cisco · vikramdattu · Jun 1, 2026 · Jun 1, 2026 · Jun 1, 2026
diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml
@@ -14,7 +14,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
-        crypto: [internal, openssl, openssl3, nss, mbedtls]
+        crypto: [internal, openssl, openssl3, nss, mbedtls, mbedtls4]
         exclude:
           - os: windows-latest
             crypto: openssl
@@ -24,6 +24,8 @@ jobs:
             crypto: nss
           - os: windows-latest
             crypto: mbedtls
+          - os: windows-latest
+            crypto: mbedtls4
           - os: ubuntu-latest
             crypto: openssl3
         include:
@@ -37,6 +39,8 @@ jobs:
             cmake-crypto-enable: "-DENABLE_NSS=ON"
           - crypto: mbedtls
             cmake-crypto-enable: "-DENABLE_MBEDTLS=ON"
+          - crypto: mbedtls4
+            cmake-crypto-enable: "-DENABLE_MBEDTLS=ON"
 
     runs-on: ${{ matrix.os }}
 
@@ -54,6 +58,23 @@ jobs:
       if:  matrix.os == 'ubuntu-latest' && matrix.crypto == 'mbedtls'
       run: sudo apt-get install libmbedtls-dev
 
+    - name: Setup Ubuntu MbedTLS 4
+      if:  matrix.os == 'ubuntu-latest' && matrix.crypto == 'mbedtls4'
+      run: |
+        python3 -m pip install --break-system-packages --upgrade jsonschema jinja2
+        git clone https://github.com/Mbed-TLS/mbedtls.git /tmp/mbedtls4-src
+        cd /tmp/mbedtls4-src
+        git checkout mbedtls-4.0.0
+        git submodule update --init --recursive
+        # PIC is required to link the static libtfpsacrypto into libsrtp2's
+        # shared library; without it the final shared link fails with
+        # "relocation R_X86_64_PC32 ... can not be used when making a shared
+        # object; recompile with -fPIC".
+        cmake -S . -B build -DENABLE_TESTING=OFF -DENABLE_PROGRAMS=OFF \
+              -DCMAKE_POSITION_INDEPENDENT_CODE=ON
+        cmake --build build -j
+        sudo cmake --install build
+
     - name: Setup macOS OpenSSL
       if: matrix.os == 'macos-latest' && matrix.crypto == 'openssl'
       run: echo "cmake-crypto-dir=-DOPENSSL_ROOT_DIR=$(brew --prefix openssl@1.1)" >> $GITHUB_ENV
@@ -74,6 +95,24 @@ jobs:
         brew install mbedtls@3
         echo "CMAKE_PREFIX_PATH=$(brew --prefix mbedtls@3)" >> $GITHUB_ENV
 
+    - name: Setup macOS MbedTLS 4
+      if:  matrix.os == 'macos-latest' && matrix.crypto == 'mbedtls4'
+      run: |
+        # Install under /tmp/ (outside $GITHUB_WORKSPACE) so the install
+        # survives the actions/checkout@v2 step that runs later in this job
+        # and clears the workspace.
+        python3 -m pip install --break-system-packages --upgrade jsonschema jinja2
+        git clone https://github.com/Mbed-TLS/mbedtls.git /tmp/mbedtls4-src
+        cd /tmp/mbedtls4-src
+        git checkout mbedtls-4.0.0
+        git submodule update --init --recursive
+        cmake -S . -B build -DENABLE_TESTING=OFF -DENABLE_PROGRAMS=OFF \
+              -DCMAKE_POSITION_INDEPENDENT_CODE=ON \
+              -DCMAKE_INSTALL_PREFIX=/tmp/mbedtls4-prefix
+        cmake --build build -j
+        cmake --install build
+        echo "CMAKE_PREFIX_PATH=/tmp/mbedtls4-prefix" >> $GITHUB_ENV
+
     - uses: actions/checkout@v2
 
     - name: Create Build Environment

diff --git a/.github/workflows/meson.yml b/.github/workflows/meson.yml
@@ -14,7 +14,7 @@ jobs:
       fail-fast: false
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
-        crypto: [internal, openssl, openssl3, nss, mbedtls]
+        crypto: [internal, openssl, openssl3, nss, mbedtls, mbedtls4]
         exclude:
           - os: windows-latest
             crypto: openssl
@@ -24,6 +24,8 @@ jobs:
             crypto: nss
           - os: windows-latest
             crypto: mbedtls
+          - os: windows-latest
+            crypto: mbedtls4
           - os: ubuntu-latest
             crypto: openssl3
         include:
@@ -37,6 +39,8 @@ jobs:
             meson-crypto-enable: "-Dcrypto-library=nss"
           - crypto: mbedtls
             meson-crypto-enable: "-Dcrypto-library=mbedtls"
+          - crypto: mbedtls4
+            meson-crypto-enable: "-Dcrypto-library=mbedtls"
 
     runs-on: ${{ matrix.os }}
 
@@ -71,6 +75,20 @@ jobs:
       if:  matrix.os == 'ubuntu-latest' && matrix.crypto == 'mbedtls'
       run: sudo apt-get install libmbedtls-dev
 
