marktheunissen/stunnel.patch

## stunnel.patch
commit 13a26e81a7d5dba116a7f4729ce977569cade34d
Author: Michal Trojnara <Michal.Trojnara@mirt.net>
Date:   Thu Oct 2 13:09:51 2014 +0200

    systemd socket activation

diff --git a/CREDITS b/CREDITS
index 8ece5a7..e649af8 100644
--- a/CREDITS
+++ b/CREDITS
@@ -1,9 +1,35 @@
-Special thx to:
+stunnel code contributions

+
+systemd socket activation in version 5.05:
+Copyright (c) 2014 Mark Theunissen
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+Several bugfixes and improvements:
+* Brian Hatch <bri@stunnel.org>
+
+Initial PTY support in version 3.05:
+* Dirk O. Siebnich <dok@vossnet.de>
+
+Initial SSL support in versions 1.x:
 * Adam Hernik <adas@infocentrum.com>
 * Pawel Krawczyk <kravietz@ceti.com.pl>
-* Brian Hatch <bri@stunnel.org>
-* Dirk O. Siebnich <dok@vossnet.de> for PTY support

 and many others...
-
diff --git a/ChangeLog b/ChangeLog
index 3c8b991..13b14f7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,7 @@ Version 5.04, unreleased, urgency: MEDIUM:
 * New features
   - Asynchronous communication with the GUI thread for faster
     logging on Win32.
+  - systemd socket activation (thx to Mark Theunissen).
 * Bugfixes
   - Fixed POLLIN|POLLHUP condition handling error resulting
     in prematurely closed (truncated) connection.
diff --git a/configure b/configure
index 65c7759..2aa1fee 100755
--- a/configure
+++ b/configure
@@ -12266,6 +12266,18 @@ fi

 done

+for ac_header in systemd/sd-daemon.h
+do :
+  ac_fn_c_check_header_mongrel "$LINENO" "systemd/sd-daemon.h" "ac_cv_header_systemd_sd_daemon_h" "$ac_includes_default"
+if test "x$ac_cv_header_systemd_sd_daemon_h" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_SYSTEMD_SD_DAEMON_H 1
+_ACEOF
+
+fi
+
+done
+
 ac_fn_c_check_member "$LINENO" "struct msghdr" "msg_control" "ac_cv_member_struct_msghdr_msg_control" "
 $ac_includes_default
 #include <sys/socket.h>
@@ -12697,6 +12709,63 @@ if test "$ac_res" != no; then :

 fi

+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing sd_listen_fds" >&5
+$as_echo_n "checking for library containing sd_listen_fds... " >&6; }
+if ${ac_cv_search_sd_listen_fds+:} false; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_func_search_save_LIBS=$LIBS
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char sd_listen_fds ();
+int
+main ()
+{
+return sd_listen_fds ();
+  ;
+  return 0;
+}
+_ACEOF
+for ac_lib in '' systemd-daemon; do
+  if test -z "$ac_lib"; then
+    ac_res="none required"
+  else
+    ac_res=-l$ac_lib
+    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
+  fi
+  if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_search_sd_listen_fds=$ac_res
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext
+  if ${ac_cv_search_sd_listen_fds+:} false; then :
+  break
+fi
+done
+if ${ac_cv_search_sd_listen_fds+:} false; then :
+
+else
+  ac_cv_search_sd_listen_fds=no
+fi
+rm conftest.$ac_ext
+LIBS=$ac_func_search_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_sd_listen_fds" >&5
+$as_echo "$ac_cv_search_sd_listen_fds" >&6; }
+ac_res=$ac_cv_search_sd_listen_fds
+if test "$ac_res" != no; then :
+  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
+
+fi
+
+

