Consistency checks for E2E device downloads

Check that the user_id and device_id in device query responses match those that
we expect.

This resolves an unknown-key attack whereby Eve can re-sign Bob's keys with her
own key, thus getting Alice to send her messages which she can then forward to
Bob, making Bob think that Alice sent the messages to him.

lib/crypto/index.js

@@ -350,9 +350,22 @@ function _updateStoredDeviceKeysForUser(_olmDevice, userId, userStore,
             continue;
         }
 
-        if (_storeDeviceKeys(
-            _olmDevice, userId, deviceId, userStore, userResult[deviceId]
-        )) {
+        var deviceResult = userResult[deviceId];
+
+        // check that the user_id and device_id in the response object are
+        // correct
+        if (deviceResult.user_id !== userId) {
+            console.warn("Mismatched user_id " + deviceResult.user_id +
+                         " in keys from " + userId + ":" + deviceId);
+            continue;
+        }
+        if (deviceResult.device_id !== deviceId) {
+            console.warn("Mismatched device_id " + deviceResult.device_id +
+                         " in keys from " + userId + ":" + deviceId);
+            continue;
+        }
+
+        if (_storeDeviceKeys(_olmDevice, userStore, deviceResult)) {
             updated = true;
         }
     }
@@ -365,12 +378,15 @@ function _updateStoredDeviceKeysForUser(_olmDevice, userId, userStore,
  *
  * returns true if a change was made, else false
  */
-function _storeDeviceKeys(_olmDevice, userId, deviceId, userStore, deviceResult) {
+function _storeDeviceKeys(_olmDevice, userStore, deviceResult) {
     if (!deviceResult.keys) {
         // no keys?
         return false;
     }
 
+    var deviceId = deviceResult.device_id;
+    var userId = deviceResult.user_id;
+
     var signKeyId = "ed25519:" + deviceId;
     var signKey = deviceResult.keys[signKeyId];
     if (!signKey) {