grpc 1.63.0 → 1.65.2

data/src/core/tsi/ssl_transport_security.cc

@@ -16,13 +16,15 @@
 //
 //
 
-#include <grpc/support/port_platform.h>
-
 #include "src/core/tsi/ssl_transport_security.h"
 
 #include <limits.h>
 #include <string.h>
 
+#include <grpc/support/port_platform.h>
+
+#include "src/core/tsi/transport_security_interface.h"
+
 // TODO(jboeuf): refactor inet_ntop into a portability header.
 // Note: for whomever reads this and tries to refactor this, this
 // can't be in grpc, it has to be in gpr.
@@ -45,6 +47,8 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "absl/log/check.h"
+#include "absl/log/log.h"
 #include "absl/strings/match.h"
 #include "absl/strings/str_cat.h"
 #include "absl/strings/string_view.h"
@@ -52,12 +56,10 @@
 #include <grpc/grpc_crl_provider.h>
 #include <grpc/grpc_security.h>
 #include <grpc/support/alloc.h>
-#include <grpc/support/log.h>
 #include <grpc/support/string_util.h>
 #include <grpc/support/sync.h>
 #include <grpc/support/thd_id.h>
 
-#include "src/core/lib/gpr/useful.h"
 #include "src/core/lib/gprpp/crash.h"
 #include "src/core/lib/security/credentials/tls/grpc_tls_crl_provider.h"
 #include "src/core/tsi/ssl/key_logging/ssl_key_logging.h"
@@ -65,6 +67,7 @@
 #include "src/core/tsi/ssl_transport_security_utils.h"
 #include "src/core/tsi/ssl_types.h"
 #include "src/core/tsi/transport_security.h"
+#include "src/core/util/useful.h"
 
 // --- Constants. ---
 
@@ -194,7 +197,7 @@ static void init_openssl(void) {
 #if OPENSSL_VERSION_NUMBER < 0x10100000
   if (!CRYPTO_get_locking_callback()) {
     int num_locks = CRYPTO_num_locks();
-    GPR_ASSERT(num_locks > 0);
+    CHECK_GT(num_locks, 0);
     g_openssl_mutexes = static_cast<gpr_mu*>(
         gpr_malloc(static_cast<size_t>(num_locks) * sizeof(gpr_mu)));
     for (int i = 0; i < num_locks; i++) {
@@ -203,20 +206,20 @@ static void init_openssl(void) {
     CRYPTO_set_locking_callback(openssl_locking_cb);
     CRYPTO_set_id_callback(openssl_thread_id_cb);
   } else {
-    gpr_log(GPR_INFO, "OpenSSL callback has already been set.");
+    LOG(INFO) << "OpenSSL callback has already been set.";
   }
 #endif
   g_ssl_ctx_ex_factory_index =
       SSL_CTX_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr);
-  GPR_ASSERT(g_ssl_ctx_ex_factory_index != -1);
+  CHECK_NE(g_ssl_ctx_ex_factory_index, -1);
 
   g_ssl_ctx_ex_crl_provider_index =
       SSL_CTX_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr);
-  GPR_ASSERT(g_ssl_ctx_ex_crl_provider_index != -1);
+  CHECK_NE(g_ssl_ctx_ex_crl_provider_index, -1);
 
   g_ssl_ex_verified_root_cert_index = SSL_get_ex_new_index(
       0, nullptr, nullptr, nullptr, verified_root_cert_free);
-  GPR_ASSERT(g_ssl_ex_verified_root_cert_index != -1);
+  CHECK_NE(g_ssl_ex_verified_root_cert_index, -1);
 }
 
 // --- Ssl utils. ---
@@ -224,7 +227,7 @@ static void init_openssl(void) {
 // TODO(jboeuf): Remove when we are past the debugging phase with this code.
 static void ssl_log_where_info(const SSL* ssl, int where, int flag,
                                const char* msg) {
-  if ((where & flag) && GRPC_TRACE_FLAG_ENABLED(tsi_tracing_enabled)) {
+  if ((where & flag) && GRPC_TRACE_FLAG_ENABLED(tsi)) {
     gpr_log(GPR_INFO, "%20.20s - %30.30s  - %5.10s", msg,
             SSL_state_string_long(ssl), SSL_state_string(ssl));
   }
@@ -233,7 +236,7 @@ static void ssl_log_where_info(const SSL* ssl, int where, int flag,
 // Used for debugging. TODO(jboeuf): Remove when code is mature enough.
 static void ssl_info_callback(const SSL* ssl, int where, int ret) {
   if (ret == 0) {
-    gpr_log(GPR_ERROR, "ssl_info_callback: error occurred.\n");
+    LOG(ERROR) << "ssl_info_callback: error occurred.\n";
     return;
   }
 
