Changing the API to use a callback mechanism.

This is the agreed-upon solution.

1 files changed, 13 insertions, 7 deletions

diff --git a/src/core/security/security_connector.c b/src/core/security/security_connector.c
index 8a67243a18..654866fd4e 100644
--- a/src/core/security/security_connector.c
+++ b/src/core/security/security_connector.c
@@ -63,10 +63,10 @@ static const char *installed_roots_path =
 
 /* -- Overridden default roots. -- */
 
-static gpr_slice overridden_default_roots;
+static grpc_ssl_roots_override_callback ssl_roots_override_cb = NULL;
 
-void grpc_override_ssl_default_roots(const char *roots_pem) {
-  overridden_default_roots = gpr_slice_from_copied_string(roots_pem);
+void grpc_set_ssl_roots_override_callback(grpc_ssl_roots_override_callback cb) {
+  ssl_roots_override_cb = cb;
 }
 
 /* -- Cipher suites. -- */
@@ -615,13 +615,19 @@ static gpr_slice compute_default_pem_root_certs_once(void) {
   }
 
   /* Try overridden roots path if needed. */
-  if (GPR_SLICE_IS_EMPTY(result) &&
-      !GPR_SLICE_IS_EMPTY(overridden_default_roots)) {
-    result = gpr_slice_ref(overridden_default_roots);
+  grpc_ssl_roots_override_result ovrd_res = GRPC_SSL_ROOTS_OVERRIDE_FAIL;
+  if (GPR_SLICE_IS_EMPTY(result) && ssl_roots_override_cb != NULL) {
+    char *pem_root_certs = NULL;
+    ovrd_res = ssl_roots_override_cb(&pem_root_certs);
+    if (ovrd_res == GRPC_SSL_ROOTS_OVERRIDE_OK) {
+      GPR_ASSERT(pem_root_certs != NULL);
+      result = gpr_slice_new(pem_root_certs, strlen(pem_root_certs), gpr_free);
+    }
   }
 
   /* Fall back to installed certs if needed. */
-  if (GPR_SLICE_IS_EMPTY(result)) {
+  if (GPR_SLICE_IS_EMPTY(result) &&
+      ovrd_res != GRPC_SSL_ROOTS_OVERRIDE_FAIL_PERMANENTLY) {
     result = gpr_load_file(installed_roots_path, 0, NULL);
   }
   return result;