final SecurityDescriptor desc = querySecurity(th, SecurityInfo.DACL_SECURITY_INFO);
            final ACE[] aces = desc.getAces();
            if (aces != null) {
                processAces(aces, resolveSids);
            }

            return aces;
        }
    }

    @Override
    public SID getOwnerUser() throws IOException {
        return getOwnerUser(true);

            this.preauthSalt = salt;

            if (config.isEncryptionEnabled()) {
                // Build cipher list based on AES-256 support
                List<Integer> ciphers = new ArrayList<>();

                // Prefer GCM over CCM for better performance
                if (config.isAES256Enabled()) {

    }

    @Test
    @DisplayName("Should support AES-256 cipher constants")
    void testAES256CipherConstants() {
        // Verify AES-256 constants are defined
        assertEquals(0x0003, Smb2EncryptionContext.CIPHER_AES_256_CCM, "AES-256-CCM constant should be defined");
        assertEquals(0x0004, Smb2EncryptionContext.CIPHER_AES_256_GCM, "AES-256-GCM constant should be defined");

        }

        @Test
        @DisplayName("createEncryptionContext selects AES-CCM for SMB 3.0 and AES-GCM for SMB 3.1.1")
        void createEncryptionContext_happyDialects() throws Exception {
            byte[] sessionKey = new byte[16];
            byte[] preauth = new byte[16];

            // SMB 3.0 -> AES-128-CCM
            setField(transport, "smb2", true);

- [PRF](#prf): HMAC-SHA-256
- [AEAD](#aead): AES-256-GCM if the CPU supports AES-NI, ChaCha20-Poly1305 otherwise. More specifically AES-256-GCM is only selected for X86-64 CPUs with AES-NI extension.

            String archiveId = sessionId + ".v" + currentVersion;
            storeSessionKeyInternal(archiveId, currentKey, "AES");

            // Store new key
            storeSessionKeyInternal(sessionId, newKey, "AES");
            keyVersions.put(sessionId, newVersion);
            keyCreationTimes.put(sessionId, System.currentTimeMillis());

                case FessConfig.search_engine_heartbeat_interval:
                    return "10000";
                case FessConfig.APP_CIPHER_ALGORISM:
                    return "aes";
                case FessConfig.APP_CIPHER_KEY:
                    return "___change__me___";
                case FessConfig.APP_ENCRYPT_PROPERTY_PATTERN:
                    return ".*password|.*key|.*token|.*secret";

    private OneWayCryptographer oneWayCryptographer;

    @Override
    public void setUp() throws Exception {
        super.setUp();

        // Create InvertibleCryptographer with AES
        invertibleCryptographer = InvertibleCryptographer.createAesCipher("1234567890123456");

        // Create OneWayCryptographer with SHA256
        oneWayCryptographer = OneWayCryptographer.createSha256Cryptographer();

     * <p>
     * Alternatively <code>getSecurity(true)</code> may be used to resolve all
     * SIDs together and detect network failures.
     *
     * @return array of ACEs
     * @throws IOException if an I/O error occurs
     */
    ACE[] getSecurity() throws IOException;

    /**
     * Return an array of Access Control Entry (ACE) objects representing

gcm import ( "crypto/internal/fips140" "crypto/internal/fips140/aes" "crypto/internal/fips140/subtle" ) // CMAC implements the CMAC mode from NIST SP 800-38B. // // It is optimized for use in Counter KDF (SP 800-108r1) and XAES-256-GCM // (https://c2sp.org/XAES-256-GCM), rather than for exposing it to applications // as a stand-alone MAC. type CMAC struct { b aes.Block k1 [aes.BlockSize]byte k2 [aes.BlockSize]byte } func NewCMAC(b *aes.Block) *CMAC { c := &CMAC{b: *b} c.deriveSubkeys() return c } func...