The secret of steel has always carried with it a mystery. You must learn

its riddle, Conan. You must learn its discipline. For no one, no one in
this world can you trust. Not men, not women, not beasts.

22 files changed, 0 insertions, 3672 deletions

diff --git a/lib/libwrap/DISCLAIMER b/lib/libwrap/DISCLAIMER
deleted file mode 100644
index 2d06cb8a2b3..00000000000
--- a/lib/libwrap/DISCLAIMER
+++ /dev/null
@@ -1,18 +0,0 @@
-$OpenBSD: DISCLAIMER,v 1.1 2001/06/04 07:33:53 deraadt Exp $
-
-/************************************************************************
-* Copyright 1995 by Wietse Venema.  All rights reserved.  Some individual
-* files may be covered by other copyrights.
-*
-* This material was originally written and compiled by Wietse Venema at
-* Eindhoven University of Technology, The Netherlands, in 1990, 1991,
-* 1992, 1993, 1994 and 1995.
-*
-* Redistribution and use in source and binary forms, with or without
-* modification, are permitted provided that this entire copyright notice
-* is duplicated in all such copies.
-*
-* This software is provided "as is" and without any expressed or implied
-* warranties, including, without limitation, the implied warranties of
-* merchantibility and fitness for any particular purpose.
-************************************************************************/
diff --git a/lib/libwrap/Makefile b/lib/libwrap/Makefile
deleted file mode 100644
index aa1ca5a263d..00000000000
--- a/lib/libwrap/Makefile
+++ /dev/null
@@ -1,32 +0,0 @@
-#	$OpenBSD: Makefile,v 1.8 2013/11/13 22:37:00 deraadt Exp $
-
-LIB=	wrap
-SRCS=	hosts_access.c options.c shell_cmd.c rfc931.c eval.c \
-	hosts_ctl.c refuse.c percent_x.c clean_exit.c \
-	socket.c update.c misc.c diag.c percent_m.c
-HDRS=	tcpd.h
-
-# Configuration options for libwrap.
-CFLAGS+=-DPROCESS_OPTIONS -DFACILITY=LOG_AUTH -DSEVERITY=LOG_INFO \
-	-DRFC931_TIMEOUT=10 -DHOSTS_ACCESS -DALWAYS_HOSTNAME \
-	-DHOSTS_DENY=\"/etc/hosts.deny\" -DHOSTS_ALLOW=\"/etc/hosts.allow\" \
-	-DNETGROUP -DSYS_ERRLIST_DEFINED -D_TCPD_PRIVATE
-CFLAGS+=-DINET6
-
-MAN=	hosts_access.3 hosts_access.5 hosts_options.5 rfc1413.3
-MLINKS+=hosts_access.5 hosts.allow.5
-MLINKS+=hosts_access.5 hosts.deny.5
-MLINKS+=hosts_access.3 hosts_ctl.3
-MLINKS+=hosts_access.3 request_init.3
-MLINKS+=hosts_access.3 request_set.3
-
-includes:
-	@cd ${.CURDIR}; for i in $(HDRS); do \
-	    j="cmp -s $$i ${DESTDIR}/usr/include/$$i || \
-		${INSTALL} ${INSTALL_COPY} -o ${BINOWN} -g ${BINGRP} -m 444 $$i \
-		${DESTDIR}/usr/include"; \
-	    echo $$j; \
-	    eval "$$j"; \
-	done
-
-.include <bsd.lib.mk>
diff --git a/lib/libwrap/clean_exit.c b/lib/libwrap/clean_exit.c
deleted file mode 100644
index ef20a166be5..00000000000
--- a/lib/libwrap/clean_exit.c
+++ /dev/null
@@ -1,40 +0,0 @@
-/*	$OpenBSD: clean_exit.c,v 1.3 2009/10/27 23:59:30 deraadt Exp $	*/
-
-/*
-  * clean_exit() cleans up and terminates the program. It should be called
-  * instead of exit() when for some reason the real network daemon will not or
-  * cannot be run. Reason: in the case of a datagram-oriented service we must
-  * discard the not-yet received data from the client. Otherwise, inetd will
-  * see the same datagram again and again, and go into a loop.
-  * 
-  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
-  */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <unistd.h>
-
-#include "tcpd.h"
-
-/* clean_exit - clean up and exit */
-
-void    clean_exit(request)
-struct request_info *request;
-{
-
-    /*
-     * In case of unconnected protocols we must eat up the not-yet received
-     * data or inetd will loop.
-     */
-
-    if (request->sink)
-	request->sink(request->fd);
-
-    /*
-     * Be kind to the inetd. We already reported the problem via the syslogd,
-     * and there is no need for additional garbage in the logfile.
-     */
-
-    sleep(5);
-    exit(0);
-}
diff --git a/lib/libwrap/diag.c b/lib/libwrap/diag.c
deleted file mode 100644
index 9601e165a4c..00000000000
--- a/lib/libwrap/diag.c
+++ /dev/null
@@ -1,72 +0,0 @@
-/*	$OpenBSD: diag.c,v 1.6 2011/05/30 18:48:33 martynas Exp $	*/
-
- /*
-  * Routines to report various classes of problems. Each report is decorated
-  * with the current context (file name and line number), if available.
-  * 
-  * tcpd_warn() reports a problem and proceeds.
-  * 
-  * tcpd_jump() reports a problem and jumps.
-  * 
-  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
-  */
-
-/* System libraries */
-
-#include <syslog.h>
-#include <stdio.h>
-#include <stdarg.h>
-#include <setjmp.h>
-
-/* Local stuff */
-
-#include "tcpd.h"
-
-struct tcpd_context tcpd_context;
-jmp_buf tcpd_buf;
-
-static void tcpd_diag(int, char *, char *, va_list)
-	__attribute__((__format__(__printf__, 3, 0)));
-
-/* tcpd_diag - centralize error reporter */
-
-static void tcpd_diag(severity, tag, format, ap)
-int     severity;
-char   *tag;
-char   *format;
-va_list ap;
-{
-    char    fmt[BUFSIZ];
-
-    if (tcpd_context.file)
-	snprintf(fmt, sizeof fmt, "%s: %s, line %d: %s",
-		tag, tcpd_context.file, tcpd_context.line, format);
-    else
-	snprintf(fmt, sizeof fmt, "%s: %s", tag, format);
-    vsyslog(severity, fmt, ap);
-}
-
-/* tcpd_warn - report problem of some sort and proceed */
-
-/* PRINTFLIKE1 */
-void	tcpd_warn(char *format, ...)
-{
-    va_list ap;
-
-    va_start(ap, format);
-    tcpd_diag(LOG_ERR, "warning", format, ap);
-    va_end(ap);
-}
-
-/* tcpd_jump - report serious problem and jump */
-
-/* PRINTFLIKE1 */
-void    tcpd_jump(char *format, ...)
-{
-    va_list ap;
-
-    va_start(ap, format);
-    tcpd_diag(LOG_ERR, "error", format, ap);
-    va_end(ap);
-    longjmp(tcpd_buf, AC_ERROR);
-}
diff --git a/lib/libwrap/eval.c b/lib/libwrap/eval.c
deleted file mode 100644
index 3151d85df45..00000000000
--- a/lib/libwrap/eval.c
+++ /dev/null
@@ -1,134 +0,0 @@
-/*	$OpenBSD: eval.c,v 1.4 2009/10/27 23:59:30 deraadt Exp $	*/
-
- /*
-  * Routines for controlled evaluation of host names, user names, and so on.
-  * They are, in fact, wrappers around the functions that are specific for
-  * the sockets or TLI programming interfaces. The request_info and host_info
-  * structures are used for result cacheing.
-  * 
-  * These routines allows us to postpone expensive operations until their
-  * results are really needed. Examples are hostname lookups and double
-  * checks, or username lookups. Information that cannot be retrieved is
-  * given the value "unknown" ("paranoid" in case of hostname problems).
-  * 
-  * When ALWAYS_HOSTNAME is off, hostname lookup is done only when required by
-  * tcpd paranoid mode, by access control patterns, or by %letter expansions.
-  * 
-  * When ALWAYS_RFC931 mode is off, user lookup is done only when required by
-  * access control patterns or %letter expansions.
-  * 
-  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
-  */
-
-/* System libraries. */
-
-#include <stdio.h>
-#include <string.h>
-
-/* Local stuff. */
-
-#include "tcpd.h"
-
- /*
-  * When a string has the value STRING_UNKNOWN, it means: don't bother, I
-  * tried to look up the data but it was unavailable for some reason. When a
-  * host name has the value STRING_PARANOID it means there was a name/address
-  * conflict.
-  */
-char    unknown[] = STRING_UNKNOWN;
-char    paranoid[] = STRING_PARANOID;
-
-/* eval_user - look up user name */
-
-char   *eval_user(request)
-struct request_info *request;
-{
-    if (request->user[0] == 0) {
-	strlcpy(request->user, unknown, sizeof(request->user));
-	if (request->sink == 0 && request->client->sin && request->server->sin)
-	    rfc931(request->client->sin, request->server->sin, request->user);
-    }
-    return (request->user);
-}
-
-/* eval_hostaddr - look up printable address */
-
-char   *eval_hostaddr(host)
-struct host_info *host;
-{
-    if (host->addr[0] == 0) {
-	strlcpy(host->addr, unknown, sizeof(host->addr));
-	if (host->request->hostaddr != 0)
-	    host->request->hostaddr(host);
-    }
-    return (host->addr);
-}
-
-/* eval_hostname - look up host name */
-
-char   *eval_hostname(host)
-struct host_info *host;
-{
-    if (host->name[0] == 0) {
-	strlcpy(host->name, unknown, sizeof(host->name));
-	if (host->request->hostname != 0)
-	    host->request->hostname(host);
-    }
-    return (host->name);
-}
-
-/* eval_hostinfo - return string with host name (preferred) or address */
-
-char   *eval_hostinfo(host)
-struct host_info *host;
-{
-    char   *hostname;
-
-#ifndef ALWAYS_HOSTNAME				/* no implicit host lookups */
-    if (host->name[0] == 0)
-	return (eval_hostaddr(host));
-#endif
-    hostname = eval_hostname(host);
-    if (HOSTNAME_KNOWN(hostname)) {
-	return (host->name);
-    } else {
-	return (eval_hostaddr(host));
-    }
-}
-
-/* eval_client - return string with as much about the client as we know */
-
-char   *eval_client(request)
-struct request_info *request;
-{
-    static char both[2 * STRING_LENGTH];
-    char   *hostinfo = eval_hostinfo(request->client);
-
-#ifndef ALWAYS_RFC931				/* no implicit user lookups */
-    if (request->user[0] == 0)
-	return (hostinfo);
-#endif
-    if (STR_NE(eval_user(request), unknown)) {
-	snprintf(both, sizeof both, "%s@%s", request->user, hostinfo);
-	return (both);
-    } else {
-	return (hostinfo);
-    }
-}
-
-/* eval_server - return string with as much about the server as we know */
-
-char   *eval_server(request)
-struct request_info *request;
-{
-    static char both[2 * STRING_LENGTH];
-    char   *host = eval_hostinfo(request->server);
-    char   *daemon = eval_daemon(request);
-
-    if (STR_NE(host, unknown)) {
-	snprintf(both, sizeof both, "%s@%s", daemon, host);
-	return (both);
-    } else {
-	return (daemon);
-    }
-}
diff --git a/lib/libwrap/hosts_access.3 b/lib/libwrap/hosts_access.3
deleted file mode 100644
index 1b22f15db68..00000000000
--- a/lib/libwrap/hosts_access.3
+++ /dev/null
@@ -1,139 +0,0 @@
-.\"	$OpenBSD: hosts_access.3,v 1.15 2007/05/31 19:19:39 jmc Exp $
-.\"
-.\" Copyright (c) 1997, Jason Downs.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in the
-.\"    documentation and/or other materials provided with the distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS
-.\" OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-.\" DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT,
-.\" INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-.\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: May 31 2007 $
-.Dt HOSTS_ACCESS 3
-.Os
-.Sh NAME
-.Nm hosts_access ,
-.Nm hosts_ctl ,
-.Nm request_init ,
-.Nm request_set
-.Nd tcp wrapper access control library
-.Sh SYNOPSIS
-.Fd #include <sys/types.h>
-.Fd #include <tcpd.h>
-.Vt extern int allow_severity;
-.Vt extern int deny_severity;
-.Ft struct request_info *
-.Fn request_init "struct request_info *request" "int key" value ... 0
-.Ft struct request_info *
-.Fn request_set "struct request_info *request" "int key" value ... 0
-.Ft int
-.Fn hosts_access "struct request_info *request"
-.Ft int
-.Fn hosts_ctl "char *daemon" "char *client_name" "char *client_addr" "char *client_user"
-.Sh DESCRIPTION
-The routines described in this document are part of the
-.Nm libwrap.a
-library.
-They implement a rule-based access control language with
-optional shell commands that are executed when a rule fires.
-.Pp
-.Fn request_init
-initializes a structure with information about a client
-request.
-.Fn request_set
-updates an already initialized request structure.
-Both functions take a
-variable-length list of key-value pairs and return their first argument.
-The argument lists are terminated with a zero key value.
-All string-valued arguments are copied.
-The expected keys (and corresponding value types) are:
-.Bl -tag -width XXXXXXXXXXXXXXXXXXXXXXXX
-.It "RQ_FILE (int)"
-The file descriptor associated with the request.
-.It "RQ_CLIENT_NAME (char *)"
-The client host name.
-.It "RQ_CLIENT_ADDR (char *)"
-A printable representation of the client network address.
-.It "RQ_CLIENT_SIN (struct sockaddr_in *)"
-An internal representation of the client network address and port.
-The contents of the structure are not copied.
-.It "RQ_SERVER_NAME (char *)"
-The hostname associated with the server endpoint address.
-.It "RQ_SERVER_ADDR (char *)"
-A printable representation of the server endpoint address.
-.It "RQ_SERVER_SIN (struct sockaddr_in *)"
-An internal representation of the server endpoint address and port.
-The contents of the structure are not copied.
-.It "RQ_DAEMON (char *)"
-The name of the daemon process running on the server host.
-.It "RQ_USER (char *)"
-The name of the user on whose behalf the client host makes the request.
-.El
-.Pp
-.Fn hosts_access
-consults the access control tables described in the
-.Xr hosts_access 5
-manual page.
-When internal endpoint information is available, host names
-and client user names are looked up on demand, using the request structure
-as a cache.
-.Fn hosts_access
-returns zero if access should be denied.
-.Pp
-.Fn hosts_ctl
-is a wrapper around the
-.Fn request_init
-and
-.Fn hosts_access
-routines with a perhaps more convenient interface (though it does not
-pass on enough information to support automated client username
-lookups).
-The client host address, client host name and username
-arguments should contain valid data or STRING_UNKNOWN.
-.Fn hosts_ctl
-returns zero if access should be denied.
-.Pp
-The
-.Fa allow_severity
-and
-.Fa deny_severity
-variables determine
-how accepted and rejected requests may be logged.
-They must be provided
-by the caller and may be modified by rules in the access control tables.
-.Sh FILES
-.Bl -tag -width /etc/hosts.allow -compact
-.It Pa /etc/hosts.allow
-Access control table (allow list)
-.It Pa /etc/hosts.deny
-Access control table (deny list)
-.El
-.Sh DIAGNOSTICS
-Problems are reported via the syslog daemon.
