *pkt_octet_len -= (tag_len + sizeof(srtcp_trailer_t));
+
+    /* decrease the packet length by the length of the mki_size */
+    *pkt_octet_len -= mki_size;
+
+    /*
+     * if EKT is in effect, subtract the EKT data out of the packet
+     * length
+     */
+    *pkt_octet_len -= srtp_ekt_octets_after_base_tag(stream->ekt);
+
+    /*
+     * verify that stream is for received traffic - this check will
+     * detect SSRC collisions, since a stream that appears in both
+     * srtp_protect() and srtp_unprotect() will fail this test in one of
+     * those functions.
+     *
+     * we do this check *after* the authentication check, so that the
+     * latter check will catch any attempts to fool us into thinking
+     * that we've got a collision
+     */
+    if (stream->direction != dir_srtp_receiver) {
+        if (stream->direction == dir_unknown) {
+            stream->direction = dir_srtp_receiver;
+        } else {
+            srtp_handle_event(ctx, stream, event_ssrc_collision);
+        }
+    }
+
+    /*
+     * if the stream is a 'provisional' one, in which the template context
+     * is used, then we need to allocate a new stream at this point, since
+     * the authentication passed
+     */
+    if (stream == ctx->stream_template) {
+        srtp_stream_ctx_t *new_stream;
+
+        /*
+         * allocate and initialize a new stream
+         *
+         * note that we indicate failure if we can't allocate the new
+         * stream, and some implementations will want to not return
+         * failure here
+         */
+        status =
+            srtp_stream_clone(ctx->stream_template, hdr->ssrc, &new_stream);
+        if (status)
+            return status;
+
+        /* add new stream to the head of the stream_list */
+        new_stream->next = ctx->stream_list;
+        ctx->stream_list = new_stream;
+
+        /* set stream (the pointer used in this function) */
+        stream = new_stream;
+    }
+
+    /* we've passed the authentication check, so add seq_num to the rdb */
+    srtp_rdb_add_index(&stream->rtcp_rdb, seq_num);
+
+    return srtp_err_status_ok;
+}
+
+/*
+ * user data within srtp_t context
+ */
+
+void srtp_set_user_data(srtp_t ctx, void *data)
+{
+    ctx->user_data = data;
+}
+
+void *srtp_get_user_data(srtp_t ctx)
+{
+    return ctx->user_data;
+}
+
+/*
+ * dtls keying for srtp
+ */
+
+srtp_err_status_t srtp_crypto_policy_set_from_profile_for_rtp(
+    srtp_crypto_policy_t *policy,
+    srtp_profile_t profile)
+{
+    /* set SRTP policy from the SRTP profile in the key set */
+    switch (profile) {
+    case srtp_profile_aes128_cm_sha1_80:
+        srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+        break;
+    case srtp_profile_aes128_cm_sha1_32:
+        srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32(policy);
+        break;
+    case srtp_profile_null_sha1_80:
+        srtp_crypto_policy_set_null_cipher_hmac_sha1_80(policy);
+        break;
+#ifdef GCM
+    case srtp_profile_aead_aes_128_gcm:
+        srtp_crypto_policy_set_aes_gcm_128_16_auth(policy);
+        break;
+    case srtp_profile_aead_aes_256_gcm:
+        srtp_crypto_policy_set_aes_gcm_256_16_auth(policy);
+        break;
+#endif
+    /* the following profiles are not (yet) supported */
+    case srtp_profile_null_sha1_32:
+    default:
+        return srtp_err_status_bad_param;
+    }
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_crypto_policy_set_from_profile_for_rtcp(
+    srtp_crypto_policy_t *policy,
+    srtp_profile_t profile)
+{
+    /* set SRTP policy from the SRTP profile in the key set */
+    switch (profile) {
+    case srtp_profile_aes128_cm_sha1_80:
+        srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+        break;
+    case srtp_profile_aes128_cm_sha1_32:
+        /* We do not honor the 32-bit auth tag request since
+         * this is not compliant with RFC 3711 */
+        srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(policy);
+        break;
+    case srtp_profile_null_sha1_80:
+        srtp_crypto_policy_set_null_cipher_hmac_sha1_80(policy);
+        break;
+#ifdef GCM
+    case srtp_profile_aead_aes_128_gcm:
+        srtp_crypto_policy_set_aes_gcm_128_16_auth(policy);
+        break;
+    case srtp_profile_aead_aes_256_gcm:
+        srtp_crypto_policy_set_aes_gcm_256_16_auth(policy);
+        break;
+#endif
+    /* the following profiles are not (yet) supported */
+    case srtp_profile_null_sha1_32:
+    default:
+        return srtp_err_status_bad_param;
+    }
+
+    return srtp_err_status_ok;
+}
+
+void srtp_append_salt_to_key(uint8_t *key,
+                             unsigned int bytes_in_key,
+                             uint8_t *salt,
+                             unsigned int bytes_in_salt)
+{
+    memcpy(key + bytes_in_key, salt, bytes_in_salt);
+}
+
+unsigned int srtp_profile_get_master_key_length(srtp_profile_t profile)
+{
+    switch (profile) {
+    case srtp_profile_aes128_cm_sha1_80:
+        return SRTP_AES_128_KEY_LEN;
+        break;
+    case srtp_profile_aes128_cm_sha1_32:
+        return SRTP_AES_128_KEY_LEN;
+        break;
+    case srtp_profile_null_sha1_80:
+        return SRTP_AES_128_KEY_LEN;
+        break;
+    case srtp_profile_aead_aes_128_gcm:
+        return SRTP_AES_128_KEY_LEN;
+        break;
+    case srtp_profile_aead_aes_256_gcm:
+        return SRTP_AES_256_KEY_LEN;
+        break;
+    /* the following profiles are not (yet) supported */
+    case srtp_profile_null_sha1_32:
+    default:
+        return 0; /* indicate error by returning a zero */
+    }
+}
+
+unsigned int srtp_profile_get_master_salt_length(srtp_profile_t profile)
+{
+    switch (profile) {
+    case srtp_profile_aes128_cm_sha1_80:
+        return SRTP_SALT_LEN;
+        break;
+    case srtp_profile_aes128_cm_sha1_32:
+        return SRTP_SALT_LEN;
+        break;
+    case srtp_profile_null_sha1_80:
+        return SRTP_SALT_LEN;
+        break;
+    case srtp_profile_aead_aes_128_gcm:
+        return SRTP_AEAD_SALT_LEN;
+        break;
+    case srtp_profile_aead_aes_256_gcm:
+        return SRTP_AEAD_SALT_LEN;
+        break;
+    /* the following profiles are not (yet) supported */
+    case srtp_profile_null_sha1_32:
+    default:
+        return 0; /* indicate error by returning a zero */
+    }
+}
+
+srtp_err_status_t stream_get_protect_trailer_length(srtp_stream_ctx_t *stream,
+                                                    uint32_t is_rtp,
+                                                    uint32_t use_mki,
+                                                    uint32_t mki_index,
+                                                    uint32_t *length)
+{
+    *length = 0;
+
+    srtp_session_keys_t *session_key;
+
+    if (use_mki) {
+        if (mki_index >= stream->num_master_keys) {
+            return srtp_err_status_bad_mki;
+        }
+        session_key = &stream->session_keys[mki_index];
+
+        *length += session_key->mki_size;
+
+    } else {
+        session_key = &stream->session_keys[0];
+    }
+    if (is_rtp) {
+        *length += srtp_auth_get_tag_length(session_key->rtp_auth);
+    } else {
+        *length += srtp_auth_get_tag_length(session_key->rtcp_auth);
+        *length += sizeof(srtcp_trailer_t);
+    }
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t get_protect_trailer_length(srtp_t session,
+                                             uint32_t is_rtp,
+                                             uint32_t use_mki,
+                                             uint32_t mki_index,
+                                             uint32_t *length)
+{
+    srtp_stream_ctx_t *stream;
+
+    if (session == NULL) {
+        return srtp_err_status_bad_param;
+    }
+
+    if (session->stream_template == NULL && session->stream_list == NULL) {
+        return srtp_err_status_bad_param;
+    }
+
+    *length = 0;
+
+    stream = session->stream_template;
+
+    if (stream != NULL) {
+        stream_get_protect_trailer_length(stream, is_rtp, use_mki, mki_index,
+                                          length);
+    }
+
+    stream = session->stream_list;
+
+    while (stream != NULL) {
+        uint32_t temp_length;
+        if (stream_get_protect_trailer_length(stream, is_rtp, use_mki,
+                                              mki_index, &temp_length) ==
+            srtp_err_status_ok) {
+            if (temp_length > *length) {
+                *length = temp_length;
+            }
+        }
+        stream = stream->next;
+    }
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_get_protect_trailer_length(srtp_t session,
+                                                  uint32_t use_mki,
+                                                  uint32_t mki_index,
+                                                  uint32_t *length)
+{
+    return get_protect_trailer_length(session, 1, use_mki, mki_index, length);
+}
+
+srtp_err_status_t srtp_get_protect_rtcp_trailer_length(srtp_t session,
+                                                       uint32_t use_mki,
+                                                       uint32_t mki_index,
+                                                       uint32_t *length)
+{
+    return get_protect_trailer_length(session, 0, use_mki, mki_index, length);
+}
+
+/*
+ * SRTP debug interface
+ */
+srtp_err_status_t srtp_set_debug_module(const char *mod_name, int v)
+{
+    return srtp_crypto_kernel_set_debug_module(mod_name, v);
+}
+
+srtp_err_status_t srtp_list_debug_modules(void)
+{
+    return srtp_crypto_kernel_list_debug_modules();
+}
+
+/*
+ * srtp_log_handler is a global variable holding a pointer to the
+ * log handler function; this function is called for any log
+ * output.
+ */
+
+static srtp_log_handler_func_t *srtp_log_handler = NULL;
+static void *srtp_log_handler_data = NULL;
+
+void srtp_err_handler(srtp_err_reporting_level_t level, const char *msg)
+{
+    if (srtp_log_handler) {
+        srtp_log_level_t log_level = srtp_log_level_error;
+        switch (level) {
+        case srtp_err_level_error:
+            log_level = srtp_log_level_error;
+            break;
+        case srtp_err_level_warning:
+            log_level = srtp_log_level_warning;
+            break;
+        case srtp_err_level_info:
+            log_level = srtp_log_level_info;
+            break;
+        case srtp_err_level_debug:
+            log_level = srtp_log_level_debug;
+            break;
+        }
+
+        srtp_log_handler(log_level, msg, srtp_log_handler_data);
+    }
+}
+
+srtp_err_status_t srtp_install_log_handler(srtp_log_handler_func_t func,
+                                           void *data)
+{
+    /*
+     * note that we accept NULL arguments intentionally - calling this
+     * function with a NULL arguments removes a log handler that's
+     * been previously installed
+     */
+
+    if (srtp_log_handler) {
+        srtp_install_err_report_handler(NULL);
+    }
+    srtp_log_handler = func;
+    srtp_log_handler_data = data;
+    if (srtp_log_handler) {
+        srtp_install_err_report_handler(srtp_err_handler);
+    }
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_set_stream_roc(srtp_t session,
+                                      uint32_t ssrc,
+                                      uint32_t roc)
+{
+    srtp_stream_t stream;
+
+    stream = srtp_get_stream(session, htonl(ssrc));
+    if (stream == NULL)
+        return srtp_err_status_bad_param;
+
+    stream->pending_roc = roc;
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_get_stream_roc(srtp_t session,
+                                      uint32_t ssrc,
+                                      uint32_t *roc)
+{
+    srtp_stream_t stream;
+
+    stream = srtp_get_stream(session, htonl(ssrc));
+    if (stream == NULL)
+        return srtp_err_status_bad_param;
+
+    *roc = srtp_rdbx_get_roc(&stream->rtp_rdbx);
+
+    return srtp_err_status_ok;
+}
diff --git a/netwerk/srtp/src/test/cutest.h b/netwerk/srtp/src/test/cutest.h
new file mode 100644
index 0000000000..f46626d395
--- /dev/null
+++ b/netwerk/srtp/src/test/cutest.h
@@ -0,0 +1,713 @@
+/*
+ * CUTest -- C/C++ Unit Test facility
+ * <http://github.com/mity/cutest>
+ *
+ * Copyright (c) 2013-2017 Martin Mitas
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+ * IN THE SOFTWARE.
+ */
+
+#ifndef CUTEST_H__
+#define CUTEST_H__
+
+/************************
+ *** Public interface ***
+ ************************/
+
+/* By default, <cutest.h> provides the main program entry point (function
+ * main()). However, if the test suite is composed of multiple source files
+ * which include <cutest.h>, then this causes a problem of multiple main()
+ * definitions. To avoid this problem, #define macro TEST_NO_MAIN in all
+ * compilation units but one.
+ */
+
+/* Macro to specify list of unit tests in the suite.
+ * The unit test implementation MUST provide list of unit tests it implements
+ * with this macro:
+ *
+ *   TEST_LIST = {
+ *       { "test1_name", test1_func_ptr },
+ *       { "test2_name", test2_func_ptr },
+ *       ...
+ *       { 0 }
+ *   };
+ *
+ * The list specifies names of each test (must be unique) and pointer to
+ * a function implementing it. The function does not take any arguments
+ * and has no return values, i.e. every test function has tp be compatible
+ * with this prototype:
+ *
+ *   void test_func(void);
+ */
+#define TEST_LIST const struct test__ test_list__[]
+
+/* Macros for testing whether an unit test succeeds or fails. These macros
+ * can be used arbitrarily in functions implementing the unit tests.
+ *
+ * If any condition fails throughout execution of a test, the test fails.
+ *
+ * TEST_CHECK takes only one argument (the condition), TEST_CHECK_ allows
+ * also to specify an error message to print out if the condition fails.
+ * (It expects printf-like format string and its parameters). The macros
+ * return non-zero (condition passes) or 0 (condition fails).
+ *
+ * That can be useful when more conditions should be checked only if some
+ * preceding condition passes, as illustrated in this code snippet:
+ *
+ *   SomeStruct* ptr = allocate_some_struct();
+ *   if(TEST_CHECK(ptr != NULL)) {
+ *       TEST_CHECK(ptr->member1 < 100);
+ *       TEST_CHECK(ptr->member2 > 200);
+ *   }
+ */
+#define TEST_CHECK_(cond, ...)                                                 \
+    test_check__((cond), __FILE__, __LINE__, __VA_ARGS__)
+#define TEST_CHECK(cond) test_check__((cond), __FILE__, __LINE__, "%s", #cond)
+
+/**********************
+ *** Implementation ***
+ **********************/
+
+/* The unit test files should not rely on anything below. */
+
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#if defined(unix) || defined(__unix__) || defined(__unix) || defined(__APPLE__)
+#define CUTEST_UNIX__ 1
+#include <errno.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <signal.h>
+#endif
+
+#if defined(_WIN32) || defined(__WIN32__) || defined(__WINDOWS__)
+#define CUTEST_WIN__ 1
+#include <windows.h>
+#include <io.h>
+#endif
+
+#ifdef __cplusplus
+#include <exception>
+#endif
+
+/* Note our global private identifiers end with '__' to mitigate risk of clash
+ * with the unit tests implementation. */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+struct test__ {
+    const char *name;
+    void (*func)(void);
+};
+
+extern const struct test__ test_list__[];
+
+int test_check__(int cond, const char *file, int line, const char *fmt, ...);
+
+#ifndef TEST_NO_MAIN
+
+static char *test_argv0__ = NULL;
+static int test_count__ = 0;
+static int test_no_exec__ = 0;
+static int test_no_summary__ = 0;
+static int test_skip_mode__ = 0;
+
+static int test_stat_failed_units__ = 0;
+static int test_stat_run_units__ = 0;
+
+static const struct test__ *test_current_unit__ = NULL;
+static int test_current_already_logged__ = 0;
+static int test_verbose_level__ = 2;
+static int test_current_failures__ = 0;
+static int test_colorize__ = 0;
+
+#define CUTEST_COLOR_DEFAULT__ 0
+#define CUTEST_COLOR_GREEN__ 1
+#define CUTEST_COLOR_RED__ 2
+#define CUTEST_COLOR_DEFAULT_INTENSIVE__ 3
+#define CUTEST_COLOR_GREEN_INTENSIVE__ 4
+#define CUTEST_COLOR_RED_INTENSIVE__ 5
+
+static size_t test_print_in_color__(int color, const char *fmt, ...)
+{
+    va_list args;
+    char buffer[256];
+    size_t n;
+
+    va_start(args, fmt);
+    vsnprintf(buffer, sizeof(buffer), fmt, args);
+    va_end(args);
+    buffer[sizeof(buffer) - 1] = '\0';
+
+    if (!test_colorize__) {
+        return printf("%s", buffer);
+    }
+
+#if defined CUTEST_UNIX__
+    {
+        const char *col_str;
+        switch (color) {
+        case CUTEST_COLOR_GREEN__:
+            col_str = "\033[0;32m";
+            break;
+        case CUTEST_COLOR_RED__:
+            col_str = "\033[0;31m";
+            break;
+        case CUTEST_COLOR_GREEN_INTENSIVE__:
+            col_str = "\033[1;32m";
+            break;
+        case CUTEST_COLOR_RED_INTENSIVE__:
+            col_str = "\033[1;30m";
+            break;
+        case CUTEST_COLOR_DEFAULT_INTENSIVE__:
+            col_str = "\033[1m";
+            break;
+        default:
+            col_str = "\033[0m";
+            break;
+        }
+        printf("%s", col_str);
+        n = printf("%s", buffer);
+        printf("\033[0m");
+        return n;
+    }
+#elif defined CUTEST_WIN__
+    {
+        HANDLE h;
+        CONSOLE_SCREEN_BUFFER_INFO info;
+        WORD attr;
+
+        h = GetStdHandle(STD_OUTPUT_HANDLE);
+        GetConsoleScreenBufferInfo(h, &info);
+
+        switch (color) {
+        case CUTEST_COLOR_GREEN__:
+            attr = FOREGROUND_GREEN;
+            break;
+        case CUTEST_COLOR_RED__:
+            attr = FOREGROUND_RED;
+            break;
+        case CUTEST_COLOR_GREEN_INTENSIVE__:
+            attr = FOREGROUND_GREEN | FOREGROUND_INTENSITY;
+            break;
+        case CUTEST_COLOR_RED_INTENSIVE__:
+            attr = FOREGROUND_RED | FOREGROUND_INTENSITY;
+            break;
+        case CUTEST_COLOR_DEFAULT_INTENSIVE__:
+            attr = FOREGROUND_BLUE | FOREGROUND_GREEN | FOREGROUND_RED |
+                   FOREGROUND_INTENSITY;
+            break;
+        default:
+            attr = 0;
+            break;
+        }
+        if (attr != 0)
+            SetConsoleTextAttribute(h, attr);
+        n = printf("%s", buffer);
+        SetConsoleTextAttribute(h, info.wAttributes);
+        return n;
+    }
+#else
+    n = printf("%s", buffer);
+    return n;
+#endif
+}
+
+int test_check__(int cond, const char *file, int line, const char *fmt, ...)
+{
+    const char *result_str;
+    int result_color;
+    int verbose_level;
+
+    if (cond) {
+        result_str = "ok";
+        result_color = CUTEST_COLOR_GREEN__;
+        verbose_level = 3;
+    } else {
+        if (!test_current_already_logged__ && test_current_unit__ != NULL) {
+            printf("[ ");
+            test_print_in_color__(CUTEST_COLOR_RED_INTENSIVE__, "FAILED");
+            printf(" ]\n");
+        }
+        result_str = "failed";
+        result_color = CUTEST_COLOR_RED__;
+        verbose_level = 2;
+        test_current_failures__++;
+        test_current_already_logged__++;
+    }
+
+    if (test_verbose_level__ >= verbose_level) {
+        size_t n = 0;
+        va_list args;
+
+        printf("  ");
+
+        if (file != NULL)
+            n += printf("%s:%d: Check ", file, line);
+
+        va_start(args, fmt);
+        n += vprintf(fmt, args);
+        va_end(args);
+
+        printf("... ");
+        test_print_in_color__(result_color, result_str);
+        printf("\n");
+        test_current_already_logged__++;
+    }
+
+    return (cond != 0);
+}
+
+static void test_list_names__(void)
+{
+    const struct test__ *test;
+
+    printf("Unit tests:\n");
+    for (test = &test_list__[0]; test->func != NULL; test++)
+        printf("  %s\n", test->name);
+}
+
+static const struct test__ *test_by_name__(const char *name)
+{
+    const struct test__ *test;
+
+    for (test = &test_list__[0]; test->func != NULL; test++) {
+        if (strcmp(test->name, name) == 0)
+            return test;
+    }
+
+    return NULL;
+}
+
+/* Call directly the given test unit function. */
+static int test_do_run__(const struct test__ *test)
+{
+    test_current_unit__ = test;
+    test_current_failures__ = 0;
+    test_current_already_logged__ = 0;
+
+    if (test_verbose_level__ >= 3) {
+        test_print_in_color__(CUTEST_COLOR_DEFAULT_INTENSIVE__, "Test %s:\n",
+                              test->name);
+        test_current_already_logged__++;
+    } else if (test_verbose_level__ >= 1) {
+        size_t n;
+        char spaces[32];
+
+        n = test_print_in_color__(CUTEST_COLOR_DEFAULT_INTENSIVE__,
+                                  "Test %s... ", test->name);
+        memset(spaces, ' ', sizeof(spaces));
+        if (n < sizeof(spaces))
+            printf("%.*s", (int)(sizeof(spaces) - n), spaces);
+    } else {
+        test_current_already_logged__ = 1;
+    }
+
+#ifdef __cplusplus
+    try {
+#endif
+
+        /* This is good to do for case the test unit e.g. crashes. */
+        fflush(stdout);
+        fflush(stderr);
+
+        test->func();
+
+#ifdef __cplusplus
+    } catch (std::exception &e) {
+        const char *what = e.what();
+        if (what != NULL)
+            test_check__(0, NULL, 0, "Threw std::exception: %s", what);
+        else
+            test_check__(0, NULL, 0, "Threw std::exception");
+    } catch (...) {
+        test_check__(0, NULL, 0, "Threw an exception");
+    }
+#endif
+
+    if (test_verbose_level__ >= 3) {
+        switch (test_current_failures__) {
+        case 0:
+            test_print_in_color__(CUTEST_COLOR_GREEN_INTENSIVE__,
+                                  "  All conditions have passed.\n\n");
+            break;
+        case 1:
+            test_print_in_color__(CUTEST_COLOR_RED_INTENSIVE__,
+                                  "  One condition has FAILED.\n\n");
+            break;
+        default:
+            test_print_in_color__(CUTEST_COLOR_RED_INTENSIVE__,
+                                  "  %d conditions have FAILED.\n\n",
+                                  test_current_failures__);
+            break;
+        }
+    } else if (test_verbose_level__ >= 1 && test_current_failures__ == 0) {
+        printf("[   ");
+        test_print_in_color__(CUTEST_COLOR_GREEN_INTENSIVE__, "OK");
+        printf("   ]\n");
+    }
+
+    test_current_unit__ = NULL;
+    return (test_current_failures__ == 0) ? 0 : -1;
+}
+
+#if defined(CUTEST_UNIX__) || defined(CUTEST_WIN__)
+/* Called if anything goes bad in cutest, or if the unit test ends in other
+ * way then by normal returning from its function (e.g. exception or some
+ * abnormal child process termination). */
+static void test_error__(const char *fmt, ...)
+{
+    va_list args;
+
+    if (test_verbose_level__ == 0)
+        return;
+
+    if (test_verbose_level__ <= 2 && !test_current_already_logged__ &&
+        test_current_unit__ != NULL) {
+        printf("[ ");
+        test_print_in_color__(CUTEST_COLOR_RED_INTENSIVE__, "FAILED");
+        printf(" ]\n");
+    }
+
+    if (test_verbose_level__ >= 2) {
+        test_print_in_color__(CUTEST_COLOR_RED_INTENSIVE__, "  Error: ");
+        va_start(args, fmt);
+        vprintf(fmt, args);
+        va_end(args);
+        printf("\n");
+    }
+}
+#endif
+
+/* Trigger the unit test. If possible (and not suppressed) it starts a child
+ * process who calls test_do_run__(), otherwise it calls test_do_run__()
+ * directly. */
+static void test_run__(const struct test__ *test)
+{
+    int failed = 1;
+
+    test_current_unit__ = test;
+    test_current_already_logged__ = 0;
+
+    if (!test_no_exec__) {
+#if defined(CUTEST_UNIX__)
+
+        pid_t pid;
+        int exit_code;
+
+        pid = fork();
+        if (pid == (pid_t)-1) {
+            test_error__("Cannot fork. %s [%d]", strerror(errno), errno);
+            failed = 1;
+        } else if (pid == 0) {
+            /* Child: Do the test. */
+            failed = (test_do_run__(test) != 0);
+            exit(failed ? 1 : 0);
+        } else {
+            /* Parent: Wait until child terminates and analyze its exit code. */
+            waitpid(pid, &exit_code, 0);
+            if (WIFEXITED(exit_code)) {
+                switch (WEXITSTATUS(exit_code)) {
+                case 0:
+                    failed = 0;
+                    break; /* test has passed. */
+                case 1:    /* noop */
+                    break; /* "normal" failure. */
+                default:
+                    test_error__("Unexpected exit code [%d]",
+                                 WEXITSTATUS(exit_code));
+                }
+            } else if (WIFSIGNALED(exit_code)) {
+                char tmp[32];
+                const char *signame;
+                switch (WTERMSIG(exit_code)) {
+                case SIGINT:
+                    signame = "SIGINT";
+                    break;
+                case SIGHUP:
+                    signame = "SIGHUP";
+                    break;
+                case SIGQUIT:
+                    signame = "SIGQUIT";
+                    break;
+                case SIGABRT:
+                    signame = "SIGABRT";
+                    break;
+                case SIGKILL:
+                    signame = "SIGKILL";
+                    break;
+                case SIGSEGV:
+                    signame = "SIGSEGV";
+                    break;
+                case SIGILL:
+                    signame = "SIGILL";
+                    break;
+                case SIGTERM:
+                    signame = "SIGTERM";
+                    break;
+                default:
+                    sprintf(tmp, "signal %d", WTERMSIG(exit_code));
+                    signame = tmp;
+                    break;
+                }
+                test_error__("Test interrupted by %s", signame);
+            } else {
+                test_error__("Test ended in an unexpected way [%d]", exit_code);
+            }
+        }
+
+#elif defined(CUTEST_WIN__)
+
+        char buffer[512] = { 0 };
+        STARTUPINFOA startupInfo = { 0 };
+        PROCESS_INFORMATION processInfo;
+        DWORD exitCode;
+
+        /* Windows has no fork(). So we propagate all info into the child
+         * through a command line arguments. */
+        _snprintf(buffer, sizeof(buffer) - 1,
+                  "%s --no-exec --no-summary --verbose=%d --color=%s -- \"%s\"",
+                  test_argv0__, test_verbose_level__,
+                  test_colorize__ ? "always" : "never", test->name);
+        startupInfo.cb = sizeof(STARTUPINFO);
+        if (CreateProcessA(NULL, buffer, NULL, NULL, FALSE, 0, NULL, NULL,
+                           &startupInfo, &processInfo)) {
+            WaitForSingleObject(processInfo.hProcess, INFINITE);
+            GetExitCodeProcess(processInfo.hProcess, &exitCode);
+            CloseHandle(processInfo.hThread);
+            CloseHandle(processInfo.hProcess);
+            failed = (exitCode != 0);
+        } else {
+            test_error__("Cannot create unit test subprocess [%ld].",
+                         GetLastError());
+            failed = 1;
+        }
+
+#else
+
+        /* A platform where we don't know how to run child process. */
+        failed = (test_do_run__(test) != 0);
+
+#endif
+
+    } else {
+        /* Child processes suppressed through --no-exec. */
+        failed = (test_do_run__(test) != 0);
+    }
+
+    test_current_unit__ = NULL;
+
+    test_stat_run_units__++;
+    if (failed)
+        test_stat_failed_units__++;
+}
+
+#if defined(CUTEST_WIN__)
+/* Callback for SEH events. */
+static LONG CALLBACK test_exception_filter__(EXCEPTION_POINTERS *ptrs)
+{
+    test_error__("Unhandled SEH exception %08lx at %p.",
+                 ptrs->ExceptionRecord->ExceptionCode,
+                 ptrs->ExceptionRecord->ExceptionAddress);
+    fflush(stdout);
+    fflush(stderr);
+    return EXCEPTION_EXECUTE_HANDLER;
+}
+#endif
+
+static void test_help__(void)
+{
+    printf("Usage: %s [options] [test...]\n", test_argv0__);
+    printf("Run the specified unit tests; or if the option '--skip' is used, "
+           "run all\n");
+    printf("tests in the suite but those listed.  By default, if no tests are "
+           "specified\n");
+    printf("on the command line, all unit tests in the suite are run.\n");
+    printf("\n");
+    printf("Options:\n");
+    printf(
+        "  -s, --skip            Execute all unit tests but the listed ones\n");
+    printf("      --no-exec         Do not execute unit tests as child "
+           "processes\n");
+    printf(
+        "      --no-summary      Suppress printing of test results summary\n");
+    printf("  -l, --list            List unit tests in the suite and exit\n");
+    printf("  -v, --verbose         Enable more verbose output\n");
+    printf("      --verbose=LEVEL   Set verbose level to LEVEL:\n");
+    printf("                          0 ... Be silent\n");
+    printf("                          1 ... Output one line per test (and "
+           "summary)\n");
+    printf("                          2 ... As 1 and failed conditions (this "
+           "is default)\n");
+    printf("                          3 ... As 1 and all conditions (and "
+           "extended summary)\n");
+    printf("      --color=WHEN      Enable colorized output (WHEN is one of "
+           "'auto', 'always', 'never')\n");
+    printf("  -h, --help            Display this help and exit\n");
+    printf("\n");
+    test_list_names__();
+}
+
+int main(int argc, char **argv)
+{
+    const struct test__ **tests = NULL;
+    int i, j, n = 0;
+    int seen_double_dash = 0;
+
+    test_argv0__ = argv[0];
+
+#if defined CUTEST_UNIX__
+    test_colorize__ = isatty(STDOUT_FILENO);
+#elif defined CUTEST_WIN__
+    test_colorize__ = _isatty(_fileno(stdout));
+#else
+    test_colorize__ = 0;
+#endif
+
+    /* Parse options */
+    for (i = 1; i < argc; i++) {
+        if (seen_double_dash || argv[i][0] != '-') {
+            tests = (const struct test__ **)realloc(
+                (void *)tests, (n + 1) * sizeof(const struct test__ *));
+            if (tests == NULL) {
+                fprintf(stderr, "Out of memory.\n");
+                exit(2);
+            }
+            tests[n] = test_by_name__(argv[i]);
+            if (tests[n] == NULL) {
+                fprintf(stderr, "%s: Unrecognized unit test '%s'\n", argv[0],
+                        argv[i]);
+                fprintf(stderr, "Try '%s --list' for list of unit tests.\n",
+                        argv[0]);
+                exit(2);
+            }
+            n++;
+        } else if (strcmp(argv[i], "--") == 0) {
+            seen_double_dash = 1;
+        } else if (strcmp(argv[i], "--help") == 0 ||
+                   strcmp(argv[i], "-h") == 0) {
+            test_help__();
+            exit(0);
+        } else if (strcmp(argv[i], "--verbose") == 0 ||
+                   strcmp(argv[i], "-v") == 0) {
+            test_verbose_level__++;
+        } else if (strncmp(argv[i], "--verbose=", 10) == 0) {
+            test_verbose_level__ = atoi(argv[i] + 10);
+        } else if (strcmp(argv[i], "--color=auto") == 0) {
+            /* noop (set from above) */
+        } else if (strcmp(argv[i], "--color=always") == 0 ||
+                   strcmp(argv[i], "--color") == 0) {
+            test_colorize__ = 1;
+        } else if (strcmp(argv[i], "--color=never") == 0) {
+            test_colorize__ = 0;
+        } else if (strcmp(argv[i], "--skip") == 0 ||
+                   strcmp(argv[i], "-s") == 0) {
+            test_skip_mode__ = 1;
+        } else if (strcmp(argv[i], "--no-exec") == 0) {
+            test_no_exec__ = 1;
+        } else if (strcmp(argv[i], "--no-summary") == 0) {
+            test_no_summary__ = 1;
+        } else if (strcmp(argv[i], "--list") == 0 ||
+                   strcmp(argv[i], "-l") == 0) {
+            test_list_names__();
+            exit(0);
+        } else {
+            fprintf(stderr, "%s: Unrecognized option '%s'\n", argv[0], argv[i]);
+            fprintf(stderr, "Try '%s --help' for more information.\n", argv[0]);
+            exit(2);
+        }
+    }
+
+#if defined(CUTEST_WIN__)
+    SetUnhandledExceptionFilter(test_exception_filter__);
+#endif
+
+    /* Count all test units */
+    test_count__ = 0;
+    for (i = 0; test_list__[i].func != NULL; i++)
+        test_count__++;
+
+    /* Run the tests */
+    if (n == 0) {
+        /* Run all tests */
+        for (i = 0; test_list__[i].func != NULL; i++)
+            test_run__(&test_list__[i]);
+    } else if (!test_skip_mode__) {
+        /* Run the listed tests */
+        for (i = 0; i < n; i++)
+            test_run__(tests[i]);
+    } else {
+        /* Run all tests except those listed */
+        for (i = 0; test_list__[i].func != NULL; i++) {
+            int want_skip = 0;
+            for (j = 0; j < n; j++) {
+                if (tests[j] == &test_list__[i]) {
+                    want_skip = 1;
+                    break;
+                }
+            }
+            if (!want_skip)
+                test_run__(&test_list__[i]);
+        }
+    }
+
+    /* Write a summary */
+    if (!test_no_summary__ && test_verbose_level__ >= 1) {
+        test_print_in_color__(CUTEST_COLOR_DEFAULT_INTENSIVE__, "\nSummary:\n");
+
+        if (test_verbose_level__ >= 3) {
+            printf("  Count of all unit tests:     %4d\n", test_count__);
+            printf("  Count of run unit tests:     %4d\n",
+                   test_stat_run_units__);
+            printf("  Count of failed unit tests:  %4d\n",
+                   test_stat_failed_units__);
+            printf("  Count of skipped unit tests: %4d\n",
+                   test_count__ - test_stat_run_units__);
+        }
+
+        if (test_stat_failed_units__ == 0) {
+            test_print_in_color__(CUTEST_COLOR_GREEN_INTENSIVE__,
+                                  "  SUCCESS: All unit tests have passed.\n");
+        } else {
+            test_print_in_color__(
+                CUTEST_COLOR_RED_INTENSIVE__,
+                "  FAILED: %d of %d unit tests have failed.\n",
+                test_stat_failed_units__, test_stat_run_units__);
+        }
+    }
+
+    if (tests != NULL)
+        free((void *)tests);
+
+    return (test_stat_failed_units__ == 0) ? 0 : 1;
+}
+
+#endif /* #ifndef TEST_NO_MAIN */
+
+#ifdef __cplusplus
+} /* extern "C" */
+#endif
+
+#endif /* #ifndef CUTEST_H__ */
diff --git a/netwerk/srtp/src/test/dtls_srtp_driver.c b/netwerk/srtp/src/test/dtls_srtp_driver.c
new file mode 100644
index 0000000000..4f4d0a39b3
--- /dev/null
+++ b/netwerk/srtp/src/test/dtls_srtp_driver.c
@@ -0,0 +1,261 @@
+/*
+ * dtls_srtp_driver.c
+ *
+ * test driver for DTLS-SRTP functions
+ *
+ * David McGrew
+ * Cisco Systems, Inc.
