Update grpc to 1.43.2 DTCC-864

ref:50a492c335cda70f458797cf945e49fe739c2715

11 files changed, 465 insertions, 131 deletions

diff --git a/contrib/libs/grpc/include/grpcpp/security/alts_context.h b/contrib/libs/grpc/include/grpcpp/security/alts_context.h
index cd1f640a76..125d25310f 100644
--- a/contrib/libs/grpc/include/grpcpp/security/alts_context.h
+++ b/contrib/libs/grpc/include/grpcpp/security/alts_context.h
@@ -19,12 +19,12 @@
 #ifndef GRPCPP_SECURITY_ALTS_CONTEXT_H
 #define GRPCPP_SECURITY_ALTS_CONTEXT_H
 
-#include <grpc/grpc_security_constants.h>
-#include <grpcpp/security/auth_context.h>
-
 #include <map>
 #include <memory>
 
+#include <grpc/grpc_security_constants.h>
+#include <grpcpp/security/auth_context.h>
+
 struct grpc_gcp_AltsContext;
 
 namespace grpc {
diff --git a/contrib/libs/grpc/include/grpcpp/security/alts_util.h b/contrib/libs/grpc/include/grpcpp/security/alts_util.h
index b8f935ad95..25322e31ce 100644
--- a/contrib/libs/grpc/include/grpcpp/security/alts_util.h
+++ b/contrib/libs/grpc/include/grpcpp/security/alts_util.h
@@ -19,13 +19,13 @@
 #ifndef GRPCPP_SECURITY_ALTS_UTIL_H
 #define GRPCPP_SECURITY_ALTS_UTIL_H
 
+#include <memory>
+
 #include <grpc/grpc_security_constants.h>
 #include <grpcpp/impl/codegen/status.h>
 #include <grpcpp/security/alts_context.h>
 #include <grpcpp/security/auth_context.h>
 
-#include <memory>
-
 struct grpc_gcp_AltsContext;
 
 namespace grpc {
diff --git a/contrib/libs/grpc/include/grpcpp/security/auth_context.h b/contrib/libs/grpc/include/grpcpp/security/auth_context.h
index 7a6f2cb718..17784508e2 100644
--- a/contrib/libs/grpc/include/grpcpp/security/auth_context.h
+++ b/contrib/libs/grpc/include/grpcpp/security/auth_context.h
@@ -19,6 +19,6 @@
 #ifndef GRPCPP_SECURITY_AUTH_CONTEXT_H
 #define GRPCPP_SECURITY_AUTH_CONTEXT_H
 
-#include <grpcpp/impl/codegen/security/auth_context.h>
+#include <grpcpp/impl/codegen/security/auth_context.h>  // IWYU pragma: export
 
