Change the data type for the size of the secure memory pool to BYTES.

README.rst

@@ -26,7 +26,7 @@ import gcrypt [from "path"] ;
 
 ::
 
-  gcrypt.init(ENUM {INIT_SECMEM, DISABLE_SECMEM} [, INT n])
+  gcrypt.init(ENUM {INIT_SECMEM, DISABLE_SECMEM} [, BYTES n])
   gcrypt.init(FINISH)
 
   new OBJECT = gcrypt.symmetric(ENUM cipher, ENUM mode, ENUM padding,
@@ -150,7 +150,7 @@ described below), but if it does:
 CONTENTS
 ========
 
-* VOID init(ENUM {INIT_SECMEM,DISABLE_SECMEM,FINISH}, INT)
+* VOID init(ENUM {INIT_SECMEM,DISABLE_SECMEM,FINISH}, BYTES)
 * symmetric(ENUM {AES,AES128,RIJNDAEL,RIJNDAEL128,AES192,RIJNDAEL192,AES256,RIJNDAEL256}, ENUM {ECB,CFB,CBC,OFB,CTR}, ENUM {PKCS7,ISO7816,X923,NONE}, BLOB, BOOL, BOOL)
 * STRING version()
 * STRING gcrypt_version()
@@ -162,7 +162,7 @@ init
 
 ::
 
-	VOID init(ENUM {INIT_SECMEM,DISABLE_SECMEM,FINISH}, INT n=1)
+	VOID init(ENUM {INIT_SECMEM,DISABLE_SECMEM,FINISH}, BYTES n=1)
 
 Initialize the libgcrypt library, currently to manage the use of
 secure memory. The ENUM specifies an operation for initialization.
@@ -173,11 +173,12 @@ created; details below.
 
 With ``INIT_SECMEM``, you can configure the size of the secure memory
 pool to ``n`` bytes (the ``n`` parameter is ignored for the other
-ENUMs). Secure memory is enabled by default and set to a default size
-(32 KiB in libgcrypt 1.6.3), so you don't have to call ``init()`` with
-``INIT_SECMEM`` to use the default.
+ENUMs). The data type for ``n`` is BYTES, so the value must be written
+with a suffix such as B or KB. Secure memory is enabled by default and
+set to a default size (32 KiB in libgcrypt 1.6.3), so you don't have
+to call ``init()`` with ``INIT_SECMEM`` to use the default.
 
-Setting ``n`` to 0 with ``INIT_SECMEM`` disables secure memory, and
+Setting ``n`` to 0B with ``INIT_SECMEM`` disables secure memory, and
 hence has the same effect as calling ``init(DISABLE_SECMEM)``. If
 secure memory is enabled, libgcrypt imposes a minimum size for the
 pool (16 KiB for libgcrypt 1.6.3), so any value of ``n`` that is
@@ -237,7 +238,7 @@ Examples::
 
   sub vcl_init {
       # Enable secure memory and allocate a 64KiB pool.
-      gcrypt.init(INIT_SECMEM, 65536);
+      gcrypt.init(INIT_SECMEM, 64KB);
       gcrypt.init(FINISH);
   }
 

src/tests/aes.vtc

@@ -8,7 +8,7 @@ varnish v1 -vcl {
 	backend b { .host = "${bad_ip}"; }
 
 	sub vcl_init {
-		gcrypt.init(INIT_SECMEM, 65536);
+		gcrypt.init(INIT_SECMEM, 64KB);
 		gcrypt.init(FINISH);
 	}
 } -start

src/tests/disable_secmem.vtc

@@ -63,7 +63,7 @@ varnish v3 -vcl {
 
 	sub vcl_init {
 		gcrypt.init(INIT_SECMEM);
-		gcrypt.init(INIT_SECMEM, 0);
+		gcrypt.init(INIT_SECMEM, 0B);
 		gcrypt.init(FINISH);
 		new k = blobcode.blob(HEX, "00000000000000000000000000000000");
 		new aes = gcrypt.symmetric(AES, ECB, key=k.get(), secure=false);

src/tests/init_secmem.vtc

@@ -24,7 +24,7 @@ varnish v2 -vcl {
 
 	sub vcl_init {
 		gcrypt.init(INIT_SECMEM);
-		gcrypt.init(INIT_SECMEM, 32768);
+		gcrypt.init(INIT_SECMEM, 32KB);
 		gcrypt.init(FINISH);
 	}
 } -start
@@ -41,7 +41,7 @@ varnish v3 -vcl {
 	backend b { .host = "${bad_ip}"; }
 
 	sub vcl_init {
-		gcrypt.init(INIT_SECMEM, 0);
+		gcrypt.init(INIT_SECMEM, 0B);
 		gcrypt.init(FINISH);
 	}
 } -start
@@ -57,21 +57,9 @@ varnish v3 -errvcl {vmod gcrypt error: secure memory not enabled in aes construc
 	}
 }
 
