Stop using the common cert set for gQUIC certificate compression

The common cert set adds more than 100K to binary size and, since it has not been updated in years, provides virtually no value.

Protected by quic_restart_flag_quic_no_common_cert_set.

PiperOrigin-RevId: 406174880
diff --git a/quic/core/crypto/cert_compressor.cc b/quic/core/crypto/cert_compressor.cc
index e2a352d..1fdc3ba 100644
--- a/quic/core/crypto/cert_compressor.cc
+++ b/quic/core/crypto/cert_compressor.cc
@@ -11,6 +11,7 @@
 
 #include "absl/strings/string_view.h"
 #include "quic/core/quic_utils.h"
+#include "quic/platform/api/quic_bug_tracker.h"
 #include "third_party/zlib/zlib.h"
 
 namespace quic {
@@ -215,8 +216,11 @@
       }
     }
 
-    if (common_sets && common_sets->MatchCert(*i, client_common_set_hashes,
-                                              &entry.set_hash, &entry.index)) {
+    if (GetQuicRestartFlag(quic_no_common_cert_set)) {
+      QUIC_RESTART_FLAG_COUNT(quic_no_common_cert_set);
+    } else if (common_sets &&
+               common_sets->MatchCert(*i, client_common_set_hashes,
+                                      &entry.set_hash, &entry.index)) {
       entry.type = CertEntry::COMMON;
       entries.push_back(entry);
       continue;
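Review bot: The flag-on branch at `if (GetQuicRestartFlag(quic_no_common_cert_set))` has a body that only counts the flag, so a reader has to infer that the certificate then falls through to the code after the `continue`. A short comment would make that explicit, for example `// Common sets disabled: skip matching and let the cert be handled by the code below.` The count also runs once per certificate because the check sits inside the loop, which is worth confirming as the intended granularity. The enclosing loop and function start and end outside the hunk.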
@@ -243,6 +247,8 @@
         entries_size += sizeof(uint64_t);
         break;
       case CertEntry::COMMON:
+        QUIC_BUG_IF(unexpected_common_cert_entry_1,
+                    GetQuicRestartFlag(quic_no_common_cert_set));
         entries_size += sizeof(uint64_t) + sizeof(uint32_t);
         break;
     }
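Review bot: `QUIC_BUG_IF(unexpected_common_cert_entry_1, ...)` reports the condition, but the next line still adds the COMMON entry's size. The same holds for `unexpected_common_cert_entry_2` in the serialization hunk, where the `memcpy` of `set_hash` still runs. If these are meant as pure invariant checks, a comment such as `// COMMON entries are not created when quic_no_common_cert_set is on.` would say so. Whether any other code path can build a COMMON entry is not visible in these hunks, and both switch statements continue outside them.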
@@ -266,6 +272,8 @@
         out += sizeof(uint64_t);
         break;
       case CertEntry::COMMON:
+        QUIC_BUG_IF(unexpected_common_cert_entry_2,
+                    GetQuicRestartFlag(quic_no_common_cert_set));
         // Assumes a little-endian machine.
         memcpy(out, &i->set_hash, sizeof(i->set_hash));
         out += sizeof(i->set_hash);
@@ -382,6 +390,10 @@
         break;
       }
       case CertEntry::COMMON: {
+        if (GetQuicRestartFlag(quic_no_common_cert_set)) {
+          // Client only. No flag count.
+          return false;
+        }
         if (!common_sets) {
           return false;
         }
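Review bot: The comment `// Client only. No flag count.` explains the missing flag count but not why a `CertEntry::COMMON` entry from the peer is rejected, which is the security-relevant decision in this hunk. Something like `// With the flag on the client does not send kCCS, so a COMMON entry from the server is invalid; reject it.` would record the reasoning. The same terse comment is the whole body of an empty branch in quic_crypto_client_config.cc; there `if (!GetQuicRestartFlag(quic_no_common_cert_set) && common_cert_sets) {` would avoid the empty block. The enclosing switch and function start and end outside the hunk.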
@@ -628,7 +640,10 @@
         uncompressed.remove_prefix(cert_len);
         break;
       case CertEntry::CACHED:
+        break;
       case CertEntry::COMMON:
+        QUIC_BUG_IF(unexpected_common_cert_entry_3,
+                    GetQuicRestartFlag(quic_no_common_cert_set));
         break;
     }
   }
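Review bot: The `QUIC_BUG_IF(unexpected_common_cert_entry_3, ...)` sits on the decompression side, where the entries originate from data sent by the peer, so it should stay unreachable from remote input. That appears to hold only because the earlier parsing hunk returns false for `CertEntry::COMMON` when the flag is on. A comment stating the dependency, e.g. `// Unreachable with the flag on: entry parsing rejects COMMON.`, would keep the two in step. The relation between the two functions is inferred, since neither signature is in the hunks.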
diff --git a/quic/core/crypto/cert_compressor_test.cc b/quic/core/crypto/cert_compressor_test.cc
index a024d13..f4ac507 100644
--- a/quic/core/crypto/cert_compressor_test.cc
+++ b/quic/core/crypto/cert_compressor_test.cc
@@ -56,12 +56,18 @@
       absl::string_view(reinterpret_cast<const char*>(&set_hash),
                         sizeof(set_hash)),
       absl::string_view(), common_sets.get());
-  EXPECT_EQ(
-      "03"               /* common */
-      "2a00000000000000" /* set hash 42 */
-      "01000000"         /* index 1 */
-      "00" /* end of list */,
-      absl::BytesToHexString(compressed));
+  if (!GetQuicRestartFlag(quic_no_common_cert_set)) {
+    EXPECT_EQ(
+        "03"               /* common */
+        "2a00000000000000" /* set hash 42 */
+        "01000000"         /* index 1 */
+        "00" /* end of list */,
+        absl::BytesToHexString(compressed));
+  } else {
+    ASSERT_GE(compressed.size(), 2u);
+    // 01 is the prefix for a zlib "compressed" cert not common or cached.
+    EXPECT_EQ("0100", absl::BytesToHexString(compressed.substr(0, 2)));
+  }
 
   std::vector<std::string> chain2, cached_certs;
   ASSERT_TRUE(CertCompressor::DecompressChain(compressed, cached_certs,
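Review bot: The flag-on branch checks only that the compressor falls back to a compressed entry; nothing in this hunk exercises the new rejection in the decompressor, where a `CertEntry::COMMON` entry now makes parsing return false. A negative case that feeds the old `"03" "2a00000000000000" "01000000" "00"` encoding to `CertCompressor::DecompressChain` and expects failure when `quic_no_common_cert_set` is on would cover it. The comment on the `"0100"` check could also note that the second byte is the end-of-list marker. The test body starts and ends outside the hunk.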
diff --git a/quic/core/crypto/quic_crypto_client_config.cc b/quic/core/crypto/quic_crypto_client_config.cc
index 6ecf0e8..e4989bc 100644
--- a/quic/core/crypto/quic_crypto_client_config.cc
+++ b/quic/core/crypto/quic_crypto_client_config.cc
@@ -439,7 +439,9 @@
 
   out->SetVector(kPDMD, QuicTagVector{kX509});
 
-  if (common_cert_sets) {
+  if (GetQuicRestartFlag(quic_no_common_cert_set)) {
+    // Client only. No flag count.
+  } else if (common_cert_sets) {
     out->SetStringPiece(kCCS, common_cert_sets->GetCommonHashes());
   }
 
diff --git a/quic/core/quic_flags_list.h b/quic/core/quic_flags_list.h
index 513d376..c75f37b 100644
--- a/quic/core/quic_flags_list.h
+++ b/quic/core/quic_flags_list.h
@@ -73,6 +73,8 @@
 QUIC_FLAG(FLAGS_quic_reloadable_flag_quic_count_bytes_on_alternative_path_seperately, true)
 // If true, do not re-arm PTO while sending application data during handshake.
 QUIC_FLAG(FLAGS_quic_reloadable_flag_quic_donot_rearm_pto_on_application_data_during_handshake, true)
+// If true, do not use the gQUIC common certificate set for certificate compression.
+QUIC_FLAG(FLAGS_quic_restart_flag_quic_no_common_cert_set, false)
 // If true, drop unsent PATH_RESPONSEs and rely on peer\'s retry.
 QUIC_FLAG(FLAGS_quic_reloadable_flag_quic_drop_unsent_path_response, true)
 // If true, enable server retransmittable on wire PING.