grpc 1.78.0 → 1.80.0.pre1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b395eda61b4ddda55f3c3d58e5548efe3ff640508f358ee25ae7e95069807dd1
-  data.tar.gz: a161ac1a66e518d01d1778726d29f245a2c098d65206c5699484e5a6d84addae
+  metadata.gz: c07293ac6e598f03bca8daf804e71b55661e5510893c94453e3cba3a277cb889
+  data.tar.gz: 459b8aedf9dd6afe0aaeeb8b5ad391c9ac355c9bb060037ebc2b77361e9821c1
 SHA512:
-  metadata.gz: 2e861bbb78de2db510c14b98d0796adb0b421aa6aa8f5cdc8d38e5f4952a40f2c34a9b1e464f492cfcdd243c305262778b7045631db7bd95ba3abe28a71268a0
-  data.tar.gz: 5535c1177757dbb861f1e26de3e7d645f148eb1a716a282ca8b041a5aee782b89085056d60fa3958045893d066bbd06f17d42dc08e4750b5a4a28c3dd426a09a
+  metadata.gz: cc6ea871354d656c29732774d6b589399ac3097cdfb7e35000b5d90728cdb53517339e97c72296d955666c88977126dce941452f6eb7ff69ebd5d4ad7e758c16
+  data.tar.gz: d1f14482b834f9f8897ce0f6a6744cc7acd9737c51c4447f3f11f508275a56b9fd03bfd45f26f3bb3b2fbb3670eaac137b46af959383b3f5f48ecf190149cb33

data/Makefile

@@ -367,8 +367,8 @@ E = @echo
 Q = @
 endif
 
-CORE_VERSION = 52.0.0
-CPP_VERSION = 1.78.0
+CORE_VERSION = 53.0.0
+CPP_VERSION = 1.80.0-pre1
 
 CPPFLAGS_NO_ARCH += $(addprefix -I, $(INCLUDES)) $(addprefix -D, $(DEFINES))
 CPPFLAGS += $(CPPFLAGS_NO_ARCH) $(ARCH_FLAGS)
@@ -404,7 +404,7 @@ SHARED_EXT_CORE = dll
 SHARED_EXT_CPP = dll
 
