Index: head/dns/kadnode/Makefile
===================================================================
--- head/dns/kadnode/Makefile	(revision 476833)
+++ head/dns/kadnode/Makefile	(revision 476834)
@@ -1,74 +1,74 @@
 # Created by: Moritz Warning <moritzwarning@web.de>
 # $FreeBSD$
 
 PORTNAME=	kadnode
 DISTVERSIONPREFIX=	v
 DISTVERSION=	2.2.3
-PORTREVISION=	0
+PORTREVISION=	1
 CATEGORIES=	dns
 
 MAINTAINER=	moritzwarning@web.de
 COMMENT=	P2P name resolution daemon
 
 LICENSE=	MIT
 LICENSE_FILE=	${WRKSRC}/LICENSE
 
 USES=		gmake
 USE_GITHUB=	yes
 GH_ACCOUNT=	mwarning
 GH_PROJECT=	KadNode
 USE_RC_SUBR=	kadnode
 
 MAKE_ENV=	FEATURES="${FEATURES}"
 SUB_FILES=	kadnode.conf
 
 OPTIONS_DEFINE=	AUTH CMD DEBUG DNS LPD NATPMP NSS UPNP
 OPTIONS_DEFAULT=	AUTH CMD LPD NSS
 OPTIONS_SUB=	yes
 
 AUTH_DESC=	Authorization support based on mbedtls
 CMD_DESC=	Command line control tool kadnode-ctl
 DEBUG_DESC=	Build with debug messages and symbols
 DNS_DESC=	Include local DNS interface
 LPD_DESC=	Local peer discovery
 NATPMP_DESC=	NAT-PMP support (remote port forwarding on the router)
 NSS_DESC=	Name Service Switch support to intercept host queries
 UPNP_DESC=	UPnP support (remote port forwarding on the router)
 
 AUTH_LIB_DEPENDS=	libmbedtls.so:security/mbedtls
 AUTH_VARS=		FEATURES+="bob tls"
 
 CMD_VARS=		FEATURES+="cmd"
 
 DEBUG_VARS=		FEATURES+="debug"
 
 DNS_VARS=		FEATURES+="dns"
 
 LPD_VARS=		FEATURES+="lpd"
 
 NATPMP_LIB_DEPENDS=	libnatpmp.so:net/libnatpmp
 NATPMP_VARS=		FEATURES+="natpmp"
 
 NSS_VARS=		FEATURES+="nss"
 
 UPNP_LIB_DEPENDS=	libminiupnpc.so:net/miniupnpc
 UPNP_VARS=		FEATURES+="upnp"
 
 do-install:
 	${INSTALL_PROGRAM} ${WRKSRC}/build/kadnode ${STAGEDIR}${PREFIX}/bin/
 	${RLN} ${STAGEDIR}${PREFIX}/bin/kadnode ${STAGEDIR}${PREFIX}/bin/kadnode-ctl
 	${MKDIR} ${STAGEDIR}${ETCDIR}
 	${INSTALL_DATA} ${WRKSRC}/misc/peers.txt \
 		${STAGEDIR}${ETCDIR}/peers.txt.sample
 	${INSTALL_DATA} ${WRKDIR}/kadnode.conf \
 		${STAGEDIR}${ETCDIR}/kadnode.conf.sample
 	${INSTALL_MAN} ${WRKSRC}/misc/manpage \
 		${STAGEDIR}${MANPREFIX}/man/man1/kadnode.1
 
 do-install-NSS-on:
 	${INSTALL_LIB} ${WRKSRC}/build/libnss_kadnode.so.2 \
 		${STAGEDIR}${PREFIX}/lib/nss_kadnode.so.1
 	${RLN} ${STAGEDIR}${PREFIX}/lib/nss_kadnode.so.1 \
 		${STAGEDIR}${PREFIX}/lib/nss_kadnode.so
 
 .include <bsd.port.mk>
Index: head/emulators/dolphin-emu/Makefile
===================================================================
--- head/emulators/dolphin-emu/Makefile	(revision 476833)
+++ head/emulators/dolphin-emu/Makefile	(revision 476834)
@@ -1,83 +1,83 @@
 # Created by: Ganael Laplanche <ganael.laplanche@martymac.org>
 # $FreeBSD$
 
 PORTNAME=	dolphin-emu
 PORTVERSION=	5.0
-PORTREVISION=	22
+PORTREVISION=	23
 CATEGORIES=	emulators
 
 MAINTAINER=	martymac@FreeBSD.org
 COMMENT=	Gamecube and Wii Emulator
 
 LICENSE=	GPLv2
 LICENSE_FILE=	${WRKSRC}/license.txt
 
 # Notes on dependencies:
 # - keep enet from Externals as Dolphin's version diverges
 # - xxhash and SOIL are not (yet?) in ports and built from Externals
 # - skip ALSA (emulated), ao (buggy) and bluez support
 LIB_DEPENDS=	libpulse.so:audio/pulseaudio \
 		libavcodec.so:multimedia/ffmpeg \
 		libavformat.so:multimedia/ffmpeg \
 		libswscale.so:multimedia/ffmpeg \
 		libavutil.so:multimedia/ffmpeg \
 		libportaudio.so:audio/portaudio \
 		liblzo2.so:archivers/lzo2 \
 		libpng.so:graphics/png \
 		libSoundTouch.so:audio/soundtouch \
 		libsfml-system.so:devel/sfml \
 		libminiupnpc.so:net/miniupnpc \
 		libmbedtls.so:security/mbedtls \
 		libcurl.so:ftp/curl \
 		libgtest.so:devel/googletest
 
 LLD_UNSAFE=	yes
 USES=		cmake compiler:c++11-lib iconv openal pkgconfig
 
 USE_GITHUB=	yes
 GH_PROJECT=	dolphin
 
 USE_GL=		gl glew glu
 USE_GNOME=	atk cairo glib20 gdkpixbuf2 gtk20 pango
 USE_SDL=	sdl2
 USE_WX=		3.0+
 USE_XORG=	ice sm x11 xext xi xrandr
 
 CMAKE_ARGS+=	-DTRY_X11:BOOL=ON \
 		-DUSE_UPNP:BOOL=ON \
 		-DDISABLE_WX:BOOL=OFF \
 		-DUSE_SHARED_GTEST:BOOL=ON \
 		-DENABLE_PCH:BOOL=OFF \
 		-DCMAKE_REQUIRED_INCLUDES:PATH="${LOCALBASE}/include" \
 		-DCMAKE_REQUIRED_FLAGS:STRING="-L${LOCALBASE}/lib" \
 		-DCMAKE_INSTALL_RPATH_USE_LINK_PATH:BOOL=ON
 
 # XXX Bypass git check (and set a dummy -unused- revision)
 CMAKE_ARGS+=	-DDOLPHIN_WC_BRANCH:STRING="stable" \
 		-DDOLPHIN_WC_REVISION:STRING="1"
 
 OPTIONS_DEFINE=	NLS
 OPTIONS_SUB=	yes
 NLS_USES=	gettext
 NLS_CMAKE_ON=	-DDISABLE_NLS:BOOL=OFF
 NLS_CMAKE_OFF=	-DDISABLE_NLS:BOOL=ON
 
 .include <bsd.port.pre.mk>
 
 # JIT-enabled binaries are amd64 only
 .if ${ARCH} != "amd64"
 CMAKE_ARGS+=	-DENABLE_GENERIC:BOOL=ON
 .endif
 
 # When building with GCC, needs GCC 4.9+
 .if ${COMPILER_TYPE} == gcc && ${COMPILER_VERSION} < 49
 USE_GCC=	yes
 # Enable std::stoul()
 CXXFLAGS+=	-D_GLIBCXX_USE_C99
 # Enable log2f(), exp2f() and roundf()
 CXXFLAGS+=	-D_GLIBCXX_USE_C99_MATH_TR1
 # Turn on extra long double versions of math functions, needed for cmath
 CXXFLAGS+=	-D__ISO_C_VISIBLE=1999 -D_DECLARE_C99_LDBL_MATH
 .endif
 
 .include <bsd.port.post.mk>
Index: head/lang/gauche/Makefile
===================================================================
--- head/lang/gauche/Makefile	(revision 476833)
+++ head/lang/gauche/Makefile	(revision 476834)
@@ -1,100 +1,101 @@
 # Created by: Akinori MUSHA aka knu <knu@idaemons.org>
 # $FreeBSD$
 
 PORTNAME=	gauche
 PORTVERSION=	0.9.6
+PORTREVISION=	1
 CATEGORIES=	lang scheme
 MASTER_SITES=	SF/${PORTNAME}/Gauche
 DISTNAME=	Gauche-${PORTVERSION}
 
 MAINTAINER=	ports@FreeBSD.org
 COMMENT=	Scheme script interpreter with multibyte character handling
 
 LICENSE=	BSD3CLAUSE
 LICENSE_FILE=	${WRKSRC}/COPYING
 
 BROKEN_aarch64=	Fails to link: missing sbrk
 BROKEN_armv6=	Fails to build: unknown attribute __alloc_size__; also fails in assembler
 BROKEN_armv7=	Fails to build: unknown attribute __alloc_size__; also fails in assembler
 BROKEN_mips=	Fails to build: redefinition of GC_register_dynamic_libraries
 BROKEN_mips64=	Fails to build: redefinition of GC_register_dynamic_libraries
 
 USES=		gmake iconv makeinfo tar:tgz
 GNU_CONFIGURE=	yes
 CONFIGURE_ARGS=	--with-local=${LOCALBASE} ${ICONV_CONFIGURE_BASE:S/lib//}
 USE_LDCONFIG=	yes
 MAKE_JOBS_UNSAFE=yes
 TEST_TARGET=	check
 
 PLIST_SUB=	VERSION="${PORTVERSION}" \
 		TARGET="${CONFIGURE_TARGET}"
 
 # avoids a problem with with ccache's pre-processor optimization
 MAKE_ENV+=	CCACHE_CPP2=1
 
 INFO=		gauche-refe gauche-refj
 
 OPTIONS_DEFINE=		GDBM THREADS SLIB
 OPTIONS_RADIO=		MULTIBYTE TLS
 OPTIONS_RADIO_MULTIBYTE=	EUCJP SJIS UTF8
 OPTIONS_RADIO_TLS=	AXTLS MBEDTLS
 OPTIONS_DEFAULT=	AXTLS THREADS UTF8
 OPTIONS_SUB=		yes
 