-.Sh SEE ALSO
-.Xr hosts_access 5 ,
-.Xr hosts_options 5
-.Sh AUTHORS
-.Bd -unfilled -offset indent
-Wietse Venema (wietse@wzv.win.tue.nl)
-Department of Mathematics and Computing Science
-Eindhoven University of Technology
-Den Dolech 2, P.O. Box 513,
-5600 MB Eindhoven, The Netherlands
-.Ed
-.\" @(#) hosts_access.3 1.8 96/02/11 17:01:26
diff --git a/lib/libwrap/hosts_access.5 b/lib/libwrap/hosts_access.5
deleted file mode 100644
index 33729542003..00000000000
--- a/lib/libwrap/hosts_access.5
+++ /dev/null
@@ -1,512 +0,0 @@
-.\"	$OpenBSD: hosts_access.5,v 1.25 2013/07/16 07:15:39 jmc Exp $
-.\"
-.\" Copyright (c) 1997, Jason Downs.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in the
-.\"    documentation and/or other materials provided with the distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS
-.\" OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-.\" DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT,
-.\" INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-.\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: July 16 2013 $
-.Dt HOSTS_ACCESS 5
-.Os
-.Sh NAME
-.Nm hosts_access ,
-.Nm hosts.deny ,
-.Nm hosts.allow
-.Nd tcp wrapper format of host access control files
-.Sh DESCRIPTION
-This manual page describes a simple access control language that is
-based on client (host name/address, user name), and server (process
-name, host name/address) patterns.
-Examples are given at the end.
-The impatient reader is encouraged to skip to the EXAMPLES section for a
-quick introduction.
-.Pp
-An extended version of the access control language is described in the
-.Xr hosts_options 5
-document.
-.\" The extensions are turned on at
-.\" program build time by building with -DPROCESS_OPTIONS.
-.Pp
-In the following text,
-.Ar daemon
-is the process name of a network daemon process, and
-.Ar client
-is the name and/or address of a host requesting service.
-Network daemon process names are specified in the inetd configuration file.
-.Sh ACCESS CONTROL FILES
-The access control software consults two files.
-The search stops at the first match:
-.Bl -bullet -width XXX
-.It
-Access will be granted when a (daemon,client) pair matches an entry in
-the
-.Pa /etc/hosts.allow
-file.
-.It
-Otherwise, access will be denied when a (daemon,client) pair matches an
-entry in the
-.Pa /etc/hosts.deny
-file.
-.It
-Otherwise, access will be granted.
-.El
-.Pp
-A non-existent access control file is treated as if it were an empty
-file.
-Thus, access control can be turned off by providing no access control files.
-.Sh ACCESS CONTROL RULES
-Each access control file consists of zero or more lines of text.
-These lines are processed in order of appearance.
-The search terminates when a match is found.
-.Bl -bullet -width XXX
-.It
-A newline character is ignored when it is preceded by a backslash
-character.
-This permits you to break up long lines so that they are easier to edit.
-.It
-Blank lines or lines that begin with a
-.Sq #
-character are ignored.
-This permits you to insert comments and whitespace so that the tables
-are easier to read.
-.It
-All other lines should satisfy the following format, things between []
-being optional:
-.Pp
-.Dl daemon_list\ \&: client_list [\ \&: shell_command\ \&]
-.El
-.Pp
-.Ar daemon_list
-is a list of one or more daemon process names
-.Pf ( Va argv[0]
-values) or wildcards (see below).
-.Pp
-.Ar client_list
-is a list of one or more host names, host addresses, patterns or wildcards (see
-below) that will be matched against the client host name or address.
-When a client_list item needs to include colon characters (for IPv6 addresses),
-the item needs to be wrapped with square brackets.
-.Pp
-The more complex forms
-.Ar daemon@host
-and
-.Ar user@host
-are
-explained in the sections on server endpoint patterns and on client
-username lookups, respectively.
-.Pp
-List elements should be separated by blanks and/or commas.
-.Pp
-With the exception of YP netgroup lookups, all access control
-checks are case insensitive.
-.Sh PATTERNS
-The access control language implements the following patterns:
-.Bl -bullet -width XXX
-.It
-A string that begins with a
-.Sq \&.
-character.
-A host name is matched if
-the last components of its name match the specified pattern.
-For example, the pattern
-.Sq .tue.nl
-matches the host name
-.Sq wzv.win.tue.nl .
-.It
-A string that ends with a
-.Sq \&.
-character.
-A host address is matched if its first numeric fields match the given string.
-For example, the pattern
-.Sq 131.155.
-matches the address of (almost) every host on the Eind\%hoven University
-network (131.155.x.x).
-.It
-A string that begins with an
-.Sq @
-character is treated as a YP netgroup name.
-A host name is matched if it is a host member of the specified netgroup.
-Netgroup matches are not supported for daemon process names or for client
-user names.
-.It
-An expression of the form
-.Sq n.n.n.n/m.m.m.m
-is interpreted as a
-.Sq net/mask
-pair.
-A host address is matched if
-.Sq net
-is equal to the bitwise AND of the address and the
-.Sq mask .
-For example, the net/mask
-pattern
-.Sq 131.155.72.0/255.255.254.0
-matches every address in the range
-.Sq 131.155.72.0
-through
-.Sq 131.155.73.255 .
-Note that the
-.Sq m.m.m.m
-portion must always be specified.
-.It
-An expression of the form
-.Sq ipv6-addr/ipv6-mask
-is interpreted as a masked IPv6 address match,
-just like a masked IPv4 address match (see above).
-Note that the
-.Sq ipv6-mask
-portion must always be specified.
-.It
-An expression of the form
-.Sq ipv6-addr/prefixlen
-is interpreted as a masked IPv6 address match
-(with mask specified by numeric prefixlen),
-just like a masked IPv4 address match (see above).
-Note that the
-.Sq prefixlen
-portion must always be specified.
-.El
-.Sh WILDCARDS
-The access control language supports explicit wildcards:
-.Bl -tag -width XXXXXXX
-.It ALL
-The universal wildcard, always matches.
-.It LOCAL
-Matches any host whose name does not contain a dot character.
-.It UNKNOWN
-Matches any user whose name is unknown, and matches any host whose name
-or address are unknown.
-This pattern should be used with care:
-host names may be unavailable due to temporary name server problems.
-A network address will be unavailable when the software cannot figure out
-what type of network it is talking to.
-.It KNOWN
-Matches any user whose name is known, and matches any host whose name
-and address are known.
-This pattern should be used with care:
-host names may be unavailable due to temporary name server problems.
-A network address will be unavailable when the software cannot figure out
-what type of network it is talking to.
-.\" .IP PARANOID
-.\" Matches any host whose name does not match its address.
-.\" When tcpd is built with -DPARANOID (default mode), it drops requests
-.\" from such clients even before looking at the access control tables.
-.\" Build without -DPARANOID when you want more control over such requests.
-.El
-.Sh OPERATORS
-.Ss EXCEPT
-Intended use is of the form:
-.Sq list_1 EXCEPT list_2 ;
-this construct matches anything that matches
-.Ar list_1
-unless it matches
-.Ar list_2 .
-The EXCEPT operator can be used in daemon_lists and in
-client_lists.
-The EXCEPT operator can be nested: if the control
-language would permit the use of parentheses,
-.Sq a EXCEPT b EXCEPT c
-would parse as
-.Sq (a EXCEPT (b EXCEPT c)) .
-.Sh SHELL COMMANDS
-If the first-matched access control rule contains a shell command, that
-command is subjected to %<letter> substitutions (see next section).
-The result is executed by a
-.Pa /bin/sh
-child process with standard
-input, output and error connected to
-.Pa /dev/null .
-Specify an
-.Sq &
-at the end of the command if you do not want to wait until it has completed.
-.Pp
-Shell commands should not rely on the PATH setting of the inetd.
-Instead, they should use absolute path names, or they should begin with
-an explicit PATH=whatever statement.
-.Pp
-The
-.Xr hosts_options 5
-document describes an alternative language
-that uses the shell command field in a different and incompatible way.
-.Sh % EXPANSIONS
-The following expansions are available within shell commands:
-.Bl -tag -width XXXXXXX
-.It "%a (%A)"
-The client (server) host address.
-.It %c
-Client information: user@host, user@address, a host name, or just an
-address, depending on how much information is available.
-.It %d
-The daemon process name
-.Pf ( Va argv[0]
-value).
-.It "%h (%H)"
-The client (server) host name or address, if the host name is
-unavailable.
-.It "%n (%N)"
-The client (server) host name (or "unknown" or "paranoid").
-.It %p
-The daemon process ID.
-.It %s
-Server information: daemon@host, daemon@address, or just a daemon name,
-depending on how much information is available.
-.It %u
-The client user name (or "unknown").
-.It %%
-Expands to a single
-.Sq %
-character.
-.El
-.Pp
-Characters in % expansions that may confuse the shell are replaced by
-underscores.
-.Sh SERVER ENDPOINT PATTERNS
-In order to distinguish clients by the network address that they
-connect to, use patterns of the form:
-.Pp
-.Dl process_name@host_pattern\ \&: client_list ...
-.Pp
-Patterns like these can be used when the machine has different internet
-addresses with different internet hostnames.
-Service providers can use
-this facility to offer FTP, GOPHER or WWW archives with internet names
-that may even belong to different organizations.
-See also the
-.Sq twist
-option in the
-.Xr hosts_options 5
-document.
-Many systems can have more than one internet address on one physical
-interface; with other systems you may have to resort to SLIP or PPP
-pseudo interfaces that live in a dedicated network address space.
-.Pp
-The host_pattern obeys the same syntax rules as host names and
-addresses in client_list context.
-Usually, server endpoint information
-is available only with connection-oriented services.
-.Sh CLIENT USERNAME LOOKUP
-When the client host supports the RFC 931 protocol or one of its
-descendants (TAP, IDENT, RFC 1413) the wrapper programs can retrieve
-additional information about the owner of a connection.
-Client username information, when available, is logged together with the
-client host name, and can be used to match patterns like:
-.Pp
-.Dl daemon_list\ \&: ... user_pattern@host_pattern ...
-.Pp
-The daemon wrappers can be configured at compile time to perform
-rule-driven username lookups (default) or to always interrogate the
-client host.
-In the case of rule-driven username lookups, the above
-rule would cause username lookup only when both the
-.Ar daemon_list
-and the
-.Ar host_pattern
-match.
-.Pp
-A user pattern has the same syntax as a daemon process pattern, so the
-same wildcards apply (netgroup membership is not supported).
-One should not get carried away with username lookups, though.
-.Bl -bullet -width XXX
-.It
-The client username information cannot be trusted when it is needed
-most, i.e., when the client system has been compromised.
-In general, ALL and (UN)KNOWN are the only user name patterns that make sense.
-.It
-Username lookups are possible only with TCP-based services, and only
-when the client host runs a suitable daemon; in all other cases the
-result is "unknown".
-.\" .It
-.\" A well-known UNIX kernel bug may cause loss of service when username
-.\" lookups are blocked by a firewall. The wrapper README document
-.\" describes a procedure to find out if your kernel has this bug.
-.It
-Username lookups may cause noticeable delays for non-UNIX users.
-The default timeout for username lookups is 10 seconds: too short to cope
-with slow networks, but long enough to irritate PC users.
-.El
-.Pp
-Selective username lookups can alleviate the last problem.
-For example, a rule like:
-.Pp
-.Dl daemon_list\ \&: @pcnetgroup ALL@ALL
-.Pp
-would match members of the pc netgroup without doing username lookups,
-but would perform username lookups with all other systems.
-.Sh DETECTING ADDRESS SPOOFING ATTACKS
-A flaw in the sequence number generator of many TCP/IP implementations
-allows intruders to easily impersonate trusted hosts and to break in
-via, for example, the remote shell service.
-The IDENT (RFC 931 etc.\&)
-service can be used to detect such and other host address spoofing attacks.
-.Pp
-Before accepting a client request, the wrappers can use the IDENT
-service to find out that the client did not send the request at all.
-When the client host provides IDENT service, a negative IDENT lookup
-result (the client matches
-.Sq UNKNOWN@host )
-is strong evidence of a host spoofing attack.
-.Pp
-A positive IDENT lookup result (the client matches
-.Sq KNOWN@host )
-is less trustworthy.
-It is possible for an intruder to spoof both the
-client connection and the IDENT lookup, although doing so is much
-harder than spoofing just a client connection.
-It may also be that the client\'s IDENT server is lying.
-.Pp
-Note: IDENT lookups don't work with UDP services.
-.Sh EXAMPLES
-The language is flexible enough that different types of access control
-policy can be expressed with a minimum of fuss.
-Although the language
-uses two access control tables, the most common policies can be
-implemented with one of the tables being trivial or even empty.
-.Pp
-When reading the examples below it is important to realize that the
-allow table is scanned before the deny table, that the search
-terminates when a match is found, and that access is granted when no
-match is found at all.
-.Pp
-The examples use host and domain names.
-They can be improved by
-including address and/or network/netmask information, to reduce the
-impact of temporary name server lookup failures.
-.Sh MOSTLY CLOSED
-In this case, access is denied by default.
-Only explicitly authorized hosts are permitted access.
-.Pp
-The default policy (no access) is implemented with a trivial deny
-file:
-.Pp
-.Pa /etc/hosts.deny :
-.Pp
-.Dl ALL: ALL
-.Pp
-This denies all services to all hosts, unless they are permitted access
-by entries in the allow file.
-.Pp
-The explicitly authorized hosts are listed in the allow file.
-For example:
-.Pp
-.Pa /etc/hosts.allow :
-.Bd -literal -offset indent
-ALL: LOCAL @some_netgroup
-ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
-.Ed
-.Pp
-The first rule permits access from hosts in the local domain (no
-.Sq \&.
-in the host name) and from members of the
-.Ar some_netgroup
-netgroup.
-The second rule permits access from all hosts in the
-.Ar foobar.edu
-domain (notice the leading dot), with the exception of
-.Ar terminalserver.foobar.edu .
-.Sh MOSTLY OPEN
-Here, access is granted by default; only explicitly specified hosts are
-refused service.
-.Pp
-The default policy (access granted) makes the allow file redundant so
-that it can be omitted.
-The explicitly non-authorized hosts are listed in the deny file.
-For example:
-.Pp
-.Pa /etc/hosts.deny :
-.Bd -unfilled -offset indent
-ALL: some.host.name, .some.domain
-ALL EXCEPT in.fingerd: other.host.name, .other.domain
-.Ed
-.Pp
-The first rule denies some hosts and domains all services; the second
-rule still permits finger requests from other hosts and domains.
-.Sh BOOBY TRAPS
-The next example permits tftp requests from hosts in the local domain
-(notice the leading dot).
-Requests from any other hosts are denied.
-Instead of the requested file, a finger probe is sent to the offending host.
-The result is mailed to the superuser.
-.Pp
-.Pa /etc/hosts.allow :
-.Pp
-.Dl tftpd: LOCAL, .my.domain
-.Pp
-.Pa /etc/hosts.deny :
-.Bd -unfilled -offset indent
-tftpd: ALL: (/some/where/safe_finger -l @%h | \e
-	/usr/bin/mail -s %d-%h root) &
-.Ed
-.Pp
-The
-.Nm safe_finger
-command comes with the tcpd wrapper and should be
-installed in a suitable place.
-It limits possible damage from data sent by the remote finger server.
-It gives better protection than the standard finger command.
-.Pp
-The expansion of the %h (client host) and %d (service name) sequences
-is described in the section on shell commands.