 SHARED_PREFIX =
-SHARED_VERSION_CORE = -52
+SHARED_VERSION_CORE = -53
 SHARED_VERSION_CPP = -1
 else ifeq ($(SYSTEM),Darwin)
 EXECUTABLE_SUFFIX =
@@ -710,6 +710,7 @@ LIBGRPC_SRC = \
     src/core/client_channel/subchannel.cc \
     src/core/client_channel/subchannel_pool_interface.cc \
     src/core/client_channel/subchannel_stream_client.cc \
+    src/core/client_channel/subchannel_stream_limiter.cc \
     src/core/config/config_vars.cc \
     src/core/config/config_vars_non_generated.cc \
     src/core/config/core_configuration.cc \
@@ -826,14 +827,16 @@ LIBGRPC_SRC = \
     src/core/ext/transport/chttp2/transport/ping_callbacks.cc \
     src/core/ext/transport/chttp2/transport/ping_promise.cc \
     src/core/ext/transport/chttp2/transport/ping_rate_policy.cc \
-    src/core/ext/transport/chttp2/transport/security_frame.cc \
     src/core/ext/transport/chttp2/transport/stream_lists.cc \
     src/core/ext/transport/chttp2/transport/transport_common.cc \
     src/core/ext/transport/chttp2/transport/varint.cc \
+    src/core/ext/transport/chttp2/transport/write_cycle.cc \
     src/core/ext/transport/chttp2/transport/write_size_policy.cc \
     src/core/ext/transport/chttp2/transport/writing.cc \
     src/core/ext/transport/inproc/inproc_transport.cc \
     src/core/ext/transport/inproc/legacy_inproc_transport.cc \
+    src/core/ext/upb-gen/cel/expr/checked.upb_minitable.c \
+    src/core/ext/upb-gen/cel/expr/syntax.upb_minitable.c \
     src/core/ext/upb-gen/envoy/admin/v3/certs.upb_minitable.c \
     src/core/ext/upb-gen/envoy/admin/v3/clusters.upb_minitable.c \
     src/core/ext/upb-gen/envoy/admin/v3/config_dump.upb_minitable.c \
@@ -854,9 +857,11 @@ LIBGRPC_SRC = \
     src/core/ext/upb-gen/envoy/config/cluster/v3/filter.upb_minitable.c \
     src/core/ext/upb-gen/envoy/config/cluster/v3/outlier_detection.upb_minitable.c \
     src/core/ext/upb-gen/envoy/config/common/matcher/v3/matcher.upb_minitable.c \
+    src/core/ext/upb-gen/envoy/config/common/mutation_rules/v3/mutation_rules.upb_minitable.c \
     src/core/ext/upb-gen/envoy/config/core/v3/address.upb_minitable.c \
     src/core/ext/upb-gen/envoy/config/core/v3/backoff.upb_minitable.c \
     src/core/ext/upb-gen/envoy/config/core/v3/base.upb_minitable.c \
+    src/core/ext/upb-gen/envoy/config/core/v3/cel.upb_minitable.c \
     src/core/ext/upb-gen/envoy/config/core/v3/config_source.upb_minitable.c \
     src/core/ext/upb-gen/envoy/config/core/v3/event_service_config.upb_minitable.c \
     src/core/ext/upb-gen/envoy/config/core/v3/extension.upb_minitable.c \
@@ -907,6 +912,9 @@ LIBGRPC_SRC = \
     src/core/ext/upb-gen/envoy/extensions/filters/http/router/v3/router.upb_minitable.c \
     src/core/ext/upb-gen/envoy/extensions/filters/http/stateful_session/v3/stateful_session.upb_minitable.c \
     src/core/ext/upb-gen/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.upb_minitable.c \
+    src/core/ext/upb-gen/envoy/extensions/grpc_service/call_credentials/access_token/v3/access_token_credentials.upb_minitable.c \
+    src/core/ext/upb-gen/envoy/extensions/grpc_service/channel_credentials/tls/v3/tls_credentials.upb_minitable.c \
+    src/core/ext/upb-gen/envoy/extensions/grpc_service/channel_credentials/xds/v3/xds_credentials.upb_minitable.c \
     src/core/ext/upb-gen/envoy/extensions/http/stateful_session/cookie/v3/cookie.upb_minitable.c \
     src/core/ext/upb-gen/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.upb_minitable.c \
     src/core/ext/upb-gen/envoy/extensions/load_balancing_policies/common/v3/common.upb_minitable.c \
@@ -1006,6 +1014,8 @@ LIBGRPC_SRC = \
     src/core/ext/upb-gen/xds/type/v3/cel.upb_minitable.c \
     src/core/ext/upb-gen/xds/type/v3/range.upb_minitable.c \
     src/core/ext/upb-gen/xds/type/v3/typed_struct.upb_minitable.c \
+    src/core/ext/upbdefs-gen/cel/expr/checked.upbdefs.c \
+    src/core/ext/upbdefs-gen/cel/expr/syntax.upbdefs.c \
     src/core/ext/upbdefs-gen/envoy/admin/v3/certs.upbdefs.c \
     src/core/ext/upbdefs-gen/envoy/admin/v3/clusters.upbdefs.c \
     src/core/ext/upbdefs-gen/envoy/admin/v3/config_dump.upbdefs.c \
