RubyGems - grpc - Versions diffs - 1.42.0 → 1.43.1 - Mend

grpc 1.42.0 → 1.43.1

Potentially problematic release.

This version of grpc might be problematic. Click here for more details.

Files changed (739) hide show

data/src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.cc ADDED Viewed

@@ -0,0 +1,201 @@
+//
+// Copyright 2021 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+#include <grpc/support/port_platform.h>
+#include "src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.h"
+#include <grpc/support/alloc.h>
+#include <grpc/support/log.h>
+#include <grpc/support/string_util.h>
+#include "src/core/lib/gprpp/host_port.h"
+#include "src/core/lib/gprpp/stat.h"
+#include "src/core/lib/security/credentials/tls/tls_utils.h"
+#include "src/core/lib/slice/slice_internal.h"
+#include "src/core/lib/surface/api_trace.h"
+namespace grpc_core {
+bool ExternalCertificateVerifier::Verify(
+    grpc_tls_custom_verification_check_request* request,
+    std::function<void(absl::Status)> callback, absl::Status* sync_status) {
+  {
+    MutexLock lock(&mu_);
+    request_map_.emplace(request, std::move(callback));
+  }
+  // Invoke the caller-specified verification logic embedded in
+  // external_verifier_.
+  grpc_status_code status_code = GRPC_STATUS_OK;
+  char* error_details = nullptr;
+  bool is_done = external_verifier_->verify(external_verifier_->user_data,
+                                            request, &OnVerifyDone, this,
+                                            &status_code, &error_details);
+  if (is_done) {
+    if (status_code != GRPC_STATUS_OK) {
+      *sync_status = absl::Status(static_cast<absl::StatusCode>(status_code),
+                                  error_details);
+    }
+    MutexLock lock(&mu_);
+    request_map_.erase(request);
+  }
+  gpr_free(error_details);
+  return is_done;
+}
+void ExternalCertificateVerifier::OnVerifyDone(
+    grpc_tls_custom_verification_check_request* request, void* callback_arg,
+    grpc_status_code status, const char* error_details) {
+  ExecCtx exec_ctx;
+  auto* self = static_cast<ExternalCertificateVerifier*>(callback_arg);
+  std::function<void(absl::Status)> callback;
+  {
+    MutexLock lock(&self->mu_);
+    auto it = self->request_map_.find(request);
+    if (it != self->request_map_.end()) {
+      callback = std::move(it->second);
+      self->request_map_.erase(it);
+    }
+  }
+  if (callback != nullptr) {
+    absl::Status return_status = absl::OkStatus();
+    if (status != GRPC_STATUS_OK) {
+      return_status =
+          absl::Status(static_cast<absl::StatusCode>(status), error_details);
+    }
+    callback(return_status);
+  }
+}
+bool HostNameCertificateVerifier::Verify(
+    grpc_tls_custom_verification_check_request* request,
+    std::function<void(absl::Status)>, absl::Status* sync_status) {
+  GPR_ASSERT(request != nullptr);
+  // Extract the target name, and remove its port.
+  const char* target_name = request->target_name;
+  if (target_name == nullptr) {
+    *sync_status = absl::Status(absl::StatusCode::kUnauthenticated,
+                                "Target name is not specified.");
+    return true;  // synchronous check
+  }
+  absl::string_view target_host;
+  absl::string_view ignored_port;
+  SplitHostPort(target_name, &target_host, &ignored_port);
+  if (target_host.empty()) {
+    *sync_status = absl::Status(absl::StatusCode::kUnauthenticated,
+                                "Failed to split hostname and port.");
+    return true;  // synchronous check
+  }
+  // IPv6 zone-id should not be included in comparisons.
+  const size_t zone_id = target_host.find('%');
+  if (zone_id != absl::string_view::npos) {
