otp_crypto: harden PSA security and error handling

- Reset key attributes after psa_import_key in one-shot cipher path
  to match all other PSA import sites
- Use secure_free for all crypto-adjacent buffers (sign/verify data,
  signature buffers, MAC data, AEAD AAD and combined buffers) to
  prevent sensitive data from lingering in freed memory
- Reject AEAD decryption without a tag early with a clear error
  instead of letting it fail deep in PSA
- Add finalized flag to MAC state so repeated mac_final/mac_update
  calls after finalization raise a clear error instead of a generic
  PSA failure
- Document that ssl:nif_conf_rng is a no-op on mbedtls 4.x where
  PSA handles randomness internally

Signed-off-by: Peter M <petermm@gmail.com>

Author: petermm

src/libAtomVM/otp_crypto.c

@@ -745,6 +745,7 @@ static term nif_crypto_crypto_one_time(Context *ctx, int argc, term argv[])
     psa_set_key_bits(&attributes, key_bits);
 
     psa_status_t status = psa_import_key(&attributes, key_data, key_len, &key_id);
+    psa_reset_key_attributes(&attributes);
     if (UNLIKELY(status != PSA_SUCCESS)) {
         char err_msg[48];
         snprintf(err_msg, sizeof(err_msg), "key import err %d", (int) status);
@@ -1782,9 +1783,9 @@ static term nif_crypto_sign(Context *ctx, int argc, term argv[])
 cleanup:
     psa_destroy_key(key_id);
 
-    free(maybe_allocated_data);
-    free(sig_raw);
-    free(sig_der);
+    secure_free(maybe_allocated_data, data_len);
+    secure_free(sig_raw, sig_raw_size);
+    secure_free(sig_der, sig_der_size);
 
     if (UNLIKELY(!success)) {
         RAISE_ERROR(result);
@@ -1951,8 +1952,8 @@ static term nif_crypto_verify(Context *ctx, int argc, term argv[])
 cleanup:
     psa_destroy_key(key_id);
 
-    free(maybe_allocated_data);
-    free(sig_raw);
+    secure_free(maybe_allocated_data, data_len);
+    secure_free(sig_raw, sig_raw_size);
 
     if (UNLIKELY(!success)) {
         RAISE_ERROR(result);
@@ -2112,7 +2113,7 @@ static term nif_crypto_mac(Context *ctx, int argc, term argv[])
     psa_destroy_key(key_id);
     secure_free(mac_out, mac_out_size);
     secure_free(maybe_allocated_key, key_len);
-    free(maybe_allocated_data);
+    secure_free(maybe_allocated_data, data_len);
 
     if (UNLIKELY(!success)) {
         RAISE_ERROR(result);
@@ -2147,6 +2148,7 @@ struct MacState
     psa_algorithm_t psa_algo;
     psa_key_type_t psa_key_type;
     size_t key_bit_size;
+    bool finalized;
 #ifndef AVM_NO_SMP
     Mutex *mutex;
 #endif
@@ -2317,13 +2319,17 @@ static term nif_crypto_mac_update(Context *ctx, int argc, term argv[])
     }
     struct MacState *mac_state = (struct MacState *) psa_mac_obj_ptr;
 
+    if (UNLIKELY(mac_state->finalized)) {
+        RAISE_ERROR(make_crypto_error(__FILE__, __LINE__, "MAC already finalized", ctx));
+    }
+
     void *maybe_allocated_data = NULL;
     size_t data_len;
     term data_term = argv[1];
     const void *data;
     term iodata_handle_result = handle_iodata(data_term, &data, &data_len, &maybe_allocated_data);
     if (UNLIKELY(iodata_handle_result != OK_ATOM)) {
-        free(maybe_allocated_data);
+        secure_free(maybe_allocated_data, data_len);
         RAISE_ERROR(make_crypto_error(__FILE__, __LINE__, "Bad text", ctx));
     }
 
@@ -2333,6 +2339,7 @@ static term nif_crypto_mac_update(Context *ctx, int argc, term argv[])
         psa_mac_abort(&mac_state->psa_op);
         psa_destroy_key(mac_state->key_id);
         mac_state->key_id = 0;
+        mac_state->finalized = true;
         SMP_MUTEX_UNLOCK(mac_state->mutex);
         secure_free(maybe_allocated_data, data_len);
         RAISE_ERROR(make_crypto_error(__FILE__, __LINE__, "Unexpected error", ctx));
@@ -2358,6 +2365,10 @@ static term nif_crypto_mac_final(Context *ctx, int argc, term argv[])
     }
     struct MacState *mac_state = (struct MacState *) psa_mac_obj_ptr;
 
