Adding call host (:authority header) check in the secure channel.

- Fixes #405.
- This change is not tested as it should (only end to end and no
  negative testing). Will do better when we have testing framework
  for filters.

4 files changed, 261 insertions, 87 deletions

diff --git a/src/core/security/auth.c b/src/core/security/auth.c
index 9d0c075bc3..18c32f90f4 100644
--- a/src/core/security/auth.c
+++ b/src/core/security/auth.c
@@ -35,22 +35,49 @@
 
 #include <string.h>
 
-#include "src/core/security/security_context.h"
-#include "src/core/security/credentials.h"
 #include <grpc/support/alloc.h>
 #include <grpc/support/log.h>
 
+#include "src/core/support/string.h"
+#include "src/core/channel/channel_stack.h"
+#include "src/core/security/security_context.h"
+#include "src/core/security/credentials.h"
+#include "src/core/surface/call.h"
+
 /* We can have a per-call credentials. */
 typedef struct {
   grpc_credentials *creds;
+  grpc_mdstr *host;
   grpc_call_op op;
 } call_data;
 
 /* We can have a per-channel credentials. */
 typedef struct {
   grpc_channel_security_context *security_context;
+  grpc_mdctx *md_ctx;
+  grpc_mdstr *authority_string;
+  grpc_mdstr *error_msg_key;
 } channel_data;
 
+static void do_nothing(void *ignored, grpc_op_error error) {}
+
+static void bubbleup_error(grpc_call_element *elem, const char *error_msg) {
+  grpc_call_op finish_op;
+  channel_data *channeld = elem->channel_data;
+
+  gpr_log(GPR_ERROR, "%s", error_msg);
+  finish_op.type = GRPC_RECV_METADATA;
+  finish_op.dir = GRPC_CALL_UP;
+  finish_op.flags = 0;
+  finish_op.data.metadata = grpc_mdelem_from_metadata_strings(
+      channeld->md_ctx, channeld->error_msg_key,
+      grpc_mdstr_from_string(channeld->md_ctx, error_msg));
+  finish_op.done_cb = do_nothing;
+  finish_op.user_data = NULL;
+  grpc_call_next_op(elem, &finish_op);
+  grpc_call_element_send_cancel(elem);
+}
+
 static void on_credentials_metadata(void *user_data, grpc_mdelem **md_elems,
                                     size_t num_md,
                                     grpc_credentials_status status) {
@@ -62,6 +89,46 @@ static void on_credentials_metadata(void *user_data, grpc_mdelem **md_elems,
   grpc_call_next_op(elem, &((call_data *)elem->call_data)->op);
 }
 
+static void send_security_metadata(grpc_call_element *elem, grpc_call_op *op) {
+  /* grab pointers to our data from the call element */
+  call_data *calld = elem->call_data;
+  channel_data *channeld = elem->channel_data;
+
+  grpc_credentials *channel_creds =
+      channeld->security_context->request_metadata_creds;
+  /* TODO(jboeuf):
+     Decide on the policy in this case:
+     - populate both channel and call?
+     - the call takes precedence over the channel?
+     - leave this decision up to the channel credentials?  */
+  if (calld->creds != NULL) {
+    gpr_log(GPR_ERROR, "Ignoring per call credentials for now.");
+  }
+  if (channel_creds != NULL &&
+      grpc_credentials_has_request_metadata(channel_creds)) {
+    calld->op = *op; /* Copy op (originates from the caller's stack). */
+    grpc_credentials_get_request_metadata(channel_creds,
+                                          on_credentials_metadata, elem);
+  } else {
+    grpc_call_next_op(elem, op);
+  }
+}
+
+static void on_host_checked(void *user_data, grpc_security_status status) {
+  grpc_call_element *elem = (grpc_call_element *)user_data;
+  call_data *calld = elem->call_data;
+
+  if (status == GRPC_SECURITY_OK) {
+    send_security_metadata(elem, &calld->op);
+  } else {
+    char *error_msg;
+    gpr_asprintf(&error_msg, "Invalid host %s set in :authority metadata.",
+                 grpc_mdstr_as_c_string(calld->host));
+    bubbleup_error(elem, error_msg);
+    gpr_free(error_msg);
+  }
+}
+
 /* Called either:
      - in response to an API call (or similar) from above, to send something
      - a network event (or similar) from below, to receive something
@@ -74,26 +141,36 @@ static void call_op(grpc_call_element *elem, grpc_call_element *from_elem,
   channel_data *channeld = elem->channel_data;
 
