libcli/smb: maintain smb2.should_sign on smbXcli_req_state

[kai/samba.git] / libcli / smb / smbXcli_base.c

diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 3478e884e431574561bace41a54bac058dcb4ca8..8a41824ef96d233aa91099304102e7ebb6830a24 100644 (file)
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -102,6 +102,7 @@ struct smbXcli_conn {
 
        struct {
                struct {
+                       uint32_t capabilities;
                        uint16_t security_mode;
                        struct GUID guid;
                } client;
@@ -133,10 +134,15 @@ struct smbXcli_session {
        struct {
                uint64_t session_id;
                uint16_t session_flags;
+               DATA_BLOB application_key;
                DATA_BLOB signing_key;
-               DATA_BLOB session_key;
                bool should_sign;
-               bool channel_setup;
+               bool should_encrypt;
+               DATA_BLOB encryption_key;
+               DATA_BLOB decryption_key;
+               uint64_t channel_nonce;
+               uint64_t channel_next;
+               DATA_BLOB channel_signing_key;
        } smb2;
 };
 
@@ -187,14 +193,21 @@ struct smbXcli_req_state {
                const uint8_t *dyn;
                uint32_t dyn_len;
 
-               uint8_t hdr[64];
+               uint8_t hdr[SMB2_HDR_BODY];
                uint8_t pad[7]; /* padding space for compounding */
 
-               /* always an array of 3 talloc elements */
+               /*
+                * always an array of 3 talloc elements
+                * (without a SMB2_TRANSFORM header!)
+                *
+                * HDR, BODY, DYN
+                */
                struct iovec *recv_iov;
 
                uint16_t credit_charge;
 
+               bool should_sign;
+
                bool signing_skipped;
                bool notify_async;
                bool got_async;
@@ -225,7 +238,8 @@ struct smbXcli_conn *smbXcli_conn_create(TALLOC_CTX *mem_ctx,
                                         const char *remote_name,
                                         enum smb_signing_setting signing_state,
                                         uint32_t smb1_capabilities,
-                                        struct GUID *client_guid)
+                                        struct GUID *client_guid,
+                                        uint32_t smb2_capabilities)
 {
        struct smbXcli_conn *conn = NULL;
        void *ss = NULL;
@@ -319,6 +333,7 @@ struct smbXcli_conn *smbXcli_conn_create(TALLOC_CTX *mem_ctx,
        if (client_guid) {
                conn->smb2.client.guid = *client_guid;
        }
+       conn->smb2.client.capabilities = smb2_capabilities;
 
        conn->smb2.cur_credits = 1;
        conn->smb2.max_credits = 0;
@@ -2399,6 +2414,13 @@ struct tevent_req *smb2cli_req_create(TALLOC_CTX *mem_ctx,
 
        if (session) {
                uid = session->smb2.session_id;
+
+               state->smb2.should_sign = session->smb2.should_sign;
+
+               if (cmd == SMB2_OP_SESSSETUP &&
+                   session->smb2.signing_key.length != 0) {
+                       state->smb2.should_sign = true;
+               }
        }
 
        state->smb2.recv_iov = talloc_zero_array(state, struct iovec, 3);
@@ -2495,7 +2517,7 @@ NTSTATUS smb2cli_req_compound_submit(struct tevent_req **reqs,
                uint16_t charge;
                uint16_t credits;
                uint64_t mid;
-               bool should_sign = false;
+               const DATA_BLOB *signing_key = NULL;
 
                if (!tevent_req_is_in_progress(reqs[i])) {
                        return NT_STATUS_INTERNAL_ERROR;
@@ -2555,6 +2577,32 @@ NTSTATUS smb2cli_req_compound_submit(struct tevent_req **reqs,
                SBVAL(state->smb2.hdr, SMB2_HDR_MESSAGE_ID, mid);
 
 skip_credits:
+               if (state->session) {
+                       /*
+                        * We prefer the channel signing key if it is
+                        * already there.
+                        */
+                       if (state->smb2.should_sign) {
+                               signing_key = &state->session->smb2.channel_signing_key;
+                       }
+
+                       /*
+                        * If it is a channel binding, we already have the main
+                        * signing key and try that one.
+                        */
+                       if (signing_key && signing_key->length == 0) {
+                               signing_key = &state->session->smb2.signing_key;
+                       }
+
+                       /*
+                        * If we do not have any session key yet, we skip the
+                        * signing of SMB2_OP_SESSSETUP requests.
+                        */
+                       if (signing_key && signing_key->length == 0) {
+                               signing_key = NULL;
+                       }
+               }
+
                hdr_iov = num_iov;
                iov[num_iov].iov_base = state->smb2.hdr;
                iov[num_iov].iov_len  = sizeof(state->smb2.hdr);
@@ -2586,17 +2634,11 @@ skip_credits:
                }
                nbt_len += reqlen;
 
