grpc 1.32.0 → 1.33.0.pre1

data/third_party/boringssl-with-bazel/src/include/openssl/x509v3.h

@@ -126,8 +126,8 @@ void *usr_data;	/* Any extension specific data */
 };
 
 typedef struct X509V3_CONF_METHOD_st {
-char * (*get_string)(void *db, char *section, char *value);
-STACK_OF(CONF_VALUE) * (*get_section)(void *db, char *section);
+char * (*get_string)(void *db, const char *section, const char *value);
+STACK_OF(CONF_VALUE) * (*get_section)(void *db, const char *section);
 void (*free_string)(void *db, char * string);
 void (*free_section)(void *db, STACK_OF(CONF_VALUE) *section);
 } X509V3_CONF_METHOD;
@@ -162,11 +162,6 @@ ASN1_INTEGER *pathlen;
 };
 
 
-typedef struct PKEY_USAGE_PERIOD_st {
-ASN1_GENERALIZEDTIME *notBefore;
-ASN1_GENERALIZEDTIME *notAfter;
-} PKEY_USAGE_PERIOD;
-
 typedef struct otherName_st {
 ASN1_OBJECT *type_id;
 ASN1_TYPE *value;
@@ -272,21 +267,6 @@ GENERAL_NAMES *issuer;
 ASN1_INTEGER *serial;
 };
 
-/* Strong extranet structures */
-
-typedef struct SXNET_ID_st {
-	ASN1_INTEGER *zone;
-	ASN1_OCTET_STRING *user;
-} SXNETID;
-
-DEFINE_STACK_OF(SXNETID)
-DECLARE_ASN1_SET_OF(SXNETID)
-
-typedef struct SXNET_st {
-	ASN1_INTEGER *version;
-	STACK_OF(SXNETID) *ids;
-} SXNET;
-
 typedef struct NOTICEREF_st {
 	ASN1_STRING *organization;
 	STACK_OF(ASN1_INTEGER) *noticenos;
@@ -517,21 +497,8 @@ DEFINE_STACK_OF(X509_PURPOSE)
 
 DECLARE_ASN1_FUNCTIONS(BASIC_CONSTRAINTS)
 
-DECLARE_ASN1_FUNCTIONS(SXNET)
-DECLARE_ASN1_FUNCTIONS(SXNETID)
-
-int SXNET_add_id_asc(SXNET **psx, char *zone, char *user, int userlen); 
-int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, char *user, int userlen); 
-int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *izone, char *user, int userlen); 
-
-ASN1_OCTET_STRING *SXNET_get_id_asc(SXNET *sx, char *zone);
-ASN1_OCTET_STRING *SXNET_get_id_ulong(SXNET *sx, unsigned long lzone);
-ASN1_OCTET_STRING *SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone);
-
 DECLARE_ASN1_FUNCTIONS(AUTHORITY_KEYID)
 
-DECLARE_ASN1_FUNCTIONS(PKEY_USAGE_PERIOD)
-
 DECLARE_ASN1_FUNCTIONS(GENERAL_NAME)
 OPENSSL_EXPORT GENERAL_NAME *GENERAL_NAME_dup(GENERAL_NAME *a);
 OPENSSL_EXPORT int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b);
@@ -558,17 +525,17 @@ DECLARE_ASN1_FUNCTIONS(OTHERNAME)
 DECLARE_ASN1_FUNCTIONS(EDIPARTYNAME)
 OPENSSL_EXPORT int OTHERNAME_cmp(OTHERNAME *a, OTHERNAME *b);
 OPENSSL_EXPORT void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value);
-OPENSSL_EXPORT void *GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype);
+OPENSSL_EXPORT void *GENERAL_NAME_get0_value(const GENERAL_NAME *a, int *ptype);
 OPENSSL_EXPORT int GENERAL_NAME_set0_othername(GENERAL_NAME *gen,
 				ASN1_OBJECT *oid, ASN1_TYPE *value);
-OPENSSL_EXPORT int GENERAL_NAME_get0_otherName(GENERAL_NAME *gen, 
+OPENSSL_EXPORT int GENERAL_NAME_get0_otherName(const GENERAL_NAME *gen, 
 				ASN1_OBJECT **poid, ASN1_TYPE **pvalue);
 
-OPENSSL_EXPORT char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, ASN1_OCTET_STRING *ia5);
+OPENSSL_EXPORT char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, const ASN1_OCTET_STRING *ia5);
 OPENSSL_EXPORT ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str);
 
 DECLARE_ASN1_FUNCTIONS(EXTENDED_KEY_USAGE)
-OPENSSL_EXPORT int i2a_ACCESS_DESCRIPTION(BIO *bp, ACCESS_DESCRIPTION* a);
+OPENSSL_EXPORT int i2a_ACCESS_DESCRIPTION(BIO *bp, const ACCESS_DESCRIPTION* a);
 
