*** client-src/client_util.c	2002/10/30 17:31:19	1.1
--- client-src/client_util.c	2002/10/31 17:47:17
***************
*** 396,401 ****
--- 396,402 ----
      options->krb4_auth = 0;
      options->kencrypt = 0;
  #endif
+     options->sencrypt = 0;
      options->exclude_file = NULL;
      options->exclude_list = NULL;
      options->include_file = NULL;
***************
*** 548,553 ****
--- 549,564 ----
  	    options->kencrypt = 1;
  	}
  #endif
+ 	else if(strcmp(tok, "sencrypt") == 0) {
+ 	    if(options->sencrypt != 0) {
+ 		dbprintf(("%s: multiple sencrypt option\n", 
+ 			  debug_prefix(NULL)));
+ 		if(verbose) {
+ 		    printf("ERROR [multiple sencrypt option]\n");
+ 		}
+ 	    }
+ 	    options->sencrypt = 1;
+ 	}
  	else if(strcmp(tok, "exclude-optional") == 0) {
  	    if(options->exclude_optional != 0) {
  		dbprintf(("%s: multiple exclude-optional option\n", 
*** client-src/client_util.h	2002/10/30 17:30:04	1.1
--- client-src/client_util.h	2002/10/31 17:47:18
***************
*** 51,56 ****
--- 51,57 ----
      int krb4_auth;
      int kencrypt;
  #endif
+     int sencrypt;
  } option_t;
  
  typedef struct g_option_s {
*** client-src/sendbackup-dump.c	2002/10/30 17:12:58	1.1
--- client-src/sendbackup-dump.c	2002/10/31 17:47:18
***************
*** 128,133 ****
--- 128,134 ----
      char *cmd = NULL;
      char *indexcmd = NULL;
      char level_str[NUM_STR_SIZE];
+     int cryptout, compout;
  
      ap_snprintf(level_str, sizeof(level_str), "%d", level);
  
***************
*** 136,141 ****
--- 137,154 ----
  
      NAUGHTY_BITS;
  
+     dumpout = dataf;
+     cryptpid = -1;
+     cryptout = -1;
+     if(options->sencrypt) {
+ 	cryptout = dumpout;
+ 	cryptpid = pipespawn(ENCRYPT_PATH, STDIN_PIPE,
+ 			&dumpout, &cryptout, &mesgf,
+ 			ENCRYPT_PATH, ENCRYPT_OPT, NULL);
+     }
+ 
+     comppid = -1;
+     compout = -1;
      if(options->compress == COMPR_FAST || options->compress == COMPR_BEST) {
  	char *compopt = skip_argument;
  
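Review bot: The encrypt child started in the added `if(options->sencrypt)` block leaves no trace in the debug log, while the compress branch further down logs its pid and command line, so a failed or misbehaving encryptor is hard to tie to a process afterwards. Add `dbprintf(("%s: pid %ld: %s %s\n", debug_prefix_time("-dump"), (long)cryptpid, ENCRYPT_PATH, ENCRYPT_OPT));` right after the `pipespawn` call. A one-line comment stating that the resulting pipeline is dump, then compress, then encrypt, then `dataf` (as far as the two `pipespawn` calls show) would also help, because the spawn order reads back to front. The same block is repeated in sendbackup-gnutar.c, where the prefix would be `"-gnutar"`, and needs the same two additions; the enclosing function starts and ends outside this hunk.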
***************
*** 146,153 ****
  	    compopt = COMPRESS_FAST_OPT;
  	}
  #endif
  	comppid = pipespawn(COMPRESS_PATH, STDIN_PIPE,
! 			    &dumpout, &dataf, &mesgf,
  			    COMPRESS_PATH, compopt, NULL);
  	dbprintf(("%s: pid %ld: %s",
  		  debug_prefix_time("-dump"), (long)comppid, COMPRESS_PATH));
--- 159,167 ----
  	    compopt = COMPRESS_FAST_OPT;
  	}
  #endif
+ 	compout = dumpout;
  	comppid = pipespawn(COMPRESS_PATH, STDIN_PIPE,
! 			    &dumpout, &compout, &mesgf,
  			    COMPRESS_PATH, compopt, NULL);
  	dbprintf(("%s: pid %ld: %s",
  		  debug_prefix_time("-dump"), (long)comppid, COMPRESS_PATH));
***************
*** 155,163 ****
  	    dbprintf((" %s", compopt));
  	}
  	dbprintf(("\n"));
-     } else {
- 	dumpout = dataf;
- 	comppid = -1;
      }
  
      /* invoke dump */
--- 169,174 ----
***************
*** 375,380 ****
--- 386,393 ----
      aclose(mesgf);
      if (options->createindex)
  	aclose(indexf);
+     if (compout >= 0) aclose(compout);
+     if (cryptout >= 0) aclose(cryptout);
  }
  
  static void end_backup(status)
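Review bot: `cryptout` (or `compout` when only compression is enabled) still holds the descriptor number of `dataf`, because both were copied from `dumpout` while it was equal to `dataf`, so the two added `aclose` calls can close a descriptor the function also closes under its own name. The lines above this hunk are not visible here; if `dataf` is closed there, the second close hits a number that may by then belong to another open file. In that case only the intermediate pipe end needs closing, and it exists only when both stages run: `if (options->sencrypt && compout >= 0) aclose(compout);`. The identical hunk in sendbackup-gnutar.c has the same issue.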
*** client-src/sendbackup-gnutar.c	2002/10/30 17:21:21	1.1
--- client-src/sendbackup-gnutar.c	2002/10/31 17:47:18
***************
*** 148,153 ****
--- 148,154 ----
      amandates_t *amdates;
      time_t prev_dumptime;
      char *error_pn = NULL;
+     int cryptout, compout;
  
      error_pn = stralloc2(get_pname(), "-smbclient");
  
***************
*** 156,161 ****
--- 157,174 ----
  
      NAUGHTY_BITS;
  
+     dumpout = dataf;
+     cryptpid = -1;
+     cryptout = -1;
+     if(options->sencrypt) {
+ 	cryptout = dumpout;
+ 	cryptpid = pipespawn(ENCRYPT_PATH, STDIN_PIPE,
+ 			&dumpout, &cryptout, &mesgf,
+ 			ENCRYPT_PATH, ENCRYPT_OPT, NULL);
+      }
+   
+     comppid = -1;
+     compout = -1;
      if(options->compress == COMPR_FAST || options->compress == COMPR_BEST) {
  	char *compopt = skip_argument;
  
***************
*** 166,173 ****
  	    compopt = COMPRESS_FAST_OPT;
  	}
  #endif
  	comppid = pipespawn(COMPRESS_PATH, STDIN_PIPE,
! 			    &dumpout, &dataf, &mesgf,
  			    COMPRESS_PATH, compopt, NULL);
  	dbprintf(("%s: pid %ld: %s",
  		  debug_prefix_time("-gnutar"), (long)comppid, COMPRESS_PATH));
--- 179,187 ----
  	    compopt = COMPRESS_FAST_OPT;
  	}
  #endif
+ 	compout = dumpout;
  	comppid = pipespawn(COMPRESS_PATH, STDIN_PIPE,
! 			    &dumpout, &compout, &mesgf,
  			    COMPRESS_PATH, compopt, NULL);
  	dbprintf(("%s: pid %ld: %s",
  		  debug_prefix_time("-gnutar"), (long)comppid, COMPRESS_PATH));
***************
*** 175,183 ****
  	    dbprintf((" %s", compopt));
  	}
  	dbprintf(("\n"));
-     } else {
- 	dumpout = dataf;
- 	comppid = -1;
      }
  
  #ifdef GNUTAR_LISTED_INCREMENTAL_DIR					/* { */
--- 189,194 ----
***************
*** 545,550 ****
--- 556,563 ----
      aclose(mesgf);
      if (options->createindex)
  	aclose(indexf);
+     if (compout >= 0) aclose(compout);
+     if (cryptout >= 0) aclose(cryptout);
  }
  
  static void end_backup(goterror)
*** client-src/sendbackup.c	2002/10/30 17:25:06	1.1
--- client-src/sendbackup.c	2002/10/31 17:47:19
***************
*** 41,46 ****
--- 41,47 ----
  
  #define TIMEOUT 30
  
+ int cryptpid = -1;
  int comppid = -1;
  int dumppid = -1;
  int tarpid = -1;
***************
*** 88,93 ****
--- 89,95 ----
      char *bsd_opt = "";
      char *krb4_opt = "";
      char *kencrypt_opt = "";
+     char *sencrypt_opt = "";
      char *index_opt = "";
      char *exclude_file_opt;
      char *exclude_list_opt;
***************
*** 108,113 ****
--- 110,116 ----
      if(options->krb4_auth) krb4_opt = "krb4-auth;";
      if(options->kencrypt) kencrypt_opt = "kencrypt;";
  #endif
+     if(options->sencrypt) sencrypt_opt = "sencrypt;";
      if(options->createindex) index_opt = "index;";
  
      exclude_file_opt = stralloc("");
***************
*** 130,135 ****
--- 133,139 ----
  			  bsd_opt,
  			  krb4_opt,
  			  kencrypt_opt,
+ 			  sencrypt_opt,
  			  index_opt,
  			  exclude_file_opt,
  			  exclude_list_opt,
***************
*** 502,507 ****
--- 506,512 ----
      if(pid == comppid) return "compress";
      if(pid == encpid)  return "kencrypt";
      if(pid == indexpid) return "index";
+     if(pid == cryptpid)  return "sencrypt";
      return "unknown";
  }
  
*** client-src/sendbackup.h	2002/10/30 17:29:01	1.1
--- client-src/sendbackup.h	2002/10/31 17:47:19
***************
*** 83,85 ****
--- 83,94 ----
  
  extern backup_program_t *programs[], *program;
  
+ #ifndef ENCRYPT_PATH
+ #define ENCRYPT_PATH	"/local/bin/sst"
+ #ifdef ENCRYPT_OPT
+ #undef ENCRYPT_OPT
+ #endif
+ #define ENCRYPT_OPT	"-celv"
+ /* #define ENCRYPT_OPT	"-celddd"	/* enable debugging messages */
+ #endif
+ extern int cryptpid;
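Review bot: `ENCRYPT_OPT` is defined only inside the `#ifndef ENCRYPT_PATH` guard, so a build that overrides `ENCRYPT_PATH` alone is left without `ENCRYPT_OPT`, and a build that overrides only `ENCRYPT_OPT` has its value discarded. Give each macro its own guard (`#ifndef ENCRYPT_OPT` / `#define ENCRYPT_OPT "-celv"` / `#endif`) and drop the `#undef`. The default `/local/bin/sst` is a fixed path to a program that sits in the backup data path, so a comment should state that the file and its directory must be writable only by the administrator, or the path should be set at configure time. The commented-out debug line opens a second `/*` inside a comment, which draws a compiler warning; `DECRYPT_PATH` and `DECRYPT_OPT` in dumper.c follow the same pattern.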
*** common-src/amfeatures.c	2002/10/30 18:07:25	1.1
--- common-src/amfeatures.c	2002/10/31 17:47:39
***************
*** 91,96 ****
--- 91,98 ----
  	am_add_feature(f, fe_options_krb4_auth);
  	am_add_feature(f, fe_options_kencrypt);
  
+ 	am_add_feature(f, fe_options_sencrypt);
+ 
  	am_add_feature(f, fe_req_options_maxdumps);
  	am_add_feature(f, fe_req_options_hostname);
  	am_add_feature(f, fe_req_options_features);
***************
*** 138,143 ****
--- 140,147 ----
  	am_add_feature(f, fe_options_exclude_list);
  	am_add_feature(f, fe_options_krb4_auth);
  	am_add_feature(f, fe_options_kencrypt);
+ 
+ 	am_add_feature(f, fe_options_sencrypt);
  
  	am_add_feature(f, fe_req_options_maxdumps);
  	am_add_feature(f, fe_req_options_hostname);
*** common-src/amfeatures.h	2002/10/30 18:06:41	1.1
--- common-src/amfeatures.h	2002/10/31 17:47:40
***************
*** 112,117 ****
--- 112,119 ----
      fe_options_bsd_auth,
      fe_options_krb4_auth,
      fe_options_kencrypt,
+ 
+     fe_options_sencrypt,
  
      fe_req_options_maxdumps,
      fe_req_options_hostname,
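Review bot: `fe_options_sencrypt` is inserted in the middle of the enum, which renumbers `fe_req_options_maxdumps` and every feature after it. If the feature set is exchanged between client and server by enum position, as `am_has_feature(their_features, ...)` in diskfile.c suggests, a patched host and an unpatched one will disagree on what each bit means, including whether the peer supports `sencrypt`. Append the new value after the last existing feature instead and add a comment that existing values must keep their numbers. The enum's start and end are outside this hunk.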
*** server-src/amadmin.c	2002/10/30 17:37:07	1.1
--- server-src/amadmin.c	2002/10/31 17:48:07
***************
*** 1486,1491 ****
--- 1486,1492 ----
  	break;
      }
      printf("        kencrypt %s\n", (dp->kencrypt? "YES" : "NO"));
+     printf("        sencrypt %s\n", (dp->sencrypt? "YES" : "NO"));
  
      printf("        holdingdisk %s\n", (!dp->no_hold? "YES" : "NO"));
      printf("        record %s\n", (dp->record? "YES" : "NO"));
*** server-src/conffile.c	2002/10/30 17:37:50	1.1
--- server-src/conffile.c	2002/10/31 17:48:08
***************
*** 87,93 ****
      OPTIONS, PRIORITY, FREQUENCY, INDEX,
      STARTTIME, COMPRESS, AUTH, STRATEGY,
      SKIP_INCR, SKIP_FULL, RECORD, HOLDING,
!     EXCLUDE, INCLUDE, KENCRYPT, IGNORE, COMPRATE,
  
      /* tape type */
      /*COMMENT,*/ BLOCKSIZE, FILE_PAD, LBL_TEMPL, FILEMARK, LENGTH, SPEED,
--- 87,93 ----
      OPTIONS, PRIORITY, FREQUENCY, INDEX,
      STARTTIME, COMPRESS, AUTH, STRATEGY,
      SKIP_INCR, SKIP_FULL, RECORD, HOLDING,
!     EXCLUDE, INCLUDE, KENCRYPT, SENCRYPT, IGNORE, COMPRATE,
  
      /* tape type */
      /*COMMENT,*/ BLOCKSIZE, FILE_PAD, LBL_TEMPL, FILEMARK, LENGTH, SPEED,
***************
*** 1203,1208 ****
--- 1203,1209 ----
      { "INCLUDE", INCLUDE },
      { "INDEX", INDEX },
      { "KENCRYPT", KENCRYPT },
+     { "SENCRYPT", SENCRYPT },
      { "MAXCYCLE", MAXCYCLE },	/* XXX - historical */
      { "MAXDUMPS", MAXDUMPS },
      { "OPTIONS", OPTIONS },	/* XXX - historical */
***************
*** 1314,1319 ****
--- 1315,1324 ----
  	    get_simple(&tmpval, &dpcur.s_kencrypt, BOOL);
  	    dpcur.kencrypt = (tmpval.i != 0);
  	    break;
+ 	case SENCRYPT:
+ 	    get_simple(&tmpval, &dpcur.s_sencrypt, BOOL);
+ 	    dpcur.sencrypt = (tmpval.i != 0);
+ 	    break;
  	case MAXCYCLE:
  	    get_simple((val_t *)&conf_maxcycle, &dpcur.s_maxcycle, INT);
  	    break;
***************
*** 1425,1430 ****
--- 1430,1436 ----
      dpcur.skip_incr = dpcur.skip_full = 0;
      dpcur.no_hold = 0;
      dpcur.kencrypt = 0;
+     dpcur.sencrypt = 0;
      dpcur.ignore = 0;
      dpcur.index = 0;
  
***************
*** 1449,1454 ****
--- 1455,1461 ----
      dpcur.s_skip_full = 0;
      dpcur.s_no_hold = 0;
      dpcur.s_kencrypt = 0;
+     dpcur.s_sencrypt = 0;
      dpcur.s_ignore = 0;
      dpcur.s_index = 0;
  }
***************
*** 1506,1511 ****
--- 1513,1519 ----
      dtcopy(skip_full, s_skip_full);
      dtcopy(no_hold, s_no_hold);
      dtcopy(kencrypt, s_kencrypt);
+     dtcopy(sencrypt, s_sencrypt);
      dtcopy(ignore, s_ignore);
      dtcopy(index, s_index);
  }
***************
*** 1796,1801 ****
--- 1804,1810 ----
      { "EXCLUDE-FILE", EXCLUDE_FILE },
      { "EXCLUDE-LIST", EXCLUDE_LIST },
      { "KENCRYPT", KENCRYPT },
+     { "SENCRYPT", SENCRYPT },
      { "SKIP-FULL", SKIP_FULL },
      { "SKIP-INCR", SKIP_INCR },
      { NULL, IDENT }
***************
*** 1825,1830 ****
--- 1834,1840 ----
  	    dpcur.exclude_list = append_sl(dpcur.exclude_list, stralloc(tokenval.s));
  	    break;
  	case KENCRYPT:   ckseen(&dpcur.s_kencrypt);  dpcur.kencrypt = 1; break;
+ 	case SENCRYPT:   ckseen(&dpcur.s_sencrypt);  dpcur.sencrypt = 1; break;
  	case SKIP_INCR:  ckseen(&dpcur.s_skip_incr); dpcur.skip_incr= 1; break;
  	case SKIP_FULL:  ckseen(&dpcur.s_skip_full); dpcur.skip_full= 1; break;
  	case INDEX:      ckseen(&dpcur.s_index);     dpcur.index    = 1; break;
***************
*** 2867,2872 ****
--- 2877,2883 ----
  	if(dp->skip_full) printf(" SKIP-FULL");
  	if(dp->no_hold) printf(" NO-HOLD");
  	if(dp->kencrypt) printf(" KENCRYPT");
+ 	if(dp->sencrypt) printf(" SENCRYPT");
  	/* an ignored disk will never reach this point */
  	assert(!dp->ignore);
  	if(dp->index) printf(" INDEX");
*** server-src/conffile.h	2002/10/30 17:41:50	1.1
--- server-src/conffile.h	2002/10/31 17:48:08
***************
*** 152,157 ****
--- 152,158 ----
      unsigned int skip_full:1;
      unsigned int no_hold:1;
      unsigned int kencrypt:1;
+     unsigned int sencrypt:1;
      unsigned int ignore:1;
      unsigned int index:1;
  
***************
*** 179,184 ****
--- 180,186 ----
      int s_skip_full;
      int s_no_hold;
      int s_kencrypt;
+     int s_sencrypt;
      int s_ignore;
      int s_index;
  } dumptype_t;
*** server-src/diskfile.c	2002/10/30 17:43:02	1.1
--- server-src/diskfile.c	2002/10/31 17:48:08
***************
*** 428,433 ****
--- 428,434 ----
      disk->skip_full	= dtype->skip_full;
      disk->no_hold	= dtype->no_hold;
      disk->kencrypt	= dtype->kencrypt;
+     disk->sencrypt	= dtype->sencrypt;
      disk->index		= dtype->index;
      disk->todo		= 1;
  
***************
*** 547,552 ****
--- 548,554 ----
  {
      char *auth_opt = NULL;
      char *kencrypt_opt = "";
+     char *sencrypt_opt = "";
      char *compress_opt = "";
      char *record_opt = "";
      char *index_opt = "";
***************
*** 601,606 ****
--- 603,619 ----
  	}
      }
  
+     if(dp->sencrypt) {
+ 	if(am_has_feature(their_features, fe_options_sencrypt)) {
+ 	    sencrypt_opt = "sencrypt;";
+ 	}
+ 	else if(fdout) {
+ 	    fprintf(fdout,
+ 		"WARNING: %s:%s does not support sencrypt\n",
+ 		dp->host->hostname, dp->name);
+ 	}
+     }
+ 
      switch(dp->compress) {
      case COMP_FAST:
  	if(am_has_feature(their_features, fe_options_compress_fast)) {
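Review bot: When the client does not advertise `fe_options_sencrypt`, the added block only writes a warning and the dump goes ahead without `sencrypt;`, so a disk configured for encryption is sent in clear text. For a confidentiality setting the safer behaviour is to refuse the dump; at minimum the message should say what happens, e.g. `"WARNING: %s:%s does not support sencrypt, data will be sent unencrypted\n"`. When `fdout` is NULL the downgrade is completely silent. How the caller treats an error return is not visible in this hunk, so a refusal path has to be checked against the rest of the function.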
***************
*** 788,793 ****
--- 801,807 ----
      result = vstralloc(";",
  		       auth_opt,
  		       kencrypt_opt,
+ 		       sencrypt_opt,
  		       compress_opt,
  		       record_opt,
  		       index_opt,
*** server-src/diskfile.h	2002/10/30 17:42:35	1.1
--- server-src/diskfile.h	2002/10/31 17:48:08
***************
*** 80,85 ****
--- 80,86 ----
      unsigned int skip_full:1;			/* fulls done externally ? */
      unsigned int no_hold:1;			/* don't use holding disk ? */
      unsigned int kencrypt:1;
+     unsigned int sencrypt:1;
      unsigned int index:1;			/* produce an index ? */
      int spindle;			/* spindle # - for parallel dumps */
      int inprogress;			/* being dumped now? */
*** server-src/dumper.c	2002/10/30 17:55:20	1.1
--- server-src/dumper.c	2002/10/31 17:48:08
***************
*** 112,117 ****
--- 112,128 ----
  static am_feature_t *our_features = NULL;
  static char *our_feature_string = NULL;
  
+ int decrypt, cryptpid;
+ 
+ #ifndef DECRYPT_PATH
+ #define DECRYPT_PATH	"/local/bin/sst"
+ #ifdef DECRYPT_OPT
+ #undef DECRYPT_OPT
+ #endif
+ #define DECRYPT_OPT	"-slv"
+ /* #define DECRYPT_OPT	"-slddd"	/* for debugging messages */
+ #endif /* DECRYPT_PATH */
+ 
  /* local functions */
  int main P((int main_argc, char **main_argv));
  int do_dump P((int mesgfd, int datafd, int indexfd, int outfd));
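Review bot: `cryptpid` is a file-scope `int` without an initializer, so it starts at 0, and the cleanup code added later in this patch runs `kill(cryptpid,SIGTERM)` whenever `cryptpid != -1`. If that cleanup can be reached before `do_dump` assigns `cryptpid = -1` (not verifiable from the visible hunks), the call becomes `kill(0, SIGTERM)`, which signals the whole process group. Declare the pair as `static int decrypt = 0, cryptpid = -1;`, which also matches the `static` declarations just above, unless another file refers to them.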
***************
*** 142,147 ****
--- 153,159 ----
        srvcompress = srvcomp_fast;
      else
        srvcompress = srvcomp_none;
+     decrypt = (strstr(options, "sencrypt;") != NULL);
  }
  
  void service_ports_init()
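Review bot: `strstr(options, "sencrypt;")` matches the text anywhere in the option string, so a value in another option that happens to end in `sencrypt` would switch decryption on for a stream that was never encrypted. Match the delimited token instead, e.g. `decrypt = (strstr(options, ";sencrypt;") != NULL);`, provided the string always starts with `;` as the one built in diskfile.c does. A short comment that this flag makes the dumper pipe the incoming data through the decrypt program would document the consequence of a wrong match. The function this line belongs to starts outside the hunk.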
***************
*** 1109,1114 ****
--- 1121,1127 ----
      fd_set readset, selectset;
      struct timeval timeout;
      int outpipe[2];
+     int netpipe[2];
      int header_done;	/* flag - header has been written */
      char *indexfile_tmp = NULL;
      char *indexfile_real = NULL;
***************
*** 1174,1179 ****
--- 1187,1233 ----
      unlink(errfname);				/* so it goes away on close */
      amfree(errfname);
  
+     /* insert pipe in the *READ* side, if decryption is desired */
+     cryptpid = -1;
+     if (decrypt) {
+ 	int tmpfd;
+ 
+ 	tmpfd = datafd;
+ 	if(socketpair(AF_UNIX, SOCK_STREAM, 0, netpipe) == -1)
+ 		error("socketpair: %s", strerror(errno));
+ 	datafd = netpipe[0];
+ 	if(datafd < 0 || datafd >= FD_SETSIZE) {
+ 	    aclose(netpipe[0]);
+ 	    aclose(netpipe[1]);
+ 	    errstr = newstralloc(errstr, "descriptor out of range");
+ 	    errno = EMFILE;
+ 	    goto failed;
+ 	}
+ 	switch(cryptpid=fork()) {
+ 	case -1:
+ 	    errstr = newstralloc2(errstr, "couldn't fork: ", strerror(errno));
+ 	    goto failed;
+ 	default:
+ 	    aclose(netpipe[1]);
+ 	    aclose(tmpfd);
+ 	    break;
+ 	case 0:
+ 	    aclose(netpipe[0]);
+ 	    /* child acts on stdin/stdout */
+ 	    if (dup2(netpipe[1],1) == -1)
+ 		fprintf(stderr, "err dup2 out: %s\n", strerror(errno));
+ 	    if (dup2(tmpfd, 0) == -1)
+ 		fprintf(stderr, "err dup2 in: %s\n", strerror(errno));
+ 	    for(tmpfd = 3; tmpfd <= FD_SETSIZE; ++tmpfd) {
+ 		close(tmpfd);
+ 	    }
+ 	    /* now spawn sst to take care of the rest */
+ 	    execlp(DECRYPT_PATH, DECRYPT_PATH, DECRYPT_OPT, (char *)0);
+ 	    error("error: couldn't exec %s.\n", DECRYPT_PATH);
+ 	}
+ 	/* Now the pipe has been inserted. */
+     }
+ 
      /* insert pipe in the *READ* side, if server-side compression is desired */
      compresspid = -1;
      if (srvcompress) {
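Review bot: In the child branch (`case 0`), a failed `dup2` is only reported and the code still goes on to exec the decrypt program with the wrong stdin or stdout, and a failed `execlp` ends in `error()`, the parent's fatal-error routine, which may run the parent's exit handling inside the forked child. Both cases should print the reason and leave with `_exit()`. The `case -1` branch also jumps to `failed` with both ends of `netpipe` open and `datafd` already replaced, and the range-check branch leaves `datafd` holding a descriptor it has just closed; what `failed` does with `datafd` is outside this hunk, so that needs checking there. The descriptor loop uses `tmpfd <= FD_SETSIZE`, which goes one past the range the check above allows.

```c
	case 0:
	    aclose(netpipe[0]);
	    /* child acts on stdin/stdout; any failure here must end the child */
	    if (dup2(netpipe[1], 1) == -1) {
		fprintf(stderr, "err dup2 out: %s\n", strerror(errno));
		_exit(1);
	    }
	    if (dup2(tmpfd, 0) == -1) {
		fprintf(stderr, "err dup2 in: %s\n", strerror(errno));
		_exit(1);
	    }
	    /* … unchanged: close descriptors from 3 upward … */
	    execlp(DECRYPT_PATH, DECRYPT_PATH, DECRYPT_OPT, (char *)0);
	    fprintf(stderr, "error: couldn't exec %s: %s\n",
		    DECRYPT_PATH, strerror(errno));
	    _exit(1);
```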
***************
*** 1544,1549 ****
--- 1598,1615 ----
  	else if ( killerr == -1 ) {
  	    if(errno != ESRCH)
  		fprintf(stderr,"%s: can't kill index command: %s\n", 
+ 			       get_pname(),strerror(errno));
+ 	}
+     }
+ 
+     if(cryptpid != -1) {
+ 	killerr = kill(cryptpid,SIGTERM);
+ 	if(killerr == 0) {
+ 	    fprintf(stderr,"%s: kill decrypt command\n",get_pname());
+ 	}
+ 	else if ( killerr == -1 ) {
+ 	    if(errno != ESRCH)
+ 		fprintf(stderr,"%s: can't kill decrypt command: %s\n", 
  			       get_pname(),strerror(errno));
  	}
      }