From 8e6149598b57e9904b0ff31b2b83bbcc57b39953 Mon Sep 17 00:00:00 2001
From: Viktor Szakats
Date: Tue, 4 Nov 2025 18:37:49 +0100
Subject: [PATCH] gnutls: report accurate error when TLS-SRP is not built-in
With GnuTLS 3.8.0+ the build-time SRP feature detection always succeeds. It's also disabled by default in these GnuTLS versions. When using TLS-SRP without it being available in GnuTLS, report the correct error code `CURLE_NOT_BUILT_IN`, replacing the out of memory error reported before this patch. Also add comments to autotools and cmake scripts about this feature detection property. Detecting it at build-time would need to run code which doesn't work in cross-builds. Once curl requires 3.8.0 as minimum, the build-time checks can be deleted.
```
# before:
curl: (27) gnutls_srp_allocate_client_cred() failed: An unimplemented or disabled feature has been requested.
# after:
curl: (4) GnuTLS: TLS-SRP support not built in: An unimplemented or disabled feature has been requested.
```
Ref: https://github.com/gnutls/gnutls/commit/dab063fca2eecb9ff1db73234108315c5b713756
Ref: https://github.com/gnutls/gnutls/commit/a21e89edacfe4ec3c501b030fff59c11fd20dcf0
Closes #19365
---
 CMakeLists.txt | 2 ++
 lib/vtls/gtls.c | 7 ++++++-
 m4/curl-gnutls.m4 | 3 +++
 3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 4772a6219a..7b442ac704 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -934,6 +934,8 @@ if(CURL_USE_GNUTLS)
 list(APPEND CMAKE_REQUIRED_INCLUDES "${GNUTLS_INCLUDE_DIRS}")
 list(APPEND CMAKE_REQUIRED_LIBRARIES "${GNUTLS_LIBRARIES}")
 curl_required_libpaths("${GNUTLS_LIBRARY_DIRS}")
+ # In GnuTLS 3.8.0 (2023-02-10) and upper, this check always succeeds.
+ # Detecting actual TLS-SRP support needs poking the API at runtime.
 check_symbol_exists("gnutls_srp_verifier" "gnutls/gnutls.h" HAVE_GNUTLS_SRP)
 cmake_pop_check_state()
 endif()
diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index 6c1fe63b5e..f3d6abb23c 100644
--- a/lib/vtls/gtls.c +++ b/lib/vtls/gtls.c @@ -877,7 +877,12 @@ static CURLcode gtls_client_init(struct Curl_cfilter *cf, infof(data, "Using TLS-SRP username: %s", config->username); rc = gnutls_srp_allocate_client_credentials(>ls->srp_client_cred); - if(rc != GNUTLS_E_SUCCESS) { + if(rc == GNUTLS_E_UNIMPLEMENTED_FEATURE) { + failf(data, "GnuTLS: TLS-SRP support not built in: %s", + gnutls_strerror(rc)); + return CURLE_NOT_BUILT_IN; + } + else if(rc != GNUTLS_E_SUCCESS) { failf(data, "gnutls_srp_allocate_client_cred() failed: %s", gnutls_strerror(rc)); return CURLE_OUT_OF_MEMORY; diff --git a/m4/curl-gnutls.m4 b/m4/curl-gnutls.m4 index 0872ee52b6..e934f870dd 100644 --- a/m4/curl-gnutls.m4 +++ b/m4/curl-gnutls.m4 @@ -156,6 +156,9 @@ if test "$GNUTLS_ENABLED" = "1"; then dnl --- dnl We require GnuTLS with SRP support. + dnl + dnl In GnuTLS 3.8.0 (2023-02-10) and upper, this check always succeeds. + dnl Detecting actual TLS-SRP support needs poking the API at runtime. dnl --- AC_CHECK_LIB(gnutls, gnutls_srp_verifier, [ -- 2.47.3
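Review bot: The new `GNUTLS_E_UNIMPLEMENTED_FEATURE` branch in the lib/vtls/gtls.c hunk has no comment explaining why a build that passed the SRP configure check can still fail here, although the CMake and autotools hunks each got one. I would add above the `if`: `/* GnuTLS 3.8.0+ always exports the SRP symbols; a library built without TLS-SRP only reports it here, at runtime */`. The fallback `else if(rc != GNUTLS_E_SUCCESS)` still maps every other return code to `CURLE_OUT_OF_MEMORY`, which is presumably correct only if allocation is the sole remaining failure mode of `gnutls_srp_allocate_client_credentials()`, so that is worth confirming against the GnuTLS documentation. Because the build-time check can no longer tell the difference, the code that advertises TLS-SRP as a feature (not visible in this patch) may still report it on such builds, so callers should treat `CURLE_NOT_BUILT_IN` from this path as the authoritative signal. The body of gtls_client_init starts and ends outside the hunk.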