   switch (op->type) {
-    case GRPC_SEND_START: {
-      grpc_credentials *channel_creds =
-          channeld->security_context->request_metadata_creds;
-      /* TODO(jboeuf):
-         Decide on the policy in this case:
-         - populate both channel and call?
-         - the call takes precedence over the channel?
-         - leave this decision up to the channel credentials?  */
-      if (calld->creds != NULL) {
-        gpr_log(GPR_ERROR, "Ignoring per call credentials for now.");
+    case GRPC_SEND_METADATA:
+      /* Pointer comparison is OK for md_elems created from the same context. */
+      if (op->data.metadata->key == channeld->authority_string) {
+        if (calld->host != NULL) grpc_mdstr_unref(calld->host);
+        calld->host = grpc_mdstr_ref(op->data.metadata->value);
       }
-      if (channel_creds != NULL &&
-          grpc_credentials_has_request_metadata(channel_creds)) {
+      grpc_call_next_op(elem, op);
+      break;
+
+    case GRPC_SEND_START:
+      if (calld->host != NULL) {
+        grpc_security_status status;
+        const char *call_host = grpc_mdstr_as_c_string(calld->host);
         calld->op = *op; /* Copy op (originates from the caller's stack). */
-        grpc_credentials_get_request_metadata(channel_creds,
-                                              on_credentials_metadata, elem);
-        break;
+        status = grpc_channel_security_context_check_call_host(
+            channeld->security_context, call_host, on_host_checked, elem);
+        if (status != GRPC_SECURITY_OK) {
+          if (status == GRPC_SECURITY_ERROR) {
+            char *error_msg;
+            gpr_asprintf(&error_msg,
+                         "Invalid host %s set in :authority metadata.",
+                         call_host);
+            bubbleup_error(elem, error_msg);
+            gpr_free(error_msg);
+          }
+          break;
+        }
       }
-      /* FALLTHROUGH INTENDED. */
-    }
+      send_security_metadata(elem, op);
+      break;
 
     default:
       /* pass control up or down the stack depending on op->dir */
@@ -116,6 +193,7 @@ static void init_call_elem(grpc_call_element *elem,
      Find a way to pass-in the credentials from the caller here.  */
   call_data *calld = elem->call_data;
   calld->creds = NULL;
+  calld->host = NULL;
 }
 
 /* Destructor for call_data */
@@ -124,6 +202,9 @@ static void destroy_call_elem(grpc_call_element *elem) {
   if (calld->creds != NULL) {
     grpc_credentials_unref(calld->creds);
   }
+  if (calld->host != NULL) {
+    grpc_mdstr_unref(calld->host);
+  }
 }
 
 /* Constructor for channel_data */
@@ -146,6 +227,11 @@ static void init_channel_elem(grpc_channel_element *elem,
   GPR_ASSERT(ctx->is_client_side);
   channeld->security_context =
       (grpc_channel_security_context *)grpc_security_context_ref(ctx);
+  channeld->md_ctx = metadata_context;
+  channeld->authority_string =
+      grpc_mdstr_from_string(channeld->md_ctx, ":authority");
+  channeld->error_msg_key =
+      grpc_mdstr_from_string(channeld->md_ctx, "grpc-message");
 }
 
 /* Destructor for channel data */
@@ -154,6 +240,12 @@ static void destroy_channel_elem(grpc_channel_element *elem) {
   channel_data *channeld = elem->channel_data;
   grpc_channel_security_context *ctx = channeld->security_context;
   if (ctx != NULL) grpc_security_context_unref(&ctx->base);
+  if (channeld->authority_string != NULL) {
+    grpc_mdstr_unref(channeld->authority_string);
+  }
+  if (channeld->error_msg_key != NULL) {
+    grpc_mdstr_unref(channeld->error_msg_key);
+  }
 }
 
