libVES.c: Encryption At-rest With Browser-managed PIN-based Cryptographic-grade Key: Simple, Safe, Secure

libVES.c
Overview
VESvault: Simple, Safe and Secure Encryption At-rest
Simple
- Browser-based PIN entry unlocks the User's cryptographic keychain.
- The User can easily sync the encryption keys among multiple personal devices and browsers/apps.
Safe
- The user can add redundant key locations for safety from key loss.
- VESrecovery™ for recovering the key chain via friends' assistance without compromising the User's privacy.
Secure
- Brute force protection with VESlocker hardware-grade PIN security.
- End-to-end encryption using industry standard algorithms with cryptographic grade keys.
libVES.c is a software interface library to VESvault REST API. Any app or service can integrate libVES to maintain secure storage of encrypted data, while having a safe and reliable way of recovering the data in case if the user loses the encryption key.
The structure of VESvault end-to-end encrypted repository is described in the VESvault Repository Documentation.
libVES.c is focused on App Vault operations. Unlike libVES.js, the current version does not impletemt VESrecovery operations that pertain to Primary Vaults. Instead, libVES.c implements full scale stream encryption.
The latest source code of libVES.c and VES utility can be found in the GitHub repository.
The annotated header files are provided below.

/***************************************************************************
 *          ___       ___
 *         /   \     /   \    VESvault
 *         \__ /     \ __/    Encrypt Everything without fear of losing the Key
 *            \\     //                   https://vesvault.com https://ves.host
 *             \\   //
 *     ___      \\_//
 *    /   \     /   \         libVES:                      VESvault API library
 *    \__ /     \ __/
 *       \\     //            VES Utility:   A command line interface to libVES
 *        \\   //
 *         \\_//              - Key Management and Exchange
 *         /   \              - Item Encryption and Sharing
 *         \___/              - Stream Encryption
 *
 *
 * (c) 2018 VESvault Corp
 * Jim Zubov <jz@vesvault.com>
 *
 * GNU General Public License v3
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
 * copies of the Software, and permit persons to whom the Software is
 * furnished to do so, under the terms of the COPYING file.
 *
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 * KIND, either express or implied.
 *
 * libVES.h                   libVES: Main header
 *
 ***************************************************************************/
#define LIBVES_VERSION_NUMBER	0x01020600L
#define LIBVES_VERSION_CODE	"1.26"
#define LIBVES_VERSION_STR	"libVES.c " LIBVES_VERSION_CODE " (c) 2018 - 2023 VESvault Corp"
#define LIBVES_VERSION_SHORT	"libVES/" LIBVES_VERSION_CODE

struct libVES_Ref;
struct libVES_User;
struct jVar;
struct libVES_veskey;

typedef struct libVES {
    const char *apiUrl;
    const char *appName;
    struct libVES_Ref *external;
    char *sessionToken;
    struct libVES_VaultKey *vaultKey;
    struct libVES_User *me;
    struct libVES_VaultKey *(*genVaultKeyFn)(struct libVES *ves, int type, struct libVES_Ref *ref, struct libVES_User *user);
    void (*attnFn)(struct libVES *ves, struct jVar *attn);
    struct CURL *curl;
    void (*httpInitFn)(struct libVES *ves);
    const char *errorMsg;
    char *errorBuf;
    const struct libVES_CiAlgo *cipherAlgo;
    const struct libVES_KeyAlgo *keyAlgo;
    struct libVES_List *unlockedKeys;
    short int veskeyLen;
    short int error;
    char debug;
    unsigned short int sessionTimeout;
    long long sessionExpire;
    const char *pollUrl;
    void *ref;
} libVES;


enum { LIBVES_O_APIURL, LIBVES_O_APPNAME, LIBVES_O_ATTNFN, LIBVES_O_CURL, LIBVES_O_HTTPINITFN,
    LIBVES_O_GENFN, LIBVES_O_CIPHERALGO, LIBVES_O_KEYALGO, LIBVES_O_POLLURL, LIBVES_O_VESKEYLEN,
    LIBVES_O_SESSTMOUT, LIBVES_O_DEBUG, LIBVES_O_REF };

#define LIBVES_E_OK		0
#define LIBVES_E_PARAM		1
#define LIBVES_E_CONN		2
#define LIBVES_E_PARSE		3
#define LIBVES_E_CRYPTO		4
#define LIBVES_E_UNLOCK		5
#define LIBVES_E_DENIED		6
#define LIBVES_E_NOTFOUND	7
#define LIBVES_E_SERVER		8
#define LIBVES_E_UNSUPPORTED	9
#define LIBVES_E_INCORRECT	10
#define LIBVES_E_ASSERT		11
#define LIBVES_E_DIALOG		12
#define LIBVES_E_QUOTA		13
#define LIBVES_E_INTERNAL	31

#define LIBVES_O_FILE		0x01
#define LIBVES_O_VKEY		0x02
#define LIBVES_O_VITEM		0x04

#define LIBVES_O_NEW		0x10
#define LIBVES_O_GET		0x20

#ifndef LIBVES_API_URL
#define LIBVES_API_URL		"https://api.ves.host/v1/"
#endif

#ifndef LIBVES_POLL_URL
#define LIBVES_POLL_URL		"https://poll.ves.host/v1/"
#endif

#ifndef LIBVES_VESKEY_LEN
#define LIBVES_VESKEY_LEN	32
#endif

#ifndef LIBVES_SESS_TMOUT
#define LIBVES_SESS_TMOUT	28800
#endif

extern const char *libVES_version;

/***************************************************************************
 * Global initialization. Optionally, call libVES_init() before creating any
 * instances of libVES to set the app name.
 * appName = "App_Name/version" (User-Agent format),
 * defaults to "(unspecified app)"
 ***************************************************************************/
void libVES_init(const char *appName);

/***************************************************************************
 * A new instance of libVES. vaultURI is an App Vault ves://domain/externalID/
 * or NULL
 ***************************************************************************/
libVES *libVES_new(const char *vaultURI);

/***************************************************************************
 * A new instance of libVES. ref is an app vaule reference.
 * ref gets strong refcounted, call libVES_Ref_free(ref) before deallocating
 * the libVES instance.
 ***************************************************************************/
libVES *libVES_fromRef(struct libVES_Ref *ref);

/***************************************************************************
 * Instantiate a child instance of libVES. The child instance inherits all
 * context and unlocked keys from the parent. Once instantiated, it's safe
 * to use the parent and children concurrently in threads, as long as no
 * context altering operations are performed on the main libVES_VaultKey
 * or the libVES_User instance (ves->me), such as locking/unlocking or
 * loading additional fields. All children must be libVES_free()'d before
 * the parent.
 ***************************************************************************/
libVES *libVES_child(libVES *pves);

/***************************************************************************
 * Get an option value, optn = LIBVES_O_*
 ***************************************************************************/
void *libVES_getOption(libVES *ves, int optn);

/***************************************************************************
 * Set an option value, optn = LIBVES_O_*, returns true on success
 ***************************************************************************/
int libVES_setOption(libVES *ves, int optn, void *val);

/***************************************************************************
 * Return the code of the last error, LIBVES_E_*.
 * The code is reset to LIBVES_E_OK after the call.
 ***************************************************************************/
int libVES_getError(libVES *ves);

/***************************************************************************
 * If the error code matches err - reset the code to LIBVES_E_OK
 * and return true. Otherwise return false without altering the error code.
 ***************************************************************************/
int libVES_checkError(libVES *ves, int err);

/***************************************************************************
 * Error description string for error code err.
 ***************************************************************************/
const char *libVES_errorStr(int err);

/***************************************************************************
 * Populate the error description str for the last error code on ves, and
 * an error detailds message msg.
 * The error code on ves is reset to LIBVES_E_OK after the call.
 ***************************************************************************/
int libVES_getErrorInfo(libVES *ves, const char **str, const char **msg);

/***************************************************************************
 * Convert a VES URI into an object, libVES_VaultKey or libVES_VaultItem.
 * flags are a combination of LIBVES_O_*
 * Returns the object, sets *type to LIBVES_O_* if type != NULL
 ***************************************************************************/
void *libVES_objectFromURI(const char **uri, struct libVES *ves, int flags, int *type);

struct libVES_VaultKey *libVES_defaultGenVaultKey(libVES *ves, int type, struct libVES_Ref *ref, struct libVES_User *user);
void libVES_defaultAttn(libVES *ves, struct jVar *attn);
char *libVES_fetchVerifyToken(const char *objuri, long long int objid, struct libVES *ves);