@@ -276,30 +279,28 @@ static tsi_result ssl_get_x509_common_name(X509* cert, unsigned char** utf8,
   X509_NAME* subject_name = X509_get_subject_name(cert);
   int utf8_returned_size = 0;
   if (subject_name == nullptr) {
-    gpr_log(GPR_DEBUG, "Could not get subject name from certificate.");
+    VLOG(2) << "Could not get subject name from certificate.";
     return TSI_NOT_FOUND;
   }
   common_name_index =
       X509_NAME_get_index_by_NID(subject_name, NID_commonName, -1);
   if (common_name_index == -1) {
-    gpr_log(GPR_DEBUG,
-            "Could not get common name of subject from certificate.");
+    VLOG(2) << "Could not get common name of subject from certificate.";
     return TSI_NOT_FOUND;
   }
   common_name_entry = X509_NAME_get_entry(subject_name, common_name_index);
   if (common_name_entry == nullptr) {
-    gpr_log(GPR_ERROR, "Could not get common name entry from certificate.");
+    LOG(ERROR) << "Could not get common name entry from certificate.";
     return TSI_INTERNAL_ERROR;
   }
   common_name_asn1 = X509_NAME_ENTRY_get_data(common_name_entry);
   if (common_name_asn1 == nullptr) {
-    gpr_log(GPR_ERROR,
-            "Could not get common name entry asn1 from certificate.");
+    LOG(ERROR) << "Could not get common name entry asn1 from certificate.";
     return TSI_INTERNAL_ERROR;
   }
   utf8_returned_size = ASN1_STRING_to_UTF8(utf8, common_name_asn1);
   if (utf8_returned_size < 0) {
-    gpr_log(GPR_ERROR, "Could not extract utf8 from asn1 string.");
+    LOG(ERROR) << "Could not extract utf8 from asn1 string.";
     return TSI_OUT_OF_RESOURCES;
   }
   *utf8_size = static_cast<size_t>(utf8_returned_size);
@@ -335,7 +336,7 @@ static tsi_result peer_property_from_x509_subject(X509* cert,
                                                   bool is_verified_root_cert) {
   X509_NAME* subject_name = X509_get_subject_name(cert);
   if (subject_name == nullptr) {
-    gpr_log(GPR_INFO, "Could not get subject name from certificate.");
+    LOG(INFO) << "Could not get subject name from certificate.";
     return TSI_NOT_FOUND;
   }
   BIO* bio = BIO_new(BIO_s_mem());
@@ -343,7 +344,7 @@ static tsi_result peer_property_from_x509_subject(X509* cert,
   char* contents;
   long len = BIO_get_mem_data(bio, &contents);
   if (len < 0) {
-    gpr_log(GPR_ERROR, "Could not get subject entry from certificate.");
+    LOG(ERROR) << "Could not get subject entry from certificate.";
     BIO_free(bio);
     return TSI_INTERNAL_ERROR;
   }
@@ -408,7 +409,7 @@ static tsi_result add_subject_alt_names_properties_to_peer(
         property_name = TSI_X509_URI_PEER_PROPERTY;
       }
       if (name_size < 0) {
-        gpr_log(GPR_ERROR, "Could not get utf8 from asn1 string.");
+        LOG(ERROR) << "Could not get utf8 from asn1 string.";
         result = TSI_INTERNAL_ERROR;
         break;
       }
@@ -434,14 +435,14 @@ static tsi_result add_subject_alt_names_properties_to_peer(
       } else if (subject_alt_name->d.iPAddress->length == 16) {
         af = AF_INET6;
       } else {
-        gpr_log(GPR_ERROR, "SAN IP Address contained invalid IP");
+        LOG(ERROR) << "SAN IP Address contained invalid IP";
         result = TSI_INTERNAL_ERROR;
         break;
       }
       const char* name = inet_ntop(af, subject_alt_name->d.iPAddress->data,
                                    ntop_buf, INET6_ADDRSTRLEN);
       if (name == nullptr) {
-        gpr_log(GPR_ERROR, "Could not get IP string from asn1 octet.");
+        LOG(ERROR) << "Could not get IP string from asn1 octet.";
         result = TSI_INTERNAL_ERROR;
         break;
       }
@@ -475,7 +476,7 @@ static tsi_result peer_from_x509(X509* cert, int include_certificate_type,
           : 0;
   size_t property_count;
   tsi_result result;
-  GPR_ASSERT(subject_alt_name_count >= 0);
+  CHECK_GE(subject_alt_name_count, 0);
   property_count = (include_certificate_type ? size_t{1} : 0) +
                    3 /* subject, common name, certificate */ +
                    static_cast<size_t>(subject_alt_name_count);
@@ -530,7 +531,7 @@ static tsi_result peer_from_x509(X509* cert, int include_certificate_type,
   }
   if (result != TSI_OK) tsi_peer_destruct(peer);
 
-  GPR_ASSERT((int)peer->property_count == current_insert_index);
+  CHECK((int)peer->property_count == current_insert_index);
   return result;
 }
 
@@ -541,7 +542,7 @@ static tsi_result ssl_ctx_use_certificate_chain(SSL_CTX* context,
   tsi_result result = TSI_OK;
   X509* certificate = nullptr;
   BIO* pem;
-  GPR_ASSERT(pem_cert_chain_size <= INT_MAX);
+  CHECK_LE(pem_cert_chain_size, static_cast<size_t>(INT_MAX));
   pem = BIO_new_mem_buf(pem_cert_chain, static_cast<int>(pem_cert_chain_size));
   if (pem == nullptr) return TSI_OUT_OF_RESOURCES;
 
@@ -604,7 +605,7 @@ static tsi_result ssl_ctx_use_engine_private_key(SSL_CTX* context,
     }
     engine_name = static_cast<char*>(gpr_zalloc(engine_name_length + 1));
     memcpy(engine_name, engine_start, engine_name_length);
-    gpr_log(GPR_DEBUG, "ENGINE key: %s", engine_name);
+    VLOG(2) << "ENGINE key: " << engine_name;
     ENGINE_load_dynamic();
     engine = ENGINE_by_id(engine_name);
     if (engine == nullptr) {
@@ -612,7 +613,7 @@ static tsi_result ssl_ctx_use_engine_private_key(SSL_CTX* context,
       // current working directory.
       engine = ENGINE_by_id("dynamic");
       if (engine == nullptr) {
-        gpr_log(GPR_ERROR, "Cannot load dynamic engine");
+        LOG(ERROR) << "Cannot load dynamic engine";
         result = TSI_INVALID_ARGUMENT;
         break;
       }
@@ -621,29 +622,29 @@ static tsi_result ssl_ctx_use_engine_private_key(SSL_CTX* context,
           !ENGINE_ctrl_cmd_string(engine, "DIR_ADD", ".", 0) ||
           !ENGINE_ctrl_cmd_string(engine, "LIST_ADD", "1", 0) ||
           !ENGINE_ctrl_cmd_string(engine, "LOAD", NULL, 0)) {
-        gpr_log(GPR_ERROR, "Cannot find engine");
+        LOG(ERROR) << "Cannot find engine";
         result = TSI_INVALID_ARGUMENT;
         break;
       }
     }
     if (!ENGINE_set_default(engine, ENGINE_METHOD_ALL)) {
-      gpr_log(GPR_ERROR, "ENGINE_set_default with ENGINE_METHOD_ALL failed");
+      LOG(ERROR) << "ENGINE_set_default with ENGINE_METHOD_ALL failed";
       result = TSI_INVALID_ARGUMENT;
       break;
     }
     if (!ENGINE_init(engine)) {
-      gpr_log(GPR_ERROR, "ENGINE_init failed");
+      LOG(ERROR) << "ENGINE_init failed";
       result = TSI_INVALID_ARGUMENT;
       break;
     }
     private_key = ENGINE_load_private_key(engine, key_id, 0, 0);
     if (private_key == nullptr) {
-      gpr_log(GPR_ERROR, "ENGINE_load_private_key failed");
+      LOG(ERROR) << "ENGINE_load_private_key failed";
       result = TSI_INVALID_ARGUMENT;
       break;
     }
     if (!SSL_CTX_use_PrivateKey(context, private_key)) {
-      gpr_log(GPR_ERROR, "SSL_CTX_use_PrivateKey failed");
+      LOG(ERROR) << "SSL_CTX_use_PrivateKey failed";
       result = TSI_INVALID_ARGUMENT;
       break;
     }
@@ -661,7 +662,7 @@ static tsi_result ssl_ctx_use_pem_private_key(SSL_CTX* context,
   tsi_result result = TSI_OK;
   EVP_PKEY* private_key = nullptr;
   BIO* pem;
-  GPR_ASSERT(pem_key_size <= INT_MAX);
+  CHECK_LE(pem_key_size, static_cast<size_t>(INT_MAX));
   pem = BIO_new_mem_buf(pem_key, static_cast<int>(pem_key_size));
   if (pem == nullptr) return TSI_OUT_OF_RESOURCES;
   do {
@@ -706,7 +707,7 @@ static tsi_result x509_store_load_certs(X509_STORE* cert_store,
   X509* root = nullptr;
   X509_NAME* root_name = nullptr;
   BIO* pem;
-  GPR_ASSERT(pem_roots_size <= INT_MAX);
+  CHECK_LE(pem_roots_size, static_cast<size_t>(INT_MAX));
   pem = BIO_new_mem_buf(pem_roots, static_cast<int>(pem_roots_size));
   if (cert_store == nullptr) return TSI_INVALID_ARGUMENT;
   if (pem == nullptr) return TSI_OUT_OF_RESOURCES;
@@ -724,7 +725,7 @@ static tsi_result x509_store_load_certs(X509_STORE* cert_store,
     if (root_names != nullptr) {
       root_name = X509_get_subject_name(root);
       if (root_name == nullptr) {
-        gpr_log(GPR_ERROR, "Could not get name from root certificate.");
+        LOG(ERROR) << "Could not get name from root certificate.";
         result = TSI_INVALID_ARGUMENT;
         break;
       }
@@ -741,7 +742,7 @@ static tsi_result x509_store_load_certs(X509_STORE* cert_store,
       unsigned long error = ERR_get_error();
       if (ERR_GET_LIB(error) != ERR_LIB_X509 ||
           ERR_GET_REASON(error) != X509_R_CERT_ALREADY_IN_HASH_TABLE) {
-        gpr_log(GPR_ERROR, "Could not add root certificate to ssl context.");
+        LOG(ERROR) << "Could not add root certificate to ssl context.";
         result = TSI_INTERNAL_ERROR;
         break;
       }
@@ -750,7 +751,7 @@ static tsi_result x509_store_load_certs(X509_STORE* cert_store,
     num_roots++;
   }
   if (num_roots == 0) {
-    gpr_log(GPR_ERROR, "Could not load any root certificate.");
+    LOG(ERROR) << "Could not load any root certificate.";
     result = TSI_INVALID_ARGUMENT;
   }
 
