grpc 1.24.0 → 1.25.0

data/src/core/lib/security/security_connector/ssl/ssl_security_connector.cc

@@ -56,7 +56,8 @@ grpc_error* ssl_check_peer(
     gpr_free(msg);
     return error;
   }
-  *auth_context = grpc_ssl_peer_to_auth_context(peer);
+  *auth_context =
+      grpc_ssl_peer_to_auth_context(peer, GRPC_SSL_TRANSPORT_SECURITY_TYPE);
   return GRPC_ERROR_NONE;
 }
 
@@ -116,7 +117,8 @@ class grpc_ssl_channel_security_connector final
     return GRPC_SECURITY_OK;
   }
 
-  void add_handshakers(grpc_pollset_set* interested_parties,
+  void add_handshakers(const grpc_channel_args* args,
+                       grpc_pollset_set* interested_parties,
                        grpc_core::HandshakeManager* handshake_mgr) override {
     // Instantiate TSI handshaker.
     tsi_handshaker* tsi_hs = nullptr;
@@ -131,7 +133,7 @@ class grpc_ssl_channel_security_connector final
       return;
     }
     // Create handshakers.
-    handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(tsi_hs, this));
+    handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(tsi_hs, this, args));
   }
 
   void check_peer(tsi_peer peer, grpc_endpoint* ep,
@@ -278,7 +280,8 @@ class grpc_ssl_server_security_connector
     return GRPC_SECURITY_OK;
   }
 
-  void add_handshakers(grpc_pollset_set* interested_parties,
+  void add_handshakers(const grpc_channel_args* args,
+                       grpc_pollset_set* interested_parties,
                        grpc_core::HandshakeManager* handshake_mgr) override {
     // Instantiate TSI handshaker.
     try_fetch_ssl_server_credentials();
@@ -291,7 +294,7 @@ class grpc_ssl_server_security_connector
       return;
     }
     // Create handshakers.
-    handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(tsi_hs, this));
+    handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(tsi_hs, this, args));
   }
 
   void check_peer(tsi_peer peer, grpc_endpoint* ep,

data/src/core/lib/security/security_connector/ssl_utils.cc

@@ -195,7 +195,7 @@ int grpc_ssl_cmp_target_name(
 }
 
 grpc_core::RefCountedPtr<grpc_auth_context> grpc_ssl_peer_to_auth_context(
-    const tsi_peer* peer) {
+    const tsi_peer* peer, const char* transport_security_type) {
   size_t i;
   const char* peer_identity_property_name = nullptr;
 
@@ -205,7 +205,7 @@ grpc_core::RefCountedPtr<grpc_auth_context> grpc_ssl_peer_to_auth_context(
       grpc_core::MakeRefCounted<grpc_auth_context>(nullptr);
   grpc_auth_context_add_cstring_property(
       ctx.get(), GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
-      GRPC_SSL_TRANSPORT_SECURITY_TYPE);
+      transport_security_type);
   for (i = 0; i < peer->property_count; i++) {
     const tsi_peer_property* prop = &peer->properties[i];
     if (prop->name == nullptr) continue;

data/src/core/lib/security/security_connector/ssl_utils.h

@@ -85,7 +85,7 @@ grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
 
 /* Exposed for testing only. */
 grpc_core::RefCountedPtr<grpc_auth_context> grpc_ssl_peer_to_auth_context(
-    const tsi_peer* peer);
+    const tsi_peer* peer, const char* transport_security_type);
 tsi_peer grpc_shallow_peer_from_ssl_auth_context(
     const grpc_auth_context* auth_context);
 void grpc_shallow_peer_destruct(tsi_peer* peer);

data/src/core/lib/security/security_connector/tls/spiffe_security_connector.cc

@@ -104,6 +104,9 @@ grpc_status_code TlsFetchKeyMaterials(
       }
     }
     gpr_free((void*)arg->error_details);
+    if (arg->destroy_context != nullptr) {
+      arg->destroy_context(arg->context);
+    }
     grpc_core::Delete(arg);
   }
   return status;
@@ -138,7 +141,7 @@ SpiffeChannelSecurityConnector::~SpiffeChannelSecurityConnector() {
 }
 