+    - name: Setup Ubuntu MbedTLS 4
+      if:  matrix.os == 'ubuntu-latest' && matrix.crypto == 'mbedtls4'
+      run: |
+        python3 -m pip install --break-system-packages --upgrade jsonschema jinja2
+        git clone https://github.com/Mbed-TLS/mbedtls.git /tmp/mbedtls4-src
+        cd /tmp/mbedtls4-src
+        git checkout mbedtls-4.0.0
+        git submodule update --init --recursive
+        # PIC: static libtfpsacrypto must be linkable into libsrtp2.so.
+        cmake -S . -B build -DENABLE_TESTING=OFF -DENABLE_PROGRAMS=OFF \
+              -DCMAKE_POSITION_INDEPENDENT_CODE=ON
+        cmake --build build -j
+        sudo cmake --install build
+
     - name: Setup macOS OpenSSL
       if: matrix.os == 'macos-latest' && matrix.crypto == 'openssl'
       run: echo "PKG_CONFIG_PATH=$(brew --prefix openssl@1.1)/lib/pkgconfig" >> $GITHUB_ENV
@@ -91,6 +109,23 @@ jobs:
         brew install mbedtls@3
         echo "PKG_CONFIG_PATH=$(brew --prefix mbedtls@3)/lib/pkgconfig" >> $GITHUB_ENV
 
+    - name: Setup macOS MbedTLS 4
+      if:  matrix.os == 'macos-latest' && matrix.crypto == 'mbedtls4'
+      run: |
+        # Install outside $GITHUB_WORKSPACE so the install survives the
+        # actions/checkout@v2 step that wipes the workspace later in the job.
+        python3 -m pip install --break-system-packages --upgrade jsonschema jinja2
+        git clone https://github.com/Mbed-TLS/mbedtls.git /tmp/mbedtls4-src
+        cd /tmp/mbedtls4-src
+        git checkout mbedtls-4.0.0
+        git submodule update --init --recursive
+        cmake -S . -B build -DENABLE_TESTING=OFF -DENABLE_PROGRAMS=OFF \
+              -DCMAKE_POSITION_INDEPENDENT_CODE=ON \
+              -DCMAKE_INSTALL_PREFIX=/tmp/mbedtls4-prefix
+        cmake --build build -j
+        cmake --install build
+        echo "PKG_CONFIG_PATH=/tmp/mbedtls4-prefix/lib/pkgconfig" >> $GITHUB_ENV
+
     - uses: actions/checkout@v2
 
     - name: Create Build Environment

diff --git a/cmake/FindMbedTLS.cmake b/cmake/FindMbedTLS.cmake
@@ -4,13 +4,22 @@ find_library(MBEDTLS_LIBRARY mbedtls)
 find_library(MBEDX509_LIBRARY mbedx509)
 find_library(MBEDCRYPTO_LIBRARY mbedcrypto)
 
+# mbedTLS 4.x splits the PSA Crypto implementation into its own library
+# (libtfpsacrypto).  libmbedcrypto remains as a thin wrapper but the actual
+# psa_* symbols live in tfpsacrypto, so we must link it when present.  Older
+# 3.x installs do not ship this library; the find is best-effort.
+find_library(MBEDTFPSACRYPTO_LIBRARY tfpsacrypto)
+
 set(MBEDTLS_LIBRARIES "${MBEDTLS_LIBRARY}" "${MBEDX509_LIBRARY}" "${MBEDCRYPTO_LIBRARY}")
+if(MBEDTFPSACRYPTO_LIBRARY)
+    list(APPEND MBEDTLS_LIBRARIES "${MBEDTFPSACRYPTO_LIBRARY}")
+endif()
 
 include(FindPackageHandleStandardArgs)
 find_package_handle_standard_args(MbedTLS DEFAULT_MSG
     MBEDTLS_LIBRARY MBEDTLS_INCLUDE_DIRS MBEDX509_LIBRARY MBEDCRYPTO_LIBRARY)
 
-mark_as_advanced(MBEDTLS_INCLUDE_DIRS MBEDTLS_LIBRARY MBEDX509_LIBRARY MBEDCRYPTO_LIBRARY)
+mark_as_advanced(MBEDTLS_INCLUDE_DIRS MBEDTLS_LIBRARY MBEDX509_LIBRARY MBEDCRYPTO_LIBRARY MBEDTFPSACRYPTO_LIBRARY)
 
 if(NOT TARGET MbedTLS)
     message("in mbedtls ${MBEDTLS_LIBRARY}")