grpc 1.30.0 → 1.31.1

data/src/core/lib/security/credentials/google_default/credentials_generic.cc

@@ -20,22 +20,24 @@
 
 #include "src/core/lib/security/credentials/google_default/google_default_credentials.h"
 
+#include <string>
+
+#include "absl/strings/str_cat.h"
+
 #include <grpc/support/alloc.h>
 #include <grpc/support/log.h>
-#include <grpc/support/string_util.h>
 
 #include "src/core/lib/gpr/env.h"
-#include "src/core/lib/gpr/string.h"
 
-char* grpc_get_well_known_google_credentials_file_path_impl(void) {
-  char* result = nullptr;
+std::string grpc_get_well_known_google_credentials_file_path_impl(void) {
   char* base = gpr_getenv(GRPC_GOOGLE_CREDENTIALS_PATH_ENV_VAR);
   if (base == nullptr) {
     gpr_log(GPR_ERROR, "Could not get " GRPC_GOOGLE_CREDENTIALS_PATH_ENV_VAR
                        " environment variable.");
-    return nullptr;
+    return "";
   }
-  gpr_asprintf(&result, "%s/%s", base, GRPC_GOOGLE_CREDENTIALS_PATH_SUFFIX);
+  std::string result =
+      absl::StrCat(base, "/", GRPC_GOOGLE_CREDENTIALS_PATH_SUFFIX);
   gpr_free(base);
   return result;
 }

data/src/core/lib/security/credentials/google_default/google_default_credentials.cc

@@ -216,18 +216,19 @@ static int is_metadata_server_reachable() {
 
 /* Takes ownership of creds_path if not NULL. */
 static grpc_error* create_default_creds_from_path(
-    char* creds_path, grpc_core::RefCountedPtr<grpc_call_credentials>* creds) {
+    const std::string& creds_path,
+    grpc_core::RefCountedPtr<grpc_call_credentials>* creds) {
   grpc_auth_json_key key;
   grpc_auth_refresh_token token;
   grpc_core::RefCountedPtr<grpc_call_credentials> result;
   grpc_slice creds_data = grpc_empty_slice();
   grpc_error* error = GRPC_ERROR_NONE;
   Json json;
-  if (creds_path == nullptr) {
+  if (creds_path.empty()) {
     error = GRPC_ERROR_CREATE_FROM_STATIC_STRING("creds_path unset");
     goto end;
   }
-  error = grpc_load_file(creds_path, 0, &creds_data);
+  error = grpc_load_file(creds_path.c_str(), 0, &creds_data);
   if (error != GRPC_ERROR_NONE) goto end;
   json = Json::Parse(grpc_core::StringViewFromSlice(creds_data), &error);
   if (error != GRPC_ERROR_NONE) goto end;
@@ -267,7 +268,6 @@ static grpc_error* create_default_creds_from_path(
 
 end:
   GPR_ASSERT((result == nullptr) + (error == GRPC_ERROR_NONE) == 1);
-  if (creds_path != nullptr) gpr_free(creds_path);
   grpc_slice_unref_internal(creds_data);
   *creds = result;
   return error;
@@ -286,10 +286,13 @@ grpc_channel_credentials* grpc_google_default_credentials_create() {
   gpr_once_init(&g_once, init_default_credentials);
 
   /* First, try the environment variable. */
-  err = create_default_creds_from_path(
-      gpr_getenv(GRPC_GOOGLE_CREDENTIALS_ENV_VAR), &call_creds);
-  if (err == GRPC_ERROR_NONE) goto end;
-  error = grpc_error_add_child(error, err);
+  char* path_from_env = gpr_getenv(GRPC_GOOGLE_CREDENTIALS_ENV_VAR);
+  if (path_from_env != nullptr) {
+    err = create_default_creds_from_path(path_from_env, &call_creds);
+    gpr_free(path_from_env);
+    if (err == GRPC_ERROR_NONE) goto end;
+    error = grpc_error_add_child(error, err);
+  }
 
   /* Then the well-known file. */
   err = create_default_creds_from_path(
@@ -372,7 +375,7 @@ void grpc_flush_cached_google_default_credentials(void) {
 
 static grpc_well_known_credentials_path_getter creds_path_getter = nullptr;
 
-char* grpc_get_well_known_google_credentials_file_path(void) {
+std::string grpc_get_well_known_google_credentials_file_path(void) {
   if (creds_path_getter != nullptr) return creds_path_getter();
   return grpc_get_well_known_google_credentials_file_path_impl();
 }

data/src/core/lib/security/credentials/jwt/jwt_credentials.cc

@@ -23,8 +23,13 @@
 #include <inttypes.h>
 #include <string.h>
 
+#include <string>
+
+#include "absl/strings/str_cat.h"
+
 #include "src/core/lib/gprpp/ref_counted.h"
 #include "src/core/lib/gprpp/ref_counted_ptr.h"
+#include "src/core/lib/slice/slice_internal.h"
 #include "src/core/lib/surface/api_trace.h"
 
 #include <grpc/support/alloc.h>
@@ -81,16 +86,14 @@ bool grpc_service_account_jwt_access_credentials::get_request_metadata(
     jwt = grpc_jwt_encode_and_sign(&key_, context.service_url, jwt_lifetime_,
                                    nullptr);
     if (jwt != nullptr) {
-      char* md_value;
-      gpr_asprintf(&md_value, "Bearer %s", jwt);
+      std::string md_value = absl::StrCat("Bearer ", jwt);
       gpr_free(jwt);
       cached_.jwt_expiration =
           gpr_time_add(gpr_now(GPR_CLOCK_REALTIME), jwt_lifetime_);
       cached_.service_url = gpr_strdup(context.service_url);
       cached_.jwt_md = grpc_mdelem_from_slices(
           grpc_slice_from_static_string(GRPC_AUTHORIZATION_METADATA_KEY),
-          grpc_slice_from_copied_string(md_value));
-      gpr_free(md_value);
+          grpc_slice_from_cpp_string(std::move(md_value)));
       jwt_md = GRPC_MDELEM_REF(cached_.jwt_md);
     }
     gpr_mu_unlock(&cache_mu_);

data/src/core/lib/security/credentials/oauth2/oauth2_credentials.cc

@@ -24,6 +24,8 @@
 #include <string.h>
 
 #include "absl/container/inlined_vector.h"
+#include "absl/strings/str_cat.h"
+#include "absl/strings/str_format.h"
 #include "absl/strings/str_join.h"
 
 #include <grpc/grpc_security.h>
@@ -33,7 +35,6 @@
 #include <grpc/support/log.h>
 #include <grpc/support/string_util.h>
 
-#include "absl/strings/str_format.h"
 #include "src/core/lib/gpr/string.h"
 #include "src/core/lib/gprpp/ref_counted_ptr.h"
 #include "src/core/lib/iomgr/error.h"
@@ -136,7 +137,6 @@ grpc_oauth2_token_fetcher_credentials_parse_server_response(
     const grpc_http_response* response, grpc_mdelem* token_md,
     grpc_millis* token_lifetime) {
   char* null_terminated_body = nullptr;
-  char* new_access_token = nullptr;
   grpc_credentials_status status = GRPC_CREDENTIALS_OK;
   Json json;
 
@@ -202,12 +202,12 @@ grpc_oauth2_token_fetcher_credentials_parse_server_response(
       goto end;
     }
     expires_in = it->second.string_value().c_str();
-    gpr_asprintf(&new_access_token, "%s %s", token_type, access_token);
     *token_lifetime = strtol(expires_in, nullptr, 10) * GPR_MS_PER_SEC;
     if (!GRPC_MDISNULL(*token_md)) GRPC_MDELEM_UNREF(*token_md);
     *token_md = grpc_mdelem_from_slices(
         grpc_core::ExternallyManagedSlice(GRPC_AUTHORIZATION_METADATA_KEY),
-        grpc_core::UnmanagedMemorySlice(new_access_token));
+        grpc_slice_from_cpp_string(
+            absl::StrCat(token_type, " ", access_token)));
     status = GRPC_CREDENTIALS_OK;
   }
 
@@ -216,8 +216,7 @@ end:
     GRPC_MDELEM_UNREF(*token_md);
     *token_md = GRPC_MDNULL;
   }
-  if (null_terminated_body != nullptr) gpr_free(null_terminated_body);
-  if (new_access_token != nullptr) gpr_free(new_access_token);
+  gpr_free(null_terminated_body);
   return status;
 }
 
