grpc 1.19.0 → 1.20.0.pre1

data/src/core/lib/iomgr/tcp_windows.cc

@@ -241,7 +241,7 @@ static void on_read(void* tcpp, grpc_error* error) {
 #define DEFAULT_TARGET_READ_SIZE 8192
 #define MAX_WSABUF_COUNT 16
 static void win_read(grpc_endpoint* ep, grpc_slice_buffer* read_slices,
-                     grpc_closure* cb) {
+                     grpc_closure* cb, bool urgent) {
   grpc_tcp* tcp = (grpc_tcp*)ep;
   grpc_winsocket* handle = tcp->socket;
   grpc_winsocket_callback_info* info = &handle->read_info;

data/src/core/lib/iomgr/wakeup_fd_posix.cc

@@ -23,7 +23,6 @@
 #ifdef GRPC_POSIX_WAKEUP_FD
 
 #include <stddef.h>
-#include "src/core/lib/iomgr/wakeup_fd_cv.h"
 #include "src/core/lib/iomgr/wakeup_fd_pipe.h"
 #include "src/core/lib/iomgr/wakeup_fd_posix.h"
 
@@ -51,37 +50,20 @@ void grpc_wakeup_fd_global_destroy(void) { wakeup_fd_vtable = nullptr; }
 
 int grpc_has_wakeup_fd(void) { return has_real_wakeup_fd; }
 
-int grpc_cv_wakeup_fds_enabled(void) { return cv_wakeup_fds_enabled; }
-
-void grpc_enable_cv_wakeup_fds(int enable) { cv_wakeup_fds_enabled = enable; }
-
 grpc_error* grpc_wakeup_fd_init(grpc_wakeup_fd* fd_info) {
-  if (cv_wakeup_fds_enabled) {
-    return grpc_cv_wakeup_fd_vtable.init(fd_info);
-  }
   return wakeup_fd_vtable->init(fd_info);
 }
 
 grpc_error* grpc_wakeup_fd_consume_wakeup(grpc_wakeup_fd* fd_info) {
-  if (cv_wakeup_fds_enabled) {
-    return grpc_cv_wakeup_fd_vtable.consume(fd_info);
-  }
   return wakeup_fd_vtable->consume(fd_info);
 }
 
 grpc_error* grpc_wakeup_fd_wakeup(grpc_wakeup_fd* fd_info) {
-  if (cv_wakeup_fds_enabled) {
-    return grpc_cv_wakeup_fd_vtable.wakeup(fd_info);
-  }
   return wakeup_fd_vtable->wakeup(fd_info);
 }
 
 void grpc_wakeup_fd_destroy(grpc_wakeup_fd* fd_info) {
-  if (cv_wakeup_fds_enabled) {
-    grpc_cv_wakeup_fd_vtable.destroy(fd_info);
-  } else {
-    wakeup_fd_vtable->destroy(fd_info);
-  }
+  wakeup_fd_vtable->destroy(fd_info);
 }
 
 #endif /* GRPC_POSIX_WAKEUP_FD */

data/src/core/lib/security/credentials/jwt/jwt_verifier.cc

@@ -134,7 +134,8 @@ static void jose_header_destroy(jose_header* h) {
 }
 
 /* Takes ownership of json and buffer. */
-static jose_header* jose_header_from_json(grpc_json* json, grpc_slice buffer) {
+static jose_header* jose_header_from_json(grpc_json* json,
+                                          const grpc_slice& buffer) {
   grpc_json* cur;
   jose_header* h = static_cast<jose_header*>(gpr_zalloc(sizeof(jose_header)));
   h->buffer = buffer;
@@ -235,7 +236,8 @@ gpr_timespec grpc_jwt_claims_not_before(const grpc_jwt_claims* claims) {
 }
 