@@ -789,7 +790,7 @@ static tsi_result populate_ssl_context(
       result = ssl_ctx_use_certificate_chain(context, key_cert_pair->cert_chain,
                                              strlen(key_cert_pair->cert_chain));
       if (result != TSI_OK) {
-        gpr_log(GPR_ERROR, "Invalid cert chain file.");
+        LOG(ERROR) << "Invalid cert chain file.";
         return result;
       }
     }
@@ -797,21 +798,21 @@ static tsi_result populate_ssl_context(
       result = ssl_ctx_use_private_key(context, key_cert_pair->private_key,
                                        strlen(key_cert_pair->private_key));
       if (result != TSI_OK || !SSL_CTX_check_private_key(context)) {
-        gpr_log(GPR_ERROR, "Invalid private key.");
+        LOG(ERROR) << "Invalid private key.";
         return result != TSI_OK ? result : TSI_INVALID_ARGUMENT;
       }
     }
   }
   if ((cipher_list != nullptr) &&
       !SSL_CTX_set_cipher_list(context, cipher_list)) {
-    gpr_log(GPR_ERROR, "Invalid cipher list: %s.", cipher_list);
+    LOG(ERROR) << "Invalid cipher list: " << cipher_list;
     return TSI_INVALID_ARGUMENT;
   }
   {
 #if OPENSSL_VERSION_NUMBER < 0x30000000L
     EC_KEY* ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
     if (!SSL_CTX_set_tmp_ecdh(context, ecdh)) {
-      gpr_log(GPR_ERROR, "Could not set ephemeral ECDH key.");
+      LOG(ERROR) << "Could not set ephemeral ECDH key.";
       EC_KEY_free(ecdh);
       return TSI_INTERNAL_ERROR;
     }
@@ -819,7 +820,7 @@ static tsi_result populate_ssl_context(
     EC_KEY_free(ecdh);
 #else
     if (!SSL_CTX_set1_groups(context, kSslEcCurveNames, 1)) {
-      gpr_log(GPR_ERROR, "Could not set ephemeral ECDH key.");
+      LOG(ERROR) << "Could not set ephemeral ECDH key.";
       return TSI_INTERNAL_ERROR;
     }
     SSL_CTX_set_options(context, SSL_OP_SINGLE_ECDH_USE);
@@ -839,7 +840,7 @@ tsi_result tsi_ssl_extract_x509_subject_names_from_pem_cert(
 
