Link in gnutls provider and provide verify error status method for it
authorOtto Moerbeek <otto.moerbeek@open-xchange.com>
Mon, 6 Oct 2025 10:01:49 +0000 (12:01 +0200)
committerOtto Moerbeek <otto.moerbeek@open-xchange.com>
Thu, 9 Oct 2025 13:43:50 +0000 (15:43 +0200)
Signed-off-by: Otto Moerbeek <otto.moerbeek@open-xchange.com>
pdns/recursordist/meson.build
pdns/recursordist/meson_options.txt
pdns/tcpiohandler.cc

index 82c7f59c5d3b5a8ce2af7ab10f2633fbf8c26456..c26daf333a1960e78387ba8fc9bf6bd7377fcb72 100644 (file)
@@ -83,6 +83,7 @@ subdir('meson' / 'dnstap')                  # DNSTAP through libfstream
 subdir('meson' / 'libcurl')                 # Curl
 subdir('meson' / 'libcap')                  # Capabilities
 subdir('meson' / 'dlopen')                  # our Rust static library needs dlopen
+subdir('meson' / 'gnutls')                  # GNUTLS
 
 subdir('rec-rust-lib')
 
@@ -327,6 +328,7 @@ deps = [
   dep_libsnmp,
   dep_libsodium,
   dep_libssl,
+  dep_gnutls,
   dep_lua,
   dep_protozero,
   dep_yahttp_header_only,
index e1f6d7545e17600884a2378d9e3eb26e3b12befc..bfd986313f98b45aa9146e1a50f0f6cc591a6c59 100644 (file)
@@ -24,3 +24,4 @@ option('libcurl', type: 'feature', value: 'auto', description: 'Enable Curl supp
 option('nod', type: 'feature', value: 'enabled', description: 'Enable Newly Observed Domains')
 option('libcap', type: 'feature', value: 'auto', description: 'Enable libcap for capabilities handling')
 option('clang-coverage-format', type: 'boolean', value: false, description: 'Whether to generate coverage data in clang format')
+option('tls-gnutls', type: 'feature', value: 'auto', description: 'GnuTLS-based TLS')
index d0450680dccd22ca328455f2132b38caf27c3ff7..31a452601c5db672fbf8adc64cdc786a21bda365 100644 (file)
@@ -1630,7 +1630,17 @@ public:
 
   [[nodiscard]] std::pair<long, std::string> getVerifyResult() const override
   {
-    return {-1, "Not implemented yet"};
+    if (d_conn) {
+      auto status = gnutls_session_get_verify_cert_status(d_conn.get());
+      gnutls_datum_t out{};
+      if (gnutls_certificate_verification_status_print(status, GNUTLS_CRT_X509, &out, 0) == 0) {
+        auto errString = std::string(reinterpret_cast<const char*>(out.data), out.size);
+        gnutls_free(out.data);
+        return {status, errString};
+      }
+      return {status, ""};
+    }
+    return {0, ""};
   }
 
   bool hasSessionBeenResumed() const override
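Review bot: When `d_conn` is null, `getVerifyResult()` returns `{0, ""}`, the same pair a caller gets for a certificate that verified with no status flags set, so "no session" and "verified" cannot be told apart. Consider a distinct value on that path, e.g. `return {-1, "No TLS session"};`, unless the other providers' overrides deliberately return 0 there (they are not visible in this hunk). Separately, as far as I recall the GnuTLS documentation, `gnutls_session_get_verify_cert_status()` yields `(unsigned int)-1` when no auto-verification was initiated on the session. Converted to `long` on an LP64 platform that is 4294967295 rather than -1, and formatting it would report every flag at once, so a check such as `if (status == static_cast<unsigned int>(-1)) { return {-1, "Certificate verification was not performed"}; }` before the print call would keep that case explicit. The first element is a bitmask of `gnutls_certificate_status_t` flags rather than a single error code, and a short comment saying so, e.g. `// first: GnuTLS verification status bitmask, 0 means no flags set`, would help callers that compare it with codes from other TLS backends.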