authorYASUOKA Masahiko <yasuoka@cvs.openbsd.org>2021-05-22 08:29:58 +0000
committerYASUOKA Masahiko <yasuoka@cvs.openbsd.org>2021-05-22 08:29:58 +0000
commit9b0ef0a607853fe1d7fa0104fa82415823d5fc82 (patch)
treef990e6070076d4f0c7b5ececd5422d58fabf9d9b /usr.sbin/npppd
parent36370273cf793634f24db9347b528ad9c4e88534 (diff)
Remove ipsec_util.c, its headers, and the code block which uses it
from npppd(8). They had been disabled for a long time.
Diffstat (limited to 'usr.sbin/npppd')
-rw-r--r--usr.sbin/npppd/common/ipsec_util.c382
-rw-r--r--usr.sbin/npppd/common/ipsec_util.h44
-rw-r--r--usr.sbin/npppd/common/ipsec_util_local.h66
-rw-r--r--usr.sbin/npppd/l2tp/l2tp_ctrl.c98
4 files changed, 2 insertions, 588 deletions
diff --git a/usr.sbin/npppd/common/ipsec_util.c b/usr.sbin/npppd/common/ipsec_util.c
deleted file mode 100644
index 4a9acb4c552..00000000000
--- a/usr.sbin/npppd/common/ipsec_util.c
+++ /dev/null
@@ -1,382 +0,0 @@
-/* $OpenBSD: ipsec_util.c,v 1.9 2021/03/29 03:54:39 yasuoka Exp $ */
-/*-
- * Copyright (c) 2007, 2009 Internet Initiative Japan Inc.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-/* $Id: ipsec_util.c,v 1.9 2021/03/29 03:54:39 yasuoka Exp $ */
-/*@file IPsec related utility functions */
-/*
- * RFC 2367 PF_KEY Key Management API, Version 2
- */
-
-#include <sys/socket.h>
-#include <sys/errno.h>
-#include <net/pfkeyv2.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-#include <fcntl.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "ipsec_util.h"
-#include "ipsec_util_local.h"
-
-/**
- * Delete the IPsec-SA for transport-mode ESP that matches specified sock and
- * peer.
- * <p>
- * For deleting IPsec-SA for NAT-T, port numbers and protocol must
- * be specified.</p>
- *
- * @param sock localy bounded address of the IPsec-SA.
- * @param peer remote address of the IPsec-SA.
- * @param proto protocol of IPsec-SA. Specify this only if IPsec-SA is for
- * NAT-T peer.
- * @param dir IPsec-SA's direction by choosing
- * {@link ::IPSEC_UTIL_DIRECTION_IN}, {@link ::IPSEC_UTIL_DIRECTION_OUT}
- * or {@link ::IPSEC_UTIL_DIRECTION_BOTH}
- * @return 0 if the function success, otherwise return non-zero value;
- */
-int
-ipsec_util_purge_transport_sa(struct sockaddr *sock, struct sockaddr *peer,
- int proto, int dir)
-{
- int key_sock;
- struct timeval tv;
- struct sadb_del_args del_in, del_out;
-
- /*
- * Assumes address family is (AF_INET|AF_INET6) and has valid length
- */
- if (sock == NULL || peer == NULL ||
- !sockaddr_is_valid(peer) || !sockaddr_is_valid(peer))
- return -1;
-
- if ((key_sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2)) < 0)
- return -1;
-
- tv = KEYSOCK_RCVTIMEO;
- if (setsockopt(key_sock, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) != 0)
- goto fail;
-
- del_in.is_valid = del_out.is_valid = 0;
- if (delete_prepare(key_sock, sock, peer, proto, &del_in, &del_out) != 0)
- goto fail;
-
- if (del_in.is_valid && (dir & IPSEC_UTIL_DIRECTION_IN) != 0) {
- if (send_sadb_delete(key_sock, &del_in))
- goto fail;
- }
- if (del_out.is_valid && (dir & IPSEC_UTIL_DIRECTION_OUT) != 0) {
- if (send_sadb_delete(key_sock, &del_out))
- goto fail;
- }
- close(key_sock);
-
- return 0;
-
-fail:
- close(key_sock);
-
- return -1;
-}
-
-/***********************************************************************
- * private functions
- ***********************************************************************/
-static void
-ipsec_util_prepare(void)
-{
-
- /*
- * for sadb_msg_seq. As RFC 2367, it must be used to uniquely
- * identify request to a process.