 const grpc_channel_filter grpc_client_auth_filter = {
diff --git a/src/core/security/secure_transport_setup.c b/src/core/security/secure_transport_setup.c
index 50a6987fbf..59789a7e4d 100644
--- a/src/core/security/secure_transport_setup.c
+++ b/src/core/security/secure_transport_setup.c
@@ -113,8 +113,7 @@ static void check_peer(grpc_secure_transport_setup *s) {
     return;
   }
   peer_status =
-      grpc_security_context_check_peer(s->ctx, &peer, on_peer_checked, s);
-  tsi_peer_destruct(&peer);
+      grpc_security_context_check_peer(s->ctx, peer, on_peer_checked, s);
   if (peer_status == GRPC_SECURITY_ERROR) {
     gpr_log(GPR_ERROR, "Peer check failed.");
     secure_transport_setup_done(s, 0);
diff --git a/src/core/security/security_context.c b/src/core/security/security_context.c
index 1edec29775..adb0269792 100644
--- a/src/core/security/security_context.c
+++ b/src/core/security/security_context.c
@@ -69,12 +69,22 @@ grpc_security_status grpc_security_context_create_handshaker(
 }
 
 grpc_security_status grpc_security_context_check_peer(
-    grpc_security_context *ctx, const tsi_peer *peer,
-    grpc_security_check_peer_cb cb, void *user_data) {
-  if (ctx == NULL) return GRPC_SECURITY_ERROR;
+    grpc_security_context *ctx, tsi_peer peer, grpc_security_check_cb cb,
+    void *user_data) {
+  if (ctx == NULL) {
+    tsi_peer_destruct(&peer);
+    return GRPC_SECURITY_ERROR;
+  }
   return ctx->vtable->check_peer(ctx, peer, cb, user_data);
 }
 
+grpc_security_status grpc_channel_security_context_check_call_host(
+    grpc_channel_security_context *ctx, const char *host,
+    grpc_security_check_cb cb, void *user_data) {
+  if (ctx == NULL || ctx->check_call_host == NULL) return GRPC_SECURITY_ERROR;
+  return ctx->check_call_host(ctx, host, cb, user_data);
+}
+
 void grpc_security_context_unref(grpc_security_context *ctx) {
   if (ctx == NULL) return;
   if (gpr_unref(&ctx->refcount)) ctx->vtable->destroy(ctx);
@@ -137,6 +147,11 @@ static int check_request_metadata_creds(grpc_credentials *creds) {
 
 /* -- Fake implementation. -- */
 
+typedef struct {
+  grpc_channel_security_context base;
+  int call_host_check_is_async;
+} grpc_fake_channel_security_context;
+
 static void fake_channel_destroy(grpc_security_context *ctx) {
   grpc_channel_security_context *c = (grpc_channel_security_context *)ctx;
   grpc_credentials_unref(c->request_metadata_creds);
@@ -158,31 +173,51 @@ static grpc_security_status fake_server_create_handshaker(
 }
 
 static grpc_security_status fake_check_peer(grpc_security_context *ctx,
-                                            const tsi_peer *peer,
-                                            grpc_security_check_peer_cb cb,
+                                            tsi_peer peer,
+                                            grpc_security_check_cb cb,
                                             void *user_data) {
   const char *prop_name;
-  if (peer->property_count != 1) {
+  grpc_security_status status = GRPC_SECURITY_OK;
+  if (peer.property_count != 1) {
     gpr_log(GPR_ERROR, "Fake peers should only have 1 property.");
-    return GRPC_SECURITY_ERROR;
+    status = GRPC_SECURITY_ERROR;
+    goto end;
   }
-  prop_name = peer->properties[0].name;
+  prop_name = peer.properties[0].name;
   if (prop_name == NULL ||
       strcmp(prop_name, TSI_CERTIFICATE_TYPE_PEER_PROPERTY)) {
     gpr_log(GPR_ERROR, "Unexpected property in fake peer: %s.",
             prop_name == NULL ? "<EMPTY>" : prop_name);
-    return GRPC_SECURITY_ERROR;
+    status = GRPC_SECURITY_ERROR;
+    goto end;
   }
-  if (peer->properties[0].type != TSI_PEER_PROPERTY_TYPE_STRING) {
+  if (peer.properties[0].type != TSI_PEER_PROPERTY_TYPE_STRING) {
     gpr_log(GPR_ERROR, "Invalid type of cert type property.");
-    return GRPC_SECURITY_ERROR;
+    status = GRPC_SECURITY_ERROR;
+    goto end;
   }
-  if (strncmp(peer->properties[0].value.string.data, TSI_FAKE_CERTIFICATE_TYPE,
-              peer->properties[0].value.string.length)) {
+  if (strncmp(peer.properties[0].value.string.data, TSI_FAKE_CERTIFICATE_TYPE,
+              peer.properties[0].value.string.length)) {
     gpr_log(GPR_ERROR, "Invalid value for cert type property.");
-    return GRPC_SECURITY_ERROR;
+    status = GRPC_SECURITY_ERROR;
+    goto end;
+  }
+end:
+  tsi_peer_destruct(&peer);
+  return status;
+}
+
+static grpc_security_status fake_channel_check_call_host(
+    grpc_channel_security_context *ctx, const char *host,
+    grpc_security_check_cb cb, void *user_data) {
+  grpc_fake_channel_security_context *c =
+      (grpc_fake_channel_security_context *)ctx;
+  if (c->call_host_check_is_async) {
+    cb(user_data, GRPC_SECURITY_OK);
+    return GRPC_SECURITY_PENDING;
+  } else {
+    return GRPC_SECURITY_OK;
   }
-  return GRPC_SECURITY_OK;
 }
 
