espressif · vikramdattu · May 22, 2026 · May 22, 2026 · May 23, 2026 · May 25, 2026
diff --git a/.github/ISSUE_TEMPLATE/bug-report.yml b/.github/ISSUE_TEMPLATE/bug-report.yml
@@ -54,6 +54,7 @@ body:
         - led_strip
         - libpng
         - libsodium
+        - libsrtp2
         - lua
         - esp_linenoise
         - network_provisioning

diff --git a/.github/workflows/upload_component.yml b/.github/workflows/upload_component.yml
@@ -57,6 +57,7 @@ jobs:
             json_parser
             led_strip
             libsodium
+            libsrtp2
             lua
             network_provisioning
             nghttp

diff --git a/.gitmodules b/.gitmodules
@@ -61,7 +61,6 @@
 [submodule "thorvg/thorvg"]
 	path = thorvg/thorvg
 	url = https://github.com/thorvg/thorvg
-
 [submodule "libjpeg-turbo/libjpeg-turbo"]
 	path = libjpeg-turbo/libjpeg-turbo
 	url = https://github.com/libjpeg-turbo/libjpeg-turbo.git
@@ -78,6 +77,10 @@
 	path = cjson/cJSON
 	url = https://github.com/DaveGamble/cJSON.git
 
+[submodule "libsrtp2/libsrtp"]
+	path = libsrtp2/libsrtp
+	url = https://github.com/cisco/libsrtp.git
+
 [submodule "lua/lua"]
 	path = lua/lua
 	url = https://github.com/lua/lua.git
diff --git a/.idf_build_apps.toml b/.idf_build_apps.toml
@@ -28,6 +28,7 @@ manifest_file = [
     "json_parser/.build-test-rules.yml",
     "libpng/.build-test-rules.yml",
     "libsodium/.build-test-rules.yml",
+    "libsrtp2/.build-test-rules.yml",
     "lua/.build-test-rules.yml",
     "onewire_bus/.build-test-rules.yml",
     "pcap/.build-test-rules.yml",

diff --git a/libsrtp2/.build-test-rules.yml b/libsrtp2/.build-test-rules.yml
@@ -0,0 +1,42 @@
+# SPDX-FileCopyrightText: 2026 Espressif Systems (Shanghai) CO LTD
+# SPDX-License-Identifier: Apache-2.0
+#
+# libsrtp2 requires ESP-IDF 5.4+ (idf_component.yml `idf: ">=5.4"`). The
+# disable rules below skip the build on older IDF releases so the repo-wide
+# CI matrix (v5.1 / v5.2 / v5.3 / v5.4 / v5.5 / latest) doesn't try them.
+#
+# IDF v6+ is also disabled for now: libsrtp 2.x's mbedTLS adapters
+# (aes_gcm_mbedtls.c, aes_icm_mbedtls.c, hmac_mbedtls.c) include the
+# classic <mbedtls/aes.h> / <mbedtls/gcm.h> headers which moved under the
+# TF-PSA-Crypto split in mbedTLS 4.x (shipped by IDF v6+). Re-enable once
+# libsrtp adapts or we ship a port-side compatibility shim.
+
+libsrtp2/examples/get_started:
+  enable:
+    - if: IDF_TARGET in ["esp32", "esp32c3", "esp32s3", "esp32c5", "esp32c6", "esp32p4"]
+      reason: "Build sanity on representative Xtensa + RISC-V targets."
+  disable:
+    - if: IDF_VERSION_MAJOR <= 5 and IDF_VERSION_MINOR < 4
+      reason: "libsrtp2 requires ESP-IDF 5.4+."
+    - if: IDF_VERSION_MAJOR >= 6
+      reason: "libsrtp 2.x mbedTLS adapters not yet ported to mbedTLS 4.x (TF-PSA-Crypto split)."
+
+libsrtp2/test_apps:
+  enable:
+    - if: IDF_TARGET in ["esp32", "esp32c3"]
+      reason: "Sufficient to exercise one Xtensa and one RISC-V target."
+  disable:
+    - if: IDF_VERSION_MAJOR <= 5 and IDF_VERSION_MINOR < 4
+      reason: "libsrtp2 requires ESP-IDF 5.4+."
+    - if: IDF_VERSION_MAJOR >= 6
+      reason: "libsrtp 2.x mbedTLS adapters not yet ported to mbedTLS 4.x (TF-PSA-Crypto split)."
+
+libsrtp2/host_test:
+  enable:
+    - if: IDF_TARGET == "linux"
+      reason: "Linux host build runs the SRTP roundtrip smoke test."
+  disable:
+    - if: IDF_VERSION_MAJOR <= 5 and IDF_VERSION_MINOR < 4
+      reason: "libsrtp2 requires ESP-IDF 5.4+."