- */
- while (++ipsec_util_seq == 0)
- /* empty */;
-
- if (ipsec_util_pid == -1)
- ipsec_util_pid = getpid();
-}
-
-/*
- * Find IPsec-SA to delete using SADB_DUMP
- */
-static int
-delete_prepare(int key_sock, struct sockaddr *sock, struct sockaddr *peer,
- int proto, struct sadb_del_args *in, struct sadb_del_args *out)
-{
- int sz, dump_end, res_count;
- struct sadb_msg req_msg = {
- .sadb_msg_version = PF_KEY_V2,
- .sadb_msg_type = SADB_DUMP,
- .sadb_msg_satype = SADB_SATYPE_ESP,
- .sadb_msg_len = PFKEY_UNIT64(sizeof(struct sadb_msg))
- }, *res_msg;
- u_char buffer[2048];
-
- /* Dump the SADB to search the SA that matches sock/peer. */
- ipsec_util_prepare();
- req_msg.sadb_msg_seq = ipsec_util_seq;
- req_msg.sadb_msg_pid = ipsec_util_pid;
- sz = send(key_sock, &req_msg, sizeof(req_msg), 0);
- if (sz <= 0)
- return -1;
-
- for (res_count = 0, dump_end = 0; !dump_end;) {
- int off = 0;
- uint32_t spi;
- struct sadb_ext *res_ext;
- struct sadb_address *res_src, *res_dst;
-
- sz = recv(key_sock, buffer, sizeof(buffer), 0);
- if (sz == 0 && res_count == 0)
- return 0; /* empty */
- if (sz <= 0)
- return -1;
- if (sz < sizeof(struct sadb_msg))
- return -1;
- res_msg = (struct sadb_msg *)buffer;
- if (res_msg->sadb_msg_errno != 0) {
- if (res_msg->sadb_msg_errno == ENOENT)
- return 0;
- return -1;
- }
-
- dump_end = (res_msg->sadb_msg_seq == 0)? 1 : 0;
- if (res_msg->sadb_msg_version != req_msg.sadb_msg_version ||
- res_msg->sadb_msg_type != req_msg.sadb_msg_type ||
- res_msg->sadb_msg_pid != req_msg.sadb_msg_pid)
- continue;
- res_count++;
-
- spi = 0; res_src = res_dst = NULL;
- for (off = sizeof(struct sadb_msg); off < sz;) {
- res_ext = (struct sadb_ext *)(buffer + off);
- off += PFKEY_UNUNIT64(res_ext->sadb_ext_len);
-
- switch (res_ext->sadb_ext_type) {
- case SADB_EXT_SA:
- if (((struct sadb_sa *)res_ext)->sadb_sa_state
- != SADB_SASTATE_MATURE)
- break;
- spi = ((struct sadb_sa *)res_ext)->sadb_sa_spi;
- break;
-
- case SADB_EXT_ADDRESS_SRC:
- res_src = (struct sadb_address *)res_ext;
- break;
-
- case SADB_EXT_ADDRESS_DST:
- res_dst = (struct sadb_address *)res_ext;
- break;
- }
- }
- if (res_src == NULL || res_dst == NULL || spi == 0)
- continue;
-
- if (address_compar(res_src, sock, proto) == 0 &&
- address_compar(res_dst, peer, proto) == 0) {
- (void)sadb_del_args_init(out, spi, res_src, res_dst,
- proto);
- /* continue anyway */
- } else
- if (address_compar(res_src, peer, proto) == 0 &&
- address_compar(res_dst, sock, proto) == 0) {
- (void)sadb_del_args_init(in, spi, res_src, res_dst,
- proto);
- /* continue anyway */
- }
- }
-
- return 0;
-}
-
-static int
-send_sadb_delete(int key_sock, struct sadb_del_args *args)
-{
- int i;
-
- for (i = 0; i < args->spiidx; i++) {
- int iovidx, sz;
- struct iovec iov[10];
- struct msghdr msg;
- struct sadb_msg req_msg = {
- .sadb_msg_version = PF_KEY_V2,