 static grpc_security_context_vtable fake_channel_vtable = {
@@ -192,15 +227,17 @@ static grpc_security_context_vtable fake_server_vtable = {
     fake_server_destroy, fake_server_create_handshaker, fake_check_peer};
 
 grpc_channel_security_context *grpc_fake_channel_security_context_create(
-    grpc_credentials *request_metadata_creds) {
-  grpc_channel_security_context *c =
-      gpr_malloc(sizeof(grpc_channel_security_context));
-  gpr_ref_init(&c->base.refcount, 1);
-  c->base.is_client_side = 1;
-  c->base.vtable = &fake_channel_vtable;
+    grpc_credentials *request_metadata_creds, int call_host_check_is_async) {
+  grpc_fake_channel_security_context *c =
+      gpr_malloc(sizeof(grpc_fake_channel_security_context));
+  gpr_ref_init(&c->base.base.refcount, 1);
+  c->base.base.is_client_side = 1;
+  c->base.base.vtable = &fake_channel_vtable;
   GPR_ASSERT(check_request_metadata_creds(request_metadata_creds));
-  c->request_metadata_creds = grpc_credentials_ref(request_metadata_creds);
-  return c;
+  c->base.request_metadata_creds = grpc_credentials_ref(request_metadata_creds);
+  c->base.check_call_host = fake_channel_check_call_host;
+  c->call_host_check_is_async = call_host_check_is_async;
+  return &c->base;
 }
 
 grpc_security_context *grpc_fake_server_security_context_create(void) {
@@ -215,7 +252,9 @@ grpc_security_context *grpc_fake_server_security_context_create(void) {
 typedef struct {
   grpc_channel_security_context base;
   tsi_ssl_handshaker_factory *handshaker_factory;
-  char *secure_peer_name;
+  char *target_name;
+  char *overridden_target_name;
+  tsi_peer peer;
 } grpc_ssl_channel_security_context;
 
 typedef struct {
@@ -230,7 +269,9 @@ static void ssl_channel_destroy(grpc_security_context *ctx) {
   if (c->handshaker_factory != NULL) {
     tsi_ssl_handshaker_factory_destroy(c->handshaker_factory);
   }
-  if (c->secure_peer_name != NULL) gpr_free(c->secure_peer_name);
+  if (c->target_name != NULL) gpr_free(c->target_name);
+  if (c->overridden_target_name != NULL) gpr_free(c->overridden_target_name);
+  tsi_peer_destruct(&c->peer);
   gpr_free(ctx);
 }
 
