From 377b692ff57a1799261aceb55f55bec4b9c815f6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miko=C5=82aj=20Ma=C5=82ecki?= Date: Wed, 9 Dec 2020 09:59:56 +0100 Subject: [PATCH 1/3] [docs] Fixed wrong description concerning passphrase --- docs/APISocketOptions.md | 16 ++++++++++------ srtcore/srt.h | 4 ++-- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/docs/APISocketOptions.md b/docs/APISocketOptions.md index 82da159cf..d1a6c88a8 100644 --- a/docs/APISocketOptions.md +++ b/docs/APISocketOptions.md 
@@ -867,20 +867,24 @@ For details, see [Packet Filtering & FEC](packet-filtering-and-fec.md). | `SRTO_PASSPHRASE` | 0.0.0 | pre | `string` | | "" |[10..79]| W | GSD | Sets the passphrase for encryption. This enables encryption on this party (or -disables it, if an empty passphrase is passed). +disables it, if an empty passphrase is passed). The password must be minimum +10 and maximum 79 characters long. If an empty password is specified (default), +the encryption is disabled. The passphrase is the shared secret between the sender and the receiver. It is used to generate the Key Encrypting Key using [PBKDF2](http://en.wikipedia.org/wiki/PBKDF2) -(Password-Based Key Derivation Function 2). It is used on the receiver only if -the received data is encrypted. +(Password-Based Key Derivation Function 2). + +When a socket with configured passphrase is being connected, the peer must +have the same password set, or otherwise the connection is rejected. This +behavior can be changed by [`SRTO_ENFORCEDENCRYPTION`](#SRTO_ENFORCEDENCRYPTION). Note that since the introduction of bidirectional support, there's only one initial SEK to encrypt the stream (new keys after refreshing will be updated independently), and there's no distinction between "service party that defines the password" and "client party that is required to set matching password" - both parties are equivalent, and in order to have a working encrypted connection, they -have to simply set the same passphrase. Otherwise the connection is rejected by -default (see also [`SRTO_ENFORCEDENCRYPTION`](#SRTO_ENFORCEDENCRYPTION)). +have to simply set the same passphrase. [Return to list](#list-of-options) 
@@ -911,7 +915,7 @@ For File mode: Default value is 0 and it's recommended not to be changed. | -------------------- | ----- | ------- | ---------- | ------- | -------- | ------ | --- | ------ | | `SRTO_PBKEYLEN` | 0.0.0 | pre | `int32_t` | bytes | 0 | * | RW | GSD | -Sender encryption key length. +Encryption key length. Possible values: diff --git a/srtcore/srt.h b/srtcore/srt.h index f3a5becdc..f0a8b233a 100644 --- a/srtcore/srt.h +++ b/srtcore/srt.h @@ -206,8 +206,8 @@ typedef enum SRT_SOCKOPT { SRTO_LATENCY = 23, // NOT RECOMMENDED. SET: to both SRTO_RCVLATENCY and SRTO_PEERLATENCY. GET: same as SRTO_RCVLATENCY. SRTO_INPUTBW = 24, // Estimated input stream rate. SRTO_OHEADBW, // MaxBW ceiling based on % over input stream rate. Applies when UDT_MAXBW=0 (auto). - SRTO_PASSPHRASE = 26, // Crypto PBKDF2 Passphrase size[0,10..64] 0:disable crypto - SRTO_PBKEYLEN, // Crypto key len in bytes {16,24,32} Default: 16 (128-bit) + SRTO_PASSPHRASE = 26, // Crypto PBKDF2 Passphrase (must be 10..79 characters, or empty to disable encryption) + SRTO_PBKEYLEN, // Crypto key len in bytes {16,24,32} Default: 16 (AES-128) SRTO_KMSTATE, // Key Material exchange status (UDT_SRTKmState) SRTO_IPTTL = 29, // IP Time To Live (passthru for system sockopt IPPROTO_IP/IP_TTL) SRTO_IPTOS, // IP Type of Service (passthru for system sockopt IPPROTO_IP/IP_TOS) From 03609096d4bdb5b892671cdd563a787cf820de4e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miko=C5=82aj=20Ma=C5=82ecki?= Date: Wed, 9 Dec 2020 16:16:30 +0100 Subject: [PATCH 2/3] Removed SEK from description --- docs/APISocketOptions.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/APISocketOptions.md b/docs/APISocketOptions.md index d1a6c88a8..602a302f3 100644 --- a/docs/APISocketOptions.md +++ b/docs/APISocketOptions.md 
@@ -880,11 +880,11 @@ have the same password set, or otherwise the connection is rejected. This behavior can be changed by [`SRTO_ENFORCEDENCRYPTION`](#SRTO_ENFORCEDENCRYPTION). Note that since the introduction of bidirectional support, there's only one -initial SEK to encrypt the stream (new keys after refreshing will be updated -independently), and there's no distinction between "service party that defines -the password" and "client party that is required to set matching password" - both -parties are equivalent, and in order to have a working encrypted connection, they -have to simply set the same passphrase. +initial encryption key to encrypt the stream (new keys after refreshing will be +updated independently), and there's no distinction between "service party that +defines the password" and "client party that is required to set matching +password" - both parties are equivalent, and in order to have a working +encrypted connection, they have to simply set the same passphrase. [Return to list](#list-of-options) From 63580ead9cee8ee7665f11382d6f31500f120315 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Miko=C5=82aj=20Ma=C5=82ecki?= Date: Wed, 9 Dec 2020 16:27:09 +0100 Subject: [PATCH 3/3] Post-review fixes --- docs/APISocketOptions.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/docs/APISocketOptions.md b/docs/APISocketOptions.md index 602a302f3..5e7313526 100644 --- a/docs/APISocketOptions.md +++ b/docs/APISocketOptions.md 
@@ -868,16 +868,15 @@ For details, see [Packet Filtering & FEC](packet-filtering-and-fec.md). Sets the passphrase for encryption. This enables encryption on this party (or disables it, if an empty passphrase is passed). The password must be minimum -10 and maximum 79 characters long. If an empty password is specified (default), -the encryption is disabled. +10 and maximum 79 characters long. The passphrase is the shared secret between the sender and the receiver. It is used to generate the Key Encrypting Key using [PBKDF2](http://en.wikipedia.org/wiki/PBKDF2) (Password-Based Key Derivation Function 2). When a socket with configured passphrase is being connected, the peer must -have the same password set, or otherwise the connection is rejected. This -behavior can be changed by [`SRTO_ENFORCEDENCRYPTION`](#SRTO_ENFORCEDENCRYPTION). +have the same password set, or the connection is rejected. This behavior can be +changed by [`SRTO_ENFORCEDENCRYPTION`](#SRTO_ENFORCEDENCRYPTION). Note that since the introduction of bidirectional support, there's only one initial encryption key to encrypt the stream (new keys after refreshing will be
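Review bot: in PATCH 1/3, the docs/APISocketOptions.md hunk at -867, the added sentence "This behavior can be changed by SRTO_ENFORCEDENCRYPTION" does not say what happens to the connection once that option is changed. For a security option, add a clause stating the outcome for peers whose passphrases do not match, so a reader can tell without following the link whether the stream can end up unprotected.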
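Review bot: in PATCH 1/3, the srtcore/srt.h hunk at -206, the updated SRTO_PBKEYLEN comment says "Default: 16 (AES-128)" while the SRTO_PBKEYLEN table row in docs/APISocketOptions.md, shown as context in the same patch, lists the default as 0. Either align the two or add a few words to one of them explaining how a value of 0 relates to the 16-byte default, otherwise the header and the documentation read as contradicting each other.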
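Review bot: in PATCH 2/3, the hunk at -880, replacing "SEK" with "initial encryption key" removes the only specific name for that key and does not say how it relates to the "Key Encrypting Key" that the same section says is generated from the passphrase. Suggest either keeping the abbreviation and expanding it on first use, or adding a short phrase that tells the reader this is the key protecting the stream and not the key derived from the passphrase.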
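Review bot: in PATCH 3/3, the hunk at -868, the retained sentence "The password must be minimum 10 and maximum 79 characters long" still says "password" where the option name and the neighbouring sentences say "passphrase", and it gives the limit in "characters" without saying whether that means bytes. Suggest "The passphrase must be 10 to 79 characters long" plus a note on how the length is counted, since that matters for non-ASCII passphrases; the same wording fix applies to "the peer must have the same password set".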