@@ -442,10 +441,9 @@ void grpc_google_refresh_token_credentials::fetch_oauth2(
       const_cast<char*>("Content-Type"),
       const_cast<char*>("application/x-www-form-urlencoded")};
   grpc_httpcli_request request;
-  char* body = nullptr;
-  gpr_asprintf(&body, GRPC_REFRESH_TOKEN_POST_BODY_FORMAT_STRING,
-               refresh_token_.client_id, refresh_token_.client_secret,
-               refresh_token_.refresh_token);
+  std::string body = absl::StrFormat(
+      GRPC_REFRESH_TOKEN_POST_BODY_FORMAT_STRING, refresh_token_.client_id,
+      refresh_token_.client_secret, refresh_token_.refresh_token);
   memset(&request, 0, sizeof(grpc_httpcli_request));
   request.host = (char*)GRPC_GOOGLE_OAUTH2_SERVICE_HOST;
   request.http.path = (char*)GRPC_GOOGLE_OAUTH2_SERVICE_TOKEN_PATH;
@@ -457,13 +455,12 @@ void grpc_google_refresh_token_credentials::fetch_oauth2(
      extreme memory pressure. */
   grpc_resource_quota* resource_quota =
       grpc_resource_quota_create("oauth2_credentials_refresh");
-  grpc_httpcli_post(httpcli_context, pollent, resource_quota, &request, body,
-                    strlen(body), deadline,
+  grpc_httpcli_post(httpcli_context, pollent, resource_quota, &request,
+                    body.c_str(), body.size(), deadline,
                     GRPC_CLOSURE_INIT(&http_post_cb_closure_, response_cb,
                                       metadata_req, grpc_schedule_on_exec_ctx),
                     &metadata_req->response);
   grpc_resource_quota_unref_internal(resource_quota);
-  gpr_free(body);
 }
 
 grpc_google_refresh_token_credentials::grpc_google_refresh_token_credentials(
@@ -487,16 +484,15 @@ std::string grpc_google_refresh_token_credentials::debug_string() {
                          grpc_oauth2_token_fetcher_credentials::debug_string());
 }
 
-static char* create_loggable_refresh_token(grpc_auth_refresh_token* token) {
+static std::string create_loggable_refresh_token(
+    grpc_auth_refresh_token* token) {
   if (strcmp(token->type, GRPC_AUTH_JSON_TYPE_INVALID) == 0) {
-    return gpr_strdup("<Invalid json token>");
+    return "<Invalid json token>";
   }
-  char* loggable_token = nullptr;
-  gpr_asprintf(&loggable_token,
-               "{\n type: %s\n client_id: %s\n client_secret: "
-               "<redacted>\n refresh_token: <redacted>\n}",
-               token->type, token->client_id);
-  return loggable_token;
+  return absl::StrFormat(
+      "{\n type: %s\n client_id: %s\n client_secret: "
+      "<redacted>\n refresh_token: <redacted>\n}",
+      token->type, token->client_id);
 }
 
 grpc_call_credentials* grpc_google_refresh_token_credentials_create(
@@ -504,12 +500,10 @@ grpc_call_credentials* grpc_google_refresh_token_credentials_create(
   grpc_auth_refresh_token token =
       grpc_auth_refresh_token_create_from_string(json_refresh_token);
   if (GRPC_TRACE_FLAG_ENABLED(grpc_api_trace)) {
-    char* loggable_token = create_loggable_refresh_token(&token);
     gpr_log(GPR_INFO,
             "grpc_refresh_token_credentials_create(json_refresh_token=%s, "
             "reserved=%p)",
-            loggable_token, reserved);
-    gpr_free(loggable_token);
+            create_loggable_refresh_token(&token).c_str(), reserved);
   }
   GPR_ASSERT(reserved == nullptr);
   return grpc_refresh_token_credentials_create_from_auth_refresh_token(token)
@@ -744,13 +738,10 @@ void grpc_access_token_credentials::cancel_get_request_metadata(
 grpc_access_token_credentials::grpc_access_token_credentials(
     const char* access_token)
     : grpc_call_credentials(GRPC_CALL_CREDENTIALS_TYPE_OAUTH2) {
-  char* token_md_value;
-  gpr_asprintf(&token_md_value, "Bearer %s", access_token);
   grpc_core::ExecCtx exec_ctx;
   access_token_md_ = grpc_mdelem_from_slices(
       grpc_core::ExternallyManagedSlice(GRPC_AUTHORIZATION_METADATA_KEY),
-      grpc_core::UnmanagedMemorySlice(token_md_value));
-  gpr_free(token_md_value);
+      grpc_slice_from_cpp_string(absl::StrCat("Bearer ", access_token)));
 }
 