 void SpiffeChannelSecurityConnector::add_handshakers(
-    grpc_pollset_set* interested_parties,
+    const grpc_channel_args* args, grpc_pollset_set* interested_parties,
     grpc_core::HandshakeManager* handshake_mgr) {
   if (RefreshHandshakerFactory() != GRPC_SECURITY_OK) {
     gpr_log(GPR_ERROR, "Handshaker factory refresh failed.");
@@ -157,7 +160,7 @@ void SpiffeChannelSecurityConnector::add_handshakers(
     return;
   }
   // Create handshakers.
-  handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(tsi_hs, this));
+  handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(tsi_hs, this, args));
 }
 
 void SpiffeChannelSecurityConnector::check_peer(
@@ -173,7 +176,8 @@ void SpiffeChannelSecurityConnector::check_peer(
     tsi_peer_destruct(&peer);
     return;
   }
-  *auth_context = grpc_ssl_peer_to_auth_context(&peer);
+  *auth_context = grpc_ssl_peer_to_auth_context(
+      &peer, GRPC_TLS_SPIFFE_TRANSPORT_SECURITY_TYPE);
   const SpiffeCredentials* creds =
       static_cast<const SpiffeCredentials*>(channel_creds());
   const grpc_tls_server_authorization_check_config* config =
@@ -392,6 +396,9 @@ void SpiffeChannelSecurityConnector::ServerAuthorizationCheckArgDestroy(
   gpr_free((void*)arg->target_name);
   gpr_free((void*)arg->peer_cert);
   gpr_free((void*)arg->error_details);
+  if (arg->destroy_context != nullptr) {
+    arg->destroy_context(arg->context);
+  }
   grpc_core::Delete(arg);
 }
 
@@ -412,7 +419,7 @@ SpiffeServerSecurityConnector::~SpiffeServerSecurityConnector() {
 }
 
 void SpiffeServerSecurityConnector::add_handshakers(
-    grpc_pollset_set* interested_parties,
+    const grpc_channel_args* args, grpc_pollset_set* interested_parties,
     grpc_core::HandshakeManager* handshake_mgr) {
   /* Refresh handshaker factory if needed. */
   if (RefreshHandshakerFactory() != GRPC_SECURITY_OK) {
@@ -428,7 +435,7 @@ void SpiffeServerSecurityConnector::add_handshakers(
             tsi_result_to_string(result));
     return;
   }
-  handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(tsi_hs, this));
+  handshake_mgr->Add(grpc_core::SecurityHandshakerCreate(tsi_hs, this, args));
 }
 
 void SpiffeServerSecurityConnector::check_peer(
@@ -436,7 +443,8 @@ void SpiffeServerSecurityConnector::check_peer(
     grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
     grpc_closure* on_peer_checked) {
   grpc_error* error = grpc_ssl_check_alpn(&peer);
-  *auth_context = grpc_ssl_peer_to_auth_context(&peer);
+  *auth_context = grpc_ssl_peer_to_auth_context(
+      &peer, GRPC_TLS_SPIFFE_TRANSPORT_SECURITY_TYPE);
   tsi_peer_destruct(&peer);
   GRPC_CLOSURE_SCHED(on_peer_checked, error);
 }

data/src/core/lib/security/security_connector/tls/spiffe_security_connector.h

@@ -47,7 +47,8 @@ class SpiffeChannelSecurityConnector final
       const char* target_name, const char* overridden_target_name);
   ~SpiffeChannelSecurityConnector() override;
 
-  void add_handshakers(grpc_pollset_set* interested_parties,
+  void add_handshakers(const grpc_channel_args* args,
+                       grpc_pollset_set* interested_parties,
                        grpc_core::HandshakeManager* handshake_mgr) override;
 
   void check_peer(tsi_peer peer, grpc_endpoint* ep,
@@ -117,7 +118,8 @@ class SpiffeServerSecurityConnector final
       grpc_core::RefCountedPtr<grpc_server_credentials> server_creds);
   ~SpiffeServerSecurityConnector() override;
 
-  void add_handshakers(grpc_pollset_set* interested_parties,
+  void add_handshakers(const grpc_channel_args* args,
+                       grpc_pollset_set* interested_parties,
                        grpc_core::HandshakeManager* handshake_mgr) override;
 
   void check_peer(tsi_peer peer, grpc_endpoint* ep,

data/src/core/lib/security/transport/client_auth_filter.cc

@@ -324,7 +324,7 @@ static void cancel_check_call_host(void* arg, grpc_error* error) {
   }
 }
 
-static void auth_start_transport_stream_op_batch(
+static void client_auth_start_transport_stream_op_batch(
     grpc_call_element* elem, grpc_transport_stream_op_batch* batch) {
   GPR_TIMER_SCOPE("auth_start_transport_stream_op_batch", 0);
 
@@ -369,29 +369,29 @@ static void auth_start_transport_stream_op_batch(
 }
 
 /* Constructor for call_data */
-static grpc_error* init_call_elem(grpc_call_element* elem,
-                                  const grpc_call_element_args* args) {
+static grpc_error* client_auth_init_call_elem(
+    grpc_call_element* elem, const grpc_call_element_args* args) {
   new (elem->call_data) call_data(elem, *args);
   return GRPC_ERROR_NONE;
 }
 
-static void set_pollset_or_pollset_set(grpc_call_element* elem,
-                                       grpc_polling_entity* pollent) {
+static void client_auth_set_pollset_or_pollset_set(
+    grpc_call_element* elem, grpc_polling_entity* pollent) {
   call_data* calld = static_cast<call_data*>(elem->call_data);
   calld->pollent = pollent;
 }
 
 /* Destructor for call_data */
-static void destroy_call_elem(grpc_call_element* elem,
-                              const grpc_call_final_info* final_info,
-                              grpc_closure* ignored) {
+static void client_auth_destroy_call_elem(
+    grpc_call_element* elem, const grpc_call_final_info* final_info,
+    grpc_closure* ignored) {
   call_data* calld = static_cast<call_data*>(elem->call_data);
   calld->destroy();
 }
 
 /* Constructor for channel_data */
-static grpc_error* init_channel_elem(grpc_channel_element* elem,
-                                     grpc_channel_element_args* args) {
+static grpc_error* client_auth_init_channel_elem(
+    grpc_channel_element* elem, grpc_channel_element_args* args) {
   /* The first and the last filters tend to be implemented differently to
      handle the case that there's no 'next' filter to call on the up or down
      path */
@@ -414,20 +414,20 @@ static grpc_error* init_channel_elem(grpc_channel_element* elem,
 }
 
 /* Destructor for channel data */
-static void destroy_channel_elem(grpc_channel_element* elem) {
+static void client_auth_destroy_channel_elem(grpc_channel_element* elem) {
   channel_data* chand = static_cast<channel_data*>(elem->channel_data);
   chand->~channel_data();
 }
 
 const grpc_channel_filter grpc_client_auth_filter = {
-    auth_start_transport_stream_op_batch,
+    client_auth_start_transport_stream_op_batch,
     grpc_channel_next_op,
     sizeof(call_data),
-    init_call_elem,
-    set_pollset_or_pollset_set,
-    destroy_call_elem,
+    client_auth_init_call_elem,
+    client_auth_set_pollset_or_pollset_set,
+    client_auth_destroy_call_elem,
     sizeof(channel_data),
-    init_channel_elem,
-    destroy_channel_elem,
+    client_auth_init_channel_elem,
+    client_auth_destroy_channel_elem,
     grpc_channel_next_get_info,
     "client-auth"};

