204c130b28
Update to 4.0 OBS-URL: https://build.opensuse.org/request/show/1069987 OBS-URL: https://build.opensuse.org/package/show/games/godot?expand=0&rev=52
68 lines
2.5 KiB
Diff
68 lines
2.5 KiB
Diff
From: cunix@mail.de
|
|
Date: 2019-04-29 16:00:00
|
|
Subject: System certs as fallback for project certs
|
|
References: https://github.com/godotengine/godot/pull/22066#issuecomment-421565719
|
|
https://github.com/godotengine/godot/pull/22066#issuecomment-422528664
|
|
https://github.com/godotengine/godot/issues/22232
|
|
Upstream: offered to upstream
|
|
Rebased: 2023-03-03
|
|
|
|
If project has no value set for "network/ssl/certificates" (the default),
|
|
"default_certs" is not filled by function "load_default_certificates" because
|
|
we don't use builtin certs - BUILTIN_CERTS_ENABLED is not defined.
|
|
|
|
We use a distro specific "system_certs_path" as build option and apply it here
|
|
via "_SYSTEM_CERTS_PATH" (defined in included "core/io/certs_compressed.gen.h")
|
|
as fallback for certificates.
|
|
|
|
In result patch restores upstream behavior for certificate usage.
|
|
Difference is:
|
|
Where upstream by default uses hard coded certificates at build time, we hard
|
|
code path to the default certificates as "/var/lib/ca-certificates/ca-bundle.pem".
|
|
This bundle might be updated separately or admin can edit content of this file.
|
|
|
|
User can always define different path via Editor or Project settings.
|
|
|
|
See comments in patch for more details.
|
|
|
|
---
|
|
|
|
--- a/modules/mbedtls/crypto_mbedtls.cpp
|
|
+++ b/modules/mbedtls/crypto_mbedtls.cpp
|
|
@@ -45,10 +45,12 @@
|
|
|
|
#include <mbedtls/debug.h>
|
|
#include <mbedtls/md.h>
|
|
#include <mbedtls/pem.h>
|
|
|
|
+#include <string.h>
|
|
+
|
|
CryptoKey *CryptoKeyMbedTLS::create() {
|
|
return memnew(CryptoKeyMbedTLS);
|
|
}
|
|
|
|
Error CryptoKeyMbedTLS::load(String p_path, bool p_public_only) {
|
|
@@ -305,10 +307,22 @@
|
|
ERR_FAIL_COND(default_certs == nullptr);
|
|
|
|
if (!p_path.is_empty()) {
|
|
// Use certs defined in project settings.
|
|
default_certs->load(p_path);
|
|
+
|
|
+ } else if (strcmp(_SYSTEM_CERTS_PATH, "") != 0) {
|
|
+ // Use system certs only if user did not override in project settings
|
|
+ // and if _SYSTEM_CERTS_PATH is set.
|
|
+ // Should happen if Project Setting "network/ssl/certificates" is empty.
|
|
+ // Editor Setting "network/ssl/editor_ssl_certificates" is already set
|
|
+ // to "_SYSTEM_CERTS_PATH" by default -> This is caught by "if (p_path != "") {".
|
|
+ // But the same fallback might apply for certificates used by editor
|
|
+ // if user has set "network/ssl/editor_ssl_certificates" to "".
|
|
+ // "load_default_certificates" is only called twice with one of
|
|
+ // these parameters.
|
|
+ default_certs->load(_SYSTEM_CERTS_PATH);
|
|
}
|
|
#ifdef BUILTIN_CERTS_ENABLED
|
|
else {
|
|
// Use builtin certs only if user did not override it in project settings.
|
|
PackedByteArray out;
|