 #endif  // GRPCPP_SECURITY_AUTH_CONTEXT_H
diff --git a/contrib/libs/grpc/include/grpcpp/security/authorization_policy_provider.h b/contrib/libs/grpc/include/grpcpp/security/authorization_policy_provider.h
new file mode 100644
index 0000000000..1d18f700ca
--- /dev/null
+++ b/contrib/libs/grpc/include/grpcpp/security/authorization_policy_provider.h
@@ -0,0 +1,92 @@
+// Copyright 2021 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef GRPCPP_SECURITY_AUTHORIZATION_POLICY_PROVIDER_H
+#define GRPCPP_SECURITY_AUTHORIZATION_POLICY_PROVIDER_H
+
+#include <memory>
+
+#include <grpc/status.h>
+#include <grpcpp/impl/codegen/grpc_library.h>
+
+// TODO(yihuazhang): remove the forward declarations here and include
+// <grpc/grpc_security.h> directly once the insecure builds are cleaned up.
+typedef struct grpc_authorization_policy_provider
+    grpc_authorization_policy_provider;
+
+namespace grpc {
+namespace experimental {
+
+// Wrapper around C-core grpc_authorization_policy_provider. Internally, it
+// handles creating and updating authorization engine objects, using SDK
+// authorization policy.
+class AuthorizationPolicyProviderInterface {
+ public:
+  virtual ~AuthorizationPolicyProviderInterface() = default;
+  virtual grpc_authorization_policy_provider* c_provider() = 0;
+};
+
+// Implementation obtains authorization policy from static string. This provider
+// will always return the same authorization engines.
+class StaticDataAuthorizationPolicyProvider
+    : public AuthorizationPolicyProviderInterface {
+ public:
+  static std::shared_ptr<StaticDataAuthorizationPolicyProvider> Create(
+      const TString& authz_policy, grpc::Status* status);
+
+  // Use factory method "Create" to create an instance of
+  // StaticDataAuthorizationPolicyProvider.
+  explicit StaticDataAuthorizationPolicyProvider(
+      grpc_authorization_policy_provider* provider)
+      : c_provider_(provider) {}
+
+  ~StaticDataAuthorizationPolicyProvider() override;
+
+  grpc_authorization_policy_provider* c_provider() override {
+    return c_provider_;
+  }
+
+ private:
+  grpc_authorization_policy_provider* c_provider_ = nullptr;
+};
+
+// Implementation obtains authorization policy by watching for changes in
+// filesystem.
+class FileWatcherAuthorizationPolicyProvider
+    : public AuthorizationPolicyProviderInterface {
+ public:
+  static std::shared_ptr<FileWatcherAuthorizationPolicyProvider> Create(
+      const TString& authz_policy_path, unsigned int refresh_interval_sec,
+      grpc::Status* status);
+
+  // Use factory method "Create" to create an instance of
+  // FileWatcherAuthorizationPolicyProvider.
+  explicit FileWatcherAuthorizationPolicyProvider(
+      grpc_authorization_policy_provider* provider)
+      : c_provider_(provider) {}
+
+  ~FileWatcherAuthorizationPolicyProvider() override;
+
+  grpc_authorization_policy_provider* c_provider() override {
+    return c_provider_;
+  }
+
+ private:
+  grpc_authorization_policy_provider* c_provider_ = nullptr;
+};
+
+}  // namespace experimental
+}  // namespace grpc
+
+#endif  // GRPCPP_SECURITY_AUTHORIZATION_POLICY_PROVIDER_H
diff --git a/contrib/libs/grpc/include/grpcpp/security/binder_credentials.h b/contrib/libs/grpc/include/grpcpp/security/binder_credentials.h
new file mode 100644
index 0000000000..f511837ef2
--- /dev/null