-.Pp
-Warning: do not booby-trap your finger daemon, unless you are prepared
-for infinite finger loops.
-.Pp
-On network firewall systems this trick can be carried even further.
-The typical network firewall only provides a limited set of services to
-the outer world.
-All other services can be "bugged" just like the above tftp example.
-The result is an excellent early-warning system.
-.Sh FILES
-.Bl -tag -width /etc/hosts.allow -compact
-.It Pa /etc/hosts.allow
-Access control table (allow list)
-.It Pa /etc/hosts.deny
-Access control table (deny list)
-.El
-.Sh DIAGNOSTICS
-An error is reported when a syntax error is found in a host access
-control rule; when the length of an access control rule exceeds the
-capacity of an internal buffer; when an access control rule is not
-terminated by a newline character; when the result of %<letter>
-expansion would overflow an internal buffer; when a system call fails
-that shouldn\'t.
-All problems are reported via the syslog daemon.
-.Sh SEE ALSO
-.Xr tcpd 8 ,
-.Xr tcpdchk 8 ,
-.Xr tcpdmatch 8
-.Sh AUTHORS
-.Bd -unfilled -offset indent
-Wietse Venema (wietse@wzv.win.tue.nl)
-Department of Mathematics and Computing Science
-Eindhoven University of Technology
-Den Dolech 2, P.O. Box 513,
-5600 MB Eindhoven, The Netherlands
-.Ed
-.Sh BUGS
-If a name server lookup times out, the host name will not be available
-to the access control software, even though the host is registered.
-.Pp
-Domain name server lookups are case insensitive; YP
-netgroup lookups are case sensitive.
-.Pp
-The total length of an entry can be no more than 2047 characters long,
-including the final newline.
-.\" @(#) hosts_access.5 1.20 95/01/30 19:51:46
diff --git a/lib/libwrap/hosts_access.c b/lib/libwrap/hosts_access.c
deleted file mode 100644
index fbde0025fb0..00000000000
--- a/lib/libwrap/hosts_access.c
+++ /dev/null
@@ -1,511 +0,0 @@
-/*	$OpenBSD: hosts_access.c,v 1.12 2009/10/27 23:59:30 deraadt Exp $	*/
-
- /*
-  * This module implements a simple access control language that is based on
-  * host (or domain) names, NIS (host) netgroup names, IP addresses (or
-  * network numbers) and daemon process names. When a match is found the
-  * search is terminated, and depending on whether PROCESS_OPTIONS is defined,
-  * a list of options is executed or an optional shell command is executed.
-  * 
-  * Host and user names are looked up on demand, provided that suitable endpoint
-  * information is available as sockaddr_in structures or TLI netbufs. As a
-  * side effect, the pattern matching process may change the contents of
-  * request structure fields.
-  * 
-  * Diagnostics are reported through syslog(3).
-  * 
-  * Compile with -DNETGROUP if your library provides support for netgroups.
-  * 
-  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
-  */
-
-/* System libraries. */
-
-#include <sys/types.h>
-#include <sys/param.h>
-#ifdef INET6
-#include <sys/socket.h>
-#endif
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <stdio.h>
-#include <syslog.h>
-#include <ctype.h>
-#include <errno.h>
-#include <setjmp.h>
-#include <string.h>
-#include <unistd.h>
-#include <stdlib.h>
-#include <limits.h>
-#ifdef NETGROUP
-#include <netgroup.h>
-#endif
-#include <netdb.h>
-
-
-/* Local stuff. */
-
-#include "tcpd.h"
-
-/* Error handling. */
-
-extern jmp_buf tcpd_buf;
-
-/* Delimiters for lists of daemons or clients. */
-
-static char sep[] = ", \t\r\n";
-
-/* Constants to be used in assignments only, not in comparisons... */
-
-#define	YES		1
-#define	NO		0
-
- /*
-  * These variables are globally visible so that they can be redirected in
-  * verification mode.
-  */
-
-char   *hosts_allow_table = HOSTS_ALLOW;
-char   *hosts_deny_table = HOSTS_DENY;
-int     hosts_access_verbose = 0;
-
- /*
-  * In a long-running process, we are not at liberty to just go away.
-  */
-
-int     resident = (-1);		/* -1, 0: unknown; +1: yes */
-
-/* Forward declarations. */
-
-static int table_match(char *, struct request_info *);
-static int list_match(char *, struct request_info *,
-    int (*)(char *, struct request_info *));
-static int server_match(char *, struct request_info *);
-static int client_match(char *, struct request_info *);
-static int host_match(char *, struct host_info *);
-static int string_match(char *, char *);
-static int masked_match(char *, char *, char *);
-static int masked_match4(char *, char *, char *);
-#ifdef INET6
-static int masked_match6(char *, char *, char *);
-#endif
-
-/* Size of logical line buffer. */
-
-#define	BUFLEN 2048
-
-/* hosts_access - host access control facility */
-
-int     hosts_access(request)
-struct request_info *request;
-{
-    int     verdict;
-
-    /*
-     * If the (daemon, client) pair is matched by an entry in the file
-     * /etc/hosts.allow, access is granted. Otherwise, if the (daemon,
-     * client) pair is matched by an entry in the file /etc/hosts.deny,
-     * access is denied. Otherwise, access is granted. A non-existent
-     * access-control file is treated as an empty file.
-     * 
-     * After a rule has been matched, the optional language extensions may
-     * decide to grant or refuse service anyway. Or, while a rule is being
-     * processed, a serious error is found, and it seems better to play safe
-     * and deny service. All this is done by jumping back into the
-     * hosts_access() routine, bypassing the regular return from the
-     * table_match() function calls below.
-     */
-
-    if (resident <= 0)
-	resident++;
-    verdict = setjmp(tcpd_buf);
-    if (verdict != 0)
-	return (verdict == AC_PERMIT);
-    if (table_match(hosts_allow_table, request))
-	return (YES);
-    if (table_match(hosts_deny_table, request))
-	return (NO);
-    return (YES);
-}
-
-/* table_match - match table entries with (daemon, client) pair */
-
-static int table_match(table, request)
-char   *table;
-struct request_info *request;
-{
-    FILE   *fp;
-    char    sv_list[BUFLEN];		/* becomes list of daemons */
-    char   *cl_list;			/* becomes list of clients */
-    char   *sh_cmd;			/* becomes optional shell command */
-    int     match = NO;
-    struct tcpd_context saved_context;
-
-    saved_context = tcpd_context;		/* stupid compilers */
-
-    /*
-     * Between the fopen() and fclose() calls, avoid jumps that may cause
-     * file descriptor leaks.
-     */
-
-    if ((fp = fopen(table, "r")) != 0) {
-	tcpd_context.file = table;
-	tcpd_context.line = 0;
-	while (match == NO && xgets(sv_list, sizeof(sv_list), fp) != 0) {
-	    if (sv_list[strlen(sv_list) - 1] != '\n') {
-		tcpd_warn("missing newline or line too long");
-		continue;
-	    }
-	    if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0)
-		continue;
-	    if ((cl_list = split_at(sv_list, ':')) == 0) {
-		tcpd_warn("missing \":\" separator");
-		continue;
-	    }
-	    sh_cmd = split_at(cl_list, ':');
-	    match = list_match(sv_list, request, server_match)
-		&& list_match(cl_list, request, client_match);
-	}
-	(void) fclose(fp);
-    } else if (errno != ENOENT) {
-	tcpd_warn("cannot open %s: %m", table);
-    }
-    if (match) {
-	if (hosts_access_verbose > 1)
-	    syslog(LOG_DEBUG, "matched:  %s line %d",
-		   tcpd_context.file, tcpd_context.line);
-	if (sh_cmd) {
-#ifdef PROCESS_OPTIONS
-	    process_options(sh_cmd, request);
-#else
-	    char    cmd[BUFSIZ];
-	    shell_cmd(percent_x(cmd, sizeof(cmd), sh_cmd, request));
-#endif
-	}
-    }
-    tcpd_context = saved_context;
-    return (match);
-}
-
-/* list_match - match a request against a list of patterns with exceptions */
-
-static int list_match(list, request, match_fn)
-char   *list;
-struct request_info *request;
-int   (*match_fn)(char *, struct request_info *);
-{
-    char   *tok;
-    static char *last;
-    int l;
-
-    /*
-     * Process tokens one at a time. We have exhausted all possible matches
-     * when we reach an "EXCEPT" token or the end of the list. If we do find
-     * a match, look for an "EXCEPT" list and recurse to determine whether
-     * the match is affected by any exceptions.
-     */
-
-    for (tok = strtok_r(list, sep, &last); tok != 0;
-      tok = strtok_r(NULL, sep, &last)) {
-	if (STR_EQ(tok, "EXCEPT"))		/* EXCEPT: give up */
-	    return (NO);
-	l = strlen(tok);
-	if (*tok == '[' && tok[l - 1] == ']') {
-	    tok[l - 1] = '\0';
-	    tok++;
-	}
-	if (match_fn(tok, request)) {		/* YES: look for exceptions */
-	    while ((tok = strtok_r(NULL, sep, &last)) && STR_NE(tok, "EXCEPT"))
-		 /* VOID */ ;
-	    return (tok == 0 || list_match(NULL, request, match_fn) == 0);
-	}
-    }
-    return (NO);
-}
-
-/* server_match - match server information */
-
-static int server_match(tok, request)
-char   *tok;
-struct request_info *request;
-{
-    char   *host;
-
-    if ((host = split_at(tok + 1, '@')) == 0) {	/* plain daemon */
-	return (string_match(tok, eval_daemon(request)));
-    } else {					/* daemon@host */
-	return (string_match(tok, eval_daemon(request))
-		&& host_match(host, request->server));
-    }
-}
-
-/* client_match - match client information */
-
-static int client_match(tok, request)
-char   *tok;
-struct request_info *request;
-{
-    char   *host;
-
-    if ((host = split_at(tok + 1, '@')) == 0) {	/* plain host */
-	return (host_match(tok, request->client));
-    } else {					/* user@host */
-	return (host_match(host, request->client)
-		&& string_match(tok, eval_user(request)));
-    }
-}
-
-/* host_match - match host name and/or address against pattern */
-
-static int host_match(tok, host)
-char   *tok;
-struct host_info *host;
-{
-    char   *mask;
-
-    /*
-     * This code looks a little hairy because we want to avoid unnecessary
-     * hostname lookups.
-     * 
-     * The KNOWN pattern requires that both address AND name be known; some
-     * patterns are specific to host names or to host addresses; all other
-     * patterns are satisfied when either the address OR the name match.
-     */
-
-    if (tok[0] == '@') {			/* netgroup: look it up */
-#ifdef  NETGROUP
-	static char mydomain[MAXHOSTNAMELEN];
-	if (mydomain[0] == '\0')
-	    getdomainname(mydomain, sizeof(mydomain));
-	return (innetgr(tok + 1, eval_hostname(host), NULL, mydomain));
-#else
-	tcpd_warn("netgroup support is disabled");	/* not tcpd_jump() */
-	return (NO);
-#endif
-    } else if (STR_EQ(tok, "KNOWN")) {		/* check address and name */
-	char   *name = eval_hostname(host);
-	return (STR_NE(eval_hostaddr(host), unknown) && HOSTNAME_KNOWN(name));
-    } else if (STR_EQ(tok, "LOCAL")) {		/* local: no dots in name */
-	char   *name = eval_hostname(host);
-	return (strchr(name, '.') == 0 && HOSTNAME_KNOWN(name));
-    } else if ((mask = split_at(tok, '/')) != 0) {	/* net/mask */
-	return (masked_match(tok, mask, eval_hostaddr(host)));
-    } else {					/* anything else */
-	return (string_match(tok, eval_hostaddr(host))
-	    || (NOT_INADDR(tok) && string_match(tok, eval_hostname(host))));
-    }
-}
-
-/* string_match - match string against pattern */
-
-static int string_match(tok, string)
-char   *tok;
-char   *string;
-{
-    int     n;
-
-    if (tok[0] == '.') {			/* suffix */
-	n = strlen(string) - strlen(tok);
-	return (n > 0 && STR_EQ(tok, string + n));
-    } else if (STR_EQ(tok, "ALL")) {		/* all: match any */
-	return (YES);
-    } else if (STR_EQ(tok, "KNOWN")) {		/* not unknown */
-	return (STR_NE(string, unknown));
-    } else if (tok[(n = strlen(tok)) - 1] == '.') {	/* prefix */
-	return (STRN_EQ(tok, string, n));
-    } else {					/* exact match */
-	return (STR_EQ(tok, string));
-    }
-}
-
-/* masked_match - match address against netnumber/netmask */
-
-static int masked_match(net_tok, mask_tok, string)
-char   *net_tok;
-char   *mask_tok;
-char   *string;
-{
-#ifndef INET6
-    return masked_match4(net_tok, mask_tok, string);
-#else
-    /*
-     * masked_match4() is kept just for supporting shortened IPv4 address form.
-     * If we could get rid of shortened IPv4 form, we could just always use
-     * masked_match6().
-     */
-    if (dot_quad_addr_new(net_tok, NULL) &&
-        dot_quad_addr_new(mask_tok, NULL) &&
-        dot_quad_addr_new(string, NULL)) {
-	return masked_match4(net_tok, mask_tok, string);
-    } else
-	return masked_match6(net_tok, mask_tok, string);
-#endif
-}
-
-static int masked_match4(net_tok, mask_tok, string)
-char   *net_tok;
-char   *mask_tok;
-char   *string;
-{
-    in_addr_t net;
-    in_addr_t mask;
-    in_addr_t addr;
-
-    /*
-     * Disallow forms other than dotted quad: the treatment that inet_addr()
-     * gives to forms with less than four components is inconsistent with the
-     * access control language. John P. Rouillard <rouilj@cs.umb.edu>.