 DECLARE_ASN1_FUNCTIONS(CERTIFICATEPOLICIES)
 DECLARE_ASN1_FUNCTIONS(POLICYINFO)
@@ -684,6 +651,48 @@ OPENSSL_EXPORT uint32_t X509_get_extension_flags(X509 *x);
 OPENSSL_EXPORT uint32_t X509_get_key_usage(X509 *x);
 OPENSSL_EXPORT uint32_t X509_get_extended_key_usage(X509 *x);
 
+// X509_get0_subject_key_id returns |x509|'s subject key identifier, if present.
+// (See RFC5280, section 4.2.1.2.) It returns NULL if the extension is not
+// present or if some extension in |x509| was invalid.
+//
+// Note that decoding an |X509| object will not check for invalid extensions. To
+// detect the error case, call |X509_get_extensions_flags| and check the
+// |EXFLAG_INVALID| bit.
+OPENSSL_EXPORT const ASN1_OCTET_STRING *X509_get0_subject_key_id(X509 *x509);
+
+// X509_get0_authority_key_id returns keyIdentifier of |x509|'s authority key
+// identifier, if the extension and field are present. (See RFC5280,
+// section 4.2.1.1.) It returns NULL if the extension is not present, if it is
+// present but lacks a keyIdentifier field, or if some extension in |x509| was
+// invalid.
+//
+// Note that decoding an |X509| object will not check for invalid extensions. To
+// detect the error case, call |X509_get_extensions_flags| and check the
+// |EXFLAG_INVALID| bit.
+OPENSSL_EXPORT const ASN1_OCTET_STRING *X509_get0_authority_key_id(X509 *x509);
+
+// X509_get0_authority_issuer returns the authorityCertIssuer of |x509|'s
+// authority key identifier, if the extension and field are present. (See
+// RFC5280, section 4.2.1.1.) It returns NULL if the extension is not present,
+// if it is present but lacks a authorityCertIssuer field, or if some extension
+// in |x509| was invalid.
+//
+// Note that decoding an |X509| object will not check for invalid extensions. To
+// detect the error case, call |X509_get_extensions_flags| and check the
+// |EXFLAG_INVALID| bit.
+OPENSSL_EXPORT const GENERAL_NAMES *X509_get0_authority_issuer(X509 *x509);
+
+// X509_get0_authority_serial returns the authorityCertSerialNumber of |x509|'s
+// authority key identifier, if the extension and field are present. (See
+// RFC5280, section 4.2.1.1.) It returns NULL if the extension is not present,
+// if it is present but lacks a authorityCertSerialNumber field, or if some
+// extension in |x509| was invalid.
+//
+// Note that decoding an |X509| object will not check for invalid extensions. To
+// detect the error case, call |X509_get_extensions_flags| and check the
+// |EXFLAG_INVALID| bit.
+OPENSSL_EXPORT const ASN1_INTEGER *X509_get0_authority_serial(X509 *x509);
+
 OPENSSL_EXPORT int X509_PURPOSE_get_count(void);
 OPENSSL_EXPORT X509_PURPOSE * X509_PURPOSE_get0(int idx);
 OPENSSL_EXPORT int X509_PURPOSE_get_by_sname(char *sname);
@@ -691,11 +700,11 @@ OPENSSL_EXPORT int X509_PURPOSE_get_by_id(int id);
 OPENSSL_EXPORT int X509_PURPOSE_add(int id, int trust, int flags,
 			int (*ck)(const X509_PURPOSE *, const X509 *, int),
 				char *name, char *sname, void *arg);
-OPENSSL_EXPORT char *X509_PURPOSE_get0_name(X509_PURPOSE *xp);
-OPENSSL_EXPORT char *X509_PURPOSE_get0_sname(X509_PURPOSE *xp);
-OPENSSL_EXPORT int X509_PURPOSE_get_trust(X509_PURPOSE *xp);
+OPENSSL_EXPORT char *X509_PURPOSE_get0_name(const X509_PURPOSE *xp);
+OPENSSL_EXPORT char *X509_PURPOSE_get0_sname(const X509_PURPOSE *xp);
+OPENSSL_EXPORT int X509_PURPOSE_get_trust(const X509_PURPOSE *xp);
 OPENSSL_EXPORT void X509_PURPOSE_cleanup(void);
-OPENSSL_EXPORT int X509_PURPOSE_get_id(X509_PURPOSE *);
+OPENSSL_EXPORT int X509_PURPOSE_get_id(const X509_PURPOSE *);
 
 OPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x);
 OPENSSL_EXPORT STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x);

data/third_party/boringssl-with-bazel/src/ssl/handshake.cc

@@ -235,13 +235,13 @@ bool ssl_hash_message(SSL_HANDSHAKE *hs, const SSLMessage &msg) {
   return hs->transcript.Update(msg.raw);
 }
 
