BearSSL: add CURLOPT_SSL_CTX_FUNCTION support

Closes #8478

docs/libcurl/opts/CURLOPT_SSL_CTX_DATA.3

@@ -115,8 +115,8 @@ int main(void)
 }
 .fi
 .SH AVAILABILITY
-Added in 7.11.0 for OpenSSL, in 7.42.0 for wolfSSL and in 7.54.0 for
-mbedTLS. Other SSL backends are not supported.
+Added in 7.11.0 for OpenSSL, in 7.42.0 for wolfSSL, in 7.54.0 for mbedTLS,
+in 7.83.0 in BearSSL. Other SSL backends are not supported.
 .SH RETURN VALUE
 CURLE_OK if supported; or an error such as:
 

docs/libcurl/opts/CURLOPT_SSL_CTX_FUNCTION.3

@@ -32,8 +32,9 @@ CURLcode ssl_ctx_callback(CURL *curl, void *ssl_ctx, void *userptr);
 CURLcode curl_easy_setopt(CURL *handle, CURLOPT_SSL_CTX_FUNCTION,
                           ssl_ctx_callback);
 .SH DESCRIPTION
-This option only works for libcurl powered by OpenSSL, wolfSSL or mbedTLS. If
-libcurl was built against another SSL library this functionality is absent.
+This option only works for libcurl powered by OpenSSL, wolfSSL, mbedTLS or
+BearSSL. If libcurl was built against another SSL library this functionality
+is absent.
 
 Pass a pointer to your callback function, which should match the prototype
 shown above.
@@ -42,8 +43,9 @@ This callback function gets called by libcurl just before the initialization
 of an SSL connection after having processed all other SSL related options to
 give a last chance to an application to modify the behavior of the SSL
 initialization. The \fIssl_ctx\fP parameter is actually a pointer to the SSL
-library's \fISSL_CTX\fP for OpenSSL or wolfSSL, and a pointer to
-\fImbedtls_ssl_config\fP for mbedTLS. If an error is returned from the
+library's \fISSL_CTX\fP for OpenSSL or wolfSSL, a pointer to
+\fImbedtls_ssl_config\fP for mbedTLS or a pointer to
+\fIbr_ssl_client_context\fP for BearSSL. If an error is returned from the
 callback no attempt to establish a connection is made and the perform
 operation will return the callback's error code. Set the \fIuserptr\fP
 argument with the \fICURLOPT_SSL_CTX_DATA(3)\fP option.
@@ -152,8 +154,8 @@ int main(void)
 }
 .fi
 .SH AVAILABILITY
-Added in 7.11.0 for OpenSSL, in 7.42.0 for wolfSSL and in 7.54.0 for
-mbedTLS. Other SSL backends are not supported.
+Added in 7.11.0 for OpenSSL, in 7.42.0 for wolfSSL, in 7.54.0 for mbedTLS,
+in 7.83.0 in BearSSL. Other SSL backends are not supported.
 .SH RETURN VALUE
 CURLE_OK if supported; or an error such as:
 

lib/vtls/bearssl.c

@@ -730,6 +730,18 @@ static CURLcode bearssl_connect_step1(struct Curl_easy *data,
     hostname = snihost;
   }
 
+  /* give application a chance to interfere with SSL set up. */
+  if(data->set.ssl.fsslctx) {
+    Curl_set_in_callback(data, true);
+    ret = (*data->set.ssl.fsslctx)(data, &backend->ctx,
+                                   data->set.ssl.fsslctxp);
+    Curl_set_in_callback(data, false);
+    if(ret) {
+      failf(data, "BearSSL: error signaled by ssl ctx callback");
+      return ret;
+    }
+  }
+
   if(!br_ssl_client_reset(&backend->ctx, hostname, 1))
     return CURLE_FAILED_INIT;
   backend->active = TRUE;
@@ -1170,7 +1182,7 @@ static CURLcode bearssl_sha256sum(const unsigned char *input,
 
 const struct Curl_ssl Curl_ssl_bearssl = {
   { CURLSSLBACKEND_BEARSSL, "bearssl" }, /* info */
-  SSLSUPP_CAINFO_BLOB,
+  SSLSUPP_CAINFO_BLOB | SSLSUPP_SSL_CTX,
   sizeof(struct ssl_backend_data),
 
   Curl_none_init,                  /* init */