 /* Takes ownership of json and buffer even in case of failure. */
-grpc_jwt_claims* grpc_jwt_claims_from_json(grpc_json* json, grpc_slice buffer) {
+grpc_jwt_claims* grpc_jwt_claims_from_json(grpc_json* json,
+                                           const grpc_slice& buffer) {
   grpc_json* cur;
   grpc_jwt_claims* claims =
       static_cast<grpc_jwt_claims*>(gpr_malloc(sizeof(grpc_jwt_claims)));
@@ -350,7 +352,7 @@ typedef struct {
 /* Takes ownership of the header, claims and signature. */
 static verifier_cb_ctx* verifier_cb_ctx_create(
     grpc_jwt_verifier* verifier, grpc_pollset* pollset, jose_header* header,
-    grpc_jwt_claims* claims, const char* audience, grpc_slice signature,
+    grpc_jwt_claims* claims, const char* audience, const grpc_slice& signature,
     const char* signed_jwt, size_t signed_jwt_len, void* user_data,
     grpc_jwt_verification_done_cb cb) {
   grpc_core::ApplicationCallbackExecCtx callback_exec_ctx;
@@ -602,7 +604,8 @@ static EVP_PKEY* find_verification_key(const grpc_json* json,
 }
 
 static int verify_jwt_signature(EVP_PKEY* key, const char* alg,
-                                grpc_slice signature, grpc_slice signed_data) {
+                                const grpc_slice& signature,
+                                const grpc_slice& signed_data) {
   EVP_MD_CTX* md_ctx = EVP_MD_CTX_create();
   const EVP_MD* md = evp_md_from_alg(alg);
   int result = 0;
@@ -621,8 +624,9 @@ static int verify_jwt_signature(EVP_PKEY* key, const char* alg,
     gpr_log(GPR_ERROR, "EVP_DigestVerifyUpdate failed.");
     goto end;
   }
-  if (EVP_DigestVerifyFinal(md_ctx, GRPC_SLICE_START_PTR(signature),
-                            GRPC_SLICE_LENGTH(signature)) != 1) {
+  if (EVP_DigestVerifyFinal(
+          md_ctx, const_cast<uint8_t*>(GRPC_SLICE_START_PTR(signature)),
+          GRPC_SLICE_LENGTH(signature)) != 1) {
     gpr_log(GPR_ERROR, "JWT signature verification failed.");
     goto end;
   }

data/src/core/lib/security/credentials/jwt/jwt_verifier.h

@@ -115,7 +115,8 @@ void grpc_jwt_verifier_verify(grpc_jwt_verifier* verifier,
 
 /* --- TESTING ONLY exposed functions. --- */
 
-grpc_jwt_claims* grpc_jwt_claims_from_json(grpc_json* json, grpc_slice buffer);
+grpc_jwt_claims* grpc_jwt_claims_from_json(grpc_json* json,
+                                           const grpc_slice& buffer);
 grpc_jwt_verifier_status grpc_jwt_claims_check(const grpc_jwt_claims* claims,
                                                const char* audience);
 const char* grpc_jwt_issuer_email_domain(const char* issuer);

data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h

@@ -167,19 +167,16 @@ struct grpc_tls_credentials_options
   grpc_ssl_client_certificate_request_type cert_request_type() const {
     return cert_request_type_;
   }
-  const grpc_tls_key_materials_config* key_materials_config() const {
+  grpc_tls_key_materials_config* key_materials_config() const {
     return key_materials_config_.get();
   }
-  const grpc_tls_credential_reload_config* credential_reload_config() const {
+  grpc_tls_credential_reload_config* credential_reload_config() const {
     return credential_reload_config_.get();
   }
-  const grpc_tls_server_authorization_check_config*
+  grpc_tls_server_authorization_check_config*
   server_authorization_check_config() const {
     return server_authorization_check_config_.get();
   }
-  grpc_tls_key_materials_config* mutable_key_materials_config() {
-    return key_materials_config_.get();
-  }
 