+    target_host.remove_suffix(target_host.size() - zone_id);
+  }
+  // Perform the hostname check.
+  // First check the DNS field. We allow prefix or suffix wildcard matching.
+  char** dns_names = request->peer_info.san_names.dns_names;
+  size_t dns_names_size = request->peer_info.san_names.dns_names_size;
+  if (dns_names != nullptr && dns_names_size > 0) {
+    for (size_t i = 0; i < dns_names_size; ++i) {
+      const char* dns_name = dns_names[i];
+      // We are using the target name sent from the client as a matcher to match
+      // against identity name on the peer cert.
+      if (VerifySubjectAlternativeName(dns_name, std::string(target_host))) {
+        return true;  // synchronous check
+      }
+    }
+  }
+  // Then check the IP address. We only allow exact matching.
+  char** ip_names = request->peer_info.san_names.ip_names;
+  size_t ip_names_size = request->peer_info.san_names.ip_names_size;
+  if (ip_names != nullptr && ip_names_size > 0) {
+    for (size_t i = 0; i < ip_names_size; ++i) {
+      const char* ip_name = ip_names[i];
+      if (target_host == ip_name) {
+        return true;  // synchronous check
+      }
+    }
+  }
+  // If there's no SAN, try the CN.
+  if (dns_names_size == 0) {
+    const char* common_name = request->peer_info.common_name;
+    // We are using the target name sent from the client as a matcher to match
+    // against identity name on the peer cert.
+    if (VerifySubjectAlternativeName(common_name, std::string(target_host))) {
+      return true;  // synchronous check
+    }
+  }
+  *sync_status = absl::Status(absl::StatusCode::kUnauthenticated,
+                              "Hostname Verification Check failed.");
+  return true;  // synchronous check
+}
+}  // namespace grpc_core
+//
+// Wrapper APIs declared in grpc_security.h
+//
+int grpc_tls_certificate_verifier_verify(
+    grpc_tls_certificate_verifier* verifier,
+    grpc_tls_custom_verification_check_request* request,
+    grpc_tls_on_custom_verification_check_done_cb callback, void* callback_arg,
+    grpc_status_code* sync_status, char** sync_error_details) {
+  grpc_core::ExecCtx exec_ctx;
+  std::function<void(absl::Status)> async_cb =
+      [callback, request, callback_arg](absl::Status async_status) {
+        callback(request, callback_arg,
+                 static_cast<grpc_status_code>(async_status.code()),
+                 std::string(async_status.message()).c_str());
+      };
+  absl::Status sync_status_cpp;
+  bool is_done = verifier->Verify(request, async_cb, &sync_status_cpp);
+  if (is_done) {
+    if (!sync_status_cpp.ok()) {
+      *sync_status = static_cast<grpc_status_code>(sync_status_cpp.code());
+      *sync_error_details =
+          gpr_strdup(std::string(sync_status_cpp.message()).c_str());
+    }
+  }
+  return is_done;
+}
+void grpc_tls_certificate_verifier_cancel(
+    grpc_tls_certificate_verifier* verifier,
+    grpc_tls_custom_verification_check_request* request) {
+  grpc_core::ExecCtx exec_ctx;
+  verifier->Cancel(request);
+}
+grpc_tls_certificate_verifier* grpc_tls_certificate_verifier_external_create(
+    grpc_tls_certificate_verifier_external* external_verifier) {
+  grpc_core::ExecCtx exec_ctx;
+  return new grpc_core::ExternalCertificateVerifier(external_verifier);
+}
+grpc_tls_certificate_verifier*
+grpc_tls_certificate_verifier_host_name_create() {
+  grpc_core::ExecCtx exec_ctx;
+  return new grpc_core::HostNameCertificateVerifier();
+}
+void grpc_tls_certificate_verifier_release(
+    grpc_tls_certificate_verifier* verifier) {
+  GRPC_API_TRACE("grpc_tls_certificate_verifier_release(verifier=%p)", 1,
+                 (verifier));
+  grpc_core::ExecCtx exec_ctx;
+  if (verifier != nullptr) verifier->Unref();
+}

