grpc 1.17.1 → 1.18.0.pre1

data/src/core/lib/security/security_connector/ssl/ssl_security_connector.h

@@ -25,6 +25,7 @@
 
 #include "src/core/lib/security/security_connector/security_connector.h"
 
+#include "src/core/lib/gprpp/ref_counted_ptr.h"
 #include "src/core/tsi/ssl_transport_security.h"
 #include "src/core/tsi/transport_security_interface.h"
 
@@ -47,20 +48,21 @@ typedef struct {
   This function returns GRPC_SECURITY_OK in case of success or a
   specific error code otherwise.
 */
-grpc_security_status grpc_ssl_channel_security_connector_create(
-    grpc_channel_credentials* channel_creds,
-    grpc_call_credentials* request_metadata_creds,
+grpc_core::RefCountedPtr<grpc_channel_security_connector>
+grpc_ssl_channel_security_connector_create(
+    grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,
+    grpc_core::RefCountedPtr<grpc_call_credentials> request_metadata_creds,
     const grpc_ssl_config* config, const char* target_name,
     const char* overridden_target_name,
-    tsi_ssl_session_cache* ssl_session_cache,
-    grpc_channel_security_connector** sc);
+    tsi_ssl_session_cache* ssl_session_cache);
 
 /* Config for ssl servers. */
 typedef struct {
-  tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs;
-  size_t num_key_cert_pairs;
-  char* pem_root_certs;
-  grpc_ssl_client_certificate_request_type client_certificate_request;
+  tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs = nullptr;
+  size_t num_key_cert_pairs = 0;
+  char* pem_root_certs = nullptr;
+  grpc_ssl_client_certificate_request_type client_certificate_request =
+      GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE;
 } grpc_ssl_server_config;
 
 /* Creates an SSL server_security_connector.
@@ -69,9 +71,9 @@ typedef struct {
   This function returns GRPC_SECURITY_OK in case of success or a
   specific error code otherwise.
 */
-grpc_security_status grpc_ssl_server_security_connector_create(
-    grpc_server_credentials* server_credentials,
-    grpc_server_security_connector** sc);
+grpc_core::RefCountedPtr<grpc_server_security_connector>
+grpc_ssl_server_security_connector_create(
+    grpc_core::RefCountedPtr<grpc_server_credentials> server_credentials);
 
 #endif /* GRPC_CORE_LIB_SECURITY_SECURITY_CONNECTOR_SSL_SSL_SECURITY_CONNECTOR_H \
         */

data/src/core/lib/security/security_connector/ssl_utils.cc

@@ -30,6 +30,7 @@
 #include "src/core/lib/gpr/env.h"
 #include "src/core/lib/gpr/host_port.h"
 #include "src/core/lib/gpr/string.h"
+#include "src/core/lib/gprpp/ref_counted_ptr.h"
 #include "src/core/lib/iomgr/load_file.h"
 #include "src/core/lib/security/context/security_context.h"
 #include "src/core/lib/security/security_connector/load_system_roots.h"
@@ -141,16 +142,17 @@ int grpc_ssl_host_matches_name(const tsi_peer* peer, const char* peer_name) {
   return r;
 }
 
-grpc_auth_context* grpc_ssl_peer_to_auth_context(const tsi_peer* peer) {
+grpc_core::RefCountedPtr<grpc_auth_context> grpc_ssl_peer_to_auth_context(
+    const tsi_peer* peer) {
   size_t i;
-  grpc_auth_context* ctx = nullptr;
   const char* peer_identity_property_name = nullptr;
 