 # Add BeOS libraries
 if test "$host_os" = "beos"; then
diff --git a/configure.ac b/configure.ac
index 6c4a1cb..4b6a741 100644
--- a/configure.ac
+++ b/configure.ac
@@ -168,6 +168,7 @@ AC_MSG_NOTICE([**************************************** header files])
 # AC_HEADER_SYS_WAIT
 AC_CHECK_HEADERS([malloc.h ucontext.h pthread.h poll.h tcpd.h stropts.h grp.h unistd.h util.h libutil.h pty.h])
 AC_CHECK_HEADERS([sys/types.h sys/select.h sys/poll.h sys/socket.h sys/un.h sys/ioctl.h sys/filio.h sys/resource.h sys/uio.h sys/syscall.h])
+AC_CHECK_HEADERS([systemd/sd-daemon.h])
 AC_CHECK_MEMBERS([struct msghdr.msg_control],
     [AC_DEFINE([HAVE_MSGHDR_MSG_CONTROL], [1],
     [Define to 1 if you have 'msghdr.msg_control' structure.])], [], [
@@ -192,6 +193,8 @@ AC_SEARCH_LIBS([openpty], [util])
 AC_SEARCH_LIBS([dlopen], [dl])
 AC_SEARCH_LIBS([shl_load], [dld])
 AC_SEARCH_LIBS([inflateEnd], [z])
+AC_SEARCH_LIBS([sd_listen_fds], [systemd-daemon])
+

 # Add BeOS libraries
 if test "$host_os" = "beos"; then
diff --git a/src/common.h b/src/common.h
index 6b15b81..3f3394f 100644
--- a/src/common.h
+++ b/src/common.h
@@ -171,6 +171,11 @@ typedef int socklen_t;
 #define USE_LIBWRAP 1
 #endif

+/* systemd */
+#ifdef HAVE_SYSTEMD_SD_DAEMON_H
+#include <systemd/sd-daemon.h>
+#endif
+
 /* must be included before sys/stat.h for Ultrix */
 /* must be included before sys/socket.h for OpenBSD */
 #include <sys/types.h>   /* u_short, u_long */
diff --git a/src/config.h.in b/src/config.h.in
index ace0015..14f14eb 100644
--- a/src/config.h.in
+++ b/src/config.h.in
@@ -138,6 +138,9 @@
 /* Define to 1 if you have the `sysconf' function. */
 #undef HAVE_SYSCONF

+/* Define to 1 if you have the <systemd/sd-daemon.h> header file. */
+#undef HAVE_SYSTEMD_SD_DAEMON_H
+
 /* Define to 1 if you have the <sys/filio.h> header file. */
 #undef HAVE_SYS_FILIO_H

diff --git a/src/stunnel.c b/src/stunnel.c
index 6d283a5..ccbdbb3 100644
--- a/src/stunnel.c
+++ b/src/stunnel.c
@@ -84,10 +84,21 @@ int max_clients=0;
 volatile int num_clients=-1;
 #endif
 s_poll_set *fds; /* file descriptors of listening sockets */
+int systemd_fds; /* number of file descriptors passed by systemd */
+int listen_fds_start; /* base for systemd-provided file descriptors */

 /**************************************** startup */

 void main_init() { /* one-time initialization */
+#ifdef HAVE_SYSTEMD_SD_DAEMON_H
+    systemd_fds=sd_listen_fds(1);
+    if(systemd_fds<0)
+        fatal("systemd initialization failed");
+    listen_fds_start=SD_LISTEN_FDS_START;
+#else
+    systemd_fds=0; /* no descriptors received */
+    listen_fds_start=3; /* the value is not really important */
+#endif
     /* basic initialization contains essential functions required for logging
      * subsystem to function properly, thus all errors here are fatal */
     if(ssl_init()) /* initialize SSL library */
@@ -338,7 +349,9 @@ void unbind_ports(void) {
     for(opt=service_options.next; opt; opt=opt->next) {
         s_log(LOG_DEBUG, "Closing service [%s]", opt->servname);
         if(opt->option.accept && opt->fd>=0) {
-            closesocket(opt->fd);
+            if(opt->fd<listen_fds_start ||
+                    opt->fd>=listen_fds_start+systemd_fds)
+                closesocket(opt->fd);
             s_log(LOG_DEBUG, "Service [%s] closed (FD=%d)",
                 opt->servname, opt->fd);
             opt->fd=-1;
@@ -376,6 +389,7 @@ void unbind_ports(void) {
 int bind_ports(void) {
     SERVICE_OPTIONS *opt;
     char *local_address;
+    int listening_section;

 #ifdef USE_LIBWRAP
     /* execute after options_cmdline() to know service_options.next,
@@ -394,12 +408,22 @@ int bind_ports(void) {
         if(opt->option.accept)
             opt->fd=-1;