 AXTLS_DESC=		Cameron Rich's axTLS implementation (bundled)
 AXTLS_CONFIGURE_ON=	--with-tls=axtls
 EUCJP_DESC=		EUC-JP encoding support
 EUCJP_CONFIGURE_ON=	--enable-multibyte=euc-jp
 GDBM_LIB_DEPENDS=	libgdbm.so:databases/gdbm
 MBEDTLS_LIB_DEPENDS=	libmbedtls.so:security/mbedtls
 MBEDTLS_CONFIGURE_ON=	--with-tls=mbedtls
 SLIB_DESC=		Create catalogue for SLIB port
 SLIB_BUILD_DEPENDS=	${LOCALBASE}/share/slib/require.scm:lang/slib
 SLIB_CONFIGURE_ON=	--with-slib=${LOCALBASE}/share/slib
 SLIB_CONFIGURE_OFF=	--with-slib=${WRKDIR}
 SJIS_DESC=		Shift_JIS encoding support
 SJIS_CONFIGURE_ON=	--enable-multibyte=sjis
 THREADS_CONFIGURE_ON=	--enable-threads=pthreads
 THREADS_CONFIGURE_OFF=	--enable-threads=no
 UTF8_CONFIGURE_ON=	--enable-multibyte=utf-8
 
 .include <bsd.port.options.mk>
 
 .if !${PORT_OPTIONS:MEUCJP} && !${PORT_OPTIONS:MSJIS} && !${PORT_OPTIONS:MUTF8}
 CONFIGURE_ARGS+=	--enable-multibyte=none
 .endif
 
 .if !${PORT_OPTIONS:MAXTLS} && !${PORT_OPTIONS:MMBEDTLS}
 CONFIGURE_ARGS+=	--with-tls=none
 .endif
 
 post-patch:
 # required for sparc64, no-op elsewhere
 	@${REINPLACE_CMD} -e \
 		'/^VPATH = /s,$$,/src,' ${WRKSRC}/gc/Makefile.in
 
 post-install:
 	@${TOUCH} ${STAGEDIR}${PREFIX}/lib/gauche-0.9/site/${CONFIGURE_TARGET}/.keepme
 	@${MKDIR} ${STAGEDIR}${DATADIR}/${PORTVERSION}/lib/.packages
 	@${TOUCH} ${STAGEDIR}${DATADIR}/${PORTVERSION}/lib/.packages/.keepme
 	@${MKDIR} ${STAGEDIR}${DATADIR}/site/lib/.packages
 	@${TOUCH} ${STAGEDIR}${DATADIR}/site/lib/.packages/.keepme
 	@${MKDIR} ${STAGEDIR}${PREFIX}/share/gauche-0.9/site/lib/.packages
 	@${TOUCH} ${STAGEDIR}${PREFIX}/share/gauche-0.9/site/lib/.packages/.keepme
 	@${MKDIR} ${STAGEDIR}${DOCSDIR}
 	@${TOUCH} ${STAGEDIR}${DOCSDIR}/.keepme
 	@${MKDIR} ${STAGEDIR}${EXAMPLESDIR}
 	@${TOUCH} ${STAGEDIR}${EXAMPLESDIR}/.keepme
 .for i in gauche-config gosh
 	@${CHMOD} u+w ${STAGEDIR}${PREFIX}/bin/${i}
 	@${STRIP_CMD} ${STAGEDIR}${PREFIX}/bin/${i}
 	@${CHMOD} u-w ${STAGEDIR}${PREFIX}/bin/${i}
 .endfor
 	@${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/libgauche-0.9.so.[0-9].*
 .for i in gauche-config gosh *.so
 	@${CHMOD} u+w ${STAGEDIR}${PREFIX}/lib/gauche-0.9/${PORTVERSION}/${CONFIGURE_TARGET}/${i}
 	@${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/gauche-0.9/${PORTVERSION}/${CONFIGURE_TARGET}/${i}
 	@${CHMOD} u-w ${STAGEDIR}${PREFIX}/lib/gauche-0.9/${PORTVERSION}/${CONFIGURE_TARGET}/${i}
 .endfor
 
 .include <bsd.port.mk>
Index: head/lang/neko/Makefile
===================================================================
--- head/lang/neko/Makefile	(revision 476833)
+++ head/lang/neko/Makefile	(revision 476834)
@@ -1,41 +1,41 @@
 # $FreeBSD$
 
 PORTNAME=	neko
 DISTVERSIONPREFIX=	v
 DISTVERSION=	2-2-0
-PORTREVISION=	8
+PORTREVISION=	9
 CATEGORIES=	lang
 
 MAINTAINER=	penzin.dev@gmail.com
 COMMENT=	Neko programming languages and virtual machine
 
 LICENSE=	MIT
 LICENSE_FILE=	${WRKSRC}/LICENSE
 
 BUILD_DEPENDS=	git:devel/git
 LIB_DEPENDS=	libgc-threaded.so:devel/boehm-gc-threaded \
 		libapr-1.so:devel/apr1 libaprutil-1.so:devel/apr1 \
 		libpcre.so:devel/pcre libpcreposix.so:devel/pcre \
 		libmbedtls.so:security/mbedtls libmbedcrypto.so:security/mbedtls libmbedx509.so:security/mbedtls \
 		libfontconfig.so:x11-fonts/fontconfig libfreetype.so:print/freetype2
 
 USES=		cmake:outsource mysql pkgconfig sqlite:3
 USE_GITHUB=	yes
 GH_ACCOUNT=	HaxeFoundation
 USE_LDCONFIG=	${PREFIX}/lib ${PREFIX}/lib/neko
 
 MAKE_JOBS_UNSAFE=	yes
 
 OPTIONS_DEFINE=	APACHE UI
 OPTIONS_DEFAULT=	APACHE
 OPTIONS_SUB=	yes
 APACHE_DESC=	Build Apache modules
 UI_DESC=	UI (GTK)
 
 UI_USE=		gnome=atk,cairo,gdkpixbuf2,glib20,gtk20,pango
 UI_CMAKE_BOOL=	WITH_UI
 
 APACHE_USE=	apache=22+
 APACHE_CMAKE_BOOL=	WITH_APACHE
 
 .include <bsd.port.mk>
Index: head/net/bctoolbox/Makefile
===================================================================
--- head/net/bctoolbox/Makefile	(revision 476833)
+++ head/net/bctoolbox/Makefile	(revision 476834)
@@ -1,29 +1,29 @@
 # Created by: Maxim Sobolev <sobomax@FreeBSD.org>
 # $FreeBSD$
 
 PORTNAME=	bctoolbox
 PORTVERSION=	0.2.0
-PORTREVISION=	4
+PORTREVISION=	5
 CATEGORIES=	net
 MASTER_SITES=	SAVANNAH/linphone/bctoolbox
 
 MAINTAINER=	tijl@FreeBSD.org
 COMMENT=	Belledonne Communications utility library
 
 LICENSE=	GPLv2+
 LICENSE_FILE=	${WRKSRC}/COPYING
 
 BUILD_DEPENDS=	mbedtls>=2.3.0_2:security/mbedtls
 LIB_DEPENDS=	libmbedtls.so.10:security/mbedtls
 
 GNU_CONFIGURE=	yes
 CONFIGURE_ARGS=	--disable-strict
 CPPFLAGS+=	-DHAVE_ARC4RANDOM -DHAVE_DTLS_SRTP
 INSTALL_TARGET=	install-strip
 USES=		libtool pathfix pkgconfig
 USE_LDCONFIG=	yes
 
 post-install:
 	${RM} ${STAGEDIR}${PREFIX}/libdata/pkgconfig/bctoolbox-tester.pc
 
 .include <bsd.port.mk>
Index: head/net/shadowsocks-libev/Makefile
===================================================================
--- head/net/shadowsocks-libev/Makefile	(revision 476833)
+++ head/net/shadowsocks-libev/Makefile	(revision 476834)
@@ -1,62 +1,62 @@
 # Created by: Xiaoding Liu <xiaoding+freebsd@xiaoding.org>
 # $FreeBSD$
 
 PORTNAME=	shadowsocks-libev
 DISTVERSIONPREFIX=	v
 DISTVERSION=	3.1.3
-PORTREVISION=	4
+PORTREVISION=	5
 CATEGORIES=	net
 
 MAINTAINER=	xiaoding+freebsd@xiaoding.org
 COMMENT=	Lightweight tunnel proxy which can help you get through firewalls
 
 LICENSE=	GPLv3
 LICENSE_FILE=	${WRKSRC}/LICENSE
 
 LIB_DEPENDS=	libev.so:devel/libev \
 		libmbedcrypto.so:security/mbedtls \
 		libpcre.so:devel/pcre \
 		libsodium.so:security/libsodium \
 		libcares.so:dns/c-ares
 
 USES=		autoreconf gmake libtool:keepla pathfix
 GNU_CONFIGURE=	yes
 CONFIGURE_ARGS=	--enable-shared
 USE_GITHUB=	yes
 GH_ACCOUNT=	shadowsocks
 GH_TUPLE=	shadowsocks:libbloom:7a9deb8:libbloom/libbloom \
 		shadowsocks:libcork:0220aa5:libcork/libcork \
 		shadowsocks:ipset:3ea7fe3:libipset/libipset
 INSTALL_TARGET=	install-strip
 USE_LDCONFIG=	yes
 
 OPTIONS_DEFINE=	BASH DOCS ZSH
 OPTIONS_SUB=	yes
 
 DOCS_BUILD_DEPENDS=	asciidoc:textproc/asciidoc \
 		xmlto:textproc/xmlto
 DOCS_CONFIGURE_OFF=	--disable-documentation
 