/***************************************************************************
 * The App Vault Reference associated with the instance of libVES
 ***************************************************************************/
#define libVES_getExternal(ves)	((ves) ? (ves)->external : NULL)

/***************************************************************************
 * The App Vault Key associated with the instance of libVES, do not deallocate
 ***************************************************************************/
struct libVES_VaultKey *libVES_getVaultKey(libVES *ves);

/***************************************************************************
 * Create a new Vault Key for the App Vault associated with the instance
 * of libVES. API restrictions apply.
 ***************************************************************************/
struct libVES_VaultKey *libVES_createVaultKey(libVES *ves);

/***************************************************************************
 * Unlock the App Vault, returns the Vault Key, or NULL on error.
 ***************************************************************************/
struct libVES_VaultKey *libVES_unlock_veskey(libVES *ves, const struct libVES_veskey *veskey);
struct libVES_VaultKey *libVES_unlock(libVES *ves, size_t keylen, const char *veskey);

/***************************************************************************
 * Check if the libVES instance is unlocked
 ***************************************************************************/
#define	libVES_unlocked(ves)		(!!libVES_unlock_veskey(ves, NULL))

/***************************************************************************
 * Lock all Vault Keys previously unlocked on ves.
 ***************************************************************************/
void libVES_lock(libVES *ves);

/***************************************************************************
 * Refresh the Session Token for the unlocked Vault Key,
 * returns 1 on success, 0 on error.
 ***************************************************************************/
int libVES_refreshSession(libVES *ves);

/***************************************************************************
 * Refresh the Session Token for the unlocked Vault Key if the session is
 * timing out, returns 1 on success, 0 on error.
 ***************************************************************************/
int libVES_checkSession(libVES *ves);

/***************************************************************************
 * API session authorization token, an ascii string. Do not deallocate.
 * Created by libVES_unlock() or libVES_primary().
 ***************************************************************************/
#define libVES_getSessionToken(ves)	((ves) ? (ves)->sessionToken : NULL)

/***************************************************************************
 * Set the API session authorization token, from another API session
 ***************************************************************************/
void libVES_setSessionToken(libVES *ves, const char *token);

/***************************************************************************
 * Authorize the Primary Vault session using VESvault password.
 * Returns the current primary Vault Key, that can be further unlocked
 * using libVES_VaultKey_unlock()
 ***************************************************************************/
struct libVES_VaultKey *libVES_primary(libVES *ves, const char *email, const char *passwd);

/***************************************************************************
 * The owner of the Vault associated with ves. Do not deallocate.
 ***************************************************************************/
struct libVES_User *libVES_me(libVES *ves);

/***************************************************************************
 * Get raw string content of the Vault Item identified by uri.
 * If buf == NULL - allocate a new buffer of proper length, the returned buffer
 * is to be deallocated with free().
 * If buf != NULL && len != NULL - fail if *len is less that required length.
 * If len != NULL - populate the actual length *len on success.
 * If len == NULL - terminate the buffer with "\0".
 ***************************************************************************/
char *libVES_getValue(libVES *ves, const char *uri, size_t *len, char *buf);

/***************************************************************************
 * Put a raw string value into an existing or new Vault Item,
 * share with listed Vault URIs if shareURI != NULL
 ***************************************************************************/
int libVES_putValue(libVES *ves, const char *uri, size_t len, const char *value, size_t sharelen, const char **shareURI);

/***************************************************************************
 * Return 1 if the Vault Item identified by uri exists, 0 if doesn't exist,
 * -1 on error. This function does not need any kind of authentication,
 * can be run on newly instantiated ves.
 ***************************************************************************/
int libVES_fileExists(libVES *ves, const char *uri);

/***************************************************************************
 * Share an existing Vault Item identified by uri, with shareURI
 ***************************************************************************/
int libVES_shareFile(libVES *ves, const char *uri, size_t sharelen, const char **shareURI);

/***************************************************************************
 * Flag the Vault Item identified by uri as deleted.
 ***************************************************************************/
int libVES_deleteFile(libVES *ves, const char *uri);

/***************************************************************************
 * Perform pending internal tasks, such as temp key propagation.
 * Can be called periodically to sync the temp keys for the newly created
 * recipients of the User's vault items who are in process of setting up
 * their VES accounts.
 ***************************************************************************/
void libVES_attn(struct libVES *ves);

/***************************************************************************
 * Deallocate libVES, wipe all private content from memory
 ***************************************************************************/
void libVES_free(libVES *ves);

/***************************************************************************
 * Recursively erase any sensitive data from a jVar structure
 ***************************************************************************/
void libVES_cleanseJVar(struct jVar *jvar);

/***************************************************************************
 * Base64 encoded len to binary size
 ***************************************************************************/
#define libVES_b64decsize(len)		((len) * 3 / 4)

/***************************************************************************
 * Binary len to base64 encoded size, including trailing NUL
 ***************************************************************************/
#define libVES_b64encsize(len)		(((len) + 2) / 3 * 4 + 1)

/***************************************************************************
 * Base64 decode, *dec is allocated if NULL, binary size is returned
 ***************************************************************************/
size_t libVES_b64decode(const char *b64, char **dec);
size_t libVES_b64decodel(const char *b64, int len, char **dec);

/***************************************************************************
 * Base64 encode, returns b64 or malloc'd string if b64==NULL, filled with
 * NUL terminated encoded content
 * libVES_b64encode_web produces an RFC4648 section 5 url-safe encoding
 * libVES_b64encode_map takes a custom map, 64 chars + the padding char
 ***************************************************************************/
char *libVES_b64encode(const char *data, size_t len, char *b64);
char *libVES_b64encode_web(const char *data, size_t len, char *b64);
char *libVES_b64encode_map(const char *map, const char *data, size_t len, char *b64);

/***************************************************************************
 * Assign ves->me if not assigned yet, useful for primary vault operations.
 * The user is refcounted if assigned, it's safe to use libVES_User_free(user)
 ***************************************************************************/
void libVES_setUser(struct libVES *ves, struct libVES_User *user);



/***************************************************************************
 *          ___       ___
 *         /   \     /   \    VESvault
 *         \__ /     \ __/    Encrypt Everything without fear of losing the Key
 *            \\     //                   https://vesvault.com https://ves.host
 *             \\   //
 *     ___      \\_//
 *    /   \     /   \         libVES:                      VESvault API library
 *    \__ /     \ __/
 *       \\     //            VES Utility:   A command line interface to libVES
 *        \\   //
 *         \\_//              - Key Management and Exchange
 *         /   \              - Item Encryption and Sharing
 *         \___/              - Stream Encryption
 *
 *
 * (c) 2018 VESvault Corp
 * Jim Zubov <jz@vesvault.com>
 *
 * GNU General Public License v3
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
 * copies of the Software, and permit persons to whom the Software is
 * furnished to do so, under the terms of the COPYING file.
 *
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 * KIND, either express or implied.
 *
 * libVES/VaultKey.h          libVES: Vault Key object header
 *
 ***************************************************************************/

typedef struct libVES_VaultKey {
    long long int id;
    const struct libVES_KeyAlgo *algo;
    int type;
    struct libVES *ves;
    struct libVES_User *user;
    char *publicKey;
    void *pPub;
    char *privateKey;
    void *pPriv;
    struct libVES_Ref *external;
    struct libVES_VaultItem *vitem;
    struct jVar *entries;
    char *appUrl;
    int refct;
} libVES_VaultKey;

typedef struct libVES_veskey {
    size_t keylen;
    char veskey[];
} libVES_veskey;

struct jVar;

#define LIBVES_VK_CURRENT	0
#define LIBVES_VK_SHADOW	1
#define LIBVES_VK_TEMP		2
#define LIBVES_VK_LOST		3
#define LIBVES_VK_SECONDARY	4
#define LIBVES_VK_RECOVERY	5
#define LIBVES_VK_PENDING	6
#define LIBVES_VK_DELETED	7

