Signing the Message

The client MUST sign the message under the following conditions:

  • If the request message being sent contains a nonzero value in the SessionId field, the session identified by the SessionId has Session.SigningRequired equal to TRUE and either the request is a TREE_CONNECT request or the tree connection identified by the TreeId field has TreeConnect.EncryptData equal to FALSE.

  • If Connection.Dialect is "3.1.1" and the message being sent is a TREE_CONNECT Request and the session identified by SessionId has Session.EncryptData equal to FALSE.

If Session.SigningRequired is FALSE, the client MAY<81> sign the request.

If the client implements the SMB 3.x dialect family, and if the request is for session set up, the client MUST use Session.SigningKey, and for all other requests the client MUST provide Channel.SigningKey by looking up the Channel in Session.ChannelList, where the connection matches the Channel.Connection. Otherwise, the client MUST use Session.SessionKey for signing the request. The client provides the key for signing, the length of the request, and the request itself, and calculates the signature as specified in section If the client signs the request, it MUST set the SMB2_FLAGS_SIGNED bit in the Flags field of the SMB2 header.