grpc 1.59.2 → 1.59.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 759d825c6725ecef82f2e56b725a43704250217a4cbff252302a070bf11e3849
-  data.tar.gz: 1156877963781d0594e138c6b5d31695230946eb4738647cec37706691912e15
+  metadata.gz: a2f9c97b2899a98b0aa10617cf7d44f43c790a94ae5254ed9f5aeb00d981fc5f
+  data.tar.gz: 8de2a6a60e16d1f737e2feac45432deca18279de9ec5d53b91a6fad053a40cba
 SHA512:
-  metadata.gz: 5f79426b08ab87c3c5d184f083f51ae3cad7433839409223d74ea30ee2f3c2a731a94cae642c616e256154a2f5f585c8904a2c4bb9233c679558ed942fe319fd
-  data.tar.gz: f00070bbbcd743d96acea7052edae32162a6450465fdeb319bc332a4bd38984fd2a4929e8c903197e748846b88bc6da0bd70e2c4377af722768de7e27a22b89c
+  metadata.gz: 9ec764417ad5ce529fae525c381d4d8cc0a201ef3ca7637702a1f2562606bf43ac4e9896a3649b88087c01dea10248f0d6d339a01559248c62ebf75b28fbb83d
+  data.tar.gz: 514767e299520918851cb034c80a9765ade6f230488a9c278ffff02cca9e9c9610a459e1d6ce8dafd4f87fbac9696c2efb816defb5c9b31ca784436bef481b16

data/Makefile

@@ -411,7 +411,7 @@ Q = @
 endif
 
 CORE_VERSION = 36.0.0
-CPP_VERSION = 1.59.2
+CPP_VERSION = 1.59.5
 
 CPPFLAGS_NO_ARCH += $(addprefix -I, $(INCLUDES)) $(addprefix -D, $(DEFINES))
 CPPFLAGS += $(CPPFLAGS_NO_ARCH) $(ARCH_FLAGS)
@@ -1482,11 +1482,13 @@ LIBGRPC_SRC = \
     src/core/lib/experiments/experiments.cc \
     src/core/lib/gprpp/load_file.cc \
     src/core/lib/gprpp/per_cpu.cc \
+    src/core/lib/gprpp/posix/directory_reader.cc \
     src/core/lib/gprpp/ref_counted_string.cc \
     src/core/lib/gprpp/status_helper.cc \
     src/core/lib/gprpp/time.cc \
     src/core/lib/gprpp/time_averaged_stats.cc \
     src/core/lib/gprpp/validation_errors.cc \
+    src/core/lib/gprpp/windows/directory_reader.cc \
     src/core/lib/gprpp/work_serializer.cc \
     src/core/lib/handshaker/proxy_mapper_registry.cc \
     src/core/lib/http/format_request.cc \
@@ -1636,6 +1638,7 @@ LIBGRPC_SRC = \
     src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc \
     src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.cc \
     src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc \
+    src/core/lib/security/credentials/tls/grpc_tls_crl_provider.cc \
     src/core/lib/security/credentials/tls/tls_credentials.cc \
     src/core/lib/security/credentials/tls/tls_utils.cc \
     src/core/lib/security/credentials/xds/xds_credentials.cc \
@@ -1750,6 +1753,7 @@ PUBLIC_HEADERS_C += \
     include/grpc/fork.h \
     include/grpc/grpc.h \
     include/grpc/grpc_audit_logging.h \
+    include/grpc/grpc_crl_provider.h \
     include/grpc/grpc_posix.h \
     include/grpc/grpc_security.h \
     include/grpc/grpc_security_constants.h \
@@ -2266,6 +2270,7 @@ PUBLIC_HEADERS_C += \
     include/grpc/fork.h \
     include/grpc/grpc.h \
     include/grpc/grpc_audit_logging.h \
+    include/grpc/grpc_crl_provider.h \
     include/grpc/grpc_posix.h \
     include/grpc/grpc_security.h \
     include/grpc/grpc_security_constants.h \
@@ -3656,6 +3661,8 @@ src/core/ext/xds/xds_route_config.cc: $(OPENSSL_DEP)
 src/core/ext/xds/xds_routing.cc: $(OPENSSL_DEP)
 src/core/ext/xds/xds_server_config_fetcher.cc: $(OPENSSL_DEP)
 src/core/ext/xds/xds_transport_grpc.cc: $(OPENSSL_DEP)
+src/core/lib/gprpp/posix/directory_reader.cc: $(OPENSSL_DEP)
+src/core/lib/gprpp/windows/directory_reader.cc: $(OPENSSL_DEP)
 src/core/lib/http/httpcli_security_connector.cc: $(OPENSSL_DEP)
 src/core/lib/json/json_util.cc: $(OPENSSL_DEP)
 src/core/lib/matchers/matchers.cc: $(OPENSSL_DEP)
@@ -3685,6 +3692,7 @@ src/core/lib/security/credentials/tls/grpc_tls_certificate_match.cc: $(OPENSSL_D
 src/core/lib/security/credentials/tls/grpc_tls_certificate_provider.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/tls/grpc_tls_certificate_verifier.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc: $(OPENSSL_DEP)
+src/core/lib/security/credentials/tls/grpc_tls_crl_provider.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/tls/tls_credentials.cc: $(OPENSSL_DEP)
 src/core/lib/security/credentials/xds/xds_credentials.cc: $(OPENSSL_DEP)
 src/core/lib/security/security_connector/alts/alts_security_connector.cc: $(OPENSSL_DEP)