@@ -1026,9 +1036,11 @@ LIBGRPC_SRC = \
     src/core/ext/upbdefs-gen/envoy/config/cluster/v3/filter.upbdefs.c \
     src/core/ext/upbdefs-gen/envoy/config/cluster/v3/outlier_detection.upbdefs.c \
     src/core/ext/upbdefs-gen/envoy/config/common/matcher/v3/matcher.upbdefs.c \
+    src/core/ext/upbdefs-gen/envoy/config/common/mutation_rules/v3/mutation_rules.upbdefs.c \
     src/core/ext/upbdefs-gen/envoy/config/core/v3/address.upbdefs.c \
     src/core/ext/upbdefs-gen/envoy/config/core/v3/backoff.upbdefs.c \
     src/core/ext/upbdefs-gen/envoy/config/core/v3/base.upbdefs.c \
+    src/core/ext/upbdefs-gen/envoy/config/core/v3/cel.upbdefs.c \
     src/core/ext/upbdefs-gen/envoy/config/core/v3/config_source.upbdefs.c \
     src/core/ext/upbdefs-gen/envoy/config/core/v3/event_service_config.upbdefs.c \
     src/core/ext/upbdefs-gen/envoy/config/core/v3/extension.upbdefs.c \
@@ -1172,11 +1184,10 @@ LIBGRPC_SRC = \
     src/core/handshaker/endpoint_info/endpoint_info_handshaker.cc \
     src/core/handshaker/handshaker.cc \
     src/core/handshaker/handshaker_registry.cc \
-    src/core/handshaker/http_connect/http_connect_handshaker.cc \
+    src/core/handshaker/http_connect/http_connect_client_handshaker.cc \
     src/core/handshaker/http_connect/http_proxy_mapper.cc \
     src/core/handshaker/http_connect/xds_http_proxy_mapper.cc \
     src/core/handshaker/proxy_mapper_registry.cc \
-    src/core/handshaker/security/legacy_secure_endpoint.cc \
     src/core/handshaker/security/pipelined_secure_endpoint.cc \
     src/core/handshaker/security/secure_endpoint.cc \
     src/core/handshaker/security/security_handshaker.cc \
@@ -1564,6 +1575,7 @@ LIBGRPC_SRC = \
     src/core/xds/grpc/xds_endpoint_parser.cc \
     src/core/xds/grpc/xds_health_status.cc \
     src/core/xds/grpc/xds_http_fault_filter.cc \
+    src/core/xds/grpc/xds_http_filter.cc \
     src/core/xds/grpc/xds_http_filter_registry.cc \
     src/core/xds/grpc/xds_http_gcp_authn_filter.cc \
     src/core/xds/grpc/xds_http_rbac_filter.cc \
@@ -1814,6 +1826,7 @@ PUBLIC_HEADERS_C += \
     include/grpc/compression.h \
     include/grpc/create_channel_from_endpoint.h \
     include/grpc/credentials.h \
+    include/grpc/credentials_cpp.h \
     include/grpc/event_engine/endpoint_config.h \
     include/grpc/event_engine/event_engine.h \
     include/grpc/event_engine/extensible.h \
@@ -1850,6 +1863,7 @@ PUBLIC_HEADERS_C += \
     include/grpc/impl/slice_type.h \
     include/grpc/load_reporting.h \
     include/grpc/passive_listener.h \
+    include/grpc/private_key_signer.h \
     include/grpc/slice.h \
     include/grpc/slice_buffer.h \
     include/grpc/status.h \
@@ -1891,8 +1905,8 @@ $(LIBDIR)/$(CONFIG)/libgrpc$(SHARED_VERSION_CORE).$(SHARED_EXT_CORE): $(LIBGRPC_
 ifeq ($(SYSTEM),Darwin)
 	$(Q) $(LDXX) $(LDFLAGS) -L$(LIBDIR)/$(CONFIG) -install_name $(SHARED_PREFIX)grpc$(SHARED_VERSION_CORE).$(SHARED_EXT_CORE) -dynamiclib -o $(LIBDIR)/$(CONFIG)/libgrpc$(SHARED_VERSION_CORE).$(SHARED_EXT_CORE) $(LIBGRPC_OBJS) $(LIBDIR)/$(CONFIG)/libcares.a $(OPENSSL_MERGE_LIBS) $(ZLIB_MERGE_LIBS) $(LDLIBS_SECURE) $(LDLIBS)
 else
-	$(Q) $(LDXX) $(LDFLAGS) -L$(LIBDIR)/$(CONFIG) -shared -Wl,-soname,libgrpc.so.52 -o $(LIBDIR)/$(CONFIG)/libgrpc$(SHARED_VERSION_CORE).$(SHARED_EXT_CORE) $(LIBGRPC_OBJS) $(LIBDIR)/$(CONFIG)/libcares.a $(OPENSSL_MERGE_LIBS) $(ZLIB_MERGE_LIBS) $(LDLIBS_SECURE) $(LDLIBS)
-	$(Q) ln -sf $(SHARED_PREFIX)grpc$(SHARED_VERSION_CORE).$(SHARED_EXT_CORE) $(LIBDIR)/$(CONFIG)/libgrpc$(SHARED_VERSION_CORE).so.52
+	$(Q) $(LDXX) $(LDFLAGS) -L$(LIBDIR)/$(CONFIG) -shared -Wl,-soname,libgrpc.so.53 -o $(LIBDIR)/$(CONFIG)/libgrpc$(SHARED_VERSION_CORE).$(SHARED_EXT_CORE) $(LIBGRPC_OBJS) $(LIBDIR)/$(CONFIG)/libcares.a $(OPENSSL_MERGE_LIBS) $(ZLIB_MERGE_LIBS) $(LDLIBS_SECURE) $(LDLIBS)
+	$(Q) ln -sf $(SHARED_PREFIX)grpc$(SHARED_VERSION_CORE).$(SHARED_EXT_CORE) $(LIBDIR)/$(CONFIG)/libgrpc$(SHARED_VERSION_CORE).so.53
 	$(Q) ln -sf $(SHARED_PREFIX)grpc$(SHARED_VERSION_CORE).$(SHARED_EXT_CORE) $(LIBDIR)/$(CONFIG)/libgrpc$(SHARED_VERSION_CORE).so
 endif
 endif

