project-chip · restyled-io · Sep 30, 2021 · Sep 30, 2021 · Sep 30, 2021 · Sep 30, 2021
diff --git a/src/transport/SecureMessageCodec.cpp b/src/transport/SecureMessageCodec.cpp
@@ -36,8 +36,8 @@ using System::PacketBufferHandle;
 
 namespace SecureMessageCodec {
 
-CHIP_ERROR Encode(Transport::SecureSession * state, PayloadHeader & payloadHeader, PacketHeader & packetHeader,
-                  System::PacketBufferHandle & msgBuf, MessageCounter & counter)
+CHIP_ERROR Encrypt(Transport::SecureSession * state, PayloadHeader & payloadHeader, PacketHeader & packetHeader,
+                   System::PacketBufferHandle & msgBuf, MessageCounter & counter)
 {
     VerifyOrReturnError(!msgBuf.IsNull(), CHIP_ERROR_INVALID_ARGUMENT);
     VerifyOrReturnError(!msgBuf->HasChainedBuffer(), CHIP_ERROR_INVALID_MESSAGE_LENGTH);
@@ -72,8 +72,8 @@ CHIP_ERROR Encode(Transport::SecureSession * state, PayloadHeader & payloadHeade
     return CHIP_NO_ERROR;
 }
 
-CHIP_ERROR Decode(Transport::SecureSession * state, PayloadHeader & payloadHeader, const PacketHeader & packetHeader,
-                  System::PacketBufferHandle & msg)
+CHIP_ERROR Decrypt(Transport::SecureSession * state, PayloadHeader & payloadHeader, const PacketHeader & packetHeader,
+                   System::PacketBufferHandle & msg)
 {
     ReturnErrorCodeIf(msg.IsNull(), CHIP_ERROR_INVALID_ARGUMENT);
 

diff --git a/src/transport/SecureMessageCodec.h b/src/transport/SecureMessageCodec.h
@@ -49,8 +49,8 @@ namespace SecureMessageCodec {
  * @param counter       The local counter object to be used
  * @ return CHIP_ERROR  The result of the encode operation
  */
-CHIP_ERROR Encode(Transport::SecureSession * state, PayloadHeader & payloadHeader, PacketHeader & packetHeader,
-                  System::PacketBufferHandle & msgBuf, MessageCounter & counter);
+CHIP_ERROR Encrypt(Transport::SecureSession * state, PayloadHeader & payloadHeader, PacketHeader & packetHeader,
+                   System::PacketBufferHandle & msgBuf, MessageCounter & counter);
 
 /**
  * @brief
@@ -66,8 +66,8 @@ CHIP_ERROR Encode(Transport::SecureSession * state, PayloadHeader & payloadHeade
  *                      unencrypted message.
  * @ return CHIP_ERROR  The result of the decode operation
  */
-CHIP_ERROR Decode(Transport::SecureSession * state, PayloadHeader & payloadHeader, const PacketHeader & packetHeader,
-                  System::PacketBufferHandle & msgBuf);
+CHIP_ERROR Decrypt(Transport::SecureSession * state, PayloadHeader & payloadHeader, const PacketHeader & packetHeader,
+                   System::PacketBufferHandle & msgBuf);
 } // namespace SecureMessageCodec
 
 } // namespace chip
diff --git a/src/transport/SessionManager.cpp b/src/transport/SessionManager.cpp
@@ -124,7 +124,7 @@ CHIP_ERROR SessionManager::PrepareMessage(SessionHandle session, PayloadHeader &
         }
 
         MessageCounter & counter = GetSendCounterForPacket(payloadHeader, *state);
-        ReturnErrorOnFailure(SecureMessageCodec::Encode(state, payloadHeader, packetHeader, message, counter));
+        ReturnErrorOnFailure(SecureMessageCodec::Encrypt(state, payloadHeader, packetHeader, message, counter));
 
 #if CHIP_PROGRESS_LOGGING
         destination = state->GetPeerNodeId();
@@ -399,6 +399,10 @@ void SessionManager::SecureMessageDispatch(const PacketHeader & packetHeader, co
         ExitNow(err = CHIP_ERROR_KEY_NOT_FOUND_FROM_PEER);
     }
 
+    // Decrypt and verify the message before message counter verification or any further processing.
+    VerifyOrExit(CHIP_NO_ERROR == SecureMessageCodec::Decrypt(state, payloadHeader, packetHeader, msg),
+                 ChipLogError(Inet, "Secure transport received message, but failed to decode/authenticate it, discarding"));
+
     // Verify message counter
     if (packetHeader.GetFlags().Has(Header::FlagValues::kSecureSessionControlMessage))
     {
@@ -445,10 +449,6 @@ void SessionManager::SecureMessageDispatch(const PacketHeader & packetHeader, co
 
     mPeerConnections.MarkConnectionActive(state);
 
-    // Decode the message
-    VerifyOrExit(CHIP_NO_ERROR == SecureMessageCodec::Decode(state, payloadHeader, packetHeader, msg),
-                 ChipLogError(Inet, "Secure transport received message, but failed to decode it, discarding"));
-
     if (isDuplicate == SessionManagerDelegate::DuplicateMessage::Yes && !payloadHeader.NeedsAck())
     {
         ChipLogDetail(Inet,