data/include/grpc/grpc_crl_provider.h

@@ -0,0 +1,94 @@
+//
+//
+// Copyright 2023 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#ifndef GRPC_GRPC_CRL_PROVIDER_H
+#define GRPC_GRPC_CRL_PROVIDER_H
+
+#include <grpc/support/port_platform.h>
+
+#include <memory>
+#include <string>
+
+#include "absl/status/statusor.h"
+#include "absl/strings/string_view.h"
+
+#include <grpc/grpc_security.h>
+
+namespace grpc_core {
+namespace experimental {
+
+// Opaque representation of a CRL. Must be thread safe.
+class Crl {
+ public:
+  static absl::StatusOr<std::unique_ptr<Crl>> Parse(
+      absl::string_view crl_string);
+  virtual ~Crl() = default;
+  virtual absl::string_view Issuer() = 0;
+};
+
+// Information about a certificate to be used to fetch its associated CRL. Must
+// be thread safe.
+class CertificateInfo {
+ public:
+  virtual ~CertificateInfo() = default;
+  virtual absl::string_view Issuer() const = 0;
+};
+
+// The base class for CRL Provider implementations.
+// CrlProviders can be passed in as a way to supply CRLs during handshakes.
+// CrlProviders must be thread safe. They are on the critical path of gRPC
+// creating a connection and doing a handshake, so the implementation of
+// `GetCrl` should be very fast. It is suggested to have an in-memory map of
+// CRLs for quick lookup and return, and doing expensive updates to this map
+// asynchronously.
+class CrlProvider {
+ public:
+  virtual ~CrlProvider() = default;
+  // Get the CRL associated with a certificate. Read-only.
+  virtual std::shared_ptr<Crl> GetCrl(
+      const CertificateInfo& certificate_info) = 0;
+};
+
+absl::StatusOr<std::shared_ptr<CrlProvider>> CreateStaticCrlProvider(
+    absl::Span<const std::string> crls);
+
+// Creates a CRL Provider that periodically and asynchronously reloads a
+// directory. The refresh_duration minimum is 60 seconds. The
+// reload_error_callback provides a way for the user to specifically log or
+// otherwise notify of errors during reloading. Since reloading is asynchronous
+// and not on the main codepath, the grpc process will continue to run through
+// reloading errors, so this mechanism is an important way to provide signals to
+// your monitoring and alerting setup.
+absl::StatusOr<std::shared_ptr<CrlProvider>> CreateDirectoryReloaderCrlProvider(
+    absl::string_view directory, std::chrono::seconds refresh_duration,
+    std::function<void(absl::Status)> reload_error_callback);
+
+}  // namespace experimental
+}  // namespace grpc_core
+
+// TODO(gtcooke94) - Mark with api macro when all wrapped langauges support C++
+// in core APIs
+/**
+ * EXPERIMENTAL API - Subject to change
+ *
+ * Sets the crl provider in the options.
+ */
+void grpc_tls_credentials_options_set_crl_provider(
+    grpc_tls_credentials_options* options,
+    std::shared_ptr<grpc_core::experimental::CrlProvider> provider);
+#endif /* GRPC_GRPC_CRL_PROVIDER_H */

