Fix to add userWithAuth enforcement

dgarske · dgarske · commit f64f30eead67 · 2026-04-16T14:44:53.000-07:00
diff --git a/src/fwtpm/fwtpm_command.c b/src/fwtpm/fwtpm_command.c
@@ -12788,6 +12788,33 @@ int FWTPM_ProcessCommand(FWTPM_CTX* ctx,
     }
 #endif
 
+    /* userWithAuth enforcement: per TPM 2.0 spec Part 1, Section 19.7.1,
+     * if an object has authPolicy set and userWithAuth is CLEAR, only a
+     * policy session can authorize the object. Reject password and HMAC
+     * sessions for such objects. */
+    for (pj = 0; pj < cmdAuthCnt && pj < (int)entry->authHandleCnt; pj++) {
+        if (cmdAuths[pj].handle == TPM_RS_PW ||
+            (cmdAuths[pj].sess != NULL &&
+             cmdAuths[pj].sess->sessionType == TPM_SE_HMAC)) {
+            TPM_HANDLE entityH = cmdHandles[pj];
+            FWTPM_Object* uwObj = NULL;
+            if ((entityH & 0xFF000000) == (TRANSIENT_FIRST & 0xFF000000) ||
+                (entityH & 0xFF000000) == (PERSISTENT_FIRST & 0xFF000000)) {
+                uwObj = FwFindObject(ctx, entityH);
+            }
+            if (uwObj != NULL && uwObj->pub.authPolicy.size > 0 &&
+                !(uwObj->pub.objectAttributes & TPMA_OBJECT_userWithAuth)) {
+            #ifdef DEBUG_WOLFTPM
+                printf("fwTPM: Password/HMAC auth rejected for handle "
+                    "0x%x — policy required (userWithAuth clear)\n", entityH);
+            #endif
+                *rspSize = FwBuildErrorResponse(rspBuf,
+                    TPM_ST_NO_SESSIONS, TPM_RC_AUTH_UNAVAILABLE);
+                return TPM_RC_SUCCESS;
+            }
+        }
+    }
+
     /* Password auth validation: for password sessions (TPM_RS_PW),
      * verify the password matches the entity's authValue.
      * Per TPM 2.0 spec Part 1, Section 19.8.4: password authorization