data/src/core/lib/security/transport/security_handshaker.cc

@@ -22,6 +22,7 @@
 
 #include <stdbool.h>
 #include <string.h>
+#include <limits>
 
 #include <grpc/slice_buffer.h>
 #include <grpc/support/alloc.h>
@@ -46,7 +47,8 @@ namespace {
 class SecurityHandshaker : public Handshaker {
  public:
   SecurityHandshaker(tsi_handshaker* handshaker,
-                     grpc_security_connector* connector);
+                     grpc_security_connector* connector,
+                     const grpc_channel_args* args);
   ~SecurityHandshaker() override;
   void Shutdown(grpc_error* why) override;
   void DoHandshake(grpc_tcp_server_acceptor* acceptor,
@@ -97,15 +99,23 @@ class SecurityHandshaker : public Handshaker {
   grpc_closure on_peer_checked_;
   RefCountedPtr<grpc_auth_context> auth_context_;
   tsi_handshaker_result* handshaker_result_ = nullptr;
+  size_t max_frame_size_ = 0;
 };
 
 SecurityHandshaker::SecurityHandshaker(tsi_handshaker* handshaker,
-                                       grpc_security_connector* connector)
+                                       grpc_security_connector* connector,
+                                       const grpc_channel_args* args)
     : handshaker_(handshaker),
       connector_(connector->Ref(DEBUG_LOCATION, "handshake")),
       handshake_buffer_size_(GRPC_INITIAL_HANDSHAKE_BUFFER_SIZE),
       handshake_buffer_(
           static_cast<uint8_t*>(gpr_malloc(handshake_buffer_size_))) {
+  const grpc_arg* arg =
+      grpc_channel_args_find(args, GRPC_ARG_TSI_MAX_FRAME_SIZE);
+  if (arg != nullptr && arg->type == GRPC_ARG_INTEGER) {
+    max_frame_size_ = grpc_channel_arg_get_integer(
+        arg, {0, 0, std::numeric_limits<int>::max()});
+  }
   gpr_mu_init(&mu_);
   grpc_slice_buffer_init(&outgoing_);
   GRPC_CLOSURE_INIT(&on_handshake_data_sent_to_peer_,
@@ -201,7 +211,8 @@ void SecurityHandshaker::OnPeerCheckedInner(grpc_error* error) {
   // Create zero-copy frame protector, if implemented.
   tsi_zero_copy_grpc_protector* zero_copy_protector = nullptr;
   tsi_result result = tsi_handshaker_result_create_zero_copy_grpc_protector(
-      handshaker_result_, nullptr, &zero_copy_protector);
+      handshaker_result_, max_frame_size_ == 0 ? nullptr : &max_frame_size_,
+      &zero_copy_protector);
   if (result != TSI_OK && result != TSI_UNIMPLEMENTED) {
     error = grpc_set_tsi_error_result(
         GRPC_ERROR_CREATE_FROM_STATIC_STRING(
@@ -213,8 +224,9 @@ void SecurityHandshaker::OnPeerCheckedInner(grpc_error* error) {
   // Create frame protector if zero-copy frame protector is NULL.
   tsi_frame_protector* protector = nullptr;
   if (zero_copy_protector == nullptr) {
-    result = tsi_handshaker_result_create_frame_protector(handshaker_result_,
-                                                          nullptr, &protector);
+    result = tsi_handshaker_result_create_frame_protector(
+        handshaker_result_, max_frame_size_ == 0 ? nullptr : &max_frame_size_,
+        &protector);
     if (result != TSI_OK) {
       error = grpc_set_tsi_error_result(GRPC_ERROR_CREATE_FROM_STATIC_STRING(
                                             "Frame protector creation failed"),
@@ -459,7 +471,8 @@ class ClientSecurityHandshakerFactory : public HandshakerFactory {
         reinterpret_cast<grpc_channel_security_connector*>(
             grpc_security_connector_find_in_args(args));
     if (security_connector) {
-      security_connector->add_handshakers(interested_parties, handshake_mgr);
+      security_connector->add_handshakers(args, interested_parties,
+                                          handshake_mgr);
     }
   }
   ~ClientSecurityHandshakerFactory() override = default;
@@ -474,7 +487,8 @@ class ServerSecurityHandshakerFactory : public HandshakerFactory {
         reinterpret_cast<grpc_server_security_connector*>(
             grpc_security_connector_find_in_args(args));
     if (security_connector) {
-      security_connector->add_handshakers(interested_parties, handshake_mgr);
+      security_connector->add_handshakers(args, interested_parties,
+                                          handshake_mgr);
     }
   }
   ~ServerSecurityHandshakerFactory() override = default;
@@ -487,28 +501,30 @@ class ServerSecurityHandshakerFactory : public HandshakerFactory {
 //
 
