Export (0) Print
Expand All

3.1.5.1 Verifying an Incoming Message

If a client or server requires verification of a signed message, it provides the message length, the buffer containing the message, and the key to verify the signature. The following steps describe how the signature MUST be verified:

  1. The receiver MUST save the 16-byte signature from the Signature field in the SMB2 Header for use in step 5.

  2. The receiver MUST zero out the 16-byte signature field in the SMB2 Header of the incoming message.

  3. If Session.Connection.Dialect belongs to the SMB 3.x dialect family, the receiver MUST compute a 16-byte hash by using AES_CMAC-128 over the entire message, beginning with the SMB2 Header from step 2, and using the key provided. The AES_CMAC-128 is specified in [RFC4493]. If the message is part of a compounded chain, any padding at the end of the message MUST be used in the hash computation.

  4. If Session.Connection.Dialect is "2.002" or "2.100", the receiver MUST compute a 32-byte hash by using HMAC-SHA256 over the entire message, beginning with the SMB2 Header from step 2, and using the key provided. The HMAC-SHA256 hash is specified in [FIPS180-2] and [RFC2104]. If the message is part of a compounded chain, any padding at the end of the message MUST be used in the hash computation.

  5. If the first 16 bytes (the high-order portion) of the computed signature from step 3 or step 4 matches the saved signature from step 1, the message is signed correctly.

Determining when a client will verify a signature and the action taken on the result of verification is specified in section 3.2.5.1.3. Determining when a server will verify a signature and the action taken on the result of verification is specified in section 3.3.5.2.4.

 
Show:
© 2014 Microsoft