+ * Asymmetric pubkey cryptosystem (apc).
+ *
+ * This is just RSA, but this fact is a hidden implementation detail.
+ */
+
+/** The size of the challenge sent to the client. */
+#define APC_CHALLENGE_SIZE 64
+
+/** Opaque structure for public and private keys. */
+struct asymmetric_key;
+
+/**
+ * Encrypt a buffer using asymmetric keys.
+ *
+ * \param pub: The public key.
+ * \param inbuf The input buffer.
+ * \param len The length of \a inbuf.
+ * \param outbuf The output buffer.
+ *
+ * \return The size of the encrypted data on success, negative on errors.
+ */
+int apc_pub_encrypt(struct asymmetric_key *pub, unsigned char *inbuf,
+ unsigned len, unsigned char *outbuf);
+
+/**
+ * Decrypt a buffer using a private key.
+ *
+ * \param key_file Full path of the key.
+ * \param outbuf The output buffer.
+ * \param inbuf The encrypted input buffer.
+ * \param inlen The length of \a inbuf.
+ *
+ * The \a outbuf must be large enough to hold at least 512 bytes.
+ *
+ * \return The size of the recovered plaintext on success, negative on errors.
+ */
+int apc_priv_decrypt(const char *key_file, unsigned char *outbuf,
+ unsigned char *inbuf, int inlen);
+
+/**
+ * Read an asymmetric key from a file.
+ *
+ * \param key_file The file containing the key.
+ * \param result The key structure is returned here.
+ *
+ * \return The size of the key on success, negative on errors.
+ */
+int apc_get_pubkey(const char *key_file, struct asymmetric_key **result);
+
+/**
+ * Deallocate a public key.
+ *
+ * \param key Pointer to the key structure to free.
+ *
+ * This should be called for keys obtained by \ref apc_get_pubkey() if the key is no
+ * longer needed.
+ */
+void apc_free_pubkey(struct asymmetric_key *key);
+
+
+/**
+ * Fill a buffer with random content.
+ *
+ * \param buf The buffer to fill.
+ * \param num The size of \a buf in bytes.
+ *
+ * This function puts \a num cryptographically strong pseudo-random bytes into
+ * buf. If it can not guarantee an unpredictable byte sequence (for example
+ * because the PRNG has not been seeded with enough randomness) the function
+ * logs an error message and calls exit().
+ */
+void get_random_bytes_or_die(unsigned char *buf, int num);
+
+/**
+ * Initialize the crypto backend.
+ *
+ * This function initializes the crypto library and seeds the pseudo random
+ * number generator used by random() with a random seed obtained from the
+ * crypto implementation. On errors, an error message is logged and the
+ * function calls exit().
+ *
+ * \sa \ref get_random_bytes_or_die(), srandom(3), random(3), \ref
+ * para_random().
+ */
+void crypt_init(void);
+
+/** Allocate all resources of the crypto backend. */
+void crypt_shutdown(void);
+
+/** Opaque structure for stream ciphers. */
+struct stream_cipher;
+
+/** Number of bytes of the session key for stream ciphers. */
+#define SESSION_KEY_LEN 32
+
+/**
+ * Used for client-server communication encryption.