data/include/grpc/grpc_security.h

@@ -815,6 +815,24 @@ GRPCAPI void grpc_tls_certificate_provider_release(
  */
 GRPCAPI grpc_tls_credentials_options* grpc_tls_credentials_options_create(void);
 
+/**
+ * EXPERIMENTAL API - Subject to change
+ *
+ * Sets the minimum TLS version that will be negotiated during the TLS
+ * handshake. If not set, the underlying SSL library will set it to TLS v1.2.
+ */
+GRPCAPI void grpc_tls_credentials_options_set_min_tls_version(
+    grpc_tls_credentials_options* options, grpc_tls_version min_tls_version);
+
+/**
+ * EXPERIMENTAL API - Subject to change
+ *
+ * Sets the maximum TLS version that will be negotiated during the TLS
+ * handshake. If not set, the underlying SSL library will set it to TLS v1.3.
+ */
+GRPCAPI void grpc_tls_credentials_options_set_max_tls_version(
+    grpc_tls_credentials_options* options, grpc_tls_version max_tls_version);
+
 /**
  * EXPERIMENTAL API - Subject to change
  *

data/include/grpc/module.modulemap

@@ -9,6 +9,7 @@ header "byte_buffer.h"
   header "fork.h"
   header "grpc.h"
   header "grpc_audit_logging.h"
+  header "grpc_crl_provider.h"
   header "grpc_posix.h"
   header "grpc_security.h"
   header "grpc_security_constants.h"

data/src/core/ext/transport/chttp2/transport/hpack_parser.cc

@@ -91,12 +91,14 @@ constexpr Base64InverseTable kBase64InverseTable;
 class HPackParser::Input {
  public:
   Input(grpc_slice_refcount* current_slice_refcount, const uint8_t* begin,
-        const uint8_t* end, absl::BitGenRef bitsrc, HpackParseResult& error)
+        const uint8_t* end, absl::BitGenRef bitsrc,
+        HpackParseResult& frame_error, HpackParseResult& field_error)
       : current_slice_refcount_(current_slice_refcount),
         begin_(begin),
         end_(end),
         frontier_(begin),
-        error_(error),
+        frame_error_(frame_error),
+        field_error_(field_error),
         bitsrc_(bitsrc) {}
 
   // If input is backed by a slice, retrieve its refcount. If not, return
@@ -215,14 +217,18 @@ class HPackParser::Input {
 
   // Check if we saw an EOF
   bool eof_error() const {
-    return min_progress_size_ != 0 || error_.connection_error();
+    return min_progress_size_ != 0 || frame_error_.connection_error();
+  }
+
+  // Reset the field error to be ok
+  void ClearFieldError() {
+    if (field_error_.ok()) return;
+    field_error_ = HpackParseResult();
   }
 
   // Minimum number of bytes to unstuck the current parse
   size_t min_progress_size() const { return min_progress_size_; }
 
