RubyGems - grpc - Versions diffs - 1.53.0 → 1.54.0 - Mend

grpc 1.53.0 → 1.54.0

Potentially problematic release.

This version of grpc might be problematic. Click here for more details.

Files changed (685) hide show

data/src/core/lib/resource_quota/arena.h CHANGED Viewed

@@ -45,6 +45,9 @@
 #include "src/core/lib/promise/context.h"
 #include "src/core/lib/resource_quota/memory_quota.h"
+// #define GRPC_ARENA_POOLED_ALLOCATIONS_USE_MALLOC
+// #define GRPC_ARENA_TRACE_POOLED_ALLOCATIONS
 namespace grpc_core {
 namespace arena_detail {
@@ -114,7 +117,9 @@ PoolAndSize ChoosePoolForAllocationSize(
 }  // namespace arena_detail
 class Arena {
-  using PoolSizes = absl::integer_sequence<size_t, 256, 512, 768>;
+  // Selected pool sizes.
+  // How to tune: see tools/codegen/core/optimize_arena_pool_sizes.py
+  using PoolSizes = absl::integer_sequence<size_t, 80, 304, 528, 1024>;
   struct FreePoolNode {
     FreePoolNode* next;
   };
@@ -130,6 +135,13 @@ class Arena {
       size_t initial_size, size_t alloc_size,
       MemoryAllocator* memory_allocator);
+  // Destroy all `ManagedNew` allocated objects.
+  // Allows safe destruction of these objects even if they need context held by
+  // the arena.
+  // Idempotent.
+  // TODO(ctiller): eliminate ManagedNew.
+  void DestroyManagedNewObjects();
   // Destroy an arena.
   void Destroy();
@@ -170,6 +182,7 @@ class Arena {
     return &p->t;
   }
+#ifndef GRPC_ARENA_POOLED_ALLOCATIONS_USE_MALLOC
   class PooledDeleter {
    public:
     explicit PooledDeleter(std::atomic<FreePoolNode*>* free_list)
@@ -209,6 +222,7 @@ class Arena {
         &pools_[arena_detail::PoolFromObjectSize<sizeof(T)>(PoolSizes())];
     return PoolPtr<T>(
         new (AllocPooled(
+            sizeof(T),
             arena_detail::AllocationSizeFromObjectSize<sizeof(T)>(PoolSizes()),
             free_list)) T(std::forward<Args>(args)...),
         PooledDeleter(free_list));
@@ -229,12 +243,95 @@ class Arena {
       return PoolPtr<T[]>(new (Alloc(where.alloc_size)) T[n],
                           PooledDeleter(nullptr));
     } else {
-      return PoolPtr<T[]>(
-          new (AllocPooled(where.alloc_size, &pools_[where.pool_index])) T[n],
-          PooledDeleter(&pools_[where.pool_index]));
+      return PoolPtr<T[]>(new (AllocPooled(where.alloc_size, where.alloc_size,
+                                           &pools_[where.pool_index])) T[n],
+                          PooledDeleter(&pools_[where.pool_index]));
+    }
+  }
+  // Like MakePooled, but with manual memory management.
+  // The caller is responsible for calling DeletePooled() on the returned
+  // pointer, and expected to call it with the same type T as was passed to this
+  // function (else the free list returned to the arena will be corrupted).
+  template <typename T, typename... Args>
+  T* NewPooled(Args&&... args) {
+    auto* free_list =
+        &pools_[arena_detail::PoolFromObjectSize<sizeof(T)>(PoolSizes())];
+    return new (AllocPooled(
+        sizeof(T),
+        arena_detail::AllocationSizeFromObjectSize<sizeof(T)>(PoolSizes()),
+        free_list)) T(std::forward<Args>(args)...);
+  }
+  template <typename T>
+  void DeletePooled(T* p) {
+    auto* free_list =
+        &pools_[arena_detail::PoolFromObjectSize<sizeof(T)>(PoolSizes())];
+    p->~T();
+    FreePooled(p, free_list);
+  }
+#else
+  class PooledDeleter {
+   public:
+    PooledDeleter() = default;
+    explicit PooledDeleter(std::nullptr_t) : delete_(false) {}
