Skip to content

mbedtls files changed and cmake instruction added to support MbedTLS … #782

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
seyednasermoravej wants to merge 4 commits into
base: main
Choose a base branch
from
Open

mbedtls files changed and cmake instruction added to support MbedTLS … #782

seyednasermoravej wants to merge 4 commits into from
+267 −86

Conversation

@seyednasermoravej
Copy link

@seyednasermoravej seyednasermoravej commented Dec 25, 2025

Hi Cisco team, and Merry Christmas 🎄

This PR is a draft for the migration to Mbed TLS v4.0.
For easier review and comparison, I’ve kept both the legacy code and the new implementation side by side.

There are still some unnecessary fields in a few structures, and in some places the implementation can be improved (for example, using status instead of errCode). I intentionally kept the changes as minimal as possible for now; we can clean up and refine these parts in follow-up steps once the migration direction is agreed upon.

Feedback and suggestions are very welcome.

This was referenced Dec 25, 2025
Open
Open
Draft
Open
@seyednasermoravej seyednasermoravej force-pushed the migration-to-psa-crypto branch 3 times, most recently from 1791e08 to 40c43bf Compare January 7, 2026 15:50
@seyednasermoravej
Copy link
Author

seyednasermoravej commented Jan 7, 2026

How can I check CI before push my code?
I'm facing GCM mode error in the CI while it passed on my side.
My command to build the code is:
cmake -S . -B build -DCRYPTO_LIBRARY=mbedtls -DMBEDTLS_INCLUDE_DIRS=/opt/mbedtls-4/include -DMBEDTLS_LIBRARY="/opt/mbedtls-4/lib/libmbedtls.a;/opt/mbedtls-4/lib/libmbedcrypto.a" && cmake --build build
assuming MbedTLS V4.0 is installed in /opt/mbedtls-4 directory.
I have tested rtpw application while the sender is output from mbedtls4.0 and the receiver is from previous mbedtls and vice versa.

@pabuhler
Copy link
Member

pabuhler commented Jan 7, 2026

I normally just try to replicate the environment, or else do a lot of pushing to a PR and then clean up and squash before creating the final PR.

Just looking quickly I would guess you need to update the CI scripts to use MbedTLS 4 or ?
If you tell me how to install the correct version of mbedtls on ubuntu I could try to build and run locally and look at CI script.

@seyednasermoravej
Copy link
Author

seyednasermoravej commented Jan 8, 2026

I normally just try to replicate the environment, or else do a lot of pushing to a PR and then clean up and squash before creating the final PR.

Just looking quickly I would guess you need to update the CI scripts to use MbedTLS 4 or ? If you tell me how to install the correct version of mbedtls on ubuntu I could try to build and run locally and look at CI script.

I tested this scripts on Ubuntu 24.04 and Ubuntu 22.04. Maybe you face python errors because of absence of some packages. Please install them via pip. If you face no python error, you could create a .sh file and source it:

cd ~ git clone https://github.com/Mbed-TLS/mbedtls.git cd mbedtls git checkout mbedtls-4.0.0 git submodule update --init --recursive cmake -S . -B build cmake --build build cd ~/mbedtls/build sudo cmake --install . --prefix=/opt/mbedtls-4 cd ~ git clone https://github.com/seyednasermoravej/libsrtp.git cd libsrtp git checkout migration-to-psa-crypto cmake -S . -B build -DCRYPTO_LIBRARY=mbedtls -DMBEDTLS_INCLUDE_DIRS=/opt/mbedtls-4/include -DMBEDTLS_LIBRARY=/opt/mbedtls-4/lib/libmbedtls.a -DMBEDX509_LIBRARY=/opt/mbedtls-4/lib/libmbedx509.a -DMBEDCRYPTO_LIBRARY=/opt/mbedtls-4/lib/libmbedcrypto.a cmake --build build cp test/words.txt build cd build ./rtpw -s -k c1eec3717da76195bb878578790af71c4ee9f859e197a414a78d5abc7451 -e 128 -a 0.0.0.0 9999
That is the sender, you could run the receiver using this command:
cd ~/libsrtp/build ./rtpw -r -k c1eec3717da76195bb878578790af71c4ee9f859e197a414a78d5abc7451 -e 128 -a 0.0.0.0 9999

@pabuhler
Copy link
Member

pabuhler commented Jan 10, 2026

@seyednasermoravej I made some change to get the CI to pass, hope it was OK to push to this branch. You can do what you want with them.

I would suggest rebasing and removing the commits which are not related to getting mbtls working.

@seyednasermoravej
Copy link
Author

seyednasermoravej commented Jan 28, 2026

@seyednasermoravej I made some change to get the CI to pass, hope it was OK to push to this branch. You can do what you want with them.

I would suggest rebasing and removing the commits which are not related to getting mbtls working.

Apologies for my delayed response. Is there anything in the code that could be improved?

@pabuhler
Copy link
Member

pabuhler commented Jan 28, 2026

@seyednasermoravej I am not sure you need the change to the readme as when this is merged then it should just build as before.
Other than that I think you should make it "ready for review" and see if any one else has comments.

seyednasermoravej and others added 4 commits January 29, 2026 00:19
@seyednasermoravej
mbedtls files changed and cmake instruction added to support MbedTLS …
5dcb624 
…V4.0
@seyednasermoravej
Use MbedTLS 4 on Ubuntu
c157358
@seyednasermoravej
Fixup mbedtls aes icm
467ca66 
The aes interface in libsrtp expects to be able to call encrypt multiple times in a progressive manor. A call to set the IV should reset for a new set of operations.
This interface is not so oblivious and there is currently no indication of the last call.
This should really be improved.
@seyednasermoravej
Fix mbedtls aes gcm
2bf6953 
Pass dst_len as it is the actual buffer size.
Remove unused code, full_tag & ciphertext_len.
@seyednasermoravej seyednasermoravej marked this pull request as ready for review January 28, 2026 20:58
@seyednasermoravej
Copy link
Author

seyednasermoravej commented Jan 28, 2026

@seyednasermoravej I am not sure you need the change to the readme as when this is merged then it should just build as before. Other than that I think you should make it "ready for review" and see if any one else has comments.

I removed the "README.md" changes from the branch "migration-to-psa-crypto"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@seyednasermoravej @pabuhler