+ */
+/*
+ *
+ * Copyright (c) 2001-2017 Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <stdio.h>    /* for printf()          */
+#include "getopt_s.h" /* for local getopt()    */
+#include "srtp_priv.h"
+
+srtp_err_status_t test_dtls_srtp(void);
+
+srtp_hdr_t *srtp_create_test_packet(int pkt_octet_len, uint32_t ssrc);
+
+void usage(char *prog_name)
+{
+    printf("usage: %s [ -t ][ -c ][ -v ][-d <debug_module> ]* [ -l ]\n"
+           "  -d <mod>   turn on debugging module <mod>\n"
+           "  -l         list debugging modules\n",
+           prog_name);
+    exit(1);
+}
+
+int main(int argc, char *argv[])
+{
+    unsigned do_list_mods = 0;
+    int q;
+    srtp_err_status_t err;
+
+    printf("dtls_srtp_driver\n");
+
+    /* initialize srtp library */
+    err = srtp_init();
+    if (err) {
+        printf("error: srtp init failed with error code %d\n", err);
+        exit(1);
+    }
+
+    /* process input arguments */
+    while (1) {
+        q = getopt_s(argc, argv, "ld:");
+        if (q == -1)
+            break;
+        switch (q) {
+        case 'l':
+            do_list_mods = 1;
+            break;
+        case 'd':
+            err = srtp_crypto_kernel_set_debug_module(optarg_s, 1);
+            if (err) {
+                printf("error: set debug module (%s) failed\n", optarg_s);
+                exit(1);
+            }
+            break;
+        default:
+            usage(argv[0]);
+        }
+    }
+
+    if (do_list_mods) {
+        err = srtp_crypto_kernel_list_debug_modules();
+        if (err) {
+            printf("error: list of debug modules failed\n");
+            exit(1);
+        }
+    }
+
+    printf("testing dtls_srtp...");
+    err = test_dtls_srtp();
+    if (err) {
+        printf("\nerror (code %d)\n", err);
+        exit(1);
+    }
+    printf("passed\n");
+
+    /* shut down srtp library */
+    err = srtp_shutdown();
+    if (err) {
+        printf("error: srtp shutdown failed with error code %d\n", err);
+        exit(1);
+    }
+
+    return 0;
+}
+
+srtp_err_status_t test_dtls_srtp(void)
+{
+    srtp_hdr_t *test_packet;
+    int test_packet_len = 80;
+    srtp_t s;
+    srtp_policy_t policy;
+    uint8_t key[SRTP_MAX_KEY_LEN];
+    uint8_t salt[SRTP_MAX_KEY_LEN];
+    unsigned int key_len, salt_len;
+    srtp_profile_t profile;
+    srtp_err_status_t err;
+
+    memset(&policy, 0x0, sizeof(srtp_policy_t));
+
+    /* create a 'null' SRTP session */
+    err = srtp_create(&s, NULL);
+    if (err)
+        return err;
+
+    /*
+     * verify that packet-processing functions behave properly - we
+     * expect that these functions will return srtp_err_status_no_ctx
+     */
+    test_packet = srtp_create_test_packet(80, 0xa5a5a5a5);
+    if (test_packet == NULL)
+        return srtp_err_status_alloc_fail;
+
+    err = srtp_protect(s, test_packet, &test_packet_len);
+    if (err != srtp_err_status_no_ctx) {
+        printf("wrong return value from srtp_protect() (got code %d)\n", err);
+        return srtp_err_status_fail;
+    }
+
+    err = srtp_unprotect(s, test_packet, &test_packet_len);
+    if (err != srtp_err_status_no_ctx) {
+        printf("wrong return value from srtp_unprotect() (got code %d)\n", err);
+        return srtp_err_status_fail;
+    }
+
+    err = srtp_protect_rtcp(s, test_packet, &test_packet_len);
+    if (err != srtp_err_status_no_ctx) {
+        printf("wrong return value from srtp_protect_rtcp() (got code %d)\n",
+               err);
+        return srtp_err_status_fail;
+    }
+
+    err = srtp_unprotect_rtcp(s, test_packet, &test_packet_len);
+    if (err != srtp_err_status_no_ctx) {
+        printf("wrong return value from srtp_unprotect_rtcp() (got code %d)\n",
+               err);
+        return srtp_err_status_fail;
+    }
+
+    /*
+     * set keys to known values for testing
+     */
+    profile = srtp_profile_aes128_cm_sha1_80;
+    key_len = srtp_profile_get_master_key_length(profile);
+    salt_len = srtp_profile_get_master_salt_length(profile);
+    memset(key, 0xff, key_len);
+    memset(salt, 0xee, salt_len);
+    srtp_append_salt_to_key(key, key_len, salt, salt_len);
+    policy.key = key;
+
+    /* initialize SRTP policy from profile  */
+    err = srtp_crypto_policy_set_from_profile_for_rtp(&policy.rtp, profile);
+    if (err)
+        return err;
+    err = srtp_crypto_policy_set_from_profile_for_rtcp(&policy.rtcp, profile);
+    if (err)
+        return err;
+    policy.ssrc.type = ssrc_any_inbound;
+    policy.ekt = NULL;
+    policy.window_size = 128;
+    policy.allow_repeat_tx = 0;
+    policy.next = NULL;
+
+    err = srtp_add_stream(s, &policy);
+    if (err)
+        return err;
+
+    err = srtp_dealloc(s);
+    if (err)
+        return err;
+
+    free(test_packet);
+
+    return srtp_err_status_ok;
+}
+
+/*
+ * srtp_create_test_packet(len, ssrc) returns a pointer to a
+ * (malloced) example RTP packet whose data field has the length given
+ * by pkt_octet_len and the SSRC value ssrc.  The total length of the
+ * packet is twelve octets longer, since the header is at the
+ * beginning.  There is room at the end of the packet for a trailer,
+ * and the four octets following the packet are filled with 0xff
+ * values to enable testing for overwrites.
+ *
+ * note that the location of the test packet can (and should) be
+ * deallocated with the free() call once it is no longer needed.
+ */
+
+srtp_hdr_t *srtp_create_test_packet(int pkt_octet_len, uint32_t ssrc)
+{
+    int i;
+    uint8_t *buffer;
+    srtp_hdr_t *hdr;
+    int bytes_in_hdr = 12;
+
+    /* allocate memory for test packet */
+    hdr = malloc(pkt_octet_len + bytes_in_hdr + SRTP_MAX_TRAILER_LEN + 4);
+    if (!hdr)
+        return NULL;
+
+    hdr->version = 2;            /* RTP version two     */
+    hdr->p = 0;                  /* no padding needed   */
+    hdr->x = 0;                  /* no header extension */
+    hdr->cc = 0;                 /* no CSRCs            */
+    hdr->m = 0;                  /* marker bit          */
+    hdr->pt = 0xf;               /* payload type        */
+    hdr->seq = htons(0x1234);    /* sequence number     */
+    hdr->ts = htonl(0xdecafbad); /* timestamp           */
+    hdr->ssrc = htonl(ssrc);     /* synch. source       */
+
+    buffer = (uint8_t *)hdr;
+    buffer += bytes_in_hdr;
+
+    /* set RTP data to 0xab */
+    for (i = 0; i < pkt_octet_len; i++)
+        *buffer++ = 0xab;
+
+    /* set post-data value to 0xffff to enable overrun checking */
+    for (i = 0; i < SRTP_MAX_TRAILER_LEN + 4; i++)
+        *buffer++ = 0xff;
+
+    return hdr;
+}
diff --git a/netwerk/srtp/src/test/getopt_s.c b/netwerk/srtp/src/test/getopt_s.c
new file mode 100644
index 0000000000..e0bd7f77ed
--- /dev/null
+++ b/netwerk/srtp/src/test/getopt_s.c
@@ -0,0 +1,109 @@
+/*
+ * getopt.c
+ *
+ * a minimal implementation of the getopt() function, written so that
+ * test applications that use that function can run on non-POSIX
+ * platforms
+ *
+ */
+/*
+ *
+ * Copyright (c) 2001-2017 Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <stdlib.h> /* for NULL */
+
+int optind_s = 0;
+
+char *optarg_s;
+
+#define GETOPT_FOUND_WITHOUT_ARGUMENT 2
+#define GETOPT_FOUND_WITH_ARGUMENT 1
+#define GETOPT_NOT_FOUND 0
+
+static int getopt_check_character(char c, const char *string)
+{
+    unsigned int max_string_len = 128;
+
+    while (*string != 0) {
+        if (max_string_len == 0) {
+            return GETOPT_NOT_FOUND;
+        }
+        max_string_len--;
+        if (*string++ == c) {
+            if (*string == ':') {
+                return GETOPT_FOUND_WITH_ARGUMENT;
+            } else {
+                return GETOPT_FOUND_WITHOUT_ARGUMENT;
+            }
+        }
+    }
+    return GETOPT_NOT_FOUND;
+}
+
+int getopt_s(int argc, char *const argv[], const char *optstring)
+{
+    while (optind_s + 1 < argc) {
+        char *string;
+
+        /* move 'string' on to next argument */
+        optind_s++;
+        string = argv[optind_s];
+
+        if (string == NULL)
+            return '?'; /* NULL argument string */
+
+        if (string[0] != '-')
+            return -1; /* found an unexpected character */
+
+        switch (getopt_check_character(string[1], optstring)) {
+        case GETOPT_FOUND_WITH_ARGUMENT:
+            if (optind_s + 1 < argc) {
+                optind_s++;
+                optarg_s = argv[optind_s];
+                return string[1];
+            } else {
+                return '?'; /* argument missing */
+            }
+        case GETOPT_FOUND_WITHOUT_ARGUMENT:
+            return string[1];
+        case GETOPT_NOT_FOUND:
+        default:
+            return '?'; /* didn't find expected character */
+            break;
+        }
+    }
+
+    return -1;
+}
diff --git a/netwerk/srtp/src/test/rdbx_driver.c b/netwerk/srtp/src/test/rdbx_driver.c
new file mode 100644
index 0000000000..3da6503719
--- /dev/null
+++ b/netwerk/srtp/src/test/rdbx_driver.c
@@ -0,0 +1,360 @@
+/*
+ * rdbx_driver.c
+ *
+ * driver for the rdbx implementation (replay database with extended range)
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+/*
+ *
+ * Copyright (c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>    /* for printf()          */
+#include "getopt_s.h" /* for local getopt()    */
+
+#include "rdbx.h"
+
+#ifdef ROC_TEST
+#error "srtp_rdbx_t won't work with ROC_TEST - bitmask same size as seq_median"
+#endif
+
+#include "ut_sim.h"
+
+srtp_err_status_t test_replay_dbx(int num_trials, unsigned long ws);
+
+double rdbx_check_adds_per_second(int num_trials, unsigned long ws);
+
+void usage(char *prog_name)
+{
+    printf("usage: %s [ -t | -v ]\n", prog_name);
+    exit(255);
+}
+
+int main(int argc, char *argv[])
+{
+    double rate;
+    srtp_err_status_t status;
+    int q;
+    unsigned do_timing_test = 0;
+    unsigned do_validation = 0;
+
+    /* process input arguments */
+    while (1) {
+        q = getopt_s(argc, argv, "tv");
+        if (q == -1)
+            break;
+        switch (q) {
+        case 't':
+            do_timing_test = 1;
+            break;
+        case 'v':
+            do_validation = 1;
+            break;
+        default:
+            usage(argv[0]);
+        }
+    }
+
+    printf("rdbx (replay database w/ extended range) test driver\n"
+           "David A. McGrew\n"
+           "Cisco Systems, Inc.\n");
+
+    if (!do_validation && !do_timing_test)
+        usage(argv[0]);
+
+    if (do_validation) {
+        printf("testing srtp_rdbx_t (ws=128)...\n");
+
+        status = test_replay_dbx(1 << 12, 128);
+        if (status) {
+            printf("failed\n");
+            exit(1);
+        }
+        printf("passed\n");
+
+        printf("testing srtp_rdbx_t (ws=1024)...\n");
+
+        status = test_replay_dbx(1 << 12, 1024);
+        if (status) {
+            printf("failed\n");
+            exit(1);
+        }
+        printf("passed\n");
+    }
+
+    if (do_timing_test) {
+        rate = rdbx_check_adds_per_second(1 << 18, 128);
+        printf("rdbx_check/replay_adds per second (ws=128): %e\n", rate);
+        rate = rdbx_check_adds_per_second(1 << 18, 1024);
+        printf("rdbx_check/replay_adds per second (ws=1024): %e\n", rate);
+    }
+
+    return 0;
+}
+
+void print_rdbx(srtp_rdbx_t *rdbx)
+{
+    char buf[2048];
+    printf("rdbx: {%llu, %s}\n", (unsigned long long)(rdbx->index),
+           bitvector_bit_string(&rdbx->bitmask, buf, sizeof(buf)));
+}
+
+/*
+ * rdbx_check_add(rdbx, idx) checks a known-to-be-good idx against
+ * rdbx, then adds it.  if a failure is detected (i.e., the check
+ * indicates that the value is already in rdbx) then
+ * srtp_err_status_algo_fail is returned.
+ *
+ */
+
+srtp_err_status_t rdbx_check_add(srtp_rdbx_t *rdbx, uint32_t idx)
+{
+    int delta;
+    srtp_xtd_seq_num_t est;
+
+    delta = srtp_index_guess(&rdbx->index, &est, idx);
+
+    if (srtp_rdbx_check(rdbx, delta) != srtp_err_status_ok) {
+        printf("replay_check failed at index %u\n", idx);
+        return srtp_err_status_algo_fail;
+    }
+
+    /*
+     * in practice, we'd authenticate the packet containing idx, using
+     * the estimated value est, at this point
+     */
+
+    if (srtp_rdbx_add_index(rdbx, delta) != srtp_err_status_ok) {
+        printf("rdbx_add_index failed at index %u\n", idx);
+        return srtp_err_status_algo_fail;
+    }
+
+    return srtp_err_status_ok;
+}
+
+/*
+ * rdbx_check_expect_failure(srtp_rdbx_t *rdbx, uint32_t idx)
+ *
+ * checks that a sequence number idx is in the replay database
+ * and thus will be rejected
+ */
+
+srtp_err_status_t rdbx_check_expect_failure(srtp_rdbx_t *rdbx, uint32_t idx)
+{
+    int delta;
+    srtp_xtd_seq_num_t est;
+    srtp_err_status_t status;
+
+    delta = srtp_index_guess(&rdbx->index, &est, idx);
+
+    status = srtp_rdbx_check(rdbx, delta);
+    if (status == srtp_err_status_ok) {
+        printf("delta: %d ", delta);
+        printf("replay_check failed at index %u (false positive)\n", idx);
+        return srtp_err_status_algo_fail;
+    }
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t rdbx_check_add_unordered(srtp_rdbx_t *rdbx, uint32_t idx)
+{
+    int delta;
+    srtp_xtd_seq_num_t est;
+    srtp_err_status_t rstat;
+
+    delta = srtp_index_guess(&rdbx->index, &est, idx);
+
+    rstat = srtp_rdbx_check(rdbx, delta);
+    if ((rstat != srtp_err_status_ok) &&
+        (rstat != srtp_err_status_replay_old)) {
+        printf("replay_check_add_unordered failed at index %u\n", idx);
+        return srtp_err_status_algo_fail;
+    }
+    if (rstat == srtp_err_status_replay_old) {
+        return srtp_err_status_ok;
+    }
+    if (srtp_rdbx_add_index(rdbx, delta) != srtp_err_status_ok) {
+        printf("rdbx_add_index failed at index %u\n", idx);
+        return srtp_err_status_algo_fail;
+    }
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t test_replay_dbx(int num_trials, unsigned long ws)
+{
+    srtp_rdbx_t rdbx;
+    uint32_t idx, ircvd;
+    ut_connection utc;
+    srtp_err_status_t status;
+    int num_fp_trials;
+
+    status = srtp_rdbx_init(&rdbx, ws);
+    if (status) {
+        printf("replay_init failed with error code %d\n", status);
+        exit(1);
+    }
+
+    /*
+     *  test sequential insertion
+     */
+    printf("\ttesting sequential insertion...");
+    for (idx = 0; (int)idx < num_trials; idx++) {
+        status = rdbx_check_add(&rdbx, idx);
+        if (status)
+            return status;
+    }
+    printf("passed\n");
+
+    /*
+     *  test for false positives by checking all of the index
+     *  values which we've just added
+     *
+     * note that we limit the number of trials here, since allowing the
+     * rollover counter to roll over would defeat this test
+     */
+    num_fp_trials = num_trials % 0x10000;
+    if (num_fp_trials == 0) {
+        printf("warning: no false positive tests performed\n");
+    }
+    printf("\ttesting for false positives...");
+    for (idx = 0; (int)idx < num_fp_trials; idx++) {
+        status = rdbx_check_expect_failure(&rdbx, idx);
+        if (status)
+            return status;
+    }
+    printf("passed\n");
+
+    /* re-initialize */
+    srtp_rdbx_dealloc(&rdbx);
+
+    if (srtp_rdbx_init(&rdbx, ws) != srtp_err_status_ok) {
+        printf("replay_init failed\n");
+        return srtp_err_status_init_fail;
+    }
+
+    /*
+     * test non-sequential insertion
+     *
+     * this test covers only fase negatives, since the values returned
+     * by ut_next_index(...) are distinct
+     */
+    ut_init(&utc);
+
+    printf("\ttesting non-sequential insertion...");
+    for (idx = 0; (int)idx < num_trials; idx++) {
+        ircvd = ut_next_index(&utc);
+        status = rdbx_check_add_unordered(&rdbx, ircvd);
+        if (status)
+            return status;
+        status = rdbx_check_expect_failure(&rdbx, ircvd);
+        if (status)
+            return status;
+    }
+    printf("passed\n");
+
+    /* re-initialize */
+    srtp_rdbx_dealloc(&rdbx);
+
+    if (srtp_rdbx_init(&rdbx, ws) != srtp_err_status_ok) {
+        printf("replay_init failed\n");
+        return srtp_err_status_init_fail;
+    }
+
+    /*
+     * test insertion with large gaps.
+     * check for false positives for each insertion.
+     */
+    printf("\ttesting insertion with large gaps...");
+    for (idx = 0, ircvd = 0; (int)idx < num_trials;
+         idx++, ircvd += (1 << (rand() % 12))) {
+        status = rdbx_check_add(&rdbx, ircvd);
+        if (status)
+            return status;
+        status = rdbx_check_expect_failure(&rdbx, ircvd);
+        if (status)
+            return status;
+    }
+    printf("passed\n");
+
+    srtp_rdbx_dealloc(&rdbx);
+
+    return srtp_err_status_ok;
+}
+
+#include <time.h>   /* for clock()  */
+#include <stdlib.h> /* for random() */
+
+double rdbx_check_adds_per_second(int num_trials, unsigned long ws)
+{
+    uint32_t i;
+    int delta;
+    srtp_rdbx_t rdbx;
+    srtp_xtd_seq_num_t est;
+    clock_t timer;
+    int failures; /* count number of failures */
+
+    if (srtp_rdbx_init(&rdbx, ws) != srtp_err_status_ok) {
+        printf("replay_init failed\n");
+        exit(1);
+    }
+
+    failures = 0;
+    timer = clock();
+    for (i = 0; (int)i < num_trials; i++) {
+        delta = srtp_index_guess(&rdbx.index, &est, i);
+
+        if (srtp_rdbx_check(&rdbx, delta) != srtp_err_status_ok)
+            ++failures;
+        else if (srtp_rdbx_add_index(&rdbx, delta) != srtp_err_status_ok)
+            ++failures;
+    }
+    timer = clock() - timer;
+    if (timer < 1) {
+        timer = 1;
+    }
+
+    printf("number of failures: %d \n", failures);
+
+    srtp_rdbx_dealloc(&rdbx);
+
+    return (double)CLOCKS_PER_SEC * num_trials / timer;
+}
diff --git a/netwerk/srtp/src/test/replay_driver.c b/netwerk/srtp/src/test/replay_driver.c
new file mode 100644
index 0000000000..a88224684f
--- /dev/null
+++ b/netwerk/srtp/src/test/replay_driver.c
@@ -0,0 +1,283 @@
+/*
+ * replay_driver.c
+ *
+ * A driver for the replay_database implementation
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+
+/*
+ *
+ * Copyright (c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+
+#include "rdb.h"
+#include "ut_sim.h"
+
+/*
+ * num_trials defines the number of trials that are used in the
+ * validation functions below
+ */
+
+unsigned num_trials = 1 << 16;
+
+srtp_err_status_t test_rdb_db(void);
+
+double rdb_check_adds_per_second(void);
+
+int main(void)
+{
+    srtp_err_status_t err;
+
+    printf("testing anti-replay database (srtp_rdb_t)...\n");
+    err = test_rdb_db();
+    if (err) {
+        printf("failed\n");
+        exit(1);
+    }
+    printf("done\n");
+
+    printf("rdb_check/rdb_adds per second: %e\n", rdb_check_adds_per_second());
+
+    return 0;
+}
+
+void print_rdb(srtp_rdb_t *rdb)
+{
+    printf("rdb: {%u, %s}\n", rdb->window_start,
+           v128_bit_string(&rdb->bitmask));
+}
+
+srtp_err_status_t rdb_check_add(srtp_rdb_t *rdb, uint32_t idx)
+{
+    if (srtp_rdb_check(rdb, idx) != srtp_err_status_ok) {
+        printf("rdb_check failed at index %u\n", idx);
+        return srtp_err_status_fail;
+    }
+    if (srtp_rdb_add_index(rdb, idx) != srtp_err_status_ok) {
+        printf("rdb_add_index failed at index %u\n", idx);
+        return srtp_err_status_fail;
+    }
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t rdb_check_expect_failure(srtp_rdb_t *rdb, uint32_t idx)
+{
+    srtp_err_status_t err;
+
+    err = srtp_rdb_check(rdb, idx);
+    if ((err != srtp_err_status_replay_old) &&
+        (err != srtp_err_status_replay_fail)) {
+        printf("rdb_check failed at index %u (false positive)\n", idx);
+        return srtp_err_status_fail;
+    }
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t rdb_check_add_unordered(srtp_rdb_t *rdb, uint32_t idx)
+{
+    srtp_err_status_t rstat;
+
+    /* printf("index: %u\n", idx); */
+    rstat = srtp_rdb_check(rdb, idx);
+    if ((rstat != srtp_err_status_ok) &&
+        (rstat != srtp_err_status_replay_old)) {
+        printf("rdb_check_add_unordered failed at index %u\n", idx);
+        return rstat;
+    }
+    if (rstat == srtp_err_status_replay_old) {
+        return srtp_err_status_ok;
+    }
+    if (srtp_rdb_add_index(rdb, idx) != srtp_err_status_ok) {
+        printf("rdb_add_index failed at index %u\n", idx);
+        return srtp_err_status_fail;
+    }
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t test_rdb_db()
+{
+    srtp_rdb_t rdb;
+    uint32_t idx, ircvd;
+    ut_connection utc;
+    srtp_err_status_t err;
+
+    if (srtp_rdb_init(&rdb) != srtp_err_status_ok) {
+        printf("rdb_init failed\n");
+        return srtp_err_status_init_fail;
+    }
+
+    /* test sequential insertion */
+    for (idx = 0; idx < num_trials; idx++) {
+        err = rdb_check_add(&rdb, idx);
+        if (err)
+            return err;
+    }
+
+    /* test for false positives */
+    for (idx = 0; idx < num_trials; idx++) {
+        err = rdb_check_expect_failure(&rdb, idx);
+        if (err)
+            return err;
+    }
+
+    /* re-initialize */
+    if (srtp_rdb_init(&rdb) != srtp_err_status_ok) {
+        printf("rdb_init failed\n");
+        return srtp_err_status_fail;
+    }
+
+    /* test non-sequential insertion */
+    ut_init(&utc);
+
+    for (idx = 0; idx < num_trials; idx++) {
+        ircvd = ut_next_index(&utc);
+        err = rdb_check_add_unordered(&rdb, ircvd);
+        if (err)
+            return err;
+        err = rdb_check_expect_failure(&rdb, ircvd);
+        if (err)
+            return err;
+    }
+
+    /* re-initialize */
+    if (srtp_rdb_init(&rdb) != srtp_err_status_ok) {
+        printf("rdb_init failed\n");
+        return srtp_err_status_fail;
+    }
+
+    /* test insertion with large gaps */
+    for (idx = 0, ircvd = 0; idx < num_trials;
+         idx++, ircvd += (1 << (rand() % 10))) {
+        err = rdb_check_add(&rdb, ircvd);
+        if (err)
+            return err;
+        err = rdb_check_expect_failure(&rdb, ircvd);
+        if (err)
+            return err;
+    }
+
+    /* re-initialize */
+    if (srtp_rdb_init(&rdb) != srtp_err_status_ok) {
+        printf("rdb_init failed\n");
+        return srtp_err_status_fail;
+    }
+
+    /* test loss of first 513 packets */
+    for (idx = 0; idx < num_trials; idx++) {
+        err = rdb_check_add(&rdb, idx + 513);
+        if (err)
+            return err;
+    }
+
+    /* test for false positives */
+    for (idx = 0; idx < num_trials + 513; idx++) {
+        err = rdb_check_expect_failure(&rdb, idx);
+        if (err)
+            return err;
+    }
+
+    /* test for key expired */
+    if (srtp_rdb_init(&rdb) != srtp_err_status_ok) {
+        printf("rdb_init failed\n");
+        return srtp_err_status_fail;
+    }
+    rdb.window_start = 0x7ffffffe;
+    if (srtp_rdb_increment(&rdb) != srtp_err_status_ok) {
+        printf("srtp_rdb_increment of 0x7ffffffe failed\n");
+        return srtp_err_status_fail;
+    }
+    if (srtp_rdb_get_value(&rdb) != 0x7fffffff) {
+        printf("rdb valiue was not 0x7fffffff\n");
+        return srtp_err_status_fail;
+    }
+    if (srtp_rdb_increment(&rdb) != srtp_err_status_key_expired) {
+        printf("srtp_rdb_increment of 0x7fffffff did not return "
+               "srtp_err_status_key_expired\n");
+        return srtp_err_status_fail;
+    }
+    if (srtp_rdb_get_value(&rdb) != 0x7fffffff) {
+        printf("rdb valiue was not 0x7fffffff\n");
+        return srtp_err_status_fail;
+    }
+
+    return srtp_err_status_ok;
+}
+
+#include <time.h>   /* for clock()  */
+#include <stdlib.h> /* for random() */
+
+#define REPLAY_NUM_TRIALS 10000000
+
+double rdb_check_adds_per_second(void)
+{
+    uint32_t i;
+    srtp_rdb_t rdb;
+    clock_t timer;
+    int failures = 0; /* count number of failures        */
+
+    if (srtp_rdb_init(&rdb) != srtp_err_status_ok) {
+        printf("rdb_init failed\n");
+        exit(1);
+    }
+
+    timer = clock();
+    for (i = 0; i < REPLAY_NUM_TRIALS; i += 3) {
+        if (srtp_rdb_check(&rdb, i + 2) != srtp_err_status_ok)
+            ++failures;
+        if (srtp_rdb_add_index(&rdb, i + 2) != srtp_err_status_ok)
+            ++failures;
+        if (srtp_rdb_check(&rdb, i + 1) != srtp_err_status_ok)
+            ++failures;
+        if (srtp_rdb_add_index(&rdb, i + 1) != srtp_err_status_ok)
+            ++failures;
+        if (srtp_rdb_check(&rdb, i) != srtp_err_status_ok)
+            ++failures;
+        if (srtp_rdb_add_index(&rdb, i) != srtp_err_status_ok)
+            ++failures;
+    }
+    timer = clock() - timer;
+
+    return (double)CLOCKS_PER_SEC * REPLAY_NUM_TRIALS / timer;
+}
diff --git a/netwerk/srtp/src/test/roc_driver.c b/netwerk/srtp/src/test/roc_driver.c
new file mode 100644
index 0000000000..439862039a
--- /dev/null
+++ b/netwerk/srtp/src/test/roc_driver.c
@@ -0,0 +1,170 @@
+/*
+ * roc_driver.c
+ *
+ * test driver for rollover counter replay implementation
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+
+/*
+ *
+ * Copyright (c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+
+/*
+ * defining ROC_TEST causes small datatypes to be used in
+ * srtp_xtd_seq_num_t - this allows the functions to be exhaustively tested.