#ifndef LIBVES_MAXLEN_KEY
#define LIBVES_MAXLEN_KEY	65535
#endif
#ifndef LIBVES_MAXLEN_ENCDATA
#define LIBVES_MAXLEN_ENCDATA	65535
#endif

typedef struct libVES_KeyAlgo {
    char *str;
    char *name;
    int len;
    libVES_VaultKey *(*newfn)(const struct libVES_KeyAlgo *algo, void *pkey, const struct libVES_veskey *veskey, struct libVES *ves);
    char *(*pub2strfn)(libVES_VaultKey *vkey, void *pkey);
    void *(*str2pubfn)(libVES_VaultKey *vkey, const char *str);
    char *(*priv2strfn)(libVES_VaultKey *vkey, void *pkey, const struct libVES_veskey *veskey);
    void *(*str2privfn)(libVES_VaultKey *vkey, const char *str, const struct libVES_veskey *veskey);
    void *(*priv2pubfn)(libVES_VaultKey *vkey, void *pkey);
    int (*encfn)(libVES_VaultKey *vkey, const char *plaintext, size_t *ptlen, char *ciphertext, char *key, size_t *keylen);
    int (*decfn)(libVES_VaultKey *vkey, const char *ciphertext, size_t *ctlen, char *plaintext, char *key, size_t *keylen);
    int (*signfn)(libVES_VaultKey *vkey, const char *plaintext, size_t ptlen, char *signature);
    int (*verifyfn)(libVES_VaultKey *vkey, const char *plaintext, size_t ptlen, const char *signature, size_t sglen);
    void (*lockfn)(libVES_VaultKey *vkey);
    int (*dumpfn)(libVES_VaultKey *vkey, int fd, int flags);
    void (*freefn)(libVES_VaultKey *vkey);
    void *(*pkeygenfn)(const struct libVES_KeyAlgo *algo, const char *algostr);
    void (*pkeyfreefn)(const struct libVES_KeyAlgo *algo, void *pkey);
    int (*methodstrfn)(const struct libVES_KeyAlgo *algo, char *buf, size_t buflen, int idx);
} libVES_KeyAlgo;

#define libVES_KeyAlgo_pseudo(newfn_ptr)		(*((libVES_KeyAlgo *) (((char *) &newfn_ptr) - offsetof(libVES_KeyAlgo, newfn))))
#define libVES_KeyAlgo_callable(algo, func)		(algo->len >= offsetof(libVES_KeyAlgo, func) + sizeof((algo)->func) && (algo)->func)
#define libVES_KeyAlgo_pkeygen(algo, algostr)		(algo)->pkeygenfn(algo, algostr)
#define libVES_KeyAlgo_pkeyfree(algo, algostr)		(algo)->pkeyfreefn(algo, algostr)
#define libVES_KeyAlgo_methodstr(algo, buf, buflen, idx)	(libVES_KeyAlgo_callable(algo, methodstrfn) ? (algo)->methodstrfn(algo, buf, buflen, idx) : -1)

extern const char *libVES_VaultKey_types[];
extern struct libVES_List libVES_VaultKey_algos;

/***************************************************************************
 * Create a Vault Key from private key structure pkey,
 * generate a new private key if pkey == NULL
 ***************************************************************************/
libVES_VaultKey *libVES_VaultKey_new(int type, const struct libVES_KeyAlgo *algo, void *pkey, struct libVES_veskey *veskey, struct libVES *ves);

#define libVES_VaultKey_isNew(vkey)		(vkey && !vkey->id)
libVES_VaultKey *libVES_VaultKey_fromJVar(struct jVar *j_vkey, struct libVES *ves);
void libVES_VaultKey_parseJVar(struct libVES_VaultKey *vkey, struct jVar *jvar);

/***************************************************************************
 * Parse a Vault Key from VES URI,
 * ves://domain/externalId/[userRef] | ves:///internalId/ | ves:////userRef
 ***************************************************************************/
#define libVES_VaultKey_fromURI(uri, ves)	((libVES_VaultKey *) libVES_objectFromURI(uri, ves, LIBVES_O_VKEY | LIBVES_O_GET | LIBVES_O_NEW, NULL))

/***************************************************************************
 * Push Vault Key(s) parsed from the URI into lst,
 * if lst == NULL a new list will be created
 * return lst, or NULL on error
 * One Vault Key will be matched for an App Vault or internalId,
 * up to 2 (current + shadow) for a Primary Vault (ves:////userRef)
 ***************************************************************************/
struct libVES_List *libVES_VaultKey_listFromURI(const char **path, struct libVES *ves, struct libVES_List *lst);

struct jVar *libVES_VaultKey_toJVar(libVES_VaultKey *vkey);

/***************************************************************************
 * Get VES URI - ves://domain/externalId/, use free() to deallocate
 ***************************************************************************/
char *libVES_VaultKey_toURI(libVES_VaultKey *vkey);

/***************************************************************************
 * Get internalId URI - ves:///internalId/, use free() to deallocate
 ***************************************************************************/
char *libVES_VaultKey_toURIi(libVES_VaultKey *vkey);

/***************************************************************************
 * Retrieve or create a Vault Key from ref and optional user
 * ref and user may get strong refcounted by the resulting libVES_VaultKey,
 * use libVES_Ref_free(ref), libVES_User_free(user) before the resulting
 * libVES_VaultKey is deallocated.
 ***************************************************************************/
#define libVES_VaultKey_get(ref, ves, user)	libVES_VaultKey_get2(ref, ves, user, NULL, LIBVES_O_GET | LIBVES_O_NEW)

libVES_VaultKey *libVES_VaultKey_free_ref_user(libVES_VaultKey *vkey, struct libVES_Ref *ref, struct libVES_User *user);

libVES_VaultKey *libVES_VaultKey_get2(struct libVES_Ref *ref, struct libVES *ves, struct libVES_User *user, char **sesstkn, int flags);
libVES_VaultKey *libVES_VaultKey_create(struct libVES_Ref *ref, struct libVES *ves, struct libVES_User *user);
libVES_VaultKey *libVES_VaultKey_createFrom(libVES_VaultKey *vkey);
struct libVES_VaultItem *libVES_VaultKey_propagate(libVES_VaultKey *vkey);

/***************************************************************************
 * Unlock the Vault Key using the veskey.
 * If veskey == NULL - attempt to unlock indirectly using 
 * libVES_VaultKey_getVESkey(), a VESkey stored in an associated Vault Item.
 ***************************************************************************/
void *libVES_VaultKey_unlock(libVES_VaultKey *vkey, const struct libVES_veskey *veskey);

/***************************************************************************
 * Lock the Vault Key, wipe all private data from memory.
 ***************************************************************************/
void libVES_VaultKey_lock(libVES_VaultKey *vkey);

/***************************************************************************
 * Retrieve a VESkey from an associated Vault Item if possible.
 ***************************************************************************/
struct libVES_veskey *libVES_VaultKey_getVESkey(libVES_VaultKey *vkey);

/***************************************************************************
 * Decrypt the Vault Item content. Return decrypted length, or -1 on error.
 ***************************************************************************/
int libVES_VaultKey_decrypt(libVES_VaultKey *vkey, const char *ciphertext, char **plaintext);

/***************************************************************************
 * Encrypt the Vault Item content, return base64 encoded encrypted string
 * or NULL on error.
 ***************************************************************************/
char *libVES_VaultKey_encrypt(libVES_VaultKey *vkey, const char *plaintext, size_t ptlen);

/***************************************************************************
 * Re-encrypt the entries for all Vault Items from fromVkey to vkey
 ***************************************************************************/
struct jVar *libVES_VaultKey_rekeyFrom(libVES_VaultKey *vkey, libVES_VaultKey *fromVkey, int flags);

/***************************************************************************
 * Find an active Vault Key for a Vault associated with vkey.
 * If exists and is different from vkey - re-encrypt the entries for all
 * Vault Items from vkey to active key. Return true if successful.
 ***************************************************************************/
int libVES_VaultKey_rekey(libVES_VaultKey *vkey);

/***************************************************************************
 * Try to apply the unlocked vkey to the associated libVES instance,
 * either by rekeying it, or by setting as the vaultKey on libVES.
 * Intended for unlocked temp keys.
 * If true - applied successfully, do NOT alter or deallocate vkey.
 * Otherwise - vkey cannot be applied, deallocate as usual.
 ***************************************************************************/
int libVES_VaultKey_apply(libVES_VaultKey *vkey);

int libVES_VaultKey_post(libVES_VaultKey *vkey);
int libVES_VaultKey_typeFromStr(const char *str);
const char *libVES_VaultKey_typeStr(int type);
const libVES_KeyAlgo *libVES_VaultKey_algoFromStr(const char *str);
#define libVES_VaultKey_algoStr(algo)		((algo) ? (algo)->str : NULL)
#define libVES_VaultKey_getId(vkey)		((vkey) ? (vkey)->id : 0)
#define libVES_VaultKey_getType(vkey)		((vkey) ? (vkey)->type : -1)
#define libVES_VaultKey_getAlgo(vkey)		((vkey) ? (vkey)->algo : NULL)
#define libVES_VaultKey_getPublicKey(vkey)	((vkey) ? (vkey)->publicKey : NULL)