-int ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert,
-                         const SSL_EXTENSION_TYPE *ext_types,
-                         size_t num_ext_types, int ignore_unknown) {
+bool ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert,
+                          Span<const SSL_EXTENSION_TYPE> ext_types,
+                          bool ignore_unknown) {
   // Reset everything.
-  for (size_t i = 0; i < num_ext_types; i++) {
-    *ext_types[i].out_present = 0;
-    CBS_init(ext_types[i].out_data, NULL, 0);
+  for (const SSL_EXTENSION_TYPE &ext_type : ext_types) {
+    *ext_type.out_present = false;
+    CBS_init(ext_type.out_data, nullptr, 0);
   }
 
   CBS copy = *cbs;
@@ -252,38 +252,38 @@ int ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert,
         !CBS_get_u16_length_prefixed(&copy, &data)) {
       OPENSSL_PUT_ERROR(SSL, SSL_R_PARSE_TLSEXT);
       *out_alert = SSL_AD_DECODE_ERROR;
-      return 0;
+      return false;
     }
 
-    const SSL_EXTENSION_TYPE *ext_type = NULL;
-    for (size_t i = 0; i < num_ext_types; i++) {
-      if (type == ext_types[i].type) {
-        ext_type = &ext_types[i];
+    const SSL_EXTENSION_TYPE *found = nullptr;
+    for (const SSL_EXTENSION_TYPE &ext_type : ext_types) {
+      if (type == ext_type.type) {
+        found = &ext_type;
         break;
       }
     }
 
-    if (ext_type == NULL) {
+    if (found == nullptr) {
       if (ignore_unknown) {
         continue;
       }
       OPENSSL_PUT_ERROR(SSL, SSL_R_UNEXPECTED_EXTENSION);
       *out_alert = SSL_AD_UNSUPPORTED_EXTENSION;
-      return 0;
+      return false;
     }
 
     // Duplicate ext_types are forbidden.
-    if (*ext_type->out_present) {
+    if (*found->out_present) {
       OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_EXTENSION);
       *out_alert = SSL_AD_ILLEGAL_PARAMETER;
-      return 0;
+      return false;
     }
 
-    *ext_type->out_present = 1;
-    *ext_type->out_data = data;
+    *found->out_present = 1;
+    *found->out_data = data;
   }
 
-  return 1;
+  return true;
 }
 
 enum ssl_verify_result_t ssl_verify_peer_cert(SSL_HANDSHAKE *hs) {

data/third_party/boringssl-with-bazel/src/ssl/handshake_client.cc

@@ -259,7 +259,7 @@ static bool ssl_write_client_cipher_list(SSL_HANDSHAKE *hs, CBB *out) {
         continue;
       }
       any_enabled = true;
-      if (!CBB_add_u16(&child, ssl_cipher_get_value(cipher))) {
+      if (!CBB_add_u16(&child, SSL_CIPHER_get_protocol_id(cipher))) {
         return false;
       }
     }
@@ -358,8 +358,7 @@ static bool parse_supported_versions(SSL_HANDSHAKE *hs, uint16_t *version,
 
   uint8_t alert = SSL_AD_DECODE_ERROR;
   if (!ssl_parse_extensions(&extensions, &alert, ext_types,
-                            OPENSSL_ARRAY_SIZE(ext_types),
-                            1 /* ignore unknown */)) {
+                            /*ignore_unknown=*/true)) {
     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
     return false;
   }

data/third_party/boringssl-with-bazel/src/ssl/handshake_server.cc

@@ -908,7 +908,7 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
       !CBB_add_u8_length_prefixed(&body, &session_id) ||
       !CBB_add_bytes(&session_id, session->session_id,
                      session->session_id_length) ||
-      !CBB_add_u16(&body, ssl_cipher_get_value(hs->new_cipher)) ||
+      !CBB_add_u16(&body, SSL_CIPHER_get_protocol_id(hs->new_cipher)) ||
       !CBB_add_u8(&body, 0 /* no compression */) ||
       !ssl_add_serverhello_tlsext(hs, &body) ||
       !ssl_add_message_cbb(ssl, cbb.get())) {

data/third_party/boringssl-with-bazel/src/ssl/internal.h

@@ -345,6 +345,9 @@ class Array {
     if (new_size > size_) {
       abort();
     }
+    for (size_t i = new_size; i < size_; i++) {
+      data_[i].~T();
+    }
     size_ = new_size;
   }
 
@@ -631,9 +634,6 @@ const EVP_MD *ssl_get_handshake_digest(uint16_t version,
 bool ssl_create_cipher_list(UniquePtr<SSLCipherPreferenceList> *out_cipher_list,
                             const char *rule_str, bool strict);
 