data/include/grpc/credentials.h

@@ -645,21 +645,6 @@ GRPCAPI void grpc_tls_identity_pairs_add_pair(grpc_tls_identity_pairs* pairs,
  */
 GRPCAPI void grpc_tls_identity_pairs_destroy(grpc_tls_identity_pairs* pairs);
 
-/**
- * EXPERIMENTAL API - Subject to change
- *
- * Creates a grpc_tls_certificate_provider that will load credential data from
- * static string during initialization. This provider will always return the
- * same cert data for all cert names.
- * root_certificate and pem_key_cert_pairs can be nullptr, indicating the
- * corresponding credential data is not needed.
- * This function will make a copy of |root_certificate|.
- * The ownership of |pem_key_cert_pairs| is transferred.
- */
-GRPCAPI grpc_tls_certificate_provider*
-grpc_tls_certificate_provider_static_data_create(
-    const char* root_certificate, grpc_tls_identity_pairs* pem_key_cert_pairs);
-
 /**
  * EXPERIMENTAL API - Subject to change
  *
@@ -692,6 +677,46 @@ grpc_tls_certificate_provider_file_watcher_create(
     const char* root_cert_path, const char* spiffe_bundle_map_path,
     unsigned int refresh_interval_sec);
 
+/**
+ * EXPERIMENTAL API - Subject to change
+ *
+ * Creates a grpc_tls_certificate_provider that will load credential data from
+ * memory during initialization. This provider allows updating the identity and
+ * root certificates independently.
+ */
+GRPCAPI grpc_tls_certificate_provider*
+grpc_tls_certificate_provider_in_memory_create();
+
+/**
+ * EXPERIMENTAL API - Subject to change
+ *
+ * Update the root certificate of a grpc_tls_certificate_provider created with
+ * `grpc_tls_certificate_provider_in_memory_create`.
+ *
+ * root_certificate can be nullptr, indicating the corresponding credential data
+ * is not needed. This function will make a copy of |root_cert|.
+ *
+ * Returns true if the root certificate was successfully updated.
+ */
+GRPCAPI bool grpc_tls_certificate_provider_in_memory_set_root_certificate(
+    grpc_tls_certificate_provider* provider, const char* root_cert);
+
+/**
+ * EXPERIMENTAL API - Subject to change
+ *
+ * Update the identity certificate of a grpc_tls_certificate_provider created
+ * with `grpc_tls_certificate_provider_in_memory_create`.
+ *
+ * pem_key_cert_pairs can be nullptr, indicating the
+ * corresponding credential data is not needed.
+ * The ownership of |pem_key_cert_pairs| is transferred.
+ *
+ * Returns true if the identity certificate was successfully updated.
+ */
+GRPCAPI bool grpc_tls_certificate_provider_in_memory_set_identity_certificate(
+    grpc_tls_certificate_provider* provider,
+    grpc_tls_identity_pairs* pem_key_cert_pairs);
+
 /**
  * EXPERIMENTAL API - Subject to change
  *
@@ -984,27 +1009,22 @@ typedef struct grpc_tls_certificate_provider grpc_tls_certificate_provider;
 /**
  * EXPERIMENTAL API - Subject to change
  *
- * Sets the credential provider in the options.
+ * Sets the identity certificate provider in the options.
  * The |options| will implicitly take a new ref to the |provider|.
  */
-GRPCAPI void grpc_tls_credentials_options_set_certificate_provider(
+GRPCAPI void grpc_tls_credentials_options_set_identity_certificate_provider(
     grpc_tls_credentials_options* options,
     grpc_tls_certificate_provider* provider);
 