/***************************************************************************
 * Encrypted private key (PEM), load from the API if not loaded yet.
 * Do not deallocate.
 ***************************************************************************/
char *libVES_VaultKey_getPrivateKey(libVES_VaultKey *vkey);

/***************************************************************************
 * The private key (PEM), decrypted if the Vault Key is unlocked,
 * encrypted otherwise. Use free() to deallocate.
 ***************************************************************************/
char *libVES_VaultKey_getPrivateKey1(libVES_VaultKey *vkey);

#define libVES_VaultKey_getExternal(vkey)	((vkey) ? (vkey)->external : NULL)
struct libVES_User *libVES_VaultKey_getUser(libVES_VaultKey *vkey);

/***************************************************************************
 * Output the algorithm specific human readable key info to fd.
 ***************************************************************************/
int libVES_VaultKey_dump(libVES_VaultKey *vkey, int fd, int flags);

/***************************************************************************
 * App URL for a new temp key, to be sent in the notification email
 ***************************************************************************/
int libVES_VaultKey_setAppUrl(libVES_VaultKey *vkey, const char *url);

void libVES_VaultKey_free(libVES_VaultKey *vkey);

/***************************************************************************
 * Unlike stream ciphers, Vault Key algorithms should be treated
 * conservatively to minimize cross-platform issues.
 ***************************************************************************/
void libVES_VaultKey_registerAlgo(const struct libVES_KeyAlgo *algo);

extern const struct libVES_ListCtl libVES_VaultKey_ListCtl;
extern const struct libVES_ListCtl libVES_VaultKey_ListCtlU;

/***************************************************************************
 * VESkey, a binary with length
 * Generate a random one if veskey == NULL, see libVES_veskey_generate()
 ***************************************************************************/
libVES_veskey *libVES_veskey_new(size_t keylen, const char *veskey);

/***************************************************************************
 * Generate a random ascii VESkey
 * The character frequency is biased to improve human readability,
 * the entropy is ~ 203 bit for keylen == 32 (vs 256 bit for a random binary)
 * Character frequency graph:
 * https://i.imgur.com/o2oTDLz.png (credits: https://reddit.com/u/skeeto)
 ***************************************************************************/
#define libVES_veskey_generate(keylen)		libVES_veskey_new(keylen, NULL)

void libVES_veskey_free(libVES_veskey *veskey);



/***************************************************************************
 *          ___       ___
 *         /   \     /   \    VESvault
 *         \__ /     \ __/    Encrypt Everything without fear of losing the Key
 *            \\     //                   https://vesvault.com https://ves.host
 *             \\   //
 *     ___      \\_//
 *    /   \     /   \         libVES:                      VESvault API library
 *    \__ /     \ __/
 *       \\     //            VES Utility:   A command line interface to libVES
 *        \\   //
 *         \\_//              - Key Management and Exchange
 *         /   \              - Item Encryption and Sharing
 *         \___/              - Stream Encryption
 *
 *
 * (c) 2018 VESvault Corp
 * Jim Zubov <jz@vesvault.com>
 *
 * GNU General Public License v3
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
 * copies of the Software, and permit persons to whom the Software is
 * furnished to do so, under the terms of the COPYING file.
 *
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 * KIND, either express or implied.
 *
 * libVES/VaultItem.h         libVES: Vault Item object header
 *
 ***************************************************************************/

typedef struct libVES_VaultItem {
    long long int id;
    short int type;
    short int objectType;
    int flags;
    size_t len;
    char *value;
    union {
	void *object;
	struct libVES_File *file;
	struct libVES_VaultKey *vaultKey;
    };
    struct jVar *meta;
    struct jVar *entries;
    int refct;
    size_t sharelen;
    struct libVES_VaultKey *share[];
} libVES_VaultItem;

struct libVES_Ref;

#define LIBVES_VI_STRING	0
#define LIBVES_VI_FILE		1
#define LIBVES_VI_PASSWORD	2
#define LIBVES_VI_SECRET	3

#define LIBVES_SH_CLN		0x01
#define LIBVES_SH_PRI		0x02
#define LIBVES_SH_ADD		0x10
#define LIBVES_SH_UPD		0x20
#define LIBVES_SH_IGN		0x4000
#define LIBVES_SH_DEL		0x8000
#define LIBVES_SH_SET		(LIBVES_SH_ADD | LIBVES_SH_CLN)

#define LIBVES_SH_META		0x0100

extern const struct libVES_ListCtl libVES_VaultItem_ListCtl;
extern const char *libVES_VaultItem_types[];

libVES_VaultItem *libVES_VaultItem_new();
#define libVES_VaultItem_isNew(vitem)	(vitem && (vitem->flags & LIBVES_SH_ADD))
struct jVar *libVES_VaultItem_Ref_toJVar(struct libVES_Ref *ref);
struct jVar *libVES_VaultItem_toJVar(libVES_VaultItem *vitem);
libVES_VaultItem *libVES_VaultItem_fromJVar(struct jVar *data, struct libVES *ves);
void libVES_VaultItem_parseJVar(struct libVES_VaultItem *vitem, struct jVar *jvar);

/***************************************************************************
 * Load and/or create a Vault Item from ves URI
 * (ves://domain/externalId or ves:///internalId)
 ***************************************************************************/
#define libVES_VaultItem_fromURI(uri, ves)		((libVES_VaultItem *) libVES_objectFromURI(uri, ves, LIBVES_O_VITEM | LIBVES_O_GET | LIBVES_O_NEW, NULL))
#define libVES_VaultItem_loadFromURI(uri, ves)		((libVES_VaultItem *) libVES_objectFromURI(uri, ves, LIBVES_O_VITEM | LIBVES_O_GET, NULL))
#define libVES_VaultItem_createFromURI(uti, ves)	((libVES_VaultItem *) libVES_objectFromURI(uri, ves, LIBVES_O_VITEM | LIBVES_O_NEW, NULL))

/***************************************************************************
 * Get VES URI - ves://domain/externalId, use free() to deallocate
 ***************************************************************************/
char *libVES_VaultItem_toURI(libVES_VaultItem *vitem);

/***************************************************************************
 * Get internalId URI - ves:///internalId, use free() to deallocate
 ***************************************************************************/
char *libVES_VaultItem_toURIi(libVES_VaultItem *vitem);

/***************************************************************************
 * Create a new VaultItem. Use libVES_VaultItem_set*() to set the value,
 * libVES_VaultItem_entries() to share, libVES_VaultItem_post() to commit,
 * libVES_VaultItem_free() when done.
 ***************************************************************************/
libVES_VaultItem *libVES_VaultItem_create(struct libVES_Ref *ref);

/***************************************************************************
 * Returns the pointer to the raw decrypted value, not NUL terminated, the
 * length is libVES_VaultItem_getLen()
 ***************************************************************************/
const char *libVES_VaultItem_getValue(libVES_VaultItem *vitem);

/***************************************************************************
 * Returns the length of the raw decrypted value, -1 if not available
 ***************************************************************************/
int libVES_VaultItem_getLen(libVES_VaultItem *vitem);

/***************************************************************************
 * Copy the decrypted value as a string with length, use buf = NULL to
 * allocate a new buffer. Returns the buffer pointer, or NULL if not
 * available
 ***************************************************************************/
char *libVES_VaultItem_toStringl(libVES_VaultItem *vitem, size_t *len, char *buf);

/***************************************************************************
 * Set the raw content and type
 ***************************************************************************/
int libVES_VaultItem_setValue(libVES_VaultItem *vitem, size_t len, const char *value, int type);
int libVES_VaultItem_setValue0(libVES_VaultItem *vitem, size_t len, char *value, int type);

/***************************************************************************
 * A stream cipher object stored in the Vault Item
 ***************************************************************************/
struct libVES_Cipher *libVES_VaultItem_getCipher(libVES_VaultItem *vitem, struct libVES *ves);
int libVES_VaultItem_setCipher(libVES_VaultItem *vitem, struct libVES_Cipher *ci);

/***************************************************************************
 * Treat the Vault Item content as JSON string
 ***************************************************************************/
struct jVar *libVES_VaultItem_getObject(libVES_VaultItem *vitem);
int libVES_VaultItem_setObject(libVES_VaultItem *vitem, struct jVar *obj);

