cisco · pabuhler · May 8, 2026 · May 7, 2026 · May 7, 2026
diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml
@@ -124,7 +124,18 @@ jobs:
     - name: Configure CMake
       working-directory: ${{github.workspace}}/build
       shell: bash
-      run: cmake $GITHUB_WORKSPACE -DLIBSRTP_TEST_APPS=ON  ${{ matrix.cmake-crypto-enable}} ${{env.cmake-crypto-dir}}
+      run: |
+        sanitizer_flags=""
+        if [[ "${{ matrix.os }}" != "windows-latest" ]]; then
+          sanitizer_flags="-DENABLE_SANITIZE_ADDR=ON -DENABLE_SANITIZE_UNDEF=ON"
+        fi
+
+        cmake $GITHUB_WORKSPACE \
+          -DLIBSRTP_TEST_APPS=ON \
+          -DCMAKE_BUILD_TYPE=Debug \
+          $sanitizer_flags \
+          ${{ matrix.cmake-crypto-enable}} \
+          ${{env.cmake-crypto-dir}}
 
     - name: Build
       working-directory: ${{github.workspace}}/build

diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -132,7 +132,7 @@ include_directories(${CONFIG_FILE_DIR})
 configure_file(config_in_cmake.h ${CONFIG_FILE_DIR}/config.h)
 add_definitions(-DHAVE_CONFIG_H)
 
-if(ENABLE_SANITIZE_ADDR OR ENABLE_SANITIZE_UNDEF)
+if(ENABLE_SANITIZE_ADDR OR ENABLE_SANITIZE_UNDEF OR ENABLE_SANITIZE_LEAK OR ENABLE_SANITIZE_THREAD)
     include(Sanitizer)
     add_sanitizer_flags()
 endif()

diff --git a/CMakePresets.json b/CMakePresets.json
@@ -0,0 +1,30 @@
+{
+  "version": 3,
+  "configurePresets": [
+    {
+      "name": "dev",
+      "displayName": "Developer with ASan/UBSan",
+      "description": "Debug build with AddressSanitizer/UndefinedBehaviorSanitizer enabled.",
+      "cacheVariables": {
+        "CMAKE_BUILD_TYPE": "Debug",
+        "ENABLE_SANITIZE_ADDR": "ON",
+        "ENABLE_SANITIZE_UNDEF": "ON"
+      }
+    }
+  ],
+  "buildPresets": [
+    {
+      "name": "dev",
+      "configurePreset": "dev"
+    }
+  ],
+  "testPresets": [
+    {
+      "name": "dev",
+      "configurePreset": "dev",
+      "output": {
+        "outputOnFailure": true
+      }
+    }
+  ]
+}
diff --git a/cmake/ConfigSafeGuards.cmake b/cmake/ConfigSafeGuards.cmake
@@ -4,7 +4,9 @@ if(${CMAKE_SOURCE_DIR} STREQUAL ${CMAKE_BINARY_DIR})
             "In-source builds not allowed. Please make a build directory.")
 endif()
 
-if(NOT CMAKE_BUILD_TYPE)
-    message(STATUS "No build type selected, default to Debug")
-    set(CMAKE_BUILD_TYPE "Debug")
+if(NOT CMAKE_CONFIGURATION_TYPES AND NOT CMAKE_BUILD_TYPE)
+    message(STATUS "No build type selected, defaulting to Debug")
+    set(CMAKE_BUILD_TYPE "Debug" CACHE STRING "Build type" FORCE)
+    set_property(CACHE CMAKE_BUILD_TYPE PROPERTY STRINGS
+        "Debug" "Release" "RelWithDebInfo" "MinSizeRel")
 endif()
diff --git a/cmake/FindMbedTLS.cmake b/cmake/FindMbedTLS.cmake
@@ -1,8 +1,12 @@
-find_path(MBEDTLS_INCLUDE_DIRS mbedtls/ssl.h)
+if (MBEDTLS_ROOT_DIR)
+    set(_MBEDTLS_ROOT_HINTS_AND_PATHS HINTS ${MBEDTLS_ROOT_DIR} PATH_SUFFIXES include lib NO_DEFAULT_PATH)
+endif()
+
+find_path(MBEDTLS_INCLUDE_DIRS mbedtls/ssl.h ${_MBEDTLS_ROOT_HINTS_AND_PATHS})
 
-find_library(MBEDTLS_LIBRARY mbedtls)
-find_library(MBEDX509_LIBRARY mbedx509)
-find_library(MBEDCRYPTO_LIBRARY mbedcrypto)
+find_library(MBEDTLS_LIBRARY mbedtls ${_MBEDTLS_ROOT_HINTS_AND_PATHS})
+find_library(MBEDX509_LIBRARY mbedx509 ${_MBEDTLS_ROOT_HINTS_AND_PATHS})
+find_library(MBEDCRYPTO_LIBRARY mbedcrypto ${_MBEDTLS_ROOT_HINTS_AND_PATHS})
 
 set(MBEDTLS_LIBRARIES "${MBEDTLS_LIBRARY}" "${MBEDX509_LIBRARY}" "${MBEDCRYPTO_LIBRARY}")
 

diff --git a/cmake/Sanitizer.cmake b/cmake/Sanitizer.cmake
@@ -1,5 +1,5 @@
 function(add_sanitizer_flags)
-    if(NOT ENABLE_SANITIZE_ADDR AND NOT ENABLE_SANITIZE_UNDEF)
+    if(NOT ENABLE_SANITIZE_ADDR AND NOT ENABLE_SANITIZE_UNDEF AND NOT ENABLE_SANITIZE_LEAK AND NOT ENABLE_SANITIZE_THREAD)
         return()
     endif()
 
@@ -24,7 +24,7 @@ function(add_sanitizer_flags)
 
         if(ENABLE_SANITIZE_THREAD)
             if(ENABLE_SANITIZE_ADDR OR ENABLE_SANITIZE_LEAK)
-                message(WARNING "thread does not work with: address and leak")
+                message(FATAL_ERROR "sanitize=thread does not work with sanitize=address or sanitize=leak")
             endif()
             add_compile_options("-fsanitize=thread")
             add_link_options("-fsanitize=thread")

diff --git a/crypto/cipher/aes_gcm_mbedtls.c b/crypto/cipher/aes_gcm_mbedtls.c
@@ -256,6 +256,7 @@ static srtp_err_status_t srtp_aes_gcm_mbedtls_dealloc(srtp_cipher_t *c)
     FUNC_ENTRY();
     ctx = (srtp_aes_gcm_ctx_t *)c->state;
     if (ctx) {
+        psa_aead_abort(&(ctx->ctx->op));
         psa_destroy_key(ctx->ctx->key_id);
         srtp_crypto_free(ctx->ctx);
         /* zeroize the key material */

diff --git a/crypto/cipher/aes_icm_mbedtls.c b/crypto/cipher/aes_icm_mbedtls.c
@@ -288,6 +288,7 @@ static srtp_err_status_t srtp_aes_icm_mbedtls_dealloc(srtp_cipher_t *c)
      */
     ctx = (srtp_aes_icm_ctx_t *)c->state;
     if (ctx != NULL) {
+        psa_cipher_abort(&(ctx->ctx->op));
         psa_destroy_key(ctx->ctx->key_id);
         srtp_crypto_free(ctx->ctx);
         /* zeroize the key material */