grpc 1.28.0.pre2 → 1.31.0.pre1

data/src/core/lib/security/security_connector/ssl/ssl_security_connector.h

@@ -29,11 +29,13 @@
 #include "src/core/tsi/ssl_transport_security.h"
 #include "src/core/tsi/transport_security_interface.h"
 
-typedef struct {
+struct grpc_ssl_config {
   tsi_ssl_pem_key_cert_pair* pem_key_cert_pair;
   char* pem_root_certs;
   verify_peer_options verify_options;
-} grpc_ssl_config;
+  grpc_tls_version min_tls_version = grpc_tls_version::TLS1_2;
+  grpc_tls_version max_tls_version = grpc_tls_version::TLS1_3;
+};
 
 /* Creates an SSL channel_security_connector.
    - request_metadata_creds is the credentials object which metadata
@@ -57,14 +59,15 @@ grpc_ssl_channel_security_connector_create(
     tsi_ssl_session_cache* ssl_session_cache);
 
 /* Config for ssl servers. */
-typedef struct {
+struct grpc_ssl_server_config {
   tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs = nullptr;
   size_t num_key_cert_pairs = 0;
   char* pem_root_certs = nullptr;
   grpc_ssl_client_certificate_request_type client_certificate_request =
       GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE;
-} grpc_ssl_server_config;
-
+  grpc_tls_version min_tls_version = grpc_tls_version::TLS1_2;
+  grpc_tls_version max_tls_version = grpc_tls_version::TLS1_3;
+};
 /* Creates an SSL server_security_connector.
    - config is the SSL config to be used for the SSL channel establishment.
    - sc is a pointer on the connector to be created.

data/src/core/lib/security/security_connector/ssl_utils.cc

@@ -20,10 +20,13 @@
 
 #include "src/core/lib/security/security_connector/ssl_utils.h"
 
+#include <vector>
+
+#include "absl/strings/str_cat.h"
+
 #include <grpc/slice_buffer.h>
 #include <grpc/support/alloc.h>
 #include <grpc/support/log.h>
-#include <grpc/support/string_util.h>
 
 #include "src/core/ext/transport/chttp2/alpn/alpn.h"
 #include "src/core/lib/channel/channel_args.h"
@@ -65,6 +68,9 @@ static const char* cipher_suites = nullptr;
 // All cipher suites for default are compliant with HTTP2.
 GPR_GLOBAL_CONFIG_DEFINE_STRING(
     grpc_ssl_cipher_suites,
+    "TLS_AES_128_GCM_SHA256:"
+    "TLS_AES_256_GCM_SHA384:"
+    "TLS_CHACHA20_POLY1305_SHA256:"
     "ECDHE-ECDSA-AES128-GCM-SHA256:"
     "ECDHE-ECDSA-AES256-GCM-SHA384:"
     "ECDHE-RSA-AES128-GCM-SHA256:"
@@ -132,6 +138,18 @@ grpc_get_tsi_client_certificate_request_type(
   }
 }
 
+tsi_tls_version grpc_get_tsi_tls_version(grpc_tls_version tls_version) {
+  switch (tls_version) {
+    case grpc_tls_version::TLS1_2:
+      return tsi_tls_version::TSI_TLS1_2;
+    case grpc_tls_version::TLS1_3:
+      return tsi_tls_version::TSI_TLS1_3;
+    default:
+      gpr_log(GPR_INFO, "Falling back to TLS 1.2.");
+      return tsi_tls_version::TSI_TLS1_2;
+  }
+}
+
 grpc_error* grpc_ssl_check_alpn(const tsi_peer* peer) {
 #if TSI_OPENSSL_ALPN_SUPPORT
   /* Check the ALPN if ALPN is supported. */
@@ -149,23 +167,20 @@ grpc_error* grpc_ssl_check_alpn(const tsi_peer* peer) {
   return GRPC_ERROR_NONE;
 }
 
