Flush CRT cache after parsing
This commit modifies the CRT parsing routine to flush
the CRT cache after parsing. More specifically, the
frame cache is flushed before the PK is parsed, to
avoid storing the PK and frame in RAM at the same time.
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 46f139f..fd7979f 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1484,12 +1484,24 @@
goto exit;
#endif /* !MBEDTLS_X509_ON_DEMAND_PARSING */
+ /* Free the frame before parsing the public key to
+ * keep peak RAM usage low. This is slightly inefficient
+ * because the frame will need to be parsed again on the
+ * first usage of the CRT, but that seems acceptable.
+ * As soon as the frame gets used multiple times, it
+ * will be cached by default. */
+ x509_crt_cache_clear_frame( crt->cache );
+
/* The cache just references the PK structure from the legacy
* implementation, so set up the latter first before setting up
- * the cache. */
+ * the cache.
+ *
+ * We're not actually using the parsed PK context here;
+ * we just parse it to check that it's well-formed. */
ret = mbedtls_x509_crt_cache_provide_pk( crt );
if( ret != 0 )
goto exit;
+ x509_crt_cache_clear_pk( crt->cache );
exit:
if( ret != 0 )