From 8a00ff7f1f931939746bc150435951fcb6350003 Mon Sep 17 00:00:00 2001
From: "J. Ryan Stinnett"
Date: Tue, 21 Jan 2020 11:00:38 +0000
Subject: [PATCH 1/3] Change all user info verification checks to cross-signing
This fixes some user vs. device verification confusion in user info by changing all the verification tests to the cross-signing variant when the lab is enabled.
Fixes https://github.com/vector-im/riot-web/issues/11886
---
 src/components/views/right_panel/UserInfo.js | 25 +++++++++++++-------
 1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/src/components/views/right_panel/UserInfo.js b/src/components/views/right_panel/UserInfo.js
index 5f7de42368..15387af8d5 100644
--- a/src/components/views/right_panel/UserInfo.js
+++ b/src/components/views/right_panel/UserInfo.js
@@ -129,18 +129,21 @@ function verifyUser(user) {
 function DeviceItem({userId, device}) {
 const cli = useContext(MatrixClientContext);
 const deviceTrust = cli.checkDeviceTrust(userId, device.deviceId);
+ const isVerified = SettingsStore.isFeatureEnabled("feature_cross_signing") ?
+ deviceTrust.isCrossSigningVerified() :
+ deviceTrust.isVerified();
 const classes = classNames("mx_UserInfo_device", {
- mx_UserInfo_device_verified: deviceTrust.isVerified(),
- mx_UserInfo_device_unverified: !deviceTrust.isVerified(),
+ mx_UserInfo_device_verified: isVerified,
+ mx_UserInfo_device_unverified: !isVerified,
 });
 const iconClasses = classNames("mx_E2EIcon", {
- mx_E2EIcon_verified: deviceTrust.isVerified(),
- mx_E2EIcon_warning: !deviceTrust.isVerified(),
+ mx_E2EIcon_verified: isVerified,
+ mx_E2EIcon_warning: !isVerified,
 });
 const onDeviceClick = () => {
- if (!deviceTrust.isVerified()) {
+ if (!isVerified) {
 verifyDevice(userId, device);
 }
 };
@@ -148,7 +151,7 @@ function DeviceItem({userId, device}) { const deviceName = device.ambiguous ? (device.getDisplayName() ? device.getDisplayName() : "") + " (" + device.deviceId + ")" : device.getDisplayName(); - const trustedLabel = deviceTrust.isVerified() ? _t("Trusted") : _t("Not trusted"); + const trustedLabel = isVerified ? _t("Trusted") : _t("Not trusted"); return (
{deviceName}
@@ -177,8 +180,11 @@ function DevicesSection({devices, userId, loading}) {
 for (let i = 0; i < devices.length; ++i) {
 const device = devices[i];
 const deviceTrust = deviceTrusts[i];
+ const isVerified = SettingsStore.isFeatureEnabled("feature_cross_signing") ?
+ deviceTrust.isCrossSigningVerified() :
+ deviceTrust.isVerified();
- if (deviceTrust.isVerified()) {
+ if (isVerified) {
 verifiedDevices.push(device);
 } else {
 unverifiedDevices.push(device);
@@ -1277,7 +1283,10 @@ const UserInfo = ({user, groupId, roomId, onClose}) => {
 text = _t("Messages in this room are end-to-end encrypted.");
 }
- const userVerified = cli.checkUserTrust(user.userId).isVerified();
+ const userTrust = cli.checkUserTrust(user.userId);
+ const userVerified = SettingsStore.isFeatureEnabled("feature_cross_signing") ?
+ userTrust.isCrossSigningVerified() :
+ userTrust.isVerified();
 const isMe = user.userId === cli.getUserId();
 let verifyButton;
 if (!userVerified && !isMe) {
From a7231d73367828e70a2005080ae44c317a579cb0 Mon Sep 17 00:00:00 2001
From: "J. Ryan Stinnett"
Date: Tue, 21 Jan 2020 11:33:09 +0000
Subject: [PATCH 2/3] New session toast should check cross-signing verification
To ensure all your sessions are cross-signing verified, we use the more specific test for only that kind of verification in the new session toast.
---
 src/DeviceListener.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/DeviceListener.js b/src/DeviceListener.js
index 9ae6a62ab1..a4c5785db4 100644
--- a/src/DeviceListener.js
+++ b/src/DeviceListener.js
@@ -75,7 +75,7 @@ export default class DeviceListener {
 if (device.deviceId == cli.deviceId) continue;
 const deviceTrust = await cli.checkDeviceTrust(cli.getUserId(), device.deviceId);
- if (deviceTrust.isVerified() || this._dismissed.has(device.deviceId)) {
+ if (deviceTrust.isCrossSigningVerified() || this._dismissed.has(device.deviceId)) {
 ToastStore.sharedInstance().dismissToast(toastKey(device));
 } else {
 ToastStore.sharedInstance().addOrReplaceToast({
From b3d56b378e3e5e959204fc0c1a880fb89b3203b7 Mon Sep 17 00:00:00 2001
From: "J. Ryan Stinnett"
Date: Tue, 21 Jan 2020 12:03:46 +0000
Subject: [PATCH 3/3] Use cross-signing verification only for own devices
The device verification checks are slightly more nuanced: we want to use stricter cross-signing checks for your own devices to encourage everyone to trust their devices via cross-signing so that other users can in turn trust them. However, for other users, it's okay to use the looser verification check that also includes locally verified devices.
---
 src/components/views/right_panel/UserInfo.js | 25 +++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)
diff --git a/src/components/views/right_panel/UserInfo.js b/src/components/views/right_panel/UserInfo.js
index 15387af8d5..a0819be472 100644
--- a/src/components/views/right_panel/UserInfo.js
+++ b/src/components/views/right_panel/UserInfo.js
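Review bot: The replaced condition in `src/DeviceListener.js` calls `deviceTrust.isCrossSigningVerified()` unconditionally, whereas the checks added to `UserInfo.js` in patch 1/3 fall back to `isVerified()` when `feature_cross_signing` is off. The start of this method is outside the hunk, so I cannot see whether it returns early when the lab is disabled; if it does not, every session that was only verified locally fails this test and gets a new-session toast until it is dismissed. I would confirm the guard exists and record it above the condition, for example `// Only reached with feature_cross_signing enabled: own sessions must be cross-signed, local verification alone is not enough`, or gate the call the same way as in `UserInfo.js`.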
@@ -64,10 +64,17 @@ const _getE2EStatus = (cli, userId, devices) => {
 const hasUnverifiedDevice = devices.some((device) => device.isUnverified());
 return hasUnverifiedDevice ? "warning" : "verified";
 }
+ const isMe = userId === cli.getUserId();
 const userVerified = cli.checkUserTrust(userId).isCrossSigningVerified();
 const allDevicesVerified = devices.every(device => {
 const { deviceId } = device;
- return cli.checkDeviceTrust(userId, deviceId).isCrossSigningVerified();
+ // For your own devices, we use the stricter check of cross-signing
+ // verification to encourage everyone to trust their own devices via
+ // cross-signing so that other users can then safely trust you.
+ // For other people's devices, the more general verified check that
+ // includes locally verified devices can be used.
+ const deviceTrust = cli.checkDeviceTrust(userId, deviceId);
+ return isMe ? deviceTrust.isCrossSigningVerified() : deviceTrust.isVerified();
 });
 if (allDevicesVerified) {
 return userVerified ? "verified" : "normal";
@@ -128,8 +135,14 @@ function verifyUser(user) {
 function DeviceItem({userId, device}) {
 const cli = useContext(MatrixClientContext);
+ const isMe = userId === cli.getUserId();
 const deviceTrust = cli.checkDeviceTrust(userId, device.deviceId);
- const isVerified = SettingsStore.isFeatureEnabled("feature_cross_signing") ?
+ // For your own devices, we use the stricter check of cross-signing
+ // verification to encourage everyone to trust their own devices via
+ // cross-signing so that other users can then safely trust you.
+ // For other people's devices, the more general verified check that
+ // includes locally verified devices can be used.
+ const isVerified = (isMe && SettingsStore.isFeatureEnabled("feature_cross_signing")) ?
 deviceTrust.isCrossSigningVerified() :
 deviceTrust.isVerified();
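Review bot: The own-device versus other-user trust rule is now spelled out three times in `UserInfo.js` — in this `_getE2EStatus` hunk and again in the `DeviceItem` and `DevicesSection` hunks — each with the same five-line comment, and the copies already differ: this one returns `isMe ? … : …` without the `feature_cross_signing` test that the other two apply. That is presumably safe because of the early return above, whose condition is outside the hunk, but it is exactly the kind of drift that ends with one view showing a device as trusted and another not. Because this expression decides the shield and the "Trusted" label, I would move it into one helper that carries the comment once and call it from all three places.

```javascript
// For your own devices, require cross-signing verification so that other
// users can safely trust you; for other users' devices, locally verified
// devices also count.
function isDeviceVerified(cli, userId, deviceTrust) {
    const isMe = userId === cli.getUserId();
    const strict = isMe && SettingsStore.isFeatureEnabled("feature_cross_signing");
    return strict ? deviceTrust.isCrossSigningVerified() : deviceTrust.isVerified();
}

// … unchanged: _getE2EStatus up to the devices.every() callback …
        const deviceTrust = cli.checkDeviceTrust(userId, deviceId);
        return isDeviceVerified(cli, userId, deviceTrust);
```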
@@ -172,6 +185,7 @@ function DevicesSection({devices, userId, loading}) {
 if (devices === null) {
 return _t("Unable to load device list");
 }
+ const isMe = userId === cli.getUserId();
 const deviceTrusts = devices.map(d => cli.checkDeviceTrust(userId, d.deviceId));
 const unverifiedDevices = [];
@@ -180,7 +194,12 @@ function DevicesSection({devices, userId, loading}) {
 for (let i = 0; i < devices.length; ++i) {
 const device = devices[i];
 const deviceTrust = deviceTrusts[i];
- const isVerified = SettingsStore.isFeatureEnabled("feature_cross_signing") ?
+ // For your own devices, we use the stricter check of cross-signing
+ // verification to encourage everyone to trust their own devices via
+ // cross-signing so that other users can then safely trust you.
+ // For other people's devices, the more general verified check that
+ // includes locally verified devices can be used.
+ const isVerified = (isMe && SettingsStore.isFeatureEnabled("feature_cross_signing")) ?
 deviceTrust.isCrossSigningVerified() :
 deviceTrust.isVerified();