-grpc_error* grpc_ssl_check_peer_name(grpc_core::StringView peer_name,
+grpc_error* grpc_ssl_check_peer_name(absl::string_view peer_name,
                                      const tsi_peer* peer) {
   /* Check the peer name if specified. */
   if (!peer_name.empty() && !grpc_ssl_host_matches_name(peer, peer_name)) {
-    char* msg;
-    gpr_asprintf(&msg, "Peer name %s is not in peer certificate",
-                 peer_name.data());
-    grpc_error* error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
-    gpr_free(msg);
-    return error;
+    return GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+        absl::StrCat("Peer name ", peer_name, " is not in peer certificate")
+            .c_str());
   }
   return GRPC_ERROR_NONE;
 }
 
-bool grpc_ssl_check_call_host(grpc_core::StringView host,
-                              grpc_core::StringView target_name,
-                              grpc_core::StringView overridden_target_name,
+bool grpc_ssl_check_call_host(absl::string_view host,
+                              absl::string_view target_name,
+                              absl::string_view overridden_target_name,
                               grpc_auth_context* auth_context,
                               grpc_error** error) {
   grpc_security_status status = GRPC_SECURITY_ERROR;
@@ -197,29 +212,50 @@ const char** grpc_fill_alpn_protocol_strings(size_t* num_alpn_protocols) {
 }
 
 int grpc_ssl_host_matches_name(const tsi_peer* peer,
-                               grpc_core::StringView peer_name) {
-  grpc_core::StringView allocated_name;
-  grpc_core::StringView ignored_port;
+                               absl::string_view peer_name) {
+  absl::string_view allocated_name;
+  absl::string_view ignored_port;
   grpc_core::SplitHostPort(peer_name, &allocated_name, &ignored_port);
   if (allocated_name.empty()) return 0;
 
   // IPv6 zone-id should not be included in comparisons.
   const size_t zone_id = allocated_name.find('%');
-  if (zone_id != grpc_core::StringView::npos) {
+  if (zone_id != absl::string_view::npos) {
     allocated_name.remove_suffix(allocated_name.size() - zone_id);
   }
   return tsi_ssl_peer_matches_name(peer, allocated_name);
 }
 
-int grpc_ssl_cmp_target_name(
-    grpc_core::StringView target_name, grpc_core::StringView other_target_name,
-    grpc_core::StringView overridden_target_name,
-    grpc_core::StringView other_overridden_target_name) {
+int grpc_ssl_cmp_target_name(absl::string_view target_name,
+                             absl::string_view other_target_name,
+                             absl::string_view overridden_target_name,
+                             absl::string_view other_overridden_target_name) {
   int c = target_name.compare(other_target_name);
   if (c != 0) return c;
   return overridden_target_name.compare(other_overridden_target_name);
 }
 
+static bool IsSpiffeId(absl::string_view uri) {
+  // Return false without logging for a non-spiffe uri scheme.
+  if (!absl::StartsWith(uri, "spiffe://")) {
+    return false;
+  };
+  if (uri.size() > 2048) {
+    gpr_log(GPR_INFO, "Invalid SPIFFE ID: ID longer than 2048 bytes.");
+    return false;
+  }
+  std::vector<absl::string_view> splits = absl::StrSplit(uri, '/');
+  if (splits.size() < 4 || splits[3] == "") {
+    gpr_log(GPR_INFO, "Invalid SPIFFE ID: workload id is empty.");
+    return false;
+  }
+  if (splits[2].size() > 255) {
+    gpr_log(GPR_INFO, "Invalid SPIFFE ID: domain longer than 255 characters.");
+    return false;
+  }
+  return true;
+}
+
 grpc_core::RefCountedPtr<grpc_auth_context> grpc_ssl_peer_to_auth_context(
     const tsi_peer* peer, const char* transport_security_type) {
   size_t i;
@@ -232,6 +268,10 @@ grpc_core::RefCountedPtr grpc_ssl_peer_to_auth_context(
   grpc_auth_context_add_cstring_property(
       ctx.get(), GRPC_TRANSPORT_SECURITY_TYPE_PROPERTY_NAME,
       transport_security_type);
+  const char* spiffe_data = nullptr;
+  size_t spiffe_length = 0;
+  int uri_count = 0;
+  bool has_spiffe_id = false;
   for (i = 0; i < peer->property_count; i++) {
     const tsi_peer_property* prop = &peer->properties[i];
     if (prop->name == nullptr) continue;
@@ -263,12 +303,32 @@ grpc_core::RefCountedPtr grpc_ssl_peer_to_auth_context(
       grpc_auth_context_add_property(
           ctx.get(), GRPC_TRANSPORT_SECURITY_LEVEL_PROPERTY_NAME,
           prop->value.data, prop->value.length);
+    } else if (strcmp(prop->name, TSI_X509_URI_PEER_PROPERTY) == 0) {
+      uri_count++;
+      absl::string_view spiffe_id(prop->value.data, prop->value.length);
+      if (IsSpiffeId(spiffe_id)) {
+        spiffe_data = prop->value.data;
+        spiffe_length = prop->value.length;
+        has_spiffe_id = true;
+      }
     }
   }
   if (peer_identity_property_name != nullptr) {
     GPR_ASSERT(grpc_auth_context_set_peer_identity_property_name(
                    ctx.get(), peer_identity_property_name) == 1);
   }
+  // A valid SPIFFE certificate can only have exact one URI SAN field.
+  if (has_spiffe_id) {
+    if (uri_count == 1) {
+      GPR_ASSERT(spiffe_length > 0);
+      GPR_ASSERT(spiffe_data != nullptr);
+      grpc_auth_context_add_property(ctx.get(),
+                                     GRPC_PEER_SPIFFE_ID_PROPERTY_NAME,
+                                     spiffe_data, spiffe_length);
+    } else {
+      gpr_log(GPR_INFO, "Invalid SPIFFE ID: multiple URI SANs.");
+    }
+  }
   return ctx;
 }
 