+++ b/contrib/libs/grpc/include/grpcpp/security/binder_credentials.h
@@ -0,0 +1,43 @@
+// Copyright 2021 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef GRPCPP_SECURITY_BINDER_CREDENTIALS_H
+#define GRPCPP_SECURITY_BINDER_CREDENTIALS_H
+
+#include <memory>
+
+#include <grpcpp/security/binder_security_policy.h>
+#include <grpcpp/security/server_credentials.h>
+
+namespace grpc {
+
+class ChannelCredentials;
+
+namespace experimental {
+
+/// EXPERIMENTAL Builds Binder ServerCredentials.
+///
+/// This should be used along with `binder:` URI scheme. The path in the URI can
+/// later be used to access the server's endpoint binder.
+/// Note that calling \a ServerBuilder::AddListeningPort() with Binder
+/// ServerCredentials in a non-supported environment will make the subsequent
+/// call to \a ServerBuilder::BuildAndStart() return a null pointer.
+std::shared_ptr<grpc::ServerCredentials> BinderServerCredentials(
+    std::shared_ptr<grpc::experimental::binder::SecurityPolicy>
+        security_policy);
+
+}  // namespace experimental
+}  // namespace grpc
+
+#endif  // GRPCPP_SECURITY_BINDER_CREDENTIALS_H
diff --git a/contrib/libs/grpc/include/grpcpp/security/binder_security_policy.h b/contrib/libs/grpc/include/grpcpp/security/binder_security_policy.h
new file mode 100644
index 0000000000..9b825e759b
--- /dev/null
+++ b/contrib/libs/grpc/include/grpcpp/security/binder_security_policy.h
@@ -0,0 +1,58 @@
+// Copyright 2021 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#ifndef GRPCPP_SECURITY_BINDER_SECURITY_POLICY_H
+#define GRPCPP_SECURITY_BINDER_SECURITY_POLICY_H
+
+#include <memory>
+
+namespace grpc {
+namespace experimental {
+namespace binder {
+
+// EXPERIMENTAL Determinines if a connection is allowed to be
+// established on Android. See https://source.android.com/security/app-sandbox
+// for more info about UID.
+class SecurityPolicy {
+ public:
+  virtual ~SecurityPolicy() = default;
+  // Returns true if the UID is authorized to connect.
+  // Must return the same value for the same inputs so callers can safely cache
+  // the result.
+  virtual bool IsAuthorized(int uid) = 0;
+};
+
+// EXPERIMENTAL Allows all connection. Anything on the Android device will be
+// able to connect, use with caution!
+class UntrustedSecurityPolicy : public SecurityPolicy {
+ public:
+  UntrustedSecurityPolicy();
+  ~UntrustedSecurityPolicy() override;
+  bool IsAuthorized(int uid) override;
+};
+
+// EXPERIMENTAL Only allows the connections from processes with the same UID. In
+// most cases this means "from the same APK".
+class InternalOnlySecurityPolicy : public SecurityPolicy {
+ public:
+  InternalOnlySecurityPolicy();
+  ~InternalOnlySecurityPolicy() override;
+  bool IsAuthorized(int uid) override;
+};
+
+}  // namespace binder
+}  // namespace experimental
+}  // namespace grpc
+
+#endif  // GRPCPP_SECURITY_BINDER_SECURITY_POLICY_H
diff --git a/contrib/libs/grpc/include/grpcpp/security/credentials.h b/contrib/libs/grpc/include/grpcpp/security/credentials.h
index fded203821..d6fb5a42be 100644
--- a/contrib/libs/grpc/include/grpcpp/security/credentials.h
+++ b/contrib/libs/grpc/include/grpcpp/security/credentials.h
@@ -59,11 +59,17 @@ std::shared_ptr<grpc::Channel> CreateCustomChannelWithInterceptors(
         std::unique_ptr<grpc::experimental::ClientInterceptorFactoryInterface>>
         interceptor_creators);
 