- .sadb_msg_type = SADB_DELETE,
- .sadb_msg_satype = SADB_SATYPE_ESP
- }, *res_msg;
- struct sadb_sa sa;
- u_char buffer[1024];
-
- ipsec_util_prepare();
- iovidx = 0;
- req_msg.sadb_msg_seq = ipsec_util_seq;
- req_msg.sadb_msg_pid = ipsec_util_pid;
- req_msg.sadb_msg_len = PFKEY_UNIT64(sizeof(req_msg)
- + sizeof(struct sadb_sa)
- + PFKEY_UNUNIT64(args->src.sadb_address_len)
- + PFKEY_UNUNIT64(args->dst.sadb_address_len));
- iov[iovidx].iov_base = &req_msg;
- iov[iovidx].iov_len = sizeof(req_msg);
- iovidx++;
-
- sa.sadb_sa_exttype = SADB_EXT_SA;
- sa.sadb_sa_len = PFKEY_UNIT64(sizeof(struct sadb_sa));
- sa.sadb_sa_spi = args->spi[i];
- iov[iovidx].iov_base = &sa;
- iov[iovidx].iov_len = sizeof(sa);
- iovidx++;
-
- iov[iovidx].iov_base = &args->src;
- iov[iovidx].iov_len = sizeof(args->src);
- iovidx++;
- iov[iovidx].iov_base = &args->src_sa;
- iov[iovidx].iov_len =
- PFKEY_ALIGN8(((struct sockaddr *)&args->src_sa)->sa_len);
- iovidx++;
-
- iov[iovidx].iov_base = &args->dst;
- iov[iovidx].iov_len = sizeof(args->dst);
- iovidx++;
- iov[iovidx].iov_base = &args->dst_sa;
- iov[iovidx].iov_len =
- PFKEY_ALIGN8(((struct sockaddr *)&args->dst_sa)->sa_len);
- iovidx++;
-
- memset(&msg, 0, sizeof(msg));
- msg.msg_iov = iov;
- msg.msg_iovlen = iovidx;
-
- if ((sz = sendmsg(key_sock, &msg, 0)) <= 0)
- return 1;
-
- if ((sz = recv(key_sock, buffer, sizeof(buffer), 0)) <
- sizeof(struct sadb_msg))
- return 1;
-
- res_msg = (struct sadb_msg *)buffer;
- if (res_msg->sadb_msg_pid != req_msg.sadb_msg_pid ||
- res_msg->sadb_msg_version != req_msg.sadb_msg_version ||
- res_msg->sadb_msg_type != req_msg.sadb_msg_type ||
- res_msg->sadb_msg_errno != 0)
- return 1;
- }
-
- return 0;
-}
-
-/***********************************************************************
- * Utility functions
- ***********************************************************************/
-static inline int
-address_compar(struct sadb_address *sadb, struct sockaddr *sa, int proto)
-{
- u_short porta, portb;
- int cmp;
- struct sockaddr *sb = (struct sockaddr *)(sadb + 1);
-
- if ((cmp = sa->sa_family - sb->sa_family) != 0) return cmp;
- if ((cmp = sa->sa_len - sb->sa_len) != 0) return cmp;
- if (proto != 0 &&
- (cmp = proto - sadb->sadb_address_proto) != 0) return cmp;
-
- switch (sa->sa_family) {
- case AF_INET:
- if (sadb->sadb_address_prefixlen != sizeof(struct in_addr) << 3)
- return -1;
- if ((cmp = memcmp(&((struct sockaddr_in *)sa)->sin_addr,
- &((struct sockaddr_in *)sb)->sin_addr,
- sizeof(struct in_addr))) != 0)
- return cmp;
- porta = ((struct sockaddr_in *)sa)->sin_port;
- portb = ((struct sockaddr_in *)sb)->sin_port;
- break;
-
- case AF_INET6:
- if (sadb->sadb_address_prefixlen != sizeof(struct in6_addr) << 3)
- return -1;
- if ((cmp = memcmp(&((struct sockaddr_in6 *)sa)->sin6_addr,
- &((struct sockaddr_in6 *)sb)->sin6_addr,