-// ssl_cipher_get_value returns the cipher suite id of |cipher|.
-uint16_t ssl_cipher_get_value(const SSL_CIPHER *cipher);
-
 // ssl_cipher_auth_mask_for_key returns the mask of cipher |algorithm_auth|
 // values suitable for use with |key| in TLS 1.2 and below.
 uint32_t ssl_cipher_auth_mask_for_key(const EVP_PKEY *key);
@@ -1926,12 +1926,12 @@ struct SSL_EXTENSION_TYPE {
 
 // ssl_parse_extensions parses a TLS extensions block out of |cbs| and advances
 // it. It writes the parsed extensions to pointers denoted by |ext_types|. On
-// success, it fills in the |out_present| and |out_data| fields and returns one.
-// Otherwise, it sets |*out_alert| to an alert to send and returns zero. Unknown
-// extensions are rejected unless |ignore_unknown| is 1.
-int ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert,
-                         const SSL_EXTENSION_TYPE *ext_types,
-                         size_t num_ext_types, int ignore_unknown);
+// success, it fills in the |out_present| and |out_data| fields and returns
+// true. Otherwise, it sets |*out_alert| to an alert to send and returns false.
+// Unknown extensions are rejected unless |ignore_unknown| is true.
+bool ssl_parse_extensions(const CBS *cbs, uint8_t *out_alert,
+                          Span<const SSL_EXTENSION_TYPE> ext_types,
+                          bool ignore_unknown);
 
 // ssl_verify_peer_cert verifies the peer certificate for |hs|.
 enum ssl_verify_result_t ssl_verify_peer_cert(SSL_HANDSHAKE *hs);

data/third_party/boringssl-with-bazel/src/ssl/ssl_cipher.cc

@@ -1279,14 +1279,6 @@ bool ssl_create_cipher_list(UniquePtr<SSLCipherPreferenceList> *out_cipher_list,
   return true;
 }
 
-uint16_t ssl_cipher_get_value(const SSL_CIPHER *cipher) {
-  uint32_t id = cipher->id;
-  // All OpenSSL cipher IDs are prefaced with 0x03. Historically this referred
-  // to SSLv2 vs SSLv3.
-  assert((id & 0xff000000) == 0x03000000);
-  return id & 0xffff;
-}
-
 uint32_t ssl_cipher_auth_mask_for_key(const EVP_PKEY *key) {
   switch (EVP_PKEY_id(key)) {
     case EVP_PKEY_RSA:
@@ -1376,10 +1368,17 @@ const SSL_CIPHER *SSL_get_cipher_by_value(uint16_t value) {
 
 uint32_t SSL_CIPHER_get_id(const SSL_CIPHER *cipher) { return cipher->id; }
 
-uint16_t SSL_CIPHER_get_value(const SSL_CIPHER *cipher) {
+uint16_t SSL_CIPHER_get_protocol_id(const SSL_CIPHER *cipher) {
+  // All OpenSSL cipher IDs are prefaced with 0x03. Historically this referred
+  // to SSLv2 vs SSLv3.
+  assert((cipher->id & 0xff000000) == 0x03000000);
   return static_cast<uint16_t>(cipher->id);
 }
 
+uint16_t SSL_CIPHER_get_value(const SSL_CIPHER *cipher) {
+  return SSL_CIPHER_get_protocol_id(cipher);
+}
+
 int SSL_CIPHER_is_aead(const SSL_CIPHER *cipher) {
   return (cipher->algorithm_mac & SSL_AEAD) != 0;
 }

data/third_party/boringssl-with-bazel/src/ssl/tls13_both.cc

@@ -244,8 +244,7 @@ bool tls13_process_certificate(SSL_HANDSHAKE *hs, const SSLMessage &msg,
 
     uint8_t alert = SSL_AD_DECODE_ERROR;
     if (!ssl_parse_extensions(&extensions, &alert, ext_types,
-                              OPENSSL_ARRAY_SIZE(ext_types),
-                              0 /* reject unknown */)) {
+                              /*ignore_unknown=*/false)) {
       ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
       return false;
     }

data/third_party/boringssl-with-bazel/src/ssl/tls13_client.cc

@@ -172,8 +172,7 @@ static enum ssl_hs_wait_t do_read_hello_retry_request(SSL_HANDSHAKE *hs) {
 
   uint8_t alert = SSL_AD_DECODE_ERROR;
   if (!ssl_parse_extensions(&extensions, &alert, ext_types,
-                            OPENSSL_ARRAY_SIZE(ext_types),
-                            0 /* reject unknown */)) {
+                            /*ignore_unknown=*/false)) {
     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
     return ssl_hs_error;
   }
@@ -338,8 +337,7 @@ static enum ssl_hs_wait_t do_read_server_hello(SSL_HANDSHAKE *hs) {
 
