From 033716d9fdbfe1605c4ffb77e741727be4eb8e0d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 10 Nov 2020 01:28:03 +0100
Subject: [PATCH] lib/param: offer aes-256-{gcm,ccm} encryption by default

We match Windows and keep aes-128-{gcm,ccm} first...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
---
 docs-xml/smbdotconf/security/clientsmbencryptionalgos.xml | 6 +++---
 docs-xml/smbdotconf/security/serversmbencryptionalgos.xml | 6 +++---
 lib/param/loadparm.h                                      | 2 +-
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/docs-xml/smbdotconf/security/clientsmbencryptionalgos.xml b/docs-xml/smbdotconf/security/clientsmbencryptionalgos.xml
index b5916cc3e4a..27da51ad625 100644
--- a/docs-xml/smbdotconf/security/clientsmbencryptionalgos.xml
+++ b/docs-xml/smbdotconf/security/clientsmbencryptionalgos.xml
@@ -15,7 +15,7 @@
 	</para>
 </description>
 
-<value type="default">aes-128-gcm, aes-128-ccm</value>
-<value type="example">aes-128-gcm</value>
-<value type="example">-aes-128-ccm</value>
+<value type="default">aes-128-gcm, aes-128-ccm, aes-256-gcm, aes-256-ccm</value>
+<value type="example">aes-256-gcm</value>
+<value type="example">-aes-128-gcm -aes-128-ccm</value>
 </samba:parameter>
diff --git a/docs-xml/smbdotconf/security/serversmbencryptionalgos.xml b/docs-xml/smbdotconf/security/serversmbencryptionalgos.xml
index 025e582d674..3217970d4e7 100644
--- a/docs-xml/smbdotconf/security/serversmbencryptionalgos.xml
+++ b/docs-xml/smbdotconf/security/serversmbencryptionalgos.xml
@@ -15,7 +15,7 @@
 	</para>
 </description>
 
-<value type="default">aes-128-gcm, aes-128-ccm</value>
-<value type="example">aes-128-gcm</value>
-<value type="example">-aes-128-ccm</value>
+<value type="default">aes-128-gcm, aes-128-ccm, aes-256-gcm, aes-256-ccm</value>
+<value type="example">aes-256-gcm</value>
+<value type="example">-aes-128-gcm -aes-128-ccm</value>
 </samba:parameter>
diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h
index 8b7f6001e30..0f2af4f4167 100644
--- a/lib/param/loadparm.h
+++ b/lib/param/loadparm.h
@@ -285,7 +285,7 @@ enum samba_weak_crypto {
 #define DEFAULT_SMB2_MAX_TRANSACT (8*1024*1024)
 #define DEFAULT_SMB2_MAX_CREDITS 8192
 
-#define DEFAULT_SMB3_ENCRYPTION_ALGORITHMS "aes-128-gcm aes-128-ccm"
+#define DEFAULT_SMB3_ENCRYPTION_ALGORITHMS "aes-128-gcm aes-128-ccm aes-256-gcm aes-256-ccm"
 
 #define LOADPARM_EXTRA_LOCALS						\
 	int usershare;							\