commit ae553dde3a6aa563722d7667032a43449997d648
author Hanno Becker <hanno.becker@arm.com> Fri Feb 08 14:06:00 2019 +0000
committer Hanno Becker <hanno.becker@arm.com> Tue Feb 26 14:38:09 2019 +0000
tree 56e84bb472289f1b9938504eea61fe71043c99ab
parent b9d447908089bce8434766c4ff41144aee7e0865

Free peer's public key as soon as it's no longer needed

On constrained devices, this saves a significant amount of RAM that
might be needed for subsequent expensive operations like ECDHE.

library/ssl_cli.c

diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index d402249..1312e01 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -2331,6 +2331,10 @@
     }
 #endif
 
+#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+    /* We don't need the peer's public key anymore. Free it. */
+    mbedtls_pk_free( peer_pk );
+#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
     return( 0 );
 }
 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
@@ -2440,6 +2444,13 @@
         return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
     }
 
+#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+    /* We don't need the peer's public key anymore. Free it,
+     * so that more RAM is available for upcoming expensive
+     * operations like ECDHE. */
+    mbedtls_pk_free( peer_pk );
+#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
+
     return( ret );
 }
 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) ||
@@ -2796,6 +2807,13 @@
 #endif
             return( ret );
         }
+
+#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+        /* We don't need the peer's public key anymore. Free it,
+         * so that more RAM is available for upcoming expensive
+         * operations like ECDHE. */
+        mbedtls_pk_free( peer_pk );
+#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
     }
 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */