diff -c --recursive --new-file pidentd-2.8.1/Makefile pidentd-2.8.1-libwrap/Makefile
*** pidentd-2.8.1/Makefile	Tue Jul 29 00:01:22 1997
--- pidentd-2.8.1-libwrap/Makefile	Wed Jan 21 15:46:50 1998
***************
*** 52,57 ****
--- 52,72 ----
  # find a free one on ftp.lysator.liu.se in pub/libraries or on
  # ftp.funet.fi in pub/crypt/libdes.
  #
+ # Usage of LIBWRAP makes sense only when you plan running the daemon as stand-
+ # alone or from inetd with -w flag (if using with -i flag it's probably
+ # much better idea to use tcpd from tcp_wrappers to implement access control).
+ # Note that LIBWRAP option requires that you have libwrap.a and tcpd.h 
+ # located in place from where your compiler can find them, otherwise add 
+ # necessary -I (-I/usr/local/include) to GDEFS and -L (-L/usr/local/lib)
+ # to LDFLAGS. Also add -lwrap to GLIBS.
+ # IMPORTANT! don't use 'rfc931' flag in 'identd' access control rules
+ # in /etc/hosts.deny (this might cause race condition, and high loads...)
+ # For example in your /etc/hosts.deny there could be lines like this:
+ #    identd: .evil.org : deny
+ #    identd: ALL : allow
+ # to refuce connections from any host in evil.org domain, and allow from
+ # anywhere else.
+ #
  # GDEFS=-DINCLUDE_EXTENSIONS -DINCLUDE_PROXY -DINCLUDE_CRYPT \
  #
  # GDEFS=-DINCLUDE_EXTENSIONS -DINCLUDE_PROXY -DINCLUDE_CRYPT \
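Review bot: The example rules in the added comment use the `: deny` / `: allow` option syntax, which tcp_wrappers understands only when it was built with PROCESS_OPTIONS (see hosts_options(5)). On a build without it the third field is a shell command and any match in /etc/hosts.deny refuses the client, so `identd: ALL : allow` placed there would refuse every host. The comment should say which syntax it assumes, or give the classic form as well, for example `identd: .evil.org` in /etc/hosts.deny. "refuce" should read "refuse".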
***************
*** 59,71 ****
  #
  GDEFS=-DINCLUDE_EXTENSIONS -DSTRONG_LOG -DALLOW_FORMAT \
  	-DDPATH_CONFIG='\"$(CONFDIR)/identd.conf\"' \
! 	-DPATH_DESKEY='\"$(CONFDIR)/identd.key\"'
  
  # GLIBS=-lident -ldes
! GLIBS=
  
  CFLAGS=-O
! #LDFLAGS=-L$(DESTROOT)/lib
  
  all:
  	@echo "Please specify the type of system you wish to build for."
--- 74,89 ----
  #
  GDEFS=-DINCLUDE_EXTENSIONS -DSTRONG_LOG -DALLOW_FORMAT \
  	-DDPATH_CONFIG='\"$(CONFDIR)/identd.conf\"' \
! 	-DPATH_DESKEY='\"$(CONFDIR)/identd.key\"' \
! 	-DLIBWRAP -I/usr/local/include -DINCLUDE_CRYPT
  
  # GLIBS=-lident -ldes
! GLIBS= -lwrap -ldes
! #GLIBS=
  
  CFLAGS=-O
! LDFLAGS=-L$(DESTROOT)/lib
! 
  
  all:
  	@echo "Please specify the type of system you wish to build for."
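Review bot: The active `GDEFS`, `GLIBS` and `LDFLAGS` lines now turn on `-DLIBWRAP` and `-DINCLUDE_CRYPT` and link `-lwrap -ldes` for every build, although the comment block above describes both as optional; a site without libwrap.a or libdes will fail at link time. I would keep `GLIBS=` as the active default and ship the new value commented out, `# GLIBS=-lwrap -ldes`, and do the same for the extra `GDEFS` line. The include path is hard-coded as `-I/usr/local/include` while the library path is `-L$(DESTROOT)/lib`; DESTROOT is defined outside this hunk, so the two only agree if it happens to be /usr/local. Enabling INCLUDE_CRYPT together with LIBWRAP also changes how check_crypt() in src/parse.c decides on cleartext, which deserves a line in the comment block.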
***************
*** 280,286 ****
  
  irix62_32:
  	@echo "Building for Silicon Graphics IRIX 6.2, 32bit CPUs ..."
! 	@(cd src ; $(MAKE) CC="$(CC)" LDFLAGS="$(LDFLAGS) -mips3" LIBS="-lelf $(GLIBS)" CFLAGS="$(CFLAGS) -mips3 -DIRIX -DIRIX62 $(GDEFS)" MAKE=$(MAKE) KSRC=irix5 PREFIX="$(PREFIX)" $(PREFIX)identd)
    
  irix62_64:
  	@echo "Building for Silicon Graphics IRIX 6.2, 64bit CPUs ..."
--- 298,304 ----
  
  irix62_32:
  	@echo "Building for Silicon Graphics IRIX 6.2, 32bit CPUs ..."
! 	@(cd src ; $(MAKE) CC="$(CC)" LDFLAGS="$(LDFLAGS) -mips2" LIBS="-lelf $(GLIBS)" CFLAGS="$(CFLAGS) -mips2 -DIRIX -DIRIX62 $(GDEFS)" MAKE=$(MAKE) KSRC=irix5 PREFIX="$(PREFIX)" $(PREFIX)identd)
    
  irix62_64:
  	@echo "Building for Silicon Graphics IRIX 6.2, 64bit CPUs ..."
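Review bot: The switch from `-mips3` to `-mips2` in the `irix62_32` recipe is unrelated to libwrap support and is not explained anywhere in the patch. It changes code generation and link flags for every IRIX 6.2 32-bit build; presumably it matches how a local libwrap.a was compiled, but that is a site-specific choice. It should either be dropped from this patch or carry a comment such as `# -mips2: must match the ISA level libwrap.a was built with`.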
diff -c --recursive --new-file pidentd-2.8.1/src/Makefile pidentd-2.8.1-libwrap/src/Makefile
*** pidentd-2.8.1/src/Makefile	Tue Jul 29 00:01:25 1997
--- pidentd-2.8.1-libwrap/src/Makefile	Wed Jan 21 15:49:50 1998
***************
*** 18,24 ****
  	mv $(PREFIX)identd ..
  
  idecrypt:	idecrypt.o crypto.o
! 	$(CC) $(LDFLAGS) -o idecrypt idecrypt.o crypto.o
  	mv idecrypt ..
  
  identd.o:	 identd.c identd.h error.h crypto.h Makefile
--- 18,24 ----
  	mv $(PREFIX)identd ..
  
  idecrypt:	idecrypt.o crypto.o
! 	$(CC) $(LDFLAGS) -o idecrypt idecrypt.o crypto.o $(LIBS)
  	mv idecrypt ..
  
  identd.o:	 identd.c identd.h error.h crypto.h Makefile
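Review bot: The `idecrypt` link line now receives all of `$(LIBS)`, which the top-level Makefile fills with `$(GLIBS)` (now `-lwrap -ldes`) plus platform libraries such as `-lelf`, while idecrypt presumably needs only the DES library. Where libwrap is a shared library this can fail to link, because libwrap references `allow_severity` and `deny_severity` and this patch defines them only in identd.c. Passing just the crypto library to this rule through a separate variable would keep the key-handling utility free of the access-control dependency. The rule's prerequisites and the rest of the file are outside this hunk.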
diff -c --recursive --new-file pidentd-2.8.1/src/identd.c pidentd-2.8.1-libwrap/src/identd.c
*** pidentd-2.8.1/src/identd.c	Thu Dec 11 16:01:28 1997
--- pidentd-2.8.1-libwrap/src/identd.c	Fri Jan 23 18:46:47 1998
***************
*** 72,77 ****
--- 72,85 ----
  #  include <string.h>
  #endif
  
+ #ifdef LIBWRAP
+ #include <tcpd.h>
+ #include <syslog.h>
+ int allow_severity = LOG_INFO;
+ int deny_severity  = LOG_WARNING;
+ struct request_info tcp_wrapper_req;
+ #endif
+ 
  #include "identd.h"
  #include "error.h"
  #include "paths.h"
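Review bot: The three new globals have no comment, and their purpose is not obvious to someone who does not know libwrap: `allow_severity` and `deny_severity` are symbols the library expects the program to define, and `tcp_wrapper_req` is shared with check_crypt() in parse.c. I would add `/* allow_severity/deny_severity are referenced by libwrap and must be defined here; tcp_wrapper_req is initialised once per connection and reused by check_crypt() in parse.c */` above them. The matching `extern struct request_info tcp_wrapper_req;` that the patch puts in parse.c would be better placed in identd.h under the same `#ifdef LIBWRAP`, so both files see a single declaration.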
***************
*** 760,766 ****
      }
      
      faddr = sin.sin_addr;
!     
      
  #ifdef STRONG_LOG
      if (syslog_flag)
--- 768,801 ----
      }
      
      faddr = sin.sin_addr;
! 
! #ifdef LIBWRAP
!     {
!       /*
!       ** Check using libwrap (part of tcp_wrappers) if we should allow 
!       ** or disallow, this request. We use access control rules 
!       ** (usually in /etc/hosts.deny) with 'identd' as a daemon name.
!       */
! 
!       request_init(&tcp_wrapper_req, 
! 		   RQ_DAEMON, "identd",  /* daemon 'name' to use when
! 					    looking up access control rules */
! 		   RQ_FILE, 0,           /* file descriptor of socket */
! 		   NULL);
!       fromhost(&tcp_wrapper_req);
!       if (!hosts_access(&tcp_wrapper_req)) {
! 	/* refuse this request */
! 	if (!syslog_flag) {
! 	  openlog("identd", LOG_PID
! #ifdef LOG_DAEMON
! 		  , syslog_facility
! #endif
! 		  );
! 	}
! 	refuse(&tcp_wrapper_req);
!       }
!     }
! #endif    
      
  #ifdef STRONG_LOG
      if (syslog_flag)
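Review bot: The access check hard-codes `RQ_FILE, 0` and relies on `refuse()` not returning, and neither assumption is stated in the new block. Whether descriptor 0 is the connected socket in every run mode, and whether this code runs in a per-connection process rather than in the listening daemon, is decided outside this hunk; if either does not hold, the rules are evaluated against the wrong peer or a denied client ends the daemon. Please document it, for example `/* fd 0 must be the client socket here; refuse() logs at deny_severity and exits, so this must run in the per-connection process */`. Note also that hostname patterns in the rules make `hosts_access()` do a reverse lookup on every ident query, which the Makefile comment could mention next to the rfc931 warning.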
diff -c --recursive --new-file pidentd-2.8.1/src/parse.c pidentd-2.8.1-libwrap/src/parse.c
*** pidentd-2.8.1/src/parse.c	Tue Jul 29 00:01:28 1997
--- pidentd-2.8.1-libwrap/src/parse.c	Fri Jan 23 18:49:04 1998
***************
*** 50,55 ****
--- 50,61 ----
  #include "error.h"
  #include "crypto.h"
  
+ #if defined(LIBWRAP) && defined(INCLUDE_CRYPT)
+ #include <tcpd.h>
+ extern struct request_info tcp_wrapper_req;
+ #endif
+ 
+ 
  extern void *malloc();
  
  /*
***************
*** 154,167 ****
--- 160,189 ----
    return (rcode == 0);
  }
  
+ 
+ 
  #ifdef INCLUDE_CRYPT
  /*
  ** Checks address of incoming call against network/mask pairs of trusted
  ** networks to determine whether to crypt response or not.
+ **
+ ** If using libwrap, use 'identd-cleartext' as a daemon name in
+ ** access control rules (in /etc/hosts.deny), to specify which hosts/domains
+ ** we trust enough to give cleartext authentication.
+ ** Note 'identd' controls access to the ident service and 'ident-cleartext'
+ ** only whether the authentication is sent encrypted or not.
  */
  int check_crypt(faddr)
    struct in_addr *faddr;
  {
+ #ifdef LIBWRAP
+   /* just change 'daemon name' in request structure */
+   request_set(&tcp_wrapper_req, 
+ 	      RQ_DAEMON, "identd-cleartext", 
+ 	      NULL);
+   /* check if 'identd-cleartex' rules permit cleartext authentication */
+   if (hosts_access(&tcp_wrapper_req)) return 0;
+ #else
    int i;
    extern int netcnt;
    extern u_long localnet[], localmask[];
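Review bot: With LIBWRAP defined, check_crypt() returns 0 (send cleartext) whenever `hosts_access()` grants access, and tcp_wrappers grants access when no rule matches, so a host with no `identd-cleartext` rules answers every client in cleartext. The code it replaces appears to return 1 (encrypt) unless the peer matches a configured localnet/localmask pair, so the default flips from encrypt to cleartext and any configured trusted networks are silently ignored. The comment should state that a catch-all such as `identd-cleartext: ALL` in /etc/hosts.deny is required, with trusted hosts listed in /etc/hosts.allow, and it should spell the daemon name consistently (it appears as 'identd-cleartext', 'ident-cleartext' and 'identd-cleartex'). `request_set()` also leaves the shared `tcp_wrapper_req` carrying the new daemon name, and `faddr` is unused in this branch. The `#else` opened here is closed by the `#endif` added in the following hunk.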
***************
*** 170,175 ****
--- 192,198 ----
      if ((faddr->s_addr & localmask[i]) == localnet[i])
        return 0;
    }
+ #endif
    return 1;
  }
  #endif