-     */
-
-    if (!dot_quad_addr_new(string, &addr))
-	return (NO);
-    if (!dot_quad_addr_new(net_tok, &net) ||
-        !dot_quad_addr_new(mask_tok, &mask)) {
-	tcpd_warn("bad net/mask expression: %s/%s", net_tok, mask_tok);
-	return (NO);				/* not tcpd_jump() */
-    }
-
-    if ((net & ~mask) != 0)
-	tcpd_warn("host bits not all zero in %s/%s", net_tok, mask_tok);
-
-    return ((addr & mask) == net);
-}
-
-#ifdef INET6
-static int masked_match6(net_tok, mask_tok, string)
-char   *net_tok;
-char   *mask_tok;
-char   *string;
-{
-    union {
-	struct sockaddr sa;
-	struct sockaddr_in sin;
-	struct sockaddr_in6 sin6;
-    } net, mask, addr;
-    struct addrinfo hints, *res;
-    unsigned long masklen;
-    char *ep;
-    int i;
-    char *np, *mp, *ap;
-    int alen;
-
-    memset(&hints, 0, sizeof(hints));
-    hints.ai_family = PF_UNSPEC;
-    hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
-    hints.ai_flags = AI_NUMERICHOST;
-    if (getaddrinfo(net_tok, "0", &hints, &res) == 0) {
-	if (res->ai_addrlen > sizeof(net) || res->ai_next) {
-	    freeaddrinfo(res);
-	    return NO;
-	}
-	memcpy(&net, res->ai_addr, res->ai_addrlen);
-	freeaddrinfo(res);
-    } else
-	return NO;
-
-    memset(&hints, 0, sizeof(hints));
-    hints.ai_family = net.sa.sa_family;
-    hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
-    hints.ai_flags = AI_NUMERICHOST;
-    ep = NULL;
-    if (getaddrinfo(mask_tok, "0", &hints, &res) == 0) {
-	if (res->ai_family == AF_INET6 &&
-	    ((struct sockaddr_in6 *)res->ai_addr)->sin6_scope_id) {
-	    freeaddrinfo(res);
-	    return NO;
-	}
-	if (res->ai_addrlen > sizeof(mask) || res->ai_next) {
-	    freeaddrinfo(res);
-	    return NO;
-	}
-	memcpy(&mask, res->ai_addr, res->ai_addrlen);
-	freeaddrinfo(res);
-    } else {
-	ep = NULL;
-	masklen = strtoul(mask_tok, &ep, 10);
-	if (ep && !*ep) {
-	    memset(&mask, 0, sizeof(mask));
-	    mask.sa.sa_family = net.sa.sa_family;
-	    mask.sa.sa_len = net.sa.sa_len;
-	    switch (mask.sa.sa_family) {
-	    case AF_INET:
-		mp = (char *)&mask.sin.sin_addr;
-		alen = sizeof(mask.sin.sin_addr);
-		break;
-	    case AF_INET6:
-		mp = (char *)&mask.sin6.sin6_addr;
-		alen = sizeof(mask.sin6.sin6_addr);
-		break;
-	    default:
-		return NO;
-	    }
-	    if (masklen / 8 > alen)
-		return NO;
-	    memset(mp, 0xff, masklen / 8);
-	    if (masklen % 8)
-		mp[masklen / 8] = 0xff00 >> (masklen % 8);
-	} else
-	    return NO;
-    }
-
-    memset(&hints, 0, sizeof(hints));
-    hints.ai_family = PF_UNSPEC;
-    hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
-    hints.ai_flags = AI_NUMERICHOST;
-    if (getaddrinfo(string, "0", &hints, &res) == 0) {
-	if (res->ai_addrlen > sizeof(addr) || res->ai_next) {
-	    freeaddrinfo(res);
-	    return NO;
-	}
-	/* special case - IPv4 mapped address */
-	if (net.sa.sa_family == AF_INET && res->ai_family == AF_INET6 && 
-	    IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr)) {
-	    memset(&addr, 0, sizeof(addr));
-	    addr.sa.sa_family = net.sa.sa_family;
-	    addr.sa.sa_len = net.sa.sa_len;
-	    memcpy(&addr.sin.sin_addr,
-	        &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr.s6_addr[12],
-		sizeof(addr.sin.sin_addr));
-	} else
-	    memcpy(&addr, res->ai_addr, res->ai_addrlen);
-	freeaddrinfo(res);
-    } else
-	return NO;
-
-    if (net.sa.sa_family != mask.sa.sa_family ||
-        net.sa.sa_family != addr.sa.sa_family) {
-	return NO;
-    }
-     
-    switch (net.sa.sa_family) {
-    case AF_INET:
-	np = (char *)&net.sin.sin_addr;
-	mp = (char *)&mask.sin.sin_addr;
-	ap = (char *)&addr.sin.sin_addr;
-	alen = sizeof(net.sin.sin_addr);
-	break;
-    case AF_INET6:
-	np = (char *)&net.sin6.sin6_addr;
-	mp = (char *)&mask.sin6.sin6_addr;
-	ap = (char *)&addr.sin6.sin6_addr;
-	alen = sizeof(net.sin6.sin6_addr);
-	break;
-    default:
-	return NO;
-    }
-
-    for (i = 0; i < alen; i++)
-	if (np[i] & ~mp[i]) {
-	    tcpd_warn("host bits not all zero in %s/%s", net_tok, mask_tok);
-	    break;
-	}
-
-    for (i = 0; i < alen; i++)
-	ap[i] &= mp[i];
-
-    if (addr.sa.sa_family == AF_INET6 && addr.sin6.sin6_scope_id &&
-        addr.sin6.sin6_scope_id != net.sin6.sin6_scope_id)
-	return NO;
-    return (memcmp(ap, np, alen) == 0);
-}
-#endif
diff --git a/lib/libwrap/hosts_ctl.c b/lib/libwrap/hosts_ctl.c
deleted file mode 100644
index 0161f9fda54..00000000000
--- a/lib/libwrap/hosts_ctl.c
+++ /dev/null
@@ -1,36 +0,0 @@
-/*	$OpenBSD: hosts_ctl.c,v 1.2 2009/10/27 23:59:30 deraadt Exp $	*/
-
- /*
-  * hosts_ctl() combines common applications of the host access control
-  * library routines. It bundles its arguments then calls the hosts_access()
-  * access control checker. The host name and user name arguments should be
-  * empty strings, STRING_UNKNOWN or real data. If a match is found, the
-  * optional shell command is executed.
-  * 
-  * Restriction: this interface does not pass enough information to support
-  * selective remote username lookups or selective hostname double checks.
-  * 
-  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
-  */
-
-#include <stdio.h>
-
-#include "tcpd.h"
-
-/* hosts_ctl - limited interface to the hosts_access() routine */
-
-int     hosts_ctl(daemon, name, addr, user)
-char   *daemon;
-char   *name;
-char   *addr;
-char   *user;
-{
-    struct request_info request;
-
-    return (hosts_access(request_init(&request,
-				      RQ_DAEMON, daemon,
-				      RQ_CLIENT_NAME, name,
-				      RQ_CLIENT_ADDR, addr,
-				      RQ_USER, user,
-				      0)));
-}
diff --git a/lib/libwrap/hosts_options.5 b/lib/libwrap/hosts_options.5
deleted file mode 100644
index 0fa3e5675f2..00000000000
--- a/lib/libwrap/hosts_options.5
+++ /dev/null
@@ -1,236 +0,0 @@
-.\"	$OpenBSD: hosts_options.5,v 1.11 2007/05/31 19:19:39 jmc Exp $
-.\"
-.\" Copyright (c) 1997, Jason Downs.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in the
-.\"    documentation and/or other materials provided with the distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS
-.\" OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-.\" DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT,
-.\" INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-.\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: May 31 2007 $
-.Dt HOSTS_OPTIONS 5
-.Os
-.Sh NAME
-.Nm hosts_options
-.Nd tcp wrapper host access control language extensions
-.Sh DESCRIPTION
-This document describes optional extensions to the language described
-in the
-.Xr hosts_access 5
-document.
-.\" The extensions are enabled at program build time.
-.\" For example, by editing the Makefile and turning on the
-.\" PROCESS_OPTIONS compile-time option.
-.Pp
-The extensible language uses the following format:
-.Pp
-.Dl daemon_list\ \&: client_list\ \&: option\ \&: option ...
-.Pp
-The first two fields are described in the
-.Xr hosts_access 5
-manual page.
-The remainder of the rules is a list of zero or more options.
-Any ":"
-characters within options should be protected with a backslash.
-.Pp
-An option is of the form "keyword" or "keyword value".
-Options are processed in the specified order.
-Some options are subjected to %<letter> substitutions.
-For the sake of backwards compatibility with
-earlier versions, an "=" is permitted between keyword and value.
-.Sh LOGGING
-.Bl -tag -width "severity mail.info"
-.It "severity mail.info"
-.It "severity notice"
-Change the severity level at which the event will be logged.
-Facility names (such as mail) are optional, and are not supported
-on systems with older syslog implementations.
-The severity option can be used to emphasize or to ignore specific events.
-.El
-.Sh ACCESS CONTROL
-.Bl -tag -width allow
-.It "allow"
-.It "deny"
-Grant (deny) service.
-These options must appear at the end of a rule.
-.El
-.Pp
-The
-.Ar allow
-and
-.Ar deny
-keywords make it possible to keep all
-access control rules within a single file, for example in the
-.Pa /etc/hosts.allow
-file.
-.Pp
-To permit access from specific hosts only:
-.Bd -unfilled -offset indent
-ALL: .friendly.domain: ALLOW
-ALL: ALL: DENY
-.Ed
-.Pp
-To permit access from all hosts except a few trouble makers:
-.Bd -unfilled -offset indent
-ALL: .bad.domain: DENY
-ALL: ALL: ALLOW
-.Ed
-.Pp
-Notice the leading dot on the domain name patterns.
-.Sh RUNNING OTHER COMMANDS
-.Bl -tag -width "spawn shell_command"
-.It "spawn shell_command"
-Execute, in a child process, the specified shell command, after
-performing the %<letter> expansions described in the hosts_access(5)
-manual page.
-The command is executed with stdin, stdout and stderr
-connected to the null device, so that it won\'t mess up the
-conversation with the client host.
-Example:
-.Bd -literal -offset indent
-spawn (/some/where/safe_finger -l @%h | \e
-	/usr/ucb/mail root) &
-.Ed
-.Pp
-executes, in a background child process, the shell command "safe_finger
--l @%h | mail root" after replacing %h by the name or address of the
-remote host.
-.Pp
-The example uses the "safe_finger" command instead of the regular
-"finger" command, to limit possible damage from data sent by the finger
-server.
-The "safe_finger" command is part of the daemon wrapper
-package; it is a wrapper around the regular finger command that filters
-the data sent by the remote host.
-.It "twist shell_command"
-Replace the current process by an instance of the specified shell
-command, after performing the %<letter> expansions described in the
-.Xr hosts_access 5
-manual page.
-Stdin, stdout and stderr are connected to the client process.
-This option must appear at the end of a rule.
-.Pp
-To send a customized bounce message to the client instead of
-running the real ftp daemon:
-.Bd -literal -offset indent
-ftpd : ... : twist /bin/echo 421 \e
-	Some bounce message
-.Ed
-.Pp
-For an alternative way to talk to client processes, see the
-.Ar banners
-option below.
-.Pp
-To run /some/other/telnetd without polluting its command-line
-array or its process environment:
-.Bd -literal -offset indent
-telnetd : ... : twist PATH=/some/other; \e
-	exec in.telnetd
-.Ed
-.Pp
-Warning:  in case of UDP services, do not twist to commands that use
-the standard I/O or the
-.Xr read 2
-or
-.Xr write 2
-routines to communicate with
-the client process; UDP requires other I/O primitives.
-.El
-.Sh NETWORK OPTIONS
-.Bl -tag -width "linger number_of_seconds"
-.It "keepalive"
-Causes the server to periodically send a message to the client.
-The connection is considered broken when the client does not respond.
-The keepalive option can be useful when users turn off their machine while
-it is still connected to a server.
-The keepalive option is not useful for datagram (UDP) services.
-.It "linger number_of_seconds"
-Specifies how long the kernel will try to deliver not-yet delivered
-data after the server process closes a connection.
-.El
-.Sh USERNAME LOOKUP
-.Bl -tag -width "rfc931 [ timeout_in_seconds ]"
-.It "rfc931 [ timeout_in_seconds ]"
-Look up the client user name with the RFC 931 (TAP, IDENT, RFC 1413)
-protocol.
-This option is silently ignored in case of services based on
-transports other than TCP.
-It requires that the client system runs an
-RFC 931 (IDENT, etc.) -compliant daemon, and may cause noticeable
-delays with connections from non-UNIX clients.
-The timeout period is optional.
-If no timeout is specified a compile-time defined default
-value is taken.
-.El
-.Sh MISCELLANEOUS
-.Bl -tag -width "banners /some/directory"
-.It "banners /some/directory"
-Look for a file in
-.Pa /some/directory
-with the same name as the daemon process (for example
-.Nm telnetd
-for the telnet service), and copy its contents to the client.
-Newline characters are replaced by carriage-return newline, and %<letter>
-sequences are expanded (see the
-.Xr hosts_access 5
-manual page).
-.Pp
-.\" The tcp wrappers source code distribution provides a sample makefile
-.\" (Banners.Makefile) for convenient banner maintenance.
-.\" .Pp
-Warning: banners are supported for connection-oriented (TCP) network
-services only.
-.It "nice [ number ]"
-Change the nice value of the process (default 10).
-Specify a positive value to spend more CPU resources on other processes.
-.It "setenv name value"
-Place a (name, value) pair into the process environment.
-The value is subjected to %<letter> expansions and may contain whitespace (but
-leading and trailing blanks are stripped off).
-.Pp
-Warning: many network daemons reset their environment before spawning a
-login or shell process.
-.It "umask 022"
-Like the umask command that is built into the shell.
-An umask of 022
-prevents the creation of files with group and world write permission.
-The umask argument should be an octal number.
-.It "user nobody"
-.It "user nobody.kmem"
-Assume the privileges of the "nobody" userid (or user "nobody", group
-"kmem").
-The first form is useful with inetd implementations that run all services with
-root privilege.
-The second form is useful for services that need special group privileges only.
-.El
-.Sh DIAGNOSTICS
-When a syntax error is found in an access control rule, the error
-is reported to the syslog daemon; further options will be ignored,
-and service is denied.
-.Sh SEE ALSO
-.Xr hosts_access 5
-.Sh AUTHORS
-.Bd -unfilled -offset indent
-Wietse Venema (wietse@wzv.win.tue.nl)
-Department of Mathematics and Computing Science
-Eindhoven University of Technology
-Den Dolech 2, P.O. Box 513,
-5600 MB Eindhoven, The Netherlands
-.Ed
-.\" @(#) hosts_options.5 1.10 94/12/28 17:42:28
diff --git a/lib/libwrap/misc.c b/lib/libwrap/misc.c
deleted file mode 100644
index d1f3811a52f..00000000000
--- a/lib/libwrap/misc.c
+++ /dev/null
@@ -1,113 +0,0 @@
-/*	$OpenBSD: misc.c,v 1.7 2009/10/27 23:59:30 deraadt Exp $	*/
-
- /*
-  * Misc routines that are used by tcpd and by tcpdchk.
-  * 
-  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
-  */
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <stdio.h>
-#include <string.h>
-
-#include "tcpd.h"
-
-/* xgets - fgets() with backslash-newline stripping */
-
-char   *xgets(ptr, len, fp)
-char   *ptr;
-int     len;
-FILE   *fp;
-{
-    int     got;
-    char   *start = ptr;
-
-    while (len > 1 && fgets(ptr, len, fp)) {
-	got = strlen(ptr);
-	if (got >= 1 && ptr[got - 1] == '\n') {
-	    tcpd_context.line++;
-	    if (got >= 2 && ptr[got - 2] == '\\') {
-		got -= 2;
-	    } else {
-		return (start);
-	    }
-	}
-	ptr += got;
-	len -= got;
-	ptr[0] = 0;
-    }
-    return (ptr > start ? start : 0);
-}
-
-/* split_at - break string at delimiter or return NULL */
-
-char   *split_at(string, delimiter)
-char   *string;
-int     delimiter;
-{
-    char *cp;
-    int bracket;
-
-    bracket = 0;
-    for (cp = string; cp && *cp; cp++) {
-	switch (*cp) {
-	case '[':
-	    bracket++;
-	    break;
-	case ']':
-	    bracket--;
-	    break;
-	default:
-	    if (bracket == 0 && *cp == delimiter) {
-		*cp++ = 0;
-		return cp;
-	    }
-	    break;
-	}
-    }
-    return NULL;
-}
-
-/* dot_quad_addr_new - convert dotted quad to internal form */
-int
-dot_quad_addr_new(str, ap)
-char   *str;
-in_addr_t *ap;
-{
-    struct in_addr a;
-    int in_run = 0;
-    int runs = 0;
-    char *cp = str;
-
-    while (*cp) {
-	if (*cp == '.') {
-	    in_run = 0;
-	} else if (in_run == 0) {
-	    in_run = 1;
-	    runs++;
-	}
-	cp++;
-    }
-    if (runs != 4)
-	return 0;
-
-    if (!inet_aton(str, &a))
-	return 0;
-    if (ap)
-	*ap = a.s_addr;
-    return 1;
-}
-
-/* dot_quad_addr - convert dotted quad to internal form */
-in_addr_t
-dot_quad_addr(str)
-char   *str;
-{
-    in_addr_t addr;
-
-    (void) dot_quad_addr_new(str, &addr);
-    return addr;
-}
diff --git a/lib/libwrap/options.c b/lib/libwrap/options.c
deleted file mode 100644
index 67990952ff5..00000000000
--- a/lib/libwrap/options.c
+++ /dev/null
@@ -1,629 +0,0 @@
-/*	$OpenBSD: options.c,v 1.8 2013/11/22 07:49:44 deraadt Exp $	*/
-
- /*
-  * General skeleton for adding options to the access control language. The
-  * features offered by this module are documented in the hosts_options(5)
-  * manual page (source file: hosts_options.5, "nroff -man" format).