+    template <typename T>
+    void operator()(T* p) {
+      // TODO(ctiller): promise based filter hijacks ownership of some pointers
+      // to make them appear as PoolPtr without really transferring ownership,
+      // by setting the arena to nullptr.
+      // This is a transitional hack and should be removed once promise based
+      // filter is removed.
+      if (delete_) delete p;
     }
+    bool has_freelist() const { return delete_; }
+   private:
+    bool delete_ = true;
+  };
+  template <typename T>
+  using PoolPtr = std::unique_ptr<T, PooledDeleter>;
+  // Make a unique_ptr to T that is allocated from the arena.
+  // When the pointer is released, the memory may be reused for other
+  // MakePooled(.*) calls.
+  // CAUTION: The amount of memory allocated is rounded up to the nearest
+  //          value in Arena::PoolSizes, and so this may pessimize total
+  //          arena size.
+  template <typename T, typename... Args>
+  PoolPtr<T> MakePooled(Args&&... args) {
+    return PoolPtr<T>(new T(std::forward<Args>(args)...), PooledDeleter());
+  }
+  // Make a unique_ptr to an array of T that is allocated from the arena.
+  // When the pointer is released, the memory may be reused for other
+  // MakePooled(.*) calls.
+  // One can use MakePooledArray<char> to allocate a buffer of bytes.
+  // CAUTION: The amount of memory allocated is rounded up to the nearest
+  //          value in Arena::PoolSizes, and so this may pessimize total
+  //          arena size.
+  template <typename T>
+  PoolPtr<T[]> MakePooledArray(size_t n) {
+    return PoolPtr<T[]>(new T[n], PooledDeleter());
   }
+  // Like MakePooled, but with manual memory management.
+  // The caller is responsible for calling DeletePooled() on the returned
+  // pointer, and expected to call it with the same type T as was passed to this
+  // function (else the free list returned to the arena will be corrupted).
+  template <typename T, typename... Args>
+  T* NewPooled(Args&&... args) {
+    return new T(std::forward<Args>(args)...);
+  }
+  template <typename T>
+  void DeletePooled(T* p) {
+    delete p;
+  }
+#endif
  private:
   struct Zone {
     Zone* prev;
@@ -275,9 +372,24 @@ class Arena {
   void* AllocZone(size_t size);
-  void* AllocPooled(size_t alloc_size, std::atomic<FreePoolNode*>* head);
+  void* AllocPooled(size_t obj_size, size_t alloc_size,
+                    std::atomic<FreePoolNode*>* head);
   static void FreePooled(void* p, std::atomic<FreePoolNode*>* head);
+  void TracePoolAlloc(size_t size, void* ptr) {
+    (void)size;
+    (void)ptr;
+#ifdef GRPC_ARENA_TRACE_POOLED_ALLOCATIONS
+    gpr_log(GPR_ERROR, "ARENA %p ALLOC %" PRIdPTR " @ %p", this, size, ptr);
+#endif
+  }
+  static void TracePoolFree(void* ptr) {
+    (void)ptr;
+#ifdef GRPC_ARENA_TRACE_POOLED_ALLOCATIONS
+    gpr_log(GPR_ERROR, "FREE %p", ptr);
+#endif
+  }
   // Keep track of the total used size. We use this in our call sizing
   // hysteresis.
   std::atomic<size_t> total_used_{0};
@@ -290,7 +402,9 @@ class Arena {
   // last zone; the zone list is reverse-walked during arena destruction only.
   std::atomic<Zone*> last_zone_{nullptr};
   std::atomic<ManagedNewObject*> managed_new_head_{nullptr};
+#ifndef GRPC_ARENA_POOLED_ALLOCATIONS_USE_MALLOC
   std::atomic<FreePoolNode*> pools_[PoolSizes::size()]{};
+#endif
   // The backing memory quota
   MemoryAllocator* const memory_allocator_;
 };