data/src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.h ADDED Viewed

@@ -0,0 +1,106 @@
+//
+// Copyright 2021 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+#ifndef GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CERTIFICATE_VERIFIER_H
+#define GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CERTIFICATE_VERIFIER_H
+#include <grpc/support/port_platform.h>
+#include <string.h>
+#include "absl/status/status.h"
+#include <grpc/grpc_security.h>
+#include "src/core/lib/gprpp/ref_counted.h"
+#include "src/core/lib/gprpp/ref_counted_ptr.h"
+#include "src/core/lib/gprpp/thd.h"
+#include "src/core/lib/iomgr/load_file.h"
+#include "src/core/lib/iomgr/pollset_set.h"
+#include "src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h"
+#include "src/core/lib/security/security_connector/ssl_utils.h"
+// An abstraction of the verifier that all verifier subclasses should extend.
+struct grpc_tls_certificate_verifier
+    : public grpc_core::RefCounted<grpc_tls_certificate_verifier> {
+ public:
+  grpc_tls_certificate_verifier() = default;
+  ~grpc_tls_certificate_verifier() override = default;
+  // Verifies the specific request. It can be processed in sync or async mode.
+  // If the caller want it to be processed asynchronously, return false
+  // immediately, and at the end of the async operation, invoke the callback
+  // with the verification results stored in absl::Status. Otherwise, populate
+  // the verification results in |sync_status| and return true. The caller is
+  // expected to populate verification results by setting request.
+  virtual bool Verify(grpc_tls_custom_verification_check_request* request,
+                      std::function<void(absl::Status)> callback,
+                      absl::Status* sync_status) = 0;
+  // Operations that will be performed when a request is cancelled.
+  // This is only needed when in async mode.
+  virtual void Cancel(grpc_tls_custom_verification_check_request* request) = 0;
+};
+namespace grpc_core {
+// A verifier that will transform grpc_tls_certificate_verifier_external to a
+// verifier that extends grpc_tls_certificate_verifier.
+class ExternalCertificateVerifier : public grpc_tls_certificate_verifier {
+ public:
+  explicit ExternalCertificateVerifier(
+      grpc_tls_certificate_verifier_external* external_verifier)
+      : external_verifier_(external_verifier) {}
+  ~ExternalCertificateVerifier() override {
+    if (external_verifier_->destruct != nullptr) {
+      external_verifier_->destruct(external_verifier_->user_data);
+    }
+  }
+  bool Verify(grpc_tls_custom_verification_check_request* request,
+              std::function<void(absl::Status)> callback,
+              absl::Status* sync_status) override;
+  void Cancel(grpc_tls_custom_verification_check_request* request) override {
+    external_verifier_->cancel(external_verifier_->user_data, request);
+  }
+ private:
+  grpc_tls_certificate_verifier_external* external_verifier_;
+  static void OnVerifyDone(grpc_tls_custom_verification_check_request* request,
+                           void* callback_arg, grpc_status_code status,
+                           const char* error_details);
+  // Guards members below.
+  Mutex mu_;
+  // stores each check request and its corresponding callback function.
+  std::map<grpc_tls_custom_verification_check_request*,
+           std::function<void(absl::Status)>>
+      request_map_ ABSL_GUARDED_BY(mu_);
+};
+// An internal verifier that will perform hostname verification check.
+class HostNameCertificateVerifier : public grpc_tls_certificate_verifier {
+ public:
+  bool Verify(grpc_tls_custom_verification_check_request* request,
+              std::function<void(absl::Status)> callback,
+              absl::Status* sync_status) override;
+  void Cancel(grpc_tls_custom_verification_check_request*) override {}
+};
+}  // namespace grpc_core
+#endif  // GRPC_CORE_LIB_SECURITY_CREDENTIALS_TLS_GRPC_TLS_CERTIFICATE_VERIFIER_H