+ */
+#if ROC_NEEDS_TO_BE_TESTED
+#define ROC_TEST
+#endif
+
+#include "rdbx.h"
+#include "ut_sim.h"
+
+srtp_err_status_t roc_test(int num_trials);
+
+int main(void)
+{
+    srtp_err_status_t status;
+
+    printf("rollover counter test driver\n"
+           "David A. McGrew\n"
+           "Cisco Systems, Inc.\n");
+
+    printf("testing index functions...");
+    status = roc_test(1 << 18);
+    if (status) {
+        printf("failed\n");
+        exit(status);
+    }
+    printf("passed\n");
+    return 0;
+}
+
+#define ROC_VERBOSE 0
+
+srtp_err_status_t roc_test(int num_trials)
+{
+    srtp_xtd_seq_num_t local, est, ref;
+    ut_connection utc;
+    int i, num_bad_est = 0;
+    int delta;
+    uint32_t ircvd;
+    double failure_rate;
+
+    srtp_index_init(&local);
+    srtp_index_init(&ref);
+    srtp_index_init(&est);
+
+    printf("\n\ttesting sequential insertion...");
+    for (i = 0; i < 2048; i++) {
+        srtp_index_guess(&local, &est, (uint16_t)ref);
+#if ROC_VERBOSE
+        printf("%lld, %lld, %d\n", ref, est, i);
+#endif
+        if (ref != est) {
+#if ROC_VERBOSE
+            printf(" *bad estimate*\n");
+#endif
+            ++num_bad_est;
+        }
+        srtp_index_advance(&ref, 1);
+    }
+    failure_rate = (double)num_bad_est / num_trials;
+    if (failure_rate > 0.01) {
+        printf("error: failure rate too high (%d bad estimates in %d trials)\n",
+               num_bad_est, num_trials);
+        return srtp_err_status_algo_fail;
+    }
+    printf("done\n");
+
+    printf("\ttesting non-sequential insertion...");
+    srtp_index_init(&local);
+    srtp_index_init(&ref);
+    srtp_index_init(&est);
+    ut_init(&utc);
+
+    for (i = 0; i < num_trials; i++) {
+        /* get next seq num from unreliable transport simulator */
+        ircvd = ut_next_index(&utc);
+
+        /* set ref to value of ircvd */
+        ref = ircvd;
+
+        /* estimate index based on low bits of ircvd */
+        delta = srtp_index_guess(&local, &est, (uint16_t)ref);
+#if ROC_VERBOSE
+        printf("ref: %lld, local: %lld, est: %lld, ircvd: %d, delta: %d\n", ref,
+               local, est, ircvd, delta);
+#endif
+
+        if (local + delta != est) {
+            printf(" *bad delta*: local %llu + delta %d != est %llu\n",
+                   (unsigned long long)local, delta, (unsigned long long)est);
+            return srtp_err_status_algo_fail;
+        }
+
+        /* now update local srtp_xtd_seq_num_t as necessary */
+        if (delta > 0)
+            srtp_index_advance(&local, delta);
+
+        if (ref != est) {
+#if ROC_VERBOSE
+            printf(" *bad estimate*\n");
+#endif
+            /* record failure event */
+            ++num_bad_est;
+
+            /* reset local value to correct value */
+            local = ref;
+        }
+    }
+    failure_rate = (double)num_bad_est / num_trials;
+    if (failure_rate > 0.01) {
+        printf("error: failure rate too high (%d bad estimates in %d trials)\n",
+               num_bad_est, num_trials);
+        return srtp_err_status_algo_fail;
+    }
+    printf("done\n");
+
+    return srtp_err_status_ok;
+}
diff --git a/netwerk/srtp/src/test/rtp.c b/netwerk/srtp/src/test/rtp.c
new file mode 100644
index 0000000000..f60a9b11b2
--- /dev/null
+++ b/netwerk/srtp/src/test/rtp.c
@@ -0,0 +1,227 @@
+/*
+ * rtp.c
+ *
+ * library functions for the real-time transport protocol
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+
+/*
+ *
+ * Copyright (c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include "rtp.h"
+
+#include <stdio.h>
+#include <string.h>
+
+#include <sys/types.h>
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+
+#define PRINT_DEBUG 0   /* set to 1 to print out debugging data */
+#define VERBOSE_DEBUG 0 /* set to 1 to print out more data      */
+
+int rtp_sendto(rtp_sender_t sender, const void *msg, int len)
+{
+    int octets_sent;
+    srtp_err_status_t stat;
+    int pkt_len = len + RTP_HEADER_LEN;
+
+    /* marshal data */
+    strncpy(sender->message.body, msg, len);
+
+    /* update header */
+    sender->message.header.seq = ntohs(sender->message.header.seq) + 1;
+    sender->message.header.seq = htons(sender->message.header.seq);
+    sender->message.header.ts = ntohl(sender->message.header.ts) + 1;
+    sender->message.header.ts = htonl(sender->message.header.ts);
+
+    /* apply srtp */
+    stat = srtp_protect(sender->srtp_ctx, &sender->message.header, &pkt_len);
+    if (stat) {
+#if PRINT_DEBUG
+        fprintf(stderr, "error: srtp protection failed with code %d\n", stat);
+#endif
+        return -1;
+    }
+#if VERBOSE_DEBUG
+    srtp_print_packet(&sender->message.header, pkt_len);
+#endif
+    octets_sent =
+        sendto(sender->socket, (void *)&sender->message, pkt_len, 0,
+               (struct sockaddr *)&sender->addr, sizeof(struct sockaddr_in));
+
+    if (octets_sent != pkt_len) {
+#if PRINT_DEBUG
+        fprintf(stderr, "error: couldn't send message %s", (char *)msg);
+        perror("");
+#endif
+    }
+
+    return octets_sent;
+}
+
+int rtp_recvfrom(rtp_receiver_t receiver, void *msg, int *len)
+{
+    int octets_recvd;
+    srtp_err_status_t stat;
+
+    octets_recvd = recvfrom(receiver->socket, (void *)&receiver->message, *len,
+                            0, (struct sockaddr *)NULL, 0);
+
+    if (octets_recvd == -1) {
+        *len = 0;
+        return -1;
+    }
+
+    /* verify rtp header */
+    if (receiver->message.header.version != 2) {
+        *len = 0;
+        return -1;
+    }
+
+#if PRINT_DEBUG
+    fprintf(stderr, "%d octets received from SSRC %u\n", octets_recvd,
+            receiver->message.header.ssrc);
+#endif
+#if VERBOSE_DEBUG
+    srtp_print_packet(&receiver->message.header, octets_recvd);
+#endif
+
+    /* apply srtp */
+    stat = srtp_unprotect(receiver->srtp_ctx, &receiver->message.header,
+                          &octets_recvd);
+    if (stat) {
+        fprintf(stderr, "error: srtp unprotection failed with code %d%s\n",
+                stat,
+                stat == srtp_err_status_replay_fail
+                    ? " (replay check failed)"
+                    : stat == srtp_err_status_auth_fail ? " (auth check failed)"
+                                                        : "");
+        return -1;
+    }
+    strncpy(msg, receiver->message.body, octets_recvd);
+
+    return octets_recvd;
+}
+
+int rtp_sender_init(rtp_sender_t sender,
+                    int sock,
+                    struct sockaddr_in addr,
+                    unsigned int ssrc)
+{
+    /* set header values */
+    sender->message.header.ssrc = htonl(ssrc);
+    sender->message.header.ts = 0;
+    sender->message.header.seq = (uint16_t)rand();
+    sender->message.header.m = 0;
+    sender->message.header.pt = 0x1;
+    sender->message.header.version = 2;
+    sender->message.header.p = 0;
+    sender->message.header.x = 0;
+    sender->message.header.cc = 0;
+
+    /* set other stuff */
+    sender->socket = sock;
+    sender->addr = addr;
+
+    return 0;
+}
+
+int rtp_receiver_init(rtp_receiver_t rcvr,
+                      int sock,
+                      struct sockaddr_in addr,
+                      unsigned int ssrc)
+{
+    /* set header values */
+    rcvr->message.header.ssrc = htonl(ssrc);
+    rcvr->message.header.ts = 0;
+    rcvr->message.header.seq = 0;
+    rcvr->message.header.m = 0;
+    rcvr->message.header.pt = 0x1;
+    rcvr->message.header.version = 2;
+    rcvr->message.header.p = 0;
+    rcvr->message.header.x = 0;
+    rcvr->message.header.cc = 0;
+
+    /* set other stuff */
+    rcvr->socket = sock;
+    rcvr->addr = addr;
+
+    return 0;
+}
+
+int rtp_sender_init_srtp(rtp_sender_t sender, const srtp_policy_t *policy)
+{
+    return srtp_create(&sender->srtp_ctx, policy);
+}
+
+int rtp_sender_deinit_srtp(rtp_sender_t sender)
+{
+    return srtp_dealloc(sender->srtp_ctx);
+}
+
+int rtp_receiver_init_srtp(rtp_receiver_t sender, const srtp_policy_t *policy)
+{
+    return srtp_create(&sender->srtp_ctx, policy);
+}
+
+int rtp_receiver_deinit_srtp(rtp_receiver_t sender)
+{
+    return srtp_dealloc(sender->srtp_ctx);
+}
+
+rtp_sender_t rtp_sender_alloc(void)
+{
+    return (rtp_sender_t)malloc(sizeof(rtp_sender_ctx_t));
+}
+
+void rtp_sender_dealloc(rtp_sender_t rtp_ctx)
+{
+    free(rtp_ctx);
+}
+
+rtp_receiver_t rtp_receiver_alloc(void)
+{
+    return (rtp_receiver_t)malloc(sizeof(rtp_receiver_ctx_t));
+}
+
+void rtp_receiver_dealloc(rtp_receiver_t rtp_ctx)
+{
+    free(rtp_ctx);
+}
diff --git a/netwerk/srtp/src/test/rtp.h b/netwerk/srtp/src/test/rtp.h
new file mode 100644
index 0000000000..37921a665c
--- /dev/null
+++ b/netwerk/srtp/src/test/rtp.h
@@ -0,0 +1,155 @@
+/*
+ * rtp.h
+ *
+ * rtp interface for srtp reference implementation
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ *
+ * data types:
+ *
+ * rtp_msg_t       an rtp message (the data that goes on the wire)
+ * rtp_sender_t    sender side socket and rtp info
+ * rtp_receiver_t  receiver side socket and rtp info
+ *
+ */
+
+/*
+ *
+ * Copyright (c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef SRTP_RTP_H
+#define SRTP_RTP_H
+
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#elif defined HAVE_WINSOCK2_H
+#include <winsock2.h>
+#endif
+
+#include "srtp_priv.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * RTP_HEADER_LEN indicates the size of an RTP header
+ */
+#define RTP_HEADER_LEN 12
+
+/*
+ * RTP_MAX_BUF_LEN defines the largest RTP packet in the rtp.c implementation
+ */
+#define RTP_MAX_BUF_LEN 16384
+
+typedef srtp_hdr_t rtp_hdr_t;
+
+typedef struct {
+    srtp_hdr_t header;
+    char body[RTP_MAX_BUF_LEN];
+} rtp_msg_t;
+
+typedef struct rtp_sender_ctx_t {
+    rtp_msg_t message;
+    int socket;
+    srtp_ctx_t *srtp_ctx;
+    struct sockaddr_in addr; /* reciever's address */
+} rtp_sender_ctx_t;
+
+typedef struct rtp_receiver_ctx_t {
+    rtp_msg_t message;
+    int socket;
+    srtp_ctx_t *srtp_ctx;
+    struct sockaddr_in addr; /* receiver's address */
+} rtp_receiver_ctx_t;
+
+typedef struct rtp_sender_ctx_t *rtp_sender_t;
+
+typedef struct rtp_receiver_ctx_t *rtp_receiver_t;
+
+int rtp_sendto(rtp_sender_t sender, const void *msg, int len);
+
+int rtp_recvfrom(rtp_receiver_t receiver, void *msg, int *len);
+
+int rtp_receiver_init(rtp_receiver_t rcvr,
+                      int sock,
+                      struct sockaddr_in addr,
+                      unsigned int ssrc);
+
+int rtp_sender_init(rtp_sender_t sender,
+                    int sock,
+                    struct sockaddr_in addr,
+                    unsigned int ssrc);
+
+/*
+ * srtp_sender_init(...) initializes an rtp_sender_t
+ */
+
+int srtp_sender_init(
+    rtp_sender_t rtp_ctx,              /* structure to be init'ed */
+    struct sockaddr_in name,           /* socket name             */
+    srtp_sec_serv_t security_services, /* sec. servs. to be used  */
+    unsigned char *input_key           /* master key/salt in hex  */
+    );
+
+int srtp_receiver_init(
+    rtp_receiver_t rtp_ctx,            /* structure to be init'ed */
+    struct sockaddr_in name,           /* socket name             */
+    srtp_sec_serv_t security_services, /* sec. servs. to be used  */
+    unsigned char *input_key           /* master key/salt in hex  */
+    );
+
+int rtp_sender_init_srtp(rtp_sender_t sender, const srtp_policy_t *policy);
+
+int rtp_sender_deinit_srtp(rtp_sender_t sender);
+
+int rtp_receiver_init_srtp(rtp_receiver_t sender, const srtp_policy_t *policy);
+
+int rtp_receiver_deinit_srtp(rtp_receiver_t sender);
+
+rtp_sender_t rtp_sender_alloc(void);
+
+void rtp_sender_dealloc(rtp_sender_t rtp_ctx);
+
+rtp_receiver_t rtp_receiver_alloc(void);
+
+void rtp_receiver_dealloc(rtp_receiver_t rtp_ctx);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* SRTP_RTP_H */
diff --git a/netwerk/srtp/src/test/rtp_decoder.c b/netwerk/srtp/src/test/rtp_decoder.c
new file mode 100644
index 0000000000..d718a2b3ad
--- /dev/null
+++ b/netwerk/srtp/src/test/rtp_decoder.c
@@ -0,0 +1,574 @@
+/*
+ * rtp_decoder.c
+ *
+ * decoder structures and functions for SRTP pcap decoder
+ *
+ * Example:
+ * $ wget --no-check-certificate \
+ *     https://raw.githubusercontent.com/gteissier/srtp-decrypt/master/marseillaise-srtp.pcap
+ * $ ./test/rtp_decoder -a -t 10 -e 128 -b \
+ *     aSBrbm93IGFsbCB5b3VyIGxpdHRsZSBzZWNyZXRz \
+ *         < ~/marseillaise-srtp.pcap \
+ *         | text2pcap -t "%M:%S." -u 10000,10000 - - \
+ *         > ./marseillaise-rtp.pcap
+ *
+ * There is also a different way of setting up key size and tag size
+ * based upon RFC 4568 crypto suite specification, i.e.:
+ *
+ * $ ./test/rtp_decoder -s AES_CM_128_HMAC_SHA1_80 -b \
+ *     aSBrbm93IGFsbCB5b3VyIGxpdHRsZSBzZWNyZXRz ...
+ *
+ * Audio can be extracted using extractaudio utility from the RTPproxy
+ * package:
+ *
+ * $ extractaudio -A ./marseillaise-rtp.pcap ./marseillaise-out.wav
+ *
+ * Bernardo Torres <bernardo@torresautomacao.com.br>
+ *
+ * Some structure and code from https://github.com/gteissier/srtp-decrypt
+ */
+/*
+ *
+ * Copyright (c) 2001-2017 Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+#include "getopt_s.h" /* for local getopt()  */
+#include <assert.h>   /* for assert()  */
+
+#include <pcap.h>
+#include "rtp_decoder.h"
+#include "util.h"
+
+#ifndef timersub
+#define timersub(a, b, result)                                                 \
+    do {                                                                       \
+        (result)->tv_sec = (a)->tv_sec - (b)->tv_sec;                          \
+        (result)->tv_usec = (a)->tv_usec - (b)->tv_usec;                       \
+        if ((result)->tv_usec < 0) {                                           \
+            --(result)->tv_sec;                                                \
+            (result)->tv_usec += 1000000;                                      \
+        }                                                                      \
+    } while (0)
+#endif
+
+#define MAX_KEY_LEN 96
+#define MAX_FILTER 256
+
+struct srtp_crypto_suite {
+    const char *can_name;
+    int key_size;
+    int tag_size;
+};
+
+static struct srtp_crypto_suite srtp_crypto_suites[] = {
+    {.can_name = "AES_CM_128_HMAC_SHA1_32", .key_size = 128, .tag_size = 4 },
+#if 0
+  {.can_name = "F8_128_HMAC_SHA1_32", .key_size = 128, .tag_size = 4},
+#endif
+    {.can_name = "AES_CM_128_HMAC_SHA1_32", .key_size = 128, .tag_size = 4 },
+    {.can_name = "AES_CM_128_HMAC_SHA1_80", .key_size = 128, .tag_size = 10 },
+    {.can_name = NULL }
+};
+
+int main(int argc, char *argv[])
+{
+    char errbuf[PCAP_ERRBUF_SIZE];
+    bpf_u_int32 pcap_net = 0;
+    pcap_t *pcap_handle;
+#if BEW
+    struct sockaddr_in local;
+#endif
+    srtp_sec_serv_t sec_servs = sec_serv_none;
+    int c;
+    struct srtp_crypto_suite scs, *i_scsp;
+    scs.key_size = 128;
+    scs.tag_size = 8;
+    int gcm_on = 0;
+    char *input_key = NULL;
+    int b64_input = 0;
+    char key[MAX_KEY_LEN];
+    struct bpf_program fp;
+    char filter_exp[MAX_FILTER] = "";
+    rtp_decoder_t dec;
+    srtp_policy_t policy;
+    srtp_err_status_t status;
+    int len;
+    int expected_len;
+    int do_list_mods = 0;
+
+    fprintf(stderr, "Using %s [0x%x]\n", srtp_get_version_string(),
+            srtp_get_version());
+
+    /* initialize srtp library */
+    status = srtp_init();
+    if (status) {
+        fprintf(stderr,
+                "error: srtp initialization failed with error code %d\n",
+                status);
+        exit(1);
+    }
+
+    /* check args */
+    while (1) {
+        c = getopt_s(argc, argv, "b:k:gt:ae:ld:f:s:");
+        if (c == -1) {
+            break;
+        }
+        switch (c) {
+        case 'b':
+            b64_input = 1;
+        /* fall thru */
+        case 'k':
+            input_key = optarg_s;
+            break;
+        case 'e':
+            scs.key_size = atoi(optarg_s);
+            if (scs.key_size != 128 && scs.key_size != 256) {
+                fprintf(stderr,
+                        "error: encryption key size must be 128 or 256 (%d)\n",
+                        scs.key_size);
+                exit(1);
+            }
+            input_key = malloc(scs.key_size);
+            sec_servs |= sec_serv_conf;
+            break;
+        case 't':
+            scs.tag_size = atoi(optarg_s);
+            break;
+        case 'a':
+            sec_servs |= sec_serv_auth;
+            break;
+        case 'g':
+            gcm_on = 1;
+            sec_servs |= sec_serv_auth;
+            break;
+        case 'd':
+            status = srtp_crypto_kernel_set_debug_module(optarg_s, 1);
+            if (status) {
+                fprintf(stderr, "error: set debug module (%s) failed\n",
+                        optarg_s);
+                exit(1);
+            }
+            break;
+        case 'f':
+            if (strlen(optarg_s) > MAX_FILTER) {
+                fprintf(stderr, "error: filter bigger than %d characters\n",
+                        MAX_FILTER);
+                exit(1);
+            }
+            fprintf(stderr, "Setting filter as %s\n", optarg_s);
+            strcpy(filter_exp, optarg_s);
+            break;
+        case 'l':
+            do_list_mods = 1;
+            break;
+        case 's':
+            for (i_scsp = &srtp_crypto_suites[0]; i_scsp->can_name != NULL;
+                 i_scsp++) {
+                if (strcasecmp(i_scsp->can_name, optarg_s) == 0) {
+                    break;
+                }
+            }
+            if (i_scsp->can_name == NULL) {
+                fprintf(stderr, "Unknown/unsupported crypto suite name %s\n",
+                        optarg_s);
+                exit(1);
+            }
+            scs = *i_scsp;
+            input_key = malloc(scs.key_size);
+            sec_servs |= sec_serv_conf | sec_serv_auth;
+            break;
+        default:
+            usage(argv[0]);
+        }
+    }
+
+    if (gcm_on && scs.tag_size != 8 && scs.tag_size != 16) {
+        fprintf(stderr, "error: GCM tag size must be 8 or 16 (%d)\n",
+                scs.tag_size);
+        // exit(1);
+    }
+
+    if (do_list_mods) {
+        status = srtp_crypto_kernel_list_debug_modules();
+        if (status) {
+            fprintf(stderr, "error: list of debug modules failed\n");
+            exit(1);
+        }
+        return 0;
+    }
+
+    if ((sec_servs && !input_key) || (!sec_servs && input_key)) {
+        /*
+         * a key must be provided if and only if security services have
+         * been requested
+         */
+        if (input_key == NULL) {
+            fprintf(stderr, "key not provided\n");
+        }
+        if (!sec_servs) {
+            fprintf(stderr, "no secservs\n");
+        }
+        fprintf(stderr, "provided\n");
+        usage(argv[0]);
+    }
+
+    /* report security services selected on the command line */
+    fprintf(stderr, "security services: ");
+    if (sec_servs & sec_serv_conf)
+        fprintf(stderr, "confidentiality ");
+    if (sec_servs & sec_serv_auth)
+        fprintf(stderr, "message authentication");
+    if (sec_servs == sec_serv_none)
+        fprintf(stderr, "none");
+    fprintf(stderr, "\n");
+
+    /* set up the srtp policy and master key */
+    if (sec_servs) {
+        /*
+         * create policy structure, using the default mechanisms but
+         * with only the security services requested on the command line,
+         * using the right SSRC value
+         */
+        switch (sec_servs) {
+        case sec_serv_conf_and_auth:
+            if (gcm_on) {
+#ifdef OPENSSL
+                switch (scs.key_size) {
+                case 128:
+                    srtp_crypto_policy_set_aes_gcm_128_8_auth(&policy.rtp);
+                    srtp_crypto_policy_set_aes_gcm_128_8_auth(&policy.rtcp);
+                    break;
+                case 256:
+                    srtp_crypto_policy_set_aes_gcm_256_8_auth(&policy.rtp);
+                    srtp_crypto_policy_set_aes_gcm_256_8_auth(&policy.rtcp);
+                    break;
+                }
+#else
+                fprintf(stderr, "error: GCM mode only supported when using the "
+                                "OpenSSL crypto engine.\n");
+                return 0;
+#endif
+            } else {
+                switch (scs.key_size) {
+                case 128:
+                    srtp_crypto_policy_set_rtp_default(&policy.rtp);
+                    srtp_crypto_policy_set_rtcp_default(&policy.rtcp);
+                    break;
+                case 256:
+                    srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80(&policy.rtp);
+                    srtp_crypto_policy_set_rtcp_default(&policy.rtcp);
+                    break;
+                }
+            }
+            break;
+        case sec_serv_conf:
+            if (gcm_on) {
+                fprintf(
+                    stderr,
+                    "error: GCM mode must always be used with auth enabled\n");
+                return -1;
+            } else {
+                switch (scs.key_size) {
+                case 128:
+                    srtp_crypto_policy_set_aes_cm_128_null_auth(&policy.rtp);
+                    srtp_crypto_policy_set_rtcp_default(&policy.rtcp);
+                    break;
+                case 256:
+                    srtp_crypto_policy_set_aes_cm_256_null_auth(&policy.rtp);
+                    srtp_crypto_policy_set_rtcp_default(&policy.rtcp);
+                    break;
+                }
+            }
+            break;
+        case sec_serv_auth:
+            if (gcm_on) {
+#ifdef OPENSSL
+                switch (scs.key_size) {
+                case 128:
+                    srtp_crypto_policy_set_aes_gcm_128_8_only_auth(&policy.rtp);
+                    srtp_crypto_policy_set_aes_gcm_128_8_only_auth(
+                        &policy.rtcp);
+                    break;
+                case 256:
+                    srtp_crypto_policy_set_aes_gcm_256_8_only_auth(&policy.rtp);
+                    srtp_crypto_policy_set_aes_gcm_256_8_only_auth(
+                        &policy.rtcp);
+                    break;
+                }
+#else
+                printf("error: GCM mode only supported when using the OpenSSL "
+                       "crypto engine.\n");
+                return 0;
+#endif
+            } else {
+                srtp_crypto_policy_set_null_cipher_hmac_sha1_80(&policy.rtp);
+                srtp_crypto_policy_set_rtcp_default(&policy.rtcp);
+            }
+            break;
+        default:
+            fprintf(stderr, "error: unknown security service requested\n");
+            return -1;
+        }
+
+        policy.key = (uint8_t *)key;
+        policy.ekt = NULL;
+        policy.next = NULL;
+        policy.window_size = 128;
+        policy.allow_repeat_tx = 0;
+        policy.rtp.sec_serv = sec_servs;
+        policy.rtcp.sec_serv =
+            sec_servs; // sec_serv_none;  /* we don't do RTCP anyway */
+        fprintf(stderr, "setting tag len %d\n", scs.tag_size);
+        policy.rtp.auth_tag_len = scs.tag_size;
+
+        if (gcm_on && scs.tag_size != 8) {
+            fprintf(stderr, "setted tag len %d\n", scs.tag_size);
+            policy.rtp.auth_tag_len = scs.tag_size;
+        }
+
+        /*
+         * read key from hexadecimal or base64 on command line into an octet
+         * string
+         */
+        if (b64_input) {
+            int pad;
+            expected_len = policy.rtp.cipher_key_len * 4 / 3;
+            len = base64_string_to_octet_string(key, &pad, input_key,
+                                                expected_len);
+            if (pad != 0) {
+                fprintf(stderr, "error: padding in base64 unexpected\n");
+                exit(1);
+            }
+        } else {
+            expected_len = policy.rtp.cipher_key_len * 2;
+            len = hex_string_to_octet_string(key, input_key, expected_len);
+        }
+        /* check that hex string is the right length */
+        if (len < expected_len) {
+            fprintf(stderr, "error: too few digits in key/salt "
+                            "(should be %d digits, found %d)\n",
+                    expected_len, len);
+            exit(1);
+        }
+        if (strlen(input_key) > policy.rtp.cipher_key_len * 2) {
+            fprintf(stderr, "error: too many digits in key/salt "
+                            "(should be %d hexadecimal digits, found %u)\n",
+                    policy.rtp.cipher_key_len * 2, (unsigned)strlen(input_key));
+            exit(1);
+        }
+
+        fprintf(stderr, "set master key/salt to %s/",
+                octet_string_hex_string(key, 16));
+        fprintf(stderr, "%s\n", octet_string_hex_string(key + 16, 14));
+
+    } else {
+        fprintf(stderr,
+                "error: neither encryption or authentication were selected");
+        exit(1);
+    }
+
+    pcap_handle = pcap_open_offline("-", errbuf);
+
+    if (!pcap_handle) {
+        fprintf(stderr, "libpcap failed to open file '%s'\n", errbuf);
+        exit(1);
+    }
+    assert(pcap_handle != NULL);
+    if ((pcap_compile(pcap_handle, &fp, filter_exp, 1, pcap_net)) == -1) {
+        fprintf(stderr, "Couldn't parse filter %s: %s\n", filter_exp,
+                pcap_geterr(pcap_handle));
+        return (2);
+    }
+    if (pcap_setfilter(pcap_handle, &fp) == -1) {
+        fprintf(stderr, "couldn't install filter %s: %s\n", filter_exp,
+                pcap_geterr(pcap_handle));
+        return (2);
+    }
+    dec = rtp_decoder_alloc();
+    if (dec == NULL) {
+        fprintf(stderr, "error: malloc() failed\n");
+        exit(1);
+    }
+    fprintf(stderr, "Starting decoder\n");
+    rtp_decoder_init(dec, policy);
+
+    pcap_loop(pcap_handle, 0, rtp_decoder_handle_pkt, (u_char *)dec);
+
+    rtp_decoder_deinit_srtp(dec);
+    rtp_decoder_dealloc(dec);
+
+    status = srtp_shutdown();
+    if (status) {
+        fprintf(stderr, "error: srtp shutdown failed with error code %d\n",
+                status);
+        exit(1);
+    }
+
+    return 0;
+}
+
+void usage(char *string)
+{
+    fprintf(
+        stderr,
+        "usage: %s [-d <debug>]* [[-k][-b] <key> [-a][-e]]\n"
+        "or     %s -l\n"
+        "where  -a use message authentication\n"
+        "       -e <key size> use encryption (use 128 or 256 for key size)\n"
+        "       -g Use AES-GCM mode (must be used with -e)\n"
+        "       -t <tag size> Tag size to use (in GCM mode use 8 or 16)\n"
+        "       -k <key>  sets the srtp master key given in hexadecimal\n"
+        "       -b <key>  sets the srtp master key given in base64\n"
+        "       -l list debug modules\n"
+        "       -f \"<pcap filter>\" to filter only the desired SRTP packets\n"
+        "       -d <debug> turn on debugging for module <debug>\n"
+        "       -s \"<srtp-crypto-suite>\" to set both key and tag size based\n"
+        "          on RFC4568-style crypto suite specification\n",
+        string, string);
+    exit(1);
+}
+
+rtp_decoder_t rtp_decoder_alloc(void)
+{
+    return (rtp_decoder_t)malloc(sizeof(rtp_decoder_ctx_t));
+}
+
+void rtp_decoder_dealloc(rtp_decoder_t rtp_ctx)
+{
+    free(rtp_ctx);
+}
+
+srtp_err_status_t rtp_decoder_init_srtp(rtp_decoder_t decoder,
+                                        unsigned int ssrc)
+{
+    decoder->policy.ssrc.value = htonl(ssrc);
+    return srtp_create(&decoder->srtp_ctx, &decoder->policy);
+}
+
+int rtp_decoder_deinit_srtp(rtp_decoder_t decoder)
+{
+    return srtp_dealloc(decoder->srtp_ctx);
+}
+
+int rtp_decoder_init(rtp_decoder_t dcdr, srtp_policy_t policy)
+{
+    dcdr->rtp_offset = DEFAULT_RTP_OFFSET;
+    dcdr->srtp_ctx = NULL;
+    dcdr->start_tv.tv_usec = 0;
+    dcdr->start_tv.tv_sec = 0;
+    dcdr->frame_nr = -1;
+    dcdr->policy = policy;
+    dcdr->policy.ssrc.type = ssrc_specific;
+    return 0;
+}
+
+/*
+ * decodes key as base64
+ */
+
+void hexdump(const void *ptr, size_t size)
+{
+    int i, j;
+    const unsigned char *cptr = ptr;
+
+    for (i = 0; i < size; i += 16) {
+        fprintf(stdout, "%04x ", i);
+        for (j = 0; j < 16 && i + j < size; j++) {
+            fprintf(stdout, "%02x ", cptr[i + j]);
+        }
+        fprintf(stdout, "\n");
+    }
+}
+
+void rtp_decoder_handle_pkt(u_char *arg,
+                            const struct pcap_pkthdr *hdr,
+                            const u_char *bytes)
+{
+    rtp_decoder_t dcdr = (rtp_decoder_t)arg;
+    int pktsize;
+    struct timeval delta;
+    int octets_recvd;
+    srtp_err_status_t status;
+    dcdr->frame_nr++;
+
+    if ((dcdr->start_tv.tv_sec == 0) && (dcdr->start_tv.tv_usec == 0)) {
+        dcdr->start_tv = hdr->ts;
+    }
+
+    if (hdr->caplen < dcdr->rtp_offset) {
+        return;
+    }
+    const void *rtp_packet = bytes + dcdr->rtp_offset;
+
+    memcpy((void *)&dcdr->message, rtp_packet, hdr->caplen - dcdr->rtp_offset);
+    pktsize = hdr->caplen - dcdr->rtp_offset;
+    octets_recvd = pktsize;
+
+    if (octets_recvd == -1) {
+        return;
+    }
+
+    /* verify rtp header */
+    if (dcdr->message.header.version != 2) {
+        return;
+    }
+    if (dcdr->srtp_ctx == NULL) {
+        status = rtp_decoder_init_srtp(dcdr, dcdr->message.header.ssrc);
+        if (status) {
+            exit(1);
+        }
+    }
+    status = srtp_unprotect(dcdr->srtp_ctx, &dcdr->message, &octets_recvd);
+    if (status) {
+        return;
+    }
+    timersub(&hdr->ts, &dcdr->start_tv, &delta);
+    fprintf(stdout, "%02ld:%02ld.%06ld\n", delta.tv_sec / 60, delta.tv_sec % 60,
+            (long)delta.tv_usec);
+    hexdump(&dcdr->message, octets_recvd);
+}
+
+void rtp_print_error(srtp_err_status_t status, char *message)
+{
+    // clang-format off
+    fprintf(stderr,
+            "error: %s %d%s\n", message, status,
+            status == srtp_err_status_replay_fail ? " (replay check failed)" :
+            status == srtp_err_status_bad_param ? " (bad param)" :
+            status == srtp_err_status_no_ctx ? " (no context)" :
+            status == srtp_err_status_cipher_fail ? " (cipher failed)" :
+            status == srtp_err_status_key_expired ? " (key expired)" :
+            status == srtp_err_status_auth_fail ? " (auth check failed)" : "");
+    // clang-format on
+}
diff --git a/netwerk/srtp/src/test/rtp_decoder.h b/netwerk/srtp/src/test/rtp_decoder.h
new file mode 100644
index 0000000000..c8c31dd773
--- /dev/null
+++ b/netwerk/srtp/src/test/rtp_decoder.h
@@ -0,0 +1,105 @@
+/*
+ * rtp_decoder.h
+ *
+ * decoder structures and functions for SRTP pcap decoder
+ *
+ * Bernardo Torres <bernardo@torresautomacao.com.br>
+ *
+ * Some structure and code from https://github.com/gteissier/srtp-decrypt
+ *
+ */
+/*
+ *
+ * Copyright (c) 2001-2017 Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef RTP_DECODER_H
+#define RTP_DECODER_H
+
+#include "srtp_priv.h"
+#include "rtp.h"
+
+#define DEFAULT_RTP_OFFSET 42
+
+typedef struct rtp_decoder_ctx_t {
+    srtp_policy_t policy;
+    srtp_ctx_t *srtp_ctx;
+    int rtp_offset;
+    struct timeval start_tv;
+    int frame_nr;
+    rtp_msg_t message;
+} rtp_decoder_ctx_t;
+
+typedef struct rtp_decoder_ctx_t *rtp_decoder_t;
+
+/*
+ * error to string
+ */
+void rtp_print_error(srtp_err_status_t status, char *message);
+
+/*
+ * prints the output of a random buffer in hexadecimal
+ */
+void hexdump(const void *ptr, size_t size);
+
+/*
+ * the function usage() prints an error message describing how this
+ * program should be called, then calls exit()
+ */
+void usage(char *prog_name);
+
+/*
+ * transforms base64 key into octet
+ */
+char *decode_sdes(char *in, char *out);
+
+/*
+ * pcap handling
+ */
+void rtp_decoder_handle_pkt(u_char *arg,
+                            const struct pcap_pkthdr *hdr,
+                            const u_char *bytes);
+
+rtp_decoder_t rtp_decoder_alloc(void);
+
+void rtp_decoder_dealloc(rtp_decoder_t rtp_ctx);
+
+int rtp_decoder_init(rtp_decoder_t dcdr, srtp_policy_t policy);
+
+srtp_err_status_t rtp_decoder_init_srtp(rtp_decoder_t decoder,
+                                        unsigned int ssrc);
+
+int rtp_decoder_deinit_srtp(rtp_decoder_t decoder);
+
+#endif /* RTP_DECODER_H */
diff --git a/netwerk/srtp/src/test/rtpw.c b/netwerk/srtp/src/test/rtpw.c
new file mode 100644
index 0000000000..901816e46d
--- /dev/null
+++ b/netwerk/srtp/src/test/rtpw.c
@@ -0,0 +1,701 @@
+/*
+ * rtpw.c
+ *
+ * rtp word sender/receiver
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ *
+ * This app is a simple RTP application intended only for testing
+ * libsrtp.  It reads one word at a time from words.txt (or
+ * whatever file is specified as DICT_FILE or with -w), and sends one word out
+ * each USEC_RATE microseconds.  Secure RTP protections can be
+ * applied.  See the usage() function for more details.