/***************************************************************************
 * Prepare entries to share/unshare the Vault Item with the Vault Key,
 * call libVES_VaultItem_post() to commit
 ***************************************************************************/
struct jVar *libVES_VaultItem_share(libVES_VaultItem *vitem, struct libVES_VaultKey *vkey, int flags);

/***************************************************************************
 * Prepare entries to share/unshare the Vault Item with the list of Vault Keys,
 * call libVES_VaultItem_post() to commit
 ***************************************************************************/
struct jVar *libVES_VaultItem_entries(libVES_VaultItem *vitem, struct libVES_List *share, int flags);

/***************************************************************************
 * Iterate through previously shared vault keys.
 * ptr = NULL returns the pointer to the first shared VaultKey,
 * returns NULL at the end of the share list.
 ***************************************************************************/
struct libVES_VaultKey **libVES_VaultItem_nextShare(libVES_VaultItem *vitem, struct libVES_VaultKey **ptr);

/***************************************************************************
 * Find a pointer to the shared VaultKey with the id matching vkey.
 * NULL if not found.
 ***************************************************************************/
struct libVES_VaultKey **libVES_VaultItem_findShare(libVES_VaultItem *vitem, struct libVES_VaultKey *vkey);

/***************************************************************************
 * Retrieve an existing VaultItem and decrypt the value if possible. Use
 * libVES_VaultItem_free() to deallocate. Call libVES_Ref_free(ref) before
 * deallocating the returned VaultItem.
 * Retunrs NULL if not available.
 ***************************************************************************/
libVES_VaultItem *libVES_VaultItem_get(struct libVES_Ref *ref, struct libVES *ves);

/***************************************************************************
 * Commit the changes to the VES repository. Returns true on success.
 ***************************************************************************/
int libVES_VaultItem_post(libVES_VaultItem *vitem, struct libVES *ves);

/***************************************************************************
 * Delete the VaultItem from the VES repository. Returns true on success.
 ***************************************************************************/
int libVES_VaultItem_delete(libVES_VaultItem *vitem, struct libVES *ves);

/***************************************************************************
 * List all Vault Items shared with vkey
 ***************************************************************************/
struct libVES_List *libVES_VaultItem_list(struct libVES_VaultKey *vkey);

/***************************************************************************
 * Get a Verify Token that can be used instead of libVES Session Token to
 * allow retrieving vaultEntries/vaultKey/file on the vitem
 * without granting any other permissions.
 * free() the token when done.
 * If the access needs to be restricted to creator and external only -
 * use libVES_File_fetchVerifyToken(libVES_VaultItem_getFile(vitem), ves)
 ***************************************************************************/
#define libVES_VaultItem_fetchVerifyToken(vitem, ves)	libVES_fetchVerifyToken("vaultItems", libVES_VaultItem_getId(vitem), ves)

/***************************************************************************
 * Send a GET request to the external url with VES authorization
 * X-VES-Authorization: vaultItem.{vitem->id}.{verifyToken}
 * Return jVar response on success, NULL on error, use libVES_getError(ves)
 * assign the http status code to *pcode if not NULL
 ***************************************************************************/
struct jVar *libVES_VaultItem_VESauthGET(struct libVES_VaultItem *vitem, struct libVES *ves, const char *url, long *pcode);

/***************************************************************************
 * Get the item metadata jVar object, do not deallocate. To alter the
 * existing metadata, add/remove keys on the returned jVar, then call
 * libVES_VaultItem_setMeta() with the same jVar object
 ***************************************************************************/
struct jVar *libVES_VaultItem_getMeta(libVES_VaultItem *vitem);

/***************************************************************************
 * Set the item metadata jVar object, do not deallocate meta after this call
 ***************************************************************************/
int libVES_VaultItem_setMeta(libVES_VaultItem *vitem, struct jVar *meta);

const char *libVES_VaultItem_typeStr(int type);
int libVES_VaultItem_typeFromStr(const char *str);
#define libVES_VaultItem_isDeleted(vitem)	((vitem) ? (vitem)->flags & LIBVES_SH_DEL : 0)
#define libVES_VaultItem_force(vitem)		((vitem) ? (vitem)->flags |= LIBVES_SH_UPD : 0)
#define libVES_VaultItem_getId(vkey)		((vitem) ? (vitem)->id : 0)
#define libVES_VaultItem_getType(vitem)		((vitem) ? (vitem)->type : -1)
#define libVES_VaultItem_getFile(vitem)		((vitem && (vitem)->objectType == LIBVES_O_FILE) ? (vitem)->file : NULL)
#define libVES_VaultItem_getVaultKey(vitem)	((vitem && (vitem)->objectType == LIBVES_O_VKEY) ? (vitem)->vaultKey : NULL)

void libVES_VaultItem_free(libVES_VaultItem *vitem);




/***************************************************************************
 *          ___       ___
 *         /   \     /   \    VESvault
 *         \__ /     \ __/    Encrypt Everything without fear of losing the Key
 *            \\     //                   https://vesvault.com https://ves.host
 *             \\   //
 *     ___      \\_//
 *    /   \     /   \         libVES:                      VESvault API library
 *    \__ /     \ __/
 *       \\     //            VES Utility:   A command line interface to libVES
 *        \\   //
 *         \\_//              - Key Management and Exchange
 *         /   \              - Item Encryption and Sharing
 *         \___/              - Stream Encryption
 *
 *
 * (c) 2018 VESvault Corp
 * Jim Zubov <jz@vesvault.com>
 *
 * GNU General Public License v3
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
 * copies of the Software, and permit persons to whom the Software is
 * furnished to do so, under the terms of the COPYING file.
 *
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 * KIND, either express or implied.
 *
 * libVES/Cipher.h            libVES: Stream cipher header
 *
 ***************************************************************************/
typedef struct libVES_Cipher {
    const struct libVES_CiAlgo *algo;
    struct libVES *ves;
    void *ctx;
    struct jVar *meta;
    int flags;
    int refct;
    char key[0];
} libVES_Cipher;

typedef struct libVES_CiAlgo {
    const char *str;
    const char *name;
    int len;
    struct libVES_Cipher *(*newfn)(const struct libVES_CiAlgo *algo, struct libVES *ves, size_t, const char *);
    int (*keylenfn)(struct libVES_Cipher *ci);
    int (*decfn)(struct libVES_Cipher *, int, const char *, size_t, char *);
    int (*encfn)(struct libVES_Cipher *, int, const char *, size_t, char *);
    struct libVES_Seek *(*seekfn)(struct libVES_Cipher *, struct libVES_Seek *);
    void (*resetfn)(struct libVES_Cipher *);
    void (*freefn)(struct libVES_Cipher *);
} libVES_CiAlgo;

#define LIBVES_CF_ENC	0x01
#define LIBVES_CF_DEC	0x02
#define LIBVES_CF_EXACT	0x10

typedef struct libVES_Seek {
    off_t plainPos;
    off_t cipherPos;
    off_t cipherFbPos;
    size_t cipherFbLen;
    void *cipherFb;
    int flags;
} libVES_Seek;

#define LIBVES_SK_ENC	0x01
#define LIBVES_SK_DEC	0x02
#define LIBVES_SK_RDY	0x0100
#define LIBVES_SK_FBK	0x0200
#define LIBVES_SK_ERR	0x8000
#define LIBVES_SK_NEW	0

extern struct libVES_List libVES_Cipher_algos;

#define libVES_CiAlgo_callable(algo, func)		(algo->len >= offsetof(libVES_CiAlgo, func) + sizeof((algo)->func) && (algo)->func)

/***************************************************************************
 * New cipher object. If key == NULL - generate a random key.
 ***************************************************************************/
libVES_Cipher *libVES_Cipher_new(const struct libVES_CiAlgo *algo, struct libVES *ves, size_t keylen, const char *key);

/***************************************************************************
 * New cipher, default algorithm, randomly generated key.
 ***************************************************************************/
#define libVES_Cipher_generate(ves)	libVES_Cipher_new(ves->cipherAlgo, ves, 0, NULL)

libVES_Cipher *libVES_Cipher_forVEntry(size_t keylen, const char *key, struct libVES *ves);
int libVES_Cipher_proceed(libVES_Cipher *ci, int final, const char *srctext, size_t srclen, char **dsttext, int func(libVES_Cipher *ci, int final, const char *src, size_t srclen, char *dst));