- sizeof(struct in6_addr))) != 0)
- return cmp;
- porta = ((struct sockaddr_in6 *)sa)->sin6_port;
- portb = ((struct sockaddr_in6 *)sb)->sin6_port;
- break;
-
- default:
- return -1;
- }
- if (porta == 0) {
- if (ntohs(portb) != 500 && portb != 0)
- return porta - portb;
- } else {
- if ((cmp = porta - portb) != 0) return cmp;
- }
-
- return 0;
-}
-
-
-static int
-sadb_del_args_init(struct sadb_del_args *args, uint32_t spi,
- struct sadb_address *src, struct sadb_address *dst, int proto)
-{
- if (!args->is_valid) {
- memset(args, 0, sizeof(struct sadb_del_args));
-
- args->src = *src;
- args->dst = *dst;
- args->src.sadb_address_prefixlen =
- args->dst.sadb_address_prefixlen = 0;
-#define SADB2SA(_base) ((struct sockaddr *)((_base) + 1))
- memcpy(&args->src_sa, SADB2SA(src),
- MINIMUM(sizeof(args->src_sa), SADB2SA(src)->sa_len));
- memcpy(&args->dst_sa, SADB2SA(dst),
- MINIMUM(sizeof(args->src_sa), SADB2SA(dst)->sa_len));
-#undef SADB2SA
- if (proto != 0) {
- args->src.sadb_address_proto = proto;
- args->dst.sadb_address_proto = proto;
- }
- args->is_valid = 1;
- }
- if (args->spiidx < countof(args->spi)) {
- args->spi[args->spiidx++] = spi;
- return 0;
- }
-
- return 1;
-}
-
-static int
-sockaddr_is_valid(struct sockaddr *sa)
-{
- return
- ((sa->sa_family == AF_INET &&
- sa->sa_len == sizeof(struct sockaddr_in)) ||
- (sa->sa_family == AF_INET6 &&
- sa->sa_len == sizeof(struct sockaddr_in6)))? 1 : 0;
-}
diff --git a/usr.sbin/npppd/common/ipsec_util.h b/usr.sbin/npppd/common/ipsec_util.h
deleted file mode 100644
index 5579661fd18..00000000000
--- a/usr.sbin/npppd/common/ipsec_util.h
+++ /dev/null
@@ -1,44 +0,0 @@
-/* $OpenBSD: ipsec_util.h,v 1.2 2015/12/17 08:01:55 tb Exp $ */
-/*-
- * Copyright (c) 2009 Internet Initiative Japan Inc.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-#ifndef IPSEC_UTIL_H
-#define IPSEC_UTIL_H
-
-#define IPSEC_UTIL_DIRECTION_IN 1
-#define IPSEC_UTIL_DIRECTION_OUT 2
-#define IPSEC_UTIL_DIRECTION_BOTH 3
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-int ipsec_util_purge_transport_sa (struct sockaddr *, struct sockaddr *, int, int);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/usr.sbin/npppd/common/ipsec_util_local.h b/usr.sbin/npppd/common/ipsec_util_local.h
deleted file mode 100644
index 7e9b5aebd76..00000000000
--- a/usr.sbin/npppd/common/ipsec_util_local.h
+++ /dev/null
@@ -1,66 +0,0 @@
-/* $OpenBSD: ipsec_util_local.h,v 1.4 2015/12/17 08:01:55 tb Exp $ */
-/*-
- * Copyright (c) 2009 Internet Initiative Japan Inc.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-static uint32_t ipsec_util_seq = 0;
-static int ipsec_util_pid = -1;
-
-struct sadb_del_args {
- int is_valid;
- uint32_t spi[128];
- int spiidx;
- struct sadb_address src;
- union {
- struct sockaddr_in sin4;
- struct sockaddr_in6 sin6;
- } src_sa;
- u_char src_pad[8]; /* for PFKEY_ALIGN8 */