@@ -244,11 +285,11 @@ static void ssl_server_destroy(grpc_security_context *ctx) {
 
 static grpc_security_status ssl_create_handshaker(
     tsi_ssl_handshaker_factory *handshaker_factory, int is_client,
-    const char *secure_peer_name, tsi_handshaker **handshaker) {
+    const char *peer_name, tsi_handshaker **handshaker) {
   tsi_result result = TSI_OK;
   if (handshaker_factory == NULL) return GRPC_SECURITY_ERROR;
   result = tsi_ssl_handshaker_factory_create_handshaker(
-      handshaker_factory, is_client ? secure_peer_name : NULL, handshaker);
+      handshaker_factory, is_client ? peer_name : NULL, handshaker);
   if (result != TSI_OK) {
     gpr_log(GPR_ERROR, "Handshaker creation failed with error %s.",
             tsi_result_to_string(result));
@@ -261,7 +302,10 @@ static grpc_security_status ssl_channel_create_handshaker(
     grpc_security_context *ctx, tsi_handshaker **handshaker) {
   grpc_ssl_channel_security_context *c =
       (grpc_ssl_channel_security_context *)ctx;
-  return ssl_create_handshaker(c->handshaker_factory, 1, c->secure_peer_name,
+  return ssl_create_handshaker(c->handshaker_factory, 1,
+                               c->overridden_target_name != NULL
+                                   ? c->overridden_target_name
+                                   : c->target_name,
                                handshaker);
 }
 
@@ -271,7 +315,7 @@ static grpc_security_status ssl_server_create_handshaker(
   return ssl_create_handshaker(c->handshaker_factory, 0, NULL, handshaker);
 }
 
-static grpc_security_status ssl_check_peer(const char *secure_peer_name,
+static grpc_security_status ssl_check_peer(const char *peer_name,
                                            const tsi_peer *peer) {
   /* Check the ALPN. */
   const tsi_peer_property *p =
@@ -291,28 +335,54 @@ static grpc_security_status ssl_check_peer(const char *secure_peer_name,
   }
 
   /* Check the peer name if specified. */
-  if (secure_peer_name != NULL &&
-      !tsi_ssl_peer_matches_name(peer, secure_peer_name)) {
-    gpr_log(GPR_ERROR, "Peer name %s is not in peer certificate",
-            secure_peer_name);
+  if (peer_name != NULL &&
+      !tsi_ssl_peer_matches_name(peer, peer_name)) {
+    gpr_log(GPR_ERROR, "Peer name %s is not in peer certificate", peer_name);
     return GRPC_SECURITY_ERROR;
   }
   return GRPC_SECURITY_OK;
 }
 
-static grpc_security_status ssl_channel_check_peer(
-    grpc_security_context *ctx, const tsi_peer *peer,
-    grpc_security_check_peer_cb cb, void *user_data) {
+static grpc_security_status ssl_channel_check_peer(grpc_security_context *ctx,
+                                                   tsi_peer peer,
+                                                   grpc_security_check_cb cb,
+                                                   void *user_data) {
   grpc_ssl_channel_security_context *c =
       (grpc_ssl_channel_security_context *)ctx;
-  return ssl_check_peer(c->secure_peer_name, peer);
+  grpc_security_status status = ssl_check_peer(c->overridden_target_name != NULL
+                                                   ? c->overridden_target_name
+                                                   : c->target_name,
+                                               &peer);
+  c->peer = peer;
+  return status;
+}
+
+static grpc_security_status ssl_server_check_peer(grpc_security_context *ctx,
+                                                  tsi_peer peer,
+                                                  grpc_security_check_cb cb,
+                                                  void *user_data) {
+  /* TODO(jboeuf): Find a way to expose the peer to the authorization layer. */
+  grpc_security_status status = ssl_check_peer(NULL, &peer);
+  tsi_peer_destruct(&peer);
+  return status;
 }
 
-static grpc_security_status ssl_server_check_peer(
-    grpc_security_context *ctx, const tsi_peer *peer,
-    grpc_security_check_peer_cb cb, void *user_data) {
-  /* TODO(jboeuf): Find a way to expose the peer to the authorization layer. */
-  return ssl_check_peer(NULL, peer);
+static grpc_security_status ssl_channel_check_call_host(
+    grpc_channel_security_context *ctx, const char *host,
+    grpc_security_check_cb cb, void *user_data) {
+  grpc_ssl_channel_security_context *c =
+      (grpc_ssl_channel_security_context *)ctx;
+
+  if (tsi_ssl_peer_matches_name(&c->peer, host)) return GRPC_SECURITY_OK;
+
+  /* If the target name was overridden, then the original target_name was
+     'checked' transitively during the previous peer check at the end of the
+     handshake. */
+  if (c->overridden_target_name != NULL && !strcmp(host, c->target_name)) {
+    return GRPC_SECURITY_OK;
+  } else {
+    return GRPC_SECURITY_ERROR;
+  }
 }
 
