Fixes and new tests for building wolfCrypt/wolfTPM without ECC or RSA. Fixes ZD 18470. Improved smallstack (eliminated `WOLFTPM2_MAX_BUFFER`). Fixes for building with NO_ASN.

.github/workflows/make-test-swtpm.yml

@@ -12,10 +12,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-#pull wolfTPM
+# pull wolfTPM
     - uses: actions/checkout@master
 
-#setup wolfssl
+# setup wolfssl
     - uses: actions/checkout@master
       with:
         repository: wolfssl/wolfssl
@@ -28,9 +28,11 @@ jobs:
       run: ./configure --enable-wolftpm --enable-pkcallbacks
     - name: wolfssl make install
       working-directory: ./wolfssl
-      run: sudo make install
+      run: |
+        make
+        sudo make install
 
-#setup ibmswtpm2
+# setup ibmswtpm2
     - uses: actions/checkout@master
       with:
         repository: kgoldman/ibmswtpm2
@@ -41,7 +43,7 @@ jobs:
           make
           ./tpm_server &
 
-#setup and test defaults (with simulator)
+# setup and test defaults (with simulator)
     - name: autogen
       run: ./autogen.sh
     - name: configure
@@ -74,7 +76,7 @@ jobs:
       run: |
         LD_LIBRARY_PATH=../../src/.libs/:../../wolfssl/src/.libs/ nunit-console wolfTPM.dll
 
-#test no wolfcrypt
+# test no wolfcrypt
     - name: configure no wolfCrypt
       run: ./configure --enable-swtpm --disable-wolfcrypt
     - name: make no wolfCrypt
@@ -84,7 +86,7 @@ jobs:
         make check
         WOLFSSL_PATH=./wolfssl WOLFCRYPT_ENABLE=0 ./examples/run_examples.sh
 
-#test no wrapper
+# test no wrapper
     - name: configure no wrapper
       run: ./configure --enable-swtpm --disable-wrapper
     - name: make no wrapper
@@ -138,10 +140,52 @@ jobs:
     - name: make pedantic
       run: make
 
+# test without ECC
+    - name: wolfssl no ECC
+      working-directory: ./wolfssl
+      run: |
+        ./configure --enable-wolftpm --disable-ecc
+        make
+        sudo make install
+    - name: wolftpm no ECC
+      run: |
+        ./configure --enable-swtpm
+        make
+        make check
+        WOLFSSL_PATH=./wolfssl WOLFCRYPT_ECC=0 ./examples/run_examples.sh
+
+# test without RSA
+    - name: wolfssl no RSA
+      working-directory: ./wolfssl
+      run: |
+        ./configure --enable-wolftpm --disable-rsa
+        make
+        sudo make install
+    - name: wolftpm no RSA
+      run: |
+        ./configure --enable-swtpm
+        make
+        make check
+        WOLFSSL_PATH=./wolfssl WOLFCRYPT_RSA=0 ./examples/run_examples.sh
+
+# test with default configure (no AES CFB, no PKCS7, no crpyto cb, no cert gen)
+    - name: wolfssl default configure
+      working-directory: ./wolfssl
+      run: |
+        ./configure CFLAGS="-DWOLFSSL_PUBLIC_MP"
+        make
+        sudo make install
+    - name: wolftpm default configure
+      run: |
+        ./configure --enable-swtpm
+        make
+        make check
+        WOLFSSL_PATH=./wolfssl WOLFCRYPT_DEFAULT=1 ./examples/run_examples.sh
+
 # capture logs on failure
     - name: Upload failure logs
       if: failure()
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: wolftpm-test-logs
         path: |

IDE/QNX/README.md

@@ -41,9 +41,8 @@ Here is a template:
 
 /* Reduce stack use */
 #define MAX_COMMAND_SIZE    1024
-#define MAX_RESPONSE_SIZE   1024
+#define MAX_RESPONSE_SIZE   1350
-#define WOLFTPM2_MAX_BUFFER 1500
+#define MAX_DIGEST_BUFFER   896
-#define MAX_DIGEST_BUFFER   973
 
 /* Debugging */
 #if 1

configure.ac

@@ -355,7 +355,7 @@ then
 
     # Reduces max packet and buffer sizes to 1024 bytes
     # RSA KeyGen AES response is 1329 MAX_RESPONSE_SIZE
-    AM_CFLAGS="$AM_CFLAGS -DMAX_COMMAND_SIZE=1024 -DMAX_RESPONSE_SIZE=1350 -DWOLFTPM2_MAX_BUFFER=1500 -DMAX_DIGEST_BUFFER=973"
+    AM_CFLAGS="$AM_CFLAGS -DMAX_COMMAND_SIZE=1024 -DMAX_RESPONSE_SIZE=1350 -DMAX_DIGEST_BUFFER=896"
 
     # If parameter encryption is not used then maximum session count is one
     if test "x$ENABLED_WOLFCRYPT" = "xno"

examples/bench/bench.c

@@ -269,8 +269,12 @@ int TPM2_Wrapper_BenchArgs(void* userCtx, int argc, char *argv[])
     if (rc != 0) goto exit;
 
     if (paramEncAlg != TPM_ALG_NULL) {
+        void* bindKey = &storageKey;
+    #ifdef NO_RSA
+        bindKey = NULL; /* cannot bind to key without RSA enabled */
+    #endif
         /* Start an authenticated session (salted / unbound) with parameter encryption */
-        rc = wolfTPM2_StartSession(&dev, &tpmSession, &storageKey, NULL,
+        rc = wolfTPM2_StartSession(&dev, &tpmSession, bindKey, NULL,
             TPM_SE_HMAC, paramEncAlg);
         if (rc != 0) goto exit;
         printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",

examples/boot/secret_seal.c

@@ -64,7 +64,7 @@ static void usage(void)
 }
 
 /* Load Key Public Info */
-#if !defined(NO_FILESYSTEM)
+#if !defined(NO_FILESYSTEM) && !defined(NO_ASN)
 static int LoadAuthKeyInfo(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* authKey,
     TPM_ALG_ID alg, const char* file)
 {
@@ -99,7 +99,7 @@ static int LoadAuthKeyInfo(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* authKey,
     }
     return rc;
 }
-#endif /* !NO_FILESYSTEM */
+#endif /* !NO_FILESYSTEM && !NO_ASN */
 
 int TPM2_Boot_SecretSeal_Example(void* userCtx, int argc, char *argv[])
 {
@@ -232,7 +232,7 @@ int TPM2_Boot_SecretSeal_Example(void* userCtx, int argc, char *argv[])
         else if (alg == TPM_ALG_ECC)
             publicKeyFile = "./certs/example-ecc256-key-pub.der";
     }
-#if !defined(NO_FILESYSTEM)
+#if !defined(NO_FILESYSTEM) && !defined(NO_ASN)
     /* Policy Authorization */
     if (policyFile) {
         policyDigestSz = (word32)sizeof(policyDigest);

examples/boot/secret_unseal.c

@@ -62,7 +62,7 @@ static void usage(void)
 }
 
 /* Load Key Public Info */
-#if !defined(NO_FILESYSTEM)
+#if !defined(NO_FILESYSTEM) && !defined(NO_ASN)
 static int LoadAuthKeyInfo(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* authKey,
     TPM_ALG_ID alg, const char* file)
 {
@@ -103,7 +103,7 @@ static int LoadAuthKeyInfo(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* authKey,
     }
     return rc;
 }
-#endif /* !NO_FILESYSTEM */
+#endif /* !NO_FILESYSTEM && !NO_ASN */
 
 int TPM2_Boot_SecretUnseal_Example(void* userCtx, int argc, char *argv[])
 {
@@ -251,7 +251,7 @@ int TPM2_Boot_SecretUnseal_Example(void* userCtx, int argc, char *argv[])
     printHexString(policyDigest, policyDigestSz, policyDigestSz);
 
     /* Load external public key and signature */
-#if !defined(NO_FILESYSTEM)
+#if !defined(NO_FILESYSTEM) && !defined(NO_ASN)
     /* Policy Authorization Signature */
     if (pcrSigFile) {
         sigSz = (word32)sizeof(sig);

examples/boot/secure_rot.c

@@ -90,6 +90,7 @@ int TPM2_Boot_SecureROT_Example(void* userCtx, int argc, char *argv[])
     XMEMSET(&parent, 0, sizeof(parent));
     XMEMSET(authBuf, 0, sizeof(authBuf));
     XMEMSET(digest, 0, sizeof(digest));
+    XMEMSET(&nv, 0, sizeof(nv));
 
     if (argc >= 2) {
         if (XSTRCMP(argv[1], "-?") == 0 ||

examples/endorsement/get_ek_certs.c

@@ -107,7 +107,7 @@ static void show_ek_public(const TPM2B_PUBLIC* pub)
     }
 }
 
-#ifndef WOLFTPM2_NO_WOLFCRYPT
+#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_ASN)
 static int compare_ek_public(const TPM2B_PUBLIC* ekpub,
     const TPM2B_PUBLIC* certpub)
 {
@@ -154,7 +154,7 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
     uint32_t certSz;
     TPMT_PUBLIC publicTemplate;
     word32 nvIndex;
-#ifndef WOLFTPM2_NO_WOLFCRYPT
+#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_ASN)
     #ifndef WOLFCRYPT_ONLY
     int i;
     WOLFSSL_CERT_MANAGER* cm = NULL;
@@ -196,7 +196,8 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
     rc = 0;
     printf("Found %d TCG handles\n", handles.count);
 
-#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(WOLFCRYPT_ONLY)
+#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(WOLFCRYPT_ONLY) && \
+    !defined(NO_ASN)
     /* load trusted certificates to cert manager */
     certSz = 0;
     cm = wolfSSL_CertManagerNew();
@@ -208,12 +209,13 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
                 WOLFSSL_FILETYPE_PEM);
             if (rc == WOLFSSL_SUCCESS) {
                 certSz++;
-                rc = 0;
             }
             else {
-                printf("Warning: Failed to load trusted PEM at index %d\n", i);
+                printf("Warning: Failed to load trusted PEM at index %d. "
+                    "Error %s (rc %d)\n", i, TPM2_GetRCString(rc), rc);
                 /* not fatal, continue loading trusted certs */
             }
+            rc = 0; /* reset return code */
         }
         printf("Loaded %d trusted certificates\n", certSz);
     }
@@ -272,7 +274,7 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
             show_ek_public(&endorse.pub);
         }
 
-    #ifndef WOLFTPM2_NO_WOLFCRYPT
+    #if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_ASN)
         if (rc == 0) {
             /* Attempt to parse certificate */
             printf("Parsing certificate (%d bytes)\n", certSz);
@@ -376,7 +378,7 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
             }
         #endif /* WOLFSSL_DER_TO_PEM */
         }
-    #endif /* !WOLFTPM2_NO_WOLFCRYPT */
+    #endif /* !WOLFTPM2_NO_WOLFCRYPT && !NO_ASN */
 
         wolfTPM2_UnloadHandle(&dev, &endorse.handle);
         XMEMSET(&endorse, 0, sizeof(endorse));
@@ -384,7 +386,7 @@ int TPM2_EndorsementCert_Example(void* userCtx, int argc, char *argv[])
 
 exit:
 
-#ifndef WOLFTPM2_NO_WOLFCRYPT
+#if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_ASN)
     #ifdef WOLFSSL_DER_TO_PEM
     XFREE(pem, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     #endif

examples/keygen/external_import.c

@@ -172,6 +172,7 @@ int TPM2_ExternalImport_Example(void* userCtx, int argc, char *argv[])
     printf("Import Seed %d\n", seedValue.size);
     TPM2_PrintBin(seedValue.buffer, seedValue.size);
 