/***************************************************************************
 * Decrypt stream. Returns the decrypted length, -1 on error,
 * If *plaintext == NULL - the buffer is allocated automatically.
 ***************************************************************************/
int libVES_Cipher_decrypt(libVES_Cipher *ci, int final, const char *ciphertext, size_t ctlen, char **plaintext);

/***************************************************************************
 * Encrypt stream. Returns the encrypted length, -1 on error.
 * If *ciphertext == NULL - the buffer is allocated automatically.
 ***************************************************************************/
int libVES_Cipher_encrypt(libVES_Cipher *ci, int final, const char *plaintext, size_t ptlen, char **ciphertext);

/***************************************************************************
 * Calculate the max expected length of a plaintext.
 * If (flags & LIBVES_CF_EXACT) is set after the call - the returned value
 * is the exact length.
 ***************************************************************************/
#define libVES_Cipher_decsize(ci, final, ciphertext, ptlen)	libVES_Cipher_decrypt(ci, final, ciphertext, ptlen, NULL)

/***************************************************************************
 * Calculate the max expected length of a ciphertext.
 * If (flags & LIBVES_CF_EXACT) is set after the call - the returned value
 * is the exact length.
 ***************************************************************************/
#define libVES_Cipher_encsize(ci, final, plaintext, ptlen)	libVES_Cipher_encrypt(ci, final, plaintext, ptlen, NULL)

/***************************************************************************
 * Seek to a specific position in plaintext & ciphertext.
 * Synopsis:
 *   libVES_Seek *sk = libVES_Cipher_seek(ci, NULL);
 *   // Set (sk->plainPos) or (sk->cipherPos) to the desired position      //
 *   sk = libVES_Cipher_seek(ci, sk);
 *   if (sk->flags & LIBVES_SK_FBK) {
 *     // Seek the ciphertext to (sk->cipherFbPos),                        //
 *     // Read at least (sk->cipherFbLen) bytes from the ciphertext,       //
 *     // Point (sk->cipherFb) to the read bytes.                          //
 *     sk = libVES_Cipher_seek(ci, sk);
 *   }
 *   if (sk->flags & LIBVES_SK_RDY) {
 *     // Seek the plaintext to (sk->plainPos),                            //
 *     // Seek the ciphertext to (sk->cipherPos),                          //
 *     // Proceed with encryption / decryption.                            //
 *   }
 ***************************************************************************/
struct libVES_Seek *libVES_Cipher_seek(libVES_Cipher *ci, struct libVES_Seek *sk);

char *libVES_Cipher_toStringl(libVES_Cipher *ci, size_t *len, char *buf);

const struct libVES_CiAlgo *libVES_Cipher_getAlgo(libVES_Cipher *ci);
struct jVar *libVES_Cipher_getMeta(libVES_Cipher *ci);
int libVES_Cipher_setMeta(libVES_Cipher *ci, struct jVar *jv);

#define libVES_Cipher_algoStr(algo)	((algo) ? (algo)->str : NULL)
const libVES_CiAlgo *libVES_Cipher_algoFromStr(const char *str);
void libVES_Cipher_reset(libVES_Cipher *ci);
void libVES_Cipher_free(libVES_Cipher *ci);

#define libVES_Seek_free(sk)	free(sk)

/***************************************************************************
 * Apps are encouraged to use custom stream cipher algorithms.
 * Make sure the string identifier of the algorithm (algo->str)
 * is unique within the scope of any apps the Vault Items can be shared with.
 * Registered algorithm is available to all libVES instances within the process.
 ***************************************************************************/
void libVES_Cipher_registerAlgo(const struct libVES_CiAlgo *algo);

/***************************************************************************
 * "NULL" cipher. No encryption implemented, secret metadata only.
 ***************************************************************************/
extern const struct libVES_CiAlgo libVES_CiAlgo_NULL;



/***************************************************************************
 *          ___       ___
 *         /   \     /   \    VESvault
 *         \__ /     \ __/    Encrypt Everything without fear of losing the Key
 *            \\     //                   https://vesvault.com https://ves.host
 *             \\   //
 *     ___      \\_//
 *    /   \     /   \         libVES:                      VESvault API library
 *    \__ /     \ __/
 *       \\     //            VES Utility:   A command line interface to libVES
 *        \\   //
 *         \\_//              - Key Management and Exchange
 *         /   \              - Item Encryption and Sharing
 *         \___/              - Stream Encryption
 *
 *
 * (c) 2018 VESvault Corp
 * Jim Zubov <jz@vesvault.com>
 *
 * GNU General Public License v3
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
 * copies of the Software, and permit persons to whom the Software is
 * furnished to do so, under the terms of the COPYING file.
 *
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 * KIND, either express or implied.
 *
 * libVES/File.h              libVES: File object, for user vault items.
 *                            Internal to libVES in this version.
 *
 ***************************************************************************/

typedef struct libVES_File {
    long long int id;
    char *name;
    char *mime;
    char *path;
    struct libVES_Ref *external;
    struct libVES_User *creator;
    int refct;
} libVES_File;

libVES_File *libVES_File_new(struct libVES_Ref *ref);
libVES_File *libVES_File_fromJVar(struct jVar *data);
struct jVar *libVES_File_toJVar(libVES_File *file);
char *libVES_File_toURI(libVES_File *file);

/***************************************************************************
 * Get a Verify Token that can be used instead of libVES Session Token to
 * allow retrieving creator and external on the file
 * without granting any other permissions.
 * free() the token when done.
 * See also libVES_VaultItem_fetchVerifyToken()
 ***************************************************************************/
#define libVES_File_fetchVerifyToken(file, ves)		((file) ? libVES_fetchVerifyToken("files", (file)->id, ves) : NULL)

#define libVES_File_getCreator(file)	((file) ? (file)->creator : NULL)

void libVES_File_free(libVES_File *file);



/***************************************************************************
 *          ___       ___
 *         /   \     /   \    VESvault
 *         \__ /     \ __/    Encrypt Everything without fear of losing the Key
 *            \\     //                   https://vesvault.com https://ves.host
 *             \\   //
 *     ___      \\_//
 *    /   \     /   \         libVES:                      VESvault API library
 *    \__ /     \ __/
 *       \\     //            VES Utility:   A command line interface to libVES
 *        \\   //
 *         \\_//              - Key Management and Exchange
 *         /   \              - Item Encryption and Sharing
 *         \___/              - Stream Encryption
 *
 *
 * (c) 2018 VESvault Corp
 * Jim Zubov <jz@vesvault.com>
 *
 * GNU General Public License v3
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
 * copies of the Software, and permit persons to whom the Software is
 * furnished to do so, under the terms of the COPYING file.
 *
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 * KIND, either express or implied.
 *
 * libVES/User.h              libVES: User object header
 *
 ***************************************************************************/

typedef struct libVES_User {
    long long int id;
    char *email;
    char *firstName;
    char *lastName;
    struct libVES_VaultKey *primary;
    int refct;
} libVES_User;
struct libVES_VaultKey;
struct libVES;

/***************************************************************************
 * Parse the userRef part of VES URI (ves://domain/externalId/userRef)
 ***************************************************************************/
libVES_User *libVES_User_fromPath(const char **path);

libVES_User *libVES_User_fromJVar(struct jVar *data);
struct jVar *libVES_User_toJVar(libVES_User *user);
struct libVES_List *libVES_User_vaultKeys2(libVES_User *user, struct libVES_List *lst, struct libVES *ves, const char *reqs, const char *rsps);

/***************************************************************************
 * Primary Vault Keys, current and shadow.
 * Push to lst, or to a new Vault Key list lst == NULL.
 ***************************************************************************/
#define libVES_User_activeVaultKeys(user, lst, ves)	libVES_User_vaultKeys2(user, lst, ves, "users?fields=activeVaultKeys(id,type,algo,publicKey)", "activeVaultKeys")

/***************************************************************************
 * Vault Keys for the user.
 * Push to lst, or to a new Vault Key list lst == NULL.
 ***************************************************************************/
#define libVES_User_vaultKeys(user, lst, ves)	libVES_User_vaultKeys2(user, lst, ves, "users?fields=vaultKeys(id,type,algo,publicKey,privateKey)", "vaultKeys")