 /**
  * EXPERIMENTAL API - Subject to change
  *
- * If set, gRPC stack will keep watching the root certificates with
- * name |root_cert_name|.
- * If this is not set on the client side, we will use the root certificates
- * stored in the default system location, since client side must provide root
- * certificates in TLS.
- * If this is not set on the server side, we will not watch any root certificate
- * updates, and assume no root certificates needed for the server(single-side
- * TLS). Default root certs on the server side is not supported.
+ * Sets the root certificate provider in the options.
+ * The |options| will implicitly take a new ref to the |provider|.
  */
-GRPCAPI void grpc_tls_credentials_options_watch_root_certs(
-    grpc_tls_credentials_options* options);
+GRPCAPI void grpc_tls_credentials_options_set_root_certificate_provider(
+    grpc_tls_credentials_options* options,
+    grpc_tls_certificate_provider* provider);
 
 /**
  * EXPERIMENTAL API - Subject to change
@@ -1015,16 +1035,6 @@ GRPCAPI void grpc_tls_credentials_options_watch_root_certs(
 GRPCAPI void grpc_tls_credentials_options_set_root_cert_name(
     grpc_tls_credentials_options* options, const char* root_cert_name);
 
-/**
- * EXPERIMENTAL API - Subject to change
- *
- * If set, gRPC stack will keep watching the identity key-cert pairs
- * with name |identity_cert_name|.
- * This is required on the server side, and optional on the client side.
- */
-GRPCAPI void grpc_tls_credentials_options_watch_identity_key_cert_pairs(
-    grpc_tls_credentials_options* options);
-
 /**
  * EXPERIMENTAL API - Subject to change
  *

data/include/grpc/credentials_cpp.h

@@ -0,0 +1,39 @@
+/*
+ *
+ * Copyright 2025 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#ifndef GRPC_CREDENTIALS_CPP_H
+#define GRPC_CREDENTIALS_CPP_H
+
+#include <grpc/credentials.h>
+#include <grpc/support/port_platform.h>
+
+#include <optional>
+#include <string>
+
+/**
+ * EXPERIMENTAL API - Subject to change
+ *
+ * Overrides the SNI that the client sends in the TLS handshake. nullopt
+ * indicates that SNI should not be overridden. An empty string value indicates
+ * that SNI should not be sent at all.
+ */
+void grpc_tls_credentials_options_set_sni_override(
+    grpc_tls_credentials_options* options,
+    std::optional<std::string> sni_override);
+
+#endif /* GRPC_CREDENTIALS_CPP_H */

data/include/grpc/event_engine/event_engine.h

@@ -20,6 +20,7 @@
 #include <grpc/event_engine/memory_allocator.h>
 #include <grpc/event_engine/port.h>
 #include <grpc/event_engine/slice_buffer.h>
+#include <grpc/grpc.h>
 #include <grpc/support/port_platform.h>
 
 #include <bitset>
@@ -158,7 +159,7 @@ class EventEngine : public std::enable_shared_from_this<EventEngine>,
   /// * sockaddr_in6
   class ResolvedAddress {
    public:
-    static constexpr socklen_t MAX_SIZE_BYTES = 128;
+    static constexpr socklen_t MAX_SIZE_BYTES = GRPC_MAX_SOCKADDR_SIZE;
 
     ResolvedAddress(const sockaddr* address, socklen_t size);
     ResolvedAddress() = default;
@@ -191,8 +192,8 @@ class EventEngine : public std::enable_shared_from_this<EventEngine>,
     class ReadArgs final {
      public:
       ReadArgs() = default;
-      ReadArgs(const ReadArgs&) = delete;
-      ReadArgs& operator=(const ReadArgs&) = delete;
+      ReadArgs(const ReadArgs&) = default;
+      ReadArgs& operator=(const ReadArgs&) = default;
       ReadArgs(ReadArgs&&) = default;
       ReadArgs& operator=(ReadArgs&&) = default;
 