-  bool has_error() const { return !error_.ok(); }
-
   // Set the current error - tweaks the error to include a stream id so that
   // chttp2 does not close the connection.
   // Intended for errors that are specific to a stream and recoverable.
@@ -246,10 +252,7 @@ class HPackParser::Input {
   // read prior to being able to get further in this parse.
   void UnexpectedEOF(size_t min_progress_size) {
     GPR_ASSERT(min_progress_size > 0);
-    if (min_progress_size_ != 0 || error_.connection_error()) {
-      GPR_DEBUG_ASSERT(eof_error());
-      return;
-    }
+    if (eof_error()) return;
     // Set min progress size, taking into account bytes parsed already but not
     // consumed.
     min_progress_size_ = min_progress_size + (begin_ - frontier_);
@@ -302,13 +305,18 @@ class HPackParser::Input {
   // Do not use this directly, instead use SetErrorAndContinueParsing or
   // SetErrorAndStopParsing.
   void SetError(HpackParseResult error) {
-    if (!error_.ok() || min_progress_size_ > 0) {
-      if (error.connection_error() && !error_.connection_error()) {
-        error_ = std::move(error);  // connection errors dominate
+    SetErrorFor(frame_error_, error);
+    SetErrorFor(field_error_, std::move(error));
+  }
+
+  void SetErrorFor(HpackParseResult& error, HpackParseResult new_error) {
+    if (!error.ok() || min_progress_size_ > 0) {
+      if (new_error.connection_error() && !error.connection_error()) {
+        error = std::move(new_error);  // connection errors dominate
       }
       return;
     }
-    error_ = std::move(error);
+    error = std::move(new_error);
   }
 
   // Refcount if we are backed by a slice
@@ -320,7 +328,8 @@ class HPackParser::Input {
   // Frontier denotes the first byte past successfully processed input
   const uint8_t* frontier_;
   // Current error
-  HpackParseResult& error_;
+  HpackParseResult& frame_error_;
+  HpackParseResult& field_error_;
   // If the error was EOF, we flag it here by noting how many more bytes would
   // be needed to make progress
   size_t min_progress_size_ = 0;
@@ -597,6 +606,7 @@ class HPackParser::Parser {
   bool ParseTop() {
     GPR_DEBUG_ASSERT(state_.parse_state == ParseState::kTop);
     auto cur = *input_->Next();
+    input_->ClearFieldError();
     switch (cur >> 4) {
         // Literal header not indexed - First byte format: 0000xxxx
         // Literal header never indexed - First byte format: 0001xxxx
@@ -702,7 +712,7 @@ class HPackParser::Parser {
         break;
     }
     gpr_log(
-        GPR_DEBUG, "HTTP:%d:%s:%s: %s%s", log_info_.stream_id, type,
+        GPR_INFO, "HTTP:%d:%s:%s: %s%s", log_info_.stream_id, type,
         log_info_.is_client ? "CLI" : "SVR", memento.md.DebugString().c_str(),
         memento.parse_status == nullptr
             ? ""
@@ -951,11 +961,10 @@ class HPackParser::Parser {
                                   state_.string_length)
             : String::Parse(input_, state_.is_string_huff_compressed,
                             state_.string_length);
-    HpackParseResult& status = state_.frame_error;
     absl::string_view key_string;
     if (auto* s = absl::get_if<Slice>(&state_.key)) {
       key_string = s->as_string_view();
-      if (status.ok()) {
+      if (state_.field_error.ok()) {
         auto r = ValidateKey(key_string);
         if (r != ValidateMetadataResult::kOk) {
           input_->SetErrorAndContinueParsing(
@@ -965,7 +974,7 @@ class HPackParser::Parser {
     } else {
       const auto* memento = absl::get<const HPackTable::Memento*>(state_.key);
       key_string = memento->md.key();
-      if (status.ok() && memento->parse_status != nullptr) {
+      if (state_.field_error.ok() && memento->parse_status != nullptr) {
         input_->SetErrorAndContinueParsing(*memento->parse_status);
       }
     }
@@ -992,16 +1001,16 @@ class HPackParser::Parser {
         key_string.size() + value.wire_size + hpack_constants::kEntryOverhead;
     auto md = grpc_metadata_batch::Parse(
         key_string, std::move(value_slice), state_.add_to_table, transport_size,
-        [key_string, &status, this](absl::string_view message, const Slice&) {
-          if (!status.ok()) return;
+        [key_string, this](absl::string_view message, const Slice&) {
+          if (!state_.field_error.ok()) return;
           input_->SetErrorAndContinueParsing(
               HpackParseResult::MetadataParseError(key_string));
           gpr_log(GPR_ERROR, "Error parsing '%s' metadata: %s",
                   std::string(key_string).c_str(),
                   std::string(message).c_str());
         });
-    HPackTable::Memento memento{std::move(md),
-                                status.PersistentStreamErrorOrNullptr()};
+    HPackTable::Memento memento{
+        std::move(md), state_.field_error.PersistentStreamErrorOrNullptr()};
     input_->UpdateFrontier();
     state_.parse_state = ParseState::kTop;
     if (state_.add_to_table) {
@@ -1163,13 +1172,13 @@ grpc_error_handle HPackParser::Parse(
     std::vector<uint8_t> buffer = std::move(unparsed_bytes_);
     return ParseInput(
         Input(nullptr, buffer.data(), buffer.data() + buffer.size(), bitsrc,
-              state_.frame_error),
+              state_.frame_error, state_.field_error),
         is_last, call_tracer);
   }
-  return ParseInput(
-      Input(slice.refcount, GRPC_SLICE_START_PTR(slice),
-            GRPC_SLICE_END_PTR(slice), bitsrc, state_.frame_error),
-      is_last, call_tracer);
+  return ParseInput(Input(slice.refcount, GRPC_SLICE_START_PTR(slice),
+                          GRPC_SLICE_END_PTR(slice), bitsrc, state_.frame_error,
+                          state_.field_error),
+                    is_last, call_tracer);
 }
 