- struct sadb_address dst;
- union {
- struct sockaddr_in sin4;
- struct sockaddr_in6 sin6;
- } dst_sa;
- u_char dst_pad[8]; /* for PFKEY_ALIGN8 */
-};
-
-static void ipsec_util_prepare (void);
-static int delete_prepare (int, struct sockaddr *, struct sockaddr *, int, struct sadb_del_args *, struct sadb_del_args *);
-static int send_sadb_delete (int, struct sadb_del_args *);
-static inline int address_compar (struct sadb_address *, struct sockaddr *, int);
-static int sadb_del_args_init (struct sadb_del_args *, uint32_t, struct sadb_address *, struct sadb_address *, int);
-static int sockaddr_is_valid (struct sockaddr *);
-
-#ifndef countof
-#define countof(x) (sizeof((x)) / sizeof((x)[0]))
-#endif
-
-#ifdef USE_IPSEC_UTIL_PRIVSEP
-#include <stdio.h>
-#include "privsep.h"
-#define socket priv_socket
-#endif
-
-struct timeval const KEYSOCK_RCVTIMEO = { .tv_sec = 0, .tv_usec = 500000L };
diff --git a/usr.sbin/npppd/l2tp/l2tp_ctrl.c b/usr.sbin/npppd/l2tp/l2tp_ctrl.c
index 57c61340f34..a8a642b2d11 100644
--- a/usr.sbin/npppd/l2tp/l2tp_ctrl.c
+++ b/usr.sbin/npppd/l2tp/l2tp_ctrl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: l2tp_ctrl.c,v 1.25 2021/03/29 03:54:39 yasuoka Exp $ */
+/* $OpenBSD: l2tp_ctrl.c,v 1.26 2021/05/22 08:29:57 yasuoka Exp $ */
/*-
* Copyright (c) 2009 Internet Initiative Japan Inc.
@@ -26,7 +26,7 @@
* SUCH DAMAGE.
*/
/**@file Control connection processing functions for L2TP LNS */
-/* $Id: l2tp_ctrl.c,v 1.25 2021/03/29 03:54:39 yasuoka Exp $ */
+/* $Id: l2tp_ctrl.c,v 1.26 2021/05/22 08:29:57 yasuoka Exp $ */
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
@@ -52,7 +52,6 @@
#endif
#include "time_utils.h"
-#include "ipsec_util.h"
#include "bytebuf.h"
#include "hash.h"
#include "debugutil.h"
@@ -69,9 +68,6 @@
static int l2tp_ctrl_init(l2tp_ctrl *, l2tpd *, struct sockaddr *, struct sockaddr *, void *);
static void l2tp_ctrl_reload(l2tp_ctrl *);
static int l2tp_ctrl_send_disconnect_notify(l2tp_ctrl *);
-#if 0
-static void l2tp_ctrl_purge_ipsec_sa(l2tp_ctrl *);
-#endif
static void l2tp_ctrl_timeout(int, short, void *);
static int l2tp_ctrl_resend_una_packets(l2tp_ctrl *, bool);
static void l2tp_ctrl_destroy_all_calls(l2tp_ctrl *);
@@ -330,10 +326,6 @@ cleanup:
if (l2tp_ctrl_disconnect_all_calls(_this, 1) > 0)
break;
}
-#if 0
- if (L2TP_CTRL_CONF(_this)e_ipsec_sa != 0)
- l2tp_ctrl_purge_ipsec_sa(_this);
-#endif
l2tp_ctrl_log(_this, LOG_NOTICE, "logtype=Finished");
@@ -368,92 +360,6 @@ cleanup:
return 1;
}
-#if 0
-/** Delete the IPsec SA for disconnection */
-static void
-l2tp_ctrl_purge_ipsec_sa(l2tp_ctrl *_this)
-{
- int is_natt, proto;
- struct sockaddr_storage peer, sock;
- hash_link *hl;
-#ifdef USE_LIBSOCKUTIL
- struct in_ipsec_sa_cookie *ipsec_sa_cookie;
-#endif
- l2tp_ctrl *anot;
-
- /*
- * Search another tunnel that uses the same IPsec SA
- * by lineer.
