Remove support for legacy encrypted private keys (#1029)

Both those with a 2-byte hash (instead of SHA1 or an AEAD authentication
tag) and those without an S2K specifier (i.e., using MD5 for S2K) -
support for the latter was already broken.

Vulnerabilities can arise not just from generating keys like this, but
from using them as well (if an attacker can tamper with them), hence why
we're removing support.

src/packet/secret_key.js

@@ -334,10 +334,10 @@ SecretKey.prototype.decrypt = async function (passphrase) {
   }
 
   let key;
-  if (this.s2k_usage === 255 || this.s2k_usage === 254 || this.s2k_usage === 253) {
+  if (this.s2k_usage === 254 || this.s2k_usage === 253) {
     key = await produceEncryptionKey(this.s2k, passphrase, this.symmetric);
   } else {
-    key = await crypto.hash.md5(passphrase);
+    throw new Error('Unsupported legacy encrypted key');
   }
 
   let cleartext;
@@ -355,19 +355,10 @@ SecretKey.prototype.decrypt = async function (passphrase) {
   } else {
     const cleartextWithHash = await crypto.cfb.decrypt(this.symmetric, key, this.keyMaterial, this.iv);
 
-    let hash;
+    cleartext = cleartextWithHash.subarray(0, -20);
-    let hashlen;
+    const hash = await crypto.hash.sha1(cleartext);
-    if (this.s2k_usage === 255) {
-      hashlen = 2;
-      cleartext = cleartextWithHash.subarray(0, -hashlen);
-      hash = util.write_checksum(cleartext);
-    } else {
-      hashlen = 20;
-      cleartext = cleartextWithHash.subarray(0, -hashlen);
-      hash = await crypto.hash.sha1(cleartext);
-    }
 
-    if (!util.equalsUint8Array(hash, cleartextWithHash.subarray(-hashlen))) {
+    if (!util.equalsUint8Array(hash, cleartextWithHash.subarray(-20))) {
       throw new Error('Incorrect key passphrase');
     }
   }