   /* The caller has checked the certificate type property. */
   GPR_ASSERT(peer->property_count >= 1);
-  ctx = grpc_auth_context_create(nullptr);
+  grpc_core::RefCountedPtr<grpc_auth_context> ctx =
+      grpc_core::MakeRefCounted<grpc_auth_context>(nullptr);
   grpc_auth_context_add_cstring_property(
-      ctx, GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
+      ctx.get(), GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
       GRPC_SSL_TRANSPORT_SECURITY_TYPE);
   for (i = 0; i < peer->property_count; i++) {
     const tsi_peer_property* prop = &peer->properties[i];
@@ -160,24 +162,26 @@ grpc_auth_context* grpc_ssl_peer_to_auth_context(const tsi_peer* peer) {
       if (peer_identity_property_name == nullptr) {
         peer_identity_property_name = GRPC_X509_CN_PROPERTY_NAME;
       }
-      grpc_auth_context_add_property(ctx, GRPC_X509_CN_PROPERTY_NAME,
+      grpc_auth_context_add_property(ctx.get(), GRPC_X509_CN_PROPERTY_NAME,
                                      prop->value.data, prop->value.length);
     } else if (strcmp(prop->name,
                       TSI_X509_SUBJECT_ALTERNATIVE_NAME_PEER_PROPERTY) == 0) {
       peer_identity_property_name = GRPC_X509_SAN_PROPERTY_NAME;
-      grpc_auth_context_add_property(ctx, GRPC_X509_SAN_PROPERTY_NAME,
+      grpc_auth_context_add_property(ctx.get(), GRPC_X509_SAN_PROPERTY_NAME,
                                      prop->value.data, prop->value.length);
     } else if (strcmp(prop->name, TSI_X509_PEM_CERT_PROPERTY) == 0) {
-      grpc_auth_context_add_property(ctx, GRPC_X509_PEM_CERT_PROPERTY_NAME,
+      grpc_auth_context_add_property(ctx.get(),
+                                     GRPC_X509_PEM_CERT_PROPERTY_NAME,
                                      prop->value.data, prop->value.length);
     } else if (strcmp(prop->name, TSI_SSL_SESSION_REUSED_PEER_PROPERTY) == 0) {
-      grpc_auth_context_add_property(ctx, GRPC_SSL_SESSION_REUSED_PROPERTY,
+      grpc_auth_context_add_property(ctx.get(),
+                                     GRPC_SSL_SESSION_REUSED_PROPERTY,
                                      prop->value.data, prop->value.length);
     }
   }
   if (peer_identity_property_name != nullptr) {
     GPR_ASSERT(grpc_auth_context_set_peer_identity_property_name(
-                   ctx, peer_identity_property_name) == 1);
+                   ctx.get(), peer_identity_property_name) == 1);
   }
   return ctx;
 }

data/src/core/lib/security/security_connector/ssl_utils.h

@@ -26,6 +26,7 @@
 #include <grpc/grpc_security.h>
 #include <grpc/slice_buffer.h>
 
+#include "src/core/lib/gprpp/ref_counted_ptr.h"
 #include "src/core/tsi/ssl_transport_security.h"
 #include "src/core/tsi/transport_security_interface.h"
 
@@ -47,7 +48,8 @@ grpc_get_tsi_client_certificate_request_type(
 const char** grpc_fill_alpn_protocol_strings(size_t* num_alpn_protocols);
 
 /* Exposed for testing only. */
-grpc_auth_context* grpc_ssl_peer_to_auth_context(const tsi_peer* peer);
+grpc_core::RefCountedPtr<grpc_auth_context> grpc_ssl_peer_to_auth_context(
+    const tsi_peer* peer);
 tsi_peer grpc_shallow_peer_from_ssl_auth_context(
     const grpc_auth_context* auth_context);
 void grpc_shallow_peer_destruct(tsi_peer* peer);

data/src/core/lib/security/transport/client_auth_filter.cc

@@ -55,7 +55,7 @@ struct call_data {
   // that the memory is not initialized.
   void destroy() {
     grpc_credentials_mdelem_array_destroy(&md_array);
-    grpc_call_credentials_unref(creds);
+    creds.reset();
     grpc_slice_unref_internal(host);
     grpc_slice_unref_internal(method);
     grpc_auth_metadata_context_reset(&auth_md_context);
@@ -64,7 +64,7 @@ struct call_data {
   gpr_arena* arena;
   grpc_call_stack* owning_call;
   grpc_call_combiner* call_combiner;
-  grpc_call_credentials* creds = nullptr;
+  grpc_core::RefCountedPtr<grpc_call_credentials> creds;
   grpc_slice host = grpc_empty_slice();
   grpc_slice method = grpc_empty_slice();
   /* pollset{_set} bound to this call; if we need to make external
@@ -83,8 +83,18 @@ struct call_data {
 
