
3.2.5.1.3 Verifying the Signature

If the client implements the SMB 3.x dialect family and if the decryption in section 3.2.5.1.1 succeeds, the client MUST skip the processing in this section.

If the MessageId is 0xFFFFFFFFFFFFFFFF, no verification is necessary.

If the SMB2 header of the response has SMB2_FLAGS_SIGNED set in the Flags field, the client MUST verify the signature as follows:

The client MUST look up the session in the Connection.SessionTable using the SessionId in the SMB2 header of the response. If the session is not found, the response MUST be discarded as invalid.

If Connection.Dialect belongs to the SMB 3.x dialect family, and the received message is an SMB2 SESSION_SETUP Response whose Status field is not STATUS_SUCCESS, the client MUST verify the signature of the message as specified in section 3.1.5.1, using Session.SigningKey as the signing key, and passing the response message. For all other messages, the client MUST look up the Channel in Session.ChannelList where Channel.Connection matches the connection on which this message was received, and MUST use Channel.SigningKey for verifying the signature as specified in section 3.1.5.1.

Otherwise, the client MUST verify the signature of the message as specified in section 3.1.5.1, using Session.SessionKey as the signing key, and passing the response message.

If signature verification fails, the client MUST discard the received message and do no further processing for it. The client MAY also choose to disconnect the connection. If signature verification succeeds, the client MUST continue processing the packet, as specified in subsequent sections.

If the SMB2 header of the response does not have SMB2_FLAGS_SIGNED set in the Flags field, the client MUST determine whether the server failed to sign a packet that required signing. If the message is an interim response or an SMB2 OPLOCK_BREAK notification, signing validation MUST NOT occur. Otherwise, the client MUST look up the session in the Connection.SessionTable using the SessionId in the SMB2 header of the response. If the session is found and Session.SigningRequired is TRUE, the client MUST discard the received message and do no further processing for it. The client MAY also choose to disconnect the connection. If there is no SessionId, if the session is not found, or if Session.SigningRequired is FALSE, the client continues processing the packet, as specified in subsequent sections.<143>
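The following is an added worked example, not code from the MS-SMB2 specification or from any Microsoft implementation. It models the decision procedure of this section end to end: session lookup, key selection by dialect and message type, signature recomputation over the message with the Signature field zeroed (HMAC-SHA256 for SMB 2.0.2/2.1, AES-128-CMAC for SMB 3.x, as section 3.1.4.1 specifies) and constant-time comparison, plus the unsigned-response check that catches a server silently omitting a required signature. The `build_response` and `sign_response` helpers, the `Connection`/`Session`/`Channel` dataclasses, and the decision to discard a 3.x message when no Channel is bound to the receiving connection (a case the text does not spell out) are assumptions made for this example; the 3.x path uses the `cryptography` package for CMAC when it is installed and otherwise requires a caller-supplied MAC function.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

try:  # AES-128-CMAC for SMB 3.x signing, if the cryptography package is available
    from cryptography.hazmat.primitives import cmac as _cmac
    from cryptography.hazmat.primitives.ciphers import algorithms as _algorithms

    def aes_cmac(key: bytes, data: bytes) -> bytes:
        mac = _cmac.CMAC(_algorithms.AES(key))
        mac.update(data)
        return mac.finalize()
except ImportError:
    aes_cmac = None

# SMB2 header constants (MS-SMB2 section 2.2.1); offsets are fixed for the 64-byte header
SMB2_FLAGS_ASYNC_COMMAND = 0x00000002
SMB2_FLAGS_SIGNED = 0x00000008
SMB2_SESSION_SETUP = 0x0001
SMB2_OPLOCK_BREAK = 0x0012
STATUS_SUCCESS = 0x00000000
STATUS_PENDING = 0x00000103
HEADER_LEN = 64
SIG_OFFSET = 48


@dataclass
class Channel:          # assumed model of the abstract Channel object
    connection: "Connection"
    signing_key: bytes


@dataclass
class Session:          # assumed model of the abstract Session object
    session_key: bytes
    signing_key: bytes = b""
    signing_required: bool = False
    channel_list: List[Channel] = field(default_factory=list)


@dataclass
class Connection:       # assumed model of the abstract Connection object
    dialect: int        # 0x0202/0x0210 for SMB 2.x, 0x0300 and up for SMB 3.x
    session_table: Dict[int, Session] = field(default_factory=dict)
    cmac: Optional[Callable[[bytes, bytes], bytes]] = aes_cmac


def is_smb3(dialect: int) -> bool:
    return dialect >= 0x0300


def compute_signature(dialect: int, key: bytes, msg: bytes, cmac=None) -> bytes:
    """MAC over the whole message with the 16-byte Signature field zeroed (section 3.1.4.1)."""
    zeroed = msg[:SIG_OFFSET] + bytes(16) + msg[SIG_OFFSET + 16:]
    if is_smb3(dialect):
        if cmac is None:
            raise RuntimeError("SMB 3.x signing needs AES-128-CMAC (pip install cryptography)")
        return cmac(key, zeroed)[:16]
    return hmac.new(key, zeroed, hashlib.sha256).digest()[:16]


def build_response(command, status, flags, message_id, session_id, body=b"") -> bytes:
    """Constructed test message: 64-byte SMB2 header (ProtocolId 0xFE 'SMB') followed by body."""
    hdr = struct.pack("<4sHHIHHIIQQQ16s", b"\xfeSMB", 64, 0, status, command, 0,
                      flags, 0, message_id, 0, session_id, bytes(16))
    return hdr + body


def sign_response(conn: Connection, key: bytes, msg: bytes) -> bytes:
    """Server-side counterpart, used here only to produce signed test vectors."""
    flags, = struct.unpack_from("<I", msg, 16)
    msg = msg[:16] + struct.pack("<I", flags | SMB2_FLAGS_SIGNED) + msg[20:]
    sig = compute_signature(conn.dialect, key, msg, conn.cmac)
    return msg[:SIG_OFFSET] + sig + msg[SIG_OFFSET + 16:]


def verify_response(conn: Connection, msg: bytes, decrypted: bool = False):
    """Client check of section 3.2.5.1.3. Returns (verdict, reason), verdict in accept/discard/skip."""
    if len(msg) < HEADER_LEN:
        return "discard", "truncated header"
    if is_smb3(conn.dialect) and decrypted:
        return "skip", "3.x message was decrypted successfully; signature check skipped"
    status, command = struct.unpack_from("<IH", msg, 8)
    flags, = struct.unpack_from("<I", msg, 16)
    message_id, = struct.unpack_from("<Q", msg, 24)
    session_id, = struct.unpack_from("<Q", msg, 40)
    if message_id == 0xFFFFFFFFFFFFFFFF:
        return "accept", "MessageId 0xFFFFFFFFFFFFFFFF: no verification necessary"
    session = conn.session_table.get(session_id)
    interim = bool(flags & SMB2_FLAGS_ASYNC_COMMAND) and status == STATUS_PENDING
    if flags & SMB2_FLAGS_SIGNED:
        if session is None:
            return "discard", "signed response for unknown SessionId"
        if is_smb3(conn.dialect):
            if command == SMB2_SESSION_SETUP and status != STATUS_SUCCESS:
                key = session.signing_key        # session still being established
            else:
                channel = next((c for c in session.channel_list if c.connection is conn), None)
                if channel is None:              # assumption: treated as invalid in this example
                    return "discard", "no Channel bound to this connection"
                key = channel.signing_key
        else:
            key = session.session_key            # SMB 2.0.2 / 2.1 sign with Session.SessionKey
        expected = compute_signature(conn.dialect, key, msg, conn.cmac)
        if not hmac.compare_digest(expected, msg[SIG_OFFSET:SIG_OFFSET + 16]):
            return "discard", "signature mismatch"
        return "accept", "signature verified"
    # Unsigned response: detect a server that omitted a signature the session requires
    if interim or command == SMB2_OPLOCK_BREAK:
        return "accept", "interim response / oplock break: signing not validated"
    if session is not None and session.signing_required:
        return "discard", "unsigned response on a session that requires signing"
    return "accept", "unsigned response, signing not required"
```

The unsigned branch is the one to get right in practice: a client that only checks signatures when SMB2_FLAGS_SIGNED is present, but never asks whether the flag should have been present, lets a man in the middle strip the signature and the flag together. Note also that `compare_digest` is used for the 16-byte comparison so that a forged signature cannot be refined byte by byte through timing.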

© 2015 Microsoft