+ *
+ */
+
+/*
+ *
+ * Copyright (c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include "getopt_s.h" /* for local getopt()  */
+
+#include <stdio.h>  /* for printf, fprintf */
+#include <stdlib.h> /* for atoi()          */
+#include <errno.h>
+#include <signal.h> /* for signal()        */
+
+#include <string.h> /* for strncpy()       */
+#include <time.h>   /* for usleep()        */
+
+#ifdef HAVE_UNISTD_H
+#include <unistd.h> /* for close()         */
+#elif defined(_MSC_VER)
+#include <io.h> /* for _close()        */
+#define close _close
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#elif defined HAVE_WINSOCK2_H
+#include <winsock2.h>
+#include <ws2tcpip.h>
+#define RTPW_USE_WINSOCK2 1
+#endif
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+
+#include "srtp.h"
+#include "rtp.h"
+#include "util.h"
+
+#define DICT_FILE "words.txt"
+#define USEC_RATE (5e5)
+#define MAX_WORD_LEN 128
+#define ADDR_IS_MULTICAST(a) IN_MULTICAST(htonl(a))
+#define MAX_KEY_LEN 96
+
+#ifndef HAVE_USLEEP
+#ifdef HAVE_WINDOWS_H
+#define usleep(us) Sleep((us) / 1000)
+#else
+#define usleep(us) sleep((us) / 1000000)
+#endif
+#endif
+
+/*
+ * the function usage() prints an error message describing how this
+ * program should be called, then calls exit()
+ */
+
+void usage(char *prog_name);
+
+/*
+ * leave_group(...) de-registers from a multicast group
+ */
+
+void leave_group(int sock, struct ip_mreq mreq, char *name);
+
+/*
+ * setup_signal_handler() sets up a signal handler to trigger
+ * cleanups after an interrupt
+ */
+int setup_signal_handler(char *name);
+
+/*
+ * handle_signal(...) handles interrupt signal to trigger cleanups
+ */
+
+volatile int interrupted = 0;
+
+/*
+ * program_type distinguishes the [s]rtp sender and receiver cases
+ */
+
+typedef enum { sender, receiver, unknown } program_type;
+
+int main(int argc, char *argv[])
+{
+    char *dictfile = DICT_FILE;
+    FILE *dict;
+    char word[MAX_WORD_LEN];
+    int sock, ret;
+    struct in_addr rcvr_addr;
+    struct sockaddr_in name;
+    struct ip_mreq mreq;
+#if BEW
+    struct sockaddr_in local;
+#endif
+    program_type prog_type = unknown;
+    srtp_sec_serv_t sec_servs = sec_serv_none;
+    unsigned char ttl = 5;
+    int c;
+    int key_size = 128;
+    int tag_size = 8;
+    int gcm_on = 0;
+    char *input_key = NULL;
+    int b64_input = 0;
+    char *address = NULL;
+    char key[MAX_KEY_LEN];
+    unsigned short port = 0;
+    rtp_sender_t snd;
+    srtp_policy_t policy;
+    srtp_err_status_t status;
+    int len;
+    int expected_len;
+    int do_list_mods = 0;
+    uint32_t ssrc = 0xdeadbeef; /* ssrc value hardcoded for now */
+#ifdef RTPW_USE_WINSOCK2
+    WORD wVersionRequested = MAKEWORD(2, 0);
+    WSADATA wsaData;
+
+    ret = WSAStartup(wVersionRequested, &wsaData);
+    if (ret != 0) {
+        fprintf(stderr, "error: WSAStartup() failed: %d\n", ret);
+        exit(1);
+    }
+#endif
+
+    memset(&policy, 0x0, sizeof(srtp_policy_t));
+
+    printf("Using %s [0x%x]\n", srtp_get_version_string(), srtp_get_version());
+
+    if (setup_signal_handler(argv[0]) != 0) {
+        exit(1);
+    }
+
+    /* initialize srtp library */
+    status = srtp_init();
+    if (status) {
+        printf("error: srtp initialization failed with error code %d\n",
+               status);
+        exit(1);
+    }
+
+    /* check args */
+    while (1) {
+        c = getopt_s(argc, argv, "b:k:rsgt:ae:ld:w:");
+        if (c == -1) {
+            break;
+        }
+        switch (c) {
+        case 'b':
+            b64_input = 1;
+        /* fall thru */
+        case 'k':
+            input_key = optarg_s;
+            break;
+        case 'e':
+            key_size = atoi(optarg_s);
+            if (key_size != 128 && key_size != 256) {
+                printf("error: encryption key size must be 128 or 256 (%d)\n",
+                       key_size);
+                exit(1);
+            }
+            sec_servs |= sec_serv_conf;
+            break;
+        case 't':
+            tag_size = atoi(optarg_s);
+            if (tag_size != 8 && tag_size != 16) {
+                printf("error: GCM tag size must be 8 or 16 (%d)\n", tag_size);
+                exit(1);
+            }
+            break;
+        case 'a':
+            sec_servs |= sec_serv_auth;
+            break;
+        case 'g':
+            gcm_on = 1;
+            sec_servs |= sec_serv_auth;
+            break;
+        case 'r':
+            prog_type = receiver;
+            break;
+        case 's':
+            prog_type = sender;
+            break;
+        case 'd':
+            status = srtp_set_debug_module(optarg_s, 1);
+            if (status) {
+                printf("error: set debug module (%s) failed\n", optarg_s);
+                exit(1);
+            }
+            break;
+        case 'l':
+            do_list_mods = 1;
+            break;
+        case 'w':
+            dictfile = optarg_s;
+            break;
+        default:
+            usage(argv[0]);
+        }
+    }
+
+    if (prog_type == unknown) {
+        if (do_list_mods) {
+            status = srtp_list_debug_modules();
+            if (status) {
+                printf("error: list of debug modules failed\n");
+                exit(1);
+            }
+            return 0;
+        } else {
+            printf("error: neither sender [-s] nor receiver [-r] specified\n");
+            usage(argv[0]);
+        }
+    }
+
+    if ((sec_servs && !input_key) || (!sec_servs && input_key)) {
+        /*
+         * a key must be provided if and only if security services have
+         * been requested
+         */
+        usage(argv[0]);
+    }
+
+    if (argc != optind_s + 2) {
+        /* wrong number of arguments */
+        usage(argv[0]);
+    }
+
+    /* get address from arg */
+    address = argv[optind_s++];
+
+    /* get port from arg */
+    port = atoi(argv[optind_s++]);
+
+/* set address */
+#ifdef HAVE_INET_ATON
+    if (0 == inet_aton(address, &rcvr_addr)) {
+        fprintf(stderr, "%s: cannot parse IP v4 address %s\n", argv[0],
+                address);
+        exit(1);
+    }
+    if (rcvr_addr.s_addr == INADDR_NONE) {
+        fprintf(stderr, "%s: address error", argv[0]);
+        exit(1);
+    }
+#else
+    rcvr_addr.s_addr = inet_addr(address);
+    if (0xffffffff == rcvr_addr.s_addr) {
+        fprintf(stderr, "%s: cannot parse IP v4 address %s\n", argv[0],
+                address);
+        exit(1);
+    }
+#endif
+
+    /* open socket */
+    sock = socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP);
+    if (sock < 0) {
+        int err;
+#ifdef RTPW_USE_WINSOCK2
+        err = WSAGetLastError();
+#else
+        err = errno;
+#endif
+        fprintf(stderr, "%s: couldn't open socket: %d\n", argv[0], err);
+        exit(1);
+    }
+
+    memset(&name, 0, sizeof(struct sockaddr_in));
+    name.sin_addr = rcvr_addr;
+    name.sin_family = PF_INET;
+    name.sin_port = htons(port);
+
+    if (ADDR_IS_MULTICAST(rcvr_addr.s_addr)) {
+        if (prog_type == sender) {
+            ret = setsockopt(sock, IPPROTO_IP, IP_MULTICAST_TTL, &ttl,
+                             sizeof(ttl));
+            if (ret < 0) {
+                fprintf(stderr, "%s: Failed to set TTL for multicast group",
+                        argv[0]);
+                perror("");
+                exit(1);
+            }
+        }
+
+        mreq.imr_multiaddr.s_addr = rcvr_addr.s_addr;
+        mreq.imr_interface.s_addr = htonl(INADDR_ANY);
+        ret = setsockopt(sock, IPPROTO_IP, IP_ADD_MEMBERSHIP, (void *)&mreq,
+                         sizeof(mreq));
+        if (ret < 0) {
+            fprintf(stderr, "%s: Failed to join multicast group", argv[0]);
+            perror("");
+            exit(1);
+        }
+    }
+
+    /* report security services selected on the command line */
+    printf("security services: ");
+    if (sec_servs & sec_serv_conf)
+        printf("confidentiality ");
+    if (sec_servs & sec_serv_auth)
+        printf("message authentication");
+    if (sec_servs == sec_serv_none)
+        printf("none");
+    printf("\n");
+
+    /* set up the srtp policy and master key */
+    if (sec_servs) {
+        /*
+         * create policy structure, using the default mechanisms but
+         * with only the security services requested on the command line,
+         * using the right SSRC value
+         */
+        switch (sec_servs) {
+        case sec_serv_conf_and_auth:
+            if (gcm_on) {
+#ifdef GCM
+                switch (key_size) {
+                case 128:
+                    srtp_crypto_policy_set_aes_gcm_128_8_auth(&policy.rtp);
+                    srtp_crypto_policy_set_aes_gcm_128_8_auth(&policy.rtcp);
+                    break;
+                case 256:
+                    srtp_crypto_policy_set_aes_gcm_256_8_auth(&policy.rtp);
+                    srtp_crypto_policy_set_aes_gcm_256_8_auth(&policy.rtcp);
+                    break;
+                }
+#else
+                printf("error: GCM mode only supported when using the OpenSSL "
+                       "or NSS crypto engine.\n");
+                return 0;
+#endif
+            } else {
+                switch (key_size) {
+                case 128:
+                    srtp_crypto_policy_set_rtp_default(&policy.rtp);
+                    srtp_crypto_policy_set_rtcp_default(&policy.rtcp);
+                    break;
+                case 256:
+                    srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80(&policy.rtp);
+                    srtp_crypto_policy_set_rtcp_default(&policy.rtcp);
+                    break;
+                }
+            }
+            break;
+        case sec_serv_conf:
+            if (gcm_on) {
+                printf(
+                    "error: GCM mode must always be used with auth enabled\n");
+                return -1;
+            } else {
+                switch (key_size) {
+                case 128:
+                    srtp_crypto_policy_set_aes_cm_128_null_auth(&policy.rtp);
+                    srtp_crypto_policy_set_rtcp_default(&policy.rtcp);
+                    break;
+                case 256:
+                    srtp_crypto_policy_set_aes_cm_256_null_auth(&policy.rtp);
+                    srtp_crypto_policy_set_rtcp_default(&policy.rtcp);
+                    break;
+                }
+            }
+            break;
+        case sec_serv_auth:
+            if (gcm_on) {
+#ifdef GCM
+                switch (key_size) {
+                case 128:
+                    srtp_crypto_policy_set_aes_gcm_128_8_only_auth(&policy.rtp);
+                    srtp_crypto_policy_set_aes_gcm_128_8_only_auth(
+                        &policy.rtcp);
+                    break;
+                case 256:
+                    srtp_crypto_policy_set_aes_gcm_256_8_only_auth(&policy.rtp);
+                    srtp_crypto_policy_set_aes_gcm_256_8_only_auth(
+                        &policy.rtcp);
+                    break;
+                }
+#else
+                printf("error: GCM mode only supported when using the OpenSSL "
+                       "crypto engine.\n");
+                return 0;
+#endif
+            } else {
+                srtp_crypto_policy_set_null_cipher_hmac_sha1_80(&policy.rtp);
+                srtp_crypto_policy_set_rtcp_default(&policy.rtcp);
+            }
+            break;
+        default:
+            printf("error: unknown security service requested\n");
+            return -1;
+        }
+        policy.ssrc.type = ssrc_specific;
+        policy.ssrc.value = ssrc;
+        policy.key = (uint8_t *)key;
+        policy.ekt = NULL;
+        policy.next = NULL;
+        policy.window_size = 128;
+        policy.allow_repeat_tx = 0;
+        policy.rtp.sec_serv = sec_servs;
+        policy.rtcp.sec_serv = sec_serv_none; /* we don't do RTCP anyway */
+
+        if (gcm_on && tag_size != 8) {
+            policy.rtp.auth_tag_len = tag_size;
+        }
+
+        /*
+         * read key from hexadecimal or base64 on command line into an octet
+         * string
+         */
+        if (b64_input) {
+            int pad;
+            expected_len = (policy.rtp.cipher_key_len * 4) / 3;
+            len = base64_string_to_octet_string(key, &pad, input_key,
+                                                expected_len);
+            if (pad != 0) {
+                fprintf(stderr, "error: padding in base64 unexpected\n");
+                exit(1);
+            }
+        } else {
+            expected_len = policy.rtp.cipher_key_len * 2;
+            len = hex_string_to_octet_string(key, input_key, expected_len);
+        }
+        /* check that hex string is the right length */
+        if (len < expected_len) {
+            fprintf(stderr, "error: too few digits in key/salt "
+                            "(should be %d digits, found %d)\n",
+                    expected_len, len);
+            exit(1);
+        }
+        if ((int)strlen(input_key) > policy.rtp.cipher_key_len * 2) {
+            fprintf(stderr, "error: too many digits in key/salt "
+                            "(should be %d hexadecimal digits, found %u)\n",
+                    policy.rtp.cipher_key_len * 2, (unsigned)strlen(input_key));
+            exit(1);
+        }
+
+        printf("set master key/salt to %s/", octet_string_hex_string(key, 16));
+        printf("%s\n", octet_string_hex_string(key + 16, 14));
+
+    } else {
+        /*
+         * we're not providing security services, so set the policy to the
+         * null policy
+         *
+         * Note that this policy does not conform to the SRTP
+         * specification, since RTCP authentication is required.  However,
+         * the effect of this policy is to turn off SRTP, so that this
+         * application is now a vanilla-flavored RTP application.
+         */
+        srtp_crypto_policy_set_null_cipher_hmac_null(&policy.rtp);
+        srtp_crypto_policy_set_null_cipher_hmac_null(&policy.rtcp);
+        policy.key = (uint8_t *)key;
+        policy.ssrc.type = ssrc_specific;
+        policy.ssrc.value = ssrc;
+        policy.window_size = 0;
+        policy.allow_repeat_tx = 0;
+        policy.ekt = NULL;
+        policy.next = NULL;
+    }
+
+    if (prog_type == sender) {
+#if BEW
+        /* bind to local socket (to match crypto policy, if need be) */
+        memset(&local, 0, sizeof(struct sockaddr_in));
+        local.sin_addr.s_addr = htonl(INADDR_ANY);
+        local.sin_port = htons(port);
+        ret = bind(sock, (struct sockaddr *)&local, sizeof(struct sockaddr_in));
+        if (ret < 0) {
+            fprintf(stderr, "%s: bind failed\n", argv[0]);
+            perror("");
+            exit(1);
+        }
+#endif /* BEW */
+
+        /* initialize sender's rtp and srtp contexts */
+        snd = rtp_sender_alloc();
+        if (snd == NULL) {
+            fprintf(stderr, "error: malloc() failed\n");
+            exit(1);
+        }
+        rtp_sender_init(snd, sock, name, ssrc);
+        status = rtp_sender_init_srtp(snd, &policy);
+        if (status) {
+            fprintf(stderr, "error: srtp_create() failed with code %d\n",
+                    status);
+            exit(1);
+        }
+
+        /* open dictionary */
+        dict = fopen(dictfile, "r");
+        if (dict == NULL) {
+            fprintf(stderr, "%s: couldn't open file %s\n", argv[0], dictfile);
+            if (ADDR_IS_MULTICAST(rcvr_addr.s_addr)) {
+                leave_group(sock, mreq, argv[0]);
+            }
+            exit(1);
+        }
+
+        /* read words from dictionary, then send them off */
+        while (!interrupted && fgets(word, MAX_WORD_LEN, dict) != NULL) {
+            len = strlen(word) + 1; /* plus one for null */
+
+            if (len > MAX_WORD_LEN)
+                printf("error: word %s too large to send\n", word);
+            else {
+                rtp_sendto(snd, word, len);
+                printf("sending word: %s", word);
+            }
+            usleep(USEC_RATE);
+        }
+
+        rtp_sender_deinit_srtp(snd);
+        rtp_sender_dealloc(snd);
+
+        fclose(dict);
+    } else { /* prog_type == receiver */
+        rtp_receiver_t rcvr;
+
+        if (bind(sock, (struct sockaddr *)&name, sizeof(name)) < 0) {
+            close(sock);
+            fprintf(stderr, "%s: socket bind error\n", argv[0]);
+            perror(NULL);
+            if (ADDR_IS_MULTICAST(rcvr_addr.s_addr)) {
+                leave_group(sock, mreq, argv[0]);
+            }
+            exit(1);
+        }
+
+        rcvr = rtp_receiver_alloc();
+        if (rcvr == NULL) {
+            fprintf(stderr, "error: malloc() failed\n");
+            exit(1);
+        }
+        rtp_receiver_init(rcvr, sock, name, ssrc);
+        status = rtp_receiver_init_srtp(rcvr, &policy);
+        if (status) {
+            fprintf(stderr, "error: srtp_create() failed with code %d\n",
+                    status);
+            exit(1);
+        }
+
+        /* get next word and loop */
+        while (!interrupted) {
+            len = MAX_WORD_LEN;
+            if (rtp_recvfrom(rcvr, word, &len) > -1)
+                printf("\tword: %s\n", word);
+        }
+
+        rtp_receiver_deinit_srtp(rcvr);
+        rtp_receiver_dealloc(rcvr);
+    }
+
+    if (ADDR_IS_MULTICAST(rcvr_addr.s_addr)) {
+        leave_group(sock, mreq, argv[0]);
+    }
+
+#ifdef RTPW_USE_WINSOCK2
+    ret = closesocket(sock);
+#else
+    ret = close(sock);
+#endif
+    if (ret < 0) {
+        fprintf(stderr, "%s: Failed to close socket", argv[0]);
+        perror("");
+    }
+
+    status = srtp_shutdown();
+    if (status) {
+        printf("error: srtp shutdown failed with error code %d\n", status);
+        exit(1);
+    }
+
+#ifdef RTPW_USE_WINSOCK2
+    WSACleanup();
+#endif
+
+    return 0;
+}
+
+void usage(char *string)
+{
+    printf("usage: %s [-d <debug>]* [-k <key> [-a][-e]] "
+           "[-s | -r] dest_ip dest_port\n"
+           "or     %s -l\n"
+           "where  -a use message authentication\n"
+           "       -e <key size> use encryption (use 128 or 256 for key size)\n"
+           "       -g Use AES-GCM mode (must be used with -e)\n"
+           "       -t <tag size> Tag size to use in GCM mode (use 8 or 16)\n"
+           "       -k <key>  sets the srtp master key given in hexadecimal\n"
+           "       -b <key>  sets the srtp master key given in base64\n"
+           "       -s act as rtp sender\n"
+           "       -r act as rtp receiver\n"
+           "       -l list debug modules\n"
+           "       -d <debug> turn on debugging for module <debug>\n"
+           "       -w <wordsfile> use <wordsfile> for input, rather than %s\n",
+           string, string, DICT_FILE);
+    exit(1);
+}
+
+void leave_group(int sock, struct ip_mreq mreq, char *name)
+{
+    int ret;
+
+    ret = setsockopt(sock, IPPROTO_IP, IP_DROP_MEMBERSHIP, (void *)&mreq,
+                     sizeof(mreq));
+    if (ret < 0) {
+        fprintf(stderr, "%s: Failed to leave multicast group", name);
+        perror("");
+    }
+}
+
+void handle_signal(int signum)
+{
+    interrupted = 1;
+    /* Reset handler explicitly, in case we don't have sigaction() (and signal()
+       has BSD semantics), or we don't have SA_RESETHAND */
+    signal(signum, SIG_DFL);
+}
+
+int setup_signal_handler(char *name)
+{
+#if HAVE_SIGACTION
+    struct sigaction act;
+    memset(&act, 0, sizeof(act));
+
+    act.sa_handler = handle_signal;
+    sigemptyset(&act.sa_mask);
+#if defined(SA_RESETHAND)
+    act.sa_flags = SA_RESETHAND;
+#else
+    act.sa_flags = 0;
+#endif
+    /* Note that we're not setting SA_RESTART; we want recvfrom to return
+     * EINTR when we signal the receiver. */
+
+    if (sigaction(SIGTERM, &act, NULL) != 0) {
+        fprintf(stderr, "%s: error setting up signal handler", name);
+        perror("");
+        return -1;
+    }
+#else
+    if (signal(SIGTERM, handle_signal) == SIG_ERR) {
+        fprintf(stderr, "%s: error setting up signal handler", name);
+        perror("");
+        return -1;
+    }
+#endif
+    return 0;
+}
diff --git a/netwerk/srtp/src/test/rtpw_test.sh b/netwerk/srtp/src/test/rtpw_test.sh
new file mode 100755
index 0000000000..158a39312d
--- /dev/null
+++ b/netwerk/srtp/src/test/rtpw_test.sh
@@ -0,0 +1,176 @@
+#!/bin/sh
+# 
+# usage: rtpw_test <rtpw_commands>
+# 
+# tests the rtpw sender and receiver functions
+#
+# Copyright (c) 2001-2017, Cisco Systems, Inc.
+# All rights reserved.
+# 
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 
+#   Redistributions of source code must retain the above copyright
+#   notice, this list of conditions and the following disclaimer.
+# 
+#   Redistributions in binary form must reproduce the above
+#   copyright notice, this list of conditions and the following
+#   disclaimer in the documentation and/or other materials provided
+#   with the distribution.
+# 
+#   Neither the name of the Cisco Systems, Inc. nor the names of its
+#   contributors may be used to endorse or promote products derived
+#   from this software without specific prior written permission.
+# 
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+# OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+case $(uname -s) in
+    *CYGWIN*|*MINGW*)
+        EXE=".exe"
+        ;;
+    *Linux*)
+        EXE=""
+        export LD_LIBRARY_PATH=$CRYPTO_LIBDIR
+        ;;
+    *Darwin*)
+        EXE=""
+        export DYLD_LIBRARY_PATH=$CRYPTO_LIBDIR
+        ;;
+esac
+
+RTPW=./rtpw$EXE
+DEST_PORT=9999
+DURATION=3
+
+key=Ky7cUDT2GnI0XKWYbXv9AYmqbcLsqzL9mvdN9t/G
+
+ARGS="-b $key -a -e 128"
+
+# First, we run "killall" to get rid of all existing rtpw processes.
+# This step also enables this script to clean up after itself; if this
+# script is interrupted after the rtpw processes are started but before
+# they are killed, those processes will linger.  Re-running the script
+# will get rid of them.
+
+killall rtpw 2>/dev/null
+
+if test -x $RTPW; then
+
+echo  $0 ": starting rtpw receiver process... "
+
+$RTPW $* $ARGS -r 0.0.0.0 $DEST_PORT  &
+
+receiver_pid=$!
+
+echo $0 ": receiver PID = $receiver_pid"
+
+sleep 1 
+
+# verify that the background job is running
+ps -e | grep -q $receiver_pid
+retval=$?
+echo $retval
+if [ $retval != 0 ]; then
+    echo $0 ": error"
+    exit 254
+fi
+
+echo  $0 ": starting rtpw sender process..."
+
+$RTPW $* $ARGS -s 127.0.0.1 $DEST_PORT  &
+
+sender_pid=$!
+
+echo $0 ": sender PID = $sender_pid"
+
+# verify that the background job is running
+ps -e | grep -q $sender_pid
+retval=$?
+echo $retval
+if [ $retval != 0 ]; then
+    echo $0 ": error"
+    exit 255
+fi
+
+sleep $DURATION
+
+kill $receiver_pid
+kill $sender_pid
+
+wait $receiver_pid 2>/dev/null
+wait $sender_pid 2>/dev/null
+
+
+key=033490ba9e82994fc21013395739038992b2edc5034f61a72345ca598d7bfd0189aa6dc2ecab32fd9af74df6dfc6
+
+ARGS="-k $key -a -e 256"
+
+echo  $0 ": starting rtpw receiver process... "
+
+$RTPW $* $ARGS -r 0.0.0.0 $DEST_PORT  &
+
+receiver_pid=$!
+
+echo $0 ": receiver PID = $receiver_pid"
+
+sleep 1 
+
+# verify that the background job is running
+ps -e | grep -q $receiver_pid
+retval=$?
+echo $retval
+if [ $retval != 0 ]; then
+    echo $0 ": error"
+    exit 254
+fi
+
+echo  $0 ": starting rtpw sender process..."
+
+$RTPW $* $ARGS -s 127.0.0.1 $DEST_PORT  &
+
+sender_pid=$!
+
+echo $0 ": sender PID = $sender_pid"
+
+# verify that the background job is running
+ps -e | grep -q $sender_pid
+retval=$?
+echo $retval
+if [ $retval != 0 ]; then
+    echo $0 ": error"
+    exit 255
+fi
+
+sleep $DURATION
+
+kill $receiver_pid
+kill $sender_pid
+
+wait $receiver_pid 2>/dev/null
+wait $sender_pid 2>/dev/null
+
+echo $0 ": done (test passed)"
+
+else 
+
+echo "error: can't find executable" $RTPW
+exit 1
+
+fi
+
+# EOF
+
+
diff --git a/netwerk/srtp/src/test/rtpw_test_gcm.sh b/netwerk/srtp/src/test/rtpw_test_gcm.sh
new file mode 100755
index 0000000000..644255e1a1
--- /dev/null
+++ b/netwerk/srtp/src/test/rtpw_test_gcm.sh
@@ -0,0 +1,260 @@
+#!/bin/sh
+# 
+# usage: rtpw_test <rtpw_commands>
+# 
+# tests the rtpw sender and receiver functions
+#
+# Copyright (c) 2001-2017, Cisco Systems, Inc.
+# All rights reserved.
+# 
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 
+#   Redistributions of source code must retain the above copyright
+#   notice, this list of conditions and the following disclaimer.
+# 
+#   Redistributions in binary form must reproduce the above
+#   copyright notice, this list of conditions and the following
+#   disclaimer in the documentation and/or other materials provided
+#   with the distribution.
+# 
+#   Neither the name of the Cisco Systems, Inc. nor the names of its
+#   contributors may be used to endorse or promote products derived
+#   from this software without specific prior written permission.
+# 
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+# OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+case $(uname -s) in
+    *CYGWIN*|*MINGW*)
+        EXE=".exe"
+        ;;
+    *Linux*)
+        EXE=""
+        export LD_LIBRARY_PATH=$CRYPTO_LIBDIR
+        ;;
+    *Darwin*)
+        EXE=""
+        export DYLD_LIBRARY_PATH=$CRYPTO_LIBDIR
+        ;;
+esac
+
+RTPW=./rtpw$EXE
+DEST_PORT=9999
+DURATION=3
+
+# First, we run "killall" to get rid of all existing rtpw processes.
+# This step also enables this script to clean up after itself; if this
+# script is interrupted after the rtpw processes are started but before
+# they are killed, those processes will linger.  Re-running the script
+# will get rid of them.
+
+killall rtpw 2>/dev/null
+
+if test -x $RTPW; then
+
+GCMARGS128="-k 01234567890123456789012345678901234567890123456789012345 -g -e 128"
+echo  $0 ": starting GCM mode 128-bit rtpw receiver process... "
+
+exec $RTPW $* $GCMARGS128 -r 127.0.0.1 $DEST_PORT &
+
+receiver_pid=$!
+
+echo $0 ": receiver PID = $receiver_pid"
+
+sleep 1 
+
+# verify that the background job is running
+ps -e | grep -q $receiver_pid
+retval=$?
+echo $retval
+if [ $retval != 0 ]; then
+    echo $0 ": error"
+    exit 254
+fi
+
+echo  $0 ": starting GCM 128-bit rtpw sender process..."
+
+exec $RTPW $* $GCMARGS128 -s 127.0.0.1 $DEST_PORT  &
+
+sender_pid=$!
+
+echo $0 ": sender PID = $sender_pid"
+
+# verify that the background job is running
+ps -e | grep -q $sender_pid
+retval=$?
+echo $retval
+if [ $retval != 0 ]; then
+    echo $0 ": error"
+    exit 255
+fi
+
+sleep $DURATION
+
+kill $receiver_pid
+kill $sender_pid
+
+wait $receiver_pid 2>/dev/null
+wait $sender_pid 2>/dev/null
+
+GCMARGS128="-k 01234567890123456789012345678901234567890123456789012345 -g -t 16 -e 128"
+echo  $0 ": starting GCM mode 128-bit (16 byte tag) rtpw receiver process... "
+
+exec $RTPW $* $GCMARGS128 -r 127.0.0.1 $DEST_PORT &
+
+receiver_pid=$!
+
+echo $0 ": receiver PID = $receiver_pid"
+
+sleep 1 
+
+# verify that the background job is running
+ps -e | grep -q $receiver_pid
+retval=$?
+echo $retval
+if [ $retval != 0 ]; then
+    echo $0 ": error"
+    exit 254
+fi
+
+echo  $0 ": starting GCM 128-bit (16 byte tag) rtpw sender process..."
+
+exec $RTPW $* $GCMARGS128 -s 127.0.0.1 $DEST_PORT  &
+
+sender_pid=$!
+
+echo $0 ": sender PID = $sender_pid"
+
+# verify that the background job is running
+ps -e | grep -q $sender_pid
+retval=$?
+echo $retval
+if [ $retval != 0 ]; then
+    echo $0 ": error"
+    exit 255
+fi
+
+sleep $DURATION
+
+kill $receiver_pid
+kill $sender_pid
+
+wait $receiver_pid 2>/dev/null
+wait $sender_pid 2>/dev/null
+
+
+GCMARGS256="-k 0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567 -g -e 256"
+echo  $0 ": starting GCM mode 256-bit rtpw receiver process... "
+
+exec $RTPW $* $GCMARGS256 -r 127.0.0.1 $DEST_PORT &
+
+receiver_pid=$!
+
+echo $0 ": receiver PID = $receiver_pid"
+
+sleep 1 
+
+# verify that the background job is running
+ps -e | grep -q $receiver_pid
+retval=$?
+echo $retval
+if [ $retval != 0 ]; then
+    echo $0 ": error"
+    exit 254
+fi
+
+echo  $0 ": starting GCM 256-bit rtpw sender process..."
+
+exec $RTPW $* $GCMARGS256 -s 127.0.0.1 $DEST_PORT  &
+
+sender_pid=$!
+
+echo $0 ": sender PID = $sender_pid"
+
+# verify that the background job is running
+ps -e | grep -q $sender_pid
+retval=$?
+echo $retval
+if [ $retval != 0 ]; then
+    echo $0 ": error"
+    exit 255
+fi
+
+sleep $DURATION
+
+kill $receiver_pid
+kill $sender_pid
+
+wait $receiver_pid 2>/dev/null
+wait $sender_pid 2>/dev/null
+
+GCMARGS256="-k a123456789012345678901234567890123456789012345678901234567890123456789012345678901234567 -g -t 16 -e 256"
+echo  $0 ": starting GCM mode 256-bit (16 byte tag) rtpw receiver process... "
+
+exec $RTPW $* $GCMARGS256 -r 127.0.0.1 $DEST_PORT &
+
+receiver_pid=$!
+
+echo $0 ": receiver PID = $receiver_pid"
+
+sleep 1 
+
+# verify that the background job is running
+ps -e | grep -q $receiver_pid
+retval=$?
+echo $retval
+if [ $retval != 0 ]; then
+    echo $0 ": error"
+    exit 254
+fi
+
+echo  $0 ": starting GCM 256-bit (16 byte tag) rtpw sender process..."
+
+exec $RTPW $* $GCMARGS256 -s 127.0.0.1 $DEST_PORT  &
+
+sender_pid=$!
+
+echo $0 ": sender PID = $sender_pid"
+
+# verify that the background job is running
+ps -e | grep -q $sender_pid
+retval=$?
+echo $retval
+if [ $retval != 0 ]; then
+    echo $0 ": error"
+    exit 255
+fi
+
+sleep $DURATION
+
+kill $receiver_pid
+kill $sender_pid
+
+wait $receiver_pid 2>/dev/null
+wait $sender_pid 2>/dev/null
+
+echo $0 ": done (test passed)"
+
+else 
+
+echo "error: can't find executable" $RTPW
+exit 1
+
+fi
+
+# EOF
+
+
diff --git a/netwerk/srtp/src/test/srtp_driver.c b/netwerk/srtp/src/test/srtp_driver.c
new file mode 100644
index 0000000000..a7234539f7
--- /dev/null
+++ b/netwerk/srtp/src/test/srtp_driver.c
@@ -0,0 +1,3837 @@
+/*
+ * srtp_driver.c
+ *
+ * a test driver for libSRTP
+ *
+ * David A. McGrew
+ * Cisco Systems, Inc.