-/// Builds XDS Credentials.
+GRPC_DEPRECATED(
+    "Use grpc::XdsCredentials instead. The experimental version will be "
+    "deleted after the 1.41 release.")
 std::shared_ptr<ChannelCredentials> XdsCredentials(
     const std::shared_ptr<ChannelCredentials>& fallback_creds);
 }  // namespace experimental
 
+/// Builds XDS Credentials.
+std::shared_ptr<ChannelCredentials> XdsCredentials(
+    const std::shared_ptr<ChannelCredentials>& fallback_creds);
+
 /// A channel credentials object encapsulates all the state needed by a client
 /// to authenticate with a server for a given channel.
 /// It can make various assertions, e.g., about the client’s identity, role
@@ -84,7 +90,7 @@ class ChannelCredentials : private grpc::GrpcLibraryCodegen {
   // AsSecureCredentials(). Once we are able to remove insecure builds from gRPC
   // (and also internal dependencies on the indirect method of creating a
   // channel through credentials), we would be able to remove this.
-  friend std::shared_ptr<ChannelCredentials> grpc::experimental::XdsCredentials(
+  friend std::shared_ptr<ChannelCredentials> grpc::XdsCredentials(
       const std::shared_ptr<ChannelCredentials>& fallback_creds);
 
   virtual SecureChannelCredentials* AsSecureCredentials() = 0;
diff --git a/contrib/libs/grpc/include/grpcpp/security/server_credentials.h b/contrib/libs/grpc/include/grpcpp/security/server_credentials.h
index 290b410c1c..d402cd62a7 100644
--- a/contrib/libs/grpc/include/grpcpp/security/server_credentials.h
+++ b/contrib/libs/grpc/include/grpcpp/security/server_credentials.h
@@ -60,10 +60,16 @@ struct SslServerCredentialsOptions {
   grpc_ssl_client_certificate_request_type client_certificate_request;
 };
 
