feat(libsrtp): add component (libsrtp v2.8.0 + ESP-IDF mbedTLS port)

.github/workflows/libsrtp__build.yml

@@ -0,0 +1,58 @@
+name: "libsrtp: build-tests"
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    types: [opened, synchronize, reopened, labeled]
+
+jobs:
+  build_libsrtp:
+    if: contains(github.event.pull_request.labels.*.name, 'libsrtp') || github.event_name == 'push'
+    name: libsrtp build
+    strategy:
+      fail-fast: false
+      matrix:
+        idf_ver: ["release-v5.4", "release-v5.5"]
+        app:
+          - { name: "get_started",  path: "components/libsrtp/examples/get_started" }
+          - { name: "test_apps",    path: "components/libsrtp/test_apps" }
+    runs-on: ubuntu-22.04
+    container: espressif/idf:${{ matrix.idf_ver }}
+    steps:
+      - name: Checkout esp-protocols
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+      - name: Build ${{ matrix.app.name }} with IDF-${{ matrix.idf_ver }}
+        shell: bash
+        run: |
+          . ${IDF_PATH}/export.sh
+          python -m pip install idf-build-apps
+          python ./ci/build_apps.py -c ${{ matrix.app.path }} -m components/libsrtp/.build-test-rules.yml
+
+  host_test_libsrtp:
+    if: contains(github.event.pull_request.labels.*.name, 'libsrtp') || github.event_name == 'push'
+    name: libsrtp host test
+    strategy:
+      fail-fast: false
+      matrix:
+        idf_ver: ["release-v5.4", "release-v5.5"]
+    runs-on: ubuntu-22.04
+    container: espressif/idf:${{ matrix.idf_ver }}
+    steps:
+      - name: Checkout esp-protocols
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+      - name: Build + run host_test with IDF-${{ matrix.idf_ver }}
+        shell: bash
+        run: |
+          . ${IDF_PATH}/export.sh
+          python -m pip install idf-build-apps
+          python ./ci/build_apps.py -c components/libsrtp/host_test -m components/libsrtp/.build-test-rules.yml
+          cd components/libsrtp/host_test
+          for dir in $(ls -d build_linux_* 2>/dev/null); do
+            "./$dir/host_test_libsrtp.elf"
+          done

.gitmodules

@@ -7,3 +7,6 @@
 [submodule "components/libwebsockets/libwebsockets"]
 	path = components/libwebsockets/libwebsockets
 	url = https://github.com/warmcat/libwebsockets.git
+[submodule "components/libsrtp/libsrtp"]
+	path = components/libsrtp/libsrtp
+	url = https://github.com/cisco/libsrtp.git

ci/check_copyright_ignore.txt

@@ -1 +1,2 @@
 components/mosquitto/examples/serverless_mqtt/components/libjuice/port/juice_random.c
+components/libsrtp/port/crypto_kernel.c

components/libsrtp/.build-test-rules.yml

@@ -0,0 +1,42 @@
+# SPDX-FileCopyrightText: 2026 Espressif Systems (Shanghai) CO LTD
+# SPDX-License-Identifier: Apache-2.0
+#
+# libsrtp requires ESP-IDF 5.4+ (idf_component.yml `idf: ">=5.4"`). The
+# disable rules below skip the build on older IDF releases so the repo-wide
+# CI matrix (v5.1 / v5.2 / v5.3 / v5.4 / v5.5 / latest) doesn't try them.
+#
+# IDF v6+ is also disabled for now: libsrtp 2.x's mbedTLS adapters
+# (aes_gcm_mbedtls.c, aes_icm_mbedtls.c, hmac_mbedtls.c) include the
+# classic <mbedtls/aes.h> / <mbedtls/gcm.h> headers which moved under the
+# TF-PSA-Crypto split in mbedTLS 4.x (shipped by IDF v6+). Re-enable once
+# libsrtp adapts or we ship a port-side compatibility shim.
+
+components/libsrtp/examples/get_started:
+  enable:
+    - if: IDF_TARGET in ["esp32", "esp32c3", "esp32s3", "esp32c5", "esp32c6", "esp32p4"]
+      reason: "Build sanity on representative Xtensa + RISC-V targets."
+  disable:
+    - if: IDF_VERSION_MAJOR <= 5 and IDF_VERSION_MINOR < 4
+      reason: "libsrtp requires ESP-IDF 5.4+."
+    - if: IDF_VERSION_MAJOR >= 6
+      reason: "libsrtp 2.x mbedTLS adapters not yet ported to mbedTLS 4.x (TF-PSA-Crypto split)."
+
+components/libsrtp/test_apps:
+  enable:
+    - if: IDF_TARGET in ["esp32", "esp32c3"]
+      reason: "Sufficient to exercise one Xtensa and one RISC-V target."
+  disable:
+    - if: IDF_VERSION_MAJOR <= 5 and IDF_VERSION_MINOR < 4
+      reason: "libsrtp requires ESP-IDF 5.4+."
+    - if: IDF_VERSION_MAJOR >= 6
+      reason: "libsrtp 2.x mbedTLS adapters not yet ported to mbedTLS 4.x (TF-PSA-Crypto split)."
+
+components/libsrtp/host_test:
+  enable:
+    - if: IDF_TARGET == "linux"
+      reason: "Linux host build runs the SRTP roundtrip smoke test."
+  disable:
+    - if: IDF_VERSION_MAJOR <= 5 and IDF_VERSION_MINOR < 4
+      reason: "libsrtp requires ESP-IDF 5.4+."
+    - if: IDF_VERSION_MAJOR >= 6
+      reason: "libsrtp 2.x mbedTLS adapters not yet ported to mbedTLS 4.x (TF-PSA-Crypto split)."