 /* We can have a per-channel credentials. */
 struct channel_data {
-  grpc_channel_security_connector* security_connector;
-  grpc_auth_context* auth_context;
+  channel_data(grpc_channel_security_connector* security_connector,
+               grpc_auth_context* auth_context)
+      : security_connector(
+            security_connector->Ref(DEBUG_LOCATION, "client_auth_filter")),
+        auth_context(auth_context->Ref(DEBUG_LOCATION, "client_auth_filter")) {}
+  ~channel_data() {
+    security_connector.reset(DEBUG_LOCATION, "client_auth_filter");
+    auth_context.reset(DEBUG_LOCATION, "client_auth_filter");
+  }
+
+  grpc_core::RefCountedPtr<grpc_channel_security_connector> security_connector;
+  grpc_core::RefCountedPtr<grpc_auth_context> auth_context;
 };
 }  // namespace
 
@@ -98,10 +108,11 @@ void grpc_auth_metadata_context_reset(
     gpr_free(const_cast<char*>(auth_md_context->method_name));
     auth_md_context->method_name = nullptr;
   }
-  GRPC_AUTH_CONTEXT_UNREF(
-      (grpc_auth_context*)auth_md_context->channel_auth_context,
-      "grpc_auth_metadata_context");
-  auth_md_context->channel_auth_context = nullptr;
+  if (auth_md_context->channel_auth_context != nullptr) {
+    const_cast<grpc_auth_context*>(auth_md_context->channel_auth_context)
+        ->Unref(DEBUG_LOCATION, "grpc_auth_metadata_context");
+    auth_md_context->channel_auth_context = nullptr;
+  }
 }
 
 static void add_error(grpc_error** combined, grpc_error* error) {
@@ -175,7 +186,10 @@ void grpc_auth_metadata_context_build(
   auth_md_context->service_url = service_url;
   auth_md_context->method_name = method_name;
   auth_md_context->channel_auth_context =
-      GRPC_AUTH_CONTEXT_REF(auth_context, "grpc_auth_metadata_context");
+      auth_context == nullptr
+          ? nullptr
+          : auth_context->Ref(DEBUG_LOCATION, "grpc_auth_metadata_context")
+                .release();
   gpr_free(service);
   gpr_free(host_and_port);
 }
@@ -184,8 +198,8 @@ static void cancel_get_request_metadata(void* arg, grpc_error* error) {
   grpc_call_element* elem = static_cast<grpc_call_element*>(arg);
   call_data* calld = static_cast<call_data*>(elem->call_data);
   if (error != GRPC_ERROR_NONE) {
-    grpc_call_credentials_cancel_get_request_metadata(
-        calld->creds, &calld->md_array, GRPC_ERROR_REF(error));
+    calld->creds->cancel_get_request_metadata(&calld->md_array,
+                                              GRPC_ERROR_REF(error));
   }
 }
 
@@ -197,7 +211,7 @@ static void send_security_metadata(grpc_call_element* elem,
       static_cast<grpc_client_security_context*>(
           batch->payload->context[GRPC_CONTEXT_SECURITY].value);
   grpc_call_credentials* channel_call_creds =
-      chand->security_connector->request_metadata_creds;
+      chand->security_connector->mutable_request_metadata_creds();
   int call_creds_has_md = (ctx != nullptr) && (ctx->creds != nullptr);
 
   if (channel_call_creds == nullptr && !call_creds_has_md) {
@@ -207,8 +221,9 @@ static void send_security_metadata(grpc_call_element* elem,
   }
 
   if (channel_call_creds != nullptr && call_creds_has_md) {
-    calld->creds = grpc_composite_call_credentials_create(channel_call_creds,
-                                                          ctx->creds, nullptr);
+    calld->creds = grpc_core::RefCountedPtr<grpc_call_credentials>(
+        grpc_composite_call_credentials_create(channel_call_creds,
+                                               ctx->creds.get(), nullptr));
     if (calld->creds == nullptr) {
       grpc_transport_stream_op_batch_finish_with_failure(
           batch,
@@ -220,22 +235,22 @@ static void send_security_metadata(grpc_call_element* elem,
       return;
     }
   } else {
-    calld->creds = grpc_call_credentials_ref(
-        call_creds_has_md ? ctx->creds : channel_call_creds);
+    calld->creds =
+        call_creds_has_md ? ctx->creds->Ref() : channel_call_creds->Ref();
   }
 
   grpc_auth_metadata_context_build(
-      chand->security_connector->base.url_scheme, calld->host, calld->method,
-      chand->auth_context, &calld->auth_md_context);
+      chand->security_connector->url_scheme(), calld->host, calld->method,
+      chand->auth_context.get(), &calld->auth_md_context);
 