-               if (state->session) {
-                       should_sign = state->session->smb2.should_sign;
-                       if (state->session->smb2.channel_setup) {
-                               should_sign = true;
-                       }
-               }
-
-               if (should_sign) {
+               if (signing_key) {
                        NTSTATUS status;
 
-                       status = smb2_signing_sign_pdu(state->session->smb2.signing_key,
+                       status = smb2_signing_sign_pdu(*signing_key,
+                                                      state->session->conn->protocol,
                                                       &iov[hdr_iov], num_iov - hdr_iov);
                        if (!NT_STATUS_IS_OK(status)) {
                                return status;
@@ -2693,27 +2735,25 @@ static void smb2cli_req_writev_done(struct tevent_req *subreq)
        }
 }
 
-static NTSTATUS smb2cli_inbuf_parse_compound(uint8_t *buf, TALLOC_CTX *mem_ctx,
+static NTSTATUS smb2cli_inbuf_parse_compound(struct smbXcli_conn *conn,
+                                            uint8_t *buf,
+                                            size_t buflen,
+                                            TALLOC_CTX *mem_ctx,
                                             struct iovec **piov, int *pnum_iov)
 {
        struct iovec *iov;
-       int num_iov;
-       size_t buflen;
-       size_t taken;
-       uint8_t *first_hdr;
-
-       num_iov = 0;
+       int num_iov = 0;
+       size_t taken = 0;
+       uint8_t *first_hdr = buf;
 
        iov = talloc_array(mem_ctx, struct iovec, num_iov);
        if (iov == NULL) {
                return NT_STATUS_NO_MEMORY;
        }
 
-       buflen = smb_len_tcp(buf);
-       taken = 0;
-       first_hdr = buf + NBT_HDR_SIZE;
-
        while (taken < buflen) {
+               uint8_t *tf = NULL;
+               size_t tf_len = 0;
                size_t len = buflen - taken;
                uint8_t *hdr = first_hdr + taken;
                struct iovec *cur;
@@ -2722,6 +2762,58 @@ static NTSTATUS smb2cli_inbuf_parse_compound(uint8_t *buf, TALLOC_CTX *mem_ctx,
                uint16_t body_size;
                struct iovec *iov_tmp;
 
+               if (len < 4) {
+                       DEBUG(10, ("%d bytes left, expected at least %d\n",
+                                  (int)len, 4));
+                       goto inval;
+               }
+               if (IVAL(hdr, 0) == SMB2_TF_MAGIC) {
+                       struct smbXcli_session *s;
+                       uint64_t uid;
+                       struct iovec tf_iov[2];
+                       NTSTATUS status;
+
+                       if (len < SMB2_TF_HDR_SIZE) {
+                               DEBUG(10, ("%d bytes left, expected at least %d\n",
+                                          (int)len, SMB2_TF_HDR_SIZE));
+                               goto inval;
+                       }
+                       tf = hdr;
+                       tf_len = SMB2_TF_HDR_SIZE;
+                       taken += tf_len;
+
+                       hdr = first_hdr + taken;
+                       len = IVAL(tf, SMB2_TF_MSG_SIZE);
+                       uid = BVAL(tf, SMB2_TF_SESSION_ID);
+
+                       s = conn->sessions;
+                       for (; s; s = s->next) {
+                               if (s->smb2.session_id != uid) {
+                                       continue;
+                               }
+                               break;
+                       }
+
+                       if (s == NULL) {
+                               DEBUG(10, ("unknown session_id %llu\n",
+                                          (unsigned long long)uid));
+                               goto inval;
+                       }
+
+                       tf_iov[0].iov_base = (void *)tf;
+                       tf_iov[0].iov_len = tf_len;
+                       tf_iov[1].iov_base = (void *)hdr;
+                       tf_iov[1].iov_len = len;
+
+                       status = smb2_signing_decrypt_pdu(s->smb2.decryption_key,
+                                                         conn->protocol,
+                                                         tf_iov, 2);
+                       if (!NT_STATUS_IS_OK(status)) {
+                               TALLOC_FREE(iov);
+                               return status;
+                       }
+               }
+
                /*
                 * We need the header plus the body length field
                 */
@@ -2753,6 +2845,9 @@ static NTSTATUS smb2cli_inbuf_parse_compound(uint8_t *buf, TALLOC_CTX *mem_ctx,
                        if (next_command_ofs > full_size) {
                                goto inval;
                        }
+                       if (tf && next_command_ofs < len) {
+                               goto inval;
+                       }
                        full_size = next_command_ofs;
                }
                if (body_size < 2) {
@@ -2765,21 +2860,23 @@ static NTSTATUS smb2cli_inbuf_parse_compound(uint8_t *buf, TALLOC_CTX *mem_ctx,
                }
 