+    listening_section=0;
     for(opt=service_options.next; opt; opt=opt->next) {
         if(opt->option.accept) {
-            opt->fd=s_socket(opt->local_addr.sa.sa_family,
-                SOCK_STREAM, 0, 1, "accept socket");
-            if(opt->fd<0)
-                return 1;
+            if(listening_section<systemd_fds) {
+                opt->fd=listen_fds_start+listening_section;
+                s_log(LOG_DEBUG,
+                    "Listening file descriptor received from systemd (FD=%d)",
+                    opt->fd);
+            } else {
+                opt->fd=s_socket(opt->local_addr.sa.sa_family,
+                    SOCK_STREAM, 0, 1, "accept socket");
+                if(opt->fd<0)
+                    return 1;
+                s_log(LOG_DEBUG, "Listening file descriptor created (FD=%d)",
+                    opt->fd);
+            }
             if(set_socket_options(opt->fd, 0)<0) {
                 closesocket(opt->fd);
                 opt->fd=-1;
@@ -407,26 +431,30 @@ int bind_ports(void) {
             }
             /* local socket can't be unnamed */
             local_address=s_ntop(&opt->local_addr, addr_len(&opt->local_addr));
-            if(bind(opt->fd, &opt->local_addr.sa, addr_len(&opt->local_addr))) {
-                s_log(LOG_ERR, "Error binding service [%s] to %s",
-                    opt->servname, local_address);
-                sockerror("bind");
-                closesocket(opt->fd);
-                opt->fd=-1;
-                str_free(local_address);
-                return 1;
-            }
-            if(listen(opt->fd, SOMAXCONN)) {
-                sockerror("listen");
-                closesocket(opt->fd);
-                opt->fd=-1;
-                str_free(local_address);
-                return 1;
+            /* we don't bind or listen on a socket inherited from systemd */
+            if(listening_section>=systemd_fds) {
+                if(bind(opt->fd, &opt->local_addr.sa, addr_len(&opt->local_addr))) {
+                    s_log(LOG_ERR, "Error binding service [%s] to %s",
+                        opt->servname, local_address);
+                    sockerror("bind");
+                    closesocket(opt->fd);
+                    opt->fd=-1;
+                    str_free(local_address);
+                    return 1;
+                }
+                if(listen(opt->fd, SOMAXCONN)) {
+                    sockerror("listen");
+                    closesocket(opt->fd);
+                    opt->fd=-1;
+                    str_free(local_address);
+                    return 1;
+                }
             }
             s_poll_add(fds, opt->fd, 1, 0);
             s_log(LOG_DEBUG, "Service [%s] (FD=%d) bound to %s",
                 opt->servname, opt->fd, local_address);
             str_free(local_address);
+            ++listening_section;
         } else if(opt->option.program && opt->option.remote) {
             /* create exec+connect services */
             /* FIXME: needs to be delayed on reload with opt->option.retry set */
@@ -434,6 +462,12 @@ int bind_ports(void) {
                 alloc_client_session(opt, -1, -1), client_thread);
         }
     }
+    if(listening_section<systemd_fds) {
+        s_log(LOG_ERR,
+            "Too many listening file descriptors received from systemd, got %d",
+            systemd_fds);
+        return 1;
+    }
     return 0; /* OK */
 }

@@ -591,6 +625,9 @@ void stunnel_info(int level) {
         "SELECT"
 #endif /* defined(USE_POLL) */
         ",IPv%c"
+#ifdef HAVE_SYSTEMD_SD_DAEMON_H
+        ",SYSTEMD"
+#endif /* HAVE_SYSTEMD_SD_DAEMON_H */

 #if defined HAVE_OSSL_ENGINE_H || defined HAVE_OSSL_OCSP_H || defined USE_FIPS
         " SSL:"
	commit 13a26e81a7d5dba116a7f4729ce977569cade34d
	Author: Michal Trojnara <Michal.Trojnara@mirt.net>
	Date: Thu Oct 2 13:09:51 2014 +0200

	systemd socket activation

	diff --git a/CREDITS b/CREDITS
	index 8ece5a7..e649af8 100644
	--- a/CREDITS
	+++ b/CREDITS
	@@ -1,9 +1,35 @@
	-Special thx to:
	+stunnel code contributions