data/src/core/lib/resource_quota/memory_quota.cc CHANGED Viewed

@@ -645,7 +645,7 @@ std::string PressureController::DebugString() const {
 }
 double PressureTracker::AddSampleAndGetControlValue(double sample) {
-  static const double kSetPoint = 95.0;
+  static const double kSetPoint = 0.95;
   double max_so_far = max_this_round_.load(std::memory_order_relaxed);
   if (sample > max_so_far) {

data/src/core/lib/security/credentials/external/aws_external_account_credentials.cc CHANGED Viewed

@@ -38,7 +38,6 @@
 #include <grpc/support/string_util.h>
 #include "src/core/lib/gprpp/env.h"
-#include "src/core/lib/gprpp/host_port.h"
 #include "src/core/lib/http/httpcli_ssl_credentials.h"
 #include "src/core/lib/iomgr/closure.h"
 #include "src/core/lib/json/json.h"
@@ -49,9 +48,6 @@ namespace grpc_core {
 namespace {
-const char* awsEc2MetadataIpv4Address = "169.254.169.254";
-const char* awsEc2MetadataIpv6Address = "fd00:ec2::254";
 const char* kExpectedEnvironmentId = "aws1";
 const char* kRegionEnvVar = "AWS_REGION";
@@ -78,15 +74,6 @@ std::string UrlEncode(const absl::string_view& s) {
   return result;
 }
-bool ValidateAwsUrl(const std::string& urlString) {
-  absl::StatusOr<URI> url = URI::Parse(urlString);
-  if (!url.ok()) return false;
-  absl::string_view host;
-  absl::string_view port;
-  SplitHostPort(url->authority(), &host, &port);
-  return host == awsEc2MetadataIpv4Address || host == awsEc2MetadataIpv6Address;
-}
 }  // namespace
 RefCountedPtr<AwsExternalAccountCredentials>
@@ -129,22 +116,10 @@ AwsExternalAccountCredentials::AwsExternalAccountCredentials(
     return;
   }
   region_url_ = it->second.string_value();
-  if (!ValidateAwsUrl(region_url_)) {
-    *error = GRPC_ERROR_CREATE(absl::StrFormat(
-        "Invalid host for region_url field, expecting %s or %s.",
-        awsEc2MetadataIpv4Address, awsEc2MetadataIpv6Address));
-    return;
-  }
   it = options.credential_source.object_value().find("url");
   if (it != options.credential_source.object_value().end() &&
       it->second.type() == Json::Type::STRING) {
     url_ = it->second.string_value();
-    if (!ValidateAwsUrl(url_)) {
-      *error = GRPC_ERROR_CREATE(absl::StrFormat(
-          "Invalid host for url field, expecting %s or %s.",
-          awsEc2MetadataIpv4Address, awsEc2MetadataIpv6Address));
-      return;
-    }
   }
   it = options.credential_source.object_value().find(
       "regional_cred_verification_url");
@@ -164,16 +139,16 @@ AwsExternalAccountCredentials::AwsExternalAccountCredentials(
   if (it != options.credential_source.object_value().end() &&
       it->second.type() == Json::Type::STRING) {
     imdsv2_session_token_url_ = it->second.string_value();
-    if (!ValidateAwsUrl(imdsv2_session_token_url_)) {
-      *error = GRPC_ERROR_CREATE(absl::StrFormat(
-          "Invalid host for imdsv2_session_token_url field, expecting %s or "
-          "%s.",
-          awsEc2MetadataIpv4Address, awsEc2MetadataIpv6Address));
-      return;
-    }
   }
 }
+bool AwsExternalAccountCredentials::ShouldUseMetadataServer() {
+  return !((GetEnv(kRegionEnvVar).has_value() ||
+            GetEnv(kDefaultRegionEnvVar).has_value()) &&
+           (GetEnv(kAccessKeyIdEnvVar).has_value() &&
+            GetEnv(kSecretAccessKeyEnvVar).has_value()));
+}
 void AwsExternalAccountCredentials::RetrieveSubjectToken(
     HTTPRequestContext* ctx, const Options& /*options*/,
     std::function<void(std::string, grpc_error_handle)> cb) {
@@ -186,7 +161,7 @@ void AwsExternalAccountCredentials::RetrieveSubjectToken(
   }
   ctx_ = ctx;
   cb_ = cb;
-  if (!imdsv2_session_token_url_.empty()) {
+  if (!imdsv2_session_token_url_.empty() && ShouldUseMetadataServer()) {
     RetrieveImdsV2SessionToken();
   } else if (signer_ != nullptr) {
     BuildSubjectToken();
@@ -381,10 +356,12 @@ void AwsExternalAccountCredentials::RetrieveSigningKeys() {
   auto secret_access_key_from_env = GetEnv(kSecretAccessKeyEnvVar);
   auto token_from_env = GetEnv(kSessionTokenEnvVar);
   if (access_key_id_from_env.has_value() &&
-      secret_access_key_from_env.has_value() && token_from_env.has_value()) {
+      secret_access_key_from_env.has_value()) {
     access_key_id_ = std::move(*access_key_id_from_env);
     secret_access_key_ = std::move(*secret_access_key_from_env);
-    token_ = std::move(*token_from_env);
+    if (token_from_env.has_value()) {
+      token_ = std::move(*token_from_env);
+    }
     BuildSubjectToken();
     return;
   }