data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc CHANGED Viewed

@@ -29,61 +29,6 @@
 #include "src/core/lib/surface/api_trace.h"
-/** -- gRPC TLS server authorization check API implementation. -- **/
-grpc_tls_server_authorization_check_config::
-    grpc_tls_server_authorization_check_config(
-        const void* config_user_data,
-        int (*schedule)(void* config_user_data,
-                        grpc_tls_server_authorization_check_arg* arg),
-        void (*cancel)(void* config_user_data,
-                       grpc_tls_server_authorization_check_arg* arg),
-        void (*destruct)(void* config_user_data))
-    : config_user_data_(const_cast<void*>(config_user_data)),
-      schedule_(schedule),
-      cancel_(cancel),
-      destruct_(destruct) {}
-grpc_tls_server_authorization_check_config::
-    ~grpc_tls_server_authorization_check_config() {
-  if (destruct_ != nullptr) {
-    destruct_(config_user_data_);
-  }
-}
-int grpc_tls_server_authorization_check_config::Schedule(
-    grpc_tls_server_authorization_check_arg* arg) const {
-  if (schedule_ == nullptr) {
-    gpr_log(GPR_ERROR, "schedule API is nullptr");
-    if (arg != nullptr) {
-      arg->status = GRPC_STATUS_NOT_FOUND;
-      arg->error_details->set_error_details(
-          "schedule API in server authorization check config is nullptr");
-    }
-    return 1;
-  }
-  if (arg != nullptr && context_ != nullptr) {
-    arg->config = const_cast<grpc_tls_server_authorization_check_config*>(this);
-  }
-  return schedule_(config_user_data_, arg);
-}
-void grpc_tls_server_authorization_check_config::Cancel(
-    grpc_tls_server_authorization_check_arg* arg) const {
-  if (cancel_ == nullptr) {
-    gpr_log(GPR_ERROR, "cancel API is nullptr.");
-    if (arg != nullptr) {
-      arg->status = GRPC_STATUS_NOT_FOUND;
-      arg->error_details->set_error_details(
-          "schedule API in server authorization check config is nullptr");
-    }
-    return;
-  }
-  if (arg != nullptr) {
-    arg->config = const_cast<grpc_tls_server_authorization_check_config*>(this);
-  }
-  cancel_(config_user_data_, arg);
-}
 /** -- Wrapper APIs declared in grpc_security.h -- **/
 grpc_tls_credentials_options* grpc_tls_credentials_options_create() {
@@ -98,11 +43,10 @@ void grpc_tls_credentials_options_set_cert_request_type(
   options->set_cert_request_type(type);
 }
-void grpc_tls_credentials_options_set_server_verification_option(
-    grpc_tls_credentials_options* options,
-    grpc_tls_server_verification_option server_verification_option) {
+void grpc_tls_credentials_options_set_verify_server_cert(
+    grpc_tls_credentials_options* options, int verify_server_cert) {
   GPR_ASSERT(options != nullptr);
-  options->set_server_verification_option(server_verification_option);
+  options->set_verify_server_cert(verify_server_cert);
 }
 void grpc_tls_credentials_options_set_certificate_provider(
@@ -139,39 +83,16 @@ void grpc_tls_credentials_options_set_identity_cert_name(
   options->set_identity_cert_name(identity_cert_name);
 }
-void grpc_tls_credentials_options_set_server_authorization_check_config(
+void grpc_tls_credentials_options_set_certificate_verifier(
     grpc_tls_credentials_options* options,
-    grpc_tls_server_authorization_check_config* config) {
+    grpc_tls_certificate_verifier* verifier) {
   GPR_ASSERT(options != nullptr);
-  GPR_ASSERT(config != nullptr);
-  grpc_core::ExecCtx exec_ctx;
-  options->set_server_authorization_check_config(config->Ref());
-}
-grpc_tls_server_authorization_check_config*
-grpc_tls_server_authorization_check_config_create(
-    const void* config_user_data,
-    int (*schedule)(void* config_user_data,
-                    grpc_tls_server_authorization_check_arg* arg),
-    void (*cancel)(void* config_user_data,
-                   grpc_tls_server_authorization_check_arg* arg),
-    void (*destruct)(void* config_user_data)) {
-  if (schedule == nullptr) {
-    gpr_log(GPR_ERROR,
-            "Schedule API is nullptr in creating TLS server authorization "
-            "check config.");
-    return nullptr;
-  }
-  grpc_core::ExecCtx exec_ctx;
-  return new grpc_tls_server_authorization_check_config(
-      config_user_data, schedule, cancel, destruct);
+  GPR_ASSERT(verifier != nullptr);
+  options->set_certificate_verifier(verifier->Ref());
 }
-void grpc_tls_server_authorization_check_config_release(
-    grpc_tls_server_authorization_check_config* config) {
-  GRPC_API_TRACE(
-      "grpc_tls_server_authorization_check_config_release(config=%p)", 1,
-      (config));
-  grpc_core::ExecCtx exec_ctx;
-  if (config != nullptr) config->Unref();
+void grpc_tls_credentials_options_set_check_call_host(
+    grpc_tls_credentials_options* options, int check_call_host) {
+  GPR_ASSERT(options != nullptr);
+  options->set_check_call_host(check_call_host);
 }