	+
	+systemd socket activation in version 5.05:
	+Copyright (c) 2014 Mark Theunissen
	+
	+Permission is hereby granted, free of charge, to any person obtaining a copy of
	+this software and associated documentation files (the "Software"), to deal in
	+the Software without restriction, including without limitation the rights to
	+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
	+of the Software, and to permit persons to whom the Software is furnished to do
	+so, subject to the following conditions:
	+
	+The above copyright notice and this permission notice shall be included in all
	+copies or substantial portions of the Software.
	+
	+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
	+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
	+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
	+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
	+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
	+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
	+SOFTWARE.
	+
	+Several bugfixes and improvements:
	+* Brian Hatch <bri@stunnel.org>
	+
	+Initial PTY support in version 3.05:
	+* Dirk O. Siebnich <dok@vossnet.de>
	+
	+Initial SSL support in versions 1.x:
	* Adam Hernik <adas@infocentrum.com>
	* Pawel Krawczyk <kravietz@ceti.com.pl>
	-* Brian Hatch <bri@stunnel.org>
	-* Dirk O. Siebnich <dok@vossnet.de> for PTY support

	and many others...
	-
	diff --git a/ChangeLog b/ChangeLog
	index 3c8b991..13b14f7 100644
	--- a/ChangeLog
	+++ b/ChangeLog
	@@ -4,6 +4,7 @@ Version 5.04, unreleased, urgency: MEDIUM:
	* New features
	- Asynchronous communication with the GUI thread for faster
	logging on Win32.
	+ - systemd socket activation (thx to Mark Theunissen).
	* Bugfixes
	- Fixed POLLIN\|POLLHUP condition handling error resulting
	in prematurely closed (truncated) connection.
	diff --git a/configure b/configure
	index 65c7759..2aa1fee 100755
	--- a/configure
	+++ b/configure
	@@ -12266,6 +12266,18 @@ fi

	done

	+for ac_header in systemd/sd-daemon.h
	+do :
	+ ac_fn_c_check_header_mongrel "$LINENO" "systemd/sd-daemon.h" "ac_cv_header_systemd_sd_daemon_h" "$ac_includes_default"
	+if test "x$ac_cv_header_systemd_sd_daemon_h" = xyes; then :
	+ cat >>confdefs.h <<_ACEOF
	+#define HAVE_SYSTEMD_SD_DAEMON_H 1
	+_ACEOF
	+
	+fi
	+
	+done
	+
	ac_fn_c_check_member "$LINENO" "struct msghdr" "msg_control" "ac_cv_member_struct_msghdr_msg_control" "
	$ac_includes_default
	#include <sys/socket.h>
	@@ -12697,6 +12709,63 @@ if test "$ac_res" != no; then :

	fi

	+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing sd_listen_fds" >&5
	+$as_echo_n "checking for library containing sd_listen_fds... " >&6; }
	+if ${ac_cv_search_sd_listen_fds+:} false; then :
	+ $as_echo_n "(cached) " >&6
	+else
	+ ac_func_search_save_LIBS=$LIBS
	+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
	+/* end confdefs.h. */
	+
	+/* Override any GCC internal prototype to avoid an error.
	+ Use char because int might match the return type of a GCC
	+ builtin and then its argument prototype would still apply. */
	+#ifdef __cplusplus
	+extern "C"
	+#endif
	+char sd_listen_fds ();
	+int
	+main ()
	+{
	+return sd_listen_fds ();
	+ ;
	+ return 0;
	+}
	+_ACEOF
	+for ac_lib in '' systemd-daemon; do
	+ if test -z "$ac_lib"; then
	+ ac_res="none required"
	+ else
	+ ac_res=-l$ac_lib
	+ LIBS="-l$ac_lib $ac_func_search_save_LIBS"
	+ fi
	+ if ac_fn_c_try_link "$LINENO"; then :
	+ ac_cv_search_sd_listen_fds=$ac_res
	+fi
	+rm -f core conftest.err conftest.$ac_objext \
	+ conftest$ac_exeext
	+ if ${ac_cv_search_sd_listen_fds+:} false; then :
	+ break
	+fi
	+done
	+if ${ac_cv_search_sd_listen_fds+:} false; then :
	+
	+else
	+ ac_cv_search_sd_listen_fds=no
	+fi
	+rm conftest.$ac_ext
	+LIBS=$ac_func_search_save_LIBS
	+fi
	+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_sd_listen_fds" >&5
	+$as_echo "$ac_cv_search_sd_listen_fds" >&6; }
	+ac_res=$ac_cv_search_sd_listen_fds
	+if test "$ac_res" != no; then :
	+ test "$ac_res" = "none required" \|\| LIBS="$ac_res $LIBS"
	+
	+fi
	+
	+