                iov_tmp = talloc_realloc(mem_ctx, iov, struct iovec,
-                                        num_iov + 3);
+                                        num_iov + 4);
                if (iov_tmp == NULL) {
                        TALLOC_FREE(iov);
                        return NT_STATUS_NO_MEMORY;
                }
                iov = iov_tmp;
                cur = &iov[num_iov];
-               num_iov += 3;
+               num_iov += 4;
 
-               cur[0].iov_base = hdr;
-               cur[0].iov_len  = SMB2_HDR_BODY;
-               cur[1].iov_base = hdr + SMB2_HDR_BODY;
-               cur[1].iov_len  = body_size;
-               cur[2].iov_base = hdr + SMB2_HDR_BODY + body_size;
-               cur[2].iov_len  = full_size - (SMB2_HDR_BODY + body_size);
+               cur[0].iov_base = tf;
+               cur[0].iov_len  = tf_len;
+               cur[1].iov_base = hdr;
+               cur[1].iov_len  = SMB2_HDR_BODY;
+               cur[2].iov_base = hdr + SMB2_HDR_BODY;
+               cur[2].iov_len  = body_size;
+               cur[3].iov_base = hdr + SMB2_HDR_BODY + body_size;
+               cur[3].iov_len  = full_size - (SMB2_HDR_BODY + body_size);
 
                taken += full_size;
        }
@@ -2823,17 +2920,21 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
        NTSTATUS status;
        bool defer = true;
        struct smbXcli_session *last_session = NULL;
+       size_t inbuf_len = smb_len_tcp(inbuf);
 
-       status = smb2cli_inbuf_parse_compound(inbuf, tmp_mem,
+       status = smb2cli_inbuf_parse_compound(conn,
+                                             inbuf + NBT_HDR_SIZE,
+                                             inbuf_len,
+                                             tmp_mem,
                                              &iov, &num_iov);
        if (!NT_STATUS_IS_OK(status)) {
                return status;
        }
 
-       for (i=0; i<num_iov; i+=3) {
+       for (i=0; i<num_iov; i+=4) {
                uint8_t *inbuf_ref = NULL;
                struct iovec *cur = &iov[i];
-               uint8_t *inhdr = (uint8_t *)cur[0].iov_base;
+               uint8_t *inhdr = (uint8_t *)cur[1].iov_base;
                uint16_t opcode = SVAL(inhdr, SMB2_HDR_OPCODE);
                uint32_t flags = IVAL(inhdr, SMB2_HDR_FLAGS);
                uint64_t mid = BVAL(inhdr, SMB2_HDR_MESSAGE_ID);
@@ -2843,7 +2944,6 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
                uint32_t new_credits;
                struct smbXcli_session *session = NULL;
                const DATA_BLOB *signing_key = NULL;
-               bool should_sign = false;
 
                new_credits = conn->smb2.cur_credits;
                new_credits += credits;
@@ -2898,14 +2998,7 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
                }
                last_session = session;
 
-               if (session) {
-                       should_sign = session->smb2.should_sign;
-                       if (session->smb2.channel_setup) {
-                               should_sign = true;
-                       }
-               }
-
-               if (should_sign) {
+               if (state->smb2.should_sign) {
                        if (!(flags & SMB2_HDR_FLAG_SIGNED)) {
                                return NT_STATUS_ACCESS_DENIED;
                        }
@@ -2933,17 +3026,39 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
                        }
 
