+
+ bulkalgs *(*getalgs)(const algswitch */*asw*/, dstr */*e*/,
+ key_file */*kf*/, key */*k*/);
+ /* Determine algorithms to use and return a @bulkalgs@ object
+ * representing the decision. On error, write tokens to @e@ and
+ * return null.
+ */
+
+ T( void (*tracealgs)(const bulkalgs */*a*/); )
+ /* Write trace information about the algorithm selection. */
+
+ int (*checkalgs)(bulkalgs */*a*/, const algswitch */*asw*/, dstr */*e*/);
+ /* Check that the algorithms in @a@ and @asw@ are acceptable. On
+ * error, write tokens to @e@ and return @-1@; otherwise return zero.
+ */
+
+ int (*samealgsp)(const bulkalgs */*a*/, const bulkalgs */*aa*/);
+ /* If @a@ and @aa@ represent the same algorithm selection, return
+ * nonzero; if not, return zero.
+ */
+
+ void (*alginfo)(const bulkalgs */*a*/, admin */*adm*/);
+ /* Report on the algorithm selection to an admin client: call
+ * @a_info@ with appropriate key-value pairs.
+ */
+
+ size_t (*overhead)(const bulkalgs */*a*/);
+ /* Return the per-packet overhead of the bulk transform, in bytes. */
+
+ size_t (*expsz)(const bulkalgs */*a*/);
+ /* Return the total size limit for the bulk transform, in bytes,
+ * after which the keys must no longer be used.
+ */
+
+ bulkctx *(*genkeys)(const bulkalgs */*a*/, const struct rawkey */*rk*/);
+ /* Generate session keys and construct and return an appropriate
+ * context for using them, by calling @ks_derive@.
+ */
+
+ bulkchal *(*genchal)(const bulkalgs */*a*/);
+ /* Construct and return a challenge issuing and verification
+ * context with a fresh random key.
+ */
+
+ void (*freealgs)(bulkalgs */*a*/);
+ /* Release an algorithm selection object. (Associated bulk
+ * encryption contexts and challenge contexts may still exist and
+ * must remain valid.)
+ */
+
+ int (*encrypt)(bulkctx */*bc*/, unsigned /*ty*/,
+ buf */*b*/, buf */*bb*/, uint32 /*seq*/);
+ /* Encrypt the packet in @b@, with type @ty@ (which doesn't need
+ * encoding separately) and sequence number @seq@ (which must be
+ * recoverable by @decrypt@), and write the result to @bb@. On
+ * error, return a @KSERR_...@ code and/or break the output buffer.
+ */
+
+ int (*decrypt)(bulkctx */*bc*/, unsigned /*ty*/,