+ */
+/*
+ *
+ * Copyright (c) 2001-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <string.h>   /* for memcpy()          */
+#include <time.h>     /* for clock()           */
+#include <stdlib.h>   /* for malloc(), free()  */
+#include <stdio.h>    /* for print(), fflush() */
+#include "getopt_s.h" /* for local getopt()    */
+
+#include "srtp_priv.h"
+#include "util.h"
+
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#elif defined HAVE_WINSOCK2_H
+#include <winsock2.h>
+#endif
+
+#define PRINT_REFERENCE_PACKET 1
+
+srtp_err_status_t srtp_validate(void);
+
+#ifdef GCM
+srtp_err_status_t srtp_validate_gcm(void);
+#endif
+
+srtp_err_status_t srtp_validate_encrypted_extensions_headers(void);
+
+#ifdef GCM
+srtp_err_status_t srtp_validate_encrypted_extensions_headers_gcm(void);
+#endif
+
+srtp_err_status_t srtp_validate_aes_256(void);
+
+srtp_err_status_t srtp_create_big_policy(srtp_policy_t **list);
+
+srtp_err_status_t srtp_dealloc_big_policy(srtp_policy_t *list);
+
+srtp_err_status_t srtp_test_empty_payload(void);
+
+#ifdef GCM
+srtp_err_status_t srtp_test_empty_payload_gcm(void);
+#endif
+
+srtp_err_status_t srtp_test_remove_stream(void);
+
+srtp_err_status_t srtp_test_update(void);
+
+srtp_err_status_t srtp_test_protect_trailer_length(void);
+
+srtp_err_status_t srtp_test_protect_rtcp_trailer_length(void);
+
+srtp_err_status_t srtp_test_get_roc(void);
+
+srtp_err_status_t srtp_test_set_receiver_roc(void);
+
+srtp_err_status_t srtp_test_set_sender_roc(void);
+
+double srtp_bits_per_second(int msg_len_octets, const srtp_policy_t *policy);
+
+double srtp_rejections_per_second(int msg_len_octets,
+                                  const srtp_policy_t *policy);
+
+void srtp_do_timing(const srtp_policy_t *policy);
+
+void srtp_do_rejection_timing(const srtp_policy_t *policy);
+
+srtp_err_status_t srtp_test(const srtp_policy_t *policy,
+                            int extension_header,
+                            int mki_index);
+
+srtp_err_status_t srtcp_test(const srtp_policy_t *policy, int mki_index);
+
+srtp_err_status_t srtp_session_print_policy(srtp_t srtp);
+
+srtp_err_status_t srtp_print_policy(const srtp_policy_t *policy);
+
+char *srtp_packet_to_string(srtp_hdr_t *hdr, int packet_len);
+
+double mips_estimate(int num_trials, int *ignore);
+
+#define TEST_MKI_ID_SIZE 4
+
+extern uint8_t test_key[46];
+extern uint8_t test_key_2[46];
+extern uint8_t test_mki_id[TEST_MKI_ID_SIZE];
+extern uint8_t test_mki_id_2[TEST_MKI_ID_SIZE];
+
+// clang-format off
+srtp_master_key_t master_key_1 = {
+    test_key,
+    test_mki_id,
+    TEST_MKI_ID_SIZE
+};
+
+srtp_master_key_t master_key_2 = {
+    test_key_2,
+    test_mki_id_2,
+    TEST_MKI_ID_SIZE
+};
+
+srtp_master_key_t *test_keys[2] = {
+    &master_key_1,
+    &master_key_2
+};
+// clang-format on
+
+void usage(char *prog_name)
+{
+    printf("usage: %s [ -t ][ -c ][ -v ][ -o ][-d <debug_module> ]* [ -l ]\n"
+           "  -t         run timing test\n"
+           "  -r         run rejection timing test\n"
+           "  -c         run codec timing test\n"
+           "  -v         run validation tests\n"
+           "  -o         output logging to stdout\n"
+           "  -d <mod>   turn on debugging module <mod>\n"
+           "  -l         list debugging modules\n",
+           prog_name);
+    exit(1);
+}
+
+void log_handler(srtp_log_level_t level, const char *msg, void *data)
+{
+    char level_char = '?';
+    switch (level) {
+    case srtp_log_level_error:
+        level_char = 'e';
+        break;
+    case srtp_log_level_warning:
+        level_char = 'w';
+        break;
+    case srtp_log_level_info:
+        level_char = 'i';
+        break;
+    case srtp_log_level_debug:
+        level_char = 'd';
+        break;
+    }
+    printf("SRTP-LOG [%c]: %s\n", level_char, msg);
+}
+
+/*
+ * The policy_array is a null-terminated array of policy structs. it
+ * is declared at the end of this file
+ */
+
+extern const srtp_policy_t *policy_array[];
+
+/* the wildcard_policy is declared below; it has a wildcard ssrc */
+
+extern const srtp_policy_t wildcard_policy;
+
+/*
+ * mod_driver debug module - debugging module for this test driver
+ *
+ * we use the crypto_kernel debugging system in this driver, which
+ * makes the interface uniform and increases portability
+ */
+
+srtp_debug_module_t mod_driver = {
+    0,       /* debugging is off by default */
+    "driver" /* printable name for module   */
+};
+
+int main(int argc, char *argv[])
+{
+    int q;
+    unsigned do_timing_test = 0;
+    unsigned do_rejection_test = 0;
+    unsigned do_codec_timing = 0;
+    unsigned do_validation = 0;
+    unsigned do_list_mods = 0;
+    unsigned do_log_stdout = 0;
+    srtp_err_status_t status;
+
+    /*
+     * verify that the compiler has interpreted the header data
+     * structure srtp_hdr_t correctly
+     */
+    if (sizeof(srtp_hdr_t) != 12) {
+        printf("error: srtp_hdr_t has incorrect size"
+               "(size is %ld bytes, expected 12)\n",
+               (long)sizeof(srtp_hdr_t));
+        exit(1);
+    }
+
+    /* initialize srtp library */
+    status = srtp_init();
+    if (status) {
+        printf("error: srtp init failed with error code %d\n", status);
+        exit(1);
+    }
+
+    /*  load srtp_driver debug module */
+    status = srtp_crypto_kernel_load_debug_module(&mod_driver);
+    if (status) {
+        printf("error: load of srtp_driver debug module failed "
+               "with error code %d\n",
+               status);
+        exit(1);
+    }
+
+    /* process input arguments */
+    while (1) {
+        q = getopt_s(argc, argv, "trcvold:");
+        if (q == -1) {
+            break;
+        }
+        switch (q) {
+        case 't':
+            do_timing_test = 1;
+            break;
+        case 'r':
+            do_rejection_test = 1;
+            break;
+        case 'c':
+            do_codec_timing = 1;
+            break;
+        case 'v':
+            do_validation = 1;
+            break;
+        case 'o':
+            do_log_stdout = 1;
+            break;
+        case 'l':
+            do_list_mods = 1;
+            break;
+        case 'd':
+            status = srtp_set_debug_module(optarg_s, 1);
+            if (status) {
+                printf("error: set debug module (%s) failed\n", optarg_s);
+                exit(1);
+            }
+            break;
+        default:
+            usage(argv[0]);
+        }
+    }
+
+    if (!do_validation && !do_timing_test && !do_codec_timing &&
+        !do_list_mods && !do_rejection_test) {
+        usage(argv[0]);
+    }
+
+    if (do_log_stdout) {
+        status = srtp_install_log_handler(log_handler, NULL);
+        if (status) {
+            printf("error: install log handler failed\n");
+            exit(1);
+        }
+    }
+
+    if (do_list_mods) {
+        status = srtp_list_debug_modules();
+        if (status) {
+            printf("error: list of debug modules failed\n");
+            exit(1);
+        }
+    }
+
+    if (do_validation) {
+        const srtp_policy_t **policy = policy_array;
+        srtp_policy_t *big_policy;
+
+        /* loop over policy array, testing srtp and srtcp for each policy */
+        while (*policy != NULL) {
+            printf("testing srtp_protect and srtp_unprotect\n");
+            if (srtp_test(*policy, 0, -1) == srtp_err_status_ok) {
+                printf("passed\n\n");
+            } else {
+                printf("failed\n");
+                exit(1);
+            }
+
+            printf("testing srtp_protect and srtp_unprotect with encrypted "
+                   "extensions headers\n");
+            if (srtp_test(*policy, 1, -1) == srtp_err_status_ok) {
+                printf("passed\n\n");
+            } else {
+                printf("failed\n");
+                exit(1);
+            }
+            printf("testing srtp_protect_rtcp and srtp_unprotect_rtcp\n");
+            if (srtcp_test(*policy, -1) == srtp_err_status_ok) {
+                printf("passed\n\n");
+            } else {
+                printf("failed\n");
+                exit(1);
+            }
+            printf("testing srtp_protect_rtp and srtp_unprotect_rtp with MKI "
+                   "index set to 0\n");
+            if (srtp_test(*policy, 0, 0) == srtp_err_status_ok) {
+                printf("passed\n\n");
+            } else {
+                printf("failed\n");
+                exit(1);
+            }
+            printf("testing srtp_protect_rtp and srtp_unprotect_rtp with MKI "
+                   "index set to 1\n");
+            if (srtp_test(*policy, 0, 1) == srtp_err_status_ok) {
+                printf("passed\n\n");
+            } else {
+                printf("failed\n");
+                exit(1);
+            }
+
+            printf("testing srtp_protect_rtcp and srtp_unprotect_rtcp with MKI "
+                   "index set to 0\n");
+            if (srtcp_test(*policy, 0) == srtp_err_status_ok) {
+                printf("passed\n\n");
+            } else {
+                printf("failed\n");
+                exit(1);
+            }
+            printf("testing srtp_protect_rtcp and srtp_unprotect_rtcp with MKI "
+                   "index set to 1\n");
+            if (srtcp_test(*policy, 1) == srtp_err_status_ok) {
+                printf("passed\n\n");
+            } else {
+                printf("failed\n");
+                exit(1);
+            }
+            policy++;
+        }
+
+        /* create a big policy list and run tests on it */
+        status = srtp_create_big_policy(&big_policy);
+        if (status) {
+            printf("unexpected failure with error code %d\n", status);
+            exit(1);
+        }
+        printf("testing srtp_protect and srtp_unprotect with big policy\n");
+        if (srtp_test(big_policy, 0, -1) == srtp_err_status_ok) {
+            printf("passed\n\n");
+        } else {
+            printf("failed\n");
+            exit(1);
+        }
+        printf("testing srtp_protect and srtp_unprotect with big policy and "
+               "encrypted extensions headers\n");
+        if (srtp_test(big_policy, 1, -1) == srtp_err_status_ok) {
+            printf("passed\n\n");
+        } else {
+            printf("failed\n");
+            exit(1);
+        }
+        status = srtp_dealloc_big_policy(big_policy);
+        if (status) {
+            printf("unexpected failure with error code %d\n", status);
+            exit(1);
+        }
+
+        /* run test on wildcard policy */
+        printf("testing srtp_protect and srtp_unprotect on "
+               "wildcard ssrc policy\n");
+        if (srtp_test(&wildcard_policy, 0, -1) == srtp_err_status_ok) {
+            printf("passed\n\n");
+        } else {
+            printf("failed\n");
+            exit(1);
+        }
+        printf("testing srtp_protect and srtp_unprotect on "
+               "wildcard ssrc policy and encrypted extensions headers\n");
+        if (srtp_test(&wildcard_policy, 1, -1) == srtp_err_status_ok) {
+            printf("passed\n\n");
+        } else {
+            printf("failed\n");
+            exit(1);
+        }
+
+        /*
+         * run validation test against the reference packets - note
+         * that this test only covers the default policy
+         */
+        printf("testing srtp_protect and srtp_unprotect against "
+               "reference packet\n");
+        if (srtp_validate() == srtp_err_status_ok) {
+            printf("passed\n\n");
+        } else {
+            printf("failed\n");
+            exit(1);
+        }
+
+#ifdef GCM
+        printf("testing srtp_protect and srtp_unprotect against "
+               "reference packet using GCM\n");
+        if (srtp_validate_gcm() == srtp_err_status_ok) {
+            printf("passed\n\n");
+        } else {
+            printf("failed\n");
+            exit(1);
+        }
+#endif
+
+        printf("testing srtp_protect and srtp_unprotect against "
+               "reference packet with encrypted extensions headers\n");
+        if (srtp_validate_encrypted_extensions_headers() == srtp_err_status_ok)
+            printf("passed\n\n");
+        else {
+            printf("failed\n");
+            exit(1);
+        }
+
+#ifdef GCM
+        printf("testing srtp_protect and srtp_unprotect against "
+               "reference packet with encrypted extension headers (GCM)\n");
+        if (srtp_validate_encrypted_extensions_headers_gcm() ==
+            srtp_err_status_ok) {
+            printf("passed\n\n");
+        } else {
+            printf("failed\n");
+            exit(1);
+        }
+#endif
+
+        /*
+         * run validation test against the reference packets for
+         * AES-256
+         */
+        printf("testing srtp_protect and srtp_unprotect against "
+               "reference packet (AES-256)\n");
+        if (srtp_validate_aes_256() == srtp_err_status_ok) {
+            printf("passed\n\n");
+        } else {
+            printf("failed\n");
+            exit(1);
+        }
+
+        /*
+         * test packets with empty payload
+         */
+        printf("testing srtp_protect and srtp_unprotect against "
+               "packet with empty payload\n");
+        if (srtp_test_empty_payload() == srtp_err_status_ok) {
+            printf("passed\n");
+        } else {
+            printf("failed\n");
+            exit(1);
+        }
+#ifdef GCM
+        printf("testing srtp_protect and srtp_unprotect against "
+               "packet with empty payload (GCM)\n");
+        if (srtp_test_empty_payload_gcm() == srtp_err_status_ok) {
+            printf("passed\n");
+        } else {
+            printf("failed\n");
+            exit(1);
+        }
+#endif
+
+        /*
+         * test the function srtp_remove_stream()
+         */
+        printf("testing srtp_remove_stream()...");
+        if (srtp_test_remove_stream() == srtp_err_status_ok) {
+            printf("passed\n");
+        } else {
+            printf("failed\n");
+            exit(1);
+        }
+
+        /*
+         * test the function srtp_update()
+         */
+        printf("testing srtp_update()...");
+        if (srtp_test_update() == srtp_err_status_ok) {
+            printf("passed\n");
+        } else {
+            printf("failed\n");
+            exit(1);
+        }
+
+        /*
+         * test the functions srtp_get_protect_trailer_length
+         * and srtp_get_protect_rtcp_trailer_length
+         */
+        printf("testing srtp_get_protect_trailer_length()...");
+        if (srtp_test_protect_trailer_length() == srtp_err_status_ok) {
+            printf("passed\n");
+        } else {
+            printf("failed\n");
+            exit(1);
+        }
+
+        printf("testing srtp_get_protect_rtcp_trailer_length()...");
+        if (srtp_test_protect_rtcp_trailer_length() == srtp_err_status_ok) {
+            printf("passed\n");
+        } else {
+            printf("failed\n");
+            exit(1);
+        }
+
+        printf("testing srtp_test_get_roc()...");
+        if (srtp_test_get_roc() == srtp_err_status_ok) {
+            printf("passed\n");
+        } else {
+            printf("failed\n");
+            exit(1);
+        }
+
+        printf("testing srtp_test_set_receiver_roc()...");
+        if (srtp_test_set_receiver_roc() == srtp_err_status_ok) {
+            printf("passed\n");
+        } else {
+            printf("failed\n");
+            exit(1);
+        }
+
+        printf("testing srtp_test_set_sender_roc()...");
+        if (srtp_test_set_sender_roc() == srtp_err_status_ok) {
+            printf("passed\n");
+        } else {
+            printf("failed\n");
+            exit(1);
+        }
+    }
+
+    if (do_timing_test) {
+        const srtp_policy_t **policy = policy_array;
+
+        /* loop over policies, run timing test for each */
+        while (*policy != NULL) {
+            srtp_print_policy(*policy);
+            srtp_do_timing(*policy);
+            policy++;
+        }
+    }
+
+    if (do_rejection_test) {
+        const srtp_policy_t **policy = policy_array;
+
+        /* loop over policies, run rejection timing test for each */
+        while (*policy != NULL) {
+            srtp_print_policy(*policy);
+            srtp_do_rejection_timing(*policy);
+            policy++;
+        }
+    }
+
+    if (do_codec_timing) {
+        srtp_policy_t policy;
+        int ignore;
+        double mips_value = mips_estimate(1000000000, &ignore);
+
+        memset(&policy, 0, sizeof(policy));
+        srtp_crypto_policy_set_rtp_default(&policy.rtp);
+        srtp_crypto_policy_set_rtcp_default(&policy.rtcp);
+        policy.ssrc.type = ssrc_specific;
+        policy.ssrc.value = 0xdecafbad;
+        policy.key = test_key;
+        policy.ekt = NULL;
+        policy.window_size = 128;
+        policy.allow_repeat_tx = 0;
+        policy.next = NULL;
+
+        printf("mips estimate: %e\n", mips_value);
+
+        printf("testing srtp processing time for voice codecs:\n");
+        printf("codec\t\tlength (octets)\t\tsrtp instructions/second\n");
+        printf("G.711\t\t%d\t\t\t%e\n", 80,
+               (double)mips_value * (80 * 8) /
+                   srtp_bits_per_second(80, &policy) / .01);
+        printf("G.711\t\t%d\t\t\t%e\n", 160,
+               (double)mips_value * (160 * 8) /
+                   srtp_bits_per_second(160, &policy) / .02);
+        printf("G.726-32\t%d\t\t\t%e\n", 40,
+               (double)mips_value * (40 * 8) /
+                   srtp_bits_per_second(40, &policy) / .01);
+        printf("G.726-32\t%d\t\t\t%e\n", 80,
+               (double)mips_value * (80 * 8) /
+                   srtp_bits_per_second(80, &policy) / .02);
+        printf("G.729\t\t%d\t\t\t%e\n", 10,
+               (double)mips_value * (10 * 8) /
+                   srtp_bits_per_second(10, &policy) / .01);
+        printf("G.729\t\t%d\t\t\t%e\n", 20,
+               (double)mips_value * (20 * 8) /
+                   srtp_bits_per_second(20, &policy) / .02);
+        printf("Wideband\t%d\t\t\t%e\n", 320,
+               (double)mips_value * (320 * 8) /
+                   srtp_bits_per_second(320, &policy) / .01);
+        printf("Wideband\t%d\t\t\t%e\n", 640,
+               (double)mips_value * (640 * 8) /
+                   srtp_bits_per_second(640, &policy) / .02);
+    }
+
+    status = srtp_shutdown();
+    if (status) {
+        printf("error: srtp shutdown failed with error code %d\n", status);
+        exit(1);
+    }
+
+    return 0;
+}
+
+/*
+ * srtp_create_test_packet(len, ssrc) returns a pointer to a
+ * (malloced) example RTP packet whose data field has the length given
+ * by pkt_octet_len and the SSRC value ssrc.  The total length of the
+ * packet is twelve octets longer, since the header is at the
+ * beginning.  There is room at the end of the packet for a trailer,
+ * and the four octets following the packet are filled with 0xff
+ * values to enable testing for overwrites.
+ *
+ * note that the location of the test packet can (and should) be
+ * deallocated with the free() call once it is no longer needed.
+ */
+
+srtp_hdr_t *srtp_create_test_packet(int pkt_octet_len,
+                                    uint32_t ssrc,
+                                    int *pkt_len)
+{
+    int i;
+    uint8_t *buffer;
+    srtp_hdr_t *hdr;
+    int bytes_in_hdr = 12;
+
+    /* allocate memory for test packet */
+    hdr = (srtp_hdr_t *)malloc(pkt_octet_len + bytes_in_hdr +
+                               SRTP_MAX_TRAILER_LEN + 4);
+    if (!hdr) {
+        return NULL;
+    }
+
+    hdr->version = 2;            /* RTP version two     */
+    hdr->p = 0;                  /* no padding needed   */
+    hdr->x = 0;                  /* no header extension */
+    hdr->cc = 0;                 /* no CSRCs            */
+    hdr->m = 0;                  /* marker bit          */
+    hdr->pt = 0xf;               /* payload type        */
+    hdr->seq = htons(0x1234);    /* sequence number     */
+    hdr->ts = htonl(0xdecafbad); /* timestamp           */
+    hdr->ssrc = htonl(ssrc);     /* synch. source       */
+
+    buffer = (uint8_t *)hdr;
+    buffer += bytes_in_hdr;
+
+    /* set RTP data to 0xab */
+    for (i = 0; i < pkt_octet_len; i++) {
+        *buffer++ = 0xab;
+    }
+
+    /* set post-data value to 0xffff to enable overrun checking */
+    for (i = 0; i < SRTP_MAX_TRAILER_LEN + 4; i++) {
+        *buffer++ = 0xff;
+    }
+
+    *pkt_len = bytes_in_hdr + pkt_octet_len;
+
+    return hdr;
+}
+
+static srtp_hdr_t *srtp_create_test_packet_extended(int pkt_octet_len,
+                                                    uint32_t ssrc,
+                                                    uint16_t seq,
+                                                    uint32_t ts,
+                                                    int *pkt_len)
+{
+    srtp_hdr_t *hdr;
+
+    hdr = srtp_create_test_packet(pkt_octet_len, ssrc, pkt_len);
+    if (hdr == NULL)
+        return hdr;
+
+    hdr->seq = htons(seq);
+    hdr->ts = htonl(ts);
+    return hdr;
+}
+
+srtp_hdr_t *srtp_create_test_packet_ext_hdr(int pkt_octet_len,
+                                            uint32_t ssrc,
+                                            int *pkt_len)
+{
+    int i;
+    uint8_t *buffer;
+    srtp_hdr_t *hdr;
+    int bytes_in_hdr = 12;
+    uint8_t extension_header[12] = { /* one-byte header */
+                                     0xbe, 0xde,
+                                     /* size */
+                                     0x00, 0x02,
+                                     /* id 1, length 1 (i.e. 2 bytes) */
+                                     0x11,
+                                     /* payload */
+                                     0xca, 0xfe,
+                                     /* padding */
+                                     0x00,
+                                     /* id 2, length 0 (i.e. 1 byte) */
+                                     0x20,
+                                     /* payload */
+                                     0xba,
+                                     /* padding */
+                                     0x00, 0x00
+    };
+
+    /* allocate memory for test packet */
+    hdr = (srtp_hdr_t *)malloc(pkt_octet_len + bytes_in_hdr +
+                               sizeof(extension_header) + SRTP_MAX_TRAILER_LEN +
+                               4);
+    if (!hdr)
+        return NULL;
+
+    hdr->version = 2;            /* RTP version two     */
+    hdr->p = 0;                  /* no padding needed   */
+    hdr->x = 1;                  /* no header extension */
+    hdr->cc = 0;                 /* no CSRCs            */
+    hdr->m = 0;                  /* marker bit          */
+    hdr->pt = 0xf;               /* payload type        */
+    hdr->seq = htons(0x1234);    /* sequence number     */
+    hdr->ts = htonl(0xdecafbad); /* timestamp           */
+    hdr->ssrc = htonl(ssrc);     /* synch. source       */
+
+    buffer = (uint8_t *)hdr;
+    buffer += bytes_in_hdr;
+
+    memcpy(buffer, extension_header, sizeof(extension_header));
+    buffer += sizeof(extension_header);
+
+    /* set RTP data to 0xab */
+    for (i = 0; i < pkt_octet_len; i++)
+        *buffer++ = 0xab;
+
+    /* set post-data value to 0xffff to enable overrun checking */
+    for (i = 0; i < SRTP_MAX_TRAILER_LEN + 4; i++)
+        *buffer++ = 0xff;
+
+    *pkt_len = bytes_in_hdr + sizeof(extension_header) + pkt_octet_len;
+
+    return hdr;
+}
+
+void srtp_do_timing(const srtp_policy_t *policy)
+{
+    int len;
+
+    /*
+     * note: the output of this function is formatted so that it
+     * can be used in gnuplot.  '#' indicates a comment, and "\r\n"
+     * terminates a record
+     */
+
+    printf("# testing srtp throughput:\r\n");
+    printf("# mesg length (octets)\tthroughput (megabits per second)\r\n");
+
+    for (len = 16; len <= 2048; len *= 2) {
+        printf("%d\t\t\t%f\r\n", len,
+               srtp_bits_per_second(len, policy) / 1.0E6);
+    }
+
+    /* these extra linefeeds let gnuplot know that a dataset is done */
+    printf("\r\n\r\n");
+}
+
+void srtp_do_rejection_timing(const srtp_policy_t *policy)
+{
+    int len;
+
+    /*
+     * note: the output of this function is formatted so that it
+     * can be used in gnuplot.  '#' indicates a comment, and "\r\n"
+     * terminates a record
+     */
+
+    printf("# testing srtp rejection throughput:\r\n");
+    printf("# mesg length (octets)\trejections per second\r\n");
+
+    for (len = 8; len <= 2048; len *= 2) {
+        printf("%d\t\t\t%e\r\n", len, srtp_rejections_per_second(len, policy));
+    }
+
+    /* these extra linefeeds let gnuplot know that a dataset is done */
+    printf("\r\n\r\n");
+}
+
+#define MAX_MSG_LEN 1024
+
+double srtp_bits_per_second(int msg_len_octets, const srtp_policy_t *policy)
+{
+    srtp_t srtp;
+    srtp_hdr_t *mesg;
+    int i;
+    clock_t timer;
+    int num_trials = 100000;
+    int input_len, len;
+    uint32_t ssrc;
+    srtp_err_status_t status;
+
+    /*
+     * allocate and initialize an srtp session
+     */
+    status = srtp_create(&srtp, policy);
+    if (status) {
+        printf("error: srtp_create() failed with error code %d\n", status);
+        exit(1);
+    }
+
+    /*
+     * if the ssrc is unspecified, use a predetermined one
+     */
+    if (policy->ssrc.type != ssrc_specific) {
+        ssrc = 0xdeadbeef;
+    } else {
+        ssrc = policy->ssrc.value;
+    }
+
+    /*
+     * create a test packet
+     */
+    mesg = srtp_create_test_packet(msg_len_octets, ssrc, &input_len);
+    if (mesg == NULL) {
+        return 0.0; /* indicate failure by returning zero */
+    }
+    timer = clock();
+    for (i = 0; i < num_trials; i++) {
+        len = input_len;
+        /* srtp protect message */
+        status = srtp_protect(srtp, mesg, &len);
+        if (status) {
+            printf("error: srtp_protect() failed with error code %d\n", status);
+            exit(1);
+        }
+
+        /* increment message number */
+        {
+            /* hack sequence to avoid problems with macros for htons/ntohs on
+             * some systems */
+            short new_seq = ntohs(mesg->seq) + 1;
+            mesg->seq = htons(new_seq);
+        }
+    }
+    timer = clock() - timer;
+
+    free(mesg);
+
+    status = srtp_dealloc(srtp);
+    if (status) {
+        printf("error: srtp_dealloc() failed with error code %d\n", status);
+        exit(1);
+    }
+
+    return (double)(msg_len_octets)*8 * num_trials * CLOCKS_PER_SEC / timer;
+}
+
+double srtp_rejections_per_second(int msg_len_octets,
+                                  const srtp_policy_t *policy)
+{
+    srtp_ctx_t *srtp;
+    srtp_hdr_t *mesg;
+    int i;
+    int len;
+    clock_t timer;
+    int num_trials = 1000000;
+    uint32_t ssrc = policy->ssrc.value;
+    srtp_err_status_t status;
+
+    /*
+     * allocate and initialize an srtp session
+     */
+    status = srtp_create(&srtp, policy);
+    if (status) {
+        printf("error: srtp_create() failed with error code %d\n", status);
+        exit(1);
+    }
+
+    mesg = srtp_create_test_packet(msg_len_octets, ssrc, &len);
+    if (mesg == NULL) {
+        return 0.0; /* indicate failure by returning zero */
+    }
+    srtp_protect(srtp, (srtp_hdr_t *)mesg, &len);
+
+    timer = clock();
+    for (i = 0; i < num_trials; i++) {
+        len = msg_len_octets;
+        srtp_unprotect(srtp, (srtp_hdr_t *)mesg, &len);
+    }
+    timer = clock() - timer;
+
+    free(mesg);
+
+    status = srtp_dealloc(srtp);
+    if (status) {
+        printf("error: srtp_dealloc() failed with error code %d\n", status);
+        exit(1);
+    }
+
+    return (double)num_trials * CLOCKS_PER_SEC / timer;
+}
+
+void err_check(srtp_err_status_t s)
+{
+    if (s == srtp_err_status_ok) {
+        return;
+    } else {
+        fprintf(stderr, "error: unexpected srtp failure (code %d)\n", s);
+    }
+    exit(1);
+}
+
+srtp_err_status_t srtp_test_call_protect(srtp_t srtp_sender,
+                                         srtp_hdr_t *hdr,
+                                         int *len,
+                                         int mki_index)
+{
+    if (mki_index == -1) {
+        return srtp_protect(srtp_sender, hdr, len);
+    } else {
+        return srtp_protect_mki(srtp_sender, hdr, len, 1, mki_index);
+    }
+}
+
+srtp_err_status_t srtp_test_call_protect_rtcp(srtp_t srtp_sender,
+                                              srtp_hdr_t *hdr,
+                                              int *len,
+                                              int mki_index)
+{
+    if (mki_index == -1) {
+        return srtp_protect_rtcp(srtp_sender, hdr, len);
+    } else {
+        return srtp_protect_rtcp_mki(srtp_sender, hdr, len, 1, mki_index);
+    }
+}
+
+srtp_err_status_t srtp_test_call_unprotect(srtp_t srtp_sender,
+                                           srtp_hdr_t *hdr,
+                                           int *len,
+                                           int use_mki)
+{
+    if (use_mki == -1) {
+        return srtp_unprotect(srtp_sender, hdr, len);
+    } else {
+        return srtp_unprotect_mki(srtp_sender, hdr, len, use_mki);
+    }
+}
+
+srtp_err_status_t srtp_test_call_unprotect_rtcp(srtp_t srtp_sender,
+                                                srtp_hdr_t *hdr,
+                                                int *len,
+                                                int use_mki)
+{
+    if (use_mki == -1) {
+        return srtp_unprotect_rtcp(srtp_sender, hdr, len);
+    } else {
+        return srtp_unprotect_rtcp_mki(srtp_sender, hdr, len, use_mki);
+    }
+}
+
+srtp_err_status_t srtp_test(const srtp_policy_t *policy,
+                            int extension_header,
+                            int mki_index)
+{
+    int i;
+    srtp_t srtp_sender;
+    srtp_t srtp_rcvr;
+    srtp_err_status_t status = srtp_err_status_ok;
+    srtp_hdr_t *hdr, *hdr2;
+    uint8_t hdr_enc[64];
+    uint8_t *pkt_end;
+    int msg_len_octets, msg_len_enc, msg_len;
+    int len, len2;
+    uint32_t tag_length;
+    uint32_t ssrc;
+    srtp_policy_t *rcvr_policy;
+    srtp_policy_t tmp_policy;
+    int header = 1;
+    int use_mki = 0;
+
+    if (mki_index >= 0)
+        use_mki = 1;
+
+    if (extension_header) {
+        memcpy(&tmp_policy, policy, sizeof(srtp_policy_t));
+        tmp_policy.enc_xtn_hdr = &header;
+        tmp_policy.enc_xtn_hdr_count = 1;
+        err_check(srtp_create(&srtp_sender, &tmp_policy));
+    } else {
+        err_check(srtp_create(&srtp_sender, policy));
+    }
+
+    /* print out policy */
+    err_check(srtp_session_print_policy(srtp_sender));
+
+    /*
+     * initialize data buffer, using the ssrc in the policy unless that
+     * value is a wildcard, in which case we'll just use an arbitrary
+     * one
+     */
+    if (policy->ssrc.type != ssrc_specific) {
+        ssrc = 0xdecafbad;
+    } else {
+        ssrc = policy->ssrc.value;
+    }
+    msg_len_octets = 28;
+    if (extension_header) {
+        hdr = srtp_create_test_packet_ext_hdr(msg_len_octets, ssrc, &len);
+        hdr2 = srtp_create_test_packet_ext_hdr(msg_len_octets, ssrc, &len2);
+    } else {
+        hdr = srtp_create_test_packet(msg_len_octets, ssrc, &len);
+        hdr2 = srtp_create_test_packet(msg_len_octets, ssrc, &len2);
+    }
+
+    /* save original msg len */
+    msg_len = len;
+
+    if (hdr == NULL) {
+        free(hdr2);
+        return srtp_err_status_alloc_fail;
+    }
+    if (hdr2 == NULL) {
+        free(hdr);
+        return srtp_err_status_alloc_fail;
+    }
+
+    debug_print(mod_driver, "before protection:\n%s",
+                srtp_packet_to_string(hdr, len));
+
+#if PRINT_REFERENCE_PACKET
+    debug_print(mod_driver, "reference packet before protection:\n%s",
+                octet_string_hex_string((uint8_t *)hdr, len));
+#endif
+    err_check(srtp_test_call_protect(srtp_sender, hdr, &len, mki_index));
+
+    debug_print(mod_driver, "after protection:\n%s",
+                srtp_packet_to_string(hdr, len));
+#if PRINT_REFERENCE_PACKET
+    debug_print(mod_driver, "after protection:\n%s",
+                octet_string_hex_string((uint8_t *)hdr, len));
+#endif
+
+    /* save protected message and length */
+    memcpy(hdr_enc, hdr, len);
+    msg_len_enc = len;
+
+    /*
+     * check for overrun of the srtp_protect() function
+     *
+     * The packet is followed by a value of 0xfffff; if the value of the
+     * data following the packet is different, then we know that the
+     * protect function is overwriting the end of the packet.
+     */
+    err_check(srtp_get_protect_trailer_length(srtp_sender, use_mki, mki_index,
+                                              &tag_length));
+    pkt_end = (uint8_t *)hdr + msg_len + tag_length;
+    for (i = 0; i < 4; i++) {
+        if (pkt_end[i] != 0xff) {
+            fprintf(stdout, "overwrite in srtp_protect() function "
+                            "(expected %x, found %x in trailing octet %d)\n",
+                    0xff, ((uint8_t *)hdr)[i], i);
+            free(hdr);
+            free(hdr2);
+            return srtp_err_status_algo_fail;
+        }
+    }
+
+    /*
+     * if the policy includes confidentiality, check that ciphertext is
+     * different than plaintext
+     *
+     * Note that this check will give false negatives, with some small
+     * probability, especially if the packets are short.  For that
+     * reason, we skip this check if the plaintext is less than four
+     * octets long.
+     */
+    if ((policy->rtp.sec_serv & sec_serv_conf) && (msg_len_octets >= 4)) {
+        printf("testing that ciphertext is distinct from plaintext...");
+        status = srtp_err_status_algo_fail;
+        for (i = 12; i < msg_len_octets + 12; i++) {
+            if (((uint8_t *)hdr)[i] != ((uint8_t *)hdr2)[i]) {
+                status = srtp_err_status_ok;
+            }
+        }
+        if (status) {
+            printf("failed\n");
+            free(hdr);
+            free(hdr2);
+            return status;
+        }
+        printf("passed\n");
+    }
+
+    /*
+     * if the policy uses a 'wildcard' ssrc, then we need to make a copy
+     * of the policy that changes the direction to inbound
+     *
+     * we always copy the policy into the rcvr_policy, since otherwise
+     * the compiler would fret about the constness of the policy
+     */
+    rcvr_policy = (srtp_policy_t *)malloc(sizeof(srtp_policy_t));
+    if (rcvr_policy == NULL) {
+        free(hdr);
+        free(hdr2);
+        return srtp_err_status_alloc_fail;
+    }
+    if (extension_header) {
+        memcpy(rcvr_policy, &tmp_policy, sizeof(srtp_policy_t));
+        if (tmp_policy.ssrc.type == ssrc_any_outbound) {
+            rcvr_policy->ssrc.type = ssrc_any_inbound;
+        }
+    } else {
+        memcpy(rcvr_policy, policy, sizeof(srtp_policy_t));
+        if (policy->ssrc.type == ssrc_any_outbound) {
+            rcvr_policy->ssrc.type = ssrc_any_inbound;
+        }
+    }
+
+    err_check(srtp_create(&srtp_rcvr, rcvr_policy));
+
+    err_check(srtp_test_call_unprotect(srtp_rcvr, hdr, &len, use_mki));
+
+    debug_print(mod_driver, "after unprotection:\n%s",
+                srtp_packet_to_string(hdr, len));
+
+    /* verify that the unprotected packet matches the origial one */
+    for (i = 0; i < len; i++) {
+        if (((uint8_t *)hdr)[i] != ((uint8_t *)hdr2)[i]) {
+            fprintf(stdout, "mismatch at octet %d\n", i);
+            status = srtp_err_status_algo_fail;
+        }
+    }
+    if (status) {
+        free(hdr);
+        free(hdr2);
+        free(rcvr_policy);
+        return status;
+    }
+
+    /*
+     * if the policy includes authentication, then test for false positives
+     */
+    if (policy->rtp.sec_serv & sec_serv_auth) {
+        char *data = ((char *)hdr) + (extension_header ? 24 : 12);
+
+        printf("testing for false positives in replay check...");
+
+        /* unprotect a second time - should fail with a replay error */
+        status =
+            srtp_test_call_unprotect(srtp_rcvr, hdr, &msg_len_enc, use_mki);
+        if (status != srtp_err_status_replay_fail) {
+            printf("failed with error code %d\n", status);
+            free(hdr);
+            free(hdr2);
+            free(rcvr_policy);
+            return status;
+        } else {
+            printf("passed\n");
+        }
+
+        printf("testing for false positives in auth check...");
+
+        /* increment sequence number in header */
+        hdr->seq++;
+
+        /* apply protection */
+        err_check(srtp_test_call_protect(srtp_sender, hdr, &len, mki_index));
+
+        /* flip bits in packet */
+        data[0] ^= 0xff;
+
+        /* unprotect, and check for authentication failure */
+        status = srtp_test_call_unprotect(srtp_rcvr, hdr, &len, use_mki);
+        if (status != srtp_err_status_auth_fail) {
+            printf("failed\n");
+            free(hdr);
+            free(hdr2);
+            free(rcvr_policy);
+            return status;
+        } else {
+            printf("passed\n");
+        }
+    }
+
+    err_check(srtp_dealloc(srtp_sender));
+    err_check(srtp_dealloc(srtp_rcvr));
+
+    free(hdr);
+    free(hdr2);
+    free(rcvr_policy);
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtcp_test(const srtp_policy_t *policy, int mki_index)
+{
+    int i;
+    srtp_t srtcp_sender;
+    srtp_t srtcp_rcvr;
+    srtp_err_status_t status = srtp_err_status_ok;
+    srtp_hdr_t *hdr, *hdr2;
+    uint8_t hdr_enc[64];
+    uint8_t *pkt_end;
+    int msg_len_octets, msg_len_enc, msg_len;
+    int len, len2;
+    uint32_t tag_length;
+    uint32_t ssrc;
+    srtp_policy_t *rcvr_policy;
+    int use_mki = 0;
+
+    if (mki_index >= 0)
+        use_mki = 1;
+
+    err_check(srtp_create(&srtcp_sender, policy));
+
+    /* print out policy */
+    err_check(srtp_session_print_policy(srtcp_sender));
+
+    /*
+     * initialize data buffer, using the ssrc in the policy unless that
+     * value is a wildcard, in which case we'll just use an arbitrary
+     * one
+     */
+    if (policy->ssrc.type != ssrc_specific) {
+        ssrc = 0xdecafbad;
+    } else {
+        ssrc = policy->ssrc.value;
+    }
+    msg_len_octets = 28;
+    hdr = srtp_create_test_packet(msg_len_octets, ssrc, &len);
+    /* save message len */
+    msg_len = len;
+
+    if (hdr == NULL) {
+        return srtp_err_status_alloc_fail;
+    }
+    hdr2 = srtp_create_test_packet(msg_len_octets, ssrc, &len2);
+    if (hdr2 == NULL) {
+        free(hdr);
+        return srtp_err_status_alloc_fail;
+    }
+
+    debug_print(mod_driver, "before protection:\n%s",
+                srtp_packet_to_string(hdr, len));
+
+#if PRINT_REFERENCE_PACKET
+    debug_print(mod_driver, "reference packet before protection:\n%s",
+                octet_string_hex_string((uint8_t *)hdr, len));
+#endif
+    err_check(srtp_test_call_protect_rtcp(srtcp_sender, hdr, &len, mki_index));
+
+    debug_print(mod_driver, "after protection:\n%s",
+                srtp_packet_to_string(hdr, len));
+#if PRINT_REFERENCE_PACKET
+    debug_print(mod_driver, "after protection:\n%s",
+                octet_string_hex_string((uint8_t *)hdr, len));
+#endif
+
+    /* save protected message and length */
+    memcpy(hdr_enc, hdr, len);
+    msg_len_enc = len;
+
+    /*
+     * check for overrun of the srtp_protect() function
+     *
+     * The packet is followed by a value of 0xfffff; if the value of the
+     * data following the packet is different, then we know that the
+     * protect function is overwriting the end of the packet.
+     */
+    srtp_get_protect_rtcp_trailer_length(srtcp_sender, use_mki, mki_index,
+                                         &tag_length);
+    pkt_end = (uint8_t *)hdr + msg_len + tag_length;
+    for (i = 0; i < 4; i++) {
+        if (pkt_end[i] != 0xff) {
+            fprintf(stdout, "overwrite in srtp_protect_rtcp() function "
+                            "(expected %x, found %x in trailing octet %d)\n",
+                    0xff, ((uint8_t *)hdr)[i], i);
+            free(hdr);
+            free(hdr2);
+            return srtp_err_status_algo_fail;
+        }
+    }
+
+    /*
+     * if the policy includes confidentiality, check that ciphertext is
+     * different than plaintext
+     *
+     * Note that this check will give false negatives, with some small
+     * probability, especially if the packets are short.  For that
+     * reason, we skip this check if the plaintext is less than four
+     * octets long.
