}

        @Test
        @DisplayName("createEncryptionContext selects AES-CCM for SMB 3.0 and AES-GCM for SMB 3.1.1")
        void createEncryptionContext_happyDialects() throws Exception {
            byte[] sessionKey = new byte[16];
            byte[] preauth = new byte[16];

            // SMB 3.0 -> AES-128-CCM
            setField(transport, "smb2", true);

- [PRF](#prf): HMAC-SHA-256
- [AEAD](#aead): AES-256-GCM if the CPU supports AES-NI, ChaCha20-Poly1305 otherwise. More specifically AES-256-GCM is only selected for X86-64 CPUs with AES-NI extension.

kQyKGUTpDbKLuyYMFsoH73YLjBqNe+UEhPwE+FWpcky1Sp9RTx/oMLpiZaPR
-----END CERTIFICATE-----`,
		shouldFail: true,
	},
	{
		password: "foobar",
		privateKey: `-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,CC483BF11678C35F9F02A1AD85DAE285

nMDFd+Qxk1f+S7LwMitmMofNXYNbCY4L1QEqPOOx5wnjNF1wSxmEkL7+h8W4Y/vb
AQt/7TCcUSuSqEMl45nUIcCbhBos5wz+ShvFiez3qKwmR5HSURvqyN6PIJeAbU+h

    private static final int SIGNATURE_OFFSET = 48;
    private static final int SIGNATURE_LENGTH = 16;

    @BeforeAll
    static void setupClass() {
        // Ensure BouncyCastle provider is available for AES-CMAC
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }
    }

    @BeforeEach
    void setup() {

gcm import ( "crypto/internal/fips140" "crypto/internal/fips140/aes" "crypto/internal/fips140/subtle" ) // CMAC implements the CMAC mode from NIST SP 800-38B. // // It is optimized for use in Counter KDF (SP 800-108r1) and XAES-256-GCM // (https://c2sp.org/XAES-256-GCM), rather than for exposing it to applications // as a stand-alone MAC. type CMAC struct { b aes.Block k1 [aes.BlockSize]byte k2 [aes.BlockSize]byte } func NewCMAC(b *aes.Block) *CMAC { c := &CMAC{b: *b} c.deriveSubkeys() return c } func...

    }

    @Test
    @DisplayName("Test log encryption")
    void testLogEncryption() {
        logger.logEncryption(true, "AES-128-GCM", "SMB3.1.1");

        Map<EventType, Long> stats = logger.getStatistics();
        assertEquals(Long.valueOf(1), stats.get(EventType.ENCRYPTION_ENABLED), "Should have 1 encryption event");
    }

    @Test

> **NOTE:** Do **NOT** run `gradle build` on the local development environment,
> even if you have Gradle or Develocity build caching enabled for the project.
> The Gradle Build Tool repository is massive, and it will take ages to build on
> a local machine without necessary parallelization and caching.
> The full test suites are executed on the CI instance for multiple configurations,

            if (cipherId == -1) {
                // Default to AES-128-GCM for SMB 3.1.1 if no cipher negotiated
                cipherId = EncryptionNegotiateContext.CIPHER_AES128_GCM;
            }
        } else if (dialect.atLeast(DialectVersion.SMB300)) {
            // SMB 3.0/3.0.2 only supports AES-128-CCM
            cipherId = EncryptionNegotiateContext.CIPHER_AES128_CCM;
        } else {

```java
public class SecureHandleStorage {
    private final SecretKey encryptionKey;
    
    public void saveEncrypted(HandleInfo handle, Path file) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, encryptionKey);
        
        ByteArrayOutputStream baos = new ByteArrayOutputStream();
        try (CipherOutputStream cos = new CipherOutputStream(baos, cipher);

    protected boolean compressionEnabled = false;
    /** Preferred encryption ciphers in order of preference */
    protected String preferredCiphers = "AES_128_GCM,AES_128_CCM,AES_256_GCM,AES_256_CCM";
    /** Whether AES-256 encryption is enabled */
    protected boolean aes256Enabled = true;
    /** Whether to use SMB2/SMB3 leases for caching */
    protected boolean useLease = true;
    /** Lease timeout in milliseconds */