Don't initiate any connections in passive mode, not even for ACQUIRE messages

from the PFKEY socket.  This is needed for sasyncd.

ok mikeb@

2 files changed, 9 insertions, 6 deletions

diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index c109d1fc610..551847d2c36 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: ikev2.c,v 1.45 2011/01/26 16:59:24 mikeb Exp $	*/
+/*	$OpenBSD: ikev2.c,v 1.46 2011/01/26 17:07:59 reyk Exp $	*/
 /*	$vantronix: ikev2.c,v 1.101 2010/06/03 07:57:33 reyk Exp $	*/
 
 /*
@@ -125,10 +125,7 @@ ikev2_dispatch_parent(int fd, struct iked_proc *p, struct imsg *imsg)
 	case IMSG_CTL_PASSIVE:
 		if (config_getmode(env, imsg->hdr.type) == -1)
 			return (0);	/* ignore error */
-		if (env->sc_passive)
-			timer_unregister_initiator(env);
-		else
-			timer_register_initiator(env, ikev2_init_ike_sa);
+		timer_register_initiator(env, ikev2_init_ike_sa);
 		return (0);
 	case IMSG_UDP_SOCKET:
 		return (config_getsocket(env, imsg, ikev2_msg_cb));
@@ -3696,6 +3693,9 @@ ikev2_acquire_sa(struct iked *env, struct iked_flow *acquire)
 	struct iked_flow	*flow;
 	struct iked_sa		*sa;
 
+	if (env->sc_passive)
+		return;
+
 	flow = RB_FIND(iked_activeflows, &env->sc_activeflows, acquire);
 	if (!flow) {
 		log_warnx("%s: flow wasn't found", __func__);
diff --git a/sbin/iked/timer.c b/sbin/iked/timer.c
index d2b1bb084cc..47f16f983b0 100644
--- a/sbin/iked/timer.c
+++ b/sbin/iked/timer.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: timer.c,v 1.3 2011/01/21 11:56:00 reyk Exp $	*/
+/*	$OpenBSD: timer.c,v 1.4 2011/01/26 17:07:59 reyk Exp $	*/
 
 /*
  * Copyright (c) 2010 Reyk Floeter <reyk@vantronix.net>
@@ -55,6 +55,9 @@ timer_register_initiator(struct iked *env,
 
 	timer_unregister_initiator(env);
 
+	if (env->sc_passive)
+		return;
+
 	tmr = &timer_initiator;
 	gettimeofday(&tmr->tmr_first, NULL);
 	gettimeofday(&tmr->tmr_last, NULL);