 grpc_error_handle HPackParser::ParseInput(

data/src/core/ext/transport/chttp2/transport/hpack_parser.h

@@ -236,6 +236,8 @@ class HPackParser {
     HPackTable hpack_table;
     // Error so far for this frame (set by class Input)
     HpackParseResult frame_error;
+    // Error so far for this field (set by class Input)
+    HpackParseResult field_error;
     // Length of frame so far.
     uint32_t frame_length = 0;
     // Length of the string being parsed

data/src/core/ext/transport/chttp2/transport/ping_rate_policy.cc

@@ -68,7 +68,8 @@ Chttp2PingRatePolicy::RequestSendPing(Duration next_allowed_ping_interval,
   if (max_pings_without_data_ != 0 && pings_before_data_required_ == 0) {
     return TooManyRecentPings{};
   }
-  if (max_inflight_pings_ != 0 && inflight_pings > max_inflight_pings_) {
+  if (max_inflight_pings_ != 0 &&
+      inflight_pings > static_cast<size_t>(max_inflight_pings_)) {
     return TooManyRecentPings{};
   }
   const Timestamp next_allowed_ping =

data/src/core/lib/gprpp/directory_reader.h

@@ -0,0 +1,48 @@
+//
+//
+// Copyright 2023 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#ifndef GRPC_SRC_CORE_LIB_GPRPP_DIRECTORY_READER_H
+#define GRPC_SRC_CORE_LIB_GPRPP_DIRECTORY_READER_H
+
+#include <grpc/support/port_platform.h>
+
+#include <memory>
+
+#include "absl/functional/function_ref.h"
+#include "absl/status/status.h"
+#include "absl/strings/string_view.h"
+
+namespace grpc_core {
+
+class DirectoryReader {
+ public:
+  virtual ~DirectoryReader() = default;
+  // Returns the name of the directory being read.
+  virtual absl::string_view Name() const = 0;
+  // Calls callback for each name in the directory except for "." and "..".
+  // Returns non-OK if there was an error reading the directory.
+  virtual absl::Status ForEach(
+      absl::FunctionRef<void(absl::string_view)> callback) = 0;
+};
+
+std::unique_ptr<DirectoryReader> MakeDirectoryReader(
+    absl::string_view filename);
+
+}  // namespace grpc_core
+
+#endif  // GRPC_SRC_CORE_LIB_GPRPP_DIRECTORY_READER_H