   /* Setters for member fields. */
   void set_cert_request_type(

data/src/core/lib/security/credentials/tls/spiffe_credentials.cc

@@ -0,0 +1,129 @@
+/*
+ *
+ * Copyright 2018 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include <grpc/support/port_platform.h>
+
+#include "src/core/lib/security/credentials/tls/spiffe_credentials.h"
+
+#include <cstring>
+
+#include <grpc/grpc.h>
+#include <grpc/support/alloc.h>
+#include <grpc/support/log.h>
+#include <grpc/support/string_util.h>
+
+#include "src/core/lib/channel/channel_args.h"
+#include "src/core/lib/security/security_connector/tls/spiffe_security_connector.h"
+
+#define GRPC_CREDENTIALS_TYPE_SPIFFE "Spiffe"
+
+namespace {
+
+bool CredentialOptionSanityCheck(const grpc_tls_credentials_options* options,
+                                 bool is_client) {
+  if (options == nullptr) {
+    gpr_log(GPR_ERROR, "SPIFFE TLS credentials options is nullptr.");
+    return false;
+  }
+  if (options->key_materials_config() == nullptr &&
+      options->credential_reload_config() == nullptr) {
+    gpr_log(
+        GPR_ERROR,
+        "SPIFFE TLS credentials options must specify either key materials or "
+        "credential reload config.");
+    return false;
+  }
+  if (!is_client && options->server_authorization_check_config() != nullptr) {
+    gpr_log(GPR_INFO,
+            "Server's credentials options should not contain server "
+            "authorization check config.");
+  }
+  return true;
+}
+
+}  // namespace
+
+SpiffeCredentials::SpiffeCredentials(
+    grpc_core::RefCountedPtr<grpc_tls_credentials_options> options)
+    : grpc_channel_credentials(GRPC_CREDENTIALS_TYPE_SPIFFE),
+      options_(std::move(options)) {}
+
+SpiffeCredentials::~SpiffeCredentials() {}
+
+grpc_core::RefCountedPtr<grpc_channel_security_connector>
+SpiffeCredentials::create_security_connector(
+    grpc_core::RefCountedPtr<grpc_call_credentials> call_creds,
+    const char* target_name, const grpc_channel_args* args,
+    grpc_channel_args** new_args) {
+  const char* overridden_target_name = nullptr;
+  tsi_ssl_session_cache* ssl_session_cache = nullptr;
+  for (size_t i = 0; args != nullptr && i < args->num_args; i++) {
+    grpc_arg* arg = &args->args[i];
+    if (strcmp(arg->key, GRPC_SSL_TARGET_NAME_OVERRIDE_ARG) == 0 &&
+        arg->type == GRPC_ARG_STRING) {
+      overridden_target_name = arg->value.string;
+    }
+    if (strcmp(arg->key, GRPC_SSL_SESSION_CACHE_ARG) == 0 &&
+        arg->type == GRPC_ARG_POINTER) {
+      ssl_session_cache =
+          static_cast<tsi_ssl_session_cache*>(arg->value.pointer.p);
+    }
+  }
+  grpc_core::RefCountedPtr<grpc_channel_security_connector> sc =
+      SpiffeChannelSecurityConnector::CreateSpiffeChannelSecurityConnector(
+          this->Ref(), std::move(call_creds), target_name,
+          overridden_target_name, ssl_session_cache);
+  if (sc == nullptr) {
+    return nullptr;
+  }
+  grpc_arg new_arg = grpc_channel_arg_string_create(
+      (char*)GRPC_ARG_HTTP2_SCHEME, (char*)"https");
+  *new_args = grpc_channel_args_copy_and_add(args, &new_arg, 1);
+  return sc;
+}
+
+SpiffeServerCredentials::SpiffeServerCredentials(
+    grpc_core::RefCountedPtr<grpc_tls_credentials_options> options)
+    : grpc_server_credentials(GRPC_CREDENTIALS_TYPE_SPIFFE),
+      options_(std::move(options)) {}
+
+SpiffeServerCredentials::~SpiffeServerCredentials() {}
+
+grpc_core::RefCountedPtr<grpc_server_security_connector>
+SpiffeServerCredentials::create_security_connector() {
+  return SpiffeServerSecurityConnector::CreateSpiffeServerSecurityConnector(
+      this->Ref());
+}
+
+grpc_channel_credentials* grpc_tls_spiffe_credentials_create(
+    grpc_tls_credentials_options* options) {
+  if (!CredentialOptionSanityCheck(options, true /* is_client */)) {
+    return nullptr;
+  }
+  return grpc_core::New<SpiffeCredentials>(
+      grpc_core::RefCountedPtr<grpc_tls_credentials_options>(options));
+}
+
+grpc_server_credentials* grpc_tls_spiffe_server_credentials_create(
+    grpc_tls_credentials_options* options) {
+  if (!CredentialOptionSanityCheck(options, false /* is_client */)) {
+    return nullptr;
+  }
+  return grpc_core::New<SpiffeServerCredentials>(
+      grpc_core::RefCountedPtr<grpc_tls_credentials_options>(options));
+}

