[docs] Fixed wrong description concerning passphrase (#1701)

Haivision · Dec 14, 2020 · 6f953e3 · 6f953e3
1 parent fd82e83
commit 6f953e3
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 12 deletions.
diff --git a/docs/APISocketOptions.md b/docs/APISocketOptions.md
@@ -867,20 +867,23 @@ For details, see [Packet Filtering & FEC](packet-filtering-and-fec.md).
 | `SRTO_PASSPHRASE`    | 0.0.0 | pre     | `string`   |         | ""       |[10..79]| W   | GSD    |
 
 Sets the passphrase for encryption. This enables encryption on this party (or
-disables it, if an empty passphrase is passed).
+disables it, if an empty passphrase is passed). The password must be minimum
+10 and maximum 79 characters long.
 
 The passphrase is the shared secret between the sender and the receiver. It is
 used to generate the Key Encrypting Key using [PBKDF2](http://en.wikipedia.org/wiki/PBKDF2)
-(Password-Based Key Derivation Function 2). It is used on the receiver only if
-the received data is encrypted.
+(Password-Based Key Derivation Function 2).
+
+When a socket with configured passphrase is being connected, the peer must
+have the same password set, or the connection is rejected. This behavior can be
+changed by [`SRTO_ENFORCEDENCRYPTION`](#SRTO_ENFORCEDENCRYPTION).
 
 Note that since the introduction of bidirectional support, there's only one
-initial SEK to encrypt the stream (new keys after refreshing will be updated
-independently), and there's no distinction between "service party that defines
-the password" and "client party that is required to set matching password" - both
-parties are equivalent, and in order to have a working encrypted connection, they
-have to simply set the same passphrase. Otherwise the connection is rejected by
-default (see also [`SRTO_ENFORCEDENCRYPTION`](#SRTO_ENFORCEDENCRYPTION)).
+initial encryption key to encrypt the stream (new keys after refreshing will be
+updated independently), and there's no distinction between "service party that
+defines the password" and "client party that is required to set matching
+password" - both parties are equivalent, and in order to have a working
+encrypted connection, they have to simply set the same passphrase.
 
 [Return to list](#list-of-options)
 
@@ -911,7 +914,7 @@ For File mode: Default value is 0 and it's recommended not to be changed.
 | -------------------- | ----- | ------- | ---------- | ------- | -------- | ------ | --- | ------ |
 | `SRTO_PBKEYLEN`      | 0.0.0 | pre     | `int32_t`  | bytes   | 0        | *      | RW  | GSD    |
 
-Sender encryption key length.
+Encryption key length.
 
 Possible values:
 

diff --git a/srtcore/srt.h b/srtcore/srt.h
@@ -206,8 +206,8 @@ typedef enum SRT_SOCKOPT {
    SRTO_LATENCY = 23,        // NOT RECOMMENDED. SET: to both SRTO_RCVLATENCY and SRTO_PEERLATENCY. GET: same as SRTO_RCVLATENCY.
    SRTO_INPUTBW = 24,        // Estimated input stream rate.
    SRTO_OHEADBW,             // MaxBW ceiling based on % over input stream rate. Applies when UDT_MAXBW=0 (auto).
-   SRTO_PASSPHRASE = 26,     // Crypto PBKDF2 Passphrase size[0,10..64] 0:disable crypto
-   SRTO_PBKEYLEN,            // Crypto key len in bytes {16,24,32} Default: 16 (128-bit)
+   SRTO_PASSPHRASE = 26,     // Crypto PBKDF2 Passphrase (must be 10..79 characters, or empty to disable encryption)
+   SRTO_PBKEYLEN,            // Crypto key len in bytes {16,24,32} Default: 16 (AES-128)
    SRTO_KMSTATE,             // Key Material exchange status (UDT_SRTKmState)
    SRTO_IPTTL = 29,          // IP Time To Live (passthru for system sockopt IPPROTO_IP/IP_TTL)
    SRTO_IPTOS,               // IP Type of Service (passthru for system sockopt IPPROTO_IP/IP_TOS)