diff --git a/src/transport/SecureMessageCodec.cpp b/src/transport/SecureMessageCodec.cpp index d1746479392350..666c5f3e69192b 100644 --- a/src/transport/SecureMessageCodec.cpp +++ b/src/transport/SecureMessageCodec.cpp @@ -36,8 +36,8 @@ using System::PacketBufferHandle; namespace SecureMessageCodec { -CHIP_ERROR Encode(Transport::SecureSession * state, PayloadHeader & payloadHeader, PacketHeader & packetHeader, - System::PacketBufferHandle & msgBuf, MessageCounter & counter) +CHIP_ERROR Encrypt(Transport::SecureSession * state, PayloadHeader & payloadHeader, PacketHeader & packetHeader, + System::PacketBufferHandle & msgBuf, MessageCounter & counter) { VerifyOrReturnError(!msgBuf.IsNull(), CHIP_ERROR_INVALID_ARGUMENT); VerifyOrReturnError(!msgBuf->HasChainedBuffer(), CHIP_ERROR_INVALID_MESSAGE_LENGTH); @@ -72,8 +72,8 @@ CHIP_ERROR Encode(Transport::SecureSession * state, PayloadHeader & payloadHeade return CHIP_NO_ERROR; } -CHIP_ERROR Decode(Transport::SecureSession * state, PayloadHeader & payloadHeader, const PacketHeader & packetHeader, - System::PacketBufferHandle & msg) +CHIP_ERROR Decrypt(Transport::SecureSession * state, PayloadHeader & payloadHeader, const PacketHeader & packetHeader, + System::PacketBufferHandle & msg) { ReturnErrorCodeIf(msg.IsNull(), CHIP_ERROR_INVALID_ARGUMENT); diff --git a/src/transport/SecureMessageCodec.h b/src/transport/SecureMessageCodec.h index dcba0dc1199b34..455466f374f9ec 100644 --- a/src/transport/SecureMessageCodec.h +++ b/src/transport/SecureMessageCodec.h @@ -49,8 +49,8 @@ namespace SecureMessageCodec { * @param counter The local counter object to be used * @ return CHIP_ERROR The result of the encode operation */ -CHIP_ERROR Encode(Transport::SecureSession * state, PayloadHeader & payloadHeader, PacketHeader & packetHeader, - System::PacketBufferHandle & msgBuf, MessageCounter & counter); +CHIP_ERROR Encrypt(Transport::SecureSession * state, PayloadHeader & payloadHeader, PacketHeader & packetHeader, + System::PacketBufferHandle & msgBuf, MessageCounter & counter); /** * @brief @@ -66,8 +66,8 @@ CHIP_ERROR Encode(Transport::SecureSession * state, PayloadHeader & payloadHeade * unencrypted message. * @ return CHIP_ERROR The result of the decode operation */ -CHIP_ERROR Decode(Transport::SecureSession * state, PayloadHeader & payloadHeader, const PacketHeader & packetHeader, - System::PacketBufferHandle & msgBuf); +CHIP_ERROR Decrypt(Transport::SecureSession * state, PayloadHeader & payloadHeader, const PacketHeader & packetHeader, + System::PacketBufferHandle & msgBuf); } // namespace SecureMessageCodec } // namespace chip diff --git a/src/transport/SessionManager.cpp b/src/transport/SessionManager.cpp index c6fa054918e031..79970cadd5ffbe 100644 --- a/src/transport/SessionManager.cpp +++ b/src/transport/SessionManager.cpp @@ -124,7 +124,7 @@ CHIP_ERROR SessionManager::PrepareMessage(SessionHandle session, PayloadHeader & } MessageCounter & counter = GetSendCounterForPacket(payloadHeader, *state); - ReturnErrorOnFailure(SecureMessageCodec::Encode(state, payloadHeader, packetHeader, message, counter)); + ReturnErrorOnFailure(SecureMessageCodec::Encrypt(state, payloadHeader, packetHeader, message, counter)); #if CHIP_PROGRESS_LOGGING destination = state->GetPeerNodeId(); @@ -399,6 +399,10 @@ void SessionManager::SecureMessageDispatch(const PacketHeader & packetHeader, co ExitNow(err = CHIP_ERROR_KEY_NOT_FOUND_FROM_PEER); } + // Decrypt and verify the message before message counter verification or any further processing. + VerifyOrExit(CHIP_NO_ERROR == SecureMessageCodec::Decrypt(state, payloadHeader, packetHeader, msg), + ChipLogError(Inet, "Secure transport received message, but failed to decode/authenticate it, discarding")); + // Verify message counter if (packetHeader.GetFlags().Has(Header::FlagValues::kSecureSessionControlMessage)) { @@ -445,10 +449,6 @@ void SessionManager::SecureMessageDispatch(const PacketHeader & packetHeader, co mPeerConnections.MarkConnectionActive(state); - // Decode the message - VerifyOrExit(CHIP_NO_ERROR == SecureMessageCodec::Decode(state, payloadHeader, packetHeader, msg), - ChipLogError(Inet, "Secure transport received message, but failed to decode it, discarding")); - if (isDuplicate == SessionManagerDelegate::DuplicateMessage::Yes && !payloadHeader.NeedsAck()) { ChipLogDetail(Inet,