From: Otto Moerbeek
Date: Mon, 6 Oct 2025 10:01:49 +0000 (+0200)
Subject: Link in gnutls provider and provide verify error status method for it
X-Git-Tag: rec-5.4.0-alpha1~190^2~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c112989feb32f0d5737ad9184e427e45a65ed8eb;p=thirdparty%2Fpdns.git

Link in gnutls provider and provide verify error status method for it

Signed-off-by: Otto Moerbeek
---

diff --git a/pdns/recursordist/meson.build b/pdns/recursordist/meson.build
index 82c7f59c5d..c26daf333a 100644
--- a/pdns/recursordist/meson.build
+++ b/pdns/recursordist/meson.build
@@ -83,6 +83,7 @@ subdir('meson' / 'dnstap') # DNSTAP through libfstream
 subdir('meson' / 'libcurl') # Curl
 subdir('meson' / 'libcap') # Capabilities
 subdir('meson' / 'dlopen') # our Rust static library needs dlopen
+subdir('meson' / 'gnutls') # GNUTLS
 
 subdir('rec-rust-lib')
 
@@ -327,6 +328,7 @@ deps = [
 dep_libsnmp,
 dep_libsodium,
 dep_libssl,
+ dep_gnutls,
 dep_lua,
 dep_protozero,
 dep_yahttp_header_only,
diff --git a/pdns/recursordist/meson_options.txt b/pdns/recursordist/meson_options.txt
index e1f6d7545e..bfd986313f 100644
--- a/pdns/recursordist/meson_options.txt
+++ b/pdns/recursordist/meson_options.txt
@@ -24,3 +24,4 @@ option('libcurl', type: 'feature', value: 'auto', description: 'Enable Curl supp
 option('nod', type: 'feature', value: 'enabled', description: 'Enable Newly Observed Domains')
 option('libcap', type: 'feature', value: 'auto', description: 'Enable libcap for capabilities handling')
 option('clang-coverage-format', type: 'boolean', value: false, description: 'Whether to generate coverage data in clang format')
+option('tls-gnutls', type: 'feature', value: 'auto', description: 'GnuTLS-based TLS')
diff --git a/pdns/tcpiohandler.cc b/pdns/tcpiohandler.cc
index d0450680dc..31a452601c 100644
--- a/pdns/tcpiohandler.cc
+++ b/pdns/tcpiohandler.cc
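Review bot: The description of the new `tls-gnutls` option on the added line of the meson_options.txt hunk, `'GnuTLS-based TLS'`, does not follow the wording of the neighbouring feature options, which all describe the effect of enabling them ("Enable Curl support", "Enable libcap for capabilities handling"). `description: 'Enable GnuTLS-based TLS support'` would read consistently in `meson configure` output. The option name itself also differs from the `lib*` naming used for the other library features here; if `tls-gnutls` is chosen to match an option of the same name elsewhere in the tree, a short comment on the line saying so would stop the next contributor from "fixing" it.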
@@ -1630,7 +1630,17 @@ public:
 [[nodiscard]] std::pair getVerifyResult() const override
 {
- return {-1, "Not implemented yet"};
+ if (d_conn) {
+ auto status = gnutls_session_get_verify_cert_status(d_conn.get());
+ gnutls_datum_t out{};
+ if (gnutls_certificate_verification_status_print(status, GNUTLS_CRT_X509, &out, 0) == 0) {
+ auto errString = std::string(reinterpret_cast(out.data), out.size);
+ gnutls_free(out.data);
+ return {status, errString};
+ }
+ return {status, ""};
+ }
+ return {0, ""};
 }
 
 bool hasSessionBeenResumed() const override