data/src/core/lib/security/credentials/external/aws_external_account_credentials.h CHANGED Viewed

@@ -45,6 +45,7 @@ class AwsExternalAccountCredentials final : public ExternalAccountCredentials {
                                 grpc_error_handle* error);
  private:
+  bool ShouldUseMetadataServer();
   void RetrieveSubjectToken(
       HTTPRequestContext* ctx, const Options& options,
       std::function<void(std::string, grpc_error_handle)> cb) override;

data/src/core/lib/security/credentials/google_default/google_default_credentials.cc CHANGED Viewed

@@ -22,14 +22,12 @@
 #include <string.h>
-#include <map>
 #include <memory>
 #include <string>
 #include "absl/status/statusor.h"
 #include "absl/strings/match.h"
 #include "absl/strings/string_view.h"
-#include "absl/strings/strip.h"
 #include "absl/types/optional.h"
 #include <grpc/grpc_security.h>  // IWYU pragma: keep
@@ -44,7 +42,6 @@
 #include "src/core/lib/channel/channel_args.h"
 #include "src/core/lib/debug/trace.h"
 #include "src/core/lib/gprpp/env.h"
-#include "src/core/lib/gprpp/host_port.h"
 #include "src/core/lib/gprpp/orphanable.h"
 #include "src/core/lib/gprpp/ref_counted_ptr.h"
 #include "src/core/lib/gprpp/status_helper.h"
@@ -254,57 +251,6 @@ static int is_metadata_server_reachable() {
   return detector.success;
 }
-namespace {
-bool ValidateUrlField(const Json& json, const std::string& field) {
-  auto it = json.object_value().find(field);
-  if (it == json.object_value().end()) {
-    return true;
-  }
-  if (it->second.type() != Json::Type::STRING ||
-      it->second.string_value().empty()) {
-    return false;
-  }
-  absl::StatusOr<grpc_core::URI> url =
-      grpc_core::URI::Parse(it->second.string_value());
-  if (!url.ok()) return false;
-  if (!absl::EqualsIgnoreCase(url->scheme(), "https")) {
-    return false;
-  }
-  absl::string_view host;
-  absl::string_view port;
-  grpc_core::SplitHostPort(url->authority(), &host, &port);
-  if (absl::ConsumeSuffix(&host, ".p.googleapis.com")) {
-    if (absl::StartsWith(host, "sts-") ||
-        absl::StartsWith(host, "iamcredentials-")) {
-      return true;
-    }
-  } else if (absl::ConsumeSuffix(&host, ".googleapis.com")) {
-    if (host == "sts" || host == "iamcredentials") {
-      return true;
-    } else if (absl::StartsWith(host, "sts.") ||
-               absl::StartsWith(host, "iamcredentials.")) {
-      return true;
-    } else if (absl::EndsWith(host, ".sts") ||
-               absl::EndsWith(host, ".iamcredentials")) {
-      return true;
-    } else if (absl::EndsWith(host, "-sts") ||
-               absl::EndsWith(host, "-iamcredentials")) {
-      return true;
-    }
-  }
-  return false;
-}
-bool ValidateExteralAccountCredentials(const Json& json) {
-  return json.type() == Json::Type::OBJECT &&
-         ValidateUrlField(json, "token_url") &&
-         ValidateUrlField(json, "service_account_impersonation_url") &&
-         ValidateUrlField(json, "token_info_url");
-}
-}  // namespace
 // Takes ownership of creds_path if not NULL.
 static grpc_error_handle create_default_creds_from_path(
     const std::string& creds_path,
@@ -363,11 +309,6 @@ static grpc_error_handle create_default_creds_from_path(
     goto end;
   }
-  // Finally try an external account credentials.
-  if (!ValidateExteralAccountCredentials(json)) {
-    error = GRPC_ERROR_CREATE("Invalid external account credentials format.");
-    goto end;
-  }
   result = grpc_core::ExternalAccountCredentials::Create(json, {}, &error);
 end:

data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc CHANGED Viewed

@@ -267,10 +267,7 @@ void grpc_oauth2_token_fetcher_credentials::on_http_response(
   // Invoke callbacks for all pending requests.
   while (pending_request != nullptr) {
     if (status == GRPC_CREDENTIALS_OK) {
-      pending_request->md->Append(
-          GRPC_AUTHORIZATION_METADATA_KEY, access_token_value->Ref(),
-          [](absl::string_view, const grpc_core::Slice&) { abort(); });
-      pending_request->result = std::move(pending_request->md);
+      pending_request->result = access_token_value->Ref();
     } else {
       auto err = GRPC_ERROR_CREATE_REFERENCING(
           "Error occurred when fetching oauth2 token.", &error, 1);
@@ -338,7 +335,15 @@ grpc_oauth2_token_fetcher_credentials::GetRequestMetadata(
         if (!pending_request->done.load(std::memory_order_acquire)) {
           return grpc_core::Pending{};
         }
-        return std::move(pending_request->result);
+        if (pending_request->result.ok()) {
+          pending_request->md->Append(
+              GRPC_AUTHORIZATION_METADATA_KEY,
+              std::move(*pending_request->result),
+              [](absl::string_view, const grpc_core::Slice&) { abort(); });
+          return std::move(pending_request->md);
+        } else {
+          return pending_request->result.status();
+        }
       };
 }

data/src/core/lib/security/credentials/oauth2/oauth2_credentials.h CHANGED Viewed

@@ -102,7 +102,7 @@ struct grpc_oauth2_pending_get_request_metadata
   grpc_polling_entity* pollent;
   grpc_core::ClientMetadataHandle md;
   struct grpc_oauth2_pending_get_request_metadata* next;
-  absl::StatusOr<grpc_core::ClientMetadataHandle> result;
+  absl::StatusOr<grpc_core::Slice> result;
 };
 // -- Oauth2 Token Fetcher credentials --

data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc CHANGED Viewed

@@ -117,6 +117,8 @@ gpr_timespec TimeoutSecondsToDeadline(int64_t seconds) {
 }  // namespace
+static constexpr int64_t kMinimumFileWatcherRefreshIntervalSeconds = 1;
 FileWatcherCertificateProvider::FileWatcherCertificateProvider(
     std::string private_key_path, std::string identity_certificate_path,
     std::string root_cert_path, int64_t refresh_interval_sec)
@@ -125,6 +127,12 @@ FileWatcherCertificateProvider::FileWatcherCertificateProvider(
       root_cert_path_(std::move(root_cert_path)),
       refresh_interval_sec_(refresh_interval_sec),
       distributor_(MakeRefCounted<grpc_tls_certificate_distributor>()) {
+  if (refresh_interval_sec_ < kMinimumFileWatcherRefreshIntervalSeconds) {
+    gpr_log(GPR_INFO,
+            "FileWatcherCertificateProvider refresh_interval_sec_ set to value "
+            "less than minimum. Overriding configured value to minimum.");
+    refresh_interval_sec_ = kMinimumFileWatcherRefreshIntervalSeconds;
+  }
   // Private key and identity cert files must be both set or both unset.
   GPR_ASSERT(private_key_path_.empty() == identity_certificate_path_.empty());
   // Must be watching either root or identity certs.
@@ -381,6 +389,11 @@ FileWatcherCertificateProvider::ReadIdentityKeyCertPairFromFiles(
   return absl::nullopt;
 }
+int64_t FileWatcherCertificateProvider::TestOnlyGetRefreshIntervalSecond()
+    const {
+  return refresh_interval_sec_;
+}
 absl::StatusOr<bool> PrivateKeyAndCertificateMatch(
     absl::string_view private_key, absl::string_view cert_chain) {
   if (private_key.empty()) {

data/src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h CHANGED Viewed

@@ -151,6 +151,8 @@ class FileWatcherCertificateProvider final
   UniqueTypeName type() const override;
+  int64_t TestOnlyGetRefreshIntervalSecond() const;
  private:
   struct WatcherInfo {
     bool root_being_watched = false;

data/src/core/lib/security/security_connector/load_system_roots_supported.cc CHANGED Viewed

@@ -19,6 +19,7 @@
 #include <grpc/support/port_platform.h>
 #include <algorithm>
+#include <string>
 #include <vector>
 #if defined(GPR_LINUX) || defined(GPR_ANDROID) || defined(GPR_FREEBSD) || \
@@ -27,7 +28,6 @@
 #include <dirent.h>
 #include <fcntl.h>
 #include <stdio.h>
-#include <string.h>
 #include <sys/param.h>
 #include <sys/stat.h>
 #include <unistd.h>
@@ -35,17 +35,13 @@
 #include <grpc/support/alloc.h>
 #include <grpc/support/log.h>
+#include "src/core/lib/config/config_vars.h"
 #include "src/core/lib/gpr/useful.h"
-#include "src/core/lib/gprpp/global_config.h"
-#include "src/core/lib/gprpp/memory.h"
 #include "src/core/lib/iomgr/error.h"
 #include "src/core/lib/iomgr/load_file.h"
 #include "src/core/lib/security/security_connector/load_system_roots.h"
 #include "src/core/lib/security/security_connector/load_system_roots_supported.h"
-GPR_GLOBAL_CONFIG_DEFINE_STRING(grpc_system_ssl_roots_dir, "",
-                                "Custom directory to SSL Roots");
 namespace grpc_core {
 namespace {
@@ -150,9 +146,9 @@ grpc_slice CreateRootCertsBundle(const char* certs_directory) {
 grpc_slice LoadSystemRootCerts() {
   grpc_slice result = grpc_empty_slice();
   // Prioritize user-specified custom directory if flag is set.
-  UniquePtr<char> custom_dir = GPR_GLOBAL_CONFIG_GET(grpc_system_ssl_roots_dir);
-  if (strlen(custom_dir.get()) > 0) {
-    result = CreateRootCertsBundle(custom_dir.get());
+  auto custom_dir = ConfigVars::Get().SystemSslRootsDir();
+  if (!custom_dir.empty()) {
+    result = CreateRootCertsBundle(std::string(custom_dir).c_str());
   }
   // If the custom directory is empty/invalid/not specified, fallback to
   // distribution-specific directory.