 std::string grpc_access_token_credentials::debug_string() {

data/src/core/lib/security/credentials/plugin/plugin_credentials.cc

@@ -22,10 +22,11 @@
 
 #include <string.h>
 
+#include "absl/strings/str_cat.h"
+
 #include <grpc/grpc.h>
 #include <grpc/support/alloc.h>
 #include <grpc/support/log.h>
-#include <grpc/support/string_util.h>
 #include <grpc/support/sync.h>
 
 #include "src/core/lib/slice/slice_internal.h"
@@ -86,11 +87,10 @@ static grpc_error* process_plugin_result(
     size_t num_md, grpc_status_code status, const char* error_details) {
   grpc_error* error = GRPC_ERROR_NONE;
   if (status != GRPC_STATUS_OK) {
-    char* msg;
-    gpr_asprintf(&msg, "Getting metadata from plugin failed with error: %s",
-                 error_details);
-    error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
-    gpr_free(msg);
+    error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+        absl::StrCat("Getting metadata from plugin failed with error: ",
+                     error_details)
+            .c_str());
   } else {
     bool seen_illegal_header = false;
     for (size_t i = 0; i < num_md; ++i) {

data/src/core/lib/security/credentials/ssl/ssl_credentials.cc

@@ -117,6 +117,16 @@ void grpc_ssl_credentials::build_config(
   }
 }
 
+void grpc_ssl_credentials::set_min_tls_version(
+    grpc_tls_version min_tls_version) {
+  config_.min_tls_version = min_tls_version;
+}
+
+void grpc_ssl_credentials::set_max_tls_version(
+    grpc_tls_version max_tls_version) {
+  config_.max_tls_version = max_tls_version;
+}
+
 /* Deprecated in favor of grpc_ssl_credentials_create_ex. Will be removed
  * once all of its call sites are migrated to grpc_ssl_credentials_create_ex. */
 grpc_channel_credentials* grpc_ssl_credentials_create(
@@ -213,6 +223,16 @@ void grpc_ssl_server_credentials::build_config(
   config_.num_key_cert_pairs = num_key_cert_pairs;
 }
 
+void grpc_ssl_server_credentials::set_min_tls_version(
+    grpc_tls_version min_tls_version) {
+  config_.min_tls_version = min_tls_version;
+}
+
+void grpc_ssl_server_credentials::set_max_tls_version(
+    grpc_tls_version max_tls_version) {
+  config_.max_tls_version = max_tls_version;
+}
+
 grpc_ssl_server_certificate_config* grpc_ssl_server_certificate_config_create(
     const char* pem_root_certs,
     const grpc_ssl_pem_key_cert_pair* pem_key_cert_pairs,

data/src/core/lib/security/credentials/ssl/ssl_credentials.h

@@ -38,6 +38,11 @@ class grpc_ssl_credentials : public grpc_channel_credentials {
       const char* target, const grpc_channel_args* args,
       grpc_channel_args** new_args) override;
 
+  // TODO(mattstev): Plumb to wrapped languages. Until then, setting the TLS
+  // version should be done for testing purposes only.
+  void set_min_tls_version(grpc_tls_version min_tls_version);
+  void set_max_tls_version(grpc_tls_version max_tls_version);
+
  private:
   void build_config(const char* pem_root_certs,
                     grpc_ssl_pem_key_cert_pair* pem_key_cert_pair,
@@ -77,6 +82,11 @@ class grpc_ssl_server_credentials final : public grpc_server_credentials {
                                           config);
   }
 