@@ -314,6 +374,9 @@ tsi_peer grpc_shallow_peer_from_ssl_auth_context(
                  0) {
         add_shallow_auth_property_to_peer(&peer, prop,
                                           TSI_X509_PEM_CERT_CHAIN_PROPERTY);
+      } else if (strcmp(prop->name, GRPC_PEER_SPIFFE_ID_PROPERTY_NAME) == 0) {
+        add_shallow_auth_property_to_peer(&peer, prop,
+                                          TSI_X509_URI_PEER_PROPERTY);
       }
     }
   }
@@ -326,8 +389,8 @@ void grpc_shallow_peer_destruct(tsi_peer* peer) {
 
 grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
     tsi_ssl_pem_key_cert_pair* pem_key_cert_pair, const char* pem_root_certs,
-    bool skip_server_certificate_verification,
-    tsi_ssl_session_cache* ssl_session_cache,
+    bool skip_server_certificate_verification, tsi_tls_version min_tls_version,
+    tsi_tls_version max_tls_version, tsi_ssl_session_cache* ssl_session_cache,
     tsi_ssl_client_handshaker_factory** handshaker_factory) {
   const char* root_certs;
   const tsi_ssl_root_certs_store* root_store;
@@ -359,6 +422,8 @@ grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
   options.session_cache = ssl_session_cache;
   options.skip_server_certificate_verification =
       skip_server_certificate_verification;
+  options.min_tls_version = min_tls_version;
+  options.max_tls_version = max_tls_version;
   const tsi_result result =
       tsi_create_ssl_client_handshaker_factory_with_options(&options,
                                                             handshaker_factory);
@@ -375,6 +440,7 @@ grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
     tsi_ssl_pem_key_cert_pair* pem_key_cert_pairs, size_t num_key_cert_pairs,
     const char* pem_root_certs,
     grpc_ssl_client_certificate_request_type client_certificate_request,
+    tsi_tls_version min_tls_version, tsi_tls_version max_tls_version,
     tsi_ssl_server_handshaker_factory** handshaker_factory) {
   size_t num_alpn_protocols = 0;
   const char** alpn_protocol_strings =
@@ -388,6 +454,8 @@ grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
   options.cipher_suites = grpc_get_ssl_cipher_suites();
   options.alpn_protocols = alpn_protocol_strings;
   options.num_alpn_protocols = static_cast<uint16_t>(num_alpn_protocols);
+  options.min_tls_version = min_tls_version;
+  options.max_tls_version = max_tls_version;
   const tsi_result result =
       tsi_create_ssl_server_handshaker_factory_with_options(&options,
                                                             handshaker_factory);

data/src/core/lib/security/security_connector/ssl_utils.h

@@ -23,12 +23,14 @@
 
 #include <stdbool.h>
 
+#include "absl/strings/str_split.h"
+#include "absl/strings/string_view.h"
+
 #include <grpc/grpc_security.h>
 #include <grpc/slice_buffer.h>
 