 USE_RC_SUBR=	shadowsocks_libev
 
 post-patch:
 	@${REINPLACE_CMD} -e 's|^#ifdef TCP_FASTOPEN|#if defined(TCP_FASTOPEN) \&\& defined(__linux)|' \
 		${WRKSRC}/src/local.c ${WRKSRC}/src/server.c
 
 post-install:
 	@${MKDIR} ${STAGEDIR}${ETCDIR}
 	${INSTALL_DATA} ${WRKSRC}/debian/config.json ${STAGEDIR}${ETCDIR}/config.json.sample
 
 post-install-BASH-on:
 	@${MKDIR} ${STAGEDIR}${PREFIX}/share/bash-completion/completions
 .for c in ss-local ss-manager ss-redir ss-server ss-tunnel
 	${INSTALL_DATA} ${WRKSRC}/completions/bash/${c} ${STAGEDIR}${PREFIX}/share/bash-completion/completions/${c}
 .endfor
 
 post-install-ZSH-on:
 	@${MKDIR} ${STAGEDIR}${PREFIX}/share/zsh/site-functions
 .for c in _ss-local _ss-manager _ss-redir _ss-server _ss-tunnel
 	${INSTALL_DATA} ${WRKSRC}/completions/zsh/${c} ${STAGEDIR}${PREFIX}/share/zsh/site-functions/${c}
 .endfor
 
 .include <bsd.port.mk>
Index: head/security/mbedtls/Makefile
===================================================================
--- head/security/mbedtls/Makefile	(revision 476833)
+++ head/security/mbedtls/Makefile	(revision 476834)
@@ -1,38 +1,38 @@
 # $FreeBSD$
 
 PORTNAME=	mbedtls
-PORTVERSION=	2.9.0
+PORTVERSION=	2.12.0
 DISTVERSIONPREFIX=${PORTNAME}-
 CATEGORIES=	security devel
 
 MAINTAINER=	tijl@FreeBSD.org
 COMMENT=	SSL/TLS and cryptography library
 
 LICENSE=	APACHE20
 LICENSE_FILE=	${WRKSRC}/apache-2.0.txt
 
 USE_GITHUB=	yes
 GH_ACCOUNT=	ARMmbed
 
 ALL_TARGET=	no_test
 TEST_TARGET=	test
 MAKE_ENV=	SHARED=1
 USES=		gmake tar:tgz
 USE_LDCONFIG=	yes
 
 CONFLICTS_INSTALL=	polarssl13-[0-9]*
 
 post-patch:
 	@${RM} ${WRKSRC}/include/mbedtls/*.orig
 	@${REINPLACE_CMD} \
 		-e 's/PREFIX/NAMEPREFIX/' \
 		-e 's/$$(DESTDIR)/&$$(PREFIX)/' \
 		${WRKSRC}/Makefile
 	@${REINPLACE_CMD} 's/-fpic//' ${WRKSRC}/library/Makefile
 
 post-install:
 	${FIND} ${STAGEDIR}${PREFIX}/bin -type f -not -name \
 		mbedtls_udp_proxy_wrapper.sh -exec ${STRIP_CMD} {} +
 	${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/*.so
 
 .include <bsd.port.mk>
Index: head/security/mbedtls/distinfo
===================================================================
--- head/security/mbedtls/distinfo	(revision 476833)
+++ head/security/mbedtls/distinfo	(revision 476834)
@@ -1,3 +1,3 @@
-TIMESTAMP = 1528372776
-SHA256 (ARMmbed-mbedtls-mbedtls-2.9.0_GH0.tar.gz) = 1972a98a25486a5d174ac97706a468355a007842e0b3ad72305c53d38ea8f6d3
-SIZE (ARMmbed-mbedtls-mbedtls-2.9.0_GH0.tar.gz) = 2163543
+TIMESTAMP = 1533902976
+SHA256 (ARMmbed-mbedtls-mbedtls-2.12.0_GH0.tar.gz) = 05b126f25d4438f206d062b48cd2f2db2a1cd11bda58b21afe40b9b7cf6fca48
+SIZE (ARMmbed-mbedtls-mbedtls-2.12.0_GH0.tar.gz) = 2299830
Index: head/security/mbedtls/files/patch-dtls-srtp
===================================================================
--- head/security/mbedtls/files/patch-dtls-srtp	(revision 476833)
+++ head/security/mbedtls/files/patch-dtls-srtp	(revision 476834)
@@ -1,659 +1,659 @@
 Add DTLS-SRTP (RFC 5764) support.
 
 Obtained from:	git://git.linphone.org/linphone-desktop.git
 
 diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
 index d1db0d8..72e2d04 100644
 --- include/mbedtls/config.h
 +++ include/mbedtls/config.h
 @@ -1154,6 +1154,17 @@
  #define MBEDTLS_SSL_DTLS_HELLO_VERIFY
  
  /**
 + * \def MBEDTLS_SSL_DTLS_SRTP
 + *
 + * Enable support for DTLS-SRTP, RFC5764
 + *
 + * Requires: MBEDTLS_SSL_PROTO_DTLS
 + *
 + * Comment this to disable support for DTLS-SRTP.
 + */
 +#define MBEDTLS_SSL_DTLS_SRTP
 +
 +/**
   * \def MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
   *
   * Enable server-side support for clients that reconnect from the same port.
 diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
 index 00e1c6c..729e95f 100644
 --- include/mbedtls/ssl.h
 +++ include/mbedtls/ssl.h
 @@ -326,6 +326,8 @@
  
  #define MBEDTLS_TLS_EXT_SIG_ALG                     13
  
 +#define MBEDTLS_TLS_EXT_USE_SRTP                    14
 +
  #define MBEDTLS_TLS_EXT_ALPN                        16
  
  #define MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC            22 /* 0x16 */
 @@ -338,6 +340,14 @@
  #define MBEDTLS_TLS_EXT_RENEGOTIATION_INFO      0xFF01
  
  /*
 + * use_srtp extension protection profiles values as defined in http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml
 + */
 +#define MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80_IANA_VALUE     0x0001
 +#define MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32_IANA_VALUE     0x0002
 +#define MBEDTLS_SRTP_NULL_HMAC_SHA1_80_IANA_VALUE          0x0005
 +#define MBEDTLS_SRTP_NULL_HMAC_SHA1_32_IANA_VALUE          0x0006
 +
 +/*
   * Size defines
   */
  #if !defined(MBEDTLS_PSK_MAX_LEN)
 @@ -426,6 +436,19 @@ typedef struct mbedtls_ssl_key_cert mbedtls_ssl_key_cert;
  typedef struct mbedtls_ssl_flight_item mbedtls_ssl_flight_item;
  #endif
  
 +#if defined(MBEDTLS_SSL_DTLS_SRTP)
 +/*
 + * List of SRTP profiles for DTLS-SRTP
 + */
 +enum mbedtls_DTLS_SRTP_protection_profiles {
 +    MBEDTLS_SRTP_UNSET_PROFILE,
 +    MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80,
 +    MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32,
 +    MBEDTLS_SRTP_NULL_HMAC_SHA1_80,
 +    MBEDTLS_SRTP_NULL_HMAC_SHA1_32,
 +};
 +#endif /* MBEDTLS_SSL_DTLS_SRTP */
 +
  /*
   * This structure is used for storing current session data.
   */
 @@ -566,6 +589,14 @@ struct mbedtls_ssl_config
      const char **alpn_list;         /*!< ordered list of protocols          */
  #endif
  
 +#if defined(MBEDTLS_SSL_DTLS_SRTP)
 +    /*
 +     * use_srtp extension
 +     */
 +    enum mbedtls_DTLS_SRTP_protection_profiles *dtls_srtp_profiles_list; /*!< ordered list of supported srtp profile */
 +    size_t dtls_srtp_profiles_list_len; /*!< number of supported profiles */
 +#endif /* MBEDTLS_SSL_DTLS_SRTP */
 +
      /*
       * Numerical settings (int then char)
       */
 @@ -765,6 +796,15 @@ struct mbedtls_ssl_context
      const char *alpn_chosen;    /*!<  negotiated protocol                   */
  #endif
  
 +#if defined(MBEDTLS_SSL_DTLS_SRTP)
 +    /*
 +     * use_srtp extension
 +     */
 +    enum mbedtls_DTLS_SRTP_protection_profiles chosen_dtls_srtp_profile; /*!< negotiated SRTP profile */
 +    unsigned char *dtls_srtp_keys; /*<! master keys and master salt for SRTP generated during handshake */
 +    size_t dtls_srtp_keys_len; /*<! length in bytes of master keys and master salt for SRTP generated during handshake */
 +#endif /* MBEDTLS_SSL_DTLS_SRTP */
 +
      /*
       * Information for DTLS hello verify
       */
 @@ -1781,6 +1821,45 @@ int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config *conf, const char **prot
  const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl );
  #endif /* MBEDTLS_SSL_ALPN */
  
 +#if defined(MBEDTLS_SSL_DTLS_SRTP)
 +/**
 + * \brief                   Set the supported DTLS-SRTP protection profiles.
 + *
 + * \param ssl               SSL configuration
 + * \param protos            List of supported protection profiles,
 + *                          in decreasing preference order.
 + * \param profiles_number   Number of supported profiles.
 + *
 + * \return         0 on success, or MBEDTLS_ERR_SSL_BAD_INPUT_DATA.
 + */
 +int mbedtls_ssl_conf_dtls_srtp_protection_profiles( mbedtls_ssl_config *conf, const enum mbedtls_DTLS_SRTP_protection_profiles *profiles, size_t profiles_number);
 +
 +/**
 + * \brief          Get the negotiated DTLS-SRTP Protection Profile.
 + *                 This function should be called after the handshake is
 + *                 completed.
 + *
 + * \param ssl      SSL context
 + *
 + * \return         Protection Profile enum member, MBEDTLS_SRTP_UNSET_PROFILE if no protocol was negotiated.
 + */
 +enum mbedtls_DTLS_SRTP_protection_profiles mbedtls_ssl_get_dtls_srtp_protection_profile( const mbedtls_ssl_context *ssl);
 +
 +/**
 + * \brief                  Get the generated DTLS-SRTP key material.
 + *                         This function should be called after the handshake is
 + *                         completed. It shall returns 80 bytes of key material generated according to RFC5764
 + *
 + * \param ssl              SSL context
 + * \param key              Buffer to hold the generated key material
 + * \param key_buffer_len   Length in bytes of the key buffer
 + * \param key_len          Actual length of data written in the key buffer
 + *
 + * \return         0 on succes, MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL if the key buffer is too small to hold the generated key
 + */
 +int mbedtls_ssl_get_dtls_srtp_key_material( const mbedtls_ssl_context *ssl, unsigned char *key, const size_t key_buffer_len, size_t *key_len );
 +#endif /* MBEDTLS_SSL_DTLS_SRTP */
 +
  /**
   * \brief          Set the maximum supported version sent from the client side
   *                 and/or accepted at the server side
 diff --git a/library/ssl_cli.c b/library/ssl_cli.c
 index 4452169..91569ed 100644
 --- library/ssl_cli.c
 +++ library/ssl_cli.c
 @@ -656,6 +656,79 @@ static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
  }
  #endif /* MBEDTLS_SSL_ALPN */
  