-namespace experimental {
 /// Builds Xds ServerCredentials given fallback credentials
 std::shared_ptr<ServerCredentials> XdsServerCredentials(
     const std::shared_ptr<ServerCredentials>& fallback_credentials);
+
+namespace experimental {
+GRPC_DEPRECATED(
+    "Use grpc::XdsServerCredentials instead. The experimental version will be "
+    "deleted after the 1.41 release.")
+std::shared_ptr<ServerCredentials> XdsServerCredentials(
+    const std::shared_ptr<ServerCredentials>& fallback_credentials);
 }  // namespace experimental
 
 /// Wrapper around \a grpc_server_credentials, a way to authenticate a server.
@@ -83,8 +89,7 @@ class ServerCredentials : private grpc::GrpcLibraryCodegen {
   // We need this friend declaration for access to Insecure() and
   // AsSecureServerCredentials(). When these two functions are no longer
   // necessary, this friend declaration can be removed too.
-  friend std::shared_ptr<ServerCredentials>
-  grpc::experimental::XdsServerCredentials(
+  friend std::shared_ptr<ServerCredentials> grpc::XdsServerCredentials(
       const std::shared_ptr<ServerCredentials>& fallback_credentials);
 
   /// Tries to bind \a server to the given \a addr (eg, localhost:1234,
diff --git a/contrib/libs/grpc/include/grpcpp/security/tls_certificate_provider.h b/contrib/libs/grpc/include/grpcpp/security/tls_certificate_provider.h
index 12c60452d2..80bc668d8a 100644
--- a/contrib/libs/grpc/include/grpcpp/security/tls_certificate_provider.h
+++ b/contrib/libs/grpc/include/grpcpp/security/tls_certificate_provider.h
@@ -17,15 +17,15 @@
 #ifndef GRPCPP_SECURITY_TLS_CERTIFICATE_PROVIDER_H
 #define GRPCPP_SECURITY_TLS_CERTIFICATE_PROVIDER_H
 
+#include <memory>
+#include <vector>
+
 #include <grpc/grpc_security_constants.h>
 #include <grpc/status.h>
 #include <grpc/support/log.h>
 #include <grpcpp/impl/codegen/grpc_library.h>
 #include <grpcpp/support/config.h>
 