                        last_session = session;
-                       signing_key = &session->smb2.signing_key;
+                       signing_key = &session->smb2.channel_signing_key;
                }
 
-               if ((opcode == SMB2_OP_SESSSETUP) &&
-                    NT_STATUS_IS_OK(status)) {
+               if (opcode == SMB2_OP_SESSSETUP) {
                        /*
-                        * the caller has to check the signing
-                        * as only the caller knows the correct
-                        * session key
+                        * We prefer the channel signing key, if it is
+                        * already there.
+                        *
+                        * If we do not have a channel signing key yet,
+                        * we try the main signing key, if it is not
+                        * the final response.
                         */
-                       signing_key = NULL;
+                       if (signing_key && signing_key->length == 0 &&
+                           !NT_STATUS_IS_OK(status)) {
+                               signing_key = &session->smb2.signing_key;
+                       }
+
+                       if (signing_key && signing_key->length == 0) {
+                               /*
+                                * If we do not have a session key to
+                                * verify the signature, we defer the
+                                * signing check to the caller.
+                                *
+                                * The caller gets NT_STATUS_OK, it
+                                * has to call
+                                * smb2cli_session_set_session_key()
+                                * or
+                                * smb2cli_session_set_channel_key()
+                                * which will check the signature
+                                * with the channel signing key.
+                                */
+                               signing_key = NULL;
+                       }
                }
 
                if (NT_STATUS_EQUAL(status, NT_STATUS_USER_SESSION_DELETED)) {
@@ -2953,9 +3068,7 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
                         * propagate the NT_STATUS_USER_SESSION_DELETED
                         * status to the caller.
                         */
-                       if (signing_key) {
-                               signing_key = NULL;
-                       }
+                       signing_key = NULL;
                }
 
                if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_NAME_DELETED) ||
@@ -2999,7 +3112,9 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
                }
 
                if (signing_key) {
-                       status = smb2_signing_check_pdu(*signing_key, cur, 3);
+                       status = smb2_signing_check_pdu(*signing_key,
+                                                       state->conn->protocol,
+                                                       &cur[1], 3);
                        if (!NT_STATUS_IS_OK(status)) {
                                /*
                                 * If the signing check fails, we disconnect
@@ -3015,7 +3130,7 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
                 * There might be more than one response
                 * we need to defer the notifications
                 */
-               if ((num_iov == 4) && (talloc_array_length(conn->pending) == 0)) {
+               if ((num_iov == 5) && (talloc_array_length(conn->pending) == 0)) {
                        defer = false;
                }
 
@@ -3033,9 +3148,9 @@ static NTSTATUS smb2cli_conn_dispatch_incoming(struct smbXcli_conn *conn,
                }
 
                /* copy the related buffers */
-               state->smb2.recv_iov[0] = cur[0];
-               state->smb2.recv_iov[1] = cur[1];
-               state->smb2.recv_iov[2] = cur[2];
+               state->smb2.recv_iov[0] = cur[1];
+               state->smb2.recv_iov[1] = cur[2];
+               state->smb2.recv_iov[2] = cur[3];
 
                tevent_req_done(req);
        }
@@ -3159,6 +3274,7 @@ static const struct {
        {PROTOCOL_SMB2_10,      SMB2_DIALECT_REVISION_210},
        {PROTOCOL_SMB2_22,      SMB2_DIALECT_REVISION_222},
        {PROTOCOL_SMB2_24,      SMB2_DIALECT_REVISION_224},
+       {PROTOCOL_SMB3_00,      SMB3_DIALECT_REVISION_300},
 };
 