data/src/core/lib/security/security_connector/ssl_utils.cc CHANGED Viewed

@@ -32,19 +32,18 @@
 #include <grpc/grpc.h>
 #include <grpc/support/alloc.h>
 #include <grpc/support/log.h>
+#include <grpc/support/string_util.h>
 #include <grpc/support/sync.h>
 #include "src/core/ext/transport/chttp2/alpn/alpn.h"
 #include "src/core/lib/channel/channel_args.h"
+#include "src/core/lib/config/config_vars.h"
 #include "src/core/lib/gpr/useful.h"
-#include "src/core/lib/gprpp/global_config.h"
 #include "src/core/lib/gprpp/host_port.h"
-#include "src/core/lib/gprpp/memory.h"
 #include "src/core/lib/gprpp/ref_counted_ptr.h"
 #include "src/core/lib/iomgr/load_file.h"
 #include "src/core/lib/security/context/security_context.h"
 #include "src/core/lib/security/security_connector/load_system_roots.h"
-#include "src/core/lib/security/security_connector/ssl_utils_config.h"
 #include "src/core/tsi/ssl_transport_security.h"
 #include "src/core/tsi/transport_security.h"
@@ -76,22 +75,9 @@ void grpc_set_ssl_roots_override_callback(grpc_ssl_roots_override_callback cb) {
 static gpr_once cipher_suites_once = GPR_ONCE_INIT;
 static const char* cipher_suites = nullptr;
-// All cipher suites for default are compliant with HTTP2.
-GPR_GLOBAL_CONFIG_DEFINE_STRING(
-    grpc_ssl_cipher_suites,
-    "TLS_AES_128_GCM_SHA256:"
-    "TLS_AES_256_GCM_SHA384:"
-    "TLS_CHACHA20_POLY1305_SHA256:"
-    "ECDHE-ECDSA-AES128-GCM-SHA256:"
-    "ECDHE-ECDSA-AES256-GCM-SHA384:"
-    "ECDHE-RSA-AES128-GCM-SHA256:"
-    "ECDHE-RSA-AES256-GCM-SHA384",
-    "A colon separated list of cipher suites to use with OpenSSL")
 static void init_cipher_suites(void) {
-  grpc_core::UniquePtr<char> value =
-      GPR_GLOBAL_CONFIG_GET(grpc_ssl_cipher_suites);
-  cipher_suites = value.release();
+  cipher_suites = gpr_strdup(
+      std::string(grpc_core::ConfigVars::Get().SslCipherSuites()).c_str());
 }
 // --- Util ---
@@ -573,14 +559,13 @@ const char* DefaultSslRootStore::GetPemRootCerts() {
 grpc_slice DefaultSslRootStore::ComputePemRootCerts() {
   grpc_slice result = grpc_empty_slice();
-  const bool not_use_system_roots =
-      GPR_GLOBAL_CONFIG_GET(grpc_not_use_system_ssl_roots);
   // First try to load the roots from the configuration.
-  UniquePtr<char> default_root_certs_path =
-      GPR_GLOBAL_CONFIG_GET(grpc_default_ssl_roots_file_path);
-  if (strlen(default_root_certs_path.get()) > 0) {
+  auto default_root_certs_path = ConfigVars::Get().DefaultSslRootsFilePath();
+  if (!default_root_certs_path.empty()) {
     GRPC_LOG_IF_ERROR(
-        "load_file", grpc_load_file(default_root_certs_path.get(), 1, &result));
+        "load_file",
+        grpc_load_file(std::string(default_root_certs_path).c_str(), 1,
+                       &result));
   }
   // Try overridden roots if needed.
   grpc_ssl_roots_override_result ovrd_res = GRPC_SSL_ROOTS_OVERRIDE_FAIL;
@@ -596,7 +581,8 @@ grpc_slice DefaultSslRootStore::ComputePemRootCerts() {
     gpr_free(pem_root_certs);
   }
   // Try loading roots from OS trust store if flag is enabled.
-  if (GRPC_SLICE_IS_EMPTY(result) && !not_use_system_roots) {
+  if (GRPC_SLICE_IS_EMPTY(result) &&
+      !ConfigVars::Get().NotUseSystemSslRoots()) {
     result = LoadSystemRootCerts();
   }
   // Fallback to roots manually shipped with gRPC.