   uint8_t alert = SSL_AD_DECODE_ERROR;
   if (!ssl_parse_extensions(&extensions, &alert, ext_types,
-                            OPENSSL_ARRAY_SIZE(ext_types),
-                            0 /* reject unknown */)) {
+                            /*ignore_unknown=*/false)) {
     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
     return ssl_hs_error;
   }
@@ -568,8 +566,7 @@ static enum ssl_hs_wait_t do_read_certificate_request(SSL_HANDSHAKE *hs) {
       !CBS_get_u16_length_prefixed(&body, &extensions) ||
       CBS_len(&body) != 0 ||
       !ssl_parse_extensions(&extensions, &alert, ext_types,
-                            OPENSSL_ARRAY_SIZE(ext_types),
-                            1 /* accept unknown */) ||
+                            /*ignore_unknown=*/true) ||
       (have_ca && CBS_len(&ca) == 0) ||
       !have_sigalgs ||
       !CBS_get_u16_length_prefixed(&sigalgs,
@@ -989,8 +986,7 @@ UniquePtr<SSL_SESSION> tls13_create_session_with_ticket(SSL *ssl, CBS *body) {
 
   uint8_t alert = SSL_AD_DECODE_ERROR;
   if (!ssl_parse_extensions(&extensions, &alert, ext_types,
-                            OPENSSL_ARRAY_SIZE(ext_types),
-                            1 /* ignore unknown */)) {
+                            /*ignore_unknown=*/true)) {
     ssl_send_alert(ssl, SSL3_AL_FATAL, alert);
     return nullptr;
   }

data/third_party/boringssl-with-bazel/src/ssl/tls13_server.cc

@@ -501,7 +501,7 @@ static enum ssl_hs_wait_t do_send_hello_retry_request(SSL_HANDSHAKE *hs) {
       !CBB_add_bytes(&body, kHelloRetryRequest, SSL3_RANDOM_SIZE) ||
       !CBB_add_u8_length_prefixed(&body, &session_id) ||
       !CBB_add_bytes(&session_id, hs->session_id, hs->session_id_len) ||
-      !CBB_add_u16(&body, ssl_cipher_get_value(hs->new_cipher)) ||
+      !CBB_add_u16(&body, SSL_CIPHER_get_protocol_id(hs->new_cipher)) ||
       !CBB_add_u8(&body, 0 /* no compression */) ||
       !tls1_get_shared_group(hs, &group_id) ||
       !CBB_add_u16_length_prefixed(&body, &extensions) ||
@@ -613,7 +613,7 @@ static enum ssl_hs_wait_t do_send_server_hello(SSL_HANDSHAKE *hs) {
       !CBB_add_bytes(&body, ssl->s3->server_random, SSL3_RANDOM_SIZE) ||
       !CBB_add_u8_length_prefixed(&body, &session_id) ||
       !CBB_add_bytes(&session_id, hs->session_id, hs->session_id_len) ||
-      !CBB_add_u16(&body, ssl_cipher_get_value(hs->new_cipher)) ||
+      !CBB_add_u16(&body, SSL_CIPHER_get_protocol_id(hs->new_cipher)) ||
       !CBB_add_u8(&body, 0) ||
       !CBB_add_u16_length_prefixed(&body, &extensions) ||
       !ssl_ext_pre_shared_key_add_serverhello(hs, &extensions) ||

