fix the selection of the verification methods, and test more things

spec/unit/crypto/verification/sas.spec.js

@@ -160,10 +160,25 @@ describe("SAS verification", function() {
         });
 
         it("should verify a key", async function() {
+            let macMethod;
+            const origSendToDevice = alice.sendToDevice;
+            bob.sendToDevice = function(type, map) {
+                if (type === "m.key.verification.accept") {
+                    macMethod = map[alice.getUserId()][alice.deviceId]
+                        .message_authentication_code;
+                }
+                return origSendToDevice.call(this, type, map);
+            };
+
             await Promise.all([
                 aliceVerifier.verify(),
                 bobPromise.then((verifier) => verifier.verify()),
             ]);
+
+            // make sure that it uses the preferred method
+            expect(macMethod).toBe("hkdf-hmac-sha256");
+
+            // make sure Alice and Bob verified each other
             expect(alice.setDeviceVerified)
                 .toHaveBeenCalledWith(bob.getUserId(), bob.deviceId);
             expect(bob.setDeviceVerified)
@@ -173,6 +188,7 @@ describe("SAS verification", function() {
         it("should be able to verify using the old MAC", async function() {
             // pretend that Alice can only understand the old (incorrect) MAC,
             // and make sure that she can still verify with Bob
+            let macMethod;
             const origSendToDevice = alice.sendToDevice;
             alice.sendToDevice = function(type, map) {
                 if (type === "m.key.verification.start") {
@@ -186,10 +202,21 @@ describe("SAS verification", function() {
                 }
                 return origSendToDevice.call(this, type, map);
             };
+            bob.sendToDevice = function(type, map) {
+                if (type === "m.key.verification.accept") {
+                    macMethod = map[alice.getUserId()][alice.deviceId]
+                        .message_authentication_code;
+                }
+                return origSendToDevice.call(this, type, map);
+            };
+
             await Promise.all([
                 aliceVerifier.verify(),
                 bobPromise.then((verifier) => verifier.verify()),
             ]);
+
+            expect(macMethod).toBe("hmac-sha256");
+
             expect(alice.setDeviceVerified)
                 .toHaveBeenCalledWith(bob.getUserId(), bob.deviceId);
             expect(bob.setDeviceVerified)

src/crypto/verification/SAS.js

@@ -281,12 +281,18 @@ export default class SAS extends Base {
 
     async _doRespondVerification() {
         let content = this.startEvent.getContent();
+        // Note: we intersect using our pre-made lists, rather than the sets,
+        // so that the result will be in our order of preference.  Then
+        // fetching the first element from the array will give our preferred
+        // method out of the ones offered by the other party.
         const keyAgreement
-              = intersection(content.key_agreement_protocols, KEY_AGREEMENT_SET)[0];
+              = intersection(
+                  KEY_AGREEMENT_LIST, new Set(content.key_agreement_protocols),
+              )[0];
         const hashMethod
-              = intersection(content.hashes, HASHES_SET)[0];
+              = intersection(HASHES_LIST, new Set(content.hashes))[0];
         const macMethod
-              = intersection(content.message_authentication_codes, MAC_SET)[0];
+              = intersection(MAC_LIST, new Set(content.message_authentication_codes))[0];
         // FIXME: allow app to specify what SAS methods can be used
         const sasMethods
               = intersection(content.short_authentication_string, SAS_SET);