   GPR_ASSERT(calld->pollent != nullptr);
   GRPC_CALL_STACK_REF(calld->owning_call, "get_request_metadata");
   GRPC_CLOSURE_INIT(&calld->async_result_closure, on_credentials_metadata,
                     batch, grpc_schedule_on_exec_ctx);
   grpc_error* error = GRPC_ERROR_NONE;
-  if (grpc_call_credentials_get_request_metadata(
-          calld->creds, calld->pollent, calld->auth_md_context,
-          &calld->md_array, &calld->async_result_closure, &error)) {
+  if (calld->creds->get_request_metadata(
+          calld->pollent, calld->auth_md_context, &calld->md_array,
+          &calld->async_result_closure, &error)) {
     // Synchronous return; invoke on_credentials_metadata() directly.
     on_credentials_metadata(batch, error);
     GRPC_ERROR_UNREF(error);
@@ -279,9 +294,8 @@ static void cancel_check_call_host(void* arg, grpc_error* error) {
   call_data* calld = static_cast<call_data*>(elem->call_data);
   channel_data* chand = static_cast<channel_data*>(elem->channel_data);
   if (error != GRPC_ERROR_NONE) {
-    grpc_channel_security_connector_cancel_check_call_host(
-        chand->security_connector, &calld->async_result_closure,
-        GRPC_ERROR_REF(error));
+    chand->security_connector->cancel_check_call_host(
+        &calld->async_result_closure, GRPC_ERROR_REF(error));
   }
 }
 
@@ -299,16 +313,16 @@ static void auth_start_transport_stream_op_batch(
     GPR_ASSERT(batch->payload->context != nullptr);
     if (batch->payload->context[GRPC_CONTEXT_SECURITY].value == nullptr) {
       batch->payload->context[GRPC_CONTEXT_SECURITY].value =
-          grpc_client_security_context_create(calld->arena);
+          grpc_client_security_context_create(calld->arena, /*creds=*/nullptr);
       batch->payload->context[GRPC_CONTEXT_SECURITY].destroy =
           grpc_client_security_context_destroy;
     }
     grpc_client_security_context* sec_ctx =
         static_cast<grpc_client_security_context*>(
             batch->payload->context[GRPC_CONTEXT_SECURITY].value);
-    GRPC_AUTH_CONTEXT_UNREF(sec_ctx->auth_context, "client auth filter");
+    sec_ctx->auth_context.reset(DEBUG_LOCATION, "client_auth_filter");
     sec_ctx->auth_context =
-        GRPC_AUTH_CONTEXT_REF(chand->auth_context, "client_auth_filter");
+        chand->auth_context->Ref(DEBUG_LOCATION, "client_auth_filter");
   }
 