 #include "src/core/lib/gprpp/global_config.h"
 #include "src/core/lib/gprpp/ref_counted_ptr.h"
-#include "src/core/lib/gprpp/string_view.h"
 #include "src/core/lib/iomgr/error.h"
 #include "src/core/lib/security/security_connector/security_connector.h"
 #include "src/core/lib/security/security_connector/ssl_utils_config.h"
@@ -45,17 +47,17 @@
 grpc_error* grpc_ssl_check_alpn(const tsi_peer* peer);
 
 /* Check peer name information returned from SSL handshakes. */
-grpc_error* grpc_ssl_check_peer_name(grpc_core::StringView peer_name,
+grpc_error* grpc_ssl_check_peer_name(absl::string_view peer_name,
                                      const tsi_peer* peer);
 /* Compare targer_name information extracted from SSL security connectors. */
-int grpc_ssl_cmp_target_name(
-    grpc_core::StringView target_name, grpc_core::StringView other_target_name,
-    grpc_core::StringView overridden_target_name,
-    grpc_core::StringView other_overridden_target_name);
+int grpc_ssl_cmp_target_name(absl::string_view target_name,
+                             absl::string_view other_target_name,
+                             absl::string_view overridden_target_name,
+                             absl::string_view other_overridden_target_name);
 /* Check the host that will be set for a call is acceptable.*/
-bool grpc_ssl_check_call_host(grpc_core::StringView host,
-                              grpc_core::StringView target_name,
-                              grpc_core::StringView overridden_target_name,
+bool grpc_ssl_check_call_host(absl::string_view host,
+                              absl::string_view target_name,
+                              absl::string_view overridden_target_name,
                               grpc_auth_context* auth_context,
                               grpc_error** error);
 /* Return HTTP2-compliant cipher suites that gRPC accepts by default. */
@@ -71,6 +73,9 @@ grpc_get_tsi_client_certificate_request_type(
 grpc_security_level grpc_tsi_security_level_string_to_enum(
     const char* security_level);
 
+/* Map grpc_tls_version to tsi_tls_version. */
+tsi_tls_version grpc_get_tsi_tls_version(grpc_tls_version tls_version);
+
 /* Map grpc_security_level enum to a string. */
 const char* grpc_security_level_to_string(grpc_security_level security_level);
 
@@ -84,14 +89,15 @@ const char** grpc_fill_alpn_protocol_strings(size_t* num_alpn_protocols);
 /* Initialize TSI SSL server/client handshaker factory. */
 grpc_security_status grpc_ssl_tsi_client_handshaker_factory_init(
     tsi_ssl_pem_key_cert_pair* key_cert_pair, const char* pem_root_certs,
-    bool skip_server_certificate_verification,
-    tsi_ssl_session_cache* ssl_session_cache,
+    bool skip_server_certificate_verification, tsi_tls_version min_tls_version,
+    tsi_tls_version max_tls_version, tsi_ssl_session_cache* ssl_session_cache,
     tsi_ssl_client_handshaker_factory** handshaker_factory);
 
 grpc_security_status grpc_ssl_tsi_server_handshaker_factory_init(
     tsi_ssl_pem_key_cert_pair* key_cert_pairs, size_t num_key_cert_pairs,
     const char* pem_root_certs,
     grpc_ssl_client_certificate_request_type client_certificate_request,
+    tsi_tls_version min_tls_version, tsi_tls_version max_tls_version,
     tsi_ssl_server_handshaker_factory** handshaker_factory);
 
 /* Exposed for testing only. */
@@ -101,7 +107,7 @@ tsi_peer grpc_shallow_peer_from_ssl_auth_context(
     const grpc_auth_context* auth_context);
 void grpc_shallow_peer_destruct(tsi_peer* peer);
 int grpc_ssl_host_matches_name(const tsi_peer* peer,
-                               grpc_core::StringView peer_name);
+                               absl::string_view peer_name);
 
