From ffcd8c39a493daedd5c240c1d1b5d0434311bebf Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Tue, 5 Mar 2019 13:44:33 +0000
Subject: [PATCH] Introduce compile-time option to always flush X.509 CRT caches

This commit introduces a compile-time option MBEDTLS_X509_ALWAYS_FLUSH which controls whether releasing of CRT frames or public key contexts associated to X.509 CRTs (or, in the future, other cached parsed X.509 structures) should lead to freeing those structures immediately. Enabling this alongside of the MBEDTLS_X509_ON_DEMAND_PARSING leads to significant reduction of the average RAM consumption of Mbed TLS. The option is enabled by default to reduce the permanent RAM overhead of MBEDTLS_X509_ON_DEMAND_PARSING in case the latter is *disabled* (default). (Note that there is very little performance penalty enabling MBEDTLS_X509_ALWAYS_FLUSH in case MBEDTLS_X509_ON_DEMAND_PARSING is disabled, because hardly any parsing needs to be done to setup a CRT frame / PK context from the legacy `mbedtls_x509_crt` structure.)
---
 include/mbedtls/config.h | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 4b8913ba7..0d4d30a2c 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1789,6 +1789,22 @@
  */
 //#define MBEDTLS_X509_ON_DEMAND_PARSING
 
+/**
+ * \def MBEDTLS_X509_ALWAYS_FLUSH
+ *
+ * Save RAM by having Mbed TLS always flush caches for parsed X.509
+ * structures after use: This means, firstly, that caches of X.509
+ * structures used by an API call are flushed when the call returns,
+ * but it also encompasses immediate flushing of caches when Mbed TLS uses
+ * multiple structures in succession, thereby reducing the peak RAM usage.
+ * Setting this option leads to minimal RAM usage of the X.509 module at
+ * the cost of performance penalties when using X.509 structures multiple
+ * times (such as trusted CRTs on systems serving many connections).
+ *
+ * Uncomment this to always flush caches for unused X.509 structures.
+ */
+#define MBEDTLS_X509_ALWAYS_FLUSH
+
 /**
  * \def MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3
  *
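Review bot: The closing instruction `Uncomment this to always flush caches for unused X.509 structures.` contradicts the line that follows it, where `#define MBEDTLS_X509_ALWAYS_FLUSH` is active rather than commented out, so the option is on by default and a user's actual choice is the opposite one; `Comment this out to keep parsed X.509 structures cached between uses.` would describe it correctly. The comment also omits the interaction with MBEDTLS_X509_ON_DEMAND_PARSING that the commit message spells out: the RAM reduction is significant, and the re-parsing cost on each use real, only when that option is also enabled, while with on-demand parsing disabled the penalty is small. Since config.h is where a user weighs this, a sentence such as ` * The saving is largest, and the cost of re-parsing on every use highest, when MBEDTLS_X509_ON_DEMAND_PARSING is also enabled.` belongs in this block, ideally next to the note about servers handling many connections where repeated re-parsing of trusted CRTs is the load to consider.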