   if (batch->send_initial_metadata) {
@@ -327,8 +341,8 @@ static void auth_start_transport_stream_op_batch(
                         grpc_schedule_on_exec_ctx);
       char* call_host = grpc_slice_to_c_string(calld->host);
       grpc_error* error = GRPC_ERROR_NONE;
-      if (grpc_channel_security_connector_check_call_host(
-              chand->security_connector, call_host, chand->auth_context,
+      if (chand->security_connector->check_call_host(
+              call_host, chand->auth_context.get(),
               &calld->async_result_closure, &error)) {
         // Synchronous return; invoke on_host_checked() directly.
         on_host_checked(batch, error);
@@ -374,6 +388,10 @@ static void destroy_call_elem(grpc_call_element* elem,
 /* Constructor for channel_data */
 static grpc_error* init_channel_elem(grpc_channel_element* elem,
                                      grpc_channel_element_args* args) {
+  /* The first and the last filters tend to be implemented differently to
+     handle the case that there's no 'next' filter to call on the up or down
+     path */
+  GPR_ASSERT(!args->is_last);
   grpc_security_connector* sc =
       grpc_security_connector_find_in_args(args->channel_args);
   if (sc == nullptr) {
@@ -386,33 +404,15 @@ static grpc_error* init_channel_elem(grpc_channel_element* elem,
     return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
         "Auth context missing from client auth filter args");
   }
-
-  /* grab pointers to our data from the channel element */
-  channel_data* chand = static_cast<channel_data*>(elem->channel_data);
-
-  /* The first and the last filters tend to be implemented differently to
-     handle the case that there's no 'next' filter to call on the up or down
-     path */
-  GPR_ASSERT(!args->is_last);
-
-  /* initialize members */
-  chand->security_connector =
-      reinterpret_cast<grpc_channel_security_connector*>(
-          GRPC_SECURITY_CONNECTOR_REF(sc, "client_auth_filter"));
-  chand->auth_context =
-      GRPC_AUTH_CONTEXT_REF(auth_context, "client_auth_filter");
+  new (elem->channel_data) channel_data(
+      static_cast<grpc_channel_security_connector*>(sc), auth_context);
   return GRPC_ERROR_NONE;
 }
 
 /* Destructor for channel data */
 static void destroy_channel_elem(grpc_channel_element* elem) {
-  /* grab pointers to our data from the channel element */
   channel_data* chand = static_cast<channel_data*>(elem->channel_data);
-  grpc_channel_security_connector* sc = chand->security_connector;
-  if (sc != nullptr) {
-    GRPC_SECURITY_CONNECTOR_UNREF(&sc->base, "client_auth_filter");
-  }
-  GRPC_AUTH_CONTEXT_UNREF(chand->auth_context, "client_auth_filter");
+  chand->~channel_data();
 }
 
 const grpc_channel_filter grpc_client_auth_filter = {

data/src/core/lib/security/transport/secure_endpoint.cc

@@ -416,6 +416,11 @@ static grpc_resource_user* endpoint_get_resource_user(
   return grpc_endpoint_get_resource_user(ep->wrapped_ep);
 }
 
+static bool endpoint_can_track_err(grpc_endpoint* secure_ep) {
+  secure_endpoint* ep = reinterpret_cast<secure_endpoint*>(secure_ep);
+  return grpc_endpoint_can_track_err(ep->wrapped_ep);
+}
+
 static const grpc_endpoint_vtable vtable = {endpoint_read,
                                             endpoint_write,
                                             endpoint_add_to_pollset,
@@ -425,7 +430,8 @@ static const grpc_endpoint_vtable vtable = {endpoint_read,
                                             endpoint_destroy,
                                             endpoint_get_resource_user,
                                             endpoint_get_peer,
-                                            endpoint_get_fd};
+                                            endpoint_get_fd,
+                                            endpoint_can_track_err};
 
 grpc_endpoint* grpc_secure_endpoint_create(
     struct tsi_frame_protector* protector,

data/src/core/lib/security/transport/security_handshaker.cc

@@ -30,6 +30,7 @@
 #include "src/core/lib/channel/channel_args.h"
 #include "src/core/lib/channel/handshaker.h"
 #include "src/core/lib/channel/handshaker_registry.h"
+#include "src/core/lib/gprpp/ref_counted_ptr.h"
 #include "src/core/lib/security/context/security_context.h"
 #include "src/core/lib/security/transport/secure_endpoint.h"
 #include "src/core/lib/security/transport/tsi_error.h"
@@ -38,34 +39,62 @@
 
