feat(libsrtp2): add component (libsrtp 2.8.0 + ESP-IDF mbedTLS port) (IEC-542)#753
vikramdattu wants to merge 5 commits into
@euripedesrocha PTAL
| @@ -0,0 +1,58 @@ | |||
| version: "1.0.0" | |||
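Review bot: the manifest pins `version: "1.0.0"` while the component wraps one specific upstream libsrtp release, so a registry consumer reading 1.0.0 cannot tell which libsrtp they are getting. Consider setting this field to the upstream tag (2.8.0, as proposed in the thread) so the component version, CHANGELOG and submodule pin all agree.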
Can we still name the component "libsrtp," the same as the one used by the upstream?
WRT the version, I would prefer to follow the version used by the upstream, so maybe we can use v2.8.0?
Btw, PR description mentions libsrtp 2.6, but the most recent release is 2.8: https://github.com/cisco/libsrtp/releases/tag/v2.8.0
@igrr I will update to v2.8.0
My commit got pinned from the AWS project and didn't update.
@suda-morris Though the repo is named srtp all along, the library is actually srtp2.
For srtp3, there already is a version, espressif/esp_srtp, which is actually libsrtp3.
The API is different; we need both, separate. Since that library already uses the esp_libsrtp name and not libsrtp3/, I have added the same in the README description. Also, esp_srtp/ does mention in its readme that it is version 3.
v2.8.0 + the 2.6-in-description nit are addressed in 964fa68. On the naming itself — per discussion with @euripedesrocha we're moving the component to esp-protocols, where it'll be libsrtp tracking cisco's release line. Separate PR coming; I'll cross-link here when it's up.
| @@ -0,0 +1,58 @@ | |||
| version: "1.0.0" | |||
| description: "libsrtp 2.x (Cisco) wrapper for ESP-IDF — mbedTLS crypto backend, AES-GCM + AES-CM + HMAC-SHA1. SRTP/SRTCP packet protection for WebRTC and other RTP-based protocols." | |||
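Review bot: the `description:` line hard-codes "libsrtp 2.x" while `version:` two lines up says 1.0.0, so the two manifest fields disagree about which version a consumer is getting; if the component is to track cisco's release line rather than one major version, drop the "2.x" from the description and let `version:` carry the upstream release. The backend and profile summary (mbedTLS, AES-GCM + AES-CM + HMAC-SHA1, SRTP/SRTCP for WebRTC) is the part worth keeping.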
And I don't think it's necessary to limit this component to 2.x releases of libsrtp. When 3.0 comes out, we can support it as well.
Same argument as here.
The 3.x release is not out yet, but that is a different lib; the API is different and does not fully route via mbedtls.
Kind of like mbedtls 3 vs 4. So this should keep 2.x only IMO, while the other lib, esp_srtp/, can maintain v3.
Same direction — single libsrtp component on esp-protocols tracking cisco's official release line (v2.8.0 today, bumps to 3.0 when cisco tags it).
Adds the libsrtp2 wrapper component: cisco/libsrtp tracked at upstream release tag v2.8.0 (commit 24b3bf8) as a submodule, plus the ESP-IDF build glue. Component version matches upstream (2.8.0).

- mbedTLS crypto backend (AES-ICM, AES-GCM, HMAC-SHA1). IDF's mbedTLS routes AES through the on-chip AES peripheral when CONFIG_MBEDTLS_HARDWARE_AES is enabled (default), so SRTP protect/unprotect leverages hardware acceleration with no wrapper-side code.
- AEAD profiles: AEAD_AES_128_GCM, AEAD_AES_256_GCM
- SRTP profiles: AES_CM_128_HMAC_SHA1_80, AES_CM_128_HMAC_SHA1_32
- Tests: test_apps/ (embedded Unity smoke for esp32 + esp32c3) and host_test/ (IDF Linux-target AES-GCM-128 protect/unprotect roundtrip).

One small port-side delta lives in port/crypto_kernel.c — it replaces upstream's crypto/kernel/crypto_kernel.c (excluded from SRCS) and opts out of the AES-ICM-192 cipher registration when GCM is enabled, to save binary size. Bundled into port/ rather than applied via 'git apply' at configure time so the wrapper works cleanly when installed via the component registry (the registry tarball has no .git dir for git apply to operate on). Re-port from upstream when bumping the libsrtp submodule.

Disambiguates from the existing espressif/esp_libsrtp component, which is a pre-built closed-source libSRTP binary distributed via esp-adf-libs (Custom license). libsrtp2 is the open-source path — built from source as part of the consumer's project (Apache-2.0 port glue + BSD-3-Clause upstream).

- .idf_build_apps.toml: add libsrtp2/.build-test-rules.yml so build_apps picks up the new component.
- .github/workflows/upload_component.yml: add libsrtp2 to the 'components:' list so 'compote component upload' processes the tarball on push to master.
- .github/ISSUE_TEMPLATE/bug-report.yml: add libsrtp2 to the component dropdown.

All entries inserted alphabetically.
- CMakeLists.txt: switch -Wno-error=* to plain -Wno-* so libsrtp's -Wincompatible-pointer-types / -Wformat warnings are fully suppressed, not just downgraded. idf-build-apps in the repo CI treats any unsuppressed warning as a build failure.
- .build-test-rules.yml: disable on IDF v6+ for now. libsrtp 2.x's mbedTLS adapters (aes_gcm_mbedtls.c, aes_icm_mbedtls.c, hmac_mbedtls.c) include classic <mbedtls/aes.h> / <mbedtls/gcm.h> which moved under TF-PSA-Crypto in mbedTLS 4.x. Re-enable once libsrtp adapts upstream or we add a port-side header shim.
- port/crypto_kernel.c: reformat to idf-extra-components astyle rules + fix upstream 'authetication' typo flagged by codespell. The file was hand-vendored from upstream; this brings it in line with the repo's pre-commit hooks. Re-port from upstream when bumping the libsrtp submodule.
Sibling PR for the SCTP transport (paired use case for WebRTC data channels): #754 — currently in draft until libsrtp2 here lands.
Pull request overview
Adds a new libsrtp2 ESP-IDF component wrapping upstream Cisco libsrtp 2.x with an mbedTLS crypto backend, plus registry metadata, examples, CI/build registration, embedded smoke tests, and a Linux-host SRTP roundtrip test.
Changes:
- Introduces the libsrtp2 component build glue, config headers, namespace shim, metadata, license/SBOM files, and upstream submodule registration.
- Adds example, embedded Unity smoke test, and Linux host roundtrip test applications.
- Registers the component in repository-wide build/upload/issue-template configuration.
Reviewed changes
Copilot reviewed 37 out of 37 changed files in this pull request and generated 11 comments.
| File | Description |
|---|---|
| .github/ISSUE_TEMPLATE/bug-report.yml | Adds libsrtp2 to issue component choices. |
| .github/workflows/upload_component.yml | Adds libsrtp2 to upload list. |
| .gitmodules | Registers the libsrtp upstream submodule. |
| .idf_build_apps.toml | Registers libsrtp2 build-test manifest. |
| libsrtp2/.build-test-rules.yml | Defines CI build matrix and IDF version gates. |
| libsrtp2/.github/workflows/build.yml | Adds nested build workflow. |
| libsrtp2/.github/workflows/publish.yml | Adds nested publish workflow. |
| libsrtp2/CHANGELOG.md | Documents initial component release. |
| libsrtp2/CMakeLists.txt | Defines ESP-IDF component sources/includes/compile flags. |
| libsrtp2/Kconfig | Adds libsrtp2 configuration options. |
| libsrtp2/LICENSE | Adds Apache-2.0 license text for wrapper code. |
| libsrtp2/NOTICE | Adds third-party attribution metadata. |
| libsrtp2/README.md | Documents usage, features, tests, source, and license. |
| libsrtp2/examples/get_started/CMakeLists.txt | Adds example project definition. |
| libsrtp2/examples/get_started/README.md | Documents example usage. |
| libsrtp2/examples/get_started/main/CMakeLists.txt | Defines example main component. |
| libsrtp2/examples/get_started/main/idf_component.yml | Adds example dependency override. |
| libsrtp2/examples/get_started/main/main.c | Adds minimal init/shutdown example. |
| libsrtp2/host_test/CMakeLists.txt | Adds Linux host-test project definition. |
| libsrtp2/host_test/main/CMakeLists.txt | Defines host-test main component. |
| libsrtp2/host_test/main/host_test_main.c | Adds AES-GCM protect/unprotect smoke test. |
| libsrtp2/host_test/main/idf_component.yml | Adds host-test dependency override. |
| libsrtp2/host_test/pytest_libsrtp2_linux.py | Adds pytest runner for Linux host test. |
| libsrtp2/host_test/sdkconfig.defaults | Configures Linux host target defaults. |
| libsrtp2/idf_component.yml | Adds component registry manifest and SBOM references. |
| libsrtp2/include/srtp2/srtp.h | Adds public namespace shim header. |
| libsrtp2/port/config.h | Adds ESP-IDF libsrtp config header. |
| libsrtp2/port/crypto_kernel.c | Adds port-side crypto kernel replacement. |
| libsrtp2/sbom.yml | Adds wrapper SBOM metadata. |
| libsrtp2/sbom_libsrtp.yml | Adds upstream libsrtp SBOM metadata. |
| libsrtp2/test_apps/CMakeLists.txt | Adds embedded test project definition. |
| libsrtp2/test_apps/main/CMakeLists.txt | Defines embedded test main component. |
| libsrtp2/test_apps/main/idf_component.yml | Adds embedded test dependency override. |
| libsrtp2/test_apps/main/test_libsrtp2_main.c | Adds Unity smoke tests. |
| libsrtp2/test_apps/pytest_libsrtp2.py | Adds pytest runner for embedded smoke test. |
| libsrtp2/test_apps/sdkconfig.defaults | Adds embedded test sdkconfig defaults. |
- port/config.h: PACKAGE_VERSION 2.4.2 -> 2.8.0 (matches manifest +
CHANGELOG + SBOM + submodule pin).
- port/config.h: drop unconditional CPU_CISC. ESP-IDF embedded targets
are Xtensa / RISC-V; set CPU_RISC for those, leave unset for the IDF
Linux host (libsrtp's C fallback is correct there).
- examples/get_started: dependency namespace vikramdattu -> espressif
in both main/idf_component.yml and README (matches the published
registry namespace; override_path stays for local CI).
- NOTICE: submodule SHA 9fd71ba (post-v2.6) -> 24b3bf8 (release tag
v2.8.0). Now matches the rest of the component.
- Kconfig: drop the unwired SRTP2_CRYPTO_MBEDTLS toggle. The ESP-IDF
port only wires the mbedTLS backend; the option was misleading. Note
documented in the menu comment.
- host_test/main: switch CHECK() from continue-on-error to abort-on-
error, add an EXPECT() macro for boolean assertions. Continuing past
an init / srtp_create failure either masked the original error or
crashed on uninitialised state.
- libsrtp2/.github/workflows/{build,publish}.yml: delete. Component-
scoped workflow files are not honoured in this mono-repo; only
top-level .github/workflows are.
- host_test/pytest_libsrtp2_linux.py: align with the repo convention
used by spi_nand_flash/host_test — use idf_parametrize('target',
['linux'], ...) + skipif on missing build dir, drop the
pytest.mark.linux.
libsrtp v2.x's mbedTLS adapters predate the mbedTLS 4 / TF-PSA-Crypto split that ships with ESP-IDF v6. The component is already disabled on v6+ via .build-test-rules.yml; mirror that in idf_component.yml so the manifest is honest about supported IDF range. Bump the bound when the component tracks a libsrtp release that speaks mbedTLS 4.
Heads-up — moving this component to espressif/esp-protocols instead of idf-extra-components, per discussion with @euripedesrocha (it naturally sits there alongside
New PR: espressif/esp-protocols#1060
The new PR has all the feedback from this thread already incorporated:
Marking this one as Draft so the discussion stays put but it's not in the active review queue. Will close it once the esp-protocols PR lands. @igrr @suda-morris @euripedesrocha — please look at #1060 when convenient. The major comments from here are already addressed there, so the review should be light.
Adds libsrtp — an ESP-IDF wrapper around cisco/libsrtp pinned at v2.8.0
(commit 24b3bf8). Crypto routes through ESP-IDF's mbedTLS, so AES
protect/unprotect goes through the chip's on-chip AES peripheral by
default (CONFIG_MBEDTLS_HARDWARE_AES=y on esp32 / s2 / s3 / c3 / c5 /
c6 / p4). Pairs with libwebsockets and (upcoming) usrsctp for the
WebRTC transport stack.
The wrapper bundles cisco/libsrtp as a git submodule and compiles its
sources directly into the IDF component archive — no internal libsrtp2.a
dance. One small port-side delta in port/crypto_kernel.c opts out of
the AES-ICM-192 cipher registration when GCM is enabled (saves binary
size; AES-CM-128 + AES-GCM cover all WebRTC SRTP suites in use).
Naming + version follow cisco's release line. Component is named
'libsrtp' (registry: espressif/libsrtp) tracking whichever 2.x release
is current upstream — v2.8.0 today. The IDF version constraint
(>=5.4,<6) reflects the fact that libsrtp v2.x's mbedTLS adapters
predate the mbedTLS 4 / TF-PSA-Crypto split shipped by IDF v6; bump
when the component tracks a release that speaks mbedTLS 4.
Supported SRTP profiles via the mbedTLS backend:
AEAD: AEAD_AES_128_GCM, AEAD_AES_256_GCM
SRTP: AES_CM_128_HMAC_SHA1_80, AES_CM_128_HMAC_SHA1_32
Tests included:
test_apps/ — embedded Unity smoke (esp32 + esp32c3 via
.build-test-rules)
host_test/ — IDF Linux-target binary, AES-GCM-128 protect/
unprotect roundtrip; aborts on the first libsrtp
failure with EXPECT() for boolean assertions
examples/get_started/ — minimal init/shutdown sanity app
License: Apache-2.0 (port glue) AND BSD-3-Clause (bundled cisco/libsrtp).
(Previously prepared as espressif/idf-extra-components#753; relocated to
esp-protocols where it naturally sits alongside libwebsockets and the
other transport-stack components.)
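The AEAD profiles listed in the commit message above (AEAD_AES_128_GCM, AEAD_AES_256_GCM) are RFC 7714 profiles, and libsrtp derives their per-packet inputs internally in srtp_protect()/srtp_unprotect(). The following is an added example, not code from this PR or from cisco/libsrtp, that makes those two inputs visible: the 12-byte GCM IV formed from (SSRC, ROC, SEQ) XOR the session salt, and the RTP header that becomes the associated data (authenticated but not encrypted). The packet bytes and salt are constructed for the example; the RTP header parser handles CSRC lists and header extensions and rejects truncated packets, which is the check a receiver has to make before anything reaches the cipher.

```c
/*
 * Added example (not part of this PR or of cisco/libsrtp): RFC 7714 AEAD
 * inputs for one SRTP packet. libsrtp computes these inside
 * srtp_protect()/srtp_unprotect(); this shows what the mbedTLS GCM backend
 * receives per packet: the 12-byte IV and the RTP header used as AAD.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SRTP_GCM_IV_LEN   12
#define SRTP_SALT_LEN     12   /* RFC 7714: 96-bit session salt */
#define RTP_FIXED_HDR_LEN 12

typedef struct {
    uint8_t  cc;       /* CSRC count (low 4 bits of byte 0) */
    int      has_ext;  /* X bit: header extension present */
    uint16_t seq;      /* 16-bit sequence number */
    uint32_t ssrc;     /* synchronisation source */
    size_t   hdr_len;  /* fixed header + CSRCs + extension = AAD length */
} rtp_hdr_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(((uint16_t)p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse an RTP header (RFC 3550) and compute how many leading bytes are header.
 * Returns 0 on success, -1 for a non-v2 or truncated packet. Everything after
 * hdr_len is payload (encrypted by SRTP); the header itself is only authenticated. */
int rtp_parse_header(const uint8_t *pkt, size_t len, rtp_hdr_t *h)
{
    if (pkt == NULL || h == NULL || len < RTP_FIXED_HDR_LEN) return -1;
    if ((pkt[0] >> 6) != 2) return -1;             /* RTP version must be 2 */
    h->cc      = pkt[0] & 0x0f;
    h->has_ext = (pkt[0] & 0x10) != 0;
    h->seq     = rd16(pkt + 2);
    h->ssrc    = rd32(pkt + 8);
    size_t hdr = RTP_FIXED_HDR_LEN + 4u * h->cc;   /* one 32-bit word per CSRC */
    if (len < hdr) return -1;
    if (h->has_ext) {
        if (len < hdr + 4) return -1;              /* extension header: id + length */
        uint16_t ext_words = rd16(pkt + hdr + 2);  /* extension length in 32-bit words */
        hdr += 4 + 4u * ext_words;
        if (len < hdr) return -1;
    }
    h->hdr_len = hdr;
    return 0;
}

/* RFC 7714 section 8.1: IV = (0x0000 || SSRC || ROC || SEQ) XOR session salt.
 * The 48-bit packet index ROC||SEQ is what keeps each nonce unique per SSRC. */
void srtp_gcm_iv(uint32_t ssrc, uint32_t roc, uint16_t seq,
                 const uint8_t salt[SRTP_SALT_LEN], uint8_t iv[SRTP_GCM_IV_LEN])
{
    uint8_t t[SRTP_GCM_IV_LEN] = {0};
    t[2] = (uint8_t)(ssrc >> 24); t[3] = (uint8_t)(ssrc >> 16);
    t[4] = (uint8_t)(ssrc >> 8);  t[5] = (uint8_t)ssrc;
    t[6] = (uint8_t)(roc >> 24);  t[7] = (uint8_t)(roc >> 16);
    t[8] = (uint8_t)(roc >> 8);   t[9] = (uint8_t)roc;
    t[10] = (uint8_t)(seq >> 8);  t[11] = (uint8_t)seq;
    for (int i = 0; i < SRTP_GCM_IV_LEN; i++) iv[i] = t[i] ^ salt[i];
}

/* Derive the AEAD inputs for one packet. Returns 0 and fills iv / aad_len,
 * or -1 if the packet cannot be parsed (so nothing reaches the cipher). */
int srtp_aead_inputs(const uint8_t *pkt, size_t len, uint32_t roc,
                     const uint8_t salt[SRTP_SALT_LEN],
                     uint8_t iv[SRTP_GCM_IV_LEN], size_t *aad_len)
{
    rtp_hdr_t h;
    if (rtp_parse_header(pkt, len, &h) != 0) return -1;
    srtp_gcm_iv(h.ssrc, roc, h.seq, salt, iv);
    *aad_len = h.hdr_len;
    return 0;
}

/* Constructed sample: RTP v2, PT 64, SEQ 0xf17b, SSRC 0x5501a0b2, 8-byte payload. */
static const uint8_t SAMPLE_PKT[] = {
    0x80, 0x40, 0xf1, 0x7b, 0x80, 0x41, 0xf8, 0xd3, 0x55, 0x01, 0xa0, 0xb2,
    'G', 'a', 'l', 'l', 'i', 'a', ' ', 'e'
};
/* Constructed 96-bit session salt ("Quid pro quo" in ASCII). */
static const uint8_t SAMPLE_SALT[SRTP_SALT_LEN] = {
    0x51, 0x75, 0x69, 0x64, 0x20, 0x70, 0x72, 0x6f, 0x20, 0x71, 0x75, 0x6f
};

int main(void)
{
    uint8_t iv[SRTP_GCM_IV_LEN];
    size_t aad_len;
    if (srtp_aead_inputs(SAMPLE_PKT, sizeof SAMPLE_PKT, 0, SAMPLE_SALT, iv, &aad_len) != 0) {
        fprintf(stderr, "malformed RTP packet\n");
        return 1;
    }
    printf("AAD length: %zu bytes\nGCM IV:     ", aad_len);
    for (int i = 0; i < SRTP_GCM_IV_LEN; i++) printf("%02x", iv[i]);
    printf("\n");
    return 0;
}
```

The IV construction is the reason ROC tracking matters to the security of these profiles: two packets protected under the same key with the same (SSRC, ROC, SEQ) reuse a GCM nonce, which breaks both confidentiality and the authentication tag, so each SSRC must carry its own key or the stream must be rekeyed before the 48-bit packet index wraps. libsrtp keeps the ROC and replay window per stream for exactly this reason; the host_test roundtrip in this PR exercises that path end to end through the mbedTLS backend.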
Summary

Adds `libsrtp2` — an ESP-IDF wrapper around upstream cisco/libsrtp (the libsrtp `2.x` line). Pinned at commit `9fd71ba` (post-v2.6, picks up the `srtp_remove_stream` signature fix). Crypto routes through ESP-IDF's mbedTLS, which means AES protect/unprotect goes through the chip's AES peripheral when `CONFIG_MBEDTLS_HARDWARE_AES=y` (default on esp32/s2/s3/c3/c5/c6/p4) — no special wrapper-side code needed for HW acceleration.

This is the open-source / source-built libSRTP for ESP-IDF. (Distinct from `espressif/esp_libsrtp` — that one is a pre-built closed-source binary from `esp-adf-libs`.)

Why a new component

We've been carrying this as a downstream component (`esp_srtp2`) on the AWS KVS WebRTC SDK port for ESP32, in production on ESP32-P4 for the camera/WebRTC workstream. Several consumers (KVS, custom WebRTC stacks) want a registry-resolvable libSRTP that isn't tied to the ADF binary distribution. This PR brings that into idf-extra-components so any IDF project can `add-dependency espressif/libsrtp2`.

Naming

Follows the idf-extra-components convention for upstream-library wrappers — bare upstream project name (like `libpng`, `libsodium`, `zlib`, `freetype`). The `2` suffix tracks libsrtp's `2.x` major version, parallel to `catch2`.

A handful of search-friendly synonyms (`srtp`, `srtp2`, `srtcp`, `esp_srtp`, `esp_srtp2`, `esp_libsrtp`, `esp_libsrtp2`, `libsrtp`, `webrtc`, `rtp`, `mbedtls`, etc.) are in `idf_component.yml` `tags:` so the component surfaces under any reasonable registry search.

Commits

- `feat(libsrtp2): add component (libsrtp 2.6 + ESP-IDF mbedTLS port)` — wrapper sources, `libsrtp/` as a submodule gitlink at `9fd71ba`, root `.gitmodules` entry, single build-time patch (`patches/0001-Disable-AES-ICM-192-cipher-when-GCM-is-enabled.patch` to save binary size when GCM is enabled).
- `ci: register libsrtp2 in CI manifests` — `.idf_build_apps.toml`, `.github/workflows/upload_component.yml` directories list, `.github/ISSUE_TEMPLATE/bug-report.yml` dropdown. Alphabetically inserted. Passes `.github/consistency_check.py` locally.

Layout

Build / test verification (local)

- `test_apps/` on `esp32`: ✅ builds clean
- `test_apps/` on `esp32c3`: ✅ builds clean
- `host_test/` on IDF Linux target: ✅ builds clean + binary runs, prints `libsrtp2 host_test: PASS`, library reports `libsrtp2 2.4.2`
- `examples/get_started/` builds clean
- `.github/consistency_check.py` passes locally

CI will exercise the same matrix.

Crypto / supported profiles

- `AEAD_AES_128_GCM`, `AEAD_AES_256_GCM`
- `AES_CM_128_HMAC_SHA1_80`, `AES_CM_128_HMAC_SHA1_32`
- `MBEDTLS_HARDWARE_AES`-routed where the chip has the peripheral

Patch ledger

A single ESP-IDF specific patch (`patches/0001-Disable-AES-ICM-192-cipher-when-GCM-is-enabled.patch`) opts out of the AES-ICM-192 cipher registration. This is the only divergence from upstream and is purely a binary-size optimisation — AES-CM-128 and AES-GCM cover all WebRTC SRTP suites in use today. See `patches/README.md` for the ledger.

License

`Apache-2.0 AND BSD-3-Clause` — the ESP-IDF port glue is Apache-2.0; the bundled `libsrtp/` submodule remains under upstream's BSD-3-Clause.

What's next

A sibling PR for `usrsctp` (the userspace SCTP stack, used together with libsrtp2 for WebRTC data channels) is coming next, also following the bare-upstream-name convention. That one has more nuance (we have an upstream PR in flight at sctplab/usrsctp#743 for lwIP support) so I'm landing libsrtp2 first as the simpler, cleaner introduction.

Open to any review feedback on naming, layout, the patch, or anything else.