data/src/core/lib/security/credentials/tls/spiffe_credentials.h

@@ -0,0 +1,62 @@
+/*
+ *
+ * Copyright 2018 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_SPIFFE_CREDENTIALS_H
+#define GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_SPIFFE_CREDENTIALS_H
+
+#include <grpc/support/port_platform.h>
+
+#include <grpc/grpc_security.h>
+
+#include "src/core/lib/security/credentials/credentials.h"
+#include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
+
+class SpiffeCredentials final : public grpc_channel_credentials {
+ public:
+  explicit SpiffeCredentials(
+      grpc_core::RefCountedPtr<grpc_tls_credentials_options> options);
+  ~SpiffeCredentials() override;
+
+  grpc_core::RefCountedPtr<grpc_channel_security_connector>
+  create_security_connector(
+      grpc_core::RefCountedPtr<grpc_call_credentials> call_creds,
+      const char* target_name, const grpc_channel_args* args,
+      grpc_channel_args** new_args) override;
+
+  const grpc_tls_credentials_options& options() const { return *options_; }
+
+ private:
+  grpc_core::RefCountedPtr<grpc_tls_credentials_options> options_;
+};
+
+class SpiffeServerCredentials final : public grpc_server_credentials {
+ public:
+  explicit SpiffeServerCredentials(
+      grpc_core::RefCountedPtr<grpc_tls_credentials_options> options);
+  ~SpiffeServerCredentials() override;
+
+  grpc_core::RefCountedPtr<grpc_server_security_connector>
+  create_security_connector() override;
+
+  const grpc_tls_credentials_options& options() const { return *options_; }
+
+ private:
+  grpc_core::RefCountedPtr<grpc_tls_credentials_options> options_;
+};
+
+#endif /* GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_SPIFFE_CREDENTIALS_H */

data/src/core/lib/security/security_connector/fake/fake_security_connector.cc

@@ -26,6 +26,8 @@
 #include <grpc/support/log.h>
 #include <grpc/support/string_util.h>
 
+#include "src/core/ext/filters/client_channel/lb_policy/grpclb/grpclb.h"
+#include "src/core/ext/filters/client_channel/lb_policy/xds/xds.h"
 #include "src/core/ext/transport/chttp2/alpn/alpn.h"
 #include "src/core/lib/channel/channel_args.h"
 #include "src/core/lib/channel/handshaker.h"
@@ -53,8 +55,11 @@ class grpc_fake_channel_security_connector final
         target_(gpr_strdup(target)),
         expected_targets_(
             gpr_strdup(grpc_fake_transport_get_expected_targets(args))),
-        is_lb_channel_(grpc_core::FindTargetAuthorityTableInArgs(args) !=
-                       nullptr) {
+        is_lb_channel_(
+            grpc_channel_args_find(
+                args, GRPC_ARG_ADDRESS_IS_XDS_LOAD_BALANCER) != nullptr ||
+            grpc_channel_args_find(
+                args, GRPC_ARG_ADDRESS_IS_GRPCLB_LOAD_BALANCER) != nullptr) {
     const grpc_arg* target_name_override_arg =
         grpc_channel_args_find(args, GRPC_SSL_TARGET_NAME_OVERRIDE_ARG);
     if (target_name_override_arg != nullptr) {

