Bundle SSL certs with the templates.

If this is undesired it can be avoided by specifying builtin_certs=no .
Bundled SSL certs will be used unless you specify an override in:
Project Settings -> SSL -> Certificates .

3 files changed, 51 insertions, 9 deletions

diff --git a/core/SCsub b/core/SCsub
index a6365bf925..8012ed132c 100644
--- a/core/SCsub
+++ b/core/SCsub
@@ -93,6 +93,9 @@ if 'builtin_zstd' in env and env['builtin_zstd']:
 # Godot's own sources
 env.add_source_files(env.core_sources, "*.cpp")
 
+# Certificates
+env.Depends("#core/io/certs_compressed.gen.h", ["#thirdparty/certs/ca-certificates.crt", env.Value(env['builtin_certs'])])
+env.CommandNoCache("#core/io/certs_compressed.gen.h", "#thirdparty/certs/ca-certificates.crt", run_in_subprocess(core_builders.make_certs_header))
 
 # Make binders
 env.CommandNoCache(['method_bind.gen.inc', 'method_bind_ext.gen.inc'], 'make_binders.py', run_in_subprocess(make_binders.run))
diff --git a/core/core_builders.py b/core/core_builders.py
index 90e505aab9..7b2f88a242 100644
--- a/core/core_builders.py
+++ b/core/core_builders.py
@@ -4,7 +4,36 @@ All such functions are invoked in a subprocess on Windows to prevent build flaki
 
 """
 from platform_methods import subprocess_main
-from compat import iteritems, itervalues, open_utf8, escape_string
+from compat import iteritems, itervalues, open_utf8, escape_string, byte_to_str
+
+
+def make_certs_header(target, source, env):
+
+    src = source[0]
+    dst = target[0]
+    f = open(src, "rb")
+    g = open_utf8(dst, "w")
+    buf = f.read()
+    decomp_size = len(buf)
+    import zlib
+    buf = zlib.compress(buf)
+
+    g.write("/* THIS FILE IS GENERATED DO NOT EDIT */\n")
+    g.write("#ifndef _CERTS_RAW_H\n")
+    g.write("#define _CERTS_RAW_H\n")
+    if env['builtin_certs']:
+        # Defined here and not in env so changing it does not trigger a full rebuild.
+        g.write("#define BUILTIN_CERTS_ENABLED\n")
+        g.write("static const int _certs_compressed_size = " + str(len(buf)) + ";\n")
+        g.write("static const int _certs_uncompressed_size = " + str(decomp_size) + ";\n")
+        g.write("static const unsigned char _certs_compressed[] = {\n")
+        for i in range(len(buf)):
+            g.write("\t" + byte_to_str(buf[i]) + ",\n")
+        g.write("};\n")
+    g.write("#endif")
+
+    g.close()
+    f.close()
 
 
 def make_authors_header(target, source, env):
diff --git a/core/io/stream_peer_ssl.cpp b/core/io/stream_peer_ssl.cpp
index 1f59021938..a02565bc1c 100644
--- a/core/io/stream_peer_ssl.cpp
+++ b/core/io/stream_peer_ssl.cpp
@@ -30,6 +30,8 @@
 
 #include "stream_peer_ssl.h"
 
+#include "core/io/certs_compressed.gen.h"
+#include "core/io/compression.h"
 #include "core/os/file_access.h"
 #include "core/project_settings.h"
 
@@ -68,24 +70,32 @@ PoolByteArray StreamPeerSSL::get_project_cert_array() {
 	ProjectSettings::get_singleton()->set_custom_property_info("network/ssl/certificates", PropertyInfo(Variant::STRING, "network/ssl/certificates", PROPERTY_HINT_FILE, "*.crt"));
 
 	if (certs_path != "") {
-
+		// Use certs defined in project settings.
 		FileAccess *f = FileAccess::open(certs_path, FileAccess::READ);
 		if (f) {
 			int flen = f->get_len();
 			out.resize(flen + 1);
-			{
-				PoolByteArray::Write w = out.write();
-				f->get_buffer(w.ptr(), flen);
-				w[flen] = 0; //end f string
-			}
-
+			PoolByteArray::Write w = out.write();
+			f->get_buffer(w.ptr(), flen);
+			w[flen] = 0; // Make sure it ends with string terminator
 			memdelete(f);
-
 #ifdef DEBUG_ENABLED
 			print_verbose(vformat("Loaded certs from '%s'.", certs_path));
 #endif
 		}
 	}
+#ifdef BUILTIN_CERTS_ENABLED
+	else {
+		// Use builtin certs only if user did not override it in project settings.
+		out.resize(_certs_uncompressed_size + 1);
+		PoolByteArray::Write w = out.write();
+		Compression::decompress(w.ptr(), _certs_uncompressed_size, _certs_compressed, _certs_compressed_size, Compression::MODE_DEFLATE);
+		w[_certs_uncompressed_size] = 0; // Make sure it ends with string terminator
+#ifdef DEBUG_ENABLED
+		print_verbose("Loaded builtin certs");
+#endif
+	}
+#endif
 
 	return out;
 }