data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h CHANGED Viewed

@@ -28,73 +28,9 @@
 #include "src/core/lib/gprpp/ref_counted.h"
 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h"
 #include "src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.h"
+#include "src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.h"
 #include "src/core/lib/security/security_connector/ssl_utils.h"
-struct grpc_tls_error_details
-    : public grpc_core::RefCounted<grpc_tls_error_details> {
- public:
-  grpc_tls_error_details() : error_details_("") {}
-  void set_error_details(const char* err_details) {
-    error_details_ = err_details;
-  }
-  const std::string& error_details() { return error_details_; }
- private:
-  std::string error_details_;
-};
-/** TLS server authorization check config. **/
-struct grpc_tls_server_authorization_check_config
-    : public grpc_core::RefCounted<grpc_tls_server_authorization_check_config> {
- public:
-  grpc_tls_server_authorization_check_config(
-      const void* config_user_data,
-      int (*schedule)(void* config_user_data,
-                      grpc_tls_server_authorization_check_arg* arg),
-      void (*cancel)(void* config_user_data,
-                     grpc_tls_server_authorization_check_arg* arg),
-      void (*destruct)(void* config_user_data));
-  ~grpc_tls_server_authorization_check_config() override;
-  void* context() const { return context_; }
-  void set_context(void* context) { context_ = context; }
-  int Schedule(grpc_tls_server_authorization_check_arg* arg) const;
-  void Cancel(grpc_tls_server_authorization_check_arg* arg) const;
- private:
-  /** This is a pointer to the wrapped language implementation of
-   * grpc_tls_server_authorization_check_config. It is necessary to implement
-   * the C schedule and cancel functions, given the schedule or cancel function
-   * in a wrapped language. **/
-  void* context_ = nullptr;
-  /** config-specific, read-only user data that works for all channels created
-     with a Credential using the config. */
-  void* config_user_data_;
-  /** callback function for invoking server authorization check. The
-     implementation of this method has to be non-blocking, but can be performed
-     synchronously or asynchronously.
-     If processing occurs synchronously, it populates \a arg->result, \a
-     arg->status, and \a arg->error_details, and returns zero.
-     If processing occurs asynchronously, it returns a non-zero value.
-     Application then invokes \a arg->cb when processing is completed. Note that
-     \a arg->cb cannot be invoked before \a schedule() returns.
-  */
-  int (*schedule_)(void* config_user_data,
-                   grpc_tls_server_authorization_check_arg* arg);
-  /** callback function for canceling a server authorization check request. */
-  void (*cancel_)(void* config_user_data,
-                  grpc_tls_server_authorization_check_arg* arg);
-  /** callback function for cleaning up any data associated with server
-     authorization check config. */
-  void (*destruct_)(void* config_user_data);
-};
 // Contains configurable options specified by callers to configure their certain
 // security features supported in TLS.
 // TODO(ZhenLian): consider making this not ref-counted.
@@ -107,15 +43,14 @@ struct grpc_tls_credentials_options
   grpc_ssl_client_certificate_request_type cert_request_type() const {
     return cert_request_type_;
   }
-  grpc_tls_server_verification_option server_verification_option() const {
-    return server_verification_option_;
-  }
+  bool verify_server_cert() const { return verify_server_cert_; }
   grpc_tls_version min_tls_version() const { return min_tls_version_; }
   grpc_tls_version max_tls_version() const { return max_tls_version_; }
-  grpc_tls_server_authorization_check_config*
-  server_authorization_check_config() const {
-    return server_authorization_check_config_.get();
+  // Returns the verifier set in the options.
+  grpc_tls_certificate_verifier* certificate_verifier() {
+    return verifier_.get();
   }
+  bool check_call_host() const { return check_call_host_; }
   // Returns the distributor from provider_ if it is set, nullptr otherwise.
   grpc_tls_certificate_distributor* certificate_distributor() {
     if (provider_ != nullptr) return provider_->distributor().get();
@@ -131,9 +66,8 @@ struct grpc_tls_credentials_options
       const grpc_ssl_client_certificate_request_type type) {
     cert_request_type_ = type;
   }
-  void set_server_verification_option(
-      const grpc_tls_server_verification_option server_verification_option) {
-    server_verification_option_ = server_verification_option;
+  void set_verify_server_cert(bool verify_server_cert) {
+    verify_server_cert_ = verify_server_cert;
   }
   void set_min_tls_version(grpc_tls_version min_tls_version) {
     min_tls_version_ = min_tls_version;
@@ -141,10 +75,14 @@ struct grpc_tls_credentials_options
   void set_max_tls_version(grpc_tls_version max_tls_version) {
     max_tls_version_ = max_tls_version;
   }
-  void set_server_authorization_check_config(
-      grpc_core::RefCountedPtr<grpc_tls_server_authorization_check_config>
-          config) {
-    server_authorization_check_config_ = std::move(config);
+  // Sets the verifier in the options.
+  void set_certificate_verifier(
+      grpc_core::RefCountedPtr<grpc_tls_certificate_verifier> verifier) {
+    verifier_ = std::move(verifier);
+  }
+  // Sets the verifier in the options.
+  void set_check_call_host(bool check_call_host) {
+    check_call_host_ = check_call_host;
   }
   // Sets the provider in the options.
   void set_certificate_provider(
@@ -177,12 +115,11 @@ struct grpc_tls_credentials_options
  private:
   grpc_ssl_client_certificate_request_type cert_request_type_ =
       GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE;
-  grpc_tls_server_verification_option server_verification_option_ =
-      GRPC_TLS_SERVER_VERIFICATION;
+  bool verify_server_cert_ = true;
   grpc_tls_version min_tls_version_ = grpc_tls_version::TLS1_2;
   grpc_tls_version max_tls_version_ = grpc_tls_version::TLS1_3;
-  grpc_core::RefCountedPtr<grpc_tls_server_authorization_check_config>
-      server_authorization_check_config_;
+  grpc_core::RefCountedPtr<grpc_tls_certificate_verifier> verifier_;
+  bool check_call_host_ = true;
   grpc_core::RefCountedPtr<grpc_tls_certificate_provider> provider_;
   bool watch_root_cert_ = false;
   std::string root_cert_name_;