 RefCountedPtr<Handshaker> SecurityHandshakerCreate(
-    tsi_handshaker* handshaker, grpc_security_connector* connector) {
+    tsi_handshaker* handshaker, grpc_security_connector* connector,
+    const grpc_channel_args* args) {
   // If no TSI handshaker was created, return a handshaker that always fails.
   // Otherwise, return a real security handshaker.
   if (handshaker == nullptr) {
     return MakeRefCounted<FailHandshaker>();
   } else {
-    return MakeRefCounted<SecurityHandshaker>(handshaker, connector);
+    return MakeRefCounted<SecurityHandshaker>(handshaker, connector, args);
   }
 }
 
 void SecurityRegisterHandshakerFactories() {
   HandshakerRegistry::RegisterHandshakerFactory(
       false /* at_start */, HANDSHAKER_CLIENT,
-      UniquePtr<HandshakerFactory>(New<ClientSecurityHandshakerFactory>()));
+      MakeUnique<ClientSecurityHandshakerFactory>());
   HandshakerRegistry::RegisterHandshakerFactory(
       false /* at_start */, HANDSHAKER_SERVER,
-      UniquePtr<HandshakerFactory>(New<ServerSecurityHandshakerFactory>()));
+      MakeUnique<ServerSecurityHandshakerFactory>());
 }
 
 }  // namespace grpc_core
 
 grpc_handshaker* grpc_security_handshaker_create(
-    tsi_handshaker* handshaker, grpc_security_connector* connector) {
-  return SecurityHandshakerCreate(handshaker, connector).release();
+    tsi_handshaker* handshaker, grpc_security_connector* connector,
+    const grpc_channel_args* args) {
+  return SecurityHandshakerCreate(handshaker, connector, args).release();
 }

data/src/core/lib/security/transport/security_handshaker.h

@@ -28,7 +28,8 @@ namespace grpc_core {
 
 /// Creates a security handshaker using \a handshaker.
 RefCountedPtr<Handshaker> SecurityHandshakerCreate(
-    tsi_handshaker* handshaker, grpc_security_connector* connector);
+    tsi_handshaker* handshaker, grpc_security_connector* connector,
+    const grpc_channel_args* args);
 
 /// Registers security handshaker factories.
 void SecurityRegisterHandshakerFactories();
@@ -38,6 +39,7 @@ void SecurityRegisterHandshakerFactories();
 // TODO(arjunroy): This is transitional to account for the new handshaker API
 // and will eventually be removed entirely.
 grpc_handshaker* grpc_security_handshaker_create(
-    tsi_handshaker* handshaker, grpc_security_connector* connector);
+    tsi_handshaker* handshaker, grpc_security_connector* connector,
+    const grpc_channel_args* args);
 
 #endif /* GRPC_CORE_LIB_SECURITY_TRANSPORT_SECURITY_HANDSHAKER_H */

data/src/core/lib/security/transport/server_auth_filter.cc

@@ -257,7 +257,7 @@ static void recv_trailing_metadata_ready(void* user_data, grpc_error* err) {
   GRPC_CLOSURE_RUN(calld->original_recv_trailing_metadata_ready, err);
 }
 
-static void auth_start_transport_stream_op_batch(
+static void server_auth_start_transport_stream_op_batch(
     grpc_call_element* elem, grpc_transport_stream_op_batch* batch) {
   call_data* calld = static_cast<call_data*>(elem->call_data);
   if (batch->recv_initial_metadata) {
@@ -278,23 +278,23 @@ static void auth_start_transport_stream_op_batch(
 }
 