   cert = PEM_read_bio_X509(pem, nullptr, nullptr, const_cast<char*>(""));
   if (cert == nullptr) {
-    gpr_log(GPR_ERROR, "Invalid certificate");
+    LOG(ERROR) << "Invalid certificate";
     result = TSI_INVALID_ARGUMENT;
   } else {
     result = peer_from_x509(cert, 0, peer);
@@ -862,8 +863,7 @@ static tsi_result build_alpn_protocol_name_list(
     size_t length =
         alpn_protocols[i] == nullptr ? 0 : strlen(alpn_protocols[i]);
     if (length == 0 || length > 255) {
-      gpr_log(GPR_ERROR, "Invalid protocol name length: %d.",
-              static_cast<int>(length));
+      LOG(ERROR) << "Invalid protocol name length: " << length;
       return TSI_INVALID_ARGUMENT;
     }
     *protocol_name_list_length += length + 1;
@@ -892,13 +892,12 @@ static tsi_result build_alpn_protocol_name_list(
 static int verify_cb(int ok, X509_STORE_CTX* ctx) {
   int cert_error = X509_STORE_CTX_get_error(ctx);
   if (cert_error == X509_V_ERR_UNABLE_TO_GET_CRL) {
-    gpr_log(GPR_INFO,
-            "Certificate verification failed to find relevant CRL file. "
-            "Ignoring error.");
+    LOG(INFO) << "Certificate verification failed to find relevant CRL file. "
+                 "Ignoring error.";
     return 1;
   }
   if (cert_error != 0) {
-    gpr_log(GPR_ERROR, "Certificate verify failed with code %d", cert_error);
+    LOG(ERROR) << "Certificate verify failed with code " << cert_error;
   }
   return ok;
 }
@@ -942,8 +941,8 @@ static int RootCertExtractCallback(X509_STORE_CTX* ctx, void* /*arg*/) {
   if (ssl_index < 0) {
     char err_str[256];
     ERR_error_string_n(ERR_get_error(), err_str, sizeof(err_str));
-    gpr_log(GPR_ERROR,
-            "error getting the SSL index from the X509_STORE_CTX: %s", err_str);
+    LOG(ERROR) << "error getting the SSL index from the X509_STORE_CTX: "
+               << err_str;
     return ret;
   }
   SSL* ssl = static_cast<SSL*>(X509_STORE_CTX_get_ex_data(ctx, ssl_index));
@@ -961,7 +960,7 @@ static int RootCertExtractCallback(X509_STORE_CTX* ctx, void* /*arg*/) {
   int success =
       SSL_set_ex_data(ssl, g_ssl_ex_verified_root_cert_index, root_cert);
   if (success == 0) {
-    gpr_log(GPR_INFO, "Could not set verified root cert in SSL's ex_data");
+    LOG(INFO) << "Could not set verified root cert in SSL's ex_data";
   } else {
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
     X509_up_ref(root_cert);
@@ -987,8 +986,7 @@ static grpc_core::experimental::CrlProvider* GetCrlProvider(
   }
   SSL* ssl = static_cast<SSL*>(X509_STORE_CTX_get_ex_data(ctx, ssl_index));
   if (ssl == nullptr) {
-    gpr_log(GPR_INFO,
-            "error while fetching from CrlProvider. SSL object is null");
+    LOG(INFO) << "error while fetching from CrlProvider. SSL object is null";
     return nullptr;
   }
   SSL_CTX* ssl_ctx = SSL_get_SSL_CTX(ssl);
@@ -1006,13 +1004,13 @@ static absl::StatusOr<X509_CRL*> GetCrlFromProvider(
   }
   absl::StatusOr<std::string> issuer_name = grpc_core::IssuerFromCert(cert);
   if (!issuer_name.ok()) {
-    gpr_log(GPR_INFO, "Could not get certificate issuer name");
+    LOG(INFO) << "Could not get certificate issuer name";
     return absl::InvalidArgumentError(issuer_name.status().message());
   }
   absl::StatusOr<std::string> akid = grpc_core::AkidFromCertificate(cert);
   std::string akid_to_use;
   if (!akid.ok()) {
-    gpr_log(GPR_INFO, "Could not get certificate authority key identifier.");
+    LOG(INFO) << "Could not get certificate authority key identifier.";
   } else {
     akid_to_use = *akid;
   }
@@ -1045,12 +1043,12 @@ static bool ValidateCrl(X509* cert, X509* issuer, X509_CRL* crl) {
   // 6.3.3b verify issuer and scope
   valid = grpc_core::VerifyCrlCertIssuerNamesMatch(crl, cert);
   if (!valid) {
-    gpr_log(GPR_DEBUG, "CRL and cert issuer names mismatched.");
+    VLOG(2) << "CRL and cert issuer names mismatched.";
     return valid;
   }
   valid = grpc_core::HasCrlSignBit(issuer);
   if (!valid) {
-    gpr_log(GPR_DEBUG, "CRL issuer not allowed to sign CRLs.");
+    VLOG(2) << "CRL issuer not allowed to sign CRLs.";
     return valid;
   }
   // 6.3.3c Not supporting deltas
@@ -1061,7 +1059,7 @@ static bool ValidateCrl(X509* cert, X509* issuer, X509_CRL* crl) {
   // 6.3.3g Verify CRL Signature
   valid = grpc_core::VerifyCrlSignature(crl, issuer);
   if (!valid) {
-    gpr_log(GPR_DEBUG, "Crl signature check failed.");
+    VLOG(2) << "Crl signature check failed.";
   }
   return valid;
 }
@@ -1151,7 +1149,7 @@ static int CheckChainRevocation(
 static int CustomVerificationFunction(X509_STORE_CTX* ctx, void* arg) {
   int ret = X509_verify_cert(ctx);
   if (ret <= 0) {
-    gpr_log(GPR_DEBUG, "Failed to verify cert chain.");
+    VLOG(2) << "Failed to verify cert chain.";
     // Verification failed. We shouldn't expect to have a verified chain, so
     // there is no need to attempt to extract the root cert from it, check for
     // revocation, or check anything else.
@@ -1161,7 +1159,7 @@ static int CustomVerificationFunction(X509_STORE_CTX* ctx, void* arg) {
   if (provider != nullptr) {
     ret = CheckChainRevocation(ctx, provider);
     if (ret <= 0) {
-      gpr_log(GPR_DEBUG, "The chain failed revocation checks.");
+      VLOG(2) << "The chain failed revocation checks.";
       return ret;
     }
   }
@@ -1175,8 +1173,8 @@ static tsi_result tsi_set_min_and_max_tls_versions(
     SSL_CTX* ssl_context, tsi_tls_version min_tls_version,
     tsi_tls_version max_tls_version) {
   if (ssl_context == nullptr) {
-    gpr_log(GPR_INFO,
-            "Invalid nullptr argument to |tsi_set_min_and_max_tls_versions|.");
+    LOG(INFO) << "Invalid nullptr argument to "
+                 "|tsi_set_min_and_max_tls_versions|.";
     return TSI_INVALID_ARGUMENT;
   }
 #if OPENSSL_VERSION_NUMBER >= 0x10100000
@@ -1197,7 +1195,7 @@ static tsi_result tsi_set_min_and_max_tls_versions(
       break;
 #endif
     default:
-      gpr_log(GPR_INFO, "TLS version is not supported.");
+      LOG(INFO) << "TLS version is not supported.";
       return TSI_FAILED_PRECONDITION;
   }
 