+  // TODO(mattstev): Plumb to wrapped languages. Until then, setting the TLS
+  // version should be done for testing purposes only.
+  void set_min_tls_version(grpc_tls_version min_tls_version);
+  void set_max_tls_version(grpc_tls_version max_tls_version);
+
   const grpc_ssl_server_config& config() const { return config_; }
 
  private:

data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h

@@ -264,6 +264,8 @@ struct grpc_tls_credentials_options
   grpc_tls_server_verification_option server_verification_option() const {
     return server_verification_option_;
   }
+  grpc_tls_version min_tls_version() const { return min_tls_version_; }
+  grpc_tls_version max_tls_version() const { return max_tls_version_; }
   grpc_tls_key_materials_config* key_materials_config() const {
     return key_materials_config_.get();
   }
@@ -284,6 +286,12 @@ struct grpc_tls_credentials_options
       const grpc_tls_server_verification_option server_verification_option) {
     server_verification_option_ = server_verification_option;
   }
+  void set_min_tls_version(grpc_tls_version min_tls_version) {
+    min_tls_version_ = min_tls_version;
+  }
+  void set_max_tls_version(grpc_tls_version max_tls_version) {
+    max_tls_version_ = max_tls_version;
+  }
   void set_key_materials_config(
       grpc_core::RefCountedPtr<grpc_tls_key_materials_config> config) {
     key_materials_config_ = std::move(config);
@@ -302,6 +310,8 @@ struct grpc_tls_credentials_options
   grpc_ssl_client_certificate_request_type cert_request_type_;
   grpc_tls_server_verification_option server_verification_option_ =
       GRPC_TLS_SERVER_VERIFICATION;
+  grpc_tls_version min_tls_version_ = grpc_tls_version::TLS1_2;
+  grpc_tls_version max_tls_version_ = grpc_tls_version::TLS1_3;
   grpc_core::RefCountedPtr<grpc_tls_key_materials_config> key_materials_config_;
   grpc_core::RefCountedPtr<grpc_tls_credential_reload_config>
       credential_reload_config_;

data/src/core/lib/security/security_connector/fake/fake_security_connector.cc

@@ -22,6 +22,8 @@
 
 #include <stdbool.h>
 
+#include "absl/strings/str_cat.h"
+
 #include <grpc/support/alloc.h>
 #include <grpc/support/log.h>
 #include <grpc/support/string_util.h>
@@ -227,11 +229,10 @@ static void fake_check_peer(
   prop_name = peer.properties[0].name;
   if (prop_name == nullptr ||
       strcmp(prop_name, TSI_CERTIFICATE_TYPE_PEER_PROPERTY)) {
-    char* msg;
-    gpr_asprintf(&msg, "Unexpected property in fake peer: %s.",
-                 prop_name == nullptr ? "<EMPTY>" : prop_name);
-    error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
-    gpr_free(msg);
+    error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+        absl::StrCat("Unexpected property in fake peer: ",
+                     prop_name == nullptr ? "<EMPTY>" : prop_name)
+            .c_str());
     goto end;
   }
   if (strncmp(peer.properties[0].value.data, TSI_FAKE_CERTIFICATE_TYPE,
@@ -243,11 +244,10 @@ static void fake_check_peer(
   prop_name = peer.properties[1].name;
   if (prop_name == nullptr ||
       strcmp(prop_name, TSI_SECURITY_LEVEL_PEER_PROPERTY) != 0) {
-    char* msg;
-    gpr_asprintf(&msg, "Unexpected property in fake peer: %s.",
-                 prop_name == nullptr ? "<EMPTY>" : prop_name);
-    error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
-    gpr_free(msg);
+    error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+        absl::StrCat("Unexpected property in fake peer: ",
+                     prop_name == nullptr ? "<EMPTY>" : prop_name)
+            .c_str());
     goto end;
   }
   if (strncmp(peer.properties[1].value.data, TSI_FAKE_SECURITY_LEVEL,

data/src/core/lib/security/security_connector/security_connector.cc

@@ -46,6 +46,8 @@ grpc_server_security_connector::grpc_server_security_connector(
     : grpc_security_connector(url_scheme),
       server_creds_(std::move(server_creds)) {}
 
+grpc_server_security_connector::~grpc_server_security_connector() = default;
+
 grpc_channel_security_connector::grpc_channel_security_connector(
     const char* url_scheme,
     grpc_core::RefCountedPtr<grpc_channel_credentials> channel_creds,

data/src/core/lib/security/security_connector/security_connector.h

@@ -151,7 +151,7 @@ class grpc_server_security_connector : public grpc_security_connector {
   grpc_server_security_connector(
       const char* url_scheme,
       grpc_core::RefCountedPtr<grpc_server_credentials> server_creds);
-  ~grpc_server_security_connector() override = default;
+  ~grpc_server_security_connector() override;
 
   virtual void add_handshakers(const grpc_channel_args* args,
                                grpc_pollset_set* interested_parties,

data/src/core/lib/security/security_connector/ssl/ssl_security_connector.cc

@@ -22,17 +22,19 @@
 
 #include <stdbool.h>
 
+#include "absl/strings/str_cat.h"
+#include "absl/strings/str_format.h"
 #include "absl/strings/string_view.h"
 