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: grpc
 version: !ruby/object:Gem::Version
-  version: 1.32.0
+  version: 1.33.0.pre1
 platform: ruby
 authors:
 - gRPC Authors
 autorequire: 
 bindir: src/ruby/bin
 cert_chain: []
-date: 2020-09-08 00:00:00.000000000 Z
+date: 2020-10-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: google-protobuf
@@ -315,9 +315,9 @@ files:
 - src/core/ext/filters/client_channel/lb_policy/weighted_target/weighted_target.cc
 - src/core/ext/filters/client_channel/lb_policy/xds/cds.cc
 - src/core/ext/filters/client_channel/lb_policy/xds/eds.cc
-- src/core/ext/filters/client_channel/lb_policy/xds/lrs.cc
+- src/core/ext/filters/client_channel/lb_policy/xds/eds_drop.cc
 - src/core/ext/filters/client_channel/lb_policy/xds/xds.h
-- src/core/ext/filters/client_channel/lb_policy/xds/xds_routing.cc
+- src/core/ext/filters/client_channel/lb_policy/xds/xds_cluster_manager.cc
 - src/core/ext/filters/client_channel/lb_policy_factory.h
 - src/core/ext/filters/client_channel/lb_policy_registry.cc
 - src/core/ext/filters/client_channel/lb_policy_registry.h
@@ -347,6 +347,7 @@ files:
 - src/core/ext/filters/client_channel/resolver/fake/fake_resolver.h
 - src/core/ext/filters/client_channel/resolver/sockaddr/sockaddr_resolver.cc
 - src/core/ext/filters/client_channel/resolver/xds/xds_resolver.cc
+- src/core/ext/filters/client_channel/resolver/xds/xds_resolver.h
 - src/core/ext/filters/client_channel/resolver_factory.h
 - src/core/ext/filters/client_channel/resolver_registry.cc
 - src/core/ext/filters/client_channel/resolver_registry.h
@@ -476,6 +477,8 @@ files:
 - src/core/ext/upb-generated/envoy/config/core/v3/config_source.upb.h
 - src/core/ext/upb-generated/envoy/config/core/v3/event_service_config.upb.c
 - src/core/ext/upb-generated/envoy/config/core/v3/event_service_config.upb.h
+- src/core/ext/upb-generated/envoy/config/core/v3/extension.upb.c
+- src/core/ext/upb-generated/envoy/config/core/v3/extension.upb.h
 - src/core/ext/upb-generated/envoy/config/core/v3/grpc_service.upb.c
 - src/core/ext/upb-generated/envoy/config/core/v3/grpc_service.upb.h
 - src/core/ext/upb-generated/envoy/config/core/v3/health_check.upb.c
@@ -488,6 +491,8 @@ files:
 - src/core/ext/upb-generated/envoy/config/core/v3/proxy_protocol.upb.h
 - src/core/ext/upb-generated/envoy/config/core/v3/socket_option.upb.c
 - src/core/ext/upb-generated/envoy/config/core/v3/socket_option.upb.h
+- src/core/ext/upb-generated/envoy/config/core/v3/substitution_format_string.upb.c
+- src/core/ext/upb-generated/envoy/config/core/v3/substitution_format_string.upb.h
 - src/core/ext/upb-generated/envoy/config/endpoint/v3/endpoint.upb.c
 - src/core/ext/upb-generated/envoy/config/endpoint/v3/endpoint.upb.h
 - src/core/ext/upb-generated/envoy/config/endpoint/v3/endpoint_components.upb.c
@@ -562,10 +567,10 @@ files:
 - src/core/ext/upb-generated/envoy/type/v3/range.upb.h
 - src/core/ext/upb-generated/envoy/type/v3/semantic_version.upb.c
 - src/core/ext/upb-generated/envoy/type/v3/semantic_version.upb.h
-- src/core/ext/upb-generated/gogoproto/gogo.upb.c
-- src/core/ext/upb-generated/gogoproto/gogo.upb.h
 - src/core/ext/upb-generated/google/api/annotations.upb.c
 - src/core/ext/upb-generated/google/api/annotations.upb.h
+- src/core/ext/upb-generated/google/api/expr/v1alpha1/checked.upb.c
+- src/core/ext/upb-generated/google/api/expr/v1alpha1/checked.upb.h
 - src/core/ext/upb-generated/google/api/expr/v1alpha1/syntax.upb.c
 - src/core/ext/upb-generated/google/api/expr/v1alpha1/syntax.upb.h
 - src/core/ext/upb-generated/google/api/http.upb.c
@@ -598,23 +603,41 @@ files:
 - src/core/ext/upb-generated/src/proto/grpc/lb/v1/load_balancer.upb.h
 - src/core/ext/upb-generated/udpa/annotations/migrate.upb.c
 - src/core/ext/upb-generated/udpa/annotations/migrate.upb.h
+- src/core/ext/upb-generated/udpa/annotations/security.upb.c
+- src/core/ext/upb-generated/udpa/annotations/security.upb.h
 - src/core/ext/upb-generated/udpa/annotations/sensitive.upb.c
 - src/core/ext/upb-generated/udpa/annotations/sensitive.upb.h
 - src/core/ext/upb-generated/udpa/annotations/status.upb.c
 - src/core/ext/upb-generated/udpa/annotations/status.upb.h
 - src/core/ext/upb-generated/udpa/annotations/versioning.upb.c
 - src/core/ext/upb-generated/udpa/annotations/versioning.upb.h