@@ -733,6 +734,10 @@ void AbslStringify(Sink& out, const EventEngine::TaskHandle& handle) {
   out.Append(detail::FormatHandleString(handle.keys[0], handle.keys[1]));
 }
 
+/** Fetch a vtable for a grpc_channel_arg that points to a grpc_event_engine
+ */
+const grpc_arg_pointer_vtable* grpc_event_engine_arg_vtable(void);
+
 }  // namespace experimental
 }  // namespace grpc_event_engine
 

data/include/grpc/grpc.h

@@ -529,6 +529,10 @@ GRPCAPI void grpc_resource_quota_resize(grpc_resource_quota* resource_quota,
 GRPCAPI void grpc_resource_quota_set_max_threads(
     grpc_resource_quota* resource_quota, int new_max_threads);
 
+/** Update the size of the maximum number of streams allowed */
+GRPCAPI void grpc_resource_quota_set_max_outstanding_streams(
+    grpc_resource_quota* resource_quota, int new_max_outstanding_streams);
+
 /** EXPERIMENTAL.  Dumps xDS configs as a serialized ClientConfig proto.
     The full name of the proto is envoy.service.status.v3.ClientConfig. */
 GRPCAPI grpc_slice grpc_dump_xds_configs(void);

data/include/grpc/impl/call.h

@@ -25,4 +25,13 @@
 void grpc_call_run_in_event_engine(const grpc_call* call,
                                    absl::AnyInvocable<void()> cb);
 
+// Run a callback in the call's EventEngine creating a new ExecCtx for it. If
+// UseCallEventEngineInCompletionQueueEnabled is enabled, this will run the
+// callback in the call's EventEngine. Otherwise, it will run the callback
+// inline since the completion queue has already scheduled this thread in an
+// EventEngine.
+// Internal-only
+void grpc_call_run_cq_cb(const grpc_call* call,
+                         absl::AnyInvocable<void()>&& cb);
+
 #endif /* GRPC_IMPL_CALL_H */

data/include/grpc/impl/channel_arg_names.h

@@ -420,6 +420,11 @@
  *  Defaults to 250ms. */
 #define GRPC_ARG_HAPPY_EYEBALLS_CONNECTION_ATTEMPT_DELAY_MS \
   "grpc.happy_eyeballs_connection_attempt_delay_ms"
+/** If set, uses the provided EventEngine as the channel's event engine.
+ * TODO(aananthv): Remove GRPC_INTERNAL_ARG_EVENT_ENGINE once all usages are
+ * migrated to this arg.
+ */
+#define GRPC_ARG_EVENT_ENGINE "grpc.experimental.event_engine"
 /** It accepts a MemoryAllocatorFactory as input and If specified, it forces
  * the default event engine to use memory allocators created using the provided
  * factory. */
@@ -434,5 +439,7 @@
 /** If non-zero, allow security frames to be sent and received. */
 #define GRPC_ARG_SECURITY_FRAME_ALLOWED "grpc.security_frame_allowed"
 /** \} */
+/** If non-zero, enable TCP tracing and stats collection. */
+#define GRPC_ARG_TCP_TRACING_ENABLED "grpc.tcp_tracing_enabled"
 
 #endif /* GRPC_IMPL_CHANNEL_ARG_NAMES_H */

data/include/grpc/module.modulemap

@@ -8,6 +8,7 @@ header "byte_buffer.h"
   header "compression.h"
   header "create_channel_from_endpoint.h"
   header "credentials.h"
+  header "credentials_cpp.h"
   header "fork.h"
   header "grpc.h"
   header "grpc_audit_logging.h"
@@ -40,6 +41,7 @@ header "byte_buffer.h"
   header "impl/slice_type.h"
   header "load_reporting.h"
   header "passive_listener.h"
+  header "private_key_signer.h"
   header "slice.h"
   header "slice_buffer.h"
   header "status.h"