data/src/core/lib/security/security_connector/tls/tls_security_connector.cc CHANGED Viewed

@@ -74,6 +74,7 @@ void PendingVerifierRequestInit(
   bool has_common_name = false;
   bool has_peer_cert = false;
   bool has_peer_cert_full_chain = false;
+  bool has_verified_root_cert_subject = false;
   std::vector<char*> uri_names;
   std::vector<char*> dns_names;
   std::vector<char*> email_names;
@@ -105,6 +106,11 @@ void PendingVerifierRequestInit(
     } else if (strcmp(prop->name, TSI_X509_IP_PEER_PROPERTY) == 0) {
       char* ip = CopyCoreString(prop->value.data, prop->value.length);
       ip_names.emplace_back(ip);
+    } else if (strcmp(prop->name,
+                      TSI_X509_VERIFIED_ROOT_CERT_SUBECT_PEER_PROPERTY) == 0) {
+      request->peer_info.verified_root_cert_subject =
+          CopyCoreString(prop->value.data, prop->value.length);
+      has_verified_root_cert_subject = true;
     }
   }
   if (!has_common_name) {
@@ -116,6 +122,9 @@ void PendingVerifierRequestInit(
   if (!has_peer_cert_full_chain) {
     request->peer_info.peer_cert_full_chain = nullptr;
   }
+  if (!has_verified_root_cert_subject) {
+    request->peer_info.verified_root_cert_subject = nullptr;
+  }
   request->peer_info.san_names.uri_names_size = uri_names.size();
   if (!uri_names.empty()) {
     request->peer_info.san_names.uri_names =
@@ -202,6 +211,9 @@ void PendingVerifierRequestDestroy(
   if (request->peer_info.peer_cert_full_chain != nullptr) {
     gpr_free(const_cast<char*>(request->peer_info.peer_cert_full_chain));
   }
+  if (request->peer_info.verified_root_cert_subject != nullptr) {
+    gpr_free(const_cast<char*>(request->peer_info.verified_root_cert_subject));
+  }
 }
 tsi_ssl_pem_key_cert_pair* ConvertToTsiPemKeyCertPair(

data/src/core/lib/security/transport/secure_endpoint.cc CHANGED Viewed

@@ -236,7 +236,8 @@ static void flush_read_staging_buffer(secure_endpoint* ep, uint8_t** cur,
 }
 static void call_read_cb(secure_endpoint* ep, grpc_error_handle error) {
-  if (GRPC_TRACE_FLAG_ENABLED(grpc_trace_secure_endpoint)) {
+  if (GRPC_TRACE_FLAG_ENABLED(grpc_trace_secure_endpoint) &&
+      gpr_should_log(GPR_LOG_SEVERITY_INFO)) {
     size_t i;
     for (i = 0; i < ep->read_buffer->count; i++) {
       char* data = grpc_dump_slice(ep->read_buffer->slices[i],
@@ -394,7 +395,8 @@ static void endpoint_write(grpc_endpoint* secure_ep, grpc_slice_buffer* slices,
     grpc_slice_buffer_reset_and_unref(&ep->output_buffer);
-    if (GRPC_TRACE_FLAG_ENABLED(grpc_trace_secure_endpoint)) {
+    if (GRPC_TRACE_FLAG_ENABLED(grpc_trace_secure_endpoint) &&
+        gpr_should_log(GPR_LOG_SEVERITY_INFO)) {
       for (i = 0; i < slices->count; i++) {
         char* data =
             grpc_dump_slice(slices->slices[i], GPR_DUMP_HEX | GPR_DUMP_ASCII);