+#ifndef NO_ASN
     rc = wolfTPM2_ImportPrivateKeyBuffer(&dev, &storage, TPM_ALG_RSA, key2,
         ENCODING_TYPE_PEM, extRSAPrivatePem, (word32)strlen(extRSAPrivatePem),
         NULL, attributes, seedValue.buffer, seedValue.size);
@@ -179,6 +180,9 @@ int TPM2_ExternalImport_Example(void* userCtx, int argc, char *argv[])
         printf("wolfTPM2_ImportPrivateKeyBuffer failed import\n");
         goto exit;
     }
+#else
+    (void)attributes;
+#endif
 
     rc = wolfTPM2_LoadKey(&dev, key2, &primary->handle);
     if (rc != 0) {

examples/keygen/keygen.c

@@ -127,6 +127,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
     WOLFTPM2_KEYBLOB primaryBlob; /* Primary key as WOLFTPM2_KEYBLOB */
     TPMT_PUBLIC publicTemplate;
     TPMI_ALG_PUBLIC alg = TPM_ALG_RSA; /* default, see usage() for options */
+    TPMI_ALG_PUBLIC srkAlg = TPM_ALG_ECC; /* prefer ECC, but allow RSA */
     TPM_ALG_ID algSym = TPM_ALG_CTR; /* default Symmetric Cipher, see usage */
     TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
     WOLFTPM2_SESSION tpmSession;
@@ -142,7 +143,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
     const char *pubFilename = NULL;
 #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
     const char *nameFile = "ak.name"; /* Name Digest for attestation purposes */
-    #if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_RSA)
+    #if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_ASN)
     const char *pemFilename = NULL;
     #endif
 #endif
@@ -220,6 +221,9 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
     XMEMSET(&tpmSession, 0, sizeof(tpmSession));
     XMEMSET(&auth, 0, sizeof(auth));
 
+    if (alg == TPM_ALG_RSA)
+        srkAlg = TPM_ALG_RSA;
+
     printf("TPM2.0 Key generation example\n");
     printf("\tKey Blob: %s\n", outputFile);
     printf("\tAlgorithm: %s\n", TPM2_GetAlgName(alg));
@@ -227,6 +231,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
         printf("\t\t %s mode, %d keybits\n", symMode, keyBits);
     }
     printf("\tTemplate: %s\n", bAIK ? "AIK" : "Default");
+    printf("\tSRK: %s\n", TPM2_GetAlgName(srkAlg));
     printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));
 
     rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
@@ -237,16 +242,12 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
 
     if (endorseKey) {
         /* endorsement is always RSA */
-        rc = wolfTPM2_CreateEK(&dev, &endorse, TPM_ALG_RSA);
+        rc = wolfTPM2_CreateEK(&dev, &endorse, srkAlg);
         endorse.handle.policyAuth = 1; /* EK requires Policy auth, not Password */
         pubFilename = ekPubFile;
         primary = &endorse;
     }
     else {
-        /* SRK: Use RSA or ECC SRK only. Prefer ECC */
-        TPMI_ALG_PUBLIC srkAlg = TPM_ALG_ECC;
-        if (alg == TPM_ALG_RSA)
-            srkAlg = TPM_ALG_RSA;
         rc = getPrimaryStoragekey(&dev, &storage, srkAlg);
         pubFilename = srkPubFile;
         primary = &storage;
@@ -254,8 +255,17 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
     if (rc != 0) goto exit;
 
     if (paramEncAlg != TPM_ALG_NULL) {
+        void* bindKey = primary;
+    #ifndef HAVE_ECC
+        if (srkAlg == TPM_ALG_ECC)
+            bindKey = NULL; /* cannot bind to key without ECC enabled */
+    #endif
+    #ifdef NO_RSA
+        if (srkAlg == TPM_ALG_RSA)
+            bindKey = NULL; /* cannot bind to key without RSA enabled */
+    #endif
         /* Start an authenticated session (salted / unbound) with parameter encryption */
-        rc = wolfTPM2_StartSession(&dev, &tpmSession, primary, NULL,
+        rc = wolfTPM2_StartSession(&dev, &tpmSession, bindKey, NULL,
             TPM_SE_HMAC, paramEncAlg);
         if (rc != 0) goto exit;
         printf("HMAC Session: Handle 0x%x\n",
@@ -404,7 +414,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
 
     /* Save EK public key as PEM format file to the disk */
 #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) && \
-    !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_RSA)
+    !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_ASN)
     if (pemFiles) {
         byte pem[MAX_RSA_KEY_BYTES];
         word32 pemSz;

examples/keygen/keyimport.c

@@ -69,7 +69,8 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
     WOLFTPM2_DEV dev;
     WOLFTPM2_KEY storage; /* SRK */
     WOLFTPM2_KEYBLOB impKey;
-    TPMI_ALG_PUBLIC alg = TPM_ALG_RSA, srkAlg; /* TPM_ALG_ECC */
+    TPMI_ALG_PUBLIC alg = TPM_ALG_RSA;
+    TPMI_ALG_PUBLIC srkAlg = TPM_ALG_ECC; /* prefer ECC, but allow RSA */
     TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
     WOLFTPM2_SESSION tpmSession;
     const char* outputFile = "keyblob.bin";
@@ -98,6 +99,9 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
         if (XSTRCMP(argv[argc-1], "-ecc") == 0) {
             alg = TPM_ALG_ECC;
         }
+        else if (XSTRCMP(argv[argc-1], "-rsa") == 0) {
+            alg = TPM_ALG_RSA;
+        }
         else if (XSTRCMP(argv[argc-1], "-aes") == 0) {
             paramEncAlg = TPM_ALG_CFB;
         }
@@ -137,9 +141,13 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
     XMEMSET(&impKey, 0, sizeof(impKey));
     XMEMSET(&tpmSession, 0, sizeof(tpmSession));
 
+    if (alg == TPM_ALG_RSA)
+        srkAlg = TPM_ALG_RSA;
+
     printf("TPM2.0 Key Import example\n");
     printf("\tKey Blob: %s\n", outputFile);
     printf("\tAlgorithm: %s\n", TPM2_GetAlgName(alg));
+    printf("\tSRK: %s\n", TPM2_GetAlgName(srkAlg));
     printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));
     printf("\tpassword: %s\n", password);
 
@@ -149,24 +157,24 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
         goto exit;
     }
 
-    srkAlg = alg;
-#if defined(HAVE_ECC) && !defined(WOLFSSL_PUBLIC_MP)
-    if (srkAlg == TPM_ALG_ECC && paramEncAlg != TPM_ALG_NULL) {
-        /* ECC encrypt requires mp_ API's */
-        printf("Parameter encryption with ECC SRK support not available, "
-               "using RSA SRK\n");
-        srkAlg = TPM_ALG_RSA;
-    }
-#endif
-
     /* get SRK */
     rc = getPrimaryStoragekey(&dev, &storage, srkAlg);
     if (rc != 0) goto exit;
 
     if (paramEncAlg != TPM_ALG_NULL) {
+        void* bindKey = &storage;
+    #ifndef HAVE_ECC
+        if (srkAlg == TPM_ALG_ECC)
+            bindKey = NULL; /* cannot bind to key without ECC enabled */
+    #endif
+    #ifdef NO_RSA
+        if (srkAlg == TPM_ALG_RSA)
+            bindKey = NULL; /* cannot bind to key without RSA enabled */
+    #endif
+
         /* Start an authenticated session (salted / unbound) with parameter
          * encryption */
-        rc = wolfTPM2_StartSession(&dev, &tpmSession, &storage, NULL,
+        rc = wolfTPM2_StartSession(&dev, &tpmSession, bindKey, NULL,
             TPM_SE_HMAC, paramEncAlg);
         if (rc != 0) goto exit;
         printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
@@ -191,7 +199,7 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
              TPMA_OBJECT_userWithAuth |
              TPMA_OBJECT_noDA);
 
-#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
+#if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES) && !defined(NO_ASN)
     if (impFile != NULL) {
         printf("Loading %s%s key file: %s\n",
             encType == ENCODING_TYPE_PEM ? "PEM" : "DER",
@@ -219,6 +227,12 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
                 );
             }
         }
+    #if defined(NO_RSA) || !defined(HAVE_ECC)
+        if (rc == NOT_COMPILED_IN) {
+            printf("Feature not compiled in! Skipping test\n");
+            rc = 0; /* allowing error */
+        }
+    #endif
     }
     else
 #else

examples/keygen/keyload.c

@@ -66,12 +66,15 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[])
     WOLFTPM2_KEY *primary = NULL;
     WOLFTPM2_KEYBLOB newKey;
     WOLFTPM2_KEY persistKey;
+    TPM_ALG_ID alg;
+    TPMI_ALG_PUBLIC srkAlg = TPM_ALG_ECC; /* prefer ECC, but allow RSA */
     TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
     WOLFTPM2_SESSION tpmSession;
     const char* inputFile = "keyblob.bin";
     int persistent = 0;
     int endorseKey = 0;
 
+
     if (argc >= 2) {
         if (XSTRCMP(argv[1], "-?") == 0 ||
             XSTRCMP(argv[1], "-h") == 0 ||
@@ -129,18 +132,19 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[])
     goto exit;
 #endif
 
+    alg = newKey.pub.publicArea.type;
+    if (alg == TPM_ALG_RSA)
+        srkAlg = TPM_ALG_RSA;
+    printf("Loading %s key\n", TPM2_GetAlgName(alg));
+
     if (endorseKey) {
         /* endorsement is always RSA */
-        rc = wolfTPM2_CreateEK(&dev, &endorse, TPM_ALG_RSA);
+        rc = wolfTPM2_CreateEK(&dev, &endorse, srkAlg);
         if (rc != 0) goto exit;
         endorse.handle.policyAuth = 1;
         primary = &endorse;
     }
     else {
-        /* SRK: Use RSA or ECC SRK only. Prefer ECC */
-        TPMI_ALG_PUBLIC srkAlg = TPM_ALG_ECC;
-        if (newKey.pub.publicArea.type == TPM_ALG_RSA)
-            srkAlg = TPM_ALG_RSA;
         rc = getPrimaryStoragekey(&dev, &storage, srkAlg);
         if (rc != 0) goto exit;
         primary = &storage;
@@ -154,11 +158,19 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[])
         rc = wolfTPM2_SetAuthSession(&dev, 0, &tpmSession, 0);
         if (rc != 0) goto exit;
     }
-
+    else if (paramEncAlg != TPM_ALG_NULL) {
-    if (paramEncAlg != TPM_ALG_NULL) {
+        void* bindKey = &storage;
+    #ifndef HAVE_ECC
+        if (srkAlg == TPM_ALG_ECC)
+            bindKey = NULL; /* cannot bind to key without ECC enabled */
+    #endif
+    #ifdef NO_RSA
+        if (srkAlg == TPM_ALG_RSA)
+            bindKey = NULL; /* cannot bind to key without RSA enabled */
+    #endif
         /* Start an authenticated session (salted / unbound) with parameter
          * encryption */
-        rc = wolfTPM2_StartSession(&dev, &tpmSession, &storage, NULL,
+        rc = wolfTPM2_StartSession(&dev, &tpmSession, bindKey, NULL,
             TPM_SE_HMAC, paramEncAlg);
         if (rc != 0) goto exit;
         printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",

examples/nvram/store.c

@@ -79,6 +79,7 @@ int TPM2_NVRAM_Store_Example(void* userCtx, int argc, char *argv[])
     word32 nvIndex = TPM2_DEMO_NVRAM_STORE_INDEX;
     byte* auth = (byte*)gNvAuth;
     word32 authSz = (word32)sizeof(gNvAuth)-1;
+    word32 nvSize;
 
     if (argc >= 2) {
         if (XSTRCMP(argv[1], "-?") == 0 ||
@@ -171,12 +172,17 @@ int TPM2_NVRAM_Store_Example(void* userCtx, int argc, char *argv[])
     rc = wolfTPM2_GetNvAttributesTemplate(parent.hndl, &nvAttributes);
     if (rc != 0) goto exit;
 