+    - if: IDF_VERSION_MAJOR >= 6
+      reason: "libsrtp 2.x mbedTLS adapters not yet ported to mbedTLS 4.x (TF-PSA-Crypto split)."
diff --git a/libsrtp2/.github/workflows/build.yml b/libsrtp2/.github/workflows/build.yml
@@ -0,0 +1,73 @@
+name: Build check
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  # Embedded examples build — same matrix used by idf-extra-components for
+  # registry-candidate components.
+  build_example:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        target: [esp32, esp32s3, esp32c3, esp32c6, esp32p4]
+        idf_ver: [release-v5.4, release-v5.5, release-v6.0]
+    steps:
+      - name: Checkout (with submodules)
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+      - name: Build examples/get_started
+        uses: espressif/esp-idf-ci-action@v1
+        with:
+          esp_idf_version: ${{ matrix.idf_ver }}
+          target: ${{ matrix.target }}
+          path: examples/get_started
+
+  # Embedded smoke test (Unity) — one Xtensa + one RISC-V target.
+  build_test_apps:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        target: [esp32, esp32c3]
+        idf_ver: [release-v5.4, release-v5.5, release-v6.0]
+    steps:
+      - name: Checkout (with submodules)
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+      - name: Build test_apps
+        uses: espressif/esp-idf-ci-action@v1
+        with:
+          esp_idf_version: ${{ matrix.idf_ver }}
+          target: ${{ matrix.target }}
+          path: test_apps
+
+  # IDF Linux target — runs the AES-GCM-128 protect/unprotect roundtrip
+  # smoke test, asserting plaintext recovery.
+  host_test:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        idf_ver: [release-v5.4, release-v5.5, release-v6.0]
+    container: espressif/idf:${{ matrix.idf_ver }}
+    steps:
+      - name: Checkout (with submodules)
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+      - name: Build + run host_test on IDF Linux target
+        shell: bash
+        run: |
+          git config --global --add safe.directory "*"
+          cd host_test
+          . /opt/esp/idf/export.sh
+          idf.py --preview set-target linux build
+          ./build/host_test_libsrtp2.elf | tee host_test.log
+          grep -q "libsrtp2 host_test: PASS" host_test.log
diff --git a/libsrtp2/.github/workflows/publish.yml b/libsrtp2/.github/workflows/publish.yml
@@ -0,0 +1,24 @@
+name: Publish to ESP Component Registry
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'idf_component.yml'
+  workflow_dispatch:
+
+jobs:
+  upload:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout (with submodules)
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      - name: Upload libsrtp2
+        uses: espressif/upload-components-ci-action@v1
+        with:
+          name: libsrtp2
+          namespace: vikramdattu
+          api_token: ${{ secrets.IDF_COMPONENT_API_TOKEN }}
diff --git a/libsrtp2/CHANGELOG.md b/libsrtp2/CHANGELOG.md
@@ -0,0 +1,16 @@
+# Changelog
+
+## 2.8.0
+
+- First release. Tracks upstream cisco/libsrtp [`v2.8.0`](https://github.com/cisco/libsrtp/releases/tag/v2.8.0)
+  (commit `24b3bf8`); component version follows upstream.
+- Wraps libsrtp as an ESP-IDF component using mbedTLS for AES-ICM,
+  AES-GCM and HMAC-SHA1. ESP-IDF's mbedTLS routes AES through the
+  on-chip AES peripheral by default (`CONFIG_MBEDTLS_HARDWARE_AES=y`),
+  so SRTP protect/unprotect leverages hardware crypto with no
+  wrapper-side code.
+- One small port-side delta in `port/crypto_kernel.c`: opts out of the
+  AES-ICM-192 cipher registration when GCM is enabled (saves binary
+  size; AES-CM-128 + AES-GCM cover all WebRTC SRTP suites).
+- Embedded smoke test (`test_apps/`) and host-side AES-GCM-128
+  protect/unprotect roundtrip test (`host_test/`) included.
diff --git a/libsrtp2/CMakeLists.txt b/libsrtp2/CMakeLists.txt
@@ -0,0 +1,79 @@
+# SPDX-FileCopyrightText: 2024-2026 Espressif Systems (Shanghai) CO LTD
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set(SRTP_ROOT "${CMAKE_CURRENT_SOURCE_DIR}/libsrtp")
+
+# Vendored port-side source — replaces the upstream crypto/kernel/crypto_kernel.c
+# (which we exclude from SRCS below). The only delta vs upstream is opting out
+# of the AES-ICM-192 cipher registration when GCM is enabled, to save binary
+# size — AES-CM-128 + AES-GCM cover all WebRTC SRTP suites in use.