-#include <memory>
-#include <vector>
-
 // TODO(yihuazhang): remove the forward declaration here and include
 // <grpc/grpc_security.h> directly once the insecure builds are cleaned up.
 typedef struct grpc_tls_certificate_provider grpc_tls_certificate_provider;
diff --git a/contrib/libs/grpc/include/grpcpp/security/tls_certificate_verifier.h b/contrib/libs/grpc/include/grpcpp/security/tls_certificate_verifier.h
new file mode 100644
index 0000000000..63f285ece4
--- /dev/null
+++ b/contrib/libs/grpc/include/grpcpp/security/tls_certificate_verifier.h
@@ -0,0 +1,225 @@
+//
+// Copyright 2021 gRPC authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+#ifndef GRPCPP_SECURITY_TLS_CERTIFICATE_VERIFIER_H
+#define GRPCPP_SECURITY_TLS_CERTIFICATE_VERIFIER_H
+
+#include <functional>
+#include <map>
+#include <memory>
+#include <utility>
+#include <vector>
+
+#include <grpc/grpc_security_constants.h>
+#include <grpc/status.h>
+#include <grpc/support/log.h>
+#include <grpcpp/impl/codegen/grpc_library.h>
+#include <grpcpp/impl/codegen/sync.h>
+#include <grpcpp/impl/grpc_library.h>
+#include <grpcpp/support/config.h>
+#include <grpcpp/support/string_ref.h>
+
+// TODO(yihuazhang): remove the forward declaration here and include
+// <grpc/grpc_security.h> directly once the insecure builds are cleaned up.
+typedef struct grpc_tls_custom_verification_check_request
+    grpc_tls_custom_verification_check_request;
+typedef struct grpc_tls_certificate_verifier grpc_tls_certificate_verifier;
+typedef struct grpc_tls_certificate_verifier_external
+    grpc_tls_certificate_verifier_external;
+typedef void (*grpc_tls_on_custom_verification_check_done_cb)(
+    grpc_tls_custom_verification_check_request* request, void* callback_arg,
+    grpc_status_code status, const char* error_details);
+extern "C" grpc_tls_certificate_verifier*
+grpc_tls_certificate_verifier_external_create(
+    grpc_tls_certificate_verifier_external* external_verifier);
+
+namespace grpc {
+namespace experimental {
+
+// Contains the verification-related information associated with a connection
+// request. Users should not directly create or destroy this request object, but
+// shall interact with it through CertificateVerifier's Verify() and Cancel().
+class TlsCustomVerificationCheckRequest {
+ public:
+  explicit TlsCustomVerificationCheckRequest(
+      grpc_tls_custom_verification_check_request* request);
+  ~TlsCustomVerificationCheckRequest() {}
+
+  grpc::string_ref target_name() const;
+  grpc::string_ref peer_cert() const;
+  grpc::string_ref peer_cert_full_chain() const;
+  grpc::string_ref common_name() const;
+  std::vector<grpc::string_ref> uri_names() const;
+  std::vector<grpc::string_ref> dns_names() const;
+  std::vector<grpc::string_ref> email_names() const;
+  std::vector<grpc::string_ref> ip_names() const;
+
+  grpc_tls_custom_verification_check_request* c_request() { return c_request_; }
+
+ private:
+  grpc_tls_custom_verification_check_request* c_request_ = nullptr;
+};
+
+// The base class of all internal verifier implementations, and the ultimate
+// class that all external verifiers will eventually be transformed into.
+// To implement a custom verifier, do not extend this class; instead,
+// implement a subclass of ExternalCertificateVerifier. Note that custom
+// verifier implementations can compose their functionality with existing
+// implementations of this interface, such as HostnameVerifier, by delegating
+// to an instance of that class.
+class CertificateVerifier {
+ public:
+  explicit CertificateVerifier(grpc_tls_certificate_verifier* v);
+
+  ~CertificateVerifier();
+
+  // Verifies a connection request, based on the logic specified in an internal
+  // verifier. The check on each internal verifier could be either synchronous
+  // or asynchronous, and we will need to use return value to know.
+  //
+  // request: the verification information associated with this request
+  // callback: This will only take effect if the verifier is asynchronous.
+  //           The function that gRPC will invoke when the verifier has already
+  //           completed its asynchronous check. Callers can use this function
+  //           to perform any additional checks. The input parameter of the
+  //           std::function indicates the status of the verifier check.
+  // sync_status: This will only be useful if the verifier is synchronous.
+  //              The status of the verifier as it has already done it's
+  //              synchronous check.
+  // return: return true if executed synchronously, otherwise return false
+  bool Verify(TlsCustomVerificationCheckRequest* request,
+              std::function<void(grpc::Status)> callback,
+              grpc::Status* sync_status);
+
+  // Cancels a verification request previously started via Verify().
+  // Used when the connection attempt times out or is cancelled while an async
+  // verification request is pending.
+  //
+  // request: the verification information associated with this request
+  void Cancel(TlsCustomVerificationCheckRequest* request);
+
+  // Gets the core verifier used internally.
+  grpc_tls_certificate_verifier* c_verifier() { return verifier_; }
+
+ private:
+  static void AsyncCheckDone(
