
feat(libsrtp): add component (libsrtp v2.8.0 + ESP-IDF mbedTLS port)#1060

Open
vikramdattu wants to merge 3 commits into espressif:master from vikramdattu:feat/libsrtp/add-component

Conversation

@vikramdattu

@vikramdattu vikramdattu commented May 25, 2026

Contributor

Summary

Adds libsrtp — an ESP-IDF wrapper around cisco/libsrtp pinned at the current upstream release tag v2.8.0 (commit 24b3bf8). Crypto routes through ESP-IDF's mbedTLS, so AES protect/unprotect goes through the chip's on-chip AES peripheral by default (CONFIG_MBEDTLS_HARDWARE_AES=y on esp32 / s2 / s3 / c3 / c5 / c6 / p4). Pairs with libwebsockets and (upcoming) usrsctp for the WebRTC transport stack.

Naming + versioning

Per discussion with @euripedesrocha and @suda-morris on the earlier (now-Draft) idf-extra-components#753: the component is named libsrtp (singular, no 2 suffix), aligned with cisco's project name on cisco/libsrtp. Version tracks whichever 2.x release is current upstream — v2.8.0 today. When cisco cuts the 3.0 release we bump the component to follow it; consumers handle the API change as a major-version event.

The IDF version constraint (>=5.4,<6) reflects that libsrtp v2.x's mbedTLS adapters predate the mbedTLS 4 / TF-PSA-Crypto split shipped by IDF v6+; the bound bumps when the component tracks a libsrtp release that speaks mbedTLS 4 (tracking cisco/libsrtp#812 for upstream's position).

Layout

components/libsrtp/
├── CMakeLists.txt        # idf_component_register + warning suppress
├── Kconfig               # log-level toggle
├── idf_component.yml     # registry manifest
├── sbom_libsrtp.yml      # SBOM for the wrapped upstream
├── port/
│   ├── config.h          # libsrtp build-time config tailored for IDF
│   └── crypto_kernel.c   # vendored upstream file with the AES-ICM-192-disable delta
├── examples/get_started/ # minimal init/shutdown sanity app
├── test_apps/            # embedded Unity smoke (esp32 + esp32c3)
├── host_test/            # IDF Linux-target AES-GCM-128 roundtrip (aborts on first failure)
└── libsrtp/              # cisco/libsrtp submodule @ 24b3bf8 (v2.8.0)

Crypto / supported SRTP profiles

  • AEAD: AEAD_AES_128_GCM, AEAD_AES_256_GCM
  • SRTP: AES_CM_128_HMAC_SHA1_80, AES_CM_128_HMAC_SHA1_32
  • Backend: mbedTLS (CONFIG_MBEDTLS_HARDWARE_AES-routed where the chip has the peripheral)

Port-side delta

One small ESP-IDF-specific delta lives in port/crypto_kernel.c — it replaces upstream's crypto/kernel/crypto_kernel.c (excluded from SRCS in CMakeLists.txt) to opt out of the AES-ICM-192 cipher registration when GCM is enabled. Pure binary-size optimisation. Re-port from upstream when bumping the submodule.

The file is vendored rather than applied as a patches/ + git apply step, so the component builds clean from the registry tarball (no .git dir at install time).

Local verification

  • examples/get_started/ on esp32: ✅ builds clean
  • test_apps/ on esp32 + esp32c3: ✅ builds clean
  • host_test/ on IDF Linux target: ✅ builds clean + binary prints libsrtp host_test: PASS
  • pre-commit (astyle, yaml lint, eof/whitespace, large-file, case-conflict): ✅ all pass

CI matrix below will exercise the same.

Prior review

This component went through a full review cycle on espressif/idf-extra-components#753 (now marked Draft). The feedback from @igrr, @suda-morris and the GitHub Copilot review bot is already baked into this PR. Summary of what's changed since 753's first iteration:

  • Component renamed libsrtp2 → libsrtp (suda-morris, igrr).
  • Component-local .github/workflows/{build,publish}.yml removed (mono-repo doesn't honour them).
  • patches/ dropped — port/crypto_kernel.c is vendored.
  • targets: list dropped from manifest (works on all targets the mbedTLS dep supports).
  • Tags trimmed; SBOM, NOTICE, CHANGELOG, port/config.h PACKAGE_VERSION all aligned to 2.8.0 / SHA 24b3bf8.
  • IDF version constraint tightened to >=5.4,<6 with a comment.
  • host_test exits non-zero on first libsrtp failure (no continue-on-error).
  • .cz.yaml added (commitizen + ci/changelog.py integration, per CONTRIBUTING.md).
  • pytest convention aligned with components/mosquitto/ style.
  • port/config.h CPU_CISC replaced with CPU_RISC gated on __XTENSA__ || __riscv.
  • Manifest URLs + READMEs all point at espressif/esp-protocols/components/libsrtp.

Out of scope (deliberate): no extra Kconfig toggles for alternative crypto backends (OpenSSL/NSS/WolfSSL) — the port wires mbedTLS only, matching esp_mqtt_cxx's minimal-knob approach.

License

Apache-2.0 AND BSD-3-Clause — port glue under components/libsrtp/ is Apache-2.0; the bundled cisco/libsrtp submodule remains under upstream's BSD-3-Clause.
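A pre-flight sizing check for the four profiles listed in the description, added here as an example; it is not code from this PR, from libsrtp, or from ESP-IDF. srtp_protect() works in place and appends an authentication tag whose size depends on the profile (RFC 3711: HMAC-SHA1 truncated to 80 or 32 bits; RFC 7714: a 128-bit GCM tag), so the caller's buffer must carry that slack, and a caller should also reject packets whose RTP header does not fit before handing them to srtp_unprotect(). The enum, the function names, and the RTP packet bytes below are assumptions constructed for this example, not libsrtp's own identifiers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Profiles the component enables (names follow the PR description; the enum
 * itself is a local assumption, not libsrtp's srtp_profile_t). */
typedef enum {
    PROFILE_AES_CM_128_HMAC_SHA1_80,
    PROFILE_AES_CM_128_HMAC_SHA1_32,
    PROFILE_AEAD_AES_128_GCM,
    PROFILE_AEAD_AES_256_GCM
} srtp_profile_id;

/* Bytes srtp_protect() appends to an RTP packet with MKI disabled:
 * RFC 3711 HMAC-SHA1 tags are truncated to 80 or 32 bits; RFC 7714 AES-GCM
 * always carries a 128-bit tag. The _32 variant authenticates with a far
 * shorter tag, which is why the _80 variant is the usual default. */
size_t srtp_trailer_len(srtp_profile_id p)
{
    switch (p) {
    case PROFILE_AES_CM_128_HMAC_SHA1_80: return 10;
    case PROFILE_AES_CM_128_HMAC_SHA1_32: return 4;
    case PROFILE_AEAD_AES_128_GCM:
    case PROFILE_AEAD_AES_256_GCM:        return 16;
    }
    return 16; /* unreachable for valid input; stay conservative */
}

/* Length of the RTP header (RFC 3550 section 5.1) including the CSRC list
 * and, when X=1, the RFC 8285 extension block. Returns 0 if the packet is
 * truncated or is not RTP version 2; drop such packets before unprotect. */
size_t rtp_header_len(const uint8_t *pkt, size_t len)
{
    if (len < 12 || (pkt[0] >> 6) != 2) {
        return 0;
    }
    size_t hdr = 12 + 4 * (size_t)(pkt[0] & 0x0f);   /* CC field */
    if (len < hdr) {
        return 0;
    }
    if (pkt[0] & 0x10) {                              /* X bit */
        if (len < hdr + 4) {
            return 0;
        }
        size_t ext_words = ((size_t)pkt[hdr + 2] << 8) | pkt[hdr + 3];
        hdr += 4 + 4 * ext_words;
        if (len < hdr) {
            return 0;
        }
    }
    return hdr;
}

/* 1 if a buffer of capacity cap holding a len-byte RTP packet has room for
 * in-place protection under profile p, else 0. */
int srtp_buffer_fits(size_t len, size_t cap, srtp_profile_id p)
{
    return len <= cap && cap - len >= srtp_trailer_len(p);
}

/* Constructed sample packet (not captured traffic): V=2, X=1, CC=0, PT=96,
 * seq 1, timestamp 1000, one 32-bit extension word, 5-byte payload. */
static const uint8_t SAMPLE_RTP[] = {
    0x90, 0x60, 0x00, 0x01,
    0x00, 0x00, 0x03, 0xe8,
    0xde, 0xad, 0xbe, 0xef,
    0xbe, 0xde, 0x00, 0x01,   /* one-byte-header extension, length 1 word */
    0x10, 0x41, 0x00, 0x00,
    'h', 'e', 'l', 'l', 'o'
};

int main(void)
{
    size_t len = sizeof SAMPLE_RTP;
    size_t hdr = rtp_header_len(SAMPLE_RTP, len);
    printf("header %zu bytes, payload %zu bytes\n", hdr, len - hdr);
    for (int p = PROFILE_AES_CM_128_HMAC_SHA1_80; p <= PROFILE_AEAD_AES_256_GCM; p++) {
        /* buffer sized for the largest trailer; every profile should fit */
        printf("profile %d: trailer %zu, fits in len+16: %d\n", p,
               srtp_trailer_len((srtp_profile_id)p),
               srtp_buffer_fits(len, len + 16, (srtp_profile_id)p));
    }
    return 0;
}
```

When sizing real buffers, libsrtp's srtp.h exposes SRTP_MAX_TRAILER_LEN as the conservative bound covering the largest tag plus MKI; the per-profile table above only shows why the slack is needed.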

Adds libsrtp — an ESP-IDF wrapper around cisco/libsrtp pinned at v2.8.0
(commit 24b3bf8). Crypto routes through ESP-IDF's mbedTLS, so AES
protect/unprotect goes through the chip's on-chip AES peripheral by
default (CONFIG_MBEDTLS_HARDWARE_AES=y on esp32 / s2 / s3 / c3 / c5 /
c6 / p4). Pairs with libwebsockets and (upcoming) usrsctp for the
WebRTC transport stack.

The wrapper bundles cisco/libsrtp as a git submodule and compiles its
sources directly into the IDF component archive — no internal libsrtp2.a
dance. One small port-side delta in port/crypto_kernel.c opts out of
the AES-ICM-192 cipher registration when GCM is enabled (saves binary
size; AES-CM-128 + AES-GCM cover all WebRTC SRTP suites in use).

Naming + version follow cisco's release line. Component is named
'libsrtp' (registry: espressif/libsrtp) tracking whichever 2.x release
is current upstream — v2.8.0 today. The IDF version constraint
(>=5.4,<6) reflects the fact that libsrtp v2.x's mbedTLS adapters
predate the mbedTLS 4 / TF-PSA-Crypto split shipped by IDF v6; bump
when the component tracks a release that speaks mbedTLS 4.

Supported SRTP profiles via the mbedTLS backend:
  AEAD: AEAD_AES_128_GCM, AEAD_AES_256_GCM
  SRTP: AES_CM_128_HMAC_SHA1_80, AES_CM_128_HMAC_SHA1_32

Tests included:
  test_apps/         — embedded Unity smoke (esp32 + esp32c3 via
                       .build-test-rules)
  host_test/         — IDF Linux-target binary, AES-GCM-128 protect/
                       unprotect roundtrip; aborts on the first libsrtp
                       failure with EXPECT() for boolean assertions
  examples/get_started/ — minimal init/shutdown sanity app

License: Apache-2.0 (port glue) AND BSD-3-Clause (bundled cisco/libsrtp).

(Previously prepared as espressif/idf-extra-components#753; relocated to
esp-protocols where it naturally sits alongside libwebsockets and the
other transport-stack components.)
@vikramdattu vikramdattu force-pushed the feat/libsrtp/add-component branch from 52b17f1 to 5186919 Compare May 25, 2026 09:40
@vikramdattu

Contributor Author

Quick CI note — the new .github/workflows/libsrtp__build.yml follows the project's label-gate convention (matches lws_build.yml, mosq__build.yml, etc.):

if: contains(github.event.pull_request.labels.*.name, 'libsrtp') || github.event_name == 'push'

So the build / host-test jobs won't kick in here until someone with write access adds the libsrtp label to this PR. @euripedesrocha @david-cermak — could one of you add it when you get a chance?

Locally verified (macOS arm64): examples/get_started builds clean for esp32, pre-commit hooks pass, host_test builds + the binary prints libsrtp host_test: PASS on the IDF Linux target.

@espressif-bot espressif-bot added the Status: Opened Issue is new label May 25, 2026
@vikramdattu

Contributor Author

@euripedesrocha @david-cermak — would appreciate a look when you have time. The PR is essentially the same component I'd prepped at espressif/idf-extra-components#753 (now Draft), with all the feedback from there already baked in + the conventions adapted to esp-protocols (.cz.yaml, paths under components/libsrtp/, build-test-rules relocated, etc.). CI gated on the libsrtp label — adding it would kick the build matrix.

@david-cermak david-cermak left a comment

Collaborator


Very nice and thorough work, yet with minimal port layer 👏

Left just a couple of nitpicks.
Another thing is the release process in esp-protocols: we require a specific "Bump commit" to run the release process in CI, I'll guide you through it when this is ready for merging.

Question: About the mbedtls-v4-shim for IDF v6.x: Do you maintain a component shim like that? FYI: I have my own (private) simplified layer: https://github.com/david-cermak/mbedtls_v3_shim

vikramdattu added a commit to vikramdattu/esp-protocols that referenced this pull request Jun 1, 2026
- config.h: drop three duplicate macro defines (HAVE_STDINT_H,
  HAVE_SYS_TYPES_H, ERR_REPORTING_STDOUT)
- crypto_kernel.c: gate AES-ICM-192 on SOC_AES_SUPPORT_AES_192 instead
  of unconditional #if 0; ESP32 (only SoC with hw AES-192) now enables
  the cipher, other SoCs continue to skip it since mbedtls_aes_setkey
  returns PLATFORM_FEATURE_UNSUPPORTED for 192-bit keys there
- examples/get_started/README.md: fix link, repo migrated from
  idf-extra-components to esp-protocols
- LICENSE: prepend dual-license header (Apache-2.0 wrapper +
  BSD-3-Clause bundled libsrtp), keep Apache full text below
@vikramdattu

Contributor Author

Question: About the mbedtls-v4-shim for IDF v6.x: Do you maintain a component shim like that? FYI: I have my own (private) simplified layer: https://github.com/david-cermak/mbedtls_v3_shim

@david-cermak that's a nice way to handle it. I have in mind to port srtp2 to work with mbedtls4 instead. Discussions this and this
I think your idea of using the shim to trick existing libs to use mbedtls4 is also great till it converges. I think, I will consider using similar strategy as a transition.

@david-cermak david-cermak left a comment

Collaborator


Thanks for the quick update! The PR LGTM from my side.

vikramdattu added a commit to vikramdattu/esp-protocols that referenced this pull request Jun 2, 2026
- config.h: drop three duplicate macro defines (HAVE_STDINT_H,
  HAVE_SYS_TYPES_H, ERR_REPORTING_STDOUT)
- crypto_kernel.c: gate AES-ICM-192 on SOC_AES_SUPPORT_AES_192 instead
  of unconditional #if 0; ESP32 (only SoC with hw AES-192) now enables
  the cipher, other SoCs continue to skip it since mbedtls_aes_setkey
  returns PLATFORM_FEATURE_UNSUPPORTED for 192-bit keys there
- examples/get_started/README.md: fix link, repo migrated from
  idf-extra-components to esp-protocols
- LICENSE: prepend dual-license header (Apache-2.0 wrapper +
  BSD-3-Clause bundled libsrtp), keep Apache full text below
@vikramdattu vikramdattu force-pushed the feat/libsrtp/add-component branch from 95b9aa0 to 2c23e7e Compare June 2, 2026 10:43
@vikramdattu vikramdattu force-pushed the feat/libsrtp/add-component branch from 2c23e7e to dfb498d Compare June 2, 2026 11:14
… commit)

Signed-off-by: Vikram Dattu <vikram.dattu@espressif.com>