From 82acf7a9d5d2463963086860f7c6cb8cd9c3a4c6 Mon Sep 17 00:00:00 2001
From: Viktor Szakats <commit@vsz.me>
Date: Wed, 5 Feb 2025 04:27:20 +0100
Subject: [PATCH] ca native and binutils ld test 1

---
 curl.dev.patch | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++
 curl.sh        | 14 +++++------
 2 files changed, 71 insertions(+), 8 deletions(-)
 create mode 100644 curl.dev.patch

diff --git a/curl.dev.patch b/curl.dev.patch
new file mode 100644
index 000000000..90590c468
--- /dev/null
+++ b/curl.dev.patch
@@ -0,0 +1,65 @@
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 30c0154be7..4c12fe1cec 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -765,6 +765,8 @@ if(CURL_USE_OPENSSL)
+       list(APPEND CURL_LIBS "stdc++")
+       list(APPEND CMAKE_REQUIRED_LIBRARIES "stdc++")
+     endif()
++  elseif(WIN32 AND CMAKE_COMPILER_IS_GNUCC AND HAVE_LIBRESSL)
++    list(APPEND CURL_LIBS "ws2_32")  # Add a duplicate to make binutils ld resolve symbols
+   endif()
+ 
+   if(HAVE_BORINGSSL)
+@@ -1472,6 +1474,8 @@ endif()
+ #
+ # CA handling
+ #
++option(CURL_CA_NATIVE_BY_DEFAULT "Use native CA store by default in the curl tool" OFF)
++
+ if(_curl_ca_bundle_supported)
+   set(CURL_CA_BUNDLE "auto" CACHE
+     STRING "Path to the CA bundle. Set 'none' to disable or 'auto' for auto-detection. Defaults to 'auto'.")
+diff --git a/docs/INSTALL-CMAKE.md b/docs/INSTALL-CMAKE.md
+index 893f4b57f8..6421628f69 100644
+--- a/docs/INSTALL-CMAKE.md
++++ b/docs/INSTALL-CMAKE.md
+@@ -177,6 +177,8 @@ assumes that CMake generates `Makefile`:
+ - `CURL_CA_BUNDLE`:                         Path to the CA bundle. Set `none` to disable or `auto` for auto-detection. Default: `auto`
+ - `CURL_CA_EMBED`:                          Path to the CA bundle to embed in the curl tool. Default: (disabled)
+ - `CURL_CA_FALLBACK`:                       Use built-in CA store of TLS backend. Default: `OFF`
++- `CURL_CA_NATIVE_BY_DEFAULT`:              Use native CA store by default in the curl tool. Default: `OFF`
++                                            Supported by GnuTLS, OpenSSL (including forks) on Windows, wolfSSL.
+ - `CURL_CA_PATH`:                           Location of default CA path. Set `none` to disable or `auto` for auto-detection. Default: `auto`
+ - `CURL_CA_SEARCH_SAFE`:                    Enable safe CA bundle search (within the curl tool directory) on Windows. Default: `OFF`
+ 
+diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake
+index a41af0c982..e31e7e4514 100644
+--- a/lib/curl_config.h.cmake
++++ b/lib/curl_config.h.cmake
+@@ -34,6 +34,9 @@
+ /* Default SSL backend */
+ #cmakedefine CURL_DEFAULT_SSL_BACKEND "${CURL_DEFAULT_SSL_BACKEND}"
+ 
++/* Use native CA store by default in curl tool */
++#cmakedefine CURL_CA_NATIVE_BY_DEFAULT 1
++
+ /* disables alt-svc */
+ #cmakedefine CURL_DISABLE_ALTSVC 1
+ 
+diff --git a/src/tool_cfgable.c b/src/tool_cfgable.c
+index d7ee7b1b22..5cb0ce2d30 100644
+--- a/src/tool_cfgable.c
++++ b/src/tool_cfgable.c
+@@ -46,6 +46,11 @@ void config_init(struct OperationConfig *config)
+   config->ftp_skip_ip = TRUE;
+   config->file_clobber_mode = CLOBBER_DEFAULT;
+   curlx_dyn_init(&config->postdata, MAX_FILE2MEMORY);
++
++#ifdef CURL_CA_NATIVE_BY_DEFAULT
++  config->native_ca_store = TRUE;
++  config->proxy_native_ca_store = TRUE;
++#endif
+ }
+ 
+ static void free_config_fields(struct OperationConfig *config)
diff --git a/curl.sh b/curl.sh
index 4b57f3694..eef259fe1 100755
--- a/curl.sh
+++ b/curl.sh
@@ -70,7 +70,8 @@ _VER="$1"
   # specific positions. Linker complains about a missing --end-group, then
   # adds it automatically anyway.
   if [ "${_LD}" = 'ld' ]; then
-    LDFLAGS+=' -Wl,--start-group'
+    #LDFLAGS+=' -Wl,--start-group'
+    :
   fi
 
   if [ "${_OS}" = 'win' ]; then
@@ -249,8 +250,6 @@ _VER="$1"
 
   CPPFLAGS+=' -DHAS_ALPN'  # for OpenSSL, Schannel when enabled
 
-# options+=' -DCURL_CA_FALLBACK=ON'
-
   options+=' -DCURL_DISABLE_SRP=ON'
 
   if [[ "${_DEPS}" = *'libssh1'* ]] && [ -d "../libssh/${_PPS}" ]; then
@@ -355,12 +354,11 @@ _VER="$1"
     options+=' -DBUILD_CURL_EXE=ON'
     options+=' -DBUILD_STATIC_CURL=ON'
 
-    if [[ "${_DEPS}" = *'cacert'* ]]; then
-      options+=" -DCURL_CA_EMBED=${_TOP}/cacert/${_CACERT}"
-    fi
-
     if [ "${_OS}" = 'win' ]; then
-      options+=' -DCURL_CA_SEARCH_SAFE=ON'
+      options+=' -DCURL_CA_NATIVE_BY_DEFAULT=ON'
+      options+=' -DCURL_DISABLE_CA_SEARCH=ON'
+    elif [[ "${_DEPS}" = *'cacert'* ]]; then
+      options+=" -DCURL_CA_EMBED=${_TOP}/cacert/${_CACERT}"
     fi
   else
     options+=' -DBUILD_CURL_EXE=OFF'