Added parameter encryption support to more examples. Fix to not set "encrypt" or "decrypt" if command doesn't allow it. Updated documentation.

2020-11-30 09:16:54 -08:00 · 2020-11-30 09:16:54 -08:00 · 4b0b70861c
parent 4c2e8d3f43
commit 4b0b70861c
38 changed files with 776 additions and 512 deletions
--- a/.gitignore
+++ b/.gitignore
@ -38,7 +38,6 @@ examples/tls/tls_client
 examples/pkcs7/pkcs7
 examples/timestamp/signed_timestamp
 examples/pcr/quote
 examples/pcr/quote_paramenc
 examples/pcr/extend
 examples/pcr/reset
 examples/timestamp/clock_set
@ -51,8 +50,6 @@ tests/unit.test
 examples/keygen/keyload
 examples/keygen/keygen
 examples/keygen/keyimport
 examples/keygen/keygen_paramenc
 examples/keygen/keyload_paramenc
 # Generated Cert Files
 certs/ca-*.pem
--- a/README.md
+++ b/README.md
@ -24,6 +24,7 @@ Portable TPM 2.0 project designed for embedded use.
 	* TLS Client
 	* TLS Server
 	* Benchmarking TPM algorithms and TLS
 * Parameter encryption support using AES-CFB or XOR. Supports salted unbound authenticated sessions.
 Note: See [examples/README.md](examples/README.md) for details on using the examples.
@ -637,6 +638,10 @@ Connection: close
 ## Todo
 * Update to v1.59 of specification.
 * Add HMAC support for "authValue".
 * Add ECC encrypted salt.
 * Add bound auth session support.
 * Add multiple auth session (nonceTPMDecrypt and nonceTPMEncrypt) support.
 ## Support
--- a/examples/README.md
+++ b/examples/README.md
@ -6,6 +6,8 @@ The examples create RSA and ECC keys in NV for testing using handles defined in
 The PKCS #7 and TLS examples require generating CSR's and signing them using a test script. See CSR and Certificate Signing below.
 To enable parameter encryption use `-aes` for AES-CFB mode or `-xor` for XOR mode. Only some TPM commands / responses support parameter encryption. If the TPM2_ API has .flags `CMD_FLAG_ENC2` or `CMD_FLAG_DEC2` set then the command will use parameter encryption / decryption.
 ## Native API Test
 Demonstrates calling native TPM2_* API's.
@ -110,8 +112,8 @@ To use symmetric AES/Hashing/HMAC with the TPM define `WOLFTPM_USE_SYMMETRIC`.
 Generation of the Client and Server Certificates requires running:
-1. `./examples/keygen/keygen rsa_test_blob.raw -RSA -T`
+1. `./examples/keygen/keygen rsa_test_blob.raw -rsa -t`
-2. `./examples/keygen/keygen ecc_test_blob.raw -ECC -T`
+2. `./examples/keygen/keygen ecc_test_blob.raw -ecc -t`
 3. `./examples/csr/csr`
 4. `./certs/certreq.sh`
 5. Copy the CA files from wolfTPM to wolfSSL certs directory.
@ -134,9 +136,9 @@ or
 `./examples/server/server -b -p 11111 -g -A ./certs/tpm-ca-ecc-cert.pem -i -V`
 Then run the wolfTPM TLS client example:
-`./examples/tls/tls_client RSA`
+`./examples/tls/tls_client -rsa`
 or
-`./examples/tls/tls_client ECC`
+`./examples/tls/tls_client -ecc`
 ### TLS Server
@ -146,9 +148,9 @@ This example shows using a TPM key and certificate for a TLS server.
 By default it listens on port 11111 and can be overridden at build-time using the `TLS_PORT` macro.
 Run the wolfTPM TLS server example:
-`./examples/tls/tls_server RSA`
+`./examples/tls/tls_server -rsa`
 or
-`./examples/tls/tls_server ECC`
+`./examples/tls/tls_server -ecc`
 Then run the wolfSSL example client this like:
 `./examples/client/client -h localhost -p 11111 -g -d`
@ -194,7 +196,7 @@ Performance benchmarks.
 Examples for generating a TPM key blob and storing to disk, then loading from disk and loading into temporary TPM handle.
 ```
-$ ./examples/keygen/keygen keyblob.bin -RSA
+$ ./examples/keygen/keygen keyblob.bin -rsa
 TPM2.0 Key generation example
 Loading SRK: Storage 0x81000200 (282 bytes)
 Creating new RSA key...
@ -208,7 +210,7 @@ Reading 840 bytes from keyblob.bin
 Loaded key to 0x80000001
-$ ./examples/keygen/keygen keyblob.bin -ECC
+$ ./examples/keygen/keygen keyblob.bin -ecc
 TPM2.0 Key generation example
 Loading SRK: Storage 0x81000200 (282 bytes)
 Creating new ECC key...
@ -225,7 +227,7 @@ Loaded key to 0x80000001
 Example for importing a private key as TPM key blob and storing to disk, then loading from disk and loading into temporary TPM handle.
 ```
-$ ./examples/keygen/keyimport keyblob.bin -RSA
+$ ./examples/keygen/keyimport keyblob.bin -rsa
 TPM2.0 Key import example
 Loading SRK: Storage 0x81000200 (282 bytes)
 Imported key (pub 278, priv 222 bytes)
@ -238,7 +240,7 @@ Reading 840 bytes from keyblob.bin
 Loaded key to 0x80000001
-$ ./examples/keygen/keyimport keyblob.bin -ECC
+$ ./examples/keygen/keyimport keyblob.bin -ecc
 TPM2.0 Key Import example
 Loading SRK: Storage 0x81000200 (282 bytes)
 Imported key (pub 86, priv 126 bytes)
--- a/examples/bench/bench.c
+++ b/examples/bench/bench.c
@ -181,11 +181,22 @@ exit:
    return rc;
 }
 static void usage(void)
 {
    printf("Expected usage:\n");
    printf("./examples/bench/bench [-aes/xor]\n");
    printf("* -aes/xor: Use Parameter Encryption\n");   
 }
 /******************************************************************************/
 /* --- BEGIN Bench Wrapper -- */
 /******************************************************************************/
 int TPM2_Wrapper_Bench(void* userCtx)
 {
    return TPM2_Wrapper_BenchArgs(userCtx, 0, NULL);
 }
-int TPM2_Wrapper_Bench(void* userCtx, int argc, char *argv[])
+int TPM2_Wrapper_BenchArgs(void* userCtx, int argc, char *argv[])
 {
    int rc;
    WOLFTPM2_DEV dev;
@ -199,11 +210,35 @@ int TPM2_Wrapper_Bench(void* userCtx, int argc, char *argv[])
    TPM2B_ECC_POINT pubPoint;
    double start;
    int count;
    TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
    WOLFTPM2_SESSION tpmSession;
    if (argc >= 2) {
        if (XSTRNCMP(argv[1], "-?", 2) == 0 ||
            XSTRNCMP(argv[1], "-h", 2) == 0 ||
            XSTRNCMP(argv[1], "--help", 6) == 0) {
            usage();
            return 0;
        }
    }
    while (argc > 1) {
        if (XSTRNCMP(argv[argc-1], "-aes", 4) == 0) {
            paramEncAlg = TPM_ALG_CFB;
        }
        if (XSTRNCMP(argv[argc-1], "-xor", 4) == 0) {
            paramEncAlg = TPM_ALG_XOR;
        }
        argc--;
    }
    XMEMSET(&storageKey, 0, sizeof(storageKey));
    XMEMSET(&eccKey, 0, sizeof(eccKey));
    XMEMSET(&rsaKey, 0, sizeof(rsaKey));
    XMEMSET(&tpmSession, 0, sizeof(tpmSession));
    printf("TPM2 Benchmark using Wrapper API's\n");
-
+    printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));
    (void)argc;
    (void)argv;
    /* Init the TPM2 device */
    rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
@ -213,6 +248,20 @@ int TPM2_Wrapper_Bench(void* userCtx, int argc, char *argv[])
    rc = getPrimaryStoragekey(&dev, &storageKey, TPM_ALG_RSA);
    if (rc != 0) goto exit;
    if (paramEncAlg != TPM_ALG_NULL) {
        /* Start an authenticated session (salted / unbound) with parameter encryption */
        rc = wolfTPM2_StartSession(&dev, &tpmSession, &storageKey, NULL,
            TPM_SE_HMAC, paramEncAlg);
        if (rc != 0) goto exit;
        printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
            (word32)tpmSession.handle.hndl);
        /* set session for authorization of the storage key */
        rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession, 
            (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession));
        if (rc != 0) goto exit;
    }
    /* RNG Benchmark */
    bench_stats_start(&count, &start);
    do {
@ -423,6 +472,7 @@ exit:
    wolfTPM2_UnloadHandle(&dev, &rsaKey.handle);
    wolfTPM2_UnloadHandle(&dev, &eccKey.handle);
    wolfTPM2_UnloadHandle(&dev, &tpmSession.handle);
    wolfTPM2_Cleanup(&dev);
@ -441,7 +491,7 @@ int main(int argc, char *argv[])
    int rc = -1;
 #if !defined(WOLFTPM2_NO_WRAPPER) && !defined(NO_TPM_BENCH)
-    rc = TPM2_Wrapper_Bench(NULL, argc, argv);
+    rc = TPM2_Wrapper_BenchArgs(NULL, argc, argv);
 #else
    printf("Wrapper code not compiled in\n");
 #endif
--- a/examples/bench/bench.h
+++ b/examples/bench/bench.h
@ -26,7 +26,8 @@
    extern "C" {
 #endif
-int TPM2_Wrapper_Bench(void* userCtx, int argc, char *argv[]);
+int TPM2_Wrapper_BenchArgs(void* userCtx, int argc, char *argv[]);
 int TPM2_Wrapper_Bench(void* userCtx);
 #ifdef __cplusplus
    }  /* extern "C" */
--- a/examples/csr/csr.c
+++ b/examples/csr/csr.c
@ -137,7 +137,11 @@ exit:
    return rc;
 }
-int TPM2_CSR_Example(void* userCtx, int argc, char *argv[])
+int TPM2_CSR_Example(void* userCtx)
 {
    return TPM2_CSR_ExampleArgs(userCtx, 0, NULL);
 }
 int TPM2_CSR_ExampleArgs(void* userCtx, int argc, char *argv[])
 {
    int rc;
    WOLFTPM2_DEV dev;
@ -243,7 +247,7 @@ int main(int argc, char *argv[])
 #if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \
    defined(WOLFSSL_CERT_REQ) && \
    (defined(WOLF_CRYPTO_DEV) || defined(WOLF_CRYPTO_CB))
-    rc = TPM2_CSR_Example(NULL, argc, argv);
+    rc = TPM2_CSR_ExampleArgs(NULL, argc, argv);
 #else
    (void)argc;
    (void)argv;
--- a/examples/csr/csr.h
+++ b/examples/csr/csr.h
@ -26,7 +26,8 @@
    extern "C" {
 #endif
-int TPM2_CSR_Example(void* userCtx, int argc, char *argv[]);
+int TPM2_CSR_Example(void* userCtx);
 int TPM2_CSR_ExampleArgs(void* userCtx, int argc, char *argv[]);
 #ifdef __cplusplus
    }  /* extern "C" */
--- a/examples/keygen/keygen.c
+++ b/examples/keygen/keygen.c
@ -37,9 +37,10 @@
 static void usage(void)
 {
    printf("Expected usage:\n");
-    printf("keygen [keyblob.bin] [-ECC/-RSA] [-T] [-e]\n");
+    printf("./examples/keygen/keygen [keyblob.bin] [-ecc/-rsa] [-t] [-aes/xor]\n");
-    printf("-T: Use default template (otherwise AIK)\n");
+    printf("* -ecc: Use RSA or ECC for keys\n");
-    printf("-e: Use Parameter Encryption\n");
+    printf("* -t: Use default template (otherwise AIK)\n");
    printf("* -aes/xor: Use Parameter Encryption\n");
 }
 int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
@ -50,7 +51,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
    WOLFTPM2_KEYBLOB newKey;
    TPMT_PUBLIC publicTemplate;
    TPMI_ALG_PUBLIC alg = TPM_ALG_RSA; /* TPM_ALG_ECC */
-    int useParamEnc = 0;
+    TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
    WOLFTPM2_SESSION tpmSession;
    TPM2B_AUTH auth;
    int bAIK = 1;
@ -71,14 +72,17 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
            outputFile = argv[1];
    }
    while (argc > 1) {