+     */
+    if ((policy->rtcp.sec_serv & sec_serv_conf) && (msg_len_octets >= 4)) {
+        printf("testing that ciphertext is distinct from plaintext...");
+        status = srtp_err_status_algo_fail;
+        for (i = 12; i < msg_len_octets + 12; i++) {
+            if (((uint8_t *)hdr)[i] != ((uint8_t *)hdr2)[i]) {
+                status = srtp_err_status_ok;
+            }
+        }
+        if (status) {
+            printf("failed\n");
+            free(hdr);
+            free(hdr2);
+            return status;
+        }
+        printf("passed\n");
+    }
+
+    /*
+     * if the policy uses a 'wildcard' ssrc, then we need to make a copy
+     * of the policy that changes the direction to inbound
+     *
+     * we always copy the policy into the rcvr_policy, since otherwise
+     * the compiler would fret about the constness of the policy
+     */
+    rcvr_policy = (srtp_policy_t *)malloc(sizeof(srtp_policy_t));
+    if (rcvr_policy == NULL) {
+        free(hdr);
+        free(hdr2);
+        return srtp_err_status_alloc_fail;
+    }
+    memcpy(rcvr_policy, policy, sizeof(srtp_policy_t));
+    if (policy->ssrc.type == ssrc_any_outbound) {
+        rcvr_policy->ssrc.type = ssrc_any_inbound;
+    }
+
+    err_check(srtp_create(&srtcp_rcvr, rcvr_policy));
+
+    err_check(srtp_test_call_unprotect_rtcp(srtcp_rcvr, hdr, &len, use_mki));
+
+    debug_print(mod_driver, "after unprotection:\n%s",
+                srtp_packet_to_string(hdr, len));
+
+    /* verify that the unprotected packet matches the origial one */
+    for (i = 0; i < len; i++) {
+        if (((uint8_t *)hdr)[i] != ((uint8_t *)hdr2)[i]) {
+            fprintf(stdout, "mismatch at octet %d\n", i);
+            status = srtp_err_status_algo_fail;
+        }
+    }
+    if (status) {
+        free(hdr);
+        free(hdr2);
+        free(rcvr_policy);
+        return status;
+    }
+
+    /*
+     * if the policy includes authentication, then test for false positives
+     */
+    if (policy->rtp.sec_serv & sec_serv_auth) {
+        char *data = ((char *)hdr) + 12;
+
+        printf("testing for false positives in replay check...");
+
+        /* unprotect a second time - should fail with a replay error */
+        status = srtp_test_call_unprotect_rtcp(srtcp_rcvr, hdr, &msg_len_enc,
+                                               use_mki);
+        if (status != srtp_err_status_replay_fail) {
+            printf("failed with error code %d\n", status);
+            free(hdr);
+            free(hdr2);
+            free(rcvr_policy);
+            return status;
+        } else {
+            printf("passed\n");
+        }
+
+        printf("testing for false positives in auth check...");
+
+        /* increment sequence number in header */
+        hdr->seq++;
+
+        /* apply protection */
+        err_check(
+            srtp_test_call_protect_rtcp(srtcp_sender, hdr, &len, mki_index));
+
+        /* flip bits in packet */
+        data[0] ^= 0xff;
+
+        /* unprotect, and check for authentication failure */
+        status = srtp_test_call_unprotect_rtcp(srtcp_rcvr, hdr, &len, use_mki);
+        if (status != srtp_err_status_auth_fail) {
+            printf("failed\n");
+            free(hdr);
+            free(hdr2);
+            free(rcvr_policy);
+            return status;
+        } else {
+            printf("passed\n");
+        }
+    }
+
+    err_check(srtp_dealloc(srtcp_sender));
+    err_check(srtp_dealloc(srtcp_rcvr));
+
+    free(hdr);
+    free(hdr2);
+    free(rcvr_policy);
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_session_print_policy(srtp_t srtp)
+{
+    char *serv_descr[4] = { "none", "confidentiality", "authentication",
+                            "confidentiality and authentication" };
+    char *direction[3] = { "unknown", "outbound", "inbound" };
+    srtp_stream_t stream;
+    srtp_session_keys_t *session_keys = NULL;
+
+    /* sanity checking */
+    if (srtp == NULL) {
+        return srtp_err_status_fail;
+    }
+
+    /* if there's a template stream, print it out */
+    if (srtp->stream_template != NULL) {
+        stream = srtp->stream_template;
+        session_keys = &stream->session_keys[0];
+        printf("# SSRC:          any %s\r\n"
+               "# rtp cipher:    %s\r\n"
+               "# rtp auth:      %s\r\n"
+               "# rtp services:  %s\r\n"
+               "# rtcp cipher:   %s\r\n"
+               "# rtcp auth:     %s\r\n"
+               "# rtcp services: %s\r\n"
+               "# window size:   %lu\r\n"
+               "# tx rtx allowed:%s\r\n",
+               direction[stream->direction],
+               session_keys->rtp_cipher->type->description,
+               session_keys->rtp_auth->type->description,
+               serv_descr[stream->rtp_services],
+               session_keys->rtcp_cipher->type->description,
+               session_keys->rtcp_auth->type->description,
+               serv_descr[stream->rtcp_services],
+               srtp_rdbx_get_window_size(&stream->rtp_rdbx),
+               stream->allow_repeat_tx ? "true" : "false");
+
+        printf("# Encrypted extension headers: ");
+        if (stream->enc_xtn_hdr && stream->enc_xtn_hdr_count > 0) {
+            int *enc_xtn_hdr = stream->enc_xtn_hdr;
+            int count = stream->enc_xtn_hdr_count;
+            while (count > 0) {
+                printf("%d ", *enc_xtn_hdr);
+                enc_xtn_hdr++;
+                count--;
+            }
+            printf("\n");
+        } else {
+            printf("none\n");
+        }
+    }
+
+    /* loop over streams in session, printing the policy of each */
+    stream = srtp->stream_list;
+    while (stream != NULL) {
+        if (stream->rtp_services > sec_serv_conf_and_auth) {
+            return srtp_err_status_bad_param;
+        }
+        session_keys = &stream->session_keys[0];
+
+        printf("# SSRC:          0x%08x\r\n"
+               "# rtp cipher:    %s\r\n"
+               "# rtp auth:      %s\r\n"
+               "# rtp services:  %s\r\n"
+               "# rtcp cipher:   %s\r\n"
+               "# rtcp auth:     %s\r\n"
+               "# rtcp services: %s\r\n"
+               "# window size:   %lu\r\n"
+               "# tx rtx allowed:%s\r\n",
+               stream->ssrc, session_keys->rtp_cipher->type->description,
+               session_keys->rtp_auth->type->description,
+               serv_descr[stream->rtp_services],
+               session_keys->rtcp_cipher->type->description,
+               session_keys->rtcp_auth->type->description,
+               serv_descr[stream->rtcp_services],
+               srtp_rdbx_get_window_size(&stream->rtp_rdbx),
+               stream->allow_repeat_tx ? "true" : "false");
+
+        printf("# Encrypted extension headers: ");
+        if (stream->enc_xtn_hdr && stream->enc_xtn_hdr_count > 0) {
+            int *enc_xtn_hdr = stream->enc_xtn_hdr;
+            int count = stream->enc_xtn_hdr_count;
+            while (count > 0) {
+                printf("%d ", *enc_xtn_hdr);
+                enc_xtn_hdr++;
+                count--;
+            }
+            printf("\n");
+        } else {
+            printf("none\n");
+        }
+
+        /* advance to next stream in the list */
+        stream = stream->next;
+    }
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_print_policy(const srtp_policy_t *policy)
+{
+    srtp_err_status_t status;
+    srtp_t session;
+
+    status = srtp_create(&session, policy);
+    if (status) {
+        return status;
+    }
+    status = srtp_session_print_policy(session);
+    if (status) {
+        return status;
+    }
+    status = srtp_dealloc(session);
+    if (status) {
+        return status;
+    }
+    return srtp_err_status_ok;
+}
+
+/*
+ * srtp_print_packet(...) is for debugging only
+ * it prints an RTP packet to the stdout
+ *
+ * note that this function is *not* threadsafe
+ */
+
+#include <stdio.h>
+
+#define MTU 2048
+
+char packet_string[MTU];
+
+char *srtp_packet_to_string(srtp_hdr_t *hdr, int pkt_octet_len)
+{
+    int octets_in_rtp_header = 12;
+    uint8_t *data = ((uint8_t *)hdr) + octets_in_rtp_header;
+    int hex_len = pkt_octet_len - octets_in_rtp_header;
+
+    /* sanity checking */
+    if ((hdr == NULL) || (pkt_octet_len > MTU)) {
+        return NULL;
+    }
+
+    /* write packet into string */
+    sprintf(packet_string, "(s)rtp packet: {\n"
+                           "   version:\t%d\n"
+                           "   p:\t\t%d\n"
+                           "   x:\t\t%d\n"
+                           "   cc:\t\t%d\n"
+                           "   m:\t\t%d\n"
+                           "   pt:\t\t%x\n"
+                           "   seq:\t\t%x\n"
+                           "   ts:\t\t%x\n"
+                           "   ssrc:\t%x\n"
+                           "   data:\t%s\n"
+                           "} (%d octets in total)\n",
+            hdr->version, hdr->p, hdr->x, hdr->cc, hdr->m, hdr->pt, hdr->seq,
+            hdr->ts, hdr->ssrc, octet_string_hex_string(data, hex_len),
+            pkt_octet_len);
+
+    return packet_string;
+}
+
+/*
+ * mips_estimate() is a simple function to estimate the number of
+ * instructions per second that the host can perform.  note that this
+ * function can be grossly wrong; you may want to have a manual sanity
+ * check of its output!
+ *
+ * the 'ignore' pointer is there to convince the compiler to not just
+ * optimize away the function
+ */
+
+double mips_estimate(int num_trials, int *ignore)
+{
+    clock_t t;
+    volatile int i, sum;
+
+    sum = 0;
+    t = clock();
+    for (i = 0; i < num_trials; i++) {
+        sum += i;
+    }
+    t = clock() - t;
+    if (t < 1) {
+        t = 1;
+    }
+
+    /*   printf("%d\n", sum); */
+    *ignore = sum;
+
+    return (double)num_trials * CLOCKS_PER_SEC / t;
+}
+
+/*
+ * srtp_validate() verifies the correctness of libsrtp by comparing
+ * some computed packets against some pre-computed reference values.
+ * These packets were made with the default SRTP policy.
+ */
+
+srtp_err_status_t srtp_validate()
+{
+    // clang-format off
+    uint8_t srtp_plaintext_ref[28] = {
+        0x80, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad,
+        0xca, 0xfe, 0xba, 0xbe, 0xab, 0xab, 0xab, 0xab,
+        0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab,
+        0xab, 0xab, 0xab, 0xab
+    };
+    uint8_t srtp_plaintext[38] = {
+        0x80, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad,
+        0xca, 0xfe, 0xba, 0xbe, 0xab, 0xab, 0xab, 0xab,
+        0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab,
+        0xab, 0xab, 0xab, 0xab, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+    };
+    uint8_t srtp_ciphertext[38] = {
+        0x80, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad,
+        0xca, 0xfe, 0xba, 0xbe, 0x4e, 0x55, 0xdc, 0x4c,
+        0xe7, 0x99, 0x78, 0xd8, 0x8c, 0xa4, 0xd2, 0x15,
+        0x94, 0x9d, 0x24, 0x02, 0xb7, 0x8d, 0x6a, 0xcc,
+        0x99, 0xea, 0x17, 0x9b, 0x8d, 0xbb
+    };
+    uint8_t rtcp_plaintext_ref[24] = {
+        0x81, 0xc8, 0x00, 0x0b, 0xca, 0xfe, 0xba, 0xbe,
+        0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab,
+        0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab,
+    };
+    uint8_t rtcp_plaintext[38] = {
+        0x81, 0xc8, 0x00, 0x0b, 0xca, 0xfe, 0xba, 0xbe,
+        0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab,
+        0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+    };
+    uint8_t srtcp_ciphertext[38] = {
+        0x81, 0xc8, 0x00, 0x0b, 0xca, 0xfe, 0xba, 0xbe,
+        0x71, 0x28, 0x03, 0x5b, 0xe4, 0x87, 0xb9, 0xbd,
+        0xbe, 0xf8, 0x90, 0x41, 0xf9, 0x77, 0xa5, 0xa8,
+        0x80, 0x00, 0x00, 0x01, 0x99, 0x3e, 0x08, 0xcd,
+        0x54, 0xd6, 0xc1, 0x23, 0x07, 0x98
+    };
+    // clang-format on
+
+    srtp_t srtp_snd, srtp_recv;
+    srtp_err_status_t status;
+    int len;
+    srtp_policy_t policy;
+
+    /*
+     * create a session with a single stream using the default srtp
+     * policy and with the SSRC value 0xcafebabe
+     */
+    memset(&policy, 0, sizeof(policy));
+    srtp_crypto_policy_set_rtp_default(&policy.rtp);
+    srtp_crypto_policy_set_rtcp_default(&policy.rtcp);
+    policy.ssrc.type = ssrc_specific;
+    policy.ssrc.value = 0xcafebabe;
+    policy.key = test_key;
+    policy.ekt = NULL;
+    policy.window_size = 128;
+    policy.allow_repeat_tx = 0;
+    policy.next = NULL;
+
+    status = srtp_create(&srtp_snd, &policy);
+    if (status) {
+        return status;
+    }
+
+    /*
+     * protect plaintext, then compare with ciphertext
+     */
+    len = 28;
+    status = srtp_protect(srtp_snd, srtp_plaintext, &len);
+    if (status || (len != 38)) {
+        return srtp_err_status_fail;
+    }
+
+    debug_print(mod_driver, "ciphertext:\n  %s",
+                octet_string_hex_string(srtp_plaintext, len));
+    debug_print(mod_driver, "ciphertext reference:\n  %s",
+                octet_string_hex_string(srtp_ciphertext, len));
+
+    if (octet_string_is_eq(srtp_plaintext, srtp_ciphertext, len)) {
+        return srtp_err_status_fail;
+    }
+
+    /*
+     * protect plaintext rtcp, then compare with srtcp ciphertext
+     */
+    len = 24;
+    status = srtp_protect_rtcp(srtp_snd, rtcp_plaintext, &len);
+    if (status || (len != 38)) {
+        return srtp_err_status_fail;
+    }
+
+    debug_print(mod_driver, "srtcp ciphertext:\n  %s",
+                octet_string_hex_string(rtcp_plaintext, len));
+    debug_print(mod_driver, "srtcp ciphertext reference:\n  %s",
+                octet_string_hex_string(srtcp_ciphertext, len));
+
+    if (octet_string_is_eq(rtcp_plaintext, srtcp_ciphertext, len)) {
+        return srtp_err_status_fail;
+    }
+
+    /*
+     * create a receiver session context comparable to the one created
+     * above - we need to do this so that the replay checking doesn't
+     * complain
+     */
+    status = srtp_create(&srtp_recv, &policy);
+    if (status) {
+        return status;
+    }
+
+    /*
+     * unprotect ciphertext, then compare with plaintext
+     */
+    status = srtp_unprotect(srtp_recv, srtp_ciphertext, &len);
+    if (status || (len != 28)) {
+        return status;
+    }
+
+    if (octet_string_is_eq(srtp_ciphertext, srtp_plaintext_ref, len)) {
+        return srtp_err_status_fail;
+    }
+
+    /*
+     * unprotect srtcp ciphertext, then compare with rtcp plaintext
+     */
+    len = 38;
+    status = srtp_unprotect_rtcp(srtp_recv, srtcp_ciphertext, &len);
+    if (status || (len != 24)) {
+        return status;
+    }
+
+    if (octet_string_is_eq(srtcp_ciphertext, rtcp_plaintext_ref, len)) {
+        return srtp_err_status_fail;
+    }
+
+    status = srtp_dealloc(srtp_snd);
+    if (status) {
+        return status;
+    }
+
+    status = srtp_dealloc(srtp_recv);
+    if (status) {
+        return status;
+    }
+
+    return srtp_err_status_ok;
+}
+
+#ifdef GCM
+/*
+ * srtp_validate_gcm() verifies the correctness of libsrtp by comparing
+ * an computed packet against the known ciphertext for the plaintext.
+ */
+srtp_err_status_t srtp_validate_gcm()
+{
+    // clang-format off
+    unsigned char test_key_gcm[28] = {
+        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+        0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
+        0xa0, 0xa1, 0xa2, 0xa3, 0xa4, 0xa5, 0xa6, 0xa7,
+        0xa8, 0xa9, 0xaa, 0xab
+    };
+    uint8_t rtp_plaintext_ref[28] = {
+        0x80, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad,
+        0xca, 0xfe, 0xba, 0xbe, 0xab, 0xab, 0xab, 0xab,
+        0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab,
+        0xab, 0xab, 0xab, 0xab
+    };
+    uint8_t rtp_plaintext[44] = {
+        0x80, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad,
+        0xca, 0xfe, 0xba, 0xbe, 0xab, 0xab, 0xab, 0xab,
+        0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab,
+        0xab, 0xab, 0xab, 0xab, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00
+    };
+    uint8_t srtp_ciphertext[44] = {
+        0x80, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad,
+        0xca, 0xfe, 0xba, 0xbe, 0xc5, 0x00, 0x2e, 0xde,
+        0x04, 0xcf, 0xdd, 0x2e, 0xb9, 0x11, 0x59, 0xe0,
+        0x88, 0x0a, 0xa0, 0x6e, 0xd2, 0x97, 0x68, 0x26,
+        0xf7, 0x96, 0xb2, 0x01, 0xdf, 0x31, 0x31, 0xa1,
+        0x27, 0xe8, 0xa3, 0x92
+    };
+    uint8_t rtcp_plaintext_ref[24] = {
+        0x81, 0xc8, 0x00, 0x0b, 0xca, 0xfe, 0xba, 0xbe,
+        0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab,
+        0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab,
+    };
+    uint8_t rtcp_plaintext[44] = {
+        0x81, 0xc8, 0x00, 0x0b, 0xca, 0xfe, 0xba, 0xbe,
+        0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab,
+        0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00
+    };
+    uint8_t srtcp_ciphertext[44] = {
+        0x81, 0xc8, 0x00, 0x0b, 0xca, 0xfe, 0xba, 0xbe,
+        0xc9, 0x8b, 0x8b, 0x5d, 0xf0, 0x39, 0x2a, 0x55,
+        0x85, 0x2b, 0x6c, 0x21, 0xac, 0x8e, 0x70, 0x25,
+        0xc5, 0x2c, 0x6f, 0xbe, 0xa2, 0xb3, 0xb4, 0x46,
+        0xea, 0x31, 0x12, 0x3b, 0xa8, 0x8c, 0xe6, 0x1e,
+        0x80, 0x00, 0x00, 0x01
+    };
+    // clang-format on
+
+    srtp_t srtp_snd, srtp_recv;
+    srtp_err_status_t status;
+    int len;
+    srtp_policy_t policy;
+
+    /*
+     * create a session with a single stream using the default srtp
+     * policy and with the SSRC value 0xcafebabe
+     */
+    memset(&policy, 0, sizeof(policy));
+    srtp_crypto_policy_set_aes_gcm_128_16_auth(&policy.rtp);
+    srtp_crypto_policy_set_aes_gcm_128_16_auth(&policy.rtcp);
+    policy.ssrc.type = ssrc_specific;
+    policy.ssrc.value = 0xcafebabe;
+    policy.key = test_key_gcm;
+    policy.ekt = NULL;
+    policy.window_size = 128;
+    policy.allow_repeat_tx = 0;
+    policy.next = NULL;
+
+    status = srtp_create(&srtp_snd, &policy);
+    if (status) {
+        return status;
+    }
+
+    /*
+     * protect plaintext rtp, then compare with srtp ciphertext
+     */
+    len = 28;
+    status = srtp_protect(srtp_snd, rtp_plaintext, &len);
+    if (status || (len != 44)) {
+        return srtp_err_status_fail;
+    }
+
+    debug_print(mod_driver, "srtp ciphertext:\n  %s",
+                octet_string_hex_string(rtp_plaintext, len));
+    debug_print(mod_driver, "srtp ciphertext reference:\n  %s",
+                octet_string_hex_string(srtp_ciphertext, len));
+
+    if (octet_string_is_eq(rtp_plaintext, srtp_ciphertext, len)) {
+        return srtp_err_status_fail;
+    }
+
+    /*
+     * protect plaintext rtcp, then compare with srtcp ciphertext
+     */
+    len = 24;
+    status = srtp_protect_rtcp(srtp_snd, rtcp_plaintext, &len);
+    if (status || (len != 44)) {
+        return srtp_err_status_fail;
+    }
+
+    debug_print(mod_driver, "srtcp ciphertext:\n  %s",
+                octet_string_hex_string(rtcp_plaintext, len));
+    debug_print(mod_driver, "srtcp ciphertext reference:\n  %s",
+                octet_string_hex_string(srtcp_ciphertext, len));
+
+    if (octet_string_is_eq(rtcp_plaintext, srtcp_ciphertext, len)) {
+        return srtp_err_status_fail;
+    }
+
+    /*
+     * create a receiver session context comparable to the one created
+     * above - we need to do this so that the replay checking doesn't
+     * complain
+     */
+    status = srtp_create(&srtp_recv, &policy);
+    if (status) {
+        return status;
+    }
+
+    /*
+     * unprotect srtp ciphertext, then compare with rtp plaintext
+     */
+    len = 44;
+    status = srtp_unprotect(srtp_recv, srtp_ciphertext, &len);
+    if (status || (len != 28)) {
+        return status;
+    }
+
+    if (octet_string_is_eq(srtp_ciphertext, rtp_plaintext_ref, len)) {
+        return srtp_err_status_fail;
+    }
+
+    /*
+     * unprotect srtcp ciphertext, then compare with rtcp plaintext
+     */
+    len = 44;
+    status = srtp_unprotect_rtcp(srtp_recv, srtcp_ciphertext, &len);
+    if (status || (len != 24)) {
+        return status;
+    }
+
+    if (octet_string_is_eq(srtcp_ciphertext, rtcp_plaintext_ref, len)) {
+        return srtp_err_status_fail;
+    }
+
+    status = srtp_dealloc(srtp_snd);
+    if (status) {
+        return status;
+    }
+
+    status = srtp_dealloc(srtp_recv);
+    if (status) {
+        return status;
+    }
+
+    return srtp_err_status_ok;
+}
+#endif
+
+/*
+ * Test vectors taken from RFC 6904, Appendix A
+ */
+srtp_err_status_t srtp_validate_encrypted_extensions_headers()
+{
+    // clang-format off
+    unsigned char test_key_ext_headers[30] = {
+        0xe1, 0xf9, 0x7a, 0x0d, 0x3e, 0x01, 0x8b, 0xe0,
+        0xd6, 0x4f, 0xa3, 0x2c, 0x06, 0xde, 0x41, 0x39,
+        0x0e, 0xc6, 0x75, 0xad, 0x49, 0x8a, 0xfe, 0xeb,
+        0xb6, 0x96, 0x0b, 0x3a, 0xab, 0xe6
+    };
+    uint8_t srtp_plaintext_ref[56] = {
+        0x90, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad,
+        0xca, 0xfe, 0xba, 0xbe, 0xBE, 0xDE, 0x00, 0x06,
+        0x17, 0x41, 0x42, 0x73, 0xA4, 0x75, 0x26, 0x27,
+        0x48, 0x22, 0x00, 0x00, 0xC8, 0x30, 0x8E, 0x46,
+        0x55, 0x99, 0x63, 0x86, 0xB3, 0x95, 0xFB, 0x00,
+        0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab,
+        0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab
+    };
+    uint8_t srtp_plaintext[66] = {
+        0x90, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad,
+        0xca, 0xfe, 0xba, 0xbe, 0xBE, 0xDE, 0x00, 0x06,
+        0x17, 0x41, 0x42, 0x73, 0xA4, 0x75, 0x26, 0x27,
+        0x48, 0x22, 0x00, 0x00, 0xC8, 0x30, 0x8E, 0x46,
+        0x55, 0x99, 0x63, 0x86, 0xB3, 0x95, 0xFB, 0x00,
+        0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab,
+        0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00
+    };
+    uint8_t srtp_ciphertext[66] = {
+        0x90, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad,
+        0xca, 0xfe, 0xba, 0xbe, 0xBE, 0xDE, 0x00, 0x06,
+        0x17, 0x58, 0x8A, 0x92, 0x70, 0xF4, 0xE1, 0x5E,
+        0x1C, 0x22, 0x00, 0x00, 0xC8, 0x30, 0x95, 0x46,
+        0xA9, 0x94, 0xF0, 0xBC, 0x54, 0x78, 0x97, 0x00,
+        0x4e, 0x55, 0xdc, 0x4c, 0xe7, 0x99, 0x78, 0xd8,
+        0x8c, 0xa4, 0xd2, 0x15, 0x94, 0x9d, 0x24, 0x02,
+        0x5a, 0x46, 0xb3, 0xca, 0x35, 0xc5, 0x35, 0xa8,
+        0x91, 0xc7
+    };
+    // clang-format on
+
+    srtp_t srtp_snd, srtp_recv;
+    srtp_err_status_t status;
+    int len;
+    srtp_policy_t policy;
+    int headers[3] = { 1, 3, 4 };
+
+    /*
+     * create a session with a single stream using the default srtp
+     * policy and with the SSRC value 0xcafebabe
+     */
+    memset(&policy, 0, sizeof(policy));
+    srtp_crypto_policy_set_rtp_default(&policy.rtp);
+    srtp_crypto_policy_set_rtcp_default(&policy.rtcp);
+    policy.ssrc.type = ssrc_specific;
+    policy.ssrc.value = 0xcafebabe;
+    policy.key = test_key_ext_headers;
+    policy.ekt = NULL;
+    policy.window_size = 128;
+    policy.allow_repeat_tx = 0;
+    policy.enc_xtn_hdr = headers;
+    policy.enc_xtn_hdr_count = sizeof(headers) / sizeof(headers[0]);
+    policy.next = NULL;
+
+    status = srtp_create(&srtp_snd, &policy);
+    if (status)
+        return status;
+
+    /*
+     * protect plaintext, then compare with ciphertext
+     */
+    len = sizeof(srtp_plaintext_ref);
+    status = srtp_protect(srtp_snd, srtp_plaintext, &len);
+    if (status || (len != sizeof(srtp_plaintext)))
+        return srtp_err_status_fail;
+
+    debug_print(mod_driver, "ciphertext:\n  %s",
+                srtp_octet_string_hex_string(srtp_plaintext, len));
+    debug_print(mod_driver, "ciphertext reference:\n  %s",
+                srtp_octet_string_hex_string(srtp_ciphertext, len));
+
+    if (octet_string_is_eq(srtp_plaintext, srtp_ciphertext, len))
+        return srtp_err_status_fail;
+
+    /*
+     * create a receiver session context comparable to the one created
+     * above - we need to do this so that the replay checking doesn't
+     * complain
+     */
+    status = srtp_create(&srtp_recv, &policy);
+    if (status)
+        return status;
+
+    /*
+     * unprotect ciphertext, then compare with plaintext
+     */
+    status = srtp_unprotect(srtp_recv, srtp_ciphertext, &len);
+    if (status) {
+        return status;
+    } else if (len != sizeof(srtp_plaintext_ref)) {
+        return srtp_err_status_fail;
+    }
+
+    if (octet_string_is_eq(srtp_ciphertext, srtp_plaintext_ref, len))
+        return srtp_err_status_fail;
+
+    status = srtp_dealloc(srtp_snd);
+    if (status)
+        return status;
+
+    status = srtp_dealloc(srtp_recv);
+    if (status)
+        return status;
+
+    return srtp_err_status_ok;
+}
+
+#ifdef GCM
+
+/*
+ * Headers of test vectors taken from RFC 6904, Appendix A
+ */
+srtp_err_status_t srtp_validate_encrypted_extensions_headers_gcm()
+{
+    // clang-format off
+    unsigned char test_key_ext_headers[30] = {
+        0xe1, 0xf9, 0x7a, 0x0d, 0x3e, 0x01, 0x8b, 0xe0,
+        0xd6, 0x4f, 0xa3, 0x2c, 0x06, 0xde, 0x41, 0x39,
+        0x0e, 0xc6, 0x75, 0xad, 0x49, 0x8a, 0xfe, 0xeb,
+        0xb6, 0x96, 0x0b, 0x3a, 0xab, 0xe6
+    };
+    uint8_t srtp_plaintext_ref[56] = {
+        0x90, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad,
+        0xca, 0xfe, 0xba, 0xbe, 0xBE, 0xDE, 0x00, 0x06,
+        0x17, 0x41, 0x42, 0x73, 0xA4, 0x75, 0x26, 0x27,
+        0x48, 0x22, 0x00, 0x00, 0xC8, 0x30, 0x8E, 0x46,
+        0x55, 0x99, 0x63, 0x86, 0xB3, 0x95, 0xFB, 0x00,
+        0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab,
+        0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab
+    };
+    uint8_t srtp_plaintext[64] = {
+        0x90, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad,
+        0xca, 0xfe, 0xba, 0xbe, 0xBE, 0xDE, 0x00, 0x06,
+        0x17, 0x41, 0x42, 0x73, 0xA4, 0x75, 0x26, 0x27,
+        0x48, 0x22, 0x00, 0x00, 0xC8, 0x30, 0x8E, 0x46,
+        0x55, 0x99, 0x63, 0x86, 0xB3, 0x95, 0xFB, 0x00,
+        0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab,
+        0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+    };
+    uint8_t srtp_ciphertext[64] = {
+        0x90, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad,
+        0xca, 0xfe, 0xba, 0xbe, 0xBE, 0xDE, 0x00, 0x06,
+        0x17, 0x12, 0xe0, 0x20, 0x5b, 0xfa, 0x94, 0x9b,
+        0x1C, 0x22, 0x00, 0x00, 0xC8, 0x30, 0xbb, 0x46,
+        0x73, 0x27, 0x78, 0xd9, 0x92, 0x9a, 0xab, 0x00,
+        0x0e, 0xca, 0x0c, 0xf9, 0x5e, 0xe9, 0x55, 0xb2,
+        0x6c, 0xd3, 0xd2, 0x88, 0xb4, 0x9f, 0x6c, 0xa9,
+        0xf4, 0xb1, 0xb7, 0x59, 0x71, 0x9e, 0xb5, 0xbc
+    };
+    // clang-format on
+
+    srtp_t srtp_snd, srtp_recv;
+    srtp_err_status_t status;
+    int len;
+    srtp_policy_t policy;
+    int headers[3] = { 1, 3, 4 };
+
+    /*
+     * create a session with a single stream using the default srtp
+     * policy and with the SSRC value 0xcafebabe
+     */
+    memset(&policy, 0, sizeof(policy));
+    srtp_crypto_policy_set_aes_gcm_128_8_auth(&policy.rtp);
+    srtp_crypto_policy_set_aes_gcm_128_8_auth(&policy.rtcp);
+    policy.ssrc.type = ssrc_specific;
+    policy.ssrc.value = 0xcafebabe;
+    policy.key = test_key_ext_headers;
+    policy.ekt = NULL;
+    policy.window_size = 128;
+    policy.allow_repeat_tx = 0;
+    policy.enc_xtn_hdr = headers;
+    policy.enc_xtn_hdr_count = sizeof(headers) / sizeof(headers[0]);
+    policy.next = NULL;
+
+    status = srtp_create(&srtp_snd, &policy);
+    if (status)
+        return status;
+
+    /*
+     * protect plaintext, then compare with ciphertext
+     */
+    len = sizeof(srtp_plaintext_ref);
+    status = srtp_protect(srtp_snd, srtp_plaintext, &len);
+    if (status || (len != sizeof(srtp_plaintext)))
+        return srtp_err_status_fail;
+
+    debug_print(mod_driver, "ciphertext:\n  %s",
+                srtp_octet_string_hex_string(srtp_plaintext, len));
+    debug_print(mod_driver, "ciphertext reference:\n  %s",
+                srtp_octet_string_hex_string(srtp_ciphertext, len));
+
+    if (octet_string_is_eq(srtp_plaintext, srtp_ciphertext, len))
+        return srtp_err_status_fail;
+
+    /*
+     * create a receiver session context comparable to the one created
+     * above - we need to do this so that the replay checking doesn't
+     * complain
+     */
+    status = srtp_create(&srtp_recv, &policy);
+    if (status)
+        return status;
+
+    /*
+     * unprotect ciphertext, then compare with plaintext
+     */
+    status = srtp_unprotect(srtp_recv, srtp_ciphertext, &len);
+    if (status) {
+        return status;
+    } else if (len != sizeof(srtp_plaintext_ref)) {
+        return srtp_err_status_fail;
+    }
+
+    if (octet_string_is_eq(srtp_ciphertext, srtp_plaintext_ref, len))
+        return srtp_err_status_fail;
+
+    status = srtp_dealloc(srtp_snd);
+    if (status)
+        return status;
+
+    status = srtp_dealloc(srtp_recv);
+    if (status)
+        return status;
+
+    return srtp_err_status_ok;
+}
+#endif
+
+/*
+ * srtp_validate_aes_256() verifies the correctness of libsrtp by comparing
+ * some computed packets against some pre-computed reference values.
+ * These packets were made with the AES-CM-256/HMAC-SHA-1-80 policy.
