Prevent verification between unverified devices

This commit is contained in:
RMidhunSuresh 2023-06-14 18:23:34 +05:30
parent c27d1b68be
commit 1da93493f6

View File

@ -231,9 +231,34 @@ export class CrossSigning {
return this.sasVerificationInProgress;
}
private handleSASDeviceMessage({ unencrypted: event }) {
if (!event) { return; }
private async handleSASDeviceMessage({ unencrypted: event }) {
if (!event ||
(event.type !== VerificationEventType.Request && event.type !== VerificationEventType.Start)
) {
return;
}
await this.platform.logger.run("CrossSigning.handleSASDeviceMessage", async log => {
const txnId = event.content.transaction_id;
const fromDevice = event.content.from_device;
const fromUser = event.sender;
if (!fromDevice || fromUser !== this.ownUserId) {
/**
* SAS verification may be started with a request or a start message but
* both should contain a from_device.
*/
return;
}
if (!await this.areWeVerified(log)) {
/**
* If we're not verified, then the other device MUST be verified.
* We check this so that verification between two unverified devices
* never happen!
*/
const device = await this.deviceTracker.deviceForId(this.ownUserId, fromDevice, this.hsApi, log);
if (!device || !await this.isOurUserDeviceTrusted(device!, log)) {
return;
}
}
/**
* If we receive an event for the current/previously finished
* SAS verification, we should ignore it because the device channel
@ -259,6 +284,7 @@ export class CrossSigning {
// we don't care about this event!
return;
}
});
}
/** returns our own device key signed by our self-signing key. Other signatures will be missing. */
@ -362,9 +388,9 @@ export class CrossSigning {
});
}
areWeVerified(log: ILogItem): Promise<boolean> {
return log.wrap("CrossSigning.areWeVerified", async () => {
const device = await this.deviceTracker.deviceForId(this.ownUserId, this.deviceId, this.hsApi, log);
areWeVerified(log?: ILogItem): Promise<boolean> {
return this.platform.logger.wrapOrRun(log, "CrossSigning.areWeVerified", async (_log) => {
const device = await this.deviceTracker.deviceForId(this.ownUserId, this.deviceId, this.hsApi, _log);
return this.isOurUserDeviceTrusted(device!, log);
});
}