 +#if defined (MBEDTLS_SSL_DTLS_SRTP)
 +static void ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl,
 +                                unsigned char *buf, size_t *olen )
 +{
 +    unsigned char *p = buf;
 +    size_t protection_profiles_index = 0;
 +
 +    *olen = 0;
 +
 +    if( (ssl->conf->dtls_srtp_profiles_list == NULL)  || (ssl->conf->dtls_srtp_profiles_list_len == 0) )
 +    {
 +        return;
 +    }
 +
 +    MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding use_srtp extension" ) );
 +
 +    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_USE_SRTP >> 8 ) & 0xFF );
 +    *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_USE_SRTP      ) & 0xFF );
 +
 +    /* RFC5764 section 4.1.1
 +     * uint8 SRTPProtectionProfile[2];
 +     *
 +     * struct {
 +     *   SRTPProtectionProfiles SRTPProtectionProfiles;
 +     *   opaque srtp_mki<0..255>;
 +     * } UseSRTPData;
 +
 +     * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
 +     *
 +     * Note: srtp_mki is not supported
 +     */
 +
 +    /* Extension length = 2bytes for profiles lenght, ssl->conf->dtls_srtp_profiles_list_len*2 (each profile is 2 bytes length ) + 1 byte for the non implemented srtp_mki vector length (always 0) */
 +    *p++ = (unsigned char)( ( ( 2 + 2*(ssl->conf->dtls_srtp_profiles_list_len) + 1 ) >> 8 ) & 0xFF );
 +    *p++ = (unsigned char)( ( ( 2 + 2*(ssl->conf->dtls_srtp_profiles_list_len) + 1 )      ) & 0xFF );
 +
 +
 +    /* protection profile length: 2*(ssl->conf->dtls_srtp_profiles_list_len) */
 +    *p++ = (unsigned char)( ( ( 2*(ssl->conf->dtls_srtp_profiles_list_len) ) >> 8 ) & 0xFF );
 +    *p++ = (unsigned char)( ( 2*(ssl->conf->dtls_srtp_profiles_list_len) ) & 0xFF );
 +
 +    for( protection_profiles_index=0; protection_profiles_index < ssl->conf->dtls_srtp_profiles_list_len; protection_profiles_index++ )
 +    {
 +        switch (ssl->conf->dtls_srtp_profiles_list[protection_profiles_index]) {
 +            case MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80:
 +                *p++ = ( ( ( MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80_IANA_VALUE ) >> 8 ) & 0xFF);
 +                *p++ = ( ( MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80_IANA_VALUE ) & 0xFF);
 +                break;
 +            case MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32:
 +                *p++ = ( ( ( MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32_IANA_VALUE ) >> 8 ) & 0xFF);
 +                *p++ = ( ( MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32_IANA_VALUE ) & 0xFF);
 +                break;
 +            case MBEDTLS_SRTP_NULL_HMAC_SHA1_80:
 +                *p++ = ( ( ( MBEDTLS_SRTP_NULL_HMAC_SHA1_80_IANA_VALUE ) >> 8 ) & 0xFF);
 +                *p++ = ( ( MBEDTLS_SRTP_NULL_HMAC_SHA1_80_IANA_VALUE ) & 0xFF);
 +                break;
 +            case MBEDTLS_SRTP_NULL_HMAC_SHA1_32:
 +                *p++ = ( ( ( MBEDTLS_SRTP_NULL_HMAC_SHA1_32_IANA_VALUE ) >> 8 ) & 0xFF);
 +                *p++ = ( ( MBEDTLS_SRTP_NULL_HMAC_SHA1_32_IANA_VALUE ) & 0xFF);
 +                break;
 +            default:
 +                /* Note: we shall never arrive here as protection profiles is checked by ssl_set_dtls_srtp_protection_profiles function */
 +                MBEDTLS_SSL_DEBUG_MSG( 1, ( "client hello, ignore illegal DTLS-SRTP protection profile %d",  ssl->conf->dtls_srtp_profiles_list[protection_profiles_index]) );
 +                break;
 +        }
 +    }
 +
 +    *p++ = 0x00;  /* non implemented srtp_mki vector length is always 0 */
 +    /* total extension length: extension type (2 bytes) + extension length (2 bytes) + protection profile length (2 bytes) + 2*nb protection profiles + srtp_mki vector length(1 byte)*/
 +    *olen = 2 + 2 + 2 + 2*(ssl->conf->dtls_srtp_profiles_list_len) + 1;
 +}
 +#endif /* MBEDTLS_SSL_DTLS_SRTP */
 +
  /*
   * Generate random bytes for ClientHello
   */
 @@ -1006,6 +1079,11 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
      ext_len += olen;
  #endif
  
 +#if defined(MBEDTLS_SSL_DTLS_SRTP)
 +    ssl_write_use_srtp_ext( ssl, p + 2 + ext_len, &olen );
 +    ext_len += olen;
 +#endif
 +
  #if defined(MBEDTLS_SSL_SESSION_TICKETS)
      ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
      ext_len += olen;
 @@ -1308,6 +1386,81 @@ static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
  }
  #endif /* MBEDTLS_SSL_ALPN */
  
 +#if defined(MBEDTLS_SSL_DTLS_SRTP)
 +static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
 +                               const unsigned char *buf, size_t len )
 +{
 +    enum mbedtls_DTLS_SRTP_protection_profiles server_protection = MBEDTLS_SRTP_UNSET_PROFILE;
 +    size_t i;
 +    uint16_t server_protection_profile_value = 0;
 +
 +    /* If use_srtp is not configured, just ignore the extension */
 +    if( ( ssl->conf->dtls_srtp_profiles_list == NULL ) || ( ssl->conf->dtls_srtp_profiles_list_len == 0 ) )
 +        return( 0 );
 +
 +    /* RFC5764 section 4.1.1
 +     * uint8 SRTPProtectionProfile[2];
 +     *
 +     * struct {
 +     *   SRTPProtectionProfiles SRTPProtectionProfiles;
 +     *   opaque srtp_mki<0..255>;
 +     * } UseSRTPData;
 +
 +     * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
 +     *
 +     * Note: srtp_mki is not supported
 +     */
 +
 +    /* Length is 5 : one protection profile(2 bytes) + length(2 bytes) and potential srtp_mki which won't be parsed */
 +    if( len < 5 )
 +        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
 +
 +    /*
 +     * get the server protection profile
 +     */
 +    if (((uint16_t)(buf[0]<<8 | buf[1])) != 0x0002) { /* protection profile length must be 0x0002 as we must have only one protection profile in server Hello */
 +        return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
 +    } else {
 +        server_protection_profile_value = buf[2]<<8 | buf[3];
 +    }
 +
 +    /*
 +     * Check we have the server profile in our list
 +     */
 +    for( i=0; i < ssl->conf->dtls_srtp_profiles_list_len; i++)
 +    {
 +        switch ( server_protection_profile_value ) {
 +            case MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80_IANA_VALUE:
 +                server_protection = MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80;
 +                break;
 +            case MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32_IANA_VALUE:
 +                server_protection = MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32;
 +                break;
 +            case MBEDTLS_SRTP_NULL_HMAC_SHA1_80_IANA_VALUE:
 +                server_protection = MBEDTLS_SRTP_NULL_HMAC_SHA1_80;
 +                break;
 +            case MBEDTLS_SRTP_NULL_HMAC_SHA1_32_IANA_VALUE:
 +                server_protection = MBEDTLS_SRTP_NULL_HMAC_SHA1_32;
 +                break;
 +            default:
 +                server_protection = MBEDTLS_SRTP_UNSET_PROFILE;
 +                break;
 +        }
 +
 +        if (server_protection == ssl->conf->dtls_srtp_profiles_list[i]) {
 +            ssl->chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profiles_list[i];
 +            return 0;
 +        }
 +    }
 +
 +    /* If we get there, no match was found : server problem, it shall never answer with incompatible profile */
 +    ssl->chosen_dtls_srtp_profile = MBEDTLS_SRTP_UNSET_PROFILE;
 +    mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
 +                            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
 +    return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
 +}
 +#endif /* MBEDTLS_SSL_DTLS_SRTP */
 +
  /*
   * Parse HelloVerifyRequest.  Only called after verifying the HS type.
   */
 @@ -1786,6 +1939,16 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
              break;
  #endif /* MBEDTLS_SSL_ALPN */
  
 +#if defined(MBEDTLS_SSL_DTLS_SRTP)
 +        case MBEDTLS_TLS_EXT_USE_SRTP:
 +            MBEDTLS_SSL_DEBUG_MSG( 3, ( "found use_srtp extension" ) );
 +
 +            if( ( ret = ssl_parse_use_srtp_ext( ssl, ext + 4, ext_size ) ) != 0 )
 +                return( ret );
 +
 +            break;
 +#endif /* MBEDTLS_SSL_DTLS_SRTP */
 +
          default:
              MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
                             ext_id ) );
 diff --git a/library/ssl_srv.c b/library/ssl_srv.c
 index 6b5b461..72b50ab 100644
 --- library/ssl_srv.c
 +++ library/ssl_srv.c
 @@ -573,6 +573,78 @@ static int ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
  }
  #endif /* MBEDTLS_SSL_ALPN */
  