data/src/core/lib/security/credentials/tls/tls_credentials.cc CHANGED Viewed

@@ -28,29 +28,40 @@
 #include <grpc/support/string_util.h>
 #include "src/core/lib/channel/channel_args.h"
+#include "src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.h"
 #include "src/core/lib/security/security_connector/tls/tls_security_connector.h"
 #define GRPC_CREDENTIALS_TYPE_TLS "Tls"
 namespace {
-bool CredentialOptionSanityCheck(const grpc_tls_credentials_options* options,
+bool CredentialOptionSanityCheck(grpc_tls_credentials_options* options,
                                  bool is_client) {
   if (options == nullptr) {
     gpr_log(GPR_ERROR, "TLS credentials options is nullptr.");
     return false;
   }
-  // TODO(ZhenLian): remove this when it is also supported on server side.
-  if (!is_client && options->server_authorization_check_config() != nullptr) {
-    gpr_log(GPR_INFO,
-            "Server's credentials options should not contain server "
-            "authorization check config.");
+  // In the following conditions, there won't be any issues, but it might
+  // indicate callers are doing something wrong with the API.
+  if (is_client && options->cert_request_type() !=
+                       GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE) {
+    gpr_log(GPR_ERROR,
+            "Client's credentials options should not set cert_request_type.");
   }
-  if (options->server_verification_option() != GRPC_TLS_SERVER_VERIFICATION &&
-      options->server_authorization_check_config() == nullptr) {
+  if (!is_client && !options->verify_server_cert()) {
     gpr_log(GPR_ERROR,
-            "Should provider custom verifications if bypassing default ones.");
-    return false;
+            "Server's credentials options should not set verify_server_cert.");
+  }
+  // In the following conditions, there could be severe security issues.
+  if (is_client && options->certificate_verifier() == nullptr) {
+    // If no verifier is specified on the client side, use the hostname verifier
+    // as default. Users who want to bypass all the verifier check should
+    // implement an external verifier instead.
+    gpr_log(GPR_INFO,
+            "No verifier specified on the client side. Using default hostname "
+            "verifier");
+    options->set_certificate_verifier(
+        grpc_core::MakeRefCounted<grpc_core::HostNameCertificateVerifier>());
   }
   return true;
 }