 struct smbXcli_negprot_state {
@@ -3746,7 +3862,11 @@ static struct tevent_req *smbXcli_negprot_smb2_subreq(struct smbXcli_negprot_sta
        SSVAL(buf, 2, dialect_count);
        SSVAL(buf, 4, state->conn->smb2.client.security_mode);
        SSVAL(buf, 6, 0);       /* Reserved */
-       SSVAL(buf, 8, 0);       /* Capabilities */
+       if (state->max_protocol >= PROTOCOL_SMB2_22) {
+               SIVAL(buf, 8, state->conn->smb2.client.capabilities);
+       } else {
+               SIVAL(buf, 8, 0);       /* Capabilities */
+       }
        if (state->max_protocol >= PROTOCOL_SMB2_10) {
                NTSTATUS status;
                DATA_BLOB blob;
@@ -3894,16 +4014,23 @@ static NTSTATUS smbXcli_negprot_dispatch_incoming(struct smbXcli_conn *conn,
        struct tevent_req *subreq;
        struct smbXcli_req_state *substate;
        struct tevent_req *req;
-       uint32_t protocol_magic = IVAL(inbuf, 4);
+       uint32_t protocol_magic;
+       size_t inbuf_len = smb_len_nbt(inbuf);
 
        if (num_pending != 1) {
                return NT_STATUS_INTERNAL_ERROR;
        }
 
+       if (inbuf_len < 4) {
+               return NT_STATUS_INVALID_NETWORK_RESPONSE;
+       }
+
        subreq = conn->pending[0];
        substate = tevent_req_data(subreq, struct smbXcli_req_state);
        req = tevent_req_callback_data(subreq, struct tevent_req);
 
+       protocol_magic = IVAL(inbuf, 4);
+
        switch (protocol_magic) {
        case SMB_MAGIC:
                tevent_req_set_callback(subreq, smbXcli_negprot_smb1_done, req);
@@ -4025,6 +4152,29 @@ uint64_t smb2cli_session_current_id(struct smbXcli_session *session)
        return session->smb2.session_id;
 }
 
+uint16_t smb2cli_session_get_flags(struct smbXcli_session *session)
+{
+       return session->smb2.session_flags;
+}
+
+NTSTATUS smb2cli_session_application_key(struct smbXcli_session *session,
+                                        TALLOC_CTX *mem_ctx,
+                                        DATA_BLOB *key)
+{
+       *key = data_blob_null;
+
+       if (session->smb2.application_key.length == 0) {
+               return NT_STATUS_NO_USER_SESSION_KEY;
+       }
+
+       *key = data_blob_dup_talloc(mem_ctx, session->smb2.application_key);
+       if (key->data == NULL) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       return NT_STATUS_OK;
+}
+
 void smb2cli_session_set_id_and_flags(struct smbXcli_session *session,
                                      uint64_t session_id,
                                      uint16_t session_flags)
@@ -4033,13 +4183,13 @@ void smb2cli_session_set_id_and_flags(struct smbXcli_session *session,
        session->smb2.session_flags = session_flags;
 }
 
-NTSTATUS smb2cli_session_update_session_key(struct smbXcli_session *session,
-                                           const DATA_BLOB session_key,
-                                           const struct iovec *recv_iov)
+NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
+                                        const DATA_BLOB _session_key,
+                                        const struct iovec *recv_iov)
 {
        struct smbXcli_conn *conn = session->conn;
        uint16_t no_sign_flags;
-       DATA_BLOB signing_key;
+       uint8_t session_key[16];
        NTSTATUS status;
 
        if (conn == NULL) {
@@ -4053,43 +4203,99 @@ NTSTATUS smb2cli_session_update_session_key(struct smbXcli_session *session,
                return NT_STATUS_OK;
        }
 
-       if (session->smb2.signing_key.length > 0) {
-               signing_key = session->smb2.signing_key;
-       } else {
-               signing_key = session_key;
+       if (session->smb2.signing_key.length != 0) {
+               return NT_STATUS_INVALID_PARAMETER_MIX;
        }
-       if (session->smb2.channel_setup) {
-               signing_key = session_key;
+
+       ZERO_STRUCT(session_key);
+       memcpy(session_key, _session_key.data,
+              MIN(_session_key.length, sizeof(session_key)));
+
+       session->smb2.signing_key = data_blob_talloc(session,
+                                                    session_key,
+                                                    sizeof(session_key));
+       if (session->smb2.signing_key.data == NULL) {
+               ZERO_STRUCT(session_key);
+               return NT_STATUS_NO_MEMORY;
        }
 
