From 7a4de9cdabac75708d09753d9c3a3240e3583cae Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Wed, 27 Feb 2019 13:12:24 +0000
Subject: [PATCH] Flush CRT cache after parsing

This commit modifies the CRT parsing routine to flush the CRT cache after parsing. More specifically, the frame cache is flushed before the PK is parsed, to avoid storing the PK and frame in RAM at the same time.
---
library/x509_crt.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/library/x509_crt.c b/library/x509_crt.c
index 46f139f09..fd7979ff1 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1484,12 +1484,24 @@ static int x509_crt_parse_der_core( mbedtls_x509_crt *crt,
 goto exit;
 #endif /* !MBEDTLS_X509_ON_DEMAND_PARSING */
+ /* Free the frame before parsing the public key to
+ * keep peak RAM usage low. This is slightly inefficient
+ * because the frame will need to be parsed again on the
+ * first usage of the CRT, but that seems acceptable.
+ * As soon as the frame gets used multiple times, it
+ * will be cached by default. */
+ x509_crt_cache_clear_frame( crt->cache );
 /* The cache just references the PK structure from the legacy
 * implementation, so set up the latter first before setting up
- * the cache. */
+ * the cache.
+ *
+ * We're not actually using the parsed PK context here;
+ * we just parse it to check that it's well-formed. */
 ret = mbedtls_x509_crt_cache_provide_pk( crt );
 if( ret != 0 )
 goto exit;
+ x509_crt_cache_clear_pk( crt->cache );
 exit:
 if( ret != 0 )
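Review bot: The new `x509_crt_cache_clear_pk( crt->cache );` after the `mbedtls_x509_crt_cache_provide_pk( crt )` call has to be safe in the `!MBEDTLS_X509_ON_DEMAND_PARSING` build, where the surrounding context comment says the cache "just references the PK structure from the legacy implementation": if the clear helper deep-frees (`mbedtls_pk_free`) that shared context, the legacy `crt->pk` is left holding dangling key pointers and the eventual `mbedtls_x509_crt_free` turns into a double free. The helper is not visible in this hunk, so this is a point to confirm rather than a defect found, but the invariant is easy to lose in a later refactor and deserves a note at the call site, e.g. `/* Only drops the cache's own copy; in legacy builds the PK context is shared with crt->pk and must not be deep-freed here. */`. The same applies to `x509_crt_cache_clear_frame( crt->cache );` if the frame is ever shared rather than owned by the cache. On the failure path the freshly parsed PK is not cleared here and is left to the cleanup after `exit:`, which continues outside the hunk, as does the rest of x509_crt_parse_der_core.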