components/libsrtp/.cz.yaml

@@ -0,0 +1,8 @@
+---
+commitizen:
+  bump_message: 'bump(libsrtp): $current_version -> $new_version'
+  pre_bump_hooks: python ../../ci/changelog.py libsrtp
+  tag_format: libsrtp-v$version
+  version: 2.8.0
+  version_files:
+    - idf_component.yml

components/libsrtp/CMakeLists.txt

@@ -0,0 +1,79 @@
+# SPDX-FileCopyrightText: 2024-2026 Espressif Systems (Shanghai) CO LTD
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set(SRTP_ROOT "${CMAKE_CURRENT_SOURCE_DIR}/libsrtp")
+
+# Vendored port-side source — replaces the upstream crypto/kernel/crypto_kernel.c
+# (which we exclude from SRCS below). The only delta vs upstream is opting out
+# of the AES-ICM-192 cipher registration when GCM is enabled, to save binary
+# size — AES-CM-128 + AES-GCM cover all WebRTC SRTP suites in use.
+#
+# Bundled into port/ rather than applied as a `git apply` patch at configure
+# time, so the wrapper works cleanly when installed via the IDF Component
+# Registry (the registry tarball has no .git dir for `git apply` to operate
+# on). Re-port from upstream when bumping the libsrtp submodule.
+set(SRTP_PORT_DIR "${CMAKE_CURRENT_SOURCE_DIR}/port")
+
+idf_component_register(
+    SRCS "${SRTP_ROOT}/srtp/srtp.c"
+        "${SRTP_ROOT}/crypto/cipher/aes_gcm_mbedtls.c"
+        "${SRTP_ROOT}/crypto/cipher/aes_icm_mbedtls.c"
+        "${SRTP_ROOT}/crypto/cipher/aes_icm.c"
+        "${SRTP_ROOT}/crypto/cipher/aes.c"
+        "${SRTP_ROOT}/crypto/cipher/cipher.c"
+        "${SRTP_ROOT}/crypto/cipher/cipher_test_cases.c"
+        "${SRTP_ROOT}/crypto/cipher/null_cipher.c"
+        "${SRTP_ROOT}/crypto/hash/auth.c"
+        "${SRTP_ROOT}/crypto/hash/hmac.c"
+        "${SRTP_ROOT}/crypto/hash/hmac_mbedtls.c"
+        "${SRTP_ROOT}/crypto/hash/auth_test_cases.c"
+        "${SRTP_ROOT}/crypto/hash/null_auth.c"
+        "${SRTP_ROOT}/crypto/hash/sha1.c"
+        "${SRTP_PORT_DIR}/crypto_kernel.c"     # replaces ${SRTP_ROOT}/crypto/kernel/crypto_kernel.c
+        "${SRTP_ROOT}/crypto/kernel/alloc.c"
+        "${SRTP_ROOT}/crypto/kernel/err.c"
+        "${SRTP_ROOT}/crypto/kernel/key.c"
+        "${SRTP_ROOT}/crypto/math/datatypes.c"
+        "${SRTP_ROOT}/crypto/replay/rdb.c"
+        "${SRTP_ROOT}/crypto/replay/rdbx.c"
+
+    PRIV_INCLUDE_DIRS
+        "${SRTP_ROOT}/crypto/include"
+        "${CMAKE_CURRENT_SOURCE_DIR}/port"
+    INCLUDE_DIRS
+        "${SRTP_ROOT}/include"                  # upstream API headers (srtp.h, ekt.h, ...)
+        "${CMAKE_CURRENT_SOURCE_DIR}/include"   # srtp2/ namespace shim so consumers can still <srtp2/srtp.h>
+
+    REQUIRES "mbedtls"
+)
+
+# Fully suppress (not just downgrade) warnings from third-party libsrtp
+# sources. The repo-wide CI pipeline runs idf-build-apps with strict
+# warning checking, so -Wno-error=* alone (which keeps the warning
+# printed) trips the matrix on otherwise-valid builds. We can't fix the
+# warnings upstream, so silence them here. Apple clang on IDF's Linux
+# target does not recognise -Wno-conflicting-types, so probe first.
+include(CheckCCompilerFlag)
+check_c_compiler_flag("-Wno-conflicting-types" SRTP2_HAS_NO_CONFLICTING_TYPES)
+
+target_compile_options(${COMPONENT_LIB} PRIVATE
+    -Wno-format
+    -Wno-unused-function
+    -Wno-unused-variable
+    -Wno-unused-but-set-variable
+    -Wno-sign-compare
+    -Wno-type-limits
+    -Wno-pointer-sign
+    -Wno-implicit-function-declaration
+    -Wno-strict-prototypes
+    -Wno-old-style-definition
+    -Wno-incompatible-pointer-types
+)
+if(SRTP2_HAS_NO_CONFLICTING_TYPES)
+    target_compile_options(${COMPONENT_LIB} PRIVATE -Wno-conflicting-types)
+endif()
+
+target_compile_definitions(${COMPONENT_LIB} PUBLIC
+    -DHAVE_CONFIG_H
+)

components/libsrtp/Kconfig

@@ -0,0 +1,14 @@
+menu "libsrtp (libsrtp)"
+
+    # The ESP-IDF port wires libsrtp's crypto exclusively through mbedTLS
+    # (AES-CM, AES-GCM, HMAC-SHA1). No Kconfig knob — the alternative
+    # backends (OpenSSL, NSS, WolfSSL) aren't built in this component.
+
+    config SRTP2_LOG_RTP_TRACE
+        bool "Enable verbose RTP trace logging"
+        default n
+        help
+            Enables libsrtp's internal debug-trace logging at runtime
+            (extra binary size; meant only for development).
+
+endmenu