[glib-networking/mcatanzaro/#135] Return bad identity error if identity is unset

[Michael Catanzaro <mcatanzaro src gnome org>]

commit edd1e68f298433f36b16e0a639a2530deeb69866
Author: Michael Catanzaro <mcatanzaro gnome org>
Date:   Mon May 4 17:47:28 2020 -0500

    Return bad identity error if identity is unset
    
    When the server-identity property of GTlsClientConnection is unset, the
    documentation sasy we need to fail the certificate verification with
    G_TLS_CERTIFICATE_BAD_IDENTITY. This is important because otherwise,
    it's easy for applications to fail to specify server identity.
    
    Unfortunately, we did not correctly implement the intended, documented
    behavior. When server identity is missing, we check the validity of the
    TLS certificate, but do not check if it corresponds to the expected
    server (since we have no expected server). Then we assume the identity
    is good, instead of returning bad identity, as documented. This means,
    for example, that evil.com can present a valid certificate issued to
    evil.com, and we would happily accept it for paypal.com.
    
    Fixes #135

 tls/base/gtlsconnection-base.c | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)
---
diff --git a/tls/base/gtlsconnection-base.c b/tls/base/gtlsconnection-base.c
index f7ad660..5a6b4fb 100644
--- a/tls/base/gtlsconnection-base.c
+++ b/tls/base/gtlsconnection-base.c
@@ -1235,19 +1235,25 @@ verify_peer_certificate (GTlsConnectionBase *tls,
 {
   GSocketConnectable *peer_identity;
   GTlsDatabase *database;
-  GTlsCertificateFlags errors;
+  GTlsCertificateFlags errors = 0;
   gboolean is_client;
 
   is_client = G_IS_TLS_CLIENT_CONNECTION (tls);
 
-  if (!is_client)
-    peer_identity = NULL;
-  else if (!g_tls_connection_base_is_dtls (tls))
-    peer_identity = g_tls_client_connection_get_server_identity (G_TLS_CLIENT_CONNECTION (tls));
-  else
-    peer_identity = g_dtls_client_connection_get_server_identity (G_DTLS_CLIENT_CONNECTION (tls));
+  if (is_client)
+    {
+      if (!g_tls_connection_base_is_dtls (tls))
+        peer_identity = g_tls_client_connection_get_server_identity (G_TLS_CLIENT_CONNECTION (tls));
+      else
+        peer_identity = g_dtls_client_connection_get_server_identity (G_DTLS_CLIENT_CONNECTION (tls));
 
-  errors = 0;
+      if (!peer_identity)
+        errors |= G_TLS_CERTIFICATE_BAD_IDENTITY;
+    }
+  else
+    {
+      peer_identity = NULL;
+    }
 
   database = g_tls_connection_get_database (G_TLS_CONNECTION (tls));
   if (!database)