data/src/core/lib/security/security_connector/ssl/ssl_security_connector.cc

@@ -104,7 +104,6 @@ class grpc_ssl_channel_security_connector final
         config->pem_key_cert_pair->private_key != nullptr &&
         config->pem_key_cert_pair->cert_chain != nullptr;
     tsi_ssl_client_handshaker_options options;
-    memset(&options, 0, sizeof(options));
     GPR_DEBUG_ASSERT(pem_root_certs != nullptr);
     options.pem_root_certs = pem_root_certs;
     options.root_store = root_store;
@@ -262,15 +261,22 @@ class grpc_ssl_server_security_connector
       size_t num_alpn_protocols = 0;
       const char** alpn_protocol_strings =
           grpc_fill_alpn_protocol_strings(&num_alpn_protocols);
-      const tsi_result result = tsi_create_ssl_server_handshaker_factory_ex(
-          server_credentials->config().pem_key_cert_pairs,
-          server_credentials->config().num_key_cert_pairs,
-          server_credentials->config().pem_root_certs,
+      tsi_ssl_server_handshaker_options options;
+      options.pem_key_cert_pairs =
+          server_credentials->config().pem_key_cert_pairs;
+      options.num_key_cert_pairs =
+          server_credentials->config().num_key_cert_pairs;
+      options.pem_client_root_certs =
+          server_credentials->config().pem_root_certs;
+      options.client_certificate_request =
           grpc_get_tsi_client_certificate_request_type(
-              server_credentials->config().client_certificate_request),
-          grpc_get_ssl_cipher_suites(), alpn_protocol_strings,
-          static_cast<uint16_t>(num_alpn_protocols),
-          &server_handshaker_factory_);
+              server_credentials->config().client_certificate_request);
+      options.cipher_suites = grpc_get_ssl_cipher_suites();
+      options.alpn_protocols = alpn_protocol_strings;
+      options.num_alpn_protocols = static_cast<uint16_t>(num_alpn_protocols);
+      const tsi_result result =
+          tsi_create_ssl_server_handshaker_factory_with_options(
+              &options, &server_handshaker_factory_);
       gpr_free((void*)alpn_protocol_strings);
       if (result != TSI_OK) {
         gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
@@ -360,19 +366,24 @@ class grpc_ssl_server_security_connector
     size_t num_alpn_protocols = 0;
     const char** alpn_protocol_strings =
         grpc_fill_alpn_protocol_strings(&num_alpn_protocols);
-    tsi_ssl_pem_key_cert_pair* cert_pairs = grpc_convert_grpc_to_tsi_cert_pairs(
-        config->pem_key_cert_pairs, config->num_key_cert_pairs);
     tsi_ssl_server_handshaker_factory* new_handshaker_factory = nullptr;
     const grpc_ssl_server_credentials* server_creds =
         static_cast<const grpc_ssl_server_credentials*>(this->server_creds());
     GPR_DEBUG_ASSERT(config->pem_root_certs != nullptr);
-    tsi_result result = tsi_create_ssl_server_handshaker_factory_ex(
-        cert_pairs, config->num_key_cert_pairs, config->pem_root_certs,
+    tsi_ssl_server_handshaker_options options;
+    options.pem_key_cert_pairs = grpc_convert_grpc_to_tsi_cert_pairs(
+        config->pem_key_cert_pairs, config->num_key_cert_pairs);
+    options.num_key_cert_pairs = config->num_key_cert_pairs;
+    options.pem_client_root_certs = config->pem_root_certs;
+    options.client_certificate_request =
         grpc_get_tsi_client_certificate_request_type(
-            server_creds->config().client_certificate_request),
-        grpc_get_ssl_cipher_suites(), alpn_protocol_strings,
-        static_cast<uint16_t>(num_alpn_protocols), &new_handshaker_factory);
-    gpr_free(cert_pairs);
+            server_creds->config().client_certificate_request);
+    options.cipher_suites = grpc_get_ssl_cipher_suites();
+    options.alpn_protocols = alpn_protocol_strings;
+    options.num_alpn_protocols = static_cast<uint16_t>(num_alpn_protocols);
+    tsi_result result = tsi_create_ssl_server_handshaker_factory_with_options(
+        &options, &new_handshaker_factory);
+    gpr_free((void*)options.pem_key_cert_pairs);
     gpr_free((void*)alpn_protocol_strings);
 