-  * 
-  * Notes and warnings for those who want to add features:
-  * 
-  * In case of errors, abort options processing and deny access. There are too
-  * many irreversible side effects to make error recovery feasible. For
-  * example, it makes no sense to continue after we have already changed the
-  * userid.
-  * 
-  * In case of errors, do not terminate the process: the routines might be
-  * called from a long-running daemon that should run forever. Instead, call
-  * tcpd_jump() which does a non-local goto back into the hosts_access()
-  * routine.
-  * 
-  * In case of severe errors, use clean_exit() instead of directly calling
-  * exit(), or the inetd may loop on an UDP request.
-  * 
-  * In verification mode (for example, with the "tcpdmatch" command) the
-  * "dry_run" flag is set. In this mode, an option function should just "say"
-  * what it is going to do instead of really doing it.
-  * 
-  * Some option functions do not return (for example, the twist option passes
-  * control to another program). In verification mode (dry_run flag is set)
-  * such options should clear the "dry_run" flag to inform the caller of this
-  * course of action.
-  */
-
-/* System libraries. */
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <sys/stat.h>
-#include <netinet/in.h>
-#include <netdb.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <syslog.h>
-#include <pwd.h>
-#include <grp.h>
-#include <ctype.h>
-#include <setjmp.h>
-#include <string.h>
-#include <unistd.h>
-
-#ifndef MAXPATHNAMELEN
-#define MAXPATHNAMELEN  BUFSIZ
-#endif
-
-/* Local stuff. */
-
-#include "tcpd.h"
-
-/* Options runtime support. */
-
-int     dry_run = 0;			/* flag set in verification mode */
-extern jmp_buf tcpd_buf;		/* tcpd_jump() support */
-
-/* Options parser support. */
-
-static char whitespace_eq[] = "= \t\r\n";
-#define whitespace (whitespace_eq + 1)
-
-static char *get_field(char *);		/* chew :-delimited field off string */
-static char *chop_string(char *);	/* strip leading and trailing blanks */
-
-/* List of functions that implement the options. Add yours here. */
-
-static void user_option			/* execute "user name.group" option */
-	(char *, struct request_info *);
-static void group_option		/* execute "group name" option */
-	(char *, struct request_info *);
-static void umask_option		/* execute "umask mask" option */
-	(char *, struct request_info *);
-static void linger_option		/* execute "linger time" option */
-	(char *, struct request_info *);
-static void keepalive_option		/* execute "keepalive" option */
-	(char *, struct request_info *);
-static void spawn_option		/* execute "spawn command" option */
-	(char *, struct request_info *);
-static void twist_option		/* execute "twist command" option */
-	(char *, struct request_info *);
-static void rfc931_option		/* execute "rfc931" option */
-	(char *, struct request_info *);
-static void setenv_option		/* execute "setenv name value" */
-	(char *, struct request_info *);
-static void nice_option			/* execute "nice" option */
-	(char *, struct request_info *);
-static void severity_option		/* execute "severity value" */
-	(char *, struct request_info *);
-static void allow_option		/* execute "allow" option */
-	(char *, struct request_info *);
-static void deny_option			/* execute "deny" option */
-	(char *, struct request_info *);
-static void banners_option		/* execute "banners path" option */
-	(char *, struct request_info *);
-
-/* Structure of the options table. */
-
-struct option {
-    char   *name;			/* keyword name, case is ignored */
-    void  (*func)(char *, struct request_info *);
-					/* function that does the real work */
-    int     flags;			/* see below... */
-};
-
-#define NEED_ARG	(1<<1)		/* option requires argument */
-#define USE_LAST	(1<<2)		/* option must be last */
-#define OPT_ARG		(1<<3)		/* option has optional argument */
-#define EXPAND_ARG	(1<<4)		/* do %x expansion on argument */
-
-#define need_arg(o)	((o)->flags & NEED_ARG)
-#define opt_arg(o)	((o)->flags & OPT_ARG)
-#define permit_arg(o)	((o)->flags & (NEED_ARG | OPT_ARG))
-#define use_last(o)	((o)->flags & USE_LAST)
-#define expand_arg(o)	((o)->flags & EXPAND_ARG)
-
-/* List of known keywords. Add yours here. */
-
-static struct option option_table[] = {
-    { "user", user_option, NEED_ARG },
-    { "group", group_option, NEED_ARG },
-    { "umask", umask_option, NEED_ARG },
-    { "linger", linger_option, NEED_ARG },
-    { "keepalive", keepalive_option, 0 },
-    { "spawn", spawn_option, NEED_ARG | EXPAND_ARG },
-    { "twist", twist_option, NEED_ARG | EXPAND_ARG | USE_LAST },
-    { "rfc931", rfc931_option, OPT_ARG },
-    { "setenv", setenv_option, NEED_ARG | EXPAND_ARG },
-    { "nice", nice_option, OPT_ARG },
-    { "severity", severity_option, NEED_ARG },
-    { "allow", allow_option, USE_LAST },
-    { "deny", deny_option, USE_LAST },
-    { "banners", banners_option, NEED_ARG },
-    { 0 },
-};
-
-/* process_options - process access control options */
-
-void    process_options(options, request)
-char   *options;
-struct request_info *request;
-{
-    char   *key;
-    char   *value;
-    char   *curr_opt;
-    char   *next_opt;
-    struct option *op;
-    char    bf[BUFSIZ];
-
-    for (curr_opt = get_field(options); curr_opt; curr_opt = next_opt) {
-	next_opt = get_field((char *) 0);
-
-	/*
-	 * Separate the option into name and value parts. For backwards
-	 * compatibility we ignore exactly one '=' between name and value.
-	 */
-	curr_opt = chop_string(curr_opt);
-	if (*(value = curr_opt + strcspn(curr_opt, whitespace_eq))) {
-	    if (*value != '=') {
-		*value++ = 0;
-		value += strspn(value, whitespace);
-	    }
-	    if (*value == '=') {
-		*value++ = 0;
-		value += strspn(value, whitespace);
-	    }
-	}
-	if (*value == 0)
-	    value = 0;
-	key = curr_opt;
-
-	/*
-	 * Disallow missing option names (and empty option fields).
-	 */
-	if (*key == 0)
-	    tcpd_jump("missing option name");
-
-	/*
-	 * Lookup the option-specific info and do some common error checks.
-	 * Delegate option-specific processing to the specific functions.
-	 */
-
-	for (op = option_table; op->name && STR_NE(op->name, key); op++)
-	     /* VOID */ ;
-	if (op->name == 0)
-	    tcpd_jump("bad option name: \"%s\"", key);
-	if (!value && need_arg(op))
-	    tcpd_jump("option \"%s\" requires value", key);
-	if (value && !permit_arg(op))
-	    tcpd_jump("option \"%s\" requires no value", key);
-	if (next_opt && use_last(op))
-	    tcpd_jump("option \"%s\" must be at end", key);
-	if (value && expand_arg(op))
-	    value = chop_string(percent_x(bf, sizeof(bf), value, request));
-	if (hosts_access_verbose)
-	    syslog(LOG_DEBUG, "option:   %s %s", key, value ? value : "");
-	(*(op->func)) (value, request);
-    }
-}
-
-/* allow_option - grant access */
-
-/* ARGSUSED */
-
-static void
-allow_option(char *value, struct request_info *request)
-{
-    longjmp(tcpd_buf, AC_PERMIT);
-}
-
-/* deny_option - deny access */
-
-/* ARGSUSED */
-
-static void
-deny_option(char *value, struct request_info *request)
-{
-    longjmp(tcpd_buf, AC_DENY);
-}
-
-/* banners_option - expand %<char>, terminate each line with CRLF */
-
-static void
-banners_option(char *value, struct request_info *request)
-{
-    char    path[MAXPATHNAMELEN];
-    char    ibuf[BUFSIZ];
-    char    obuf[2 * BUFSIZ];
-    struct stat st;
-    int     ch;
-    FILE   *fp;
-
-    snprintf(path, sizeof (path), "%s/%s", value, eval_daemon(request));
-    if ((fp = fopen(path, "r")) != 0) {
-	while ((ch = fgetc(fp)) == 0)
-	    write(request->fd, "", 1);
-	ungetc(ch, fp);
-	while (fgets(ibuf, sizeof(ibuf) - 1, fp)) {
-	    if (split_at(ibuf, '\n'))
-		strlcat(ibuf, "\r\n", sizeof(ibuf));
-	    percent_x(obuf, sizeof(obuf), ibuf, request);
-	    write(request->fd, obuf, strlen(obuf));
-	}
-	fclose(fp);
-    } else if (stat(value, &st) < 0) {
-	tcpd_warn("%s: %m", value);
-    }
-}
-
-/* group_option - switch group id */
-
-/* ARGSUSED */
-
-static void group_option(value, request)
-char   *value;
-struct request_info *request;
-{
-    struct group *grp;
-
-    if ((grp = getgrnam(value)) == 0)
-	tcpd_jump("unknown group: \"%s\"", value);
-    endgrent();
-
-    if (dry_run == 0 && setgid(grp->gr_gid))
-	tcpd_jump("setgid(%s): %m", value);
-}
-
-/* user_option - switch user id */
-
-/* ARGSUSED */
-
-static void user_option(value, request)
-char   *value;
-struct request_info *request;
-{
-    struct passwd *pwd;
-    char   *group;
-
-    if ((group = split_at(value, '.')) != 0)
-	group_option(group, request);
-    if ((pwd = getpwnam(value)) == 0)
-	tcpd_jump("unknown user: \"%s\"", value);
-    endpwent();
-
-    if (dry_run == 0 && setuid(pwd->pw_uid))
-	tcpd_jump("setuid(%s): %m", value);
-}
-
-/* umask_option - set file creation mask */
-
-/* ARGSUSED */
-
-static void umask_option(value, request)
-char   *value;
-struct request_info *request;
-{
-    unsigned int mask;
-    char    junk;
-
-    if (sscanf(value, "%o%c", &mask, &junk) != 1 || (mask & 0777) != mask)
-	tcpd_jump("bad umask value: \"%s\"", value);
-    (void) umask(mask);
-}
-
-/* spawn_option - spawn a shell command and wait */
-
-/* ARGSUSED */
-
-static void spawn_option(value, request)
-char   *value;
-struct request_info *request;
-{
-    if (dry_run == 0)
-	shell_cmd(value);
-}
-
-/* linger_option - set the socket linger time (Marc Boucher <marc@cam.org>) */
-
-/* ARGSUSED */
-
-static void linger_option(value, request)
-char   *value;
-struct request_info *request;
-{
-    struct linger linger;
-    char    junk;
-
-    if (sscanf(value, "%d%c", &linger.l_linger, &junk) != 1
-	|| linger.l_linger < 0)
-	tcpd_jump("bad linger value: \"%s\"", value);
-    if (dry_run == 0) {
-	linger.l_onoff = (linger.l_linger != 0);
-	if (setsockopt(request->fd, SOL_SOCKET, SO_LINGER, (char *) &linger,
-		       sizeof(linger)) < 0)
-	    tcpd_warn("setsockopt SO_LINGER %d: %m", linger.l_linger);
-    }
-}
-
-/* keepalive_option - set the socket keepalive option */
-
-/* ARGSUSED */
-
-static void keepalive_option(value, request)
-char   *value;
-struct request_info *request;
-{
-    static int on = 1;
-
-    if (dry_run == 0 && setsockopt(request->fd, SOL_SOCKET, SO_KEEPALIVE,
-				   (char *) &on, sizeof(on)) < 0)
-	tcpd_warn("setsockopt SO_KEEPALIVE: %m");
-}
-
-/* nice_option - set nice value */
-
-/* ARGSUSED */
-
-static void nice_option(value, request)
-char   *value;
-struct request_info *request;
-{
-    int     niceval = 10;
-    char    junk;
-
-    if (value != 0 && sscanf(value, "%d%c", &niceval, &junk) != 1)
-	tcpd_jump("bad nice value: \"%s\"", value);
-    if (dry_run == 0 && nice(niceval) < 0)
-	tcpd_warn("nice(%d): %m", niceval);
-}
-
-/* twist_option - replace process by shell command */
-
-static void twist_option(value, request)
-char   *value;
-struct request_info *request;
-{
-    char   *error;
-
-    if (dry_run != 0) {
-	dry_run = 0;
-    } else {
-	if (resident > 0)
-	    tcpd_jump("twist option in resident process");
-
-	syslog(deny_severity, "twist %s to %s", eval_client(request), value);
-
-	/* Before switching to the shell, set up stdin, stdout and stderr. */
-
-#define maybe_dup2(from, to) ((from == to) ? to : (close(to), dup(from)))
-
-	if (maybe_dup2(request->fd, 0) != 0 ||
-	    maybe_dup2(request->fd, 1) != 1 ||
-	    maybe_dup2(request->fd, 2) != 2) {
-	    error = "twist_option: dup: %m";
-	} else {
-	    if (request->fd > 2)
-		close(request->fd);
-	    (void) execl("/bin/sh", "sh", "-c", value, (char *) 0);
-	    error = "twist_option: /bin/sh: %m";
-	}
-
-	/* Something went wrong: we MUST terminate the process. */
-
-	tcpd_warn(error);
-	clean_exit(request);
-    }
-}
-
-/* rfc931_option - look up remote user name */
-
-static void rfc931_option(value, request)
-char   *value;
-struct request_info *request;
-{
-    int     timeout;
-    char    junk;
-
-    if (value != 0) {
-	if (sscanf(value, "%d%c", &timeout, &junk) != 1 || timeout <= 0)
-	    tcpd_jump("bad rfc931 timeout: \"%s\"", value);
-	rfc931_timeout = timeout;
-    }
-    (void) eval_user(request);
-}
-
-/* setenv_option - set environment variable */
-
-/* ARGSUSED */
-
-static void setenv_option(value, request)
-char   *value;
-struct request_info *request;
-{
-    char   *var_value;
-
-    if (*(var_value = value + strcspn(value, whitespace)))
-	*var_value++ = 0;
-    if (setenv(chop_string(value), chop_string(var_value), 1))
-	tcpd_jump("memory allocation failure");
-}
-
- /*
-  * The severity option goes last because it comes with a huge amount of ugly
-  * #ifdefs and tables.