+      grpc_tls_custom_verification_check_request* request, void* callback_arg,
+      grpc_status_code status, const char* error_details);
+
+  grpc_tls_certificate_verifier* verifier_ = nullptr;
+  grpc::internal::Mutex mu_;
+  std::map<grpc_tls_custom_verification_check_request*,
+           std::function<void(grpc::Status)>>
+      request_map_ Y_ABSL_GUARDED_BY(mu_);
+};
+
+// The base class of all external, user-specified verifiers. Users should
+// inherit this class to implement a custom verifier.
+// Note that while implementing the custom verifier that extends this class, it
+// is possible to compose an existing ExternalCertificateVerifier or
+// CertificateVerifier, inside the Verify() and Cancel() function of the new
+// custom verifier.
+class ExternalCertificateVerifier {
+ public:
+  // A factory method for creating a |CertificateVerifier| from this class. All
+  // the user-implemented verifiers should use this function to be converted to
+  // verifiers compatible with |TlsCredentialsOptions|.
+  // The resulting CertificateVerifier takes ownership of the newly instantiated
+  // Subclass.
+  template <typename Subclass, typename... Args>
+  static std::shared_ptr<CertificateVerifier> Create(Args&&... args) {
+    grpc::internal::GrpcLibraryInitializer g_gli_initializer;
+    g_gli_initializer.summon();
+    auto* external_verifier = new Subclass(std::forward<Args>(args)...);
+    return std::make_shared<CertificateVerifier>(
+        grpc_tls_certificate_verifier_external_create(
+            external_verifier->base_));
+  }
+
+  // The verification logic that will be performed after the TLS handshake
+  // completes. Implementers can choose to do their checks synchronously or
+  // asynchronously.
+  //
+  // request: the verification information associated with this request
+  // callback: This should only be used if your check is done asynchronously.
+  //           When the asynchronous work is done, invoke this callback function
+  //           with the proper status, indicating the success or the failure of
+  //           the check. The implementer MUST NOT invoke this |callback| in the
+  //           same thread before Verify() returns, otherwise it can lead to
+  //           deadlocks.
+  // sync_status: This should only be used if your check is done synchronously.
+  //              Modifies this value to indicate the success or the failure of
+  //              the check.
+  // return: return true if your check is done synchronously, otherwise return
+  //         false
+  virtual bool Verify(TlsCustomVerificationCheckRequest* request,
+                      std::function<void(grpc::Status)> callback,
+                      grpc::Status* sync_status) = 0;
+
+  // Cancels a verification request previously started via Verify().
+  // Used when the connection attempt times out or is cancelled while an async
+  // verification request is pending. The implementation should abort whatever
+  // async operation it is waiting for and quickly invoke the callback that was
+  // passed to Verify() with a status indicating the cancellation.
+  //
+  // request: the verification information associated with this request
+  virtual void Cancel(TlsCustomVerificationCheckRequest* request) = 0;
+
+ protected:
+  ExternalCertificateVerifier();
+
+  virtual ~ExternalCertificateVerifier();
+
+ private:
+  struct AsyncRequestState {
+    AsyncRequestState(grpc_tls_on_custom_verification_check_done_cb cb,
+                      void* arg,
+                      grpc_tls_custom_verification_check_request* request)
+        : callback(cb), callback_arg(arg), cpp_request(request) {}
+
+    grpc_tls_on_custom_verification_check_done_cb callback;
+    void* callback_arg;
+    TlsCustomVerificationCheckRequest cpp_request;
+  };
+
+  static int VerifyInCoreExternalVerifier(
+      void* user_data, grpc_tls_custom_verification_check_request* request,
+      grpc_tls_on_custom_verification_check_done_cb callback,
+      void* callback_arg, grpc_status_code* sync_status,
+      char** sync_error_details);
+
+  static void CancelInCoreExternalVerifier(
+      void* user_data, grpc_tls_custom_verification_check_request* request);
+
+  static void DestructInCoreExternalVerifier(void* user_data);
+
+  // TODO(yihuazhang): after the insecure build is removed, make this an object
+  // member instead of a pointer.
+  grpc_tls_certificate_verifier_external* base_ = nullptr;
+  grpc::internal::Mutex mu_;
+  std::map<grpc_tls_custom_verification_check_request*, AsyncRequestState>
+      request_map_ Y_ABSL_GUARDED_BY(mu_);
+};
+
+class HostNameCertificateVerifier : public CertificateVerifier {
+ public:
+  HostNameCertificateVerifier();
+};
+
+}  // namespace experimental
+}  // namespace grpc
+
+#endif  // GRPCPP_SECURITY_TLS_CERTIFICATE_VERIFIER_H
diff --git a/contrib/libs/grpc/include/grpcpp/security/tls_credentials_options.h b/contrib/libs/grpc/include/grpcpp/security/tls_credentials_options.h
index b849ec2e6b..471e23be0a 100644
--- a/contrib/libs/grpc/include/grpcpp/security/tls_credentials_options.h
+++ b/contrib/libs/grpc/include/grpcpp/security/tls_credentials_options.h
@@ -19,15 +19,16 @@
 #ifndef GRPCPP_SECURITY_TLS_CREDENTIALS_OPTIONS_H
 #define GRPCPP_SECURITY_TLS_CREDENTIALS_OPTIONS_H
 