 #define GRPC_INITIAL_HANDSHAKE_BUFFER_SIZE 256
 
-typedef struct {
+namespace {
+struct security_handshaker {
+  security_handshaker(tsi_handshaker* handshaker,
+                      grpc_security_connector* connector);
+  ~security_handshaker() {
+    gpr_mu_destroy(&mu);
+    tsi_handshaker_destroy(handshaker);
+    tsi_handshaker_result_destroy(handshaker_result);
+    if (endpoint_to_destroy != nullptr) {
+      grpc_endpoint_destroy(endpoint_to_destroy);
+    }
+    if (read_buffer_to_destroy != nullptr) {
+      grpc_slice_buffer_destroy_internal(read_buffer_to_destroy);
+      gpr_free(read_buffer_to_destroy);
+    }
+    gpr_free(handshake_buffer);
+    grpc_slice_buffer_destroy_internal(&outgoing);
+    auth_context.reset(DEBUG_LOCATION, "handshake");
+    connector.reset(DEBUG_LOCATION, "handshake");
+  }
+
+  void Ref() { refs.Ref(); }
+  void Unref() {
+    if (refs.Unref()) {
+      grpc_core::Delete(this);
+    }
+  }
+
   grpc_handshaker base;
 
   // State set at creation time.
   tsi_handshaker* handshaker;
-  grpc_security_connector* connector;
+  grpc_core::RefCountedPtr<grpc_security_connector> connector;
 
   gpr_mu mu;
-  gpr_refcount refs;
+  grpc_core::RefCount refs;
 
-  bool shutdown;
+  bool shutdown = false;
   // Endpoint and read buffer to destroy after a shutdown.
-  grpc_endpoint* endpoint_to_destroy;
-  grpc_slice_buffer* read_buffer_to_destroy;
+  grpc_endpoint* endpoint_to_destroy = nullptr;
+  grpc_slice_buffer* read_buffer_to_destroy = nullptr;
 
   // State saved while performing the handshake.
-  grpc_handshaker_args* args;
-  grpc_closure* on_handshake_done;
+  grpc_handshaker_args* args = nullptr;
+  grpc_closure* on_handshake_done = nullptr;
 
-  unsigned char* handshake_buffer;
   size_t handshake_buffer_size;
+  unsigned char* handshake_buffer;
   grpc_slice_buffer outgoing;
   grpc_closure on_handshake_data_sent_to_peer;
   grpc_closure on_handshake_data_received_from_peer;
   grpc_closure on_peer_checked;
-  grpc_auth_context* auth_context;
-  tsi_handshaker_result* handshaker_result;
-} security_handshaker;
+  grpc_core::RefCountedPtr<grpc_auth_context> auth_context;
+  tsi_handshaker_result* handshaker_result = nullptr;
+};
+}  // namespace
 
 static size_t move_read_buffer_into_handshake_buffer(security_handshaker* h) {
   size_t bytes_in_read_buffer = h->args->read_buffer->length;
@@ -85,26 +114,6 @@ static size_t move_read_buffer_into_handshake_buffer(security_handshaker* h) {
   return bytes_in_read_buffer;
 }
 
-static void security_handshaker_unref(security_handshaker* h) {
-  if (gpr_unref(&h->refs)) {
-    gpr_mu_destroy(&h->mu);
-    tsi_handshaker_destroy(h->handshaker);
-    tsi_handshaker_result_destroy(h->handshaker_result);
-    if (h->endpoint_to_destroy != nullptr) {
-      grpc_endpoint_destroy(h->endpoint_to_destroy);
-    }
-    if (h->read_buffer_to_destroy != nullptr) {
-      grpc_slice_buffer_destroy_internal(h->read_buffer_to_destroy);
-      gpr_free(h->read_buffer_to_destroy);
-    }
-    gpr_free(h->handshake_buffer);
-    grpc_slice_buffer_destroy_internal(&h->outgoing);
-    GRPC_AUTH_CONTEXT_UNREF(h->auth_context, "handshake");
-    GRPC_SECURITY_CONNECTOR_UNREF(h->connector, "handshake");
-    gpr_free(h);
-  }
-}
-
 // Set args fields to NULL, saving the endpoint and read buffer for
 // later destruction.
 static void cleanup_args_for_failure_locked(security_handshaker* h) {
@@ -194,7 +203,7 @@ static void on_peer_checked_inner(security_handshaker* h, grpc_error* error) {
   tsi_handshaker_result_destroy(h->handshaker_result);
   h->handshaker_result = nullptr;
   // Add auth context to channel args.
-  grpc_arg auth_context_arg = grpc_auth_context_to_arg(h->auth_context);
+  grpc_arg auth_context_arg = grpc_auth_context_to_arg(h->auth_context.get());
   grpc_channel_args* tmp_args = h->args->args;
   h->args->args =
       grpc_channel_args_copy_and_add(tmp_args, &auth_context_arg, 1);
@@ -211,7 +220,7 @@ static void on_peer_checked(void* arg, grpc_error* error) {
   gpr_mu_lock(&h->mu);
   on_peer_checked_inner(h, error);
   gpr_mu_unlock(&h->mu);
-  security_handshaker_unref(h);
+  h->Unref();
 }
 
