From 46edc59097f8919910ca714949893b49caabd237 Mon Sep 17 00:00:00 2001
From: "No." <tusooa@kazv.moe>
Date: Tue, 9 Jun 2026 20:23:06 -0400
Subject: [PATCH] Fix logic error in validation of incoming olm-encrypted
 messages

Signed-off-by: tusooa <tusooa@kazv.moe>
---
 .../client_server/newsfragments/2394.clarification    |  1 +
 .../modules/end_to_end_encryption.md                  | 11 ++++++-----
 2 files changed, 7 insertions(+), 5 deletions(-)
 create mode 100644 changelogs/client_server/newsfragments/2394.clarification

diff --git a/changelogs/client_server/newsfragments/2394.clarification b/changelogs/client_server/newsfragments/2394.clarification
new file mode 100644
index 00000000..bb12bb1b
--- /dev/null
+++ b/changelogs/client_server/newsfragments/2394.clarification
@@ -0,0 +1 @@
+Fix logic error in validation of incoming olm-encrypted messages
diff --git a/content/client-server-api/modules/end_to_end_encryption.md b/content/client-server-api/modules/end_to_end_encryption.md
index ec86203d..15ff3330 100644
--- a/content/client-server-api/modules/end_to_end_encryption.md
+++ b/content/client-server-api/modules/end_to_end_encryption.md
@@ -1669,8 +1669,9 @@ following checks:
 1.  The `sender` property in the decrypted content must match the
     `sender` of the event.
 2.  The `keys.ed25519` property in the decrypted content must match
-    the `sender_key` property in the cleartext `m.room.encrypted`
-    event body.
+    the Ed25519 identity key of the sending device. This key can be
+    obtained from either [`/keys/query`](#post_matrixclientv3keysquery)
+    or the `sender_device_keys` object (see below).
 3.  The `recipient` property in the decrypted content must match
     the user ID of the local user.
 4.  The `recipient_keys.ed25519` property in the decrypted content
@@ -1678,11 +1679,11 @@ following checks:
 5.  Where `sender_device_keys` is present in the decrypted content:
     1.  `sender_device_keys.user_id` must also match the `sender`
         of the event.
-    2.  `sender_device_keys.keys.ed25519:<device_id>` must also match
+    2.  `sender_device_keys.keys.curve25519:<device_id>` must also match
         the `sender_key` property in the cleartext `m.room.encrypted`
         event body.
-    3.  `sender_device_keys.keys.curve25519:<device_id>` must match
-        the Curve25519 key used to establish the Olm session.
+    3.  `sender_device_keys.keys.ed25519:<device_id>` must be the same
+        as the `keys.ed25519` property in the decrypted content.
     4.  The `sender_device_keys` structure must have a valid signature
         from the key with ID `ed25519:<device_id>` (i.e., the sending
         device's Ed25519 key).