/***************************************************************************
 * Authenticate using VESvault password, populate sesstkn,
 * return current primary Vault Key
 ***************************************************************************/
struct libVES_VaultKey *libVES_User_primary(libVES_User *user, const char *passwd, char **sesstkn, struct libVES *ves);

libVES_User *libVES_User_loadFields(libVES_User *user, struct libVES *ves);
#define libVES_User_getId(user)			((user) ? (user)->id : 0)
#define libVES_User_getEmail(user)		((user) ? (user)->email : NULL)
#define libVES_User_getFirstName(user)		((user) ? (user)->firstName : NULL)
#define libVES_User_getLastName(user)		((user) ? (user)->lastName : NULL)
char *libVES_User_getName1(libVES_User *user);
libVES_User *libVES_User_copy(libVES_User *user);
void libVES_User_free(libVES_User *user);



/***************************************************************************
 *          ___       ___
 *         /   \     /   \    VESvault
 *         \__ /     \ __/    Encrypt Everything without fear of losing the Key
 *            \\     //                   https://vesvault.com https://ves.host
 *             \\   //
 *     ___      \\_//
 *    /   \     /   \         libVES:                      VESvault API library
 *    \__ /     \ __/
 *       \\     //            VES Utility:   A command line interface to libVES
 *        \\   //
 *         \\_//              - Key Management and Exchange
 *         /   \              - Item Encryption and Sharing
 *         \___/              - Stream Encryption
 *
 *
 * (c) 2018 VESvault Corp
 * Jim Zubov <jz@vesvault.com>
 *
 * GNU General Public License v3
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
 * copies of the Software, and permit persons to whom the Software is
 * furnished to do so, under the terms of the COPYING file.
 *
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 * KIND, either express or implied.
 *
 * libVES/Ref.h               libVES: Object reference header
 *
 ***************************************************************************/

typedef struct libVES_Ref {
    char *domain;
    int refct;
    union {
	char externalId[0];
	long long int internalId;
    };
} libVES_Ref;

/***************************************************************************
 * New internalID ref, ves:///internalId[/...]
 ***************************************************************************/
libVES_Ref *libVES_Ref_new(long long int intId);

/***************************************************************************
 * New externalID ref, ves://domain/externalId[/...]
 ***************************************************************************/
libVES_Ref *libVES_External_new(const char *domain, const char *extId);

/***************************************************************************
 * Parse the domain and externalId, or the internalId, from the URI.
 * Upon return, *uri points to the next char after the parsed part.
 ***************************************************************************/
libVES_Ref *libVES_Ref_fromURI(const char **uri, struct libVES *ves);

libVES_Ref *libVES_External_fromJVar(struct jVar *data);
struct jVar *libVES_Ref_toJVar(libVES_Ref *ref, struct jVar *dst);
libVES_Ref *libVES_Ref_copy(libVES_Ref *ref);

const char *libVES_Ref_getDomain(libVES_Ref *ref);
const char *libVES_Ref_getExternalId(libVES_Ref *ref);
long long libVES_Ref_getInternalId(libVES_Ref *ref);

void libVES_Ref_free(libVES_Ref *ref);

/***************************************************************************
 * App level refcount management. After calling refup() any calls to
 * *_free() on obj will be ignored. Call refdn() to automatically
 * deallocate the object.
 * refup() returns obj, refdn returns obj or NULL if the object have been
 * deallocated by the call.
 * Both calls are NULL safe.
 ***************************************************************************/
libVES_Ref *libVES_Ref_refup(libVES_Ref *obj);
libVES_Ref *libVES_Ref_refdn(libVES_Ref *obj);



/***************************************************************************
 *          ___       ___
 *         /   \     /   \    VESvault
 *         \__ /     \ __/    Encrypt Everything without fear of losing the Key
 *            \\     //                   https://vesvault.com https://ves.host
 *             \\   //
 *     ___      \\_//
 *    /   \     /   \         libVES:                      VESvault API library
 *    \__ /     \ __/
 *       \\     //            VES Utility:   A command line interface to libVES
 *        \\   //
 *         \\_//              - Key Management and Exchange
 *         /   \              - Item Encryption and Sharing
 *         \___/              - Stream Encryption
 *
 *
 * (c) 2023 VESvault Corp
 * Jim Zubov <jz@vesvault.com>
 *
 * GNU General Public License v3
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
 * copies of the Software, and permit persons to whom the Software is
 * furnished to do so, under the terms of the COPYING file.
 *
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 * KIND, either express or implied.
 *
 * KeyStore.h                    libVES: Local key storage
 *
 ***************************************************************************/


#define	LIBVES_KS_NOPIN		0x01
#define	LIBVES_KS_NOSYNC	0x02
#define	LIBVES_KS_SAVE		0x04
#define	LIBVES_KS_PERSIST	0x08
#define	LIBVES_KS_SESS		0x10
#define	LIBVES_KS_RESYNC	0x20
#define	LIBVES_KS_FORGET	0x40
#define	LIBVES_KS_PRIMARY	0x80

struct libVES_KeyStore_dialog;
struct libVES_Ref;

typedef struct libVES_KeyStore {
    int (* getfn)(struct libVES_KeyStore *ks, const char *domain, const char *extid, char *val, int maxlen, int flags);
    int (* putfn)(struct libVES_KeyStore *ks, const char *domain, const char *extid, const char *val, int len, int flags);
    int (* deletefn)(struct libVES_KeyStore *ks, const char *domain, const char *extid, int flags);
    void *(* dialogfn)(struct libVES_KeyStore_dialog *dlg);
    void *(* dialogcb)(struct libVES_KeyStore_dialog *dlg);
    const struct libVES_KeyStore_api *api;
    void *store;
    void *ctl;
} libVES_KeyStore;

#define	LIBVES_KSD_INIT		0
#define	LIBVES_KSD_OPEN		1
#define	LIBVES_KSD_ERROR	2
#define	LIBVES_KSD_CLOSE	3
#define	LIBVES_KSD_EXPIRE	4
#define	LIBVES_KSD_DONE		15
#define	LIBVES_KSD_PIN		16
#define	LIBVES_KSD_PINRETRY	17
#define	LIBVES_KSD_SYNC		32
#define	LIBVES_KSD_NOUSER	33

typedef struct libVES_KeyStore_dialog {
    int len;
    int state;
    int retry;
    int flags;
    struct libVES_KeyStore *ks;
    struct libVES *ves;
    const struct libVES_KeyStore_api *api;
    void *ref;
    const char *domain;
    const char *extid;
    const char *email;
    const char *syncode;
    char *pin;
    int pinmax;
} libVES_KeyStore_dialog;

struct libVES_KeyStore_api {
    const char *locker;
    const char *msg;
    const char *exportkey;
    const char *importdone;
};

extern struct libVES_KeyStore_api libVES_KeyStore_api_default;


#define LIBVES_KEYSTORE_EXT2(name)	libVES_KeyStore_ ## name
#define LIBVES_KEYSTORE_EXT(name)	LIBVES_KEYSTORE_EXT2(name)
#ifdef LIBVES_KEYSTORE
extern struct libVES_KeyStore LIBVES_KEYSTORE_EXT(LIBVES_KEYSTORE);
#define libVES_KeyStore_default &LIBVES_KEYSTORE_EXT(LIBVES_KEYSTORE)
#endif


/***************************************************************************
 * Unlock ves using ks libVES_KeyStore module. Flags are LIBVES_KS_*
 * Set ks = NULL to use the default keystore.
 ***************************************************************************/
struct libVES *libVES_KeyStore_unlock(struct libVES_KeyStore *ks, struct libVES *ves, int flags);

/***************************************************************************
 * Save an externally supplied key identified by ref in the keystore ks.
 * Set ks = NULL to use the default keystore.
 ***************************************************************************/
int libVES_KeyStore_savekey(struct libVES_KeyStore *ks, const struct libVES_Ref *ref, size_t keylen, const char *key);