	# Add BeOS libraries
	if test "$host_os" = "beos"; then
	diff --git a/configure.ac b/configure.ac
	index 6c4a1cb..4b6a741 100644
	--- a/configure.ac
	+++ b/configure.ac
	@@ -168,6 +168,7 @@ AC_MSG_NOTICE([**************************************** header files])
	# AC_HEADER_SYS_WAIT
	AC_CHECK_HEADERS([malloc.h ucontext.h pthread.h poll.h tcpd.h stropts.h grp.h unistd.h util.h libutil.h pty.h])
	AC_CHECK_HEADERS([sys/types.h sys/select.h sys/poll.h sys/socket.h sys/un.h sys/ioctl.h sys/filio.h sys/resource.h sys/uio.h sys/syscall.h])
	+AC_CHECK_HEADERS([systemd/sd-daemon.h])
	AC_CHECK_MEMBERS([struct msghdr.msg_control],
	[AC_DEFINE([HAVE_MSGHDR_MSG_CONTROL], [1],
	[Define to 1 if you have 'msghdr.msg_control' structure.])], [], [
	@@ -192,6 +193,8 @@ AC_SEARCH_LIBS([openpty], [util])
	AC_SEARCH_LIBS([dlopen], [dl])
	AC_SEARCH_LIBS([shl_load], [dld])
	AC_SEARCH_LIBS([inflateEnd], [z])
	+AC_SEARCH_LIBS([sd_listen_fds], [systemd-daemon])
	+

	# Add BeOS libraries
	if test "$host_os" = "beos"; then
	diff --git a/src/common.h b/src/common.h
	index 6b15b81..3f3394f 100644
	--- a/src/common.h
	+++ b/src/common.h
	@@ -171,6 +171,11 @@ typedef int socklen_t;
	#define USE_LIBWRAP 1
	#endif

	+/* systemd */
	+#ifdef HAVE_SYSTEMD_SD_DAEMON_H
	+#include <systemd/sd-daemon.h>
	+#endif
	+
	/* must be included before sys/stat.h for Ultrix */
	/* must be included before sys/socket.h for OpenBSD */
	#include <sys/types.h> /* u_short, u_long */
	diff --git a/src/config.h.in b/src/config.h.in
	index ace0015..14f14eb 100644
	--- a/src/config.h.in
	+++ b/src/config.h.in
	@@ -138,6 +138,9 @@
	/* Define to 1 if you have the `sysconf' function. */
	#undef HAVE_SYSCONF

	+/* Define to 1 if you have the <systemd/sd-daemon.h> header file. */
	+#undef HAVE_SYSTEMD_SD_DAEMON_H
	+
	/* Define to 1 if you have the <sys/filio.h> header file. */
	#undef HAVE_SYS_FILIO_H

	diff --git a/src/stunnel.c b/src/stunnel.c
	index 6d283a5..ccbdbb3 100644
	--- a/src/stunnel.c
	+++ b/src/stunnel.c
	@@ -84,10 +84,21 @@ int max_clients=0;
	volatile int num_clients=-1;
	#endif
	s_poll_set fds; / file descriptors of listening sockets */
	+int systemd_fds; /* number of file descriptors passed by systemd */
	+int listen_fds_start; /* base for systemd-provided file descriptors */

	/**************************************** startup */

	void main_init() { /* one-time initialization */
	+#ifdef HAVE_SYSTEMD_SD_DAEMON_H
	+ systemd_fds=sd_listen_fds(1);
	+ if(systemd_fds<0)
	+ fatal("systemd initialization failed");
	+ listen_fds_start=SD_LISTEN_FDS_START;
	+#else
	+ systemd_fds=0; /* no descriptors received */
	+ listen_fds_start=3; /* the value is not really important */
	+#endif
	/* basic initialization contains essential functions required for logging
	* subsystem to function properly, thus all errors here are fatal */
	if(ssl_init()) /* initialize SSL library */
	@@ -338,7 +349,9 @@ void unbind_ports(void) {
	for(opt=service_options.next; opt; opt=opt->next) {
	s_log(LOG_DEBUG, "Closing service [%s]", opt->servname);
	if(opt->option.accept && opt->fd>=0) {
	- closesocket(opt->fd);
	+ if(opt->fd<listen_fds_start \|\|
	+ opt->fd>=listen_fds_start+systemd_fds)
	+ closesocket(opt->fd);
	s_log(LOG_DEBUG, "Service [%s] closed (FD=%d)",
	opt->servname, opt->fd);
	opt->fd=-1;
	@@ -376,6 +389,7 @@ void unbind_ports(void) {
	int bind_ports(void) {
	SERVICE_OPTIONS *opt;
	char *local_address;
	+ int listening_section;

