Diffstat (limited to 'src/lib/crypto')
-rw-r--r--src/lib/crypto/krb/s2k_des.c8
-rw-r--r--src/lib/crypto/krb/string_to_key.c18
2 files changed, 3 insertions, 23 deletions
diff --git a/src/lib/crypto/krb/s2k_des.c b/src/lib/crypto/krb/s2k_des.c
index fd2143054..61b3c0f01 100644
--- a/src/lib/crypto/krb/s2k_des.c
+++ b/src/lib/crypto/krb/s2k_des.c
@@ -670,7 +670,6 @@ krb5int_des_string_to_key(const struct krb5_keytypes *ktp,
const krb5_data *parm, krb5_keyblock *keyblock)
{
int type;
- krb5_data afssalt;
if (parm != NULL) {
if (parm->length != 1)
@@ -685,12 +684,5 @@ krb5int_des_string_to_key(const struct krb5_keytypes *ktp,
if (type == 1)
return afs_s2k(string, salt, keyblock->contents);
- /* Also use AFS string to key if the salt indicates it. */
- if (salt != NULL && (salt->length == SALT_TYPE_AFS_LENGTH
- || salt->length == (unsigned)-1)) {
- afssalt = make_data(salt->data, strcspn(salt->data, "@"));
- return afs_s2k(string, &afssalt, keyblock->contents);
- }
-
return des_s2k(string, salt, keyblock->contents);
}
diff --git a/src/lib/crypto/krb/string_to_key.c b/src/lib/crypto/krb/string_to_key.c
index cd46d454a..b55ee75d2 100644
--- a/src/lib/crypto/krb/string_to_key.c
+++ b/src/lib/crypto/krb/string_to_key.c
@@ -51,21 +51,9 @@ krb5_c_string_to_key_with_params(krb5_context context, krb5_enctype enctype,
return KRB5_BAD_ENCTYPE;
keylength = ktp->enc->keylength;
- /*
- * xxx AFS string2key function is indicated by a special length in
- * the salt in much of the code. However only the DES enctypes can
- * deal with this. Using s2kparams would be a much better solution.
- */
- if (salt && salt->length == SALT_TYPE_AFS_LENGTH) {
- switch (enctype) {
- case ENCTYPE_DES_CBC_CRC:
- case ENCTYPE_DES_CBC_MD4:
- case ENCTYPE_DES_CBC_MD5:
- break;
- default:
- return KRB5_CRYPTO_INTERNAL;
- }
- }
+ /* Fail gracefully if someone is using the old AFS string-to-key hack. */
+ if (salt != NULL && salt->length == SALT_TYPE_AFS_LENGTH)
+ return EINVAL;
key->contents = malloc(keylength);
if (key->contents == NULL)
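Review bot: The new guard `if (salt != NULL && salt->length == SALT_TYPE_AFS_LENGTH) return EINVAL;` is now the only place the sentinel salt length is rejected, and it sits in krb5_c_string_to_key_with_params rather than next to the code that actually reads the salt. The s2k_des.c hunks remove the branch that also matched `salt->length == (unsigned)-1`, so if krb5int_des_string_to_key can be reached by any path other than this function (its callers are not visible here), des_s2k would treat the sentinel as a real byte count for salt->data. Consider keeping the same rejection in krb5int_des_string_to_key just before the des_s2k call, and wording the comment so the reason is clear, for example `/* SALT_TYPE_AFS_LENGTH is a marker value, not a byte count; reject it before any s2k routine reads the salt. */`. The body of krb5_c_string_to_key_with_params continues past the end of this hunk.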