data/include/grpc/private_key_signer.h

@@ -0,0 +1,104 @@
+//
+//
+// Copyright 2025 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+//
+
+#ifndef GRPC_PRIVATE_KEY_SIGNER_H
+#define GRPC_PRIVATE_KEY_SIGNER_H
+
+#include <grpc/credentials.h>
+
+#include <memory>
+#include <string>
+#include <variant>
+
+#include "absl/functional/any_invocable.h"
+#include "absl/status/statusor.h"
+#include "absl/strings/string_view.h"
+
+namespace grpc_core {
+
+// Implementations of this class must be thread-safe.
+class PrivateKeySigner {
+ public:
+  // A handle for an asynchronous signing operation.
+  //
+  // When `PrivateKeySigner::Sign` is implemented asynchronously, it returns an
+  // instance of a concrete implementation of this class. This handle is used
+  // to manage the asynchronous signing operation and can be used to cancel the
+  // operation via `PrivateKeySigner::Cancel`.
+  //
+  // Users must provide their own concrete implementation of this class. The
+  // handle can store any state needed for the asynchronous operation.
+  class AsyncSigningHandle {
+   public:
+    virtual ~AsyncSigningHandle() = default;
+  };
+
+  // Enum class representing TLS signature algorithm identifiers from BoringSSL.
+  // The values correspond to the SSL_SIGN_* macros in <openssl/ssl.h>.
+  enum class SignatureAlgorithm {
+    kRsaPkcs1Sha256,
+    kRsaPkcs1Sha384,
+    kRsaPkcs1Sha512,
+    kEcdsaSecp256r1Sha256,
+    kEcdsaSecp384r1Sha384,
+    kEcdsaSecp521r1Sha512,
+    kRsaPssRsaeSha256,
+    kRsaPssRsaeSha384,
+    kRsaPssRsaeSha512,
+  };
+
+  // A callback that is invoked when an asynchronous signing operation is
+  // complete. The argument should contain the signed bytes on success, or a
+  // non-OK status on failure.
+  using OnSignComplete = absl::AnyInvocable<void(absl::StatusOr<std::string>)>;
+
+  virtual ~PrivateKeySigner() = default;
+
+  // Signs data_to_sign.
+  // May return either synchronously or asynchronously.
+  // For synchronous returns, directly returns either the signed bytes
+  // or a failed status, and the callback will never be invoked.
+  // For asynchronous implementations, returns a handle for the asynchronous
+  // signing operation. The function argument on_sign_complete must be called by
+  // the implementer when the async signing operation is complete.
+  // on_sign_complete must not be invoked synchronously within Sign().
+  virtual std::variant<absl::StatusOr<std::string>,
+                       std::shared_ptr<AsyncSigningHandle>>
+  Sign(absl::string_view data_to_sign, SignatureAlgorithm signature_algorithm,
+       OnSignComplete on_sign_complete) = 0;
+
+  // Cancels an in-flight async signing operation using a handle returned
+  // from a previous call to Sign().
+  virtual void Cancel(std::shared_ptr<AsyncSigningHandle> handle) = 0;
+};
+}  // namespace grpc_core
+
+/**
+ * EXPERIMENTAL API - Subject to change
+ *
+ * Adds a identity key signer and a identity certificate chain to
+ * grpc_tls_identity_pairs. This implementation only works with gRPC Binaries
+ * built with BoringSSL.
+ * Returns OK if success, or a non-OK status on failure.
+ */
+absl::Status grpc_tls_identity_pairs_add_pair_with_signer(
+    grpc_tls_identity_pairs* pairs,
+    std::shared_ptr<grpc_core::PrivateKeySigner> private_key_signer,
+    absl::string_view cert_chain);
+
+#endif /* GRPC_PRIVATE_KEY_SIGNER_H */

data/include/grpc/support/port_platform.h

@@ -891,4 +891,10 @@ extern void gpr_unreachable_code(const char* reason, const char* file,
 #endif
 #endif
 
+#ifdef GPR_OPENBSD
+#define GRPC_MAX_SOCKADDR_SIZE 256
+#else
+#define GRPC_MAX_SOCKADDR_SIZE 128
+#endif
+
 #endif /* GRPC_SUPPORT_PORT_PLATFORM_H */