-# INIT_SECMEM is illegal with bytes < 0.
-varnish v3 -stop
-varnish v4 -vcl {backend b { .host = "${bad_ip}"; } } -start
-varnish v4 -errvcl {INIT_SECMEM number of bytes -1 out of range in gcrypt.init()} {
-	import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
-	backend b { .host = "${bad_ip}"; }
-
-	sub vcl_init {
-		gcrypt.init(INIT_SECMEM, -1);
-	}
-}
-
 # Secure memory is enabled by default
-varnish v4 -stop
-varnish v5 -vcl {
+varnish v3 -stop
+varnish v4 -vcl {
 	import gcrypt from "${vmod_topbuild}/src/.libs/libvmod_gcrypt.so";
 	import blobcode;
 	backend b { .host = "${bad_ip}"; }

src/tests/init_usage.vtc

@@ -62,7 +62,7 @@ varnish v1 -vcl {
 	backend b { .host = "${bad_ip}"; }
 
 	sub vcl_init {
-		gcrypt.init(INIT_SECMEM, 32768);
+		gcrypt.init(INIT_SECMEM, 32KB);
 		gcrypt.init(FINISH);
 	}
 }

src/vmod_gcrypt.c

@@ -170,7 +170,7 @@ event(VRT_CTX, struct vmod_priv *priv, enum vcl_event_e e)
 /* Function init */
 
 VCL_VOID
-vmod_init(VRT_CTX, VCL_ENUM cmd, VCL_INT n)
+vmod_init(VRT_CTX, VCL_ENUM cmd, VCL_BYTES n)
 {
 	gcry_error_t err = GPG_ERR_NO_ERROR;
 
@@ -194,11 +194,7 @@ vmod_init(VRT_CTX, VCL_ENUM cmd, VCL_INT n)
 		return;
 	}
 	if (strcmp(cmd, "INIT_SECMEM") == 0) {
-		if (n < 0) {
-			VERR(ctx, "INIT_SECMEM number of bytes %d out of range "
-			     "in gcrypt.init()", n);
-			return;
-		}
+		assert(n >= 0);
 		if ((err = gcry_control(GCRYCTL_INIT_SECMEM, n))
 		    != GPG_ERR_NO_ERROR)
 			VERR(ctx, "Cannot initialize secure memory to %d bytes "

src/vmod_gcrypt.vcc

@@ -9,7 +9,7 @@ $Module gcrypt 3 access the libgcrypt cryptographic library
 
 ::
 
-  gcrypt.init(ENUM {INIT_SECMEM, DISABLE_SECMEM} [, INT n])
+  gcrypt.init(ENUM {INIT_SECMEM, DISABLE_SECMEM} [, BYTES n])
   gcrypt.init(FINISH)
 
   new OBJECT = gcrypt.symmetric(ENUM cipher, ENUM mode, ENUM padding,
@@ -130,7 +130,7 @@ described below), but if it does:
 
 * A Varnish panic is invoked with the error message from libgcrypt.
 
-$Function VOID init(ENUM {INIT_SECMEM, DISABLE_SECMEM, FINISH}, INT n=1)
+$Function VOID init(ENUM {INIT_SECMEM, DISABLE_SECMEM, FINISH}, BYTES n=1)
 
 Initialize the libgcrypt library, currently to manage the use of
 secure memory. The ENUM specifies an operation for initialization.
@@ -141,11 +141,12 @@ created; details below.
 
 With ``INIT_SECMEM``, you can configure the size of the secure memory
 pool to ``n`` bytes (the ``n`` parameter is ignored for the other
-ENUMs). Secure memory is enabled by default and set to a default size
-(32 KiB in libgcrypt 1.6.3), so you don't have to call ``init()`` with
-``INIT_SECMEM`` to use the default.
+ENUMs). The data type for ``n`` is BYTES, so the value must be written
+with a suffix such as B or KB. Secure memory is enabled by default and
+set to a default size (32 KiB in libgcrypt 1.6.3), so you don't have
+to call ``init()`` with ``INIT_SECMEM`` to use the default.
 
-Setting ``n`` to 0 with ``INIT_SECMEM`` disables secure memory, and
+Setting ``n`` to 0B with ``INIT_SECMEM`` disables secure memory, and
 hence has the same effect as calling ``init(DISABLE_SECMEM)``. If
 secure memory is enabled, libgcrypt imposes a minimum size for the
 pool (16 KiB for libgcrypt 1.6.3), so any value of ``n`` that is
@@ -205,7 +206,7 @@ Examples::
 
   sub vcl_init {
       # Enable secure memory and allocate a 64KiB pool.
-      gcrypt.init(INIT_SECMEM, 65536);
+      gcrypt.init(INIT_SECMEM, 64KB);
       gcrypt.init(FINISH);
   }