smoke test update
diff --git a/tpm2.py b/tpm2.py
index d32a86e..ac420e2 100644
--- a/tpm2.py
+++ b/tpm2.py
@@ -12,6 +12,7 @@
 
 TPM2_CC_CREATE_PRIMARY = 0x0131
 TPM2_CC_DICTIONARY_ATTACK_LOCK_RESET = 0x0139
+TPM2_CC_OBJECT_CHANGE_AUTH = 0x0150
 TPM2_CC_CREATE = 0x0153
 TPM2_CC_LOAD = 0x0157
 TPM2_CC_UNSEAL = 0x015E
diff --git a/tpm2_sessions_smoke.py b/tpm2_sessions_smoke.py
index f9ce342..d233d08 100755
--- a/tpm2_sessions_smoke.py
+++ b/tpm2_sessions_smoke.py
@@ -9,7 +9,7 @@
 import tss2
 
 pwd1 = "wibble"
-
+pwd2 = "newpassword"
 
 class SessionTest(unittest.TestCase):
     def setUp(self):
@@ -31,7 +31,7 @@
                 raise e
         return ha
 
-    def test_handle_clearing(self):
+    def test_handle_flush_on_space_close(self):
         i = self.open_handles()
         print "Ran out of handles at %d" %len(i)
         self.c.close()
@@ -52,19 +52,33 @@
 
     def test_session_consumption(self):
         self.c.read_public(self.c.SRK)
+        # authorization hmac session
         hmac = self.c.start_session(tpm2.TPM2_SE_HMAC)
+        # parameter encryption session
         enc = self.c.start_session(tpm2.TPM2_SE_HMAC, self.c.SRK)
+        # fill all remaing handles
         i = self.open_handles()
         # create rsa key continuing both hmac and encryption sessions
-        k = self.c.create_rsa(self.c.SRK, pwd1, hmac, 1, enc, 1)
+        self.c.create_rsa(self.c.SRK, pwd1, hmac, 1, enc, 1)
         # should be no handles left
         i = self.open_handles()
         self.assertEqual(len(i),0)
-        k = self.c.create_rsa(self.c.SRK, pwd1, hmac, 0, enc, 0)
-        # now should be two handles left
+        # now create rsa key continuing hmac and consuming encryption
+        k = self.c.create_rsa(self.c.SRK, pwd1, hmac, 1, enc, 0)
+        # now should be one handle remaining
         i = self.open_handles()
-        self.assertEqual(len(i),2)
+        self.assertEqual(len(i),1)
+        self.c.flush_context(i[0])
+        # check the hmac continuation actually works
         k = self.c.load(self.c.SRK, k.outPrivate, k.outPublic, None)
+        print "Loaded key at handle %x" %k
+        # and finally verify with an authenticated encrypted operation
+        # consuming both handles
+        enc = self.c.start_session(tpm2.TPM2_SE_HMAC, k)
+        self.c.change_auth(self.c.SRK, k, pwd1, pwd2, hmac, 0, enc, 0)
+        i = self.open_handles()
+        self.assertEqual(len(i), 2)
+        
         
 
 
diff --git a/tss2.py b/tss2.py
index 2ef0568..67f5a4f 100644
--- a/tss2.py
+++ b/tss2.py
@@ -117,6 +117,14 @@
     _fields_ = [("objectHandle", ctypes.c_uint32),
                 ("name", TPM2B_NONCE)]
 
+class ObjectChangeAuth_In(ctypes.Structure):
+    _fields_ = [("objectHandle", ctypes.c_uint32),
+                ("parentHandle", ctypes.c_uint32),
+                ("newAuth", TPM2B_NONCE)]
+
+class ObjectChangeAuth_Out(ctypes.Structure):
+    _fields_ = [("outPrivate", TPM2B_PRIVATE)]
+
 class tpm_error(Exception):
 
     def __init__(self, rc):
@@ -197,8 +205,10 @@
 
         inp.parentHandle = parent
         if (auth != None):
-            inp.inSensitive.sensitive.userAuth.b = ctypes.c_ubyte_Array_128(auth)
-            inp.inSensitive.sensitive.userAuth.s = strlen(auth)
+            lenauth = len(auth)
+            print "AUTh len is %d" %lenauth
+            inp.inSensitive.sensitive.userAuth.b[0:lenauth] = bytearray(auth)
+            inp.inSensitive.sensitive.userAuth.s = lenauth
         inp.inPublic.publicArea.Type = tpm2.TPM2_ALG_RSA
         inp.inPublic.publicArea.nameAlg = tpm2.TPM2_ALG_SHA256
         inp.inPublic.publicArea.objectAttributes = tpm2.TPMA_OBJECT_NODA | tpm2.TPMA_OBJECT_DECRYPT | tpm2.TPMA_OBJECT_USERWITHAUTH | tpm2.TPMA_OBJECT_SENSITIVEDATAORIGIN
@@ -231,3 +241,20 @@
                          tpm2.TPM2_RH_NULL, None, 0);
 
         return out.objectHandle
+
+    def change_auth(self, parent, handle, oldauth, newauth, hmacSession = tpm2.TPM2_RS_PW, hmacCont = 0, encSession = tpm2.TPM2_RH_NULL, encCont = 0):
+        inp = ObjectChangeAuth_In()
+        out = ObjectChangeAuth_Out()
+
+        inp.parentHandle = parent
+        inp.objectHandle = handle
+        inp.newAuth.b[0:len(newauth)] = bytearray(newauth)
+        inp.newAuth.s = len(newauth)
+
+        self.TSS_Execute(ctypes.byref(out), ctypes.byref(inp), None,
+                         tpm2.TPM2_CC_OBJECT_CHANGE_AUTH,
+                         hmacSession, oldauth, hmacCont,
+                         encSession, None, encCont | 0x20,
+                         tpm2.TPM2_RH_NULL, None, 0)
+
+        return out.outPrivate