-  */
-
-struct syslog_names {
-    char   *name;
-    int     value;
-};
-
-static struct syslog_names log_fac[] = {
-#ifdef LOG_KERN
-    { "kern", LOG_KERN }, 
-#endif
-#ifdef LOG_USER
-    { "user", LOG_USER },
-#endif
-#ifdef LOG_MAIL
-    { "mail", LOG_MAIL },
-#endif
-#ifdef LOG_DAEMON
-    { "daemon", LOG_DAEMON },
-#endif
-#ifdef LOG_AUTH
-    { "auth", LOG_AUTH },
-#endif
-#ifdef LOG_LPR
-    { "lpr", LOG_LPR },
-#endif
-#ifdef LOG_NEWS
-    { "news", LOG_NEWS },
-#endif
-#ifdef LOG_UUCP
-    { "uucp", LOG_UUCP },
-#endif
-#ifdef LOG_CRON
-    { "cron", LOG_CRON },
-#endif
-#ifdef LOG_LOCAL0
-    { "local0", LOG_LOCAL0 },
-#endif
-#ifdef LOG_LOCAL1
-    { "local1", LOG_LOCAL1 },
-#endif
-#ifdef LOG_LOCAL2
-    { "local2", LOG_LOCAL2 },
-#endif
-#ifdef LOG_LOCAL3
-    { "local3", LOG_LOCAL3 },
-#endif
-#ifdef LOG_LOCAL4
-    { "local4", LOG_LOCAL4 },
-#endif
-#ifdef LOG_LOCAL5
-    { "local5", LOG_LOCAL5 },
-#endif
-#ifdef LOG_LOCAL6
-    { "local6", LOG_LOCAL6 },
-#endif
-#ifdef LOG_LOCAL7
-    { "local7", LOG_LOCAL7 },
-#endif
-    { 0 },
-};
-
-static struct syslog_names log_sev[] = {
-#ifdef LOG_EMERG
-    { "emerg", LOG_EMERG },
-#endif
-#ifdef LOG_ALERT
-    { "alert", LOG_ALERT },
-#endif
-#ifdef LOG_CRIT
-    { "crit", LOG_CRIT },
-#endif
-#ifdef LOG_ERR
-    { "err", LOG_ERR },
-#endif
-#ifdef LOG_WARNING
-    { "warning", LOG_WARNING },
-#endif
-#ifdef LOG_NOTICE
-    { "notice", LOG_NOTICE },
-#endif
-#ifdef LOG_INFO
-    { "info", LOG_INFO },
-#endif
-#ifdef LOG_DEBUG
-    { "debug", LOG_DEBUG },
-#endif
-    { 0 },
-};
-
-/* severity_map - lookup facility or severity value */
-
-static int severity_map(struct syslog_names *table, char *name)
-{
-    struct syslog_names *t;
-
-    for (t = table; t->name; t++)
-	if (STR_EQ(t->name, name))
-	    return (t->value);
-    tcpd_jump("bad syslog facility or severity: \"%s\"", name);
-    /* NOTREACHED */
-}
-
-/* severity_option - change logging severity for this event (Dave Mitchell) */
-
-/* ARGSUSED */
-
-static void severity_option(value, request)
-char   *value;
-struct request_info *request;
-{
-    char   *level = split_at(value, '.');
-
-    allow_severity = deny_severity = level ?
-	severity_map(log_fac, value) | severity_map(log_sev, level) :
-	severity_map(log_sev, value);
-}
-
-/* get_field - return pointer to next field in string */
-
-static char *get_field(string)
-char   *string;
-{
-    static char *last = "";
-    char   *src;
-    char   *dst;
-    char   *ret;
-    int     ch;
-
-    /*
-     * This function returns pointers to successive fields within a given
-     * string. ":" is the field separator; warn if the rule ends in one. It
-     * replaces a "\:" sequence by ":", without treating the result of
-     * substitution as field terminator. A null argument means resume search
-     * where the previous call terminated. This function destroys its
-     * argument.
-     * 
-     * Work from explicit source or from memory. While processing \: we
-     * overwrite the input. This way we do not have to maintain buffers for
-     * copies of input fields.
-     */
-
-    src = dst = ret = (string ? string : last);
-    if (src[0] == 0)
-	return (0);
-
-    while ((ch = *src)) {
-	if (ch == ':') {
-	    if (*++src == 0)
-		tcpd_warn("rule ends in \":\"");
-	    break;
-	}
-	if (ch == '\\' && src[1] == ':')
-	    src++;
-	*dst++ = *src++;
-    }
-    last = src;
-    *dst = 0;
-    return (ret);
-}
-
-/* chop_string - strip leading and trailing blanks from string */
-
-static char *chop_string(string)
-register char *string;
-{
-    char   *start = 0;
-    char   *end;
-    char   *cp;
-
-    for (cp = string; *cp; cp++) {
-	if (!isspace((unsigned char)*cp)) {
-	    if (start == 0)
-		start = cp;
-	    end = cp;
-	}
-    }
-    return (start ? (end[1] = 0, start) : cp);
-}
diff --git a/lib/libwrap/percent_m.c b/lib/libwrap/percent_m.c
deleted file mode 100644
index ce7a3b883e0..00000000000
--- a/lib/libwrap/percent_m.c
+++ /dev/null
@@ -1,42 +0,0 @@
-/*	$OpenBSD: percent_m.c,v 1.5 2013/11/13 22:37:15 deraadt Exp $	*/
-
- /*
-  * Replace %m by system error message.
-  * 
-  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
-  */
-
-#include <stdio.h>
-#include <stdarg.h>
-#include <errno.h>
-#include <string.h>
-#include "tcpd.h"
-
-#ifndef SYS_ERRLIST_DEFINED
-extern char *sys_errlist[];
-extern int sys_nerr;
-#endif
-
-char *
-percent_m(char*obuf, char*ibuf)
-{
-    char   *bp = obuf;
-    char   *cp = ibuf;
-    int len = BUFSIZ;
-
-    while ((*bp = *cp)) {
-	if (*cp == '%' && cp[1] == 'm') {
-	    len = BUFSIZ - (bp - obuf);
-	    if (errno < sys_nerr && errno > 0) {
-		strlcpy(bp, sys_errlist[errno], len);
-	    } else {
-		snprintf(bp, len, "Unknown error %d", errno);
-	    }
-	    bp += strlen(bp);
-	    cp += 2;
-	} else {
-	    bp++, cp++;
-	}
-    }
-    return (obuf);
-}
diff --git a/lib/libwrap/percent_x.c b/lib/libwrap/percent_x.c
deleted file mode 100644
index 15afce17677..00000000000
--- a/lib/libwrap/percent_x.c
+++ /dev/null
@@ -1,84 +0,0 @@
-/*	$OpenBSD: percent_x.c,v 1.3 2009/10/27 23:59:30 deraadt Exp $	*/
-
- /*
-  * percent_x() takes a string and performs %<char> expansions. It aborts the
-  * program when the expansion would overflow the output buffer. The result
-  * of %<char> expansion may be passed on to a shell process. For this
-  * reason, characters with a special meaning to shells are replaced by
-  * underscores.
-  * 
-  * Diagnostics are reported through syslog(3).
-  * 
-  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
-  */
-
-/* System libraries. */
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <syslog.h>
-#include <string.h>
-#include <unistd.h>
-
-/* Local stuff. */
-
-#include "tcpd.h"
-
-/* percent_x - do %<char> expansion, abort if result buffer is too small */
-
-char   *percent_x(result, result_len, string, request)
-char   *result;
-int     result_len;
-char   *string;
-struct request_info *request;
-{
-    char   *bp = result;
-    char   *end = result + result_len - 1;	/* end of result buffer */
-    char   *expansion;
-    int     expansion_len;
-    static char ok_chars[] = "1234567890!@%-_=+:,./\
-abcdefghijklmnopqrstuvwxyz\
-ABCDEFGHIJKLMNOPQRSTUVWXYZ";
-    char   *str = string;
-    char   *cp;
-    int     ch;
-
-    /*
-     * Warning: we may be called from a child process or after pattern
-     * matching, so we cannot use clean_exit() or tcpd_jump().
-     */
-
-    while (*str) {
-	if (*str == '%' && (ch = str[1]) != 0) {
-	    str += 2;
-	    expansion =
-		ch == 'a' ? eval_hostaddr(request->client) :
-		ch == 'A' ? eval_hostaddr(request->server) :
-		ch == 'c' ? eval_client(request) :
-		ch == 'd' ? eval_daemon(request) :
-		ch == 'h' ? eval_hostinfo(request->client) :
-		ch == 'H' ? eval_hostinfo(request->server) :
-		ch == 'n' ? eval_hostname(request->client) :
-		ch == 'N' ? eval_hostname(request->server) :
-		ch == 'p' ? eval_pid(request) :
-		ch == 's' ? eval_server(request) :
-		ch == 'u' ? eval_user(request) :
-		ch == '%' ? "%" : (tcpd_warn("unrecognized %%%c", ch), "");
-	    for (cp = expansion; *(cp += strspn(cp, ok_chars)); /* */ )
-		*cp = '_';
-	    expansion_len = cp - expansion;
-	} else {
-	    expansion = str++;
-	    expansion_len = 1;
-	}
-	if (bp + expansion_len >= end) {
-	    tcpd_warn("percent_x: expansion too long: %.30s...", result);
-	    sleep(5);
-	    exit(0);
-	}
-	memcpy(bp, expansion, expansion_len);
-	bp += expansion_len;
-    }
-    *bp = 0;
-    return (result);
-}
diff --git a/lib/libwrap/refuse.c b/lib/libwrap/refuse.c
deleted file mode 100644
index 4b89ca88cce..00000000000
--- a/lib/libwrap/refuse.c
+++ /dev/null
@@ -1,30 +0,0 @@
-/*	$OpenBSD: refuse.c,v 1.2 2009/10/27 23:59:30 deraadt Exp $	*/
-
- /*
-  * refuse() reports a refused connection, and takes the consequences: in
-  * case of a datagram-oriented service, the unread datagram is taken from
-  * the input queue (or inetd would see the same datagram again and again);
-  * the program is terminated.
-  * 
-  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
-  */
-
-/* System libraries. */
-
-#include <stdio.h>
-#include <syslog.h>
-
-/* Local stuff. */
-
-#include "tcpd.h"
-
-/* refuse - refuse request */
-
-void    refuse(request)
-struct request_info *request;
-{
-    syslog(deny_severity, "refused connect from %s", eval_client(request));
-    clean_exit(request);
-    /* NOTREACHED */
-}
-
diff --git a/lib/libwrap/rfc1413.3 b/lib/libwrap/rfc1413.3
deleted file mode 100644
index 531c9cf7872..00000000000
--- a/lib/libwrap/rfc1413.3
+++ /dev/null
@@ -1,81 +0,0 @@
-.\"	$OpenBSD: rfc1413.3,v 1.14 2007/05/31 19:19:39 jmc Exp $
-.\"
-.\" Copyright (c) 2001, Bob Beck.  All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\" 1. Redistributions of source code must retain the above copyright
-.\"    notice, this list of conditions and the following disclaimer.
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\"    notice, this list of conditions and the following disclaimer in the
-.\"    documentation and/or other materials provided with the distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS
-.\" OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-.\" WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-.\" DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT,
-.\" INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-.\" (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-.\" SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-.\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: May 31 2007 $
-.Dt RFC1413 3
-.Os
-.Sh NAME
-.Nm rfc1413
-.Nd libwrap client side ident implementation
-.Sh SYNOPSIS
-.Fd #include <tcpd.h>
-.Ft int
-.Fn rfc1413 "struct sockaddr *rmt_sin" "struct sockaddr *our_sin" "char *dest" "size_t dsize" "int ident_timeout_time"
-.Sh DESCRIPTION
-.Fn rfc1413
-retrieves a user name from a remote system using the
-.Nm ident
-protocol described in RFC 1413.
-It is implemented in the
-.Nm libwrap.a
-library.
-.Pp
-.Fn rfc1413
-takes two sockaddr pointers as parameters:
-.Nm rmt_sin
-for the remote host end of a connected TCP socket, and
-.Nm our_sin
-for the local end.
-.Nm dest
-should be allocated by the caller to store the found username,
-and must be of length at least
-.Nm dsize .
-.Nm ident_timeout_time
-is a timeout in seconds on the entire ident query, used to ensure
-that you don't wait forever for a slow or unresponsive remote host
-to answer the ident query.
-.Sh RETURN VALUES
-When username lookup is successful,
-.Fn rfc1413
-strips the trailing CRLF from the returned value and stores up to
-.Nm "dsize - 1"
-bytes of the returned username into
-.Nm dest ,
-always terminating with a NUL byte.
-In this case 0 is returned.
-.Fn rfc1413
-returns -1 if any failure occurs such that it was unable to
-retrieve the remote username.
-.Sh SEE ALSO
-.Xr hosts_access 3
-.Sh BUGS
-The ident protocol only works on TCP sockets.
-.Pp
-Ident connections are made unencrypted, and nothing prevents the
-remote server from lying about who the user is.
-Consequently, ident should never be used to authenticate users.
-ident is however, quite useful for logging users of connections
-from multiuser machines that can be trusted not to lie about it.
-.\" @(#) hosts_access.3 1.8 96/02/11 17:01:26
diff --git a/lib/libwrap/rfc931.c b/lib/libwrap/rfc931.c
deleted file mode 100644
index cda2dde4187..00000000000
--- a/lib/libwrap/rfc931.c
+++ /dev/null
@@ -1,267 +0,0 @@
-/*	$OpenBSD: rfc931.c,v 1.13 2013/11/13 22:37:15 deraadt Exp $	*/
-
-/* rfc1413 does an attempt at an ident query to a client. Originally written
- * by Wietse Venema, rewritten by Bob Beck <beck@openbsd.org> to avoid 
- * potential longjmp problems and get rid of stdio usage on sockets. 
- */
-
-#include <stdio.h>
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/socket.h>
-#include <sys/uio.h>
-#include <netinet/in.h>
-#include <signal.h>
-#include <string.h>
-#include <unistd.h>
-#include <errno.h>
-#include <stdlib.h>
-
-/* Local stuff for tcpd. */
-
-#include "tcpd.h"
-
-#define	IDENT_PORT	113
-
-static volatile sig_atomic_t ident_timeout;
-
-int rfc931_timeout = RFC931_TIMEOUT; /* global, legacy from tcpwrapper stuff */
-
-/*ARGSUSED*/
-static void
-timeout(int s)
-{     
-	ident_timeout = 1;
-}
-
-/*
- * The old rfc931 from original libwrap for compatibility. Now it calls
- * rfc1413 with the default global parameters, but puts in the string
- * "unknown" (from global unknown) on failure just like the original.
- */
-
-void
-rfc931(rmt_sin, our_sin, dest)
-	struct sockaddr *rmt_sin;
-	struct sockaddr *our_sin;
-	char   *dest; 
-{
-	if (rfc1413(rmt_sin, our_sin, dest, STRING_LENGTH, rfc931_timeout) ==
-	    -1)
-		strlcpy(dest, unknown, STRING_LENGTH);
-}
-
-
-/*
- * rfc1413, an rfc1413 client request for user name given a socket
- * structure, with a timeout in seconds on the whole operation.  On
- * success returns 0 and saves dsize-1 characters of the username
- * provided by remote ident daemon into "dest", stripping off any
- * terminating CRLF, and terminating with a nul byte. Returns -1 on
- * failure (timeout, remote daemon didn't answer, etc). 