@@ -1216,7 +1214,7 @@ static tsi_result tsi_set_min_and_max_tls_versions(
 #endif
       break;
     default:
-      gpr_log(GPR_INFO, "TLS version is not supported.");
+      LOG(INFO) << "TLS version is not supported.";
       return TSI_FAILED_PRECONDITION;
   }
 #endif
@@ -1228,25 +1226,25 @@ static tsi_result tsi_set_min_and_max_tls_versions(
 tsi_ssl_root_certs_store* tsi_ssl_root_certs_store_create(
     const char* pem_roots) {
   if (pem_roots == nullptr) {
-    gpr_log(GPR_ERROR, "The root certificates are empty.");
+    LOG(ERROR) << "The root certificates are empty.";
     return nullptr;
   }
   tsi_ssl_root_certs_store* root_store = static_cast<tsi_ssl_root_certs_store*>(
       gpr_zalloc(sizeof(tsi_ssl_root_certs_store)));
   if (root_store == nullptr) {
-    gpr_log(GPR_ERROR, "Could not allocate buffer for ssl_root_certs_store.");
+    LOG(ERROR) << "Could not allocate buffer for ssl_root_certs_store.";
     return nullptr;
   }
   root_store->store = X509_STORE_new();
   if (root_store->store == nullptr) {
-    gpr_log(GPR_ERROR, "Could not allocate buffer for X509_STORE.");
+    LOG(ERROR) << "Could not allocate buffer for X509_STORE.";
     gpr_free(root_store);
     return nullptr;
   }
   tsi_result result = x509_store_load_certs(root_store->store, pem_roots,
                                             strlen(pem_roots), nullptr);
   if (result != TSI_OK) {
-    gpr_log(GPR_ERROR, "Could not load root certificates.");
+    LOG(ERROR) << "Could not load root certificates.";
     X509_STORE_free(root_store->store);
     gpr_free(root_store);
     return nullptr;
@@ -1372,7 +1370,7 @@ static tsi_ssl_handshaker_factory_vtable handshaker_factory_vtable = {nullptr};
 // allocating memory for the factory.
 static void tsi_ssl_handshaker_factory_init(
     tsi_ssl_handshaker_factory* factory) {
-  GPR_ASSERT(factory != nullptr);
+  CHECK_NE(factory, nullptr);
 
   factory->vtable = &handshaker_factory_vtable;
   gpr_ref_init(&factory->refcount, 1);
@@ -1476,9 +1474,8 @@ static tsi_result ssl_handshaker_result_extract_peer(
     result = peer_property_from_x509_subject(
         verified_root_cert, &peer->properties[peer->property_count], true);
     if (result != TSI_OK) {
-      gpr_log(GPR_DEBUG,
-              "Problem extracting subject from verified_root_cert. result: %d",
-              static_cast<int>(result));
+      VLOG(2) << "Problem extracting subject from verified_root_cert. result: "
+              << result;
     }
     peer->property_count++;
   }
@@ -1600,7 +1597,7 @@ static tsi_result ssl_handshaker_get_bytes_to_send_to_peer(
     if (error != nullptr) *error = "invalid argument";
     return TSI_INVALID_ARGUMENT;
   }
-  GPR_ASSERT(*bytes_size <= INT_MAX);
+  CHECK_LE(*bytes_size, static_cast<size_t>(INT_MAX));
   bytes_read_from_ssl =
       BIO_read(impl->network_io, bytes, static_cast<int>(*bytes_size));
   if (bytes_read_from_ssl < 0) {
@@ -1671,11 +1668,11 @@ static tsi_result ssl_handshaker_process_bytes_from_peer(
     if (error != nullptr) *error = "invalid argument";
     return TSI_INVALID_ARGUMENT;
   }
-  GPR_ASSERT(*bytes_size <= INT_MAX);
+  CHECK_LE(*bytes_size, static_cast<size_t>(INT_MAX));
   bytes_written_into_ssl_size =
       BIO_write(impl->network_io, bytes, static_cast<int>(*bytes_size));
   if (bytes_written_into_ssl_size < 0) {
-    gpr_log(GPR_ERROR, "Could not write to memory BIO.");
+    LOG(ERROR) << "Could not write to memory BIO.";
     if (error != nullptr) *error = "could not write to memory BIO";
     impl->result = TSI_INTERNAL_ERROR;
     return impl->result;
@@ -1822,7 +1819,7 @@ static tsi_result ssl_handshaker_next(tsi_handshaker* self,
         ssl_bytes_remaining(impl, &unused_bytes, &unused_bytes_size, error);
     if (status != TSI_OK) return status;
     if (unused_bytes_size > received_bytes_size) {
-      gpr_log(GPR_ERROR, "More unused bytes than received bytes.");
+      LOG(ERROR) << "More unused bytes than received bytes.";
       gpr_free(unused_bytes);
       if (error != nullptr) *error = "More unused bytes than received bytes.";
       return TSI_INTERNAL_ERROR;
@@ -1876,7 +1873,7 @@ static tsi_result create_tsi_ssl_handshaker(SSL_CTX* ctx, int is_client,
   tsi_ssl_handshaker* impl = nullptr;
   *handshaker = nullptr;
   if (ctx == nullptr) {
-    gpr_log(GPR_ERROR, "SSL Context is null. Should never happen.");
+    LOG(ERROR) << "SSL Context is null. Should never happen.";
     return TSI_INTERNAL_ERROR;
   }
   if (ssl == nullptr) {
@@ -1886,7 +1883,7 @@ static tsi_result create_tsi_ssl_handshaker(SSL_CTX* ctx, int is_client,
 