/***************************************************************************
 *          ___       ___
 *         /   \     /   \    VESvault
 *         \__ /     \ __/    Encrypt Everything without fear of losing the Key
 *            \\     //                   https://vesvault.com https://ves.host
 *             \\   //
 *     ___      \\_//
 *    /   \     /   \         libVES:                      VESvault API library
 *    \__ /     \ __/
 *       \\     //            VES Utility:   A command line interface to libVES
 *        \\   //
 *         \\_//              - Key Management and Exchange
 *         /   \              - Item Encryption and Sharing
 *         \___/              - Stream Encryption
 *
 *
 * (c) 2018 VESvault Corp
 * Jim Zubov <jz@vesvault.com>
 *
 * GNU General Public License v3
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
 * copies of the Software, and permit persons to whom the Software is
 * furnished to do so, under the terms of the COPYING file.
 *
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 * KIND, either express or implied.
 *
 * libVES/List.h              libVES: Dynamic list header
 *
 ***************************************************************************/
typedef struct libVES_List {
    const struct libVES_ListCtl *ctl;
    void **list;
    size_t len;
    size_t max;
    int refct;
} libVES_List;

typedef struct libVES_ListCtl {
    int (*cmpfn)(void *, void *);
    void (*freefn)(void *);
} libVES_ListCtl;

extern const libVES_ListCtl libVES_ListCtl_NULL;

libVES_List *libVES_List_new(const struct libVES_ListCtl *ctl);
void *libVES_List_add(struct libVES_List *lst, void *entry, int pos);
void libVES_List_remove(struct libVES_List *lst, void *entry);
#define libVES_List_unshift(lst, entry)		libVES_List_add(lst, entry, 0)
#define libVES_List_push(lst, entry)		libVES_List_add(lst, entry, -1)
void *libVES_List_find(struct libVES_List *lst, void *entry);
void **libVES_List_nextptr(struct libVES_List *lst, void **ptr);
void **libVES_List_prevptr(struct libVES_List *lst, void **ptr);
#define libVES_List_next(lst, ptr, type)	((type **)libVES_List_nextptr(lst, (void **)ptr))
#define libVES_List_prev(lst, ptr, type)	((type **)libVES_List_prevptr(lst, (void **)ptr))
void libVES_List_free(struct libVES_List *lst);

#define libVES_List_STATIC(var, ctrl, length, ...)	const void *var ## LST[length] = { __VA_ARGS__ }; libVES_List var = { .ctl = (ctrl), .len = length, .max = 0, .list = (void **) var ## LST }
#define libVES_List_STATIC0(var, ctrl)			libVES_List var = { .ctl = (ctrl), .len = 0, .max = 0, .list = NULL }



/***************************************************************************
 *          ___       ___
 *         /   \     /   \    VESvault
 *         \__ /     \ __/    Encrypt Everything without fear of losing the Key
 *            \\     //                   https://vesvault.com https://ves.host
 *             \\   //
 *     ___      \\_//
 *    /   \     /   \         libVES:                      VESvault API library
 *    \__ /     \ __/
 *       \\     //            VES Utility:   A command line interface to libVES
 *        \\   //
 *         \\_//              - Key Management and Exchange
 *         /   \              - Item Encryption and Sharing
 *         \___/              - Stream Encryption
 *
 *
 * (c) 2018 VESvault Corp
 * Jim Zubov <jz@vesvault.com>
 *
 * GNU General Public License v3
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
 * copies of the Software, and permit persons to whom the Software is
 * furnished to do so, under the terms of the COPYING file.
 *
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 * KIND, either express or implied.
 *
 * libVES/KeyAlgo_EVP.h       libVES: Vault Key algo header, via OpenSSL EVP
 *
 ***************************************************************************/

/***************************************************************************
 * RSA via EVP
 ***************************************************************************/
extern const struct libVES_KeyAlgo libVES_KeyAlgo_RSA;
#define libVES_KeyAlgo_RSA_defaultBits		4096

/***************************************************************************
 * ECDH via EVP
 ***************************************************************************/
extern const struct libVES_KeyAlgo libVES_KeyAlgo_ECDH;
#define libVES_KeyAlgo_ECDH_defaultCurve	NID_secp521r1

extern void *libVES_KeyAlgo_autoEVPfn;
extern void *libVES_KeyAlgo_autoPEMfn;

/***************************************************************************
 * Pseudo algo - autodetect from EVP private key
 ***************************************************************************/
#define libVES_KeyAlgo_autoEVP		libVES_KeyAlgo_pseudo(libVES_KeyAlgo_autoEVPfn)

/***************************************************************************
 * Pseudo algo - autodetect from PEM private key
 ***************************************************************************/
#define libVES_KeyAlgo_autoPEM		libVES_KeyAlgo_pseudo(libVES_KeyAlgo_autoPEMfn)

/***************************************************************************
 * Private PEM to EVP, use veskey if encrypted
 ***************************************************************************/
struct evp_pkey_st *libVES_KeyAlgo_EVP_fromPEM(const struct libVES_veskey *veskey, const char *pem);

/***************************************************************************
 * Private EVP to PEM, encrypted if veskey != NULL
 ***************************************************************************/
char *libVES_KeyAlgo_EVP_toPEM(const struct libVES_veskey *veskey, struct evp_pkey_st *pkey);


int libVES_KeyAlgo_EVP_veskey_cb(char *buf, int size, int rwflag, void *u);



/***************************************************************************
 *          ___       ___
 *         /   \     /   \    VESvault
 *         \__ /     \ __/    Encrypt Everything without fear of losing the Key
 *            \\     //                   https://vesvault.com https://ves.host
 *             \\   //
 *     ___      \\_//
 *    /   \     /   \         libVES:                      VESvault API library
 *    \__ /     \ __/
 *       \\     //            VES Utility:   A command line interface to libVES
 *        \\   //
 *         \\_//              - Key Management and Exchange
 *         /   \              - Item Encryption and Sharing
 *         \___/              - Stream Encryption
 *
 *
 * (c) 2022 VESvault Corp
 * Jim Zubov <jz@vesvault.com>
 *
 * GNU General Public License v3
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
 * copies of the Software, and permit persons to whom the Software is
 * furnished to do so, under the terms of the COPYING file.
 *
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 * KIND, either express or implied.
 *
 * libVES/KeyAlgo_OQS.h       libVES: Vault Key algo header, via libOQS
 *
 ***************************************************************************/

/***************************************************************************
 * libOQS KEM Wrapper
 ***************************************************************************/
typedef struct libVES_KeyAlgo_OQS_Key {
    struct OQS_KEM *kem;
    void *pub;
    void *priv;
} libVES_KeyAlgo_OQS_Key;

extern const struct libVES_KeyAlgo libVES_KeyAlgo_OQS;
#define libVES_KeyAlgo_OQS_defaultAlgo		"Kyber768"

#define libVES_KeyAlgo_OQS_OID			"1.3.6.1.4.1.53675.3.5"



/***************************************************************************
 *          ___       ___
 *         /   \     /   \    VESvault
 *         \__ /     \ __/    Encrypt Everything without fear of losing the Key
 *            \\     //                   https://vesvault.com https://ves.host
 *             \\   //
 *     ___      \\_//
 *    /   \     /   \         libVES:                      VESvault API library
 *    \__ /     \ __/
 *       \\     //            VES Utility:   A command line interface to libVES
 *        \\   //
 *         \\_//              - Key Management and Exchange
 *         /   \              - Item Encryption and Sharing
 *         \___/              - Stream Encryption
 *
 *
 * (c) 2018 VESvault Corp
 * Jim Zubov <jz@vesvault.com>
 *
 * GNU General Public License v3
 * You may opt to use, copy, modify, merge, publish, distribute and/or sell
 * copies of the Software, and permit persons to whom the Software is
 * furnished to do so, under the terms of the COPYING file.
 *
 * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
 * KIND, either express or implied.
 *
 * libVES/CiAlgo_AES.h        libVES: Stream cipher AES* algorithm header
 *
 ***************************************************************************/


typedef struct libVES_CiAlgo_AESgcm {
    unsigned char key[32];
    unsigned char seed[12];
    unsigned char iv[12];
    size_t offs;
    union {
	char *pbuf;
	struct {
	    void *mdctx;
	    char gbuf[16];
	};
    };
} libVES_CiAlgo_AESgcm;

typedef struct libVES_CiAlgo_AEScfb {
    unsigned char key[32];
    unsigned char seed[32];
    unsigned char iv[32];
} libVES_CiAlgo_AEScfb;


#define libVES_Cipher_KEYLENforVEntry	(sizeof(((libVES_CiAlgo_AESgcm *)0)->key) + sizeof(((libVES_CiAlgo_AESgcm *)0)->seed))
#define libVES_Cipher_PADLENforVEntry	48


/***************************************************************************
 * AES256GCM1K
 * Chunked seekable GCM stream cipher with integrity check.
 ***************************************************************************/
extern const struct libVES_CiAlgo libVES_CiAlgo_AES256GCM1K;

/***************************************************************************
 * AES256CFB
 * Seekable CFB stream cipher, no integrity check.
 ***************************************************************************/
extern const struct libVES_CiAlgo libVES_CiAlgo_AES256CFB;

/***************************************************************************
 * AES256GCMp
 * Padded GCM, used internally for Vault Item content.
 ***************************************************************************/
extern const struct libVES_CiAlgo libVES_CiAlgo_AES256GCMp;