+ */
+
+srtp_err_status_t srtp_validate_aes_256()
+{
+    // clang-format off
+    unsigned char aes_256_test_key[46] = {
+        0xf0, 0xf0, 0x49, 0x14, 0xb5, 0x13, 0xf2, 0x76,
+        0x3a, 0x1b, 0x1f, 0xa1, 0x30, 0xf1, 0x0e, 0x29,
+        0x98, 0xf6, 0xf6, 0xe4, 0x3e, 0x43, 0x09, 0xd1,
+        0xe6, 0x22, 0xa0, 0xe3, 0x32, 0xb9, 0xf1, 0xb6,
+
+        0x3b, 0x04, 0x80, 0x3d, 0xe5, 0x1e, 0xe7, 0xc9,
+        0x64, 0x23, 0xab, 0x5b, 0x78, 0xd2
+    };
+    uint8_t srtp_plaintext_ref[28] = {
+        0x80, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad,
+        0xca, 0xfe, 0xba, 0xbe, 0xab, 0xab, 0xab, 0xab,
+        0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab,
+        0xab, 0xab, 0xab, 0xab
+    };
+    uint8_t srtp_plaintext[38] = {
+        0x80, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad,
+        0xca, 0xfe, 0xba, 0xbe, 0xab, 0xab, 0xab, 0xab,
+        0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab, 0xab,
+        0xab, 0xab, 0xab, 0xab, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+    };
+    uint8_t srtp_ciphertext[38] = {
+        0x80, 0x0f, 0x12, 0x34, 0xde, 0xca, 0xfb, 0xad,
+        0xca, 0xfe, 0xba, 0xbe, 0xf1, 0xd9, 0xde, 0x17,
+        0xff, 0x25, 0x1f, 0xf1, 0xaa, 0x00, 0x77, 0x74,
+        0xb0, 0xb4, 0xb4, 0x0d, 0xa0, 0x8d, 0x9d, 0x9a,
+        0x5b, 0x3a, 0x55, 0xd8, 0x87, 0x3b
+    };
+    // clang-format on
+
+    srtp_t srtp_snd, srtp_recv;
+    srtp_err_status_t status;
+    int len;
+    srtp_policy_t policy;
+
+    /*
+     * create a session with a single stream using the default srtp
+     * policy and with the SSRC value 0xcafebabe
+     */
+    memset(&policy, 0, sizeof(policy));
+    srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80(&policy.rtp);
+    srtp_crypto_policy_set_aes_cm_256_hmac_sha1_80(&policy.rtcp);
+    policy.ssrc.type = ssrc_specific;
+    policy.ssrc.value = 0xcafebabe;
+    policy.key = aes_256_test_key;
+    policy.ekt = NULL;
+    policy.window_size = 128;
+    policy.allow_repeat_tx = 0;
+    policy.next = NULL;
+
+    status = srtp_create(&srtp_snd, &policy);
+    if (status) {
+        return status;
+    }
+
+    /*
+     * protect plaintext, then compare with ciphertext
+     */
+    len = 28;
+    status = srtp_protect(srtp_snd, srtp_plaintext, &len);
+    if (status || (len != 38)) {
+        return srtp_err_status_fail;
+    }
+
+    debug_print(mod_driver, "ciphertext:\n  %s",
+                octet_string_hex_string(srtp_plaintext, len));
+    debug_print(mod_driver, "ciphertext reference:\n  %s",
+                octet_string_hex_string(srtp_ciphertext, len));
+
+    if (octet_string_is_eq(srtp_plaintext, srtp_ciphertext, len)) {
+        return srtp_err_status_fail;
+    }
+
+    /*
+     * create a receiver session context comparable to the one created
+     * above - we need to do this so that the replay checking doesn't
+     * complain
+     */
+    status = srtp_create(&srtp_recv, &policy);
+    if (status) {
+        return status;
+    }
+
+    /*
+     * unprotect ciphertext, then compare with plaintext
+     */
+    status = srtp_unprotect(srtp_recv, srtp_ciphertext, &len);
+    if (status || (len != 28)) {
+        return status;
+    }
+
+    if (octet_string_is_eq(srtp_ciphertext, srtp_plaintext_ref, len)) {
+        return srtp_err_status_fail;
+    }
+
+    status = srtp_dealloc(srtp_snd);
+    if (status) {
+        return status;
+    }
+
+    status = srtp_dealloc(srtp_recv);
+    if (status) {
+        return status;
+    }
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_create_big_policy(srtp_policy_t **list)
+{
+    extern const srtp_policy_t *policy_array[];
+    srtp_policy_t *p, *tmp;
+    int i = 0;
+    uint32_t ssrc = 0;
+
+    /* sanity checking */
+    if ((list == NULL) || (policy_array[0] == NULL)) {
+        return srtp_err_status_bad_param;
+    }
+
+    /*
+     * loop over policy list, mallocing a new list and copying values
+     * into it (and incrementing the SSRC value as we go along)
+     */
+    tmp = NULL;
+    while (policy_array[i] != NULL) {
+        p = (srtp_policy_t *)malloc(sizeof(srtp_policy_t));
+        if (p == NULL) {
+            return srtp_err_status_bad_param;
+        }
+        memcpy(p, policy_array[i], sizeof(srtp_policy_t));
+        p->ssrc.type = ssrc_specific;
+        p->ssrc.value = ssrc++;
+        p->next = tmp;
+        tmp = p;
+        i++;
+    }
+    *list = p;
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_dealloc_big_policy(srtp_policy_t *list)
+{
+    srtp_policy_t *p, *next;
+
+    for (p = list; p != NULL; p = next) {
+        next = p->next;
+        free(p);
+    }
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_test_empty_payload()
+{
+    srtp_t srtp_snd, srtp_recv;
+    srtp_err_status_t status;
+    int len;
+    srtp_policy_t policy;
+    srtp_hdr_t *mesg;
+
+    /*
+     * create a session with a single stream using the default srtp
+     * policy and with the SSRC value 0xcafebabe
+     */
+    memset(&policy, 0, sizeof(policy));
+    srtp_crypto_policy_set_rtp_default(&policy.rtp);
+    srtp_crypto_policy_set_rtcp_default(&policy.rtcp);
+    policy.ssrc.type = ssrc_specific;
+    policy.ssrc.value = 0xcafebabe;
+    policy.key = test_key;
+    policy.ekt = NULL;
+    policy.window_size = 128;
+    policy.allow_repeat_tx = 0;
+    policy.next = NULL;
+
+    status = srtp_create(&srtp_snd, &policy);
+    if (status) {
+        return status;
+    }
+
+    mesg = srtp_create_test_packet(0, policy.ssrc.value, &len);
+    if (mesg == NULL) {
+        return srtp_err_status_fail;
+    }
+
+    status = srtp_protect(srtp_snd, mesg, &len);
+    if (status) {
+        return status;
+    } else if (len != 12 + 10) {
+        return srtp_err_status_fail;
+    }
+
+    /*
+     * create a receiver session context comparable to the one created
+     * above - we need to do this so that the replay checking doesn't
+     * complain
+     */
+    status = srtp_create(&srtp_recv, &policy);
+    if (status) {
+        return status;
+    }
+
+    /*
+     * unprotect ciphertext, then compare with plaintext
+     */
+    status = srtp_unprotect(srtp_recv, mesg, &len);
+    if (status) {
+        return status;
+    } else if (len != 12) {
+        return srtp_err_status_fail;
+    }
+
+    status = srtp_dealloc(srtp_snd);
+    if (status) {
+        return status;
+    }
+
+    status = srtp_dealloc(srtp_recv);
+    if (status) {
+        return status;
+    }
+
+    free(mesg);
+
+    return srtp_err_status_ok;
+}
+
+#ifdef GCM
+srtp_err_status_t srtp_test_empty_payload_gcm()
+{
+    srtp_t srtp_snd, srtp_recv;
+    srtp_err_status_t status;
+    int len;
+    srtp_policy_t policy;
+    srtp_hdr_t *mesg;
+
+    /*
+     * create a session with a single stream using the default srtp
+     * policy and with the SSRC value 0xcafebabe
+     */
+    memset(&policy, 0, sizeof(policy));
+    srtp_crypto_policy_set_aes_gcm_128_8_auth(&policy.rtp);
+    srtp_crypto_policy_set_aes_gcm_128_8_auth(&policy.rtcp);
+    policy.ssrc.type = ssrc_specific;
+    policy.ssrc.value = 0xcafebabe;
+    policy.key = test_key;
+    policy.ekt = NULL;
+    policy.window_size = 128;
+    policy.allow_repeat_tx = 0;
+    policy.next = NULL;
+
+    status = srtp_create(&srtp_snd, &policy);
+    if (status) {
+        return status;
+    }
+
+    mesg = srtp_create_test_packet(0, policy.ssrc.value, &len);
+    if (mesg == NULL) {
+        return srtp_err_status_fail;
+    }
+
+    status = srtp_protect(srtp_snd, mesg, &len);
+    if (status) {
+        return status;
+    } else if (len != 12 + 8) {
+        return srtp_err_status_fail;
+    }
+
+    /*
+     * create a receiver session context comparable to the one created
+     * above - we need to do this so that the replay checking doesn't
+     * complain
+     */
+    status = srtp_create(&srtp_recv, &policy);
+    if (status) {
+        return status;
+    }
+
+    /*
+     * unprotect ciphertext, then compare with plaintext
+     */
+    status = srtp_unprotect(srtp_recv, mesg, &len);
+    if (status) {
+        return status;
+    } else if (len != 12) {
+        return srtp_err_status_fail;
+    }
+
+    status = srtp_dealloc(srtp_snd);
+    if (status) {
+        return status;
+    }
+
+    status = srtp_dealloc(srtp_recv);
+    if (status) {
+        return status;
+    }
+
+    free(mesg);
+
+    return srtp_err_status_ok;
+}
+#endif // GCM
+
+srtp_err_status_t srtp_test_remove_stream()
+{
+    srtp_err_status_t status;
+    srtp_policy_t *policy_list, policy;
+    srtp_t session;
+    srtp_stream_t stream;
+
+    /*
+     * srtp_get_stream() is a libSRTP internal function that we declare
+     * here so that we can use it to verify the correct operation of the
+     * library
+     */
+    extern srtp_stream_t srtp_get_stream(srtp_t srtp, uint32_t ssrc);
+
+    status = srtp_create_big_policy(&policy_list);
+    if (status) {
+        return status;
+    }
+
+    status = srtp_create(&session, policy_list);
+    if (status) {
+        return status;
+    }
+
+    /*
+     * check for false positives by trying to remove a stream that's not
+     * in the session
+     */
+    status = srtp_remove_stream(session, htonl(0xaaaaaaaa));
+    if (status != srtp_err_status_no_ctx) {
+        return srtp_err_status_fail;
+    }
+
+    /*
+     * check for false negatives by removing stream 0x1, then
+     * searching for streams 0x0 and 0x2
+     */
+    status = srtp_remove_stream(session, htonl(0x1));
+    if (status != srtp_err_status_ok) {
+        return srtp_err_status_fail;
+    }
+    stream = srtp_get_stream(session, htonl(0x0));
+    if (stream == NULL) {
+        return srtp_err_status_fail;
+    }
+    stream = srtp_get_stream(session, htonl(0x2));
+    if (stream == NULL) {
+        return srtp_err_status_fail;
+    }
+
+    status = srtp_dealloc(session);
+    if (status != srtp_err_status_ok) {
+        return status;
+    }
+
+    status = srtp_dealloc_big_policy(policy_list);
+    if (status != srtp_err_status_ok) {
+        return status;
+    }
+
+    /* Now test adding and removing a single stream */
+    memset(&policy, 0, sizeof(policy));
+    srtp_crypto_policy_set_rtp_default(&policy.rtp);
+    srtp_crypto_policy_set_rtcp_default(&policy.rtcp);
+    policy.ssrc.type = ssrc_specific;
+    policy.ssrc.value = 0xcafebabe;
+    policy.key = test_key;
+    policy.ekt = NULL;
+    policy.window_size = 128;
+    policy.allow_repeat_tx = 0;
+    policy.next = NULL;
+
+    status = srtp_create(&session, NULL);
+    if (status != srtp_err_status_ok) {
+        return status;
+    }
+
+    status = srtp_add_stream(session, &policy);
+    if (status != srtp_err_status_ok) {
+        return status;
+    }
+
+    status = srtp_remove_stream(session, htonl(0xcafebabe));
+    if (status != srtp_err_status_ok) {
+        return status;
+    }
+
+    status = srtp_dealloc(session);
+    if (status != srtp_err_status_ok) {
+        return status;
+    }
+
+    return srtp_err_status_ok;
+}
+
+// clang-format off
+unsigned char test_alt_key[46] = {
+  0xe5, 0x19, 0x6f, 0x01, 0x5e, 0xf1, 0x9b, 0xe1,
+  0xd7, 0x47, 0xa7, 0x27, 0x07, 0xd7, 0x47, 0x33,
+  0x01, 0xc2, 0x35, 0x4d, 0x59, 0x6a, 0xf7, 0x84,
+  0x96, 0x98, 0xeb, 0xaa, 0xac, 0xf6, 0xa1, 0x45,
+  0xc7, 0x15, 0xe2, 0xea, 0xfe, 0x55, 0x67, 0x96,
+  0xb6, 0x96, 0x0b, 0x3a, 0xab, 0xe6
+};
+// clang-format on
+
+/*
+ * srtp_test_update() verifies updating/rekeying exsisting streams.
+ * As stated in https://tools.ietf.org/html/rfc3711#section-3.3.1
+ * the value of the ROC must not be reset after a rekey, this test
+ * atempts to prove that srtp_update does not reset the ROC.
+ */
+
+srtp_err_status_t srtp_test_update()
+{
+    srtp_err_status_t status;
+    uint32_t ssrc = 0x12121212;
+    int msg_len_octets = 32;
+    int protected_msg_len_octets;
+    srtp_hdr_t *msg;
+    srtp_t srtp_snd, srtp_recv;
+    srtp_policy_t policy;
+
+    memset(&policy, 0, sizeof(policy));
+    srtp_crypto_policy_set_rtp_default(&policy.rtp);
+    srtp_crypto_policy_set_rtcp_default(&policy.rtcp);
+    policy.ekt = NULL;
+    policy.window_size = 128;
+    policy.allow_repeat_tx = 0;
+    policy.next = NULL;
+    policy.ssrc.type = ssrc_any_outbound;
+    policy.key = test_key;
+
+    /* create a send and recive ctx with defualt profile and test_key */
+    status = srtp_create(&srtp_recv, &policy);
+    if (status)
+        return status;
+
+    policy.ssrc.type = ssrc_any_inbound;
+    status = srtp_create(&srtp_snd, &policy);
+    if (status)
+        return status;
+
+    /* protect and unprotect two msg's that will cause the ROC to be equal to 1
+     */
+    msg = srtp_create_test_packet(msg_len_octets, ssrc,
+                                  &protected_msg_len_octets);
+    if (msg == NULL)
+        return srtp_err_status_alloc_fail;
+    msg->seq = htons(65535);
+
+    status = srtp_protect(srtp_snd, msg, &protected_msg_len_octets);
+    if (status)
+        return srtp_err_status_fail;
+
+    status = srtp_unprotect(srtp_recv, msg, &protected_msg_len_octets);
+    if (status)
+        return status;
+
+    free(msg);
+
+    msg = srtp_create_test_packet(msg_len_octets, ssrc,
+                                  &protected_msg_len_octets);
+    if (msg == NULL)
+        return srtp_err_status_alloc_fail;
+    msg->seq = htons(1);
+
+    status = srtp_protect(srtp_snd, msg, &protected_msg_len_octets);
+    if (status)
+        return srtp_err_status_fail;
+
+    status = srtp_unprotect(srtp_recv, msg, &protected_msg_len_octets);
+    if (status)
+        return status;
+
+    free(msg);
+
+    /* update send ctx with same test_key t verify update works*/
+    policy.ssrc.type = ssrc_any_outbound;
+    policy.key = test_key;
+    status = srtp_update(srtp_snd, &policy);
+    if (status)
+        return status;
+
+    msg = srtp_create_test_packet(msg_len_octets, ssrc,
+                                  &protected_msg_len_octets);
+    if (msg == NULL)
+        return srtp_err_status_alloc_fail;
+    msg->seq = htons(2);
+
+    status = srtp_protect(srtp_snd, msg, &protected_msg_len_octets);
+    if (status)
+        return srtp_err_status_fail;
+
+    status = srtp_unprotect(srtp_recv, msg, &protected_msg_len_octets);
+    if (status)
+        return status;
+
+    free(msg);
+
+    /* update send ctx to use test_alt_key */
+    policy.ssrc.type = ssrc_any_outbound;
+    policy.key = test_alt_key;
+    status = srtp_update(srtp_snd, &policy);
+    if (status)
+        return status;
+
+    /* create and protect msg with new key and ROC still equal to 1 */
+    msg = srtp_create_test_packet(msg_len_octets, ssrc,
+                                  &protected_msg_len_octets);
+    if (msg == NULL)
+        return srtp_err_status_alloc_fail;
+    msg->seq = htons(3);
+
+    status = srtp_protect(srtp_snd, msg, &protected_msg_len_octets);
+    if (status)
+        return srtp_err_status_fail;
+
+    /* verify that recive ctx will fail to unprotect as it still uses test_key
+     */
+    status = srtp_unprotect(srtp_recv, msg, &protected_msg_len_octets);
+    if (status == srtp_err_status_ok)
+        return srtp_err_status_fail;
+
+    /* create a new recvieve ctx with test_alt_key but since it is new it will
+     * have ROC equal to 1
+     * and therefore should fail to unprotected */
+    {
+        srtp_t srtp_recv_roc_0;
+
+        policy.ssrc.type = ssrc_any_inbound;
+        policy.key = test_alt_key;
+        status = srtp_create(&srtp_recv_roc_0, &policy);
+        if (status)
+            return status;
+
+        status =
+            srtp_unprotect(srtp_recv_roc_0, msg, &protected_msg_len_octets);
+        if (status == srtp_err_status_ok)
+            return srtp_err_status_fail;
+
+        status = srtp_dealloc(srtp_recv_roc_0);
+        if (status)
+            return status;
+    }
+
+    /* update recive ctx to use test_alt_key */
+    policy.ssrc.type = ssrc_any_inbound;
+    policy.key = test_alt_key;
+    status = srtp_update(srtp_recv, &policy);
+    if (status)
+        return status;
+
+    /* verify that can still unprotect, therfore key is updated and ROC value is
+     * preserved */
+    status = srtp_unprotect(srtp_recv, msg, &protected_msg_len_octets);
+    if (status)
+        return status;
+
+    free(msg);
+
+    status = srtp_dealloc(srtp_snd);
+    if (status)
+        return status;
+
+    status = srtp_dealloc(srtp_recv);
+    if (status)
+        return status;
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_test_setup_protect_trailer_streams(
+    srtp_t *srtp_send,
+    srtp_t *srtp_send_mki,
+    srtp_t *srtp_send_aes_gcm,
+    srtp_t *srtp_send_aes_gcm_mki)
+{
+    srtp_err_status_t status;
+    srtp_policy_t policy;
+    srtp_policy_t policy_mki;
+
+#ifdef GCM
+    srtp_policy_t policy_aes_gcm;
+    srtp_policy_t policy_aes_gcm_mki;
+#endif // GCM
+
+    memset(&policy, 0, sizeof(policy));
+    srtp_crypto_policy_set_rtp_default(&policy.rtp);
+    srtp_crypto_policy_set_rtcp_default(&policy.rtcp);
+    policy.ekt = NULL;
+    policy.window_size = 128;
+    policy.allow_repeat_tx = 0;
+    policy.next = NULL;
+    policy.ssrc.type = ssrc_any_outbound;
+    policy.key = test_key;
+
+    memset(&policy_mki, 0, sizeof(policy_mki));
+    srtp_crypto_policy_set_rtp_default(&policy_mki.rtp);
+    srtp_crypto_policy_set_rtcp_default(&policy_mki.rtcp);
+    policy_mki.ekt = NULL;
+    policy_mki.window_size = 128;
+    policy_mki.allow_repeat_tx = 0;
+    policy_mki.next = NULL;
+    policy_mki.ssrc.type = ssrc_any_outbound;
+    policy_mki.key = NULL;
+    policy_mki.keys = test_keys;
+    policy_mki.num_master_keys = 2;
+
+#ifdef GCM
+    memset(&policy_aes_gcm, 0, sizeof(policy_aes_gcm));
+    srtp_crypto_policy_set_aes_gcm_128_16_auth(&policy_aes_gcm.rtp);
+    srtp_crypto_policy_set_aes_gcm_128_16_auth(&policy_aes_gcm.rtcp);
+    policy_aes_gcm.ekt = NULL;
+    policy_aes_gcm.window_size = 128;
+    policy_aes_gcm.allow_repeat_tx = 0;
+    policy_aes_gcm.next = NULL;
+    policy_aes_gcm.ssrc.type = ssrc_any_outbound;
+    policy_aes_gcm.key = test_key;
+
+    memset(&policy_aes_gcm_mki, 0, sizeof(policy_aes_gcm_mki));
+    srtp_crypto_policy_set_aes_gcm_128_16_auth(&policy_aes_gcm_mki.rtp);
+    srtp_crypto_policy_set_aes_gcm_128_16_auth(&policy_aes_gcm_mki.rtcp);
+    policy_aes_gcm_mki.ekt = NULL;
+    policy_aes_gcm_mki.window_size = 128;
+    policy_aes_gcm_mki.allow_repeat_tx = 0;
+    policy_aes_gcm_mki.next = NULL;
+    policy_aes_gcm_mki.ssrc.type = ssrc_any_outbound;
+    policy_aes_gcm_mki.key = NULL;
+    policy_aes_gcm_mki.keys = test_keys;
+    policy_aes_gcm_mki.num_master_keys = 2;
+#endif // GCM
+
+    /* create a send ctx with defualt profile and test_key */
+    status = srtp_create(srtp_send, &policy);
+    if (status)
+        return status;
+
+    status = srtp_create(srtp_send_mki, &policy_mki);
+    if (status)
+        return status;
+
+#ifdef GCM
+    status = srtp_create(srtp_send_aes_gcm, &policy_aes_gcm);
+    if (status)
+        return status;
+
+    status = srtp_create(srtp_send_aes_gcm_mki, &policy_aes_gcm_mki);
+    if (status)
+        return status;
+#endif // GCM
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_test_protect_trailer_length()
+{
+    srtp_t srtp_send;
+    srtp_t srtp_send_mki;
+    srtp_t srtp_send_aes_gcm;
+    srtp_t srtp_send_aes_gcm_mki;
+    uint32_t length = 0;
+    srtp_err_status_t status;
+
+    srtp_test_setup_protect_trailer_streams(
+        &srtp_send, &srtp_send_mki, &srtp_send_aes_gcm, &srtp_send_aes_gcm_mki);
+
+    status = srtp_get_protect_trailer_length(srtp_send, 0, 0, &length);
+    if (status)
+        return status;
+
+    /*  TAG Length: 10 bytes */
+    if (length != 10)
+        return srtp_err_status_fail;
+
+    status = srtp_get_protect_trailer_length(srtp_send_mki, 1, 1, &length);
+    if (status)
+        return status;
+
+    /*  TAG Length: 10 bytes + MKI length: 4 bytes*/
+    if (length != 14)
+        return srtp_err_status_fail;
+
+#ifdef GCM
+    status = srtp_get_protect_trailer_length(srtp_send_aes_gcm, 0, 0, &length);
+    if (status)
+        return status;
+
+    /*  TAG Length: 16 bytes */
+    if (length != 16)
+        return srtp_err_status_fail;
+
+    status =
+        srtp_get_protect_trailer_length(srtp_send_aes_gcm_mki, 1, 1, &length);
+    if (status)
+        return status;
+
+    /*  TAG Length: 16 bytes + MKI length: 4 bytes*/
+    if (length != 20)
+        return srtp_err_status_fail;
+#endif // GCM
+
+    srtp_dealloc(srtp_send);
+    srtp_dealloc(srtp_send_mki);
+#ifdef GCM
+    srtp_dealloc(srtp_send_aes_gcm);
+    srtp_dealloc(srtp_send_aes_gcm_mki);
+#endif
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_test_protect_rtcp_trailer_length()
+{
+    srtp_t srtp_send;
+    srtp_t srtp_send_mki;
+    srtp_t srtp_send_aes_gcm;
+    srtp_t srtp_send_aes_gcm_mki;
+    uint32_t length = 0;
+    srtp_err_status_t status;
+
+    srtp_test_setup_protect_trailer_streams(
+        &srtp_send, &srtp_send_mki, &srtp_send_aes_gcm, &srtp_send_aes_gcm_mki);
+
+    status = srtp_get_protect_rtcp_trailer_length(srtp_send, 0, 0, &length);
+    if (status)
+        return status;
+
+    /*  TAG Length: 10 bytes + SRTCP Trailer 4 bytes*/
+    if (length != 14)
+        return srtp_err_status_fail;
+
+    status = srtp_get_protect_rtcp_trailer_length(srtp_send_mki, 1, 1, &length);
+    if (status)
+        return status;
+
+    /*  TAG Length: 10 bytes + SRTCP Trailer 4 bytes + MKI 4 bytes*/
+    if (length != 18)
+        return srtp_err_status_fail;
+
+#ifdef GCM
+    status =
+        srtp_get_protect_rtcp_trailer_length(srtp_send_aes_gcm, 0, 0, &length);
+    if (status)
+        return status;
+
+    /*  TAG Length: 16 bytes + SRTCP Trailer 4 bytes*/
+    if (length != 20)
+        return srtp_err_status_fail;
+
+    status = srtp_get_protect_rtcp_trailer_length(srtp_send_aes_gcm_mki, 1, 1,
+                                                  &length);
+    if (status)
+        return status;
+
+    /*  TAG Length: 16 bytes + SRTCP Trailer 4 bytes + MKI 4 bytes*/
+    if (length != 24)
+        return srtp_err_status_fail;
+#endif // GCM
+
+    srtp_dealloc(srtp_send);
+    srtp_dealloc(srtp_send_mki);
+#ifdef GCM
+    srtp_dealloc(srtp_send_aes_gcm);
+    srtp_dealloc(srtp_send_aes_gcm_mki);
+#endif
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_test_get_roc()
+{
+    srtp_err_status_t status;
+    srtp_policy_t policy;
+    srtp_t session;
+    srtp_hdr_t *pkt;
+    uint32_t i;
+    uint32_t roc;
+    uint32_t ts;
+    uint16_t seq;
+
+    int msg_len_octets = 32;
+    int protected_msg_len_octets;
+
+    memset(&policy, 0, sizeof(policy));
+    srtp_crypto_policy_set_rtp_default(&policy.rtp);
+    srtp_crypto_policy_set_rtcp_default(&policy.rtcp);
+    policy.ssrc.type = ssrc_specific;
+    policy.ssrc.value = 0xcafebabe;
+    policy.key = test_key;
+    policy.window_size = 128;
+
+    /* Create a sender session */
+    status = srtp_create(&session, &policy);
+    if (status) {
+        return status;
+    }
+
+    /* Set start sequence so we roll over */
+    seq = 65535;
+    ts = 0;
+
+    for (i = 0; i < 2; i++) {
+        pkt = srtp_create_test_packet_extended(msg_len_octets,
+                                               policy.ssrc.value, seq, ts,
+                                               &protected_msg_len_octets);
+        status = srtp_protect(session, pkt, &protected_msg_len_octets);
+        free(pkt);
+        if (status) {
+            return status;
+        }
+
+        status = srtp_get_stream_roc(session, policy.ssrc.value, &roc);
+        if (status) {
+            return status;
+        }
+
+        if (roc != i) {
+            return srtp_err_status_fail;
+        }
+
+        seq++;
+        ts++;
+    }
+
+    /* Cleanup */
+    status = srtp_dealloc(session);
+    if (status) {
+        return status;
+    }
+
+    return srtp_err_status_ok;
+}
+
+static srtp_err_status_t test_set_receiver_roc(uint32_t packets,
+                                               uint32_t roc_to_set)
+{
+    srtp_err_status_t status;
+
+    srtp_policy_t sender_policy;
+    srtp_t sender_session;
+
+    srtp_policy_t receiver_policy;
+    srtp_t receiver_session;
+
+    srtp_hdr_t *pkt_1;
+    unsigned char *recv_pkt_1;
+
+    srtp_hdr_t *pkt_2;
+    unsigned char *recv_pkt_2;
+
+    uint32_t i;
+    uint32_t ts;
+    uint16_t seq;
+
+    int msg_len_octets = 32;
+    int protected_msg_len_octets_1;
+    int protected_msg_len_octets_2;
+
+    /* Create sender */
+    memset(&sender_policy, 0, sizeof(sender_policy));
+    srtp_crypto_policy_set_rtp_default(&sender_policy.rtp);
+    srtp_crypto_policy_set_rtcp_default(&sender_policy.rtcp);
+    sender_policy.ssrc.type = ssrc_specific;
+    sender_policy.ssrc.value = 0xcafebabe;
+    sender_policy.key = test_key;
+    sender_policy.window_size = 128;
+
+    status = srtp_create(&sender_session, &sender_policy);
+    if (status) {
+        return status;
+    }
+
+    /* Create and protect packets */
+    seq = 0;
+    ts = 0;
+    for (i = 0; i < packets; i++) {
+        srtp_hdr_t *tmp_pkt;
+        int tmp_len;
+
+        tmp_pkt = srtp_create_test_packet_extended(
+            msg_len_octets, sender_policy.ssrc.value, seq, ts, &tmp_len);
+        status = srtp_protect(sender_session, tmp_pkt, &tmp_len);
+        free(tmp_pkt);
+        if (status) {
+            return status;
+        }
+
+        seq++;
+        ts++;
+    }
+
+    /* Create the first packet to decrypt and test for ROC change */
+    pkt_1 = srtp_create_test_packet_extended(msg_len_octets,
+                                             sender_policy.ssrc.value, seq, ts,
+                                             &protected_msg_len_octets_1);
+    status = srtp_protect(sender_session, pkt_1, &protected_msg_len_octets_1);
+    if (status) {
+        return status;
+    }
+
+    /* Create the second packet to decrypt and test for ROC change */
+    seq++;
+    ts++;
+    pkt_2 = srtp_create_test_packet_extended(msg_len_octets,
+                                             sender_policy.ssrc.value, seq, ts,
+                                             &protected_msg_len_octets_2);
+    status = srtp_protect(sender_session, pkt_2, &protected_msg_len_octets_2);
+    if (status) {
+        return status;
+    }
+
+    /* Create the receiver */
+    memset(&receiver_policy, 0, sizeof(receiver_policy));
+    srtp_crypto_policy_set_rtp_default(&receiver_policy.rtp);
+    srtp_crypto_policy_set_rtcp_default(&receiver_policy.rtcp);
+    receiver_policy.ssrc.type = ssrc_specific;
+    receiver_policy.ssrc.value = sender_policy.ssrc.value;
+    receiver_policy.key = test_key;
+    receiver_policy.window_size = 128;
+
+    status = srtp_create(&receiver_session, &receiver_policy);
+    if (status) {
+        return status;
+    }
+
+    /* Make a copy of the first sent protected packet */
+    recv_pkt_1 = malloc(protected_msg_len_octets_1);
+    if (recv_pkt_1 == NULL) {
+        return srtp_err_status_fail;
+    }
+    memcpy(recv_pkt_1, pkt_1, protected_msg_len_octets_1);
+
+    /* Make a copy of the second sent protected packet */
+    recv_pkt_2 = malloc(protected_msg_len_octets_2);
+    if (recv_pkt_2 == NULL) {
+        return srtp_err_status_fail;
+    }
+    memcpy(recv_pkt_2, pkt_2, protected_msg_len_octets_2);
+
+    /* Set the ROC to the wanted value */
+    status = srtp_set_stream_roc(receiver_session, receiver_policy.ssrc.value,
+                                 roc_to_set);
+    if (status) {
+        return status;
+    }
+
+    /* Unprotect the first packet */
+    status = srtp_unprotect(receiver_session, recv_pkt_1,
+                            &protected_msg_len_octets_1);
+    if (status) {
+        return status;
+    }
+
+    /* Unprotect the second packet */
+    status = srtp_unprotect(receiver_session, recv_pkt_2,
+                            &protected_msg_len_octets_2);
+    if (status) {
+        return status;
+    }
+
+    /* Cleanup */
+    status = srtp_dealloc(sender_session);
+    if (status) {
+        return status;
+    }
+
+    status = srtp_dealloc(receiver_session);
+    if (status) {
+        return status;
+    }
+
+    free(pkt_1);
+    free(recv_pkt_1);
+    free(pkt_2);
+    free(recv_pkt_2);
+
+    return srtp_err_status_ok;
+}
+
+static srtp_err_status_t test_set_sender_roc(uint16_t seq, uint32_t roc_to_set)
+{
+    srtp_err_status_t status;
+
+    srtp_policy_t sender_policy;
+    srtp_t sender_session;
+
+    srtp_policy_t receiver_policy;
+    srtp_t receiver_session;
+
+    srtp_hdr_t *pkt;
+    unsigned char *recv_pkt;
+
+    uint32_t ts;
+
+    int msg_len_octets = 32;
+    int protected_msg_len_octets;
+
+    /* Create sender */
+    memset(&sender_policy, 0, sizeof(sender_policy));
+    srtp_crypto_policy_set_rtp_default(&sender_policy.rtp);
+    srtp_crypto_policy_set_rtcp_default(&sender_policy.rtcp);
+    sender_policy.ssrc.type = ssrc_specific;
+    sender_policy.ssrc.value = 0xcafebabe;
+    sender_policy.key = test_key;
+    sender_policy.window_size = 128;
+
+    status = srtp_create(&sender_session, &sender_policy);
+    if (status) {
+        return status;
+    }
+
+    /* Set the ROC before encrypting the first packet */
+    status = srtp_set_stream_roc(sender_session, sender_policy.ssrc.value,
+                                 roc_to_set);
+    if (status != srtp_err_status_ok) {
+        return status;
+    }
+
+    /* Create the packet to decrypt */
+    ts = 0;
+    pkt = srtp_create_test_packet_extended(msg_len_octets,
+                                           sender_policy.ssrc.value, seq, ts,
+                                           &protected_msg_len_octets);
+    status = srtp_protect(sender_session, pkt, &protected_msg_len_octets);
+    if (status) {
+        return status;
+    }
+
+    /* Create the receiver */
+    memset(&receiver_policy, 0, sizeof(receiver_policy));
+    srtp_crypto_policy_set_rtp_default(&receiver_policy.rtp);
+    srtp_crypto_policy_set_rtcp_default(&receiver_policy.rtcp);
+    receiver_policy.ssrc.type = ssrc_specific;
+    receiver_policy.ssrc.value = sender_policy.ssrc.value;
+    receiver_policy.key = test_key;
+    receiver_policy.window_size = 128;
+
+    status = srtp_create(&receiver_session, &receiver_policy);
+    if (status) {
+        return status;
+    }
+
+    /* Make a copy of the sent protected packet */
+    recv_pkt = malloc(protected_msg_len_octets);
+    if (recv_pkt == NULL) {
+        return srtp_err_status_fail;
+    }
+    memcpy(recv_pkt, pkt, protected_msg_len_octets);
+
+    /* Set the ROC to the wanted value */
+    status = srtp_set_stream_roc(receiver_session, receiver_policy.ssrc.value,
+                                 roc_to_set);
+    if (status) {
+        return status;
+    }
+
+    status =
+        srtp_unprotect(receiver_session, recv_pkt, &protected_msg_len_octets);
+    if (status) {
+        return status;
+    }
+
+    /* Cleanup */
+    status = srtp_dealloc(sender_session);
+    if (status) {
+        return status;
+    }
+
+    status = srtp_dealloc(receiver_session);
+    if (status) {
+        return status;
+    }
+
+    free(pkt);
+    free(recv_pkt);
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_test_set_receiver_roc()
+{
+    int packets;
+    uint32_t roc;
+    srtp_err_status_t status;
+
+    /* First test does not rollover */
+    packets = 1;
+    roc = 0;
+
+    status = test_set_receiver_roc(packets - 1, roc);
+    if (status) {
+        return status;
+    }
+
+    status = test_set_receiver_roc(packets, roc);
+    if (status) {
+        return status;
+    }
+
+    status = test_set_receiver_roc(packets + 1, roc);
+    if (status) {
+        return status;
+    }
+
+    status = test_set_receiver_roc(packets + 60000, roc);
+    if (status) {
+        return status;
+    }
+
+    /* Second test should rollover */
+    packets = 65535;
+    roc = 0;
+
+    status = test_set_receiver_roc(packets - 1, roc);
+    if (status) {
+        return status;
+    }
+
+    status = test_set_receiver_roc(packets, roc);
+    if (status) {
+        return status;
+    }
+
+    /* Now the rollover counter should be 1 */
+    roc = 1;
+    status = test_set_receiver_roc(packets + 1, roc);
+    if (status) {
+        return status;
+    }
+
+    status = test_set_receiver_roc(packets + 60000, roc);
+    if (status) {
+        return status;
+    }
+
+    return srtp_err_status_ok;
+}
+
+srtp_err_status_t srtp_test_set_sender_roc()
+{
+    uint32_t roc;
+    uint16_t seq;
+    srtp_err_status_t status;
+
+    seq = 43210;
+    roc = 0;
+    status = test_set_sender_roc(seq, roc);
+    if (status) {
+        return status;
+    }
+
+    roc = 65535;
+    status = test_set_sender_roc(seq, roc);
+    if (status) {
+        return status;
+    }
+
+    roc = 0xffff;
+    status = test_set_sender_roc(seq, roc);
+    if (status) {
+        return status;
+    }
+
+    roc = 0xffff00;
+    status = test_set_sender_roc(seq, roc);
+    if (status) {
+        return status;
+    }
+
+    roc = 0xfffffff0;
+    status = test_set_sender_roc(seq, roc);
+    if (status) {
+        return status;
+    }
+
+    return srtp_err_status_ok;
+}
+
+/*
+ * srtp policy definitions - these definitions are used above
+ */
+
+// clang-format off
+unsigned char test_key[46] = {
+    0xe1, 0xf9, 0x7a, 0x0d, 0x3e, 0x01, 0x8b, 0xe0,
+    0xd6, 0x4f, 0xa3, 0x2c, 0x06, 0xde, 0x41, 0x39,
