From: cunix@mail.de
Date: 2019-04-29 16:00:00
Subject: System certs as fallback for project certs
References: https://github.com/godotengine/godot/pull/22066#issuecomment-421565719
            https://github.com/godotengine/godot/pull/22066#issuecomment-422528664
            https://github.com/godotengine/godot/issues/22232
Upstream:   offered to upstream

If project has no value set for "network/ssl/certificates" (the default),
"default_certs" is not filled by function "load_default_certificates" because
we don't use builtin certs - BUILTIN_CERTS_ENABLED is not defined.

We use a distro specific "system_certs_path" as build option and apply it here
via "_SYSTEM_CERTS_PATH" (defined in included "core/io/certs_compressed.gen.h")
as fallback for certificates.

In result patch restores upstream behavior for certificate usage.
Difference is:
Where upstream by default uses hard coded certificates at build time, we hard
code path to the default certificates as "/var/lib/ca-certificates/ca-bundle.pem".
This bundle might be updated separately or admin can edit content of this file.

User can always define different path via Editor or Project settings.

See comments in patch for more details.

---

diff -r -U 5 a/modules/mbedtls/crypto_mbedtls.cpp b/modules/mbedtls/crypto_mbedtls.cpp
--- a/modules/mbedtls/crypto_mbedtls.cpp
+++ b/modules/mbedtls/crypto_mbedtls.cpp
@@ -44,10 +44,12 @@
 #define PEM_END_CRT "-----END CERTIFICATE-----\n"
 
 #include <mbedtls/debug.h>
 #include <mbedtls/pem.h>
 
+#include <string.h>
+
 CryptoKey *CryptoKeyMbedTLS::create() {
 	return memnew(CryptoKeyMbedTLS);
 }
 
 Error CryptoKeyMbedTLS::load(String p_path) {
@@ -204,10 +206,21 @@
 	ERR_FAIL_COND(default_certs == NULL);
 
 	if (p_path != "") {
 		// Use certs defined in project settings.
 		default_certs->load(p_path);
+	} else if (strcmp(_SYSTEM_CERTS_PATH, "") != 0) {
+		// Use system certs only if user did not override in project settings
+		// and if _SYSTEM_CERTS_PATH is set.
+		// Should happen if Project Setting "network/ssl/certificates" is empty.
+		// Editor Setting "network/ssl/editor_ssl_certificates" is already set
+		// to "_SYSTEM_CERTS_PATH" by default -> This is caught by "if (p_path != "") {".
+		// But the same fallback might apply for certificates used by editor
+		// if user has set "network/ssl/editor_ssl_certificates" to "".
+		// "load_default_certificates" is only called twice with one of
+		// these parameters.
+		default_certs->load(_SYSTEM_CERTS_PATH);
 	}
 #ifdef BUILTIN_CERTS_ENABLED
 	else {
 		// Use builtin certs only if user did not override it in project settings.
 		PoolByteArray out;