 static grpc_security_context_vtable ssl_channel_vtable = {
@@ -345,7 +415,8 @@ static size_t get_default_pem_roots(const unsigned char **pem_root_certs) {
 
 grpc_security_status grpc_ssl_channel_security_context_create(
     grpc_credentials *request_metadata_creds, const grpc_ssl_config *config,
-    const char *secure_peer_name, grpc_channel_security_context **ctx) {
+    const char *target_name, const char *overridden_target_name,
+    grpc_channel_security_context **ctx) {
   size_t num_alpn_protocols = grpc_chttp2_num_alpn_versions();
   const unsigned char **alpn_protocol_strings =
       gpr_malloc(sizeof(const char *) * num_alpn_protocols);
@@ -364,8 +435,8 @@ grpc_security_status grpc_ssl_channel_security_context_create(
         strlen(grpc_chttp2_get_alpn_version_index(i));
   }
 
-  if (config == NULL || secure_peer_name == NULL) {
-    gpr_log(GPR_ERROR, "An ssl channel needs a config and a secure name.");
+  if (config == NULL || target_name == NULL) {
+    gpr_log(GPR_ERROR, "An ssl channel needs a config and a target name.");
     goto error;
   }
   if (!check_request_metadata_creds(request_metadata_creds)) {
@@ -379,8 +450,12 @@ grpc_security_status grpc_ssl_channel_security_context_create(
   c->base.base.vtable = &ssl_channel_vtable;
   c->base.base.is_client_side = 1;
   c->base.request_metadata_creds = grpc_credentials_ref(request_metadata_creds);
-  if (secure_peer_name != NULL) {
-    c->secure_peer_name = gpr_strdup(secure_peer_name);
+  c->base.check_call_host = ssl_channel_check_call_host;
+  if (target_name != NULL) {
+    c->target_name = gpr_strdup(target_name);
+  }
+  if (overridden_target_name != NULL) {
+    c->overridden_target_name = gpr_strdup(overridden_target_name);
   }
   if (config->pem_root_certs == NULL) {
     pem_root_certs_size = get_default_pem_roots(&pem_root_certs);
@@ -478,7 +553,7 @@ grpc_channel *grpc_ssl_channel_create(grpc_credentials *ssl_creds,
   grpc_channel *channel = NULL;
   grpc_security_status status = GRPC_SECURITY_OK;
   size_t i = 0;
-  const char *secure_peer_name = target;
+  const char *overridden_target_name = NULL;
   grpc_arg arg;
   grpc_channel_args *new_args;
 
@@ -486,13 +561,13 @@ grpc_channel *grpc_ssl_channel_create(grpc_credentials *ssl_creds,
     grpc_arg *arg = &args->args[i];
     if (!strcmp(arg->key, GRPC_SSL_TARGET_NAME_OVERRIDE_ARG) &&
         arg->type == GRPC_ARG_STRING) {
-      secure_peer_name = arg->value.string;
+      overridden_target_name = arg->value.string;
       break;
     }
   }
   status = grpc_ssl_channel_security_context_create(
       request_metadata_creds, grpc_ssl_credentials_get_config(ssl_creds),
-      secure_peer_name, &ctx);
+      target, overridden_target_name, &ctx);
   if (status != GRPC_SECURITY_OK) {
     return grpc_lame_client_channel_create();
   }
@@ -510,7 +585,7 @@ grpc_channel *grpc_fake_transport_security_channel_create(
     grpc_credentials *fake_creds, grpc_credentials *request_metadata_creds,
     const char *target, const grpc_channel_args *args) {
   grpc_channel_security_context *ctx =
-      grpc_fake_channel_security_context_create(request_metadata_creds);
+      grpc_fake_channel_security_context_create(request_metadata_creds, 1);
   grpc_channel *channel =
       grpc_secure_channel_create_internal(target, args, ctx);
   grpc_security_context_unref(&ctx->base);
diff --git a/src/core/security/security_context.h b/src/core/security/security_context.h
index 2caa2d3690..25d467d717 100644
--- a/src/core/security/security_context.h
+++ b/src/core/security/security_context.h
@@ -56,16 +56,15 @@ typedef struct grpc_security_context grpc_security_context;
 
