Return bad identity error if identity is unset 40/255440/1 accepted/tizen/unified/20210322.150805 submit/tizen/20210319.041918
authorSeonah Moon <seonah1.moon@samsung.com>
Thu, 18 Mar 2021 09:21:45 +0000 (18:21 +0900)
committerSeonah Moon <seonah1.moon@samsung.com>
Thu, 18 Mar 2021 09:21:53 +0000 (18:21 +0900)
CVE-2020-13645
backported: https://gitlab.gnome.org/GNOME/glib-networking/-/issues/135

Change-Id: I7002bd96a7077e013587d1e6f0722a1ab54ee4b5

tls/openssl/gtlsconnection-openssl.c

index 8252516..eb202be 100644 (file)
@@ -313,18 +313,17 @@ verify_peer_certificate (GTlsConnectionOpenssl *openssl,
                          GTlsCertificate       *peer_certificate)
 {
   GTlsConnection *conn = G_TLS_CONNECTION (openssl);
-  GSocketConnectable *peer_identity;
+  GSocketConnectable *peer_identity = NULL;
   GTlsDatabase *database;
-  GTlsCertificateFlags errors;
+  GTlsCertificateFlags errors = 0;
   gboolean is_client;
 
   is_client = G_IS_TLS_CLIENT_CONNECTION (openssl);
   if (is_client)
     peer_identity = g_tls_client_connection_get_server_identity (G_TLS_CLIENT_CONNECTION (openssl));
-  else
-    peer_identity = NULL;
 
-  errors = 0;
+  if (!peer_identity)
+    errors |= G_TLS_CERTIFICATE_BAD_IDENTITY;
 
   database = g_tls_connection_get_database (conn);
   if (database == NULL)
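Review bot: The added `if (!peer_identity)` check is not conditioned on `is_client`, so on a server-side connection `peer_identity` keeps its NULL initializer and `G_TLS_CERTIFICATE_BAD_IDENTITY` is set for every client certificate. A server has no expected peer identity to compare against, so this would presumably make otherwise valid client certificates report a validation error, and may push deployments toward ignoring the flag altogether. Consider `if (is_client && !peer_identity)` so the fail-closed behaviour covers only clients with an unset server identity, with a comment such as `/* No identity to check on the server side; clients must fail closed. */`. The body of verify_peer_certificate continues past the hunk, so how `errors` is merged with the database verification result is not visible here.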