 /* --- Default SSL Root Store. --- */
 namespace grpc_core {

data/src/core/lib/security/security_connector/tls/tls_security_connector.cc

@@ -23,6 +23,9 @@
 #include <stdbool.h>
 #include <string.h>
 
+#include "absl/strings/str_cat.h"
+#include "absl/strings/string_view.h"
+
 #include <grpc/grpc.h>
 #include <grpc/support/alloc.h>
 #include <grpc/support/log.h>
@@ -62,64 +65,75 @@ tsi_ssl_pem_key_cert_pair* ConvertToTsiPemKeyCertPair(
 
 }  // namespace
 
-/** -- Util function to fetch TLS server/channel credentials. -- */
 grpc_status_code TlsFetchKeyMaterials(
     const grpc_core::RefCountedPtr<grpc_tls_key_materials_config>&
         key_materials_config,
-    const grpc_tls_credentials_options& options, bool server_config,
-    grpc_ssl_certificate_config_reload_status* reload_status) {
+    const grpc_tls_credentials_options& options, bool is_server,
+    grpc_ssl_certificate_config_reload_status* status) {
   GPR_ASSERT(key_materials_config != nullptr);
+  GPR_ASSERT(status != nullptr);
   bool is_key_materials_empty =
       key_materials_config->pem_key_cert_pair_list().empty();
-  if (options.credential_reload_config() == nullptr && is_key_materials_empty &&
-      server_config) {
+  grpc_tls_credential_reload_config* credential_reload_config =
+      options.credential_reload_config();
+  /** If there are no key materials and no credential reload config and the
+   *  caller is a server, then return an error. We do not require that a client
+   *  always provision certificates. **/
+  if (credential_reload_config == nullptr && is_key_materials_empty &&
+      is_server) {
     gpr_log(GPR_ERROR,
             "Either credential reload config or key materials should be "
             "provisioned.");
     return GRPC_STATUS_FAILED_PRECONDITION;
   }
-  grpc_status_code status = GRPC_STATUS_OK;
-  /* Use credential reload config to fetch credentials. */
-  if (options.credential_reload_config() != nullptr) {
+  grpc_status_code reload_status = GRPC_STATUS_OK;
+  /** Use |credential_reload_config| to update |key_materials_config|. **/
+  if (credential_reload_config != nullptr) {
     grpc_tls_credential_reload_arg* arg = new grpc_tls_credential_reload_arg();
     arg->key_materials_config = key_materials_config.get();
-    int result = options.credential_reload_config()->Schedule(arg);
+    arg->error_details = new grpc_tls_error_details();
+    int result = credential_reload_config->Schedule(arg);
     if (result) {
-      /* Do not support async credential reload. */
+      /** Credential reloading is performed async. This is not yet supported.
+       * **/
       gpr_log(GPR_ERROR, "Async credential reload is unsupported now.");
-      status =
+      *status = GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
+      reload_status =
           is_key_materials_empty ? GRPC_STATUS_UNIMPLEMENTED : GRPC_STATUS_OK;
     } else {
-      GPR_ASSERT(reload_status != nullptr);
-      *reload_status = arg->status;
+      /** Credential reloading is performed sync. **/
+      *status = arg->status;
       if (arg->status == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED) {
         /* Key materials is not empty. */
         gpr_log(GPR_DEBUG, "Credential does not change after reload.");
       } else if (arg->status == GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL) {
         gpr_log(GPR_ERROR, "Credential reload failed with an error:");
         if (arg->error_details != nullptr) {
-          gpr_log(GPR_ERROR, "%s", arg->error_details);
+          gpr_log(GPR_ERROR, "%s", arg->error_details->error_details().c_str());
         }
-        status = is_key_materials_empty ? GRPC_STATUS_INTERNAL : GRPC_STATUS_OK;
+        reload_status =
+            is_key_materials_empty ? GRPC_STATUS_INTERNAL : GRPC_STATUS_OK;
       }
     }
-    gpr_free((void*)arg->error_details);
+    delete arg->error_details;
+    /** If the credential reload config was constructed via a wrapped language,
+     *  then |arg->context| and |arg->destroy_context| will not be nullptr. In
+     *  this case, we must destroy |arg->context|, which stores the wrapped
+     *  language-version of the credential reload arg. **/
     if (arg->destroy_context != nullptr) {
       arg->destroy_context(arg->context);
     }
     delete arg;
   }
-  return status;
+  return reload_status;
 }
 
