3.3.5.2.4 Verifying the Signature

If Connection.Dialect belongs to the SMB 3.x dialect family and if the decryption in section 3.3.5.2.1.1 succeeds, the server MUST skip the processing in this section.

If the SMB2 header of the SMB2 NEGOTIATE request has the SMB2_FLAGS_SIGNED bit set in the Flags field, the server MUST fail the request with STATUS_INVALID_PARAMETER.

If the SMB2 header of the request has SMB2_FLAGS_SIGNED set in the Flags field and the message is not encrypted, the server MUST verify the signature. If the request is for binding the session, the server MUST look up the session in the GlobalSessionTable using the SessionId in the SMB2 header of the request. For all other requests, the server MUST look up the session in the Connection.SessionTable using the SessionId in the SMB2 header of the request. If the session is not found, the request MUST be failed, as specified in section Sending an Error Response (section 3.3.4.4), with the error code STATUS_USER_SESSION_DELETED. If the session is found, the server MUST verify the signature of the message as specified in section 3.1.5.1.

If Session.Connection.Dialect belongs to the SMB 3.x dialect family, the server MUST use Session.SigningKey if the request is for binding a session, and for all other requests the server MUST use Channel.SigningKey in Session.ChannelList, where Channel.Connection matches the connection on which the request is received.

Otherwise, the server MUST use Session.SessionKey as the session key to verify the signature.

If Session.SigningKey, Channel.SigningKey, or Session.SessionKey is NULL, the server MUST fail the request with STATUS_NOT_SUPPORTED and MUST stop processing the request.

If the signature verification fails, the server MUST fail the request with the error code STATUS_ACCESS_DENIED. The server MAY also disconnect the connection as specified in section 3.3.7.1. If signature verification succeeds, the server MUST continue processing on the packet.<259>

If the SMB2 header of the request does not have SMB2_FLAGS_SIGNED set in the Flags field, the server MUST determine if the client failed to sign a packet that required it. The server MUST look up the session in the GlobalSessionTable using the SessionId in the SMB2 header of the request. If the session is found and Session.SigningRequired is equal to TRUE, the server MUST fail this request with STATUS_ACCESS_DENIED. The server MAY<260> also disconnect the connection, as specified in section 3.3.7.1. If either the session is not found, or Session.SigningRequired is FALSE, the server continues processing on the packet.

If the connection is disconnected, the server MUST remove the connection from the ConnectionList, as specified in section 3.3.7.1.