-        if (XSTRNCMP(argv[argc-1], "-ECC", 4) == 0) {
+        if (XSTRNCMP(argv[argc-1], "-ecc", 4) == 0) {
            alg = TPM_ALG_ECC;
        }
-        if (XSTRNCMP(argv[argc-1], "-T", 2) == 0) {
+        if (XSTRNCMP(argv[argc-1], "-t", 2) == 0) {
            bAIK = 0;
        }
-        if (XSTRNCMP(argv[argc-1], "-e", 2) == 0) {
+        if (XSTRNCMP(argv[argc-1], "-aes", 4) == 0) {
-            useParamEnc = 1;
+            paramEncAlg = TPM_ALG_CFB;
        }
        if (XSTRNCMP(argv[argc-1], "-xor", 4) == 0) {
            paramEncAlg = TPM_ALG_XOR;
        }
        argc--;
    }
@ -92,7 +96,7 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
    printf("\tKey Blob: %s\n", outputFile);
    printf("\tAlgorithm: %s\n", TPM2_GetAlgName(alg));
    printf("\tTemplate: %s\n", bAIK ? "AIK" : "Default");
-    printf("\tUse Parameter Encryption: %d\n", useParamEnc);
+    printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));
    rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
    if (rc != TPM_RC_SUCCESS) {
@ -104,10 +108,10 @@ int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[])
    rc = getPrimaryStoragekey(&dev, &storage, TPM_ALG_RSA);
    if (rc != 0) goto exit;
-    if (useParamEnc) {
+    if (paramEncAlg != TPM_ALG_NULL) {
-        /* Start an authenticated session (salted / unbound with AES CFB parameter encryption) */
+        /* Start an authenticated session (salted / unbound) with parameter encryption */
        rc = wolfTPM2_StartSession(&dev, &tpmSession, &storage, NULL,
-            TPM_SE_POLICY, TPM_ALG_CFB);
+            TPM_SE_HMAC, paramEncAlg);
        if (rc != 0) goto exit;
        printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
            (word32)tpmSession.handle.hndl);
--- a/examples/keygen/keygen.h
+++ b/examples/keygen/keygen.h
@ -29,8 +29,6 @@
 int TPM2_Keygen_Example(void* userCtx, int argc, char *argv[]);
 int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[]);
 int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[]);
 int TPM2_Keygen_ParamEnc_Example(void* userCtx, int argc, char *argv[]);
 int TPM2_Keyload_ParamEnc_Example(void* userCtx, int argc, char *argv[]);
 #ifdef __cplusplus
    }  /* extern "C" */
--- a/examples/keygen/keyimport.c
+++ b/examples/keygen/keyimport.c
@ -38,11 +38,11 @@
 static void usage(void)
 {
    printf("Expected usage:\n");
-    printf("keyimport [keyblob.bin] [-ECC/-RSA] [-e]\n");
+    printf("./examples/keygen/keyimport [keyblob.bin] [-ecc/-rsa] [-aes/xor]\n");
-    printf("-e: Use Parameter Encryption\n");
+    printf("* -ecc: Use RSA or ECC for keys\n");
    printf("* -aes/xor: Use Parameter Encryption\n");
 }
 int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
 {
    int rc;
@ -50,7 +50,7 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
    WOLFTPM2_KEY storage; /* SRK */
    WOLFTPM2_KEYBLOB impKey;
    TPMI_ALG_PUBLIC alg = TPM_ALG_RSA; /* TPM_ALG_ECC */
-    int useParamEnc = 0;
+    TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
    WOLFTPM2_SESSION tpmSession;
 #if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_FILESYSTEM)
    XFILE f;
@ -70,11 +70,14 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
            outputFile = argv[1];
    }
    while (argc > 1) {
-        if (XSTRNCMP(argv[argc-1], "-ECC", 4) == 0) {
+        if (XSTRNCMP(argv[argc-1], "-ecc", 4) == 0) {
            alg = TPM_ALG_ECC;
        }
-        if (XSTRNCMP(argv[argc-1], "-e", 2) == 0) {
+        if (XSTRNCMP(argv[argc-1], "-aes", 4) == 0) {
-            useParamEnc = 1;
+            paramEncAlg = TPM_ALG_CFB;
        }
        if (XSTRNCMP(argv[argc-1], "-xor", 4) == 0) {
            paramEncAlg = TPM_ALG_XOR;
        }
        argc--;
    }
@ -86,7 +89,7 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
    printf("TPM2.0 Key Import example\n");
    printf("\tKey Blob: %s\n", outputFile);
    printf("\tAlgorithm: %s\n", TPM2_GetAlgName(alg));
-    printf("\tUse Parameter Encryption: %d\n", useParamEnc);
+    printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));
    rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
    if (rc != TPM_RC_SUCCESS) {
@ -98,10 +101,10 @@ int TPM2_Keyimport_Example(void* userCtx, int argc, char *argv[])
    rc = getPrimaryStoragekey(&dev, &storage, TPM_ALG_RSA);
    if (rc != 0) goto exit;
-    if (useParamEnc) {
+    if (paramEncAlg != TPM_ALG_NULL) {
-        /* Start an authenticated session (salted / unbound with AES CFB parameter encryption) */
+        /* Start an authenticated session (salted / unbound) with parameter encryption */
        rc = wolfTPM2_StartSession(&dev, &tpmSession, &storage, NULL,
-            TPM_SE_POLICY, TPM_ALG_CFB);
+            TPM_SE_HMAC, paramEncAlg);
        if (rc != 0) goto exit;
        printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
            (word32)tpmSession.handle.hndl);
--- a/examples/keygen/keyload.c
+++ b/examples/keygen/keyload.c
@ -46,8 +46,8 @@
 static void usage(void)
 {
    printf("Expected usage:\n");
-    printf("keyload [keyblob.bin] [-e]\n");
+    printf("./examples/keygen/keyload [keyblob.bin] [-aes/xor]\n");
-    printf("-e: Use Parameter Encryption\n");
+    printf("* -aes/xor: Use Parameter Encryption\n");
 }
 int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[])
@ -56,7 +56,7 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[])
    WOLFTPM2_DEV dev;
    WOLFTPM2_KEY storage; /* SRK */
    WOLFTPM2_KEYBLOB newKey;
-    int useParamEnc = 0;
+    TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
    WOLFTPM2_SESSION tpmSession;
 #if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_FILESYSTEM)
    XFILE f;
@ -75,8 +75,11 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[])
            inputFile = argv[1];
    }
    while (argc > 1) {
-        if (XSTRNCMP(argv[argc-1], "-e", 2) == 0) {
+        if (XSTRNCMP(argv[argc-1], "-aes", 4) == 0) {
-            useParamEnc = 1;
+            paramEncAlg = TPM_ALG_CFB;
        }
        if (XSTRNCMP(argv[argc-1], "-xor", 4) == 0) {
            paramEncAlg = TPM_ALG_XOR;
        }
        argc--;
    }
@ -87,7 +90,7 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[])
    printf("TPM2.0 Key load example\n");
    printf("\tKey Blob: %s\n", inputFile);
-    printf("\tUse Parameter Encryption: %d\n", useParamEnc);
+    printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));
    rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
    if (rc != TPM_RC_SUCCESS) {
@ -99,10 +102,10 @@ int TPM2_Keyload_Example(void* userCtx, int argc, char *argv[])
    rc = getPrimaryStoragekey(&dev, &storage, TPM_ALG_RSA);
    if (rc != 0) goto exit;
-    if (useParamEnc) {
+    if (paramEncAlg != TPM_ALG_NULL) {
-        /* Start an authenticated session (salted / unbound with AES CFB parameter encryption) */
+        /* Start an authenticated session (salted / unbound) with parameter encryption */
        rc = wolfTPM2_StartSession(&dev, &tpmSession, &storage, NULL,
-            TPM_SE_POLICY, TPM_ALG_CFB);
+            TPM_SE_HMAC, paramEncAlg);
        if (rc != 0) goto exit;
        printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
            (word32)tpmSession.handle.hndl);
--- a/examples/native/native_test.c
+++ b/examples/native/native_test.c
@ -53,7 +53,11 @@ typedef struct tmpHandle {
 } TpmHandle;
-int TPM2_Native_Test(void* userCtx, int argc, char *argv[])
+int TPM2_Native_Test(void* userCtx)
 {
    return TPM2_Native_TestArgs(userCtx, 0, NULL);
 }
 int TPM2_Native_TestArgs(void* userCtx, int argc, char *argv[])
 {
    int rc;
    TPM2_CTX tpm2Ctx;
@ -377,7 +381,8 @@ int TPM2_Native_Test(void* userCtx, int argc, char *argv[])
    }
    /* PCR Extend and Verify */
-    pcrIndex = 16; /* Working with PCR16 because of next PCR Reset test */
+    /* Working with PCR16 because of next PCR Reset test */
    pcrIndex = TPM2_TEST_PCR;
    XMEMSET(&cmdIn.pcrExtend, 0, sizeof(cmdIn.pcrExtend));
    cmdIn.pcrExtend.pcrHandle = pcrIndex;
    cmdIn.pcrExtend.digests.count = 1;
@ -414,9 +419,9 @@ int TPM2_Native_Test(void* userCtx, int argc, char *argv[])
    /* PCR Reset
        Only PCR16(DEBUG) and PCR23(Application specific) can be reset
-        in locality 0. This is the only locality supoprted by wolfTPM.
+        in locality 0. This is the only locality supported by wolfTPM.
    */
-    pcrIndex = 16;
+    pcrIndex = TPM2_TEST_PCR;
    XMEMSET(&cmdIn.pcrReset, 0, sizeof(cmdIn.pcrReset));
    cmdIn.pcrReset.pcrHandle = pcrIndex;
    rc = TPM2_PCR_Reset(&cmdIn.pcrReset);
@ -1373,7 +1378,7 @@ int main(int argc, char *argv[])
 {
    int rc;
-    rc = TPM2_Native_Test(NULL, argc, argv);
+    rc = TPM2_Native_TestArgs(NULL, argc, argv);
    return rc;
 }
--- a/examples/native/native_test.h
+++ b/examples/native/native_test.h
@ -26,7 +26,8 @@
    extern "C" {
 #endif
-int TPM2_Native_Test(void* userCtx, int argc, char *argv[]);
+int TPM2_Native_Test(void* userCtx);
 int TPM2_Native_TestArgs(void* userCtx, int argc, char *argv[]);
 #ifdef __cplusplus
    }  /* extern "C" */
--- a/examples/pcr/extend.c
+++ b/examples/pcr/extend.c
@ -45,8 +45,8 @@ static void usage(void)
 {
    printf("Expected usage:\n");
    printf("./examples/pcr/extend [pcr] [filename]\n");
-    printf("* pcr is a PCR index between 0-23 (default %d)\n", TPM2_TEST_PCR);
+    printf("* pcr: PCR index between 0-23 (default %d)\n", TPM2_TEST_PCR);
-    printf("* filename points to file(data) to measure\n");
+    printf("* filename: points to file(data) to measure\n");
    printf("\tIf wolfTPM is built with --disable-wolfcrypt the file\n"
           "\tmust contain SHA256 digest ready for extend operation.\n"
           "\tOtherwise, the extend tool computes the hash using wolfcrypt.\n");
--- a/examples/pcr/quote.c
+++ b/examples/pcr/quote.c
@ -41,13 +41,14 @@
 static void usage(void)
 {
    printf("Expected usage:\n");
-    printf("./examples/pcr/quote [pcr] [filename] [-e]\n");
+    printf("./examples/pcr/quote [pcr] [filename] [-ecc] [-aes/xor]\n");
-    printf("* pcr is a PCR index between 0-23 (default %d)\n", TPM2_TEST_PCR);
+    printf("* pcr: PCR index between 0-23 (default %d)\n", TPM2_TEST_PCR);
-    printf("* filename for saving the TPMS_ATTEST structure to a file\n");
+    printf("* filename: for saving the TPMS_ATTEST structure to a file\n");
    printf("* -ecc: Use RSA or ECC for EK/AIK\n");
    printf("* -aes/xor: Use Parameter Encryption\n");
    printf("Demo usage without parameters, generates quote over PCR%d and\n"
           "saves the output TPMS_ATTEST structure to \"quote.blob\" file.\n",
           TPM2_TEST_PCR);
    printf("-e: Use Parameter Encryption\n");
 }
 int TPM2_Quote_Test(void* userCtx, int argc, char *argv[])
@ -58,11 +59,10 @@ int TPM2_Quote_Test(void* userCtx, int argc, char *argv[])
    int dataSz;
    WOLFTPM2_DEV dev;
    TPMS_ATTEST attestedData;
-
+    TPMI_ALG_PUBLIC alg = TPM_ALG_RSA; /* TPM_ALG_ECC */
    WOLFTPM2_KEY endorse; /* EK  */
    WOLFTPM2_KEY storage; /* SRK */
-    WOLFTPM2_KEY rsaKey;  /* AIK */
+    WOLFTPM2_KEY aik;  /* AIK */
    union {
        Quote_In quoteAsk;
        byte maxInput[MAX_COMMAND_SIZE];
@ -71,12 +71,17 @@ int TPM2_Quote_Test(void* userCtx, int argc, char *argv[])
        Quote_Out quoteResult;
        byte maxOutput[MAX_RESPONSE_SIZE];
    } cmdOut;
-    int useParamEnc = 0;
+    TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
    WOLFTPM2_SESSION tpmSession;
 #if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_FILESYSTEM)
    XFILE f;
 #endif
    XMEMSET(&endorse, 0, sizeof(endorse));
    XMEMSET(&storage, 0, sizeof(storage));
    XMEMSET(&aik, 0, sizeof(aik));
    XMEMSET(&tpmSession, 0, sizeof(tpmSession));
    if (argc >= 2) {
        if (XSTRNCMP(argv[1], "-?", 2) == 0 ||
            XSTRNCMP(argv[1], "-h", 2) == 0 ||
@ -98,21 +103,23 @@ int TPM2_Quote_Test(void* userCtx, int argc, char *argv[])
            outputFile = argv[2];
    }
    while (argc > 1) {
-        if (XSTRNCMP(argv[argc-1], "-e", 2) == 0) {
+        if (XSTRNCMP(argv[argc-1], "-ecc", 4) == 0) {
-            useParamEnc = 1;
+            alg = TPM_ALG_ECC;
        }
        if (XSTRNCMP(argv[argc-1], "-aes", 4) == 0) {
            paramEncAlg = TPM_ALG_CFB;
        }
        if (XSTRNCMP(argv[argc-1], "-xor", 4) == 0) {
            paramEncAlg = TPM_ALG_XOR;
        }
        argc--;
    }
    XMEMSET(&endorse, 0, sizeof(endorse));
    XMEMSET(&storage, 0, sizeof(storage));
    XMEMSET(&rsaKey, 0, sizeof(rsaKey));
    XMEMSET(&tpmSession, 0, sizeof(tpmSession));
    printf("PCR Quote example - Demo of signed PCR measurement\n");
    printf("\tOutput file: %s\n", outputFile);
    printf("\tPCR Index: %d\n", pcrIndex);
-    printf("\tUse Parameter Encryption: %d\n", useParamEnc);
+    printf("\tUse %s SRK/AIK\n", TPM2_GetAlgName(alg));
    printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));
    rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
    if (rc != TPM_RC_SUCCESS) {
@ -122,7 +129,7 @@ int TPM2_Quote_Test(void* userCtx, int argc, char *argv[])
    printf("wolfTPM2_Init: success\n");
    /* Create Endorsement Key, also called EK */
-    rc = wolfTPM2_CreateEK(&dev, &endorse, TPM_ALG_RSA);
+    rc = wolfTPM2_CreateEK(&dev, &endorse, alg);
    if (rc != TPM_RC_SUCCESS) {
        printf("wolfTPM2_CreateEK: Endorsement failed 0x%x: %s\n",
            rc, TPM2_GetRCString(rc));
@ -132,11 +139,11 @@ int TPM2_Quote_Test(void* userCtx, int argc, char *argv[])
        (word32)endorse.handle.hndl, endorse.pub.size);
    /* get SRK */
-    rc = getPrimaryStoragekey(&dev, &storage, TPM_ALG_RSA);
+    rc = getPrimaryStoragekey(&dev, &storage, alg);
    if (rc != 0) goto exit;
-    /* Create an RSA key for Attestation purposes */
+    /* Create key for Attestation purposes */
-    rc = wolfTPM2_CreateAndLoadAIK(&dev, &rsaKey, TPM_ALG_RSA, &storage,
+    rc = wolfTPM2_CreateAndLoadAIK(&dev, &aik, alg, &storage,
        (const byte*)gUsageAuth, sizeof(gUsageAuth)-1);
    if (rc != TPM_RC_SUCCESS) {
        printf("wolfTPM2_CreateAndLoadAIK failed 0x%x: %s\n", rc,
@ -144,12 +151,12 @@ int TPM2_Quote_Test(void* userCtx, int argc, char *argv[])
        goto exit;
    }
    printf("wolfTPM2_CreateAndLoadAIK: AIK 0x%x (%d bytes)\n",
-        (word32)rsaKey.handle.hndl, rsaKey.pub.size);
+        (word32)aik.handle.hndl, aik.pub.size);
-    if (useParamEnc) {
+    if (paramEncAlg != TPM_ALG_NULL) {
-        /* Start an authenticated session (salted / unbound with AES CFB parameter encryption) */
+        /* Start an authenticated session (salted / unbound) with parameter encryption */
        rc = wolfTPM2_StartSession(&dev, &tpmSession, &storage, NULL,
-            TPM_SE_POLICY, TPM_ALG_CFB);
+            TPM_SE_HMAC, paramEncAlg);
        if (rc != 0) goto exit;
        printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
            (word32)tpmSession.handle.hndl);
@ -161,14 +168,14 @@ int TPM2_Quote_Test(void* userCtx, int argc, char *argv[])
    }
    /* set auth for using the AIK */
-    wolfTPM2_SetAuthHandle(&dev, 0, &rsaKey.handle);
+    wolfTPM2_SetAuthHandle(&dev, 0, &aik.handle);
    /* Prepare Quote request */
    XMEMSET(&cmdIn.quoteAsk, 0, sizeof(cmdIn.quoteAsk));
    XMEMSET(&cmdOut.quoteResult, 0, sizeof(cmdOut.quoteResult));
-    cmdIn.quoteAsk.signHandle = rsaKey.handle.hndl;
+    cmdIn.quoteAsk.signHandle = aik.handle.hndl;
-    cmdIn.quoteAsk.inScheme.scheme = TPM_ALG_RSASSA;
+    cmdIn.quoteAsk.inScheme.scheme = alg == TPM_ALG_RSA ? TPM_ALG_RSASSA : TPM_ALG_ECDSA;
-    cmdIn.quoteAsk.inScheme.details.rsassa.hashAlg = TPM_ALG_SHA256;
+    cmdIn.quoteAsk.inScheme.details.any.hashAlg = TPM_ALG_SHA256;
    cmdIn.quoteAsk.qualifyingData.size = 0; /* optional */
    /* Choose PCR for signing */
    TPM2_SetupPCRSel(&cmdIn.quoteAsk.PCRselect, TPM_ALG_SHA256, pcrIndex);
@ -223,7 +230,7 @@ int TPM2_Quote_Test(void* userCtx, int argc, char *argv[])
 exit:
    /* Close key handles */
-    wolfTPM2_UnloadHandle(&dev, &rsaKey.handle);
+    wolfTPM2_UnloadHandle(&dev, &aik.handle);
    wolfTPM2_UnloadHandle(&dev, &storage.handle);
    wolfTPM2_UnloadHandle(&dev, &endorse.handle);
    wolfTPM2_UnloadHandle(&dev, &tpmSession.handle);
--- a/examples/pkcs7/pkcs7.c
+++ b/examples/pkcs7/pkcs7.c
@ -292,8 +292,11 @@ exit:
    return rc;
 }
-
+int TPM2_PKCS7_Example(void* userCtx)
-int TPM2_PKCS7_Example(void* userCtx, int argc, char *argv[])
+{
    return TPM2_PKCS7_ExampleArgs(userCtx, 0, NULL);
 }
 int TPM2_PKCS7_ExampleArgs(void* userCtx, int argc, char *argv[])
 {
    int rc;
    WOLFTPM2_DEV dev;
@ -409,7 +412,7 @@ int main(int argc, char *argv[])
 #if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \
    defined(HAVE_PKCS7) && \
    (defined(WOLF_CRYPTO_DEV) || defined(WOLF_CRYPTO_CB))
-    rc = TPM2_PKCS7_Example(NULL, argc, argv);
+    rc = TPM2_PKCS7_ExampleArgs(NULL, argc, argv);
 #else
    (void)argc;
    (void)argv;
--- a/examples/pkcs7/pkcs7.h
+++ b/examples/pkcs7/pkcs7.h
@ -26,7 +26,8 @@
    extern "C" {
 #endif
-int TPM2_PKCS7_Example(void* userCtx, int argc, char *argv[]);
+int TPM2_PKCS7_Example(void* userCtx);
 int TPM2_PKCS7_ExampleArgs(void* userCtx, int argc, char *argv[]);
 #ifdef __cplusplus
    }  /* extern "C" */
--- a/examples/timestamp/clock_set.c
+++ b/examples/timestamp/clock_set.c
@ -39,7 +39,7 @@
 static void usage(void)
 {
    printf("Expected usage:\n");
-    printf("./examples/clock/clockSet [time]\n");
+    printf("./examples/clock/clock_set [time]\n");
    printf("* time is a value in miliseconds used as increment (optional)\n");
    printf("* Default time value is 50000 ms (50 seconds)\n");
    printf("\tThe TPM clock can be set only forward.\n");
--- a/examples/timestamp/include.am
+++ b/examples/timestamp/include.am
@ -5,7 +5,8 @@ if BUILD_EXAMPLES
 noinst_PROGRAMS += examples/timestamp/signed_timestamp
 noinst_HEADERS  += examples/timestamp/signed_timestamp.h
 examples_timestamp_signed_timestamp_SOURCES      = examples/timestamp/signed_timestamp.c \
-                                                   examples/tpm_io.c
+                                                   examples/tpm_io.c \
                                                   examples/tpm_test_keys.c
 examples_timestamp_signed_timestamp_LDADD        = src/libwolftpm.la $(LIB_STATIC_ADD)
 examples_timestamp_signed_timestamp_DEPENDENCIES = src/libwolftpm.la
 endif
--- a/examples/timestamp/signed_timestamp.c
+++ b/examples/timestamp/signed_timestamp.c
@ -29,6 +29,7 @@
 #include <examples/tpm_io.h>
 #include <examples/tpm_test.h>
 #include <examples/tpm_test_keys.h>
 #include "signed_timestamp.h"
 #include <stdio.h>
@ -38,48 +39,72 @@
 /* --- BEGIN TPM Timestamp Test -- */
 /******************************************************************************/
-int TPM2_Timestamp_Test(void* userCtx, int argc, char *argv[])
+static void usage(void)
 {
    printf("Expected usage:\n");
    printf("./examples/timestamp/signed_timestamp [-ecc] [-aes/xor]\n");
    printf("* -ecc: Use RSA or ECC for EK/AIK\n");
    printf("* -aes/xor: Use Parameter Encryption\n");
 }
 int TPM2_Timestamp_Test(void* userCtx)
 {
    return TPM2_Timestamp_TestArgs(userCtx, 0, NULL);
 }
 int TPM2_Timestamp_TestArgs(void* userCtx, int argc, char *argv[])
 {
    int rc;
    WOLFTPM2_DEV dev;
    TPMS_ATTEST attestedData;
 #ifdef WOLFTPM_WINAPI
    int tryNVkey = 0;
 #else
    int tryNVkey = 1;
 #endif
    union {
        /* For managing TPM session */
        StartAuthSession_In authSes;
        PolicySecret_In policySecret;
        /* For removing keys after use */
        FlushContext_In flushCtx;
        byte maxInput[MAX_COMMAND_SIZE];
    } cmdIn;
    union {
        ReadClock_Out readClock;
        GetTime_Out getTime;
        /* Output from session operations */
        StartAuthSession_Out authSes;
        PolicySecret_Out policySecret;
        byte maxOutput[MAX_RESPONSE_SIZE];
    } cmdOut;
    TPM_HANDLE sessionHandle = TPM_RH_NULL;
    WOLFTPM2_KEY endorse; /* EK  */
    WOLFTPM2_KEY storage; /* SRK */
-    WOLFTPM2_KEY rsaKey;  /* AIK */
+    WOLFTPM2_KEY aik;  /* AIK */
-
+    TPMI_ALG_PUBLIC alg = TPM_ALG_RSA; /* TPM_ALG_ECC */
-    (void)argc;
+    TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
-    (void)argv;
+    WOLFTPM2_SESSION tpmSession;
    TPMA_SESSION sessionAttributes;
    XMEMSET(&endorse, 0, sizeof(endorse));
    XMEMSET(&storage, 0, sizeof(storage));
-    XMEMSET(&rsaKey, 0, sizeof(rsaKey));
+    XMEMSET(&aik, 0, sizeof(aik));
    XMEMSET(&tpmSession, 0, sizeof(tpmSession));
    if (argc >= 2) {
        if (XSTRNCMP(argv[1], "-?", 2) == 0 ||
            XSTRNCMP(argv[1], "-h", 2) == 0 ||
            XSTRNCMP(argv[1], "--help", 6) == 0) {
            usage();
            return 0;
        }
    }
    while (argc > 1) {
        if (XSTRNCMP(argv[argc-1], "-ecc", 4) == 0) {
            alg = TPM_ALG_ECC;
        }
        if (XSTRNCMP(argv[argc-1], "-aes", 4) == 0) {
            paramEncAlg = TPM_ALG_CFB;
        }
        if (XSTRNCMP(argv[argc-1], "-xor", 4) == 0) {
            paramEncAlg = TPM_ALG_XOR;
        }
        argc--;
    }
    printf("TPM2 Demo of generating signed timestamp from the TPM\n");
    printf("\tUse %s SRK/AIK\n", TPM2_GetAlgName(alg));
    printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));
    rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
    if (rc != TPM_RC_SUCCESS) {
        printf("wolfTPM2_Init failed 0x%x: %s\n", rc, TPM2_GetRCString(rc));
@ -99,7 +124,7 @@ int TPM2_Timestamp_Test(void* userCtx, int argc, char *argv[])
    /* Create Endorsement Key, also called EK */
-    rc = wolfTPM2_CreateEK(&dev, &endorse, TPM_ALG_RSA);
+    rc = wolfTPM2_CreateEK(&dev, &endorse, alg);
    if (rc != TPM_RC_SUCCESS) {
        printf("wolfTPM2_CreateEK: Endorsement failed 0x%x: %s\n",
            rc, TPM2_GetRCString(rc));
@ -109,45 +134,8 @@ int TPM2_Timestamp_Test(void* userCtx, int argc, char *argv[])
        (word32)endorse.handle.hndl, endorse.pub.size);
-    /* Create RSA Storage Key, also called SRK */
+    /* Create Storage Key, also called SRK */
-    /* See if SRK already exists */
+    rc = getPrimaryStoragekey(&dev, &storage, alg);
    if (tryNVkey) {
        rc = wolfTPM2_ReadPublicKey(&dev, &storage, TPM2_DEMO_STORAGE_KEY_HANDLE);
 #ifdef TEST_WRAP_DELETE_KEY
        if (rc == 0) {
            storage.handle.hndl = TPM2_DEMO_STORAGE_KEY_HANDLE;
            rc = wolfTPM2_NVDeleteKey(&dev, TPM_RH_OWNER, &storage);
            if (rc != 0) goto exit;
            rc = TPM_RC_HANDLE; /* mark handle as missing */
        }
 #endif
    }
    if (!tryNVkey || (tryNVkey && rc != 0)) {
        /* Create primary storage key (RSA) */
        rc = wolfTPM2_CreateSRK(&dev, &storage, TPM_ALG_RSA,
            (byte*)gStorageKeyAuth, sizeof(gStorageKeyAuth)-1);
        if (rc != 0) goto exit;
        if (tryNVkey) {
            /* Move storage key into persistent NV */
            rc = wolfTPM2_NVStoreKey(&dev, TPM_RH_OWNER, &storage,
                TPM2_DEMO_STORAGE_KEY_HANDLE);
            if (rc != 0) {
                wolfTPM2_UnloadHandle(&dev, &storage.handle);
                goto exit;
            }
        }
        printf("Created new RSA Primary Storage Key at 0x%x\n",
               storage.handle.hndl);
    }
    else {
        /* specify auth password for storage key */
        storage.handle.auth.size = sizeof(gStorageKeyAuth)-1;
        XMEMCPY(storage.handle.auth.buffer, gStorageKeyAuth,
            storage.handle.auth.size);
    }
    if (rc != TPM_RC_SUCCESS) {
        printf("wolfTPM2_CreateSRK: Storage failed 0x%x: %s\n", rc,
            TPM2_GetRCString(rc));
@ -156,36 +144,21 @@ int TPM2_Timestamp_Test(void* userCtx, int argc, char *argv[])
    printf("wolfTPM2_CreateSRK: Storage 0x%x (%d bytes)\n",
        (word32)storage.handle.hndl, storage.pub.size);
    /* Start an authenticated session (salted / unbound) */
    rc = wolfTPM2_StartSession(&dev, &tpmSession, NULL, NULL,
        TPM_SE_POLICY, paramEncAlg);
    if (rc != 0) goto exit;
    printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
        (word32)tpmSession.handle.hndl);
-    /* Start Auth Session */
+    /* Set the endorsement password (blank) */
-    XMEMSET(&cmdIn.authSes, 0, sizeof(cmdIn.authSes));
+    rc = wolfTPM2_SetAuthPassword(&dev, 0, NULL);
-    cmdIn.authSes.sessionType = TPM_SE_POLICY;
+    if (rc != 0) goto exit;
    cmdIn.authSes.tpmKey = TPM_RH_NULL;
    cmdIn.authSes.bind = TPM_RH_NULL;
    cmdIn.authSes.symmetric.algorithm = TPM_ALG_NULL;
    cmdIn.authSes.authHash = TPM_ALG_SHA256;
    cmdIn.authSes.nonceCaller.size = TPM_SHA256_DIGEST_SIZE;
    rc = TPM2_GetNonce(cmdIn.authSes.nonceCaller.buffer,
                       cmdIn.authSes.nonceCaller.size);
    if (rc < 0) {
        printf("TPM2_GetNonce failed 0x%x: %s\n", rc,
            TPM2_GetRCString(rc));
        goto exit;
    }
    rc = TPM2_StartAuthSession(&cmdIn.authSes, &cmdOut.authSes);
    if (rc != TPM_RC_SUCCESS) {
        printf("TPM2_StartAuthSession failed 0x%x: %s\n", rc,
            TPM2_GetRCString(rc));
        goto exit;
    }
    sessionHandle = cmdOut.authSes.sessionHandle;
    printf("TPM2_StartAuthSession: sessionHandle 0x%x\n", (word32)sessionHandle);
    /* Set PolicySecret for our session to enable use of the Endorsement Hierarchy */
    XMEMSET(&cmdIn.policySecret, 0, sizeof(cmdIn.policySecret));
    cmdIn.policySecret.authHandle = TPM_RH_ENDORSEMENT;
-    cmdIn.policySecret.policySession = sessionHandle;
+    cmdIn.policySecret.policySession = tpmSession.handle.hndl;
    rc = TPM2_PolicySecret(&cmdIn.policySecret, &cmdOut.policySecret);
    if (rc != TPM_RC_SUCCESS) {
        printf("policySecret failed 0x%x: %s\n", rc, TPM2_GetRCString(rc));
@ -193,14 +166,13 @@ int TPM2_Timestamp_Test(void* userCtx, int argc, char *argv[])
    }
    printf("TPM2_policySecret success\n"); /* No use of the output */
    /* At this stage, the EK is created and NULL password has already been set
     * The EH is enabled through policySecret over the active TPM session and
     * the creation of Attestation Identity Key (AIK) under the EH can take place.
     */
-    /* Create an Attestation RSA key (AIK) */
+    /* Create an Attestation key (AIK) */
-    rc = wolfTPM2_CreateAndLoadAIK(&dev, &rsaKey, TPM_ALG_RSA, &storage,
+    rc = wolfTPM2_CreateAndLoadAIK(&dev, &aik, alg, &storage,
        (const byte*)gAiKeyAuth, sizeof(gAiKeyAuth)-1);
    if (rc != TPM_RC_SUCCESS) {
        printf("wolfTPM2_CreateAndLoadAIK failed 0x%x: %s\n", rc,
@ -208,14 +180,27 @@ int TPM2_Timestamp_Test(void* userCtx, int argc, char *argv[])
        goto exit;
    }
    printf("wolfTPM2_CreateAndLoadAIK: AIK 0x%x (%d bytes)\n",
-        (word32)rsaKey.handle.hndl, rsaKey.pub.size);
+        (word32)aik.handle.hndl, aik.pub.size);
    /* set NULL password auth for using EK */
    wolfTPM2_SetAuthPassword(&dev, 0, NULL);
    /* set auth for using the AIK */
-    wolfTPM2_SetAuthHandle(&dev, 1, &rsaKey.handle);
+    wolfTPM2_SetAuthHandle(&dev, 1, &aik.handle);
    /* set session for authorization of the storage key */
    sessionAttributes = TPMA_SESSION_continueSession;
    if (paramEncAlg != TPM_ALG_NULL) {
        sessionAttributes |= (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt);
    }
 #if 0
    /* TODO: Investigate param enc with signed timestamp */
    rc = wolfTPM2_SetAuthSession(&dev, 2, &tpmSession, sessionAttributes);
    if (rc != 0) goto exit;
 #else
    (void)sessionAttributes;
 #endif
    /* At this stage: The EK is created, AIK is created and loaded,
     * Endorsement Hierarchy is enabled through policySecret,
@ -224,7 +209,7 @@ int TPM2_Timestamp_Test(void* userCtx, int argc, char *argv[])
     */
    /* Get signed by the TPM timestamp using the AIK key */
-    rc = wolfTPM2_GetTime(&rsaKey, &cmdOut.getTime);
+    rc = wolfTPM2_GetTime(&aik, &cmdOut.getTime);
    if (rc != TPM_RC_SUCCESS) {
        printf("wolfTPM2_GetTime failed 0x%x: %s\n", rc,
            TPM2_GetRCString(rc));
@ -269,19 +254,9 @@ exit:
        printf("Failure 0x%x: %s\n", rc, wolfTPM2_GetRCString(rc));
    }
-    /* Close session */
+    wolfTPM2_UnloadHandle(&dev, &aik.handle);
    if (sessionHandle != TPM_RH_NULL) {
        cmdIn.flushCtx.flushHandle = sessionHandle;
        TPM2_FlushContext(&cmdIn.flushCtx);
    }
    /* Close key handles */
    if (!tryNVkey) {
        wolfTPM2_UnloadHandle(&dev, &storage.handle);
    }
    wolfTPM2_UnloadHandle(&dev, &rsaKey.handle);
    wolfTPM2_UnloadHandle(&dev, &endorse.handle);
    wolfTPM2_UnloadHandle(&dev, &tpmSession.handle);
    wolfTPM2_Cleanup(&dev);
    return rc;
@ -300,7 +275,7 @@ int main(int argc, char *argv[])
    int rc = -1;
 #ifndef WOLFTPM2_NO_WRAPPER
-    rc = TPM2_Timestamp_Test(NULL, argc, argv);
+    rc = TPM2_Timestamp_TestArgs(NULL, argc, argv);
 #else
    printf("Wrapper code not compiled in\n");
 #endif /* !WOLFTPM2_NO_WRAPPER */
--- a/examples/timestamp/signed_timestamp.h
+++ b/examples/timestamp/signed_timestamp.h
@ -26,7 +26,8 @@
    extern "C" {
 #endif
-int TPM2_Timestamp_Test(void* userCtx, int argc, char *argv[]);
+int TPM2_Timestamp_Test(void* userCtx);
 int TPM2_Timestamp_TestArgs(void* userCtx, int argc, char *argv[]);
 #ifdef __cplusplus
    }  /* extern "C" */
--- a/examples/tls/tls_client.c
+++ b/examples/tls/tls_client.c
@ -77,7 +77,20 @@
 /******************************************************************************/
 /* --- BEGIN TPM TLS Client Example -- */
 /******************************************************************************/
-int TPM2_TLS_Client(void* userCtx, int argc, char *argv[])
+static void usage(void)
 {
    printf("Expected usage:\n");
    printf("./examples/tls/tls_client [-ecc] [-aes/xor]\n");
    printf("* -ecc: Use RSA or ECC key\n");
    printf("* -aes/xor: Use Parameter Encryption\n");
 }
 int TPM2_TLS_Client(void* userCtx)
 {
    return TPM2_TLS_ClientArgs(userCtx, 0, NULL);
 }
 int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[])
 {
    int rc;
    WOLFTPM2_DEV dev;
@ -108,18 +121,46 @@ int TPM2_TLS_Client(void* userCtx, int argc, char *argv[])
    int i;
 #endif
    int useECC = 0;
    TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
    WOLFTPM2_SESSION tpmSession;
    /* initialize variables */
    XMEMSET(&storageKey, 0, sizeof(storageKey));
    XMEMSET(&sockIoCtx, 0, sizeof(sockIoCtx));
    sockIoCtx.fd = -1;
    XMEMSET(&tpmCtx, 0, sizeof(tpmCtx));
 #ifndef NO_RSA
    XMEMSET(&wolfRsaKey, 0, sizeof(wolfRsaKey));
 #endif
 #ifdef HAVE_ECC
    XMEMSET(&wolfEccKey, 0, sizeof(wolfEccKey));
 #endif
    XMEMSET(&tpmSession, 0, sizeof(tpmSession));
-    printf("TPM2 TLS Client Example\n");
+    if (argc >= 2) {
-
+        if (XSTRNCMP(argv[1], "-?", 2) == 0 ||
-    if (argc > 1) {
+            XSTRNCMP(argv[1], "-h", 2) == 0 ||
-        if (XSTRNCMP(argv[1], "ECC", 3) == 0) {
+            XSTRNCMP(argv[1], "--help", 6) == 0) {
-            useECC = 1;
+            usage();
            return 0;
        }
    }
    while (argc > 1) {
        if (XSTRNCMP(argv[argc-1], "-ecc", 4) == 0) {
            useECC = 1;
        }
        if (XSTRNCMP(argv[argc-1], "-aes", 4) == 0) {
            paramEncAlg = TPM_ALG_CFB;
        }
        if (XSTRNCMP(argv[argc-1], "-xor", 4) == 0) {
            paramEncAlg = TPM_ALG_XOR;
        }
        argc--;
    }
    printf("TPM2 TLS Client Example\n");
    printf("\tUse %s keys\n", useECC ? "ECC" : "RSA");
    printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));
    /* Init the TPM2 device */
    rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
@ -129,13 +170,10 @@ int TPM2_TLS_Client(void* userCtx, int argc, char *argv[])
    }
    /* Setup the wolf crypto device callback */
    XMEMSET(&tpmCtx, 0, sizeof(tpmCtx));
 #ifndef NO_RSA
    XMEMSET(&wolfRsaKey, 0, sizeof(wolfRsaKey));
    tpmCtx.rsaKey = &rsaKey;
 #endif
 #ifdef HAVE_ECC
    XMEMSET(&wolfEccKey, 0, sizeof(wolfEccKey));
    tpmCtx.eccKey = &eccKey;
 #endif
    tpmCtx.checkKeyCb = myTpmCheckKey; /* detects if using "dummy" key */
@ -149,6 +187,20 @@ int TPM2_TLS_Client(void* userCtx, int argc, char *argv[])
    rc = getPrimaryStoragekey(&dev, &storageKey, TPM_ALG_RSA);
    if (rc != 0) goto exit;
    /* Start an authenticated session (salted / unbound) with parameter encryption */
    if (paramEncAlg != TPM_ALG_NULL) {
        rc = wolfTPM2_StartSession(&dev, &tpmSession, &storageKey, NULL,
            TPM_SE_HMAC, paramEncAlg);
        if (rc != 0) goto exit;
        printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
            (word32)tpmSession.handle.hndl);
        /* set session for authorization of the storage key */
        rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession, 
            (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession));
        if (rc != 0) goto exit;
    }
 #ifndef NO_RSA
    if (!useECC) {
        /* Create/Load RSA key for TLS authentication */
@ -497,7 +549,7 @@ int main(int argc, char* argv[])
 #if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \
    !defined(NO_WOLFSSL_CLIENT) && \
    (defined(WOLF_CRYPTO_DEV) || defined(WOLF_CRYPTO_CB))
-    rc = TPM2_TLS_Client(NULL, argc, argv);
+    rc = TPM2_TLS_ClientArgs(NULL, argc, argv);
 #else
    (void)argc;
    (void)argv;
--- a/examples/tls/tls_client.h
+++ b/examples/tls/tls_client.h
@ -26,8 +26,10 @@
    extern "C" {
 #endif
-int TPM2_TLS_Client(void* userCtx, int argc, char *argv[]);
+int TPM2_TLS_Client(void* userCtx);
-int TLS_Client(int argc, char *argv[]);
+int TPM2_TLS_ClientArgs(void* userCtx, int argc, char *argv[]);
 int TLS_Client(void);
 int TLS_ClientArgs(int argc, char *argv[]);
 #ifdef __cplusplus
    }  /* extern "C" */
--- a/examples/tls/tls_client_notpm.c
+++ b/examples/tls/tls_client_notpm.c
@ -62,7 +62,11 @@
 /******************************************************************************/
 /* --- BEGIN TLS Client Example -- */
 /******************************************************************************/
-int TLS_Client(int argc, char *argv[])
+int TLS_Client(void)
 {
    return TLS_ClientArgs(0, NULL);
 }
 int TLS_ClientArgs(int argc, char *argv[])
 {
    int rc = 0;
    SockIoCbCtx sockIoCtx;
@ -302,7 +306,7 @@ int main(int argc, char *argv[])
 #if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \
    !defined(NO_WOLFSSL_CLIENT)
-    rc = TLS_Client(argc, argv);
+    rc = TLS_ClientArgs(argc, argv);
 #else
    printf("WolfSSL Client code not compiled in\n");
    (void)argc;
--- a/examples/tls/tls_common.h
+++ b/examples/tls/tls_common.h
@ -60,7 +60,7 @@
 /* force use of a TLS cipher suite */
 #if 0
    #ifndef TLS_CIPHER_SUITE
-        #define TLS_CIPHER_SUITE "ECDHE-RSA-AES128-SHA256"
+        #define TLS_CIPHER_SUITE "ECDHE-rsa-AES128-SHA256"
    #endif
 #endif
--- a/examples/tls/tls_server.c
+++ b/examples/tls/tls_server.c
@ -74,7 +74,19 @@
 /******************************************************************************/
 /* --- BEGIN TLS SERVER Example -- */
 /******************************************************************************/
-int TPM2_TLS_Server(void* userCtx, int argc, char *argv[])
+static void usage(void)
 {
    printf("Expected usage:\n");
    printf("./examples/tls/tls_server [-ecc] [-aes/xor]\n");
    printf("* -ecc: Use RSA or ECC key\n");
    printf("* -aes/xor: Use Parameter Encryption\n");
 }
 int TPM2_TLS_Server(void* userCtx)
 {
    return TPM2_TLS_ServerArgs(userCtx, 0, NULL);
 }
 int TPM2_TLS_ServerArgs(void* userCtx, int argc, char *argv[])
 {
    int rc;
    WOLFTPM2_DEV dev;
@ -116,18 +128,46 @@ int TPM2_TLS_Server(void* userCtx, int argc, char *argv[])
    int total_size;
 #endif
    int useECC = 0;
    TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
    WOLFTPM2_SESSION tpmSession;
    /* initialize variables */
    XMEMSET(&storageKey, 0, sizeof(storageKey));
    XMEMSET(&sockIoCtx, 0, sizeof(sockIoCtx));
    sockIoCtx.fd = -1;
    XMEMSET(&tpmCtx, 0, sizeof(tpmCtx));
 #ifndef NO_RSA
    XMEMSET(&wolfRsaKey, 0, sizeof(wolfRsaKey));
 #endif
 #ifdef HAVE_ECC
    XMEMSET(&wolfEccKey, 0, sizeof(wolfEccKey));
 #endif
    XMEMSET(&tpmSession, 0, sizeof(tpmSession));
-    printf("TPM2 TLS Server Example\n");
+    if (argc >= 2) {
-
+        if (XSTRNCMP(argv[1], "-?", 2) == 0 ||
-    if (argc > 1) {
+            XSTRNCMP(argv[1], "-h", 2) == 0 ||
-        if (XSTRNCMP(argv[1], "ECC", 3) == 0) {
+            XSTRNCMP(argv[1], "--help", 6) == 0) {
-            useECC = 1;
+            usage();
            return 0;
        }
    }
    while (argc > 1) {
        if (XSTRNCMP(argv[argc-1], "-ecc", 4) == 0) {
            useECC = 1;
        }
        if (XSTRNCMP(argv[argc-1], "-aes", 4) == 0) {
            paramEncAlg = TPM_ALG_CFB;
        }
        if (XSTRNCMP(argv[argc-1], "-xor", 4) == 0) {
            paramEncAlg = TPM_ALG_XOR;
        }
        argc--;
    }
    printf("TPM2 TLS Server Example\n");
    printf("\tUse %s keys\n", useECC ? "ECC" : "RSA");
    printf("\tUse Parameter Encryption: %s\n", TPM2_GetAlgName(paramEncAlg));
    /* Init the TPM2 device */
    rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
@ -137,13 +177,10 @@ int TPM2_TLS_Server(void* userCtx, int argc, char *argv[])
    }
    /* Setup the wolf crypto device callback */
    XMEMSET(&tpmCtx, 0, sizeof(tpmCtx));
 #ifndef NO_RSA
    XMEMSET(&wolfRsaKey, 0, sizeof(wolfRsaKey));
    tpmCtx.rsaKey = &rsaKey;
 #endif
 #ifdef HAVE_ECC
    XMEMSET(&wolfEccKey, 0, sizeof(wolfEccKey));
    tpmCtx.eccKey = &eccKey;
 #endif
    tpmCtx.checkKeyCb = myTpmCheckKey; /* detects if using "dummy" key */
@ -158,6 +195,20 @@ int TPM2_TLS_Server(void* userCtx, int argc, char *argv[])
    rc = getPrimaryStoragekey(&dev, &storageKey, TPM_ALG_RSA);
    if (rc != 0) goto exit;
    /* Start an authenticated session (salted / unbound) with parameter encryption */
    if (paramEncAlg != TPM_ALG_NULL) {
        rc = wolfTPM2_StartSession(&dev, &tpmSession, &storageKey, NULL,
            TPM_SE_HMAC, paramEncAlg);
        if (rc != 0) goto exit;
        printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
            (word32)tpmSession.handle.hndl);
        /* set session for authorization of the storage key */
        rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession, 
            (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession));
        if (rc != 0) goto exit;
    }    
 #ifndef NO_RSA
    if (!useECC) {
        /* Create/Load RSA key for TLS authentication */
@ -323,7 +374,7 @@ int TPM2_TLS_Server(void* userCtx, int argc, char *argv[])
 #if 0
    /* Optionally choose the cipher suite */
-    rc = wolfSSL_CTX_set_cipher_list(ctx, "ECDHE-RSA-AES128-GCM-SHA256");
+    rc = wolfSSL_CTX_set_cipher_list(ctx, "ECDHE-rsa-AES128-GCM-SHA256");
    if (rc != WOLFSSL_SUCCESS) {
        goto exit;
    }
@ -466,7 +517,7 @@ int main(int argc, char* argv[])
 #if !defined(WOLFTPM2_NO_WRAPPER) && !defined(WOLFTPM2_NO_WOLFCRYPT) && \
    !defined(NO_WOLFSSL_SERVER) && \
    (defined(WOLF_CRYPTO_DEV) || defined(WOLF_CRYPTO_CB))
-    rc = TPM2_TLS_Server(NULL, argc, argv);
+    rc = TPM2_TLS_ServerArgs(NULL, argc, argv);
 #else
    (void)argc;
    (void)argv;
--- a/examples/tls/tls_server.h
+++ b/examples/tls/tls_server.h
@ -26,7 +26,8 @@
    extern "C" {
 #endif
-int TPM2_TLS_Server(void* userCtx, int argc, char* argv[]);
+int TPM2_TLS_Server(void* userCtx);
 int TPM2_TLS_ServerArgs(void* userCtx, int argc, char* argv[]);
 #ifdef __cplusplus
    }  /* extern "C" */
--- a/examples/tpm_test_keys.c
+++ b/examples/tpm_test_keys.c
@ -104,8 +104,8 @@ static int readKeyBlob(const char* filename, WOLFTPM2_KEYBLOB* key)
        rc = BUFFER_E;
        printf("File %s not found!\n", filename);
        printf("Keys can be generated by running:\n"
-               "  ./examples/keygen/keygen rsa_test_blob.raw -RSA -T\n"
+               "  ./examples/keygen/keygen rsa_test_blob.raw -rsa -t\n"
-               "  ./examples/keygen/keygen ecc_test_blob.raw -ECC -T\n");
+               "  ./examples/keygen/keygen ecc_test_blob.raw -ecc -t\n");
    }
 exit:
--- a/examples/wrap/wrap_test.c
+++ b/examples/wrap/wrap_test.c
@ -49,7 +49,19 @@ void TPM2_Wrapper_SetReset(int reset)
    resetTPM = reset;
 }
-int TPM2_Wrapper_Test(void* userCtx, int argc, char *argv[])
+static void usage(void)
 {
    printf("Expected Usage:\n");
    printf("./examples/wrap/wrap_test [-aes/xor]\n");
    printf("* -aes/xor: Use Parameter Encryption\n");
 }
 int TPM2_Wrapper_Test(void* userCtx)
 {
    return TPM2_Wrapper_TestArgs(userCtx, 0, NULL);
 }
 int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[])
 {
    int rc, i;
    WOLFTPM2_DEV dev;
@ -105,6 +117,8 @@ int TPM2_Wrapper_Test(void* userCtx, int argc, char *argv[])
    ecc_key wolfEccPubKey;
    ecc_key wolfEccPrivKey;
 #endif
    TPM_ALG_ID paramEncAlg = TPM_ALG_NULL;
    WOLFTPM2_SESSION tpmSession;
 #ifndef NO_RSA
    XMEMSET(&wolfRsaPubKey, 0, sizeof(wolfRsaPubKey));
@ -114,13 +128,30 @@ int TPM2_Wrapper_Test(void* userCtx, int argc, char *argv[])
    XMEMSET(&wolfEccPubKey, 0, sizeof(wolfEccPubKey));
    XMEMSET(&wolfEccPrivKey, 0, sizeof(wolfEccPrivKey));
 #endif
    XMEMSET(&tpmSession, 0, sizeof(tpmSession));
 #endif /* !WOLFTPM2_NO_WOLFCRYPT */
-    (void)argc;
+    if (argc >= 2) {
-    (void)argv;
+        if (XSTRNCMP(argv[1], "-?", 2) == 0 ||
            XSTRNCMP(argv[1], "-h", 2) == 0 ||
            XSTRNCMP(argv[1], "--help", 6) == 0) {
            usage();
            return 0;
        }
    }
    while (argc > 1) {
        if (XSTRNCMP(argv[argc-1], "-aes", 4) == 0) {
            paramEncAlg = TPM_ALG_CFB;
        }
        if (XSTRNCMP(argv[argc-1], "-xor", 4) == 0) {
            paramEncAlg = TPM_ALG_XOR;
        }
        argc--;
    }
    printf("TPM2 Demo for Wrapper API's\n");
    /* Init the TPM2 device */
    rc = wolfTPM2_Init(&dev, TPM2_IoCb, userCtx);
    if (rc != 0) return rc;
@ -205,6 +236,19 @@ int TPM2_Wrapper_Test(void* userCtx, int argc, char *argv[])
            storageKey.handle.auth.size);
    }
    /* Start an authenticated session (salted / unbound) with parameter encryption */
    if (paramEncAlg != TPM_ALG_NULL) {
        rc = wolfTPM2_StartSession(&dev, &tpmSession, &storageKey, NULL,
            TPM_SE_HMAC, paramEncAlg);
        if (rc != 0) goto exit;
        printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
            (word32)tpmSession.handle.hndl);
        /* set session for authorization of the storage key */
        rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession, 
            (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession));
        if (rc != 0) goto exit;
    }
    /* Create RSA key for sign/verify */
    rc = wolfTPM2_GetKeyTemplate_RSA(&publicTemplate,
@ -367,6 +411,9 @@ int TPM2_Wrapper_Test(void* userCtx, int argc, char *argv[])
    rc = wolfTPM2_UnloadHandle(&dev, &rsaKey.handle);
    if (rc != 0) goto exit;
    /* Close TPM session based on RSA storage key */
    wolfTPM2_UnloadHandle(&dev, &tpmSession.handle);
    /*------------------------------------------------------------------------*/
    /* ECC TESTS */
@ -413,6 +460,19 @@ int TPM2_Wrapper_Test(void* userCtx, int argc, char *argv[])
            storageKey.handle.auth.size);
    }
    /* Start an authenticated session (salted / unbound) with parameter encryption */
    if (paramEncAlg != TPM_ALG_NULL) {
        rc = wolfTPM2_StartSession(&dev, &tpmSession, &storageKey, NULL,
            TPM_SE_HMAC, paramEncAlg);
        if (rc != 0) goto exit;
        printf("TPM2_StartAuthSession: sessionHandle 0x%x\n",
            (word32)tpmSession.handle.hndl);
        /* set session for authorization of the storage key */
        rc = wolfTPM2_SetAuthSession(&dev, 1, &tpmSession, 
            (TPMA_SESSION_decrypt | TPMA_SESSION_encrypt | TPMA_SESSION_continueSession));
        if (rc != 0) goto exit;
    }
    /* Create an ECC key for ECDSA */
    rc = wolfTPM2_GetKeyTemplate_ECC(&publicTemplate,
@ -568,6 +628,9 @@ int TPM2_Wrapper_Test(void* userCtx, int argc, char *argv[])
    rc = wolfTPM2_UnloadHandle(&dev, &eccKey.handle);
    if (rc != 0) goto exit;
    /* Close TPM session based on ECC storage key */
    wolfTPM2_UnloadHandle(&dev, &tpmSession.handle);
    /*------------------------------------------------------------------------*/
    /* NV TESTS */
@ -866,7 +929,7 @@ int main(int argc, char *argv[])
    (void)argv;
 #ifndef WOLFTPM2_NO_WRAPPER
-    rc = TPM2_Wrapper_Test(NULL, argc, argv);
+    rc = TPM2_Wrapper_TestArgs(NULL, argc, argv);
 #else
    printf("Wrapper code not compiled in\n");
 #endif
--- a/examples/wrap/wrap_test.h
+++ b/examples/wrap/wrap_test.h
@ -27,7 +27,8 @@
 #endif
 void TPM2_Wrapper_SetReset(int reset);
-int TPM2_Wrapper_Test(void* userCtx, int argc, char *argv[]);
+int TPM2_Wrapper_Test(void* userCtx);
 int TPM2_Wrapper_TestArgs(void* userCtx, int argc, char *argv[]);
 #ifdef __cplusplus
    }  /* extern "C" */
--- a/scripts/tls_setup.sh
+++ b/scripts/tls_setup.sh
@ -3,8 +3,8 @@
 # Generate keyblobs and certs needed for TLS examples
 #
-./examples/keygen/keygen rsa_test_blob.raw -RSA -T
+./examples/keygen/keygen rsa_test_blob.raw -rsa -t
-./examples/keygen/keygen ecc_test_blob.raw -ECC -T
+./examples/keygen/keygen ecc_test_blob.raw -ecc -t
 ./examples/csr/csr
 ./certs/certreq.sh
--- a/src/tpm2.c
+++ b/src/tpm2.c
@ -88,191 +88,20 @@ static void TPM2_ReleaseLock(TPM2_CTX* ctx)
 /* Send Command Wrapper */
 typedef enum CmdFlags {
    CMD_FLAG_NONE = 0x00,
-    CMD_FLAG_ENC2 = 0x01, /* size of first command parameter */
+    CMD_FLAG_ENC2 = 0x01, /* 16-bit size of first command parameter */
-    CMD_FLAG_ENC4 = 0x02,
+    CMD_FLAG_ENC4 = 0x02, /* 32-bit size (not used) */
-    CMD_FLAG_DEC2 = 0x04, /* size of first response parameter */
+    CMD_FLAG_DEC2 = 0x04, /* 16-bit size of first response parameter */
-    CMD_FLAG_DEC4 = 0x08,
+    CMD_FLAG_DEC4 = 0x08, /* 32-bit size (not used) */
 } CmdFlags_t;
 /* Command Details */
 typedef struct {
-    int authCnt;
+    int authCnt;      /* number of authentication handles - determined at run-time */
-    int inHandleCnt;
+    int inHandleCnt;  /* number of input handles - fixed */
-    int outHandleCnt;
+    int outHandleCnt; /* number of output handles - fixed */
-    int flags;
+    int flags;        /* If command allows param enc or dec - fixed */
 } CmdInfo_t;
 #ifndef WOLFTPM2_NO_WOLFCRYPT
 /* Get name for object/handle */
 static int TPM2_GetName(TPM2_CTX* ctx, int handleCnt, int idx, TPM2B_NAME* name)
 {
    TPM2_AUTH_SESSION* session;
    XMEMSET(name, 0, sizeof(TPM2B_NAME));
    if (idx >= handleCnt)
        return TPM_RC_SUCCESS;
    session = &ctx->session[idx];
    if (session->name.size > 0) {
        name->size = session->name.size;
        XMEMCPY(name->name, session->name.name, name->size);
    }
    return TPM_RC_SUCCESS;
 }
 /* Compute the command parameter hash */
 /* TCG TPM 2.0 Part 1 - 18.7 Command Parameter Hash cpHash */
 static int TPM2_CalcCpHash(TPM2_CTX* ctx, CmdInfo_t* info,
    TPMI_ALG_HASH authHash, TPM_CC cmdCode, BYTE* param, UINT32 paramSz, 
    TPM2B_DIGEST* hash)
 {
    int rc;
    wc_HashAlg hash_ctx;
    enum wc_HashType hashType;
    TPM2B_NAME name1, name2, name3;
    rc =  TPM2_GetName(ctx, info->inHandleCnt, 0, &name1);
    rc |= TPM2_GetName(ctx, info->inHandleCnt, 1, &name2);
    rc |= TPM2_GetName(ctx, info->inHandleCnt, 2, &name3);
    if (rc != TPM_RC_SUCCESS)
        return BAD_FUNC_ARG;
    rc = TPM2_GetHashType(authHash);
    hashType = (enum wc_HashType)rc;
    rc = wc_HashGetDigestSize(hashType);
    if (rc < 0)
        return rc;
    hash->size = rc;
    /* Hash of data (name) goes into remainder */
    rc = wc_HashInit(&hash_ctx, hashType);
    if (rc == 0) {
        /* Hash Command Code */
        UINT32 ccSwap = TPM2_Packet_SwapU32(cmdCode);
        rc = wc_HashUpdate(&hash_ctx, hashType, (byte*)&ccSwap, sizeof(ccSwap));
        /* For Command's only hash each session name */
        if (rc == 0 && name1.size > 0)
            rc = wc_HashUpdate(&hash_ctx, hashType, name1.name, name1.size);
        if (rc == 0 && name2.size > 0)
            rc = wc_HashUpdate(&hash_ctx, hashType, name2.name, name2.size);
        if (rc == 0 && name3.size > 0)
            rc = wc_HashUpdate(&hash_ctx, hashType, name3.name, name3.size);
        /* Hash Remainder of parameters - after handles and auth */
        if (rc == 0)
            rc = wc_HashUpdate(&hash_ctx, hashType, param, paramSz);
        if (rc == 0)
            rc = wc_HashFinal(&hash_ctx, hashType, hash->buffer);
        wc_HashFree(&hash_ctx, hashType);
    }
    (void)ctx;
    return rc;
 }
 /* Compute the response parameter hash */
 /* TCG TPM 2.0 Part 1 - 18.8 Response Parameter Hash rpHash */
 static int TPM2_CalcRpHash(TPM2_CTX* ctx, TPMI_ALG_HASH authHash, 
    TPM_CC cmdCode, BYTE* param, UINT32 paramSz, TPM2B_DIGEST* hash)
 {
    int rc;
    wc_HashAlg hash_ctx;
    enum wc_HashType hashType;
    rc = TPM2_GetHashType(authHash);
    hashType = (enum wc_HashType)rc;
    rc = wc_HashGetDigestSize(hashType);
    if (rc < 0)
        return rc;
    hash->size = rc;
    /* Hash of data (name) goes into remainder */
    rc = wc_HashInit(&hash_ctx, hashType);
    if (rc == 0) {
        UINT32 ccSwap;
        /* Hash Response Code - HMAC only calculated with success - always 0 */
        ccSwap = 0;
        rc = wc_HashUpdate(&hash_ctx, hashType, (byte*)&ccSwap, sizeof(ccSwap));
        /* Hash Command Code */
        if (rc == 0) {
            ccSwap = TPM2_Packet_SwapU32(cmdCode);
            rc = wc_HashUpdate(&hash_ctx, hashType, (byte*)&ccSwap, sizeof(ccSwap));
        }
        /* Hash Remainder of parameters - after handles */
        if (rc == 0)
            rc = wc_HashUpdate(&hash_ctx, hashType, param, paramSz);
        if (rc == 0)
            rc = wc_HashFinal(&hash_ctx, hashType, hash->buffer);
        wc_HashFree(&hash_ctx, hashType);
    }
    (void)ctx;
    return rc;
 }
 /* Compute the HMAC using cpHash, nonces and session attributes */
 /* TCG TPM 2.0 Part 1 - 19.6.5 - HMAC Computation */
 static int TPM2_CalcHmac(TPM2_CTX* ctx, TPMI_ALG_HASH authHash, TPM2B_AUTH* auth, 
    const TPM2B_DIGEST* hash, const TPM2B_NONCE* nonceNew, 
    const TPM2B_NONCE* nonceOld, TPMA_SESSION sessionAttributes,
    TPM2B_AUTH* hmac)
 {
    int rc;
    Hmac hmac_ctx;
    enum wc_HashType hashType;
    /* use authHash for hmac hash algorithm */
    rc = TPM2_GetHashType(authHash);
    hashType = (enum wc_HashType)rc;
    hmac->size = TPM2_GetHashDigestSize(authHash);
    if (hmac->size <= 0)
        return BAD_FUNC_ARG;
    /* setup HMAC */
    rc = wc_HmacInit(&hmac_ctx, NULL, INVALID_DEVID);
    if (rc != 0)
        return rc;
    /* start HMAC - sessionKey || authValue */
    rc = wc_HmacSetKey(&hmac_ctx, hashType, auth->buffer, auth->size);
    /* pHash - hash of command code and parameters */
    if (rc == 0)
        rc = wc_HmacUpdate(&hmac_ctx, hash->buffer, hash->size);
    /* nonce new (on cmd caller, on resp tpm) */
    if (rc == 0)
        rc = wc_HmacUpdate(&hmac_ctx, nonceNew->buffer, nonceNew->size);
    /* nonce old (on cmd TPM, on resp caller) */
    if (rc == 0)
        rc = wc_HmacUpdate(&hmac_ctx, nonceOld->buffer, nonceOld->size);
    /* TODO: nonceTPMDecrypt */
    /* TODO: nonceTPMEncrypt */
    /* sessionAttributes */
    if (rc == 0)
        rc = wc_HmacUpdate(&hmac_ctx, &sessionAttributes, 1);
    /* finalize return into hmac buffer */
    if (rc == 0)
        rc = wc_HmacFinal(&hmac_ctx, hmac->buffer);
    wc_HmacFree(&hmac_ctx);
    (void)ctx;
    return rc;
 }
 #endif /* !WOLFTPM2_NO_WOLFCRYPT */
 static int TPM2_CommandProcess(TPM2_CTX* ctx, TPM2_Packet* packet,
    CmdInfo_t* info, TPM_CC cmdCode, UINT32 cmdSz)
 {
@ -330,9 +159,19 @@ static int TPM2_CommandProcess(TPM2_CTX* ctx, TPM2_Packet* packet,
        if (session->sessionHandle != TPM_RS_PW) {
        #ifndef WOLFTPM2_NO_WOLFCRYPT
            TPM2B_NAME name1, name2, name3;
            TPM2B_DIGEST hash;
        #endif
            /* if param enc is not supported for this command then clear flag */
            /* session attribute flags are from TPM perspective */
            if ((info->flags & (CMD_FLAG_ENC2 | CMD_FLAG_ENC4)) == 0) {
                authCmd.sessionAttributes &= ~TPMA_SESSION_decrypt;
            }
            if ((info->flags & (CMD_FLAG_DEC2 | CMD_FLAG_DEC4)) == 0) {
                authCmd.sessionAttributes &= ~TPMA_SESSION_encrypt;
            }
            /* Handle session request for encryption */
            if (encParam && session->sessionAttributes & TPMA_SESSION_decrypt) {
                /* Encrypt the first command parameter */
@ -346,9 +185,19 @@ static int TPM2_CommandProcess(TPM2_CTX* ctx, TPM2_Packet* packet,
            }
        #ifndef WOLFTPM2_NO_WOLFCRYPT
            rc =  TPM2_GetName(ctx, info->inHandleCnt, 0, &name1);
            rc |= TPM2_GetName(ctx, info->inHandleCnt, 1, &name2);
            rc |= TPM2_GetName(ctx, info->inHandleCnt, 2, &name3);
            if (rc != TPM_RC_SUCCESS) {
            #ifdef DEBUG_WOLFTPM
                printf("Error getting names for cpHash!\n");
            #endif
                return BAD_FUNC_ARG;
            }
            /* calculate "cpHash" hash for command code, names and parameters */
-            rc = TPM2_CalcCpHash(ctx, info, session->authHash, cmdCode, 
+            rc = TPM2_CalcCpHash(session->authHash, cmdCode, &name1, 
-                param, paramSz, &hash);
+                &name2, &name3, param, paramSz, &hash);
            if (rc != TPM_RC_SUCCESS) {
            #ifdef DEBUG_WOLFTPM
                printf("Error calculating cpHash!\n");
@ -357,7 +206,7 @@ static int TPM2_CommandProcess(TPM2_CTX* ctx, TPM2_Packet* packet,
            }
            /* Calculate HMAC for policy, hmac or salted sessions */
            /* this is done after encryption */
-            rc = TPM2_CalcHmac(ctx, session->authHash, &session->auth, &hash, 
+            rc = TPM2_CalcHmac(session->authHash, &session->auth, &hash, 
                &session->nonceCaller, &session->nonceTPM, 
                session->sessionAttributes, &authCmd.hmac);
            if (rc != TPM_RC_SUCCESS) {
@ -439,8 +288,8 @@ static int TPM2_ResponseProcess(TPM2_CTX* ctx, TPM2_Packet* packet,
                TPM2B_AUTH hmac;
                /* calculate "rpHash" hash for command code and parameters */
-                rc = TPM2_CalcRpHash(ctx, session->authHash, cmdCode, 
+                rc = TPM2_CalcRpHash(session->authHash, cmdCode, param, paramSz,
-                    param, paramSz, &hash);
+                    &hash);
                if (rc != TPM_RC_SUCCESS) {
                #ifdef DEBUG_WOLFTPM
                    printf("Error calculating rpHash!\n");
@ -449,7 +298,7 @@ static int TPM2_ResponseProcess(TPM2_CTX* ctx, TPM2_Packet* packet,
                }
                /* Calculate HMAC prior to decryption */
-                rc = TPM2_CalcHmac(ctx, session->authHash, &session->auth, &hash, 
+                rc = TPM2_CalcHmac(session->authHash, &session->auth, &hash, 
                    &session->nonceTPM, &session->nonceCaller, 
                    session->sessionAttributes, &hmac);
                if (rc != TPM_RC_SUCCESS) {
@ -570,8 +419,11 @@ static TPM_RC TPM2_SendCommand(TPM2_CTX* ctx, TPM2_Packet* packet)
 static TPM_ST TPM2_GetTag(TPM2_CTX* ctx)
 {
    TPM_ST st = TPM_ST_NO_SESSIONS;
-    if (ctx && ctx->session && TPM2_GetSessionAuthCount(ctx) > 0) {
+    if (ctx && ctx->session) {
-        st = TPM_ST_SESSIONS;
+        int authCount = TPM2_GetSessionAuthCount(ctx);
        if (authCount == 1 && ctx->session[0].sessionHandle != TPM_RS_PW) {
            st = TPM_ST_SESSIONS;
        }
    }
    return st;
 }
@ -594,6 +446,61 @@ static inline void TPM2_WolfCrypt_Init(void)
 /******************************************************************************/
 /* --- Public Functions -- */
 /******************************************************************************/
 TPM2_CTX* TPM2_GetActiveCtx(void)
 {
    return gActiveTPM;
 }
 void TPM2_SetActiveCtx(TPM2_CTX* ctx)
 {
    gActiveTPM = ctx;
 }
 TPM_RC TPM2_SetSessionAuth(TPM2_AUTH_SESSION* session)
 {
    TPM_RC rc;
    TPM2_CTX* ctx = TPM2_GetActiveCtx();
    if (ctx == NULL)
        return BAD_FUNC_ARG;
    rc = TPM2_AcquireLock(ctx);
    if (rc == TPM_RC_SUCCESS) {
        ctx->session = session;
        TPM2_ReleaseLock(ctx);
    }
    return rc;
 }
 /* Finds the number of active Auth Session in the given TPM2 context */
 int TPM2_GetSessionAuthCount(TPM2_CTX* ctx)
 {
    int sessionCount, sessionHandle;
    if (ctx == NULL || ctx->session == NULL)
        return BAD_FUNC_ARG;
    for (sessionCount = 0; sessionCount < MAX_SESSION_NUM; sessionCount++) {
        sessionHandle = ctx->session[sessionCount].sessionHandle;
        /* According to the TCG Spec, Part 1, Chapter 15.4
         * Session Handles have most significant octet at
         * 0x02 for HMAC sessions
         * 0x03 for Policy sessions
         * Password sessions use predefined value of TPM_RS_PW
         * Trial sessions are not of interest
         */
        if (sessionHandle != TPM_RS_PW) {
            /* Not a password session, mask the most significant octet(MSO) */
            sessionHandle &= 0xFF000000;
            /* Check MSO for an HMAC or Policy session, otherwise invalid */
            if ((sessionHandle ^ 0x02000000) && (sessionHandle ^ 0x03000000))
                break;
        }
    }
    return sessionCount;
 }
 TPM_RC TPM2_ChipStartup(TPM2_CTX* ctx, int timeoutTries)
 {
@ -5316,62 +5223,6 @@ int TPM2_GetHashType(TPMI_ALG_HASH hashAlg)
    return 0;
 }
 TPM2_CTX* TPM2_GetActiveCtx(void)
 {
    return gActiveTPM;
 }
 void TPM2_SetActiveCtx(TPM2_CTX* ctx)
 {
    gActiveTPM = ctx;
 }
 TPM_RC TPM2_SetSessionAuth(TPM2_AUTH_SESSION* session)
 {
    TPM_RC rc;
    TPM2_CTX* ctx = TPM2_GetActiveCtx();
    if (ctx == NULL)
        return BAD_FUNC_ARG;
    rc = TPM2_AcquireLock(ctx);
    if (rc == TPM_RC_SUCCESS) {
        ctx->session = session;
        TPM2_ReleaseLock(ctx);
    }
    return rc;
 }
 /* Finds the number of active Auth Session in the given TPM2 context */
 int TPM2_GetSessionAuthCount(TPM2_CTX* ctx)
 {
    int sessionCount, sessionHandle;
    if (ctx == NULL || ctx->session == NULL)
        return BAD_FUNC_ARG;
    for (sessionCount = 0; sessionCount < MAX_SESSION_NUM; sessionCount++) {
        sessionHandle = ctx->session[sessionCount].sessionHandle;
        /* According to the TCG Spec, Part 1, Chapter 15.4
         * Session Handles have most significant octet at
         * 0x02 for HMAC sessions
         * 0x03 for Policy sessions
         * Password sessions use predefined value of TPM_RS_PW
         * Trial sessions are not of interest
         */
        if (sessionHandle != TPM_RS_PW) {
            /* Not a password session, mask the most significant octet(MSO) */
            sessionHandle &= 0xFF000000;
            /* Check MSO for an HMAC or Policy session, otherwise invalid */
            if ((sessionHandle ^ 0x02000000) && (sessionHandle ^ 0x03000000))
                break;
        }
    }
    return sessionCount;
 }
 /* Can optionally define WOLFTPM2_USE_HW_RNG to force using TPM hardware for RNG source */
 int TPM2_GetNonce(byte* nonceBuf, int nonceSz)
 {
@ -5414,6 +5265,24 @@ int TPM2_GetNonce(byte* nonceBuf, int nonceSz)
    return rc;
 }
 /* Get name for object/handle */
 int TPM2_GetName(TPM2_CTX* ctx, int handleCnt, int idx, TPM2B_NAME* name)
 {
    TPM2_AUTH_SESSION* session;
    XMEMSET(name, 0, sizeof(TPM2B_NAME));
    if (idx >= handleCnt)
        return TPM_RC_SUCCESS;
    session = &ctx->session[idx];
    if (session->name.size > 0) {
        name->size = session->name.size;
        XMEMCPY(name->name, session->name.name, name->size);
    }
    return TPM_RC_SUCCESS;
 }
 void TPM2_SetupPCRSel(TPML_PCR_SELECTION* pcr, TPM_ALG_ID alg, int pcrIndex)
 {
    if (pcr) {
--- a/src/tpm2_param_enc.c
+++ b/src/tpm2_param_enc.c
@ -338,6 +338,150 @@ static int TPM2_ParamDec_AESCFB(TPM2_AUTH_SESSION *session, TPM2B_AUTH* keyIn,
 /* --- Public Functions -- */
 /******************************************************************************/
 #ifndef WOLFTPM2_NO_WOLFCRYPT
 /* Compute the command parameter hash */
 /* TCG TPM 2.0 Part 1 - 18.7 Command Parameter Hash cpHash */
 int TPM2_CalcCpHash(TPMI_ALG_HASH authHash, TPM_CC cmdCode, 
    TPM2B_NAME* name1, TPM2B_NAME* name2, TPM2B_NAME* name3,
    BYTE* param, UINT32 paramSz, TPM2B_DIGEST* hash)
 {
    int rc;
    wc_HashAlg hash_ctx;
    enum wc_HashType hashType;
    rc = TPM2_GetHashType(authHash);
    hashType = (enum wc_HashType)rc;
    rc = wc_HashGetDigestSize(hashType);
    if (rc < 0)
        return rc;
    hash->size = rc;
    /* Hash of data (name) goes into remainder */
    rc = wc_HashInit(&hash_ctx, hashType);
    if (rc == 0) {
        /* Hash Command Code */
        UINT32 ccSwap = TPM2_Packet_SwapU32(cmdCode);
        rc = wc_HashUpdate(&hash_ctx, hashType, (byte*)&ccSwap, sizeof(ccSwap));
        /* For Command's only hash each session name */
        if (rc == 0 && name1 && name1->size > 0)
            rc = wc_HashUpdate(&hash_ctx, hashType, name1->name, name1->size);
        if (rc == 0 && name2 && name2->size > 0)
            rc = wc_HashUpdate(&hash_ctx, hashType, name2->name, name2->size);
        if (rc == 0 && name3 && name3->size > 0)
            rc = wc_HashUpdate(&hash_ctx, hashType, name3->name, name3->size);
        /* Hash Remainder of parameters - after handles and auth */
        if (rc == 0)
            rc = wc_HashUpdate(&hash_ctx, hashType, param, paramSz);
        if (rc == 0)
            rc = wc_HashFinal(&hash_ctx, hashType, hash->buffer);
        wc_HashFree(&hash_ctx, hashType);
    }
    return rc;
 }
 /* Compute the response parameter hash */
 /* TCG TPM 2.0 Part 1 - 18.8 Response Parameter Hash rpHash */
 int TPM2_CalcRpHash(TPMI_ALG_HASH authHash, 
    TPM_CC cmdCode, BYTE* param, UINT32 paramSz, TPM2B_DIGEST* hash)
 {
    int rc;
    wc_HashAlg hash_ctx;
    enum wc_HashType hashType;
    rc = TPM2_GetHashType(authHash);
    hashType = (enum wc_HashType)rc;
    rc = wc_HashGetDigestSize(hashType);
    if (rc < 0)
        return rc;
    hash->size = rc;
    /* Hash of data (name) goes into remainder */
    rc = wc_HashInit(&hash_ctx, hashType);
    if (rc == 0) {
        UINT32 ccSwap;
        /* Hash Response Code - HMAC only calculated with success - always 0 */
        ccSwap = 0;
        rc = wc_HashUpdate(&hash_ctx, hashType, (byte*)&ccSwap, sizeof(ccSwap));
        /* Hash Command Code */
        if (rc == 0) {
            ccSwap = TPM2_Packet_SwapU32(cmdCode);
            rc = wc_HashUpdate(&hash_ctx, hashType, (byte*)&ccSwap, sizeof(ccSwap));
        }
        /* Hash Remainder of parameters - after handles */
        if (rc == 0)
            rc = wc_HashUpdate(&hash_ctx, hashType, param, paramSz);
        if (rc == 0)
            rc = wc_HashFinal(&hash_ctx, hashType, hash->buffer);
        wc_HashFree(&hash_ctx, hashType);
    }
    return rc;
 }
 /* Compute the HMAC using cpHash, nonces and session attributes */
 /* TCG TPM 2.0 Part 1 - 19.6.5 - HMAC Computation */
 int TPM2_CalcHmac(TPMI_ALG_HASH authHash, TPM2B_AUTH* auth, 
    const TPM2B_DIGEST* hash, const TPM2B_NONCE* nonceNew, 
    const TPM2B_NONCE* nonceOld, TPMA_SESSION sessionAttributes,
    TPM2B_AUTH* hmac)
 {
    int rc;
    Hmac hmac_ctx;
    enum wc_HashType hashType;
    /* use authHash for hmac hash algorithm */
    rc = TPM2_GetHashType(authHash);
    hashType = (enum wc_HashType)rc;
    hmac->size = TPM2_GetHashDigestSize(authHash);
    if (hmac->size <= 0)
        return BAD_FUNC_ARG;
    /* setup HMAC */
    rc = wc_HmacInit(&hmac_ctx, NULL, INVALID_DEVID);
    if (rc != 0)
        return rc;
    /* start HMAC - sessionKey || authValue */
    /* TODO: Handle "authValue" case "a value that is found in the sensitive area of an entity" */
    rc = wc_HmacSetKey(&hmac_ctx, hashType, auth->buffer, auth->size);
    /* pHash - hash of command code and parameters */
    if (rc == 0)
        rc = wc_HmacUpdate(&hmac_ctx, hash->buffer, hash->size);
    /* nonce new (on cmd caller, on resp tpm) */
    if (rc == 0)
        rc = wc_HmacUpdate(&hmac_ctx, nonceNew->buffer, nonceNew->size);
    /* nonce old (on cmd TPM, on resp caller) */
    if (rc == 0)
        rc = wc_HmacUpdate(&hmac_ctx, nonceOld->buffer, nonceOld->size);
    /* TODO: nonceTPMDecrypt */
    /* TODO: nonceTPMEncrypt */
    /* sessionAttributes */
    if (rc == 0)
        rc = wc_HmacUpdate(&hmac_ctx, &sessionAttributes, 1);
    /* finalize return into hmac buffer */
    if (rc == 0)
        rc = wc_HmacFinal(&hmac_ctx, hmac->buffer);
    wc_HmacFree(&hmac_ctx);
    return rc;
 }
 #endif /* !WOLFTPM2_NO_WOLFCRYPT */
 TPM_RC TPM2_ParamEnc_CmdRequest(TPM2_AUTH_SESSION *session,
                                BYTE *paramData, UINT32 paramSz)
 {
--- a/src/tpm2_wrap.c
+++ b/src/tpm2_wrap.c
@ -21,10 +21,6 @@
 #include <wolftpm/tpm2_wrap.h>
 #include <wolftpm/tpm2_param_enc.h>
 #ifndef WOLFTPM2_NO_WOLFCRYPT
 #include <wolfssl/wolfcrypt/aes.h>
 #include <wolfssl/wolfcrypt/hmac.h>
 #endif
 #ifndef WOLFTPM2_NO_WRAPPER
@ -398,7 +394,7 @@ int wolfTPM2_SetAuth(WOLFTPM2_DEV* dev, int index,
    TPM2_SetSessionAuth(dev->session);
-    return 0;
+    return TPM_RC_SUCCESS;
 }
 int wolfTPM2_SetAuthPassword(WOLFTPM2_DEV* dev, int index, 
@ -410,31 +406,27 @@ int wolfTPM2_SetAuthPassword(WOLFTPM2_DEV* dev, int index,
 int wolfTPM2_SetAuthHandle(WOLFTPM2_DEV* dev, int index, 
    const WOLFTPM2_HANDLE* handle)
 {
-    return wolfTPM2_SetAuth(dev, index, TPM_RS_PW, &handle->auth, 0, &handle->name);
+    const TPM2B_AUTH* auth = NULL;
    const TPM2B_NAME* name = NULL;
    if (handle) {
        auth = &handle->auth;
        name = &handle->name;
    }
    return wolfTPM2_SetAuth(dev, index, TPM_RS_PW, auth, 0, name);
 }
 int wolfTPM2_SetAuthSession(WOLFTPM2_DEV* dev, int index, 
    const WOLFTPM2_SESSION* tpmSession, TPMA_SESSION sessionAttributes)
 {
    int rc;
    TPM2B_AUTH* auth = NULL;
    if (dev == NULL || index >= MAX_SESSION_NUM) {
        return BAD_FUNC_ARG;
    }
    /* use auth from earlier session */
    if (index > 1) {
        auth = &dev->session[index-1].auth;
    }
    /* TODO: Make use of auth for an earlier session? */
    /* If the encrypt session is associated with a handle, the authValue of the 
        handle will be concatenated with sessionKey to generate encryption key */
    (void)auth;
    rc = wolfTPM2_SetAuth(dev, index, tpmSession->handle.hndl,
        &tpmSession->handle.auth, sessionAttributes, NULL);
-    if (rc == 0) {
+    if (rc == TPM_RC_SUCCESS) {
        TPM2_AUTH_SESSION* session = &dev->session[index];
        /* define the symmetric algorithm */
@ -497,7 +489,7 @@ int wolfTPM2_Cleanup(WOLFTPM2_DEV* dev)
 #ifndef WOLFTPM2_NO_WOLFCRYPT
 #ifndef NO_RSA
 /* returns both the plaintext and encrypted salt, based on the salt key bPublic. */
-static int wolfTPM2_RSA_Salt(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
+int wolfTPM2_RSA_Salt(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
    TPM2B_DIGEST *salt, TPM2B_ENCRYPTED_SECRET *encSalt, TPMT_PUBLIC *publicArea)
 {
    int rc;
@ -563,7 +555,7 @@ static int wolfTPM2_RSA_Salt(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
 }
 #endif /* !NO_RSA */
-static int wolfTPM2_EncryptSalt(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
+int wolfTPM2_EncryptSalt(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
    StartAuthSession_In* in, TPM2B_AUTH* bindAuth, TPM2B_DIGEST* salt)
 {
    int rc;
@ -632,10 +624,15 @@ int wolfTPM2_StartSession(WOLFTPM2_DEV* dev, WOLFTPM2_SESSION* session,
    }
    /* set session auth for key */
-    wolfTPM2_SetAuthHandle(dev, 0, &tpmKey->handle);
+    if (tpmKey) {
-
+        wolfTPM2_SetAuthHandle(dev, 0, &tpmKey->handle);
-    authSesIn.tpmKey = tpmKey ? tpmKey->handle.hndl :
+        authSesIn.tpmKey = tpmKey->handle.hndl;
-                                (TPMI_DH_OBJECT)TPM_RH_NULL;
+    }
    else {
        wolfTPM2_SetAuthPassword(dev, 0, NULL);
        authSesIn.tpmKey = (TPMI_DH_OBJECT)TPM_RH_NULL;
    }
    /* setup bind key */
    authSesIn.bind = (TPMI_DH_ENTITY)TPM_RH_NULL;
    if (bind) {
        authSesIn.bind = bind->hndl;
@ -716,6 +713,7 @@ int wolfTPM2_StartSession(WOLFTPM2_DEV* dev, WOLFTPM2_SESSION* session,
    }
    /* return session */
    session->type = authSesIn.sessionType;
    session->authHash = authSesIn.authHash;
    session->handle.hndl = authSesOut.sessionHandle;
    session->handle.symmetric = authSesIn.symmetric;
--- a/wolftpm/tpm2.h
+++ b/wolftpm/tpm2.h
@ -1679,10 +1679,10 @@ typedef struct TPM2_CTX {
    /* Pointer to current TPM auth sessions */
    TPM2_AUTH_SESSION* session;
-    /* Command Buffer */
+    /* Command / Response Buffer */
    byte cmdBuf[MAX_COMMAND_SIZE];
-    /* Informational Bits */
+    /* Informational Bits - use unsigned int for best compiler compatibility */
 #ifndef WOLFTPM2_NO_WOLFCRYPT
    #ifndef SINGLE_THREADED
    unsigned int hwLockInit:1;
@ -2762,8 +2762,8 @@ WOLFTPM_API int TPM2_SetMode(SetMode_In* in);
 /* Non-standard API's */
 #define _TPM_Init TPM2_Init
-/* In when using devtpm or swtpm, the ioCb and userCtx are not used
+/* When using devtpm or swtpm, the ioCb and userCtx are not used
- * and must be set to NULL. TPM2_Init_minimal() call TPM2_Init_ex()
+ * and should be NULL. TPM2_Init_minimal() calls TPM2_Init_ex()
 * with them set to NULL.
 *
 * In other modes, the ioCb shall be set in order to use TIS.
@ -2800,6 +2800,7 @@ WOLFTPM_API int TPM2_GetTpmCurve(int curveID);
 WOLFTPM_API int TPM2_GetWolfCurve(int curve_id);
 WOLFTPM_API int TPM2_ParseAttest(const TPM2B_ATTEST* in, TPMS_ATTEST* out);
 WOLFTPM_LOCAL int TPM2_GetName(TPM2_CTX* ctx, int handleCnt, int idx, TPM2B_NAME* name);
 #ifdef WOLFTPM2_USE_WOLF_RNG
 WOLFTPM_API int TPM2_GetWolfRng(WC_RNG** rng);
--- a/wolftpm/tpm2_param_enc.h
+++ b/wolftpm/tpm2_param_enc.h
@ -35,6 +35,16 @@ WOLFTPM_API int TPM2_KDFa(
    BYTE *key, UINT32 keySz
 );
 WOLFTPM_LOCAL int TPM2_CalcHmac(TPMI_ALG_HASH authHash, TPM2B_AUTH* auth, 
    const TPM2B_DIGEST* hash, const TPM2B_NONCE* nonceNew, 
    const TPM2B_NONCE* nonceOld, TPMA_SESSION sessionAttributes,
    TPM2B_AUTH* hmac);
 WOLFTPM_LOCAL int TPM2_CalcRpHash(TPMI_ALG_HASH authHash, 
    TPM_CC cmdCode, BYTE* param, UINT32 paramSz, TPM2B_DIGEST* hash);
 WOLFTPM_LOCAL int TPM2_CalcCpHash(TPMI_ALG_HASH authHash, TPM_CC cmdCode, 
    TPM2B_NAME* name1, TPM2B_NAME* name2, TPM2B_NAME* name3,
    BYTE* param, UINT32 paramSz, TPM2B_DIGEST* hash);
 /* Perform encryption over the first parameter of a TPM packet */
 WOLFTPM_LOCAL TPM_RC TPM2_ParamEnc_CmdRequest(TPM2_AUTH_SESSION *session,
                                BYTE *paramData, UINT32 paramSz);
--- a/wolftpm/tpm2_types.h
+++ b/wolftpm/tpm2_types.h
@ -81,6 +81,7 @@ typedef int64_t  INT64;
    #include <wolfssl/wolfcrypt/ecc.h>
    #include <wolfssl/wolfcrypt/asn_public.h>
    #include <wolfssl/wolfcrypt/hmac.h>
    #include <wolfssl/wolfcrypt/aes.h>
    #ifdef WOLF_CRYPTO_CB
        #include <wolfssl/wolfcrypt/cryptocb.h>
    #elif defined(WOLF_CRYPTO_DEV)
--- a/wolftpm/tpm2_wrap.h
+++ b/wolftpm/tpm2_wrap.h
@ -366,6 +366,11 @@ WOLFTPM_API int wolfTPM2_GetTime(WOLFTPM2_KEY* aikKey, GetTime_Out* getTimeOut);
 #define wolfTPM2_GetRCString  TPM2_GetRCString
 #define wolfTPM2_GetCurveSize TPM2_GetCurveSize
 /* for salted auth sessions */
 WOLFTPM_LOCAL int wolfTPM2_RSA_Salt(struct WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
    TPM2B_DIGEST *salt, TPM2B_ENCRYPTED_SECRET *encSalt, TPMT_PUBLIC *publicArea);
 WOLFTPM_LOCAL int wolfTPM2_EncryptSalt(struct WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
    StartAuthSession_In* in, TPM2B_AUTH* bindAuth, TPM2B_DIGEST* salt);
 #if defined(WOLF_CRYPTO_DEV) || defined(WOLF_CRYPTO_CB)