 grpc_error* TlsCheckHostName(const char* peer_name, const tsi_peer* peer) {
   /* Check the peer name if specified. */
   if (peer_name != nullptr && !grpc_ssl_host_matches_name(peer, peer_name)) {
-    char* msg;
-    gpr_asprintf(&msg, "Peer name %s is not in peer certificate", peer_name);
-    grpc_error* error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
-    gpr_free(msg);
-    return error;
+    return GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+        absl::StrCat("Peer name ", peer_name, " is not in peer certificate")
+            .c_str());
   }
   return GRPC_ERROR_NONE;
 }
@@ -131,15 +145,14 @@ TlsChannelSecurityConnector::TlsChannelSecurityConnector(
     : grpc_channel_security_connector(GRPC_SSL_URL_SCHEME,
                                       std::move(channel_creds),
                                       std::move(request_metadata_creds)),
-      overridden_target_name_(overridden_target_name == nullptr
-                                  ? nullptr
-                                  : gpr_strdup(overridden_target_name)) {
+      overridden_target_name_(
+          overridden_target_name == nullptr ? "" : overridden_target_name) {
   key_materials_config_ = grpc_tls_key_materials_config_create()->Ref();
   check_arg_ = ServerAuthorizationCheckArgCreate(this);
-  grpc_core::StringView host;
-  grpc_core::StringView port;
+  absl::string_view host;
+  absl::string_view port;
   grpc_core::SplitHostPort(target_name, &host, &port);
-  target_name_ = grpc_core::StringViewToCString(host);
+  target_name_ = std::string(host);
 }
 
 TlsChannelSecurityConnector::~TlsChannelSecurityConnector() {
@@ -163,8 +176,8 @@ void TlsChannelSecurityConnector::add_handshakers(
   tsi_handshaker* tsi_hs = nullptr;
   tsi_result result = tsi_ssl_client_handshaker_factory_create_handshaker(
       client_handshaker_factory_,
-      overridden_target_name_ != nullptr ? overridden_target_name_.get()
-                                         : target_name_.get(),
+      overridden_target_name_.empty() ? target_name_.c_str()
+                                      : overridden_target_name_.c_str(),
       &tsi_hs);
   if (result != TSI_OK) {
     gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
@@ -179,9 +192,9 @@ void TlsChannelSecurityConnector::check_peer(
     tsi_peer peer, grpc_endpoint* /*ep*/,
     grpc_core::RefCountedPtr<grpc_auth_context>* auth_context,
     grpc_closure* on_peer_checked) {
-  const char* target_name = overridden_target_name_ != nullptr
-                                ? overridden_target_name_.get()
-                                : target_name_.get();
+  const char* target_name = overridden_target_name_.empty()
+                                ? target_name_.c_str()
+                                : overridden_target_name_.c_str();
   grpc_error* error = grpc_ssl_check_alpn(&peer);
   if (error != GRPC_ERROR_NONE) {
     grpc_core::ExecCtx::Run(DEBUG_LOCATION, on_peer_checked, error);
@@ -258,16 +271,16 @@ int TlsChannelSecurityConnector::cmp(
   if (c != 0) {
     return c;
   }
-  return grpc_ssl_cmp_target_name(target_name_.get(), other->target_name_.get(),
-                                  overridden_target_name_.get(),
-                                  other->overridden_target_name_.get());
+  return grpc_ssl_cmp_target_name(
+      target_name_.c_str(), other->target_name_.c_str(),
+      overridden_target_name_.c_str(), other->overridden_target_name_.c_str());
 }
 
 bool TlsChannelSecurityConnector::check_call_host(
-    grpc_core::StringView host, grpc_auth_context* auth_context,
-    grpc_closure* on_call_host_checked, grpc_error** error) {
-  return grpc_ssl_check_call_host(host, target_name_.get(),
-                                  overridden_target_name_.get(), auth_context,
+    absl::string_view host, grpc_auth_context* auth_context,
+    grpc_closure* /*on_call_host_checked*/, grpc_error** error) {
+  return grpc_ssl_check_call_host(host, target_name_.c_str(),
+                                  overridden_target_name_.c_str(), auth_context,
                                   error);
 }
 