data/src/core/lib/gprpp/posix/directory_reader.cc

@@ -0,0 +1,82 @@
+//
+//
+// Copyright 2023 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#include <grpc/support/port_platform.h>
+
+#include <memory>
+
+#include "absl/functional/function_ref.h"
+#include "absl/status/status.h"
+#include "absl/strings/string_view.h"
+
+#if defined(GPR_LINUX) || defined(GPR_ANDROID) || defined(GPR_FREEBSD) || \
+    defined(GPR_APPLE)
+
+#include <dirent.h>
+
+#include <string>
+
+#include "src/core/lib/gprpp/directory_reader.h"
+
+namespace grpc_core {
+
+namespace {
+const char kSkipEntriesSelf[] = ".";
+const char kSkipEntriesParent[] = "..";
+}  // namespace
+
+class DirectoryReaderImpl : public DirectoryReader {
+ public:
+  explicit DirectoryReaderImpl(absl::string_view directory_path)
+      : directory_path_(directory_path) {}
+  absl::string_view Name() const override { return directory_path_; }
+  absl::Status ForEach(absl::FunctionRef<void(absl::string_view)>) override;
+
+ private:
+  const std::string directory_path_;
+};
+
+std::unique_ptr<DirectoryReader> MakeDirectoryReader(
+    absl::string_view filename) {
+  return std::make_unique<DirectoryReaderImpl>(filename);
+}
+
+absl::Status DirectoryReaderImpl::ForEach(
+    absl::FunctionRef<void(absl::string_view)> callback) {
+  // Open the dir for reading
+  DIR* directory = opendir(directory_path_.c_str());
+  if (directory == nullptr) {
+    return absl::InternalError("Could not read crl directory.");
+  }
+  struct dirent* directory_entry;
+  // Iterate over everything in the directory
+  while ((directory_entry = readdir(directory)) != nullptr) {
+    const absl::string_view file_name = directory_entry->d_name;
+    // Skip "." and ".."
+    if (file_name == kSkipEntriesParent || file_name == kSkipEntriesSelf) {
+      continue;
+    }
+    // Call the callback with this filename
+    callback(file_name);
+  }
+  closedir(directory);
+  return absl::OkStatus();
+}
+}  // namespace grpc_core
+
+#endif  // GPR_LINUX || GPR_ANDROID || GPR_FREEBSD || GPR_APPLE

data/src/core/lib/gprpp/windows/directory_reader.cc

@@ -0,0 +1,80 @@
+//
+//
+// Copyright 2023 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#include <grpc/support/port_platform.h>
+
+#if defined(GPR_WINDOWS)
+
+#include <sys/stat.h>
+#include <windows.h>
+
+#include <string>
+#include <vector>
+
+#include "absl/status/statusor.h"
+#include "absl/strings/string_view.h"
+
+#include <grpc/support/log.h>
+
+#include "src/core/lib/gprpp/directory_reader.h"
+namespace grpc_core {
+
+namespace {
+const char kSkipEntriesSelf[] = ".";
+const char kSkipEntriesParent[] = "..";
+}  // namespace
+
+class DirectoryReaderImpl : public DirectoryReader {
+ public:
+  explicit DirectoryReaderImpl(absl::string_view directory_path)
+      : directory_path_(directory_path) {}
+  absl::string_view Name() const override { return directory_path_; }
+  absl::Status ForEach(absl::FunctionRef<void(absl::string_view)>) override;
+
+ private:
+  const std::string directory_path_;
+};
+
+std::unique_ptr<DirectoryReader> MakeDirectoryReader(
+    absl::string_view filename) {
+  return std::make_unique<DirectoryReaderImpl>(filename);
+}
+
+// Reference for reading directory in Windows:
+// https://stackoverflow.com/questions/612097/how-can-i-get-the-list-of-files-in-a-directory-using-c-or-c
+// https://learn.microsoft.com/en-us/windows/win32/fileio/listing-the-files-in-a-directory
+absl::Status DirectoryReaderImpl::ForEach(
+    absl::FunctionRef<void(absl::string_view)> callback) {
+  std::string search_path = absl::StrCat(directory_path_, "/*");
+  WIN32_FIND_DATAA find_data;
+  HANDLE hFind = ::FindFirstFileA(search_path.c_str(), &find_data);
+  if (hFind == INVALID_HANDLE_VALUE) {
+    return absl::InternalError("Could not read crl directory.");
+  }
+  do {
+    if (!(find_data.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY)) {
+      callback(find_data.cFileName);
+    }
+  } while (::FindNextFileA(hFind, &find_data));
+  ::FindClose(hFind);
+  return absl::OkStatus();
+}
+
+}  // namespace grpc_core
+
+#endif  // GPR_WINDOWS

data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc

@@ -20,6 +20,9 @@
 
 #include "src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h"
 
+#include <memory>
+
+#include <grpc/grpc_crl_provider.h>
 #include <grpc/support/log.h>
 
 #include "src/core/lib/debug/trace.h"
@@ -128,3 +131,22 @@ void grpc_tls_credentials_options_set_send_client_ca_list(
   }
   options->set_send_client_ca_list(send_client_ca_list);
 }
+
+void grpc_tls_credentials_options_set_crl_provider(
+    grpc_tls_credentials_options* options,
+    std::shared_ptr<grpc_core::experimental::CrlProvider> provider) {
+  GPR_ASSERT(options != nullptr);
+  options->set_crl_provider(std::move(provider));
+}
+
+void grpc_tls_credentials_options_set_min_tls_version(
+    grpc_tls_credentials_options* options, grpc_tls_version min_tls_version) {
+  GPR_ASSERT(options != nullptr);
+  options->set_min_tls_version(min_tls_version);
+}
+
+void grpc_tls_credentials_options_set_max_tls_version(
+    grpc_tls_credentials_options* options, grpc_tls_version max_tls_version) {
+  GPR_ASSERT(options != nullptr);
+  options->set_max_tls_version(max_tls_version);
+}

data/src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h

@@ -61,6 +61,8 @@ struct grpc_tls_credentials_options
   const std::string& identity_cert_name() const { return identity_cert_name_; }
   const std::string& tls_session_key_log_file_path() const { return tls_session_key_log_file_path_; }
   const std::string& crl_directory() const { return crl_directory_; }
+  // Returns the CRL Provider
+  std::shared_ptr<grpc_core::experimental::CrlProvider> crl_provider() const { return crl_provider_; }
   bool send_client_ca_list() const { return send_client_ca_list_; }
 
   // Setters for member fields.
@@ -82,6 +84,7 @@ struct grpc_tls_credentials_options
   void set_tls_session_key_log_file_path(std::string tls_session_key_log_file_path) { tls_session_key_log_file_path_ = std::move(tls_session_key_log_file_path); }
   //  gRPC will enforce CRLs on all handshakes from all hashed CRL files inside of the crl_directory. If not set, an empty string will be used, which will not enable CRL checking. Only supported for OpenSSL version > 1.1.
   void set_crl_directory(std::string crl_directory) { crl_directory_ = std::move(crl_directory); }
+  void set_crl_provider(std::shared_ptr<grpc_core::experimental::CrlProvider> crl_provider) { crl_provider_ = std::move(crl_provider); }
   void set_send_client_ca_list(bool send_client_ca_list) { send_client_ca_list_ = send_client_ca_list; }
 
   bool operator==(const grpc_tls_credentials_options& other) const {
@@ -98,6 +101,7 @@ struct grpc_tls_credentials_options
       identity_cert_name_ == other.identity_cert_name_ &&
       tls_session_key_log_file_path_ == other.tls_session_key_log_file_path_ &&
       crl_directory_ == other.crl_directory_ &&
+      (crl_provider_ == other.crl_provider_) &&
       send_client_ca_list_ == other.send_client_ca_list_;
   }
 
@@ -115,6 +119,7 @@ struct grpc_tls_credentials_options
   std::string identity_cert_name_;
   std::string tls_session_key_log_file_path_;
   std::string crl_directory_;
+  std::shared_ptr<grpc_core::experimental::CrlProvider> crl_provider_;
   bool send_client_ca_list_ = false;
 };