- */
-
-int
-rfc1413(rmt_sin, our_sin, dest, dsize, ident_timeout_time)
-	struct sockaddr *rmt_sin;
-	struct sockaddr *our_sin;
-	char   *dest;
-	size_t dsize;
-	int ident_timeout_time;
-{
-	in_port_t rmt_port, our_port;
-	int s, i, gotit, salen;
-	char *cp;
-	in_port_t *rmt_portp;
-	in_port_t *our_portp;
-	fd_set *readfds = NULL;
-	fd_set *writefds = NULL;
-	struct sockaddr_storage rmt_query_sin;
-	struct sockaddr_storage our_query_sin;
-	struct sigaction new_sa, old_sa;
-	char user[256];	 
-	char tbuf[1024];	 
-	size_t rsize, wsize;
-	
-	gotit = 0;
-	s = -1;
-	
-	/* address family must be the same */
-	if (rmt_sin->sa_family != our_sin->sa_family)
-		goto out1;
-	switch (rmt_sin->sa_family) {
-	case AF_INET:
-		salen = sizeof(struct sockaddr_in);
-		rmt_portp = &(((struct sockaddr_in *)rmt_sin)->sin_port);
-		break;
-#ifdef INET6
-	case AF_INET6:
-		salen = sizeof(struct sockaddr_in6);
-		rmt_portp = &(((struct sockaddr_in6 *)rmt_sin)->sin6_port);
-		break;
-#endif
-	default:
-		goto out1;
-	}
-	switch (our_sin->sa_family) {
-	case AF_INET:
-		our_portp = &(((struct sockaddr_in *)our_sin)->sin_port);
-		break;
-#ifdef INET6
-	case AF_INET6:
-		our_portp = &(((struct sockaddr_in6 *)our_sin)->sin6_port);
-		break;
-#endif
-	default:
-		goto out1;
-	}
-
-	if ((s = socket(rmt_sin->sa_family, SOCK_STREAM, 0)) == -1)
-		goto out1;
-
-	/*
-	 * Set up a timer so we won't get stuck while waiting for the server.
-	 * timer sets volatile sig_atomic_t ident_timeout when it fires. 
-	 * this has to be checked after system calls in case we timed out.
-	 */
-	
-	ident_timeout = 0;
-	memset(&new_sa, 0, sizeof(new_sa));
-	new_sa.sa_handler = timeout;
-	new_sa.sa_flags = SA_RESTART;
-	if (sigemptyset(&new_sa.sa_mask) == -1)
-		goto out1;
-	if (sigaction(SIGALRM, &new_sa, &old_sa) == -1)
-		goto out1;
-	alarm(ident_timeout_time);
-	
-	/*
-	 * Bind the local and remote ends of the query socket to the same
-	 * IP addresses as the connection under investigation. We go
-	 * through all this trouble because the local or remote system
-	 * might have more than one network address. The IDENT etc.
-	 * client sends only port numbers; the server takes the IP
-	 * addresses from the query socket.
-	 */
-	
-	memcpy(&our_query_sin, our_sin, salen);
-	switch (our_query_sin.ss_family) {
-	case AF_INET:
-		((struct sockaddr_in *)&our_query_sin)->sin_port = htons(0);
-		break;
-#ifdef INET6
-	case AF_INET6:
-		((struct sockaddr_in6 *)&our_query_sin)->sin6_port = htons(0);
-		break;
-#endif
-	}
-	memcpy(&rmt_query_sin, rmt_sin, salen);
-	switch (rmt_query_sin.ss_family) {
-	case AF_INET:
-		((struct sockaddr_in *)&rmt_query_sin)->sin_port =
-		    htons(IDENT_PORT);
-		break;
-#ifdef INET6
-	case AF_INET6:
-		((struct sockaddr_in6 *)&rmt_query_sin)->sin6_port =
-		    htons(IDENT_PORT);
-		break;
-#endif
-	}
-	
-	if (bind(s, (struct sockaddr *) & our_query_sin, salen) == -1)
-		goto out;
-	if ((connect(s, (struct sockaddr *) & rmt_query_sin, salen) == -1) ||
-	    ident_timeout)
-		goto out;
-
-	/* We are connected,  build an ident query and send it. */ 
-	
-	rsize = howmany(s+1, NFDBITS);
-	readfds = calloc(rsize, sizeof(fd_mask));
-	if (readfds == NULL) 
-		goto out;
-
-	wsize = howmany(s+1, NFDBITS);
-	writefds = calloc(wsize, sizeof(fd_mask));
-	if (writefds == NULL) 
-		goto out;
-	snprintf(tbuf, sizeof(tbuf), "%u,%u\r\n", ntohs(*rmt_portp),
-	    ntohs(*our_portp));
-	i = 0;
-	while (i < strlen(tbuf)) { 
-		int j;
-
-		memset(writefds, 0, wsize * sizeof(fd_mask));
-		FD_SET(s, writefds);
-		do { 
-			j = select(s + 1, NULL, writefds, NULL, NULL);
-			if (ident_timeout)			    
-				goto out;
-		} while ( j == -1 && (errno == EAGAIN || errno == EINTR ));
-		if (j == -1)
-			goto out;
-		if (FD_ISSET(s, writefds)) {
-			j = write(s, tbuf + i, strlen(tbuf + i));
-			if ((j == -1 && errno != EAGAIN && errno != EINTR) ||
-			    ident_timeout) 
-				goto out;
-			if  (j != -1) 
-				i += j;
-		} else 
-			goto out;
-	} 
-
-	
-	/* Read the answer back. */
-	i = 0;
-	tbuf[0] = '\0';
-	while ((cp = strchr(tbuf, '\n')) == NULL && i < sizeof(tbuf) - 1) {
-		int j;
-
-		memset(readfds, 0, rsize * sizeof(fd_mask));
-		FD_SET(s, readfds);
-		do { 
-			j = select(s + 1, readfds, NULL, NULL, NULL);
-			if (ident_timeout)
-				goto out;
-		} while ( j == -1 && (errno == EAGAIN || errno == EINTR ));
-		if (j == -1)
-			goto out;
-		if (FD_ISSET(s, readfds)) {
-			j = read(s, tbuf + i, sizeof(tbuf) - 1 - i);
-			if ((j == -1 && errno != EAGAIN && errno != EINTR) ||
-			    j == 0 || ident_timeout) 
-				goto out;
-			if  (j != -1) 
-				i += j;
-			tbuf[i] = '\0';
-		} else
-			goto out;
-	}
-	
-	if ((sscanf(tbuf,"%hu , %hu : USERID :%*[^:]:%255s", &rmt_port,
-	    &our_port, user) == 3) &&
-	    (ntohs(*rmt_portp) == rmt_port) &&
-	    (ntohs(*our_portp) == our_port)) {
-		if ((cp = strchr(user, '\r')) != NULL)
-			*cp = '\0';
-		gotit = 1;
-	}
-
-out:
-	alarm(0);
-	sigaction(SIGALRM, &old_sa, NULL);
-	if (readfds != NULL)
-		free(readfds);
-	if (writefds != NULL)
-		free(writefds);
-out1:
-	if (s != -1) 
-		close(s);
-	if (gotit) {
-		strlcpy(dest, user, dsize);
-		return(0);
-	}
-	return(-1);
-}
diff --git a/lib/libwrap/shell_cmd.c b/lib/libwrap/shell_cmd.c
deleted file mode 100644
index 55666455d5b..00000000000
--- a/lib/libwrap/shell_cmd.c
+++ /dev/null
@@ -1,91 +0,0 @@
-/*	$OpenBSD: shell_cmd.c,v 1.4 2013/11/13 22:37:15 deraadt Exp $	*/
-
- /*
-  * shell_cmd() takes a shell command after %<character> substitutions. The
-  * command is executed by a /bin/sh child process, with standard input,
-  * standard output and standard error connected to /dev/null.
-  * 
-  * Diagnostics are reported through syslog(3).
-  * 
-  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
-  */
-
-/* System libraries. */
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/wait.h>
-#include <signal.h>
-#include <stdio.h>
-#include <syslog.h>
-#include <string.h>
-#include <unistd.h>
-#include <fcntl.h>
-
-/* Local stuff. */
-
-#include "tcpd.h"
-
-/* Forward declarations. */
-
-static void do_child(char *);
-
-/* shell_cmd - execute shell command */
-
-void    shell_cmd(command)
-char   *command;
-{
-    pid_t	child_pid;
-    pid_t	wait_pid;
-
-    /*
-     * Most of the work is done within the child process, to minimize the
-     * risk of damage to the parent.
-     */
-
-    switch (child_pid = fork()) {
-    case -1:					/* error */
-	tcpd_warn("cannot fork: %m");
-	break;
-    case 00:					/* child */
-	do_child(command);
-	/* NOTREACHED */
-    default:					/* parent */
-	while ((wait_pid = wait((int *) 0)) != -1 && wait_pid != child_pid)
-	     /* void */ ;
-    }
-}
-
-/* do_child - exec command with { stdin, stdout, stderr } to /dev/null */
-
-static void do_child(command)
-char   *command;
-{
-    char   *error;
-    int     tmp_fd;
-
-    /*
-     * Systems with POSIX sessions may send a SIGHUP to grandchildren if the
-     * child exits first. This is sick, sessions were invented for terminals.
-     */
-
-    signal(SIGHUP, SIG_IGN);
-
-    /* Set up new stdin, stdout, stderr, and exec the shell command. */
-
-    for (tmp_fd = 0; tmp_fd < 3; tmp_fd++)
-	(void) close(tmp_fd);
-    if (open("/dev/null", O_RDWR) != 0) {
-	error = "open /dev/null: %m";
-    } else if (dup(0) != 1 || dup(0) != 2) {
-	error = "dup: %m";
-    } else {
-	(void) execl("/bin/sh", "sh", "-c", command, (char *) 0);
-	error = "execl /bin/sh: %m";
-    }
-
-    /* Something went wrong. We MUST terminate the child process. */
-
-    tcpd_warn(error);
-    _exit(0);
-}
diff --git a/lib/libwrap/shlib_version b/lib/libwrap/shlib_version
deleted file mode 100644
index 9c1551636c5..00000000000
--- a/lib/libwrap/shlib_version
+++ /dev/null
@@ -1,2 +0,0 @@
-major=6
-minor=0
diff --git a/lib/libwrap/socket.c b/lib/libwrap/socket.c
deleted file mode 100644
index 93bb7f13400..00000000000
--- a/lib/libwrap/socket.c
+++ /dev/null
@@ -1,278 +0,0 @@
-/*	$NetBSD: socket.c,v 1.17 2003/05/26 10:05:07 itojun Exp $	*/
-
- /*
-  * This module determines the type of socket (datagram, stream), the client
-  * socket address and port, the server socket address and port. In addition,
-  * it provides methods to map a transport address to a printable host name
-  * or address. Socket address information results are in static memory.
-  * 
-  * The result from the hostname lookup method is STRING_PARANOID when a host
-  * pretends to have someone elses name, or when a host name is available but
-  * could not be verified.
-  * 
-  * When lookup or conversion fails the result is set to STRING_UNKNOWN.
-  * 
-  * Diagnostics are reported through syslog(3).
-  * 
-  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
-  */
-
-/* System libraries. */
-
-#include <sys/types.h>
-#include <sys/param.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <netdb.h>
-#include <stdio.h>
-#include <syslog.h>
-#include <string.h>
-
-/* Local stuff. */
-
-#include "tcpd.h"
-
-/* Forward declarations. */
-
-#ifdef APPEND_DOT
-static const char *append_dot(const char *);
-#endif
-static void sock_sink(int);
-
-#ifdef APPEND_DOT
- /*
-  * Speed up DNS lookups by terminating the host name with a dot. Should be
-  * done with care. The speedup can give problems with lookups from sources
-  * that lack DNS-style trailing dot magic, such as local files or NIS maps.
-  */
-
-static const char *
-append_dot(name)
-const char *name;
-{
-    static char hbuf[MAXHOSTNAMELEN + 1];
-
-    /*
-     * Don't append dots to unqualified names. Such names are likely to come
-     * from local hosts files or from NIS.
-     */
-
-    if (strchr(name, '.') == 0 || strlen(name) + 2 > sizeof(hbuf))
-	strlcpy(hbuf, name, sizeof(hbuf));
-    else
-	snprintf(hbuf, sizeof(hbuf), "%s.", name);
-    return hbuf;
-}
-#endif
-
-/* sock_host - look up endpoint addresses and install conversion methods */
-
-void    sock_host(request)
-struct request_info *request;
-{
-    static struct sockaddr_storage client;
-    static struct sockaddr_storage server;
-    socklen_t   len;
-    char        buf[BUFSIZ];
-    int         fd = request->fd;
-
-    sock_methods(request);
-
-    /*
-     * Look up the client host address. Hal R. Brand <BRAND@addvax.llnl.gov>
-     * suggested how to get the client host info in case of UDP connections:
-     * peek at the first message without actually looking at its contents. We
-     * really should verify that client.sin_family gets the value AF_INET,
-     * but this program has already caused too much grief on systems with
-     * broken library code.
-     *
-     * XXX the last sentence is untrue as we support AF_INET6 as well :-)
-     */
-
-    len = sizeof(client);
-    if (getpeername(fd, (struct sockaddr *) & client, &len) < 0) {
-	request->sink = sock_sink;
-	len = sizeof(client);
-	if (recvfrom(fd, buf, sizeof(buf), MSG_PEEK,
-		     (struct sockaddr *) & client, &len) < 0) {
-	    tcpd_warn("can't get client address: %m");
-	    return;				/* give up */
-	}
-#ifdef really_paranoid
-	memset(buf, 0, sizeof(buf));
-#endif
-    }
-    request->client->sin = (struct sockaddr *)&client;
-
-    /*
-     * Determine the server binding. This is used for client username
-     * lookups, and for access control rules that trigger on the server
-     * address or name.
-     */
-
-    len = sizeof(server);
-    if (getsockname(fd, (struct sockaddr *) & server, &len) < 0) {
-	tcpd_warn("getsockname: %m");
-	return;
-    }
-    request->server->sin = (struct sockaddr *)&server;
-}
-
-/* sock_hostaddr - map endpoint address to printable form */
-
-void    sock_hostaddr(host)
-struct host_info *host;
-{
-    struct sockaddr *sa = host->sin;
-
-    if (!sa)
-	return;
-    host->addr[0] = '\0';
-    getnameinfo(sa, sa->sa_len, host->addr, sizeof(host->addr),
-	NULL, 0, NI_NUMERICHOST);
-}
-
-/* sock_hostname - map endpoint address to host name */
-
-void    sock_hostname(host)
-struct host_info *host;
-{
-    struct sockaddr *sa = host->sin;
-    char h1[NI_MAXHOST], h2[NI_MAXHOST];
-    struct addrinfo hints, *res, *res0;
-#ifdef INET6
-    struct sockaddr_in tmp;
-#endif
-
-    if (!sa)
-	return;
-#ifdef INET6
-    /* special case on reverse lookup: mapped addr.  I hate it */
-    if (sa->sa_family == AF_INET6 &&
-        IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)sa)->sin6_addr)) {
-	memset(&tmp, 0, sizeof(tmp));
-	tmp.sin_family = AF_INET;
-	tmp.sin_len = sizeof(struct sockaddr_in);
-	memcpy(&tmp.sin_addr,
-	    &((struct sockaddr_in6 *)sa)->sin6_addr.s6_addr[12], 4);
-	sa = (struct sockaddr *)&tmp;
-    }
-#endif
-    if (getnameinfo(sa, sa->sa_len, h1, sizeof(h1), NULL, 0,
-        NI_NUMERICHOST) != 0) {
-	return;
-    }
-    if (getnameinfo(sa, sa->sa_len, host->name, sizeof(host->name), NULL, 0,
-        NI_NAMEREQD) == 0) {
-	/*
-	 * if reverse lookup result looks like a numeric hostname,
-	 * someone is trying to trick us by PTR record like following:
-	 *	1.1.1.10.in-addr.arpa.  IN PTR  2.3.4.5
-	 */
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
-	hints.ai_flags = AI_NUMERICHOST;
-#ifdef APPEND_DOT
-	if (getaddrinfo(append_dot(host->name), "0", &hints, &res0) == 0)
-#else
-	if (getaddrinfo(host->name, "0", &hints, &res0) == 0)
-#endif
-	{
-	    tcpd_warn("Nasty PTR record is configured");
-	    freeaddrinfo(res0);
-	    /* name is bad, clobber it */
-	    (void)strlcpy(host->name, paranoid, sizeof(host->name));
-	    return;
-	}
-	 
-	/*
-	 * Verify that the address is a member of the address list returned
-	 * by getaddrinfo(hostname).
-	 * 
-	 * Verify also that getnameinfo() and getaddrinfo() return the same
-	 * hostname, or rshd and rlogind may still end up being spoofed.
-	 * 
-	 * On some sites, getaddrinfo("localhost") returns "localhost.domain".
-	 * This is a DNS artefact. We treat it as a special case. When we
-	 * can't believe the address list from getaddrinfo("localhost")
-	 * we're in big trouble anyway.
-	 */
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_family = sa->sa_family;
-	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
-	hints.ai_flags = AI_CANONNAME;
-#ifdef APPEND_DOT
-	if (getaddrinfo(append_dot(host->name), "0", &hints, &res0) != 0)
-#else
-	if (getaddrinfo(host->name, "0", &hints, &res0) != 0)
-#endif
-	{
-	    /*
-	     * Unable to verify that the host name matches the address. This
-	     * may be a transient problem or a botched name server setup.
-	     */
-
-	    tcpd_warn("can't verify hostname: getaddrinfo(%s, %d) failed",
-	        host->name, hints.ai_family);
-	} else if (res0->ai_canonname &&
-	    STR_NE(host->name, res0->ai_canonname) &&
-	    STR_NE(host->name, "localhost")) {
-	    /*
-	     * The getnameinfo() and getaddrinfo() calls did not return
-	     * the same hostname. This could be a nameserver configuration
-	     * problem. It could also be that someone is trying to spoof us.
-	     */
-
-	    tcpd_warn("host name/name mismatch: %s != %s",
-		host->name, res0->ai_canonname);
-	    freeaddrinfo(res0);
-	} else {
-	    /*
-	     * The address should be a member of the address list returned by
-	     * getaddrinfo().
-	     */
-
-	    for (res = res0; res; res = res->ai_next) {
-		if (getnameinfo(res->ai_addr, res->ai_addrlen, h2, sizeof(h2),
-		    NULL, 0, NI_NUMERICHOST) != 0) {
-		    continue;
-		}
-		if (STR_EQ(h1, h2)) {
-		    freeaddrinfo(res0);
-		    return;
-		}
-	    }
-
-	    /*
-	     * The host name does not map to the initial address. Perhaps
-	     * someone has messed up. Perhaps someone compromised a name
-	     * server.
-	     */
-
-	    tcpd_warn("host name/address mismatch: %s != %s", h1,
-		res0->ai_canonname ? res0->ai_canonname : "?");
-
-	    freeaddrinfo(res0);
-	}
-	/* name is bad, clobber it */
-	strlcpy(host->name, paranoid, sizeof(host->name));
-    }
-}
-
-/* sock_sink - absorb unreceived IP datagram */
-
-static void sock_sink(fd)
-int     fd;
-{
-    char    	buf[BUFSIZ];
-    struct sockaddr_storage ss;
-    socklen_t	size = sizeof(ss);
-
-    /*
-     * Eat up the not-yet received datagram. Some systems insist on a
-     * non-zero source address argument in the recvfrom() call below.
-     */
-
-    (void) recvfrom(fd, buf, sizeof(buf), 0, (struct sockaddr *) & ss, &size);
-}
diff --git a/lib/libwrap/tcpd.h b/lib/libwrap/tcpd.h
deleted file mode 100644
index 444818e917f..00000000000
--- a/lib/libwrap/tcpd.h
+++ /dev/null
@@ -1,208 +0,0 @@
-/*	$OpenBSD: tcpd.h,v 1.17 2013/11/13 19:38:12 jca Exp $	*/
-
-/*
- * Copyright (c) 1997, Jason Downs.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR(S) ``AS IS'' AND ANY EXPRESS
- * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- * DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT,
- * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
- * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
- * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
- * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
- /*
-  * @(#) tcpd.h 1.5 96/03/19 16:22:24
-  * 
-  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
-  */
-
-#ifndef _TCPD_H_
-#define _TCPD_H_
-
-/* Structure to describe one communications endpoint. */
-
-#define STRING_LENGTH	256		/* hosts, users, processes */
-
-struct host_info {
-    char    name[STRING_LENGTH];	/* access via eval_hostname(host) */
-    char    addr[STRING_LENGTH];	/* access via eval_hostaddr(host) */
-    struct sockaddr *sin;		/* socket address or 0 */
-    struct t_unitdata *unit;		/* TLI transport address or 0 */
-    struct request_info *request;	/* for shared information */
-};
-
-/* Structure to describe what we know about a service request. */
-
-struct request_info {
-    int     fd;				/* socket handle */
-    char    user[STRING_LENGTH];	/* access via eval_user(request) */
-    char    daemon[STRING_LENGTH];	/* access via eval_daemon(request) */
-    char    pid[10];			/* access via eval_pid(request) */
-    struct host_info client[1];		/* client endpoint info */
-    struct host_info server[1];		/* server endpoint info */
-    void  (*sink)(int);			/* datagram sink function or 0 */
-    void  (*hostname)(struct host_info *); /* address to printable hostname */
-    void  (*hostaddr)(struct host_info *); /* address to printable address */
-    void  (*cleanup)(void);		/* cleanup function or 0 */
-    struct netconfig *config;		/* netdir handle */
-};
-
-/* Common string operations. Less clutter should be more readable. */
-
-#define STRN_CPY(d,s,l)	{ strncpy((d),(s),(l)); (d)[(l)-1] = 0; }
-
-#define STRN_EQ(x,y,l)	(strncasecmp((x),(y),(l)) == 0)
-#define STRN_NE(x,y,l)	(strncasecmp((x),(y),(l)) != 0)
-#define STR_EQ(x,y)	(strcasecmp((x),(y)) == 0)
-#define STR_NE(x,y)	(strcasecmp((x),(y)) != 0)
-
- /*
-  * Initially, all above strings have the empty value. Information that
-  * cannot be determined at runtime is set to "unknown", so that we can
-  * distinguish between `unavailable' and `not yet looked up'. A hostname
-  * that we do not believe in is set to "paranoid".
-  */
-
-#define STRING_UNKNOWN	"unknown"	/* lookup failed */
-#define STRING_PARANOID	"paranoid"	/* hostname conflict */
-
-__BEGIN_DECLS
-extern char unknown[];
-extern char paranoid[];
-__END_DECLS
-
-#define HOSTNAME_KNOWN(s) (STR_NE((s),unknown) && STR_NE((s),paranoid))
-
-#define NOT_INADDR(s) (s[strspn(s,"01234567890./")] != 0)
-
-/* Global functions. */
-
-#define fromhost sock_host		/* no TLI support needed */
-
-__BEGIN_DECLS
-extern int hosts_access(struct request_info *);
-extern int hosts_ctl(char *, char *, char *, char *);
-extern void shell_cmd(char *);
-extern char *percent_m(char *, char *);
-extern char *percent_x(char *, int, char *, struct request_info *);
-extern void rfc931(struct sockaddr *, struct sockaddr *, char *);
-extern int rfc1413(struct sockaddr *, struct sockaddr *, char *, size_t, int);
-extern void clean_exit(struct request_info *);
-extern void refuse(struct request_info *);
-#ifdef _STDIO_H_
-extern char *xgets(char *, int, FILE *);
-#endif	/* _STDIO_H_ */
-extern char *split_at(char *, int);
-extern int dot_quad_addr_new(char *, in_addr_t *);
-extern in_addr_t dot_quad_addr(char *);
-
-/* Global variables. */
-
-extern int allow_severity;		/* for connection logging */
-extern int deny_severity;		/* for connection logging */
-extern char *hosts_allow_table;		/* for verification mode redirection */
-extern char *hosts_deny_table;		/* for verification mode redirection */
-extern int hosts_access_verbose;	/* for verbose matching mode */
-extern int rfc931_timeout;		/* user lookup timeout */
-extern int resident;			/* > 0 if resident process */
-
- /*
-  * Routines for controlled initialization and update of request structure
-  * attributes. Each attribute has its own key.
-  */
-
-extern struct request_info *request_init(struct request_info *, ...);
-extern struct request_info *request_set(struct request_info *, ...);
-
-#define RQ_FILE		1		/* file descriptor */
-#define RQ_DAEMON	2		/* server process (argv[0]) */
-#define RQ_USER		3		/* client user name */
-#define RQ_CLIENT_NAME	4		/* client host name */
-#define RQ_CLIENT_ADDR	5		/* client host address */
-#define RQ_CLIENT_SIN	6		/* client endpoint (internal) */
-#define RQ_SERVER_NAME	7		/* server host name */
-#define RQ_SERVER_ADDR	8		/* server host address */
-#define RQ_SERVER_SIN	9		/* server endpoint (internal) */
-
- /*
-  * Routines for delayed evaluation of request attributes. Each attribute
-  * type has its own access method. The trivial ones are implemented by
-  * macros. The other ones are wrappers around the transport-specific host
-  * name, address, and client user lookup methods. The request_info and
-  * host_info structures serve as caches for the lookup results.
-  */
-
-extern char *eval_user(struct request_info *);
-extern char *eval_hostname(struct host_info *);
-extern char *eval_hostaddr(struct host_info *);
-extern char *eval_hostinfo(struct host_info *);
-extern char *eval_client(struct request_info *);
-extern char *eval_server(struct request_info *);
-#define eval_daemon(r)	((r)->daemon)	/* daemon process name */
-#define eval_pid(r)	((r)->pid)	/* process id */
-
-/* Socket-specific methods, including DNS hostname lookups. */
-
-extern void sock_host(struct request_info *);
-extern void sock_hostname(struct host_info *);
-extern void sock_hostaddr(struct host_info *);
-#define sock_methods(r) \
-	{ (r)->hostname = sock_hostname; (r)->hostaddr = sock_hostaddr; }
-
- /*
-  * Problem reporting interface. Additional file/line context is reported
-  * when available. The jump buffer (tcpd_buf) is not declared here, or
-  * everyone would have to include <setjmp.h>.
-  */
-
-extern void tcpd_warn(char *, ...)
-    __attribute__((__format__(__printf__, 1, 2)));
-extern void tcpd_jump(char *, ...)
-    __attribute__((__format__(__printf__, 1, 2)));
-__END_DECLS
-
-struct tcpd_context {
-    char   *file;			/* current file */
-    int     line;			/* current line */
-};
-
-__BEGIN_DECLS
-extern struct tcpd_context tcpd_context;
-
- /*
-  * While processing access control rules, error conditions are handled by
-  * jumping back into the hosts_access() routine. This is cleaner than
-  * checking the return value of each and every silly little function. The
-  * (-1) returns are here because zero is already taken by longjmp().
-  */
-
-#define AC_PERMIT	1		/* permit access */
-#define AC_DENY		(-1)		/* deny_access */
-#define AC_ERROR	AC_DENY		/* XXX */
-
- /*
-  * In verification mode an option function should just say what it would do,
-  * instead of really doing it. An option function that would not return
-  * should clear the dry_run flag to inform the caller of this unusual
-  * behavior.
-  */
-
-extern void process_options(char *, struct request_info *);
-extern int dry_run;			/* verification flag */
-__END_DECLS
-
-#endif	/* _TCPD_H_ */
diff --git a/lib/libwrap/update.c b/lib/libwrap/update.c
deleted file mode 100644
index 36e5c021e8a..00000000000
--- a/lib/libwrap/update.c
+++ /dev/null
@@ -1,117 +0,0 @@
-/*	$OpenBSD: update.c,v 1.7 2013/11/13 22:37:15 deraadt Exp $	*/
-
- /*
-  * Routines for controlled update/initialization of request structures.
-  * 
-  * request_init() initializes its argument. Pointers and string-valued members
-  * are initialized to zero, to indicate that no lookup has been attempted.
-  * 
-  * request_set() adds information to an already initialized request structure.
-  * 
-  * Both functions take a variable-length name-value list.
-  * 
-  * Diagnostics are reported through syslog(3).
-  * 
-  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
-  */
-
-/* System libraries */
-
-#include <stdio.h>
-#include <stdarg.h>
-#include <syslog.h>
-#include <string.h>
-#include <unistd.h>
-
-/* Local stuff. */
-
-#include "tcpd.h"
-
-/* request_fill - request update engine */
-
-static struct request_info *request_fill(struct request_info *request,
-    va_list ap)
-{
-    int     key;
-    char   *ptr;
-
-    while ((key = va_arg(ap, int)) > 0) {
-	switch (key) {
-	default:
-	    tcpd_warn("request_fill: invalid key: %d", key);
-	    return (request);
-	case RQ_FILE:
-	    request->fd = va_arg(ap, int);
-	    continue;
-	case RQ_CLIENT_SIN:
-	    request->client->sin = va_arg(ap, struct sockaddr *);
-	    continue;
-	case RQ_SERVER_SIN:
-	    request->server->sin = va_arg(ap, struct sockaddr *);
-	    continue;
-
-	    /*
-	     * All other fields are strings with the same maximal length.
-	     */
-
-	case RQ_DAEMON:
-	    ptr = request->daemon;
-	    break;
-	case RQ_USER:
-	    ptr = request->user;
-	    break;
-	case RQ_CLIENT_NAME:
-	    ptr = request->client->name;
-	    break;
-	case RQ_CLIENT_ADDR:
-	    ptr = request->client->addr;
-	    break;
-	case RQ_SERVER_NAME:
-	    ptr = request->server->name;
-	    break;
-	case RQ_SERVER_ADDR:
-	    ptr = request->server->addr;
-	    break;
-	}
-	strlcpy(ptr, va_arg(ap, char *), STRING_LENGTH);
-    }
-    return (request);
-}
-
-/* request_init - initialize request structure */
-
-struct request_info *request_init(struct request_info *request, ...)
-{
-    static struct request_info default_info;
-    struct request_info *r;
-    va_list ap;
-
-    /*
-     * Initialize data members. We do not assign default function pointer
-     * members, to avoid pulling in the whole socket module when it is not
-     * really needed.
-     */
-    va_start(ap, request);
-    *request = default_info;
-    request->fd = -1;
-    strlcpy(request->daemon, unknown, sizeof(request->daemon));
-    snprintf(request->pid, sizeof(request->pid), "%ld", (long)getpid());
-    request->client->request = request;
-    request->server->request = request;
-    r = request_fill(request, ap);
-    va_end(ap);
-    return (r);
-}
-
-/* request_set - update request structure */
-
-struct request_info *request_set(struct request_info *request, ...)
-{
-    struct request_info *r;
-    va_list ap;
-
-    va_start(ap, request);
-    r = request_fill(request, ap);
-    va_end(ap);
-    return (r);
-}