- */
- for (hl = hash_first(_this->l2tpd->ctrl_map);
- hl != NULL; hl = hash_next(_this->l2tpd->ctrl_map)) {
- anot = hl->item;
- if (anot == _this)
- continue;
-
- if (_this->peer.ss_family != anot->peer.ss_family)
- continue;
- if (_this->peer.ss_family == AF_INET) {
- if (SIN(&_this->peer)->sin_addr.s_addr !=
- SIN(&anot->peer)->sin_addr.s_addr)
- continue;
- } else if (_this->peer.ss_family == AF_INET6) {
- if (!IN6_ARE_ADDR_EQUAL(
- &(SIN6(&_this->peer)->sin6_addr),
- &(SIN6(&anot->peer)->sin6_addr)))
- continue;
- }
-#ifdef USE_LIBSOCKUTIL
- if (_this->sa_cookie != NULL && anot->sa_cookie != NULL) {
- /* Both tunnels belong the same NAT box. */
-
- if (memcmp(_this->sa_cookie, anot->sa_cookie,
- sizeof(struct in_ipsec_sa_cookie)) != 0)
- /* Different hosts behind the NAT box. */
- continue;
-
- /* The SA is shared by another tunnels by one host. */
- return; /* don't purge the sa */
-
- } else if (_this->sa_cookie != NULL || anot->sa_cookie != NULL)
- /* Only one is behind the NAT */
- continue;
-#endif
- return; /* don't purge the sa */
- }
-
-#if defined(USE_LIBSOCKUTIL) && defined(IP_IPSEC_SA_COOKIE)
- is_natt = (_this->sa_cookie != NULL)? 1 : 0;
-#else
- is_natt = 0;
-#endif
- proto = 0;
- memcpy(&peer, &_this->peer, _this->peer.ss_len);
- memcpy(&sock, &_this->sock, _this->sock.ss_len);
- if (!is_natt)
- SIN(&peer)->sin_port = SIN(&sock)->sin_port = 0;
-#if defined(USE_LIBSOCKUTIL) && defined(IP_IPSEC_SA_COOKIE)
- else {
- ipsec_sa_cookie = _this->sa_cookie;
- SIN(&peer)->sin_port = ipsec_sa_cookie->remote_port;
- SIN(&sock)->sin_port = ipsec_sa_cookie->local_port;
-#if 1
- /*
- * XXX: As RFC 2367, protocol should be specified if the port
- * XXX: number is non-zero.
- */
- proto = 0;
-#else
- proto = IPPROTO_UDP;
-#endif
- }
-#endif
- if (ipsec_util_purge_transport_sa((struct sockaddr *)&peer,
- (struct sockaddr *)&sock, proto, IPSEC_UTIL_DIRECTION_BOTH) != 0)
- l2tp_ctrl_log(_this, LOG_NOTICE, "failed to purge IPsec SA");
-}
-#endif
-
/* timeout processing */
static void
l2tp_ctrl_timeout(int fd, short evtype, void *ctx)