+#include <memory>
+#include <vector>
+
 #include <grpc/grpc_security_constants.h>
 #include <grpc/status.h>
 #include <grpc/support/log.h>
 #include <grpcpp/security/tls_certificate_provider.h>
+#include <grpcpp/security/tls_certificate_verifier.h>
 #include <grpcpp/support/config.h>
 
-#include <memory>
-#include <vector>
-
 // TODO(yihuazhang): remove the forward declaration here and include
 // <grpc/grpc_security.h> directly once the insecure builds are cleaned up.
 typedef struct grpc_tls_server_authorization_check_arg
@@ -36,116 +37,11 @@ typedef struct grpc_tls_server_authorization_check_config
     grpc_tls_server_authorization_check_config;
 typedef struct grpc_tls_credentials_options grpc_tls_credentials_options;
 typedef struct grpc_tls_certificate_provider grpc_tls_certificate_provider;
+typedef struct grpc_tls_certificate_verifier grpc_tls_certificate_verifier;
 
 namespace grpc {
 namespace experimental {
 
-/** TLS server authorization check arguments, wraps
- *  grpc_tls_server_authorization_check_arg. It is used for experimental
- *  purposes for now and it is subject to change.
- *
- *  The server authorization check arg contains all the info necessary to
- *  schedule/cancel a server authorization check request. The callback function
- *  must be called after finishing the schedule operation. See the description
- *  of the grpc_tls_server_authorization_check_arg struct in grpc_security.h for
- *  more details. **/
-class TlsServerAuthorizationCheckArg {
- public:
-  /** TlsServerAuthorizationCheckArg does not take ownership of the C arg passed
-   * to the constructor. One must remember to free any memory allocated to the
-   * C arg after using the setter functions below. **/
-  explicit TlsServerAuthorizationCheckArg(
-      grpc_tls_server_authorization_check_arg* arg);
-  ~TlsServerAuthorizationCheckArg();
-
-  /** Getters for member fields. **/
-  void* cb_user_data() const;
-  int success() const;
-  TString target_name() const;
-  TString peer_cert() const;
-  TString peer_cert_full_chain() const;
-  grpc_status_code status() const;
-  TString error_details() const;
-
-  /** Setters for member fields. **/
-  void set_cb_user_data(void* cb_user_data);
-  void set_success(int success);
-  void set_target_name(const TString& target_name);
-  void set_peer_cert(const TString& peer_cert);
-  void set_peer_cert_full_chain(const TString& peer_cert_full_chain);
-  void set_status(grpc_status_code status);
-  void set_error_details(const TString& error_details);
-
-  /** Calls the C arg's callback function. **/
-  void OnServerAuthorizationCheckDoneCallback();
-
- private:
-  grpc_tls_server_authorization_check_arg* c_arg_;
-};
-
-/** An interface that the application derives and uses to instantiate a
- * TlsServerAuthorizationCheckConfig instance. Refer to the definition of the
- * grpc_tls_server_authorization_check_config in grpc_tls_credentials_options.h
- * for more details on the expectations of the member functions of the
- * interface.
- * **/
-struct TlsServerAuthorizationCheckInterface {
-  virtual ~TlsServerAuthorizationCheckInterface() = default;
-  /** A callback that invokes the server authorization check. **/
-  virtual int Schedule(TlsServerAuthorizationCheckArg* arg) = 0;
-  /** A callback that cancels a server authorization check request. **/
-  virtual void Cancel(TlsServerAuthorizationCheckArg* /* arg */) {}
-};
-
-/** TLS server authorization check config, wraps
- *  grps_tls_server_authorization_check_config. It is used for experimental
- *  purposes for now and it is subject to change. **/
-class TlsServerAuthorizationCheckConfig {
- public:
-  explicit TlsServerAuthorizationCheckConfig(
-      std::shared_ptr<TlsServerAuthorizationCheckInterface>
-          server_authorization_check_interface);
-  ~TlsServerAuthorizationCheckConfig();
-
-  int Schedule(TlsServerAuthorizationCheckArg* arg) const {
-    if (server_authorization_check_interface_ == nullptr) {
-      gpr_log(GPR_ERROR, "server authorization check interface is nullptr");
-      if (arg != nullptr) {
-        arg->set_status(GRPC_STATUS_NOT_FOUND);
-        arg->set_error_details(
-            "the interface of the server authorization check config is "
-            "nullptr");
-      }
-      return 1;
-    }
-    return server_authorization_check_interface_->Schedule(arg);
-  }
-
-  void Cancel(TlsServerAuthorizationCheckArg* arg) const {
-    if (server_authorization_check_interface_ == nullptr) {
-      gpr_log(GPR_ERROR, "server authorization check interface is nullptr");
-      if (arg != nullptr) {
-        arg->set_status(GRPC_STATUS_NOT_FOUND);
-        arg->set_error_details(
-            "the interface of the server authorization check config is "
-            "nullptr");
-      }
-      return;
-    }
-    server_authorization_check_interface_->Cancel(arg);
-  }
-
-  /** Returns C struct for the server authorization check config. **/
-  grpc_tls_server_authorization_check_config* c_config() const {
-    return c_config_;
-  }
-
- private:
-  grpc_tls_server_authorization_check_config* c_config_;
-  std::shared_ptr<TlsServerAuthorizationCheckInterface>
-      server_authorization_check_interface_;
-};
-
 // Base class of configurable options specified by users to configure their
 // certain security features supported in TLS. It is used for experimental
 // purposes for now and it is subject to change.
@@ -187,6 +83,19 @@ class TlsCredentialsOptions {
   //
   // @param identity_cert_name the name of identity key-cert pairs being set.
   void set_identity_cert_name(const TString& identity_cert_name);
+  // Sets the certificate verifier used to perform post-handshake peer identity
+  // checks.
+  void set_certificate_verifier(
+      std::shared_ptr<CertificateVerifier> certificate_verifier);
+  // Sets the options of whether to check the hostname of the peer on a per-call
+  // basis. This is usually used in a combination with virtual hosting at the
+  // client side, where each individual call on a channel can have a different
+  // host associated with it.
+  // This check is intended to verify that the host specified for the individual
+  // call is covered by the cert that the peer presented.
+  // We will perform such checks by default. This should be disabled if
+  // verifiers other than the host name verifier is used.
+  void set_check_call_host(bool check_call_host);
 
   // ----- Getters for member fields ----
   // Get the internal c options. This function shall be used only internally.
@@ -196,6 +105,7 @@ class TlsCredentialsOptions {
 
  private:
   std::shared_ptr<CertificateProviderInterface> certificate_provider_;
+  std::shared_ptr<CertificateVerifier> certificate_verifier_;
   grpc_tls_credentials_options* c_credentials_options_ = nullptr;
 };
 
@@ -207,14 +117,9 @@ class TlsCredentialsOptions {
 // It is used for experimental purposes for now and it is subject to change.
 class TlsChannelCredentialsOptions final : public TlsCredentialsOptions {
  public:
-  // Sets the option to verify the server.
-  // The default is GRPC_TLS_SERVER_VERIFICATION.
-  void set_server_verification_option(
-      grpc_tls_server_verification_option server_verification_option);
-  // Sets the custom authorization config.
-  void set_server_authorization_check_config(
-      std::shared_ptr<TlsServerAuthorizationCheckConfig>
-          authorization_check_config);
+  // Sets the decision of whether to do a crypto check on the server certs.
+  // The default is true.
+  void set_verify_server_certs(bool verify_server_certs);
 
  private:
 };