+    /* Estimate size of NV */
+    nvSize =
+        keyBlob.pub.size + sizeof(keyBlob.pub.size) + sizeof(UINT16) +
+        keyBlob.priv.size + sizeof(keyBlob.priv.size) + sizeof(UINT16);
+
     /* Try and open existing NV */
     rc = wolfTPM2_NVOpen(&dev, &nv, nvIndex, auth, authSz);
     if (rc != 0) {
         /* In not found try create using wolfTPM2 wrapper for NV_Define */
         rc = wolfTPM2_NVCreateAuth(&dev, &parent, &nv, nvIndex,
-            nvAttributes, TPM2_DEMO_NV_TEST_SIZE, auth, authSz);
+            nvAttributes, nvSize, auth, authSz);
 
         if (rc != 0 && rc != TPM_RC_NV_DEFINED) goto exit;
     }

examples/pcr/policy_sign.c

@@ -133,7 +133,7 @@ static int PolicySign(TPM_ALG_ID alg, const char* keyFile, const char* password,
         }
     }
     if (rc == 0 && alg == TPM_ALG_RSA) {
-    #ifndef NO_RSA
+    #if !defined(NO_RSA) && !defined(NO_ASN)
         rc = wc_InitRsaKey(&key.rsa, NULL);
         if (rc == 0) {
             byte encHash[WC_MAX_DIGEST_SIZE + WC_MAX_ENCODED_DIG_ASN_SZ];
@@ -173,7 +173,7 @@ static int PolicySign(TPM_ALG_ID alg, const char* keyFile, const char* password,
     #endif
     }
     else if (rc == 0 && alg == TPM_ALG_ECC) {
-    #if defined(HAVE_ECC) && defined(WOLFSSL_PUBLIC_MP)
+    #if defined(HAVE_ECC) && defined(WOLFSSL_PUBLIC_MP) && !defined(NO_ASN)
         rc = wc_ecc_init(&key.ecc);
         if (rc == 0) {
             word32 idx = 0;
@@ -203,6 +203,7 @@ static int PolicySign(TPM_ALG_ID alg, const char* keyFile, const char* password,
             wc_ecc_free(&key.ecc);
         }
     #else
+        (void)hashAlg;
         rc = NOT_COMPILED_IN;
     #endif
     }
@@ -212,6 +213,12 @@ static int PolicySign(TPM_ALG_ID alg, const char* keyFile, const char* password,
     XFREE(buf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
     wc_FreeRng(&rng);
 
+    (void)hash;
+    (void)hashSz;
+    (void)sig;
+    (void)sigSz;
+    (void)authPubKey;
+
     if (rc != 0) {
         printf("Policy Sign with external key failed %d\n", rc);
     }
@@ -302,6 +309,19 @@ int TPM2_PCR_PolicySign_Example(void* userCtx, int argc, char *argv[])
 
     printf("Sign PCR Policy Example\n");
 
+#ifndef HAVE_ECC
+    if (alg == TPM_ALG_ECC) {
+        printf("ECC not compiled in!\n");
+        return 0; /* don't report error */
+    }
+#endif
+#ifdef NO_RSA
+    if (alg == TPM_ALG_RSA) {
+        printf("RSA not compiled in!\n");
+        return 0; /* don't report error */
+    }
+#endif
+
     /* Setup PCR's */
     if (pcrArraySz == 0) {
         pcrArray[pcrArraySz] = TPM2_DEMO_PCR_INDEX;

examples/pcr/quote.c

@@ -145,8 +145,17 @@ int TPM2_PCR_Quote_Test(void* userCtx, int argc, char *argv[])
         (word32)aik.handle.hndl, aik.pub.size);
 
     if (paramEncAlg != TPM_ALG_NULL) {
+        void* bindKey = &storage;
+    #ifndef HAVE_ECC
+        if (alg == TPM_ALG_ECC)
+            bindKey = NULL; /* cannot bind to key without ECC enabled */
+    #endif
+    #ifdef NO_RSA
+        if (alg == TPM_ALG_RSA)
+            bindKey = NULL; /* cannot bind to key without RSA enabled */
+    #endif
         /* Start an authenticated session (salted / unbound) with parameter encryption */
-        rc = wolfTPM2_StartSession(&dev, &tpmSession, &storage, NULL,
+        rc = wolfTPM2_StartSession(&dev, &tpmSession, bindKey, NULL,
             TPM_SE_HMAC, paramEncAlg);
         if (rc != 0) goto exit;
         printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",

examples/pkcs7/pkcs7.c

@@ -62,7 +62,7 @@
 
 #ifdef ENABLE_PKCS7EX_EXAMPLE
 /* Dummy Function to Get Data */
-#define MY_DATA_CHUNKS  WOLFTPM2_MAX_BUFFER
+#define MY_DATA_CHUNKS  MAX_DIGEST_BUFFER
 #define MY_DATA_TOTAL  (1024 * 1024) + 12 /* odd remainder for test */
 static int GetMyData(byte* buffer, word32 bufSz, word32 offset)
 {
@@ -92,8 +92,9 @@ static int GetMyData(byte* buffer, word32 bufSz, word32 offset)
 
 /* The wc_PKCS7_EncodeSignedData_ex and wc_PKCS7_VerifySignedData_ex functions
    were added in this PR https://github.com/wolfSSL/wolfssl/pull/1780. */
-static int PKCS7_SignVerifyEx(WOLFTPM2_DEV* dev, int tpmDevId, WOLFTPM2_BUFFER* derCert,
+static int PKCS7_SignVerifyEx(WOLFTPM2_DEV* dev, int tpmDevId,
-    WOLFTPM2_BUFFER* derPubKey, int alg, enum wc_HashType hashType, const char* outFile)
+    byte* derCert, word32 derCertSz, byte* derPubKey, word32 derPubKeySz,
+    int alg, enum wc_HashType hashType, const char* outFile)
 {
     int rc;
     PKCS7 pkcs7;
@@ -139,7 +140,7 @@ static int PKCS7_SignVerifyEx(WOLFTPM2_DEV* dev, int tpmDevId, WOLFTPM2_BUFFER*
     /* Generate and verify PKCS#7 files containing data using TPM key */
     rc = wc_PKCS7_Init(&pkcs7, NULL, tpmDevId);
     if (rc != 0) goto exit;
-    rc = wc_PKCS7_InitWithCert(&pkcs7, derCert->buffer, derCert->size);
+    rc = wc_PKCS7_InitWithCert(&pkcs7, derCert, derCertSz);
     if (rc != 0) goto exit;
 
     pkcs7.content = NULL; /* not used */
@@ -149,8 +150,8 @@ static int PKCS7_SignVerifyEx(WOLFTPM2_DEV* dev, int tpmDevId, WOLFTPM2_BUFFER*
     pkcs7.rng = wolfTPM2_GetRng(dev);
     /* pass public key instead of private here. The PKCS7 will try a public
      * key decode if using crypto callbacks */
-    pkcs7.privateKey = derPubKey->buffer;
+    pkcs7.privateKey = derPubKey;
-    pkcs7.privateKeySz = derPubKey->size;
+    pkcs7.privateKeySz = derPubKeySz;
 
     outputHeadSz = (int)sizeof(outputHead);
     outputFootSz = (int)sizeof(outputFoot);
@@ -241,8 +242,9 @@ exit:
 }
 #endif /* ENABLE_PKCS7EX_EXAMPLE */
 
-static int PKCS7_SignVerify(WOLFTPM2_DEV* dev, int tpmDevId, WOLFTPM2_BUFFER* derCert,
+static int PKCS7_SignVerify(WOLFTPM2_DEV* dev, int tpmDevId,
-    WOLFTPM2_BUFFER* derPubKey, int alg, enum wc_HashType hashType, const char* outFile)
+    byte* derCert, word32 derCertSz, byte* derPubKey, word32 derPubKeySz,
+    int alg, enum wc_HashType hashType, const char* outFile)
 {
     int rc;
     PKCS7 pkcs7;
@@ -258,7 +260,7 @@ static int PKCS7_SignVerify(WOLFTPM2_DEV* dev, int tpmDevId, WOLFTPM2_BUFFER* de
     /* Generate and verify PKCS#7 files containing data using TPM key */
     rc = wc_PKCS7_Init(&pkcs7, NULL, tpmDevId);
     if (rc != 0) goto exit;
-    rc = wc_PKCS7_InitWithCert(&pkcs7, derCert->buffer, derCert->size);
+    rc = wc_PKCS7_InitWithCert(&pkcs7, derCert, derCertSz);
     if (rc != 0) goto exit;
 
     pkcs7.content = data;
@@ -268,8 +270,8 @@ static int PKCS7_SignVerify(WOLFTPM2_DEV* dev, int tpmDevId, WOLFTPM2_BUFFER* de
     pkcs7.rng = wolfTPM2_GetRng(dev);
     /* pass public key instead of private here. The PKCS7 will try a public
      * key decode if using crypto callbacks */
-    pkcs7.privateKey = derPubKey->buffer;
+    pkcs7.privateKey = derPubKey;
-    pkcs7.privateKeySz = derPubKey->size;
+    pkcs7.privateKeySz = derPubKeySz;
 
     rc = wc_PKCS7_EncodeSignedData(&pkcs7, output, sizeof(output));
     if (rc <= 0) goto exit;
@@ -339,8 +341,10 @@ int TPM2_PKCS7_ExampleArgs(void* userCtx, int argc, char *argv[])
     TPMT_PUBLIC publicTemplate;
     TpmCryptoDevCtx tpmCtx;
     int tpmDevId;
-    WOLFTPM2_BUFFER derCert;
+    byte derCert[MAX_PKCS7_SIZE];
-    WOLFTPM2_BUFFER derPubKey;
+    word32 derCertSz = 0;
+    byte derPubKey[MAX_PKCS7_SIZE];
+    word32 derPubKeySz;
 #if !defined(NO_FILESYSTEM) && !defined(NO_WRITE_TEMP_FILES)
     XFILE derFile;
     const char* inCert = NULL;
@@ -387,12 +391,24 @@ int TPM2_PKCS7_ExampleArgs(void* userCtx, int argc, char *argv[])
 
     printf("TPM2 PKCS7 Example\n");
 
-
     XMEMSET(&derCert, 0, sizeof(derCert));
     XMEMSET(&derPubKey, 0, sizeof(derPubKey));
     XMEMSET(&tpmKey, 0, sizeof(tpmKey));
     XMEMSET(&storageKey, 0, sizeof(storageKey));
 
+#ifndef HAVE_ECC
+    if (alg == TPM_ALG_ECC) {
+        printf("ECC not compiled in!\n");
+        return 0; /* don't report error */
+    }
+#endif
+#ifdef NO_RSA
+    if (alg == TPM_ALG_RSA) {
+        printf("RSA not compiled in!\n");
+        return 0; /* don't report error */
+    }
+#endif
+
     /* Init the TPM2 device */
     rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
     if (rc != 0) return rc;
@@ -475,35 +491,43 @@ int TPM2_PKCS7_ExampleArgs(void* userCtx, int argc, char *argv[])
     derFile = XFOPEN(inCert, "rb");
     if (derFile != XBADFILE) {
         XFSEEK(derFile, 0, XSEEK_END);
-        derCert.size = (int)XFTELL(derFile);
+        derCertSz = (int)XFTELL(derFile);
         XREWIND(derFile);
-        if (derCert.size > (int)sizeof(derCert.buffer)) {
+        if (derCertSz > (int)sizeof(derCert)) {
             rc = BUFFER_E;
         }
         else {
-            rc = (int)XFREAD(derCert.buffer, 1, derCert.size, derFile);
+            rc = (int)XFREAD(derCert, 1, derCertSz, derFile);
-            rc = (rc == derCert.size) ? 0 : -1;
+            rc = (rc == (int)derCertSz) ? 0 : -1;
         }
         XFCLOSE(derFile);
         if (rc != 0) goto exit;
     }
+    else {
+        printf("Failed to open %s\n", inCert);
+        rc = BAD_FUNC_ARG;
+        goto exit;
+    }
+#else
+    rc = NOT_COMPILED_IN;
+    goto exit;
 #endif
 
     /* Export TPM public key as DER/ASN.1 (should match certificate) */
-    derPubKey.size = (int)sizeof(derPubKey.buffer);
+    derPubKeySz = (int)sizeof(derPubKey);
     rc = wolfTPM2_ExportPublicKeyBuffer(&dev, &tpmKey,
-        ENCODING_TYPE_ASN1, derPubKey.buffer, (word32*)&derPubKey.size);
+        ENCODING_TYPE_ASN1, derPubKey, (word32*)&derPubKeySz);
     if (rc != 0) goto exit;
 