 +#if defined(MBEDTLS_SSL_DTLS_SRTP)
 +static int ssl_parse_use_srtp_ext( mbedtls_ssl_context *ssl,
 +                               const unsigned char *buf, size_t len )
 +{
 +    enum mbedtls_DTLS_SRTP_protection_profiles client_protection = MBEDTLS_SRTP_UNSET_PROFILE;
 +    size_t i,j;
 +    uint16_t profile_length;
 +
 +    /* If use_srtp is not configured, just ignore the extension */
 +    if( ( ssl->conf->dtls_srtp_profiles_list == NULL ) || ( ssl->conf->dtls_srtp_profiles_list_len == 0 ) )
 +        return( 0 );
 +
 +    /* RFC5764 section 4.1.1
 +     * uint8 SRTPProtectionProfile[2];
 +     *
 +     * struct {
 +     *   SRTPProtectionProfiles SRTPProtectionProfiles;
 +     *   opaque srtp_mki<0..255>;
 +     * } UseSRTPData;
 +
 +     * SRTPProtectionProfile SRTPProtectionProfiles<2..2^16-1>;
 +     *
 +     * Note: srtp_mki is not supported
 +     */
 +
 +    /* Min length is 5 : at least one protection profile(2 bytes) and length(2 bytes) + srtp_mki length(1 byte) */
 +    if( len < 5 )
 +        return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
 +
 +    /*
 +     * Use our order of preference
 +     */
 +    profile_length = buf[0]<<8|buf[1]; /* first 2 bytes are protection profile length(in bytes) */
 +    for( i=0; i < ssl->conf->dtls_srtp_profiles_list_len; i++)
 +    {
 +        /* parse the extension list values are defined in http://www.iana.org/assignments/srtp-protection/srtp-protection.xhtml */
 +        for (j=0; j<profile_length; j+=2) { /* parse only the protection profile, srtp_mki is not supported and ignored */
 +            uint16_t protection_profile_value = buf[j+2]<<8 | buf[j+3]; /* +2 to skip the length field */
 +
 +            switch ( protection_profile_value ) {
 +                case MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80_IANA_VALUE:
 +                    client_protection = MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80;
 +                    break;
 +                case MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32_IANA_VALUE:
 +                    client_protection = MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32;
 +                    break;
 +                case MBEDTLS_SRTP_NULL_HMAC_SHA1_80_IANA_VALUE:
 +                    client_protection = MBEDTLS_SRTP_NULL_HMAC_SHA1_80;
 +                    break;
 +                case MBEDTLS_SRTP_NULL_HMAC_SHA1_32_IANA_VALUE:
 +                    client_protection = MBEDTLS_SRTP_NULL_HMAC_SHA1_32;
 +                    break;
 +                default:
 +                    client_protection = MBEDTLS_SRTP_UNSET_PROFILE;
 +                    break;
 +            }
 +
 +            if (client_protection == ssl->conf->dtls_srtp_profiles_list[i]) {
 +                ssl->chosen_dtls_srtp_profile = ssl->conf->dtls_srtp_profiles_list[i];
 +                return 0;
 +            }
 +        }
 +    }
 +
 +    /* If we get there, no match was found */
 +    ssl->chosen_dtls_srtp_profile = MBEDTLS_SRTP_UNSET_PROFILE;
 +    mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
 +                            MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
 +    return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
 +}
 +#endif /* MBEDTLS_SSL_DTLS_SRTP */
 +
  /*
   * Auxiliary functions for ServerHello parsing and related actions
   */
 @@ -1675,7 +1747,16 @@ read_record_header:
                  if( ret != 0 )
                      return( ret );
                  break;
 -#endif /* MBEDTLS_SSL_SESSION_TICKETS */
 +#endif /* MBEDTLS_SSL_ALPN */
 +
 +#if defined(MBEDTLS_SSL_DTLS_SRTP)
 +            case MBEDTLS_TLS_EXT_USE_SRTP:
 +                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found use_srtp extension" ) );
 +                ret = ssl_parse_use_srtp_ext( ssl, ext + 4, ext_size );
 +                if ( ret != 0)
 +                    return( ret );
 +                break;
 +#endif /* MBEDTLS_SSL_DTLS_SRTP */
  
              default:
                  MBEDTLS_SSL_DEBUG_MSG( 3, ( "unknown extension found: %d (ignoring)",
 @@ -2144,6 +2225,57 @@ static void ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
  }
  #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
  
 +#if defined(MBEDTLS_SSL_DTLS_SRTP )
 +static void ssl_write_use_srtp_ext( mbedtls_ssl_context *ssl,
 +                                unsigned char *buf, size_t *olen )
 +{
 +    if( ssl->chosen_dtls_srtp_profile == MBEDTLS_SRTP_UNSET_PROFILE )
 +    {
 +        *olen = 0;
 +        return;
 +    }
 +
 +    MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, adding use_srtp extension" ) );
 +
 +    /* extension */
 +    buf[0] = (unsigned char)( ( MBEDTLS_TLS_EXT_USE_SRTP >> 8 ) & 0xFF );
 +    buf[1] = (unsigned char)( ( MBEDTLS_TLS_EXT_USE_SRTP      ) & 0xFF );
 +    /* total length (5: only one profile(2 bytes) and length(2bytes) and srtp_mki not supported so zero length(1byte) ) */
 +    buf[2] = 0x00;
 +    buf[3] = 0x05;
 +
 +    /* protection profile length: 2 */
 +    buf[4] = 0x00;
 +    buf[5] = 0x02;
 +    switch (ssl->chosen_dtls_srtp_profile) {
 +        case MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80:
 +            buf[6] = (unsigned char)( ( MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80_IANA_VALUE >> 8) & 0xFF );
 +            buf[7] = (unsigned char)( ( MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80_IANA_VALUE     ) & 0xFF );
 +            break;
 +        case MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32:
 +            buf[6] = (unsigned char)( ( MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32_IANA_VALUE >> 8) & 0xFF );
 +            buf[7] = (unsigned char)( ( MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32_IANA_VALUE     ) & 0xFF );
 +            break;
 +        case MBEDTLS_SRTP_NULL_HMAC_SHA1_80:
 +            buf[6] = (unsigned char)( ( MBEDTLS_SRTP_NULL_HMAC_SHA1_80_IANA_VALUE >> 8) & 0xFF );
 +            buf[7] = (unsigned char)( ( MBEDTLS_SRTP_NULL_HMAC_SHA1_80_IANA_VALUE     ) & 0xFF );
 +            break;
 +        case MBEDTLS_SRTP_NULL_HMAC_SHA1_32:
 +            buf[6] = (unsigned char)( ( MBEDTLS_SRTP_NULL_HMAC_SHA1_32_IANA_VALUE >> 8) & 0xFF );
 +            buf[7] = (unsigned char)( ( MBEDTLS_SRTP_NULL_HMAC_SHA1_32_IANA_VALUE     ) & 0xFF );
 +            break;
 +        default:
 +            *olen = 0;
 +            return;
 +            break;
 +    }
 +
 +    buf[8] = 0x00; /* unsupported srtp_mki variable length vector set to 0 */
 +
 +    *olen = 9;
 +}
 +#endif /* MBEDTLS_SSL_DTLS_SRTP */
 +
  #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
  static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl )
  {
 @@ -2408,6 +2540,11 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
      ext_len += olen;
  #endif
  
 +#if defined(MBEDTLS_SSL_DTLS_SRTP)
 +    ssl_write_use_srtp_ext( ssl, p + 2 + ext_len, &olen);
 +    ext_len += olen;
 +#endif
 +
      MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, total extension length: %d", ext_len ) );
  
      if( ext_len > 0 )
 diff --git a/library/ssl_tls.c b/library/ssl_tls.c
 index 4424f56..940f8aa 100644
 --- library/ssl_tls.c
 +++ library/ssl_tls.c
 @@ -373,7 +373,7 @@ static int tls_prf_generic( mbedtls_md_type_t md_type,
  {
      size_t nb;
      size_t i, j, k, md_len;
 -    unsigned char tmp[128];
 +    unsigned char tmp[144];
      unsigned char h_i[MBEDTLS_MD_MAX_SIZE];
      const mbedtls_md_info_t *md_info;
      mbedtls_md_context_t md_ctx;
 @@ -636,6 +636,30 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
      else
          MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
  
 +#if defined(MBEDTLS_SSL_DTLS_SRTP)
 +    /* check if we have a chosen srtp protection profile */
 +    if (ssl->chosen_dtls_srtp_profile != MBEDTLS_SRTP_UNSET_PROFILE) {
 +        /* derive key material for srtp session RFC5764 section 4.2 */
 +        /* master key and master salt are respectively 128 bits and 112 bits for all currently available modes :
 +         * SRTP_AES128_CM_HMAC_SHA1_80, SRTP_AES128_CM_HMAC_SHA1_32
 +         * SRTP_NULL_HMAC_SHA1_80, SRTP_NULL_HMAC_SHA1_32
 +         * So we must export 2*(128 + 112) = 480 bits
 +         */
 +        ssl->dtls_srtp_keys_len = 60;
 +
 +        ssl->dtls_srtp_keys = (unsigned char *)mbedtls_calloc(1, ssl->dtls_srtp_keys_len);
 +
 +        ret = handshake->tls_prf( session->master, 48, "EXTRACTOR-dtls_srtp",
 +                        handshake->randbytes, 64, ssl->dtls_srtp_keys, ssl->dtls_srtp_keys_len );
 +
 +        if( ret != 0 )
 +        {
 +            MBEDTLS_SSL_DEBUG_RET( 1, "dtls srtp prf", ret );
 +            return( ret );
 +        }
 +    }
 +#endif /* MBEDTLS_SSL_DTLS_SRTP */
 +
      /*
       * Swap the client and server random values.
       */
 @@ -5408,6 +5432,12 @@ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
          ssl->in_msg = ssl->in_buf + 13;
      }
  
 +#if defined(MBEDTLS_SSL_DTLS_SRTP)
 +    ssl->chosen_dtls_srtp_profile = MBEDTLS_SRTP_UNSET_PROFILE;
 +    ssl->dtls_srtp_keys = NULL;
 +    ssl->dtls_srtp_keys_len = 0;
 +#endif
 +
      if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
          return( ret );
  
 @@ -5997,6 +6027,61 @@ const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl )
  }
  #endif /* MBEDTLS_SSL_ALPN */
  