@@ -320,8 +333,10 @@ grpc_security_status TlsChannelSecurityConnector::ReplaceHandshakerFactory(
       key_materials_config_->pem_key_cert_pair_list());
   grpc_security_status status = grpc_ssl_tsi_client_handshaker_factory_init(
       pem_key_cert_pair, key_materials_config_->pem_root_certs(),
-      skip_server_certificate_verification, ssl_session_cache,
-      &client_handshaker_factory_);
+      skip_server_certificate_verification,
+      grpc_get_tsi_tls_version(creds->options().min_tls_version()),
+      grpc_get_tsi_tls_version(creds->options().max_tls_version()),
+      ssl_session_cache, &client_handshaker_factory_);
   /* Free memory. */
   grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pair, 1);
   return status;
@@ -334,17 +349,18 @@ grpc_security_status TlsChannelSecurityConnector::InitializeHandshakerFactory(
       static_cast<const TlsCredentials*>(channel_creds());
   grpc_tls_key_materials_config* key_materials_config =
       creds->options().key_materials_config();
-  /* Copy key materials config from credential options. */
+  // key_materials_config_->set_key_materials will handle the copying of the key
+  // materials users provided
   if (key_materials_config != nullptr) {
-    grpc_tls_key_materials_config::PemKeyCertPairList cert_pair_list =
-        key_materials_config->pem_key_cert_pair_list();
-    auto pem_root_certs = grpc_core::UniquePtr<char>(
-        gpr_strdup(key_materials_config->pem_root_certs()));
-    key_materials_config_->set_key_materials(std::move(pem_root_certs),
-                                             std::move(cert_pair_list));
+    key_materials_config_->set_key_materials(
+        key_materials_config->pem_root_certs(),
+        key_materials_config->pem_key_cert_pair_list());
   }
   grpc_ssl_certificate_config_reload_status reload_status =
       GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
+  /** If |creds->options()| has a credential reload config, then the call to
+   *  |TlsFetchKeyMaterials| will use it to update the root cert and
+   *  pem-key-cert-pair list stored in |key_materials_config_|. **/
   if (TlsFetchKeyMaterials(key_materials_config_, creds->options(), false,
                            &reload_status) != GRPC_STATUS_OK) {
     /* Raise an error if key materials are not populated. */
@@ -359,6 +375,9 @@ grpc_security_status TlsChannelSecurityConnector::RefreshHandshakerFactory() {
       static_cast<const TlsCredentials*>(channel_creds());
   grpc_ssl_certificate_config_reload_status reload_status =
       GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
+  /** If |creds->options()| has a credential reload config, then the call to
+   *  |TlsFetchKeyMaterials| will use it to update the root cert and
+   *  pem-key-cert-pair list stored in |key_materials_config_|. **/
   if (TlsFetchKeyMaterials(key_materials_config_, creds->options(), false,
                            &reload_status) != GRPC_STATUS_OK) {
     return GRPC_SECURITY_ERROR;
@@ -384,31 +403,30 @@ void TlsChannelSecurityConnector::ServerAuthorizationCheckDone(
 grpc_error* TlsChannelSecurityConnector::ProcessServerAuthorizationCheckResult(
     grpc_tls_server_authorization_check_arg* arg) {
   grpc_error* error = GRPC_ERROR_NONE;
-  char* msg = nullptr;
   /* Server authorization check is cancelled by caller. */
   if (arg->status == GRPC_STATUS_CANCELLED) {
-    gpr_asprintf(&msg,
-                 "Server authorization check is cancelled by the caller with "
-                 "error: %s",
-                 arg->error_details);
-    error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
+    error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+        absl::StrCat("Server authorization check is cancelled by the caller "
+                     "with error: ",
+                     arg->error_details->error_details())
+            .c_str());
   } else if (arg->status == GRPC_STATUS_OK) {
     /* Server authorization check completed successfully but returned check
      * failure. */
     if (!arg->success) {
-      gpr_asprintf(&msg, "Server authorization check failed with error: %s",
-                   arg->error_details);
-      error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
+      error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+          absl::StrCat("Server authorization check failed with error: ",
+                       arg->error_details->error_details())
+              .c_str());
     }
     /* Server authorization check did not complete correctly. */
   } else {
-    gpr_asprintf(
-        &msg,
-        "Server authorization check did not finish correctly with error: %s",
-        arg->error_details);
-    error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
+    error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+        absl::StrCat(
+            "Server authorization check did not finish correctly with error: ",
+            arg->error_details->error_details())
+            .c_str());
   }
-  gpr_free(msg);
   return error;
 }
 