 #define GRPC_SECURITY_CONTEXT_ARG "grpc.security_context"
 
-typedef void (*grpc_security_check_peer_cb)(void *user_data,
-                                            grpc_security_status status);
+typedef void (*grpc_security_check_cb)(void *user_data,
+                                       grpc_security_status status);
 
 typedef struct {
   void (*destroy)(grpc_security_context *ctx);
   grpc_security_status (*create_handshaker)(grpc_security_context *ctx,
                                             tsi_handshaker **handshaker);
-  grpc_security_status (*check_peer)(grpc_security_context *ctx,
-                                     const tsi_peer *peer,
-                                     grpc_security_check_peer_cb,
+  grpc_security_status (*check_peer)(grpc_security_context *ctx, tsi_peer peer,
+                                     grpc_security_check_cb cb,
                                      void *user_data);
 } grpc_security_context_vtable;
 
@@ -87,18 +86,14 @@ grpc_security_status grpc_security_context_create_handshaker(
 
 /* Check the peer.
    Implementations can choose to check the peer either synchronously or
-   asynchronously. In the first case, a successful will return
+   asynchronously. In the first case, a successful call will return
    GRPC_SECURITY_OK. In the asynchronous case, the call will return
    GRPC_SECURITY_PENDING unless an error is detected early on.
-
-   Note:
-   Asynchronous implementations of this interface should make a copy of the
-   fields of the peer they want to check as there is no guarantee on the
-   lifetime of the peer object beyond this call.
+   Ownership of the peer is transfered.
 */
 grpc_security_status grpc_security_context_check_peer(
-    grpc_security_context *ctx, const tsi_peer *peer,
-    grpc_security_check_peer_cb cb, void *user_data);
+    grpc_security_context *ctx, tsi_peer peer,
+    grpc_security_check_cb cb, void *user_data);
 
 /* Util to encapsulate the context in a channel arg. */
 grpc_arg grpc_security_context_to_arg(grpc_security_context *ctx);
@@ -120,14 +115,26 @@ typedef struct grpc_channel_security_context grpc_channel_security_context;
 struct grpc_channel_security_context {
   grpc_security_context base; /* requires is_client_side to be non 0. */
   grpc_credentials *request_metadata_creds;
+  grpc_security_status (*check_call_host)(
+      grpc_channel_security_context *ctx, const char *host,
+      grpc_security_check_cb cb, void *user_data);
 };
 
+/* Checks that the host that will be set for a call is acceptable.
+   Implementations can choose do the check either synchronously or
+   asynchronously. In the first case, a successful call will return
+   GRPC_SECURITY_OK. In the asynchronous case, the call will return
+   GRPC_SECURITY_PENDING unless an error is detected early on. */
+grpc_security_status grpc_channel_security_context_check_call_host(
+    grpc_channel_security_context *ctx, const char *host,
+    grpc_security_check_cb cb, void *user_data);
+
 /* --- Creation security contexts. --- */
 
 /* For TESTING ONLY!
    Creates a fake context that emulates real channel security.  */
 grpc_channel_security_context *grpc_fake_channel_security_context_create(
-    grpc_credentials *request_metadata_creds);
+    grpc_credentials *request_metadata_creds, int call_host_check_is_async);
 
 /* For TESTING ONLY!
    Creates a fake context that emulates real server security.  */
@@ -148,7 +155,8 @@ grpc_security_context *grpc_fake_server_security_context_create(void);
 */
 grpc_security_status grpc_ssl_channel_security_context_create(
     grpc_credentials *request_metadata_creds, const grpc_ssl_config *config,
-    const char *secure_peer_name, grpc_channel_security_context **ctx);
+    const char *target_name, const char *overridden_target_name,
+    grpc_channel_security_context **ctx);
 
 /* Creates an SSL server_security_context.
    - config is the SSL config to be used for the SSL channel establishment.