gnutls: report accurate error when TLS-SRP is not built-in
authorViktor Szakats <commit@vsz.me>
Tue, 4 Nov 2025 17:37:49 +0000 (18:37 +0100)
committerViktor Szakats <commit@vsz.me>
Thu, 6 Nov 2025 10:42:34 +0000 (11:42 +0100)
With GnuTLS 3.8.0+ the build-time SRP feature detection always succeeds.
TLS-SRP is also disabled by default in these GnuTLS versions.

When using TLS-SRP without it being available in GnuTLS, report
the correct error code `CURLE_NOT_BUILT_IN`, replacing the out of memory
error reported before this patch.

Also add comments to autotools and cmake scripts about this feature
detection property.

Detecting it at build-time would need to run code which doesn't work
in cross-builds. Once curl requires 3.8.0 as minimum, the build-time
checks can be deleted.

```
# before:
curl: (27) gnutls_srp_allocate_client_cred() failed: An unimplemented or disabled feature has been requested.
# after:
curl: (4) GnuTLS: TLS-SRP support not built in: An unimplemented or disabled feature has been requested.
```

Ref: https://github.com/gnutls/gnutls/commit/dab063fca2eecb9ff1db73234108315c5b713756
Ref: https://github.com/gnutls/gnutls/commit/a21e89edacfe4ec3c501b030fff59c11fd20dcf0

Closes #19365

CMakeLists.txt
lib/vtls/gtls.c
m4/curl-gnutls.m4

index 4772a6219ae861447ff8c51494c6f7e1c8f68dba..7b442ac7041dffc289e9d702e28b2a18b6221c55 100644 (file)
@@ -934,6 +934,8 @@ if(CURL_USE_GNUTLS)
     list(APPEND CMAKE_REQUIRED_INCLUDES "${GNUTLS_INCLUDE_DIRS}")
     list(APPEND CMAKE_REQUIRED_LIBRARIES "${GNUTLS_LIBRARIES}")
     curl_required_libpaths("${GNUTLS_LIBRARY_DIRS}")
+    # In GnuTLS 3.8.0 (2023-02-10) and upper, this check always succeeds.
+    # Detecting actual TLS-SRP support needs poking the API at runtime.
     check_symbol_exists("gnutls_srp_verifier" "gnutls/gnutls.h" HAVE_GNUTLS_SRP)
     cmake_pop_check_state()
   endif()
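Review bot: The added comment says the symbol check always succeeds on GnuTLS 3.8.0+ but not what that means for the result variable, so a reader of `HAVE_GNUTLS_SRP` later in the build still has no cue that it can be set while SRP is compiled out; "and upper" is also non-idiomatic. Suggest `# On GnuTLS 3.8.0 (2023-02-10) and later this check always succeeds, so HAVE_GNUTLS_SRP does not prove SRP is enabled; actual support is detected at runtime. Drop this check once 3.8.0 is the minimum.` The same wording applies to the `dnl` lines added in m4/curl-gnutls.m4.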
index 6c1fe63b5ebb23244cef4ead4717a7e4607c92e5..f3d6abb23cacacb052873b882fabce9f15a13a5a 100644 (file)
@@ -877,7 +877,12 @@ static CURLcode gtls_client_init(struct Curl_cfilter *cf,
     infof(data, "Using TLS-SRP username: %s", config->username);
 
     rc = gnutls_srp_allocate_client_credentials(&gtls->srp_client_cred);
-    if(rc != GNUTLS_E_SUCCESS) {
+    if(rc == GNUTLS_E_UNIMPLEMENTED_FEATURE) {
+      failf(data, "GnuTLS: TLS-SRP support not built in: %s",
+            gnutls_strerror(rc));
+      return CURLE_NOT_BUILT_IN;
+    }
+    else if(rc != GNUTLS_E_SUCCESS) {
       failf(data, "gnutls_srp_allocate_client_cred() failed: %s",
             gnutls_strerror(rc));
       return CURLE_OUT_OF_MEMORY;
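Review bot: The `else if(rc != GNUTLS_E_SUCCESS)` branch still maps every other failure of gnutls_srp_allocate_client_credentials() to CURLE_OUT_OF_MEMORY, so a non-memory error is misreported in the same way this commit fixes for the unimplemented case. GnuTLS reports allocation failure as GNUTLS_E_MEMORY_ERROR, so the branch could return `rc == GNUTLS_E_MEMORY_ERROR ? CURLE_OUT_OF_MEMORY : CURLE_SSL_CONNECT_ERROR;` instead, provided no caller depends on the OOM code here. The `else` after an unconditional `return` could also be dropped to keep the two failure checks flat. gtls_client_init() starts and ends outside the hunk.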
index 0872ee52b68360590c91a925f3bd1c5a381eae66..e934f870dd6b7864c8516e4be152cb47887158d4 100644 (file)
@@ -156,6 +156,9 @@ if test "$GNUTLS_ENABLED" = "1"; then
 
   dnl ---
   dnl We require GnuTLS with SRP support.
+  dnl
+  dnl In GnuTLS 3.8.0 (2023-02-10) and upper, this check always succeeds.
+  dnl Detecting actual TLS-SRP support needs poking the API at runtime.
   dnl ---
   AC_CHECK_LIB(gnutls, gnutls_srp_verifier,
     [