1 /* SPDX-License-Identifier: GPL-2.0 */ 2 /* 3 * Define the string that exports the set of kernel-supported 4 * Kerberos enctypes. This list is sent via upcall to gssd, and 5 * is also exposed via the nfsd /proc API. The consumers generally 6 * treat this as an ordered list, where the first item in the list 7 * is the most preferred. 8 */ 9 10 #ifndef _LINUX_SUNRPC_GSS_KRB5_ENCTYPES_H 11 #define _LINUX_SUNRPC_GSS_KRB5_ENCTYPES_H 12 13 #ifdef CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES 14 15 /* 16 * NB: This list includes DES3_CBC_SHA1, which was deprecated by RFC 8429. 17 * 18 * ENCTYPE_AES256_CTS_HMAC_SHA1_96 19 * ENCTYPE_AES128_CTS_HMAC_SHA1_96 20 * ENCTYPE_DES3_CBC_SHA1 21 */ 22 #define KRB5_SUPPORTED_ENCTYPES "18,17,16" 23 24 #else /* CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES */ 25 26 /* 27 * NB: This list includes encryption types that were deprecated 28 * by RFC 8429 and RFC 6649. 29 * 30 * ENCTYPE_AES256_CTS_HMAC_SHA1_96 31 * ENCTYPE_AES128_CTS_HMAC_SHA1_96 32 * ENCTYPE_DES3_CBC_SHA1 33 * ENCTYPE_DES_CBC_MD5 34 * ENCTYPE_DES_CBC_CRC 35 * ENCTYPE_DES_CBC_MD4 36 */ 37 #define KRB5_SUPPORTED_ENCTYPES "18,17,16,3,1,2" 38 39 #endif /* CONFIG_SUNRPC_DISABLE_INSECURE_ENCTYPES */ 40 41 #endif /* _LINUX_SUNRPC_GSS_KRB5_ENCTYPES_H */ 42