   if (!BIO_new_bio_pair(&network_io, network_bio_buf_size, &ssl_io,
                         ssl_bio_buf_size)) {
-    gpr_log(GPR_ERROR, "BIO_new_bio_pair failed.");
+    LOG(ERROR) << "BIO_new_bio_pair failed.";
     SSL_free(ssl);
     return TSI_OUT_OF_RESOURCES;
   }
@@ -2075,7 +2072,7 @@ static int does_entry_match_name(absl::string_view entry,
 
   // Wildchar subdomain matching.
   if (entry.size() < 3 || entry[1] != '.') {  // At least *.x
-    gpr_log(GPR_ERROR, "Invalid wildchar entry.");
+    LOG(ERROR) << "Invalid wildchar entry.";
     return 0;
   }
   size_t name_subdomain_pos = name.find('.');
@@ -2086,8 +2083,7 @@ static int does_entry_match_name(absl::string_view entry,
   entry.remove_prefix(2);                   // Remove *.
   size_t dot = name_subdomain.find('.');
   if (dot == absl::string_view::npos || dot == name_subdomain.size() - 1) {
-    gpr_log(GPR_ERROR, "Invalid toplevel subdomain: %s",
-            std::string(name_subdomain).c_str());
+    LOG(ERROR) << "Invalid toplevel subdomain: " << name_subdomain;
     return 0;
   }
   if (name_subdomain.back() == '.') {
@@ -2114,7 +2110,7 @@ static int ssl_server_handshaker_factory_servername_callback(SSL* ssl,
       return SSL_TLSEXT_ERR_OK;
     }
   }
-  gpr_log(GPR_ERROR, "No match found for server name: %s.", servername);
+  LOG(ERROR) << "No match found for server name: " << servername;
   return SSL_TLSEXT_ERR_NOACK;
 }
 
@@ -2135,7 +2131,7 @@ static int server_handshaker_factory_npn_advertised_callback(
   tsi_ssl_server_handshaker_factory* factory =
       static_cast<tsi_ssl_server_handshaker_factory*>(arg);
   *out = factory->alpn_protocol_list;
-  GPR_ASSERT(factory->alpn_protocol_list_length <= UINT_MAX);
+  CHECK(factory->alpn_protocol_list_length <= UINT_MAX);
   *outlen = static_cast<unsigned int>(factory->alpn_protocol_list_length);
   return SSL_TLSEXT_ERR_OK;
 }
@@ -2169,7 +2165,7 @@ static int server_handshaker_factory_new_session_callback(
 template <typename T>
 static void ssl_keylogging_callback(const SSL* ssl, const char* info) {
   SSL_CTX* ssl_context = SSL_get_SSL_CTX(ssl);
-  GPR_ASSERT(ssl_context != nullptr);
+  CHECK_NE(ssl_context, nullptr);
   void* arg = SSL_CTX_get_ex_data(ssl_context, g_ssl_ctx_ex_factory_index);
   T* factory = static_cast<T*>(arg);
   factory->key_logger->LogSessionKeys(ssl_context, info);
@@ -2221,7 +2217,7 @@ tsi_result tsi_create_ssl_client_handshaker_factory_with_options(
 #endif
   if (ssl_context == nullptr) {
     grpc_core::LogSslErrorStack();
-    gpr_log(GPR_ERROR, "Could not create ssl context.");
+    LOG(ERROR) << "Could not create ssl context.";
     return TSI_INVALID_ARGUMENT;
   }
 
@@ -2288,7 +2284,7 @@ tsi_result tsi_create_ssl_client_handshaker_factory_with_options(
 