+#
+# Bundled into port/ rather than applied as a `git apply` patch at configure
+# time, so the wrapper works cleanly when installed via the IDF Component
+# Registry (the registry tarball has no .git dir for `git apply` to operate
+# on). Re-port from upstream when bumping the libsrtp submodule.
+set(SRTP_PORT_DIR "${CMAKE_CURRENT_SOURCE_DIR}/port")
+
+idf_component_register(
+    SRCS "${SRTP_ROOT}/srtp/srtp.c"
+        "${SRTP_ROOT}/crypto/cipher/aes_gcm_mbedtls.c"
+        "${SRTP_ROOT}/crypto/cipher/aes_icm_mbedtls.c"
+        "${SRTP_ROOT}/crypto/cipher/aes_icm.c"
+        "${SRTP_ROOT}/crypto/cipher/aes.c"
+        "${SRTP_ROOT}/crypto/cipher/cipher.c"
+        "${SRTP_ROOT}/crypto/cipher/cipher_test_cases.c"
+        "${SRTP_ROOT}/crypto/cipher/null_cipher.c"
+        "${SRTP_ROOT}/crypto/hash/auth.c"
+        "${SRTP_ROOT}/crypto/hash/hmac.c"
+        "${SRTP_ROOT}/crypto/hash/hmac_mbedtls.c"
+        "${SRTP_ROOT}/crypto/hash/auth_test_cases.c"
+        "${SRTP_ROOT}/crypto/hash/null_auth.c"
+        "${SRTP_ROOT}/crypto/hash/sha1.c"
+        "${SRTP_PORT_DIR}/crypto_kernel.c"     # replaces ${SRTP_ROOT}/crypto/kernel/crypto_kernel.c
+        "${SRTP_ROOT}/crypto/kernel/alloc.c"
+        "${SRTP_ROOT}/crypto/kernel/err.c"
+        "${SRTP_ROOT}/crypto/kernel/key.c"
+        "${SRTP_ROOT}/crypto/math/datatypes.c"
+        "${SRTP_ROOT}/crypto/replay/rdb.c"
+        "${SRTP_ROOT}/crypto/replay/rdbx.c"
+
+    PRIV_INCLUDE_DIRS
+        "${SRTP_ROOT}/crypto/include"
+        "${CMAKE_CURRENT_SOURCE_DIR}/port"
+    INCLUDE_DIRS
+        "${SRTP_ROOT}/include"                  # upstream API headers (srtp.h, ekt.h, ...)
+        "${CMAKE_CURRENT_SOURCE_DIR}/include"   # srtp2/ namespace shim so consumers can still <srtp2/srtp.h>
+
+    REQUIRES "mbedtls"
+)
+
+# Fully suppress (not just downgrade) warnings from third-party libsrtp
+# sources. The repo-wide CI pipeline runs idf-build-apps with strict
+# warning checking, so -Wno-error=* alone (which keeps the warning
+# printed) trips the matrix on otherwise-valid builds. We can't fix the
+# warnings upstream, so silence them here. Apple clang on IDF's Linux
+# target does not recognise -Wno-conflicting-types, so probe first.
+include(CheckCCompilerFlag)
+check_c_compiler_flag("-Wno-conflicting-types" SRTP2_HAS_NO_CONFLICTING_TYPES)
+
+target_compile_options(${COMPONENT_LIB} PRIVATE
+    -Wno-format
+    -Wno-unused-function
+    -Wno-unused-variable
+    -Wno-unused-but-set-variable
+    -Wno-sign-compare
+    -Wno-type-limits
+    -Wno-pointer-sign
+    -Wno-implicit-function-declaration
+    -Wno-strict-prototypes
+    -Wno-old-style-definition
+    -Wno-incompatible-pointer-types
+)
+if(SRTP2_HAS_NO_CONFLICTING_TYPES)
+    target_compile_options(${COMPONENT_LIB} PRIVATE -Wno-conflicting-types)
+endif()
+
+target_compile_definitions(${COMPONENT_LIB} PUBLIC
+    -DHAVE_CONFIG_H
+)
diff --git a/libsrtp2/Kconfig b/libsrtp2/Kconfig
@@ -0,0 +1,17 @@
+menu "libsrtp2 (libsrtp)"
+
+    config SRTP2_CRYPTO_MBEDTLS
+        bool "Use mbedTLS as the libsrtp crypto backend"
+        default y
+        help
+            Use mbedTLS for AES (ICM/GCM) and HMAC-SHA1 primitives.
+            This is currently the only backend the ESP-IDF port wires up.
+
+    config SRTP2_LOG_RTP_TRACE
+        bool "Enable verbose RTP trace logging"
+        default n
+        help
+            Enables libsrtp's internal debug-trace logging at runtime
+            (extra binary size; meant only for development).
+
+endmenu