From ffb280bb63c78bfec1e1ab55040671768c85c923 Mon Sep 17 00:00:00 2001
From: Ashish Sharma <ashish.sharma@espressif.com>
Date: Mon, 28 Jul 2025 14:07:05 +0800
Subject: [PATCH] feat(mbedtls): skip memset ssl buffers with dynamic buffer
 enabled.

As with dynamic buffer feature enabled, the buffers are handled dynamically,
there is no need to memset these on connection reset. This can help to save
some heap memory allocation.
---
 library/pk.c      | 2 ++
 library/ssl_tls.c | 6 ++++++
 sbom.yml          | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/library/pk.c b/library/pk.c
index 0ed7ebb6f..e81516363 100644
--- a/library/pk.c
+++ b/library/pk.c
@@ -1344,6 +1344,7 @@ int mbedtls_pk_sign_ext(mbedtls_pk_type_t pk_type,
                                        sig, sig_size, sig_len);
 #else /* MBEDTLS_USE_PSA_CRYPTO */
 
+#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
     if (ctx->pk_info->type == MBEDTLS_PK_RSA_ALT) {
         mbedtls_rsa_alt_context *rsa_alt = ctx->pk_ctx;
         mbedtls_rsa_context *rsa = (mbedtls_rsa_context *)rsa_alt->key;
@@ -1353,6 +1354,7 @@ int mbedtls_pk_sign_ext(mbedtls_pk_type_t pk_type,
                                 sig, sig_size, sig_len, f_rng, p_rng);
         }
     }
+#endif /* MBEDTLS_PK_RSA_ALT_SUPPORT */
 
     if (sig_size < mbedtls_pk_get_len(ctx)) {
         return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 30cde2792..e80815d71 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1468,6 +1468,12 @@ void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl,
 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
     size_t in_buf_len = ssl->in_buf_len;
     size_t out_buf_len = ssl->out_buf_len;
+/* ESP Change: For dynamic buffer feature, the buffer allocation shall be 
+ * handled on-demand basis and hence skip the memset in this API on the buffer pointers 
+ */
+#elif defined(CONFIG_MBEDTLS_DYNAMIC_BUFFER)
+    size_t in_buf_len = 0;
+    size_t out_buf_len = 0;
 #else
     size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
     size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
diff --git a/sbom.yml b/sbom.yml
index 9948d5aa6..f2f7f884a 100644
--- a/sbom.yml
+++ b/sbom.yml
@@ -7,6 +7,10 @@ cve-keywords:
   - mbed tls
   - mbedtls
 cve-exclude-list:
+  - cve: CVE-2025-54764
+    reason: Fixed in 3.6.5
+  - cve: CVE-2025-59438
+    reason: Fixed in 3.6.5
   - cve: CVE-2025-52496
     reason: Fixed in 3.6.4
   - cve: CVE-2025-27810