 static grpc_error* check_peer_locked(security_handshaker* h) {
@@ -222,8 +231,8 @@ static grpc_error* check_peer_locked(security_handshaker* h) {
     return grpc_set_tsi_error_result(
         GRPC_ERROR_CREATE_FROM_STATIC_STRING("Peer extraction failed"), result);
   }
-  grpc_security_connector_check_peer(h->connector, peer, &h->auth_context,
-                                     &h->on_peer_checked);
+  h->connector->check_peer(peer, h->args->endpoint, &h->auth_context,
+                           &h->on_peer_checked);
   return GRPC_ERROR_NONE;
 }
 
@@ -281,7 +290,7 @@ static void on_handshake_next_done_grpc_wrapper(
   if (error != GRPC_ERROR_NONE) {
     security_handshake_failed_locked(h, error);
     gpr_mu_unlock(&h->mu);
-    security_handshaker_unref(h);
+    h->Unref();
   } else {
     gpr_mu_unlock(&h->mu);
   }
@@ -317,7 +326,7 @@ static void on_handshake_data_received_from_peer(void* arg, grpc_error* error) {
         h, GRPC_ERROR_CREATE_REFERENCING_FROM_STATIC_STRING(
                "Handshake read failed", &error, 1));
     gpr_mu_unlock(&h->mu);
-    security_handshaker_unref(h);
+    h->Unref();
     return;
   }
   // Copy all slices received.
@@ -329,7 +338,7 @@ static void on_handshake_data_received_from_peer(void* arg, grpc_error* error) {
   if (error != GRPC_ERROR_NONE) {
     security_handshake_failed_locked(h, error);
     gpr_mu_unlock(&h->mu);
-    security_handshaker_unref(h);
+    h->Unref();
   } else {
     gpr_mu_unlock(&h->mu);
   }
@@ -343,7 +352,7 @@ static void on_handshake_data_sent_to_peer(void* arg, grpc_error* error) {
         h, GRPC_ERROR_CREATE_REFERENCING_FROM_STATIC_STRING(
                "Handshake write failed", &error, 1));
     gpr_mu_unlock(&h->mu);
-    security_handshaker_unref(h);
+    h->Unref();
     return;
   }
   // We may be done.
@@ -355,7 +364,7 @@ static void on_handshake_data_sent_to_peer(void* arg, grpc_error* error) {
     if (error != GRPC_ERROR_NONE) {
       security_handshake_failed_locked(h, error);
       gpr_mu_unlock(&h->mu);
-      security_handshaker_unref(h);
+      h->Unref();
       return;
     }
   }
@@ -368,7 +377,7 @@ static void on_handshake_data_sent_to_peer(void* arg, grpc_error* error) {
 
 static void security_handshaker_destroy(grpc_handshaker* handshaker) {
   security_handshaker* h = reinterpret_cast<security_handshaker*>(handshaker);
-  security_handshaker_unref(h);
+  h->Unref();
 }
 
 static void security_handshaker_shutdown(grpc_handshaker* handshaker,
@@ -393,14 +402,14 @@ static void security_handshaker_do_handshake(grpc_handshaker* handshaker,
   gpr_mu_lock(&h->mu);
   h->args = args;
   h->on_handshake_done = on_handshake_done;
-  gpr_ref(&h->refs);
+  h->Ref();
   size_t bytes_received_size = move_read_buffer_into_handshake_buffer(h);
   grpc_error* error =
       do_handshaker_next_locked(h, h->handshake_buffer, bytes_received_size);
   if (error != GRPC_ERROR_NONE) {
     security_handshake_failed_locked(h, error);
     gpr_mu_unlock(&h->mu);
-    security_handshaker_unref(h);
+    h->Unref();
     return;
   }
   gpr_mu_unlock(&h->mu);
@@ -410,27 +419,32 @@ static const grpc_handshaker_vtable security_handshaker_vtable = {
     security_handshaker_destroy, security_handshaker_shutdown,
     security_handshaker_do_handshake, "security"};
 