 +#if defined(MBEDTLS_SSL_DTLS_SRTP)
 +int mbedtls_ssl_conf_dtls_srtp_protection_profiles( mbedtls_ssl_config *conf, const enum mbedtls_DTLS_SRTP_protection_profiles *profiles, size_t profiles_number)
 +{
 +    size_t i;
 +    /* check in put validity : must be a list of profiles from enumeration */
 +    /* maximum length is 4 as only 4 protection profiles are defined */
 +    if (profiles_number>4) {
 +            return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
 +    }
 +
 +    mbedtls_free(conf->dtls_srtp_profiles_list);
 +    conf->dtls_srtp_profiles_list = (enum mbedtls_DTLS_SRTP_protection_profiles *)mbedtls_calloc(1, profiles_number*sizeof(enum mbedtls_DTLS_SRTP_protection_profiles));
 +
 +    for (i=0; i<profiles_number; i++) {
 +        switch (profiles[i]) {
 +            case MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_80:
 +            case MBEDTLS_SRTP_AES128_CM_HMAC_SHA1_32:
 +            case MBEDTLS_SRTP_NULL_HMAC_SHA1_80:
 +            case MBEDTLS_SRTP_NULL_HMAC_SHA1_32:
 +                conf->dtls_srtp_profiles_list[i] = profiles[i];
 +                break;
 +            default:
 +                mbedtls_free(conf->dtls_srtp_profiles_list);
 +                conf->dtls_srtp_profiles_list = NULL;
 +                conf->dtls_srtp_profiles_list_len = 0;
 +                return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
 +        }
 +    }
 +
 +    /* assign array length */
 +    conf->dtls_srtp_profiles_list_len = profiles_number;
 +
 +    return( 0 );
 +}
 +
 +enum mbedtls_DTLS_SRTP_protection_profiles mbedtls_ssl_get_dtls_srtp_protection_profile( const mbedtls_ssl_context *ssl)
 +{
 +    return( ssl->chosen_dtls_srtp_profile);
 +}
 +
 +int mbedtls_ssl_get_dtls_srtp_key_material( const mbedtls_ssl_context *ssl, unsigned char *key, const size_t key_buffer_len, size_t *key_len ) {
 +    *key_len = 0;
 +
 +    /* check output buffer size */
 +    if ( key_buffer_len < ssl->dtls_srtp_keys_len) {
 +        return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
 +    }
 +
 +    memcpy( key, ssl->dtls_srtp_keys, ssl->dtls_srtp_keys_len);
 +    *key_len = ssl->dtls_srtp_keys_len;
 +
 +    return 0;
 +}
 +#endif /* MBEDTLS_SSL_DTLS_SRTP */
 +
  void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor )
  {
      conf->max_major_ver = major;
 @@ -7083,6 +7169,11 @@ void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
      mbedtls_free( ssl->cli_id );
  #endif
  
 +#if defined (MBEDTLS_SSL_DTLS_SRTP)
-+    mbedtls_zeroize( ssl->dtls_srtp_keys, ssl->dtls_srtp_keys_len );
++    mbedtls_platform_zeroize( ssl->dtls_srtp_keys, ssl->dtls_srtp_keys_len );
 +    mbedtls_free( ssl->dtls_srtp_keys );
 +#endif /* MBEDTLS_SSL_DTLS_SRTP */
 +
      MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= free" ) );
  
      /* Actually clear after last debug message */
 @@ -7311,6 +7402,10 @@ void mbedtls_ssl_config_free( mbedtls_ssl_config *conf )
      ssl_key_cert_free( conf->key_cert );
  #endif
  
 +#if defined (MBEDTLS_SSL_DTLS_SRTP)
 +    mbedtls_free( conf->dtls_srtp_profiles_list );
 +#endif
 +
-     mbedtls_zeroize( conf, sizeof( mbedtls_ssl_config ) );
+     mbedtls_platform_zeroize( conf, sizeof( mbedtls_ssl_config ) );
  }
  
Index: head/security/mbedtls/pkg-plist
===================================================================
--- head/security/mbedtls/pkg-plist	(revision 476833)
+++ head/security/mbedtls/pkg-plist	(revision 476834)
@@ -1,128 +1,136 @@
 bin/mbedtls_aescrypt2
 bin/mbedtls_benchmark
 bin/mbedtls_cert_app
 bin/mbedtls_cert_req
 bin/mbedtls_cert_write
 bin/mbedtls_crl_app
 bin/mbedtls_crypt_and_hash
 bin/mbedtls_dh_client
 bin/mbedtls_dh_genprime
 bin/mbedtls_dh_server
 bin/mbedtls_dtls_client
 bin/mbedtls_dtls_server
 bin/mbedtls_ecdh_curve25519
 bin/mbedtls_ecdsa
 bin/mbedtls_gen_entropy
 bin/mbedtls_gen_key
 bin/mbedtls_gen_random_ctr_drbg
 bin/mbedtls_gen_random_havege
 bin/mbedtls_generic_sum
 bin/mbedtls_hello
 bin/mbedtls_key_app
 bin/mbedtls_key_app_writer
 bin/mbedtls_mini_client
 bin/mbedtls_mpi_demo
 bin/mbedtls_pem2der
 bin/mbedtls_pk_decrypt
 bin/mbedtls_pk_encrypt
 bin/mbedtls_pk_sign
 bin/mbedtls_pk_verify
 bin/mbedtls_req_app
 bin/mbedtls_rsa_decrypt
 bin/mbedtls_rsa_encrypt
 bin/mbedtls_rsa_genkey
 bin/mbedtls_rsa_sign
 bin/mbedtls_rsa_sign_pss
 bin/mbedtls_rsa_verify
 bin/mbedtls_rsa_verify_pss
 bin/mbedtls_selftest
 bin/mbedtls_ssl_cert_test
 bin/mbedtls_ssl_client1
 bin/mbedtls_ssl_client2
 bin/mbedtls_ssl_fork_server
 bin/mbedtls_ssl_mail_client
 bin/mbedtls_ssl_server
 bin/mbedtls_ssl_server2
 bin/mbedtls_strerror
 bin/mbedtls_udp_proxy
 bin/mbedtls_udp_proxy_wrapper.sh
+bin/mbedtls_zeroize
 include/mbedtls/aes.h
 include/mbedtls/aesni.h
 include/mbedtls/arc4.h
+include/mbedtls/aria.h
 include/mbedtls/asn1.h
 include/mbedtls/asn1write.h
 include/mbedtls/base64.h
 include/mbedtls/bignum.h
 include/mbedtls/blowfish.h
 include/mbedtls/bn_mul.h
 include/mbedtls/camellia.h
 include/mbedtls/ccm.h
 include/mbedtls/certs.h
+include/mbedtls/chacha20.h
+include/mbedtls/chachapoly.h
 include/mbedtls/check_config.h
 include/mbedtls/cipher.h
 include/mbedtls/cipher_internal.h
 include/mbedtls/cmac.h
 include/mbedtls/compat-1.3.h
 include/mbedtls/config.h
 include/mbedtls/ctr_drbg.h
 include/mbedtls/debug.h
 include/mbedtls/des.h
 include/mbedtls/dhm.h
 include/mbedtls/ecdh.h
 include/mbedtls/ecdsa.h
 include/mbedtls/ecjpake.h
 include/mbedtls/ecp.h
 include/mbedtls/ecp_internal.h
 include/mbedtls/entropy.h
 include/mbedtls/entropy_poll.h
 include/mbedtls/error.h
 include/mbedtls/gcm.h
 include/mbedtls/havege.h
+include/mbedtls/hkdf.h
 include/mbedtls/hmac_drbg.h
 include/mbedtls/md.h
 include/mbedtls/md2.h
 include/mbedtls/md4.h
 include/mbedtls/md5.h
 include/mbedtls/md_internal.h
 include/mbedtls/memory_buffer_alloc.h
 include/mbedtls/net.h
 include/mbedtls/net_sockets.h
+include/mbedtls/nist_kw.h
 include/mbedtls/oid.h
 include/mbedtls/padlock.h
 include/mbedtls/pem.h
 include/mbedtls/pk.h
 include/mbedtls/pk_internal.h
 include/mbedtls/pkcs11.h
 include/mbedtls/pkcs12.h
 include/mbedtls/pkcs5.h
 include/mbedtls/platform.h
 include/mbedtls/platform_time.h
+include/mbedtls/platform_util.h
+include/mbedtls/poly1305.h
 include/mbedtls/ripemd160.h
 include/mbedtls/rsa.h
 include/mbedtls/rsa_internal.h
 include/mbedtls/sha1.h
 include/mbedtls/sha256.h
 include/mbedtls/sha512.h
 include/mbedtls/ssl.h
 include/mbedtls/ssl_cache.h
 include/mbedtls/ssl_ciphersuites.h
 include/mbedtls/ssl_cookie.h
 include/mbedtls/ssl_internal.h
 include/mbedtls/ssl_ticket.h
 include/mbedtls/threading.h
 include/mbedtls/timing.h
 include/mbedtls/version.h
 include/mbedtls/x509.h
 include/mbedtls/x509_crl.h
 include/mbedtls/x509_crt.h
 include/mbedtls/x509_csr.h
 include/mbedtls/xtea.h
 lib/libmbedcrypto.a
 lib/libmbedcrypto.so
-lib/libmbedcrypto.so.2
+lib/libmbedcrypto.so.3
 lib/libmbedtls.a
 lib/libmbedtls.so
-lib/libmbedtls.so.10
+lib/libmbedtls.so.11
 lib/libmbedx509.a
 lib/libmbedx509.so
 lib/libmbedx509.so.0
Index: head/security/openvpn/Makefile
===================================================================
--- head/security/openvpn/Makefile	(revision 476833)
+++ head/security/openvpn/Makefile	(revision 476834)
@@ -1,153 +1,153 @@
 # Created by: Matthias Andree <mandree@FreeBSD.org>
 # $FreeBSD$
 
 PORTNAME=		openvpn
 DISTVERSION=		2.4.6
-PORTREVISION?=		1
+PORTREVISION?=		2
 CATEGORIES=		security net
 MASTER_SITES=		https://swupdate.openvpn.org/community/releases/ \
 			https://build.openvpn.net/downloads/releases/
 
 MAINTAINER=		mandree@FreeBSD.org
 COMMENT?=		Secure IP/Ethernet tunnel daemon
 
 LICENSE=		GPLv2
 
 CONFLICTS_INSTALL?=	openvpn-2.[!4].* openvpn-[!2].* openvpn-beta-[0-9]* openvpn-devel-[0-9]* openvpn-mbedtls-[0-9]*
 
