3.2.5.1.3 Verifying the Signature

The client MUST skip the processing in this section if any of the following is TRUE:

  • Client implements the SMB 3.x dialect family and decryption in section 3.2.5.1.1.1 succeeds

  • MessageId is 0xFFFFFFFFFFFFFFFF

  • Status in the SMB2 header is STATUS_PENDING

For SMB2 SESSION_SETUP, the client MUST retrieve SessionId from the SMB2 header of the response. For all other messages, the client MUST retrieve SessionId from the corresponding Request.Message. The client MUST look up the session in the Connection.SessionTable using the SessionId.

If the session is not found, the response MUST be discarded as invalid. Otherwise, if Session.SigningRequired is TRUE, the client MUST perform the following:

  • If Connection.Dialect belongs to the SMB 3.x dialect family, and the received message is an SMB2 SESSION_SETUP Response without a status code equal to STATUS_SUCCESS in the header, the client MUST verify the signature of the message as specified in section 3.1.5.1, using Session.SigningKey as the signing key, and passing the response message. For all other messages, the client MUST look up the Channel in Session.ChannelList, where the Channel.Connection matches the connection on which this message is received, and MUST use Channel.SigningKey for verifying the signature as specified in section 3.1.5.1.

  • Otherwise, the client MUST verify the signature of the message as specified in section 3.1.5.1, using Session.SessionKey as the signing key, and passing the response message.

If signature verification fails, the client MUST discard the received message. The client MAY also choose to disconnect the connection.
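The decision procedure of this section, sketched as an added Python example (not part of the specification or of any SMB implementation): it shows the skip conditions, the SessionId source, and which key is selected for each dialect and message type. The class, field and outcome names are hypothetical, the verify callback stands in for section 3.1.5.1, and discarding when no matching Channel exists is an assumption, since this section does not cover that case.

```python
from dataclasses import dataclass, field

STATUS_SUCCESS, STATUS_PENDING = 0x00000000, 0x00000103
SMB2_SESSION_SETUP = 0x0001
SMB3_DIALECTS = {0x0300, 0x0302, 0x0311}
SKIP_MESSAGE_ID = 0xFFFFFFFFFFFFFFFF

@dataclass
class Session:
    signing_required: bool
    session_key: bytes
    signing_key: bytes = b""
    channel_list: dict = field(default_factory=dict)  # conn_id -> Channel.SigningKey

@dataclass
class Connection:
    conn_id: int
    dialect: int
    session_table: dict = field(default_factory=dict)  # SessionId -> Session

@dataclass
class Response:
    command: int
    status: int
    message_id: int
    session_id: int          # SessionId from the response's SMB2 header
    decrypted: bool = False  # True only if SMB 3.x decryption (3.2.5.1.1.1) succeeded

def process_signature(conn, rsp, request_session_id, verify):
    """Return (outcome, key_name); verify(key, rsp) stands in for section 3.1.5.1."""
    if rsp.decrypted or rsp.message_id == SKIP_MESSAGE_ID or rsp.status == STATUS_PENDING:
        return ("skip", None)
    is_setup = rsp.command == SMB2_SESSION_SETUP
    session = conn.session_table.get(rsp.session_id if is_setup else request_session_id)
    if session is None:
        return ("discard", None)            # unknown session: response is invalid
    if not session.signing_required:
        return ("no-check", None)           # this section mandates nothing further
    if conn.dialect not in SMB3_DIALECTS:
        name, key = "Session.SessionKey", session.session_key
    elif is_setup and rsp.status != STATUS_SUCCESS:
        name, key = "Session.SigningKey", session.signing_key
    else:
        name, key = "Channel.SigningKey", session.channel_list.get(conn.conn_id)
        if key is None:                     # assumption: page is silent; fail closed
            return ("discard", name)
    return ("accept" if verify(key, rsp) else "discard", name)
```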