+- src/core/ext/upb-generated/udpa/core/v1/authority.upb.c
+- src/core/ext/upb-generated/udpa/core/v1/authority.upb.h
+- src/core/ext/upb-generated/udpa/core/v1/collection_entry.upb.c
+- src/core/ext/upb-generated/udpa/core/v1/collection_entry.upb.h
+- src/core/ext/upb-generated/udpa/core/v1/context_params.upb.c
+- src/core/ext/upb-generated/udpa/core/v1/context_params.upb.h
+- src/core/ext/upb-generated/udpa/core/v1/resource.upb.c
+- src/core/ext/upb-generated/udpa/core/v1/resource.upb.h
+- src/core/ext/upb-generated/udpa/core/v1/resource_locator.upb.c
+- src/core/ext/upb-generated/udpa/core/v1/resource_locator.upb.h
+- src/core/ext/upb-generated/udpa/core/v1/resource_name.upb.c
+- src/core/ext/upb-generated/udpa/core/v1/resource_name.upb.h
 - src/core/ext/upb-generated/udpa/data/orca/v1/orca_load_report.upb.c
 - src/core/ext/upb-generated/udpa/data/orca/v1/orca_load_report.upb.h
 - src/core/ext/upb-generated/validate/validate.upb.c
 - src/core/ext/upb-generated/validate/validate.upb.h
+- src/core/ext/xds/certificate_provider_factory.h
+- src/core/ext/xds/certificate_provider_registry.cc
+- src/core/ext/xds/certificate_provider_registry.h
+- src/core/ext/xds/certificate_provider_store.h
+- src/core/ext/xds/google_mesh_ca_certificate_provider_factory.cc
+- src/core/ext/xds/google_mesh_ca_certificate_provider_factory.h
 - src/core/ext/xds/xds_api.cc
 - src/core/ext/xds/xds_api.h
 - src/core/ext/xds/xds_bootstrap.cc
 - src/core/ext/xds/xds_bootstrap.h
-- src/core/ext/xds/xds_channel.h
 - src/core/ext/xds/xds_channel_args.h
-- src/core/ext/xds/xds_channel_secure.cc
 - src/core/ext/xds/xds_client.cc
 - src/core/ext/xds/xds_client.h
 - src/core/ext/xds/xds_client_stats.cc
@@ -715,6 +738,7 @@ files:
 - src/core/lib/gprpp/arena.h
 - src/core/lib/gprpp/atomic.h
 - src/core/lib/gprpp/debug_location.h
+- src/core/lib/gprpp/dual_ref_counted.h
 - src/core/lib/gprpp/fork.cc
 - src/core/lib/gprpp/fork.h
 - src/core/lib/gprpp/global_config.h
@@ -919,6 +943,8 @@ files:
 - src/core/lib/iomgr/work_serializer.h
 - src/core/lib/json/json.h
 - src/core/lib/json/json_reader.cc
+- src/core/lib/json/json_util.cc
+- src/core/lib/json/json_util.h
 - src/core/lib/json/json_writer.cc
 - src/core/lib/profiling/basic_timers.cc
 - src/core/lib/profiling/stap_timers.cc
@@ -934,6 +960,7 @@ files:
 - src/core/lib/security/authorization/mock_cel/evaluator_core.h
 - src/core/lib/security/authorization/mock_cel/flat_expr_builder.h
 - src/core/lib/security/authorization/mock_cel/statusor.h
+- src/core/lib/security/certificate_provider.h
 - src/core/lib/security/context/security_context.cc
 - src/core/lib/security/context/security_context.h
 - src/core/lib/security/credentials/alts/alts_credentials.cc
@@ -973,10 +1000,14 @@ files:
 - src/core/lib/security/credentials/plugin/plugin_credentials.h
 - src/core/lib/security/credentials/ssl/ssl_credentials.cc
 - src/core/lib/security/credentials/ssl/ssl_credentials.h
+- src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.cc
+- src/core/lib/security/credentials/tls/grpc_tls_certificate_distributor.h
 - src/core/lib/security/credentials/tls/grpc_tls_credentials_options.cc
 - src/core/lib/security/credentials/tls/grpc_tls_credentials_options.h
 - src/core/lib/security/credentials/tls/tls_credentials.cc
 - src/core/lib/security/credentials/tls/tls_credentials.h
+- src/core/lib/security/credentials/xds/xds_credentials.cc
+- src/core/lib/security/credentials/xds/xds_credentials.h
 - src/core/lib/security/security_connector/alts/alts_security_connector.cc
 - src/core/lib/security/security_connector/alts/alts_security_connector.h
 - src/core/lib/security/security_connector/fake/fake_security_connector.cc
@@ -1574,6 +1605,7 @@ files:
 - third_party/boringssl-with-bazel/src/crypto/digest_extra/digest_extra.c
 - third_party/boringssl-with-bazel/src/crypto/dsa/dsa.c
 - third_party/boringssl-with-bazel/src/crypto/dsa/dsa_asn1.c
+- third_party/boringssl-with-bazel/src/crypto/dsa/internal.h
 - third_party/boringssl-with-bazel/src/crypto/ec_extra/ec_asn1.c
 - third_party/boringssl-with-bazel/src/crypto/ec_extra/ec_derive.c
 - third_party/boringssl-with-bazel/src/crypto/ec_extra/hash_to_curve.c
@@ -1828,12 +1860,10 @@ files:
 - third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pci.c