 GNU_CONFIGURE=		yes
 USES=			cpe libtool pkgconfig shebangfix tar:xz
 SHEBANG_FILES=		sample/sample-scripts/verify-cn \
 			sample/sample-scripts/auth-pam.pl \
 			sample/sample-scripts/ucn.pl
 CONFIGURE_ARGS+=	--enable-strict
 # avoid picking up CMAKE, we don't have cmocka in the tarballs..
 CONFIGURE_ENV+=		ac_cv_prog_CMAKE= CMAKE=
 
 # let OpenVPN's configure script pick up the requisite libraries,
 # but do not break the plugin build if an older version is installed
 CPPFLAGS+=		-I${WRKSRC}/include -I${LOCALBASE}/include
 LDFLAGS+=		-L${LOCALBASE}/lib
 
 # set PLUGIN_LIBDIR so that unqualified plugin paths are found:
 CPPFLAGS+=		-DPLUGIN_LIBDIR=\\\"${PREFIX}/lib/openvpn/plugins\\\"
 
 OPTIONS_DEFINE=		PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME \
 			TEST LZ4 SMALL TUNNELBLICK
 OPTIONS_DEFAULT=	EASYRSA OPENSSL TEST LZ4
 OPTIONS_SINGLE=		SSL
 OPTIONS_SINGLE_SSL=	OPENSSL MBEDTLS
 PKCS11_DESC=		Use security/pkcs11-helper
 EASYRSA_DESC=		Install security/easy-rsa RSA helper package
 MBEDTLS_DESC=		SSL/TLS via mbedTLS
 TUNNELBLICK_DESC=	Tunnelblick XOR scramble patch (READ HELP!)
 X509ALTUSERNAME_DESC=	Enable --x509-username-field (OpenSSL only)
 SMALL_DESC=		Build a smaller executable with fewer features
 
 EASYRSA_RUN_DEPENDS=	easy-rsa>=0:security/easy-rsa
 
 PKCS11_LIB_DEPENDS=	libpkcs11-helper.so:security/pkcs11-helper
 PKCS11_CONFIGURE_ENABLE=	pkcs11
 PKCS11_PREVENTS=	MBEDTLS
 PKCS11_PREVENTS_MSG=	OpenVPN cannot use pkcs11-helper with mbedTLS. Disable PKCS11, or use OpenSSL instead
 
 TUNNELBLICK_EXTRA_PATCHES=	${FILESDIR}/extra-tunnelblick-openvpn_xorpatch
 
 X509ALTUSERNAME_CONFIGURE_ENABLE=	x509-alt-username
 
 X509ALTUSERNAME_PREVENTS=	MBEDTLS
 X509ALTUSERNAME_PREVENTS_MSG=	OpenVPN ${DISTVERSION} cannot use --x509-username-field with mbedTLS. Disable X509ALTUSERNAME, or use OpenSSL instead
 
 OPENSSL_USES=		ssl
 OPENSSL_CONFIGURE_ON=	--with-crypto-library=openssl
 
 LZ4_CONFIGURE_OFF=	--disable-lz4
 
 SMALL_CONFIGURE_ON=	--enable-small
 
 MBEDTLS_LIB_DEPENDS=	libmbedtls.so:security/mbedtls
 MBEDTLS_CONFIGURE_ON=	--with-crypto-library=mbedtls
 
 USE_RC_SUBR=		openvpn
 USE_LDCONFIG=		${PREFIX}/lib
 
 SUB_FILES=		pkg-message openvpn-client
 
 .ifdef (LOG_OPENVPN)
 CFLAGS+=		-DLOG_OPENVPN=${LOG_OPENVPN}
 .endif
 
 LIB_DEPENDS+=		liblzo2.so:archivers/lzo2
 
 LZ4_LIB_DEPENDS+=	liblz4.so:archivers/liblz4
 
 PORTDOCS=		*
 PORTEXAMPLES=		*
 
 TEST_ALL_TARGET=	check
 TEST_TEST_TARGET_OFF=	check
 
 pre-configure:
 .ifdef (LOG_OPENVPN)
 	@${ECHO} "Building with LOG_OPENVPN=${LOG_OPENVPN}"
 .else
 	@${ECHO} ""
 	@${ECHO} "You may use the following build options:"
 	@${ECHO} ""
 	@${ECHO} "      LOG_OPENVPN={Valid syslog facility, default LOG_DAEMON}"
 	@${ECHO} "      EXAMPLE:  make LOG_OPENVPN=LOG_LOCAL6"
 	@${ECHO} ""
 .endif
 
 post-configure:
 	${REINPLACE_CMD} '/^CFLAGS =/s/$$/ -fPIC/' \
 	    ${WRKSRC}/src/plugins/auth-pam/Makefile \
 	    ${WRKSRC}/src/plugins/down-root/Makefile
 
 .include <bsd.port.options.mk>
 
 .if ${PORT_OPTIONS:MMBEDTLS}
 _tlslibs=libmbedtls libmbedx509 libmbedcrypto
 .else
 # OpenSSL
 _tlslibs=libssl libcrypto
 .endif
 
 .if ${SSL_DEFAULT:Mlibressl*} && empty(PORT_OPTIONS:MMBEDTLS)
 pre-everything::
 	@${ECHO_CMD} "WARNING: OpenVPN does not officially support LibreSSL."
 	@${ECHO_CMD} "If things break, rebuild with OpenSSL or mbedTLS."
 	@${ECHO_CMD} "You may wish to change your default SSL library"
 	@${ECHO_CMD} "and press Ctrl+C within the next 10 seconds to abort."
 .  if !(defined(PACKAGE_BUILDING) || defined(BATCH))
 	@sleep 10
 .  endif
 .endif
 
 # sanity check that we don't inherit incompatible SSL libs through,
 # for instance, pkcs11-helper:
 post-build:
 	@a=$$(LC_ALL=C ldd -f '%o\n' ${WRKSRC}/src/openvpn/openvpn \
 	|	${SORT} -u) ; set -- $$(for i in ${_tlslibs} ; do ${PRINTF} '%s\n' "$$a" | ${GREP} $${i}.so | wc -l ; done | ${SORT} -u) ;\
 	if test "$$*" != "1" ; then ${ECHO_CMD} >&2 "${.CURDIR} FAILED: either of ${_tlslibs} libraries linked multiple times" ; ${PRINTF} '%s\n' "$$a"; ${RM} ${BUILD_COOKIE} ; exit 1 ; fi
 
 post-install:
 	${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-auth-pam.so
 	${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-down-root.so
 	${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.up ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up
 	${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.down ${STAGEDIR}${PREFIX}/libexec/openvpn-client.down
 	@${REINPLACE_CMD} 's|resolvconf -p -a|resolvconf -a|' ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up
 	${INSTALL_SCRIPT} ${WRKDIR}/openvpn-client ${STAGEDIR}${PREFIX}/sbin/openvpn-client
 	${MKDIR} ${STAGEDIR}${PREFIX}/include
 
 post-install-DOCS-on:
 	${MKDIR} ${STAGEDIR}${DOCSDIR}/
 .for i in AUTHORS ChangeLog PORTS
 	${INSTALL_DATA} ${WRKSRC}/${i} ${STAGEDIR}${DOCSDIR}/
 .endfor
 
 post-install-EXAMPLES-on:
 	(cd ${WRKSRC}/sample && ${COPYTREE_SHARE} \* ${STAGEDIR}${EXAMPLESDIR}/)
 	${CHMOD} ${BINMODE} ${STAGEDIR}${EXAMPLESDIR}/sample-scripts/*
 
 .include <bsd.port.mk>
Index: head/security/openvpn-devel/Makefile
===================================================================
--- head/security/openvpn-devel/Makefile	(revision 476833)
+++ head/security/openvpn-devel/Makefile	(revision 476834)
@@ -1,150 +1,150 @@
 # Created by: Matthias Andree <mandree@FreeBSD.org>
 # $FreeBSD$
 
 PORTNAME=		openvpn
 DISTVERSION=		201821
-PORTREVISION=		1
+PORTREVISION=		2
 CATEGORIES=		security net
 MASTER_SITES=		https://secure-computing.net/files/openvpn/ \
 			ftp://ftp2.secure-computing.net/pub/FreeBSD/openvpn-devel/
 PKGNAMESUFFIX=		-devel
 
 MAINTAINER=		ecrist@secure-computing.net
 COMMENT?=		Secure IP/Ethernet tunnel daemon
 
 LICENSE=		GPLv2
 
 CONFLICTS_INSTALL=	openvpn-2.[!4].* openvpn-[!2].* openvpn-beta-[0-9]* openvpn-devel-[0-9]*
 
 GNU_CONFIGURE=		yes
 WRKSRC=			${WRKDIR}/${PORTNAME}${PKGNAMESUFFIX}
 USES=			cpe libtool pkgconfig shebangfix tar:xz
 SHEBANG_FILES=		sample/sample-scripts/verify-cn \
 			sample/sample-scripts/auth-pam.pl \
 			sample/sample-scripts/ucn.pl
 CONFIGURE_ARGS+=	--enable-strict
 # avoid picking up CMAKE, we don't have cmocka in the tarballs..
 CONFIGURE_ENV+=		ac_cv_prog_CMAKE= CMAKE=
 
 # let OpenVPN's configure script pick up the requisite libraries,
 # but do not break the plugin build if an older version is installed
 CPPFLAGS+=		-I${WRKSRC}/include -I${LOCALBASE}/include
 LDFLAGS+=		-L${LOCALBASE}/lib
 
 # set PLUGIN_LIBDIR so that unqualified plugin paths are found:
 CPPFLAGS+=		-DPLUGIN_LIBDIR=\\\"${PREFIX}/lib/openvpn/plugins\\\"
 
 OPTIONS_DEFINE=		PKCS11 EASYRSA DOCS EXAMPLES X509ALTUSERNAME \
 			TEST LZ4 SMALL TUNNELBLICK
 OPTIONS_DEFAULT=	EASYRSA OPENSSL TEST LZ4
 OPTIONS_SINGLE=		SSL
 OPTIONS_SINGLE_SSL=	OPENSSL MBEDTLS
 PKCS11_DESC=		Use security/pkcs11-helper
 EASYRSA_DESC=		Install security/easy-rsa RSA helper package
 MBEDTLS_DESC=		SSL/TLS via mbedTLS
 TUNNELBLICK_DESC=	Tunnelblick XOR scramble patch (READ HELP!)
 X509ALTUSERNAME_DESC=	Enable --x509-username-field (OpenSSL only)
 SMALL_DESC=		Build a smaller executable with fewer features
 