     if (result != TSI_OK) {

data/src/core/lib/security/security_connector/ssl_utils.cc

@@ -112,6 +112,55 @@ grpc_get_tsi_client_certificate_request_type(
   }
 }
 
+grpc_error* grpc_ssl_check_alpn(const tsi_peer* peer) {
+#if TSI_OPENSSL_ALPN_SUPPORT
+  /* Check the ALPN if ALPN is supported. */
+  const tsi_peer_property* p =
+      tsi_peer_get_property_by_name(peer, TSI_SSL_ALPN_SELECTED_PROTOCOL);
+  if (p == nullptr) {
+    return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+        "Cannot check peer: missing selected ALPN property.");
+  }
+  if (!grpc_chttp2_is_alpn_version_supported(p->value.data, p->value.length)) {
+    return GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+        "Cannot check peer: invalid ALPN value.");
+  }
+#endif /* TSI_OPENSSL_ALPN_SUPPORT */
+  return GRPC_ERROR_NONE;
+}
+
+grpc_error* grpc_ssl_check_peer_name(const char* peer_name,
+                                     const tsi_peer* peer) {
+  /* Check the peer name if specified. */
+  if (peer_name != nullptr && !grpc_ssl_host_matches_name(peer, peer_name)) {
+    char* msg;
+    gpr_asprintf(&msg, "Peer name %s is not in peer certificate", peer_name);
+    grpc_error* error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
+    gpr_free(msg);
+    return error;
+  }
+  return GRPC_ERROR_NONE;
+}
+
+bool grpc_ssl_check_call_host(const char* host, const char* target_name,
+                              const char* overridden_target_name,
+                              grpc_auth_context* auth_context,
+                              grpc_closure* on_call_host_checked,
+                              grpc_error** error) {
+  grpc_security_status status = GRPC_SECURITY_ERROR;
+  tsi_peer peer = grpc_shallow_peer_from_ssl_auth_context(auth_context);
+  if (grpc_ssl_host_matches_name(&peer, host)) status = GRPC_SECURITY_OK;
+  if (overridden_target_name != nullptr && strcmp(host, target_name) == 0) {
+    status = GRPC_SECURITY_OK;
+  }
+  if (status != GRPC_SECURITY_OK) {
+    *error = GRPC_ERROR_CREATE_FROM_STATIC_STRING(
+        "call host does not match SSL server name");
+  }
+  grpc_shallow_peer_destruct(&peer);
+  return true;
+}
+
 const char** grpc_fill_alpn_protocol_strings(size_t* num_alpn_protocols) {
   GPR_ASSERT(num_alpn_protocols != nullptr);
   *num_alpn_protocols = grpc_chttp2_num_alpn_versions();
@@ -142,6 +191,18 @@ int grpc_ssl_host_matches_name(const tsi_peer* peer, const char* peer_name) {
   return r;
 }
 
+bool grpc_ssl_cmp_target_name(const char* target_name,
+                              const char* other_target_name,
+                              const char* overridden_target_name,
+                              const char* other_overridden_target_name) {
+  int c = strcmp(target_name, other_target_name);
+  if (c != 0) return c;
+  return (overridden_target_name == nullptr ||
+          other_overridden_target_name == nullptr)
+             ? GPR_ICMP(overridden_target_name, other_overridden_target_name)
+             : strcmp(overridden_target_name, other_overridden_target_name);
+}
+
 grpc_core::RefCountedPtr<grpc_auth_context> grpc_ssl_peer_to_auth_context(
     const tsi_peer* peer) {
   size_t i;
@@ -230,6 +291,79 @@ void grpc_shallow_peer_destruct(tsi_peer* peer) {
   if (peer->properties != nullptr) gpr_free(peer->properties);
 }
 
+grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
+    tsi_ssl_pem_key_cert_pair* pem_key_cert_pair, const char* pem_root_certs,
+    tsi_ssl_session_cache* ssl_session_cache,
+    tsi_ssl_client_handshaker_factory** handshaker_factory) {
+  const char* root_certs;
+  const tsi_ssl_root_certs_store* root_store;
+  if (pem_root_certs == nullptr) {
+    // Use default root certificates.
+    root_certs = grpc_core::DefaultSslRootStore::GetPemRootCerts();
+    if (root_certs == nullptr) {
+      gpr_log(GPR_ERROR, "Could not get default pem root certs.");
+      return GRPC_SECURITY_ERROR;
+    }
+    root_store = grpc_core::DefaultSslRootStore::GetRootStore();
+  } else {
+    root_certs = pem_root_certs;
+    root_store = nullptr;
+  }
+  bool has_key_cert_pair = pem_key_cert_pair != nullptr &&
+                           pem_key_cert_pair->private_key != nullptr &&
+                           pem_key_cert_pair->cert_chain != nullptr;
+  tsi_ssl_client_handshaker_options options;
+  GPR_DEBUG_ASSERT(root_certs != nullptr);
+  options.pem_root_certs = root_certs;
+  options.root_store = root_store;
+  options.alpn_protocols =
+      grpc_fill_alpn_protocol_strings(&options.num_alpn_protocols);
+  if (has_key_cert_pair) {
+    options.pem_key_cert_pair = pem_key_cert_pair;
+  }
+  options.cipher_suites = grpc_get_ssl_cipher_suites();
+  options.session_cache = ssl_session_cache;
+  const tsi_result result =
+      tsi_create_ssl_client_handshaker_factory_with_options(&options,
+                                                            handshaker_factory);
+  gpr_free((void*)options.alpn_protocols);
+  if (result != TSI_OK) {
+    gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
+            tsi_result_to_string(result));
+    return GRPC_SECURITY_ERROR;
+  }
+  return GRPC_SECURITY_OK;
+}
+
+grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
+    tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs, size_t num_key_cert_pairs,
+    const char* pem_root_certs,
+    grpc_ssl_client_certificate_request_type client_certificate_request,
+    tsi_ssl_server_handshaker_factory** handshaker_factory) {
+  size_t num_alpn_protocols = 0;
+  const char** alpn_protocol_strings =
+      grpc_fill_alpn_protocol_strings(&num_alpn_protocols);
+  tsi_ssl_server_handshaker_options options;
+  options.pem_key_cert_pairs = pem_key_cert_pairs;
+  options.num_key_cert_pairs = num_key_cert_pairs;
+  options.pem_client_root_certs = pem_root_certs;
+  options.client_certificate_request =
+      grpc_get_tsi_client_certificate_request_type(client_certificate_request);
+  options.cipher_suites = grpc_get_ssl_cipher_suites();
+  options.alpn_protocols = alpn_protocol_strings;
+  options.num_alpn_protocols = static_cast<uint16_t>(num_alpn_protocols);
+  const tsi_result result =
+      tsi_create_ssl_server_handshaker_factory_with_options(&options,
+                                                            handshaker_factory);
+  gpr_free((void*)alpn_protocol_strings);
+  if (result != TSI_OK) {
+    gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.",
+            tsi_result_to_string(result));
+    return GRPC_SECURITY_ERROR;
+  }
+  return GRPC_SECURITY_OK;
+}
+
 /* --- Ssl cache implementation. --- */
 
 grpc_ssl_session_cache* grpc_ssl_session_cache_create_lru(size_t capacity) {