 - third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pcia.c
 - third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pcons.c
-- third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pku.c
 - third_party/boringssl-with-bazel/src/crypto/x509v3/v3_pmaps.c
 - third_party/boringssl-with-bazel/src/crypto/x509v3/v3_prn.c
 - third_party/boringssl-with-bazel/src/crypto/x509v3/v3_purp.c
 - third_party/boringssl-with-bazel/src/crypto/x509v3/v3_skey.c
-- third_party/boringssl-with-bazel/src/crypto/x509v3/v3_sxnet.c
 - third_party/boringssl-with-bazel/src/crypto/x509v3/v3_utl.c
 - third_party/boringssl-with-bazel/src/include/openssl/aead.h
 - third_party/boringssl-with-bazel/src/include/openssl/aes.h
@@ -2135,55 +2165,55 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 2.3.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubygems_version: 3.1.4
 signing_key: 
 specification_version: 4
 summary: GRPC system in Ruby
 test_files:
+- src/ruby/spec/testdata/server1.key
+- src/ruby/spec/testdata/server1.pem
+- src/ruby/spec/testdata/client.pem
+- src/ruby/spec/testdata/ca.pem
+- src/ruby/spec/testdata/client.key
+- src/ruby/spec/testdata/README
+- src/ruby/spec/server_credentials_spec.rb
+- src/ruby/spec/error_sanity_spec.rb
+- src/ruby/spec/call_spec.rb
+- src/ruby/spec/client_auth_spec.rb
 - src/ruby/spec/call_credentials_spec.rb
-- src/ruby/spec/generic/rpc_desc_spec.rb
-- src/ruby/spec/generic/service_spec.rb
+- src/ruby/spec/pb/health/checker_spec.rb
+- src/ruby/spec/pb/duplicate/codegen_spec.rb
+- src/ruby/spec/pb/codegen/grpc/testing/package_options_import2.proto
+- src/ruby/spec/pb/codegen/grpc/testing/same_package_service_name.proto
+- src/ruby/spec/pb/codegen/grpc/testing/package_options_import.proto
+- src/ruby/spec/pb/codegen/grpc/testing/package_options.proto
+- src/ruby/spec/pb/codegen/grpc/testing/same_ruby_package_service_name.proto
+- src/ruby/spec/pb/codegen/grpc/testing/package_options_ruby_style.proto
+- src/ruby/spec/pb/codegen/package_option_spec.rb
+- src/ruby/spec/spec_helper.rb
+- src/ruby/spec/channel_connection_spec.rb
 - src/ruby/spec/generic/client_interceptors_spec.rb
-- src/ruby/spec/generic/server_interceptors_spec.rb
 - src/ruby/spec/generic/interceptor_registry_spec.rb
+- src/ruby/spec/generic/rpc_server_spec.rb
 - src/ruby/spec/generic/active_call_spec.rb
 - src/ruby/spec/generic/client_stub_spec.rb
+- src/ruby/spec/generic/service_spec.rb
+- src/ruby/spec/generic/server_interceptors_spec.rb
+- src/ruby/spec/generic/rpc_desc_spec.rb
 - src/ruby/spec/generic/rpc_server_pool_spec.rb
-- src/ruby/spec/generic/rpc_server_spec.rb
-- src/ruby/spec/channel_connection_spec.rb
+- src/ruby/spec/channel_spec.rb
+- src/ruby/spec/support/services.rb
+- src/ruby/spec/support/helpers.rb
 - src/ruby/spec/time_consts_spec.rb
-- src/ruby/spec/server_spec.rb
-- src/ruby/spec/pb/codegen/package_option_spec.rb
-- src/ruby/spec/pb/codegen/grpc/testing/package_options_import.proto
-- src/ruby/spec/pb/codegen/grpc/testing/same_package_service_name.proto
-- src/ruby/spec/pb/codegen/grpc/testing/package_options.proto
-- src/ruby/spec/pb/codegen/grpc/testing/package_options_ruby_style.proto
-- src/ruby/spec/pb/codegen/grpc/testing/same_ruby_package_service_name.proto
-- src/ruby/spec/pb/codegen/grpc/testing/package_options_import2.proto
-- src/ruby/spec/pb/duplicate/codegen_spec.rb
-- src/ruby/spec/pb/health/checker_spec.rb
 - src/ruby/spec/client_server_spec.rb
-- src/ruby/spec/spec_helper.rb
 - src/ruby/spec/user_agent_spec.rb
 - src/ruby/spec/channel_credentials_spec.rb
-- src/ruby/spec/call_spec.rb
-- src/ruby/spec/testdata/client.key
-- src/ruby/spec/testdata/server1.key
-- src/ruby/spec/testdata/client.pem
-- src/ruby/spec/testdata/ca.pem
-- src/ruby/spec/testdata/server1.pem
-- src/ruby/spec/testdata/README
-- src/ruby/spec/client_auth_spec.rb
-- src/ruby/spec/support/helpers.rb
-- src/ruby/spec/support/services.rb
-- src/ruby/spec/errors_spec.rb
-- src/ruby/spec/channel_spec.rb
-- src/ruby/spec/error_sanity_spec.rb
 - src/ruby/spec/google_rpc_status_utils_spec.rb
 - src/ruby/spec/compression_options_spec.rb
-- src/ruby/spec/server_credentials_spec.rb
+- src/ruby/spec/server_spec.rb
+- src/ruby/spec/errors_spec.rb
 - src/ruby/spec/debug_message_spec.rb