MFH: r541749 r546681 r547499

Approved by: portmgr (with hat)

gnupg: Update to 2.2.21

• gpg: Improve symmetric decryption speed by about 25%. See commit 144b95cc9d.
• gpg: Support decryption of AEAD encrypted data packets.
• gpg: Add option --no-include-key-block. [#4856]
• gpg: Allow for extra padding in ECDH. [#4908]
• gpg: Only a single pinentry is shown for symmetric encryption if the pinentry supports this. [#4971]
• gpg: Print a note if no keys are given to --delete-key. [#4959]
• gpg,gpgsm: The ridiculous passphrase quality bar is not anymore shown. [#2103]
• gpgsm: Certificates without a CRL distribution point are now considered valid without looking up a CRL. The new option --enable-issuer-based-crl-check can be used to revert to the former behaviour.
• gpgsm: Support rsaPSS signature verification. [#4538]
• gpgsm: Unless CRL checking is disabled lookup a missing issuer certificate using the certificate's authorityInfoAccess. [#4898]
• gpgsm: Print the certificate's serial number also in decimal notation.
• gpgsm: Fix possible NULL-deref in messages of --gen-key. [#4895]
• scd: Support the CardOS 5 based D-Trust Card 3.1.
• dirmngr: Allow http URLs with "LOOKUP --url".
• wkd: Take name of sendmail from configure. Fixes an OpenBSD specific bug. [#4886]
  
  Release-info: https://dev.gnupg.org/T4897

security/gnupg: Update to 2.2.22

Also, sort plist. The new gpgsplit binary is getting installed as
gpgsplit2 to avoid a conflict with security/gnupg1.

Noteworthy changes in version 2.2.22

• gpg: Change the default key algorithm to rsa3072.
• gpg: Add regular expression support for Trust Signatures on all platforms. [#4843]
• gpg: Fix regression in 2.2.21 with non-default --passphrase-repeat option. [#4991]
• gpg: Ignore --personal-digest-prefs for ECDSA keys. [#5021]
• gpgsm: Make rsaPSS a de-vs compliant scheme.
• gpgsm: Show also the SHA256 fingerprint in key listings.
• gpgsm: Do not require a default keyring for --gpgconf-list. [#4867]
• gpg-agent: Default to extended key format and record the creation time of keys. Add new option --disable-extended-key-format.
• gpg-agent: Support the WAYLAND_DISPLAY envvar. [#5016]
• gpg-agent: Allow using --gpgconf-list even if HOME does not exist. [#4866]
• gpg-agent: Make the Pinentry work even if the envvar TERM is set to the empty string. [#4137]
• scdaemon: Add a workaround for Gnuk tokens <= 2.15 which wrongly incremented the error counter when using the "verify" command of "gpg --edit-key" with only the signature key being present.
• dirmngr: Better handle systems with disabled IPv6. [#4977]
• gpgpslit: Install tool. It was not installed in the past to avoid conflicts with the version installed by GnuPG 1.4. [#5023] (We're installing it as gpgsplit2 to avoid conflict with security/gnupg1)
• gpgtar: Handle Unicode file names on Windows correctly (requires libgpg-error 1.39). [#4083]
• gpgtar: Make --files-from and --null work as documented. [#5027]
• Build the Windows installer with the new Ntbtls 0.2.0 so that TLS connections succeed for servers demanding GCM.
  
  Release-info: https://dev.gnupg.org/T5030

security/gnupg: Update to 2.2.23

Importing an OpenPGP key having a preference list for AEAD algorithms
will lead to an array overflow and thus often to a crash or other
undefined behaviour.

Importing an arbitrary key can often easily be triggered by an attacker
and thus triggering this bug. Exploiting the bug aside from crashes is
not trivial but likely possible for a dedicated attacker. The major
hurdle for an attacker is that only every second byte is under their
control with every first byte having a fixed value of 0x04.

Software distribution verification should not be affected by this bug
because such a system uses a curated list of keys.

Security: CVE-2020-25125