 #include <grpc/support/alloc.h>
 #include <grpc/support/log.h>
-#include <grpc/support/string_util.h>
 
 #include "src/core/ext/transport/chttp2/alpn/alpn.h"
 #include "src/core/lib/channel/handshaker.h"
 #include "src/core/lib/gpr/string.h"
 #include "src/core/lib/gprpp/host_port.h"
 #include "src/core/lib/gprpp/ref_counted_ptr.h"
+#include "src/core/lib/gprpp/sync.h"
 #include "src/core/lib/security/context/security_context.h"
 #include "src/core/lib/security/credentials/credentials.h"
 #include "src/core/lib/security/credentials/ssl/ssl_credentials.h"
@@ -52,11 +54,9 @@ grpc_error* ssl_check_peer(
   }
   /* Check the peer name if specified. */
   if (peer_name != nullptr && !grpc_ssl_host_matches_name(peer, peer_name)) {
-    char* msg;
-    gpr_asprintf(&msg, "Peer name %s is not in peer certificate", peer_name);
-    error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
-    gpr_free(msg);
-    return error;
+    return GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+        absl::StrCat("Peer name ", peer_name, " is not in peer certificate")
+            .c_str());
   }
   *auth_context =
       grpc_ssl_peer_to_auth_context(peer, GRPC_SSL_TRANSPORT_SECURITY_TYPE);
@@ -106,6 +106,8 @@ class grpc_ssl_channel_security_connector final
     }
     options.cipher_suites = grpc_get_ssl_cipher_suites();
     options.session_cache = ssl_session_cache;
+    options.min_tls_version = grpc_get_tsi_tls_version(config->min_tls_version);
+    options.max_tls_version = grpc_get_tsi_tls_version(config->max_tls_version);
     const tsi_result result =
         tsi_create_ssl_client_handshaker_factory_with_options(
             &options, &client_handshaker_factory_);
@@ -160,11 +162,10 @@ class grpc_ssl_channel_security_connector final
             verify_options_->verify_peer_callback_userdata);
         gpr_free(peer_pem);
         if (callback_status) {
-          char* msg;
-          gpr_asprintf(&msg, "Verify peer callback returned a failure (%d)",
-                       callback_status);
-          error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(msg);
-          gpr_free(msg);
+          error = GRPC_ERROR_CREATE_FROM_COPIED_STRING(
+              absl::StrFormat("Verify peer callback returned a failure (%d)",
+                              callback_status)
+                  .c_str());
         }
       }
     }
@@ -250,6 +251,10 @@ class grpc_ssl_server_security_connector
       options.cipher_suites = grpc_get_ssl_cipher_suites();
       options.alpn_protocols = alpn_protocol_strings;
       options.num_alpn_protocols = static_cast<uint16_t>(num_alpn_protocols);
+      options.min_tls_version = grpc_get_tsi_tls_version(
+          server_credentials->config().min_tls_version);
+      options.max_tls_version = grpc_get_tsi_tls_version(
+          server_credentials->config().max_tls_version);
       const tsi_result result =
           tsi_create_ssl_server_handshaker_factory_with_options(
               &options, &server_handshaker_factory_);
@@ -302,6 +307,7 @@ class grpc_ssl_server_security_connector
     bool status;
     if (!has_cert_config_fetcher()) return false;
 
+    grpc_core::MutexLock lock(&mu_);
     grpc_ssl_server_credentials* server_creds =
         static_cast<grpc_ssl_server_credentials*>(this->mutable_server_creds());
     grpc_ssl_certificate_config_reload_status cb_result =
@@ -381,6 +387,7 @@ class grpc_ssl_server_security_connector
     server_handshaker_factory_ = new_factory;
   }
 
+  grpc_core::Mutex mu_;
   tsi_ssl_server_handshaker_factory* server_handshaker_factory_ = nullptr;
 };
 }  // namespace