+    0x0e, 0xc6, 0x75, 0xad, 0x49, 0x8a, 0xfe, 0xeb,
+    0xb6, 0x96, 0x0b, 0x3a, 0xab, 0xe6, 0xc1, 0x73,
+    0xc3, 0x17, 0xf2, 0xda, 0xbe, 0x35, 0x77, 0x93,
+    0xb6, 0x96, 0x0b, 0x3a, 0xab, 0xe6
+};
+
+unsigned char test_key_2[46] = {
+    0xf0, 0xf0, 0x49, 0x14, 0xb5, 0x13, 0xf2, 0x76,
+    0x3a, 0x1b, 0x1f, 0xa1, 0x30, 0xf1, 0x0e, 0x29,
+    0x98, 0xf6, 0xf6, 0xe4, 0x3e, 0x43, 0x09, 0xd1,
+    0xe6, 0x22, 0xa0, 0xe3, 0x32, 0xb9, 0xf1, 0xb6,
+    0xc3, 0x17, 0xf2, 0xda, 0xbe, 0x35, 0x77, 0x93,
+    0xb6, 0x96, 0x0b, 0x3a, 0xab, 0xe6
+};
+
+unsigned char test_mki_id[TEST_MKI_ID_SIZE] = {
+    0xe1, 0xf9, 0x7a, 0x0d
+};
+
+unsigned char test_mki_id_2[TEST_MKI_ID_SIZE] = {
+    0xf3, 0xa1, 0x46, 0x71
+};
+// clang-format on
+
+const srtp_policy_t default_policy = {
+    { ssrc_any_outbound, 0 }, /* SSRC */
+    {
+        /* SRTP policy */
+        SRTP_AES_ICM_128,               /* cipher type                 */
+        SRTP_AES_ICM_128_KEY_LEN_WSALT, /* cipher key length in octets */
+        SRTP_HMAC_SHA1,                 /* authentication func type    */
+        16,                             /* auth key length in octets   */
+        10,                             /* auth tag length in octets   */
+        sec_serv_conf_and_auth          /* security services flag      */
+    },
+    {
+        /* SRTCP policy */
+        SRTP_AES_ICM_128,               /* cipher type                 */
+        SRTP_AES_ICM_128_KEY_LEN_WSALT, /* cipher key length in octets */
+        SRTP_HMAC_SHA1,                 /* authentication func type    */
+        16,                             /* auth key length in octets   */
+        10,                             /* auth tag length in octets   */
+        sec_serv_conf_and_auth          /* security services flag      */
+    },
+    NULL,
+    (srtp_master_key_t **)test_keys,
+    2,    /* indicates the number of Master keys          */
+    NULL, /* indicates that EKT is not in use             */
+    128,  /* replay window size                           */
+    0,    /* retransmission not allowed                   */
+    NULL, /* no encrypted extension headers               */
+    0,    /* list of encrypted extension headers is empty */
+    NULL
+};
+
+const srtp_policy_t aes_only_policy = {
+    { ssrc_any_outbound, 0 }, /* SSRC                        */
+    {
+        SRTP_AES_ICM_128,               /* cipher type                 */
+        SRTP_AES_ICM_128_KEY_LEN_WSALT, /* cipher key length in octets */
+        SRTP_NULL_AUTH,                 /* authentication func type    */
+        0,                              /* auth key length in octets   */
+        0,                              /* auth tag length in octets   */
+        sec_serv_conf                   /* security services flag      */
+    },
+    {
+        SRTP_AES_ICM_128,               /* cipher type                 */
+        SRTP_AES_ICM_128_KEY_LEN_WSALT, /* cipher key length in octets */
+        SRTP_NULL_AUTH,                 /* authentication func type    */
+        0,                              /* auth key length in octets   */
+        0,                              /* auth tag length in octets   */
+        sec_serv_conf                   /* security services flag      */
+    },
+    NULL,
+    (srtp_master_key_t **)test_keys,
+    2,    /* indicates the number of Master keys          */
+    NULL, /* indicates that EKT is not in use             */
+    128,  /* replay window size                           */
+    0,    /* retransmission not allowed                   */
+    NULL, /* no encrypted extension headers               */
+    0,    /* list of encrypted extension headers is empty */
+    NULL
+};
+
+const srtp_policy_t hmac_only_policy = {
+    { ssrc_any_outbound, 0 }, /* SSRC */
+    {
+        SRTP_NULL_CIPHER, /* cipher type                 */
+        0,                /* cipher key length in octets */
+        SRTP_HMAC_SHA1,   /* authentication func type    */
+        20,               /* auth key length in octets   */
+        4,                /* auth tag length in octets   */
+        sec_serv_auth     /* security services flag      */
+    },
+    {
+        SRTP_NULL_CIPHER, /* cipher type                 */
+        0,                /* cipher key length in octets */
+        SRTP_HMAC_SHA1,   /* authentication func type    */
+        20,               /* auth key length in octets   */
+        4,                /* auth tag length in octets   */
+        sec_serv_auth     /* security services flag      */
+    },
+    NULL,
+    (srtp_master_key_t **)test_keys,
+    2,    /* Number of Master keys associated with the policy */
+    NULL, /* indicates that EKT is not in use                 */
+    128,  /* replay window size                               */
+    0,    /* retransmission not allowed                       */
+    NULL, /* no encrypted extension headers                   */
+    0,    /* list of encrypted extension headers is empty     */
+    NULL
+};
+
+#ifdef GCM
+const srtp_policy_t aes128_gcm_8_policy = {
+    { ssrc_any_outbound, 0 }, /* SSRC */
+    {
+        /* SRTP policy */
+        SRTP_AES_GCM_128,               /* cipher type                 */
+        SRTP_AES_GCM_128_KEY_LEN_WSALT, /* cipher key length in octets */
+        SRTP_NULL_AUTH,                 /* authentication func type    */
+        0,                              /* auth key length in octets   */
+        8,                              /* auth tag length in octets   */
+        sec_serv_conf_and_auth          /* security services flag      */
+    },
+    {
+        /* SRTCP policy */
+        SRTP_AES_GCM_128,               /* cipher type                 */
+        SRTP_AES_GCM_128_KEY_LEN_WSALT, /* cipher key length in octets */
+        SRTP_NULL_AUTH,                 /* authentication func type    */
+        0,                              /* auth key length in octets   */
+        8,                              /* auth tag length in octets   */
+        sec_serv_conf_and_auth          /* security services flag      */
+    },
+    NULL,
+    (srtp_master_key_t **)test_keys,
+    2,    /* indicates the number of Master keys          */
+    NULL, /* indicates that EKT is not in use             */
+    128,  /* replay window size                           */
+    0,    /* retransmission not allowed                   */
+    NULL, /* no encrypted extension headers               */
+    0,    /* list of encrypted extension headers is empty */
+    NULL
+};
+
+const srtp_policy_t aes128_gcm_8_cauth_policy = {
+    { ssrc_any_outbound, 0 }, /* SSRC */
+    {
+        /* SRTP policy */
+        SRTP_AES_GCM_128,               /* cipher type                 */
+        SRTP_AES_GCM_128_KEY_LEN_WSALT, /* cipher key length in octets */
+        SRTP_NULL_AUTH,                 /* authentication func type    */
+        0,                              /* auth key length in octets   */
+        8,                              /* auth tag length in octets   */
+        sec_serv_conf_and_auth          /* security services flag      */
+    },
+    {
+        /* SRTCP policy */
+        SRTP_AES_GCM_128,               /* cipher type                 */
+        SRTP_AES_GCM_128_KEY_LEN_WSALT, /* cipher key length in octets */
+        SRTP_NULL_AUTH,                 /* authentication func type    */
+        0,                              /* auth key length in octets   */
+        8,                              /* auth tag length in octets   */
+        sec_serv_auth                   /* security services flag      */
+    },
+    NULL,
+    (srtp_master_key_t **)test_keys,
+    2,    /* indicates the number of Master keys          */
+    NULL, /* indicates that EKT is not in use             */
+    128,  /* replay window size                           */
+    0,    /* retransmission not allowed                   */
+    NULL, /* no encrypted extension headers               */
+    0,    /* list of encrypted extension headers is empty */
+    NULL
+};
+
+const srtp_policy_t aes256_gcm_8_policy = {
+    { ssrc_any_outbound, 0 }, /* SSRC */
+    {
+        /* SRTP policy */
+        SRTP_AES_GCM_256,               /* cipher type                 */
+        SRTP_AES_GCM_256_KEY_LEN_WSALT, /* cipher key length in octets */
+        SRTP_NULL_AUTH,                 /* authentication func type    */
+        0,                              /* auth key length in octets   */
+        8,                              /* auth tag length in octets   */
+        sec_serv_conf_and_auth          /* security services flag      */
+    },
+    {
+        /* SRTCP policy */
+        SRTP_AES_GCM_256,               /* cipher type                 */
+        SRTP_AES_GCM_256_KEY_LEN_WSALT, /* cipher key length in octets */
+        SRTP_NULL_AUTH,                 /* authentication func type    */
+        0,                              /* auth key length in octets   */
+        8,                              /* auth tag length in octets   */
+        sec_serv_conf_and_auth          /* security services flag      */
+    },
+    NULL,
+    (srtp_master_key_t **)test_keys,
+    2,    /* indicates the number of Master keys          */
+    NULL, /* indicates that EKT is not in use             */
+    128,  /* replay window size                           */
+    0,    /* retransmission not allowed                   */
+    NULL, /* no encrypted extension headers               */
+    0,    /* list of encrypted extension headers is empty */
+    NULL
+};
+
+const srtp_policy_t aes256_gcm_8_cauth_policy = {
+    { ssrc_any_outbound, 0 }, /* SSRC */
+    {
+        /* SRTP policy */
+        SRTP_AES_GCM_256,               /* cipher type                 */
+        SRTP_AES_GCM_256_KEY_LEN_WSALT, /* cipher key length in octets */
+        SRTP_NULL_AUTH,                 /* authentication func type    */
+        0,                              /* auth key length in octets   */
+        8,                              /* auth tag length in octets   */
+        sec_serv_conf_and_auth          /* security services flag      */
+    },
+    {
+        /* SRTCP policy */
+        SRTP_AES_GCM_256,               /* cipher type                 */
+        SRTP_AES_GCM_256_KEY_LEN_WSALT, /* cipher key length in octets */
+        SRTP_NULL_AUTH,                 /* authentication func type    */
+        0,                              /* auth key length in octets   */
+        8,                              /* auth tag length in octets   */
+        sec_serv_auth                   /* security services flag      */
+    },
+    NULL,
+    (srtp_master_key_t **)test_keys,
+    2,    /* indicates the number of Master keys          */
+    NULL, /* indicates that EKT is not in use             */
+    128,  /* replay window size                           */
+    0,    /* retransmission not allowed                   */
+    NULL, /* no encrypted extension headers               */
+    0,    /* list of encrypted extension headers is empty */
+    NULL
+};
+#endif
+
+const srtp_policy_t null_policy = {
+    { ssrc_any_outbound, 0 }, /* SSRC */
+    {
+        SRTP_NULL_CIPHER, /* cipher type                 */
+        0,                /* cipher key length in octets */
+        SRTP_NULL_AUTH,   /* authentication func type    */
+        0,                /* auth key length in octets   */
+        0,                /* auth tag length in octets   */
+        sec_serv_none     /* security services flag      */
+    },
+    {
+        SRTP_NULL_CIPHER, /* cipher type                 */
+        0,                /* cipher key length in octets */
+        SRTP_NULL_AUTH,   /* authentication func type    */
+        0,                /* auth key length in octets   */
+        0,                /* auth tag length in octets   */
+        sec_serv_none     /* security services flag      */
+    },
+    NULL,
+    (srtp_master_key_t **)test_keys,
+    2,    /* indicates the number of Master keys          */
+    NULL, /* indicates that EKT is not in use             */
+    128,  /* replay window size                           */
+    0,    /* retransmission not allowed                   */
+    NULL, /* no encrypted extension headers               */
+    0,    /* list of encrypted extension headers is empty */
+    NULL
+};
+
+// clang-format off
+unsigned char test_256_key[46] = {
+    0xf0, 0xf0, 0x49, 0x14, 0xb5, 0x13, 0xf2, 0x76,
+    0x3a, 0x1b, 0x1f, 0xa1, 0x30, 0xf1, 0x0e, 0x29,
+    0x98, 0xf6, 0xf6, 0xe4, 0x3e, 0x43, 0x09, 0xd1,
+    0xe6, 0x22, 0xa0, 0xe3, 0x32, 0xb9, 0xf1, 0xb6,
+
+    0x3b, 0x04, 0x80, 0x3d, 0xe5, 0x1e, 0xe7, 0xc9,
+    0x64, 0x23, 0xab, 0x5b, 0x78, 0xd2
+};
+
+unsigned char test_256_key_2[46] = {
+    0xe1, 0xf9, 0x7a, 0x0d, 0x3e, 0x01, 0x8b, 0xe0,
+    0xd6, 0x4f, 0xa3, 0x2c, 0x06, 0xde, 0x41, 0x39,
+    0x0e, 0xc6, 0x75, 0xad, 0x49, 0x8a, 0xfe, 0xeb,
+    0xb6, 0x96, 0x0b, 0x3a, 0xab, 0xe6, 0xc1, 0x73,
+    0x3b, 0x04, 0x80, 0x3d, 0xe5, 0x1e, 0xe7, 0xc9,
+    0x64, 0x23, 0xab, 0x5b, 0x78, 0xd2
+};
+
+srtp_master_key_t master_256_key_1 = {
+    test_256_key,
+    test_mki_id,
+    TEST_MKI_ID_SIZE
+};
+
+srtp_master_key_t master_256_key_2 = {
+    test_256_key_2,
+    test_mki_id_2,
+    TEST_MKI_ID_SIZE
+};
+
+srtp_master_key_t *test_256_keys[2] = {
+    &master_key_1,
+    &master_key_2
+};
+// clang-format on
+
+const srtp_policy_t aes_256_hmac_policy = {
+    { ssrc_any_outbound, 0 }, /* SSRC */
+    {
+        /* SRTP policy */
+        SRTP_AES_ICM_256,               /* cipher type                 */
+        SRTP_AES_ICM_256_KEY_LEN_WSALT, /* cipher key length in octets */
+        SRTP_HMAC_SHA1,                 /* authentication func type    */
+        20,                             /* auth key length in octets   */
+        10,                             /* auth tag length in octets   */
+        sec_serv_conf_and_auth          /* security services flag      */
+    },
+    {
+        /* SRTCP policy */
+        SRTP_AES_ICM_256,               /* cipher type                 */
+        SRTP_AES_ICM_256_KEY_LEN_WSALT, /* cipher key length in octets */
+        SRTP_HMAC_SHA1,                 /* authentication func type    */
+        20,                             /* auth key length in octets   */
+        10,                             /* auth tag length in octets   */
+        sec_serv_conf_and_auth          /* security services flag      */
+    },
+    NULL,
+    (srtp_master_key_t **)test_256_keys,
+    2,    /* indicates the number of Master keys          */
+    NULL, /* indicates that EKT is not in use             */
+    128,  /* replay window size                           */
+    0,    /* retransmission not allowed                   */
+    NULL, /* no encrypted extension headers               */
+    0,    /* list of encrypted extension headers is empty */
+    NULL
+};
+
+// clang-format off
+uint8_t ekt_test_key[16] = {
+    0x77, 0x26, 0x9d, 0xac, 0x16, 0xa3, 0x28, 0xca,
+    0x8e, 0xc9, 0x68, 0x4b, 0xcc, 0xc4, 0xd2, 0x1b
+};
+// clang-format on
+
+#include "ekt.h"
+
+// clang-format off
+srtp_ekt_policy_ctx_t ekt_test_policy = {
+    0xa5a5,                     /* SPI */
+    SRTP_EKT_CIPHER_AES_128_ECB,
+    ekt_test_key,
+    NULL
+};
+// clang-format on
+
+const srtp_policy_t hmac_only_with_ekt_policy = {
+    { ssrc_any_outbound, 0 }, /* SSRC */
+    {
+        SRTP_NULL_CIPHER, /* cipher type                 */
+        0,                /* cipher key length in octets */
+        SRTP_HMAC_SHA1,   /* authentication func type    */
+        20,               /* auth key length in octets   */
+        4,                /* auth tag length in octets   */
+        sec_serv_auth     /* security services flag      */
+    },
+    {
+        SRTP_NULL_CIPHER, /* cipher type                 */
+        0,                /* cipher key length in octets */
+        SRTP_HMAC_SHA1,   /* authentication func type    */
+        20,               /* auth key length in octets   */
+        4,                /* auth tag length in octets   */
+        sec_serv_auth     /* security services flag      */
+    },
+    NULL,
+    (srtp_master_key_t **)test_keys,
+    2,                /* indicates the number of Master keys          */
+    &ekt_test_policy, /* indicates that EKT is not in use             */
+    128,              /* replay window size                           */
+    0,                /* retransmission not allowed                   */
+    NULL,             /* no encrypted extension headers               */
+    0,                /* list of encrypted extension headers is empty */
+    NULL
+};
+
+/*
+ * an array of pointers to the policies listed above
+ *
+ * This array is used to test various aspects of libSRTP for
+ * different cryptographic policies.  The order of the elements
+ * matters - the timing test generates output that can be used
+ * in a plot (see the gnuplot script file 'timing').  If you
+ * add to this list, you should do it at the end.
+ */
+
+// clang-format off
+const srtp_policy_t *policy_array[] = {
+    &hmac_only_policy,
+    &aes_only_policy,
+    &default_policy,
+#ifdef GCM
+    &aes128_gcm_8_policy,
+    &aes128_gcm_8_cauth_policy,
+    &aes256_gcm_8_policy,
+    &aes256_gcm_8_cauth_policy,
+#endif
+    &null_policy,
+    &aes_256_hmac_policy,
+    &hmac_only_with_ekt_policy,
+    NULL
+};
+// clang-format on
+
+const srtp_policy_t wildcard_policy = {
+    { ssrc_any_outbound, 0 }, /* SSRC */
+    {
+        /* SRTP policy */
+        SRTP_AES_ICM_128,               /* cipher type                 */
+        SRTP_AES_ICM_128_KEY_LEN_WSALT, /* cipher key length in octets */
+        SRTP_HMAC_SHA1,                 /* authentication func type    */
+        16,                             /* auth key length in octets   */
+        10,                             /* auth tag length in octets   */
+        sec_serv_conf_and_auth          /* security services flag      */
+    },
+    {
+        /* SRTCP policy */
+        SRTP_AES_ICM_128,               /* cipher type                 */
+        SRTP_AES_ICM_128_KEY_LEN_WSALT, /* cipher key length in octets */
+        SRTP_HMAC_SHA1,                 /* authentication func type    */
+        16,                             /* auth key length in octets   */
+        10,                             /* auth tag length in octets   */
+        sec_serv_conf_and_auth          /* security services flag      */
+    },
+    test_key,
+    NULL,
+    0,
+    NULL,
+    128,  /* replay window size                           */
+    0,    /* retransmission not allowed                   */
+    NULL, /* no encrypted extension headers               */
+    0,    /* list of encrypted extension headers is empty */
+    NULL
+};
diff --git a/netwerk/srtp/src/test/test_srtp.c b/netwerk/srtp/src/test/test_srtp.c
new file mode 100644
index 0000000000..cdc9b5d5b7
--- /dev/null
+++ b/netwerk/srtp/src/test/test_srtp.c
@@ -0,0 +1,185 @@
+/*
+ * test_srtp.c
+ *
+ * Unit tests for internal srtp functions
+ *
+ * Cisco Systems, Inc.
+ *
+ */
+
+/*
+ *
+ * Copyright (c) 2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+/*
+ * Test specific.
+ */
+#include "cutest.h"
+
+/*
+ * libSRTP specific.
+ */
+#include "../srtp/srtp.c" // Get access to static functions
+
+/*
+ * Standard library.
+ */
+
+/*
+ * Forward declarations for all tests.
+ */
+
+void srtp_calc_aead_iv_srtcp_all_zero_input_yield_zero_output(void);
+void srtp_calc_aead_iv_srtcp_seq_num_over_0x7FFFFFFF_bad_param(void);
+void srtp_calc_aead_iv_srtcp_distinct_iv_per_sequence_number(void);
+
+/*
+ * NULL terminated array of tests.
+ * The first item in the array is a char[] which give some information about
+ * what is being tested and is displayed to the user during runtime, the second
+ * item is the test function.
+ */
+
+TEST_LIST = { { "srtp_calc_aead_iv_srtcp_all_zero_input_yield_zero_output()",
+                srtp_calc_aead_iv_srtcp_all_zero_input_yield_zero_output },
+              { "srtp_calc_aead_iv_srtcp_seq_num_over_0x7FFFFFFF_bad_param()",
+                srtp_calc_aead_iv_srtcp_seq_num_over_0x7FFFFFFF_bad_param },
+              { "srtp_calc_aead_iv_srtcp_distinct_iv_per_sequence_number()",
+                srtp_calc_aead_iv_srtcp_distinct_iv_per_sequence_number },
+              { NULL } /* End of tests */ };
+
+/*
+ * Implementation.
+ */
+
+void srtp_calc_aead_iv_srtcp_all_zero_input_yield_zero_output()
+{
+    // Preconditions
+    srtp_session_keys_t session_keys;
+    v128_t init_vector;
+    srtcp_hdr_t header;
+    uint32_t sequence_num;
+
+    // Postconditions
+    srtp_err_status_t status;
+    const v128_t zero_vector;
+    memset((v128_t *)&zero_vector, 0, sizeof(v128_t));
+
+    // Given
+    memset(&session_keys, 0, sizeof(srtp_session_keys_t));
+    memset(&init_vector, 0, sizeof(v128_t));
+    memset(&header, 0, sizeof(srtcp_hdr_t));
+    sequence_num = 0x0UL;
+
+    // When
+    status = srtp_calc_aead_iv_srtcp(&session_keys, &init_vector, sequence_num,
+                                     &header);
+
+    // Then
+    TEST_CHECK(status == srtp_err_status_ok);
+    TEST_CHECK(memcmp(&zero_vector, &init_vector, sizeof(v128_t)) == 0);
+}
+
+void srtp_calc_aead_iv_srtcp_seq_num_over_0x7FFFFFFF_bad_param()
+{
+    // Preconditions
+    srtp_session_keys_t session_keys;
+    v128_t init_vector;
+    srtcp_hdr_t header;
+    uint32_t sequence_num;
+
+    // Postconditions
+    srtp_err_status_t status;
+
+    // Given
+    memset(&session_keys, 0, sizeof(srtp_session_keys_t));
+    memset(&init_vector, 0, sizeof(v128_t));
+    memset(&header, 0, sizeof(srtcp_hdr_t));
+    sequence_num = 0x7FFFFFFFUL + 0x1UL;
+
+    // When
+    status = srtp_calc_aead_iv_srtcp(&session_keys, &init_vector, sequence_num,
+                                     &header);
+
+    // Then
+    TEST_CHECK(status == srtp_err_status_bad_param);
+}
+
+/*
+ * Regression test for issue #256:
+ * Srtcp IV calculation incorrectly masks high bit of sequence number for
+ * little-endian platforms.
+ * Ensure that for each valid sequence number where the most significant bit is
+ * high that we get an expected and unique IV.
+ */
+void srtp_calc_aead_iv_srtcp_distinct_iv_per_sequence_number()
+{
+#define SAMPLE_COUNT (3)
+    // Preconditions
+    // Test each significant bit high in each full byte.
+    srtp_session_keys_t session_keys;
+    srtcp_hdr_t header;
+    v128_t output_iv[SAMPLE_COUNT];
+    memset(&output_iv, 0, SAMPLE_COUNT * sizeof(v128_t));
+    uint32_t sequence_num[SAMPLE_COUNT];
+    sequence_num[0] = 0xFF;
+    sequence_num[1] = 0xFF00;
+    sequence_num[2] = 0xFF0000;
+
+    // Postconditions
+    v128_t final_iv[SAMPLE_COUNT];
+    memset(&final_iv, 0, SAMPLE_COUNT * sizeof(v128_t));
+    final_iv[0].v8[11] = 0xFF;
+    final_iv[1].v8[10] = 0xFF;
+    final_iv[2].v8[9] = 0xFF;
+
+    // Given
+    memset(&session_keys, 0, sizeof(srtp_session_keys_t));
+    memset(&header, 0, sizeof(srtcp_hdr_t));
+
+    // When
+    size_t i = 0;
+    for (i = 0; i < SAMPLE_COUNT; i++) {
+        TEST_CHECK(srtp_calc_aead_iv_srtcp(&session_keys, &output_iv[i],
+                                           sequence_num[i],
+                                           &header) == srtp_err_status_ok);
+    }
+
+    // Then all IVs are as expected
+    for (i = 0; i < SAMPLE_COUNT; i++) {
+        TEST_CHECK(memcmp(&final_iv[i], &output_iv[i], sizeof(v128_t)) == 0);
+    }
+#undef SAMPLE_COUNT
+}
diff --git a/netwerk/srtp/src/test/util.c b/netwerk/srtp/src/test/util.c
new file mode 100644
index 0000000000..4465e90ccd
--- /dev/null
+++ b/netwerk/srtp/src/test/util.c
@@ -0,0 +1,211 @@
+/*
+ * util.c
+ *
+ * Utilities used by the test apps
+ *
+ * John A. Foley
+ * Cisco Systems, Inc.
+ */
+/*
+ *
+ * Copyright (c) 2014-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include "util.h"
+
+#include <string.h>
+#include <stdint.h>
+
+/* include space for null terminator */
+char bit_string[MAX_PRINT_STRING_LEN + 1];
+
+static inline int hex_char_to_nibble(uint8_t c)
+{
+    switch (c) {
+    case ('0'):
+        return 0x0;
+    case ('1'):
+        return 0x1;
+    case ('2'):
+        return 0x2;
+    case ('3'):
+        return 0x3;
+    case ('4'):
+        return 0x4;
+    case ('5'):
+        return 0x5;
+    case ('6'):
+        return 0x6;
+    case ('7'):
+        return 0x7;
+    case ('8'):
+        return 0x8;
+    case ('9'):
+        return 0x9;
+    case ('a'):
+        return 0xa;
+    case ('A'):
+        return 0xa;
+    case ('b'):
+        return 0xb;
+    case ('B'):
+        return 0xb;
+    case ('c'):
+        return 0xc;
+    case ('C'):
+        return 0xc;
+    case ('d'):
+        return 0xd;
+    case ('D'):
+        return 0xd;
+    case ('e'):
+        return 0xe;
+    case ('E'):
+        return 0xe;
+    case ('f'):
+        return 0xf;
+    case ('F'):
+        return 0xf;
+    default:
+        return -1; /* this flags an error */
+    }
+    /* NOTREACHED */
+    return -1; /* this keeps compilers from complaining */
+}
+
+uint8_t nibble_to_hex_char(uint8_t nibble)
+{
+    char buf[16] = { '0', '1', '2', '3', '4', '5', '6', '7',
+                     '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' };
+
+    return buf[nibble & 0xF];
+}
+
+/*
+ * hex_string_to_octet_string converts a hexadecimal string
+ * of length 2 * len to a raw octet string of length len
+ */
+int hex_string_to_octet_string(char *raw, char *hex, int len)
+{
+    uint8_t x;
+    int tmp;
+    int hex_len;
+
+    hex_len = 0;
+    while (hex_len < len) {
+        tmp = hex_char_to_nibble(hex[0]);
+        if (tmp == -1) {
+            return hex_len;
+        }
+        x = (tmp << 4);
+        hex_len++;
+        tmp = hex_char_to_nibble(hex[1]);
+        if (tmp == -1) {
+            return hex_len;
+        }
+        x |= (tmp & 0xff);
+        hex_len++;
+        *raw++ = x;
+        hex += 2;
+    }
+    return hex_len;
+}
+
+char *octet_string_hex_string(const void *s, int length)
+{
+    const uint8_t *str = (const uint8_t *)s;
+    int i;
+
+    /* double length, since one octet takes two hex characters */
+    length *= 2;
+
+    /* truncate string if it would be too long */
+    if (length > MAX_PRINT_STRING_LEN) {
+        length = MAX_PRINT_STRING_LEN;
+    }
+
+    for (i = 0; i < length; i += 2) {
+        bit_string[i] = nibble_to_hex_char(*str >> 4);
+        bit_string[i + 1] = nibble_to_hex_char(*str++ & 0xF);
+    }
+    bit_string[i] = 0; /* null terminate string */
+    return bit_string;
+}
+
+static const char b64chars[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+                               "abcdefghijklmnopqrstuvwxyz0123456789+/";
+
+static int base64_block_to_octet_triple(char *out, char *in)
+{
+    unsigned char sextets[4] = { 0 };
+    int j = 0;
+    int i;
+
+    for (i = 0; i < 4; i++) {
+        char *p = strchr(b64chars, in[i]);
+        if (p != NULL) {
+            sextets[i] = p - b64chars;
+        } else {
+            j++;
+        }
+    }
+
+    out[0] = (sextets[0] << 2) | (sextets[1] >> 4);
+    if (j < 2) {
+        out[1] = (sextets[1] << 4) | (sextets[2] >> 2);
+    }
+    if (j < 1) {
+        out[2] = (sextets[2] << 6) | sextets[3];
+    }
+    return j;
+}
+
+int base64_string_to_octet_string(char *out, int *pad, char *in, int len)
+{
+    int k = 0;
+    int i = 0;
+    int j = 0;
+
+    if (len % 4 != 0) {
+        return 0;
+    }
+
+    while (i < len && j == 0) {
+        j = base64_block_to_octet_triple(out + k, in + i);
+        k += 3;
+        i += 4;
+    }
+    *pad = j;
+    return i;
+}
diff --git a/netwerk/srtp/src/test/util.h b/netwerk/srtp/src/test/util.h
new file mode 100644
index 0000000000..d04b279b3a
--- /dev/null
+++ b/netwerk/srtp/src/test/util.h
@@ -0,0 +1,53 @@
+/*
+ * util.h
+ *
+ * Utilities used by the test apps
+ *
+ * John A. Foley
+ * Cisco Systems, Inc.
+ */
+/*
+ *
+ * Copyright (c) 2014-2017, Cisco Systems, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ *   Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials provided
+ *   with the distribution.
+ *
+ *   Neither the name of the Cisco Systems, Inc. nor the names of its
+ *   contributors may be used to endorse or promote products derived
+ *   from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+#ifndef SRTP_TEST_UTIL_H
+#define SRTP_TEST_UTIL_H
+
+#define MAX_PRINT_STRING_LEN 1024
+
+int hex_string_to_octet_string(char *raw, char *hex, int len);
+char *octet_string_hex_string(const void *s, int length);
+int base64_string_to_octet_string(char *raw, int *pad, char *base64, int len);
+
+#endif
diff --git a/netwerk/srtp/src/test/words.txt b/netwerk/srtp/src/test/words.txt
new file mode 100644
index 0000000000..fe99c2d465
--- /dev/null
+++ b/netwerk/srtp/src/test/words.txt
@@ -0,0 +1,250 @@
+abducing
+acidheads
+acidness
+actons
+admixtures
+affidavit
+agelastic
+alated
+alimentary
+alleviated
+allseed
+annexure
+arragonite
+atonements
+autacoid
+axe
+axon
+ayres
+beathing
+blazonry
+bottom
+braising
+brehon
+brindisi
+broadcasts
+buds
+bulnbulns
+bushcraft
+calamander
+calipee
+casing
+caveat
+chaffings
+citifies
+clappers
+claques
+clavate
+colonial
+colonials
+commonalty
+compares
+consequent
+consumed
+contango
+courtierly
+creamery
+cruddiest
+cue
+cultish
+cumin
+cyclus
+dahlias
+dentitions
+derailers
+devitrify
+dibs
+diphysite
+disjunes
+drolleries
+dubitated
+dupion
+earliness
+eductor
+elenctic
+empresses
+entames
+epaulettes
+epicanthic
+epochal
+estated
+eurhythmic
+exfoliated
+extremity
+fayence
+figgery
+flaming
+foes
+forelays
+forewings
+forfeits
+fratches
+gardened
+gentile
+glumpish
+glyph
+goatherd
+grow
+gulden
+gumming
+hackling
+hanapers
+hared
+hatters
+hectare
+hedger
+heel
+heterodox
+hidden
+histologic
+howe
+inglobe
+inliers
+inuredness
+iotacism
+japed
+jelled
+jiffy
+jollies
+judgeship
+karite
+kart
+kenophobia
+kittens
+lactarian
+lancets
+leasable
+leep
+leming
+licorice
+listing
+lividly
+lobectomy
+lysosome
+madders
+maderizing
+manacle
+mangels
+marshiest
+maulstick
+meliorates
+mercy
+mikados
+monarchise
+moultings
+mucro
+munnions
+mystic
+myxoedemic
+nointing
+nong
+nonsense
+ochidore
+octuor
+officering
+opaqued
+oragious
+outtell
+oxeye
+pads
+palamae
+pansophy
+parazoa
+pepsines
+perimetric
+pheasant
+phonotypy
+pitarah
+plaintful
+poinders
+poke
+politer
+poonces
+populism
+pouty
+praedial
+presence
+prompter
+pummelled
+punishing
+quippish
+radicality
+radiuses
+rebuffing
+recorded
+redips
+regulators
+replay
+retrocedes
+rigors
+risen
+rootstocks
+rotenone
+rudenesses
+ruggedest
+runabout
+ruthfully
+sagacious
+scapes
+sclera
+sclerotium
+scumbering
+secondi
+serial
+shampoo
+showed
+sights
+sirenised
+sized
+slave
+socle
+solidness
+some
+spetches
+spiels
+squiring
+staminode
+stay
+stewpot
+stunsails
+subhumid
+subprogram
+supawn
+surplusage
+swimming
+swineherd
+tabun
+talliths
+taroks
+tensed
+thinnings
+three
+tipper
+toko
+tomahawks
+tombolos
+torpefy
+torulae
+touns
+travails
+tsarist
+unbeseems
+unblamably
+unbooked
+unnailed
+updates
+valorise
+viability
+virtue
+vulturns
+vulvate
+warran
+weakness
+westernise
+whingeings
+wrenching
+written
+yak
+yate
+yaupon
+zendiks
diff --git a/netwerk/srtp/srtp_update.log b/netwerk/srtp/srtp_update.log
new file mode 100644
index 0000000000..3ebbbfcbe1
--- /dev/null
+++ b/netwerk/srtp/srtp_update.log
@@ -0,0 +1,3 @@
+srtp updated from CVS on Fri Sep 21 14:51:37 EDT 2012
+srtp updated to revision 8f38517394a45678cd4468febf69f75722f35d00 from git on Wed Nov 22 14:15:32 PST 2017
+srtp updated to revision bb0412ee84ebe3d2916b45b19de72fabb183d9db from git on Tue Sep 11 21:51:05 PDT 2018
diff --git a/netwerk/srtp/update_srtp.sh b/netwerk/srtp/update_srtp.sh
new file mode 100644
index 0000000000..61fa7c4518
--- /dev/null
+++ b/netwerk/srtp/update_srtp.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# assume $1 is the directory with a git checkout of the libsrtp source
+#
+# srtp source is available at: https://github.com/cisco/libsrtp/
+#
+# also assumes we've made *NO* changes to the SRTP sources!  If we do, we have to merge by
+# hand after this process, or use a more complex one.
+#
+# For example, one could update an srtp library import head, and merge back to default.  Or keep a
+# separate repo with this in it, and pull from there to m-c and merge.
+if [ "$1" ] ; then
+  DATE=`date`
+  REVISION=`(cd $1; git log --pretty=oneline | head -1 | cut -c 1-40)`
+  cp -rf $1/srtp $1/crypto $1/include $1/test $1/LICENSE $1/README.md netwerk/srtp/src
+
+  hg addremove netwerk/srtp/src --include "netwerk/srtp/src/VERSION" --include "netwerk/srtp/src/LICENSE" --include "netwerk/srtp/src/README.md" --include "**.c" --include "**.h" --similarity 90
+
+  echo "srtp updated to revision $REVISION from git on $DATE" >> netwerk/srtp/srtp_update.log
+  echo "srtp updated to revision $REVISION from git on $DATE"
+  echo "WARNING: reapply any local patches!"
+else
+  echo "usage: $0 path_to_srtp_directory"
+  echo "run from the root of your m-c clone"
+fi
author	Daniel Baumann <daniel.baumann@progress-linux.org>	2024-04-28 14:29:10 +0000
committer	Daniel Baumann <daniel.baumann@progress-linux.org>	2024-04-28 14:29:10 +0000
commit	2aa4a82499d4becd2284cdb482213d541b8804dd (patch)
tree	b80bf8bf13c3766139fbacc530efd0dd9d54394c /netwerk/srtp
parent	Initial commit. (diff)
download	firefox-2aa4a82499d4becd2284cdb482213d541b8804dd.tar.xz firefox-2aa4a82499d4becd2284cdb482213d541b8804dd.zip