+/* --- @ks_drop@ --- *
+ *
+ * Arguments: @keyset *ks@ = pointer to a keyset
+ *
+ * Returns: ---
+ *
+ * Use: Decrements a keyset's reference counter. If the counter hits
+ * zero, the keyset is freed.
+ */
+
+extern void ks_drop(keyset */*ks*/);
+
+/* --- @ks_gen@ --- *
+ *
+ * Arguments: @const void *k@ = pointer to key material
+ * @size_t x, y, z@ = offsets into key material (see below)
+ *
+ * Returns: A pointer to the new keyset.
+ *
+ * Use: Derives a new keyset from the given key material. The
+ * offsets @x@, @y@ and @z@ separate the key material into three
+ * parts. Between the @k@ and @k + x@ is `my' contribution to
+ * the key material; between @k + x@ and @k + y@ is `your'
+ * contribution; and between @k + y@ and @k + z@ is a shared
+ * value we made together. These are used to construct two
+ * pairs of symmetric keys. Each pair consists of an encryption
+ * key and a message authentication key. One pair is used for
+ * outgoing messages, the other for incoming messages.
+ *
+ * The new key is marked so that it won't be selected for output
+ * by @ksl_encrypt@. You can still encrypt data with it by
+ * calling @ks_encrypt@ directly.
+ */
+
+extern keyset *ks_gen(const void */*k*/,
+ size_t /*x*/, size_t /*y*/, size_t /*z*/);
+
+/* --- @ks_tregen@ --- *
+ *
+ * Arguments: @keyset *ks@ = pointer to a keyset
+ *
+ * Returns: The time at which moves ought to be made to replace this key.
+ */
+
+extern time_t ks_tregen(keyset */*ks*/);
+
+/* --- @ks_activate@ --- *
+ *
+ * Arguments: @keyset *ks@ = pointer to a keyset
+ *
+ * Returns: ---
+ *
+ * Use: Activates a keyset, so that it can be used for encrypting
+ * outgoing messages.
+ */
+
+extern void ks_activate(keyset */*ks*/);
+
+/* --- @ks_encrypt@ --- *
+ *
+ * Arguments: @keyset *ks@ = pointer to a keyset
+ * @buf *b@ = pointer to input buffer
+ * @buf *bb@ = pointer to output buffer
+ *
+ * Returns: Zero if OK, nonzero if the key needs replacing. If the
+ * encryption failed, the output buffer is broken and zero is
+ * returned.
+ *
+ * Use: Encrypts a block of data using the key. Note that the `key
+ * ought to be replaced' notification is only ever given once
+ * for each key. Also note that this call forces a keyset to be
+ * used even if it's marked as not for data output.
+ */
+
+extern int ks_encrypt(keyset */*ks*/, buf */*b*/, buf */*bb*/);
+
+/* --- @ks_decrypt@ --- *
+ *
+ * Arguments: @keyset *ks@ = pointer to a keyset
+ * @buf *b@ = pointer to an input buffer
+ * @buf *bb@ = pointer to an output buffer
+ *
+ * Returns: Zero on success, or nonzero if there was some problem.
+ *
+ * Use: Attempts to decrypt a message using a given key. Note that
+ * requesting decryption with a key directly won't clear a
+ * marking that it's not for encryption.
+ */
+
+extern int ks_decrypt(keyset */*ks*/, buf */*b*/, buf */*bb*/);
+
+/* --- @ksl_free@ --- *