From 372d48b3895af04b0d0ff8eb38e9e208ea07efdf Mon Sep 17 00:00:00 2001 From: Alessio Buraggina Date: Wed, 8 Jun 2022 13:02:04 -0400 Subject: [PATCH] Add FreeBSD system roots loading support. (#29436) Merge freebsd implementation with existing linux logic. --- .../load_system_roots_fallback.cc | 4 ++-- .../load_system_roots_linux.cc | 22 ++++++++++++------- .../load_system_roots_linux.h | 4 ++-- test/core/security/linux_system_roots_test.cc | 8 ++++--- 4 files changed, 23 insertions(+), 15 deletions(-) diff --git a/src/core/lib/security/security_connector/load_system_roots_fallback.cc b/src/core/lib/security/security_connector/load_system_roots_fallback.cc index f448d3fcac6..e377411a5d1 100644 --- a/src/core/lib/security/security_connector/load_system_roots_fallback.cc +++ b/src/core/lib/security/security_connector/load_system_roots_fallback.cc @@ -22,7 +22,7 @@ #include "src/core/lib/security/security_connector/load_system_roots.h" -#if !defined(GPR_LINUX) && !defined(GPR_ANDROID) +#if !defined(GPR_LINUX) && !defined(GPR_ANDROID) && !defined(GPR_FREEBSD) namespace grpc_core { @@ -30,4 +30,4 @@ grpc_slice LoadSystemRootCerts() { return grpc_empty_slice(); } } // namespace grpc_core -#endif /* !(GPR_LINUX || GPR_ANDROID) */ +#endif /* !(GPR_LINUX || GPR_ANDROID || GPR_FREEBSD) */ diff --git a/src/core/lib/security/security_connector/load_system_roots_linux.cc b/src/core/lib/security/security_connector/load_system_roots_linux.cc index 6b9c50b7182..c90a75cf555 100644 --- a/src/core/lib/security/security_connector/load_system_roots_linux.cc +++ b/src/core/lib/security/security_connector/load_system_roots_linux.cc @@ -22,7 +22,7 @@ #include -#if defined(GPR_LINUX) || defined(GPR_ANDROID) +#if defined(GPR_LINUX) || defined(GPR_ANDROID) || defined(GPR_FREEBSD) #include #include 
@@ -51,20 +51,26 @@ GPR_GLOBAL_CONFIG_DEFINE_STRING(grpc_system_ssl_roots_dir, "", namespace grpc_core { namespace { -const char* kLinuxCertFiles[] = { +#if defined(GPR_LINUX) || defined(GPR_ANDROID) +const char* kCertFiles[] = { "/etc/ssl/certs/ca-certificates.crt", "/etc/pki/tls/certs/ca-bundle.crt", "/etc/ssl/ca-bundle.pem", "/etc/pki/tls/cacert.pem", "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"}; -const char* kLinuxCertDirectories[] = { +const char* kCertDirectories[] = { "/etc/ssl/certs", "/system/etc/security/cacerts", "/usr/local/share/certs", "/etc/pki/tls/certs", "/etc/openssl/certs"}; +#elif defined(GPR_FREEBSD) // endif GPR_LINUX || GPR_ANDROID +const char* kCertFiles[] = {"/etc/ssl/cert.pem", + "/usr/local/share/certs/ca-root-nss.crt"}; +const char* kCertDirectories[] = {""}; +#endif // GPR_FREEBSD grpc_slice GetSystemRootCerts() { grpc_slice valid_bundle_slice = grpc_empty_slice(); - size_t num_cert_files_ = GPR_ARRAY_SIZE(kLinuxCertFiles); + size_t num_cert_files_ = GPR_ARRAY_SIZE(kCertFiles); for (size_t i = 0; i < num_cert_files_; i++) { grpc_error_handle error = - grpc_load_file(kLinuxCertFiles[i], 1, &valid_bundle_slice); + grpc_load_file(kCertFiles[i], 1, &valid_bundle_slice); if (error == GRPC_ERROR_NONE) { return valid_bundle_slice; } else { @@ -155,8 +161,8 @@ grpc_slice LoadSystemRootCerts() { result = GetSystemRootCerts(); } if (GRPC_SLICE_IS_EMPTY(result)) { - for (size_t i = 0; i < GPR_ARRAY_SIZE(kLinuxCertDirectories); i++) { - result = CreateRootCertsBundle(kLinuxCertDirectories[i]); + for (size_t i = 0; i < GPR_ARRAY_SIZE(kCertDirectories); i++) { + result = CreateRootCertsBundle(kCertDirectories[i]); if (!GRPC_SLICE_IS_EMPTY(result)) { break; } @@ -167,4 +173,4 @@ grpc_slice LoadSystemRootCerts() { } // namespace grpc_core -#endif /* GPR_LINUX || GPR_ANDROID */ +#endif /* GPR_LINUX || GPR_ANDROID || GPR_FREEBSD */ 
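Review bot: The FreeBSD branch defines `kCertDirectories[] = {""}`, so the directory fallback loop in `LoadSystemRootCerts()` (the hunk at -155,8) passes an empty path to `CreateRootCertsBundle()`. That function is not shown on this page; presumably opening an empty path fails and the result stays empty, but trust-anchor discovery should not depend on that for an entry that is known to be a placeholder. Skip it explicitly in the loop with `if (kCertDirectories[i][0] == '\0') continue;`, or at least document it next to the array with `// FreeBSD: no certificate directory is searched; "" only keeps the array non-empty.` The bodies of `GetSystemRootCerts()` and `LoadSystemRootCerts()` continue outside these hunks.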
diff --git a/src/core/lib/security/security_connector/load_system_roots_linux.h b/src/core/lib/security/security_connector/load_system_roots_linux.h index c1ef3f63ebb..758bdd97d28 100644 --- a/src/core/lib/security/security_connector/load_system_roots_linux.h +++ b/src/core/lib/security/security_connector/load_system_roots_linux.h @@ -23,7 +23,7 @@ #include -#ifdef GPR_LINUX +#if defined(GPR_LINUX) || defined(GPR_FREEBSD) namespace grpc_core { @@ -41,6 +41,6 @@ void GetAbsoluteFilePath(const char* valid_file_dir, } // namespace grpc_core -#endif /* GPR_LINUX */ +#endif /* GPR_LINUX || GPR_FREEBSD */ #endif /* GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_LOAD_SYSTEM_ROOTS_LINUX_H \ */ diff --git a/test/core/security/linux_system_roots_test.cc b/test/core/security/linux_system_roots_test.cc index 72eefda6c53..e48dd573661 100644 --- a/test/core/security/linux_system_roots_test.cc +++ b/test/core/security/linux_system_roots_test.cc @@ -20,7 +20,7 @@ #include -#ifdef GPR_LINUX +#if defined(GPR_LINUX) || defined(GPR_FREEBSD) #include #include @@ -94,7 +94,9 @@ int main(int argc, char** argv) { } #else int main() { - printf("*** WARNING: this test is only supported on Linux systems ***\n"); + printf( + "*** WARNING: this test is only supported on Linux and FreeBSD systems" + "***\n"); return 0; } -#endif // GPR_LINUX +#endif // GPR_LINUX || GPR_FREEBSD
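Review bot: The header guard becomes `#if defined(GPR_LINUX) || defined(GPR_FREEBSD)`, while load_system_roots_linux.cc in this same commit is compiled under `GPR_LINUX || GPR_ANDROID || GPR_FREEBSD`, so the two files disagree about Android. The mismatch predates this commit (the old guard was `#ifdef GPR_LINUX`) and may be deliberate, but nothing on this page shows whether GPR_ANDROID implies GPR_LINUX. If it is not deliberate, use the same condition in both files, `#if defined(GPR_LINUX) || defined(GPR_ANDROID) || defined(GPR_FREEBSD)`; otherwise add a one-line comment at the guard saying why Android is excluded.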
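Review bot: The reworded warning in the `#else` branch of `main()` loses the space before the closing asterisks, because the adjacent literals `"... Linux and FreeBSD systems"` and `"***\n"` concatenate to `systems***`. End the first literal with a space, `"*** WARNING: this test is only supported on Linux and FreeBSD systems "`, so the output keeps the original `systems ***` form.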