 EASYRSA_RUN_DEPENDS=	easy-rsa>=0:security/easy-rsa
 
 PKCS11_LIB_DEPENDS=	libpkcs11-helper.so:security/pkcs11-helper
 PKCS11_CONFIGURE_ENABLE=	pkcs11
 PKCS11_PREVENTS=	MBEDTLS
 PKCS11_PREVENTS_MSG=	OpenVPN cannot use pkcs11-helper with mbedTLS. Disable PKCS11, or use OpenSSL instead
 
 TUNNELBLICK_EXTRA_PATCHES=	${FILESDIR}/extra-tunnelblick-openvpn_xorpatch
 
 X509ALTUSERNAME_CONFIGURE_ENABLE=	x509-alt-username
 
 X509ALTUSERNAME_PREVENTS=	MBEDTLS
 X509ALTUSERNAME_PREVENTS_MSG=	OpenVPN ${DISTVERSION} cannot use --x509-username-field with mbedTLS. Disable X509ALTUSERNAME, or use OpenSSL instead
 
 OPENSSL_USES=		ssl
 OPENSSL_CONFIGURE_ON=	--with-crypto-library=openssl
 
 LZ4_CONFIGURE_OFF=	--disable-lz4
 
 SMALL_CONFIGURE_ON=	--enable-small
 
 MBEDTLS_LIB_DEPENDS=	libmbedtls.so:security/mbedtls
 MBEDTLS_CONFIGURE_ON=	--with-crypto-library=mbedtls
 
 USE_RC_SUBR=		openvpn
 USE_LDCONFIG=		${PREFIX}/lib
 
 SUB_FILES=		pkg-message openvpn-client
 
 .ifdef (LOG_OPENVPN)
 CFLAGS+=		-DLOG_OPENVPN=${LOG_OPENVPN}
 .endif
 
 LIB_DEPENDS+=		liblzo2.so:archivers/lzo2
 
 LZ4_LIB_DEPENDS+=	liblz4.so:archivers/liblz4
 
 PORTDOCS=		*
 PORTEXAMPLES=		*
 
 TEST_ALL_TARGET=	check
 TEST_TEST_TARGET_OFF=	check
 
 # XXX Please remove this compatibility wrapper after 2017Q2 is branched.
 .ifdef(WITHOUT_CHECK)
 WARNING+=	"${.CURDIR}: WITHOUT_CHECK is deprecated, please use WITHOUT=TEST or OPTIONS_UNSET=TEST."
 WITHOUT+=	TEST
 .endif
 
 pre-configure:
 .ifdef (LOG_OPENVPN)
 	@${ECHO} "Building with LOG_OPENVPN=${LOG_OPENVPN}"
 .else
 	@${ECHO} ""
 	@${ECHO} "You may use the following build options:"
 	@${ECHO} ""
 	@${ECHO} "      LOG_OPENVPN={Valid syslog facility, default LOG_DAEMON}"
 	@${ECHO} "      EXAMPLE:  make LOG_OPENVPN=LOG_LOCAL6"
 	@${ECHO} ""
 .endif
 
 post-configure:
 	${REINPLACE_CMD} '/^CFLAGS =/s/$$/ -fPIC/' \
 	    ${WRKSRC}/src/plugins/auth-pam/Makefile \
 	    ${WRKSRC}/src/plugins/down-root/Makefile
 
 .include <bsd.port.options.mk>
 
 .if ${PORT_OPTIONS:MMBEDTLS}
 _tlslibs=libmbedtls libmbedx509 libmbedcrypto
 .else
 # OpenSSL
 _tlslibs=libssl libcrypto
 .endif
 
 # sanity check that we don't inherit incompatible SSL libs through,
 # for instance, pkcs11-helper:
 post-build:
 	   @a=$$(LC_ALL=C ldd -f '%o\n' ${WRKSRC}/src/openvpn/openvpn \
        |	${SORT} -u) ; set -- $$(for i in ${_tlslibs} ; do ${PRINTF} '%s\n' "$$a" | ${GREP} $${i}.so | wc -l ; done | ${SORT} -u) ;\
        if test "$$*" != "1" ; then ${ECHO_CMD} >&2 "${.CURDIR} FAILED: either of ${_tlslibs} libraries linked multiple times" ; ${PRINTF} '%s\n' "$$a"; ${RM} ${BUILD_COOKIE} ; exit 1 ; fi
 
 post-install:
 	${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-auth-pam.so
 	${STRIP_CMD} ${STAGEDIR}${PREFIX}/lib/openvpn/plugins/openvpn-plugin-down-root.so
 	${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.up ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up
 	${INSTALL_SCRIPT} ${WRKSRC}/contrib/pull-resolv-conf/client.down ${STAGEDIR}${PREFIX}/libexec/openvpn-client.down
 	@${REINPLACE_CMD} 's|resolvconf -p -a|resolvconf -a|' ${STAGEDIR}${PREFIX}/libexec/openvpn-client.up
 	${INSTALL_SCRIPT} ${WRKDIR}/openvpn-client ${STAGEDIR}${PREFIX}/sbin/openvpn-client
 	${MKDIR} ${STAGEDIR}${PREFIX}/include
 
 post-install-DOCS-on:
 	${MKDIR} ${STAGEDIR}${DOCSDIR}/
 .for i in AUTHORS ChangeLog PORTS
 	${INSTALL_DATA} ${WRKSRC}/${i} ${STAGEDIR}${DOCSDIR}/
 .endfor
 
 post-install-EXAMPLES-on:
 	(cd ${WRKSRC}/sample && ${COPYTREE_SHARE} \* ${STAGEDIR}${EXAMPLESDIR}/)
 	${CHMOD} ${BINMODE} ${STAGEDIR}${EXAMPLESDIR}/sample-scripts/*
 
 .include <bsd.port.mk>
Index: head/www/hiawatha/Makefile
===================================================================
--- head/www/hiawatha/Makefile	(revision 476833)
+++ head/www/hiawatha/Makefile	(revision 476834)
@@ -1,74 +1,74 @@
 # Created by: Hugo Leisink
 # $FreeBSD$
 
 PORTNAME=	hiawatha
 PORTVERSION=	10.7
-PORTREVISION=	5
+PORTREVISION=	6
 CATEGORIES=	www
 MASTER_SITES=	https://www.hiawatha-webserver.org/files/
 
 MAINTAINER=	portmaster@BSDforge.com
 COMMENT=	Advanced and secure webserver for Unix
 
 LICENSE=	GPLv2
 LICENSE_FILE=	${WRKSRC}/LICENSE
 
 PORTDOCS=	ChangeLog README.md
 CONFIG_FILES=	hiawatha.conf mimetype.conf cgi-wrapper.conf toolkit.conf \
 		error.xslt index.xslt
 
 SUB_FILES=	pkg-message
 USES=		cmake compiler:c11
 USE_LDCONFIG=	yes
 USE_RC_SUBR=	hiawatha
 
 LDFLAGS+=	-L${LOCALBASE}/lib
 CMAKE_ARGS+=	-DCMAKE_INSTALL_LOCALSTATEDIR=/var \
 		-DCMAKE_INSTALL_MANDIR=${PREFIX}/man \
 		-DWEBROOT_DIR=${WWWDIR} \
 		-DWORK_DIR=/var/db/${PORTNAME}
 
 OPTIONS_DEFINE=	CACHE DOCS IPV6 MONITOR RPROXY MBEDTLS TOMAHAWK TOOLKIT XSLT
 
 OPTIONS_DEFAULT=	CACHE RPROXY MBEDTLS TOOLKIT XSLT
 
 CACHE_DESC=	Enable cache support
 MONITOR_DESC=	Enable Hiawatha Monitor
 RPROXY_DESC=	Enable reverse proxy
 TOMAHAWK_DESC=	Enable Tomahawk command channel
 TOOLKIT_DESC=	Enable URL toolkit
 XSLT_DESC=	Enable XSLT support
 
 CACHE_CMAKE_BOOL=	ENABLE_CACHE
 TOMAHAWK_CMAKE_BOOL=	ENABLE_TOMAHAWK
 IPV6_CMAKE_BOOL=	ENABLE_IPV6
 MONITOR_CMAKE_BOOL=	ENABLE_MONITOR
 RPROXY_CMAKE_BOOL=	ENABLE_RPROXY
 MBEDTLS_CMAKE_BOOL=	ENABLE_TLS USE_SYSTEM_MBEDTLS
 TOOLKIT_CMAKE_BOOL=	ENABLE_TOOLKIT
 XSLT_USE=		GNOME=libxslt
 XSLT_CMAKE_BOOL=	ENABLE_XSLT
 
 MBEDTLS_LIB_DEPENDS=	libmbedtls.so:security/mbedtls
 
 post-patch:
 	@${REINPLACE_CMD} -e 's|/usr|${PREFIX}|g' \
 	${WRKSRC}/man/hiawatha.1.in ${WRKSRC}/man/cgi-wrapper.1.in \
 	${WRKSRC}/config/cgi-wrapper.conf ${WRKSRC}/config/hiawatha.conf.in
 
 	@${REINPLACE_CMD} -e 's|/etc/hiawatha|${ETCDIR}|g' \
 	${WRKSRC}/man/hiawatha.1.in ${WRKSRC}/man/cgi-wrapper.1.in
 
 post-install:
 .for FILE in ${CONFIG_FILES}
 	${INSTALL_DATA} ${WRKSRC}/config/${FILE} ${STAGEDIR}${PREFIX}/etc/hiawatha/${FILE}.sample
 .endfor
 
 	@${MKDIR} ${STAGEDIR}${WWWDIR} ; \
 	${INSTALL_DATA} ${WRKSRC}/extra/index.html ${STAGEDIR}${WWWDIR}/index.html.sample
 
 post-install-DOCS-on:
 	@${MKDIR} ${STAGEDIR}${DOCSDIR}
 	${INSTALL_DATA} ${PORTDOCS:S,^,${WRKSRC}/,} ${STAGEDIR}${DOCSDIR}/
 
 .include <bsd.port.mk>