+    if (UNLIKELY(mac_state->finalized)) {
+        RAISE_ERROR(make_crypto_error(__FILE__, __LINE__, "MAC already finalized", ctx));
+    }
+
     bool success = false;
     term result = ERROR_ATOM;
 
@@ -2377,6 +2388,7 @@ static term nif_crypto_mac_final(Context *ctx, int argc, term argv[])
     psa_status_t status = psa_mac_sign_finish(&mac_state->psa_op, mac_buf, mac_size, &mac_len);
     psa_destroy_key(mac_state->key_id);
     mac_state->key_id = 0;
+    mac_state->finalized = true;
     SMP_MUTEX_UNLOCK(mac_state->mutex);
     if (UNLIKELY(status != PSA_SUCCESS)) {
         result = make_crypto_error(__FILE__, __LINE__, "Unexpected error", ctx);
@@ -2409,6 +2421,10 @@ static term nif_crypto_mac_finalN(Context *ctx, int argc, term argv[])
     }
     struct MacState *mac_state = (struct MacState *) psa_mac_obj_ptr;
 
+    if (UNLIKELY(mac_state->finalized)) {
+        RAISE_ERROR(make_crypto_error(__FILE__, __LINE__, "MAC already finalized", ctx));
+    }
+
     avm_int_t requested_len;
     if (UNLIKELY(!term_is_integer(argv[1]))) {
         RAISE_ERROR(make_crypto_error(__FILE__, __LINE__, "Bad length", ctx));
@@ -2438,6 +2454,7 @@ static term nif_crypto_mac_finalN(Context *ctx, int argc, term argv[])
     psa_status_t status = psa_mac_sign_finish(&mac_state->psa_op, mac_buf, mac_size, &mac_len);
     psa_destroy_key(mac_state->key_id);
     mac_state->key_id = 0;
+    mac_state->finalized = true;
     SMP_MUTEX_UNLOCK(mac_state->mutex);
     if (UNLIKELY(status != PSA_SUCCESS)) {
         result = make_crypto_error(__FILE__, __LINE__, "Unexpected error", ctx);
@@ -3214,6 +3231,10 @@ static term nif_crypto_crypto_one_time_aead(Context *ctx, int argc, term argv[])
         RAISE_ERROR(make_crypto_error(__FILE__, __LINE__, "EncFlag must be a boolean", ctx));
     }
 
+    if (UNLIKELY(!encrypting && argc == 6)) {
+        RAISE_ERROR(make_crypto_error(__FILE__, __LINE__, "Tag is required for AEAD decryption", ctx));
+    }
+
     size_t tag_len = aead_params->default_tag_len;
     const void *tag_data = NULL;
     size_t tag_data_len = 0;
@@ -3369,15 +3390,15 @@ static term nif_crypto_crypto_one_time_aead(Context *ctx, int argc, term argv[])
         out_buf_size = pt_size + 1;
         out_buf = malloc(out_buf_size); // +1 to ensure valid malloc even for 0
         if (IS_NULL_PTR(out_buf)) {
-            free(combined_buf);
+            secure_free(combined_buf, combined_len);
             result = OUT_OF_MEMORY_ATOM;
             goto cleanup;
         }
 
         size_t pt_len = 0;
         status = psa_aead_decrypt(key_id, psa_algo, iv_data, iv_len, aad_data, aad_len,
             combined_buf, combined_len, out_buf, pt_size, &pt_len);
-        free(combined_buf);
+        secure_free(combined_buf, combined_len);
 
         switch (status) {
             case PSA_SUCCESS:
@@ -3411,7 +3432,7 @@ static term nif_crypto_crypto_one_time_aead(Context *ctx, int argc, term argv[])
 cleanup:
     psa_destroy_key(key_id);
     secure_free(maybe_allocated_intext, intext_len);
-    free(maybe_allocated_aad);
+    secure_free(maybe_allocated_aad, aad_len);
     secure_free(out_buf, out_buf_size);
 
     if (UNLIKELY(!success)) {

src/libAtomVM/otp_ssl.c

@@ -521,6 +521,7 @@ static term nif_ssl_conf_rng(Context *ctx, int argc, term argv[])
 
     mbedtls_ssl_conf_rng(&conf_obj->config, mbedtls_ctr_drbg_random, &ctr_drbg_obj->context);
 #else
+    // mbedtls 4.x uses PSA for randomness; no explicit RNG configuration needed.
     UNUSED(conf_obj);
     UNUSED(ctr_drbg_obj);
 #endif