pion
diff --git a/‎bundlepolicy.go‎
Lines changed: 1 addition & 0 deletions b/‎bundlepolicy.go‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎configuration.go‎
Lines changed: 4 additions & 0 deletions b/‎configuration.go‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎configuration_js.go‎
Lines changed: 4 additions & 0 deletions b/‎configuration_js.go‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎dtlstransport.go‎
Lines changed: 19 additions & 1 deletion b/‎dtlstransport.go‎
Lines changed: 19 additions & 1 deletion
diff --git a/‎errors.go‎
Lines changed: 8 additions & 0 deletions b/‎errors.go‎
Lines changed: 8 additions & 0 deletions
@@ -1,6 +1,7 @@
 // SPDX-FileCopyrightText: 2026 The Pion community <https://pion.ly>
 // SPDX-License-Identifier: MIT
 
+// nolint:dupl,staticcheck
 package webrtc
 
 import (
 
@@ -56,4 +56,8 @@ type Configuration struct {
 	// AlwaysNegotiateDataChannels specifies whether the application prefers
 	// to always negotiate data channels in the initial SDP offer.
 	AlwaysNegotiateDataChannels bool `json:"alwaysNegotiateDataChannels,omitempty"`
+
+	// RTPHeaderEncryptionPolicy affects whether RTP header extension encryption
+	// (RFC 9335 Cryptex) is negotiated.
+	RTPHeaderEncryptionPolicy RTPHeaderEncryptionPolicy `json:"rtpHeaderEncryptionPolicy,omitempty"`
 }
@@ -41,5 +41,9 @@ type Configuration struct {
 	// to always negotiate data channels in the initial SDP offer.
 	AlwaysNegotiateDataChannels bool
 
+	// RTPHeaderEncryptionPolicy affects whether RTP header extension encryption
+	// (RFC 9335 Cryptex) is negotiated.
+	RTPHeaderEncryptionPolicy RTPHeaderEncryptionPolicy
+
 	Certificates []Certificate `json:"certificates,omitempty"`
 }
@@ -43,6 +43,7 @@ type DTLSTransport struct {
 	remoteCertificate     []byte
 	state                 DTLSTransportState
 	srtpProtectionProfile srtp.ProtectionProfile
+	cryptexMode           srtp.CryptexMode
 
 	onStateChangeHandler   func(DTLSTransportState)
 	internalOnCloseHandler func()
@@ -192,12 +193,20 @@ func (t *DTLSTransport) GetRemoteCertificate() []byte {
 	return t.remoteCertificate
 }
 
-func (t *DTLSTransport) startSRTP() error {
+// startSRTP requires the caller holds the lock.
+func (t *DTLSTransport) startSRTP() error { //nolint:cyclop
 	srtpConfig := &srtp.Config{
 		Profile:       t.srtpProtectionProfile,
 		BufferFactory: t.api.settingEngine.BufferFactory,
 		LoggerFactory: t.api.settingEngine.LoggerFactory,
 	}
+
+	if t.cryptexMode == srtp.CryptexModeEnabled || t.cryptexMode == srtp.CryptexModeRequired {
+		opt := srtp.Cryptex(t.cryptexMode)
+		srtpConfig.LocalOptions = append(srtpConfig.LocalOptions, opt)
+		srtpConfig.RemoteOptions = append(srtpConfig.RemoteOptions, opt)
+	}
+
 	if t.api.settingEngine.replayProtection.SRTP != nil {
 		srtpConfig.RemoteOptions = append(
 			srtpConfig.RemoteOptions,
@@ -567,3 +576,12 @@ func (t *DTLSTransport) streamsForSSRC(
 		rtcpInterceptor: rtcpInterceptor,
 	}, nil
 }
+
+// rtpHeaderEncryptionNegotiated reports if RFC 9335 RTP Header Extension Encryption ("Cryptex")
+// has been negotiated and is enabled for this transceiver.
+func (t *DTLSTransport) rtpHeaderEncryptionNegotiated() bool {
+	t.lock.RLock()
+	defer t.lock.RUnlock()
+
+	return t.cryptexMode == srtp.CryptexModeEnabled || t.cryptexMode == srtp.CryptexModeRequired
+}
@@ -53,6 +53,10 @@ var (
 	// RTCPMuxPolicy was made after PeerConnection has been initialized.
 	ErrModifyingRTCPMuxPolicy = errors.New("rtcp mux policy cannot be modified")
 
+	// errModifyingRTPHeaderEncryptionPolicy indicates that an attempt to modify
+	// RTPHeaderEncryptionPolicy was made after PeerConnection has been initialized.
+	errModifyingRTPHeaderEncryptionPolicy = errors.New("rtp header encryption policy cannot be modified")
+
 	// ErrModifyingICECandidatePoolSize indicates that an attempt to modify
 	// ICECandidatePoolSize was made after PeerConnection has been initialized.
 	ErrModifyingICECandidatePoolSize = errors.New("ice candidate pool size cannot be modified")
@@ -135,6 +139,10 @@ var (
 	// ErrNoSRTPProtectionProfile indicates that the DTLS handshake completed and no SRTP Protection Profile was chosen.
 	ErrNoSRTPProtectionProfile = errors.New("DTLS Handshake completed and no SRTP Protection Profile was chosen")
 
+	// ErrRTPHeaderEncryptionRequired indicates that the local endpoint requires
+	// RFC 9335 Cryptex negotiation, but the remote SDP did not negotiate it.
+	ErrRTPHeaderEncryptionRequired = errors.New("rtp header extension encryption required")
+
 	// ErrFailedToGenerateCertificateFingerprint indicates that we failed to generate the fingerprint
 	// used for comparing certificates.
 	ErrFailedToGenerateCertificateFingerprint = errors.New("failed to generate certificate fingerprint")
Original file line number	Diff line number	Diff line change
`@@ -56,4 +56,8 @@ type Configuration struct {`
`56`	`56`	`// AlwaysNegotiateDataChannels specifies whether the application prefers`
`57`	`57`	`// to always negotiate data channels in the initial SDP offer.`
`58`	`58`	AlwaysNegotiateDataChannels bool `json:"alwaysNegotiateDataChannels,omitempty"`
	`59`	`+`
	`60`	`+ // RTPHeaderEncryptionPolicy affects whether RTP header extension encryption`
	`61`	`+ // (RFC 9335 Cryptex) is negotiated.`
	`62`	+ RTPHeaderEncryptionPolicy RTPHeaderEncryptionPolicy `json:"rtpHeaderEncryptionPolicy,omitempty"`
`59`	`63`	`}`
Original file line number	Diff line number	Diff line change
`@@ -41,5 +41,9 @@ type Configuration struct {`
`41`	`41`	`// to always negotiate data channels in the initial SDP offer.`
`42`	`42`	`AlwaysNegotiateDataChannels bool`
`43`	`43`
	`44`	`+ // RTPHeaderEncryptionPolicy affects whether RTP header extension encryption`
	`45`	`+ // (RFC 9335 Cryptex) is negotiated.`
	`46`	`+ RTPHeaderEncryptionPolicy RTPHeaderEncryptionPolicy`
	`47`	`+`
`44`	`48`	Certificates []Certificate `json:"certificates,omitempty"`
`45`	`49`	`}`