     /* PKCS 7 sign/verify example */
-    rc = PKCS7_SignVerify(&dev, tpmDevId, &derCert, &derPubKey, alg, hashType,
+    rc = PKCS7_SignVerify(&dev, tpmDevId, derCert, derCertSz, derPubKey,
-        outFile);
+        derPubKeySz, alg, hashType, outFile);
     if (rc != 0) goto exit;
 
 #ifdef ENABLE_PKCS7EX_EXAMPLE
     /* PKCS 7 large data sign/verify example */
-    rc = PKCS7_SignVerifyEx(&dev, tpmDevId, &derCert, &derPubKey, alg, hashType,
+    rc = PKCS7_SignVerifyEx(&dev, tpmDevId, derCert, derCertSz, derPubKey,
-        outFileEx);
+        derPubKeySz, alg, hashType, outFileEx);
     if (rc != 0) goto exit;
 #endif
 

examples/run_examples.sh

@@ -10,6 +10,15 @@ fi
 if [ -z "$WOLFCRYPT_ENABLE" ]; then
     WOLFCRYPT_ENABLE=1
 fi
+if [ -z "$WOLFCRYPT_DEFAULT" ]; then
+    WOLFCRYPT_DEFAULT=0
+fi
+if [ -z "$WOLFCRYPT_ECC" ]; then
+    WOLFCRYPT_ECC=1
+fi
+if [ -z "$WOLFCRYPT_RSA" ]; then
+    WOLFCRYPT_RSA=1
+fi
 
 rm -f run.out
 touch run.out
@@ -100,41 +109,62 @@ RESULT=$?
 RESULT=$?
 [ $RESULT -ne 0 ] && echo -e "keyload rsa failed! $RESULT" && exit 1
 if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
+    ./examples/keygen/keygen keyblob.bin -rsa -xor >> run.out 2>&1
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "keygen rsa param enc xor failed! $RESULT" && exit 1
+    ./examples/keygen/keyload keyblob.bin -xor >> run.out 2>&1
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "keyload rsa param enc xor failed! $RESULT" && exit 1
+
+    if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
         ./examples/keygen/keygen keyblob.bin -rsa -aes >> run.out 2>&1
         RESULT=$?
-    [ $RESULT -ne 0 ] && echo -e "keygen rsa param enc failed! $RESULT" && exit 1
+        [ $RESULT -ne 0 ] && echo -e "keygen rsa param enc aes failed! $RESULT" && exit 1
         ./examples/keygen/keyload keyblob.bin -aes >> run.out 2>&1
         RESULT=$?
-    [ $RESULT -ne 0 ] && echo -e "keyload rsa param enc failed! $RESULT" && exit 1
 
+        if [ $WOLFCRYPT_RSA -eq 1 ]; then
+            [ $RESULT -ne 0 ] && echo -e "keyload rsa param enc aes failed! $RESULT" && exit 1
             ./examples/keygen/keyimport rsakeyblob.bin -rsa >> run.out 2>&1
             RESULT=$?
             [ $RESULT -ne 0 ] && echo -e "keyload rsa import load failed! $RESULT" && exit 1
             ./examples/keygen/keyload rsakeyblob.bin >> run.out 2>&1
             RESULT=$?
+            [ $RESULT -ne 0 ] && echo -e "keyload rsa load failed! $RESULT" && exit 1
             rm -f rsakeyblob.bin
-    [ $RESULT -ne 0 ] && echo -e "keyload rsa import load failed! $RESULT" && exit 1
+        fi
+    fi
 fi
 # keeping keyblob.bin for later tests
 
-./examples/keygen/keygen ecckeyblob.bin -ecc >> run.out 2>&1
+./examples/keygen/keygen eccblob.bin -ecc >> run.out 2>&1
 RESULT=$?
 [ $RESULT -ne 0 ] && echo -e "keygen ecc failed! $RESULT" && exit 1
-./examples/keygen/keyload ecckeyblob.bin >> run.out 2>&1
+./examples/keygen/keyload eccblob.bin >> run.out 2>&1
 RESULT=$?
 [ $RESULT -ne 0 ] && echo -e "keyload ecc failed! $RESULT" && exit 1
 if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
-    ./examples/keygen/keygen ecckeyblob.bin -ecc -aes >> run.out 2>&1
+    if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
+        ./examples/keygen/keygen eccblob.bin -ecc -aes >> run.out 2>&1
         RESULT=$?
         [ $RESULT -ne 0 ] && echo -e "keygen ecc param enc failed! $RESULT" && exit 1
-    ./examples/keygen/keyload ecckeyblob.bin -aes >> run.out 2>&1
+        ./examples/keygen/keyload eccblob.bin -aes >> run.out 2>&1
         RESULT=$?
         [ $RESULT -ne 0 ] && echo -e "keyload ecc param enc failed! $RESULT" && exit 1
+
+        if [ $WOLFCRYPT_ECC -eq 1 ]; then
             ./examples/keygen/keyimport ecckeyblob.bin -ecc >> run.out 2>&1
             RESULT=$?
             [ $RESULT -ne 0 ] && echo -e "keyload ecc import failed! $RESULT" && exit 1
+
+            ./examples/keygen/keyload ecckeyblob.bin >> run.out 2>&1
+            RESULT=$?
+            [ $RESULT -ne 0 ] && echo -e "keyload ecc load failed! $RESULT" && exit 1
+            rm -f ecckeyblob.bin
+        fi
+    fi
 fi
-rm -f ecckeyblob.bin
+rm -f ececcblob.bin
 
 ./examples/keygen/keygen symkeyblob.bin -sym=aescfb128 >> run.out 2>&1
 RESULT=$?
@@ -173,12 +203,21 @@ fi
 # NV Tests
 echo -e "NV Tests"
 if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
+    ./examples/nvram/store -xor >> run.out 2>&1
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "nv store param enc xorfailed! $RESULT" && exit 1
+    ./examples/nvram/read -xor >> run.out 2>&1
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "nv read param enc xor failed! $RESULT" && exit 1
+
+    if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
         ./examples/nvram/store -aes >> run.out 2>&1
         RESULT=$?
-    [ $RESULT -ne 0 ] && echo -e "nv store param enc failed! $RESULT" && exit 1
+        [ $RESULT -ne 0 ] && echo -e "nv store param enc aes failed! $RESULT" && exit 1
         ./examples/nvram/read -aes >> run.out 2>&1
         RESULT=$?
-    [ $RESULT -ne 0 ] && echo -e "nv read param enc failed! $RESULT" && exit 1
+        [ $RESULT -ne 0 ] && echo -e "nv read param enc aes failed! $RESULT" && exit 1
+    fi
 fi
 ./examples/nvram/store -priv >> run.out 2>&1
 RESULT=$?
@@ -187,12 +226,21 @@ RESULT=$?
 RESULT=$?
 [ $RESULT -ne 0 ] && echo -e "nv read priv only failed! $RESULT" && exit 1
 if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
+    ./examples/nvram/store -priv -xor >> run.out 2>&1
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "nv store priv only param enc xor failed! $RESULT" && exit 1
+    ./examples/nvram/read -priv -xor >> run.out 2>&1
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "nv read priv only param enc xor failed! $RESULT" && exit 1
+
+    if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
         ./examples/nvram/store -priv -aes >> run.out 2>&1
         RESULT=$?
-    [ $RESULT -ne 0 ] && echo -e "nv store priv only param enc failed! $RESULT" && exit 1
+        [ $RESULT -ne 0 ] && echo -e "nv store priv only param enc aes failed! $RESULT" && exit 1
         ./examples/nvram/read -priv -aes >> run.out 2>&1
         RESULT=$?
-    [ $RESULT -ne 0 ] && echo -e "nv read priv only param enc failed! $RESULT" && exit 1
+        [ $RESULT -ne 0 ] && echo -e "nv read priv only param enc aes failed! $RESULT" && exit 1
+    fi
 fi
 ./examples/nvram/store -pub >> run.out 2>&1
 RESULT=$?
@@ -217,7 +265,7 @@ RESULT=$?
 RESULT=$?
 [ $RESULT -ne 0 ] && echo -e "keygen ecc test for csr failed! $RESULT" && exit 1
 
-if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
+if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
     ./examples/csr/csr -cert >> run.out 2>&1
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "cert self-signed failed! $RESULT" && exit 1
@@ -236,7 +284,7 @@ fi
 
 # PKCS7 Tests
 echo -e "PKCS7 tests"
-if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
+if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
     ./examples/pkcs7/pkcs7 >> run.out 2>&1
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "pkcs7 failed! $RESULT" && exit 1
@@ -256,11 +304,11 @@ generate_port() {
     echo -e "Using port $port" >> run.out 2>&1
 }
 
-run_tpm_tls_client() { # Usage: run_tpm_tls_client [ecc/rsa] [tpmargs]]
+run_tpm_tls_client() { # Usage: run_tpm_tls_client [ecc/rsa] [tpmargs] [tlsversion]
-    echo -e "TLS test (TPM as client) $1 $2"
+    echo -e "TLS test (TPM as client) $1 $2 $3"
     generate_port
     pushd $WOLFSSL_PATH >> run.out 2>&1
-    echo -e "./examples/server/server -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem"
+    echo -e "./examples/server/server -v $3 -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem"
     ./examples/server/server -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem &> $PWD/run.out &
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "tls server $1 $2 failed! $RESULT" && exit 1
@@ -273,8 +321,8 @@ run_tpm_tls_client() { # Usage: run_tpm_tls_client [ecc/rsa] [tpmargs]]
     [ $RESULT -ne 0 ] && echo -e "tpm tls client $1 $2 failed! $RESULT" && exit 1
 }
 
-run_tpm_tls_server() { # Usage: run_tpm_tls_server [ecc/rsa] [tpmargs]]
+run_tpm_tls_server() { # Usage: run_tpm_tls_server [ecc/rsa] [tpmargs] [tlsversion]
-    echo -e "TLS test (TPM as server) $1 $2"
+    echo -e "TLS test (TPM as server) $1 $2 $3"
     generate_port
 
     echo -e "./examples/tls/tls_server -p=$port -$1 $2"
@@ -284,35 +332,61 @@ run_tpm_tls_server() { # Usage: run_tpm_tls_server [ecc/rsa] [tpmargs]]
     pushd $WOLFSSL_PATH >> run.out 2>&1
     sleep 0.1
 
-    echo -e "./examples/client/client -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem"
+    echo -e "./examples/client/client -v $3 -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem"
     ./examples/client/client -p $port -w -g -A ./certs/tpm-ca-$1-cert.pem &> $PWD/run.out
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "tls client $1 $2 failed! $RESULT" && exit 1
     popd >> run.out 2>&1
 }
 
-if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
+if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
-    # Run with Crypto CB
+    if [ $WOLFCRYPT_RSA -eq 1 ]; then
-    run_tpm_tls_client "rsa" ""
+        # TLS client/server RSA TLS v1.2 and v1.2 Crypto callbacks
-    run_tpm_tls_client "rsa" "-aes"
+        run_tpm_tls_client "rsa" "" "3"
-    run_tpm_tls_client "ecc" ""
+        run_tpm_tls_client "rsa" "-aes" "3"
-    run_tpm_tls_client "ecc" "-aes"
+        run_tpm_tls_client "rsa" "" "4"
+        run_tpm_tls_client "rsa" "-aes" "4"
 
-    run_tpm_tls_server "rsa" ""
+        run_tpm_tls_server "rsa" "" "3"
-    run_tpm_tls_server "rsa" "-aes"
+        run_tpm_tls_server "rsa" "-aes" "3"
-    run_tpm_tls_server "ecc" ""
+        run_tpm_tls_server "rsa" "" "4"
-    run_tpm_tls_server "ecc" "-aes"
+        run_tpm_tls_server "rsa" "-aes" "4"
 
