3.3.5.2.3 Message Signing

If a message is received and Connection.IsSigningActive is TRUE for the SMB connection, the signature MUST be verified as specified in section 3.1.5.1.

The server is responsible for providing the expected sequence number for signature validation. The sequence number for the next incoming request is stored in Server.Connection.ServerNextReceiveSequenceNumber. The server MUST remember the appropriate sequence number for the response to this request and does so by inserting it into the Server.Connection.ServerSendSequenceNumber table with the PID and MID that identify the request/response pair.

If the signature on the received packet is incorrect, the server MUST return STATUS_ACCESS_DENIED (ERRDOS/ERRnoaccess) and MUST increase Server.Statistics.sts0_permerrors by 1. After verifying that the signature on the current message is correct, the server MUST take the following steps.

 IF request command EQUALS SMB_COM_NT_CANCEL THEN
   INCREMENT ServerNextReceiveSequenceNumber
 ELSE IF request has no response THEN
   INCREMENT ServerNextReceiveSequenceNumber BY 2
 ELSE
   SET ServerSendSequenceNumber[PID,MID] TO ServerNextReceiveSequenceNumber + 1
   INCREMENT ServerNextReceiveSequenceNumber BY 2
 END IF
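
The following added example (not part of the specification) models the sequence-number bookkeeping above in Python and shows a replayed request being rejected because it is checked against the next expected sequence number. The `sign` function is a simplified stand-in for the section 3.1.5.1 algorithm; the header-only messages, session key, class and function names, and the starting sequence number of 0 are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

SMB_COM_ECHO, SMB_COM_NT_CANCEL = 0x2B, 0xA4
STATUS_ACCESS_DENIED = 0xC0000022
SIG = slice(14, 22)  # 8-byte signature field of the 32-byte SMB header

def sign(key, msg, seq):
    """Stand-in for section 3.1.5.1 (assumed): MD5 over key + msg stamped with seq."""
    stamped = msg[:14] + struct.pack("<II", seq, 0) + msg[22:]
    return hashlib.md5(key + stamped).digest()[:8]

def build(key, command, pid, mid, seq):
    """Constructed 32-byte, header-only request, signed as a client would."""
    hdr = bytearray(32)
    hdr[0:4], hdr[4] = b"\xffSMB", command
    struct.pack_into("<H2xH", hdr, 26, pid, mid)  # PIDLow, (UID skipped), MID
    hdr[SIG] = sign(key, bytes(hdr), seq)
    return bytes(hdr)

class Connection:
    def __init__(self, key):
        self.key = key
        self.next_recv_seq = 0  # ServerNextReceiveSequenceNumber (0 is a demo assumption)
        self.send_seq = {}      # ServerSendSequenceNumber, keyed by (PID, MID)
        self.permerrors = 0     # Server.Statistics.sts0_permerrors

    def receive(self, msg, has_response=True):
        """Verify against the expected sequence number, then advance it."""
        expected = sign(self.key, msg, self.next_recv_seq)
        if not hmac.compare_digest(msg[SIG], expected):
            self.permerrors += 1  # the update steps below are not taken
            return STATUS_ACCESS_DENIED
        if msg[4] == SMB_COM_NT_CANCEL:
            self.next_recv_seq += 1
        elif not has_response:
            self.next_recv_seq += 2
        else:
            pid_mid = struct.unpack_from("<H2xH", msg, 26)
            self.send_seq[pid_mid] = self.next_recv_seq + 1
            self.next_recv_seq += 2
        return 0

def demo():
    key = b"constructed-session-key"
    conn = Connection(key)
    echo = build(key, SMB_COM_ECHO, pid=1, mid=7, seq=0)
    cancel = build(key, SMB_COM_NT_CANCEL, pid=1, mid=7, seq=2)
    # Accepted request, byte-for-byte replay of it, then a cancel.
    results = [conn.receive(echo), conn.receive(echo), conn.receive(cancel)]
    return results, conn.next_recv_seq, conn.send_seq, conn.permerrors
```

The replayed request carries a signature computed with sequence number 0, but the server now expects 2, so it is answered with STATUS_ACCESS_DENIED and the counters do not advance.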