mirror of
https://github.com/vector-im/hydrogen-web.git
synced 2024-12-23 03:25:12 +01:00
Prevent verification between unverified devices
parent
c27d1b68be
commit
1da93493f6
@ -231,9 +231,34 @@ export class CrossSigning {
|
||||
return this.sasVerificationInProgress;
|
||||
}
|
||||
|
||||
private handleSASDeviceMessage({ unencrypted: event }) {
|
||||
if (!event) { return; }
|
||||
private async handleSASDeviceMessage({ unencrypted: event }) {
|
||||
if (!event ||
|
||||
(event.type !== VerificationEventType.Request && event.type !== VerificationEventType.Start)
|
||||
) {
|
||||
return;
|
||||
}
|
||||
await this.platform.logger.run("CrossSigning.handleSASDeviceMessage", async log => {
|
||||
const txnId = event.content.transaction_id;
|
||||
const fromDevice = event.content.from_device;
|
||||
const fromUser = event.sender;
|
||||
if (!fromDevice || fromUser !== this.ownUserId) {
|
||||
/**
|
||||
* SAS verification may be started with a request or a start message but
|
||||
* both should contain a from_device.
|
||||
*/
|
||||
return;
|
||||
}
|
||||
if (!await this.areWeVerified(log)) {
|
||||
/**
|
||||
* If we're not verified, then the other device MUST be verified.
|
||||
* We check this so that verification between two unverified devices
|
||||
* never happen!
|
||||
*/
|
||||
const device = await this.deviceTracker.deviceForId(this.ownUserId, fromDevice, this.hsApi, log);
|
||||
if (!device || !await this.isOurUserDeviceTrusted(device!, log)) {
|
||||
return;
|
||||
}
|
||||
}
|
||||
/**
|
||||
* If we receive an event for the current/previously finished
|
||||
* SAS verification, we should ignore it because the device channel
|
||||
@ -259,6 +284,7 @@ export class CrossSigning {
|
||||
// we don't care about this event!
|
||||
return;
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
/** returns our own device key signed by our self-signing key. Other signatures will be missing. */
|
||||
@ -362,9 +388,9 @@ export class CrossSigning {
|
||||
});
|
||||
}
|
||||
|
||||
areWeVerified(log: ILogItem): Promise<boolean> {
|
||||
return log.wrap("CrossSigning.areWeVerified", async () => {
|
||||
const device = await this.deviceTracker.deviceForId(this.ownUserId, this.deviceId, this.hsApi, log);
|
||||
areWeVerified(log?: ILogItem): Promise<boolean> {
|
||||
return this.platform.logger.wrapOrRun(log, "CrossSigning.areWeVerified", async (_log) => {
|
||||
const device = await this.deviceTracker.deviceForId(this.ownUserId, this.deviceId, this.hsApi, _log);
|
||||
return this.isOurUserDeviceTrusted(device!, log);
|
||||
});
|
||||
}
|
||||
|
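Review bot: In the new `areWeVerified`, the `wrapOrRun` callback receives `_log`, but the last line still passes the outer, now-optional `log` to `isOurUserDeviceTrusted`, so a call made without a log item hands it `undefined`; that line should read `return this.isOurUserDeviceTrusted(device!, _log);`. The `device!` on the same line asserts away a failed lookup, while the new handler guards the same `deviceForId` call with `!device`; adding `if (!device) { return false; }` before it would keep this trust decision failing closed instead of depending on how the callee treats `undefined`. In `handleSASDeviceMessage`, the two new early returns (wrong sender or missing `from_device`, and untrusted requesting device) drop the request without a trace, so recording the rejection reason on `log` would make refused verification attempts visible during an investigation. `from_device` is read from the unencrypted event content, so the trust gate acts on a claimed device id; presumably the later SAS steps bind to that device's keys, but a comment stating this next to the check would document the assumption.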