-    # Run with PK
+        # TLS client/server ECC TLS v1.2 and v1.2 PK callbacks
-    run_tpm_tls_client "rsa" "-pk"
+        run_tpm_tls_client "rsa" "-pk" "3"
-    run_tpm_tls_client "rsa" "-pk -aes"
+        run_tpm_tls_client "rsa" "-pk -aes" "3"
-    run_tpm_tls_client "ecc" "-pk"
+        run_tpm_tls_client "rsa" "-pk" "4"
-    run_tpm_tls_client "ecc" "-pk -aes"
+        run_tpm_tls_client "rsa" "-pk -aes" "4"
 
-    run_tpm_tls_server "rsa" "-pk "
+        run_tpm_tls_server "rsa" "-pk " "3"
-    run_tpm_tls_server "rsa" "-pk -aes"
+        run_tpm_tls_server "rsa" "-pk -aes" "3"
-    run_tpm_tls_server "ecc" "-pk"
+        run_tpm_tls_server "rsa" "-pk " "4"
-    run_tpm_tls_server "ecc" "-pk -aes"
+        run_tpm_tls_server "rsa" "-pk -aes" "4"
+
+    fi
+    if [ $WOLFCRYPT_ECC -eq 1 ]; then
+        # TLS client/server ECC TLS v1.2 and v1.2 Crypto callbacks
+        run_tpm_tls_client "ecc" "" "3"
+        run_tpm_tls_client "ecc" "-aes" "3"
+        run_tpm_tls_client "ecc" "" "4"
+        run_tpm_tls_client "ecc" "-aes" "4"
+
+        run_tpm_tls_server "ecc" "" "3"
+        run_tpm_tls_server "ecc" "-aes" "3"
+        run_tpm_tls_server "ecc" "" "4"
+        run_tpm_tls_server "ecc" "-aes" "4"
+
+        # TLS client/server ECC TLS v1.2 and v1.2 PK callbacks
+        run_tpm_tls_client "ecc" "-pk" "3"
+        run_tpm_tls_client "ecc" "-pk -aes" "3"
+        run_tpm_tls_client "ecc" "-pk" "4"
+        run_tpm_tls_client "ecc" "-pk -aes" "4"
+
+        run_tpm_tls_server "ecc" "-pk" "3"
+        run_tpm_tls_server "ecc" "-pk -aes" "3"
+        run_tpm_tls_server "ecc" "-pk" "4"
+        run_tpm_tls_server "ecc" "-pk -aes" "4"
+    fi
 fi
 
 
@@ -382,17 +456,29 @@ RESULT=$?
 RESULT=$?
 [ $RESULT -ne 0 ] && echo -e "pcr quote failed! $RESULT" && exit 1
 if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
+    ./examples/pcr/quote 16 zip.quote -xor >> run.out 2>&1
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "pcr quote param enc xor failed! $RESULT" && exit 1
+
+    if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
         ./examples/pcr/quote 16 zip.quote -aes >> run.out 2>&1
         RESULT=$?
-    [ $RESULT -ne 0 ] && echo -e "pcr quote param enc failed! $RESULT" && exit 1
+        [ $RESULT -ne 0 ] && echo -e "pcr quote param enc aes failed! $RESULT" && exit 1
+    fi
 fi
 ./examples/pcr/quote 16 zip.quote -ecc >> run.out 2>&1
 RESULT=$?
 [ $RESULT -ne 0 ] && echo -e "pcr quote ecc failed! $RESULT" && exit 1
 if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
+    ./examples/pcr/quote 16 zip.quote -ecc -xor >> run.out 2>&1
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "pcr quote ecc param enc xor failed! $RESULT" && exit 1
+
+    if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
         ./examples/pcr/quote 16 zip.quote -ecc -aes >> run.out 2>&1
         RESULT=$?
-    [ $RESULT -ne 0 ] && echo -e "pcr quote ecc param enc failed! $RESULT" && exit 1
+        [ $RESULT -ne 0 ] && echo -e "pcr quote ecc param enc aes failed! $RESULT" && exit 1
+    fi
 fi
 rm -f zip.quote
 
@@ -403,14 +489,20 @@ echo -e "Benchmark tests"
 RESULT=$?
 [ $RESULT -ne 0 ] && echo -e "bench failed! $RESULT" && exit 1
 if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
+    ./examples/bench/bench -maxdur=25 -xor >> run.out 2>&1
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "bench (XOR param enc) failed! $RESULT" && exit 1
+
+    if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
         ./examples/bench/bench -maxdur=25 -aes >> run.out 2>&1
         RESULT=$?
         [ $RESULT -ne 0 ] && echo -e "bench (AES param enc) failed! $RESULT" && exit 1
+    fi
 fi
 
 # Secure Boot ROT
 echo -e "Secure Boot ROT (Root of Trust) test"
-if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
+if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
     ./examples/boot/secure_rot -nvindex=0x1400200 -authstr=test -write=./certs/example-ecc256-key-pub.der >> run.out 2>&1
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "secure rot write ecc256! $RESULT" && exit 1
@@ -455,19 +547,28 @@ RESULT=$?
 [ $RESULT -ne 0 ] && echo -e "unseal failed! $RESULT" && exit 1
 rm -f sealedkeyblob.bin
 
-if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
+if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_RSA -eq 1 ]; then
+    ./examples/seal/seal sealedkeyblob.bin mySecretMessage -xor >> run.out 2>&1
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "seal xor failed! $RESULT" && exit 1
+    ./examples/seal/unseal message.raw sealedkeyblob.bin -xor >> run.out 2>&1
+    RESULT=$?
+    [ $RESULT -ne 0 ] && echo -e "unseal xor failed! $RESULT" && exit 1
+
+    if [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
         ./examples/seal/seal sealedkeyblob.bin mySecretMessage -aes >> run.out 2>&1
         RESULT=$?
         [ $RESULT -ne 0 ] && echo -e "seal aes failed! $RESULT" && exit 1
         ./examples/seal/unseal message.raw sealedkeyblob.bin -aes >> run.out 2>&1
         RESULT=$?
         [ $RESULT -ne 0 ] && echo -e "unseal aes failed! $RESULT" && exit 1
+    fi
     rm -f sealedkeyblob.bin
 fi
 
 # Seal/Unseal (Policy auth)
 echo -e "Seal/Unseal (Policy auth)"
-if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
+if [ $WOLFCRYPT_ENABLE -eq 1 ] && [ $WOLFCRYPT_DEFAULT -eq 0 ]; then
     # Extend "aaa" to test PCR 16
     echo aaa > aaa.bin
     ./examples/pcr/reset 16 >> run.out 2>&1
@@ -477,6 +578,7 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
     RESULT=$?
     [ $RESULT -ne 0 ] && echo -e "pcr 16 extend failed! $RESULT" && exit 1
 
+    if [ $WOLFCRYPT_RSA -eq 1 ]; then
         # RSA
         ./examples/pcr/policy_sign -pcr=16 -rsa -key=./certs/example-rsa2048-key.der -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out 2>&1
         RESULT=$?
@@ -532,8 +634,9 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
         rm -f tmp-rsa2048-key.pem
         rm -f tmp-rsa2048-key-pub.der
         rm -f pcrsig_fail.bin
+    fi
 
-
+    if [ $WOLFCRYPT_ECC -eq 1 ]; then
         # ECC
         ./examples/pcr/policy_sign -pcr=16 -ecc -key=./certs/example-ecc256-key.der -out=pcrsig.bin -outpolicy=policyauth.bin >> run.out 2>&1
         RESULT=$?
@@ -592,6 +695,7 @@ if [ $WOLFCRYPT_ENABLE -eq 1 ]; then
         rm -f tmp-ecc256-key.pem
         rm -f tmp-ecc256-key-pub.der
         rm -f pcrsig_fail.bin
+    fi
 
     rm -f pcrsig.bin
     rm -f policyauth.bin

examples/timestamp/signed_timestamp.c

@@ -46,7 +46,7 @@
 static void usage(void)
 {
     printf("Expected usage:\n");
-    printf("./examples/timestamp/signed_timestamp [-ecc] [-aes/xor]\n");
+    printf("./examples/timestamp/signed_timestamp [-ecc/-rsa] [-aes/xor]\n");
     printf("* -ecc: Use RSA or ECC for SRK/AIK\n");
     printf("* -aes/xor: Use Parameter Encryption\n");
 }
@@ -93,6 +93,9 @@ int TPM2_Timestamp_TestArgs(void* userCtx, int argc, char *argv[])
         if (XSTRCMP(argv[argc-1], "-ecc") == 0) {
             alg = TPM_ALG_ECC;
         }
+        else if (XSTRCMP(argv[argc-1], "-rsa") == 0) {
+            alg = TPM_ALG_RSA;
+        }
         else if (XSTRCMP(argv[argc-1], "-aes") == 0) {
             paramEncAlg = TPM_ALG_CFB;
         }

examples/tls/tls_client.c

@@ -86,8 +86,9 @@
 static void usage(void)
 {
     printf("Expected usage:\n");
-    printf("./examples/tls/tls_client [-ecc] [-aes/xor]\n");
+    printf("./examples/tls/tls_client [-ecc/rsa] [-aes/xor]\n");
-    printf("* -ecc: Use RSA or ECC key\n");
+    printf("* -ecc: Use ECC key/cert\n");
+    printf("* -rsa: Use RSA key/cert\n");
     printf("* -aes/xor: Use Parameter Encryption\n");
     printf("* -p=port: Supply a custom port number (default %d)\n", TLS_PORT);
 #if defined(WOLFTPM_CRYPTOCB) && defined(HAVE_PK_CALLBACKS)
@@ -195,6 +196,19 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
     printf("\tUsing Port: %d\n", port);
     printf("\tUsing %s callbacks\n", usePK ? "PK" : "Crypto");
 
+#ifndef HAVE_ECC
+    if (useECC) {
+        printf("ECC not compiled in!\n");
+        return 0; /* don't report error */
+    }
+#endif
+#ifdef NO_RSA
+    if (!useECC) {
+        printf("RSA not compiled in!\n");
+        return 0; /* don't report error */
+    }
+#endif
+
     /* Init the TPM2 device */
     rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
     if (rc != 0) {
@@ -394,7 +408,16 @@ int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
         /* Export TPM public key as DER */
         byte   der[1024];
         word32 derSz = (word32)sizeof(der);
-        rc = wolfTPM2_ExportPublicKeyBuffer(&dev, !useECC ? &rsaKey : &eccKey,
+    #if defined(HAVE_ECC) && !defined(NO_RSA)
+        void* pkey = !useECC ? &rsaKey : &eccKey;
+    #elif !defined(NO_RSA)
+        void* pkey = &rsaKey;
+    #elif defined(HAVE_ECC)
+        void* pkey = &eccKey;
+    #else
+        void* pkey = NULL;
+    #endif
+        rc = wolfTPM2_ExportPublicKeyBuffer(&dev, pkey,
             ENCODING_TYPE_ASN1, der, &derSz);
         if (rc < 0) {
             printf("Failed to export RSA public key!\n");

examples/tls/tls_common.h

@@ -386,6 +386,41 @@ static inline int myVerify(int preverify, WOLFSSL_X509_STORE_CTX* store)
     return 1;
 }
 