-       status = smb2_signing_check_pdu(signing_key, recv_iov, 3);
-       if (!NT_STATUS_IS_OK(status)) {
-               return status;
+       if (conn->protocol >= PROTOCOL_SMB2_24) {
+               const DATA_BLOB label = data_blob_string_const_null("SMB2AESCMAC");
+               const DATA_BLOB context = data_blob_string_const_null("SmbSign");
+
+               smb2_key_derivation(session_key, sizeof(session_key),
+                                   label.data, label.length,
+                                   context.data, context.length,
+                                   session->smb2.signing_key.data);
        }
 
-       if (!session->smb2.channel_setup) {
-               session->smb2.session_key = data_blob_dup_talloc(session,
-                                                                session_key);
-               if (session->smb2.session_key.data == NULL) {
-                       return NT_STATUS_NO_MEMORY;
-               }
+       session->smb2.encryption_key = data_blob_dup_talloc(session,
+                                               session->smb2.signing_key);
+       if (session->smb2.encryption_key.data == NULL) {
+               ZERO_STRUCT(session_key);
+               return NT_STATUS_NO_MEMORY;
        }
 
-       if (session->smb2.channel_setup) {
-               data_blob_free(&session->smb2.signing_key);
-               session->smb2.channel_setup = false;
+       if (conn->protocol >= PROTOCOL_SMB2_24) {
+               const DATA_BLOB label = data_blob_string_const_null("SMB2AESCCM");
+               const DATA_BLOB context = data_blob_string_const_null("ServerIn ");
+
+               smb2_key_derivation(session_key, sizeof(session_key),
+                                   label.data, label.length,
+                                   context.data, context.length,
+                                   session->smb2.encryption_key.data);
        }
 
-       if (session->smb2.signing_key.length > 0) {
-               return NT_STATUS_OK;
+       session->smb2.decryption_key = data_blob_dup_talloc(session,
+                                               session->smb2.signing_key);
+       if (session->smb2.decryption_key.data == NULL) {
+               ZERO_STRUCT(session_key);
+               return NT_STATUS_NO_MEMORY;
        }
 
-       session->smb2.signing_key = data_blob_dup_talloc(session, signing_key);
-       if (session->smb2.signing_key.data == NULL) {
+       if (conn->protocol >= PROTOCOL_SMB2_24) {
+               const DATA_BLOB label = data_blob_string_const_null("SMB2AESCCM");
+               const DATA_BLOB context = data_blob_string_const_null("ServerOut");
+
+               smb2_key_derivation(session_key, sizeof(session_key),
+                                   label.data, label.length,
+                                   context.data, context.length,
+                                   session->smb2.decryption_key.data);
+       }
+
+       session->smb2.application_key = data_blob_dup_talloc(session,
+                                               session->smb2.signing_key);
+       if (session->smb2.application_key.data == NULL) {
+               ZERO_STRUCT(session_key);
                return NT_STATUS_NO_MEMORY;
        }
 
+       if (conn->protocol >= PROTOCOL_SMB2_24) {
+               const DATA_BLOB label = data_blob_string_const_null("SMB2APP");
+               const DATA_BLOB context = data_blob_string_const_null("SmbRpc");
+
+               smb2_key_derivation(session_key, sizeof(session_key),
+                                   label.data, label.length,
+                                   context.data, context.length,
+                                   session->smb2.application_key.data);
+       }
+       ZERO_STRUCT(session_key);
+
+       session->smb2.channel_signing_key = data_blob_dup_talloc(session,
+                                               session->smb2.signing_key);
+       if (session->smb2.channel_signing_key.data == NULL) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       status = smb2_signing_check_pdu(session->smb2.channel_signing_key,
+                                       session->conn->protocol,
+                                       recv_iov, 3);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
        session->smb2.should_sign = false;
+       session->smb2.should_encrypt = false;
 
        if (conn->desire_signing) {
                session->smb2.should_sign = true;
@@ -4099,6 +4305,10 @@ NTSTATUS smb2cli_session_update_session_key(struct smbXcli_session *session,
                session->smb2.should_sign = true;
        }
 
+       generate_random_buffer((uint8_t *)&session->smb2.channel_nonce,
+                              sizeof(session->smb2.channel_nonce));
+       session->smb2.channel_next = 1;
+
        return NT_STATUS_OK;
 }
 
@@ -4113,6 +4323,10 @@ NTSTATUS smb2cli_session_create_channel(TALLOC_CTX *mem_ctx,
                return NT_STATUS_INVALID_PARAMETER_MIX;
        }
 