-static grpc_handshaker* security_handshaker_create(
-    tsi_handshaker* handshaker, grpc_security_connector* connector) {
-  security_handshaker* h = static_cast<security_handshaker*>(
-      gpr_zalloc(sizeof(security_handshaker)));
-  grpc_handshaker_init(&security_handshaker_vtable, &h->base);
-  h->handshaker = handshaker;
-  h->connector = GRPC_SECURITY_CONNECTOR_REF(connector, "handshake");
-  gpr_mu_init(&h->mu);
-  gpr_ref_init(&h->refs, 1);
-  h->handshake_buffer_size = GRPC_INITIAL_HANDSHAKE_BUFFER_SIZE;
-  h->handshake_buffer =
-      static_cast<uint8_t*>(gpr_malloc(h->handshake_buffer_size));
-  GRPC_CLOSURE_INIT(&h->on_handshake_data_sent_to_peer,
-                    on_handshake_data_sent_to_peer, h,
+namespace {
+security_handshaker::security_handshaker(tsi_handshaker* handshaker,
+                                         grpc_security_connector* connector)
+    : handshaker(handshaker),
+      connector(connector->Ref(DEBUG_LOCATION, "handshake")),
+      handshake_buffer_size(GRPC_INITIAL_HANDSHAKE_BUFFER_SIZE),
+      handshake_buffer(
+          static_cast<uint8_t*>(gpr_malloc(handshake_buffer_size))) {
+  grpc_handshaker_init(&security_handshaker_vtable, &base);
+  gpr_mu_init(&mu);
+  grpc_slice_buffer_init(&outgoing);
+  GRPC_CLOSURE_INIT(&on_handshake_data_sent_to_peer,
+                    ::on_handshake_data_sent_to_peer, this,
                     grpc_schedule_on_exec_ctx);
-  GRPC_CLOSURE_INIT(&h->on_handshake_data_received_from_peer,
-                    on_handshake_data_received_from_peer, h,
+  GRPC_CLOSURE_INIT(&on_handshake_data_received_from_peer,
+                    ::on_handshake_data_received_from_peer, this,
                     grpc_schedule_on_exec_ctx);
-  GRPC_CLOSURE_INIT(&h->on_peer_checked, on_peer_checked, h,
+  GRPC_CLOSURE_INIT(&on_peer_checked, ::on_peer_checked, this,
                     grpc_schedule_on_exec_ctx);
-  grpc_slice_buffer_init(&h->outgoing);
+}
+}  // namespace
+
+static grpc_handshaker* security_handshaker_create(
+    tsi_handshaker* handshaker, grpc_security_connector* connector) {
+  security_handshaker* h =
+      grpc_core::New<security_handshaker>(handshaker, connector);
   return &h->base;
 }
 
@@ -477,8 +491,9 @@ static void client_handshaker_factory_add_handshakers(
   grpc_channel_security_connector* security_connector =
       reinterpret_cast<grpc_channel_security_connector*>(
           grpc_security_connector_find_in_args(args));
-  grpc_channel_security_connector_add_handshakers(
-      security_connector, interested_parties, handshake_mgr);
+  if (security_connector) {
+    security_connector->add_handshakers(interested_parties, handshake_mgr);
+  }
 }
 
 static void server_handshaker_factory_add_handshakers(
@@ -488,8 +503,9 @@ static void server_handshaker_factory_add_handshakers(
   grpc_server_security_connector* security_connector =
       reinterpret_cast<grpc_server_security_connector*>(
           grpc_security_connector_find_in_args(args));
-  grpc_server_security_connector_add_handshakers(
-      security_connector, interested_parties, handshake_mgr);
+  if (security_connector) {
+    security_connector->add_handshakers(interested_parties, handshake_mgr);
+  }
 }
 
 static void handshaker_factory_destroy(