+#ifndef NO_DH
+/* dh2048 p */
+static const unsigned char test_dh_p[] =
+{
+    0xD3, 0xB2, 0x99, 0x84, 0x5C, 0x0A, 0x4C, 0xE7, 0x37, 0xCC, 0xFC, 0x18,
+    0x37, 0x01, 0x2F, 0x5D, 0xC1, 0x4C, 0xF4, 0x5C, 0xC9, 0x82, 0x8D, 0xB7,
+    0xF3, 0xD4, 0xA9, 0x8A, 0x9D, 0x34, 0xD7, 0x76, 0x57, 0xE5, 0xE5, 0xC3,
+    0xE5, 0x16, 0x85, 0xCA, 0x4D, 0xD6, 0x5B, 0xC1, 0xF8, 0xCF, 0x89, 0x26,
+    0xD0, 0x38, 0x8A, 0xEE, 0xF3, 0xCD, 0x33, 0xE5, 0x56, 0xBB, 0x90, 0x83,
+    0x9F, 0x97, 0x8E, 0x71, 0xFB, 0x27, 0xE4, 0x35, 0x15, 0x45, 0x86, 0x09,
+    0x71, 0xA8, 0x9A, 0xB9, 0x3E, 0x0F, 0x51, 0x8A, 0xC2, 0x75, 0x51, 0x23,
+    0x12, 0xFB, 0x94, 0x31, 0x44, 0xBF, 0xCE, 0xF6, 0xED, 0xA6, 0x3A, 0xB7,
+    0x92, 0xCE, 0x16, 0xA9, 0x14, 0xB3, 0x88, 0xB7, 0x13, 0x81, 0x71, 0x83,
+    0x88, 0xCD, 0xB1, 0xA2, 0x37, 0xE1, 0x59, 0x5C, 0xD0, 0xDC, 0xCA, 0x82,
+    0x87, 0xFA, 0x43, 0x44, 0xDD, 0x78, 0x3F, 0xCA, 0x27, 0x7E, 0xE1, 0x6B,
+    0x93, 0x19, 0x7C, 0xD9, 0xA6, 0x96, 0x47, 0x0D, 0x12, 0xC1, 0x13, 0xD7,
+    0xB9, 0x0A, 0x40, 0xD9, 0x1F, 0xFF, 0xB8, 0xB4, 0x00, 0xC8, 0xAA, 0x5E,
+    0xD2, 0x66, 0x4A, 0x05, 0x8E, 0x9E, 0xF5, 0x34, 0xE7, 0xD7, 0x09, 0x7B,
+    0x15, 0x49, 0x1D, 0x76, 0x31, 0xD6, 0x71, 0xEC, 0x13, 0x4E, 0x89, 0x8C,
+    0x09, 0x22, 0xD8, 0xE7, 0xA3, 0xE9, 0x7D, 0x21, 0x51, 0x26, 0x6E, 0x9F,
+    0x30, 0x8A, 0xBB, 0xBC, 0x74, 0xC1, 0xC3, 0x27, 0x6A, 0xCE, 0xA3, 0x12,
+    0x60, 0x68, 0x01, 0xD2, 0x34, 0x07, 0x80, 0xCC, 0x2D, 0x7F, 0x5C, 0xAE,
+    0xA2, 0x97, 0x40, 0xC8, 0x3C, 0xAC, 0xDB, 0x6F, 0xFE, 0x6C, 0x6D, 0xD2,
+    0x06, 0x1C, 0x43, 0xA2, 0xB2, 0x2B, 0x82, 0xB7, 0xD0, 0xAB, 0x3F, 0x2C,
+    0xE7, 0x9C, 0x19, 0x16, 0xD1, 0x5E, 0x26, 0x86, 0xC7, 0x92, 0xF9, 0x16,
+    0x0B, 0xFA, 0x66, 0x83
+};
+
+/* dh2048 g */
+static const unsigned char test_dh_g[] =
+{
+    0x02,
+};
+#endif /* !NO_DH */
+
 /******************************************************************************/
 /* --- END Supporting TLS functions --- */
 /******************************************************************************/

examples/tls/tls_server.c

@@ -83,8 +83,9 @@ static int mStop = 0;
 static void usage(void)
 {
     printf("Expected usage:\n");
-    printf("./examples/tls/tls_server [-ecc] [-aes/xor]\n");
+    printf("./examples/tls/tls_server [-ecc/rsa] [-aes/xor]\n");
-    printf("* -ecc: Use RSA or ECC key\n");
+    printf("* -ecc: Use ECC key/cert\n");
+    printf("* -rsa: Use RSA key/cert\n");
     printf("* -aes/xor: Use Parameter Encryption\n");
     printf("* -p=port: Supply a custom port number (default %d)\n", TLS_PORT);
 #if defined(WOLFTPM_CRYPTOCB) && defined(HAVE_PK_CALLBACKS)
@@ -212,6 +213,19 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
     printf("\tUsing Port: %d\n", port);
     printf("\tUsing %s callbacks\n", usePK ? "PK" : "Crypto");
 
+#ifndef HAVE_ECC
+    if (useECC) {
+        printf("ECC not compiled in!\n");
+        return 0; /* don't report error */
+    }
+#endif
+#ifdef NO_RSA
+    if (!useECC) {
+        printf("RSA not compiled in!\n");
+        return 0; /* don't report error */
+    }
+#endif
+
     /* Init the TPM2 device */
     rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
     if (rc != 0) {
@@ -390,7 +404,16 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
         /* Export TPM public key as DER */
         byte   der[1024];
         word32 derSz = (word32)sizeof(der);
-        rc = wolfTPM2_ExportPublicKeyBuffer(&dev, !useECC ? &rsaKey : &eccKey,
+    #if defined(HAVE_ECC) && !defined(NO_RSA)
+        void* pkey = !useECC ? &rsaKey : &eccKey;
+    #elif !defined(NO_RSA)
+        void* pkey = &rsaKey;
+    #elif defined(HAVE_ECC)
+        void* pkey = &eccKey;
+    #else
+        void* pkey = NULL;
+    #endif
+        rc = wolfTPM2_ExportPublicKeyBuffer(&dev, pkey,
             ENCODING_TYPE_ASN1, der, &derSz);
         if (rc < 0) {
             printf("Failed to export TPM public key!\n");
@@ -458,6 +481,14 @@ int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
     }
 #endif
 
+#if !defined(NO_DH) && !defined(HAVE_ECC)
+    /* setup DHE option */
+    wolfSSL_CTX_SetTmpDH(ctx, test_dh_p, sizeof(test_dh_p), test_dh_g,
+        sizeof(test_dh_g));
+#endif
+
+    printf("Waiting for client on port %d\n", port);
+
     /* Setup socket and connection */
     rc = SetupSocketAndListen(&sockIoCtx, port);
     if (rc != 0) goto exit;

examples/tpm_test.h

@@ -44,7 +44,7 @@
 #define TPM2_DEMO_NV_TEST_INDEX         0x01800200
 #define TPM2_DEMO_NV_TEST_AUTH_INDEX    0x01800201
 #define TPM2_DEMO_NVRAM_STORE_INDEX     0x01800202
-#define TPM2_DEMO_NV_TEST_SIZE          1024 /* max size on Infineon SLB9670 is 1664 */
+#define TPM2_DEMO_NV_TEST_SIZE          MAX_DIGEST_BUFFER /* max size on Infineon SLB9670 is 1664 */
 #define TPM2_DEMO_NV_COUNTER_INDEX      0x01800300
 
 #define TPM2_DEMO_NV_SECURE_ROT_INDEX   0x01400200

examples/tpm_test_keys.c

@@ -422,7 +422,7 @@ int getECCkey(WOLFTPM2_DEV* pDev, WOLFTPM2_KEY* pStorageKey, WOLFTPM2_KEY* key,
     if (rc != 0) {
         return rc;
     }
-#if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(HAVE_ECC)
+#if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(HAVE_ECC) && !defined(NO_ASN)
     if (pWolfEccKey) {
         /* setup wolf ECC key with TPM deviceID, so crypto callbacks are used */
         rc = wc_ecc_init_ex((ecc_key*)pWolfEccKey, NULL, tpmDevId);

examples/wrap/wrap_test.c

@@ -116,7 +116,7 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
 
 #ifndef WOLFTPM2_NO_WOLFCRYPT
     int tpmDevId = INVALID_DEVID;
-#if defined(HAVE_ECC) || (!defined(NO_RSA) && !defined(NO_ASN))
+#if (defined(HAVE_ECC) || !defined(NO_RSA)) && !defined(NO_ASN)
     word32 idx;
 #endif
 #ifndef NO_RSA
@@ -267,7 +267,11 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
 
     /* Start an authenticated session (salted / unbound) with parameter encryption */
     if (paramEncAlg != TPM_ALG_NULL) {
-        rc = wolfTPM2_StartSession(&dev, &tpmSession, &storageKey, NULL,
+        void* bindKey = &storageKey;
+    #ifdef NO_RSA
+        bindKey = NULL; /* cannot bind to key without RSA enabled */
+    #endif
+        rc = wolfTPM2_StartSession(&dev, &tpmSession, bindKey, NULL,
             TPM_SE_HMAC, paramEncAlg);
         if (rc != 0) goto exit;
         printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
@@ -434,7 +438,7 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
 #else
     rc = wolfTPM2_UnloadHandle(&dev, &rsaKey.handle);
     if (rc != 0) goto exit;
-#endif /* !WOLFTPM2_NO_WOLFCRYPT && !NO_RSA */
+#endif /* !WOLFTPM2_NO_WOLFCRYPT && !NO_RSA && !NO_ASN */
 
     /* Load raw RSA public key into TPM */
     rc = wolfTPM2_LoadRsaPublicKey(&dev, &publicKey,
@@ -459,24 +463,38 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
     if (rc != 0) goto exit;
     rc = wolfTPM2_RsaKey_WolfToTpm_ex(&dev, &storageKey, &wolfRsaPrivKey,
         &rsaKey);
-    if (rc != 0) goto exit;
-    /* Use TPM Handle... */
     wc_FreeRsaKey(&wolfRsaPrivKey);
+    if (rc != 0 && rc != NOT_COMPILED_IN) {
+        /* NOT_COMPILED_IN here likely means that AES-CFB is not enabled for
+         * encrypting secrets */
+        goto exit;
+    }
+    printf("RSA Private Key Loaded into TPM: Handle 0x%x\n",
+        (word32)rsaKey.handle.hndl);
+
+    /* Use TPM Handle... */
+
     rc = wolfTPM2_UnloadHandle(&dev, &rsaKey.handle);
     if (rc != 0) goto exit;
+#endif /* !WOLFTPM2_NO_WOLFCRYPT && !NO_RSA && !NO_ASN */
 
     /* Load raw RSA private key into TPM */
     rc = wolfTPM2_LoadRsaPrivateKey(&dev, &storageKey, &rsaKey,
         kRsaKeyPubModulus, (word32)sizeof(kRsaKeyPubModulus),
         kRsaKeyPubExponent,
         kRsaKeyPrivQ,      (word32)sizeof(kRsaKeyPrivQ));
-    if (rc != 0) goto exit;
+    if (rc != 0 && rc != NOT_COMPILED_IN) {
-    /* Use TPM Handle... */
+        /* NOT_COMPILED_IN here likely means that AES-CFB is not enabled for
-    printf("RSA Private Key Loaded into TPM: Handle 0x%x\n",
+         * encrypting secrets */
+        goto exit;
+    }
+    printf("RSA Private Key RAW Loaded into TPM: Handle 0x%x\n",
         (word32)rsaKey.handle.hndl);
+
+    /* Use TPM Handle... */
+
     rc = wolfTPM2_UnloadHandle(&dev, &rsaKey.handle);
     if (rc != 0) goto exit;
-#endif /* !WOLFTPM2_NO_WOLFCRYPT && !NO_RSA */
 
     /* Close TPM session based on RSA storage key */
     wolfTPM2_UnloadHandle(&dev, &tpmSession.handle);
@@ -529,7 +547,11 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
 
     /* Start an authenticated session (salted / unbound) with parameter encryption */
     if (paramEncAlg != TPM_ALG_NULL) {
-        rc = wolfTPM2_StartSession(&dev, &tpmSession, &storageKey, NULL,
+        void* bindKey = &storageKey;
+    #ifndef HAVE_ECC
+        bindKey = NULL; /* cannot bind to key without ECC enabled */
+    #endif
+        rc = wolfTPM2_StartSession(&dev, &tpmSession, bindKey, NULL,
             TPM_SE_HMAC, paramEncAlg);
         if (rc != 0) goto exit;
         printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
@@ -620,7 +642,7 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
     /*------------------------------------------------------------------------*/
     /* ECC KEY LOADING TESTS */
     /*------------------------------------------------------------------------*/
-#if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(HAVE_ECC)
+#if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(HAVE_ECC) && !defined(NO_ASN)
     /* Extract an ECC public key from TPM */
     /* Setup wolf ECC key with TPM deviceID, so crypto callbacks
        can be used for private operations */
@@ -636,7 +658,6 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
     rc = wolfTPM2_UnloadHandle(&dev, &eccKey.handle);
     if (rc != 0) goto exit;
 
-
     /* Load ECC DER public key into TPM */
     rc = wc_ecc_init(&wolfEccPubKey);
     if (rc != 0) goto exit;
@@ -653,7 +674,7 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
 #else
     rc = wolfTPM2_UnloadHandle(&dev, &eccKey.handle);
     if (rc != 0) goto exit;
-#endif /* !WOLFTPM2_NO_WOLFCRYPT && HAVE_ECC */
+#endif /* !WOLFTPM2_NO_WOLFCRYPT && HAVE_ECC && !NO_ASN */
 
     /* Load raw ECC public key into TPM */
     rc = wolfTPM2_LoadEccPublicKey(&dev, &publicKey, TPM_ECC_NIST_P256,
@@ -666,7 +687,7 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
     rc = wolfTPM2_UnloadHandle(&dev, &publicKey.handle);
     if (rc != 0) goto exit;
 
-#if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(HAVE_ECC)
+#if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(HAVE_ECC) && !defined(NO_ASN)
     /* Load ECC DER Private Key into TPM */
     rc = wc_ecc_init(&wolfEccPrivKey);
     if (rc != 0) goto exit;
@@ -676,15 +697,21 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
     if (rc != 0) goto exit;
     rc = wolfTPM2_EccKey_WolfToTpm_ex(&dev, &storageKey, &wolfEccPrivKey,
         &eccKey);
+    wc_ecc_free(&wolfEccPrivKey);
     if (rc != 0 && rc != NOT_COMPILED_IN) {
-        /* a NOT_COMPILED_IN here likely means the WOLFSSL_PUBLIC_MP is enabled
+        /* NOT_COMPILED_IN here likely means the WOLFSSL_PUBLIC_MP is enabled
-         * exposing the mp_ math API's needed for encrypting secrets */
+         * exposing the mp_ math API's or AES CFB is not enabled.
+         * Both are needed for encrypting secrets */
         goto exit;
     }
+    printf("ECC Private Key Loaded into TPM: Handle 0x%x\n",
+        (word32)eccKey.handle.hndl);
+
     /* Use TPM Handle... */
-    wc_ecc_free(&wolfEccPrivKey);
+
     rc = wolfTPM2_UnloadHandle(&dev, &eccKey.handle);
     if (rc != 0) goto exit;
+#endif /* !WOLFTPM2_NO_WOLFCRYPT && HAVE_ECC && !NO_ASN */
 
     /* Load raw ECC private key into TPM */
     rc = wolfTPM2_LoadEccPrivateKey(&dev, &storageKey, &eccKey, TPM_ECC_NIST_P256,
@@ -692,16 +719,18 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
         kEccKeyPubYRaw, (word32)sizeof(kEccKeyPubYRaw),
         kEccKeyPrivD,   (word32)sizeof(kEccKeyPrivD));
     if (rc != 0 && rc != NOT_COMPILED_IN) {
-        /* a NOT_COMPILED_IN here likely means the WOLFSSL_PUBLIC_MP is enabled
+        /* NOT_COMPILED_IN here likely means the WOLFSSL_PUBLIC_MP is enabled
-         * exposing the mp_ math API's needed for encrypting secrets */
+         * exposing the mp_ math API's or AES CFB is not enabled.
+         * Both are needed for encrypting secrets */
         goto exit;
     }
-    /* Use TPM Handle... */
+    printf("ECC Private Key RAW Loaded into TPM: Handle 0x%x\n",
-    printf("ECC Private Key Loaded into TPM: Handle 0x%x\n",
         (word32)eccKey.handle.hndl);
+
+    /* Use TPM Handle... */
+
     rc = wolfTPM2_UnloadHandle(&dev, &eccKey.handle);
     if (rc != 0) goto exit;
-#endif /* !WOLFTPM2_NO_WOLFCRYPT && HAVE_ECC */
 
 #if 0 /* disabled until ECC Encrypted salt is added */
     /* Close TPM session based on ECC storage key */
@@ -981,7 +1010,6 @@ int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
     if (rc != 0) goto exit;
 #endif
 
-
 exit:
 
     if (rc != 0) {
@@ -999,6 +1027,10 @@ exit:
 
     wolfTPM2_Cleanup(&dev);
 
+#ifndef WOLFTPM2_NO_WOLFCRYPT
+    (void)tpmDevId;
+#endif
+
     return rc;
 }
 

src/tpm2_cryptocb.c

@@ -27,9 +27,8 @@
 
 #if !defined(WOLFTPM2_NO_WRAPPER)
 
-#if defined(WOLFTPM_CRYPTOCB) || \
+#if defined(HAVE_ECC) && (defined(WOLFTPM_CRYPTOCB) || \
-   (defined(HAVE_PK_CALLBACKS) && !defined(WOLFCRYPT_ONLY))
+   (defined(HAVE_PK_CALLBACKS) && !defined(WOLFCRYPT_ONLY)))
-
 /* Helper to trim leading zeros when not required  */
 static byte* wolfTPM2_ASNTrimZeros(byte* in, word32* len)
 {
@@ -41,7 +40,7 @@ static byte* wolfTPM2_ASNTrimZeros(byte* in, word32* len)
     *len -= idx;
     return in;
 }
-#endif /* WOLFTPM_CRYPTOCB || HAVE_PK_CALLBACKS */
+#endif
 
 #ifdef WOLFTPM_CRYPTOCB
 

src/tpm2_linux.c

@@ -28,7 +28,6 @@
 #ifdef WOLFTPM_LINUX_DEV
 #include <wolftpm/tpm2_linux.h>
 #include <wolftpm/tpm2_packet.h>
-#include <wolftpm/tpm2_wrap.h> /* Needed only for WOLFTPM2_MAX_BUFFER */
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <fcntl.h>
@@ -48,11 +47,7 @@
  * partial reads. The only way to receive a complete response is to read
  * the maximum allowed TPM response from the kernel, which is 4K. And most
  * of the ARM systems use older kernels, such as the RPI that uses v4.12
- *
+ */
- * The caller knows what the expected outcome of the operation is. Therefore,
- * the response size is limited only by the WOLFTPM2_MAX_BUFFER used to limit
- * the WOLFTPM2_BUFFER in wolfTPM wrappers */
-
 
 /* Talk to a TPM device exposed by the Linux tpm_tis driver */
 int TPM2_LINUX_SendCommand(TPM2_CTX* ctx, TPM2_Packet* packet)

src/tpm2_wrap.c

@@ -970,8 +970,10 @@ int wolfTPM2_SetAuthHandle(WOLFTPM2_DEV* dev, int index,
         #ifdef WOLFTPM_DEBUG_VERBOSE
             printf("Session %d: Edit (PolicyAuth)\n", index);
             printf("\tHandle 0x%x (not touching)\n", session->sessionHandle);
-            printf("\tPolicyAuth %d->%d\n", session->policyAuth, handle->policyAuth);
+            printf("\tPolicyAuth %d->%d\n",
-            printf("\tAuth Sz %d -> %d\n", session->auth.size, authDigestSz + handle->auth.size);
+                session->policyAuth, handle->policyAuth);
+            printf("\tAuth Sz %d -> %d\n", session->auth.size,
+                authDigestSz + handle->auth.size);
             TPM2_PrintBin(session->auth.buffer, session->auth.size);
             TPM2_PrintBin(handle->auth.buffer, handle->auth.size);
             printf("\tName Sz %d -> %d\n", session->name.size, handle->name.size);
@@ -979,8 +981,13 @@ int wolfTPM2_SetAuthHandle(WOLFTPM2_DEV* dev, int index,
             TPM2_PrintBin(handle->name.name, handle->name.size);
         #endif
             session->policyAuth = handle->policyAuth;
+            if ((word32)handle->auth.size + authDigestSz >
+                    sizeof(session->auth.buffer)) {
+                return BUFFER_E;
+            }
             session->auth.size = authDigestSz + handle->auth.size;
-            XMEMCPY(&session->auth.buffer[authDigestSz], handle->auth.buffer, handle->auth.size);
+            XMEMCPY(&session->auth.buffer[authDigestSz], handle->auth.buffer,
+                handle->auth.size);
             session->name.size = handle->name.size;
             XMEMCPY(session->name.name, handle->name.name, handle->name.size);
             return TPM_RC_SUCCESS;
@@ -2085,20 +2092,21 @@ static int SensitiveToPrivate(TPM2B_SENSITIVE* sens, TPM2B_PRIVATE* priv,
     TPMT_SYM_DEF_OBJECT* sym, TPM2B_DATA* symSeed, int useIv)
 {
     int rc = 0;
-#if !defined(WOLFTPM2_NO_WOLFCRYPT) && \
+#ifndef WOLFTPM2_NO_WOLFCRYPT
-    !defined(NO_AES) && defined(WOLFSSL_AES_CFB) && !defined(NO_HMAC)
     int outerWrap = 0, innerWrap = 0;
     int digestSz = 0;
     int integritySz = 0;
     int ivSz = 0;
     int sensSz = 0;
     BYTE* sensitiveData = NULL;
+    TPM2B_SYM_KEY symKey;
     TPM2B_IV ivField;
     TPM2_Packet packet;
-    TPM2B_SYM_KEY symKey;
+#ifdef WOLFTPM2_PRIVATE_IMPORT
     TPM2B_DIGEST hmacKey;
     Aes enc;
     Hmac hmac_ctx;
+#endif
 
     if (sens == NULL || priv == NULL) {
         return BAD_FUNC_ARG;
@@ -2160,6 +2168,7 @@ static int SensitiveToPrivate(TPM2B_SENSITIVE* sens, TPM2B_PRIVATE* priv,
     }
 
     if (outerWrap) {
+    #ifdef WOLFTPM2_PRIVATE_IMPORT
         /* Generate symmetric key for encryption of inner values */
         symKey.size = (symKey.size + 7) / 8; /* convert to byte and round up */
         rc = TPM2_KDFa(nameAlg, symSeed, "STORAGE", (TPM2B_NONCE*)name,
@@ -2230,10 +2239,15 @@ static int SensitiveToPrivate(TPM2B_SENSITIVE* sens, TPM2B_PRIVATE* priv,
         /* store the size of the integrity */
         digestSz = TPM2_Packet_SwapU16(digestSz);
         XMEMCPY(&priv->buffer[0], &digestSz, sizeof(word16));
+    #else
+        (void)sensitiveData;
+        (void)name;
+        (void)symKey;
+        rc = NOT_COMPILED_IN;
+    #endif
     }
 
 #else
-    rc = NOT_COMPILED_IN;
     (void)sens;
     (void)priv;
     (void)nameAlg;
@@ -2242,6 +2256,7 @@ static int SensitiveToPrivate(TPM2B_SENSITIVE* sens, TPM2B_PRIVATE* priv,
     (void)sym;
     (void)symSeed;
     (void)useIv;
+    rc = NOT_COMPILED_IN;
 #endif
     return rc;
 }
@@ -2727,7 +2742,6 @@ int wolfTPM2_ReadPublicKey(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* key,
 }
 
 #ifndef WOLFTPM2_NO_WOLFCRYPT
-
 #ifndef NO_ASN
 #ifndef NO_RSA
 int wolfTPM2_DecodeRsaDer(const byte* der, word32 derSz,
@@ -2825,7 +2839,7 @@ int wolfTPM2_DecodeRsaDer(const byte* der, word32 derSz,
 
     return rc;
 }
-#endif
+#endif /* !NO_RSA */
 #ifdef HAVE_ECC
 int wolfTPM2_DecodeEccDer(const byte* der, word32 derSz, TPM2B_PUBLIC* pub,
     TPM2B_SENSITIVE* sens, TPMA_OBJECT attributes)
@@ -2967,6 +2981,7 @@ int wolfTPM2_ExportPublicKeyBuffer(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
             }
         }
     #else
+        (void)out;
         rc = NOT_COMPILED_IN;
     #endif
     }
@@ -3006,16 +3021,15 @@ int wolfTPM2_ExportPublicKeyBuffer(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
     /* Optionally convert to PEM */
     if (rc == 0 && encodingType == ENCODING_TYPE_PEM) {
     #ifdef WOLFSSL_DER_TO_PEM
-        WOLFTPM2_BUFFER tmp;
+        byte tmp[MAX_CONTEXT_SIZE];
-        if (derSz > (word32)sizeof(tmp.buffer)) {
+        if (derSz > (word32)sizeof(tmp)) {
             rc = BUFFER_E;
         }
         else {
             /* move DER to temp variable */
-            tmp.size = derSz;
+            XMEMCPY(tmp, out, derSz);
-            XMEMCPY(tmp.buffer, out, derSz);
             XMEMSET(out, 0, *outSz);
-            rc = wc_DerToPem(tmp.buffer, tmp.size, out, *outSz, PUBLICKEY_TYPE);
+            rc = wc_DerToPem(tmp, derSz, out, *outSz, PUBLICKEY_TYPE);
             if (rc > 0) {
                 *outSz = rc;
                 rc = 0;
@@ -3193,10 +3207,8 @@ int wolfTPM2_ImportPrivateKeyBuffer(WOLFTPM2_DEV* dev,
 
     return rc;
 }
-#endif /* !NO_ASN */
 
 #ifndef NO_RSA
-#ifndef NO_ASN
 int wolfTPM2_RsaPrivateKeyImportDer(WOLFTPM2_DEV* dev,
     const WOLFTPM2_KEY* parentKey, WOLFTPM2_KEYBLOB* keyBlob, const byte* input,
     word32 inSz, TPMI_ALG_RSA_SCHEME scheme, TPMI_ALG_HASH hashAlg)
@@ -3242,7 +3254,6 @@ int wolfTPM2_RsaPrivateKeyImportDer(WOLFTPM2_DEV* dev,
 
     return rc;
 }
-#endif /* !NO_ASN */
 
 #ifdef WOLFTPM2_PEM_DECODE
 int wolfTPM2_RsaPrivateKeyImportPem(WOLFTPM2_DEV* dev,
@@ -3257,6 +3268,24 @@ int wolfTPM2_RsaPrivateKeyImportPem(WOLFTPM2_DEV* dev,
 }
 #endif /* WOLFTPM2_PEM_DECODE */
 
+int wolfTPM2_RsaKey_TpmToPemPub(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
+    byte* pem, word32* pemSz)
+{
+    return wolfTPM2_ExportPublicKeyBuffer(dev, tpmKey,
+        ENCODING_TYPE_PEM, pem, pemSz);
+}
+#endif /* !NO_RSA */
+#endif /* !NO_ASN */
+
+#ifndef NO_RSA
+static word32 wolfTPM2_RsaKey_Exponent(byte* e, word32 eSz)
+{
+    word32 exponent = 0, i;
+    for (i=0; i<eSz && i<sizeof(word32); i++) {
+        exponent |= ((word32)e[i]) << (i*8);
+    }
+    return exponent;
+}
 
 int wolfTPM2_RsaKey_TpmToWolf(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
     RsaKey* wolfKey)
@@ -3294,22 +3323,6 @@ int wolfTPM2_RsaKey_TpmToWolf(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
     return rc;
 }
 
-int wolfTPM2_RsaKey_TpmToPemPub(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
-    byte* pem, word32* pemSz)
-{
-    return wolfTPM2_ExportPublicKeyBuffer(dev, tpmKey,
-        ENCODING_TYPE_PEM, pem, pemSz);
-}
-
-static word32 wolfTPM2_RsaKey_Exponent(byte* e, word32 eSz)
-{
-    word32 exponent = 0, i;
-    for (i=0; i<eSz && i<sizeof(word32); i++) {
-        exponent |= ((word32)e[i]) << (i*8);
-    }
-    return exponent;
-}
-
 int wolfTPM2_RsaKey_WolfToTpm_ex(WOLFTPM2_DEV* dev, const WOLFTPM2_KEY* parentKey,
     RsaKey* wolfKey, WOLFTPM2_KEY* tpmKey)
 {
@@ -3369,6 +3382,7 @@ int wolfTPM2_RsaKey_WolfToTpm(WOLFTPM2_DEV* dev, RsaKey* wolfKey,
     return wolfTPM2_RsaKey_WolfToTpm_ex(dev, NULL, wolfKey, tpmKey);
 }
 
+#ifndef NO_ASN
 int wolfTPM2_RsaKey_PubPemToTpm(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
     const byte* pem, word32 pemSz)
 {
@@ -3413,6 +3427,7 @@ int wolfTPM2_RsaKey_PubPemToTpm(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
 
     return rc;
 }
+#endif /* !NO_ASN */
 #endif /* !NO_RSA */
 
 #ifdef HAVE_ECC
@@ -6719,15 +6734,14 @@ static int CSR_MakeAndSign(WOLFTPM2_DEV* dev, WOLFTPM2_CSR* csr, CSRKey* key,
     /* Optionally convert to PEM */
     if (rc >= 0 && outFormat == CTC_FILETYPE_PEM) {
     #ifdef WOLFSSL_DER_TO_PEM
-        WOLFTPM2_BUFFER tmp;
+        byte tmp[MAX_CONTEXT_SIZE];
-        tmp.size = rc;
+        if (rc > (int)sizeof(tmp)) {
-        if (rc > (int)sizeof(tmp.buffer)) {
             rc = BUFFER_E;
         }
         else {
-            XMEMCPY(tmp.buffer, out, rc);
+            XMEMCPY(tmp, out, rc);
             XMEMSET(out, 0, outSz);
-            rc = wc_DerToPem(tmp.buffer, tmp.size, out, outSz,
+            rc = wc_DerToPem(tmp, (word32)rc, out, outSz,
                 selfSignCert ? CERT_TYPE : CERTREQ_TYPE);
         }
     #else

tests/unit_tests.c

@@ -332,7 +332,8 @@ static void test_wolfTPM2_CSR(void)
 #endif
 }
 
-#if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(WOLFTPM2_PEM_DECODE)
+#if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(WOLFTPM2_PEM_DECODE) && \
+    !defined(NO_RSA)
 static WOLFTPM2_KEY authKey; /* also used for test_wolfTPM2_PCRPolicy */
 
 static void test_wolfTPM_ImportPublicKey(void)
@@ -499,7 +500,7 @@ static void test_wolfTPM2_KeyBlob(TPM_ALG_ID alg)
     WOLFTPM2_DEV dev;
     WOLFTPM2_KEY srk;
     WOLFTPM2_KEYBLOB key;
-    WOLFTPM2_BUFFER blob;
+    byte blob[MAX_CONTEXT_SIZE];
     TPMT_PUBLIC publicTemplate;
     word32 privBufferSz, pubBufferSz;
 
@@ -550,25 +551,26 @@ static void test_wolfTPM2_KeyBlob(TPM_ALG_ID alg)
         NULL, &privBufferSz, &key);
     AssertIntEQ(rc, LENGTH_ONLY_E);
 
+    AssertIntLT(pubBufferSz + privBufferSz, sizeof(blob));
+
     /* Test exporting private and public parts separately */
-    rc = wolfTPM2_GetKeyBlobAsSeparateBuffers(blob.buffer, &pubBufferSz,
+    rc = wolfTPM2_GetKeyBlobAsSeparateBuffers(blob, &pubBufferSz,
-        &blob.buffer[pubBufferSz], &privBufferSz, &key);
+        blob +pubBufferSz, &privBufferSz, &key);
     AssertIntEQ(rc, 0);
 
     /* Test getting size only */
-    rc = wolfTPM2_GetKeyBlobAsBuffer(NULL, sizeof(blob.buffer), &key);
+    rc = wolfTPM2_GetKeyBlobAsBuffer(NULL, sizeof(blob), &key);
     AssertIntGT(rc, 0);
 
     /* Export private and public key */
-    rc = wolfTPM2_GetKeyBlobAsBuffer(blob.buffer, sizeof(blob.buffer), &key);
+    rc = wolfTPM2_GetKeyBlobAsBuffer(blob, sizeof(blob), &key);
     AssertIntGT(rc, 0);
-    blob.size = rc;
 
     /* Reset the originally created key */
     XMEMSET(&key, 0, sizeof(key));
 
     /* Load key blob (private/public) from buffer */
-    rc = wolfTPM2_SetKeyBlobFromBuffer(&key, blob.buffer, blob.size);
+    rc = wolfTPM2_SetKeyBlobFromBuffer(&key, blob, rc);
     AssertIntEQ(rc, 0);
     key.handle.auth.size = sizeof(gKeyAuth)-1;
     XMEMCPY(key.handle.auth.buffer, gKeyAuth, key.handle.auth.size);
@@ -604,7 +606,8 @@ int unit_tests(int argc, char *argv[])
     test_TPM2_KDFa();
     test_wolfTPM2_ReadPublicKey();
     test_wolfTPM2_CSR();
-    #if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(WOLFTPM2_PEM_DECODE)
+    #if !defined(WOLFTPM2_NO_WOLFCRYPT) && defined(WOLFTPM2_PEM_DECODE) && \
+        !defined(NO_RSA)
     test_wolfTPM_ImportPublicKey();
     test_wolfTPM2_PCRPolicy();
     #endif

wolftpm/tpm2_types.h

@@ -646,6 +646,7 @@ typedef int64_t  INT64;
 #ifndef WOLFTPM2_WRAP_DIGEST
     #define WOLFTPM2_WRAP_DIGEST TPM_ALG_SHA256
 #endif
+
 /* Defines the default RSA key bits for the wrapper functions */
 #ifndef WOLFTPM2_WRAP_RSA_KEY_BITS
     #define WOLFTPM2_WRAP_RSA_KEY_BITS MAX_RSA_KEY_BITS
@@ -672,17 +673,24 @@ typedef int64_t  INT64;
 #if !defined(WOLFTPM2_NO_HEAP) && defined(WOLFSSL_PEM_TO_DER) && \
     (defined(WOLFSSL_CERT_EXT) || defined(WOLFSSL_PUB_PEM_TO_DER)) && \
     !defined(NO_ASN)
+    /* Enable the certificate PEM decode support */
     #define WOLFTPM2_PEM_DECODE
 #endif
 
-/* Firmware upgrade requires wolfCrypt for hash and supported
+/* Firmware upgrade requires wolfCrypt for hashing.
- * only for Infineon SLB9672/SLB9673 */
+ * Supported only for Infineon SLB9672/SLB9673 */
 #if defined(WOLFTPM_FIRMWARE_UPGRADE) && \
     (defined(WOLFTPM2_NO_WOLFCRYPT) || \
      (!defined(WOLFTPM_SLB9672) && !defined(WOLFTPM_SLB9673)))
     #undef WOLFTPM_FIRMWARE_UPGRADE
 #endif
 
+#if !defined(WOLFTPM2_NO_WOLFCRYPT) && \
+    !defined(NO_AES) && defined(WOLFSSL_AES_CFB) && !defined(NO_HMAC)
+    /* Support for importing external private keys */
+    #define WOLFTPM2_PRIVATE_IMPORT
+#endif
+
 
 /* ---------------------------------------------------------------------------*/
 /* ENDIANESS HELPERS */

wolftpm/tpm2_wrap.h

@@ -95,13 +95,10 @@ typedef struct WOLFTPM2_CSR {
 } WOLFTPM2_CSR;
 #endif
 
-#ifndef WOLFTPM2_MAX_BUFFER
+/* buffer similar to TPM2B_MAX_BUFFER that can be used */
-    #define WOLFTPM2_MAX_BUFFER 2048
-#endif
-
 typedef struct WOLFTPM2_BUFFER {
     int size;
-    byte buffer[WOLFTPM2_MAX_BUFFER];
+    byte buffer[MAX_DIGEST_BUFFER];
 } WOLFTPM2_BUFFER;
 
 typedef enum WOLFTPM2_MFG {