+       if (session1->smb2.channel_next == 0) {
+               return NT_STATUS_INVALID_PARAMETER_MIX;
+       }
+
        if (conn == NULL) {
                return NT_STATUS_INVALID_PARAMETER_MIX;
        }
@@ -4124,20 +4338,36 @@ NTSTATUS smb2cli_session_create_channel(TALLOC_CTX *mem_ctx,
        session2->smb2.session_id = session1->smb2.session_id;
        session2->smb2.session_flags = session1->smb2.session_flags;
 
-       session2->smb2.session_key = data_blob_dup_talloc(session2,
-                                               session1->smb2.session_key);
-       if (session2->smb2.session_key.data == NULL) {
-               return NT_STATUS_NO_MEMORY;
-       }
-
        session2->smb2.signing_key = data_blob_dup_talloc(session2,
                                                session1->smb2.signing_key);
        if (session2->smb2.signing_key.data == NULL) {
                return NT_STATUS_NO_MEMORY;
        }
 
+       session2->smb2.application_key = data_blob_dup_talloc(session2,
+                                               session1->smb2.application_key);
+       if (session2->smb2.application_key.data == NULL) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
        session2->smb2.should_sign = session1->smb2.should_sign;
-       session2->smb2.channel_setup = true;
+       session2->smb2.should_encrypt = session1->smb2.should_encrypt;
+
+       session2->smb2.channel_nonce = session1->smb2.channel_nonce;
+       session2->smb2.channel_nonce += session1->smb2.channel_next;
+       session1->smb2.channel_next++;
+
+       session2->smb2.encryption_key = data_blob_dup_talloc(session2,
+                                               session1->smb2.encryption_key);
+       if (session2->smb2.encryption_key.data == NULL) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       session2->smb2.decryption_key = data_blob_dup_talloc(session2,
+                                               session1->smb2.decryption_key);
+       if (session2->smb2.decryption_key.data == NULL) {
+               return NT_STATUS_NO_MEMORY;
+       }
 
        talloc_set_destructor(session2, smbXcli_session_destructor);
        DLIST_ADD_END(conn->sessions, session2, struct smbXcli_session *);
@@ -4146,3 +4376,52 @@ NTSTATUS smb2cli_session_create_channel(TALLOC_CTX *mem_ctx,
        *_session2 = session2;
        return NT_STATUS_OK;
 }
+
+NTSTATUS smb2cli_session_set_channel_key(struct smbXcli_session *session,
+                                        const DATA_BLOB _channel_key,
+                                        const struct iovec *recv_iov)
+{
+       struct smbXcli_conn *conn = session->conn;
+       uint8_t channel_key[16];
+       NTSTATUS status;
+
+       if (conn == NULL) {
+               return NT_STATUS_INVALID_PARAMETER_MIX;
+       }
+
+       if (session->smb2.channel_signing_key.length != 0) {
+               return NT_STATUS_INVALID_PARAMETER_MIX;
+       }
+
+       ZERO_STRUCT(channel_key);
+       memcpy(channel_key, _channel_key.data,
+              MIN(_channel_key.length, sizeof(channel_key)));
+
+       session->smb2.channel_signing_key = data_blob_talloc(session,
+                                               channel_key,
+                                               sizeof(channel_key));
+       if (session->smb2.channel_signing_key.data == NULL) {
+               ZERO_STRUCT(channel_key);
+               return NT_STATUS_NO_MEMORY;
+       }
+
+       if (conn->protocol >= PROTOCOL_SMB2_24) {
+               const DATA_BLOB label = data_blob_string_const_null("SMB2AESCMAC");
+               const DATA_BLOB context = data_blob_string_const_null("SmbSign");
+
+               smb2_key_derivation(channel_key, sizeof(channel_key),
+                                   label.data, label.length,
+                                   context.data, context.length,
+                                   session->smb2.channel_signing_key.data);
+       }
+       ZERO_STRUCT(channel_key);
+
+       status = smb2_signing_check_pdu(session->smb2.channel_signing_key,
+                                       session->conn->protocol,
+                                       recv_iov, 3);
+       if (!NT_STATUS_IS_OK(status)) {
+               return status;
+       }
+
+       return NT_STATUS_OK;
+}