@@ -417,6 +435,7 @@ TlsChannelSecurityConnector::ServerAuthorizationCheckArgCreate(
     void* user_data) {
   grpc_tls_server_authorization_check_arg* arg =
       new grpc_tls_server_authorization_check_arg();
+  arg->error_details = new grpc_tls_error_details();
   arg->cb = ServerAuthorizationCheckDone;
   arg->cb_user_data = user_data;
   arg->status = GRPC_STATUS_OK;
@@ -431,7 +450,7 @@ void TlsChannelSecurityConnector::ServerAuthorizationCheckArgDestroy(
   gpr_free((void*)arg->target_name);
   gpr_free((void*)arg->peer_cert);
   if (arg->peer_cert_full_chain) gpr_free((void*)arg->peer_cert_full_chain);
-  gpr_free((void*)arg->error_details);
+  delete arg->error_details;
   if (arg->destroy_context != nullptr) {
     arg->destroy_context(arg->context);
   }
@@ -525,7 +544,10 @@ grpc_security_status TlsServerSecurityConnector::ReplaceHandshakerFactory() {
   grpc_security_status status = grpc_ssl_tsi_server_handshaker_factory_init(
       pem_key_cert_pairs, num_key_cert_pairs,
       key_materials_config_->pem_root_certs(),
-      creds->options().cert_request_type(), &server_handshaker_factory_);
+      creds->options().cert_request_type(),
+      grpc_get_tsi_tls_version(creds->options().min_tls_version()),
+      grpc_get_tsi_tls_version(creds->options().max_tls_version()),
+      &server_handshaker_factory_);
   /* Free memory. */
   grpc_tsi_ssl_pem_key_cert_pairs_destroy(pem_key_cert_pairs,
                                           num_key_cert_pairs);
@@ -539,15 +561,17 @@ grpc_security_status TlsServerSecurityConnector::InitializeHandshakerFactory() {
   grpc_tls_key_materials_config* key_materials_config =
       creds->options().key_materials_config();
   if (key_materials_config != nullptr) {
-    grpc_tls_key_materials_config::PemKeyCertPairList cert_pair_list =
-        key_materials_config->pem_key_cert_pair_list();
-    auto pem_root_certs = grpc_core::UniquePtr<char>(
-        gpr_strdup(key_materials_config->pem_root_certs()));
-    key_materials_config_->set_key_materials(std::move(pem_root_certs),
-                                             std::move(cert_pair_list));
+    key_materials_config_->set_key_materials(
+        key_materials_config->pem_root_certs(),
+        key_materials_config->pem_key_cert_pair_list());
   }
   grpc_ssl_certificate_config_reload_status reload_status =
       GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
+  /** If |creds->options()| has a credential reload config, then the call to
+   *  |TlsFetchKeyMaterials| will use it to update the root cert and
+   *  pem-key-cert-pair list stored in |key_materials_config_|. Otherwise, it
+   *  will return |GRPC_STATUS_OK| if |key_materials_config_| already has
+   *  credentials, and an error code if not. **/
   if (TlsFetchKeyMaterials(key_materials_config_, creds->options(), true,
                            &reload_status) != GRPC_STATUS_OK) {
     /* Raise an error if key materials are not populated. */
@@ -562,6 +586,11 @@ grpc_security_status TlsServerSecurityConnector::RefreshHandshakerFactory() {
       static_cast<const TlsServerCredentials*>(server_creds());
   grpc_ssl_certificate_config_reload_status reload_status =
       GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED;
+  /** If |creds->options()| has a credential reload config, then the call to
+   *  |TlsFetchKeyMaterials| will use it to update the root cert and
+   *  pem-key-cert-pair list stored in |key_materials_config_|. Otherwise, it
+   *  will return |GRPC_STATUS_OK| if |key_materials_config_| already has
+   *  credentials, and an error code if not. **/
   if (TlsFetchKeyMaterials(key_materials_config_, creds->options(), true,
                            &reload_status) != GRPC_STATUS_OK) {
     return GRPC_SECURITY_ERROR;