	#ifdef USE_LIBWRAP
	/* execute after options_cmdline() to know service_options.next,
	@@ -394,12 +408,22 @@ int bind_ports(void) {
	if(opt->option.accept)
	opt->fd=-1;

	+ listening_section=0;
	for(opt=service_options.next; opt; opt=opt->next) {
	if(opt->option.accept) {
	- opt->fd=s_socket(opt->local_addr.sa.sa_family,
	- SOCK_STREAM, 0, 1, "accept socket");
	- if(opt->fd<0)
	- return 1;
	+ if(listening_section<systemd_fds) {
	+ opt->fd=listen_fds_start+listening_section;
	+ s_log(LOG_DEBUG,
	+ "Listening file descriptor received from systemd (FD=%d)",
	+ opt->fd);
	+ } else {
	+ opt->fd=s_socket(opt->local_addr.sa.sa_family,
	+ SOCK_STREAM, 0, 1, "accept socket");
	+ if(opt->fd<0)
	+ return 1;
	+ s_log(LOG_DEBUG, "Listening file descriptor created (FD=%d)",
	+ opt->fd);
	+ }
	if(set_socket_options(opt->fd, 0)<0) {
	closesocket(opt->fd);
	opt->fd=-1;
	@@ -407,26 +431,30 @@ int bind_ports(void) {
	}
	/* local socket can't be unnamed */
	local_address=s_ntop(&opt->local_addr, addr_len(&opt->local_addr));
	- if(bind(opt->fd, &opt->local_addr.sa, addr_len(&opt->local_addr))) {
	- s_log(LOG_ERR, "Error binding service [%s] to %s",
	- opt->servname, local_address);
	- sockerror("bind");
	- closesocket(opt->fd);
	- opt->fd=-1;
	- str_free(local_address);
	- return 1;
	- }
	- if(listen(opt->fd, SOMAXCONN)) {
	- sockerror("listen");
	- closesocket(opt->fd);
	- opt->fd=-1;
	- str_free(local_address);
	- return 1;
	+ /* we don't bind or listen on a socket inherited from systemd */
	+ if(listening_section>=systemd_fds) {
	+ if(bind(opt->fd, &opt->local_addr.sa, addr_len(&opt->local_addr))) {
	+ s_log(LOG_ERR, "Error binding service [%s] to %s",
	+ opt->servname, local_address);
	+ sockerror("bind");
	+ closesocket(opt->fd);
	+ opt->fd=-1;
	+ str_free(local_address);
	+ return 1;
	+ }
	+ if(listen(opt->fd, SOMAXCONN)) {
	+ sockerror("listen");
	+ closesocket(opt->fd);
	+ opt->fd=-1;
	+ str_free(local_address);
	+ return 1;
	+ }
	}
	s_poll_add(fds, opt->fd, 1, 0);
	s_log(LOG_DEBUG, "Service [%s] (FD=%d) bound to %s",
	opt->servname, opt->fd, local_address);
	str_free(local_address);
	+ ++listening_section;
	} else if(opt->option.program && opt->option.remote) {
	/* create exec+connect services */
	/* FIXME: needs to be delayed on reload with opt->option.retry set */
	@@ -434,6 +462,12 @@ int bind_ports(void) {
	alloc_client_session(opt, -1, -1), client_thread);
	}
	}
	+ if(listening_section<systemd_fds) {
	+ s_log(LOG_ERR,
	+ "Too many listening file descriptors received from systemd, got %d",
	+ systemd_fds);
	+ return 1;
	+ }
	return 0; /* OK */
	}

	@@ -591,6 +625,9 @@ void stunnel_info(int level) {
	"SELECT"
	#endif /* defined(USE_POLL) */
	",IPv%c"
	+#ifdef HAVE_SYSTEMD_SD_DAEMON_H
	+ ",SYSTEMD"
	+#endif /* HAVE_SYSTEMD_SD_DAEMON_H */

	#if defined HAVE_OSSL_ENGINE_H \|\| defined HAVE_OSSL_OCSP_H \|\| defined USE_FIPS
	" SSL:"