 /* Constructor for call_data */
-static grpc_error* init_call_elem(grpc_call_element* elem,
-                                  const grpc_call_element_args* args) {
+static grpc_error* server_auth_init_call_elem(
+    grpc_call_element* elem, const grpc_call_element_args* args) {
   new (elem->call_data) call_data(elem, *args);
   return GRPC_ERROR_NONE;
 }
 
 /* Destructor for call_data */
-static void destroy_call_elem(grpc_call_element* elem,
-                              const grpc_call_final_info* final_info,
-                              grpc_closure* ignored) {
+static void server_auth_destroy_call_elem(
+    grpc_call_element* elem, const grpc_call_final_info* final_info,
+    grpc_closure* ignored) {
   call_data* calld = static_cast<call_data*>(elem->call_data);
   calld->~call_data();
 }
 
 /* Constructor for channel_data */
-static grpc_error* init_channel_elem(grpc_channel_element* elem,
-                                     grpc_channel_element_args* args) {
+static grpc_error* server_auth_init_channel_elem(
+    grpc_channel_element* elem, grpc_channel_element_args* args) {
   GPR_ASSERT(!args->is_last);
   grpc_auth_context* auth_context =
       grpc_find_auth_context_in_args(args->channel_args);
@@ -306,20 +306,20 @@ static grpc_error* init_channel_elem(grpc_channel_element* elem,
 }
 
 /* Destructor for channel data */
-static void destroy_channel_elem(grpc_channel_element* elem) {
+static void server_auth_destroy_channel_elem(grpc_channel_element* elem) {
   channel_data* chand = static_cast<channel_data*>(elem->channel_data);
   chand->~channel_data();
 }
 
 const grpc_channel_filter grpc_server_auth_filter = {
-    auth_start_transport_stream_op_batch,
+    server_auth_start_transport_stream_op_batch,
     grpc_channel_next_op,
     sizeof(call_data),
-    init_call_elem,
+    server_auth_init_call_elem,
     grpc_call_stack_ignore_set_pollset_or_pollset_set,
-    destroy_call_elem,
+    server_auth_destroy_call_elem,
     sizeof(channel_data),
-    init_channel_elem,
-    destroy_channel_elem,
+    server_auth_init_channel_elem,
+    server_auth_destroy_channel_elem,
     grpc_channel_next_get_info,
     "server-auth"};

data/src/core/lib/slice/slice.cc

@@ -82,14 +82,11 @@ class NewSliceRefcount {
               &base_),
         user_destroy_(destroy),
         user_data_(user_data) {}
-
-  GRPC_ALLOW_CLASS_TO_USE_NON_PUBLIC_DELETE
+  ~NewSliceRefcount() { user_destroy_(user_data_); }
 
   grpc_slice_refcount* base_refcount() { return &base_; }
 
  private:
-  ~NewSliceRefcount() { user_destroy_(user_data_); }
-
   grpc_slice_refcount base_;
   RefCount refs_;
   void (*user_destroy_)(void*);
@@ -147,14 +144,11 @@ class NewWithLenSliceRefcount {
         user_data_(user_data),
         user_length_(user_length),
         user_destroy_(destroy) {}
-
-  GRPC_ALLOW_CLASS_TO_USE_NON_PUBLIC_DELETE
+  ~NewWithLenSliceRefcount() { user_destroy_(user_data_, user_length_); }
 
   grpc_slice_refcount* base_refcount() { return &base_; }
 
  private:
-  ~NewWithLenSliceRefcount() { user_destroy_(user_data_, user_length_); }
-
   grpc_slice_refcount base_;
   RefCount refs_;
   void* user_data_;
@@ -170,8 +164,6 @@ class MovedStringSliceRefCount {
               &base_),
         str_(std::move(str)) {}
 
-  GRPC_ALLOW_CLASS_TO_USE_NON_PUBLIC_DELETE
-
   grpc_slice_refcount* base_refcount() { return &base_; }
 
  private: