Minor changes based on peer feedback

Signed-off-by: Dimitar Tomov <dimi@wolfssl.com>

examples/README.md

@@ -379,7 +379,7 @@ After successful key extraction using "read", the NV Index is destroyed. Therefo
 
 ## Seal / Unseal
 
-TPM 2.0 can protect secrets using a standard Seal/Unseal procedure. Seal can be created using a TPM 2.0 key or against a set of PCR values.
+TPM 2.0 can protect secrets using a standard Seal/Unseal procedure. Seal can be created using a TPM 2.0 key or against a set of PCR values. Note: Secret data sealed in a key is limited to a maximum size of 128 bytes.
 
 There are two examples available: `seal/seal` and `seal/unseal`.
 
@@ -392,6 +392,7 @@ Using the `seal` example we store securely our data in a newly generated TPM 2.0
 Please find example output from sealing and unsealing a secret message:
 
 ```
+
 $ ./examples/seal/seal keyblob.bin mySecretMessage
 TPM2.0 Simple Seal example
 	Key Blob: keyblob.bin
@@ -402,6 +403,7 @@ Created new TPM seal key (pub 46, priv 141 bytes)
 Wrote 193 bytes to keyblob.bin
 Key Public Blob 46
 Key Private Blob 141
+
 $ ./examples/keygen/keyload -persistent
 TPM2.0 Key load example
 	Key Blob: keyblob.bin
@@ -411,13 +413,16 @@ Reading 193 bytes from keyblob.bin
 Reading the private part of the key
 Loaded key to 0x80000001
 Key was made persistent at 0x81000202
+
 $ ./examples/seal/unseal message.raw
 Example how to unseal data using TPM2.0
 wolfTPM2_Init: success
 Unsealing succeeded
 Stored unsealed data to file = message.raw
+
 $ cat message.raw
 mySecretMessage
+
 ```
 
 After a successful unsealing, the data is stored into a new file. If no filename is provided, the `unseal` tool stores the data in `unseal.bin`.

examples/seal/seal.c

@@ -137,12 +137,13 @@ int TPM2_Seal_Example(void* userCtx, int argc, char *argv[])
 #if !defined(WOLFTPM2_NO_WOLFCRYPT) && !defined(NO_FILESYSTEM)
     rc = writeKeyBlob(outputFile, &newKey);
 #endif
-//#else
+
-    printf("Key Public Blob %d\n", newKey.pub.size);
+#ifdef DEBUG_WOLFTPM
+    printf("Key Seal, Public Blob %d\n", newKey.pub.size);
     TPM2_PrintBin((const byte*)&newKey.pub.publicArea, newKey.pub.size);
-    printf("Key Private Blob %d\n", newKey.priv.size);
+    printf("Key Seal, Private Blob %d\n", newKey.priv.size);
     TPM2_PrintBin(newKey.priv.buffer, newKey.priv.size);
-//#endif
+#endif
 
 exit:
 

src/tpm2_wrap.c

@@ -4007,6 +4007,15 @@ int wolfTPM2_CreateKeySeal(WOLFTPM2_DEV* dev, WOLFTPM2_KEYBLOB* keyBlob,
     if (dev == NULL || keyBlob == NULL || parent == NULL || publicTemplate == NULL)
         return BAD_FUNC_ARG;
 
+    /* Seal size is limited to TCG defined MAX_SYM_DATA, which is 128 bytes */
+    if (sealSize < 0 || sealSize > 128) {
+        printf("wolfTPM2_CreateKeySeal failed. Seal size is invalid.\n");
+#ifdef DEBUG_WOLFTPM
+        printf("Seal size %d should not be larger than 128 bytes\n", sealSize);
+#endif
+        return BAD_FUNC_ARG;
+    }
+
     /* clear output key buffer */
     XMEMSET(keyBlob, 0, sizeof(WOLFTPM2_KEYBLOB));
     XMEMSET(&createOut, 0, sizeof(createOut)); /* make sure pub struct is zero init */
@@ -4031,13 +4040,13 @@ int wolfTPM2_CreateKeySeal(WOLFTPM2_DEV* dev, WOLFTPM2_KEYBLOB* keyBlob,
     rc = TPM2_Create(&createIn, &createOut);
     if (rc != TPM_RC_SUCCESS) {
     #ifdef DEBUG_WOLFTPM
-        printf("TPM2_Create key failed %d: %s\n", rc, wolfTPM2_GetRCString(rc));
+        printf("wolfTPM2_CreateKeySeal failed %d: %s\n", rc, wolfTPM2_GetRCString(rc));
     #endif
         return rc;
     }
 
 #ifdef DEBUG_WOLFTPM
-    printf("TPM2_Create key: pub %d, priv %d\n",
+    printf("wolfTPM2_CreateKeySeal generated key with: pub %d, priv %d\n",
         createOut.outPublic.size, createOut.outPrivate.size);
     TPM2_PrintPublicArea(&createOut.outPublic);
 #endif