       X509_VERIFY_PARAM_set_depth(param, kMaxChainLength);
       if (result != TSI_OK) {
-        gpr_log(GPR_ERROR, "Cannot load server root certificates.");
+        LOG(ERROR) << "Cannot load server root certificates.";
         break;
       }
     }
@@ -2298,16 +2294,16 @@ tsi_result tsi_create_ssl_client_handshaker_factory_with_options(
           options->alpn_protocols, options->num_alpn_protocols,
           &impl->alpn_protocol_list, &impl->alpn_protocol_list_length);
       if (result != TSI_OK) {
-        gpr_log(GPR_ERROR, "Building alpn list failed with error %s.",
-                tsi_result_to_string(result));
+        LOG(ERROR) << "Building alpn list failed with error "
+                   << tsi_result_to_string(result);
         break;
       }
 #if TSI_OPENSSL_ALPN_SUPPORT
-      GPR_ASSERT(impl->alpn_protocol_list_length < UINT_MAX);
+      CHECK(impl->alpn_protocol_list_length < UINT_MAX);
       if (SSL_CTX_set_alpn_protos(
               ssl_context, impl->alpn_protocol_list,
               static_cast<unsigned int>(impl->alpn_protocol_list_length))) {
-        gpr_log(GPR_ERROR, "Could not set alpn protocol list to context.");
+        LOG(ERROR) << "Could not set alpn protocol list to context.";
         result = TSI_INVALID_ARGUMENT;
         break;
       }
@@ -2337,7 +2333,7 @@ tsi_result tsi_create_ssl_client_handshaker_factory_with_options(
     X509_STORE_set_verify_cb(cert_store, verify_cb);
     if (!X509_STORE_load_locations(cert_store, nullptr,
                                    options->crl_directory)) {
-      gpr_log(GPR_ERROR, "Failed to load CRL File from directory.");
+      LOG(ERROR) << "Failed to load CRL File from directory.";
     } else {
       X509_VERIFY_PARAM* param = X509_STORE_get0_param(cert_store);
       X509_VERIFY_PARAM_set_flags(
@@ -2442,7 +2438,7 @@ tsi_result tsi_create_ssl_server_handshaker_factory_with_options(
 #endif
       if (impl->ssl_contexts[i] == nullptr) {
         grpc_core::LogSslErrorStack();
-        gpr_log(GPR_ERROR, "Could not create ssl context.");
+        LOG(ERROR) << "Could not create ssl context.";
         result = TSI_OUT_OF_RESOURCES;
         break;
       }
@@ -2464,7 +2460,7 @@ tsi_result tsi_create_ssl_server_handshaker_factory_with_options(
           impl->ssl_contexts[i], kSslSessionIdContext,
           GPR_ARRAY_SIZE(kSslSessionIdContext));
       if (set_sid_ctx_result == 0) {
-        gpr_log(GPR_ERROR, "Failed to set session id context.");
+        LOG(ERROR) << "Failed to set session id context.";
         result = TSI_INTERNAL_ERROR;
         break;
       }
@@ -2474,7 +2470,7 @@ tsi_result tsi_create_ssl_server_handshaker_factory_with_options(
                 impl->ssl_contexts[i],
                 const_cast<char*>(options->session_ticket_key),
                 options->session_ticket_key_size) == 0) {
-          gpr_log(GPR_ERROR, "Invalid STEK size.");
+          LOG(ERROR) << "Invalid STEK size.";
           result = TSI_INVALID_ARGUMENT;
           break;
         }
@@ -2487,7 +2483,7 @@ tsi_result tsi_create_ssl_server_handshaker_factory_with_options(
             strlen(options->pem_client_root_certs),
             options->send_client_ca_list ? &root_names : nullptr);
         if (result != TSI_OK) {
-          gpr_log(GPR_ERROR, "Invalid verification certs.");
+          LOG(ERROR) << "Invalid verification certs.";
           break;
         }
         if (options->send_client_ca_list) {
@@ -2535,7 +2531,7 @@ tsi_result tsi_create_ssl_server_handshaker_factory_with_options(
         X509_STORE_set_verify_cb(cert_store, verify_cb);
         if (!X509_STORE_load_locations(cert_store, nullptr,
                                        options->crl_directory)) {
-          gpr_log(GPR_ERROR, "Failed to load CRL File from directory.");
+          LOG(ERROR) << "Failed to load CRL File from directory.";
         } else {
           X509_VERIFY_PARAM* param = X509_STORE_get0_param(cert_store);
           X509_VERIFY_PARAM_set_flags(
@@ -2631,8 +2627,8 @@ int tsi_ssl_peer_matches_name(const tsi_peer* peer, absl::string_view name) {
 const tsi_ssl_handshaker_factory_vtable* tsi_ssl_handshaker_factory_swap_vtable(
     tsi_ssl_handshaker_factory* factory,
     tsi_ssl_handshaker_factory_vtable* new_vtable) {
-  GPR_ASSERT(factory != nullptr);
-  GPR_ASSERT(factory->vtable != nullptr);
+  CHECK_NE(factory, nullptr);
+  CHECK_NE(factory->vtable, nullptr);
 
   const tsi_ssl_handshaker_factory_vtable* orig_vtable = factory->vtable;
   factory->vtable = new_vtable;